Portal certificate renew

Similar Messages

• Poratal certificate renewal

  Hi,
  In my BW system the existing portal certificate is expired today.Can anybody please tell me how to renew the portal PSE certificate in BW system.
  Could you please explain this with steps.
  Regards,
  SA.

  Hi
  This is the normal process to upload portal certificate to backend.
  Yuo can try this
  - Download the certificate from the portal: logon to the Portal with an admin account and navigate to System Administration u2013 System configuration u2013 choose Keystore administration in the left pane u2013 choose download verify.der file u2013 save file locally. Since this is a zip-file you have to unpack it first.
  - Logon in the abap system and start transaction STRUSTSSO2 u2013 navigate to certificate u2013 import and upload verify.der as a binary file.
  - The cerficate is visible in the cerficate-frame, now add the certificate to the certificate-list using the pushbutton
  - Add certificate to the ACL list using corresponding pushbutton, fill in System ID and client
  - Save the configuration
  - Restart ICM using SMICM u2013 administration u2013 ICM u2013 exit soft.
  make sure to restart the ICM on every application server

• Regarding Certificate Renewal

  Hi all,
  i am using sun java communication suite 5 + portal server 7.1.
  My Webmail and Application Server is using the same certificate which will expire soon. If I can get any information about the certificate renewal.
  regards
  Adeel

  Hi,
  Try it with the new license page:
  <a href="http://service.sap.com/sap/bc/bsp/spn/minisap/minisap.htm">http://service.sap.com/sap/bc/bsp/spn/minisap/minisap.htm</a>
  For the old-style license key (license string) choose <b>NSP - SAP NetWeaver 04</b>.
  For the new license key (license file) choose <b>NSP - SAP NetWeaver 2004s</b>
  Hope this helps.
  Kind regards,
  Klaus

• J2EE Certificate Renewal in PI 7.0

  Hi
  We are executing a project to renew the certificates installed in our XI server. The certificate which is currently installed in our XI severer is signed by Verisign. All partners communicating to the XI server use the certificate to digitally sign the message. In XI server we have configured communication channels to receive process the signed message and also to deliver digitally signed message to partners. The validity of the current certificate installed in our system is going to end by the end of Feb. We are looking at renewing the certificate before the expiry date so that there will not be any interruption in partner communication. In this regard, please provide your inputs to the following items
  1. Should the existing CSR be sent to the CA for validity extension or a new CSR to be generated
  2. During certificate renewal, can the existing private/public key be retained for the renewed certificate
  3. Can we have the old certificate installed in the XI server along with the newly renewed certificate, so that the partners can be gradually migrated
  4. Is XI server restart required after certificate installation/upgrade
  We have referred the SAP Note 694290 for Verisign certificate renewal
  Thanks
  Srinivas

  No cross posting
  Read the "Rules of Engagement"
  Regards
  Juan

• Portal Certificate Errors

  Hi,
  We have installed SRM 7.0 .  I am facing problem with some of the tabs in portal . When I click on the tabs it is giving the following error:
  Content was blocked because it was not signed by a valid security certificate.
  For more information, see "Certificate Errors" in Internet Explorer Help.
  Please suggest a solution for this.
  I am using IE7 . I tried opening the same tabs in IE6 where I did not get this problem.

  check STRUSTSSO2 tcode and see if its valid or not..i am sure its the validity issue as i have tested in IE7 and its working fine..
  read more here..http://rahulursportal.blogspot.com/2010/01/sap-portal-certificate-error-for-sso.html
  or SSO in general  : http://rahulursportal.blogspot.com/2009/04/sap-portal-single-sign-on-for-non-sap.html

• Cisco ISE Admin and EAP certificate renewal

  Hi board,
  maybe I'm asking a rather dumb question here, but anyway :)
  I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
  Here's the thing I do, when I initially install an ISE node
  1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
  2.) Sign CSR and bind certificate on ISE node - done
  Now after 10 month or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
  CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
  So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
  How do you guys do this in your deployments?
  Thanks in advance and sorry again if this is a silly question.
  Johannes

  you can install a new certificate on the ISE before it is active, Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart
  Certificate Renewal on Cisco Identity Services Engine Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

• Portal Certificate Expired with NO VA running!!!

