Datagram socket and security manager

Similar Messages

• Socket and Security Policy

  I've tried to set experiment with Socket communication in Flex, but I keep hitting problems. Approach 1: in a Flex web app, I load a crossdomain security policy from a server. I then open a socket and write a few bytes to the server. In my server, I do not get the expected output on the stream--in fact, I get nothing at all--until I close the Flex application, at which point I get a seemingly inifinite stream of the bytes '0xEFBFBF'. Here's a hexdump view of a fragment of the data Flash Player sends to the server after I close the Flex app:
  00000130  ef bf bf ef bf bf ef bf  bf ef bf bf ef bf bf ef  |................|
  00000140  bf bf ef bf bf ef bf bf  ef bf bf ef bf bf ef bf  |................|
  00000150  bf ef bf bf ef bf bf ef  bf bf ef bf bf ef bf bf  |................|
  Approach 2: I then tried it in air, but although the connection seems to initiate properly and I can go through the above trivial client-server interaction, after a few seconds, I get a SecurityErrorEvent. From what I've been able to follow of the docs, Air applications are trusted in this respect, and should not need to load security policy, right? I tried to add a call to Security.loadPolicy(), but it seems to be ignored. This is the message flow:
  Received [class Event] connect
  Received [class ProgressEvent] socketData
  Received [class Event] close
  Received [class SecurityErrorEvent] securityError
  Security error: Error #2048: Security sandbox violation: app:/main.swf cannot load data from localhost:5432.
  The Air version of my client code is below:
  <?xml version="1.0" encoding="utf-8"?>
  <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
  <mx:Script>
      <![CDATA[
          var str:Socket;
          private function handleClick(e:Event):void {
              Security.loadPolicyFile("xmlsocket://localhost:2525");           
              str = new Socket('localhost', 5555);
              var message:String = 'hello';
              for (var i:int = 0; i < message.length; i++) {
                  str.writeByte(message.charCodeAt(i));               
              str.writeByte(0);
              str.flush();
              str.addEventListener(Event.ACTIVATE, handleEvent);
              str.addEventListener(Event.CLOSE, handleEvent);
              str.addEventListener(Event.CONNECT, handleEvent);
              str.addEventListener(Event.DEACTIVATE, handleEvent);
              str.addEventListener(IOErrorEvent.IO_ERROR, handleEvent);
              str.addEventListener(ProgressEvent.SOCKET_DATA, handleEvent);
              str.addEventListener(SecurityErrorEvent.SECURITY_ERROR, handleEvent);           
          private function handleEvent(e:Event):void {
               trace("Received", Object(e).constructor, e.type);
               if (e is ProgressEvent) {
                   var strBytes:Array = [];
                   while(str.bytesAvailable > 0) {
                       var byte:int = str.readByte();
                       strBytes.push(byte);
                   trace(String.fromCharCode.apply(null, strBytes));
               } else if (e is SecurityErrorEvent) {
                   trace("Security error:", SecurityErrorEvent(e).text);
      ]]>
  </mx:Script>
  <mx:Button label="test" click="handleClick(event)"/>   
  </mx:WindowedApplication>
  The server is in Java and is as follows:
  import java.net.*;
  import java.io.*;
  public class DeadSimpleServer implements Runnable {
      public static void main(String[] args) throws Exception {
          if (args.length != 2) {
              throw new Exception("Usage: DeadSimpleServer policy-port service-port");
          int policyPort = Integer.parseInt(args[0]);
          int servicePort = Integer.parseInt(args[1]);
          new Thread(new DeadSimpleServer(policyPort,
                                          "<?xml version=\"1.0\"?>\n" +
                                          "<cross-domain-policy>\n" +
                                          "<allow-access-from domain=\"*\" to-ports=\"" + servicePort + "\"/>\n" +
                                          "</cross-domain-policy>\n"
                     ).start();
          new Thread(new DeadSimpleServer(servicePort, "world")).start();
          while (true) Thread.sleep(1000);
      private int port;
      private String response;
      public DeadSimpleServer(int port, String response) {
          this.port = port;
          this.response = response;
      public String getName() {
          return DeadSimpleServer.class.getName() + ":" + port;
      public void run() {
          try {
              ServerSocket ss = new ServerSocket(port);
              while (true) {
                  Socket s = ss.accept();
                  System.out.println(getName() + " accepting connection to " + s.toString());
                  OutputStream outStr = s.getOutputStream();
                  InputStream inStr = s.getInputStream();
                  int character;
                  System.out.print(getName() + " received request: ");
                  while ((character = inStr.read()) != 0) {
                      System.out.print((char) character);
                  System.out.println();
                  Writer out = new OutputStreamWriter(outStr);
                  out.write(response);
                  System.out.println(getName() + " sent response: ");
                  System.out.println(response);
                  System.out.println(getName() + " closing connection");
                  out.flush();
                  out.close();
                  s.close();
          } catch (Exception e) {
              System.out.println(e);
  Am I missing something? From what I understand, either of these approaches should work, but I'm stuck with both. I have Flash Player 10,0,15,3 and am working with Flex / Air 3.0.0 under Linux.

