Logout after authentication via j_security_check
how is it possible to logout (clear user perticipals) after logging in using j_security_check?
yes, session invalidation is possible, I'm handling it right now that way, but sessions holds much more than a principle - and on session invalidation, the other information get lost, too.
that's why I'm looking for the solution just to remove user principles out of a session. is it possible at all?!
I know, it maybe quicker to write own session handling than of waiting for the answers, but anyway ;)
Similar Messages
-
Problem getting an LDAPContext after authenticating via Kerberos
Hi,
I am trying to create a Java program that can query an Active Directory server using the currenlty logged in Windows user's credentials to authenticate via LDAP.
I am getting the following error in my output when trying to create the LdapContext object.
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
The full output is as follows
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is [email protected]
Commit Succeeded
Subject:
Principal: [email protected]
Private Credential: Ticket (hex) =
0000: 61 82 03 BC 30 82 03 B8 A0 03 02 01 05 A1 0A 1B a...0...........
<REMOVED>4 8A 8C BE 6B FD 65 5D 2F .R..t#@d...k.e]/
Client Principal = [email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C0 62 F6 3F 5C 29 F4 7B C1 FC AB A0 77 D1 E7 E0 .b.?\)......w...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Thu Jun 18 17:29:27 BST 2009
Start Time = Thu Jun 18 17:29:27 BST 2009
End Time = Fri Jun 19 03:29:27 BST 2009
Renew Till = Thu Jun 25 17:29:27 BST 2009
Client Addresses Null
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.thalesgroup.planit.ldap.LDAPAction.performLDAPOperation(Main.java:87)
at com.thalesgroup.planit.ldap.LDAPAction.run(Main.java:66)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.thalesgroup.planit.ldap.Main.main(Main.java:46)
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate I am running this using the following VM arguments
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
Finally my jaas config file is as follows
fsta {
com.sun.security.auth.module.Krb5LoginModule required
debug=true client=false useTicketCache=true;
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};I am running this locally on the AD server (running Windows Server 2003).
Does anybody know how I can get rid of the exception and create an authenticated LdapContext?
Any suggestions would be greatly appreciated.
Thanks
GraemeMy java source is as follows (its a modified example I found online)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;
public class Main {
public static void main(String[] args) {
java.util.Properties p = new java.util.Properties(System.getProperties());
p.setProperty("java.security.krb5.realm", "fsta.com");
p.setProperty("java.security.krb5.kdc", "192.168.1.10");
p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
System.setProperties(p);
// 1. Log in (to Kerberos)
LoginContext lc = null;
try {
lc = new LoginContext("fsta", new TextCallbackHandler());
// Attempt authentication
lc.login();
} catch (LoginException le) {
System.err.println("Authentication attempt failed" + le);
System.exit(-1);
Subject subject = lc.getSubject();
System.out.println(subject.toString());
// 2. Perform JNDI work as logged in subject
Subject.doAs(subject, new LDAPAction(args));
// 3. Perform LDAP Action
* The application must supply a PrivilegedAction that is to be run
* inside a Subject.doAs() or Subject.doAsPrivileged().
class LDAPAction implements java.security.PrivilegedAction {
private String[] args;
private static String[] sAttrIDs;
private static String sUserAccount = new String("Administrator");
public LDAPAction(String[] origArgs) {
this.args = origArgs.clone();
public Object run() {
performLDAPOperation(args);
return null;
private static void performLDAPOperation(String[] args) {
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
// Must use fully qualified hostname
env.put(Context.PROVIDER_URL, "ldap://192.168.1.10:389");
// Request the use of the "GSSAPI" SASL mechanism
// Authenticate by using already established Kerberos credentials
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
// env.put("javax.security.sasl.server.authentication", "true");
try {
/* Create initial context */
DirContext ctx = new InitialDirContext(env);
/* Get the attributes requested */
//Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the attributes to return
String returnedAtts[]={"sn","givenName","mail"};
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(mail=*))";
//Specify the Base for the search
String searchBase = "DC=fsta,DC=com";
//initialize counter to total the results
int totalResults = 0;
// Search for objects using the filter
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
//Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult)answer.next();
totalResults++;
System.out.println(">>>" + sr.getName());
// Print out some of the attributes, catch the exception if the attributes have no values
Attributes attrs = sr.getAttributes();
if (attrs != null) {
try {
System.out.println(" surname: " + attrs.get("sn").get());
System.out.println(" firstname: " + attrs.get("givenName").get());
System.out.println(" mail: " + attrs.get("mail").get());
catch (NullPointerException e) {
System.err.println("Error listing attributes: " + e);
System.out.println("RABOTIII");
System.out.println("Total results: " + totalResults);
ctx.close();
} catch (NamingException e) {
e.printStackTrace();
}Edited by: GraemeK on Jun 18, 2009 11:56 AM -
How to pass back Subject do Client app after authentication via identity assertion
I have developed an Identity Assertion Provider based on
SampleIdentityAsserterProviderImpl provided by BEA.
