Issue with Authentication using JAAS for coherence

Hi,
I have configured security frame work using JAAS for storage enabled node,
I am using keystore for authenticating the users, Below is the code used for authentication,
    Subject subject;
        try{ subject = Security.login(sUsername, sPassword.toCharArray()); }
        catch (Throwable t){
            subject = null;
            log("Authentication error:");
            log(t); }
        if (subject != null)
            for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); )
                Principal principal = (Principal) iter.next();
                log("Principal: " + principal.getName());
        Security.runAs(subject, new PrivilegedAction()
            public Object run()
                NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                boolean flag = true;
                while (flag) {}
                return null;
            });and i am calling the above class in the callback handler which is defined in coherence operation descriptor.
        <security-config>
                <enabled system-property="tangosol.coherence.security">true</enabled>
                <login-module-name>TestCoherence</login-module-name>
                 <access-controller>
                <class-name>com.tangosol.net.security.DefaultController</class-name>
                        <init-params>
                        <init-param id="1">
                        <param-type>java.io.File</param-type>
                        <param-value>config/keystore.jks</param-value>
                        </init-param>
                        <init-param id="2">
                        <param-type>java.io.File</param-type>
                        <param-value>config/permissions.xml</param-value>
                        </init-param>
                        </init-params>
                 </access-controller>
                 <callback-handler>
                        <class-name>Test</class-name>
                 </callback-handler>
         </security-config>I am using the following command line parameters for bringing up the storage enabled node.
-Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
-Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
-Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
-Dtangosol.coherence.security=trueNow till the callback handler thread is alive, storage enabled node will be up. As soon as the call back handler thread dies. Storage enabled node stops with the following error,
Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
Please let me know where should i pass the credentials to the default cache server for authentication or should i change the any implementation of authentication here.
Thanks in advance,
Bhargav

Bhargav,
Rather than trying to loop forever in a callback handler try this
import com.tangosol.net.CacheFactory;
import com.tangosol.net.DefaultCacheServer;
import com.tangosol.net.security.Security;
import javax.security.auth.Subject;
import java.security.PrivilegedExceptionAction;
public class SecureCacheServer {
    public static void main(final String[] args) throws Exception {
        LoginContext lc = new LoginContext("Coherence");
        lc.login();      
        Subject subject = lc.getSubject();
        Security.runAs(subject, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                DefaultCacheServer.main(args);
                return null;
}Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
I hope the code above compiles OK as it is a modified version of the code I really use.
Hope this helps
JK

Similar Messages

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
    I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
    I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

  • Directory Caching issue with Cisco Jabber client for Windows

    Hi ,
    I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
    Every time I have to remove the cache file to overcome this issue, practically it's not possible to do the same with all the Widows users. As, if any employee leaves the company and still I can see his contact appears in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
    Is there any automated way to remove the cache file? 
    Here is the detail of CUCM,Presence and Jabber.
    CUCM version: 9.1.x
    Presence          : 9.1.X
    Jabber              : 10.5 and 10.6

    Hello
    On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
    Network Device Enrollment Service.
    Our certificate for the CUPS were generated on this Certification Authority too.
    I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
    Enterprise Trust store for the users.
    But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
    I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
    Our partner left us alone with that unfortunately.
    Florent
    EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

  • Issue with Audit Vault Collector for Peoplesoft-MS Sql Server

    Experts,
    Requesting your valuable inputs regarding below issue :
    Environment:
    - Peoplesoft with SQL Server 2008
    - Oracle Audit Vault.
    Current issue with Audit Vault collector for SQL server is that it is not giving PSFT login ID instead it is giving Peoplesoft DB service Account ID.
    Is this expected ?. If yes, what is the workaround ? Can Database Firewall is a best option to capture PSFT login ID ?
    Thanks

    Hi Rabi ,
      just do one think here ..
    During data source creation , in the Additional tab area , in the SQL Engine session , select "Vendor SQL"  instead of "Open SQL".
    HOw could u create data source without selecting the driver corrsponding to MS SQL.?
    it is recommended to download the latest Driver and use this for Driver creation.
    let me know ..
                                       Regards
                                       Kishor Gopinathan

  • Issue with voice over narration for a presentation

    When I record a voice over narration (Keynote 09) and then play back - the slides do not always play back with the sound. It seems to be an issue with slides using a build-up ... although it finishes - it then sticks and the sound for the next slide carries on out of sync to the visual - EG - every time I try it happens on the same slides - A good example is one that is followed by a .mov built into a slide. The sound track runs before the new slide image appears - Also I have problems with the movie - as the sound from the .mov file does not come through, so I have to record the movie sound on the narration rack .. confused!?

