Secure login (T3S)- and subsequent switch to T3?

We have a fat java client, EJB application.
We want to secure our login against packet sniffer-type attackes.
1. When I create a T3S connection- is the INITIAL message, containing
username/password, encrypted?
2. If it IS- we then want to switch back to a T3 connection, as
our server probably won't support T3S for ALL app data. Having got a
T3S connection, can I switch OFF the encryption? (If I then create
a T3 connection, our problem reappears- I have to send the password
over the network in such a way that it can be sniffed).
Thanks
Gavin GJ

Similar Messages

Secure Login Client and Java

Hi All,
We are having a project to implement NW SSO for NWBC for HTML, Citrix XenApp will be used as the desktop environment. The requirement is that no Java allowed to be installed on the web browser.
According to PAM, Secure Login Client is not support Microsoft Application Virtualization (App-V), so how can we deploy the Secure Login Client to Citrix environment?
If we want to use Secure Login Web Client instead of Secure Login Client, does Secure Login Web Client requires Java installed on users' web browsers? In the latest Secure Login implementation guide (SSO 2.0), it does not mentioned anything about Java runtime. However, because as far as I understand, Secure Login Web Client is a feature of Secure Login Server, while Secure Login Server is pure Java application, I suspect that Secure Login Web Client also require Java runtime to run. Is that true?
Best regards,
Duy

Hello Duy,
The Product Availability Matrix states that Secure Login Web Client needs a Java runtime in the browser. See the footer of the Secure Login Web Client pages for Windows and Linux/MAC OS browser platform support. It says the following:
For Windows: SupportedJava Runtime: Oracle (Sun) JSE 6, 7 and8, 32bit
For Linux/MAC OS: Supported Java Runtime: Oracle (Sun) JSE 6.0 and7.0, 32bit/64bit depending on browser
Best regards,
Martin

Secure login to remote UNIX host and run a shell script

Hi I am new to JAVA. I want to login to remote UNIX host from my application secure login (SSH) and run a shell script reside that remote host. Can any one let me know the way how to do it. If possible provide the code example.

Runtime.exec with an ssh command (not really recommended).
Much better, an SSH API (JSch, which needs JZlib, from http://www.jcraft.com/ is a good one).

Private Login Section and internal work order Information

H All,
I’d like to create a section on my corporate site where our engineers can login and update customer folders with recent work order information.
I use DW about twice a year so it always feels like I’m starting over each time.
Anyhow, if someone can point me in the direction of creating a private login screen and subsequent pages / forms, for creating such a section, I would greatly appreciate it.
Thanks

Not offended....I understand, and most of the time I AM in over my head,
but I always seem to simplify it enough to get it to work.
Looking for something really basic... simple directory scheme locked away
1.      I would just like to create a simple login screen
2.      Revealing a page with customer names
3.      Click on a name and view previous forms or enter work order info. (what the engineer encountered / fixed - that's about it)
I figure I can even do the basic form with something like a viewable/editable pdf file or LiveCycle or equivalent.
I just really need to make sure it is private so the customer can’t just add forward-slash “/their name” to the end of my service page and get in.

Secure Login library

Hi All,
I want to implement single sign on using secure login. Secure login provides 3 components: secure login server,secure login library and secure login client.
In installation guide it says that it is not necessary to install all components.This depends upon the use case scenarios.
In my case it will be active directory using kerberos technology. So I have to install login library and login client. or any one of them.
Please let me know.
Regards,
Josh

