Portal 30 EAP

Similar Messages

• Optional WEP on Autonomous AP1230

  I would like to enable a single SSID to support EAP and non-EAP clients. This is to enable non-EAP clients to be directed to a captive login portal, and EAP clients to go directly to the network.
  I am able to make EAP optional for authentication, but can't seem to make WEP optional. (WEP is probably not the end-game, but I'm trying to get the lowest common denominator working)
  my configuration contains:
  dot11 ssid MYSSID
  authentication open optional eap EAPAUTH
  guest-mode
  interface Dot11Radio0
  encryption mode wep optional
  This works fine for users using Open authentication, and no encryption.
  Users using Open authentication, with 802.1x and WEP encryption are not able to associate with the AP, and I never even see an authentication/association attempt.
  Thanks in advance.

  You may be out of luck. According to an older document at http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml, there's the following specific statement about static WEP and EAP:
  Q. In Cisco IOS Software-based APs, can you run static Wired Equivalent Privacy (WEP) keys and Extensible Authentication Protocol (EAP) together on the same AP for authentication? This has worked with VxWorks-based APs.
  A. No, you cannot run static WEP keys for encryption and EAP for authentication in the same service set identifier (SSID). VxWorks has allowed this configuration because of software vulnerability, but this ability is not a feature. What you can do is create two SSIDs and two VLANs (one per SSID). Then, configure open authentication with WEP for one SSID and EAP authentication for the other SSID.
  I would seriously consider putting in 2 SSIDs, one for EAP and one for non-EAP. Associate each with a different VLAN (required for the configuration). However, if you want them to be on the same subnet, use bridge group 1 under both subinterfaces on a radio. I think it accomplishes what you are trying to do.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• ISE Provisioning Issues - Public Certificate & EAP-TLS

  Anyone run into the issues similar to the below?:
  Public Certificate bound for HTTPS
  Internal AD Certificate Bound for EAP
  Issue is SPW or Native Supplicant will be provisioned with Root CA of Public Cert then SCEP enrolls EAP-TLS with Internal CA however as client device (ipad/iphone/android) doesnt get the Internal Root CA provisioned they will fail EAP-TLS communication
  Running ISE 1.1.2 patch2, 2 node-cluster
  Guest Portal being used for Provisioning if AD credentials passed
  Works a treat if i bind both https & eap on the Internal identity ceritficate (only issue then is Guests/BYOD devices get Certificate Warnings on the portal)
  Cheers
  Kam

  the process doesnt fail as such for the onboarding/provisioning on the iphone, however the when entering domain credentials to the guest portal which intiates the onboarding/provisioning process, i notice the root CA certificate is prompted to be installed on the iphone is that of the public certificate instead of the internal root CA, the rest of the user certificate and scep process properly completes however as the root CA for the internal CA wasnt installed i get warnings when connect to our dot1x eap-tls SSID.
  On other devices this process fails which i can only assume is down to the lack of internal root CA cert
  so as per the above im pretty much following this (differentiated access via certificates) :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  however my setup is slighlty different as the EAP & HTTPS indentity certificate is not the internal, i have installed a public cert for HTTPS to remove certificate warnings on guest portal (as BYOD devices and guests will only have non-domain machines thus a public cert removes the certificate warnings)
  does that clarify anymore?
  Cheers
  Kam

• ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

  Just a question surrounding EAP-FAST chaining (EAP-TLS inner)  and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specifiy that the username should be in a specific AD group. WIth EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

  I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
  In my deployment I am using a single SSID with the following protocols:
  EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
  EAP-TLS Machine Certs - Certs deploted via AD GPO
  EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
  EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
  My certificate profile, created in ISE, utilised the CN field in the subject for principle username. This configuration works fine for machine certs and user certifcates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
  The solution seemed obvious - create a new cert profile that utilises the SAN field of the certifcate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
  I figured that the a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specifiy a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
  The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
  I know this explantion is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

• Guest Portal - untrusted certificate

  All,
  My ISE integration is on our local domain,for example  company.local. I created a rule in the authorization policy that used a static IP address, say guest.company.com for our guests to use for the redirection. When guests get the web auth redirection to guest.company.com they are getting the untrusted certificate.
  I tried to import a certificate from our external CA, and faced errors because it didnt have the .company.local SAN. I did generate that with the CSR but my external CA doesnt give me an option to include this.
  How is this rectified so our guests hit the web portal without getting a certificate error?

