Rights Management problem (http / https)

How do I fix the error: "You are attempting to connect to an adobe livecycle rights management server using an insecure protocol."
Is there a way to leave the server as http and change the policies to not ask for https protocol?
I've tried changing the BASE URL to http://localhost:8443 but cannot find any documentation to help me further.

Is the client using Netscape Navigator or IE? There used to be a problem
with Netscape not sending the cookies established for a domain like:
something.com:7001/xxxxx
if a redirect sends the user to
something.com:7002/zzzzz
Because of the port change in the URL, it treats these as different domains
and doesn't send previous cookie containing session ID.
Works fine if you use default ports for http/https and do NOT put them in
the URL.
Not sure if this is at all related to your problem.
-Greg
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.oreilly.com/catalog/entjbeans3 or www.titan-books.com
"Peter Morelli" <[email protected]> wrote in message
news:3bf478a9$[email protected]..
>
We have an apache 1.3.20 with the weblogic ssl plugin front ending two5.1sp10
weblogic servers.
The plug-in load balances between the two servers, but when a userestablishes
a session, all requests are served by the wl instance that established thesession.
So far, the correct, sticky behavior.
The problem occurs when a user establishes a session with non-SSL http,then switches
to SSL HTTPS, or vice versa. It looks like a new session is established,and in
some cases, the requests are now served by the other server.
Is there any way to maintain sessions across HTTP and HTTPS?
Thanks.
--pete

Similar Messages

Samba4 user groups rights management problem

Hey,
I have a network with an archlinux server as only server on the network.
On the server with samba3 there are different directories with different user and group rights. Every user was existing twice, as a Linux user and as a samba user. In the samba smb.conf force group was set to the linux group, the files were forced 660 and directories 770.
user 1-4 were in officesmbgroup with access only to share1
user 1-2 were in officesmbgroup and extrasmbgroup with access to share1 and share2
all 4 users exist as linux users and have ssh access to the linux server
Example working on samba3
[share1]
available = Yes
browseable = Yes
comment = office
create mask = 660
directory mask = 2770
force create mode = 660
force directory mode = 2770
force group = officesmbuser
guest ok = No
path = /data/office
writeable = Yes
valid users = @officesmbuser
[share2]
available = Yes
browseable = Yes
comment = office
create mask = 660
directory mask = 2770
force create mode = 660
force directory mode = 2770
force group = extrasmbuser
guest ok = No
path = /data/extra
writeable = Yes
valid users = @extrasmbuser
As I understood with samba4 this is no longer possible because it is not possible to force a linux group in samba any more. I figured out to mange this in samba4 standalone role mode. But this has a big disadvantage: I had to set all files on the shares to 666 and folders to 777.
Working wtih samba4 standalone role mode, but security problem
[share1]
available = Yes
browseable = Yes
comment = office
create mask = 666
directory mask = 2777
force create mode = 666
force directory mode = 2777
guest ok = No
path = /data/office
writeable = Yes
valid users = user1, user2, user3, user4
[share2]
available = Yes
browseable = Yes
comment = office
create mask = 666
directory mask = 2777
force create mode = 666
force directory mode = 2777
guest ok = No
path = /data/extra
writeable = Yes
valid users = user1, user2
This would be a problem because linux user3 and user4 have ssh access and would have access to all files on both shares in all directories.
Is there another way to manage this or do I have to set up active directory, manage group rights there and leave the local rights on the linux machine at 660 and 770?
Thanks in advance

Thanks Bill, that was really handy.
I'd used the Add ID option without being on a specific store, and it had placed it under Digital IDs. It was still offering me the option to use that certificate to authenticate against the server with. I imported the certificate into the Windows Digital ID section it now authenticates against the server perfectly.
So problem solved, although I'm still not 100% sure why the Import Digital ID places the certificates into a location which doesn't work with Rights Management, although I'm sure there's a good reason.
I'll make sure that we only add to the Windows Digital ID container in Acrobat/Reader or import directly into the Personal Certificate store in Windows for the demonstration.
Thanks for your help in fixing this.

Rights management setup

would someone tell me the rights management setup step by setp? thank you very much!

