FTP with SSL cert on ACNS via WCCP

Similar Messages

• Data Transfer Port ranges in FTPS with SSL in File Adapter

  Hi,
  I would appreciate if you could give me pointers reagrding the below issue.
  We are on XI 3.0.
  For one interface, I have to configure the FTP File adapter to pick up the files from external server.
  The connection is secure and should be FTPS with SSL.
  I have the certificate from the 3rd party and have it installed on our XI development server.
  The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
  I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
  The error i get today is:
  Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
  Yesterday, i got the below error:
  Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
  The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
  He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
  When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
  Please advice.
  Regards,
  Archana

  >
  Archana Singhai wrote:
  > Hi,
  > I would appreciate if you could give me pointers reagrding the below issue.
  > We are on XI 3.0.
  > For one interface, I have to configure the FTP File adapter to pick up the files from external server.
  > The connection is secure and should be FTPS with SSL.
  > I have the certificate from the 3rd party and have it installed on our XI development server.
  > The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
  > I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
  > The error i get today is:
  > Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
  > Yesterday, i got the below error:
  > Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
  > The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
  > He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
  > When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
  > Please advice.
  > Regards,
  > Archana
  1. Open the port ranges. FTPS usually requires you to open ports in the range of 65024 through 65535 for Passive FTP data
  connections
  2. Use the CA name in the certificate. it should be same as of the host name of the FTPS server

• Java Client FTP with ssl and fxp

  Hy, I make java ftp client that supports ssl and fxp. I found for ssl something but nothing for fxp. Do you have any information for me regarding java and fxp?
  Best regards

  is this going over the internet, a private connection. a vpn over the internet? are there any logs that show any ftp error codes? if there is a firewall in play, does it show any logs on this connection?

• Getting sec_error_inadequate_cert_type with Private SSL Cert

  Howdy,
  I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
  I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
  One of the certs that hasn't expired yet but is experiencing problems can be found here:
  * https://forums.silicateillusion.org
  One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
  * https://phpmyadmin.endofevolution.com
  These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
  A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
  Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
  The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
  The CA Cert is in FireFox's store as trusted.
  If needed, I can provide certs.

  ''SniperFodder [[#answer-626818|said]]''
  <blockquote>
  I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
  I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
  I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
  I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
  "Certificate type not approved for application."
  </blockquote>

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Dreamweaver CS 5.5 not working with Godaddy FTP with TLS/SSL

  I've upgraded to CS 5.5 and tried to connect to a client's Godaddy account with FTP with TLS/SSL it fails.  Works perfectly with my mac app Transmit every time as it always has.   It doesn't work with implicit or explicit settings with authentication set to none or otherwise.
  Can someone please let me know if Dreamweaver will ever be compatible with FTP with TLS/SSL and Godaddy?  Or is there some setting I can try that will make it work now somehow?
  Been waiting years for this....

