MomCertImport and multiple certificates

I cannot find this information anywhere on the net. Here is the scenario.
I have a fully deployed SCOM 2012 environment and multiple gateway servers that are functioning without any issues. Agents in the untrusted domains are reporting to the gateway servers as designed. The mutual authentication is working as designed as the
certs use the same trusted Root Certificate Authority.
Here is my question:
I want to add another gateway server for a DMZ that doesnt use the same trusted Root Certificate Authority. In my lab I run the MomCertImport.exe on the gateway server. This works fine but when i run the MomCertImport.exe on the management server it replaces
the current certificate int he registry which in turns breaks the other gateways. 
What is the best supported approach to resolve this? Standing up more servers? Is this documented anywhere?

I believe both the management server and gateway need to trust the same CA. However, theoretically, if these can both "see" each CA, you should be able to import the root ca chain on both machines and everything should pan out ok. If they cannot
both see each CA, then I think you're out of luck - unless you opt for a internet trusted root ca, and that costs $.
Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

Similar Messages

  • ISE 1.2 and multiple certificates

    Hello,
    Hopefully someone can answer this question.  We have ISE 1.2 setup and running, 802.1x and user and computer certificates.  All is working fine except some users have two user certificates, one from our server the other from our parent company.  When these users log in they get a bubble message saying "additional information is required to connect to the network", they click on this and they are asked to pick a certificate.  If they pick the one from us all works. 
    Question, is there a way either in Windows or ISE to use our certificate by default?  The PCs in question all have the cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8. 
    Thanks

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1documentation to 1.2 and never updated it. We have it in writing from Cisco tac. 

  • Web services and multiple certificates

    I originally posted this question in the SOA forum, but someone suggested this forum as well. So, here we go...
    Hi, I am trying to consume a secure web service on ECC 6.0 - so far without much luck.
    When I try to connect to the ws server, it seems there are three certificates in action: a CICS certificate for establishing the SSL connection, a 'root' certificate from the PKI certificate issuer, and a private certificate issued by the above issuer (please forgive me if a have the syntax wrong - certificates are not my primary line of work). So, using Trust Manager (STRUST), I have created a PSE named 'OES' and imported all three certificates into it.
    In SOAMANAGER I have set up the end-point using the WSDL-file and set the following parameters:
    - Authentication Method = X.509 Client Certificate
    - Trustworthiness Method = Holder of Key
    - Issuer = <issuer from the root certificate>
    - Name of Attester = <blank>
    - Validity of SAML Assertion = 180
    - Caching of SAML Assertions = False
    - Attester System Destination = <blank>
    - Name of Attester = <blank>
    - User = SRxxxWS
    - Password = <blank>
    - Client PSE = OES
    When I try to consume the web service, I can see in the log files that the CICS certificat is used for establishing the SSL connection but all I receive back is an HTTP 403 "Client Authentication Error". If I remove the CICS certificate from the PSE, the connection is not made.
    How do I make the client certificate available for the connection? Have I approached the problem from the wrong side? Has anybody experienced something similar? Any help will be highly appreciated.
    Thanks,
    Bo

    Thanks for the reply! I'm no expert either, that's why I'm
    here!
    Yes, the certificate for the server is loaded. I'm doing this
    all on one machine, so I just loaded it's own server certificate
    into the trust store. The problem is the server is protected by
    client authentication via certificates. I guess I'm relating this
    to a regular request, where if you have a server that requires
    certificates, you can pass along the cert in an CFHTTP call with
    clientCert parameter. Here we are calling a page that invokes the
    web service which is really another request. This is where the
    issue is, since I don't see how to send along the certificate
    information in the invoke call.
    Thanks for the help!

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under
    the
    url fonzie.bigshop.com.au
    We have a verisign certificate setup up for 128 bit ssl under the
    knownname
    fonzie.bigshop.com.au
    All ssl connections that connect to the site with this url are able to
    establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the
    website. The public url for the website will be www.bigshop.com.au
    We have generated new public/private key pair and a Certificate Signing
    Request (CSR) and have ordered a new certificate from verisign
    Could you please advise if it is possible to operate two certificates
    for
    the one server. This will allow our www.bigshop.com.au and
    fonzie.bigshop.com.au url's to operate concurrently and enable both to
    establish SSL session with valid certificates.
    Is what they want to do possible ?? any suggestions
    appreciated,
    regards,
         Patrick.

