FIPS-compliant SSL as client in XI 7.0

Hello experts,
I am configuring an RFC destination in SM59 to send data to an external system via HTTPS.
The partner requires FIPS 140 compliant cryptography (which means TLSv1 cipher suites) - or else they deny the SSL request.  Everything I have seen thus far shows SSLv3 as the highest encryption level supported in this scenario.
Wondering if anyone out there has encountered something similar, and if TLSv1 is supported at all in this sort of integration scenario.
FYI - SAP XI 7.0 SPS 16,  SAPCRYPTOLIB =  5.5.5.C pl22

Hi
Unfortunately, the SAP Cryptographic Module is not FIPS compliant and at the moment there are no immediate plans to make it FIPS compliant.
If you have any further queries regarding this issue you can contact the SAP Security team directly via the email: security at sap.com.                                                       
Regards
Mark

Similar Messages

  • FIPS. Can you configure a FIPS compliant ASA to reject any non-FIPS Anyconnect connections

    Hi guys, is there any way to automagically refuse any Anyconnect connections to a FIPS compliant ASA if the Anyconnect client is non-FIPS compliant?
    Any help, thoughts or ideas are greatly appreciated as I can't seem to find anything to suggest you can.   
    Kind regards
    Paul.

    You enable FIPS compliance for the core AnyConnect Security Mobility  Client in the local policy file on the user computer. This file is an  XML file containing security settings, and is not deployed by the ASA.  The file must be installed manually or deployed to a user computer using  an enterprise software deployment system. You must purchase a FIPS  license for the ASA the client connects to.
    AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml.  This file is not deployed by the ASA. You must deploy this file using  corporate software deployment systems or change the file manually on a  user computer.
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html#wp1028083
    HTH!!
    Regards,
    Naresh

  • SSL VPN Client Error

    I set up a Cisco ASA 5510 SSL VPN with the following;
    IOS 7.2
    SSL VPN Client sslclient-win-1.1.1.164.pkg
    Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
    IBM Thinkpad T40
    Windows XP SP 2
    Internet Explorer 7
    All patches up-to-date
    All drivers up-to-date
    SSL VPN Client connection process;
    - User login with valid account and password
    - The SSL VPN Client package will automatically download and install.
    - User will then be connected to SSL VPN
    The ERRORS;
    1. GUI (Cisco SSL VPN Client installation process)
    "The SSL VPN Client driver has Encountered an Error"
    2. Event Viewer
    The only error in this user event viewer that differs from other users who successfully connected are;
    a)
    Function: EnableVA
    Return code: 0
    File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
    Line: 310
    Description: unknown
    b)
    Function: EnableVA
    Return code: 0xFE080007
    File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
    Line: 1145
    Description: VAMGR_ERROR_ENABLE_VA_FAILED
    Anyone know what this error means?
    BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
    Thanks

    The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

  • Web Service, SSL and Client Authentication

    I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
    The test page requires my certificate (firefox asks me to choose the certificate) the response page of the web service returns this error:
    java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
    Has anyone used web services with SSL client authentication?
    Any clue why?
    Regards

    Any comment?
    Thank you.

  • SA540 SSL VPN Client will not install on Windows 7

    I had the SSL VPN Client working on my Windows 7 laptop.  I tried to use the SSL VPN through Firefox and now my client does not work on IE anymore.
    The install process begins and the progress bar makes it halfway before I get an error saying the install failed.
    I tried everything I could to remove the SSL VPN client manually.  I even followed the instructions posted at the end of this forum posting:  https://cisco-support.hosted.jivesoftware.com/thread/2018716?decorator=print&displayFullThread=true
    Nothing has worked.
    The best I can find is the VPN Client is crashing during install.  I saw this in the Event Log.
    Fault bucket 177244756, type 5
    Event Name: PnPDriverInstallError
    Response: Not available
    Cab Id: 0
    Problem signature:
    P1: x64
    P2: E0000234
    P3: ssldrv.inf
    P4: 93775c2b0faa616bc11a47d4ff617aa8d00cd56f
    P5: SSLDrv.Ndi
    P6:
    P7:
    P8:
    P9:
    P10:
    Attached files:
    C:\Users\shudson\AppData\Local\Temp\DMIE984.tmp.log.xml
    C:\Windows\inf\oem54.inf
    These files may be available here:
    C:\Users\shudson\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_d317f66069d2e3b17f6bc1e7306afd9085494a_1020fe2c
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 75c67e96-1882-11e0-8e4d-5c260a0235ed
    Report Status: 0
    I then used AppCrashView to see the crash report and I get this:
    Version=1
    EventType=APPCRASH
    EventTime=129386443518175301
    ReportType=2
    Consent=1
    UploadTime=129386443518799293
    ReportIdentifier=2a4c4f0a-183c-11e0-aac2-5c260a0235ed
    IntegratorReportIdentifier=2a4c4f09-183c-11e0-aac2-5c260a0235ed
    WOW64=1
    Response.BucketId=2007535968
    Response.BucketTable=1
    Response.type=4
    Sig[0].Name=Application Name
    Sig[0].Value=VirtualPassageExe.exe
    Sig[1].Name=Application Version
    Sig[1].Value=1.7.3.1
    Sig[2].Name=Application Timestamp
    Sig[2].Value=4b20cf25
    Sig[3].Name=Fault Module Name
    Sig[3].Value=OLEAUT32.dll
    Sig[4].Name=Fault Module Version
    Sig[4].Value=6.1.7600.16567
    Sig[5].Name=Fault Module Timestamp
    Sig[5].Value=4bbc2f3d
    Sig[6].Name=Exception Code
    Sig[6].Value=c0000005
    Sig[7].Name=Exception Offset
    Sig[7].Value=00004660
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7600.2.0.0.256.48
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    DynamicSig[22].Name=Additional Information 1
    DynamicSig[22].Value=0a9e
    DynamicSig[23].Name=Additional Information 2
    DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
    DynamicSig[24].Name=Additional Information 3
    DynamicSig[24].Value=0a9e
    DynamicSig[25].Name=Additional Information 4
    DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
    UI[2]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
    UI[3]=VirtualPassageExe MFC Application has stopped working
    UI[4]=Windows can check online for a solution to the problem.
    UI[5]=Check online for a solution and close the program
    UI[6]=Check online for a solution later and close the program
    UI[7]=Close the program
    State[0].Key=Transport.DoneStage1
    State[0].Value=1
    FriendlyEventName=Stopped working
    ConsentKey=APPCRASH
    AppName=VirtualPassageExe MFC Application
    AppPath=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
    None of this makes any sense to me, but maybe someone can tell me why the install is failing?
    Thanks,
    Scott

    Mario,
    I tried everything you mentioned.  I cleared cookies and temporary files.  I enabled SSL 3.0. I restarted IE.
    I get the same thing.  The install process starts and then ends suddenly, saying the install failed.
    Scott

  • FortiClient SSL VPN Client Not Functioning Correctly

    Hello,
    I use the FortiClient SSL application to connect to work. In Windows 7 x64 it works without issue. In Windows 8 Build 9200 it exhibits an odd behaviour.
    I can connect using FortiClient version 4.4.3.445. Once connected my sent bytes continues to increase which is correct. However received bytes stays at 0.
    If I try to Remote Desktop it fails.  This is obviously due to no inbound packets coming back from the Fortigate appliance being allowed back to Windows 8.
    Disabling the Firewall doesn't have any effect on the condition. Received bytes stays at 0.
    This is a clean install with no 3rd party applications, other than the FortiClient software. This is only the SSL VPN portion of the FortiClient software and does not include AV or Firewall options.
    Doing some Googling, I've seen some other people with the same problem but no resolution. Another FortiClient user and Sophos & Juniper SSL VPN clients having the same problem.
    Does anybody have any idea what would be causing the SSL VPN to only send bytes but not receive.
    Thanks!
    UPDATE 2:
    In the built in MSTSC.exe "Remote Desktop" I went into Options/Advanced/Server Authentication. I switched the setting to "Connect and don't warn me" and that fixed the problem. The default was "Warn Me". However the warning screen was not coming up.
    Just for the heck of it I switched it back to the default settings and saved. Strangely I now get the "Warning" screen that you would normally see. So now both the built-in and App Store Remote Desktop applications are working. FortiClient still shows Bytes received as 0.....which is odd.
    UPDATE: Solved Workaround
    I was using the built-in Remote Desktop Application without success. I went into the APP Store and saw there was an APP called "Remote Desktop". I installed that and connected my FortiClient SSL to work. Still no received bytes like I would get in Win7. I then launched the "APP" Remote Desktop, punched in my PC name at work and creds and boom I can login to my work PC. FortiClient SSL still showing no received bytes, but the "Remote Desktop" from the APP store does work. Not sure why MSTSC.exe will not work, and why FortiClient shows no received bytes is still unsolved. At least the APP Store Remote Desktop works with the SSL Client.

    Hello Everyone,
    I was finally able to track down the issue.
    After spending 3 days I found that the VPN Client may bind some setting with the user. I tried to install the same on my personal laptop and another machine where the user is bound to the same account (hotmail).
    Then I realized this may be a user issue, so I followed the steps below and it worked fine.
    1. Uninstall Client from Machine
    2. Remove same from IE ( Options =>> Connections)
    3. Restart System
    4. Create Local user and provide administrator rights.
    5. Login with new user and logoff all other.
    6. Install Client.

  • WS security, SSL and client auth

    Hello all,
    I need to secure a web service using SSL with client auth (client has a certificate issued by the web service provider which he can use to access it... I suppose).
    Being a newbie i have no idea what are the options and how to implement them.
    If good tutos are available on the subject it would be nice.
    I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
    Cheers

    Hi
    One of the best books I found that covers security is located at:
    http://www.lulu.com/content/214643
    You will, or get your company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since you're just starting with web services this will be a very good start on many of the concepts and how to implement them.
    Should you decide to use Axis give its documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
    Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think of to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks off another "request" to the web service indicating that the initial request satisfied the user's query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

  • JDBC Thin Connections with SSL and client certificates

    Hi ,
    we are going to have a look at JDBC Thin Connections with SSL and client certificates.
    I have two questions:
    1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
    2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
    Thanks for your help
    regards
    Markus Reichert

    I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
    Steps to add the SSL Certificate:
    1. Run the form with the https mode in the IE Browser.
    2. Security Alert is raised.
    3. Click on the View Certificate button.
    4. In the Certificate Window, click on the Details tab.
    5. Click on the Copy to File button to copy the certificate.
    6. Copy the certificate and append to the certdb.txt file.

  • System cryptography: Use FIPS compliant cryptographic algorithms, including encryption, hashing and signing algorithms

    Hi,
    I have enabled FIPS compliant algorithms, including encryption, hashing and signing algorithms, in Windows Server 2012 R2. After enabling it, my SSIS package is not working and I am not able to open my SSRS either.
    So can any one assist in this.
    Surendran.G
    Regards, Surendran.G

    Hi,
    in the latest security recommendation guides it is no longer recommended to use this setting (because it breaks a lot of stuff...).
    http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
    Consider turning it off if you do not have strict requirements for it.
    Otherwise, you will have to investigate your code. SQL Server forums would be the appropriate place to get help in troubleshooting your code.
    MCP/MCSA/MCTS/MCITP

  • Watchguard SSL VPN client on OSX 10.7 Lion TUN/TAP Kernel Problem

    I upgraded to OSX 10.7 Lion and lost the use of the Watchguard VPN client.
    I eventually found a solution at http://lesmond.net/2011/07/watchguard-ssl-vpn-client-on-osx-10-7-lion/
    I had already uninstalled Watchguard VPN and tried to reinstall to see if that worked (poor advice from another forum)
    I hadn't manually removed Watchguard icon from the dock.
    When you try to reinstall the dialog tells you to run a postupgrade script on the TUN/TAP kernel and then quits with a fail.
    If you install openVPN in this scenario you get an openVPN app and menu item, both of which do nothing.
    Click on the Watchguard dock icon and connect.
    I was then asked to upgrade and ended up with the run post upgrade script dialog and quit with a fail.
    I then clicked on the Watchguard dock icon again and connected.
    This time it connected with no problem.
    Hope this helps!

    WG has new firmware that will fix the problem, once flashed, download the new client vpn client (11.5.1) and you should be good to go.
    I had to contact WG to get the patch as it was not in the portal  Version 11.3.4 CSP6 for my device.  Hope this helps someone.

  • FIPS Compliant Libraries

    Does anyone know when or why Apple does not have FIPS 140-1 and 140-2 approved modules and or algorithms inherent in the OSX framework? The proof that they do not exist is here:
    http://www.csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm
    The sad thing is even Microsoft is listed for their .NET APIs of having certified cryptographic libraries much how Linux relies on OpenSSL libraries. I will go on to further say that one of the reasons why the IPhone is not adopted into the federal and business workspace is this primary reason because RIM's OS and Microsoft's Pocket PC and CE versions have Certified solutions available.
    What gives?

    Thanks a lot for the reference and timely response!
    Do you know of any IPhone apps that have been certified or better yet in the process of being certified? The apps I found such as eWallet, msecure, Keeper, etc. all say they are using FIPS compliant algorithms but none of their implementations within their app i.e. modules, have been certified either.

  • FIPS compliant encrypted backup

    Is an encrypted backup from OS X 10.8 on a Time Capsule (2011) FIPS compliant if you have enabled FileVault2 encryption and installed the FIPS cryptography packages from Apple ? (http://support.apple.com/kb/HT4603)

  • FIPS Compliant

    Is the software for the Catalyst 4500E FIPS compliant? If so, what is the software version.

    Below is the URL that lists the products that are FIPS, Common Criteria, etc, compliant. I don't see 4500 under FIPS but do see it under CC, which is in progress.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html#fips
    Regards,
    Arul
    ** Please rate helpful posts **

  • Does SunJDK support fips compliant?

    I can see IBM JCE is FIPS compliant. Can we have the same thing for Sun? I would appreciate it if I get the answer as early as possible.
    We are in the process of certifying FIPS compliance.
    Thanks in advance!
    Regards,
    Tamil.

    Thanks a lot!! for your quick response.
    Here is the snippet .....
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    public class HashKey {
        // Generate a random HmacSHA1 key using the first installed provider that offers it
        public static SecretKey generateSHA1Key() {
            SecretKey skey = null;
            try {
                KeyGenerator keyGen = KeyGenerator.getInstance("HmacSHA1");
                skey = keyGen.generateKey();
            } catch (NoSuchAlgorithmException ex) {
                System.out.println(ex);
            }
            return skey;
        }

        public static void main(String[] args) {
            // check args and get plaintext
            //args[1] = "/work2/tamil/test";
            if (args.length != 1) {
                System.err.println("Usage: java HmacSHA1KeyGenerator filename");
                System.exit(1);
            }
            writeKeyToFile("hmacsha1key", generateSHA1Key());
        }

        // Write the raw encoded key bytes to the named file
        public static void writeKeyToFile(String fname, SecretKey key) {
            try {
                File f = new File(fname);
                FileOutputStream fout = new FileOutputStream(f);
                fout.write(key.getEncoded());
                fout.close();
                System.out.println("key written successfully to: " + f.getAbsolutePath());
            } catch (IOException ex) {
                System.out.println(ex);
            }
        }
    }
    Works fine if I use SunJCE or IBMJCE. I am getting an exception when I try to use
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    security.provider.6=com.ibm.security.jgss.IBMJGSSProvider
    this configuration with IBM JCE ... inside our driver also we are trying to use the same kind of snippet.
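
    A diagnostic for the situation in this thread, added here as an example and not code from the original poster: it walks the installed JCE providers in their effective preference order and tries the snippet's HmacSHA1 key generation against each one, so you can see which entries of a security.provider.N list actually offer the algorithm. The class name ProviderProbe and its helper names are hypothetical.

    ```java
    import java.security.NoSuchAlgorithmException;
    import java.security.Provider;
    import java.security.Security;
    import java.util.ArrayList;
    import java.util.List;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    // Added example (hypothetical class): probes each installed provider for one algorithm.
    public class ProviderProbe {

        // Names of installed providers, in preference order, that register
        // the given service type and algorithm (a registry lookup only).
        static List<String> providersOffering(String type, String algorithm) {
            List<String> names = new ArrayList<>();
            for (Provider p : Security.getProviders()) {
                if (p.getService(type, algorithm) != null) {
                    names.add(p.getName());
                }
            }
            return names;
        }

        // Actually request the KeyGenerator from one specific provider and
        // generate a key, reporting the outcome instead of throwing.
        static String tryGenerate(String algorithm, Provider p) {
            try {
                KeyGenerator kg = KeyGenerator.getInstance(algorithm, p);
                SecretKey key = kg.generateKey();
                byte[] raw = key.getEncoded();
                // Hardware-backed or restricted providers may refuse to export key bytes.
                return raw == null ? "OK (key not exportable)"
                                   : "OK (" + raw.length * 8 + "-bit key)";
            } catch (NoSuchAlgorithmException e) {
                return "not offered";
            } catch (RuntimeException e) {
                // e.g. a provider that fails its own initialisation or policy checks
                return "failed: " + e;
            }
        }

        public static void main(String[] args) {
            // Defaults to the algorithm used in the snippet above.
            String algorithm = args.length > 0 ? args[0] : "HmacSHA1";
            int position = 1;
            for (Provider p : Security.getProviders()) {
                System.out.printf("position %d: %s %s -> %s%n",
                        position++, p.getName(), p.getInfo(), tryGenerate(algorithm, p));
            }
            System.out.println("Providers registering KeyGenerator." + algorithm + ": "
                    + providersOffering("KeyGenerator", algorithm));
        }
    }
    ```

    Run it with the same java.security file as the failing application; a provider that prints "not offered" cannot serve the request on its own, and KeyGenerator.getInstance(algorithm) without a provider argument falls through to the next one in the list that registers the algorithm.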

  • SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server

    hello all,
    this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to the the issue. i have 2 SunDS servers running solaris 10 06/06 and the other solaris 10 01/06 with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
    using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizzare occurance is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this are against the solaris 10 06/06 machine.
    has anyone see this before? i'm going to open a service request for sun on this but i wanted to see if anyone else has run into this.

    there was a problem with the certificate db which was causing this.
