Implementing code security in an untrusted environment

Hi,
Does anybody know how to protect code that is to be run in an untrusted environment from being modified or tampered with? The code could be written in any language, Java or some other language, but the security container is to be implemented in Java.
Thanks.
Adil.

Hi Adil,
Did you get the solution? Let me know if you did, as I am also in the same boat.
bye,
Shaan

Similar Messages

  • Java.security.cert.CertificateException: Untrusted Cert Chain

    Hi all,
    While sending a transaction to our supplier I am facing the error below. Our trading partner has given us a .p7b cert; I converted it to base64 and I am using it in the B2B server. I am doing the same with all the suppliers, but I am facing the issue with only this trading partner. I asked him to send a new trusted certificate, but he said that he has 100s of customers, all using the same certificate.
    Error
    http.sender.timeout=0
    2010.05.20 at 10:52:20:711: Thread-19: B2B - (DEBUG) scheme null userName null realm null
    2010.05.20 at 10:52:22:159: Thread-19: B2B - (WARNING)
    Message Transmission Transport Exception
    Transport Error Code is OTA-HTTP-SEND-1006
    StackTrace oracle.tip.transport.TransportException: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
         at oracle.tip.transport.TransportException.create(TransportException.java:91)
         at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:627)
         at oracle.tip.transport.b2b.B2BTransport.send(B2BTransport.java:311)
         at oracle.tip.adapter.b2b.transport.TransportInterface.send(TransportInterface.java:1034)
         at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1758)
         at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:976)
         at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1167)
         at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:141)
         at oracle.tip.transport.basic.FileSourceMonitor.processMessages(FileSourceMonitor.java:903)
         at oracle.tip.transport.basic.FileSourceMonitor.run(FileSourceMonitor.java:317)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Cert Chain
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
         at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:112)
         at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3018)
         at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2843)
         at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2635)
         at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1107)
         at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:590)
         ... 8 more
    Caused by: java.security.cert.CertificateException: Untrusted Cert Chain
         at oracle.security.pki.ssl.C21.checkClientTrusted(C21)
         at oracle.security.pki.ssl.C21.checkServerTrusted(C21)
         at oracle.security.pki.ssl.C08.checkServerTrusted(C08)
         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
         ... 21 more
    2010.05.20 at 10:52:22:164: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.transport.TransportInterface:send Error in sending message
    2010.05.20 at 10:52:22:168: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab Request Message Transmission failed
    2010.05.20 at 10:52:22:170: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Enter
    2010.05.20 at 10:52:22:173: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Transaction.begin()
    2010.05.20 at 10:52:22:176: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Leave
    2010.05.20 at 10:52:22:179: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain
    2010.05.20 at 10:52:22:226: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.engine.Engine:notifyApp retry value <= 0, so sending exception to IP_IN_QUEUE
    2010.05.20 at 10:52:22:232: Thread-19: B2B - (DEBUG) Engine:notifyApp Enter
    2010.05.20 at 10:52:22:248: Thread-19: B2B - (DEBUG) notifyApp:notifyApp Enqueue the ip exception message:
    <Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <correlationId>543222</correlationId>
    <b2bMessageId>543222</b2bMessageId>
    <errorCode>AIP-50079</errorCode>
    <errorText>Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain</errorText>
    <errorDescription>
    <![CDATA[Machine Info: (usmtnz-sinfwi02)Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain ]]>
    </errorDescription>
    <errorSeverity>2</errorSeverity>
    </Exception>
    2010.05.20 at 10:52:22:298: Thread-19: B2B - (DEBUG) Engine:notifyApp Exit
    2010.05.20 at 10:52:22:301: Thread-19: B2B - (DEBUG) DBContext commit: Enter
    2010.05.20 at 10:52:22:307: Thread-19: B2B - (DEBUG) DBContext commit: Transaction.commit()
    2010.05.20 at 10:52:22:310: Thread-19: B2B - (DEBUG) DBContext commit: Leave
    2010.05.20 at 10:52:22:313: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequest Exit
    2010.05.20 at 10:52:22:317: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.engine.Engine:processOutgoingMessage:
    ***** REQUEST MESSAGE *****
    Exchange Protocol: AS2 Version 1.1
    Transport Protocol: HTTPS
    Unique Message ID: <543222@EMRSNS>
    Trading Partner: ZZEASY_PROD
    Message Signed: RSA
    Payload encrypted: 3DES
    Attachment: None

    Hi CNU,
    "1st they have given me a .p7b certificate"
    Is it a self-signed certificate? If not, then do you have the CA certs as well?
    Open the certificate by double-clicking on it. If the "Issued To" and "Issued By" fields are the same, then it is a self-signed cert and you need to import only this cert (in base64 format) into the wallet.
    If it is not a self-signed cert, then open the certificate and click on the "Certification Path" tab. You should be able to see the issuer's certificate here. Make sure that you have imported all the issuers' certificates along with your TP's cert in the wallet. Moreover, check that all the certs (the TP cert and its issuer certs) are valid in terms of dates. You can see the "Certificate status" in the "Certification Path" tab of the certificate.
    Please provide the certificate chain details here along with the list of certs in the wallet (you may mail it to my id as well - [email protected]).
    Regards,
    Anuj

  • Adf security misbehaving in production environment

    Hi all,
    I am using jdev 11.1.2.2 and weblogic 10.3.6
    I have implemented ADF security form-based authentication in my web application and I have used the SQL authenticator for authentication.
    In my integrated WLS everything works fine, but in the production WLS, when the user accesses a protected page without logging in, it navigates to the protected page instead of navigating him to the login page. In the integrated WLS this happens normally.
    Has anyone faced this issue before ? What can be wrong ?
    I have added my web.xml
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
      <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
        <param-value>false</param-value>
      </context-param>
    <session-config>
        <session-timeout>5</session-timeout>
      </session-config>
      <context-param>
        <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
        <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <param-name>oracle.adf.view.rich.SUPPRESS_IDS</param-name>
        <param-value>auto</param-value>
      </context-param>
      <context-param>
        <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
        <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
        <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
        <param-value>differentOrigin</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_VIEW_MAPPINGS</param-name>
        <param-value>*.jsf;*.xhtml</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_DECORATORS</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
      </context-param>
      <filter>
        <filter-name>JpsFilter</filter-name>
        <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
        <init-param>
          <param-name>enable.anonymous</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>remove.anonymous.role</param-name>
          <param-value>false</param-value>
        </init-param>
      </filter>
      <filter>
        <filter-name>trinidad</filter-name>
        <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
      </filter>
      <filter>
        <filter-name>ADFLibraryFilter</filter-name>
        <filter-class>oracle.adf.library.webapp.LibraryFilter</filter-class>
      </filter>
      <filter>
        <filter-name>adfBindings</filter-name>
        <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>JpsFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>trinidad</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>ADFLibraryFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>adfAuthentication</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <listener>
        <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
      </listener>
      <listener>
        <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
      </listener>
      <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>resources</servlet-name>
        <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>MapProxyServlet</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>adflibResources</servlet-name>
        <servlet-class>oracle.adf.library.webapp.ResourceServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/adf/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/afr/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <url-pattern>/servlet/GraphServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <url-pattern>/servlet/GaugeServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>MapProxyServlet</servlet-name>
        <url-pattern>/mapproxy/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/bi/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>adflibResources</servlet-name>
        <url-pattern>/adflib/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>adfAuthentication</servlet-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </servlet-mapping>
      <mime-mapping>
        <extension>swf</extension>
        <mime-type>application/x-shockwave-flash</mime-type>
      </mime-mapping>
      <mime-mapping>
        <extension>amf</extension>
        <mime-type>application/x-amf</mime-type>
      </mime-mapping>
      <security-constraint>
      <web-resource-collection>
        <web-resource-name>Allowed ADF Resources</web-resource-name>
        <url-pattern>/adf/*</url-pattern>
        <url-pattern>/afr/*</url-pattern>
        <url-pattern>/bi/*</url-pattern>
      </web-resource-collection>
    </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adfAuthentication</web-resource-name>
          <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/faces/login</form-login-page>
          <form-error-page>/faces/login</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>valid-users</role-name>
      </security-role>
    </web-app>
    Thanks,
    Rakesh

    Hi Rakesh,
    Make sure you have migrated the policy store to the production server. When Weblogic Server is running in production mode, automatic credential overwrite is not allowed. From the developer's guide:
    "When the target server is configured for production mode, you typically handle the migration task outside of JDeveloper using tools like Oracle Enterprise Manager. For details about using tools outside of JDeveloper to migrate the policy store to the domain-level in a production environment, see the Oracle Containers for J2EE Security Guide. Note that Oracle WebLogic Server running in production mode does not support the overwriting of system credentials under any circumstances."
    http://docs.oracle.com/cd/E26098_01/web.1112/e16182/adding_security.htm#CDDGFDFH
    HTH,
    Joonas

  • Implementing port security

    I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
    What are the recommended steps? All are connected with users and all ports are already in use.
    - Some ports already have a few MAC addresses in the tables, thus I can't, say, do an across-the-board implementation of "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port.
    - Is there any mechanism that can convert sticky to static, with "switchport port-security mac-address sticky" first, then converting them to static, since the network is OK now?

    The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network equipment, just plugging it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch to not install the option to begin with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP assigned IP address, and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard that should, at a minimum. You can always setup 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically.
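
    The advice in the reply above, gathered into one Catalyst 2960 configuration as an added example (not posted by anyone in the thread). VLAN 10, the uplink GigabitEthernet0/1, the access range FastEthernet0/1 - 24 and the 300-second recovery interval are assumed values; the maximum of 3 is the figure from the question.

```cisco
! Added example. VLAN and interface numbers are assumptions, adjust per switch.

! DHCP snooping: once enabled, every port is untrusted until marked otherwise,
! so DHCP server replies are only accepted on ports explicitly trusted below.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82, second choice from the reply: stop the switch from inserting
! the option into client DHCP packets in the first place.
no ip dhcp snooping information option

! Uplink that leads toward the DHCP server: the only trusted port.
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust

! User-facing ports, configured in one pass instead of port by port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 ! Sticky-learned addresses are written into the running configuration;
 ! save it (copy running-config startup-config) to keep them across a reload.
 switchport port-security mac-address sticky
 ! restrict drops frames from additional MAC addresses and counts the
 ! violation while leaving the port up, which is gentler for ports that
 ! already have several addresses in the table.
 switchport port-security violation restrict
 spanning-tree portfast
 ! A port that receives a BPDU (a user-attached switch) is err-disabled.
 spanning-tree bpduguard enable

! Bring ports disabled by BPDU Guard back automatically after the interval.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Checks after rollout (exec mode):
!   show ip dhcp snooping binding
!   show port-security
!   show errdisable recovery
```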

  • How to implement a security sub-system?

    Hi Everyone,
    I got the following task below from my team leader. I don't know where to start to get the following task done. If you have any idea on how to get the following task done, please give me the steps on how to complete the following task. Or give me some links (websites) which can get me started on getting the following task done. Thanks for your time and help in advance!
    Your next task is depicted in the case scenario as follows:
    Some remote process is able to view a directory listing of the files on the directory and then selects a JSP file to execute. It runs without any enforced permission on the server and the remote process is able to view the output or that the JSP file is executed without the proper caller - a DocIt system process (JSP, Javabean). How can we solve this problem?
    For one thing, the directory listing permissions should only be permitted explicitly by the server "system security/permission objects" (configured by the administrator/root) on win32/Linux. Second, all JSP files must include a security module as part of their code base before even a single line of code is written by the programmer. This ensures that at least the caller is allowed certain permissions to execute the code residing in the JSP file. The granularity of the permissions depends directly on the type of caller. Is it a "user", a "power user", a "system admin", a "pre-defined DocIt system object" (forms subsystem), and so on. We need a powerful yet flexible security system as it is important to register the permitted objects to execute only the rightful code determined by the DocIt system security policy.
    This task is less specific and thus you have more flexibility to provide a solution. Please describe and analyze a security policy to prevent any executable code from running without its proper caller for the case scenario above. Be creative in determining the requirements for identifying the calling object and the code that checks for the proper credentials before permitting execution of the code. Say you have a hierarchy of inheritable permission objects. The code must be able to check that the caller belongs to the set of permission objects. Please use diagrams, case scenarios, and other designs to provide a basis for implementation. After the designs are reviewed alongside any other requirements we will implement this security sub-system in the near future.

    You may also want to look at JAAS. http://java.sun.com/developer/technicalArticles/Security/jaasv2/
    It's probably a tad overkill for some JSP applications, but it would give you an additional layer of protection for documents, i.e., you can control access to actual files based on roles. I say it's a bit of overkill because Tomcat incorporates most of the ideas into their realms.

  • What are the different options for implementing web security?

    Hi,
    Right now I am working on an internet website. We are using JSP for presentation and running Weblogic Application Server. I want to know the different options for implementing website security. One of the options that I am aware of is to use LDAP. But we do not want to go and buy an LDAP Directory Server now. So I would really appreciate it if somebody could let me know my choices here.
    Thanks in advance.

    Hi,
    If you are working on a Windows 2000 platform, the most obvious choice would be Active Directory Server as this is shipped free with Server 2000. It is LDAP compliant, although does have a few differences that set it apart from the other X500 standard based solutions which I will mention in a moment. Details on these differences can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/msdn_activedirvsnds.asp
    Other options are OpenLDAP, an open source implementation of an LDAP server, or iPlanet's Directory Server. If you are initially doing an evaluation, a trial version of the iPlanet software is available and can be downloaded from their site. I found this particularly easy to get to grips with and there is excellent documentation available. There is also an offering from Novell, but I have no experience of this.
    Hope this helps.
    Jon

  • Implementing Function Security in Oracle apps.

    I wanted to restrict certain menus in Payables Manager for a particular user. How should I implement it? Is there any live example of implementing function security in Oracle Apps? Please help.

    Hi,
    One approach is to create a custom menu, attach to it all the menus and functions you want, and then add this menu to a new responsibility. But this is not the best way to solve the issue because you have to define different menus + responsibilities for each different user. The other way is to create roles which can be assigned to users.
    Thanks,
    Bahchevanov.

  • Issue with implementing Object Security in RPD (OBIEE 11g)

    Hello All,
    I am following these steps to implement Object Security, but it doesn't work. Please let me know what I am doing wrong here:
    1. I want to block a few presentation tables for the user 'weblogic'.
    2. I open the RPD in online mode and in the Identity Manager, for the application role 'BIAdministrator', I set up permissions 'no access' to these presentation tables. It asks me to 'Check Out', which I do.
    3. I check in the changes, save the RPD and deploy it back in EM.
    4. I login into OBIEE Answers using 'weblogic' user but alas these presentation tables are still available for me to use.
    I have tried looking for a solution on the internet before posting the solution here. Please don't ask me to read through the security setup guide because I have done that. Any specific answers are most welcome.
    Thanks in advance.

    Try this:
    Double click on the presentation table.
    Go to permissions and then revoke the access to BI Administrators.

  • How to implement the security notes in Java System.

    Hi All,
    For the ABAP systems we use RSECNOTE to implement the security notes, but how do we do that in Java systems?
    Any reference or guidance will be of great help.
    Thanks,
    Akash.

    RSECNOTE is for ABAP only, and I don't think there is any equivalent for Java.
    For Java, the security note will guide you on how to implement it.
    It could be manual changes or via SDM or JSPM.
    Regards,
    Pinkle

  • How to resolve Issues while implement gateway security by using reginfo,secinfo?

    Hi,
    I want to implement gateway security using gw/reg_info, gw/sec_info, gw/reg_no_conn_info.
    So far I have created reginfo and secinfo files to allow all internal traffic and I kept gw/reg_no_conn_info=11, gw/acl_mode=1.
    reginfo
    ======
    #VERSION=2
    P TP=*,HOST=local
    P TP=*,HOST=internal
    P TP=*,HOST=*.abc.com
    With the above setting I believe all the programs within SAP systems (including app servers), and also systems from domain abc.com, can register programs without having any issues.
    secinfo:
    ======
    #VERSION=2
    P TP=* USER=* USER-HOST=local HOST=local
    P TP=* USER=* USER-HOST=internal HOST=internal
    Similarly, as per the secinfo content I believe that all the internal traffic can go without any issue within the SAP system.
    Besides that, I have activated gateway logging to find the rejected connections, if any.
    I have following questions:
    ===================
    1) As the reginfo and secinfo files are maintained, can I remove the gw/acl_mode=1 parameter?
    2) If I want to allow a specific program to register from a 3rd party system, suppose a program called "zram" from system "172.198.10.1", where am I supposed to add it? Do I need to add that IP to secinfo along with reginfo?
    3) When I set parameter gw/reg_no_conn_info=11, converted to binary it equals 00001011.
    What exactly does this mean, given the following definitions from note 1444282?
    1 1298433 Bypassing security in reginfo & secinfo
    2 1434117 Bypassing sec_info without reg_info
    4 1465129 CANCEL registered programs
    8 1473017 Uppercase/lowercase in the files reg_info and sec_info
    Does that mean 8+2+1, satisfying the above 3 lines except condition 4?
    4) I enabled gateway logging; how can I catch rejected connections from third party systems?
    5) From simulation mode I got to know that it will satisfy the reginfo and secinfo restrictions and allow all other traffic. So what is the added advantage of this when activated?
    6) Are there any SAP native tools which help while preparing the reginfo and secinfo files?
    Regards,
    Koteswararao.Davuluri(Koti).

    Hi,
    Here are answers for questions 4 and 5.
    4) I enabled gateway logging, how could I catch rejecting connections from third party systems?
    SMGW->Goto->Expert functions->logging
    In the above path, if you select security->(under that)->Rejected access only, it should show you the connections getting rejected.
    5) For simulation mode you have 2 options. You can activate it directly from the above path. The other option: if you maintain gw/sim_mode = 1, that will make simulation mode permanent. But once all the entries are set in reginfo, you have to disable simulation mode. With secinfo you will not have many problems.
    After doing steps 4 and 5 you can see rejected entries in the gateway log.

  • Three part blog about Reducing the Cost to Implement a Security Plan

    Part 3 of a great blog done by in AlienVault Support who has "heard it all" about the problems SMBs have in implementing a security plan with small budgets. Kenneth offers lots of practical and helpful advice for IT and security practitioners.
    https://www.alienvault.com/blogs/security-essentials/third-step-in-reducing-the-cost-to-implement-a-...
    This topic first appeared in the Spiceworks Community

    hi Elistariel -
    With no texting plan, it is 25 cents per picture message. The LG VX5500 (same phone my daughter has) does not use a memory card, so you can try two different programs on your computer (both free) and see if either one will get the pics off and saved on your computer; from there you can upload to your online album without a per picture charge.
    You can try Verizon's VCast media manager - download and install it on your computer, then use the USB cable to link the phone to the computer and transfer the pics with VCast.
    Here's a link
    A third party program called BitPim will also work, but it's more technical and does a lot more than just transfer your media. It can also brick your phone if you don't know what you are doing, so it's "use at your own risk", as Verizon won't cover any losses due to using BitPim. It does work though--I have used it, very cautiously!

  • Implementing a secure servlet

    Hi all,
    I am stuck on implementing this! My web site is implemented using static HTML pages and hosted on an Apache server. I have a separate application server that runs my dynamic applications. In my web site, I have a contact us form with a simple servlet as its action. Everything works fine and the servlet does its job. But there is a security issue with this. Anybody can access my servlet using the URL. Anybody can view the source of my page, get the servlet URL and spam! I need to make this secure.
    Any thoughts on this issue would be great.
    Thanks and Regards,
    Abdel Olakara
    http://technopaper.blogspot.com

    Olakara wrote:
    Yawmark, your thinking is correct with my context. I am more concerned with the user side and not the bots. I am having a look at Spring but is there any simple way (without using any frameworks?).

    Personally, I think using Spring Security is the simple way, rather than trying to think through and design an effective security model on one's own, only to come up with a poor imitation of an existing framework. :o)
    Security is not a simple subject, and "implementing a secure servlet" is not a simple matter. At least, not to my reckoning.
    ~

  • Implement Code folding

    I know that there are several topics about how to implement code folding, but no one is giving a solution.
    Has anyone some usable and more important useful code snippets?
    My goal is to implement code folding (collapsing) into JTextPane (better way into any JTextComponent), like Eclipse, NetBeans or JEdit does ...
    Thanks for any help ....

    I also want to implement such functionality, but currently I have no clue where to start. Could you post some relevant parts of your code?

  • Re: Java JRE Mixed Code Security starting with JRE 1.6.0_19 and on

    Hi,
    Can you please share how you added 3rd party jars to manifest.mf? I am having the same problem, but I am self-signing 3rd party jars. 3rd party jars are able to upload fine if I don't sign the jars,
    but if I self-sign the jars I get the following exception:
    Exception in thread "Thread-15" java.lang.NoClassDefFoundError: com/l2fprod/common/swing/JDirectoryChooser
         at com.sjm.pcs.sneakernet.applet.ScanApplet$JavaScriptEventListener.run(ScanApplet.java:803)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.ClassNotFoundException: com.l2fprod.common.swing.JDirectoryChooser
         at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
    Thanks!

    What are you missing?
    I inherited this app and signing the third party jars is how it was setup, I was wondering the same thing too, why was it necessary to sign the third party jars?
    The applet runs in either JRE 1.6.0_13 or JRE 1.6.0_27 depending on the other Java apps the user uses. JRE 1.6.0_13 does not have the mixed code security (so it is as if it is disabled), but JRE 1.6.0_27 does have the mixed code security and the applet will not launch with mixed code security enabled, so we have to disable it. With all the hacking going on in the last two years, it is important to improve security; so this is a must.
    Yes, I always clear up the cache.
    Any idea on how to resolve this problem?

  • Implementations of Oracle EBS on virtualized environment

    Dear experts,
    Our company wants to implement Oracle EBS R12 in a virtualized environment.
    Has any one of you ever done such an implementation or worked in such an environment?

    Some virtualization technologies are certified with EBS - please see these MOS Docs
    Certified Oracle Solaris and SPARC Virtualization and Partitioning Technologies for Oracle E-Business Suite [ID 1234632.1]
    Using Oracle VM with Oracle E-Business Suite Release 11i or Release 12 [ID 465915.1]
    Support Position for Oracle Products Running on VMWare Virtualized Environments [ID 249212.1]
    HTH
    Srini
