Option A, 2 PE pair per Provider, Redundancy

Hi All,
Requesting suggestions for the following scenario: let's say we have 2 service providers (SP) offering MPLS VPNs through Option A (Back to Back VRF).
These SPs are connecting through two PE/ASBRs each, like SP A's PE_A1 and PE_A2, and SP B's PE_B1 and PE_B2.
PE_A1 is connected to PE_B1 and PE_A2 is connected to PE_B2; this configuration is to offer PE redundancy.
I am thinking of having HSRP between these different PEs. But I reckon there has to be a better way to do this.
Any suggestions?
Thanks
Cheers
~sultan

Hi Sultan,
You seem to like challenges and thrilling changes ;-)
Well,
I guess what might also be interesting to you: "MPLS VPN - Inter-AS Option AB"
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_ias_optab.html
With this option you have VRF back-to-back, but only 1 MP-BGP session between ASBRs.
Generally, potential issues are similar to a normal PE-CE situation:
- protection from too many routes
- scalability in general
- PE security
- There was something I saw about BGP router-ID being the same for different VRFs and issues arising from this, but can neither remember the details nor find the reference.
Hope this helps!
Regards,
Martin

Similar Messages

  • _FIX_CONTROL - which option suitable for me as per note Note 830576

    My Oracle Version is 10.2.0.4.0 and as per note Note 830576 - Parameter recommendations for Oracle 10g which one of the option is more suitable for me
    _FIX_CONTROL
      '4728348:OFF' (10.2.0.2 without fix 5397482 from Note 981875,
                    refer to Notes 964858 and 997889)
      '5705630:ON' (10.2.0.2 with fix 5705630 from Note 981875
                    or 10.2.0.4 or higher)
      '5765456:7'   (>= 10.2.0.4)
      '6221403:ON'  (10.2.0.4 or higher, Note 1165319)
      '6440977:ON' (10.2.0.2 with fix 6440977 from Note 981875
                    or 10.2.0.4 or higher)
      '6626018:ON' (10.2.0.2 with fix 6626018 from Note 981875
                    or 10.2.0.4 or higher)
      '6660162:ON' (10.2.0.2 with fix 6660162 from Note 981875)
      '6972291:ON'  (10.2.0.4 or higher, Note 1165319)

    Hello Vijay,
    if you are using Oracle 10gR2 Patchset 4 (10.2.0.4.0)
    '5705630:ON' (10.2.0.2 with fix 5705630 from Note 981875 or 10.2.0.4 or higher)
    '5765456:7' (>= 10.2.0.4)
    '6221403:ON' (10.2.0.4 or higher, Note 1165319)
    '6440977:ON' (10.2.0.2 with fix 6440977 from Note 981875 or 10.2.0.4 or higher)
    '6626018:ON' (10.2.0.2 with fix 6626018 from Note 981875 or 10.2.0.4 or higher)
    '6972291:ON' (10.2.0.4 or higher, Note 1165319)
    Regards
    Stefan

  • Exchange 2010 DAG's - 4 Mailbox Servers in 2 Datacenters with per site redundancy

    I recently came into a company with an Exchange 2010 sp1 environment where there are two data centers in two different subnets (10.70.62.0 and 10.80.56.0)
    Each datacenter has 2 mailbox servers (4 servers total) but their plan was to have only enough storage space to host 1/2 of the databases on each server. So instead of server 1, 2, and 3 being copies of each other, ServerA is a copy of ServerA and ServerB is a copy of ServerB
    Server - Databases
    Site1mbA - Primary Database copy 1-10
    Site1mbB - Primary Database copy 11-20
    Site2mbA - Secondary Database copy 1-10
    Site2mbB - Secondary Database copy 11-20
    Normally if there were enough storage space I would keep a copy on each server and replicate within 1 DAG.
    However since not all the databases are on each member server do I need to use 2 DAGS? 1st for Site1mbA & Site2mbA and 2nd for Site1mbB & Site2mbB
    I feel I would need the 2 DAG's because with 1 DAG if Site1mbA server went offline the DAG couldn't switch to the Failover Cluster IP for Site2 because there are still active mailboxes in Site1 on Site1mbB.
    Does that make any sense or am I over complicating it?
    Thanks!

    There is no rule that every server in a DAG must have a copy of every Database. You could do this with one DAG, but if the WAN goes down then the DAG will be active in only a single site not both.
    http://technet.microsoft.com/en-us/library/dd979781(v=exchg.141).aspx#FourTwo
    As illustrated in the previous example, using a single four-member DAG extended across two datacenters can provide high availability and site resilience for the mailbox services and data. However, if a WAN outage occurs, only the primary datacenter retains service because it contains the majority of the voters. The datacenter with the minority of voters loses majority, and the DAG members in that datacenter lose quorum and go offline.
    To deploy highly available Mailbox servers in a multiple datacenter environment, where each datacenter is actively serving a local user population, we recommend that you deploy multiple DAGs, where each DAG has a majority of voters in a different datacenter, as illustrated in the following figure.
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog: http://blogs.technet.com/rmilne
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • 2 x Cisco 4400 series WLC to provide redundancy

    Hi all,
    can any one point me in the direction of some resources so that I can get a better understanding of configuring 2 4400's in a redundancy group?
    I've got experience with the HP wireless module kits in a redundancy group, any one know whether the cisco stuff works in the same sort of way??
    Mario

    Here are a few docs that should help.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008064a294.shtml
    http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60mobil.html

  • No option to set search provider after updating Lu...

    Hi there, I have updated my Lumia to Win 7.8 and I have all new features but one is missing: the option to set Google as search provider in Internet Explorer. I can't restore my phone to try to install the update once again due to an error 801812E0. Any idea how to get Internet Explorer sorted?

    For WP8, it should be available under IE, Settings > Advanced settings > Default search provider. Don't know if you have the same options. Best to check with the guys who just updated their phone to 7.8. Meanwhile, for the error code 801812E0:
    The reason for this error is that a previously installed software update is no longer compatible with your phone. In order to keep your phone working correctly, the restore function was disabled.
    For more info: see here

  • Titles: more than 2 lines per screen in 'Centred Multiple' option?

    Hi,
    Just a quickie. I want to create an opening Title sequence to my movie but the 'centred multiple' option only allows 2 lines per page/screen, and none of the other options fits the bill.
    Is there a (preferably freeware) plug-in that allows me to do this?
    PowerBook G4 17 1.67 gHz 512Mb/100Gb   Mac OS X (10.4.3)  

    Hello Arcadian:
    Our own Lennart Thelander has a great "freeware" download for Centered Titles. I don't know for sure that it will do all that you want, but it's a great plug-in.
    LT iMovie Titles.sit
    http://www.berga.nu/Lennart_T/imovie/index.html
    Otherwise, you could use Scrolling Block... Make your titles and when the scroll gets centered in the page, pause it and go to Edit / Create Still Frame and then drag that down for your centered title. You can even change the length by going to "show info".
    Sue

  • Best way of making redundant AFP/SMB server

    We have bought two XServe G5 systems in the hope of setting up a load balanced pair that would provide redundant access to AFP/SMB file shares (plus web and email). We have an XServe RAID box which we where going to attach to both servers.
    What have people done to get the redundancy we want. These are the options I have looked at:
    1) Put XSan on the RAID and connect both servers to it and then reshare the connection. Reading about XSan I see that XSan is not good for re-sharing via AFP/SMB. Also, it seems that I would have to set up everything on each machine separately as the settings are stored locally.
    2) Split the jobs between the two servers, say email/web on one and AFP/SMB on the other. Then set up IP Failover for each server to the other, so that if one server fails the other takes over its jobs. I presume I cannot simply use a single volume for this as mounting the same volume on each of the servers will cause problems. Is that correct?
    3) Put all the services on one machine and setup IP failover to fall back to the second machine as required. This removes the issue of two machines accessing the RAID array at the same time.
    Any advice would be greatly accepted.
    Thanks
    Ian
    iMac CoreDuo   Mac OS X (10.4.6)  

    This may help:
    About IP Failover
    First off, the IP Failover feature won't magically configure the backup server to do what the primary one was doing. In other words, with one server configured for file services and the other for web and email services, if the file server failed, the other one wouldn't just start up file services by itself!
    IP Failover is best used where one server is configured exactly as another. One server is used, and the backup server is not used until the first one fails. The backup server has a separate IP address and network connection that it uses to periodically poll the main server. If the main server leaves the network, then the backup server enables a second Ethernet interface which has been configured with the main server's IP address. (You may be able to multi-home one Ethernet connection, but I haven't tried that. Plus, each of your Xserves has two Ethernet ports, so that shouldn't be a problem.)
    Yes, but you are not getting good value for money out of that solution.
    Looking at the IP Failover, it seems to work by having the secondary server monitor the primary. Once it fails, it activates that address on the secondary and then enables the required services on there. This doesn't seem to preclude each server being the master for the other's secondary, as long as the services on each master are different.
    Let's say mail runs on server 1 and AFP runs on server 2. Server 2 acts as the secondary for server 1 and has a script that activates mail on server 2 when it detects failure. Similarly, if server 2 fails it will migrate the IP address to server 1 and then start up the AFP service. Obviously each will have to be configured with matching services on each server.
    Using the Xserve RAID
    If you plan on storing all of your data on the Xserve RAID, you need to know how "full" the RAID unit is going to be and how many RAID volumes you wish to create so that you can decide on how to connect it to each server.
    As we're migrating from an existing server to these we have a very good idea of what the sizes and volumes should be. We have an Xserve RAID with four disks all on one side, set up as a RAID 5 array that has sufficient space for all our services. We can either partition that down into multiple volumes for each server/service.
    What I don't have my mind around yet is how you control which server sees which volumes. We have to have each server be able to access each volume (so it can run that service in the event of failure) but I think it's going to be an issue to have two servers access the same volume at once. Is that correct? If two servers access the same volume at the same time it's going to cause trouble?
    Think of the Xserve RAID as two devices: each one has a fibre-channel port and holds seven hard drives. Each "group of seven" can be connected to any other device on the fibre-channel network. Without a fibre-channel switch, you can connect one or two other devices (one or two other Xserves) to the Xserve RAID.
    So you have these scenarios:
    Using 1-7 drives and creating one large RAID volume: you'll use one of two RAID controllers on your Xserve RAID. You can connect the RAID to only one Xserve or to a fibre-channel switch in order to connect it to more devices.
    Using 2-7 drives and creating two RAID volumes: you'll use both RAID controllers (say, 3 on one side and 3 on the other). Each RAID controller connects to another fibre-channel device; thus, without a switch, you can connect one to each server or both to the same one.
    Using 8 to 14 drives and creating one large RAID volume: you'll be filling up one RAID controller and all or part of the second, connecting both fibre-channel connectors to the same Xserve, unless you use a switch.
    Using 8 to 14 drives and creating two RAID volumes: you have the same options as with 2-7 drives.
    See http://www.apple.com/xserve/raid/deployment.html for some pictures, which may help.
    We have the fibre switch so each server can access all drives. I just don't know to limit what sees what, or if I need to do that.
    Xsan
    If you're just connecting the Xserve RAID to one or two servers and planning to reshare the volume(s) created on the Xserve RAID, then Xsan is not necessary, nor should it be used.
    But is it possible for two servers to use the same disk, I know it is with XSan but what about without it.
    I think what you want is the ability to use the Xserve RAID as a locally-connected volume on each server, where share points can be defined. The server is connected to the Xserve RAID using a fibre-channel cable, just as a FireWire, USB, or eSATA hard drive would be connected to the server. As far as the server is concerned, the Xserve RAID controller or controllers represent external hard disks. The difference is that the Xserve RAID also has Ethernet connectivity so that you can manage it without having to log into your server. Once connected, addressing using fibre-channel is automatic; the Xserve RAID gets a WWPN address and the RAID volume appears on the desktop of the server - no Xsan required at all. From there, it's perfectly safe to create share points and share them via AFP or SMB; clients would connect using AFP or SMB protocols with IP addressing over an Ethernet network to which both the Xserve and the client computers are connected. Even though the Xserve RAID may also have an Ethernet connection to that network, no read and write commands are sent via Ethernet to the RAID; the server sends those via its fibre-channel connection to the Xserve RAID as it would with any other drive when housing share points.
    As I say it's fine for one machine at a time, what about 2.
    For load balancing concerns, see Apple's File Services Guide for recommendations. On an Xserve G5 with 2GB or more of memory, you should easily accommodate 50 simultaneously connected users (mixture of AFP and SMB) without a performance hit. Depending on what your users are doing (and the speed of the Ethernet network to which your clients and Xserve are connected), you may be able to handle more or less users. More RAM in the Xserve and a Gigabit Ethernet network for the server and clients would allow you to simultaneously balance more clients with less of a reduction in performance.
    Xsan works differently, and its requirements are somewhat different. With Xsan, your Xserve RAID is connected to a fibre-channel network. (In the previous direct-to-server example, the fibre-channel network consisted of just the Xserve and the Xserve RAID.) In this network, all clients, at least one Xserve, and the Xserve RAID are all connected via a fibre-channel network. The Xserve has Xsan software installed on it and becomes a dedicated metadata controller. Clients must have special Xsan client software installed for the SAN volumes to appear. In such cases, the protocol used to mount the SAN volumes is the Xsan client protocol, not AFP or SMB.
    Although you technically can reshare an Xsan volume via AFP or SMB, performance would take a hit. Since the Xsan volume is writeable by all other clients on the fibre-channel network, adding an Xserve to reshare the SAN volume via AFP or SMB would allow clients to connect via Ethernet (Wi-Fi, etc.), but the server wouldn't have exclusive access to the SAN volume.
    To be honest, two Xserves and an Xserve RAID simply aren't enough to warrant a SAN in my book. Typically SANs are used where there are a large number of "done servers" doing computation tasks, and they all need to be able to have access to the same "local volume." They're also used in cases where clients need access to large amounts of storage set up to work like a "local disk" on a few video production computers.
    Just for comparison, Gigabit Ethernet offers throughput bursts of up to 125MB/s (megabytes per second), and Fibre Channel offers bursts of up to 200MB/s. (Apple's 400MB/s claim only somewhat makes sense if you're using both Xserve RAID controllers connected to the same server.) Even so, both media sustain around 50MB/s to 75MB/s, which is quite good. In fact, that matches local disk performance. The local serial ATA hard disks that are used in Power Mac G5 models are serial ATA 1.5Gb/s (gigaBITS per second) or 187.5MB/s at maximum bursts; I typically see performance in the 40MB/s to 50MB/s range.
    Just for fun, here are throughput speeds of several common connectors, in megabytes per second:
    Serial ATA "3.0": bursts up to 375MB/s, sustains about 75MB/s
    LVD SCSI 320: bursts up to 320MB/s, sustains about 100MB/s
    Fibre Channel: bursts up to 200MB/s, sustains about 60MB/s
    Serial ATA "1.5": bursts up to 187.5 MB/s, sustains about 50MB/s
    SCSI-3 LVD SCSI 160: bursts up to 160MB/s, sustains about 60MB/s
    Ultra ATA/133 (PATA): bursts up to 133MB/s, sustains about 50MB/s
    Gigabit Ethernet: bursts up to 125MB/s, sustains about 50MB/s
    FireWire 800: bursts up to 100MB/s, sustains about 50MB/s
    ATA/66 (PATA): bursts up to 66MB/s, sustains about 40MB/s
    USB 2.0: bursts up to 60MB/s, sustains about 30MB/s
    FireWire 400: bursts up to 50MB/s, sustains about 20MB/s
    10/100 "Fast" Ethernet: bursts up to 12.5MB/s
    Judging by your request, I think the "no Xsan" scenario is the one you want.
    --Gerrit
    I would love to take XSan out of the picture and if that means that I can only use one of the servers at a time then fine I can live with that, but, I would rather have both active and working for me even if I have to split the services between the systems.

  • MultiValue Parameters as Optional in SSRS[Using SharePointList as DataSource]

    I have four parameters in my SSRS report which uses SharePoint List as data Source. And I want to make all the four parameters as optional. i.e if the user provides one parameter value and if he/she doesn't provide any other parameter value then the report
    should still execute with results filtering on the value passed by one parameter only. 
    Please let me know if there is any solution to achieve this in SSRS. I can't use SQL in any Case.
    Thanks in advance.

    Hi SQL_Query,
    Per my understanding, you have four parameters and the filter should only filter based on the parameters which have chosen values and ignore the blank parameters, right?
    If you don't want to use any CAML queries and your parameters are not multiple value parameters, please refer to the detailed information below (here I will use two parameters for an example):
    The "Available values" for all the parameters should be "none" and please specify the "Default Values" for all the parameters, select the "Allow Blank Values":
    Modify the filter and use the expression as below to filter the report:
    =Switch(Parameters!ProductID.Value="" or Parameters!ProductName.Value="", Fields!CarMakes.Value=Parameters!ProductID.Value or Fields!CarModel.Value=Parameters!ProductName.Value, Parameters!ProductID.Value<>"" and Parameters!ProductName.Value<>"", Fields!CarMakes.Value=Parameters!ProductID.Value and Fields!CarModel.Value=Parameters!ProductName.Value)
    If all the parameters you are using are multiple value parameters, it will be hard to achieve this without using the query.
    Regards,
    Vicky Liu
    TechNet Community Support

  • Data centre connectivity options

    Hello
    I am currently investigating a dual data centre design running
    in active/active mode. The data centres will each have connectivity to
    our WAN (MPLS) and to the Internet. They will have also have dedicated
    links to each other for site replication etc.
    Having read a few of the Cisco SRND's what i am still a little unclear
    about is whether it is better to connect the two data centres over the
    dedicated link using layer 2 or layer 3 and what the pros and cons are of
    each. I would appreciate any experiences (good and bad) that people have had
    in this area.
    My instinct is to go layer 3 eliminating a potential spanning tree issue
    that could affect both data centres but i am sure there are more issues
    than this to take into account.
    Many thanks

    I have redundant data centers and they have been set up as follows for specific reasons:
    (These data centers are not separated by a WAN; if they were, a T3 or better would be required in my case, but I'd opt for a metro fiber type of solution to provide GB+.)
    Using the 3-layer hierarchical network design: core, distribution, access.
    1) The core is L3/routed; we do not want an L2/switched core for a few reasons. One is to alleviate STP and its inherent problems.
    (The core should be moving packets as fast and predictably as possible; STP can interrupt this and cause complete packet forwarding delay or worse. With today's routers, they can route packets just as fast as switching them, or faster in some cases.)
    2) The distribution layer is switched with fully meshed GB or greater trunks to both of the cores. It also provides redundant intra-VLAN routing for all the VLANs controlled in their specific 'distribution blocks'; I have 5 fully redundant distribution blocks with VLAN routing and VLAN load balancing via HSRP.
    (I channel up to 6 GB trunks in a given link.)
    3) The access layer is switched with fully meshed GB or greater trunks to at least two distribution switches per access switch; one trunk to each core, at least.
    (There is no routing performed at the access layer.)
    Other reasons such as the routing operation, location and number of distribution switches, administration and speed affect the design.
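    As an added illustration of the "VLAN load balancing via HSRP" mentioned in the post above (example configuration written for this page, not taken from the thread or from the poster's network): two distribution switches each back up the other's VLAN gateway, a different switch is preferred for each VLAN so client traffic is split across both, MD5 authentication keeps a stray device from joining the HSRP group, and uplink tracking makes a switch that loses its core link give up the active role. VLAN numbers, addresses, interface names and key strings are constructed placeholders.

```cisco
! Added example, not from the thread: HSRPv2 gateways for two VLANs on a
! redundant pair of distribution switches. Switch 1 is preferred for VLAN 10,
! switch 2 for VLAN 20, so client traffic is split across both switches while
! each VLAN keeps a backup gateway. Addresses, VLANs, interface names and
! key strings are constructed placeholders.

! ===== Distribution switch 1
! Track the uplink to the core; if it drops, the HSRP priority is lowered
! by 30 (110 -> 80, below the peer's 90) so the peer takes over.
track 1 interface GigabitEthernet1/1 line-protocol
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string <constructed-key-vlan10>
 standby 10 track 1 decrement 30
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 90
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string <constructed-key-vlan20>
 standby 20 track 1 decrement 30

! ===== Distribution switch 2 (mirror image: priorities swapped)
track 1 interface GigabitEthernet1/1 line-protocol
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 90
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string <constructed-key-vlan10>
 standby 10 track 1 decrement 30
!
interface Vlan20
 ip address 10.10.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string <constructed-key-vlan20>
 standby 20 track 1 decrement 30
```

    Hosts in VLAN 10 use 10.10.10.1 and hosts in VLAN 20 use 10.10.20.1 as their gateway; which physical switch answers for each address is visible with `show standby brief`. The preempt delay stops a rebooting switch from reclaiming the active role before its own uplinks and routing have converged, and the same key string must be set on both peers for a given group.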

  • WLC geographical redundancy

    Hello,
    There are two "central" locations each one having one satellite or spoke site. Let's have:
    - zone A and its spoke_zone A1
    - zone E and its spoke_zone E1.
    Both region A and region E have a similar deployment scenarios:
    - 1 x 5508 WLC
    - several LWAPs in the existing network (local network).
    - FlexConnect for other several LWAPs for the spoke zones A for the A1 and E for the E1.
    I'm thinking how can I achieve a backup solution for all these 4 sites:
    - A1 and E1 can achieve it through FlexConnect and one mode only: local switching & local authentication.
    - what about A and E regions? How can I bring some backup WLC solution here? I know of Mobility Groups, still I don't think it helps too much as I have only L3 connectivity between A and E region through MPLS.
    What if I try and get L2 connectivity in between using some solutions like "poor-man's EoMPLS" like L2TP v3, I will be able to connect one VLAN pair, will this be enough ?
    - what else can I do in case of WLC breakdown in either of the two regions (A or E)?
    Thanks in advance!

    During these days, here is some advice I received:
    Traditionally, utilizing Backup Controllers was the main way to provide redundancy for a WLC failure. For Zone A, you could just select the Wireless LAN Controller at Zone E, and assign that as the Secondary Controller for each AP as desired. You can set the Primary and Secondary controllers for the AP on the controller via the GUI or the CLI. With Backup Controllers, in the case of a WLC failure APs would begin to search for their Secondary Controller and re-establish their CAPWAP tunnel. The obvious downside to this is the outage that occurs from the client perspective while the AP drops its tunnel and begins to build it again to the Secondary Controller.
    In response to the need for a somewhat better failover scenario, Cisco brought out High Availability in WLC firmware 7.3. In this scenario, you purchase a second WLC and license it specifically to serve as a standby. You place it adjacent to your existing WLC, and it shares an IP address and session/Config/AP information with the main controller. Now in the event of a WLC failure, the failover from the AP perspective is intended to be transparent.
    Now, because of budgeting I can't think of an HA solution, so I would go for the Backup Controllers, especially now when there are two primary zones only.
    Except that I myself thought of another solution:
    - what if both zone A and E have all LWAPs configured using FlexConnect mode with local switching and authentication? I mean all LWAPs both the APs next to the WLC and also the LWAPs on A1 or E1 zones.
    This will result in having only FlexConnect mode APs and of course some features less available, still for the redundancy point of view what do you think of this?
    You think would be better or worse than "Backup Controllers" solution?
    P.S. the L3 connection between A and E is provided with 150ms or less.

  • Need some direction on FW Redundancy and opening ports

    I would appreciate any advice on the current ways of connecting 2 firewalls directly for redundancy and also the best practice for allowing data through the firewall. Do firewalls have a stacking technology similar to StackWise or FlexStack? I need to allow specific ports through my network into another private network. Although this won't be connected to the Internet, the same type of security as if it were is important. Sorry if this is a generic question, but what methods would be best for allowing data to and from through my network firewall? I would greatly appreciate any sample configurations (I don't plan on configuring zones) or documentation on the current way of allowing these functions. Thanks for your help!

    Hi,
    There are 2 different options to my knowledge to have firewall redundancy with Cisco firewalls.
    The most common one is Active/Standby Failover which you have 2 identical (hardware & software) Cisco firewalls connected by a Failover link. One of the the firewalls is the Active unit and handles traffic while the other unit is Standby monitoring the state of the Active device (and vice versa). When the Active unit fails the Standby unit will take the Active role.
    Another option is Active/Active, which basically means that you would be running multiple virtual firewalls inside the actual hardware firewall. Some virtual firewalls would be Active on hardware unit 1 and some virtual firewalls would be Active on hardware unit 2. Hence the term Active/Active: both firewalls would be handling traffic.
    ASA 9.0 Configuration Guide section on Failover
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_overview.html
    The second and new option is Cluster setup where you essentially combine multiple identical firewalls together. This is a subject though that I have not gotten to test myself so my knowledge is very limited. Though to my understanding this is available only with high end ASA5585-X units so it might not be an option for most.
    ASA 9.0 Configuration Guide section on Cluster
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html
    So most likely you will be using Active/Standby Failover with 2 identical Cisco firewalls.
    Their configuration format compared to a standalone firewall doesn't differ much.
    You will configure a "standby" IP address also on the ASA that will be the IP address that the Standby unit uses
    You will configure the actual Failover interface
    You will configure general Failover related settings
    You can tune the Failover settings and define which interfaces are monitored (and can affect the Failover) and set some other additional parameters
    So there is not that much to configure compared to the standalone Cisco firewall setup.
    Your post seems to indicate that this firewall or firewall pair would be used for Internal network usage. I mean a firewall between 2 LAN/DMZ networks. This would in turn mean that unless you specifically need NAT between these network segments, you could actually leave the NAT configuration of the firewall completely blank and only configure the Routing&Firewalling related settings.
    How you would configure access between the 2 different network segments would naturally depend on your own setup.
    From what I understood from your above post it would seem to me that you should configure ACLs on both interfaces connected to their own network segments. These ACLs would be configured in Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in the manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked.
    I am not really sure what kind of example configuration we could give you as we don't really know what the whole setup is going to be.
    Hope this helps
    - Jouni
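    To make the four configuration steps listed in the answer above concrete, here is an added example of an ASA Active/Standby pair sitting between two internal segments with no NAT and least-privilege ACLs (example configuration written for this page; it is not Jouni's configuration and not from the Cisco guide linked above). Interface names, addresses, object names, ports and the shared secret are constructed placeholders, and the service ports shown are illustrative.

```cisco
! Added example, not from the thread: ASA Active/Standby failover between
! two internal segments ("inside" and "partner"), no NAT, inbound ACLs on
! both interfaces that permit only the required flows. Every name, address,
! port and key below is a constructed placeholder.

! --- Step 1: each data interface gets an active address plus a standby
!     address; the Standby unit answers on the standby address, so both
!     units stay reachable for management and monitoring.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif partner
 security-level 50
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
 no shutdown
!
! --- Step 2: dedicated failover link (no nameif); here the state link
!     shares the same physical interface.
interface GigabitEthernet0/3
 description Failover and state link to the peer unit
 no shutdown
!
! --- Step 3: general failover settings on the primary unit. The secondary
!     unit gets the same lines with "failover lan unit secondary".
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! The failover/state link carries connection state and configuration
! replication, so protect it with a shared key.
failover key <constructed-shared-secret>
!
! --- Step 4: tuning. Monitor the data interfaces so losing one triggers a
!     switchover, and shorten the interface poll/hold timers.
monitor-interface inside
monitor-interface partner
failover polltime interface 1 holdtime 5
!
! Enable failover last, after the peer is cabled and configured.
failover
!
! --- Inbound ACLs: permit only the needed source/destination/port tuples,
!     log everything else that is dropped. No NAT is configured, so the
!     firewall simply routes between the two segments.
object network client-net
 subnet 10.10.0.0 255.255.255.0
object network app-server
 host 10.20.0.50
!
access-list INSIDE_IN extended permit tcp object client-net object app-server eq 443
access-list INSIDE_IN extended permit tcp object client-net object app-server eq 1433
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
access-list PARTNER_IN extended permit tcp object app-server object client-net eq 514
access-list PARTNER_IN extended deny ip any any log
access-group PARTNER_IN in interface partner
```

    `show failover` on either unit reports which one is Active and whether the monitored interfaces are healthy; `show access-list` shows hit counts on each ACL line, which is the quickest way to spot a required flow that is still being dropped by the explicit deny. Because the ASA is stateful, only the initiating direction needs a permit: return traffic for the permitted TCP sessions is allowed automatically.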

  • Redundancy link - Fiber & Microwave

    hi,
    We have an existing fiber link from 2 sites: Exchange 1 <---> Exchange 2
    We would like to engage a contractor to supply us a secondary/redundant Microwave link; linking both sites.
    If we have a single 2900 Series router at both sites.
    Question is: what is the best method to provide redundancy OR load sharing for both fiber & microwave link?
    Have not dealt with microwave link before; is there any special config that is needed on Cisco 2900 router side?
    From my understanding; microwave vendor will be giving us a copper/RJ45 connection to our cisco 2900 router.
    Please advise.

    I would recommend you to use L3 /30 p2p per link rather than L2, to avoid extending spanning tree and increasing the complexity, unless L2 is required between the sites.
    Using IGP or static routes with different administrative distance (AD) as Collin mentioned is the simplest way you can use.
    also you can use IP SLA to improve the static route and make it more network aware
    http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
    Hope this helps.
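    As an added example of the approach recommended above (written for this page, not taken from the thread or the linked Cisco document): a Cisco 2900 at Exchange 1 with the fiber link as the primary path and the microwave link as a floating static backup, where an IP SLA probe tracks reachability across the fiber so the router fails over even when the fiber interface stays up but the path is broken. Interface names, /30 addresses and the remote prefix are constructed placeholders.

```cisco
! Added example, not from the thread: primary fiber link with a microwave
! backup on a Cisco 2900, using /30 L3 point-to-point links, a tracked
! static route and a floating static route. IP SLA makes the failover
! react to end-to-end reachability rather than only to interface line state,
! which matters when a carrier hand-off (fiber or microwave RJ45) stays "up"
! while the path behind it is dead. All names and addresses are constructed.

interface GigabitEthernet0/0
 description Fiber to Exchange 2
 ip address 10.255.0.1 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 description Microwave to Exchange 2 (vendor RJ45 hand-off)
 ip address 10.255.0.5 255.255.255.252
 no shutdown
!
! Probe the far end of the fiber link every 5 s, sourced from the fiber
! interface so the probe cannot be answered over the microwave path.
ip sla 1
 icmp-echo 10.255.0.2 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe result; the delays dampen flapping
! (10 s before declaring down, 30 s of stability before declaring up).
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary route (default AD 1) is withdrawn when track 1 goes down; the
! floating static route over microwave (AD 200) then takes its place.
ip route 172.16.2.0 255.255.255.0 10.255.0.2 track 1
ip route 172.16.2.0 255.255.255.0 10.255.0.6 200
```

    The router at Exchange 2 needs the mirror configuration (probe toward 10.255.0.1, tracked route back toward the Exchange 1 prefix), otherwise traffic fails over in one direction only. `show track 1` and `show ip route 172.16.2.0` confirm which path is in use; during a fiber outage the route should flip to the 10.255.0.6 next hop within the configured down delay. If genuine load sharing is wanted instead of backup, an IGP across both /30 links is the cleaner route, since two static routes with equal AD would balance per-destination regardless of the very different bandwidth of the two links.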

  • Security realm - Security:097533 - Developing own authentication provider

    hi everyone,
    I am developing my own authentication provider and I installed a security patch, so while restarting the WebLogic server I encountered the exception below:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    This is the config.xml:
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
      <name>base_domain</name>
      <domain-version>12.1.1.0</domain-version>
      <security-configuration>
        <name>base_domain</name>
        <realm>
          <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
          <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
            <sec:active-type>AuthenticatedUser</sec:active-type>
          </sec:authentication-provider>
          <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
            <sec:name>AS400Realm</sec:name>
            <sec:control-flag>OPTIONAL</sec:control-flag>
          </sec:authentication-provider>
          <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
          <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
          <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
          <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
          <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
          <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
          <sec:user-lockout-manager>
            <sec:lockout-enabled>false</sec:lockout-enabled>
          </sec:user-lockout-manager>
          <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
          <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
          <sec:security-dd-model>DDOnly</sec:security-dd-model>
          <sec:name>myrealm</sec:name>
          <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
            <sec:name>SystemPasswordValidator</sec:name>
            <pas:min-password-length>8</pas:min-password-length>
            <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
          </sec:password-validator>
        </realm>
        <default-realm>myrealm</default-realm>
        <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
        <node-manager-username>weblogic</node-manager-username>
        <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
        <cross-domain-security-enabled>true</cross-domain-security-enabled>
      </security-configuration>
      <server>
        <name>AdminServer</name>
        <listen-address>localhost</listen-address>
        <staging-mode>nostage</staging-mode>
      </server>
      <embedded-ldap>
        <name>base_domain</name>
        <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
      </embedded-ldap>
      <configuration-version>12.1.1.0</configuration-version>
    This is the MBean XML (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
        Package = "co.com.claro.security"
        Extends = "weblogic.management.security.authentication.Authenticator"
        PersistPolicy = "OnUpdate"
    >
      <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
          Writeable = "false"
          Default = "&quot;co.com.claro.AS400Realm&quot;"
      />
      <MBeanAttribute Name = "Description" Type = "java.lang.String"
          Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
      />
      <MBeanAttribute Name = "Version" Type = "java.lang.String"
          Writeable = "false" Default = "&quot;1.0&quot;"
      />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    public final class AS400Realm implements AuthenticationProviderV2 {
        private String description;
        // private SimpleSampleAuthenticatorDatabase database;
        private LoginModuleControlFlag controlFlag;
        // public String PARAM_JAAS_CONTEXT = "jaas-context";
        // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        // public String DEFAULT_GROUP_NAME = "default";

        // Called once by the security framework with the MBean generated from the MDF file.
        public void initialize(ProviderMBean mbean, SecurityServices services) {
            System.out.println("AS400Realm.initialize");
            AS400RealmMBean myMBean = (AS400RealmMBean) mbean;
            description = myMBean.getDescription() + "\n" + myMBean.getVersion();
            // database = new SimpleSampleAuthenticatorDatabase(myMBean);
            // Map the control flag from config.xml onto the JAAS control flag.
            String flag = myMBean.getControlFlag();
            if (flag.equalsIgnoreCase("REQUIRED")) {
                controlFlag = LoginModuleControlFlag.REQUIRED;
            } else if (flag.equalsIgnoreCase("OPTIONAL")) {
                controlFlag = LoginModuleControlFlag.OPTIONAL;
            } else if (flag.equalsIgnoreCase("REQUISITE")) {
                controlFlag = LoginModuleControlFlag.REQUISITE;
            } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
                controlFlag = LoginModuleControlFlag.SUFFICIENT;
            } else {
                throw new IllegalArgumentException("invalid flag value " + flag);
            }
        }

        public String getDescription() {
            return description;
        }

        public void shutdown() {
            System.out.println("AS400Realm.shutdown");
        }

        // Builds the JAAS entry that points the framework at the login module below.
        private AppConfigurationEntry getConfiguration(HashMap options) {
            options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
            return new AppConfigurationEntry(
                "co.com.claro.security.AS400LoginModule",
                controlFlag,
                options);
        }

        public AppConfigurationEntry getLoginModuleConfiguration() {
            HashMap options = new HashMap();
            return getConfiguration(options);
        }

        public AppConfigurationEntry getAssertionModuleConfiguration() {
            HashMap options = new HashMap();
            options.put("IdentityAssertion", "true");
            return getConfiguration(options);
        }

        public PrincipalValidator getPrincipalValidator() {
            return new PrincipalValidatorImpl();
        }

        public IdentityAsserterV2 getIdentityAsserter() {
            return null;
        }
    }
    AS400LoginModule.java:
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    /**
     * @author dmunoz
     */
    final public class AS400LoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        private String DEFAULT_GROUP_NAME = "default";
        // Determine whether this is a login or assert identity
        private boolean isIdentityAssertion;
        // Authentication status
        private boolean loginSucceeded;
        private boolean principalsInSubject;
        private Vector principalsForSubject = new Vector();

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            // only called (once!) after the constructor and before login
            System.out.println("SimpleSampleLoginModuleImpl.initialize");
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            // Check for Identity Assertion option
            isIdentityAssertion =
                "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
        }

        // Validates the credentials against the AS/400 host via the JTOpen AS400 class.
        private boolean authenticateAS400(String user, String passwd) throws Exception {
            String host = "172.31.2.80"; // Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
            AS400 as400System;
            as400System = new AS400(host, user, passwd);
            return as400System.validateSignon();
        }

        public boolean login() throws LoginException {
            // only called (once!) after initialize
            System.out.println("SimpleSampleLoginModuleImpl.login");
            // loginSucceeded should be false
            // principalsInSubject should be false
            Callback[] callbacks = getCallbacks();
            String userName = getUserName(callbacks);
            if (userName.length() > 0) {
                if (!isIdentityAssertion) {
                    String passwordHave = getPasswordHave(userName, callbacks);
                    try {
                        loginSucceeded = authenticateAS400(userName, passwordHave);
                    } catch (Exception e) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
                        throw new LoginException(e.getMessage());
                    }
                }
            } else {
                // anonymous login - let it through?
                System.out.println("\tempty userName");
            }
            if (loginSucceeded) {
                principalsForSubject.add(new WLSUserImpl(userName));
                addGroupsForSubject(userName);
            }
            return loginSucceeded;
        }

        public boolean commit() throws LoginException {
            // only called (once!) after login
            // loginSucceeded should be true or false
            // principalsInSubject should be false
            // user should be null if !loginSucceeded, null or not-null otherwise
            // group should be null if user == null, null or not-null otherwise
            System.out.println("SimpleSampleLoginModule.commit");
            if (loginSucceeded) {
                subject.getPrincipals().addAll(principalsForSubject);
                principalsInSubject = true;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() throws LoginException {
            // The abort method is called to abort the authentication process. This is
            // phase 2 of authentication when phase 1 fails. It is called if the
            // LoginContext's overall authentication failed.
            // loginSucceeded should be true or false
            // user should be null if !loginSucceeded, otherwise null or not-null
            // group should be null if user == null, otherwise null or not-null
            // principalsInSubject should be false if user is null, otherwise true
            // or false
            System.out.println("SimpleSampleLoginModule.abort");
            if (principalsInSubject) {
                subject.getPrincipals().removeAll(principalsForSubject);
                principalsInSubject = false;
            }
            return true;
        }

        public boolean logout() throws LoginException {
            // should never be called
            System.out.println("SimpleSampleLoginModule.logout");
            return true;
        }

        private void throwLoginException(String msg) throws LoginException {
            System.out.println("Throwing LoginException(" + msg + ")");
            throw new LoginException(msg);
        }

        private void throwFailedLoginException(String msg) throws FailedLoginException {
            System.out.println("Throwing FailedLoginException(" + msg + ")");
            throw new FailedLoginException(msg);
        }

        // Asks the framework's CallbackHandler for the user name (and password when
        // this is a real login rather than an identity assertion).
        private Callback[] getCallbacks() throws LoginException {
            if (callbackHandler == null) {
                throwLoginException("No CallbackHandler Specified");
            }
            Callback[] callbacks;
            if (isIdentityAssertion) {
                callbacks = new Callback[1];
            } else {
                callbacks = new Callback[2];
                callbacks[1] = new PasswordCallback("password: ", false);
            }
            callbacks[0] = new NameCallback("username: ");
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                throw new LoginException(e.toString());
            } catch (UnsupportedCallbackException e) {
                throwLoginException(e.toString() + " " + e.getCallback().toString());
            }
            return callbacks;
        }

        private String getUserName(Callback[] callbacks) throws LoginException {
            String userName = ((NameCallback) callbacks[0]).getName();
            if (userName == null) {
                throwLoginException("Username not supplied.");
            }
            System.out.println("\tuserName\t= " + userName);
            return userName;
        }

        private void addGroupsForSubject(String userName) {
            try {
                for (Enumeration e = getGroupNamesAS400(userName);
                     e.hasMoreElements();) {
                    String groupName = (String) e.nextElement();
                    System.out.println("\tgroupName\t= " + groupName);
                    principalsForSubject.add(new WLSGroupImpl(groupName));
                }
            } catch (Exception ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            }
        }

        // Looks up the user's roles in the Oracle data source; every user also gets DEFAULT_GROUP_NAME.
        public Enumeration getGroupNamesAS400(String usuario)
                throws Exception {
            if (usuario == null) {
                throw new Exception("Usuario no puede ser vacio");
            }
            Vector<String> grupos = new Vector<String>();
            grupos.add(DEFAULT_GROUP_NAME);
            Connection conn = null;
            ResultSet rs = null;
            PreparedStatement statement = null;
            try {
                Context c = new InitialContext();
                DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
                conn = dst.getConnection();
                String query = "SELECT COD_ROL AS ROL " +
                    "FROM gestionnew.us_rol_perfil " +
                    "JOIN gestionnew.usuarios " +
                    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
                    "WHERE upper(usuarios.usuariorr) = ?";
                statement = conn.prepareStatement(query);
                statement.setString(1, usuario.toUpperCase());
                rs = statement.executeQuery();
                while (rs.next()) {
                    grupos.add(rs.getString("ROL"));
                }
            } catch (SQLException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } catch (NamingException ex) {
                Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
            } finally {
                if (conn != null) {
                    try {
                        conn.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (rs != null) {
                    try {
                        rs.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException ex) {
                        Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
                    }
                }
            }
            return grupos.elements();
        }

        private String getPasswordHave(String userName, Callback[] callbacks) throws
                LoginException {
            PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null || password.length < 1) {
                throwLoginException("Authentication Failed: User " + userName +
                    ". Password not supplied");
            }
            String passwd = new String(password);
            // NOTE: this writes the clear-text password to the server's stdout log.
            System.out.println("\tpasswordHave\t= " + passwd);
            return passwd;
        }
    }
    thanks

    // or false
    System.out.println("SimpleSampleLoginModule.abort");
    if (principalsInSubject) {
    subject.getPrincipals().removeAll(principalsForSubject);
    principalsInSubject = false;
    return true;
    public boolean logout() throws LoginException {
    // should never be called
    System.out.println("SimpleSampleLoginModule.logout");
    return true;
    private void throwLoginException(String msg) throws LoginException {
    System.out.println("Throwing LoginException(" + msg + ")");
    throw new LoginException(msg);
    private void throwFailedLoginException(String msg) throws FailedLoginException {
    System.out.println("Throwing FailedLoginException(" + msg + ")");
    throw new FailedLoginException(msg);
    private Callback[] getCallbacks() throws LoginException {
    if (callbackHandler == null) {
    throwLoginException("No CallbackHandler Specified");
    Callback[] callbacks;
    if (isIdentityAssertion) {
    callbacks = new Callback[1];
    } else {
    callbacks = new Callback[2];
    callbacks[1] = new PasswordCallback("password: ", false);
    callbacks[0] = new NameCallback("username: ");
    try {
    callbackHandler.handle(callbacks);
    } catch (IOException e) {
    throw new LoginException(e.toString());
    } catch (UnsupportedCallbackException e) {
    throwLoginException(e.toString() + " " + e.getCallback().toString());
    return callbacks;
    private String getUserName(Callback[] callbacks) throws LoginException {
    String userName = ((NameCallback) callbacks[0]).getName();
    if (userName == null) {
    throwLoginException("Username not supplied.");
    System.out.println("\tuserName\t= " + userName);
    return userName;
    private void addGroupsForSubject(String userName) {
    try {
    for (Enumeration e = getGroupNamesAS400(userName);
    e.hasMoreElements();) {
    String groupName = (String) e.nextElement();
    System.out.println("\tgroupName\t= " + groupName);
    principalsForSubject.add(new WLSGroupImpl(groupName));
    } catch (Exception ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    public Enumeration getGroupNamesAS400(String usuario)
    throws Exception {
    if(usuario == null) {
    throw new Exception("Usuario no puede ser vacio");
    Vector<String> grupos = new Vector<String>();
    grupos.add(DEFAULT_GROUP_NAME);
    Connection conn = null;
    ResultSet rs = null;
    PreparedStatement statement = null;
    try {
    Context c = new InitialContext();
    DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
    conn = dst.getConnection();
    String query = "SELECT COD_ROL AS ROL " +
    "FROM gestionnew.us_rol_perfil " +
    "JOIN gestionnew.usuarios " +
    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
    "WHERE upper(usuarios.usuariorr) = ?";
    statement = conn.prepareStatement(query);
    statement.setString(1, usuario.toUpperCase());
    rs = statement.executeQuery();
    while (rs.next()) {
    grupos.add(rs.getString("ROL"));
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    } catch (NamingException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    } finally {
    if (conn != null) {
    try {
    conn.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    if (rs != null) {
    try {
    rs.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    if (statement != null) {
    try {
    statement.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    return grupos.elements();
    private String getPasswordHave(String userName, Callback[] callbacks) throws
    LoginException {
    PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
    char[] password = passwordCallback.getPassword();
    passwordCallback.clearPassword();
    if (password == null || password.length < 1) {
    throwLoginException("Authentication Failed: User " + userName +
    ". Password not supplied");
    String passwd = new String(password);
    System.out.println("\tpasswordHave\t= " + passwd);
    return passwd;
    thanks

  • How do I print multiple (PDF) pages per sheet in Lion?

    The printing interface has changed in preview, and whereas there used to be an option to print multiple pages per sheet, there's now only an option to print multiple copies per sheet. The latter is of no use to me, whereas printing multiple pages per sheet was very useful since I often print large documents.

    Well, in Snow Leopard I used to print PDFs from Preview, and if I recall correctly, where it now says 'copies per page', it used to say 'images per page'. So of course, I now have a couple of printouts with two copies of each page per sheet.
    But the preview tab and then the option 'layout' works. I don't understand why this interface had to change though.

  • Printing from iPhoto to Epson Stylus R1900-Lack of Layout and other options

    I have just begun using my MacBook Pro for photo use, and also just acquired an Epson R1900. When I print from iPhoto to the R1900, I can only print 1 photo per page. The usual Epson screen which has an option to change layout, e.g., to multiple photos per page does not appear. If I try to print from Mail the usual Epson screen does appear. Why not in iPhoto like it always has in the past on my iMac when printing to my previous, Canon i950? This is a major concern to me since my wife likes to keep our photos as multiples per page in a scrapbook. I'm using iPhoto '09, vers. 8.1.2., and OS 10.5.8, and the latest update of the Epson driver for the R1900 which claims to be fine with OS 10.5.8.

    Well, I found how to get to "Settings." There is a button in the photo area entitled "Customize," which leads to a screen with various options on the bottom, one of which is "Settings." If I click on that I get a small dialog box including the option to select "Multiple Photos per Page." So far it looks like I need to do some very tedious custom sizing to get, say, 4 photos on 1 8x10 page. There is a "Layout" button on the "Customize" screen; however, it only wants to give me horizontal or vertical page orientations; or ones which have the option of adding a title underneath. In the past, if I choose multiple photos per page (or "N up") I could then choose how many: 2, 3, 4, etc photos per page and the program sizes them accordingly. I still get that when I use my old iMac with iPhoto '05 to print to the Epson R1900. Works nice and easy.
    Also, I'm confused by the fact that iPhoto '09 does not allow a "Page Setup" file command. This is making it difficult for me to get the photos oriented in a way that they will fit in groups. So far, iPhoto '09 is proving to be very awkward to work with compared with my past experience with iPhoto '05.
