Executing TS with DHCP certificate requirements

I have this enviroment, where retriving IP from DHCP requires certificate. The certificate script and package is already done, and it has been working earlier, but when I try to create new boot image media, the script executes too fast and IP is not retrived.
If I then execute the script manualy from WinPE, it goes OK and IP is retrived. So problem is here, that for some reason I cannot create the prestage command right.
I have tried 4 different ways;
1. In boot image properties -> customization -> run prestage command.
2. In boot image properties -> customization -> run prestage command with cmd /c
3. While creating boot media, set prestage command.
4. While creating boot media, set prestage command with cmd /c
I have checked, that package sourse and folder directories are porperly set, there is no typo or missleading paths.
Also problem is, that X:\Windows\Temp\smsts.log does not show anything about executing prestage command.

If cmd is just flashing by, then it's not really delaying.
Not sure what you mean by prestage package?
Prestart commands are simple files added to the boot image within the WIM.
Jason | http://blog.configmgrftw.com
By prestage package, I ment the package I use when I set prestage command in boot media. So I have the package with all files required for import certificate script. And I added the delay to the beginning of main command file which executes entire script
and all components.
I wonder, why I don´t have that package available in WinPE, before TS selection, if I try to search it on command line? If I open boot media .iso, I will see the package too.

Similar Messages

GR with quality certificate required

Hi All,
I have set certificate require in my PO. During GR, it will prompt me whether I have receive my certificate. If no system will post the stock into block stock as I did not active quality inspection lot. So if I have receive the certificate after GR, will this stock be posted to unrestricted stock automatically ? Or I need to do a manual transfer posting?
Please kindly advice.

Hi,
After you get quality certificate you need to do transfer posting. According to my knolwedge system won't post the stock to unrestricted stock automatically. Thanking you.

What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

If you had Firefox save your Yahoo password, first try deleting that here:
orange Firefox button ''or'' classic Tools menu > Options > Security > "Saved Passwords"
The "signed out" message seems to be related to how Yahoo authenticates you. Some users have reported that disabling automatic proxy detection solves the problem, and it also resolves an issue of getting logged out every few minutes, if you have ever experienced that.
To make the change:
orange Firefox button ''or'' classic Tools menu > Options > Advanced
On the "Network" mini-tab, click the "Settings" button, then choose "No Proxy" and OK your way back out.
If your work connection requires you to use a proxy server, try the "Use system settings" option instead.
Does that help?

Failing to execute Check: systems configured with DHCP

Recommendation: Oracle supports installations on systems with DHCP-assigned public IP addresses. However, the primary network interface on the system should be configured with a static IP address in order for the Oracle Software to function properly. See the Installation Guide for more details on installing the software on systems configured with DHCP.
Status: Not Executed
Why is Oracle failing to execute the check? What sort of check does Oracle run for DHCP IPs?
Any help will be appreciated.
Thanks

A server is not supposed to work with DHCP but with a fixed IP address. Enterprise Manager DB Control Console will only work with a fixed IP address, if ever either the IP or the hostname change then EM won't work any more unless it is reconfigured.
The purpose of the loopback adapter is to provide a fixed IP address on a dynamic assigned environment. You should make sure once you fix the IP address by means of DHCP to name this IP address in the host file at c:\windows\system32\drivers\etc\host.
~ Madrid
http://hrivera99.blogspot.com/

Receiver SOAP adapter SSL error - client certificate required?

Hi all,
Problem configuring SSL in XI 3.0 NW04 SP17....
I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
Sender File -> Receiver SOAP -> Sender SOAP -> IDoc Receiver -> IDocs in R/3
The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
The problem is when I set HTTPS With Client Authentication in the Sender. I then get the following error in the message monitor:
SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: client certificate required caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
Has anyone got any idea what this could be caused by?
Many thanks,
Stuart Richards

Have you configured the https port with that keystore entry?
Check out these links:
http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
Regards,
Henrique.

