HTTP or LDAP for CRL

Hello
I am setting up a new PKI (in a lab initially) and reading up on the subject.
I see the default location for the CDP is in the Configuration partition in AD and therefore accessed via LDAP://......
I also see others recommending using IIS/HTTP to publish the CRL and CPS.
I can see the advantage of publishing the CPS via HTTP (not sure how you would import a file, e.g. a text file containing the CPS, into AD in any event).
Question 1:
But what are the main advantages/disadvantages of placing the CRL in an IIS site and therefore HTTP?
Question 2:
I can see how the AD-integrated CA would publish the updated CRL to AD as the CA is integrated (e.g. a subordinate issuing CA).
If the CRL is published via IIS/HTTP, will the CA be able to automatically update the CRL via HTTP PUT or something like that (and if so I assume the CA server needs rights to the site and the underlying NTFS folder containing the site's files),
or will I have to manually download the CRL from the CA and publish it to the HTTP site manually (or via script)?
Question 3:
Can I have the CRL published to LDAP and HTTP at the same time? I assume I will then have to update the CA somewhere so that when it issues certificates it states both locations in the CDP information within the certificate?
Any help most appreciated
AAnotherUser__

1) HTTP versus LDAP
The advantages of HTTP over LDAP/AD:
Easy anonymous access - you don't need an AD account or to tweak your AD permissions, so you can serve validating apps on non-domain machines or on machines in other forests.
No replication delays (if you can use a web server in the domain, see 2) and 3)).
Can be used as 'external' and 'internal' URL, using split DNS or by publishing using a reverse proxy.
If you use the same CA for 'external' and 'internal' certificates: you do not disclose information about the structure of your AD forest to external parties.
One advantage of LDAP / AD might be the distributed structure that provides 'fail-over' - but you can use load-balanced web services with HTTP.
2) Automation of publication to an HTTP URL
You cannot use HTTP PUT unless you write your own application for that - but you can simply share the directory the web server uses, give the CA machine account Write permissions, and add a UNC path to the list of CRL publication URLs (file:///\\webserver\share\%3%8%9.crl).
Pre-requisite: the web server needs to be a member of the same or a trusted Windows domain. Otherwise you would need a script that copies or FTPs the CRL.
3) Point of time of CRL publication - LDAP vs. HTTP
If you can use the UNC path as explained before, both this path and the LDAP object will be populated with the new CRL at the same time. Otherwise (web server not in a trusted domain) you would need to run the publication script more often than the CRL is published so that there is not too much lag.
Elke
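The setup Elke describes in 2) and 3), together with the dual LDAP + HTTP CDP asked about in question 3, as an added PowerShell example (not code from the original thread). It runs on the CA with the ADCSAdministration module, uses the documented file:// form of the UNC publication URL, and assumes placeholder names: LAB\CA01$ for the CA's computer account, WEB01 for the IIS host, pki.lab.example for the web name and LAB-CA01-CA for the CA's common name. The %3, %8 and %9 tokens are the CA name, CRL name suffix and delta-CRL suffix that AD CS substitutes when it writes the file.

```powershell
# Added example, not from the original thread. Placeholders for a lab; adjust them.
# Run on the CA as a CA administrator (ADCSAdministration module present).
$caAccount = 'LAB\CA01$'          # CA computer account that will write the CRL file
$caName    = 'LAB-CA01-CA'        # CA common name, i.e. what %3 expands to
$webServer = 'WEB01'              # domain-joined IIS host (prerequisite from the answer)
$siteName  = 'Default Web Site'
$sharePath = 'C:\inetpub\CertEnroll'

# --- 1. Web server side (remote): share + NTFS write for the CA, a virtual directory
#        that serves the share, and request filtering relaxed so delta CRL names
#        containing '+' are not rejected.
Invoke-Command -ComputerName $webServer -ScriptBlock {
    param($acct, $path, $site)
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    New-SmbShare -Name 'CertEnroll' -Path $path -ChangeAccess $acct -ErrorAction SilentlyContinue | Out-Null
    icacls $path /grant "$($acct):(OI)(CI)M" | Out-Null
    Import-Module WebAdministration
    New-WebVirtualDirectory -Site $site -Name 'CertEnroll' -PhysicalPath $path -ErrorAction SilentlyContinue | Out-Null
    & "$env:SystemRoot\System32\inetsrv\appcmd.exe" set config $site `
        /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true | Out-Null
} -ArgumentList $caAccount, $sharePath, $siteName

# --- 2. CA side: CRL publication list. Order matters: the CDP extension lists the
#        URLs in this order and clients try them top-down, so HTTP goes before LDAP.
Import-Module ADCSAdministration
$uncUrl  = "file://\\$webServer\CertEnroll\%3%8%9.crl"
$httpUrl = 'http://pki.lab.example/CertEnroll/%3%8%9.crl'
$ldapUrl = 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'

Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize

# Drop the default ldap/http/file entries, keeping the local CertEnroll folder entry.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(ldap|http|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# UNC: publish-only. A file:// path is never advertised in issued certificates.
Add-CACrlDistributionPoint -Uri $uncUrl  -PublishToServer -PublishDeltaToServer -Force
# HTTP: advertise-only. IIS serves the file the UNC publication just wrote.
Add-CACrlDistributionPoint -Uri $httpUrl -AddToCertificateCdp -AddToFreshestCrl -Force
# LDAP: publish to the Configuration partition and advertise for domain-joined clients.
Add-CACrlDistributionPoint -Uri $ldapUrl -PublishToServer -PublishDeltaToServer `
    -AddToCertificateCdp -AddToFreshestCrl -AddToCrlCdp -Force

Restart-Service -Name certsvc     # CDP changes take effect only after a restart
certutil -crl                     # sign a fresh CRL and push it to every PublishToServer location

# --- 3. Checks before relying on it.
# a) The CRL the web server hands out is the one just signed and inside its validity window.
$fetched = Join-Path $env:TEMP 'fetched.crl'
Invoke-WebRequest -Uri "http://pki.lab.example/CertEnroll/$caName.crl" -OutFile $fetched -UseBasicParsing
certutil -dump $fetched | Select-String 'ThisUpdate|NextUpdate'
# b) Every CDP and AIA URL embedded in an issued certificate is reachable and yields a valid CRL.
certutil -verify -urlfetch .\issued-cert.cer
```

The CA writes to the share with its own machine account, so Write on both the SMB share and the NTFS folder is what makes the UNC publication work; if either is missing, `certutil -crl` reports the failed location and the web copy silently ages toward its NextUpdate, which is what check 3a is there to catch.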

Similar Messages

  • HTTP Parameters for CRL Update

    Hi,
    There is a new parameter in the Identity Server 6.2 in the Certificate Authentication Service called "HTTP Parameters for CRL Update".
    Has anyone used this parameter?
    This is a nice feature that I think should enable the CRL update.
    The question is how it should work?
    Where should it store the CRL?
    How to set the time interval for CRL update?
    Any clues?
    Mario

    Hi,
    Unfortunatelly, triggers are not supported in SAP environment. For more details see SAP Note:
    105047: Support for Oracle functions in the SAP environment
57. Trigger
o  Used implicitly by SAP in the BW environment (/BI0/05*, see Note 449891)
o  Logon Trigger can be used in accordance with Note 712777.
o  Otherwise, it cannot be used
o  You cannot use trigger-based real-time replication either.

  • External LDAP for authentication

    Hi All,
    I want to use external ldap for authentication purpose with Access Manager.
I tried adding this external ldap as a secondary ldap but couldn't succeed.
If I add this ldap in the primary ldap along with the AM's own ldap, this also fails to authenticate users from the external ldap.
    How can I achieve this?
    I read many topics in this forum regarding this but none of them explain how it can be achieved.
    Please suggest.
    Thanks in advance.

    This is what the amconsole log says:
    ERROR: ConsoleServletBase.onUncaughtException
    java.lang.NullPointerException
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
         at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
         at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
         at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
         at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
         at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
         at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
         at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
         at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
         at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
         at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
         at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
         at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
         at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
         at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
         at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
         at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
         at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
         at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
         at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
         at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
         at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

  • Does Weblogic server 9.2 provide support for CRL checking

    Does Weblogic server 9.2 provide support for CRL checking?

    No, but you can create a custom CertPath provider for your own implementation.
    Mike
    Weblogic/J2EE Security Blog: http://monduke.com

  • Secure LDAP for GWIA Address book

    I've setup the GWIA 7.0.3 May 2009 code set and configured for Secure LDAP.
    I'm using the same *.b64 and *.key files we use for all our POA and MTAs.
    I cannot get the Novell LDAP address book to connect to 636.
    Is there a document I can use to help me figure this out.
    I can revert to 389 but that port is not open through the firewall.
    Mike

    POP and IMAP both work on secure port
    >>>
    From: jgrubbs<[email protected]>
    To:novell.support.groupwise.7x.gwia
    Date: 9/9/2009 6:36 PM
    Subject: Re: Secure LDAP for GWIA Address book
    Does POP3 work on the secure port?-- Jeff Grubbs
    Novell Technical Support Engineer II
[email protected]
-------------------------
jgrubbs's Profile: http://forums.novell.com/member.php?userid=41638
View this thread: http://forums.novell.com/showthread.php?t=385674

  • HTTP-to-LDAP Client

Trying to migrate an existing 4.x Directory Server HTTP-to-LDAP client so that it can be used on a newer 5.x directory server.
    Does Sun One Directory Server 5.x have a similar Gateway system like iPlanet 4.x directory server described at http://docs.sun.com/source/816-6681-10/contents.htm. Or can we copy CGI scripts over?

    Hi there,
    Are you sure that you need a specific binary for Solaris 9??
    SunOne Directory Server 5.1x can run both on Solaris 8 and Solaris 9, and the iPlanet Directory Server Resource Kit 5.1 includes the certutil tool. So I guess that it can be used on your case:
    - http://wwws.sun.com/software/download/developer/5175.html
    - http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
    - http://docs.sun.com/source/816-5615-10/index.html
    Hope this would help.
    Cheers / Damien

  • IBM RACF as LDAP for Portal EHP1

    hi,
    we want to use our RACF LDAP for the user authentication for our SAP portal 7.0.
    But the UME in the portal should be used for all roles etc.
    Is this possible and how do we implement this?
    Thank you very much

    Even if you connect your portal to an LDAP server, you store the portal roles in the portal database itself.
    You may choose to assign the portal roles to a portal group, an LDAP group or an LDAP user.
    I don't see IBM RACF in the certified directory servers list from SAP.
    If it is one of the SAP certified directory servers, you can use the delivered data source configuration files to establish the connectivity.
    In your case, select the closest one possible from the delivered datasource configuration files and customize according to your needs.
    Please refer to SAP Note 673824 (section for Certified Directory Servers) for information on the certified directory servers.
    Please see the following links on how to connect your portal to LDAP server.
    http://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=13710
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
    Do you have SAP IDM in place ?
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20a1f8ad-e742-2c10-0e9b-e4e2a21ba96f?QuickLink=index&overridelayout=true
    Thanks,
    Shanti

  • Configure LDAP for UNIX user

    Hi All
I am doing user provisioning from SUN IDM to SUN LDAP. But in LDAP I am storing UNIX users. When you create any user in LDAP for UNIX you have to specify UID, GID and home directory.
I am trying to create the same kind of user in LDAP for UNIX through SUN IDM.
But I am not able to enable the check box for UNIX user in the POSIX user information.
By default this check box is disabled. We have to enable this check box manually if we want to create a user for UNIX in LDAP.
I want to change this check box from disabled to enabled by default.
It is very urgent.
I am not finding any doc or other material related to this.
    thanks
    SAini

    We have so few customers using ADAM now that LDAP to AD is supported I forgot this. However to note: this means managing an entire new directory separate from your multiple AD forests.
    http://technet.microsoft.com/en-us/magazine/2009.04.schema.aspx?pr=blog
    Regards,
    Tim

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
I can ssh into client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8 line.
It is clearly not using the policy from the directory server but checking locally. So I can log in OK using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 with password compatibility in ds6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...

  • PO 7.4: NW BPM: HTTP Error response for SOAP request or invalid content-type.HTTP 200 OK

    Hi Experts
    I am trying to call NW BPM scenario(File to BPM) from PI, and using below adapter config.
    I am getting below error.
    Failed to call the endpoint: Error in call over HTTP: HTTP 200 OK
    SOAP: Call failed: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.; HTTP 200 OK
    SOAP: Error occurred: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.; HTTP 200 OK
    MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.; HTTP 200 OK
    Transmitting the message to endpoint <local> using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.; HTTP 200 OK
    Any idea how to fix this issue?
    Thanks,
    Sandeep Maurya.

    Hi Sandeep,
    Test the URL from your browser and check the proxy settings as well.
    Refer the below links
    SOAP: call failed: java.io.IOException: invalid content type for SOAP: TEXT
    SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: java.net.SocketException: Connection…
    Regards
    Bhargava Krishna

  • HTTP Proxy setting for SOA server

    Hi,
    my intention is to enable SOA Server to connect through HTTP Proxy to external services. This occurred when I am trying to connect to Yahoo Mail Server, via User Messaging Service but it keep throwing connection time out. One of the possible solution is to make the service to connect via the HTTP Proxy server in our network.
    There are no mention of how to setup HTTP Proxy connection for UMS, as well as SOA Server in any documents.
    Please advice or direct me to the relevant solutions.
    Appreciate any help rendered :)
    yee thian

    I have not worked in SoA server, but since it uses weblogic server underlying (I assume), you can try setting the -Dhttp.proxyHost , -Dhttp.proxyPort system properties ( https for secured URL's) to WLS to specify the proxy details. Also the product might not have the capability to pass user credentials for authentication at the proxy. The version of OSB we are using had this problem. To overcome this you might require to add the URL to the proxy free list in your proxy server. This prevents the proxy from prompting for the user name when you access that URL.

  • HTTP SERVICE STOPS FOR NO REASON AND NO ERRORS IN LOGS WIN2K

The HTTP service stops for no reason and we have to stop and restart it to unlock, and then the web server runs again. It appears to be related to the number of concurrent users but we cannot tie it down to any specifics, except that on our NT 4.0 system the service never stops and runs fine. We are running version R1 patch 4 and have gone up to 5 and 7. We are running against a 9i database and using Forms and Reports. We are not using the Forms server in patch 4, just the HTTP service. This is a big problem and we would like an answer if possible.

    Please post your question in the appropriate product forum(s):
    Database
    http://forums.oracle.com/forums/index.jsp?cat=18
    AppServer
    http://forums.oracle.com/forums/index.jsp?cat=13
Forms
Reports

  • SOAP Receiver Error: HTTP Error response for SOAP Request

    Hi gurus,
    I'm facing a weird error in File --> PI 7.31 java only --> soap receiver proxy.
    The other interfaces runs well. just one get the the following error:
    Exception caught by adapter framework: java.io.IOException: Error receiving or parsing request message: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.
    I check the payload and test in the inbound proxy. on error.
    Any hints?
    Thanks a lot!
    regards
    Christine

    Hello Christine,
    I faced the same issue,
    You can use the beans below to overcome the error.
    And charset should be utf-8

  • HTTP Proxy Connection for sharepoint-webservice endpoint in  SMP

    hi all,
I want to consume SharePoint services (SOAP based) through SMP. For that I am creating an HTTP Proxy Connection for the SharePoint web service endpoint in
SMP. I have finished creating the proxy connection without any error, but while testing (with the REST_CLIENT add-on) it shows the following error:
Status Code: 400 <?xml version="1.0" encoding="utf-8"?> <error ><message xml:lang="en">Error occurred while connecting to the Gatewaynull</message> </error>
Can anyone help me....
    Thanks in advance.

    hii Andrew,
    Here are screenshots of proxy connection configuration,
    security configuration:
    Application creation:
    connection white listing :
    Error message in Rest Client:
    Regards,
    SupriyaD

  • How set  UserName and Password for HTTP Basic Authentication for a servlet

Hi..
How do I set the username and password for HTTP Basic Authentication for a servlet in JBoss server?
Using Tomcat I can do it (by setting roles in web.xml, and user credentials in tomcat-users.xml).
But I don't know how to do it in JBoss..
I am using the NetBeans and Eclipse IDEs.. Can we do it using them as well?
Thank u

    Hi Raj,
    You can do this by creating a Login screen for the users and check the authentication of each user in PAI i.e. PROCESS AFTER INPUT.
    Store the user information in a database table and check the username and password when the user enters it.
    You can display password as *** also. For this double click on input box designed for password and goto Display tab. Select Invisible in the list and check it.
      CASE sy-ucomm.
        WHEN 'BACK'.
          LEAVE PROGRAM.
        WHEN <fcode for submit>.
          SELECT SINGLE uname pwd
           FROM <DB table>
           INTO (user, pass)
           WHERE username = user AND
                   password = passwd.
          IF sy-subrc = 0.
    <Go to next screen for further processing>
          ELSE.
    <Display Error message and exit>
          ENDIF.
      ENDCASE.
    Regards,
    Amit
    Message was edited by:
            Amit Kumar
