BPC authentication via Tivoli Access Manager
Hello experts,
I'm now investigating BPC authentication mechanism with third vendor authentication software.
Is it possible to login to BPC v7.5 MS version via Tivoli Access Manager with 'Reverse Proxy' ?
And can BPC get a login-user information as a http-header from Tivoli Access Manager at this time ?
If the above situation is possible, can BPC utilize BO enterprise authentication with Tivoli Access Manager ?
Best regards,
Tatsuo Oba
SAP BOPC can use Reverse Proxy.
I'm not sure how you want to use Tivoli Access Manager with SAP BOPC?
It is very interesting to know also the reason you woudl like to use SAP BOPC in this way.
It can be a very nice case study.
BPC can not get information like an HTTP header and something like that it will be unsafe from security point of view.
Regarding your question:
BPC to utilize CMS authentication with Tivoli Access Manager
I think you have to provide more information? Why do I need Tivoli Access Manager to access BPC or to do authentication to CMS.
I have to mention I don't know how it is working Tivoli Access Manager and because of that I'm asking you to provide more information.
Regards
Sorin Radulescu
Similar Messages
-
Tivoli Access Manager WebSeal & Infoview
Post Author: ab129001
CA Forum: Authentication
Is it possible to enable Infoview users to authenticate via Tivoli Access Manager WebSeal (a reverse proxy authentication product)?
Thanks in advance.
AndyPost Author: jsanzone
CA Forum: Authentication
Andy,
It's my understanding that in order to achieve SSO w/ TAM running under WebSeal, that a Portal Integration Kit (PIK) must first be produced from BusinessObjects for the XI R2 platform. Back in early April 2007, before I knew about PIKs, I submitted a trouble ticket to Tech Support in the hopes of getting a "quick" solution, hence the PIK education lesson. In response to my request, tech support submitted an enhancement request for a WebSeal Portal Integration Kit, the Ticket number for the enhancement is ADAPT00755013. If you find out anything further on this situation, I'd be all ears!! -
Using IBM Tivoli Access Manager to Secure Tuxedo Services
Wondering if anybody has any experience using 'IBM Tivoli Access Manager for e-business' to perform tuxedo service authorization ?
Is there an out-of-the-box integrated solution available or does one have to basically build a security service that use the Tivoli Access Manager APIs to determine if the user is authorized to invoke service?
Thanks,Hi,
I followed the steps of establishing SSO using TAM for OBIEE application.
Below is the piece of code that i had inserted in the "instanceconfig.xml" to enable SSO:
<Listener>
<!-- other settings ... -->
</Listener>
<CredentialStore>
<CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another"/> </CredentialStore>
<!-- other settings ... -->
<Auth>
<SSO enabled="true">
<ParamList>
<!--IMPERSONATE param is used to get the authenticated user's username and is re quired -->
<Param name="IMPERSONATE"
source="httpHeader" nameInSource="iv-user"/>
</ParamList> <!--Optional. Replace the URLs with actual logoff/logon URL-->
<LogonUrl>http://pkmslogin</LogonUrl>
<LogoffUrl>http://pkmslogout</LogoffUrl>
</SSO>
</Auth>
My credential store file look Like on below
<sawcs:credential type="usernamePassword" alias="impersonation">
<sawcs:username>USER</sawcs:username>
<sawcs:password>password</sawcs:password>
</sawcs:credential>
In the above code i am trying to get the userID of a User through the header of the application's URL, who has been already been authenticated by Windows desktop Authentication mechanism .
but then i try creating a junction using TAM and access the application through the junction i still get the logon page of OBIEE application...
Can any one help me out in this issue..
Thanks in Advance... -
Hyperion integration with Tivoli Access Manager
Hello All:
Does Hyperion supports using pre-authenticated users from IBM Tivoli Access Manager. Please can you point me to any documentation explaining the integration procedure.
TIA.Suggest you read sections 2,3,4 of the below document:
http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
It doesn't come out and say that this type of agent is supported -- you can potentially log a case with Oracle and they may be able to answer you however as it's not documented I would suggest it's not supported.
If you decided to go forward with this then you need to find someone else who is using it successfully and ask them how it is working out.
Presuming they didn't change too much from 9.3.1 to 11.1 (9.5) then you will find many many issues with SSO working.
IT saving a user a login box or two and making the application non-usable just isn't a good direction to go.