    Did you ever figure out how to use multiple certificates to the sameserver? I have a need to do this also. Thanks a lot.
    In current versions of weblogic (5.1,6.x,7.0,8.1), you can configure only
    one certificate per server.
    -utpal

  • Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?

    Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?
    Scenario: We have a few legacy certificates based on some legacy templates (2012 R2). Some belong to an old SubCA (2008 R2).
    I’ve can manually export them using certmgr mmc on the local machine to a single .p7b e.g.
    cert_backupNEW.p7b. But this is not a practical solution for me and I want to achieve this remotely via certutil or some other util that comes with Windows 7 machines.
    I’ve already worked out how to run a certutil command to add the certs back into the store e.g.
    certutil.exe -addstore -f my cert_backupNEW.p7b
    Is there a way to export multiple certs to a single backup cert, or is what I’m trying to do not possible with multiple certs?
    TC

    Something like this:
    $store = New-Object Security.Cryptography.X509Certificates.X509Store "my","localmachine"
    $store.Open("ReadOnly")
    Set-Content -Path exportedcerts.pfx -Value $store.Certificates.Export("pfx","password")
    $store.Close()
    note that this command will fail, if there are certificates with non-exportable keys. You cannot export certificates with non-exportable keys.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • Multiple certificate stored in Browser

    I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
    eg. with these User DN:
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    By requesting certificate several times from the same PC using several user account, have result in multiple certificate stored in Browser.
    When visit my secure web using Internet Explorer 6, a window raised and lists these
    "users"
    "users"
    "users"
    By using Netscape Navigator 7.1: a window appear with a bit more information display
    "users's myOrganisation"
    "users's myOrganisation"
    "users's myOrganisation"
    and some explanation eg
    Issued to:
    Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
    Serial Number: 1C
    Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
    Issued by:
    Subject: CN=MyCcertificate Authority,...
    How to display USER NAME (according to CN) in the list instead of "users" ?
    or this is the expected behaviour?
    TIA,
    ferry

    Ok. I've found the solution.
    For reference to all you guys:
    ByteArrayInputStream bais = new ByteArrayInputStream( (byte[])attr.get() );
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    cert = (X509Certificate)cf.generateCertificate(bais);

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • 2008R2 Connection Broker internal vs external name and UCC Certificates

    I have a RD Farm, all in 2008R2.  Consisting of Gateway, Connection Broker, multiple Session Hosts.  They belong to an AD Domain, xyz.local.  The machines have AD names, CB.xyx.local, GW.xyz.local, SH1.xyz.local, SH2.xyz.local.
    The internal DNS system has a Zone for the External Domain, MyDomain.com.  There are host records for the farm, rdpfarm.mydomain.com pointing to the Internal IP of the farm.
    The farm is accessible on the Internet at rdpfarm.mydomain.com via Public DNS.
    We have a VeriSign Public UCC Certificate, that has the public MyDomain.com SAN's for the hostnames for all the machines,  CB.MyDomain.com, GW.MyDomain.com, SH1.MyDomain.com, SH2.MyDomain.com, and the farm name is the Common Name rdpfarm.MyDomain.com. 
    (Note, as of soon, internal Domain names are no longer allowed on UCC Certificates)
    I have tried everything I can find to get the Gateway and/or the Connection Broker to answer using the rdpfarm.MyDomain.com name and match the Certificate, without success.
    As I recall in Exchange Server we face a similar problem, but there is a method in Exchange to cover this.  If there is one for an RD farm, I cannot find it.
    Any help here would be greatly appreciated.

    Hi,
    Thank you for posting in Windows Server Forum.
    Did you receive any particular error during\event id this issue?
    For certificate, here is requirement for RDS server which need to have for successful configuration.
    Basic requirements for Remote Desktop certificates:
    1. The certificate is installed into computer’s “Personal” certificate store. 
    2. The certificate has a corresponding private key. 
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
    In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
    Please check below article for information.
    a. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    b. Configuring Remote Desktop certificates
    c. Dealing to the annoying certificate errors and multiple credential
    requests in Remote Desktop Services 2008 R2
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Points System Incorrectly invalidated $50 and $5 certificate, left with $40...

