Problem In Policy

Similar Messages

• Problem fetching policy-file-request

  According to
  http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html
  quote:
  * A SWF file may no longer make a socket connection to its
  own domain without a socket policy file. Prior to version
  9,0,115,0, a SWF file was permitted to make socket connections to
  ports 1024 or greater in its own domain without a policy file.
  * HTTP policy files may no longer be used to authorize
  socket connections. Prior to version 9,0,115,0, an HTTP policy
  file, served from the master location of /crossdomain.xml on port
  80, could be used to authorize a socket connection to any port 1024
  or greater on the same host.
  So with the tighter security measures, a policy file has to
  be fetched on port 843 or on the same port on which a connection is
  desired. That leads to another problem. The policy file request
  made by the player has a simple format: clear text
  <policy-file-request/> is sent as raw data bytes on
  the ports.
  As most firewalls block such raw data traffic (of unknown
  protocols) on all the ports, this means that the policy file fetch
  will fail almost always if the user is behind any firewall.
  This will render all SWFs, that do not use well known ports,
  unusable. Does anyone know what is the solution to this
  problem? Or am I missing something here?

  Common guys, someone has to know what to do here.
  I have read all that I can read and tried all that I could
  and the flash app is not accepting my policy file.

• How to resolve problems in policy file of signed Applet

  Hi to All,
  I want to connect the web site through my Signed Applet which is working as a Proxy server. but i m facing certain problems in my policy file:
  this is my policy file :-
  grant {
  permission java.security.AllPermission "", "";
  permission java.net.SocketPermission "http://www.google.com:4321", "connect, accept,resolve";
  permission java.security.UnresolvedPermission;
  n i got such type of exceptions n my Applet prompt applet not initialized.
  Got connection Socket[addr=/192.168.1.232,port=1200,localport=4321]
  Reading request...
  URI is: http://www.google.com/
  Host to contact is: www.google.com at port 80
  Got request...
  java.security.AccessControlException: access denied (java.net.SocketPermission www.google.com resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
  at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
  at java.net.InetAddress.getAllByName(InetAddress.java:1061)
  at java.net.InetAddress.getByName(InetAddress.java:958)
  at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
  at java.net.Socket.<init>(Socket.java:179)
  at ProxyApplet.handle(ProxyApplet.java:75)
  at ProxyApplet.<init>(ProxyApplet.java:132)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
  at java.lang.Class.newInstance0(Class.java:350)
  at java.lang.Class.newInstance(Class.java:303)
  at sun.applet.AppletPanel.createApplet(AppletPanel.java:721)
  at sun.applet.AppletPanel.runLoader(AppletPanel.java:650)
  at sun.applet.AppletPanel.run(AppletPanel.java:324)
  at java.lang.Thread.run(Thread.java:595)
  here 4321 is Port no. which i've as a random port no.
  plz Help
  thnx in advance
  with regards
  pank_naini

  Please, if you can't help me, could you tell me who can I contact ?

• Problems assigning policy to roles

  Hello,
  I am trying to assign a simple policy that I have created to a role that I have created.
  I am following the instructions from the administration guide.
  In the final step,
  From the View UserManegement I choose the role that I want to apply the policy and I click on assign. It gives me a choice of policies that I can choose.
  Here is the problem: When I choose the policy and hit assign button, nothing happens !!!
  Any ideas on what I am doing wrong ?
  Thanks.
  Murat

  check your amSDK log. Looks like you don't have some required indexes in your directory.

• Problem with Policy "Display information about previous logons during user logon"

  Hello,
  I've a problem with the Policy "Setting Display information about previous logons during user logon".
  It is applied correctly on computer, but I can't login anymore and message "Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator
  for assistance" is appearing.
  My home test domain has 2008 R2 functionality level since months, and I've raised my company infra level functionality to 2012 this morning. Both domain are making the same error.
  This is non-sense, so any idea how to troubleshoot it ? Thanks in advance ! ;-)
  PS : I was able to remove it in order to login again, no worries on this one...

