OSR 2way SSL client configuration in Weblogic

We've implemented 2way SSL in our Weblogic domains that host endpoints for use by OSB and OSR, using signed ( not self-signed! ) certificates. OSB works great and invokes the endpoints successfully over 2way SSL.
The problem is that OSR doesn't use the same security keystore / truststore as WebLogic. The Weblogic server hosting OSR is configured with the same keystore / truststore that the OSB server uses, and the OSR mgd server also has "Use Server Certs" enabled.
The OSR 10g server and the endpoint domain both use the same versions: Weblogic 10.3, using jrockit_160_05, both running on Linux 2.6.18-92.1.17.0.2.el5xen #1 SMP Tue Nov 18 04:11:19 EST 2008 i686 i686 i386 GNU/Linux on different hosts.
For one-way SSL, I imported ( with PStoreTool.sh ) the server certificate from the endpoints' domain into the registry's conf/pstore.xml & redeployed, and then OSR was able to trust the incoming server cert. That's been working great.
I'd like to have OSR submit the same certificate that OSB does so that OSR can act as a client in 2-way SSL. So I've used this:
# Get the server cert from the OSR WL server
sslTool.sh serverInfo url https://"OSR_HOST" certFile "OSR_HOST_FILE"
# Add it into extracted pstore
PStoreTool.sh new -alias "CN value" -keypassword ****t -config conf/pstore.xml -certFile "OSR_HOST_FILE"
# encrypt keypass
sslTool.sh encrypt --password *****
and added an entry in the registry.war's app/uddi/conf/security.xml of:
sslConnectionAlias>OSR_HOST</sslConnectionAlias>
sslConnectionPassword_coded>"output from sslTool encrypt"</sslConnectionPassword_coded>
But when trying to publish an https:// endpoint into OSR, I get an error in the OSR console of:
Invalid WSDL location! WSDLException: faultCode=INVALID_WSDL: Cannot get WSDL at 'https://...."'. Exception occured: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error.
The OSR server logs shows this
ERROR: com.idoox.wsdl.xml.WSDLReaderImpl - javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
ERROR: com.systinet.uddi.webui.WebUIRawService - Web Framework exception
EXCEPTION: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.
javax.servlet.ServletException: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.
In the weblogic endpoint domain, I get this error at the same time - after the OSR certificate has been presented:
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateVerify>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 51
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ServerStateReceivedClientKeyExchange.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
For two-way SSL, what steps are needed? The documentation on PStoreTool only lists available commands, but not how they would be used to perform 2way ssl config.

After many, many, many iterations, I finally have an OSR that can import over 2way SSL.
So here are the steps I used ( variables in caps )
* Extract the conf/pstore.xml and app/uddi/conf/security/xml from registry.war
jar -xf conf/pstore.xml
jar -xf app/uddi/conf/security.xml
* Encrypt the password for later use:
PStoreTool.sh encrypt --password=OSR_PASS
( gives you an encrypted string )
* Edit the security.xml, add these lines:
<sslConnectionAlias>OSR_ALIAS</sslConnectionAlias>
<sslConnectionPassword_coded>encrypted_password</sslConnectionPassword_coded>
</security>
<destinationConfig>
<alias>OSR_ALIAS</alias> <!-- same alias -->
<password_coded>encrypted_password</password_coded>
<destination url="https://SERVICE_ENDPOINT/*"/> <!-- server hosting the endpoints that you're importing -->
</destinationConfig>
* put security.xml back
jar -tf registry.war app/uddi/conf/security.xml
* import the OSR server's identity cert ( to use as a client cert in outbound 2way SSL
sslTool.sh serverInfo url https://OSR_HOST  certFile ./OSR_HOST.cer
PStoreTool.sh add -config conf/pstore.xml -certFile ./OSR_HOST.cer
* If your OSR cert is signed, also import signer certs with PStoreTool as previous
* create a new user
PStoreTool.sh new -alias OSR_ALIAS -keypassword unencrypted_password -config conf/pstore.xml
* overwrite the user with the cert
sslTool.sh pstoreEI -i keystore /etc/java/OSR_IDENTITY_KEYSTORE.jks storepass *** alias *** keypass *** --pstore [REGISTRY_HOME]/conf/clientconf.xml pstoreAlias OSR_ALIAS pstoreKeypass OSR_PASS
sslTool.sh pstoreEI -i keystore /etc/java/OSR_IDENTITY_KEYSTORE.jks storepass *** alias *** keypass *** pstore conf/pstore.xml pstoreAlias OSR_ALIAS --pstoreKeypass OSR_PASS
* Put the pstore.xml back
jar -uf registry.war conf/pstore.xml
Stop your OSR server, undeploy the registry.war, remove the OSR managed server's tmp directory, redeploy and restart.
If you get "BAD_CERT" - you have a self-signed cert in pstore.xml that needs to be overwritten with your real cert from your OSR's identity jks
If you get "login failed" - you need to run the "PStoreTool new"