  So... apparently, with the Air approach, this is what I was missing: http://www.ultrashock.com/forums/770036-post10.html
  It'd be nice if FlashPlayer gave us a nicer error here.
  I'm still trying to figure out what the heck is going on in the web app (i.e., non-Air Flex) example. If anyone has any suggestions, that would be very helpful.

• Business Objects XI R2 SP2 with Tomcat and Security Manager enabled

  XI R2 SP2 Unix server:
  I need to start the tomcat that is embedded in Business Objects with Security Manager enabled. Is there a writeup on how to do that? This changes the port that tomcat runs on, so do I just change all references to the port that it is currently running? Is it that simple?
  Thanks for any advice!

  It sounds like an issue that would need to be troubleshot by an engineer. Can you open  a message with support?
  Cluster members for client tools are defined in the windows registry. Does infoview work?
  Regards,
  Tim

• CS Mars, Cisco Works and Security Manager

  If we wanted to get all three applications, do cisco bundle it into one package? Or does it have to be purchased separately?

  do we need a NetFlow card or is the service implemented by default in Cat4500. Is MARS & CSM suitable solution for main configuring, incident monitoring and evaluation of ASA5520 & Cat4500?
  Yes, you need WS-F4531= card (Netflow is not available in Cat IOS as a service/command), which works with Cat 4500 Sup IV/V.
  MARS is a monitoring device, and CSM is a management device. You can get critical NBA (Network Behaviour Analysis) alerts from MARS, and from CSM you can get configuration backups/audit/bulk administration (of security devices only).
  Hope that helps.

• Config Repository and Security management Tools, Attn Frank/anyone

  Hi Frank:
  I am trying to change permissions not from JDEV but from a "tool." Our customer might want to change permissions once delivered.
  I looked over the link you sent me. I am somewhat confused. On Page 17, it says "use Application Server Control" for Users/Roles .
  For policies, it says use JAAS Provider Tool (which is the command line tool, I guess). However, third column says Tools for JAAS Login Module (n/a).
  I am assuming I have start start_oc4j.bat whether it is standalone or embedded.
  "App Server Control" tool web-based and started via http://localhost:8888/em? Looks like there is a place to change default module. Wonder we can use the tool to set secure-web-app?
  For policies, and JAAS AdminTool, how do I issue the commands. Is this the one to do with changing permissions? Do I have to specify all paths when issuing commands? Where are the commands doc?
  I am testing in embedded environment, not standalone. Can I still use the above tools and how? (Any doc/examples)
  Lastly, I am not even sure if I can use any of these? I use custom JAAS Login Module and the doc says "n/a". Does that mean I have to change permissions manually?
  Thanks

  Hi,
  actually enterprise managed in OC4J might not be as powerful as EM in ApplicationServer. I never used both of them to configure security and instead used Textpad as I am feeling confident with the syntax to use.
  Frank