  Hi All,
  I got one issue about Portal certificate expiration, for which SSO is not working b/w Portal and R3.
  As working on Solaris, required to re-generate the Keystore Certificate via Visual Admin, but WHAT!!!
  I am not able to run it, it says that JAVA_HOME needs to be set.
  Done (Set) but still am not able to see that VA screen. Tried thru root and SIDADM (recommended) also, but couldnt... which is turning my head 360 degrees.
  Well request you all to share your good experiences thru which i may be able to resolve the issue which is pending past 2 days and no proceedings since...
  And i guess there is no way out to increase the validity of certificate without VA. OR is there any????
  Thanks
  Piyush

  hi Anil,
  i got,
  /usr/java
  we ran the command "./go" to start visual admin, which inturn shows the error as below
  4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : console output st
  ream will not be logged into a file; there was an error opening the log file
  java.io.FileNotFoundException: /usr/sap/EPD/JC01/j2ee/admin/log/console_logs/out
  put.log (Permission denied)
          at java.io.FileOutputStream.open(Native Method)
          at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
          at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
          at com.sap.engine.tools.launcher.Launcher.initLogs(Launcher.java:636)
          at com.sap.engine.tools.launcher.Launcher.init(Launcher.java:198)
          at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:113)
  4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : unable to invoke
  main class  com.sap.engine.services.adminadapter.gui.AdminFrameView
  Exception in thread "main" com.sap.engine.tools.launcher.LauncherException
          at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:340)
          at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
  caused by -
  java.lang.reflect.InvocationTargetException
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
  java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
  sorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
          at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:336)
          at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
  Caused by: java.lang.InternalError: Can't connect to X11 window server using ':0
  .0' as the value of the DISPLAY variable.
          at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
          at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:1
  34)
          at java.lang.Class.forName0(Native Method)
          at java.lang.Class.forName(Class.java:141)
          at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvi
  ronment.java:62)
          at java.awt.Window.init(Window.java:231)
          at java.awt.Window.<init>(Window.java:275)
          at java.awt.Frame.<init>(Frame.java:401)
          at java.awt.Frame.<init>(Frame.java:366)
          at javax.swing.SwingUtilities$1.<init>(SwingUtilities.java:1641)
          at javax.swing.SwingUtilities.getSharedOwnerFrame(SwingUtilities.java:16
  37)
          at javax.swing.JWindow.<init>(JWindow.java:160)
          at javax.swing.JWindow.<init>(JWindow.java:112)
          at com.sap.engine.services.adminadapter.gui.AboutWindow.<init>(AboutWind
  ow.java:12)
          at com.sap.engine.services.adminadapter.gui.AdminFrameView.main(AdminFra
  meView.java:234)
          ... 6 more
  caused by -
  java.lang.reflect.InvocationTargetException
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
  java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
  sorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
          at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:336)
          at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
  Caused by: java.lang.InternalError: Can't connect to X11 window server using ':0
  .0' as the value of the DISPLAY variable.
          at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
          at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:1
  34)
          at java.lang.Class.forName0(Native Method)
          at java.lang.Class.forName(Class.java:141)
          at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvi
  ronment.java:62)
          at java.awt.Window.init(Window.java:231)
          at java.awt.Window.<init>(Window.java:275)
          at java.awt.Frame.<init>(Frame.java:401)
          at java.awt.Frame.<init>(Frame.java:366)
          at javax.swing.SwingUtilities$1.<init>(SwingUtilities.java:1641)
          at javax.swing.SwingUtilities.getSharedOwnerFrame(SwingUtilities.java:16
  37)
          at javax.swing.JWindow.<init>(JWindow.java:160)
          at javax.swing.JWindow.<init>(JWindow.java:112)
          at com.sap.engine.services.adminadapter.gui.AboutWindow.<init>(AboutWind
  ow.java:12)
          at com.sap.engine.services.adminadapter.gui.AdminFrameView.main(AdminFra
  meView.java:234)
          ... 6 more
  Regards
  Piyush

• Exchange 2007 Webmail certificate Renewal

  Hi,
  If any one knows more details about how to renew the webmail certificate in Exchange 2007, Webmail certificate is ging to expire soon ...EventID 12018