  Hi Jason,
  From my experience, this is a common problem.  Typically, what I do on deployments is obtain a trusted 3rd-party signed certificate for my HTTPS usage on the ISE appliances. If you want to use your internal CA certificate to authenticate EAP for your domain computers and other sessions,  you can still do so.
  Note: Sometime in 2014 (it may already be active) the 3rd-party certificate signers are no longer going to allow .local or other internal domains on their certificates. 
  With that said, I've normally been deploying the ISE appliances with an external domain name, example, ise.company.com rather than ise.company.local.  You can setup split DNS on your network to allow ise.company.com to resolve to your internal IP.
  Hope this helps.

• Guest Wireless with Web Portal

  I have my guest wireless accepting terms through a web portal, but it seems they have to accept these terms about every 30 minutes to an hour to get access to the internet again. They are not idle, their session just stops working, and when they open a new browser it redirects them to the web portal. Is there a timer for this somewhere that I am missing?                   

  I installed v7.5 configured the sleeping client feature and I'm not getting the desired result.   My test device (Ipod model MD067LL/A) isn't being added to the sleeping clients list.  I saw the following in the configuration guide.
  The authentication of sleepling clients feature is not supported with Layer 2 security and web authentication enabled.
  I don't think that applies to my situation.
  The WLANs configuration is below.
  WLAN Identifier.................................. 4
  Profile Name..................................... xxxxxxxxxx
  Network Name (SSID).............................. xxxxxxxxxx
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
  Client Profiling Status
      Radius Profiling ............................ Disabled
       DHCP ....................................... Disabled
       HTTP ....................................... Disabled
      Local Profiling ............................. Disabled
       DHCP ....................................... Disabled
       HTTP ....................................... Disabled
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Maximum number of Clients per AP Radio........... 200
  Number of Active Clients......................... 0
  Exclusionlist.................................... Disabled
  Session Timeout.................................. 36000 seconds
  User Idle Timeout................................ 300 seconds
  Sleep Client..................................... enable
  Sleep Client Timeout............................. 8 hours
  User Idle Threshold.............................. 0 Bytes
  NAS-identifier................................... xxxxxxxxxxxxxxx
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ xxxxxxxxxx
  Multicast Interface.............................. Not Configured
  WLAN IPv4 ACL.................................... unconfigured
  WLAN IPv6 ACL.................................... unconfigured
  WLAN Layer2 ACL.................................. unconfigured
  mDNS Status...................................... Disabled
  mDNS Profile Name................................ unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  PMIPv6 Mobility Type............................. none
      PMIPv6 MAG Profile........................... Unconfigured
      PMIPv6 Default Realm......................... Unconfigured
      PMIPv6 NAI Type.............................. Hexadecimal
  Quality of Service............................... Silver
  Per-SSID Rate Limits............................. Upstream      Downstream
  Average Data Rate................................   0             0
  Average Realtime Data Rate.......................   0             0
  Burst Data Rate..................................   0             0
  Burst Realtime Data Rate.........................   0             0
  Per-Client Rate Limits........................... Upstream      Downstream
  Average Data Rate................................   0             0
  Average Realtime Data Rate.......................   0             0
  Burst Data Rate..................................   0             0
  Burst Realtime Data Rate.........................   0             0
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Global Servers
     Accounting.................................... Global Servers
        Interim Update............................. Disabled
        Framed IPv6 Acct AVP ...................... Prefix
     Dynamic Interface............................. Disabled
     Dynamic Interface Priority.................... wlan
  Local EAP Authentication......................... Disabled
  Security
     802.11 Authentication:........................ Open System
     FT Support.................................... Disabled
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Enabled
        WPA (SSN IE)............................... Disabled
        WPA2 (RSN IE).............................. Enabled
           TKIP Cipher............................. Disabled
           AES Cipher.............................. Enabled
                                                                 Auth Key Management
           802.1x.................................. Disabled
           PSK..................................... Enabled
           CCKM.................................... Disabled
           FT-1X(802.11r).......................... Disabled
           FT-PSK(802.11r)......................... Disabled
           PMF-1X(802.11w)......................... Disabled
           PMF-PSK(802.11w)........................ Disabled
        FT Reassociation Timeout................... 20
        FT Over-The-DS mode........................ Disabled
        GTK Randomization.......................... Disabled
        SKC Cache Support.......................... Disabled
        CCKM TSF Tolerance......................... 1000
     WAPI.......................................... Disabled
     Wi-Fi Direct policy configured................ Disabled
     EAP-Passthrough............................... Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Disabled
     Web-Passthrough............................... Enabled
          IPv4 ACL........................................ Unconfigured
          IPv6 ACL........................................ Unconfigured
          Web-Auth Flex ACL............................... Unconfigured
          Email Input..................................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     FlexConnect Local Switching................... Enabled
     flexconnect Central Dhcp Flag................. Disabled
     flexconnect nat-pat Flag...................... Disabled
     flexconnect Dns Override Flag................. Disabled
     flexconnect PPPoE pass-through................ Disabled
     flexconnect local-switching IP-source-guar.... Disabled
     FlexConnect Vlan based Central Switching ..... Disabled
     FlexConnect Local Authentication.............. Disabled
     FlexConnect Learn IP Address.................. Disabled
     Client MFP.................................... Disabled
     PMF........................................... Disabled
     PMF Association Comeback Time................. 1
     PMF SA Query RetryTimeout..................... 200
     Tkip MIC Countermeasure Hold-down Timer....... 60

