Security domain with mandated DAP privilege

Can I delete a security domain having mandated DAP privilege as per GlobalPlatform?

Hi,
I have the same problem. I created a SSD with mandated DAP, now I can not delete it. I have a JCOP card and the following so far:
Card Manager AID   :  A0000001510000
Card Manager state :  OP_READY
    Sec. Domain:PERSONALIZED (SVE----M) A000000004000001
    Sec. Domain:PERSONALIZED  (SV-----M) A000000004000002
    Load File  :                    LOADED (--------) A0000000035350   (Security Domain)
     Module    :                                             A0000001510000
     Module    :                                             A000000003535041
     Module    :                                             A0000000030000
As you can see both A000000004000001 and A000000004000002 have mandated DAP privilege. Now I can not delete them.
cm>  delete A000000004000001
=> 80 E4 00 00 0A 4F 08 A0 00 00 00 04 00 00 01 00    .....O..........
(195345 usec)
<= 69 85                                              i.
Status: Conditions of use not satisfied
jcshell: Error code: 6985 (Conditions of use not satisfied)
Sadly I can not Load to them either. First I created the SSD with A000000004000001. Then I tried to LOAD a CAP with the appropriate load token and DAP(A000000004000001). It failed with 6985.
After that I instantiated a second SSD (because I realized that I can not delete the first one). I tried to LOAD a CAP with the necessary DAP(A000000004000002) but it failed with 6985 as well. Now I'm stuck.
Please tell me if there is any way to get rid of these SSDs. And besides what am I missing with the LOAD? Mandated DAP only means that if I try to load a CAP into a Security Domain with mDAP the CAP file has to have an appropriate DAP block, right? DAP meant if it exists it will be checked but if there is no DAP provided it will pass.
Many Thanks!
-András

Similar Messages

  • How to implement Security Domains with Delegated Management

    Hello,
    I have read the GlobalPlatform docs and 'scoured' the Internet for some useful advice on how to implement DM with Java Card.
    The GlobalPlatform docs say that "The interface between a SD and the Card Manager is not defined by Open Platform" and that "It is assumed that a SD cannot be developed in the same manner as a normal app". How then is someone supposed to be able to implement a system that includes Java Card applets and post-issuance uploading of applets using DM?
    I have purchased the Aspects Developer IDE with DM supported Java Card smart cards but am at a loss of how to actually implement the SD applets with DM... I know this technology is not supposed to be easy, but it should be possible to research and find the information that is required to learn it.
    Can anyone point me in the direction of somewhere that will provide me with some direction?
    Thanks in advance,
    Ann

    Hi Kavitha,
    check this link http://andrejusb.blogspot.in/2011/04/housekeeping-for-adf-security-test-all.html
    http://www.orastudy.com/oradoc/selfstu/fusion/web.1111/b31974/adding_security.htm
    Edited by: MaDi on Jun 11, 2012 3:46 PM

  • Security Domain privileges

    I'm trying to install a security domain using the JCOP simulator with Token Management privileges.
    I've installed the security domain with the available privileges by the INSTALL [for install] command provided by JCOP shell:
    cm>  install -s -e -b -m -q C90145 -i A000000151535041 A0000001515350 A000000151535041
    => 80 E6 0C 00 21 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 01
        E1 03 C9 01 45 00 00
    (12088 usec)
    <= 00 90 00         
    Status: No Error
    then tried to update the privileges using INSTALL [for registry update] command:
    cm>  send 80E6400011000008A00000015153504103E12000000000
    => 80 E6 40 00 11 00 00 08 A0 00 00 01 51 53 50 41
        03 E1 20 00 00 00 00
    (5642 usec)
    <= 6A 80              
    Status: Wrong data
    Also, I tried to set the privilege bytes while installing the Security domain but failed too
    cm>  send 80E60C002307A000000151535008A00000015153504108A00000015153504103E1200003C901450000
    => 80 E6 0C 00 23 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 03 
        E1 20 00 03 C9 01 45 00 00
    (7888 usec)
    <= 6A 80             
    Status: Wrong data
    Can anyone help?
    Thanks in advance,
    Khadrawy

    Hi,
    It seems, you are trying to Install Security Domain with Delegated Management Privilege (Privilege Byte 1 - 0xE1) and Token Verification Privilege(Privilege Byte 2 - 0x20).
    According to GP Specification 2.2.1, Token Verification and Receipt generation privilege can not be assigned to Security Domain with Delegated Management privilege.
    Token Verification and Receipt generation privilege may be assigned to security domain with Authorized Management privilege.
    Hope this helps you.
    regards,
    Karthik
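
Added example (not part of the original thread or of the JCOP tools): a Python decoder for the INSTALL command data in the three APDUs quoted above. It names the privilege bits, including the Mandated DAP bit discussed in the first post, and flags the Delegated Management / Token Verification combination that the reply describes. Bit names follow the GlobalPlatform Card Specification 2.2 privilege coding; the function names are hypothetical, and the conflict rule is encoded exactly as the reply states it.

```python
# Added example: decode GlobalPlatform INSTALL (INS E6) command data.
# Function and constant names are hypothetical, not from JCOP or a GP library.

# Privilege bit names per GlobalPlatform Card Specification 2.2 coding.
PRIVILEGES = [
    # privilege byte 1
    [(0x80, "Security Domain"), (0x40, "DAP Verification"),
     (0x20, "Delegated Management"), (0x10, "Card Lock"),
     (0x08, "Card Terminate"), (0x04, "Card Reset"),
     (0x02, "CVM Management"), (0x01, "Mandated DAP Verification")],
    # privilege byte 2
    [(0x80, "Trusted Path"), (0x40, "Authorized Management"),
     (0x20, "Token Verification"), (0x10, "Global Delete"),
     (0x08, "Global Lock"), (0x04, "Global Registry"),
     (0x02, "Final Application"), (0x01, "Global Service")],
    # privilege byte 3
    [(0x80, "Receipt Generation"), (0x40, "Ciphered Load File Data Block"),
     (0x20, "Contactless Activation"), (0x10, "Contactless Self-Activation")],
]

# P1 values whose data field uses the six-field layout parsed below.
P1_NAMES = {0x04: "for install", 0x08: "for make selectable",
            0x0C: "for install and make selectable",
            0x40: "for registry update"}

FIELDS = ("load_file_aid", "module_aid", "application_aid",
          "privileges", "install_parameters", "install_token")


def parse_install(apdu_hex):
    """Split an INSTALL APDU into its length-prefixed data fields."""
    apdu = bytes.fromhex("".join(apdu_hex.split()))
    if len(apdu) < 5 or apdu[1] != 0xE6:
        raise ValueError("not an INSTALL command")
    p1, lc = apdu[2], apdu[4]
    if p1 not in P1_NAMES:
        raise ValueError("unsupported P1 %02X" % p1)
    if len(apdu) not in (5 + lc, 6 + lc):       # optional trailing Le byte
        raise ValueError("Lc does not match APDU length")
    data, pos, fields = apdu[5:5 + lc], 0, {}
    for name in FIELDS:
        if pos >= len(data):
            raise ValueError("data ends before field " + name)
        length = data[pos]
        value = data[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("field %s overruns Lc" % name)
        fields[name] = value
        pos += 1 + length
    if pos != len(data):
        raise ValueError("unexpected bytes after install token")
    return P1_NAMES[p1], fields


def decode_privileges(priv):
    """Return the names of all privilege bits set in a 1- or 3-byte field."""
    if len(priv) not in (1, 3):
        raise ValueError("privileges field must be 1 or 3 bytes")
    return [name for byte, table in zip(priv, PRIVILEGES)
            for mask, name in table if byte & mask]


def conflicts(names):
    """Rule as stated in the reply above (attributed there to GP 2.2.1)."""
    if "Delegated Management" not in names:
        return []
    return [n + " combined with Delegated Management"
            for n in ("Token Verification", "Receipt Generation")
            if n in names]


# The three commands from the thread, copied from the JCShell trace.
INSTALL_1BYTE = """80 E6 0C 00 21 07 A0 00 00 01 51 53 50 08 A0 00
    00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 01
    E1 03 C9 01 45 00 00"""
REGISTRY_UPDATE = """80 E6 40 00 11 00 00 08 A0 00 00 01 51 53 50 41
    03 E1 20 00 00 00 00"""
INSTALL_3BYTE = """80 E6 0C 00 23 07 A0 00 00 01 51 53 50 08 A0 00
    00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 03
    E1 20 00 03 C9 01 45 00 00"""


def report(apdu_hex):
    """Summarise one INSTALL command: kind, target AID, privileges, conflicts."""
    kind, fields = parse_install(apdu_hex)
    names = decode_privileges(fields["privileges"])
    return {"kind": kind,
            "aid": fields["application_aid"].hex().upper(),
            "privileges": names,
            "conflicts": conflicts(names)}


if __name__ == "__main__":
    for apdu in (INSTALL_1BYTE, REGISTRY_UPDATE, INSTALL_3BYTE):
        print(report(apdu))
```

The first command (privilege byte E1 only) decodes without a conflict, which matches the `90 00` it received; the two commands that add byte 2 = 20 are the ones the simulator rejected with `6A 80`.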

  • Applet's associated security domain

    Hi All.
    I have the mobile device with embedded secure element:
    Global Platform version : 2.1.1
    Global Platform Secure Channel Protocol: 02 option 15
    Java Card version : 2.2
    There is the content of it:
    Card Manager AID : A000000003000000
    Card Manager state : SECURED
    Application: SELECTABLE (--------) "2PAY.SYS.DDF01"
    Application: SELECTABLE (--------) A0000000041010
    Application: SELECTABLE (--------) A0000000041010BB5449435301
    Sec. Domain:PERSONALIZED (S-------) A00000000353504101
    Load File : LOADED (--------) A0000000035350 (Security Domain)
    Module : A000000003535041
    Load File : LOADED (--------) 4D66344D0002
    Module : A0000003964D66344D0002
    Load File : LOADED (--------) "2PAY."
    Module : "2PAY.SYS.DDF01"
    Load File : LOADED (--------) A000000004
    Module : A00000000410100001
    Module : A0000000041010
    Applet with AID A0000000041010BB5449435301 has been extradited to supplementary security domain with AID A00000000353504101.
    Other applets belong to the ISD.
    Is there any possibility to discover these relations?
    GP GET STATUS command does not have such options in GP Card Spec v2.1.1.
    In v2.2.1 I found optional tag CC (Associated Security Domain's AID) in GET STATUS command description and tag 2F00 (List of Applications belonging to the Security Domain) in GET DATA description.
    But I need to get this info from card 2.1.1.
    Thanks in advance.
    Vasiliy.
    Edited by: 1010453 on Jun 7, 2013 7:00 PM

    I have the same problem in GP2.1.1.
    I think if Applet A is associated with SD A, then when I select the ISD, I cannot delete Applet A. But I'm wrong. JCOP also deleted it.

  • How to install an applet on a Security Domain

    Dear all,
    I have installed a new SD on my card but I can't install my applet on it! I don't know what the problem is and I haven't found any related reference! I was wondering whether maybe I am doing something wrong with my SD and applet installation; here is what I have done:
    1. Select ISD
    2. Authenticate with ISD keys
    3. Install a new instance of ISD with Security Domain privilege
    4. Select new SD
    5. Authenticate with default keys
    6. Put key command
    7. Authenticate with new keys
    8. Install for load my applet ----> (6A86) failed!
    Thanks for your help!

    That means associating an application (applet instance) with another security domain than the ISD.
    An SSD is basically a keystore application, even if its AID can be selected to open a secure channel with the keys it contains.
    The main use is to make GPSystem.getSecureChannel() refer to the other (SSD) keys. This way, a card owner can install an applet and delegate secure channel services to the SSD, using dedicated keys.
    You can also open a secure channel with the SSD (using its own keys) and use INSTALL FOR PERSONALIZATION / STORE DATA.
    This way you don't have to give the ISD keys to an applet provider for him to be able to personalize its own applet.
    The owner of the ISD keys manages the card contents (install for install / delete) and the applet provider manages the personalization.
    Note that normal SSDs are able to manage channels, but generally are not allowed to load/install/delete applets.
    DAP requires the applet owner to sign its CAP file and to verify the signature on the card. The card manager loads the CAP; the signature ensures the CAP file provided by the applet provider was not tampered with.
    With DM, the applet provider runs the card management commands, but the card requires these commands to be signed by the card manager. The card manager can choose which commands are allowed.

  • Who shall create a specific Security Domain compliant to GP 2.1?

    Particularly, in case of the delegated management, the GP card specification 2.1.1 describes as follows:
    "Security Domains authorized by the Card Issuer to perform Card Content changes shall request the OPEN to load, install, extradite, and delete applications."
    I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    My questions are:
    1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    I am grateful to you for a kind assistance.

    > I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    Typically and due to the fact that the GP specification is missing the API that would allow a Security Domain to be loaded on the card, Security Domains are developed by the card vendor and present on the card at production. The vendor can decide which features are implemented in the Security Domain e.g. Secure Channel services, DAP Verification, Delegated Management. If, as an Application Provider, you wish to develop your own Security Domain, your vendor may be willing to provide you with details of their proprietary API but this would be specific to this vendor's product.
    > My questions are:
    > 1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    Yes.
    > 2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    No.
    > I am grateful to you for a kind assistance.

  • Security Domain

    Hello, I'm a newbie to Java Card and have loads of questions, but I'll start with the Security Domain. Could the experts please help me on this topic?? Main question :
    1) What is a Security Domain?? GP spec. says it is an application.
    2) If it is an application, is it implemented in Java???
    3) Are the methods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
    3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
    Any pseudo code for implementing a SD would be highly appreciated. Thanks.

    > 1) What is a Security Domain?? GP spec. says it is an application.
    correct. it's an app with special privileges, such as interaction with the OS.
    > 2) If it is an application, is it implemented in Java???
    no, or maybe some parts only.
    > 3) Are the methods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
    no, called within the applet using native tricks to use the sec dom keys, this is unspecified and vendor dependent.
    > 3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
    google
    > Any pseudo code for implementing a SD would be highly appreciated. Thanks.
    my turn:
    1) why would you want to implement a SD?
    2) good luck. no. wake up instead, and lurk moar about GlobalPlatform, young padawan. if you want to play with security domains, you'd better work within a company that builds javacard/GP OSes.
    regards

  • How to create a Supplementary security domain

    Hi all, I am new to Java Card. I want to create a Supplementary security domain, but I have no idea.
    Is it that I need to create an applet that implements SecureChannel, then install the applet with the privileges 0x80 (security domain)?
    Is it right? Any suggestions? It would be really helpful.

    I've seen this if the database is down or in a funky state. Try shutting down BPEL, and restart the database, then bring BPEL back up. If you're using Oracle Lite just use the "Stop SOA Suite" GUI from the Start Menu.

  • Provider Security Domain applet on JCOP

    hi, All
    I use the Eclipse plugin JCOP 3.0 tools and try to install my own Security Domain applet to OP.
    Does the JCOP card simulator support the Provider Security Domain?
    If not, which JCOP real card can I use to upload & install my Security Domain?
    Thanks in advance!
    Andy Hua.

    MatiGdoc wrote:
    > Hi,
    > I'm newbie in JCOP programming, so I need help from "masters" ...
    > Im using JCOP 10 v2.2 GP2.1.1 compliant with SCP02 support. I can compute successfully all necessary session keys / cryptograms needed by initialize update / external authenticate commands.
    > Original JCOP tools uses in external authenticate security mode "NO_SECURITY_LEVEL" - 84 82 00 00, so the load command contains plain Header, Directory, Import etc .cap files.
    > But I want to load .cap in more secure way, using C_DECRYPTION mode. So, my questions are:
    > - Is C_MAC mode mandatory with C_DECRYPTION ? In other way, can I use p1=0x02 instead of 0x03 in External Authenticate command ?
    C_DECRYPTION also mandates C_MAC. You can use for P1: 00, 01 and 03.
    > - Which key must be used for Datafield encryption ? I suppose S_ENC key generated for secure channel, right ?
    Correct.
    > - should datafield for Install_for_load command (80 E6 02) also be crypted with S_ENC ?
    Yes. Starting with C_MAC your class byte needs to be 84 though.
    > - should the datafield also be padded before calculating the C_MAC ?
    You pad for C_MAC as first step, and then pad the data field as a second step, excluding C_MAC. Check out GP 2.1.1 card spec, figure E-6.

  • How do I create an Integration Domain with 3 servers ?

    Hi,
    I would like to create a WLI domain with three servers:
    - One for the administration console;
    - One for WLI;
    - And the last to deploy EJB Session (which are the service called by WLI)
    To create the domain, I use the WLI 8.1 SP4 Configuration Wizard.
    After creating the domain with 3 services, I have not succeeded to start the WLI Server.
    For another test, I would like to create a WLI domain with two servers:
    - One for the administration console and WLI;
    - And the last to deploy EJB Session
    To create the main server, I have used the configuration wizard. For the other, I have used the console administration. With this configuration, the message broker was not initialised.
    For the last test, I have created a domain with single server and I had no errors.
    So, my question is: What is the method to create a domain with three servers?
    Thanks for your help
    Case 1: Test to define 3 servers
    <4 nov. 2005 14 h 45 CET> <Notice> <WebLogicServer> <BEA-000328> <Starting WebLogic Managed Server "etsoWLI" for domain "complexDomain">
    The WebLogic Server did not start up properly.
    weblogic.management.AbortDeploymentException: weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
    [com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]
    Reason: [Deployer:149601]The deployment framework was unable to resume accepting requests.weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
    [com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]
    <4 nov. 2005 14 h 45 CET> <Emergency> <WebLogicServer> <BEA-000342> <Unable to initialize the server: [Deployer:149601]The deployment framework was unable to resume accepting requests.weblogic.t3.srvr.FatalStartupException: Can't start server due to startup class failure WLI Startup Class - with nested exception:
    [com.bea.wli.management.BPMComponentInitializationException: Failed to initialize ProcessConfiguration module]>
    Case 2: Test to define 2 servers
    <4 nov. 2005 15 h 03 CET> <Error> <WLI-Core> <BEA-484037> <Process Tracking failed to initialize properly. Tracking data cannot be recorded for process type "/MailProcess/processes/process02.jpd".>
    <4 nov. 2005 15 h 03 CET> <Error> <WLI-Core> <BEA-481000> <The Message Broker is not initialized>
    <4 nov. 2005 15 h 03 CET> <Error> <WLW> <000000> <Failed to register subscriptions for JPD /MailProcess/processes/process02.jpd
    java.lang.RuntimeException: The Message Broker is not initialized
    >
    javax.management.InstanceNotFoundException: lastEtsoDomain:Location=etsoMain,Name=MsgBroker,Type=MsgBrokerRuntime (admin server:true)

    To use 3 managed servers with WebLogic, I must use a cluster environment.
    WebLogic says: "WebLogic Integration domain that includes an administrative server and one or more managed servers must include a cluster. A WebLogic Integration domain that includes an administrative server and one or more managed servers without a cluster is an unsupported configuration."
    Fred

  • In RSA Authentication Manager 7.1, how create multiple security domains

    Hi,
    RSA Authentication Manager 7.1 is configured with LDAP (Sun Java System Directory Server); how do I create multiple security domains in 7.1, and are these security domains related to LDAP?
    Thanks

    I think what you need to do is create an identity sequence with RSA as the selection in
    Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

  • How can I create a new Security Domain ?

    Hi everyone,
    I would like to know how I can create a Security Domain other than the ISD (if my card supports multiple SDs and delegated management).
    I read GlobalPlatform v2.1.1, but I don't know how I can create a new SD practically (how can I write its code, how can I install it and how can I associate an applet to it, ...).
    If there is any document or link that can help me, please inform me.
    I'd appreciate it if anyone could explain it to me step by step.
    Yours sincerely,
    Orchid.

    You're right, it is not visible looking at your script, but at the APDU log. /card is an internal JCShell script to do the following:
    cm>  /card
    resetCard with timeout: 0 (ms)
    First the card is reset. This is analogous with /atr
    --Waiting for card...
    ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
        32 33 31 97                                        231.
    ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
    Then an /identify command is issued.
    => 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF          .........gA0..
    (163429 nsec)
    <= 09 01 01 29 00 00 00 00 50 48 36 35 30 41 00 00    ...)....PH650A..
        6A 82                                              j.
    Status: File not found
    Now the Issuer Security Domain (ISD) is selected. You can do the same sending the JCShell 'select' command.
    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00             .............
    (650082 nsec)
    <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65    oe...........Y.e
        01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A    ...n.@Qp.).sJ..*
        86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B    .H..k.`...*.H..k
        02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64    ....c...*.H..k.d
        0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09    ...*.H..k...e...
        2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01    +...Hd...f...+..
        04 01 2A 02 6E 01 02 90 00                         ..*.n....
    Status: No Error
    The answer is the File Control Information (FCI) returned by the ISD. The format is also described in GP.
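
Added example (not from the original reply or from JCShell): a Python BER-TLV parser run over the SELECT response quoted above, pulling the ISD AID, the GlobalPlatform version and the Secure Channel Protocol out of the Card Recognition Data (tag 73). Helper names are hypothetical; tag and OID meanings are taken from the GlobalPlatform Card Specification.

```python
# Added example: parse the SELECT ISD response (FCI) quoted in the reply above.
# Helper names are hypothetical, not part of JCShell or any GP library.

GP_OID = [1, 2, 840, 114283]          # GlobalPlatform object identifier arc

# Response bytes copied from the JCShell trace, including the status word.
SELECT_ISD_RESPONSE = """
6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65
01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A
86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B
02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64
0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09
2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01
04 01 2A 02 6E 01 02 90 00
"""


def parse_tlv(data):
    """Parse BER-TLV bytes into [(tag, value)]; constructed values recurse."""
    items, pos = [], 0
    while pos < len(data):
        first = tag = data[pos]
        pos += 1
        if first & 0x1F == 0x1F:                 # multi-byte tag, e.g. 9F65
            while True:
                if pos >= len(data):
                    raise ValueError("truncated tag")
                byte = data[pos]
                pos += 1
                tag = (tag << 8) | byte
                if not byte & 0x80:
                    break
        if pos >= len(data):
            raise ValueError("missing length")
        length = data[pos]
        pos += 1
        if length & 0x80:                        # long form: 81 xx or 82 xx xx
            count = length & 0x7F
            if count not in (1, 2) or pos + count > len(data):
                raise ValueError("unsupported length encoding")
            length = int.from_bytes(data[pos:pos + count], "big")
            pos += count
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("value runs past end of buffer")
        pos += length
        items.append((tag, parse_tlv(value) if first & 0x20 else value))
    return items


def child(items, tag):
    """First value with the given tag at this nesting level, or None."""
    for item_tag, value in items or []:
        if item_tag == tag:
            return value
    return None


def decode_oid(value):
    """Decode the content bytes of an ASN.1 OBJECT IDENTIFIER into arcs."""
    arcs = [min(value[0] // 40, 2)]
    arcs.append(value[0] - 40 * arcs[0])
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return arcs


def oid_under(items, tag):
    """OID (tag 06) wrapped in the given application tag, or [] if absent."""
    oid = child(child(items, tag), 0x06)
    return decode_oid(oid) if oid else []


def describe_fci(response_hex):
    raw = bytes.fromhex("".join(response_hex.split()))
    if len(raw) < 2 or raw[-2:] != b"\x90\x00":
        raise ValueError("response does not end with status word 9000")
    fci = child(parse_tlv(raw[:-2]), 0x6F)       # FCI template
    if fci is None:
        raise ValueError("no FCI template (tag 6F)")
    prop = child(fci, 0xA5) or []                # proprietary data
    crd = child(prop, 0x73) or []                # Card Recognition Data
    aid, max_len = child(fci, 0x84), child(prop, 0x9F65)
    version, scp = oid_under(crd, 0x60), oid_under(crd, 0x64)
    has_scp = scp[:5] == GP_OID + [4] and len(scp) == 7
    return {
        "isd_aid": aid.hex().upper() if aid else None,
        "max_command_data": int.from_bytes(max_len, "big") if max_len else None,
        "gp_version": ".".join(map(str, version[5:]))
                      if version[:5] == GP_OID + [2] else None,
        "scp": "%02X" % scp[5] if has_scp else None,
        "scp_option": "%02X" % scp[6] if has_scp else None,
    }


if __name__ == "__main__":
    print(describe_fci(SELECT_ISD_RESPONSE))
```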

  • Safari cannot create secure connection with certain websites

    I have OS X 10.10 with every available update, and Safari's currently unable to 'establish secure connection' with some sites I'm trying to connect to, the most disturbing being the whole Steam network (store/support.steampowered.com, steamcommunity.com, etc). IE (via Bootcamp), Chrome (both standalone and integrated into Steam client) and Firefox have no problem doing so.
    Considering sometime before the in Steam browser indicated the site as insecure (a red lock icon with a cross, typically used to indicate bad cert) for a short time, and hearing of certs issued to gov agencies for man in the middle, I compared the cert for store.steampowered.com/login (which, in contrary to most content on that domain, forces a secure connection) and this discussions.apple.com. Well Firefox and IE do show a normal grey lock icon without organization name, and Chrome admits the website's ownership is unverified (in details, it says ownership is verified by the CA but there's no public verification record; the secure setting of that site has outdated, too) despite having Valve's name and green lock icon. So the cert could be a fake since it's an ordinary (I guess?) cert from a EV authority (DigiCert High Assurance EV CA-1 in this case). The certificate shown from Chrome is totally fine (not a single red cross in the chain), though.
    Well there're other https resources Safari fails to create a secure connection with every now and then. I just forgot/ am unable to test them with other browsers (Sometimes it's not the page itself that can't be retrieved via https, but some resource it loads. Sadly I only know how to use Inspector in Safari, though I'm sure other browsers have similar functions, too). I suspect Safari just refuses such certificates (or the AES_128_CBC method maybe) while other browsers accept it. Is there an override for this?
    Weird enough, https://ev-root.digicert.com/ has grey lock on Firefox and Safari. Seems overriding is the only workaround.
    As a side note, my Safari freezes upon loading PayPal, being unresponsive for tens of seconds on every activity such as clicking a link. For most of the duration of the freeze no high CPU usage is monitored, though ocspd does sometimes take 50% or so, and the web process bursts into 100% immediately before unfreezing. Guess Yosemite has some issues with TLS on the system level.

    This could be a complicated problem to solve, as there are several possible causes for it.
    Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
    Step 1
    From the menu bar, select
               ▹ System Preferences... ▹ Date & Time
    Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.
    Check the box marked 
              Set date and time automatically
    if it's not already checked, and select one of the Apple time servers from the menu next to it.
    Step 2
    Triple-click anywhere in the line below on this page to select it:
    /System/Library/Keychains/SystemCACertificates.keychain
    Right-click or control-click the highlighted line and select
              Services ▹ Show Info
    from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
    Repeat with this line:
    /System/Library/Keychains/SystemRootCertificates.keychain
    If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
    Step 3
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
    In the Keychains list, there should be items named System and System Roots. If not, select
              File ▹ Add Keychain
    from the menu bar and add the following items:
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain
    Open the View menu in the menu bar. If one of the items in the menu is
              Show Expired Certificates
    select it. Otherwise it will show
              Hide Expired Certificates
    which is what you want.
    From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
              Secure Sockets Layer (SSL)
    select
              no value specified
    Close the inspection window. You'll be prompted for your administrator password to update the settings.
    Now open the same inspection window again, and select
              When using this certificate: Use System Defaults
    Save the change in the same way as before.
    Revert all the certificates with non-default trust settings. Never again change any of those settings.
    Step 4
    Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
    Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
              Help ▹ Keychain Access Help
    from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
    Step 5
    From the menu bar, select
              Keychain Access ▹ Preferences... ▹ Certificates
    There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
    Step 6
    Triple-click anywhere in the line of text below on this page to select it:
    /var/db/crls
    Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
    A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
    Restart the computer, empty the Trash, and test.
    Step 7
    Triple-click anywhere in the line below on this page to select it:
    open -e /etc/hosts
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    127.0.0.1                              localhost
    255.255.255.255          broadcasthost
    ::1                                        localhost
    fe80::1%lo0                    localhost
    If that's not what you see, post the contents of the window.
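
Step 7 above asks the reader to compare /etc/hosts with the stock contents by eye. The same comparison as a shell function, as an added example that is not part of the original reply; the function name audit_hosts and the sample file are assumptions constructed here.

```shell
#!/bin/sh
# Added example: list hosts-file entries that differ from the stock
# contents shown in Step 7. audit_hosts is a hypothetical helper name.

# audit_hosts FILE
#   Prints "address name" for every mapping that is not a stock entry.
#   Returns 0 if only stock entries are present, 1 otherwise.
audit_hosts() {
    awk '
        BEGIN {
            # Stock mappings exactly as listed in Step 7.
            ok["127.0.0.1", "localhost"] = 1
            ok["255.255.255.255", "broadcasthost"] = 1
            ok["::1", "localhost"] = 1
            ok["fe80::1%lo0", "localhost"] = 1
        }
        {
            sub(/#.*/, "")        # drop whole-line and trailing comments
            if (NF < 2) next      # blank line or address without a name
            addr = tolower($1)
            # A line may carry several names (aliases) for one address.
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (!((addr, name) in ok)) { print addr, name; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the stock file plus one extra mapping
# (203.0.113.10 is a documentation address, not a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Host Database
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    www.example.com   # constructed override
EOF
audit_hosts "$sample" || echo "non-default entries present"
rm -f "$sample"
```

On a real system, run `audit_hosts /etc/hosts`; any line it prints is a name that resolves locally instead of through DNS.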

  • Use of robots.txt to disallow system/secure domain names?

    I've got a client whose system and secure domains are ranking very high on Google.  My SEO advisor has mentioned that a key way to eliminate these URLs from Google is through the use of disallowing content through robots.txt.  Given BC's unique nature of dealing with system and secure domains I'm not too sure if this is even possible as any disallowances I've seen or used before have been directories and not absolute URLs, nor have I seen any mention of this possibility around.  Any help or advice would be great!

    Hi Mike
    Under Site Manager > Pages, when accessing a specific page, you can open the SEO Metadata section and tick “Hide this page for search engines”
    Aside from this, using the robots.txt file is indeed an efficient way of instructing search engine robots which pages are not to be indexed.

  • Could not establish secure connection with server

    Hi ,
    We are not able to access our web service URL from an iPad application on some networks. We are receiving a “could not establish secure connection with the server” message. We are able to access the same URL from other networks. Can you please suggest the possible root causes and their suggested solutions? We would appreciate your quick response.

    hi Alfonso,
    Editing the hosts file is easy. You just need to use the CAS/CAM CLI and the vi text editor. You can google for instructions on how to use vi.
    To start, assume we have a CAM and CAS with the hostnames cam1 and cas1 respectively. The domain is mycompany.com and the IP addresses for the CAM and CAS are 192.168.10.1 and 192.168.15.2 respectively.
    Start with the CAM and view the hosts table:
    cat /etc/hosts
    To check what domain you used to set up the CAM:
    cat /etc/resolv.conf
    Edit the hosts file so it appears like so:
    192.168.10.1 cam1.mycompany.com cam1
    192.168.15.2 cas1.mycompany.com cas1
    Verify with 'cat /etc/hosts'
    Make sure you can ping 'cas1' and 'cas1.mycompany.com' from cam1
    Next edit the hosts file for cas1 so that it appears like so
    192.168.15.2 cas1.mycompany.com cas1
    192.168.10.1 cam1.mycompany.com cam1
    Make sure you can ping 'cam1' and 'cam1.mycompany.com' from cas1
    HTH
    George
