BO Security Management within CMC

Similar Messages

• Secure "Applications" within CMC

  Hi there,
  I am building a delegated security model and I want to secure the 'Applications' option in the CMC for a local admin user who is going to add users and change passwords
  I can't see a way to secure this, any thoughts?
  regards
  James

  “More Info” being unavailable from the About box is probably because System Profiler—another usual inhabitant of the Utilities folder—is missing. Have you tried searching the drive with Spotlight, in case the utilities got moved somewhere, um, unusual?
  Have you run Disk Utility (from the system installer disc) to check for problems with the hard drive? Sometimes files will appear to go missing because of corruption in the directory structures.

• Using the Security Manager to restrict access to a single package

  After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
  Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
  Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
  But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
  Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
  It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
  The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

  You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

• Security Manager Performance

  Hi all,
  i have implemented a Repository Manager and a Security Manager with the help of the Tutorial from the Code Samples Section. Everything works fine, but the Performance of the Search is very bad. The Security Manager has serveral isAllowed Methods, but the framework always calls the atomic method "isAllowed(IResourceHandle, IPrincipal, IPermission)". This causes a great timedelay. In my case it will be much more effectiv to use the isAllowed-Methods with the Lists as Parameter. But i heard that it is not possible to force the framework to use this isAllowed-Methods.
  Can anyone tell me how i can increase the performance of the SecurityManager or how i can use the isAllowed Methods with the lists?
  Thank you very much for your answers!

  Hi Marcus,
  Unfortunately you have no possiblity to change the way the RF calls security managers.
  Is it possible for you to do reasonable caching within you security manager implementation?
  Best regards,
  Michael

• Security Manager traceroute ASA 5520

  How can I use Security Manager (3.2) to configure a ASA 5520 to show up in a traceroute, have found a doc on how to do this from the cmd line but would prefer to keep everything in CSM.
  Mike

  There used to be a similar bug in IDM.
  The sensor itself does not declare an interface as promiscuous.
  SO CSM has to intepret the configuration to determine if the interface is promiscuous.
  On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
  So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
  And the above is True for Appliances.
  What the CSM developers may not have realized is that this is NOT true for Modules.
  For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
  That knowledge is only within the configuration of the ASA chassis itself.
  CSM is simply incorrectly using the rules for Appliances against the SSMs.
  This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
  CSM would likely have to make the same change, and just then just tell the user they need to check ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
  Marco

• Ensuring applications use a Security Manager

  Is it possible to enable the use of a security manager by default for Java applications?
  I understand that I can enable a security manager by using the -Djava.security.manager command-line option to java and javaw. But to utilise that I need to modify all scripts that call java/javaw, and I need to remember to include it when running all future java applications I acquire.
  These are the possibilities I've looked at:
  1. A configuration file that stores default options to those commands (similar to the ide.cfg in Netbeans). To my knowledge this feature doesn't exist.
  2. A configuration file for specifying default system properties (the -D prefix indicates it's a system property to be passed to the VM). Again, to my knowledge such a feature doesn't exist.
  3. An option in the ${java.home}/lib/java.security "master security properties file" which forces security managers by default. I couldn't find any such option. In fact, I couldn't find any solid documentation about this master security properties file on the Java web site. (The only information I found was about the JAAS extensions to this file).
  Any help will be greatly appreciated.
  There are two further options I would like to try, but they are nontrivial.
  A. Move to a Unix-based platform where the java/javaw commands are likely to be implemented as shell scripts to which the default options can readily by added. Or if they are not can be seemlessly replaced with a shell script. (I would really like to do this, I've tried to make the switch thrice in the past but have so far encountered difficulties).
  B. Build new java.exe and javaw.exe executables that invoke the originals (perhaps renamed to java-unsafe.exe) with the required default options (perhaps even reading the options from a text file a la Netbeans).
  Thanks in advance. Hopefully there is something obvious I've overlooked that does this.
  P.-S. I notice another poster raised this issue last year, but it received no replies. That post can be found here:
  http://forum.java.sun.com/thread.jsp?forum=61&thread=301657

  For those following this thread I've managed to make one step towards ensuring that no Java code is run locally without a Security Manager.
  It's an OS-level solution protecting against code run by double-clicking a jar file. (Admittedly this is not something I do often, but it's a start).
  The OS is Windows 2000 Professional. To add this protection, I performed the following steps.
  1. Choose the 'Tools'|'Folder Options...' menu item from within Windows Explorer.
  2. Within the 'File Types' tab, select the 'JAR' extension and click 'Advanced'.
  3. Click 'New...'.
  4. Type something like 'run with manager' in the 'Action' field. Type cmd.exe /c "java.exe -Djava.security.manager -jar "%1" %* & pause.exe" in the other field. Click OK.
  5. Ensure that this 'run with manager' action is the default. (I believe that the 'Set Default' button is supposed to do this. It did not do so for me. On my setup the default action was always the action with the earliest alphabetically-listed name.)
  sudheesh_j: Do you have any recommendations as to how to contact Sun? Should I post a Feature Request, or is there a list or email address that I should contact?

