Accessing Active Risk Manager (ARM) folder security markings through Risk Performance Manager

Hello folks,
I am building custom reports in RPM to display ARM data but am struggling to get a security label assigned to the reports.
In the standard reports the security label changes according to the risks inputted but I can't see the wood for the trees in the expression used!
Any hints or tips?
Many thanks,
Christian

Hi sea_lene,
In Reporting Services, each subreport instance is a separate query execution and a separate report processing task. So it the performance should be an issue. To improve the performance, we can consider changing the dataset query in the main report by using
one of the following mitigation strategies:
Collect data in a data warehouse and use the data warehouse as a data source for a single dataset.
Use SQL Server linked servers and write a query that retrieves data from multiple databases.
Use the OPEN ROWSET capability to specify different databases.
References:
Troubleshooting Reports: Report Performance
More tips to improve performance of SSRS reports
Hope this helps.
Thanks,
Katherine Xiong
Katherine Xiong
TechNet Community Support

Similar Messages

Accessing files stored in a folder on portal through application

Hi
I have to access the files that are stored in the folder in "irj" folder on portal, through one link.
the path i gave is:
<a href= "http://myserver:12345/irj/<folder name>/<file name>">
but it is not taking this path and gives the error that requested resource not found.
Can anybody please help in this regard, whether this way is correct or have to specify the path in some other format.
Thanks & regards,
Anupreet

Hi,
as Dieter stated implicitely, irj/root on the file system is the "root" folder when calling .../irj via http. There is no access to the irj folder by default.
On NW04, the mapped folder in fact is ...\cluster\server0\apps\sap.com\irj\servlet_jsp\irj\root (so there are two irj folders, the second counts).
Hope it helps
Detlev

Access Denied Error For Shared Folder with Win Server 2008R2 Task Manager Scheduled Task

Hi,
I have scheduled a Task with the Task scheduler. It invokes an .EXE file after every 5 min.
The application is supposed to access some files lying on a different Server's shared path, process them and move them across folders on the Shared path only.
Problem: When the .EXE gets executed from the Task scheduler, I am getting "Access Denied to the Shared path" error. I have already given Full Control to Everyone as well as to the Account with which the Task has been configured with.
Another important point to note is, if I run the .EXE manually, the solution is able is able to do everything intended; I don't get any Access Denied error.
Kindly help me with what needs to be done in order that this issue is resolved. This is really urgent for me.
Thanks a lot in advance..
AC

Hello Alex,
first of all, make sure your task was correctly create: How to Create Advanced Tasks with the Task
Scheduler.
Please, read these:
TechNet Library Task Security Context
TechNet Forums post How
does "Run with the highest privileges" really work in Task Scheduler ? - Look at the answer "...When you want to run a program with admin rights from a standard user account, you have to select "run whether the user is logged
on or not" and select a user which is member of the admingroup."
TechNet Forums post
Log on as batch job right (written on previous post)
serverfault Task Scheduler is not executing the program
serverfault
unable to schedule a task (access denied)
UAC: Do you receive the User Account Control "Windows need your permission to continue" message to approve the scheduled application ?
If yes, maybe "Run with highest privileges" option will not take precedence of the UAC. While the Admin Approval Mode for built-in Administrator account is enabled, UAC will still ask for approval according to the settings on the Behavior
of elevation to prompt for the administrators. Check whether the "User Account Control: Admin Approval Mode for built-in Administrator account" is enabled. If yes, disable it or change the setting on "User Account Control: Behavior
of elevation to prompt for the administrators" to elevate without prompting.
Local Computer Policy ---> Computer Configuration ---> Windows Settings ---> Security Settings ---> Local policies ---> Security Options (source: Task
Scheduler "run with highest privileges": does not work on Windows Server 2008 ?)
Bye,
Luca
Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

Exception while accessing web service secure through web services Manager

Hi All,
I deployed sime Hello World web service on JWSDP1.6 and secure it through web service manager(gateway) using Certificate based security.But when I try to access this web service using JWSDP client,I got the following Error while monitoring the soap messages through TCP-Monitor:
/////////////////////////////////Request///////////////////////////////////////////////////////////////
POST /gateway/services/SID0003009 HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 5631
SOAPAction: ""
User-Agent: Java/1.5.0_05
Host: ivy.cs.ucl.ac.uk:8082
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
<wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
////////////////////////////////Response///////////////////////////////////////////////////////////////
HTTP/1.1 100 Continue
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Date: Wed, 09 Aug 2006 12:28:47 GMT
HTTP/1.1 500 Internal Server Error
Date: Wed, 09 Aug 2006 12:28:47 GMT
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Content-Type: text/xml
Transfer-Encoding: chunked
157
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
0
So basically, what I am doing here as follows:
HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
I would appreciate if someone could tell me the cause of this errror.Thanks.
Kashif

time to look into the gateway logs as stated by the fault ..
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
looks like the cipher step might have failed

Talent Management - Performance Management

Hi all,
I want to know if there is possible to setup different appraisal forms (VA) for different personnel groups (like executives, managers, analists, etc.). I have make the customizing but only one form is used to evaluate all employees.
Thanks in advance.
P.D.: We have ECC 6.0 with Enhancement Package 4, and Enterprise Portals with Business Package 1.41.

