Configuration of Public Key Authentication Policy for SFTP on OAG 11.1.2.2

Similar Messages

• Solaris 9 LDAP client sun_ssh public key authentication

  I have directory server 6.0 up on solaris 9 system and I have a couple of solaris 9 system migrated to LDAP client. I need to configure ssh public key authentication on two Solaris 9 LDAP clients. However, I seem can't make it working. I have done 1) generate rsa public/private key pairs on one host 2) cat public key to the authorized_keys file on another host. I checked the permission on $HOME and $HOME/.ssh, they both set to 700. The file permission are also correct. But I still get prompt when ssh from one LDAP client to another. If I add my password/shadow entry back to local files, then public key authentication works. My /etc/pam.conf is set up according to the Sun documentation for LDAP client. In /etc/nsswitch.conf
  passwd: compat
  passwd_compat: ldap
  shadow: files ldap
  group: files ldap
  netgroup: ldap
  loginShell does exist for the user.and LDAP entry has objectClasses 'posixAccount' and 'shadowAccount'
  I have latest patch 112960 installed on all of LDAP clients.
  What am I missing here?
  Thanks,
  --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  One more thing - I have latest patch 112960 installed on all of LDAP clients.
  --xinhuan                                                                                                                                                                               

• Renewing public key certificate used for Seeburger AS2

  My general question is when a public key certificate, used for Seeburger AS2 payload decryption and digital signatures, needs to be renewed, how carefully do the certificate renewal steps need to be coordinated for a seamless transition?  More specifically...
  1. Once we import the CSR response from the CA, will the public key currently used by our partner become invalid, or will it continue to work until its expiration date? 
  2. Will our partner be able to validate our signature after the new CSR has been imported, but prior to them applying the new public key certificate in their system? 
  3. Or can we renew the certificate, import the CSR request, provide our partner with the renewed certificate, and let them apply the certificate at their own volition, provided they do it prior to the original certificate expiration?

  Hi Kurt
  In my experience, the renewal/replacement of AS2 certificates for encryption/decryption & signing/authentication requires coordinated effort on both sides.
  This is because AS2 uses asymmetrical encryption, so both parties need to use the same pair of certificates at the same time, i.e. you encrypt on your private key, and partner decrypt on the public key matching your private key. If the keys used do not belong to the same pair, then decryption will not work.
  I'm not sure what AS2 software your partner uses and if it has the feature of automatic rollover of certificate, but PI/Seeburger does not. The approach in PI/Seeburger can either be one of the following:-
  i) import new cert replacing original cert of the same name
  ii) import new cert into new name, manually update sender/receiver agreements
  Due to the manual nature of the tasks, normally it requires coordinated effort during a cutover window.
  Rgds
  Eng Swee

• Public key encryption algorithm for files

  Is there a public key algorithm
  good for encrypting files (large ones)
  or should I stick to secret
  keys for that?
  Thanks.

  There is no good way to encrypt larga data amounts using public key.
  The way to do this is to generate a random key for a symetric algorithm (like DES), encrypt the file with tis file, cipher the symetric key with the asymetric key and append the result to the ciphered file.
  Good luck

• No Authentication Policy for ABCS composites

  Hi All,
  Whenever I am invoking WSDL of ABCS Impl from other SOA composites, it checks for No Authentication Policy. Everytime I do some changes and redeploy in ABCS composites in Enterprise Manager, I need to attach "No Authentication Policy" for all the end points of it.
  As I do not want these WS policy, kindly guide me how to get rid of this issue. I will appreciate a quick response on this.
  Thanks,
  Dhiraj Mishra

