TN3270 Plugin / ASA SSL Portal

Similar Messages

• ASA SSL Portal : Remove Application help

  Hello,
  I've done some customization on the SSL Web portal on an ASA 8.2.
  Everything's fine except I want to remove the help column on the right when I click on application.
  See the attachment the column entitled 'Terminal Servers Help'
  Regards

  Yes it works. so easy !
  Thanks much.

• 6.1 SP 2 certificate authenticator fails with Apache plugin and SSL

  Hi,
  Does anybody have a certificate authenticator working in WebLogic 6.1
  SP 2, in combination with the Apache HTTP Server plugin and SSL?
  We implemented a certificate authenticator that works correctly in
  WebLogic 6.1 SP 2 when we configure SSL with "Client Certificate
  Required", and access it directly from a browser (the browser hits the
  SSL port of the WebLogic server, like 7002).
  This certificate authenticator also works correctly with a proxy web
  server. We set up a Stronghold server (web server based on Apache) on
  Linux with the Apache HTTP Server plugin from BEA, configured the
  plugin to use SSL, and configured our WebLogic 6.1 SP 1 server without
  "Client Certificate Required". The certificate authenticator gets the
  end user's certificate correctly.
  This same architecture with the proxy web server does not work when we
  upgrade the WebLogic Server to SP 2. WebLogic Server logs the
  "incorrect or missing client cert" error, our certificate
  authenticator is never called, and the browser gets a 401 Unauthorized
  error.
  We looked all over the WebLogic 6.1 SP 2 installation for a newer
  version of the plugin (mod_wl_ssl.so) and found the same version as SP
  1. We double-checked that it was the Linux-specific installer
  (because we'd found that some Linux libraries are missing from the
  generic installer). So it appears to us that the plugin encodes the
  certificate in the request header in such a way that a SP 1 server can
  extract it, but an SP 2 server cannot. We were wondering whether
  there might be changes to the plugin to stay in step with the SP 2
  server that never got ported to Linux, or whether an updated Linux
  plugin never got included in the installer packages.
  So: has anybody gotten a system like
  Apache/Stronghold + WebLogic Plugin <-- SSL --> WebLogic 6.1 SP 2 +
  Cert Auth
  to work?
  Thanks in advance for any help,
  Jim Doyle
  [email protected]

  A correction, I think:
  Now that I rolled back a system to 6.1 SP 1, it looks like 6.1 SP 1
  does include a different mod_wl_ssl.so from that in SP 2. I believe I
  was comparing the wrong file. In fact, trying to compare versions of
  the mod_wl_ssl.so makes things rather confusing:
  A mod_wl_ssl.so from a straight weblogic610sp2_generic.zip install has
  a cksum of "1853014778 1132467".
  A mod_wl_ssl.so from a weblogic610sp1_generic.zip install with a
  subsequent SP 2 upgrade install has a cksum of "1350917183 1147927".
  A mod_wl_ssl.so from a plain 6.1 install with subsequent SP 1 and SP 2
  upgrade installs, followed by an SP 2 uninstall and another SP 1
  upgrade install, has a cksum of "1471948065 1136501".
  I think I may be looking at three different plugin versions here: 6.1,
  6.1 SP 1, and 6.1 SP 2, assuming the upgrade installs don't actually
  change mod_wl_ssl.so. I'm not sure whether there's an easier way to
  verify what version of the plugin you have.
  In any case, we did try each plugin version, and none of them works
  against a 6.1 SP 2 WebLogic server.
  Jim
  [email protected] (Jim Doyle) wrote in message news:<[email protected]>...
  [snip]
  We looked all over the WebLogic 6.1 SP 2 installation for a newer
  version of the plugin (mod_wl_ssl.so) and found the same version as SP
  1. We double-checked that it was the Linux-specific installer
  (because we'd found that some Linux libraries are missing from the
  generic installer). [snip]

• SSL Portal for IMAP, POP3, SMTP?

  Hello,
  is it possible to offer with an UAG SSL Portal a preauthentication for IMAP, POP3 and SMTP?
  If yes, any How to's out there?
  Edit: I know that TMG is able to offer that but is there preauthentication used?
  Grüße/Regards, Jens Klein

  Hi,
  No, UAG does not support (as in does not work) any other ports than 80 and 443.
  Hth,
  Lutz

• Web Service encoding response improperly using the plugin and ssl

  We are having a problem with the response from a document style web service. The response is xml but the elements come back as "&lt element &gt" instead of <element>. The return variable is of type String.
  Our setup is Iplanet(6.1) frontend using the wl-proxy plugin
  to Weblogic 8.1. The webservice is using https. If we use port 7001 (not https) instead of https 443 it works fine.
  It appears to me that the plugin when used with ssl has a bug.
  In help would be greatly appreciated. This situation did not occur using wls6.1. When we migrated to 8.1 that is when it started happening.
  Other screnarios tested: When going right at weblogic 8.1 using ssl no problem.

