CRL via LDAP on a C2611

I work with certificates on a 2611 router. Everything works very well in combination with a CA, except fetching the revocation list (CRL).

My CA publishes CRL to something like:

LDAP:///CN=CA-server,CN=ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int? CertificateRevocationList? base? objectClass = CRLDistributionPoint

In the 2611 router config, under "crypto ca trustpoint CA-SERVER", I put

crl query ldap://IP ADDRESS OF CA-SERVER/CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

Unfortunately, it does not work. The router does not fetch a revocation list. I think it is not even trying to connect (I do not see any LDAP traffic on the firewall).

Does anyone know a solution for this problem? Is it maybe possible to retrieve the CRL over HTTP?

Thank you

Angelo.

I don't know what version of the code you use, so I'll give you a little history of IOS.

Before IOS 12.1(5), CEP was used with Microsoft CAs to retrieve the CRL. However, since the SCEP protocol is not a very effective method for retrieving CRLs, we added support for retrieving CRLs via LDAP and HTTP. IOS determines how to retrieve the CRL from the certificate itself, using the CDP. In the certificates you show, the CDP is indicated via LDAP, so the router will try to get it using this method (assuming the code is later than 12.1(5)).

However, the problem you are experiencing is due to the 'strange' LDAP URL format in the certificates. Microsoft Enterprise certification authorities put file specifications in the LDAP URL using multiple CommonNames (CN=a) and the ?XXX construct. IOS does not like file-name specifications in the URL at this time.

IOS works very well with a CDP that specifies an HTTP URL, or an LDAP URL without all the CN stuff. The 'crl query' URL in the config is ignored if the certificate contains a CDP with an http:// or ldap:// URL (without all the CN); however, if it contains an LDAP URL in the format you show, then the 'crl query' command is used. IOS still does not understand all the ADS etc. specifiers, so a 'crl query' command with all that won't work, as you've seen.

You can change your MS CA server to put an HTTP or LDAP URL directly in the certificate, or make your CRL available on an HTTP server somewhere and then add a 'crl query' pointing directly at it. Because the router does not understand the LDAP CRL location in the cert, it will use the 'crl query' location you specify, and it should work for you.
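As an added example (not part of the thread), the following Python parses the Microsoft-style LDAP CDP URL from the question into its RFC 4516 parts and applies the answer's rules to decide which location the router would use; the host 192.0.2.10 and the .crl path are constructed placeholders.

```python
# Added example, not from the original thread: parse the RFC 4516 LDAP URL form
# that Microsoft CAs put in the CRL Distribution Point (CDP) extension, and work
# out which location an IOS router of the kind described above would use.
# Host 192.0.2.10 and the .crl path are constructed placeholders.
from urllib.parse import unquote

# CDP URL as published by the Microsoft CA in the question (copied from the post).
MS_CDP = ("LDAP:///CN=CA-server,CN=ServerName,CN=CDP,CN=Public%20Key%20Services,"
          "CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int"
          "? CertificateRevocationList? base? objectClass = CRLDistributionPoint")
# The trustpoint's 'crl query' URL from the question, with a constructed host.
ROUTER_QUERY = ("ldap://192.0.2.10/CN=CA-SERVER,CN=servername,CN=CDP,CN=Public%20Key%20Services,"
                "CN=Services,CN=Configuration,DC=subdomain,DC=domain,DC=int"
                "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
# The workaround from the answer: publish the CRL on a web server (constructed URL).
HTTP_QUERY = "http://192.0.2.10/CertEnroll/CA-SERVER.crl"


def parse_ldap_url(url):
    """Split ldap://host/DN?attributes?scope?filter into its parts (RFC 4516).

    An empty host (ldap:///...) is what Microsoft CAs emit by default; a
    domain-joined Windows client resolves it via its own DC, a router cannot.
    """
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, path = rest.partition("/")
    parts = path.split("?")
    dn = unquote(parts[0]).strip()
    attrs = [a.strip() for a in parts[1].split(",") if a.strip()] if len(parts) > 1 else []
    scope = parts[2].strip().lower() if len(parts) > 2 and parts[2].strip() else "base"
    filt = unquote(parts[3]).strip() if len(parts) > 3 else ""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return {
        "host": host or None,
        "dn": dn,
        "attributes": attrs,
        "scope": scope,
        "filter": filt,
        # The "CN stuff" the answer refers to: a DN made of CN= RDNs plus the
        # ?attribute?scope?filter tail that names the CRL object and attribute.
        "ms_style": any(r.lower().startswith("cn=") for r in rdns) or bool(attrs) or bool(filt),
    }


def ios_crl_fetch_plan(cdp_urls, crl_query=None):
    """Decide where the router gets its CRL, following the answer above.

    Returns (method, location): an http:// CDP or a plain ldap://host/ CDP is
    used directly and 'crl query' is ignored; a Microsoft-style LDAP CDP is
    skipped, so the configured 'crl query' is used instead, and that fails too
    if it repeats the same DN/attribute form (or names no host).
    """
    for url in cdp_urls:
        scheme = url.partition("://")[0].lower()
        if scheme == "http":
            return ("cdp-http", url)
        if scheme in ("ldap", "ldaps"):
            p = parse_ldap_url(url)
            if p["host"] and not p["ms_style"]:
                return ("cdp-ldap", url)
    if crl_query is None:
        return ("unfetchable", "no usable CDP and no crl query configured")
    if crl_query.partition("://")[0].lower() in ("ldap", "ldaps"):
        p = parse_ldap_url(crl_query)
        if p["ms_style"] or not p["host"]:
            return ("unfetchable", "crl query uses the CN=/?attribute LDAP form")
    return ("crl-query", crl_query)


if __name__ == "__main__":
    print(parse_ldap_url(MS_CDP))
    print(ios_crl_fetch_plan([MS_CDP], ROUTER_QUERY))  # unfetchable, as in the question
    print(ios_crl_fetch_plan([MS_CDP], HTTP_QUERY))    # crl-query -> the HTTP CRL
```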

Tags: Cisco Security
