How to pass kerberos ticket at api level?
Hi,
I am relatively new to the domain of Java Security, JAAS and JGSS. After reading the tutorials and examples, I was able to do authentication and message transfer using the Kerberos LoginModule. All the examples demonstrate message transfer and credential passing at socket level.
But in normal scenarios a server application exposes its APIs and the clients invoke remote methods on the server instead of sending data at a socket level.
My question is: can I use Kerberos and JGSS to pass the security context at API level without adding an argument for the security context in each API call?
In simple terms, is it possible to implicitly pass user credentials to the server at each API call instead of exchanging/encrypting data at socket level?
Is there any other mechanism that meets this kind of requirement?
Thanks,
Kapil
Seema, could you please elaborate on how GSS context is established?
The examples show that the context is established after a series of messages passed between client and server inside a while loop:
    while (!peerContext.isEstablished()) {
        // Produce the next token for the peer from the token last received
        byteToken = peerContext.initSecContext(byteToken, 0, byteToken.length);
        if (byteToken != null) {
            // Send the token to the peer, prefixed with its length
            outStream.writeInt(byteToken.length);
            outStream.write(byteToken);
            outStream.flush();
        }
        if (!peerContext.isEstablished()) {
            // Read the peer's reply token for the next round
            byteToken = new byte[inStream.readInt()];
            inStream.readFully(byteToken);
        }
    }
Is there any other way to establish GSS context?
Thanks & Regards,
Kapil
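The tokens returned by initSecContext and acceptSecContext in the loop above are opaque byte arrays, so the same handshake can ride on any call channel instead of a socket stream. The following is an added example, not code from the thread or from the JGSS tutorials; `GssOverApi`, `TokenChannel` and `Acceptor` are hypothetical names, and it assumes a working krb5.conf, JAAS entries named `client` and `server`, and a host-based service name (`service@host`) passed as the first argument.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class GssOverApi {
    /** Hypothetical transport: one remote call that carries a token and returns the reply token. */
    interface TokenChannel { byte[] exchange(byte[] token) throws Exception; }

    /** Server side of the call. The caller's identity is read from the context, never from an argument. */
    static class Acceptor implements TokenChannel {
        private final GSSContext ctx;
        Acceptor() throws GSSException {
            // null credential: use the acceptor key of the Subject in effect when a token arrives
            ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        }
        public byte[] exchange(byte[] token) throws GSSException {
            return ctx.acceptSecContext(token, 0, token.length); // null once nothing is left to send
        }
        String caller() throws GSSException {
            if (!ctx.isEstablished()) throw new IllegalStateException("context not established");
            return ctx.getSrcName().toString();
        }
    }

    /** Client side: the tutorial loop, with the socket reads and writes replaced by channel.exchange(). */
    static GSSContext initiate(String service, TokenChannel channel) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSContext ctx = manager.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // the server must prove its identity too
        byte[] in = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] out = ctx.initSecContext(in, 0, in.length);
            byte[] reply = (out != null) ? channel.exchange(out) : null;
            if (!ctx.isEstablished()) {
                if (reply == null) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                in = reply;
            }
        }
        if (!ctx.getMutualAuthState()) throw new GSSException(GSSException.FAILURE);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed JAAS entries "server" (keytab, isInitiator=false) and "client" (ticket cache or keytab)
        LoginContext server = new LoginContext("server");
        server.login();
        LoginContext client = new LoginContext("client");
        client.login();
        Subject srv = server.getSubject();
        Acceptor acceptor = Subject.doAs(srv, (PrivilegedExceptionAction<Acceptor>) Acceptor::new);
        // Stand-in for the remote call: here the "server" runs in the same JVM
        TokenChannel channel = token ->
                Subject.doAs(srv, (PrivilegedExceptionAction<byte[]>) () -> acceptor.exchange(token));
        GSSContext ctx = Subject.doAs(client.getSubject(),
                (PrivilegedExceptionAction<GSSContext>) () -> initiate(args[0], channel));
        System.out.println("server sees caller: " + acceptor.caller());
        ctx.dispose();
    }
}
```

In a deployment the `TokenChannel` implementation would be the existing remote call (for instance a header or a dedicated handshake method), and the server would key later calls to the established context rather than trusting a user name sent as a parameter.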
Similar Messages
-
Hi All,
Can you please let me know how to pass po_number (Purchase Order Number) while creating an assignment. I'm using hr_asignment_api to create assignments. Or do we have any other way to pass the PO_NUMBER value to any API?
Thanks,
Anil
Hi jackytam,
/people/yeusheng.teo/blog/2008/01/05/ordering-unit-vs-order-pricing-unit-in-srm-sus
you may get some pointers
regards,
Neelima
-
How to delete kerberos tickets from client machine?
Although I am not having problems anymore with portable home directories reconnecting after a server reinstall on a different domain name, I'd like to know where the client stores the Kerberos ticket so I can just delete it next time. Does anybody know?
Kerberos.app. Available from Keychain Access's Keychain Access menu or in /System/Library/CoreServices.
-
How to pass the value from one level to another level
Example :
We have a scenario for a leave process.
Initially the user enters the name in the first action; the personal number should be picked from the first action and passed to a background RFC CO to pick the Payroll admin from R/3.
I designed the first data input form. I want to pick the personal number and pass it to the next action in background mode.
Thanks in advance
sukumar
Hi,
If you want to execute the step in background then you can use the callable object of type "Background Execution" or if you want to do any user interaction on that step then you can go for web dynpro callable object. Here is the link for Background Execution callable object.
http://help.sap.com/saphelp_nw70/helpdata/en/9a/e8934258a5ca6ae10000000a155106/frameset.htm
Here is also link for Web Dynpro Callable Object
http://help.sap.com/saphelp_nw70/helpdata/en/de/8976417f2d5558e10000000a1550b0/frameset.htm
If you have any confusion please let me know.
Thanks
Chandan
-
How to pass data from one component to another
Hi all,
We have added a button on "ICCMP_BTSHEAD" component, which will open a new popup component (Zcomponent), which will have some fields related to the order. Can anyone please tell us how to pass the ticket/ entity value to the new component so that it can be used there. Any pointers will be highly appreciated. Thanks.
Rgds,
@run
Hi Arun,
I have the same issue. I added the Follow-up (hyperlink) button in the Sales order. How can I get the view from the Interaction record follow-up by clicking on the hyperlink in the Sales order? Please help me.
Regards,
Swaraj
-
How do I create a kerberos ticket using coldfusion
I have 3 apps on our intranet that require authentication and would like to use Kerberos to accomplish this. This is my setup.
Users log in to the network and authenticate via Active Directory (all Windows based). Our web apps are on a box running Solaris 10, WebLogic app server, CF 9 and Oracle 11g. A group of our web apps on this server require users to authenticate through Oracle (not the web / app server).
I can authenticate with Kerberos via a PuTTY session on the server with no problems.
USING COLDFUSION, how do I request a Kerberos ticket and pass the necessary credentials to authenticate?
Can this be done?
I am looking for a CODE SAMPLE OF HOW TO DO THIS IN A UNIX environment, NOT WINDOWS.
I apologize for the frustrated tone of this post. However, after a week of reading documentation till my eyes bleed, to end up chasing my tail with no truly helpful info............
TIA
JB
This is something your web server should do, not CF. Configure your web server to participate in the Kerberos realm. If WebLogic is the web server (and not just the application server) configure that:
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html
If you have WebLogic configured to use Apache as a web server, configure that:
http://modauthkerb.sourceforge.net/
http://support.microsoft.com/kb/555092
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
-
How to use Kerberos & GSS-API to authenticate in Windows OS
Hi,
I need to use Kerberos and GSS-API authentication for user login in my JSP/Java application against Active Directory in Windows 2003 Server.
I have gone through one thread which is quite similar to my need, but it's used for a Linux host, which you can see below.
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Can anyone guide me on how to authenticate a user using Kerberos against Active Directory in a Windows environment?
Thanking you in advance.
Satyam AMIN
You can use Java GSS/Kerberos for authentication using any KDC (Solaris/Linux/Windows) provided you have set up the configuration.
Here are the Java GSS tutorials to get started:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
Seema
-
How to pass High Level Indicator (HLI) for Components?
Purchase Order has to pass from one system 1 (SAP) to another system 2 (SAP) and to create Sales Order in the system 2 automatically through ALE IDOCs.
How to pass HLI from one system to another using IDOCS? Which segments need to be passed and how? Help me with this. Thank you.
Hello Cnu,
Welcome to SDN.
High Level Design gives you an overview of what you are going to do to get the desired result (without going deep technical config. details)
Eg: What interfaces are you going to use ? Where you are going to load the data(including staging) ? How the reports are delivered ? How the Application Support is provided ? etc..
For a generic description of High Level Design see this http://en.wikipedia.org/wiki/High-level_design
by the way, who is your client in Aus. I am from Syd.
Cheers
Praveen
-
Initial Kerberos ticket only 10 minutes- how to fix?
I have a 10.5.8 server with OD and AFP set up.
I have an OD user account. I have two client machines, both bound to the OD server with Directory Utility.
On client A (10.5.8), I have a local user account that is "Managed, Mobile" with the same username/password as my OD account, but I'm using my local home directory as my default and not syncing to my server home directory.
On client B (also 10.5.8), which is a shared machine, I do not have a local account matching my OD account.
On every startup of client A, I automatically get a Kerberos ticket for the server, as I'd expect, but it has a life of only 10 minutes and does not auto-renew. As long as the ticket is valid, I can connect to and mount sharepoints on the server (without new authentication). Once the ticket expires, I can't connect to the AFP server without manually renewing the ticket (I use the Kerberos client) or re-booting. (Otherwise, I get a login prompt but credentials are not accepted.) If I renew the ticket, it renews for 10 hours and then I can connect to the AFP server, but I have to do this manually. It doesn't appear to matter whether I've set client A to trusted binding. I've set Kerberos preferences on A to a minimum and maximum ticket life of 10 hours, but this doesn't help.
On client B (also 10.5.8), with a similar setup in Directory Utility, I get a 10 hour ticket. (If I login at startup with my OD account, I get the Kerberos ticket immediately. If I login in with a local account, I'm prompted to authenticate when I attempt to connect to the AFP server and then can use my OD account to connect.) I've not waited to see if this ticket will auto-renew, but my Kerberos preferences (on both A and B) are set to a renewable life range of 7 days and I'm guessing that it will auto-renew on B.
Client B behavior is what I expect. Client A behavior I don't understand. Can anyone help me figure out what's happening (keeping in mind that I'm an OD novice!), so that I can stop client A from creating a ticket with such a short life?
Thanks in advance for any help.
I am not really following what you have and what you want here.
Each Sequence is unique, and has a Duration that is equal (or should be) to the total Duration of the Assets on that Sequence.
It is not until one defines the output and delivery of those Sequences, that any concern needs to be made for the Duration, and then the TimeCode for that delivery will incorporate the Durations from all Sequences used.
Let's take a DVD as an example. One edits in Sequences. Their Durations will be determined by Clips on each Sequence. While there are different workflows here, I am going to keep it very simple. I am also going to save typing, and just list the minutes of Duration for each Sequence.
I have 4 Sequences, #1 thru #4. I Export each Sequence as an AV file (DV-AVI on PC, or MOV on a Mac). Sequence #1 is 20 mins. long. Sequence #2 is 10 mins. Sequence #3 is 10 mins. Sequence #4 is 20 mins. This will be a total of 60 mins., when Imported into Encore for authoring the DVD. I assemble my 4 Sequences, in whatever order I wish, or use a Playlist to navigate to each/all in whatever order I wish. The TimeCode in the Sequences (back in PrPro) make no difference. Each starts at 00;00;00;00, and only the total Duration of each really counts for anything in my authoring. I can choose to play any/all, and in any order that I wish.
Now, if one wishes to Export to some other delivery scheme, say a MOV file combined into one, you can Nest (in the manual, or Help file) all Sequences into a single additional Sequence, and in any order that you wish, say Sequence 4, Sequence 1, Sequence 3 and Sequence 2. Then, just Export that new, Nested Sequence as a MOV file. That Nested Sequence does not care what the starting TimeCode of each of the contributing Sequences was. Only the total Duration of all Sequences matters.
Does that make sense? If not, can you articulate exactly what the problem with your Sequences is?
Good luck,
Hunt
-
Hi,
My ultimate goal is to validate a kerberos ticket generated by user1 on a server side application which connects to the KDC with user2.
I have been following the examples at: http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part2.html.
I have changed the krb5.conf to suit our environment, I have changed the jaas-krb5.conf to:
client {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]";
};
server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    isInitiator=false
    keyTab="file:///C:/user2.keytab"
    principal="[email protected]";
};
The principal of the server is getting validated by the keytab file, login is successful, however on trying to validate the ticket, I am getting:
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
I am new to Kerberos authentication, please can someone guide me how to do this type of validation.
Regards,
Sabyasachi.
http://www.afp548.com/article.php?story=20071109134320909&query=renew%2Btickets
"For the people that want auto-renew on Kerberos tickets you can continue to do the same thing that has worked since 10.2. Just open the Kerberos application and leave it running."
-
Hi All,
I was wondering how to pass text in MDX query.
Below mentioned is my sample query and it is working fine.
    SELECT
      {[Measures].members} ON AXIS(0),
      NON EMPTY [0MATERIAL].[LEVEL01].MEMBERS
      * [0DOC_NUMBER].[LEVEL01].MEMBERS ON AXIS(1)
    FROM [$ZTEST]
    WHERE {[0MATERIAL].[000012345]}
But in data base 000012345 consists of material name as Pepsi
Now based on Pepsi I want to fetch results? Is it possible?
Thanks in advance.
Srinivas,
So you are using JAVA, if you consult the developer's guide there is a section specifically addressing your question the ResultSet API should handle this via the formatted
Retrieving Result Sets
ResultSet API
Note that the concept allows for more than two axes, however a two-dimensional, table-like data set makes the
example easy to illustrate. On the columns axis, two members (Store Cost and Store Sales) of the measures
dimension have been selected; on the rows axis, three members (Berlin, Hamburg, and Munich) of the City level
of a geographical hierarchy. The dataset has six cells:
Cells provide four mandatory properties:
Value: supports all common column types, for example:
  o numeric types
  o dates
  o time values
  o strings
  o null
Data type: int value describing the data-type (see java.sql.Types)
Status: state of the cell (for example, error or null)
Formatted value: a string representation of value
You can retrieve text in this manner.
Do you want to be able to pass text as if it were a value as well?
Cheers,
Scott
-
No valid credentials provided: Failed to find any Kerberos Ticket
I'm running a java routine on a Windows 2000 workstation and trying to use JAAS to authenticate against a RedHat based kerberos server. When I do a login I get the following debug information:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: drrobison/admin
principal is drrobison/[email protected]
Added server's keyKerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 76 9B 32 9D 02 AB 23 4C
[Krb5LoginModule] added Krb5Principal drrobison/[email protected] to Subject
Commit Succeeded
When I print out the returned subject I get
Subject:
Principal: drrobison/[email protected]
Private Credential: Ticket (hex) =
Client Principal = drrobison/[email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 4F A7 BA 6D B0 E5 E5 6D
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket true
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Nov 25 17:16:35 EST 2002
Start Time = Mon Nov 25 17:16:35 EST 2002
End Time = Tue Nov 26 03:16:35 EST 2002
Renew Till = Null
Client Addresses Null
Private Credential: Kerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 76 9B 32 9D 02 AB 23 4C
Then when I try to use the GSSManager.createCredential I get the following error:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
GSSException No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket): No valid credentials provided: Failed to find any Kerberos Ticket
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.<init>(SimpleNTSCApp.java:115)
at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.main(SimpleNTSCApp.java:227)
Any ideas what the problem might be?
Many thanks in advance...
Hi,
I hope first that you solved your problem.
In fact I'm using Tomcat on Windows 2000 and I try to get tickets for a Kerberos V installation on a Linux box, using a Krb5LoginModule.
To do so, I would like to know how you tell your Windows box where to find the destination realm (in your case OPENROADSCONSULTING.COM).
If it is in the jaas.config file, could you send yours to me please?
Thanks in advance
Yann
-
How to pass soap request message to server?
How can I pass a SOAP request message to the server using an HTTP request header? The SOAP
message contains a remote procedure call which invokes the method at server side.
And where do I have to write that header request?
So I don't know how to pass the request SOAP message document
[addsoaprequest.xml]
Hello,
We have a diagnostic tool called Post [1] that will post the request
directly to a SOAP server. You can also try the graphical tool WeX [2]
so you can see what is happening at the wire level.
I may have misunderstood your question and goal. The purpose of the
JAX-RPC [3] API is to provide a high-level abstraction of SOAP
communications such as you describe.
What is your use case?
Thanks,
Bruce
[1]
http://edocs.bea.com/wls/docs81/webserv/trouble.html#1066132
[2]
http://webservice.bea.com/wex.zip
[3]
http://java.sun.com/xml/jaxrpc/index.html
-
How to Pass parameter to Custom Scheduler dynamically
hi ,
I am new to OIM.
Need your help in passing parameters dynamically to Custom Scheduler.
I have created Custom Scheduler by extending Task Support.
I have registered the plugin through API , using PlatformService.registerPlugin() method.
As I need to send the parameter(s) to this CustomScheduler, I have defined them in Metadata (CustomScheduleTask.xml) file as below and got it imported into DB
through weblogicImportMetadata.sh script by providing the path of the file.
<scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
  <task>
    <name>CustomScheduleTask</name>
    <class>org.schedule.custom.task.CustomScheduleTask</class>
    <description>Fetch details of the given user_id</description>
    <retry>5</retry>
    <parameters>
      <string-param required="true" helpText="Login Name">Login Name</string-param>
    </parameters>
  </task>
</scheduledTasks>
I am able to import this plugin as well as register the plugin successfully. Now I have defined a job to which this Custom SchedulerTask is mapped.
Now in order to run this job(schedule task) I need to provide Login name( or id) which needs to be send as a parameter for the scheduler to get executed.
But while defining the job with this Schedule Task on OIM console, I was not able to define or pass parameter to this job. hence parameter is null in
CustomSchedule 's execute method .
Kindly help me how to pass parameter dynamically while running the scheduler from OIM console so that the execute method would be able to receive it.
Thank you in Advance.
Regards,
Kumar
Hi,
When you have created the schedule job for your custom schedule task, you should see your Login Name textfield in the schedule task. If not, then verify your schedule task xml.
In your schedule class code, add:
    public void execute(HashMap arg0) {
        final String METHOD_NAME = "execute :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");
        try {
            // The key must match the <string-param> name in the task metadata
            String LoginName = (String) arg0.get("Login Name");
        } catch (Exception e) {
            logger.debug(CLASS_NAME + METHOD_NAME + e.getMessage());
        }
    }
Regards,
Sunny
-
How to Pass a HEX-Value to AdobeLifeCycle (TA:SFP) .
Hello all,
how to pass a HEX-Value to print a BLACK RIGHT-POINTING TRIANGLE?
I want to pass a HEX value to AdobeLifeCycle (TA:SFP).
This is done as following:
*-- Variablen
DATA hex(2) TYPE x.
SET BIT: 01 OF hex TO 0,
02 OF hex TO 0,
03 OF hex TO 1,
04 OF hex TO 0,
05 OF hex TO 0,
06 OF hex TO 1,
07 OF hex TO 0,
08 OF hex TO 1,
09 OF hex TO 1,
10 OF hex TO 0,
11 OF hex TO 1,
12 OF hex TO 1,
13 OF hex TO 1,
14 OF hex TO 0,
15 OF hex TO 1,
16 OF hex TO 0.
The HEX-VALUE is "25BA" from the codepage 4110 = BLACK RIGHT-POINTING TRIANGLE (use TA:SPC to see it).
I set the HEX-VALUE before I call the PDF-OUTPUT:
move hex to ls_frmglobal-hex. " (the field is defined as "RAWSTRING")
Then I call the output:
Now call the generated function module
CALL FUNCTION fm_name
EXPORTING
/1bcdwb/docparams = fp_docparams
frmglobal = ls_frmglobal
frmisu = ls_frmisu
frminf = ls_frminf
connections = connections
t_sums = t_sums
EXCEPTIONS
usage_error = 1
system_error = 2
internal_error = 3
OTHERS = 4.
The result is "25BA" instead of the BLACK RIGHT-POINTING TRIANGLE.
Does anyone have an idea what is going wrong?
I know how to print a triangle in the Designer; the question is how to pass the hex value from a different codepage than the standard codepage which we use.
Thanks and regards
Ibrahim
I am trying to match \xfa which means that match fa as
a hex value.
All I want to know is how to use the RE class to check
for a certain hex value.
Correction:
If the data is numeric, it can be matched using a hex,
or octal representation for the regular
expression. For instance, the numeric value 6 will be
matched with either of the following regexes (hex,
and octal, respectively). Read the API for
the Pattern class if this doesn't make sense.
"\06"
"\006"
(Should have checked first...)