Default IdentityAsserter doesn't get X509 certificate

I'm using JAAS on the client side to grab a certificate and log in. Subject.doAs() runs an action that performs a JNDI lookup of a remote interface.
Isn't the subject serialized and sent to the server and shouldn't the default identity server be called using the certificate to pull out the appropriate field?
I keep seeing the "anonymous" user instead of the user that should be mapped from the certificate. Is there a logging flag that can be set to confirm this?

I finally managed to generate a signed certificate. I have exported the private key and imported it into an IIS. From there I was able to export the signed certificate.
I assume there is a more convenient way to do this. If someone can provide this, that will be very helpful.
Kind regards,
Mark

Similar Messages

  • Clients getting a certificate warning of an expired certificate that doesn't exist

    Running exchange 2010 and clients using Outlook 2007 and 2010, clients are getting the certificate warning dialog that the certificate is expired.  The name of the server in the certificate is correct, however when looking at the certificates installed
    on the Exchange server, the one that is referenced with the issued and expiration dates doesn't show up on the server.
    Where could the clients be getting this from?

    You need to look at each Client Access Server.  A quick way to see what SSL cert is bound is to just look at the IIS splash page:
    https://servername
    You'll likely get a cert error, but just continue and the IIS splash page should load.  When it does, view the certificate that has been presented to the browser.  Ensure the expiration is good, the CA chain is trusted and the cert name (or SAN)
    has the URL to the Client Access Array FQDN in the cert.
    Normally, a self signed Exchange cert is not used in a production environment because the clients will not trust the publisher.  If you have more than one CAS, it's likely one of them is not using the correct cert.
    Good luck!
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

  • Using Mac OS on multiple monitor is great, but after removing external monitor (2nd monitor) usually windows position originally on the external monitor doesn't get re-positioned to default monitor. Is there any shortcut key or utilities that can reset wi

    Using Mac OS on multiple monitor is great, but after removing external monitor (2nd monitor) usually windows position originally on the external monitor doesn't get re-positioned to default monitor. Is there any shortcut key or utilities that can reset wi

    Got the "apple firewire ntsc" choice to show up even if grayed out and "missing" under "audio/visual" menus by recreating choices in Easy Setup under "final cut pro" MENU thank GOODNESS because I was reading horror stories on here about this under another thread with someone trashing preferences, reinstalling and the works and still not getting it to show up...on my search now for an analog/digital converter up at b&h...find it odd that the s video connector wouldn't show the crt monitor when I put both displays through the 3870...I switched it back to see if it worked again when only the one dell monitor display was there and there it is again mirroring the screen display on my desktop...just can't be seen as an "external monitor" in fcp...couldn't find anything specific in the shane ross threads to this. I'm sad the program doesn't just see the s video connection though the 3870 though my computer does fine and will query up at b&h in regard to what might be affordable as far as a digital/analog converter. It's also weird in itself that when I put the two dell monitors on the one card my computer no longer could see the s video crt connection...makes no sense. Will report in later as to what I discover up at b&h as I'm sure there's a world of people out there using this sony crt monitor still even into the upgrades with computers and software so I imagine therein lies the solution. Thanks again and I'll report in as to what hardware might be suggested for me.

  • Applet does not get client certificate from browser (Firefox, IE7)

    I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
    Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
    All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
    Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
    I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
    I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
    So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
    1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
    2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
    BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
    Thanks all.

    > My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned isn't an issue ---
    I just wanted you to make sure the Applet runs because it is a known valid Java2 Applet that is 100% signed properly and verified to run.
    This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
    it is not relevant to your issue.
    > due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
    > I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I did was:
    If that is true we are all dead :) No I think you just missed the cert in the IE database. It doesn't have to be in the
    Applet database to function. Surprise!
    Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
    > I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), then your server isn't requiring client authentication, either accidentally or by design.
    No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
    If you click on a component in the view and then on the view and type "dumpgobs" it should write out some data about the current graphics objects so you can see it has complete read/write access..
    Further it opens up a complete NIO server and starts listening for connections on a random port
    (Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
    This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
    There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
    etc. The Netscape DB was a Berkeley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
    which I like the best ATM as it (X fingers it stays so) always has worked.
    Sadly that tidbit doesn't help you either I am afraid.
    > What I'm trying to do is require client authentication through Apache by including the following markup in a virtual host definition:
    > SSLCACertificateFile D:/Certificates/ca.crt
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    You got me there I avoid markup at all costs and only code in C java and assembler :)
    Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
    automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
    > On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing shows that the server is requiring a certificate from the client, and the web browser is always providing it.
    > The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to the server.
    > So the server refuses to send the applet bytecode to the JVM, and we're stuck.
    In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
    (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
    I am thinking maybe there is another method of doing this I do not know.
    Did you try pushing the cert via JavaScript/LiveConnect?? That way it could run before the Applet and do the authentication.
    Maybe someone else has other ideas; did you try the security forum??
    Sorry but I am afraid that is not much help.
    I did snarf this tidbit which may have some relevance
    The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
    In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
    -Djavax.net.ssl.keyStore=<name and path to client keystore file>
    -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
    If it is a PKCS12 format keystore, specify:
    -Djavax.net.ssl.keyStoreType=PKCS12
    In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
    Dennis
    Posted Date : 2005-07-28 19:55:50.0
    Good Luck!
    Sincerely:
    (T)
    Edited by: tswain on 23-Jul-2008 10:07 AM

  • Apache plugin for Weblogic not forwarding entire X509 certificate chain

    I really hope there's someone out there that can help with this. I've spent all week trying various things to make this work.
    SUMMARY
    It doesn't appear that the Weblogic plugin (mod_wl_20.so) for Apache (2.0.49) sends the entire X509 certificate chain sent from a client to Weblogic (9.2).
    DESCRIPTION
    We have Apache set up to accept client certificates over SSL. This authentication process is successful. When viewing the weblogic plugin log, I can see the headers that are being sent to weblogic:
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Type]=[text/xml; charset=utf-8]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[User-Agent]=[Axis/1.2.1]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Host]=[denwlsd1:4044]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Cache-Control]=[no-cache]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Pragma]=[no-cache]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[SOAPAction]=[""]
    Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Length]=[1096]
    Thu Aug 9 11:34:20 2007 URL::sendHeaders(): meth='POST' file='/ddm/services/CDAService' protocol='HTTP/1.0'
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Type]=[text/xml; charset=utf-8]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[User-Agent]=[Axis/1.2.1]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Host]=[denwlsd1:4044]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Cache-Control]=[no-cache]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Pragma]=[no-cache]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[SOAPAction]=[""]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Length]=[1096]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Cert]=[<base64-encoded certificate data omitted>]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Keysize]=[128]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Secretkeysize]=[128]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-IP]=[169.143.117.159]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Proxy-Client-IP]=[169.143.117.159]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-Forwarded-For]=[169.143.117.159]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
    Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Request-ClusterInfo]=[true]
    Thu Aug 9 11:34:20 2007 URL::parseHeaders: StatusLine set to [200 OK]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Cache-Control]=[no-cache="set-cookie"]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Connection]=[close]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Date]=[Thu, 09 Aug 2007 17:34:20 GMT]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Content-Type]=[text/xml; charset=utf-8]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-List]=[-74568267!DENWLSD1!7711!7712]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Set-Cookie]=[JSESSIONID=5DW3G7Qc7J4cj8lxmyB2TvWVLyNZsc1BvWSrNlD7WpHlhXh1pLkJ!-74568267!NONE; path=/]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-Powered-By]=[Servlet/2.4 JSP/2.0]
    Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-Hash]=[5W6lXYIMbTiSiDe6du3DoRx3JK4]
    The key here seems to be WL-Proxy-Client-Cert. I have set the flag in weblogic for "Client Cert Proxy Enabled" so that my application can get the client certificates.
    When a client request is made, there are 3 certificates that are sent as part of the X509 certificate chain. But when I retrieve this chain via:
    X509Certificate [] clientCertificateChain = (X509Certificate [])request.getAttribute("javax.servlet.request.X509Certificate");
    The length of this array is only 1! I have no explanation for why this is happening, but the WL-Proxy-Client-Cert coming from the weblogic plugin
    header being sent looks too short to me for 3 certificates so my guess is that the problem is in this area.
    Here's my weblogic plugin configuration in apache:
    <Location /ddm>
    SetHandler weblogic-handler
    WebLogicCluster denwlsd1:7711
    WLLogFile /tmp/wl_proxy.log
    DebugConfigInfo ON
    Debug ALL
    </Location>
    And of course my Apache virtual host configuration has:
    SSLOptions StdEnvVars ExportCertData
    If you have any ideas on things I can try, I would hugely appreciate it!!!
    Edited by wrast at 08/09/2007 11:14 AM
    Edited by wrast at 08/10/2007 7:51 AM

    try to reinstall...

  • Set as default tab doesn't save

    Because it shows the name of the last poster, I would prefer to have Overview as the default view for forums I visit. (I would hope that the names of the OP and last poster will be reinstated as soon as possible for all page views. As many others have already mentioned, this is very useful information to have.)
    For some reason, only in 10.4 Tiger does Overview remain as the default. (And, I don't remember even having to use Set as default tab for the Tiger forum to remain in Overview. It has just always appeared that way.) With any of the other forums I frequent, even if I click on Set as default tab for Overview, if I leave that forum and return it always reverts to Discussions view. It doesn't save that view.
    In addition, Set as default tab doesn't even appear as an option for several of the forums I visit.
    Is this a bug, or do I need to know something about making the save work?
    Unless it's some setting I'm missing on the Personalize/Widgets page, I don't see anything I can use there. I already have browser bookmarks for any of the forums I visit.

    Don Archibald wrote: The 'set as default' option will not be available when you are viewing the collection using the tab which has already been set as default.
    But, for example, neither in Tiger nor iTunes, did I set Overview as the default. They appear that way without having done anything. And thanks for the clarification on points.
    Before setting to Overview, Set as default is available:
    After setting to Overview, Set as default is now missing and I can not make Overview the default. Something I'm not getting?

  • How to install & use x509 certificate in XI 3.0

    Hi gurus,
    Does somebody know how to install an x509 certificate in XI 3.0? Is it in Visual Admin?
    Is there some guide?
    Once it is installed, how do we test it? What configuration must we do in Communication Channels and the Receiver Agreement/Sender Agreement? What tool can we use to test the scenario?
    Kind regards

    Hi,
    This is used when you are using FTPS in your communication channel. The certificates are installed in the Visual Administrator. I have not seen any guide on how to install this. But you have a detailed step-by-step procedure of how to install at this link:
    http://help.sap.com/saphelp_nw04/helpdata/en/53/b221e3b466b346860715a550ca987d/content.htm
    Apart from this you may also need to install SAP Java Cryptographic Toolkit. You get some help on this at this link:
    http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
    Once you do this your certificates can be seen from the communication channel. In your communication channel in the FTP Connection parameters you have to select Connection security as FTPS and check the check box X.509 certificates. In keystore if you press F4 you will see the keystores which were installed earlier. Select the keystore and the X.509 Certificate.
    Once you are done with this run your scenario. If you have any errors you will see them in communication channel monitoring.
    ---Satish

  • Can't get x509 from servlet filter?

    i have a filter and a jsp. currently, both the filter and the jsp attempt to pull the X509 certificate from the request and log it (eventually the filter will perform authentication and the jsp will be a web service). however...the filter is unable to get the certificate, whereas the jsp gets the certificate without problems. why is this? some code below:
    **** filter ****
    doFilter(...) {
    HttpServletRequest request = (HttpServletRequest)servletRequest;
    X509Certificate[] obj = (X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate");
    but obj is always null. (i even enumerate the attributes - always empty)...
    **** jsp ****
    essentially the same X509Cert line as above, but obj contains the certificate.
    any ideas? i'm using oracle's app server, which uses a modified Apache HTTP server, if that makes a difference.
    thanks
    chris

    http://forum.java.sun.com/thread.jsp?forum=33&thread=346827&start=0&range=15#1436379

  • Using X509 certificates to create a client in a JCo destination / pool

    Hi,
    Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
    JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
    JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
    Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
    Thanks in advance for your responses.

    Hi,
    I'm not sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
    --> Without Portal
    Retrieve the user's current certificate from UME using:
    [code]com.sap.security.api.IUser currentUser = ...;
    java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
    // DER-encode the first certificate of the user's first account
    byte[] certBytes = certificates[0].getEncoded();
    // someBase64Method is a placeholder for any Base64 encoder
    String encodedCert = someBase64Method(certBytes);
    Properties jcoProperties = new Properties();
    // Add your backend properties like hostname and so on...
    jcoProperties.setProperty("jco.client.user", "$X509CERT$");
    // The Base64-encoded certificate is passed in place of the password
    jcoProperties.setProperty("jco.client.passwd", encodedCert);
    JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
    --> With Portal installed
    In general: Define your backend system in the Portal's system landscape instead of as JCo destination. Configure its logon method for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
    Best regards
    Heiko

  • Invoking secure services inside bpel with x509 certificate and weblogic

    Hi, everyone. Here we have a problem with invoking secure webservices (*client authentication*) from a bpel deployed in weblogic that is consuming so much time (more than a week) and don't know what else to try.
    The scenario: we have a bpel process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of webservices that do exactly the same, but using ssl and client authentication with x509 certificates. The first part of it, the ssl one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas how to configure it in weblogic.
    The situation: I want to invoke a webservice, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I have no problem now to invoke the service now. But, I'm not sure what should I do to make it work in weblogic; after all, the provider keeps answering with a HTTP 403 Forbidden error.
    The actions: inside the weblogic's enterprise manager, in SOA deployments (SOA / soa-infra / default ) I selected my composite, and in the Dashboard (down at Services and references), clicked the particular service (Service1). Then, it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the appropriate one; I guess it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For these keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
    I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and list me valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, still cannot make it work.
    Any ideas would be appreciated. If anyone knows about a post or article about this, it would be appreciated too, but I can tell it is not that I just googled for 25 minutes; I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
    Thanks in advance!

    Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
    -Dweblogic.webservice.verbose=true
    -Dssl.debug=true
    ..then you might be able to spot if the rejection is based on some handshake problem.

  • CSV File Doesn't Get Included In The Package

    Hello friends,
    We have problem with  packaging the indesign document.
    we are opening have data merge CSV files which show in the links pallet.
    when we run the package command the .csv file doesn’t get included in the package
    so if there are any extra settings that copies  .csv files in the current package please help me.
    Regard
    Tahir

    Hi
    And how about this technet article
    http://technet.microsoft.com/en-us/library/ff980461(v=exchg.141).aspx
    To avoid this error in the future, follow one or more of these steps:
    Do not manually modify message tracking log files. By default, these files are located in the following directory: C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking.
    Make sure that your file-based antivirus software is configured to exclude file directories that contain message tracking log files. For more information about configuring your file-based antivirus software on an Exchange server, see
    File-Level Antivirus Scanning on Exchange 2010.
    Review the System log for disk-drive-related events. Use the information in those events to determine whether the disk that stored the log files has any hardware failures. You may have to use
    CHKDSK tool to check a disk and display a status report. For more information about
    CHKDSK, type CHKDSK /? at a command prompt.
    Cheers
    Zi Feng
    TechNet Community Support

  • Accessing X509 certificate info

    We are authenticating by using a certificate for the web server. We need to authorize users for a web service by using the CN or DN shown on the certificate. For the web services, how can I pull the CN or DN off the certificate used for a web service transaction?

    I can't help you much with Oracle Apps. But my 2 cents.
    If your App server/ web server is validating the client X509 Certificates, once authentication is successful, some identifier should be passed on to your application. You should be able to leverage that to get the user CN or DN.
    When you access a web server from within your application, you can then control who can access the web service and still pass the user CN or DN or other user identifier in the SOAP Header, which the Web Service can validate. Your web service has to perform the authorization check even if you perform this at the client side.
    When the service is going to validate the User CN or DN, it is going to rely on the SOAP message, either as body or as custom header. In this case you have to generate the SOAP message from the client with appropriate values which your application should have mapped.
    I answered a similar question in Microsoft Platform at LinkedIn.
    http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/70725-1147608?browseIdx=4&sik=1188955275463&goback=%2Eama
    Thanks
    Ram
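
An added example (not from this thread or from any vendor) of the server-side step asked about above: reading the subject DN and CN from a client certificate the container has already validated, and authorizing on the full DN. It assumes the standard servlet request attribute `javax.servlet.request.X509Certificate`; the class name, the sample subject and the allow-list are constructed for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper class; not part of any product mentioned on this page. */
public class ClientCertSubject {

    /**
     * In a servlet the chain comes from
     *   (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")
     * The client's own certificate is the first element; the rest are issuers.
     */
    static X500Principal leafSubject(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new SecurityException("no client certificate on this request");
        }
        return chain[0].getSubjectX500Principal();
    }

    /**
     * Extracts the CN with a real DN parser. Splitting the DN string on ","
     * breaks on escaped commas and can be confused by "CN=" inside another value.
     * A subject with zero CNs, several CNs, or a non-text CN is rejected.
     */
    static String commonName(X500Principal subject) throws NamingException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        String cn = null;
        for (Rdn rdn : dn.getRdns()) {
            // toAttributes() also covers multi-valued RDNs such as CN=a+OU=b
            Attribute attr = rdn.toAttributes().get("CN");
            if (attr == null) {
                continue;
            }
            Object value = attr.get();
            if (cn != null || attr.size() != 1 || !(value instanceof String)) {
                throw new InvalidNameException("ambiguous or non-text CN in " + dn);
            }
            cn = (String) value;
        }
        if (cn == null) {
            throw new InvalidNameException("no CN in " + dn);
        }
        return cn;
    }

    /**
     * Authorizes on the whole subject DN rather than the CN alone.
     * X500Principal.equals() compares the canonical form, so differences in
     * case and spacing between the allow-list entry and the certificate do not matter.
     * This is only meaningful if the TLS layer trusts just the CAs that are
     * allowed to issue these client certificates.
     */
    static boolean isAuthorized(Set<X500Principal> allowed, X500Principal subject) {
        return allowed.contains(subject);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample subject; the CN contains an escaped comma.
        X500Principal subject =
                new X500Principal("CN=Doe\\, Jane,OU=Engineering,O=Example Corp,C=US");
        // Constructed allow-list entry, written with different case and spacing.
        Set<X500Principal> allowed = Set.of(
                new X500Principal("cn=Doe\\, Jane, ou=Engineering, o=Example Corp, c=US"));

        System.out.println("DN: " + subject.getName(X500Principal.RFC2253));
        System.out.println("CN: " + commonName(subject));
        System.out.println("authorized: " + isAuthorized(allowed, subject));
    }
}
```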

  • Adobe Air SDK for IOS, i'm searching for a week  to get the certificate and provisioning files

    Adobe Air SDK for IOS, I'm searching for a week  to get the certificate and provisioning files!!
    Please help me to get the certificate and provisioning files and I should pay to have these files.
    Thanks

    Apple doesn't provide support for third-party development tools.
    You need to post in the Adobe forums.
    You need a paid developer account to install apps on an iOS device.

  • Why do I keep getting "Error getting push certificate" when trying to enable Profile Manager

    I keep getting this stupid error message!  The Stupid Workgroup manager doesn't work! Won't allow me to do anything!  What is the point in that! Sorry, just having a rant as I have just purchased this server which I can't do anything with.  Can't get Profile Manager working because I keep getting error getting push certificate and cannot associate any user with a group.  I can delete groups and users from AD but just wont allow me to create anything.  The padlock is open so am authenticated.  WHAT IS GOING ON WITH APPLE!

    And do you know what is really sad, 3 hours later and I am still waiting for a confirmation email from Apple.  No wonder the UK use mostly Windows!

  • **URGENT : signed applet still doesn't get full permissions**

    I've bought a Microsoft Authenticode certificate with which I signed a CAB file containing my class files...
    On a client machine, the browser detects security stuff but even when one acknowledges, the applet still doesn't get the permission, for instance, to open a directory for reading... a SecurityException is thrown as if the applet was not signed.
    Have I forgotten something or did another one wrong ?? Must I set the Security Manager to null ????
    It's really urgent, so please reply asap !!!
    Thanks,
    Régis Kuckaertz

    Just signing the applet doesn't give it any permissions. You have to assert whatever permissions you want. For example:
    import com.ms.security.*; // need dummy classes to compile for non-MS
    try {
        // check if we are in the MS JVM
        if (Class.forName("com.ms.security.PolicyEngine") != null) {
            // Assert all Permissions
            PolicyEngine.assertPermission(PermissionID.SYSTEM);
        }
    } catch (Throwable cnfe) {
        // Class.forName throws on a non-MS JVM, so we end up here
        System.out.println("Microsoft JVM permissions not asserted.");
        System.out.println(cnfe.getMessage());
    }