It seams that all works fine, but I don't now how to pass back authenticated
Subject to client application in order to call methods runAs(Subject,
PrivillegedAction). I have tried build Subject from
connection.getInputStream() but when I use Subject constructed in that way I
have received an error:
lava.lang.SecurityException: Invalid Subject: principals=[user, usergroup1,
usergroup1]
Thanks in advance for any suggestions.
Jerzy NawrotHi,
as per the below comment.
We want to change this and do this dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly(like customers with different languages, client systems etc). This is the 1st part .
You have to use different scanrios to be set in XCM like (customer specific to language, and client), and that to be passed in
Where language specifications should maintained in XCM settings only. also to be noted that Product catalog for those should also maintain in that specific language.
"/init.do?scenario=value2;
The 2nd part leading this scenario is after the portal user successfully lands into ISA application, if the user needs to go back to the WDP java screen, would the JSP based ISA application be able to navigate back to the original WD Java iView Screen. ? or would it open in a new window ? (probably this can be set to be launched in same window)
I am not sure, but if you go back to WD from ISA , ISA Session will die.
Let me know if you have any further queries.
Regards,
Devender V -
J_security_check not redirecting after authentication - in one environment
Hi all,
I have a J2EE web application developed in JDeveloper 10.1.3 which uses JAAS security with a custom authentication provider class. I can configure this is both a windows and unix based OC4J. The windows OC4J is stand alone, the unix one is part of a managed instance (OPMN).
When I deploy to windows, attempts to access a protected resource cause the authentication to fire off perfectly and redirect to the appropriate url after login is successful. Absolutely no problems.
When I deploy to unix with the same configuration, the authentication fires off perfectly but after authentication the redirect attempts to go to Base URL/j_security_check which results in a 404 not found as j_security_check is a logical name and not a real url.
I have tried setting the ocfj.formauth.redirect flag in the oc4j startup options and this did not seen to help. I still got the 404 error.
Can anyone advise me on whether there are any switches or parameters I need to set for the j_security_check redirection to work correctly, or is there something else I need to do in a unix (Solaris) environment to cause the redirections to work?
thanks for any suggestions
BenHi,
you are always seeing the j_security_check in the URL. It seems that this problem is OC4J rekated and I suggest to post the question on the Application Server or the J2EE forum here on OTN
Frank -
Hi,
I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating that case are as on following screenshots:
So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
Looking in ISE's Authentication section I can see following:
Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?Hi,
-- Please Go to Administration > Logging > set the Message level to TRACE > Click save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging >
check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information -
ISE Wired guest portal redirect even after authentication
Hi
I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
Here is what I see on the interface
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)Hi Mohannad,
Thanks for your response.
Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
We need to find out why the next Auth policy is not hitting once user is authenticated.
Here is the port configuration and the authen status of the port.
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success -
Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2
Help!
After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
I have included a picture that describes my problem exactly:
Does anyone have this problem? Can anyone help me?
Thanks!The thing you and many others forget is that these forums are for those with problems. Those for whom the installs works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were an unique fault, this would mean a small fraction of the installed base.
According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So lets go for one months sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, its still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit its not Apples finest hour, but its certainly not bad for the overwhelming majority.
Perhaps you could apply to be an Apple tester, to help solve this issue ? Its better than standing on the sidelines complaining about everyone elses work for certain.
Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality. -
How to avoid weblogic changing of the sessionid after authentication
Hi all,
I would like to know if there is a way to avoid weblogic changing the session after having called j_security_check and thus after having been authenticated.
