Packaging /rep:policy node - Node is protected

Similar Messages

• API for modifying rep:Policy nodes

  The JCR API does not work when we are trying to modify/create rep:policy nodes.
  I tried to have a look at the CqActionsServlet and CQActions class but could not make much progress on understanding the implementation.
  Is there any API documentation on how  to do this.
  Basically the idea is to have a package of permission nodes (rep:policy) in the svn. As part of build process, we want to read the rep_policy.xmls and configure the corresponding permissions in CQ using RMI.

  Could you explain what you mean by the JCR API? While JCR 1.0 didn't have any API for managing access control policies, JCR 2.0 does.
  I don't know think AccessControlManager works over RMI. The JIRA issue is still open: https://issues.apache.org/jira/browse/JCR-2113
  There is a Sling bundle which you can install to manage ACLs via HTTP: http://sling.apache.org/site/managing-permissions-jackrabbitaccessmanager.html. Search this forum for prior discussions.
  For the use case you describe, you should be able to do that with content packages.

• WLC Web Auth Redirect URL point to an ISE Policy NODE only?

  Hi all,
  I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

  Thanks Peter for your clarification regarding the semantic I used and the question I made.
  Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

• Policy Node marked Stale due to time out

  What does this mean, the case is when running Policy Agent for IIS 6.0

  Well I have no idea what this error was about, but in my case it was the error that you have 4 Access Manger domains and I have specified a wrong one in the AMAgent.properties.

• Policy domain doesn't protected

  I have following problems:
  1.I haven't protection for any created policy domain, I have only protection for default policy domains /access and /identity . It can protect requested policy domain, if I put my resources under policy domains . /access or /identity.
  How can I test that Oracle Access Manger really protect created policy domain on web server, I always used access tester, always fine work,but resources aren't protected.
  For simple OAM configuration I used Doc ID: Note:437423.1 Step by Step: How to Protect a Root '/' Policy Domain With A Form Deployed On The Same WebGate HTTP Server, but resources aren't protected again.
  2.When I enable default policy domains, I get very strange case, I have to try to log on at least 2-3 times for requested link on Oracle Access Console , that is very difficult for administration.

  Not the same i had a similar one. I crated my own policy domain. ( As suggested by kiran )
  Just documented the steps, try it out, Hope this helps.
  http://nagarun.wordpress.com/2007/12/22/oracle-access-manager-administration/
  Cheers, Nag

• EMET v5.1 ADMX Group Policy Template Issue - Default protection settings can't be disabled

  I am configuring EMET v5.1 (from 11/18/14) settings via GPO using the custom EMET admx template provided by Microsoft. I am able to enable all the EMET settings via GPMC and disable most of them, but I am not able to disable these 3 EMET setting via
  GPMC in a GPO:
  Default Protections for Internet Explorer
  Default Protections for Popular Software
  Default Protections for Recommended Software
  When configuring any of these 3 EMET GPO settings to disabled and pressing apply or OK, GPMC keeps it at Not Configured, it does not change to disabled as it normally would. I have never before seen this in GPMC, where you try to disable a setting and it
  doesn't change to disabled.
  Unless this is somehow intended by Microsoft for these 3 EMET GPO settings, I think that this is a glitch/bug in the EMET GPO Template or the way that it works in GPMC.
  Looking for some Guidance from a MS Rep to replicate this issue or anyone else who can confirm if they also see this issue. I have tested on multiple Windows 8.1 Enterprise x64 Update 2 Workstations, with GPMC loaded and the latest EMET ADMX file loaded
  from the EMET client on 11/18/14. I have tested this in 2 separate domains, Note that we do not have Central ADMX Stores in either domain.

  I had a similar requirement as yours and found that we were able to get around in a simpler method then what was listed here.  What we did was set GPO Preferences Registry changes which would then override the previously set EMET ADMX settings set from
  another global GPO.
  To be specific we had some thirds applications which were add-ons to Microsoft Excel, and the EMET was preventing the application from talking to Excel.  So for the users that use this application we have a GPO which Does the following in the Preferences
  section:
  Action: Replace
  HIVE: HKEY_LOCAL_MACHINE
  Key path: SOFTWARE\Policies\Microsoft\EMET\Defaults
  Value name: Excel
  Value type: REG_SZ
  Value data: *\OFFICE1*\EXCEL.EXE -Caller -MandatoryASLR