Re: Quality Certificate requirement At MIGO for raw material

Dear all,
I have a requirement where I want the system ask for Quality certificate while doing the goods receipt. The system should not allow me to process the transaction-MIGO if certificate is not recieved.
Please advice
Regards,
Vivek Sharma

Hi Vivek,
You need to perform following settings.
Configuration
Follow the path
Run trx QCC0->QM in Logistics->QM in Procurement-->Define Control Keys.
Here create your own control key
Where you can set the rest data as per your requirement but for to check the check box for "Cert Required" is must be activated to meet the requirement relevant to this thread.
Save
Say you have configured your Control Key ZZ01
Now just below this one small configuration is mandatory is Run trx QCC0->QM in Logistics->QM in Procurement-->Define Keys for Certificate Processing
Maintain Description
Execute it and go to "Define Certificate Types"
Here either for your relevant certification type or for new type (if you wish to create new), maintain the data as below
"Certificate Required for Each Purchase Order Item" ==== Active
"Certif. per GR Item" ==== Active
"Certif. check required" ==== Active
"Control W/O Certif." Set any error message, I would suggest to select "Without lot error message, with lot error message"
"Enhanced cert. processing" ==== Don't Activate
"No certif. confirmation at GR" ==== Don't Activate
The rest settings are not important to maintain so leave them blank.
At Master Level
In QM view of MM for the material maintain "QM Control Key" that just created "ZZ01"
and the certificate type that is just created or amended. under the procurement data.
Maintain Q-Info record for Material - Vendor - Plant combination (QI01)
Now as per your requirement system will ask for the confirmation for certificate receipt as Yes/No. under the Purchase Order data in MIGO at item level data.
If you select "NO" to it it will not allow to post the GR.
I hope this is what you were looking for.
Regards,
Shyamal

PEAP Happening with out certificate

How could peap authentication be successful with out server certificate on the client i mean its not installed or autoenrolled on the client which is an windows xp with sp2.
I am using ACS appliance which runs 4.0 and has a self-signed certificate in it.
i am believing no one could login to the network with out the certificate in the client either physically installed or auto enrolled but i couls able to login with out certificate.how could this be possible.

For PEAP, the certificate is there for the client to validate that it is connecting to the right server; it is not there to support validating the client TO the server.
Verifying the validity of the server prevents / reduces the chance that someone is executing something like a "Man-in-the-Middle" attack.
If you are trying to verify the client to the server (server validates the client), then you need something like EAP-FAST or EAP-TLS ... EAP-TLS wold require a certificate on the client.
Choosing an auth/auth scheme will depend on who/what you are trying to protect, and where you judge the higher risk is most likely to occur.
In this case, the cert required by PEAP is there to protect the client against connecting to a malicious user who is acting as the authentic portal into a networking system (i.e., to steal credentials or information).
Good Luck
Scott

Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
The application is running on a server within a wide area network which is separated from the internet.
The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
are no problems with certificate revocation checks.
The problem is, while starting the application client there is a message box which tell us something like "the connection to this website ist not trustworthy",
"Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
Obviously the jvm runtime, which is executed on the users workstation, tries to perform a revocation check for the webservers certificate, but this fails because
it cannot fetch the certificate under https://my-site.de:80.
The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
- Why is the application trying to get the webserver certificate over Port 80. Our application developers told me, there is no corresponding statement. Calling this address
has to fail while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
- Is there a way to make the application go on without performing a tls revocation check? I mean, by adjusting the application sourcecode and not by configuring the users Java Control Panel.
While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart Application executes without a warning message, but this is not a workable solution for
our users.
It would be great if someone can help me with a hint so i can send our developers into the right direction;-)
Many thanks!
This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
(sorry for this is in german... and also my english above)
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: OCSP Response: GOOD
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: UNAUTHORIZED
security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
security: Revocation Status Unknown
com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
    at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
    at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
    at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
    at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
    at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main.access$000(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 35 more
Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    ... 36 more
security: Ungültiges Zertifikat vom HTTPS-Server
network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