CREATE USER WITH ‘RIGHTS MANAGEMENT USER’ ROLE
Using the LiveCycle AdminUI, create a local user with the role “LiveCycle Rights Management User”
ENSURE HTTPS ACCESS TO THE RIGHTS MANAGEMENT WEBUI
Please note that the ‘Administrator’ user cannot login to Rights Management by default.
If the server is using a self-signed certificate, import the certificate to the local Windows certificate store. If this is not done, Acrobat will throw this error:
“Unable to connect to the service. SSL protocol error. Certificate is either invalid or common name or authority are not recognized.”
Launch your browser. Point it to the SSL over HTTP URL of the server such as follows:
https://lces2.adobe.com:9443/edc/Login.do
In IE8, you will get a message that says “There is a problem with this website’s security certificate.”
1) Click “Continue to this website (not recommended).”
2) At the top, to the right of the URL field, there shoul be a button that now says “Certificate Error”.
3) Click it. Then click the link “View Certificates”.
4) Click the button ‘Install Certificate”
5) Let the wizard guide you through the install. Choose “Automatically select the certificate store based on the type of certificate”.
6) If everything went fine, you should get a message that says “The import was successful”.
7) Click OK
8) Load the same URL again (https://lces2.adobe.com:9443/edc/Login.do). This time you should not get a certificate error. Instead, the Rights Management login page should load.
In Windows Vista, instead of letting IE choose the certificate store based on the type of certificate, choose the radiobutton ‘Place all certificates in the following store’, click ‘Browse’ and then choose ‘Trusted Root Certification Authorities‘.
For Firefox, you choose the link “Add an exception”. Click ‘Get Certificate” and then “Confirm Security Exception”.
CONFIGURE ADOBE READER OR ADOBE ACROBAT
- Choose the menu option Advanced->Security Settings
- Highlight “Adobe LiveCycle Rights Management Servers” and click ‘New’
- Put something useful in the name field such as “Test Adobe RM”.
The Server Name should be the fully resolvable DNS name of your server, or that of the Reverse Proxy.
- Change port from 443 to the SSL port of the appserver instance that hosts LiveCycle. This can also be the port on which SSL is configured for the Reverse Proxy (usually 443). In our example, it is 9443.
- Click “Connect to this Server”
CONFIGURE BASE URL FOR POLICIES
Login to the LiveCycle AdminUI. Navigate to Services->LiveCycle Rights Management->Configuration->Server Configuration. Change the ‘Base URL’ to a valid URL such as https://lces2.adobe.com:9443. This URL is a CRITICAL part configuration. If this URL becomes invalid at a later time due to domain registration expiry, corporate acquisitions, server certificate expiry etc, all of the documents published up to that point with this URL will be become totally useless.
Cheers,
Vipin

Problem with adobe livecycle rights management es2 extension for microsoft office

occurs several times an error message in Microsoft Office Excel that says it has experienced a problem with the complement of adobe livecycle rights management es2 extension for microsoft office if the message has appeared several times should disable the add and check for an update.
will refer to this error? as it has sought to upgrade and there is no error and remains not only to excel but also for word.
thanks in advance

Currently, the Rights Management ES Extensions for Microsoft Office plugin is only supported on English, French, Geman and Japanese versions of Office.
http://help.adobe.com/en_US/livecycle/8.2/lcrmext_releasenotes.htm#DocumentationSet
Steve

Emc IRM client (electronic pdf rights management) using problem

Hello,
in our business we receive and print pdf files with electronic rights
the supplier asked us to use this software
http://www.emc.com/enterprise-content-management/information-rights-management.htm#!downlo ad_software
IRM Client for PDF adobe reader 11
Problem:
we have a terminalserver windows 2008 and thinclients
the a.m. software adds a new menue into the adobe reader called rights
If I click on it, I get the error: "error on server - failed while saving file"
This software nvever runs beofre on this server.
Do you have an idea about solving this problem?
My next idea: downgrading to older adobe reader version (do you know a good source?)
thank you in adnvace!

Sorry, I don't know the answer to your problem.
But older Reader versions can be downloaded from the Adobe FTP site ftp://ftp.adobe.com/pub/adobe/reader/win/

Microsoft Office has detected a problem with your Information Right Management configuration.