John -
Oracle Apex - SSO with IBM Tivoli Access Manager WebSeal - filters out Files with Server Error 500
Hi,
We are using IBM Tivoli Access Manager for SSO to authenticate users to access our APEX application. The authentication works but...
When the application is being accessed with the WebSeal JS/CSS files are randomly not loaded and show up with either HTTP 400 or HTTP 500 error in the FF Toolbar Console. Of course without certain CSS / JS files the application can't be used by the user.
If the application is accessed without WebSeal all files are loaded successful.
Our set up:
There are two APEX Applications using the WebSeal - the first one apparently works
Apex Listener on Tomcat7.0
Apex 4.2.6
We tried all kind of different WebSeal configurations but nothing worked so far.
I found the following:
interactive report problem with SSO
==> Does anyone know how to use mapping tables and does it help?
Interactive report javascript error due to proxy
==> The solution is for EPG but we use Tomcat as Listener so the solution does not apply
Does anyone know how to configure the WebSeal ?
ThanksI have same issue with Apex 4.2.6 and Webseal, but only on Mobile Application. Desktop Application is ok.
I have raise a SR on supportweb, but SR engineer tell me it's may be the Webseal issue, they can't reproduce it with Oracle Access Manger.
It's really a tough issue. -
Tivoli Access Manager 6.0 with Sun Java System Directory 6.3
Hi,
We have been using Tivoli Access Manager 6.0 with Sun Java System Directory 6.3 .
Using IBM TAM Java API we can administer the user creation but the API provide support only to create user with required attribute as user name, password, description, setAccoutntvalid etc.
But Sun Java System Directory 6.3 contains the many attributes as just to name a few...
First Name (givenname), User ID (uid),Password (userPassword), Confirm Password
E-mail (mail), Telephone Number (telephoneNumber), Country (c),Fax Number (facsimileTelephoneNumber), Locality (l), Organization (o), Organizational Unit (ou), accessHint, accountHint, departmentNumber, description, destinationIndicator, displayName, employeeNumber ETC...
Now My Issue is if we need to add the values for other attributes as "accessHint" , "employeeNumber" etc, then how can we acheive using IBM TAM Java API or is there any other way.
Thanks for your kind help...Looks like the attribute sunIdentityServerDiscoEntries is defined twice in the schema. Run the following and see where it is defined for the second time.
# cd /var/opt/SUNWdsee/dsins1/config/schema
# grep -w sunIdentityServerDiscoEntries *.ldif | grep -iv objectclasses
Edited by: etst123 on Mar 3, 2009 1:28 PM -
Punchout - How to post login params to Tivoli Access Manager?
I am trying to help a customer access our parts ordering system. He is using SAP and wants to use the OCI Punchout feature. (Warning: I am a complete and utter SAP novice)
Our application servers are protected by Tivoli Access Manager and users currently login to our application by entering their user/pwd info in a form. This customer wants to store this login info in SAP and perform the login automatically as well as posting other parameters, such as HOOK_URL etc., to our parts ordering application.
I have been struggling with this for a few days now but without success. Can anyone offer some pointers here? Has anyone done something similar?
Thanks
PaulThanks for your reply Masa,
as I mentioned in my post, I am an SAP novice. I am assuming that the user, password and hook url are stored somewhere in SAP for use in the punchout.
The problem I see is this: how to login with TAM and send the hook url to my application. It seems to me to be 2 separate actions.
Paul -
BO Authentication with Sun Access Manager
Post Author: aboucher
CA Forum: Authentication
Hi,
Is there a way to use Sun Access Manager (Role base) with BO. We are using XIR2 but we are willing to move to XIR3 if this version can do this job. I know that BO can be configured with LDAP, AD, Enterprise but is there a Custom choice. Any idea?
ThanksPost Author: TAZ
CA Forum: Authentication
So quickly reviewing sun access manager it doesn't seem to be an LDAP server per se. It's more like a portal used for SSO. If that's the case then you would integrate LDAP accounts and then use technology like trusted authentication for SSO from the sun access maanger portal. In that case trusted auth will support just about any front end as long as the user info can be forwarded to us in one of 7 methods. You can read more about trusted authentication in the XIR2 deployment guide
http://support.businessobjects.com/documentation/product_guides/default.asp
Integrations of this level typically involvel in depth planning and should probably be done with the assistance of a BO consultant.
