Accessing OBIEE Webservices under SSO Setup

Similar Messages

• UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

  PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
  In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  Is there some known bug or workaround that matches this description?
  Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
  We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
  So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
  Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
  So, we have the following software stack:
  1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
  2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
  These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
  3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
  At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
  Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
  Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
  4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
  In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
  5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
  This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
  The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
  # imsimta version
  Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
  libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
  SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
  While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
  "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
  We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
  Here's the configuration we did specifically for AM SSO:
  1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
  com.iplanet.am.cookie.encode=false
  am.encryption.pwd=<the same value>
  all hostname-related parameters point to "psam.domain.ru"
  2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
  com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
  com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
  3) in "msg.conf" on "sunmail" (entries added via configutil):
  local.webmail.sso.amcookiename = iPlanetDirectoryPro
  local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
  local.webmail.sso.singlesignoff = yes
  local.webmail.sso.uwcenabled = 1
  service.http.ipsecurity = no
  (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
  4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
  5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
  --- main.js.orig        Sat Jan 26 07:52:09 2008
  +++ main.js     Mon Jul 21 01:06:29 2008
  @@ -667,7 +667,8 @@
  function cleanup() {
     if(laurel)
  -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     else
         exec('logout', '', 'exit()')
  @@ -1707,7 +1708,8 @@
     if(lg) {
           url = document.location.href
           url = url.substr(0,url.indexOf('webmail'))
  -        uwcurl = url + 'base/UWCMain?op=logout'        
  +//      uwcurl = url + 'base/UWCMain?op=logout'        
  +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     exit()
  }6) Calendar SSO - per docs...
  According to ngrep sniffing,
  1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
  2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
  3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
  Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
  Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
  4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
  Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
  5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
  Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
  Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
  7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
  <Request><![CDATA[
  <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
  <GetNamingProfile>
  </GetNamingProfile>
  </NamingRequest>]]>
  </Request>
  </RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
  ...then a double-request to /amserver/sessionservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="Session" reqid="686">
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="678">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]>
  </Request>
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="679">
  <AddSessionListener>
  <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </AddSessionListener>
  </SessionRequest>]]>
  </Request>
  </RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
  !!!*** Now, the problem part ***!!!
  8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
  I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
  For the most detail I can provide, I'll even paste the whole HTTP packet:
  POST /amserver/sessionservice HTTP/1.1
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
  Content-type: text/xml;charset=UTF-8
  Content-length: 336
  Cache-control: no-cache
  Pragma: no-cache
  User-agent: Java/1.5.0_09
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Host: cos-psam-01.domain.ru
  Client-ip: 194.xxx.xxx.xxx
  Via: 1.1 https-weblb.domain.ru
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="258">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]></Request>
  </RequestSet> The server's error response is apparent:
  HTTP/1.1 200 OK
  Server: Sun-Java-System-Web-Server/7.0
  Date: Thu, 31 Jul 2008 05:49:50 GMT
  Content-type: text/html
  Transfer-encoding: chunked
  19b
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="258">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
  <GetSession>
  <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
  AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
  </GetSession>
  </SessionResponse>]]></Response>
  </ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
  POST /amserver/sessionservice HTTP/1.1
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
  Content-Type: text/xml;charset=UTF-8
  Content-Length: 379
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_09
  Host: psam.domain.ru
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="281">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
  <SetProperty>
  <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
  <Property name="uwcstatus" value="active"></Property>
  </SetProperty>
  </SessionRequest>]]></Request>
  </RequestSet> ...and the response is OK:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="281">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
  <SetProperty>
  <OK></OK>
  </SetProperty>
  </SessionResponse>]]></Response>
  </ResponseSet>

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.

• Hi, I am using my icloud on my iphone but am unable to find it on my mac book pro. It's not under my system preferences like it shows under the setup. Can I download it again? Or something. I just need to backup some files on my computer and am unable.

  Hi, I am using my icloud on my iphone but am unable to find it on my mac book pro. It's not under my system preferences like it shows under the setup. Can I download it again? Or something. I just need to backup some files on my computer and am unable.