  Hi Dhiraj,
  We also faced this issue with AIA flows in 11.1.1.4. Below is how we disabled policies
  1. Login to em console
  2. WebLogic Domain --> right click on xyz_domain --> Web Services --> Policies
  3. Select “All” in Applies To and type Name as “oracle/aia_wss10_saml_token_client_policy_OPT_ON”
  4.     Select “oracle/aia_wss10_saml_token_client_policy_OPT_ON” and click Edit
  5.     Uncheck “Enabled”
  6.     Applies To “All”
  7.     WSSecurity SAML Token --> Uncheck Advertised and Enforced
  8.     Click Save
  9. Similarly we disabled below policy : oracle/aia_wss_saml_or_username_or_http_token_service_policy_OPT_ON
  10. Restart managed server(mandatory)
  Hope this helps
  Thanks,
  Hema

• ISE Authentication Policy for RSA Securid and LDAP for VPN

  We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
  Here is my question:
  Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
  Thanks,
  Joe

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ASA 8.4+ RSA Public Key for SSH user authentication

    I have seen in the configuration guide and a separate post in the support community that RSA Public Key authentication is support for SSH sessions in 8.4 and after.  I have tried implementing this on both an 8.4 ASA and a 9.1 ASA and I get the same error on both.  I have tried specifying SSH version 2 to see if that is the issue but I still get the error.  Is there a step I am missing?
  Here is the output of the configuration commands:
  ciscoasa(config)#username test nopassword privilege 15
  ciscoasa(config)#username test attributes
  ciscoasa(config-username)# ssh authentication publickey
                               ^
  ERROR: % Invalid Hostname
  The links referenced above:
  https://supportforums.cisco.com/thread/2150480
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1053558
  http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_servers.html#wp1176050
  Thanks!

  That would be great if the resolution was that simple.  I am using a public key I generated using the putty key generator.  Below is the key I would use if I got that far.  However I get an error on the "ssh authentication publickey" attribute so I never get the chance to enter a public key.  What code version and hardware version are you running that this worked on?
  AAAAB3NzaC1yc2EAAAABJQAAAIEA2h00RCKBbpbrTWSe/3TYAvRpkJz7tLwQDCf9
  4fDJUWUGrmxXHeomuBhNGZh7tyfFjRL2CKY6nWmFyKN/eDm0PF4IWhhCArzOPVDu
  q7Nu2y/pD8wWH8dH4a3zRpkLSekNJtH6lzuqmY0zqz9TnZlpS6g4LI1a+lOGSmhU
  /HySw9s=
  ciscoasa(config)#username test nopassword privilege 15
  ciscoasa(config)#username test attributes
  ciscoasa(config-username)#ssh ?
  configure mode commands/options:
    Hostname or A.B.C.D  The IP address of the host and/or network authorized to
                         login to the system
    X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system
    scopy                Secure Copy mode
    timeout              Configure ssh idle timeout
    version              Specify protocol version to be supported
  exec mode commands/options:
    disconnect  Specify SSH session id to be disconnected after this keyword
  ciscoasa(config-username)# ssh
  ciscoasa(config-username)# sh ver | in Ver
  Cisco Adaptive Security Appliance Software Version 9.1(1)
  Device Manager Version 7.1(1)52
  ciscoasa(config-username)#

• Create User for Target (Terminal Adapter) with private key authentication through web service

  Hi
  I have a question about Terminal adapter.
  My current aim is to create process "Execute script through ssh on remote Linux system" with  input parameters ( login, path to private key, path to script)
  It was very helpful to find this discussion https://supportforums.cisco.com/message/3543289#3543289 .
  Is  there a way to create  Public-key Authenticated Admin Runtime User with private key for authentication by using NB webservice ?

  I will second Shaun's comment...
  Unfortunately, it looks like this is not possible in 2.3.X. (That is you can create the user but the fields you need to use to configure that user properly do not appear to be exposed to the Northbound Web Service).
  It looks like something that will be fixed in a future release of Process Orchestrator.
  Svetlana

• SSH public key issue?