Oracle10g Installation problem on Linux with DHCP IP

Hi,
I am new to Oracle Products, I have tried to install Oracle 10G on Linux with DHCP IP.
I got the following warning while installing even though I have loopback interface configured.
Checking Network Configuration requirements ...
Check complete. The overall result of this check is: Failed <<<<
Problem: The install has detected that the primary IP address of the system is DHCP-assigned.
Recommendation: Oracle supports installations on systems with DHCP-assigned public IP addresses. However, the primary network interface on the system should be configured with a static IP address in order for the Oracle Software to function properly. See the Installation Guide for more details on installing the software on systems configured with DHCP.
Please help me in resolving this problem or Can I ignore this message?
My Server Configurations:
[root@SQAESMRH5 Oracle_Install_Errors]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:12:3F:79:FA:2C
inet addr:10.10.121.61 Bcast:10.10.121.2 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe79:fa2c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20751998 errors:0 dropped:0 overruns:0 frame:0
TX packets:19278549 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2150795393 (2.0 GiB) TX bytes:438232502 (417.9 MiB)
Interrupt:177
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12383146 errors:0 dropped:0 overruns:0 frame:0
TX packets:12383146 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1965045834 (1.8 GiB) TX bytes:1965045834 (1.8 GiB)
[root@SQAESMRH5 Oracle_Install_Errors]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
#::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost.localdomain localhost
#::1 localhost6.localdomain6 localhost6
[root@SQAESMRH5 Oracle_Install_Errors]#

This warning means it is not recommended to install Oracle 10g on a DHCP assigned IP address. It could work, but you won't be able to configure Enterprise Manager, since this tool requires a fixed IP address. If possible, have the IP address fixed.
~ Madrid
http://hrivera99.blogspot.com/

Lync 2013 certificate requirements for multiple SIP domains

Hi All,
I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
Friendly URL option 3 from this page:
http://technet.microsoft.com/en-us/library/gg398287.aspx
Client auto-configuration:
i.
Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
ii.
Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
iii.
Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
HTTPS.
If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
Many thanks,

Many thanks for the response.
I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
http://technet.microsoft.com/en-us/library/gg398287.aspx
What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
http://technet.microsoft.com/en-gb/library/hh690030.aspx
Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
to an address of director.contoso.net is not supported over HTTPS.
In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
rule for port 80 (HTTP).
For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
domain.”
I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
As per the below article:
http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
“The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to
create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
===================
1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
fall under the XXX umbrella but are very much run as individual entities.
Question:
Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
Thanks.

SOAP Receiver Adapter problem (client certificate required)

My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
PI Server AXD - (Client) - Receiver SOAP adapter
PI Server AXQ - (Server) - Sender SOAP Adapter.
Steps in AXD
1. I have created a certificate of AXD in the service_ssl view of key storage.
2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
Steps in AXQ
1. I have created a certificate of AXQ in the service_ssl view of key storage.
2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
Any pointer to solve this problem is highly appreciated.
Thanks
Abinash

Hi Hemant,
I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
As far as my scenario goes I am not using message level security.
Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage. I can see a view named just WebServiceSecuity though.
Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
Abinash

Invoking secure services inside bpel with x509 certificate and weblogic

Hi, everyone. Here we have a problem with invoking secure webservices (*client authentication*) from a bpel deployed in weblogic that is consuming so much time (more than a week) and don't know what else to try.
The scenario: we have a bpel process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of webservices that do exactly the same, but using ssl and client authentication with x509 certificates. The first part of it, the ssl one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas how to configure it in weblogic.
The situation: I want to invoke a webservice, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I have no problem now to invoke the service now. But, I'm not sure what should I do to make it work in weblogic; after all, the provider keeps answering with a HTTP 403 Forbidden error.
The actions: inside the weblogic's enterprise manager, in SOA deployments (SOA / soa-infra / default ) I selected my composite, and in the Dashboard (down at Services and references), clicked the particular service (Service1). Then, it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the approppriate; I guest it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For this keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and list me valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, still cannot make it work.
Any ideas would be apreciated. If anyone knows about a post or article about this, it would be apreciated too, but I can tell is not that I just googled for 25 minutes, but I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
Thanks in advance!

Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
-Dweblogic.webservice.verbose=true
-Dssl.debug=true
..then you might be able to spot if the rejection is based on some handshake problem.

