Encrypting parameters

Hi,
We are trying to secure our applications. One of the client's
requirements is to "hide" the parameters of our requests. I have been
studying all the possibilities, like using tags and javascript to avoid
this, but in MSExplorer all of these solutions aren't valid. So, the last
way is to encrypt these parameters. Does anyone know if iPlanet has some
utility for this? I think no, but maybe...
I'm still working with AppLogics in some applications, but running under
iPlanet 6.0 SP2.
Thanks for all.
Regards,
Neus Prenafeta
[email protected]

Frank,
Thanks for confirming this - this is what I had suspected - just wanted to check that there wasn't already some inbuilt functionality which I had overlooked. DBMS_OBFUSCATION_TOOLKIT it is then!
Shane

Similar Messages

  • Encryption parameters

    Hi,
    I have simple scenario to write IDOCs to Oracle DB staging tables. I have to use encryption and I'm using extra parameters like in this blog (http://wiki.sdn.sap.com/wiki/display/XI/EncryptioninscenariosinvolvingJDBCAdapterwithOracleDatabase).
    So my question is how to actually check and prove to customer that data over network is encrypted, is there any hidden parameter on com.channel? Is there any way to dump stream of bytes from com.channel to file? Or any other idea....
    kr
    mario

    Stefan, thx this is it, very, very nice, pinpoint accuracy
    lg
    mario

  • Archive Link - encrypt HTTP call parameters

    Hello!
    I have an Archive Link which is configured to open an Internet Explorer (web application). I would like to prevent user from copying the IE address bar and starting the application manually with the same or changed parameters. How do I do this?
    I was thinking: Is there a way to encrypt parameters of a HTTP call triggered by Archive Link, which would be decrypted at a server application?
    Or is there some other way to accomplish security of the HTTP call parameters?
    Thanks in advance!
    Kind regards,
    Boris

    Hi Thomas,
    It is Meridio for DMS and IIS for Content Server, to be more precise this is the environment: SAP 4.7 with ArchiveLink 0046, Meridio 4.4, FI repository, http as protocol calling external IExplorer.
    BNJ

  • Parameters encryption

    hi,
    i've seen on some pages, that they use an encryption for the parameters delivered by GET. for example, i wanna request an url with a couple of parameters, something like this:
    http://www.blabla.com/?user=who&age=99&whateveruwant=ucanget
    instead of seeing this explicit url you get this one:
    http://www.blabla.com/?code=033A23C9430D34590AAA345F2344
    from this i can understand that the parameters have been encrypted and the string which actually includes encrypted parameters passed as a parameter by itself.
    as i also understand, the server gets this "code" parameter and knows how to get the encrypted parameters from it.
    my questions are:
    1. is there any common way this thing can be done in java?
    2. i'm sure there are encryption classes, but if all this works the way i think, if encryption used we need to parse the unencrypted string of parameters and values with tokenizers or something, because there is no "request.getParameter("age")" way..
    thanks

    I was assigned to make one or more request parameters from a GET request be sent over HTTP to be encrypted. The reason is that we have in essence a link counter / redirector and we want to make sure we only redirect to URLs which originated in links in documents on our system. We don't want anyone to be able to just put the URL to goto in the Address field of the browser to use our redirector. This is for documents with links to external sites which we count. So we can't use POST. Now that I set that up so that the "just use HTTPs" comments won't fly in - this is what I was assigned to do so (I see a lot of questions from previous posts like the concept of encrypting a request parameter is the dumbest thing ever).
    Anyway, here is how I got it to work and I am wondering about a couple of things and just wanted comments to streamline. I will not give every detail for obvious reasons (if not so obvious, it is for a client so I can't give out all their code, ok).

    /* This is a generic test to prove if it will work with how to do it embedded within */
    String gotoUrl = "http://www.google.com"; // Retrieved through parsing a link in a file
    // Encryption done with a wrapper class that is home grown (and I didn't write it)
    // Only detail I will give is Cipher.getInstance("DES/ECB/NoPadding", "something")
    // was used.
    byte[] encryptedUrlAsBytes = ENCRYPT.encrypt(gotoUrl.getBytes());
    // UTF-8 did not ultimately work for me as I would have hoped.
    String encryptedUrlAsString = new String(encryptedUrlAsBytes, "ISO-8859-1");
    String encryptedEncodedUrl = URLEncoder.encode(encryptedUrlAsString, "ISO-8859-1");
    // From here up is used to prepare the string for going in the href. Now you
    // can append the encryptedEncodedUrl into a StringBuffer which is used
    // to create the HTML href (with no worries about the character encoder at this point)
    // From here down is just to help you verify things can be gotten back to...
    // Decode with the same charset that was used to encode, so every byte round-trips
    String decodedEncryptedUrl = URLDecoder.decode(encryptedEncodedUrl, "ISO-8859-1");
    byte[] decodedEncryptedUrlAsBytes = decodedEncryptedUrl.getBytes("ISO-8859-1");
    byte[] decodedDecryptedUrlAsBytes = ENCRYPT.decrypt(decodedEncryptedUrlAsBytes);
    String decryptedUrl = new String(decodedDecryptedUrlAsBytes);
    // You can test if decryptedUrl = gotoUrl

    Now one thing I discovered is that (at least in my app) strings encoded with URLEncoder will not necessarily be decoded properly when you do a request.getParameter(). So, in the Servlet receiving this encrypted request parameter I had to do...

    String queryString = req.getQueryString();
    // "code" is the name of my request parameter
    int start = queryString.indexOf("code=") + 5;
    int end = queryString.indexOf("&", start);
    if (end == -1) end = queryString.length(); // "code" is the last parameter
    String encUrlParam = queryString.substring(start, end);
    // You will need a try/catch which is excluded
    String decodedEncryptedUrl = URLDecoder.decode(encUrlParam, "ISO-8859-1");
    String unencUrl = new String(ENCRYPT.decrypt(decodedEncryptedUrl.getBytes("ISO-8859-1")));
    // unencUrl should = the original gotoUrl

    Now, my observation is that String needed a specific character type to be specified and StringBuffer did not. This gives me interest as to how nice and flexible StringBuffer is (I didn't have to specify a character encoding and nothing was lost when the specially encoded String was appended).
    I am surprised that getParameter() doesn't decode strings encoded with URLEncoder !!
    Based on what I have shown are there any efficiencies or other things I have missed to make this better?
    I haven't had a chance to test with very complicated string values to see if any specific characters mess up the process between encrypting->encoding->decoding->decrypting. If anyone else tests this out and finds problems please let me know.

  • IronPort email encryption config precedence

    Hi,
    I'm reading thru the IronPort Email Config Guide for Email encryption. I have noticed up to three different ways of requesting certain encryption parameters. I'd like to make sure I understand the order of precedence for these different methods, when multiple options are encountered for a given message.
    For example, to configure Read Receipts on an outbound secure message:
    a) I can configure Read Receipt in the Encryption Profile
    b) I can configure a Content Filter to add an encryption header "X-PostX-Send-Return-Receipt" to the message
    c) At the time of sending the message, from BCE app, I can select Read Receipt (or for certain attributes, I can use the CRES admin console and ask for the actions such as message expiration, etc)
    So given the above methods for requesting a certain action, my understanding is that the order of precedence is:
    c -> b -> a
    That is, (c) overrides (b);  and (b) overrides (a).
    Is the above correct?
    And as for (c), is it also correct to expect that the upcoming Outlook plugin release 7.3 will enable a desktop user to set the same flags on an outbound message as supported today in BCE app (such as requesting ReadReceipt, etc.)?
    Thanks for any help.


  • Do I get encryption with transport-guarantee set to NONE over HTTPS?

    Hello,
    If I established HTTPS connection and then access some web resource which either
    does not have <user-data-constraint> or has <transport-guarantee> set to NONE. Do
    I still have my communication encrypted? I read Servlet spec 2.3, but does not find
    it explicitly talking about this. Any pointers? Or this become implementation dependent.
    I'm thinking WLS 6.1/7.0 and maybe Tomcat.
    TIA
    chuck

    Yes, it will still be encrypted, with whatever usual encryption parameters
    your HTTPS connection has. NONE means integrity or confidentiality isn't required
    for that resource, but it doesn't prevent you from applying them.
    regards,
    -Ade
    "Chuck Zheng" <[email protected]> wrote in message
    news:3d2b594e$[email protected]..
    > Hello,
    > If I established HTTPS connection and then access some web resource which either
    > does not have <user-data-constraint> or has <transport-guarantee> set to NONE. Do
    > I still have my communication encrypted? I read Servlet spec 2.3, but does not find
    > it explicitly talking about this. Any pointers? Or this become implementation dependent.
    > I'm thinking WLS 6.1/7.0 and maybe Tomcat.
    > TIA
    > chuck

  • Data transport encryption  between Database - Apps Server

    Hi
    We have 10g R2 database on Linux
    and would like to setup a basic encryption for data transport between Database and Apps Server.
    On searching, i found a couple of SQL ENCRYPTION parameters to be placed in SQLNET.ORA , which am not sure off.
    Could anyone suggest as how should i be doing this setup?
    Do i also need to be doing changes at the Apps Server side?

    Check the Advanced Security Guide, specifically
    http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14268/asopart2.htm#sthref141
    Note that Advanced Security is a separate licensed option.

  • How can I route internet traffic over IPSec point to point?

    I have a remote site that connects by IPSEC with the end points on a router and ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an IPrism behind the firewall to filter web access so it seems like I need to point the remote sites default gateway to my routing device that's behind my Iprism? 
    Also, currently the outside interface on the remote site's router does not have an ACL applied, can someone suggest what that ACL should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
    crypto isakmp policy 20
    (encryption parameters here)
    crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
    crypto ipsec transform-set remotesite (encryption parameters here)
    crypto ipsec df-bit clear
    crypto map Mainsite 1 ipsec-isakmp
     set peer x.x.x.x (Public ASA IP)
     set transform-set remotesite
     match address 100
    interface FastEthernet0/0
     description $ETH-LAN$
     ip address 10.1.1.1 255.255.0.0
     ip nbar protocol-discovery
    interface FastEthernet0/1
     description ISP Interface
     ip address x.x.x.x (public IP) 255.255.255.0
     crypto map Mainsite
     crypto ipsec df-bit clear
    ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
    access-list 100 remark Access list Mainsite Access
    access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
    and other various headquarter networks...

    Hi Mark, you can modify your crypto acl to permit any any on your remote site which will make all traffic goes through the tunnel. Then on ASA you need to do hairpinning on the outside interface. This will make users on remote site to access internet via HQ. But if you do it this way the internet traffic goes straight to internet without having them filtered by your iPrism. 
    What I am not sure about is if there is a way to do it if you want those traffics to be filtered by the iPrism before going out to internet. 
    HTH

  • Opening a seeded OAF page from custom JSP page.

    Hi All,
    We have requirement to open a seeded OAF page from custom JSP page.
    When we try to open URL of an OAF page after passing URL input parameters, we are always getting following error:
    'You have insufficient privileges for the current operation. Please contact your System Administrator.'
    On directly accessing the seeded OAF page, its encoding all the input parameters passed in URL. Also some more encoded parameters are getting added to the URL dynamically.
    Is there any standard way exists to invoke seeded OAF pages without passing encrypted parameters to it? Also where can we get more details about
    encrypting OAF URL parameters.
    Any pointers would be appreciated.
    Thanks in advance!
    Saurabh

    Have you duplicated entire Customer Service module's menu in your responsibility?
    or Also ping me the menu name..
    --Prasanna

  • Error while opening AME Approval Function

    Hi All
    I am trying to open the AME "Approvals" Function in R12 Vision Instance and I am getting the following Error.
    The requested URL /pls/VIS/OracleSSWA.Execute was not found on this server.
    Seeded approval functionality for iRec is working fine.
    I am logging in with a vision instance user only with a seeded responsibility "FED AME Application Administrator".
    I checked the function details but could not make out any thing. Here are the function details
    Function: AME_WEB_APPROVALS
    User Function Name: Approvals Management
    Properties:
    Type: SSWA plsql function that opens a new window (Kiosk Mode)
    Maintenance Support Mode: None
    Context Dependence: Responsibility
    Web HTML
    HTML Call: ame_rules_ui.listRulesForm1
    Web Host:
    Encrypt Parameters: Checked
    Have you got any of these issues.
    Thanks
    Gaurav

    In R12 old AME functionality will not work. Old AME pages as in 11.5.10, AME.A are built using mod PL/SQL. But in R12 mod PL/SQL is not supported. In R12 all the AME pages are built using OA Framework now and using RBAC mechanism for assigning responsibilities.
    For setting up AME Rules in R12 one can follow the following note
    Approvals Management Responsibilities and Setups in AME.B
    https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=434567.1&blackframe=1
    Following are the errors you might get while opening the AME Approval function from old responsibility.
    1.
    The requested URL /pls/VIS/OracleSSWA.Execute was not found on this server.
    OR
    2.
    Can not access function AME_WEB_APPROVALS. This installation does not manage mode pl/sql. Please contact your System Administrator.
    Regards
    Gaurav

  • Add Previous Employement Information in Self-Service

    Hi,
    I have a requirement in which I need to add previous employee information in Employee Self Service. The Employee could be able to modify it. Can anyone help me with this? The version which I am using is R-12.
    Thanks
    Nitin Singh

    Hi Nitin
    We are also migrating on R12.0.4
    I tested employment history page to add in employee self service and it worked. The exact function details are as follows.
    Name Irc Apl Qualification & Experience Page
    Code IRC_APL_QUALIFY_DETS_PAGE
    Description My Account Qualification & Experience Page
    Type JSP
    Maintenance Mode Support NONE
    Context Dependence RESP
    HTML Call OA.jsp?page=/oracle/apps/irc/candidateSelfService/webui/AplQualifyDetsPG&akRegionApplicationId=821&OASF=IRC_APL_QUALIFY_DETS_LINK
    Secured N
    Encrypt Parameters N
    Host Name
    Agent Name
    Icon
    Object Name
    Parameters OAFunc=IRC_APL_QUALIFY_DETS_PAGE
    Region Code
    Region Application Name
    Try with this function and see if you are still getting the error. If it works then you can personalize this page for your responsibility to show only previous employers.

  • Request-URI Too Large

    Hi, I am working on a project that involves exporting excel spreadsheets to a JSP script for special charting and as a result the URLs can be very long like: http://preview.tinyurl.com/p9vykm (full URL shown in tinyurl preview). As a result of this, servers typically complain about the URL being too large to process even though browsers like Firefox will happily accept such long URLs. So obviously an alternative method of passing this data to my JSP script must be sought, and it must be a manageable method able to be performed with VBA which is unfortunately being used to interact between the excel spreadsheet and this script. My thought was base64 encrypting the parameters, passing that to the JSP script and then having the JSP script decrypt the encrypted parameters and process them. Is that possible and if so how? If not, how would you think it best to approach this issue? Thanks!

    Yes, it's true. Servers are allowed to put a limit on the length of a URL when it's used for a GET request. There's nothing you can do about that. However if you use a POST request, then the parameters are passed differently and they don't count as part of the length. I have no idea whether VBA can be made to use POST instead of GET.
    I don't see why Base64 encoding would help, since it's guaranteed to increase the size of the string by one third. You need something which reduces the size of the string.

  • [SOLVED] Newbie asks how to suggest edits to LVM Luks Wiki page...

    I'm a newb to Arch. I've been using Fedora for about four years, so Arch is a fun challenge. And I wish to contribute to the clarity of the Wiki page. Having set up LUKS with LVM for Fedora twice, and now Arch, one or two points might benefit the following wiki pages.
    First, The instructions for kernel parameters on Kernel parameter configuration of the bootloader refers to the kernel parameter as:
    cryptdevice=<device>:<dmname>
    <device>
        The path to the raw encrypted device. Usage of Persistent block device naming is advisable.
    <dmname>
        The name given to the device after decryption, will be available as /dev/mapper/<dmname>. (<dmname> MUST NOT be set to a name already used for LVM partitions!)
    While higher up the page LVM on LUKS:
    cryptsetup luksOpen /dev/sda3 lvmpool (alternate)
        For setting up LVM ontop the encryption layer the device file for the decrypted volume group would be anything like /dev/mapper/lvmpool instead of /dev/sda3. LVM will then give additional names to all logical volumes created, e.g. /dev/mapper/lvmpool-root and /dev/mapper/lvmpool-swap.
    The alternate reflects the LVM setup which seems to be a best practice in Fedora. My working setup is
    cryptdevice=/dev/sda3:<LVMvolumeGroup>
    And when mounting the LUKS partitions I found it necessary to activate the volume group name with
    # vgchange -ay <volumeGroup>
    In that scenario the configuration install was:
    # cryptsetup luksFormat -y --cipher aes-xts-plain --key-size 512 /dev/sda3
    # cryptsetup luksOpen /dev/sda3 cryptVG
    # pvcreate /dev/mapper/crypt
    # vgcreate cryptVG /dev/mapper/crypt
    # lvcreate -n root -L 20.0G cryptVG
    # lvcreate -n swap -L 6.0G cryptVG
    # lvcreate -n data -l 100%FREE cryptVG
    /** For Arch you're applying the file-systems now, but in Fedora, the Anaconda installer takes care of it.**/
    # cryptsetup luksClose crypt
    For me, as a newbie setting up the two L's I found it easier to understand LVM as logical volumes in a volume group. Not sure how much this matters in theory, but in practice as a newbie setting up the two L's, I found it easier to understand LVM as logical volumes in a single volume group. Mainly because the Anaconda installer was automatically setting up the volume group name, and when I used the above setup, my custom name was reflected in Anaconda's GUI.
    Second, the ominous Bang'd warning not to use 'a name already used for LVM partitions' seemed to conflict with the GRUB page instructions, until I noticed the GRUB page didn't include LVM.  Given the popularity of LUKS and LVM solutions, it seems some hyperlinking notes would be appropriate. Yes?
    And maybe third... I was working on a GRUB config issue and couldn't find any reference in the GRUB wiki page to explain to me the difference between GRUB_CMDLINE_LINUX and  GRUB_CMDLINE_LINUX_DEFAULT (or more importantly, something to explain putting commands into one, the other or both). The GRUB wiki instructs to put the encryption parameter on the former, and dm-luks instructs to put it ... well, it doesn't state where to put the encryption parameters, and simply refers to Kernel parameters page.
    Last edited by xtian (2013-09-17 22:00:44)

    As stated by WonderWoofy, you are more than welcome on the wiki! Just register and edit the article, but I'd like to add that you (like everyone else) are very warmly invited to always explain each of your edits exhaustively using the Edit Summary at the bottom of the Editor page; if the explanation is so long that doesn't fit in the summary, open a discussion in the talk page and link to that discussion from the summary itself. Last thing, don't do big edits all at once, but prefer splitting your work in a series of little edits: this will help everybody understand what you've done, since the resulting diffs will be much clearer.
    Edit: typo
    Last edited by kynikos (2013-09-01 04:56:26)

  • Creation of the organization within SIM

    Hello!
    How i can automatically create several organizations within SIMs Top?
    I can create CSV file with organization parameters (or database table), but i don't know how it is possible to load this file to IDM.
    May be there are some instructions how to realize it? Or some practices to perform this?
    I am using IDM 8.0
    Thanks for your advices!

    It's difficult to convert CSV to XPRESS xml, because of encrypted parameters within the tags.
    For example:
    I try to create organization. The XML source of this object contains fields such as:
    <ObjectGroup id='#ID#FA16-:EC602865C11:22B63D32-:5365FFED9DFE7765' name='5677EFD9DEFF5635:-23D36B22:11C568206CE:-61B0' displayName='entry_3' creator='Configurator' createDate='1221637646703' lastModifier='Configurator' lastModDate='1221646146984' lastMod='4' primaryObjectClass='ObjectGroup'>
    Do you know how parameters id and name generates ? May be there is a specification of this structure somewhere?
    Edited by: DmitryG on Sep 17, 2008 7:36 AM

  • Opening a download in a new window

    We have a list of files that are relevant to the user. We display this list of files to the user in a table so they can view the ones they want.
    I have written a servlet that reads the file information from a cookie, and delivers the file to the client.
    We are using a goButton to launch the servlet because we want the document to be display in a new window.
    Our problem comes with the code that writes the cookie. I have replaced the table's row selected listener with a custom method that first, sets the bindings with the selected row, and then uses the info in the bindings to write a cookie. This technique is working well except when the first document displayed is the one selected. When the table is rendered, the row selection event isn't sent, even though the first row is selected by default.
    Can anyone offer advice on techniques to try?
    I did attempt to use an el that referenced the bindings in the target of the goButton, and pass the document to display as a parameter. I abandoned that attempt because in the servlet, the parameter was not able to be decrypted after decoding it. The padding had gotten corrupted.
    I have also considered using a commandButton to write the cookie, and then javascript to call the servlet in a new window, but I have never used javascript and would like to stick with a declarative approach if possible.
    Thank you

    John, thank you for the answer and sorry for the long delay, I was assigned a different priority. I'm back thinking about this now.
    We would like to encrypt the parameter because we are sending a document id to a download servlet. We don't want the user to spoof this servlet by putting in a random document id.
    Is it not normal to encrypt parameters? We are new to web development, but it seems that we would want to employ as much security as possible.
    Thanks again
    Dave
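
The download-servlet post above (a decrypted parameter whose padding was corrupted, and a document id users must not be able to forge) and the earlier link-redirector post (encrypted bytes pushed through String and URLEncoder) both need a parameter that survives the URL unchanged and is rejected if altered. The following is an added example, not code from either poster: it seals a value with AES-GCM and URL-safe Base64. The class name SealedParam, the sample document id and the in-memory key are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example (hypothetical class): seals one request-parameter value into a URL-safe token. */
public class SealedParam {
    private static final int IV_LEN = 12;     // 96-bit nonce, the usual size for GCM
    private static final int TAG_BITS = 128;  // length of the authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public SealedParam(SecretKey key) {
        this.key = key;
    }

    /** Encrypts and authenticates the value; the result needs no URLEncoder pass. */
    public String seal(String value) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // a fresh nonce for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] token = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        // The URL-safe alphabet (A-Z a-z 0-9 - _) passes through a query string
        // untouched, so no charset or percent-decoding step can corrupt the bytes.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    /** Returns the original value, or null if the token is malformed or was altered. */
    public String open(String token) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            if (raw.length < IV_LEN + TAG_BITS / 8) {
                return null; // too short to hold a nonce and a tag
            }
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
            byte[] pt = c.doFinal(raw, IV_LEN, raw.length - IV_LEN);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null; // invalid Base64, wrong key, or failed tag check
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a real deployment loads one long-lived key from server-side
        // configuration; a throwaway key is generated here so the demo runs offline.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SealedParam sp = new SealedParam(kg.generateKey());

        String docId = "DOC-000123"; // constructed sample value
        String token = sp.seal(docId);
        System.out.println("href: /download?code=" + token);
        System.out.println("opened: " + sp.open(token));

        // Change the first character, as a user editing the address bar might.
        String tampered = (token.charAt(0) == 'A' ? 'B' : 'A') + token.substring(1);
        System.out.println("tampered: " + sp.open(tampered));
    }
}
```

The token only shows that the server issued the value; the servlet still has to check that the logged-in user may read the document it names.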