• Audit log of the User access and permissions

  Hi All,
  We need to have the Audit trail of the user access and permission. Meaning Changes to user access rights will be logged.
  This should include:
  Current Access Rights (including Date the access was given),
  Group membership (including Date the access was given),
  Previous Access Rights (including Date the access was given and revoked).
  Can we reuse any out of the box functionality of CQ. Does anybody having any pointer to this?
  Thanks,
  Debasis

  Hi PChamoun,
  At the outset thanks a lot for the clue. I am very new to CQ. Could you please guide me like, what are the API required to track the rep:policy node changes. Even if workflow will be started after any change to rep:policy but how I will be able to get the information of what change happened.
  Thanks,
  Debasis

• Trigger Audit report whenever the user access the report.

  Hi BOBJ Experts,
  I have a requirement to Email a report whenever a particular user access the BOBJ report. I checked the event based scheduling but no luck. Can anyone help me in this regards.
  Thank You,
  Srinadha Reddy Y.

  Hi PChamoun,
  At the outset thanks a lot for the clue. I am very new to CQ. Could you please guide me like, what are the API required to track the rep:policy node changes. Even if workflow will be started after any change to rep:policy but how I will be able to get the information of what change happened.
  Thanks,
  Debasis

• Help on Deleting Node in Tree?

  I'm trying to delete a node on a tree and some weird stuff is
  occurring. Here is my code:
  <?xml version="1.0" encoding="utf-8"?>
  <mx:Application xmlns:mx="
  http://www.adobe.com/2006/mxml"
  initialize="init();" layout="absolute">
  <mx:Script>
  <![CDATA[
  private function click () : void {
  if (MyTree.selectedItems.length > 0) {
  var items:Array = MyTree.selectedItems;
  for (var i:int = 0; i < items.length; i++) {
  var nodeToDelete:XML = XML(items
  var xlcParent:XMLListCollection = new
  XMLListCollection(nodeToDelete.parent().children());
  var iIndex:int = xlcParent.getItemIndex(nodeToDelete);
  xlcParent.removeItemAt(iIndex);
  ]]>
  </mx:Script>
  <mx:XMLListCollection id="MyDP">
  <mx:XMLList>
  <root label="Default Policy">
  <node label="node1"/>
  <node label="node2"/>
  <node label="node3"/>
  <node label="node4"/>
  <node label="node5">
  <node label="node1"/>
  <node label="node2"/>
  <node label="node3"/>
  <node label="node4"/>
  <node label="node5">
  <node label="node1"/>
  <node label="node2"/>
  <node label="node3"/>
  <node label="node4"/>
  </node>
  </node>
  </root>
  </mx:XMLList>
  </mx:XMLListCollection>
  <mx:Tree labelField="@label" id="MyTree"
  dataProvider="{MyDP}" x="141" y="109" width="528" height="440"/>
  <mx:Button click="click();" x="141" y="557" label="Delete
  Selected Node"/>
  </mx:Application>
  For some reason when I expand all the nodes and try to delete
  one of the great grand children all of the great grand children
  shift over as if they are siblings of the node that I deleted the
  great grand children from.
  Anyone have some good ideas? I sure wish deletion of nodes
  was as easy as in actionscript 2.0

  There a quite a few posts about this problem here already -
  it seems to be a tree rendering bug (seems to come in various
  different flavours).
  The safest work around after fiddling with the nodes in the
  tree is to get the axe out and reassign the data provider. To be
  nice to the user, you might want to keep the expansion state (this
  may not work if you made big "structural" changes to the tree).
  The following works for me (after your changed the tree data
  model):
  var openItems:Object = treeopenItems;
  tree.dataProvider = tree.dataProvider;
  this.openItems = openItems;
  Hope this helps.
  Robert.