  Did you follow the guidance in http://technet.microsoft.com/en-us/library/dd446680%28v=ws.10%29.aspx?
  Especially the following paragraph - the setting has to be applied to DCs and Members...:
  You configure last interactive logon through a GPO. You must configure the following setting for the GPO with domain controllers in its scope of management if you want to report last interactive logon information to the directory service:
  Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled
  If you want to display last interactive logon information to the user, you must configure this setting for both the GPO with domain controllers in its scope of management as well as any GPO with Windows Server 2008 and Windows Vista client
  computers in its scope of management.
  Martin
  NO THEY ARE NOT EVIL, if you know what you are doing:
  And if IT bothers me - :))
  Restore the forum design -
  Martin-
  I'm struggling with the TechNet article you direct us to.  We see in the TechNet article that Last Login Notification works ONLY with Server 2008 R2 and Vista.  Do we interpret that correctly?
  We need it to work with Server 2003, Server 2008, Win7, Win8, Win8.1, Server 2012, et. al.
  What is the work around to enable *Last Login Notifications to Users* functionality for these OSs?
  Thanks in advance,
  Robin

• Problem with policy file in Activatable tutorial

  hi all,
  i am just playing with the classes that comes with the RMITutorial.
  i am actually trying to execute the code that comes with the 'Creating an Activatable Object' tutorial, but i am having a lot of problems due to the policy file.
  First of all, i must say that i extracted all the classes in the directory d:\FalcoDevelopment;
  all the files has been put in the following directory:
  d:\FalcoDevelopment\examples\activation
  In hte Setup.java class there is the following line of code:
  props.put("java.security.policy", "examples/activation/policy");
  when i have to run the Setup.class, i have to enter the following command
  java -Djava.security.policy=/home/rmi_tutorial/activation/policy
  -Djava.rmi.server.codebase=file:/home/rmi_tutorial/activation/ examples.activation.Setup
  so, since i have to change to my own path,and since i am in the d:\FalcoDevelopment directory, i entered
  java -Djava.security.policy=/examples/activation/policy -Djava.rmi.server.codebase=file:/d:/FalcoDevelopment/examples/activation/ examples.activation.Setup
  when i then run the Client with the following command
  java -Djava.security.policy=/examples/activation/policy
  examples.activation.Client myhostname
  it always return me a Security exception..
  can anyone tell me what is the CORRECT path that i have to put for the above -D properties??
  thanx in advance and regards
  marco

  Hello,
  I am having the same problem but to start with you are mixing up NT and UNIX things, like file paths
  Other thing is you are using the tutorial given file paths. You must use your own file paths, as you have installed the classes.
  I know its not much help, but still :0)
  Kudos
  ravi

• WebLogic 7 - problem with policy

  I have a testcase, which I sign on as 'myuser', the EJB session bean returns
  correctly about its caller identity
  myuser belongs group Developers and this group has Developer global role
  java.security.Principal p = ctx.getCallerPrincipal();
  System.out.println("callerPrincipal=" + p);
  System.out.println("isAdminRole=" + ctx.isCallerInRole("Admin"));
  System.out.println("isDeveloperRole=" + ctx.isCallerInRole("Developer"));
  output:
  callerPrincipal=myuser
  isAdminRole=false
  isDeveloperRole=true
  isAdminRole returns false and isDeveloperRole returns true as expected
  Now, I want to set the permission on this session bean
  Define policies and roles for the indivisual beans -> Define Policies
  Methods:
  ALL
  Policy Conditions:
  Caller is granted the role
  Admin
  Since myuser does not have Admin role, I expected permission error but I
  don't. What am I doing wrong?
  TIA,
  Andy

