Configuration Audit across environments

Similar Messages

• Configure Audit Database in BOBJ LCM

  Hello,
  Can anyone please provide me steps to configure Audit Database in BOBJ LCM?
  When I goto SIA properties under configuration, I have configured Audit Database and i got message saying Audit Database completed. I have enabled AUDIT in Adaptive processing server too however when I goto properties of Audit Events I am getting message as "Auditing information is not being written to the auditing database. Please verify that the auditing data source is configured properly on the CMS".
  Please guide me in solving this issue...
  Thanks,
  Sravanthi

  Hello Stratos,
  Yes, this is different oracle instance. I am tried with sysdba and i still dont see Audit tables in database. I appreciate, if you have any hints on checking the Audit tables.
  How do I make sure Audit database has been created? and Could you please provide me the steps to configure Audit Database.
  Thanks,
  Sravanthi

• PI/XI System Configuration Audit

  Hi,
  I am looking for some good reference document or the majority of the settings we need to look on to do PI/XI System Configuration Audit by which we can re-check the system configuration at regular intervals.
  Thanks
  Sekhar.

  Hi,
  Refer the below links:
  General Configuration Steps
  http://help.sap.com/saphelp_nw04/helpdata/en/cf/230240d981e469e10000000a155106/content.htm
  SAP Exchange Infrastructure (XI) : Installation & CONFIGURATION GUIDE
  http://help.sap.com/saphelp_nw04/helpdata/en/d7/f01a403233dd5fe10000000a155106/frameset.htm
  Personal Settings
  http://help.sap.com/saphelp_erp2004/helpdata/en/e9/c4cc9b03a422428603643ad3e8a5aa/content.htm
  Roles and Tool Access : Administration, Technical Configuration,Design,Configuration,Monitoring
  http://help.sap.com/saphelp_nw04/helpdata/en/89/05793c05f0807be10000000a11405a/content.htm
  http://www.forumtopics.com/busobj/viewtopic.php?t=59586&start=15&postdays=0&postorder=asc
  Refer these post installation links
  http://help.sap.com/saphelp_nw70/helpdata/en/a0/40084136b5f423e10000000a155106/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/14/39084136b5f423e10000000a155106/frameset.htm
  2004s PI installation - help.sap.com:
  http://help.sap.com/saphelp_nw04s/helpdata/en/78/f59442062bcd6ae10000000a155106/frameset.htm
  Thnx
  Chirag

• Things captured in Configuration Audit

  Hi All,
  I know its a silly question. But want to know what actions will be captured in Configuration Audit for Hyperion 11.1.2.1.
  As per the update from security PDF:
  Shared Services allows the auditing of provisioning and lifecycle management activities to track
  changes to security objects and the artifacts that are exported or imported using Lifecycle
  Management functionality.
  Auditing can be configured at three levels: global, application group, and application.
  At the global level, you can audit security and artifacts handled by Shared Services. Application
  group-level and application-level auditing allows you to audit security activities related to an
  application group or application performed through Shared Services. Application group and
  application security activities that are performed outside Shared Services; for example, assigning
  calculation scripts in Essbase, cannot be audited.
  We have gobal application overwrite enable. And seen it have captured all the changes we did on Shared Services like Auditing enable, LCM ,external directory configuration.
  But want to know does it will track the new configurations like new essbase configuration. or any other activities.
  Thanks in advance.
  Sh!va

  Hi All,
  Please suggest for the same.

• How to enable ACS configuration audit

  Dear Expert,
  Im a newbie and ACS and i would like to know how to enable the "Configuration Audit" for someone login to my network devices using their ACS login and i can monitor what they did on it.
  Appreciate if you could give me a simple steps .. thank you
  ACS Version : 5.2.0.26
  regards

  This is a known defect.
  CSCtn25508    Administrative and Operational Audit logs becomes unable to be recorded.
  Symptom:
     Administrative and Operational Audit logs suddenly becomes unable to be recorded. 
     The log can be configured at  ACS5 GUI -> System Administration -> Configuration -> Log Configuration
     -> Logging Categories -> Global.
  Conditions:
    unknown.
  Workaround:
    none
  This defect has been addressed in ACS 5.2 patch 7 and above.
  Jatin Katyal
  - Do rate helpful posts -

• Porting modified components across environments

  I am using the HTML code generated for the parameter form
  of a standard report component in an HTML portlet on a page
  to call the standard report component. When porting from
  development to production will these customizations be
  a problem - do the component ID's of standard application
  components change when ported across environments? Is it
  better to write a custom dynamic page instead that would
  call the component?
  Thanks,
  Suzanne

  Hello Narayana,
  Can you please raise an SR and provide us the export of one operating system.
  Rgds,Ramesh

