Web security functions

Similar Messages

• SAP.Web.Security.TicketException: MYSAP_INVALID

  We recently updated our portal to the following:
  J2EE Engine 6.40 PatchLevel 108290.313
  Portal 6.0.20.0.0
  Previously sap.web.security dll worked fine but now I get this exception
  SAP.Web.Security.TicketException: MYSAP_INVALID
  I have tried all the suggestions in this forum and nothing works.  Does anyone have the orginal source code for this dll or a working solution ?
  the following code does get the ticket if I remove the handler from the web.config.....
              Dim cookieString As String = HttpUtility.UrlDecode((Request.Cookies("MYSAPSSO2").Value).Replace("!", "%2B"))
              Dim ticket As SAP.Web.Security.MySapSso2Ticket = New SAP.Web.Security.MySapSso2Ticket("verify.pse", cookieString)
              Dim objUsr As SAP.Web.Security.MySAPSso2Identity = New SAP.Web.Security.MySAPSso2Identity(ticket, cookieString)
  so why does the handler fail ?  driving me crazy.

  Ok so I added the code to the wiki in the attachment area. Hopefully Wiki mods don't delete it.  This works perfectly for our purposes and config.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/snippets/home&
  SSOTest.rar.jpg
  PortalSecurity.rar.jpg
  Right Click and save the files then remove the .jpg extension.  Open with WinRAR or Winzip.
  You will have to generate your own public key so take a look at the assemblyinfo.vb file.
  Steps to create your own public key
  C:DevelopmentPortalSecurityKeyFile>sn -k keyfile.snk
  Microsoft (R) .NET Framework Strong Name Utility  Version 1.1.4322.573
  Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
  Key pair written to keyfile.snk
  C:DevelopmentPortalSecurityKeyFile>sn -p keyfile.snk publickey.snk
  Microsoft (R) .NET Framework Strong Name Utility  Version 1.1.4322.573
  Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
  Public key written to publickey.snk
  C:DevelopmentPortalSecurityKeyFile>sn -t publickey.snk
  Microsoft (R) .NET Framework Strong Name Utility  Version 1.1.4322.573
  Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
  Public key token is [should display your Public Key Token]
  Other config...May not be necessary as you can change the code to do whatever you want.
  - Note 442401 - Web server filter for SSO to third-party systems
    (https://service.sap.com/sap/support/notes/442401)
  Extract the zip file attached to this SAP Note.  Follow the instructions in the SAP Note and the instructions in the "filterdocs" directory of the unzipped files. 
  For our environment, I copied the iss6_sso.dll (for IIS 6) and the verify.properties files into the "inetpubscripts" directory.  (There is a "verify.properties" file attached tot the source for your reference).  Note the reference to a verify.pse file in the 'verify.properties' file.  It should point to wherever the verify.pse file is, which in our case is "c:secverify.pse".   I also copied the WPSSO_V3.DLL file from the "C in
  ti386" directory to the system32 directory. 
  - Note 304450 - Single-Sign-On with SAP logon tickets in non-SAP systems
    (https://service.sap.com/sap/support/notes/304450)
  This SAP Note points the developer to SAPSSOEXT in SAP's software download area.  Use SAPCAR to unzip the downloaded file and follow the instructions in this SAP Note and the instructions in the DOCS directory (a PDF and a README.TXT file). 
  PDF Note:  The comments portion of the MySapEvalLogonTicketEx function declaration (Section 3.2 of the PDF) indicates that an environment variable named SSF_LIB must be created/exist.  It should point to the location of the SSF-compliant security library (ie: SAPSECU.DLL in the system32 directory).

• Ask the Expert:Cisco Web Security

  With Ryan Wager
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner ,and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
  Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.  
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011.. Visit this forum often to view responses to your questions and the questions of other community members.

  Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
  There are two conditions:
  1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, The WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
  2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
  You may refer to the following links for more information:
  WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
  Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
  Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x

• ASA5512-K9 CX AVC and Web Security Essentials

  I have purchased the ASA5512-K9 with the CX AVC and Web Security Essentials L-ASA5512-AW1Y as recommended by a Cisco pre-sales representative and my reseller for my environment.  I had previously believed from the documentation on the Cisco site that all X generation models had the CX software included on them in the state that they are sold.  Now in trying to configure the ASA5512, and with further reading of the setup documentation, I have discovered that I do not have the capability to access the CX functionality with this model 'as is', and this combination does not appear to be appropriate.  It appears that the CX software module is not actually included on the ASA5512-K9 model, but rather only on the ASA5512-SSD120-K9 model.  Could someone please verify for me that I have understood this correctly?
  If it is, then please advise if I should exchange the ASA5512-K9 for an ASA5512-SSD120-K9 to get the combination of this subscription license and ASA model working.  Am I correct in that the ASA5512-K9 model does not have a solid state drive on it already and so I can not download and install the CX software on it?   As an alternative, is it possible to purchase a Cisco solid state drive seperately, plug it into the ASA5512-K9, download the CX software, and then install it on this new drive in the ASA5512-K9? 
  I would greatly appreciate guidance from anyone who has experience with the ASA5512 line and CX.  I was unable to find help from Cisco pre-sales and technical support for this question via phone or online chat, and my reseller has been unable to answer this question for me so far.

  Hi!
  According to many documents, i.e. page 3 of http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/white_paper_c11-727394.pdf
  An SSD is required to run AVC and WSE on ASA 5500-X Series Next-Generation Firewalls. SSD bundles have the ASA CX software image pre-loaded, and customers receive a free 60-day trial of the WSE and AVC subscriptions.
  An SSD bundle is ASA5512-SSD120-K8 (or  ASA5512-SSD120-K9). So If you happened to buy ASA5512-K9 - Then you definitely need this SSD option -  ASA5500X-SSD120=.
  Cheers.

• Configure 2 Ironport web security boxes in HA mode

  Hi ALL,
  i want to ask something about ironport web security that how can i connect 2 boxes for HA.if top of that i have already 2 core switches in HSRP .
  Regards
  Prakash

  Prakash,
  HA for WSA boxes is a function of how you get the traffic to them.  If you're using explicit proxy, you can configure the PAC file for failover, or use DNS to resolve the proxy and let the DNS determine where to send it (DNS LB).  You could also use a web load balancer...
  If you're using WCCP, you could run that on the HRSP router or set it on your firewall(s).  If its on the router, you need to subscribe both WSA's to both routers, and make sure the access lists for the WCCP directed at one WSA don't process traffic from the other WSA.  (search the forum...) 

• Adobe Muse (2014.3) "Add Web Font" Function Not Working As Expected - Newly Added Fonts Become Unavailable Though Shown

  Hello.
  This has also been posted in the Community: Adobe Muse Bugs forum.
  I've been having some odd/irregular issues though they have now become fairly predictable in nature. The issue is in regards to Adobe Muse (2014.3) and the availability of web fonts provided through the applications "Add Web Fonts" feature. Once added they perform as expected but then become "unavailable." Full details below. I have been a Creative Cloud Complete subscriber for a number of years so am fairly familiar with the way in which the system works minus a few issues that have popped up now and then, this one included.
  System Info:
  Adobe Creative Cloud (Full Subscription): Version 1.9.1.474
  Adobe Muse: Version 2014.3
  OS X Yosemite: 10.10.2
  Here is a recap of what has been taking place. I'll detail the bug as best I can.
  1. Created new Adobe Muse project. Everything normal.
  2. Chose to add a new font through the "Add Web Fonts" function within Muse. A note, my Creative Cloud App is running/open at all times (in file synch mode).
  3. Chose new fonts using above. All seemed fine (see screenshots below).
  4. Fonts also were indicated as being "Synched" within Creative Cloud (screenshot below).
  5. As expected the two fonts were added to the list of available Web Fonts within Muse (first screenshot below - left). I added them successfully to my site. Well after a number of hours I went back to this same font selection menu within Muse and the fonts were still visible yet the sub-menu that one would expect showing various forms (i.e. Bold, Italic, etc) was not available. In a sense the font could not be chosen from the list even though the name is clearly visible (second screenshot below - right).
  Have no idea what may have been wrong. Saved Muse project, closed and reopened - nothing changed. Created new project - fonts still "shown" in menu but can't be used. Did find a vague description using Google of similar problem (different application) which recommended closing Creative Cloud Desktop App and reopening as one possible solution. This DID WORK initially yet the problem, though corrected for a period of time (few hours at most), would reappear again where one would again see yet not be able to choose from the two Web Fonts. Went so far as to uninstalling the Creative Cloud Desktop application and reinstalling. Still have not solved the problem.
  Any thoughts as to what this may be would be welcome. Restarting the CC app each and every time the fonts become unavailable is quite time consuming to my workflow.
  Thanks!