Hi,
please do the below steps
Step1: Install SAP library on your local P.C.
Step 2: Configure the sapdoc.ini
Configure file sapdoc.ini with the entry as shown. This file exists on C:\Windows. If it is not found, create it using your favorite text editor.
HtmlHelpFilePath-EN=<C:\Program Files\SAP\SAP ERP Central Component 5.0 English\HELPDATA\EN> : Path of SAP help where you installed it on your P.C.
u2014-
Step3: logon to sap dev system
            u2013> Execute the tcode SR13
            u2013> Click on the tab HtmlHelp file
            u2013 >Click on New entries Enter variant name (ECC5 if u r using SAP ECC5)
            -->Platform =Win32 if you are using xp
            -->Area =IWBHELP
            -->Path = http://help.sap.com Or path of the your server where SAP library is installed.
             Save it. Request Dialog prompts you to create request. Create Request.
            Transport the request to Quality & Production.
Note: Entries in the file sapdoc.ini overwrites the settings present in SR13, if SAP library is not available on your local
system, it starts from central location.
Do you want more details for this issue please find below link
http://www.scribd.com/doc/6213550/How-to-Setup-Sap-Library
Regards,
K.Ramamoorthy

Export/import login server and user grup security

Hi,
I followed the instructions to export Login server, user group
security using the ssoexp.csh, secexp.csh. Then I imported the
login server, and user group security using the ssoimp.csh,
secimp.csh .
I then logged into Portal and check the users, all the users are
imported properly. However, I didn't see any group that are
supposed to be imported. Do I missing anything?
The syntax to run the secimp is as follows:
secimp.csh -s portal30 -p portal30 -o portal30 -m reuse -d
sec.dmp -c target_database
The import finished w/o error. How can I see the groups in the
new portal instance that I tried to import objects in?
I noticed that the wwsec_group$ in the source area is over 3000,
and in the target the count is only 10, which is the number of
group I have before the import. But during the export, I don't
see the wwsec_group$ table being exported, is that the problem?
P.S. versions are: 9iAS 1.0.2, portal version 3.0.9.8 on solaris.
Thanks;
Kelly.

This question is best suited to the Oracle9iAS SSO and Portal Security forum.
Thanks

Why are deleted user accounts showing up in login window and fast user switching menu?

There are several old user accounts, just test accounts when I was studying for ACSA that I deleted, which continue to show up in the login window and the fast user switcher menu. I deleted them before upgrading to Lion (I think it was before). The accounts do not exsist in the /Users folder, nor even the /Users/Deleated Users folder. Additionally they do not show up in the list of users in System Preferences. Can anyone give some advice on how to remove these "ghost" accounts from the login window and drop down menu?
Thanks
dc

Hi. Thanks for the link. Sorry it took me a while to get to this, the problem is not a show stopper, so to speak, so tried your advice when I had the time. Unfortunatly it did not work. Any other suggestions? Thanks.

Secure Login and trust between BO/BW

Hi.
We configured server-side trust between BO and BW using libsapcrypto library. All works fine.
Now we installing Secure Login (SAP NetWeaver Single Sign-On) for SSO from SAP GUI based on Kerberos token. To configure Secure Login we need to modify profile parameters like
snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
snc/gssapi_lib=/sapmnt/QBW/exe/libsapcrypto.so
which were in use by server-side trust between BO and BW. So when we modify them like in installation guide for Secure Login to this:
snc/identity/as=p:CN=SAP/[email protected]
snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
we can use SAP GUI SSO to BW but can't run reports from BO since we broke server-side trust.
We tried many different variations of using these two libraries (including fully regenerating certificates both on BW and BO for server-side trust) but they all failed.
Any suggestions of how we can activate SAP NetWeaver Single Sign-On on our BW systems, without breaking server-side trust between BW and BO?
Thanks in advance
wbr
Stanislav

Thanks, but this problem was resolved. Frane was very helpfull in solving this problem, but it was beyond the forum.
He described the possibility of Secure Login Client that I did not know.
Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).
Secure Login Client is able to “rebuild” the required SPN Name (in your example p:CN=SAP/[email protected]).
This means if the X.509 certificate SNC name is p:CN=KerberosSSO à Secure Login Client will rebuild p:CN=SAP/[email protected]
This works also if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU
Maybe this solution integration is easier for You? You can use the transaction STRUST to create a self-signed certificate.
Thanks again, Frane.

Login Problems and General JSP Security Questions

I'm new to this, so I'm still not sure if I'm approaching this problem the right way. But after a user logs in with the correct username/password, I create a session attribute like so:
session.setAttribute("loggedIn", "true");
Now, inside of every other JSP page I make the following check before the user can continue:
<%
          String loggedIn = (String)(session.getAttribute("loggedIn"));
          if( loggedIn == null || !loggedIn.equals("true")) {
%>
               <jsp:forward page="../login.html" />
<%
%>
And to logout I simply set the attribute to false:
session.setAttribute("loggedIn", "false");
Unfortunately, this doesn't work very well. It seems to be very inconsistent. Does anyone know of a better, not-so-difficult, method to do this? Or do you see any problems with what I have?
Another thing, how do I prevent a user from accessing my JSP directory? For example, I have my JSPs stored in public_html/jsp directory, how do I prevent someone from simply visiting www.mysite.com/jsp without using the web.xml file?

I use sessions in this way without any problems, what are the inconsistencies??
You can protect folders with Tomcat security but it requires XML configuration.

Change login page and logout_url

I created with apex 2.1 a new login page.
How/where can I reset the login process to page 1 or page 101 ?
Where can I edit which page corresponds with LOGOUT_URL ?
In Shared Components > Security > Authentication Schemes > Change > Next
I can see which page corresponds at the moment, but I do not know where to change these settings
(Authentication schema is the default Application Express)
The string looks like:
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_se
ss=&APP_ID.:102

I just had a look at the documentation and realize it was slightly different back in 2.1.
You need to use the LOGOUT procedure rather than just setting it in shared components:
Here is the link to the documentation:
http://download.oracle.com/docs/cd/B25329_01/doc/appdev.102/b25309.pdf
If you search for the "LOGOUT Procedure" which part of the Oracle Application Express API's it gives an example of how it used.
There is also a procedure API for the login which can also be searched for under "LOGIN Procedure" and also has an example of how it can be used.
Thanks
Paul

Claims Based Authentication SPSecurityTokenService.Issue() failed: The security token username and password could not be validated.

Please excuse the lousy table...Its late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims based web application that authenticated to ADAM for Extranet. I have configured the servers exactly to MSDN and technet specs (following this spec to the
letter (
http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!! , which is a single server farm. However, it does not work in production. I get the following:
Claims Auth log entries:
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
f2ut
Verbose
Authenticated with login provider. Validating request security token.
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Using membership provider 'ADAMProvider'.
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Doing password check on '[email protected]'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Failed password check on '[email protected]'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Unexpected
Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security
token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
fo1t
Monitorable
SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password
could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
fsq7
High
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
8306
Critical
An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
f2un
Verbose
Form authentication failed.
I have tried EVERYTHING (well, nt everything, I don’t have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the apppool id correctly.
That’s not the case for me. It works in dev and the same id are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
The was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!

Hi.
You say its a multiserver farm, do you have more than one web server then?
If thats the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com

Secure login client is not working in VPN

Hi,
We have scenario where users connect to office network though VPN and access SSO. When users connect through VPN, users are not able to login in SLC and hence not receiving X.509 user certificate. It shows the following error when try to login in SLC.
"There are currently no logon servers available to service the logon request"
But the same SLC is working when users connect directly (ex LAN or WI-FI) to the network.
We have enabled secure login client trace and found the below errors in the trace when user is connected through VPN.
SLC trace file
[2014.04.23 14:23:24.531][ERROR][sbus.exe            ][BASE        ][ 6060] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056]     0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056]     0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' failed (user name is [email protected])
[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056]     0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056]     0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe            ][Kerberos    ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' failed (user name is [email protected])
[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe            ][Kerberos    ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:28:38.171][TRACE][sbus.exe            ][sbusslogin.d][ 6056] { CSecureLogin_Protocol_2_0::Send_DeleteSession
Anyone suggest us to fix this issue.
Regards,
Yogesh Kumar D