  Hi all,
  I've been trying to set up public key authentication for SSH recently, and have come across a problem which has left me stumped. I want to be able to SSH into computer A (iBook G4, 10.5.1) from computer B (iMac G4, 10.5.0), and vice versa. At the moment, both these machines are on the same LAN, and SSH-ing to their respective local addresses works fine - A can connect to B, and B can connect to A (e.g. ssh -l username computerA.local). So far so good.
  The end goal is to allow SSH access between my two machines over the web, using No-ip.com's dynamic DNS app. Both machines have this daemon installed and running. When SSh-ing to the machines using their no-ip DNS names (e.g. ssh -l username computerA.no-ip.org) for some reason connecting from B to A works fine, but from A to B throws up a "Permission denied (publickey)" error.
  As far as I'm aware, I've set up all the ssh_config and sshd_config files on both machines correctly, specifying the correct protocols and key files, and neither machine is firewalled. Both are running OpenSSH 4.5p1.
  Can anyone think of a reason why this is happening?
  Thanks in advance,
  Pete

  Are both A and B behind the same home router? If so, it is likely that both the computerA.no-ip.org IP address is the same as the computerB.no-ip.org IP address, and you have only configured your home router to forward ssh connections to computerA.no-ip.org.
  You home router would typically only have 1 internet WAN IP address. The no-ip client is going to figure out the router's WAN IP address and give that address to computerA.no-ip.org and computerB.no-ip.org DNS names.
  If my guess is correct, then when telling A to connect to B, the name lookup for B gives an IP address which is your router, and your router then forwards port 22 traffic to back to A, and since you most likely have not put A's ssh .pub key into A's .ssh/authorized_key2 file, it fails to connect.
  One way to verify my guess is to ask http://whatismyip.com from both A and B. If you get the same IP address, then computerA.no-ip.org and computerB.no-ip.org DNS names will have the same IP address and thus from the DNS name level there is no way to tell the difference between computerA.no-ip.org and computerB.no-ip.org.
  Again, if I am correct, then what you want to do is configure your router to
  forward port 22100 to A port 22
  forward port 22101 to B port 22
  Then when you want to make an ssh connection use
  ssh -p 22100 [email protected]
  ssh -p 22101 [email protected]

• Remote login via ssh and public keys

  I'm not exactly a UNIX expert, but I need to be able to remote login to my PowerBook. The problem with enabling ssh is that as soon as I'm on campus, all kinds of nefarious hosts try brute force attempts to crack my password. I've heard that public/private key logins are the answer, and I've managed to get the public key in the right place on my PowerBook (the private key resides on my iPhone, from which I'll be logging in). But I have two questions:
  1) How do I disable logins via user/password?
  2) When I use my private key, I'm asked to enter the password for the key -- ssh isn't properly storing that password. I've checked permissions, but how can I get ssh to store that password, as it should?

  1) In Sharing > Remote Login, do I still need an account listed to be able to use ssh logins with a public key? I ask because currently (i.e. password authentication enabled), when no accounts are listed, login via public key doesn't work. In other words, an account has to be listed for public key logins to work.
  Yes you still need an account name to login to that computer. However you don't need to specify an account in the sharing preferences. You can lock down the security further by limiting which user accounts can login via ssh.
  by default if you don't specify a username when you login it will use the username of the device your logging in from. So to use an alternative login name you would use
  ssh [email protected]
  whereas john can be anyname or your choosing.
  Put another way: if turn off password authentication for ssh in sshd_config, how should Sharing > Remote Login be configured?
  If you turn off password authentication you still need to allow your user account to login via ssh in the sharing preferences or you can allow all.
  2) According to that MacOS X Hints article:
  "Leopard has now a built-in support for SSH authentication with public keys.
  OSX has been able to use ssh public key authentication since day 1 of the beta release of osx. It is not new to leopared it has been around for years.
  Just open Terminal and ssh to your public-key-enabled server. A Keychain window appears, proposing you to enter the pass phrase, and then remembering it in your keychain. "
  I have not used this functionality as I don't use any passwords for ssh logins.
  They're talking about the password associated with the key. But on second thought, that password is being saved on the client, not the server, right?
  I am sure this is the case.

