Agentless host support in ACS

Similar Messages

• Remote host supports the use of SSL ciphers that offer weak encryption

  Dear All,
  Our Internal security audit suggests to avoid the use of Week SSL ciphers for our SAP PI 7.0 servers.
  We have followed the SAP note 510007 - Setting up SSL on Web Application Server ABAP
  as mentioned in the point 6 we have added below parameter in the instance profile of application server  and restarted our server but still the issue is not resoved.
  ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
  Clients are accessing our PI server through SAP Web dispatcher.
  Kindly suggest the action to be taken to resolve the issue.
  Please find the below comment from Audit.
  The remote host supports the use of SSL ciphers that offer weak encryption.
  Note: This is considerably easier to exploit if the attacker is on the same physical network
  Regards,
  Lalitha.

  Hi Jim,
  The remote host is the PI(7.0) server.
  PI server profile
  FN_JSTART = jcontrol$(FT_EXE)
  ssl/ciphersuites = HIGH:MEDIUM:!mMD5
  jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/
  cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) âexitcode %exitcode%
  login/accept_sso2_ticket = 1
  SAPSYSTEMNAME = APQ
  SAPSYSTEM = 00
  INSTANCE_NAME = DVEBMGS00
  DIR_CT_RUN = $(DIR_EXE_ROOT)/run
  DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
  jstartup/trimming_properties = off
  jstartup/protocol = on
  jstartup/vm/home = /opt/IBMJava2-amd64-142
  jstartup/max_caches = 500
  jstartup/release = 700
  jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
  j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
  PHYS_MEMSIZE = 512
  exe/saposcol = $(DIR_CT_RUN)/saposcol
  rdisp/wp_no_dia = 10
  rdisp/wp_no_btc = 3
  exe/icmbnd = $(DIR_CT_RUN)/icmbnd
  rdisp/j2ee_start_control = 1
  rdisp/j2ee_start = 1
  rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
  exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
  rdisp/j2ee_timeout = 1800
  rdisp/frfc_fallback = on
  icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
  icm/server_port_0 = PROT=HTTP,PORT=80$$
  # SAP Messaging Service parameters are set in the DEFAULT.PFL
  ms/server_port_0 = PROT=HTTP,PORT=81$$
  rdisp/wp_no_enq = 1
  rdisp/wp_no_vb = 1
  rdisp/wp_no_vb2 = 1
  rdisp/wp_no_spo = 1
  # Jcontrol: Migrated Profile Parameter
  #      create at Wed Mar 25 20:20:02 2009
  j2ee/instance_id = ID0079698
  Web dispatcher profile
  SAPSYSTEMNAME = WD0
  SAPSYSTEM = 00
  INSTANCE_NAME = W00
  DIR_CT_RUN = $(DIR_EXE_ROOT)/run
  DIR_EXECUTABLE = $(DIR_CT_RUN)
  wdisp/shm_attach_mode = 6
  # Accesssability of Message Server
  #rdisp/mshost = asapq00.b.com
  #ms/http_port = 8100
  #ms/https_port = 8101
  wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
  # Configuration for medium scenario
  icm/max_conn               = 16350
  icm/max_sockets            = 32768
  wdisp/HTTPS/max_pooled_con = 16350
  icm/req_queue_len          = 8000
  icm/min_threads            = 100
  icm/max_threads            = 500
  mpi/total_size_MB          = 700
  mpi/buffer_size            = 32768
  mpi/max_pipes              = 21000
  wdisp/HTTP/max_pooled_con  = 8192
  wdisp/HTTPS/max_pooled_con = 8192
  # SAP Web Dispatcher Ports
  icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
  icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
  #icm/host_name_full= asapq00.b.com
  icm/host_name_full= qtyh2h.k.co.in
  icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
  ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
  wdisp/HTTPS/dest_logon_group = PUBLIC
  wdisp/HTTPS/max_client_ip_entries = 100000
  wdisp/HTTPS/sticky_mask = 255.255.255.0
  #Additional Parameters
  wdisp/add_client_protocol_header = true
  wdisp/auto_refresh = 120
  wdisp/max_servers = 100
  wdisp/handle_webdisp_ap_header = 1
  #Registering SAP Web Dispatcher in the SLD
  #wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
  #Parameter to avoid week SSL ciphers
  ssl/ciphersuites=HIGH:MEDIUM:!mMD5
  Regards,
  Lalitha

• I want a Web hosting supports OC4J

  Hi
  I have a oracle developer suit 10g application(.FMX) with Oracle 10g database engine and I want to upload it on web server,
  I`m tiring searching for web hosting support oracle application server witch supports(OC4J) ?
  please,can you suggest me web hosting sits support OC4J or alternative solutions.
  thank you.