    To whom it may concern,
    I received an email back on 12/24/2013 stating that My Best Buy redeemed my points for a $50 certificate.  I continued to purchase items without using the certificate.  On 12/30/2013, I received another email stating that My Best Buy redeemed additional points for a $5 certificate.  I have not made any additional purchases since the $5 certificate and yet when I attempted to use both of the certificates the other day, I was told they were not valid and had likely been used.  The only thing that I have returned was purchased on 12/30/2013 after receiving the $5 certificate.  The tablet was then returned in the following two days.  I know from previous experience that Best Buy only awards points on purchases at a minimum 30 days after the purchase has been completed to ensure that the awarded points are only given on items that have been kept.
    Given this, why is it that your system invalidated my $50 and $5 certificates, and then proceeded to give me a $40 certificate instead? What happened to the additional points that your system issued back prior to downgrading me to a $40 certificate???  I'll be honest with you - I have already had multiple displeasing experiences at Best Buy and hope this will not be another one.  I can assure you that if it is, I will be transitioning my purchases to Amazon instead of through your company.
    Please advise...

    Good morning mrod5167, and welcome to the forum,
    I can understand having questions if it appears that points are missing from your account or if certificates were cancelled for some reason.  After using the email address you registered with the forum to review your My Best Buy™ account, I believe that I can explain why those certificates were cancelled.  Whenever a return is processed, any points that were awarded for the original purchase would be removed.  The returns that you processed at the beginning of the year involved bonus points that you had been awarded from one of our private shopping events, so when removed caused your points balance to go negative and the two certificates to be cancelled.  Once the point values for the two certificates reposted to your account, you no longer had a negative balance, but only enough for a $40 certificate.
    I hope that explanation helps; however, if you do have additional questions, please feel free to send me a private message and I will see what I can do to further assist.  A private message can be sent by clicking on the blue button located within my signature.
    Thank you for reaching out to us.
    Derek|Social Media Specialist | Best Buy® Corporate
     Private Message

  • Multiple Gateways - multiple certificates?

    I am trying to setup a Gateway to another domain. We already have one Gateway setup to a different domain. As soon as I ran the Momcertimport on the first Management Server the existing gateway stopped communicating. I cannot find out why. We have different
    certificates for the different domains, was this a mistake? Should only one certificate be used for all gateways?

    Hi,
    As far as I know, we should request certificates for each Management and Gateway server, and export certificates (.pfx), and then copy certificates to management and gateways servers.
    Please refer to the below link for more details:
    http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
    Deploying SCOM Gateway Certificates when ADCS Web Enrollment is not enabled
    http://www.systemcentercentral.com/deploying-scom-gateway-certificates-when-adcs-web-enrollment-is-not-enabled/
    Regards,
    Yan Li
    Regards, Yan Li

  • Is SSL and multiple websites possible with Lion Server?

    this is the obligatory apology from a nub here....
    I have not been a sys admin since the days of NT 4.0.
    I like to think that "hey, i might need a touch up here and there, but I think I can find my way around..."  Wrong.
    I have been searching, and reading and searching and reading, and trying everything I can think of..  and I CAN NOT figure out how to get mutliple websites working with Lion Server, using self signed certs 1 for each of my subdomains.
    Has anyone, anywhere (thank you google for returning searches to me from 2004?!?!  More puzzled confusion....)  posted a step by step guide yet??? 
    I have a mac mini, and I have two domain names that are resolving to my exterinal interface on my router just fine, and I have tried what I thought was
    every different possible combination of voodoo, magic, 00000...MoreTestingNeeded.conf, and all the other tricks.
    Is it possible to get ssl and multiple websites working with one IP address? 
    Thanks...