Regards,
Tim -
Integrating windows authentication with Sun ACCESS MANAGER
Hi,
I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
How to do this.
Thanks in advance
MaruthiHi!
Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
http://developers.sun.com/identity/reference/techart/sharepoint.html
Christoph -
Groupwise Webaccess Basic Interface via NAM (Access Manager)
Hi,
I have just setup Groupwise as a protected resource behind NAM (Access Manager), and it works great. The only issue is that I did not take account for the mobile users using the webaccess basic interface. What I think is a possible solution is to have a different URL for the basic interface along the lines of http://portal.website.com/gwbasic, but what I need to do is to be able to get webaccess at the backend to open in basic interface mode from NAM. Can anyone please give me some clues of what needs to be passed in the headers to get Webaccess to render the basic interface?
Thanks,
Mark CurrieYeah I flipped a coin whether to post it here or in the NAM forum...I don't normally like to multi-post, but I think I will make an exception is this case as it concerns both products...I've been trying to capture the post from the webacc login screen to see if I can fool it without much success so far....Need to do SSO as their are quite a few line of business apps that are being NAM'ed. Thanks, Mark Currie
-
Integrated windows authentication with Oracle access manager 10g
Hi SSo guys,
Our project requirement is as follows:
We have two applications Ebiz 11.5.10.2 and OBIEE10g and we are supposed to integrate IWA for both the applications
so as per the below note OAM integration with IWA only works for the applications using IIS.
So can we protect both the applications in OAM 10g and point those applications to two html pages say http://IIS hostname/ebiz and http://IIS hostname/OBIEE and protect those two resorces in OAM suing IIS webserver?
As per the note :
Doc ID 1072204.1 specify
Excerpt from this doc:
#-begin-
OAM accomplishes IWA by using an OAM Webgate on the IIS Web Server that uses a hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization. Behind the scenes, the IIS WebGate utilizes the UseIISBuiltinAuthentication parameter, by default, this value is false. IWA can only be achieved when this attribute is set to true on an IIS WebGate. This is not a valid parameter for any other OAM WebGate.
#-end-It should be this way:
Ebiz:
1. Integrate OAM with OASSO
2. Register OASSO and OID with Ebiz11.5.10.2
3. Protect the resource in OAM
4. Verify if authentication is successful for this resource.
Obiee:
1. Integrate OBIEE with OAM
2. Verify if authentication is successful for this resource.
IWA:
1. Install IIS webser and webgate
2. Create authentication scheme which protects / of IIS web server.
Create a Form Authentication Scheme(this scheme should protect OBIEE and EBiz resource) which will have challenge redirect to IIS web server where IWA is configured and / is protected.
Login Flow:
1. User tries to access ebiz or obiee resource.
2. Form Authentication Scheme will challenge redirect to IIS web server where IWA is configured.
3. As IWA is configured. User will be automatically get ObSSOCookie.
4. User gets redirected back to the requested resource.
There is a My oracle support doc which talks in details about this setup. -
Is it possible to Integrate IBM Tivoli Access Manager with EBS R12.1.3 ?
Hi All,
We have a requirment to integrate IBM TAM with oracle EBS R12.1.3. We already had such setup with TAM5.1 with oracle EBS 11.5.0. Now we try to replicate setup using R12.1.3 and end up with failures.
- TAM login is unable to bypass the oracle EBS 12.1.3 page (Webseal landing page marks to /OA_HTML/Rf.jsp in R12 and 11i has /OA_HTML/AppsLocalLogin.jsp) which normally gives the home page in 11i.
- I can see EBS is not accepting the TAM post call completly.
Can somebody please throw some light on this.
OS -- IBM AIX 6.1
DB - 11.2.0.3Hi Hussein,
Thanks for the reply. There is no error message as such. TAM Page just route it to apps login page.
I've reviewed above MOS notes. But in our case, we are not using any form services. Just HTTP and oacore services are running in application node.