  Is the web logic server on the same dns domain as
  Identity Server ?
  Does the agent log or web logic server logs show any
  errors ? Yes, they are under same domain.
  There is no error in agent log and weblogic log by default. But when I set debug level to higher value, Exception thrown out, as shown. Is it a problem?
  <Sep 18, 2002 8:20:52 PM HKT> <Agent> <Info> AgentRealmManager.authenticate(system, ...)
  <Sep 18, 2002 8:20:52 PM HKT> <Agent> <Info> AgentRealmManager.authenticate(system, ...): Exception caught: Invalid transport string version
  <Sep 18, 2002 8:20:52 PM HKT> <Agent> <Info> AgentRealmManager.authenticate(system, ...): Exception caught
  [AgentException Stack]
  com.iplanet.amagent.arch.AgentException: Invalid transport string version
  at com.iplanet.amagent.util.TransportToken.<init>(TransportToken.java:74)
  at com.iplanet.amagent.weblogic.realm.AgentRealmManager.authenticate(AgentRealmManager.java:130)
  at com.iplanet.amagent.weblogic.realm.AgentRealm.authUserPassword(AgentRealm.java:69)
  at weblogic.security.acl.AbstractListableRealm.authInternal(AbstractListableRealm.java:186)
  at weblogic.security.acl.AbstractListableRealm.authenticate(AbstractListableRealm.java:127)
  at weblogic.security.acl.AbstractListableRealm.getUser(AbstractListableRealm.java:110)

• Problem Installing Policy Agent 2.2 on Apache 2.2.3

  Hi all,
  I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
  The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
  [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
  [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
  [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
  [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
  [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
  [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
  [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
  But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
  [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
  [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
  [Tue Jun 10 16:57:34 2008] [notice] Digest: done
  [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
  Configuration Failed
  Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
  Error message issued during installation of Policy Agent 2.2 on Linux systems
  When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
  Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
  At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
  To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
  *+
  Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
  o
  NSPR: http://www.mozilla.org/projects/nspr/
  o
  NSS: http://www.mozilla.org/projects/security/pki/nss/
  So, I checked my libraries but they are upgraded to the latest version.
  If I comment the line that includes the libamapc22.so in the apache configuration file
  LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
  Apache can restart but the agent is misconfigurated!
  Any Idea?

  thank you Subhodeep for your reply,
  I didn't try to change the library file and I didn't find in licterature any information about library file changing in the Policy agent installation. Please, could you suggest me something more about which library to use instead of libamapc22.so?
  ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
  this one could definitely be the reason of the misconfiguration.

• Little Problem with Policy Setting in EM 11g

  Hi all !!
  I wanna revoke some privileges such as UTL_HTTP, UTL_FILE for Database Security
  But I don't know if I can revoke above privileges by disabling them in Policy Rule Setting in EM 11g instead of using SQL*plus ???
  Regards

  I've disabled some Pocily rules (Execute Privileges on UTL_FILE) in EM 11g . I just wonder if I need also to revoke it from PUBLIC by using SQL'Plus
  SQL>REVOKE execute on utl_file FROM public .

• Problem With Policy Agent 2.2 for APACHE on WINDOWS !!!!

  I have been getting a nasty error for weeks configuring PolicyAgent 2.2 for Apache (tried 2.2.x and 2.0.x) on a Windows Server. After the configuring apache could not even start. I get the following error :
  Syntax error on line 1 of "C:/Sun/Access_Manager/Agents/2.2/apache/config/apache_80/dsame.conf":
  Cannot load C:/Sun/Access_Manager/Agents/2.2/apache/bin/libamapc2.dll into server. The specified module does not exist
  Does anyone have any ideas? (I have been pulling my hair off trying to resolve this and I am about to lift up the server and drop it !!! ) The dll file above is available in that path.
  Message was edited by:
  lreju

  This dll file may need/depend other dlls. So sometimes you may still get this error after you download the dll into your windows system folder. But you can use a tool such as http://www.dependencywalker.com to find out which other dlls are needed for your installation....Hope this helps someone !!!