I would like to use the same session before and after the authentication process.
Is it possible? Is there any configuration option?
Thanks in advance,
Riccardook, then:
you need to make sure that while your doing this the system (R/3) is locked for users...if this isn't possible do it on the most calm moment (like the weekend or public holiday)...
if you are at this moment :
run the v/3 update job for appl 12. (empty update queue)
run the delta ip twice (empty delta queue and repeat)
before you import you can use program RMCSBWCC to check for any table not yet empty...
all R/3 structures are empty now. You can import your modifications. Your delta will continue with any problem...
However, the delta will not pick up the history of the new fields, of course...
if you need the history for the new fields, there you need to do a full init...or start with all kind of extra dso and so on...this topic has been discussed many times on the forum, you can find many posts on it
M. -
Accessing j_username after authentication
Using Weblogic Server 8.1, I am authenticating a user with FORM based authentication.
Posting j_username and j_password to j_security_check.
Is there a way to access the j_username variable after authentication? After
the user is authenticated, I need a unique identifier to match that user to his/her
data in another database. Is there anything in the request/response headers or
in the session?
Jay"Jay Wright" <[email protected]> wrote in message
news:3f81ebc0$[email protected]..
>
>
Using Weblogic Server 8.1, I am authenticating a user with FORM basedauthentication.
Posting j_username and j_password to j_security_check.
Is there a way to access the j_username variable after authentication?After
the user is authenticated, I need a unique identifier to match that userto his/her
data in another database. Is there anything in the request/responseheaders or
in the session?
I would ask in the weblogic.developer.interest.servlet newsgroup. -
'Contacts' folder with sub folder cannot be removed after synching via iTunes
'Contacts' folder with sub folder cannot be removed after synching via iTunes
I am trying to remove a 'Contacts' subfolder
ie Contacts < default folder
- Contacts Mysubfolder 1 < Trying to remove this subfolder folder
via my microsoft outlook onto my iPhone.
Despite not having 'Contacts Mysubfolder 1' on my PC's outlook after deleting it, it does not delete the subfolder in my iPhone.
I even restored my iPhone settings to the original via iTunes.
I also replaced my physical iPhone but still synching with my original Apple ID + iTunes on the same desktop.
All I did was after replacement of my iP, i setup my microsoft Exchange account, and there it was, the Contacts subfolder which is no longer around, appears on my iPhone contacts folder list.
My outlook is on Microsoft exchange and I am on iP 3Gs
Please help
Thank youFor general advice see Troubleshooting issues with iTunes for Windows updates.
The steps in the second box are a guide to removing everything related to iTunes and then rebuilding it which is often a good starting point unless the symptoms indicate a more specific approach. Review the other boxes and the list of support documents further down the page in case one of them applies.
Your library should be unaffected by these steps but there is backup and recovery advice elsewhere in the user tip.
If you are running 64-bit Windows and the above steps haven't helped try installing the version of iTunes that can be downloaded from this support document. iTunes 12.1 for Windows (64-bit — for older video cards)
If you still have no luck try reinstalling iTunes 12.0, links in the user tip.
tt2 -
I have downloaded After Effects via the creative cloud, however it still asks me for a serial number, and I cannot log in to the licencing site.
Please helpJodie84,
I have just checked your account and found that you indeed have bought a Creative Cloud for Teams subscription but you have assigned the single seat to another user hence you ( If you are using your own Adobe ID ) are getting the trial error message.
Two options : Either reassign the seat to your self or add an additional seat and invite your self in the same Team.
Cheers,
Kartikay Sharma -
iphone 4s not getting detected in macbook after connecting via usb cable, also photos taken in iPhone not showing in macbook pro
Thanks. I realises that i will hv to go to iphoto to see the photo. Its now working !!!!!
-
Authentication via weblogic security realm
My servlet needs to access a session bean. The action in the session bean requires
that a user has been authorized, i.e. at some point the session been calls
String name = d_ctx.getCallerPrincipal().getName()
This name may not be null at this time.
What I would like to have is that the user executing the URL gets authenticated
by my server realm 'myrealm' and that the associated prinicpal gets passed to
the session bean. Is this possible. If so, how can the user pass along the username
and password as this query is executed programmatically?
markus
http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message
news:[email protected]..