• Migrating Studio across environments

  EIS had/has the ability to export schemas and other EIS objects as XML files that can be used to migrate across environments.
  Studio has no such thing (or if it does, I can't see it).
  The docs do talk about migration, but that's from EIS to Studio. LCM, tantilizingly, shows Studio, but when I click on it I get a "User is not authorized for the action." My id has every Studio provisioning right there is.
  I can see a migration path, sort of, that entails moving an entire database schema/database (Oracle/SQL Server) from one environment to another, and then diving into the tables to change references to servers, rights, etc. I have not tried this because it reminds me of pre-11 Planning migrations and they hurt.
  Is the above approach documented anywhere?
  Is there a better way to migrate from development to production?
  If there is, wonderful. Following on that welcome news, is there a way to selectively migrate an object or series of objects?
  Regards,
  Cameron Lackpour

  Hello GlennS:
  CL, I hope you do not mind if I re-open this post ;)
  I have been working with Essbase Studio 11.1.2 and I have seen that models could be exported to xml. But now I am working with 11.1.1.3 and I do not know how to migrate between environments.
  I think I have two issues:
  1) Maybe 11.1.1.3 does not support this feature?. Migrating the entire database should be the solution?. Should I also migrate physical files?
  2) My database is in SQL Server 2005 and destination database is Oracle. Do you think I would be able to?
  Thank you for your help
  Regards
  Javier

• Migrating Custom Functions across environments

  Within our DEV environment (EPM 11.1.2.1 - Planning & Essbase) we have about 15 CDFs visible in EAS for an application.
  Of these 15 CDFs 1 has a class name of pwc_date and all the rest are com.hyperion.essbase.cdf.psb.HSPCDFUtils.
  I need to migrate these to UAT.
  How do I do this?
  For what it is worth in DEV - I can see pwc_date.class in D:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\java\udf but the others are still hidden to me!
  Thanks in advance for all assistance.
  Regards
  Paul

  The functions in com.hyperion.essbase.cdf.psb.HSPCDFUtils are part of planning and will have been installed by default, it is possible to deploy them from the planning application when refreshing "update custom-defined functions" - Creating and Refreshing Application Databases
  For the other CDF copy the jar or class file across environments, update udf.policy and register the functions.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Configuring multiple forms environments

  I originally posted this over in app server, but saw a similar post with a response suggesting that forms issues are best addressed over in this forum ... so here it is:
  9i AS Rel 2. We need to have two independent 'environments' running on one server. For example, a 'dev' environment (development set of forms) and a separate 'QA' environment (separate set of forms).
  We know how to handle this using 'named configurations' within the formsweb.cfg file, but in that case, both environments use the same, single oc4j server. We'd like to have one oc4j server for each forms set.
  We've also read how to setup more than one oc4j instance for load balancing, but they all point to the same set of forms. We need to somehow setup a separate oc4j for each set of forms.
  Why? Why not named configurations? We want to be able to stop/start (bounce) one environment without impacting another; we want to 'stop' one environment altogether without impacting others; we want to prevent one environment from going ballistic and impacting the others; etc. Ideally, we'd like to tie each forms environment to a separate ip address, or at least a different port number.
  Anyone know how to do this? !!
  Platform is windows 2000 server.

  Hello,
  Why don't you simply include your 2 forms in just one?
  I'm no smartform specialist but you should be able to simulate 2 documents with a single smartform.
  Rgds,
  Pierre

• Best way to migrate Applications across environments of different versions

  Hello Gurus,
  Source EPM Environment - EPM 11.1.1.3
  Target EPM Environment - EPM 11.1.2.2
  What is the best way to migrate applications for Planning , Essbase , HFM and also the related reports from 11.1.1.3 to 11.1.2.2 .
  Any help will be highly appreciated..
  Thanks
  HyperEPM.

  I tried with upgrading the application and it was done pretty smoothly as compared to the LCM import export method.
  Now what would be the feasible way to move all the applications when following is the scenario and we need a minimum downtime.
  1. Move from EPM 11.1.1.3 to EPM 11.1.2.2
  2. DB used to configure EPM 11.1.2.2 should be fresh and not the existing one.
  3. We want to move all the applications across to EPM 11.1.2.2 on the freshly configured EPM 11.1.2.2.
  4. Move all the applications intact across the version.
  Thanks
  HyperEPM

• Adapter configurations in clustered environments

  Could you please let me know if any additional configurations/changes in the WSDL files are required for the Oracle adapters in a clustered environment.
  The Apps adapters , AQ adapters and the DB adapters in our processes have stopped working after being migrated to a clustered environments.
  Any inputs on the same would be greatly appreciated.
  Thanks a lot in advance!