Hi , I have a Windows Server 2012 RMS Cluster with Cryptograph Version 1 and trusted public certificates. I am using AD RMS at the moment with Exchange and it works fine via Outlook Webapp and client workstations.
I have a Windows 2008R2 Terminal Server which has Office2010 Pro Plus 32bit edition that cannot use ADRMS. The Windows Firewall is turned off on all profiles. The images below show some of the errors that
are being presented on the terminal server.
1.This image . When I reboot the server , the first message states , retrieving rights management url and then the error message pops up.
2.When I try and protect a word document: A prompt pops up to sing in with a Windows Live ID or Use a Microsoft Account.
3.The image below is the output from IRM Check. As you can see there is a warning about Office and there are no user or
machines certificates.
Sean

Hi Sean -
In my experience, this error occurs when the client cannot contact the AD RMS server. Can you confirm that the computer is domain-joined and you have registered the Service Connection Point? This the default way the user finds its RMS cluster.
You can also direct the client using registry keys.
I also recommend trying to reach the licensing/certification pipelines directly using Internet Explorer to confirm you have connectivity from the client to the RMS server. Open IE and navigate to
https://adrmsurl.com/_wmcs/certification/certification.asmx and confirm you do not receive an error.
I hope that helps,
Micah LaNasa
Synergy Advisors
synergyadvisors.biz

Solution Manager Learning Map http error 403

Hi,
I created a new learning map in solution manager using solar_learning_map, when I attempted to display the learning map in the web browser i received the following error.
<i><URL> call was terminated because the corresponding service is not available.
The termination occurred in system ISD with error code 403 and for the reason Forbidden.
The selected virtual host was 0 .</i>
If anyone else has experienced this error before can you please give me some guidance on resolving this issue.