• Granting different permissions to different codebases : policy file problem

  Hi all. I'm having a bit of a problem with policy files and granting different persmissions to different codebases. What I have at the moment is a server app that copies a class file from the client to a specified directory on the server, and then dynamically loads and runs that class. This all works fine, but obviously as user submitted code is going to be run on the server I want to restrict what they are allowed to do. My app is going to be bundled up in a single jar file, and the directory that the client code is being copied to a subdirectory of the app installtion (not that this should make much difference). What i want to do is grant all permissions to my code in the jar file and resrict the permssions granted to code in the strategies directory. I assumed i would just be able to do this using my own policy file, but at the moment i'm not having much luck.
  Directory structure:
  c:/project/code/
  |
  |-labyrinth.jar
  |-strategies/
  Contents of labyrinth.policy:
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Command line arguments:
  java -Djava.security.manager -Djava.security.policy==./labyrinth.policy -classpath .;./labyrinth.jar;./strategies/;%CLASSPATH%; labyrinth.LabyrinthServer
  I've tried specifiying the absolute path to the jar file in the policy file as well as the relative path, i've tried including -Xbootclasspath/a and appending the jar file. All I seem to be able to manage though is either granting all permissions system wide, including the strategies dir, or none and getting security exceptions within my code. Anyone tried doing anything similair or got any idea where I might be going wrong? Any help would be appreciated as its really starting to doing my head in.
  TIA. Matt.

  Did you try putting a slash at the beginning of your "file" specification? e.g., instead of saying
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  say
  grant codeBase "file:/../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Hope this helps.

• Policy Trace not returning the Correct policy

  Hi Everybody,
  Our issue here is that when we run a policy trace on any of our Active Directory users - it does not match the Correct policies and match the Global Access policy although the Trace return right Identity policy
  However if i try access an any URL  and monitor the activity from the cli OR  Ftp Access log - i cann see that the user has in fact had certain policies applied to it.
  i think there ara problem in policy trace to fatch the coorect policy form GUI
  Does anyone have any suggestions as to how resolve this.
  Running the command testauthconfig - completes successfully.
  Web Security Appliance Version Information
  Model:
  S160
  Version:
  7.5.1-079 for Web
  Ahmed mostafa

  A TAC engineer informed me a while back that Policy Trace was currently unreliable, and they hope to fix it in the future. I wouldn't rely on it for accuracy.

• Traffic exceeding the policy limit on ASR9K Bundle-Ether

  Hi,
  I have a problem regarding an issue on ASR 9000 bundle interface.
  I apply 20mbps input and output policy to the interface to limit our customers traffic but sometimes I see 40mbps of customer traffic. It doesn't happens always but it occurs on different customers on different bundle interface.
  What would be the possible reason? Thanks in advance.
  note: we have different burst values on other ASR9 devices  such as:
  police rate 20000000 bps burst 3750000 bytes
  police rate 20000000 bps burst 3200000 bytes
  police rate 20000000 bps burst 3000000 bytes
  police rate 20000000 bps burst 2500000 bytes
  but not sure if indeed this is the problem,
  Configurations:
  policy-map 20mbps
  class class-default
    police rate 20000000 bps burst 3200000 bytes
     conform-action transmit
     exceed-action drop
  interface Bundle-Ether1
  mtu 9216
  load-interval 30
  interface Bundle-Ether1.100
  service-policy input 20mbps
  service-policy output 20mbps
  ipv4 address 10.10.10.1
  encapsulation dot1q 100
  interface GigabitEthernet0/0/0/1
  bundle id 1 mode active
  interface GigabitEthernet0/0/0/2
  bundle id 1 mode active
  when i send traffic of 40mb to the customer:
  ASR9#sh  int Bundle-Ether1.100  
  Bundle-Ether1.100 is up, line protocol is up
    30 second input rate 11361000 bits/sec, 6642 packets/sec
    30 second output rate 40558000 bits/sec, 6877 packets/sec

  Hi Rivalino,
  Here is the output, the thing is this time even if I've sent 40m, peak is 26m.
  Bundle-Ether1.100
    30 second input rate 4291000 bits/sec, 886 packets/sec
    30 second output rate 24492000 bits/sec, 2574 packets/sec
       3763694312 packets input, 1626561697099 bytes, 108538 total input drops
       3365349 drops for unrecognized upper-level protocol
       Received 38 broadcast packets, 3365349 multicast packets
       4012226890 packets output, 3050913586640 bytes, 42481432 total output drops
       Output 123 broadcast packets, 0 multicast packets
  ASR9#show policy-map interface Bundle-Ether1.100 output
  Wed Jan 22 08:06:41.049 Turkiye
  Bundle-Ether1.100 output: 20mb
  Class class-default
    Classification statistics          (packets/bytes)     (rate - kbps)
      Matched             :           413918382/342268391637         42461
      Transmitted         :           N/A
      Total Dropped       :             5387815/7327884962           17684
    Policing statistics                (packets/bytes)     (rate - kbps)
      Policed(conform)    :           408530567/334940506675         24777
      Policed(exceed)     :             5387815/7327884962           17684
      Policed(violate)    :                   0/0                    0
      Policed and dropped :             5387815/7327884962        