  Abhishek,
  Thank you for the reply. Wanted to comment on a few things.
  I reviewed the other post that you've referenced. Nothing unusual jumped out at me as something that I was not aware of. I'm running an older iMac that is in good working condition. 2.4 GHz Intel Core 2 Duo, 24" screen. I know this issue is fleeting, as I stated earlier typically can be corrected with a restart of the CC Desktop application (that I am always running at startup). I have not been able to determine that shutting down Muse corrects the issue. I would, at this time say it doesn't.
  I did open InDesign and see if the fonts in question, Open Sans and Open Sans Condensed, were present and usable. They were. The fonts are shown as being synched in my CC Desktop app window (even if they are not "installed" in Muse). That is expected but it may be a bug in how Muse brings in a font from those that are already synched to your CC account. I don't know enough about how that works to comment.
  And just to complicate matters, Muse seems to be working again, the fonts that is. I brought them back in and they are showing up in all locations (which there are actually three - see screen shots).
  First is primary text menu dropdown (to right of orange "Text").
  Second is if you click orange Text link. Another drop down menu appears.
  And lastly, the Text Panel to right of screen.
  I also wanted to add this extra bit of information, for what it is worth. When the issue arises and you do not get the sub-menu dropdown showing various styles of the font (italics, bold, etc.), one can use click on the missing font if you had used it previously and it is present in the "previously used font" list.
  Cheers!

• Downloads for different products e.g., Crawler Web Security won't take

  I attempted to download different toolbars and products such as from Crawler's Spyware and Web Security without any luck. It goes through the usual set-up windows and a window opens up to say that the downloads have been successfully completed. I cannot find them!

  Does the ext directory have the php_oci8.dll? In the original steps the PHP dir is renamed. In the given php.in the extension_dir looks like it has been updated correctly. Since PHP distributes php_oci8.dll by default I reckon there would be a very good chance that the problem was somewhere else. Since this is an old thread I don't think we'll get much value from speculation.
  -- cj

• Web Analysis functions not working in Workspace

  I am looking for a list of Web Analysis functions that are available in the Java client that will not work in the Workspace DHTML client (Version 9.3.1.0). Any guidance would be appreciated.

  There are 4 types of differences:
  - font differences, Workspace (DHTML) uses the WA Server fonts whereas WA Studio client machine fonts.
  - Service Buttons are very restricted using Workspace
  - Display: Tab selection, Splitter panels, Slider selection do not render in Workspace
  - Cannot restrict WA Tools menu in Workspace at all, where you can in the Studio.
  For exact details check out the Hyperion Web Analysis Studio User’s Guide from the Doc Library:
  http://download.oracle.com/docs/cd/E10530_01/doc/nav/portal_4.htm
  Cheers
  Iain

• Warning System spameater Unable to connect to Cisco Web Security Service.; URL Filter...

  My C670 ESA's have been throwing these alerts intermittently for the past few days, anyone else seeing them?
  The Warning message is:
  Unable to connect to Cisco Web Security Service.
  URL Filtering will not work correctly.
  Please verify all network, proxy and firewall settings.
  Connection to "v2.sds.cisco.com" failed.
  The last error seen on this connection: "Request failed with code: 28 (Connection time-out)"
  Version: 8.5.6-092
  Looks like it is open on port 443 and currently up.  Hitting it with a browser gives me:
  https://v2.sds.cisco.com/
  After an error or two they go away and appear OK.   
  Checking the logs I don't see a way to verify URL lookups are working, is there a way?
  Also, I setup URL filtering six months ago and had it set to only trigger on (-10)-(-9.5) and saw about an 80% false positive.  It has improved over the past six months drastically but still catching mostly advertising URLs and allowing all phishing URLs right through.  I've yet to see it block a phishing URL.
  Jason

  After lots of trial and error, I was able to eliminate this problem.  What I wound up doing is defining the XE service again in the listener.ora file:
  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = XE)
        (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
  I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERIVCE_LISTENER = (XE) at the bottom of the listener.ora file.  Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN.  The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN.  It still works OK.  The listener just seems to ignore the repeated definition of the XE service (see output below):
  C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
  LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
  .......(omitted output).......
  Service "XE" has 2 instance(s).
    Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
      Handler(s):
        "DEDICATED" established:0 refused:0
           LOCAL SERVER
    Instance "xe", status READY, has 1 handler(s) for this service...
      Handler(s):
        "DEDICATED" established:0 refused:0 state:ready
           LOCAL SERVER
  Service "XEXDB" has 1 instance(s).
    Instance "xe", status READY, has 1 handler(s) for this service...
      Handler(s):
        "D000" established:0 refused:0 current:0 max:1022 state:ready
           DISPATCHER <machine: DEV-M-137GF, pid: 5544>
  (ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
  The command completed successfully
  If anyone has a cleaner solution for this problem, please let me know.  Otherwise, I am moving forward with what I did.
  Thanks.....Paul