  You can use powershell cmdlet Import-ExchangeCertificate to renew the certificate.
  To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
  For more info, visit
  https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

• Cannot delete expired portal certificate

  Hi
  I'm having problems deleting an expired portal certificate in STRUST. I tried exporting it and then reimporting it but still I wasn't able to delete it. When I try to delete it, i always get a generic error. Any insights? Thanks.
  Shery

  Problem solved.
  The rename operation of the copy of datafile was recorded in the controlfile, hence renamed also the recorded datafile copy in the rman repository.
  The key was to simply use the RMAN switch command again.
  RMAN> switch datafile '+DATA/orcl/datafile/example.269.730723991' to copy.
  After that, deleting the copy in RMAN worked.
  The RMAN switch command is obviously a 2-way toggle command, e.g.:
  RMAN> backup as copy datafile 5;
  input datafile file number=00005 name=+DATA/orcl/datafile/example.272.736664147
  output file name=/u02/fra/ORCL/datafile/o1_mf_example_6hg6xo8p_.dbf
  RMAN> switch datafile 5 to copy;
  datafile 5 switched to datafile copy "/u02/fra/ORCL/datafile/o1_mf_example_6hg6xo8p_.dbf"
  RMAN> switch datafile 5 to copy;
  datafile 5 switched to datafile copy "+DATA/orcl/datafile/example.272.736664147"

• Customizing Certificate Renewal

  We are developing system that makes use of Certificate Server. But, only our system is visible form the Internet,
  CS is hidden behind the firewall.
  We've developed a solution, that makes it possible to request for certificate from our system, then forwards the request to CS, and vice versa, we fetch the page which installs the certificate and forwards it to end-user.
  But, when talking about renewal, we have a problem.
  CS interface for certificate renewal expects, that user legitimates with its expiring (or expired) certificate and then
  CS regenerates new certificate (with validity customized via console) and installs it on client browser.
  We expected similar functionality as with requesting for certificate. User fills out the request, sends it to CS, and admin after checking issues the certificate. More, the admin is responsible for renewing the certificate, not the user, as in previous scenario.
  Also, authenticating with client certificate makes it impossible to forward the request and response by us (we cannot fetch the certificate from the user browser to use it for communication with CS)...
  Maybe some of You have solution that satisfies our needs?
  Maybe CS has another interface, which we didn't explore, allowing certificate renewal without presenting user certificate.
  Or you developed your own, custom solution, that can be suitable for us...
  Thanks for help!
  Michal Szklanowski
  Java Architecte
  empolis Poland

  You have to create certificate request(CSR) from the same instance on which you are trying to install the certificate.
  You need to copy the production server's *.dbs in <ws-install-dir>/https-<instance>/config and run a pull-config --force command to pull the changes into Admin Server.
  If you use WS7.0 Admin Server for certificate renewal, AFAIK a new set of private and public key is generated.

• Asa5505 client certificate renewal

  folks
  i have an asa 5505 as an ssl vpn termination point
  users are authenticated by certificate and username/password
  the asa is using a self generated certificate and issuing client certificates to users
  my problem:
  one of my user certs has expired and i can't find how to renew it
  i have found how to enable the enrollment threshold to notify users in advance of an expiry
  can anyone point me in the right direction or do i have to force a new enrollment?
  thanks to anyone taking the time to reply

  Deleting the profile will just make the device appear as a brand new BYOD device which needs BYOD on-boarding. The process/experience should not be any different than when the device was first on-boarded. Thus, the user can delete the profile at anytime. Obviously there will be no access until the re-on-boarding happens but again that is not any different than when the device was setup originally. To answer your last question: It really depends on how you setup your policies but just because the device is registered it does not mean that it won't go through the on-boarding process. In addition, if your rules are setup in such way that the device must NOT be registered for on-boarding to succeed then the BYOD user(s) can use the My Devices portal to manually delete the iOS device from ISE without the need of admin intervention. 

• ISE 1.2.1 - CLient certificate renewal and expiration

  Hi all,
  Anyone had any luck setting up and getting this functionality working? I have set up the correct authentication and authorisation flows and all works well. My major issue is that it would appear as though apple iOS devices do not allow you to update the profiles - meaning you have to delete the iOS profile which in essence means the entire renewal process is pointless.

