OAM : Which identity server is used by Password Policy?

Hi,
The OAM setup has two identity servers (ois1, ois2), two webpass (wp1, wp2) on two web servers. wp1 is pointing to ois1 only and wp2 is pointing to ois2.
We have two sets of Policy manager, Access server and WebGate. wg1 is pointing to aaa1 and wg2 is pointing to aaa2.
Now, when a user tries to access an OAM WebGate-protected page and the password policy gets applied, does the identity server come into the picture? If yes, which identity server is used here, ois1 or ois2?
I want to use ois1 for all the requests coming to webserver with wg1. How do I do it?
Thanks in advance.

Hi Colin,
Thanks for your reply.
The reason I put this question was - in a scenario when I don't have Access Server (any access component), then also Password Policies work. So, I understand identity server is used here. When we have access side components, what makes OAM not to use identity server at all? Or is it the feature of OAM - when the accessed resource is protected by WebGate the Password policies are taken care of by Access Server, otherwise by identity server, or is it because of the 'obReadPasswdMode' and 'obWritePasswdMode' in the authentication scheme?
I stopped my identity server and I saw the password policy working - so I know the behavior; still asking the above question for my better understanding of OAM.
Thanks for your help!

Similar Messages

  • Which web server is used for openHAB2?

    I've recently set up IDE for openHAB2 and built it successfully.
    openHAB dashboard & paper UI are web application.
    But I can't find any web server settings in openHAB project.
    Which web server is used for them?
    Is it possible to add java servlet for my custom REST service?

    This is probably rather a question for the openHAB 2 mailing list. But to answer: Jetty is used in openHAB 2 as you can see here https://github.com/openhab/openhab2/blob/master/products/org.openhab.product.runtime/org.openhab.runtime.product.product#L57.
    And yes, you can certainly add custom REST endpoints. You should do this as it is done with the default REST endpoints like https://github.com/eclipse/smarthome/blob/master/bundles/io/org.eclipse.smarthome.io.rest.core/src/main/java/org/eclipse/smarthome/io/rest/core/binding/BindingResource.java.
    Regards,
    Kai

  • How to detect which http server is used ?

    Hello
    I need a simple method to determine which http server is used on an existing APEX installation, amongst the 3 possible methods.
    Thanx

    In most cases it's the URL that hints at what is behind the scenes.
    If you see /pls/apex, in all probability it's Oracle HTTP Server with ModPLSQL.
    If you see <host>:8080, then chances are it's EPG or OC4J.
    If you see some other port, but not /pls/apex, then chances are it's ApexListener.
    A more accurate way is to run the command below from within Apex, either an application or SQLWorkshop:
    select owa_util.GET_CGI_ENV('SERVER_SOFTWARE') from dual;
    EPG returns Oracle Embedded PL/SQL Gateway/10.2.0.1.0 on XE.
    Apex-Listener returns Mod-Apex.
    Regards,
    Edited by: Prabodh on Aug 19, 2010 5:48 PM

  • Which mail server is used in a webapp?

    Hi all,
    I have a Webapp where the users can send an email
    to me including the parameters of a form
    ( <form action="mailto:[email protected])....>
    <input type="hidden" name="param1" value="xx"/>
    Now depending on which mail client the user has on his machine the resulting email differs, sometimes the parameters as 1 attachment, sometimes xx attachments.
    So I want to implement it with javamail-api.
    MY question: I have to tell the API the name of the mailserver. How can I know what mail-server the user uses? Or are all these emails processed through my own mail-server?
    Please help me to understand it. Thanks a lot in advance,
    Peter

    Hey ho.
    You have to hardcode the mail servers in your code to point to the mail server you use (= your ISP's server) or host (= your own mailserver). All the mails are then processed through that specified server.

  • AD and using the password policy of the AD

    Hi,
    We are using the 8.1.1.p5 and gateways (not connector based) adapter based AD
    Today, when you reset a password, the domain account used in the gateway overrides the password policy and lets you set any password.
    Is there a way to implement the AD (or other resource) password policy when resetting passwords from IdM?
    I.e. basically we don't want the user to be able to reuse the N latest passwords.