  The minimum requirement for iCloud is Lion 10.7.5 (Mavericks preferred): the iCloud Preference Pane does not appear on earlier systems - the MobileMe pane appears on Lion and earlier but is now non-functional - you cannot now open or access a MobileMe account.
  To make use of iCloud you will have to upgrade your Mac to Lion or Mavericks, provided it meets the requirements.
  The requirements for Lion are:
  Mac computer with an Intel Core 2 Duo, Core i3, Core i5, Core i7, or Xeon processor
  2GB of memory
  OS X v10.6.6 or later (v10.6.8 recommended)
  7GB of available space
  Lion is available in the Online Apple Store ($19.99). Mountain Lion (10.8.x) is also available there at the same price but there seems little point as the system requirements are the same for Mavericks (10.9.x) - which is free - unless you need to run specific software which will run on Mountain Lion only.
  The requirements for Mountain Lion and Mavericks are:
  OS X v10.6.8 or later
  2GB of memory
  8GB of available space
    and the supported models are:
  iMac (Mid 2007 or newer)
  MacBook (Late 2008 Aluminum, or Early 2009 or newer)
  MacBook Pro (Mid/Late 2007 or newer)
  Xserve (Early 2009)
  MacBook Air (Late 2008 or newer)
  Mac mini (Early 2009 or newer)
  Mac Pro (Early 2008 or newer)
  It is available from the Mac App Store (in Applications).
    You should be aware that PPC programs (such as AppleWorks) will not run on Lion or above; and some other applications may not be compatible - there is a useful compatibility checklist at http://roaringapps.com/apps:table

• OBIEE webservices and custom application

  Hi all,
  am a newbie to these oracle technologies.am a .net developer.
  and my question is related to OBIEE webservices.
  1.i was able to access a webservice(http://xxxxx:9704/analytics/saw.dll?wsdl).now my requirement is simple.i want to access a report data from obiee page.
  2. like on clicking "go"the report in obiee is displayed.so i need that report data .
  i came to know that it was exposed through webservices.but am unable to found which is the correct function and how to call it?
  please help. i need it urgently.thanks in advance
  Regards,
  Pavan

  hi gerardnico & all other experts,
  how are you?
  i haven't got any breakthrough from one month .but i have learned a little bit about obiee.
  correct me if am wrong any where
  am using a obiee 10.1.3.4
  1. obiee has a bug to"print to pdf". if am using any HTML code within narrative or a TEXT control on the answers/dashboard sections; it doen't give you exact format of the dashboard in to the pdf.; even same with download options
  2.so i started to prepare a custom page(it may be either java or .NET or Flex) to do export to pdf
  3. for this when ever am using those two controls on the dashboard; within simple JavaScript code am giving the end user(on dashboard) a custom button named as "export to pdf".
  4. Now my problem is to know the where is the user right now on the OBIEE portal/webpages . so that i have to know which dashboard he is seeing;what are the reports init;and get concerned HTML,styles data into my custom page; finally i will take care of how to make a pdf in my custom page.
  for all these things i need to communicate between my custom page and the obiee dashboard;;;the only option is webservice call; i need to trap the concerned dashboard name or something from the page and send it to my custom page.
  Hope you understood my problem. please help me if you have any suggestions for me.am working on this from so long
  Thanks & Regards,
  Pavan N

• OBIEE  webservice,The "next page" function failure

  hi all,
  I use webservice access OBIEE,When I click ”next page “ icon, js error:'Action' is empty or is not an object.
  I have edit the file OracleBIData\web\config\instanceconfig.xml , add this code:
  <URL>
  <ForceAbsoluteCommandURL>true</ForceAbsoluteCommandURL>
  <ForceAbsoluteResourceURL>true</ForceAbsoluteResourceURL>
  </URL>
  thanks for your help!

  Thank yoy try67 !
  I am trying this way, now I am creating a new button, and I am trying to put, all the code of the original button in one function.
  And, when I am creating de new button  btn:
  var btn = this.addField(name, type, page, newAddRect)
  btn.setAcion("MouseUp","myFunction()");
  this not works...
  the function is in one file in:
  C:\Documents and Settings\user\Datos de programa\Adobe\Acrobat\9.0\JavaScripts\myFile.js
  and the contains of the function is a simple alert.....
  Any idea...¿?
  Thank you!
  Regards,
  Xavi Marín.