Similar Messages

  • SSL Connection Configuration between Apache and Weblogic 8,1

    I'm currently using Apache web server as a front end server for Weblogic server 8.1 and now i' facing some configuration problem to setting up the SSL connection between this 2 server. When i open my web application page, it shows
    Failure of Server Apache bridge
    No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.
    and my proxy.log shows:
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL is configured
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL configured successfully
    Thu Nov 03 09:36:41 2011 <182413202842013> Using Uri /favicon.ico
    Thu Nov 03 09:36:41 2011 <182413202842013> After trimming path: '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> The final request string is '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> SEARCHING id=[ebwdsk298.ebworx.com:7002] from current ID=[ebwdsk298.ebworx.com:7002]
    Thu Nov 03 09:36:41 2011 <182413202842013> The two ids matched
    Thu Nov 03 09:36:41 2011 <182413202842013> @@@FOUND...id=[ebwdsk298.ebworx.com:7002], server_name=[10.122.50.218], server_port=[80]
    Thu Nov 03 09:36:41 2011 <182413202842013> attempt #0 out of a max of 5
    Thu Nov 03 09:36:41 2011 <182413202842013> general list: trying connect to '10.122.50.48'/7002/7002 at line 2696 for '/favicon.ico'
    Thu Nov 03 09:36:41 2011 <182413202842013> New SSL URL: match = 0 oid = 22
    Thu Nov 03 09:36:41 2011 <182413202842013> Connect returns -1, and error no set to 10035, msg 'Unknown error'
    Thu Nov 03 09:36:41 2011 <182413202842013> EINPROGRESS in connect() - selecting
    Thu Nov 03 09:36:41 2011 <182413202842013> Setting peerID for new SSL connection
    Thu Nov 03 09:36:41 2011 <182413202842013> 0a7a 3230 5a1b 0000 .z20Z...
    Thu Nov 03 09:36:41 2011 <182413202842013> Local Port of the socket is 2121
    Thu Nov 03 09:36:41 2011 <182413202842013> Remote Host 10.122.50.48 Remote Port 7002
    Thu Nov 03 09:36:41 2011 <182413202842013> general list: created a new connection to '10.122.50.48'/7002 for '/favicon.ico', Local port:2121
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Host]=[10.122.50.218]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Connection]=[keep-alive]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept]=[*/*]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate,sdch]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Language]=[en-US,en;q=0.8]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
    Thu Nov 03 09:36:41 2011 <182413202842013> URL::sendHeaders(): meth='GET' file='/favicon.ico' protocol='HTTP/1.1'
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Host]=[10.122.50.218]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept]=[*/*]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Encoding]=[gzip,deflate,sdch]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Language]=[en-US,en;q=0.8]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Connection]=[Keep-Alive]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-SSL]=[false]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Proxy-Client-IP]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-Forwarded-For]=[10.122.50.48]
    Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
    Thu Nov 03 09:36:41 2011 <182413202841921> INFO: No session match found
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: No CA was trusted, validation failed
    Thu Nov 03 09:36:41 2011 <182413202841921> INFO: DeleteSessionCallback
    Thu Nov 03 09:36:41 2011 <182413202842013> ERROR: SSLWrite failed
    Thu Nov 03 09:36:41 2011 <182413202842013> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
    Thu Nov 03 09:36:41 2011 <182413202842013> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
    Thu Nov 03 09:36:41 2011 <182413202842013> Marking 10.122.50.48:7002 as bad
    Thu Nov 03 09:36:41 2011 <182413202842013> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0,  line 790 of ../nsapi/URL.cpp]: at line 3078
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Closing SSL context
    Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Error after SSLClose, socket may already have been closed by peer
    Thu Nov 03 09:36:41 2011 <182413202842013> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
    Can anyone tell me what should i do in order to correct this error? Your help is kindly appreciate!!! Please~

    1) Is the managed server up?
    2) from apache server are you able to bind the managed server port?
    3) can you pls send the weblogic ssl configuration?

  • WLS :: Will Vista web client work with Weblogic Server 8.1.6 over SSL?

