Configure SAM to use AD as Authentication Source

Is there a document or tech note describing the process of configuring SAM to authenticate against AD? Using SAM 7.1.

Hi Carlo,
thanks, tried all possible combinations of that property, but it didn't work as hoped...
When a page is loaded, it is cached so it doesn't need to be downloaded to be redisplayed. If the page changes after a previous visit, you may want to redownload it anyway to get the updated page. This preference controls how often to check for a newer version of a cached page.
0-Check for a new version of a page once per session (a session starts when the first application window opens and ends when the last application window closes).
1-Check for a new version every time a page is loaded.
2-Never check for a new version - always load the page from cache.
3-Check for a new version when the page is out of date. (Default)
Found one workaround, but not totally ok:
Right mouse click -> Select All
Right mouse click -> View Selection Source
File -> Save
But there are HTML tags in saved file, and users don't want to edit the file...
Regards,
Kris
Edited by: kristjan on Jan 24, 2013 8:49 AM

Similar Messages

  • Problem configuring SOA suite to use OID for authentication

    We are in the process of rebuilding our environment to use the full SOA suite with our OID server for authentication (was previously just BPEL using AD directly), and have encountered several problems (below). We have rebuilt the OID server, and reinstalled the SOA suite into a clean ORACLE_HOME to no avail.
    We first rebuilt the OID server using the following steps (derived from Oracle® Internet Directory Administrator's Guide):
    1)     Create the Import and Export profiles for AD synchronization. We did this using the Directory Integration and Provisioning Server Administration tool under “Active Directory Configuration”
    2)     Modify the map file to specify the correct OU mappings between AD and OID.
    3)     Update the profile with the new map file using “dipassistant.bat mp”
    4)     Bootstrap the import profile using “dipassistant.bat bootstrap”
    5)     Start a new instance of the Integration server (odisrv) running on config set 1 (the config set containing the Active Directory import/export profiles) using “oidctl”
    6)     Set the Import profile to Enable. The OID server does not export changes to AD in our current configuration, so the Export profile is left on disable (and not bootstrapped)
    At this point it appears that the AD synchronizes correctly into our new OID server.
    Next we installed the SOA suite:
    1)     We ran “irca.bat” on our database server to create the ORABPEL, ORAESB, and ORAWSM schemas and associated integration repository structure.
    2)     After launching the SOA suite installer, we selected Advanced Install.
    3)     On the next screen, we selected J2EE Server, Web Server, and SOA Suite.
    4)     We then provided the credentials for our Oracle database, and the passwords for ORABPEL, ORAESB, and ORAWSM.
    5)     We configured our new AS instance as an administration instance, but did not opt to use from a separate HTTP server, and did not make this instance part of an OAS cluster topology.
    And finally, we configured our new SOA suite instance to use OID for authentication (using the instructions in Oracle® BPEL Process Manager Administrator's Guide section 2.1.3):
    1)     Used the configure_oid.bat command to seed OID with required users only.
    2)     Logged into the OracleAS Control Console
    3)     Chose the oc4j_soa instance, then Administration->Security->Identity Management
    4)     Configured the OID server using a non-ssl connection and the cn=orcladmin account.
    5)     When prompted, chose to reconfigure all applications in the oc4j_soa instance to OID, but not to use SSO for any of them.
    6)     Copied the contents of ORACLE_HOME\j2ee\home\config\jazn.xml to ORACLE_HOME\j2ee\oc4j_soa\config\jazn.xml
    7)     Restarted the application server.
    After this procedure, we encountered the following issues:
    1)     The BPEL console appears to authenticate users correctly out of OID, but no users have access to the default domain, including bpeladmin and oc4jadmin. All users receive a similar access denied message when attempting to log into the BPEL Admin Console.
    2)     We cannot upload a BPEL process to our new server via JDeveloper’s standard BPEL deployment mechanisms. The connection appears to be working properly and passes all tests, but on uploading a process we get a Java AccessDeniedException. ESB appears to be functioning properly, and accepts uploaded projects without issue.

    Bassman,
    We recently configured our SOA Suite to use OID and SSO. We had the same issues you are having, and we found the resolutions in a blog from Jaas Poot (http://blog.jpoot.com/category/oracle-appserver/oid-ldap/). For the BPEL domain access, this involved going to the data-sources.xml file and changing the database passwords from using ->pwForOrabpel for the orabpel schema and ->pwForOraesb for the oraesb schema to the real passwords; the blog explains more about this.
    The blog also covers the JDeveloper deployment issue, and another issue we encountered, where we couldn't access the BPEL Admin console. All of these were resolved following the steps in the blog.
    Hope this helps
    Candace

  • Multiple authentication sources with the same category

    Quote from portal help:
    "Multiple authentication sources can use the same category. However, because the prefix is prepended to the user and group names, you need to be certain that the domains involved do not have different users or groups with the same name. That is, if a LizaR user exists on one domain, and a LizaR user exists on another domain, they must be the same user because only one user will be created."
    Fine, let's say I am "certain that the domains involved do not have different users or groups with the same name".
    But there is another concern I have here. I want to know how the portal will RECOGNIZE which authentication source to use?
    Let's say I have 2 auth sources, AS1 and AS2, with the same category MyAuth. AS1 uses WS1 to authenticate against LDAP1 and AS2 uses WS2 to authenticate against LDAP2.
    Now, I have a user - Dmitry. I am trying to log in to the portal and I selected AS1 to do the actual authentication. My question is how the portal will CHOOSE which auth source to use, because all the portal knows about me is <MyAuth\Dmitry>, which came from the portal login screen? Both auth sources match this pattern, so it seems like the portal may choose any of them.
    Does it mean that the portal will try to authenticate against AS1 and, if this attempt fails, then use AS2?
    I didn't find any explanation in portal documentation.
    Thank you.
    Edited by Bryazgin at 12/12/2007 10:42 AM

    Yes, it seems you are right. As soon as the portal has found the CORRECT user there is no issue anymore, because the user is bound to the unique auth source that was actually used to create this user.
    I think my main confusion comes from the fact that having <Category> and <UserName> is not enough to UNIQUELY identify a user in the portal, since <Category> can be the SAME for different auth sources.
    Let's say you have a user created by AS1. According to the API, this user created by AS1 will have 4 different names: sUniqueName, sAuthenticationName, sLoginName and sDisplayName. But the portal is going to search for the user in the portal database BASED on the information that is available in the login form - <Category> and <User Name>. At this point the portal has no idea about sUniqueName and all these things.
    Now if there were 2 users in the database that had been created by 2 different auth sources with the same <Category> and <User Name>, then I don't understand how the portal will figure out which user to choose. I guess the <Category> value somehow MUST participate in the sUniqueName value. <Category> has to be involved in the process of finding the user in the database. In this scenario 2 users will be retrieved from the database and, what is important, these 2 users are different; they have been created by different auth sources. Now the question becomes: which user is the CORRECT one?
    Edited by Bryazgin at 12/12/2007 1:34 PM

  • Trying to configure a Win 2003 Server to use TLS server authentication . . .

    I am trying to configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
    Method 2: By using the Certificate Request Wizard
    The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000 Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
    * You want to request a certificate from an Enterprise Certification Authority.
    * You want to request a certificate that is based on a template where the subject name is generated by Windows.
    * You want to obtain a certificate that does not require administrator approval before the certificate is issued.
    To obtain a certificate, follow these steps:
    1) Click Start, click Run, type mmc, and then click OK.
    2) On the File menu, click Add/Remove Snap-in.
    3) Click Add, click Certificates, and then click Add.
    4) Click Computer account, and then click Next.
    5) If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another computer, and then type the name of that remote computer in the Another computer box.
    6) Click Finish.
    7) In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
    8) Under Console Root, click Certificates (Local Computer).
    Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername) instead of Certificates (Local Computer).
    9) On the View menu, click Options.
    10) In the View Options dialog box, click Certificate purpose, and then click OK.
    11) In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
    12) In the Certificate Request Wizard that starts, click Next.
    13) In the Certificate types list, click Server Authentication, click to select the Advanced check box, and then click Next.
    14) In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
    I get as far as step 11 and I get the error message:-
    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.
    This is covered in KB 927066 – see below:-
    To resolve the problem, follow these steps:
    Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container.
    To do this, follow these steps:
    Click Start, click Run, type Dsa.msc, and then click OK.
    In the left pane, click the Users container.
    Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
    Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
    Domain Users
    Domain Computers
    If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.
    Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
    Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
    Click Start, point to Program, point to Administrative Tools, and then click Component Services.
    Expand the Component Services node.
    Expand the Computers node.
    Right-click the My Computer node, and then click Properties.
    Click the COM Security tab.
    Under Access Permission, click Edit Limits.
    Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
    Under Launch and Activation Permissions, click Edit Limits.
    Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
    Click Cancel, and then close the Component Services console.
    Settings may be incorrect if any one of the following conditions is true:
    The CERTSVC_DCOM_ACCESS group does not exist.
    The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
    The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
    If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    Repeat steps 1 through 3 to verify that all the settings are correct.
    Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
    The only part of the above instructions which I have not been able to complete is:-
    “you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
    When I click on the CERTSVC_DCOM_ACCESS user then click the Members tab & go to add Enterprise Domain Controllers the option is not there.

    Hi Nick,
    Have you successfully set up an enterprise CA?
    If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
    Best Regards,
    Amy

  • I purchased a 3TB Airport Time Capsule After 8 hours been able to configure the box using Ethernet connection but now I want to move my current backups and it wants authentication but no box is available to provide my administrator name can anyone help ?

    I purchased a 3TB Airport Time Capsule to use with my Mac running latest Mavericks. After 8 hours been able to configure the box using Ethernet connection but now I want to move my current backups from my small drive and it wants authentication but no box is available to provide my administrator name can anyone help ?

    I overcame the permissions by allowing both paths to have read and write access to anyone but that didn't solve it until I copied it into the DATA directory which I created on the Airport Time Capsule.
    I had already discovered the TIME MACHINE How to transfer backups but I am struggling still with the item and cannot currently get it to work. My setup seems to have created a wireless link to my router which is what I wanted and in that set up there are three options. I have simply gone for the extension of my network. I ignored the other option there which I cannot remember something like DNS? That may be the problem because when I remove the Ethernet connector it just doesn't go anywhere.
    I have also found I cannot update my TIME MACHINE software (currently 1.3) as although Apple tell me I should be able to set backups hourly daily or weekly I have only ever been able to run it hourly when I would prefer longer intervals so thought an update might be necessary.
    Also tried to get an update for my Airport Utility (currently 6.3.2) but cannot find one even though I have read there might be one available and again this might be the problem.
    Have reset the Time Capsule now about a dozen times.
    Following the instructions and trying to copy my existing backup it suggests you need to copy it to the root directory but that is when I get some sort of security issue and I found I could only get it to accept if I dragged my .backupdb to the DATA directory on the Time Capsule. I don't even know if I do this it will work when I come to use it.
    I therefore found your reply of no more help than I had discovered but I hope you return to read this note because I really do need some help.
    I am intending starting again in the next couple of days and fully documenting what I do and what I see and then as I suspect it will be no different and I will then seek an appointment at the Apple Store in Trafford Centre and if that proves unsuccessful then I still have time to return and become a dissatisfied customer with Apple for the first time in a long experience with Apple. I have noticed frightening notes on the conversations which point to problems of Mavericks working with Airport Time Machine!! So in the end it might not be me doing anything wrong. Unfortunately you do feel left out in the dark sometimes that is why I hope you can respond with a solution?

  • I used to export cut clips to tape but recently - to keep having the exact same video-quality as the (analog) source! - I export simply to external HDs (so, to the computer)... I recently bought the PREM 13-version and I have tried (I think) everything b

    I used to export cut clips to tape (version 9.0) but recently I bought the 13.0 version of PREMIERE and - to keep having the exact same video-quality as the (analog) source! - I export simply to external HDs (so, actually to the computer)... but whatever I am trying I notice that when I check the export-material with the original clip the first is NOT ONLY SMALLER but ALSO DOES NOT SEEM TO HAVE THE SAME RESOLUTION, DETAILNESS, SHARPNESS (or whatever you may call it)... What am I doing wrong? WHICH SETTINGS DO I HAVE TO MAKE IN ORDER TO KEEP THE SAME IMAGE-QUALITY (or even to enhance it) IN STORING ON THE COMPUTER ?! Thanks, RVH

    How are you exporting?

  • Using a SQL data source and XML data source in the same template

    I am trying to develop a template for the Request for Quote report generated in Apps 11.5.10. I have loaded the data from the XML output into the template, but I am missing one field - I need the org_id from the po_headers table. Is it possible to use a sql data source (i.e., "select org_id from po_headers_all where po_header_id = [insert header_id from xml data]...") in addition to the xml data source to populate the template at runtime? When you use the Insert > SQL functionality is it static at the time the template is created, or does it call to the database at runtime? I've looked through all the docs I could find, but this isn't clear.
    Thanks for any help or suggestions you may have.
    Rhonda

    Hi Pablo
    That's a tough one ... if you go custom with a data template you will at least get support on the data template functionality, i.e. if you have a problem when you try and build one. You will not get support on the query inside the data template as you might have gotten with the Oracle Report; well, you could at least log a bug against development for a bad query.
    Eventually that Oracle Report will be converted by development anyway; there's an R12 project going on right now to switch the shipped OReports to data templates. At this point you'll be fully supported again but:
    1. You have to have R12 and
    2. You'll need to wait for the patch
    On reflection, if you are confident enough in the query then Oracle will support you on its implementation within a data template. Going forward you may be able to swap out your DT and put in the Oracle one without too much effort.
    Regards, Tim

  • How to configure Firefox to use OpenVPN?

    summary: I'm running OpenVPN from a Debian client through a Debian jumpbox/server. After I [start the server, start the client] most IP-based applications (DNS, ping, ssh) seem to work from the client, but client's Firefox cannot connect to http://www.whatismyip.com/ (or any other URI). How to configure Firefox to use the VPN? or otherwise fix the problem? or further debug it?
    details:
    I have a laptop running debian_version==jessie/sid with Firefox version=33.0 which needs to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is running a "vanilla" Debian 7.7.
    I have been using the laptop successfully for a few years without network problems. Currently I have the laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on the laptop, I see:
    * `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
    * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
    * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)
    Both my client/laptop and server/jumpbox setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki
    https://wiki.debian.org/openvpn%20for%20server%20and%20client
    me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
    Sat Nov 8 16:49:00 EST 2014
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8" # google public DNS
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    me@laptop:~$ date ; cat /etc/openvpn/client1.conf
    Sat Nov 8 16:51:31 EST 2014
    client
    dev tun
    proto udp
    remote ser.ver.IP.num 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:
    me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
    Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
    Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
    Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
    Sat Nov 8 17:48:25 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:48:25 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sat Nov 8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sat Nov 8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Nov 8 17:48:25 2014 GID set to nogroup
    Sat Nov 8 17:48:25 2014 UID set to nobody
    Sat Nov 8 17:48:25 2014 UDPv4 link local (bound): [undef]
    Sat Nov 8 17:48:25 2014 UDPv4 link remote: [undef]
    Sat Nov 8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Sat Nov 8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
    Sat Nov 8 17:48:25 2014 succeeded -> ifconfig_pool_set()
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL LIST
    Sat Nov 8 17:48:25 2014 TomRoche,10.8.0.4
    Sat Nov 8 17:48:25 2014 Initialization Sequence Completed
    me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
    Sat Nov 8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Sat Nov 8 17:49:12 2014 UDPv4 link local: [undef]
    Sat Nov 8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
    Sat Nov 8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Nov 8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
    Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: route options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Nov 8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
    Sat Nov 8 17:49:16 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:49:16 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
    Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    Sat Nov 8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
    dhcp-option DNS 8.8.8.8
    Sat Nov 8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 GID set to nogroup
    Sat Nov 8 17:49:16 2014 UID set to nobody
    Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
    I then see the following on my client:
    * `ifconfig` shows a new entry=`tun0`, which looks correct
    * I can `ping` the server using either its real IP# or `10.8.0.1`
    * I can `ssh` to the server using either its real IP# or `10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    ... but I get no connection if I open a new instance of Firefox and browse to http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds quickly but the status line continues to display "Connecting to www.whatismyip.com..." until the attempt times out. I also get the same behavior (connection timeout) if I open a new instance of Chrome, or if I browse to http://www.whatismyip.com/ with a Firefox opened prior to starting OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) Google.
    This is a major problem for me! For the SSL VPN to work, I need to start a Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a Firefox plugin) to access a particular remote-access website. Furthermore I need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, sad story ...)
    Is there something I must do to configure Firefox to use the VPN? Or is there some other way to fix this?
    Alternatively, what should I do to further debug the problem? It just seems odd to me that the other services work (e.g., `nslookup`, `ssh`) but Firefox does not. That being said, both Firefox and Chrome fail in this usecase, so the problem might be generic to web browsers.
    your assistance is appreciated, Tom Roche
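
An added example, not part of the original post: a Python check that reads an OpenVPN client log in the format shown above and confirms that the pushed `redirect-gateway def1` really produced the two /1 routes via the tunnel peer plus a host route that bypasses the tunnel, and notes a 64-bit-block data-channel cipher. The sample log is constructed, the documentation addresses stand in for the ones redacted in the post, and the function names and finding codes are illustrative.

```python
import ipaddress
import re

# Constructed sample in the format of the client log above (iproute2-style
# route lines). 203.0.113.10 and 192.0.2.1 are documentation addresses that
# stand in for the redacted server IP and LAN gateway.
SAMPLE_LOG = """\
Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Nov 8 17:49:16 2014 /sbin/ip route add 203.0.113.10/32 via 192.0.2.1
Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
ROUTE_RE = re.compile(r"ip route add (\S+) via (\S+)")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")

# Ciphers with a 64-bit block size; worth flagging on a long-lived tunnel.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE3-CBC"}
# "def1" overrides the default route with these two halves instead of replacing it.
DEF1_HALVES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]


def parse_client_log(text):
    """Collect pushed options, installed routes and the data-channel cipher."""
    report = {"pushed": {}, "routes": [], "cipher": None, "completed": False}
    for line in text.splitlines():
        push = PUSH_RE.search(line)
        route = ROUTE_RE.search(line)
        cipher = CIPHER_RE.search(line)
        if push:
            for option in push.group(1).split(","):
                name, _, args = option.strip().partition(" ")
                report["pushed"][name] = args.split()
        elif route:
            try:
                net = ipaddress.ip_network(route.group(1), strict=False)
                via = ipaddress.ip_address(route.group(2))
            except ValueError:
                continue  # redacted or non-numeric address: cannot be checked
            report["routes"].append((net, via))
        elif cipher:
            report["cipher"] = cipher.group(1)
        elif "Initialization Sequence Completed" in line:
            report["completed"] = True
    return report


def vpn_gateway(pushed):
    """Tunnel next hop: the ifconfig peer (net30/p2p) or route-gateway (subnet)."""
    if pushed.get("topology", ["net30"])[0] == "subnet":
        value = pushed.get("route-gateway", [None])[0]
    else:
        value = (pushed.get("ifconfig", []) + [None, None])[1]
    return ipaddress.ip_address(value) if value else None


def audit(text):
    """Return finding codes; an empty list means the client side is consistent."""
    report = parse_client_log(text)
    findings = []
    if not report["completed"]:
        findings.append("init-not-completed")
    flags = report["pushed"].get("redirect-gateway")
    peer = vpn_gateway(report["pushed"])
    if flags is None:
        findings.append("no-redirect-gateway-pushed")
    elif "def1" not in flags:
        findings.append("redirect-gateway-without-def1")  # only def1 is checked here
    elif peer is None:
        findings.append("no-tunnel-gateway-pushed")
    else:
        for half in DEF1_HALVES:
            gateways = [via for net, via in report["routes"] if net == half]
            if not gateways:
                findings.append(f"missing-route:{half}")
            elif peer not in gateways:
                findings.append(f"wrong-gateway:{half}")
        # The encrypted UDP packets must leave via the physical gateway, so a
        # /32 host route that does not point into the tunnel has to exist.
        bypass = [net for net, via in report["routes"]
                  if net.prefixlen == 32 and via != peer]
        if not bypass:
            findings.append("no-server-bypass-route")
    if report["cipher"] in SMALL_BLOCK_CIPHERS:
        findings.append(f"small-block-cipher:{report['cipher']}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Route lines whose addresses are redacted are skipped, so on a sanitized log the bypass-route finding only means the route could not be verified. A clean result covers the client side only; forwarding and NAT on the server are not visible in this log.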

    You're kidding. You have to go through that rigamarole just to put your bookmarks on your own server? Where's the simple FTP option?
    Also, the above-linked article has a broken link. The link to the weaveserver (which is what you have to set up on your own server) is no good, and there is no obvious replacement. There are plenty of Weave-related repositories here:
    http://hg.mozilla.org/labs
    but it's not clear what you need.

  • Probable bug while creating authentication source

    I am not sure if it's a bug in Plumtree but whenever I try to configure the sample HelloWorld Authentication service in the Portal I get the following error.
    Error - Unable to initialize the Server Configuration Interface framework because the XUI.XSL transformer file could not be located. Confirm this file was installed properly.
    This error is received when I try to create a Remote Authentication Source using the Hello World Authentication web service.
    On the other hand, when I configure the same files on a Portal running on a Unix platform it runs like a charm.
    I am using the 6.0 version of Plumtree.
    Thanks
    Pallav

    This error message was resolved for me by following the steps in Appendix D: 'Configuring WebLogic After You Run the Plumtree Installer' of the Plumtree Installation Guide. After doing so, I do get a ClassNotFoundException for the SAXParser when I start up the domain in certain cases, but that's another story...

  • Document Access via Custom Authentication Source?

    I don't know if this should be under the 'Content Services' forum or this one, so I'll start here. I have a custom content crawler that crawls documents stored in a database. That works fine, but now I want to integrate access control into the equation. The documents that I retrieve have metadata associated with them (i.e. the users/groups from the document repository that have access to the document). Every ALUI portal user has an associated user with the same name in the document repository. I want to set things up so users can only see/view documents that they are allowed to see/view. I'm wondering if I need to create a custom authentication source to get these users/groups integrated into the portal. We already are doing Single Sign-On, but I need to know what needs to be done to pass user/group info from the document repository to the portal. Any thoughts would be appreciated.

    Hi Jake,
    I am also trying to achieve the same functionality. I have written a custom crawler and I have the ACLs that contain the read/write etc. permissions for the users and groups, but I am not able to find out how I can pass this information using the custom crawler interfaces. If you have found a solution to your query, please let me know the approach ASAP. Thanks in advance.
    Viren

  • CUP 5.3 SP8 - Authentication Source/User Details Source question

    Hello,
    Here is another issue I'm noticing with CUP.
    Currently we have it configured as such:
    Authentication Source: LDAP
    Search Data Source: SAPHR
    User Details Data Source: SAPHR
    When a Requestor logs in to create a request for themself, Requestor Username and Email are correctly populated under the Requestor section of the request screen. This Username and Email match identically from SAPHR; and it should, as that is what we have defined as our User Data Source
    When a Requestor logs in to create a request for another user, Requestor Username and Email are populated differently under the Requestor section of the request screen; this information in this case appears to be coming from LDAP. This does not seem correct to me. LDAP is only defined as the Authentication Source, not the User Data Source.
    1) Why would the Requestor section populate differently when creating a request for yourself vs. another user?
    2) Is this a bug in CUP?
    3) Has anyone else noticed this or found a fix?
    Thanks!!
    Jes

    We are on the same SP level and are configured similarly but don't see this issue. 
    Data Source - LDAP
    Search - SAP
    Datasource - Multiple (SAPHR, SAP(BI), LDAP, SAP(SRM))
    Also, our LDAP does not carry the email address (yet).
    When I create a new request for someone else, all the information is filled in correctly from our SAPHR system, if they are in HR, or from our BI system if they are not in HR but are in BI.  However, since we don't carry e-mail address in our LDAP system yet, the requestor e-mail field is left blank and I have to manually fill it in.  (We do plan on changing this).
    Hope this helps,
    Peggy

  • How to configure crystal report xml file as data source in BOE in Solaris?

    Hi,
    How do I configure Crystal Reports with an XML file as the data source on Solaris? I didn't find any suitable driver for XML / Excel files for Sun Solaris.
    Which driver do I have to use to connect an XML file to Crystal Reports so I can view my report in BOE on Solaris?
    The same question applies to an Excel file as the data source for a Crystal report.
    Thanks

    Hi Don thanks for the reply,
    In the Windows environment I do not have any problem when creating a Crystal report from an XML file or an Excel file. After creating the reports, when I publish them to the BOE server on Solaris, I get a connection failed error.
    My Solaris BOE server doesn't have any network connection with Windows machines, so I have to place the files on the Solaris server.
    Below are the steps I tried:
    1. Created Crystal reports from CR designer in Windows using ADO.Net(xml) and, in another try, with the Xml webservices drivers. The reports work as they should.
    2. Saved in the BOE repository on the Solaris server from Crystal Reports and changed the database configuration settings as follows:
        - Used custom database logon information and specified cr_xml as custom driver.
        - Changed database path to file directory path according to solaris server file path </app/../../>
        - Tried table prefix also
        - Selected radio button use same database logon as when report is run saved.
    My environment :
    SAP BOXI3.1 sp3
    crystal reports 2008 sp3
    SunOS
    Cr developing in windows 7.
    For Excel I tried with ODBC in windows but I can't find any ODBC or JDBC drivers for Excel in solaris.
    Any help to solve my issues
    Thanks
    Nagalla

  • Configure CRS2008 to using AD and Kerberos with Java application servers.

    Hi All,
    I have configured CRS2008 to use AD and Kerberos with Java application servers. The Domain Controller is installed on a W2K3 Server. In addition, CRS2008 is installed on another W2K3 Server.
    I have created a service account in the domain controller: CMSACC
    I have created two user accounts: CRuser1 and CRuser2
    I have created a domain group: CRSGroup
    After I ran setspn on the domain controller, I got the message below:
    Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
        BOBJCentralMS/BDMGTSRV.BD.com
    CMC Setting:
    AD Administration Name: BD\administrator
    Default AD Domain: BD.com
    Add AD Group(Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
    Service principal name:BOBJCentralMS/CMSACCatBD.com
    I have created a WINNT folder in the root directory and saved bscLogin.conf and krb5.ini there.
    bscLogin.conf:
    com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
    krb5.ini:
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    forwardable = true
    BD.com = {
    default_domain = BD.com
    kdc = BDMGTSRV.BD.com
    I have tested Kerberos using kinit CMSACCatBD.com password, and got the error message below:
    Exception: krb_error 41 Message stream modified (41) Message stream modified
    KrbException: Message stream modified (41)
            at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
            at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
            at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
         at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
         at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
    My problem is that I fail to log on to CMC and InfoView, and I get the error message below:
    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserNameatDNS_DomainName, and then try again.
    Actually, I am able to log on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestions to solve this problem?
    Ken.

    If you can log on with client tools then that should be an indication that the service account running the CMS IS working! Good news.
    So the problem is likely with the java portion (krb5/bsclogin or java options).
    If the files are in c:\winnt\ (if not, copy them there), perform c:\program files\business objects\javasdk\bin\kinit username
    then enter and password/enter again
    You will probably get the same message. Note that in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).
    kinit works with just the krb5.ini, java SDK and AD (removing BO config and the service account from the picture). Once that works, if your java options are specified properly you should be able to log in to CMC/InfoView.
    Also 1 last point: add udp_preference_limit = 1 to the krb5 libdefaults section
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
    Regards,
    Tim
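
As an added example (not from either poster and not vendor code), a small Python check for the two points in the reply above: realm names in upper case and udp_preference_limit = 1 in [libdefaults]. The sample is the krb5.ini from the question with its closing brace restored; flagging a plain setting placed directly under [realms] is an addition beyond the reply.

```python
import re

# Constructed sample: the krb5.ini from the question, closing brace restored.
POSTED = """\
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
forwardable = true
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
"""

def parse_krb5(text):
    """Parse krb5.ini text into {section: {key: value or {key: value}}}."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = conf.setdefault(header.group(1), {}), None
        elif line == "}":                         # end of a realm stanza
            stanza = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                      # start of a realm stanza
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza[key] = value
            else:
                section[key] = value
    return conf

def check_krb5(text):
    """Return findings for realm-name case and udp_preference_limit."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    default_realm = lib.get("default_realm", "")
    if default_realm != default_realm.upper():
        findings.append(f"default_realm '{default_realm}' is not upper case")
    for name, body in realms.items():
        if not isinstance(body, dict):
            findings.append(f"[realms] entry '{name}' is a plain setting, not a realm stanza")
        elif name != name.upper():
            findings.append(f"realm stanza '{name}' is not upper case")
    if default_realm and default_realm.upper() not in (n.upper() for n in realms):
        findings.append(f"no [realms] stanza for default_realm '{default_realm}'")
    if lib.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit = 1 is not set in [libdefaults]")
    return findings

if __name__ == "__main__":
    for finding in check_krb5(POSTED):
        print("FINDING:", finding)
```

Run against the posted file it reports four findings; a file with the realm written as BD.COM throughout and udp_preference_limit = 1 under [libdefaults] reports none.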

  • Using Web Dynpro authentication for a Web Service call

    Hi all,
    I want to develop a Web Dynpro that calls a Web Service running on the same Web AS (7.0). The Web Dynpro will be integrated in a Portal. The web service that has to be called is automatically generated when we create a guided procedure :
    http://help.sap.com/saphelp_nw2004s/helpdata/en/44/44c59fd7c72e84e10000000a155369/frameset.htm
    In my Web Dynpro, I imported the WSDL of this WS and created a model.
    The first time I tried to call the WS in my Web Dynpro I got an authentication error :
    Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://<myHostName>:50100/GPRuntimeFacadeWS/GPProcessExposing?style=document&pid=CA544E9B629A11DB91480017A48D672A&pver=0.5"
    So I hard-coded an HTTP authentication :
         model._setUser("myWASuser");
         model._setPassword("myPassword");
    And the Web Service call now works.
    Now the next step is that the WS call is made by the user that runs the Web Dynpro. So I found this documentation :
    http://help.sap.com/saphelp_nw04/helpdata/en/59/e8e95d1eba48dfa86ae91ad8816f5d/frameset.htm
    It would resolve my authentication problem, AND the transport issue : at the moment the Web Service URL is stored in the Logical Port of the WD model, and at transport time, a rebuild of the WD project will be needed.
    So I applied what is said in the doc : from the point of view of the Web Service consumer, I just had to add :
        model._setHTTPDestinationName("STARTGP");
    (where STARTGP is the name of the destination I created in the Visual Administrator with a "Logon Ticket" authentication.)
    before the execute(), and I removed my hardcoded authentication.
    Unfortunately, nothing changes... I still get a 401 authentication error.
    Does anyone have an idea about this ? Or maybe a workaround ?
    Thanks in advance for any suggestion.
    Regards,
    Julien

    Hello Julien,
    I have a scenario similar to yours: a client Web Dynpro application accessing EJB methods exposed as a web service. Those EJB methods call R3 RFCs. The client's requirement was to allow SSO through all the layers (Webdynpro -> EJB WS -> RFC). The Webdynpro and EJBs are deployed on the same WAS.
    Solution:
    1 - Create a RFC Destination on Visual Administration provide the R3 connection parameters and set the Authentication for "Current User (Logon Ticket)". Save your Destination;
    2 - In your EJB Project open your Web Service Configuration, on the Security page, set:
        Authentication Mechanism: HTTP Authentication
        Basic (username/password)
        Use SAP Logon Ticket
    3 - In your EJB, implement the following code to create JCO Client for the RFC invocations:
        Object obj = ctx.lookup(DestinationService.JNDI_KEY);
        DestinationService dstService = (DestinationService) obj;
        RFCDestination dst = (RFCDestination) dstService.getDestination("RFC", "<YOUR_RFC_DESTINATION_NAME>");
        Properties jcoProperties = dst.getJCoProperties();
        JCO.Client jcoClient = JCO.createClient(jcoProperties);
    4 - In your EAR Project, open your "application-j2ee-engine.xml" and add the References:
         "tc/sec/destinations/service" as Service
         "tc/sec/destinations/interface" as Interface.
    5 - Create your EAR File and Deploy;
    6 - Check if the web service now requires Authentication: go to http://<host>:<port>/index.html and click on Web Services Navigator. Test your Web Service. Your Web Service should require you to log in before executing the test;
    7 - Go back to your Visual Administrator and create a HTTP Destination. Provide your WS URL (should be something like "http://<host>:<port>/<WS_NAME>/Config1?style=document"). Choose Authentication: Logon Ticket. Save your Destination;
    8 - Go to your webdynpro project, import your WS Model. (If you have already created it, you have to delete it and import it again, refer to this blog on how to reimport WS Models: /people/bertram.ganz/blog/2005/10/10/how-to-reimport-web-service-models-in-web-dynpro-for-java  How To Reimport Web Service Models in Web Dynpro for Java );
    9 - Open your model's Logical Ports node, go to the Security tab, and choose "Use SAP Logon Ticket";
    10 - In your webdynpro code, before you call the ws invocation (should be something like that: <YOUR_NODE_DEFINITION>.modelObject().execute();), include the following line:
    <YOUR_NODE_DEFINITION>.modelObject()._setHTTPDestinationName("<YOUR_HTTP_DESTINATION_NAME>");
    11 - Save All Metadata and deploy your Webdynpro App. Test your results.
    I hope it helps you, as the documentation on how to implement this scenario is scattered through the SDN and all the SAP help portal.
    Best regards,
    Paulo.

  • The kerberos PAC verification failure when all users of only one RODC Site, trying to get access iis webpage of different site using Integrated Windows Authentication

    A Kerberos PAC verification failure occurs when all users of one site, which has only one RODC server (A), try to access an IIS web page of a different site, which has a WDC server (B), using Integrated Windows Authentication. But when they access the website using its IP address, it does not ask for credentials, as I think it is using NTLM Authentication at that time, which is less secure than Kerberos.
    Note that:- All user accounts and Computers of the RODC has been allowed cache password on the RODC. Nearest WDC for the RODC (A) is the WDC (B).
    The website is hosted on a windows server 2003 R2 and generating below system event log for those users of the RODC site :-
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 7
    Date: date
    Time: time
    User: N/A
    Computer: computer_name (the 2003 server)
    Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client computer_name in realm realm_name had a PAC which failed to verify or was modified. Contact your system administrator.
    This issue has been occurring for the last week. Before that everything was fine. No Group Policy has changed, and the time is also the same.
    In this situation, do I need to demote the RODC and re-promote it as an RODC again, or is there any other troubleshooting to resolve it?
    Thanks in advance
    Souvik

    Hi Amy,
    Thanks for your response
    I noticed that Logon server could become incorrect again after user re-login or restart of a workstation.
    It seems root cause is different.  Need a permanent solution.
    The workstations of the RODC site get their IP from a DHCP server by automatic distribution from a subnet specific to the site. The RODC is the primary DNS server for the site.
    I have checked the subnet and it is properly bound only with that AD site. The group of users and workstations are in the same site AD organisational unit.
    Sometimes I restarted the NET LOGON service and DNS server service on the RODC server and sometimes rebooted the server. But the Logon server issue has not been fixed permanently.
    The internal network bandwidth of the site is better than the bandwidth to communicate with other site.  
    The server is Windows server 2008 R2 standard and hosting the below roles
    RODC
    DNS
    File server
    The server performance is Healthy in core times when maximum users usually logins. 
    Any further support would be much appreciated Amy
    Thanks
    Souvik
