Compass Server and Access Control
Hello,
I would like to know the following: is it possible to make an entry in the DB schema for the authentication for reading an article? E.g. I make an entry with number 1 for an article. Only users who have an entry in LDAP with number 1 can gain access to this article. I hope you know what I mean! :-)
I am using WL9.2 MP2. I am starting my servers in production mode. Below is the log configuration:
<log>
<file-name>logs/myservera_%yyyy%-%MM%-%dd%-%HH%-%mm%.log</file-name>
<rotation-type>bySize</rotation-type>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
<file-min-size>20</file-min-size>
<rotate-log-on-startup>true</rotate-log-on-startup>
<log-file-rotation-dir>/archive/myserver/</log-file-rotation-dir>
<log-file-severity>Debug</log-file-severity>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
</log>
My domain does not reside in the default BEA_HOME user_domain directory. I created it in /work/mydomain. I noticed that if I were to rotate it to any directory under /work, the rotation works. But if I rotate it out, in this case to the /archive directory, it does not work. I have checked the file permissions of the /archive directory; I could use my weblogic user to touch a file in the /archive directory.
Similar Messages
-
User management and Access Control in HCM Cloud
Hello,
Information is scarce about user management and access control in Oracle Cloud generally. Today, I have two questions:
- How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
The only information I got was that you can declare users manually or by bulk import through files. This is not really interesting, as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
- Once my users are created, how can I do web SSO from my internal security repositories to the HCM Cloud service?
I do not want to distribute a new set of logins / passwords to my users. Is it possible to do identity federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
Best regards,
OIDDAS has limited capability for access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine-grained access control / information hiding cannot be done.
At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet). -
Installing program on server and access it from mac workstation
Hi
How can I install a program on a Mac server and access that program from a Mac workstation?
On Windows Server you use the RemoteApp manager application to do this. Is there something similar on Mac?
Hi,
- This isn't exactly what you are asking for, but there is an app, /System/Library/CoreServices/Screen Sharing.app, on the Mac which is similar in operation to the Terminal Services Client but is based on VNC.
- Thus it will be a whole user's logon session which would run on the Mac server.
I haven't used Screen Sharing.app in a large-scale deployment of clients connecting to an OS X Server.
Hope this helps -
Inside Identity and Access Control products
Hello,
For the past few months I have been working on a blog which can help with understanding what is under the hood of identity and access control products. Please have a look at it and let me know how to improve the contents.
http://identitycontrol.blogspot.com
Latest Topics
1) Video of Federated Access Control
2) RSA Conference 2007 -
Inside identity and access control products : blog
Friends,
Visit my blog http://identitycontrol.blogspot.com to get the inside workings of identity and access control products. My efforts here are to explain the insides in simple language.
The latest topic I added is "SAML in action".
Please post your comments also so I can improve the contents.
Thanks
Thanks a lot idmguru!!
Your efforts are simply awesome..
-Yash Bansal -
Inside of idm and access control products
Hello Friends,
For the past few months I have been working on a blog where I shared my past experiences with IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with an experienced team of technocrats like you. Please have a look at this and let me know how I can improve it.
blog URL --> http://identitycontrol.blogspot.com/
Thanks
idmguru
Friends,
Visit my blog http://identitycontrol.blogspot.com to get the inside workings of identity and access control products. My efforts here are to explain the insides in simple language.
The latest topic I added is "SAML in action".
Please post your comments also so I can improve the contents.
Thanks -
War file and access control with WebLogic
I am trying to put some access control on different files in my war file, but just can't get it to work... It seems like all roles defined in weblogic.properties give the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
This is what my weblogic.properties file looks like:
weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
weblogic.password.koko=kokokoko
weblogic.password.arnebelinda=arne1234
weblogic.security.group.ppuseradmins=arnebelinda
and my weblogicURL.policy:
deny Principal weblogic.security.acl.GroupImpl "everyone" {
Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
};
and finally, my web.xml-file:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<url-pattern>index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ppuseradmins</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WebLogic Server</realm-name>
</login-config>
<security-role>
<role-name>ppuseradmins</role-name>
</security-role>
</web-app>
It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting the correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
Does anybody have a clue? I would really appreciate it!
I am using WebLogic 5.1 sp 9
Best regards,
PJ
In your policy file entry, you have specified "/admin/-".
However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin.
Could that be the problem? -
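The url-pattern point raised in the reply above, as an added example that is not part of the original thread: a small Python checker (my own code, not WebLogic's) that applies the Servlet-spec url-pattern matching rules (assumed here to be what the Servlet 2.2 DOCTYPE of the posted web.xml implies) to the posted <security-constraint>, and then to the same constraint widened to the policy file's /admin scope, reporting which request paths demand the ppuseradmins role.

```python
"""Report which request paths a web.xml <security-constraint> protects.

Servlet-spec url-pattern rules (Servlet 2.2 and later):
  * "/prefix/*"  path mapping: matches /prefix and everything below it
  * "*.ext"      extension mapping: matches any path ending in .ext
  * anything else is an exact string match; a pattern with no leading "/"
    can never equal a request path, because request paths start with "/"
"""
import xml.etree.ElementTree as ET

# Constructed copy of the web.xml from the post above (DOCTYPE dropped so the
# parser does not try to fetch the DTD); only the security part is needed.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>admin</web-resource-name>
   <url-pattern>index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>ppuseradmins</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

# Same constraint with the pattern widened to the policy file's /admin scope.
WIDENED_XML = WEB_XML.replace("<url-pattern>index.jsp</url-pattern>",
                              "<url-pattern>/admin/*</url-pattern>")


def pattern_matches(pattern: str, path: str) -> bool:
    """Apply the servlet url-pattern matching rules to one request path."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                  # "/admin/*" -> "/admin"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])      # "*.jsp" -> ".jsp"
    return path == pattern                     # exact match only


def load_constraints(web_xml: str):
    """Return [(name, [url-patterns], {role-names})] per security-constraint."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        name = wrc.findtext("web-resource-name", "")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        out.append((name, patterns, roles))
    return out


def required_roles(web_xml: str, path: str) -> set:
    """Roles a caller must hold to reach `path`; empty set means unprotected."""
    roles = set()
    for _name, patterns, constraint_roles in load_constraints(web_xml):
        if any(pattern_matches(p, path) for p in patterns):
            roles |= constraint_roles
    return roles


def coverage_report(web_xml: str, paths) -> dict:
    """Map each sample request path to the roles web.xml demands for it."""
    return {p: required_roles(web_xml, p) for p in paths}


if __name__ == "__main__":
    sample = ["/index.jsp", "/admin/index.jsp", "/admin/users.jsp", "/administrator"]
    for label, xml in (("as posted", WEB_XML), ("widened to /admin/*", WIDENED_XML)):
        print(f"--- constraint {label} ---")
        for path, roles in coverage_report(xml, sample).items():
            print(f"{path:20} -> {sorted(roles) if roles else 'open to everyone'}")
```

With the posted pattern no sample path requires any role at all, so the auth-constraint never applies; with /admin/* the admin paths require ppuseradmins while /index.jsp and the look-alike /administrator stay outside the constraint.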
Computer Lists and Access Control
Hi
I've got OS/X Server 10.4.6 setup to a be an OD master and have several linux boxes authenticating to it using kerberos.
Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
All users can still login to these 'access controlled' servers, in effect the list is ignored.
Has anyone got this working or can shed some light on what I'm doing wrong ?
Thanks,
Mac OS X (10.4.6)
Hi, Tropic
You must load the class into a jar file.
Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK.
Here is a sample script to do it.
javac SomeApplet.java
jar cvf SomeJarFile.jar SomeApplet.class
keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassword -storepass storePasswd
jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassword -verbose SomeJarFile.jar YourAlias
Regards, -
EJB and access control???
Hi all,
I have a question about access control via EJB,
For example, I have a client application, and on start I will prompt the user for a user name and password. Now what do I do with this information, how do I pass it to the EJB server? Or maybe some of you have a link to a tutorial as an answer? My EJB will access a database and I want to use the access control from the database.
Thank you in advance.
Hi Eshwa,
Thank you for your reply. I found a nice developer guide at the link that you gave me, but I still have a problem with understanding the practical way to pass user information from the client application to the EJB server. Maybe you can give me a piece of code or a small example, where it gets 2 Strings (user name and password) and sends them to the EJB server to be authenticated, and then has access to the resources that are accessible for this user (described in the deployment descriptor user - role).
Anyway, thank you again.
Best regards, Alexander Hincu. -
Nintex Workflow and Access Control
Hello, can anybody help with getting owner permissions on Nintex workflows in SharePoint 2010 with PowerShell?
I also want to ask your opinion about access control in SharePoint 2010. Should all access control, like AD, SharePoint, Titus, be in the hands of the administrator, or should some of it, like Titus, be in the hands of the developers?
Best regards, Olafur_s
Icelandic DBA admin
Hello Hemendra,
Thank you for your answer. I have developers that create sites and lists and they are all Site Collection admins. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they are running the system.
I am new to SharePoint as an admin but I have experience in other systems like AD, Exchange, SQL. The evolution of this SharePoint system here brought it to the point that the developers have too many admin rights and the system is not working well. I am trying to find the fine line between the administration part, my work, and the developers' part, without stepping on the developers' toes.
Best regards, Olafur_s
Icelandic DBA admin -
Qs About SQL Server and RoboSource Control
Hi. I have two questions:
(1) Will the SQL Server Compact edition work as the db used for RoboSource Control? I know that it has a limit of 4 GB.
(2) Do I have to install a copy of RoboHelp (and, thus, of the RoboSource Server Configuration Utility) onto the network server where my SQL database is located, or can I configure the SQL database remotely from one of the client machines?
Thanks!
Hi. Yes, you are correct that the "RSC Server" is really just a SQL db that you have modified using the RSC Database Configuration tool.
We are working on a client project from several locations--some people are at the client site sometimes, some people are at home sometimes, and some people are at our company site sometimes. The client software that we are documenting requires us to be connected to the client VPN if we are not at the client site. However, we would like to store the RH files on our company server, which can be VPN'd into from either our client site or from home.
Apparently the VPNs will pass the IP/HTTP protocols that SQL/RSC uses. What we'd have to do is log into the company VPN (if necessary) at the beginning of the day, use the "offline" feature of RSC to check out the documents, and then log off the company VPN and onto the client VPN to access the software we are documenting. Then reverse the process at the end of the day or whenever.
However, our company doesn't want to install SQL on our storage machine, which is just a file server. And we don't want to store it on the client site, either. (We're just documentation and training, after all, not real software developers.)
One alternative to using RSC is to use merged projects, since each tech writer will only be working on one section of the documentation at a time. However, I'm concerned about context sensitivity and merged projects. I found a good discussion where one of the Peters (the two gurus on here who are named Peter) gave an extensive description of how to do CS with merged projects. However, someone reported that they couldn't get it to work using RH7.
As a relatively novice (though technically inclined) user, I would like to avoid the issues with merged projects and CS. Therefore, I think what I'm going to do is store the RSC server on my local machine and check out the documents for tech writers myself, then check them back in when the writer is done.
I'm testing today and I will report back on my results.
Thanks for your responsiveness and let me know if you have any opinions on this!
HKB -
Getting error in starting identity server and access server in OAM
Hi all,
I am new to OAM. Now I am trying to do SSO for two different resources. I completed the installations, but now I get errors. While starting the identity server the error is "*oracle access manager identity server services on local computer started and then stopped .some services stop automatically if they have no work to do , for example, the performance logs and alters service*", and while starting the access server the error is "*could not start the oracle access manager access server service on local computer. error 1067: the process terminated unexpectedly*". Can anyone please give me a solution for this error?
Hi Pokuri,
Perhaps the Identity Server's oblog.log file has some helpful information in it. One possibility: is the LDAP server that the Identity Server uses up and running (and visible on the network)?
Regards,
Colin -
2-way SSL and access control using the client certificate
Hi,
I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
- The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
- The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
- Validate whether the client should be trusted (via the list in the trusted credentials)
- Check whether the resource should be granted based on the "username".
The on-line manual says
"If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
"The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
So the questions I have are:
- If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
- Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
- Without defining the security policy for the application, the debugging messages show that
getRoles(): input arguments: subject:0
Entitlement - <Role:Annonymous with expr:Grp(everyone)>
Any suggestions? Thanks.
Hi,
I am trying to use 2-way SSL using a web services client; here is my code:
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
// clientCredentialFile stores, in PEM format, the public key and all the CAs
// associated with it, followed by the private key, all concatenated
FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
// private key password
String pwd = "password";
adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
adapter.setVerbose(true);
adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
adapter.setStrictCheckingDefault(false);
factory.setDefaultAdapter(adapter);
factory.setUseDefaultAdapter(true);
boolean idAvailability = false;
UNSLocator locator = new UNSLocator();
URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
UNSPort unsprt = locator.getUNSPort(portAddress);
idAvailability = unsprt.isIDAvailable("Yulin125", "C");
System.out.println("Got from method :"+idAvailability);
After running this code I am getting the following exception:
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.net.SocketException: Software caused connection abort: socket write error
faultActor:
faultNode:
faultDetail:
I am using .pem files (clientsigned, clientinter, clientroot, root-key) for client authentication, and I am using server.jks as a keystore for my server authentication. Once I run this code, I am able to present the server certificate chain to the client, but I am not able to present the client certificate chain to the server.
I have been stuck with this for quite some time.
Some insight needed from the gurus -
SSL connection between Dist Auth UI Server and Access Manager
Hi,
I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now I want to configure it to talk with Access Manager on a secure port.
I have configured Access Manager (also deployed in Web Server 7) on a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
My question is: how must I configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents?
Regards,
There have been a few reports of the same behaviour from other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space, e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
<property name="encodeCookies" value="false"/>
<session-config>
<session-manager/>
</session-config>
<jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>
Regards,
Shane.