Hi Abe,
need more information. If you are talking about the talent assessment forms (potential, risk, derailers, etc) than you can only have 1 form active at a time.
if you are talking about performance management - you than need to decide if your talking about predefined performance management or flexible performance mgmt.
Predefined performance management only allows for 1 template active at a time.
Flexible - you can do anything.

Performance Management Architect doesn't display applications

Hi,
I am reading through the Performance Management Architect Administrators Guide (System 11 release) from Oracle trying to figure out how to work with Hyperion Planning and Essbase. First of all, is the Architect just a fancy name for certain functions in Workspace? Because the documentation describes accesssing Archictect through the Workspace Navigate options. Second, the Application Library is defined in the documentation as "A summary of applications that have been created and/or deployed to Financial Management, Planning, Profitability and Cost Management, Essbase Aggregate Storage Option (ASO), or Essbase Block Storage Option (BSO)." It also says I can create Planning applications here as well.
I follow the directions to access the Application Library - When in Workspace, I go to Navigate > Administer > Application Library, a new tab comes up, but there is nothing in the tab. It is completely blank. I have created several Planning applications, including initializing the Sample Application that comes with the Planning installation. I can view this application from Workspace or the Planning Web-app. Does anyone know why it is not showing up in the Application Library? If I want to build my own outline and define dimensions and members to create a planning applicaiton that works with my own sample data, where do I go to do this?
Thanks.

Hi,
The planning applications that you have created maybe classic planning applications so you won't see them in the EPMA application library. There are two methods of managing planning applications either the classic method or through EPMA.
You can create a new planning application through EPMA or you can upgrade one of your classic applications to an EPMA version.
Cheers
John
http://john-goodwin.blogspot.com/

Performance management controls

What specific controls should an auditor be looking for when looking for effective performance management of business critical oracle databases? I.e. what clues would indicate a good performance management process, what would indicate a poor performance management strategy?

This Oracle doc will be helpful
http://www.oracle.com/technetwork/database/audit-vault/learnmore/twp-security-auditperformance-166655.pdf

Oracle Performance Management doubts

Hi All,
I have some questions related to Oracle performance management and hope they will get answered over here:-
Que1. The weight of all objective should be 100 but in my case it is allowing any value. What I need to do to restrict it?
Que2. Can we do objective setting and Appraisal process simultaneously? That would be allocate objective and rating in parallel?
Que3. When and how the rating provided by manager would reflect in the Performance (People --> Assignment --> other --> Performance) widow and what would be the effective date. I have completed all setup and process but the final rating is still not available.
Que4. What is difference between Talent management, Performance management and Workforce performance Management?
Que5. When I include the Appraisal in the PMP and select the Appraisal template (that just has final rating) and click on the "Go to Task" against "Manage appraisals" (to initiate it) I do not see anything. Do we/manager need to create plan every time using the link Appraisal.
Sorry for asking too many questions.
Thanks,
Avinash

Que1. The weight of all objective should be 100 but in my case it is allowing any value. What I need to do to restrict it?
ANS : This is a seeded one. If you want to restrict it you have to customize the page.
Que2. Can we do objective setting and Appraisal process simultaneously? That would be allocate objective and rating in parallel?
ANS : There is a checkbox "Allow Objective Setting outside of the period" (something like that).
Que4. What is difference between Talent management, Performance management and Workforce performance Management?
ANS: AFAIK, Oracle Talent Management and Oracle Performance Management are same. Prior to Oracle Performance Management, the module name was Oracle Talent Management.
Que5. When I include the Appraisal in the PMP and select the Appraisal template (that just has final rating) and click on the "Go to Task" against "Manage appraisals" (to initiate it) I do not see anything. Do we/manager need to create plan every time using the link Appraisal.
ANS : You can schedule the concurrent program, "Mass Appraisal Creation".
Hope it helps!.
MAK