• Datagram socket is not working

  Hi,
  I made a datagram socket and try to send a byte array. but when I called socket.send method it returned an error that an operation is attempted on invalid socket. What I am missing
  here is my code...
  <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" width="480" height="262">
  <mx:Script><![CDATA[
  private var udp:DatagramSocket = new DatagramSocket();
  private var address:String = "255.255.255.255";
  private var port:uint = 200;
  private function OnSend():void
    udp.addEventListener(DatagramSocketDataEvent.DATA, RecvUdpDataHandler);
    var byteArray:ByteArray = new ByteArray();
    byteArray.endian = Endian.LITTLE_ENDIAN;
    byteArray.writeMultiByte("dvcrNetshare", "US-ASCII");
    byteArray.writeUnsignedInt(123);
    udp.send(byteArray, 0, byteArray.length, address, port);
    udp.receive();
  private function RecvUdpDataHandler(obj:DatagramSocketDataEvent):void
    var str:String = obj.srcAddress;
    var srcport:int = obj.srcPort;
  ]]></mx:Script>
  <mx:Button x="206" y="134" label="Send" click="OnSend()"/>
  </mx:WindowedApplication>
  Thanks

  You can call Apple and appeal their decision if you wish to (or go back to the store and ask for a supervisor or manager to assess your device - basically dispute the genius claim and ask to have it bumped up the chain of command).  Ultimately though they are the ones who decide if your damage is a warranty-related defect or something caused by accidenatal damage or abuse.  If they say you are not eligible for a warranty repair, then you pay the fee for an out of warranty repair.

• Confused about Datagrams and security model

  Hi,
  I'm trying to write a java Applet that opens a port back to it's originating machine.
  I'm having a lot of problems. I've seen so much code out there that is so different and I've only been able to get some of it to work.
  My code currently works on Mac OS X, but not Mac OS 9, or any windows platform that I've tried.
  I'm thinking I might have some Java2 specific code, and that's why Mac OS 9 isn't working, but windows gives a security error.
  Here's the code that gives an error:
  DatagramSocket socket = null;
  public void getMySocket() throws IOException
  socket = new DatagramSocket(5252);
  Here's the error I get:
  com.ms.security.SecurityExceptionEx[auth.getMySocket]: cannot access 5252
       at com/ms/security/permissions/NetIOPermission.check
       at com/ms/security/PolicyEngine.deepCheck
       at com/ms/security/PolicyEngine.checkPermission
       at com/ms/security/StandardSecurityManager.chk
       at com/ms/security/StandardSecurityManager.checkListen
       at java/net/DatagramSocket.create
       at java/net/DatagramSocket.<init>
       at java/net/DatagramSocket.<init>
       at auth.getMySocket
       at auth.init
       at com/ms/applet/AppletPanel.securedCall0
       at com/ms/applet/AppletPanel.securedCall
       at com/ms/applet/AppletPanel.processSentEvent
       at com/ms/applet/AppletPanel.processSentEvent
       at com/ms/applet/AppletPanel.run
       at java/lang/Thread.run
  I thought it was possible to open a socket back to the originating machine with no problems, but that doesn't seem to be the case.
  I don't seem to be able to open any datagram sockets without getting a security violation.
  I need to be able to implement this applet with no platform specific libraries, and I can't require the clients to have to "allow" the applet access.
  I'd really like to be able to get ahold of someone at sun, since this is a project for the University of Utah. Are there any sun developers watching that think they could help out?
  Does anyone else have any suggestions?
  I don't really understand what's going on here, even after reading other forum posts.
  Thanks in advance,
  - Terry

  Datagram or not, you've definitely blown the lock on the sandbox, and IE isn't happy. You ARE allowed connections back to the originating server, generally on the default port (80), but it looks like you'll probably have to sign this puppy.
  For more information check out:
  http://www.microsoft.com/Java/security/default.htm

• I forgot the answers for the security questions and when I try to change them (My Apple ID - Manage your account - Password and Security) I'm asked to answer the exact questions I'm Trying to change because I don't remember the answers. How can I do it?