  Deleting the profile will just make the device appear as a brand new BYOD device which needs BYOD on-boarding. The process/experience should not be any different than when the device was first on-boarded. Thus, the user can delete the profile at anytime. Obviously there will be no access until the re-on-boarding happens but again that is not any different than when the device was setup originally. To answer your last question: It really depends on how you setup your policies but just because the device is registered it does not mean that it won't go through the on-boarding process. In addition, if your rules are setup in such way that the device must NOT be registered for on-boarding to succeed then the BYOD user(s) can use the My Devices portal to manually delete the iOS device from ISE without the need of admin intervention. 

• Guest portal certificate on ise

  Background:
        Customer don't have an internal DNS server. We are using the google DNS server, which doesn't resolve the internal guest ISE server name. Hence, we are directly using the ip-address in redirect URL and guest authentication portal.
  Question:
     Which certificate I need to use for the guest login portal to avoid the cert error. We tried ipaddress(10.1.1.1) in cert common name , Firefox showed cert error(invalid - for not matching-10.1.1.1:8443 ). Then, we tried DNS name as common name and IP address as subject alternate name. Most of the browsers worked fine. Internet explorer gave certificate error. Do you think of any other solution?

  There are several things that need to be setup correctly for clients to see a certificate as valid.
  1. The redirect needs to use a DNS name that the client can resolve
  2. DNS name used above must be in the certificate as CN or a SAN
  3. If the redirect uses a fully qualified domain name then this also needs to be in the certificate
  4. Client needs to have the ROOT cert and any required intermediates in it certificate store.
  Using IP address in the SAN should work but if you want to use a publicly signed cert on ISE then you cannot use IP address because the certificate authorities will no long support this.
  You could try using 10.1.1.1:8443 in the SAN to see if this works but you will still need to ensure that the client device has the certificates ROOT and intermediates in its certificate store.
  Hope this helps

• EAP-TLS - 802.1x - Certificate renewal

  Hello
  I want to implement EAP-TLS as realised in Document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything thing works fine.
  Though our customer wants to FW the Data WLAN/ VLAN and allow only data traffic between WLAN Client to a the terminal server within his secure LAN.
  By blocking all other traffic(except Terminal Server sessions) we experienced that the MS WinXP Client cannot renew its` EAP_TLS Certificate (in this case both user and machine)when its` Time expires.
  Could somebody give me a hint if there are other Cisco solutions for this issue.
  I have also read something about Cisco Virtual office. Does this deployement coupe up to solve this issue?

  The purpose Cisco ACS agent is, that ACS 4.x appliance (non-Windows2003 server) is capable to do Windows user authentication. I guess that won't help your issue.
  What I don't get is the following:
  Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
  The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).

• Portal Certificate Login / Basic Authentication

  Hi .
  We've setup our Portal to login by either client certs of basic authentication. The client cert is stored on a smart card device. On each access to the smartcard a user dialog prompts the user to enter the password of the smartcard.
  Some users have several user IDs. Client certificate can IMHO only mapped to one user ID. First question: Is it possible to map a client cert to more than one user ID in UME?
  2)
  If the smartcard is in cardreader and the user opens the portal login page, portal always requests the client certificate (since it is present). If the user clicks cancel, then an error page is shown. The user should have the ability to login using basic authentication user/password, even the certificate is present. At the moment we need to advice the users to remove the smartcard before trying to login. What I am looking for is something like
  https://portal.com/irj/login&j_authscheme=basicauthentication <- do not request client cert, prompt for userid password
  https://portal.com/ijr/login/certlogonportlet <- requests client cert
  Thanks for your help
  Philipp

  For the ABAP stack you can force the logon screen.
  For Java stacks you would need to make it application specific.
  I agree with Olivier  - the use case for 1) is suspect.
  If your problem is tht system admins are also ESS endusers (for example) then you can give them a different network zone to work from as admin with a different SSO ID. From a risk perspective it is the same... you should only give admin access to people whom you trust and accept being monitored.
  Cheers,
  Julius