ACS-Auth-proxy Security misconfig

Hi,
I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
Imagine the following sequence of events:
1) user A logs in ok
2) another user A tries to log in and is correctly blocked
3) user B logs in ok
4) another user B tries to log in and is correctly blocked
5) If at this point another user A tries to log in, it is not blocked, and I have the same user A account logged in twice.
At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
The router config is attached.
On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
priv-lvl=15
proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
proxyacl#2=permit ip any any
proxyacl#3=permit icmp any any
Any help you can provide, will be greatly appreciated.
Regards,
Eduardo

Thanks for your reply, Darran.
Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
aaa new-model
aaa group server tacacs+ Oasis
server 10.10.10.5
aaa authentication login default group Oasis none
aaa authorization exec default group Oasis none
aaa authorization commands 15 default group Oasis none
aaa authorization auth-proxy default group Oasis local
aaa accounting send stop-record authentication failure
aaa accounting auth-proxy default start-stop group Oasis
aaa accounting commands 15 default start-stop group Oasis
aaa accounting network default start-stop group Oasis
aaa accounting system default start-stop group tacacs+ group Oasis
aaa accounting resource default start-stop group Oasis
aaa session-id common
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool Oasis_dhcp
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
lease infinite
update arp
ip auth-proxy auth-proxy-banner http
ip auth-proxy auth-proxy-audit
ip auth-proxy name acceso http inactivity-time 60
ip admission auth-proxy-banner http
ip admission auth-proxy-audit
ip name-server xxx.xxx.xxx.xxx
interface Vlan1
description Switch Ethernet 4Ptos 10-100
ip dhcp relay information trusted
ip dhcp client update dns
ip address 10.10.10.1 255.255.255.0
ip access-group 150 in
ip auth-proxy acceso
ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source list 20 interface Dialer1 overload
Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
I have a lab with 4 PCs and the ACS server (Win2003, standard).
Again, thanks for your interest.
Eduardo
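The following Python model is an added illustration; it is not Eduardo's configuration, Darran's reply, or Cisco ACS code. It enforces a per-user Max Sessions limit the way an accounting-driven server has to: a session counts from its accounting start record until its stop record arrives, or until it has been idle longer than an inactivity window (60 s here, matching the inactivity-time 60 in the router config above). It replays the six-step login sequence from the post so the expected allow/block pattern can be checked. Session IDs and timestamps are constructed values.

```python
"""Per-user concurrent-session limit driven by accounting start/stop records.

Added example, not code from the thread or from Cisco ACS. It models the
behaviour Eduardo wants (Max Sessions = 1 per user) and replays his
six-step login sequence. Session IDs and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    session_id: str
    last_seen: float  # time of the most recent accounting record


class SessionLimiter:
    """Counts live sessions per user from accounting records.

    A session is live from its accounting start until either its accounting
    stop arrives or it has been silent longer than `inactivity` seconds.
    The inactivity reaper matters in practice: a host that simply walks away
    never sends a stop record, and without reaping its slot stays occupied.
    """

    def __init__(self, max_sessions: int = 1, inactivity: float = 60.0):
        self.max_sessions = max_sessions
        self.inactivity = inactivity
        self._sessions: dict[str, Session] = {}

    def _reap(self, now: float) -> None:
        stale = [sid for sid, s in self._sessions.items()
                 if now - s.last_seen > self.inactivity]
        for sid in stale:
            del self._sessions[sid]

    def active_sessions(self, user: str, now: float) -> int:
        self._reap(now)
        return sum(1 for s in self._sessions.values() if s.user == user)

    def start(self, user: str, session_id: str, now: float) -> bool:
        """Accounting start: admit only while the user is under the limit.
        Returns True if the login is allowed, False if it is blocked."""
        if session_id in self._sessions:
            raise ValueError(f"duplicate session id {session_id!r}")
        if self.active_sessions(user, now) >= self.max_sessions:
            return False
        self._sessions[session_id] = Session(user, session_id, now)
        return True

    def update(self, session_id: str, now: float) -> bool:
        """Interim accounting record: keeps the session from being reaped."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        s.last_seen = now
        return True

    def stop(self, session_id: str) -> bool:
        """Accounting stop: frees the slot immediately. False if unknown."""
        return self._sessions.pop(session_id, None) is not None


def replay_thread_sequence() -> list[bool]:
    """The sequence from the post, with max sessions = 1 per user.
    Expected: [True, False, True, False, False, False]; the behaviour
    Eduardo observed turned the last two into True, which is the problem."""
    lim = SessionLimiter(max_sessions=1, inactivity=60.0)
    return [
        lim.start("A", "a-1", now=0.0),   # 1) user A logs in
        lim.start("A", "a-2", now=1.0),   # 2) second A is blocked
        lim.start("B", "b-1", now=2.0),   # 3) user B logs in
        lim.start("B", "b-2", now=3.0),   # 4) second B is blocked
        lim.start("A", "a-3", now=4.0),   # 5) third A must still be blocked
        lim.start("B", "b-3", now=5.0),   # and so must a third B
    ]


if __name__ == "__main__":
    print(replay_thread_sequence())
```

The design point is that the limiter is keyed on the session record, not on "the last user seen": each start is checked against the count of that user's live sessions, so the order in which different users log in cannot reset anyone's count. Without stop records (or interim updates) the reaper is the only thing that frees a slot, which is why missing accounting stop messages show up as users being locked out until the inactivity timer expires.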

Similar Messages

  • ASA auth-proxy timeout

    Hi, everyone
    I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, when there is some traffic between client and host through the ASA after the user has authenticated, the cache timeout timer doesn't run. When the traffic ends, the cache timeout timer runs again.
    But when I configure ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
    timeout uauth 0:05:00 absolute
    I cannot change the timer to inactivity,
    but I can change it as below:
    timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
    What is its meaning?
    And can the user authentication timer be changed to inactivity?
    Many thanks

    Use the timeout uauth absolute & inactivity values locally.
    Try the bug CSCsg52108
    http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629

  • Ip auth-proxy form action is always IP address for HTTPS?

    I am trying to set up an ip auth-proxy on a 1840.
    It works, but results in an HTTPS certificate error, as the authentication form is always submitted back to the router using the IP address in the URL and not the domain name that is in the certificate.
    ... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
    Is there a way to make the router send the form with the domain name, or at least a relative URL, and not the IP address?
    With this certificate error, the feature cannot possibly be used in a production environment.
    Thanks!
    Sergey

    Figured it out: I had not put in a default aaa authentication login default tacacs+ command. I didn't think it was necessary. I was wrong.

  • Ip auth-proxy

    Can somebody explain to me the meaning of the following commands in the link given below?
    1) aaa authentication login default local group RTP none
    In this command the default is local; will it prompt the user to TACACS first?
    2) ip auth-proxy name list_a http and ip auth-proxy list_a
    What is the meaning of putting in these commands?
    3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
    Why is this access-list required?
    4) There is no access-list from host to webserver??
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

    1> This command will try first to authenticate using a local database (username john password 0 doe); if it returns an error (if you don't set any username, I believe) it will try the TACACS server.
    2>ip auth-proxy name list_a http
    This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
    Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
    ip auth-proxy list_a
    The rule is applied to an interface on a router using this command
    3>
    ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
    After authenticating, new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
    HTH,
    rate this post if it does,
    vlad

  • Ip admission auth-proxy

    Platform:  881W
    IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
    License:  I have tried both advsecurity and advipservices
    Problem:  Configuring an auth-proxy redirect on successful authentication
    Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated.  The command is:
    ip admission proxy http success redirect <url-string>
    However, the command does not seem to exist on many of the later IOS versions.  I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication.  Is this command deprecated?  Is there a more efficient method of redirecting?
    Documentation I am using:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
    Thank you,
    Dan

    Hello,
    Can anyone here help me call a URL that has an image into my consent page?
    I have an html page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
    <a href="http://www.officemax.com"><img SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></a>
    <a href="http://www.officemax.com"><img SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></a>
    Warning!
    The web site you have tried to access may not conform to the company's Acceptable Usage Policy
    If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
    Free Internet Hotspot
    Terms of Service Agreement
    Company provides free Internet access under the condition that you agree to abide by the restrictions below.
    Responsibility of Use
    You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
    Limitation of Liability
    Company is not liable for any damages which result from your use of this service.

  • Proxy security settings don't allow to download the iPhone updates

    My PC where I set up my iPhone is located at my office, and the proxy security settings prevent my PC (any PC) from connecting to the Apple servers for downloading any updates.
    One solution could be if I can get the address where I can go from my personal laptop, accessing the internet from a totally different network.
    Another solution is moving my iPhone to my personal computer and then use my personal DSL internet connection.
    I will appreciate your help.

    Go to Start>Control Panel>Internet Options>Privacy (tab). There should be a bar & it might work if you make it lower. You could go to the Advanced tab too & uncheck some of the security blocking things.

  • Newbie with auth-proxy

    Hi,
    I need to allow and deny some users going to the Internet, but I want to allow/deny only for HTTP traffic.
    For example, I don't want any user to have to authenticate if they want to use FTP.
    Is it possible with the auth-proxy? If yes, any configuration example?
    In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
    Thanks for your help.
    Cheers Gael

    Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
    Lock-and-Key might be more what you want. See here for details:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
    You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
    interface ethernet0
    description Inside interface
    ip address 10.1.1.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
    access-list 101 permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 dynamic mytestlist timeout 120 permit ip any any
    line vty 0 4
    login local
    autocommand access-enable host timeout 5
    It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.

  • How do I make a Secure (HTTPS) connection through a Proxy with Socket?

    How can I use Socket to connect to "https://~" through a Proxy and get the response?
    For a non-secure URL (HTTP), I was able to do it by first calling socket.connect() to the Proxy server and then sending a CONNECT request for the destination server.
    However, for a secure URL (HTTPS) it did not work, perhaps because TLS/SSL has to be used.
    Is it possible to switch a Socket connection over to TLS/SSL encryption partway through?
    I also tried SecureSocket, but I cannot establish the connection to the Proxy server.
    Is there a way to go through a Proxy using SecureSocket?
    I am really stuck.
    Please, please tell me how to solve this.

    Ok, here is the solution. The latest stable release of Apache ws-soap, v2.3.1, does not support SOAP via proxy with auth. One has to use one of the nightlies. In my case it worked with the latest nightly from 2004-06-22. The classes SSLUtils and HTTPUtils have been improved a lot with this. If only this would have been easier to find...
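As an added example (not the poster's code, which used a Socket/SecureSocket API, and unrelated to the Apache ws-soap reply above), the Python below shows the technique the question asks about: open a plain TCP connection to the proxy, send an HTTP CONNECT request for the destination host:port, read the proxy's reply and require a 200, and only then start TLS on the very same socket, with certificate and hostname verification left on. The proxy address and host names are placeholders, and the demo function uses a socketpair with a constructed "200 Connection established" reply so it runs offline.

```python
"""HTTP CONNECT tunnel followed by an in-place TLS upgrade.

Added example (Python standard library only); it is not the poster's code,
which used a Socket/SecureSocket API, but it shows the same technique.
The proxy address and target host names below are assumed placeholders.
"""
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    # CONNECT's request-target is host:port (RFC 7231 section 4.3.6); the
    # Host header repeats it so the proxy can route the tunnel.
    target = f"{host}:{port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "\r\n"
    ).encode("ascii")


def read_http_head(sock: socket.socket, limit: int = 64 * 1024) -> bytes:
    """Read the proxy's reply up to the blank line that ends its headers.

    Anything after that blank line would be tunnel data; the origin server
    must not speak before our TLS ClientHello, so we treat such bytes as an
    error rather than silently feeding them to the TLS layer. Header size
    is bounded so a misbehaving proxy cannot make us buffer without limit.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy response headers exceed size limit")
    head, _sep, rest = buf.partition(b"\r\n\r\n")
    if rest:
        raise ConnectionError("unexpected data from tunnel before TLS handshake")
    return head


def parse_status(head: bytes) -> int:
    """Return the numeric status code from the proxy's status line."""
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def establish_tunnel(proxy_sock: socket.socket, host: str, port: int) -> int:
    """Ask the proxy for a tunnel; on success the socket is now end-to-end."""
    proxy_sock.sendall(build_connect_request(host, port))
    status = parse_status(read_http_head(proxy_sock))
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return status


def upgrade_to_tls(tunnel_sock: socket.socket, host: str) -> ssl.SSLSocket:
    """Start TLS over the already-open tunnel (the "switch to SSL mid-stream"
    step). create_default_context() verifies the chain and the hostname, and
    server_hostname also sets SNI so the origin presents the right cert."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(tunnel_sock, server_hostname=host)


def https_get_via_proxy(proxy_host: str, proxy_port: int, host: str,
                        path: str = "/", port: int = 443) -> bytes:
    """Full flow: TCP to proxy, CONNECT, TLS upgrade, then the HTTPS request."""
    with socket.create_connection((proxy_host, proxy_port), timeout=15) as raw:
        establish_tunnel(raw, host, port)
        with upgrade_to_tls(raw, host) as tls:
            tls.sendall(
                f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                .encode("ascii")
            )
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)


def demo_with_canned_proxy() -> tuple:
    """Offline demonstration: one end of a socketpair plays the proxy and has
    already queued a constructed '200 Connection established' reply."""
    client_end, proxy_end = socket.socketpair()
    try:
        proxy_end.sendall(b"HTTP/1.1 200 Connection established\r\n"
                          b"Proxy-Agent: constructed-demo\r\n\r\n")
        status = establish_tunnel(client_end, "example.invalid", 443)
        request_seen = proxy_end.recv(4096)
        return status, request_seen
    finally:
        client_end.close()
        proxy_end.close()


if __name__ == "__main__":
    status, req = demo_with_canned_proxy()
    print(status, req.decode("ascii").splitlines()[0])
```

The order matters: TLS is started only after the proxy has confirmed the tunnel, and it is started against the destination host name, not the proxy's, so the certificate check protects the end-to-end connection. Any reply other than 200 (for example 407 when the proxy wants credentials) is treated as a refusal rather than an opportunity to continue in the clear.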

  • Scale 802.1X ACS in High Security Mode any Idea's?

    Scenario
    Platform ACS V 5.1.0.44
    Switch 4510R with 8 48 port modules (384 ports)
    802.1x authentication of the ports in High Security Mode (VLAN assignments required)
    Authentication Method Cert based eap-tls to machine
    we currently have 4 Data Vlans that users and assets drop into on this switch
    How do I scale this, as I can't differentiate the cert to distribute the users across the 4 vlans in ACS?
    I think I can use unique Identity groups for the MAB of assets but the users has me really scratching my head.

    Looks like a Switching group has been looking at this as a possible answer for the stack switches, but I can't configure vlan groups on 4510's,
    and there's no config guide on how to apply it in ACS 5.1 (use attrib 81 like we do for vlan assignment?)
    12.2(52)SE
    IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.
    12.2(52)SE
    3750-E, 3560-E
    But then you get bit with even using VLAN assignments on large stacks
    • When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.
    The workaround is not to use the VLAN assignment option. (CSCse22791)

  • ACS not authorising Security Manager devices

    Hi, I have a setup with ACS 4.1 and CS-Manager 3.2.2.
    I have integrated the CS-Manager into ACS with no problems.
    However when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS"
    I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS))
    I am wondering if CS-Manager is not liking the wildcards.
    Unfortunately, as we have 500 or so production devices already using this entry, I am not in a position to remove it to test my theory at present.
    Anyone know if wildcards are supported for authorising CS-Manager devices?
    Regards
    Colin

    Colin
    Assumption: you have CSM's Common Services integrated correctly into ACS, first with an admin account in ACS with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal), and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.
    Assumption: you have a super admin group in ACS set up that has full rights to the CSM authorization categories that were pushed into ACS from Common Services when you first set up AAA in CS. And you have set up a user that is part of that ACS super admin group.
    Three things to check.
    1. Under ACS, click the 'Shared Profile Components' button, check that Common Services has pushed out the Authorization categories into ACS; you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator'; make sure that all the tick boxes in this profile are ticked with no gray or shaded boxes.
    2. The user account you're logging into CSM with is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-Manager authorization categories, i.e. make sure that you have matched the group that you checked in my previous point, 'System Administrator' or whatever group you created that gave full rights.
    3. Finally, you must have the device listed in your network device groups in ACS. Remember that CSM will check against the ACS's NDG lists and WILL also match against a FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN; if it's not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2, not 100% sure, but it broke my network in 3.1.) I'm going to take a wild stab in the dark and say that the wildcard might be failing you because it doesn't match between CSM host name and domain name sections to the ACS host name.
    Dale
    Oh one final test you can try, log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via tacacs and that you can perform enable access type functions using this account.

  • OSB proxy secured with message level protection - No Protocol error

    I have an OSB business service that calls a JAX-WS service protected by OWSM policy wss11_message_protection_service_policy. The business service is protected by the corresponding client policy. The proxy service is secured by wss11_message_protection_service_policy. Business service works fine but the proxy doesn't. It runs into this "no protocol" error below on the outbound. The system is a windows 8 64 bit PC and uses IPV6. The domain path has no spaces (I read online on an unrelated forum that spaces can cause this 'no protocol' error). This error occurs only with the message protection policy. UserName token works fine from proxy->business svc->webservice.  There are no issues with the certificates because I am able to call the webservice using a jax-ws client using the certificates in keystore.
    Caused By: java.net.MalformedURLException: no protocol: /OSBProject/proxy/HelloServiceProxySvc
            at java.net.URL.<init>(URL.java:583)
            at java.net.URL.<init>(URL.java:480)
            at java.net.URL.<init>(URL.java:429)
            at oracle.wsm.security.identity.WSMIdentityReaderValidator.getHostname(WSMIdentityReaderValidator.java:200)
            at oracle.wsm.security.identity.WSMIdentityReaderValidator.getIdentity(WSMIdentityReaderValidator.java:149)
            at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.fetchIdentity(SecurityScenarioExecutor.java:488)
            at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.initialize(SecurityScenarioExecutor.java:455)
            at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.init(SecurityScenarioExecutor.java:347)
            at oracle.wsm.security.policy.scenario.executor.Wss11AnonWithCertsScenarioExecutor.init(Wss11AnonWithCertsScenarioExecutor.java:97)
            at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:259)
            at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:282)
            at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:165)
            at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
            at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
            at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1059)
            at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:489)
            at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:374)
            at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:217)
            at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:215)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:213)
            at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler.processRequest(WsmOutboundHandler.java:214)
            at com.bea.wli.sb.test.service.wss.WssHandler.processRequest(WssHandler.java:279)
            at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:468)
            at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:116)
            at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:261)
            at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
            at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
            at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
            at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
            at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:140)
            at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
            at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
            at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
            at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.__WL_invoke(Unknown Source)
            at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
            at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(Unknown Source)
            at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
            at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
            at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:345)
            at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
            at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_1036_WLStub.invoke(Unknown Source)
            at com.bea.alsb.console.test.TestServiceClient.invoke(TestServiceClient.java:174)
            at com.bea.alsb.console.test.actions.DefaultRequestAction.invoke(DefaultRequestAction.java:117)
            at com.bea.alsb.console.test.actions.DefaultRequestAction.execute(DefaultRequestAction.java:70)
            at com.bea.alsb.console.test.actions.ServiceRequestAction.execute(ServiceRequestAction.java:143)
            at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
            at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
            at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
            at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
            at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
            at com.bea.alsb.console.common.base.SBConsoleRequestProcessor.processActionPerform(SBConsoleRequestProcessor.java:91)
            at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
            at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
            at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
            at com.bea.alsb.console.common.base.SBConsoleRequestProcessor.process(SBConsoleRequestProcessor.java:191)
            at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
            at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
            at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262)
            at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
            at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134)
            at com.bea.alsb.console.common.base.SBConsoleActionServlet.doGet(SBConsoleActionServlet.java:49)
            at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
            at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1129)
            at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:687)
            at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.processActionInternal(ScopedContentCommonSupport.java:142)
            at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.processAction(StrutsStubImpl.java:76)
            at com.bea.portlet.adapter.NetuiActionHandler.raiseScopedAction(NetuiActionHandler.java:111)
            at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:181)
            at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:167)
            at com.bea.netuix.servlets.controls.content.NetuiContent.handlePostbackData(NetuiContent.java:225)
            at com.bea.netuix.nf.ControlLifecycle$2.visit(ControlLifecycle.java:180)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:324)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:334)
            at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:130)
            at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
            at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
            at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352)
            at com.bea.netuix.nf.Lifecycle.runInbound(Lifecycle.java:184)
            at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:159)
            at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
            at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
            at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:199)
            at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130)
            at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
            at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
            at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
            at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
            at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    Replied offline as forum was down. Issue sorted.
    Many thanks for detailed analysis.

  • SpacesWebService proxy security failure when deployed in weblogic server

    Hi all,
    I plan to use the SPacesWebservice by creating a webservices proxy. A proxy client was created and I passed on appropriate security information.
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    import javax.annotation.Generated;
    import javax.xml.ws.BindingProvider;
    import weblogic.xml.crypto.wss.WSSecurityContext;
    import weblogic.xml.crypto.wss.provider.CredentialProvider;

    // Class name assumed; the post shows only the method bodies
    public class SpacesWebServicePortClient {
        private static SpacesWebService_Service spacesWebService_Service;

        public static void main(String[] args) {
            try {
                spacesWebService_Service = new SpacesWebService_Service();
                SpacesWebService spacesWebService = spacesWebService_Service.getSpacesWebServiceSoapHttpPort();
                // The WS-Security credential providers are attached to this port's request context
                Map<String, Object> requestContext = ((BindingProvider) spacesWebService).getRequestContext();
                setPortCredentialProviderList(requestContext);
                System.out.println(spacesWebService.getGroupSpaces(null));
                // Add your code to call the desired methods.
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }

        @Generated("Oracle JDeveloper")
        public static void setPortCredentialProviderList(Map<String, Object> requestContext) throws Exception {
            // TODO - Provide the required values (hardcoded here for the sample; keep real credentials out of source)
            String username = "weblogic";
            String password = "weblogic1";
            String clientKeyStore = "C:\\default-keystore.jks";
            String clientKeyStorePassword = "weblogic1";
            String clientKeyAlias = "orakey";
            String clientKeyPassword = "weblogic1";
            String serverKeyStore = "C:\\default-keystore.jks";
            String serverKeyStorePassword = "weblogic1";
            String serverKeyAlias = "orakey";
            List<CredentialProvider> credList = new ArrayList<CredentialProvider>();
            // Add the necessary credential providers to the list
            credList.add(getUNTCredentialProvider(username, password)); // UsernameToken
            credList.add(getBSTCredentialProvider(clientKeyStore, clientKeyStorePassword, clientKeyAlias, clientKeyPassword,
                                                  serverKeyStore, serverKeyStorePassword, serverKeyAlias, requestContext)); // X.509 BinarySecurityToken
            //credList.add(getSAMLTrustCredentialProvider());
            requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credList);
        }

        // getUNTCredentialProvider and getBSTCredentialProvider are the JDeveloper-generated helpers
        // the post does not include; they return the CredentialProvider instances added above.
    }
    When I run this client as plain Java, the client runs fine.
    But additionally, I created the web service proxy in a web application, and I try to use the proxy client to invoke the web service. However, when I deploy the web application in WebLogic Server and try to touch the SpacesWebService methods using the client, I get the following errors:
    Caused by: oracle.wsm.common.sdk.WSMException: FailedCheck : failure in security check
    at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.receiveRequest(Wss11UsernameWithCertsScenarioExecutor.java:201)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:596)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:666)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:477)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:336)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:289)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:975)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:460)
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 46 more
    Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00034 : Error in Encryption reference mechanism compliance : Expected : thumbprint , Actual : issuerserial. Ensure that a compatible policy is attached at the client side.
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.preDecryptionCompliance(ComplianceEngine.java:223)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.checkCompliance(ComplianceEngine.java:385)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:882)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:844)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:808)
    at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.receiveRequest(Wss11UsernameWithCertsScenarioExecutor.java:134)
    ... 56 more
    Does anyone know why authentication is not happening only in the webapp? (Note: the WebLogic Server is on the same machine, so the path to the keystore is valid.)
    Edited by: user9138987 on Aug 21, 2011 3:04 PM

    The keystore is created using the following commands, and the default-keystore is assigned to the WebLogic domain:
    keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey -keypass weblogic1 -keystore default-keystore.jks -storepass welcome1 -validity 1064
    keytool -exportcert -v -alias orakey -keystore default-keystore.jks -storepass weblogic1 -rfc -file orakey.cer
    keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore default-keystore.jks -storepass weblogic1

  • ACS 5.1 security vulnerabilities

    Hi,
    we are having a SECURITY AUDIT and they have reported 2 vulnerabilities regarding ACS5.1 appliance:
    SSL Server Supports Weak Encryption
    X.509 Certificate MD5 Signature Collision Vulnerability - port 2030
    Any ideas how to solve them (if possible)?
    Thanks
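    Both the WSM-00034 message in the SpacesWebService thread above (the service expected a thumbprint key reference, the client sent issuer/serial) and the MD5-signature finding reported here come down to what a certificate's DER encoding carries. The following is an added example, not code from either thread, from Oracle or from Cisco: a minimal DER walker in Python (standard library only) that reports the signature algorithm OID and flags MD5-based signatures, computes the SHA-1 thumbprint that a ThumbprintSHA1 key identifier carries, and extracts the issuer/serial pair that an IssuerSerial reference carries. The sample certificate is a constructed, unsigned skeleton built inline (its DN copies the `cn=spaces,dc=example,dc=com` name from the keytool command above); `inspect_cert`, `key_reference` and `build_sample_cert` are names chosen here. To check a real certificate, pass its DER bytes to `inspect_cert` (for a live port, `ssl.get_server_certificate((host, port))` followed by `ssl.PEM_cert_to_DER_cert` yields them).

```python
"""Minimal X.509/DER inspection: signature algorithm, SHA-1 thumbprint, issuer and serial (added example)."""
import base64, hashlib

# ---- DER encoding helpers, used only to build the constructed sample ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        while (p := p >> 7):
            chunk.append(0x80 | (p & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def encode_name(rdns):
    # X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, UTF8String }))
    return der(0x30, b"".join(der(0x31, der(0x30, encode_oid(o) + der(0x0C, v.encode()))) for o, v in rdns))

# ---- DER decoding ----
def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "2.5.4.3": "CN",
             "0.9.2342.19200300.100.1.25": "DC"}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}          # the audit finding: MD5-based certificate signatures

def decode_name(body):
    parts = []
    for _, rdn in children(body):                # RDN = SET OF AttributeTypeAndValue; first one taken
        (_, oid), (_, value) = children(children(rdn)[0][1])[:2]
        parts.append(f"{OID_NAMES.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
    return ",".join(parts)

def inspect_cert(der_cert):
    (_, tbs), (_, sig_alg) = children(tlv(der_cert)[1])[:2]   # tbsCertificate, signatureAlgorithm
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    oid = decode_oid(children(sig_alg)[0][1])
    alg = OID_NAMES.get(oid, oid)
    digest = hashlib.sha1(der_cert).digest()      # thumbprint = SHA-1 over the whole DER certificate
    return {"signature_algorithm": alg, "weak_signature": alg in WEAK_SIG_ALGS,
            "serial": int.from_bytes(fields[0][1], "big", signed=True),
            "issuer": decode_name(fields[2][1]),
            "thumbprint_sha1": digest.hex(), "thumbprint_b64": base64.b64encode(digest).decode()}

def key_reference(info, mechanism):
    """What each WS-Security reference mechanism identifies the certificate by."""
    if mechanism == "thumbprint":
        return info["thumbprint_b64"]             # ThumbprintSHA1 KeyIdentifier value
    if mechanism == "issuerserial":
        return f"{info['issuer']}#{info['serial']}"   # X509IssuerSerial pair
    raise ValueError(f"unknown reference mechanism: {mechanism}")

def build_sample_cert(sig_oid, serial, rdns):
    """Constructed, unsigned certificate skeleton: enough structure for the parser, not a usable cert."""
    alg = der(0x30, encode_oid(sig_oid) + b"\x05\x00")        # AlgorithmIdentifier, NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))               # version v3
              + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + alg + encode_name(rdns)                         # signature, issuer
              + der(0x30, der(0x17, b"110821000000Z") + der(0x17, b"140821000000Z"))  # validity
              + encode_name(rdns) + der(0x30, b""))             # subject, empty SPKI placeholder
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))        # signatureValue placeholder

if __name__ == "__main__":
    info = inspect_cert(build_sample_cert("1.2.840.113549.1.1.4", 0x4E50F4F2, [("2.5.4.3", "spaces"),
                        ("0.9.2342.19200300.100.1.25", "example"), ("0.9.2342.19200300.100.1.25", "com")]))
    print(info)
    print("thumbprint:", key_reference(info, "thumbprint"), "| issuerserial:", key_reference(info, "issuerserial"))
```

    The two reference mechanisms identify the same certificate by different data, which is why a client policy emitting issuer/serial cannot satisfy a service policy that resolves keys by thumbprint; the fix is matching policies on both sides, not a different keystore. For the audit finding, anything whose `signature_algorithm` is in `WEAK_SIG_ALGS` should be reissued with a SHA-2 signature.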

    Resolved,
    After around 3 hours I managed to sort my problem out.
    For anyone who is experiencing the same problems with Intel:
    1) Use Proset 12.4.3.2 or later (install all administrator options).
    2) Create an ITAdmin package with a PLC+PST profile (i.e. check the persistent and pre-logon check boxes) while creating the profile in the ITAdmin Profile Wizard.
    3) Select PEAP as Authentication Type and MSCHAP-v2 as inner tunnel protocol. Use 'Use Secure password' as User Credentials. Uncheck the 'For pre-logon connections,....' check box.
    4) Save the package and apply it on the machine where the Proset client is installed.
    Tested on ACS 5.1 for machine authentication and AD credentials.
    Jay

  • HR Auth: Social Security Number

    Hi!
    The Social Security number is listed among other information in InfoType 0002. Can you set authorizations so that the user would see all other information of IT 0002 except the Social Security Number? I.e. how do I rule out the user's visibility of the Social Security Number?

    Hi,
    As far as I know, as you mentioned, the control of this information belongs to the infotypes. The infotypes are primarily authorized by the object PLOG (with the fields INFOTYP and SUBTYP).
    You need to check the role with which you are looking to restrict access to this information, and set the values of the infotypes and subtypes of the HR information you would like to grant access to.
    Usually, when you add a Tx which involves the PLOG object, it adds full authorization ("*" in almost all fields); that's why you need to get into the role and change these values.
    Ask your HR consultant and the HR department of your company about the information that is allowed to be seen and the values of infotypes/subtypes.
    Reward points if found helpful....
    Cheers,
    Venkoji Babu.

  • ACS as proxy radius and class 25 attribute

    Hello!
    Could you please help?
    We have a Cisco 3640 as NAS and CS ACS 2.6 as RADIUS server.
    Now we would need to forward authentication requests to another RADIUS server (the username is unknown to the ACS).
    The username is provided with a certain prefix, and according to that prefix the request is forwarded to another RADIUS server.
    That other server should give back accept/deny and the Class attribute (25).
    Here comes the question:
    Can ACS 2.6 take the Class attribute and use it as the username's group information?
    For example, Class attribute 25 with the value test is forwarded to the ACS, and the ACS has a group named test. According to group test, the ACS gives IP/DNS information back to the Cisco 3640 and the RAS client.
    Or could you please tell me how we could forward username authentication and then bind a username that is not known to the ACS to a certain ACS group?
    The IP/DNS information must be provided by the ACS.
    Any help will be appreciated!
    TIA
    Best Regards,
    Susanna
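    The mechanism described in this question, prefix-based forwarding of an Access-Request and mapping a Class (attribute 25) value from the upstream Access-Accept to a local group, is shown below as an added example in Python. It is generic RADIUS packet handling (RFC 2865 wire format), not ACS code and not a statement about what ACS 2.6 supports; the realm table, server addresses and packets are constructed for the example, and `route_request` and `group_from_reply` are names chosen here. One caveat a proxy design has to account for: RFC 2865 defines Class as opaque data the NAS echoes back in accounting, so interpreting it as a group name is a local policy decision, and a reply may carry several Class attributes.

```python
"""RADIUS proxy pieces: prefix-based forwarding of Access-Requests and mapping a Class (25)
attribute from an upstream Access-Accept to a local group. Added, generic example; not ACS code."""
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CLASS = 1, 25                  # RFC 2865 attribute types
HEADER_LEN = 20                           # code, id, length, 16-byte authenticator

def build_packet(code, ident, attrs, authenticator=bytes(16)):
    """Assemble a RADIUS packet from (type, value) pairs (constructed test input, no real authenticator)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def parse_packet(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); reject length inconsistencies."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:HEADER_LEN], attrs

# Hypothetical realm table (constructed): username prefix -> (upstream server, strip prefix before forwarding)
REALMS = {"corp/": ("192.0.2.5", True), "partner/": ("198.51.100.10", False)}

def route_request(pkt):
    """Decide where an Access-Request goes: (upstream, forwarded user name), or None for local handling."""
    code, _, _, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = next((v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME), None)
    if user is None:
        return None
    for prefix, (server, strip) in REALMS.items():
        if user.startswith(prefix):
            return server, (user[len(prefix):] if strip else user)
    return None

def group_from_reply(pkt, known_groups):
    """Map a Class attribute in an upstream Access-Accept to a local group; None if nothing usable.
    Class is opaque per RFC 2865, so only values naming a locally known group are honoured,
    and the first such value wins when several Class attributes are present."""
    code, _, _, attrs = parse_packet(pkt)
    if code != ACCESS_ACCEPT:
        return None
    for t, v in attrs:
        if t == CLASS:
            name = v.decode("utf-8", "replace")
            if name in known_groups:
                return name
    return None

if __name__ == "__main__":
    req = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"corp/susanna")])
    print(route_request(req))                             # ('192.0.2.5', 'susanna')
    accept = build_packet(ACCESS_ACCEPT, 7, [(CLASS, b"test")])
    print(group_from_reply(accept, {"test", "admins"}))   # test
```

    Whether the prefix is stripped before forwarding is part of the realm entry because the upstream server may only know the bare username; the group lookup deliberately ignores Class values that do not name an existing group rather than creating one, so an upstream server cannot place a user in an arbitrary local group.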

    As far as I know, ACS 2.6 cannot take the class attribute and use it as username's group-information....
