Provisioning to AD - Is SSL mandatory ?
Hi Experts,
We are in the process of designing our landscape for NW IDM 7.1 (HP-UX with Oracle). We have a SAP Portal which will be using AD (2003).
We will be provisioning users onto AD. Is it mandatory to use an SSL connection from NW IDM to AD, or is it an optional security feature that will be used in case the company security policy demands it?
Also, what are the licensing considerations for users which are in the productive AD? How does SAP count those users?
Thanks,
Shailesh
Hi Matt,
I'm not aware of any documentation, but off the top of my head you have to perform the following steps in a test environment:
- Install Microsoft Enterprise Root CA and reboot the system
- After the reboot, AD will use a certificate from the CA and use SSL on port 636
- Export the Root CA certificate. The certificate can e.g. be downloaded from http://<machine of root ca>/certsrv
- Import the root CA certificate into the cacerts file in <jre>/lib/security. The default password of the cacerts file is "changeit" (the certificate can be imported using keytool).
Now the JRE trusts the CA certificate and you should be able to configure an SSL connection to AD in the ToLDAP pass.
Best regards
Holger
Similar Messages
Error while provisioning OIM - AD in SSL
Hi All,
I am trying to configure OIM - AD communication in SSL mode. For that, I installed the AD connector MSFT_AD_Base_91100 and deployed it. It was successfully configured, and my OIM version is OIM9101.
I configured the IT Resource by mentioning
Use SSL:yes
Allow Password Provisioning: yes
port number:636
I tried to provision a testuser which was created in OIM, but I am getting an error that "Error encountered while connecting to target system."
Could anyone please help me in resolving the issue.
Thanks & Regards.
Hi suren,
Now I am able to connect to AD at 636 through JXplorer. Actually I forgot to import the trusted certificate in JXplorer.
Now I am able to connect to AD in SSL mode.
Now my purpose is to enable the OIM-AD communication in SSL mode and to provision the password. For that I am using WebLogic 10.3.0, OIM 9.1.0.1 and Oracle DB 10g. I used the connector MSFT_AD_Base_91100 version.
I tested in non-SSL mode by using this connector and it's working fine, but when I am trying to provision a user in SSL mode I am getting the following error.
Response: Connection Error encountered
Response Description: Error encountered while connecting to target system
This error was caught in the status of ADuser ---> create user.
Could you help me in resolving this issue.
Thanks & Regards.
Connection error while provisioning to AD in SSL mode
Hi all,
I am trying to establish the OIM-AD communication in SSL mode to provision the passwords.
For that I used the MSFT_AD_base_91100 connector and deployed it on my OIM-9101, which is on Win Server 2003.
I configured the ITResource by specifying the following details.
- Use SSL: yes
- Allow password provisioning: yes
- Port: 636
and I imported the keystore by executing the 'keytool' command at \bea\jdk....\jre\... keytool.exe
But when I am trying to provision the user by using this SSL mode configuration I am getting the error "Error encountered while connecting to target system", and in the logs I am getting the following exception:
=========================================================
ERROR,25 Mar 2010 03:40:49,812,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : createUser
ERROR,25 Mar 2010 03:40:49,812,[OIMCP.ADCS],Connection Error Occur
ERROR,25 Mar 2010 03:40:49,812,[OIMCP.ADCS],Description : Connection Error Occur
ERROR,25 Mar 2010 03:40:49,812,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException: Connection Error Occur
==========================================================
Note: 1) Checked AD in SSL mode through JXplorer and LDAP Browser and it is connecting in SSL mode.
2) Checked by provisioning the user in non-SSL mode using this connector and it's working fine.
Could anyone help me in resolving the issue?
Thanks in advance.
My suggestion would be: follow the steps religiously and see if you missed any step or not, because I have tried it many times and other people have also done it and it works. You are saying that you imported that certificate in OIM too. See the document and verify your steps, and finally the connection parameters in the IT resource should be:
- Use SSL = yes
- Port Number = 636
Thanks
Sunny
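A checked version of the keystore steps in Holger's reply in the main thread (export the root CA, import it into cacerts with keytool) and of Sunny's IT-resource checklist (Use SSL = yes, port 636), as an added example that is not code from either thread or from SAP or Oracle. It assumes keytool and openssl are on PATH; JAVA_HOME, AD_HOST, AD_ROOT_CA and the alias ad-root-ca are placeholders, and cacerts is assumed to still carry the default password "changeit".

```shell
#!/bin/sh
# Added example, not code from either thread. Trusts an exported AD root CA in the
# JRE cacerts store and checks that the LDAPS endpoint on 636 chains to it before
# the connector is switched to SSL. Assumes keytool and openssl are on PATH;
# JAVA_HOME, AD_HOST and AD_ROOT_CA are placeholder variables.

# cacerts lives at <jdk>/jre/lib/security under a JDK and <jre>/lib/security under
# a bare JRE; importing into the wrong one is a classic cause of a working LDAP
# browser next to a connector that still says "Error encountered while connecting".
cacerts_path() {
    java_home="$1"
    for cand in "$java_home/jre/lib/security/cacerts" "$java_home/lib/security/cacerts"; do
        if [ -f "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Accept only a conservative alias charset so the keytool call needs no quoting tricks.
valid_alias() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Certificates downloaded from certsrv are usually DER; openssl's -CAfile wants PEM.
# Writes a PEM copy to stdout whichever form it was given.
as_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"
    else
        openssl x509 -inform der -in "$1"
    fi
}

# Import the root CA into cacerts under CA_ALIAS unless that alias is already present.
import_root_ca() {
    cacerts="$1"; cert="$2"; ca_alias="$3"; storepass="${4:-changeit}"
    valid_alias "$ca_alias" || { echo "bad alias: $ca_alias" >&2; return 2; }
    if keytool -list -keystore "$cacerts" -storepass "$storepass" -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias $ca_alias already present in $cacerts"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$ca_alias" -file "$cert" \
        -keystore "$cacerts" -storepass "$storepass"
}

# Succeed only when the server chain validates against the root CA and the
# certificate name matches HOST; a self-signed or wrong-name certificate fails
# here rather than at the first provisioning run.
verify_ldaps() {
    host="$1"; port="${2:-636}"; cafile="$3"
    pem=$(mktemp) || return 1
    as_pem "$cafile" > "$pem"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$pem" -verify_hostname "$host" -verify_return_error \
            </dev/null 2>&1)
    rc=$?
    rm -f "$pem"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Guarded so the functions can be sourced; set the three variables to run end to end.
if [ -n "${JAVA_HOME:-}" ] && [ -n "${AD_HOST:-}" ] && [ -n "${AD_ROOT_CA:-}" ]; then
    store=$(cacerts_path "$JAVA_HOME") || { echo "no cacerts under $JAVA_HOME" >&2; exit 1; }
    import_root_ca "$store" "$AD_ROOT_CA" ad-root-ca "${STOREPASS:-changeit}" || exit 1
    if verify_ldaps "$AD_HOST" 636 "$AD_ROOT_CA"; then
        echo "ldaps://$AD_HOST:636 verified; set Use SSL = yes and port 636 in the connector"
    else
        echo "ldaps://$AD_HOST:636 did not verify; keep SSL off until the chain validates" >&2
        exit 1
    fi
fi
```

If JXplorer connects but the connector does not, run cacerts_path against the JAVA_HOME the application server actually starts with, not the one on your shell PATH.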
LDAP Connector: SSL support and de-provisioning
Hi guys
I have two questions regarding the SAP LDAP Connector (LDAP client):
1) Does the SAP LDAP connector support connections to SSL-enabled directories?
2) Does the SAP LDAP connector make it possible to delete SAP users when the corresponding user is deleted in the directory (which is the 'leading' system in such a scenario)?
BR
Tom Bo
Tom,
The IDM LDAP connector does support SSL. The LDAP connector will support add, modify and delete operations.
This thread (Provisioning to AD - Is SSL mandatory ?) might be helpful as well.
Matt
3.0 - Provisioning Service - excel upload error
Just finished installing EID 3.0 and installed Provisioning Services on non-SSL / default settings (minus turning SSL off).
I'm able to select an Excel spreadsheet from the home page in Studio; when I click Next, I get the following error.
Looks like it's related to my JDBC settings. I'm using Derby as a default, so not sure if I need to change any settings within an eid-ps file and not sure where to set this. Please let me know if anybody has advice. Thanks in advance.
Error while uploading Excel file. EJB Exception: : javax.persistence.PersistenceException: Exception [EclipseLink-7060] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.ValidationException
Exception Description: Cannot acquire data source [jdbc/oracle.eid-ps].
Internal Exception: javax.naming.NameNotFoundException: While trying to lookup 'jdbc.oracle.eid-ps' didn't find subcontext 'jdbc'. Resolved ''; remaining name 'jdbc/oracle/eid-ps'
Hi Brett,
The connection is working. But when I try to upload an Excel file (doesn't matter which one) I get an error:
Error while uploading Excel file. EJB Exception: : javax.persistence.PersistenceException: Exception [EclipseLink-7060] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.ValidationException
Exception Description: Cannot acquire data source [jdbc/oracle.eid-ps].
Internal Exception: javax.naming.NameNotFoundException: While trying to lookup 'jdbc.oracle.eid-ps' didn't find subcontext 'jdbc'. Resolved ''; remaining name 'jdbc/oracle/eid-ps'
The JDBC connection in the console is set to jdbc/oracle.eid-ps
Marco
ISE - EAP-FAST PAC Provisioning - Identity field??
Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.
PAC
•Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
•Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
•Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
•Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
–Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
•Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
•Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
Uncheck this check box in the following cases:
–If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
–To always perform phase two of EAP-FAST
When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
•Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.
Setting field (system condition) required at work order operation level
Hi everyone,
I wanted to make the System Condition field at operation level 'required'; however, it is available neither in OIOPL nor in OIOPD.
I'd appreciate it if anyone could suggest something.
Thanks in advance
Hi Sergey,
The System Condition field enables you to reserve capacity in Production Planning Work Center so that during any maintenance, Production Planning work center should not be undergoing any production.
But the system condition that is taken into account for the above scenario is the System Condition field at the header level, which indicates whether the maintenance requires the equipment to be shut down or in operation. So, apart from the header System Condition field, the operation system condition fields do not create any capacity requirement at the PP work center.
The operation System Condition field is just for reporting purposes and does not hold any significance in PP-PM integration, so there is no provision for setting this field mandatory at operation level; rather, it can be set mandatory at order header level.
Best Regards,
Muhammad Usman Kahoot
LDAP Proxy fails to assign custom connection handler
Hi,
I've setup some custom connection handlers, and my proxy server is behaving randomly.
I mean that sometimes it assigns the new handler, sometimes not. This randomness occurs if I delete the handler and create it again with the same configuration options.
I tried restarting the server as well as upgrading to 6.3.1 (Linux/CentOS) without any luck.
Now the server does not assign the high-priority custom handler when I connect on the SSL port (1636), but it does assign it if I connect on the non-SSL port (1389).
This is my configuration:
dpconf list-connection-handlers -v -p 1636
anonymous true 5
domain2.example.com true 3
default connection handler true 100
directory services administrators true 1
domain1.example.com true 1
schema false 6
dpconf get-connection-handler-prop domain1.example.com
aci-source : none
allowed-auth-methods : simple
allowed-ldap-ports : ldap
allowed-ldap-ports : ldaps
bind-dn-filters : uid=(.*),cn=(.*),ou=People,dc=domain1,dc=example,dc=com
bind-dn-filters : uid=(.*),ou=(.*),ou=People,dc=subdomain,dc=domain1,dc=example,dc=com
data-view-routing-custom-list : DOMAIN1
data-view-routing-policy : custom
description :
domain-name-filters : any
enable-data-view-affinity : false
ip-address-filters : any
is-enabled : true
is-ssl-mandatory : false
priority : 1
request-filtering-policy : Read and Modify
resource-limits-policy : no-limits
schema-check-enabled : false
user-filter : any
ldapsearch -x -b dc=example,dc=com -H ldaps://proxy.example.com:1636 -W -D "uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" '(uid=user)' dn
[07/Apr/2009:19:44:10 +0300] - CONNECT - INFO - conn=33 client=10.0.0.1:40795 server=proxy.example.com:1636 protocol=LDAPS
[07/Apr/2009:19:44:10 +0300] - PROFILE - INFO - conn=33 assigned to connection handler cn=default connection handler,cn=connection handlers, cn=config
[07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE" version=3
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE"" version=3 s_msgid=18 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=0 BIND RESPONSE err=0 msg="" s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=0 BIND RESPONSE err=0 msg="" etime=0
[07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=1 msgid=2 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn "
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=domain1,dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=19 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=2 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=20 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=32 msg="" nentries=0 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=domain2,dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=21 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=2 s_conn=dna:1
[07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=4 etime=0
As you see the connection is routed through default connection handler.
This happens sometimes even If I put the client IP in the criteria, without the bind criteria.
I'm a bit confused. I've also tried to change the priorities, but no luck again.
The funny thing is that if I connect through the non-SSL port on the proxy, the connection is routed through the domain1.example.com connection handler...
[07/Apr/2009:19:51:32 +0300] - PROFILE - INFO - conn=37 assigned to connection handler cn=domain1.example.com,cn=connection handlers,cn=config
Any comment on this would be appreciated.
Regards,
Giannis
Talking about randomness, I've deleted the connection handlers,
deleted the default data views, deleted the default data pool, enabled manual routing.
recreated the connection handlers and now it works.
The handlers are the same as before. Same criteria...
Don't get it but there must be something fishy going on there...
Anyway, what I'm trying to do is a setup like
"Data Views That Route Requests When a List of Subtrees Is Stored on Multiple, Data-Equivalent Data Sources"
http://docs.sun.com/app/docs/doc/820-2763/gbwva?a=view
where requests with the parent domain as base would work as well.
domain1.example.com
domain2.example.com
example.com (includes both)
If I have something new I will post.
Giannis
Hi All,
I am trying to configure OIM with Exchange 2003, for this I am using exchange connector MSFT_Exchange_91100 with OIM 9101. I have copied the jar files to required directory and also imported the xml and according to the documentation I need not do anything else for exchange 2003. But when I try to provision the user to Exchange it fails at create mailbox event. Provisioning with AD is working fine and I am able to provision user both in SSL and Non SSL mode.
While provisioning the user I was not getting any value for mailbox store name in Exchange process form, so I even tried adding the Server Name/Mail box Name/FQDN of Mailbox in the lookup Lookup.ExchangeReconciliation.MailStore but still the mailbox was not getting created.
I have previously configured my OIM 9100 with prior version of connector and that used to ask me Server Name and Store Name but I have not specified these value while using this connector.
Am I missing something that is preventing the mailbox from being created?
I have my reconciliation with Exchange working. Now I want to link one more field (proxyAddresses) during reconciliation. For that I have followed the steps mentioned in the connector guide. It worked, but the attribute is a multi-valued attribute, and on following the guide I was able to get only one value even if I use TextArea as the Field Type.
I also followed the steps given in the AD connector guide to add a multi-valued field. For this I created a child form and added it to the Exchange form. Then I created a multi-valued field in the Exchange resource object; after this, the resource object was linked to the process definition multi-valued field and an entry for the attribute was added to the AtMap.Exchange lookup field.
But when I reconcile using this configuration it is throwing me error that it is not able to find the field specified in child table. In reconciliation manager the event for recon is getting received.
I am using Exchange connector 91100.
DPS 6 bind to backend error?
Getting an error for DPS 6. I think I have everything set up correctly. Binds to the DS are OK and anonymous binds through DPS are OK. However, when I bind through DPS I get the access error below.
conn=132 op=0 BIND RESPONSE err=1 msg="Unable to retrieve a backend BIND connection" etime=0
Also, in the DSCC under Routing > Data Sources for the DPS it states the "operational status" as not available, which I can't explain. Any ideas why I am not binding through to the backend DS?
Thanks Ludovic!
Actually I have tried to create another connection handler like directory-manager-connection-handler:
aci-source : none
allowed-auth-methods : anonymous
allowed-auth-methods : sasl
allowed-auth-methods : simple
allowed-ldap-ports : ldap
allowed-ldap-ports : ldaps
bind-dn-filters : cn=directory manager
data-view-routing-custom-list : myView1
data-view-routing-policy : all-routable
description : for cn=Directory Manager
domain-name-filters : any
enable-data-view-affinity : false
ip-address-filters : any
is-enabled : true
is-ssl-mandatory : false
priority : 2
request-filtering-policy : no-filtering
resource-limits-policy : no-limits
schema-check-enabled : false
user-filter : any
Here is my data view:
alternate-search-base-dn : ""
alternate-search-base-dn : dc=com
attr-name-mappings : none
base-dn : dc=example,dc=com
contains-shared-entries : false
description : -
distribution-algorithm : none
dn-join-rule : none
dn-mapping-attrs : none
dn-mapping-source-base-dn : none
excluded-subtrees : -
filter-join-rule : none
is-enabled : true
is-read-only : false
is-routable : true
ldap-data-source-pool : myPool1
lexicographic-attrs : all
lexicographic-lower-bound : none
lexicographic-upper-bound : none
non-viewable-attr : none
non-writable-attr : none
numeric-attrs : all
numeric-default-data-view : false
numeric-lower-bound : none
numeric-upper-bound : none
pattern-matching-base-object-search-filter : all
pattern-matching-dn-regular-expression : all
pattern-matching-one-level-search-filter : all
pattern-matching-subtree-search-filter : all
process-bind : -
replication-role : master
viewable-attr : all except non-viewable-attr
writable-attr : all except non-writable-attr
However, when I did ldapsearch, I still got the same error:
ldapsearch -D "cn=Directory Manager" -w mypwd -h myhost -p port# -b "dc=example,dc=com" -s one "objectclass=*"
ldap_simple_bind: Operations error
ldap_simple_bind: additional info: Unable to retrieve a backend BIND connection
The reason I have kept trying with cn=Directory Manager is that I don't want to make changes to our application (even if it's only a property file) after I migrate to the new version.
Thanks! -
Error while trying to provision OIM user to Active Directory using SSL
Hi All,
I am able to see the users through an LDAP browser using SSL, but I am getting the following error while trying to provision OIM users to AD using SSL.
I am using Microsoft Active Directory connector type 9.11.
Response: Connection Error encountered
Response Description: Error encountered while connecting to target system
I did some testing using "Diagnostic Dashboard" and the following are the results.
Test Name: Target System SSL Trust Verification: Passed
Test Name: Test Basic Connectivity: Failed
Exceptions:
ITResource information values are not correct. Enter the correct values.
java.lang.reflect.InvocationTargetException
javax.naming.CommunicationException: simple bind failed:
unable to find valid certification path to requested target.
Test Name: Test Provisioning: Failed
Note: Without SSL, all the above tests got Passed.
Can anybody help me out with this issue?
Thanks in advance.
Pradeep Kumar.
I am able to connect to AD using port 636 from an LDAP browser, and as the following test got Passed I think that my certificate should be correct.
Test Name: Target System SSL Trust Verification.
Input Parameters
Target System: idm.orademo.com
Port: 636
Certificate Store Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
Result : Passed
ITResource Values:
ADAM LockoutThreshold Value
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Admin FQDN cn=Administrator,cn=Users,dc=orademo,dc=com
Admin Password *******
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Invert Display Name no
Port Number 636
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
Root Context dc=orademo,dc=com
Server Address idm.orademo.com
Target Locale: TimeZone GMT
UPN Domain orademo.com
Use SSL yes
isADAM no
isLookupDN no
isUserDeleteLeafNode no
Thanks & Regards,
Pradeep Kumar. -
Problem in provisioning user from oim to active directory using ssl
Hi,
I am getting the following error while provisioning a user from OIM to Active Directory using SSL.
15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Can anyone help?
Thanks and Regards,
praveen,
Are you able to connect to AD over SSL through some LDAP browser?
Check the validity of Certificate ?
Does your certificate appear in the list ? -
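Both OIM threads above (Pradeep's "unable to find valid certification path" and praveen's "simple bind failed ... :636") stop at the same point: the connector's JNDI simple bind over LDAPS fails because the JVM that runs OIM, not the LDAP browser, does not trust the issuer of AD's certificate. The following is an added example, not OIM or connector code, that performs the same JNDI bind outside OIM against whatever truststore the JVM loads, so a trust problem can be separated from an IT Resource problem; the host, port, bind DN and the BIND_PASSWORD variable are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/*
 * Minimal LDAPS simple bind with JNDI, the same operation OIM's AD connector
 * performs. Run it under the OIM JVM with the truststore OIM uses, e.g.
 *   java -Djavax.net.ssl.trustStore=<jre>/lib/security/cacerts LdapsBindCheck
 * so the trust decision is made exactly as it is inside OIM.
 */
public class LdapsBindCheck {
    // Constructed placeholders: use the IT Resource's Server Address, Port Number and Admin FQDN.
    static final String HOST = "ad.example.com";
    static final int PORT = 636;
    static final String BIND_DN = "cn=Administrator,cn=Users,dc=example,dc=com";

    public static void main(String[] args) {
        String password = System.getenv("BIND_PASSWORD"); // assumed env var, keeps the secret off the command line
        if (password == null) {
            System.err.println("Set BIND_PASSWORD in the environment first.");
            return;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + HOST + ":" + PORT);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            System.out.println("LDAPS bind succeeded: this JVM trusts the AD certificate chain.");
        } catch (CommunicationException e) {
            // A "PKIX path building failed" root cause here means the CA that issued AD's
            // certificate is not in the truststore this JVM loaded; importing it into that
            // store with keytool (see the steps at the top of the thread) is the fix.
            System.err.println("Transport/trust failure: " + String.valueOf(e.getRootCause()));
        } catch (NamingException e) {
            // TLS handshake completed; the directory itself rejected the bind (DN, password, account state).
            System.err.println("Bind rejected by AD: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

If this program fails with a certification-path error while an LDAP browser on the same host succeeds, the browser and the JVM are reading different truststores; the one to fix is the file named in the Diagnostic Dashboard's "Certificate Store Location".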
OIM 11g R2 - Setting a field as mandatory while provisioning through catalo
Hi,
May I know how I can make a field mandatory (red asterisk) while trying to provision an account through the catalog wizard? I don't see any option to set required=true while creating a form for an application instance. Thanks.
Log in to sysadmin -> create sandbox -> go to form designer -> select your form, now click on the customize link (right top corner) -> select your attribute and set the required field to true, and then save it. Finally export the sandbox, run the catalog sync job, and then verify whether the attribute is mandatory in the request form/dataset or not.
The same is mentioned in the R2 release note. -
SPA303 Provisioning over SSL with Client Verification problem
Hello,
We use DHCP (66) HTTPS URL for provisioning and initial configuration of SPA303 phones.
When Client Verification is enabled - the phones fail to authenticate to the web server and provisioning fails. It works perfectly when Client Verification is disabled. Debug logs and ssl traffic sniffing revealed only that the phones fail to authenticate properly with the built-in certificates to the server.
The server certificate passes validation (Cisco issued); however, since no full CA chain is available from Cisco, we can't be completely sure it's valid.
Server side is Apache, the SSL conf is as follows:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:+MEDIUM
SSLCertificateFile /usr/local/apache2/conf/ssl/conf/ssl/pserv.dom.com.cert
SSLCertificateKeyFile /usr/local/apache2/conf/ssl/conf/ssl/pserv.dom.com.key
SSLProtocol All -SSLv2
SSLVerifyClient require
SSLCACertificatePath /usr/local/apache2/conf/ssl/conf/ssl/
SSLCACertificateFile /usr/local/apache2/conf/ssl/conf/ssl/combinedca.crt
Could it be a problem with the server conf or certificate(s) issue?
PS.
We followed those to obtain the certs:
https://supportforums.cisco.com/docs/DOC-9852
https://supportforums.cisco.com/docs/DOC-12709
Any ideas appreciated!
SOLVED!
I solved the problem.
The key to the solution was the ifolder39_admin.pdf - page 226.
Best regards
Andre -
Do I have to configure SSL on Cisco Unified Provisioning Manager for it to work
Here is the code
#include <userint.h>
#include <NIDAQmx.h>   // DAQmx API (TaskHandle, DAQmxCreateTask, ...); needed for the calls below
#include "iface.h"
#define DAQmxErrChk(functionCall) if( DAQmxFailed(error=(functionCall)) ) goto Error; else

int write_onoff(uInt8 HL, const char linename[])
{
    int error=0;                 // error code (initialized to zero i.e. no error)
    TaskHandle taskHandle=0;     // task ID for DAQmx
    char errBuff[2048]={'\0'};   // error message
    // DAQmx Configure Code
    SetWaitCursor(1);
    DAQmxErrChk(DAQmxCreateTask("", &taskHandle));
    DAQmxErrChk(DAQmxCreateDOChan(taskHandle, linename, "", DAQmx_Val_ChanPerLine));
    // DAQmx Start Code
    DAQmxErrChk(DAQmxStartTask(taskHandle));
    // DAQmx Write Code: one sample per channel, 10 s timeout, HL is the line level to write
    DAQmxErrChk(DAQmxWriteDigitalU8(taskHandle, 1, 1, 10.0, DAQmx_Val_GroupByChannel, &HL, NULL, NULL));
Error:
    SetWaitCursor(0);
    if (DAQmxFailed(error)) DAQmxGetExtendedErrorInfo(errBuff, 2048);
    if (taskHandle!=0)
    {
        // DAQmx Stop Code
        DAQmxStopTask(taskHandle);
        DAQmxClearTask(taskHandle);
    }
    if (DAQmxFailed(error)) MessagePopup("DAQmx Error", errBuff);
    return error;
} // end write_onoff

int CVICALLBACK test (int panel, int control, int event, void *callbackData, int eventData1, int eventData2)
{
    uInt8 onoff=0;
    if (event==EVENT_COMMIT)
    {
        GetCtrlVal(panel, control, &onoff);
        write_onoff(onoff, "Dev1/port0/line0");
    }
    return 0; // return 0 to tell the system the message has been handled
}