Identity service XPath extension ids:getGroupProperty returns empty

Similar Messages

• Xslt copy-of creates a xml which returns empty while trying to access elements using XPATH

  Hi
  I am trying to do a copy-of function using the XSLT in jdev. This is what I do
      <xsl:param name="appdataDO"/>
      <xsl:template match="/">
      <ns1:applicationData>
        <ns1:applicationId>
          <xsl:value-of select="$appdataDO/ns1:applicationData/ns1:applicationId"/>
        </ns1:applicationId>
        <xsl:copy-of select="/fslo:ExternalapplicationData/fslo:ApplicationsHDRAddInfo">
        </xsl:copy-of>
      </ns1:applicationData>
      </xsl:template>
      </xsl:stylesheet>
  After this I can see the document created in the process flow as this :
      <ns1:applicationData>
      <ns1:applicationId>MMMM</ns1:applicationId>
      <ns2:ApplicationsHDRAddInfo>
      <ns3:genericFromBasePrimitive>iuoui</ns3:genericFromBasePrimitive>
      <ns4:EstimatedMarketValue>77</ns4:EstimatedMarketValue>
      <ns4:PropertyInsuranceFee>jih</ns4:PropertyInsuranceFee>
      <ns4:LoanOriginationFee>hjh</ns4:LoanOriginationFee>
      <ns4:RegistrarFee>kkkkk</ns4:RegistrarFee>
      <ns4:LoanCashInFee>hjh</ns4:LoanCashInFee>
      <ns4:LoanPaidInCashFlag>cddffgd</ns4:LoanPaidInCashFlag>
      </ns2:ApplicationsHDRAddInfo>
      </ns1:applicationData>
  But whenever I am trying to extract any of the output nodes I am getting an empty result. I can copy the whole dataset into similar kind of variable.
  But I am unable to get individual elements using XPATH.
  I tried using exslt function for node set and xslt 2.0 without avail.
  The namespaces might be the culprit here . The test method in the jdev is able to output a result but at runtime the xpath returns empty .
  I have created another transform where I try to copy data from the precious dataobject to a simple string in another data object .
  This is the test sample source xml for the transform created by jdev while testing with all namespaces, where I try to copy the data in a simple string in another data object.
      <applicationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/bpmpa/fs/ulo/types file:/C:/JDeveloper/NewAPP/Xfrm/xsd/ApplicationData.xsd" xmlns="http://xmlns.oracle.com/bpmpa/fs/ulo/types">
         <applicationId>applicationId289</applicationId>
         <ApplicationsHDRAddInfo>
            <genericFromBasePrimitive xmlns="http://xmlns.oracle.com/bpm/pa/extn/types/BasePrimitive">genericFromBasePrimitive290</genericFromBasePrimitive>
            <EstimatedMarketValue xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">291</EstimatedMarketValue>
            <PropertyInsuranceFee xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">PropertyInsuranceFee292</PropertyInsuranceFee>
            <LoanOriginationFee xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">LoanOriginationFee293</LoanOriginationFee>
            <RegistrarFee xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">RegistrarFee294</RegistrarFee>
            <LoanCashInFee xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">LoanCashInFee295</LoanCashInFee>
            <LoanPaidInCashFlag xmlns="http://xmlns.oracle.com/bpm/pa/extn/headerCategories/">LoanPaidInCashFlag296</LoanPaidInCashFlag>
         </ApplicationsHDRAddInfo>
      </applicationData>
  And the xslt
      <xsl:template match="/">
          <ns1:DefaultOutput>
            <ns1:attribute1>
              <xsl:value-of select="/fslo:applicationData/fslo:ApplicationsHDRAddInfo/custom:LoanOriginationFee"/>
            </ns1:attribute1>
          </ns1:DefaultOutput>
        </xsl:template>
  This results in a empty attribute1. Any help will be appreciated .

