Iplanet 6.0 Security

Hi,
Are there any security configuration recommendations or guides for iplanet/netscape enterprise/sun one 6.0?
I've done the basics: chmod 0600 admpw, removed the default /servlet and /manual, run in chroot, removed the default index/banner/launch.html, disabled following of symbolic links.
Anything else I should be aware of? Thanks.

Depends a lot on what you're trying to accomplish.
Don't leave the Admin Server running when not in use. Restrict the install (and config dirs) to only be readable by the UID that the server is running as. Control access to your log files. chroot your CGIs (if used) as well as set a different UID for them to run as. Run the entire server in a chrooted environment. Set the TempDirectory (magnus.conf) to something other than /tmp/[stuff].

Similar Messages

  • Crawling iplanet portal server secured content.

    Hi, All,
    I am new to the iPlanet Portal Server. I am trying to come up with a solution for crawling
    the secured content with a valid user name and password. What is the
    authentication mechanism by which iPlanet Portal Server keeps the user's session?
    Is iPlanet Portal Server using a cookie to store the session id or passing it
    back and forth as a parameter? Where can I find more information about this?
    Any response is appreciated!
    Hao Huang

    Currently there is no testing tool available as part of the product.

  • Help Needed regarding JSESSIONID!!

    I have read somewhere that the JSESSIONID cookie which is set by the web server (e.g. iPlanet) is not Secure.
    Is that true?
    If yes, is there any way that we could set it as secure?
    Our application cookie can be made secure, but how about the application server cookie?
    Any Help would be Appreciated..

    Yes, it's true, but there are several things you need to take into account.
    There is a notion of a secure cookie. This means that the cookie will not be sent unless the connection to the server is a secure one.
    "If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers."
    -- from http://wp.netscape.com/newsref/std/cookie_spec.html
    So in that sense, the cookie is not secure.
    However, this is just a function of the protocol that defines what cookies are. Actual security comes from using SSL (HTTPS). Anything you send between browser and server is not secure if you are using plain HTTP. If you use SSL, the data is secure. So if you only provide an SSL connection for your web application, then the session ID cookie security is covered.
    Of course, if you are using your own cookies for your application and setting them to be secure, then you would be using SSL already. The cookies aren't going to go to a different server anyway.

  • Cfmail w/attachments issues

    Hi there,
    I have a basic html form where the user can add attachments.
    The action form uses cfmail to send an email to an address with the
    form contents as well as the attachment. However, I am having
    issues with this part and am at a loss. Do I need to do an upload
    first, or a MIME attachment? Any help would be appreciated. Thanks in
    advance.
    My cfmail code looks like this:
    <cfoutput>
    <cfmail to="[email protected]"
    from="a test person"
    subject="Request for yada yada">
    Name: #form.name#
    Article: #form.text#
    <cfmailparam file="#form.file1#">
    (If I actually put in /tmp/test.txt, which is a file on the drive I am mapped to, then
    the cfmail works and delivers, but this doesn't help me for other
    people and their attachments)
    </cfmail>
    </cfoutput>
    This never goes to the email address.. instead it goes to
    undeliverable with this log. (p.s. I use my actual email address
    for the 'to')
    body: Name: test
    body: Article: t3est
    body: Files:
    /engines/coldfusionmx7/runtime/servers/coldfusion/SERVER-INF/temp/wwwroot-tmp/neotmp40024.tmp
    file:
    /engines/coldfusionmx7/runtime/servers/coldfusion/SERVER-INF/temp/wwwroot-tmp/neotmp40024.tmp
    file-type: application/octet-stream; name=neotmp40024.tmp
    file-disposition: attachment

    quote:
    Originally posted by:
    Gnatflea
    Thanks for the reply. I decided to try a cffile upload for
    the file, but got an error message that time (the .tmp file name
    is not the name of the file I attempted to attach). I really want
    to use the first option you gave and I thought I had done this
    correctly.
    The form field
    "/engines/coldfusionmx7/runtime/servers/coldfusion/SERVER-INF/temp/wwwroot-tmp/neotmp40092.tmp"
    did not contain a file.
    The error occurred in
    /engines/iplanet/v6.0/docs/intranet/exchange_action.cfm: line 12
    10 : #form.file1#
    11 : <cffile action = "upload"
    12 : fileField = "#form.file1#"
    13 : destination = "/logs/iplanet/docs/eol/secure/exchange/"
    14 : accept = "image/gif,application/msword">
    Things to check:
    1. Does your form tag include enctype="multipart/form-data"?
    If these suggestions don't work please post all of your code.
    Edit: Removed incorrect suggestion related to file
    path

  • IPlanet vs. Weblogic security

    Hi,
    I've recently joined a project where security is paramount. We are very
    concerned about access to personal data from unauthorized external sources
    and also from rogue developers and/or support staff.
    The proposed architecture is as follows:
    An external public accessible web server (iPlanet WebServer 4) connects
    through a firewall to an internal web server (iPlanet WebServer 4) which
    connects to a Unix hosted Sybase database via JDBC. All business logic is
    contained within Servlets and support classes running on the internal
    server.
    A high percentage of the database is encrypted/decrypted using a key that is
    hardware generated/controlled.
    All communications with browser clients are via SSL.
    The guy who designed the system has said that there is a SSL weakness in the
    public webserver side i.e. the browser establishes a SSL connection with the
    external server, which then establishes a second SSL connection across the
    firewall with the internal server.
    The problem seems to be that the webserver must decrypt data from the first
    SSL connection before encrypting it for the second SSL connection. While the
    data is decrypted it is exposed in memory on a public server to potential
    hackers.
    Is this a specific problem with iPlanet or a problem common to all
    external/firewall/internal webservers??
    Have Weblogic any solutions??
    I would really appreciate any comments or references about this.
    A second concern is unauthorized access to the database from support staff.
    Although the data is encrypted, a programmer could spoof the hardware device
    for the key.
    Have Weblogic any comments or solutions?
    Another concern (which maybe more appropriate in a different forum) is the
    concentration of business logic in the Servlets and support classes. I
    believe that this approach was taken to improve performance. At what point
    should EJBs be used to encapsulate some of the servlet business logic? Are
    there any guidelines?
    Many thanks
    Ray

    r> The problem seems to be that the webserver must decrypt data from
    r> the first SSL connection before encrypting it for the second SSL
    r> connection. While the data is decrypted it is exposed in memory on
    r> a public server to potential hackers.
    r> Is this a specific problem with iPlanet or a problem common to all
    r> external/firewall/internal webservers??
    This is common to all web servers on all platforms. You can only
    really avoid it by passing the SSL connection straight through to the
    back end box without decrypting it, but that makes the existence of
    the box in the middle pointless.
    r> A second concern is unauthorized access to the database from
    r> support staff. Although the data is encrypted, a programmer could
    r> spoof the hardware device for the key.
    Eh?

  • Setting secure cookie in iPlanet

    Hi All,
    I would like to set the JSESSIONID cookie as Secure. I read the product documentation for iPlanet Web Server 6.0 and it suggests using session-cookie in web-apps.xml. I tried modifying the file as follows and restarted the server:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
         "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
    <vs>
    <session-cookie is-secure="true"/>
    </vs>
    Unfortunately, it doesn't work; the JSESSIONID is still not a Secure cookie. Does anyone have a solution for this? Thanks in advance.
    -Wallace

    I do face the same problem. Please let me know as well.
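An added example (not from any of the posts) that checks both sides of the problem raised in the JSESSIONID thread earlier on this page and in the web-apps.xml thread above: does web-apps.xml carry `<session-cookie is-secure="true"/>`, and do the Set-Cookie headers the server actually returns carry the Secure attribute on JSESSIONID? The function names and the sample Set-Cookie values are constructed; only the standard library is used.

```python
import xml.etree.ElementTree as ET

# The fragment posted above, reproduced as the configuration under test.
WEBAPPS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
 "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<session-cookie is-secure="true"/>
</vs>
"""

# Constructed Set-Cookie header values (not captured from a real server).
WEAK_HEADERS = ["JSESSIONID=c0nstructed5e55i0n; Path=/", "lang=en; Path=/"]
GOOD_HEADERS = ["JSESSIONID=c0nstructed5e55i0n; Path=/; Secure"]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def session_cookie_findings(set_cookie_headers, cookie_name="JSESSIONID"):
    """Findings for the session cookie across all Set-Cookie headers of one response."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if attrs.get("secure") is not True:
            findings.append(f"{cookie_name} issued without the Secure attribute")
    if not seen:
        findings.append(f"no {cookie_name} cookie in this response")
    return findings


def webapps_xml_requests_secure(xml_text):
    """True if web-apps.xml contains <session-cookie is-secure="true"/>.

    ElementTree does not fetch the external DTD named in the DOCTYPE.
    """
    root = ET.fromstring(xml_text)
    return any(el.get("is-secure", "").lower() == "true"
               for el in root.iter("session-cookie"))


def check_deployment(xml_text, set_cookie_headers):
    """Compare what the configuration asks for with what the server sent."""
    findings = session_cookie_findings(set_cookie_headers)
    wants_secure = webapps_xml_requests_secure(xml_text)
    if wants_secure and any("without the Secure" in f for f in findings):
        findings.append('web-apps.xml sets is-secure="true" but the response did not honour it')
    if not wants_secure:
        findings.append("web-apps.xml does not request a secure session cookie")
    return findings
```

As the earlier answer notes, the attribute only helps when the application is reachable over SSL alone; this check tells you whether the flag is present, not whether plain HTTP is still open.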

  • Does iPlanet Portal Server support ipsec (IP Security Protocol)

    IPSec operates at the operating system level, not the application level. Solaris 8 supports IPSec, so you can use IPSec to set up tunnels between the gateway and the profile server to secure the connection.
    Does this answer your question?
    Kent

  • After I upgraded iPlanet Web Server to 4.18 on AIX 4.3.3, I encountered "losing secure instance's error/access log suddenly" very often.

    I have to restart the instance in order to recreate these log files. This secure instance has error log rotation at midnight. Can anyone help me out? Please advise. Thanks.
    Bruce

    Hi,
    What is the result of the command emctl start dbconsole ?
    What is the value of the EMD_URL parameter in your emd.properties file ?
    Cheers

  • How can I access the username and password entered into an https IPlanet login so that it may be passed to an LDAP to obtain additional security classification information for that user?

    Have you tried simply using the REMOTE_USER environment variable which is accessible via CGI by the following:
    $customer = $ENV{"REMOTE_USER"};
    Once you have that (which will correspond to the uid attribute in your LDAP server) you can do a query for the other things. The password should not be required to look up other info since you know at this point that they are already authenticated.

  • Re: [iPlanet-JATO] onBeforeRequest(); Finding requested view from requestContext

    The problem is that you don't know what the target view is until it has
    been forwarded to.
    Think about it... the request handling view bean (or command object) has
    the request handler that has the code that will ultimately forward to
    another view bean. This is code that you have written. So, until that
    forwardTo() is invoked, there is no notion of a "target page".
    What you do know is which "page" (view bean) the request is coming from
    (the handling view bean or command class). You can get this from the
    HttpServletRequest. The attribute name is "viewBean".
    So you can get the view bean name by doing the following in onBeforeRequest:
    <HttpServletRequest>.getAttribute("viewBean");
    But I suspect this is not going to solve your current issue.
    You could add the target page name to the page session. If there is more
    than one possible target page, it might get a little more involved.
    Let me know if the use of page session needs further explanation.
    c
    nickmalthus wrote:
    I am implementing a custom security model since the standard J2EE
    security model does not allow me access to the users password, which I
    need to log into a third party application. I have overridden the
    onBeforeRequest() method to check to see if the user is logged in, and
    if not, forward to the Login ViewBean. However, I need to determine
    what page/viewbean the request is attempting to access so I can let it
    pass through if it is accessing the Login viewbean and to forward to
    the requested view once the user is logged in. What is the best way to
    do this? I see no obvious utility in the javadocs.
    TIA
    For more information about JATO, including download information, please visit:
    http://developer.iplanet.com/tech/appserver/framework/index.jsp

    I guess what I am thinking about doing is capturing the requested URL,
    i.e. /appname/modulename/RequestName, in onBeforeRequest(). I
    would then check to see if the user is logged in, and if not, set the
    URL in the session(or page session of the Login bean) and forward to
    the Login viewbean using the viewbean manager. Inside the login view
    in the handleSubmit() method I would authenticate the user and then
    get the URL out of the session (or pagesession). I would then
    magically get the ViewBean/Command object for the URL or otherwise
    "forward the request" as if the user had typed in
    /appname/modulename/RequestName, which is the behavior I am trying to
    achieve.
    It turns out I cannot forward in the onBeforeRequest() as it will
    output the viewbean and then continue to process the request which in
    turn tries to do a RequestDispatcher().forward after data has been
    written to the stream which does not bode well with the servlet
    container. Thus, it appears I have no control of the request in the
    onBeforeRequest() method. Is this correct?
    In light of this new observation I am now going to create a base view
    class that all views will extend from and override the
    onSecurityCheck() method to forward to my login bean. If I can't find
    any other way, I will get the URL from the page session and do a
    response.sendRedirect() to the URL.
    Thanks for the help!
    --- In iPlanet-JATO@y..., "Craig V. Conover" <craig.conover@s...> wrote:
    The problem is that you don't know what the target view is until it has
    been forwarded to.
    Think about it... the request handling view bean (or command object) has
    the request handler that has the code that will ultimately forward to
    another view bean. This is code that you have written. So, until that
    forwardTo() is invoked, there is no notion of a "target page".
    What you do know is which "page" (view bean) the request is coming from
    (the handling view bean or command class). You can get this from the
    HttpServletRequest. The attribute name is "viewBean".
    So you can get the view bean name by doing the following in onBeforeRequest:
    <HttpServletRequest>.getAttribute("viewBean");
    But I suspect this is not going to solve your current issue.
    You could add the target page name to the page session. If there is more
    than one possible target page, it might get a little more involved.
    Let me know if the use of page session needs further explanation.
    c

  • Re: [iPlanet-JATO] Re: onSecurityCheckFailedEvent & & onSessionTimeoutEvent

    My mistake. Thanks for the clarification, Craig.
    Todd
    ----- Original Message -----
    From: "Craig V. Conover" <craig.conover@s...>
    Sent: Friday, January 04, 2002 11:14 AM
    Subject: Re: [iPlanet-JATO] Re: onSecurityCheckFailedEvent & &
    onSessionTimeoutEvent
    Alex,
    In addition to Todd saying that the ND security object "is nothing more than a
    sessionable object...", remember that the security object did nothing more than
    retrieve the user profile from some persistent store: a database or a third party
    API. So the security object was just a very specialized model (a data object in ND
    terms, of course), although it need not be a model, it could just be an arbitrary
    Java class, whatever works best.
    Once the security object was triggered to perform a user profile lookup, the
    profile was stored in an instance of CSpUserProfile and kept in the user's
    session. The project object was then the object that was responsible for checking
    the user profile for privileges, previous pages, and db logins and such. As Todd
    explained, the ViewBean API now does the security check (as opposed to JATO's
    module servlet, or ND's project object), so extending ViewBeanBase and overriding
    securityCheck is a convenient way to mimic ND's security hooks. You could even
    override a method or event in the module servlet to do a lookup if you want a
    greater parallel to ND, but this is unnecessary. Either way, the security check
    is performed before the "page" is "loaded".
    c
    Todd Fast wrote:
    Agreed. This is partly why we have never added such a feature to JATO
    (though we've talked about it many many times), because it seemed too
    prescriptive and possibly at odds with the other solutions people favor.
    We're still on the fence. We want to add it, but feel it'll take a fair
    bit
    of design to do properly and extensibly.
    However, realize that the ND security object is nothing more than a
    sessionable object with slots for username, password, and privileges. This
    is almost trivially easy to replicate on your own, with a small addition of
    code to automatically handle lifecycle and security checking. It would be
    extremely easy to create a subclass of ViewBeanBase that would override the
    securityCheck() method to check the state of a sessioned "user profile"
    object. Add to the ViewBean a declared set of "privilege" strings, and you
    can check the profile object against those required.
    I feel I'm being unclear--do you see where I'm going?
    Todd
    ----- Original Message -----
    From: "njdoe123" <first.us@a...>
    Sent: Friday, December 28, 2001 6:44 AM
    Subject: [iPlanet-JATO] Re: onSecurityCheckFailedEvent & &
    onSessionTimeoutEvent
    Hi,
    We used a lot of "security objects" in netD projects. Each used
    username, password and privilege for login. After migration,
    we have to hand-code all login code manually. Session control
    is pretty standard in J2EE; I'm wondering whether there is a
    best practice example available for the netD login feature.
    Since security was one of the outstanding features in netD, it would
    be a great idea to have a standard plugin to support this feature
    after migration. I wish v1.2 could supply a direction, although
    there are several login methods in J2EE.
    Thanks,
    Alex Lin
    --- In iPlanet-JATO@y..., "Todd Fast" <todd.fast@s...> wrote:
    Small correction: the name of the method in ViewBean is "securityCheck()",
    not "onSecurityCheck()". The method would've been better named
    "checkSecurity()", but too late now. <grin>
    Todd
    ----- Original Message -----
    From: "Craig V. Conover" <craig.conover@s...>
    Sent: Monday, December 17, 2001 12:47 PM
    Subject: Re: [iPlanet-JATO] onSecurityCheckFailedEvent & &
    onSessionTimeoutEvent
    The iMT has a ND to JATO/J2EE mapping document that covers ND
    events and
    common ND class/variable/method mapping.
    To answer you two questions below:
    onSessionTimeoutEvent is onSessionTimeout in JATO and can be overridden in
    any class that subclasses JATO's com.iplanet.jato.ApplicationServletBase.
    Typically, this is done in your application servlet class which all of
    your module servlets in the application will subclass.
    onSecurityCheckFailedEvent is an ND specific event that is triggered
    when a Security exception is thrown in ND. In JATO, a
    SecurityCheckException is thrown when the default security checking in
    JATO fails. JATO's default security is to make sure the RequestContext
    object is not null. This is done in the ViewBean API. The
    onSecurityCheck event in JATO allows you to hook into this behavior and
    write your own security checking, or hook in a third party API. You can
    call super so that you still get the RequestContext null check.
    You should create a "non-visual" ViewBean (behavior only) that overrides
    the onSecurityCheck event, and all other ViewBeans in your application
    extend it to inherit this security checking behavior.
    You could also hook in the security in your application Servlet by
    overriding one of the events in ApplicationServletBase, like
    onBeforeRequest.
    craig
    njdoe123 wrote:
    Hi,
    We have the following two events (onSecurityCheckFailedEvent
    & onSessionTimeoutEvent) across all ND projects. I guess
    it's pretty common for netdynamics project.
    How do you solve the corresponding issues in j2ee ?
    Is there any example available ?
    Thanks,
    Alex
    //[[SPIDER_EVENT<this_onSecurityCheckFailedEvent>
    public int this_onSecurityCheckFailedEvent(CSpProjectSecurityEvent event)
    {
        switch (event.getFailureType())
        {
        case NEW_SECURITY_CHECK_PRIV_FAILURE_TYPE:
            // do something
            CSpPage loginPage1 = CSpider.getPage("PgLogin");
            CSpString msg1 = new CSpString("Wrong District Code, UserID or Password. Try again.");
            loginPage1.setDisplayFieldValue("StMsg1", msg1);
            loginPage1.load(false);
            break;
        case SESSION_CONTINUITY_FAILURE_TYPE:
            // do something else
            CSpPage loginPage2 = CSpider.getPage("PgLogin");
            CSpString msg2 = new CSpString("You must login first...");
            loginPage2.setDisplayFieldValue("StMsg1", msg2);
            loginPage2.load(false);
            break;
        }
        return (STOP);
    }
    //]]SPIDER_EVENT<this_onSecurityCheckFailedEvent>
    //[[SPIDER_EVENT<this_onSessionTimeoutEvent>
    public int this_onSessionTimeoutEvent(CSpProjectSessionEvent event)
    {
        CSpString msg3 = new CSpString("You were gone too long - login again");
        CSpPage loginPage3 = CSpider.getPage("PgLogin");
        loginPage3.setDisplayFieldValue("StMsg1", msg3);
        // stop any further processing of this original user request
        loginPage3.setDisplayFieldValue("District_ID", new CSpString(""));
        loginPage3.setDisplayFieldValue("User_ID", new CSpString(""));
        loginPage3.setDisplayFieldValue("Password", new CSpString(""));
        loginPage3.load(false);
        return (PROCEED);
    }
    //]]SPIDER_EVENT<this_onSessionTimeoutEvent>

    Thank you - Jin and Todd.
    Will try that.
    Atul
    --- In iPlanet-JATO@y..., Byung Jin Chun <bchun@n...> wrote:
    try using kregedit and modify the key for the jvm args, using the -x
    parameters for the 1.2 runtime
    Jin
    -----Original Message-----
    From: Todd Fast [mailto:Todd.Fast@S...]
    Sent: Tuesday, February 19, 2002 8:40 PM
    Subject: Re: [iPlanet-JATO] Re: OutOfMemoryError
    Atul--
    Out of curiosity - How do you modify the memory parameters for
    the container's VM ?? I know I should try to do some research but
    figured you may already have some insight and willingness to
    share.
    Please consider this as low priority.
    It differs by container; I don't remember details of any particular one.
    Todd

  • Re: [iPlanet-JATO] Back Button functionality

    Hi Mike,
    Our test environment does not include proxy server.
    regards,
    syam.
    Please respond to [email protected]
    cc:
    Subject: Re: [iPlanet-JATO] Back Button functionality
    Guys,
    Please clarify something for me, the JATO code is commented as follows
    protected void addResponseHeaders(RequestContext requestContext)
    {
        // These values should make any proxy between the client and
        // server avoid caching, and ensure that pages from one user
        // can never be seen by another user (if they're cached anyway)
        requestContext.getResponse().addHeader("Pragma", "no-cache");
        requestContext.getResponse().addHeader("Cache-Control", "private");
    }
    Yet you make no mention of whether your test environment includes a Proxy
    Server, or does your browser go directly to the Application Server's web server?
    Can you clarify, please?
    ----- Original Message -----
    From: <syam_reddy@p...>
    Sent: Wednesday, April 25, 2001 2:59 PM
    Subject: [iPlanet-JATO] Back Button functionality
    Hi,
    We observed the following difference in behaviour between JATO pages
    and NetD served pages.
    We have the following scenario. User will login to the
    site. After login he will get a frame set. This frame set has three frames.
    Top and bottom frames are used for navigation (to switch between various
    sections on the site). The middle frame (main frame) shows the actual
    content. When the frame set gets loaded, main frame shows page1. User
    will click on a link on page1. Page 2 will be loaded in main frame. At this
    point if the user clicks on back button, with migrated application (JATO
    pages) the following message appears in the main frame.
    In Netscape Communicator 4.61 the following message appears in the main
    frame :
    Data Missing
    This document resulted from a POST operation and has expired from cache. If
    you wish you can repost the form data to recreate the document by
    presenting the reload button.
    In IE 4.72/5.5 the following message appears in the main frame:
    Warning : Page has Expired
    The page you requested was created using information you submitted in a
    form.This page is no longer available.As a security precaution, Internet
    Explorer does not automatically resubmit your information for you. To
    resubmit your information and view the web page click the refresh button.
    However, in the NetD site page1 will appear in main frame.
    How do we mimic the NetD behaviour with the migrated
    applications ?
    We think the above behaviour with migrated Apps, is due to the
    headers that are get set in Application ServletBase , see the following
    code snippet :
    protected void addResponseHeaders(RequestContext requestContext)
    {
        // These values should make any proxy between the client and
        // server avoid caching, and ensure that pages from one user
        // can never be seen by another user (if they're cached anyway)
        requestContext.getResponse().addHeader("Pragma", "no-cache");
        requestContext.getResponse().addHeader("Cache-Control", "private");
    }
    If we comment out the above code, we are able to mimic the NetD
    behaviour. Are there any alternatives/thoughts on how to mimic the NetD
    behaviour?
    Thanks in Advance,
    syam&ravi.
    [email protected]
    [email protected]

    OK, here's what I'm trying to do: We have, like you said, a menu
    page. The pages that it goes to and the number of links are all
    variable and read from the database. In NetD we were able to create
    URLs in the form
    pgXYZ?SPIDERSESSION=abcd
    so this is what I'm trying to replicate here. So the URL that works
    is
    pgContactUs?GXHC_GX_jst=fc7b7e61662d6164&GXHC_gx_session_id_=cc9c6dfa5601afa7
    which I interpreted to be the equivalent of the old Netd way. Our
    javascript also loads other frames of the page in the same manner.
    And I believe the URL-rewritten frame sources of a frameset look like
    this too.
    This all worked except for the timeout problem. In theory we could
    rewrite all URLs to go to a handler, but that would be...
    inconvenient.

  • IPlanet authentication over SSL

    I've written a when_compare_replace plugin for our 9.0.2.0 OID server to perform user authentication against our iPlanet LDAP server for portal users. Authentication works great, as is shown in the plugin source below, but it is being done in the clear, with no encryption on any of the data.
    I've been looking and looking for ways to do the DBMS_LDAP.simple_bind_s over a secure connection and have come up with nothing. Our LDAP server has an SSL port running and performs authentication for other C and Java applications over an encrypted connection.
    I've been trying to get the DBMS_LDAP.open_ssl command to work but I'm lost when it comes to the wallets. Why does the client need a wallet with a certificate to establish a secure connection? If we have to use a wallet with a certificate, what certificate do we use? Do we need to get a cert for the OID server so we can perform encrypted authentication?
    Below is the full PL/SQL source of my OID plugin. It works as is for clear text authentication but this is not acceptable for a production system.
    PACKAGE BODY PLUGIN_WHEN_COMPARE_REPLACE AS
        --Written by Eric Dalquist, [email protected] - 07/01/2003 for use by Michigan
        --Technological University. This code may be freely used and modified as
        --long as the original author's name, email address and creation date are
        --included.
        PROCEDURE WHEN_COMPARE_REPLACE
        (
            ldapplugincontext IN ODS.plugincontext,
            result OUT INTEGER,
            dn IN VARCHAR2,
            attrname IN VARCHAR2,
            attrval IN VARCHAR2,
            rc OUT INTEGER,
            errormsg OUT VARCHAR2
        )
        IS
            local_session       DBMS_LDAP.session;
            local_bind_return   PLS_INTEGER;
            local_ldap_host     VARCHAR(256);
            local_ldap_port     PLS_INTEGER;
            remote_session      DBMS_LDAP.session;
            remote_bind_return  PLS_INTEGER;
            remote_ldap_host    VARCHAR(256);
            remote_ldap_port    PLS_INTEGER;
            remote_ssl_results  PLS_INTEGER;
            search_attributes   DBMS_LDAP.STRING_COLLECTION;
            search_return       PLS_INTEGER;
            search_result       DBMS_LDAP.MESSAGE;
            search_entry        DBMS_LDAP.MESSAGE;
            search_entries      PLS_INTEGER;
            MTU_userid  VARCHAR(16);
            MTU_dn      VARCHAR(256);
            retval      PLS_INTEGER;
            --DEBUGGING VARIABLES
            auth_location   VARCHAR(16);
            auth_server     VARCHAR(256);
            auth_port       PLS_INTEGER;
            context_data    VARCHAR(2048);
        BEGIN
            remote_ldap_host := 'test1.mtu.edu';
            remote_ldap_port := 389;
            --Exceptions make fall-through authentication much more difficult
            --Turn them off.
            DBMS_LDAP.USE_EXCEPTION := FALSE;
            --Move this into the local auth section later
            --Cut down on processing time to save CPU
            FOR l_counter IN 1..ldapplugincontext.COUNT LOOP
                IF l_counter = 1 THEN
                    local_ldap_host := ldapplugincontext(l_counter);
                ELSIF l_counter = 2 THEN
                    local_ldap_port := ldapplugincontext(l_counter);
                END IF;
                --Debugging purposes only
                IF l_counter = ldapplugincontext.COUNT THEN
                    context_data := context_data || ldapplugincontext(l_counter);
                ELSE
                    context_data := context_data || ldapplugincontext(l_counter) || ', ';
                END IF;
            END LOOP;
            IF attrname = 'userpassword' THEN
                remote_session := DBMS_LDAP.init(remote_ldap_host, remote_ldap_port);
                --Instead of putting it in a STRING_COLLECTION first just extract
                --the first element (MTU userid) right away
                MTU_userid := DBMS_LDAP.explode_dn(dn, 1)(0);
                --Find the users MTU dn based on their user id
                search_attributes(1) := 'michigantechuniqueidentifier';
                search_return := DBMS_LDAP.search_s
                    remote_session,
                    'ou=people,dc=mtu,dc=edu',
                    DBMS_LDAP.SCOPE_SUBTREE,
                    '(&(uid=' || MTU_userid || ')(objectclass=posixaccount))',
                    search_attributes,
                    0,
                    search_result
                rc := search_return;
                            --Get the number of entries found for the user id
                search_entries := DBMS_LDAP.count_entries(remote_session, search_result);
                IF search_return = DBMS_LDAP.SUCCESS AND search_entries = 1 THEN
                    --for debuging
                    auth_location := 'remote';
                    auth_server := remote_ldap_host;
                    auth_port := remote_ldap_port;
                    --Retrieve the MTU dn from the search results
                    search_entry := DBMS_LDAP.first_entry(remote_session, search_result);
                    MTU_dn := DBMS_LDAP.get_dn(remote_session, search_entry);
                    --Perform a simple bind against the remote LDAP server with the MTU dn and
                    --password passed to us.
                    remote_bind_return := DBMS_LDAP.simple_bind_s(remote_session, MTU_dn, attrval);
                    rc := remote_bind_return;
                    --If the bind was successful unbind from the server.
                    IF remote_bind_return = DBMS_LDAP.SUCCESS THEN
                        retval := DBMS_LDAP.unbind_s(remote_session);
                    END IF;
                ELSIF search_entries < 1 THEN
                    --for debuging
                    auth_location := 'local';
                    auth_server := local_ldap_host;
                    auth_port := local_ldap_port;
                    --If the user does not exist on the remote LDAP server
                    --attempt to authenticate it with the local LDAP server
                    local_session := DBMS_LDAP.init(local_ldap_host, local_ldap_port);
                    local_bind_return := DBMS_LDAP.simple_bind_s(local_session, dn, attrval);
                    rc := local_bind_return;
                    IF local_bind_return = DBMS_LDAP.success THEN
                        retval := DBMS_LDAP.unbind_s(local_session);
                    END IF;
                ELSE
                    --for debuging
                    auth_location := 'none';
                    --Too many results returned
                    rc := DBMS_LDAP.RESULTS_TOO_LARGE;
                END IF;
                --the value of 'result' determines if the user is authenticated or not
                IF rc = DBMS_LDAP.SUCCESS THEN
                    result := DBMS_LDAP.COMPARE_TRUE;
                ELSE
                    result := DBMS_LDAP.COMPARE_FALSE;
                END IF;
                errormsg := DBMS_LDAP.err2string(rc);
            ELSE
                -- Do what WHEN_COMPARE_REPLACE would have done????
                rc := DBMS_LDAP.SUCCESS;
                -- Return false if unsure that the user should be authenticated
                result := DBMS_LDAP.COMPARE_FALSE;
                errormsg := 'Not sure what I should have done here :-)';
                --Correct behavior is probably to do a search based on the DN for
                --the specified attribute and then compare the passed value to the
                --found value but until logs show this procedure is used for
                --anything other than password authentication the functionality is
                --going to be left out.
            END IF;
            INSERT INTO WHEN_COMPARE_REPLACE_LOG VALUES
                to_char(sysdate, 'Month DD, YYYY HH24:MI:SS'),
                dn,
                attrname,
                attrval,
                MTU_userid,
                MTU_dn,
                result,
                rc,
                errormsg,
                'No Exception - Auth From: ' || auth_location,
                auth_server,
                auth_port,
                context_data
            COMMIT;
        EXCEPTION
            WHEN OTHERS THEN
                --An exception was raised
                rc := SQLCODE;
                errormsg := SUBSTR(SQLERRM, 1, 255);
                --Return false so authentication can't happen
                result := DBMS_LDAP.COMPARE_FALSE;
                INSERT INTO WHEN_COMPARE_REPLACE_LOG VALUES
                    to_char(sysdate, 'Month DD, YYYY HH24:MI:SS'),
                    dn,
                    attrname,
                    attrval,
                    MTU_userid,
                    MTU_dn,
                    result,
                    rc,
                    errormsg,
                    'Exception - Auth From: ' || auth_location,
                    auth_server,
                    auth_port,
                    context_data
                COMMIT;
        END;
    END PLUGIN_WHEN_COMPARE_REPLACE;

    I've written a when_compare_replace plugin for our 9.0.2.0 OID server to perform user authentication against our iPlanet LDAP server for portal users. Authentication works great as is shown in the plugin source below but it is being done in the clear, with no encryption on any of the data.
    I've been looking and looking for ways to do the DBMS_LDAP.simple_bind_s over a secure connection and have come up with nothing. Our LDAP server has an SSL port running and performs authentication for other C and Java applications over an encrypted connection.
    I've been trying to get the DBMS_LDAP.open_ssl command to work but I'm lost when it comes to the wallets. Why does the client need a wallet with a certificate to establish a secure connection? If we have to use a wallet with a certificate, what certificate do we use? Do we need to get a cert for the OID server so we can perform encrypted authentication?
    Below is the full PL/SQL source of my OID plugin. It works as is for clear text authentication but this is not acceptable for a production system.
    PACKAGE BODY PLUGIN_WHEN_COMPARE_REPLACE AS
        --Written by Eric Dalquist, [email protected] - 07/01/2003 for use by Michigan
        --Technological University. This code may be freely used and modified as
        --long as the original author's name, email address and creation date are
        --included.
        PROCEDURE WHEN_COMPARE_REPLACE (
            ldapplugincontext IN ODS.plugincontext,
            result OUT INTEGER,
            dn IN VARCHAR2,
            attrname IN VARCHAR2,
            attrval IN VARCHAR2,
            rc OUT INTEGER,
            errormsg OUT VARCHAR2
        )
        IS
            local_session       DBMS_LDAP.session;
            local_bind_return   PLS_INTEGER;
            local_ldap_host     VARCHAR(256);
            local_ldap_port     PLS_INTEGER;
            remote_session      DBMS_LDAP.session;
            remote_bind_return  PLS_INTEGER;
            remote_ldap_host    VARCHAR(256);
            remote_ldap_port    PLS_INTEGER;
            remote_ssl_results  PLS_INTEGER;
            search_attributes   DBMS_LDAP.STRING_COLLECTION;
            search_return       PLS_INTEGER;
            search_result       DBMS_LDAP.MESSAGE;
            search_entry        DBMS_LDAP.MESSAGE;
            search_entries      PLS_INTEGER;
            MTU_userid  VARCHAR(16);
            --MTU_userid with the LDAP filter metacharacters escaped (RFC 2254);
            --each escaped character becomes three characters, hence the larger size
            search_userid VARCHAR(64);
            MTU_dn      VARCHAR(256);
            retval      PLS_INTEGER;
            --DEBUGGING VARIABLES
            auth_location   VARCHAR(16);
            auth_server     VARCHAR(256);
            auth_port       PLS_INTEGER;
            context_data    VARCHAR(2048);
        BEGIN
            remote_ldap_host := 'test1.mtu.edu';
            remote_ldap_port := 389;
            --Exceptions make fall-through authentication much more difficult
            --Turn them off.
            DBMS_LDAP.USE_EXCEPTION := FALSE;
            --Move this into the local auth section later
            --Cut down on processing time to save CPU
            FOR l_counter IN 1..ldapplugincontext.COUNT LOOP
                IF l_counter = 1 THEN
                    local_ldap_host := ldapplugincontext(l_counter);
                ELSIF l_counter = 2 THEN
                    local_ldap_port := ldapplugincontext(l_counter);
                END IF;
                --Debugging purposes only
                IF l_counter = ldapplugincontext.COUNT THEN
                    context_data := context_data || ldapplugincontext(l_counter);
                ELSE
                    context_data := context_data || ldapplugincontext(l_counter) || ', ';
                END IF;
            END LOOP;
            IF attrname = 'userpassword' THEN
                remote_session := DBMS_LDAP.init(remote_ldap_host, remote_ldap_port);
                --Instead of putting it in a STRING_COLLECTION first just extract
                --the first element (MTU userid) right away
                MTU_userid := DBMS_LDAP.explode_dn(dn, 1)(0);
                --The userid is concatenated into a search filter, so escape the
                --filter metacharacters first (backslash before the others) so that
                --a crafted RDN cannot rewrite the filter and match another entry.
                search_userid := REPLACE(MTU_userid, '\', '\5c');
                search_userid := REPLACE(search_userid, '*', '\2a');
                search_userid := REPLACE(search_userid, '(', '\28');
                search_userid := REPLACE(search_userid, ')', '\29');
                --Find the user's MTU dn based on their user id
                search_attributes(1) := 'michigantechuniqueidentifier';
                search_return := DBMS_LDAP.search_s(
                    remote_session,
                    'ou=people,dc=mtu,dc=edu',
                    DBMS_LDAP.SCOPE_SUBTREE,
                    '(&(uid=' || search_userid || ')(objectclass=posixaccount))',
                    search_attributes,
                    0,
                    search_result
                );
                rc := search_return;
                --Get the number of entries found for the user id
                search_entries := DBMS_LDAP.count_entries(remote_session, search_result);
                IF search_return = DBMS_LDAP.SUCCESS AND search_entries = 1 THEN
                    --for debugging
                    auth_location := 'remote';
                    auth_server := remote_ldap_host;
                    auth_port := remote_ldap_port;
                    --Retrieve the MTU dn from the search results
                    search_entry := DBMS_LDAP.first_entry(remote_session, search_result);
                    MTU_dn := DBMS_LDAP.get_dn(remote_session, search_entry);
                    --Perform a simple bind against the remote LDAP server with the MTU dn and
                    --password passed to us.
                    remote_bind_return := DBMS_LDAP.simple_bind_s(remote_session, MTU_dn, attrval);
                    rc := remote_bind_return;
                ELSIF search_entries < 1 THEN
                    --for debugging
                    auth_location := 'local';
                    auth_server := local_ldap_host;
                    auth_port := local_ldap_port;
                    --If the user does not exist on the remote LDAP server
                    --attempt to authenticate it with the local LDAP server
                    local_session := DBMS_LDAP.init(local_ldap_host, local_ldap_port);
                    local_bind_return := DBMS_LDAP.simple_bind_s(local_session, dn, attrval);
                    rc := local_bind_return;
                    --Release the local session whether or not the bind succeeded
                    retval := DBMS_LDAP.unbind_s(local_session);
                ELSE
                    --for debugging
                    auth_location := 'none';
                    --Too many results returned
                    rc := DBMS_LDAP.RESULTS_TOO_LARGE;
                END IF;
                --Release the remote session in every branch; a failed search or
                --bind still holds an open connection to the remote server
                retval := DBMS_LDAP.unbind_s(remote_session);
                --the value of 'result' determines if the user is authenticated or not
                IF rc = DBMS_LDAP.SUCCESS THEN
                    result := DBMS_LDAP.COMPARE_TRUE;
                ELSE
                    result := DBMS_LDAP.COMPARE_FALSE;
                END IF;
                errormsg := DBMS_LDAP.err2string(rc);
            ELSE
                -- Do what WHEN_COMPARE_REPLACE would have done????
                rc := DBMS_LDAP.SUCCESS;
                -- Return false if unsure that the user should be authenticated
                result := DBMS_LDAP.COMPARE_FALSE;
                errormsg := 'Not sure what I should have done here :-)';
                --Correct behavior is probably to do a search based on the DN for
                --the specified attribute and then compare the passed value to the
                --found value but until logs show this procedure is used for
                --anything other than password authentication the functionality is
                --going to be left out.
            END IF;
            INSERT INTO WHEN_COMPARE_REPLACE_LOG VALUES (
                to_char(sysdate, 'Month DD, YYYY HH24:MI:SS'),
                dn,
                attrname,
                --When attrname is 'userpassword', attrval is the user's clear-text
                --password; never write it to the log table
                CASE WHEN attrname = 'userpassword' THEN '<redacted>' ELSE attrval END,
                MTU_userid,
                MTU_dn,
                result,
                rc,
                errormsg,
                'No Exception - Auth From: ' || auth_location,
                auth_server,
                auth_port,
                context_data
            );
            COMMIT;
        EXCEPTION
            WHEN OTHERS THEN
                --An exception was raised
                rc := SQLCODE;
                errormsg := SUBSTR(SQLERRM, 1, 255);
                --Return false so authentication can't happen
                result := DBMS_LDAP.COMPARE_FALSE;
                INSERT INTO WHEN_COMPARE_REPLACE_LOG VALUES (
                    to_char(sysdate, 'Month DD, YYYY HH24:MI:SS'),
                    dn,
                    attrname,
                    --Same redaction as above: the password must not reach the log
                    CASE WHEN attrname = 'userpassword' THEN '<redacted>' ELSE attrval END,
                    MTU_userid,
                    MTU_dn,
                    result,
                    rc,
                    errormsg,
                    'Exception - Auth From: ' || auth_location,
                    auth_server,
                    auth_port,
                    context_data
                );
                COMMIT;
        END;
    END PLUGIN_WHEN_COMPARE_REPLACE;
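    The following is an added example, not part of the post above and not the poster's code, showing how the remote simple bind in the plugin can be run over SSL with DBMS_LDAP.open_ssl. It answers the wallet question in the practical sense: for one-way SSL (sslauth mode 2) the wallet is the client's trust store, so it needs only the CA certificate that signed the iPlanet server's certificate imported as a trusted certificate; OID needs no certificate of its own unless the LDAP server demands client certificates (mode 3). The LDAPS port 636, the wallet directory, its password and the test user DN and password are assumptions for illustration.

    ```plsql
    -- Added example (not from the original post): simple bind over SSL with
    -- DBMS_LDAP.open_ssl. Assumed values: LDAPS port 636, wallet directory
    -- /etc/ORACLE/WALLETS/oid and its password, a test DN and password, and the
    -- iPlanet server's CA already imported into the wallet as a trusted cert.
    DECLARE
        remote_session      DBMS_LDAP.session;
        remote_ldap_host    VARCHAR2(256) := 'test1.mtu.edu';
        remote_ldaps_port   PLS_INTEGER   := 636;                              -- assumption
        wallet_location     VARCHAR2(256) := 'file:/etc/ORACLE/WALLETS/oid';   -- assumption
        wallet_password     VARCHAR2(256) := 'wallet-password';                -- assumption
        -- open_ssl sslauth modes: 1 = no authentication, 2 = one-way (the
        -- client verifies the server certificate), 3 = two-way (the server
        -- also requires a client certificate from the wallet).
        SSL_ONE_WAY         CONSTANT PLS_INTEGER := 2;
        ssl_return          PLS_INTEGER;
        bind_return         PLS_INTEGER;
        retval              PLS_INTEGER;
        user_dn             VARCHAR2(256) := 'uid=jdoe,ou=people,dc=mtu,dc=edu'; -- assumption
        user_password       VARCHAR2(256) := 'correct-horse';                    -- assumption
    BEGIN
        -- Return codes instead of exceptions, as in the plugin.
        DBMS_LDAP.USE_EXCEPTION := FALSE;

        -- Open the session against the SSL port, not 389.
        remote_session := DBMS_LDAP.init(remote_ldap_host, remote_ldaps_port);

        -- Negotiate SSL before anything else is sent on the session. With
        -- one-way authentication the wallet only has to hold the server's CA
        -- as a trusted certificate; the wallet password unlocks the wallet.
        ssl_return := DBMS_LDAP.open_ssl(remote_session,
                                         wallet_location,
                                         wallet_password,
                                         SSL_ONE_WAY);
        IF ssl_return <> DBMS_LDAP.SUCCESS THEN
            -- Do not fall back to a clear-text bind on 389: that would send
            -- the password in the clear exactly when the channel is untrusted.
            DBMS_OUTPUT.PUT_LINE('open_ssl failed: ' || DBMS_LDAP.err2string(ssl_return));
            retval := DBMS_LDAP.unbind_s(remote_session);
            RETURN;
        END IF;

        -- The same simple bind as the plugin, now inside the SSL session, so
        -- the DN and password are encrypted on the wire.
        bind_return := DBMS_LDAP.simple_bind_s(remote_session, user_dn, user_password);
        DBMS_OUTPUT.PUT_LINE('bind: ' || DBMS_LDAP.err2string(bind_return));

        -- Release the connection whether or not the bind succeeded.
        retval := DBMS_LDAP.unbind_s(remote_session);
    END;
    /
    ```

    The wallet is created with Oracle Wallet Manager (orapki on later releases), and the only certificate that has to go into it for mode 2 is the iPlanet server's CA, imported as a trusted certificate; if the server's certificate is self-signed, that certificate itself is the one to trust. If open_ssl fails, the check above refuses to bind rather than retrying on the clear-text port, which is the behaviour the plugin should keep once the remote bind is moved onto SSL.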

  • Problem with Iplanet/JWS 6.1 connecting to Weblogic on Solaris

    We have an application which runs JSPs and Servlets on SJSWS/Iplanet 6.1 and uses EJBs on Weblogic 8.1 for database access.
    When the Weblogic server is running on a Windows box, there is no problem accessing the EJBs. But we have not been able to get connected when the Weblogic is running on a Solaris box.
    Also, we don't have a problem connecting to the Weblogic on Solaris from a Tomcat webserver, so the EJBs and URI are correct.
    Any help appreciated.
    Here's the stacktrace of the exception:
    info: CORE3282: stdout: 10:16:46,296 ERROR [UserMaintenance] Error looking up user.UserManagement.
    Exception is javax.naming.NamingException: Unhandled exception in lookup.
    Root exception is org.omg.CORBA.UNKNOWN: vmcid: 0x0 minor code: 0 completed: No
    info: CORE3282: stdout: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    info: CORE3282: stdout: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    info: CORE3282: stdout: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    info: CORE3282: stdout: at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
    info: CORE3282: stdout: at java.lang.Class.newInstance0(Class.java:306)
    info: CORE3282: stdout: at java.lang.Class.newInstance(Class.java:259)
    info: CORE3282: stdout: at com.sun.corba.se.internal.iiop.messages.ReplyMessage_1_2.getSystemException(ReplyMessage_1_2.java:90)
    info: CORE3282: stdout: at com.sun.corba.se.internal.iiop.ClientResponseImpl.getSystemException(ClientResponseImpl.java:105)
    info: CORE3282: stdout: at com.sun.corba.se.internal.corba.ClientDelegate.invoke(ClientDelegate.java:314)
    info: CORE3282: stdout: at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:457)
    info: CORE3282: stdout: at weblogic.corba.cos.naming._NamingContextAnyStub.resolve_any(_NamingContextAnyStub.java:80)
    info: CORE3282: stdout: at weblogic.corba.j2ee.naming.ContextImpl.lookup(ContextImpl.java:213)
    info: CORE3282: stdout: at weblogic.corba.j2ee.naming.ContextImpl.lookup(ContextImpl.java:171)
    info: CORE3282: stdout: at javax.naming.InitialContext.lookup(InitialContext.java:347)
    info: CORE3282: stdout: at com.cmg.util.ejb.EJBHomeFactory.lookupHome(EJBHomeFactory.java:77)
    info: CORE3282: stdout: at com.cmg.adp.tpc.UserMaintenance.getManager(UserMaintenance.java:94)
    info: CORE3282: stdout: at com.cmg.adp.tpc.LogonAction.doAuthenticate(LogonAction.java:133)
    info: CORE3282: stdout: at com.cmg.adp.tpc.LogonAction.doExecute(LogonAction.java:94)
    info: CORE3282: stdout: at com.cmg.adp.tpc.BaseAction.execute(BaseAction.java:51)
    info: CORE3282: stdout: at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:465)
    info: CORE3282: stdout: at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    info: CORE3282: stdout: at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1422)
    info: CORE3282: stdout: at com.cmg.adp.tpc.PaycardServlet.process(PaycardServlet.java:178)
    info: CORE3282: stdout: at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:523)
    info: CORE3282: stdout: at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
    info: CORE3282: stdout: at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardWrapperValve.invokeServletService(StandardWrapperValve.java:771)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardWrapperValve.access$000(StandardWrapperValve.java:118)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardWrapperValve$1.run(StandardWrapperValve.java:293)
    info: CORE3282: stdout: at java.security.AccessController.doPrivileged(Native Method)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:289)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
    info: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    info: CORE3282: stdout: at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
    info: CORE3282: stdout: at com.iplanet.ias.web.WebContainer.service(WebContainer.java:586)

    When I access
    http://localhost/portal
    A serious error has occured in the Desktop. This may have been caused by a mis-configuration on the server.
    Please report this problem to your administrator.
    Return to front page

  • Is there a way to avoid an iPlanet Messaging Express home user copying from the email message (email content) body and pasting it to a local place (its hard disk, for example)?

    Is there a way to prevent an iPlanet Messaging Express home user from copying and pasting email body content, and to prevent attachment delivery attempts? This could allow home users to take ownership of the enterprise's documents, sending them to themselves, and after that, in their own homes, they access Messaging Express, receive their email with the forbidden content and then copy and paste it to their own hard disk.

    It may be possible, but then what would prevent the user from running a "screen grabber" to capture the data. The underlying question that you need to ask is, "Who can you trust?" If you're concerned about confidential documents being stolen/disclosed, then that is where your security starts. If someone can't access a document, they can't E-mail it or transport it elsewhere. Who says they can only use E-mail? Using ftp is more efficient, or a floppy/Zip/Jazz drive could also be used. Trying to "secure" the E-mail client would be like plugging a single hole in a water pipe full of leaks. You have to shut off the water at the source.