• Cisco ISE Guest portal - smart card login

  Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Setting UP Captive Portal ON 5508 WLC

  Dear All,
  I do know that captive portal could be setup on cisco 5508, such that internet users could login as follows:
  Username, password , login duration  etc.
  however i would like to know whether the above configuration would work with just 5508 and MS Active directory.or do we need any other device to achieve this.
  secondly can we upload a customised login web page from which users can login and gain access to the internet ?
  Jude.

  1. i would like to know whether the above configuration would work with just 5508 and MS Active directory
  Yes, you would need to configure an LDAP server on the WLC pointed to your MS AD, binding properly.  Then, make sure your L3 authentication priority is configured to query LDAP first.  This works pretty well in a L3 web-auth scenario, but is limited when using LOCAL EAP
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
  2. can we upload a customised login web page from which users can login and gain access to the internet ?
  Yes; start by downloading the webauth_bundle.zip for your respective release/platform. 
  http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1049404

• EAP and iPhone

  Hi,
  I have a BYOD setup that is working well except one thing that is enoying, I cant get iOS device's to trust the ISE server certificate.
  Tested on 2 iPads and 2 iPhones.
  When runing Wireshark from a Mac I can see the certificate chain in the TLS packet coming from ISE and my Mac is accepting this with out problem, same for a Win 8 test machine.
  In this document under The Trust Chain, Apple writes:
  'The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server’s certificate'
  Could it be that iOS devices ignore the cert. chain in a EAP packet?

  The trusted CAs only come into effect when navigating to web portals. Because the user is actually initiated a browser session to a secure site where the url is entered.
  With eap authentication this behavior is different. When a user sends their credentials the supplicant on the iphone automatically prompts the client to validate the radius server identity. It will also show you that the identity is trusted, but it will still prompt the user by informing them that their credentials are being forwarded to a specific radius server.
  You can also verify this by using a windows machine, if you set the supplicant to "validate the server certificate" but leave the certificate entries unchecked, you will still be prompted to validate the radius server's identity.
  Thanks,
  Tarik Admani
  Sent from Cisco Technical Support iPad App

• Is local EAP + Web Authentication possible in Auto Anchor Configuration

  Hi,
  I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
  Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller?  If so, are you able to point me in the direction of a user guide to implement.
  I found the following document which describes local EAP configuration . Would this work with Web Authentication?
  Thanks

  so, kinda but no.  EAP is a layer 2 authentication that uses encryption as well.
  WebAuth is a layer3 authentication only.
  Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
  I'm not really sure what you are looking to do based on your post.
  Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
  HTH,
  Steve

