Secure RPC - DH authentication without NIS ??

I need to set up NFS mounts between two Solaris 10 boxes and one Sol9 box, but we need the ability to have users in more than 16 groups. My first round of digging leads me to believe we need to use Secure NFS/RPC. But which flavor of authentication? We're trying to minimize impact on the users and the administrators here.
The DH auth. sounds simpler to me - a straightforward PKI exchange. It has to be easier than using the Kerberos auth. But all the doc. for setting up DH says it uses NIS/NIS+, and that is going away. And I can't see any reference to the DH key maps being migrated into LDAP.
Is there any other way to set up DH authentication for Secure RPC without using NIS(+)? Static files would even be acceptable.
thanks,
Don M.

Hi Garth
I have exactly the same problem as the one you've described.
Did you find any solution?
Thanks
Terence

Similar Messages

  • Connecting Using SSL Authentication Without Username and Password

    Hi,
    We're on RedHat Linux 4.0 using 10.2.0.3 (server/client). We're trying to figure out a way to connect to the database using instantclient and JDBC-OCI and SSL authentication without using a username or password. According to the documentation this should be possible, but no sample code is given.
    LD_LIBRARY_PATH is set to /opt/app/oracle/product/10.2.0/db_1/lib:/usr/lib:/home/oracle/instantclient, where the instantclient was installed from the 10.2.0.1 client software, and we are using JDK version 1.6.0_03.
    We're also referencing the following paper:
    http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf
    We've got our client and server wallets configured and the sample code we tried looks like this:
    import java.sql.*;
    import java.io.*;
    import java.util.*;
    import java.security.*;
    import oracle.net.ns.*;
    import oracle.net.ano.*;
    import oracle.jdbc.*;
    import oracle.jdbc.pool.*;
    import oracle.jdbc.pool.OracleDataSource;

    public class SslTest {
        public static void main(String[] argv) throws Exception {
            DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
            // The Oracle PKI provider is needed to read the SSO wallet files below
            Security.addProvider(new oracle.security.pki.OraclePKIProvider());
            System.setProperty("oracle.net.tns_admin",
                "/opt/app/oracle/product/10.2.0/db_1/network/admin");
            String url = "jdbc:oracle:thin:@orcl";
            java.util.Properties props = new java.util.Properties();
            props.setProperty("oracle.net.authentication_services", "(TCPS)");
            // Trust store: the server wallet; key store: the client wallet holding the client cert
            props.setProperty("javax.net.ssl.trustStore",
                "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/server/cwallet.sso");
            props.setProperty("javax.net.ssl.trustStoreType", "SSO");
            props.setProperty("javax.net.ssl.keyStore",
                "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client/cwallet.sso");
            props.setProperty("javax.net.ssl.keyStoreType", "SSO");
            props.put("oracle.net.ssl_version", "3.0");
            props.put("oracle.net.wallet_location",
                "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client)))");
            System.out.println("At Here...");
            OracleDataSource ods = new OracleDataSource();
            // No user/password on purpose: the client certificate is meant to identify the user
            //ods.setUser("scott");
            //ods.setPassword("tiger");
            ods.setURL(url);
            ods.setConnectionProperties(props);
            System.out.println("At Here1...");
            Connection conn = ods.getConnection();
            System.out.println("At Here2...");
            Statement stmt = conn.createStatement();
            ResultSet rset = stmt.executeQuery("select 'Hello Thin driver SSL "
                + "tester ' from dual");
            while (rset.next())
                System.out.println(rset.getString(1));
            rset.close();
            stmt.close();
            conn.close();
        }
    }
    When this code is compiled and run, the following error is thrown:
    Exception in thread "main" java.sql.SQLException: invalid arguments in call
    at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
    If a username and password are supplied, the code works. So does anyone have a working example of using SSL to authenticate without supplying a username/password?
    Thanks
    mohammed

    Hi,
    I just solved this. I noticed from another thread that I was not using the OCI driver (see below):
    String url = "jdbc:oracle:thin:@pki14";
    Once I changed it to:
    String url = "jdbc:oracle:oci:@pki14";
    The code worked perfectly. One more setting that you'll have to do is to create the user you want to connect as externally:
    create user scott identified externally as
    'CN=acme, OU=development, O=acme, C=US';
    grant connect,create session to scott;
    Note that the DN should be the same as the SSL certificate that you created in your wallet.
    hth
    mohammed

  • 802.1x Machine Authentication without AD

    Hello,
    I'm new to 802.1x security, and I'm wondering if it's possible to do Windows machine authentication without an Active Directory?
    Thanks,
    Dan.

    Hi,
    Windows machine authentication requires machine credentials, and these credentials can only exist in AD.
    What you can do is authenticate the machine using its MAC address (MAC authentication bypass). For this you only need to configure mab on the switch, make sure the client does not speak dot1x, and create the user with username/password = MAC address on the RADIUS server.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Securing RPC services with TCP Wrappers

    Hello All,
    I have a two-node cluster running Solaris 10. Since SVM needs a few RPC services like metad, metamedd and metamhd, I don't want to disable them. But at the same time, I want to block them from the outside world.
    But the readme page of TCP Wrappers (http://www.sunfreeware.com/README.tcpwrappers) says "The wrappers do not work with RPC services over TCP. These services are registered as rpc/tcp in the inetd configuration file". And other internet sources say the same. So my question is: is this still valid? Or is it possible to filter RPC services using TCP Wrappers?
    When I tested this with the following entries in /etc/hosts.allow and /etc/hosts.deny, my two nodes did not give any trouble after a couple of reboots. SVM is working fine. So I wonder whether the RPC services are really blocked (other than from the local host) or not.
    Content of /etc/hosts.deny
    ===========================
    rpcbind: ALL : severity debug
    rpc.metad: ALL : severity debug
    rpc.metamhd: ALL : severity debug
    rpc.metamedd: ALL : severity debug
    rpc.metacld: ALL : severity debug
    Content of /etc/hosts.allow
    =======================================
    rpcbind: KNOWN : severity debug
    rpc.metad: localhost : severity debug
    rpc.metamhd: localhost : severity debug
    rpc.metamedd: localhost : severity debug
    rpc.metacld: localhost : severity debug
    Any hints/information regarding this will be really appreciated.

    Hello Mark,
    Sorry that I missed thanking you in your last post.
    If I get it right, the rpcbind program is used to maintain a table of dynamically allocated ports for RPC-based services.
    From the internet: "The file /etc/rpc contains a list of network services. Typically, when a remote machine wants to connect to one of those services on your machine, it first issues a query to the rpcbind program running on your computer. It knows the name of the services it wants to connect with, but doesn't know what port number to use. Your rpcbind will respond with a port number. The remote host will then attempt a connection to the specified port."
    Also, note that blocking rpcbind doesn't block access to the /etc/rpc services altogether. It does block access for those programs which do an rpcinfo query in order to reach those services. So other possible ways also exist to make a remote connection without querying. Here lies the problem. I want to secure the RPC services completely.
    Coming to metad, it is true that ldd shows nothing related to libwrap*. But inetadm tells a different story:
    inetadm -l /network/rpc/meta | grep -i wrap
    default tcp_wrappers=TRUE
    So encapsulating with tcpd should work for metad and the other RPC services, I believe.
    What is your opinion on this?
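    Added example, not code from the thread: a Python model of the TCP Wrappers decision order (hosts.allow first, then hosts.deny, otherwise allow) applied to the two files posted above, so you can check which daemon/client pairs those entries would admit if libwrap were consulted. It assumes a constructed peer node 192.0.2.10 with a resolvable name and one unresolved address; hostname lookup is simulated, not performed.

```python
"""Model of the TCP Wrappers (libwrap) access decision, applied to the
hosts.allow / hosts.deny entries from the thread.

libwrap evaluates, in order:
  1. first matching entry in hosts.allow  -> access granted
  2. otherwise first matching entry in hosts.deny -> access denied
  3. otherwise -> access granted
Only the daemon and client lists decide; option fields such as
"severity debug" only affect logging and are ignored here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the two files posted in the thread.
HOSTS_ALLOW = """\
rpcbind: KNOWN : severity debug
rpc.metad: localhost : severity debug
rpc.metamhd: localhost : severity debug
rpc.metamedd: localhost : severity debug
rpc.metacld: localhost : severity debug
"""
HOSTS_DENY = """\
rpcbind: ALL : severity debug
rpc.metad: ALL : severity debug
rpc.metamhd: ALL : severity debug
rpc.metamedd: ALL : severity debug
rpc.metacld: ALL : severity debug
"""

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Client:
    address: str
    hostname: Optional[str]  # None models a peer whose address has no reverse DNS


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Return (daemon_list, client_list) per entry; fields after the second ':' are options."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts.allow/deny entry: {line!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(token: str, client: Client) -> bool:
    """Match one client-list token (wildcard, name, address or pattern) against the peer."""
    if token == "ALL":
        return True
    if token == "KNOWN":            # address resolves to a name
        return client.hostname is not None
    if token == "UNKNOWN":
        return client.hostname is None
    if token == "LOCAL":            # name without a dot
        return client.hostname is not None and "." not in client.hostname
    if token.endswith("."):         # network prefix, e.g. "10.1."
        return client.address.startswith(token)
    if token.startswith("."):       # domain suffix, e.g. ".example.test"
        return client.hostname is not None and client.hostname.endswith(token)
    if token == "localhost":        # the thread's rules rely on this name; loopback addresses count
        return client.address in LOOPBACK or client.hostname == "localhost"
    return token in (client.address, client.hostname)


def rule_matches(rule, daemon: str, client: Client) -> bool:
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(t, client) for t in clients)


def decide(daemon: str, client: Client,
           allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> str:
    """Return 'allow' or 'deny' as libwrap would for this daemon/client pair."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"  # no entry in either file: wrappers default to open


if __name__ == "__main__":
    me = Client("127.0.0.1", "localhost")
    peer = Client("192.0.2.10", "node2.example.test")  # constructed: the other cluster node
    unresolved = Client("198.51.100.7", None)         # constructed: no reverse DNS
    for daemon, client in [("rpc.metad", me), ("rpc.metad", peer),
                           ("rpcbind", peer), ("rpcbind", unresolved)]:
        print(f"{daemon:<12} from {client.address:<15} -> {decide(daemon, client)}")
```

    Under these rules every rpc.meta* daemon is denied to the peer node, so a cluster that keeps working with them in place is a sign that the wrapper check is not being applied to that traffic.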

  • Running LDAP without NIS: Does it work?

    Is anyone out there using Netscape Directory Server without NIS (extensions)?
    We are planning on going to an LDAP solution for logons, etc. Everything I am reading is saying that Solaris needs to use the NIS extensions for NIS maps. This makes sense for that purpose. Then they are making it sound like from there you go to straight LDAP. I would like to skip that intermediate step and go straight to LDAP.
    And if all of that works, how do automount and NFS work with that type of solution?
    Thank you for any help,
    K. Murphy

    The NIS extensions are a bit confusing to understand. Solaris supports native LDAP authentication in two ways:
    1) Solaris can directly authenticate against an LDAP directory (no NIS involved).
    2) For those clients which support NIS but do not support LDAP (machines with old versions of Solaris or maybe non-Sun boxes), Solaris will act as a NIS server (such that the client communicates via NIS and doesn't use LDAP) but the NIS server really uses LDAP.
    The NIS extensions for Solaris are for implementing method #2. If you are using method #1 then you should not install the NIS extensions.
    Only certain versions of Solaris work with method #1. What version of Solaris are you running? What version of iPlanet Directory Server were you planning to use?
    Michael Haines and Tom Bialaski of Sun have jointly authored a book on this topic (I think it's called "Solaris Native LDAP" - it's one of the Sun "Blueprints" series books) and Michael has written a pretty good script (which is so verbosely commented that it's also highly educational to read) which automates the configuration of the directory and the Solaris clients (configures them to bind to the directory), but the last version I had supported iDS 4.12 & 4.13 - not iDS 5.x (maybe he's got a revision by now).
    Regards
    Tim

  • Nokia Belle - EAP-PEAP authentication without Cert...

    It's time for my half-yearly bickering about the still-missing support for EAP-PEAP authentication without server certificates on Symbian phones.
    Here is my last thread begging for help from Nokia when Anna was released.
    /t5/Software-Updates/EAP-PEAP-Authentication-without-Certificate-Is-it-fixed-in/td-p/1072133
    My question remains the same. Does the new Nokia Belle support EAP-PEAP authentication without the requirement that a server certificate be present?
    I have been living a life of ridicule and have become an object of jokes and punchlines in the office when it comes to the phone that I carry. A lot of people now don't even know that there is a company called Nokia. And when I tell them about it they say "Are you the guy carrying the phone that does not connect to our corporate network?".
    If you read that earlier thread you know that none of the exotic workarounds that some have been able to do work with my office, as our network administration has not installed any server certificate whatsoever on the access point.
    I am fed up with hearing from Nokia techs that this is supposed to be the secure and right way of doing things. When every other device, every smartphone, tablet, laptop supports this way of connecting to an EAP-PEAP access point, why does Nokia have to keep this stance?
    Nokia has kept everything open on the Nokia N8; it has everything that anyone can ask for in a smartphone, so why is Nokia so adamant on this small matter of not requiring a server certificate?
    Now that the WP7 line of Lumia devices is in the market, can someone tell me if the problem exists on those phones too. I won't be surprised if this restriction is still there.
    With Nokia going downhill so fast, it does not help to have this kind of attitude towards diehard Nokia followers.
    Can someone from Nokia tech say once and for all if I can ever expect this thing to be fixed?
    raman

    ramany wrote:
    What should be an appropriate title for this thread? There was an older thread for the same that I started six months back when Anna was released. So I was expecting something to happen with Belle.
    If nothing happens I will probably start a new one when future updates to Symbian in Clara, Donna, Emma, Florina, Georgia, Hanna, Isabelle, Jenna, Kate, Linda, Marie, Nancy, Olivia, Patty, Quinn, Rita, Sabina, Terry, Uma, Vega, Wyome, Xandra, Yetta and Zoe are released.
    I hope Symbian (Nokia) lasts that long, but that the support for this comes in Belle.
    I see no jokes yet... come on guys, isn't anyone subjected to jokes because of this?
    At least give me some so I can feed more to the ones going around.
    Well, I believe the example of EAP-TTLS + PAP authentication isn't 'without certificates'... it does use certificates, but EAP-TTLS + PAP just doesn't happen to be a supported authentication method with recent Symbian phones.
    I'm not any sort of wireless authentication guru, but there's probably a better, more precise description of the authentication support (probably a few methods) that's currently missing in Symbian.
    And a couple more details for some wireless authentication methods... I believe Windows users typically have to grab a third-party 'securew2' utility to support some of the more robust (read better, more secure) authentication methods for some networks.
    I think one of the more valid arguments for EAP-TTLS + PAP in general, is that I believe it may be part of the 'Eduroam' standard, although MSCHAPv2 may also be substituted for PAP, IIRC... but again, I'm not a wireless authentication guru.
    In any case, if well-known, widely-implemented (or soon to be implemented, for good reason) authentication methods aren't supported in Symbian, it just makes Symbian look a bit ridiculous and irrelevant.
    Your previous thread was quite good, and it may make sense to keep bumping that thread for updates periodically. I noticed that someone mentioned an MSCHAPv2 scenario in that thread, but again... that's not actually helpful for resolving EAP-TTLS + PAP support, and I think that there's probably a concise way to describe the current 'missing authentication methods support' in Symbian.
    It continues to baffle me how Nokia seems to have such a quiet, secretive presence on these forums, when I think it would make much more sense to publicly acknowledge relevant threads/discussions, and make a statement about planned fixes, updates, etc... rather than just have people wonder if/when Nokia is paying any attention to the discussions here.

  • How do I change my security questions and answers without setting up a new account. I can't remember the answers to the questions that they ask.

    How do I change my security questions and answers without setting up a new account. I can't remember the answers to the questions that they ask.

    1. See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities.
    2. Here are two different but direct methods:
        a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
        b. Call Apple Support in your country: Customer Service: Contacting Apple for support
            and service.
    3. For other queries about Apple ID see Frequently asked questions about Apple ID.
    4. Rescue email address and how to reset Apple ID security questions
    5. For online assistance use Apple - Support - Express Lane

  • Network security:LAN manager authentication level setting on GPO

    Hi,
    We have a requirement from the project team to change one of the security settings on the default domain policy for all computers in the domain. Below is the security setting which we need to modify.
    computer configuration-->windows settings-->security settings-->local policies-->security options-->
    Network security: LAN manager authentication level
    This setting needs to be changed to "Send LM & NTLM - use NTLMv2 session security if negotiated".
    The project team is facing an issue with an Apache web server and they found the solution at the link below (we have tested this by changing the local group policy and the solution works as expected).
    https://www.sysaid.com/Sysforums/posts/list/9065.page
    We need to know what the impact is after enabling this on domain computers.
    We need help on this to go ahead.

    Hi,
    you have weaker domain security overall. "LM Hash Generation: The algorithm introduces several weaknesses that attackers can exploit. First, all lowercase characters are set to uppercase, reducing the number of possible characters. Second, it splits a long, strong password into two seven-character chunks. Both the LM and NTLM protocols operate essentially the same way; the only difference is the password hash."
    REF: The Most Misunderstood Windows Security Setting of All Time
    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no warranties and confers no rights.

  • Is there any way to change the security on multiple pdfs without having to open each pdf in acrobat ?

    Hi all
    Is there any way to change the security on multiple pdfs without having to open each pdf in acrobat ?

    Hi Gilad
    Thanks for the reply
    I'm not sure how to create an action I have Acrobat Pro 8.
    My company would love if I could make it as a batch file or some exe so that each file doesn't have to be opened in Acrobat

  • What does IPSec mean under Security - AAA - Radius - Authentication

    I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
    The Cisco Wireless LAN Controller Configuration Guide 5.1 says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature. The default value is unchecked."
    What exactly is meant by IP security mechanism?
    Does this mean that I can terminate VPN clients on my WLC?
    Take note that this option appears even though no crypto card is installed in my controller.

    This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
    HTH,
    Steve

  • Weblogic.security.acl.realm.authentication... Exception

    Hello All
    The reason I'm moving a post/question from JMS to this section is that people there suggested it. Anyway,
    when I tried to use an applet which implemented MessageListener to send a message, I got the following exception (port 7001 had been granted connect, resolve in java.policy):
    javax.naming.AuthenticationException [root exception is java.lang.SecurityException:Authentication
    for user admin denied in realm webogic start server side trace: java.lang.SecurityException:Authentication
    for user admin denied in realm weblogic at weblogic.security.acl.Realm.authentication(Realm.java
    212) at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java 233) at weblogic.security.acl.internal.Security.authenticate(Security.java
    135) at weblogic.kernel.bootSevicesImp.authenticat(BootServicesImp.java 119) at
    weblogic.kernel.ExecuteThread.run(ExcuteThread.java:120 ..
    My question is: why do servlets, Swing, or other applications outside an applet not generate such exceptions even though most of the code is similar? How do I deal with this?
    Thanks
    John

  • Windows Live ID Web Authentication without consent page

    I'm using Windows Live authentication in an ASP.NET MVC website. When a new user signs in using the Windows Live sign-in for the first time they are taken to a consent page. This page asks the user if they would like to give the site access to their profile and contacts list. If they say yes they are then taken to my homepage. However if they say no then they are still taken to the homepage but the sign-in fails.
    My goal here is to remove the consent page and not allow my site access to any of the user's profile information, but still have a successful sign-in. All I need is the unique ID returned for each user. I'm aware that there is a scope variable that can be set to change how much information the user is being asked to give access to. I'm not sure how to set this scope to zero or remove it entirely. It seems like scope = wl.signin is the lowest form of access?
    Is there a way to use Windows Live authentication without bringing the user to the consent page at any point in time? Or is this not possible?

    I've bumped up the timeout, which was originally at the default of 5 minutes, but not to the point where it would cover an entire workday. We do have some users who expect to connect once and then be done even if the next time they use it may be hours later. I'm being asked if there is a method that will allow for an authentication mechanism without the need for a username/password (or certificate, or MAC filtering, etc...). My first thought was that really isn't possible, but thought I would check here to see if anyone had other ideas.
    Thanks,
    Ken

  • Teststand switch step without NISE software installed

    Is it possible to run a sequence with switch steps on a PC without NISE installed? Is there a run-time engine or something?
    kph

    In order to access a NISE virtual device from TS you will need to have the NISE virtual device present in MAX, and therefore you will need at least the deployment version of NISE installed on the machine.

  • HT201240 How can I change my Apple ID password security questions and answers without providing a rescue email address?

    How can I change my Apple ID password security questions and answers without providing a rescue email address?

    Click here for information. If you can't reset them through the method described in that article, contact the iTunes Store staff via the link in the 'Additional Information' section.

  • Basic authentication without a secure connection

    Hello!
    I'm developing a Java, Struts, Tomcat application.
    An authentication dialog (see screenshot) appears when I want to open a page from another server via my application.
    Is there any way to pass the username and password (attach it to the link, or put it in the session/request) so it won't be necessary to fill in the dialog? How?
    Regards

    The above answer is apt....
    As an example u can use the following code:
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;
    final String login = "XXXX";
    final String password = "XXXX";
    try {
        // Answer every HTTP Basic challenge from this JVM with the same credentials
        Authenticator.setDefault(new Authenticator() {
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(login, password.toCharArray());
            }
        });
    } catch (SecurityException e) {
        e.printStackTrace();
    }