    Hello,
    I have installed 51-2 bit SSL cert on weblogic 7 and found that the secure site doesn't work on Vista web client.
    Weblogic gives error in handshaking and says algorithm is not supported.
    Vista web client uses some algorithms which were not supported by weblogic 7.
    So would like to know if would Vista web client work with Weblogic Server 8.1.6 over SSL?
    Any information in this regard would be helpful.
    Thanks in Advance.

    can you use the following debug flags in the weblogic server as java_options and paste the complete ssl handshake exception here.
    -Dweblogic.StdoutDebugEnabled=true
    -Dssl.debug=true
    thanks,
    sandeep

  • How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?

    I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have provide a SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiations.
    Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility there should be a way for the desktop App, too. Has someone sorted this issue out already or does the Mail App actually lack of client certificate support?

    I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try
    After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS-Profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
    After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account not usable.
    You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but neither of these would work due to the missing client certificate support.
    I came to the conclusion that the relevant applications in OS X have no proper SSL Client support build in. Since the underlying libraries and frameworks have everything in place that is really a shame.
    Would be nice, if someone would enforce the developers to do their homework there.

  • OSB 11.1.1.6 - Business Service IIS6.0 2way SSL Null Pointer Exception JSSE

    We must use JSSE because of SHA256RSA sign algorithm.
    Business Service calls a remote webservice over two way ssl. Client-cert configured, Key Provider is correctly set, PKI Provider Mapping is fine. Everything is tested with SoapUI 2way SSL and worked like a charm.
    But not with IIS 6.0. Renegotation is enabled (with parameter sun.security.ssl.allowUnsafeRenegotiation) and Chunked Streaming Mode is also set.
    The invocation resulted in an error: [WliSbTransports:381304]Exception in HttpOutboundMessageContext.RetrieveHttpResponseWork.run: java.lang.NullPointerException
    java.lang.NullPointerException
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:101)
    at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:659)
    at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:550)
    at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:456)
    at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:370)
    at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
    at java.io.SequenceInputStream.read(SequenceInputStream.java:149)
    at java.io.SequenceInputStream.read(SequenceInputStream.java:152)
    at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:151)
    at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:468)
    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
    at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
    at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1005)
    at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.getResponse(HttpOutboundMessageContext.java:679)
    at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls.access$100(HttpOutboundMessageContextWls.java:26)
    at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls$RetrieveHttpResponseWork.handleResponse(HttpOutboundMessageContextWls.java:96)
    at weblogic.net.http.AsyncResponseHandler$MuxableSocketHTTPAsyncResponse$RunnableCallback.run(AsyncResponseHandler.java:535)
    at weblogic.work.ContextWrap.run(ContextWrap.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    Hi, I have the same problem but with Weblogic 12.1.1 (12c):
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:114)
         at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:739)
         at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:630)
         at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:498)
         at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:414)
         at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
         at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
         at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
         at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
         at weblogic.net.http.MessageHeader.isHTTP(MessageHeader.java:224)
         at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:148)
         at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:469)
         at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
         at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37
    Is there a patch for this version?
    Thanks in advance