Qm view- certificate required

Hi, we assigned 0003 (certificate required) control key in qm view of material master. Say,in case if we don not receive certificate from vendor along with the delivery of goods. What we should do at the time of receiving the goods. Shall we take the delivery with no certificate mark in migo and in that case what will happen? Please advise what will be the best way to handle this.

Raju, the inspecion lot will have the status indicating that a certificate is required and usage decision (and release of the material to available stock) cannot be made until a certificate is received.... or as in many cases, the reception of the CoA is "simulated" as manufacturing requires the stock and ... as you surely know, manufacturing cannot keep incative due to shortage in raw materials.

RDS Certificate Requirements

Hello, I have implemented the following RDS configuration however I am having some trouble in locating the exact SSL certificate requirements that are needed for this setup. Any help with this would be much appreciated.
Environment:
Internal Domain Name: contoso.com
External Domain Name. contoso.com
1 x server with RDS Gateway installed
1 x server with RDS Web Access installed
1 x Session Broker
2 x Session Hosts, configured in a farm with the name farm.contoso.com
Please note that the Gateway and Web Access roles are installed on seperate servers. There is no ISA/TMG server in this implementation.
I believe I require the following certifcates:
RD Gateway - Public CA Single Name certificate containing the publically resolvable name of gateway.contoso.com
Web Access - Public CA Single Name certificate containing the publically resolvable name of webaccess.contoso.com
Session Hosts - Public CA SAN certificate containg the publically resolvable name of farm.contoso.com and the servers internal FQDN of host1.contoso.com and host2.contoso.com
If possible could someone please confirm if this is correct, it would be very much appreciated.
Kind Regards.

Hi Alex,
thank you for your reply, and yes that is correct regarding DNS. I plan to purchased the following certificates for my environment based on our discussion, can you please confirm if
this is correct.
RD Gateway - 1 x public CA single subject name SSL certificate for the publically resolvable name of remote.contoso.com
RD Web Access - 1 x public CA single subject name SSL certificate for publically resolvable name of webaccess.contoso.com
Session Hosts - 1 x public CA single subject name SSL certificate for farm.contoso.com for both session hosts and RemoteApp signing
Or I could purchase 1 x SAN certificate with all of the above external namespaces? Any feedback would be much appreciated.
Kind Regards.

Problem with client certificate based authentication

Hello.
We are developing an AIR application that uses client
certificates for authentication. We have written a simple test case
to show the problem.
<?xml version="1.0" encoding="utf-8"?>
<mx:WindowedApplication xmlns:mx="
http://www.adobe.com/2006/mxml"
layout="absolute">
<mx:Script>
<![CDATA[
import mx.controls.Alert;
private function responseHandler(): void {
Alert.show("Response received");
]]>
</mx:Script>
<mx:HTTPService id="exampleService"
url="https://www1.aeat.es/pymes1/pacargoi.html"
showBusyCursor="true"
result="responseHandler()">
</mx:HTTPService>
<mx:Button label="Send"
click="exampleService.send()"/>
</mx:WindowedApplication>
When we click on the button, it sends the request to the
protected page and then (if you have CA emitted certificates) the
dialog appears requesting the client certificate. And it works
fine.
But next time we click on the button, the dialog requesting
the client certificate appears again.
Is there a way to stop showing the dialog every time?
Any help would be very appreciated.
Thanks a lot for your support.
Paco.

I have just sent a Feature Request/Bug Report with the
following text:
"We are experiencing a problem using AIR with a server that
requires authentication via client certificate.
The dialog for selecting the client certificate appears every
time that the AIR application interacts with the server (not only
the first time).
Steps to reproduce bug:
1. Install Apache HTTP Server with SSL and require client
certificate in order to authenticate.
2. Develop an AIR Application that connects to this server
(HTTPService or RemoteObject have been tested with the same
result).
3. Every time that the AIR application connect to the
server, the dialog appears in order the user to select the client
certificate.
Results: This makes the AIR application unusable.
Expected results: The dialog requesting the client
certificate should appear the first time only."
Thanks,
Paco.

Executing TS with DHCP certificate requirements

Similar Messages

Maybe you are looking for