  Hi
  When you have generated the client proxy classes from NW DS you can then include the .jar file into your applets code. Then, to actually execute the web service you can use the following code (for example)
  String logicalPort = "<logical port defined in WSDL>";
  <generate service interface> service = new <generated service implementation>();
  <generated proxy class> port = (<generated proxy class>)service.getLogicalPort(logicalPort, <generated proxy class>.class);
  String param = "myval";
  String result = port.<method>(param);
  where everything in the <> represents the relevant client classes that have been generated by NW DS. Bear in mind that you can either create deployed proxies or standalone proxies. Deployed proxies get deplyed to the J2EE server and need to be looked up via JNDI. The implementation classes are not included as part of the proxy generation.
  Standalone proxies are created with the implementation classes included and can therefore be included in ANY java application.
  I hope this helps
  Darrell

• ASA SSL Licensing query

  Hi,
  We are planning on putting Active/Standby pairs of ASA CSC bundles at three of our sites. We would also like to use these pairs as SSL head end devices.
  The question is whether we really need to purchase two sets of SSL licenses (and for that matter CSC user licenses) when only one device will ever be active in the proposed scenario?
  I would be very grateful if anyone can clear this up as I have not been able to find anything definitive on Cisco's web or through their distribution channels.
  Thanks
  Richards

  Hi Raj,
  Thanks for the response,i was worried that this was the case. Are you totally sure, have you deployed a similar scenario?
  We're looking at the 500 user license (list at $30k) so it is harsh that we need to purchase the license twice. I'm sure Cisco will rectity this over time though.
  Thanks

• Precondition Failed problem with apache plugin using SSL

  I got a "Precondition Failed" while trying to use apache + mod_ssl + mod_wl128_20.so.
  I am using Apache 2.0.52 & WebLogic 8.1 SP4 on Windows 2K Server.
  The web.xml is something like this:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secured</web-resource-name>
  <url-pattern>/appmanager/Portal/desktop</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  While the httpd.conf is:
       <IfModule mod_weblogic.c>
            SetHandler weblogic-handler
            WebLogicHost localhost
            WebLogicPort 7001
            MatchExpression *
       </IfModule>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  <VirtualHost localhost:443>
       <IfModule mod_weblogic.c>
            DEBUG ALL
            SetHandler weblogic-handler
            SecureProxy ON
            TrustedCAFile C:/bea81/weblogic81/server/lib/CertGenCA.der
            RequireSSLHostMatch FALSE
            WebLogicHost localhost
            WebLogicPort 7002
            KeepAliveEnabled false
            MatchExpression *
       </IfModule>
  The proxy of http is fine and I can also use port virtualhost 443 map to weblogic http (port 7001).
  But when I use 443 map to 7002 (SSL), I got an error:
       Precondition Failed
       The precondition on the request for the URL /MyPortal/appmanager/Portal/desktop evaluated to false.
  When I turned on the DEBUG ALL in httpd.conf, I find an error message:
       ================New Request: [GET /MyPortal/appmanager/Portal/desktop HTTP/1.1] =================
       Thu Aug 11 14:29:44 2005 INFO: SSL is configured
       Thu Aug 11 14:29:44 2005 SSL Main Context not set. Calling InitSSL
       Thu Aug 11 14:29:44 2005 ERROR: SSL initialization failed
  Can anyone help me? Please email me by [email protected]
  Thanks very much!

  I got past the initial problem. You need to run der2pem and use the pem file not the der file.

