Portal Integration with PKI and CAC

Hi, I'm hoping someone can point me in the right direction. I need to integrate 10g AS Rel 2 Portal and SSO with client-side PKI certs, specifically NMCI (Navy) CACs. Has anybody done this? I'm trying to find out just how much we can integrate; I'd like to be able to parse info on the server side, such as the username, and supply it to the SSO server so that the user only has to enter a PIN.
thanks!
Aaron

For anyone else who can't view the website (yeah, sorry about that... I do try to keep it family-friendly :) ), the following code should allow you to map your PKI certificate's username to any arbitrary user in Oracle Internet Directory:
<blockquote>/*
 * FILE:
 *   SSOCertMapperCustom.java
 * DESCRIPTION:
 *   Use this to map your Certificate's CN to an arbitrary field in OID.
 */
package oracle.security.sso.server.auth;

import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.IPASUserInfo;
import oracle.security.sso.ias904.toolkit.IPASUserMappingInterface;
import oracle.security.sso.ias904.toolkit.IPASException;

/*
 * The following classes must be imported to perform LDAP searches using the pre-configured
 * OC4J connections.
 */
import oracle.ldap.util.*;
import oracle.ldap.util.jndi.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.io.*;

public class SSOCertMapperCustom implements IPASUserMappingInterface
{
    // Name of the request attribute under which the container exposes the client certificate chain.
    private static final String X509_CERT_CLASS = "javax.servlet.request.X509Certificate";

    private InitialDirContext _context;
    private Subscriber _mysub;

    /*
     * Configuration for this Plugin
     */
    private static final String _oid_attribute   = "description";
    private static final String _oid_host        = "localhost";
    private static final String _oid_port        = "389";
    private static final String _oid_search_base = "dc=domain,dc=com";

    public SSOCertMapperCustom()
    {
        try
        {
            // Notice that this will only bind anonymously...
            _context = ConnectionUtil.getDefaultDirCtx( _oid_host, _oid_port, "", "" );
            _mysub   = new Subscriber( _context, Util.IDTYPE_DN, _oid_search_base, false );
        }
        catch( Exception e )
        {
            System.out.println( " * * * * There appears to be some kind of problem in the c'tor: " + e );
        }
    }

    /*
     * Use this method to strip out the "cn=" attribute from the DN provided.
     */
    private String getUserCn( String inputDn )
    {
        // In this example, the user certificate DN format is:
        // CN=,CN=users,DC=acme,DC=com
        // Get the first common name (CN) value as directory nickname
        int l_indx1 = inputDn.indexOf( '=' );
        int l_indx2 = inputDn.indexOf( ',', l_indx1 + 1 );
        if( l_indx2 < 0 )
        {
            l_indx2 = inputDn.length();   // single-RDN DN: take everything after the '='
        }
        return inputDn.substring( l_indx1 + 1, l_indx2 );
    }

    /*
     * This method returns user information derived from the user certificate
     * @param request The HttpServletRequest request object
     * @return IPASUserInfo object that contains user directory nickname and
     *         optionally realm nickname obtained from the user certificate
     * @exception IPASException if user information can not be obtained
     */
    public IPASUserInfo getUserInfo( HttpServletRequest request )
        throws IPASException
    {
        IPASUserInfo l_usrInfo = null;
        try
        {
            // Get the user certificate from the HTTP request object
            X509Certificate[] l_usrBCerts
                = (X509Certificate[])( request.getAttribute( X509_CERT_CLASS ) );

            // The chain is only present after a successful client-certificate handshake;
            // element 0 is the end-entity (user) certificate.
            if( (l_usrBCerts != null) && (l_usrBCerts.length > 0) )
            {
                Principal l_usrPrincipal = l_usrBCerts[0].getSubjectDN();
                String l_certDN      = l_usrPrincipal.getName().toUpperCase();
                String l_usrNickName = getUserCn( l_certDN );

                // Search for "description=<cert CN>" in the JAAS-configured LDAP tree.
                // (Note: If this is not OC4J/JAAS/JAZN, it'd probably be best not
                // to try using this method...)
                String[] _attribs = { "dn", "description", "cn", "sn", _oid_attribute };
                User[] _users;
                try
                {
                    _users = _mysub.getUsers( _context,
                                              Util.IDTYPE_FILTER,
                                              "(" + _oid_attribute + "=" + l_usrNickName + ")",
                                              null, _attribs );
                }
                catch( Exception e )
                {
                    throw new IPASException( "Error obtaining user listing from OID." );
                }

                // Exactly one directory entry may carry this value; anything else is a
                // configuration error, not a login.
                if( _users == null || _users.length < 1 )
                {
                    throw new IPASException( "User not found in OID." );
                }
                else if( _users.length > 1 )
                {
                    throw new IPASException( "Oops, found " + _users.length +
                        " user(s), instead of 1. Perhaps your attribute selection is wrong?" );
                }
                else
                {
                    // Use the CN of the matching directory entry as the SSO nickname.
                    l_usrNickName = getUserCn( _users[0].getDn( _context ) );
                    // Set the realm name to null to use the default realm
                    String l_realm = null;
                    l_usrInfo = new IPASUserInfo( l_usrNickName, l_realm );
                    return l_usrInfo;
                }
            }
            else
            {
                // User certificate not found.
                throw new IPASException( "User certificate not found" );
            }
        }
        catch( IPASException e )
        {
            throw e;   // keep the specific message from above instead of re-wrapping it
        }
        catch( Exception e )
        {
            throw new IPASException( "User certificate information not found. " + e.toString() );
        }
    }
}</blockquote>
As an aside, if you need this to work behind an F5 (with backend traffic remaining unencrypted), the following iRule will make your life <i>much</i> easier. It's rudimentary, but should work until something better comes along:
<blockquote>when CLIENTSSL_HANDSHAKE {
    # Cache the client certificate against the TLS session ID once per session,
    # so later requests on a resumed session can still find it.
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    HTTP::header replace HTTPS on
    # Drop any SSL-Client-Cert header the client sent itself; the backend must only
    # ever see the value this rule inserts, never a client-supplied one.
    HTTP::header remove SSL-Client-Cert
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        # Forward the certificate as one base64 line (PEM armor and line breaks stripped).
        HTTP::header insert SSL-Client-Cert [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole $the_cert ] ] ] "" ]
    } else {
        HTTP::respond 200 content "<html><body>
<h1>Access Denied</h1>
Access to this resource is denied without a valid
DOD Common Access Card. If you do not have one,
please visit the <a href=\"https://www.cac.mil/Home.do\">Common
Access</a> website for information on obtaining a CAC
card. Otherwise, please insert your CAC card into your
reader, close this window, and try accessing this website again.
</body></html>"
    }
}</blockquote>
Sorry for the formatting... The original can be found at: http://www.snappedshot.com/archives/843-An-Endless-Pile-of-Technical-Cruft.html if it hurts your eyes too much.
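The mapper's lookup (certificate CN to OID entry, exactly one match) and the backend side of the iRule's SSL-Client-Cert header, as an added stand-alone Python model that is not code from the post or from Oracle. It assumes an in-memory dict in place of Oracle Internet Directory, a constructed CAC-style subject DN, and hypothetical helper names; unlike the plugin it escapes the CN before building the LDAP filter.

```python
"""Model of the certificate-to-OID mapping in SSOCertMapperCustom and of the
backend half of the F5 iRule.  Added example, not code from the post: the
in-memory dict below stands in for Oracle Internet Directory (assumption)."""
import base64
import re
import textwrap

# Constructed OID entries keyed by DN; "description" is the plugin's lookup attribute.
SAMPLE_OID = {
    "cn=asmith,cn=users,dc=domain,dc=com":  {"description": "SMITH.AARON.J.1234567890"},
    "cn=bjones,cn=users,dc=domain,dc=com":  {"description": "JONES.BETTY.1234567891"},
    "cn=bjones2,cn=users,dc=domain,dc=com": {"description": "JONES.BETTY.1234567891"},
}
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")  # RFC 4515 \xx escapes

def first_cn(dn):
    """Value of the first CN RDN, like the plugin's getUserCn() but escape-aware."""
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    raise ValueError("no CN in DN: " + dn)

def build_filter(attr, value):
    """Equality filter with RFC 4515 escaping, which the plugin's concatenation lacks."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)
    return "(%s=%s)" % (attr, escaped)

def search(directory, ldap_filter):
    """Stand-in for Subscriber.getUsers(): one (attr=value) filter, unescaped '*' is a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    parts = [_HEX.sub(lambda h: chr(int(h.group(1), 16)), p) for p in m.group(2).split("*")]
    pattern = re.compile(".*".join(re.escape(p) for p in parts))
    return [dn for dn, attrs in directory.items()
            if m.group(1) in attrs and pattern.fullmatch(attrs[m.group(1)])]

def map_cert_to_nickname(subject_dn, directory=SAMPLE_OID, attr="description"):
    """Certificate subject DN -> OID nickname; raises where the plugin throws IPASException."""
    ldap_filter = build_filter(attr, first_cn(subject_dn.upper()))  # plugin upper-cases the DN
    hits = search(directory, ldap_filter)
    if len(hits) != 1:  # exactly one entry may carry the value, otherwise refuse to map
        raise LookupError("%d OID users matched %s" % (len(hits), ldap_filter))
    return first_cn(hits[0])

def header_to_pem(header_value):
    """Rebuild the PEM the iRule flattened into SSL-Client-Cert.  Trust this header only
    on requests that came through the F5, which removes any client-supplied copy."""
    body = "".join(header_value.split())
    base64.b64decode(body, validate=True)  # reject anything that is not base64
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")
```

A CN of `*` is escaped to `\2a` and therefore matches nobody instead of everybody, and a value shared by two entries is refused rather than mapped to the first hit.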

Similar Messages

  • ESS-portal integration with Time and Travel management(HR) in R/3

    Hi,
    I'm doing ESS-portal configuration with Time and Travel Management in R/3, so please kindly send me documents for the integration part. I'll be so thankful if you people send me the documents as soon as possible.
    send me documents to [email protected]
    thanks
    pavi

    Hi
    Please go through this functional module HRMS_BIW_EXTRACT_PY1 on the R/3 side to know the exact table where you are getting the data.
    There are a lot of tables involved in HR-payroll info types.
    As far as your problem is concerned, take one employee, go to PA20 and analyse the payroll for each week or twice a month (depends upon your client),
    run the report on the payroll cube and find out exactly what you want.
    Thanks
    Roopa
    Assign points if helpful

  • Securing WebCenter applications with PKI and CAC

    I have a potential customer who has a need to secure WebCenter apps using PKI and CAC. Can this be done in the current version, or in 11g? If so, what are the basic steps?
    Thanks in advance,
    -Matt

    Hi Matt,
    You can configure WebCenter applications to use Oracle Internet Directory, which in turn has support for PKI and has an SDK for developing extensions to external devices.
    You might want to try posting your question in the Oracle Identity Management forum.
    regards,
    Stewart

  • Portal integration with workflow and contracts

    gurus,
    Are there any whitepapers on the integration of the Portal with Oracle Workflow and Oracle Contracts?
    It would be a great help ...
    Has anyone done this before ...?
    Please reply ...
    Thanks a bunch ...

    Reposted for attention ...
    Has anyone done this??
    Oracle Contracts integrated with Oracle Portal ...

  • Webcenter Spaces/Portal integration with UCM and use of FrameworkFolders

    Hi All,
    We are looking at the possibility of using Desktop Integration Suite organisation-wide. We are also in the process of an organisation-wide roll-out of WebCenter Spaces.
    The preference is to use FrameworkFolders because it's replacing the folders_g component and addresses the limitations posed by folders_g (for example, a folder can hold a maximum of only 1000 content items, and pages take a long time to load when a folder has a large number of content items).
    Since only folders_g can be used for integrating with WebCenter Spaces/Portal, we are not sure what our strategy should be. Is there a plan to use FrameworkFolders with WebCenter in the future?
    Thanks,
    Manjunath
    Edited by: 890922 on 14-Aug-2012 18:20

    "Since only folders_g can be used for integrating with WebCenter Spaces/Portal, we are not sure what our strategy should be. Is there a plan to use FrameworkFolders with WebCenter in the future?"
    Certainly there are. Unfortunately, no exact date/release has been communicated so far. If you need a quick implementation (in the following few months) I'm afraid you will have to go with folders_g.

  • SAP Portal Integration with InfoView

    Hi Experts,
    I have successfully configured SAP Portal Integration with InfoView using the following steps provided by Ingo:
    - set the system that you want to be authenticated against as the DEFAULT system in the options of the SAP authentication.
    - go to the webapps folder of your app server and navigate to the InfoView folder
    For the Java version of InfoView (Windows environment) you need to edit the file web.xml, which is located (assuming Tomcat as application server) in the directory \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF for the actual deployment.
    In addition you can make the change to the file in the folder <INSTALLDIR>\BusinessObjects Enterprise12.0\warfiles\WebApps\InfoViewApp\WEB-INF. The files in the second location are used when you redeploy the web applications with a tool like wdeploy. You need to change the following values:
    authentication.default = secSAPR3
    siteminder.enabled = False
    sso.enabled = True
    Then I have created a URLiView to the InfoView login page; when the user clicks on the link, BOBJ will use the DEFAULT system to authenticate the user.
    However, there is a new requirement for users who exist in another SAP system to SSO into InfoView too. My question is whether we can specify in URLiView url or other configuration to select which SAP System to authenticate user on?
    I would like to create Role A and Role B in Portal and each will display different URLiView that will authenticate user against different SAP System if possible.
    Appreciate your advice.
    Regards,
    Medy

    Hi Ingo,
    Thank you for your reply.
    We are trying to create a URLiView to the logon page of InfoView: http://<BOBJ Server>/InfoViewApp/logon.jsp that will bring the user to the InfoView home if SSO passed, instead of an OpenDocument URL.
    I have tried to add URL parameters to the URLiView (http://<BOBJ Server>//InfoViewApp/logon.jsp?SAP_SYSID=DCD&SAP_CLIENT=200), but InfoView is still using the default system in CMC to authenticate user.
    Please advise.
    Best Regards,
    Medy
    Edited by: Medy henry on Apr 29, 2010 4:00 AM

  • Enterprise Portal integration with E-Sourcing Portal

    Hi,
    Has anyone done Enterprise Portal integration with E-Sourcing Portal? How can we use the E-Sourcing portal URL in Enterprise Portal?
    Thanks,
    Rajani

    Hello Rajani,
    For connecting a web-based application we have to use the AppIntegrator application.
    Please go through the blog and implement the same thing; it may connect to your Java portal.
    The blog is: Integrating your Web Front-ends into the SAP Enterprise Portal using the Application Integrator
    Please go through the blog below, where it is defined how to pass user and password in the URL iView.
    SP12/SP20: Setting URL Dynamically in URL iView
    Thanks
    Chittya Bej
    Edited by: Chittya Bej on Apr 5, 2010 11:31 AM
    Edited by: Chittya Bej on Apr 5, 2010 11:33 AM

  • Portal Integration with JAVA ?

    Hello All,
    I've been working in the Portal for the past 1 year.
    The work which I've done is :
    1. Creation of BSP's in SAP
    2. Create iViews in Portal accessing these BSP applications (BSP, IAC, URL, BW etc.)
    3. Create Roles.
    Now I'm moved to one more Project which does the Portal Integration with JAVA.
    Can anyone tell me what it is and how it can be done?
    Regards,
    Deepu.K

    Hi Deepu
    You can achieve the same; please visit the following links:
    http://help.sap.com/saphelp_nw04s/helpdata/en/d8/6ee03fc2269615e10000000a155106/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/771fa290-0201-0010-3d93-865e66cc6d7e
    Regards
    Navneet
    Please revert in case of doubt.

  • Portal Integration with XI

    Hi Gurus,
    Could any one tell me two scenarios where we integrate Portals with the XI system.
    If Portal is the receiver/sender then what could be the possible sender/receivers respectively.
    Please, also let me know which scenarios (IDOC to HTTP etc.) are used for ECC and Portal integration with XI.
    What are the Adaptors used for Portals?
    Thanks in advance.  I will assign points.

    Hi,
    Take a look at this blog,
    https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1334 [original link is broken]
    You can make a webservice ( SOAP ) call from the portals to XI, or a HTTP call for the same.
    For integrating XI and ECC, as usual IDOCs, RFC or Proxies can be used. This blog discusses the same,
    /people/ravikumar.allampallam/blog/2005/08/14/choose-the-right-adapter-to-integrate-with-sap-systems
    Regards,
    Bhavesh

  • CRM 5.0 Integration with Twitter and facebook

    Hi Experts,
    I am working with SAP CRM 5.0.
    My existing client wants to set up SAP CRM with Twitter and Facebook, especially for customer services.
    Does SAP CRM 5.0 have tight integration with Twitter and Facebook?
    If yes, will you please share information in terms of
    1) Effort estimation: manpower
    2) Costing details
    Thanking you in advance
    Pravin shete

    @sherrysarath:  Could you share some documents to understand how standards works for this issue? And if there aren't standards requirements, could you share your custom solution.
    @pravin wipro : Could you explain what are your requirements?

  • DMS integration with PP and PS.

    Hi SAP PLM experts,
    I would like to know how mySAP PLM's DMS module is integrated with the PS and PP modules.
    Any small scenario with T-codes and configuration help is highly appreciated.
    If you guys have any documents/materials for this question, please mail the same to sudhu03 at gmail dot com.
    Thanks in advance,
    S.Achar.

    It is only through the object link which you provide.
    From the business perspective, we attach the contract documents, design drawings and other documents to the project for ready reference.
    You can create the DIR directly from the PS transaction, or you can create it in DMS and attach it to the project.
    We do have redlining to identify the changes required in the document.

  • Enterprise portal integration with Oracle forms

    Hi
    Can anyone help me on this.
    "Enterprise portal integration with Oracle forms".
    I want to integrate Oracle Forms with EP. I am trying to work with the Application Integrator but I am not able to make any headway. Do you have any documents pertaining to this, or any place where I can look for details?
    Thanks
    Alok

    Hi,
    I'm not aware of a special integration feature with Oracle Forms, but if, as you said, we are talking about a web application available via URL then I see no problem doing so. The way you can implement the SSO is using something called Application Integrator, which helps you build smart URL iViews that can use the portal framework (like systems, user profile, etc.), so you can build your Oracle Forms integration iView that will take the user password data from the portal (via system) using user mapping or SAP logon tickets.
    For more details on Application Integrator see
    http://help.sap.com/saphelp_nw04/helpdata/en/70/5a3842134bad04e10000000a1550b0/frameset.htm
    Regarding the Java applet, I don't really know what you mean by "jinitiator", but if your regular browser can do it then I see no reason for problems.
    I hope it helps

  • Weblogic portal Integration with UCM by weblogic virtual repository

    Anyone has experience with Weblogic portal Integration with UCM by weblogic virtual repository? Thanks.

  • Portal integration with bo report was not opening from folders

    Dear friend,
    Please can you give me a suggestion/solution on the following area: we are implementing Business Objects XI R2 portal integration with WebLogic, in which after logging in to Business Objects through the portal the report was not opening.
    Regards
    sekhar

    Hi,
    Please can you provide a solution on this; it is for a very urgent purpose. I am able to log in to the portal; when clicking on the report from the portal it was not opening.
    Regards
    sekhar

  • Portal integration with Agile systems

    Hi All,
    Has anybody worked on Portal integration with Agile systems? I mean pulling data from Agile systems.
    Any specific documentation would be of help.
    Regards,
    Tom

    Tom,
    you may want to check this
    https://www.sdn.sap.com/irj/scn/advancedsearch?query=agile&cat=sdn_all
    Thanks
    Bala Duvvuri