  Please delete attributeFormDefault="qualified" elementFormDefault="qualified" from your XSD
  Please check the next link:
  http://www.oraclefromguatemala.com.gt/?p=34

• Jar-file for XPath extension functions

  Hi all,
  can anyone tell me which jar-file contains the class for the following xpath extension function / method:
  oracle.tip.pc.services.functions.Xpath20.currentDate
  I need this for an ant xsl validation which runs without JDev.
  Thanks in advance, Ingo

  When you go to :
  <ORACLE_HOME>/bpel/system/config
  you will find the file : xpath-functions.xml
  In this file you will see :
      <function id="getCurrentDate" arity="0">
          <classname>com.collaxa.cube.xml.xpath.functions.datetime.GetCurrentDateFunction</classname>
          <comment>
          <![CDATA[This function returns current date as string.
          <p/>
          The signature of this function is <i>ora:getCurrentDate('format'?)</i>.  The argument (optional) specifies a string formatted accoding to java.text.SimpleDateFormat format.]]>
          </comment>
          <property id="namespace-uri">
              <value>http://schemas.oracle.com/xpath/extension</value>
              <comment>Namespace URI for this function</comment>
          </property>
          <property id="namespace-prefix">
              <value>ora</value>
              <comment>Namespace prefix for this function</comment>
          </property>
      </function>This classname can be found in the orabpel.jar
  sorry..wrong function..
  Message was edited by:
  Eric Elzinga (IT-Eye)

• Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
  Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 
  Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
  Remember to use the rating system to let Nicolas know if you have received an adequate response.
  Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi.
  1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :
  -You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then.
  -Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again
  -Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
  2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
  By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.
  It therefore does not affect non-Apple device to have the feature enabled.
  The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.
  3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
  => This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ...
  If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.
  I cannot comment on your auth policies as I do not know them :-)
  Regards,
  Nicolas

• Identity service

  Hello, I created a new portal (ALI 6.0 SP1) on a new server and restored data from our production DB to it. It now works - except for Identity Services 6.2. I did the install of it on the server. It was working fine until I changed the remote server from the production(LIVE) server name to the new one (TEST).
  Now when I try to sync it it gives me this error from the job log: Jul 4, 2008 4:44:28 PM- *** Job Operation #2 failed: An exception has occurred: com.plumtree.server.marshalers.PTException: -2147201112 - SOAP call failed, an internal error occured on the remote server. Web Service='Active Directory PWS', SOAP Action='urn:plumtree-com:ProfileSourceProvider.Initialize', URL='http://actportalv1.eub.gov.ab.ca:8098/adpws/ProfileProviderSoapBinding.asmx'. The remote server returned: <?xml version="1.0" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Server Unavailable </title> </head> <body>
  Server Application Unavailable
  The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.
  Administrator Note: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.
  </body> </html> . Current operation state: (282610) The web logs just shows: 2008-07-04 22:48:34 W3SVC1869053956 TEST 10.44.0.18 GET /adpws/ProfileProviderSoapBinding.asmx - 8098 - 10.44.0.18 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) - - TEST.com:8098 500 0 0 1056 360 15 When I try to access the profile souce it gives me a big error. When I try to create a new one - same thing. So I cannot create a new one. I assume something is wrong with the IIS setting - yet it is set upt he same as in our LIVE environment? What am I missing? Help? Thanks, V

  I find a solution here:
  http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
  I am currently using weblogic's defaultAuthentication to test BPM 11g.
  I do not know if this approach works in production environment.

• Issue in setting custom identity service for soa 11.1.1.4

  Hello,
  I am facing issue in setting custom identity service for soa 11.1.1.4
  It is not picking up the implemented UserManager (in custom IDM) implemented via ServiceProvider and IdentityStoreService.
  This is configured in jps-config.xml
  The same setup was working in soa 11.1.1.2
  I believe there is a change done in JpsProvider in bpm-service.jar to authenticate via default login context from oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule
  If my uderstanding is correct,
  Please guide me in implementing custom identity store and services for bpm services for soa 11.1.1.4
  Tried various work arounds but no luck.
  Thanks
  Bala

  Hi...
  Can u tell me how did u set up custom identity service for 11.1.1.2 ?
  Thanks

• Custom Identity Service configuration in SOA Suite 11g

  Has anyone been successfull in using custom identity service (available in 10.1.3.X) as a identity store in soa suite 11g human workflow component? If yes, please guide me.