  You can set Firefox to open with the internet log-in page, and have
  another page as your home page. The password manager will take
  care of the rest.
  Press the '''<Alt>''' or '''<F10>''' key to bring up the tool bar.
  Followed by;
  Windows; '''Tools > Options'''
  Linux; '''Edit > Preferences'''
  Mac; ''application name'' '''> Preferences'''
  Then '''General.'''
  There are two settings;
  * '''When Firefox Starts'''
  When the browser is started, what page do you want to
  display. Many of us choose '''Show My Home Page.'''
  * '''Home Page'''
  When a new page is opened, what do you want displayed.
  # '''Use Current Page'''. Use what ever page(s) are open at that time.
  # '''Use Bookmark'''
  # '''Restore To Default.''' about:home shows a Mozilla page with tools.
  You can use any of these that you wish;
  '''about:home''' (Firefox default home page),
  '''about:newtab''' (shows the sites most visited),
  '''about:blank''' (a blank page),
  or you can enter any '''web page''' or '''about: ''page''''' you want.

• IdeaPad A1 USB OTG/Host Support

  Hey everyone,
  Has anyone found a way to get USB Host (USB OTG) to work on a tablet that is not supported? I have a Lenovo IdeaPad A1 which was upgraded from Android 2.0.3 to ICS (4.0.4) which is also rooted. I was under the impression that all Android devices had the support for USB OTG as I bought a $70 tablet off of eBay and it did. I found out the hard way today that not all support it. I really hope someone has some insight to this as I just bought this Lenovo and am kind of disappointed to find it doesn't have something a $70 tablet does.
  Thanks in advance,
  Ben

  ben12334 wrote:
   I just bought this Lenovo and am kind of disappointed to find it doesn't have something a $70 tablet does.
  I think this is a matter of building it into the Adroid/linux kernel and not all companys build it in for some reason. I have built plenty of kernels and its not that big of a deal especially for a high tech company. They must not have the time or can not pay the engineer.
  Anyway, since you are rooted and the source is available you can actually do this yourself if you have the time and skills.

• 802.1x with AD support via ACS 4

  Hello ,
  I have been trying to configure 802.1x Authentication on a test switch . Authentication will be provided by the ACS server . This worked when I had the client setup for EAP-MD5 and had local user accounts on the ACS server . However this is impractical if we were to deploy this on a large scale. How can i configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database . The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake "
  Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.
  Thanks.
  Karthik

  Hi Karthik,
  The SSL handshake will fail in our experience for any of the following reasons:
  - The supplicant cannot access the private key corresponding to it's certificate - check that the system a/c has pemissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
  - The ACS sever does not trust the Root Certificate for the PKI that issued the supplicants certificate - Is the Supplicants Root CA present in the ACS Certificate Trust List?
  - CRL checking is enabled and the CRL has expired or is inaccessible
  If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
  Hope that helps
  Andy

• Is Multiple SDM agents in one Host supported?

  Hi Experts
  I know about the rule of one SDM agent per host.  Is it possible to install 2 different SDM agents in one host...
  Does SAP supports this?  Is there any documentation supporting this.
  For Example...
  I want my Development systems connected to my both Solution Managers ( Production and Development ).  I want to have the possibility to start  monitoring from either one of them.
  Or, I want an SDM agent pointing to an external service provider to monitor my landscape throught their SolMan,   And I want to keep one SDM agent configured to my own Solman Server.
  Again
  Should/Can I install an additional SDM agent in every system?
  Do you have a particular documentation that support this scenario?
  Regards and thanks
  Henry Lopez