  • SSL Client example from dev2dev

    Bruce,
    I still have some questions unaswered.
    1. Is there any "default" list of trusted CA that is used during handshake?
    The SSLClient example does not have any references to trusted CA files. The
    weblogic.webservice.client.ssl.trustedcerts property returns null. What
    trusted CA is used in the SSLClient example? Considering the plural name of
    the property, should it contain only one file name, or it can contain
    several file names? Order? Delimiter?
    2. I copied the SSL setup code from SSLClient to my own web service client,
    but it does not work. My web service is made of stateless session bean, and
    wsdl is generated dynamically. Is it possible, that certain wsdl settings
    could affect handshake process? Maybe I need to copy certain wsdl tags from
    the example?
    3. What username/password should I use in IE when "Enter network password"
    dialog is presented? The combination used to start weblogic server does not
    work. The same combination works for non-SSL client. Why?
    Thanks,
    Michael J.
    "Bruce Stephens" <[email protected]> wrote in message
    news:[email protected]...
    Hi Michael,
    Thanks for the good feedback and this will be incorporated into a revised
    example.
    Concerning your questions toward the end, to set the list of trusted CA
    certificates, you need the CA certificate in a file and you need to setthis
    System property to the filename:
    weblogic.webservice.client.ssl.trustedcerts
    To turn off strict hostname checking during certificate validation, youneed to
    set this property to "false":
    weblogic.webservice.client.ssl.strictcertchecking
    Thanks again,
    Bruce
    Michael Jouravlev wrote:
    Bruce,
    here are some issues that I wish you could help me with.
    1) package.html from the simpleSSL example is outdated. The links posted
    here do not work. Considering "Please pay careful attention" phrase I am
    a
    little bit worried if I missed something in my SSL configuration.
    === cut here ===
    You must first setup and verify your WLS SSL configuration.
    1. Set up your development shell as described in Quick Start.
    2. Startup the WebLogic Server.
    3. Monitor the log file for any errors.
    4. Use the console and configure the WebLogic Service security asdescribed
    by:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
    Please pay careful attention to this step, especially concerning theSSL
    protocol configuration:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
    === cut here ===
    I use the following information:
    1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
    configure
    server-wide SSL setup
    2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
    configure web service-related SSL setup.
    2) In "Setup and verify the toUpper WebService" chapter the linksentitled
    http://localhost:7001/toUpper/toUpper and
    http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
    but
    maybe you would like to correct this.
    3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
    connect to https://localhost:7002/toUpper/toUpper , I receive the
    "Security
    Alert" dialog (I am using IE5) that there is a problem with security
    certificate: name of the certificate does not match the name of thesite. It
    is OK, because it is demo certificate. (Should I do "View
    Certificate/Install Certificate" to proceed successfully or just to say
    "Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
    proceed. In the next window is "Do you want to display nonsecure items?"I
    say "yes" and I am brought to the the test page. Now, when I try to testthe
    service, I click on "toUpper" link and am presented with sample text and
    "Invoke" button.
    And when I press "Invoke" I am presented with a dialog window "Enternetwork
    password" containing: Site: localhost, Realm: default, User name:
    <blank>, Password: <blank>. So, the first serious issue is: what username
    and password should I use? I tried username and password that I used to
    start the server in set WLS_USER=<username> and set WLS_PW=<password> in
    startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
    either. What should I submit??? I did not change any security setting inmy
    WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
    >>
    After "Enter network password" dialog fails to verify a user, I get apage
    with the following text: "Failed to retrieve WSDL from
    https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
    the
    protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
    >>
    Interesting enough, if I try to go directly to the link
    https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
    problem
    and without any password windows. What is happening here?
    4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
    order for it to be compiled. I changed super( _port,ToUpperPort.class );
    to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
    changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
    original code does not work on 7.0GA. I successfully did run both Mainand
    Main2 without username/password and with it. I also usedusername/password
    from startWebLogic.cmd file and they worked. Why they do not work when Itry
    to call test page from web browser?
    5) Finally I compiled and did run the SSLClient. It worked. But the
    questions here are:
    BEA_HOME environment variable is not defined, and WebLogic SSL
    implementation is used. How licence.bea was found while running theclient?
    When I tried to build my own client, I got a message that I license fileis
    needed. Or is it needed only if the client library webservices+ssl.jaris
    used?
    The most important question: What trusted CA is used by client and how
    client finds it? No certificates are in the SSLClient directory and no
    property settings telling where to find it. It is a puzzle for my why it
    works here and why my own client does not work when the CA is supplied.
    Thank you,
    Michael J.