  I forgot the answers for the security questions and when I try to change them (My Apple ID -> Manage your account -> Password and Security) I'm asked to answer the exact questions I'm trying to change because I don't remember the answers. How can I do it?

  Can't you try the email option instead?

• I have been trying to reset my security questions. i have found others who said they changed them from the manage account and then password and security online, but i am asked to answer the security questions i don't know the answers to. help?

  for some reason apple thinks ill know the answers when im trying to change them haha :/ does anyone know how to bypass this or any other way to change the security questions for your account?

  Welcome to the Apple Community.
  Start here, and reset your password, you will receive an email with your new password, then go to manage your account > Password and Security and change your security questions.
  If that doesn't help you might try contacting Apple through iTunes Store Support

• Client Security Solution--and Password Manager--no longer autoruns

  My T61 was working wonderfully until recent installation of antispyware, antivirus programs.
  Prior to that, on boot, I could always see a brief CSS splash screen, and, more importantly, Password Manager would always kick in automatically, to load password data or to ask if I wanted it to remember something.
  Now, although Password Manager remains an icon in the system tray, it not only does not detect need for input, hotkeys do nothing, despite being marked enabled.
  I downloaded CSS 8.1 from the website (although this was still installed), and ran the "Repair", but still no joy.
  Your help is greatly appreciated.

  Thanks again--as you suggested, a thread well worth reviewing.
  In my case, I opted for the Rescue and Recovery Quick Restore--albeit with much fear and trepidation, since, unlike the roughly equivalent MS System Restore, this feature does not tell the user the date of the restore point that is being recreated.
  As it turned out, this took me back to a point when Norton Internet Security was only partially removed--which created the added anxiety of (a) inability to connect to the Internet through Explorer or Outlook 2007 and (b) inability to launch any Office 2007 program!  (That last caused yet another twist, since the instructions I had previously followed to completely removed Norton were now saved as .docx files....)  Although Norton Internet Security was still present on the desktop, and ccApp.exe was obviously running (and unable to shut itself down on Restart), Add/Remove Programs (the first step in the removal process) would not work--"the module is missing."
  Fortunately, I was able to download the Symantec Removal Tool through another computer onto a USB drive, copy the program to the T61, and run it there.  (Note that although Explorer would not load fully, Internet access of a sort was still available as witness System Update and Microsoft Update downloading without difficulty--though MS could not complete installing updates for Office 2007 with Norton still in the picture.  This matters because the Removal Tool accesses the net.)
  Once Removal had done its thing, Explorer, Office 2007, and Password Manager again worked as before.
  Sadly, I still don't know what the necessary ingredients for CSS/Password Manager are--there ought to be a listing of what files these otherwise excellent programs require.  And I'm not sure what approach to firewall, antivirus, and antispyware I ought to take, given the possibility that the programs I replaced Norton Internet Security with caused CSS/Password Manager grief.
  Sigh.

• Intel Management and Security Status Icon started appearing 3 days ago

  We didn't install anything new, and this "Intel Management and Security" icon (which you can't close) started appearing in the start menu on the bottom of the screen.  What made this start appearing, and how can we get rid of it?

  Hello aoppen,
  please also refer to this guide how to use AMT.
  Follow @LenovoForums on Twitter! Try the forum search, before first posting: Forum Search Option
  Please insert your type, model (not S/N) number and used OS in your posts.
  I´m a volunteer here using New X1 Carbon, ThinkPad Yoga, Yoga 11s, Yoga 13, T430s,T510, X220t, IdeaCentre B540.
  TIP: If your computer runs satisfactorily now, it may not be necessary to update the system.
   English Community       Deutsche Community       Comunidad en Español

• How to export "Managed by" field of Distribution and Security groups and import with new values? (Exchange 2010, AD 2003)

  My Active Directory environment is 2003 functional level and we have Exchange 2010.
  I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
  I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange
  2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
  Finally once the data is exported to csv can it be edited to then reimport and udpate the existing group managed by fields with new values?
  Not really sure that the best way to go about this is.
  Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the
  existing managedby values with new ones. In some cases we have multiple users as the owners.
  Appreciate any advice on how this can be best achieved. Thank you.