• Allow privilleged users to enter into EXEC mode on login not working with public keys

  Hi,
  I have recently updated one of my Cisco ASA to v9.2(1) and noticed a function to get the perform authorization for exec shell access can do a auto-enable when logging in from ssh.
  The problem is that if I use a private/public key authentication with a user it won't do the auto-enable feature. If I login without keys and using my password, it jumps into privilleged exec mode as it should.
  Anyone else had this issue?
  Config:
  aaa authentication ssh console LOCAL
  aaa authorization exec LOCAL auto-enable
  username user password xxxxxx encrypted privilege 15
  username user attributes
   ssh authentication publickey 22:af:xxxxxx hashed
  Any answer will be highly appreciated. 
  P.S I'm totally new in this forum.

  Would you be able to open a TAC SR and once you do , Email me the SR no and i will look into this issue.
  [email protected]
  Thanks and Regards,
  Vibhor Amrodia

• Ssh public keys in LDAP

  Perhaps my question is answered elsewhere in these forums, but I have not been able to find it.
  My question is... Is it possible for LDAP accounts to login to a solaris 10 box using public key authentication with the sun native ssh server/client when the ssh keys are also in LDAP? I am currently using the following software...
  Sun Directory server 6.3.1
  Sun_SSH_1.1
  Solaris 10
  I have read on a possible openssh solution with openldap but to convert to an open solution is not a possibility.
  I am not looking to implement kerberos either.
  Thank you for any response.
  Joe

  SSH keys are driving me a little crazy too. I would agree that it would be quite nice to get some type of central repository for them. Unfortunately I have nothing to offer in this regard...

• How to get Public Key Remainder?

  Hi Friends..
  Sorry, i have a little doubt regarding the Public Key Remainder..
  What is Public Key Remainder used for?.. is it a part of Public Key?.. How to get it from Public Key, especially in Java?
  As far as i know that the Public Key is constructed with Modulus and Exponent, and with this we can Encrypt and Verify data was signed by Private Key..
  In Java, we can expose Public Key's modulus and public exponent using RSAPublicKey, there's no method to expose Public Key's Remainder..
  Please help me regarding this..
  Thanks

  Leonardo Carreira wrote:
  Hi Shane,
  Thanks for your reply.. :)
  safarmer wrote:
  In that case the exponent and remainder are you public key (exponent and modulus) and the certificate is defined in the definitions section of Book 3. It is a secure way of verifying the public key and it's owner through a trusted certification authority.
  EMV Book 3 tends to use Remainder and Modulus interchangeably.You mean, the Issuer (in this case one of E,M, and V) should provide 2 certificates for 1 card?..
  This is implemented on SDA or DDA?..
  Sorry, i'm still have no idea..
  The Remainder and Modulus should be used interchangeably?..
  How the Host and Card can decides in each transaction whether it will use Remainder or Modulus?..I mean that the terminology is used interchangeably. They refer to the same thing as far as the actual key is concerned.
  Cheers,
  Shane

• How to retrieve the Authentication Policy Responses?