• Error Log during logon of RAR 5.3 Portal - please help

  Hi Experts,
  We are unable to login into the CC portal [GRC RAR 5.3]. The login screen is appearing again and again without logging into the CC portal
  Below is the log file which we are getting and we understand that the product is not responding properly to the application
  Can somebody please help us in resolving this at the earliest
  Thanks in Advance
  Best Regagards,
  Srihari.K
  Date : 12/05/2008
  Time : 2:38:16:008
  Message : Exception of type com.sap.sql.log.OpenSQLException caught: Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?"..
  [EXCEPTION]
  com.sap.sql.log.OpenSQLException: Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?".
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setNull(CommonPreparedStatement.java:303)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:509)
       at com.sap.sql.sqlj.runtime.profile.ref.RTStatementJDBCPrepared.setString(RTStatementJDBCPrepared.java:359)
       at com.virsa.cc.xsys.mgmreport.dao.sqlj.MGMTotalDAO.getResult(MGMTotalDAO.sqlj:63)
       at com.virsa.cc.ui.RARiskVGraph.refreshData(RARiskVGraph.java:476)
       at com.virsa.cc.ui.RARiskVGraph.wdDoInit(RARiskVGraph.java:130)
       at com.virsa.cc.ui.wdp.InternalRARiskVGraph.wdDoInit(InternalRARiskVGraph.java:191)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doInit(DelegatingView.java:61)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
       at com.sap.tc.webdynpro.progmodel.view.View.initController(View.java:445)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.progmodel.view.InterfaceView.initController(InterfaceView.java:43)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.doOpen(WebDynproWindow.java:295)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.show(ApplicationWindow.java:183)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.open(ApplicationWindow.java:178)
       at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:364)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Severity : Error
  Category : /System/Database/sql/jdbc/common
  Location : com.sap.sql.jdbc.common.CommonPreparedStatement
  Application : sap.com/tcwddispwda
  Thread : SAPEngine_Application_Thread[impl:3]_32
  Datasource : 1666450:/apps/usr/sap/HLG/JC00/j2ee/cluster/server0/log/defaultTrace.trc
  Message ID : 0003BAF96A51006E0000001F0000265200045D4A46588084
  Source Name : com.sap.sql.jdbc.common.CommonPreparedStatement
  Argument Objs : com.sap.sql.log.OpenSQLException,Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?".,com.sap.sql.log.OpenSQLException: Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?".
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setNull(CommonPreparedStatement.java:303)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:509)
       at com.sap.sql.sqlj.runtime.profile.ref.RTStatementJDBCPrepared.setString(RTStatementJDBCPrepared.java:359)
       at com.virsa.cc.xsys.mgmreport.dao.sqlj.MGMTotalDAO.getResult(MGMTotalDAO.sqlj:63)
       at com.virsa.cc.ui.RARiskVGraph.refreshData(RARiskVGraph.java:476)
       at com.virsa.cc.ui.RARiskVGraph.wdDoInit(RARiskVGraph.java:130)
       at com.virsa.cc.ui.wdp.InternalRARiskVGraph.wdDoInit(InternalRARiskVGraph.java:191)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doInit(DelegatingView.java:61)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
       at com.sap.tc.webdynpro.progmodel.view.View.initController(View.java:445)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.progmodel.view.InterfaceView.initController(InterfaceView.java:43)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.doOpen(WebDynproWindow.java:295)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.show(ApplicationWindow.java:183)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.open(ApplicationWindow.java:178)
