Import X.509 certificate via LDAP

Hello,
I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
regards,
Tex

I think if you select security profile in the channel then you can do sign and verify the certificate in the receiver agreement. That is only for Security parameters. For just configure certificate authentication, you will not see anything in the receiver agreement.

Similar Messages

  • Getting SSL certificate via LDAP connection

    Hello...
    I'm trying to get the SSL Certificate from a Novell eDir directly by connecting through ldap. The object dn is:
    cn=SSLSERVICES1024 - SERVICES, ou=gip, o=testorg
    and when I list all the attributes are:
    ===========
    nDSPKICertificateChain: 0
    hostServer: cn=SERVICES,ou=GIP,o=testorg
    nDSPKIPublicKey: 0
    nDSPKIKeyFile: @P
    objectClass: nDSPKIKeyMaterial, top
    nDSPKIPrivateKey: 0
    nDSPKIPublicKeyCertificate: 0
    cn: SSLSERVICES1024 - SERVICES
    nDSPKISubjectName: O=testorg.OU=GIP.CN=SERVICES
    nDSPKIGivenName: SSLSERVICES1024 - SERVICES.GIP.testorg
    ACL: 2#entry#[Public]#hostServer, 2#subtree#cn=SAS Service - SERVICES,ou=GIP,o=testorg#[All Attributes Rights]
    ==============
    Which attribute do I take to instantiate an X509Certificate class?
    Any ideas?
    Thank you!

    I am not exactly sure what you are trying to do, but I was using e-directory and trying to get SSL working. Here is the URL for what I did to get SSL working.
    http://forum.java.sun.com/thread.jsp?forum=51&thread=322566
    hopefully it helps
    -Allison

  • Consumer-Proxy authentication via x.509 Certificate

    Hi experts,
    I want to consume a service from a erp system and authenticate via x.509 SSL Certificate. But in soamanager there is no checkbox for this authentication method when I create the logical port. Only "User Id / password" and "SAP authentication Assertion Ticket" are existing under consumer security. Has someone any idea / hint? I have no Idea how I can solve the problem…

    The Basis Team installed the x.509 client certificate.
    The logon to a service which is running on SAP ECC 6.0 works via SSL and Client Certificate. (Configuration in SOAMANAGER
         Provider Security -> Transport Guarantee Type: Https
         HTTP Authentication: x.509 SSL Client Certificate via Https)
    But the authentication to a consumer proxy from SAP to a legacy system only works via http and username / password at the moment
    In SOAMANAGER -> Logical Port -> Consumer Security there is no opportunity for SSL or Client certificate. There are only the two opportunities:
         User ID / Password
         SAP Authentication Assertion Ticket
    In SOAMANAGER -> Logical Port -> Transport Settings: there is an opportunity to select Https. Is this selection enough for x.509 Client Certificate and SSL?
    Someone an idea how to configure a consumer proxy (SAP ECC 6.0) for certificate authentication?

  • SSL Server PSE -  loading existing certificate via STRUST

    We are configuring XI ABAP stack (via transaction STRUST) to use HTTP adapter for secure communication with business partners for inbound communication (SAP WAS will take a role of SSL server).
    We would like to re-use SSL Global Server certificate purchased and installed already on our XI JAVA stack for RNIF adapter (can this be done at all?), but importing/installing it via STRUST in SSL Server PSE is so confusing… and it does not work. How can we load server’s private/public keys in STRUST?  
    We used Replace function to change default SAP cert in SSL Server PSE to our own server cert, entered all possible CNs, OUs and Os, however little popup screen during Replace does not allow to enter all needed values according to the naming convention of CA we are using, default SAP CA uses less information, can this create a problem?
    We installed Intermediate and Root certs in IE, but still getting message that server certificate is not trusted when trying https from the browser.
    Any help will be appreciated.
    Thanks!
    Margaret

    We just went through a similar situation.  We are switching from external to internal ITS.  We also tried to "import" an existing certificate - unsuccessfully.  We opened an OSS note and were told this functionality was not meant for this use - you have to create a new certificate.  You can however use the root certificates in the SAP database - if the one you use is in the list.  Click on "certificates" in transaction STRUST and then import.
    Hope this helps.

  • Web service Security using X.509 certificate

    Hi All,
    I have a web service deployed on the SAP Web AS J2EE.
    I want to include Authentication option in my web service
    I have configured the settings for using X.509 certificate(HTTPS) in my
    web service configuration and similarly I've configured my client proxy
    for the same.
    My question is..... from where do I get the X.509 certificate?
    actually I have the .crt and .der files, which I created from
    the visual administrator.
    And also do I need to install anything on my SAP server
    in order to use the authentication service? (Any prerequisite)
    Thanks,
    Talimeren

    Hi Talimeren,
    when you want to use certificates you have to setup SSL which you've started already. You have to get and import a server certificate which authenticates the server while the client creates a SSL connection. The cert has to assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • Importing public key certificate from external application

    Hello!
    I am trying to implement the following scenario:
    1. External client application sends its public key certificate to SAP WAS
    2. SAP imports this certificate into its PSE
    3. External client application sends digitally signed messages to SAP (with secKey HTTP call parameter)
    4. SAP checks this signature and does whatever further action.
    For simplicity reason, I emulated this "external app" by using the ArchiveLink interface of the very same SAP system. So, I have one system which is at the same time client and server, but the communication works via HTTP.
    I started with step 1: The ArchiveLink (in my case "external app") uses the function SCMS_HTTP_PUT_CERT to send the public key certificate to the client via HTTP. It worked well - I received the message with HTTP service and it contained some binary content as expected (valid public key certificate - I suppose).
    Unfortunately, I was unsuccessful with step 2: How to import the received certificate into my PSE?
    I debugged the STRUST transaction and saw that it uses the function SSFP_PUTCERTIFICATE to import public key certificate into SAP's own PSE. However, when I try to use it, I get error "No temporary PSE available". I also tried to encode-base64 this message with the same result. What does this mean?
    Does anyone have experience with this? Please share it.
    Thanks in advance and kind regards,
    Igor

    The key point was understanding the cleverly named parameter PROFILE in the function SSFC_PUT_CERTIFICATE. You'd never guess: it's a path to a PSE where you want to put the certificate, in my case: C:\usr\sap\NSP\DVEBMGS00\sec\SAPSYS.pse. There's one more step: updating database with the file system PSE.
    So, the test sequence that works is:
    1. SSFP_GETSAPCERTIFICATE
    2. SSFC_PUT_CERTIFICATE
    3. SSFPSE_STORE
    Regards,
    Igor
    P.S. Am I the only one playing with these things? I keep getting 0 replies to my questions.

  • ABAP SE37 Web Service and x.509 certificate

    ECC 7.01 EPH 1
    I have created a Web Service from an ABAP function module. I then created a service using SOAMANAGER and have configured it and tested it using Web Navigator. This WS uses no authentication or username/password.  It also works being consumed from a non-SAP server/application
    I want to have another non-SAP server and application use this WS. Currently the non-SAP  can consume it passing the user/password.
    I now want to have the WS consumed using x.509 certs.
    I have tried multiple methods with no success.
    On the server I have imported using STRUST
    Maintain the server's SSL server PSE.
    Use the trust manager (transaction STRUST) and import the issuing CA's root certificate into this PSE's certificate list.
    Created Web Service communication user, technical type with security roles --> zwebserviceuser
    Created entries in table USREXTID using transaction SM30, view VUSREXTID
    external type = DN
    imported non-SAP server cert into external id
    user = zwebserviceuser
    activated
    The ICM to request a client X.509 certificate (check icm/HTTPS/verify_client profile parameter) was already configured
    I choose the appropriate security profile for your ABAP web service --> security HIGH
    I choose in SOAMANAGER http authentication and x.509 certificate
    The NON-SAP Server/application is calling the SAP WEBservice and sends the "certificate"
    The RunTime error is
    The request failed with HTTP status 401: Unauthorized.
    Any Help would be appreciated
    thank you,
    Sarah

    Take a kind look on SAP note 495911 to analyse ABAP logon errors.
    Most likely you have forgotten to add the root certificate of the CA which has issued the SSL client certificate (of the WS consumer) to the certificate list of the SSL server PSE (of the NWAS ABAP, acting as WS provider). In that case the SSL handshake will be incomplete: the SSL client certificate will not be requested by NWAS ABAP and thus no SSL client certificate will be sent by the WS consumer. That's why no credentials are there resulting in the 401 error.

  • Java Crypto - X.509 Certificate - DER encoded to Base64

    How to convert DER encoded X.509 Certificate to Base64 encoded X.509 Certificate?

    One way is to use the keytool utility supplied with the jdk. My keystore is already set up so you may have some additional steps beyond what I show below.
    First import the DER encoded certificate
    keytool -import -alias tempaliasname -file file.der (you will be prompted for the keystore password)
    Then export to Base64
    keytool -export -alias tempaliasname -file file.cer -rfc (you will be prompted for the keystore password)
    That will give you the Base64 version of your certificate.
    You can use the keytool -delete command to delete the key from your keystore if you want.
    Bruce
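
Added example, not part of the original post: the Base64 form of a certificate is the same DER bytes, Base64-encoded between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. The Python code below does that conversion directly and rejects input that is already Base64 text, truncated, or followed by extra bytes; `SAMPLE_DER` is a constructed placeholder rather than a real certificate, and the function names are illustrative.

```python
import base64

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder: a DER SEQUENCE header (0x30, long-form length 200)
# followed by 200 filler bytes. It has the outer shape of a certificate only.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))


def der_total_length(der: bytes) -> int:
    """Return header + body length declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        # A PEM file fed in by mistake starts with '-' (0x2D) and fails here.
        raise ValueError("not DER: a certificate starts with SEQUENCE tag 0x30")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n bytes carry the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("indefinite, oversized or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in Base64 armor with 64-character lines."""
    if der_total_length(der) != len(der):
        raise ValueError("truncated input or trailing bytes after the SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armor and decode back to the original DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("missing BEGIN/END CERTIFICATE lines")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("decoded bytes are not a single DER SEQUENCE")
    return der


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
```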

  • Keychain access keeps crashing while trying to import a new certificate

    I have been having trouble with trying to import a certificate to my Macbook Pro but every time I go to Import the certificate via: File --> Import... Keychain access keeps crashing on me. Has anyone else been experiencing this?
    Here is the link to where I have uploaded the error report: http://www.filedropper.com/keychainaccesserrorreport

    Hi Moving Art,
    Please provide the exact version of Premiere Pro CC that you are using, you can check this by going to Premiere Pro menu. Also, this type of crash might be because of the Graphics display drivers. So, please check the Graphics Card installed on your MAC and the version of the MAC that you are using.
    Regards,
    Vinay

  • Extracting X.509 certificate information from OSB/OWSM

    Hello everyone,
    I'm using SOA suite 11gR1 and I'm creating a proxy service with an OWSM policy ( oracle/wss11_x509_token_with_message_protection_service_policy ) . I'd like to know how to extract the certificate details from the incoming message so my Web Services can access them with something like the WebServicesContext interface.
    Thanks !

    I am working on this same scenario as well (and agree that OWSM documentation is incomplete for this important use case). Vikas Jain provides some further explanation of Verify Signature in a blog entry: http://ws-security.blogspot.com/2007/06/faq-owsm-1013-what-is-use-of-cerificate.html . Essentially he clarifies that the Verify Signature policy step is doing two different functions: 1) validating the signature using the public cert passed in the request, 2) validating that said public cert is actually trusted by the server (directly or through a trusted CA).
    Unfortunately, even with this assistance, I have yet to get OWSM to work correctly using the X.509 certificate token profile for authentication purposes. OWSS does work for me but the desire is to externalize this security function to OWSM (outside of the service container).
    Any information you find out appreciated.
    Todd

  • Encrypt Emails using PKI Infrastructure (X.509 Certificates)

    Dear HTMLDB Fans,
    I wonder if anybody ever needed to send passwords via email to the enduser and how you are doing this via plsql. As far as I can see there is no easy way to send encrypted Emails with a Plsql Package. I read that Oracle took over the PHAOS Company in order to fulfill Requirements in the Security Area but there must have been some solutions out there before?!
    The way to do it seems pretty easy.
    1. Download the public Key of an User you want to send an email.
    2. Encrypt your Message with that Key
    3. Send your Message
    Any Hints are appreciated.

    I tried using demo_mail and DBMS_OBFUSCATION_TOOLKIT but it doesn't seem to be able to deal with x.509 certificates.....
    Has anyone succeeded before me?

  • Mail using old instead of new X.509 certificate, two certs causes problems

    I have two X.509 Thawte certificates on my key chain. One expires in 2008, the other expires later in 2007. The 2008 certificate has an additional email address embedded over the 3 in the 2007 certificate.
    When I send signed email the old certificate is getting sent instead of the new. If I look at my email entries in ADDRESS BOOK, the old certificate shows except the new email address that is unique to the 2008 certificate.
    I exported the 2007 certificate, deleted the 2007 certificate and closed and opened KeyChain Utility and now the 2008, which is the expected certificate shows for all email addresses. Problem is that I can't read any old email that was encrypted with the 2007 certificate unless I import the old certificate.
    Anyone know how to have both certificates on your key chain and have OS X default to the latest certificate for sending email, but use the correct certificate for reading all email when mail has been encrypted with one of several certificates over time?
    Importing and exporting, deleting certificates as you update certificate is a real pain.

    I'm having a similar problem. Also have thawte certificates. I renewed the one about to expire which seems to have worked. I deleted the old one; wrong move, as I now could not read the email that used the old one. I fetched the old certificate, which appears in Certificates, but the email still seems to not be decryptable. There seems to be no way to get it into the My Certificates place. I have used these for several years with no problems until now.
    If anybody has a clue on how to read the old email, I would love to hear it.

  • Help with X.509 certificate instalation

    Hi all..
    We had exported an X.509 certificate from an https site from one of our vendors...
    then we imported this file using the keytool command as shown...
    keytool -import -alias [AliasgoesHere] -file /tmp/[filename].cer -keystore ticketKeyStore -storepass [mypassword]
    Then in the VA we uploaded it into the TrustedCAs.
    However, when we run a webservice that shall use this certificate we are receiving the error... "unknown certificate"
    Anyone know if we are missing any steps???

    Hi Kerubon,
    you will need the following JAR-Files to resolve the imports (only at development time):
    - keystore_api.jar
    - tc_sec_ssf.jar
    For runtime you define the following sharing references if you do not want to deploy the jars with your application (SAPJ2EE::interface:keystore_api, SAPJ2EE::library:security.class)
    Here's the code:
    // JDK imports; KeystoreManager and SsfProfileKeyStore come from the SAP JARs listed above
    import java.security.KeyStore;
    import javax.naming.InitialContext;

    try {
      // get profile from keystore service of J2EE engine
      InitialContext ctx = new InitialContext();
      KeystoreManager manager = (KeystoreManager) ctx.lookup("keystore");
      // open the DEFAULT keystore view
      KeyStore ks = manager.getKeystore("DEFAULT");
      // alias of the PRIVATE KEY entry that also contains the certificate
      String alias = "TEST-cert";
      SsfProfileKeyStore profile = new SsfProfileKeyStore(ks, alias, null);
      // Here you can fetch the certificate from the profile or do stuff with your certificate
      String subjectDN = profile.getCertificate().getSubjectDN().getName();
    } catch (Exception ex) {
      ex.printStackTrace();
    }
    Make sure you access the DEFAULT Keystore so you won't get into trouble with permissions (I suggest you store your certificates in DEFAULT)
    Note that when creating a certificate you will mostly get 2 entries (PRIVATE KEY and certificate entry). Make sure that for alias you use the name of the PRIVATE KEY entry that also contains the certificate!
    Hope this helps (Please reward points if helpful)
    Cheers

  • X.509 certificate support in OWSM

    Hi,
    I am now considering to use OWSM or Oracle AS webservice security to secure my webservices, which I use in my current project. Due to project requirements and specifications, I am focused on X.509 certificates for webservice security.
    I have read a lot about both, but I am wondering if I can use X.509 certificates with OWSM. In the administration guide it is said that OWSM has support for X.509 for authentication. However, I can't find clear documentation about it on OTN.
    In the Oracle AS webservices security guide, I can find a lot of information about using X.509 certificates, both on the client and server side.
    I am also considering the possibility to use the Webservice assembler in Oracle AS webservices to generate the webservice client with security handlers and use OWSM to deal with the security policies on the server side.
    I hope you can provide me some feedback about my considerations described above..
    Kind regards,
    -Tom


  • X.509 Certificates on Java Card

    Hi,
    I'm a newbie on this and am looking for any help I can get.
    I am wanting to store or generate an X.509 certificate securely on a Java Card for an application which either requests the certificate or gets details from the certificate to the application.
    I am currently using keytool to generate certs to get an idea of things. I have no hardware (card/reader) and am currently reliant on SUN's jcwde .
    I have looked for proprietary javacard api's on X.509 and found nothing on this. So I guess I will have to write my own code to do the job using the standards involved.
    What I guess I'm looking for is anyone out there to tell me whether it is feasible to do what I wish and any pointers on how to go about it.
    Thanks in advance ...

    You can't generate a cert on the card because of the technology of certs. Of course, you can store them on the card. It's up to your design how to store it. For example, you might want to store it in PKCS#15 format, or just raw data format, or actually importing the private key using the JC API. Keep in mind you can generate keys on card using the JC API.
    What you are describing is very common with PKI solutions that need a secure token. The smart card is that token.