Could you send me the complete URL of these example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message
39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic.We
have an example of getting the client side certificate from inside of
WebLogic in our documentation.
This does not require for SSL to be used from the Web server to
WebLogic.
>>
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message
news:[email protected]..
I have read through the docs and haven't found anything that would
address
the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
the back end application server (obviously). I have the need to use 2way
SSL authentication. As I understand it the following applies:
Client (browser) has a certificate as does the web server. Theyauthenticate
each other.
Now, the web server and weblogic need to communicate. WebLogic, in our
environment does authentication via the security realm.
What do I have to do to get the the web server (Apache or IPlanet) to
communicate the client's certificate to WebLogic so the WebLogic canperform
the authentication?
Does the communication between the web server and WebLogic also need
to
be
SSL?
Thanks
Bob Simonoff -
Hi All,
Just a basic question regarding MAC based authenitcation of AP with ACS.
The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.
My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
When working in a LAN I know its possible, but how will it work over the WAN.
Pls. suggest ASAP.
Thanks in Advance.
Regards
HarishHarish:
As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.
CAPWAP RFC metniones that you can do AP authorization by two ways:
- with certificates
- with PSK.
The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.
2.4.4.4. PSK Usage
When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
contain the "PSK identity hint" field and the ClientKeyExchange
message MUST contain the "PSK identity" field. These fields are used
to help the WTP select the appropriate PSK for use with the AC, and
then indicate to the AC which key is being used. When PSKs are
provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
the key MUST be specified.
The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints
and identities be the ASCII HEX-formatted MAC addresses of the
respective devices, since each pairwise combination of WTP and AC
SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be
sufficient to perform authorization, as simply having knowledge of a
PSK does not necessarily imply authorization.
If a single PSK is being used for multiple devices on a CAPWAP
network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
longer be a MAC address, so appropriate hints and identities SHOULD
be selected to identify the group of devices to which the PSK is
provisioned
you may spend more time reading the CAPWAP RFC if you are interested
CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
Hope this answers your concern.
Amjad -
802.1x wired authentication via PEAP, MD5
Hi everyone,
Thank you for taking the time for reading this, I am implementing a security solution and wanted to take th benefit of implementing 802.1x over wire. I have been searching a bit but no much info from start to finish on how to implementing this solution,
i would really appreciate if someone could point me some where to find detailed instruction on how to do this, as so far i have been configuring in multiple way bit no result out of it. Still a orange port color on my switch, that means the first
hop of security work but the next no.
Thank you in advance to read this.Hi,
According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
Some articles and just for your reference:
802.1X Authenticated Wired Access Overview
https://technet.microsoft.com/en-us/library/hh831831.aspx
802.1X Authenticated Wired Access Design Guide
https://technet.microsoft.com/library/dd378864(WS.10).aspx
IEEE 802.1X Wired Authentication
https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Maybe you are looking for
-
How can I change the email address for my photosmart 5520 ?
Hi , I have a photosmart 5520 and tried to set up an email address for my printer when I installed the printer. At the time. the HP site was down for maintanence and I have a very long an complicated email address now that I will never ever remember
-
HT1379 Help! can´t get 2560 resolution in dell 2711 on macbook pro retina late 2013, only 1920...
can´t get 2560 resolution in dell 2711 on macbook pro retina late 2013, only 1920...i have the apple thunderbolt to dvi adapter and the dual dvi cable... thanks for any help
-
Property inspector not showing classes
Though the page is linked to a style sheet, and also has css in the head, when I try and find styles to apply to new text none appear either in the html or css subpanels. Classes only appear if I put the cursor in previously styled text. Page is at:
-
I am considering a Time capsule but .....
I have an Airport Express connected to my Sky (Netgear) router and set it up as a separate network and (as this gives me the best coverage) I use this to connect to the internet. I also have a Linksys WRT-54GL which I use as a booster. Reception is
-
ORACLE 10G - NOT ABLE TO CONNECT THRU EM
HI , I NEED HELP FROM ORACLE EXPERTS PLEASE , I HAVE INSTALLED ORA10G. FROM COMMAND LEVEL I CAN CONNECT AS SYSDBA . BUT FROM ENTERPRISE MGR I GET ERROR SQLException Listener refused the connection with the following error: ORA-12514, TNS:listener doe