    It sounds like you are making too many assumptions and not actually testing anything.
    For instance, emoji may not cause issues for other contacts (maybe it is and you don't know it) but if I were testing this issue, the first thing I would do is remove the emoji from the contact info.
    Next thing I would do is make a fake contact called "Home Other". And see if the Voice Control asks you to pick between Home and Home Other
    Another thing I would do is add multiple numbers for your home contact (real or fake) And see if you can get the Voice control to find the contact and ask you what number you want to pick. (home or mobile)
    And last thought that I had....You mentioned that the Voice Control dials a random person every time, but how random is it really? Are you sure that part of these people's names don't phonetically sound similar to the word Home?

  • [svn:fx-trunk] 12982: Fix for issue with exposing accessible names for combobox list items

    Revision: 12982
    Revision: 12982
    Author:   [email protected]
    Date:     2009-12-15 20:44:23 -0800 (Tue, 15 Dec 2009)
    Log Message:
    Fix for issue with exposing accessible names for combobox list items
    QE notes: none
    Doc notes: none
    Bugs: n/a
    Reviewer: Gordon
    Tests run: checkintests
    Is noteworthy for integration: no
    Modified Paths:
        flex/sdk/trunk/frameworks/projects/spark/src/spark/accessibility/ComboBoxAccImpl.as
        flex/sdk/trunk/frameworks/projects/spark/src/spark/accessibility/ListBaseAccImpl.as

    Add this to the end of your nav p CSS selector at Line 209 of your HTML file, after 'background-repeat...':
    margin-bottom: -2px;
    Your nav p will then look like this:
    nav p {
              font-size: 90%;
              font-weight: bold;
              color: #FFC;
              background-color: #090;
              text-align: right;
              padding-top: 5px;
              padding-right: 20px;
              padding-bottom: 5px;
              border-bottom-width: 2px;
              border-bottom-style: solid;
              border-bottom-color: #060;
              background-image: url(images/background.png);
              background-repeat: repeat-x;
              margin-bottom: -2px;

  • Hi All, can i have some production support issues with rootcasue and resolution for SAP TM?

    Hi All, can i have some production support issues with rootcasue and resolution for SAP TM?
    Thanks,
    Sreenivas

    Hi Sreenivas,
    I would recommend that you read the Rules of Engagement and other documents in the Getting Started link (top right) before posting anymore.  Your Discussion will most likely get reported as non-specific and get removed.  If you have a specific problem with TM, please post it in a new thread with error messages, version and SPs installed, and how the error occurs and what you are trying to get TM to do.
    There are a lot of resources available in the TM Overview page which can help, so start there and maybe also look at some of the MKS (Monday Knowledge Session) recordings which should also be listed.  There are also a lot of experienced people who can help resolve issues your TM installation, but you need to provide enough information on the problems you are having.  If you are just looking for information on past problems, do a Search or simply browse through past Discussions which are marked with a green Check (Correct Answer).
    Regards, Mike
    SAP Customer Experience Group - CEG (and a Moderator)

  • Issue with Alerts using BPM : Trigerred for Successful messages also

    Hi Everybody,
    I am working on configuring Alerts using BPM.
    I have followed the below blog by Micheal.
    /people/michal.krawczyk2/blog/2005/03/13/alerts-with-variables-from-the-messages-payload-xi--updated
    In BPM after the receive step I have used container and control steps to capture the Idoc Number as mentioned in the blog.
    I am facing an issue with it now as an Alert message is send to my Inbox even when the message is succesfully processed by the adapter.
    This is a strange behaviour when we talk about Alerts.
    Can somebody help me out in this?
    Thanks & Regards,
    Zabiulla

    Hi Zabiulla,
    Michal explained just the basic, the logic of your process is to build by yourself. Usually an alert will be raised inside of an exception branch. You can define exceptions for critical operations, f.e. send steps or transformations, the exception will be catched by jumping to the exception branch, where you can store a suitable reaction - f.e. an alert.
    Regards,
    Udo