  Hi,
  first, if you mean SMD Agent, then yes, the diagnostics concept from SAP needs only one diagnostics agent per host.
  Big negativ impact on this SAP concept is, that if you implement monitoring with SAP Solution Manager, you have a single point of failure = the SAP Solution Manager itself,
  In former days, there was CCMS and primary / secondary target servers possible.
  Now with SMD you may have a agent with instance 98 (older versions had 97 as default) which "reacts" to the prod Sol Man and an additional agent with a diffent number which "reacts" to the non-prod Sol Man and so on.
  This "single point of failure" in the E2E / SMD concept is for me not acceptable.
  Everytime there is a Sol Man downtime, you and your complete "monitoring" will be BLIND.
  Sometimes the Java Agent turns from Green to Yellow, then the blindness is for all compontents on that host.
  If any alerts (MAI) etc come up, the SolMan down, you will not know / auto-react it until SolMan downtime is over or you restarted the Yellow agent.
  That's the reason and solution why the making a SPOF to a "halt/two point of failure" might be better on larger landscapes.
  Raymond

• LG G4 USB Host support - & green spot issue

  Hi - using my new LG G4 on the weekend.   I noted two disasters.  I have the dreaded green spot on my camera.  Sneding back for replacement on this issue.  See photo below. Also - I noted that USB Host Mode does not support 3rd party apps.  What this means is an important app I have used on Samsung S3 and S4 does not work.  Its called RccDroidPro and is used to shoot tethered to Sony Alpha and other Cameras.  Bummer.  XDA developers have patches for custom ROMSs - not one for G4 yet.   I am not keen to root my phone - anyone know another way of making this work - or where do we report feature requests for future ROM releases to Telstra?   

  Hey Jeff, that's bad luck there with the G4, from all reports they seem overall to be a great looking unit, especially in the camera department. Looks like you might have got the odd one out though. I'm not overly familiar with the RccDroidPro, but it was my understanding that in the first place this was a Sony app developed for use with Sony devices etc. primarilly for usb teethering of DSLR cameras. Actually LG would have to make your hardware compatible, USB wise to run this app. 

• Maximum "Internal Hosts accounts" on ACS 5.2

  Is there a maximum number of "Internal Hosts account" IDs that the local database in a ACS 5.2 can handle?
  Thanks....

  I hope you're right, jrabinow
  Because I have 7,000 hosts that I need to add.  I dont want to find out that max number of host is less than 7,000..that would be really frustrating..lol
  @ ewood2624
  you are referring to max number to import using csv, not max number of hosts that could reside internally.

• EAP-TTLS support in ACS v4?

  Hi,
  Does anyone know if there are any support for EAP-TTLS in the upcoming release 4 of ACS? We have invested heavilly in ACS but now we really need EAP-TTLS support (both auth and proxing).
  Cheers
  Anders Nilsson
  UMDAC

  Hi,
  EAP-TTLS along with PEAP is one of the prefered EAP:s used for EduRoam (www.eduroam.org) which is gaining more and more acceptance around the educational community. I'm really suprized that Cisco isn't up to date on whats going on around the many Universities. I estimate the only in Europe there will be more than 1000 universities using Radius servers and proxies. Australia is online and soon the US will join in. Here in Sweden (SUNET) we are now locking at but ACS product but if EAP-TTLS and Radius Proxing of all the protocols (PEAP, EAP-TLS, EAP-TTLS) are not supported we will have to look elseware (Freeraduis or Radiator). :(
  We here in Sweden strongly suggest that Cisco implements EAP-TTLS and better Raduis Proxy functionallity. (Version 4.1 maybe? ;) )
  Best Regards
  Anders Nilsson
  UMDAC

• Why doesn't Apple host "support communities" with Apple representatives?

  I'm a big Apple fan. I've been using Macs for more than 25 years, and luckily for me I bought Apple stock at a good price. But there are times when it seems to me that Apple has chosen saving moneny over providing good service to its customers.
  Case in point: a few days ago, I had a couple of problems with purchases on iTunes. I wanted to give iTunes money, but I was prevented from doing so, and I couldn't get through to iTunes support.
  It turns out the support problem was caused by a Safari extension called Ghostery. It was blocking Adobe Analytics, and that stopped the support link from working. Why couldn't I just 800-MY-APPLE and connect to support? iTunes is the world's largest music retailer, and Apple has long been in the top 2 or 3 most profitable companies. It currently has $150 BILLION in cash reserves. Why do they have to save pennies on customer support?
  When Ghostery (an approved Safari extension) caused problems with the Apple website, there should have been other ways to get to the support.