  Hi,
  We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
  Get-DistributionGroup | Select-object Name,@{label="ManagedBy";expression={[string]::join(“;”,$_.managedby)}},Primarysmtpaddress | Export-Csv
  C:\export.csv
  After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
  Import-Csv C:\import.csv | Foreach-Object{ Set-DistributionGroup –Identity $_.Name –ManagedBy $_.ManagedBy}
  Hope it works.
  Thanks,
  Winnie Liang
  TechNet Community Support

• IPv6 Address Management and Security Questions

  I'm trying to draft an IPv6-based version of our location's current routing configuration in anticipation of when our ISP will finally roll it out, and address management has been giving me the biggest headache - ironic, considering IPv6 was supposed to simplify address allocation.
  My first config draft was made assuming that I would be getting a static /56 or /60 prefix from the ISP, and I was just going to insert the prefix into my DHCP pools and there would be no issues. That was before reading around and discovering that some ISPs are considering prefix delegation (PD) for both residential and business accounts instead of static blocks. Now I have questions about how to stick as close to the current IPv4 configuration as possible.
  For the PD scenario, what I am looking at now are two addresses ranges for each network - a ULA /120 space that I want to control using stateful DHCPv6, and the global space which can be /64 and auto-configured. That way there will be a "private" address space for internal routing in the event of a prefix change or an extended outage. But I'm not sure how the config should look for such a scenario. What I have drafted so far is this:
  ipv6 dhcp pool DHCP6_INTERNAL
   address prefix FDAB::1:0/120
   domain-name whatever.net
   dns-server FDAB::1:1
  ipv6 dhcp pool DHCP6_DMZ-WIFI
   address prefix FDAB::2:0/120
   domain-name guest.whatever.net
   dns-server FDAB::2:1
  interface GigabitEthernet0
   description WAN-LINK
   ipv6 enable
   ipv6 address dhcp
   no ipv6 unreachables
   no ipv6 redirects
   ipv6 flow ingress
   ipv6 flow egress
   ipv6 virtual-reassembly in
   ipv6 nd autoconfig default-route
   ipv6 dhcp client pd hint ::/56
   ipv6 dhcp client pd ISP-PREFIX
   zone-member security OUTSIDE
   speed auto
   duplex auto
   no cdp enable
  interface FastEthernet8.1
   description VLAN_1-INTERNAL
   encapsulation dot1Q 1 native
   ipv6 enable
   ipv6 address FDAB::1:1/120
   ipv6 address ISP-PREFIX ::1:0:0:0:1/64
   ipv6 flow ingress
   ipv6 flow egress
   ipv6 virtual-reassembly in
   zone-member security INSIDE
   ip tcp adjust-mss 1300
   ipv6 dhcp server DHCP6_INTERNAL
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
  interface FastEthernet8.2
   description VLAN_2-DMZ-WIFI
   encapsulation dot1Q 2
   ipv6 enable
   ipv6 address FDAB::2:1/120
   ipv6 address ISP-PREFIX ::2:0:0:0:1/64
   ipv6 flow ingress
   ipv6 flow egress
   ipv6 virtual-reassembly in
   zone-member security DMZ
   ip tcp adjust-mss 1300
   ipv6 dhcp server DHCP6_DMZ-WIFI
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
  Will this config work? By which I mean: will the DHCPv6 servers provide ULA addresses, and will SLAAC work for global address allocation? If not, what needs to be changed?
  Also, another question. I found a few references to a prefix name (the "ISP-PREFIX") which can be used as part of a static IPv6 address on an interface, which is a good idea in case the prefix changes. But that brings up another concern - if the prefix changes, that will invalidate ACLs referencing the global addresses using the previous prefix. Is there anything similar to the prefix name string that can be used in ACLs to keep this from occurring?