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB who's methods are protected through the deployment descriptor:
            <assembly-descriptor>
                 <security-role>
                    <description>role for clients outside of the server </description>
                    <role-name>sedna</role-name>
                  </security-role>
                <method-permission>
                  <role-name>sedna</role-name>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>*</method-name>
                  </method>
                </method-permission>
                <method-permission>
                  <unchecked/>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>getVersion</method-name>
                  </method>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>create</method-name>
                  </method>
                </method-permission>
            </assembly-descriptor>I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
    But then I try to access another method which is protected and then I get this exception
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
            at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
            at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
            at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
    ...I have to mention that I do make a login via the LoginContext. My jaas.config File has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I lookup the context with a corbaname url which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am allways ANONYMOUS on the server side, which is definitely the problem. Because ANONYMOUS is not allowed to call the protected EJB Methods. But I made a jaas login in advance. So where am I making a mistake???
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    I understand correctly that you call Subject.doAs on
    the client to call the remote EJB. I guess It isn't
    right way.I had also a bad feeling about this, so I forget it. But anyway it wasn't working with or without using that doAs().
    >
    >
    Subject contextSubject =
    Subject.getSubject(AccessController.getContext());
    contextSubject.getPrincipals();This code throws exceptions in the Appserver. Unfortunately they are catched somewhere so I'm unable to find out what was going wrong. But I guess, that these exceptions where security exceptions. Never the less thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go because that is programmatically security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposed I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via it's deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context but not for security check, that should allready been done at this time.
    Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan

  • Using JAAS for third-party webapp

    I'm developing a webapp that will be marketed to enterprise customers. Right now, it handles its own authentication by validating the userid/password against its own user table. I'd like to give customers the ability to plug in whatever type of authentication they want, for example, one that authenticates a user against an Active Directory domain.
    It seems like JAAS was expressly designed for this purpose, but as I read up on it, I forsee all sorts of problems that could be caused by it. If I'm missing something, I'm hoping someone here can set me straight.
    According to the docs, when an app creates a LoginContext and provides it with CallbackHandlers, the LoginContext will check the Configuration to see if any LoginModules are configured for the app (based on the name parameter passed into the LoginContext). If it doesn't find one, it will look for a set of LoginModules for "other".
    Here's the behavior I would like: If there is no set of LoginModules configured specifically for my app, I do NOT want the LoginModule(s) for "other" used, since I have no clue what it/they will be. Instead, I would like to my code to be gracefully notified that no LoginModules are configured, so it can default back to its own authentication mechanism. From the looks of the API docs, however, there doesn't seem to be any surefire way to tell why a LoginException has thrown.
    I thought I might be able to check programattically to see if there's a LoginModule configured for my webapp with Configuration.getConfiguration().getAppConfigurationEntry(appName), but, 1) it looks like that will probably throw a SecurityException, and 2) it also looks like it would return the AppConfigurationEntries for "other" in the event there's no entry for my app.
    It's important that my app not require the appserver administrator to explicitly configure a LoginModule for it, since that could turn into a support nightmare; I simply want to give powerusers the ability to do so if they choose to.
    Is it possible to get the behavior I want from JAAS, without a lot of contortions and workarounds? As I said, I may be missing something, but it doesn't seem like I can.

    This is from the javadocs
    public LoginContext(String name)
    throws LoginException
    Initialize the new LoginContext object with a name.
    LoginContext uses the specified name as the index
    into the Configuration to determine which
    LoginModules should be used. If the provided name
    does not match any in the Configuration, then the
    LoginContext uses the default Configuration entry,
    "other". If there is no Configuration entry for
    "other", then a LoginException is thrown.
    Throws:
    LoginException - if the specified name does not
    appear in the Configuration and there is no
    Configuration entry for "other", or if the
    auth.login.defaultCallbackHandler security property
    was set, but the implementation class could not be
    loaded.
    The or condition here could be ignored because you
    wouldnt be using CallbackHandlers or even if you are
    using them, you could ensure that the classes are
    'loadable'.The problem is, that LoginException is going to be called for anything that goes wrong inside a LoginContext. If there is an "other" LoginModule set, but it doesn't recognize my user's name and password, then it will throw a FailedLoginException. How is my code supposed to know that the user's name/password will never be accepted by that LoginModule?
    >
    2.
    An alternative would be to provide your own
    own implementation of the abstract class
    javax.security.auth.login.Configuration overriding
    the default implementation provided by Sun. Remember, this is a third-party webapp running in an appserver with other webapps from different providers. It has to use whatever Configuration is already there.
    This is
    the same technique if you wish to provide the login
    module information in any other location than a text
    file (as is required by the default implementation)
    You could then throw specific custom exceptions
    ons from your implementation code and choose to
    handle it in the manner you desire.Even if I could do that, which I can't, as I explained, I have to keep this SIMPLE for customers who might not be very knowledgeable in the more esoteric aspects of J2EE and Java.

