CSM client vlan addressing
Hi there,
I'm testing out some new topologies for a planned installation and I have a question about the addressing that should be used on the client vlan of the CSM.
In my topology I'll be running the CSM adjacent to a FWSM, with the MSFC on the inside of the FWSM. Typically I assign a router-router or router-FW link a /29 range and assign the actual devices addresses in that range. In my first test I set up the CSM and FWSM in a /29, and used client side VIP addresses in a totally different range. I added static routes to the FWSM to point to the CSM for those ranges and as far as I can tell it works great. I also tried the setup with the CSM, FWSM, and VIP addresses all in the same /24 range, and it also worked great.
So while it seems that both worked fine, is there any advantage or technical reason why one would be better than the other, or is it all a matter of choice? I've attached a diagram to illustrate.
Thanks,
Brandon
Hi Brandon,
Either of the two options is perfectly valid, and I see no technical reasons to choose one over the other.
Daniel
Similar Messages
-
CSM + multiple client vlan
If a CSM has more than one client VLAN, connected to different routers, how does the CSM decide what path to take when a server initiates a connection? In other words, is there a way to associate server vlan(s) to a client vlan?
The term client vlan actually represents an interface between the CSM and the 6500's L2 and L3 vlan.
If you have multiple routers connecting to your 6500, they will be associated vlan(s) in the 6500 as any other vlan is... You define the balanced servers' default gateway as the alias address within the server vlan defined on the CSM... The CSM then forwards this to the gateway defined on the CSM client vlan, which is also the 6500's L3 interface. The 6500 then uses its own routing table to define where the next hop for this destination is.
Hope this helps
Steve -
2 client vlan for CSM - possible?
Hi,
Is it possible for the CSM to have two client-side vlans? The reason why I need to configure 2 client-side vlans is that the IP addresses of the first client-side vlan are running out.
Thanks.
J.W.
Yes, you can definitely use multiple client vlans with the CSM.
The CSM keeps track of the MAC address from where it receives the flow
and sends the response from the reals back there.
If you define two default gateways then you will face some routing issues. With multiple
gateways defined, the CSM randomly picks one gateway. This random selection can hurt you if your reals initiate connections.
To tackle the server-initiated connection issue you can use the following workaround:
vserver Server-side
 virtual 0.0.0.0 0.0.0.0 any
 ! vlan 100 is the server vlan where the reals exist
 vlan 100
 serverfarm RealX-out
 inservice
!
serverfarm RealX-out
 no nat server
 ! gateway that you want to use for this traffic
 real 192.168.1.1
  inservice
Hope it helps
Syed Iftekhar Ahmed -
I have a 6500 with 8 vlans. Now I am going to implement a CSM with remote clients as well as all the local users on my 8 vlans. My questions are:
1. Do I have to configure all vlans as clients?
2. Is the VLAN where my CSM client is configured my only gateway?
thx a lot
Hi,
Regarding 1)
No, normally you have 1 client vlan and x server vlans.
Regarding 2)
This depends on the implementation. If you use bridged mode, the GW is placed in the "client vlan"; if you use secure mode, you have to take care that a default GW is configured on the CSM server side.
Regards,
Joerg -
CSM - Client NAT for routable server subnet
I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?
Thanks. This is now working.
I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
Noticed that a previous "show mod csm 5 arp" showed:
10.200.2.100 -->10.200.250.1 0 REAL routed
10.200.2.101 -->10.200.250.1 0 REAL routed
10.200.2.102 -->10.200.250.1 0 REAL routed -
How can I preserve Client IP address?
I am configuring the ACE for bridged mode. However, the real server is seeing VIP IP but not Client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?
I tried to turn ON/OFF normalization but it is still not working.
Thanks,
Vincent
==============================
Here is my configuration:
rserver host 192.168.71.71
ip address 192.168.71.71
inservice
serverfarm host WEB_FARM
failaction purge
probe ICMP
rserver 192.168.71.71
inservice
access-list PERMIT-BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
timeout 180
replicate sticky
serverfarm WEB_FARM
class-map match-all WEB_FARM_VIP
2 match virtual-address 192.168.71.154 tcp eq 80
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any
policy-map type loadbalance first-match WEB_FARM_Policy
class class-default
sticky-serverfarm WEB_FARM_Sticky
policy-map multi-match WEB_VIPS
class WEB_FARM_VIP
loadbalance vip inservice
loadbalance policy WEB_FARM_Policy
loadbalance vip icmp-reply active
nat dynamic 6 vlan 31
nat dynamic 5 vlan 21
interface vlan 21
description Client VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
interface vlan 31
description Server VLAN
bridge-group 171
no normalization
mac-sticky enable
access-group input PERMIT-BPDU
access-group input ALL
service-policy input WEB_VIPS
nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
no shutdown
interface bvi 171
ip address 192.168.71.3 255.255.255.0
no shutdown
Do you have a default route on the ACE and the rservers? Are they all pointing to the same IP? I have the same configuration. An ACE 4710 in transparent mode, but I have no NATing and my rservers are able to see the original client IPs (security requirement).
Here is part of my config for one serverfarm
rserver host RS_MIDTIER_220
description
ip address 172.31.0.131
inservice
rserver host RS_MIDTIER_221
description
ip address 172.31.0.132
inservice
rserver host RS_MIDTIER_222
description
ip address 172.31.0.133
inservice
rserver redirect RS_SSL_Redirects
webhost-redirection https://%h/%p 301
inservice
action-list type modify http SSL_URL_REWRITE
ssl url rewrite location ".*"
serverfarm redirect SF_SSL_Redirects
predictor leastconns
rserver RS_SSL_Redirects
inservice
serverfarm host SF_Midtier_Prod
description Midtier Production
predictor leastconns
probe APACHE
probe ICMP
rserver RS_MIDTIER_220 80
inservice
rserver RS_MIDTIER_221 80
inservice
rserver RS_MIDTIER_222 80
inservice
ssl-proxy service SSL_PSERVICE_MIDTIER_PROD
key
cert
chaingroup EntrustChainGroup
sticky http-cookie JSESSIONID Sticky_Jsession_Cookie_Midtier_Prod
timeout 90
serverfarm SF_Midtier_Prod
class-map type management match-any REMOTE_MGT_ACCESS
description remote access traffic match
2 match protocol ssh source-address
4 match protocol https source-address
5 match protocol snmp source-address
class-map match-any VS_Midtier_Prod_L3SLB
description Midtier Prod IPs
2 match virtual-address 172.31.0.46 tcp eq https
3 match virtual-address 172.31.0.47 tcp eq https
class-map match-any VS_SSL_Redirects
description Redirects any http VIPS to https
5 match virtual-address 172.31.0.46 tcp eq www
6 match virtual-address 172.31.0.47 tcp eq www
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGT_ACCESS
permit
policy-map type loadbalance http first-match Midtier_Prod_L4SLB
class class-default
sticky-serverfarm Sticky_Jsession_Cookie_Midtier_Prod
action SSL_URL_REWRITE
policy-map type loadbalance first-match SSL_Redirect_L4SLB
class class-default
serverfarm SF_SSL_Redirects
policy-map multi-match Farm_VIPS
class VS_SSL_Redirects
loadbalance vip inservice
loadbalance policy SSL_Redirect_L4SLB
class VS_Midtier_Prod_L3SLB
loadbalance vip inservice
loadbalance policy Midtier_Prod_L4SLB
loadbalance vip icmp-reply active
ssl-proxy server SSL_PSERVICE_MIDTIER_PROD
interface vlan 100
description DMZ ACE frontside
bridge-group 1
access-group input BPDUALLOW
access-group input ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input Farm_VIPS
no shutdown
interface vlan 110
description DMZ ACE backside
bridge-group 1
access-group input BPDUALLOW
access-group input ALL
no shutdown
interface bvi 1
ip address 172.31.0.150 255.255.255.0
no shutdown
rserver redirect RS_SSL_Redirects
webhost-redirection https://%h/%p
301
inservice
domain
ip route 0.0.0.0 0.0.0.0 172.31.0.1 -
Is there a way to add a helper-address (or something similar) to the CSM server VLAN? My unix team is planning on setting up a PXE boot server and a few of their servers that would need the ability to boot from it are in the server VLAN that my CSM hosts. I'm not sure how a DHCP request would ever leave that VLAN if I don't have some way of adding a helper address to it.
Thanks for any help....
Jeff
Hello-
The CSM does not have any DHCP helper address equivalents. However, you can configure the server VLAN in question in a bridged mode with a vlan on the MSFC that does do DHCP and the CSM will bridge the BOOTP requests to it.
Regards,
Chris Higgins -
Blocking Client MAC Addresses at Sup720/WLSM?
I want to block client MAC addresses at the central 6500, where the WLSM is located. Is there any solution like "dot11 association mac-list" at the accesspoints? I tried an "access-expression" on the tunnelinterface, but it did not work. Any suggestions?
Here is an example config:
Switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Issue the vlan access-map map_name command and the action drop command, which is the action to perform.
The vlan access-map map_name command uses the MAC access list that you created to block ARP traffic from the hosts.
Switch(config)# vlan access-map block_arp 10
Switch(config-access-map)# action drop
Switch(config-access-map)# match mac address ARP_Packet
Add an additional line to the same VLAN access map to forward the rest of the traffic.
Switch(config)# vlan access-map block_arp 20
Switch(config-access-map)# action forward
Choose a VLAN access map and apply it to a VLAN interface.
Issue the vlan filter vlan_access_map_name vlan-list vlan_number command.
Switch(config)# vlan filter block_arp vlan-list 2
-
I am automating the process of sending appointment reminders to my clients. I started with an alert with an email in Calendar, using the client's email address as a custom entry in my "me" card in my contacts. This was resulting in three emails being sent with slightly different versions of the same address (see my previous post). Heeding someone else's suggestion, I created a workflow file to send an email and called that file from an alert on my calendar. This is working and sends only one email to the client.
My calendar is on iCloud and I access it from three different computers so I can keep my appointment calendar current. The files that send the email only exist on one computer. My other computers show error messages when those emails get sent. It seems that each computer wants to send the email. It's a small problem, but is there a way that I could not get those alerts?
But appreciate any thoughts about this. It seems like both problems might be related to the iCloud system.
Thank you in advance,
Michael
Good work, catch so far Michael, does seem to be a "feature" of iCloud syncing, not sure what you could do to disable it.
-
Folks,
Hello.
I am installing PeopleTools 8.53 with Oracle Database Server 11gR1 and OS Oracle Linux 5.10.
Data Mover Bootstrap and Application Designer can log into Database instance successfully. My procedure to run PIA is below:
Step 1: start Oracle Database Server and LISTENER is listening.
Step 2: start Application Server ./psadmin and 8 processes are started.
Step 3: start WebLogic Server PIA /opt/PT8.53/webserv/PT853/bin/startPIA.sh
In Browser, http://192.168.196.102:8000/ps/signon.html comes up successfully. But when sign in using UserID PSADMIN and password "myname", I get the error message in Browser as below:
The application server is down at this time.
CHECK APPSERVER LOGS. THE SITE BOOTED WITH INTERNAL DEFAULT SETTINGS, BECAUSE OF: bea.jolt.ServiceException: Invalid Session
We've detected that your operating system is not supported by this website. For best results, use one of the following operating systems:
Mac OS X 10.6(Snow Leopard)
Mac OS X 10.5(Leopard)
iPad
Oracle Linux Enterprise
Mac OS X 10.4(Tiger)
Windows 8
Windows 7
Mac OS X 10.7(Lion)
Regarding Application Designer, both Database Type "Oracle" and Connection Type "Application Server", UserID "PSADMIN" and password "myname" login successfully. I view TUXLOG (current Tuxedo log file) and its last screen is below:
191723.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191723.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191723.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191724.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191724.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191724.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191724.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191724.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191725.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191725.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191725.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191726.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191726.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191726.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191726.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191726.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191727.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191727.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191727.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
191727.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
I View APPSRV_1023.LOG (current server log file) and its content is below:
PSADMIN.32259 (0) [2013-10-23T18:55:12.134](0) Begin boot attempt on domain PT853
PSAPPSRV.32290 (0) [2013-10-23T18:55:35.701](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/1
PSAPPSRV.32290 (0) [2013-10-23T18:55:35.923](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSAPPSRV_1/
PSAPPSRV.32290 (0) [2013-10-23T18:56:19.256](2) App server host time skew is DB+00:00:00 (ORACLE PT853)
PSAPPSRV.32290 (0) [2013-10-23T18:56:23.504](0) Server started
PSAPPSRV.32290 (0) [2013-10-23T18:56:23.507](3) Detected time zone is EDT
PSAPPSRV.32338 (0) [2013-10-23T18:56:25.793](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/2
PSAPPSRV.32338 (0) [2013-10-23T18:56:26.003](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSAPPSRV_2/
PSAPPSRV.32338 (0) [2013-10-23T18:57:08.871](2) App server host time skew is DB+00:00:00 (ORACLE PT853)
PSAPPSRV.32338 (0) [2013-10-23T18:57:10.662](0) Server started
PSAPPSRV.32338 (0) [2013-10-23T18:57:10.663](3) Detected time zone is EDT
PSSAMSRV.32388 (0) [2013-10-23T18:57:12.159](2) Min instance is set to 1. To avoid loss of service, configure Min instance to atleast 2.
PSSAMSRV.32388 (0) [2013-10-23T18:57:12.168](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/100
PSSAMSRV.32388 (0) [2013-10-23T18:57:12.265](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSSAMSRV_100/
PSSAMSRV.32388 (0) [2013-10-23T18:57:59.414](0) Server started
PSSAMSRV.32388 (0) [2013-10-23T18:57:59.416](3) Detected time zone is EDT
PSADMIN.32259 (0) [2013-10-23T18:58:48.149](0) End boot attempt on domain PT853
PSAPPSRV.32290 (1) [2013-10-23T18:59:06.144 GetCertificate](3) Returning context. ID=PSADMIN, Lang=ENG, UStreamId=185906140_32290.1, Token=PT_LOCAL/2013-10-23-11.59.26.248432/PSADMIN/ENG/vSz0ix+wq8d+zPRwQ0Wa4hcek0Q=
~
I think the error is indicated in TUXLOG file "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password". The application password "myname" in Browser http://192.168.196.102:8000/ps/signon.html page is not working. I use the same password "myname" to login Data Mover Bootstrap mode, Application Designer, and Application Server psadmin configuration successfully. I have tried a few other passwords in Browser http://192.168.196.102:8000/ps/signon.html page but not working.
My question is:
How to solve Sign In issue on http://192.168.196.102:8000/ps/signon.html that is "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password" ?
Thanks.
Dear Nicolas,
Hello. I have used the same password for "DomainConnectPswd" in the file Configuration.properties as for the Application Server setting. Eventually, UserID PSADMIN signs in at http://192.168.196.102:8000/ps/signon.html successfully. PeopleTools 8.53 runs correctly in the browser.
It seems that whether or not Oracle Linux 5.0 is upgraded to the latest 5.10 has no effect!
I am very grateful for your great help with this installation of PT8.53 with Linux and Oracle Database! -
Retrieve Client IP Address in a Oracle WebServices Manager Custom Policy
Hi everybody,
For some reasons I had to implement a custom policy in the OWSM, to restrict the access to web services by client IP addresses. I've been following the examples for custom policies mentioned in the books "Oracle Web Services Manager, Oracle Web Services Manager" by Sitaraman Lakshminarayanan, and the "Oracle® Web Services Manager Extensibility Guide 10g (10.1.3.3.0)" by Oracle. I followed the examples mentioned in those books to implement my custom policy. The policy is successfully deployed to OWSM and it works, except for the issue that when I want to retrieve the client IP address it returns null, and following the example in the Oracle guide, the HttpServletRequest also returns null. I'm desperate, because every site where I finally find some info about it quotes one of these 2 examples from those books, and mine doesn't work! This is the code of the custom policy; I've combined the 2 approaches:
package project1;

import com.cfluent.ccore.util.logging.ILogger;
import com.cfluent.ccore.util.logging.Level;
import com.cfluent.ccore.util.logging.LogManager;
import com.cfluent.pipelineengine.container.MessageContext;
import com.cfluent.policysteps.sdk.AbstractStep;
import com.cfluent.policysteps.sdk.Fault;
import com.cfluent.policysteps.sdk.IMessageContext;
import com.cfluent.policysteps.sdk.IResult;
import com.cfluent.policysteps.sdk.InvocationStatus;
import com.cfluent.policysteps.sdk.Result;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;

public class CustomPolicy extends AbstractStep {
    private static String CLASSNAME = CustomPolicy.class.getName();
    private static ILogger LOGGER = LogManager.getLogger(CLASSNAME);
    private String allowedIpAddress = null;
    private String allowedRoleName = null;
    private String protectedServiceMethodName = null;

    public CustomPolicy() {
    }

    public void init() throws IllegalStateException {
        // nothing to initialize
    }

    public void destroy() {
    }

    /**
     * This is the main method which will validate that the request is coming from
     * the correct IP Address and has permission to access the specified method.
     */
    public IResult execute(IMessageContext messageContext) throws Fault {
        LOGGER.entering(CLASSNAME, "execute");
        Result result = new Result();
        result.setStatus(IResult.FAILED); //initialize result
        String processingStage = messageContext.getProcessingStage();
        LOGGER.log(Level.INFO, "Processing stage is " + processingStage);
        HttpServletRequest httpServletRequest = (HttpServletRequest)
            messageContext.getProperty("javax.servlet.request");
        // Note: this reads the Host request header, not the peer address
        String remoteAddr = httpServletRequest.getHeader("Host");
        LOGGER.log(Level.SEVERE, "Dir IP:"+remoteAddr);
        String remoteHost = httpServletRequest.getRemoteHost();
        LOGGER.log(Level.INFO, "ADDR" + remoteAddr+ "HOST"+remoteHost);
        boolean isRequest =
            (IMessageContext.STAGE_REQUEST.equals(messageContext.getProcessingStage()) ||
             IMessageContext.STAGE_PREREQUEST.equals(messageContext.getProcessingStage()));
        //Execute the step Only when its a Request pipeline else return success
        if (!isRequest) {
            result.setStatus(IResult.SUCCEEDED);
            return result;
        }
        MessageContext msgCtxt = (MessageContext)messageContext;
        String _MethodName = msgCtxt.getRequest().getMethodName();
        LOGGER.log(Level.INFO,
                   "Writing Allowed IP Addr before creating SOAP header " +
                   allowedIpAddress);
        LOGGER.log(Level.INFO,
                   "Writing Remote IP Addr before creating SOAP header " +
                   msgCtxt.getRemoteAddr());
        /*LOGGER.log(Level.INFO,
                   "Writing Remote IP Addr before creating SOAP header " +
                   remoteAddr);*/
        // Split the comma-separated allowed addresses into a list
        String cadTempo = allowedIpAddress;
        Vector vect = new Vector();
        for (int i = 0; i < allowedIpAddress.length(); i++) {
            if (cadTempo.indexOf(",") != -1) {
                //vect.add(cadTempo.substring(0, cadTempo.indexOf(",") - 1));
                vect.add(cadTempo.substring(0, cadTempo.indexOf(",")));
                cadTempo =
                    cadTempo.substring(cadTempo.indexOf(",") + 1, cadTempo.length());
                LOGGER.log(Level.INFO,
                           "AQUI111");
            } else {
                if (!cadTempo.equalsIgnoreCase("")) {
                    vect.add(cadTempo);
                    LOGGER.log(Level.INFO,
                               "AQUI222");
                    break;
                }
            }
        }
        // Succeed only if the remote address and the method name both match
        for(int i=0;i<vect.size();i++){
            String temp = (String)vect.get(i);
            if (temp.equals(msgCtxt.getRemoteAddr()) &&
                _MethodName.equals(protectedServiceMethodName)) {
                LOGGER.log(Level.INFO,
                           "AQUI333");
                result.setStatus(IResult.SUCCEEDED);
                break;
            } else {
                msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
                LOGGER.log(Level.INFO,
                           "AQUI444");
            }
        }
        /*if(allowedIpAddress!=null){
            result.setStatus(IResult.SUCCEEDED);
        }*/
        /*if (allowedIpAddress.equals(msgCtxt.getRemoteAddr()) &&
            _MethodName.equals(protectedServiceMethodName)) {
            result.setStatus(IResult.SUCCEEDED);
        } else {
            msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
        }*/
        // Set the result to SUCCESS
        //result.setStatus(IResult.SUCCEEDED);
        return result;
    }

    public String getIpAddress() {
        return allowedIpAddress;
    }

    public void setIpAddress(String IpAddress) {
        this.allowedIpAddress = IpAddress;
        LOGGER.log(Level.INFO, "IP Address is.. " + allowedIpAddress);
    }

    public String getServiceMethodName() {
        return protectedServiceMethodName;
    }

    public void setServiceMethodName(String serviceMethodName) {
        this.protectedServiceMethodName = serviceMethodName;
    }

    public String getRoleName() {
        return allowedRoleName;
    }

    public void setRoleName(String roleName) {
        this.allowedRoleName = roleName;
    }
}
And the xml:
<csw:StepTemplate xmlns:csw="http://schemas.confluentsw.com/ws/2004/07/policy"
name="Custom authenticate step" package="project1"
timestamp="Oct 31, 2005 05:00:00 PM" version="1"
id="0102030405">
<csw:Description>Custom step that authenticates the user against the
credentials entered here. This step requires Extract
credentials to be present before it in the request pipeline.</csw:Description>
<csw:Implementation>project1.CustomPolicy</csw:Implementation>
<csw:PropertyDefinitions>
<csw:PropertyDefinitionSet name="Basic Properties">
<csw:PropertyDefinition name="Enabled" type="boolean">
<csw:Description>If set to true, this step is enabled</csw:Description>
<csw:DefaultValue>
<csw:Absolute>true</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
</csw:PropertyDefinitionSet>
<csw:PropertyDefinitionSet name="Custom Access Rules">
<csw:PropertyDefinition name="IpAddress" type="string" isRequired="true">
<csw:DisplayName>IpAddress</csw:DisplayName>
<csw:Description>IP Address that is allowed access</csw:Description>
<csw:DefaultValue>
<csw:Absolute>192.168.0.1</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
<csw:PropertyDefinition name="ServiceMethodName" type="string"
isRequired="true">
<csw:DisplayName>ServiceMethodName</csw:DisplayName>
<csw:Description>Service Method Name that is Protected (Secured)</csw:Description>
<csw:DefaultValue>
<csw:Absolute>getTime</csw:Absolute>
</csw:DefaultValue>
</csw:PropertyDefinition>
</csw:PropertyDefinitionSet>
</csw:PropertyDefinitions>
</csw:StepTemplate>
Please any tip or idea is welcome, thanks in advance for the help.
Carlos.
Hi again
Copied your code for testing. And it works fine.
So both the code and policy-step definition are fine, log output below.
What is your log output?
Using soapui to send the request will give the ip of my localhost, using the test client will give the ip of the server, because that is the actual client.
I guess the server ip is 192.168.0.1 in your case, as you are testing from test console.
Anyway, results from SOAPUI:
2009-05-19 09:52:15,096 FINE [HTTPThreadGroup-4] CSWComponent - Executing policy step. Policy='SID0003004', Step Name='Custom Policy Step', Step Class='com.*.soa.wsm.CustomPolicy'
2009-05-19 09:52:15,096 FINER [HTTPThreadGroup-4] wsm.CustomPolicy - com.*.soa.wsm.CustomPolicy execute:ENTERING
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Processing stage is Request
2009-05-19 09:52:15,096 SEVERE [HTTPThreadGroup-4] wsm.CustomPolicy - Dir IP:hostname.domain:8890
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - ADDRhostname.domain:8890HOST10.47.89.116
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - MethodName=getHostNameElement
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
2009-05-19 09:52:15,097 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI333
2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
But if I use the test client the remote IP would be 10.47.137.50 and execution fails, as code is written
2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
2009-05-19 09:54:12,267 FINER [HTTPThreadGroup-4] common.PrepareForServiceStep - Step PrepareForServiceStep called
-
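The allow-list check from the OWSM custom policy thread above, as an added example (not the poster's code and not part of the OWSM SDK): each configured entry is trimmed and compared numerically, so both addresses in a value such as "10.47.89.116, 192.168.0.1" from the log output can match, and a null or malformed peer address is denied. The class IpAllowList and its methods are hypothetical names; it handles IPv4 only and assumes a current JDK.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: IPv4 allow-list for a policy step. Hypothetical class, not OWSM API. */
public final class IpAllowList {
    private final List<Integer> allowed;

    private IpAllowList(List<Integer> allowed) {
        this.allowed = Collections.unmodifiableList(allowed);
    }

    /**
     * Parses a comma-separated property value. Whitespace around entries is
     * ignored; a malformed entry is rejected at configuration time instead of
     * silently never matching.
     */
    public static IpAllowList parse(String property) {
        List<Integer> out = new ArrayList<>();
        if (property != null) {
            for (String entry : property.split(",")) {
                String trimmed = entry.trim();
                if (trimmed.isEmpty()) {
                    continue;
                }
                Integer addr = toIpv4(trimmed);
                if (addr == null) {
                    throw new IllegalArgumentException("not an IPv4 address: '" + trimmed + "'");
                }
                out.add(addr);
            }
        }
        return new IpAllowList(out); // an empty list permits nothing
    }

    /**
     * Decides on the transport peer address (msgCtxt.getRemoteAddr() in the
     * posted code), never on a request header such as Host.
     */
    public boolean permits(String peerAddr) {
        Integer addr = (peerAddr == null) ? null : toIpv4(peerAddr);
        return addr != null && allowed.contains(addr);
    }

    /** Strict dotted-quad parser: four decimal octets, no leading zeros, no DNS lookup. */
    static Integer toIpv4(String s) {
        String[] octets = s.split("\\.", -1);
        if (octets.length != 4) {
            return null;
        }
        int value = 0;
        for (String o : octets) {
            if (o.isEmpty() || o.length() > 3 || (o.length() > 1 && o.charAt(0) == '0')) {
                return null;
            }
            for (int i = 0; i < o.length(); i++) {
                if (o.charAt(i) < '0' || o.charAt(i) > '9') {
                    return null;
                }
            }
            int n = Integer.parseInt(o);
            if (n > 255) {
                return null;
            }
            value = (value << 8) | n;
        }
        return Integer.valueOf(value);
    }

    public static void main(String[] args) {
        // Constructed inputs, reusing the addresses shown in the thread's log output.
        IpAllowList list = IpAllowList.parse("10.47.89.116, 192.168.0.1");
        String[] peers = {"10.47.89.116", "192.168.0.1", "10.47.137.50",
                          "hostname.domain:8890", null};
        for (String peer : peers) {
            System.out.println(peer + " -> " + (list.permits(peer) ? "permit" : "deny"));
        }
    }
}
```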
jute way pc locked up after iTunes update. It says client Mac address 001320 be ad 25 . PXE E53 No boot file name received
pXE MOF. Exiting Broadcom PXE. ROM . How do I unlock my pc? -
I downloaded an iTunes update and when I restarted my pc it locked up. It says client Mac address 001320bead25, PXE E53 No boot file name received. PXE MOF. Exiting Broadcom PXE ROM. How do I get my pc back!
When you installed iTunes on your work computer, then connected your iPad to that computer, it wiped what was on the iPad, then put the iTunes library (nothing) from the work computer onto the iPad. You can try copying the iTunes folder from your home computer over to your work computer, but since the apps were bought with a different account, they may not load or update properly.
-
How do I get list of client IP Addresses using new Airport Utility v6.3?
I have purchased and Airport Time Capsule 3TB (newest model). Previous models were still compatible with Airport Utility 5.6 and I could use "manual" mode to get a list of client IP addresses attached to the device. The new Airport Time Capsule is only compatible with Airport Utility 6.3 and I cannot figure out how to get a list of client IP addresses with this new model. Does anyone know how to do this?
Try a ping broadcast - for example if your network were 192.168.1.xxx (netmask of 255.255.255.0) try this from a Terminal.app window (located in /Applications/Utilities):
ping 192.168.1.255
If you have a different type netmask, you need to put 255's where the 0's are in your netmask.
Everyone on the local network (the 192.168.1.xxx network) should reply that it is up and running unless you have them set up to not respond to pings (the WAN port on your TC should not reply because it's in a different network) and you have your list of clients on the network. If you set up the TC to dedicate a range of addresses for WiFi clients you can even identify which of them are wired and which are wireless.
good luck. -
UNABLE TO RETRIEVE THE CLIENT IP ADDRESS AND HOST NAME OF A PORTAL USER
I'm trying to retrieve the client IP address and host name of a portal user
trying to access a portal page using APIs:
PortletRenderRequest portletRequest =
(PortletRenderRequest)request.getAttribute(HttpCommonConstants.PORTLET_RENDER_REQUEST);
HttpServletRequest servletRequest =
(HttpServletRequest)portletRequest.getAttribute(HttpCommonConstants.SERVLET_REQUEST);
String l_szClientIPAddress = servletRequest.getRemoteAddr();
String l_szClientHost = servletRequest.getRemoteHost();
but I found that for all portal users on different machines' IP addresses, the
returned IP is the same for all, which is the Portal middle tier IP address.
So how can I retrieve the IP address of a portal user trying to access a portal
page?
Brijesh,
Do you mean how to see hostname/ip address of client requests processed by the server? If yes, depending on what's your front ending component - Web Cache or OHS, you can configure the access log format to have this information recorded in either of these component's access log file.
For Web Cache access log file, refer this:
http://download.oracle.com/docs/cd/B14099_19/caching.1012/b14046/diagnostics.htm#sthref2090
For OHS access log file, refer this:
http://download.oracle.com/docs/cd/B14099_19/web.1012/b14007/servlog.htm#sthref439
By default, both Web Cache and OHS are configured to use Common Log Format (CLF) that does record hostname/ip address so if you haven't made any changes to log format, this info is already there for you. Look for $ORACLE_HOME/webcache/logs/access_log file for Web Cache and $ORACLE_HOME/Apache/Apache/logs/access_log file for OHS.
Thanks
Shail