  This is one of the problems with this kind of support: helpful people being helpful inadvertantly give the wrong information, and then you either have to correct them (which comes across as being negative) or the thread goes down the wrong tracks.
  Ghostery makes the link you gave not work
  I did not give you the wrong information; that link works both in FF and Safari here.
  When you install third party addons you have to expect unexpected behavior. Add ons are not guaranteed. If you will read any SLA, you will note that such things can happen and Apple does not guarantee uninterrupted use. So, instead of telling me that I gave you the wrong information, disable or uninstall Ghostery.
  — iTunes is part of Apple selling things and "MY APPLE"—what logical reason is there to make it innaccessible to 800-MY-APPLE?
  Sales and support are generally two separate entities in a large corporation. The hardware sales and iTunes stores are two separate entities.
  Good luck.

• What host support MS SQL 2008

  Does anyone know of a hosting server that offers MS SQL 2008?
  The complete System requirements are
  Windows hosting environment.
  Coldfusion 8
  Microsoft SQL Server 2008
  I am told we need SQL Server 2008 because we need to be able
  to store polygon and polyline data.

  "DC_Eric2" <[email protected]> wrote in
  message
  news:go6vk0$946$[email protected]..
  > Does anyone know of a hosting server that offers MS SQL
  2008?
  >
  > The complete System requirements are
  > Windows hosting environment.
  > Coldfusion 8
  > Microsoft SQL Server 2008
  >
  > I am told we need SQL Server 2008 because we need to be
  able to store
  > polygon
  > and polyline data.
  http://www.hostmysite.com/hosting/coldfusion/
  Massimo Foti, web-programmer for hire
  Tools for ColdFusion, JavaScript and Dreamweaver:
  http://www.massimocorner.com

• Host Support for Packages

  Hi, I have been trying to get the proper definition of "observable" in the Java Language Specifications 2. However, it seems that a package is "observable" if its compilation units are "observable". Compilation units' observability depends on the host system! ??? How can I determine whether a compilation unit is observable and what is the difference between "observable" and "accessible".
  Thank you!
  Luka

  Its not as tough as you feel. Consider you have 2 classes , one extends Observable , another implements Observer. Both are linked by the Observer implementation "public void update(Observable o, Object arg) ". Whenever the instance of the Observable object changes, it will notify the Observer implementation through the update method.
  Following lines are taken from the API :
  " An observable object can have one or more observers. An observer may be any object that implements interface Observer. After an observable instance changes, an application calling the Observable's notifyObservers method causes all of its observers to be notified of the change by a call to their update method. "
  Hope this has given a start for your understanding this concept.
  Rajesh

• Enterprise Wireless 802.1x WEP EAP-PEAP Support with ACS Certificate

  Hi,
  Do BB10 support this type of connection?. 
  Thanks.

  Hi,
  Do BB10 support this type of connection?. 
  Thanks.

• How to support ACS format into an ebook reader

  Hi,
  we are developing an ebook reader for iphone and ipad (using XCode) and we have already implemented functions for reading free epub and pdf files.
  We'd like to add support for ACS files.
  Where can we find  technical informations about this task?
  Kind regards.

  You will want to be looking at the Reader Mobile SDK: http://www.adobe.com/devnet/readermobile.html
  This is the client side code that works with ACS4

• Does ACS 1120 5.0 version support RSA?

  Hi all,
    We are using Cisco ACS 1120 with 5.0 base licenced for TACACS , does ACS 5.0 support RSA server as external database for authenticating the users as we do in the previous versions of 4.2,4.0.
  If so kindly let me know how we can do it ? or do we have any document?
  Regards
  Sreekanth

  This is supported in ACS 5.1. ACS 5.1 can be downloaded from CCO and can upgrade ACS 5.0 to ACS 5.1
  The RSA SecurID Agent is built in to ACS 5.1. Through the ACS GUI you can perform all the required configuration items to activate and configure the agent. This includes setting the:
  agent record (sdconf.rec)
  load balancing data (sdopts.rec)
  node secret (securid)
  agent status file (sdstatus.12)
  For more details, see http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1134728