    Hi Michael,
    I've asked our security folks to help answer your questions. The
    weblogic.webservice.client.ssl.trustedcertfile file (located on the client
    application computer) contains the certificates of CA (certificate authority).
    The CAs are trusted to issue WebLogic Server certificates. The file can also
    contain certificates that you trust directly. The file contains a collection of
    PEM-encoded certificates. See:
    http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
    There shouldn't be any WSDL changes/tags required.
    HTHs,
    Bruce
    Michael Jouravlev wrote:
    Bruce,
    I still have some questions unaswered.
    1. Is there any "default" list of trusted CA that is used during handshake?
    The SSLClient example does not have any references to trusted CA files. The
    weblogic.webservice.client.ssl.trustedcerts property returns null. What
    trusted CA is used in the SSLClient example? Considering the plural name of
    the property, should it contain only one file name, or it can contain
    several file names? Order? Delimiter?
    2. I copied the SSL setup code from SSLClient to my own web service client,
    but it does not work. My web service is made of stateless session bean, and
    wsdl is generated dynamically. Is it possible, that certain wsdl settings
    could affect handshake process? Maybe I need to copy certain wsdl tags from
    the example?
    3. What username/password should I use in IE when "Enter network password"
    dialog is presented? The combination used to start weblogic server does not
    work. The same combination works for non-SSL client. Why?
    Thanks,
    Michael J.
    "Bruce Stephens" <[email protected]> wrote in message
    news:[email protected]...
    Hi Michael,
    Thanks for the good feedback and this will be incorporated into a revised
    example.
    Concerning your questions toward the end, to set the list of trusted CA
    certificates, you need the CA certificate in a file and you need to setthis
    System property to the filename:
    weblogic.webservice.client.ssl.trustedcerts
    To turn off strict hostname checking during certificate validation, youneed to
    set this property to "false":
    weblogic.webservice.client.ssl.strictcertchecking
    Thanks again,
    Bruce
    Michael Jouravlev wrote:
    Bruce,
    here are some issues that I wish you could help me with.
    1) package.html from the simpleSSL example is outdated. The links posted
    here do not work. Considering "Please pay careful attention" phrase I am
    a
    little bit worried if I missed something in my SSL configuration.
    === cut here ===
    You must first setup and verify your WLS SSL configuration.
    1. Set up your development shell as described in Quick Start.
    2. Startup the WebLogic Server.
    3. Monitor the log file for any errors.
    4. Use the console and configure the WebLogic Service security asdescribed
    by:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
    Please pay careful attention to this step, especially concerning theSSL
    protocol configuration:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
    === cut here ===
    I use the following information:
    1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
    configure
    server-wide SSL setup
    2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
    configure web service-related SSL setup.
    2) In "Setup and verify the toUpper WebService" chapter the linksentitled
    http://localhost:7001/toUpper/toUpper and
    http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
    but
    maybe you would like to correct this.
    3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
    connect to https://localhost:7002/toUpper/toUpper , I receive the
    "Security
    Alert" dialog (I am using IE5) that there is a problem with security
    certificate: name of the certificate does not match the name of thesite. It
    is OK, because it is demo certificate. (Should I do "View
    Certificate/Install Certificate" to proceed successfully or just to say
    "Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
    proceed. In the next window is "Do you want to display nonsecure items?"I
    say "yes" and I am brought to the the test page. Now, when I try to testthe
    service, I click on "toUpper" link and am presented with sample text and
    "Invoke" button.
    And when I press "Invoke" I am presented with a dialog window "Enternetwork
    password" containing: Site: localhost, Realm: default, User name:
    <blank>, Password: <blank>. So, the first serious issue is: what username
    and password should I use? I tried username and password that I used to
    start the server in set WLS_USER=<username> and set WLS_PW=<password> in
    startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
    either. What should I submit??? I did not change any security setting inmy
    WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
    After "Enter network password" dialog fails to verify a user, I get apage
    with the following text: "Failed to retrieve WSDL from
    https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
    the
    protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
    Interesting enough, if I try to go directly to the link
    https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
    problem
    and without any password windows. What is happening here?
    4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
    order for it to be compiled. I changed super( _port,ToUpperPort.class );
    to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
    changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
    original code does not work on 7.0GA. I successfully did run both Mainand
    Main2 without username/password and with it. I also usedusername/password
    from startWebLogic.cmd file and they worked. Why they do not work when Itry
    to call test page from web browser?
    5) Finally I compiled and did run the SSLClient. It worked. But the
    questions here are:
    BEA_HOME environment variable is not defined, and WebLogic SSL
    implementation is used. How licence.bea was found while running theclient?
    When I tried to build my own client, I got a message that I license fileis
    needed. Or is it needed only if the client library webservices+ssl.jaris
    used?
    The most important question: What trusted CA is used by client and how
    client finds it? No certificates are in the SSLClient directory and no
    property settings telling where to find it. It is a puzzle for my why it
    works here and why my own client does not work when the CA is supplied.
    Thank you,
    Michael J.

  • A fatal error occurred while creating an SSL client credential. The internal error state is 10011.

    Need help.  I have my pilot lync 2013 pool up (in coexistence with 2010 production environment) and can log into Lync 2013 environment with a lync 2010 client but am not able to with a lync 2013 client.  It just prompts for password but will not
    take it. I'm sseeing this on my front end server multiple times:
    A fatal error occurred while creating an SSL client credential. The internal error state is 10011.
    Came across this http://www.logicspot.net/index.php?id=50 and tried disabling TLS 1.2, which I did and verified but yet the issue still exists.
    All my certs are good coming from internal CA.  My signin logs show below but keep in mind, this works just fine if using a 2010 lync client to my lync 2013 servers.  Issue only occurs when trying to connect using a lync 2013 client.
    1 Login: FAIL (hr = 0x1) 
    this request needs authentication, trying webticket from: https://domain.com/WebTicket/WebTicketService.svc
    1.1 Get-NewWebTicket: FAIL (hr = 0x1) 
    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
    1.1.1 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.2 ExecuteWithWindowsOrNoAuthInternal: PASS
    1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.4 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Discovery task(0A4FF830) sent to URL http://domain.com completed with hr=0x80f10045
    1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.6 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
    Rich