The Note exists in service marketplace. (Topic is Inactive services in the Internet Comm Framework).Here is the solution as per the Note.
Solution
Listed below are some services that must be activated in the system
depending on the operational scenario:
Support for the Internet protocol (HTTP, HTTPS and SMTP) in the SAP Web Application Server
/default_host/sap/public/icman
Note: After you have installed SAP Web Application Server, you must ensure that this service is activated in transaction SICF. Through this the ICMan process can (for example) make decisions concerning the distribution of HTTP requests to the corresponding server.
Using load distribution
with the message server
/default_host/sap/public/icf_info
/default_host/sap/public/icf_info/logon_groups
/default_host/sap/public/icf_info/urlprefix
with the Web Dispatcher
/default_host/sap/public/icf_info
/default_host/sap/public/icf_info/icr_groups
/default_host/sap/public/icf_info/icr_urlprefix
Using Business Server Pages (BSP)
/default_host/sap/bc/bsp/sap
/default_host/sap/bc/bsp/sap/system
/default_host/sap/bc/bsp/sap/public/bc
/default_host/sap/public/bc (available for 620 with Support Package 34)
/default_host/sap/public/bc/ur (available for 620 with Support Package34)
/default_host/sap/public/bsp/sap/public
/default_host/sap/public/bsp/sap/public/bc
/default_host/sap/public/bsp/sap/system
/default_host/sap/public/bsp/sap/htmlb (as of Release 620 Support Package SAPKB62026)
Note: In addition to these general BSP services, you still have to activate the corresponding application services in the ICF tree. The service for the application is generally found under the ICF node /default_host/sap/bc/bsp/sap/<application>.
Using the BSP logon procedure
/default_host/sap/public/bsp/sap
/default_host/sap/bc/bsp/sap/system
/default_host/sap/public/bsp/sap/public
/default_host/sap/public/bsp/sap/system
BSP test applications for troubleshooting
/default_host/sap/bc/bsp/sap/it00
/default_host/sap/bc/bsp/sap/sbspext_htmlb
/default_host/sap/bc/bsp/sap/sbspext_xhtmlb
/default_host/sap/bc/bsp/sap/htmlb_samples
As of Release 6.30:
/default_host/sap/bc/bsp/sap/bsp_verificatio
Using Business Information Warehouse (BW)
/default_host/sap/bw
Web Applications
/default_host/sap/bw/BEx
/default_host/sap/bw/Mime
Reporting agent preliminary calculation
/default_host/sap/bw/ps
Drag and Relate in the portal
/default_host/sap/bw/dr
Data access using XMLA
/default_host/sap/bw/xml and all subordinate subservices
Document integration in the BEx Analyzer and Web Applications.
/default_host/sap/bw/doc and all subordinate subservices
Formatted reporting
/default_host/sap/bw/ce_url
Assignment of SAP icons
/default_host/sap/public/bc
/default_host/sap/public/bc/icons
/default_host/sap/public/bc/icons_rtl
/default_host/sap/public/bc/webicons
/default_host/sap/public/bc/pictograms
Assignment of Web Dynpro ABAP (WDA) applications
/default_host/sap/bc/webdynpro
/default_host/sap/public/bc
/default_host/sap/public/bc/ur
/default_host/sap/public/bc/icons
/default_host/sap/public/bc/icons_rtl
/default_host/sap/public/bc/webicons
/default_host/sap/public/bc/pictograms
/default_host/sap/public/bc/webdynpro/* (ssr, mimes, and so on)
/default_host/sap/public/myssocntl
Note: In addition to these general WDA services, the corresponding application services in the ICF tree also need to be activated. The service for the application is generally found under the ICF node /default_host/sap/bc/webdynpro/sap/<application>.
Assignment of Web Dynpro ABAP (WDA) development environment
/default_host/sap/bc/webdynpro/sap/public/bc/viewdesigner/
/default_host/sap/bc/wdvd/
/default_host/sap/bc/webdynpro/sap/configure_application
/default_host/sap/bc/webdynpro/sap/configure_component
/default_host/sap/bc/webdynpro/sap/wd_analyze_config_appl
/default_host/sap/bc/webdynpro/sap/wd_analyze_config_comp
/default_host/sap/bc/webdynpro/sap/wd_analyze_config_user
Note: These ICF nodes are used for the WDA configuration editor ONLY. The nodes are only allowed to be active in a development system, and under no circumstances in a production system (due to a security risk).
WDA test applications for troubleshooting
/default_host/sap/bc/webdynpro/sap/wdr_test_events
/default_host/sap/bc/webdynpro/sap/wdr_test_ui_elements
/default_host/sap/bc/webdynpro/sap/wdr_test_table
/default_host/sap/bc/webdynpro/sap/wdr_test_popups_rt
ICF test applications:
/default_host/sap/bc/echo
Among other things, this service returns information about the registration procedure being used, the header and form fields, and the generated SSO cookie for the executed request. Therefore, this service should only be activated for troubleshooting purposes.
/default_host/sap/bc/error
This service generates some error situations in the system and should only be activated for troubleshooting purposes.
/default_host/sap/bc/srt/xip/sap
You want to fix the Web service error message "Could not determine WSDL address (ICF_ERROR), SRT_REG038" in connection with XI services.
Using Support Package SAPKB62006, the following problems were solved in connection with inactive services:
The "RAISE_EXCEPTION" ABAP runtime error no longer occurs for an inactive host.
The error text "Forbidden" was replaced with "Service is not active" for an inactive service.
Thanks
Sudhan Shan

Some Smaller Problems concerning HTTP-Server and iSQL*PLUS

Hi!
System: WIN2K, ORA 9.0.0.1
1. Problem: With HTTP-Server launched by ORACLE at System Start
can not connect to DB via iSQL*Plus, message: ORA-12638 (german
message:"Abruf des Berechtigungsnachweis misslungen") Credential
retrieval failed. Does no longer occur when shutting down
service and relaunching Apache manually. Why?
2. HTTP Server dies instantly when accidentially sending /*
somewhere in SQL-Statement or alone via iSQL*Plus (in SQL*Plus
Window /* starts DOC-Mode without chance to end DOC-mode with #)
Can anyone help? Thank you!
TIP: Manipulating Database via iSQL*Plus on a Eudora-Browser
with IR Cellular impresses every Boss! :-)

