Obtaining x.509 certificate or DN

From within an EJB method, how do you obtain the certificate
or DN from the client cert used to establish a mutually
authenticated connection to the EJB?
The goal of this is that we have a mutually authenticated connection between the
EJB caller and the EJB. Now we need to
obtain the identity of the caller in order to apply additional access controls
used for data access.
We are using WLS 7.0
Manual references would be appreciated.
Thank You

After looking at the API for weblogic.jndi.Environment,
it appears that this class has all the methods needed
(e.g. getClientSSLCertificate()).
The only problem is how to get the EJB's current environment,
not a new one. Any ideas? Thanks,
Ben
"Ben Butler" <[email protected]> wrote:
>
>
We are trying to do this as well. We are connecting
from an EJB Client to an EJB, (no web tier involved....)
Thanks, Ben
"Bill Bollhorst" <[email protected]> wrote:
From within an EJB method, how do you obtain the certificate
or DN from the client cert used to establish a mutually
authenticated connection to the EJB?
The goal of this is that we have a mutually authenticated connection
between the
EJB caller and the EJB. Now we need to
obtain the identity of the caller in order to apply additional access
controls
used for data access.
We are using WLS 7.0
Manual references would be appreciated.
Thank You

Similar Messages

  • More than one X.509 certificate was found with the specified parameters

    Greetings All,
    We are getting an error in our application event logs every minute or so and it seems to be causing search queries to fail. Same error is appearing in the ULS logs.
    System
      Provider [Name]: System.ServiceModel 4.0.0.0
      EventID: 3 [Qualifiers: 49154]
      Level: 2
      Task: 5
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2014-06-25T02:30:12.000000000Z
      EventRecordID: 92894
      Channel: Application
      Computer:
      Security [UserID]:
    EventData
    System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064
    System.ServiceModel.ServiceActivationException:
    The service '/0c98374520dc4b748d92a1e51b365dce/SearchService.svc' cannot be
    activated due to an exception during compilation. The exception message is: More
    than one X.509 certificate was found with the specified parameters.. --->
    System.ArgumentException: More than one X.509 certificate was found with the
    specified parameters. at
    Microsoft.SharePoint.Utilities.CertificateManager.GetCertificate(String
    storeName, StoreLocation storeLocation, X509FindType findType, Object findValue)
    at
    Microsoft.SharePoint.Administration.SPIisWebServiceSettings.get_LocalSslCertificate()
    at Microsoft.SharePoint.SPServiceHostOperations.Configure(ServiceHostBase
    serviceHost, SPServiceAuthenticationMode authenticationMode) at
    Microsoft.Office.Server.Search.Administration.SearchServiceHostFactory.CreateServiceHost(String
    constructorString, Uri[] baseAddresses) at
    System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String
    normalizedVirtualPath, EventTraceActivity eventTraceActivity) at
    System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo
    serviceActivationInfo, EventTraceActivity eventTraceActivity) at
    System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String
    normalizedVirtualPath, EventTraceActivity eventTraceActivity) --- End of inner
    exception stack trace --- at
    System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String
    normalizedVirtualPath, EventTraceActivity eventTraceActivity) at
    System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String
    relativeVirtualPath, EventTraceActivity
    eventTraceActivity)
    w3wp
    6328
    Doesn't appear to affect the component health status or the crawling process, only the return of search results.
    Sorry, something went wrong.
    Search has encountered a problem that prevents results from being returned.  If the issue persists, please contact your administrator.
    I checked the certificates snapin, didn't see anything out of the ordinary but I have a feeling it goes deeper than that.
    Where can I remove this duplicate certificate? Thanks!

    Open IIS and check server certificates
    Check if there is any certificate applied to Security token service
    Did you use any certificate for web application in site
    Check binding of all web application in IIS
    Try to browse
    servername/0c98374520dc4b748d92a1e51b365dce/SearchService.svc from all servers, check the certificate details
    If this helped you resolve your issue, please mark it Answered

  • Web service Security using X.509 certificate

    Hi All,
    I have a web service deployed on the SAP Web AS J2EE.
    I want to include Authentication option in my web service
    I have configured the settings for using X.509 certificate(HTTPS) in my
    web service configuration and similarly I've configured my client proxy
    for the same.
    My question is..... from where do I get the X.509 certificate?
    actually I have the .crt and .der files, which I created from
    the visual administrator.
    And also do I need to install anything on my SAP server
    in order to use the authentication service? (Any prerequisite)
    Thanks,
    Talimeren

    Hi Talimeren,
    When you want to use certificates you have to setup SSL which you've started already. You have to get and import a server certificate which authenticates the server while the client creates a SSL connection. The cert has to be assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • Consuming WS using X.509 certificate not working after NetWeaver 7.02 SP08

    Hi
    For more than two years we have had a solution that consumes web services over HTTPS using an X.509 certificate for authentication. Now, after upgrading to NetWeaver 7.02 SP08, the web services no longer work.
    Today, roughly a week after the upgrade, all the logical ports have been set by the system to an Inconsistent state, and have been renamed with a prefix of ERROR.
    When I try to re-create the logical ports I cannot assign the correct PSE file from STRUST to the newly created Logical Port. Previously, we would go into SM59 and set the SSL Certificate to the PSE containing the client and root certificates. But that option is apparently no longer available, see DUETE - Logical Port for OBAfielReciever. 
    I have been able to get the HTTPS communication to work again by copying the SSL certificate of the service provider into the PSE ANONYMOUS. But I cannot get the soamanager to use the client certificate, so I always get a "HTTP Code 403  : Client Authentication Error" back when consuming the web service.
    Any pointers on how to attach the PSE to the logical port would be appreciated.
    Best regards,
    Bo

    Still no ideas ?

  • Configure JAAS login module stack to support x.509 certificates without SSL

    I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
    I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
    What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

    Hi Claus,
    you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
    There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
    Looking at this topic:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
    the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
    So with the above said your LM stack config should look like this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    If this doesn't work I'd suggest opening a support ticket.
    Regards,
    Yonko

  • Failed Calling A X.509 Certificate Secured Web Service From OSB

    Hi,
    I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
    Below is my approach:
    The consumer of the proxy service of OSB signs its SOAP request header.
    My OSB proxy service authenticates the signature and forward the request to business service.
    The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
    This is not working yet. Not sure if my approach is correct or not?
    Thank you,
    Eric

    I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
    The error message is:
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
    In the soap request / response message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
    In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
    In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
    I don't know how to attach document here, so I add long SOAP message here.
         Business Service Testing - BookSec_Biz_Svc_52
         Request Document
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
    <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    </wsse:BinarySecurityToken>
    <dsig:Signature Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
    <dsig:KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </dsig:Transform>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>
    MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
    </dsig:SignatureValue>
    <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <xenc:EncryptedKey Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
    </xenc:EncryptionMethod>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
    Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
    0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
    8JUiohXhiHErTDn6fFQ=
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    </wsse:Security>
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Document
    The invocation resulted in an error: Internal Server Error.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Client</faultcode>
    <faultstring xmlns:lang="en">
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Metadata
    <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
    <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <tran:user-header name="Accept" value="text/xml"/>
    <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
    <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
    <http:Cache-Control>max-age=0</http:Cache-Control>
    <http:Connection>close</http:Connection>
    <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
    <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
    <http:Server>Apache</http:Server>
    <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
    </tran:headers>
    <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
    <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
    <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
    <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
    </con:metadata>

  • ABAP SE37 Web Service and x.509 certificate

    ECC 7.01 EPH 1
    I have created a Web Service from an ABAP function module. I then created a service using SOAMANAGER and have configured it and tested it using Web Navigator. This WS uses no authentication or username/password.  It also works being consumed from a non-SAP server/application
    I want to have another non-SAP server and application use this WS. Currently the non-SAP  can consume it passing the user/password.
    I now want to have the WS consumed using x.509 certs.
    I have tried multiple methods with no success.
    On the server I have imported using STRUST
    Maintain the server’s SSL server PSE.
    Use the trust manager (transaction STRUST) and import the issuing CA’s root certificate into this PSE’s certificate list.
    Created Web Service communication user, technical type with security roles --> zwebserviceuser
    Created entries in table USREXTID using transaction SM30, view VUSREXTID
    external type = DN
    imported non-SAP server cert into external id
    user = zwebserviceuser
    activated
    The ICM to request a client X.509 certificate (check icm/HTTPS/verify_client profile parameter) was already configured
    I choose the appropriate security profile for your ABAP web service --> security HIGH
    I choose in SOAMANAGER http authentication and x.509 certificate
    The NON-SAP Server/application is calling the SAP WEBservice and sends the "certificate"
    The RunTime error is
    The request failed with HTTP status 401: Unauthorized.
    Any Help would be appreciated
    thank you,
    Sarah

    Take a kind look on SAP note 495911 to analyse ABAP logon errors.
    Most likely you have forgotten to add the root certificate of the CA which has issued the SSL client certificate (of the WS consumer) to the certificate list of the SSL server PSE (of the NWAS ABAP, acting as WS provider). In that case the SSL handshake will be incomplete: the SSL client certificate will not be requested by NWAS ABAP and thus no SSL client certificate will be sent by the WS consumer. That's why no credentials are there resulting in the 401 error.

  • Java Crypto - X.509 Certificate - DER encoded to Base64

    How to convert DER encoded X.509 Certificate to Base64 encoded X.509 Certificate?

    One way is to use the keytool utility supplied with the jdk. My keystore is already set up so you may have some additional steps beyond what I show below.
    First import the DER encoded certificate
    keytool -import -alias tempaliasname -file file.der
    (you will be prompted for the keystore password)
    Then export to Base64
    keytool -export -alias tempaliasname -file file.cer -rfc
    (you will be prompted for the keystore password)
    That will give you the Base64 version of your certificate.
    You can use the keytool -delete command to delete the key from your keystore if you want.
    Bruce

  • Unable to obtain a development certificate in Xcode

    Please bear with me - I'm new to Apple development. I'm trying to follow the "Start Developing iOS Apps Today" tutorial, and I reached the point where I'm supposed to obtain a development certificate in Xcode.
    It instructs me to open the Organizer window, click Devices, select Provisioning Profiles, click Refresh, and log in with my Apple Developer user name and password.
    However, when I do that, the "Sign in with your Apple ID" dialog keeps reappearing again and again, even though I fill in the correct details (with which I had successfully enrolled as an iOS Developer before). At the same time, the Organizer window seems to be "stuck" on "Fetching team list...".

    Probably solved:
    After lots of experimenting, it appears I must check the "Remember my password in my keychain" option in the log-in dialog.

  • Safari Does Not Allow Access to Web Sites With Wildcard X.509 Certificates

    I'm really getting irritated with the Safari browser in OSX Mavericks.  One of the more irritating features involves the inability to access web sites that use improperly constructed wildcard X509 certificates.  By improperly constructed, I mean that the X.509 certificate does not contain the host name of the system being accessed in the Subject Alternate Name list.
    Earlier versions of Safari would, at least, allow me to examine the X.509 certificate and determine whether I wanted to proceed with the connection.  The current version of Safari doesn't provide that option.  It simply displays a screen stating that it can't establish a secure connection to the web site.  If you actually have a need to access the web site, you need to use a web browser like Firefox.
    What's really irritating about this is that Safari had improved to the point where it was reliable enough to be used as the default browser.
    Is there a Safari.plist setting that will allow me to change the behavior of Safari when it encounters an improperly constructed X.509 certificate and provide me the opportunity to examine the certificate to decide whether to proceed or not?

    Hi
    Have a look in your Networks panel in System Preferences. Click on the Advanced button, then Proxies. There may be an errant proxy present blocking the site load.

  • Extracting X.509 certificate information from OSB/OWSM

    Hello everyone,
    I'm using SOA suite 11gR1 and I'm creating a proxy service with an OWSM policy ( oracle/wss11_x509_token_with_message_protection_service_policy ) . I'd like to know how to extract the certificate details from the incoming message so my Web Services can acess them with something like the WebServicesContext interface.
    Thanks !

    I am working on this same scenario as well (and agree that OWSM documentation is incomplete for this important use case). Vikas Jain provides some further explanation of Verify Signature in a blog entry: http://ws-security.blogspot.com/2007/06/faq-owsm-1013-what-is-use-of-cerificate.html . Essentially he clarifies that the Verify Signature policy step is doing two different functions: 1) validating the signature using the public cert passed in the request, 2) validating that said public cert is actually trusted by the server (directly or through a trusted CA).
    Unfortunately, even with this assistance, I have yet to get OWSM to work correctly using the X.509 certificate token profile for authentication purposes. OWSS does work for me but the desire is to externalize this security function to OWSM (outside of the service container).
    Any information you find out appreciated.
    Todd

  • Encrypt Emails using PKI Infrastructure (X.509 Certificates)

    Dear HTMLDB Fans,
    I wonder if anybody ever needed to send passwords via email to the enduser and how you are doing this via plsql. As far as I can see there is no easy way to send encrypted Emails with a Plsql Package. I read that Oracle took over the PHAOS Company in order to fulfill Requirements in the Security Area but there must have been some solutions out there before?!
    The way to do it seems pretty easy.
    1. Download the public Key of an User you want to send an email.
    2. Encrypt your Message with that Key
    3. Send your Message
    Any Hints are appreciated.

    I tried using demo_mail and DBMS_OBFUSCATION_TOOLKIT but it doesn't seem to be able to deal with x.509 certificates.....
    Has anyone succeeded before me?

  • Import X.509 certificate via LDAP

    Hello,
    I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
    regards,
    Tex

    I think if you select security profile in the channel then you can do sign and verify the certificate in the receiver agreement. That is only for Security parameters. For just configure certificate authentication,  you will not see anything in the receiver agreement.

  • To create an x.509 certificate not using any tools

    I'm having a project, is to generate an x.509 certificate without using any other tools, did anyone know the bytes structure of an x.509 v1 certificate, please kindly help! thanks!

    x509 certificates are described using ASN.1 notation; see http://www.ietf.org/rfc/rfc2459.txt for all the gory options. The ASN.1 structures are encoded into bytes by following the Distinguished Encoding Rules (DER) for ASN.1. See "A Layman's Guide ..." at http://luca.ntop.org/Teaching/Appunti/asn1.html.
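
The byte layout asked about in this thread, together with the DER-to-Base64 step from the keytool thread further up, as an added Python example (not code from any poster). It hand-encodes the v1 `Certificate` structure from RFC 2459 with DER, walks the result, and wraps it in Base64; the names, dates, key number and signature bytes are constructed placeholders, so the output has the structure of a v1 certificate but will not verify.

```python
import base64

# Universal tags that appear in an X.509 v1 certificate.
TAGS = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL", 0x06: "OID",
        0x13: "PrintableString", 0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}


def der_len(n):
    """Definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Every DER element is tag, length, value."""
    return bytes([tag]) + der_len(len(value)) + value


def integer(n):
    """Non-negative INTEGER; the extra high byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def oid(dotted):
    """First two arcs pack into one byte; later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def name(common_name):
    """Name ::= SEQUENCE OF RDN; an RDN is a SET OF SEQUENCE { type, value }."""
    atv = tlv(0x30, oid("2.5.4.3") + tlv(0x13, common_name.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))


def build_v1_certificate():
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.

    v1 omits the optional version field. All values are constructed samples.
    """
    null = tlv(0x05, b"")
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + null)  # sha256WithRSAEncryption
    modulus = (1 << 1023) | 1  # placeholder number, NOT a usable RSA modulus
    rsa_key = tlv(0x30, integer(modulus) + integer(65537))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + null)  # rsaEncryption
               + tlv(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, integer(1) + sig_alg + name("Example CA") + validity
              + name("example-client") + spki)
    # Placeholder: a real signature is computed over the DER bytes of `tbs`.
    signature = tlv(0x03, b"\x00" + bytes(128))
    return tlv(0x30, tbs + sig_alg + signature)


def walk(data, depth=0):
    """Yield (depth, tag name, length) per element, descending into SEQUENCE/SET."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:  # long form
            count = length & 0x7F
            if count == 0 or pos + count > len(data):
                raise ValueError("indefinite or truncated length is not valid DER")
            length = int.from_bytes(data[pos:pos + count], "big")
            pos += count
        if pos + length > len(data):
            raise ValueError("TLV length runs past the end of the buffer")
        yield depth, TAGS.get(tag, hex(tag)), length
        if tag & 0x20:  # constructed: the value is itself a run of TLVs
            yield from walk(data[pos:pos + length], depth + 1)
        pos += length


def to_pem(der):
    """Base64 form of the DER bytes, 64 characters per line, with PEM markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


if __name__ == "__main__":
    cert = build_v1_certificate()
    for depth, tag_name, length in walk(cert):
        print("  " * depth + f"{tag_name} ({length} bytes)")
    print(to_pem(cert))
```
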

  • Verify a X.509 Certificate with Bouncy Castle and Java ME

    Hi,
    Can anybody point me to an example of verifying a X.509 certificate with Bouncy Castle under Java ME?
    I can see how to easily do it in Java SE code with java.security.cert.Certificate.verify(), but I could not find an equivalent method in the lightweight API.
    Any help is much appreciated.
    Best regards,
    iobytrap

    That's a shame. I'm afraid I don't have any solutions, but I am interested if you find one. If you solve your problem, please post back here. In the meantime I'll keep looking around. Have you considered non-free software? IAIK has some fairly complete Java libraries for $$$, though I'm not sure what they have for JME.
    EDIT:
    Yes, they have a library for JME and it has an X509Certificate class. Here are the javadocs.
    Edited by: ghstark on Apr 17, 2010 2:14 PM