  Can you make sure your helloworld is using adf bindings as mentioned in thread Re: Urgent :: 11g Invoking Composite from Java/From Webservice Proxy

• Microsoft Exchange Server 2013 Cumulative Update 7 Setup - Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error - Set-SharedConfigDC

  What am I trying to do?
  I have tried installing Microsoft Exchange Server 2013 Cumulative Update 7 Setup on a fresh install of Windows Server 2012 R2 but it gets stuck when running the setup exe on Step 8 of 14 “Mailbox Transport Service” I have included full
  error logs at the bottom of the page but the basics are in order it will throw which loop around are:
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  Exchange is currently running in the envirmonet on 2010 Sp3 I am installing 2013 CU7 fresh so I can migrate the databases over.
  What am I running?
  2 X DC on domain and forest functional level 2008R2 both writable
  1 X fresh install of Windows 2012 R2 which is domain joined
  What have I tried?
  Checked Ipv6 is enabled on all DC NICS and Existing Exchange Servers
  Rebooted every server
  Run setup as Administrator
  My account is part of the domain Enterprise Admin group
  Tried adding "Exchange Server" or "Exchange Enterprise Servers" to the group policy and doing the relevant gpupdate /force and reboot :
  Computer Configuration Windows Settings
  Security Settings + Local Policies
  User Rights Assignment Mange auditing and security log
  Turned off firewall on DC and Exchange Server even stopped the service
  Turned off all AV on the DC and Exchange Server
  Checked I could telnet to global catalog servers on port 3268 which I can
  Checked the global catalog records existed in DNS which they all do
  Done the obvious ping tests all round which confirms connectivity
  Schema has been prepared using appropriate commands before running the setup exe
  setup.exe /PrepareSchema /IacceptExchangeServerLicenseTerms
  Making sure the following path has full permissions:
  EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  Restarted Microsoft Exchange Active Directory Topology service
  DcDiag all looks good
  What have I noticed that is suspicious?
  Microsoft Exchange Transport service will not start even though both of its dependences services have started:
  Microsoft Filtering Management Service
  Microsoft Exchange Active Directory Topology Service
  It will eventually error with
  “Windows could not start the Microsoft Exchange Transport Service on local computer
  Error 1053: This Service did not respond to the start of control request in a timely fashion”
  This error is from the GUI wizard itself:
  Error:
  The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
  " was run: "System.Exception: Unable to set shared config DC.
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
  at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
  at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
  at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  Exchange logs which have been written:
  **The error will loop around for 8 minutes on trying to set-sharedconfig DC whatever this is trying to do ??
  [01/20/2015 17:13:20.0084] [2] Active Directory session settings for 'Set-SharedConfigDC' are: View Entire Forest: 'True', Configuration Domain Controller:mydomain.com', Preferred Global Catalog: 'mydomain.com', Preferred Domain Controllers:
  '{ mydomain.com}'
  [01/20/2015 17:13:20.0084] [2] User specified parameters: 
  -DomainController:mydomain.com' -ErrorVariable:'setSharedCDCErrors' -ErrorAction:'SilentlyContinue'
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] An error ocurred while setting shared config DC. Error: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details
  No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Waiting 30 seconds before attempting again.
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0195] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0288] [1] The following 1 error(s) occurred during task execution:
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
  [01/20/2015 17:13:50.0288] [1] [ERROR] The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
          " was run: "System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  [01/20/2015 17:13:50.0288] [1] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] [ERROR-REFERENCE] Id=AllADRolesCommonServiceControl___ee47ab1c06fb47919398e2e95ed99c6c Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  [01/20/2015 17:13:50.0288] [1] Setup is stopping now because of one or more critical errors.
  [01/20/2015 17:13:50.0288] [1] Finished executing component tasks.
  [01/20/2015 17:13:50.0304] [1] Ending processing Install-BridgeheadRole
  Windows Event Viewer:
  Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5276) Forest mydomain.com. Exchange Active Directory Provider couldn't find minimal required number of suitable Global Catalog servers
  in either the local site 'Default-First-Site' or the following sites:

  Hi apl228,
  1. Please make sure the IPv6 is enabled.
  2. Please make sure the account that install Exchange server has Administrator permission.
  3. Please make sure DNS has been configured correctly.
  Thanks
  Mavis Huang
  TechNet Community Support

• Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

  With Eric Yu and Todd Pula 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
  Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
  Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
  Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.   
  Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
  Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
  Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Antonio,
  Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
  On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
  On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attemp to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
  Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
  For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
  As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iterration of ISE.
  Related Info:
  Wireless BYOD for FlexConnect Deployment Guide

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Integration of custom identity services with JDeveloper BPEL designer