• Problem with CFMX web service function return

  I made a post yesterday about a web service function I was
  writing, as it turns out my post was extremly incorrect for my
  problem. With this web service function I can return an array just
  fine, I can return one instance of an object just fine, however,
  when I try to return an array of the object I keep getting the
  error:
  Could not perform web service invocation "SelectGames"
  because AxisFault faultCode: {
  http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode: faultString: [org.apache.axis.AxisFault : ; nested
  exception is: coldfusion.xml.rpc.CFCInvocationException:
  [java.lang.IncompatibleClassChangeError : Dependent CFC type(s)
  have been modified. Please refresh your web service client.]];
  nested exception is: coldfusion.xml.rpc.CFCInvocationException:
  [org.apache.axis.AxisFault : ; nested exception is:
  coldfusion.xml.rpc.CFCInvocationException:
  [java.lang.IncompatibleClassChangeError : Dependent CFC type(s)
  have been modified. Please refresh your web service client.]]
  faultActor: faultNode: faultDetail: {
  http://xml.apache.org/axis/}stackTrace:
  AxisFault faultCode: {
  http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode: faultString: [org.apache.axis.AxisFault : ; nested
  exception is: coldfusion.xml.rpc.CFCInvocationException:
  [java.lang.IncompatibleClassChangeError : Dependent CFC type(s)
  have been modifie..
  which basically means that the CF server needs restarted.
  However if I restart the CF server, no matter how many times I am
  still getting this error. If I change up my web service function to
  return just a normal array of integers or strings, or I change it
  to return one instance of the arbritrary complex type it all works
  just fine. I am still a little new on this subject and any
  enlightenment would be great. If anyone has found a way around this
  please let me know.
  Here is my complex type:
  <cfcomponent>
  <cfproperty name="Game_id" type="numeric">
  <cfproperty name="gameDate" type="date">
  <cfproperty name="Starttime" type="string">
  <cfproperty name="Place" type="string">
  <cfproperty name="Level" type="string">
  <cfproperty name="Sport" type="string">
  <cfproperty name="Gender" type="string">
  <cfproperty name="Opponent" type="string">
  <cfproperty name="Type" type="string">
  <cfproperty name="Link" type="string">
  </cfcomponent>
  I loop trhough a query and set a cfobject of the types above,
  then I append that object to an array and try t o return the array.
  Here is the basics of the loop:
  <cfset theArray = arrayNew(1)>
  <cfobject component = "games" name = "test>
  <cfloop query ...>
  <!--- set values to test ---->
  <cfset arrayApend(theArray, test)>
  </cfquery>
  <cfreturn theArray>
  my return type is array, I think the problem is I need to
  specify the return type to be an array of arbritray complex types
  which is impossible to do in CF. Anyone find a way to get around
  this?? Any feed back at all would be greatly appreciated.

  Yes, I have tried it and return type any does not work in
  this situation since this function is being consumed by a web
  service. It needs to be in the form of an array of arbritrary type
  that is defined in a cfc file. Since this is WSDL the returntype
  has to be specified to every last bit.

• Web service functions in SSO without username and password

  Is there a way to use the Public Report Web Service functions when configured in SSO and without passing a username and password? I was able to try out the web service and make it work. As we all know, you need to pass a username and password for each web service call unless your reports can be accessed by guests. In an SSO + LDAP server configuration, there are cases in which you are not allowed to get the password. The password can not be decrypted.
  Is there a way to still use web service? or do you need to use the url approach instead? But if you use the url approach then you may be limited to generating reports only.
  I'm thinking there should be since if you are already logged in for SSO then you should be able to generate.
  Any way to configure this?