       at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:364)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Arguments : com.sap.sql.log.OpenSQLException,Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?".,com.sap.sql.log.OpenSQLException: Cannot assign NULL to host variable 1. setNull() can only be used in INSERT and UPDATE statements. The statement is "SELECT MIN("YEARMONTH") "YEARMONTH",MIN("VIOLTYPE") "VIOLTYPE",MIN("VSYSKEY") "VSYSKEY",MIN("ANLTYPE") "ANLTYPE",MIN("USERGROUP") "USERGROUP",SUM("TOTCOUNT") "TOTCOUNT",SUM("RISKLOW") "RISKLOW",SUM("RISKMED") "RISKMED",SUM("RISKHIGH") "RISKHIGH",SUM("RISKCRT") "RISKCRT",SUM("URNONE") "URNONE",SUM("URLOW") "URLOW",SUM("URMED") "URMED",SUM("URHIGH") "URHIGH",SUM("URCRT") "URCRT",SUM("URMIT") "URMIT",MAX("TOTCRTCD") "TOTCRTCD",SUM("CRTCD") "CRTCD",MAX("TOTCRROLE") "TOTCRROLE",SUM("CRROLE") "CRROLE",SUM("TOTUSER") "TOTUSER",MIN("RUNDATE") "RUNDATE" FROM "VIRSA_CC_MGMTTOT" WHERE "YEARMONTH" = ? AND "VIOLTYPE" = ? AND "VSYSKEY" LIKE ? AND "ANLTYPE" = ? AND "USERGROUP" LIKE ?".
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:85)
       at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:124)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setNull(CommonPreparedStatement.java:303)
       at com.sap.sql.jdbc.common.CommonPreparedStatement.setString(CommonPreparedStatement.java:509)
       at com.sap.sql.sqlj.runtime.profile.ref.RTStatementJDBCPrepared.setString(RTStatementJDBCPrepared.java:359)
       at com.virsa.cc.xsys.mgmreport.dao.sqlj.MGMTotalDAO.getResult(MGMTotalDAO.sqlj:63)
       at com.virsa.cc.ui.RARiskVGraph.refreshData(RARiskVGraph.java:476)
       at com.virsa.cc.ui.RARiskVGraph.wdDoInit(RARiskVGraph.java:130)
       at com.virsa.cc.ui.wdp.InternalRARiskVGraph.wdDoInit(InternalRARiskVGraph.java:191)
       at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doInit(DelegatingView.java:61)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
       at com.sap.tc.webdynpro.progmodel.view.View.initController(View.java:445)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.progmodel.view.InterfaceView.initController(InterfaceView.java:43)
       at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bind(ViewManager.java:555)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:724)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
       at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
       at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.doOpen(WebDynproWindow.java:295)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.show(ApplicationWindow.java:183)
       at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.open(ApplicationWindow.java:178)
       at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:364)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
       at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
       at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
       at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
       at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Dsr Component : n/a
  Dsr Transaction : d2d9c100c2b811dd9eb60003baf96a51
  Dsr User :
  Indent : 0
  Level : 0
  Message Code : com.sap.sql_0019
  Message Type : 1
  Relatives : /System/Database/sql/jdbc/common
  Resource Bundlename :
  Session : 92
  Source : com.sap.sql.jdbc.common.CommonPreparedStatement
  ThreadObject : SAPEngine_Application_Thread[impl:3]_32
  Transaction :
  User : ac_admin