• Apache Proxy Plugin with SSL in Weblogic Cluster

  Hi,
  I have configured a weblogic cluster and configured SSL. Then I configured the apache plugin to work with the cluster machines with non ssl and worked succesfull but when I configured the ssl communication between apache and weblogic I´m having problems.
  The actual configuration is:
  <Location /spmlws>
  SetHandler weblogic-handler
  WLLogFile /var/log/httpd/tmpweblogic1.log
  DebugConfigInfo ON
  Debug ALL
  KeepAliveEnabled ON
  KeepAliveSecs 15
  WebLogicPort 7002
  SecureProxy ON
  TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA35cert.pem
  TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA36cert.pem
  WLProxySSL ON
  RequireSSLHostMatch false
  WebLogicCluster machine35:7002,machine36:7002
  EnforceBasicConstraints false
  </Location>
  The problem is that the plugin always takes the last TrustedCAFile. In this way if machine36 is down the plugin tries to send all the request to machine35 but it takes the TrustedCAFile for the machine36 (/opt/freeware/etc/httpd/conf/trustedCA36cert.pem) hence the apache complains
  [Wed Jun 30 11:13:56 2010] [error] [client 10.19.232.249] ap_proxy: trying GET /spmlws/OIMProvisioning at backend host '10.19.232.97/7002; got exception 'WRITE_ERROR_TO_SERVER [os error=0,  line 796 of ../nsapi/URL.cpp]: '
  What can I do to have multiple TrustedCAFile or to have working the communication between apache and weblogic cluster using SSL?
  thanks in advance

  Acording to the documentation this is not possible.
  One way to achieve the load balancing of n-weblogic servers in cluster using ssl is to configure de HttpClusterServlet.

• SSL: Portal and Third-Party-Tool

  Hello everybody,
  I need an advice how to solve the following problem: We integrated a Third-Party-WebTool with the Application Integrator. If we lauch the portal and the special iView with HTTP everything works fine but with HTTPS we get an error message: "Session Management will not work! Please check DSM log files for details. You can turn off this alert inside 'Support Desk' -> 'SAP Application'"
  Do I need those logs? Because if I understood the message correctly this deals only with SAP Applications. What about Third-Party-Tools with own SSL certificates? How solve the problem described above? Do I need to import the certificate of my Third-Party-Tool into my portal keystorage? Do I need to configure anything else?
  Thanks in advance...
  Regards
  Steffen

  I would be very appreciated if anybody could give me an advice...
  Steffen

• Web Dispatcher - SSL - Portal

  Hi,
  I have configured Web Dispatcher for SSL Termination to the portal. When I go to my https://... Web Dispatcher address, the portal comes up but the address in the browser changes to http://....
  What could the problem be? Why is the Web Dispatcher terminating the SSL between it & the browser? There's nothing in the trace file that indicates a problem.
  Many thanks in advance.
  Regards
  Jane

  Hi Jane Tooke,
                        In the profile file of web dispatcher which is " sapwebdisp.pfl " located in the sapwebdisp directory, please check if the following parameter exists. This parameter describes how the inbound connections are handled by web dispatcher.
  wdisp/ssl_encrypt
  the possible values for this parameter are < 0, 1, 2 >
  wdisp/ssl_encrypt = 0 ( this means the SSL is terminated when sending to the 
                                     back end server )
  wdisp/ssl_encrypt = 1 ( the SSL is terminated and then SSL encrypted again by
                                     webdispatcher )
  wdisp/ssl_encrypt = 2  ( the SSL is not terminated and request is sent encrypted
                                       to the back end )
  The default value of this parameter is " 0 " . So, set it as appropriate to solve your purpose. Please refer to the following link to find more explanation about each of the profile parameters of the web dispatcher.
  http://help.sap.com/saphelp_nw04/helpdata/en/de/89023c59698908e10000000a11402f/frameset.htm
  Sai Kondapi

• ASA SSL Authentication special caracters

  Hi,
  I have a ASA 5540 configured in WebVPN to authenticate users through an ACS server. The ACS server can use my Active Directory Users Database.
  a user with those credentials:
  login : testuser
  pass : céli20
  can login through Remote Access VPN (classic cisco ipsec vpn client)
  but can't throught webvpn portal page..!!If we change the password and remove the "é" it can log-in...How to allow specials characters in the webvpn session connection?

  ASDM does not support any non-English characters or any other special characters. If you enter non-English characters in any text entry field, they become unrecognizable when you submit the entry, and you cannot delete or edit them.
  If you are using a non-English keyboard or usually type in language other than English, be careful not to enter non-English characters accidentally. For a workaround, see caveat CSCeh39437

• ASA SSL trustpoints

  Hello,
  I have a scenario where a web server is hosted on the inside and users accessing to it through https are being authenticated first on the ASA( there is a certificated installed on the ASA for secure access)
  I want to add another web server and do the same setup, will I need a separate cetificate on the ASA( can I have multiple certificates for the same trustpoint knowing that I can assign only one trustpoint on the outside interface)
  What's the best practise?

  Yes you can assign the trustpoint to be used for SSL connections on the outside interface.
  A trustpoint contains the identity of a certificate authority, CA-specific configuration parameters, and an association with one enrolled identity certificate. You need one trustpoint to connect with the Citrix server. You can configure up to two trustpoints, each to be assigned to a different interface on the security appliance; however, you can assign a single trustpoint to two interfaces.

