Implementing password policie using Role and CoS

Similar Messages

• Hashing of the password field using MD5 and then store in the XML

  Hi,
  I need to design a form with User ID and a Password field. When i extract the XML from the form i need to hash the password field using MD5 and then store it. Does anyone have some kind of experience in doint it. Can you please suggest some way to do it.
  Thanks,
  Sayoni.

  Hi,
  To hash password you can use function from http://kevin.vanzonneveld.net/techblog/article/javascript_equivalent_for_phps_md5/ or try to find another implementation. Just call this function on some event like button click for example.
  Also I made some example. See attach.
  BR,
  Paul Butenko

• I tried to implement photo albums using iweb and got a publishing error.

  I tried to implement photo albums using iweb and got a publishing error. All was fine with my site until I added the photo album page. The software doesnt say what the error is exactly, only that it is a publishing error to my ftp
  Exact message "There was an error communicating with the FTP server. Try again later, or check with your service provider."
  If I reduce the albums inside to 1 then it seems to work but that takes away from the usefullness of multiple albums.
  my iWeb version is 3.0.4 (601)

  Publish your site to a folder on your hard drive to see if the publication will proceed successfully and open the site locally with your browser to confirm all of the alums are there and work.  If they do try the following:
  delete the iWeb preference files, com.apple.iWeb.plist and com.apple.iWeb.plist.lockfile, that resides in your Home() /Library/Preferences folder.
  go to your Home()/Library/Caches/com.apple.iWeb folder and delete its contents.
  Click to view full size
  launch iWeb and try again.
  If you're still not able to publish from iWeb to your server download and use the free  Cyberduck to upload your website files to the server. Users have found that CD has been successful when iWeb had problems.
  OT

• Use roles and/or cos for delegated administration?

  I am using iDS 5.1 SP1. I want managers of departments to be able to modify certain attributes of people in their department. I am aware of the userdnattr aci keyword but I read in the 5.1 admin manual that it is being deprecated.
  Here is our current set up. We have an ou=people and an ou=departments. People are in ou=people and their entries have an attribute that denotes their department membership by a department code. The departments are in ou=departments with an entry for each department listing basic information like name, address, telephone, and the department code. They could contain other attributes like mamanger to make a roles and/or cos mechanism for delegated admin work. So fee free to suggest anything. The departments are there merely for lookup purposes now and are not connected to the people entries.
  The main issue I cannot grasp is how to easily enable managers to modify entries in their respective departments. I could add managers to the department entries and based on the department code in the department entry somehow match that to a department code in a people entry? I am thinking there is a cool way to do this with roles and/or cos, but can't figure out how and what aci to create.
  Also if there is an easy way to do this with groups let me know.

  I am using iDS 5.1 SP1. I want managers of
  departments to be able to modify certain attributes
  of people in their department. I am aware of the
  userdnattr aci keyword but I read in the 5.1 admin
  manual that it is being deprecated.The new "userattr" ACI keyword should be used instead. It does everything that userdnattr did and much more.

• How to implement password policies in BI 11g?

  Hi Folks,
  Can someone point me to a doc that shows how to set up password policies in BI 11g? I'm talking about things like enforcing password expiration, enforcing complex passwords etc., things like that. I understand that now in 11g, users need to be set up via the Weblogic console, but I don't see it in there, and I'm not sure where to go from there.
  Thanks very much,
  -Adam vonNieda

  Hi Adam,
  Is this what you are looking for;
  http://download.oracle.com/docs/cd/E21764_01/apirefs.1111/e13952/taskhelp/security/ConfigurePasswordValidationProviders.html
  Cheers,
  Daan Bakboord
  http://obibb.wordpress.com

