ESSO-LM Secondary Authentication API

Hi,
I am facing a problem implementing a custom Secondary Authentication Library with ESSO-LM for the passphrase prompt.
I have gone through the documents, but they are not very helpful.
Has anyone implemented this, or have any idea?

You can do it by changing the authentication level in the LM console.
Change the setting and write this setting to HKLM.
Also check the documents for AM; that will help you.

Similar Messages

  • EToken + RSA Key Secondary Authentication problem

    Hello. I need to access an eToken using the Java Security API (PKCS11) and I can't use the "RSA Key Secondary Authentication" mode, because when I try to sign I get an error (CKR_USER_NOT_LOGGED_IN).
    Do you know why this happens?
    This is my code:
    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.io.Serializable;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.SignedObject;
    import sun.security.pkcs11.SunPKCS11;

    // SunPKCS11 configuration pointing at the eToken PKCS#11 driver
    String pkcs11config = "name = my-eToken";
    pkcs11config += "\nlibrary = c:\\WINDOWS\\system32\\eTpkcs11.dll";
    InputStream confStream = new ByteArrayInputStream(pkcs11config.getBytes());
    SunPKCS11 sunpkcs11 = new SunPKCS11(confStream);
    Security.addProvider(sunpkcs11);
    String alias = "myAlias";
    // token login goes through MyCallbackHandler (defined elsewhere in the test class)
    KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
      new KeyStore.CallbackHandlerProtection(new MyCallbackHandler()));
    KeyStore keyStore = builder.getKeyStore();
    // get my private key
    KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias,
            new KeyStore.PasswordProtection("aliasPwd".toCharArray()));
    PrivateKey privateKey = pkEntry.getPrivateKey();
    Serializable o = new SignedBean("bla bla");  // dummy object which wraps a String, just for testing
    Signature sig = Signature.getInstance("SHA1withRSA");
    SignedObject signedObject = new SignedObject(o, privateKey, sig);
    And when it attempts to create an instance of SignedObject it throws the exception:
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
         at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420)
         at java.security.Signature$Delegate.engineSign(Signature.java:1131)
         at java.security.Signature.sign(Signature.java:527)
         at java.security.SignedObject.sign(SignedObject.java:227)
         at java.security.SignedObject.<init>(SignedObject.java:144)
         at ar.gov.mecon.esidif.firmaDigital.test.ETokenTest2.testLogin(ETokenTest2.java:99)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at junit.framework.TestCase.runTest(TestCase.java:154)
         at junit.framework.TestCase.runBare(TestCase.java:127)
         at junit.framework.TestResult$1.protect(TestResult.java:106)
         at junit.framework.TestResult.runProtected(TestResult.java:124)
         at junit.framework.TestResult.run(TestResult.java:109)
         at junit.framework.TestCase.run(TestCase.java:118)
         at junit.framework.TestSuite.runTest(TestSuite.java:208)
         at junit.framework.TestSuite.run(TestSuite.java:203)
         at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
         at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
         at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
         at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391)
         ... 23 more
    Thanks in advance

    Hello. Try redefining your callback:
    // needs: import javax.security.auth.callback.Callback;
    //        import javax.security.auth.callback.CallbackHandler;
    //        import javax.security.auth.callback.UnsupportedCallbackException;
    KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
      new KeyStore.CallbackHandlerProtection(new CallbackHandler() {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
          // does nothing... so the native driver's login implementation is called
        }
      }));
    KeyStore keyStore = builder.getKeyStore();
    // get my private key
    privateKey = (PrivateKey) keyStore.getKey(alias, null); // send null because the secondary password is obtained by the driver
    In my case it works fine (JDK 1.5), but it opens the dialog for the secondary key twice :( I don't know why!!
    If you know, please answer me!!
    Hope this helps you

  • Authentication APIs

    Guys,
    Can anyone tell me where I can download the API for Identity Server authentication, e.g. the com.sun.identity.authentication API?
    Thanks,
    Ramnath

    Hi,
    Let me first tell you my requirement. I have to implement SSO between Oracle E-Business Suite v12 and a third-party system.
    In this use case, the incoming request first goes to the third-party system, which makes the authentication and authorization decision; upon success it adds the user name to an HTTP header and forwards the request to the Oracle E-Business Suite login code.
    So we have to modify/extend the login code of Oracle E-Business Suite so that it can read the value of the HTTP header set by the third-party application, and then locate this user in FND_USER.
    My questions around this are:
    1. Does Oracle E-Business Suite provide APIs to locate a user given a user name/user ID? If yes, please provide a link to the usage of this API.
    2. What is the name of the file that does the job of login/authentication?
    Thanks,
    Shyam

  • Sun Idm  Secondary Authentication Policy Options

    Hi,
    I need some input on the below:
    1. We have a situation where we need to configure 10 security questions in the policy.
    2. Force the user to select a minimum of 5 questions during their first login.
    3. Later on, whenever the user tries to reset their password via Forgot Password, they need to answer only 2 questions in order to reset it.
    The "Default Identity Manager Account Policy" has a security questions section to set up the questions, and there is an option to enter "Minimum Number of Questions User is Required to Answer".
    If I configure it as 5, it works on the initial setup page, but when it comes to password reset, it asks for 5 questions to be answered. Any input on this is highly appreciated.
    Thanks,
    Navatha

    Navatha,
    To force the user to select a minimum of 5 questions and allow the user to log in by answering any 2 of them, you can follow these steps:
    1) The Default Identity Manager Account Policy can be modified by adding the following entries in the 'Secondary Authentication Policy Options' section:
    a) For Login interface: select 'User Interface' from the drop-down.
    b) Tick 'Enforce Answer policy at login'.
    c) Select 'Any' from the Authentication Question policy drop-down.
    d) Enter 2 as the minimum number of questions to be answered.
    e) Add all the questions that need to be answered.
    Now, since I don't recommend modifying the out-of-the-box 'Login Change User Answers Form', copy its content into another form; let's name it 'Modified Login Change User Answers Form'. Modify the text in the 'questionPrompt' label:
                <eq>
                  <ref>waveset.loginInterfaces[<ref>selectedLoginInterface</ref>].questionPolicy</ref>
                  <s>Any</s>
                </eq>
                <message name='UI_AUTH_QUESTION_PROMPT_2'>
                  <i>5</i>  <!-- hard-coded here; the original value would be 2 as per your configuration -->
                </message>
    Also add validation in the form button at the bottom:
    <block>
      <set name='questions'>
        <null/>
      </set>
      <cond>
        <neq>
          <length>
            <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE]</ref>
          </length>
          <i>0</i>
        </neq>
        <dolist name='nmr'>
          <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE].name</ref>
          <cond>
            <notnull>
              <ref><expand>
                <concat>
                  <s>waveset.questions[</s>
                  <ref>nmr</ref>
                  <s>].answer</s>
                </concat>
              </expand></ref>
            </notnull>
            <set name='questions'>
              <add>
                <ref>questions</ref>
                <i>1</i>
              </add>
            </set>
          </cond>
        </dolist>
      </cond>
      <cond>
        <lt>
          <ref>questions</ref>
          <i>5</i>
        </lt>
        <s>please answer all five questions</s>  <!-- custom message to be displayed -->
      </cond>
    </block>
    Import the form and change the form mapping of 'loginChangeAnswers' to 'Modified Login Change User Answers Form'.
    I guess this matches your requirement.
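    As an added illustration (not Identity Manager code, and not part of the thread), the same policy in plain Python: enrolment rejects fewer than 5 answered questions, as the form validation above does, and a reset challenge picks any 2 of the user's own enrolled questions. The ten placeholder questions, the answer normalisation and the salted PBKDF2 hashing of stored answers are assumptions of this example and go beyond what the thread shows.

```python
"""Added example, not Identity Manager code: the 5-of-10 enrolment / any-2 reset
policy from the thread as plain Python. Question texts, answer normalisation and
salted PBKDF2 hashing of answers are assumptions made here for illustration."""
import hashlib
import hmac
import os
import random

# Constructed: ten questions in the policy, keyed like form fields.
QUESTIONS = {f"q{i}": f"Security question {i}?" for i in range(1, 11)}
MIN_ENROLLED = 5   # "Minimum Number of Questions User is Required to Answer" at setup
MIN_AT_RESET = 2   # minimum number of questions answered at Forgot Password


def _normalise(answer):
    """Case- and whitespace-insensitive so 'Rex ' still matches 'rex' at reset."""
    return " ".join(answer.lower().split())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode("utf-8"), salt, 100_000)


def enrol(submitted):
    """submitted maps question id -> answer (None or blank for unanswered).
    Mirrors the form validation: count the non-empty answers and reject
    fewer than MIN_ENROLLED. Returns the salted hashes to store."""
    answered = {q: a for q, a in submitted.items()
                if q in QUESTIONS and a is not None and a.strip()}
    if len(answered) < MIN_ENROLLED:
        raise ValueError(f"please answer at least {MIN_ENROLLED} questions "
                         f"({len(answered)} given)")
    stored = {}
    for q, a in answered.items():
        salt = os.urandom(16)
        stored[q] = (salt, _hash_answer(a, salt))
    return stored


def challenge(stored, rng=random):
    """Question policy 'Any': pick MIN_AT_RESET of the user's own enrolled questions."""
    return rng.sample(sorted(stored), MIN_AT_RESET)


def verify_reset(stored, responses):
    """responses maps question id -> answer given at Forgot Password.
    At least MIN_AT_RESET answers must be offered and every one must match.
    All comparisons run even after a miss so timing does not reveal which failed."""
    if len(responses) < MIN_AT_RESET:
        return False
    ok = True
    for q, a in responses.items():
        if q not in stored:
            ok = False          # not one of the questions this user enrolled
            continue
        salt, digest = stored[q]
        ok &= hmac.compare_digest(_hash_answer(a, salt), digest)
    return ok
```

The two thresholds are kept separate on purpose: the enrolment minimum decides how many hashes exist for the user, the reset minimum decides how many the challenge draws from them, which is the split the form hack above achieves inside IdM.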

  • Weblogic Security Programmatic Authentication API

    Hi all,
    I am trying to use the WebLogic authentication API with WebLogic 11g and JDeveloper 11.1.1.2.
    According to the Programming Security document, we can use the weblogic.security.SimpleCallbackHandler or weblogic.security.URLCallbackHandler class.
    But I don't see any library to import those classes from.
    Where can I download that library?
    With Regards,
    Wai Phyo

    Where can I get this jar (com.bea.core.weblogic.security_2.0.1.0.jar)? I have installed WebLogic 10.3 on JDK 1.6 and it has com.bea.core.weblogic.security_1.0.0.0_6-0-3-0.jar, which does not have weblogic.security.spi.AuthenticationProviderV2.
    Any help on this will be really appreciated.
    Thanks.
    Ajay

  • Programmatic Authentication API

    Reading through the WL Server 8.1 docs on security, there is a section which talks
    about "Using the Programmatic Authentication API" in web apps, as opposed to posting
    to j_security_check. That section talks about two built-in CallbackHandler impls
    named SimpleCallbackHandler and URLCallbackHandler. What is the purpose of the
    URLCallbackHandler? Specifically, what is the URL passed into the constructor
    supposed to represent?
    The docs say to look at the javadoc comments which, unfortunately, are completely
    useless.
    TIA

    "Steve Ebersole" <[email protected]> wrote in message
    news:3f9532fa$[email protected]..
    > Reading through the WL Server 8.1 docs on security, there is a section which talks
    > about "Using the Programmatic Authentication API" in web apps, as opposed to posting
    > to j_security_check. That section talks about two built-in CallbackHandler impls
    > named SimpleCallbackHandler and URLCallbackHandler. What is the purpose of the
    > URLCallbackHandler? Specifically, what is the URL passed into the constructor
    > supposed to represent?
    The URLCallbackHandler is used primarily for fat clients that are using JAAS
    to log in to the server. The URL is that of the server.

  • Authentication APIs in Oracle e-Business Suite

    Hi All,
    Does Oracle E-Business Suite offer any authentication APIs?
    If yes, please provide me a pointer to them.
    Thanks,
    Shyam

    Hi,
    Let me first tell you my requirement. I have to implement SSO between Oracle E-Business Suite v12 and a third-party system.
    In this use case, the incoming request first goes to the third-party system, which makes the authentication and authorization decision; upon success it adds the user name to an HTTP header and forwards the request to the Oracle E-Business Suite login code.
    So we have to modify/extend the login code of Oracle E-Business Suite so that it can read the value of the HTTP header set by the third-party application, and then locate this user in FND_USER.
    My questions around this are:
    1. Does Oracle E-Business Suite provide APIs to locate a user given a user name/user ID? If yes, please provide a link to the usage of this API.
    2. What is the name of the file that does the job of login/authentication?
    Thanks,
    Shyam

  • Secondary authentication for KM links..........

    Hello all,
    I have created a URL iView for a document stored in the KM repository. The URL I used can be found at <name of the doc> -> Details -> Settings -> Properties -> Access Links.
    When a user successfully logs in to the portal, this iView again pops up a window for authentication.
    Does anybody know how to eliminate it?
    Thanks & regards,
    Amol

    Try this:
    Go to Content Management -> Global Services -> URL Generator Service.
    Make the following changes:
    a) Replace the prefix /irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs in the parameters Image Path, Viewer, XML Forms CSS URL, and Content Access Path with /irj/go/km/docs.
    The entry in the Image Path parameter must look as follows: /irj/go/km/docs/etc/public/mimes/images
    b) Replace the prefix /irj/servlet/prt/portal/prtroot/com.sap.km.cm.uidetails in the parameters Resource Properties Page and New Resource Properties Page with /irj/go/km/details.
    c) Replace the prefix /irj/servlet/prt/portal/prtroot/com.sap.km.cm.navigation in the parameters Explorer Servlet and Navigation Servlet with /irj/go/km/navigation.
    d) Replace /irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent in the parameter Highlighted Content with /irj/go/km/highlightedcontent.
    e) Replace /irj/servlet/prt/portal/prtroot/com.sap.km.cm.basicsearch in the parameter Basic Search Servlet with /irj/go/km/basicsearch.
    Regards, Fede

  • ASA5510 - VPN AnyConnect - Two Part Authentication

    Currently, we have the AnyConnect client authenticating our users to our AD environment. All is working as desired. Now our control agency is requiring two-step authentication for VPN access. Is it possible (and if so, how do you do it) to also configure the AnyConnect client login to send a PIN to the AD user's registered cell phone and then require that PIN to be input to complete the VPN login process?
    This is basically the sequence that I foresee:
    1. The AnyConnect client requests and then validates the user's AD credentials.
    2. The ASA 5510 generates and sends a one-time 4- to 6-digit PIN to the AD user's cell phone.
    3. The AnyConnect client presents a dialog box awaiting the PIN to be entered.
    4. The user enters the PIN and completes the login once the ASA validates the PIN.

    Hi,
    You can use secondary authentication:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1452151
    Do you have any external server/vendor for that PIN (one-time password) authentication?
    How would the user in step 3 know which PIN to type (if it's generated one-time)?
    With RSA one-time passwords you could configure it as RADIUS and use the secondary authentication feature.
    You could also use ACS as a proxy between the ASA and RSA.
    Michal

  • Web Services Authentication Error - AUTH_0005

    Authentication via the AuthenticationService is successful, returning a valid Session ID. Authentication via passing an AuthenticationToken in the SOAP Header fails with an error of AUTH_0005 "The user name header is invalid ...".
    We are calling newScale web services from an external application. Making a call to the AuthenticationService using this SOAP request is successful:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:aut="http://authentication.api.newscale.com">
        <soapenv:Header/>
        <soapenv:Body>
           <aut:authenticate>
              <aut:userName>username</aut:userName>
              <aut:password>password</aut:password>
           </aut:authenticate>
        </soapenv:Body>
    </soapenv:Envelope>
    The return data is:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <soap:Header>
           <AuthenticationToken>
              <Username>username</Username>
              <SessionId>1FD9023262278342CACF63D0D6C5A8F2</SessionId>
           </AuthenticationToken>
        </soap:Header>
        <soap:Body>
           <ns1:authenticateResponse xmlns:ns1="http://authentication.api.newscale.com">
              <ns1:personInfo>
                 <active xmlns="http://authentication.api.newscale.com">false</active>
                 <email xmlns="http://authentication.api.newscale.com">[email protected]</email>
                 <employeeCode xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <firstName xmlns="http://authentication.api.newscale.com">user</firstName>
                 <homeOrganizationalUnitName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <lastName xmlns="http://authentication.api.newscale.com">name</lastName>
                 <localeName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <login xmlns="http://authentication.api.newscale.com">username</login>
                 <managerEmail xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <managerName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <managerPhone xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <placeName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <status xmlns="http://authentication.api.newscale.com">0</status>
                 <timeZoneName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
                 <title xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
              </ns1:personInfo>
           </ns1:authenticateResponse>
        </soap:Body>
    </soap:Envelope>
    However, when we pass credentials in an AuthenticationToken when accessing any of the other services, we get an error. For example:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://requisition.api.newscale.com">
        <soapenv:Header>
           <req:AuthenticationToken>
              <req:Username>username</req:Username>
              <req:Password>password</req:Password>
           </req:AuthenticationToken>
        </soapenv:Header>
        <soapenv:Body>
           <req:getServiceDefinition>
              <req:initiatorLoginName>username</req:initiatorLoginName>
              <req:customerLoginName>username</req:customerLoginName>
              <req:serviceName>VMSpinup</req:serviceName>
           </req:getServiceDefinition>
        </soapenv:Body>
    </soapenv:Envelope>
    Yields this error:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <soap:Body>
           <soap:Fault>
              <faultcode>soap:Server</faultcode>
              <faultstring>The user name header is invalid. It is either not present or empty!. Please send a valid header.</faultstring>
              <detail>
                 <RequisitionFault xmlns="http://requisition.api.newscale.com">
                    <errorCode>AUTH_0005</errorCode>
                    <errorMessage>The user name header is invalid. It is either not present or empty!. Please send a valid header.</errorMessage>
                 </RequisitionFault>
              </detail>
           </soap:Fault>
        </soap:Body>
    </soap:Envelope>
    Unfortunately, I cannot find any details on the meaning of this error or what its cause is. There appears to be a valid SOAP header. Is it talking about the HTTP header instead?
    Thanks.

    I posted this same question here on the forum; bottom line, this does not work. You need to pass in the username and password each time.
    https://supportforums.cisco.com/message/3492955#3492955

  • 2 Factor Authentication for Anyconnect VPN using ISE

    We are planning to implement two-factor authentication for AnyConnect VPN.
    The end users will be authenticated using the domain name in machine certificates and username/password, with
    ISE used as the RADIUS server.
    We have the following approaches to achieve this:
    1. Use primary and secondary authentication with user credentials as the primary authentication
    and the CN field of the certificate as the secondary authentication. However, this option prompts users for a password for
    both fields, while we want the machine certificate to authenticate itself without a password.
    2. The second approach is to authenticate using user credentials and authorize the user to access the network if
    the machine certificate has a domain name in the CN field, which we are able to validate against AD using a
    Dynamic Access Policy.
    We look forward to discussion of the above approaches and are open to any other
    solution.

    Hi Umahar,
    Not sure I understood correctly. You would like to authenticate the user using the machine certificate for AnyConnect, extract the CN attribute from the client's certificate and send it to the ISE server to further authenticate with AD. And you don't want an additional password prompt to be presented to the user.
    If my understanding is correct, then the user would get a prompt for the password at least, because there is no password in the machine certificate, but to authenticate with RADIUS/TACACS we need both username and password. So how would the user get authenticated without a password?
    If you are looking for a way to just see if the user is present in AD, not exactly an authentication, then this might not be possible.

  • Bridge Flickr module update due to Flickr API change

    Dear users,
    As Flickr will disable the old authentication API and recommends that third-party applications switch to the new OAuth API by July 31 (http://code.flickr.com/blog/2011/06/21/flickr-now-supports-oauth-1-0a/), we have made an update to the Bridge Flickr module for this change. We pushed the Flickr module update to the update server on July 31. So please note:
    Now, when you open the Bridge Export panel and attempt to use the Flickr module, Bridge will automatically do the update and then notify you that a restart of Bridge is needed.
    Once you finish the update, the Flickr authentication flow is a little different. You need to enter into Bridge a code that you get after authorizing on the Flickr web site. Please see the picture below.
    This update will be available for the Bridge CS5, CS5.1 and CS6 Export panel.
    Adobe Bridge team

    Hi,
    I recently posted an issue with this here: http://forums.adobe.com/thread/1366073
    Can you please help with this? Basically it is not taking me to the Flickr website to get the code when I try to pair Adobe Bridge with Flickr.

  • What is the work done by the authentication application residing in the iPlanet Portal Server?

    Please explain the authentication application.

    I would recommend you take a look at the administration guide for the portal. It will give you a basic idea about authentication and the different authentication modules shipped with the portal.
    http://docs.iplanet.com/docs/manuals/portal/30/ag/authctn.htm#741907
    You might also want to take a look at the programmer's reference guide, which explains the authentication APIs available.

  • Bypassing Identity server authentication

    I am working on Sun ONE Portal 6.0 and its bundled Identity Server 5.1. I am exploring various methods to authenticate users transparently without the login screen being shown.
    1. Can we pass params through the query string, something like "http://portal.domain.com/amserver/login?module=LDAP&TOKEN0=uid&TOKEN1=pwd", to achieve it?
    2. I have gone through the SSO package and tried to find a method
    to retrieve the SSOTokenID for web-based authentication. I could not find any.
    3. I have gone through the Authentication API whose implementation example is given in the ../authentication/LDAP directory. But it is in Identity Server 6.0.
    4. Is it possible to write a customised authentication module to authenticate the user and retrieve a cookie to be set on the browser?
    Can anybody suggest a solution?

    As for your first step, you can pass the parameters to the amserver login module and authenticate the user against the authentication backend. This is not bypassing the Identity Server itself; it's a way of authenticating the user without going through the login screen of that particular module.
    As far as I know, you can develop your own authentication module and pass the cookie that you want to pass and carry the session.

  • Connect to Linkedin API with Power Query

    Hello,
    Is there a way to create Power Query queries that connect to the LinkedIn API permanently (like Power Query does with Facebook)? I know it is possible to access the LinkedIn API the way Shish Shridar did it, but it is pretty limited and thus frustrating (see his
    article entitled "Analyzing LinkedIn Data using PowerBI" on his blog).
    I am sorry to ask without more technical details, but I am pretty new to Power Query. I guess it has something to do with OAuth2 authentication not being implemented in Power Query...
    I would be delighted if someone would be kind enough to provide me some insight on this issue!

    Thanks for your answer.
    What if I create an app to get the required access token etc.? I know an Excel add-in could be considered a Twitter app, and thus be able to connect to the website's API (I'm thinking about Analytics for Twitter 2013, for instance). Is there any way to
    do the same with LinkedIn?
    I guess this is far beyond my capacities for now, but any insight would be very much appreciated!
    [EDIT]
    I did a little more research... I created a LinkedIn app and then followed the steps described in the official documentation to enable it to make authenticated API calls to LinkedIn using OAuth 2.0 (I cannot use hyperlinks for now, but here is the full link
    to the official doc: https://developer.linkedin.com/docs/oauth2)
    Maybe some VBA would be able to request an authorization code via this type of URL: https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=MYCLIENTID&state=STATE&redirect_uri=MYREDIRECTURL
    - Then the user will be presented with LinkedIn's authentication dialog box. Is VBA able to fill in this login form?
    - If it is, then it should get the code displayed in the redirection URL, which looks like:
    MYREDIRECTURL?code=THECODETOGETWITHVBA&state=STATE
    - If VBA could, then it just has to go to this new URL: https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=THECODETOGETWITHVBA&redirect_uri=MYREDIRECTURL&client_id=MYCLIENTID&state=STATE&client_secret=MYCLIENTSECRET
    - At this point, the last URL returns the access token, which could then be stored somewhere in Excel and thus used in Power Query (pretty easy to do using headers like this:
    Headers=[#"Authorization"="Bearer Access Token"])
    Hope someone will see this and tell me if it is feasible and likely to succeed.
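    As an added worked example (not code from the thread, from Power Query or from LinkedIn), here is the authorization-code flow laid out in the edit above, in Python: build the authorization URL with a random state, verify that state when the redirect comes back, exchange the code for a token, and build the Bearer header. The two endpoint URLs are the ones quoted above; the client id, client secret, redirect URI and the in-memory FakeAuthServer are constructed so the flow runs offline. Two practical differences from the URLs in the post: the token request sends the code and client_secret in the POST body rather than in the query string, and state is generated per request and checked, not just echoed.

```python
"""Added example (not from the original post): the OAuth 2.0 authorization-code
flow sketched in the thread, with the state check and token exchange done
properly. Endpoint URLs are the ones quoted in the post; the client id, secret,
redirect URI and the offline FakeAuthServer are constructed for illustration."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://www.linkedin.com/uas/oauth2/authorization"
TOKEN_URL = "https://www.linkedin.com/uas/oauth2/accessToken"


class OAuthCodeClient:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._pending_states = set()  # one-time CSRF tokens, per browser session

    def authorization_url(self):
        """Step 1: the URL the user is sent to. state is random and remembered."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })

    def code_from_redirect(self, redirect_url):
        """Step 2: parse MYREDIRECTURL?code=...&state=... and verify the state."""
        if not redirect_url.startswith(self.redirect_uri):
            raise ValueError("redirect to unexpected URL")
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [""])[0]
        if state not in self._pending_states:
            raise ValueError("unknown or reused state (possible CSRF)")
        self._pending_states.discard(state)  # single use
        if "error" in params:
            raise ValueError("authorization denied: " + params["error"][0])
        return params["code"][0]

    def token_request(self, code):
        """Step 3: form body for the token endpoint. The secret goes in the
        POST body, never in a URL (URLs end up in logs and browser history)."""
        return TOKEN_URL, urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })

    def exchange(self, code, post):
        """post(url, body) -> dict; a real client would do an HTTPS POST here."""
        url, body = self.token_request(code)
        response = post(url, body)
        if "access_token" not in response:
            raise ValueError("token endpoint error: " + str(response))
        return response["access_token"]


def bearer_header(access_token):
    """Step 4: the header a Power Query Web.Contents(Headers=...) call would carry."""
    return {"Authorization": "Bearer " + access_token}


class FakeAuthServer:
    """Constructed stand-in for the provider so the flow runs offline."""
    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes = {}  # issued code -> redirect_uri it was bound to

    def user_authorizes(self, authorization_url):
        """Simulates the user approving the app; returns the redirect URL."""
        q = parse_qs(urlparse(authorization_url).query)
        assert q["client_id"][0] == self.client_id
        code = secrets.token_hex(8)
        self.codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def post(self, url, body):
        p = parse_qs(body)
        if url != TOKEN_URL or p["grant_type"][0] != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if p["client_secret"][0] != self.client_secret:
            return {"error": "invalid_client"}
        if self.codes.pop(p["code"][0], None) != p["redirect_uri"][0]:
            return {"error": "invalid_grant"}  # unknown, already used, or wrong redirect
        return {"access_token": "tok_" + secrets.token_hex(8)}


def run_flow(client, server):
    """The four steps end to end; returns the header to attach to API calls."""
    redirect = server.user_authorizes(client.authorization_url())
    code = client.code_from_redirect(redirect)
    return bearer_header(client.exchange(code, server.post))
```

The state set is per client instance here; in an Excel or web client it would live in whatever per-user session store is available, and the access token, once obtained, should be stored with the same care as the client secret rather than in a visible worksheet cell.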