Hello CJ
1st of all: Thank you for your answer!
What privilege iSQL*Plus connection are you trying make?Tried as normal user and as sysdba. Both works well with Apache
in Console, both doesn4t work with Apache as a Service started
(even if there is a 2nd Apache started in Console window)
Can you connect as a normal user
if you specify a full DB connection string? By full connection
string I mean the "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS...)))"
etc. syntax commonly seen in tnsnames.ora. No! Error "SP2-0306 Invalid Option" occurs.
that the problem also occurs in the old GUI (non-web version)
version of SQL*Plus?Right! Typing DOC means entering (now unsupported) DOC Mode
(DOC> Prompt) return to SQL> with #. Typing /* gets you into DOC-
Mode but you can4t leave with #. (SQL*Plus userguide and
reference Part F Obsolete Commands)
In iSQL*Plus (web based version) typing /* caused apache to die
(on console!! as service as I mentioned: no connection ).
Somehow problem no longer occurs. (Miracle?)
3. Your Palm efforts sound neat! Can you share with the forum
how usable it is? Are there any configuration tricks
you found?No tricks needed, I just started a connection to a local
Provider via IR and Nokia Cellular. Connected to DB via
iSQL*Plus using Eudora-Browser, logged in as sysdba and shutdown
DB and started it again. Looked at some v$-views, killed a
session or two had a good time and impressed everyone. Decide
for yourself if this could be useful. Might be helpful for
remote troubleshooting during holidays so don4t tell your boss
about it.
(Did anyone try this on Windows CE? Like to know!)
Dominic

SQL Server 2012 Reporting Services Report Manager using non-HTTPS URLs on part of site

For potential ease of understanding, I am seeing the same issue as this person
here.
Currently, my site is successfully using HTTPS in all areas of the /Reports site, with a single exception. If you drill down to a report and go to "Manage", the following links are all http://, not https://:
Parameters
Data Sources
Subscriptions
Processing Options
Cache Refresh Options
Report History
Snapshot Options
Security
These remain regardless of the configuration combinations I enter in Reporting Services Configuration Manager. I'm not sure what makes this part of Report Manager special. Even if I only enable https in the Report Manager URL settings, these links all stay
as http (port 80). I can find no references in config files to this.
Any assistance is welcome. Obviously having non-encrypted links is not acceptable.

Hi SteveKSM,
According to your description, you specify the report manager URL as https://. When you open the child items on report manager, the URL change to the http://.
In your scenario, since you want to set SSRS to require all SSL connections, you need to change the SecureConnectionLevel value to 3 in RSReportServer.config file (located in C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer).
It means that all communication must use secure connections. So please specify this attribute like below:
<Add Key="SecureConnectionLevel" Value="3"/>
Reference:
Configuring the Report Server for SSL Communication and Internet Deployment:
https://msdn.microsoft.com/en-us/library/cc304416.aspx
Report Manager Links with SSL
If you have any question, please feel free to ask.
Best regards,
Qiuyun Yu
Qiuyun Yu
TechNet Community Support

Haveing problems with Safari. It gives me an error message. Safari can't open the web page, because it can't establish a secure connection to the server. It only seams to have a problem on https sites. Any help would be apreciated.

Safari keeps giving and error message. " Safari can't open the web page( insert web page here) , because it can't establish a secure connetion to the server.
It only seams to have a problem with https sites.
Any help would be appreciated

The "s" in "https" indicates the site is a secure server--usually a site that will require a password. Connections to secure servers can be blocked by parental controls. Are you using any parental controls, either through OSX's settings (in System Preferences) or third party parental control software (such as Netnanny)? If so, check the settings to make sure they will allow the connection.

Problem redirecting HTTPS trafic using WCCP on a Cisco 6509

Hi
I am implementing af Ironport web scanning solution in a current network and i have som problems with HTTPS trafic.
I am using the following command.
ip wccp 70 group-list 9 password xxx accelerated
interface Vlan2
ip wccp 70 redirect in
access-list 9 permit <Ironport IP>
on the Ironport the "Dynamic service ID" of 70 is configuret to accept port 80 and 443 but i only recive port 80 trafic, but if i use windows proxy settings to direct the trafik i recieve trafic from both ports.
So i think the problem is in my WCCP configuration.

Can you reset the WCCP session between the Ironport and the 6K, SPAN the interface where the Ironport is connected, re-establish the WCCP session and collect the captures in pcap format, then upload them?!
Can you get the show ip wccp commands from the 6K to check the WCCP status?

