OAAM 10g setting up encryption
Hi,
I am trying to install OAAM 10g and I am stuck on the part about setting up encryption to load IP location data. What I have done so far:
1) loaded the schemas in the DB
2) generated the keystores as per the instructions
3) copied system_db.keystore into my classpath and updated the bharosa_server.properties file with the encrypted values for the keystore password and the alias password
4) running the loadIPLocationData.sh script throws the following exceptions:
2011-03-14 18:01:27,141 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - getKeystore error lType=JCEKS, lKeyStoreFilename=system_db.keystore, lPassword length=0
java.io.IOException: Keystore was tampered with, or password was incorrect
    at com.sun.crypto.provider.JceKeyStore.engineLoad(DashoA13*..)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.getKeystore(KeystoreKeyRetrieval.java:158)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.init(KeystoreKeyRetrieval.java:79)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.<init>(KeystoreKeyRetrieval.java:42)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getKeyRetrievalClass(BharosaCipher.java:393)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:208)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,143 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - Exception while retrieving the Key pAlias=DESede_db_key_alias, alogrithmId=22
java.security.KeyStoreException: Uninitialized keystore
    at java.security.KeyStore.isKeyEntry(KeyStore.java:1032)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.getKey(KeystoreKeyRetrieval.java:122)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.init(KeystoreKeyRetrieval.java:79)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.<init>(KeystoreKeyRetrieval.java:42)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getKeyRetrievalClass(BharosaCipher.java:393)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:208)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,154 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - Exception while Instantiating com.bharosa.common.util.cipher.DESedeCipher with pKeyRetrievalIntf.
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getPasswordClass(BharosaCipher.java:441)
    at com.bharosa.common.util.BharosaCipher.initCipher(BharosaCipher.java:90)
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:68)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
    at com.bharosa.common.util.BharosaCipher.getCipherFromCache(BharosaCipher.java:143)
    at com.bharosa.common.util.BharosaCipher.getCipherObject(BharosaCipher.java:109)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:210)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
Caused by: java.lang.NullPointerException
    at com.bharosa.common.util.cipher.DESedeCipher.generateKey(DESedeCipher.java:79)
    at com.bharosa.common.util.cipher.DESedeCipher.init(DESedeCipher.java:59)
    at com.bharosa.common.util.cipher.DESedeCipher.<init>(DESedeCipher.java:52)
    ... 43 more
2011-03-14 18:01:27,156 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - initCipher pEncryptionAlgorithmId=22, pEncAlgoClassnameStr=com.bharosa.common.util.cipher.DESedeCipher, isClientKey=false, lPrefix=vCSKC
java.lang.NoSuchMethodException: com.bharosa.common.util.cipher.DESedeCipher.<init>()
    at java.lang.Class.getConstructor0(Class.java:2706)
    at java.lang.Class.getConstructor(Class.java:1657)
    at com.bharosa.common.util.BharosaCipher.getPasswordClass(BharosaCipher.java:449)
    at com.bharosa.common.util.BharosaCipher.initCipher(BharosaCipher.java:90)
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:68)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
    at com.bharosa.common.util.BharosaCipher.getCipherFromCache(BharosaCipher.java:143)
    at com.bharosa.common.util.BharosaCipher.getCipherObject(BharosaCipher.java:109)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:210)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,158 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - getCipherFromCache caching cipher lCacheKey=22-0, size=0, pEncryptionAlgorithmId=22
java.lang.RuntimeException: Cipher could not be initialized with Enum Id [22] KeyRetrievalIntf [com.bharosa.common.util.cipher.KeystoreKeyRetrieval@ecb3f1]
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:72)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
What should I do? Am I required to put the original encryption key somewhere?
Thanks in advance
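The first ERROR record in the trace above already points at the root cause: `lPassword length=0` means `KeyStore.load` was called with an empty password, which is exactly what the JCEKS "Keystore was tampered with, or password was incorrect" IOException reports. The "Uninitialized keystore" error, the NullPointerException in `DESedeCipher.generateKey` and the final "Cipher could not be initialized" record then follow from that single failure, so the thing to check is whether the encrypted keystore-password property in bharosa_server.properties is being read and decrypted at all. The script below is an added example, not code from the thread or from OAAM: it groups each ERROR headline with the exception line that follows it, extracts the KeyStore.load parameters from the first record and classifies the root cause so the later records are recognised as a cascade rather than as separate problems. The log format and field names come from the post; the regular expressions and the constructed excerpt are assumptions about that format.

```python
"""
Triage helper for the keystore failure in the trace above.  Added example,
not OAAM code: it groups each ERROR headline with its exception line, reads
the KeyStore.load parameters out of the first record and classifies it.
"""
import re

# Constructed excerpt of the post's log: headline and exception line of four
# of the ERROR records, stack frames omitted.
SAMPLE_LOG = """\
2011-03-14 18:01:27,141 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - getKeystore error lType=JCEKS, lKeyStoreFilename=system_db.keystore, lPassword length=0
java.io.IOException: Keystore was tampered with, or password was incorrect
2011-03-14 18:01:27,143 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - Exception while retrieving the Key pAlias=DESede_db_key_alias, alogrithmId=22
java.security.KeyStoreException: Uninitialized keystore
2011-03-14 18:01:27,154 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - Exception while Instantiating com.bharosa.common.util.cipher.DESedeCipher with pKeyRetrievalIntf.
java.lang.reflect.InvocationTargetException
2011-03-14 18:01:27,158 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - getCipherFromCache caching cipher lCacheKey=22-0, size=0, pEncryptionAlgorithmId=22
java.lang.RuntimeException: Cipher could not be initialized with Enum Id [22] KeyRetrievalIntf [com.bharosa.common.util.cipher.KeystoreKeyRetrieval@ecb3f1]
"""

# Assumed record layout: "<date> <time> ERROR [app=...] [thread] <logger> - <message>"
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) ERROR \[app=[^\]]+\] \[[^\]]+\] (?P<logger>\S+) - (?P<msg>.*)$"
)
# Parameters that KeystoreKeyRetrieval logs before KeyStore.load fails.
GETKEYSTORE_RE = re.compile(
    r"getKeystore error lType=(?P<type>\w+), lKeyStoreFilename=(?P<file>\S+), "
    r"lPassword length=(?P<pwlen>\d+)"
)


def parse_error_records(log_text):
    """Return the ERROR records in log order, each with the exception line that follows it."""
    records = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "logger": m["logger"], "msg": m["msg"], "exception": None})
        elif records and records[-1]["exception"] is None and line and not line[0].isspace():
            # The first non-indented line after a headline is the exception class and message;
            # indented "at ..." frames and "... N more" lines are skipped.
            records[-1]["exception"] = line.strip()
    return records


def keystore_params(records):
    """Parameters KeyStore.load was called with, taken from the first getKeystore error."""
    for rec in records:
        m = GETKEYSTORE_RE.search(rec["msg"])
        if m:
            return {"type": m["type"], "file": m["file"], "password_length": int(m["pwlen"])}
    return None


def diagnose(log_text):
    """Classify the earliest failure; every record logged after it is reported as its cascade."""
    records = parse_error_records(log_text)
    if not records:
        return {"root_cause": "no_error_records", "keystore": None, "cascade": []}
    params = keystore_params(records)
    first_exc = records[0]["exception"] or ""
    if params is None:
        cause = "first_error_is_not_keystore_load"
    elif params["password_length"] == 0:
        # KeyStore.load ran with an empty password: the configured (encrypted) keystore
        # password was not read or not decrypted before the keystore was opened.
        cause = "empty_keystore_password"
    elif "password was incorrect" in first_exc:
        # JCEKS reports a wrong password and a corrupt file with the same message.
        cause = "wrong_password_or_corrupt_keystore"
    else:
        cause = "keystore_load_failed"
    cascade = [r["logger"].rsplit(".", 1)[-1] + ": " + (r["exception"] or "") for r in records[1:]]
    return {"root_cause": cause, "keystore": params, "cascade": cascade}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("root cause:", result["root_cause"], result["keystore"])
    for entry in result["cascade"]:
        print("cascade:   ", entry)
```

Run it against the real loader log instead of `SAMPLE_LOG` by reading the file into `diagnose()`; the same parser works on the full trace because stack frames are indented and are skipped.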
Similar Messages
-
Setting up encryption on an already installed Arch setup?
Recently I have been thinking about setting up encryption on my already installed Arch setup. I would reinstall and encrypt it that way, however I do not have an external HDD big enough to back up everything, so I was wondering if it is possible to encrypt a hard disk on an already installed Arch setup. I have two partitions, /dev/sda1 and /dev/sda2, and would like to encrypt both while not having to reinstall.
Can anyone help? Thanks!
Edit:
Alternatively, could I reinstall it and use encryption in the install in such a way that it retains my file contents?
Last edited by ThatPerson (2013-07-30 12:41:13)
I use rsync rather than tar to do what Stebalien is suggesting here. I use btrfs, and my root filesystem is actually a subvolume. So I mount the entire btrfs filesystem (from subvolid=0) at /var/lib/btrfs-root. By doing this, it makes it much easier to simply rsync (or tar) from that mountpoint to the backup mountpoint. This makes it so that I can actually back up the system I am running off of without explicitly excluding all the volatile directories (like /sys, /tmp, /proc, etc.). Though I think a more sane approach, since I use btrfs, would be to snapshot each subvol and rsync those instead.
I guess what I am trying to get at is that if you were to create something like /mnt/system and /mnt/backup, mount your rootfs to /mnt/system (and then possibly your home partition to /mnt/system/home), then mount the backup destination to /mnt/backup, you could simply do something like:
# rsync -aAXv /mnt/system/* /mnt/backup
Then of course you would have to put it all back after you set up LUKS/dm-crypt.
This installation I use has been through a few different drives and trying and removing LUKS/dm-crypt. I have also changed filesystems, switched to LVM2, tried mdadm RAID0, mdadm RAID1, and eventually went back to btrfs. So as mentioned above, there is really no need to reinstall just to change the underlying layout of the HDD/SSD. Of course this assumes that you have a spare drive with the space to copy your entire filesystem to... but then you should have backups anyway, right?
-
How do I set Force Encryption using PowerShell
I have to automate the task of setting Force Encryption (within Properties under SQL Server Configuration Manager, Network Configuration, Protocols for MSSQLSERVER). Do you know the PowerShell command to set Force Encryption to Yes? Any help would be appreciated.
I can see some TCP configurations with this command, but I cannot see the Properties:
$MachineObject = new-object ('Microsoft.SqlServer.Management.Smo.WMI.ManagedComputer');
$ProtocolUri = "ManagedComputer[@Name='" + (get-item env:\computername).Value + "']/ServerInstance[@Name='MSSQLSERVER']/ServerProtocol";
$tcp = $MachineObject.getsmoobject($ProtocolUri + "[@Name='Tcp']");$tcp;
I had to use a registry hack to change this value. Unfortunately, it is not the best way to make changes to a SQL server:
$RegKey = "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQLServer\SuperSocketNetLib";
Set-ItemProperty -path $RegKey -name ForceEncryption -value "1";
-
Trying to set up encrypted mails but I'm confused about certificates and keys
Hello all,
My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
Thanks in advance.
Stuart.
Stuart8, good find, that article.
I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(
-
How to set an encrypted value on a ConfigurationProperty when working offline
So, I have a particular instance of configuration property that I am trying to modify when working on a domain offline, in particular during the configuration of a domain template in final.py.
wls:/offline>ls()
-rw- EncryptValueRequired true
-rw- EncryptedValueEncrypted {3DES}istgZKedh7j6eu/9GdqXMg==
-rw- Name IntegrityKeyPassword
-rw- Notes null
-rw- Value null
wls:/offline>prompt()
As I am working in offline mode cmo.setEncryptedValue() doesn't appear to work as it complains there is no such attribute. I can set "Value" but the server only reads the encrypted value so that doesn't help me.
I did work out how to calculate the encrypted value using weblogic.security.Encryption; but I can't find a set(...) or cmo.setXXX(...) combination that works. It is very likely something very obvious,
Thanks,
Gerard Davison
Hi Gersh
Sorry for my late reply and thanks for your helpful information.
I tried the second way of your information and I could configure it.
And I 'll try first way of your information.
Regards,
Keisuke
-
Where can I find setting to encrypt backup on iTunes
Where can I find setting in ITunes to encrypt backups?
It's in the Summary Pane Options section when your phone is connected to iTunes.
-
SSO and Form 10g, Setting RAD of OID for DB users identified externally
Please Help!
Current environment:
- All users were created with identified externally in Database (OPS$)
- SSO was setup correctly according to OID admin guide Ch 43 and SSO admin guide ch 8 for App10g. (user login orasso without seeing basic auth/sso login form)
- DB parameters:
remote_os_authent=TRUE
os_authent_prefix=' '
issues:
- set ssoDynamicResourceCreate = true
When user hit the form link, i.e. http://host:port/forms90/f90servlet?config=test&form=appwelcome
it redirects to http://host:7777/oiddas/ui/oracle/ldap/das/mypage/AppCreateResourceInfo?...
where it shows Resource Name TEST and prompts username/password/database
when user inputs window logon /password/database value (same as in form6i)
it returns ORA-01017: invalid username/password; logon denied.
- set ssoDynamicResourceCreate = false
manually set RAD for the end user (I am not sure if I am doing this correctly):
Name = test
TYPE = oracledb
username = (blank)
password = (blank)
database = prod
When enduser hits the form link, it returns ORA-01017.... same errors.
Any ideas how to troubleshoot and configure RAD for users with OPS$ auth?
thank you in advance!
Kan
Thank you for your input!
This is how our current production is setup that users use os authent (OPS$) to access forms/reports 6i. I'm just trying to migrate it to app10g environment.
I did configure SSO with WNA, it works fine. Any users can access NON-DB connected forms/reports. Only when forms/reports require DB conn, users who
have db password can access them with one click. But users identified externally will keep seeing Oracle Logon and Ora-01017 after authent into MidTier.
Setup RAI with one real db user account is not ideal since there are 1000+ OS authent users who have different database roles. Turn off the OPS$ and setup dummy password for 1000+ users may be the last solution.
v/r
Kan
-
Oracle 10g - Set Operator Union Causing Timeout Network problem
Purpose is to get all of the customers not contacted given a starting date and current date(sysdate). The problem is a timeout issue because the query is inefficient. Example: A salesman has 6,946 rows returned from the cust table where his salesid =1163. Then the inner query:
‘SELECT count(Customer_ID) FROM cust_info WHERE info_type_id = 32’
returns 225505 rows just based on this info_type_record.
Next, ‘SELECT c.customer_id
FROM customer c,
event e
WHERE c.salesperson_id = 1163
AND e.eventdate BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
AND c.customer_id = e.customer_id
GROUP BY c.customer_id’
Returns 231 rows
Finally, ‘SELECT c.customer_id
FROM customer c,
note n
WHERE c.salesperson_id = 1163
AND n.created_date_time BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
AND n.note_type_id IN (1,3,4)
AND c.customer_id = n.pk_id
AND n.table_name = 'CUSTOMER'
GROUP BY c.customer_id’
Returns 399 rows.
How can I improve the structure of this query(see bottom)? The following is a sample data structure:
CREATE TABLE "CUST"
( "CUST_ID" NUMBER,
 "SSN" VARCHAR2(9),
 "SSN_TYP" NUMBER(1,0),
 "CREATED_DTE_TME" DATE,
 "FULLNAME" VARCHAR2(110),
 "F_NAME" VARCHAR2(35),
 "L_NAME" VARCHAR2(40),
 "BDTE" DATE,
 "DCEASED_DTE" DATE,
 "SALES_ID" NUMBER DEFAULT NULL,
 "BRNCH_ID" NUMBER,
 "HOME_BRNCH_ID" NUMBER,
 "TTL_ASSETS" NUMBER,
 "TTL_ASSETS_DTE" DATE,
 "NO_MAILINGS" NUMBER(1,0),
 "NO_CALLS" NUMBER(1,0) ) ;
CREATE TABLE "CUST_INFO"
( "CUST_INFO_ID" NUMBER,
 "CUST_ID" NUMBER,
 "INFO_TYPE_ID" NUMBER ) ;
CREATE TABLE "EVENT"
( "EVENT_ID" NUMBER,
 "EVENTDATE" DATE,
 "CUST_ID" NUMBER,
 "SALES_ID" NUMBER,
 "EVENT_INFO" VARCHAR2(4000) )
ENABLE ROW MOVEMENT ;
CREATE TABLE "NOTE"
( "NOTE_ID" NUMBER,
 "NOTE_TYPE_ID" NUMBER DEFAULT 0,
 "TABLE_NAME" VARCHAR2(50),
 "PK_ID" NUMBER,
 "CREATED_DTE_TME" DATE ) ;
INSERT INTO CUST VALUES(20151,'009529433',1,'01-MAY-5','FRENCH','D','M','01-DEC-01', '05-JUN-05',1163,
NULL,0,NULL,NULL,NULL,NULL);
INSERT INTO CUST_INFO VALUES (15,1001,32);
INSERT INTO EVENT VALUES (5,'05-MAY-05',1001,1163,'NONE');
INSERT INTO NOTE VALUES (100,2,'CUST',1001,TRUNC(SYSDATE));
SELECT CUST.CUST_ID,
 SSN,
 F_NAME,
 L_NAME,
 CREATED_DTE_TME ,
 TTL_ASSETS,
 BRNCH_ID,
 SALES_ID ,
 BDTE,
 SSN_TYP,
 FULLNAME,
 Home_BRNCH_ID ,
 No_Mailings,
 No_Calls,
 DCEASED_DTE,
 TTL_ASSETS_DTE
FROM CUST
WHERE SALES_ID = 1163
AND CUST.CUST_ID NOT IN (
 (SELECT CUST_ID FROM cust_info WHERE info_type_id = 32)
 UNION
 (SELECT c.CUST_ID
 FROM CUST c,
 event e
 WHERE c.SALES_ID = 1163
 AND e.eventdate BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
 AND c.CUST_ID = e.CUST_ID
 GROUP BY c.CUST_ID)
 UNION
 (SELECT c.CUST_ID
 FROM CUST c,
 note n
 WHERE c.SALES_ID = 1163
 AND n.CREATED_DTE_TME BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
 AND n.note_type_id IN (1,3,4)
 AND c.CUST_ID = n.pk_id
 AND n.table_name = 'CUST'
 GROUP BY c.CUST_ID))
AND CUST.ssn IS NOT NULL
AND CUST.DCEASED_DTE IS NULL;
Any guidance is appreciated!
It's not a problem with the SET operator. When you use a date field in the where clause, you must use a date conversion function, otherwise it will get stuck there.
Here is the right SQL, you can try with this:
SELECT cust.cust_id, ssn, f_name, l_name, created_dte_tme, ttl_assets,
brnch_id, sales_id, bdte, ssn_typ, fullname, home_brnch_id,
no_mailings, no_calls, dceased_dte, ttl_assets_dte
FROM cust
WHERE sales_id = 1163
AND cust.cust_id NOT IN (
(SELECT cust_id
FROM cust_info
WHERE info_type_id = 32)
UNION
((SELECT c.cust_id
FROM cust c, event e
WHERE c.sales_id = 1163
AND e.eventdate BETWEEN to_date('10-Feb-2010','dd-mon-rrrr') AND TRUNC (SYSDATE)
AND c.cust_id = e.cust_id
GROUP BY c.cust_id)
UNION
(SELECT c.cust_id
FROM cust c, note n
WHERE c.sales_id = 1163
AND n.created_dte_tme BETWEEN to_date('10-Feb-2010','dd-mon-rrrr') AND TRUNC (SYSDATE)
AND n.note_type_id IN (1, 3, 4)
AND c.cust_id = n.pk_id
AND n.table_name = 'CUST'
GROUP BY c.cust_id)))
AND cust.ssn IS NOT NULL
AND cust.dceased_dte IS NULL; -
OamAuthn cookies are not set with encrypted value in https login with FFbro
We have developed a custom login page which is deployed on the OAM server itself.
In the custom login page we are passing 3 user info values (username, password and request id) as the authentication parameters.
We have developed our own javascript to pass all this information using an ajax call.
Below is the snippet of the ajax method which posts the data to the OAM server.
var uname = $("#username").val();
var pwd = $("#password").val();
// only '&' is escaped here; every other character of the password is sent as typed
pwd = pwd.replace( /&/g, '%26' );
var requestId = $("#request_id").val();
var oamAuthenticationUrl=$("#oamAuthUrl").val()+'/oam/server/auth_cred_submit';
var postdata = "username=" + uname + "&password=" + pwd + "&request_id=" + requestId;
$.ajax( {
type :'POST', url : oamAuthenticationUrl, data :postdata,
complete : function (xmlHttp, statusCode) {
// some code if user login is done successfully ......
}
} );
Here we are making the login page call using the ssl port, like our login page is https://oamserver:14101/.....
This code is working perfectly fine in Internet Explorer, but in Firefox Oracle Access Manager is not setting any value to oamAuthnCookies.
I mean before logging in and after logging in the value of oamAuthnCookies remains the same, like
LoggedoutContinue.
Thanks,
Arun
This is a known issue of CEP (Common Extensibility Platform, a DLL that supports displaying extensions). Code like “document.cookie” in an HTML extension is invalid because CEF (CEP integrated CEF3 to display HTML Extensions) intentionally disables cookies on "file://..." for a variety of reasons.
However, CEP stores cookies at:
Windows: "C:\Users\yourusername\AppData\Local\Temp\cep_cookies"
Mac: "/Users/yourusername/Library/Logs/CSXS/cep_cookies"
Please let me know if more information is needed, thanks -
Hi,
I have a DataBase Oracle 10g, I'm configuring the Advanced Security, and I would like to know if it's possible to configure the server in order to refuse the connections which do not have configured the encryption option that I have defined in the server.
For example: in the server, the sqlnet.ora contains this:
sqlnet.crypto_seed="dsdfrpdstrpgrmmpbmprthmtpommbmptbmpotpre"
sqlnet.encryption_client = required
sqlnet.encryption_types_client = (RC4_40)
but, if the client doesn't have anything defined in its sqlnet.ora, it can still connect to the DataBase.
Can someone help me?
Thanks in advance,
Fernando.
Roger22 wrote:
Ok, thanks for reply
And one more question:
If i have
alter system set encryption key authenticated by "ImOracle";
then the encryption key is ImOracle, like the password for the wallet too? The password for the wallet is ImOracle too?
I found this here: http://oracleflash.com/26/Oracle-10g-Transparent-Data-Encryption-examples.html
(This creates a wallet at the location defined in the sqlnet.ora, sets the password for the wallet for TDE to retrieve the master key for encryption of table keys used to encrypt values in the tables.)
First of all, try to stick with the official oracle documentation website, http://tahiti.oracle.com . Now, the encryption key is the key that is used to encrypt the data of the columns. The above command is setting the master key for the column encryption. Please see,
http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG9525
For the wallet, you set up a password when you set up the wallet using the oracle wallet manager so that should have prompted you for a password.
HTH
Aman.... -
From a 10g Form, Launch a Form Connected to Different Instance
We are migrating a Forms 6i application to 10g. From within a form I need to launch a different form with the new form being connected to a different Oracle database instance.
In 6i client/server we did the following:
p_string := ' ifrun60.EXE module=AR100 userid=uname/pwd@'||v_acctg_connect||' p_cust_no='||v_cust_id||' p_ord_no='||v_order_no;
host(p_string,no_screen);
This obviously will not work for 10g.
Any ideas?
I solved a similar need for launching a report connected to a different instance by using Frank Nimphius' frmrwinteg.jar which sets an encrypted cookie for the userid(pwd@connect string) and web_show_document. This works very well for reports.
Is there a similar solution for forms?
Thanks,
James
Thanks, Jan!
I've seen another promising thread
Re: Launch multiple 10g forms
that touts success utilizing web_show_document. I am now working to try that. -
Setting up site to site vpn with cisco asa 5505
I have a Cisco ASA 5505 that needs to be set up for site-to-site VPN to a Cisco ASA 5500. The 5505 is the remote office and the 5500 is the main office.
IP of the remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct? This is the first time I am setting this up and it cannot be tested until I set it up at the remote office. I would rather know it's correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!
Hi Mandy,
By using the following access list, you define the peer IPs as source and destination:
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
You are not defining the interesting traffic / subnets from both ends.
Make a numbered ACL 101 (you do not have to write the extended keyword then), if you like, as follows, or else a named ACL will also work:
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSEC Rule
!.1..source subnet (called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet (called remote encryption domain) at the other end 192.168.100.0
!.3..I mean you have to define what subnets you need to communicate between, which are behind these firewalls
!..4...Local subnets behind the IP of the main office firewall 209.117.141.82, say
!...at your end 192.168.200.0
!..5.Remote subnets behind the IP of the remote office router 71.37.178.142, say
!...at the other end 192.168.100.0
Please use the Basic Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define the Crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side router or VPN device; that's why they are called mirror ACLs, also called Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
Step 2.
Config the ISAKMP Policy; a minimum of 4 parameters are to be configured:
crypto isakmp policy 10
authentication pre-share ---> 1st parameter of the ISAKMP Policy, setting the Authentication type, is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional, and will negotiate to the lesser value at either end, or by default it will be taken as 86400
Step 3.
Define the Preshared key or PKI which you will use with the other side Peer address 71.37.178.142; either key type 0 is plain text, anyone can see it over the internet, or use key type 6 for an encrypted key; say your password is CISCO123
Here in your case in step 2 Authentication is using PSK; it looks like you have not defined a password.
Use the following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or, but not both,
crypto isakmp key 6 CISCO123 address 71.37.178.142
step 4.
Define the Transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for Authentication.
Here is yours:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH; then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth but no set for encryption, hence AH has no such sets like ah-des or ah-3des or ah-aes; it has only the second set for authentication, like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure the Crypto MAP as follows; only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one Cryptomap can be applied to the OUTSIDE interface, hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set the tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or Proxy ACL in step 1, using match address
Like in your case it is, but the ipsec-isakmp keyword is missing at the last:
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer, called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In your case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ----> Name of the extended ACL defined as WHAT to pass through this tunnel
4. set pfs group5 (this is optional, but if configured at one end the same has to be configured at the other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface, always:
interface outside
crypto map outside_map
Configure the same on the other end, but just change the ACL in step one by reversing source and destination,
and also set the peer IP of this router on the other end.
So other side config should look as follows:
B. Configuration in your Remote PEER having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define the Crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side router or VPN device; that's why they are called mirror ACLs, also called Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
Step 8.
Config the ISAKMP Policy; a minimum of 4 parameters are to be configured:
crypto isakmp policy 10
authentication pre-share ---> 1st parameter of the ISAKMP Policy, setting the Authentication type, is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional, and will negotiate to the lesser value at either end, or by default it will be taken as 86400
Step 9.
Define the Preshared key or PKI which you will use with the other side Peer address; key type 0 is plain text, anyone can see it over the internet, or use key type 6 for an encrypted key; say your password is CISCO123
Here in your case in step 8 Authentication is using PSK; it looks like you have not defined a password.
Use the following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or, but not both,
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define the Transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for Authentication.
Here is yours:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH; then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth but no set for encryption, hence AH has no such sets like ah-des or ah-3des or ah-aes; it has only the second set for authentication, like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure the Crypto MAP as follows; only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one Cryptomap can be applied to the OUTSIDE interface, hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set the tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or Proxy ACL in step 1, using match address
Like in your case it is, but the ipsec-isakmp keyword is missing at the last:
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer, called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In your case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ----> Name of the extended ACL defined as WHAT to pass through this tunnel
4. set pfs group5 (this is optional, but if configured at one end the same has to be configured at the other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface, always:
interface outside
crypto map outside_map
Now initiate a ping.
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug Phase 1 and Phase 2, store it in the buffer without displaying logs on the terminal:
Router#debug crypto isakmp
Router#debug crypto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
To change to Transport Mode, add the following command in Step 4:
(config-transform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to the ACL.
To change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode client-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as the authentication type.
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase 1) negotiation. Important messages are marked in BOLD and the explanation in RED.
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
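The mirror-ACL, peer, transform-set, ISAKMP-policy and pre-shared-key agreement that the answer above walks through in steps 1 to 12, as an added Python example that is not part of the thread and not a Cisco tool: it parses a small subset of ASA-style configuration for each end and reports every mismatch between the two, so a pair of configs can be checked before the trip to the remote office. The `peer_config` builder, the `CONSTRUCTED-PSK` placeholder and the `ESP-AES-256-SHA` / `TSET1` names are assumptions of this example; the outside addresses and the 192.168.200.0/24 and 192.168.100.0/24 subnets are the ones the thread discusses.

```python
import ipaddress
import re

# Crypto ACL in ASA extended syntax: 'access-list NAME extended permit ip SRC SMASK DST DMASK'
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# lifetime negotiates down to the lower value on either end, so only these four must match
MANDATORY = ("authentication", "encryption", "hash", "group")


def _net(addr, mask):  # 'host X' arrives as addr='host', mask='X'
    return ipaddress.ip_network(mask + "/32" if addr == "host" else addr + "/" + mask, strict=False)


def parse_peer(text):
    """Collect crypto ACLs, ISAKMP policies, PSK peers, transform sets and crypto map entries."""
    cfg = {"acl": {}, "policy": {}, "psk": set(), "transform": {}, "map": {}}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            cfg["acl"].setdefault(name, set()).add((_net(src, smask), _net(dst, dmask)))
            continue
        t = line.split()
        if t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["policy"].setdefault(t[3], {})
        elif t[0] in MANDATORY and policy is not None:
            policy[t[0]] = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"].add(t[t.index("address") + 1])  # remember only which peer has a key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = frozenset(t[4:])  # compare the algorithms, not the name
        elif t[:2] == ["crypto", "map"] and len(t) > 5 and t[3].isdigit():
            entry = cfg["map"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
            elif t[4:6] == ["set", "pfs"]:
                entry["pfs"] = t[6] if len(t) > 6 else "group2"  # ASA default when no group is given
    return cfg


def check_pair(a, a_ip, b, b_ip):
    """List the mismatches between peer A (outside address a_ip) and peer B (outside address b_ip)."""
    issues = []
    # the crypto map entry on each side must point at the other side's outside address
    ea = next((e for e in a["map"].values() if e.get("peer") == b_ip), None)
    eb = next((e for e in b["map"].values() if e.get("peer") == a_ip), None)
    for side, e, other in (("A", ea, b_ip), ("B", eb, a_ip)):
        if e is None:
            issues.append("%s: no crypto map entry with 'set peer %s'" % (side, other))
    if ea is None or eb is None:
        return issues
    acl_a = a["acl"].get(ea.get("acl"), set())
    acl_b = b["acl"].get(eb.get("acl"), set())
    if {(dst, src) for src, dst in acl_a} != acl_b:
        issues.append("crypto ACL on B is not the mirror image of the crypto ACL on A")
    ta, tb = a["transform"].get(ea.get("transform")), b["transform"].get(eb.get("transform"))
    if ta != tb:
        issues.append("transform sets differ: %s vs %s" % (sorted(ta or []), sorted(tb or [])))
    if ea.get("pfs") != eb.get("pfs"):
        issues.append("set pfs differs: %s vs %s" % (ea.get("pfs"), eb.get("pfs")))
    pa = {tuple(p.get(k) for k in MANDATORY) for p in a["policy"].values()}
    pb = {tuple(p.get(k) for k in MANDATORY) for p in b["policy"].values()}
    if not pa & pb:
        issues.append("no ISAKMP policy with identical authentication/encryption/hash/group on both sides")
    for side, cfg, other in (("A", a, b_ip), ("B", b, a_ip)):
        if other not in cfg["psk"]:
            issues.append("%s: no 'crypto isakmp key ... address %s'" % (side, other))
    return issues


MAIN_IP, REMOTE_IP = "209.117.141.82", "71.37.178.142"  # outside addresses from the thread
MAIN_NET, REMOTE_NET = "192.168.200.0 255.255.255.0", "192.168.100.0 255.255.255.0"


def peer_config(local_net, remote_net, remote_ip, tset="TSET1", hash_alg="sha", psk=True):
    """Constructed ASA-style fragment for one end; CONSTRUCTED-PSK is a placeholder, not a key."""
    lines = [
        "access-list outside_1_cryptomap extended permit ip %s %s" % (local_net, remote_net),
        "crypto ipsec transform-set %s esp-aes-256 esp-sha-hmac" % tset,
        "crypto map outside_map 10 match address outside_1_cryptomap",
        "crypto map outside_map 10 set pfs group5",
        "crypto map outside_map 10 set peer " + remote_ip,
        "crypto map outside_map 10 set transform-set " + tset,
        "crypto isakmp policy 10",
        " authentication pre-share", " encryption aes-256", " hash " + hash_alg, " group 5",
    ]
    if psk:
        lines.insert(6, "crypto isakmp key CONSTRUCTED-PSK address " + remote_ip)
    return "\n".join(lines)


if __name__ == "__main__":
    main = parse_peer(peer_config(MAIN_NET, REMOTE_NET, REMOTE_IP))
    mirrored = parse_peer(peer_config(REMOTE_NET, MAIN_NET, MAIN_IP, tset="ESP-AES-256-SHA"))
    copied = parse_peer(peer_config(MAIN_NET, REMOTE_NET, MAIN_IP, hash_alg="md5", psk=False))
    for label, remote in (("mirrored remote", mirrored), ("copied remote", copied)):
        print(label, "->", check_pair(main, MAIN_IP, remote, REMOTE_IP) or "consistent")
```

The "copied remote" case is the mistake the answer warns about: the main office config pasted onto the remote end with only the peer address changed, so the crypto ACL is not reversed; the example also gives it a different hash and no pre-shared key so that each check is exercised. Transform sets are compared by their algorithms, which is why the differently named `ESP-AES-256-SHA` on the mirrored end is accepted.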
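A summarizer for `debug crypto isakmp` output like the capture in the answer above, as an added Python example that is not the thread's own code: it reads the lines, records the Old State / New State transitions, the authentication method, the peer that was authenticated, the IPsec SAs with their proxy identities and SPIs, and counts the messages the answer marks as normal so they are not read as errors. `SAMPLE_DEBUG` is a constructed excerpt modeled on that capture; `FAILED_DEBUG` and the two strings in `FAILURES` are assumptions of this example (the Phase 1 failure indicators its author looks for first), not something the thread shows.

```python
import re

# Patterns for the 'debug crypto isakmp' lines that carry the negotiation state
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
AUTH_RE = re.compile(r"SA is doing (.+?) authentication")
PEER_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
# Messages the answer above calls normal; counted so nobody reads them as errors
NOISE = ("Can not start Aggressive mode", "vendor ID seems Unity/DPD", "peer matches *none* of the profiles")
# Assumption of this example: the Phase 1 failure strings its author looks for first
FAILURES = ("atts are not acceptable", "retransmitting phase 1")


def summarize(lines):
    """Condense a debug capture into phases reached, auth method, peer, IPsec SAs and failures."""
    s = {"phase1_complete": False, "phase2_complete": False, "auth": None, "peer": None,
         "transitions": [], "sas": [], "failures": [], "noise": 0}
    sa = None  # the inbound/outbound SA block currently being described
    for line in lines:
        line = line.strip()
        m = STATE_RE.search(line)
        if m:
            sa_id, old, new = m.groups()
            if old != new:  # the debug also logs no-op transitions such as IKE_I_MM2 -> IKE_I_MM2
                s["transitions"].append((sa_id, old, new))
            s["phase1_complete"] |= new == "IKE_P1_COMPLETE"
            s["phase2_complete"] |= new == "IKE_QM_PHASE2_COMPLETE"
        m = AUTH_RE.search(line)
        if m:
            s["auth"] = m.group(1)
        m = PEER_RE.search(line)
        if m:
            s["peer"] = m.group(1)
        m = SA_RE.search(line)
        if m:
            sa = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3), "proxy": None, "spi": None}
            s["sas"].append(sa)
        m = PROXY_RE.search(line)
        if m and sa:
            sa["proxy"] = (m.group(1), m.group(2))
        m = SPI_RE.search(line)
        if m and sa:
            sa["spi"] = m.group(1)
        s["noise"] += any(n in line for n in NOISE)
        if any(f in line for f in FAILURES):
            s["failures"].append(line)
    return s


# Constructed excerpt modeled on the successful capture in the answer above
SAMPLE_DEBUG = """\
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""
# Constructed capture of a Phase 1 that never completes (proposal mismatch, then retransmits)
FAILED_DEBUG = """\
Mar 2 16:20:01.100: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:20:01.120: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:20:01.120: ISAKMP:(0):atts are not acceptable. Next payload is 0
Mar 2 16:20:11.100: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
"""

if __name__ == "__main__":
    for label, capture in (("successful", SAMPLE_DEBUG), ("failed", FAILED_DEBUG)):
        r = summarize(capture.splitlines())
        print(label, "phase1:", r["phase1_complete"], "phase2:", r["phase2_complete"],
              "auth:", r["auth"], "peer:", r["peer"], "failures:", len(r["failures"]))
```

Feed it the buffered log (`show logging` after the `debug crypto isakmp` / `logging buffer` setup the answer describes) one line per list element; the no-op transitions are dropped so the remaining list reads as the Main Mode and Quick Mode progression, and the IPsec SAs come out paired with the proxy identities that must match the crypto ACL on each end.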
This is in regard to hard drive encryption issues in my USB Hard drive. I have Windows 7. I was encrypting my USB hard drive and was able to enter a password. However, I did not receive any prompt to save the Bitlocker recovery key. During the encryption process, I received an error. The encryption process was unsuccessful. However, now when I plug in the hard drive, I receive the following message on the status bar:
Application and Device Control rule Block writing to removable media. Unencrypted drive found (No_Encrypted_Found) has blocked edpa.exe trying to access Volume
{e3901a75-f1ff-11e1-817c-806e6f6e6963 alpha-numeric number appearing here}
When I try to open the drive, it asks for a password. When I enter the password, I am receiving the following error message:
Bitlocker Drive Encryption failed to recover from an abruptly terminated conversion. This could be due to either all conversion logs being corrupted or the media
being write-protected.
I have read that Bitlocker repair tool can help resolve this issue.
However, I just have the password that I had set to encrypt the drive and Bitlocker recovery key identification. Can this help to get access to my hard drive data using the Bitlocker tool.Checked this ?
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/bitlocker-drive-encryption-failed-to-recover-from/232e812b-4f7a-e011-9b4b-68b599b31bf5
Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
the thread. -
Sending encrypted emails from the iPad is not working
I can't get sending encrypted emails working on my iPad 3 running iOS 8.0.2.
Let me explain what I did:
1. I created S/MIME certificates for 2 email addresses on my iMac in Keychain Access. One email address exists only on the iMac, the other only on the iPad.
2. I set "When using this certificate" to "Always Trust" in both certificates.
3. I exported 1 S/MIME certificate (p12) and installed it on the iPad. Then I deleted this certificate and its private and public keys in iMac Keychain Access.
4. I exchanged public certificates between the 2 devices. I installed one certificate in iMac Keychain Access and the other in iPad/Settings/General/Profiles.
5. On the iMac, in the iPad certificate, I set "When using this certificate" to "Always Trust".
6. I tested whether I can send and receive signed and/or encrypted emails.
Results:
1. From the iMac I can send signed and/or encrypted emails to the iPad. On the iPad I can read the encrypted emails. The signature is not trusted.
2. On the iPad I can send signed messages to the iMac. On the iMac the signature is trusted.
I cannot send encrypted emails from the iPad to the iMac. The iPad doesn't know about the public certificate in iPad/Settings/General/Profiles.
So much for the straightforward part. Now it gets a bit more complicated and confusing.
1. I deleted the iMac certificate in iPad/Settings/General/Profiles. Then in iPad Mail I opened the signed mail coming from the iMac. I viewed the untrusted certificate in Mail and installed it. From this point on all signed emails from the iMac are trusted.
Strangely, the certificate installed by this method doesn't appear in iPad/Settings/General/Profiles.
Furthermore, I still cannot send encrypted messages to the iMac. This certificate installation seems to be used only to check the trustworthiness of the signature.
Installing the iMac public certificate in iPad/Settings/General/Profiles on top of that doesn't enable sending encrypted messages from the iPad either.
To be sure that this problem relates to the iPad certificate management and is not related to an error by me, I did the following:
1. I transferred a p12 file for a certificate that I created on my iMac to a PC running Windows 7.
2. I transferred a p12 file plus its public key (.pem) that I created on my iMac to another iMac, into Keychain Access. (I have not tested whether the pem is needed.)
3. On the other iMac and the PC I made sure that the certificates are trusted.
On the PC that means in the Certificate Manager the p12 needs to be in the "Personal" folder and in the "Trusted Root Certification Authorities" folder. The public keys need to be in the "Trusted People" folder and the "Other People" folder. One can just copy/paste the certificates.
4. In both cases I deleted the certificate and public/private keys on my iMac.
5. I exchanged public certificates between the devices.
6. I tested exchanging signed and/or encrypted emails between my iMac and the PC, and between my iMac and the other iMac.
Result:
1. I can send signed and/or encrypted emails to the other iMac and the PC.
2. The PC and the other iMac trust the signature from my iMac and can read the encrypted emails.
3. My iMac can read encrypted emails from the PC and the other iMac.
4. My iMac trusts emails with signatures from the PC and the other iMac.
Everything is working as it should.
After the above test I wanted to see whether I can set up encrypted email exchange between the iPad and the PC. Strangely, iPad Mail recognized the public certificate from the PC installed in iPad/Settings/General/Profiles and allowed me to send an encrypted email to the PC. However, on the PC I was unable to read the encrypted email. And the other way around, encrypted emails sent from the PC to the iPad cannot be read on the iPad.
My conclusion from all this testing is that iPad mail encryption is still "under construction".

I was able to resolve the above described problem to some degree. Setting up sending and receiving encrypted emails between iOS and OS X I have working.
What is still not working is reading encrypted emails on the iPad/iOS 8 received from a Windows 7 PC, and sending encrypted emails to a Windows 7 PC.
The details about how I solved part of the problem are described here.
Need help setting up my d-link wireless router to my imac
I need some help trying to set up my D-Link WBR 2310 wireless router to my iMac. I currently have Bell Sympatico high speed.
The reason I want to set up the wireless router is because my girlfriend works from home sometimes with her office computer downstairs and needs a wireless connection (she has a PC). I tried to call D-Link, but they're useless.
Anyways, any help would be greatly appreciated. It would be great to know what settings to change and as much step by step info as possible. I realize it's probably pretty simple to set up, but I'm fairly new to Macs and also to wireless.
Thanks again

Hello,
Connect the D-Link to the iMac by Ethernet.
Open Safari (or Firefox)
Navigate to http://192.168.1.1
Enter your password (default user is Admin and password "admin" - change it!)
Find the Wireless Security section and change the SSID to your own name i.e. "home network" .
Set the Encryption setting to "WPA" and enter a password of your choice. This is the encryption key and is different to the router's admin password.
Configure the WAN part of the router (which will vary depending on your ISP).
Configure the DHCP to serve clients (should be a simple on/off).
Disconnect the iMac
Go to the iMac and turn Airport on (on the menu bar).
When the iMac finds your SSID select it and enter the encryption password.
Check to allow Keychain to store that detail.
Hope that helps
mrtotes