    Hi,
    Please check the server role and Web Services for Internet Information Services (IIS) are set correctly.
    For the detailed IIS configuration, please check:
    http://technet.microsoft.com/en-us/library/gg412871.aspx
    As Lync client 2013 attempt to query in order to perform autodiscover of the Lync registration server. First
    lyncdiscoverinternal.<sipdomain> Host (A) record and then
    lyncdiscover.<sipdomain> Host (A) record. If neither of these records are resolvable then the legacy DNS SRV and A record fall-back process is used. So make sure you have add the two A record in DNS server.
    More details:
    http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • Error 403.7 - Forbidden: SSL client certificate is required

    Hi people!
    I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
    I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
    I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
    _THE CODE_
    package principal;
    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.FileReader;
    import java.io.IOException;
    import java.net.URL;
    import java.net.UnknownHostException;
    import java.security.KeyStore;
    import java.security.Security;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import entidade.Certificado;
    public class SSLClient {
    private static final int PORT_NUMBER = 443;
    private static final String HTTPS_ADDRESS = "10.200.140.117";
    private static String strCabecalhoMsg = "";
    private static String strDadosMsg = "";
    public static void main(String[] args) throws Exception {
    System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
    System.setProperty("javax.net.ssl.keyStorePassword", "senha");
    System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("javax.net.debug","ssl,handshake,record");
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
    Certificado.getArranjoCharSenhaCertificadoServidor());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
    KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
    ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ksT);
    SSLContext sc = SSLContext.getInstance("SSLv3");
    sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
    SSLSocketFactory factory = sc.getSocketFactory();
    try{
    // method to load the values of the strings strCabecalhoMsg and strDadosMsg
    carregarXMLCabecalhoDados();
    SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
    socket.startHandshake();
    String [] arr = socket.getEnabledProtocols();
    URL url = new URL("https://10.200.140.117/dirNotes");
    HttpsURLConnection.setDefaultSSLSocketFactory(factory);
    HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
    urlc.setDoInput(true);
    urlc.setUseCaches(false);
    Object[] params = {strCabecalhoMsg, strDadosMsg};
    Service service = new Service();
    Call call = (Call) service.createCall();
    call.setTargetEndpointAddress(url);
    call.setOperationName("serviceName");
    String ret = (String) call.invoke(params);
    System.out.println("Result: " + ret);
    catch (UnknownHostException uhe) {
    uhe.printStackTrace();
    System.err.println(uhe);
    catch (Exception uhe) {
    uhe.printStackTrace();
    System.err.println(uhe);
    private static void carregarXMLCabecalhoDados()
    try
    BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
    String str;
    while((str=input.readLine()) != null)
    strCabecalhoMsg += str ;
    System.out.println("Cabe�a: " + strCabecalhoMsg);
    input = new BufferedReader( new FileReader("notas/nota.xml"));
    while((str=input.readLine()) != null)
    strDadosMsg += str ;
    System.out.println("Nota: " + strDadosMsg);
    catch (FileNotFoundException e)
    // TODO Auto-generated catch block
    e.printStackTrace();
    catch (IOException e)
    // TODO Auto-generated catch block
    e.printStackTrace();
    _THE TRACE_
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    *others trusted certs*
    trigger seeding of SecureRandom
    done seeding SecureRandom
    export control - checking the cipher suites
    export control - no cached value available...
    export control - storing legal entry into cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
    Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    Version: V3
    *many chains and related data*
    Found trusted certificate:
    Version: V3
    Subject:
    *many trusted certificates and related data*
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
    0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
    0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
    0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
    Server Nonce:
    0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
    0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
    Master Secret:
    0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
    0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
    0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
    Client MAC write Secret:
    0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
    Server MAC write Secret:
    0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
    Client write key:
    0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
    Server write key:
    0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
    %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    setting up default SSLSocketFactory
    use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
    keyStore is : Certificados/certificadoSondaMonitor.jks
    keyStore type is : JKS
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: Certificados\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    adding as trusted cert:
    * many certificates*
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    export control - checking the cipher suites
    export control - found legal entry in cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
    Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    many chains again
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
    0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
    0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
    0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
    Server Nonce:
    0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
    0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
    Master Secret:
    0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
    0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
    0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
    Client MAC write Secret:
    0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
    Server MAC write Secret:
    0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
    Client write key:
    0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
    Server write key:
    0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
    %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    main, setSoTimeout(600000) called
    main, WRITE: TLSv1 Application Data, length = 282
    main, WRITE: TLSv1 Application Data, length = 8208
    main, WRITE: TLSv1 Application Data, length = 1102
    main, READ: TLSv1 Application Data, length = 1830
    main, received EOFException: ignored
    main, called closeInternal(false)
    main, SEND TLSv1 ALERT: warning, description = close_notify
    main, WRITE: TLSv1 Alert, length = 18
    main, called close()
    main, called closeInternal(true)
    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (404)Not Found
    faultActor:
    faultNode:
    faultDetail:
         {}:return code: 404
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>The page cannot be found</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <STYLE type="text/css">
    BODY { font: 8pt/12pt verdana }
    H1 { font: 13pt/15pt verdana }
    H2 { font: 8pt/12pt verdana }
    A:link { color: red }
    A:visited { color: maroon }
    </STYLE>
    </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
    <h1>The page cannot be found</h1>
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    <hr>
    <p>Please try the following:</p>
    <ul>
    <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
    <li>If you reached this page by clicking a link, contact
    the Web site administrator to alert them that the link is incorrectly formatted.
    </li>
    <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
    </ul>
    <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
    <hr>
    <p>Technical Information (for support personnel)</p>
    <ul>
    <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
    <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
    and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
    </ul>
    </TD></TR></TABLE></BODY></HTML>
         {http://xml.apache.org/axis/}HttpErrorCode:404
    (404)Not Found
         at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
         at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
         at org.apache.axis.client.Call.invoke(Call.java:2767)
         at org.apache.axis.client.Call.invoke(Call.java:2443)
         at org.apache.axis.client.Call.invoke(Call.java:2366)
         at org.apache.axis.client.Call.invoke(Call.java:1812)
         at principal.SSLClient.main(SSLClient.java:86)
    (404)Not Found
    -----

