Protection Domains with static permissions are improperly constructed

I'm pretty new to the Java security model, but this doesn't look right. It seems as though ProtectionDomains with static permissions have semantically different functionality than those that are constructed with the "variant" constructor (CodeSource, PermissionCollection, ClassLoader, Principal[]). The documentation enforces this idea: "The only permissions granted to this domain are the ones specified; the current Policy will not be consulted". Why then are the ProtectionDomains reconstructed improperly in the combine(ProtectionDomain[], ProtectionDomain[]) method of the javax.security.auth.SubjectDomainCombiner? The wrong constructor is being called.
The reason the SubjectDomainCombiner is reconstructing these improperly is because it only uses the second form of the ProtectionDomain constructor. In my case the SubjectDomainCombiner is reconstructing a ProtectionDomain that was constructed with the first form. Basically this means that the staticPermissions variable in my ProtectionDomain changes from true to false. Then when it's time to call the implies(Permission) method it consults the current policy instead of ONLY using static permissions.
This is causing havoc with my custom classloader because I don't want the security manager checking the current Policy for permissions. I only want the ProtectionDomain's static permissions. Bug 4687166 also deals with combiners improperly constructing ProtectionDomains, but it is NOT a duplicate.
Now this means I'm going to have to extend the Policy class to get around this problem. Something isn't right, if it's me, please let me know.

interesting - if i follow what you're saying, you expect SubjectDomainCombiner to inspect the input ProtectionDomains. if one was constructed with "static" permissions, do you expect SubjectDomainCombiner to create a new ProtectionDomain with the additional Principal info, while retaining the static permissions?
or do you expect SubjectDomainCombiner to just leave that ProtectionDomain alone - in particular, do not update it with Principal info since it won't affect the permissions granted to that domain anyways?
either is an interesting change to contemplate, and is a technical possibility for SubjectDomainCombiner (since it is J2SE code). however, to come up with a true solution available to any custom DomainCombiner would probably require public API changes to ProtectionDomain.
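
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not JDK code: a domain built with the two-argument constructor ignores the current Policy, while a copy rebuilt with the four-argument constructor picks up whatever the Policy grants. The class name, `SamplePolicy`, both helper methods and all paths are hypothetical; it assumes a JDK on which `Policy.setPolicy` is still supported and Java 9 or later for `ProtectionDomain.staticPermissionsOnly()`.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.x500.X500Principal;

public class StaticDomainRebuild {

    // Constructed sample permissions; the paths are placeholders.
    static final Permission STATIC_GRANT =
            new FilePermission("/constructed/app/data.txt", "read");
    static final Permission POLICY_GRANT =
            new FilePermission("/constructed/policy-only.txt", "read");

    /** Constructed Policy: grants POLICY_GRANT to every domain that consults it. */
    static final class SamplePolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return POLICY_GRANT.implies(permission);
        }
    }

    /** The rebuild described in the post: always the four-argument constructor. */
    static ProtectionDomain rebuildAlways(ProtectionDomain pd, Principal[] principals) {
        return new ProtectionDomain(pd.getCodeSource(), pd.getPermissions(),
                                    pd.getClassLoader(), principals);
    }

    /** Alternative: leave a static-only domain untouched, rebuild the others. */
    static ProtectionDomain rebuildKeepingStatic(ProtectionDomain pd, Principal[] principals) {
        if (pd.staticPermissionsOnly()) {
            return pd; // the Policy was never consulted for this domain; keep it so
        }
        return rebuildAlways(pd, principals);
    }

    /** One report line: is the domain static-only, and which grants does it imply? */
    static String describe(String label, ProtectionDomain pd) {
        return String.format("%-24s staticOnly=%-5b ownGrant=%-5b policyOnlyGrant=%b",
                label, pd.staticPermissionsOnly(),
                pd.implies(STATIC_GRANT), pd.implies(POLICY_GRANT));
    }

    public static void main(String[] args) throws Exception {
        Policy previous = Policy.getPolicy();
        Policy.setPolicy(new SamplePolicy());
        try {
            Permissions perms = new Permissions();
            perms.add(STATIC_GRANT);
            CodeSource cs = new CodeSource(
                    URI.create("file:/constructed/app.jar").toURL(), (Certificate[]) null);
            Principal[] principals = { new X500Principal("CN=constructed-user") };

            // Two-argument constructor: only the permissions passed in are granted.
            ProtectionDomain original = new ProtectionDomain(cs, perms);

            System.out.println(describe("original (static)", original));
            // The rebuilt copy consults SamplePolicy, so it gains POLICY_GRANT.
            System.out.println(describe("rebuildAlways", rebuildAlways(original, principals)));
            // The guarded rebuild returns the original domain unchanged.
            System.out.println(describe("rebuildKeepingStatic",
                    rebuildKeepingStatic(original, principals)));
        } finally {
            Policy.setPolicy(previous); // restore the policy that was in effect
        }
    }
}
```

Comparing the `policyOnlyGrant` column across the three lines shows whether a rebuild has widened the domain beyond its static permissions.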

Similar Messages

  • Java Security Model: Java Protection Domains

    1.     Policy Configuration
    Until now, security policy was hard-coded in the security manager used by Java applications. This gives us the effective but rigid Java sandbox for applets. A major enhancement to the Java sandbox is the separation of policy from mechanism. Policy is now expressed in a separate, persistent format. The policy is represented in simple ASCII, and can be modified and displayed by any tools that support the policy syntax specification. This allows:
    o     Configurable policies -- no longer is the security policy hard-coded into the application.
    o     Flexible policies -- Since the policy is configurable, system administrators can enforce global policies for the enterprise. If permitted by the enterprise's global policy, end-users can refine the policy for their desktop.
    o     Fine-grain policies -- The policy configuration file uses a simple, extensible syntax that allows you to specify access on specific files or to particular network hosts. Access to resources can be granted only to code signed by trusted principals.
    o     Application policies -- The sandbox is generalized so that applications of any stripe can use the policy mechanism. Previously, to establish a security policy for an application, a developer needed to implement a subclass of the SecurityManager, and hard-code the application's policies in that subclass. Now, the application can make use of the policy file and the extensible Permission object to build an application whose policy is separate from the implementation of the application.
    o     Extensible policies -- Application developers can choose to define new resource types that require fine-grain access control. They need only define a new Permission object and a method that the system invokes to make access decisions. The policy configuration file and policy tools automatically support application-defined permissions. For example, an application could define a CheckBook object and a CheckBookPermission.
    2.     X.509v3 Certificate APIs
    Public-key cryptography is an effective tool for associating an identity with a piece of code. JavaSoft is introducing API support in the core APIs for X.509v3 certificates. This allows system administrators to use certificates from enterprise Certificate Authorities (CAs), as well as trusted third-party CAs, to cryptographically establish identities.
    3.     Protection Domains
    The central architectural feature of the Java security model is its concept of a Protection Domain. The Java sandbox is an example of a Protection Domain that places tight controls around the execution of downloaded code. This concept is generalized so that each Java class executes within one and only one Protection Domain, with associated permissions.
    When code is loaded, its Protection Domain comes into existence. The Protection Domain has two attributes - a signer and a location. The signer could be null if the code is not signed by anyone. The location is the URL where the Java classes reside. The system consults the global policy on behalf of the new Protection Domain. It derives the set of permissions for the Protection Domain based on its signer/location attributes. Those permissions are put into the Protection Domain's bag of permissions.
    4.     Access Decisions
    Access decisions are straightforward. When code tries to access a protected resource, it creates an access request. If the request matches a permission contained in the bag of permissions, then access is granted. Otherwise, access is denied. This simple way of making access decisions extends easily to application-defined resources and access control. For example, the banking application allows access to the CheckBook only when the executing code holds the appropriate CheckBookPermission.
    Sandbox model for Security
    Java is supported in applications and applets, small programs that spurred Java's early growth and are executable in a browser environment. The applet code is downloaded at runtime and executes in the context of a JVM hosted by the browser. An applet's code can be downloaded from anywhere in the network, so Java's early designers thought such code should not be given unlimited access to the target system. That led to the sandbox model -- the security model introduced with JDK 1.0.
    The sandbox model deems all code downloaded from the network untrustworthy, and confines the code to a limited area of the browser -- the sandbox. For instance, code downloaded from the network could not update the local file system. It's probably more accurate to call this a "fenced-in" model, since a sandbox does not connote strict confinement.
    While this may seem a very secure approach, there are inherent problems. First, it dictates a rigid policy that is closely tied to the implementation. Second, it's seldom a good idea to put all one's eggs in one basket -- that is, it's unwise to rely entirely on one approach to provide overall system security.
    Security needs to be layered for depth of defense and flexible enough to accommodate different policies -- the sandbox model is neither.
    java.security.ProtectionDomain
    This class represents a unit of protection within the Java application environment, and is typically associated with a concept of "principal," where a principal is an entity in the computer system to which permissions (and as a result, accountability) are granted.
    A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Currently, a domain is uniquely identified by a CodeSource, which encapsulates two characteristics of the code running inside the domain: the codebase (java.net.URL), and a set of certificates (of type java.security.cert.Certificate) for public keys that correspond to the private keys that signed all code in this domain. Thus, classes signed by the same keys and from the same URL are placed in the same domain.
    A domain also encompasses the permissions granted to code in the domain, as determined by the security policy currently in effect.
    Classes that have the same permissions but are from different code sources belong to different domains.
    A class belongs to one and only one ProtectionDomain.
    Note that currently in Java 2 SDK, v 1.2, protection domains are created "on demand" as a result of class loading. The getProtectionDomain method in java.lang.Class can be used to look up the protection domain that is associated with a given class. Note that one must have the appropriate permission (the RuntimePermission "getProtectionDomain") to successfully invoke this method.
    Today all code shipped as part of the Java 2 SDK is considered system code and run inside the unique system domain. Each applet or application runs in its appropriate domain, determined by its code source.
    It is possible to ensure that objects in any non-system domain cannot automatically discover objects in another non-system domain. This partition can be achieved by careful class resolution and loading, for example, using different classloaders for different domains. However, SecureClassLoader (or its subclasses) can, at its choice, load classes from different domains, thus allowing these classes to co-exist within the same name space (as partitioned by a classloader).
    jarsigner and keytool
    example:
    cd D:\EicherProject\EicherWEB\Web Content
    jarsigner -keystore eicher.store source.jar eichercert
    The javakey tool from JDK 1.1 has been replaced by two tools in Java 2.
    One tool manages keys and certificates in a database. The other is responsible for signing and verifying JAR files. Both tools require access to a keystore that contains certificate and key information to operate. The keystore replaces the identitydb.obj from JDK 1.1. New to Java 2 is the notion of policy, which controls what resources applets are granted access to outside of the sandbox (see Chapter 3).
    The javakey replacement tools are both command-line driven, and neither requires the use of the awkward directive files required in JDK 1.1.x. Management of keystores, and the generation of keys and certificates, is carried out by keytool. jarsigner uses certificates to sign JAR files and to verify the signatures found on signed JAR files.
    Here we list simple steps of doing the signing. We assume that JDK 1.3 is installed and the tools jarsigner and keytool that are part of JDK are in the execution PATH. Following are Unix commands, however with proper changes, these could be used in Windows as well.
    1. First generate a key pair for our Certificate:
    keytool -genkey -keyalg rsa -alias AppletCert
    2. Generate a certification-signing request.
    keytool -certreq -alias AppletCert > CertReq.pem
    3. Send this CertReq.pem to VeriSign/Thawte webform. Let the signed reply from them be SignedCert.pem.
    4. Import the chain into keystore:
    keytool -import -alias AppletCert -file SignedCert.pem
    5. Sign the CyberVote archive "TeleVote.jar":
    jarsigner TeleVote.jar AppletCert
    This signed applet TeleVote.jar can now be made available to the web server. For testing purpose we can have our own test root CA. Following are the steps to generate a root CA by using openssl.
    1. Generate a key pair for root CA:
    openssl genrsa -des3 -out CyberVoteCA.key 1024
    2. Generate an x509 certificate using the above keypair:
    openssl req -new -x509 -days 365 -key CyberVoteCA.key -out CyberVoteCA.crt
    3. Import the Certificate to keystore.
    keytool -import -alias CyberVoteRoot -file CyberVoteCA.crt
    Now, in the step 3 of jar signing above, instead of sending the request certificate to VeriSign/Thawte webform for signing, we can sign using our newly created root CA using this command:
    openssl x509 -req -CA CyberVoteCA.crt -CAkey CyberVoteCA.key -days 365 -in CertReq.pem -out SignedCert.pem -CAcreateserial
    However, our test root CA has to be imported to the keystore of voter's web browser in some way. [This was not investigated. We used some manual importing procedure which is not the recommended way]
    The Important Classes
    The MessageDigest class, which is used in current CyberVote mockup system (see section 2), is an engine class designed to provide the functionality of cryptographically secure message digests such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest or hash. A digest has the following properties:
    • It should be computationally infeasible to find two messages that hashed to the same value.
    • The digest does not reveal anything about the input that was used to generate it.
    Message digests are used to produce unique and reliable identifiers of data. They are sometimes called the "digital fingerprints" of data.
    The (Digital)Signature class is an engine class designed to provide the functionality of a cryptographic digital signature algorithm such as DSA or RSA with MD5. A cryptographically secure signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:
    • Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.
    • The signature and the public key do not reveal anything about the private key.
    A Signature object can be used to sign data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.
    ----Cheers
    ---- Dinesh Vishwakarma

    Hi,
    these concepts are used and implemented in jGuard(www.jguard.net) which enable easy JAAS integration into j2ee webapps across application servers.
    cheers,
    Charles(jGuard team).

  • Can't grant permissions to protection domains

    Hi, I'm trying to grant some permissions to a couple of protection domains using Visual Administrator (Security Provider item).
    I follow these steps:
    1) I select protection domain, for instance, a jar file
    2) I select the permission I want to grant
    3) I click the Grant button
    4) An error happens. "Unable to refresh protection domains panel!" states an error dialog, and
    SAPEngine_Application_Thread[impl:3]_36##0#0#Path#1#com.sap.engine.services.rmi_p4#
    Plain###> com.sap.engine.services.rmi_p4.DispatchImpl->throwException
    MSG:P4 Call execution: Exception in execute operation :
    <grantPermission(java.lang.String,java.lang.String,java.lang.String,java.lang.String)
    in the server.log file.
    What can be happening?
    Thanks,
    Juan Manuel

    Are you planning for this to be available over the Internet? If it's just for your personal use, I would recommend writing an application instead of an applet. No security hassles to deal with.
    Also, I notice from your error messages that you are trying to use the sun.jdbc.odbc.JdbcOdbcDriver class. You can't use that from an applet, because it requires installing a DLL on the applet's local machine. But you did say you were using MySQL, so you should probably get a JDBC driver that can access it (I'm not even sure if there's an ODBC driver for MySQL).

  • (EA4500). With static IP assigned, how to tell if devices are connected?

    I've assigned static IPs to all of my network devices.
    Logging onto the router, there does not appear to be any way to tell whether any device is connected or not.  Is this normal?

    Static IP assignments are only done on the device itself. You switch the device from DHCP to static IP and configure everything on the device itself.
    DHCP reservation is not a static IP assignment. It's telling the DHCP server to assign a specific IP address to a specific device. The device still runs on DHCP and cannot tell whether the IP address received is the IP address reserved or not. That's something entirely different and not to be confused with static IP.
    Linksys routers never showed a complete list of connected devices. As mentioned before, you can only see the list of wireless devices associated. You won't see wired devices with static IP nor DHCP reservation and even the DHCP client list is often incomplete...

  • Exchange Online Protection (standalone) permissions are not working as expected

    Exchange Online Protection (standalone)  permissions are not working as expected.
    We provided access to Hygiene Management to some members and they are not able to access the EOP site.
    This is standalone EOP.
    ksrugi

    Hi,
    what roles did you have assigned to them and what error message do you get?
    Greetings
    Christian
    Christian Groebner MVP Forefront

  • Is it possible to protect documents with 2008 \ 2012 R2 AD RMS on Workgroup Machines \ another domain machines?

    Hi Experts,
    I have scenario where I have TWO 2008 R2 AD forests with cross forest trust and also I have some workgroup Win7 Machines.
    I wanted to deploy AD RMS in any one forest (Say Forest A), as forced by customer
    Is it possible that My forest B users can protect documents with AD RMS in Forest (A)
    OR
    Is it possible that my workgroup computers can protect documents with AD RMS of Forest A? Can I use user credentials from forest A to protect documents on workgroup computer
    OR
    Lets take a scenario:
    I create user in forest A with addition of email address of forest B user
    I share this ID to respective forest B user, forest B user logged on to forest B computer
    Now can forest B computers can protect documents with AD RMS from forest A by entering forest A user id \ password when RMS prompts for authentication?
    Thanks in advance
    Thanks Best Regards Mahesh

    Can anybody shed some light on this please?
    Thanks Best Regards Mahesh

  • What do I do with this error message: To use this library, make sure its file permissions are set correctly.

    So I cannot even access the application. It was working fine yesterday and today I get this error message:
    To use this library, make sure its file permissions are set correctly.
    I have changed nothing. All the pictures are there on the computer. Help?!

    Reboot.  Close any programs which open at start-up.  Run Disk Utility (you can type this in the Spotlight search field at the right end of your Menubar).
    In Disk Utility, select your drive from the list on the left, and click "Repair Disk Permissions".  This will take a few minutes, but should be less than ten.
    Reboot.
    Try to open your Library in Aperture.  What happens?

  • DACL with static IP configuration

    Hi,
    I want to restrict client communication based on dACLs for some Endpoint-Groups with MAB. Most of the clients are configured with DHCP, for these clients everything working fine. But there are also clients with static IP configuration and here is the problem. ISE does not know the ip address of the static configured client, so the 'source any' statement of the dACL can not be replaced with the client IP.
    How is it possible to let ISE learn the static addresses and get this working?
    ISE is on v1.2, IOS on switch is on 15.02.SE1
    Thanks, Florian

    I am not very much sure but can you try this and check (instead of any any just giving your network address)
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
    Define Local (Default) ACLs on the Switch
    Enable these functions on older switches (with IOS releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization.
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
      remark DHCP
      permit udp any eq bootpc any eq bootps
      remark DNS
      permit udp any any eq domain
      remark Ping
      permit icmp any any
      remark Ping
      permit icmp any any
      remark PXE / TFTP
      permit udp any any eq tftp
      remark Allow HTTP/S to ISE and WebAuth portal
      permit tcp any host <Cisco_ISE_IP_address> eq www
      permit tcp any host <Cisco_ISE_IP_address> eq 443
      permit tcp any host <Cisco_ISE_IP_address> eq 8443
      remark Drop all the rest
      deny   ip any any log
    ! The ACL to allow URL-redirection for WebAuth
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host <Cisco_ISE_IP_address>
    permit ip any any

  • Problems with static member variables WAS: Why is the static initializer instantiating my class?!

    Hi,
    I have been hunting down a NullPointerException for half a day to come to
    the following conclusion.
    My constructor calls a method which uses static variables. Since an instance
    of my class is created in the static block when the class is loaded, those
    statics are probably not fully initialized yet and the constructor called
    from the static block has those null pointer problems.
    I've considered moving the initialization of the static variables from the
    declaration to the static block. But your code is inserted BEFORE any other
    code. Therefore not solving my problem.
    Two questions:
    1) what would be a solution to my problem? How can I make sure my static
    variables are initialized before the enhancer generated code in the static
    block calls my constructor? Short of decompiling, changing the code and
    recompiling.
    2) Why is the enhancing code inserted at the beginning of the static block
    and not at the end? The enhancements would be more transparent that way if
    the static variables are initialized in the static block.
    Thanks,
    Eric

    Hi Eric,
    JDO calls the no-args constructor. Your application should regard this constructor as belonging
    primarily to JDO. For example, you would not want to initialize persistent fields to nondefault
    values since that effort is wasted by JDO's later initialization to persistent values. Typically all
    you want to initialize in the no-args constructor are the transactional and unmanaged fields. This
    rule means that you need initialization after construction if your application uses the no-args
    constructor and wants persistent fields initialized. On the other hand, if your application really
    uses constructors with arguments, and you're initializing persistent fields in the no-args
    constructor either unintentionally through field initializers or intentionally as a matter of
    consistency, you will find treating the no-args constructor differently helpful.
    On the other hand, if Kodo puts its static initializer code first as you report, then it is a bug.
    Spec Section 20.16: "The generated static initialization code is placed after any user-defined
    static initialization code."
    David Ezzio
    Eric Borremans wrote:
    >
    Hi,
    I have been hunting down a NullPointerException for half a day to come to
    the following conclusion.
    My constructor calls a method which uses static variables. Since an instance
    of my class is created in the static block when the class is loaded, those
    statics are probably not fully initialized yet and the constructor called
    from the static block has those null pointer problems.
    I've considered moving the initialization of the static variables from the
    declaration to the static block. But your code is inserted BEFORE any other
    code. Therefore not solving my problem.
    Two questions:
    1) what would be a solution to my problem? How can I make sure my static
    variables are initialized before the enhancer generated code in the static
    block calls my constructor? Short of decompiling, changing the code and
    recompiling.
    2) Why is the enhancing code inserted at the beginning of the static block
    and not at the end? The enhancements would be more transparent that way if
    the static variables are initialized in the static block.
    Thanks,
    Eric

  • Steps to set up my domain with Apache

    Hello,
    I would like to know the steps to set up my domain with Apache including the use of DNS Services. I have DNS services (http://www.dnsexit.com). I just don't know where to begin with adding my domain. I've already gone to my preferences>>sharing>>web sharing and turned it on. My domain host is netfirms. I have an actiontec model m1424-wr router and I have a verizon fios wireless connection that's always on. I've been doing my research on this. I'm just stuck on this part. However, is it true that php/mysql is pre-installed on Mac osx 10.6? I hope I can get help. Thank you in advance.

    Your description is somewhat incomplete. I assume that dnsexit.com provides dynamic DNS and that you registered a domain name with NetFirms (you say "domain host", but I presume that you just registered the domain name and they aren't actually hosting it; hosting means that your web site is on their computers instead of yours). I'll also assume that you mean that you intend to run a web server on your Mac through your FiOS connection (not a great idea, and potentially a violation of FiOS' terms of service unless you bought their commercial plan).
    If all of those assumptions are correct, you need to:
    1. Contact NetFirms and tell them to point your domain to DNSExit's name servers: ns1.dnsExit.com and ns2.dnsExit.com and ns3.dnsExit.com and ns4.dnsExit.com
    2. After step 1 is complete, you need to install a dynamic DNS update client on a computer in your network that will always be on (DNSExit has them and installation and set-up instructions). These programs will periodically check the IP address of your network and, if it changes, will update the record at DNSExit so that sites can find it. Note that you are using FiOS so the IP address of your router is expected to change periodically; this works around that. Your router has 2 IP addresses: the WAN is the IP address exposed to the world through your FiOS connect, and the LAN, which is an address local to your home network.
    3. Log in to your ActionTEC router as the administrator. You can do this through your web browser. The LAN IP address of the router is the gateway address indicated in the Network preference pane for your ethernet connection. The modem documentation tells you the default password for the router (make sure to change it).
    Perform the following tasks on the router (through the advanced options, you'll want to poke around to find them):
    a. check the DHCP address ranges (usually it says that it will give out IP addresses from 192.168.1.100-192.168.1.200 or similar). Note it down. You're going to want to give the computer that acts as the web server a static IP address outside that range.
    b. Choose an address outside the DHCP range that isn't already in use and write it down. This will be the static IP address you will set on your web server.
    c. Locate the Firewall/NAT settings on the router and add a rule to forward traffic on ports 80 and 443 to the IP address you had chosen.
    4. On the computer that will be the web server, start web-sharing.
    5. Go to the network preferences and configure the static IP address that you selected. Use the same gateways and DNS settings that were assigned by DHCP.
    ... and that's it. If you performed all those steps properly, requests to your domain will be sent to your FiOS modem and forwarded on to the designated computer for a response.
    PHP and Apache are preinstalled on the Mac. MySQL is not. You will need to download and install MySQL yourself.

  • 2008 r2 hyper-v guest with static IP always loses network connectivity after every restart - no problem with DHCP

    Hello,
    We are running 2008 R2 domain with one physical DC and other running in VM on Hyper-V host (2008 R2 Standard). The host has 4 NICs and is configured to use one physical NIC for itself (management) and the hyper-v guest is configured to use another dedicated/physical
    NIC (through microsoft virtual switch) just for itself.
    I noticed that after setting the hyper-v guest with a static IP address all works fine only until guest restart. When the guest boots up the IP address is still configured correctly in IPv4 properties, but there is no network connectivity at all and in fact
    the guest shows running APIPA config in ipconfig /all output. That situation continues until I remove the virtual NIC from hyper-v guest, remove the virtual switch from dedicated NIC on host and then reconfigure it (using same settings as they were). very
    annoying.
    For time being I switched the virtual DC (problematic hyper-v guest) to a DHCP IP and configured DHCP server (running on physical DC machine, not on hyper-v host) to store a reservation for the hyper-v guest so it always gets the same "static"
    IP configuration.
    Is there some kind of a problem/bug with using static IP on (2008 R2) hyper-v guests? is there a hotfix for static IP config in hyper-v guest environment?
    both 2008 R2 OSes (host and guest) are up to date with all updates (synced with Microsoft, not WSUS).

    OK, I'm not at the office now, but took my time to test out the restart scenarios on problematic virtual guest remotely.
    No dice, same as it was, everything works fine after guest has IP configured in DHCP mode (IP reservation of 192.168.1.5 for specific MAC address) and it doesn't work after restart in static IP mode (same address, works before restart of guest).
    I also took "arp -a" outputs at each step from host server and that was always saying there is only a single host (192.168.1.5 = VDC = problematic virtual guest) assigned to that IP address and always with same MAC, so that pretty much rules out
    ARP/MAC troubles and no issues with switches/routers getting spoofed. Problem is most likely with the virtual guest (WS2008R2) or within the host running same OS.
    Here are outputs:
    A) VDC has IP configured in DHCP mode - always same, survives through restart (all works)
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : CD.lan
    Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-01-D3-00
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b9af:6679:3142:8799%13(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, January 30, 2014 5:34:48 PM
    Lease Expires . . . . . . . . . . : Friday, February 07, 2014 5:35:26 PM
    Default Gateway . . . . . . . . . : 192.168.1.254
    DHCP Server . . . . . . . . . . . : 192.168.4.5
    DHCPv6 IAID . . . . . . . . . . . : 268440925
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-6F-5F-C2-00-15-5D-01-D3-00
    DNS Servers . . . . . . . . . . . : 192.168.1.5
    192.168.4.5
    NetBIOS over Tcpip. . . . . . . . : Enabled
    ARP -a output from host server at that time:
    Interface: 192.168.1.4 --- 0xc
    Internet Address Physical Address Type
    192.168.1.5 00-15-5d-01-d3-00 dynamic
    B) VDC has IP configured in static mode - BEFORE RESTART (all works)
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-01-D3-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b9af:6679:3142:8799%13(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    DHCPv6 IAID . . . . . . . . . . . : 268440925
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-6F-5F-C2-00-15-5D-01-D3-00
    DNS Servers . . . . . . . . . . . : 192.168.1.5
    192.168.4.5
    NetBIOS over Tcpip. . . . . . . . : Enabled
    ARP -a output from host server at that time:
    Interface: 192.168.1.4 --- 0xc
    Internet Address Physical Address Type
    192.168.1.5 00-15-5d-01-d3-00 dynamic
    C) VDC has the same IP configured in static mode - AFTER RESTART (no more network connectivity at all, LAN in Public zone)
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : VDC
    Primary Dns Suffix . . . . . . . : CD.lan
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CD.lan
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-01-D3-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b9af:6679:3142:8799%13(Preferred)
    Autoconfiguration IPv4 Address. . : 169.254.135.153(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    DHCPv6 IAID . . . . . . . . . . . : 268440925
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-6F-5F-C2-00-15-5D-01-D3-00
    DNS Servers . . . . . . . . . . . : 192.168.1.5
    192.168.4.5
    NetBIOS over Tcpip. . . . . . . . : Enabled
    ARP -a output from host server at that time:
    Interface: 192.168.1.4 --- 0xc
    Internet Address Physical Address Type
    192.168.1.5 00-15-5d-01-d3-00 dynamic
    Throughout the testing, the hyper-v host IP configuration and IPconfig output was always staying same.
    The Network Connection #2 is the only one the host uses (not shared with hyper-v guests).
    The Network Connection #4 is assigned to Microsoft Virtual Switch hence why it doesn't show up in results, like below:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : HYPER-V
    Primary Dns Suffix . . . . . . . : CD.lan
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CD.lan
    Ethernet adapter Local Area Connection 3:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP Ethernet 1Gb 4-port 331i Adapter #3
    Physical Address. . . . . . . . . : 9C-8E-99-52-15-91
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP Ethernet 1Gb 4-port 331i Adapter #2
    Physical Address. . . . . . . . . : 9C-8E-99-52-15-90
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::dc78:8a3b:38a5:7af3%12(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    DHCPv6 IAID . . . . . . . . . . . : 312250009
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-67-52-8F-9C-8E-99-52-15-93
    DNS Servers . . . . . . . . . . . : 192.168.4.5
    192.168.1.5
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP Ethernet 1Gb 4-port 331i Adapter
    Physical Address. . . . . . . . . : 9C-8E-99-52-15-93
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    On Monday I will install more test guests in Hyper-V host (WS2008R2), in variety of flavors like 7x64, 8.1x64, ws2012r2, and see if they show similar problems with static IP configuration when utilizing a dedicated NIC from host server.
    Don't get me wrong, I can live with virtual DC running on DHCP IP reservation (which is based on MAC), because the virtual DC pretty much requires a physical PDC (hosting also DHCP in my network) to be present for safety reasons ... however I prefer a static
    IP configuration on all servers, hence my question and surprise why it doesn't work.

  • OBIEE 10g - Logical column with static value

    I created a logical column with static numeric value in it and added it to presentation layer. The column is not showing up in Answers. All other columns I added are showing up. The issue is with this one only.
    I have verified permissions on this column in presentation layer. I tried reloading server metadata in answers, restarting all services but it didn't help.
    One thing I noticed this column is showing fx icon instead of Σ icon.

    Kid,
    The fx means it is a calculated column/formula and the sigma means that you've added some aggregation type to the column.
    Either way it shouldn't matter and your column should be showing up.
    I would attempt to create a new column and in the fx field try entering static text and see if that allows the column to be visible after dragging it to the presentation layer subject area.
    Also what is the value that you are adding?

  • Configuring one LDAP domain with two OU (one RO, another RW)

    Hi Team,
    My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
    We're using MS-ADS LDAP as an UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OU (NOT domains) such that:
        1. One OU has read only access
        2. Second OU has read/write access
    Following is an illustration of the LDAP tree structure:
    CORP_DOM
    -- INT_USERS    (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- INT_GROUPS  (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
    -- EXT_USERS    (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
    -- EXT_GROUPS  (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
       |-- SAccounts
       |--
       |--
    Note the single LDAP domain, multiple user and group paths with different access privileges.
    Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
    I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
    Kindly let me know if anyone has come across or done such a configuration.
    Thanks.

    Hi GLM,
    You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
    The issue I have is not about granting permissions - it's more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OU (NOT domains). I'd need to access the directory with two different service users having different access privileges.
    I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
    Thanks.

  • Static fields ARE being serialized

    Hi there,
    I wrote a small test class that serializes an object, writes the serialized object to file, reads the serialized object from the file and then deserializes the object. The object being serialized contains normal fields, a transient field, and 4 static fields with varying access modifiers. For some reason the static variables ARE being serialized. From what I've read this should not happen, and for very good reasons.
    Here is the object being serialized:
    package serialization;
    import java.io.Serializable;
    import java.util.Formatter;
    public class MySerializableObject implements Serializable {
         private static final long serialVersionUID = 1L;
         private int a = 1;
         private int b = 2;
         private transient int c = 3;
         static public int d = 4;
         static protected int e = 5;
         static private int f = 6;
         static int g = 7;
         @Override
         public String toString() {
              Formatter formatter = new Formatter();
              formatter.format("a=%1$s b=%2$s c=%3$s d=%4$s e=%5$s f=%6$s g=%7$s", a,b,c,d,e,f,g);
              return formatter.toString();
         }
         // Writes the static field d, which belongs to the class, not to this instance
         public void setNewD(int newVal) {
              d = newVal;
         }
    }
    And here is the code that does the serialization:
    package serialization;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.ObjectInputStream;
    import java.io.ObjectOutputStream;
    public class FileContentsObjectSerializer {
         File file;
         // Starts from an empty file each run
         public FileContentsObjectSerializer(String name) {
              this.file = new File(name);
              if (this.file.exists()) {
                   this.file.delete();
              }
              try {
                   this.file.createNewFile();
              } catch (IOException e) {
                   e.printStackTrace();
              }
         }
         public void serialize(Object o) throws IOException {
              FileOutputStream fos = new FileOutputStream(this.file);
              ObjectOutputStream oos = new ObjectOutputStream(fos);
              oos.writeObject(o);
              oos.close();
              fos.close();
         }
         public Object deserialize() throws IOException, ClassNotFoundException {
              FileInputStream fis = new FileInputStream(this.file);
              ObjectInputStream ois = new ObjectInputStream(fis);
              Object o = ois.readObject();
              fis.close();
              ois.close();
              return o;
         }
         public static void main(String args[]) {
              MySerializableObject mso = new MySerializableObject();
              mso.setNewD(100);
              System.out.println("Object being serialized:"+mso.toString());
              FileContentsObjectSerializer ofs = new FileContentsObjectSerializer("c:/temptest.txt");
              try {
                   ofs.serialize(mso);
                   MySerializableObject result = (MySerializableObject) ofs.deserialize();
                   System.out.println("Deserialized Object:    "+result.toString());
              } catch (Exception e) {
                   e.printStackTrace();
              }
         }
    }
    And here are the results I get:
    Object being serialized:a=1 b=2 c=3 d=100 e=5 f=6 g=7
    Deserialized Object:    a=1 b=2 c=0 d=100 e=5 f=6 g=7
    As you can see, both results are exactly the same, even though the setNewD value is not called on the deserialized object.
    Any ideas?

    You are misinterpreting the result. Try this main instead:
        public static void main(String args[]) {
            MySerializableObject mso = new MySerializableObject();
            mso.setNewD(100);
            System.out.println("Object being serialized:"+mso.toString());
            FileContentsObjectSerializer ofs = new FileContentsObjectSerializer("c:/temptest.txt");
            try {
                ofs.serialize(mso);
                mso.setNewD(-100); //a-oogah!
                MySerializableObject result = (MySerializableObject) ofs.deserialize();
                System.out.println("Deserialized Object:    "+result.toString());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
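
A self-contained way to check what the default mechanism actually puts in the stream, added here as an example and not code from either poster. The class names `StaticFieldStreamCheck` and `Sample` are hypothetical stand-ins for the thread's classes, and the object is serialized to memory instead of a file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamField;
import java.io.Serializable;

public class StaticFieldStreamCheck {
    // Hypothetical stand-in for the thread's MySerializableObject.
    static class Sample implements Serializable {
        private static final long serialVersionUID = 1L;
        int a = 1;            // instance field: written to the stream
        transient int c = 3;  // transient: skipped
        static int d = 4;     // static: belongs to the class, skipped
    }

    public static void main(String[] args) throws IOException, ClassNotFoundException {
        // The stream descriptor lists only the fields default serialization writes.
        for (ObjectStreamField f : ObjectStreamClass.lookup(Sample.class).getFields()) {
            System.out.println("in stream: " + f.getType().getSimpleName() + " " + f.getName());
        }

        Sample.d = 100;
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new Sample());
        }

        Sample.d = -100; // changed after the bytes were written

        Sample copy;
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            copy = (Sample) ois.readObject();
        }

        // a is restored from the stream, c falls back to its type default,
        // and d shows whatever the class holds in this JVM right now.
        System.out.println("a=" + copy.a + " c=" + copy.c + " d=" + Sample.d);
    }
}
```

Running the deserializing half in a fresh JVM gives the same picture from the other side: `d` comes back as its initializer value, because nothing in the stream carries it.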

  • BranchCache - multiple domains and file permissions

    I have been researching BranchCache and looking into its feasibility given my requirements and constraints.
    I am considering replacing servers in branch offices with a single BranchCache server [per branch] in 'hosted' mode.
    1. It has been suggested that each hosting server can only host files from content servers in the same domain as the caching/hosting server. Is this correct? For jurisdictional purposes, we have a 'shared, global' forest but also 'local, jurisdictional'
    forests. Each branch needs to access data which resides in either/several/all of these forests.
    2. A simpler but related question - how are file permissions adhered to? Are the NTFS perms simply included as metadata? How does the hosting server authorise the requesting client access to the file at the point of request? Does the content server provide
    the authorisation instead and hence client and content server must be in the same domain?
    I'm keen to pursue this technology further but suspect it has limitations which mean it is not feasible within my environment.
    Thanks,
    neil
    Neil Ruston

    Hi Neil -
    I forwarded your questions to the BranchCache team, and this is their response:
    "All of the entities in the BranchCache system can be on different domains and BranchCache will work just fine.  It’s ok to have content servers and hosted cache servers on different domains or on no domain at all.  The client and server
    just need to be able to communicate to get BranchCache working.
    "As far as permissions go, clients in the branch office need to be able to download hashes from the remote file/web server to use BranchCache.  The file or web server authenticates and authorizes the client using whatever means it would if BranchCache
    were not in the picture.  Once the client is granted permission, it can retrieve the hashes and pull from the local cache.  Permissions are not embedded in the hashes.  Ownership of the hashes is all a client needs to download from the cache. 
    Hashes are a substitute for content and are kept secure the same way content is."
    Thanks -
    James McIllece
