[Solved] Generating User Certificate Programmatically
I have a requirement to automatically generate a user certificate when a new user is created (via a custom form). Is it possible to do this with OCA? How? Are there any alternatives?
Thanks,
Brian
Couldn't find a way to do this. Our solution was to email the new user with a hyperlink to OCA where they can request and download their certificate.
Similar Messages
-
Problem Generating a certificate request
I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM. I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error. This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
I am using this command.... certreq -new request.inf request.req
After hitting enter, it sits there for about 10 seconds and gives me this error back...
Certificate Request Processor: Access is denied. 0x80070005 (WIN32: 5)
[RequestAttributes]
I have searched on this error and have not found much of anything on it. This process seems to work fine on other servers that I have, but these two servers both generate this error. Both servers are clean builds and only have ADAM installed on them. I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message.
Anyone have any ideas?
Thanks!
Hello Bryan,
First of all, please make sure that the CA certificate is added to the Trusted Root certificate store on the servers. If certificate web enrollment is enabled, please check how a certificate request works on the two servers that generate the error.
Meanwhile, please verify the security permission on the MachineKeys directory:
1. Open Windows Explorer, and find the MachineKeys directory in the following location:
Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Right-click the directory, and click Properties.
3. Click the Security tab, and ensure that the full control permission for the Administrators
How to: Change the Security Permissions for the MachineKeys Directory
http://msdn.microsoft.com/en-us/library/bb909654.aspx
Hope it helps. -
CProjects approval error - Signature not possible : no user certificate ex
When i try to approve the phase in cProjects i get an error which says
"Signature not possible : no user certificate exist".
Where exactly do we maintain this certificate because i am not able to change the decision for phase approval.
I have maintain the person responsible for project role via Organizational mgmt. in PPOCE and BP transactions. I have also specified personnel number and user in the identification tab in BP tcode.
Please reply asap,
Pratik.
The issue is solved.
1. Specify personnel number - BP transaction
2. Specify user name - BP transaction
Additions made :-
Specified external reference number - BP transaction
Also made changes in Phase type settings related to approval where couple of statuses were changed.
Regards;
Pratik -
Configure WLan for user certificate authentication
I have windows CA and NPS (radius server).
I want wireless clients / devices using Active Directory user certificates (generated by AD CA) to authenticate and encrypt on the wireless WLAN.
I have setup WLAN as [WPA2][Auth(802.1X)] and pointing to Radius server (windows NPS).
My test notebook PC has ca.cer and username certificate installed in trusted and personal stores. And configure the wireless profile as "Microsoft: smart card or other certificate".
However, when I try to connect it fails, and Wireshark on the NPS shows no traffic on port 1812.
Could someone please help me look at whether anything is wrong in the WLC setting?
Thanks.
GPING
Hi, Scott,
My WLC setting: SSID-Test, WPA2 802.1x, AES, Radius server overwrite interface "ticked", Server1 - x.x.x.x port 1812,
Local EAP auth - Enabled and profile = "Peap"
On my NPS, I got 2 policies (enabled only one of them for test).
NPS-Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", User group ="test users".
On Win7, I setup wireless profile = WPA2-Enterprise, AES, Choose auth method = "Microsoft PEAP" with ca.cer installed and ticked. When "connect", I got connected with login user credential.
NPS-Policy 2: Auth method = "Microsoft Smart card or other certificate" -> wireless server certificate"
On Win7, I setup wireless profile = WPA2-Enterprise, AES, Choose auth method = "Microsoft Smart card or other certificate". Choose "use a certificate on this computer". (I have one user certificate installed on Personal store). Also ticked "Validate server certificate" and ticked the ca.cer which was installed. When "connect" I failed.
I tried some other combination, like TKIP instead of AES, but I got "The settings saved on this computer for the network do not match the requirements of the network" - really frustrated.
Could please point me where got wrong?
Thanks
GPING -
Creating user accounts programmatically
Hi,
We would like to perform a few activities programmatically in Azure as follows:
1) We would like to know the approach or APIs available to create user accounts programmatically
2) We would also like to know how to access the pricing model of Azure cloud components programmatically
Please help us at the earliest with the APIs/ways we requested.
Thanks,
Sathish Kumar.K
Hi
What's the user account mean here?
Co-admin or Storage account?
I wrote a blog about how to manage Azure programmatically
here.
You can use that class libraries to do that.
If you have any further question, please let me know
For the second question:
As far as I remember there isn't any billing API for developers; you can only get the info from the portal.
My Blog
Please use Mark as Answer if my post solved your problem and use
Vote As Helpful if a post was useful. -
Anyconnect 3.1 and user certificate-based authentication
Hi experts,
I'm trying to test a basic full tunnel VPN connection from Anyconnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
Steps i took:
1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and into Cisco ASA
2) I generated a certificate signing request on the W7 client, got that signed by W2008 CA and imported the signed certificate into W7. Both user certificate and root CA are in the personal certificate store
3) On ASA, I've also generated a certificate signing request, got that signed by W2008 CA and imported the signed certificate back in ASA
I then used ASDM to configure ASA to support Anyconnect on its untrust interface.
When I use Anyconnect on the W7 client to connect to ASA, I got "No valid certificates available for authentication" and "certificate validation failure" messages as seen in the below screenshot
I can confirm that both user and root CA certificate exist in the personal certificate store
The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA> since I don't have a DNS setup in place.
Can anyone suggest what could be wrong with my setup?
The problem has been fixed by using the IP address instead of the hostname in the AnyConnect client profile, since I don't have a DNS setup in my environment.
Once that is done I was able to connect and authenticate using user certificates.
ASA1# sh vpn-sessiondb detail anycon
Session Type: AnyConnect Detailed
Username : cisco Index : 2
Assigned IP : 10.5.1.100 Public IP : 10.3.1.10
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Premium
Encryption : AES256 Hashing : none SHA1
Bytes Tx : 0 Bytes Rx : 30758
Pkts Tx : 0 Pkts Rx : 195
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_VPN-CP1 Tunnel Group : VPN-CP1
Login Time : 06:40:49 UTC Wed Feb 19 2014
Duration : 0h:07m:38s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1
AnyConnect-Parent Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 2.1
Public IP : 10.3.1.10
Encryption : none Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 22 Minutes
Client Type : AnyConnect
Client Ver : 3.1.05152
IKEv2:
Tunnel ID : 2.2
UDP Src Port : 50530 UDP Dst Port : 4500
Rem Auth Mode: Certificate
Loc Auth Mode: rsaCertificate
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 85941 Seconds
PRF : SHA1 D/H Group : 5
Filter Name :
Client OS : Windows
IPsecOverNatT:
Tunnel ID : 2.3
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.5.1.100/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28341 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607970 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 0 Bytes Rx : 31218
Pkts Tx : 0 Pkts Rx : 196
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 459 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL : -
Problem loading/storing user certificate on 6230
I have generated a certificate using keytool and have signed my MIDlet using the same certificate. I then sent the certificate via IR to my Nokia 6230. The phone receives it but says unknown format. Any suggestions on how to send the certificate to the phone?
The MIDlet loaded can't be started - the error message is "No Valid Certificate" - which I guess is correct since I haven't loaded the certificate to the phone.
On the phone, under services->settings->security settings there is a user certificates and Authority Certificates. I presume, when i eventually succeed in getting the certificate loaded on the phone it would show up under User Certificates. Is this a good assumption?
thanks in advance,
anish
Hi Prateek,
Thanks for the reply. I have got my certificate signed by CA. The problem is importing the client certificate into the Trusted CA's.
When I try to import the client certificate into Trusted CAs using the load button, after selecting the certificate a pop-up comes up and asks for a password.
I tried with two different certificates and this happens only to the one which has a digital signature. I have asked the customer who sends the request and they say there is no such password.
any help or suggestions would be appreciated
Thanks,
Srini -
Is there a way to generate server certificates in a multi-controller environment?
Q: Is there a way to generate server certificates in a multi-controller environment?
A: 1. For PEAP, only the Radius Server needs a certificate, not the controller. Managing a certificate for each controller for 802.1x when you can alternatively manage a single certificate for each radius server is a mistake.
2. For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust. That could either involve (1) A different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)
Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below: Of course, you will have to pay for each SAN that you have added to the certificate. If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.
A document on certificates that is specifically geared toward ClearPass, instead of controllers is here: Certificates 101 V1.0 It speaks to certificates on ClearPass, but the concepts are the same...
Solution:-
We can use the ClearPass server to generate the CSR, where the CN is named after the 1st controller and which includes Subject Alternative Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover). This allows us to save/export the private key as a file.
After submitting the CSR for a UCC and receiving the cert, proceed to chain the cert to include the server, all intermediate and root CAs. Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:
sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
Once this generated a PFX cert, we uploaded it to all controllers and used it under Configuration > Management > General for both "WebUI Management Authentication Method" and "Captive Portal Certificate" (even though the ClearPass Guest captive portal uses a different cert for the captive portal page itself).
https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANs
Sorry I'm still confused here. What you are describing makes no sense for properly using TestStand.
Maybe I can help you find the right solution if I can understand your goal?
Do you want to dynamically populate the variables (Locals and FileGlobals) with values? Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
Generally what happens is people want an ASCII file (in your case I'm guessing CSV) such that they can change the values of variables so that when TS is executing it will load those values and use them. In this case NI recommends the Property Loader. There is an example for this in <TestStand>\Examples. Open the workspace and look for the PropertyLoader example. Also, if you google "property loader teststand" you will find various articles which may assist you.
When you say "define the variables for the sequence/sequence file" Are you actually referring to manually right clicking in the sequence file and saying Insert Local? or are you just saying that you change the value of a variable?
Thanks,
jigg
CTA, CLA
teststandhelp.com
~Will work for kudos and/or BBQ~ -
How to renewal the Java Keytool DIgital Certificate programmatically?
Hi,
I created the self-signed digital certificate programmatically. My certificate has expired. I want to renew the digital certificate programmatically.
If anyone has an idea how to renew the certificate, please share it with me.
Thank you
Whenever we want to renew the certificate, we have to create a new keystore file and a new certificate file.
NO
Absolutely not.
I've just told you that.
Instead of creating a new certificate/keystore file, is it possible to update just the 'valid from' and 'valid to' dates in the old keystore file?
I've just answered that as well. I don't know what code you executed to generate the original certificate but you have to repeat the part that signed it. -
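The answer above comes down to one point: renewal means repeating the signing step with the existing key pair, not editing the dates inside the keystore, because the validity dates are covered by the certificate's signature. The following is an added example, written here with Go's crypto/x509 rather than Java keytool, and it is not code from the thread: it self-signs a certificate for a constructed 90-day window, moves the clock past expiry, reissues the certificate with the same key and a new window, and checks that the public key did not change. The key, the subject name "example-service" and the dates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates the key pair that keytool's -genkeypair would have created
// (constructed here, not read from an existing keystore).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// selfSign is the signing step: it issues a self-signed certificate for key with the
// given validity window. Renewal is this same step run again with the original key.
func selfSign(key *ecdsa.PrivateKey, cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	// A fresh random serial for every issuance so old and new certificates are distinguishable.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// renew reissues an expired (or expiring) self-signed certificate with the same key and
// subject; only the validity window and the serial number change. The dates in the old
// certificate cannot be patched in place because the signature covers them.
func renew(key *ecdsa.PrivateKey, old *x509.Certificate, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	return selfSign(key, old.Subject.CommonName, now, now.Add(lifetime))
}

// validAt reports whether cert's validity window covers t.
func validAt(cert *x509.Certificate, t time.Time) bool {
	return !t.Before(cert.NotBefore) && !t.After(cert.NotAfter)
}

// sameKey reports whether two certificates carry the same public key, i.e. the renewal kept the key pair.
func sameKey(a, b *x509.Certificate) bool {
	pa, ok1 := a.PublicKey.(*ecdsa.PublicKey)
	pb, ok2 := b.PublicKey.(*ecdsa.PublicKey)
	return ok1 && ok2 && pa.Equal(pb)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	start := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	old, err := selfSign(key, "example-service", start, start.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	now := start.Add(200 * 24 * time.Hour) // 200 days later: the 90-day certificate has expired
	fmt.Println("old certificate valid now:", validAt(old, now))
	fresh, err := renew(key, old, now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("renewed certificate valid now:", validAt(fresh, now), "same key:", sameKey(old, fresh))
}
```

The renewed certificate has a different serial number, so any system that pinned the old certificate by serial or fingerprint (rather than by public key) still has to be updated, which is the same operational step as replacing the certificate in a keystore.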
Unable to import the user certificate into the Oracle Wallet Manager
Hi,
I am configuring the External Authentication plugin using the password filters.
I am using version 10.1.0.5.0 of Oracle Wallet Manager.
In order to do that I am enabling SSL mode.
To enable SSL mode I followed some steps in the OWM and the OCA admin and user consoles.
When I approved a certificate as admin and imported it into Oracle Wallet Manager, I got an error that
User Certificate Installation failed.
Possible errors:
- Input was not a valid certificate
- No matching certificate request found
- CA certificate needed for certificate chain not found.
Please install it first
Can anyone help me resolve this problem?
hi,
thanks for your reply pramod
I tried to import the two certificate files (rootca.crt and server.crt), but I got the same error.
what may be the problem. -
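The third cause listed in the error above, a CA certificate needed for the chain not being found, can be reproduced outside Oracle Wallet Manager. This added example, which is not code from the thread or from Oracle, builds a constructed root CA and a user certificate issued by it using Go's crypto/x509, then runs the same chain check a wallet import performs: once with the trust store empty and once with the CA loaded. It also shows the same check rejecting the user certificate once it has expired, a different failure that an import would report as an invalid certificate. All names and keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl for the public key pub, signed by signer. When parent
// is nil the certificate is self-signed (a root CA); otherwise parent is the issuing CA certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainCheck mirrors the test a wallet or keystore import applies before accepting a user
// certificate: it must chain to a CA certificate that is already trusted and be valid at now.
// It returns nil when a chain builds, otherwise the reason (unknown authority, expired, ...).
func chainCheck(leaf *x509.Certificate, now time.Time, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // an explicit empty pool, so system roots are never consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// testPKI builds a constructed root CA and a user certificate it has issued (sample data, not a real CA).
func testPKI(now time.Time) (ca, user *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err = issue(caTmpl, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user, err = issue(userTmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, user, nil
}

func main() {
	now := time.Now()
	ca, user, err := testPKI(now)
	if err != nil {
		panic(err)
	}
	// Importing the user certificate before its CA is trusted fails, which is what the wallet reports.
	fmt.Println("without the CA in the trust store:", chainCheck(user, now))
	fmt.Println("with the CA in the trust store:   ", chainCheck(user, now, ca))
}
```

The order of operations this implies for the wallet is the same as the error text suggests: import the CA (and any intermediate) certificates as trusted certificates first, then import the user certificate, which the wallet can only match to its own pending request if that request was generated from the same wallet.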
E-Recruiting generated user names
We want to change the format of generated user names (for internal candidates). By default, if they don't already have a user name in IT0105 a user name gets generated in the format of EEXXXXXXXX where XXXXXXXX is their personnel number.
The data is coming from the HR system to the E-Recruiting system by means of ALE. Other than inserting an 0105 record with desired user name in the IDoc is there any other way of changing the format of the generated user name?
Thanks
Hello Rich,
there is no easy customizing / configuration way to replace the algorithm for the user name.
Still there are different approaches to do this other than rewriting the IDoc and adding a line. As the whole processing is a BAdI implementation you could replace it entirely by a customer implementation. This would be modification / enhancement free but as it is a quite large implementation it could be troublesome to keep track of changes / corrections SAP does in the standard coding.
Another way is the enhancement / modification of the coding as suggested above.
There is also another BAdI which is called in the implementation itself (following a basic design rule there should always be one if SAP delivers an implementation - in this case it is really there :o)). You could use it to replace the standard user name assigned. Unfortunately this leaves you with this generated user which would have to be deleted, so it is not the best choice from a performance and perhaps a security standpoint.
Last solution I could imagine is changing the HRP558* table. It is used as a temporary storage for the IDoc data with EhP 4.
All of these solutions have their pros and cons. Personally I'd use the possibility of changing the IDoc directly and adding a line either in the outgoing BAdI on the HR server or in the inbound processing of the e-rec. server.
Kind Regards
Roman -
Problem with Generate a certificate and Key
I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
I need a CA to sign the certificate generated by the Cisco S370, but the CA returns an error and asks for the key to be changed to 2048 bits. I have no option to do this in the GUI, and I looked in the CLI but cannot find any option to change the HTTPS certificate key to 2048.
You can change the certificate that was generated by the WSA S370 to 2048
In addition to Kush's response, we had a similar thread in the past. Please refer to:
https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of 86121.
You can search for Bug IDs using Cisco Bug Search Tool :
https://tools.cisco.com/bugsearch/
From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
Regards,
-Valter -
Generate User Login in "Create User" Request
Hi Guys,
I have one more problem. To create a user, I am using a Request (Create User Template). I managed to add the attributes that would normally be necessary, but I use an Event Handler (Post-Process) to generate the user login. So I marked the User Login in Attribute Restrictions, fixing a default user login, for example: autogenerate.
Then I created a new request to create a user and filled out all the fields that I marked to appear. I approved this request, and the user is created with the User Login generated by my Event Handler normally. The issue is, when I create 2 create-user requests, as I use a default value in the User Login attribute, if the first request still isn't approved, the second request isn't created because the "autogenerate" user login is already being used.
Is there some other way for me to resolve this issue?
Thanks
Hi Bikash,
Using a prepopulate adapter with a timestamp attribute is a nice idea, but I use the "Create User" template CreateUserDataSet.xml and there is no form in Design Console to associate the prepopulate adapter with.
I had thought of an event handler because I use a method that checks in Active Directory whether the user login generated by another method is already being used. And I use this event handler in the HR GTC recon too.
About XL.LDAPReservationPluginImpl, I opened oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID but I did not understand how to use this option: whether I need to add my user-login generation method to this class, or implement a new class similar to it using my methods and associate the class name in XL.LDAPReservationPluginImpl.
Thanks a lot -
Unable to generate users.xml file
Hi All,
I have installed OCS 10.1.2.0.0, applied the cumulative patchset, and am now on OCS 10.1.2.3.0.
Now I am trying to migrate users and their mailboxes from Exchange 5.5 running on a Windows NT 4 server.
I have installed the esmigration tool on a machine running Windows XP SP2 with the Outlook 2003 client installed. I ran the tool and successfully created the system profile. Once done, when I try to extract users, which should generate a users.xml file, I get an error saying "Unable to generate users.xml" file. When I look at the log file I can see the error, which says invalid domain, which is not true. The domain name is right and I have repeated the process more than 10 times, but still keep getting the same error. I tried using IMAP to IMAP as well as MBOX, but still the same error. Has anyone seen such a behavior?
So I tried to choose plan B. As I do not have too many users I decided to export the users' mailboxes as PST files and then import them. This is not a problem, but what I do not know is what I need to do to enable coexistence mode on Exchange, meaning when an email arrives, it first goes to Exchange and then forwards a copy to OCS. Please note in my research I have found some notes on how to do this on Exchange 2000 on a Windows 2000 server with AD, but I couldn't find anything for Exchange 5.5 on NT4.
Any assistance on this would be very helpful.
Regards,
Dipak
Hi Dipak,
If you do the migration from the Windows 2000 machine with outlook 2000 installed, and connected to Exchange 5.5 via an admin profile, then you will not see this issue.
In case, it is not possible for you to move to new machine where above said environment exists, then you can request for a patch of migration tool that has fix for this issue. Please send an email to [email protected] or [email protected], for the fixed version.
For your co-existence query: Please make use of alternate-recipient setup that exists on exchange 5.5 user properties. So, the emails will be routed to both exchange, and ocs server mailboxes of that user.
If you have any further queries please send an email to [email protected]
Thanks,
Venkat -
How to generate a certificate request with more than one OU?
We're using Sun Java System Web Server 6.1 SP4. The corporation has its own CA and organizes its certificates hierarchically with more than one organizational unit (OU) in a chain.
So what we need is to generate a certificate request with more than one OU, but the Web Server wizard has only one text field for it. We've already tried filling this field with the complete chain of OUs, like "ou=orgX, ou=deptY, ou=secZ", but that didn't work either.
Thanks in advance,
Jeff!
Have you tried the command line tool "certutil"?
#<SERVER-ROOT>/bin/https/admin/bin/certutil
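The multi-controller SAN certificate from the Aruba answer above and this multi-OU request come down to the same thing: what the CSR's subject and subjectAltName extension actually carry, which a single-field wizard cannot express. The following added example builds such a request with Go's crypto/x509 rather than with certutil, ClearPass or openssl, and is not code from either thread. Each OU becomes its own RDN in the order given, so the subject carries the chain ou=orgX, ou=deptY, ou=secZ rather than one OU string; every controller FQDN goes into the SAN extension; and the request is parsed back and its self-signature checked before it would be sent to the CA. The controller names, organisation and OU values are constructed, and the PKCS#12 export step from the Aruba answer is not reproduced here because it is not in Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// oidOU is the X.500 attribute type organizationalUnitName (2.5.4.11).
var oidOU = asn1.ObjectIdentifier{2, 5, 4, 11}

// newCSRKey generates the request's key pair (constructed here; in practice this is the
// private key that is later exported beside the issued certificate).
func newCSRKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildCSR returns a PEM PKCS#10 request. Each OU in ous is emitted as its own RDN, in order,
// via ExtraNames (the OrganizationalUnit field would fold them into one multi-valued SET whose
// DER ordering is not the given one); each name in sans goes into the subjectAltName extension.
func buildCSR(key *ecdsa.PrivateKey, cn string, ous, sans []string) ([]byte, error) {
	subject := pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}} // constructed O
	for _, ou := range ous {
		subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{Type: oidOU, Value: ou})
	}
	tmpl := &x509.CertificateRequest{Subject: subject, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// inspectCSR parses a PEM request, verifies its self-signature (proof of possession of the
// key) and returns the OUs and DNS SANs it carries: the check to run before submitting to a CA.
func inspectCSR(pemCSR []byte) (ous, sans []string, err error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	return csr.Subject.OrganizationalUnit, csr.DNSNames, nil
}

// missingSANs lists the required host names the request does not cover; an empty result means
// every controller FQDN (and the VRRP name clients are redirected to) is present.
func missingSANs(sans, required []string) []string {
	have := make(map[string]bool, len(sans))
	for _, s := range sans {
		have[s] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

func main() {
	key, err := newCSRKey()
	if err != nil {
		panic(err)
	}
	// Constructed names: CN for the first controller, SANs for every controller and the VRRP name.
	controllers := []string{"wlc1.corp.example", "wlc2.corp.example", "wlc3.corp.example", "wlc-vrrp.corp.example"}
	csrPEM, err := buildCSR(key, controllers[0], []string{"orgX", "deptY", "secZ"}, controllers)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	ous, sans, err := inspectCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("OUs:", ous, "SANs:", sans, "missing:", missingSANs(sans, controllers))
}
```

Whatever tool finally produces the request, the same inspection applies to its output: if a CA or a wizard silently drops the extra OUs or SANs, the parsed request shows it before a paid certificate is issued with the wrong names.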