Logging (auditing) on Declarative Security

Hi everyone,
We are using Access Manager on a J2EE project to achieve AAA (Authentication, Authorization and Auditing). Using declarative security with the Policy Agent, we achieved Authentication and Authorization, but not Auditing.
The J2EE access verifications are not logged by the Policy Agent, or anywhere in Access Manager (or, at least, so it seems). Only the explicit AM policies are logged (URL Policies etc.). For instance, calls to isUserInRole, role membership checks and servlet security constraints, which are handled by the Agent Realm, are not logged by AM.
Is there a way to enable logging for the declarative/programmatic J2EE security?
Thank you very much.
Zica.

Actually, the Agent realm can log calls to isUserInRole and the user authentication, but you have to enable "message" level logs (it creates an amRealm file). The agent realm doesn't log that kind of information into the audit log.
The security constraint evaluations are executed inside the web/EJB container context, so the agent realm never knows about them. The containers usually only ask the realm for session or identity information. The implementation depends on each vendor.
Declarative security depends on the specific web application configuration, and nothing is configured or evaluated in Access Manager.
If you want to audit declarative J2EE security you have to find out what your container vendor offers to do it.
Hope it helps.
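Because the container makes these decisions and neither it nor the agent realm feeds them into the AM audit log, one container-independent way to get an audit trail is a servlet filter that records the authenticated principal, every programmatic isUserInRole outcome, and the final status of the request. This is an added example, not code from the thread or from Access Manager; the class name, the logger name and the log line format are assumptions, and it assumes a Servlet 2.4+ container on Java 5 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Application-level audit trail for J2EE security decisions that the
 * container makes but does not write to the Access Manager audit log.
 * Map it to the catch-all URL pattern in web.xml. A request denied outright
 * by a security-constraint never reaches any filter, so those denials still
 * have to come from the container's own access log (401/403 entries).
 */
public class DeclarativeSecurityAuditFilter implements Filter {

    // Hypothetical logger name; route it to a dedicated audit file in
    // logging.properties (or the container's equivalent).
    private static final Logger AUDIT = Logger.getLogger("j2ee.security.audit");

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        AuditedRequest areq = new AuditedRequest(http);
        AuditedResponse ares = new AuditedResponse((HttpServletResponse) res);
        String user = nameOf(http.getUserPrincipal());

        // Reaching a filter means the declarative constraint (if any) passed.
        AUDIT.info("ACCESS user=" + user + " method=" + http.getMethod()
                + " uri=" + http.getRequestURI() + " remote=" + http.getRemoteAddr());
        try {
            chain.doFilter(areq, ares);
        } finally {
            // Role checks made downstream are counted by the wrapper; the
            // captured status shows whether the application itself denied access.
            AUDIT.info("RESULT user=" + user + " uri=" + http.getRequestURI()
                    + " status=" + ares.status + " roleChecks=" + areq.roleChecks);
        }
    }

    static String nameOf(Principal p) {
        return p == null ? "<anonymous>" : p.getName();
    }

    /** Logs every programmatic isUserInRole call together with its outcome. */
    static class AuditedRequest extends HttpServletRequestWrapper {
        int roleChecks;

        AuditedRequest(HttpServletRequest r) { super(r); }

        public boolean isUserInRole(String role) {
            boolean allowed = super.isUserInRole(role);
            roleChecks++;
            AUDIT.info("ROLECHECK user=" + nameOf(getUserPrincipal()) + " role=" + role
                    + " result=" + (allowed ? "GRANTED" : "DENIED")
                    + " uri=" + getRequestURI());
            return allowed;
        }
    }

    /** Captures the status code so a 401/403 raised by the application is recorded. */
    static class AuditedResponse extends HttpServletResponseWrapper {
        int status = HttpServletResponse.SC_OK;

        AuditedResponse(HttpServletResponse r) { super(r); }

        public void setStatus(int sc) { status = sc; super.setStatus(sc); }

        public void sendError(int sc) throws IOException { status = sc; super.sendError(sc); }

        public void sendError(int sc, String msg) throws IOException {
            status = sc;
            super.sendError(sc, msg);
        }
    }
}
```

The ROLECHECK lines are the equivalent of the amRealm "message" level entries mentioned above, but written from inside the application so they do not depend on the agent realm or the container vendor.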

Similar Messages

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM have generated 4 alerts Data Access Service is unable to log audit events to the security event log.
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    how to resolve this alert? (Where look for to obtain more information to resolve this problem)
    Thanks in advance!

    Local system account is different to local service account. For a detailed description of these accounts, please refer to
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    Generate security audits which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group policy, determines which accounts can be used by a process to add entries to the security log. This user right
    is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) open services.msc
    2) From the System Center Data Access Service, you can see the SDK "Log on as" account
    Roger

  • Error during JNDI lookup Accessing Remote EJB (access to web service restricted using declarative security model)

    Hello everyone,
    I developed a Web Service prototype accessing a remote EJB using the EJB control with special syntax in the jndi-name attribute: @jws:ejb home-jndi-name="t3://10.10.245.70:7131/AccountDelegatorEJB"
    Everything works fine, but I get an error when I restrict access to my web service with a declarative security model by implementing the steps provided in the help doc:
    - Define the web resource you wish to protect
    - Define which security role is required to access the web resource
    - Define which users are granted the required security role
    - Configure WebLogic Server security for my web service (Compatibility Security/Users)
    I launch the service by entering the address in a web browser. When prompted to accept the digital certificate, I click Yes; when prompted for network authentication information, I enter username and password, navigate to the Test Form tab of Test View, invoke the method by clicking the button and I get the following exception:
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for name:t3://10.10.245.70:7131/AccountDelegatorEJB]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for name:t3://10.10.245.70:7131/AccountDelegatorEJB]
    at weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:278)
    at weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext.java:220)
    at weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)
    at ibas.AccountControl.getTransactionHistory(AccountControl.ctrl)
    at ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
    </detail>
    </error>
    I have a simple Hello method as well in my WebService (which is also restricted) and it works fine, but remote EJB access doesn't. I tested my prototype on WebLogic 7.2 and 8.1 platforms - same result.
    Is that a bug or am I missing some additional configuration in order to get that working? Has anyone seen similar behavior? Is there a known resolution? Or a suggested way to work around the problem?
    Thank you.
    Andre

    Andre,
    It would be best if this issue is handled as an Eval Support case. Please
    BEA Customer Support at http://support.beasys.com along with the required
    files, and request that an Eval support case be created for this issue.
    Thanks
    Raj Alagumalai
    WebLogic Workshop Support
    "Andre Shergin" <[email protected]> wrote in message
    news:[email protected]...
    Anurag,
    I removed "t3", still get an error but a different one (Unable to create InitialContext:null):
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to create InitialContext:null]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI lookup from jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to create InitialContext:null]
    at weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:278)
    at weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext.java:220)
    at weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)
    at ibas.AccountControl.getTransactionHistory(AccountControl.ctrl)
    at ibas.GetVisaHistoryTransactions.getVisaHistoryTxn(GetVisaHistoryTransactions.jws:67) </jwErrorDetail>
    </detail>
    </error>
    Note: inter-domain communication is configured properly. The Web Service to remote EJB works fine without declarative security.
    Any other ideas?
    Thank you for your help.
    Andre
    "Anurag" <[email protected]> wrote in message
    news:[email protected]...
    Andre,
    It seems you are using the URL
    jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB
    whereas you should not be specifying the "t3:" protocol.
    The URL should be like
    jndi://secuser1:[email protected]:7131/AccountDelegatorEJB
    Please do let me know if you see any issues with this.
    Note that this will only allow you to access remote EJBs in the same WLS
    domain. For accessing EJBs on another domain, you need to configure
    inter-domain communication by
    following a few simple steps as mentioned at
    http://e-docs.bea.com/wls/docs81/ConsoleHelp/jta.html#1106135. This link has
    been provided in the EJB Control Workshop documentation.
    Regards,
    Anurag
    "Andre Shergin" <[email protected]> wrote in message
    news:[email protected]...
    Raj,
    I tried that before, it didn't help. I got a similar error message:
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup failed for name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI lookup from jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup failed for name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB]
    at weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:278)
    at weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext.java:220)
    at weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)
    at ibas.AccountControl.getTransactionHistory(AccountControl.ctrl)
    at ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
    </detail>
    </error>
    Anything else I should try?
    P.S. AccountDelegatorEJB, the remote EJB my Web Service calls, is NOT access restricted.
    I hope there is a solution.
    Thanks,
    Andre
    "Raj Alagumalai" <[email protected]> wrote in message
    news:[email protected]...
    Andre,
    Can you try using the following url with username and password
    jndi://username:password@host:7001/my.resource.jndi.object ?
    Once you add webapp level security, the authenticated user is the user who invokes the EJB.
    http://e-docs.bea.com/workshop/docs81/doc/en/workshop/guide/controls/ejb/conCreatingANewEJBControl.html?skipReload=true
    has more info on using remote EJBs.
    Hope this helps.
    Thanks
    Raj Alagumalai
    WebLogic Workshop Support

  • Https through load balancer breaks declarative security

    Hello,
    My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.
    I need someone to please confirm/deny the following statements:
    1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).
    2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programmatic means to get the authenticated user identity described in the ejb and servlet specs will still work.
    3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.
    After a whole lot of testing and digging up for info, I'm quite desperate to solve this question, so if someone could help me I would be most thankful.
    Nuno

    After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the vlan and zone. Using these links as my references in case anyone is interested. I'll post what I come up with.
    https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
    https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
    http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
    http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual Network Device

  • Do I need to add new users under sun-web for declarative security to work?

    Hello,
    Do I need to add a <principal-name> element under sun-web.xml whenever a new user registers on my website? I am planning to use declarative security for my website, so I went ahead and created a custom realm that uses JDBC to get users information from MySQL. To do a simple test I added a new user under a new group that does not have a mapping under sun-web.xml. However, web.xml has the needed security-constraint and security-role elements that define the role and the protected resources. The problem is that when I deploy the application under SJSAS PE9 I get the following warning: "No Principals mapped to Role [jdev]". Does that mean I have to add each and every user to sun-web.xml for the declarative security to work?

    Good question. I am having the same problem with my LDAP realm. Funny thing is that the exact same approach worked fine and dandy with Sun AS 8. Sounds to me like something broke under AS 9 ...

  • Declarative Security, Authorization and SSL

    Hi all, I'm trying to find the most elegant and simple way to restrict access to my web content and I'd like to have your opinion on how to make it better or how other solve similar tasks.
    The situation is:
    My web-site (Tomcat 5.5/JBoss) has 50% of pages with access restricted by declarative security in deployment descriptor.
    I use web container authorization (BASIC or FORM-based).
    Many of my prospective web-clients have old PCs with old web-browsers, so I consider usage of SSL everywhere is not a good idea. Neither is DIGEST authentication.
    Therefore, I want to secure with SSL only the stage of authorization. I realize that in this case the restricted content is not secure, but the information is not confidential. Only user's login and password are.
    How should I do that?
    The problem is that the web container intercepts the request to the restricted content and tries to authorize the client via BASIC or FORM methods, but they are not secure, as the page where interception happens may be accessed not via SSL! And, therefore, all authorization interaction with the client is not encrypted too.
    I found an ugly trick - in FORM-based authentication I changed the action of my login form to "https://j_security_check" - this ensures that login/password are sent via an encrypted channel, but upon successful authentication Tomcat brings you back not to the page originally requested: "http://mypage.jsp", but to "httpS://mypage.jsp"!!! I.e. it does not switch back from SSL to an unencrypted connection. In order to avoid this I can assign a special servlet filter to all pages with the restricted, but unencrypted contents, so that this filter will change httpS to http, but this is quite an ugly way, isn't it?
    Can you share some better ideas how to organize this?
    I just don't want to write my own security system while we have one already.

    Hello,
    I use Tomcat 5.5.4 or 5.5.6 - not sure, home and work... or the other way around.
    Yes you would need to - perhaps it's time to use a header include? They are useful for this kind of thing. Anyway, it does not seem to be flawless; have you tested it on a couple of your pages?
    In my test setup I:
    (1) attempt to access a restricted resource as an unauthenticated user with http
    (2) get redirected to login page which tests for https i.e. isSecure() and redirects to itself with https if test fails
    (3) i login and get redirected to the resource which tests for http and redirects to itself using http if test fails.
    In theory it's straightforward... but the redirects that are caused by failed protocol tests don't always 'succeed'; I get left with a blank screen! Of course when omitting these tests everything works dandy. Still, hitting refresh a couple times then brings up the page (login or resource) that is expected... which leads me to believe authentication is not failing nor is the attempt to invalidate the session. I say this as I read somewhere that some balls-up causes the browser to get stuck in the j_security_check servlet (or something like that) but I can't remember what causes this. Perhaps you've also read this and can refresh my memory.
    Best regards,
    D

  • I logged 3 times wrong security question. please help me

    I logged 3 times wrong security question. please help me

    Hey annamyle91,
    Thanks for the question. If you are having issues with the security questions associated with your Apple ID, follow these steps:
    If you forgot the answers to your Apple ID security questions
    http://support.apple.com/kb/HT6170
    Reset your security questions
    1. Go to My Apple ID (appleid.apple.com).
    2. Select “Manage your Apple ID” and sign in.
    3. Select “Password and Security” on the left side of the page.
    4. If you have only one security question, you can change the question and answer now.
    5. If you have more than one security question:
              - Select “Send reset security info email to [your rescue email address].” If you don't see this link or don't have access to your rescue address, contact Apple Support as described in the next section.
              - Your rescue address will receive a reset email from Apple. Follow its instructions to reset your security questions and set up new questions and answers.
    Didn't receive the email?
    After resetting your security questions, consider turning on two-step verification. With two-step verification, you don't need security questions to secure your account or verify your identity.
    If you can't reset your security questions
    Contact Apple Support in either of these circumstances:
              - You don't see the link to send a reset email, which means you don't have a rescue address.
              - You see the link to send a reset email, but you don't have access to email at the rescue address.
    A temporary support PIN isn't usually required, but Apple may ask you to generate a PIN if your identity needs to be verified.
    Thanks,
    Matt M.

  • Error during netlist generation and log audit trail error

    I am not able to run the simulation application on my Multisim 10. The two following errors were generated every time I try to run the simulation:
    Error: log /Audit Trail, C: \document~1\xxx: Permission denied
    Error during netlist generation, C:\document~1\xxx: Permision denied
    Can anybody help me fix this problem that makes it impossible for me to use the Multisim 10 simulation tool?

    There are two KBs I would like for you to see, since they might have the answer to the problem you are having:
    1. This KB is related to having access to the TEMP directories where Multisim stores temp files for simulation:
    http://digital.ni.com/public.nsf/allkb/15526EB2464F3EDD8625722C00696BB0
    2. This other KB deals with non-Administrator users of Windows, it talks about v9 but the idea is the same for v10, just look for the v10 installation paths:
    http://digital.ni.com/public.nsf/allkb/0DF597C217A235BE862571FB004F24BD
    Nestor
    National Instruments

  • Facing Problem with Declarative Security

    There is a J2EE Security related issue on the web and enterprise layer of my project. This project uses the Struts framework for the web tier and EJBs for the enterprise layer.
    Declarative Security is used through web.xml and ejb-jar.xml. We have created roles and groups and mapped users to them. We are reading this information from the property file (IAP).
    The User Principal object is retrieved properly for the first time, when invoked from the ActionHandler (LoginAction.java). For all subsequent calls, this information is returned as null.
    We want to know how the web and EJB container picks up the user credentials using declarative security management for subsequent calls after authentication? If this information is picked from the session, then what is the variable used to store user credentials in the session?

    the repos may have even been down at that time.
    just try again later.
    it should work fine.

  • Why is there no little lock on my screen when logging in to a secure site?

    When logging in to sites secured with https there should appear a little lock in the right-hand corner of my screen.
    This is not happening.
    How come ?
    What can I do ?

    The padlock has been replaced by the site identity button, for details on using it see https://support.mozilla.com/kb/Site+Identity+Button
    If you want to add a padlock icon to the location bar, you can use the Padlock add-on - https://addons.mozilla.org/firefox/addon/padlock-icon/

  • Can programmatic security work without declarative security?

    Hi,
    I have the case where there is no declarative security in the deployment descriptor and where the User Agent spontaneously provides credentials (through the Authorization header). Can the getUserPrincipal method return "null" in this case? In the javadoc for that method there is no constraint that the user should be authenticated.
    The use-case is an implementation of WebDAV ACLs. Those can be expressed in terms of "unauthenticated". This means that depending on the requested resource a method may require authentication or not. Declarative security doesn't work in this case, because then authentication would always be required.
    When an ACL requires authentication, the implementation returns the status code 401 itself.
    Regards,
    Werner.

    VersaLink 7500 User Guide.pdf
    Having taken a quick look see in the  User Guide, it seems the 7500 is WPA capable; there's one way to find out for certain.
    Message Edited by bamboo on 09-16-2008 05:16 AM

  • I'm in Afghanistan with limited internet options. I have a wifi service plan I am signed up for however, a log in and password are required via browser log in, not a security key attached to the wifi. Please help...

    I'm in Afghanistan with limited internet options. I have a wifi service plan I am signed up for however, a log in and password are required via browser log in, not a security key attached to the wifi (like a hotel). Please help...

    the appletv will not be able to work on its own
    you can use a computer or iphone acting in the role of hotspot login using its browser and getting internet access and then sharing it with the appletv
    so the appletv sees it as a wifi router it connects to

  • Need details of people logged on when the Security audit log was deactive

    Respected Gurus,
    Security audit log was deactivated, i have activated it recently in sm19.
    Now, i should get the details of people logged on when the audit log was deactivated.
    What are the possibilities of Security audit being deactivated?
    Regards,
    Daya.

    Dear Alex,
    Please let me know how to check in ST03N.
    Further, how to retrieve user logon data which is not recorded in the audit files.
    Edited by: Dayananadan Anandan on Nov 12, 2009 10:03 AM

  • HFM Security Access Edit Logs - Audit

    I have been asked by our internal audit group to provide logs of when users access within HFM have been edited (i.e. added, changed roles, added to groups, etc.). Is there anyone else that has received this request, and more importantly how have you met this request (logs in the system, etc)?
    The only way I have been able to track this is offline via spreadsheets.
    Any/all advice is appreciated.
    Thanks.
    LJ
    Edited by: user8357096 on Mar 23, 2010 7:28 AM

    I have had a couple clients ask for something like this. At least now with user provisioning you can get reports of what the security was, like a snapshot. Then compare it to another time. But this will only tell you part of the story. If you are using groups for example, it's possible a user gets added to one group then removed. You would not have access to that change in HFM, it would keep no record of it.
    I would recommend taking an extract and report and archiving them to reference.

  • Portal ESS use log / audit / control

    Hi all.
    Is there any way to have a log of all the changes the user does on their own personal data?? A registry for each change of familiar data, bank information... Any change done through the ESS...
    Do you know anything about that??

    Can't find the way to use them accurately...
    Security Audit seems to fit more to my goal, but far from it yet.
    I need to find something I can show to the user like:
    User: ess001
    Change: Name = Roberw => Robert
    The Security Audit seems very technical and shows the RFCs called, but not the content modified or anything like that...
    Is what I want possible?? Does anything like what I need exist??
    Thanks.