• Accessing OBIEE report  from mobile browser or tablet

  HI
  jdev 11.1.1.5
  we have OBIEE reports embeded in adf jspx page .
  can we access this report from mobile browser or tablet ?
  I think we can access OBIEE report using OBIEE client application for Iphone.
  but is it possible to access the same from mobile browser?(embeded in adf application)

  chk this
  http://blogs.forrester.com/boris_evelson/10-07-07-oracle_obiee_11g_launch_we_are_back
  Mobile BI apps delivered to iPhone/iPad, BlackBerry, Android and Windows Mobile devices

• Accessing OBIEE report  mobile browser or tablet

  HI
  jdev 11.1.1.5
  we have OBIEE reports embeded in adf jspx page .
  can we access this report from mobile browser or tablet ?
  I think we can access OBIEE report using OBIEE client application for Iphone.
  but is it possible to access the same from mobile browser?(embeded in adf application)

  Nikhil,
  It shouldn't matter whether its coming from ADF or from Oracle BI PS directly what matters is the default formatting of the images/charts that get rendered.
  I wrote a post about how to change the default image format in OBI 11g (11.1.1.3), http://www.artofbi.com/index.php/2010/12/to-flash-or-not-to-flash-svg-and-png-options-not/.
  In that post a bug prevented this default image switch from working but I think they have fixed it in 11.1.1.5 (I haven't tested it yet due to time constraints).
  I would attempt attempting to change from Flash to SVG and then you should be able to view your ADF and the default Oracle BI PS charts/graphs via the tablet devices.
  Cheers,
  Christian

• How to access the webservice in portal component

  hai
       how to access the webservice in portal component.
       anyone knows give the solution
  Rds
  Shanthakumar

  Hai
  Please check this link.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/vc/connectivity&
  Regards

• Problem accessing R/3 with SSO ticket from the EP6.0

  Hi all,
  I have seen this thread: Problem accessing R/3 with SSO ticket from the EP6.0
  I know that it is possible to read SSO ticket from the Cookie in WebDynpro application.
  Now we are at the first step, we don't know how to read SSO ticket from the Cookie in WebDynpro application with java code.
  So anyone can help us?

  Hi,
  This has been discussed in a previous forum.Check this link.A code snippet is also there to read a cookie in webdynpro with this question
  How to implement SSO between Portal, Webdypro and ABAP system?
  I am not able to send the link exactly.
  Regards,
  Sowjanya.
  Message was edited by: Sowjanya Chintala

• Managed System Configuration: SSO setup failed for Solution Manager 7.1 sp11

  Hi Folks,
  While doing Managed System Configuration for Soman system i am getting error in SSO Setup
  Currently I am in
  8. Configure Automatically :Single Sign On Setup
  This is i am going for managed System (Solution Manager System Itself)
  Below is error log..
  SSO setup failed : a problem occured while attempting to add login modules for ticket authentication
  Screen shot attached.
  Found SID for SSO ACL entry : SMP
  Found login.ticket_client for SSO ACL entry : 000
  The Read entry permission on TicketKeystore/SAPLogonTicketKeypair-cert was given to sap.com/tc~webadministrator~solmandiag/servlet_jsp/smd/root/WEB-INF/lib/SetupLib.jar
  The TicketKeystore/SAPLogonTicketKeypair-cert was succesfully read (619 bytes)
  The SSO ticket Certificate <OU=J2EE,CN=SMP> has been successfully imported into ticket Keystore
  SSO setup failed : a problem occured while attempting to add login modules for ticket authentication
  SSO setup failed : error while updating login modules : Caller not authorized.; nested exception is:
  java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:634)
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:520)
  at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:170)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermissionRemote(Restrictions.java:158)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImpl.getPolicyConfiguration(RemoteSecurityImpl.java:63)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImplp4_Skel.dispatch(RemoteSecurityImplp4_Skel.java:225)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:336)
  at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
  at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:137)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  The SSO ticket Certificate <CN=SMP> has been successfully imported into ticket Keystore
  SSO setup failed : a problem occured while attempting to add login modules for ticket authentication
  SSO setup failed : error while updating login modules : Caller not authorized.; nested exception is:
  java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:634)
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:520)
  at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:170)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermissionRemote(Restrictions.java:158)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImpl.getPolicyConfiguration(RemoteSecurityImpl.java:63)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImplp4_Skel.dispatch(RemoteSecurityImplp4_Skel.java:225)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:336)
  at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
  at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:137)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Exception
  java.rmi.RemoteException: Caller not authorized.; nested exception is:
  java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:634)
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:520)
  at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:170)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermissionRemote(Restrictions.java:158)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImpl.getPolicyConfiguration(RemoteSecurityImpl.java:63)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImplp4_Skel.dispatch(RemoteSecurityImplp4_Skel.java:225)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:336)
  at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
  at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:137)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermissionRemote(Restrictions.java:160)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImpl.getPolicyConfiguration(RemoteSecurityImpl.java:63)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImplp4_Skel.dispatch(RemoteSecurityImplp4_Skel.java:225)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:336)
  at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
  at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:137)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by: java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:634)
  at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:520)
  at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:170)
  at com.sap.engine.services.security.restriction.Restrictions.checkPermissionRemote(Restrictions.java:158)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImpl.getPolicyConfiguration(RemoteSecurityImpl.java:63)
  at com.sap.engine.services.security.remoteimpl.RemoteSecurityImplp4_Skel.dispatch(RemoteSecurityImplp4_Skel.java:225)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:336)
  at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:201)
  at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:137)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:331)
  at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:910)
  at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1024)
  at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1344)
  at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1316)
  at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1260)
  at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1065)
  at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:282)
  at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java:147)
  at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:338)
  ... 8 more
  Regards,
  San

