Identity Asserter is not invoked

Hi,
I am trying to write a custom identity asserter. I deployed the jar file to the mbeantypes directory, added the asserter to the providers list under the realm, and chose the correct token. I followed every step in the document.
But the assertIdentity method is never called. It always goes into
public AppConfigurationEntry getLoginModuleConfiguration() {
and it seems that WLS treats the asserter as an authenticator.
Any clue? At least, how can I debug it? I have no idea what happens behind the scenes.
Your help is very much appreciated.
-Wei

Sorry for the intrusion, but how do you verify the token matches the application user?
In my scenario, I have an MS.NET IIS application running as an "sso partner" application. On another j2ee server, I have deployed a set of web services that expose some custom security methods, as well as retrieve information from the SSO/LDAP repository (the user profile and some other attributes). I don't want the MS app to simply make calls to these services without providing some form of identity information. If they could pass the currently logged in user, that really wouldn't mean much, because they could pass any name. What would validate it?
I don't know how they could pass the username AND password, as that password, I'm assuming, is not accessible as that was posted to the SSO server. I thought about using some of the request headers that the SSO server sets, but I don't know of any APIs that come into play to use these.
Does anyone have any suggestions as to what kind of security might be appropriate for these services?
Thanks a bunch,
Eric
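Wei's provider ends up in getLoginModuleConfiguration() for the reason worked out further down this page (an MBean definition that extends Authenticator instead of IdentityAsserter), and Eric's question of what would validate a passed user name is answered by having the asserter verify a signed ticket rather than trust a bare name. The following is an added example, not the posters' code nor Oracle's sample provider: a hypothetical identity asserter that verifies an HMAC-signed perimeter ticket, where the token type name, the "user|expiry|signature" layout and the secret source are assumptions. The same verification step is where the digest check for a proxy-issued ticket such as the mod_auth_tkt cookie in Prabu's thread below would go.

```java
package example.security.providers.identityassertion;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.*;

/**
 * Hypothetical perimeter identity asserter (example code, not the WLS sample provider).
 * Its MDF must declare Extends="weblogic.management.security.authentication.IdentityAsserter";
 * with Extends="...Authenticator" WLS treats the provider as an authenticator and never calls
 * assertIdentity(). The "user|expiry|base64url(HMAC-SHA256)" ticket layout, the token type
 * name and where the secret comes from are assumptions of this example.
 */
public final class SignedTicketIdentityAsserterProviderImpl
        implements AuthenticationProviderV2, IdentityAsserterV2 {
    public static final String TOKEN_TYPE = "SignedPerimeterToken"; // assumed Active Type name
    private static final String HMAC_ALG = "HmacSHA256";
    private String description;
    private byte[] secret; // shared with whoever mints tickets (SSO proxy, IIS front end)
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        description = mbean.getDescription() + "\n" + mbean.getVersion();
        // Assumption: the secret comes from the environment; a custom MBean attribute works too.
        String s = System.getenv("TICKET_SECRET");
        secret = (s == null ? "placeholder-secret" : s).getBytes(StandardCharsets.UTF_8);
    }
    public String getDescription() { return description; }
    public void shutdown() { }

    // Both LoginModule hooks return null: this provider asserts identity, it does not authenticate.
    public AppConfigurationEntry getLoginModuleConfiguration() { return null; }
    public AppConfigurationEntry getAssertionModuleConfiguration() { return null; }
    public PrincipalValidator getPrincipalValidator() { return null; }
    public IdentityAsserter getIdentityAsserter() { return this; }
    /** WLS hands over the token bytes already base64-decoded (Base64DecodingRequired defaults to true). */
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler ctx)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type) || !(token instanceof byte[])) {
            throw new IdentityAssertionException("unsupported token type or token class: " + type);
        }
        String ticket = new String((byte[]) token, StandardCharsets.UTF_8);
        String user = verifyTicket(ticket, secret, System.currentTimeMillis() / 1000L);
        if (user == null) {
            // Rejecting here is what stops a caller from simply asserting any user name it likes.
            throw new IdentityAssertionException("ticket rejected: malformed, expired or bad signature");
        }
        return new NameOnlyCallbackHandler(user);
    }
    /** Issuer side: "user|expiry|sig", so both halves of the exchange can be exercised together. */
    static String mintTicket(String user, long expirySeconds, byte[] key) {
        String payload = user + "|" + expirySeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(key, payload));
    }

    /** Returns the user name when the ticket is well-formed, unexpired and authentic; otherwise null. */
    static String verifyTicket(String ticket, byte[] key, long nowSeconds) {
        String[] parts = ticket.split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry; byte[] given;
        try {
            expiry = Long.parseLong(parts[1]);
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) { // NumberFormatException is a subclass of it
            return null;
        }
        if (expiry <= nowSeconds) return null;
        // Constant-time comparison, so a forged signature cannot be confirmed byte by byte via timing.
        return MessageDigest.isEqual(hmac(key, parts[0] + "|" + parts[1]), given) ? parts[0] : null;
    }
    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(key, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(HMAC_ALG + " unavailable", e);
        }
    }
    /** Hands WLS only the asserted user name; the realm's authenticators then build the Subject. */
    private static final class NameOnlyCallbackHandler implements CallbackHandler {
        private final String user;
        NameOnlyCallbackHandler(String user) { this.user = user; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) {
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
                ((NameCallback) cb).setName(user);
            }
        }
    }
}
```

A client sends the result of mintTicket() base64-encoded in the header or cookie registered as the provider's Active Type; a ticket with a changed user name, a past expiry or a signature made with another key is rejected before any login module runs.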

Similar Messages

  • OAM Identity Asserter Provider Error:Unable to create the AccessGate entry

    Hi All,
    I have installed Oracle Access Manager and trying to protect an application deployed on weblogic application server.
    I have added the jar oamAuthnProvider in weblogic server lib mbeantypes and configured an OAM Identity Asserter Provider in myrealm. When I restart the weblogic server, I encounter the following error:
    <Error> <> <BEA-000000> <OAMAP-60516:Unable to create the AccessGate entry for identity assertion/authentication.>
    <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException
    : com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException.weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
    When I remove the following section from config.xml, the server starts fine:
    <sec:authentication-provider xmlns:ext="http://www.bea.com/ns/weblogic/90/security/extension" xsi:type="ext:oam-identity-asserterType">
    <n1:name xmlns:n1="http://www.bea.com/ns/weblogic/90/security">OAMID</n1:name>
    <n2:control-flag xmlns:n2="http://www.bea.com/ns/weblogic/90/security">REQUIRED</n2:control-flag>
    <ext:access-gate-name>MYAPP</ext:access-gate-name>
    <ext:primary-access-server>AccessServer</ext:primary-access-server>
    <ext:application-domain>MYDOMAIN.com</ext:application-domain>
    <ext:access-gate-password-encrypted>{AES}P3UIYbQpYupPs=</ext:access-gate-password-encrypted>
    </sec:authentication-provider>
    Has anyone come across this error before? Please suggest a workaround..
    Software versions being used:
    OAM 10.1.4.3
    Weblogic: 10.3.2
    Thanks
    Joe

    I am having the same problem on my WLS 10.3.4 running OSB 11g. I get the following error:
    tuning)'> <<WLS Kernel>> <> <> <1296595010528> <BEA-000000> <OAMAP-60516:Unable to create the AccessGate entry for identity assertion/authentication.>
    ####<Feb 1, 2011 1:16:50 PM PST> <Info> <Security> <WD-OR14P5A5W624> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1296595010528> <BEA-090511> <The following exception has occurred:
    com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    I looked the error number up and it says:
    OAMAP-60516: Unable to create the AccessGate entry for identity assertion/authentication.
    Cause: AccessGate instance creation failed.
    Action: See the Identity Asserter/Authenticator log for details.
    Level: 1
    Type: ERROR
    Impact: Configuration
    This seems to indicate that my identity assertion is incorrect. My OAM authentication provider is pretty simple.
    I am using OPEN transport security so the provider config is pretty simple. I provided an AccessGate pwd, primary and secondary access gate servers and Access Gate name provided by my administrator.
    I'm not sure about what the Application Domain field refers to. Can someone provide guidance on that?

  • V8 SP4 SPNEGO Identity Asserter problem

    I configured my domain to authenticate against AD using the SPNEGO Identity Asserter.
    Two questions.
    1) How do I do authorization? Do I enter the name of an AD group in the webapp's weblogic.xml under Principal-Name? Or use weblogic groups (if so, how do the userids get matched)?
    2) It doesn't work - I get challenged for userid/pwd/domain.
    In debug, I get:
    "Found NTLM token when expecting SPNEGO"
    What can I do about this?
    Some lines from debug...
    <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found NTLM token when expecting SPNEGO>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles subject: Subject: 0
    Resource: type=<url>, application=earspnegodemo, contextPath=/earspnegodemo, uri=/index.jsp, httpMethod=GET>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): input arguments:
         Subject: 0
    Thanks,
    Mike

    The documentation on dev2dev appears to change all the time and without notice. I run Google beta which caches all visited web pages and one of the documents for WL enterprise security has three different versions in my cache each with slightly different implementation instructions.
    Anyway, I have implemented SSO using WL and AD using a third party Spnego identity asserter in the past and I presume the asserter which is now built in to sp4 works in the same way. You need to set up an active directory authenticator to enable weblogic to 'see' the users and roles in the AD domain.
    When you access the protected web application from the client pc (the one in the AD domain) the url used has to contain the SPN name
    eg http://domainname.project.net/test where domainname is the SPN.
    and not http://192.168.7.2:7001/test
    I think this is what triggers IE to send the kerberos ticket during the negotiate step.
    The order of the identity asserters (in the WL console) is important: the SPNEGO one should be first and the AD one should be second, with a value of SUFFICIENT for the control flag.
    I have done all of the above and it still doesn't work but I think that there should be a servlet to handle the kerberos negotiation. A previous version of the WLES documentation does mention a negotiate servlet but has since been removed. I have sent an email to one of the security gurus at BEA, but as I am out of the office all week I don't know if I have a reply.
    I don't know if the above is of any use but I will post more info as I get it.
    Stephen

  • Combine Identity Asserter and Auth hosts filter

    Hi,
    I'd like to incorporate the functionality of an auth hosts filter within my Identity Asserter, so valid hosts can be defined per Extend client rather than for any client.
    In order to achieve this I need access to the client's address within the identity asserter, and I cannot find a way to access it. Is it available anywhere, perhaps via the Service that is passed to assertIdentity?
    If it's not available, I was considering other options, such as storing the address in a ThreadLocal within the auth hosts filter and then retrieving it in the asserter.
    Currently on version 12.1.2.0.1

    In WLS 7.0 you must write an implementation of the weblogic.security.providers.authentication.UserNameMapper interface in order to return a username from the X.509 certificate.
    WLS 8.1 supplies a DefaultUserNameMapper that can be configured when adding the default identity asserter.
    Yesh <[email protected]> wrote:
    Hi Sheri
    You have to configure a "UserNameMapper" class .
    http://e-docs.bea.com/wls/docs70/javadocs/weblogic/security/providers/authentication/UserNameMapper.html
    Hope this helps
    yesh
    Sheri G. wrote:
    I am trying to use the default realm to authenticate a user based on two-way SSL and X.509. I need to know all of the steps to take to do this. I have done the following steps but I receive an Error 401: Unauthorized using:
    1. Added the Audit Default Provider.
    2. Added the Default Identity Asserter and set active types to X.509.
    3. Set up one user, group, and a role.
    4. Added the <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    </login-config> to the web.xml file.
    5. Deployed my application to the server.
    6. Set the policy based on a user's group.
    7. Restarted the server.
    After all this I try to access the page and get the Error 401. I have two-way SSL set up already. Is there anything I am missing? Also, I am using WebLogic 7.0. Are there any known bugs with this? How does the identity asserter know what field to authenticate against (ie CN, C, etc)? I have seen in the demo of 8.1 that you specify which to use. How is this done in WebLogic 7.0?
    Thanks in Advance,
    Sheri

  • Identity Asserter / Token always decoded / WLS 7.0

    Hello,
    I am implementing a perimeter authentication. A user/password is passed as a cookie.
    Cookies are identified with SP1 now as token and passed to the identity asserter.
    The only problem is that the tokens are always base64 decoded by the web-container, out of my control, even if the cookie itself is not base64 encoded.
    Thanks.
    Frank

    Hi Frank
    I just made some tests with WLS 7.0 SP1, an identity asserter and HTTP-Unit-test as client.
    With encoding the cookie it works. Without encoding it doesn't work.
    You're right, the WLS security framework always base64-decodes the cookie value.
    The WLS framework presumes that the cookie value is encoded.
    This is also written in the comment of the sample in SamplePerimeterAtnClient.java:
    // base 64 encode it. The webapp container (that is, internal WLS code) will
    // base 64 decode the token. The decoded string will be passed to the..
    You MUST send a base64-encoded cookie value to WLS 7.0, or wait for a patch.
    Alain

  • My custom identity asserter is ignored - what did I miss?

    Hello -
    My custom identity asserter's assertIdentity method is never called - even though I've verified that the correct token is added to the request header. I am hoping for some guidance as to what I am missing.
    1. I downloaded this sample app which uses ADF security: http://jdevsamples.googlecode.com/files/ADFSecurityWL.zip
    I changed the app to:
    - add a filter to dump request headers to System.out so I could verify that the token is correctly added to the request headers
    - changed the auth-method in web.xml from BASIC to CLIENT-CERT
    2. I also downloaded the sample authentication providers (for WLS 9.1) from here: https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224
    and created a custom identity asserter based on the sample identity asserter provider in the app.
    3. I created an EAR file for the app and an mbean jar for the custom identity assertion provider.
    4. I added the mbean jar to the correct directory under weblogic, restarted weblogic, and created an instance of my provider in the security realm. I also reordered the providers so mine would be first (not sure if that matters). Then I restarted weblogic again. I verified that my provider was in the list of providers and that the chosen "Active Types" included my token type.
    5. I deployed the app EAR file to weblogic.
    6. I created a test program based on the test program in the sample providers download (above) and connected to the deployed app. I verified that the test program added the correct token to the request. My app's filter dumped the headers and I could see the token there.
    7. My custom identity assertion provider has System.out.println calls in the initialize() and assertIdentity() methods. I can see that the initialize() method is called when I start weblogic. However, I never see the assertIdentity() method's calls to System.out.println when I try to reach the app and those calls are the 1st thing in the method.
    8. I am using WebLogic Server version 10.3.3.0
    So, is there some obvious step I missed? (I am new to using WLS so it wouldn't surprise me if I got something really obvious wrong...)
    Thanks for reading my question,
    -- Scott

    Thanks Faisal.
    When I compared my mbean declaration with yours I discovered that I had set the Extends attribute to "weblogic.management.security.authentication.Authenticator" instead of "weblogic.management.security.authentication.IdentityAsserter". Using the correct value fixed my problem.

  • Publisher 11g and Identity Asserter

    How do you integrate publisher 11g with a custom weblogic identity asserter? From what I have been told so far, integration cannot be performed via the publisher administrative interfaces. It must be performed via configuration files on the server. There is no documentation on this subject yet. Has anyone performed the configuration that would be willing to share their experiences and configurations?
    FYI, any attempt to utilize the identity asserter in the default publisher configuration will result in java errors in the server log and a 500 error in the browser.

    Any security configuration must be under certified products so you can be confident they should work 100%. Otherwise any issues you find under NOT certified products may not work and Oracle Support will not be able to help you.
    As you describe it, the configuration you are trying to set is not certified and therefore the issues you find will probably never be resolved.
    References:
    1. Setting Security in BIEE 11g:
    http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/intromartin.htm#CJHFBCBA
    2. List of Certified products for BIEE11g:
    http://www.oracle.com/technetwork/middleware/bi-enterprise-edition/bi-11gr1certmatrix-166168.xls
    (Non Oracle ID and Access Mgmt tab)
    If you configure BI Publisher 11g as Standalone then the list of Security Modes are:
    - Oracle DB
    - Siebel
    - EBusiness Suite
    - BI Publisher
    - LDAP
    - Fusion Middleware
    regards
    Jorge

  • Weblogic identity assertion provider for apache

    I am using apache reverse proxy to handle the user authentication. My work env. is
    a) apache reverse proxy
    b) mod_auth_tkt (single sign on module for apache)
    c) weblogic portal server
    once the user is authenticated against mod_auth_tkt/active directory, apache generates cookie/ticket based on MD5 checksum.
    I need to pass the credentials from apache to weblogic.
    My question is
    a) Can I use any weblogic identity assertion provider which comes with the weblogic server product, or do I have to develop a custom weblogic identity assertion provider? Please advise.
    Thanks
    Prabu

    *1-Can you please double check that your latest version of your web application is deployed ?*
    I have checked the application and can confirm that the correct application is deployed. With the auth-method as just BASIC (no CLIENT-CERT) I see the following behaviour:
    - With a Negotiate Identity Asserter Provider I see both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic
    - Without a Negotiate Identity Asserter Provider I see just WWW-Authenticate: Basic
    *2-I believe there is no intermediary web server (like IIS) between your client and WLS? A third party may add an additional authentication request in the http header. If an intermediary exists, can you please avoid it for your tests.*
    I can confirm that there is no intermediary server between me and Weblogic.
    *3-Can you please check "weblogic.security.enableNegotiate" system parameter value. If it is true can you please set it to false and test your app again ?*
    I have weblogic.security.enableNegotiate set to true. I tried setting it to false and it seems I still see the same behaviour I described above in my answer to question 1.
    *3-Although I'm quite sure that the Negotiate Identity Assertion Provider would not work for your app, can you please remove it and repeat your tests again. If you detect that it's because of the Negotiate Identity Assertion Provider, then you can consider opening a bug request in the Oracle Support system.*
    When I remove the Negotiate Identity Assertion Provider, I no longer see a WWW-Authenticate: Negotiate challenge in the response.
    Edited by: user1992925 on 16/05/2010 17:06

  • OSSO Identity Asserter problem with SecurityServiceRuntimeException

    I'm having issues bringing up a managed 10.3.1 WLS with an OSSO Identity Asserter configured. I have applied the Java Required Files to the domain, and have created an OID Authenticator (login module) and an OSSO Identity Asserter via the admin console in the security realm. I have even tried to apply the JRF to the managed server via the WLST.
    However, when I try to bring up the managed server, the following error appears in the managed server's log file:
    ####<Nov 9, 2009 12:13:41 PM PST> <Error> <Security> <mycomputer.us.oracle.com> <AppServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1257797621586> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    What do I need to do to be able to bring up the managed server? Is there an issue with the JRF version of the OSSO Identity Asserter and, if so, where can I download one that works?

    You need to make sure that you nuke the whole directory that you are specifying to the MBean marker generator. For example, I use the following command to generate the provider jar file.
    java -Dfiles=$PRJROOT/ERModel/classes -DMDF=$PRJROOT/ERModel/classes/MyCustomAuthenticator.xml -DMJF=$PRJROOT/ERModel/custom-auth-provider.jar -DtargetNameSpace=http://xmlns.oracle.com/oracleas/schema/11/adf/sampleapp/weblogic/providers -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker1c
    I need to nuke the directory in the -Dfile option i.e. 'rm -rf $PRJROOT/ERModel/classes/' each time I generate the jar file. If you don't, the jar file generates without any error but you will get a runtime exception.

  • Identity Server Cookie not found

    Hi all.
    I am getting a cookie related error message when trying to access a protected web application;
    sequence :
    When i type in the url of my web application, as obvious, i was redirected to my identity login page.
    I also get the this error message ;) in my amAgent log :
    "2003-07-31 12:22:13.832 Warning 7048:d1168 PolicyAgent: Identity Server Cookie not found"
    To add something to this cookie issue:
    when I get authenticated from my identity server, I was successfully redirected to my web application; but if I invoke any web resource or link, buttons .... - trigger any event, I was thrown way to the login page of the web application - if I login again in my web app, I go to the last page that I was accessing;
    I guess all this funny thing happens because of the cookie, which is missing.
    anyone have an idea, what this cookie is? and what should be done to fix it?
    regards
    Kumar

    Sorry that so many people faced the same or similar issues. I just joined this support a short while ago. If you think any old problem is still critical to you, please repost. We shall try our best to give you assistance. Jerry
    Here are some of tips for debugging Web agent.
    From the AMAgent.properties, are both IIS and AM are in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration-> Platform -> Cookie Domains" , whether cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
    Also check whether the correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties the password will be encrypted and assigned to the property "com.sun.am.policy.am.password".
    Could you also check if the Identity server and the IIS web server are time synchronized. The problem may be that the agent requests policy decisions and the response from the server is timed out due to non-synchronized clocks.
    Don't forget to restart the whole IIS service using internet
    management console after making agent changes.
    Some of the common error codes:
    20: Application authentication failed. This occurs when the Agent cannot successfully authenticate with Identity Server. This is mainly due to an incorrect password for the agent entered during agent installation. Please refer to another faq describing how to change the password.
    7: Policy not found. This error occurs typically if there are no policies defined on Identity Server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent, so policies fetched from Identity Server are instantly flushed by the Agent and refetched over and over again. This can be solved by running rdate or a similar command to synchronize time between the two machines. It is recommended to run an NNTP server to synchronize times between your Identity systems.

  • How to pass back Subject do Client app after authentication via identity assertion

    I have developed an Identity Assertion Provider based on SampleIdentityAsserterProviderImpl provided by BEA.
    It seems that all works fine, but I don't know how to pass back the authenticated Subject to the client application in order to call methods runAs(Subject, PrivilegedAction). I have tried to build the Subject from connection.getInputStream() but when I use a Subject constructed in that way I receive an error:
    java.lang.SecurityException: Invalid Subject: principals=[user, usergroup1, usergroup1]
    Thanks in advance for any suggestions.
    Jerzy Nawrot

    Hi,
    as per the below comment.
    We want to change this and do this dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly(like customers with different languages, client systems etc). This is the 1st part .
    You have to use different scenarios to be set in XCM like (customer specific to language, and client), and that to be passed in
    Where language specifications should maintained in XCM settings only. also to be noted that Product catalog for those should also maintain in that specific language.
    "/init.do?scenario=value2;
    The 2nd part leading this scenario is after the portal user successfully lands into ISA application, if the user needs to go back to the WDP java screen, would the JSP based ISA application be able to navigate back to the original WD Java iView Screen. ? or would it open in a new window ? (probably this can be set to be launched in same window)
    I am not sure, but if you go back to WD from ISA , ISA Session will die.
    Let me know if you have any further queries.
    Regards,
    Devender V
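    The thread above asks how to hand an asserted identity back for runAs(). The following is an added example, not code from the thread, from BEA's sample, or from any product: a minimal identity asserter in the shape of WebLogic's AuthenticationProviderV2 / IdentityAsserterV2 SSPI, plus the caller-side step that obtains the Subject from the security framework. Everything about the token is an assumption made here for illustration: a hypothetical token type "MyToken" whose value is "user:hex(HMAC-SHA256(user))" under a key shared with a trusted front end, a placeholder key, and the class name. The point it shows is twofold: a bare user name is rejected unless its MAC verifies, and the Subject is built by the framework (Authentication.assertIdentity) rather than assembled by hand, because hand-assembled principals lack the realm's principal signatures and are refused as an invalid Subject.

```java
// Added example (not from the thread, BEA's sample, or any product).
// Assumed token format: "user:hex(HMAC-SHA256(user))"; "MyToken" and the key are placeholders.
package example.security;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginException;
import weblogic.management.security.ProviderMBean;
import weblogic.security.Security;
import weblogic.security.service.ContextHandler;
import weblogic.security.services.Authentication;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

public final class HmacIdentityAsserterProviderImpl
        implements AuthenticationProviderV2, IdentityAsserterV2 {

    // Hypothetical token type; must match the type activated for this provider in the console.
    public static final String TOKEN_TYPE = "MyToken";
    // Placeholder only: a real deployment reads the key from provider configuration, never source.
    private static final byte[] SHARED_KEY = "replace-me-placeholder".getBytes(StandardCharsets.UTF_8);

    public void initialize(ProviderMBean mbean, SecurityServices services) { }
    public String getDescription() { return "HMAC token identity asserter (example)"; }
    public void shutdown() { }

    // A pure asserter returns null for both module configurations: a non-null login
    // module configuration makes the framework drive this provider as an authenticator.
    public AppConfigurationEntry getLoginModuleConfiguration() { return null; }
    public AppConfigurationEntry getAssertionModuleConfiguration() { return null; }
    public PrincipalValidator getPrincipalValidator() { return null; }
    public IdentityAsserterV2 getIdentityAsserter() { return this; }

    public CallbackHandler assertIdentity(String type, Object token, ContextHandler ctx)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) throw new IdentityAssertionException("unknown token type " + type);
        String text;
        if (token instanceof byte[]) text = new String((byte[]) token, StandardCharsets.UTF_8);
        else if (token instanceof String) text = (String) token;
        else throw new IdentityAssertionException("unsupported token class");
        int sep = text.lastIndexOf(':');
        if (sep <= 0 || sep == text.length() - 1) throw new IdentityAssertionException("malformed token");
        final String user = text.substring(0, sep);
        byte[] expected = hmacHex(user).getBytes(StandardCharsets.UTF_8);
        byte[] presented = text.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time compare: a name without a valid MAC is not an identity.
        if (!MessageDigest.isEqual(expected, presented)) throw new IdentityAssertionException("bad token MAC");
        // The framework only asks this handler for the user name and builds the Subject itself.
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
            }
        };
    }

    static String hmacHex(String user) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_KEY, "HmacSHA256"));
            StringBuilder sb = new StringBuilder();
            for (byte b : mac.doFinal(user.getBytes(StandardCharsets.UTF_8))) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Caller side: let the framework assert the token and build the Subject. Principals
    // it creates are signed by the realm's PrincipalValidator, which is exactly what a
    // Subject assembled from raw principals lacks ("Invalid Subject").
    public static Object callAs(byte[] token, PrivilegedAction<Object> action) throws LoginException {
        Subject subject = Authentication.assertIdentity(TOKEN_TYPE, token);
        return Security.runAs(subject, action);
    }
}
```

    The asserter never trusts the name inside the token on its own; only a MAC computed under the shared key turns it into an identity, and the only thing the asserter hands back is a NameCallback handler. Everything else (group lookup, principal signing, the Subject itself) is left to the realm's authenticators, which is why the caller goes through Authentication.assertIdentity instead of new Subject().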

  • How to configure ADF application to use OAM Identity Assertion ? web.xml

    We have a web application developed using ADF (Application Development Framework) and deployed on WebCenter 11.1.1.2 (WebLogic 10.3.2).
    OID authentication and OAM identity assertion are configured in WebLogic 10.3.2.
    How do we configure security in the ADF application (web.xml or weblogic.xml) so that it uses OAM identity assertion (already configured as an authentication provider in the WebLogic server)?
    Any pointers or documentation so that the application (developed using ADF) checks for the identity token and verifies it with one of the identity assertion providers.

    John,
    I have to concur. With OAM you don't need this. OAM intercepts the calls and inserts a cookie for WLS to get user information from.
    I strongly advise going through the above-mentioned OFM Security Guide. Especially Chapter 10 tells you in every detail how to implement OAM SSO with WLS (with or without OHS as a proxy).
    Reading this chapter saves you time and turnarounds on this topic...
    --olaf

  • "A technical error during invocation : Could not invoke service reference" Error message while calling a service from BPM

    Hi Experts,
    We are facing an issue while calling an Automated Activity from a BPM process: the process gets suspended and the BPM log says "Process XYZ suspended, A technical error during invocation: Could not invoke service reference name fdhueoegghejietyhsjk6886 Component name ABC". We have already checked the mapped service reference and provider system. We went through the below link, but no help.
    http://wiki.scn.sap.com/wiki/display/TechTSG/Sending+a+message+from+SAP+NetWeaver+BPM+process+to+PI+fails+via+automated+activity?original_fqdn=wiki.sdn.sap.com
    Any pointers or suggestions to fix this issue will be highly appreciated. Thanks in advance.
    Regards,
    Mohit Jaju

    The details/ID in the NWDS Service Reference must exactly match the SOA configuration. Sometimes it's possible you have changed the reference or the group itself and something changed to become mismatched.
    It's possible they don't match, but the SG itself will show green in NWA since the service exists and responds on the target system. Does the ID listed in the error match what is shown in the NWDS project?
    regards, Nick

  • How to fix "Modifying a column with the 'Identity' pattern is not supported"

    When doing Code First Migrations my mobile service always errors in the seed method with: "Modifying a column with the 'Identity' pattern is not supported. Column: 'CreatedAt'. Table: 'CodeFirstDatabaseSchema.Methodology'" for the CreatedAt column. All my models inherit from EntityData.
    // Sample model
    using System;
    using System.Collections.Generic;
    using System.ComponentModel.DataAnnotations;
    using Microsoft.WindowsAzure.Mobile.Service;

    namespace sbp_ctService.Models
    {
        public class Methodology : EntityData
        {
            public Methodology()
            {
                this.Scenarioes = new List<Scenario>();
            }

            public string Id { get; set; }

            [Required]
            [StringLength(50)]
            public string EntryMethod { get; set; }

            [Required]
            [StringLength(50)]
            public string TestDirection { get; set; }

            [Required]
            [StringLength(50)]
            public string PassCriteria { get; set; }

            [Required]
            [StringLength(50)]
            public string Dependency { get; set; }

            public bool ExtraInfo { get; set; }

            public virtual ICollection<Scenario> Scenarioes { get; set; }
        }
    }
    And in my Configuration.cs file during an update here's my seed method:
    protected override void Seed(sbp_ctService.Models.sbp_ctContext context)
    {
        // This method will be called after migrating to the latest version.
        context.Methodologies.AddOrUpdate(
            m => m.Id,
            new Methodology { Id = "Methodology1", EntryMethod = "P/F", PassCriteria = "P/F", Dependency = "None", ExtraInfo = false, TestDirection = "Round" },
            new Methodology { Id = "Methodology2", EntryMethod = "P/F", PassCriteria = "Best", Dependency = "None", ExtraInfo = false, TestDirection = "Round" },
            new Methodology { Id = "Methodology3", EntryMethod = "P/F", PassCriteria = "Best", Dependency = "None", ExtraInfo = false, TestDirection = "In/Out" },
            new Methodology { Id = "Methodology4", EntryMethod = "P/F", PassCriteria = "Best", Dependency = "None", ExtraInfo = false, TestDirection = "Out" }
        );
    }
    For some reason on an update the CreatedAt field is created and given a value of null. So of course on an insert/update it will error because CreatedAt is an Identity field.
    I've tried to configure the modelBuilder in my context to tell it that CreatedAt is an identity field, but that still doesn't work.
    modelBuilder.Entity<Methodology>()
        .Property(m => m.CreatedAt)
        .HasDatabaseGeneratedOption(DatabaseGeneratedOption.Identity);
    So far the only way to fix this is by commenting out my Seed data, but it's not a fix. I've seen other solutions where you can force it to not serialize certain fields, but I don't know if those solutions apply.

    So I think this occurs because you might have created the database (Code-first) with POCOs that didn't have the CreatedAt field in them. I think that's what I did, and the easiest way to fix it for me was to delete my database and re-create it with my POCOs inheriting from EntityData from the very beginning. We were still in development so it worked out for us, but I know some people might not be able to do that. Here's what my table looks like after it was created correctly:
    USE [database_name]
    GO
    /****** Object: Table [sbp_ct].[Methodologies] Script Date: 2/24/2015 9:48:45 PM ******/
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE TABLE [schema_name].[Methodologies] (
        [Id] NVARCHAR (128) NOT NULL,
        [EntryMethod] NVARCHAR (50) NOT NULL,
        [TestDirection] NVARCHAR (50) NOT NULL,
        [PassCriteria] NVARCHAR (50) NOT NULL,
        [Dependency] NVARCHAR (50) NOT NULL,
        [ExtraInfo] BIT NOT NULL,
        [Version] ROWVERSION NOT NULL,
        [CreatedAt] DATETIMEOFFSET (7) NULL,
        [UpdatedAt] DATETIMEOFFSET (7) NULL,
        [Deleted] BIT NOT NULL,
        [Name] NVARCHAR (MAX) NULL
    );
    GO
    CREATE CLUSTERED INDEX [IX_CreatedAt]
        ON [schema_name].[Methodologies]([CreatedAt] ASC);
    GO
    ALTER TABLE [schema_name].[Methodologies]
        ADD CONSTRAINT [PK_schema_name.Methodologies] PRIMARY KEY NONCLUSTERED ([Id] ASC);
    GO
    Does yours look something like that?

  • Error in CodeFirst Seed with migrations : Modifying a column with the 'Identity' pattern is not supported. Column: 'CreatedAt'. Table: 'CodeFirstDatabaseSchema.Category'.

    Hi,
    I have activated migrations on my Azure Mobile Services project. I filled in the new Seed function inside the Configuration.cs class of the migrations. If the tables are empty, the Seed function runs without any problems. When my AddOrUpdate tries to update the first object I get the error in the inner exception: "Modifying a column with the 'Identity' pattern is not supported. Column: 'CreatedAt'. Table: 'CodeFirstDatabaseSchema.Category'."
    Part of my code is as follows:
    context.categories.AddOrUpdate(
        new Category { Id="1", Code="GEN", Text="General"},
        new Category { Id="2", Code="POL", Text="Politics"},
        new Category { Id="3", Code="FAS", Text="Fashion"},
        new Category { Id="4", Code="PEO", Text="People"},
        new Category { Id="5", Code="TEC", Text="Technology"},
        new Category { Id="6", Code="SPO", Text="Sport"},
        new Category { Id="7", Code="LIV", Text="Living"}
    );
    Any help is welcome. Thanks.
    Faical SAID Highwave Creations

    This occurred to me because I changed my POCO models to inherit from EntityData after I had already created my database without the extra Azure Mobile Service properties (UpdatedAt, CreatedAt, Deleted). The only way I fixed it was to drop the database and start over with my classes inheriting from EntityData from the beginning. If you can't do that then I would create a new table with EntityData models and see how that database is created, and manually update your tables to match those. Here's an image of one of my tables from the management console on Azure. You can see that CreatedAt is an index.