  <i>When I access web reports from bw.</i>
  i hope you are not talking about BEX web reports , since you have mentioned ITS.
  Is it a standlone ITS or intergrated ITS?
  can you post the url pattern here.
  Regards
  Raja

• Cisco ISE or NAC Guest with web security (IronPort) integration

  All,
  We have a scenario where guests will be authenticated against the ISE or NAC Guest server, and customer will place an IronPort to provide web security, however, we can not find referentes whether IronPort can or cannot integrate with Guest Server, so that guests are not requested to be authenticated twice, one by the Guest Server, a one by the proxy. The idea is to keep it transparent for the guests with a single authentication.
  Has anyone there implemented such scenario?
  Thank you!

  I see. So, lets say we disable proxy authentication for the guest segment, can I still provide content filter for the segment, even though there is no proxy authentication? I assume customer will lose the reportinga and tracking granularity, but the scenario will work withou proxy authentication. This may be some sort of "man in the middle" only, but with content filter. Does it make sense?
  Thank you!

• Ask the Expert: Service Delivery Manager for Cloud Web Security with Alex Chan

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the recommended practices for Cisco Cloud Web Security (CWS).  Cisco Cloud Web Security (CWS) provides industry-leading security and control for the distributed enterprise, with Cisco expert Alex Chan.
  October 27, 2014 through November 7, 2014.
  Learn how users are protected everywhere and anytime, when using CWS through Cisco worldwide threat intelligence, advanced threat defense capabilities, and roaming user protection. Create a virtual space to learn and ask questions about best practice when implementing Cloud Web Security offerings for various customer requirements and environments. Alex will also answer questions about Easy ID, CWS as SAML Service Provider, Deployment Options (such as ASA, ISR, WSA, Workgroup based Connector and AnyConnect Web Security agent.
  Remember to use the rating system to let Alex know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

  Cisco CWS platform is one of the Cisco products that maintain collaboration with Cisco PSIRT, and there are few security vulnerabilities related to CWS were being monitored by PSIRT, which you can find out more about in: http://tools.cisco.com/security/center/home.x#~blog.
  Another Cisco entity known as "SenderBase" that is powered by Cisco Security Intelligence Operations (SIO) will provides a view into virus threat intelligence collected from CWS cloud traffics. For more information about "SenderBase", please visit this web site: http://www.senderbase.org

• Are we allowed to use the Web developer function in Firefox version 5.0 to edit the html source code associated with the Firefox home page?

  Locking at request of OP - https://support.mozilla.com/en-US/questions/844506
  Are we allowed to use the Web developer function, under the "Firefox" tab in Firefox version 5.0, to edit the html source code associated with the Firefox version 5.0 home page ( so that we can personalize the home page )? Is this legal?
  Sincerely in Christ,
  Russell E. Willis

  Solution: (Free Download Manager)
  Go here: http://codecpack.co/download/Free_Download_Manager.html and download Free Download Manager 3.8.1067 Beta 3, it works perfectly with Firefox 5.0.1
  Solution: (to Google mail aka Gmail)
  I have had this problem for a while since I did a previous Firefox update, where I had to force Gmail to load in Basic HTML else it's next to impossible to use it. The solution is this: simply update your Java, and Gmail will work without a problem using Standard HTML. To update your Java go here: http://www.java.com/en/ and select "Free Java Download".
  And beta normally, universally, means "the not quite there yet version of the version we're aiming for" NORMALLY used during production and testing of a type of software.

• Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA

  Hi Guys,
  Wondering if Any one has done this or could suggest the needful,
  We are running CUCM 10.5 cluster and currently using self-signed certificate for Tomcat. Now, we would like to get it signed by Third party CA.
  Just to be clear that we are doing this for Jabber clients so they should not get prompted for certificate Invalid.
  Now the issue; The CUCM is using IP address as hostname and for that reason we had to add the desired IP address under SAN (alternate name) through set web-security command. We did that successfully and restarted the Tomcat service and when we run the Show web-security command, it does show the added SAN;
   altNames: 2 names
            1) UCS-CUCM-UB.domain (dNSName)
            2) 10.x.x.x (dNSName)
  But when we try to generate the new CSR, it didn't contain the modified SAN, just the first one i.e only 1) UCS-CUCM-UB.domain (dNSName)
  Is there anything we missed here to get the added SAN being populated in the new CSR ?
  Regards
  M

  Hi Gordon,
  Thank you for your prompt response. For recommendation, you are right but we don't want to initiate that change for now unless, there is no other option left.
  While Generating new CSR, under SAN, there is only Parent Domain field which is populated with our domain name. How should I add the IP address there ?
  Regards