Policy Studio to LDAP Repository with WSS Password Digest for Authn
Hi,
We are trying to connect to an external LDAP user repository from OEG for authentication. This is configured via Policy Studio.
Our services are secured with WSS UsernameToken with password digest.
However, the list of available Repositories is limited to Local Repositories. I can't see the LDAP repository that I've added. But when I select clear password, I can see all repositories, including the LDAP repository. Is password digest not supported?
Hope someone could help!
Thanks!
Thanks Patrick! That thread helped. I got the proxy service to use the customized WS-Policy.
Do you know of any tool to create the password digest given a plain-text password? Also, is there any particular algorithm that WebLogic uses to store the digest in the authenticator? I am currently using soapUI as a client for unit-testing purposes. I tried supplying the WSS header with the built-in 'Add WSS Username Token' feature in soapUI. It adds the username, password digest, nonce and created date. However, I get the 'Failed to assert identity with UsernameToken' exception in the log. The request never gets through.
Edited by: SOAer on Apr 8, 2011 9:07 AM
Similar Messages
-
LDAP authentication with MD5 passwords
Hi,
On one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine and move the passwords to an LDAP database.
I know it is to be done with the {crypt} storage scheme.
This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read, however, that crypt() in Solaris 9 does support MD5.
Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
Thanks in advance,
Kristof
-
Site Studio Publishing Utility fails with HTTP response 403 for URL
Just installed Publisher with Subscription Client. The two pieces seem to work together until I start a replication. Then I get the following a number of times and it stops.
IOException: Server returned HTTP response code: 403 for URL: http://localhost:9180/MTKRSite/groups/public/documents/web_content/002310.htm
If the Publisher is trying to get content item 002310, there isn't one there.
In the Publisher directory offers I see the web site but no content.
I am really confused because I cannot figure out why it would try to get content 002310.
Thanks for any help.
Art
The problem is now solved. For those that are using the product, here is a hint of where to look.
In the Oracle Site Studio Publishing Utility\offers\31 directory there is a file urlmap.txt. urlmap.txt has all the URLs that are going to be retrieved. If the publishing utility cannot get a file, then look into this file and see why it is trying to retrieve it. If necessary, a filterset that excludes the missing file can be coded in the sitestudo.config file. -
FTP for Guest with no password asks for password
Greetings,
I have File Sharing turned on and FTP on, and Guest login and sharing on in Accounts.
When I enter ftp:// and my IP in a browser, I get prompted for a User Name and Password. I enter Guest and no password, and it says Password Required, but there is no password.
How do I connect as Guest?
Thanks
What is your router model number?
so all this time you never set a password for your wireless network? @_@ -
How to ZIP a PDF File with a Password Protection
Hi,
I've a PDF file created with Smartforms and I want to assign a password to that PDF file, but SAP doesn't allow that protection. So I want to create a password-protected zip file for the PDF file.
How can I create a zip file with password protection? Can somebody help me please?
Thanks.
Hello,
Check these links.
Take a look at the class CL_ABAP_GZIP
* open (top-)zip-archive
DATA lo_zip TYPE REF TO cl_abap_zip.
CREATE OBJECT lo_zip.
CALL METHOD lo_zip->load
  EXPORTING
    zip             = lv_zip_file_head
  EXCEPTIONS
    zip_parse_error = 1
    OTHERS          = 2.
* create sub-zip-archives which contain the files you would assign to a folder
* add sub-zip-archive to top-zip-archive
CALL METHOD lo_zip->add
  EXPORTING
    name    = lv_zip_filename
    content = lv_zip_file.
* save zip-archive
CALL METHOD lo_zip->save
  RECEIVING
    zip = ev_zip_file.
ABAP Development
How to ZIP a PDF file email attachment
Re: How to ZIP a PDF file email attachment -
How to retrieve all the users along with their password from LDAP
Hello,
Can anyone let me know how to retrieve and list all the users along with their passwords from LDAP.
Thanks
Hi Prashant,
I have limited experience with Synchronization, but I agree with you - if you need to synchronize passwords, you need to have the password in clear text.
If you are trying to build your own synchronization solution using any of the available LDAP APIs, I don't think you can ever retrieve a user's password in clear text.
However, I did come across an interesting article & I hope you find it useful :-
http://www.oracle.com/technology/obe/obe_as_10g/im/configssl/configssl.htm
I am not sure if SSL is necessary - If you have a look at Metalink Note 277382.1 ( How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD) ), the question asked by oidspadi.sh for the same is answered as "N".
Regards,
Sandeep -
Replacing Certificates of Solaris Studio IPS Repository with New Ones
Hi Steve,
When I accessed the IPS Package Repository just now at https://pkg-register.oracle.com/, I did not see the solarisstudio repository. Before the website revamp, I was still able to access the Installation Instructions for Key and Certificates needed to set up Solaris Studio IPS Repository (I have previously requested access to solarisstudio IPS Repository). My SSL Certificate for solarisstudio will expire in less than 1 month's time.
Hence, I have some questions:
1. How can I re-install the new certificates for solarisstudio IPS Repository to replace the old ones?
2. Will the upcoming version 12.4 be made available in the solarisstudio IPS Repository? Will patches be supported for Solaris Studio packages installed via IPS Repository?
Regards,
Brian
Hi Darryl Gove,
My current view at https://pkg-register.oracle.com/ does not have Oracle Solaris Studio (see screenshot below), which is strange considering that I have already requested access to Oracle Solaris Studio IPS Repository from the same website before. Right now, I can only see Oracle Solaris Cluster 4 Repository. The Certificate only shows my renewed certificate and from there, I only have the Download Key and Download Certificate buttons. Could you help me to check on this issue? Thanks.
Regards,
Brian -
Solaris 10 openldap authentication with md5 passwords
Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
and for ssh:
Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1 server_policy debug
login auth required /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1 use_first_pass
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1 server_policy
other auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other auth required pam_unix_auth.so.1 use_first_pass debug
passwd auth sufficient pam_passwd_auth.so.1 server_policy
passwd auth required /usr/lib/security/pam_ldap.so.1 debug
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1 server_policy
other account required /usr/lib/security/pam_ldap.so.1 debug
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
*/etc/ldap.conf*
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5
*/etc/nsswitch.conf*
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
*/etc/security/policy.conf*
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
Thanks in advance for any response...!!
Thank you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with: Base64-encoded MD5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==
Thanks again for any help.. -
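Both MD5 threads above (the DS 5.2 / Solaris 8 one and this Solaris 10 openldap one) quote the "{md5}" userPassword form; the Python below is an added example, not code from either thread or from OpenLDAP or Directory Server, that generates and verifies RFC 2307-style {MD5}, {SHA} and {SSHA} values and lists which accounts still use an unsalted scheme. {CRYPT} values are deliberately left to crypt(3), since that is exactly where the Solaris 8 versus 9 MD5 difference lives. Passwords, salts and uids here are constructed.

```python
"""RFC 2307-style LDAP userPassword values: generate and verify {MD5}, {SHA}
and {SSHA}. Added example, not OpenLDAP's or Directory Server's own code.

{MD5} / {SHA}: Base64 of the raw, unsalted digest of the password (the
"Base64 encoded md5" form quoted above: 16 bytes -> 24 Base64 chars).
{SSHA}: Base64 of SHA-1(password + salt) followed by the salt bytes.
{CRYPT}: crypt(3) output, verified by the host's crypt(); whether an MD5
($1$) hash works there is a property of the OS, which is the Solaris 8 vs 9
question in the thread. Not handled here.
"""
import base64
import hashlib
import hmac
import os

_UNSALTED = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def split_scheme(value: str):
    """'{md5}2FeO34RYzgb7xbt2pYxcpA==' -> ('MD5', 16 raw bytes). Scheme is case-insensitive."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {scheme} prefix: " + value)
    scheme, _, b64 = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(b64, validate=True)


def make_userpassword(scheme: str, password: str, salt: bytes = None) -> str:
    """Build a userPassword value; salt is only used (and generated) for SSHA."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in _UNSALTED:
        raw = _UNSALTED[scheme](pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches stored; False for a wrong password, a malformed
    value, or a scheme this example does not implement ({CRYPT}, {CLEARTEXT})."""
    try:
        scheme, raw = split_scheme(stored)
    except ValueError:            # includes binascii.Error from bad Base64
        return False
    pw = candidate.encode("utf-8")
    if scheme in _UNSALTED:
        expected = _UNSALTED[scheme](pw).digest()
    elif scheme == "SSHA":
        expected, raw = hashlib.sha1(pw + raw[20:]).digest(), raw[:20]
    else:
        return False
    return hmac.compare_digest(expected, raw)


def unsalted_accounts(entries: dict) -> list:
    """Audit helper: uids whose userPassword uses an unsalted {MD5}/{SHA} scheme,
    the ones worth migrating to a salted scheme on the directory side."""
    flagged = []
    for uid, value in entries.items():
        try:
            scheme, _ = split_scheme(value)
        except ValueError:
            continue
        if scheme in _UNSALTED:
            flagged.append(uid)
    return sorted(flagged)
```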
Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
Any pointer to Step by step instruction on to how to set up LDAP realm
for Access Control with Weblogic integration 7
In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please back up your original config.xml file. Then, you can start configuring
the realms. You can do this by modifying the config.xml file, or through the WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
from the pull-down combo box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” -> “Users”, and “Compatibility Security” -> “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
7) Start your Worklist to execute the workflow. Also, when you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance. -
Problem with username/password using SQLAuthenticator
I want to setup SQLAuthenticator but authentication is refused because wrong username/password.
I am using JDev Studio Edition Version 11.1.2.1.0 with integrated WLS.
As a base I take this two URLs:
http://weblogic-wonders.com/weblogic/2010/03/11/configuring-sql-authenticator-with-weblogic-server/ and
http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html
1. I create db tables (default table names for SQLAuthenticator), but don't fill users and groups - OK
2. In WLS I create new SQLAuthenticator Authentication provider inside default realm myrealm - OK
3. I put this provider to the top among all three providers
4. In JDev I configure ADF Security - define Enterprise Roles to matching to the names in GROUPS table of SQLAuthenticator - ??
5. I Define Application users and roles and setup Resource grants
6. I run my application
7. In database tables USERS, GROUPMEMBERS, GROUPS I can see users and roles from Jdev, that means, at deploy time, this tables are filled too
8. In WLS I can see Users and Groups under myrealm which are transferred at deploy time and mirror USERS, GROUPMEMBERS, GROUPS
9. In USERS table I can see password is encrypted by {SHA-1}
But when try to login I am always rejected with "Invalid username or password".
Before setting up SQLAuthenticator (only default options) the logins were successful, so the application should be OK.
I tried also with Plaintext Passwords Enabled and put into USERS table an unencrypted password, but without success.
I can confirm that the SQLAuthenticator mechanism actually gets the password from USERS table. I replaced the default SQL for getting the password from
SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?
to
select get_pwd(?) as U_PASSWORD from dual. In my get_pwd PL/SQL function I perform logging, and I can see that this function was called.
So the problem is in WLS when comparing passwords.
Any suggestions, where to start digging?
Regards,
Sašo
Edited by: Sašo C. on 5.10.2011 7:26
Edited by: Sašo C. on 5.10.2011 7:32
The problem is solved! Crucial was the hint from http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html:
The Control Flag for my new SQLAuthenticator Authentication provider must be changed from Optional to Sufficient AND
the Control Flag for existing DefaultAuthenticator must be changed from Required to Sufficient!
It seems that before SQLAuthenticator took password from USERS table, but didn't use it in the authentication process.
Regards,
Sašo -
I am running OS X 10.7.5 on a MacBook. I have been using all the apps fine and not changed anything or run any software updates; suddenly my Mail does not think it can connect with the outgoing server for iCloud and requests my password, which I give, but it repeatedly asks again and again. I have tried re-setting all the mail for iCloud up again, and it thinks it's OK, except the box keeps flagging up "can't access outgoing server". I have checked it all a number of times, and I can access the iCloud stuff including mail from HTTP when I log in there. Anyone know why my Mac will not accept my iCloud password? Suddenly I cannot get any iCloud mail in or out, but I changed nothing. Why does it do this and why can't I fix it?
No carrier "automatically" unlocks at end of contract - many won't do it at all, even if requested. I don't know what your carrier's policy is since you didn't say what country you're in.
However, if I understand you correctly, you didn't change carriers so it doesn't matter if it was unlocked or not. Try the following steps, as needed:
1. Reset phone - press both home and sleep/wake buttons for at least 19 seconds until the Apple logo appears
2. Settings > General > Reset > Reset Network Settings
3. Restore phone in iTunes using a backup
4. Replace SIM card (don't care what Telstra says)
5. Restore phone in iTunes as new, without using a backup
6. Take phone to Apple. -
OS: Windows Server 2008 R2 Enterprise
Domain Level: 2008
Forest Level: 2000
We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?
Do you have a fine-grained password policy? If not, by default all the users are affected by the domain-level password policy, even domain admins.
Regards~Biswajit
-
I need to create a SQL LOGIN with weak password.
Is there a way to change the password policy or bypass for a specific LOGIN ?
I've tried this:
Is there a way to change the password policy or bypass for a specific LOGIN ?
SQL Azure doesn't allow the CHECK_POLICY clause. See
https://msdn.microsoft.com/en-us/library/ms189751.aspx
Why would you want to create a weak password? I think the CHECK_POLICY option is intended only for legacy applications.
Dan Guzman, SQL Server MVP, http://www.dbdelta.com -
How to consume Web Service with Password digest from PLSQL
We have Oracle 10g (10.2.0.3.0) 64 bit. We have a situation where we need to consume web service whose security header looks like as follow,
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-50">
<wsse:Username>weblogic</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">d2enK45chjBPVvvukbYU6OX56kI=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YAhEtLJfp4lzycLd3hZYjQ==</wsse:Nonce>
<wsu:Created>2013-01-22T06:28:38.897Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Here we need the password digest, Nonce and Timestamp.
How to create the password digest from PL/SQL? Or if any other alternatives are available, please respond soon.
I do not see why it will not be possible to do digest authentication with a web server using PL/SQL.
As for the digest password - the web server supplies a token (a nonce) which you need to use for creating the hashed authentication token (the digest password). The URL I posted explains this authentication process.
As for the technical how-to in PL/SQL - as I mentioned, never had to do this (only dealt with Basic and NTLM authentication thus far). But as other auth methods (such as Microsoft's NTLM) can be implemented, I do not see why digest authentication could not.
Suggest you spend some time googling for technical articles/sample code on the subject - and try to find specific PL/SQL related sample code too. -
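The password digest asked about in the opening OEG thread and in this PL/SQL thread is defined by the OASIS UsernameToken Profile 1.0 as Base64(SHA-1(nonce + created + password)); the Python below is an added example, not code from either thread, soapUI or WebLogic, showing the client-side generation and a server-side check with freshness and nonce-replay handling. The verifier has to recompute the digest from the user's plaintext password, which is why a repository that holds only password hashes cannot validate digest tokens. The username, password, five-minute window and in-memory nonce cache are constructed assumptions.

```python
"""WS-Security UsernameToken PasswordDigest: what the client sends and how a
server checks it. Added example, not code from the forum threads.

OASIS UsernameToken Profile 1.0:
    PasswordDigest = Base64( SHA-1( nonce_bytes + created + password ) )
nonce_bytes are the raw (Base64-decoded) nonce bytes; created is the wsu:Created
text exactly as it appears in the header.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone


def parse_created(created: str) -> datetime:
    """Parse wsu:Created (UTC xsd:dateTime, with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported Created format: " + created)


def make_password_digest(nonce_b64: str, created: str, password: str) -> str:
    """The value a client (e.g. soapUI 'Add WSS Username Token') puts in wsse:Password."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now=None) -> dict:
    """Client side: fresh random nonce, millisecond Created, digest over all three."""
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": make_password_digest(nonce_b64, created, password)}


class DigestVerifier:
    """Server side. Recomputing the digest needs the user's plaintext password,
    so a store holding only one-way hashes (LDAP {md5}, {SHA}) cannot validate
    digest tokens; only a repository with recoverable passwords can."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self._passwords = passwords      # constructed username -> plaintext store
        self._freshness = freshness      # accepted clock skew around Created
        self._seen_nonces = set()        # replay cache; bound/expire it in production

    def verify(self, token: dict, now: datetime) -> bool:
        password = self._passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = parse_created(token["Created"])
            nonce_b64, sent = token["Nonce"], str(token["PasswordDigest"])
            base64.b64decode(nonce_b64, validate=True)   # reject malformed nonce early
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self._freshness:   # stale or future-dated token
            return False
        if nonce_b64 in self._seen_nonces:          # same nonce seen before: replay
            return False
        expected = make_password_digest(nonce_b64, token["Created"], password)
        if not hmac.compare_digest(expected.encode("ascii"), sent.encode("utf-8")):
            return False
        self._seen_nonces.add(nonce_b64)
        return True
```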
Securing a BPEL Process with username/password in 10g
securing a BPEL Process with username/password in 10g
use OWSM gateways..
create a gateway and define your policy in the gateway