    I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
    public class NFeClient {
         static{
              Security.addProvider(new BouncyCastleProvider());
         public static void main(final String[] args) throws Exception {
              final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
              final String keyStoreProvider = "BC";
              final String keyStoreType = "PKCS12";
              final String keyStore = "/home/mendes/certificados/cert.p12";
              final String keyStorePassword = "xxxx";
              System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
              System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
              System.setProperty("javax.net.ssl.keyStore",keyStore);
              System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
              System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
              final SSLContext context =  SSLContext.getInstance("TLS");
              final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              final KeyStore ks = KeyStore.getInstance(keyStoreType);
              ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
              kmf.init(ks, keyStorePassword.toCharArray());
              context.init(kmf.getKeyManagers(), null, null);
              final URL url = new URL(path);
              final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
              httpsConnection.setDoInput(true);
              httpsConnection.setRequestMethod("GET");
              httpsConnection.setRequestProperty("Host", "iis-server");
              httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
              httpsConnection.setSSLSocketFactory(context.getSocketFactory());
              try{
                   final InputStream is = httpsConnection.getInputStream();
                   final byte[] buff = new byte[1024];
                   int readed;
                   while((readed = is.read(buff)) > 0)
                        System.out.write(buff,0,readed);
              }catch(final IOException ioe){
                   ioe.printStackTrace();
    }and the response of the server is always the same:
    java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
         at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

  • How to specify alias name in system property while making 2way SSL con ?

    Hi All,
    I am tring to run a java client with 2way SSL which uses CAC card as keystore for the client. I have addded the following system property in my client program to make it work and change the java.security file to add pcks11 provider.
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
    System.setProperty("javax.net.debug", "ssl");
    The program works fine and handshake is successfully done . But the problem is when i have more than one trusted certificate in the CAC card, it take a default certificate. I want to specify the certificate that should be used to do the client auth maybe specify the alias name . I didnt find any system property to do so.
    Please let me know how to specify alias name as system property so that the 2way SSL used the specified alias for the client auth or is there any other way to specify the alias name. As in case i acccess the server URL from any browser i get a certificate selection prompt and the connection is established with the selected certificate.
    Thanks in advanced,
    Ruhul

    I didn't find any system property to do so.There isn't one.
    Please let me know how to specify alias name as system propertyYou can't.
    You would have to write a custom KeyManager. See the JSSE Reference Guide.