    Thank you very much for your time and input.  My birthday was fantastic! Thanks for asking.
    I found out about SNI while researching an error I was getting in the log.  I really never found any definitive "this is what you need to do", so I was going to get back to it later.
    You probably know this, but Lion Server breaks out all of the virtual hosts into seperate documents in the "sites" directory.   All I do is I launch the server.app, and in the web component, I enter the name of the website that I want to resolve to my server, and I give it the path to the docs.  Thats it.  There is no DNS configuration to speak of, on my part, and I don't believe that its necessary (?) to touch the httpd.conf file at this point yet either, even though I think I hear others saying you do.  (I have no issues with getting into the file and making any changes, I just thought it was interesting.)
    I am still trying to figure out how a user is supposed to add any other types of services LIKE ftp, etc.  I know and use the server admin tools, but I have found that the app really does do its job in terms of creating all the dns records for resolving the sites you create.  I sure hope its not just using the host file, is it? I never see any additional files in the DNS manager, for any of the subdomains.  Where are they?
    Here is the contents of what appears to be the first file read, that is for SSL enabled sites:
    ``````````````````````````````````````````````````````````````````
    This is "0000_any_443.conf:"
    `````````````````````````````````````````````````````````````````
    ## Default Virtual Host Configuration
    NameVIrtualHost *:443
    <VirtualHost *:443>
      ServerAdmin [email protected]
      DocumentRoot "/path/to/the/docs"
      DirectoryIndex index.html index.php /wiki/ default.html
      CustomLog "//log" cmbndvhst
      ErrorLog "/"
      <IfModule mod_ssl.c>
      SSLEngine On
      SSLCipherSuite "SOMEGARBAGEIDONTKNOWIFISHOULDSHAREORWHAT"
      SSLProtocol -ALL +SSLv3 +TLSv1
      SSLProxyEngine On
      SSLCertificateFile "/sslcerts/certs/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXXX.cert.pem"
      SSLCertificateKeyFile "/sslcerts/certs/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXX.key.pem"
      SSLCertificateChainFile "/path/*.DOMAIN.COM.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.chain.pem"
      SSLProxyProtocol -ALL +SSLv3 +TLSv1
      </IfModule>
      <Directory "/Path/To/The/Docs/XXXX/SDFSDD">
      Options All +MultiViews -ExecCGI -Indexes
      AllowOverride None
      <IfModule mod_dav.c>
      DAV Off
      </IfModule>
      </Directory>
      Include /httpd_passwordreset_required.conf
    </VirtualHost>
    ```````````````````````````````````````````````````````````````````````````````` `````````````
    So..  my questions are:
    Where in the .confs do I add what I need from your above items?  Would it go each of the site docs that I need?  I am really not sure what apple is doing here.
    I have 4 domain names resolving to my server right now, and subdomains to each of the domains.  So there are a total of about 10 "site" docs, not a big deal to change each, I just wonder if Lion overwrites these docs with each refresh or what? Also, If I try to add a third .com right now it breaks the whole site.
    (Out of conversation, but I just remembered this.  I just had to "quit" out of the server.app.)  When installing the directory server,  it hangs on "getting certificates". The spinning wheel (not the rainbow collered one, but the black one by the words "Getting Certificates") just sits there and spins.  I finally just hit the red X and relaunch server.
    Lastly, you meniton importing the key.  I am using the key manager within the server app.  I am not sure where and how I would make the cert and key you are referring to for the importing?  I have tried to use the key manager in the OS, but I am not sure of the relationship between that key manager app, and the key manager within the server.app.  I have tried to create certs in the keymanager in the OS side, but I do not know how to get them to show up for use in the keymanager in the server.app.
    BTW: Thanks.   Thanks for the help.  I really appreciate it.

  • Always Access Denied when choosing Automatically Enrol and Retrieve Certificates from MMC

    I am using 2008 R2 Certificate Services to issue certs across multiple forests (although don't let that muddy the waters).
    I have a need to issue certificates for use with s/ldap, so I have duplicated the Kerberos cert and removed all Intended Purposes other than Server Authentication and configured appropriate security to allow Domain Controllers/Domain Admins to enrol. 
    The certificate also requires CA Manager Approval.
    Everything looks good - I am able to enrol for the cert via the MMC, the request goes into pending, and I am then able to issue the cert.  However, when I go back into the MMC on the Server that requested the cert and choose All Tasks | Automatically
    Enrol and Retrieve Certificates, I choose the pending cert and then get Access Denied.
    On the issuing Server, I get an Event 21 in the App Log:
    Active Directory Certificate Services could not process request 8466 due to an error: Access is denied. 0x80070005 (WIN32: 5).  The request was for CN=server.domain.com.
    On the Server that requested the cert, I get an Event 9:
    Certificate enrollment for Local system was denied by servername\Issuing CA when retrieving the pending request for a SecureLDAPCertificate certificate with request ID 8466.
    The strange thing is, if I follow this procedure but using the certsrv website, it works fine and I can install the certificate.
    What am I missing?  Or is this one of those random quirks of AD CS?
    Any help is appreciated.

