OHS SSL CRL configuration

Hello

I have documents, none of them conclusive, which describe the complete process necessary for configuring SSL CRL checking on an OHS 11g web tier install. I have a dev site configured for SSL with client verification on, and it works well. When I configure OHS to use the CRL, it is unusably slow at the start when a user logs on for the first time. Before I start looking for bottlenecks, I want to be sure I have configured the server properly.

So far, I took the following steps to configure the revocation list:

(1) turned the check on

SSLCRLCheck on

(2) set the path of the CRL file

SSLCARevocationPath "${ORACLE_INSTANCE}/config/folder"

(3) copied the .crl file required in the folder

(4) used orapki to hash the .crl file

(5) restarted the server

I have reviewed a few OHS SSL setup documents. Are these the key steps? I'd feel better if I had one complete source for configuring SSL CRL checking on the OHS 11g web tier only.

Thank you

-Scott

Hi Scott,

Here is the doc you can check for the revocation configuration:

How to configure CRL checking in Oracle HTTP Server in FMW 11 g (11.1.1.X) (Doc ID 1269633.1)

You may or may not be able to access this doc due to access limitations. You can contact support for assistance.

Thank you

Sharmela
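As an added example (not from this thread, Oracle's documentation, or the Cisco thread it also relates to), the Python checker below covers the two things that tend to go wrong with a CRL deployment: it tells you whether a .crl file is PEM or DER (the ASA thread under Similar Questions only accepted DER), converts between the two, and reads thisUpdate/nextUpdate and the revoked serials so you can confirm that the file you are hashing for SSLCARevocationPath is actually current. The sample CRL is constructed inline with a placeholder signature; the parser assumes definite-length DER and does not verify the signature.

```python
import base64
import re
from datetime import datetime, timezone

# --- minimal DER helpers (enough for a CRL; written for this example) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_children(value):
    """Split a constructed value into its [(tag, value), ...] children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _issuer_cn(name):
    for _, rdn in read_children(name):            # Name is a SEQUENCE of SETs
        for _, atv in read_children(rdn):         # each SET holds AttributeTypeAndValue SEQUENCEs
            oid, val = read_children(atv)
            if oid[1] == b"\x55\x04\x03":         # id-at-commonName
                return val[1].decode("utf-8")
    return None

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def load_crl(data):
    """Detect the encoding and return ('PEM' | 'DER', der_bytes)."""
    m = PEM_RE.search(data)
    if m:
        return "PEM", base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] == b"\x30":                      # a DER CertificateList starts with SEQUENCE
        return "DER", data
    raise ValueError("not a PEM or DER encoded CRL")

def der_to_pem(der):
    """Re-armor DER as the PEM form openssl writes (the reverse of what the ASA needed)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"

def parse_crl(der):
    """Read version, issuer CN, validity window and revoked serials from a DER CRL."""
    tag, cert_list, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = read_children(read_children(cert_list)[0][1])   # tbsCertList
    i, version = 0, 1
    if fields[0][0] == 0x02:                                  # optional version INTEGER
        version, i = int.from_bytes(fields[0][1], "big") + 1, 1
    issuer, (t_tag, t_val) = fields[i + 1][1], fields[i + 2]  # skip signature AlgorithmIdentifier
    i += 3
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = _decode_time(*fields[i]), i + 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:              # revokedCertificates
        for _, entry in read_children(fields[i][1]):
            revoked.append(int.from_bytes(read_children(entry)[0][1], "big"))
    return {"version": version, "issuer_cn": _issuer_cn(issuer),
            "this_update": _decode_time(t_tag, t_val), "next_update": next_update,
            "revoked": revoked}

def crl_status(info, now=None):
    """'current' inside the validity window, 'expired' once nextUpdate has passed."""
    now = now or datetime.now(timezone.utc)
    if info["next_update"] is None:
        return "no nextUpdate"
    return "expired" if now > info["next_update"] else "current"

# --- constructed sample CRL (signature bytes are a placeholder, not verified here) ---
_SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")

def build_sample_crl_der():
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"Example CA"))))
    entry = _tlv(0x30, _tlv(0x02, b"\x10\x01") + _tlv(0x17, b"160110120000Z"))   # serial 0x1001 revoked
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _SHA256_RSA + issuer
               + _tlv(0x17, b"160112100933Z") + _tlv(0x17, b"170111100933Z") + _tlv(0x30, entry))
    return _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00" + b"\xab" * 32))

if __name__ == "__main__":
    der = build_sample_crl_der()
    for blob in (der, der_to_pem(der).encode()):
        fmt, raw = load_crl(blob)
        info = parse_crl(raw)
        print(fmt, info["issuer_cn"], info["next_update"].date(), crl_status(info), info["revoked"])
```

Point `load_crl` at the file you copied into the SSLCARevocationPath folder; an "expired" result explains a failing check better than any mod_ssl log line.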

Tags: Fusion Middleware

Similar Questions

  • On ASA 5520 SSL certificate configuration

    Hello

    I have an SSL certificate from a third party that shows under identity in ASDM; however, the firewall's verification analysis shows that the SSL certificate is signed with an unknown certification authority. I installed both the primary and secondary certificate from the third party under the certification authority section in ASDM, but when I check the SSL certificate it still shows as self-signed. I am not sure what other steps to take. I have attached a few screenshots.

    Thank you for your help.

    Wo

    Hello

    Have you activated the correct trustpoint in Configuration > Device Management > Advanced > SSL Settings? On this screen there is a "Certificates" section where you can select the appropriate trustpoint for each interface.

    The trustpoint will reference the certificate that you imported, and the interface will reference this trustpoint. Until you activate it, the ASA will continue to use the self-signed certificate.

    Hope that helps.

    -Mike

  • HTTP Mode SSL connector configuration

    What are the configuration changes I need to make to the HTTP connector to connect to the server that is configured in SSL mode?

    I get the error below when executing ExportViewDefinition.grf with the HTTP connector:

    Component [HTTP connector: HTTP_CONNECTOR0] finished with ERROR status.

    peer not authenticated

    When you export views from an SSL-protected server, try using the WEB_SERVICE_CLIENT component instead of the HTTP_CONNECTOR component. See my comment on the wiki: https://wikis.oracle.com/display/endecainformationdiscovery/EID+3.1+Export+View+Configuration?focusedCommentId=62423284&#comment-62423284

  • Router Cisco SSL VPN Configuration

    Hello support.

    A question concerning this scenario.

    One of our clients currently has SSL VPN enabled for remote users, and I was wondering if there is any way to configure a remote Cisco router to connect via IPsec to this SSL VPN endpoint? The idea is simply to set up the tunnel without requiring changes on my customer's end.

    Thanks in advance.

    Ivan Chacon

    Hello

    IPsec and SSL VPN are 2 different configurations; there is no way to have a router configured for IPsec connect to another without changing that end as well. You can run IPsec and SSL VPN on the same router, however.

    There are a lot of IOS LAN-to-LAN configuration guides, or if you want the router to act as a client, look into EZVPN.

    HTH

    -Jason

  • Xcode Server installation failed (ssl configuration infrastructure)

    After upgrading to Server 5.2 today, I am unable to start the Xcode service because of an error.

    The first time I tried to start the service, after having chosen the Xcode application, I was asked to create an Xcode service user account. So, I followed the prompts to create an Xcode Server user account.

    Then I saw a message that Xcode Helper should be allowed to use UI scripting, to which I agreed.

    Finally, a progress bar appeared while, apparently, the Xcode service was being configured.

    And then an error stating:

    Xcode Server installation failed (ssl configuration infrastructure)

    Try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    Given that I had just installed the latest version of Xcode, I went ahead and checked that Xcode launches without problem, and no message appears.

    Then I went to System Preferences > Security & Privacy > Accessibility and verified that an entry was added for Xcode Helper, and I checked the box next to it to allow access.

    I also went ahead and logged in to the Xcode Server user account and used fast user switching to return to my main account.

    Unfortunately, trying to start the service again results in the same error. I even tried to start the service while logged on to the Xcode Server user account. Every time it failed with the same message.

    Whenever I try to start the service, I see this (or a very similar) message sequence hit the system log:

    20 September 15:50:36 servermgr_xcode Server [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 10;

    currentPercentageCompleteRangeMinimum = 10;

    currentStep = 'Xcode stop server';

    percentComplete = 10;

    status = running;

    }

    20 September 15:50:37 Server servermgr_xcode [867]: task completed (State 0)

    20 September 15:50:37 Server servermgr_xcode [867]: stderr output for the job:

    (4 / 6) [START] stop nginx daemon

    (3 / 6) Server [START] stop API

    (1 / 6) [START] stop CouchDB

    (6 / 6) [START] stop builder

    (5 / 6) [START] daemon stop control

    (2 / 6) [START] stop repeat

    (5 / 6) [END - 0.05 S] Stop control daemon

    (1 / 6) [END - 0.05 S] Judgment of CouchDB

    (2 / 6) [END - 0.05 S] Stopping repeat

    (3 / 6) [END - 0.05 S] Stop server API

    (4 / 6) [END - 0.14 S] Stop the nginx daemon

    (6 / 6) [END - 0.16 S] Stop generator

    A successful!

    Total time: 0.32 seconds

    20 September 15:50:37 Server servermgr_xcode [867]: launch/usr/bin/xcrun xcscontrol - initialize - build-service-user xcodeserver

    20 September 15:50:37 Server servermgr_xcode [867]: wait for task to leave

    20 September 15:50:37 Server lsd [961]: LaunchServices: could not store file lsd-identifiers to /private/var/db/lsd/com.apple.lsdschemes.plist

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: (1/29) checking that Xcode is accessible

    20 September 15:50:37 Server sudo [1422]: root: TTY = unknown; PWD =; USER = nobody; /Applications/XCode.app/Contents/developer = / usr/bin/file COMMAND

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: (1/29) checking that Xcode is accessible

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: running (4/29) xcode-selector - /Applications/Xcode.app

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: integration of control to prepare (9/29)

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (11/29) setting up the config for Redis file

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (12/29) setting up the config for CouchDB file

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: launchd jobs (13/29) system configuration

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (14/29) creative group for users of service if required

    Note : There was a lot of posts like this that I missed:

    20 September 15:50:38 syslogd server [69]: notice of Configuration:

    ASL Module 'com.apple.AccountPolicyHelper' claims the selected messages.

    These messages may not appear in the standard system log files or in the database of the ASL.

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: configuration record (16/29)

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: users of creative services (17/29) if necessary

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: infrastructure configuration of SSL (18/29)

    20 September 15:50:39 Server servermgr_xcode [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 75;

    currentPercentageCompleteRangeMinimum = 20;

    currentStep = "Configuring SSL infrastructure."

    percentComplete = 54;

    status = running;

    }

    20 September 15:50:41 com.apple.SecurityServer [114 Server]: displaying guest Keychain for Applications/Xcode.app/Contents/Developer/usr/bin/xcscontrol(1421)

    20 September 15:50:41 Server servermgr_xcode [867]: xcscontrol reported progress: FAILED (18/29): configuration of SSL infrastructure

    20 September 15:50:41 Server servermgr_xcode [867]: task completed (Status 5)

    20 September 15:50:41 Server servermgr_xcode [867]: stderr output for the job:

    (1/29) [START] make sure Xcode is accessible

    (1/29) [END - 0.20 S] Make sure Xcode is accessible

    Audit (2/29) [START] version of Xcode is supported

    (2/29) [END - 0.00 S] Check if the version of Xcode is supported

    Developer mode (5/29) [START] if necessary activation

    [START] Running (4/29) xcode-selector - /Applications/Xcode.app

    (29/3) [START] check if the server version is supported

    (3/29) [END - 0.02 S] Check if the server version is supported

    Data directories (6/29) [START] creation by default (if they are missing)

    (6/29) [END - 0.00 S] Creation of data directories by default (if they are missing)

    (7/29) [START] create a symbolic link to the current path of the Xcode application

    Access to the repository (8/29) [START] HTTP configuration

    Integration of control (9/29) [STARTED] preparation

    Access [START] SSH configuration repository (10/29)

    (8/29) [END - 0.12 S] Access to the HTTP repository configuration

    (7/29) [END - 0.12 S] Create a symbolic link to the current path of the Xcode application

    (10/29) [END - 0.12 S] The access to the repository SSH configuration

    (11/29) [START] establishing the file config for Redis

    (12/29) [START] set up the config for CouchDB file

    (13/29) [START] Setup launchd job system

    (5/29) [END - 0.16 S] Enabling developer mode if necessary

    (9/29) [END - 0.23 S] Preparation of control integrations

    (11/29) [END - 0.16 S] Setting up the config for Redis file

    (12/29) [END - 0.20 S] Setting up the config for CouchDB file

    (13/29) [END - 0.20 S] Launchd jobs system configuration

    Group creation [START] (14/29) for users of service if required

    Saving configuration [START] (16/29)

    (15/29) [START] configuration CouchDB to use all cores

    (14/29) [END - 0.02 S] Creation of service if required users group

    Users of creative services [START] (17/29) if necessary

    (4/29) [END - 0.41 S] Running xcode - select - switch for /Applications/Xcode.app

    (15/29) [END - 0.08] Configuration of CouchDB to use all cores

    (16/29) [END - 0.33 S] Configuration of the recording

    (17/29) [END - 0.52 S] Creation of users of the service if necessary

    Configuration of SSL infrastructure [START] (18/29)

    (18/29) [END - 3.03 S] FAILED: SSL infrastructure Configuration

    Failed: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    Total time: 4.13 seconds

    The service initialization error: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    20 September 15:50:41 Server servermgr_xcode [867]: response: {}

    error = "Xcode Server Configuration has failed (ssl configuration infrastructure)";

    errorCode = "-1";

    errorDomain = ServermgrXcodeErrorDomain;

    errorLocalizedDescription = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    errorLocalizedFailureReason = "failed to install Service in step: Setup ssl infrastructure";

    errorLocalizedRecoverySuggestion = "try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    errorString = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    status = 1;

    }

    20 September 15:50:41 com.apple.xpc.launchd [Server 1] (com.apple.dt.XCSDeviceService [1417]): Service not out 5 seconds after SIGTERM. Sending SIGKILL.

    20 September 15:50:42 Server servermgr_xcode [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 75;

    currentPercentageCompleteRangeMinimum = 20;

    currentStep = "FAILED: SSL infrastructure configuration ';

    error = "Xcode Server Configuration has failed (ssl configuration infrastructure)";

    errorCode = "-1";

    errorDomain = ServermgrXcodeErrorDomain;

    errorLocalizedDescription = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    errorLocalizedFailureReason = "failed to install Service in step: Setup ssl infrastructure";

    errorLocalizedRecoverySuggestion = "try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    errorString = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    percentComplete = 54;

    status = FAILURE;

    }

    This entry is interesting:

    20 September 15:50:41 com.apple.SecurityServer [114 Server]: displaying guest Keychain for Applications/Xcode.app/Contents/Developer/usr/bin/xcscontrol(1421)

    No prompt was displayed at this time. Should I have seen a real Keychain prompt? In any case, this entry seems to be the cause of the problem:

    Failed: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    Help getting the Xcode service back up and running would be much appreciated!

    I had this same problem. I typed the following in the terminal:

    sudo /applications/xcode-beta6.app/contents/developer/usr/bin/xcscontrol --reset

    After the reset, I tried to enable Xcode Server from the macOS Server GUI and it worked.

  • Fichier.conf OTC has no details of the location of the ssl wallet file

    Hi gurus B2B.

    While doing the HTTPS configuration we observed that certain lines were missing in the .conf file located in <Oracle_Home>\Apache\Apache\conf. The lines mentioned below are missing in the OTC .conf but present in the OracleB2B .conf.
    The location of the ssl wallet file is also absent from the TBT .conf file, as mentioned below.
    Can you please let us know why these lines are missing, or whether we have to add these lines manually when we do HTTPS on OTC?




    Listen 4444

    <VirtualHost _default_:4444>

    # General setup for the virtual host
    DocumentRoot "E:\Oracle_b2b\cachehome\Apache\Apache\htdocs"
    ServerName DSCP17506.TechMahindra.com
    ServerAdmin [email protected]
    ErrorLog "|E:\Oracle_b2b\cachehome\Apache\Apache\bin\rotatelogs logs/error_log 43200"
    TransferLog "|E:\Oracle_b2b\cachehome\Apache\Apache\bin\rotatelogs logs/access_log 43200"
    Port 443

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Server Wallet:
    # The server wallet contains the server's certificate, private key
    # and trusted certificates. Set SSLWallet to the wallet directory
    # using the syntax: file:<path-to-wallet-directory>
    SSLWallet file:E:\Oracle_b2b\cachehome\Apache\Apache\conf\ssl.wlt\default

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication, or alternatively one huge file containing all
    # of them (the file must be PEM encoded).
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath conf\ssl.crl
    #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional and require.
    #SSLVerifyClient require

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrarily complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    #   Translate the client X.509 into a Basic Authorisation. This means that
    #   the standard Auth/DBMAuth methods can be used for access control. The
    #   user name is the `one line' version of the client's X.509 certificate.
    #   Note that no password is obtained from the user. Every entry in the user
    #   file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    #   This exports two additional environment variables: SSL_CLIENT_CERT and
    #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #   server (always existing) and the client (only existing when client
    #   authentication is used). This can be used to import the certificates
    #   into CGI scripts.
    # o StdEnvVars:
    #   This exports the standard SSL/TLS related `SSL_*' environment variables.
    #   By default this export is switched off for performance reasons,
    #   because the extraction step is an expensive operation and is usually
    #   useless for serving static content. So one usually enables the
    #   export for CGI and SSI requests only.
    # o CompatEnvVars:
    #   This exports obsolete environment variables for backward compatibility
    #   with Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
    #   to provide compatibility with existing CGI scripts.
    # o StrictRequire:
    #   This denies access when "SSLRequireSSL" or "SSLRequire" applies, even
    #   under a "Satisfy any" situation, i.e. when it applies access is denied
    #   and no other module can change it.
    # o OptRenegotiate:
    #   This enables optimized SSL connection renegotiation handling when SSL
    #   directives are used in per-directory context.
    #SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire
    <Files ~ "\.(cgi|shtml)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "E:\Oracle_b2b\cachehome\Apache\Apache\cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog "E:\Oracle_b2b\cachehome\Apache\Apache\logs\ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>



    Thank you for your help in advance.

    Kind regards
    Priyanka

    Not sure that the CTA is expected to support the entire feature. Please add the entries manually. Let us know.

  • SSL Tunneling Application outgoing failure

    Outgoing SSL Tunneling Application error

    Hello dear colleagues,
    I have a UTM5 with the latest firmware. The unit works fine now with 3 VLANs/subnets, inter-VLAN routing, SSL VPN configuration, etc. I have an interesting question, but probably one that someone else has experienced and solved (I hope).

    The medical practice I have set this up for actually needs an outgoing VPN/SSL tunnel. I enabled the VPN protocols on the UTM, so the initial remote OUTGOING connection goes off flawlessly and allows users to authenticate. My issue is when we try to display the remote Citrix server/published apps page: I get an error "SSL Tunneling Request - Failed to connect to server". I know the issue must be with the ProSecure UTM because I temporarily removed the UTM from the equation, put in a D-Link DIR-655, and the Citrix published apps portal page launches just fine. I am able to launch a published application and it functions normally. I swap the D-Link back for the ProSecure and I get the same issue.

    I really don't understand what prevents the published applications page from launching.

    I'd be more than happy to provide any further information needed to solve this problem.

    Not that it is important, but all endpoint devices are XP SP3/IE8. Then again, it shouldn't matter, since clients can bring up the published page with no problem when the D-Link is used.

    Thank you
    MED

    ADIT, I've really hemmed and hawed over this and managed to get a solution in place. Curious if you have any idea about the Terminal Services licensing issue I ran into, which I'll explain a little.

    So, I disabled HTTPS scanning as you said and it helped the Citrix portal page to come up; however, the user received an application launch failure error when they launched an app on the page. The error said that there are not enough Terminal Server licenses available. I am sure there is no way in hell that all licenses are in use.

    So I completely disconnected from the remote network via SSL-VPN and connected from my home network to this remote site to see if I would get the same result, and I had no problems launching the applications from the portal page... basically no Terminal Server licensing problem. I tried connecting from the ProSecure and received the same error message.

    I wanted to keep HTTPS scanning enabled despite the connection being secure by nature over 443, so I poked around based on your advice and added 4 remote domains to the scan exclusions tab (my eyes completely glazed over during the first 10 times through this (very annoying)). I tested the outgoing connection and it successfully brought up the Citrix portal page, but applications would not launch successfully. I once again received the same Terminal Server licensing error, but we expected it because it didn't work with scanning disabled either.

    So I connected to the remote network and thought that I would allow my client RDP access to his remote desktop. I configured RDP on his Office XP computer and the connection failed. I thought at this stage that it had something to do with trying to RDP through the Microsoft UAG gateway used by the remote site. Rather than trying to work through rule sets with the network support specialist out there, we decided to allow my client to run a Network Connector IP session, which was already enabled on the UAG. This enabled him to successfully RDP to his remote desktop and run any needed applications on the remote network.

    So, it's not what I really wanted to do. I really want to launch individual applications from the locked-down Citrix portal page, but why this Terminal Server licensing issue arose is a mystery to me. The support specialist on the remote side was also stumped. He informed me that he has other clients that connect out through Cisco ASA boxes and they have no problems launching applications from the portal page. Whether you scan 80/443 traffic is not relevant, because I disabled it completely on the UTM and it did not help.

    So any thoughts on that would be great and I once again thank you for your expertise.

  • ASA 8.4(6) "Unable to retrieve or verify CRL"

    Hello

    I have configured our ASA to retrieve a revocation list provided through our Linux certification authority. The CRL is exported via TinyCA as a .crl file and served by Apache.

    The file is accessible by the ASA and so far I see an HTTP 200 (OK). Despite this, I get an "Unable to retrieve or verify CRL".

    The ASA is configured as follows:

    crypto ca trustpoint LINUX-CA-TP
    revocation-check crl none
    enrollment terminal
    crl configure
      policy static
      url 1 http:///issuingca.crl
      no protocol ldap
      no protocol scep

    So I enable debugging and try a "crypto ca crl request LINUX-CA-TP":

    ASA (config)# crypto ca crl request LINUX-CA-TP

    CRYPTO_PKI: CRL is being polled from CDP http:///issuingca.crl.

    Unable to retrieve or verify CRL
    vpn015pi(config)#
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2013 12:49:01 GMT
    Server: Apache/2.2.22 (Ubuntu)
    Last-Modified: Wed, 18 Dec 2013 09:50:20 GMT
    ETag: ...
    Accept-Ranges: bytes
    Content-Length: 1170
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: transaction HTTPGetCRL completed

    I'm a little puzzled. The error doesn't really say where exactly the ASA is failing!

    Thank you

    Hello.

    I know this is a late response, but I found the solution.

    My CA was created with openssl commands and the CRL was copied to the www server. I installed the CA certificate on the ASA and tried to check the CRL. But it failed. This is the debug output:

    CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.crypto_pki_req(0x00007fff2b9e3900, 24, ...)CRYPTO_PKI: Crypto CA req queue size = 1.Crypto CA thread wakes up!CRYPTO_PKI: http connection openedCRYPTO_PKI: content dump count 81----------CRYPTO_PKI: For function crypto_http_sendGET /ca/root-ca/root-ca.crl HTTP/1.0Host: x.x.x.x
    
    CRYPTO_PKI: For function crypto_http_sendCRYPTO_PKI: content dump-------------------
    
    CRYPTO_PKI: HTTP response header: HTTP/1.1 200 OKDate: Wed, 13 Jan 2016 08:10:01 GMTServer: Apache/2.4.7 (Ubuntu)Last-Modified: Tue, 12 Jan 2016 10:12:50 GMTETag: "31c-529204bc05097"Accept-Ranges: bytesContent-Length: 796Connection: closeContent-Type: application/x-pkcs7-crl
    
    CRYPTO_PKI: CRL data2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20 | -----BEGIN X509 ...
    
    CRYPTO_PKI: transaction HTTPGetCRL completedCrypto CA thread sleeps!CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint3. Retrying with next CRL DP...
    Because the CRL file had been downloaded, I checked my CRL with the openssl command on my Linux server:
    openssl crl -inform PEM -text -in crl/root-ca/root-ca.crl Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer:  Last Update: Jan 12 10:09:33 2016 GMT Next Update: Jan 11 10:09:33 2017 GMT CRL extensions: X509v3 Authority Key Identifier:  keyid:E9:5E:25:61:EB:5D:9D:7E:2E:1A:3A:DA:71:B3:7B:C2:55:8D:59:66
    
     Authority Information Access:  CA Issuers - URI:http://x.x.x.x/ca/root-ca/root-ca.cer
    
     X509v3 CRL Number:  1No Revoked Certificates. Signature Algorithm: sha256WithRSAEncryption...
    
    -----BEGIN X509 CRL-----...-----END X509 CRL-----
    I found that the CRL file is in PEM format. And because the other available CRL format is DER, I converted it to DER format and copied it to the www server.
    openssl crl -inform PEM -outform DER -in crl/root-ca/root-ca.crl -out crl/root-ca/root-ca-der.crl
    After that I tried to download the CRL file with my ASA again and it succeeded.
     CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.crypto_pki_req(0x00007fff2b9e3900, 24, ...)CRYPTO_PKI: Crypto CA req queue size = 1.Crypto CA thread wakes up!CRYPTO_PKI: http connection openedCRYPTO_PKI: content dump count 81----------CRYPTO_PKI: For function crypto_http_sendGET /ca/root-ca/root-ca.crl HTTP/1.0Host: x.x.x.x
    
    CRYPTO_PKI: For function crypto_http_sendCRYPTO_PKI: content dump-------------------
    
    CRYPTO_PKI: HTTP response header: HTTP/1.1 200 OKDate: Wed, 13 Jan 2016 08:28:08 GMTServer: Apache/2.4.7 (Ubuntu)Last-Modified: Wed, 13 Jan 2016 08:25:54 GMTETag: "227-52932eb2c1926"Accept-Ranges: bytesContent-Length: 551Connection: closeContent-Type: application/x-pkcs7-crl
    
    CRYPTO_PKI: CRL data30 ...
    
    CRYPTO_PKI: Found suitable tpCRYPTO_PKI: Found suitable tpCRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795CRYPTO_PKI(select cert) subject = ...CRYPTO_PKI: Found a subject match - inserting the following cert record into certListCRYPTO_PKI: Storage context locked by thread Crypto CA
    
    CRYPTO_PKI: inserting CRLCRYPTO_PKI: set CRL update timer with delay: 31455520CRYPTO_PKI: the current device time: 08:30:53 UTC Jan 13 2016
    
    CRYPTO_PKI: the last CRL update time: 10:09:33 UTC Jan 12 2016CRYPTO_PKI: the next CRL update time: 10:09:33 UTC Jan 11 2017CRYPTO_PKI: CRL cache delay being set to: 3600000CRYPTO_PKI: Storage context released by thread Crypto CA
    
    CRYPTO_PKI: transaction HTTPGetCRL completedCrypto CA thread sleeps!

  • Which IOS for SSL VPN

    Dear all,

    I have an ASA 5510 with version 8. I want to know which IOS is for SSL VPN, but I don't know which...

    Please help me...

    HQ-ASA5510# sh flash

    --#-- --length-- -----date/time------ path

    177 14137344 January 1, 2003 00:06:12 asa804-k8.bin
    75 4096 November 21, 2008 12:17:46 log
    79 4096 November 21, 2008 12:18 crypto_archive
    178 7562988 November 21, 2008 12:19:30 asdm-613.bin
    180 4863904 November 21, 2008 12:21:10 securedesktop_asa_3_3_0_129.pkg.zip
    181 4096 November 21, 2008 12:21:10 sdesktop
    188 1462 November 21, 2008 12:21:10 sdesktop/data.xml
    182 2153936 November 21, 2008 12:21:10 anyconnect-win-2.2.0133-k9.pkg
    183 3446540 November 21, 2008 12:21:12 anyconnect-macosx-powerpc-2.2.0133-k9.pkg
    184 3412549 November 21, 2008 12:21:16 anyconnect-macosx-i386-2.2.0133-k9.pkg
    185 3756345 November 21, 2008 12:21:16 anyconnect-linux-2.2.0133-k9.pkg

    For version 7 it says ssl VPN.

    Please help me: which line is the SSL VPN?

    Best regards

    Rechard

    Richard, you already have code that supports SSL webvpn on your ASA.

    See the SSL VPN / WebVPN page for more detailed examples; it provides all the necessary information for any additional/optional plug-ins needed.

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

    Details of sample SSL VPN configurations and types... but all SSL.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml

    What you have in your ASA directory applies to the AnyConnect client, which is also SSL-driven but is a bit different from plain SSL webvpn. I suggest you go to the configuration examples link, which can provide information on the various SSL VPN implementations.

    Regards

  • Clientless VPN SSL certificate

    Hello

    Must a certificate be installed on the client in a clientless SSL VPN configuration for HTTPS traffic?

    Thank you.

    NO - not mandatory; the only cert that is used is the SSL VPN end's. The user must accept it if it's a self-signed certificate (this is normal), or if the cert was signed by the normal authorities, the user will never see the cert.

    HTH

  • SSL VPN authentication using different sequences of identity Sources

    Morning,

    At the moment we have an SSL VPN configuration passing authentication to GBA. This is accomplished by using strong authentication. The GBA Identity Source Sequence is WBS then AD.

    We want to implement on the same firewall a few select users authenticating by AD; they will have a different tunnel-group name when connecting, etc.

    In GBA I'm not sure how I would set up two Identity Source Sequences using the same Service Selection rule. At the moment I have: if RADIUS and IP is XXX then use policy XXX.

    We are currently installing ISE, so in the not too distant future; if ACS cannot do this, can ISE?
    If it's confusing I can expand where necessary.
    Thank you

    S

    Hello

    I don't know how it looks on GBA, but on ISE it's flexible.

    The rule is simple:

    If the RADIUS request comes from a device of type ASA, then check the tunnel-group-name attribute (146) and, based on its string value, choose the LOCAL or AD store.

    hope this helps

    regards
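The rule described in the answer above, as an added Python example that is not from this thread or from Cisco: it parses the Cisco Tunnel-Group-Name VSA (vendor-specific attribute 146 under vendor id 9) out of a RADIUS Access-Request and picks the LOCAL or AD store from it. The policy table, user names and packet bytes are constructed for illustration, and the fallback store for unknown groups is an assumption.

```python
import struct

RADIUS_ATTR_VSA = 26            # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9             # IANA enterprise number for Cisco
CISCO_VSA_TUNNEL_GROUP_NAME = 146

# Constructed policy table: which tunnel-group authenticates against which store.
STORE_BY_TUNNEL_GROUP = {"AD-Users": "AD", "Admins": "LOCAL"}
DEFAULT_STORE = "AD"            # assumption: unknown groups fall back to AD

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20                    # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def tunnel_group_name(packet):
    """Return the Cisco Tunnel-Group-Name string, or None if the VSA is absent."""
    for atype, value in parse_attributes(packet):
        if atype != RADIUS_ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]   # vendor-type, vendor-length (incl. these 2 bytes)
        if vtype == CISCO_VSA_TUNNEL_GROUP_NAME and vlen == len(value) - 4:
            return value[6:].decode("utf-8", "replace")
    return None

def select_identity_store(packet):
    """The rule from the answer: pick LOCAL or AD from the tunnel-group name."""
    return STORE_BY_TUNNEL_GROUP.get(tunnel_group_name(packet), DEFAULT_STORE)

def build_request(tunnel_group, user="alice"):
    """Constructed Access-Request carrying User-Name and the Cisco VSA (test input)."""
    name = tunnel_group.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_VSA_TUNNEL_GROUP_NAME,
                      2 + len(name)) + name
    attrs = (bytes([1, 2 + len(user)]) + user.encode()
             + bytes([RADIUS_ATTR_VSA, 2 + len(vsa)]) + vsa)
    # Code 1 = Access-Request; the authenticator is zeroed since nothing is verified here.
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs
```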

  • RDP ActiveX clientless SSL VPN on Windows 8.1

    Hi all

    I have a 5510 Sec with a clientless SSL VPN configured. We have a few pre-configured bookmarks and prevent users from opening their own URLs. We have the RDP plugin rdp_09.11.2012.jar installed.

    When a user running Windows 8.1 clicks one of the bookmarks, they receive a message from IE that Java is not installed. In all other scenarios I tested (WinXP + IE8, IE10 + Win 7, IE11 + Windows 7), clicking on the bookmark starts the ActiveX plugin.

    How do I make this work on Win 8.1 + IE11? It feels like a client-side setting.

    Thank you.

    Hello.

    First of all, IE11 is not officially supported by the ASA yet.

    REF. http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

    But if you put the 'portal' in a compatibility mode you should be able to use the ActiveX again.

    In Internet Explorer click Tools and search for Compatibility Mode settings.

    In addition, you must use the 'Desktop' version of IE and not the Metro one.

    Best regards, Søren.

  • URL access via SSL VPN

    Dear members

    Please see the diagram for an easy understanding of the issue.

    I am facing a problem with the SSL VPN configured on ASA 5520. Here's the simple network topology.

    The customer has an ERP server in the inside segment, which is running Apache/Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is

    http://192.168.2.1:8204/system/servlet/login

    The ASA connects to a router in parallel, which has a remote-access VPN configured on it. Cisco VPN client users can access this URL easily when they connect via VPN; also, if I create a static translation for this IP 192.168.2.1, the full URL is accessible from the outside. But the problem is with SSL VPN: when I enter the URL, nothing appears and the session expires; however, if I just enter http://192.168.2.1:8204, the Apache/Tomcat page opens, meaning that through SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.

    Here Apache on the ERP server is listening on a nonstandard port, which could be the reason; do I need to create port forwarding or "smart"?

    I already tried with port forwarding, but that has not solved the problem.

    Any input from your side will be highly appreciated.

    Thank you

    Ahad

    Hi Ahad,

    When you access the server (http://192.168.2.1:8204/system/servlet/connectionURL) from the inside, does the URL in the browser address bar remain the same? Or does it redirect?

    Is there a Java applet on the login page?

    Now, there are several things to try:

    -do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via webvpn) page and compare - does that provide any clue?

    -You can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor approved by Cisco) to see exactly what is happening on top of the SSL tunnel (i.e. it will show you the HTTP request from the browser to the server and the response). Again, you can do this for both the working and the failing case to compare.

    -as a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.

    HTH

    Herbert

  • Clientless SSL VPN w / RDP

    I have a clientless SSL VPN configuration for a user and am trying to use the RDP plugin with a bookmark. I have a bookmark configured for rdp://, but when the user clicks on it, a web page opens with an "unable to display" message and a URL like https://.plugins./rdp/index.HTML?target=rdp://?csco_lang=en. If the user clicks on the Terminal Servers button and then manually selects rdp:// and enters the IP address of the server, it works fine.
    Any thoughts?

    ASA v8.0 (4)

    Hello

    It seems that you have enabled the option "smart tunnel" for the RDP bookmark. Plug-ins are not supported with smart tunnels and can cause the error you see.

    Could you please make sure that the smart tunnel option is disabled and let us know if you still see this problem?

    Thank you

    Steve.

  • SSL VPN from the inside on the outside interface

    Hi all

    First of all, I know that I can enable SSL on the inside interface, but that's not what I need or want.

    Scenario:

    Several interfaces and VLANs on the ASA (running 8.0.5).

    SSL VPN configured and enabled on the external interface.

    I need to know if it is possible to access the SSL VPN from other interfaces directly at the outside interface's IP address, something like a hairpin.

    A possible solution (if it exists) with or without NAT (I have public IPs on some interfaces).

    This will be useful for users who can connect from any interface (inside, outside, or other), and with only one DNS record I'll be able to manage everything.

    Regards

    PS: Is DNS doctoring an option? In the tests that I have done, this does not work.

    Post edited by: rcordeiro

    Hello

    Unfortunately, it is not possible. You cannot communicate with an ASA interface which is not directly connected through the firewall.

    Kind regards

    NT