• Testing ha-nfs in two node cluster (cannot statvfs /global/nfs: I/O error )

  Hi all,
  I am testing HA-NFS(Failover) on two node cluster. I have sun fire v240 ,e250 and Netra st a1000/d1000 storage. I have installed Solaris 10 update 6 and cluster packages on both nodes.
  I have created one global file system (/dev/did/dsk/d4s7) and mounted as /global/nfs. This file system is accessible form both the nodes. I have configured ha-nfs according to the document, Sun Cluster Data Service for NFS Guide for Solaris, using command line interface.
  Logical host is pinging from nfs client. I have mounted there using logical hostname. For testing purpose I have made one machine down. After this step files tem is giving I/O error (server and client). And when I run df command it is showing
  df: cannot statvfs /global/nfs: I/O error.
  I have configured with following commands.
  #clnode status
  # mkdir -p /global/nfs
  # clresourcegroup create -n test1,test2 -p Pathprefix=/global/nfs rg-nfs
  I have added logical hostname,ip address in /etc/hosts
  I have commented hosts and rpc lines in /etc/nsswitch.conf
  # clreslogicalhostname create -g rg-nfs -h ha-host-1 -N
  sc_ipmp0@test1, sc_ipmp0@test2 ha-host-1
  # mkdir /global/nfs/SUNW.nfs
  Created one file called dfstab.user-home in /global/nfs/SUNW.nfs and that file contains follwing line
  share -F nfs &ndash;o rw /global/nfs
  # clresourcetype register SUNW.nfs
  # clresource create -g rg-nfs -t SUNW.nfs ; user-home
  # clresourcegroup online -M rg-nfs
  Where I went wrong? Can any one provide document on this?
  Any help..?
  Thanks in advance.

  test1#  tail -20 /var/adm/messages
  Feb 28 22:28:54 testlab5 Cluster.SMF.DR: [ID 344672 daemon.error] Unable to open door descriptor /var/run/rgmd_receptionist_door
  Feb 28 22:28:54 testlab5 Cluster.SMF.DR: [ID 801855 daemon.error]
  Feb 28 22:28:54 testlab5 Error in scha_cluster_get
  Feb 28 22:28:54 testlab5 Cluster.scdpmd: [ID 489913 daemon.notice] The state of the path to device: /dev/did/rdsk/d5s0 has changed to OK
  Feb 28 22:28:54 testlab5 Cluster.scdpmd: [ID 489913 daemon.notice] The state of the path to device: /dev/did/rdsk/d6s0 has changed to OK
  Feb 28 22:28:58 testlab5 svc.startd[8]: [ID 652011 daemon.warning] svc:/system/cluster/scsymon-srv:default: Method "/usr/cluster/lib/svc/method/svc_scsymon_srv start" failed with exit status 96.
  Feb 28 22:28:58 testlab5 svc.startd[8]: [ID 748625 daemon.error] system/cluster/scsymon-srv:default misconfigured: transitioned to maintenance (see 'svcs -xv' for details)
  Feb 28 22:29:23 testlab5 Cluster.RGM.rgmd: [ID 537175 daemon.notice] CMM: Node e250 (nodeid: 1, incarnation #: 1235752006) has become reachable.
  Feb 28 22:29:23 testlab5 Cluster.RGM.rgmd: [ID 525628 daemon.notice] CMM: Cluster has reached quorum.
  Feb 28 22:29:23 testlab5 Cluster.RGM.rgmd: [ID 377347 daemon.notice] CMM: Node e250 (nodeid = 1) is up; new incarnation number = 1235752006.
  Feb 28 22:29:23 testlab5 Cluster.RGM.rgmd: [ID 377347 daemon.notice] CMM: Node testlab5 (nodeid = 2) is up; new incarnation number = 1235840337.
  Feb 28 22:37:15 testlab5 Cluster.CCR: [ID 499775 daemon.notice] resource group rg-nfs added.
  Feb 28 22:39:05 testlab5 Cluster.RGM.rgmd: [ID 375444 daemon.notice] 8 fe_rpc_command: cmd_type(enum):<5>:cmd=<null>:tag=<>: Calling security_clnt_connect(..., host=<testlab5>, sec_type {0:WEAK, 1:STRONG, 2:DES} =<1>, ...)
  Feb 28 22:39:05 testlab5 Cluster.CCR: [ID 491081 daemon.notice] resource ha-host-1 removed.
  Feb 28 22:39:17 testlab5 Cluster.RGM.rgmd: [ID 375444 daemon.notice] 8 fe_rpc_command: cmd_type(enum):<5>:cmd=<null>:tag=<>: Calling security_clnt_connect(..., host=<testlab5>, sec_type {0:WEAK, 1:STRONG, 2:DES} =<1>, ...)
  Feb 28 22:39:17 testlab5 Cluster.CCR: [ID 254131 daemon.notice] resource group nfs-rg removed.
  Feb 28 22:39:30 testlab5 Cluster.RGM.rgmd: [ID 224900 daemon.notice] launching method <hafoip_validate> for resource <ha-host-1>, resource group <rg-nfs>, node <testlab5>, timeout <300> seconds
  Feb 28 22:39:30 testlab5 Cluster.RGM.rgmd: [ID 375444 daemon.notice] 8 fe_rpc_command: cmd_type(enum):<1>:cmd=</usr/cluster/lib/rgm/rt/hafoip/hafoip_validate>:tag=<rg-nfs.ha-host-1.2>: Calling security_clnt_connect(..., host=<testlab5>, sec_type {0:WEAK, 1:STRONG, 2:DES} =<1>, ...)
  Feb 28 22:39:30 testlab5 Cluster.RGM.rgmd: [ID 515159 daemon.notice] method <hafoip_validate> completed successfully for resource <ha-host-1>, resource group <rg-nfs>, node <testlab5>, time used: 0% of timeout <300 seconds>
  Feb 28 22:39:30 testlab5 Cluster.CCR: [ID 973933 daemon.notice] resource ha-host-1 added.