  Hi,
  I'd like to know if a custom user repository plugin will cause the 'Identity Lookup Dialog' (Step 6 of Human Workflow Wizard to generate a user task) to utilize the list of users and groups from a third party provider, when used as the Custom Identity Service provider.
  I'd like to have the custom list of users and groups at 'design time' of the BPEL process itself, as well as process runtime. Is this possible?
  This is with respect to both BPEL PM v10.2.0.2 and v 10.1.3.1.0.
  Regards,
  Vineet

  ok, thank you for the reply.
  But the installation of the Oracle BPEL Process Manger for Developers which includes the JDeveloper and the BPEL Designer doesn't come with 10.1.3.1.0?
  I have to install the JDeveloper and the BPEL Process Manager seperate?
  Thx

• EntryProcessor invokeAll returning empty ConverterMap{}

  Hi All,
  I am trying to write a custom entryprocessor and whatever I return from the invokeAll method in the entryprocessor, I am always getting a empty ConverterMap{}. The code for the entryprocessor is as below:
  public class CustomEP implements PortableObject, EntryProcessor {
       public CustomEP (){
  public Map processAll(Set entries) {
            Map results=new HashMap ();
  results.put ("1", "1");
  System.out.println("Inside process All method");
            return results;
  public Object process(Entry arg0) {
            Map results=new HashMap ();
  results.put ("1", "1");
  System.out.println("Inside process method");
            return results;
  The client code to invoke this entryprocessor is as below:
  Map results=cache.invokeAll(AlwaysFilter.INSTANCE, new CustomEP());
  The processAll method on the Coherence nodes is invoked but if the print the results on the client side it return empty ConverterMap{}
  On the other hand, if I invoke process method of CustomEP as below:
  Map results=(Map) cache.invoke(AlwaysFilter.INSTANCE, new CustomEP());
  I get the desired results. Please help me with the details why it is happening this way when the return type of the processAll is a Map.
  Thanks a lot!
  Regards,
  S

  911767 wrote:
  Hi Robert and JK,
  Thank you for your reply and time!
  I could not find these details in any of the documentation that specifies keys passed in the result should be subset of the keys passed to the processAll method. Anyways, my problem is to invoke server-side code (avoid de-serialization) by passing a filter and then create a entirely new map (key and value will be different from the entries extracted from the passed filter) by reading the data from the passed entries. How can I implement it?
  I am thinking to use aggregator as they are read-only and faster but again how to implement it using:
  public Object aggregate(Set entries){
  Again, I am getting an empty Map so is it necessary that the object returned should have keys matching the set of the entries passed to this method.
  Secondly, there are other methods such as, finalizeResult() and init() if I extend AbstractAggregator, do I need to implement them and if yes, how? The entries set passed to the aggregate() method may not reside on the same node.
  Please advise!
  Regards,
  SHi S,
  the process() return value object, or the entry value objects in the map returned by processAll() can be arbitrary objects. So you just return a map from process(), and return a map as the entry value in the result map from processAll().
  The AbstractAggregator has a fairly badly documented contract in the Javadoc (does not properly cover the values received in different scenarios for invocation). You should probably read the section about it in the Coherence book, that explains leveraging AbstractAggregator in significantly more details. It also happens to be in the sample chapter, but I recommend reading the entire book.
  I am not sure about the issues relating to posting links to PDFs on Packt's webpage, so I won't do that. Please go to Packt's webpage (http://www.packtpub.com ), look for the Coherence book there and download the sample chapter (or order the book).
  In short, all 3 to-be-implemented methods (init(), process(), finalizeResult()) in AbstractAggregator are called both on the server and on the caller side. You can distinguish which side you are on from looking at both the passed in fFinal boolean parameter and the m_fParallel attribute tof the aggregator instance.
  There are 3 cases:
  - non-parallel aggregation processing extracted values (m_fParallel is false, I don't remember what fFinal is in this case),
  - parallel aggregation storage side processing extracted values (if I correctly remember, m_fParallel is true, fFinal is false),
  - parallel aggregation caller side processing parallel results (m_fParallel and fFinal are both true).
  Depending on which side you are on, the process method takes different object types (on server side it receievs the extracted value, on caller side it receives a parallel result object instance).
  You SHOULD NOT override any of the other methods (e.g. aggregate() which you mentioned).
  The advantage of this approach is that the AbstractAggregator subclass instance can pass itself off as a parallel-aggregator instance.
  You should put together a temporary result in a member attribute of the AbstractAggregator subclass, which also means that it will likely not be thread-safe, but at the moment it is not necessary for it to be thread-safe either as it is called only on a single-thread.
  Best regards,
  Robert
  Edited by: robvarga on Feb 3, 2012 10:38 AM

• [Urget Help] [BPEL 11g] How to use Database 11g as Identity Service source?