  In my OAM server(OAM 11.1.1.5), I configured a Response in authentication policy to retrieve the user information after user signed in, the response item named "UserID", value is "$user.userid", type is "Cookie".
  My question is:
  If I use the WebGate , I will got the response items after user signed in. But I need to develop an Access Gate use the ASDK to replace the WebGate, I don't know how to retrieve the Response items by the ASDK.
  Below is the access log captured by Fiddler, "http://auth.mydomain.com/login.aspx" is my customized login page.
  -----------------------------Web Gate 10g (IIS)----------------------------
  GET http://alan-hu.mydomain.com/oamtest/index.aspx HTTP/1.1
  Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Referer: http://auth.mydomain.com/login.aspx?authn_try_count=0&request_id=6476845472436935518&OAM_REQ=VERSION_4%7EFC5cvGlDZbKLQVbcnbvJSmtBw163LKRGyryAQ8b3CvEpVzVXpqqVE3Nbdcf3K7J957wIyP1d%252bEHNaC92smcnXnYxZr7xSfW8eNMU9NlFRnCUoNBTNXR6jZr8Ug8zqnSau5U%252bEnlInxHudS%252bTzD%252bUy5E9qUfX6lySlHfesJbBBH2yubEJ%252fJVrjbetqv5L295D1mhF%252f7VKyTED%252fAOv2LaVjT7Mi9PGkKDwGkZy9Th5vKVCvT58V%252fEYEgWqawE2LUv%252fb9nh7mdP5gRGBcoDpIeqXWo1F9G767%252feG9vPxM7jZRlGWcMKuYQYSn1oTg%252fL1KBE0KW2EJPvOiBpsplU7e0BvbqWgoSR8ctora%252fj2DHbHZh7m2k1GulUeBRiF3MKbY8XulBEtOYIuc02qVNhlQg2XAHOOk%252bqQ1Z6oua3DWH0aru6jnlFNpsTx6Rk2Q4WHAhXqKPzTwjtVHLgs%252b7Fb32D2Ncz%252fQqx%252b%252bfRtK9yS4YSNcoA3AmF15HoHgFd0lXQzUuQzxsDiho5S6GRc5QY2UvTz%252fsoC0Osismkd%252bUx0yZtxeFJrqA1%252f%252b9eeN%252fEFLMes2%252bxn7jxDP9ahl%252bDKaF9GdypVNZAKSdxSdUKcVCWHneHRRRtqdW8jcUEcTzohuCdCOvEgETz%252fksM7nsFHq01GHakc8174sXvcEE1l1jvsPy8f1CBf75DtguanLVIfenmUEp7kcRhe1vIgiBxmNefuhMKhLV%252fW%252fveJgnuMtWZ%252bgc2Yr%252bYFL5Qe9yz3Zz0Zn2d4PAzZWiS9teBrLqzAk6dU5dM9JTGdthstrhwjovP96J252mAGrRjo%252fFWTByyfrXYoQzETxV8QCDl8kDWaCsZl6V3Ahm94gDcTQrW8MYK8PJDlkUlnVtRtaDevrv4%252fQY%252bFvo78W1iKYM9v9O%252fu0EgPqyOJBg%252fYsBC5fI4VV7OvLZ1YoPb2v6IsepN9avD8nTB6B%252f5ZW0z1IxocptShWgjb5fMrDclA%252fEqgShz0QXzkoOa80cqLu%252bNEG7aUHQQXhZEG42zCN0NaJZbENpksK5ZyKo8U92KdjdSgHeUsFbWA0jZ%252b5nIIYHtesLFwoRZw%252f%252bbceyXAG8%252b6LMjJWYsRpl8bKKJejnOIvzM1dlY7PQ%252bf8eCtGxPkCaCa%252bkuJUkhHcK%252bsS5T2JMyocrBj0hIZsBXiWIrtmGr5h%252bbQIT8TdTfVCmUiv3zBRgDSvQqpJ3hAFc0NIk6zJS%252bPxSquhuYIH15G7zeN%252faW3sRecDpH8%252bFqa7HsT7xDukI2c6Ro3x7Bvp5MBEBSITibP41PJo7f5kPP6wFIk3rMpsC9r7zsSU0pzN3RvWn5M5gNyQ4EZVuwYMFCfgIAjRKRcNUWHebwSMxsOhwrsYESNfA9rFYxtOapzvIcx63B%252baR%252bsQXHI%252fQ4eoP2VBkkCOktummpQ41bDC6elI5LhFrAlSwCT5qv4ytCSBRan6OfMZ%252bLSA5J%252fkFtTvx2aNbV&locale=en_US
  Accept-Language: en-US
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Cookie: ObSSOCookie=NQqPNA%2BvLoyIujMLO%2F3VWalLMpFbnK6IW4uvEl1piC8hoQVQw%2FqGbDdkVg%2BDDcx1O7YeJhFVYinyJtKF8vI3VTQ%2BL3StaWFRZFLl7KqHnQEqdNVgkn4FCfx49t2KzXNQ%2FxLBkF0olHoNU1P01VTMOdQsq4hzdc6C0B7X6PM9hoaVGWvVmsbUKr5BmqWBG0aHbT1HXgNKlVsDimyz2Q9iy%2Briiu8%2B7x190rm8PTm3uXqEUqs4zuvOSdjZGs77uUFzeYnEzQb6T9gcZqyUvo8OtXqnmrUtPwdva8UrV9GlUkymsWDDtNk3iIqapLxQL1oXHO0iH2KXzXfUAcnQca%2BfNw%3D%3D
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
