SSL LLE together with Cert-C PKI Encryption
I could successfully set up LLE encryption for WSL without Cert-C or message encryption with Cert-C plugin. But could not manage to get them both working in the same application.
I am using Tuxedo10.3 + OpenLDAP on RH5.
Native client tpinit gives me tpinit failure and in ULOG I see LIBTUX_CAT:6657: ERROR: Could not copy SSL context, err = -1
Encrypted PKCS8 private keys don't work for me with Cert-C. SEC_PRINCIPAL_PASSVER and decPassword attribute for cert-c/key_manager didn't change anything and finally I used unencrypted PK.
ULOG ---------------------------------8<----------------------------------------------------------------
173342.730.borjomi!WSH.14905.3086448320.0: 09-17-2010: Tuxedo Version 10.3.0.0, 32-bit
173342.730.borjomi!WSH.14905.3086448320.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.730.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=bea/mapfile)
173342.731.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=native/security/authentication)
173342.731.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/native/atn)
173342.732.borjomi!WSH.14905.3086448320.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.732.borjomi!WSH.14905.3086448320.0: PIFREG: destroy(priv=0x8199ee0)
173342.732.borjomi!WSH.14905.3086448320.0: WSNAT_CAT:1030: INFO: Work Station Handler joining application
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=native/security/map_proof)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/pk_initialization, alias=native/security/pk_initialization)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/pk_initialization, alias=bea/native/pkifile)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=ws/security/authentication)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/ws/atn)
173342.739.borjomi!?proc.14904.3086374592.0: 09-17-2010: Tuxedo Version 10.3.0.0, 32-bit
173342.739.borjomi!?proc.14904.3086374592.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.739.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=bea/mapfile)
173342.740.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=ws/security/authentication)
173342.740.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/ws/atn)
173342.744.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/key_management, alias=native/security/key_management)
173342.751.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG:{ _ep_dl_certc_key_management()
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: regData: privateKeyDir=file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: regData: decPassword=password
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/)
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: Using Private keys in directory /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_lookup, alias=native/security/certificate_lookup)
173342.760.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_parsing, alias=native/security/certificate_parsing)
173342.760.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.760.borjomi!WSH.14905.3086448320.0: CCDBG: { _e_dl_certc_certificate_parsing()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } edl_certc_certificate_parsing(30), returns 0
173342.761.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_validation, alias=native/security/certificate_validation)
173342.761.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_validation, alias=bea/cert-c/certificate_validation)
173342.761.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { _ep_dl_certc_validate_certificate()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: Trusted CA file file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: CRL file file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { validate_init()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { addCertFromFileToList(fname /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der, read 537 of bytes
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } addCertFromFileToList(50) return 0
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der, read 279 of bytes
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } validate_init(140) return SUCCESS
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } epdl_certc_validate_certificate(80) return SUCCESS
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_trust(principal myapp)
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_trust(50) return SUCCESS
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_get_issuer_name()
173342.797.borjomi!WSH.14905.3086448320.0: issuer dn (81 bytes):
173342.797.borjomi!WSH.14905.3086448320.0: 30 4f 31 10 30 0e 06 03 55 04 03 13 07 63 61 6d 0O1.0...U....cam
173342.797.borjomi!WSH.14905.3086448320.0: 79 61 70 70 31 0e 30 0c 06 03 55 04 0b 13 05 54 yapp1.0...U....T
173342.797.borjomi!WSH.14905.3086448320.0: 69 65 74 6f 31 0d 30 0b 06 03 55 04 07 13 04 52 ieto1.0...U....R
173342.797.borjomi!WSH.14905.3086448320.0: 69 67 61 31 0f 30 0d 06 03 55 04 08 13 06 4c 61 iga1.0...U....La
173342.797.borjomi!WSH.14905.3086448320.0: 74 76 69 61 31 0b 30 09 06 03 55 04 06 13 02 4c tvia1.0...U....L
173342.797.borjomi!WSH.14905.3086448320.0: 56 V
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { getNameFromNameObject()
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: avaCount 5
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: valueTag PRINTABLE STRING
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: type = 55, 4, 55
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: name camyapp, 0x81ccb40
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: } getNameFromNameObject(40) return SUCCESS
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: issuer name is camyapp
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_get_issuer_name(60) return 0
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_trust(principal camyapp)
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_trust(40) return TRUSTED
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_open_private(cd 0x81cd260, principal myapp, location /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/myapp.der)
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: req_usage 0x2, cd->cds_usage 0x2
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/myapp.der, read 634 of bytes
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: got the key info for type 0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: private key 0x81cbdf0, *keyp 0x81cbdf0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_open_private(70) return SUCCESS
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_open_public(cd 0x81cd260, principal myapp, req_usage 0x2)
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: public key match type 0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: public key 0x81d19c8, *keyp 0x81d19c8
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_open_public(70) return SUCCESS
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_validate(principal myapp)
173342.840.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_validate(100) return SUCCESS
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6657: ERROR: Could not copy SSL context, err = -1
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6741: ERROR: SSL error -1
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6633: ERROR: Could not create SSL context on accept
173344.852.borjomi!?proc.14904.3086374592.0: LIBWSC_CAT:1032: ERROR: Failed to receive expected reply
173344.852.borjomi!?proc.14904.3086374592.0: LIBWSC_CAT:2003: ERROR: Unable to get reply to gssapi token message
---------------------------------8<----------------------------------------------------------------
Test setup script:
---------------------------------8<----------------------------------------------------------------
LDAP_HOST=10.57.5.167
LDAP_PORT=8080
LDAP_ROOTDN="dc=com"
LDAP_BASEDN="cn=Manager,$LDAP_ROOTDN"
LDAP_PASSWORD="password"
## Create openssl config
cat <<EOF >openssl.cfg
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # top dir
database= index.txt
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = md5
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
[ req_distinguished_name ]
EOF
## Generate self-signed CA
openssl req -x509 -newkey rsa:1024 -keyform PEM -keyout camyapp_key.pem -out camyapp_crt.pem -days 365 -subj '/CN=camyapp/OU=Tieto/L=Riga/ST=Latvia/C=LV' -config openssl.cfg
openssl x509 -in camyapp_crt.pem -out camyapp_crt.der -outform DER
cat camyapp_crt.pem >> $TUXDIR/udataobj/security/certs/trust_ca.cer
## Generate user certificate for PRINCIPAL myapp
openssl req -newkey rsa:1024 -keyform PEM -keyout myapp_key.pem -outform PEM -out myapp_csr.pem -days 365 -subj '/CN=myapp/OU=Tieto/L=Riga/ST=Latvia/C=LV' -config openssl.cfg
# myapp.pem works fine for LLE when using libplugin.so
#openssl pkcs8 -topk8 -in myapp_key.pem -passout pass:password -outform PEM -out myapp.pem
# It looks like libcertctux.so accepts only unencrypted keys. Is it true?
openssl pkcs8 -topk8 -in myapp_key.pem -outform DER -nocrypt -out myapp.der
openssl pkcs8 -topk8 -in myapp_key.pem -outform DER -nocrypt -out myapp.pvt
openssl x509 -req -in myapp_csr.pem -CA camyapp_crt.pem -CAkey camyapp_key.pem -CAcreateserial -outform DER -out myapp_crt.der -days 356
#Reload LDAP
ldapdelete -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -w $LDAP_PASSWORD -r "$LDAP_ROOTDN"
cat <<EOF > myapp.ldif
dn: $LDAP_ROOTDN
dc: ${LDAP_ROOTDN/*=}
objectClass: dcObject
objectClass: organization
o: something

dn: o=TUX,$LDAP_ROOTDN
o: TUX
objectClass: organization

dn: cn=myapp,o=TUX,$LDAP_ROOTDN
userPassword: password
objectClass: inetOrgPerson
objectClass: person
objectClass: pkiUser
objectClass: strongAuthenticationUser
sn: myapp
cn: myapp
# For SSL search:SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=strongAuthenticationUser)(mail=myapp))"
mail: myapp
userCertificate;binary:<file://`pwd`/myapp_crt.der
EOF
ldapadd -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -f myapp.ldif -w $LDAP_PASSWORD -c
## Generate empty CRL. The same CRL is used for ARL
echo > index.txt
openssl ca -gencrl -keyfile camyapp_key.pem -cert camyapp_crt.pem -out my_crl.pem -config openssl.cfg
openssl crl -in my_crl.pem -out my_crl.der -outform DER
cat <<EOF > ca.ldif
dn: cn=camyapp,o=TUX,$LDAP_ROOTDN
userPassword: password
objectClass: inetOrgPerson
objectClass: person
objectClass: certificationAuthority
sn: camyapp
mail: camyapp
cACertificate;binary:<file://`pwd`/camyapp_crt.der
certificateRevocationList;binary:<file://`pwd`//my_crl.der
authorityRevocationList;binary:<file://`pwd`//my_crl.der
EOF
ldapadd -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -f ca.ldif -w $LDAP_PASSWORD -c
## Installation values
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup -a Params=userCertificateLdap=ldap://10.57.5.167:8080/ -a Params=ldapBaseObject=o=TUX,dc=com -a Params=binaryCertificate=YES
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_validation -a Params=caCertificateFile=file://$TUXDIR/udataobj/security/certs/trust_ca.cer -a Params=peerValidationRuleFile=file://$TUXDIR/udataobj/security/certs/peer_val.rul
epifregedt -s -k SYSTEM/impl/security/BEA/key_management -a Params=privateKeyDir=file://$TUXDIR/udataobj/security/keys
# ** Modify Validation Interface **
epifreg -r -p bea/cert-c/certificate_validation -i engine/security/certificate_validation -v 1.0 -f libcertctux.so -e epdl_certc_validate_certificate -u caCertificateFile=file://`pwd`/camyapp_crt.der -u crlFile=file://`pwd`/my_crl.der
epifregedt -s -k SYSTEM/impl/bea/valfile -a InterceptionSeq=bea/cert-c/certificate_validation
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_validation -a DefaultImpl=bea/valfile
# ** Modify Lookup Interface ** Use OpenLDAP
# Not using cert-c certificate lookup. Lookup from libplugin is compatible with OpenLDAP
#epifreg -r -p bea/cert-c/certificate_lookup -i engine/security/certificate_lookup -v 1.0 -f libcertctux.so -e epdl_certc_certificate_lookup -u ldapUserCertificate=ldap://10.57.5.167:8080 -u ldapBaseObject="o=TUX,dc=com" -u ldapFilterAttribute="cn" -u ldapBaseDNAttribute="dc,o,cn,c,ou"
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup -a Params=userCertificateLdap=ldap://$LDAP_HOST:$LDAP_PORT/ -a Params=ldapBaseObject=o=TUX,$LDAP_ROOTDN -a Params=binaryCertificate=YES -a Params=filterFileLocation="file://$TUXDIR/udataobj/security/bea_ldap_filter.dat"
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_lookup -a DefaultImpl=security/BEA/certificate_lookup
# ** Modify Key Management Interface **
epifreg -r -p bea/cert-c/key_management -i engine/security/key_management -v 1.0 -f libcertctux.so -e epdl_certc_key_management -u privateKeyDir=file://`pwd`/ -u decPassword="password"
epifregedt -s -k SYSTEM/interfaces/engine/security/key_management -a DefaultImpl=bea/cert-c/key_management
# ** Modify Certificate Parsing Interfaces **
epifreg -r -p bea/cert-c/certificate_parsing -i engine/security/certificate_parsing -v 1.0 -f libcertctux.so -e epdl_certc_certificate_parsing
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_parsing -a DefaultImpl=bea/cert-c/certificate_parsing
----------------------------8<------------------------------------------------
Ldap log:
----------------------------8<------------------------------------------------
conn=0 fd=12 ACCEPT from IP=10.57.5.167:34885 (IP=10.57.5.167:8080)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=strongAuthenticationUser)(mail=myapp))"
<= bdb_equality_candidates: (mail) not indexed
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=certificationAuthority)(cn=camyapp)(sn=camyapp))"
<= bdb_equality_candidates: (cn) not indexed
<= bdb_equality_candidates: (sn) not indexed
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
----------------------------8<------------------------------------------------
Message signing works fine
Note.
OpenLDAP must allow bind_v2
ULOGDEBUG, PIFDBG and CERTCDBG environment variables are set.
Any ideas?
I got a workaround by putting WSL parameters in a separate registry file.
System.rdp is registry with cert-c PKI plugin setup.
System_wsl.rdp is registry with key_management from libplugin.so (default installation values).
WSL is configured to read parameters from System_wsl.rdp.
ubbt SERVER section:
WSL SRVGRP=NOTMS_GROUP SRVID=200 CLOPT="-A -- -d /dev/tcp -n //10.57.5.167:12500 -S 12501 -z 40 -Z 128" ENVFILE="<absolute path>/WSL.env"
<absolute path>/WSL.env:
REG_KEY_SYSTEM=<absolute path>/System_wsl.rdp
Still I am curious about Cert-C + SSL.
Similar Messages
-
Do we need apache and ssl work together with tomcat
Hi all,
I have experience using tomcat + sql2000 + JDK to develop a web search site. Now I hope somebody can tell me
1) do I need add apache with tomcat?
2) do I need to add SSL?
thank you very much
Hi all,
I downloaded mod_jk 1.2.5_2.0.47.dll from (http://www.apache.org/dist/jakarta/tomcat-connectors/jk/binaries/win32/), renamed it as mod_jk.dll and put it into the apache modules. At this step I still get Syntax OK when I try c:\apache\apache2\bin\Apache.exe -t, but when I add
<Listener className="org.apache.ajp.tomcat5.config.ApacheConfig" modJk="c:/Apache/Apache2/modules/mod_jk.dll" /> just below the
<Server port="8005" shutdown="SHUTDOWN" debug="0">
I cannot start my tomcat.
What is wrong?
I have apache 2.0.50 and tomcat 5.0.25 on my PC and before I added apache my tomcat worked fine.
Thank you
-
SSL secured listener with Netweaver possible
Is it possible to use a ssl-secured listener (protocol=tcps) together with sap netweaver (abap and/or java)?
Is there significant loss of i/o throughput to be expected?
A notes search for SSL or TCPS on BC-DB-ORA did not show results.
I believe it should be possible to use ssl connection. Never tried it, but I think it should work since it is a matter between Oracle Client and listener and has nothing to do with SAP application server.
If your security requirements are such that you must encrypt traffic, and if you do not want to mess with tnsnames.ora, wallet and stuff then you might consider using some generic tunneling techniques.
And it definitely will have some performance impact.
... just my two cents.
-
Ssl-handshake fails with scandinavian chars in client certificate
Hello,
We've run into a problem with 2-way-ssl and certificates that have scandinavian
characters in the subject. The problem cert is used as client-certificate for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link that will immediately
start the ssl-handshake
2. Server presents its trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they cause it,
but the certs ought to be according to specs: name-fields encoding is UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and with SP2 (and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri, C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: [email protected], CN=Thawte Personal
Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western
Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Premium
Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore,
C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14' for queue:
'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
java.lang.NullPointerException: Could not set value for ASN.1 string object..
java.lang.NullPointerException: Could not set value for ASN.1 string object.
at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
BMPString is another asn1 type that can be used for certificate attributes with
non-ascii characters. The workaround is simply to use the BMPString instead of
UTF8String for that subject name attribute in the certificate request. This of course
assumes that you can replace the certificate, and have control over what asn1
type is used for the subject name attributes in the certificate request (via a
tool options, or by generating the request yourself), so it is probably not applicable.
Pavel.
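The UTF8String/BMPString workaround above depends on which ASN.1 string type each name attribute carries. The following is an added example, not code from the posters or from BEA/Certicom: it walks a DER-encoded Name and reports that type per attribute, using the issuer DN bytes from the ULOG hex dump in the first post and a constructed subject with CN "Åsa Öberg". All function and constant names are assumptions of the example.

```python
"""Report the ASN.1 string type of each attribute in a DER-encoded X.509 Name."""

# Universal string tags commonly seen in certificate names, with their codec.
STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x16: ("IA5String", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Issuer DN (81 bytes) copied from the ULOG hex dump in the first post.
ISSUER_DN_FROM_ULOG = bytes.fromhex(
    "30 4f 31 10 30 0e 06 03 55 04 03 13 07 63 61 6d "
    "79 61 70 70 31 0e 30 0c 06 03 55 04 0b 13 05 54 "
    "69 65 74 6f 31 0d 30 0b 06 03 55 04 07 13 04 52 "
    "69 67 61 31 0f 30 0d 06 03 55 04 08 13 06 4c 61 "
    "74 76 69 61 31 0b 30 09 06 03 55 04 06 13 02 4c "
    "56"
)
SAMPLE_CN = "\u00c5sa \u00d6berg"  # constructed name, not from the failing certificate


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = subids[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(arc) for arc in head + tuple(subids[1:]))


def name_attributes(der):
    """Return [(attribute, string_type, text)] for every AVA in a Name."""
    tag, rdns, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("expected SET (RelativeDistinguishedName)")
        p = 0
        while p < len(rdn):
            tag, ava, p = read_tlv(rdn, p)
            if tag != 0x30:
                raise ValueError("expected SEQUENCE (AttributeTypeAndValue)")
            otag, oid, q = read_tlv(ava, 0)
            vtag, val, q = read_tlv(ava, q)
            if otag != 0x06 or q != len(ava):
                raise ValueError("malformed AttributeTypeAndValue")
            type_name, codec = STRING_TAGS.get(vtag, ("tag 0x%02x" % vtag, None))
            text = val.decode(codec) if codec else val.hex()
            dotted = decode_oid(oid)
            out.append((ATTR_NAMES.get(dotted, dotted), type_name, text))
    return out


def attributes_beyond_printable(der):
    """Attributes not encoded as PrintableString: the ones to inspect first when
    a peer's decoder fails on a certificate subject or issuer."""
    return [(a, t) for a, t, _ in name_attributes(der) if t != "PrintableString"]


def tlv(tag, body):
    """Encode one element; short-form length only (constructed samples are small)."""
    if len(body) >= 128:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(body)]) + body


def build_name(attrs):
    """Build a Name from [(last arc of 2.5.4.x, string tag, text)] for test input."""
    rdns = b""
    for last_arc, tag, text in attrs:
        value = tlv(tag, text.encode(STRING_TAGS[tag][1]))
        oid = tlv(0x06, bytes([0x55, 0x04, last_arc]))
        rdns += tlv(0x31, tlv(0x30, oid + value))
    return tlv(0x30, rdns)


# Constructed subjects: same CN once as UTF8String, once as BMPString.
UTF8_SUBJECT = build_name([(6, 0x13, "FI"), (3, 0x0C, SAMPLE_CN)])
BMP_SUBJECT = build_name([(6, 0x13, "FI"), (3, 0x1E, SAMPLE_CN)])

if __name__ == "__main__":
    for label, der in [("issuer from ULOG", ISSUER_DN_FROM_ULOG),
                       ("constructed, UTF8String CN", UTF8_SUBJECT),
                       ("constructed, BMPString CN", BMP_SUBJECT)]:
        print(label)
        for attr, type_name, text in name_attributes(der):
            print(f"  {attr:<3} {type_name:<16} {text}")
```

Running it against the ULOG bytes yields five PrintableString attributes, matching the `avaCount 5` and `valueTag PRINTABLE STRING` lines in that log.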
"Ari Räisänen" <[email protected]> wrote:
>
Thanks again, Pavel!
I'm filing a support case about this. You talked about a workaround (BMPString).
Could you be more specific? I haven't talked about this issue with Igor
yet.
Regards,
Ari
"Pavel" <[email protected]> wrote:
Sounds like a bug in certicom code. It should support UTF8String.
I'd file a support case.
You might be able to use BMPString instead as a workaround.
Pavel.
"Igor Styrman" <[email protected]> wrote:
Hello,
We've run into a problem with 2-way-ssl and certificates that have
scandinavian
characters in the subject. The problem cert is used as client-certificate
for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link thatwill
immediately
start the ssl-handshake
2. Server presents it's trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing
will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they
cause it,
but the certs ought to be according to specs: name-fields encoding
is
UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and withSP2
(and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering
JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket
will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri, C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<Converting principal: [email protected], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
java.lang.NullPointerException: Could not set value for ASN.1 string object..
java.lang.NullPointerException: Could not set value for ASN.1 string object.
at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
-
802.1X Authentication + PKI encryption
Hi Guys,
I want to know if there is a relationship between 802.1x authentication and cisco PKI encryption.
We are facing some problems with many IP phones that were using 802.1x without problems. Once we installed PKI encryption on the IP phones, many of them began to fail: the IP phone shows "phone not registered" and in the status messages we can see an authentication failure. I have to restart security settings on the IP phones or disable 802.1x on the switches to get the phones registering again.
I am using CUCM 8.5 with 6961 phones
Regards
We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.
At the beginning we were completely unable to log on to the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
Hope that someone else has any clue? -
WSE3.0 encrypt and sign soap message together with disabled WSAddressing
Good Morning,
my task is to develop client applications written in .NET 4 which call a web service (written by another, foreign firm in Java). My applications which call the other firm's web service are: a plugin for MS CRM 2013, a Windows service, and a Windows Forms app for testing this communication.
I had to implement encryption and signing of the communication with this web service using client and server certificates.
I implemented these functions from:
http://msdn.microsoft.com/en-us/library/aa528788.aspx
and
http://msdn.microsoft.com/en-us/library/aa529565.aspx
by WSE 3.0.
Now I have to disable WS-Addressing in the SOAP message. Is it possible to use encryption and signing from WSE together with disabled WS-Addressing?
(The other firm needs the WSA nodes not to be in the SOAP message.) With WS-Addressing nodes in the SOAP message, my communication with the other web service does not work. They (the other firm) require no WSA nodes in the SOAP message.
If it is possible, how do I implement this functionality?
Hi Matesak,
I'm afraid this is not the most suitable forum for your question. Please open a new thread in this forum, you'll get more valuable responses.
ASP.NET Forums > Advanced ASP.NET > WCF, ASMX and other Web Services
Thanks for your understanding.
-
When accessing intranet sites that have SSL certificates issued by our internal PKI, FF for Windows gives an error message - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.
Hi Guigs2,
From the other post you linked to, I can confirm that both the Root and Subordinate CA have been commissioned with the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
registry key set. As can be seen above, the signature algorithm on an issued certificate is RSASSA-PSS. This has been Microsoft's suggested deployment IF you do not wish to support either XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008; however, there were of course a lot more XP machines back then.
The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix? -
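To check which issued certificates actually carry the RSASSA-PSS signature algorithm described in the post above, the outer signatureAlgorithm OID can be read straight from the certificate's DER encoding. This is an added example, not part of the thread: the function names are illustrative, and the two certificate skeletons are constructed samples with placeholder tbsCertificate and signature bytes.

```python
# Added example: read Certificate.signatureAlgorithm from DER-encoded X.509.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
RSASSA_PSS = "1.2.840.113549.1.1.10"

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for byte in body:                     # base-128, high bit = "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)       # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(cert_der):
    """Return (dotted_oid, name) of the certificate's outer signatureAlgorithm."""
    tag, start, end = read_tlv(cert_der, 0)                  # Certificate
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, start)              # tbsCertificate (skipped)
    if tag != 0x30 or tbs_end >= end:
        raise ValueError("missing signatureAlgorithm")
    tag, alg_start, alg_end = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x30 or oid_tag != 0x06 or oid_end > alg_end:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, OID_NAMES.get(oid, "unknown")

def uses_pss(cert_der):
    return signature_algorithm(cert_der)[0] == RSASSA_PSS

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    head = bytes([n]) if n < 0x80 else (
        bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + head + body

def sample_cert(oid_hex, params):
    """Constructed skeleton: placeholder tbsCertificate, real AlgorithmIdentifier."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + params)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(256)))

PSS_CERT = sample_cert("2a864886f70d01010a", tlv(0x30, b""))   # empty params = defaults
PKCS1_CERT = sample_cert("2a864886f70d01010b", b"\x05\x00")    # NULL params

if __name__ == "__main__":
    for label, der in (("PSS sample", PSS_CERT), ("PKCS#1 v1.5 sample", PKCS1_CERT)):
        print(label, signature_algorithm(der), "PSS" if uses_pss(der) else "not PSS")
```

For a real certificate, pass the DER bytes (the base64-decoded body of a PEM file) to `signature_algorithm`.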
Tying 2 key systems together with fxo/fxs and 1760 routers
Hello,
I need some programming help from someone good on voice. I've got two offices that I'm trying to tie the phone systems together with 2x Cisco 1760 routers each with 2x PVDM-256K-4 1 DSP Modules. I've got the layout below and am basically looking to do two things.
First, I would like ext. 210 from the first site to dial a co group "1" or directly access a "CO line" that is connected to the Cisco and get dial tone to be able to dial the directory number for a "CO line" with the same setup at the second site and have it able to be answered like a normal call and be transferred.
The second connection I would like is to have ext. 210 be able to dial locally to one of site 1's analog single line extensions and have the Ciscos make a connection through to site 2 and go off-hook on one of the analog single line extensions of site 2 in order to get a site 2 dial tone and be able to dial locally @ site 2 to any extension, or dial one of site 2's co groups or directory number for one of site 2's real CO lines and place a "local" call to the outside world from site 2's lines.
Obviously this process would all be reversed for site 2 accessing site 1. I've come across a couple of documents, like ID: 15405, and a section of a VoIP Configuration guide labeled OL-1070-01 and have some command structure available, but the concept of how it all takes place and should be configured is a little fuzzy.
Thank you,
Mark
OK, let me simplify things. I think I'm putting way too much thought into it all. I've got site A and site B. Site A (currently for testing) has a single line extension from Site A's key system plugged into port 0 in fxo card in slot 2. Site A will have a patch from port 0 in fxs card in slot 3 to a CO line on the key system. Site B has the same setup. Both have fa 0/0 configured with IP addresses on the same network (just to simulate the connections - later I will actually move these to two separate internet feeds for more advanced testing).
Currently for testing I have disconnected the fxs patches to the phone systems and just have a regular analog phone plugged in. When my phone plugged into Site A goes off hook, I get dial-tone from the extension hooked up to Site B (which is the exact way I want it). When my analog phone is plugged into Site B (port 0 of fxs card in slot 3) and goes off hook, it will ring port 0 of fxs card in slot 3 of Site A. This I don't understand. If I can get both to behave like Site A, I'd be happy.
I need to know if this makes sense to anyone on how I want this to operate? Is it achievable?
Here's my base config on it (Site A first, then Site B):
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Simmering
boot-start-marker
boot-end-marker
enable secret 5 $1$F/AM$ige2qFh9lVD6uNubE.qm80
no aaa new-model
voice-card 2
voice-card 3
ip cef
interface FastEthernet0/0
ip address 192.168.254.30 255.255.255.0
speed auto
no ip http server
no ip http secure-server
control-plane
voice-port 2/0
connection plar opx 290
voice-port 2/1
connection plar opx 291
voice-port 2/2
voice-port 2/3
voice-port 3/0
connection plar 190
voice-port 3/1
connection plar 191
voice-port 3/2
voice-port 3/3
dial-peer voice 280 pots
destination-pattern 280
port 2/0
dial-peer voice 281 pots
destination-pattern 281
port 2/1
dial-peer voice 290 voip
destination-pattern 29
session target ipv4:192.168.254.40
dial-peer voice 180 pots
destination-pattern 180
port 3/0
dial-peer voice 181 pots
destination-pattern 181
port 3/1
dial-peer voice 190 voip
destination-pattern 19
session target ipv4:192.168.254.40
line con 0
logging synchronous
line aux 0
line vty 0 4
password Corazon64789
logging synchronous
login
transport input telnet
end
SITE B:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Sigma
boot-start-marker
boot-end-marker
enable secret 5 $1$1H58$6.VsVieyi4srcC7v4Lndv0
no aaa new-model
voice-card 2
voice-card 3
ip cef
interface FastEthernet0/0
ip address 192.168.254.40 255.255.255.0
speed auto
no ip http server
no ip http secure-server
control-plane
voice-port 2/0
connection plar opx 280
voice-port 2/1
connection plar opx 281
voice-port 2/2
voice-port 2/3
voice-port 3/0
connection plar 180
voice-port 3/1
connection plar 181
voice-port 3/2
voice-port 3/3
dial-peer voice 290 pots
destination-pattern 290
port 3/0
dial-peer voice 291 pots
destination-pattern 291
port 3/1
dial-peer voice 280 voip
destination-pattern 28
session target ipv4:192.168.254.30
dial-peer voice 190 pots
destination-pattern 190
port 2/0
dial-peer voice 191 pots
destination-pattern 191
port 2/1
dial-peer voice 180 voip
destination-pattern 18
session target ipv4:192.168.254.30
line con 0
logging synchronous
line aux 0
line vty 0 4
password Corazon64789
logging synchronous
login
transport input telnet
end -
I have purchased a ringtone in the iTunes Store for my iPad, and I cannot find the download together with my music. I have received the invoice but I have no product. I am working with iOS6, if that helps. Can anybody help me?
I am confused. Do you mean you found the music, not the tones, or you can't find either?
If the former, then this is normal. You can't redownload tones from the Cloud. -
How can I create a client console and work together with the Cache Server?
How can I edit the following Cache-Server.cmd file to create a client console and work together with the Cache Server?
The following is the cache server file: contacts-cache-server.cmd
@echo off
setlocal
if (%COHERENCE_HOME%)==() (
set COHERENCE_HOME=c:\coherence
)
set CONFIG=C:\home\oracle\coherence\Contacts
set COH_OPTS=%COH_OPTS% -server -cp %COHERENCE_HOME%\lib\coherence.jar;C:\home\oracle\coherence\Contacts;C:\home\oracle\coherence\Contacts\classes;
set COH_OPTS=%COH_OPTS% -Dtangosol.coherence.cacheconfig=%CONFIG%\contacts-cache-config.xml
java %COH_OPTS% -Xms1g -Xmx1g -Xloggc: com.tangosol.net.DefaultCacheServer %2 %3 %4 %5 %6 %7
:exit
Edited by: junez on 23-Oct-2009 09:20
Hi
To run the console, change DefaultCacheServer to CacheFactory
Paul -
Using iPhoto together with Adobe Lightroom
I use Adobe Lightroom for my image organizing/tagging needs, since it's way more powerful than iPhoto in this area. I would however like to use iPhoto for my daily image browsing, syncing with my iPhone and for ordering prints/books ++. The way I do this now, is I let iPhoto scan the folder where I have my images. After a while when it gets outdated, I delete the database and rescan in iPhoto. Kinda cumbersome...
So:
1. Is there a way I can make iPhoto rescan my image folder? Maybe some script or something that can do it for me?
2. When I rate images in LR, the ratings are stored in the IPTC Urgency field. When I import to iPhoto it doesn't import this as rating. Any way I can convert IPTC Urgency to iPhoto rating?
3. Would Aperture be a better choice for working together with iPhoto, or would it be just as cumbersome?
In reverse order:
3. Would Aperture be a better choice for working together with iPhoto, or would it be just as cumbersome?
It’s a lot better. You can grab your previews from Aperture right into iPhoto using a Media Browser, but given that Aperture will do all those things - books, syncing with iPhone etc - you’ll probably need to do it less. Like iPhoto, Aperture is integrated throughout the OS, in every Open... Dialogue, through Media Browsers to integrate with other apps and so on. The primary advantage of using Aperture is that +at least the two apps know each other exist+.
2. When I rate images in LR, the ratings are stored in the IPTC Urgency field. When I import to iPhoto it doesn't import this as rating. Any way I can convert IPTC Urgency to iPhoto rating
I don’t think so. There is no real way to move ratings between any apps that I know of. This area of metadata is still in its infancy.
1. Is there a way I can make iPhoto rescan my image folder? Maybe some script or something that can do it for me?
No. However there are apps out there that can watch that folder for you and execute specific actions on events occurring. You may be able to cook up an Automator action or Folder Action script that will import to iPhoto when a file is added to the Folder. Or use an app like Hazel to do it for you.
Update: I’m not sure what this Lightroom plug-in brings to the party, but it may help.
Regards
TD
Message was edited by: Terence Devlin -
I have a macbook air (mid 2012) and a thunderbolt display (27'').
Do I absolutely need to connect the power supply together with the thunderbolt cable ?
I found that the screen won't wake up if only the thunderbolt connection is plugged. Is this normal ?
I just got my ATD and late 2011 MBP up and running. I've not tried running without the power adapter from the ATD plugged in, but I just tried and didn't have any problems with the display not waking. You may want to take your query to the ATD forum - https://discussions.apple.com/community/peripherals/thunderbolt_display - perhaps someone there has experienced a similar issue.
Good luck,
Clinton -
My iPhone 4 doesn't want to start. All it shows is the Apple icon. I have tried holding the home button together with the lock button. Nothing seems to work. Please help.
Plug the iPhone in with the Wall Charger. Then while plugged in do the Reset again, hold both Home and Power buttons until the iPhone Restarts. This usually begins to happen in less than 20 seconds time.
If this does not work you can try to Restore the Firmware on your iPhone. If you decide to do this, connect your iPhone to your computer with iTunes open. Hold both the Home and Power buttons until the iPhone is detected by iTunes in Recovery Mode, this takes about 20 seconds time. Restore your iPhone.
If this does not work, you can try to Restore the Firmware on your iPhone in DFU Mode. Connect your iPhone to your computer with iTunes open. Hold both Home and Power buttons for exactly 10 seconds, release the Power Button and keep holding the Home Button until iTunes recognizes the iPhone in Recovery Mode, about 20 seconds more time. Restore the iPhone.
If this does not work and you have Warranty or AppleCare Coverage take your iPhone to Apple for resolution of the problem. -
Hi together,
maybe anybody can help me with my question:
We want to use GTS 7.2 together with ERP 4.6C. Do I have to install additionally the plug-in SLL_PI720_46C in my feeder system? Or is it ok if I have only the standard plug-in PI2004_1_46C, SP14 installed? Do I need both?
Thanks very much for your help and answers.
Cheers,
Andreas
Andreas,
I believe in your case it would be sufficient to install the GTS7.2 plug-in. SAP changed its plug-in strategy for GTS 7.2 and went from the plug-in that comes pre-installed with ECC 6.0 to a separate GTS plug in for 7.2.
I also have used GTS 7.2 with the "old" plug-in which you're referring to. This will work for the basic Compliance and Customs functionality but I am guessing that you would run into issues when trying to use functionality that is new in GTS 7.2.
Sascha -
Keeping a picture together with a certain paragraph of text
I think this is probably a very rookie question but I am having a problem keeping my pictures where I want them. I need them to stay together with a certain paragraph of text.
A- "Lock position" doesn't work. I don't care where in the doc. they are as long as they stay with the right text.
B- Anchored objects don't seem to be the answer, I want to do text wraps around the picture.
All suggestions are appreciated.
Bubby Bella
No, that's not a problem, as long as the anchor is in the right place. Use a "custom" anchored object, rather than inline, and make sure the anchor is in a line ahead of the ones you want to wrap. A custom anchored object can be moved anywhere on the page and will continue to move with the anchor point.
The illustration below shows two anchored objects with text wrap applied. The anchors are the first characters in the Notes: paragraph, and the positions are set as part of an object style that includes the text wrap, font (for the caption) and position information. The anchored object options dialog displayed is for the caption.
In this case I didn't need to worry about wrapping the top, but pushing the image down on the page gives you this: