RDBMS Authenticator and Portal Admin

Similar Messages

• SSO between Portal Application and Portal Admin Tool

  Hi All,
  We have a requirement for implementing SSO between a Portal application and
  Portal admin tool.
  We are using WL Portal 8.1 SP4.
  Here is the reason for this requirement -
  A user logged-into Portal Application needs to login to Portal Admin tool to
  do some admin activity. We want to provide a link in the portal application
  using which the user can directly login to the Portal Admin tool without
  having to enter the credentials again.
  If someone has any info on how to implement this, can you please point me in
  the right direction.
  Thanks,
  ~Deepak

  Hi,
  When creating PP you have 2 options
  PP used for compiling and PP used for Building
  You create PP with all the libraries into Developing/Compiling Other DCs
  And another PP with all the libraries into can be packaged into other build results (SDAs).
  Once you have these 2 PP in place you add the DC as used DC.
  And this should resolve the issue.
  Hope this helps.
  Cheers-
  Pramod

• Portal Admin Tool & order of Authentication Providers

  For our app, we use two LDAP authentication providers that point to different LDAP
  repositories.
  Both of them have been configured to have the JAAS flag - OPTIONAL. When the order
  is ProviderA and ProviderB (in WLS Console), the authentication works in Portal
  Admin Tool. But when the order is reversed to ProviderB and ProviderA, it throws
  profileNotFound error and the Portal Admin Tool bombs.
  Since both of the providers have been configured to OPTIONAL, shouldn't the order
  of the providers be immaterial?
  Is this a problem with the Portal Administration Tool?
  Thanks,
  James

  Is this a different problem, then? The ProfileNotFound exception comes only
  after
  authentication succeeds. If you are on SP2, it makes me wonder if the
  credentials
  for weblogic are in both providers and are different (different password)?
  Also, can you tell me which authorizer and role mapper providers you are
  using?
  -Phil
  "James Spencer" <[email protected]> wrote in message
  news:[email protected]...
  >
  Phil,
  We are on SP2. The problem I am having is, the weblogic admin user -weblogic
  - is not able to authenticate in Portal Admin Tool depending upon theorder of
  the providers.
  I thought the authentication for Multiple providers should work in SP2,irrespective
  of the order.
  I read about the users/groups page works only for the first auth provider.
  James
  "Phil Griffin" <BEA> wrote:
  You're right, the order should be immaterial. The problem is the
  portal admin tools (and runtime profile location) rely on a
  userExists() call succeeding against a single (default) ATN provider.
  There is a number of ways to specify which provider this is - see Javadoc
  for getProviderMBean for a description.
  http://edocs.bea.com/wlp/docs81/javadoc/com/bea/p13n/usermgmt/RealmHelper.h
  tml#getProviderMBean
  >>
  Better yet, SP2 includes a fix which automatically allows all providers
  to
  be
  checked. The Portal Admin tools still only operate against a singledefault
  provider
  (to edit users/groups), until SP3.
  -Phil
  "James Spencer" <[email protected]> wrote in message
  news:[email protected]...
  For our app, we use two LDAP authentication providers that point todifferent LDAP
  repositories.
  Both of them have been configured to have the JAAS flag - OPTIONAL.When
  the order
  is ProviderA and ProviderB (in WLS Console), the authentication worksin
  Portal
  Admin Tool. But when the order is reversed to ProviderB and ProviderA,it
  throws
  profileNotFound error and the Portal Admin Tool bombs.
  Since both of the providers have been configured to OPTIONAL, shouldn'tthe order
  of the providers be immaterial?
  Is this a problem with the Portal Administration Tool?
  Thanks,
  James

• Weblogic portal external authentication and authorization

  In our project we are using Weblogic portal 10.3 and Oracle 11g as back end. While creating the domain, I have specifed Oracle as back end. All the portal relevant schemas are created in Oracle database. For our application, We have created a specific schema. In a project specific schema, we have user table which containing fields like user name, password, email and other relevant fields. How to configure in weblogic to access this table for authentication instead of the user table in portal schema? As well as I need to know, in a admin console if a new user is created then the details will be stored in a portal schema table or in a project schema user table? Ultimately, I want to configure the project specific table to store the user details when the user created via admin console.
  Need this urgently.

  Hi Rajesh
  Basically you need Custom Authenticator to store and authenticate all your users from your own specific DB Tables (that has user information). For this you need to develop Custom Authenticator. Please note that this has nothing to do with the Portal. This is core weblogic security stuff. I compiled some links for you. Incase if you have Oracle Support, open a ticket with them Oracle support do have a fully working sample custom RDBMS Authenticator that stores and authenticates Users from specific set of custom Tables. They will send you right away. I hope someone in these forums may have this sample also in their personal blogs/forums.
  And, Yes, you can force your Custom Authenticator to be the default one and to store the users when you create the users in Admin Console. Basically when you create the users you should see the option like to create the users in which Authentication Provider like that.
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html (Authentication Providers)
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html#wp1145342 (Do You Need to Develop a Custom Authentication Provider?)
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html#wp1089150 (How to Develop a Custom Authentication Provider)
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1204261 (Changing the Order of Authentication Providers)
  Thanks
  Ravi Jegga

• RDBMS Authentication in Weblogic Portal console 8.1 (SP5)

  HI,
  I have configured RDBMSBased authentication for oracle in Weblogic portal console 8.1.For Authenticating thru code,do i need to write any custom authentication for RDBMS or Is there any default authenticator?
  Regards,
  Senthil

  Hi subha,
  Thanks for ur reply.
  U meant to say that i need to create RDBMSBeased Authentication provider for oracle in the existing myRealm. This RDBMS authenticator is one of the authenticator in the Authenticator list.Am i correct?
  I have certain issues regarding this type of config:
  1)If i create a user thru program,where does it go? either embaddedLDAP or oracle database
  2)Since point base not used in production,we have to use oracle for Authentication as well as Autherization server.
  In the default configuration, user preferences are stored in point base database but it should go to oracle.
  Is it possible to redirect to oracle?
  What i had done that I have created new Realm where i configured RDBMSBased authenticator. Using this config, can i do Authentication as well as Authorization?
  Pls suggest.
  Regards,
  Senthil

• SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

  Hi Experts,
  We have the following requirements:
  1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
  2. ECC6 user-id's differ from Active Directory user.
  3. User logs in to Active Directory.
  4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
  5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.
  The following suggested solution was the closest to the requirement (without to much technical detail):
  1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
  This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
  2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
  This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.
  Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
  Regards.

  AJP,
  The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
  If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
  Thankyou,
  Tim

• Not able to display users from Opneldap in Weblogic 8.1 Portal Admin

  Hi
            I had configured openldap for multiple authentication in weblogic 8.1. I am able to see users and groups from openldap in weblogic admin console but when i go to Portal Administration i am not able to see those users and groups. Also as per weblogic documentation it says that Authentication provider selection is shown automatically in Portal Admin. Also i am able to log to portal application from openldap users.
            I want set entitlements using Portal Admin for openldap users
            Can anyone suggest how to make it work.

  Hi
            I had configured openldap for multiple authentication in weblogic 8.1. I am able to see users and groups from openldap in weblogic admin console but when i go to Portal Administration i am not able to see those users and groups. Also as per weblogic documentation it says that Authentication provider selection is shown automatically in Portal Admin. Also i am able to log to portal application from openldap users.
            I want set entitlements using Portal Admin for openldap users
            Can anyone suggest how to make it work.

• Authentication and authorization capability in weblogic application server

  Hi,
  Need input from architecture point of view -
  Requirement is typical - have to build a web center portal application with authentication and authorization capability.
  I can think of three architecture options:
  1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
  2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
  3. only weblogic server (users created in weblogic admin console)...
  Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
  Confused between 2nd and 3rd.
  2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
  3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
  Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
  Thanks.

  Hi,
  You are right your first requirement make more costly and complex environment.
  I would recommend to go with Second option instead of the third one.
  In cause in future if you want to use different server also you will have option to use external AD.
  Well now you will think why I recommend you second option instead of the third option.
  external LDAP is more secure than internal one.
  If you have any further query let me know.
  Regards,
  Kal

• OiD and Portal Integration (WWC-41400)

  Outside of the steps below what can be done to integrate Portal and OiD ?
  Thanks in Advance !
  This is a new install of Oid and Portal.
  Portal is installed using ias10221 in a 8.1.7.2 database on Sun Solaris 2.7 w/patches.
  Used Configuring Oracle 9iASPortal for LDAP Authentication. White Paper.
  December 2000. To defined OID/Portal steps.
  I've reviewed
  Note: 133123.1 WWC-41400 trying to login to Portal using LDAP authentication
  http://otn.oracle.com/products/iportal/htdocs/portal_faq.htm selecting from dba_libraries shows these items.
  PORTAL30_SSO AUTH_EXT
  /u01/app/oracle/product/8.1.7.2/lib/ssoxldap.so
  Y VALID
  SYS AUTH_EXT
  /u01/app/oracle/product/8.1.7.2/lib/ssoxldap.so
  Y VALID
  PORTAL30 AUTH_EXT
  /u01/app/oracle/product/8.1.7.2/lib/ssoxldap.so
  Y VALID
  The file exists:
  -rw-r--r-- 1 oracle dba 8324 Dec 5 14:37
  /u01/app/oracle/product/8.1.7.2/lib/ssoxldap.so
  cmrapp:/ >echo $TNS_ADMIN
  /u01/app/oracle/product/8.1.7.2/network/admin
  cmrapp:/ >tnsping extproc_connection_data
  TNS Ping Utility for Solaris: Version 8.1.7.2.0 - Production on 10-DEC-2001
  (c) Copyright 1997 Oracle Corporation. All rights reserved.
  Attempting to contact (ADDRESS=(PROTOCOL=IPC)(KEY=extprocO))
  OK (30 msec)
  Here is the listener.ora
  LISTENER2 =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = cmrapp.ssd.census.gov)(PORT = 1526))
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = extprocO))
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (PROGRAM = extprocO)
  (SID_NAME = PLSExtProc)
  (ORACLE_HOME = /u01/app/oracle/product/8.1.7.2)
  (ENVS =
  'LD_LIBRARY_PATH=/u01/app/oracle/product/8.1.7.2/ctx/lib:/u01/app/oracle/product/8.1.7.2/lib:/u01/app/oracle/product/8.1.7.2/bin:/u01/app/oracle/product/8.1.7.2/ctx/bin')
  (SID_DESC =
  (GLOBAL_DBNAME = oiddev)
  (ORACLE_HOME = /u01/app/oracle/product/8.1.7.2)
  (ENVS = 'TNS_ADMIN=/u01/app/oracle/product/8.1.7.2/network/admin')
  (SID_NAME = oiddev)
  TNS_ADMIN is set to /u01/app/oracle/product/8.1.7.2/network/admin in the
  apachectl script and at the OS level.
  Additionally
  The Apache/Apache/logs and Apache/Jserv/logs are clear and no invalid database objects.
  I also looked within the Portal30 schema for errors, but found none.
  SQL> select * from wwv_rw_errors$;
  no rows selected
  SQL> select * from wwv_errors$;
  no rows

  Hello Lorenzo,
  Currently the procedure on how to do this can be found at:
  http://technet.oracle.com/products/iportal/pdf/conf_ldap.pdf
  9iAS v2 will be in production sometime in the next month or two.
  The procedure for setting this up will be more siplified in 9iAS
  v2.
  Thanks,
  Jay

• Can't access to Portal Admin Console.

  Hi all,
  I'm working with WLP 10.2. I've created the ear-file (using maven) and deployed it on server (with Unix-system). The current application works well.
  My current task is a creation portal in streaming mode. Unfortunately I can't access to Portal Admin console for resolving task. I always retrieve "Error 404 (Not found)".
  As I know the admin-tools.war is responsible for Portal Admin Console. I've checked admin-tools.war is running on server (with status "Active").
  I'm using the next path for running Portal Admin Console: {serverhost:port}/{context root of admin-tools}/portal.portal.
  Maybe, Should I set up(correct) application.xml or weblogic.xml?
  Please let me know if you have any ideas.
  Thanks,
  Yuriy

  I think your URL is wrong, try with the following...
  http://{server:port}/{name_your_ear}Admin/portal.portal
  name_your_ear= The name of your Enterprise Application.
  For example,
  http://localhost:7001/DemosEarAdmin/portal.portal
  I hope this helps