    Hi,
    You are correct. This will not work if password is changed in AD. If the password policy is set in AD to not take n passwords, then it will give exception in IDM when you try to give the same password again.
    Another alternative is to check the exception that is coming and check if it is for password in history, then you can ask the user to set the password again.
    Regards
    Arjun

  • I am playing Online and I am getting Communicate server and use ur password

    I am able to play on my iPhone but not on my iPad. It is asking for a password. When I put in my password it is coming "communicate server". I do not know what to do.

    Contact whoever runs whatever site it is you're having problems with.

  • Using Identity Server as a JAAS authentication provider

    My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
    The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
    The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
    The example of how to do LDAP authentication using Identity Server requires using some Identity Server classes, i.e. the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependence in their application on Identity Server.
    Is a Java class available which provides this functionality?
    Thanks

    In Apache you can specify the authentication parameters in the virtual host configuration

  • How does Mail decide which outgoing SMTP server to use?

    I have Mail setup with two accounts - one for home use and one for work.  Each has its own outgoing SMTP server.  My question: how does mail decide which outgoing server to use?  I don't want to mix work and home stuff.
    Specifically, what happens in these three scenarios?
    1) I compose a new mail.  Does it always use the first account's outgoing SMTP server or does Mail look at the recipient's domain and base its decision on that?
    2) I reply to a work email.  Is Mail smart enough to look at my domain or the sender's to know to use the work outgoing SMTP server?
    3) I reply to home email.  Is Mail smart enough to look at my domain or the sender's to know to use the home outgoing SMTP server?
    Any information is much appreciated.
    Tom

    Hi Juergen,
    Thanks for the suggestion - I had to "Customize" the viewable header to include the "From:" ("Von:") line to see who I was sending as.  As far as the "use this SMTP only" checkbox is concerned - they're checked on both my accounts - so I'm not sure how much of an impact that has.  To be honest, I thought this checkbox was meant to limit your outgoing mail (for that account) to this mail server only.  I thought that if it was not checked, Mail will try to send the mail via another SMTP server if the one for this account is not reachable.....after all, why else would Apple allow you to check both servers' "use this SMTP only" checkbox?
    But this is good enough for me - now I can see who I'm sending as.
    Thanks,
    tom

  • Linux and Solaris Clients with password policy using LDAP

    Anybody managed to get Linux (RHEL) and Solaris 9 Client authenticate against Sun Directory Server 5.2p4 using the same password policy?
    For me it looks like Linux needs attribute shadowlastchanged set to display proper Warnings, that the password will expire/needs to be changed now. On the other hand Solaris (using pam_ldap) never writes this attribute, because it's using the password policy attribute pwdchangedtime.
    Hints very welcome!
    Can anybody confirm Solaris 9 pam_unix still sets these shadow* attributes correctly on any password change executed by a user?

    Hi Jeremy,
    here are the answers to your questions:
    >My question is which system takes precedence over the password policy?
    Unfortunately there is no policy verification between the portal and your Sun One LDAP. So if you reset the password from the portal then only the portal password policies can be checked.
    >  If I wanted to do password resets from the Portal, does the portal then store only the password in its database?
    No, the password will be stored in the LDAP, but only if it also corresponds with the LDAP policies. If not, then you will get an error, but you will not see the real LDAP exception.
    > Also what would then happen if you tried to reset the password from the LDAP?
    The password in the LDAP does not have to fit the Portal password policies. When you log in, the portal will only check if the password you typed in is the new one in LDAP and will not check any policies.
    Hope this brings some light in,
    Robert

  • Using class of service to manage password policy

    We implemented password policy on our old DS across the board, which entailed finding all of the special administrative accounts used by software and setting an expiration date at the end of the epoch. I was wondering if a smarter way to do this is to create a class of service template for normal and special accounts and tie those into our user accounts. Has anyone done this?
    Thanks.

    Sun DS 5.2 supposedly has support for the latest LDAP password policy internet draft which allows you to explicitly setup password policy on a subtree or user basis. It uses roles and class of service under the covers. I would use that instead of rolling your own.

