Using certificates with ACS

Does any of you know how to configure certificates in ACS? Any reference for this issue?
Thanks

Have a look at these:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804721c3.shtml
http://www.geocerts.com/support/install/install_cisco_acs.php
Regards
Farrukh

Similar Messages

  • Can't connect to wireless using certificate with Android device

    Hi,
    I'm trying to connect to my wireless network using an Android device with a certificate, but with no success.
    I'm using a WLC 4402 7.0.235.3
    SSID Security (WPA2 Auth802.1X + CCKM)
    Logs from WLC
    (Cisco Controller) debug>*apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Association received from mobile on AP 00:3a:98:7d:cc:30
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Clearing Address 10.10.168.3 on mobile
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 10.10.168.3 RUN (20) Skipping TMP rule add
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 apfMsRunStateDec
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 10.10.168.3 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 5154
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:3a:98:7d:cc:30]
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying site-specific IPv6 override for station 20:02:af:a6:0a:85 - vapId 3, site 'BPA-SEDE', interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying IPv6 Interface Policy for station 20:02:af:a6:0a:85 - vlan 431, interface id 13, interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying site-specific override for station 20:02:af:a6:0a:85 - vapId 3, site 'BPA-SEDE', interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 STA - rates (8): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 STA - rates (10): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Processing RSN IE type 48, length 20 for mobile 20:02:af:a6:0a:85
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Received RSN IE with 0 PMKIDs from mobile 20:02:af:a6:0a:85
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfMs1xStateDec
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:3a:98:7d:cc:30 vapId 3 apVapId 4for this client
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:3a:98:7d:cc:30 vapId 3 apVapId 4
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 20:02:af:a6:0a:85 on AP 00:3a:98:7d:cc:30 from Associated to Associated
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Sending Assoc Response to station on BSSID 00:3a:98:7d:cc:30 (status 0) ApVapId 4 Slot 0
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 20:02:af:a6:0a:85 on AP 00:3a:98:7d:cc:30 from Associated to Associated
    *pemReceiveTask: Jan 03 08:26:10.873: 20:02:af:a6:0a:85 0.0.0.0 Removed NPU entry.
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Station 20:02:af:a6:0a:85 setting dot1x reauth timeout = 0
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Stopping reauth timeout for 20:02:af:a6:0a:85
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Connecting state
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Sending EAP-Request/Identity to mobile 20:02:af:a6:0a:85 (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 Received EAPOL EAPPKT from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 Received Identity Response (count=1) from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 EAP State update from Connecting to Authenticating for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Authenticating state
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.881: 20:02:af:a6:0a:85 Entering Backend Auth Response state for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Processing Access-Challenge for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Entering Backend Auth Req state (id=2) for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Sending EAP Request from AAA to mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.888: 20:02:af:a6:0a:85 Received EAPOL EAPPKT from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.888: 20:02:af:a6:0a:85 Received EAP Response from mobile 20:02:af:a6:0a:85 (EAP Id 2, EAP Type 3)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.889: 20:02:af:a6:0a:85 Entering Backend Auth Response state for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Processing Access-Reject for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Removing PMK cache due to EAP-Failure for mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Sending EAP-Failure to mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Entering Backend Auth Failure state (id=2) for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Setting quiet timer for 5 seconds for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Unknown state
    *osapiBsnTimer: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 802.1x 'quiteWhile' Timer expired for station 20:02:af:a6:0a:85 and for message = M0
    *dot1xMsgTask: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 quiet timer completed for mobile 20:02:af:a6:0a:85
    *dot1xMsgTask: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Connecting state
    *dot1xMsgTask: Jan 03 08:26:15.741: 20:02:af:a6:0a:85 Sending EAP-Request/Identity to mobile 20:02:af:a6:0a:85 (EAP Id 4)

    Hi Scott,
    I've made the change as you suggested and collected logs from MS NPS, and I think that authentication is failing.
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Wireless
    Authentication Provider:                    Windows
    Authentication Server:                    NPSServer.domain.local
    Authentication Type:                    EAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              22
    Reason:                                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    Best regards,
    Alcides Miguel
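    The WLC debug above ends with "Received EAP Response ... (EAP Id 2, EAP Type 3)" immediately followed by an Access-Reject, and NPS reports Reason Code 22. EAP type 3 is Nak (RFC 3748): the supplicant refusing the method the server proposed. The following is an added example, not code from this thread, that scans WLC "debug client" output for one station and reports which EAP types the supplicant returned, flagging a Nak that precedes a reject. The sample lines are constructed in the shape of the log above; the class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the forum thread): summarises the EAP method
 * negotiation seen in WLC "debug client" lines so that an NPS/ACS
 * "EAP Type cannot be processed" reject can be matched to what the
 * supplicant actually answered. Type numbers are from the IANA EAP
 * method registry (1-4 are defined in RFC 3748).
 */
public class EapNegotiationCheck {

    static final Map<Integer, String> EAP_TYPES = new HashMap<Integer, String>();
    static {
        EAP_TYPES.put(1, "Identity");
        EAP_TYPES.put(2, "Notification");
        EAP_TYPES.put(3, "Nak (supplicant rejects the method the server proposed)");
        EAP_TYPES.put(4, "MD5-Challenge");
        EAP_TYPES.put(13, "EAP-TLS");
        EAP_TYPES.put(21, "EAP-TTLS");
        EAP_TYPES.put(25, "PEAP");
        EAP_TYPES.put(26, "EAP-MSCHAPv2");
        EAP_TYPES.put(43, "EAP-FAST");
    }

    // Matches "... Received EAP Response from mobile 20:02:af:a6:0a:85 (EAP Id 2, EAP Type 3)"
    static final Pattern EAP_RESPONSE = Pattern.compile(
            "Received EAP Response from mobile ([0-9a-f:]{17}) \\(EAP Id (\\d+), EAP Type (\\d+)\\)");
    static final Pattern ACCESS_REJECT = Pattern.compile(
            "Processing Access-Reject for mobile ([0-9a-f:]{17})");

    /** One finding per EAP response or reject line, in log order; empty means nothing to report. */
    public static List<String> analyze(List<String> lines) {
        List<String> findings = new ArrayList<String>();
        boolean sawNak = false;
        for (String line : lines) {
            Matcher m = EAP_RESPONSE.matcher(line);
            if (m.find()) {
                int type = Integer.parseInt(m.group(3));
                String name = EAP_TYPES.containsKey(type) ? EAP_TYPES.get(type) : "unknown/vendor-specific";
                findings.add(m.group(1) + " EAP Id " + m.group(2) + ": type " + type + " = " + name);
                if (type == 3) {
                    sawNak = true;
                }
                continue;
            }
            m = ACCESS_REJECT.matcher(line);
            if (m.find()) {
                findings.add(m.group(1) + (sawNak
                        ? ": Access-Reject after a Nak: server and supplicant disagree on the EAP method"
                          + " (compare the EAP types enabled on NPS/ACS with the supplicant profile)"
                        : ": Access-Reject without a Nak: method agreed, so credentials or certificate"
                          + " validation failed"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the shape of the WLC output quoted above.
        List<String> sample = new ArrayList<String>();
        sample.add("*dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Sending EAP-Request/Identity to mobile 20:02:af:a6:0a:85 (EAP Id 1)");
        sample.add("*Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Sending EAP Request from AAA to mobile 20:02:af:a6:0a:85 (EAP Id 2)");
        sample.add("*Dot1x_NW_MsgTask_0: Jan 03 08:26:10.888: 20:02:af:a6:0a:85 Received EAP Response from mobile 20:02:af:a6:0a:85 (EAP Id 2, EAP Type 3)");
        sample.add("*Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Processing Access-Reject for mobile 20:02:af:a6:0a:85");
        for (String finding : analyze(sample)) {
            System.out.println(finding);
        }
    }
}
```

    Run it over a saved debug capture (one line per list entry) and look at the type reported on the response that precedes the reject: a Nak there means the fix belongs in the EAP method configuration on the server or the supplicant, not in the user's credentials or certificate.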

  • Can't use certificates; with version 4 it doesn't run

    To use a bank account I use a security certificate, but with version 4 it doesn't run. I can't send the certificate; I think I can send it with a normal email, as an attachment.

    I have the same problem.
    I have my son's touch and my iPhone. Neither can connect either way since the update to V4.3. It just rings on the outgoing device until it says "Call Failed".
    Both devices have FaceTime activated.
    Skype VC works fine, so I know it's not the devices or the connection.
    Another new one is in setting up "find me" on the touch: it seems to think we are at our old address. I have spoken to my broadband provider and they have the correct postal address, and they issue a dynamic IP address.

  • Any way to use SFTP with ACS SE?

    We're trying to keep FTP out of our network, and I'd like to know if there is any way to get SFTP to work with the ACS Appliance, or if there's another option for backups/restores other than FTP.

    Currently the only way to secure a database backup is by encrypting it with a key: go to System Configuration > ACS Backup, enter any key in "Encryption Password", check "Encrypt Backup File", and take a backup.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCBasic.html#wp222491
    Other than that, we already have an enhancement request open with us:
    CSCsi15224 : Secure protocols aren't available for backup/restore operations
    Regards,
    Prem

  • Can't auth to Nortel network devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (Baystack 470, ERS 5530/5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server" (?) (depending on the device type)
    But in my ACS View I can see: "Authentication succeeded."
    I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS auth using other brands' devices.
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually, for a simple authentication, we stay within the IETF RADIUS standards, no?).
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store - Internal Users
    24210  Looking up User in  Internal Users IDStore - radius
    24212  Found User in Internal  Users IDStore
    22037  Authentication Passed
    Evaluating Group Mapping  Policy
    Evaluating Exception  Authorization Policy
    15042  No rule was matched
    Evaluating Authorization  Policy
    15006  Matched Default Rule
    15016  Selected Authorization  Profile - Permit Access
    11002  Returned RADIUS  Access-Accept
    So I think the ACS does its job

  • Using TACACS+ With ACS 5.6 on 300 Series Switches v1.4

    I was wondering if anyone could give me instructions on how to set up ACS for TACACS+ on a 300 series switch using Authorization? I can get it to work to authenticate, but the authorization doesn't seem to work like a catalyst switch. Thanks in advance for any help!

    Brandon, thanks for the link, but this is for the older software before they included authorization (the v1.4). I've looked through a bunch of manuals and tried to find examples online, but it doesn't seem like anyone has anything out there I can find.

  • Problem with ACS 4.1 using certificate

    I have an ACS 4.1 appliance, and I have already configured ACS to work with certificates. I got the certificate from ACS and installed it as the installation guide says. Additionally I configured the card's controller in my PC to manage the certificate.
    When I try to be validated by ACS I cannot go on, because a message appears that says "click to select a certificate"; after clicking, a window appears asking for user and password, which I did not expect to receive.
    The switch's port were configured as follows:
    aaa new-model
    aaa authentication dot1x default group radius+
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
    switchport mode access
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 3
    dot1x reauthentication
    radius-server host (ip address) auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key password
    What am I doing wrong, or is there something left?

    1) Did you install the certificate file on the local machine? (Right click >> Install Certificate >> and so on.)
    2) Are you using the built-in dot1x supplicant in Windows XP? Is the setting MD5?
    3) Did you select this installed certificate from the drop-down menu in the wireless software?
    Regards
    Farrukh

  • Using Multiple AD domains with ACS

    Hi,
    Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location, but the users will be from different domains, and I was hoping to use a single appliance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.
    In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
    Thanks in advance
    Jason

    Hi Javier,
    I understand that ACS can only join a single AD domain, but can it use LDAP to authenticate users from different AD domains? I don't want to have to establish trusts between different domains.
    Kind regards
    Jason

  • Problems in using a certificate with different versions of JVM

    Hi friends,
    I am facing a typical problem:
    I have to use a certificate which uses the sha1DSA signing algorithm to contact a web service (I am coding a client). I was using J2SDK_1.4.1_02 before. I added the certificate to the keystore and it was working fine. But when I upgraded my JRE to 1.4.2_13 the same code doesn't work. I got the following exception:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:570)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA12275)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.post(HttpSOAPConnection.java:263)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(HttpSOAPConnection.java:151)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:121)
         at TestRequest.getCustomerInfo(TestRequest.java:60)
         at TestRequest.main(TestRequest.java:122)
    After some investigation I found that this JRE is accepting only certificates with the sha1RSA signature algorithm. Please help me if anybody knows why this occurs, or whether this is an issue which is to be addressed on the server side.

    Hi Michal,
    Keeping in mind the recommendations of the Production Checklist...
    All other things being equal, homogenous deployments are usually less prone to surprises.
    But JDK 1.6 is noticeably faster than JDK 1.4, and features much better JMX support as well, so it's probably the better option.
    Jon Purdy
    Oracle

  • Does JCE 1.2.2 make use of a certificate with an expiration date?

    Does JCE 1.2.2 make use of a certificate with an expiration
    date?
    If so, what's the date?

    The validation code which checked for certificate expiration was only found in JCE 1.2.1. It WAS REMOVED from JCE 1.2.2 and all successive releases like JCE in JDK 1.4.x and 5.x (and soon in 6.x). This expiration problem was the primary reason for releasing JCE 1.2.2 over three years ago. Export control regulations changed following the release of JCE 1.2.1, and Sun released 1.2.2 shortly thereafter so that customers wouldn't have this expiration problem.
    This change is documented as the first bullet in the change log for JCE 1.2.2, which is found both in the product distribution itself and on the following JCE product page:
    http://java.sun.com/products/jce/jce122_changes.html
    That said, JCE 1.2.2 is indeed signed with a certificate which is valid until October 2006, HOWEVER the JCE 1.2.2 and JCE in JDK 1.4.x/5.x code no longer checks that expiration date. All it cares about is that the code signature is valid.
    My understanding is that BOTH JDK 1.3.x and JCE 1.2.2 are slated for End-of-Life on March 30th, 2006, and will no longer be supported by Sun. Both should continue to work after that time, but will no longer be supported.
    I hope that helps clear the confusion.

  • How can I use a servlet with RMI to avoid the trusted certificate error

    I know that to begin with RMI, you must launch the server and the client.
    For the server I use:
    java -Djavax.net.ssl.trustStore=server.keystore -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=server TestServer
    For the client I use:
    java -Djavax.net.ssl.trustStore=client.keystore -Djavax.net.ssl.keyStore=client.keystore -Djavax.net.ssl.keyStorePassword=client TestClient
    and all works fine.
    But I want to use a servlet as the RMI client, and I wrote this:
    import java.io.IOException;
    import java.io.PrintWriter;
    import java.rmi.Naming;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class AppelServlet extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            try {
                System.out.println("Registering secure RMI socket factory ...");
                // SecureRMISocketFactory and TestRemote are the poster's own classes
                java.rmi.server.RMISocketFactory.setSocketFactory(new SecureRMISocketFactory());
                TestRemote test = (TestRemote) Naming.lookup("rmi://127.0.0.1:7123/TestClient");
                String reponse = test.toLowerCase("HELLO WORLD");
                System.out.println("la reponse est : " + reponse);
            } catch (Exception e) {
                System.out.println("test client exception: " + e);
            }
            // content type must be set before the writer is obtained
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
        }
    }
    and i have the following error on tomcat:
    Registering secure RMI socket factory ...
    test client exception: java.rmi.ConnectIOException: error during JRMP connection
    establishment; nested exception is:
    javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
    I think I must specify how to indicate the truststore, as in the first case.
    Help me please.
    hamdi

    Hi,
    Try doing the following steps.
    Assuming you have obtained a certificate:
    Export the certificate into a .cer file.
    In IE, go to Tools -> Internet Options -> Content -> Certificates, and export to a .cer file.
    Using Java's keytool, import the certificate into the store to be used, with the following command:
    keytool -import -alias <alias> -file <.cer filename> -keystore <storename here>
    Set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties at the command prompt using the command below:
    java -Djavax.net.ssl.trustStore=<storename> -Djavax.net.ssl.trustStorePassword=<password> <classname>
    Let me know if this helped.
    Also take a look at this link for using RMI with SSL
    http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html
    Regards,
    Roopasri Vittal
    Developer Technical Support
    Sun Microsystems
    http://sun.com/developers/support

  • How do we create certificate with .pem extension using keytool

    Hi all,
    please tell me the procedure to create certificates using keytool with .pem extension.

    I don't think keytool can do this; try OpenSSL:
    openssl pkcs12 -in test.p12 -out test.pem
    David
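    Both the JRE-upgrade thread above ("No trusted certificate found" after moving to 1.4.2, with a sha1DSA-signed certificate) and this keytool question turn on what a keystore actually contains. The following is an added example, not code from either post, that opens a JKS or PKCS12 keystore, reports for each alias whether it is a private-key entry or a trusted certificate, its signature algorithm and validity window, and writes each certificate out in PEM form (the same BEGIN/END CERTIFICATE framing that "openssl pkcs12 -out test.pem" and "keytool -exportcert -rfc" emit). It assumes Java 8 or later for java.util.Base64; the default path "test.p12" and password "changeit" are placeholders, and the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from the forum posts): inventories a keystore and
 * renders its certificates as PEM. Assumes Java 8+ (java.util.Base64).
 */
public class KeyStoreReport {

    /** One line of findings per alias, returned rather than printed so a caller can act on it. */
    public static List<String> inspect(KeyStore ks) throws Exception {
        List<String> report = new ArrayList<String>();
        Date now = new Date();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // A TLS server needs at least one key entry; a truststore needs only trusted certificates.
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "TrustedCertificateEntry";
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                boolean inWindow = !x.getNotBefore().after(now) && !x.getNotAfter().before(now);
                report.add(alias + ": " + kind
                        + ", subject=" + x.getSubjectX500Principal()
                        + ", sigAlg=" + x.getSigAlgName()      // e.g. SHA1withDSA vs SHA1withRSA
                        + ", notAfter=" + x.getNotAfter()
                        + ", " + (inWindow ? "valid now" : "NOT VALID NOW"));
            } else {
                report.add(alias + ": " + kind + " (no X.509 certificate attached)");
            }
        }
        return report;
    }

    /** DER to PEM: Base64 in 64-column lines inside the standard certificate framing. */
    public static String toPem(Certificate c) throws Exception {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(c.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    /** Loads a keystore of the given type ("JKS" or "PKCS12") from disk. */
    public static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeyStoreReport <keystore-file> <JKS|PKCS12> <password>
        String path = args.length > 0 ? args[0] : "test.p12";                  // placeholder path
        String type = args.length > 1 ? args[1] : "PKCS12";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray(); // placeholder password
        KeyStore ks = load(path, type, password);
        for (String line : inspect(ks)) {
            System.out.println(line);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c != null) {
                System.out.print(toPem(c));
            }
        }
    }
}
```

    Pointing it at the truststore that stopped working after a JRE upgrade shows the exact signature algorithm and validity of each trust anchor, which is the first thing to compare between the two runtimes; pointing it at a PKCS12 file gives the PEM certificate without leaving Java. It writes only certificates, never private keys, so its output is safe to attach to a support case.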

  • Integrating Exchange 2013 & Lync Server 2013: can't use a certificate with Set-AuthConfig

    I'm trying to integrate Exchange and Lync Server. One of the first steps is to bind a correct certificate to IIS on all of the CAS servers and set it as the main certificate in the global AuthConfig object. The certificate must be the same on all of the CAS servers because the autodiscover.domain.local DNS record points to all of them, and Lync Server uses this FQDN to access the Exchange servers. The thumbprint of this certificate must be specified in the Set-AuthConfig command run on an Exchange server.
    We have an internal enterprise CA. I generated a certificate on one of the CAS servers and bound it to all of the Exchange services. Then I exported it, imported it on the second CAS server and bound it to all of the services as well. Now Exchange correctly uses it for OWA, for example, and IE gives no security warnings when I connect to OWA.
    However, whenever I run the Set-AuthConfig command on any server, it keeps telling me that
    The certificate with thumbprint XXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyNotAccessible).
    The key IS accessible: I can export the certificate along with its private key. What's wrong?

    Here's the answer.
    It seems that the -Server switch in the Set-AuthConfig command is only used to specify where you want to look for the certificate with the given thumbprint. However, it's impossible to predict which Exchange server will actually perform the operation (the -Server switch doesn't influence it a bit). It could be ANY server, even a mailbox one with no CAS role at all. And, of course, another Exchange server has no access to the certificate store of the CAS server where the certificate is actually stored. That was exactly the case in my environment.
    So in order to enable this certificate you must import it on ALL of your Exchange servers. You needn't (and even shouldn't) enable it for any services on your mailbox servers if you don't want to; just import it.

  • Using a SHA2 certificate with 12.1.1 (Oracle Wallet Manager 10.1.0.5)

    Hi folks,
    I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem.
    I've already logged an SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
    We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck.
    Anybody been there done that?
    Thanks very much,
    -Adam vonNieda

    I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem. What kind of problems?
    I've already logged a SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group, and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
    We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck. I am not sure if SHA2 is certified with EBS R12 so you might need to ask this question to Oracle Support. According to the following docs, SHA1 can be used with no issues.
    Enabling SSL in Oracle E-Business Suite Release 12 [ID 376700.1]
    SSL Primer: Enabling SSL in Oracle E-Business Suite Release 12 (Trial Certificate Example) [ID 1425103.1]
    Thanks,
    Hussein

  • How to use Self Signed certificate with SSLServerSocket?

    Hello to all.
    I'm trying to build a simple client/server system which uses SSLSocket to exchange data (Java SE 6).
    The server must have its own certificate; clients don't need one.
    I started with this
    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    To generate key for the server and a self signed certificate.
    To sum it up:
         Create a new keystore and self-signed certificate with corresponding public/private keys.
    keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
         Export and examine the self-signed certificate.
    keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
         Import the certificate into a new truststore.
    keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
    Then in my server code I do
    System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
    Socket s = sslServerSocket.accept();
    I am basically missing some point, because I get "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
    Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
    I have also tried this solution
    serverKeyStore = KeyStore.getInstance( "JKS" );
    serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
         "123456".toCharArray() );
    tmf = TrustManagerFactory.getInstance( "SunX509" );
    tmf.init( serverKeyStore );
    sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, tmf.getTrustManagers(),secureRandom );
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );
    and still it doesn't work.
    So what am I missing?

    You were right. I corrected the mistakes in the server code, now it's
    private SSLServerSocket setupSSLServerSocket() {
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // the server's own key and certificate come from the keystore via a KeyManager
            KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
            km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
            /* Use with a truststore if client authentication is needed:
             * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
             * tm.init(ks); */
            sslContext.init(km.getKeyManagers(), null, null);
            SSLServerSocketFactory f = sslContext.getServerSocketFactory();
            SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
            return ss;
        } catch (UnrecoverableKeyException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return null;
    }
    and on the client code
    private SSLSocket setupSSLClientSocket() {
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            /* SERVER side only, not needed here:
             * KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
             * km.init(ks, _KEYSTORE_PASSWORD.toCharArray()); */
            // the client only needs a TrustManager built from the truststore holding server.cer
            KeyStore clientks = KeyStore.getInstance("JKS");
            clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
            TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
            tm.init(clientks);
            sslContext.init(null, tm.getTrustManagers(), null);
            SSLSocketFactory f = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
            return sslSocket;
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return null;
    }
    and added a System.out.println(sslSocket); after every incoming message (server side), and SSL is now fully working!
    So my mistakes were:
    - Incorrect setup done by code
    - Incorrect and insufficient println() of socket status
    Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
    SERVER SIDE:
    System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
    System.setProperty("javax.net.ssl.keyStorePassword", KEYSTOREPASSWORD);
    SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
    CLIENT SIDE:
    System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "client");
    SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
    And everything is working as expected. Thank you!
    I hope my code will help someone else in the future.
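    Two threads above end up at the same place: the RMI servlet that cannot pass -Djavax.net.ssl.trustStore on a command line it does not control, and the SSLServerSocket server that failed with "No available certificate or key corresponds to the SSL cipher suites which are enabled" because it fed the keystore to a TrustManagerFactory instead of a KeyManagerFactory. The following is an added example, not code from either thread, that builds the SSLContext explicitly from files on both sides, checks up front that the server keystore actually holds a private key, and wraps the client context in an RMIClientSocketFactory so an RMI client inside a container needs no JVM flags. It assumes the /scratch/stores/server.jks and client.jks files and passwords from the keytool steps above; the class and method names are the example's own.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.Serializable;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the forum threads): explicit key/trust material, no -D flags. */
public class ExplicitTls {

    /** Loads a JKS file; a truststore is just a keystore that holds only trusted certificates. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** A server keystore without a key entry is exactly what produces the "No available certificate or key" error. */
    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) return true;
        }
        return false;
    }

    /** Server: KeyManagers from our keystore, no TrustManagers because clients are not authenticated. */
    static SSLContext serverContext(String keystore, char[] password) throws Exception {
        KeyStore ks = loadJks(keystore, password);
        if (!hasPrivateKey(ks)) {
            throw new IllegalStateException(keystore + " holds no PrivateKeyEntry; run keytool -genkeypair first");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Client: TrustManagers from the truststore that holds server.cer, no KeyManagers. */
    static SSLContext clientContext(String truststore, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststore, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** For the RMI-in-a-servlet case. The server passes an instance to
     *  UnicastRemoteObject.exportObject(obj, port, csf, ssf); RMI ships it to clients inside the stub,
     *  so it must be Serializable and must only hold values the client can use. */
    public static class TrustStoreClientSocketFactory implements RMIClientSocketFactory, Serializable {
        private static final long serialVersionUID = 1L;
        private final String truststore;
        private final char[] password;
        public TrustStoreClientSocketFactory(String truststore, char[] password) {
            this.truststore = truststore;
            this.password = password;
        }
        public Socket createSocket(String host, int port) throws IOException {
            try {
                return clientContext(truststore, password).getSocketFactory().createSocket(host, port);
            } catch (Exception e) {
                throw new IOException("cannot build TLS client context: " + e, e);
            }
        }
    }

    /** Demo: one TLS round trip over localhost with the two contexts above. */
    public static void main(String[] args) throws Exception {
        final int port = 8443;
        SSLContext server = serverContext("/scratch/stores/server.jks", "123456".toCharArray());
        final SSLServerSocket ss = (SSLServerSocket) server.getServerSocketFactory().createServerSocket(port);
        Thread acceptor = new Thread(new Runnable() {
            public void run() {
                try {
                    Socket s = ss.accept();
                    BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                    PrintWriter w = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "UTF-8"), true);
                    w.println("echo: " + r.readLine());
                    s.close();
                } catch (IOException e) { e.printStackTrace(); }
            }
        });
        acceptor.start();
        SSLContext client = clientContext("/scratch/stores/client.jks", "client".toCharArray());
        SSLSocket cs = (SSLSocket) client.getSocketFactory().createSocket("localhost", port);
        cs.startHandshake();   // trust and key problems surface here, before any application data is sent
        PrintWriter w = new PrintWriter(new OutputStreamWriter(cs.getOutputStream(), "UTF-8"), true);
        BufferedReader r = new BufferedReader(new InputStreamReader(cs.getInputStream(), "UTF-8"));
        w.println("hello");
        System.out.println(r.readLine());
        cs.close(); ss.close(); acceptor.join();
    }
}
```

    Calling startHandshake() explicitly makes a trust failure fail fast at the point where it is cheap to diagnose, instead of on the first read. Note that a raw SSLSocket does not check that the certificate's name matches the host it connected to; on Java 7 and later, set an endpoint identification algorithm of "HTTPS" through SSLParameters on the client socket when the certificate's subject is meant to be verified against the hostname.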