  • Font Issue with Report Generation Toolkit for Microsoft Office

    I have been using this toolkit for only a few days now, but I just have to get this issue off my back. When developing a toolkit it would be a good idea to use the same cluster to represent fonts in ALL places. If you look at "Excel Set Graph Font" vs. "Excel Easy Table" they take two completely different clusters. Why? I don't know, but it is *very* annoying.
    How could something like this slip through the cracks? Is there some reason why there is this discrepancy? From my perspective as a software engineer I see no excuse, but maybe someone else can justify this oversight for me. I just hope that I don't find any more issues with the toolkit...
    Naveen.

    Naveen,
    what you said is true when dealing with same kind of objects, but in this circumstance, different cluster defines the font of a differnt object. For example, you may not want the user have as many options with defining the font for the X Y axis title as that for defining the text in the table. This is ture when you want your generated report to have similiar styles.
    But this is certainly something we will think about, thanks for your constructive suggestion,
    XD Gao
    Application Engineer
    National Instruments

  • Issue with reversal of MIRO for Planned Delivery Cost

    Hi Xperts
    We have found out an issue while reversing the MIRO document for Planned Del costs. When we have done the MIRO, the accounting entry got correctly posted with correct account keys.Conditions are not inventoried.
    However, when we had reversed it - the stock account got hit.Do not understand, why that happened.Do you have any clue?
    1. Suppose we have done the MIRO for Del Cost & then performed GR.Now Stock has already consumed & afterwards we have found that the MIRO for Del Cost is wrong & reverse - in this scenario shall the Stock account will get a hit????
    2. I have maintained Price Control "V" in Material Master.However, I have maintained a Standard Price by mistake.In that case shall SAP ignores the MAP & takes Standard Price into account & post PRD??
    Regards
    Soumick 

    Hi,
    Before checking Planned Delivery costs accounting documents in MIRO posting and MIRO cancellation document, 1st check how Planned Delivery costs designed for your procurement process.
    Use t.code:ME23N, check your Purchase order
    Option-1:
    Is Planned Delivery costs added to inventory account and at the same time Planned Delivery costs posted to Separate Planned Delivery costs G/L account.
    OR
    Option-2:
    Is Planned Delivery costs posted to Planned Delivery costs G/L account ONLY
    OR
    Option-3:
    Is Planned Delivery costs added to inventory account ONLY.
    Based the above one setting, system  will post goods receipt and invoice posting document with corresponding accounting entries. Also cancellation of invoice posting document refer to these setting.But account posting depends on price control available in material master.
    NOTE:
    Standard price procedure (price control “S”):The system carries out all stock postings at a price defined in the material master. Variances in price are posted to price difference accounts.
    Moving average price (price control “V”): The system valuates goods receipts with the purchase order price and goods issues with the current moving average price.Differences in price between the purchase order price and the invoice are posted directly to the relevant stock account if there is sufficient stock coverage.
    Regards,
    Biju K