  • OAM 11G Weblogic Server Not listening

    I have installed few things including OAM, OAAM, entitlement server etc using the 11G installation suite. (on windows 2003 server)
    Also I have installed the weblogic server (forget the version, should 11 something).
    I have created the weblogic domains for OAM
    I have done RCU with no error message, tables created.
    There seems to be no error during the installation. I ironed the steps that there are no more warning and error message.
    I started the weblogic server. It goes to the point of a "STARTED" state, not a RUNNING state. And the Windows console stays still.
    When I try to access admin console 7001 weblogic. Seems that the server is not listening, I cannot access to the user interface.
    Meanwhile there are no error messages or exceptions I can trace while the weblogic server is not working.
    Personally I do not feel the weblogic server is not listening because of the memory leak.
    When I observe the Windows task manager, I see a memory leak: the memory of the server increases steadily even when weblogic is not working. After half an hour, it throws an out of memory exception. I tried to play with the heap size of java to 1024G, but no help. The problem is it is leaking; no matter how much memory I allocate there will be a problem.
    Can anyone tell me is there some steps I am missing? or is there known bugs? Or what else I can do to troubleshoot this?
    I can provide you all the versions of the software I am using, after two weeks, since the lab will be down for renovation purposes.
    Thanks
    Eric

    Eric,
    try to install JRockit Mission control to grab more details of what is going wrong there.
    link:
    http://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/releases/R27/install/install.html
    and
    http://www.oracle.com/technetwork/middleware/jrockit/downloads/index.html
    I hope this helps,
    Thiago Leoncio.

  • Which CAS server user connects

    How to check which CAS server did user (outlook) hit among the group of CAS servers (Exchange 2013 CU3) behind F5 load balancer
    SAH

    Hi Shaik ,
    In my environment we are also using F5 load balancers. If I wanted to check which user is connecting to which CAS server then I need to contact the person who is handling the F5 device.
    Like you, I also searched for the same query six months ago. Finally, what I found is given below.
    Basically we can use the netstat commands to find out the client connectivity to the CAS servers. If we run the commands on the CAS server, we will not get the client IP address in the netstat output; instead we will get the IP address of the F5 device.
    But on the F5 device we are able to see which client is connecting to which CAS server by using some commands.
    Thanks & Regards S.Nithyanandham

  • Does URL Policy Agent of SunONE Web Server 6.1 work with Identity Server 6

    Hi,
    I'm using URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure policy to access web resource such as http://myweb.org.cn/test/*
    After configuration, I try to access the resource http://myweb.org.cn/test/test.html
    The redirection is ok, the IS login appears, but after logging in successfully, it still tells me that I don't have permission to view this web page.
    Is this because the URL policy agent doesn't support IS 6.1?
    Many thanks,

    Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2

  • Is it best practice to use account lockout policy

    Windows Server 2008 r2 (will be moving to 2012 r2)
    since implementing account lockout policy two days ago, we've been bombarded by calls to unlock accounts. and after a few minutes, same users get their accounts locked again.
    my question, since we are already using strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? keeping in mind the above flood of calls.

    > since implementing account lockout policy two days ago, we've been bombarded by calls to unlock accounts. and after a few minutes, same users get their accounts locked again.
    > my question, since we are already using strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? keeping in mind the above flood of calls.
    Account lockout is generally considered unnecessary if you have implemented a very strong password complexity/history policy.
    There are many discussions on the topic of password/passphrase "strength", and it's important to consider the various factors involved, and how they affect your organisation's view of "security".
    I would say that 8 chars is not very strong. You should also consider if password aging/expiry is a useful control at all.
    Since this forum is related to Group Policy, and password/security is really quite a separate topic, you should consider the DS forum or the security forum, or separate research or consulting services, to get a broad understanding of the things to consider for your particular requirements/scenario.
    Other considerations include any security standards which can be useful reading to understand the nature of the topic (e.g. PCI DSS, HIPAA, FIPS, etc)
    Don

  • Password policy support RedHat openldap client

    I am using Directory Server 5.2 patch4 for a naming service for about 250 servers which are mostly Solaris 8 & 9 clients. But I also have some RedHat 2.1, 3.0, 4.0, HP-UX 11, and AIX 5 clients. Does anyone know if and how I can use the password policy I have created in the Directory Server to work with non-solaris clients?
    Mike

    I believe that most of pam_ldap modules on these machines understand the Sun DS password policy controls.