• Asa ssl licensing

  We have a 5520 ASA with a 100 user ssl license. We need to increase this but 250 is overkill. Is there an option to just add 50 more licenses or do we have to go up to 250?
  Sent from Cisco Technical Support iPhone App

  That's right - the next level after 100 is 250. Please refer to this post for more details.

• Reverse proxy plugin with SSL

  Hi,
  I'm trying to set up reverse proxy plugin that forwards requests from plain HTTP port on web server to SSL port on origin-server (sun web console)
  I have followed instructions from [http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_web] to achieve this:
  wadm create-reverse-proxy --user=admin --password-file=/.ws7pass --config=test --vs=test --uri-prefix=/console/ --server=https://webconsole:6789And part of my obj.conf related to reverse-proxy:
  NameTrans fn="map" from="/console/" to="https:/" name="reverse-proxy-/console"
  <Object ppath="https:*">
      Service fn="proxy-retrieve" method="*"
  </Object>
  <Object name="reverse-proxy-/console">
      Route fn="set-origin-server" server="https://webconsole:6789/"
  </Object>When one tries to access http://test/console/ following messages appear in the log file:
  fine    (27868): for host x.x.x.x trying to GET https:/, service-http reports: attempting to contact webconsole:6789
  fine    (27868): for host x.x.x.x trying to GET https:/, attempting to resolve webconsole
  fine    (27868): for host x.x.x.x trying to GET https:/, attempting to connect to 192.168.1.80:6789
  fine    (27868): for host x.x.x.x trying to GET https:/, connected to 192.168.1.80:6789
  failure (27868): for host x.x.x.x trying to GET https:/, service-http reports: HTTP7765: error reading response header (Server closed connection)
  finest  (27868): for host x.x.x.x trying to GET https:/, func_exec reports: executing fn="set-origin-server" server="https://webconsole:6789/" Directive="Route" magnus-internal=""
  fine    (27868): for host x.x.x.x trying to GET https:/, set-origin-server reports: using server https://webconsole:6789
  finest  (27868): for host x.x.x.x trying to GET https:/, func_exec reports: fn="set-origin-server" server="https://webconsole:6789/" Directive="Route" magnus-internal="" returned 0 (REQ_PROCEED)
  finest  (27868): for host x.x.x.x trying to GET https:/, func_exec reports: fn="proxy-retrieve" method="*" Directive="Service" returned -1 (REQ_ABORTED)Any ideas?

  Oh, sorry, when I'm accessing console through reverse proxy, nothing is written to the web console log initially, and these messages appear in the web server log (now loglevel=info):
  [15/May/2008:15:52:41] failure (23204): for host x.x.x.x trying to GET https:/, service-http reports: HTTP7765: error reading response header (Server closed connection)
  [15/May/2008:15:52:41] info    (23204): for host x.x.x.x trying to GET https:/, set-origin-server reports: HTTP7751: server https://webconsole:6789 offline
  [15/May/2008:15:52:41] failure (23204): for host x.x.x.x trying to GET https:/, service-http reports: HTTP7765: error reading response header (Server closed connection)
  [15/May/2008:15:52:41] failure (23204): for host x.x.x.x trying to GET https:/, service-http reports: HTTP7765: error reading response header (Server closed connection)After some time this message is written to webserver log:
  [15/May/2008:15:53:02] info (23204): trying to OPTIONS https://webconsole:6789, check-http-server reports: HTTP7750: server https://webconsole:6789 onlineAnd simultaneously this message is written to webconsole log:
  CoreSessionManagerFilter:doFilter | Request: https-mfwk-zone-6789: /

• SSL Portal Wallet configuration

  I'm trying to setup my application server using SSL, it all configured and works fine, the problems comes when I try to change the SSLwallet file path, if I change this path in ssl.conf the forms service works fine, it detects the certificate without problems, but if I try to access portal, I get a No resonse from Application Web Server after the SSO page, if I go back to the original path for the SSLwallert everything works fine except I get no certificate. I believe I'm missing something in the configuration in order for this to work. Could somebody point me into the right direction?

  I worked this out by replacing all the wallet files in the oraclehome the wallet containing the certificate,
  but now I come to another issue. When I set up SSO for Forms after the login page I get redirected to the SSO url (ex. http:\\myinfrasite:4443) and the problem is that this url doesn't have the S in the httpS, if I make the login through portal I get no such problem. I guess that I have a missconfiguration for the URL that forms uses in SSO, but i cant find that url anywhere