  • Issue with Member Formula written for Balance Type

    Folks,
    I am facing an issue with a member formula written for a balance type dimension,
    The code says
    IIF( IsUda([Accounts].CurrentMember, "BalanceSheet"),
    CASE
    *WHEN IS([Time].currentmember,[YearTotal]) THEN MISSING*
    WHEN IsLevel([Time].CurrentMember, 0) THEN (BALTYPE.[EndOfPeriod])
    WHEN IS([Time].currentmember,[Q1]) THEN (BALTYPE.[EndOfPeriod],Time.[MAR])
    WHEN IS([Time].currentmember,[Q2]) THEN (BALTYPE.[EndOfPeriod],Time.[JUN])
    WHEN IS([Time].currentmember,[Q3]) THEN (BALTYPE.[EndOfPeriod],Time.[SEP])
    WHEN IS([Time].currentmember,[Q4]) THEN (BALTYPE.[EndOfPeriod],Time.[DEC])
    END
    ,MISSING)
    Outline Structure for Time dimension looks like below
    +Time
    --|+YearTotal
    ------|+Q1
    ----------|+Jan
    ----------|+Feb
    ----------|+Mar
    The highlighted Part of the code works good for all the Measures which is With the UDA tag BalanceSheet, Except if the Measure with BalanceSheet UDA is a Parent Member.
    Parent Level Measures are populated with Data(populating Dec Data) instead of showing #MISSING.
    Any help on this issue will be appreciated.
    Thanks
    Sathish

    Hello Gurus,
    I raised an SR with Oracle support and they have replied by saying that, In EPM 11.1.2.4, the IE11 is only supported for interactive reporting and we will have to use IE 10 & 9 for workspace.
    Yes. It works fine in IE 10 & 9.
    Thanks,
    Siva

  • Issue with Receiver SOAP adapter for synchronous scenario

    Hello All,
    We are facing a strange issue with the SOAP adapter in the interface we have setup. This is the 1st time we are using SOAP adapter in our system (PI 7.11 SP7). We are making a synchronous HTTP call to the web service exposed by another system in our landscape. The payload is send with SOAP envelope and there are no credentials to be maintained in PI settings.
    The issue is that we are always getting timeout exception in PI audit logs after sending the request (3 minutes - standard timeout value, no additional config for this). But target system has confirmed that they are sending the response back. We tested from our server OS level and have received the response back in the same screen (to verify there is no firewall/port issue in between the systems). But when tried from RWB, it is always giving the timeout exception and we are not able to see any other log.
    We have tried checking in the NWA logs as well after increasing the logging level to ALL for com.sap.aii.adapter.soap. But surprisingly, we didn't get any logs at all for the outgoing SOAP call or incoming response and hence we are unable to trace the issue.
    We have setup another synchronous inbound SOAP interface (PI exposing the webservice) and it is working fine. We are also able to trace the logs in both audit log and NWA logs.
    Is there anywhere else we can check for the logs? Audit logs is showing timeout error and we are not able to see anything in NWA logs.
    Does the target system need to maintain PI credentials in the header when they send the synchronous response back?
    Are there any specific settings which should be checked to enable the sync communication? (this should not be the case since the inbound interface is working fine)
    Please help.
    Thanks
    Justin

    Hi Amit,
    Thanks for the reply.
    Yes we had tested successfully via SOAP UI as well (forgot to mention that). We are getting back the expected response in SOAP UI without using any credentials. We got the same response when we tested it through OS commands from PI server.
    The WS is hosted by the target system and they haven't maintained any credentials at their end. So when PI is trying to access, we don't need to provide any credentials. My question is, whether the target system should keep any credentials to send the synchronous response back to PI (java stack). We have tried that as well but since there aren't any logs, we are unable to verify whether the credentials are coming correctly.
    The service interfaces are correct and PI configuration are OK. I will try the XPI inspector for logs as you have suggested.
    Thanks
    Justin

  • Display issue with LiveCycle Designer ES4 for cropped PDF in WIN7

    Hi,
    I am having issue displaying the cropped PDF file in the LiveCycle Designer ES4. The PDF files are cropped 3 inches from bottom using Adobe Acrobat 8 Professional. It used to display properly when we have a WinXP machine but once we moved to a Win7 machine, it cannot display the top part of the PDF anymore. Can anyone help on how to fix the display issue? Thanks.
    Kenny
    Environment:
    Adobe LiveCycle Designer ES4 V11.0.0.2013.0303.1.892433
    Adobe Acrobat 8.0.0
    Screenshots
    Win 7, LiveCycle Designer does not display properly
    Win XP, LiveCycle Designer used to display properly

    Thanks vNohria.
    I am having same issue with Adobe Acrobat 9. The Acrobat 9 cropped file is displaying properly under WinXP but have the same issue as above in Win7. This issue seems uncommon as I tried to look for similar issue  and couldn't find any.
    P.S. It's only the Design View in Win7 that has the issue, I can still see the file fine with Preview PDF in both enviornment.
    Design View:
    Preview PDF:

Maybe you are looking for