ACE : Stickyness problem with http cookies

Hi,
I am facing a serious problem with stickyness in a e-commerce configuration.
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
     sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTP
          sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTPS
     serverfarm host ECOM_FARM_TEST_HTTP
       description *** e-Commerce Test Server Farm ***
       probe ECOM_PROBE_TEST
       rserver HQCHECOM01 80
        inservice
       rserver HQCHECOM02 80
        inservice
         serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE perform another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
Thank you for any hints,
Yves

Hi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849   for the server HQCHECOM01
R105852786   for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695   for the server HQCHECOM01
R357158616   for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
   inservice
rserver HQCHECOM02 80
   inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
   inservice
rserver HQCHECOM02 443
   inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...

Problem custom HTTP Protocol

Hello
I have a ISA Server 2006 Enterprise SP1.
I created a rule with a custom HTTP protocol (HTTP-Custom outbound TCP 80).
But when I monitoring logging, my users are acessing internet via another rule.
If I remove HTTP-Custom and include HTTP protocol, the users access internet via this rule.
This is a bug? Is there a fix?
Regards,
Marcos

Hi
That's exactly what I did, but ISA bypass the rule.
ID
Name
Protocol
From
To
User
1
Allow Custom HTTP
HTTP-Custom (Outbound TCP 80)
Internal
*.contoso.com
All Users
2
Deny
HTTP
Internal
*.contoso.com
All Users
ISA Server ignores the rule 1, traffic always is blocked by rule 2.
Thanks,
Marcos

Office 2013 Rights Management Services??

I am trying to make a powerpoint file I have created in Office 2013 (on Windows 7 64 bit) a read-only file so that presenters cannot change content, but can still view and present the file normally.
This was very easy to do with previous versions of Office, but in 2013 I am asked to sign in to "Rights Management Services" using my live ID. I have no problem with that, but it has not worked for me yet - I get the following error:
Any advice or help would be much appreciated!
A couple notes: I can still encrypt with a password, but this would not allow presenters to open, view and present the file without the password.

Hi Dan,
It seems that PowerPoint doesn't have Restrict Editing option available as described here: https://support.office.com/en-us/article/Protect-your-document-workbook-or-presentation-with-passwords-permission-and-other-restrictions-05084cc3-300d-4c1a-8416-38d3e37d6826?ui=en-US&rs=en-US&ad=US
So the only option I see to complete your scenario is to use RMS - Rights Management Servers. However RMS can be installed as on-premises service, so you have to deploy and configure AD RMS server (it is not easy as it requires certificates, SQL, designing,
etc).
You can other options as weel - for example use Office 365 E3 or E4 licences. Those include Azure RMS subscription. If you have such license assigned to your user account, once you get prompt for credentials - type your O365 user credentials.
Another option is to use RMS for individuals. Go to the page http://aka.ms/rms and register your private account to use RMS and then you would be able to sign in to RMS Service with your private e-mail account. Be advised that not all private e-mail domains
are supported. For example you will not be able to register your @gmail.com or @hotmail.com account...
Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

LiveCycle Rights Management questions

1. When user is authenticated (via LDAP), then during policy creation process, at the "Add User or Group" page [https://aps8:8443/edc/UserGroupSearchWizard.do ], unable to find any users or groups. Any ideas what the problem is? From the adminui page [https://aps8:8443/adminui/secured/admin.faces] find users and group is not a problem.
2. When trying to open a policy (policy on LC8) enabled pdf from Acrobat 8.x, I get this Acrobat Security error. "You are attempting to connect to an Adobe LiveCycle Policy Server using an insecure protocol (http). The connection attemp has been cancelled. Use the https protocol instead..."
I have been using the same PC and openning policy (policy on LC7) enable pdf without such error. How to resolve this error.
3. How can I disable http and use only https for LC8 adminui and Rights Management pages?
Thanks!

Problems above solved for now.
But still getting log-in problem (user account can not log-in) to LC Rights Manamagent page with user accounts that have multiple LC Rights Management roles.

Rights Management problem (http / https)

Similar Messages

Maybe you are looking for