HTTP adapter, SSL and wildcard certificate

Similar Messages

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• VPN Cluster and Wildcard Certificate

  Hi,
  I am setting up a VPN cluster with three ASA boxes and i am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
  I am done with the setup and everything works fine, but as my initial setup (and the doc i have been reading) shows, the client first connect to:
  cluster.domain.com
  Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
  vpn01.domain.com
  or
  vpn02.domain.com
  or
  vpn03.domain.com
  Thus i would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster ip is configured on all boxes, and the master role is shifted if one of the boxes fail.
  Because of this i thought it would be a good idea to use 1 wildcard certificate (*.doman.com) on all boxes and avoid the hassle.
  Any experience or recommendations?
  BR,
  /K

  Hello Kenneth,
  It was working for version before 9.
  On ASA9 you even can not install wildcard certificate to manage ASA via ASDM, so i guess vpn loadbalancing with wildcard certificate will not work either (but i have not tested that).
  And it's not a bug - it's a feature - it's a security device and wildcardard certificates are strongly discouraged
  Michal

• Rdpsign and wildcard certificate

  Hi,
  All is working fine with rdp sign and I can sign file with thumbprint of our wildcard certificate, but when running file I still have a message "Do you trust the publisher of this remote connection?". It's not yellow with warning, but a warning
  anyway. I can see a message:
  Publisher: *.domain.com (our wildcard certificate)
  Remote computer: rds.domain.com
  Gateway server: rdg.domain.com
  Is this normal for rdg files signed with wildcard cert used for RDS deployment?
  Best,
  Marcin

  Hi Marcin,
  Do you need any other assistance?
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Receiver SOAP adapter SSL error - client certificate required?

  Hi all,
  Problem configuring SSL in XI 3.0 NW04 SP17....
  I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
  <b>Sender File -> <u><i>Receiver SOAP -> Sender SOAP</i></u> -> IDoc Receiver -> IDocs in R/3</b>
  The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
  The problem is when I set HTTPS <b>With</b> Client Authentication in the Sender. I then get the following error in the message monitor:
  SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: <b>client certificate required caused by: java.security.AccessControlException</b>: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
  Has anyone got any idea what this could be caused by?
  Many thanks,
  Stuart Richards

  Have you configured the https port with that keystore entry?
  Check out these links:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
  Regards,
  Henrique.

• HTTPS using SOAP and sharing certificates

  Hi Experts,
  We have been able to activate HTTPS port in our PI system and created a scenario with SOAP sender with option -- >> HTTPS without client authentication.
  Now, we generated the URL from sender agreement -- >> https:<host>:<port>:XISOAPAdapter/MessageServlet?........
  When we try to test this from SOAPUI, an error message is received that - Client Certificate is required.
  Now in NWA, under Security - >> SSL, we could find Private key and have uploaded the same in SOAPUI Keystore... But the error persists.
  Just to emphasie we are just using self-generated certificate which is not signed by any CA.
  Now questions or rather confusions:
  1. If PI is hosting a service ( SOAP Sender ), exactly what kind of certificate should be exported and imported into SOAPUI or third party ? Private key PK8, PK12 or simply Certificate ?? Where exactly is the Public key ?
  2. In case third party hosts the service and PI needs to consume it, I assume third party will share their certificates. Will they share public or private key ? Shall we simply upload it in our key store and it will work ?
  3. In case PI and Third Party both are hosting the services so do we need 2 Set of certificates for scenarios to work ? ( One generated at each server ?)
  I have read blogs, discussions but have seen varying opinions and hence wanted to clarify.
  Thanks..
  regards,
  Omkar.

  Please go through this link - HTTP and SSL - SAP NetWeaver Process Integration Security Guide - SAP Library
  "A general prerequisite for using HTTPS in both SAP NetWeaver Application Server (AS) ABAP and Java is that the SAP Cryptographic Library is installed on the AS. In addition, the certificates (for example an X.509 certificate) used must have been issued by a company-internal Certification Authority (CA), or by an external trusted CA such as Thawte, Verisign, or TC Trustcenter."

• SSL and Client Certificates

  Hi,
  We are using Forms 6i deployed using 9iAS Release 1(1.0.2.2.2a).
  We are using the "Forms Listener Servlet" implementation, and have successfully configured Apache (Oracle HTTP Server) using mod_ssl to use Server Side certificates to provide SSL / HTTPS communications.
  I have also been attempting to validate the existence of Client Side (personal) certificates. This has been successful when accessing normal Web Pages, but not when accessing the Forms Application.
  We are using JInitiator on the client (1.1.8.19), and receive a Java Exception ---
  javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
  Looking on the server logs, we can see the following error
  OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
  I have used all the Oracle documentation (notes 130728.1, 147836.1 and 161161.1), but nowhere does this state that Client Side Certification is supported by using JInitiator (or any other JVM).
  Searching other forums, it appears that this may just not be
  supported by any JVM running on the client machine.
  Has anyone any information or expererience of successfully using Client Side Certificates to deploy Oracle Forms with 9iAS ?
  Many Thanks
  Marc Ludwig