• Fault Policies using retry and java hadler

  Hi,
  I am using fault policies to handle a remote and binding faults.Whenever i get a fault i want to retry for 5 times and then call a java handler, which will insert the error into queue.
  I have written the fault policies and java handler.But the problem is for each retry it is going to Java handler and pushing the message to queue.
  Here is my Fault policies file.
  <?xml version="1.0" encoding="UTF-8"?>
  <faultPolicies xmlns="http://schemas.oracle.com/bpel/faultpolicy"
  xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <faultPolicy version="2.0.1" id="FaultHandling-faultpolicy">
  <Conditions>
  <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
  name="bpelx:remoteFault">
  <condition>
  <action ref="ora-retry"/>
  </condition>
  </faultName>
  <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
  name="bpelx:bindingFault">
  <condition>
  <action ref="ora-retry"/>
  </condition>
  </faultName>
  <faultName xmlns:bpelx="http://schemas.xmlsoap.org/ws/2003/03/business-process/"
  name="bpws:selectionFailure">
  <condition>
  <action ref="ora-retry"/>
  </condition>
  </faultName>
  </Conditions>
  <Actions>
  <Action id="ora-terminate">
  <abort/>
  </Action>
  <Action id="ora-replay-scope">
  <replayScope/>
  </Action>
  <Action id="ora-retry">
  <retry>
  <retryCount>7</retryCount>
  <retryInterval>2</retryInterval>
  <retryFailureAction ref="ora-java"/>
  </retry>
  </Action>
  <Action id="ora-java">
  <javaAction className="faultpolicies.MyFaultHandler"
  defaultAction="ora-human-intervention"
  propertySet="customLogProps">
  </javaAction>
  </Action>
  <Action id="ora-rethrow-fault">
  <rethrowFault/>
  </Action>
  <Action id="ora-human-intervention">
  <humanIntervention/>
  </Action>
  </Actions>
  </faultPolicy>
  </faultPolicies>
  Pls guide me what should be done..
  Thanks.

  There is no point in retry on binding fault, rather you can raise it as exception and catch it in sepcific catch block or catch all will handle it.
  Ideally this particular instance will be faulted and if required you can customize to send a mail with fault string to developer or support person or dba
  This type of fault need human intervension to fix this code or it could be data issue.
  - It is considered good etiquette to reward answerers with points (as "helpful" - 5 pts - or "correct" - 10pts).
  Thanks,
  Vijay

• Assignment of custom password policies

  In the documentation is well described how to assign a custom password policy using Roles and CoS. This technique is fairly flexible and can be applied to a number of situations. I have the fear that this is very costly in terms of performance.
  Are there simpler ways to assign a password policy to all objects in a container?
  Thank you,
  Jo

  We just did this same thing in one of our instances and have not seen any CPU usage increase, but it's a very small instance (only about 10,000 entries.
  We just applied the password policy to all objects in the ou using the following template & COS
  # Template user for Class of Service
  dn: cn=AgencyTemplate,ou=agencies,o=company
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: ldapsubentry
  cosPriority: 1
  passwordPolicySubentry: cn=Agency Password Policy,o=company
  cn: AgencyTemplate
  # The COS to apply the policy to all agency users (ou=agencies,o=company)
  dn: cn=AgcyPwdPol_cosDefinition,ou=agencies,o=company
  objectClass: top
  objectClass: LDAPsubentry
  objectClass: cosSuperDefinition
  objectClass: cosPointerDefinition
  costemplatedn: cn=AgencyTemplate,ou=agencies,o=company
  cosAttribute: passwordPolicySubentry operational
  cn: AgcyPwdPol_cosDefinition

• OSB Authentication using username and password (plaintext or digest)

  Hi,
  I want to implement a simple osb authentication using username/password (plain text or digest) , so that client required to provide username password token in soap header (message Level security) to access our webservices. I have read some of articles which shows how to create custom ws policy, but received following error during deployment.
  weblogic.wsee.ws.init.WsDeploymentException: The WebLogic Server 9.x-style policy is not supported in JAX-WS web services
  Please note - I can not install OWSM as part of my requirement
  =======
  <?xml version="1.0"?>
  <!-- WS-SecurityPolicy -->
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
  <!-- Identity Assertion -->
  <wssp:Identity>
  <wssp:SupportedTokens>
  <!-- Use UsernameToken for authentication -->
  <wssp:SecurityToken IncludeInMessage="true"
  TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
  <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
  </wssp:SecurityToken>
  </wssp:SupportedTokens>
  </wssp:Identity>
  </wsp:Policy>

  You can use the default Auth.xml WS policy in OSB and be able implement the authentication using username and plain text password.
  Just assign the Auth.xml on the Request Policies of the Proxy Service (under Policies).
  Then use any user credentials that has access to the domain for testing.
  If you want to restrict access for each operation then in the Security tab, under Message Access Control, specify a Role.
  Then in the OSB > Security Configuration, create the appropriate role with the specific role conditions like User is User1 or User is User2 etc ...
  Hope this helps.
  Thanks,
  Patrick