  Pragma: no-cache
  Host: alan-hu.mydomain.com
  HTTP/1.1 200 OK
  Cache-Control: no-cache,private
  Pragma: no-cache
  Content-Length: 649
  Content-Type: text/html; charset=utf-8
  Set-Cookie: UserID=TEST; path=/
  Server: Microsoft-IIS/7.5
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Thu, 05 Jul 2012 08:14:13 GMT
  -----------------------------My Access Gate (IIS)----------------------------
  GET http://alan-hu.mydomain.com/oamtest/index.aspx HTTP/1.1
  Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Referer: http://auth.mydomain.com/login.aspx?authn_try_count=0&request_id=-8854367975480028914&OAM_REQ=VERSION_4%7EslyJg6j%252fLhjd%252b%252b%252fAFDpFiRr4cPvaT3dU90HILcJWiqxptP4dV%252fNkm4eAzVOznnJmtFh8SNMg4G5K2IuCABhCNxJuFau4XUgfRJtQl03anU6YgU1U%252fc3nRevxNFTZ8bIGALMXNiGbtnNO7c9WRUy%252bekw7T5YidA2qr103PNQD0g36jKosUb2aT2kOYJ0HoZizyW%252bCeI2ARhjuqB4Kc0Kfv%252fHuZCCwcUychXY5cGDlcD2UVl9YRwEGBdcYnweNbps18LqmQNm0%252fJYh2XwW80hNKqRBQBGPUCrYP8A0XIF2%252bUFvViDfqcuK05n0vv5NErxih%252bgtZKRObD6pHsnLOd2a19jUU%252fsFaFYQ0n5UdTN0JSx8yFtvEjdwXKya2PGqKqHa2JzEXhLBXTP5eC4EavAwAMbVRVtNTle%252fU29tDOuUtb1NLTBsqI63ipchzUvouQ6QREcybIXErAMX06X9gpwEtMBXYCppIiV%252b67XpETVzcmMuOl%252bSj9Aha6AKy3yPYlEOTA0o5HqOMe2NTu2sSvJxUJJW0ZYXvqkprkWsaw5SBACH473KY7WS0kqUIiV7UoN60cRdT9I3fAdyuLzWDS7dhGKKTstmpTxClQQNlw7XcDfdczqJJBRSwbZQyomnSPRcO%252f%252f5EY56wSXMJLv5WDkfb3RC4Va5rzXeQn1McihExvrymn6ztZ2A6zZso%252b0jDObEa%252bWioCBinvdK%252bF85qk8ai%252bLal30b27oNzFHKc1AELQ7eP%252bkoyXDYQpVeHfX9ujHGAcEdN4FTGyxBoIohbQb%252fEvl3uEga%252fsufBa%252fVcFVM8WTI59kUSOCKankogv9ABry7CxYByZURjjloQp1CZif%252fuN1ddg5yGMuqmvY7OFz8BIT8mm%252b0klysXJbcneztKbVm2njffvj29gardyyFZ1%252fXDPqMJM1OKVcughERRZW%252fHbBFZ5h%252fupGqhgXaNXZGoeg%252bm8iaAXqrxRIg7NHmK7VnEtIV2qo4iDYWl%252fmf09eJJHMrhhQNRLjV5drgiIwGuPZWVC4irUhXBOPixks8StHx0c0TV%252boIRPxiyupLJKzdlE0SBjplC1%252ffMjiVgQGqZ2zena7601QT89vmuU%252bkO1NoAnN8iwZNF1dT45RDbfg8TLcK1C0CGb29eN7dbwBtbgnAAOXX8F421RTSv9W6UAn%252bttP%252fr2teYO8eXOwFkGMrGkdxdt%252b7%252fj9oH1nJ92Mviv5fiuxhnx9ukvyjQdkdGl0gnGVehnDIQODIXEG0EmEo9%252fJtQkNjgwLlKvTK5bcqIg0Kez27GqEKYhNc4XRsuYsfPQ2byH%252bnnsSDz%252bOLo43ub8vZ7XNWjMtQrNUpfbOwmw5jhfPsU9E2xgYTHGvDdbKBrLXgxQrO%252fSflCzRPhpc5gE9zOOFkCskHxy%252b%252bI8zyJFT7lEaIhz6WgXa5nk3An%252b9yukw2YkoFe1WB%252bfZsgdr%252fq%252b%252blUqjfUf1G5lHDUjODh0qh&locale=en_US
  Accept-Language: en-US
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Cookie: ObSSOCookie=fhyRb/mqqsz1Tk7Ma3aAvuTmisrarOveqR1FWPkCOKcMG860oQ/V/trZzor0ZPZs4lOl3yHvf83Jj1ahsffCMIueaSlJqHoBZPFB+uLlof9KV6OzyztVzLaxUql/qddGnzajvRs0ti9vKx84AsnMEbZwTcYdf8CNesOh5aSSgz4r6U2D3/rWaT/s1h7vda9rUhD7McjybboHWThM1sKVUGmDFJBA3XdXpwCbG+L35yw5NdablTgB8KOCaAiYDSNsbRkDRluzAxrwD9r/glEq9xI7X3fQ+t40PEQ/sIVFAy+BH6fqXUUEN6D8sc3GKt5RxxTzNzaHLoczlLyakAainQ==
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
  Pragma: no-cache
  Host: alan-hu.mydomain.com
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/7.5
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Thu, 05 Jul 2012 08:29:41 GMT
  Content-Length: 649