    Hi,
    Thanks for posting in Microsoft TechNet forums.
    According to the error messages you provided, this can be a permission issue.
    The method of Autoenrollment for a certificate depends on an Active Directory. Considering using Certsrv website was successful, the problem can be that the requester does not have enough permission to access the certificate template in Active Directory
    To autoenroll a certificate template, a user or computer must belong to a security group that is assigned the read,enroll,and autoenroll permissions.
    Only groups that are assigned these permissions are enabled for autoenrollment.
    Could you please answer the following questions for us so that we can troubleshoot the issue more effectively?
    Are the issuing CA server and the requesting CA in the same forest/domain?
    regards
    Ted

  • Multiple certificates on Issuing CA server

    Hi,
    Due to errors multiple certificates were issued from Root CA server for SubCA. Although old certificate was revoked from Root, but I see 2 certificates on Issuing CA. Also, because of 2 certificates, 2 CRLs are getting published everytime for each. Although
    when I see web server certificate issued for IIS, it was signed by new certificate of Issuing CA. Also, in PKIview, I see CDP path for this CA with new CRL.
    But my questions is that how shall I remove old one from Issuing CA as I am not gettign that option. Also, in AD i see 2 certficaates published for that CA. Will that cause any issue.
    Thanks
    Neha Garg

    This is actually a normal state in PKI. When you renew a sub CA with a new key pair, ot will result in multiple CRL files.
    - there is no need to remove the previous subca cert
    - there is no need to revoke the previous subca cert (unless there are config or security issues)
    - make sure the AIA paths use %4 in the paths to keep separate versions
    - make sure that the CDP paths use %9 in the paths to keep separate versions
    - make sure you publish *all* versions of .crts and .crls to *all* publication points
    You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated
    Brian

  • Keychain Access: Adding multiple Certificates, signed by the same CA

    Hello, Community.
    I have recently posted my request for help in this thread:
    http://discussions.apple.com/thread.jspa?messageID=10448884
    Now, I am facing a new problem: I wish to add a new Certificate to the Keychain, but whenever I try, it tells me the item exists, and does not add it to the Keychain. It adds the keys perfectly fine, both public and private, but not the Certificate.
    What can I do to have multiple Certificates, signed by the same CA.
    I cannot add them to my Keychain, so that will be of no help. And I have tried to create every Certificate anew in the same Keychain, but this will not work, either. I created they Certificates and exported them before I went on to the next and they are now on my desktop. This is very inconvenient, as the keychain is distributed over a network as a shared Keychain and resides in a Snow Leopard Server (Domestic version, not Snow Leopard Server). Our business is one day behind, but since it is now weekend, I hope to get this issue resolved by Monday morning, send out the e-mails we should have and update our register with sales.
    Could I please have some advice?
    Also, if this topic is handled in full in another thread, please post the links, so I can read up on this topic and try to find a solution.
    Thank you for your time.
    Kashidom Nenakh
    Mantha Designs incorporated
    http://www.manthadesigns.net
    [email protected]

    http://www.isi.edu/~brian/security/kerberos.html

  • I have one apple ID and multiple family members share this with their devices.  How do we keep pics and messages separate?

    I have one apple ID and multiple family members share this with their individual devices.  How do we keep pics and messages separate for each device?

    For messages
    MacMost Now 653: Setting Up Multiple iOS Devices For Messages and FaceTime
    For other issue:
    How to use multiple iPods, iPads, or iPhones with one computer
    What is the best way to manage multiple...: Apple Support Communities

Maybe you are looking for

  • Control the combo box select of COPY FROM in Delivery Order

    Dear all I have a requirement where in the user wants to restrict the "copy from" button on the delivery order. They want the delivery orders to be created only from Sales orders. So that would mean that i do a bubbleevent = false when any other row

  • ABAP OO - Class cl_bcs

    Hi, I'm quite new to abap oo but...anyway: I get a exception when I try to call call method lo_bcs->set_sender 1. Any pointers to why this code doesn't work. 2. Why can't I do a CREATE OBJECT on lo_bcs. method SETADDRESS_TO_FROM . data: lo_sender typ

  • Vonteera Browser hijacker in about:config, how to remove?

    Hello, I have been infected by a Browser Hijacker, which posts ads on websites. It shows "ads by Volaro" and by doing some reading on the net, Vonteera is involved/ the cause. I have tried to clean the registry and removed several suspicious files fr

  • SSL implementaion on portal

    Hi Gurus, we are planning to implement SSL on EP7.0 can any body help were can i find the documents Thanks and Regards, Kishore

  • DP_PROD_CHK_BADI

    Hi...    i want to deactive the 'Order as Direct' material button. if the material type is non-stock material. How can i check with material type field?? in which table the material type is stored in SRM.which is replicated from backend.. thanks....