• Invoking password policies within a RequestValidator

  Hello gurus. I am looking for an API, or whatever, to match a user-supplied password against a password policy created via Design Console.
  My goal is to implement a password-consistency check at request level, so that a user is immediately notified if the supplied password does not meet the minimum security criteria for the target resource.
  This is my reference scenario:
  - a user creates a self-provision request for a target resource
  - the users fills the Request Dataset form in and submits the request. One of the Dataset fields contains the password for the account which will be created.
  - the supplied password is checked against resource's password policies
  - if the check is successful, the request is created an filed in for approval
  - otherwise, the user gets a "INVALID PASSWORD" pop-up error message and can make his/her correction immediately
  OIM implements password policies at process form level, i.e. after the request is submitted and approved, which is too late. What I'd love to do is to leverage that existing code by invoking OIM's password policies at request level, within a RequestValidator plugin. Is that possibile? What class/method would I have to call to verify a password against an existing policy?
  Thanks in advance,
  Patri

  Well, good news and bad news.
  Good News
  I was able to implement a RequestDataValidator that performed password validation at the object/account level using the tcPasswordUtilities.checkProcessPasswordUserID method.
  Bad News
  Our password policies all have history rules (i.e can't be one of last x passwords). In addition to validating the object/account password, the tcPasswordUtilities.checkProcessPasswordUserID also updates the password history table (PWH) with the validated password. Since we're doing this validation as part of the request process (RequestDataValidator), the new password will already be in the history table when the actual process form update is performed. Since the process form update will also validate the password, it will always fail because the password is already in the history table because of our request validator's check!
  Back to the drawing board...

• Configuring roles and users (adf security) application context wise.

  Dear All,
  I referred this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with database schema but at domain level which will be common to all applications in that domain. I want to make it different to each application. (i.e each application will use differene database schema for storing user credientials i.e enterprise roles,application roles and users.)
  Can any one please point me to proper way..
  Regards,
  Santosh
  jdev 11.1.1.2.0

  Dear Frank,
  <i>
  Instead you have a single identity management system and have the application policies being different for the applications.Using ADF Security, users and groups can have different privileges in different applications
  </i>
  suppose i have 3 applications that use adf security, the users will be common to all applications. right..?Roles and group can be different for applications.
  application polices means roles and group..?
  So how it(application polices) can be made different for applications? is it inbuilt or some configurations needed ?. Can you point me to some blogs or tutorials for more reference.
  Bet: Incase i hook up adf security with database schema.
  Regards,
  Santosh.

• Using Coherence and Oracle Database as the CacheStore

  We are working on implementing a solution using Coherence and Oracle Database as the CacheStore. We initially implemented the Cache as a distributed-scheme which in turn uses the backing-map-scheme. We are trying to introduce transaction management and I used a scheme-ref in a transactional-scheme to point to an already existing distributed-scheme. However when I bring up the server, my custom coherence-cache-config.xml file is not recognized and Coherence comes up with the default setting. Given below is the snippet of my configuration file.
  1)     I would like to understand why the below configuration doesn’t work and am I doing it the right way? If not, what is the correct way of doing it?
  2)     There are a multiple transaction management options given in the documentation. Which are the ones that will work with a distributed-scheme and read-write-backing-map-scheme?
  3)     If transactional-schemes cannot work with distributed-scheme, what is the best way to have a distributed cache with a oracle database as a cache store?
  <caching-scheme-mapping>
  <cache-mapping>
  <cache-name>id<cache-name>
  <scheme-name>example-transactional<scheme-name>
  </cache-mapping>
  </caching-scheme-mapping>
  <caching-schemes>
  <transactional-scheme>
  <scheme-name>example-transactional</scheme-name>
  <scheme-ref>distributedcustomcache</scheme-ref>
  <thread-count>10</thread-count>
  </transactional-scheme>
  <distributed-scheme>
  <scheme-name>distributedcustomcache</scheme-name>
  <service-name>DistributedCache</service-name>
  <backing-map-scheme>
  <read-write-backing-map-scheme>
  <internal-cache-scheme>
  <local-scheme>
  <!--scheme-ref>categories-eviction</scheme-ref-->
  <scheme-name>inMemory</scheme-name>
  </local-scheme>
  </internal-cache-scheme>
  <cachestore-scheme>
  <class-scheme>
  <class-name>spring-bean:coherenceCacheStore</class-name>
  <init-params>
  <init-param>
  <param-name>setEntityName</param-name>
  <param-value>{cache-name}</param-value>
  </init-param>
  </init-params>
  </class-scheme>
  </cachestore-scheme>
  <!--refresh-ahead-factor>0.5</refresh-ahead-factor-->
  </read-write-backing-map-scheme>
  </backing-map-scheme>
  <autostart>true</autostart>
  </distributed-scheme>