  Hi Sandeep,
  It seems authorization issue. Please check the below SAP Note :
  1988642 - Warning 'caller not authorized' in Step 'Single Sign On Setup'
  Hope this helps.
  Thanks & Regards,
  Nisha

• Error accessing OBIEE 11.1.1.5 Analytics in IE 7 ,IE 8

  Hi,
  I am using IE 8 and when i am accessing OBIEE 11g Analytics there is an error displaying in status bar.
  The error goes : (3 items remaining) Downloading picture http://...............    .png
  I have switched to IE7 , error is same... however there are no items to be downloaded but still throwing an exception.
  Kindly if anyone had a solution please share it, as this ticket is raised by my client i am in hurry...

  Hi,
  First of all, this is not an error. Whenever, we request some web page (May it be analysis,dashboard,plain html,jsp,asp etc) the static stuff on the page like images/scripts (.js files) etc would be downloaded by the browser onto the local client's "Temporary Internet Files" location. There are many advantages of this process viz reduces the amount of data being transferred, caching it locally for faster access etc. There are many webservers out there, which help caching these kind of files at the server level, compressing them for reducing the data transferred too.
  Now coming to the message, your client is referring to... Yes,this is the same thing happening here. So, there is nothing to worry and this is not an exception.
  Hope this helps.
  Thank you,
  Dhar

• Can we access a webservice registered to OWSM gateway using java client

  Hi all,
  Can we access a webservice registered to owsm gateway using a java client.
  Thank you.

  Using com.oracle.bpel.client.Locator to obtain a connection to the BPEL PM.
  how can we invoke a web service if it is registered with OWSM is there any java api
  to do this.
  What are the possible ways we can invoke a web service registered to OWSM?

• After installing latest update cannot access "messenger options" under the options tab

  After installing Firefox latest update I cannot access "messenger options" under the options tab. The other tabs, themes and mail options work when clicked but nothing happens when I click "messenger options" It works fine in IE.

  When I go to the settings page to access iCloud and click on terms and conditions it gives the message

• Getting HTTP transport error: when trying to access the webservices

  Hi,
  I have created proxy in JDeveloper 10g. When trying to access the webservices, getting the following error:
  javax.xml.rpc.soap.SOAPFaultException: exception on JaxRpc invoke: HTTP transport error:
  javax.xml.soap.SOAPException: java.security.PrivilegedActionException:
  oracle.j2ee.ws.saaj.ContentTypeException: Not a valid SOAP Content-Type: text/html
       at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:578)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:400)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:113)
       at com.tenncare.payment.proxy.runtime.__soap_pipe_execute_ppt_Stub.execute(__soap_pipe_execute_ppt_Stub.java:76)
       at com.tenncare.payment.proxy.__soap_pipe_execute_pptClient.execute(__soap_pipe_execute_pptClient.java:69)
       at com.tenncare.payment.proxy.__soap_pipe_execute_pptClient.main(__soap_pipe_execute_pptClient.java:43)
  Process exited with exit code 0.
  Can anyone help me what might be the reason. If you need more information, I can post it in the next.

  Hi,
  Can you just check your end point URL, and try with appending user name and password at the end of it as parrameters like http://<end point URL>&UserName=admin&Password=admin.
  Other wise check the SOAP request which is going to server using any tool as SOAP UI.
  Regards,
  Vikram

• Add RADIUS attributes under "Group Setup" in ACS 4.2

  Hi Security Experts,
  I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
  IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
  PS: I rate useful posts
  Thanks,
  Kashish

  Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
  The Options for RADIUS are described here:
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html