POA IMAP and enabling SSL

I would like to enable SSL to allow external users (mostly users using PDAs, cell phones, etc.) to connect to our POA using IMAP. Of course I want to enable SSL for IMAP connections as otherwise it would pass their credentials in plain text.
I have IMAP running without SSL on port 143 just fine. However, I'm unable to get IMAP to listen on 993 for SSL. I've tried enabling the option using the POA object via ConsoleOne. I've also tried enabling it using the switches in the .POA startup file and neither seems to work.
I've exported the certificate using the self signed server certificate object in ConsoleOne and pointed the POA object to the certificate in the POA object configuration options and still nothing.
In the log/settings for the POA I still see...
Internet Protocol Agent Settings:
IMAP Agent: Enabled
IMAP Port for Incoming IMAP requests: 143 (Default)
IMAP over SSL: Disabled
Any help is appreciated.
Thanks,
Walter Keener
Network Administrator
Grandville Public Schools

OK, I'm making progress. I followed your/Novell's instructions for the CSR to create the certificate and key file and IMAP via SSL appears to be up and running...
16:59:10 1FB Internet Protocol Agent Settings:
16:59:10 1FB IMAP Agent: Enabled
16:59:10 1FB IMAP Port for Incoming IMAP requests: 143 (Default)
16:59:10 1FB IMAP over SSL: Enabled
16:59:10 1FB IMAP SSL Agent: Enabled
16:59:10 1FB IMAP SSL Port for Incoming IMAP requests: 993 (Default)
However, when I try to connect to IMAP on port 993 via SSL I receive a connection error on the client side. On the POA side I see this message in the log file...
17:01:32 330 New IMAP session initiated from 10.51.10.88
17:01:32 330 *** NEW PHYS. CONNECTION, Tbl Entry=5, Socket=235
17:01:32 330 Return from IMAP [890F]
17:01:32 330 *** PHYSICAL PORT DISCONNECTED, Tbl Entry=5, Socket=235
Thanks again for any help you can provide.
Walter Keener
Network Administrator
Grandville Public Schools
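An added client-side check, not part of the original thread, for the symptom described above (the POA accepts the session on 993 and drops it): it reports whether the port is refused, accepting but not speaking TLS, dropping the connection mid-handshake, or presenting a certificate the client will not trust. The plaintext stub and the default host/port are constructed for illustration; point `probe_imaps` at the real POA host to test the live listener.

```python
import socket
import ssl
import threading


def probe_imaps(host, port=993, timeout=5.0, cafile=None):
    """Classify what an IMAP-over-SSL client will experience on host:port.

    Returned dict always has a 'status' key:
      refused              - nothing accepts TCP connections on the port
      unreachable          - TCP connect or handshake timed out / other OS error
      closed_mid_handshake - server accepted, then hung up before finishing TLS
      untrusted_cert       - TLS works, but the certificate fails validation
                             (unknown CA, hostname mismatch, expired, ...)
      handshake_failed     - server answered with something that is not TLS
                             (e.g. a plaintext IMAP greeting) or TLS failed
      ok                   - TLS established; cert and greeting details returned
    cafile lets you trust a private/self-signed CA instead of the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused", "detail": "no listener on %s:%d" % (host, port)}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        # wrap_socket performs the handshake immediately on a connected socket
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            greeting = tls.recv(1024).decode("ascii", "replace").strip()
            return {
                "status": "ok",
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject.get("commonName"),
                "greeting": greeting,
            }
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted_cert", "detail": exc.verify_message}
    except (ssl.SSLEOFError, ConnectionResetError) as exc:
        return {"status": "closed_mid_handshake", "detail": str(exc)}
    except ssl.SSLError as exc:
        return {"status": "handshake_failed", "detail": exc.reason or str(exc)}
    except socket.timeout:
        return {"status": "unreachable", "detail": "timed out during TLS handshake"}


def start_plaintext_imap_stub(host="127.0.0.1"):
    """Constructed stand-in for a misconfigured IMAPS port: accepts one
    connection on an ephemeral port, answers with a plaintext IMAP greeting
    instead of a TLS ServerHello, and hangs up. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(5.0)
            try:
                conn.recv(4096)  # swallow the client's ClientHello
            except OSError:
                pass
            conn.sendall(b"* OK IMAP4rev1 server ready (plaintext, no TLS)\r\n")

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_port(host="127.0.0.1"):
    """Find a TCP port with no listener, to exercise the 'refused' case."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    print(probe_imaps(target_host, target_port))
```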

Similar Messages

  • How to enable logging of IMAP and SMTP connections in Mail

    I have set up my own mail server and am able to send and receive mail. However, I would like to enable SSL security for connections from the client application to the mail server. I have created certificate authority, created a root certificate, and created an SSL certificate and key for the server. However, every time I connect, I get a warning message that the certificate is not valid - but the host names and domain names are correct in the certificate and match in the error message. It appears that there is some other problem with the certificate that is not reported in the dialog.
    I would like to turn on logging in Mail.app to try to find out what is happening as the connection is made and TLS is enabled to find out why the certificate is being rejected. What options exist for logging SMTP and IMAP connections in mail? How can I find the logging options - should I look for strings in the binary or a resource file?

    You cannot log only those changes but you can log *all* changes.
    The messages 111008 and 111010 are the ones to look for (as described in this post).

  • How to enable SSL optimization only for a single remote WAE and specific website?

    Hi guys.
    I have to enable SSL optimization for a specific HTTPS website only and for a specific remote site only (branch office).
    The scenario is as follows:
    Multiple sites connected via a MPLS cloud. Each site has its own WAE device (module or appliance).
    There is a central manager and core WAE in the main site (central site).
    There is a website accessed via HTTPS by all the remote sites. This specific website is hosted within the main site.
    For only a specific branch office (remote site) we want to enable SSL optimization for this specific website.
    I saw this great and useful doc, but I still have some concerns.
    https://supportforums.cisco.com/docs/DOC-16452
    Basically, according to what I see, I should do the following if I want to enable SSL optimization for the entire environment:
    - export the certificate and keys;
    - enable secure store in the central manager;
    - In the remote and core WAE, check "initialize CMS secure store" and "Open CMS Secure Store";
    - In the core WAE, import the CA certificate (upload PEM file);
    - In the core WAE, create the SSL Accelerated Service by:
        -- importing the client certificate and the key;
        -- match interesting traffic;
        -- put the SSL Acc Service in service;
    - Finally, make sure SSL acceleration is enabled in both remote and core WAE.
    The concerns:
    I only need to enable SSL optimization for a specific location accessing a specific website.
    Should the steps above work fine if I enable the SSL service for this specific website in the core WAE and enable secure store only in a single remote site (branch office)?
    How will the other remote locations behave?
    Will they access the website normally with no SSL optimization even passing thru the core WAE?
    What about the other SSL sites which have no certificate? They will be treated as normal HTTPS with no optimization, right?
    If the site uses proxy, will any flow be impacted?
    If the steps above do not fit my case, how can I configure SSL optimization for only one remote WAE?
    Thanks in advance.
    importing the client certificate and key (client.crt and client.key exported from the Web server - See more at: https://supportforums.cisco.com/docs/DOC-16452#sthash.3BKz05zU.dpu

  • How do I enable SSL to serve swfs and non video content in FMS 4.5

    I'm running FMS 4.5 with the built in Apache server on a Windows 2003 server running SP2. Our users are complaining that embedded videos in Chrome aren't displaying properly because the SWFs and some of the non video content are being delivered over http instead of https. I'm having trouble finding any documentation on how to add an SSL cert to the Apache server and enabling it to serve content over 443. I've requested my cert and am following my CA's docs on adding the cert to Apache, but I'm not seeing the VirtualDirectory referenced in the httpd.conf file. I'm relatively new to Apache configuration, so please include as much detail as possible in your answer. Thanks in advance for any assistance.

    Look for httpd-hls-secure.conf file in AMS(FMS) Apache Bundle. httpd.conf includes this file. This enables SSL for key delivery for HLS. You may like to do the same for other cases.
    Other than this, you have to enable the LoadModule mod_ssl in httpd.conf.

  • How to use SquirrelMail and Require SSL for IMAP Service?

    Hello,
    Mac OS X Server v.10.4.9 – Open Directory Master
    Providing POP, IMAP, SMTP, web services including webmail via SquirrelMail.
    PHP v.4.4.4 Nov. 1, 2006
    OpenSSL v.0.9.7l Sept. 2006
    I need to require SSL for IMAP access; however, I also need to provide webmail access. SquirrelMail does support TLS it seems and that can be configured from /etc/squirrelmail/config/conf.pl and is discussed briefly here: http://www.squirrelmail.org/wiki/SquirrelMailIMAPS .
    When I turn on TLS in SquirrelMail and change the IMAP port number to 993, attempting to log into SquirrelMail produces the following error:
    Bad request: IMAP server does not appear to support the authentication method selected. Please contact your system administrator.
    According to the above noted page from the SquirrelMail site one needs PHP 4.3 and SSLv3 in order for TLS to work, and one must also connect to the IMAP server over port 993. Requirements I appear to meet.
    So – how can one require the use of SSL for IMAP and still provide webmail access via SquirrelMail?
    I have reviewed these three threads:
    http://discussions.apple.com/thread.jspa?threadID=912841&tstart=75
    http://discussions.apple.com/thread.jspa?messageID=1457773&#1457773
    http://discussions.apple.com/thread.jspa?messageID=3921004&#3921004
    However they do not answer the fundamental question of how to use SquirrelMail with SSL required by IMAP. Essentially the conversation revolves around working around the SSL requirement or forgoing it.
    Thank you for any assistance.

    David,
    "Yet from time to time these same users are in a circumstance where they need to use webmail, thus SquirrelMail needs to work. I am not trying to secure webmail by requiring SSL."
    I see your problem. In this particular case there is a workaround.
    Use different ports for postfix and cyrus limited to localhost, thus catering only to SquirrelMail, thus not needing TLS.
    Roughly do this (this is just off the top of my head, may contain errors):
    For SMTP / Postfix:
    Edit /etc/postfix/master.cf
    and add:
    465 inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.1/32
      -o smtpd_enforce_tls=no
    # This will create a port 465 (if you use this already pick another one; choose the number wisely, depending on what is in use on your server)
    # This port is only accessible to IP numbers in "mynetworks"
    For IMAP / Cyrus
    Edit /etc/cyrus.conf and add (below imap):
    imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaplocal" prefork=0
    Next duplicate /etc/imapd.conf and name it imapd-local.conf
    Edit /etc/imapd-local.conf
    Change
    tls_server_options: require
    to
    tls_server_options: use
    Next edit:
    /etc/services
    and create a port called "imaplocal"
    (you could probably recycle 585 which is deprecated; check what is in the services file, make sure no duplicate port numbers).
    should look something like:
    imaplocal 585/udp
    imaplocal 585/tcp
    When done with all config files:
    Save & restart mail services
    Point SquirrelMail to the new ports which should only be accessible to localhost (check with an external client if it holds
    Sorry for the "draft style" post, but I don't have much time.
    Just ask, if anything isn't clear.
    HTH,
    Alex

  • Error message: Cannot connect, secure connection needed, enable ssl 3.0 and slt

    Error message: "We cannot complete your itunes request. A secure internet connection cannot be determined. Be sure to enable ssl 3.0 or slt 1.0 in the internet options control panel." I did NOTHING different to my computer. One day I could purchase songs from itunes and 4 days later I couldn't. I've checked all things that discussion boards and technical support have suggested and nothing works. Enabled ssl 3.0 and slt 1.0, turned off firewall, authorized my computer, blah, blah...
    Not only can't I purchase songs but when I plug in my ipod to shuffle or change playlists, the error messages tell me I will lose many of my songs if I don't authorize my account. Then, back to the problem of it looping me through error messages.

    You don't really need to do anything, as the handshake will fall back to SSLv3 if either end can't speak TLS.
    However if you want to enforce SSLv3 and nothing else (e.g. SSLv2) you could remove TLSv1 from the enabledProtocols of the SSLSocket (or SSLServerSocket if you're writing a server). You should also remove SSLv2 at the same time IMHO as it is insecure.
    Alternatively, if you're using SSLContexts, do SSLContext.getInstance("SSLv3") and get your SSLSocketFactory from the result; see http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html#AppA.
    EJP

  • My problem when I enable SSL in Weblogic and I don't have a trusted CA cert

    Hello
    I've enabled weblogic SSL
    Now when I want to use the Weblogic Administration Console with the Https protocol it works
    But at first when I enter its address my Web Browser (Mozilla Firefox) shows me this exception:
    "This Connection is Untrusted. You have asked Firefox to connect securely to localhost:7002, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified."
    I know that it's because I don't have any certificate of trusted certificate authorities (however when I add the exception it goes to the administration console)
    Suppose I want to develop an application for a small company and it uses HTTPS for its login page and I don't have any trusted CA certificate; when users want to login, the web browser shows the exception
    Now I want to ask:
    can I create a valid certificate by myself without connecting to a trusted certificate authority and doing its official stages? In other words, can I be a Trusted Certificate Authority for myself and configure the Web Browser to get rid of that exception?
    My aim is to find a way to use SSL and make a secure connection without receiving the exception in the Web Browser and without connecting to certificate authorities and doing their official correspondence and paying the cost
    do you have any solution for me?
    Thanks

    Hi
    I enabled SSL Debugging in Weblogic and it shows me this log when the web browser wants to use https:
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 1639942021>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 SSL3/TLS MAC>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 received HANDSHAKE>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 58>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 1583>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 4>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 SSL3/TLS MAC>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 received ALERT>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@47204d1a>
    <Jan 4, 2012 4:18:48 PM IRST> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from 172.17.33.59 - 172.17.33.59. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <close(): 424502001>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <close(): 424502001>
    <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 1639942021>
    Can it give a helpful clue?
    Thanks

  • Howto setup an imap connection with ssl for incoming, but nonssl for outgo

    I am just stuck in a "simple" problem. Our mail-server is doing imap with a special configuration:
    - incoming is running imap/ssl on port 443
    - outgoing is running non-ssl (plain) on port 25
    The problem is that I can not set the "use ssl" and "port" configuration for incoming or outgoing separately. Or I assume I just can not find the way to setup this in the right way.
    Any hints on this?
    Carsten

    Hi. To set up your ssl incoming connection, open Preferences>Accounts. Click the Advanced tab, and near the bottom, you will see a place to enter the port number and check ssl enabled. For the outgoing connection, in the preference box, click Account Information. At the bottom you should see outgoing server information. Click on this and scroll to Edit Server List. Select the appropriate server (if you have more than one) and click the Advanced tab. You should see a radio button that selects Standard ports (25 is among them).
    My account is set up exactly the same way without any problems.

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Enabling SSL for Oracle Enterprise Manager 10.1.3.1 is Failing!!!

    Hi All,
    I have followed the steps described in
    http://download-uk.oracle.com/docs/cd/B31017_01//core.1013/b28940/em_app.htm#BABCEEAH.
    However when I am trying to start the application server using 'opmnctl startall' the server is not starting and some timeout is getting generated in the log file.
    Is it that enabling SSL will only make the EM console secured? Then how to enable SSL for other soa components like - BPEL,ESB,OWSM? Are there any documentations available?
    Also please let me know how can I enable SSL for Oracle Application server console?
    Please any advice will be appreciated. I am in the middle of a project delivery.
    Thanks

    Hi,
    Let me first highlight the installation that I have done. I have installed SOA components with 'basic installation' mode.
    The log file under <ORACLE_SOA_HOME>/opmn/config/ has generated the following stack:-
    08/07/25 11:03:34 Start process
    08/07/25 11:03:37 WARNING: XMLApplicationServerConfig.overwriteSiteConfigPort Port assignment is ignored: web-site not found in the server OC4JServiceInfo id: default-web-site protocol: http hostname: null port: 8890 description: null
    08/07/25 11:03:37 WARNING: XMLApplicationServerConfig.overwriteSiteConfigPort Port assignment is ignored: web-site not found in the server OC4JServiceInfo id: secure-web-site protocol: https hostname: null port: 1156 description: null
    08/07/25 11:03:47 log4j:WARN No appenders could be found for logger (wsif).
    08/07/25 11:03:47 log4j:WARN Please initialize the log4j system properly.
    08/07/25 11:03:53 WARNING: OC4J Service: ascontrol-web-site with protocol: https and port: 1156 was not declared in opmn.xml
    08/07/25 11:03:53 Oracle Containers for J2EE 10g (10.1.3.1.0) initialized
    08/07/25 11:03:53 WARNING: OC4J will not send ONS ProcReadyPort messages to opmn for service: OC4JServiceInfo id: default-web-site protocol: http hostname: null port: 8890 description: null
    08/07/25 11:03:53 default-web-site hostname was null
    08/07/25 11:03:53 WARNING: OC4J will not send ONS ProcReadyPort messages to opmn for service: OC4JServiceInfo id: secure-web-site protocol: https hostname: null port: 1156 description: null
    08/07/25 11:03:53 secure-web-site hostname was null
    At the command prompt I get the following error:
    opmn id=CALTP8BB32:6203
    0 of 1 processes started.
    ias-instance id=home.CALTP8BB32.cts.com
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    default_group/home/default_group/
    Error
    --> Process (index=1,uid=301928631,pid=2944)
    failed to start a managed process after the maximum retry limit
    Log:
    D:\product\SOASuite\opmn\logs\\default_group~home~default_group~1.log
    --------------------------------------------------------------+---------
    ias-component | process-type | pid | status
    --------------------------------------------------------------+---------
    OC4JGroup:default_group | OC4J:home | N/A | Down
    ASG | ASG | N/A | Down
    Please let me know where I am going wrong.
    Thanks,
    Mandrita.

  • How to enable ssl in ohs

    I installed the web tier (OHS and Web Cache) 11.1.1.2 on 2008 R2 64-bit. I also patched it to 11.1.1.3. I did not think (and this may
    be where I went wrong) that I needed to install WebLogic. I have not done anything with Web Cache yet.
    I had imagined I could enable SSL in Apache the way it is done on other installations, just by putting entries in
    the ssl.conf like SSLCertificateFile and SSLCertificateKeyFile. But no. The software will not allow you to do that.
    I believe the certificate has to go in a wallet (for OHS; other Fusion things want a different plan). There are multiple
    wallet programs already there, such as from installing the database. I find that the wallet program will not allow
    me to use the CSR I already created, the one that was used to get the certificate I have. Oops!
    So does anyone know if there is a way around this, so I can use the .crt and .key I have for this domain name?
    This is really taking a lot of time. I suppose I could install Apache, the regular one, on this machine so that I
    could use an SSL connection to that and then hand it over to OHS. Since it wasn't going anywhere, it wouldn't
    be much of a problem that the traffic wasn't encrypted.
    Edited by: lake on Nov 23, 2010 7:11 PM

    I thought I'd never get this to work. No one should bother trying without reading the docs
    1226484.1 and 1218603.1 on metalink.
    While one could use a reverse proxy (ProxyPass and ProxyPassReverse in an Apache web server) so that SSL could be
    configured in the other server, I saw reports of that not always working.
    Otherwise, if one did not install WebLogic, I believe the only way to configure SSL with this version of OHS is with orapki, the command line
    interface for handling wallets, or the GUI wallet application, which I found on the 11gR2 database menu under "integrated management tools". You may be able to add an existing CSR to a wallet via the orapki interface.
    If you were using a separate key and certificate, you may be able to change them to the wallet requirements given sufficient knowledge of OpenSSL. That was more knowledge than I had. So what I did
    was start over from scratch totally. I created the CSR in the wallet GUI, exported it, submitted it, and got a totally new cert from our cert source.
    What I used for the wallet "operations, import user certificate" was a .cer file, and it worked. The wallet already had our CA in it, so I did not have to fight that battle. Hallelujah.
    It is essential to check on the "Wallet" menu the "Auto Login" selection before saving it. When you save a wallet
    it will be called cwallet.sso if it is autologin. If the saved file is called ewallet.p12 it is not autologin and will not
    work for ohs.
    After you have saved your wallet as cwallet.sso say in
    "....instances\instance1\config\OHS\ohs1\mykeys"
    then you would need to check the ssl.conf and it would need to be like so:
    SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mykeys"
    Note that is to the directory the sso file is in.
    But wait there's more....
    on Windows 2008 R2, you need to fire up Windows Explorer and navigate to your cwallet.sso file.
    Under properties, security you need to add SYSTEM in "group or user names" and give it all permissions possible.
    Secondly, you need to go under properties, security, advanced, owner and change the owner to SYSTEM.
    Without these changes it will never work because the web server cannot open the wallet.
    Remember by default the logs go in
    "....instances\instance1\diagnostics\logs\OHS\ohs1"
    I became very familiar with them :-)

  • To enable SSL in Apex 3.1.2, wallet must or not

    Hi Experts,
    We have to enable SSL in Apex 3.1.2. We are using the Companion HTTP server as an Application Server.
    My question is,
    To enable SSL, do we need to create a wallet or not?
    Please clarify my doubt.
    Thanks
    R.Sundaravel

    Usually a Wallet is created at installation time with a dummy certificate for SSL.
    If you are planning to use a certificate from any commercial CA, you should go ahead and create a new Wallet, then create the certificate request and send it to the CA to get your certificate.
    After that change the ssl virtual host configuration to point to the new wallet.

  • Issue with one of the Managed server while enabling SSL.__ Issue Resovled

    Weblogic version:wls 8.1sp6
    SSL: internal
    Environment:
    1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
    <Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    <Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
    <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
    <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
    <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
    <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
    <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
    <Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
    javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
    at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
    at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
    at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
    Please let me know where I am going wrong. Thanks in advance.
    Message was edited by:
    Shashi_sr

    Solution given by BEA Engineer:
    <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
    The reason for this was
    The CA Certificate was missing a required bit (according to RFC 3280).
    keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
    As per RFC:
    The keyEncipherment bit is asserted when the subject public key is
    used for key transport. For example, when an RSA key is to be
    used for key management, then this bit is set.
    According to RFC3280, when the key will be used to encrypt other keys that are sent over the wire ("key transport"), the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
    Your KeyUsage only contains the following bits:
    [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
    Since it is marked Critical, it MUST have the keyEncipherment bit.
    Otherwise, it should not be marked as Critical.
    So the three solutions that should work are
    1) Remove keyUsage
    2) Don't mark keyUsage as critical
    3) If keyUsage is critical, make sure keyEncipherment bit is set.
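
The rule the BEA engineer states above, written out as an added Go example (it is not code from the thread, from BEA or from Oracle). Three self-signed certificates are constructed in the code to stand in for the poster's CA certificate: one with exactly the dumped bits (digitalSignature, keyCertSign, cRLSign) and the extension critical, one with the same bits non-critical (solution 2), and one with keyEncipherment added (solution 3); the absent-extension case (solution 1) is handled by the same check. The certificate names and helper names are hypothetical. Go's standard x509 package stands in for the Certicom stack; Go's own TLS client does not enforce KeyUsage, so the check is an explicit parse of the extension rather than a handshake. One caveat a practitioner should keep in mind: the keyEncipherment requirement applies to RSA key transport (TLS_RSA_* cipher suites); with DHE_RSA or ECDHE_RSA key exchange the certificate key signs rather than encrypts, so digitalSignature is the bit that matters.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509 KeyUsage extension, the "ObjectId: 2.5.29.15" in the post.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// checkRSAKeyTransport applies the rule quoted from the BEA engineer: the key
// may be used for RSA key transport (encrypting the TLS pre-master secret) when
// the KeyUsage extension is absent, or present but non-critical, or critical
// with keyEncipherment set. Critical without keyEncipherment is the combination
// that aborted the poster's handshake.
func checkRSAKeyTransport(cert *x509.Certificate) (ok bool, reason string) {
	var ku *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(oidKeyUsage) {
			ku = &cert.Extensions[i]
			break
		}
	}
	switch {
	case ku == nil:
		return true, "no KeyUsage extension (solution 1)"
	case !ku.Critical:
		return true, "KeyUsage present but not critical (solution 2)"
	case cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0:
		return true, "KeyUsage critical with keyEncipherment set (solution 3)"
	default:
		return false, "KeyUsage critical and keyEncipherment missing: RSA key transport forbidden"
	}
}

// selfSigned issues a throwaway self-signed RSA certificate (constructed test
// data, hypothetical names). When extra is empty, Go emits KeyUsage from the
// usage bits and marks the extension critical, matching the post's
// "Criticality=true" dump; extra lets a caller hand-roll the extension instead.
func selfSigned(cn string, usage x509.KeyUsage, extra []pkix.Extension) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		ExtraExtensions:       extra,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caBits is the KeyUsage the post dumps: DigitalSignature, Key_CertSign, Crl_Sign.
const caBits = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// brokenCA reproduces the failing certificate: caBits with the extension critical.
func brokenCA() (*x509.Certificate, error) { return selfSigned("broken-ca", caBits, nil) }

// nonCriticalCA is solution 2: the same bits, hand-encoded as a BIT STRING with
// bits 0, 5 and 6 set (0x86, 7 significant bits) and Critical left false.
func nonCriticalCA() (*x509.Certificate, error) {
	bits, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0x86}, BitLength: 7})
	if err != nil {
		return nil, err
	}
	return selfSigned("noncritical-ca", 0, []pkix.Extension{{Id: oidKeyUsage, Critical: false, Value: bits}})
}

// fixedCA is solution 3: keep KeyUsage critical but add keyEncipherment.
func fixedCA() (*x509.Certificate, error) {
	return selfSigned("fixed-ca", caBits|x509.KeyUsageKeyEncipherment, nil)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){brokenCA, nonCriticalCA, fixedCA} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		ok, reason := checkRSAKeyTransport(cert)
		fmt.Printf("%-15s ok=%-5v %s\n", cert.Subject.CommonName, ok, reason)
	}
}
```

Running it prints one verdict per constructed certificate; only broken-ca is rejected. To check a real chain, decode each PEM block with encoding/pem, pass the parsed certificate to checkRSAKeyTransport, and fix whichever certificate comes back false using one of the three options the engineer lists.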

  • Enabling SSL in oracle EBS 12.0.6

    Dear All,
    I want to enable SSL (Secure Sockets Layer) in Oracle EBS R12.
    Application is 12.0.6
    Web/Apache server is 10.1.3
    Forms and Reports server 10.1.2
    Database server 10.2.0.4.0
    Is any upgrade patch required before enabling SSL?
    Thanks & Regards
    Ravi Kumar

    Hi Ravi,
    This is a duplicate thread; you have raised a similar thread before:
    Enabling SSL in oracle EBS 12.0.6
    "Is any upgrade patch required before enabling SSL?"
    Your environment will support configuring SSL.
    Please see note:
    Enabling SSL in Oracle E-Business Suite Release 12 (Doc ID 376700.1)
    Best Regards,

  • How to enable SSL in iChat 3.1.9

    Can anyone please tell me how to enable SSL in iChat 3.1.9 for Tiger? I am having the error "Cannot connect to AIM." that I was having on my Leopard MacBook, but there I enabled SSL and it works now. However, I can't see where to enable SSL on my iMac. Thanks ahead of time for any help!

    OK, upon doing research, I have found out that there is no SSL to enable until iChat 4.