  DHCPv6-PD is not necessarily dynamic the same way as DHCP was with the public IPv4 addresses in the IPv4 world.
  While the outside network (PPPoE, DHCPv6, anything) might be truly dynamic and changing with possibly every login session, the DHCPv6 delegated prefix might be tied to your login credentials or DHCPv6 client's DUID after the first connection. A bit like a DHCP lease reservation.
  If that is the case, there is some possibility that your ISP will run reverse route injection, and will always route your "fixed" prefix  to the currently active dynamic "outside" address.
  Talk to your ISP and have them confirm that, once the PD'd /48 or /56 is initially assigned, it won't change, and that the same prefix will be delegated every time. Then you can treat it as if it were fully static, and you won't have to go down the ULA path.
  I contacted one of our local ISPs, and they're doing it exactly that way: PPPoE for IPv4 and IPv6 (fully dynamic), and DHCPv6-PD with the /48 tied to the PPPoE login credentials. I might change to that ISP sooner or later.
  With my current ISP, my IPv6 access is 6RD based. I get a /60, with my current public ipv4 address (by DHCP) embedded into those 60 bits. Readressing is bound to happen sooner or later, and it happens every so often, and it breaks my IPv6 ACLs.
  I'm also looking for a way to write IPv6 ACLs with wildcard bits, not prefix/mask, so I can use them with ZBFW. So far, no sign of it.
  A few more comments:
  ULA addressing: 
  It may look tempting, plausible and intuitive to use dual global and ULA addressing. 
  I started this way as well. However, it turns out that Windows 7 has (had?) some issues with proper source address selection. The "longest common prefix" rule never seemed to work properly. In some cases, it would pick the global address to talk to ULA hosts, or stubbornly insist to use the ULA address to talk to an IPv6 internet host. It was a frustrating experience. Be sure to test this to the full extent (and back, and again and then some more) with every operating system you intend to use.
  Using /120:
  Be sure to test this as well, and very thoroughly. Subnet masks longer than /64 are sometimes called "uncharted territory" in IPv6. Longer subnet masks will break SLAAC, and there may be (embedded) devices that will not react benevolently to a subnet mask other than /64, or simply lack support for DHCPv6.
  adjust-mss
  I see you have "ip tcp adjust-mss 1300". While PMTUd may be mandatory with IPv6, I found it being broken already :-( . "ipv6 tcp adjust-mss .... " is now a separate command since IOS 15.4(1). I would suggest considering it, depending with your experience with PMTUd on IPv6.

• Security Manager and Policy Files

  Hi all,
  I am writing a simple java rmi application, but understand it wont run without a Security Manager installed and a policy file.
  I think I have installed the security manger using the following in the main() method of my client application:
  System.setSecurityManager(new RMISecurityManager());However I am unsure how to use a policy file with this. I have looked on the internet, but it does not seem to be very well documented
  Please could you advise me how to create a policy file that will work for my application and where to place it in my application so that my application can use it.
  Any help would be greatfuly appreciated
  Thanx
  Aaron

  An RMI application doesn't need a security manager unless you are using the codebase feature.

• Cisco Security Manager and User-aware firewall rules

  Hello !
  I have a firewall ASA which is managed with CSM and I try to create some user-aware rules. To do this, I need to match CSM with an Active Directory server.
  I added an AAA server group matching my Active Directory server in the Identity Setting menu from Security Manager Administration and when i click on "Test", I obtain the error message "Unsuccessful Bind prevented to fetch data, please reconfigure AAA server".
  What can I do to solve this problem ?
  Thank you !
  Stephane

  You can contact your local AM to get an evaluations version, this is related to the new 'restricted' downloaded access on CCO. You need to have a service contract assocaited for that 'specific' product to download software (I know it does not make sense in case of an evaluation).
  And you also have the following alternate:
  Note:
  This download does not include  CiscoWorks Resource Manager Essentials (RME). For customers that wish to  also evaluate CiscoWorks RME or that prefer a media format rather than a  large download, an evaluation DVD can be ordered from Cisco  Marketplace. At http://www.cisco.com/pcgi-bin/marketplace/welcome.pl,  navigate to the Collateral and Subscriptions Store and search for part  number EVAL-CSMGR-4.0.
  Regards
  Farrukh