GRC 10.1 custom security policy

On GRC Java system, I am not able to create custom security policy under UME->Configuration->Security Policy. I am able to create on all other systems except GRC and NWDI system   I it related to support pack level or facility is not available on these releases
Thanks Shankar

Shailendra:
Might be because there is no Java stack.  AC and PC now run on the ABAP stack and I think SAP recommends not using dual stack.  The only Java stack in the GRC 10.0 landscape that I'm aware of is for ADS.
Thanks.
Matt

Similar Messages

  • Difficulties loading custom security Policy object.....

    I just finished reading the white paper entitled �When java.policy Just Isn�t Good Enough� and I found a lot of good information for creating my own extension of java.security.Policy. I�m having a difficult time figuring out how to (best) load the policy, and I�ll explain why, but first I�d like to make sure that I�m extending the Policy class correctly. Don�t worry, I�ll be as brief as possible. My class looks something like this with a few more permissions than what i've included here (for brevity):
    public class MyPolicy extends Policy {
                private static MyPolicy INSTANCE = new MyPolicy();
                private PermissionCollection perms = new Permissions();
                private MyPolicy() {
                            constructPerms();
                public static MyPolicy getInstance() {
                            return INSTANCE;
                public PermissionCollection getPermissions(CodeSource arg0) {
                            return perms;
                public void refresh() {
                            // permissions won't change, so nothing necessary here!
                public void constructPerms() {
                            // I�m adding other permissions, but here are a few basic ones just for the idea:
                            perms.add(new PropertyPermission("java.version", "read"));
                            perms.add(new PropertyPermission("java.vendor", "read"));
                            perms.add(new PropertyPermission("java.vendor.url", "read"));
    }I have this class in a package that will reside inside of a jar on the target machine. The jar will be wrapped in an executable, and we�ll be distributing a JRE directory that will reside in the same (installation) directory as the executable. I�m not sure how to specify this as my Policy implementation on startup of the JVM. For security reasons, I want to rely as little as possible on security stuff outside of my exe-wrapped-jarfile. I can pass whatever parameters I want to the JVM, including �Xbootclasspath, but I�m not sure what I need to get things working this way.
    I tried another approach. I don�t really like it, but I just wanted to try it this way to test my Policy implementation. I edited my java.policy file to look like this:
    grant {
                // Custom permissions to allow app to load
                // and then set MyPolicy as Policy object:
                permission java.security.SecurityPermission "getPolicy";
                permission java.security.SecurityPermission "setPolicy";
                permission java.util.PropertyPermission "stuff.*", "read,write";
    };And then in my main() method, I loaded it like this:
    Policy myPolicy = MyPolicy.getInstance();
    Policy.setPolicy(myPolicy);But that doesn�t seem to work because I�m getting an AccessControlException: access denied (java.awt.AWTPermission replaceKeyboardFocusManager)
    Even though I have this permission in my implementation:
    perms.add(new AWTPermission("replaceKeyboardFocusManager"));Do you have any ideas what I�m doing wrong, or how I could fix them? Any information would be greatly appreciated. Thanks in advance!
    Steve

    Hey
    I have just finished such a policy implemention - boy could I have done with your help!
    I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
    When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact your executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
    I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
    I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
    Warm regads,
    D

