TLS usage requirements

Hi,
I can successfully connect my spa504g to a kamailio server and get mwi notifications using UDP.
When I use tls, I successfully register in the server and also subscribe to mwi events.
I can make calls and srtp also works.
The problem is with kamailio server sending mwi notifications to spa504g when I use tls.
Do I have to create a mini certificate and configure it in spa504g for tls mwi notifications to work?
I don't know if the problem is with the server or with misconfiguration in spa504g.
The initial SUBSCRIBE event is successful and I can get a response (mwi light goes on if I have a vm).
The problem seems to be when the connection is initiated by the server.
Any thoughts? Hints?
Thank you

Catch full log and debug messages
Debug and syslog Messages from the SPA3xx, SPA5xxG, SPA9xx, & WIP310 IP Phones
Just to be sure, catch the communication between exchange and phone as well (to verify that TLS is used at all times).
Installing and Using Wireshark for Capturing Network Traffic
It may reveal important information to you.

Similar Messages

  • TLS usage in Mail

    I've set up a postfix server using version 2.3.3 (redhat) along with dovecot.
    Enabled it to use TLS. The previous version of postfix was 2.2.x. Mail worked just fine
    using TLS on version 2.2. It breaks when using the newer version with TLS. Secure pop3
    or secure imap works just fine with Mail and dovecot. It's smtp using TLS that has a problem.
    Turning off TLS and using port 25 works just fine.
    Loaded up Thunderbird and ran the checks SSL, TLS, text (port 25, plain vanilla), same certificates
    as used with mail. Works just fine.
    Ran same checks using Mail, and turned debug on at the mail server (postfix), and it looks like
    it hangs during the TLS negotiation. i.e. does not handle version 3 it seems. It hung on the client
    side, i.e. Mail.
    Checked using ports 25, 465, and 587. Tried unchecking SSL at Mail for port 587.
    No effect. Mail autochecks the connection, and sometimes it would pass, and other times
    it would fail. This depended entirely on the server side (postfix) cached credentials. Turning
    caching off at the postfix server provides a better test of the way Mail works.
    i.e. in postfix comment out the line "smtpd_tls_session_cache_database = " in main.cf,
    also setting the "smtpd_tls_session_cache_timeout = " to a low value works.
    The CA used for all checks was self signed. It was used to sign the server certificate.
    This worked just fine for all clients and servers involved.
    Here is what the server (postfix) log is indicating when the port is 587 and SSL check box is
    checked using plain username and password to authenticate.
    Feb 6 17:51:38 mail postfix/smtpd[9565]: connect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:38 mail postfix/smtpd[9565]: disconnect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9565]: connect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9567]: initializing the server-side TLS engine
    Feb 6 17:51:49 mail postfix/smtpd[9565]: setting up TLS connection from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:before/accept initialization
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv2/v3 read client hello A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 write server hello A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 write certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 write server done A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 flush data
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read client certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: connect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read client certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 read client key exchange A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read certificate verify A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: setting up TLS connection from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:before/accept initialization
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv2/v3 read client hello A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 read client hello B
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 write server hello A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 write certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 write server done A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 flush data
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read client certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read client certificate A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 read client key exchange A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read certificate verify A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read certificate verify A
    Feb 6 17:51:49 mail last message repeated 2 times
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 read finished A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 write change cipher spec A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 write finished A
    Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 flush data
    Feb 6 17:51:49 mail postfix/smtpd[9565]: save session FDE39063436627C13B70FC2F99018D62FD617A52D02330C71BC11BE36BC0090A to smtpd cache
    Feb 6 17:51:49 mail postfix/tlsmgr[9566]: put smtpd session id=FDE39063436627C13B70FC2F99018D62FD617A52D02330C71BC11BE36BC0090A [data 126 bytes]
    Feb 6 17:51:49 mail postfix/tlsmgr[9566]: write smtpd TLS cache entry FDE39063436627C13B70FC2F99018D62FD617A52D02330C71BC11BE36BC0090A: time=1233960709 [data 126 bytes]
    Feb 6 17:51:49 mail postfix/smtpd[9565]: TLS connection established from crystal.pharmacy.ohio-state.edu[128.146.80.58]: TLSv1 with cipher AES128-SHA (128/128 bits)
    Feb 6 17:51:49 mail postfix/smtpd[9565]: disconnect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read certificate verify A
    Feb 6 17:51:49 mail last message repeated 2 times
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 read finished A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 write change cipher spec A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 write finished A
    Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:SSLv3 flush data
    Feb 6 17:51:49 mail postfix/smtpd[9567]: save session C45CE103ACA91E9BE220A32CA1007F7C61601DCFE753A08EF726DAE1ED166731 to smtpd cache
    Feb 6 17:51:49 mail postfix/tlsmgr[9566]: put smtpd session id=C45CE103ACA91E9BE220A32CA1007F7C61601DCFE753A08EF726DAE1ED166731 [data 126 bytes]
    Feb 6 17:51:49 mail postfix/tlsmgr[9566]: write smtpd TLS cache entry C45CE103ACA91E9BE220A32CA1007F7C61601DCFE753A08EF726DAE1ED166731: time=1233960709 [data 126 bytes]
    Feb 6 17:51:49 mail postfix/smtpd[9567]: TLS connection established from crystal.pharmacy.ohio-state.edu[128.146.80.58]: TLSv1 with cipher AES128-SHA (128/128 bits)
    Feb 6 17:51:49 mail postfix/smtpd[9567]: disconnect from crystal.pharmacy.ohio-state.edu[128.146.80.58]
    However, the Mail application indicates that the outgoing server is (offline).
    It maintains this message for port 465 for all configurations as well.
    Doesn't work any better on port 25 for any of the secure configurations.
    Question: Does an exception for Mail have to be entered into the postfix server policy for the
    security level (v 1, 2, or 3, or TLS v1) supported by the Mail application?
    Question: Does Mail application support TLS as implemented by the current version of SSL and
    Postfix?
    Thank you for considering this problem.
    Ed Beranek
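
A log like the one in this post interleaves two smtpd processes, which makes it hard to see whether each handshake actually finished. The following is an added example, not part of the original post: `summarize` and the sample lines are constructed here (placeholder host and address), and it groups the lines per smtpd PID, counts the `error in` lines, which in the post's log are each followed by further handshake progress, and reports whether `TLS connection established` was reached before the disconnect.

```python
import re

# Constructed sample in the format of the log above; host name and address are
# placeholders, and PID 9567 is cut short on purpose to show a stalled handshake.
SAMPLE_LOG = """\
Feb 6 17:51:49 mail postfix/smtpd[9565]: connect from client.example.com[192.0.2.10]
Feb 6 17:51:49 mail postfix/smtpd[9565]: setting up TLS connection from client.example.com[192.0.2.10]
Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:before/accept initialization
Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:error in SSLv3 read client hello B
Feb 6 17:51:49 mail postfix/smtpd[9567]: connect from client.example.com[192.0.2.10]
Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 read client hello B
Feb 6 17:51:49 mail postfix/smtpd[9567]: setting up TLS connection from client.example.com[192.0.2.10]
Feb 6 17:51:49 mail postfix/smtpd[9567]: SSL_accept:error in SSLv3 read client hello B
Feb 6 17:51:49 mail postfix/smtpd[9565]: SSL_accept:SSLv3 read finished A
Feb 6 17:51:49 mail postfix/smtpd[9565]: TLS connection established from client.example.com[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb 6 17:51:49 mail postfix/smtpd[9565]: disconnect from client.example.com[192.0.2.10]
Feb 6 17:51:49 mail postfix/smtpd[9567]: disconnect from client.example.com[192.0.2.10]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+postfix/smtpd\[(\d+)\]:\s+(.*)$")
ESTABLISHED_RE = re.compile(r"^TLS connection established from (\S+): (\S+) with cipher (\S+)")
ERR_PREFIX = "SSL_accept:error in "
STATE_PREFIX = "SSL_accept:"


def _verdict(session):
    """Classify one connection by how far its TLS handshake got."""
    if not session["tls_started"]:
        return "no-tls"
    if session["protocol"]:
        return "handshake-ok"
    return "handshake-incomplete"


def summarize(log_text):
    """Return one dict per smtpd connection, in the order the connections ended."""
    open_sessions = {}   # pid -> session currently handled by that smtpd process
    finished = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        pid, msg = match.group(1), match.group(2)
        if msg.startswith("connect from "):
            # A PID serves connections one after another, so start a new record.
            open_sessions[pid] = {
                "pid": pid, "client": msg[len("connect from "):],
                "tls_started": False, "retries": 0, "last_state": None,
                "stalled_at": None, "protocol": None, "cipher": None,
                "closed": False,
            }
            continue
        session = open_sessions.get(pid)
        if session is None:
            continue
        if msg.startswith("setting up TLS connection"):
            session["tls_started"] = True
        elif msg.startswith(ERR_PREFIX):
            # Not treated as fatal on its own: remember where the step stopped.
            session["retries"] += 1
            session["stalled_at"] = msg[len(ERR_PREFIX):]
        elif msg.startswith(STATE_PREFIX):
            # Any completed state means the handshake moved on.
            session["last_state"] = msg[len(STATE_PREFIX):]
            session["stalled_at"] = None
        elif msg.startswith("disconnect from "):
            session["closed"] = True
            session["verdict"] = _verdict(session)
            finished.append(open_sessions.pop(pid))
        else:
            established = ESTABLISHED_RE.match(msg)
            if established:
                session["protocol"] = established.group(2)
                session["cipher"] = established.group(3)
                session["stalled_at"] = None
    # Connections with no disconnect line yet are reported as still open.
    for session in open_sessions.values():
        session["verdict"] = _verdict(session)
        finished.append(session)
    return finished


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s["pid"], s["verdict"], s["protocol"], s["cipher"],
              "retries=%d" % s["retries"], "stalled_at=%r" % s["stalled_at"])
```

A `handshake-ok` verdict followed directly by a disconnect means the server side finished TLS and the client closed the session afterwards; `handshake-incomplete` with a `stalled_at` value names the step that never completed.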

    I have discovered something odd.
    My network was setup using a single Dlink DI-524 router sharing a 10M down / 1M up connection to a Nintendo Wii, Linux server, and 3 Windows XP pcs and my single Macbook. I noticed through the logs that the Wii connected multiple times through the wifi connection getting updates and every time that it did this it would temporarily knock my Macbook off the network causing a delay accessing Gmail's IMAP servers. This causes Mail.app to go into a loop trying to access the IMAP servers and chew up tons and tons of RAM.
    Solution. I setup a second Belkin router off one of my Dlink's ports and configured it to only allow my Macbook and AppleTV to access it. Problem solved. I have a rock solid internet connection with zero disruption to Gmail's IMAP servers. It appears with the 10.5.2 update, mail.app has developed a sensitivity to how it connects to the network. Hopefully 10.5.3 fixes it. We will have to see.
    Hope this helps.

  • Database Mail installation, usage requirements??

    I have been told that Database Mail in SQL Server 2012 (I don't know anything yet about 2014) on Windows Server 2012 R2 (Update 1 presumably) now requires installing the Desktop Experience
    feature on the Windows 2012 R2 server containing SQL Server 2012.
    I was further told that SQL Server Database Mail now requires
    one file that is included by installing the Desktop Experience feature...!!
    I'm sure this was/is not an issue with Windows Server 2008 R2 and earlier.
    Is this all TRUE??
    Would someone(s) please clarify??
    Thank you, Tom

    I had this told to me by a consultant...who also said it's something involved with or related to or akin to the Mail applet in Control Panel in Windows Server 2003/2008/2008 R2.
    I can test this by quickly spinning up a test Win2k12 server and installing SQL 2012 and then setting up Database Mail...
    Would you or someone(s) suggest a quick easy way to do a real-world test(s) of Database Mail that would help me test this out in addition to the built-in 'Test connection'??
    Thank you, Tom

  • Time Machine requires me to reformat my external hard disk

    I have a Maxtor 1TB external hard disk that works fine with my Mac. It has been formatted to FAT32 format so I can use it on Mac and PC. When I tried to setup Time Machine to back up to this drive, I was told I needed to reformat my external hard disk as the format was not recognised. Do I have to get a separate external hard disk to use with Time Machine? Why the discrepancy in formats? If I get another external hard disk and reformat it according to the requirement by Time Machine, will that mean that I cannot use that hard disk with a PC? What is the required format recognised by Time Machine anyway.
    Thanks for your answers.

    If I get another external hard disk and reformat it according to the requirement by Time Machine, will that mean that I cannot use that hard disk with a PC?
    Yes, unless the PC has software such as MacDrive installed.
    What is the required format recognised by Time Machine anyway.
    Mac OS Extended (Journaled). Time Machine has usage requirements beyond Mac OS X's general ones.

  • TLS and message filter question

    Hello,
    I don't believe this is possible because of the email workflow but I want to cover all bases.
    Here is the scenario:
    - We have 2 IronPort C350's. I have one that handles all normal outbound mail flow and the other handles CRE encryption as well as being set to TLS preferred for all outbound mail
    -I have several outbound content filters set on the first box that will send to alt host (the second box) for either CRE encryption or simply delivered via TLS preferred.
    -The filters that do not use CRE encryption are basically for SSN and HIPAA term matches from (careless) internal users who do not choose end-to-end encryption.
    I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?
    Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.
    My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.
    Any insight into this would be greatly appreciated. Thanks!

    I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?
    Currently, The IronPort is not able to turn over a failed TLS
    connection to another mechanism.
    Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.
    You can configure a workaround of sorts by creating specific bounce
    profiles for domains that require TLS, and setting these profiles to
    bounce messages within a short period of time (say 2 minutes or
    less).
    That way, if the message is in the delivery queue and a TLS
    connection cannot be verified to the recipient host, the message
    would bounce.
    The bounce would contain a 5.4.7 error message stating that TLS was
    unavailable. This workaround would depend on how savvy your users
    are at reading/understanding bounce messages.
    My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.
    This would probably be the best option.

  • Support for TLS-DSK Authentication in UCMA End Point connections?

    The Lync servers support NTLM, Kerberos, TLS-DSK as supported Authentication Protocols.
    However, it appears that  UCMA API when used in the End Point connection mode does not provide an option to use TLS-DSK as an authentication scheme.  Is there any way to connect to a Lync server that only supports TLS-DSK as an authentication protocol?
    //etc
                _collabPlatform = new CollaborationPlatform(clientPlatformSettings);
                _collabPlatform.AllowedAuthenticationProtocol = SipAuthenticationProtocols.None;   //Authentication protocol limitation -- TLS-DSK not available.
    UCFin

    No, UCMA only supports NTLM/Kerberos.  TLS-DSK requires HTTP requests which UCMA can not currently handle.

  • MOPZ selecting technical usages with JAVA pre-requisite

    Hello all,
    Upgrading from 46C to EHP5. Some of the desired technical usage require both ABAP and JAVA system. For example, HCM_Learning Solution has the following pre-requisites
    - SAP Learning Sol-Client (Lern, Auth, CP) - all JAVA
    - Learning Solution (ABAP)
    - SAP Learning Sol-Frontend ABAP
    - Portal Content (Java)
    So cannot select it in MOPZ since the 46C is not connected to a JAVA instance.
    It means the ABAP side requires a two-step upgrade: (1) upgrade to EHP5 without the HCM_Learning Solution, then (2) connect to a JAVA instance, select it in MOPZ, then another ABAP upgrade with HCM_Learning Solution.
    Any suggestion how to do the ABAP side in single step - i.e. include the Learning Solution (ABAP and the SAP Learning Sol-Frontend ABAP, then just create the JAVA instance after the ABAP upgrade? Is this a valid scenario?
    Regards,
    Terry

    Hi,
    Workaround of this situation is:
    Add As Java usage type as well in system definition in SMSY. As a result you will be able to select these usage type as well in MOPZ. But it will give you Java packages as well. You can ignore those packages. And then you can carry out upgrade in a single step.
    Thanks
    Sunny

  • Renew certificate broke TLS - how do I fix it?

    While troubleshooting another problem I followed a suggestion in a Technet document to renew my Exchange server self-signed certificate. Quite easy, right-click, renew certificate. Doing so did not fix the problem I was working on, but it did thoroughly
    trash my entire Exchange setup. I managed to get Outlook and OWA working again, but TLS is broken. I have a Receive Connector set up to relay email from other internal servers and appliances. It was set up to use TLS and/or Externally Secured Authentication
    and under Permission Groups, Anonymous users and Exchange servers are allowed to connect. After renewing the certificate, I had to remove TLS authentication. When enabled, those systems on which TLS is required or optional will fail to connect to send mail.
    When disabled, with Externally Secured the only checked option, those systems which do not require TLS can successfully send mail, others which require TLS fail (obviously). I know that this is some failure of Exchange to use the renewed certificate to establish
    TLS connections but I can't find anywhere to check or correct it. The certificate is enabled through EMC for all services but UCM, which we don't use, and I also ran enable-exchangecertificate -thumbprint "xxxxxxxxxxxxxxxxxx" -services "SMTP"
    in EMS using the thumbprint value found on the Details tab of the certificate from MMC. Any help on fixing this?

    Thanks for the suggestion, but that's not applicable here. The communications are all internal to our domain and really shouldn't have to be secured. Our Helpdesk application was using the connector w/TLS until I did the renew, then it was unable to email
    us when new requests came in or to send emails back to the requestors when we closed a ticket. That was easy, when I uncheck the TLS box, it doesn't try to use TLS and it works fine. Two other servers don't email all that often and I'm not sure yet if they
    work or not, I have no way to force an email from them. Then we have a couple appliances, like the chiller for a large piece of equipment, which email people when they detect a problem. That chiller has to use TLS, it's not configurable, so it's not emailing
    anyone right now. It's not a member of our or any domain, it's just running an embedded OS with a built in SMTP server that's not at all configurable. The worst part is, this all worked great until I did the renew. I'm thinking I'm going to have to delete
    the connector, delete the server certificate, and start over with a new certificate and connector, but that seems like such an obtuse way to fix what should be a simple problem.

  • Configuring IronPort to use TLS

    We have never used TLS before and haven't got any certs/keys C650
    Is there a checklist of everything needed to set up TLS between our company and a external company that requires it?
    I know there is information in the Advanced user guide but I need a dummy guide!

    Yeah, you probably don't want to require/prefer all inbound connections to have to go through a TLS check as this can hamper performance.
    A common method is to create a new Sendergroup(SG) and Mail flow policy(MFP) that either prefers or requires TLS to be established before transfer of information on a "as needed basis".
    For example, call the new sendergroup, "TLS_Required" and position it above the Whitelist SG. Assign this new "TLS_Required" SG to the new MFP called "Accepted_TLS" for example. Then, add the IP, hostname, or partial hostnames (ie. .bankofamerica.com) to the new SG.
    This is one way of doing it. How have other companies that put a lot of importance on TLS receiving and delivery done it? Anyone?
    Also, remember that HAT Overview/MFP are for receiving. In other words, when other incoming hosts connect to your Ironport appliance.
    "Mail Policies > Destination Controls", is for when your Ironport appliance delivers mail to hosts on the Internet. You probably don't want to make TLS Prefer/Require as the default. Likewise, you should create corresponding destination host entries for the domains that need the connections to be secure. However, if you're a banking institution and it's vital that all transactions between you and the Internet be made securely, then you may need to enable it on the Default.
    Hope that helps.
    Thanks folks.
    Do companies normally set their public listeners to preferred for default MFP? Is there a perceived performance hit in activating for all?
    If we create MFP for those companies who require TLS I presume this just generates NDR?
    Thanks John.

  • Report of low database usage by hour?

    How can I find the times when the usage is low on database server? as in the number of running processes running per hour...what data dictionary can I pull from? Any help is appreciated, thanks!

    1. Install Statspack on your database (see <ORACLE_HOME>/rdbms/admin/spdoc.txt)
    2. configure periodic snapshots
    3. run reports and use Load Profile and Top 5 Timed Events
    If you have the license to use Diagnostic Pack you can use AWR the same way.
    Note that V$ACTIVE_SESSION_HISTORY usage requires also Diagnostic Pack licensing.
    Edited by: P. Forstmann on 25 August 2010 20:24

  • TLS Monitoring Incoming

    The TLS alerts mechanism under the "destination controls setting" works great, but i need the same for incoming connections.
    I wish to be informed about any failed TLS-connection with partner X.
    Is there a solution?
    I tried several filters, but without success.
    e.g.
    GUI
    Order Condition Rule Delete
    1
    Other Header
    header("from") != "TLSv1"
    Notify
    notify ("[email protected]")
    any ideas?

    Hello,
    there is no alert functionality for incoming messages where TLS is required. This is basically because of the sender being in charge to enable TLS when they cannot establish a connection to you. A filter would not work because the message never enters the appliance. Or do you try to archive this with messages that have fall back to plain text (TLS preferred) when TLS could not be established?
    Regards,
    Andreas

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. ”
      in detail? Can you verify if there is any error or warning that relates to this authentication issue recorded in event log on client and radius server?
    Only certain computers are facing this issue or all?
    What’s OS running on these client computers?
    According to the situation right now, I'd like to share some suggestions with you:
    1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
    the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
    click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
    of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
    event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
    dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
    settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
    an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
    if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
    If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
    authentication.
    5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
    authentication process the failure occurs.
    Meanwhile, I'd like to suggest you start troubleshooting by following the guides below and see if it will help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available.
       Do you think the firewall is blocking the communication? 
    I added an exception to port 1812 UDP and this did not make a difference.

  • How to load a client certificate into a servlet to access a Web Service

    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet running under
    WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the client and the
    server hosting the Web Service. Thus, my client has to send a certificate to the
    server.
    My problem is: how to get the certificate into the request? I know that, for example,
    the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
    use this class.
    Is there any other method to make sure that SSL requests use my client certificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificates not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia

    Hi all,
    I have solved this problem basically by using weblogic's SSLSocketFactory instead
    of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
    which uses this Factory. I then created a custom Config class which I pass to
    the constructor of Service. The Config class looks like this:
    public class MyConfig extends SimpleProvider {
        /**
         * Constructor - deploy client-side basic transports.
         */
        public MyConfig() {
            deployTransport("java", new SimpleTargetedChain(new JavaSender()));
            deployTransport("local", new SimpleTargetedChain(new LocalSender()));
            // HTTP(S) calls go through the custom sender that uses WebLogic's SSLSocketFactory.
            deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
        }
    }
    The relevant code within MyHttpSender looks something like this:
    // Load the client certificate and private key (PEM files) as the local identity.
    SSLClientInfo sslinfo = new SSLClientInfo();
    File ClientKeyFile = new File("C:/certificates/testkey.pem");
    File ClientCertsFile = new File("C:/certificates/testcert.pem");
    InputStream[] ins = new InputStream[2];
    ins[0] = new FileInputStream(ClientCertsFile);
    ins[1] = new FileInputStream(ClientKeyFile);
    String pwd = "mykeypass";
    sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
    // Sockets created by this factory present the loaded identity during the SSL handshake.
    javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
    sock = sockf.createSocket(host, port);
    By the way, this change also solved the other problem I posted about (not being
    able to tunnel through the https proxy).
    Cheers,
    Zoltan Schreter
    Nokia
    "Tony" <TonyV> wrote:
    Which API's are you currently using for the SSL communication in the client side?
    Tony
    "Zoltan Schreter" <[email protected]> wrote in message
    news:[email protected]...
    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet running under WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the client and the server hosting the Web Service. Thus, my client has to send a certificate to the server.
    My problem is: how to get the certificate into the request? I know that, for example, the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't use this class.
    Is there any other method to make sure that SSL requests use my client certificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificates not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia
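
For comparison with the WebLogic-specific SSLClientInfo approach in the post above, the same client-certificate setup using only the standard JSSE API. This is an added example, not code from the original post; the class name MutualTlsClient, the PKCS#12 identity file and the command-line arguments are assumptions. It also reports how many certificates the client actually sent, which is the value to check against the "peer certificates not supplied" and "chain ... was incomplete" messages quoted in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    /** Socket factory that presents the key and certificate chain stored in a PKCS#12 file. */
    static SSLSocketFactory clientAuthFactory(String p12Path, char[] password) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {   // stream is closed after loading
            identity.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);

        // A null KeyStore selects the JRE's default trust anchors for validating the server.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Usage (hypothetical arguments): java MutualTlsClient <host> <port> <client.p12>
    public static void main(String[] args) throws Exception {
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        // Prompt for the keystore password instead of embedding it in the source.
        char[] password = System.console().readPassword("Keystore password: ");
        SSLSocketFactory factory = clientAuthFactory(args[2], password);
        try (SSLSocket sock = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");   // verify the server's hostname
            sock.setSSLParameters(params);
            sock.startHandshake();
            // null: no client certificate was sent; length 1: only the leaf, no intermediates.
            Certificate[] sent = sock.getSession().getLocalCertificates();
            System.out.println(sent == null ? "no client certificate sent"
                    : "client chain length sent: " + sent.length);
        }
    }
}
```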

  • How do I lock PDF before e-mailing so that it cannot be altered by the recipient?

    I've created a form in LiveCycle which will be seen and filled by users who only have Reader.
    Once the form is completed, the user has to click three buttons: one prints the page (for a specific paper-based usage required by the filler of the form). The same button sends the entire form to one e-mail address.
    The second button prepares the form for submission to a second e-mail recipient. This recipient must not be able to see some of the filled fields on the form. As well as setting these fields to invisible, the second button also hides key fields behind a text message, telling the second recipient where to find the information that is most useful to them on the form. Again, this recipient will be using only Acrobat Reader.
    Everything works fine, apart from when it comes to e-mailing the form to the second recipient. I've used various scripts I've found on this forum and elsewhere to lock fields before sending and I've extended Reader rights in Acrobat. But, whatever I do, the form received by the recipients is STILL editable, the "invisible" fields are visible again and also editable, and the text box that obscured key fields has become invisible again.
    I've already tried using a range of scripts that I've found both on this forum and elsewhere (including Paul Guerrett's 'Lock All Fields' and 'Lock All Fields Not Buttons' scripts). I've also tried using the scripts in different 'events' - mouse up, mouse down, click etc.
    What am I doing wrong? I've spent days trying to figure this out and I'm getting nowhere.
    I am a JavaScript novice, by the way. So please keep it simple and (better still) provide working script! Thanks to anyone who can help.

    Hi Steve,
    I can see 2 possible options for you to investigate,
    1) Submit the form to a LiveCycle process and let LiveCycle Output turn the PDF into a PDFA and then email the second recipient.
    If you don't have a LiveCycle Output server:
    2) Remove the second submit button and add a signature field which can lock the entire PDF. Once signed, the PDF can be emailed directly from Reader/Acrobat using File > Attach To Email.
    One thing to remember is that anything that can be achieved through script can also be undone through script written into the JavaScript console, so if you are working with sensitive data you should use one of the options above.
    Kind Regards
    Kev
    Solutions Architect
    Avoka
    www.avoka.com

  • Error while compiling model in Visual Composer 7.1.

    Hi,
    I am getting an error while compiling a model in Visual Composer 7.1.
    An exception occurred at the server while running the build process, reason: Extension with id com.sap.vc.runtimeproviders.null not found. For more details please refer to the log file.
    Can any one please tell me what the error is?

    Hello
    This problem usually indicates the model Runtime provider is not set properly.
    Please go to the configure pane and check the RT provider that is set for the model or any other model in the same DC.
    Also, service usages require this property to be set accordingly.
    To make sure the services are set properly, please look into the configuration pane when the respective service usage is selected (and check the same).
    Please let me know if this helped or not.
    Guy