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• Java ssl and root certificate

  We use JAVA as a client for secure SSL connection. For this is a SSL root certificate necessary, if not, the SSL handshake fails due the trust relationship.
  SUN introduced the feature in version 1.5, that JAVA can use OS keystore and grab ROOT certificate from there.
  Unfortunately, this is not working anymore with JAVA 1.6 and if the ROOT is not present in JAVA keystore, the SSL handsake fails. Once the ROOT is imported in JAVA keystore, the SSL works fine. SUN JAVA 1.5 works fine with same environment and ROOT does not need to be in JAVA keystore.
  The failed SSL handsake is visible in Ethereal Sniffing log and is always reproducible.
  Please, are there known issues, that SUN JAVA 1.6.x can not use OS keystore, but only JAVA keystore ? Are there any reported bugs ?

  Right.  Hopefully you've gotten acquainted with this:
  http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
  Is the CA on the DC also issuing certs, or is it just the Enterprise Root and there are subordinates issuing certs?  I ask because if it's just the Enterprise Root but not actually issuing certs, that simplifies things greatly.  If it's issuing
  certs, one thing to research is what certs are currently issued, how often they are renewed, and what they are used for.  This will give you an idea how much risk you're looking at during cutover. 
  To address the specific question of what happens to a desktop that has been offline during the cutover, as I understand it the desktop will pull the new PKI information (new AIA path, new CDP if that gets changed) from AD when it comes back online. 
  This data is stored in "CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=COM" in AD.  In a nutshell, it should be seamless to that particular client.

• CSS SSL and client certificate

  Hello,
  In a situation where SSL Traffic is terminated on a SSL Module.
  And having clients which to clientcertification.
  There are 2 contents aviable on the webserver.
  One for certified users and one for both.
  Is there a way to restrict a path of a url to clients which performed a client cert?
  And have all other content on that server aviable to both , certified and not certified clients?
  Sven

  Hi Gilles,
  i have not described my problem at all.
  Currently we are doing the SSL Termination on a webserver.
  There are two locations specified in the apache config.
  Like this:
  location /webservices/onlytoca>
  SSLVerifyClient require
  SSLVeridfyDepth 0
  So the path /webservices/onlyToCa is only allowd to clients which did a certification via clientcert.
  The /content is allowed to all.
  I have to migrate to the SSL-Module because we need to analyse the URL for stickyness.
  My question was, is there a way to restrict a url path to clients which did a client certification.
  I can set up the ssl-server to ignore certificaton failures.
  Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
  If not, a solution would be to have 3 contet_rules
  one, which checks for a existing of http-header which is set when the request is cerfified.
  There i can limit the URL to /webservices/toCaOnly/*
  one cr, which allows any other content
  one cr, which sends a redirect to a error page. This one should only be accessed if the url is /webservices/toCaOnly and the http header is not set.
  I hope i wrote it down clear enough to understand.
  Sven

• Plain Http adapter Monitoring with CCMS / Alerting framework

  Hello all,
  Can you explain me the optimal way to monitor process using plain http adapter (Sender AND Receiver).
  My goal is to push issue information as soon as possible to monitoring team (via CCMS) when the process is in error.
  During my tests, I ve had a lot of messages with ICM HTTP error 110 but Integration engine did not trigger any alert.
  Thanks for your help.

  Hi,
  Check this link for ICF trace.
  http://help.sap.com/saphelp_webas620/helpdata/en/2d/64d041e74911d6b2e400508b6b8a93/content.htm
  /people/arulraja.ma/blog/2006/08/18/xi-reliable-messaging-150-eoio-in-abap-proxies
  /people/michal.krawczyk2/blog/2005/05/10/xi-i-cannot-see-some-of-my-messages-in-the-sxmbmoni
  regards
  Aashish Sinha
  PS : reward points if helpful

• J2SE adapter engine and SSL testing

  Hi there,
  We are currently doing a B2B scenario whereby SAP XI sends a message to the J2SE adapter engine in the DMZ and then that sends the message via HTTPS / SSL to the receiving service....
  In order to test that the HTTPS / certificate etc worked I wrote a small Java application and dialled out of the network. I inserted the DER file into my CACERTS file on my local machine using the keytool as a "trusted certificate". The Java application worked 100% and did the SSL handshake fine and POSTED the data fine as well......
  Now I am no expert in the J2SE adapter engine but decided to try testing the same SSL connection using the J2SE adapter engine from my LOCAL machine with me dialled out onto the Internet.
  I logged into the J2SE adapter engine and imported the same DER file into the engine  (actually inserted into the "truststore.jks" file). I them went into the "Test Environment" of the J2SE adapter and have been trying to test.....
  I have a few questions:
  1. Do I have to use a P12 or PFX file for this sort of communication? Reason I ask is that with the Java application all I needed was the DER file?
  2. In the full blown scenario do I have to have SSL configured between XI and the J2SE adapter engine as well? Or can that stay as HTTP?
  My basic config for the test is roughly:
  WS.targetURL=https://someserver:4433/soap/someInbox
  WS.SOAPAction=CustomSoapAction
  SSLauthentication=true
  Do I really need the following two?
  SSLcertificate=somecert.p12
  SSLcertificatePassword=somepassword
  From my logic all I should need if the DER file loaded into the J2SE adapter which I have done......
  Has anyone done successfull SSL / HTTPS testing from the J2SE adapter engine using the "Test Environment"?
  Any advise would be greatly appreciated
  Kind regards
  Lynton

