Replacing SSL keys and certificates for already defined services

Similar Messages

• PKCS#11 Provider unable to fetch asymmetric keys and certificates

  Hi,
  I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
  My code snippet and configuration file are:
       Java Code:
       java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
  sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
  System.out.println("Provider Name : " + pkcs11_provider.getName());
  java.security.Security.addProvider(pkcs11_provider);
  KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11_provider);
  ks.load(null, "password".toCharArray());
  java.util.Enumeration obj_enumeration = ks.aliases();
  while (obj_enumeration.hasMoreElements()) {
  String str_certAlias = (String) obj_enumeration.nextElement();
  System.out.println("Alias : " + str_certAlias);
       pkcs11.cfg:
       name = Eracom
       library = G:\Eracom\cryptoki.dll
       slot = 0
       attributes(*, CKO_PRIVATE_KEY, *) = {
       CKA_TOKEN = false
       CKA_SENSITIVE = false
       CKA_EXTRACTABLE = true
       CKA_DECRYPT = true
       CKA_SIGN = true
       CKA_SIGN_RECOVER = true
       CKA_UNWRAP = true
       attributes(*, CKO_PUBLIC_KEY, *) = {
       CKA_ENCRYPT = true
       CKA_VERIFY = true
       CKA_VERIFY_RECOVER = true
       CKA_WRAP = true
  I also ran my program without specifying any attributes in configuration file, also tried many other combination, but in all cases (with or without attributes) only symmetric keys are loaded from HSM. I am able to get all keys (symmteric and asymmteric) and certificates from the same HSM using IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Alladin etc.)
  Any help to resolve my problem would be highly appreciated.
  Thanks in advance.

  I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
  "There are two separate issues - one is that our current pkcs11
  release doesn't support ECDSA signature with SHA-2 hashes
  (the v11.00 firmware adds support for it, but the main release version of
  the pkcs11 library hasn't been updated to take advantage of it yet).
  There is a hotfix version that does support SHA-2 hashes with some
  restrictions, talk to [email protected] for details, and V11.10
  should be out soon and have that merged in.
  But the issue with setting CKA_SIGN is that our underlying HSM API
  allows elliptic curve keys to be either key exchange (ECDH) or
  signature (ECDSA) keys, but not both at one.
  At the PKCS #11 level, if you specify CKA_DERIVE=true and let
  CKA_SIGN default, it will default to false, and vice versa.
  If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
  return CKR_TEMPLATE_INCONSISTENT because we can't do both with
  the same key. (However, the tests using C_GetMechanismInfo will
  show that we can do both mechanisms, because we can - so long
  as you use different keys, even though they have the same PKCS#11
  type.)
  I can't comment on when or how that will be changed."
  I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
  Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
  Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
  Dave

• What is account key and where do i define them?

  hello,
  what is account key and where do i define them? which transaction?
  Thanks

  Hai Shilpa,
  1) You can create Account Keys in OBCN t.code this is used for Tax Procedure purpose
  2) Secnond one is the u can create in FI-SD integration purpose
  You define your account keys in this menu option and allocate them to the condition types in the pricing procedures.With the account keys, you group together similar accounts in financial accounting. Using the account key, the SAP System finds the desired G/L accounts.This way you can allocate a separate account key to each condition type within a pricing procedure to implement detailed revenue account determination.For example, you can allocate a freight condition to a freight revenue account, or a surcharge for packaging costs to a corresponding account for packaging revenues.
  u2022ERF freight revenues
  u2022ERL revenues
  u2022ERS sales deductions
  u2022EVV cash settlement
  u2022MWS sales tax
  SPRO u2192 REF IMG u2192 Sales and Distribution u2192 Basic Functions u2192 Account Assignment/Costing  u2192  Revenue Account Determination  u2192 Define and Assign Account Keys
  Regards
  Madhu I
  Edited by: Madhu I on Apr 14, 2009 4:25 PM

• How to handle form close event or escape key press event for user defined f

  Experts,
  Please let me know how to handle form close event or escape key press event for user defined form...
  Thanks & Regards,
  Pravin.