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the emploees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasions we can not use the `fast wan` connection as our primary connection and it is used anly as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the`fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
    Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use PBR Match track object,
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit

  • SSL client default does not exist

    Hi,
    I had newly installed XI system on one of our server.
    when i am creating RFC destination INTEGRATION_DIRECTORY_HMI, i am getting the following error on logon /security tab.
    "<b>SSL client default does not exist"</b>
    and it is not even permitting to go furthur!
    any suggestions will be appreciated highly.
    Thanks,
    Ravi

    Hi Ravi
    Check if your SSL provider is running.
    Go to visual admin--instanceservernodeservices----SSL provider.Start the SSL service and check for the configuration.
    Follow the same steps for the dispatcher node.
    Go to visual admin--instancedispatchernodeservices----SSL provider

  • ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

    Hi
    Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
    Example:
    Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
    The "client" Server does not support SSL.
    Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
    Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
    Regards

    Hello Byron,
    Yes, the ACE can do it
    Here you have some of the flavors of SSL with the ACE.
    Here you have a sample about it:
    parameter-map type http CASE_PARAM
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    class-map match-all CLEAR_TEXT_VIP
      2 match virtual-address 172.20.120.19 tcp eq www
    policy-map multi-match JORGE-MULTIMATCH
      class CLEAR_TEXT_VIP
        loadbalance vip inservice
        loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM
    policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
      class class-default
        serverfarm ENCRYPTED-SERVERFARM
        ssl-proxy client SSL-PROXY-JORGE
    ssl-proxy service SSL-PROXY-JORGE
      key TAC-key
      cert TAC-cert
    serverfarm host ENCRYPTED-SERVERFARM
      rserver JORGE-SERVER 443
        inservice
    Here you have some additional details under the configuration guide:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
    Here you have some additional samples:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
    Hope this helps for you and fix your issue
    Jorge

  • ACE as ssl client

    Hello all,
    has anyone been able to successfully configure the ACE board to initiate and terminate ssl connections as ssl client. We tried a lot, but no luck... Is there a working configuration example out there, because the documentation does not tell anything useful? Would be great to get some hints on this issue.
    And what IP is the ACE using, when initiating the ssl connection to the outside? As we can not configure NAT through a VIP address, how can the ACE board recognize the right IP association?
    Thanks in advance and regards,
    Rene

    Hi,
    thank you, i red this doc already. I tried several different ways of configuring all this. But no luck in any way. Is the vserver address the one of the external server? And do i need to configure the external server as serverfarm? All this is not very clear from my point of view. Do you have a working example?
    regards,
    rene

  • Error to run Configuration Wizard weblogic 12.1.2 # error is  java virtual machine launcher error could not create the java virtual machine

    hi
    Error to run Configuration Wizard weblogic 12.1.2
    my system is windows xp by 2 gig ram
    and jvm version
    C:\Program Files\Java\jdk1.7.0_25\bin>java -version
    java version "1.7.0_25"
    Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
    Java HotSpot(TM) Client VM (build 23.25-b01, mixed mode, sharing)
    how resolve this problem and how find log file weblogic to this error?

    In user environments where the path to java is not already established as an system-level environment variable, the service is unable to determine where to find java and this error will occur.
    This could occur, for example, in environments where there is more than one JDK installed, or where the default JDK is different from the JDK which needs to be used by WLS.
    Try to set the environment variable  in windows  i.e JAVA_HOME=C:\Sun\Java\jdk1.7.xx.x.  to point to jdk 1.7 and run the configuration wizard.
    Hope it helps!!
    Thanks,
    Vijaya

  • Can't get WebVpn full SSL client to work

    Hello,
    I just get a new 1812 router and i wanna try the full SSL client. I upgrade IOS to 12.4.9T1, get last SDM and last vpn ssl package.
    I follow the wizard on SDM to configure a simple webvpn on my outside network.
    I can connect to the portal with my creditentials, and the ssl client install itself. It write warnings about certificates. But at last, i always got a message window "http return code error, contact your network admin". And on event viewer i have some errors with STCAgent (one is HTTP response code from the gateway is 401 , unautorized....).
    I try on 2 different PC's with XP PRO SP2.
    What else to try ??
    Thanks

    Hi,
    I am getting the exact same error. Below is my webvpn configuration:
    webvpn gateway guest
    ip address 10.100.1.254 port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-927014488
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context guest
    title-color #669999
    secondary-color white
    text-color black
    ssl authenticate verify all
    policy group fullclient
    functions svc-required
    hide-url-bar
    svc address-pool "vpn-pool"
    svc rekey method new-tunnel
    svc dns-server primary 10.100.2.8
    default-group-policy fullclient
    aaa authentication list default
    gateway guest
    inservice
    Have you solved your problem?
    //F

Maybe you are looking for