  DB Inbound WSDL generated for single node cannot be used in clusters. At least for DB adapter released with OSB 10.3.1 Maintenance Pack1, we have to create separate inbound wsdl in jdev if they are supposed to be deployed to cluster. These is no way we can modify the Inbound WSDL generated for Single node to work in cluster.
  For a cluster inbound these steps are required
    1. Distributed Polling – When generating the WSDL in JDeveloper, set the Distributed Polling option when creating the DB adapter WSDL in JDeveloper. This option is required in an Oracle Service Bus cluster.  
  2. UseDirectlySQL – When generating the WSDL in JDeveloper, if you are using Distributed Polling  
  3. <toplink:lock-mode>lock</toplink:lock-mode> on toplink file
  Outbound WSDL should work with out any issues in cluster.
  Are you using adapters bundled with OSB?
  Cheers
  Manoj

• Configuring auditing with Oracle database

  we created auditing tables in Oracle and enabled auditing. According to our naming stardarts it gave names to the tables as follow: schema owner.table name (like BOE.AUDIT_EVENT). When we check in CMC it sais that auditing datasource is not configured correctly. Do we need to make any changes the way database tables are named? What other possiblle reasons could cause bad connection between database and BO (we verified in other tools that user account we are using in setting up connection can read auditing tables)?
  Thanks
  Vita

  Are you sure you used an oracle account with sufficient rights on the database level?
  Do you connect via "Oracle Names Service" or TNSNAMES entries?
  Since the database tables seem to be created properly(?), I guess there must be another problem., You could enable tracing at the oracle client level (see SQLNET.ORA entries) and maybe find something there.
  You can also enable tracing at the BO server levels, by starting up the BO servers in trace mode and look at the log files...
  hth,
  Walter

• Configuring Kerberos across 2 domains?

  Hi
  I am trying to set up a 3rd party application to use Single Sign On using Kerberos authentication across two Domains and am having troubles. DOMAIN1.COM is a W2K domain and DOMAIN2 is a Citrix farm. My application is a Solaris (5.9) hosted Java app (1.4.2_08) running under a Weblogic 8.1.
  I've generated the keytab files etc and can successfully authenticate using kinit. I can successfully sign in from my desktop when I configure my environment to use only just domain, either DOMAIN1.COM or DOMAIN2, but I am hitting this error when trying to authenticate with a user accouint on DOMAIN2 (it works fine for a user account on DOMAIN1):
  <000000> <Found Negotiate with SPNEGO token>
  *<000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))*
  The application uses the JAAS login framework to perform the authentication. The steps I have followed are:
  1. We have generated the keytab file for both domains and have tested that we can generate tickets using kinit command
  2. When I start my WL server I am using the DOMAIN1.COM domain credentials i.e.
  JAVA_OPTIONS="-ms1024m ...etc... -Djava.security.auth.login.config=krb5Login.conf -Djava.security.krb5.realm=DOMAIN1.COM -Djava.security.krb5.kdc=ldap-domain1.com -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
  3. I've configured my krb5Login.conf to use DOMIAN1.COM e.g.
  com.sun.security.jgss.initiate
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]" useKeyTab=true
  keyTab=krb5.keytab storeKey=true debug=true;
  com.sun.security.jgss.accept
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]" useKeyTab=true
  keyTab=krb5.keytab storeKey=true debug=true;
  4. I've configured my /etc/krb5/krb5.conf to use DOMAIN2 as default.
  [libdefaults]
  default_realm=DOMAIN2
  default_tkt_enctypes = des-cbc-md5
  default_tgs_enctypes = des-cbc-md5
  [realms]
  DOMAIN1.COM = {
  kdc=ldap-domain1.com:88
  admin_server=ldap-domain1.com
  DOMAIN2 = {
  kdc=kdc1.domain2:88
  kdc=kdc2.domain2:88
  admin_server=ADMINSERVER2
  [domain_realm]
  mydomain.com=DOMAIN2
  [appdefaults]
  kinit = {
  renewable = true
  forwardable= true
  autologin = true
  forward = true
  encrypt = true
  I am not a Java developer so this is all new to me so hopefully someone can give me some guidance. I've been told the reason I can't authenticate is because I don't have a trust relationship set up between the two domains. But our Active Directory team have stated that setting up a trust relationship is not an option.
  The software supplier has said that the application should work across both domains without the trust relationship but they are unwilling to assist (as they have been paid already!). The way I have been led to understand it is that when we try and access the app over the DOMAIN2 the app should default to the default domain set in the /etc/krb5/krb5.conf file. Am I misguided? I don't understand how the JAAS login framework works with Kerberos and I would greatly appreciate some guidance on a possible config or code change I can make to resolve this issue?
  Thanks

