Cisco 3850 SSO and NSF failover time
Dear Member,
I'm trying to set up a network with a fail-over of a few seconds on a Cisco 3850 stack; the C3850 supports SSO and NSF for OSPF.
However, when the Master fails, the Slave takes over the role and re-learns the routing information, and the fail-over takes around 10 sec.
Does anyone have experience with this? Is a 10 sec fail-over the normal behavior, or can it be improved?
Diagram attached for reference.
Regards
Russ
Great, after adding the following commands I only have 1 ping loss end to end.
=========================
stack-mac persistent timer 0
router ospf 1
nsf cisco enforce global
========================
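The "1 ping loss" above is the whole measurement, so here is a way to get a number out of a ping run rather than eyeballing it. This is an added example, not code from the original thread: it assumes Linux-style ping output (a lost probe produces no reply line, so losses show up as gaps in icmp_seq) at a fixed interval, and uses the [epoch] prefix from ping -D when present. The two ping runs embedded below are constructed to match the before/after figures in the thread.

```python
"""Estimate fail-over downtime from ping output (added example, constructed samples).

Assumes Linux-style ping output: lost probes print nothing, so losses are gaps
in icmp_seq, and ping ran at a fixed interval. With ping -D the [epoch] prefix
on each reply gives a time-based figure instead of count * interval.
"""
import re

# Reply lines only; "Request timeout" / "Destination Host Unreachable" lines do not match.
REPLY_RE = re.compile(
    r"^(?:\[(?P<ts>\d+\.\d+)\] )?\d+ bytes from \S+ icmp_seq=(?P<seq>\d+)", re.M
)

# Constructed sample 1: the ~10 s switchover from the question (1 s interval, no -D).
BEFORE_FIX = """\
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=254 time=0.412 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=254 time=0.398 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=254 time=0.405 ms
64 bytes from 10.1.1.1: icmp_seq=14 ttl=254 time=0.611 ms
64 bytes from 10.1.1.1: icmp_seq=15 ttl=254 time=0.402 ms
64 bytes from 10.1.1.1: icmp_seq=16 ttl=254 time=0.399 ms
"""

# Constructed sample 2: one lost probe after the fix, captured with ping -D.
AFTER_FIX = """\
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
[1700000000.000000] 64 bytes from 10.1.1.1: icmp_seq=5 ttl=254 time=0.410 ms
[1700000001.000000] 64 bytes from 10.1.1.1: icmp_seq=6 ttl=254 time=0.401 ms
[1700000003.000000] 64 bytes from 10.1.1.1: icmp_seq=8 ttl=254 time=0.733 ms
[1700000004.000000] 64 bytes from 10.1.1.1: icmp_seq=9 ttl=254 time=0.404 ms
"""


def replies(ping_output):
    """(icmp_seq, timestamp or None) for every reply line, in order of appearance."""
    return [(int(m["seq"]), float(m["ts"]) if m["ts"] else None)
            for m in REPLY_RE.finditer(ping_output)]


def outages(ping_output, interval=1.0):
    """Every run of lost probes as (first_lost_seq, lost_count, est_seconds).

    est_seconds is (gap between the bracketing replies - interval) when -D
    timestamps are present, otherwise lost_count * interval.
    """
    found = []
    rs = replies(ping_output)
    for (s0, t0), (s1, t1) in zip(rs, rs[1:]):
        lost = s1 - s0 - 1
        if lost <= 0:          # consecutive, duplicated or reordered replies: no loss here
            continue
        if t0 is not None and t1 is not None:
            seconds = round(t1 - t0 - interval, 3)
        else:
            seconds = lost * interval
        found.append((s0 + 1, lost, seconds))
    return found


def worst_outage(ping_output, interval=1.0):
    """Longest estimated downtime in the run, 0.0 if nothing was lost."""
    return max((o[2] for o in outages(ping_output, interval)), default=0.0)


if __name__ == "__main__":
    for name, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(name, outages(sample), "worst %.1f s" % worst_outage(sample))
```

Run a long ping (ideally with -D and a sub-second -i) through the switchover and feed the saved output to outages(); with a 1-second interval a single lost probe can mean anything from a few milliseconds to nearly two seconds of real downtime, so a shorter interval gives a tighter figure.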
Similar Messages
-
Cisco 3850 Switch and Windows 7 IP Conflicts
Team,
Last evening (Christmas Eve) we set up a pair of Cisco 3850s with IP Base, version 3.3.35SE (recommended) and 3.7.0E (very latest).
We got these to replace a very old switch that had died. Attached to this network are Windows 7 PCs with all the standard patches, service packs, etc.
With standard port configs no PC would work, and in fact on each screen we got the Windows 7 IP Conflict pop-up box.
This seemed very odd to us, as we know these IPs are all static (no DHCP on this segment at all).
We went with a very vanilla config on each port:
interface g1/0/1
switchport host
That is it, nothing special at all.
Well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the Windows 7 PCs' IP-address-in-use detection during the port start-up phase!
This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is not going to work when connected to the average network with Windows 7 PCs.
We tried 3+ hours of prescribed work-arounds found when researching this issue:
ip device tracking probe delay 10 (global config)
ip device tracking maximum 0 (disabled, on the interface)
finally,
nmsp attach suppress (interface; however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different NIC vendors (laptops, desktops) and NIC driver levels from old to very recent.
Finally,
we compared a 3850 in another location to this one, and we never got HIT by this problem before because that 3850 only has TRUNK ports and no Windows 7 hosts directly attached.
Doing more research, I found out this can also affect VMware guests running Windows SERVER.
This is now a huge issue as we have a scheduled deployment of 3850s throughout our network which is going to be put on hold.
The work-around I came up with, which is not great, is:
Make ALL the "access" ports connected to PCs TRUNK ports and leave the NATIVE VLAN (untagged) as the VLAN you want the PCs to be in:
interface g1/0/1
switchport mode trunk
switchport trunk native vlan 1
This is NOT an acceptable workaround as this presents security issues even with
switchport trunk allowed vlan 1, etc. as the only allowed VLAN.
Note: this issue manifested itself and the Windows 7 PCs were UNABLE to use the network. If you do "ipconfig /all | more" you would see
192.168.0.140 (duplicate) and the interface would actually use 169.254.0.239 (duplicate), so the duplicate message appeared twice in the output.
1) With and without an SVI interface on each 3850 for the VLAN where the Windows 7 machines had a duplicate
2) When we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is, I forget now, but it took it)
3) When we had aaa new-model configured, and not configured, thinking this was some artifact of having AAA turn on something like 802.1X port state
4) When we could confirm NO DHCP SNOOPING
5) When we did NOT use static IPs and had the switch assign DHCP addresses: the Windows 7 PCs STILL had duplicates and didn't work for their "just leased" IPs.
6) When we could confirm IOS-XE ip device tracking = disabled with show ip device tracking status, etc.
This is a major problem for this 3850, and unless we get a definitive answer on why this is happening and how we can rectify it we are going to have to return our 3850s and get HP ProCurves, something I would rather avoid doing. There is NO REASON I can imagine, other than older switches whose ports default to ROUTED ports (i.e. no ip switchport), why a switch should not at least function as a bare switch with essentially a default configuration out of the box.
Any ideas? I'm working well now with the ports ALL in trunking mode with VLAN 1 native, but this is not a scalable workaround we can live with, as we have the security risk of a port not blocking certain VLANs from going out ports to PCs, etc., that attackers could send tags on at that point, etc.
thanks,
Joe Brunner
Thanks for replying. I'm not onsite (it's a standalone network), but here is what it is.
Answers in line:
This all stems from a switch replacement, correct?
> Yes, a 10-year-old Allied Telesyn switch was replaced that had no config; like a hub, just used for connectivity.
Are these 3850s in a stack?
> Yes, tested all aspects of the stack many times.
Does it have a management IP address? If so, is it using the old switch's IP address?
> The old switch had no IP. I made a "management interface" on VLAN 1, BUT no IP on the built-in management interface on the switch.
What are they connecting to? (a router / L3 switch / another switch, Cisco, HP, etc.)
> Various other devices; only 1 link back to a single 3750X stack. That switch is "hardened", so to speak, to reveal or propagate very little by design.
How are they connected? (L3 interface / L2 trunk / access port)
> All ports are left in trunk mode with VLAN 1 as the active and untagged VLAN. This was the workaround done to ever get the switch going. In "out of the box" or default mode as we initially wanted (no config), links to Windows 7 PCs didn't work. Links to Linux or other non-Windows devices did work!
Are these switches performing inter-VLAN routing or just acting as host switches?
> Dumb flat network, no routing.
Is ip routing enabled?
> Not unless enabled on the 3850 by default. I didn't type "ip routing".
Do you have multiple VLANs in your network and if so are they being propagated to these new switches?
Your Windows 7 PCs, are they just client PCs, not servers?
> Client PCs, no server OS per se.
Can you confirm something like ICS (Internet Connection Sharing) isn't enabled on any of them?
> Yes, not enabled.
Are they just using one NIC each?
> One machine is dual-homed, but we know where its "second NIC" goes: to another Cisco network which is NOT connected back to this one. We traced all our ports a few times thinking perhaps some small hub was "reflecting" traffic back to us, like a black box. Strangest thing:
with the default config out of the box, with ALL ports SHUTDOWN EXCEPT the single Windows 7-facing port, the Windows 7 machine STILL registered an IP CONFLICT when connected to the 3850, even when it had NO SVIs!!! (I know, mind-numbing.) If you disconnected the PC and connected it to an old Cisco switch, it worked fine!!! Wow.
sh switch
> 2 identical 3850s in a working stack, power- and network-stacked, both at the same version, etc., upgraded each time with "software install file flash:<long ios name>.bin".
Tested all power and general 3850 stacking; saw no issues.
sh int trunk
> All ports are now trunks (hence the workaround used to get it up).
It has 20 trunks to PCs and some single connected switches (far away on fiber), all allowing only VLAN 1. No other VLANs were created; very, very simple network. VLAN 1 is native.
sh vlan brief
> Just VLAN 1, no VLANs created; checked this many times. Had VLAN 100 at one point; made sure it was gone over a period of hours.
sh vtp status
> Not set up, left at complete default; no VTP domain set. Connected to all switches in transparent mode if a switch connection exists.
sh cdp neighbours
> Can't post (for God and country, LOL) but there is one link back to our "core", so to speak. That switch is hardened not to allow any settings to slip over to new switches, so hence no VTP; CDP is on to help troubleshooting.
sh ip route
> Just the L and C routes for the VLAN 1 IP address 192.168.17.1/24
No static routes
No VLAN interfaces other than int vlan 1
No IP address on g0/0/0, the default 3850 management interface hard-assigned to the 3850 VRF you can't remove.
int g0/0/0
ip vrf forwarding Switch_Mgmt
I can get over there if you think of anything else key to show the group.
thanks,
Joe -
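The thread never says what the switch actually puts on the wire, which is what decides whether a host calls it a conflict. This is an added example, not Cisco's code or the poster's, and it rests on one assumption taken from Cisco's public documentation of IP device tracking rather than from the thread: the tracking "probe" is an ARP request whose sender IP is 0.0.0.0, i.e. an ARP Probe in RFC 5227 terms. A host that is itself probing for its address right after link-up (or after a DHCP lease) treats such a probe from another MAC as a conflict (RFC 5227 section 2.2.1), which matches the pop-up and the 169.254.0.239 fallback in the ipconfig output above. Read against that, "probe delay" moves the switch's probe out of the host's probing window, and "probe use-svi" puts the SVI address in the sender field so the packet is no longer a probe at all. The MAC addresses and the SVI address 192.168.0.1 below are constructed.

```python
"""Classify ARP frames the way a host's address-conflict detection does (added example).

Assumption, from Cisco's public IP device tracking documentation rather than
the thread: the tracking probe is an ARP request with sender IP 0.0.0.0.
MACs and the SVI address are constructed; 192.168.0.140 is the host address
from the poster's ipconfig output.
"""
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(src_mac, op, sha, spa, tha, tpa, dst_mac=BROADCAST):
    """Ethernet II frame carrying one IPv4-over-Ethernet ARP packet."""
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


def parse_arp(frame):
    """ARP fields as a dict, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}


def is_arp_probe(arp):
    """RFC 5227 2.1.1: an ARP Request whose sender protocol address is all zeros."""
    return arp["op"] == ARP_REQUEST and arp["spa"] == "0.0.0.0"


def conflict_for(arp, my_ip, my_mac, probing=False):
    """Why a host holding (or probing for) my_ip would call this frame a conflict, or None.

    probing=True models the address-acquisition window right after link-up or a
    DHCP lease, which is when the switch's tracking probe arrives in this thread.
    """
    if arp["sha"] == my_mac:
        return None                                   # our own frames never conflict
    if arp["spa"] == my_ip:
        return "another station claims %s (RFC 5227 2.4)" % my_ip
    if probing and is_arp_probe(arp) and arp["tpa"] == my_ip:
        return "ARP probe for %s from another MAC while we are probing (RFC 5227 2.2.1)" % my_ip
    return None


SWITCH_MAC = mac("00:11:22:33:44:55")   # constructed
HOST_MAC = mac("aa:bb:cc:dd:ee:01")     # constructed
HOST_IP = "192.168.0.140"               # from the ipconfig output in the thread

# Tracking probe as assumed above: sender IP 0.0.0.0, so it is an ARP Probe.
TRACKING_PROBE = build_arp(SWITCH_MAC, ARP_REQUEST, SWITCH_MAC, "0.0.0.0", ZERO_MAC, HOST_IP)
# Same query after 'probe use-svi': sender IP is the SVI address (constructed), an ordinary request.
SVI_SOURCED = build_arp(SWITCH_MAC, ARP_REQUEST, SWITCH_MAC, "192.168.0.1", ZERO_MAC, HOST_IP)

if __name__ == "__main__":
    for label, frame in (("0.0.0.0-sourced probe", TRACKING_PROBE), ("SVI-sourced", SVI_SOURCED)):
        print(label, "->", conflict_for(parse_arp(frame), HOST_IP, HOST_MAC, probing=True))
```

The same classifier works on real frames if you feed it the raw bytes of each ARP packet from a capture on the access port: a stream of requests with sender 0.0.0.0 arriving just after link-up is the pattern to look for, and the sender IP of those requests is what "probe use-svi" changes.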
Optimize RAC failover time?
I have a 2-node RAC and the failover is taking 4 minutes. Please advise some tips/documents/links that show how to optimize the RAC failover time.
Hi
Could you provide some more information on what it is you are trying to achieve. I assume you are talking about the time it takes for clients to start connecting to the available instance on the second node; could you clarify this?
There are SQL*Net parameters that can be set; you can also make shadow connections with the preconnect parameter in the FAILOVER_MODE section of your tnsnames.ora on the clients.
Have you set both of your hosts as preferred in the service configuration on the RAC cluster? The impact will be less in a failure, as approximately half of your connections will be unaffected when an instance fails.
Cheers
Peter -
SSO and User Mapping at same time
Hi,
Can we use SSO and user mapping at the same time between the Portal and the SAP backend system?
For some of the users the user ID is different on the two ends.
After implementing SSO, will it affect the existing user mapping and the system alias created for it?
If not, can we use both SSO and user mapping at the same time?
Thanks,
VB
Hi VB,
In this case I suggest you create 2 systems: one you might have created for users who have the same user IDs in the portal and in the backend system.
For the users whose IDs differ you can create a reference system, and in the user management property of that system set:
Authentication Ticket Type - SAP Logon Ticket / SAP Assertion Ticket
Logon Method - UIDPW
User Mapping Fields - {100,200,300}Client;Language
where 100, 200, 300 are the clients of the backend system.
Assign this system in the iViews.
Thanks,
Vishal -
Emergency Responder and Cisco 3850 Switches
I'm running Cisco ER v8.5 and recently installed new Cisco 3850 switches. All the phones connected to the 3850 switches show an "unlocated" status. I've checked the hardware compatibility matrix for ER v8.5 and the 3850 is not on it.
What are my options for locating these phones in ER and assigning them to an ERL? Manually defining the phones? Is there a patch or update to ER v8.5 that would make a 3850 compatible?
I haven't used the 3850s with ER yet so can't speak to that specifically, but generally speaking you have more flexibility using location by subnets vs. switches. Scalability-wise, you can add way more subnets than switches. There's more going on under the hood if you're locating by switches, so the process overhead is greater.
The only downside with using subnets is if you need to get more granular with your locations than your deployed subnets allow (i.e. a single voice subnet for an entire building but you need to define and assign locations at the floor level). As long as you've been a little forward-thinking on the route/switch side, you'll be fine.
Hope that helps,
will -
Hi,
I would like to know if I could use the Cisco 3850 as a pass-through to register with the Cisco 5508 (FlexConnect) at our main site. At the moment I can see the AP registering to the Cisco 3850 and not the 5508. If I plug the AP into a Cisco 2960, will it connect to the 5508?
Also, which mode should it be in if the above is possible (Mobility Controller mode or Mobility Agent mode)?
Thanks
Hi Rasika,
Thanks for your reply. So if I go for option 1, can I still use the mobility tunnel and mobility anchor features? I need to form a mobility tunnel to the 5508 on the inside network and another tunnel to the 4400 controller in the DMZ (I know it has problems with a tunnel to the 4404 controller due to IOS problems, but if I can do it to the 5508 it will be fine).
It's a shame; if I can't do the above I will have to remove the wireless feature and use it as an L2 switch. When I do "no wireless management interface x", does that remove the routing (L3) part of the switch?
Thanks -
Help needed in implementing Cisco Unity SSO using SAML
Hello,
I am aware that Cisco Unity 8.x has an SSO checklist that requires:
- Cisco Unity
- MS AD on Win2003/8
- Open AM
- Apache Tomcat 7.0
We already have a single sign-on solution at our organization that uses Novell Access Manager (NAM). Would we be able to do a federated solution between another SSO product and the OpenAM on the Cisco Unity product? In this architecture all we would do is set up OpenAM as a Service Provider (SP) fronting the Cisco Unity apps and then use the SAML 2.0 protocol with an Identity Provider (IdP), which would be the NAM.
The idea is that we have a single Identity Provider (IdP). I have a difficult time understanding why setting up SSO for the Cisco Unity app requires installing a full OpenAM SSO suite. I imagine most companies have SSO solutions that have been implemented using products such as Oracle AM, Tivoli, etc., and all they would need to do is federate with the Cisco app instead of setting up a parallel SSO suite.
Thanks in advance!
Instead of registering the plug-in, can you try placing it in the plugins folder under the Oracle_IDM1/server folder?
At times a restart is required, especially when the server is running in production mode.
Regards
user12841694 -
Does the Cisco 3850 support BFD?
Hi,
How can I enable and configure BFD on the Cisco 3850?
I checked the EIGRP plugins, but there is no BFD platform support:
Core_IDC3850#sh eigrp plugins
EIGRP feature plugins:::
eigrp-release : 7.00.00 : Portable EIGRP Release
: 1.00.13 : Source Component Release(rel7)
parser : 2.02.00 : EIGRP Parser Support
igrp2 : 3.00.00 : Reliable Transport/Dual Database
external-client : 1.02.00 : Service Distribution Client Support
eigrp-nsf : 2.00.00 : Platform Support
Spatial Reuse Prot : 1.01.00 : Platform Support
mtr : 1.00.01 : Multi-Topology Routing(MTR)
EVN/vNets : 1.00.00 : Easy Virtual Network (EVN/vNets)
ipv4-af : 2.01.01 : Routing Protocol Support
ipv4-sf : 1.02.00 : Service Distribution Support
ipv6-af : 2.01.01 : Routing Protocol Support
ipv6-sf : 2.01.00 : Service Distribution Support
vNets-parse : 1.00.00 : EIGRP vNets Parse Support
snmp-agent : 1.01.01 : SNMP/SNMPv2 Agent Support
Core_IDC3850#
My 3850 OS version:
Switch Ports Model SW Version SW Image Mode
* 1 32 WS-C3850-24T 03.03.01SE cat3k_caa-universalk9 INSTALL
Br
Horace
As per the Cisco Feature Navigator output, this switch model does not support BFD.
Attached are the supported features of this switch model on the 3.3.1 software version.
HTH
Rasika
**** Pls rate all useful responses **** -
Linux NTP server with Cisco 3850
Hi all,
I'm trying to sync a Cisco 3850 with a Linux NTP server. Here is what I did.
Linux CentOS 6.5 (on a UCS virtual machine); this is the NTP server.
IP 10.1.1.251
===================================================
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html)
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 2
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
And the Cisco 3850 is configured with this:
ntp server 10.1.1.241
and
show ntp status
clock is unsynchronized, stratum 16, reference is null
Why didn't it work? Somebody help me...
Is there a typo in your post or configuration? You show the NTP server IP address as 10.1.1.251, but the router is configured to use 10.1.1.241.
Regards -
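"stratum 16, reference is null" on the switch only says that no usable time arrived; it does not say whether the server never answered (the address mismatch above, a firewall, or a restrict line that ignores the client) or answered while itself unsynchronized. This added example, not the poster's or Cisco's code, sends the same 48-byte NTPv4 request a client sends and judges the reply by the fields a client looks at (mode, leap indicator, stratum, reference ID). The two sample replies are constructed; the synced one is what an ntpd with the local clock driver fudged to stratum 2, as in the posted ntp.conf, would return, namely stratum 3 with reference 127.127.1.0.

```python
"""Query an NTP server like a client and judge the reply (added example, RFC 5905 layout).

Separates "no reply at all" from "reply from a server that is itself
unsynchronized". The sample replies below are constructed.
"""
import socket
import struct
import time

NTP_PACKET = struct.Struct("!BBbbII4sQQQQ")   # 48-byte NTPv4 header
NTP_UNIX_OFFSET = 2208988800                  # seconds from 1900-01-01 to 1970-01-01


def build_request():
    """LI=0, VN=4, Mode=3 (client); only the transmit timestamp is filled in."""
    xmit = int((time.time() + NTP_UNIX_OFFSET) * 2**32) & 0xFFFFFFFFFFFFFFFF
    return NTP_PACKET.pack(0x23, 0, 0, 0, 0, 0, b"\0" * 4, 0, 0, 0, xmit)


def parse_reply(data):
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (first, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, _orig, _recv, xmit) = NTP_PACKET.unpack_from(data)
    # Strata 2..15 carry the upstream source's IPv4 address (127.127.1.0 for the
    # local clock driver); stratum 0/1 and 16 carry a 4-character code instead
    # (kiss code, clock type, or ntpd's INIT/STEP).
    if 2 <= stratum <= 15:
        refid_text = ".".join(str(b) for b in refid)
    else:
        refid_text = refid.decode("ascii", "replace").rstrip("\0")
    return {"li": first >> 6, "vn": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "refid": refid_text, "xmit": xmit}


def assess(pkt):
    """(usable, reason): would a client take time from this reply?"""
    if pkt["mode"] != 4:
        return False, "not a server reply (mode %d)" % pkt["mode"]
    if pkt["stratum"] == 0:
        return False, "kiss-o'-death, code %s" % pkt["refid"]
    if pkt["li"] == 3 or pkt["stratum"] >= 16:
        return False, "server replies but is unsynchronized (LI=%d, stratum %d, refid %s)" % (
            pkt["li"], pkt["stratum"], pkt["refid"])
    if pkt["xmit"] == 0:
        return False, "zero transmit timestamp"
    return True, "stratum %d, reference %s" % (pkt["stratum"], pkt["refid"])


def query(host, port=123, timeout=2.0):
    """One request/reply exchange; raises socket.timeout when nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, port))
        data, _peer = sock.recvfrom(512)
    return parse_reply(data)


# Constructed: ntpd on the local clock fudged to stratum 2 -> server is stratum 3, ref 127.127.1.0.
SYNCED_REPLY = NTP_PACKET.pack(0x24, 3, 6, -20, 0, 0, bytes([127, 127, 1, 0]),
                               1 << 32, 0, 2 << 32, 3 << 32)
# Constructed: ntpd that has not synchronized yet -> LI=3 (alarm), stratum 16, refid INIT.
UNSYNC_REPLY = NTP_PACKET.pack(0xE4, 16, 6, -20, 0, 0, b"INIT", 0, 0, 0, 1 << 32)

if __name__ == "__main__":
    import sys
    for label, pkt in (("synced sample", SYNCED_REPLY), ("unsynced sample", UNSYNC_REPLY)):
        print(label, assess(parse_reply(pkt)))
    if len(sys.argv) > 1:
        try:
            print(sys.argv[1], assess(query(sys.argv[1])))
        except socket.timeout:
            print(sys.argv[1], "no reply: check the address, the UDP/123 path and the restrict lines")
```

Run it from a host on 10.1.1.0/24 against the server address the switch is actually configured with. Note that the posted restrict lines (kod nomodify notrap nopeer noquery) still serve time; noquery only refuses ntpq/ntpdc queries, so a silent server points at reachability or the wrong address rather than access control. A server answering stratum 3 here would make the switch a stratum-4 client once it has sampled the server a few times.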
Hi,
Question regarding a Cisco 3850 stack.
I've two 3850 switches stacked.
sh switch
Switch/Stack Mac Address : c025.5cb9.1b80 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#  Role     Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   c025.5cb9.1b80     1      J0      Ready
 2       Standby  c025.5cb7.c480     1      J0      Ready
Now I want to change the priority of switch 1 from 1 to 15, but I can't do this:
(config)#switch 1 ?
provision  Configure Switch provision / offline config
NMTSL3CORE1(config)#
I can't use the command "switch 1 priority 15", for example. Why?
Thanks for help.
Cheers
See below:
sh ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.01SE RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 05-Dec-13 10:15 by prod_rel_team
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.2, RELEASE SOFTWARE (P)
NMTSL3CORE1 uptime is 2 hours, 57 minutes
Uptime for this control processor is 2 hours, 59 minutes
System returned to ROM by reload at 11:53:48 CET Mon Dec 16 2013
System image file is "flash:packages.conf"
Last reload reason: reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase
cisco WS-C3850-24P (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC1737X0T4
4 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
250456K bytes of Crash Files at crashinfo-2:.
1609272K bytes of Flash at flash:.
1609272K bytes of Flash at flash-2:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of Dummy USB Flash at usbflash0-2:.
0K bytes of at webui:.
Base Ethernet MAC Address : c0:25:5c:b9:1b:80
Model Revision Number : J0
Motherboard Revision Number : C0
Model Number : WS-C3850-24P
Switch Ports Model SW Version SW Image Mode
* 1 32 WS-C3850-24P 03.03.01SE cat3k_caa-universalk9 INSTALL
2 32 WS-C3850-24P 03.03.01SE cat3k_caa-universalk9 INSTALL
Switch 02
Switch uptime : 58 minutes
Base Ethernet MAC Address : c0:25:5c:b7:c4:80
Model Revision Number : J0
Motherboard Revision Number : C0
Model Number : WS-C3850-24P
Configuration register is 0x102
Cheers -
Hi community,
I am trying to integrate Cisco Unified Presence 8.6.1.10000-34 with IBM Lotus Notes 8.5.2 with the integrated Sametime client version 8.0.2 via the Cisco plugins 8.6.1.1185.
Phone control is working fine, whereas the presence status is not shown (= no handset symbol next to the Sametime user). When I look in the preferences of the plugin, I can see that the plugin has connected successfully to the CUCM (8.6.2.20000-2), whereas the connection to the CUPS has not been established.
The user ID as well as the password are the same on all systems. Here is a description of what I have configured via the ciscocfg.exe tool:
Feature Control:
- Enable Phone Status -> checked
- Enable Dial Using Cisco IP Communicator -> unchecked (not required)
- Enable Control Desk Phone -> checked
- Default Mode -> Control Desk Phone
Control Desk Phone Settings:
- Voicemail Pilot Number -> left blank (no voicemail)
- Cisco Unified Communications Manager
- Servers -> IP address of CUCM
- Read Only -> unchecked
- Use as Default CUCM -> checked
- Synchronize Credentials -> checked
- Use Sametime Credentials -> checked
Use Secure Connection: -> not required
LDAP Phone Attributes: -> not required
Phone Status Settings:
- Cisco Unified Presence Servers -> IP address of CUPS
- Read Only -> unchecked
- Synchronize Credentials -> checked
- Use Sametime Credentials -> checked
- Sametime User ID Mapping
- Use Business Card Attribute -> MailAddress
- Remove Domain -> checked
- Display Off-Hook Status Only -> unchecked
At the moment I don't see an error in the configuration, but maybe I am wrong. Could anyone please tell me what the error could be?
Thanks a lot in advance!
Kind regards,
Igor
Hi all,
here are some additions to my above post:
Servers and clients used:
1x CUCM 8.6.2.20000-2
1x CUPS 8.6.1.10000-34
1x IBM Lotus Domino Messaging Express Server 8.5.2
1x Sametime Entry Server 8.5.2 (on top of the Domino server)
2x IBM Lotus Notes 8.5.2 with integrated Sametime 8.0.2
2x Cisco Phone Control and Presence with Lotus Sametime (PCAP) 8.6.1.1185
2x Cisco Unified Personal Communicator 8.5.5.19839
Setup:
- CUCM, CUPS and CUPC are working fine, i.e. Desk Phone control via CUPC, as well as availability and presence status are working without issues
- IBM Lotus Domino server is the LDAP Directory, the Sametime Entry Server is installed on top of the Domino server and uses the Domino Directory
- User ID and password on CUCM/CUPS match the ShortName field and password in Domino
- The PCAP plug-in has been manually deployed to both Notes clients with the following configuration:
- Enable Phone Status -> active
- Desk Phone Control -> active
- no credential synchronization for CUCM and CUPS, i.e. every user must fill the user details himself
- Sametime User ID Mapping is implemented via the LDAP Attribute uid (which is equal to the user id in CUCM)
- LDAP configuration filled in with details of the Domino server
Phone Control is working fine, also the connection to the LDAP server (Domino) is fine. However, when I type in the credentials for the CUPS server login, I can see (in Troubleshooting pane) that the user (pparker) is connected to the CUPS server for a short period of time and then gets disconnected. After that no connection is possible to the CUPS server, i.e. status is always disconnected.
I have collected the Tomcat (EPASSoap00010.log and security00010.log) logs via RTMT and compared them to the logs from the PCAP plugin. The relevant time period is from 15:14 to 15:17. In the Tomcat logs I can see that the authentication is successful (see attached files), however in the log of PCAP plugin I can see the following messages:
2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
I don't understand why the connection is rejected although the Sametime internal ID and the CUPS user ID match. Does anyone know what the issue could be?
All posts are very much appreciated!
Thanks a lot in advance!
Kind regards,
Igor -
SSO and success URL with parameters
Hello
I have succeeded in configuring the HTML_DB engine as a Partner App for Oracle SSO.
HTML_DB 1.5.0.00.33
Oracle iAS Release 1, i.e. 1.0.2.2.2
I'm entering the HTMLDB application from outside, directly to a concrete page with concrete parameters. The calling outside app is authenticated with SSO.
Example URL: http://host/pls/DAD/f?p=103:3:::::PAR1,PAR2:VAL1,VAL2
I'm then authenticated (checked against SSO) and redirected to my requested page, but the parameters are lost. The URL looks like http://host/pls/DAD/f?p=103:3:987698769876098
It only happens on the first try. Next time I have a session and I'm redirected together with the parameters.
It seems that http://host/pls/DAD/wwv_flow_custom_auth_sso.process_success is somehow getting a wrong URLC parameter, without the parameters. Why?
Please help!
Yours,
jan lakspere
Hi
Thanks, Scott.
This patch, 1.5.1, solved this problem. Now the SSO redirect forwards the parameters together with the URL.
Yours,
jan -
Hi All,
Thanks for any replies in advance. Is it possible to have SSO and the normal login mechanism enabled at the same time? I want to enable SSO, but if the user is not authenticated, I want the normal login screen to appear. What I mean is that if SSO is not enabled and you are not logged in, you get the default OBI login screen, not some LogonURL that I specify. However, when SSO is enabled and the user is not logged in, all I see is a "Not logged in" message. I know I can enable a login URL that should presumably take the user to the SSO login page. However, is there any way that OBI checks cookies to see if the user is logged in and, if not, presents the default OBI login screen?
The reason is that I want some external users to be authenticated using SSO, but I want the normal screen to appear for internal company users. Thanks.
There isn't much documentation in OBIEE about how to implement your own SSO authentication. The documentation (Deployment Guide) simply says:
"When using a J2EE Application Server and the BI Presentation Services Plug-In (Java Servlet), from the getRemoteUser method of the javax.servlet.http.HttpServletRequest.getRemoteUser API. In this case, the SSO system must be able to integrate with the J2EE environment of choice and set up the framework such that the getRemoteUser method returns the username of the end user."
And that's what you have to do. Implementing the getRemoteUser method in a Java web app is not difficult; the difficulty will depend on how you want to authenticate your users. You also need to integrate this custom Java web app with your Presentation Services plug-in. In JBoss we have done this by creating a custom Valve. The integration will vary depending on your J2EE server and your custom SSO authenticator. Once set up it works pretty well. Users go to any /analytics URL and, if they have not been authenticated before, our custom SSO Java kicks in. If they are authenticated correctly, the getRemoteUser method gets set with their current user ID. Then on the OBIEE side we have the impersonator user and the usual Init Blocks to validate the user on the BI Server and grant them Web Catalog groups and BI Server groups, set the Display Name, etc. -
SSO and Principal Propagation in SUP
Hi all,
I am wondering how SSO and Principal Propagation work in SUP.
Ideally, users should be able to log on in their device application and the same user/password should be used to perform backend SAP invocations.
I have seen that personalization keys exist which can store users/passwords to use later in backend invocations.
However:
how can I perform login if my device is offline?
is the password used for login from device the same as the SAP system's?
do SUP and SAP have to share the same user engine (i.e. LDAP)?
Any help or pointers to best practices/manuals are really appreciated
Thanks, regards
Vincenzo
Hi
How can I perform login if my device is offline?
Once the device has logged into SUP once, every time thereafter the client app doesn't perform an online authentication.
The credentials are stored securely on the device and the user-supplied credentials are checked against them. When the device is online it will perform the online authentication.
Is the password used for login from the device the same as the SAP system's?
You can have the same credentials on both systems. The SAP connectivity credentials are, however, stored in SUP.
Do SUP and SAP have to share the same user engine (i.e. LDAP)?
Yes. Currently SUP ships the OpenDS LDAP service for development purposes, but in production we can use the LDAP provider of your company.
Thanks -
HOME#sho run
Building configuration...
Current configuration : 5657 bytes
! Last configuration change at 10:51:11 UTC Fri May 17 2013 by admin
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HOME
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$bgx9$VrtQW3Wg182VyYhKAHLbN.
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-1190003239
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1190003239
revocation-check none
rsakeypair TP-self-signed-1190003239
crypto pki certificate chain TP-self-signed-1190003239
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313930 30303332 3339301E 170D3133 30353137 31303333
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393030
30333233 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C002 80BBF151 E095E469 AA7DBB18 2A9E3CC2 4AC223F6 ABE0AF49 876C1203
65D0E246 786F174D E5B7897A 44C5755A 2571E58A 184A6C62 DD992A2A D8A24878
25A8D3C3 03F5D3C2 522EC8BB 302B0CCD 2945087A 7AF01418 D0056679 6F64DB4A
BE2D5DA1 106CD03A 83B422A2 3CCBAE88 F2413123 12269390 6949DFE0 411118E7
8F210203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12484F4D 452E7777 772E7961 686F6F2E 636F6D30 1F060355
1D230418 30168014 3D2D854D 1203F50D 77F4ABC5 B61CEAF6 C922F4DF 301D0603
551D0E04 1604143D 2D854D12 03F50D77 F4ABC5B6 1CEAF6C9 22F4DF30 0D06092A
864886F7 0D010104 05000381 8100B24C 48BACACE 87ADEA03 386F2045 CC89624A
4EB1AD09 062EB2A4 CF4C96CA 0B2CF001 BD2C3804 8DC47FED 6A5B5F0D 3965AC6E
4FC4682F 707E4132 8F27C083 C7FAE1BD 21D055E6 C79D5DAD 051B6321 D35DB4F2
044E6BBD DAD08B6A 6ED87C7E 08F4F7E1 4EFDFB6F 867AF6FA 84165CFC D219D56F
A82EABD4 AD9CFA24 A5088145 E571
quit
ip source-route
ip routing protocol purge interface
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
domain-name www.google.com
dns-server 192.168.1.1
lease 0 2
ip cef
ip domain name www.yahoo.com
ip name-server 84.235.6.55
ip name-server 84.235.57.230
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1516933C
username admin privilege 15 password 0 cisco
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
interface Vlan2
no ip address
ip nat inside
ip virtual-reassembly
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
banner motd ^Cuthorized ^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password cisco
logging synchronous
login local
transport input telnet ssh
scheduler max-task-time 5000
end
HOME#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
HOME#sh ip int br
Interface        IP-Address     OK? Method Status  Protocol
FastEthernet0    unassigned     YES unset  down    down
FastEthernet1    unassigned     YES unset  down    down
FastEthernet2    unassigned     YES unset  down    down
FastEthernet3    unassigned     YES unset  down    down
FastEthernet4    192.168.1.120  YES DHCP   up      up
NVI0             10.10.10.1     YES unset  up      up
Vlan1            10.10.10.1     YES NVRAM  down    down
Vlan2            unassigned     YES NVRAM  down    down
HOME#
FastEthernet is connected to my internet connection.