Order of Security Policy Configuration

Hi,
I want to change the order of the Policy Configuration so that my CustomLoginModule is checked before the others.
Can I do that without removing all others and adding them again one after another?
Greetings,
Marius

Here's a helpful URL: http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html#DefaultLocs

Similar Messages

  • NWA 7.3 : Looking for "security roles" (Policy Configuration) ...

    Hi guys,
    We deployed a simple application in our new SAP NW 7.3 JAVA instance; by calling the application, we receive "error 403 : Error: You are not authorized to view the requested resource."; this was fixed within NW 7.x by adding a user/group within security roles of the selected component ( Visual Admin => Security Provider => Policy Configurations => select component and then security roles );
    Where to do this within NWA 7.3?
    Any ideas?
    Thanks
    Oliver

    Hi Oliver,
    Procedure
    Start SAP NetWeaver Administrator with the quick link /nwa/auth.
    Choose Components.
    Select a policy configuration.
    On the Authentication Stack tab, choose the Edit pushbutton.
    Determine if you want to use an existing template or if you want to change the policy configuration of the current component.
      To use an existing template, select a template from the Used Template field.
      For authscheme references, select a template from Used Authscheme.
      The component uses the settings and authentication stack from the template. To edit these settings, edit the settings of the policy configuration template. To create a new template, see Creating Authentication Stack Templates for Policy Configurations.
    To change the policy configuration of the current component, do the following:
      Add and remove login modules as required.
      The system applies the login modules in the order they appear in the list.
    Set a processing flag for each login module.
      For more information about login module flags, see Policy Configurations and Authentication Stacks.
    Add and remove any options to the login modules.
    Set the authentication stack parameters according to the type of policy configuration.
    Please go through the help file below:
    http://help.sap.com/saphelp_nw73/helpdata/en/4a/734e26fa92731fe10000000a42189c/frameset.htm
    Cheers
    Revanth Pasupuleti
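
Why the order and the processing flag in the steps above matter, shown as an added example that is not part of the original posts or SAP's code. It models the standard JAAS flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) and assumes the authentication stack follows them; the two `login` functions and the credential values are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass
class StackEntry:
    name: str                       # login module name as shown in the list
    flag: str                       # processing flag set for the module
    login: Callable[[dict], bool]   # stand-in for the module's login()


def evaluate_stack(stack: List[StackEntry], creds: dict) -> Tuple[bool, List[str]]:
    """Walk the stack top to bottom; return (authenticated, modules that ran)."""
    ran: List[str] = []
    mandatory_seen = mandatory_failed = any_success = False
    for entry in stack:
        ok = entry.login(creds)
        ran.append(entry.name)
        any_success = any_success or ok
        if entry.flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if entry.flag == REQUISITE:
                    break           # REQUISITE failure: stop immediately
        elif entry.flag == SUFFICIENT and ok and not mandatory_failed:
            break                   # SUFFICIENT success: nothing below runs
    if mandatory_failed:
        return False, ran
    # With no REQUIRED/REQUISITE entry evaluated, one success is needed.
    return (True if mandatory_seen else any_success), ran


# Constructed stand-ins for two module names that appear on this page.
def custom_login(creds: dict) -> bool:
    return creds.get("token") == "valid-token"


def password_login(creds: dict) -> bool:
    return creds.get("password") == "correct-password"


PASSWORD_FIRST = [
    StackEntry("BasicPasswordLoginModule", REQUISITE, password_login),
    StackEntry("CustomLoginModule", OPTIONAL, custom_login),
]
CUSTOM_FIRST = [
    StackEntry("CustomLoginModule", SUFFICIENT, custom_login),
    StackEntry("BasicPasswordLoginModule", REQUISITE, password_login),
]
BOTH_REQUIRED = [
    StackEntry("CustomLoginModule", REQUIRED, custom_login),
    StackEntry("BasicPasswordLoginModule", REQUIRED, password_login),
]

# Constructed request: the custom module accepts it, the password is wrong.
CREDS = {"token": "valid-token", "password": "wrong"}

if __name__ == "__main__":
    for label, stack in (("password first", PASSWORD_FIRST),
                         ("custom first", CUSTOM_FIRST),
                         ("both required", BOTH_REQUIRED)):
        print(label, evaluate_stack(stack, CREDS))
```

With the custom module first and flagged SUFFICIENT, the password module is never consulted, so when reordering a stack, review the flags together with the positions.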

  • Lost policy configurations in Security provider in Visual Administrator

    Hi Portal Gurus,
    I lost Policy Configurations in Security Provider service in Visual Administrator. Now I am not able to log in to Visual Administrator; it's giving an error. But the portal is up and running. When I check in the visualadminconsole log, it is saying "logon module not suceeded"
    Is there anyway to recover Policy configuration ?
    Regards
    Tami

    Please follow the steps given in the link below.
    Thanks,
    Vuthpala
    http://help.sap.com/saphelp_nw70/helpdata/en/7f/c52442ad9f5133e10000000a155106/frameset.htm

  • Locally configured security policy in domain environment

    Hello.
    I have run into a problem when configuring security policy for servers in my domain. Due to the large size of my environment and many different local administrators on servers, quite a few of those administrators have configured local security policies on their servers instead of asking our central IT dept to create domain-based GPOs for those settings.
    It's quite often settings that give an account the right to log on as a batch job and so on. This creates the problem for us who work centrally that we can't configure a central GPO, since we will overwrite the locally configured ones, and that will quite often cause an application to stop working.
    So my question is whether there's any way to make an inventory to find out which servers have a locally configured policy so that I can change that to a central one.
    /Lee

    You can use secedit to get the local security policy. You can use psexec to get it remotely and store the content in a share. Once done, you can fetch the data using PowerShell and get what you need.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
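
The inventory step described in this answer, as an added example that is not part of the original post: it parses the `[Privilege Rights]` section of exports produced by `secedit /export /cfg <file> /areas USER_RIGHTS` and lists the principals each server grants beyond a central baseline. The server names, export contents and baseline below are constructed, and the export text is assumed to be already decoded (secedit is assumed to write UTF-16 files).

```python
from typing import Dict, List, Set


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Return {right: {principals}} from the [Privilege Rights] section."""
    rights: Dict[str, Set[str]] = {}
    section = ""
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def local_deviations(exports: Dict[str, str],
                     baseline: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per server, the principals granted a baseline right beyond the baseline."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for server, text in exports.items():
        rights = parse_privilege_rights(text)
        extra = {}
        for right, allowed in baseline.items():
            added = rights.get(right, set()) - allowed
            if added:
                extra[right] = sorted(added)
        if extra:
            report[server] = extra
    return report


# Constructed baseline: what the central GPO is meant to grant (assumption).
BASELINE = {
    "SeBatchLogonRight": {"*S-1-5-32-544", "*S-1-5-32-551", "*S-1-5-32-559"},
    "SeServiceLogonRight": {"*S-1-5-80-0"},
}

# Constructed exports, as they would look once collected from the share.
SAMPLE_EXPORTS = {
    "SRV-APP01": """[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,svc_batch
SeServiceLogonRight = *S-1-5-80-0
[Version]
signature="$CHICAGO$"
Revision=1
""",
    "SRV-APP02": """[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-80-0
[Version]
signature="$CHICAGO$"
Revision=1
""",
}

if __name__ == "__main__":
    for server, extra in local_deviations(SAMPLE_EXPORTS, BASELINE).items():
        print(server, extra)
```

Servers that appear in the report carry locally added assignments that a central GPO for the same right would overwrite, so those entries need to be merged into the GPO first.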

  • How do I resolve this error in Safari: "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies"?

    I'm trying to access several pages and keep getting "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies". After going over all my security stuff I just can't find where I would correct the error.
    Is there anyone who could help me?
    Thanks
    Fr. Gary

    very strange,
    1. check time and date on your computer
    2. reset network configuration, make sure there are no proxy servers and you get DNS from your router not manual
    3. Reset certificates database
    Go to Terminal (Applications>Utilities)
    sudo rm /var/db/crls/*cache.db
    (you will be prompted for your password)
    and reboot the computer
    post back

  • Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have MII Super Administrator role, few custom roles and I also have Action "Manage_All" and I am able to perform most of the activities on UME but I don't see any option to create new security policies all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version or MII version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE or MII?
    Any suggestions will be of great help
    Thanks,
    Adarsh

    Adarsh,
    I am not a NW UME expert, but I know this issue has nothing to do with MII.  Not sure if you have rights but providing the Administrators Group for the UME database should allow you to do this. 
    I would try posting this thread on the NW UME Forum.  Modifying policies in NW has nothing to do with MII. 
    Just to verify what policies are you trying to change, I am assuming they are in NW UME and not MII, is this correct?  If they are in MII can you be more specific.
    Good luck.

  • "Security policy error" while setting up "Microsoft Exchange Hosted Services" Exchange Account (corporate user)

    I'm a corporate user with a very large company that is using Microsoft Hosted Exchange services actually hosted by Microsoft employees at their facilities.  I called Palm support and they were clueless and zero help.  The lady pointed me to some Palm KB article that I had already read and only remotely had anything to do with my problem.  I see nothing on this error message in the forums and Google searches. Sprint has even replaced my Palm Pre due to other reasons and the same error occurs after I configure the Exchange account. I'm also seeing the error when I configure my account on my wife's brand new Pixi. Both our Pre and Pixi already have Exchange accounts successfully configured on our phones that are hosted by sherweb. The sherweb Exchange accounts work without issue. I have tried configuring this Microsoft hosted Exchange account 5-6 times with the same result. It accepts my configuration information and adds it to the list of available email accounts in the Pre. However, it keeps popping up this message stating "Security policy error: "Exchange... Tap for details" (with a yellow exclamation mark). Then it says "Security Policy Error" The account Exchange (first part of my email address) is disabled because security policies cannot be set." "Leave it disabled" or "Remove Account". I know something is working because it enforced a Password or Pin policy on to my phone which is not required unless this account has been added. I can also see it in the "Mobile Devices" section of web Outlook when I log in. This is the place in web Outlook where you can see the last time the device synced, where you can remote wipe the phone etc. If anyone has any idea how to resolve my issue please post. Any ideas? I'm fresh out of ideas on this problem and very frustrated with Palm Developers. Just another example of poor development and testing practices by Palm.
    I hope they correct this issue on subsequent releases but I am only marginally optimistic that they will ever get this Exchange mail support to the level necessary to support large corporations. What I do know is that my Microsoft Hosted Exchange account works fine on a Windows Mobile phone and an iPhone 3GS (confirmed by other coworkers who have configured their phones using our Exchange services). As a result, I have no choice but to blame Palm for this problem instead of Microsoft. Palm, please fully support Microsoft Exchange mail users!!!!
    Post relates to: Pre p100eww (Sprint)

    From my understanding of EAS and PDA devices, if the server has a policy to enforce and the device cannot provide that policy then the server will not allow the device to connect. The KB I gave you has a listing of what policies the device supports; if your server supports more than that then it could deny the connection. As for what the iPhone does and does not do we cannot answer that due to we are not iPhone.
    I did find an article that may explain a little better for PDA and exchange: http://www.infoworld.com/d/mobilize/how-avoid-smartphone-exchange-policy-lie-004

  • Do i need to be a technology expert in order to secure it?

    Hello Everyone,
    I received an offer from one of the top oil & gas employers in the gulf region. I will be responsible for server & desktop systems hardening, network security hardening, and other IT security related tasks. One of the critical server systems that I will be going to harden is Exchange 2010 server. I don't have much experience in Exchange except basic installation and creating a couple of mailbox-enabled users. My question is, do I really need to know how the e-mail system works in order to secure it?
    I mean my job is going to be a pure security job and I will not configure SMTP, POP3, connectors, etc. The same applies to other technologies; for example, do I need to know how Lync, Hyper-V, System Center servers work first prior to securing them?
    Appreciate your prompt response.

    Good point Paul and thank you.
    I agree with you that having a strong knowledge on a specific technology will greatly help in the journey of securing it. However, in-depth understanding is not required as told by some info sec friends. For example, do you really need to know about technology's installation software prerequisites, server roles placement, emails got stuck in the Queue, failure in the SMTP service, database maintenance, and stuff like that as a full time Exchange admin knows? Of course it will not hurt to get this knowledge but it will hurt me in terms of time as I need to quickly focus on the security side of the equation.  I don't have the time to grab an Exchange cookbook of 780 pages and read them. I already have tens of security books that I need to read and finish.
    What do you think?

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts ,
    I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
    I am using EAP-TLS and machine authentication.
    In case of server certificate installation using internal PKI (Root CA) server, I am quite clear that we can create a certificate in ISE and it can be signed by the CA, which will be used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
    How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
    And more important is, which certificate will be installed on client machines? Do we need to create the certificate first from the CA and save it in a repository, and later it can be installed on client machines? Sorry, it could be a Microsoft AD related question, however I am pretty sure that we, as wireless techies, need to know even client side configuration.
    This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
    How will the client wireless network adapter properties be automatically configured with the same SSID which is configured with EAP-TLS along with certificate validation?
    I am not sure ... will it get pushed through AD? How will it happen?
    It would be really helpful if someone could shed light on this.

    Hello Vino,
    Some answers below :
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
    It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
    If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
    In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
    In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
    Another very secure method is EAP-FAST with machine and user certificate, where the ISE will validate both the machine and user certificate before allowing this one to get access to the network.
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
    Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
    I hope it helps.

  • GRC 10.1 custom security policy

    On GRC Java system, I am not able to create custom security policy under UME->Configuration->Security Policy. I am able to create on all other systems except GRC and NWDI system. Is it related to support pack level, or is the facility not available on these releases?
    Thanks Shankar

    Shailendra:
    Might be because there is no Java stack.  AC and PC now run on the ABAP stack and I think SAP recommends not using dual stack.  The only Java stack in the GRC 10.0 landscape that I'm aware of is for ADS.
    Thanks.
    Matt

  • Content Player / Policy Configuration component login modules

    Problem using Content Player – HTTP 401 errors, not authorized
    Because of security concerns, we have modified our login Policy Configuration component, “ticket”, to no longer use the login module “BasicPasswordLoginModule”. We use the login module “SAMLLoginModule” instead and direct our users through our Shibboleth based identity provider.
    We now are having a problem with the Content Player. We have configured it in http://<server>:<port>/lms/mediator/config with connection information including a username and password for both access to the ABAP system and the CMS user. We also have set SNC.
    With the BasicPasswordLoginModule removed, we get HTTP 401 errors, not authorized. We see this in a pop-up window when we try to run a WBT course and we see it in the trace files.
    When we put the BasicPasswordLoginModule back in place, we can access the course.
    We are looking for a way to redirect the Content Player to a different Policy Configuration component that we can then allow to include the BasicPasswordLoginModule.
    Is this possible?
    Where is the configuration defined that directs the Content Player to use that default Policy Configuration component?
    Can we change it to use a different Policy Configuration component?
    Deb Nugent

    It appears that we cannot (or should not) redirect the login module for the Content Player to something other than the "ticket" login method. Since we require Content Player, we re-added the BasicLoginPassword Module to the "ticket" method of logon. We knew this would allow Content Player to work. We are using other / additional security measures to ensure no one is directly accessing our systems with username/password.
    Thank-you all.
    Deb Nugent.

  • Partially Trusted Security Policy

    Hi,
    I'm using the ODAC1110510beta.exe in my Windows XP SP2 "development" machine and Windows 2003 SP2 "test deployment" machine.
    I am able to use the Personalization Data Provider in both windows xp and 2003. The sample web app project was using WebPartManager, WebPartZone, CatalogZone, DeclarativeCatalogPart, PageCatalogPart, EditorZone, AppearanceEditorPart, BehaviorEditorPart, LayoutEditorPart, PropertyGridEditorPart.
    Upon checking in the Oracle tables that were created, several rows have been inserted when testing out the sample web app project. (Note that there was an error in the installation scripts - something to do with a missing "s" in one of the tables.)
    Ok, now that I have established my current setup and situation, my question now is, why is that when I run ASP.NET AJAX Toolkit "Samples" website, I get the following error message:
    Server Error in '/MicrosoftAJAXToolkit' Application.
    Configuration Error
    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
    Parser Error Message: Type 'Oracle.Web.Management.OracleWebEventProvider' cannot be instantiated under a partially trusted security policy (AllowPartiallyTrustedCallersAttribute is not present on the target assembly).
    Source Error:
    [No relevant source lines]
    Source File: machine.config Line: 160
    Version Information: Microsoft .NET Framework Version:2.0.50727.832; ASP.NET Version:2.0.50727.832
    Things I did to try to resolve this problem is by following the instructions in the following site: http://msdn2.microsoft.com/en-us/library/zdc263t0(VS.80).aspx
    I followed and executed the following steps in:
    "To grant full trust to an assembly or folder on your local computer"
    The location C:\oracle\product\11.1.0\client_1\ASP.NET\bin\2.x\* is now added for FullTrust
    I also followed and executed the following steps in:
    "To grant full trust to an assembly or folder on a network computer or mapped drive"
    The location C:\oracle\product\11.1.0\client_1\ASP.NET\bin\2.x\* is now added for FullTrust
    But still I get the same error message when running the "Samples" AJAX Toolkit website.
    Please help on how to go about this.
    Many Thanks,
    Henry Wu

    I am, 6 months later, getting the same issue. Has something to do with Oracle.web. My intention as of now is to remove Oracle.Web.*
    What did you do?
    Thanks

  • User gets locked in lesser attempts than security policy setting

    Hi
    I have written my customized login code to log a user in to the portal and I use the following code:
    IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
    IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
    IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
    ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
    req.setAttribute(JUSER,myUser.getUniqueName());
    req.setAttribute(JPASSWORD,password);
    ILA.logon(req,res,AUTHSCHDEFAULT);     
    I notice that whenever I try to log on using my code with a wrong password, the user gets locked in 3 attempts even though the security policy (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
    (Although, please note that my code works fine logging the user into the portal when he enters the correct password.)
    I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon, and notice that it locks correctly after 5 attempts.
    Would I have to add anything else in my code to make it work correctly?
    Thanks
    oj

    Hi All
    I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
    What am I doing wrong?
    Thanks
    OJ

  • Option to Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have "Administrator" role, "MII Super Administrator" role, few custom roles and I also ensured that "Administrator" role has Action "Manage_All" and I am able to perform all of the activities on UME except that I don't see any option to create new security policies, all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    I need to have different security policies for different users based on their roles.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE?
    I had posted similar question in MII forum but was recommended to post in NW forums.
    So any suggestions will be of great help
    Thanks,
    Adarsh

    What is Security Policy?

  • NAC appliance(security policy/update-files)

    Does anyone know something concerning to the following issues?
    Please teach me what I can refer to on the WEB,if possible.
    1. Is there any way to apply the policy(checking OS/AV) to the kind of client devices which CAA hadn't been installed such like guest user?
    2. Is it possible that NAC appliance does clients only "port-scanning" (not checking OS/AV)?
    3. If user-company already has their own "Anti-Virus Server" or "Windows-update Server", can CAM refer to their servers(not Cisco's policy-update-server) to get current update files?
    4. How long does it take for the update-files to become available via Cisco's policy-update-server after each OS/AV vendor has released them?
    Regards

    No, we should install Cisco Trust Agent S/W in order to collect the information about the OS versions, AV versions etc. to the Policy server. And based on the security policy of the organisation, we can communicate with the AV vendors like Symantec, McAfee servers directly for the latest patches and updates.