  • WebStart, custom security policy and debugging

    Hi,
    Please forgive the long post, it's an obscure problem.
    A year ago I implemented a custom instance-centric security policy that uses a database for storing permission data. It has served our needs very well on the server side. Now, however, I need to reuse it in a client application deployed to about 50 users via WebStart (there are more similar applications coming which will take the user base to about 200).
    For some reason, the permissions are not being properly evaluated under WebStart. Tracing through my policy code, I can see that calls to imply() return with expected true/false values, however, when the internals of Java's underlying security API aggregate the results, calls to AccessController.checkPermission() don't raise exceptions when and where they are expected to.
    This is really a hard problem to debug/trace. When I run the application locally, I have no problems with security checks even if I run it under a security manager (via -D.java.security.manager). Tracing to standard helps to a point and I can see that there is a difference: during the local runs, calls to MyCustomPolicy.implies(Permission, Domain) are made once per every AccessController.checkPermission() call made from the business layer. Under WebStart, there are three calls to MyCustomPolicy.implies() per every call to AccessController.checkPermission(). All three calls seem to come from the same stack frame. All three return 'false', yet AccessController.checkPermission() doesn't raise an exception.
    Analyzing stack's state at the point MyCustomPolicy.implies() is been called, I think the answer to my problem may lie in the following code snippet of AccessControlContext.checkPermission(Permission):
            for (int i=0; i< context.length; i++) {
                if (context[i] != null &&  !context.implies(perm)) {
    if (debug != null) {
    debug.println("access denied "+perm);
    if (Debug.isOn("failure")) {
    Thread.currentThread().dumpStack();
    final ProtectionDomain pd = context[i];
    final Debug db = debug;
    AccessController.doPrivileged (new PrivilegedAction() {
    public Object run() {
    db.println("domain that failed "+pd);
    return null;
    throw new AccessControlException("access denied "+perm, perm);
    I believe that somehow one of the iterations gets to "return null" line, but at the moment I have no way of verifying this.
    I'm finally getting to my question. In order for me to understand what's going on, I need to enable debugging of AccessControlContext. I can do this by setting java.security.debug system property. Again, I have no problem enabling debugging on a local system, but not under WebStart.
    Here's what the relevant markup in the .jnlp file looks like:
    <resources>
    <j2se version="1.5" max-heap-size="128m" initial-heap-size="32m" java-vm-args="-Djava.security.debug=all">
    </j2se>
    <!-- a bunch of jar declarations -->
    <property name="java.security.auth.login.config" value="jar:swing-app-SNAPSHOT.jar!/jaas_login.properties">
    </property>
    <property name="java.security.debug" value="all">
    </property>
    </resources>
    this seems to have no effect and no debugging output appears. Any ideas why? Is there anything else I can do to enable debugging of AccessControlContext under WebStart?
    I don't expect too many replies to my post (unless 3 sleepless weeks made me miss something really obvious), but if anyone can offer a hit/hit/insightful comment :), that would be great.
    Dmitry

    Hey
    I have just finished such a policy implemention - boy could I have done with your help!
    I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
    When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact your executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
    I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
    I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
    Warm regads,
    D

  • Invoke a business service base in a WSDL with customer WS-Security Policy

    Customer write a Web service (Refer to the attachment file “HTTPS_PartyServicePortType.WSDL”)which declare a WS-Security Policy and apply this it to WS binding ,How can I generate a business service base in this WSDL and invoke it successfully?
    When create a business service in OSB, we get a error with below messages
    [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
    After enhanced the OSB domain with OWSM extension, we found the OOTB OWSM defined cannot support the HttpsToken and OSB cannot support below WS-Policy defined in OWSM, refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
    51.2.8.1 Unsupported Assertion
    •     binding-permission-authorization
    •     http-security
    •     OptimizedMimeSerialization (MTOM)
    •     RMAssertion (Reliable Messaging)
    •     sca-component-authorization
    •     sca-component-permission-authorization
    •     UsingAddressing
    •     wss-saml-token-bearer-over-ssl (Authentication)
    it means that we cannot generate a web service with customer WS-security Policy
    The WS-Security Policy is shown as below:
    <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
    <sp:TransportToken>
    <wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/>
    </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
    <wsp:Policy><sp:Basic256/></wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    BestRegards!
    Simon

    Hi
    According to
    http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
    If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
    Can you make sure the policy file is in there?
    Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
    Vimala-

  • How to create a custom java client Security Policy File?