  Hi
  You can catch the form close event like this
  If ((pVal.FormType = 139 And (pVal.EventType = SAPbouiCOM.BoEventTypes.et_FORM_CLOSE)) And (pVal.Before_Action = True)) Then
        Try
                 SBO_Application.SetStatusBarMessage(pVal.EventType.ToString())
        Catch ex As Exception
                  SBO_Application.SetStatusBarMessage(ex.Message)
          End Try
        End If
  Hope this helps
  Regards
  Arun

• Enabling Key and text for the Variable Selection screen

  I need to display key and text for a characteristic when selecting the drop down menu in the variable selection screen of a web report. In the Business Explorer tab within the info-object, I changed the General Settings to display Key and text, but when I open the drop down menu for this characteristic, it is still displaying the key only. Is there some other place where this change needs to happen?

  Hi,
  Did you try to log out and log in again into BEx?
  Best regards,
  Eugene
  Message was edited by: Eugene Khusainov

• Key and text for variable

  Dear ALL,
  I m having one variable for that i need key and text in bex analyzer.
  how to enable the key and text for a variable.
  pls asap
  regards,
  Jenish

  Hi jenish kumar ,
  if i under stan your requirement correctly,  need to have both text and key values for variables with F4 help.
  you need to chnage the properties of that infoobject at infoobjects level or at infoprovider level,
  this is at infoprovider level
  in RSA1-> go to change mode of infoprovider (Multiprovider/ cube) on which Query is build) then Expand  Charecteristc Dimension -> select infoobject -> right -> select provider-specific properties -> select Display '0 Key and Text' . Activate infoprovider and Run Query and check the Selection screen.
  hope this helps
  Regards
  Daya Sagar

• JSSE: keys and certificates

  1)What exactly is the difference between a key and a certificate?
  2)Can both be used by JSSE?
  3)How can I obtain a key?
  4)A private and a public key? are it two separate files or what is it?

  The first (and until so far only time) that I used SSL was with a webapplication, running on tomcat on SSL. Then I was told to generate a keystore with the keytool command and that was all and everything worked fine. You would have had to import a certificate from the server to the client's truststore. If you worked at the server end you would have had to generate a key and either a self-signed cert or the whole CSR, get it signed, re-import sequence. This is a bit more than just 'generate a keystore with the keytool command'.
  if you never heard about the keytoolAre you kidding me?
  1)So this keystore was then a self-signed-certificate or even not a certificate at all???keytool -genkey generates a private/public key pair. keytool -selfcert generates a self-signed certificate for that keypair. Nobody in the world will trust that certificate unless you export it from this keystore and import it into their truststore. By contrast, if you generate a CSR, get it signed by a well-known CA, and import the signed cert into the same keystore the CSR came from, everybody will trust that cert, because they already trust the CA. BTW these things aren't they keystore, they are in the keystore.
  2)The keystore contains thus a private and public key, which ensure integrity and confidentiality.... but NOT client and server autentication?The public/private key system can give you integrity and confidentiality. The X.509 certificate system can be used for authentication. They are different things.

• SSL Offloading and Certificate Errors

  I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer.  I then followed SSL Offloading TechNet instructions here:
  http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate
  errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
  My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
  Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
  Or am I completely misunderstanding how this works and need to do something different entirely?
  Thanks in advance for any guidance.

  As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.) 
  Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell.  See for example output of Get-OutlookAnywhere:
  RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
  ServerName                         : TSTEXCG2013
  SSLOffloading                      : True
  ExternalHostname                   : tstowa.XXXX.com
  InternalHostname                   : tstowa.XXXX.com
  ExternalClientAuthenticationMethod : Ntlm
  InternalClientAuthenticationMethod : Ntlm
  IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
  XropUrl                            :
  ExternalClientsRequireSsl          : True
  InternalClientsRequireSsl          : True
  MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
  Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
  ExtendedProtectionTokenChecking    : None
  ExtendedProtectionFlags            : {}
  ExtendedProtectionSPNList          : {}
  AdminDisplayVersion                : Version 15.0 (Build 847.32)
  Server                             : TSTEXCG2013
  AdminDisplayName                   :
  ExchangeVersion                    : 0.20 (15.0.0.0)
  Name                               : Rpc (Default Web Site)
  DistinguishedName                  : CN=Rpc (Default Web
                                       Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange
  Administrative
                                       Group (FYDIBOHF23SPDLT),CN=Administrative
  Groups,CN=XXX XXXX,CN=Microsoft
                                       Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
  Identity                           : TSTEXCG2013\Rpc (Default Web Site)
  Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
  ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
  ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
  WhenChanged                        : 7/10/2014 7:38:58 PM
  WhenCreated                        : 6/23/2014 2:54:36 PM
  WhenChangedUTC                     : 7/11/2014 12:38:58 AM
  WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
  OrganizationId                     :
  OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
  IsValid                            : True
  ObjectState                        : Changed

