Database authentication with 9iAS

Similar Messages

• DAD and Database Authentication with db link

  I have a report that access a table via dblink and displays the result set.
  I am trying to implement the database authentication for this using DAD. I created the new DAD without the plsqlusername and password. When I run this application with the valid apex_public_user I get a
  ORA-00942: table or view does not exist ORA-02063: preceding line from DB1
  But I can run the same SQL from sqlplus for the same user. What am I doing wrong? Any help appreciated.
  Thanks

  Found what was causing the problem. I had not given the workspace user the necessary permissions on the remote database.

• Database authentication with 9i web reports

  My apologies if this has been answered already or is an elementary question. I couldn't find the answer to it with a search.
  Simply put, how do you authenticate to the database with a JSP web report which uses the RW taglib? I've got my report ready to go but when I attempt to run it I get the error "REP-1202: ORACLE logon not specified". I've searched the documentation for a conf file to put the database configurations in but haven't come up with much. HELP!
  Jeremy

  hello,
  there are three ways of passing the database connection information to your JSP
  1) pass the parameter USERID=username/password@connectstring to the JSP
  2) code it into the parameters-attribute of the rw:reports tag in your JSP
  3) use the keymap file to define a key on the server, containing the parameter and then just pass the key to your JSP
  regards,
  philipp

• Database Authentication with CMP

  Hi all,
  I was curious if there was any way to have the login credentials for the underlying datasource that my CMP 2.0 entity bean uses be passed in somehow at "access" time (i.e. via some context object, properties, JAAS, etc).
  Basically I want to have my entity bean receive the user's username/password prior to retrieving data for the bean and have it use that authentication information to access the underlying datasource.
  Ideas? Suggestions?
  Thanks,
  Eric

  In the next release of iAS (towards end of year) single signon will be integrated with apache. At that time, it will be possible to do this.

• Update database installed with 9iAS Infrastructure?

  Hi!
  I'm about to install BIBeans on this system, which has Oracle 9i Database (9.2.0.4), 9iAS Infrastructure (9.0.2.3) and 9i Mid-Tier (9.0.2.3)... In the readme for the bibdemo schema, it says this: "Install (and upgrade, if you have an existing installation) the Oracle9i database. You must also install the required patchsets to get your database to version 9.2.0.3 or higher. Installation of the demo database schema will fail if the correct patchsets are not installed."
  I previously patched the 9i Database instance up to 9.2.0.4, but I was under the impression that Infrastructure installed its own copy of the database... Is that correct? If so, do I also have to update the IASDB? I had a look at the readme for the 9.2.0.4 DB patch, and it looked like that could only be applied to the 9i Database Server...
  Any help would be greatly appreciated.
  Thanks!

  Even I am having the same problem.
  I am still struggling to get this right but in the meantime you can start from the following URL:
  Re: Alter table doubts
  All the best.
  -Puneet

• How to use a custom database authentication with APEX_AUTHENTICATION??

  i have Custom user authentication method.
  create or replace function user_check(username varchar2,password varchar2) return boolem
  is
  check_out integer;
  begin
  select count(*) into check_out from "user" where USER_EMAIL=username and USER_PASS=password;
  if check_out >0 then
  return true;
  else
  return false;
  end if;
  end;
  apex_authentication.login() how to use. And how to make apex_authentication.login() use my method Verify User Login

  You can't mix custom authentication and the internal APEX authentication functions.. So either you use the pre-built user authentication in APEX or you can build your own CUSTOM authentication...
  Many examples of custom authentication are out there...
  Thank you,
  Tony Miller
  Ruckersville, VA

• Lync 2013 Error - Certificate could not be published in the database associated with User Services Cluster

  Hi Lync gurus,
  I have a weird issue:
  Just installed a Lync Standard 2013. 
  Everything works except I keep getting this error in Log: every 30 minute or so.
  First an Error:  Event 47067
  A server did not respond to HTTP request
  Server lyncserver.domain.local did not respond to HTTP request PublishCertRequest targeted at
  https://lyncserver.domain.local:444/LiveServer/UserPinService.
  Cause: Server might be down or the network path between servers might not be properly configured.
  Resolution:
  Please ensure that the server can be connected on the target port using telnet and then re-try.
  Then I get a Warning: Event 47068
  GetAndPublish web service failed.
  Certificate could not be published in the database associated with User Services Cluster [lyncserver.domain.local ]. Request Details - Entity: [[email protected]], Device Id: [6BB30A3E-2923-553A-8E5F-0B2FB2CEA330], Authenticated User: [sip:[email protected]].
  Additional Context: [Publish_Failure: OtherFailure;HttpNoResponse:"lyncserver.domain.local "]
  Cause: This could be due to network connectivity issues with the remote server, or because the database is down.
  Resolution:
  Please ensure that the user services is reachable and the database is up and running.
  Thanks for any help