  SnakEyez02 wrote:
  First, that's a Godaddy problem if their security isn't up to par.
  That may be the case that Godaddy is also at fault, but every other FTP app I use with Godaddy works fine.  It's just Dreamweaver and has always been just Dreamweaver not working with a secure connection to Godaddy.  Considering Godaddy is the largest webhost in the USA, you'd think Adobe would have fixed this years ago.  I should also mention I'm not endorsing Godaddy and I understand there's plenty of people that don't like Godaddy for very good reasons.
  Sent you PM with FTP account with Godaddy yesterday.  Thank you for taking a look!
  UPDATE: Whoops, I see you responded via private message already.  I'll paste most of it here in hopes it helps others to understand the issue:
  via SnakEyez02 PM:
  Ok this took a lot of digging.  I won't say it's not a DW issue 100% and I will report a bug for your problem, but DW is not the problem alone Godaddy needs to share the blame here for a bad certificate.  Here is what is happening:
  I'll start with DW:
  - The settings are correct that were in the post.  Port 21, FTP explicit, and the authentication should be set to None (encyprtion only).  This is where the transmission is encrypted using SSL, but the certificate is shared and not specific to the domain owner.  That is the difference between DW's "none" and "trusted".  It's a poor choice of words I'll give them that.  However, Godaddy seems to want all connections to be trusted thus the other error you get when you turn on the None option.  Now could DW do what Transmit does, warn you and write in an unsigned certificate into the Keychain app, probably, is it best practice for security reasons to "Trust" an unsigned certificate probably not.
  Now Transmit:
  - As explained above Transmit opens up a prompt to override and create a fake-trusted signed certificate.  Thus by forcing the OS to think a legitimate certificate is there it gets you through albeit through unconventional methods.
  The problem:
  - A good portion of this problem lies with Godaddy.  Now I use a shared hosting account and set one up on an independant host for a friend of mine and both of them accept the shared certificates (SSL explicit).  The difference is the hostname of the certificate.  I ran a traceroute (from Network Utility in Utilities folder) on your website and came up with the following address: 173.201.23x.x.
  The problem is that the certificate on your server is actually not for that server which is the reason DW seems to have such an issue with it.  The SSL certificate that Godaddy put on your shared server is for host - 173.201.19x.5x.  As you can see, it's a certificate for another server.  Honestly the fact that Panic's Transmit allows this override scares me a little bit and the fact that Godaddy never noticed this issue either scares me to.  So while DW could write in a bad certificate I can see why this is happening.
  I know there is not much solice in my answer because it still doesn't alleviate the problem that you have with DW connecting.  Unfortunately I do not have a workaround despite my numerous attempts to try and gain access over a secure connection.  One alternative you could ask Godaddy for in the meantime is an SSH connection which would allow you to use SFTP instead of FTPS.  But that's a short-term solution to a long-term problem.
  If you think of anything else feel free to bounce any ideas off me I don't mind.  Good luck in getting this solved and I will post a bug report to make Adobe aware of the issue.
  Thank you for looking into this issue in depth like you have!
  I think the issue might be that Godaddy is applying cost saving measures to keep their prices down in the way they implement their certificates (but it also wouldn't surprise me to know it's simply ineptitude on Godaddy's part either).  I'm not sure I fault Panic with Transmit much at all because it clearly warns you about the certificate and it's your choice to continue.  And, as it stands now, it's much safer to continue to connect that way with Transmit than to stop and connect with no encryption at all at a public hotspot.
  As it stands now, you really shouldn't connect to Godaddy with Dreamweaver at a public hotspot unless you set up an SSH tunnel with your connection first.  But enabling SSH is an added expense in many ways including paying for the service, using more computer resources for tunneling and time setting it up and implementation... all because Dreamweaver won't just allow developers the option like Transmit does.
  Once again, thank you for looking at this and I hope someone at Adobe finally address this issue for the security of its customers who use Godaddy (which is often not their choice and was, instead, the choice of their clients to use Godaddy as a webhost).
  Just a side note, I contacted Godaddy support about this several years ago and they were unresponsive and even hostile about it  - So that's definitely another vote against Godaddy from me as well.
  Message was edited by: greenbluewave

• Anyone having issues with Self-Signed SSL-certs on mail servers?

  Can't get it to allow connecting via SSL to outgoing mail servers with self-signed certificates. Problem did not exist in earlier versions of OSX as far as I know.

  YES. I have a cert from lunarpages, where my accounts are hosted. I'm seeing two issues, and they are different for the different servers at lunarpages:
  1. Multiple logins from different machines --> problem
  2. Multiple accounts accessing same server --> problem
  So, with 1 account on one of lunarpages machines, I can have several machines running Mail with ssl on at the same time and get no problem (that is, once I've saved the certificate and marked it trusted). But as soon as another account (my wife's email on the same domain, for example) tries to access the same server, it gives me an ssl error, a choice to save that cert. and if I do then my account will generate the ssl error. Seems like only one account can have the certificate.
  On another account on a different lunarpages machine, I can't have several machines running Mail at the same time, only the first will get through and the rest will give an SSL error.
  Lunarpages says they can't find a problem, though my last email with them told me to use TLS rather than SSL. Of course, there's no way to specify that in Mail anyway, but I'd thought Mail automatically used TLS anyway, and I'm running the right ports (587 for smtp, 993 for incoming).
  Feels like it's an issue with Mail or the OS's handling of certificates. Any clues on a fix will be most appreciated as this is getting annoying. I've had to turn off SSL on my wife's and daughter's accounts just so that I can use it. And I have to quit Mail so that on the other account I can get my mail on my iPhone. Having to quit Mail on my main work machine is frustrating -- if I forget to do it I can't get mail.

