Custom LoginPlugin/Password Auth

Hi, I have a requirement to develop a custom auth scheme, which will notify me if the password got expired/locked or the user gets disabled. Has anyone done some work around a custom Password plugin by which I can get those notifications? Otherwise, please let me know how I should proceed.
Thanks & Regards
Debi

14:41:30 EF0F LDAP Error: 49 (weaverl)
14:41:30 EF0F LDAP Error: Invalid credentials (weaverl)
14:41:30 EF0F Error: Invalid password [D019] User:weaverl (weaverl)
Originally Posted by buckesfeld
Matt,
there's no cache. Check the POA log to see what happens upon the login attempt.
Uwe
Novell Knowledge Partner (NKP)
Please don't send me support related e-mail unless I ask you to do so.

Similar Messages

  • ACS 5.3 userbased/custom enable passwords

    Hello,
    I've installed Cisco ACS 5.3. After I created several internal users (defined password and enable password), Identity Groups, Access Policies, Network Devices and AAA Clients (e.g. Cisco 1841) for Radius, I configured my router like this:
    aaa authentication login VTY group radius local-case
    aaa authentication enable default group radius enable
    Now I'm able to log in successfully using my internal user. But if I try to use enable to enter the enable level, I receive the message "% Error in authentication." when I use the defined enable password.
    In the ACS logging I can see that "$enab15$" is missing.
    If I set up a user named "$enab15" I can log in to enable level, but what do I have to do to use the custom enable passwords?
    Kind regards
    Kai
    === Correct answer ===
    Hello,
    please see the attachment.
    Steps 1.2 - 1.5 are required for both (Radius and Tacacs). Then you have to switch to 2.1 - 2.7 for Radius or 3.1 - 3.7 for Tacacs authentication.
    The document shows you all the steps you have to take. The box on the right side shows you in the headline "Requiered for". This should help you to find out why this is configured and where you will need it in future steps. "Provided by" should tell you where you have configured it.
    But I'm sure you will make it.
    I've tested it with the following hardware:
    Cisco Router:
    600, 800, 1800, 1900, 2600, 2800, 2900, 3900, 4000, 7200, 7300 Series
    Cisco Switches:
    2900, 2950, 2960, 3550, 3560, 3750, 4500, 6500, Nexus 5500 Series
    Cisco Unified Communication:
    Call Manager Express, UC560
    Hewlett-Packard Switches:
    1700, 1800, 2500, 2600, 3500, 5400, 8100 (out of sale) Series
    Yes, working in a datacenter is fine for testing

    Hi Kai,
    can you share the configurations for TACACS? 
    Thanks

  • Standard Error Messages in Custom Change Password Screen

    Hi All,
    I've developed a custom change password screen in Web Dynpro. I want to use the standard messages that appear in the portal logon screen. I looked in the portal logon par and got the umelogonbase.jar, and found in my Eclipse dir the com.sap.security.core.jar on which this last one depends. I put them in an externallib and wrapped them in a JEE lib. I declared a dependency from my WD DC to the JEE lib and added the library reference in the WD DC.
    I have the following code:
    try {
         // Look up the account by logon ID and call setPassword on it directly
         IUserAccount userAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(wdContext.currentInfoElement().getLogon());
         userAcc.setPassword(wdContext.currentInfoElement().getOldPassword(), wdContext.currentInfoElement().getNewPassword());
    } catch (UMException e) {
         e.printStackTrace();
         error = true;
         // Try to turn the exception text into the localized logon-page message
         LogonMessageBean bean = new LogonMessageBean(WDClientUser.getLoggedInClientUser().getLocale());
         String msg = bean.print(new Message(e.getMessage()));
         wdComponentAPI.getMessageManager().reportWarning(msg);
    }
    But when I try to execute my app I get the following exception:
       java.lang.VerifyError: (class: com/cafedecolombia/ols/um/ChangePassword, method: test signature: ()V) Incompatible object argument for function call
        at com.cafedecolombia.ols.um.wdp.InternalChangePassword.<init>(InternalChangePassword.java:109)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
        ... 28 more
    Has anyone successfully done this? Are there any other dependencies? Is there an EASIER way to do this? Is there any initialization needed?
    Any help will be highly appreciated.
    Regards,
    Andrés Acero

    Ok so here is how I solved it.
    I found this very interesting article called "SAP Authentication Guideline" and there the author mentions that the messages are defined in class SecurityPolicy of the core security jar. So with that in mind this is how my code finally worked out:
    try {
         // Look up the account, then fetch a mutable copy to change the password on
         IUserAccount userAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(wdContext.currentInfoElement().getLogon());
         IUserAccount mutableUserAcc = UMFactory.getUserAccountFactory().getMutableUserAccount(userAcc.getUniqueID());
         mutableUserAcc.setPassword(wdContext.currentInfoElement().getOldPassword(), wdContext.currentInfoElement().getNewPassword());
         mutableUserAcc.commit();
    } catch (UMException e) {
         e.printStackTrace();
         error = true;
         // Let the security policy produce the localized message for this exception
         ISecurityPolicy policy = SecurityPolicyFactory.getInstance().getSecurityPolicy();
         wdComponentAPI.getMessageManager().reportWarning(policy.getLocalizedMessage(WDClientUser.getLoggedInClientUser().getLocale(), e));
    }
    Here is a link to the article on SDN:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/599ab890-0201-0010-12a1-b988e3a09735
    If you have any comments please do.
    Cheers,

  • Is SSH safer or more vulnerable with password auth?

    I've been having a fight with the university IT people about SSH being unsafe because of the possibility of a brute-force password attack. Of course (as I explain to them) there are myriad ways to thwart this, some of which I had already taken before the fight began (only allow a short time to connect successfully, for example). (Although, I haven't been able to figure out if SSH can simply decide to refuse a connection after a certain number of failed passwords, but that's another issue..). On the other hand, I have seen a few sites in my SSH googling that hint that the RSA key authentication is less secure than password authentication.
    So, my question I would like to submit for discussion is this: Is a passwordless RSA key authentication more or less secure than password authentication, and why? Or, if you would rather, under what circumstances are each method more vulnerable?

    I think it really depends on the attack vector you are looking at.
    Assuming mutually exclusive for the sake of this discussion (either key-based auth with password login disabled, or password login and key based auth disabled). A password-less ssh key is likely more vulnerable to an endpoint exploit -- as if an attacker has your sshkey without a password, he has access. Password-over-ssh is likely more vulnerable to a server-side exploit -- opens the password-guess vector, and if you aren't paying attention to the 'fingerprint doesn't match' message and someone hijacks your dns, you could attempt to login to a compromised system, thus giving away your password. Key-based auth would fail if they did not have your public key on the compromised server (you would still see the fingerprint difference message though).
    You can do things to increase the security of the above vectors, from using a passphrase on your ssh-key and using ssh-agent (so you only have to auth once per session and it simply 'unlocks' your key, and doesn't leave it laying around open)..to using something like knockd or fail2ban on the server side.
    Personally, I use a passphrase protected ssh key (along with ssh-agent), and disable interactive (password) authentication on my boxes anytime they are exposed to a public network (along with adding root to the denyusers ssh list).
    Last edited by cactus (2009-07-08 01:52:11)
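
The server-side settings raised in this thread (password logins, root access, the connection time limit and the failed-password limit) can be checked mechanically. The following is an added example, not part of the original posts: a small auditor for the global section of an sshd_config. The sample configs are constructed, and the `MAX_TRIES` and `MAX_GRACE` thresholds are assumptions chosen for the example.

```python
import re

# OpenSSH defaults for the keywords checked here, per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "logingracetime": "120",
}
# ChallengeResponseAuthentication is a deprecated alias in current OpenSSH.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MULTI = {"denyusers"}  # repeated lines accumulate instead of first-wins
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Assumed thresholds for this example, not values taken from the thread.
MAX_TRIES = 3
MAX_GRACE = 30  # seconds


def parse_global(text):
    """Return effective global settings; sshd keeps the first value it sees."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single "=".
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        key = ALIASES.get(key, key)
        if key == "match":  # simplification: Match blocks are not evaluated
            break
        value = m.group(2).strip()
        if key in MULTI:
            seen.setdefault(key, []).extend(value.split())
        elif key not in seen:
            seen[key] = value
    return {**DEFAULTS, **seen}


def grace_seconds(value):
    """Convert an sshd time value such as '120', '2m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    return sum(int(n) * UNITS[u] for n, u in parts)


def audit(text):
    """Return {keyword: reason} for settings that leave password guessing open."""
    cfg = parse_global(text)
    findings = {}
    if cfg["passwordauthentication"].lower() != "no":
        findings["passwordauthentication"] = "passwords can be guessed over the network"
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings["kbdinteractiveauthentication"] = "keyboard-interactive may still prompt for a password"
    root_denied = "root" in cfg.get("denyusers", [])
    if cfg["permitrootlogin"].lower() != "no" and not root_denied:
        findings["permitrootlogin"] = "root is neither refused nor listed in DenyUsers"
    if int(cfg["maxauthtries"]) > MAX_TRIES:
        findings["maxauthtries"] = "more than %d attempts per connection" % MAX_TRIES
    grace = grace_seconds(cfg["logingracetime"])
    if grace == 0 or grace > MAX_GRACE:
        findings["logingracetime"] = "unauthenticated connections may stay open too long"
    return findings


# Constructed sample: password logins left on, everything else at defaults.
WEAK = """\
# constructed sample
Port 22
PasswordAuthentication yes
PasswordAuthentication no
LoginGraceTime 2m
"""

# Constructed sample: key-only logins, root denied, tight limits.
HARDENED = """\
# constructed sample
PasswordAuthentication no
ChallengeResponseAuthentication no
DenyUsers root
MaxAuthTries 3
LoginGraceTime 30
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

MaxAuthTries limits attempts per connection only; limiting attempts across connections is the job of a tool such as fail2ban, as the reply above notes.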

  • Set custom generated password during create user and email to user

    Hi,
    In OIM 11g r2, I want to generate a password using some logic and send a notification to the user with the generated password during user creation.
    Please let me know how to achieve that.
    Can I use some post process event handler? If yes, then how do I set the custom password for the user?

    Refer:
    How To Use The OIM 11g Password Generator Feature To Generate Random Password For A User (Doc ID 1273464.1)

  • Custom DB password in WCS 7.0.220.0

    Hi there,
    we are desperately trying to set a custom password of our WCS database in order to use it for direct SQL queries (Cumbersome over Web surface).
    To my knowledge there is a way to reset it however this password would be randomly generated and not available in plain text.
    Until version 6 there was a feature to directly set a password via the dbadmin command.
    Anyone know a way? Thanks!
    Regards,
    Patrick

    Hi all,
    I hope not too many have followed my approach yet as it comprises a problem. That is leaving the dbopts.db file (that contains the encrypted password for the 'dba' user) in the directory /WCS7.0.230.0/webnms/db/eval_kit/standalone unmodified which will no longer allow to start the database server if the WCS service is re-started due to invalid credentials or mismatch between database user record and the password in dbopts.db file.
    You would find similar messages as shown below in the logfile solmsg.out
    [root@WCS standalone]$ more solmsg.out
    23.07 14:36:52 User 'DBA' was disconnected abnormally, user id 39, machine id WCS.
    23.07 14:36:52 User 'DBA' was disconnected abnormally, user id 53, machine id WCS.
    23.07 14:36:52 Memory allocation size has fallen below 1483MB. Current size: 1483647331 bytes. Number of allocations: 12465.
    23.07 14:36:56 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 14:38:04 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 14:46:17 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 14:49:52 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:03:56 Server shut down by either ALT+F4 or kill command
    Mon Jul 23 15:09:36 2012
    Version: 04.50.0184
    Operating system: Linux 2.6.18 ix86 MT
    Solid BoostEngine - v.04.50.0184 (Linux 2.6.18 ix86 MT)
    (C) Copyright Solid Information Technology Ltd 1993-2010
    Using license file /data/WCS/WCS7.0.220.0/webnms/db/eval_kit/standalone/solid.lic
    License for Solid BoostEngine 4.x, Standard Edition
    Development license
    Serial number: 416000266
         4 processors
         100 concurrent connections
         25 threads
         SmartFlow option
         HotStandBy option
         1 master databases
         5 replica databases
         Accelerator option
         Diskless replica option
    Licensed to:
         Cisco Systems
         WCS WNBU
    Current working directory changed to /data/WCS/WCS7.0.220.0/webnms/db/eval_kit/standalone
    Using configuration file /data/WCS/WCS7.0.220.0/webnms/db/eval_kit/standalone/solid.ini
    Starting roll-forward recovery, please wait ...
    Recovery of 2242 transactions successfully completed
    23.07 15:09:57 Listening of 'TCP/IP localhost 1315' started.
    23.07 15:09:58 Solid BoostEngine started at Mon Jul 23 15:09:58 2012
    23.07 15:09:58 Database started.
    23.07 15:09:58 Memory allocation size has exceeded 1102MB. Current size: 1102911836 bytes. Number of allocations: 738.
    23.07 15:09:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:14:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:19:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:24:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:29:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    23.07 15:34:58 User 'DBA' tried to connect from WCS with an illegal username or password.
    In order to avoid that problem please follow the steps below:
    Please note, that the first two steps are only necessary if you did already change the 'dba' user password with the SQL statement ''ALTER USER dba IDENTIFIED BY ") and only replacing the dbopts.db file does not resolve the issue of mismatching credentials.
    1)
    Uninstall the WCS 7.0.220.0 installation
    2)
    Conduct a fresh installation of WCS 7.0.220.0 (or successor version 7.0.230.0).
    Restore from an existing database backup (http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0main.html#wp1077207).
    3)
    Stop the WCS 7.0.220.0 (or 7.0.230.0) service
    Update (2012/07/25, 08:18 UTC):
    If the database server cannot be stopped by using the /opt/WCS7.0.30.0/StopWCS script, navigate to the /WCS7.0.230.0/webnms/db/bin directory and connect to the database server with the command "./solcon 'tcp localhost 1315' dba ". Issue the command "shutdown" in order to stop the database service. You will be automatically disconnected from the database server. Stopping the WCS service by using the /opt/WCS7.0.30.0/StopWCS script will now work and you can proceed with the next step.
    4)
    Conduct a fresh installation of WCS 6.0.202.0.
    Start the WCS 6.0.202.0 service.
    Run the dbadmin.sh utility and change the database password for the user 'dba' (./dbadmin.sh password ).
    This will update both the corresponding user record in the database itself as well as the dbopts.db file.
    5)
    Stop the WCS 6.0.202.0 service.
    Start the WCS 7.0.220.0 (or 7.0.230.0) service.
    6)
    Run the SQL statement as described in my previous post.
    7)
    Make a backup of the dbopts.db file of the v7 installation and replace it with the one of the v6 installation.
    [root@WCSstandalone]# pwd
    /data/WCS/WCS7.0.230.0/webnms/db/eval_kit/standalone
    [root@WCS standalone]# cp dbopts.db dbopts.db.backup-v7
    [root@WCS standalone]# rm -rf dbopts.db
    [root@WCS standalone]# cp /data/WCS/WCS6.0.202.0/webnms/db/eval_kit/standalone/dbopts.db .
    8)
    Restart (Stop and start) the WCS 7.0.220.0 (or 7.0.230.0) service.
    By doing so, the WCS will continue working without any problems and direct database access is possible.
    [root@WCS bin]# /opt/WCS7.0.230.0/WCSStatus
    Health Monitor is running.
    WCS is running.
    Database server is running
    Apache server is running
    [root@WCS bin]# ./solsql -e "select * from SYS_USERS" 'tcp localhost 1315' dba
    Solid SQL Editor (teletype) v.04.50.0188
    (C) Copyright Solid Information Technology Ltd 1993-2010
    Connected to 'tcp localhost 1315'.
           ID NAME               TYPE                    PRIV PASSW           PRIORITY   PRIVATE LOGIN_CATALOG    
            1 DBA                USER                       1       NULL         0 WEBNMSDB         
    1 rows fetched.
    SOLID SQL Editor exiting.
    Please apologize my delayed update to this post!
    HTH
    Stephan

  • Complete List of Error Codes for Customized Change Password Page

    Hi,
    does anyone have a complete list of "Change Password Page Error Codes"?
    The list provided in the document:
    Oracle® Application Server Single Sign-On Administrator's Guide
    10g (9.0.4)
    Part Number B10851-01
    seems to be incomplete. (See: http://download-uk.oracle.com/docs/cd/B10464_01/manage.904/b10851/custom.htm#1009955 )
    I found at least three additional / different error codes:
    auth_fail_err
    pwd_minlength_err
    pwd_numeric_err
    I'm using a JSP Page.
    Thanks for help

    Hi,
    I found the list in the OID Admin Documentation. The list contains the error messages the OID sends to the client. In case of SSO, the client for the OID is the SSO server. So now I know which errors are transmitted to the server, I have to find out what the server sends to the SSO Page for Password change. Probably I should test all cases documented in the OID Admin doc to find the appropriate values for SSO Server.
    Thanks for the tip

  • Custom mass password generate  program

    Hi,
    I'm required to develop a mass password generate program to be sent to the user via mail. I'm using the RSEC_GENERATE_PASSWORD function module to generate the random password, but how do I update the user password? That puzzles me. Is there any process/class/method/FM/BADI etc. that will update/create a user? Has anyone done this before? Appreciate any advice/pointers.

    Hi Lawrence,
    You can do this in 2 ways viz:-
    1. Use BAPI_USER_CREATE1 to create new users in system and assign initial password to the users just created by BAPI_USER_CHANGE. After this you can use function module SUSR_USER_BUFFER_AFTER_CHANGE to refresh the buffer.
    2. Do a BDC of SU01 transaction with proper check of authority object.
    I would recommend option 1. Please check and let me know if you face any problems.
    Reward points if this helps.
    BR,
    Atanu
    Moderator Message: Asking for points violates the Forum Rules Of Engagement
    Edited by: Suhas Saha on Jul 26, 2011 10:48 PM

  • How can you create a customized page to change user password?

    Hello to all,
    I would like to create a customized page for a user to change their password. We are using Portal version 3.0.9 on Windows NT/2000. Currently there is a page in portal where a user can change their password.
    I tried linking to that page by copying the shortcut url and adding it as an html portlet. The problem is that we want to direct the users to a page of our choosing when they click on the "cancel" and "ok" buttons. I read in the forums that there is a selfreg.cmd script.
    I also read that there is some code that has been available.
    Has anyone implemented a customized user password change page? Do you know of any links that might have steps to follow or more information?
    Thanks in advance,
    Lindsay

    Hi,
    I was able to customize the change password screen through a procedure. This is what I did:
    * Created a procedure under the Portal30_sso schema:
    CREATE OR REPLACE procedure reports_chage_password
    (
    site2pstoretoken in varchar2 default null
    ,p_username in varchar2 default null
    ,p_error_code in varchar2 default null
    ,p_submit_url in varchar2 default null
    ,p_done_url in varchar2 default null
    ,p_pwd_is_exp in varchar2 default null
    ,p_password in varchar2 default null
    )
    is
    begin
    htp.htmlopen;
    htp.headopen;
    htp.title ('<TITLE of Page>');
    htp.headclose;
    htp.bodyopen;
    htp.p('<table width="100%"><tr><td colspan=2 align=center><IMG SRC="<directory of image if you want>"><br><hr><br></td></tr>');
    htp.p('<tr><td colspan=2 align=center>');
    htp.p('<font COLOR="#000080" face="Times New Roman" size=+2><b>');
    htp.header(nsize => 1 ,cheader => 'Change Password');
    htp.p('</b></font>');
    htp.p('</td></tr><tr><td align=right>');
    htp.formopen(curl => p_submit_url );
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Username:');
    htp.p('</td><td align=left><font color="#000080" face="Times New Roman" size=+1>');
    -- Escape the request parameter before echoing it into the page
    htp.p(htf.escape_sc(p_username));
    htp.p('</font>');
    htp.p('</td></tr>');
    htp.formHidden(cname => 'p_username',cvalue => p_username);
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Old Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_old_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.br;
    htp.p('<tr><td align=right>');
    htp.p('<font color="#000080" face="Times New Roman" size=+1>');
    htp.p ('Confirm New Password: ');
    htp.p('</font>');
    htp.p('</td><td align=left>');
    htp.p ( htf.formPassword(cname => 'p_new_password_confirm',csize => 30,cmaxlength => 30) );
    htp.p('</td></tr>');
    htp.p('<tr><td rowspan=2>');
    htp.formHidden(cname => 'p_done_url',cvalue => '<the url that you want users to go to when they are done>');
    htp.formHidden(cname => 'p_pwd_is_exp',cvalue => p_pwd_is_exp);
    htp.formHidden(cname => 'p_password',cvalue => p_password);
    htp.formHidden(cname => 'site2pstoretoken',cvalue => site2pstoretoken);
    htp.p('</td></tr>');
    htp.p('<tr><td align=right>');
    htp.formSubmit(cname => 'p_action',cvalue => 'OK');
    htp.p('</td><td align=left>');
    htp.formSubmit(cname => 'p_action',cvalue => 'CANCEL');
    htp.p('</td></tr></table>');
    if p_error_code is not null then
    htp.br;
    htp.fontOpen(ccolor=> 'red', csize=> 4);
    if p_error_code = 'auth_fail_err' then
    htp.p('Old password is incorrect');
    elsif p_error_code = 'pwd_rule_err' then
    htp.p('The new password does not follow '||
    'the password policies.');
    htp.br;
    htp.p('Verify with your System Administrator '||
    'about the Password Policies');
    elsif p_error_code = 'confirm_pwd_fail_txt' then
    htp.p('Confirmation for new password is not '||
    'the same as the New Password');
    elsif p_error_code = 'null_new_pwd_err' then
    htp.p('New password cannot be null');
    elsif p_error_code = 'null_old_pwd_err' then
    htp.p('Old password cannot be null');
    else
    -- Escape the unrecognised code before echoing it into the page
    htp.p ('Error: ' || htf.escape_sc(p_error_code) );
    end if;
    htp.fontClose;
    end if;
    end;
    * Grant this procedure to PUBLIC
    * Update the portal30_sso.wwsso_ls_configuration_info_$:
    UPDATE portal30_sso.wwsso_ls_configuration_info_$
    SET LOGIN_URL = '<YOUR CUSTOM LOGIN URL OR THE WORD UNUSED IF YOU DO NOT HAVE ONE> http://<MACHINE_NAME>.<DOMAIN>/pls/portal30_sso/portal30_sso.<NAME OF PROCEDURE>';
    * After you update the table, go to your account information link, and click on the change password link.
    * Then copy the url that you see in your address line
    * And if you want a change password link at the top of your portal page, just go to EDIT on your page, then edit the banner defaults. Then in the links add the Label and the URL. The URL would be the URL you copied from the previous step.
    Hope this helps.
    I've customized the login page too if you would like some sample code for that. Let me know.
    Martin

  • *** How to get the username in a custom password change routine....

    How to get the username in a custom password change routine / procedure / form when a user's password has expired and is redirected automatically to this custom program?
    We use the 2nd parameter in LOGIN_URL column in WWSSO_LS_CONFIGURATION_INFO$ table to get to this custom change-password proc.

    OK !
    Use that maybe good :
    select USERID into v_user from sys.aud$
      where ntimestamp#=(
      select max(ntimestamp#)
      from sys.aud$ );

  • Customer trying to login cannot reset password

    Customer tried to login and could not, tried to reset password twice never got the email.
    [email protected]
    John Harrison
    Customer needs password reset, and a call or email to let him know when this is fixed. 415 581 8593

    Please read the login FAQ:
    http://forums.oracle.com/forums/ann.jspa?annID=14

  • Intel AMT upgrade to 2.6 , forgot password

    Hi,
    I got a T61 with Intel AMT version 2.5.0.18. I forgot the Intel ME password, tried a lot of times and couldn't recollect it. I searched in Google and found out that one has to remove the CMOS battery and replace it to get the default password "admin" to enter the Intel ME configuration page after pressing Ctrl+P, but the thing is I do not know how to replace the CMOS battery. I have checked the Lenovo technical info site and couldn't get any information about the CMOS battery instructions. I want complete, clear instructions on how to remove and put back the CMOS battery in my T61 laptop so as to get the default "admin" password to enter the Intel ME setup page while booting to my desktop. I also want to know, since there is an upgrade to Intel AMT 2.6 on the Lenovo upgrade site through System Update, can I just upgrade to AMT 2.6 even if I forgot my password? I mean, if I click on the package which I have downloaded, will it upgrade while booting up, or will it ask for the password when I press Ctrl+P and then need to go into it? Please let me know, do you have any online or tech support so as to reset my Intel ME password to admin? I am very much confused and worried since I forgot my password and don't want to screw up my system.

    Yes, I forgot to add whats going on exactly in /var/log/auth.log when I try to login.
    tail -f /mnt/custom/var/log/auth.log
    Feb  1 17:55:57 dell agetty[3327]: tty1: can't exec /bin/login: Exec format error
    Feb  1 17:56:25 dell agetty[4279]: tty1: can't exec /bin/login: Exec format error
    Feb  1 17:56:47 dell agetty[3332]: tty6: can't exec /bin/login: Exec format error
    Feb  1 17:56:54 dell agetty[4284]: tty1: can't exec /bin/login: Exec format error
    Feb  1 17:59:05 dell agetty[3272]: tty1: can't exec /bin/login: Exec format error
    Feb  1 18:01:40 dell agetty[3297]: tty1: can't exec /bin/login: Exec format error
    Feb  1 19:12:54 dell agetty[3314]: tty1: can't exec /bin/login: Exec format error
    Feb  5 17:56:13 dell agetty[3298]: tty1: can't exec /bin/login: Exec format error
    Feb  5 17:58:15 dell agetty[4247]: tty1: can't exec /bin/login: Exec
    Feb  6 14:18:56 dell agetty[3306]: tty1: can't exec /bin/login: Exec format error
    Feb  6 14:19:54 dell agetty[3308]: tty3: can't exec /bin/login: Exec format error

  • SSO password push to another database

    We are about to enforce password expiration times at our company, which as of now we do not use. Currently, when a user chooses to change their password, we have modified the link to point to a procedure which first updates the SSO password using calls to the DBMS_LDAP package, and then reaches across a db link to a stored procedure on another oracle database which issues an "alter user ... identified by ..." command to sync the passwords in that database.
    This isn't an issue currently because without a password expiration change being enforced, users only change passwords through the Portal app. However, now that there is an expiration warning involved, the user is prompted to change their password at the SSO level before they are authenticated into Portal. The form which handles this is
    $ORACLE_INFRASTRUCTURE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/jsp/password.jsp
    Looking at this file, I wasn't able to come up with what it might be calling so I would know what to modify. Any ideas?

    AMN wrote:
    1. Do you change passwords for portal users in the SSO or for the schema users in the DB?
    a. alter user SOMEONE identified by SOMEPASSWORD works for db schema users. and you do not make a schema user for each portal user; or do you or have you? Portal users are different from the schema users.
    2. In all of 10g Portals, you can change passwords for portal users by directing them to a default Change Password utility in the oiddas (oid delegated administration service/ self service console) which is accessible at http: //yourdomain.com:7777/oiddas. (use this port number).
    3. for a custom change password utility for your company, explore DBMS_LDAP packages for changing user password attributes in OID.
    4. this above file (password.jsp) is mentioned in the deployment specific pages that you can write for your own custom application. these pages are login, change password and logout pages. for that purpose, read the chapter given in this link. basically, you write your own pwd.jsp in the change pwd page and mention it in the sso.properties.
    1> Yes, we do create schema users for each Portal user. The home-brew Java apps hook into the db directly. The portal offers a framework for accessing the cgi scripts.
    2> True, but this will not push password changes to the schema users.
    3> We have a custom change password procedure which first does all the DBMS_LDAP stuff, and then calls a procedure across a DB link to do the ALTER USER ...
    4> Actually I found this which outlines a method for modifying the INFRASTRUCTURE_ORACLE_HOME/sso/conf/policy.properties file to point to custom login/password URLs. While we're already using a custom login (not through this framework though I'm thinking of adopting it now that I know it exists), I created a custom password change file based on the password.jsp which doesn't allow them the option of changing their password and simply tells them "your password is about to expire" or "has expired" and then allows them to click OK to be shuffled into the main framework of Portal where they will be back into our customized solutions. It works to our needs, and from what I can tell, further customizations would require changing the ChangePwdServlet, which is way out of bounds.
    Just for background, this portal environment was set up in 2007, and I inherited it here at this company when I joined 6 months back as a DBA. I've not worked with it before and in that time I've got the basic admin stuff down and have staged Production to a new test environment with new hosts/ips (kind of a tricky process as I would learn). As I'm learning, not all the customizations are outlined in the documentation and some that are can be difficult to find, which is why in this area OTN has been a great help. Especially when trying to understand how to generate the site2ptoken for the new staged environment.
    I appreciate all the responses on these threads.
    PS> To address another comment, as part of this password strength initiative I did learn about the OID plugin framework for passwords. I had to, since the OID options out-of-box aren't strong enough to meet our security requirements. With that in place we get functionality for testing for password similarities and special chars.
    Edited by: athompson88 on Jun 19, 2009 6:49 AM

  • Forcing a user's password to be expired

    I am trying to test my customized change password page. I have updated the URL in the LS_CONFIGURATION table. How can I force a user to produce the change password page so I can test my customized change password page?

    Also, is there a way to force the user's password to expire upon first successful login and likely force the user to change the pre-assigned password? This is a requirement on the customer's wishlist.
    Chris, please let us all know if you get an answer to your question. I can't be the only person who'd be interested.
    Mike

  • URGENT : Password management

    Hi
    I'm in the position where I am required to put a constraint on the user (e.g. scott) where the person that logs in is not allowed to change the password, i.e. alter user scott identified by other_password will not be allowed.
    Can anyone help me on this? How do I go about doing it?
    Thanks

    You could invoke password checking by:
    1. run the script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
    2. create a custom verify password function in the sys account or alter the default verify_function function so that it will raise an exception depending on your requirements.
    3. Create a profile, or alter the default profile like so:
    alter profile default limit password_verify_function myverify_function;
    I am not sure if you want to apply this to all users or some users i.e. schema owner accounts, so you will have to figure out what logic you need to raise the exception, for example (stop user scott from changing his password):
    create or replace function myverify_function
    (username varchar2,
    password varchar2,
    old_password varchar2)
    return boolean is
    n boolean;
    begin
    -- Reject any password change attempted for SCOTT
    if username='SCOTT' then
    raise_application_error(-20001, 'User may not change his password');
    end if;
    -- Other password checking as required
    return(TRUE);
    end;
    /