• Yesterday, since I downloaded the lastest version 3.6.6, every time firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action. I can't hardly use if anymore because of all the window pop-ups

  Yesterday, since I downloaded the latest version 3.6.6, every time firefox opens and when I click on something, I get multiple error windows that say "ERROR: Security Manager Vetoed Action". I can't hardly use if anymore because of all the window pop-ups. What can I do? Can I go back to an older version?
  == This happened ==
  Every time Firefox opened
  == I downloaded version 3.6.6 yesterday

  hello, when this is happening after you've already updated firefox with your admin account, try to delete the ''updates'' folder and ''active-update.xml & updates.xml'' within the %localappdata% folder of your restricted account like it is described in http://kb.mozillazine.org/Software_Update#Software_Update_not_working_properly

• Cisco Security Manager 3.2.1

  I have a customer who needs to increase their device count from 5 to 25. What is involved in doing this? Can I just install a new license file?

  The terms of your Security Manager software license determine many things, including the features that are available to you and the number of devices that you can manage. For licensing purposes, the device count includes any physical device, security context, virtual sensor, or Catalyst security services module that uses an IP address. Failover pairs count as one device. For PIX Firewalls, FWSM, and ASA devices that are configured in multiple-context mode (so that they host more than one security context), only the security contexts are counted as devices; the hosting device is not counted as a separate device.
  License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. It is important that you register Security Manager as soon as you can within the first 90 days, and for the number of devices that you need, to ensure uninterrupted use of the product. Each time you start the application you are reminded of how many days remain on your evaluation license, and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you are prevented from logging in until you upgrade your license.

• Install Cisco Security Manager 4.7 on Hyper-V

  Hello,
  Our customer want to install Cisco Security Manager on a Virtual Machine virtualized with Hyper-V. Documentation only mentions install the software on a Virtual Machine on Vmware systems.
  Can we install without problems, and the installation will be supported on TAC if we need open a support case?
  Best Regards,
  David

  While it should work (since CSM is basically an application running on a Windows server), it is not a system that meets the requirements of the Installation Guide.
  So... if the TAC found an issue related to that setup when you needed their help, they'd be within their rights to say your installation is unsupported.

• HP Client Security Manager 8.3.3.1786 - Specified cast is not valid

  I've recently installed HP Client Security and find usefull accessing the PC using my finger: it works.But I got a problem accessing all USB Drivers. I got the solution reading questions in this forum: I should modify a setting in HP Client Security Manager.But my HP Client Security Manager fails after authentication giving: Specified cast is not validMy PC windows software is updated according to Microsoft Update,  even HP tool says it's all updatedI've bought the PC a little more than a year ago so HP assistence says they can't answer me (but they wrote a note) Error details: at DPClientConsole.FirstBooleanToIntConverter.Convert(Object[] values, Type targetType, Object parameter, CultureInfo culture)
  at System.Windows.Data.MultiBindingExpression.TransferValue()
  at System.Windows.Data.MultiBindingExpression.Transfer()
  at System.Windows.Data.MultiBindingExpression.UpdateTarget(Boolean includeInnerBindings)
  at System.Windows.Data.MultiBindingExpression.AttachToContext(Boolean lastChance)
  at System.Windows.Data.MultiBindingExpression.MS.Internal.Data.IDataBindEngineClient.AttachToContext(Boolean lastChance)
  at MS.Internal.Data.DataBindEngine.Task.Run(Boolean lastChance)
  at MS.Internal.Data.DataBindEngine.Run(Object arg)
  at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
  at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(Object source, Delegate method, Object args, Int32 numArgs, Delegate catchHandler)

  @ssheaf 
  ‎Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post ( serial numbers and case details).
  If you are unfamiliar with the Forum's private messaging please click here to learn more.
  Thank you,
  Omar
  I Work for HP

• " plug-in name does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari Security "Manage Website Settings"?