Competency Weight age- Oracle Performance Management

Dear All,
We are in the process of implementing Oracle Performance Management (12.1.3 Ver), these are following scenario we need to address. Kindly post your advice .
1.     We have 4 Objective ( Objective-1, Objective-2, Objective-3 and Non-Bonus able Objective) for all the employees with weigh age. We need to restrict the weight age and the sum of all the Objective weight age should not exceed 35% . (EX: Obj 1+ Obj 2 + Obj 3+ Non-Bonus able = 35%). How to achieve this?
2.     We have 4 Mandatory competency and for which we need to provided weight age for each competency ( Ex: Communication Skill -20% weight age & Team work – 30%) How to achieve this?
3.     Our final rating works as, Objective Rating + Competency Rating ( Final Score = Objective Rating + Competency Rating). How to achieve this?
4.     We have another requirement like we need to Tag Absenteeism Rating ( Please see the below rating scale) along with the Final Appraisal rating . I am furnishing the Rating details
Excel----------Never Absent and always punctual.
Achieved----Never absent but late in or early out with prior permission.
Partial ------ Deduction of 5%     Few Absent or late in or early out without prior permission or advance intimation.
Not Achieved ----- Deduction of 10%     Multiple Absent or late in or early out with no permission at all.
Please let me know if you need more information
Thanks and Regards
Suresh Subramaniyam

Que1. The weight of all objective should be 100 but in my case it is allowing any value. What I need to do to restrict it?
ANS : This is a seeded one. If you want to restrict it you have to customize the page.
Que2. Can we do objective setting and Appraisal process simultaneously? That would be allocate objective and rating in parallel?
ANS : There is a checkbox "Allow Objective Setting outside of the period" (something like that).
Que4. What is difference between Talent management, Performance management and Workforce performance Management?
ANS: AFAIK, Oracle Talent Management and Oracle Performance Management are same. Prior to Oracle Performance Management, the module name was Oracle Talent Management.
Que5. When I include the Appraisal in the PMP and select the Appraisal template (that just has final rating) and click on the "Go to Task" against "Manage appraisals" (to initiate it) I do not see anything. Do we/manager need to create plan every time using the link Appraisal.
ANS : You can schedule the concurrent program, "Mass Appraisal Creation".
Hope it helps!.
MAK

Error On configuraing Performance Management Process

hi all,
I am able to create Pre-define Performance Management template. but after that, on configuring Performance Management Process i am getting follwoing error on click on SAVE button.
A process already exists in the time period entered
Thanks and Regards,
Jayesh Talreja

Hi Team,
Please let me know, if any one of you have any suggestions?
Thanks and Regards,
Jayesh Talreja

MSS Performance Management Error

Hi All,
I created MSS Performance Management iView in Portal. In this Page trying to create Appraisal Doucment and getting ESS Appraisal Docuemnt Page. Not getting Proformance Management Appraisal Page when clicking the button "Create".
I have done all the configurations as per SAP notes
1468466 Performance Management Launchpad Configuration
1463821 Performance Management Portal Configuration
1416756 OBN Configuration in Performance Management
1408243 Configuration for object-based navigation
Please help to resolve the issue.
Thanks
Risha

Hi,
In MSS Performance Management I am not getting error. While "Create" appraisal template through popup window getting ESS Appraisal Document window. It is pointing to this application HAP_START_PAGE_POWL_UI_ESS.
In SE80 , the create button pointing to "hap_main_document" application.
We need two iViews and I created new iViews for MSS - Performance Management(HAP_START_PAGE_POWL_UI_MSS) ,
Appraisal Documen(HAP_MAIN_DOCUMENT).
In Portal , why it is pointing to ESS Appraisal Document. Is there any OBN to set?
We don't have HTTP trace in our Client Browser. Please help me out.
Thanks
Risha

Cluster cannot be added to this instance - Performance Manager

Hi, I installed an instance of Performance Manager and added two clusters to it. For whatever reason I had to ditch the Performance Manager VM and re-deploy it. Now that I have a new instance, I cannot add the clusters to it. Yes, I should have removed them before I destroyed the first instance, but I didn't. How can I tell the clusters that they are no longer being managed by the old instance of Performance Manager? The documentation says to ignore the warning, but alas that is not possible, it will not let you add them. Error: Cluster <xxx> is currently managed by the following instance of OnCommand Performance Manager: URL:                       https://<xxx.xxx.com>:443System ID:          <uuid-here> Managing a cluster with multiple instances of the same application will impact the performance of the cluster. You must remove cluster <xxx> from the instance of OnCommand Performance Manager above before adding it to this instance of OnCommand Performance Manager. Thanks