• WD for Java: How to I retrieve key and value for DropDownbyKey selection

  Dear All
  I thought this was going to be straightfoward and am obviously missing something.
  I have created a simple modifiable value set to create a dropdown list to select a country:
    public void GetCountryDropDownValues( )
      //@@begin GetCountryDropDownValues()
      Y_Tf_Npf_Get_Countries_Input countriesInput = new Y_Tf_Npf_Get_Countries_Input();
      wdContext.nodeY_Tf_Npf_Get_Countries_Input().bind(countriesInput);
      try {
            countriesInput.execute();
            wdContext.nodeY_Tf_Npf_Get_Countries_Input().nodeOutput_countries().invalidate();
       } catch (WDRFCException ex) {
            // TODO: handle exception
      IPrivateNonPersonalisedLearnAdminReq.IContextElement elem = wdContext.currentContextElement();
       String strObjElem0 = elem.COUNTRY;
       IWDAttributeInfo i_ObjType0 = wdContext.getNodeInfo().getAttribute(strObjElem0);
       ISimpleTypeModifiable w_ObjType0 = i_ObjType0.getModifiableSimpleType();
                 IModifiableSimpleValueSet s_ObjType0 = w_ObjType0.getSVServices().getModifiableSimpleValueSet();
                 s_ObjType0.clear();
       for(int i=0;i<wdContext.nodeEt_Countries().size();i++)
                    IPublicNonPersonalisedLearnAdminReq.IEt_CountriesElement elemOrg = wdContext.nodeEt_Countries().getEt_CountriesElementAt(i);
                      s_ObjType0.put(elemOrg.getLand1(),elemOrg.getLandx50());
      //@@end
  This is bound to a new context element attribute:
  Country of type string
  When value is selected from dropdown, it is stored in string
  What I want to be able to do is to retrieve the text as well as the key from the selected object.
  At the moment I can only return the key.
  i.e.  wdContext.currentContextElement().getCountry();
  Any pointers will be greatfully received and maximum points awarded to the first complete
  answer that works for me.
  Many thanks in advance
  Mike

  Hi,
  You can use the following code.
  ISimpleValueSet valueset = attInfo.getModifiableSimpleType().getSVServices().getValues();
  if(valueset.containsKey(key)){           // Give your key here, which you already know to retrieve
  String value = valueset.getText(key);             // Here you will get the value
  Hope it helps.
  Regards,
  Manoj

• How to get Key and text for plant for which variable is created

  Hi All
  I have created one variable for Plant. User is going to give input for the plant for  execution of query.I am displaying the variable value which is user putting in the query. kindly let me know how to display key and text both for the query.as key is displaying presently.
  Regards
  Atul

  hi Atul kumar jais
  You have to create a text variable using replacement path for processing type and give the reference object which is the object which you created variable for, "replace with" one with key and anther one with text. Then you can display that in the header of the column or if you are using custom template, you can use webitem for it.
  thanks.
  Wond

• NLB Unicast and certificate for the machine

  Hello,
  I have set up a two node nlb cluster, in unicast.
  On the other hand, I have a GPO with which every computer in the network gets a
  certificate from the CA, through auto enrollment.
  I am new to NLB , but from what I gather, the CA machine won't be able to issue any certificate to any of the two NLB nodes, because the virtual ip replaces to the actual ips's of the two machines ?. I am a bit confused.
  Thanks in advance !!
  Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

  It's the Mac addresses that are (sort of) replaced, not the IP addresses. The two nodes of an NLB cluster can make outbound connections to a CA and other machines, and using the nodes' individual IP addresses each of them can still be contacted from other
  machine (in addition to using the cluster IP address).
  The only thing that does not work is: With unicast the nodes cannot communicate with each other over the network that has the shared IP address but you could use an additional NIC if you need inter-node communication.
  With multicast on the other hand there is a chance you run into
  this issue described here for CISCO routers (just have observed this myself); this article also gives an overview on how NLB works at the Mac address level.
  Re CA and certificates: Note that autoenrolled certificates will contain the nodes' individual names retrieved from AD. If you need a certificate that includes the cluster name you have to issue this certificate manually.
  Elke

• Creation of Account payee keys and Table for House Bank

  Hi Gurus,
  Please tell me how to create a Account payee keys what is transaction code for this.And let me know that what is table to check the house Banks.
  Thanks