  Hi
  Not a answer to your question but why use the J2SE adapter engine in the DMZ and why not the J2EE Decentral Adapter Engine?
  Regards
  Bhavesh

• HTTP Adapter outbound (SSL) processing

  I am trying to send a XML message (an Invoice) from XI to an external Customer via HTTP Adapter.
  The site I am posting the message to is SSL.
  I have installed the Customer's Certificate via STRUST under SSL Client (Standard) and can see it in the
  certificate list.
  Within the Communication Channel for HTTP Adapter I have tried Addressing Type of URL
  and also with a HTTP (SM59) destination.  Both do not work.
  The setting used for both are
  host : workflw.externalcustomer.xxx.com  Service: 443
  Path : /SubmitInvoiceUAT/SubmitInvoice.asmx/SubmitCXML
  HTTP Proxy : internetproxy.mycompany.com
  Proxy Servuce : 80
  SSL Active : SSL Client Certificate ANONYM SSL Client(Anonymous).  As no client cert is used for logon
  I have attempted a connection test within SM59 for the HTTP Destination and I receive the error
  ICM_HTTP_SSL_ERROR.
  1) If the SSL Client Certificate ONLY for logon then how does XI know what cert to encyrption with?.
  2) Should Verisign/Thawte etc CA certs be also installed in STRUST ?
  Does that "public" key for encryption need to be placed anywhere (eg STRUST) or will XI just do
  3) this when it does the handshake with the external HTTPS site it is posting to ?
  4) Also the transaction STRUST may (or may not depending on how the documentation is interpreted) need the installation of some certs into its PSE (Personal Security Environment).  But exactly what they mean is a mystery.  I have created what I thought was the servers cert but cannot see to create a dev.connector.boc.com named certificate.  Perhaps that is not needed.
  Here is the help <a href="http://help.sap.com/saphelp_nw70/helpdata/en/e8/1f1041a0f6f16fe10000000a1550b0/frameset.htm">SAPHelp on  PI HTTPS Config</a>
  5) Also OSS note 510007 it advises to check a number of settings.  I have had a look at what I can ..namely via transaction RZ10  and I can see one parameter and should that be changed to include a HTTPS ? .i,e  currently it is set to     <i>icm/server_port_0  PROT=HTTP,PORT=80$$,PROCTIMEOUT=3600</i>

  Hello
  As a process you have done well. I suspect the problem could be with " SSL Client Certificate  ". Check weather the SSL Client Certificate  is Valid version.
  Best practice.
     Alway when we are communicating with HTTP outbound. It is better to have a STANDALONE ftp location for both SENDER and RECEIVE xml DATA transfter files.
           I hope I answered your question. It was nice answering your question. Feel free to reach SDN if you have any questions.
  Regards

• Wildcard Certificats and 4400 WLC

  First, I know the 4400 has been EOS. I am planning on replacing this with a new controller next year as part of a larger project. In the meantime, the certificate we have setup on our guest network is due to expire soon.
  I am pretty familiar with how to get a new certificate setup, but was wondering if anyone has had any experience at using a "wildcard" type certificate, instead of the standard webserver style cert?  (http://www.digicert.com/wildcard-ssl-certificates.htm)
  Its my understanding that a wildcard certificate can be used for any type of server, but the server needs to support it.
  Thanks.

  All my recent install using a 3rd party certificate has been with installing a chained certificate.
  Here is a doc that shows you how to combine a chained certificate and install it on a wlc.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  Sent from Cisco Technical Support iPhone App

• Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

  Is it possible to install a widcard certificate for web auth in those versions?
  Is there any difference between this two versions.
  Are both of them versions supporting wildcards certificates?
  Here you have the log file resulting of installing the wildcart certificate in the wlc with v 7.0.240.
  *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
  *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
  *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
  *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
  *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
  *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
  *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
  *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
       pLocalFilename=cert.p12
  *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
  *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
  *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
  *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
  *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
  *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
  *TransferTask: Nov 28 11:20:59.624: finished umounting
  *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
  *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
  *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
  *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
  *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
  (Cisco Controller) >
  Would I have the same results in wlc with  v 7.5.102?
  Thank you.

  Hi Pdero,
  Please check out these docs:
  https://supportforums.cisco.com/thread/2052662
  http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
  https://supportforums.cisco.com/thread/2067781
  https://supportforums.cisco.com/thread/2024363
  https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
  Regards
  Dont forget to rate helpful posts.