Disabling certificate-based login

Hello all,
does anybody know how to disable certificate-based login in SSL sessions? We are running iMS 5.2.1.
My webmail server should run on HTTPS but only accept password-based logins. Our users don't have certificates, so certificate-based login is not needed. When I connect to webmail with Netscape Communicator 4.8 I get the annoying message "No user certificate ... you do not have a Personal Certificate to authenticate yourself. The site may choose not to give you access without one."
Thanks, Vito

Yes it does.
I tried this.
Apparently, the server doesn't need to trust its own certificate's CA.
But remember that your clients MUST trust your CA in order to avoid the popup window saying that the certificate advertised by your server belongs to an untrusted Certificate Authority (add the CA's certificate to their personal database).
Good luck,
Vincent MAZARD

Similar Messages

  • [IMAP SSL] Certificate-Based Login problems

    Hi,
    I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
    The objective is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted and then grant access to the user without providing his password.
    In my installation, unfortunately, a password is always required to log in any user. These are the steps I have taken:
    1. Add the CA-signed server certificate.
    2. Add the trusted Certificate Authority.
    3. Turn on all cipher suites including the weak ones.
    4. Enable SSL
    ./configutil -o service.imap.enablesslport -v yes
    ./configutil -o service.imap.enable -v 1
    ./configutil -o service.imap.sslport -v 993
    ./configutil -o service.imap.sslusessl -v yes
    ./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
    5. Check with the netstat command to verify that the service is running.
    bash-3.00# ./configutil -o service.imap.sslport
    993
    bash-3.00# netstat -an | grep 993
    *.993 *.* 0 0 49152 0 LISTEN
    Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS, and the email address in the users' certificates matches the email address in a user's directory entry), the connection is correctly established using port 993, but it is always necessary to log in with a password to be granted access.
    The imap logs seem to show that the MS is not requesting the user's certificate from the client, because they always show "plaintext authentication" (this corresponds to an attempt to access the user's inbox without Login).
    [10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
    [10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
    Also there are some error logs related to the Ciphers:
    [10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064) (-8186)
    Please, can you help me to discover if there is something wrong in my configuration?
    Thanks in advance.
    Kind Regards,
    Luis

    Thanks for your reply Shane.
    Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration; after finishing, I always get this log message in the ImapProxy logs:
    [15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
    Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established because this is a development environment. When I try to check the IMAP port (not ssl) I find a strange behaviour:
    bash-3.00# telnet localhost 143
    Trying 192.168.169.108...
    Connected to goody.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
    . login llcc LLCC_PASSWORD
    Connection to goody closed by foreign host.
    The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
    Also I have set these values, which are not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
    configutil -o local.mmp.enable -v 1
    configutil -o local.store.enable -v 0
    configutil -o local.imta.enable -v 0
    configutil -o local.http.enable -v 0
    Any idea?
    One question more. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access to the mailbox of all the users using the IMAP protocol?
    Thanks a lot for your help,
    Best Regards,
    Luis

  • Configuring Certificate-Based Login on iMS 5.2

    Dear All,
    I have two message stores and one Messenger Express running on a third server in proxy mode. I am trying to configure the third server to accept certificate-based logins. I have already installed a server certificate, CA certificate, and root CA certificate on this server. I am not planning to install any certificates on the message stores. I have modified the certmap.conf file according to my requirements. The question is, how do I store a user's certificate in LDAP so that the Messenger Express, which is in proxy mode, could use it to authenticate the user?
    Currently, I am getting this error in the Messenger Express log files.
    General Information: search_from_namespace(uid=marwan,ou=people,o=domain.net.ae,o=eim): no entry
    Although the DN exists in LDAP.
    Thanks,
    Marwan

    You will want to look at the ldap server's Access log, and make sure that you've updated the correct record, that it's searching for where you've placed the cert.

  • How do I disable password based login for ssh

    Before upgrading to Mountain Lion I had set up my computer to allow remote login via SSH. Now that I have upgraded I can no longer log in to my computer via SSH without specifying a password. How do I get back to not having to supply a password to log in?
    I created a user named `remotepair` and generated an RSA ssh key. I had set up password-less login to this user by adding the public keys of those who log in to the ~/.ssh/authorized_keys file and the following settings in /etc/sshd_config
    Protocol 2
    PubkeyAuthentication yes
    PermitRootLogin no
    PasswordAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    AllowUsers remotepair
    I also created a question on ServerFault about other issues I have with SSH. I solved the issue by doing a PRAM reset.
    Since my settings are no longer working for password-less login, how do I enable password-less login to my Mountain Lion enabled Mac?

    Output for ssh -vvv [email protected]
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/jjasonclark/.ssh/config
    debug1: Reading configuration data /usr/local/Cellar/openssh/5.9p1/etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to home.jjasonclark.com [50.47.10.153] port 22.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/Users/jjasonclark/.ssh/id_rsa" as a RSA1 public key
    debug1: identity file /Users/jjasonclark/.ssh/id_rsa type 1
    debug1: identity file /Users/jjasonclark/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_dsa type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
    debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ecd
    [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 125/256
    debug2: bits set: 510/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 80:b1:a1:11:8f:73:3a:bf:29:04:e9:70:18:d8:d5:cd
    debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "50.47.10.153" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'home.jjasonclark.com' is known and matches the RSA host key.
    debug1: Found key in /Users/jjasonclark/.ssh/known_hosts:20
    debug2: bits set: 475/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /Users/jjasonclark/.ssh/id_rsa (0x7fbb53c14d60)
    debug2: key: /Users/jjasonclark/.ssh/github (0x7fbb53c15600)
    debug2: key: /Users/jjasonclark/.ssh/id_dsa (0x0)
    debug2: key: /Users/jjasonclark/.ssh/id_ecdsa (0x0)
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/jjasonclark/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Offering RSA public key: /Users/jjasonclark/.ssh/github
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /Users/jjasonclark/.ssh/id_dsa
    debug3: no such identity: /Users/jjasonclark/.ssh/id_dsa
    debug1: Trying private key: /Users/jjasonclark/.ssh/id_ecdsa
    debug3: no such identity: /Users/jjasonclark/.ssh/id_ecdsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    [email protected]'s password:
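
A way to cross-check the sshd_config quoted in the post above against its `ssh -vvv` output; this is an added example, not part of the original post. The function names are hypothetical, both sample inputs are constructed excerpts of lines quoted in the post, and the defaults are assumed to be stock OpenSSH defaults.

```python
import re

# Constructed sample: the sshd_config lines quoted in the post above.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowUsers remotepair
"""

# Constructed sample: a shortened excerpt of the `ssh -vvv` lines quoted in the post above.
SAMPLE_CLIENT_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jjasonclark/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/jjasonclark/.ssh/github
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jjasonclark/.ssh/id_dsa
debug3: no such identity: /Users/jjasonclark/.ssh/id_dsa
debug1: Next authentication method: password
"""

# sshd_config keyword -> (userauth method it controls, default when the keyword is absent).
# Assumption: stock OpenSSH defaults for the 5.x releases that appear in the log.
AUTH_KEYWORDS = {
    "pubkeyauthentication": ("publickey", "yes"),
    "passwordauthentication": ("password", "yes"),
    "challengeresponseauthentication": ("keyboard-interactive", "yes"),
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; the first value of a keyword wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":   # conditional blocks are not global settings
            break
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def expected_methods(cfg):
    """Auth methods a server running with this config should advertise."""
    return {method for key, (method, default) in AUTH_KEYWORDS.items()
            if cfg.get(key, default).lower() != "no"}


def parse_client_debug(log):
    """Extract server banner, advertised methods and per-key outcome from client debug lines."""
    info = {"server": None, "advertised": set(), "rejected_keys": [],
            "accepted_keys": [], "tried": []}
    pending = None  # key offered but not yet answered by the server
    for line in log.splitlines():
        if m := re.search(r"remote software version (\S.*)$", line):
            info["server"] = m.group(1).strip()
        elif m := re.search(r"Offering (?:\S+ )?public key: (\S+)", line):
            pending = m.group(1)
        elif "Server accepts key" in line and pending:
            info["accepted_keys"].append(pending)
            pending = None
        elif m := re.search(r"Authentications that can continue: (\S+)", line):
            info["advertised"].update(m.group(1).split(","))
            if pending:                   # server answered the offer with a failure
                info["rejected_keys"].append(pending)
                pending = None
        elif m := re.search(r"Next authentication method: (\S+)", line):
            info["tried"].append(m.group(1))
    return info


def diagnose(config_text, log_text):
    """Compare what the config should allow with what the answering server actually offered."""
    expected = expected_methods(parse_sshd_config(config_text))
    seen = parse_client_debug(log_text)
    return {
        "server": seen["server"],
        # Methods offered although the config disables them: the sshd that answered
        # is not enforcing this file (other file, other host, or daemon not reloaded).
        "unexpected_methods": sorted(seen["advertised"] - expected),
        "rejected_keys": seen["rejected_keys"] if not seen["accepted_keys"] else [],
        "password_fallback": "password" in seen["tried"],
    }


if __name__ == "__main__":
    for field, value in diagnose(SAMPLE_SSHD_CONFIG, SAMPLE_CLIENT_LOG).items():
        print(f"{field}: {value}")
```

On the server side, `sshd -T` prints the effective configuration, which can be compared with the `unexpected_methods` result.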

  • Make certificate-based wireless unavailable at login?

    Error: "Unable to log in with a network account" appears because the wireless connection goes offline. WEP networks work okay, but our internal network uses wireless with EAP certificate-based authentication. Since the Macbook does not come with an ethernet jack, I have no other option. How do I get it to connect to the wireless prior to login?

    Does this article help?
    http://support.apple.com/kb/ht4772

  • Certificate based authentication with sender SOAP adapter. Please help!

    Hi Experts,
       I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
    .Net ---> SOAP ---> XI ---> RFC ---> R/3 System
    Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
    I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
    When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
    Am I missing any steps for certificate based authentication?
    Please help
    Thanks
    Gopal
    Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

    Hi!
    Although soapUI is a very good SOAP testing tool, you can't test certificate based authentication with it. There is no way (as far as I know) to import a certificate into soapUI.
    So, try to find another tool which can use certificates, or try it directly with the sender system.
    Peter

  • Certificate Based Authentication and SSL

    To whom it may concern,
    I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
    Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have installed it successfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
    Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
    I am running my Messenger express (http) like this :
    http://testing.xyz.com:8100
    (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
    https://testing.xyz.com:8100 also,
    http://testing.xyz.com:443 also,
    https://testing.xyz.com:443 also,
    but I cannot see the login page of the mail server. I tried all the above-mentioned URLs and just got the error "the connection was refused when attempting to contact testing.xyz.com". I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
    And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
    Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
    Thanking you,
    Farhan Ahmed,
    System Engineer
    Dubai, UAE.

    Dear jay,
    I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
    [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    The strange thing is that my certificate name is lowercase server-cert, and I can also see the certificate name as lowercase in the GUI console, and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log shows it as "Server-Cert"!!!! though it is "server-cert"
    I got this line from the http log:
    [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    I haven't missed the sslpassword.conf file step. I have placed the same password which I provided while generating the certificate request in the GUI.
    Help me out with what these errors mean and how to resolve them. I have also copied the cert7.db and key3.db to the /opt/SUNWms*/config directory from /var/opt/mps/serverroot/alias
    Thanking you,
    Farhan Ahmed,
    System Engineer,
    Dubai Internet City, Dubai, UAE.

  • Client certificate based authentication

    We have a JAVA web start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with the apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work; however, javaws is prompting the user to enter the password for accessing the keystore. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment properties or create an unprotected keystore. Both of our attempts have been unsuccessful. We have tried the following:
    1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
    javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
    Control Panel, according to the following procedure: open Control Panel,
    select Java tab, click View under Java Applet Runtime Settings, set
    values in Java Runtime Parameters table column. This operation added the
    properties to the user's deployment file (in a new attribute named
    deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
    value), but there was no effect (password window still popped up).
    2. We set up the deployment.property file manually with the 3 attributes
    [javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
    javax.net.ssl.keyStoreType]; it didn't have any effect either.
    3. When launching java applications you can set system properties as
    part of the command line using the following format
    "-D<property_name>=<property_value>"; we failed to find the analogous option in
    javaws.
    Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.

    Hi, client cert auth is not really the best way to protect your resources. It requires installing a client cert on every workstation to access the application. I think it conflicts with the javaws concept!
    I have the same situation (protect resources and avoid a password prompt on start) and my solution is:
    Using Tomcat as the web server:
    Directory structure as follows:
    /ApplicationRoot
           /WEB-INF
                 /resources
                        - private.jar
                        - private.jnlp
           /resources
                 - icon.png
                 - public.jar
    As you can see, there is no direct access to the protected resources. All protected resources are available only through the ResourceProvider servlet, configured as follows (web.xml):
    <servlet-mapping>
            <servlet-name>ResourceProvider</servlet-name>
            <url-pattern>/resources/secret/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>protected resources awailiable from browser</web-resource-name>
                <url-pattern>/resources/secret/browser/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>somerole</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <security-role>
            <role-name>somerole</role-name>
    </security-role>
    <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name></realm-name>
    </login-config>
    Code your ResourceProvider servlet to grant access only if:
    - Connection is secure (ssl).
    - URL pattern is "/resources/secret/browser/*" and client has passed the realm.
    - URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
    To install the app from a browser (access private.jnlp) use the "/resources/secret/browser/*" url pattern and basic auth.
    To download app resources configure the jnlp file as follows:
    <jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp">
        <information>
             <icon href="icon.png"/>
        </information>
        <resources>
            <j2se version="1.6+"/>
            <jar href="secret/javaws/secretkey/private.jar" />
            <jar href="public.jar" />
        </resources>
    </jnlp>
    The last thing you need to do is configure the SSL connector on the Tomcat server as follows:
    <Connector port="port"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             clientAuth="false"
             sslProtocol="TLS"
    />
    Pay attention to the "clientAuth" param. Set it to "false" to avoid the javaws splash cert chooser dialog on every app update.
    Hope it helps!

  • OWA and ActiveSync certificate based authentication

    I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
    I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
    But at one point I can't find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in IIS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
    So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I can't find anything in ECP to activate.
    Can anyone help me?

    Hi,
    We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directory for external access. And configuring the Default Web Site for internal access.
    Then we can configure internal one with Integrated Windows authentication and Basic authentication while the external one configured for forms-based authentication of Domain\user name format. For more information about Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
    https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
    Thanks,
    Winnie Liang
    TechNet Community Support

  • How can we disable user to login Hyperion Workspace

    We understand we can set to admin mode for Hyperion Planning so that only administrator can login the system. Any other ways to disable users to login Hyperion Workspace? We are using Hyperion version 11.1.1.1
    Thanks a lot!

    JohnGoodwin wrote:
    Hi,
    Just to confirm, you want to stop users creating Financial reports using the Reporting Studio? If so, then you would remove the role of "Report Designer" in their provisioning.
    Cheers
    John
    http://john-goodwin.blogspot.com/
    Thanks John. We just want to stop users from using FR reports prepared in Reporting Studio and put under "Explore" in Workspace. We found that we can't do that once the user is logged in to Workspace. The only way we can do it is to set up the security setting of each FR report based on the group setting.

  • How to disable Buttons based on condition.

    Hi
    Need your help to disable button based on condition.
    Please refer the application:
    http://apex.oracle.com/pls/otn/f?p=34797:5:110582943383419::NO:::
    login credentials:
    workspace: vsanthanam
    user: vijay
    pswd: apex_demo
    In the above application, I have 2 buttons on page 5 (Report1 and Report2),
    where I have to disable a button based on the following condition:
    i) A user who has Admin value 'Y' in my table can access the button.
    For this I've written a Button Condition : Type (EXISTS)
    select 1 from apex_extra_values where rtrim(lower(empname)) like decode((select Admin from apex_extra_values
    where rtrim(lower(empname))=rtrim(lower(V('APP_USER')))),'Y',rtrim(lower(V('APP_USER'))))
    Note: I have empname the same as my APEX user name, with Admin access 'Y'.
    By using this code I am able to hide the button for users who have no Admin access.
    But my requirement is: I have to show the button even if the user is not Admin, but greyed out (disable the button - no action).
    I tried using a JavaScript function:
    function disableButton(pThis) {
      pThis.disabled = true; // grey out the button so that clicking it does nothing
    }
    But either of these (EXISTS condition or JavaScript function) works in my case, and not both.
    Any pointer on this would be highly appreciated.
    Thanks
    Vijay

    Couple of things:
    1. I would never use v('APP_ITEM') but :APP_ITEM - it is faster and there is no need to use this function within an application
    2. The way you are doing this check is not the best approach. You should create an authorization schema and run this once per session. Whatever this authorization is returning as a result you can check using the following Function returning boolean:
    IF apex_util.public_check_authorization ('MY_AUTH') THEN RETURN TRUE; ELSE RETURN FALSE; END IF;
    See this example on authorization issues:
    http://apex.oracle.com/pls/otn/f?p=31517:148
    3. As far as disabling a button is concerned I think I explained the options. I also have an example on that here:
    http://apex.oracle.com/pls/otn/f?p=31517:143
    whereby it is not disabling but hiding a button.
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.opal-consulting.de/training
    http://apex.oracle.com/pls/otn/f?p=31517:1

  • Certificate based S2S VPN

    Hi all!
    Please give me advice in the problem below:
    Is there a device in the Small Business portfolio which allows certificate-based authentication (not only PSK) in S2S VPN?
    Or which is the first/cheapest device that supports this function?
    We have to connect a device (remote site) to a Checkpoint firewall (central site) over S2S VPN.
    On the remote site there is NO fixed IP address. And our contact person said the Checkpoint supports this type of connection only with a certificate.
    (PSK is not allowed, only with fixed IP)
    Thanks,

    You are on the right track. Client certificates plus OTP authentication is one of the most secure ways to set up remote access VPN on the ASA.
    For revocation, the ASA will generally check the CRLs on the issuing CA. (or in rare cases use OCSP)
    For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.
    You might want to invest in the certification guide for the CCNP VPN exam:
    CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
    Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.

  • Is there a way to decrypt the SQL login-only encryption in the netmon trace or disable the SQL login-only encryption?

    We know that by default SQL Server uses the self-signed certificate to encrypt the SQL login information when building the connection. My question is whether there is a way to decrypt the SQL login-only encryption in the netmon trace or disable the SQL login-only encryption.
    Please click the Mark as Answer button if a post solves your problem!

    Not without logging in as admin. To avoid using credentials to log in to SQL, use Windows Credentials instead.
    jdweng

  • Exchange 2010 SP3 OWA with certificate based authentication

    Hi,
    I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
    Exchange 2010 with SP3, latest cumulative Update installed.
    The problem I’m having is that when I enable certificate-based authentication (require client certificate option in IIS) on the OWA and ECP virtual directories in conjunction with forms-based authentication (this is the requirement – the user must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it’s being constantly automatically refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is on required, forms based authentication works just fine. If I switch to “Basic Authentication” and enable the client certificate requirement, then OWA acts as it should – so no problems. The problem only occurs when the authentication type is forms based and client certificates are required.
    I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
    Anyone – any ideas?

    Hi McWax,
    According to your description and test, I understand that all accounts cannot log in to OWA when "require client certificate" is selected.
    Is there any error message when opening OWA or logging in? For example, the error “HTTP error: 403 - Forbidden”. Please post the related error for further troubleshooting.
    I want to confirm which authentication methods are used for OWA: Integrated Windows authentication or Digest authentication? More details about it, for your reference:
    http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
    If you select another authentication method, please check whether the Client Certificate Mapping Authentication service is installed and also enabled in IIS. Please refer to:
    http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
    To rule out the firewall as a factor, please try to sign in to OWA on the CAS server. Besides, I found a FAQ about certificates:
    http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
    Best Regards,
    Allen Wang

  • Form based login, iframes and session time out

    Hi all,
    I'm trying to create a site using form based login.
    The site contains a protected page, default.jsp, that has a logout button/link (clicking it invalidates the session) and a navigation bar with links that open in iframes inside the default.jsp page:
    I also have a login.jsp page and an error.jsp page.
    Everything works fine: I can log in, I can log out. My problem occurs when the session times out and the user tries to access protected content in the internal frames. He is then prompted for a new login. The problem is that the login.jsp page now turns up inside the iframe designated for my content.
    I would have liked the login page to turn up at the top level, i.e. filling the entire browser window (i.e. on the same level as the default.jsp page). Is this somehow possible?
    Regards
    Uno Engborg

    Easy answer: use JS to jump out of the iframe.
    Best answer: don't use iframes, but use server-side includes like jsp:include. Iframes have too many disadvantages, topped by the extremely bad SEO and UX.
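
Added example, not part of the thread: one way to do the "jump out of the iframe" suggested above, as a script included in login.jsp. The names escapeFrame and shellUrl and the return strings are chosen here; it assumes the outer page is default.jsp in the same directory as the framed content, so that reloading it at top level makes the container show the login form there and return the user to the full layout after login.

```javascript
// Added example: call from an inline <script> in login.jsp.
// Returns "top-level", "redirected" or "hidden" so the outcome can be checked.
function escapeFrame(win, shellUrl) {
  // At the top level, window.self and window.top are the same object.
  if (win.self === win.top) {
    return "top-level";
  }
  try {
    // With container-managed form login the frame's own URL is still the
    // protected content page, so navigate the outer window to the shell page
    // instead of to the frame's address. replace() keeps the framed login
    // page out of the back-button history.
    win.top.location.replace(shellUrl);
    return "redirected";
  } catch (err) {
    // Navigation of the parent was blocked (for example by a sandboxed
    // iframe). Fail closed: never show a password form inside a frame.
    win.document.documentElement.style.display = "none";
    return "hidden";
  }
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  escapeFrame(window, "default.jsp"); // assumed shell page name from the question
}
```

A login page that must never be framed can also send the response header Content-Security-Policy: frame-ancestors 'none' (or X-Frame-Options: DENY), which makes the browser refuse to render it inside any frame even when scripts are disabled.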