• Midtier removal of Forms and Reports and Portal failing

  Hi
  I am having an issue removing the midtier of a forms/Report/BI and portal midtier,
  The deconfigtool.pl hang and I am recieving the following message in a deconfigportal.log.
  Invoking OPCA in DEINSTALL mode with the following arguments :
  Install Mode : DEINSTALL
  Portal Schema : portal
  Connect String : cn=orcl,cn=oraclecontext
  OID Host : hresources
  OID Port : 389
  OID Admin DN : cn=orcladmin
  Use SSL to OID : N
  Drop mode : midtier
  STEP 1 : Deleting Portal Partner application
  Parameters passed to SSO registration tool :
  param0:-oracle_home_path param1:D:\Oracle\CoreMid param2:-config_sdk_papp param3:TRUE param4:-papp_schema param5:portal param6:-old_lsn_token param7:hresources.ncirl.ie param8:-update_mode param9:DELETE param10:-papp_password param11:**** param12:-pappDBConnect param13:cn=orcl,cn=oraclecontext param14:-ssoDBConnect param15:cn=orcl,cn=oraclecontext param16:-pass param17:**** param18:-schema param19:orasso_pa
  -DinstallType=
  -DoldOracleHome=
  -DoldOHSUser=SYSTEM
  Check D:\Oracle\CoreMid\sso\log\ssoreg.log for details of this registration
  SSO registration tool failed. Please check the log file D:\Oracle\CoreMid\sso\log\ssoreg.log, correct the problem and re-run the tool.
  STEP 2 : Deleting Portal DAD
  STEP 3 : UDDI deinstallation
  STEP 4 : Ultrasearch deinstallation
  Anyone know how to get around this.

  And what does D:\Oracle\CoreMid\sso\log\ssoreg.log say?
  Thanks
  Shail

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• SSO and portal timeout  -- other bug?

  ...this is very probably related to the other post talking about SSO and portal timeout...
  I am having another weird issue with dotnet portlets that uses inline refresh (done automatically by dotnet accelerator) and SSO.
  When you let the portal session expire, and then click on a button/link within a portlet (hence generate an inline refresh gatewayed request), the full portal window (header/footer etc...) appears within the portlet, instead of the portlet content alone.
  I did some http traces (see below) and it seems the problem is due to the windows SSOLogin.aspx (we are using windows auth SSO) not taking the requested portlet gatewayed request url as a post login redirect info... but taking instead the current page url (which is wrong)
  Thus, after the gatewayed portlet request is successfully authenticated by the SSOLogin.aspx component, it is automatically redirected to the wrong urll...making the full portal page refresh into the portlet.
  So my question is: have anyone already seen such behavior? And has anything been done to fix this?
  It really seems like a bug with the SSO servlet...but maybe i am doing something wrong...Just want to have your thoughts on this.
  Thanks,
  Fabien
  ============================================================================================
  HTTP Trace:
  POST     302     Redirect to /portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login     http://your.portal.com/portal/server.pt/gateway/PTARGS_0_15046_362_205_0_43/http%3B/your.portletserver.com/yourapp/youraspx.aspx
  GET     401     text/html     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     401     text/html     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     302     Redirect to http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     200     text/html; charset=utf-8     http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login