  Hi,
  If you look at the documentation for transactional-scheme here: http://docs.oracle.com/cd/E24290_01/coh.371/e22837/appendix_cacheconfig.htm#BHCIABHA
  you will see that it says The transactional-scheme element defines a transactional cache, which is a specialized distributed cache. That means that a transactional-scheme is already a distributed-scheme.
  You will see from the same documentation above that there is no way in a transactional-scheme to configure things like cache-stores or listeners or even the backing-map-scheme as these are not supported on a transactional-scheme - so you cannot use a cache store.
  Personally I would not use transactional-scheme unless you have some really big reason to do so - the restrictions far outweigh any perceived advantage of having a transaction. There are better ways to build applications so they do not require transactions, that is what we have been doing for years with Coherence so far, and there is no real reason to change that.
  JK

• Error in reconcilation Function - Job "Reconcile roles and privileges"

  SAP NW 7.0 SP2 Patch 3
  Roles contain Privileges
  Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
  Job imported as described.
  When I let the job run on the ID-Store, for each entry, the following error message occurs:
  runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
  org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
  ...where MSKEY is, of course, the MSKEY of the entry.
  If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
  "!ERROR: Invalid use of Null"
  Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigend to the role, as it should.
  So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
  Has anyone better experiences with the Job?
  Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

  The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
  When you did your select statement did you use SELECT DISTINCT.  That will also cause errors.  I do not narrow the entry type to MX_PERSON.
  I'm installing the patch now;  I will see if I get any errors.

• Comparison of number of bytes transferred over network while using HTTPService and RemoteObjects

  If I have to transfer data(say records of 100 employees in a DB) from Server to Client, I could use HTTPService and fetch the data as an XML file and then convert it to ArrayCollection in the Client. Or use RemoteObject and transfer the data in binary. Lets ignore other methods(Web Services etc) of data transfer for the moment.
  Now, for the same data, if I implement the application using HTTPService and RemoteObject, I notice that the number of bytes transferred over the network is less in case of HTTPService(XML) when compared to RemoteObject(AMF) which is a shock to me. My understanding is that AMF transfer should be more compact than XML. Ofcourse, once the data is available, RemoteObject result processing is noticeably faster than HTTPService result processing. My concern is why data transferred using AMF is larger than XML. As an example, you may refer to the samples provided in TourDeFlex. Refer to the following:
  HTTPService:
      Found in : Flex Data Access->HTTPService->BasicExample
      Link: http://www.adobe.com/devnet-archive/flex/tourdeflex/web/#docIndex=0;illustIndex=0;sampleId =12700
      Click on the 'Get Data' button to fetch the data.
      Bytes transferred - 1050
  RemoteObject:
      Found in : Flex Data Access->RemoteObject->BasicJavaRemoting
      Link: http://www.adobe.com/devnet-archive/flex/tourdeflex/web/#docIndex=0;illustIndex=0;sampleId =13300
      Click on the 'Get Data' button to fetch the data.
      Bytes transferred - 1440
  This is a significant size difference. You may see the data transfer size by using developer tools like the HTTPFox Firefox extension.
  Am I missing something here? Any help will be very much appreciated.
  Thanks,
  Balu

  There is definitely problem with your tool or you looked at something else. Please check the attached snapshots of the session using charles capture tool. The response sizes are way bigger than what you mentioned but remoteobjects is almost half of httpservice for the complete transfer including request and response. Check below -
  httpservice -
  http://tinypic.com/view.php?pic=2q2le2e&s=7
  amf -
  http://tinypic.com/r/10wmx4o/7

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• SPam prevention in java mail using CAPTCHA and Obfuscation

  im using struts,     
  i want to implement spam prevention using CAPTCHA and Obfuscation for
  DOS or DDOS attack or unsolicited submissions through jsp forms submitted?
  Suggest me some ideas or implementations for this
  Thanks
  Rajesh

  Hi,
  Setting up GMail as IMAP will allow you to view your Spam folder. IMAP is the newer way of accessing mail so that would be the preferred way to go. IMAP enables you to keep everything in synch across multiple email clients.
  The following link gives you more information on how to set things up and frequently asked questions:
  http://mail.google.com/support/bin/answer.py?ctx=gmail&hl=en&answer=75725
  Good luck!