• Policy Domain not found

  Hy everybody!
  Please help me, I have problem with Policy Doman,
  when I test access with option Access Tester on my Policy Domain,
  i get following message:
  Evaluation result
  Policy Domain      <not found>
  I checked in OID, my Policy Domain exists in following entry
  obname=policy_domain_id, obapp=PSC, o=Oblix <DN>
  but as you see error says that Policu Domain not found.
  best regards!

  Hi!
  I have :
  - 2 Authorization Rules
  - 1 Default Authentication Rule
  - 1 Default Authorization Expression
  I checked Host identifier with ping command, it's correct.
  Do you have any ideas about problem?
  On following URL I posted picture of the my Policy Domain
  http://img205.imageshack.us/img205/8909/policydomainhx6.jpg
  <img src="http://img205.imageshack.us/img205/8909/policydomainhx6.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" />

• Getting unexpected 3338 errors when your DRM policy is set to USE_IF_AVAILABLE?

  [ Background ]
  A popular restriction to set in an Adobe Access DRM policy deals with Output Protection - where playback of a content is disallowed unless the device's hardware can support Copy Protection technologies, such as HDCP or CGMS-A.
  A possible Output Restriction setting to set is "USE_IF_AVAILABLE".  When a license with this restriction is consumed by a device, the device will first check to see if an Output Protection technology is available, like HDCP, and if available - attempt to engage it before playing the content.  Regardless on if the Output Protection technology is available, playback of the content will always occur, since "USE_IF_AVAILABLE" is considered a best-effort enforcement.
  [ Problem Which Existed Prior to Flash Player 11.8.800.168 ]
  Sometimes, when "USE_IF_AVAILABLE" was used as the Output Protection policy setting, the Flash Player client would return an highly-intermittent "3338" error event and prevent video playback.  An attempt to re-play the content resolves the issue.  This does not affect other runtimes supported by Adobe Access, such as iOS or Android.
  [ Resolution ]
  2. (End User) Upgrade to Flash Player 11.8.800.168 or later, where this issue has been addressed.
  1. (Video Player Application Developer) If your business/contractual rules don't require Output Protection to be enabled (even on a best-effort basis), consider changing the Output Protection restriction to NO_PROTECTION.  Setting NO_PROTECTION instructs Adobe Access DRM to not even attempt to detect if Output Protection is available, preventing this OS error to even occur.
  [ Problem Not Resolved? ]
  This article details what Adobe believes will resolve 3338 errors from occuring when the DRM policy has only set USE_IF_AVAILABLE for analog or digital output channel.  If this hasn't resolved your issue - we would love to hear more from you!  Please reply below with the following information:
  - Your manifestation of the problem
  - The policy you used during packaging
  - OS & OS version this was observed on
  - Browser & browser version this was observed on
  - (Video Player Application Developer) The SWF version of your video player application
  cheers,
  /Eric.

  Hi ,
  1.Please empty the auto complete cache in outlook and try sending the email by manually typing the user email address on the to field while composing the new message.
  2.Please ensure the AD replication is working properly.
  3.Then use the below mentioned command to check the recipient is available in your exchange or not.
  get-recipient -identity "[email protected]" | ft -au
  4.Make sure you are running your outlook in online mode.
  5.Please update the GAL manually.
  6.In case if you want have the outlook in cached mode , you need to have updated OAB in outlook client.
  Regards
  S.Nithyanandham
  Thanks & Regards S.Nithyanandham