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• Does XI support FTP over SSL with Command AUTH TLS??

  Hi All,
  Can we change Command AUTH TLS to AUTH SSL in the Command Order of receiver FTP adapter when you select FTPS (FTP using SSL/TLS) for Controal and Data Connection??
  We are able to transfer business documents to bank's FTP server (Following RFC 2228 standards) using WS FTP Pro (I think follows RFC 959 and 1123 standards) which using AUTH SSL in Command order.
  We did go through SAP note 821267 (FAQ for XI 3.0 / PI 7.0 File Adapter)...question number 33 address about the "AUTH TLS" command. But we not getting the same error. We get different as in this forum:
  Re: Error: Message processing failed: FTPEx: PBSZ=0
  Can someone please confirm if this is the issue with FTP RFC standarads?? Or can we coustomize FTPS adapter to send AUTH SSL command??
  Thank you,
  Indrasena Janga

  Dear Andy,
  I am also looking for the same information.
  Could you please share with ,if u have got anything related....
  Hi Experts,
  Pls share your exp with us if u have any....
  Regards,
  Srinivas

• OIM SSL cert with AD

  I have a OIM on a cluster with two nodes running on WLS. I have a VIP URL that I connect to OIM with.
  i am going to upload the OIM cert to AD for provisioning etc and get AD cert in OIM jdk keystore.
  What I need to know is what hostname shall I use in the cert? The for VIP or hostname of a node? If its a node then I need two certs for OIM then?

  thx, I just added one cert which has the vip address and that worked fine. it stays ssl session validated successfully.
  However, when I provision a user to AD, I see Password is required while provisioning user with SSL. Do you know what this means?
  I have password in AD process form and password for admin user that will provision to AD. What am I missing?
  thx for your reply sir.

• SSL Cert used to sign Jars for distribution via WebStart

  Hi,
  I have an SSL cert (Comodo InstallSSL) for my website and wondered if I can use it to sign jars so, when distributed via webstart, the old "untrusted source" message doesn't get displayed. I've been doing a lot of reading but, to be honest, I can't really find my bearings! I have imported the cert into my keystore but get the message when I try to sign a jar:
  Certificate chain not found for: myalias  myalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.I have the following files in relation to my cert:
  xxx.cabundle (this can be imported into keytool easily)
  cert/xxx.crt (looks like a PGP file, cannot be imported (-import) into keytool)
  private/xxx.key
  My questions I suppose are:
  1. Can I use a cert issued for SSL to sign jars for webstart distribution?
  2. If yes to 1; what steps other than importing the cert alone (which generates the message above) do I need to do to achieve this?
  Any help would be appreciated!
  Rich

  Hi,
  yes, the pkcs12 certificate includes the private key, as opposed to pb7 which does not.
  Sent from Cisco Technical Support Android App

• Http client------ XI  (via HTTP with SSL),

  hi forum,
  we have a http client that sends a http erquest to XI, by using sap/xi/adapter_plain
  service,  i mean plain http adapter
  but for scurity reasons i need HTTPS communication,
  can u tell me how to enable HTTPS (HTTP with SSL) communiaction in the same scenario,
  http client------>XI  (via HTTP with SSL)

  hi sudeep,
  u need to create a comm ch of adapter type http n set the security level there.
  refer this for help:
  http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
  [reward if helpful]
  regards,
  latika.

• Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

  We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
  Currently i am only able to generate SSL cert with md5RSA.

  Hi,
  Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
  Therefore, you need to build a new CA to use a new algorithm.
  More information for you:
  Is it possible to change the hash algorithm when I renew the Root CA
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
  Changing public key algorithm of a CA certificate
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
  modify CA configuration after Migration
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
  Best Regards,
  Amy Wang

• ACE: Single SSL Cert for two domains with same VIP

  At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
  policy-map multi-match popvip_01
  class POP_VIP01
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or popPMT1
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  class POP3_VIP02
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or POPPMT2
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP3_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  however,
  if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
  ie,
  pop.mydomain.com = 10.10.10.1 995
  pop3.mydomain.com = 10.10.10.1 995
  Any suggestions would be appriciated.

  Hello,
  In order to achieve this then you will need to order a wildcard certifictae ie
  *.mydomain.com
  These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
  Regards