  I dont think you create payee keys mate, you get that data from your financial institute(bank) and then upload it into your sap system.
  so if I were in your position I would talk to the business user who deals with the bank & bank transfers currently in your client-organisation and ask for that info to be provided.
  from my previous payroll expreience I know the business user for payroll, usually the payroll manager, gets that info for the sap team member and then there should also be a standard upload program to upload all those payee keys into the system.
  cheers

• Assigning primary key and index for a table

  I have a database consisting of only one table with 10 million rows which mostly looks like this:
  RECORDDATE                     ID     CLASS     VALUE
  24-JAN-12 10.52.47.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     10     156
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     10     156
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     3     0
  24-JAN-12 10.52.48.000000 AM     96     6     38
  24-JAN-12 10.53.05.000000 AM     253     16     197
  24-JAN-12 10.53.06.000000 AM     98     10     150
  24-JAN-12 10.53.06.000000 AM     98     0     0
  24-JAN-12 10.53.06.000000 AM     98     4     0
  24-JAN-12 10.53.06.000000 AM     98     11     33As you can see there are several entries that look exactly the same. Currently, I don't have primary key or index for any column and have a lot of performance issues. For example this query takes more than 10 seconds to run:
  select distinct      ID
  from      scdatabase4
  where ID < 253
  order by 1Since database is not my primary job and have no background of it, I'm really confused about what to do to fix my issues. Could someone please help me in assigning primary key and index if you agree that this is the problem?!

  Execute the query below to help decide what column to index:
  SELECT COLUMN_NAME, NUM_DISTINCT, NUM_NULLS, NUM_BUCKETS, DENSITY
  FROM DBA_TAB_COL_STATISTICS
  WHERE TABLE_NAME = 'your_table_name'
  ORDER BY COLUMN_NAME;
  The important columns are:
  1) NUM_DISTINCTS: Indicates the number of distinct values. If this number is very low for a column, it indicates that this column is not a very good candidate for a B-Tree index.
  2) NUM_NULL: Indicates the number of null values for each column. A column with few null values is a good candidate for a index
  But be aware, this is not a rule, it's just a method to help decide which column will have the most benefit of index creation.

• Configuring use of clinet certificates for jax web services  configuring u

  Hello dear people,
  I have a very simple jax web service under glassfish v.2.1 and I want to secure it using mutual authentication. I could configure using server certificates but I have problems with configuring the server to ask client certificates. The problem is that the clients are not asked to provide a valid client certificate to use the service. The clients can easily use the service without having a certificate.
  Can anyone tell me what should I do to have this?
  I got the example code from http://java.net/projects/javaeetutorial/downloads and the sample code that I used is in the folder : javaeetutorial5/examples/jaxws/helloservice-clientcert
  Best regards,
  Arash.

  Did you resolve your issue?
  I´m posting some comments that maybe can help newer administrators facing similar doubts.
  I´m using NW PI 7.1 EHP1 also and some interfaces were developed for using an external site providing web services through SSL (HTTPS) connection.
  As in browser navigation, secure sites protected with SSL has a certificate emited by a international CA. We didn´t perceive the "handshake" in the most of cases because normally the web browser has a group of trusted CAs loaded on its certificate store.
  With SAP PI and its WAS Java a similar procedure occurs with a small difference. The WAS Java didn´t have the trusted CAs loaded on KeyStorage. So, when the adapter tries to establishing a connection with an HTTPS site (it is a background process)  a "handshake" is required to accepting the certificate and produces a error.
  We completes the handshake importing the entire certificate chain (you can upload the site´s certificate to your browser and export it as file) on Keytore under the Trusted CAs view.
  Hope this can help someone. It´s an "easy" part of SSL communication.
  Now I´m trying to configure the inverse: Some third party consuming the PI web services using SSL. I have an additional component on inbound/ incoming connections that is the SAP Web Dispatcher.
  The Help.sap.com is the reference but as always its a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
  Regards,
  Rodrigo Aoki

• Change location and plant for Internal Goods/services

  Hi all,
  I want to change the plant and location information of product/material for SC item selected from Internal goods/services.
  I am changing the plant and location -  ( partner function 75 ) in  doc change badi but its getting reset to originial value .
  Even if i see item check the value is getting replaced with original value.
  My question is can I change Plant/location for item selected from Internal goods/services. I could succesfully change the value when I selected item from catalog.
  Please suggest.
  Thanks.

  yes I have assignned the plant i mean BE_plant in the specified badi.
  But still its getting overwritten. So im guessing is that possible for internal goods/services.