SSL Offloading and Certificate Errors

I am attempting to offload SSL on an F5 load balancer. I made the certificate request from the load balancer, procured the certificate from Entrust, and installed it on the load balancer. I then followed the SSL Offloading TechNet instructions here:
http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx. My two CAS servers still have the self-signed certificates bound in IIS. I am getting certificate errors when making RPC over HTTPS connections in Outlook, and the self-signed certificate is popping up.
My question is: what do I do with the certificates on my 2 CAS servers? Do I leave the self-signed certificates on there, export the Entrust certificate from my F5, import it to my CAS servers and change the bindings in IIS?
Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import it to both CAS servers, then import it to the F5 and make sure all bindings are correct in IIS?
Or am I completely misunderstanding how this works and need to do something different entirely?
Thanks in advance for any guidance.

As I previously mentioned, I have already followed the SSL Offloading guide from TechNet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC, etc.).
Additionally, I made sure SSL offloading was enabled for Outlook Anywhere in PowerShell. See, for example, the output of Get-OutlookAnywhere:
RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
ServerName                         : TSTEXCG2013
SSLOffloading                      : True
ExternalHostname                   : tstowa.XXXX.com
InternalHostname                   : tstowa.XXXX.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 847.32)
Server                             : TSTEXCG2013
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXX XXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
Identity                           : TSTEXCG2013\Rpc (Default Web Site)
Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 7/10/2014 7:38:58 PM
WhenCreated                        : 6/23/2014 2:54:36 PM
WhenChangedUTC                     : 7/11/2014 12:38:58 AM
WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
OrganizationId                     :
OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
IsValid                            : True
ObjectState                        : Changed
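The symptom above (Outlook still being shown the self-signed certificate although the Entrust certificate is installed on the F5) comes down to which box terminates TLS for the name Outlook connects to. The following is an added example, not code from the original post nor from F5 or Microsoft: it connects to the VIP and to each CAS server with the client-facing name as SNI, fingerprints the certificate each one presents, and compares them against the fingerprint of the certificate you expect to see. The host names, the CAS list and the expected fingerprint are placeholders (assumptions) to be replaced.

```python
"""Probe which certificate each endpoint actually presents to a client.

Added example, not part of the original post. The host names below are
placeholders (assumptions), as is the expected fingerprint: paste the
SHA-256 fingerprint of the Entrust certificate the F5 is supposed to serve.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional


def sha256_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, in the colon-separated
    upper-case form shown by openssl, the F5 GUI and the Windows cert MMC."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fp: str) -> str:
    """Drop colons, spaces and case so values copied from different tools compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Return the fingerprint of the leaf certificate `host` presents.

    Verification is switched off on purpose: the point is to see the
    self-signed certificate, not to fail on it. `server_name` is the SNI /
    Host name the client would use, which matters when the F5 selects its
    client-SSL profile by SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
    if der is None:
        raise RuntimeError(f"{host}:{port} presented no certificate")
    return sha256_fingerprint(der)


def classify(vip_fp: str, cas_fps: Dict[str, str], expected_fp: str) -> Dict[str, str]:
    """Say, per endpoint, whether it presents the expected certificate.

    A VIP that presents one of the CAS servers' certificates is not
    terminating TLS at all (pass-through), so nothing done on the F5 side
    changes what Outlook sees."""
    expected = normalise_fingerprint(expected_fp)
    verdicts: Dict[str, str] = {}
    for name, fp in cas_fps.items():
        verdicts[name] = ("expected certificate" if normalise_fingerprint(fp) == expected
                          else "unexpected certificate")
    vip = normalise_fingerprint(vip_fp)
    if vip == expected:
        verdicts["vip"] = "expected certificate"
    else:
        same = [n for n, fp in cas_fps.items() if normalise_fingerprint(fp) == vip]
        verdicts["vip"] = ("passthrough: VIP presents the certificate of " + ", ".join(same)
                           if same else "unexpected certificate")
    return verdicts


if __name__ == "__main__":
    # Assumed names: the published name Outlook uses, the VIP behind it and the CAS nodes.
    CLIENT_NAME = "tstowa.example.com"
    VIP = "tstowa.example.com"
    CAS = ["cas1.example.com", "cas2.example.com"]
    EXPECTED = "00:00"  # placeholder: the Entrust certificate's SHA-256 fingerprint
    vip_fp = probe(VIP, server_name=CLIENT_NAME)
    cas_fps = {h: probe(h, server_name=CLIENT_NAME) for h in CAS}
    for endpoint, verdict in classify(vip_fp, cas_fps, EXPECTED).items():
        print(f"{endpoint}: {verdict}")
```

Run it from a client subnet. If the VIP presents the Entrust certificate while each CAS presents its self-signed one, the F5 side is doing its job and the remaining question is which name the failing RPC-over-HTTPS session is actually connecting to; if the VIP presents a CAS certificate, the virtual server is passing TLS through rather than terminating it, and the client-SSL profile is not in effect for that connection.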

Similar Messages

  • Autodiscover, domain controllers, and certificate errors

    I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
    All users have email addresses that are [email protected]. Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
    Here's my problem: when a user opens Outlook and Autodiscover attempts to find their Exchange connection info, it first tries to reach the site https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it, then the Outlook client shows a certificate error.
    If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
    What do I do to prevent this?

    Hi,
    Yes, we can use the following “switches”:
    PreferLocalXML
    ExcludeHttpRedirect
    ExcludeHttpsAutoDiscoverDomain
    ExcludeHttpsRootDomain
    ExcludeScpLookup
    ExcludeSrvRecord
    ExcludeLastKnownGoodURL
    Thanks,
    Simon Wu
    TechNet Community Support

  • Build dataguard two more questions. password prompt and certificate error

    The first two Data Guard instances are built. One is running fine; on the second I'm getting this error in the primary's alert log. It looks like it is a certificate error but I'm having a hard time nailing it down.
    BTW: the instance is 11.2.0.1
    Thread 1 advanced to log sequence 318 (LGWR switch)
    Current log# 6 seq# 318 mem# 0: +DATA/sfs01/onlinelog/group_6.4762.769266689
    SSL Client: Server DN doesn't contain expected SID name
    Archived Log entry 706 added for thread 1 sequence 317 ID 0x799622d4 dest 1:
    Thu Mar 22 12:46:48 2012
    SSL Client: Server DN doesn't contain expected SID name
    The third and final Data Guard instance I'm building is 3T and taking forever to restore. Two questions:
    1) Can I suspend RMAN and restart it?
    2) When I restart RMAN, how do I keep it from prompting me for the password? I would prefer to put a nohup on a shell script.
    Here is the script. Right now I'm running it manually but would really like to run it with nohup so I can go get lunch.
    rman target SYS@sor01_primary auxiliary / << EOF
    run {
    allocate channel C1 device type disk;
    allocate auxiliary channel C2 device type disk;
    allocate auxiliary channel C3 device type disk;
    allocate auxiliary channel C4 device type disk;
    allocate auxiliary channel C5 device type disk;
    duplicate target database for standby nofilenamecheck;
    release channel C1;
    release channel C2;
    release channel C3;
    release channel C4;
    release channel C5;
    }
    EOF

    Hello (certificate error is vague. By that I mean whoever wrote that error message)
    Can I suspend rman and restart it? I believe no, stop and restart should work.
    Something like this; I use an env file, can post it if it helps:
    #!/bin/bash
    . /u01/app/oracle/dba_tool/env/DATABASE.env
    echo "Starting RMAN..."
    $ORACLE_HOME/bin/rman target SYS@sor01_primary auxiliary / << EOF
    run {
    allocate channel C1 device type disk;
    allocate auxiliary channel C2 device type disk;
    allocate auxiliary channel C3 device type disk;
    allocate auxiliary channel C4 device type disk;
    allocate auxiliary channel C5 device type disk;
    duplicate target database for standby nofilenamecheck;
    release channel C1;
    release channel C2;
    release channel C3;
    release channel C4;
    release channel C5;
    }
    EOF
    My env file (yours will be different); use env to check and compare to your profile:
    export ORACLE_BASE=/u01/app/oracle
    export ORACLE_HOME=/u01/app/oracle/product/11.2.0.2
    export ORACLE_SID=STANDBY
    export ULIMIT=unlimited
    export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/network/lib
    export LIBPATH=$LD_LIBRARY_PATH:/usr/lib
    export TNS_ADMIN=$ORACLE_HOME/network/admin
    PATH=$ORACLE_HOME/bin:$ORACLE_BASE/dba_tool/bin:/bin:/usr/bin:/etc:/etc/X11/xserver/C:.
    export PATH
    I run from cron, which is similar to nohup as far as env goes.
    Best Regards
    mseberg
    Edited by: mseberg on Mar 22, 2012 2:32 PM
    Edited by: mseberg on Mar 22, 2012 2:41 PM

  • WRT54GS and Certificate Errors

    I have had my WRT54GS (actually 2 in the house) for over a year now and they have worked perfectly. Just recently, I have problems accessing them through IE or Firefox. I get a certificate error. I removed the Linksys certificates and added them when asked in IE but it still gives me an error. Anyone experiencing this?

    What specific error? Try checking your browser settings (cookies, files etc.).
    Try a different PC to see if it does the same thing.
    If it does, try doing a reset: press and hold the reset button for 30 secs, then turn it off for a minute or so, then try again; it should work.

  • 2 quest ssl offload and DR

    1. SSL offload - how do I secure the clear-text password sent from the ACE to the serverfarm?
    2. If there are 2 DR sites, say CA and UK, and CA has an earthquake, can a pair of ACEs be designed to keep the website going in the UK?

    Hi,
    1/ ACE can be configured to setup a second ssl tunnel and encrypt data between ACE and server. For more details:
    http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html
    Is this what you are looking for?
    2/ Where are the ACEs? Are they load balancing traffic to servers in both CA and UK?
    --Olivier

  • ODIInvokeWebservice and Certificate Error

    Hi,
    I am trying to call a third-party web service. It is an HTTPS service and when I try to call the service I am getting the following error:
    Invalid Request : javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://xxxxxx?WSDL. It failed with:
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
    I cannot find any option where I can provide the keystore or certificate path.
    Is there a folder where I have to add the certificate?
    Regards,
    Harris

    Hi Harris,
    After copying the WSDL URL into the OdiInvokeWebService tool, have you tested connecting to the WSDL from ODI? If not, try this and let me know the result.
    In the OdiInvokeWebService properties, copy the WSDL URL and provide the application server credentials, select the WSDL URL and click on the Advanced button; it will pop up a window where you can see the same WSDL URL in the address bar, and to the right of the address you can find a globe symbol (Connect to WSDL). Just click it and let me know the result.
    In such a case it will throw an error message; in that case you can provide a host entry for that application server on your machine (where ODI is installed).
    Thanks,
    Phani

  • Replacing SSL keys and certificates for already defined services

    I have about 10 new 2048-bit keys and certs to replace existing 1024-bit keys and certs on my CSS11500 with SSL modules.
    I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
    I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
    I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
    Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

    The clear file filename "password" command will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
    Please check if the URL below could help:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

  • ACE 4710 in failover - ssl offload, cert for second ACE

    Hi,
    I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
    At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
    Now I would like to move further and configure ssl offload and configure High availability.
    I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
    Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
    Is it better to first set up high availability and then configure ssl offload or vice versa?
    Does anyone have a config example of ssl offload and active/standby configuration?
    Thank you in advance.

    You simply need to generate keys & a CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA simply import the cert to both ACEs.
    Following are the steps to achieve that.
    On primary Ace
    1. create RSA Keys
    crypto generate key 2048 app1.key
    2. Create CSR & send it to CA
    ace/Admin(config)# crypto csr-params app1-csr
    ace/Admin(config-csr-params)# common-name www.app1.com
    ace/Admin(config-csr-params)# country US
    ace/Admin(config-csr-params)# email [email protected]
    ace/Admin(config-csr-params)# locality xyz
    ace/Admin(config-csr-params)# organization-name xyz
    ace/Admin(config-csr-params)# organization-unit xyz
    ace/Admin(config-csr-params)# state CA
    ace/Admin(config-csr-params)# serial-number 1234
    ace/Admin(config-csr-params)# end
    ace/Admin(config)# crypto generate csr app1-csr app1.key
    (copy the result to a file)
    3. Import the certificate received from the CA
    crypto import terminal app1.cert
    (paste the content of the cert)
    4. Verify the cert & keys match
    crypto verify app1.key app1.cert
    5. Export the keys from the Active
    crypto export app1.key
    (copy the result to a file)
    ON Standby ACE:
    1. Import the keys
    crypto import terminal app1.key
    2. Import the cert
    crypto import terminal app1.cert
    3.verify the cert & keys match
    crypto verify app1.key app1.cert
    Hope this helps
    Syed

  • ACE 4710 & SSL Offloading

    I'm testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
    We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
    My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
    Description of the web application usage:
    Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

    Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
    Am I correct?

  • SSL Offload Requests

    When using any load balancer (CSS, CSM or ACE) and doing SSL offload, how does the request to the backend server get created? For example, if the client requests https://secure.example.com/privatedata.html and that URL is configured for SSL offload on the load balancer, is the request from the LB to the server just http://secure.example.com/privatedata.html? What would the request look like if SSL offload and backend SSL are both configured? Are there methods to modify the default behavior on any of the platforms?
    TIA

    First you have to understand that a URL is not sent the way you type it in HTTP.
    So the request actually looks like this:
    GET /privatedata.html
    Host: secure.example.com
    This request is encrypted with SSL if you enter the URL with https:// and is sent in cleartext if you don't use SSL.
    So what the offloader does is simply decrypt the traffic and, whatever the request is, send it in cleartext to the server IP address.
    The offloader can't change the content of the request. However, it can add some lines in the header.
    Also, instead of just transmitting in cleartext, the load balancer can re-encrypt so the communication between offloader and server is also SSL.
    Again, the request (see above) does not change.
    Gilles.
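To make concrete what Gilles describes, here is an added example in Python (not from the post, and not CSS/CSM/ACE code) of the two halves: the offloader passing the decrypted request line and Host header through untouched while appending header lines, and the backend deciding when it may believe those lines. The X-Forwarded-Proto and X-Forwarded-For names are the de facto convention rather than anything platform-specific, and the trusted offloader address range is an assumption.

```python
"""What an SSL offloader hands to the backend, and what the backend may trust.

Added example, not from the post above. The X-Forwarded-* header names are
the de facto convention rather than anything specific to CSS/CSM/ACE, and
the trusted offloader address range is an assumption.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumption: the source addresses the load balancer uses towards the servers.
TRUSTED_OFFLOADERS = [ip_network("10.0.0.0/24")]


def offload_to_backend(decrypted_request: bytes, client_ip: str) -> bytes:
    """Forward the decrypted request unchanged except for added header lines.

    The request line and Host header are exactly what the client sent inside
    TLS. Two things are appended: the scheme the client used and the client
    address, both of which the backend can no longer observe for itself."""
    head, sep, body = decrypted_request.partition(b"\r\n\r\n")
    if not sep:
        sep = b"\r\n\r\n"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    kept: List[bytes] = []
    forwarded_for: List[bytes] = []
    for header in headers:
        name, _, value = header.partition(b":")
        lname = name.strip().lower()
        if lname == b"x-forwarded-proto":
            continue  # a client-supplied scheme is untrusted; always overwrite it
        if lname == b"x-forwarded-for":
            forwarded_for.append(value.strip())  # keep entries from upstream proxies
            continue
        kept.append(header)
    kept.append(b"X-Forwarded-Proto: https")
    kept.append(b"X-Forwarded-For: " + b", ".join(forwarded_for + [client_ip.encode()]))
    return b"\r\n".join([request_line] + kept) + sep + body


def parse_headers(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Split a request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return lines[0], headers


def request_was_https(raw_from_peer: bytes, peer_ip: str) -> bool:
    """Backend-side rule: believe X-Forwarded-Proto only from a trusted offloader.

    Anyone who can reach the server's plain-HTTP listener directly could
    otherwise add the header and pass a "must be HTTPS" check."""
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_OFFLOADERS):
        return False
    _, headers = parse_headers(raw_from_peer)
    return headers.get("x-forwarded-proto", "").lower() == "https"


if __name__ == "__main__":
    # Constructed sample: what the client sent inside TLS, including a forged header.
    client_request = (b"GET /privatedata.html HTTP/1.1\r\n"
                      b"Host: secure.example.com\r\n"
                      b"X-Forwarded-Proto: https\r\n\r\n")
    to_server = offload_to_backend(client_request, "203.0.113.7")
    print(to_server.decode())
    print("trusted peer:", request_was_https(to_server, "10.0.0.5"))
    print("direct client:", request_was_https(client_request, "203.0.113.7"))
```

The design point is the second function: once the offloader is in place, the only evidence the server has that a request arrived over HTTPS is a header anyone can type, so the server must tie its trust in that header to the TCP peer being the load balancer (or, as Gilles notes, re-encrypt between offloader and server and keep the application's own HTTPS check).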

  • Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

    Hi,
    I am getting the error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
    iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    when I test digital signing and encryption using the SOAP receiver CC.
    We passed all the values for the SOAP CC.
    I created a keystore view and in that view I generated a private certificate and generated a CSR using the SAP CA (test SSL for 8 weeks) for the private key, and also imported the public key for encryption given by the receiver.
    When I test I get the error message.
    I checked the certificates' validity dates.
    I restarted the Java engine and ICM.
    I added the public key to the trusted CA in NWA.
    I re-created the view and added the certificates.
    Still the same error.
    How and where do I check IAIK in NWA, and how do I deploy it in the Java engine using NWA? We are using PI 7.11 (no VA).
    any suggestions?

    Hi,
    The main causes for this kind of problem are:
    1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains an expired certificate. Check for it and, if that's the case, renew it or extend the validity.
    3. The certificate chain was not in the correct order. Basically the server certificate chain should be in the order
    Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B, and B's certificate is issued by C which is the root CA (having a self-signed certificate),
    then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio Cagnani
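The ordering rule in point 3 above is mechanical enough to check before importing a chain. The following is an added example, not SAP code: given certificates in any order (represented here only by subject and issuer names, a simplification; real code should match issuer against subject and the authority/subject key identifiers with an X.509 library), it rebuilds the Own->Intermediate->Root order and reports a missing issuer, which is also the condition behind the "unable to find valid certification path" PKIX error in the ODI post earlier on this page. The certificate names are constructed.

```python
"""Order a bag of certificates into leaf -> intermediate -> root and report gaps.

Added example, not SAP's code. Certificates are reduced to subject/issuer
names, which is enough to show the ordering rule a chain verifier applies.
"""
from typing import Dict, List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return certs in the order Own -> Intermediate -> Root.

    The leaf is the one certificate no other certificate names as its issuer.
    From there we follow issuer links until a self-signed root is reached or
    the set runs out; a missing link is left for the caller to report."""
    if not certs:
        return []
    by_subject: Dict[str, Cert] = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}: "
                         f"{[c.subject for c in leaves]}")
    chain = [leaves[0]]
    seen = {leaves[0].subject}
    while not chain[-1].self_signed:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None:
            break  # issuer not in the set: incomplete chain
        if nxt.subject in seen:
            raise ValueError("issuer loop in certificate set")
        chain.append(nxt)
        seen.add(nxt.subject)
    return chain


def chain_problems(certs: List[Cert]) -> List[str]:
    """What a verifier such as IAIK or PKIX would reject this set for."""
    problems: List[str] = []
    ordered = order_chain(certs)
    if [c.subject for c in certs] != [c.subject for c in ordered]:
        problems.append("chain is not in leaf-first order; reorder before import")
    if ordered and not ordered[-1].self_signed:
        problems.append(f"no certificate for issuer '{ordered[-1].issuer}' in the set "
                        "(missing intermediate or root)")
    return problems


if __name__ == "__main__":
    # Constructed names following the answer's A -> B -> C description.
    A = Cert("CN=www.example.com", "CN=Intermediate CA B")
    B = Cert("CN=Intermediate CA B", "CN=Root CA C")
    C = Cert("CN=Root CA C", "CN=Root CA C")
    print([c.subject for c in order_chain([B, A, C])])
    print("problems with [B, A, C]:", chain_problems([B, A, C]))
    print("problems with [A, B]:", chain_problems([A, B]))
```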

  • Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30

    Hey experts,
    i need your help!
    We make web service calls to SAP ME with our own software.
    We connect to our software via SSL and certificates, e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
    At the beginning the software runs without any problems, and then we get the following message on all our web services:
    Those are the web service configurations
    (configuration - connectivity - single service administration):
    (configuration - security - authentication and single sign-on)
    If we restart the software after the error is displayed, the web service call runs successfully again.
    Is it a timeout?
    Can anybody help us?
    Thanks,
    Markus
    Our system info:
    NetWeaver 7.30 Java
    SAP ME 6.0
    The log when the software runs looks as follows:
    The log when the software doesn't run looks as follows:
    Security log entry
    More info from security_00.0.log:
    #2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
    com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
    Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
    Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
    Read data of type username and value  MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
    Read data of type username and value   from HTTP header and set on module javax.security.auth.callback.NameCallback
    Read data of type password and value  xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
    Read data of type password and value  xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
    Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

    Hi,
    The authentication for the second call is failing. Have you tried the suggested log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test whether the issue is caused by your application or by something wrong on the SAP side. Also comparing the messages for the first and second calls might give you the answer.
    Cheers

  • When trying to get to a CUIC permalink report via a get XML document data step in UCCX, we get a SSL certificate error

    Has anyone found a way to overcome the SSL certificate error via UCCX editor?  See attached screenshots.  Thanks!

    Hi, not easily, no.
    But I guess this has already been discussed/answered by Sam Womack in a later post. What you need to do is talk to TAC and have them upload the client certificate into your UCCX's keystore.
    G.

  • Certificate errors with Exchange 2013 and Outlook 2013

    Hello, I wonder if someone could help.
    I've recently set up a network with one Windows 2012 domain controller and one Windows 2012 server running Exchange 2013.
    Clients run Outlook 2013 and are all on the same LAN. Outlook's setup wizard finds the Exchange server automatically and sets up the profile. However, if I choose the manual setup and enter the server name and user name, it does not find the server.
    When I check the server name in Outlook it shows as [email protected] rather than the real name of the server: AYCEX01.AYC.local.
    When Outlook is opened there is a certificate error saying "The name on the security certificate is invalid or does not match the name of the site." and another error saying "There is a problem with the server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.ardfernyacht.co.uk. Outlook is unable to connect to the proxy server. (Error code 10)"
    The external address by which users connect to OWA and ActiveSync is mail.ardfernyacht.co.uk. The certificate which is used is one automatically generated by Exchange.
    Any suggestions you may have would be appreciated.
    Many thanks,
    Ruaridh
    Ruaridh Mackintosh

    A self-signed cert won't work with Autodiscover. For that you need a 3rd-party cert or one from your own CA.
    Please follow this guide to install a CA in your domain:
    http://careexchange.in/how-to-install-certificate-authority-on-windows-server-2012/
    Please follow this guide to request a new cert in Exchange 2013:
    http://exchangeserverpro.com/create-ssl-certificate-request-exchange-2013/
    Your cert must contain the external hostname of your mail.domain.com.
    Also configure your virtual directories to contain the internal and external hostname:
    http://blogs.msdn.com/b/mvpawardprogram/archive/2013/03/18/virtual-directories-exchange-2013.aspx
    Regarding the server name when using Autodiscover, it should automatically resolve to the mailbox GUID instead of the server name.
    Please check if your DNS is set up with autodiscover.domain.local (which is pointed to your Exchange server).
    Hope this helps!
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work
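The two Outlook messages quoted in this post are name-matching failures: the certificate Exchange generated does not list mail.ardfernyacht.co.uk among the names it covers. The following added example (not from the thread) implements the matching rule a client applies, including the wildcard limits, and lists the names a certificate request would still need to add; the self-signed certificate's name list is constructed for illustration.

```python
"""Does the name a client connects to match a certificate's DNS names?

Added example, not from the thread. Implements the usual client rule
(RFC 6125 style) conservatively: exact match, or a wildcard that is the whole
left-most label and covers exactly one label. The sample names at the bottom
are constructed for illustration.
"""
from typing import Iterable, List


def hostname_matches(hostname: str, dns_names: Iterable[str]) -> bool:
    """True if `hostname` is covered by one of the certificate's DNS names."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        # Wildcard rules: same label count (so *.example.com never covers
        # example.com or a.b.example.com), only the left-most label may be
        # '*', it must be the whole label, and at least two labels must follow
        # (so *.com is rejected).
        if len(pat_labels) != len(host_labels) or len(pat_labels) < 3:
            continue
        if pat_labels[0] != "*" or any("*" in lab for lab in pat_labels[1:]):
            continue
        if pat_labels[1:] == host_labels[1:]:
            return True
    return False


def missing_names(required: Iterable[str], dns_names: Iterable[str]) -> List[str]:
    """Names clients will use that the certificate does not cover.

    This is the list a new certificate request has to include (internal and
    external host names, Autodiscover) before the Outlook warnings go away."""
    names = list(dns_names)
    return [r for r in required if not hostname_matches(r, names)]


if __name__ == "__main__":
    # Constructed: names on the Exchange-generated certificate versus the
    # names clients in the post actually use.
    cert_names = ["AYCEX01", "AYCEX01.AYC.local"]
    client_names = ["AYCEX01.AYC.local", "mail.ardfernyacht.co.uk",
                    "autodiscover.ardfernyacht.co.uk"]
    for name in client_names:
        print(f"{name}: {'ok' if hostname_matches(name, cert_names) else 'NOT covered'}")
    print("add to CSR:", missing_names(client_names, cert_names))
```

A practical consequence of the wildcard rule: a *.ardfernyacht.co.uk certificate would cover mail. and autodiscover. but not the bare domain, and never the internal AYCEX01.AYC.local name, which is why the answer above says to put both the internal and external names in the request (or move the internal URLs to the external name).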

  • Get certificate error trying to access yahoo mail, and there is no exception to bypass the error.

    I am getting a certificate error trying to access https://mail.yahoo.com. Unlike most other certificate errors, there is no option for "I understand the risks" to add an exception for the page, just the following:
    mail.yahoo.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
    I tried setting the proxy to "no proxy" under Advanced settings, as well as clearing all cookies and other cache history. Did not resolve the problem. I cannot access my email.

    Hello, which security program is running on your computer?