• ISE does not register nodes - (blank pop-up window)

  Hello everyone !
  There CiscoISE 1.1.4.218 (all 8 patches) consisting of 6 nodes (2 admin, 2 monitors, 2 policy) on virtual machines.
  When testing failover between policy node, one of policy nodes has been removed from scheme of deployment. The  result of attempting to register this node is the blank warning pop-up  window, progress of registration stops without registration of policy  node (screenshot in attachment). The same
  thing  happens when I try to register a secondary monitoring nodes (that was  removed earlier, like in the case with police node). I  also attach a portion of log file taken from admin node (CLI) in the  moment of attempts registration of police / monitoring nodes.
  In the DNS is ok (defined in both side), all certificates are valid.
  Maybe somebody has already found a similar mistake ?
  Sincerely,
  Andrey

  Please check the following Prerequisites
  The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.  Otherwise, node registration will fail. You must enter the IP addresses  and FQDNs of the ISE nodes that are part of your distributed deployment  in the DNS server.
  •The  primary Administration ISE node and the standalone node that you are  about to register as a secondary node should be running the same version  of Cisco ISE.
  •Node  registration fails if you provide the default credentials (username:  admin, password: cisco) while registering a secondary node. Before you  register a standalone node, you must log into its administrative user  interface and change the default password (cisco).
  •You  can alternatively create an administrator account on the node that is  to be registered and use those credentials for registering that node.  Every ISE administrator account is assigned one or more administrative  roles. To register and configure a secondary node, you must have one of  the following roles assigned: Super Admin, System Admin, or RBAC Admin.  See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
  •If  you plan to register a secondary Administration ISE node for high  availability, we recommend that you register the secondary  Administration ISE node with the primary first before you register other  Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence,  you do not have to restart the secondary ISE nodes after you promote the  secondary Administration ISE node as your primary.
  •If  you plan to register multiple Policy Service ISE nodes running Session  services and you require mutual failover among those nodes, you must  place the Policy Service ISE nodes in a node group. You must create the  node group first before you register the nodes because you need to  select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
  •Ensure  that the Certificate Trust List (CTL) of the primary node is populated  with the appropriate Certificate Authority (CA) certificates that can be  used to validate the HTTPS certificate of the standalone node (that you  are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
  •After  registering your secondary node to the primary node, if you change the  HTTPS certificate on the registered secondary node, you must obtain  appropriate CA certificates that can be used to validate the secondary  node's HTTPS certificate and import it to the CTL of the primary node.  See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

• Cisc ISE 1.1.3: PS not shown in Admin Node and no live authentications

  Dear folks,
  I have a distributed deployment of ISE. 4 Applicances, two are Admin and Monitoring while remaining two are Policy Server.
  Policy Nodes are showing down... But, actualy they are running and working fine. Clients are being authenticated.
  I checked the services "show application status ise", all are fine.
  Any thoughts...
  Thanks,
  Regards,
  Mubasher Sultan

  I believe that the following link would help you with your query.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1035890
  Moreover, I feel that there could be various reasons for this kind of issue, as in:
  1. Incorrect System time and NTP server settings
  2. The server certificate operations have not been performed directly on each individual node
  3. The switch is not transmitting RADIUS accounting packets (attributes) to the RADIUS server.
  The above three maybe a reason, please check and revert if they actually are the reason for PSN to be down.