    I have a stand-alone java client which invokes a .NET WSE 3.0 enabled web service. The web service SOAP header requires username token to be passed from my java client.
    Could some one kindly provide a sample of a client-side Security Policy File?
    Your help is very much appreciated.
    Mike

    This is still a workaround...
    But if you put checks on all your forms to see if the user has accepted the terms (assumes there is an attribute tracking this) then you can redirect the user to the terms/conditions forms. Still not spoof-proof, but it would be bookmark proof. (and a pain if you have too many forms)

  • Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have MII Super Administrator role, few custom roles and I also have Action "Manage_All" and I am able to perform most of the activities on UME but I don't see any option to create new security policies all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version or MII version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE or MII?
    Any suggestions will be of great help
    Thanks,
    Adarsh

    Adarsh,
    I am not a NW UME expert, but I know this issue has nothing to do with MII.  Not sure if you have rights but providing the Administrators Group for the UME database should allow you to do this. 
    I would try posting this thread on the NW UME Forum.  Modifying policies in NW has nothing to do with MII. 
    Just to verify what policies are you trying to change, I am assuming they are in NW UME and not MII, is this correct?  If they are in MII can you be more specific.
    Good luck.

  • Osb 10gR3 - Active Intermediary proxy with custom WS-Policy files

    I'm setting up an Active Intermediary proxy, and the Security option on the proxy to "Process WS-Security header" is only usable when Custom Policy Bindings are assigned to the proxy. But I don't want to use the default Oracle policies.
    The "Select WS-Policy" popup within OSB only shows entries under the Predefined Policy tab. Yet I have custom WS-Policy files which have been imported into OSB.
    So what's the trick?

    Hi,
    Below are the steps followed
    - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
    - Iam invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
    - I can invoke the osb proxy from bpel by passing credentials - No Issues.
    Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
    -I used Role=Admin as a policy condition restriction under security in Proxy service.
    -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has a Admin Role.
    -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
    All Iam trying to do is to protect my proxy by authrorization policy.
    Thanks
    Jagan.

  • Custom WS-Policy Files in Console Service Endpoint Polices List

    hi
    Not sure which WLS newsgroup for this so here goes.
    I want to assign custom WS-Policy files to a web service via the console (i.e. post-deployment).
    By default, the Service Endpoint Policies list only shows a small subset of default policy files within weblogic.jar and none of the Wssp1.2-* policy files. (i.e. only the proprietary WLS 9.0 WS-Policy files)
    Is this correct behaviour? I want to experiment with policies based on the current WS Security Policy Standard without hard-coding the names of files into the service.
    Is there a way to make these other supplied WSSecurityPolicy 1.2 policies appear in the list?
    Thanks
    Jim Nicolson

    Hi,
    Below are the steps followed
    - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
    - Iam invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
    - I can invoke the osb proxy from bpel by passing credentials - No Issues.
    Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
    -I used Role=Admin as a policy condition restriction under security in Proxy service.
    -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has a Admin Role.
    -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
    All Iam trying to do is to protect my proxy by authrorization policy.
    Thanks
    Jagan.

  • CUP - Customizing Security & Roles

    Hello,
    Using the GRC AC 5.3 Security Guide, we've been customizing our front-end CUP roles to fit our needs. We're having trouble customizing one particular area, however.
    Example:
    When an approver (AEApprover role) or administrator (AEAdmin role) logs into CUP to view a request, they see a screen several tabs across the middle of the screen - Roles/Profiles, PD Profiles, Risk Violations, Mitigation, Superuser Access, Comments, and Request Reason.
    We were hoping to get rid of the "PD Profiles" and "Superuser Access" tabs because we arn't using this functionality and feel it would be less confusing for the approvers if they didn't have to see it.
    Looking through the security guide, however, we can't find any specific Actions that relate to these tabs. We've removed "ViewSelectPDProfiles" and "ViewSuperAccess" from the approver role but these seem to only relate to the buttons.
    Am I missing something? Are there any other ways we can customize what middle tabs approvers see in CUP?
    Thanks!!
    Jes Behrens

    Hello jes,
    Yes you are right that these pemissions are for buttons and not for tabs. You can not remove any of these tabs.
    Regards
    Harleen
    SAP GRC RIG

