• RELEVANCY SCORE 4.46

    DB:4.46:Create Dedicated Send Connector For Tls cc




    Hello all

    Is it possible to create a send connector that is dedicated to sending mutual TLS to specific domains that require us to send mutual TLS, and another send connector that is used to send regular SMTP traffic to all other domains?
    Bulls on Parade

    DB:4.46:Create Dedicated Send Connector For Tls cc

    Send connector/Domain secured TLS
    http://technet.microsoft.com/en-us/library/aa998662.aspx
    http://technet.microsoft.com/en-us/library/aa997285.aspx
    http://technet.microsoft.com/en-us/library/bb123543.aspx#Step3
    Sukh

  • RELEVANCY SCORE 4.41

    DB:4.41:Mutual Tls 1z




    Hi,
    We have configured mutual TLS on our Exchange 2010, and we notice that the server receives the error message below:
    5.4.4 smtp;554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop #SMTP#
    We believe it should be something wrong with the receive connector.
    Does anyone else have this kind of issue?
    How many domains can we configure for mutual TLS?
    regards,
    shirobb

    DB:4.41:Mutual Tls 1z

    Hi,
    Can anyone share why we are getting the error message above?

  • RELEVANCY SCORE 4.18

    DB:4.18:Exchange 2010 Receive Connector Gets 530 5.7.1 Not Authenticated Error 3k




    Hi All, I am using Exchange 2010 SP2 with the HT, CAS and Mailbox roles (this is my test machine). I created a receive connector for mutual TLS in which I have added the remote servers with which I want to do mutual (Domain Secure) email transfer, and enabled TLS and
    Mutual TLS in the authentication tab only and Partners in the permission tab only. When I test these settings with my partners who are on Exchange Server or IronMail, they work fine. My problem occurs when I receive mails from MDaemon Pro 13.5: the problem
    is that I get a 530 5.7.1 Not Authenticated error. Can anyone help me understand why I am getting this?

    DB:4.18:Exchange 2010 Receive Connector Gets 530 5.7.1 Not Authenticated Error 3k

    One more thing: I checked the application log in Event Viewer and I get the following error from ExchangeTransport.

    A message from domain-secured domain 'sender.com' on connector 'Default WIN2K8' could not be authenticated because the server did not use Transport Layer Security (TLS).
    Contact the administrator for sender.com to resolve the problem, or remove the domain from the domain-secured list.

    Can anyone get an idea from this statement? To me it looks like the sender domain has not configured my domain for mutual TLS, and they do not have the TLS option either.

  • RELEVANCY SCORE 4.14

    DB:4.14:Question About E-Mail Encryption Via Tls With A Business Partner x8


    Hello,
    one of my partners would like to encrypt our mutual e-mail traffic via TLS. All unencrypted e-mails to or from the partner are to be rejected.
    For this I have already found a white paper from Microsoft: Configuring Mutual TLS for Domain Security

    http://technet.microsoft.com/de-de/library/bb266978%28EXCHG.80%29.aspx
    So far so good, but our Exchange server is not directly on the Internet; instead we use a collective mailbox on the Internet, fetch the e-mails from there via POPBeamer and also send through this mailbox.
    Is TLS encryption even possible in that setup?

    Thanks

    Regards, Roman

    DB:4.14:Question About E-Mail Encryption Via Tls With A Business Partner x8

    Good day,

    so I spoke with my provider today. They already send the mails with TLS encryption anyway, provided the other side supports it.
    So I only have to enable TLS encryption to the provider in my Exchange, and they do the rest.
    That will have to do for now.

    Thanks for your tips and hints.
    Regards, Roman

  • RELEVANCY SCORE 4.14

    DB:4.14:Tls 1.2 9p


    Does anyone know if OID 11.1.1.5.0 supports TLS 1.2? I know it does support TLS 1.0.
    Thanks

    DB:4.14:Tls 1.2 9p

    I think your best bet is to raise an SR and ask Oracle.

  • RELEVANCY SCORE 3.94

    DB:3.94:Importing Ad Certificates In Ovd Using Ssl jk


    Hi All,
    I am trying to connect OVD with AD.
    The AD is SSL enabled.
    I want to connect this AD to OVD.
    I have created an adapter. In that adapter,
    I have entered the LDAP server details and I have selected the check box "Use SSL/TLS".
    I have also selected the SSL authentication mode as Server Only Authentication / Mutual Authentication.
    In the LDAP server details it shows the status as "certificates trusted" (here it should be a green check mark).
    When I connect through OIM it gives me the following exception:

    exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    So how do I import the AD certificates into OVD so that the above exception is resolved?

    DB:3.94:Importing Ad Certificates In Ovd Using Ssl jk

    Hi,

    To export a CA cert from AD, log on as a domain administrator, use the Certificate Export Wizard from the MMC and save it in DER or Base64 encoded form.
    Importing the cert into the OVD Java keystore is documented at http://docs.oracle.com/cd/E15586_01/oid.1111/e10046/basic_adapters.htm#CHDBBFHA

    -Sylvain

  • RELEVANCY SCORE 3.84

    DB:3.84:Lync 2013 Tls Integration With Audiocodes M2000 pm


    Hi, all,
    I have struggled with it for a whole day. After trying different settings, I would like to share this with everyone.
    I am still not quite sure how SIP Secured, Unsecured and Secured work exactly. Unsecured is easy to understand as an unencrypted TCP SIP call.

    Does Secured mean encrypting both the TCP signaling and the RTP voice packets?
    How is TLS compatible with SIP Secured or Secured? How does Mutual Auth work? I hope someone can give me a good link for an explanation.
    Anyway, here is the setting in my AudioCodes M2K to work with Lync 2013. Before you follow it, I assume you may have successfully tested an unsecured PSTN gateway between Lync and (or) an AudioCodes gateway via TCP port 5060 and 5068 (Lync Mediation
    server port). You should have knowledge about those terms under 'Voice Routing' in Lync's control panel.
    1. First of all, I imported a certificate I created from my own CA server. It was created for sipgw.hidemydomain.com (I replaced my real domain with hidemydomain.com).
    For detailed steps, please see the guide linked below. You can go to page 'Step 2-3: Configure a Certificate'. DO NOT follow the other steps if you want to set up an AudioCodes M2K unless this gateway is dedicated to your testing.
    http://www.google.ca/url?sa=trct=jq=esrc=sfrm=1source=webcd=1cad=rjaved=0CE4QFjAAurl=http%3A%2F%2Fwww.audiocodes.com%2Ffilehandler.ashx%3Ffileid%3D1575796ei=hjO9UJ64DsyJ0QGRzoDgDAusg=AFQjCNH_4bV5fHTZPYa5R7TqSEtf83mvQwsig2=2vhwM7h33VzOe8WT85BU-A
    2. After the certificate part is done, export the same certificate from your CA server to install into your Lync server (or Exchange if you need UM).
    3. In AudioCodes, go to Security Settings - General Security Settings on the left side. Make sure these three items are disabled. Even though I saw that 'Mutual Auth' should be supported by both Lync and AudioCodes, I just had no luck bringing it up. Someone
    may, please, help further.

    TLS Mutual Authentication

    Peer Host Name Verification Mode

    TLS Client Verify Server Certificate

    4. In Protocol Configuration - Proxies/IpGroups/Registration - Proxy Sets Table, add your Lync server's IP as TLS.
    My AudioCodes M2K is used for our softswitch, and I don't want to change other settings. In order to take care of calls from Lync, you need to add Lync's IP into the proxy set.
    5. In Proxy Registration, make sure Gateway Name is the same as the name your CA created the certificate for. For example, sipgw.hidemydomain.com.
    6. For the same purpose as step 4, I need to set up a Tel to IP route for when there is an incoming call from the PSTN side and I want it routed to Lync. As below, number 1778945019 (0-9) will be routed to my Lync server. Port 5067 is the default non-TCP port of the Lync mediation
    server.

    Tel to IP routing entry 1 (columns as shown in the AudioCodes routing table):

    Src. Trunk Group ID:   1
    Dest. Phone Prefix:    1778945019*
    Source Phone Prefix:   *
    Dest. IP Address:      mylync.hidemydomain.com
    Port:                  5067
    Transport Type:        TLS
    Dest. IPGroup ID, IP Profile ID, Status: not shown

    7. Under the same routing table section, create an internal DNS record for mylync.hidemydomain.com pointing to your Lync's IP. It's the same steps if you would like to add your Exchange UM.
    8. Now, go to your Lync server and open Topology Builder. Make sure your mediation server has TCP disabled (TCP unchecked).

    9. Make sure your SIP trunk is set as 5061.

    10. Publish the topology and make sure your call plans, routes, policies, etc. are properly set up. You are ready to test. BTW, Encryption Support Level under 'Trunk Configuration' is set as Not Supported.

    DB:3.84:Lync 2013 Tls Integration With Audiocodes M2000 pm

    Hi,
    SIP Secured encrypts SIP traffic only, and Secured encrypts both SIP and RTP traffic.
    For more about encryption for Lync Server, please refer to this article: http://technet.microsoft.com/en-us/library/gg195673(OCS.14).aspx
    For more about TLS and MTLS for Lync Server, please refer to this document: http://technet.microsoft.com/en-us/library/gg195752(OCS.14).aspx

  • RELEVANCY SCORE 3.84

    DB:3.84:Sol Exception In Enterprise Mode jz



    Hello everybody,

    I'm testing the power management cycle on an Enterprise provisioned machine. The problem is that when the StartSerial method is called (in the SDK code) the return value of this function is a socket opening error. But when I tried with an SMB provisioned machine there is no error. I have been debugging and I have not found what's happening. The Enterprise machine is TLS secured (not mutual, just basic TLS) and provisioned with the SCS. I'm already getting the machine asset via WsMan, so I'm able to access it.

    Thanks a lot,

    Javier Andrés Cáceres Alvis

    DB:3.84:Sol Exception In Enterprise Mode jz

    Quoting - rogerb

    Hi Javier,

    That is a very good question considering the only valid sleep states in the system are S3, S4, and S5; the S1 and S2 states have been deprecated. I think that it is a good question for the Intel folks as to why the sleep state would be coming back as S1 or S2.

    Regards,

    Roger

    Hello Roger,

    I'm switching back to EOI cause this also affects asset functionality.

    See this thread: http://software.intel.com/en-us/forums/showthread.php?t=61450

    Thanks anyway,

    Javier Andrés Cáceres Alvis

  • RELEVANCY SCORE 3.84

    DB:3.84:Upgraded To 9.0.1 And Several Web Pages Are Garbage (E.G. Facebook). Help!!! 8p



    0
    0
    0

    Find Friends
    Friend Requests
    Karen Howard
    Marlise Swartz
    3 mutual friends
    Robert Soudant
    Len Krichko
    1 mutual friend
    Robert Mooney
    19 mutual friends
    Dave Doherty
    3 mutual friends
    Michael Lutz
    2 mutual friends
    Steve Haynes
    8 mutual friends
    Julian F. Santos
    Douglas Edwards
    3 mutual friends
    No new requests
    Show More
    See All Friend Requests27 requests

    Send a New Message

    DB:3.84:Upgraded To 9.0.1 And Several Web Pages Are Garbage (E.G. Facebook). Help!!! 8p



  • RELEVANCY SCORE 3.80

    DB:3.80:Tls Encryption - #550 5.7.1 m7


    Hi!
    Trying to set up TLS encryption between two organizations (1x Exchange 2010, 1x Exchange 2007).

    Followed these steps on both servers: http://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx
    Both servers have public certificates enabled for SMTP.
    When trying to send test mails via OWA from one organization to the other, I receive an NDR with the error:
    #550 5.7.1 Client does not have permissions to submit to this server ##
    In the SMTP log I can see STARTTLS and the send/receive certificates; everything looks ok, but when it comes to sending the message the 550 5.7.1 error follows.
    Settings on the receive connector should be ok:
    Authentication - TLS, Mutual TLS Auth
    Permission - Anonymous
    Thanks for any tips.
    cheers,
    Stefan

    DB:3.80:Tls Encryption - #550 5.7.1 m7

    This was driving me crazy and that fixed it for me too. Check Partner permissions for the receive connector.

    Thanks for posting the solution.
    Anise

  • RELEVANCY SCORE 3.77

    DB:3.77:Mutual Authentication Client For Web Service 88


    Hi,

    How can I tell Java to use this particular client certificate in mutual authentication?

    I have two certificates:

    1) cacert.pem and
    2) client.pem (includes the private key),

    client.pem is signed by cacert.pem and also contains the private key. I have the WSDL file for the web service that I have to call, and I can generate Java wrappers for it using wsdl2java.

    In fact I have just called web services that used server-only SSL/TLS authentication; in that case I just had to add the root/CA certificate (in cer format) to the JRE's cacerts file and use https for the web service URL, and all worked fine.

    Now I can't understand what to do for mutual authentication.
    Thanks in advance.

    Sohaib

    DB:3.77:Mutual Authentication Client For Web Service 88


  • RELEVANCY SCORE 3.70

    DB:3.70:Tmg 2010 Ex2010 Edge Role - Additional Receive Connector 7s


    Hello!
    I have TMG 2010 and the Exchange 2010 Edge role on the same machine. Edge Subscription with an Exchange 2010 Hub Transport server is enabled.
    Now I need an additional receive connector on the Edge role to handle TLS enforcement (mutual TLS does not work in this case). I understand that I can't add the connector on the Edge Exchange because TMG overwrites these changes. But when I try
    to add an SMTP route in the TMG console it won't let me, because routing is managed on the Hub Transport servers. But where? If I just add a receive connector on the Hub server, nothing gets replicated to the TMG/Edge machine. Where do I have to
    add the connector?

    DB:3.70:Tmg 2010 Ex2010 Edge Role - Additional Receive Connector 7s

    Hi,

    Thank you for the post.

    As far as I know, you can configure the receive connector via the Exchange Management console on the Forefront TMG server. Forefront TMG will not override this setting.
    Please take a look at this link: http://technet.microsoft.com/en-us/library/ee513174.aspx.

    Regards,Nick Gu - MSFT

  • RELEVANCY SCORE 3.70

    DB:3.70:Tls Domain Secure Email And Securenet Smart Host mp


    Hello

    I have to send and receive mutual TLS email to and from an external domain (bank). We currently do not use Edge servers; we use Securenet for AV and antispam. MX records for our domain point to Securenet, and we send outbound email to the Internet through
    Securenet via a smart host on a send connector. From reading the documentation around Exchange 2010 and mutual TLS, it doesn't sound like I can use a smart host for TLS? How can I get this to work when using a smart host in Exchange 2010? The high level
    steps I am thinking of taking are below; please let me know if I am on track with this.

    Thank you.

    #1 Import the cert into the Exchange 2010 HT servers and bind the cert to the SMTP protocol. Then follow http://technet.microsoft.com/en-us/library/bb123543.aspx#Step1 to configure TLS between the two domains.
    #2 Export the same cert and import it into Securenet, configure Securenet to accept the TLS SMTP traffic from the remote domain, and configure Securenet to send TLS SMTP traffic back to Exchange 2010.

    Will this work?
    Bulls on Parade

    DB:3.70:Tls Domain Secure Email And Securenet Smart Host mp

    Hi Skipster,

    Some other information for you :
    Exchange 2010 Domain message security
    For outbound email, if you have another send connector set to a specific domain, there is no need to bind a new IP for it.
    If you have any other confusing points, please feel free to let us know.

    Regards!

    Gavin
    TechNet Community Support

  • RELEVANCY SCORE 3.70

    DB:3.70:Mutual Tls W/Partner Domain Through Fope k3


    A little background. My company (DomainA) has a sister corporation (DomainB) on an entirely separate network. We both have 3rd party SSL certs from the same provider. We need to exchange e-mail securely.
    The following setup exists:

    DomainA has a send connector of type partner domain for DomainB with Mutual TLS enabled, and the FQDN matches the information in the SSL cert. DomainB has a send connector of type partner domain for DomainA with Mutual TLS enabled; the FQDN matches the information in the SSL cert.
    Until yesterday all seemed to be working; however, now the Systems Engineer at DomainB is stating that queues to DomainA are backing up and giving a Certificate Validation Error.

    DomainA has FOPE for all inbound mail and only accepts mail from the FOPE servers. DomainA connects directly to DomainB's mail server, so TLS encrypted e-mail
    communication works fine. DomainB's logs now reveal that the certificate it receives during the TLS exchange is the
    one for FOPE -- mail.global.frontbridge.com -- so it is delaying delivery of the e-mails.
    When he routes all traffic destined for DomainA back through his default send
    connector, everything works fine for DomainB - DomainA routed e-mail.
    My question is: how do I get this resolved? It was working perfectly fine until yesterday morning. Should I give it a couple of days to make sure it's not a FOPE glitch, or is there some trick to making Mutual TLS work between two domains, one of which has
    FOPE in place?
    Thanks in advance
    Thanks in advance

    DB:3.70:Mutual Tls W/Partner Domain Through Fope k3


    According to that part of the guide the only thing I forgot was the subnet in the IP address of their mail server. I will try that and see what happens.

    Apparently this did not work. Oh well. I've disabled it. I'm going to be looking at possibly using a Site-to-Site VPN for that domain and route mail over it. *sigh*. Not what I wanted to do since the functionality is built in.

  • RELEVANCY SCORE 3.70

    DB:3.70:Disable Tls On Firefox Android 18



    Hi, I want to disable TLS on Firefox for Android, but in the settings there is no TLS option. Please help.

    DB:3.70:Disable Tls On Firefox Android 18



    Hi hagi_mostafa, what version do you have on Android? The min/max settings are coming in Firefox 23. They are not in the released version.

    I don't think you will have to create them on Firefox 23, but it has been a while since I reviewed the documentation so I'm not 100% certain.

  • RELEVANCY SCORE 3.66

    DB:3.66:Exporting Manufacturing Root Certificate And Manufacturing Ca Certificate 7925g c7



    According to the instructions there should be an export link in the phone web interface under Certificate, but I don't see it.

    Does anybody have an idea how to export the certificate from the phone? I'm trying to use EAP-TLS for mutual authentication using ACS 4.2.

    thanks in advance

    Yong

    DB:3.66:Exporting Manufacturing Root Certificate And Manufacturing Ca Certificate 7925g c7


    Check out the document I wrote for how to export those certificates from phones for use with a RADIUS server for 802.1x: https://supportforums.cisco.com/docs/DOC-25798.  I'm not sure if this procedure works for 7925 since I've never tried it but I would assume it would work.

    Also the manufacturing root CA can be downloaded from the OS Administration page of CUCM.

  • RELEVANCY SCORE 3.58

    DB:3.58:How To Configure Multiple Tls Certificates In E2k7 ? a8


    Hello,
    I'm struggling finding detailed information on implementation of TLS in exchange 2007, and hopefully someone on this forum can shed some light:
    I have the following situation: I'd like to use a wildcard certificate from a 3rd party CA to do TLS on inbound and outbound SMTP traffic, and would like to use self-signed (internal CA) certificates for TLS within the Exchange organization and inside my firewall. I'm not using Edge Transport (as we have an external virus/spam filtering service). I need to ensure TLS encryption with some of our clients, as well as make sure that all internal traffic is secured. I have the following specific questions:
    1) I can add multiple certs to my hub using the import- and enable-exchangecertificate cmdlets, and end up with multiple certs enabled for SMTP. However there is NO method that I could find where I can associate specific certificate with a specific SMTP send or receive connector..... ? If this is done with built-in smartness, then how does E2K7 HUB transport determine when to use which certificate ?
    2) The Set-TransportConfig -TLSSendDomainSecureList command seems to be a shotgun approach to enabling TLS for secure partners.... My situation requires a little more granular control. The Partner already is forcing TLS on traffic he sends to external filtering service. I now need to force TLS on ALL incoming mail from the filtering service datacenters (can do that by checking Transport Layer Security TLS on authentication tab of the receive connector), however is this the same as Secure channel required in 2003 ? In other words, will this REQUIRE TLS (and fail in case TLS transport can not be negotiated) ?
    3) To force TLS on outbound connections to partner domains, I plan to create a separate send connector for just these domains.  The send connector only has option Enable Domain Security (MTLS) (So not just TLS, but MTLS). So what does this option do ? Will it FORCE TLS Require secure channel ? Under which conditions will it do MTLS ?
    4) Is the name on the certificate significant when one turns on Enable Domain Security (Mutual Auth TLS)? Does the domain name need to match the domain of the SMTP sender or receiver? Or the FQDN that the connector is configured to use when responding to HELO/EHLO?
    Thanks, Andre.
     

    DB:3.58:How To Configure Multiple Tls Certificates In E2k7 ? a8

    Minor Correction: (Set-SendConnector -Identity "07 TLS required" -RequireTLS $true)

  • RELEVANCY SCORE 3.56

    DB:3.56:Problem:Client Authentication From Server Side In Tls Implementation For Windows Mobile 3x


    Hello,
    I am implementing a TLS server for Windows Mobile, and for that I am using the Schannel protocol. I want mutual authentication, so I

    set the ASC_REQ_MUTUAL_AUTH flag in the AcceptSecurityContext API as an input parameter. After calling AcceptSecurityContext I got the ASC_REQ_MUTUAL_AUTH bit set in the output parameter.
    When I call QueryContextAttributes to get the client certificate information, I am not able to get it.
    My code is as follows:

    // SECPKG_ATTR_REMOTE_CERT_CONTEXT returns a PCCERT_CONTEXT (a pointer to the peer's
    // certificate), so the output variable must be a pointer, not a CERT_CONTEXT structure.
    PCCERT_CONTEXT m_pClientCertContext = NULL;
    SECURITY_STATUS scRet = pf->QueryContextAttributes(&srvCtx,
                                                       SECPKG_ATTR_REMOTE_CERT_CONTEXT,
                                                       &m_pClientCertContext);
    // On SEC_E_OK, m_pClientCertContext points to the client's certificate; release it
    // with CertFreeCertificateContext when it is no longer needed.

    This API is not filling the output structure m_pClientCertContext (I got all variables as zero and the pointers as bad pointers), even though this API is returning SEC_E_OK, meaning success.
    I am passing the proper value of CtxtHandle srvCtx.

    So could anyone help me solve this problem? What could be the problem?
    Thanks.

    DB:3.56:Problem:Client Authentication From Server Side In Tls Implementation For Windows Mobile 3x


  • RELEVANCY SCORE 3.55

    DB:3.55:Eap-Tls On A Wlc Controller fz


  • RELEVANCY SCORE 3.52

    DB:3.52:Cwa 2005 37


    Dear all,

    I reviewed all the deployment steps and I am not finding anything that could be wrong. I installed CWA 2005, deployed the machine certificate in MUTUAL TLS and it shows an OK sign. On the Virtual Server, I deployed the certificate published for the Internet and it shows OK on everything.

    When I access the site, I type my login@domain and on the next screen domain\username and password, but after some time processing the error below occurs:

    The session was ended. Communicator Web Access Server cannot log the user on to the Live Communications Server. (Error Code: 1)
    Does anyone have an idea what it could be? I searched the Internet and found nothing specific. The strange thing is that I can authenticate on the server through the site, since it appears in the server's Security logs, and there is no error in Application.

    Well, I await some reply.

    Thank you.

    DB:3.52:Cwa 2005 37

    Did you manage to solve this problem? If so, post the solution here!
    Regards, Bruno Estrozi - MCSE/MCTS/MCITP - Unified Communications Specialist | http://brunoestrozi.spaces.live.com

  • RELEVANCY SCORE 3.51

    DB:3.51:Mutual Authentication Certificate Selection Issue On Win7/Ie8 j8


    Hi all
    We use TLS mutual authentication, initiated via Internet Explorer. The users always have 2 certificates (possibly more) in their personal certificate store.
    The old client certificate selection dialogue in IE6/7 used a neat 2-column format, which we managed to intercept and make the right certificate selection for the user, improving usability for the user. (It would come up and be instantly dismissed.)
    The new dialogue (Windows 7, IE8) does not separate out the data, and we are struggling to make the auto-selection. Is there any way to revert to the old dialogue, or replace the certificate selection prompt with our own dialogue? Any alternatives?
    (One idea: is there any way to instruct the current prompt to filter on key usage? Since this would resolve to one cert, the prompt may not appear at all, which would be optimal!)
    Thanks,
    Simon.

  • RELEVANCY SCORE 3.50

    DB:3.50:Cisco Wireless Eap-Tls Authentication Issues 1c


    Hi,

    We have setup a new wireless environment and were looking at using EAP-TLS. This works ok, but no matter what we do it will never prompt for username and password credentials as well as the mutual certificate authentication. Is there a way that this can occur? We are using:

    Cisco WLC 7.2

    CISCO ACS 5.2

    MICROSOFT SERVER 2008 AD infrastructure

    Windows 7 PC

    Any info or articles greatly appreciated

    Kind regards

    David

    Sent from Cisco Technical Support iPad App

    DB:3.50:Cisco Wireless Eap-Tls Authentication Issues 1c


    EAP-TLS does not prompt for credentials. It uses the client's certificate to provide the client's identity.

    You need to read EAP-TLS deployment guide, it is interesting and useful: http://tiny.cc/l27ojw

    HTH

    Amjad

    You want to say "Thank you"? Don't. Just rate the useful answers, that is more useful than "Thank you".

  • RELEVANCY SCORE 3.50

    DB:3.50:Jax-Rpc - Setting Keystore Not Using System Properties ps


    Hi,

    I have a requirement to develop a server component (gateway) that connects to a web service over SSL (using mutual authentication - server and client certificates). Clients will then connect to the gateway and request data (sourced by the gateway from the web service).

    The web service will run on IIS and will be implemented in .NET. IIS will hold all client certificates and map them to one or more domain users.

    The (Java) gateway is required to handle multiple and concurrent clients, each with their own distinct client certificates. A client invokes a session with the gateway, and can then make multiple requests within the same session.

    Each time a client initiates a session with the gateway, it will provide its certificate + (private key) password. The gateway will then store the certificate and use it to make requests (on the client's behalf) to the web service (over HTTPS).

    Make sense?

    I have been able to use JAX-RPC successfully to call the web service using mutual authentication (as required), but as I am currently setting the keystore and keystore password (+truststore) using the system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword etc), the solution is not able to support concurrent users. What I need is a way to set the keystore on a client-by-client basis, where concurrent requests are isolated.

    I have written a small application to initiate an SSL connection to a secure web server (not a web service) using mutual authentication by using the following code snippet, but I need to do the same using SOAP:

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // CLIENT_KEY_STORE, clientpassphrase, privatekeypassword, SERVER_KEY_STORE,
    // serverpassphrase, host and port are defined elsewhere in the calling code.
    SSLSocketFactory factory = null;
    KeyManagerFactory kmfClient;
    KeyStore ksClient;

    KeyStore ksServer;
    TrustManagerFactory tmfServer;

    try
    {
        // client auth: this key store holds the client certificate and its private key
        kmfClient = KeyManagerFactory.getInstance("SunX509");
        ksClient = KeyStore.getInstance("JKS");
        ksClient.load(new FileInputStream(CLIENT_KEY_STORE), clientpassphrase);
        kmfClient.init(ksClient, privatekeypassword);

        // server auth: this store holds the CA certificate that signed the server's certificate
        ksServer = KeyStore.getInstance("JKS");
        ksServer.load(new FileInputStream(SERVER_KEY_STORE), serverpassphrase);
        tmfServer = TrustManagerFactory.getInstance("SunX509");
        tmfServer.init(ksServer);

        // both managers are bound to this SSLContext only, not to JVM-wide system properties
        SSLContext ctx;
        ctx = SSLContext.getInstance("TLS");
        ctx.init(kmfClient.getKeyManagers(), tmfServer.getTrustManagers(), null);

        factory = ctx.getSocketFactory();
    }
    catch (Exception e)
    {
        throw new IOException(e.getMessage(), e);   // keep the cause for diagnosis
    }

    SSLSocket socket = (SSLSocket)factory.createSocket(host, port);

    Can anyone help?

    Thanks in advance,

    Dave J

    DB:3.50:Jax-Rpc - Setting Keystore Not Using System Properties ps

    Hi,

    I am also involved in a similar project, but my concept is different.
    In my project I also have to develop a gateway for communication
    between 2 servers; that gateway could then serve as web services.

    Please follow my requirements.

    This is a new project, in which we are going to develop a new technology
    in telecommunication (GSM).
    My task is to develop a component-based gateway; this gateway is used for communication between two servers like HLR and IM-HSS (extension of HSS).

    In telecommunication the central database for all subscriber data is stored in the Home Location Registry (HLR), for both the circuit switched domain and the packet switched domain.

    But we are going to develop a new server called Home Subscriber Server
    (HSS), because this server will be developed totally based on web services, and we are completely concentrating on the packet switched domain because it supports the Internet and other gateways like GPRS, UMTS etc.

    My task is to develop a component-based gateway between
    HLR and IM-HSS (extension of HSS) for communication between the two servers. Later this gateway could serve as web services to IM-HSS.

    1. I have to develop the gateway using Java beans, and for web services
    WSDL.
    2. I need an application server
    3. J2SE
    4. Database.

    My questions
    1. What exactly does Gateway mean? To my understanding Gateway means developing programming logic to communicate with another, just like an Adapter. But to develop a gateway do I need an application server also?
    What software do I need to use to develop the gateway?

    2. How can I develop gateways using Java beans between these two servers for communication? Please give any simple hint to get this clear.

    3. Gateway between these two servers means only Java beans logic has
    to be developed, or do I need an application server also for gateways?
    4. Java beans means EJB, or what is the difference between these two?

    5. For web services do I need an application server?

    6. Where exactly does the application server fit between HLR and IM-HSS?

    7. Once I have developed the gateways, then these could be used for web services;
    what is the structure behind gateways and web services?

    8. What is the difference between J2SE and jdk1.4 and J2EE SDK?
    I am a bit confused by these versions.

    How can I start first to develop this gateway?
    I would be very grateful and appreciative if you could clear those up for me.

    Thanks,
    Fyrose.

  • RELEVANCY SCORE 3.49

    DB:3.49:Configure Tls Exchange 2010 ad


    Hi mates!
    I have Exchange 2010 organization (2 HUB/CAS, 2 DAG and 2 Edge).
    I need to configure TLS encryption with 5 other companies. Do I need Mutual TLS with each company? Will I need a certificate for each company? I've never configured TLS on Exchange 2010. Please, any suggestion?
    Thanks.

    DB:3.49:Configure Tls Exchange 2010 ad

    Ok, Opportunistic TLS is activated in Exchange 2010 by default. I will need to configure Enforced TLS or Mutual TLS...
    Is it possible to configure one Send Connector for all companies, adding the address space of each company?
    I found this article:
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/security-message-hygiene/exchange-2010-domain-security-part3.html
    Is the same, but with my 5 companies.. true?
    Regards.

  • RELEVANCY SCORE 3.49

    DB:3.49:Exchange Tls Query zj


    Hi,
    Could anyone confirm that it is possible to set up TLS mutual authentication with a remote site on a single Exchange 2010 server with core roles (Mailbox/Hub/CA),
    without having to use an Edge Transport server? The server in particular has a wildcard 3rd-party certificate.

    Many thanks

  • RELEVANCY SCORE 3.46

    DB:3.46:Mutual Authentication 7a


    DB:3.46:Mutual Authentication 7a


    Again I tried to get the sample examples... SimpleCertAuthenticater up and running,
    but still I have the trouble that "HTTP not found ..." shows up on an SSL access to a tested web app.

    I have no idea whats's the problem here.
    Paul

    Suresh Vallabhaneni suresh@bea.com wrote:
    Paul
    Cross-posting this question to servelt group.
    thanks

    Paul hettl wrote:

    Yes, I did this. I also have a certificate installed, but when I call the servlet that is protected, I get an HTTP page not found error.
    What I expected is: IE5 comes up with a client window asking me for the certificate to send.
    Are there some client options?

    Paul

    "Suresh Vallabhaneni" suresh@bea.com wrote:

    Paul
    Look in "Programming with the WebLogic Security SPI" section of WLS docs. You've a section on "Using Mutual Authentication" in which you'll find info about using mutual authentication with servlets. Let me know if this helps.
    thanks

    "Paul Hettl" Paul.hettl@gmx.de wrote:

    For my web app I want to turn on mutual authentication. I am not very familiar with this feature, so I would be happy to have some comments. What I want to do is: have a servlet-based web app that gets the user cert from an IE5 client and uses this for authentication.
    - is this possible?
    - do I have to write code for it (e.g. CertAuthenticator)?

    Thanks for comments. Paul

  • RELEVANCY SCORE 3.45

    DB:3.45:Mutual Authentication Vs2003 8k


    Hi,
    I am doing a B2B integration using HTTPS. The server application is developed using Java. I have developed a client in C# (VS2003).
    I have been issued a certificate from the server side that I use when I send an HTTPS request. Similarly, I have issued a certificate for the server application which it uses when it sends the response back to the client. It's like a mutual authentication.
    Everything works fine when I use the certificate issued by them and they don't use my certificate.
    When they start using my certificate I get this error:
    the underlying connection is closed: could not establish trust relationship for the SSL/TLS secure channel
    When I call the server URL using HTTPS (for e.g. https://ip_address:port) from the browser I was getting a popup for choosing the client certificate. I somehow managed to bypass this popup from the browser.
    Can anybody please tell me how I can make this work from my application?
    Thanks,
    Rabia


  • RELEVANCY SCORE 3.39

    DB:3.39:Support Of The Ciphersuite Tls_Rsa_With_Null_Sha as


    Hi,

    I need to implement mutual authentication in Java using the TLS protocol. It's for the Connectathon event managed by the IHE organization, and the only cipher suites authorized are TLS_RSA_WITH_NULL_SHA and TLS_RSA_WITH_AES_128_CBC_SHA.

    The Java implementation of JSSE doesn't support TLS_RSA_WITH_NULL_SHA and I have no idea how to make it work.

    I don't have enough time to build a JSSE provider working with this cipher suite. If you have any idea that can help me solve this problem

    Thanks,

    Jonathan

  • RELEVANCY SCORE 3.39

    DB:3.39:Smtp Open Relay 1j


    I've currently got a spam issue which I'm sure is caused by an open relay. But I can't find where the open relay is. By default, Exchange 2010 is a closed relay from my understanding, so it has to be a setting I configured. Here's what I have configured:

    Hub Transport Authentication Client
    All settings are checked except:
    -Enable Domain Security (Mutual Auth TLS)
    -Exchange Server authentication
    -Externally Secured

    Permission Groups
    -Exchange users

    Hub Transport Authentication Default
    All settings checked except:
    -Enable Domain Security (Mutual Auth TLS)
    -Externally Secured

    Permissions Group
    Selected are:
    -Anonymous users
    -Exchange users
    -Exchange servers
    -Legacy Exchange Servers

    DB:3.39:Smtp Open Relay 1j

    On Tue, 23 Oct 2012 18:44:12 0000, sheld0r wrote:

  • RELEVANCY SCORE 3.38

    DB:3.38:Web Services Https With Mutual Athentication j1


    I'm trying to call a web service on BEA WLS 8.1 via HTTPS with mutual authentication.

    An alert is sent from the server when the client tries to authenticate to the server.

    On the server I get the following error:

    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 HANDSHAKEMESSAGE: Certificate
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 validationCallback: validateErr = 16
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Required peer certificates not supplied by peer
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090508 Certificate chain received from flanders - 172.22.4.61 was incomplete.
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090477 Certificate chain received from flanders - 172.22.4.61 was not trusted causing SSL handshake failure.
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Validation error = 20
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is incomplete
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is untrusted
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 User defined JSSE trustmanagers not allowed to override
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLTrustValidator returns: 84
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Trust failure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 NEW ALERT: com.certicom.tls.record.alert.Alert@13a252a Severity: 2 Type: 40
    java.lang.Throwable: Stack trace
    at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

    On the client I get the following error:

    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220094 An IOException was thrown trying to access the WSDL at the given URL.
    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220034 A stack trace associated with message 220094 follows:

    javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from flanders - 172.22.4.61. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown Source)
    at com.certicom.net.ssl.internal.HttpURLConnection.getInputStream(Unknown Source)
    at weblogic.webservice.client.https.HttpsURLConnection.getInputStream(HttpsURLConnection.java:216)
    at weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(DefinitionFactory.java:87)
    at weblogic.webservice.tools.wsdlp.WSDLParser.init(WSDLParser.java:76)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:108)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:84)
    at weblogic.webservice.core.rpc.ServiceImpl.init(ServiceImpl.java:79)
    at com.etnoteam.timvas.srsv.interfaces.in.csp.activate.client.Activate_Impl.init(Activate_Impl.java:22)
    at clientPep1.main(clientPep1.java:149)

    DB:3.38:Web Services Https With Mutual Athentication j1

    Have you checked that the root CA is in your cacerts file?

  • RELEVANCY SCORE 3.37

    DB:3.37:Exchange 2003 Mutual Authentication Tls jx


    Hi all,
    Does anyone know if Exchange 2003 supports Domain Security / Mutual Authentication TLS for outbound email?
    Thanks and Regards,
    Irfan

    Irfan Goolab SALES ENGINEER (Microsoft UC) MCP, MCSA, MCTS, MCITP, MCT

    DB:3.37:Exchange 2003 Mutual Authentication Tls jx

    I would look at:
    http://support.microsoft.com/kb/829721
    How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server

    If that does not work for you, then consider sending outbound mail through a smarthost/3rd party provider that provides what you need.

  • RELEVANCY SCORE 3.37

    DB:3.37:Tomcat Mutual Authentication 87


    Hi,
    I have a problem.
    There are 2 applications running in my Tomcat,
    A and B.
    I have to mutually authenticate A but I don't want to mutually authenticate application B.
    Both are running on SSL.

    When I set clientAuth=true in server.xml, both A and B ask for mutual authentication.
    That's a problem for me.
    I have to mutually authenticate A but I don't want to mutually authenticate application B.

    How do I do it?
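One way to get what this question asks for, as an added example rather than anything posted in the thread: set the shared connector to clientAuth="want", so the handshake still succeeds when no certificate is sent, and enforce the certificate only in application A with a servlet filter that reads the javax.servlet.request.X509Certificate attribute Tomcat populates when a client certificate was presented and verified against the connector's truststore. The filter class, its web.xml mapping and the connector attributes shown in the comment are assumptions (javax.servlet API, Tomcat's HTTP/1.1 connector).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * server.xml (assumed): one HTTPS connector shared by both applications.
 * clientAuth="want" asks for a client certificate but does not fail the handshake without one.
 *
 *   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
 *              keystoreFile="conf/server.jks" keystorePass="changeit"
 *              truststoreFile="conf/clients.jks" truststorePass="changeit"
 *              clientAuth="want" sslProtocol="TLS"/>
 *
 * web.xml of application A only (assumed); application B gets no such filter:
 *
 *   <filter><filter-name>requireCert</filter-name>
 *           <filter-class>RequireClientCertFilter</filter-class></filter>
 *   <filter-mapping><filter-name>requireCert</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class RequireClientCertFilter implements Filter {

    /** Request attribute the Servlet spec defines for the verified client chain, leaf first. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client's leaf certificate, or null when the peer presented none. */
    public static X509Certificate clientCert(ServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            if (chain.length > 0) return chain[0];
        }
        return null;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate cert = clientCert(req);
        if (cert == null) {
            // Application A: no verified client certificate means no access.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        // Pass the authenticated identity downstream from the certificate itself, never from a header.
        req.setAttribute("clientDn", cert.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```

Caveat: with "want" the server still sends a CertificateRequest on every handshake, so a browser that holds a certificate issued by one of the connector's trusted CAs may prompt for it on application B as well; the certificate is merely not required there. If B must never ask, give it its own connector on a second port or address with clientAuth="false". Tomcat's per-application alternative, a <login-config> with <auth-method>CLIENT-CERT</auth-method>, obtains the certificate by renegotiating the TLS session, which TLS 1.3 removed, so check that your connector configuration still supports it before relying on it.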


  • RELEVANCY SCORE 3.36

    DB:3.36:Need Help How To Setup Tls Between Between Two Companies That Use Smarthosts - Microsoft Frontbridge ap


    Our companyA needs to send/receive emails via TLS to companyB. We have two internal Exchange 2007 Hub Transport servers that have send connectors that only send to our smarthost, Microsoft Frontbridge. We do not want to install an Edge server,
    and we can only continue to send/receive email outbound through the Microsoft Frontbridge smarthost. Within Frontbridge I can specify ForceTLS policies for specific domains and/or recipients. So I understand that I can force TLS to companyB via Frontbridge.
    What I'm not sure about is how to set up our internal Exchange properly. I have read the
    TechNet articles that discuss setting up mutual TLS between two companies, yet that requires the receive connector to include the IPs of companyB, which is not an option for us... we can only continue to receive email that comes from Frontbridge IPs.
    I'm looking for some guidance on:
    Setting up a public cert properly for two internal HTs to be used for TLS
    How to set up the receive connectors for TLS and for receiving TLS from companyB
    How to set up the send connectors for TLS to send out to companyB
    CompanyB says they already accept TLS, so they most likely have their public certs in place already for TLS send/receive.

    DB:3.36:Need Help How To Setup Tls Between Between Two Companies That Use Smarthosts - Microsoft Frontbridge ap

    As a FOPE customer, all my emails are TLS encrypted between our internal servers and FOPE just using our internal certs. However, once a customer needs to receive my TLS email, FOPE will first attempt to send it to them via TLS... if the customer has
    a 3rd party cert to receive TLS and is configured to receive TLS... then FOPE will verify their cert and send it on via TLS... if not, then FOPE will send it basic. I can also specify a domain policy in FOPE to ForceTLS so that certain addresses or domains
    will only be sent TLS and not basic/opportunistic.

  • RELEVANCY SCORE 3.36

    DB:3.36:Authentication In Failure Environment xf



    Hi everybody,

    I have been reading about Enterprise mode because it is the mode I want to use.

    I am pretty sure I am going to use SCS with AD and CA, but I have an important doubt.

    If I have configured my AMT-based network with mutual TLS authentication, using certificates for doing it, and a Windows failure occurs... how can I manage my AMT devices? If the AD and CA are down and I can't authenticate using them... can I access AMT devices using only user/password as if I were in Small Business Mode?

    I hope you can help me with that simple doubt

    Thanks a lot

    DB:3.36:Authentication In Failure Environment xf


    Quoting - alberto_sagan: Hi everybody,

    I have been reading about Enterprise mode because it is the mode I want to use.

    I am pretty sure I am going to use SCS with AD and CA, but I have an important doubt.

    If I have configured my AMT-based network with mutual TLS authentication, using certificates for doing it, and a Windows failure occurs... how can I manage my AMT devices? If the AD and CA are down and I can't authenticate using them... can I access AMT devices using only user/password as if I were in Small Business Mode?

    I hope you can help me with that simple doubt

    Thanks a lot

    Hi - once you provision your system in Enterprise Mode using either Server or Mutual Authentication you cannot access AMT using Digest Authentication unless you re-provision in Small Business Mode or Enterprise/NON-TLS.

    For the next part of your question, you would have to look at how your network environment is designed. In order to manage an AMT system, you have to be able to log on to a system that has your management software on it (or you can at least access the Web UI, perhaps). Both systems need to be accessible to each other on the network. If you are operating in Enterprise TLS with either Mutual or Server Authentication then your management console needs to have the right credentials in order to authenticate with the AMT system, so you are correct: if your AD/CA system goes down and you have not built redundancy into your network environment, you would not be able to authenticate with your AMT systems and so you would not be able to manage them until those systems were back online.

    Any other responses from our Forum Users?

  • RELEVANCY SCORE 3.36

    DB:3.36:Mutual Tls zx


    I installed a brand new OCS server with a certificate which we purchased from Verisign. Works great; users can connect with their clients in TLS mode. I would like to install CWA on another server and use the same cert. Can this be done, or do I need to purchase another cert?

    thks,

    DB:3.36:Mutual Tls zx

    You won't be able to use the same certificate because the servers have different names and FQDNs. You'll need to either deploy a Windows internal CA and request a certificate from that, or generate a CSR and request a certificate for your CWA server from Verisign. FQDNs and certificate subject names must match up everywhere within your entire OCS environment, otherwise nothing will work. There's no "ignore certificate errors" button when it comes to MTLS or MOC/LM.

  • RELEVANCY SCORE 3.36

    DB:3.36:Office Communicator Web Access Error 89


    Our current system and installation target are as in the list below.

    Current running version:
    MS OCS 2007 Version 3.0.6362.0
    Services
    : Front End, IM Conferencing, Telephony Conferencing

    Requirement installation:
    Communication Web access (CWA)

    Step -1 Installation (completed)

    Step -2 Activation (Mutual TLS certificate error occurs)

    Microsoft Office Communicator Web Access
    The certificate you selected is incorrect. Please select a valid Mutual TLS certificate.

    (This certificate is issued by the CA server with the same template as the Front End server certificate, but the error still occurs)

    DB:3.36:Office Communicator Web Access Error 89

    The certificate template should NOT be Web Server, as this does not have any MTLS capabilities (Client Only).
    A certificate template like Computer does have MTLS capabilities (both Client and Server).
    So you must choose another certificate!
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
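A check that covers the two certificate problems in this corpus: the WebLogic handshake failures above (certificate chain incomplete or untrusted, and the reply asking whether the root CA is in cacerts) and the OCS complaint about a certificate whose template lacks mutual-TLS capability. This is an added example, not code from either product: it reads a PEM or DER file holding the leaf and any intermediates, validates the chain with the JDK PKIX validator against a truststore such as cacerts, and reports which TLS roles the leaf's Extended Key Usage permits. File paths and the truststore password are command-line assumptions; revocation checking is switched off so the check runs offline.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example: is this certificate chain usable for mutual TLS against this truststore? */
public class MutualTlsCertCheck {
    // RFC 5280 extended key usage OIDs
    static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Load every certificate in a PEM or DER file, leaf first as sent on the wire. */
    public static List<X509Certificate> loadChain(String path)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new GeneralSecurityException("no certificates in " + path);
        return chain;
    }

    /** TLS roles the leaf may play. No EKU extension means unrestricted (RFC 5280 4.2.1.12). */
    public static String ekuRoles(X509Certificate leaf) throws GeneralSecurityException {
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku == null) return "unrestricted";
        boolean server = eku.contains(EKU_SERVER_AUTH);
        boolean client = eku.contains(EKU_CLIENT_AUTH);
        if (server && client) return "server+client";
        if (server) return "server-only";   // what a Web Server template typically yields
        if (client) return "client-only";
        return "neither";
    }

    /** PKIX-validate the chain against the trusted entries of a truststore (e.g. cacerts). */
    public static String validate(List<X509Certificate> chain, String trustStorePath, char[] pass)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, pass);
        }
        PKIXParameters params = new PKIXParameters(ts); // anchors = trusted certificate entries only
        params.setRevocationEnabled(false);             // offline check; enable CRL/OCSP in production

        // The trust anchor itself does not belong in the path: drop a trailing self-signed root.
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "trusted";
        } catch (CertPathValidatorException e) {
            // index -1 means the failure is not tied to one certificate (e.g. no anchor found)
            return "untrusted: " + e.getMessage() + " (chain index " + e.getIndex() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: chain.pem truststore.jks truststorePassword (cacerts: "changeit")
        List<X509Certificate> chain = loadChain(args[0]);
        X509Certificate leaf = chain.get(0);
        System.out.println("subject : " + leaf.getSubjectX500Principal());
        System.out.println("EKU     : " + ekuRoles(leaf));
        System.out.println("chain   : " + validate(chain, args[1], args[2].toCharArray()));
        leaf.checkValidity(); // throws if expired or not yet valid
    }
}
```

An "untrusted" result alongside CERT_CHAIN_INCOMPLETE in the WebLogic log usually means the client sent only its leaf: the fix is to include the intermediates in the keystore entry's chain (or to trust the issuing CA on the other side), not to add the leaf itself as a trusted certificate. A "server-only" EKU is exactly what the OCS activation step rejects for MTLS, where the same server must also act as a TLS client.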

  • RELEVANCY SCORE 3.35

    DB:3.35:Mutual Fund Buzz... 1f



    http://news.yahoo.com/s/usnews/20100928/ts_usnews/mutualfundbuzzforseptember28investorslostbiglastde...


  • RELEVANCY SCORE 3.35

    DB:3.35:Httpwebrequest With Self-Signed Certificate dd


    I'm trying to use a locally created self-signed certificate for mutual authentication TLS communication. I add this certificate to the HttpWebRequest.ClientCertificates collection, but this certificate is never selected as the client certificate for the channel. If I use a certificate that is issued by an issuer in the trusted root certificate store it works. Is there a way to get HttpWebRequest to select a certificate that is self-signed and not in the trusted root certificate store?


  • RELEVANCY SCORE 3.35

    DB:3.35:Tls kj


    Introduction:
    Transport Layer Security (TLS).

    TLS is a successor to the Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. It is a good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustration while debugging and troubleshooting encryption problems related to TLS.

    TLS Handshake:

    The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients. When a server and client communicate, the TLS protocol ensures that no third party may eavesdrop on, tamper with, or forge any message. A TLS message may span multiple TLS records.

    RFCs:
    RFC2246 TLS 1.0 - (formerly known as Secure Socket Layer - SSL)

    RFC4346 TLS 1.1


  • RELEVANCY SCORE 3.25

    DB:3.25:Ldap Ssl Mutual Authentication fz



    Hi All,

    is there a way to setup mutual authentication between weblogic and LDAP.

    kumar

    DB:3.25:Ldap Ssl Mutual Authentication fz

    "kumar" v_sk@yahoo.com wrote:
    Hi All,

    is there a way to setup mutual authentication between weblogic and LDAP.

    kumar


  • RELEVANCY SCORE 3.25

    DB:3.25:Usersrolesloginmodule And Client-Cert (Desperately) s8



    Hello there. I wonder what happened to my topic that I posted yesterday (25.)!?!
    But that is not the major problem I am struggling with. The past days I made several desperate efforts to use mutual authentication via certificates. The SSL handshake works so far - no problem here. But I need to use the content of the client certificate which is sent to the server for more specific authorization with role-based information from property files (UsersRolesLoginModule). Here are some snippets of the current project:
    - the connector in the jboss-service.xml of the built-in Tomcat:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
        address="${jboss.bind.address}" port="8443" scheme="https" secure="true">
        <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
            keystoreFile=".../server.ks"
            keystorePass="keystorepass"
            clientAuth="true"
            protocol="TLS"/>
    </Connector>

    DB:3.25:Usersrolesloginmodule And Client-Cert (Desperately) s8


    Probably a problem with the file encoding/white space differences on the two platforms.

  • RELEVANCY SCORE 3.23

    DB:3.23:Tls Mutual Authentication And Separate Default Smtp Routes Per Listener - Ironport C370 zc



    Dear all,

    We have two IronPort C370 ESAs, formed in a cluster.

    We need to route e-mails targeted to a special group using TLS Required/Verify.

    I have two questions:

    1. Is TLS mutual authentication possible on both incoming and outgoing?

    2. Due to the nature of the TLS need the existing listener cannot be used. So I created a new listener and respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS Required/Verify. The problem is that there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet, while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners?

    Thanks and kind regards,

    Gino.

    PS: Please bear with me and my questions. I am making my first steps in IronPort administration.

    DB:3.23:Tls Mutual Authentication And Separate Default Smtp Routes Per Listener - Ironport C370 zc


    I have made some sort of progress but I would also like to have your expert opinions.

    I have come to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s)' CA (containing SANs etc. for both the SMTP domain and the ESA itself), while if I spread our own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. The issue is that I will have to declare it in destination controls and it cannot be generic.

    Is there any way to make TLS Required/Verify with mutual authentication the default without having to set destination control(s)?

    As for my second question, I have come to understand that the additional listener is not an additional MTA and consequently I cannot have a separate default SMTP route (default = what is called "ALL" in IronPort). Still, if anyone knows something more it would be really helpful if it was shared.

  • RELEVANCY SCORE 3.22

    DB:3.22:Exchange 2007 Assured/Enfored Tls Send Connector d7


    Hi,
    Before implementing Assured/Enforced TLS for several domains we've been testing with http://www.checktls.com.
    The Assured/Enforced TLS receive connector is working; however, the send connector is not, as it is sending non-TLS email.

    Receive Connector: Set to receive email from 69.61.187.232 only, this is the Checktls.com email server, and Domain Security (Mutual Auth TLS) is enabled.

    Send Connector: Address space is TestSenderAssureTLS.CheckTLS.com and Domain Security (Mutual Auth TLS) is enabled. In order to test this I send an email to test@TestSenderAssureTLS.CheckTLS.com.

    Domain AssureTLS.CheckTLS.com is added to the TLSReceiveDomainSecureList.

    Any assistance much appreciated.
    Thanks,
    Denis

    DB:3.22:Exchange 2007 Assured/Enfored Tls Send Connector d7

    I'm doing that now, then I will have someone to test with :-) Should have done it that way to start, but wanted to test/learn first.
    Cheers.

  • RELEVANCY SCORE 3.19

    DB:3.19:Web Services Https With Mutual Athentication fa


    I'm trying to call a web service on BEA WLS 8.1 via HTTPS with mutual authentication.

    An alert is sent from the server when the client tries to authenticate to the server.

    On the server I get the following error:

    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 HANDSHAKEMESSAGE: Certificate
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 validationCallback: validateErr = 16
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Required peer certificates not supplied by peer
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090508 Certificate chain received from flanders - 172.22.4.61 was incomplete.
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090477 Certificate chain received from flanders - 172.22.4.61 was not trusted causing SSL handshake failure.
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Validation error = 20
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is incomplete
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is untrusted
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 User defined JSSE trustmanagers not allowed to override
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLTrustValidator returns: 84
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Trust failure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 NEW ALERT: com.certicom.tls.record.alert.Alert@13a252a Severity: 2 Type: 40
    java.lang.Throwable: Stack trace
    at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

    On the client I get the following error:

    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220094 An IOException was thrown trying to access the WSDL at the given URL.
    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220034 A stack trace associated with message 220094 follows:

    javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from flanders - 172.22.4.61. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown Source)
    at com.certicom.net.ssl.internal.HttpURLConnection.getInputStream(Unknown Source)
    at weblogic.webservice.client.https.HttpsURLConnection.getInputStream(HttpsURLConnection.java:216)
    at weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(DefinitionFactory.java:87)
    at weblogic.webservice.tools.wsdlp.WSDLParser.init(WSDLParser.java:76)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:108)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:84)
    at weblogic.webservice.core.rpc.ServiceImpl.init(ServiceImpl.java:79)
    at com.etnoteam.timvas.srsv.interfaces.in.csp.activate.client.Activate_Impl.init(Activate_Impl.java:22)
    at clientPep1.main(clientPep1.java:149)

    DB:3.19:Web Services Https With Mutual Athentication fa

    I have a similar problem now. Did you find out the cause? The server reports "Certificate chain is incomplete", but I checked the client certificate. It's ok.

    Running Weblogic Server 8.1, SP4 + Patch CR210310_81sp4

    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is incomplete
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 User defined JSSE trustmanagers not allowed to override
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLTrustValidator returns: 68
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Trust failure (68): CERT_CHAIN_INCOMPLETE
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:340)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write ALERT, offset = 0, length = 2
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 close(): 7080341
    ####Sep 26, 2005 1:53:01 PM MEST Debug TLS h00962.pnet.ch node1 ExecuteThread: '29' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLIOContextTable.removeContext(ctx): 5413348

  • RELEVANCY SCORE 3.19

    DB:3.19:Ive Enabled Domain Security On My Exchange 2010 Server Between Two Domain For Both Inbound And Outbound Emails... 3p


    Hi Team,
    I've enabled domain security on my Exchange 2010 servers (lab environment) between two domains for both inbound and outbound emails, and the mail flow is now domain secured between these two domains, but now I want to do it for all possible external domains in a production environment. How?
    Can both Mutual and Opportunistic TLS be enabled at the same time, if yes, how? Practically speaking which one is more secure and better to use MTLS or OTLS?
    Any Help?
    Thanks.

    Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. 9221-2429051 Ext-226 F. 9221-2428777 M. 92300-8262627 Web. www.premier.com.pk

    DB:3.19:Ive Enabled Domain Security On My Exchange 2010 Server Between Two Domain For Both Inbound And Outbound Emails... 3p

    Are you planning to trust every domain that sends to you? :)
    Practically speaking, you can't set MTLS with *all* possible domains; it's only used for specific scenarios with partners that trust each other. The certificates between them are used to encrypt the connection and serve as a method to, well, trust each other (I am who I say I am).
    Opportunistic TLS, on the other hand, simply offers SMTP over TLS and uses it when both the sending and receiving server support it, and typically does not verify the cert or even whether it's expired.
    If Opp. TLS isn't supported by the SMTP gateway, Opp. TLS will fall back to plain SMTP and the SMTP conversation will continue. On the other hand, if cert verification fails with MTLS, the connection will fail entirely.
    So, bottom line: enable Opp. TLS as a general rule and use Domain/Mutual TLS with custom connectors only for those partners with which you have a relationship and where you require that TLS is the only method used for SMTP transactions between you and them.

    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
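    As an added example (not code from the thread or from Exchange), here is a small Python model of the policy the answer above describes: a domain-secure list (the analogue of Exchange's TLSSendDomainSecureList) decides whether a destination gets enforced, certificate-verified TLS that fails closed, or opportunistic TLS that falls back to plain SMTP. The EHLO replies, domain names and certificate names are constructed; the exact-name check on the certificate is a simplification of what a real MTA does.

```python
import ssl
from dataclasses import dataclass
from typing import Optional, Set

# Constructed EHLO replies standing in for what a remote MTA returns.
EHLO_WITH_STARTTLS = (
    "250-mx.partner.example\r\n"
    "250-SIZE 31457280\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_PLAIN_ONLY = (
    "250-mx.other.example\r\n"
    "250-SIZE 31457280\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_keywords(reply: str) -> Set[str]:
    """Return the upper-cased EHLO keywords of a multi-line 250 reply.
    The first 250 line carries the server's name, not a keyword."""
    keywords: Set[str] = set()
    greeting_seen = False
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue                      # not part of the 250 reply
        body = line[4:].strip()           # drop "250-" or "250 "
        if not greeting_seen:
            greeting_seen = True          # skip the server-name line
            continue
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


@dataclass
class PeerOffer:
    """What the remote server offered: its EHLO keywords and, once TLS is
    up, the names (CN/SAN) in its certificate. cert_names is None when the
    chain did not validate against our trusted CAs."""
    ehlo_keywords: Set[str]
    cert_names: Optional[Set[str]] = None


def tls_context(enforced: bool) -> ssl.SSLContext:
    """Verifying context for domain-secured partners; a non-verifying one
    for opportunistic TLS (encrypt if offered, accept any certificate)."""
    ctx = ssl.create_default_context()
    if not enforced:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def decide_delivery(domain: str, offer: PeerOffer, secure_domains: Set[str]) -> str:
    """Outcome of one outbound delivery attempt.

    Domain-secured partner: STARTTLS must be offered, the chain must validate
    and the certificate must carry the partner's SMTP domain name; on any
    miss the message is held back (never sent in the clear).
    Everyone else: STARTTLS if offered, plain SMTP otherwise."""
    domain = domain.lower()
    enforced = domain in secure_domains
    if "STARTTLS" not in offer.ehlo_keywords:
        return "fail: TLS required but not offered" if enforced else "plain"
    if not enforced:
        return "tls-opportunistic"
    if offer.cert_names is None:
        return "fail: certificate chain untrusted"
    if domain not in {n.lower() for n in offer.cert_names}:
        # e.g. a cert naming only mail1.partner.example does not satisfy
        # domain security for partner.example
        return "fail: certificate does not name " + domain
    return "tls-domain-secured"


if __name__ == "__main__":
    secure = {"partner.example"}
    good = PeerOffer(parse_ehlo_keywords(EHLO_WITH_STARTTLS),
                     {"partner.example", "mx.partner.example"})
    for dom, off in [("partner.example", good),
                     ("other.example", PeerOffer(parse_ehlo_keywords(EHLO_PLAIN_ONLY))),
                     ("partner.example", PeerOffer({"STARTTLS"}, {"mail1.partner.example"}))]:
        print(dom, "->", decide_delivery(dom, off, secure))
```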

  • RELEVANCY SCORE 3.18

    DB:3.18:Blogs- ak


    I have got 1 requirement. I had created a blog site and now
    added 3 new categories: banking, insurance, mutual fund.
    Users have posted comments under a specific category; let's say, for example, user1 under banking: "sbi is better" and user2 under banking: "kotak is better",
    user3 under mutual fund: "ICICI Mutual fund is better".
    Now I am pulling data using CQWP (XSLT included); I want to display data as shown below:
    banking
    sbi is better
    kotak is better
    mutual fund
    ICICI Mutual fund is better

    Presently I am getting the data displayed as follows:

    banking
    sbi is better
    banking
    kotak is better
    mutual fund
    ICICI Mutual fund is better

    Please provide help.

    DB:3.18:Blogs- ak

    Hi,
    Where is the XSLT?

    Best regards,

    Riwut Libinuko
    SharePoint Architect, Singapore
    Microsoft MVP | SharePoint Server | Singapore
    Blog : http://blog.libinuko.com

  • RELEVANCY SCORE 3.18

    DB:3.18:Mutual Tls For Windows Mobile 6.1 With Native Rtc Client(Internet Calling) Available On Phones. 8m


    Hi, how do we set the TLS certificate path that an Internet calling (RTC) client on Windows Mobile 6.1 would use to set up a Mutual TLS session? Is there some parameter in the SIP settings on Windows Mobile, or based on some parameter in the SIP settings will it identify the certificate in the cert store?

    DB:3.18:Mutual Tls For Windows Mobile 6.1 With Native Rtc Client(Internet Calling) Available On Phones. 8m

    Hi Dhruvin Desai,
    Please refer to the following articles:
    How to: Set Up a Certificate for Secure SIP Peer Communication
    How to: Configure a SIP Peer for Mutual TLS
    Best regards,
    Guang-Ming Bian - MSFT
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

  • RELEVANCY SCORE 3.15

    DB:3.15:Tls Encryption Tls_Rsa_With_3des_Ede_Cbc_Sha Support jm



    Does JBoss support the TLS encryption TLS_RSA_WITH_3DES_EDE_CBC_SHA?

    DB:3.15:Tls Encryption Tls_Rsa_With_3des_Ede_Cbc_Sha Support jm


    As per the JSSE reference guide, TLS_KRB5_WITH_3DES_EDE_CBC_SHA is not enabled by default. Does JBoss enable this cipher?

  • RELEVANCY SCORE 3.15

    DB:3.15:Adding A Commercial Cert.P7b To Edge Transport Servers For Tls cf


    I've got Exchange 2010 setup with 2 CAS servers, 2 MB servers, 2 HT servers, and 2 ET servers in our DMZ.
    Up until now we are simply using the default self signed certs, and have edge synchronization in place.
    Everything is working AOK, but I now want to add a commercial cert on our edge servers so we can setup mutual TLS with a partner organization.
    Here's where I'm unclear:
    I received a cert with a CN of our external MX record, and with SANs of the FQDNs of our Edge Transport servers and accepted domains.
    This cert is in a p7b format (so there's no private key attached to it).
    Do I copy the cert to the ET servers and import from there (and is it OK to import in that format)?
    Will the in-place self-signed certs be affected, or will they be replaced? I'm just concerned that when I import the new one, my external traffic will be disrupted during the process.
    What's the best way to do this?
    DQ

  • RELEVANCY SCORE 3.15

    DB:3.15:Mutual Redistribution Between Eigrp And Bgp xc



    I have to do a mutual redistribution between EIGRP and BGP, can anyone help me?

    -Sai.

    DB:3.15:Mutual Redistribution Between Eigrp And Bgp xc


    Hi,

    Config R2:

    router bgp 1
     network 131.108.0.0
     neighbor 192.5.10.1 remote-as 2
     neighbor 192.5.10.15 remote-as 1
     neighbor 192.5.10.24 remote-as 3
     redistribute eigrp 1 metric 10000 100 255 1 1500
     distribute-list 1 out eigrp 1

    All networks that should be advertised from the router are controlled with an access list:

    access-list 1 permit 131.108.0.0
    access-list 1 permit 150.136.0.0
    access-list 1 permit 128.125.0.0

    router eigrp 1
     network 131.108.0.0
     network 192.5.10.0
     ! EIGRP needs a seed metric (or a default-metric) or the BGP routes are not redistributed
     redistribute bgp 1 metric 10000 100 255 1 1500

    The five metric values are:

    bandwidth: in units of kilobits per second; 10000 for Ethernet

    delay: in units of tens of microseconds; for Ethernet it is 100 x 10 microseconds = 1 ms

    reliability: 255 for 100 percent reliability

    load: effective load on the link expressed as a number from 0 to 255 (255 is 100 percent loading)

    MTU: minimum MTU of the path; usually equals that of the Ethernet interface, which is 1500 bytes

    Also the link provided below will help.

    Hope this helps.

    Regards

    Pravin

  • RELEVANCY SCORE 3.15

    DB:3.15:Mutual Tls With Load Balanced Edge Servers 99


    Hello,
    We are in the process of migrating from Exchange 2007 to Exchange 2010, we are planning to have two Exchange 2010 Edge servers behind F5. Our new ssl cert has the following names
    mail.contoso.com, autodiscover.contoso.com, legacy.contoso.com
    In future we will be implementing mutual TLS with our partner, I need to know if we need any additional name on the cert to setup TLS.
    Thanks,

    DB:3.15:Mutual Tls With Load Balanced Edge Servers 99

    When you say DNS name of the VIP, are you referring to the external name of the MX record? Assume it is mail.contoso.com and the load balancer will be handling the traffic, or do I need to create an internal DNS entry such as smtp.contoso.com?
    Also what about the receive connector FQDN? It is my understanding that the FQDN name on the Edge server receive connector must be on the certificate for TLS, what fqdn we need to set on the receive connector?
    Thanks.

  • RELEVANCY SCORE 3.15

    DB:3.15:Tls 1.2 Roadmap ? 81


    When will Java support TLS 1.2 ?

    DB:3.15:Tls 1.2 Roadmap ? 81

    abentley wrote:
    @kajbj: Ok. so, Is this the best forum to get an answer?

    Read reply #3 again, but note that he doesn't say the networking forums on this site. He's talking about the site [http://www.java.net]

  • RELEVANCY SCORE 3.15

    DB:3.15:Mutual Tls In Exchange 2007 With Tumbleweed And Postini 9m


    So I have gotten as far as getting my certs from Verisign. I have imported them to both my CAS servers. I have turned on TLS on Postini, not yet for Tumbleweed because it is a little more involved. Right now we have all our mail going from Exchange (via send connector) to the Tumbleweed firewall server. So my SMTP connector says to route mail through the following smart host. My problem is that I want to enable Mutual Auth TLS but it is grayed out.
    How do I do that on the Exchange side without breaking things to our Tumbleweed server?

    DB:3.15:Mutual Tls In Exchange 2007 With Tumbleweed And Postini 9m


    Hi,

    To enable TLS between exchange server and Smart host:

    1. Open the send connector's properties.

    2. In Network tab, click Change.

    3. Select Basic authentication then check the box Basic Authentication Over TLS

  • RELEVANCY SCORE 3.15

    DB:3.15:[E2010][Ta][C#] What Transportagent Event And Method Should Be Used To Replace Tls Certificate? mm


    I can't rely on the certificates I need being present in the local store. What TransportAgent event will allow me to replace the TLS certificate with one of my choosing?
    For example: an SMTP server sends a Mutual Auth TLS request to a second server. In this case the Subject name or the subject alternative name of the certificate has to match.
    When I'm hosting many different DNS domains on the same Hub Transport and I partner with an external HT, I want to present my certificates as authoritative for that domain. I feel uneasy about storing 10,000 public keys (each key storing one Subject and 0 or more Alternative names) in DAPI / the certificate store.

    The only solution I can come up with is to dynamically fetch the certificate from a Directory and cache the keys in the Agent.
    I'm interested in modifications to a single HT server when SENDING email.


  • RELEVANCY SCORE 3.12

    DB:3.12:Exchange 2010 Send Connector Config dk


    One of my customers is setting up a send connector on their Exchange 2010 Edge server to allow all e-mail sent to my organization to be encrypted using TLS. He would like to enable mutual TLS on his end, but it is failing because the 2 edge appliances on my end (not Exchange) have certificates with the names mail1.mydomain.com and mail2.mydomain.com. The mutual auth is failing because it is looking for a cert with the mydomain.com name.
    Is there a way to configure the send connector on his end to use mutual auth TLS and accept the names mail1.mydomain.com and mail2.mydomain.com?

    DB:3.12:Exchange 2010 Send Connector Config dk

    You obviously add your domain name(s) instead of Woodgrove bank.

  • RELEVANCY SCORE 3.11

    DB:3.11:Two Factor Authentication pd



    My security team have tasked me with finding an authentication mechanism similar to EAP-TLS that also uses user IDs and passwords.

    EAP-FAST would fit the bill, but we don't want to run a PAC deployment alongside our PKI infrastructure.

    I was originally going to go with PEAP-MSCHAPv2, but the certificate used is a server certificate, and the security team's requirement is for a client certificate (individually revocable) and optionally a server certificate (for mutual authentication).

    I really don't want to go down the VPN route either.

    Does anyone know of an EAP type that fits the bill?


  • RELEVANCY SCORE 3.11

    DB:3.11:Eap-Tls Supported On Aironet 350 Pc Card Under Windows Ce /Pocket Pc 2000? za



    Hi-

    I'm trying to find out whether or not EAP-TLS is supported on an Aironet 350 used on an HP Jornada 720 (Pocket PC 2000).

    Another Cisco site says:

    ·Support of popular operating systems—Windows 95, Windows 98/98SE, Windows 2000, Windows ME, Windows NT, Windows XP, Mac OS 9.X, MAC OS X, Windows CE, Linux and MS-DOS.

    ·Cisco Wireless Security Suite including:

    ·Authentication:

    ·802.1X support including Cisco LEAP, PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM to yield mutual authentication and dynamic, per-user, per-session WEP keys.

    However, I suspect this is just a general 'features' sort of document. I have my doubts that Cisco would bother implementing all of this for a 3-year-old, superseded OS that no one else is bothering with, and feel the need to check.

    Anyone have any experience of Pocket PC 2000 and 802.1x authentication?

    Cheers-

    0r8it

    DB:3.11:Eap-Tls Supported On Aironet 350 Pc Card Under Windows Ce /Pocket Pc 2000? za


    Thanks Thomas-

    yeah, you're right about it being an MS thing.

    And the answer was no!

    Cheers-

    0r8it

  • RELEVANCY SCORE 3.11

    DB:3.11:How Can I Set Up Mutual Tls For Interacting With An Sts Server Through Wse3 ss


    Hello, I use the following code to get a token from an STS:

    SecurityTokenServiceClient tokenProxy = new SecurityTokenServiceClient( endpoint );
    RequestSecurityToken rst = new RequestSecurityToken( requestedTokenType );
    // issue the request through the proxy created above
    RequestSecurityTokenResponse rstr = tokenProxy.IssueSecurityToken( rst );

    How can I set the client certificate to authenticate the STS client to the STS server? Thanks.


  • RELEVANCY SCORE 3.07

    DB:3.07:Send Secure Smtp From Outlook/Thunderbird/Scanner? zx


    I have a requirement to be able to send secure email from outside our network. This could be from Outlook, Thunderbird or a scanner with email capabilities.

    I set up a new receive connector in Exchange 2010 EMC:
    Name: Secure Outside Relay
    HELO response: FQDN of our SSL certificate (same as OWA, Outlook Anywhere, etc)
    Port: 587
    IPs: Any
    Authentication: TLS (not mutual or anything else)
    Permission group: Exchange users, Exchange servers

    That is all I have set up.

    When I try and send from Outlook I keep getting a password prompt. Outlook says 0x800CCC92 Your e-mail server rejected your login. I have tried just username, email address and domain\username. No dice.

    Outlook is set up with port 587 and to use TLS.

    I see an Audit Success on the Exchange server with my attempt.

    Do I need to add
    Get-ReceiveConnector "Secure Outside Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights Ms-Exch-SMTP-Accept-Any-Recipient ?

    DB:3.07:Send Secure Smtp From Outlook/Thunderbird/Scanner? zx

    For Outlook, you shouldn't have to do anything. Use Outlook Anywhere. Of course, you can use Outlook with an IMAP profile to test as you have been doing.
    Why did you create a separate connector rather than just modifying the Client connector that's already bound to port 587? Having two connectors bound to the same IP addresses and port is likely to cause confusion unless you have some other way of distinguishing which is to be used by the clients.

    Ed Crowley MVP
    There are seldom good technological solutions to behavioral problems.

  • RELEVANCY SCORE 3.04

    DB:3.04:From Exchange 2007 Iam Not Able To Send Mails To Some Domains sf


    Dear expert friends,

    We installed Exchange 2007 in an existing Exchange 2003 environment; in the Exchange 2003 environment we have a front-end and a back-end server.

    The front-end (Exchange 2003) server receives mail from the internet; sending mail goes through Exchange 2007, and some mails are not being delivered to the recipient (like rediff.com etc.).

    Send connector details:

    Address space: * SMTP
    Network: selected "Use domain name system (DNS) MX records to route mail automatically"
    Enable domain security (mutual Auth TLS)

    Kindly suggest in this regard.

    DB:3.04:From Exchange 2007 Iam Not Able To Send Mails To Some Domains sf

    Hello Sameer1,

    You are in a test environment, right? The first role that should be updated in your case is the front-end server to a CAS server, okay?

    What's the NDR that you receive? Have you tried to send the message from Exchange 2007 through telnet (resolving the MX records and trying to connect manually, e.g. telnet hostMX.rediff.com 25)?

  • RELEVANCY SCORE 3.01

    DB:3.01:Client Authentication From Server Side In Tls Implementation For Windows Mobile a7


    Hello,
    I am implementing a TLS server for Windows Mobile; for that I am using the Schannel protocol. I want mutual authentication, so I
    set the ASC_REQ_MUTUAL_AUTH bit flag in the AcceptSecurityContext API as an input parameter. After calling AcceptSecurityContext I got the ASC_REQ_MUTUAL_AUTH bit set in the output parameter.
    When I call QueryContextAttributes to get the client certificate information, I am not able to get it.
    My code is as follows:

    // SECPKG_ATTR_REMOTE_CERT_CONTEXT hands back a pointer to the peer certificate,
    // so the output variable must be a PCCERT_CONTEXT, not a CERT_CONTEXT structure
    PCCERT_CONTEXT m_pClientCertContext = NULL;
    SECURITY_STATUS scRet = pf->QueryContextAttributes(&srvCtx,
                                                       SECPKG_ATTR_REMOTE_CERT_CONTEXT,
                                                       &m_pClientCertContext);
    // release with CertFreeCertificateContext(m_pClientCertContext) when done

    This API is not filling the output structure m_pClientCertContext (I got all variables as zero and pointers as bad pointers), even though this API is returning SEC_E_OK, which means success.
    I am passing a proper value of CtxtHandle srvCtx.

    So Could any one can help me for solving this problem? What could be the problem?
    Thanks.

    DB:3.01:Client Authentication From Server Side In Tls Implementation For Windows Mobile a7

    Hi VaibhavSam,
    This forum is for WCF-related questions; I suggest posting the question at the Network Class Library Forum:
    http://social.msdn.microsoft.com/Forums/en-US/ncl/threads
    Thanks,Mog Liang

  • RELEVANCY SCORE 3.01

    DB:3.01:I Cant Get Tls To Work For One Company 87


    Excuse my ignorance, I've never set up TLS before, so this may be very newbie of me.
    I'm trying to set up TLS between us and one of our vendors. I only need it for this one vendor. One of my problems is that we use a 3rd party for spam filtering that all our inbound mail goes through before it gets here.
    If I set up a send connector, check "enable domain security (mutual auth TLS)" and then put the domain in with
    Set-TransportConfig -TLSSendDomainSecureList vendordomain.com
    all emails to that domain stop flowing. Do I have to have a receive connector set up for this specific domain?
    The vendor allows opportunistic TLS. I have to ensure that the emails are encrypted, though.

    My logs show it isn't even offering to do TLS? There is no STARTTLS in the 250s.

  • RELEVANCY SCORE 3.01

    DB:3.01:How Do I Use Signedpublickeyandchallenge (Spac) With Ad Ca? C# Or Command Line? mp


    I need my users to get a local client key for mutual Auth TLS. How can I parse the SPAC response from the KeyGen HTML element that is supported in Safari, Chrome, and Firefox?

    Related links:

    http://stackoverflow.com/q/14187373/328397

    http://security.stackexchange.com/q/26403/396

    http://security.stackexchange.com/q/26148/396

    DB:3.01:How Do I Use Signedpublickeyandchallenge (Spac) With Ad Ca? C# Or Command Line? mp

    Hi,

    Thanks for posting in Microsoft TechNet forums.

    Regarding this issue, I suggest we seek help in our MSDN forum. There you can get more effective suggestions from other experts who are familiar with this topic.

    MSDN

    http://social.msdn.microsoft.com/Forums/en-US/categories

    Your understanding is appreciated.

    Have a nice day.

    Regards

    Kevin

    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

  • RELEVANCY SCORE 2.99

    DB:2.99:Remote User Cant Send Mail zc


    Please help me to solve this problem.
    My messaging system: EX01 (Hub+CAS+Mailbox) --- ISA1 --- Edge --- ISA2 --- Internet
    - All users send/receive mail from internal -- Internet successfully in the internal network.
    - Today, I published the POP3 server for remote users from the internet.
    - My problem: remote users can receive mail successfully but are unable to send mail.

    Configuration on Edge Transport:
    Accepted Domain: abc.com
    Receive Connector:
    * Authentication:
      - Transport Layer Security (TLS) = checked
      - Enable Domain Security (Mutual Auth TLS) = unchecked
      - Basic Authentication = unchecked
      - Offer Basic authentication only after starting TLS = unchecked
      - Exchange Server Authentication = checked
      - Integrated Windows authentication = checked
      - Externally Secured = unchecked
    * Permission Groups:
      - Anonymous Users = checked
      - Exchange Users = checked
      - Exchange Servers = checked

    My problem:
    - Remote users (using POP3/SMTP) -- Edge Transport -- abc.com = OK
    - Remote users (using POP3/SMTP) -- Edge Transport -- GMail/Yahoo... = Failed.
    Outlook Express reports: Server Response: '550.5.7.1 Unable to relay'
    Can you show me how to configure mail relay on the Edge Transport?
    Thanks in advance.
     

    DB:2.99:Remote User Cant Send Mail zc

    You can use port 587 as the port when you create the new receive connector, then check Exchange Users in the Permissions tab to keep the world from using it.

  • RELEVANCY SCORE 2.98

    DB:2.98:Where Does The Pfx File Come From In Technet Article: Using Domain Security: Configuring Mutual Tls fx


    The TechNet article Using Domain Security: Configuring Mutual TLS describes step-by-step how to set up Exchange domain security. In step 1 a new certificate request is created with 'new-exchangecertificate'; in step 2 the issued certificate gets imported and SMTP enabled. I'm wondering where the pfx file that gets imported comes from. I followed the guide - created the certificate request and used the CA web interface to get the certificate. You can download the certificate from the web interface 'DER-coded' or 'Base64-coded' - but there is no way to get a pfx file. Also, opening the issued certificate and trying to save it to a file doesn't give you the possibility to store it as pfx. So I'm wondering why in step 2 a pfx is used and not a cer file.
    Yours
    Franz-Georg Clodt
    ----fgc

    DB:2.98:Where Does The Pfx File Come From In Technet Article: Using Domain Security: Configuring Mutual Tls fx

    Hi,

    According to the article, we can get description like below:

    When you receive a certificate from your PKI or CA provider, convert the issued certificate to a PFX (PKCS#12) file so that you can back it up as part of a disaster contingency. A PFX file contains the certificate and related keys. In some cases, you may want to transport the certificate and keys to move them to other computers. For example, if you have multiple Edge Transport servers where you expect to send and receive e-mail that is Domain Secured, you can create a single certificate that will work for all servers. In this case, you must have the certificate imported and enabled for TLS on each Edge Transport server.

    As long as you keep a copy of the PFX file securely archived, you can always import and enable the certificate. The PFX file contains the private key so it's important to physically protect the file by keeping it on storage media in a secure location.

    It's important to understand that the Import-ExchangeCertificate cmdlet always marks the imported private key from the PFX as non-exportable. This functionality is by design.

    ~~~~~~~~~~~~~~~~
    Mike Shen
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com
    ~~~~~~~~~~~~~~~~

  • RELEVANCY SCORE 2.98

    DB:2.98:Tls Handshake Certificaterequest And Certificateverify Messages Missing With Wcf Httpstransportbindingelement Requireclientcertificate z1


    Hi all,
    I have a bit of a problem understanding why I am not getting the CertificateRequest and CertificateVerify messages in the TLS (1.0) handshake for a WCF 4.0 service hosted on IIS 7.5 and Windows Server 2008 x64. The IIS site is configured with an https binding and mutual SSL/TLS (Require SSL). I am using a custom binding for the service as follows:

    BindingElementCollection elements = new BindingElementCollection();

    AsymmetricSecurityBindingElement secBindingElement = new AsymmetricSecurityBindingElement();

    secBindingElement.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

    secBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
    secBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    secBindingElement.IncludeTimestamp = true;
    secBindingElement.SetKeyDerivation(false);
    secBindingElement.AllowSerializedSigningTokenOnReply = true;
    secBindingElement.RequireSignatureConfirmation = false;

    X509SecurityTokenParameters initiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint,
    SecurityTokenInclusionMode.AlwaysToRecipient);
    initiatorTokenParameters.RequireDerivedKeys = false;
    initiatorTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    secBindingElement.InitiatorTokenParameters = initiatorTokenParameters;

    X509SecurityTokenParameters recipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Thumbprint,
    SecurityTokenInclusionMode.Never);
    recipientTokenParameters.RequireDerivedKeys = false;
    recipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never;
    secBindingElement.RecipientTokenParameters = recipientTokenParameters;

    secBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;

    elements.Add(secBindingElement);

    elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8));

    HttpsTransportBindingElement httspBindingElement = new HttpsTransportBindingElement();

    httspBindingElement.RequireClientCertificate = true;

    elements.Add(httspBindingElement);

    CustomBinding securedBinding = new CustomBinding(elements);

    DB:2.98:Tls Handshake Certificaterequest And Certificateverify Messages Missing With Wcf Httpstransportbindingelement Requireclientcertificate z1

    Well, I found out that if I replace the AsymmetricSecurityBindingElement with a TransportSecurityBindingElement in the custom configuration above, I can set the DefaultAlgorithmSuite to Basic256Sha256. We are required to use AsymmetricSecurityBindingElement, so using TransportSecurityBindingElement is really not an option. Is there any other way I can set the DefaultAlgorithmSuite in the TransformBinding?
    Also, with the TransportSecurityBindingElement replacement and with the HttpsTransportBindingElement with RequireClientCertificate set in place, I tried the TLS connection again to see if there was any change in the handshake. Unfortunately, the CertificateRequest and CertificateVerify messages are still missing.
    Thanks for any feedback you guys can provide,
    Robert

  • RELEVANCY SCORE 2.98

    DB:2.98:How Do I Use Signedpublickeyandchallenge (Spac) With Ad Cs? C# Or Command Line? j7



    I'm posting an AD CS question here because I can't find the right forum. Please redirect me if you know of a better spot.

    I need my users to get a local client key for mutual Auth TLS. How can I parse the SPAC response from the KeyGen HTML element that is supported in Safari, Chrome, and Firefox?

    Related links:

    http://stackoverflow.com/q/14187373/328397

    http://security.stackexchange.com/q/26403/396

    http://security.stackexchange.com/q/26148/396

    DB:2.98:How Do I Use Signedpublickeyandchallenge (Spac) With Ad Cs? C# Or Command Line? j7



  • RELEVANCY SCORE 2.97

    DB:2.97:How To Build Openssl For Windows Ce? How To Implement Ssl For Win Ce? za


    Hi All,
    We need to implement SSL for Windows CE. We need to implement mutual authentication of X509 certificates using the cipher AES 256 and the protocol TLS 1.0.
    1. I tried creating a secure socket using the link:
    Secure Socket
    but it does not seem to support the client certificate authentication part. Also, I am not able to set the cipher programmatically.

    The following Code fails:
    SSLCIPHERS ciphersToUse;
    ciphersToUse.dwCount = 1;
    ciphersToUse.CipherList[0] = (DWORD)ALG_SID_3DES;
    ciphersToUse.dwProtocol = SSL_PROTOCOL_TLS1;

    /* the cipher list is passed by address as the ioctl input buffer */
    if( WSAIoctl( s, SO_SSL_SET_CIPHERS,
                  (LPVOID)&ciphersToUse, sizeof(ciphersToUse),
                  NULL, 0, NULL, NULL, NULL ) == SOCKET_ERROR)
    {
        printf("SO_SSL_SET_CIPHERS failed");
    }
    Q1 : How can I set Cipher programmatically? Am I right in thinking that Client Authentication is not provided at the Socket Level?

    Q2. I am not able to build OpenSSL for Windows CE. Is there any working build available for OpenSSL without any issues?
    Q3. Are there any third party libraries which support Secure socket connections with Mutual authentication on Windows CE?
    Thanks,
    Himanshu
    Himanshu chhaya - Windows CE, Mobile and Phone 7

    DB:2.97:How To Build Openssl For Windows Ce? How To Implement Ssl For Win Ce? za


  • RELEVANCY SCORE 2.96

    DB:2.96:Client Authentication In Web Service ( Client Side Only ) 7d


    Hi,

    How can I tell Java to use this particular client certificate in mutual authentication?

    I have two certificates

    1) cacert.pem and
    2) client.pem (includes private key),

    client.pem is signed by cacert.pem and also contains the private key. I have the wsdl file for the webservice that I have to call and I can generate java wrappers of it using wsdl2java.

    In fact I just called web services that used server-only SSL/TLS authentication; in that case I just had to add the root/CA certificate (in cer format) to the JRE's cacerts file and use https for the web service URL, and all worked fine.

    Now I can't understand what to do for mutual authentication.
    Thanks in advance.

    Sohaib

    DB:2.96:Client Authentication In Web Service ( Client Side Only ) 7d

    Normally you would have created a keypair and then a CSR request from that keystore, then sent the CSR off to the CA, then received the signed CSR and the CA certificate, then you import both those things back into the same keystore. The private key should never have left the original keystore. If you import the signed CSR into a keystore that doesn't already have its private key it will fail.

  • RELEVANCY SCORE 2.95

    DB:2.95:Mutual Authentication,Jax-Rpc -Setting Keystore Not Using System Properties 97


    Hi,

    I have a requirement to develop a server component (gateway) that connects to a web service over SSL (using mutual authentication - server and client certificates). Clients will then connect to the gateway and request data (sourced by the gateway from the web service).

    The web service will run on IIS and will be implemented in .NET. IIS will hold all client certificates and map them to one or more domain users.

    The (Java) gateway is required to handle multiple and concurrent clients, each with their own distinct client certificates. A client invokes a session with the gateway, and can then make multiple requests within the same session.

    Each time a client initiates a session with the gateway, it will provide its certificate + (private key) password. The gateway will then store the certificate and use it to make requests (on the client's behalf) to the web service (over HTTPS).

    Make sense?

    I have been able to use JAX-RPC successfully to call the web service using mutual authentication (as required), but as I am currently setting the keystore and keystore password (+truststore) using the system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword etc), the solution is not able to support concurrent users. What I need is a way to set the keystore on a client-by-client basis, where concurrent requests are isolated.

    I have written a small application to initiate an SSL connection to a secure web server (not a web service) using mutual authentication by using the following code snippet, but I need to do the same using SOAP:

    SSLSocketFactory factory = null;
    KeyManagerFactory kmfClient;
    KeyStore ksClient;

    KeyStore ksServer;
    TrustManagerFactory tmfServer;

    try
    {
        // client auth
        kmfClient = KeyManagerFactory.getInstance("SunX509");
        ksClient = KeyStore.getInstance("JKS");
        ksClient.load(new FileInputStream(CLIENT_KEY_STORE), clientpassphrase);
        kmfClient.init(ksClient, privatekeypassword);

        // server auth
        ksServer = KeyStore.getInstance("JKS");
        ksServer.load(new FileInputStream(SERVER_KEY_STORE), serverpassphrase);
        tmfServer = TrustManagerFactory.getInstance("SunX509");
        tmfServer.init(ksServer);

        SSLContext ctx;
        ctx = SSLContext.getInstance("TLS");
        ctx.init(kmfClient.getKeyManagers(), tmfServer.getTrustManagers(), null);

        factory = ctx.getSocketFactory();
    }
    catch (Exception e)
    {
        throw new IOException(e.getMessage());
    }

    SSLSocket socket = (SSLSocket)factory.createSocket(host, port);

    Can anyone help?

    Thanks in advance,

    Dave J

    DB:2.95:Mutual Authentication,Jax-Rpc -Setting Keystore Not Using System Properties 97

    UP!
    Is there anybody who knows how to use JAX-RPC without setting system properties?

    Thanks in advance
    Michele
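
    The two Java threads above (using cacert.pem plus client.pem for client authentication, and giving each JAX-RPC client its own keystore instead of the javax.net.ssl.* system properties) come down to the same thing: build one SSLContext per client from its own key and trust material and attach that context's socket factory to the connection, never touching the JVM-wide defaults. The class below is an added example, not code from either poster; it assumes client.pem carries the certificate and an unencrypted PKCS#8 private key, a JDK 11 or later, and a hypothetical service URL supplied by the caller.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Per-client mutual TLS without javax.net.ssl.* system properties (added example). Every session
 *  gets its own in-memory key store and trust store, so concurrent clients never share a private key. */
public final class PerClientMutualTls {

    // One PEM block: group 1 is the label, group 2 the Base64 body.
    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END \\1-----");

    /** All CERTIFICATE blocks in a file (client.pem holds one, cacert.pem may hold a chain). */
    static List<X509Certificate> readCertificates(Path pem) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        Matcher m = PEM_BLOCK.matcher(Files.readString(pem));
        while (m.find()) {
            if ("CERTIFICATE".equals(m.group(1))) {
                byte[] der = Base64.getMimeDecoder().decode(m.group(2));
                certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
            }
        }
        if (certs.isEmpty()) {
            throw new GeneralSecurityException("no CERTIFICATE block in " + pem);
        }
        return certs;
    }

    /** The unencrypted PKCS#8 "PRIVATE KEY" block (assumed layout of client.pem). The JDK cannot parse
     *  a PKCS#1 "RSA PRIVATE KEY" block; convert such a key first with: openssl pkcs8 -topk8 -nocrypt */
    static PrivateKey readPrivateKey(Path pem) throws IOException, GeneralSecurityException {
        Matcher m = PEM_BLOCK.matcher(Files.readString(pem));
        while (m.find()) {
            if ("PRIVATE KEY".equals(m.group(1))) {
                byte[] der = Base64.getMimeDecoder().decode(m.group(2));
                return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
            }
        }
        throw new GeneralSecurityException("no PKCS#8 PRIVATE KEY block in " + pem);
    }

    /** An SSLContext that presents this client's certificate and trusts only the given CA. */
    static SSLContext buildContext(Path clientPem, Path caPem, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        // Identity: chain plus private key, in a store that exists only for this client.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        identity.load(null, null);
        List<X509Certificate> chain = readCertificates(clientPem);
        identity.setKeyEntry("client", readPrivateKey(clientPem), keyPassword,
                chain.toArray(new Certificate[0]));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);

        // Trust: only the issuing CA, so the JRE's cacerts file plays no part in server validation.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        int i = 0;
        for (X509Certificate ca : readCertificates(caPem)) {
            trust.setCertificateEntry("ca-" + i++, ca);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx; // never handed to SSLContext.setDefault: that would leak it to other clients
    }

    /** Attaches the per-client factory to one connection; the default hostname verifier is kept. */
    static HttpsURLConnection open(URL serviceUrl, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) serviceUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

    A JAX-WS RI stub accepts the same per-client factory through the request-context key com.sun.xml.ws.transport.https.client.SSLSocketFactory; the thread does not say whether the JAX-RPC stack in use exposes an equivalent hook.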

  • RELEVANCY SCORE 2.95

    DB:2.95:Mutual Tls And Gnu-Tls z3


    We experienced issues when a partner's gateway is using GNU-TLS to establish a mutual TLS session. In the SMTPReceive log we see that no certificate was received by the Edge server and therefore the authentication failed. If the external partner's gateway is running OpenSSL instead of GNU-TLS it works fine. Is there any way to get the GNU-TLS implementation working together with Exchange 2007?
    Regards,
    Carsten

    DB:2.95:Mutual Tls And Gnu-Tls z3

    Hi,
    From the article that Frank provided, TLS is supported but disabled by default. Did you enable it? In fact, this is a third-party issue which cannot be resolved on the Exchange server side; you'd better contact the certificate's owner.
    Thanks
    Allen

  • RELEVANCY SCORE 2.95

    DB:2.95:How Can I Do Mutual Ssl When Using Jboss As Web Service Clie aa



    Hi, I'm running a Web Service client on JBoss 4.0.5 and JBossWS 1.0.4GA. The Web service I'm trying to consume requires mutual SSL authentication. I have created a keystore with the private key and the certificate in it. I also added the Web service provider's certificate to this keystore as a trusted certificate. I have configured my server.xml file to include the following:
    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore"
               keystoreType="jks"
               keystorePass="password" sslProtocol = "TLS" />

    DB:2.95:How Can I Do Mutual Ssl When Using Jboss As Web Service Clie aa


    Could anyone post resolution on the above org.jboss.ws.WSException: Invalid HTTP server response [403] - Forbidden error. I am facing the same issue currently. Many thanks in advance for your help.

  • RELEVANCY SCORE 2.95

    DB:2.95:Eap-Tls And Encryption 79



    EAP-TLS is a very strong security solution. But with EAP-TLS, WEP encryption is enabled, and this is not secure. How is it with EAP-TLS and encryption?

    DB:2.95:Eap-Tls And Encryption 79


    EAP-TLS will bring you a more "secure" way of doing mutual authentication between the AAA and the Wireless client based on certificates.

  • RELEVANCY SCORE 2.94

    DB:2.94:Find Mutual Callers mp


    Dear all

    DB:2.94:Find Mutual Callers mp

    Well, I think I have it. More testing at your end will confirm it - or prove me wrong. Here is a link to my file with the functional code in it:
    for_Stefanbehfar_001.xlsm 28.9 KB
    http://www.mediafire.com/download/g27uvf9mzgnj09g/for_Stefanbehfar_001.xlsm

    The code is posted below if you just want that. It will add a worksheet to your workbook named 'Results Report' where it will place the results of its work. There is a button on the data sheet to click to run the macro. The data sheet must be selected when you run the macro.

    Here are a couple of screen shots of my test data and the results. Results are only shown for routines that call one another and have at least 1 common other process that each calls.

    The test data:

    The Results:

    The code: this goes into a regular code module. Follow the instructions on this page to place it into your workbook:
    http://www.contextures.com/xlvba01.html#videoreg
    Be sure that you:
    #1 - test with a copy of your workbook.
    #2 - save the file as a macro-enabled workbook, type .xlsm or .xlsb

    The code:

    Sub FindMutualCallers()
        Const colA = "A" ' column 1 list is in
        Const colB = "B" ' column references are in
        Const firstDataRow = 2 ' first row with a pair to examine

        Dim dataWS As Worksheet
        Dim rptWS As Worksheet
        Dim lastRow As Long
        Dim AListRange As Range
        Dim BListRange As Range
        Dim ALC As Long
        Dim ALC2 As Long
        Dim BLC2 As Long
        Dim foundCell As Range
        Dim foundMatch As Boolean

        Set dataWS = ActiveSheet
        lastRow = dataWS.Range(colA & dataWS.Rows.Count).End(xlUp).Row
        If lastRow < firstDataRow Then
            MsgBox "No data to examine.", vbOKOnly + vbInformation, "Quitting"
            Exit Sub ' no work to do
        End If
        Set AListRange = dataWS.Range(colA & firstDataRow & ":" & colA & lastRow)
        Set BListRange = dataWS.Range(colB & firstDataRow & ":" & colB & lastRow)
        'reference or create and reference a report sheet
        On Error Resume Next
        Set rptWS = ThisWorkbook.Worksheets("Results Report")
        If Err <> 0 Then
            ThisWorkbook.Worksheets.Add after:=ActiveSheet
            ActiveSheet.Name = "Results Report"
            Set rptWS = ActiveSheet
            Err.Clear
        End If
        On Error GoTo 0
        With rptWS
            .Cells.ClearContents
            .Range("A1") = "Prime"
            .Range("B1") = "Referenced"
            .Range("C1") = "Common Reference"
        End With

        'all data reads below are qualified with dataWS: after Worksheets.Add the
        'new report sheet is the active sheet, so an unqualified Range would read it
        For ALC = firstDataRow To lastRow
            'is the entry in A ever referenced in column B
            Set foundCell = BListRange.Find(what:=dataWS.Range(colA & ALC).Value, _
                                            LookIn:=xlValues, lookat:=xlWhole)
            If Not foundCell Is Nothing Then
                'the entry in A does also appear in B.
                'this means that SOMEONE ELSE in A calls it!
                'does the entry in B ever call something else?
                'that is, does the current B entry ever appear in A also?
                Set foundCell = AListRange.Find(what:=dataWS.Range(colB & ALC).Value, _
                                                LookIn:=xlValues, lookat:=xlWhole)
                If Not foundCell Is Nothing Then
                    'current A is in B, current B is also in A
                    'so this could be 2 main routines that might have a 3rd
                    'called procedure in common. See if that is the case.
                    For ALC2 = ALC + 1 To lastRow
                        If dataWS.Range(colA & ALC) = dataWS.Range(colA & ALC2) Then
                            foundMatch = False
                            For BLC2 = firstDataRow To lastRow
                                If dataWS.Range(colA & BLC2) = dataWS.Range(colB & ALC) Then
                                    'should be final test
                                    If dataWS.Range(colB & ALC2) = dataWS.Range(colB & BLC2) Then
                                        rptWS.Range("A" & rptWS.Rows.Count).End(xlUp).Offset(1, 0) = _
                                            dataWS.Range(colA & ALC)
                                        rptWS.Range("A" & rptWS.Rows.Count).End(xlUp).Offset(0, 1) = _
                                            dataWS.Range(colA & BLC2)
                                        rptWS.Range("A" & rptWS.Rows.Count).End(xlUp).Offset(0, 2) = _
                                            dataWS.Range(colB & ALC2)
                                        foundMatch = True
                                        Exit For
                                    End If
                                End If
                            Next ' end BLC2 loop
                            If foundMatch Then
                                Exit For
                            End If
                        End If
                    Next ' end ALC2 loop
                End If
            End If
        Next ' end ALC loop
        rptWS.Activate
    End Sub

  • RELEVANCY SCORE 2.94

    DB:2.94:Ocs 2007 R2 Vs Tcp Transport zk


    Hello gentlemen! Could anyone share a link to a description of deploying OCS 2007 over TCP transport, i.e. without TLS, certificates and mutual authentication? If someone's answer helped you, please don't forget to click the "Propose as answer" or "Vote as helpful" button.

    DB:2.94:Ocs 2007 R2 Vs Tcp Transport zk

    And if you are even afraid to stand up a domain CA, stand one up on any virtual machine, feed the certificate to OCS and install it with that. Then configure the users to use TCP and don't think about certificates until you need voice mail or other OCS servers (the interaction between them also goes over certificates).

  • RELEVANCY SCORE 2.94

    DB:2.94:Nap(802.1x) Doesnt Work Using Peap-Tls Authentication Method. k9


    I am configuring NPS for testing wired 802.1x authentication with NAP using the PEAP-TLS authentication method. My test environment is as given below:
    - Server01: Windows Server 2008 (NPS and Enterprise CA installed)
    - Server02: Windows Server 2008 (Domain Controller installed)
    - Client: Windows Vista SP1
    - Authenticator: 802.1x Switch
    First of all, I read a guide and built the test environment. [Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab] http://www.microsoft.com/downloads/thankyou.aspx?familyId=8a0925ee-ee06-4dfb-bba2-07605eff0608&displayLang=en
    In the case of PEAP-MSCHAP v2, I understood and confirmed the quarantine function of NAP (802.1X). However, I fail in mutual authentication when I change the authentication method from PEAP-MSCHAP v2 to PEAP-TLS, and NAP does not work. The balloon help "A certificate is necessary to be connected to the network" was displayed when I logged in to the PC (Vista).
    Additionally I read the 3 documents below and confirmed that a deployed computer certificate and a user certificate were stored on the PC. But NAP does not work yet.
    [Deploy Client Computer Certificates]http://technet.microsoft.com/en-us/library/cc731242.aspx
    [Deploy User Certificates]http://technet.microsoft.com/en-us/library/cc770857.aspx
    [Selecting PEAP-TLS and other PEAP methods in Windows Vista and Windows Server 2008]http://blogs.technet.com/nap/archive/2008/09/29/selecting-peap-tls-and-other-peap-methods-in-windows-vista-and-windows-server-2008.aspx
    Please let me know if you find out what was the problem.
    Thanks,

    DB:2.94:Nap(802.1x) Doesnt Work Using Peap-Tls Authentication Method. k9

    Thanks for the reply Greg, I am using PEAP-TLS, and from what I can see from Microsoft, it should allow me to use Computer based Certs.  Unless there is some thing with the Cisco Wism that is preventing it?  But I called Cisco and they said it should work.  Thanks!

  • RELEVANCY SCORE 2.94

    DB:2.94:Redirection Exception ff



    Hi there,

    I'm trying to use SOL/IDE-R on an Enterprise-provisioned machine with TLS enabled (basic, not mutual) and I'm getting an Exception.

    I'm able to see the asset information and to power the machine up/down (with EOI, NOT WsMan), but SOL/IDE-R does not work, so I'm sure it's not an access issue (because the machine's security certificate is added to the client's trusted root certificate store and the user being used is admin).

    The method which returns the error is (AmtRedirectorWrapper.cs line 617):
    r = IMR_SOLOpenTCPSession(clientId, login, data, IntPtr.Zero);

    And the error is r = IMRResult.IMR_RES_SOCKET_ERROR

    Help!

    Javier Andrés Cáceres Alvis

    DB:2.94:Redirection Exception ff


    Hi Javier,
    I am glad that you solved this problem - again - we would love to see your next post - or perhaps a blog? :-)
    I'm going to close this thread - please open a new thread for new questions.

    Thanks,
    Gael

  • RELEVANCY SCORE 2.94

    DB:2.94:Thread: How To Disable Tls Esmtp jj


    How do I disable TLS ESMTP?

    DB:2.94:Thread: How To Disable Tls Esmtp jj

    In article dburek.5t6hu0@no-mx.forums.novell.com, Dburek wrote:

    How do I disable TLS ESMTP?

    Would that be for GWIA (the part that talks SMTP/ESMTP to the rest of the internet)? If so, there is a forum focused on that part:

    https://forums.novell.com/novell-pro...aboration/groupwise/groupwise-2012/gw2012-gwia/

    Andy Konecny

    Knowledge Partner (voluntary SysOp)

    KonecnyConsulting.ca in Toronto


    Andy's Profile: http://forums.novell.com/member.php?userid=75037

  • RELEVANCY SCORE 2.94

    DB:2.94:Howto Traverse Cim_Hostedaccesspoint With Winrm jj



    I tried to put certificates into the Management Engine and to configure it using TLS.
    Instead of using the Manageability Director, Commander ... I tried to make this configuration with WinRM.

    Therefore I read:
    http://software.intel.com/sites/manageability/AMT_Implementation_and_Ref...
    -- Intel AMT Features
    -- Transport Layer Security
    -- Use Cases
    -- * Set/Update the TLS Credentials Certificate
    -- * Set TLS to Server/Mutual Authentication

    To Discovering CIM_ComputerSystem I typed:

    -----------------------------------------------------------------------------------------------------------------------
    D:\IAMT>winrm enumerate http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem -remote:http://192.168.0.81:16992/wsman -encoding:utf-8 -un -auth:Digest -username:admin -password:*****************
    -----------------------------------------------------------------------------------------------------------------------

    the result I got, is:
    -----------------------------------------------------------------------------------------------------------------------
    CIM_ComputerSystem
    CreationClassName = CIM_ComputerSystem
    Dedicated = 33
    ElementName = Managed System
    EnabledDefault = 5
    EnabledState = 2
    HealthState = 5
    IdentifyingDescriptions = CIM:GUID
    Name = ManagedSystem
    NameFormat = Other
    OperationalStatus = 0
    OtherIdentifyingInfo = 00000000000000000000000000000000
    RequestedState = 12

    CIM_ComputerSystem
    CreationClassName = CIM_ComputerSystem
    Dedicated = 14
    ElementName = Intel AMT Subsystem
    EnabledDefault = 5
    EnabledState = 5
    HealthState = 5
    Name = Intel AMT
    NameFormat = Other
    OperationalStatus = 0
    RequestedState = 12
    -----------------------------------------------------------------------------------------------------------------------

    So I got the CIM_ComputerSystem which represents Intel AMT. The second block of the result is the CIM_ComputerSystem which represents Intel AMT.

    And now?

    Now the manual says that the next step that must be done is:

    2. From the CIM_ComputerSystem instance, traverse the CIM_HostedAccessPoint association class to find the instance of AMT_TLSProtocolEndpoint.

    1. But how can this step be done with WinRM?

    2. Does anybody know a link to WinRM samples, which performs such configurations?

    Thanks in advance for your help.

    DB:2.94:Howto Traverse Cim_Hostedaccesspoint With Winrm jj


    Out of curiosity, why are you attempting to do this with WinRM at the command line instead of building off of the examples in the SDK? They can be configured to use WinRM instead of the DotNetWSman client provided in the library, if you would like. It'd be a lot easier than trying to build the requests directly at the command line with WinRM. In my previous response to your question about how you could load certificates (here: http://software.intel.com/en-us/forums/showthread.php?t=77240 ), I listed some of the other mechanisms you could use to help build the calls. The flow you described has an SDK sample listed at the bottom (it's in the Windows\Intel_AMT\Samples\WS-Management\GeneralInfo directory in the SDK), as a starting point.

    I'd recommend looking at that code instead of trying to implement with WinRM at the command line.

  • RELEVANCY SCORE 2.94

    DB:2.94:Cwa Certificate Setup ff


    Lads,
    I am a bit stuck here on the certificate part of my CWA setup.
    I am not using a local CA to create the MTLS certificate; I am instead using a third-party CA (Comodo) to create one certificate to accomplish both the MTLS and SSL requirement.

    The problem is that when I receive my certificate from COMODO and then run the Activate Communicator Web Access part of the setup, it states that "The certificate you selected is not valid. Please select a valid Mutual TLS Certificate".
    I am creating the certificate request using the OCS FE Certificate Wizard.
    Any help here is much appreciated.

    Regards

    DB:2.94:Cwa Certificate Setup ff

    Randy, when saying run the CWA config wizard again - what do you mean by that?

    I am having issues getting CWA server to work after renewing the cert .. looks like an MTLS issue.

  • RELEVANCY SCORE 2.94

    DB:2.94:Tls 1.1, Tls 1.2 Protocols Support 1c



    Hi. Does anyone know whether BlackBerry WebWorks apps for smartphones support the TLS 1.1 and/or TLS 1.2 protocols?

  • RELEVANCY SCORE 2.94

    DB:2.94:Bridge Jms On Ssl Mutual Authenticathed Servers 3p


    Hi all,

    I'm facing a problem bridging JMS messages with the WLS bridge on SSL mutually authenticated servers.

    I configured two WLS (8.1 SP6), say "ALICE" and "BOB", with SSL listen port and I enabled "Two Way Client Cert Behavior" with "Client Certs Requested and Enforced" for both servers.

    I configured a WLS bridge on ALICE with source destination on ALICE itself and target destination on BOB.

    When I start this bridge it cannot connect to BOB. I enabled SSL debug and I found that ALICE didn't send CLIENT certificate to BOB.

    Here is BOB's log:

    22-mag-2008 14.56.10 CEST Debug TLS 000000 Filtering JSSE SSLSocket
    22-mag-2008 14.56.10 CEST Debug TLS 000000 SSLIOContextTable.addContext(ctx): 32975481
    22-mag-2008 14.56.10 CEST Debug TLS 000000 SSLSocket will be Muxing
    22-mag-2008 14.56.10 CEST Debug TLS 000000 SSLFilter.isActivated: false
    22-mag-2008 14.56.10 CEST Debug TLS 000000 isMuxerActivated: false
    22-mag-2008 14.56.10 CEST Debug TLS 000000 SSLFilter.isActivated: false
    22-mag-2008 14.56.12 CEST Debug TLS 000000 7192496 SSL Version 2 with no padding
    22-mag-2008 14.56.12 CEST Debug TLS 000000 21231495 SSL3/TLS MAC
    22-mag-2008 14.56.12 CEST Debug TLS 000000 21231495 received SSL_20_RECORD
    22-mag-2008 14.56.12 CEST Debug TLS 000000 HANDSHAKEMESSAGE: ClientHelloV2
    22-mag-2008 14.56.12 CEST Debug TLS 000000 write HANDSHAKE, offset = 0, length = 58
    22-mag-2008 14.56.12 CEST Debug TLS 000000 write HANDSHAKE, offset = 0, length = 566
    22-mag-2008 14.56.12 CEST Debug TLS 000000 write HANDSHAKE, offset = 0, length = 260
    22-mag-2008 14.56.12 CEST Debug TLS 000000 write HANDSHAKE, offset = 0, length = 4
    22-mag-2008 14.56.12 CEST Debug TLS 000000 SSLFilter.isActivated: false
    22-mag-2008 14.56.12 CEST Debug TLS 000000 isMuxerActivated: false
    22-mag-2008 14.56.12 CEST Debug TLS 000000 SSLFilter.isActivated: false
    22-mag-2008 14.56.13 CEST Debug TLS 000000 21231495 SSL3/TLS MAC
    22-mag-2008 14.56.13 CEST Debug TLS 000000 21231495 received HANDSHAKE
    22-mag-2008 14.56.13 CEST Debug TLS 000000 HANDSHAKEMESSAGE: Certificate
    22-mag-2008 14.56.13 CEST Debug TLS 000000 validationCallback: validateErr = 0
    22-mag-2008 14.56.13 CEST Debug TLS 000000 Required peer certificates not supplied by peer
    22-mag-2008 14.56.13 CEST Warning Security BEA-090508 Certificate chain received from localhost - 127.0.0.1 was incomplete.
    22-mag-2008 14.56.13 CEST Debug TLS 000000 Validation error = 4
    22-mag-2008 14.56.13 CEST Debug TLS 000000 Certificate chain is incomplete
    22-mag-2008 14.56.13 CEST Debug TLS 000000 User defined JSSE trustmanagers not allowed to override
    22-mag-2008 14.56.13 CEST Debug TLS 000000 SSLTrustValidator returns: 68
    22-mag-2008 14.56.13 CEST Debug TLS 000000 Trust failure (68): CERT_CHAIN_INCOMPLETE
    22-mag-2008 14.56.13 CEST Debug TLS 000000 NEW ALERT with Severity: FATAL, Type: 40

    and here is ALICE's log:

    22-mag-2008 15.28.01 CEST Warning Connector BEA-190032 Weblogic Messaging Bridge Adapter (XA)_eis/jms/WLSConnectionFactoryJNDIXA ResourceAllocationException of javax.resource.ResourceException: ConnectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory, url = t3s://localhost:7002, user name = jmsbob) on createManagedConnection.
    22-mag-2008 15.28.01 CEST Info MessagingBridge BEA-200043 Bridge "AliceToBobMessagingBridge" failed to connect to the target destination and will try again in 25 seconds. (java.lang.Exception: javax.resource.ResourceException: ConnectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory, url = t3s://localhost:7002, user name = jmsbob)
    at weblogic.jms.adapter.JMSBaseConnection.throwResourceException(JMSBaseConnection.java:1386)
    at weblogic.jms.adapter.JMSBaseConnection.throwResourceException(JMSBaseConnection.java:1366)
    at weblogic.jms.adapter.JMSBaseConnection.startInternal(JMSBaseConnection.java:345)
    at weblogic.jms.adapter.JMSBaseConnection.start(JMSBaseConnection.java:219)
    at weblogic.jms.adapter.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:188)
    at weblogic.connector.common.internal.ConnectionFactory.createResource(ConnectionFactory.java:127)
    at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1193)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:345)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:286)
    at weblogic.connector.common.internal.ConnectionPool.reserveResource(ConnectionPool.java:567)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:280)
    at weblogic.connector.common.internal.ConnectionPoolManager.getConnection(ConnectionPoolManager.java:650)
    at weblogic.connector.common.internal.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:106)
    at weblogic.jms.adapter.JMSBaseConnectionFactory.getTargetConnection(JMSBaseConnectionFactory.java:120)
    at weblogic.jms.bridge.internal.MessagingBridge.getConnections(MessagingBridge.java:809)
    at weblogic.jms.bridge.internal.MessagingBridge.execute(MessagingBridge.java:991)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
    -------------- Linked Exception ------------
    javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://localhost:7002: Destination unreachable; nested exception is:
    javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from localhost - 127.0.0.1. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.; No available router to destination]
    at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:47)
    at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:651)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:320)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:253)
    at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:135)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.init(InitialContext.java:195)
    at weblogic.jms.adapter.JMSBaseConnection.getInitialContext(JMSBaseConnection.java:1967)
    at weblogic.jms.adapter.JMSBaseConnection.startInternal(JMSBaseConnection.java:233)
    at weblogic.jms.adapter.JMSBaseConnection.start(JMSBaseConnection.java:219)
    at weblogic.jms.adapter.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:188)
    at weblogic.connector.common.internal.ConnectionFactory.createResource(ConnectionFactory.java:127)
    at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1193)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:345)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:286)
    at weblogic.connector.common.internal.ConnectionPool.reserveResource(ConnectionPool.java:567)
    at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:280)
    at weblogic.connector.common.internal.ConnectionPoolManager.getConnection(ConnectionPoolManager.java:650)
    at weblogic.connector.common.internal.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:106)
    at weblogic.jms.adapter.JMSBaseConnectionFactory.getTargetConnection(JMSBaseConnectionFactory.java:120)
    at weblogic.jms.bridge.internal.MessagingBridge.getConnections(MessagingBridge.java:809)
    at weblogic.jms.bridge.internal.MessagingBridge.execute(MessagingBridge.java:991)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
    Caused by: java.net.ConnectException: t3s://localhost:7002: Destination unreachable; nested exception is:
    javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from localhost - 127.0.0.1. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.; No available router to destination
    at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:200)
    at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:125)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:310)
    ... 23 more
    )
    22-mag-2008 15.28.09 CEST Info MessagingBridge BEA-200036 The Started attribute of Bridge "AliceToBobMessagingBridge" has been changed from "true" to "false".

    What do I need to do to avoid this problem?
    Nathan65

    DB:2.94:Bridge Jms On Ssl Mutual Authenticathed Servers 3p

    I checked my configuration. ALICE's keystores are

    IDENTITY

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 2 entry

    Nome alias: certgenca
    Data di creazione: 21-mag-2008
    Tipo entry: trustedCertEntry

    Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
    Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
    Impronte digitali certificato:
    MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
    SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59

    *******************************************
    *******************************************

    Nome alias: alicecert
    Data di creazione: 21-mag-2008
    Tipo entry: keyEntry
    Lunghezza catena certificati: 1
    Certificato[1]:
    Proprietario: CN=alice@etnoteam.it, OU=CompetenceCenter, O=ValueTeam, L=Rome, ST=IT, C=IT
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: -1dbb65eaa595141fa1e44ba5856d65e4
    Valido da Tue May 20 09:39:25 CEST 2008 a Sun May 21 09:39:25 CEST 2023
    Impronte digitali certificato:
    MD5: BA:01:C2:E3:CC:92:C4:99:F7:8C:28:FF:C1:16:88:D9
    SHA1: C0:D8:E8:B6:C2:62:03:90:3F:23:3C:FA:A8:C8:0A:00:FA:96:5A:4E

    *******************************************
    *******************************************

    TRUST

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 1 entry

    Nome alias: certgenca
    Data di creazione: 21-mag-2008
    Tipo entry: trustedCertEntry

    Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
    Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
    Impronte digitali certificato:
    MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
    SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59

    *******************************************
    *******************************************

    BOB's keystores are:

    IDENTITY

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 2 entry

    Nome alias: certgenca
    Data di creazione: 21-mag-2008
    Tipo entry: trustedCertEntry

    Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
    Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
    Impronte digitali certificato:
    MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
    SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59

    *******************************************
    *******************************************

    Nome alias: bobcert
    Data di creazione: 21-mag-2008
    Tipo entry: keyEntry
    Lunghezza catena certificati: 1
    Certificato[1]:
    Proprietario: CN=bob@etnoteam.it, OU=CompetenceCenter, O=ValueTeam, L=Rome, ST=IT, C=IT
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: 26ccb8983c1cd0dc2eb6b0c7019eddb2
    Valido da Tue May 20 09:53:38 CEST 2008 a Sun May 21 09:53:38 CEST 2023
    Impronte digitali certificato:
    MD5: 6C:B3:9D:02:6E:CD:F4:04:C2:76:F2:92:97:39:66:7E
    SHA1: D1:07:5A:64:79:2F:FE:35:4D:D4:FD:7E:42:FC:D3:9C:68:6B:EE:B8

    *******************************************
    *******************************************

    TRUST (same as ALICE's TRUST)

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 1 entry

    Nome alias: certgenca
    Data di creazione: 21-mag-2008
    Tipo entry: trustedCertEntry

    Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
    Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
    Impronte digitali certificato:
    MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
    SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59

    *******************************************
    *******************************************

    Here is a FRAGMENT of ALICE's "config.xml" (I use custom identity and custom trust)

    <Server
    CustomIdentityKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\ALICE\CERTIFICATI\alice.jks"
    CustomIdentityKeyStorePassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug=="
    CustomIdentityKeyStoreType="JKS"
    CustomTrustKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\ALICE\CERTIFICATI\certgenca.jks"
    CustomTrustKeyStorePassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug=="
    CustomTrustKeyStoreType="JKS" ExpectedToRun="false"
    JavaStandardTrustKeyStorePassPhraseEncrypted="{3DES}CVtHlHaDky1XKC1QZVz2Kw=="
    KeyStores="CustomIdentityAndCustomTrust" ListenAddress=""
    ListenPort="7011" Name="alice" NativeIOEnabled="true"
    ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0"
    StdoutDebugEnabled="true" StdoutSeverityLevel="64">
    <SSL ClientCertificateEnforced="true" Enabled="true"
    HostnameVerificationIgnored="true"
    IdentityAndTrustLocations="KeyStores" ListenPort="7012"
    Name="alice" ServerPrivateKeyAlias="alicecert"
    ServerPrivateKeyPassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug==" TwoWaySSLEnabled="true"/>
    <Log FileCount="2" FileMinSize="5000" Name="alice" NumberOfFilesLimited="true"/>
    </Server>

    and here is a fragment of BOB's "config.xml" (same keystore configuration as ALICE's)

    <Server
    CustomIdentityKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\BOB\CERTIFICATI\bob.jks"
    CustomIdentityKeyStorePassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w=="
    CustomIdentityKeyStoreType="JKS"
    CustomTrustKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\BOB\CERTIFICATI\certgenca.jks"
    CustomTrustKeyStorePassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w=="
    CustomTrustKeyStoreType="JKS" ExpectedToRun="false"
    JavaStandardTrustKeyStorePassPhraseEncrypted="{3DES}TXgi1bpazzUgtLpwMy9q9Q=="
    KeyStores="CustomIdentityAndCustomTrust" ListenAddress=""
    ListenPort="7001" Name="bob" NativeIOEnabled="true"
    ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0"
    StdoutDebugEnabled="true" StdoutSeverityLevel="64">
    <SSL ClientCertificateEnforced="true" Enabled="true"
    HostnameVerificationIgnored="true"
    IdentityAndTrustLocations="KeyStores" ListenPort="7002"
    Name="bob" ServerPrivateKeyAlias="bobcert"
    ServerPrivateKeyPassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w==" TwoWaySSLEnabled="true"/>
    <Log FileCount="2" FileMinSize="5000" Name="bob" NumberOfFilesLimited="true"/>
    </Server>

    PS: I used a JNDI client, configured with ALICE's keystores, to access BOB and it succeeded.

    Nat.

  • RELEVANCY SCORE 2.94

    DB:2.94:Mutual Fund Transactions In Sap Through Fi Module j9



    Dear All,

    We have mutual fund transactions and we don't have the Treasury module, so we need to map these entries through Finance. Since we have huge mutual fund investments every month, creating vendors for every mutual fund scheme is not advisable.

    Is there any method to do that?

    Regards,

    Sahil


  • RELEVANCY SCORE 2.94

    DB:2.94:Mutual Authentication On Tomcat 5 3p


    Hello,

    For the moment I'm experimenting with J2EE security with Tomcat 5.

    So far I was able to get BASIC authentication to work and also server Authentication (SSL with certificate).

    The next step I wanted to take was to configure Tomcat to use Mutual authentication but so far without success.

    Here are the steps I take:

    1. Create a client keystore with one certificate using the Java keytool
    2. Create a server keystore with one certificate using the Java keytool (my CN name is localhost and I also
    use this in my test URL: https://localhost:8443)
    3. Export the client certificate from the client keystore to a .cer certificate
    4. Export the server certificate from the server keystore to a .cer certificate
    5. Import my .cer server certificate in my trust store (%JRE_HOME%\lib\security\cacerts)
    Now the client should trust the server's certificate.
    6. Import my .cer client certificate in my server's keystore
    This way the server should trust the client.
    7. In my server.xml file I have put clientAuth to true and used the -keystore parameter to point to the correct
    certificate.
    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
    secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="c:/keys/serverKeys"
    keystorePass="password"/>

    As a test I also imported the 2 .cer certificates (client + server) in my IE but I don't think this is needed.

    When I start Tomcat and check that it is running at http://localhost:8080, this works, but when I try https://localhost:8443 I get the message that the page could not be displayed ...

    I'm trying for several days to solve this but without success ...

    Can someone help me please ?

    Many thanks !

    Best regards,

    Tom.

    DB:2.94:Mutual Authentication On Tomcat 5 3p

    With truststore file you mean cacerts.jks in %JAVA_HOME%/JRE/LIB/SECURITY ?

    To avoid misunderstanding, the only thing I try to do is to establish mutual authentication between a client (IE) and a server (localhost) on the same machine (without using any Java code).

    Is that possible ?
    Do I need to configure anything in my web.xml ?

    Does there exist a step by step guideline to get it to work ?

    By javax.net.debug system property, you mean that this must be done in java code ?
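    The procedure in Tom's post, reworked as an added example (not Tom's commands and not from Tomcat's documentation). Two points a practitioner would check in that procedure: Tomcat validates client certificates against the connector's truststore (the truststoreFile attribute, or the JRE's cacerts when it is unset), not against the keystore that holds the server key, and a .cer export carries no private key, so the browser needs the client key as a PKCS#12 file. The directory, aliases, names and password are placeholders; every keytool failure aborts the function because of set -e.

```shell
#!/bin/sh
# Added example: keytool sequence for Tomcat client-certificate (mutual TLS)
# authentication. Directory, aliases, DNs and the password are placeholders.
set -eu

make_mutual_tls_keystores() {
    dir="$1"; pass="$2"
    mkdir -p "$dir"

    # Server identity: CN must equal the host name the browser uses (localhost).
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, OU=Test, O=Example" -ext "san=dns:localhost" \
        -keystore "$dir/serverKeys.jks" -storetype JKS -storepass "$pass" -keypass "$pass"

    # Client identity generated straight into PKCS#12: this file carries the private
    # key and is what gets imported into the browser's personal certificate store.
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=tom, OU=Test, O=Example" \
        -keystore "$dir/clientKeys.p12" -storetype PKCS12 -storepass "$pass" -keypass "$pass"

    # Public certificates only (.cer): a .cer export never contains a private key.
    keytool -exportcert -rfc -alias server -keystore "$dir/serverKeys.jks" \
        -storepass "$pass" -file "$dir/server.cer"
    keytool -exportcert -rfc -alias client -keystore "$dir/clientKeys.p12" \
        -storepass "$pass" -file "$dir/client.cer"

    # Tomcat checks client certificates against the connector's truststore, not
    # against its keystore, so the client certificate goes into a separate file.
    keytool -importcert -noprompt -alias client -file "$dir/client.cer" \
        -keystore "$dir/serverTrust.jks" -storetype JKS -storepass "$pass"
}

# Number of trusted entries in a truststore; 1 once the client certificate is in.
trusted_entry_count() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c 'trustedCertEntry'
}

# Connector settings matching the files above (Tomcat 5.x attribute names).
print_connector() {
    dir="$1"; pass="$2"
    cat <<EOF
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$dir/serverKeys.jks" keystorePass="$pass"
           truststoreFile="$dir/serverTrust.jks" truststorePass="$pass"/>
EOF
}

# Usage: sh mtls-keystores.sh demo
if [ "${1:-}" = "demo" ]; then
    make_mutual_tls_keystores /tmp/mtls-demo changeit
    print_connector /tmp/mtls-demo changeit
fi
```

    On the browser side, clientKeys.p12 goes into the personal store (it prompts for the password) and server.cer into the trusted roots; the .cer files alone are enough for the server's truststore but never for the client's identity.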

  • RELEVANCY SCORE 2.93

    DB:2.93:Thread: Tls Support kk


    Can anyone tell me if Groupwise 7x supports the TLS protocol?

    DB:2.93:Thread: Tls Support kk

    Sherry McNamara wrote:

    Yes using GWIA to Internet. It sounds like their system will enforce

    it because they said if our system supports it, there is nothing for

    us to do. Thanks for your help. I just wanted to verify that it did.

    Maybe this helps:

    http://support.novell.com/techcenter...c2003_10e.html


    Cheers,

    Edward

  • RELEVANCY SCORE 2.89

    DB:2.89:What Does The Mutual Reward Theory State? 93



    What does the Mutual Reward Theory state?

  • RELEVANCY SCORE 2.89

    DB:2.89:Is It Possible To Configure Jboss To Request A Client Certificate Without Verifying It? p7



    Hi

    I am trying to configure JBoss for mutual TLS authentication and for various reasons I cannot place the client certificates or the CA in the truststore file.

    My https connector in standalone.xml configuration looks something like this:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https">
    <ssl name="ssl" key-alias="1" password="abc" certificate-key-file="[path]/keystore.p12" protocol="TLSv1" verify-client="want" keystore-type="PKCS12"/>
    </connector>


  • RELEVANCY SCORE 2.88

    DB:2.88:Mutual Tls (Domain Secure Enabled) Fails With Event 11020 Revocation Offline cf


    I have two separate domains, each with their own Exchange 2010 server and Enterprise CA running on Server 2008 R2. There is no domain trust, and e-mail is routed with MX records. I am unable to get e-mail to flow in either direction when I enable Mutual TLS, but it works fine with Mutual Auth disabled.
    The Event log shows MSExchangeTransport Error 11020 on both Exchange servers: A secure connection to domain-secured domain * on connector * could not be established because the validation of the Transport Layer Security (TLS) certificate for * failed with status 'RevocationOffline...
    I've verified that:

    Receive Connectors have DomainSecureEnabled set to True
    Send Connectors have DomainSecureEnabled set to True
    Transport Configs have the remote domain in the TLSSendDomainSecureEnabled and Receive lists
    Certificate is valid for server and client authentication (actually valid for Any Purpose)
    Certificate is bound for IIS and SMTP
    Remote CA is in the Local Computer store (I can navigate to the IIS page with https and it's trusted)
    CDP and AIA extensions in the certificates have the correct link to the CRL (I've tried certs with LDAP, LDAP and HTTP, and only HTTP)
    CRL is accessible if I manually go to the link from the certificate in IE
    DNS resolution is successful
    Certificates were created outside of Exchange and imported. I need to be able to export the private key, so I created a new template.

    Taking traces with Wireshark, what I see is Mutual Auth requested, the Exchange servers exchange certificates, but then immediately close the connection. There is no attempt to download the CRL. Occasionally, I'll see a little bit of LDAP traffic, not sure if it's trying to access the CRL that way, but I've tried with only HTTP CDP and AIA extensions - still says Revocation Offline without trying to download the CRL.
    I've tried manually installing the remote CRL, and it shows up in the store when I run Certutil -verifystore CA.
    Also, I've setup the same lab setup with 2003 Servers and Exchange 2007, and it worked fine. This is a lab setup for testing and testing Mutual TLS is a requirement.
    Any ideas?

    DB:2.88:Mutual Tls (Domain Secure Enabled) Fails With Event 11020 Revocation Offline cf

    FOLLOW UP:
    I've fixed the issue. The Certificate Revocation Offline was a misleading error message it seems.
    I had removed all LDAP CRL and AIA distribution points from the certificates and left only HTTP ones, but I was still seeing no HTTP traffic. Occasionally, I'd see some LDAP traffic and couldn't figure out why. I ended up adding a Two-way Forest
    Domain Trust, then that LDAP traffic started succeeding. The client Exchange Server then fetched a Kerberos Ticket from the other Exchange Server, and then ran some more LDAP traffic. After that, THEN the client Exchange Server fetched the CRL
    via HTTP as expected.
    Every connection, the Exchange servers are getting Kerberos tickets. It appears to use Kerberos somewhere in the SMTP traffic auth, but the new Wireshark isn't playing nice with Decrypting my SSL traffic, so I can't confirm that.
    This did not happen in Exchange 2007. I don't know why the behavior is different, a domain trust was not required in my Exchange 2007 setup. I haven't had time to investigate anything with the SMTP auth.
    TL;DR: Added a Forest Domain Trust and all is well.
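    The checklist in the question, as an added PowerShell example for the Exchange Management Shell (not the poster's script). It reads the transport config, connectors and certificate with the standard Get-* cmdlets, then runs certutil -verify -urlfetch on the local certificate and, optionally, on an exported copy of the remote side's certificate; that builds the chain and fetches the CRL from the certificate's CDP, which is the check that surfaces as 'RevocationOffline' in event 11020 when it fails. $RemoteDomain, $Thumbprint and $RemoteCertFile are placeholders for your own values.

```powershell
# Added example (not from the thread): Domain Security prerequisite checks.
# Run in the Exchange Management Shell on each side of the domain-secured pair.
function Test-DomainSecurePrereqs {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteDomain,   # e.g. partner.example (placeholder)
        [Parameter(Mandatory = $true)][string]$Thumbprint,     # local SMTP certificate thumbprint
        [string]$RemoteCertFile                                # optional .cer exported from the other side
    )
    $checks = @()

    # 1. Both transport-config lists must name the remote domain
    $tc = Get-TransportConfig
    $sendList = @($tc.TLSSendDomainSecureList    | ForEach-Object { $_.ToString() })
    $recvList = @($tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() })
    $checks += [pscustomobject]@{ Check = 'TLSSendDomainSecureList';    Ok = ($sendList -contains $RemoteDomain); Detail = ($sendList -join ',') }
    $checks += [pscustomobject]@{ Check = 'TLSReceiveDomainSecureList'; Ok = ($recvList -contains $RemoteDomain); Detail = ($recvList -join ',') }

    # 2. Send connectors covering the remote domain, and receive connectors, need DomainSecureEnabled
    $sends = @(Get-SendConnector | Where-Object { @($_.AddressSpaces | ForEach-Object { $_.Address }) -contains $RemoteDomain })
    $checks += [pscustomobject]@{ Check = "SendConnector for $RemoteDomain exists"; Ok = ($sends.Count -gt 0); Detail = (@($sends | ForEach-Object { $_.Name }) -join ',') }
    foreach ($c in $sends) {
        $checks += [pscustomobject]@{ Check = "SendConnector '$($c.Name)' DomainSecureEnabled"; Ok = [bool]$c.DomainSecureEnabled; Detail = '' }
    }
    foreach ($c in Get-ReceiveConnector) {
        $checks += [pscustomobject]@{ Check = "ReceiveConnector '$($c.Name)' DomainSecureEnabled"; Ok = [bool]$c.DomainSecureEnabled; Detail = "AuthMechanism=$($c.AuthMechanism)" }
    }

    # 3. The certificate must be enabled for SMTP and carry its private key
    $exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $checks += [pscustomobject]@{ Check = 'Certificate enabled for SMTP'; Ok = ($exCert.Services.ToString() -match 'SMTP'); Detail = $exCert.Services.ToString() }
    $checks += [pscustomobject]@{ Check = 'Certificate has private key';  Ok = [bool]$exCert.HasPrivateKey; Detail = $exCert.Subject }

    # 4. Revocation the way transport validates it: full chain build plus CRL fetch from the CDP URL
    $x509 = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $cerFile = Join-Path $env:TEMP "$Thumbprint.cer"
    [System.IO.File]::WriteAllBytes($cerFile, $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $out = & certutil.exe -verify -urlfetch $cerFile 2>&1
    $detail = (($out | Select-String -Pattern 'Revocation|ERROR' | ForEach-Object { $_.Line.Trim() }) -join '; ')
    $checks += [pscustomobject]@{ Check = 'Local cert: certutil -verify -urlfetch'; Ok = ($LASTEXITCODE -eq 0); Detail = $detail }

    # The same check against the partner's certificate, from this host, exercises the
    # remote CA's CDP over the network exactly as transport will.
    if ($RemoteCertFile) {
        $out = & certutil.exe -verify -urlfetch $RemoteCertFile 2>&1
        $detail = (($out | Select-String -Pattern 'Revocation|ERROR' | ForEach-Object { $_.Line.Trim() }) -join '; ')
        $checks += [pscustomobject]@{ Check = 'Remote cert: certutil -verify -urlfetch'; Ok = ($LASTEXITCODE -eq 0); Detail = $detail }
    }
    return $checks
}

# Usage (values are placeholders):
# Test-DomainSecurePrereqs -RemoteDomain 'partner.example' -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
#     -RemoteCertFile 'C:\temp\partner-smtp.cer' | Format-Table -AutoSize
```

    A row with Ok = False on the certutil checks, together with no CRL download in the capture, points at the chain build rather than at the connectors; the Detail column carries the certutil lines naming which CDP or issuer failed.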

  • RELEVANCY SCORE 2.87

    DB:2.87:Reading Smtp Protocol Logs For Tls Confirmation xz


    I have a test receive connector set up on my hub server that requires the use of TLS for communication (Only the TLS and Mutual TLS checks are selected).
    Our test message has been received successfully, but I am trying to confirm the use of TLS through the SMTP Protocol logs (set to Verbose).
    I have found the entry in the logs for the message, but cannot figure out if there is a flag that confirms the use of TLS.
    Can anyone offer some guidance on what to look for?
    Thanks.
    Log is attached (sanitized)

    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,0,10.16.0.42:25,10.16.64.63:50364,+,,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,1,10.16.0.42:25,10.16.64.63:50364,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,2,10.16.0.42:25,10.16.64.63:50364,>,220 HUBSERVER.domain.com Microsoft ESMTP MAIL Service ready at Tue, 22 Mar 2011 15:19:08 -0400,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,3,10.16.0.42:25,10.16.64.63:50364,<,EHLO ipxplorer,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,4,10.16.0.42:25,10.16.64.63:50364,>,250-HUBSERVER.domain.com Hello [10.16.64.63],
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,5,10.16.0.42:25,10.16.64.63:50364,>,250-SIZE 10485760,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,6,10.16.0.42:25,10.16.64.63:50364,>,250-PIPELINING,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,7,10.16.0.42:25,10.16.64.63:50364,>,250-DSN,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,8,10.16.0.42:25,10.16.64.63:50364,>,250-ENHANCEDSTATUSCODES,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,9,10.16.0.42:25,10.16.64.63:50364,>,250-STARTTLS,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,10,10.16.0.42:25,10.16.64.63:50364,>,250-AUTH,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,11,10.16.0.42:25,10.16.64.63:50364,>,250-8BITMIME,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,12,10.16.0.42:25,10.16.64.63:50364,>,250-BINARYMIME,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,13,10.16.0.42:25,10.16.64.63:50364,>,250 CHUNKING,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,14,10.16.0.42:25,10.16.64.63:50364,<,MAIL FROM:<ipxplorer@domain.com>,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,15,10.16.0.42:25,10.16.64.63:50364,*,08CD936A60A4A1E2;2011-03-22T19:19:09.011Z;1,receiving message
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,16,10.16.0.42:25,10.16.64.63:50364,>,250 2.1.0 Sender OK,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,17,10.16.0.42:25,10.16.64.63:50364,<,RCPT TO:<user@domain.com>,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,18,10.16.0.42:25,10.16.64.63:50364,>,250 2.1.5 Recipient OK,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,19,10.16.0.42:25,10.16.64.63:50364,<,DATA,
    2011-03-22T19:19:09.011Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,20,10.16.0.42:25,10.16.64.63:50364,>,354 Start mail input; end with <CRLF>.<CRLF>,
    2011-03-22T19:19:09.418Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,21,10.16.0.42:25,10.16.64.63:50364,>,250 2.6.0 <887031.275170983-sendEmail@ipxplorer> Queued mail for delivery,
    2011-03-22T19:19:09.418Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,22,10.16.0.42:25,10.16.64.63:50364,<,QUIT,
    2011-03-22T19:19:09.418Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,23,10.16.0.42:25,10.16.64.63:50364,>,221 2.0.0 Service closing transmission channel,
    2011-03-22T19:19:09.418Z,HUBSERVER\TLS Test Connector,08CD936A60A4A1E2,24,10.16.0.42:25,10.16.64.63:50364,-,,Local

    DB:2.87:Reading Smtp Protocol Logs For Tls Confirmation xz

    Thanks for the info.

    I will check the header of the email for TLS confirmation information.

    Cheers!

  • RELEVANCY SCORE 2.87

    DB:2.87:Tls Encryption From Printer To Exchange 89


    Hi,
    I must encrypt email traffic from a printer to Exchange 2010. On the receive connector I enabled Transport Layer Security (TLS), but not Mutual Auth TLS.

    In SMTP protocol logs I see:
    ,>,220 blabla Microsoft ESMTP MAIL Service ready at Thu, 28 Aug 2014 11:07:18 +0200,
    ,>,250-STARTTLS,
    response is:
    ,<,STARTTLS,
    ,>,220 2.0.0 SMTP server ready,
    *,,Sending certificate
    *,CN=.....,Certificate subject
    *,CN=blabla,Certificate issuer name
    *,.....,Certificate serial number
    *,92D44750CB765456D278B6A72AB68BDA0BC4A4,Certificate thumbprint
    but later is:
    ,<,EHLO printerName,
    *,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
    ,>,250-serverName Hello [IPAddres],
    ,>,250-SIZE 10485760,
    ,>,250-PIPELINING,
    ,>,250-ENHANCEDSTATUSCODES,
    ,>,250-AUTH LOGIN,
    ,>,250-8BITMIME,
    ,>,250-BINARYMIME,
    ,>,250 CHUNKING,
    ,<,MAIL From:<email@blabla>,
    *,08D17EBB66CFE110;2014-08-28T09:07:18.802Z;1,receiving message
    ,>,250 2.1.0 Sender OK,
    ,<,RCPT To:<recipient@blabla>,
    ,>,250 2.1.5 Recipient OK,
    ,<,DATA,

    So is TLS working or not? If not, why? Do I need a certificate on the printer?

    Adam

    DB:2.87:Tls Encryption From Printer To Exchange 89

    Thank you. I do not see that header in the message.
    The printer has some default self-signed cert but it cannot be used for TLS - I've got an error "Cannot find issuer certificate". So I think I must install a cert from our CA.
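    Both log excerpts above (the hub connector log in the previous thread and the printer session here) can be read mechanically. What follows is an added Python example, not code from either thread: it parses Exchange 2010 receive-connector protocol log lines and reports, per session, whether STARTTLS was offered, whether the peer requested it, whether Exchange went on to send its certificate and take the second EHLO inside TLS, and what the TlsDomainCapabilities line says about a peer certificate. The sample lines are constructed, modelled on the two quoted logs (connector names, session ids and addresses are made up); the event column carries the '<' and '>' direction markers, which is the column to read first when deciding whether a command travelled in the clear.

```python
"""Per-session TLS verdicts from an Exchange 2010 receive-connector protocol log.

Columns: date-time,connector-id,session-id,sequence-number,local-endpoint,
remote-endpoint,event,data,context. Event: '+' connect, '-' disconnect,
'>' sent by Exchange, '<' received from the peer, '*' information.
"""
import csv
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample modelled on the two quoted logs (names, ids and addresses
# are made up). SESSION0001: STARTTLS offered, never requested.
# SESSION0002: STARTTLS used, server certificate sent, no peer certificate.
SAMPLE_LOG = """\
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,0,10.0.0.10:25,10.0.0.20:50364,+,,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,1,10.0.0.10:25,10.0.0.20:50364,>,220 hub1.example.test Microsoft ESMTP MAIL Service ready,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,2,10.0.0.10:25,10.0.0.20:50364,<,EHLO client1,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,3,10.0.0.10:25,10.0.0.20:50364,>,250-STARTTLS,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,4,10.0.0.10:25,10.0.0.20:50364,>,250 CHUNKING,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,5,10.0.0.10:25,10.0.0.20:50364,<,MAIL FROM:<sender@example.test>,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,6,10.0.0.10:25,10.0.0.20:50364,<,RCPT TO:<user@example.test>,
2011-03-22T19:19:09.011Z,HUB1\\TLS Test Connector,SESSION0001,7,10.0.0.10:25,10.0.0.20:50364,<,DATA,
2011-03-22T19:19:09.418Z,HUB1\\TLS Test Connector,SESSION0001,8,10.0.0.10:25,10.0.0.20:50364,<,QUIT,
2011-03-22T19:19:09.418Z,HUB1\\TLS Test Connector,SESSION0001,9,10.0.0.10:25,10.0.0.20:50364,-,,Local
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,0,10.0.0.10:25,10.0.0.30:41022,+,,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,1,10.0.0.10:25,10.0.0.30:41022,>,220 hub1.example.test Microsoft ESMTP MAIL Service ready,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,2,10.0.0.10:25,10.0.0.30:41022,<,EHLO printer1,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,3,10.0.0.10:25,10.0.0.30:41022,>,250-STARTTLS,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,4,10.0.0.10:25,10.0.0.30:41022,<,STARTTLS,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,5,10.0.0.10:25,10.0.0.30:41022,>,220 2.0.0 SMTP server ready,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,6,10.0.0.10:25,10.0.0.30:41022,*,,Sending certificate
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,7,10.0.0.10:25,10.0.0.30:41022,*,CN=hub1.example.test,Certificate subject
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,8,10.0.0.10:25,10.0.0.30:41022,<,EHLO printer1,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,9,10.0.0.10:25,10.0.0.30:41022,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,10,10.0.0.10:25,10.0.0.30:41022,<,MAIL FROM:<printer@example.test>,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,11,10.0.0.10:25,10.0.0.30:41022,<,RCPT TO:<user@example.test>,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,12,10.0.0.10:25,10.0.0.30:41022,<,DATA,
2014-08-28T09:07:18.802Z,HUB1\\Default HUB1,SESSION0002,13,10.0.0.10:25,10.0.0.30:41022,-,,Local
"""

MAIL_COMMANDS = ("MAIL FROM", "RCPT TO", "DATA")
STATUS_RE = re.compile(r"Status='([^']*)'")


@dataclass
class TlsSummary:
    session_id: str
    starttls_offered: bool = False        # Exchange advertised 250-STARTTLS
    starttls_requested: bool = False      # peer sent STARTTLS
    handshake_started: bool = False       # Exchange logged 'Sending certificate'
    tls_established: bool = False         # second EHLO arrived inside TLS
    client_cert_status: Optional[str] = None  # Status='...' on the TlsDomainCapabilities line
    mail_commands_in_clear: List[str] = field(default_factory=list)


def parse_protocol_log(lines: Iterable[str]) -> Dict[str, TlsSummary]:
    sessions: Dict[str, TlsSummary] = {}
    for row in csv.reader(lines):
        if len(row) < 8:
            continue  # blank or truncated line
        session_id, event, data = row[2], row[6], row[7].strip()
        context = row[8].strip() if len(row) > 8 else ""
        s = sessions.setdefault(session_id, TlsSummary(session_id))
        verb = data.upper()
        if event == ">" and verb.startswith("250-STARTTLS"):
            s.starttls_offered = True
        elif event == "<" and verb.startswith("STARTTLS"):
            s.starttls_requested = True
        elif event == "*" and s.starttls_requested and context == "Sending certificate":
            s.handshake_started = True
        elif event == "*" and "TlsDomainCapabilities" in context:
            m = STATUS_RE.search(context)
            s.client_cert_status = m.group(1) if m else "Unknown"
        elif event == "<" and s.handshake_started and verb.startswith("EHLO"):
            s.tls_established = True  # the EHLO after the handshake travels encrypted
        elif event == "<" and not s.tls_established:
            for cmd in MAIL_COMMANDS:
                if verb.startswith(cmd):
                    s.mail_commands_in_clear.append(cmd)
    return sessions


def classify(s: TlsSummary) -> str:
    if not s.starttls_requested:
        return "cleartext-starttls-offered" if s.starttls_offered else "cleartext-starttls-not-offered"
    if not s.tls_established:
        return "starttls-failed"
    if s.client_cert_status in (None, "NoRemoteCertificate"):
        return "tls-server-auth-only"
    return "tls-with-peer-certificate"


def summarize(log_text: str) -> Dict[str, str]:
    return {sid: classify(s) for sid, s in parse_protocol_log(log_text.splitlines()).items()}


if __name__ == "__main__":
    for sid, s in parse_protocol_log(SAMPLE_LOG.splitlines()).items():
        print(f"{sid}: {classify(s)} in-clear={s.mail_commands_in_clear} status={s.client_cert_status}")
```

    On the constructed sample the first session comes out as cleartext: STARTTLS was advertised in the EHLO response but the peer never sent it, so MAIL FROM, RCPT TO and DATA were received in the clear. The second session comes out as TLS with server authentication only, which is what Status='NoRemoteCertificate' records: the channel is encrypted, the peer simply presented no certificate of its own, and only mutual TLS or Domain Security would require one.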

  • RELEVANCY SCORE 2.87

    DB:2.87:How To Build Openssl For Windows Ce 6.0? How To Implement Ssl For Win Ce 6.0? ff


    Hi All,
    We need to implement SSL for Windows CE. We need to implement Mutual Authentication of X509 certificates using the ciphers AES 256 and Protocol as TLS 1.0.
    1. I tried creating Secure Socket using the link :
    Secure Socket
    but it does not seem to support Client certificate authentication part. Also, I am not able to set the
    Cipher programmatically.

    The following Code fails:
    #include <winsock2.h>
    #include <wincrypt.h>   // ALG_SID_3DES
    #include <sslsock.h>    // SSLCIPHERS, SO_SSL_SET_CIPHERS, SSL_PROTOCOL_TLS1

    SSLCIPHERS ciphersToUse;
    DWORD cbReturned = 0;
    ciphersToUse.dwCount = 1;
    ciphersToUse.CipherList[0] = (DWORD)ALG_SID_3DES;
    ciphersToUse.dwProtocol = SSL_PROTOCOL_TLS1;

    // WSAIoctl takes the address of the input structure, not the structure itself,
    // and a non-NULL bytes-returned pointer for a synchronous call
    if( WSAIoctl( s, SO_SSL_SET_CIPHERS,
    (LPVOID)&ciphersToUse, sizeof(ciphersToUse),
    NULL, 0, &cbReturned, NULL, NULL ) == SOCKET_ERROR)
    {
    printf("SO_SSL_SET_CIPHERS failed: %d\n", WSAGetLastError());
    }
    Q1 : How can I set Cipher programmatically? Am I right in thinking that Client Authentication is not provided at the Socket Level?
    Q2. I am not able to build OpenSSL for Windows CE. Is there any working build available for OpenSSL without any issues?
    Q3. Are there any third party libraries which support Secure socket connections with Mutual authentication on Windows CE?
    Thanks,
    Himanshu

    Himanshu chhaya - Windows CE, Mobile and Phone 7

    DB:2.87:How To Build Openssl For Windows Ce 6.0? How To Implement Ssl For Win Ce 6.0? ff

    http://social.msdn.microsoft.com/Forums/en-US/microsoftdeviceemu/thread/8dc5bbff-efbc-40b0-bb62-5fd470c93223/

    Please do not forget to mark your answer, and unmark your disagreed point.

  • RELEVANCY SCORE 2.86

    DB:2.86:Mac And Linux Nps Authentication 1k


    Hi,
    I am setting up a PKI and NPS environment for 802.1x authentication. I published computer certificates to all Windows domain computers. All Windows domain computers are connected successfully using mutual authentication (EAP-TLS). Now the problem is that we have Mac and Linux systems as well. I can get them to work using PEAP authentication (asking username and password) but that's not what I want. I created a template non-domain Client Certificate - Computer and I enrolled the certificate via a Windows workstation. I can export the certificate with the private key to the Mac or Linux environment. But all I can see from the IAS log is that they try to connect using a username rather than the computer certificate.

    Windows computer IAS log: host\machinename.domain.com - IAS_SUCCESS
    Mac computer IAS log: username - IAS_AUTH_FAILURE
    I don't know a lot about Mac or Linux computers. In Windows I have a Computer and a User certificate store, and I can choose what kind of authentication I will use in the Wifi AP properties (Computer auth or User auth or both). I can't see any such options on Mac or Linux.
    So is there any solution I can try to get Mac and Linux computers to authenticate using a computer certificate and EAP-TLS? What am I doing wrong?
    Any help will be appreciated
    Taavi

    DB:2.86:Mac And Linux Nps Authentication 1k

    Try here:

    http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

    You WILL NEED to join Macs to AD (which works very well indeed)
    Script help is here: https://discussions.apple.com/thread/5373901

    Seb

  • RELEVANCY SCORE 2.86

    DB:2.86:Web Services Https With Mutual Authentication az


    I'm trying to call a web service on BEA WLS 8.1 via HTTPS with mutual authentication.

    An alert is sent from the server when the client tries to authenticate to the server.

    On the server I get the following error:

    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 HANDSHAKEMESSAGE: Certificate
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 validationCallback: validateErr = 16
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Required peer certificates not supplied by peer
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090508 Certificate chain received from flanders - 172.22.4.61 was incomplete.
    ####Feb 15, 2005 10:38:39 AM MET Warning Security flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090477 Certificate chain received from flanders - 172.22.4.61 was not trusted causing SSL handshake failure.
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Validation error = 20
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is incomplete
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is untrusted
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 User defined JSSE trustmanagers not allowed to override
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLTrustValidator returns: 84
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Trust failure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED
    ####Feb 15, 2005 10:38:39 AM MET Debug TLS flanders ConsensoServer ExecuteThread: '14' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 NEW ALERT: com.certicom.tls.record.alert.Alert@13a252a Severity: 2 Type: 40
    java.lang.Throwable: Stack trace
    at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

    On the client I get the following error:

    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220094 An IOException was thrown trying to access the WSDL at the given URL.
    Feb 15, 2005 10:20:15 AM MET Info WebService BEA-220034 A stack trace associated with message 220094 follows:

    javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from flanders - 172.22.4.61. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown Source)
    at com.certicom.net.ssl.internal.HttpURLConnection.getInputStream(Unknown Source)
    at weblogic.webservice.client.https.HttpsURLConnection.getInputStream(HttpsURLConnection.java:216)
    at weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(DefinitionFactory.java:87)
    at weblogic.webservice.tools.wsdlp.WSDLParser.init(WSDLParser.java:76)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:108)
    at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:84)
    at weblogic.webservice.core.rpc.ServiceImpl.init(ServiceImpl.java:79)
    at com.etnoteam.timvas.srsv.interfaces.in.csp.activate.client.Activate_Impl.init(Activate_Impl.java:22)
    at clientPep1.main(clientPep1.java:149)

    DB:2.86:Web Services Https With Mutual Authentication az

    I have a similar problem now calling a webservice (2-way-SSL). The server reports "Certificate chain is incomplete", but I checked the client certificate. It's ok.

    Particularly I'd like to understand what causes the following server log message:

    User defined JSSE trustmanagers not allowed to override

    Running Weblogic Server 8.1, SP4 + Patch CR210310_81sp4

    server log:

    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 HANDSHAKEMESSAGE: ClientHelloV2
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write HANDSHAKE, offset = 0, length = 58
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write HANDSHAKE, offset = 0, length = 1924
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write HANDSHAKE, offset = 0, length = 4811
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write HANDSHAKE, offset = 0, length = 4
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLFilter.isActivated: false
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 isMuxerActivated: false
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLFilter.isActivated: false
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 15158345 SSL3/TLS MAC
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 15158345 received HANDSHAKE
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 HANDSHAKEMESSAGE: Certificate
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 validationCallback: validateErr = 0
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Required peer certificates not supplied by peer
    ####Sep 26, 2005 2:17:39 PM MEST Warning Security h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel BEA-090508 Certificate chain received from w008nr - 10.224.64.3 was incomplete.
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Validation error = 4
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Certificate chain is incomplete
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 User defined JSSE trustmanagers not allowed to override
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLTrustValidator returns: 68
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 Trust failure (68): CERT_CHAIN_INCOMPLETE
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:340)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 write ALERT, offset = 0, length = 2
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 close(): 31922233
    ####Sep 26, 2005 2:17:39 PM MEST Debug TLS h00962 node1 ExecuteThread: '28' for queue: 'weblogic.kernel.Default' WLS Kernel 000000 SSLIOContextTable.removeContext(ctx): 3401541

    client log:

    HANDSHAKEMESSAGE: ServerHelloDone
    write HANDSHAKE, offset = 0, length = 7
    write HANDSHAKE, offset = 0, length = 262
    write CHANGE_CIPHER_SPEC, offset = 0, length = 1
    write HANDSHAKE, offset = 0, length = 16
    27187756 SSL3/TLS MAC
    27187756 received ALERT
    NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.init(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:105)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:80)
    at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:407)
    at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:196)
    at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:37)
    at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
    at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
    at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:443)
    at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
    at ch.post.pf.nama.webservices.lists.client.ListsWebServicePort_Stub.findListValue(ListsWebServicePort_Stub.java:26)
    at test.webservices.lists.Client.invokeSecureWebservice(Client.java:123)
    at test.webservices.lists.Client.main(Client.java:57)
    Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@b02928
    close(): 16094127
    java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: Failed to send request
    Detail:
    <detail>
    <bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">javax.net.ssl.SSLHandshakeException: FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:105)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:80)
    at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:407)
    at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:196)
    at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:37)
    at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
    at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
    at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:443)
    at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
    at ch.post.pf.nama.webservices.lists.client.ListsWebServicePort_Stub.findListValue(ListsWebServicePort_Stub.java:26)
    at test.webservices.lists.Client.invokeSecureWebservice(Client.java:123)
    at test.webservices.lists.Client.main(Client.java:57)
    </bea_fault:stacktrace>
    </detail>; nested exception is:
    javax.xml.rpc.soap.SOAPFaultException: Failed to send request
    at ch.post.pf.nama.webservices.lists.client.ListsWebServicePort_Stub.findListValue(ListsWebServicePort_Stub.java:31)
    at test.webservices.lists.Client.invokeSecureWebservice(Client.java:123)
    at test.webservices.lists.Client.main(Client.java:57)
    Caused by: javax.xml.rpc.soap.SOAPFaultException: Failed to send request
    at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:313)
    at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:144)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
    at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:443)
    at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
    at ch.post.pf.nama.webservices.lists.client.ListsWebServicePort_Stub.findListValue(ListsWebServicePort_Stub.java:26)
    ... 2 more
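    Both server logs in this thread end the same way: "Required peer certificates not supplied by peer" followed by CERT_CHAIN_INCOMPLETE. The server trusts a root CA, the client presents a certificate, and the server cannot build a path from that certificate back to the root, which is what happens when the client's identity keystore holds only the leaf and not the issuing CA certificate. The Go program below is an added example written for this page, not code from the thread or from WebLogic. It builds a placeholder root CA, issuing CA and client certificate in memory and runs the same path validation a 2-way SSL server runs, once with only the leaf presented and once with the leaf plus the issuing certificate, so the difference between the two log outcomes can be reproduced offline before touching the server configuration. All names, serial numbers and the "ws-client.example.invalid" subject are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed root CA -> issuing CA -> client leaf hierarchy built in memory.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}
// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}
// BuildPKI generates the placeholder hierarchy; the server side will trust only Root.
func BuildPKI() (*TestPKI, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Issuing CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "ws-client.example.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyClientChain models the server in 2-way SSL: it trusts only trustedRoot and must
// build a path from presented[0] (the client leaf) via the intermediates the client sent.
func VerifyClientChain(trustedRoot *x509.Certificate, presented []*x509.Certificate) error {
	if len(presented) == 0 {
		return errors.New("no client certificate presented")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Diagnose maps the verification result onto the outcomes seen in the server log.
func Diagnose(err error) string {
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "chain incomplete or untrusted"
	}
	return "other: " + err.Error()
}
func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only:     ", Diagnose(VerifyClientChain(pki.Root, []*x509.Certificate{pki.Leaf})))
	fmt.Println("leaf + issuing:", Diagnose(VerifyClientChain(pki.Root, []*x509.Certificate{pki.Leaf, pki.Intermediate})))
}
```

    The first call reproduces the failure from the log (the leaf alone cannot be chained to the trusted root), the second succeeds once the issuing certificate travels with the leaf. The same check, pointed at the real server trust store and the real client keystore contents, tells you whether the problem is on the client side (issuing certificate missing from the identity keystore) or on the server side (root not in the trust store) before any WebLogic debug flags are turned on.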

  • RELEVANCY SCORE 2.86

    DB:2.86:Requiring Tls To A Specific 3rd Party 7c


    Right now we're sending and receiving email with two external entities and require that these communications be sent with TLS encryption. The more recent one is not using an Exchange server, and they do not have any relationship to our domain or company.
    My current understanding right now is that we have several methods to use TLS:

    Mutual TLS, Opportunistic TLS, Direct Trust, Domain Security
    I'm able to verify right now that they're sending and receiving via TLS with us, so it's working, but the requirement from them is that we force a TLS connection with them. As I understand it right now, we're simply communicating with TLS because our Exchange 2007 server was already configured to use TLS with another party, so it's opportunistic. But I need to ensure that it's forced TLS.
    Help me Obi Wan to learn the way of the forced TLS. :)
    Thanks in advance for any help.

    DB:2.86:Requiring Tls To A Specific 3rd Party 7c

    For everyone's reference, this is the exact syntax I used, domain names have been anonymized.

    New-Sendconnector -Name sendersdomain.com -AddressSpaces sendersdomain.com -RequireTLS $True

  • RELEVANCY SCORE 2.85

    DB:2.85:Wcf .Net 4 Client. Which Binding Should I Use For These Requirements? c3


    So far I have spent time experimenting with basicHttpBinding, wsHttpBinding, ws2007HttpBinding, and customBinding. At this point I've befuddled myself to the point I want some fresh eyes to recommend suggestions.
    I am by no means an expert with any of this but I am knowledgeable enough to get into the details with a good degree of understanding. All comments/questions would be greatly appreciated.

    Transport-level
    SSL/TLS is required while data travels on the Internet
    Implement mutual authentication via SSL/TLS
    Ensure minimum SSL/TLS security settings
    SSL/TLS version MUST be at least 3.0
    The SSL/TLS cipher suite MUST include AES 128 bit for encryption
    The SSL/TLS cipher suite MUST include SHA-1 for integrity protection
    Message-level
    Use OASIS Web Services Security (WSS) standards
    SOAP Message Security
    Sign all SOAP messages
    X.509 Token Profile
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
    Signing entities are expected to be applications/systems with appropriate certificates
    Message headers MUST include a timestamp and a nonce
    A timestamp as specified by WSS wsu:timestamp
    A random number as specified by WSS wsu:nonce
    Message-Validation
    signature
    certificates
    Revocation status of certificates
    Timestamp and nonce (to prevent replay attacks)
    Security rules mentioned above apply to Request and Reply.
    Brett L. Brown

    DB:2.85:Wcf .Net 4 Client. Which Binding Should I Use For These Requirements? c3

    If you think it's SOAP 1.1, try to use basicHttpBinding. wsHttpBinding by default uses SOAP 1.2.
    Lante, shanaolanxing
    This posting is provided AS IS with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog

  • RELEVANCY SCORE 2.85

    DB:2.85:Mail Flow Is Not Working Between Two Organization 3p


    Hello All,
    my setup: 2 AD forests with a forest trust, 2 Exchange organizations (abc.com and xyz.com).
    I created a send connector in both places and chose "route the mail through the following smart host", entering the opposite Exchange IP; it is working fine.
    My goal is to achieve Mutual TLS, so when I chose "use DNS (MX) records to route the mail automatically", it is not working...
    My question is, how do I make it use the MX record?
    I have already created a secondary zone and created an MX record in both places, but no luck.
    Suggestions would be much appreciated.
    Thanks & Regards, Kottees R

    DB:2.85:Mail Flow Is Not Working Between Two Organization 3p

    Hello Zbynek,
    anyway it worked.. thanks for more clarification..
    Thanks & Regards, Kottees R

  • RELEVANCY SCORE 2.81

    DB:2.81:802.1x - How To Enforce Authentication Of Both A User Certificate And Computer Certificate ax


    Hi there,
    I'm setting up 802.1x (EAP-TLS) for wireless clients in the test environment. The Microsoft best practices documentation (http://technet.microsoft.com/en-us/library/bb457091.aspx) states that the most secure method of authentication is:

    WPA2 with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and
    both user and computer certificates
    EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients. EAP-TLS uses digital certificates to provide mutual authentication, in which the wireless client authenticates itself to the authentication server and
    vice versa. EAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current. For the highest security, configure your PKI to issue both user and computer certificates for wireless access.

    Can someone please explain how you configure both your client and backend (RADIUS) infrastructure to process two certificates? From my experience, when you configure your supplicant you have to instruct it to present either a user cert OR a computer cert... not both. On Windows XP you can do this via the EAPOL reg key I think.... on Windows 7 you just select the drop down box....
    Am I missing something, or is there a way to ensure both certificate types are presented by the client machine and authenticated by the Radius server?
    Regards, James.
    James Frost

    DB:2.81:802.1x - How To Enforce Authentication Of Both A User Certificate And Computer Certificate ax

    Hmm OK - I've done some more research, and I think I have the answer. This type of authentication can't be done... at least not simultaneously.
    Microsoft provide further detail here:
    http://technet.microsoft.com/en-us/library/cc754057(WS.10).aspx
    EAP does not provide mechanisms that perform dual authentication, that is, the authentication of both the computer being used to access the network and the user who is attempting to connect. For this reason, you are not required to issue both computer and user certificates when you deploy EAP and PEAP with certificate-based authentication types.

    They go on to explain how computer certificates can be issued (separately from user certs).
    Using autoenrollment. When you deploy certificates using autoenrollment, you configure the CA to automatically enroll certificates to computers that are members of the Domain Computers group and to users who are members of the Domain
    Users group. No additional hardware is required to autoenroll certificates, because the certificates are stored on the computer that is connecting to the network. When a computer receives a computer or user certificate from the CA, the certificate is stored
    locally in a data store named the certificate store.
    In other words - you can authenticate via computer and user certificate - it just can't happen at the same time. Computer cert auth would happen at computer boot (pre GINA-logon) and I believe user cert authentication then happens again after user GINA-logon.
    Obviously you'd need two different RADIUS policies to accommodate this scenario.
    If anyone has configured this scenario and has some pointers, let me know.
    Cheers, James.

    James Frost

  • RELEVANCY SCORE 2.80

    DB:2.80:Cannot Send Email While The Mutual Tls Is Enabled. ms


    We want to set up our Exchange 2010 server to use mandatory TLS encryption while sending mail to one of our partners. They are using the hosted email service provided by Google now. And I have read the Library article, Using Domain Security: Configuring Mutual TLS: http://technet.microsoft.com/en-us/library/bb123543.aspx.

    I also read the Forum post here: http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaginglegacy/thread/210ba7f6-6d52-4ea6-be0a-b8f02cd16b18

    But the error is still occurring. I have created a new send connector and enabled Domain Security for the partner's domain according to that Library article. All the mail sent to my partner was delayed in the queue. The last error shows like this:

    451 4.4.0 Primary target IP address responded with: 454 4.7.5 Certificate validation failure.

    or
    451 4.4.0 Primary target IP address responded with: 421 4.2.1 Unable to connect.
    The certificate is self-signed, but opportunistic TLS is OK! I can use opportunistic TLS for delivering mail to my partner. I have checked the log and ran a sniffer on this communication; the delivery is fine and encrypted by TLS. But the TLS is not enforced: Exchange will try to send the mail in plain text while TLS is not available. When I enabled Domain Security, the communication error occurred. Opportunistic TLS is OK, but Mutual TLS is not. Why? Could you help me?
    Thanks.

    DB:2.80:Cannot Send Email While The Mutual Tls Is Enabled. ms

    Hi
    Did the below thread help?
    http://social.technet.microsoft.com/Forums/en/exchangesvrsecuremessaginglegacy/thread/beed1f0f-52b5-4108-97c6-b578a28c220b
    The user's smarthost was having problems with their name servers.
    And Rock Provide some steps of solution when
    we are not be able to validate the remote certificate.
    Hope it helps
    Cheers
    Zi Feng

    TechNet Community Support

  • RELEVANCY SCORE 2.78

    DB:2.78:Ocs 2007 R2 Enterprise Setup Certificate Wizard am


    Hello
    When I use the OCS certificate wizard to create a cert, is this the cert that is used for the internal clients to connect to OCS, or is it used for both internal and external clients? The reason I am asking is that I can easily create a new cert request and use my internal CA server to issue the certificate, and all internal clients on the network will have a copy of the CA's root cert, but my external clients who are not part of the domain will not trust my internal CA root cert. So at this point should I be getting a cert from a public CA, or can I use my internal CA for this particular step?
    Office Communications Server requires certificates on each Standard Edition server or Enterprise Edition server in order to use mutual TLS (MTLS), which is TLS with mutual authentication. All Office Communications Servers use MTLS to communicate with one another. If you do not configure MTLS on each server, presence and instant messaging (IM) communication may not work properly.
    Each client also needs to trust the certificate that the server is using in order to connect to the server by using TLS. You can use the Certificates Wizard on a Standard Edition server or Enterprise Edition server to:
    Bulls on Parade

    DB:2.78:Ocs 2007 R2 Enterprise Setup Certificate Wizard am

    Ok, so the Edge role is more for communicating with external users who are remote and do not have user accounts in the domain?
    Again many thanks!
    Bulls on Parade

  • RELEVANCY SCORE 2.78

    DB:2.78:How To Configure Mutual Tls On Exchange 2007 With Other Company Running Exchange 2010 zp


    Hi:
    I need help with configuring our Exchange 2007 server for Mutual TLS. We are using a certificate from a public CA. I have tried going through the http://technet.microsoft.com/en-us/library/bb123543(v=exchg.80).aspx article and that is not working. All the settings described in this article were done on the default connectors.
    CompanyB wants to create Mutual TLS with mycompany
    mycompany is running exchange 2007 no edge server just hub transport
    companyB is running exchange 2010 with hosted Forefront and edge server
    I have not tried creating new send Receive connectors, since i am not sure which setting I need to input.
    Can someone please help me out.

    Thank you.
    Nick

    DB:2.78:How To Configure Mutual Tls On Exchange 2007 With Other Company Running Exchange 2010 zp

    Hi
    You just need to set up TLS on your exchange 2007.
    You can read the process from this blog.
    Terence Yu
    TechNet Community Support

  • RELEVANCY SCORE 2.78

    DB:2.78:Web Components Mutual Tls Cert Error ss


     
    This is not my first time; I have had nothing but headaches with OCS and certs. I have never seen such a picky system when it comes to certs.

    Well, I am trying to set up my Web Components on another system and I cannot seem to make it happy about which Mutual TLS cert it wants.

    We have an internal CA with root certs on this server.

    Any idea?

    DB:2.78:Web Components Mutual Tls Cert Error ss

    Well, I figured out what I was doing wrong.

    When I went to my CA /CertSrv

    I would fill it out as a Web Cert (Exportable)

    Put the FQDN of the server in the Name field and then again in the Friendly Name field

    I went back in and ONLY put the FQDN of the server in the top Name field and left the Friendly Name field blank

    I also checked the box that said Store Certificate in the Local Computer Cert Store

    All is well.  Now I am off to a new error