  Dear all,
  My customer is using BPEL 11g for current project. They have a legacy user database (Oracle DB 11g) which store all accounts info.
  Now we want to connect BPEL with this database as identity service and pick up the users and groups as approver. I saw following graph from below link, but I don't know how to implement it. It seems a huge change in BPEL 11g.
  Can you give me an idea on it? Any suggestions are welcome.
  http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10224/bp_workflow.htm#BABEIHDD
  Thanks in advance.

  repost

• Application deployed on Oracle Java Cloud Service - SaaS Extension is not connecting with cloud database.

  Hello Experts,
  I have deployed an ADF application on Oracle Java Cloud Service - SaaS Extension and also deployed database objects from local environment to cloud using JDeveloper. I can see the cloud database has tables and data which I have deployed but when I access the application it seems it is not able to connect with cloud database.
  I have followed below document and same sample application (HRSystem). 
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JDeveloperPart1/jdeveloperPart1.html
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JDeveloperPart2/jdeveloperPart2.html
  Please guide me what can be the issue.
  Regards
  Gulam Dyer

  Hi,
  Can you give us more details about your issue? Any error messages?
  Thanks,
  Bogdan

• Applescript: file.open("r") returns empty in jsx

  Hey guys,
  i am having a bit of a scripting problem here. The big goal for me at the moment is creating a UI script to control aerender.
  To achieve getting feedback from the terminal about when an aerender process is completed, i let the terminal trigger an applescript running a jsx inside after effects (since the terminal can't run a jsx inside after effects itself).
  However, this particular script needs to eval the contents of a text file that is outputted during the render process (its just a log file put into a fixed location). No matter what i do: I can't get a proper response from the script. Here is what should happen when a render is done:
  function RenderEnd () {
  var report = new File ("Macintosh HD/Users/macname/generallog.txt");
  report.open("r");
  var reportstring = report.read();
  report.close();
  var reportendindex = reportstring.indexOf("Total Time Elapsed:");
  var reportcloseindex = reportstring.indexOf("aerender version");
  var reportendstring = reportstring.substring(reportendindex, [reportcloseindex]);
  var regex = /Finished composition/gi, result, indices = [];
  while ( (result = regex.exec(reportstring)) ) {
      indices.push(result.index);
  var ItemStringArray = new Array ();
  for(var i=0; i<indices.length; i++){
      ItemStringArray.push("Finished Item " + (i+1) + ": " + reportstring.substring(indices[i]-32, [indices[i]-2]));
  var AlertString = "Rendering done." + "\r" + reportendstring + "\r" + ItemStringArray.toString().replace(",","\r");
  alert(AlertString);
  RenderEnd ();
  Running this script by itself properly returns an alert containing a message "Rendering done." plus additional info about the render time and item completion.
  But whenever i have the following applescript triggering the above jsx script...
  set scriptfile to (POSIX file ("/Applications/Adobe After Effects CS5.5/Scripts/AERenderEndTrigger.jsx"))
  tell application "Adobe After Effects CS5.5"
    DoScriptFile scriptfile
  end tell
  ...the line report.open("r") just returns empty.
  Same goes when i place the jsx in the startup folder and just call the function RenderEnd () via applescript. It's as if the file open/read stuff does not work when using applescript.
  Does anybody have an idea about this or knows the reason for why this obviously wrong behaviour happens? Maybe someone knows a different approach of how to get feedback from a completed aerender process back into a UI script.

  Ok, i finally found the issue:
  Applescript apparently does not recognize file paths beginning with a drive designation:
  When i change the file path part of the report file from
  var report = new File ("Macintosh HD/Users/macname/generallog.txt");
  to simply
  var report = new File ("/Users/macname/generallog.txt");
  everything works as it should.
  It's still a bit weird and i don't understand this. Maybe someone can explain this to me, please?