Replacing SSL keys and certificates for already defined services
I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?
The clear file filename "password" command will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
Please check whether the URL below could help:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153
Similar Messages
-
PKCS#11 Provider unable to fetch asymmetric keys and certificates
Hi,
I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
My code snippet and configuration file are:
Java Code:
// Load the PKCS#11 provider from its configuration file and register it.
java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
System.out.println("Provider Name : " + pkcs11_provider.getName());
java.security.Security.addProvider(pkcs11_provider);
// Log in to the token and list every alias the provider exposes.
java.security.KeyStore ks = java.security.KeyStore.getInstance("PKCS11", pkcs11_provider);
ks.load(null, "password".toCharArray());
java.util.Enumeration<String> obj_enumeration = ks.aliases();
while (obj_enumeration.hasMoreElements()) {
    String str_certAlias = obj_enumeration.nextElement();
    System.out.println("Alias : " + str_certAlias);
}
pkcs11.cfg:
name = Eracom
library = G:\Eracom\cryptoki.dll
slot = 0
attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_TOKEN = false
  CKA_SENSITIVE = false
  CKA_EXTRACTABLE = true
  CKA_DECRYPT = true
  CKA_SIGN = true
  CKA_SIGN_RECOVER = true
  CKA_UNWRAP = true
}
attributes(*, CKO_PUBLIC_KEY, *) = {
  CKA_ENCRYPT = true
  CKA_VERIFY = true
  CKA_VERIFY_RECOVER = true
  CKA_WRAP = true
}
I also ran my program without specifying any attributes in the configuration file, and also tried many other combinations, but in all cases (with or without attributes) only symmetric keys are loaded from the HSM. I am able to get all keys (symmetric and asymmetric) and certificates from the same HSM using the IAIK PKCS#11 Provider. The Sun PKCS#11 Provider, though, is working fine with SmartCard tokens (Rainbow, Aladdin etc.)
Any help to resolve my problem would be highly appreciated.
Thanks in advance.

I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
"There are two separate issues - one is that our current pkcs11
release doesn't support ECDSA signature with SHA-2 hashes
(the v11.00 firmware adds support for it, but the main release version of
the pkcs11 library hasn't been updated to take advantage of it yet).
There is a hotfix version that does support SHA-2 hashes with some
restrictions, talk to [email protected] for details, and V11.10
should be out soon and have that merged in.
But the issue with setting CKA_SIGN is that our underlying HSM API
allows elliptic curve keys to be either key exchange (ECDH) or
signature (ECDSA) keys, but not both at once.
At the PKCS #11 level, if you specify CKA_DERIVE=true and let
CKA_SIGN default, it will default to false, and vice versa.
If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
return CKR_TEMPLATE_INCONSISTENT because we can't do both with
the same key. (However, the tests using C_GetMechanismInfo will
show that we can do both mechanisms, because we can - so long
as you use different keys, even though they have the same PKCS#11
type.)
I can't comment on when or how that will be changed."
I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
Dave -
What is account key and where do i define them?
hello,
what is account key and where do i define them? which transaction?
Thanks

Hai Shilpa,
1) You can create Account Keys in OBCN t.code this is used for Tax Procedure purpose
2) Second one is the you can create in FI-SD integration purpose
You define your account keys in this menu option and allocate them to the condition types in the pricing procedures. With the account keys, you group together similar accounts in financial accounting. Using the account key, the SAP System finds the desired G/L accounts. This way you can allocate a separate account key to each condition type within a pricing procedure to implement detailed revenue account determination. For example, you can allocate a freight condition to a freight revenue account, or a surcharge for packaging costs to a corresponding account for packaging revenues.
• ERF freight revenues
• ERL revenues
• ERS sales deductions
• EVV cash settlement
• MWS sales tax
SPRO → REF IMG → Sales and Distribution → Basic Functions → Account Assignment/Costing → Revenue Account Determination → Define and Assign Account Keys
Regards
Madhu I
Edited by: Madhu I on Apr 14, 2009 4:25 PM -
How to handle form close event or escape key press event for user defined f
Experts,
Please let me know how to handle form close event or escape key press event for user defined form...
Thanks & Regards,
Pravin.

Hi
You can catch the form close event like this
If ((pVal.FormType = 139 And (pVal.EventType = SAPbouiCOM.BoEventTypes.et_FORM_CLOSE)) And (pVal.Before_Action = True)) Then
Try
SBO_Application.SetStatusBarMessage(pVal.EventType.ToString())
Catch ex As Exception
SBO_Application.SetStatusBarMessage(ex.Message)
End Try
End If
Hope this helps
Regards
Arun -
Enabling Key and text for the Variable Selection screen
I need to display key and text for a characteristic when selecting the drop down menu in the variable selection screen of a web report. In the Business Explorer tab within the info-object, I changed the General Settings to display Key and text, but when I open the drop down menu for this characteristic, it is still displaying the key only. Is there some other place where this change needs to happen?
Hi,
Did you try to log out and log in again into BEx?
Best regards,
Eugene
Message was edited by: Eugene Khusainov -
Dear ALL,
I'm having one variable for which I need key and text in BEx Analyzer.
How to enable the key and text for a variable?
pls asap
regards,
Jenish

Hi jenish kumar,
If I understand your requirement correctly, you need to have both text and key values for variables with F4 help.
You need to change the properties of that infoobject at infoobject level or at infoprovider level.
This is at infoprovider level:
In RSA1 -> go to change mode of the infoprovider (Multiprovider/cube on which the query is built), then expand Characteristic Dimension -> select infoobject -> right -> select provider-specific properties -> select Display '0 Key and Text'. Activate the infoprovider, run the query and check the selection screen.
hope this helps
Regards
Daya Sagar -
JSSE: keys and certificates
1)What exactly is the difference between a key and a certificate?
2)Can both be used by JSSE?
3)How can I obtain a key?
4)A private and a public key? are it two separate files or what is it?

The first (and until so far only time) that I used SSL was with a webapplication, running on tomcat on SSL. Then I was told to generate a keystore with the keytool command and that was all and everything worked fine.
You would have had to import a certificate from the server to the client's truststore. If you worked at the server end you would have had to generate a key and either a self-signed cert or the whole CSR, get it signed, re-import sequence. This is a bit more than just 'generate a keystore with the keytool command'.
if you never heard about the keytool
Are you kidding me?
1)So this keystore was then a self-signed-certificate or even not a certificate at all???
keytool -genkey generates a private/public key pair. keytool -selfcert generates a self-signed certificate for that keypair. Nobody in the world will trust that certificate unless you export it from this keystore and import it into their truststore. By contrast, if you generate a CSR, get it signed by a well-known CA, and import the signed cert into the same keystore the CSR came from, everybody will trust that cert, because they already trust the CA. BTW these things aren't the keystore, they are in the keystore.
2)The keystore contains thus a private and public key, which ensure integrity and confidentiality.... but NOT client and server authentication?
The public/private key system can give you integrity and confidentiality. The X.509 certificate system can be used for authentication. They are different things. -
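The keytool sequence described in the JSSE answer above, as an added example that is not part of the original thread: it generates a key pair with its self-signed certificate, exports that certificate into a client truststore, and produces a CSR for a CA. It uses the current option names (-genkeypair is the current name of -genkey and already creates the self-signed certificate); the aliases, file names, DN and password are constructed demo values.

```shell
#!/bin/sh
# Added example: key pair, self-signed certificate, truststore and CSR with keytool.
# Aliases, file names, the DN and the password are constructed demo values.
LC_ALL=C; export LC_ALL          # keep keytool's output labels in English
PASS=changeit                    # demo password only
DN="CN=localhost, OU=Demo, O=Example, C=US"

# Run the whole sequence inside directory $1.
build_demo() {
    dir=$1
    # Server: generate an RSA key pair. keytool stores the private key together
    # with a self-signed X.509 certificate wrapping the public key.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -dname "$DN" -validity 365 -storetype PKCS12 \
        -keystore "$dir/server.p12" -storepass "$PASS" -keypass "$PASS" \
        </dev/null >/dev/null 2>&1 || return 1
    # Server: export only the certificate (public part); the private key stays.
    keytool -exportcert -alias server -rfc -storetype PKCS12 \
        -keystore "$dir/server.p12" -storepass "$PASS" \
        -file "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Client: trust that certificate explicitly by importing it.
    keytool -importcert -alias server -noprompt -storetype PKCS12 \
        -keystore "$dir/client-trust.p12" -storepass "$PASS" \
        -file "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Alternative to distributing the self-signed cert: a CSR for a CA to sign.
    keytool -certreq -alias server -storetype PKCS12 \
        -keystore "$dir/server.p12" -storepass "$PASS" \
        -file "$dir/server.csr" >/dev/null 2>&1 || return 1
}

# Print the entry type keytool reports for alias $2 in keystore $1.
entry_type() {
    keytool -list -alias "$2" -storetype PKCS12 -keystore "$1" \
        -storepass "$PASS" 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Succeed when the certificate's Owner and Issuer names match.
# This compares names only; it does not verify the signature.
is_self_signed() {
    out=$(keytool -printcert -file "$1" 2>/dev/null) || return 1
    owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Stand-alone run: build everything in a temporary directory and report.
if command -v keytool >/dev/null 2>&1; then
    demo=$(mktemp -d) && build_demo "$demo" && {
        echo "server.p12:       $(entry_type "$demo/server.p12" server)"
        echo "client-trust.p12: $(entry_type "$demo/client-trust.p12" server)"
        is_self_signed "$demo/server.crt" && echo "server.crt is self-signed"
    }
    rm -rf "$demo"
fi
```

The same alias shows up as a PrivateKeyEntry in the server keystore and as a trustedCertEntry in the client truststore, which is the key-versus-certificate distinction the answer draws.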
SSL Offloading and Certificate Errors
I am attempting to offload SSL on an F5 load balancer. I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer. I then followed SSL Offloading TechNet instructions here:
http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx. My two CAS servers still have the self-signed certificates bound in IIS. I am getting certificate
errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
My question is what do I do with the certificates on my 2 CAS servers? Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS?
Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
Or am I completely misunderstanding how this works and need to do something different entirely?
Thanks in advance for any guidance.

As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.)
Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell. See for example output of Get-OutlookAnywhere:
RunspaceId : 1bdf6a03-d43d-4478-84cc-95e18806b11b
ServerName : TSTEXCG2013
SSLOffloading : True
ExternalHostname : tstowa.XXXX.com
InternalHostname : tstowa.XXXX.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
XropUrl :
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
MetabasePath : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
Path : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 847.32)
Server : TSTEXCG2013
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web
Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange
Administrative
Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=XXX XXXX,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
Identity : TSTEXCG2013\Rpc (Default Web Site)
Guid : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
ObjectCategory : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 7/10/2014 7:38:58 PM
WhenCreated : 6/23/2014 2:54:36 PM
WhenChangedUTC : 7/11/2014 12:38:58 AM
WhenCreatedUTC : 6/23/2014 7:54:36 PM
OrganizationId :
OriginatingServer : TSTXXXXDC02.tstXXXX.tst
IsValid : True
ObjectState : Changed -
WD for Java: How to I retrieve key and value for DropDownbyKey selection
Dear All
I thought this was going to be straightforward and am obviously missing something.
I have created a simple modifiable value set to create a dropdown list to select a country:
public void GetCountryDropDownValues( )
{
    //@@begin GetCountryDropDownValues()
    // Call the RFC that returns the list of countries.
    Y_Tf_Npf_Get_Countries_Input countriesInput = new Y_Tf_Npf_Get_Countries_Input();
    wdContext.nodeY_Tf_Npf_Get_Countries_Input().bind(countriesInput);
    try {
        countriesInput.execute();
        wdContext.nodeY_Tf_Npf_Get_Countries_Input().nodeOutput_countries().invalidate();
    } catch (WDRFCException ex) {
        // TODO: handle exception
    }
    // Get the modifiable value set behind the COUNTRY context attribute.
    IPrivateNonPersonalisedLearnAdminReq.IContextElement elem = wdContext.currentContextElement();
    String strObjElem0 = elem.COUNTRY;
    IWDAttributeInfo i_ObjType0 = wdContext.getNodeInfo().getAttribute(strObjElem0);
    ISimpleTypeModifiable w_ObjType0 = i_ObjType0.getModifiableSimpleType();
    IModifiableSimpleValueSet s_ObjType0 = w_ObjType0.getSVServices().getModifiableSimpleValueSet();
    s_ObjType0.clear();
    // Fill the value set: key = country code, text = country name.
    for(int i=0;i<wdContext.nodeEt_Countries().size();i++)
    {
        IPublicNonPersonalisedLearnAdminReq.IEt_CountriesElement elemOrg = wdContext.nodeEt_Countries().getEt_CountriesElementAt(i);
        s_ObjType0.put(elemOrg.getLand1(),elemOrg.getLandx50());
    }
    //@@end
}
This is bound to a new context element attribute:
Country of type string
When value is selected from dropdown, it is stored in string
What I want to be able to do is to retrieve the text as well as the key from the selected object.
At the moment I can only return the key.
i.e. wdContext.currentContextElement().getCountry();
Any pointers will be gratefully received and maximum points awarded to the first complete answer that works for me.
Many thanks in advance
Mike

Hi,
You can use the following code.
ISimpleValueSet valueset = attInfo.getModifiableSimpleType().getSVServices().getValues();
if(valueset.containsKey(key)){ // Give your key here, which you already know to retrieve
    String value = valueset.getText(key); // Here you will get the value
}
Regards,
Manoj -
How to get Key and text for plant for which variable is created
Hi All
I have created one variable for Plant. User is going to give input for the plant for execution of query. I am displaying the variable value which user is putting in the query. Kindly let me know how to display key and text both for the query, as key is displaying presently.
Regards
Atul

hi Atul kumar jais
You have to create a text variable using replacement path for processing type and give the reference object which is the object which you created variable for, "replace with" one with key and another one with text. Then you can display that in the header of the column or if you are using custom template, you can use webitem for it.
thanks.
Wond -
NLB Unicast and certificate for the machine
Hello,
I have set up a two node nlb cluster, in unicast.
On the other hand, I have a GPO with which every computer in the network gets a
certificate from the CA, through auto enrollment.
I am new to NLB , but from what I gather, the CA machine won't be able to issue any certificate to any of the two NLB nodes, because the virtual ip replaces to the actual ips's of the two machines ?. I am a bit confused.
Thanks in advance !!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

It's the MAC addresses that are (sort of) replaced, not the IP addresses. The two nodes of an NLB cluster can make outbound connections to a CA and other machines, and using the nodes' individual IP addresses each of them can still be contacted from other machines (in addition to using the cluster IP address).
The only thing that does not work is: With unicast the nodes cannot communicate with each other over the network that has the shared IP address but you could use an additional NIC if you need inter-node communication.
With multicast on the other hand there is a chance you run into this issue described here for CISCO routers (just have observed this myself); this article also gives an overview on how NLB works at the MAC address level.
Re CA and certificates: Note that autoenrolled certificates will contain the nodes' individual names retrieved from AD. If you need a certificate that includes the cluster name you have to issue this certificate manually.
Elke -
Creation of Account payee keys and Table for House Bank
Hi Gurus,
Please tell me how to create an Account payee keys, what is transaction code for this. And let me know what is the table to check the house Banks.
Thanks

I don't think you create payee keys mate, you get that data from your financial institute (bank) and then upload it into your sap system.
so if I were in your position I would talk to the business user who deals with the bank & bank transfers currently in your client-organisation and ask for that info to be provided.
from my previous payroll experience I know the business user for payroll, usually the payroll manager, gets that info for the sap team member and then there should also be a standard upload program to upload all those payee keys into the system.
cheers -
Assigning primary key and index for a table
I have a database consisting of only one table with 10 million rows which mostly looks like this:
RECORDDATE ID CLASS VALUE
24-JAN-12 10.52.47.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 10 156
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 10 156
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 3 0
24-JAN-12 10.52.48.000000 AM 96 6 38
24-JAN-12 10.53.05.000000 AM 253 16 197
24-JAN-12 10.53.06.000000 AM 98 10 150
24-JAN-12 10.53.06.000000 AM 98 0 0
24-JAN-12 10.53.06.000000 AM 98 4 0
24-JAN-12 10.53.06.000000 AM 98 11 33
As you can see there are several entries that look exactly the same. Currently, I don't have primary key or index for any column and have a lot of performance issues. For example this query takes more than 10 seconds to run:
select distinct ID
from scdatabase4
where ID < 253
order by 1
Since database is not my primary job and have no background of it, I'm really confused about what to do to fix my issues. Could someone please help me in assigning primary key and index if you agree that this is the problem?!

Execute the query below to help decide what column to index:
SELECT COLUMN_NAME, NUM_DISTINCT, NUM_NULLS, NUM_BUCKETS, DENSITY
FROM DBA_TAB_COL_STATISTICS
WHERE TABLE_NAME = 'your_table_name'
ORDER BY COLUMN_NAME;
The important columns are:
1) NUM_DISTINCT: Indicates the number of distinct values. If this number is very low for a column, it indicates that this column is not a very good candidate for a B-Tree index.
2) NUM_NULLS: Indicates the number of null values for each column. A column with few null values is a good candidate for an index
But be aware, this is not a rule, it's just a method to help decide which column will have the most benefit of index creation. -
Configuring use of client certificates for jax web services configuring u
Hello dear people,
I have a very simple jax web service under glassfish v.2.1 and I want to secure it using mutual authentication. I could configure using server certificates but I have problems with configuring the server to ask client certificates. The problem is that the clients are not asked to provide a valid client certificate to use the service. The clients can easily use the service without having a certificate.
Can anyone tell me what should I do to have this?
I got the example code from http://java.net/projects/javaeetutorial/downloads and the sample code that I used is in the folder : javaeetutorial5/examples/jaxws/helloservice-clientcert
Best regards,
Arash.

Did you resolve your issue?
I'm posting some comments that maybe can help newer administrators facing similar doubts.
I'm using NW PI 7.1 EHP1 also and some interfaces were developed for using an external site providing web services through SSL (HTTPS) connection.
As in browser navigation, secure sites protected with SSL have a certificate emitted by an international CA. We didn't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded on its certificate store.
With SAP PI and its WAS Java a similar procedure occurs with a small difference. The WAS Java didn't have the trusted CAs loaded on KeyStorage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process) a "handshake" is required to accept the certificate and produces an error.
We complete the handshake by importing the entire certificate chain (you can upload the site's certificate to your browser and export it as file) on KeyStorage under the Trusted CAs view.
Hope this can help someone. It's an "easy" part of SSL communication.
Now I'm trying to configure the inverse: Some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections that is the SAP Web Dispatcher.
The Help.sap.com is the reference but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
Regards,
Rodrigo Aoki -
Change location and plant for Internal Goods/services
Hi all,
I want to change the plant and location information of product/material for SC item selected from Internal goods/services.
I am changing the plant and location - ( partner function 75 ) in doc change badi but it's getting reset to original value.
Even if i see item check the value is getting replaced with original value.
My question is can I change Plant/location for item selected from Internal goods/services. I could succesfully change the value when I selected item from catalog.
Please suggest.
Thanks.

yes I have assigned the plant I mean BE_plant in the specified badi.
But still it's getting overwritten. So I'm guessing is that possible for internal goods/services.