• ISE and Node Groups

  Hi,
  Does anyone know if node groups are purely for policy server nodes behind a load balancer such as ACE.  If you have a pair of policy server nodes at a site with no load balancer, and both nodes configured in all NAS's can these be in a node group.
  Does anyone know if you can use a load balanced set of policy nodes with LWA and WLC.  There has to be affinity between the portal ISE and the AAA ISE configured in the WLC, these would be two different sessions one Radius and one HTTP, so the ACE would not be able to distinguish.
  Thanks.
  Gary

  Hi Pon -
  Do you mean groups of users or group of pages?
  If you mean groups of users, you can create your sub-groups as a regular groups, and then when assigning users to your Main Finance group ... add the 2 groups which are your subGroups.
  If you are talking about the Portal Page Group structure, you cannot nest page groups, but you can create pages and subpages.
  Hope this helps,
  Candace

• Oracle 11gR2 2 node RAC on Oracle Linux - can't discover

  Hi folks,
  My rac1 can't discover iscis targets on openfiler, please assist/help/guide, been stuck for quite some time :-(
  [root@rac1 send_targets]#
  [root@rac1 send_targets]# iscsiadm -m discovery -t sendtargets -p openfiler
  [root@rac1 send_targets]# ping openfiler
  PING openfiler (192.168.1.11) 56(84) bytes of data.
  64 bytes from openfiler (192.168.1.11): icmp_seq=1 ttl=64 time=0.284 ms
  64 bytes from openfiler (192.168.1.11): icmp_seq=2 ttl=64 time=0.224 ms
  64 bytes from openfiler (192.168.1.11): icmp_seq=3 ttl=64 time=0.226 ms
  64 bytes from openfiler (192.168.1.11): icmp_seq=4 ttl=64 time=0.211 ms
  ^C
  --- openfiler ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 3000ms
  rtt min/avg/max/mdev = 0.211/0.236/0.284/0.030 ms
  [root@rac1 send_targets]# iscsiadm -m discovery -t sendtargets -p 192.168.1.11
  [root@rac1 send_targets]# service iscsid status
  iscsid (pid  2446) is running...
  [root@rac1 send_targets]# uname -a
  Linux rac1.mydomain 2.6.32-100.26.2.el5 #1 SMP Tue Jan 18 20:11:49 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
  [root@rac1 send_targets]#
  If possible to just direct me to some link, I'm following this: http://www.oracle.com/technetwork/articles/hunter-rac11gr2-iscsi-088677.html#8
  But it is not telling, if it doesn't discover ... then what?
  Thanks in advance.

  Hi ,
  Did you install the iscsi-initiator-utils rpm package in all nodes? we must install this package in all rac nodes, and then discover the LUN in all nodes.
  Also try giving the ip address of openfiler instead of giving the hostname
  Regards,

• Deregistering node successful but it is still listed in deployment page

  During an upgrade to 1.1.4, one of the Policy nodes didn't deregister successfully. The Primary shows it as now a standalone, but it seems to still be a part of the distributed deployment. I upgraded the Policy node and the rest of the nodes. I tried to add (register) the Policy node back but the error says the node is already listed. Is there a way to manually delete a node via the CLI?
  Thanks

  If I understand your issue correctly, I think this is what happening. When you tried to deregister, it didn't work but secondary shows as STANDALONE on primary deployment page.
  When you try to register secondary node you're getting the following exception on screen:
  "An error occurred while registering node Large - java.net.UnknownHostException: Large"
  When you click 'Save' again you're getting the following:
  "An error occurred while registering node Large - HostConfig 'Large' already exist.; nested exception is: HostConfig 'Large' already exist."
  To perform the operations (deregistering)  you must have one of the following roles assigned: Super Admin or System Admin.
  In case the above suggestion doesn't work than we can probably look at the support bundle or reset the config.
  I don't see any command that can help us to delete the NODE from the deployment.
  http://www.cisco.com/en/US/docs/security/ise/1.0/cli_ref_guide/ise10_cli_app_a.html
  Jatin Katyal
  - Do rate helpful posts -