  Summary:
  1. The Responses of Authentication Policy will be retrieved after user just signed in:
  ObConfigMgd.initialize();
  ObResourceRequestMgd rrq = new ObResourceRequestMgd("http", "//alan-hu.achievo.com/oamtest/index.aspx", "GET");
  ObDictionary creds = new ObDictionary();
  creds.Add("userid", "test");
  creds.Add("password", "Tt1234");
  ObUserSessionMgd session = new ObUserSessionMgd(rrq, creds);
  ObDictionary actions = session.getActions("cookie");
  ObConfigMgd.shutdown();
  2. The Responses of Authorization Policy will be retrieved after execute the ObUserSession.IsAuthorized() method:
  ObConfigMgd.initialize();
  ObResourceRequestMgd rrq = new ObResourceRequestMgd("http", "//alan-hu.achievo.com/oamtest/index.aspx", "GET");
  HttpCookie ObSSOCookie = Request.Cookies["ObSSOCookie"];
  string sessionToken = ObSSOCookie.Value;
  ObUserSessionMgd session = new ObUserSessionMgd(sessionToken);
  if (session.Status.IsLoggedIn && session.IsAuthorized(resource))
  ObDictionary actions = session.getActions("cookie");
  ObConfigMgd.shutdown();
  -----

• How encrypt msg with Public Key ?

  I want to encrypt my Session Key with the public key of the recipient but how can I do ?
  I know how to encrypt with the Secret Key but not with the Public Key.
  Thanks for response
  Nicolas

  It depends on the cryptosystem of which the public key you are having.
  If it is of RSA then you have to get the cipher of RSA and pass the session key bytes as input to it.