Question about Phase 2 of the VPN

Hello

I'm AEK. I am facing a problem in the 2nd phase of the VPN between two ASAs. The issue is that the tunnel is up, but in the second phase the traffic is encrypted but not decrypted, waiting for NAT-T. What could be the issue? Please let me know.

Hello

Without any specific info, the problem could also be that the remote end simply has not allowed the connections you are attempting through the L2L VPN. In this case, you wouldn't see any traffic from the remote end. In other words, there could be a missing ACL rule at the remote end.

Do you have control of both ASAs? Can you share any configuration or log messages related to the problem?

-Jouni

Tags: Cisco Security

Similar Questions

  • Failure of the Phase 2 of VPN

    Hello

    I'm trying to set up a new VPN between Site A and Site b.

    It passes the first phase, but throws an error in the second phase. I will attach the error message.

    The Site A firewall currently has another VPN that works so far, so I suspect the problem lies in the config of Site B.

    Thanks in advance

    PFS does not match.

    Site A: you have 'crypto map outside_map 2 set pfs group1'.

    Site B: you have 'crypto map outside_map 4 set pfs' ---> which defaults to group 2 for PFS.

    Change one to match each other.

    Hope that solves this problem.

  • Question about the phase-out of the VCAP

    Hello

    I just recently had my VCP5 and I plan to start studying for my VCAP but I noticed the following thread: Re: VCAP exams is being gradually...

    It is, will change the goals, etc.? This would affect me if I got my VCAP-DCA in the meantime? If I have to spend another review for the VTC VCIX or just change the title?

    Thank you

    Jake

    It is only the new track of virtualization of network which includes the new VCIX element at the moment - he there is no news on the existing VTC, DT, and tracks of cloud.

    So, for now I continue as planned to the VCAP-DCA or VCAP-DCD (you don't tell you you're aiming for)

  • We have laptops in the field who use VPN to connect. How can I get these systems to update our DNS when they connect to the VPN?

    Our mobile sales are part of a domain but not connected to our network. Cached credentials are used to connect outside the office. Once they connect and view their desktops, they select the card from Verizon and use it to connect to our network via a VPN connection. These generally to enter an IP address but the router that connects and not from our DHCP server. This usually means that updates to our DNS servers are not always instantaneous (or update at all).

    When they are done for the day, they just close the lid of the laptop and it goes into 'sleep' mode. The next day, they open the lid and no login is necessary, but they do not need to reconnect to the VPN through their cards from Verizon. How can I configure my DNS to update more frequently, or maybe have these laptops issue an "ipconfig /registerdns" command?

    We have to connect to these systems in the field and it is almost impossible, unless we call the sales person and ask them their IP. We have more than 350 laptops in the field, then this makes it almost impossible to update all the.

    Hello

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for Windows XP on Technet. Please post your question in the Technet forums. You can follow the link to your question:

  • connection error, try using the citrix via a VPN LT2P connection connection - worked on last week

    I use a VPN connection to my work which then uses citrix to load the applications. I am able to dial in the VPN but citrix says to check the network connection - seems to want to use internet which is incorrect. It worked last week - has an update from microsoft has changed a setting?

    Hi CherylFreeman,
     

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums as it is linked to a virtual private network. It is better suited for the IT Pro TechNet public.

    Please ask your question in the Forums Pro Windows XP IT.

    You can also contact the Support of Citrix.

  • error on the remote desktop and VPN connections

    Unable to connect using desktop remote or VPN. remotes can't find the computer at home on the network and the VPN gives me an 800 error code. I used the remote desktop, but it says my work computer isn't on this network and the VPN connection fails. We checked everything using remote assistance, but it becomes too hard and not responses. Help!!!!!!!!!!!!!!!!!!!

    Hello

    Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public.
    Please post your question in the TechNet Windows XP category.
    Here is the link:
    http://social.technet.Microsoft.com/forums/en-us/itproxpsp/threads
     
    I hope this helps.
    Thanks and regards,
    Shekhar S - Microsoft technical support.

    Visit our Microsoft answers feedback Forum and let us know what you think.
    If this post can help solve your problem, please click the 'Mark as answer' or 'Useful' at the top of this message. Marking a post as answer, or relatively useful, you help others find the answer more quickly.

  • How to use the library of Extension VPN

    Hello!

    I'll expand VPN enforcement using the library of Extension VPN. I already tried some time ago, but had no direct mechanism to develop and libvpn_ext library is not available on a simulator.

    I will use the library to open the VPN connection with a solution programmatically open source vpn, OpenVPN probably at the beginning.

    So question is, can I develop some app using this library for this application and then publish app on AppWorld?

    Thank you.

    I looked into the available VPN APIs, and they are not sufficient to set up your own VPN client. So it is not possible to do what you describe. I am not sure why we have listed what we do on our developer site. They do not seem to offer enough to do something useful and would probably just mislead developers, as has happened here. They may eventually be removed. If I find more is coming I'll respond here, but it doesn't seem anything is imminent.

  • Remote access to the site to site VPN

    We currently have a site-to-site VPN set up on a direct line between our two data centers. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.

    I've recently implemented a remote access VPN at site A. Remote access VPN clients can access all of the resources behind the ASA at site A without problem. However, strange things happen when they try to contact site B.

    I have set up corresponding NAT exemptions on each side of the connection. The remote site reported no abnormalities. When a remote VPN client attempts to connect to site B, the only errors that appear are on the ASA at site A. When a remote client attempts to connect to a host at site B, the following error appears in the log:

    %ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

    I have the exemption following NAT set up on site A:

    access-list sheep; 3 elements
    access-list sheep line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)
    access-list sheep line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)
    access-list sheep line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)

    I have been working on this for a few days now and am hesitant to open a TAC ticket. I've seen a few similar questions on the forums, but have found none with a working solution. I tried to follow the technical notes on Cisco's web site for a similar configuration, but had no luck.

    Also, I enabled same-security-traffic for both intra-interface and inter-interface.

    Any help would be appreciated.

    With the ASA as the hub, is this your topology? If so, try the suggestions below.

    Inside 10.1.1.0/16 Net

    Net 172.16.0.0/28 - net through Tunnel L2L 10.0.0.0/16 end DS3

    VPN RA Net 10.3.0.0/24

    For RA clients to reach hosts at the far end of the L2L tunnel, you will need an exemption (sheep) rule applied to the ds3 interface.

    Based on the log:

    %ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

    Try this

    no scope list ip 10.3.0.0 access test allow 255.255.255.0 10.0.0.0 255.255.0.0

    test the ip 10.0.0.0 allowed extended access list 255.255.0.0 10.3.0.0 255.255.255.0

    test access list 0 Tan (ds3)

    On the far end of the tunnel (spoke), allow the RA network from the ASA hub in the interesting traffic.

    Let us know how it works.

    Regards

  • Several subnets in the site to Site VPN

    Hi guys,
    I would like to set up a site-to-site VPN tunnel with several subnets. I could not find a configuration that fits my problem. I hope you can help me with the solution.
    You can find my network design attached to this topic.
    This is my setup on the ASA:

    (1) NAT exemption for network traffic going to the site-to-site VPN
    nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
    nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0

    (2) Access list with the traffic to encrypt
    object-group network 192.168.10.0
     network-object 192.168.10.0 255.255.255.0

    object-group network 192.168.15.0
     network-object 192.168.15.0 255.255.255.0

    object-group network 192.168.38.0
     network-object 192.168.38.0 255.255.255.0

    object-group network 192.168.31.0
     network-object 192.168.31.0 255.255.255.0

    object-group network STSVPN-LOCAL
     group-object 192.168.10.0
     group-object 192.168.15.0

    object-group network STSVPN-US
     group-object 192.168.38.0
     group-object 192.168.31.0

    access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US

    (3) Phase 1 proposal
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 14
     prf sha256
     lifetime seconds 86400

    (4) Phase 2 proposal
    crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
     protocol esp encryption aes-256
     protocol esp integrity sha-256

    (5) Tunnel group
    tunnel-group 4.4.4.4 type ipsec-l2l
    tunnel-group 4.4.4.4 general-attributes
     default-group-policy GrpPolicy-STSVPN-US
    tunnel-group 14.4.4.4 ipsec-attributes
     ikev2 remote-authentication pre-shared-key abcd
     ikev2 local-authentication pre-shared-key abcd

    Group policy
    group-policy GrpPolicy-STSVPN-US internal
    group-policy GrpPolicy-STSVPN-US attributes
     vpn-filter value STSVPN-US
     vpn-tunnel-protocol ikev2

    (5) Crypto map
    crypto map CM-STSVPN 10 match address STSVPN-US
    crypto map CM-STSVPN 10 set peer 4.4.4.4
    crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
    crypto map CM-STSVPN interface INT-STSVPN
    crypto ikev2 enable INT-STSVPN
     
    /////////////////////////////////////////////////////////////////////

    The router configuration:

    (1) SA part

    crypto ikev2 proposal ki2.PROP
     encryption aes-cbc-256
     integrity sha256
     group 14
    crypto ikev2 policy ki2.POL
     proposal ki2.PROP
    crypto ikev2 keyring KR1
     peer ASALAB
      address 2.2.2.2
      pre-shared-key local abcd
      pre-shared-key remote abcd
    crypto ikev2 profile ki2.PROF
     match identity remote address 2.2.2.2 255.255.255.255
     identity local address 4.4.4.4
     authentication remote pre-share
     authentication local pre-share
     keyring local KR1

    (2) Transform set

    crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
     mode tunnel

    (3) Access list

    ip access-list extended ACL.VPNIKE2
     permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255

    (5) Crypto map

    crypto map CM.VPN 30 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS.VPN2
     set pfs group14
     set ikev2-profile ki2.PROF
     match address ACL.VPNIKE2
     
    //////////////////////////////////////////////////////////////////////

    This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.

    192.168.31.0 subnet cannot communicate with 192.168.10.0
    192.168.38.0 subnet cannot communicate with 192.168.15.0

    Hello Jay,

    I went through the configuration of the two devices and noticed a few errors in the configuration of the ASA. Details here:

    (1) The access list configured for VPN traffic is named ACL_STSVPN-US; however, the match address configured on the crypto map uses an object-group name instead:

    crypto map CM-STSVPN 10 match address STSVPN-US

    You must change this setting to avoid any problems with the traffic negotiation:

    no crypto map CM-STSVPN 10 match address STSVPN-US

    crypto map CM-STSVPN 10 match address ACL_STSVPN-US

    (2) You also have the same error on the configured VPN filter. However, you could not use the access list ACL_STSVPN-US for the VPN filter, since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured from the remote networks (router) to the local networks (ASA). It will look something like this:

    access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL

    group-policy GrpPolicy-STSVPN-US attributes
     vpn-filter value VPN_filter

    Keep in mind that a VPN filter consists of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. If you want to use the IP protocol, the filter will not make a difference.

    (3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it to the ASA crypto map or remove it from the router.

    ASA:

    crypto map CM-STSVPN 10 set pfs group14

    Router:

    crypto map CM.VPN 30 ipsec-isakmp
     no set pfs group14

    Hope this helps you bring up the tunnel,

    Luis.
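The three checks from the answer above (crypto map and VPN filter must name an access list, PFS must agree on both peers) can be automated before a change goes live. The following is an added example, not code from the thread: the two config excerpts are constructed in ASA and IOS syntax from the names used in the posts, and the function names are hypothetical.

```python
import re

# Constructed ASA lines, reduced to what points (1)-(3) of the answer touch.
ASA_CONFIG = """\
object-group network STSVPN-LOCAL
object-group network STSVPN-US
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
"""

# Constructed IOS lines for the router side of the same tunnel.
ROUTER_CONFIG = """\
ip access-list extended ACL.VPNIKE2
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set pfs group14
 match address ACL.VPNIKE2
"""


def defined_names(config):
    """Return (access-list names, object-group names) defined in the config."""
    acls, groups = set(), set()
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["access-list"] and len(words) > 1:
            acls.add(words[1])                  # ASA: access-list NAME ...
        elif words[:3] == ["ip", "access-list", "extended"] and len(words) > 3:
            acls.add(words[3])                  # IOS: ip access-list extended NAME
        elif words[:2] == ["object-group", "network"] and len(words) > 2:
            groups.add(words[2])
    return acls, groups


def acl_references(config):
    """Return (keyword, name) for every place the config expects an ACL name."""
    refs = []
    for line in config.splitlines():
        if line.strip().startswith("no "):      # negated commands reference nothing
            continue
        for keyword, pattern in (("match address", r"\bmatch address (\S+)"),
                                 ("vpn-filter", r"\bvpn-filter value (\S+)")):
            m = re.search(pattern, line)
            if m:
                refs.append((keyword, m.group(1)))
    return refs


def pfs_group(config):
    """Return the PFS group ('default' if none is named), or None when PFS is off."""
    for line in config.splitlines():
        if line.strip().startswith("no "):
            continue
        m = re.search(r"\bset pfs(?:\s+(group\d+))?\s*$", line)
        if m:
            return m.group(1) or "default"
    return None


def lint(asa, router):
    """List reference errors on each peer and any PFS disagreement between them."""
    findings = []
    for label, config in (("ASA", asa), ("router", router)):
        acls, groups = defined_names(config)
        for keyword, name in acl_references(config):
            if name not in acls:
                kind = "an object-group" if name in groups else "undefined"
                findings.append(f"{label}: {keyword} {name} is {kind}, not an access-list")
    asa_pfs, router_pfs = pfs_group(asa), pfs_group(router)
    if asa_pfs != router_pfs:
        findings.append(f"PFS mismatch: ASA={asa_pfs} router={router_pfs}")
    return findings


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG, ROUTER_CONFIG):
        print(finding)
```
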

  • Question about the lifetime of the IPSec Security Association

    Hi all

    I'm confused about the lifetime. One book says that you should keep the lifetime of the two peers exactly the same, otherwise you cannot establish the tunnel. But I saw another book that says you can use different lifetimes (time interval or byte count), and the two peers will choose the lower one.

    Please help me. Thanks in advance.

    Banlan

    There are two lifetimes involved with IPSec: Phase 1 (ISAKMP) and Phase 2 (IPSec) connections.

    With the Phase 1 tunnel, if the initiator has a longer lifetime than the responder, the responder does not accept the connection, so it is certainly preferable to keep your Phase 1 lifetimes the same.

    For Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so it is not as serious. It is still advisable to keep the lifetimes the same, since you can run into negotiation issues with devices from different vendors.

  • Inside Source NAT from the remote host and VPN from Site to Site

    Hi all

    I was in charge of the construction of a vpn tunnel with a firewall PIX of our business partner company and ASA of the other company of the firewall.  Traffic will be A partner business users will access my company Citrix server.  I want to source-pat the user traffic partner company to PIX of my business within the interface to its entry in my LAN to access my company Citrix server.  The partner company will be PAT'ing their traffic from users to a single ip address - Let's say for discussion end is 65.99.100.101.  There is the site to site vpn configuration, and configure nat be performed to allow this traffic in accordance with the above provisions.

    I'm more concerned about the accuracy of the configuration of the domain encryption because NAT is involved in this whole upward.  My goal is to NAT (of the other company company a) ip address to a routable ip address in my company network.

    The fundamental question here is should I include the ip address of real source (65.99.100.101) of the company the user or IP natted (10.200.11.9) in the field of encryption.

    In other words, should the encryption domain look like this:

    OPTION A.

    permit ip host 10.200.11.103 65.99.100.101

    OR

    OPTION B

    permit ip host 10.200.11.103 10.200.11.9

    I'm inclined to think it should look like OPTION A. Here's MY COMPANY's part of the complete VPN configuration. I've also attached a diagram illustrating this topology.

    Thanks in advance,

    Adil

    CONFIG BELOW

    ------------------------------------------------
    #################################################
    Object-group Config:
    #################################################

    object-group network COMPANY_A_NETWORK
     description company network access my company A firm Citrix
     network-object host 65.99.100.101

    object-group network MYCOMPANY_CITRIX_FARM
     description farm Citrix accessible Takata by Genpact
     network-object host 10.200.11.103

    ################################################
    Config of encryption:
    ################################################

    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    ********************************
    CRYPTO MAP
    ********************************

    crypto map Outside_map 561 match address Outside_561_cryptomap
    crypto map Outside_map 561 set peer 55.5.245.21
    crypto map Outside_map 561 set transform-set ESP-3DES-SHA

    ********************************
    TUNNEL GROUP
    ********************************

    tunnel-group 55.5.245.21 type ipsec-l2l
    tunnel-group 55.5.245.21 ipsec-attributes
     pre-shared-key * 55.5.245.21

    *******************************
    CRYPTO DOMAIN
    *******************************

    access-list Outside_561_cryptomap extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

    ###########################################
    NAT'ing
    ###########################################

    global (inside) 9 10.200.11.9
    nat (outside) 9 access-list genpact_source_nat outside
    access-list genpact_source_nat extended permit ip host 65.99.100.101 any
    access-list genpact_source_nat extended permit ip host 65.99.100.102 any

    ! For not NATting the IP address of the Citrix server
    access-list Inside_nat0 extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

    You must include the pre-NAT IP 65.99.x.x in your crypto map, as you did.

    For me, the config you provided here looks good and meets your needs.

    One thing: I do not see the actual nat 0 rule here, but the ACL for that NAT is there. Probably you just forgot this rule.


  • Phase 2 tunnel not coming up between Watchguard and PIX 525

    Hi people,

    Can you please help me find out where the problem lies? Currently I am trying to establish a VPN tunnel between the PIX firewall and a Watchguard. All settings on the two devices are the same, but the Phase 2 tunnel is not coming up.

    Here is the fix:

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500

    Exchange OAK_MM

    ISAKMP (0): processing KE payload. Message ID = 0

    ISAKMP (0): processing NONCE payload. Message ID = 0

    ISAKMP (0:0): payload detected NAT - D

    ISAKMP (0:0): NAT does not match hash MINE

    received hash: b3 8f bb 0 93 3 b 65 e8 35 54 6 c4 cc 59 6f 6f

    My nat hash: dd 9 70 35 58 40 ac da 3 b 5 b 1 b 4 c 87 d2 11 fc

    ISAKMP (0:0): payload detected NAT - D

    ISAKMP (0:0): NAT does not match THE hash

    received hash: ba 72 c5 e 5 b fb 88 f0 1e ba c9 c6 c1 cc 8A f7

    its nat hash: c 4 c 89 a5 66 dd 80 76 48 3f f0 56 ed b0 a5 c1

    ISAKMP (0:0): built HIS NAT - D

    ISAKMP (0:0): built MINE NAT - D

    to return to the State is IKMP_NO_ERROR

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500

    Exchange OAK_MM

    ISAKMP (0): processing ID payload. Message ID = 0

    ISAKMP (0): HASH payload processing. Message ID = 0

    ISAKMP (0): SA has been authenticated.

    ISAKMP: Created a struct 212.37.17.43, peer port 37905 peer

    ISAKMP: Lock struct UDP_ENC crypto_ikmp_udp_enc_ike_init 0x3cbb634, 1

    ISAKMP (0): ID payload

    next payload: 8

    type: 2

    Protocol: 17

    Port: 0

    Length: 23

    ISAKMP (0): the total payload length: 27

    to return to the State is IKMP_NO_ERROR

    ISAKMP (0): send to notify INITIAL_CONTACT

    ISAKMP (0): sending message 24578 NOTIFY 1 protocol

    Peer VPN: ISAKMP: approved new addition: ip:212.37.17.43/4500 Total VPN peer: 16

    Peer VPN: ISAKMP: ip:212.37.17.43/4500 Ref cnt is incremented to peers: 1 Total VPN peer: 16

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500

    ISAKMP (0): processing NOTIFY payload Protocol 24578 1

    SPI 0, message ID = 3168983470

    ISAKMP (0): treatment notify INITIAL_CONTACT

    to return to the State is IKMP_NO_ERR_NO_TRANS

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500

    Exchange OAK_QM

    oakley_process_quick_mode:

    OAK_QM_IDLE

    ISAKMP (0): treatment ITS payload. Message ID = 484086886

    ISAKMP: Check IPSec proposal 1

    ISAKMP: turn 1, ESP_3DES

    ISAKMP: attributes of transformation:

    ISAKMP: Life Type SA in seconds

    ISAKMP: Lifetime of HIS (basic) of 28800

    ISAKMP: Type of life HIS enKo

    ISAKMP: Lifetime of HIS (basic) 32000

    ISAKMP: program is 61433

    ISAKMP: authenticator is HMAC-MD5

    ISAKMP (0): atts are not acceptable. Next payload is 0

    ISAKMP (0): Security Association is not acceptable!

    ISAKMP (0): 14 NOTIFY message protocol sending 0

    to return to the State is IKMP_ERR_NO_RETRANS

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500

    ISAKMP: phase 2 package is a duplicate of a previous package

    ISAKMP: last reply reference

    ISAKMP (0:0): sending of NAT - T vendor ID - rev 2 & 3

    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500

    ISAKMP: phase 2 package is a duplicate of a previous package

    ISAKMP: last reply reference

    crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500

    ISAKMP (0): processing NOTIFY payload Protocol 36136 1

    SPI 0, message ID = 287560609

    ISAMKP (0): DPD_R_U_THERE received from the peer 213.210.211.82

    ISAKMP (0): sending message 36137 NOTIFY 1 protocol

    to return to the State is IKMP_NO_ERR_NO_TRANSdebug

    ISAKMP (0): retransmission of the phase 1 (0)...

    Thank you

    Ismail

    Hello

    From the debug, it seems that the parameters are not the same on the devices:

    ISAKMP (0): atts are not acceptable. Next payload is 0

    Please check the Phase 2 settings and also make sure that you have PFS disabled on the Watchguard.

    * Please rate if helped.

    -Kanishka
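To see which Phase 2 attribute a peer offered before the "atts not acceptable" rejection, the Quick Mode part of such a debug can be parsed and compared with the local policy. This is an added example, not code from the thread: the sample lines are constructed in standard PIX debug wording from the values visible in the post, and LOCAL_POLICY is a hypothetical local transform set, since the PIX configuration is not shown.

```python
import re

# Constructed sample: standard PIX "debug crypto isakmp" wording, values from the post.
DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (basic) of 32000
ISAKMP:      encaps is 61433
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
"""

# Hypothetical local Phase 2 policy (assumption: 3DES with SHA-1 HMAC, PFS off).
LOCAL_POLICY = {"cipher": "ESP_3DES", "authenticator": "HMAC-SHA", "pfs_group": None}

PREFIX = re.compile(r"^ISAKMP\s*(?:\(\S+\))?\s*:\s*")


def parse_offers(debug_text):
    """Return one dict per 'transform N' block with the attributes the peer offered."""
    offers, current, life_type = [], None, None
    for line in debug_text.splitlines():
        body = PREFIX.sub("", line.strip())
        if m := re.match(r"transform (\d+), (\S+)", body):
            current = {"transform": int(m.group(1)), "cipher": m.group(2),
                       "authenticator": None, "pfs_group": None,
                       "encaps": None, "lifetime": {}, "rejected": False}
            offers.append(current)
        elif current is None:
            continue                            # lines before the first transform
        elif m := re.match(r"SA life type in (\w+)", body):
            life_type = m.group(1)              # unit for the next duration line
        elif (m := re.match(r"SA life duration \(\w+\) of (\d+)", body)) and life_type:
            current["lifetime"][life_type] = int(m.group(1))
        elif m := re.match(r"authenticator is (\S+)", body):
            current["authenticator"] = m.group(1)
        elif m := re.match(r"group is (\d+)", body):
            current["pfs_group"] = int(m.group(1))   # present only when PFS is offered
        elif m := re.match(r"encaps is (\d+)", body):
            current["encaps"] = int(m.group(1))
        elif body.startswith("atts not acceptable"):
            current["rejected"] = True
    return offers


def mismatches(offer, local):
    """Attributes of the peer's offer that differ from the local Phase 2 policy.

    Lifetimes are parsed but not flagged: per the lifetime answer on this page,
    Phase 2 settles on the lower of the two values.
    """
    return [key for key in ("cipher", "authenticator", "pfs_group")
            if offer[key] != local[key]]


def explain(debug_text, local):
    """Return (transform number, mismatched attributes) for each rejected offer."""
    return [(offer["transform"], mismatches(offer, local))
            for offer in parse_offers(debug_text) if offer["rejected"]]


if __name__ == "__main__":
    for number, diff in explain(DEBUG, LOCAL_POLICY):
        print(f"transform {number} rejected, differs in: {', '.join(diff) or 'nothing parsed'}")
```
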

  • Cannot access the internal resources for VPN site-to-site

    We have two ASA.  We set up just VPN site-to-site.  For some reason, we are not able to access internal resources at the main office of the remote office.  Do you have any suggestions?  Thank you.

    As wu suggested, please first confirm that the tunnel is up correctly:

    "sh cry isa sa" -> will tell you if Phase 1 is in place

    "sh cry ips sa" -> will tell you if Phase 2 is in place

    Now, once they are up, when you ping from site A to site B,

    you should see encaps at site A and decaps at site B for traffic from A to B, and vice versa for the return traffic.

    Now we have to see where it is failing.

    It could be that the packet is reaching the ASA but not getting encrypted, or that the packet does not reach the ASA itself.

    You can run packet-tracer to see if it's getting encapsulated, or in other words hits the VPN tunnel.

    It might be a NAT problem, and sometimes, if it is a new configuration, the ISP may have blocked the ESP traffic in one direction or the other.

    The best approach is to turn on "management-access inside" on the firewall and do a sourced ping from the ASA:

    ping inside
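The encaps/decaps reasoning in the answer above, which also applies to the "encrypted but not decrypted" question at the top of this page, can be turned into a small check over the counters from both peers. This is an added example, not code from the thread: the excerpts are constructed in the layout of "show crypto ipsec sa", the subnets are sample values, and it assumes the counters only reflect a test flow started at site A.

```python
import re

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

# What each outcome points to, following the causes named in the answers on this page.
HINTS = {
    "no-mirrored-sa-at-b": "site B has no SA with mirrored selectors for this flow",
    "a-not-encrypting": "traffic never enters the tunnel at A: check NAT exemption, "
                        "the crypto ACL, or whether the packet reaches the ASA at all",
    "lost-a-to-b": "A encrypts but B never decapsulates: ESP (or UDP 4500 with NAT-T) "
                   "is dropped on the path toward B",
    "b-not-replying": "B decapsulates but encrypts nothing back: look at B for a "
                      "missing ACL rule or NAT exemption",
    "lost-b-to-a": "B encrypts replies but A never decapsulates: ESP is dropped on "
                   "the path toward A",
    "ok": "both directions are passing through the tunnel",
}


def sample(local, remote, encaps, decaps):
    """Build a constructed excerpt for one SA (sample data, not captured output)."""
    return (
        f"      local ident (addr/mask/prot/port): ({local}/0/0)\n"
        f"      remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )


def parse_sas(show_output):
    """Map (local net, remote net) -> {'encaps': n, 'decaps': n} for each SA listed."""
    sas, ident = {}, {}
    for line in show_output.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = COUNTER.search(line)
        if m and "local" in ident and "remote" in ident:
            key = (ident["local"], ident["remote"])
            sas.setdefault(key, {"encaps": 0, "decaps": 0})[m.group(1)] = int(m.group(2))
    return sas


def diagnose(site_a_output, site_b_output):
    """Return {(local, remote) as seen from A: outcome code} for a flow started at A."""
    a_sas, b_sas = parse_sas(site_a_output), parse_sas(site_b_output)
    results = {}
    for (local, remote), a in a_sas.items():
        b = b_sas.get((remote, local))          # B's view has the selectors swapped
        if b is None:
            code = "no-mirrored-sa-at-b"
        elif a["encaps"] == 0:
            code = "a-not-encrypting"
        elif b["decaps"] == 0:
            code = "lost-a-to-b"
        elif b["encaps"] == 0:
            code = "b-not-replying"
        elif a["decaps"] == 0:
            code = "lost-b-to-a"
        else:
            code = "ok"
        results[(local, remote)] = code
    return results


if __name__ == "__main__":
    lan_a, lan_b = "192.168.10.0/255.255.255.0", "192.168.31.0/255.255.255.0"
    # Site A encrypts, site B decrypts but sends nothing back.
    outcome = diagnose(sample(lan_a, lan_b, 25, 0), sample(lan_b, lan_a, 0, 25))
    for flow, code in outcome.items():
        print(flow, code, "-", HINTS[code])
```
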

  • [JDev12.1.2, ADF, GlassFish 4] A few questions on the tutorial of Shay "Deploy Oracle ADF Essentials Applications to Glassfish"

    Hallo (Shay),

    I want to deploy my application Web ADF to GlassFish that is installed on a different server from the development computer.

    The application interacts with a MS SQL Server database.

    I have some doubts/questions on the tutorial of Shay https://blogs.oracle.com/shay/entry/deploying_oracle_adf_applications_to

    So far in the development phase, I have deployed the application only to the JDeveloper-integrated WebLogic Server on the development computer.

    Creating a connection pool

    • I could successfully create a connection pool only by copying the sqljdbc4.jar library into the C:\glassfish4\glassfish\lib directory. Is this OK or should the library remain in C:\glassfish4\glassfish\domains\domain1\lib?
    • Is there a way to hide the password in the additional properties?
    • Is there any setting for the property should do (especially for MS SQL Server)? For example, somewhere I read that the isolation of transactions should be set to read uncommitted... but I did not understand why.
    • What is the difference between types java.sql.DataSource resources and java.sql.XADataSource?

    In JDeveloper application configuration

    • Since the beginning of development, the local configuration of the Application Module has had the data source name (JDBC data source) set to java:comp/env/jdbc/MyDatabase_DB_SQLServerDS. If I change this field value to jdbc/<name_of_jdbc_resource_created_in_GlassFish>, as in Shay's tutorial, it is no longer possible to run the application in JDeveloper (i.e. using the JDeveloper-integrated WebLogic server). Why? What's wrong?
    • JDeveloper offers only GlassFish 3.1 as a choice of deployment platform, but I'll use GlassFish 4. Could this cause problems?

    Taking care of the libraries used by the application

    • In the project properties, under Libraries and Classpath, there are a few additional libraries I've used in the application. These are JAR files I put in C:\JDeveloper\lib. Do I copy these libraries to the production server? If yes, where?

    Other questions

    • What is the difference between putting a library in the lib of GlassFish folder and put it in the folder lib of Domain1?
    • Deployment procedure used by Shay in his tutorial might also be used to deploy the application on a remote production server?
    • Is there a way to manually deploy an application, for example by manually copying the project folder under GlassFish?
    • My final goal is as follows. I want a clean setup that allows me (1) to continue to run the application in JDeveloper on its built-in WLS, (2) to test the application on the GlassFish that I have installed on the development computer and (3) to deploy the application on the remote production server. Could you help me do that?

    These are a lot of questions.

    I thank in advance all the users who want to respond and I hope that the answers to these questions will help also others.

    Ciao,.

    Federico

    Federico - most of your questions is generic Glassfish questions that do not specifically have anything to do with ADF - I recommend that you post on the forum of Glassfish. (Or read the Glassfish documentation for things like the difference between directories and deployment/admin console).

    >>

    • Since the beginning of development, the local configuration of the Application Module has had the data source name (JDBC data source) set to java:comp/env/jdbc/MyDatabase_DB_SQLServerDS. If I change the value of this field to jdbc/, as in Shay's tutorial, it is no longer possible to run the application in JDeveloper (i.e. using the JDeveloper-integrated WebLogic server). Why? What is the problem?

    This is because JDeveloper uses an integrated WebLogic when you run, and therefore cannot use the Glassfish data source.

    I suggest that you make this change only when you go to deploy on Glassfish.

    >>

    • JDeveloper offers only GlassFish 3.1 as a choice of deployment platform, but I'll use GlassFish 4. Could this cause problems?

    We don't know, as the matrix of certification for the ADF will show that we have not tested/certified this combination.

    Oracle JDeveloper and ADF 12 c (12.1.3) supported systems

    >>

    • In the project properties, under Libraries and Classpath, there are a few additional libraries I've used in the application. These are JAR files that I put in C:\JDeveloper\lib. Do I copy these libraries to the production server? If yes, where?

    Use the properties of project-> libraries and class path to add the jar or create a library and add it to your project.

    Make sure that this library is deployed by default.

    >>

    • Deployment procedure used by Shay in his tutorial can also be used to deploy the application on a remote production server

    Yes

    > Is there any property setting should do (especially for MS SQL Server)?

    Oracle ADF business with several databases components

  • question on the smart card's mutual authentication process

    I have a question about the process to authenticate each other between the smart card and the host application.

    Basic knowledge
    As far as I understand, the host application uses the KMC to derive the static keys of the card, and with this set of keys the host application creates the set of session keys. It uses this session key set to verify the card cryptogram and generate the host cryptogram.

    A similar process is carried out by the card, the difference being that the static keys are stored in the smart card's vault during the personalization phase of the issuer security domain. It sends the card cryptogram to the host application.

    Framework
    I'm trying to go through this process manually. I play the role of the host application and I have the necessary cryptographic functions (Triple DES and MAC) at hand.

    Question
    I'm trying to calculate the MAC (card cryptogram) as described in section 5.4.1 of the CPS v1.1 (EMV card), but I can't reproduce the card cryptogram sent to me using the reference.
    Is there more than one MAC function (in theory), and does this MAC function vary from one card manufacturer to another?

    Thanks in advance
    Best regards
    JDL

    There may be something in the API c# BouncyCastle (I don't do much dotnet so I have not tried) http://www.bouncycastle.org/csharp/

    The MAC is relatively simple. There is a loop where you encrypt one block of data at a time (as opposed to the entire input) and feed the result of one iteration into the next as the ICV (initial chaining vector). The original ICV value is all 0x00.

    Cheers,
    Shane