Huge! This was bugging me for two weeks -- thanks for documenting the fix.   Lukeitdavisllp wrote:
Hi, I installed an instance of Performance Manager and added two clusters to it. For whatever reason I had to ditch the Performance Manager VM and re-deploy it. Now that I have a new instance, I cannot add the clusters to it. Yes, I should have removed them before I destroyed the first instance, but I didn't. How can I tell the clusters that they are no longer being managed by the old instance of Performance Manager? The documentation says to ignore the warning, but alas that is not possible, it will not let you add them. Error: Cluster <xxx> is currently managed by the following instance of OnCommand Performance Manager: URL:                       https://<xxx.xxx.com>:443System ID:          <uuid-here> Managing a cluster with multiple instances of the same application will impact the performance of the cluster. You must remove cluster <xxx> from the instance of OnCommand Performance Manager above before adding it to this instance of OnCommand Performance Manager. Thanks

Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

Hello everyone
I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
The Error I am getting is when I connect to both IP address and the FQDN of the CAS.
===========
Network Error:
Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.
==========
For the CAM's I use this names camsrv1 and camsrv2. then generate a CSR in the camsrv1 with the name camsrv3.mycompany.com corresponding to virtual ip and it exported to camsrv2, Install the CA certificate of the company and everything works perfect.
This is the failover configuration
CAM:
Primary:     10.1.206.248 camsrv1.mycompany.com
Secondary: 10.1.206.249 camsrv2.mycompany.com
Virtual:       10.1.206.250 camsrv3.mycompany.com
Then I do exactly the same steps for the CAS's and this is the failover configuration:
Primary:     10.1.216.248 cassrv1.mycompany.com
Secondary: 10.1.216.249 cassrv2.mycompany.com
Virtual:       10.1.216.250 cassrv3.mycompany.com
Then I add the certificate of CAM in the CAS on the tab "Trusted Certificate Authorities" and vice versa.
The communication between all the CAM´s and CAS´s is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
I verify that the time was right in the CAM and the CAS and all good up there.
Appreciate your help
Eduardo Navas

Eduardo,
Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
HTH,
Faisal
If you find this post helpful, please rate so others can find the answer easily

Using container managed form-based security in JSF

h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    <navigation-rule>
<from-view-id>/login.jsp</from-view-id>
        <navigation-case>
<from-outcome>loginproxy</from-outcome>
<to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:textField binding="#{login.username}"
id="username" style="position: absolute; left: 216px; top:
96px"/>
<webuijsf:passwordField binding="#{login.password}" id="password"
style="left: 216px; top: 144px; position: absolute"/>
<webuijsf:button actionExpression="#{login.button1_action}"
id="button1" style="position: absolute; left: 216px; top:
216px" text="GO"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>h3. *login.java -- implent the
button1_action() method in the login.java backing bean*
    public String button1_action() {
        setValue("#{requestScope.username}",
(String)username.getValue());
setValue("#{requestScope.password}", (String)password.getValue());
        return "loginproxy";
    }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="2.0">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html"
pageEncoding="UTF-8"/>
<html>
<head> <meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8"/>
<title>Logging in...</title>
</head>
<body
onload="document.forms[0].submit()">
<form
action="j_security_check" method="POST">
<input type="hidden" name="j_username"
value="${requestScope.username}" />
<input type="hidden" name="j_password"
value="${requestScope.password}" />
</form>
</body>
</html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
target page, placed in the secure folder to test access*
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:staticText id="staticText1" style="position:
absolute; left: 168px; top: 144px" text="A Secure Page"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description/>
<url-pattern>/faces/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name/>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
<role-name>User</role-name>
<group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests the a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry Randolph

If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry

Clean Access Server could not establish a secure connection

I have a OOB Real IP GW setup on v4.1.2
I seem to have a problem with the CAS connecting to the CAM although I have added the CAS to the CAM and can manage the CAS from the CAM.
I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication vlan. I eventually figured out that if I change the CAS Filter Fallback method from Allow to ignore then it tries to authenticate the client. However the fact that the fallback is activated tells you that something is not right.
I have 2 problems:
A) The clients web page is redirected for authentication but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server and it would not help as it does not include the hostname in the URL anyway. How do I fix this or perhaps it's related to the 2nd problem.
B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
Network Error:
Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.
I would guess the culprit is No 2 but surely the system can run on self signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the cetificates on the CAM
& CAS.
Any ideas?

To overcome problem B, I regenerated the SSL Certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
I also SSH'd from each of the CAS's to each of the CAM's from the CLI and it then prompts to permanently store the certificates. I'm not sure it this was necessary though.

Accessing Active Risk Manager (ARM) folder security markings through Risk Performance Manager

Similar Messages

Maybe you are looking for