  Hi
  Thanks for the reply. I couldn't see krb5.conf in the logs so I added it to the JAVA_OPTIONS and re-ran a test but it failed with the same error. Here some output from my logs:
  ####<Nov 4, 2009 5:38:07 PM GMT> <Info> <Management> <aukobpcs> <aukobpcs_dd1> <main> <<WLS Kernel>> <> <BEA-141187> <Java system properties are defined as follows:
  java.security.auth.login.config = /opt/bea/user_projects/domains/onebill_online/krb5Login.conf
  java.security.krb5.conf = /etc/krb5/krb5.conf
  java.security.policy = /opt/bea/weblogic81/server/lib/weblogic.policy
  java.specification.name = Java Platform API Specification
  java.specification.vendor = Sun Microsystems Inc.
  java.specification.version = 1.4
  java.util.prefs.PreferencesFactory = java.util.prefs.FileSystemPreferencesFactory
  java.vendor = Sun Microsystems Inc.
  java.vendor.url = http://java.sun.com/
  java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi
  java.version = 1.4.2_11
  vde.home = ./aukobpcs_dd1/ldap
  weblogic.Name = aukobpcs_dd1
  weblogic.StdoutDebugEnabled = true
  weblogic.StdoutSeverityLevel = 64
  weblogic.management.server = http://aukobpcs.dc-dublin.de:7001
  weblogic.security.enableNegotiate = true
  ####<Nov 4, 2009 5:40:22 PM GMT> <Info> <HTTP> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=19509258,name=bpa,context-path=/bpa)] *.jsp: initialization complete>
  ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
  ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
  ####<Nov 4, 2009 5:40:23 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
  GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:277)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
       at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
       at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
       at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)
       at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:672)
       at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:617)
       at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
       at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)
       at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
       at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
       at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3823)
       at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
  Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm DOMAIN1.COM
       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
       at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
       ... 21 more
  Caused by: KrbException: Cannot get kdc for realm DOMAIN1.COM
       at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
       at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
       at sun.security.krb5.KrbAsReq.send(DashoA12275:300)
       at sun.security.krb5.Credentials.acquireTGT(DashoA12275:360)
       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
       ... 35 more
  If you have any other suggestions I could try that will be great, otherwise we'll look at implementing workaround to this issue (probably having a separate WL server for each domain)
  Thanks

• NCM - Configuration Audit - Device Types

  Hi All
  We are using NCM to audit configurations of various cisco devices on the network... We have basic config templates built, which would be compared to provide exceptions. Now, we know, each device has its own limitation , based on the device model/IOS etc.. With a base configuration, NCM throws large number of non-compliance reports for commands compared against..
  my question is - isnt NCM intelligent enough to compare the configurations based on the hardware, ios etc by itself ? Are there any patches/modules etc available for us to upload to NCM, to do this funcationality automatically ? Issue is we have thousands of devices and we are creating thousands of exceptions each day to get the non-compliance solved !
  eg - snmp-server enable trap ospf command is not available on some devices like 3550 (with IOS less than 12.2(25) SE). Now, we manually create a ruleset to exempt this from audit, but there are many rules like this which has to be checked against.
  As far as I know, its not possible, but just thought of giving a shout out !

  If I understand your example, you are trying to have the policy compliance skip over certain devices if they aren't at a certain IOS level. Is that correct? If so, the only way to accomplish this that I have ever seen is to create some dynamic groups and then apply your policies appropriately.
  For example, if you create a dynamic group that contains all Catalyst switches with 12.2(25) or higher and then tell your policy only to apply to that group that may work for you.
  At least, that's how I am doing that in the NCM deployment for the company I work for.
  Hope this helps and good luck!

• Help configuring Audition with Virtual  Audio Cable and Skype

  I'm using the latest version of Audition, along with Virtual Audio Cable and Skype for my PC (Windows 7).  While I'm able to properly configure my own microphone (Edirol UA-25), to be captured by Audition on track 1, I can't seem to get track 2 configured properly to capture and record.
  I seem to be missing a step.
  Is there anyone that can help me properly configure or offer an alternative that will allow me to record my microphone and the Skype call on two separate tracks?
  Thanks in advance for your expertise!

  Others may have made it work but I've never persuaded Audition to record a mic in one channel and line out (Skype) in the other.  Since Audition it designed to work with a single ASIO audio interface, this makes sense.
  My solution is to use a little utility called the iFree Skype recorder:  Record Skype Calls with iFree Skype Recorder - Your FREE Skype call recorder software
  It works well for me, keeping the outgoing part of the call and the incoming separate for easy editing later.  It works fine with an external audio interface and good mic as long as Skype is set up to work that way.
  The only drawback is that it records in MP3 not wave but, given the quality of most Skype calls, this isn't really a deal breaker.