Below standard IBM note was followed for config,
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame2.doc_5.1%2Fam51_webseal_guide99.htm
Apache log with debug option gives below messages
10.15.25.71 - - [26/Jun/2013:10:31:35 +0100] "GET /OA_HTML/RF.jsp?function_id=1024788&resp_id=-1&resp_appl_id=-
1&security_group_id=0&lang_code=US HTTP/1.1" 200 13618 6 "https://isup-sit.via.novonet/pkmslogin.form" "Mozilla
/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.45
06.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
10.15.25.71 - - [26/Jun/2013:10:31:35 +0100] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLo
ginPG&_ri=0&_ti=1493943578&language_code=US&oapc=2&oas=vAqt8ennrMoGojwjkH3sjA.. HTTP/1.1" 200 12466 0 "https://
isup-sit.via.novonet/isup/OA_HTML/RF.jsp?function_id=1024788&resp_id=-1&resp_appl_id=-1&security_group_id=0&lan
g_code=US" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.507
27; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
In normal course we use to get one more GET to OA.jsp that is not happening here..
GET /OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE
Please note we are not using oracle SSO.
Thanks,
Lakshmanan -
Policy Agent doesn't reset Sun Access Manager session time idle value
Hi,
We have the following setup in our environment:
- apache web server/web and policy agent 2.2 for apache 2.0.54
- webmethods portal server (jetty)
-Sun Access Manager (with Sun Directory Server)
We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
Thanks a lot for the help.Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
Thanks for all your help, -
VZW Access manager freezing MacBook Pro
I use VZW Access Manager to connect to the internet via bluetooth through my BlackBerry. I am using the latest version of the software. Sometimes VZW Access Mananger will freeze up after I have disconnected my phone. I've tried to force quit the application but it still displays the pinball when I try to reconnect via VZW Access Manager. The only way that I can completely force quit the program is to do a hard shut down. I've tried simply restarting the computer and shutting it down, but it freezes up when it tries to shut down/restart. Has anyone else experienced this?? Any suggestions?? Please help, it's starting to become really annoying! I purchased the MacBook Pro in November so it is relatively new....
Uninstall Virus Barrier don't use it again. ClamXav is free and won't bugger up your machine.
Uninstall your RIM software, check for updates/compatability with iTunes 11.
Run through this list of fixes 1-15.
Step by Step to fix your Mac
And make sure of your machines performance
Why is my computer slow?
Backup backup backup
Most commonly used backup methods -
Network Access Manager and WiFi
I have a computer that is a member of a domain. The computer has Network Access Manager and Cisco Secure Mobility Client VPN modules loaded. I have the computer setup to authenticate to the network before it connects to the domain. This is working fine.
When a user brings their computer home, they are unable to connect to their wireless network. I tried adding some wifi authentication in Network Access Manager, but that did not fix the issue. I am still going to do some reading up on this issue, but I was hoping that somebody could give me some input if they have any experience?
I need for people to be able to authenticate to the network when they are at work, and VPN when they are at home.
Thanks,
Alex PfeilYou mean you have start before feature (SBL) enabled and its working fine as long as you're at work. I guess I have seen this before.
What I read in an internal enhancement request that Cisco AnyConnect 3.0 Start Before Logon (SBL) does not work with user created personal networks. NAM establishes connections with user created network profiles only after user logon, and consequently there will be no network connectivity at the time Start Before Logon executes.
What version of NAM are you using?
Jatin Katyal
- Do rate helpful posts -
Maybe you are looking for
-
How to get list of folders containing documents of certain type?
Hello, I need to perform iFS search which returns list of folders containing documents of certain custom document class. What is the best way of doing it? I tried to build search clause in the following manner: JoinQualification jq = new JoinQualific
-
Windows Client Binding Failure in a different subnet - Snow Leopard Server
hi all, We are running SL 10.6.6 mini mac on a subnetted domain - The svr subnet is 10.20.10.xxx Clients (mac & win xp) are in subnets 10.20.12.xxx & 10.20.13.xxx Linux Firewalls separate the subnets although for the purposes of this topic and setup
-
How can i bypass IPs shared secret or certificate when connecting to an older microsoft vpn network
I have a macbook pro running Lion. When I attempt to connect via VPN I am asked for either a shared secret or a certificate, but the Microsoft server does not use or recognize either. How can I bypass this requirement so I can access files I desper
-
Saving picture received via Bluetooth
Anyone know how to save pictures received via Bluetooth share on lumia 800 running 7.8 Please.
-
Can anyone take me in step by step to understand MVC design pattern
Hi Everybody, I just killed myself trying to understand what is MVC and how to apply it to flash (AS3) the easy way but I could not, there is a lot of information on MVC on google but it is very hard I can not understand it and apply it to anykind of