  Please check you can telnet port 443 and port 444 on Lync Front End Serve from client.
  Try to regenerate a new certificate for Lync Front End Server.
  Check all the services on Lync Front End Server are started.
  Check the option “Enable all purposes for this certificate” is checked for the trusted root CA certificate.
  For the detailed steps:
  Run MMC--Add\Remove Snap-ins--certificates--Local Computer--Trusted Root Certificate Authorities--Certificates, find the Root CA certificate you installed--Properties--General, check the "Enable all purposes for this certificate".
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• LDAP authentication with MD5 passwords

  Hi,
  in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
  I know it is to be done with {crypt} storage scheme.
  This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
  Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
  Thanks in advance,
  Kristof

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• HOWTO: Setting up Server-Side Authentication with SSL

  This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
  It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
  NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
  The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
  1. Log on to the database server with an administrative login.
  Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
  2. Create an Oracle wallet and set up the required certificates
  (i) Open the Oracle Wallet Manager:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
  (ii) Create a new wallet (Wallet -> New).
  (iii) When prompted, elect to generate a certificate request.
  (iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
  (v) Export the certificate request to file (Operations -> Export Certificate Request).
  (vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
  (vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
  3. Configure the listener for SSL.
  (i) Open the Oracle Net8 Assistant:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
  (ii) Select Net8 Configuration -> Local -> Profile.
  (iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
  (iv) Select the Server radio button.
  (v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
  (vi) Uncheck the Require Client Authentication checkbox.
  (vii) Select Net8 Configuration -> Listeners -> [listener name].
  (viii) Add a new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2484
  (ix) Add a second new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2482
  Check the Dedicate this endpoint to IIOP connections checkbox.
  (x) Save the Net8 configuration (File p Save Network Configuration).
  (xi) Restart the listener service.
  4. Configure the database to accept SSL connections.
  (i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
  (ii) At the bottom of the file, uncomment the line that reads
  mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
  (iii) Save the file and restart the database service.
  5. Test the SSL confi guration using the Net8 Assistant.
  (i) Open the Oracle Net8 Assistant.
  (ii) Select Net8 Configuration -> Local -> Service Naming.
  (iii) Add a new net service (Edit p Create).
  Net service name: [SID].auth (e.g. iasdb.auth)
  Protocol: TCP/IP with SSL
  Host: [database server] (e.g. oraserver)
  Port: 2484
  Service Name/SID: [SID] (e.g. iasdb.orion.internal)
  Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
  (iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
  null

  Dear Alex,
  Thank you for reaching the Small Business Support Community.
  I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side.  If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
  Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
  Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• External database Authentication Issue

  Hello Experts
  I have omplemented external database authentication in my PC and somehow its not working
  Do we have to configure the details in NQSconfig file in the security section for implementing External Database Authentication .

  Hello Thanks for your concern .
  Steps i have followed
  *1)* use that table. If not, create the following table in your database.
  CREATE TABLE OBI_USER
  USERNAME VARCHAR2(255 BYTE),
  PASSWORD VARCHAR2(255 BYTE),
  GROUPNAME VARCHAR2(255 BYTE),
  DISPLAYNAME VARCHAR2(255 BYTE),
  LOGLEVEL NUMBER,
  CREATED_DT DATE sysdate,
  **2)**Created New ODBC Connection to use Separate Connection pool for OBIEE Security .
  *3)* Created New Session Initialization Block for Authentication and gave
  (SELECT USERNAME, GROUPNAME, DISPLAYNAME, LOGLEVEL FROM CPR_OBI_USER WHERE UPPER( USERNAME) =UPPER(':USER') AND UPPER(PASSWORD) =UPPER(':PASSWORD') ) by selection the new BI Security connection pool
  In the variable Traget i have defined 'USER', 'GROUP', 'LOGLEVEL','DISPLAYNAME'
  *4)* Created another Session Initialization Block for Authorization and gave (SELECT 'GROUP', GROUPNAME FROM OBI_USER WHERE UPPER( USERNAME) =UPPER(':USER'))
  And selected row wise initialization in variable target AND assigned Authentication Initialization block in the Execution Precedence .
  *5)* Created Groups in Manage-> Security-> Groups with the same group names as given in OBI_USER Table
  *6)* Added Groups in Manage Catalog and groups in Presentation Services .
  *7)* When i log on with the user which is assigned to the group in the OBI_USER Table then its giving
  (Unable to Log In     
  An invalid User Name or Password was entered.
  Please enter your User ID and Password below, and then press the Log In button.)
  Edited by: newbi on Sep 28, 2010 9:53 AM

• Database Version for 9iAS ???

  We are evaluating wich version of the DB use with 9iAS, Standard or Enterprise.
  We do mostly need reads of the database, but have at least two applications that need replication with other DB's - that could be a point for Enterprise version.
  What are the advantages of use each version ??
  Thanks
  null

  In my opinion for 9iAS itself it does not matter whether you use Enterprise or Standard edition of backend database.

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• ISE mab authentication with Avaya/Nortel switches

  Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
  When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
  Could this be an issues with the username/password format in the Radius packet from the Cisco?
  Thanks in advance for any assistance.
  -Kurt

  As requested...
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
  chBugDetails&bugId=CSCuc22732
  MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
  The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...