  Hi,
  Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari > Security > "Manage Website Settings"?
  Have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely than using the Allow/Always Allow options for the plug-in
  Thanks,
  Shyam

  Hi Linc,
  Thank you for your response. Here is the screenshot of the warning that I am talking about.
  Here is what I do:
  1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
  2. Click Security Tab and click Manage WebSite Settings
  3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
  4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
  I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
  Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
  Thanks again,
  Shyam

• Need security management software for OS 8.6 through 9.2

  Are there any security management softwares available these days for OS 8.6 through OS 9.2? Something which lets the computer owner turn off firewire and USB is what I'm looking for. It would be nice to be able to allow only some selected USB devices, like a keyboard and a printer or scanner, and still disallow external drives or thumb flash drives, but turning off all USB would be useful on machines which don't need USB keyboards, like beige or B&W PMG3 computers or G3 iBooks.

  Are there any security management softwares available these days for OS 8.6 through OS 9.2? Something which lets the computer owner turn off firewire and USB is what I'm looking for. It would be nice to be able to allow only some selected USB devices, like a keyboard and a printer or scanner, and still disallow external drives or thumb flash drives, but turning off all USB would be useful on machines which don't need USB keyboards, like beige or B&W PMG3 computers or G3 iBooks.

• Rmi with security manager not working in netbeans

  Hello i'm trying to use rmi but get the error java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve) when i run it in netbeans. here is my code
  public static void main(String[] args) {
          if (System.getSecurityManager() == null) {
              System.setSecurityManager(new SecurityManager());
          try {
              String name = "Compute";
              Compute engine = new ComputeEngine();
              Compute stub =
                  (Compute) UnicastRemoteObject.exportObject(engine, 0);
              Registry registry = LocateRegistry.getRegistry();
              registry.rebind(name, stub);
              System.out.println("ComputeEngine bound");
          } catch (Exception e) {
              System.err.println("ComputeEngine exception:");
              e.printStackTrace();
      }It works if i don't have a security manager and it works with a security manager if i don't use netbeans to run it and use the command line. i need to use a secuirty manager because the client code is running in eclipse and it moans that there is no security manager if i run it without one
  this is the error i get when running with no security manager
  java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
       java.lang.ClassNotFoundException: takenoteremote.Compute (no security manager: RMI class loader disabled)
  Please help

  I have sort of got it to work, i took out the security manager and used the code base parameter on the command line, and put my interface into a jar file. I can only get it to work though on the command line, if i run it in netbeans it doesn't find the class in the jar file it needs.
  Any ideas?

• Windows 2008 r2 Cluster not starting - "unable to create security manager worker queues"

  Hello, following a power outage, we got a serious cluster error preventing the start of the cluster.
  We are trying to interpret the only four lines the cluster.log generates :
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [WTQ] bogus file creation failed, 2
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [WTQ] bogus file creation failed, 2
  00000330.000016cc::2014/09/26-10:44:06.348 ERR   [CS] Unable to create SecurityManager worker queues, 2
  00000330.000016cc::2014/09/26-10:44:06.363 ERR   Error 6
  AND if starting clussvc manually :
  Got ERROR_FILE_NOT_FOUND(2)' because of 'Error while creating the Security Manag
  er's Thread Pool' in
      000007fe:fd69940d( ERROR_MOD_NOT_FOUND(126) )
      00000000:001ff190( ERROR_MOD_NOT_FOUND(126) )
  We suspect a DLL problem (because of mod not found), but we are unable to find the ones involved even with process monitor.
  clusdb hive seems ok.
  The situation is serious, can anybody help, please ?

  Hi RodV,
  This error usually caused by cluster service fails to open a 
  handle to the \NUL device, Device manager shows the device instance in error state.
  Please check whether the following register value still exist, if not please backup your current registry then add the it.
  HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NULL\0000\CONTROL
  ActiveService REG_SZ Null
  I am glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Problem with Advanced Security Manager

  Hi
  I am using the advanced security manager to migrate security from Essbase 7 server to Essbase 11 server. The users who are externally authenticated on essbase 7 server are under native security mode on the Essbase 11 server after security import.Does the Advanced security manager put all the users (whether they are externally authenticated or under native security mode) in native security mode after import?
  Please help

  Hello 831221
  In version 11 "native" means that the users are stored in OpenLDAP (once Essbase was externalized).
  You would only be able to create "external" users if the Shared Services have been connected to an external User Source (e.g. MSAD) prior to
  importing the users.
  best regards
  .T