  I have this happen in v6.0 sp1. We have worked around the problem with a bit of work and synchronization of settings. Below, I've outlined how we've worked around the problem (which is indeed a problem that should be fixed). Also, if you have a load balancer, you'll need to set your session timeout on the load balancer to a bit more than the refresh rate that you set for your communities and My Pages.
  Resolving the Portlet Timeout / Refresh Problem in ALUI Portal_
  Problem: Users occasionally receive the portal page within a portlet error
  Cause: The root cause has not been determined; however it appears that the primary event that exhibits the behavior is when a teammember’s session has expired on the portal server and they then utilize a .NET form-based portlet which refreshes in place. Because we are using WIA SSO to enable automatic logins to the portal, it makes the error seem to occur randomly.
  Resolution:
  The workaround solution is to – 1) increase the portal session timeout on the portal web servers from the default 20min to 4 hours, and 2) set the MyPage refresh interval setting for all portal users to 3 hours. The setting name is a bit of a misnomer, as it will actually refresh the entire portal page automatically if the user is idle on either a My Page or a Community Page, as these are the only two places that portlets reside.
  Increasing the portal session timeout:
  The portal session timeout is controlled in two places, and both settings should match. On the portal virtual directory in IIS, edit the configuration and increase the timeout setting to 240 (minutes). Then, edit the portal application’s web.config file (d:\portal\ptportal\6.0\webapp\portal\web\) and increase the sessionState Timeout variable to 240. Editting the config file will require you to restart the services before you see the change.
  Initial setting of the MyPage refresh interval:
  The initial setting will need to be done by a SQL script in order to apply it to all existing users. The Default Profile should also be updated so that all new user synched from AD will have this setting applied automatically.
  /* Delete refresh interval settings for all users first so that there are no conflicts on the inserts */
  DELETE FROM portaldbuser.ptprefs WHERE prefname = 'intMyPageRefreshRate'
  /* Insert desired page refresh setting for all users */
  INSERT INTO portaldbuser.ptprefs (userid,gadgetid,prefclassid,prefobjectid,prefname,prefvaluetype,prefvalue,pagenumber) SELECT objectid,0,0,0,'intMyPageRefreshRate',3,180,0 FROM portaldbuser.ptusers
  From Administration, access the Default Profiles utility. Check the Default Profile entry and click on the Edit Profile Layout link. Click on the My Account link in the Portal Settings portlet and then on the Display Options link on the next page. In the Page and Portlet Settings, update the Your My Page will be updated: setting to 4 hours. Click Finish twice to return to Administration.
  Updating the MyPage refresh interval:
  To update the setting just modify the insert portion of the SQL script. Change the prefvalue number (180) to the desired timeout in minutes and rerun both statements of the script.
  The Default Profile should be also be modified per the instructions above.
  I hope this helps...
  -tom

• Weblogic portal admin - delegates book contents are visible to anonymous us

  weblogic portal admin - delegates book contents are visible to anonymous users !!!
  In the weblogic portal administration console, we have configured a desktop and under which there are some portlets and one delegates book (delegates book contains portlets which are visible to the logged in users only by configuring entitlements)
  The desktop URL is something like : http://10.0.1.1:7010/TTDPortalWeb/appmanager/TTDPortal/desktop
  accessing this URL shows the main page contents perfectly before and after login (ie. it only shows the services which are supposed to show to the logged in user)
  but if somebody accesses the below url delibrately, all the contents are shown even without login.
  http://10.0.1.1:7010/TTDPortalWeb
  when i select a portlet inside the delegates book, I can see the Portlet publishing link URL as:
  http://10.0.1.1:7010/TTDPortalWeb/bea/wlp/api/portlet/publish?context=/TTDPortalWeb/appmanager/TTDPortal/desktop&portlet=CompletionCertificatePortlet_1
  but when I roll mouse over the service's link on the actuall page, I see url as http://10.0.1.1:7010/TTDPortalWeb/wlp.c?__c=7d6 (also when I click the service, I takes me to this URL)
  When I roll mouse over the forgot password which is at the main desktop (not inside the delegates book) it shows the correct URL which is http://10.0.1.1:7010*/TTDPortalWeb/appmanager/TTDPortal/desktop*?_nfpb=true&_windowLabel=portlet_3_1_1&portlet_3_1_1_actionOverride=%2Fttd%2Fportal%2Fpageflow%2Fuser%2Flogin%2FforgotPassword
  Any help would be highly appreciated
  Thanks and Regards
  Ushas Symon

  Solved the problem by editing the entitlements on the books under the Library section at the portal admin...

• Authentication and Authorization question.

  Hi All,
  I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
  Authentication.
  1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
  2. The end result of this process is true/false.
  Authorization.
  1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
  2. The end result of this process is true/false.
  Role mapping.
  1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
  2. The end result is list of roles for a user.
  Security policy configuration.
  Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
  Thanks,
  Prashanth Bhat.

  The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
  The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
  The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
  My question is whether thess(DAs and VEs) can also be put
  our datastore for access rights??
  Thanks,
  Prashanth Bhat.