  Hi,
  The shear length  of your post is frightening - this would keep many potential replies away !!
  What i woudl recommend is --> Open an OSS messgae ! This would resolve your problem !!
  Thanks

• HOW TO SET UP PARTNER APPLICATION TO USE SSO OUTSIDE OF PORTAL

  If anyone knows how Portal switches context to run as the db user mapped to the lightweight schema and how it knows the db schema password please let me know.
  Should you have any queries please do not hesitate to contact me on 07775 896738.
  From document Oracle Portal Security Overview on PortalStudio.oracle.com:
  In Single Sign On mode (EnableSSO=Yes in the DAD), mod_plsql determines the name of the light-weight user and mapped database schema by calling
  WPG_SESSION_PRIVATE.GET_LW_USER and WPG_SESSION_PRIVATE.GET_DB_USER respectively.
  ** These calls are done using the Portal Schema (PORTAL30) and Portal schema password **
  mod_plsql then executes the procedure in the requested URL by using the N-Tier Authentication feature to connect to the database as the user returned from
  WPG_SESSION_PRIVATE.GET_DB_USER. ..... Note that N-Tier Authentication requires all schemas to be used for Portal user mappings to be granted 'connect
  through' privleges to the Portal schema (PORTAL30).
  The WWCTX packages are also used.
  So this is how it works with standard Portal
  - the document states that the WPG_SESSION_PRIVATE package is only accessible to the Portal schema
  - but I checked and it is also available to PORTAL30_SSO
  SQL> desc WPG_SESSION_PRIVATE
  PROCEDURE CREATE_SESSION
  Argument Name Type In/Out Default?
  P_COOKIE_NAME VARCHAR2 IN
  FUNCTION GET_DB_USER RETURNS VARCHAR2
  FUNCTION GET_LW_USER RETURNS VARCHAR2
  PROCEDURE GET_SESSION_INFO
  Argument Name Type In/Out Default?
  NUM_PARAMS NUMBER OUT
  PARAM_NAMES TABLE OF VARCHAR2(32000) OUT
  PARAM_VALUES TABLE OF VARCHAR2(32000) OUT
  PROCEDURE RESET_SESSION
  Argument Name Type In/Out Default?
  P_COOKIE_NAME VARCHAR2 IN
  In my case only the Login Server (PORTAL30_SSO) is going to be used/installed
  - the SAMPLE_SSO_PAPP application will only work if the DAD used to access is it set to use Basic authentication, i.e. the actual integration with the Login Server
  is done in the sample application code calls, stored in the database
  - when a DAD has enableSSO=yes it automatically accesses Portal (PORTAL30) packages to implement N-Tier authentication
  I'm currently testing:
  1. Configuring the SAMPLE_SSO_PAPP sample as documented with a DAD with Basic authentication
  2. Amending the ssoapp procedure to set context to another (db) user on successful authentication:
  wwctx_api.set_context (
  p_user_name => 'SCOTT',
  p_password => 'TIGER' );
  3. If this works then set_context with get_lw_user instead
  I have now amended the ssoapp procedure as follows to print out
  1. The userid entered when the login box is presented
  2. The Database user which the Portal Lightweight user is mapped to
  3. The Lightweight user Portal has used for authentication
  Amendments to papp.pkb:
  (ssoapp procedure, declare db_user_info and lw_user_info as VARCHAR2 in declare section)
  htp.p('Congratulations! It is working!<br>');
  db_user_info := wwctx_api.get_db_user;
  lw_user_info := wwctx_api.get_user;
  htp.p('User Information:' || l_user_info || '<br>');
  htp.p('DB User Information:' || db_user_info || '<br>');
  htp.p('LW User Information:' || lw_user_info || '<br>');
  The following shows the interesting results from my testing:
  - if the user owning the sample_sso_papp package is PORTAL30_SSO then the call to wwctx_api.get_db_user succeeds
  - if the user owning the sample_sso_papp package is a non-portal schema e.g. SSOAPP below the call to wwctx_api.get_db_user generates a User Defined exception
  Steps to test:
  Created new schema SSOAPP on the database
  - edited it in Portal and checked the use this schema for Portal users checkbox
  - created new Lightweight user SSO_LW in Portal, mapped it to SSOAPP schema
  - created new Lightweight user SSO_SCOTT in Portal, mapped to SCOTT schema
  - loadjava -user ssoapp/ssoapp@portal30 SSOHash.class
  - sqlplus portal30/portal30@portal30
  @provsyns ssoapp
  - sqlplus ssoapp/ssoapp@portal30
  @loadsdk.sql
  @loadpapp.sql
  Created DAD with basic authentication SAMPLE_SSO_PAPP
  - username: ssoapp
  - default home page: sample_sso_papp.ssoapp
  Registered the Sample SSO Partner Application with the Login Server and ran regapp.sql
  Commented out the calls to get_db_user in papp.pkb to avoid exception
  - called http://<server>/pls/sample_sso_papp
  - logged on as SSO_LW/sso_lw
  - got output:
  Congratulations! It is working!
  User Information: SSO_LW
  LW User Information: PUBLIC
  So the Portal lightweight user is not returned as SSO_LW
  if anyone knows why the Lightweight User in my test is returned as PUBLIC not SSO_LW
  Best Regards
  MIchael

  http://support.mozilla.com/en-US/kb/Changing+the+e-mail+program+used+by+Firefox

• SSO to ECC (without java stack), BI (on NetWeaver), & Portal

  I have a client that wants to configure their SAP systems in such a way so that the users sign onto their Windows workstations, are authenticated by Windows Active Directory and from then on they can sign on directly to an ECC ABAP instance, a BI instance, and an SAP Portal without having to supply a user/password combination again. (We already have SSO setup for users access some BI reports through the Portal, but in this case we want to setup direct access to the ECC and BI systems without necessarily going through the Portal environment).
  The servers are running HP-UX, the clients Windows XP, and the AD system is running under Windows 2003.
  Is this possible without using a third-party tool and if so,can anyone point me to the appropriate documentation (I've done a lot of searching, but can't find anything).
  Thanks in advance!

  I am sure this has been done before and often discussed here?
  Take a look in the FAQ thread at the top of the forum for a general overview discussion of SSO. If you keep an eye out for the note numbers, terms used and those folks who contributed to it when searching, then I am sure will find plenty of infos to start with.
  Specific vendor evaluation details and comparisons (outside of the technical realm) are generally not provided, as the 3rd parties are generally competitors...
  Cheers,
  Julius