  • User gets locked in lesser attempts than security policy setting

    Hi
    I have written my customized login code to login a user to the
    portal and I user the following code:
    IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
    IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
    IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
    ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
    req.setAttribute(JUSER,myUser.getUniqueName());
    req.setAttribute(JPASSWORD,password);
    ILA.logon(req,res,AUTHSCHDEFAULT);     
    I notice that whenever I try to logon using my code with a
    wrong password, the user gets locked in 3 attemps even though the security policy
    (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
    (Although, please note that my code works fine logging the
    user into the portal when he enters the correct password)
    I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
    and notice that it locks correctly after 5 attempts.
    Would I have to add anything else in my code to make it work
    correctly?
    Thanks
    oj

    Hi All
    I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
    What am I doing wrong?
    Thanks
    OJ

  • Option to Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have "Administrator" role, "MII Super Administrator" role, few custom roles and I also ensured that "Administrator" role has Action "Manage_All" and I am able to perform all of the activities on UME except that I don't see any option to create new security policies, all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    I need have different security polices for different users based on their roles.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE?
    I had posted similar question in MII forum but was recommended to post in NW forums.
    So any suggestions will be of great help
    Thanks,
    Adarsh

    what is Security Policy ?

  • Testing Security policy attached web service

    Hi,
    I am facing a scenario where I need to test our web service ( which has security policy annotation ) in the similar way how the ( external ) customer would do , i.e with security policy attached. So is there any way to test this scenario..?
    though there are some SSSP envts to enable this security policy to the soap requests, we want to test in all envts irrespective of oracle infrastructure ( as the customer does).
    Thanks,
    Praveen S K

    We do most of our external testing of this type using soapUI. This allows us to sign/encrypt messages or provide a username/token. This also allows the creation of repeatable test suites with validations built into them.
    Thanks,
    Adam DesJardin

  • OSB 10.3 and custom signing policy

    Good morning.
    I had several problems receiving signed messages from a customer. We have an active intermediary proxy, with a custom policy based on "Sign.xml" to require signing of message body.
    But out customer is signing using a third-party solution, so our proxy can't validate his message. We are trying to create a custom policy without "bea" namespaces, that is:
    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="firma"
      >
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:Policy>This policy seems to be ok, but when we try to attach this as a "Custom policy" in the proxy, it is not in the list of custom policies.
    Can't Oracle process non-propietary policy file?.
    Thanks.

    Please refer section "Creating and Using Custom WS-Policy Statements" at -
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
    Regards,
    Anuj

  • Service level accounts and security policy

    Hello Experts,
    We would like to roll out production environment at a customer. The documentation does not provide very good solution for the scenario when service level accounts are changing.
    Customer's security policy requires all administrative accounts to be named e.g. firstname.lastname@domain. Generic productadmin@domain which are not identifiable can not be used on production servers.
    It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server &c.
    If specific domain user is also member of local administrators group, he/she can indstall the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter can not access the system with administrative rights.
    Moreover, if the BPC administrator's account is disabled for whatever reasons, the system fails.
    Is there any good suggestions for this kind of scenario?
    Thanks

    Thanks Scott,
    This is what I have suggested but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems, the administrative accounts can only be personal accounts like firstname.lastname@domain.
    It seems that the only solution is to use administrator's personal credentials and in case those change, they need to go through the Ops guide and change everything manually.
    Lucikly there is a bit simpler way to do this. Instead of manually changing credentials for every COM+ app as Ops Guide suggests, you can olny change three of those:
    OsoftDatabaseADMIN
    OsoftDatabaseSYSADMIN
    OsoftDatabaseUSER
    Then use Service Manager password reset function and it will update all COM+ apps in one go.

  • How i replace default password policy with my custom password policy

    Hi All,
    can anybody help me to replace idm default password policy with my custom password policy?

    1. Go to Security --> Policies
    2. New --> String Quality Policy --> define rules --> save
    3. New --> Identity System account policy --> define rules and set the policy created in step2 to for password policy --> save
    4. Assign the policy created in step 3 to the user
    a. when create a user, under the 'Security' tab , for the 'Account policy' select the policy created in step
    b. Programattically, create /check out user view, assign the step 3 policy
    <set name='user.waveset.assignedLhPolicy'>
    <s>step 3 policy</s>
    </set>
    and checkin the view

Maybe you are looking for