Hello,
which kind of VPN do you use?
Does this guarantee full network access to the domain servers?
Is the VPN network IPv4 or IPv6 based?
thanks for the information
best regards
Alexander Gimbel

Please Help! 10.6.8 Update and subsequent problems

On Friday, 2/10/2012, the Software Update popped up and informed me that new updates were ready to be installed on my MacBook Pro.
I clicked the update button and the updater installed the following updates:
iTunes v10.5.3
Security Update 2012-001 v1.1
MacBook Pro Video Update v1.0
Remote Desktop Client Update v3.5.2
Keynote 5.1.1 v5.1.1
Safari v5.1.2
Java for Mac OS X 10.6 Update 6 v6.0
Soon after installation Safari started crashing whenever I opened new tabs. I reset Safari and that problem went away.
I also run a Virtual Machine (Windows Vista imported from a Sony Vaio). The virtual machine has never had a problem and I used it on Thursday before the update and it worked fine. However, after the updates, I can no longer use the virtual machine. It has been corrupted. I get a message that says "Unable to Access Hard Drive 1: input/output error."
Then my whole Mac started running slow, especially Safari. In Safari, pages are slow to load and I get the spinning color wheel (or "beach ball," as I have heard it referred to) when I'm on any web page. Pages take long to load. After they load, I still get the spinning color wheel consistently.
Other programs are somewhat slower to load, as well, and when switching between open programs, there are delays and even more spinning color wheels and beach balls.
My computer has never had a problem until after I installed those updates.
I have repaired permissions and I have also re-donloaded the combo straight from the Apple website, but that did not work.
Is anyone else having this problem? Or has anyone else had this problem? What to do?
Thanks.
And, uhm, no- I did not have Time Machine set up, unfortunately.

Grant, thanks for the reply.
I have NOT been considering a new hard drive. My MacBook Pro is not even two years old, yet (I bought it in May 2010). So, the thought of having to replace my hard drive within 2 years has not even entered my mind and (as I stated) I only started having these problems within the past 2 weeks after having installed the latest updates via Software Update.
Really, if my Hard Drive needs to be replaced after less than 2 years of light use, then I will just chalk this up as a lesson learned and just not buy another Apple product and would probably just buy a Windows-based laptop rather than replace the HD in my MBP.
I am working on transferring my files (the ones that will still open and/or copy) to an external hard drive and doing a clean install of my OS X. I also am trying to figure out if I can somehow manage to save my pics that will not copy to the external hard drive but are saved on my iPad before I do so.
I'm not a computer or Mac genius by any stretch of the imagination, but I do appreciate your reply and advice. Unfortunately, I don't have any idea what it means to re-write a "wvwey block with a known-good pattern." Is that something I have to do manually? You stated that the option is in Disk Utility. Is "write zeroes" an option that you can select or is something you have to input manually? Can you break it down in simple terms for me or give me some step-by-step instructions or a link?
I apologize for my ignorance, but (again) I do appreciate your replay and advice as well as that of HackInt0sh.
Thanks.

How to pass login name and password

Hi all,
If this question has been asked before, please let me know, and I am sorry for duplicate the question raising.
I want to use the login name and password which are entered from the left frame(topic frame) in the right frame ( the content frame).
I have 3 jsp programs, "A.jsp" is for validate the login (name and password), "B.jsp" contains a form-submit to add the records to a database. "C.jsp" is the actual one which does the updating to the database.
Q1, how can I re-use the login name and password for "B.jsp" and "C.jsp"?
Q2, is there any security problem to do so?
your useful reply will give me a great help.
ths

or try here:
http://forum.java.sun.com/thread.jsp?forum=31&thread=308840
http://forum.java.sun.com/thread.jsp?forum=31&thread=295349

Secure login form as part of a not-secure page

I know how to make a login page secure via SSL, and I also know how to do a login box on the other application pages that aren't secure. What I can't find out how to do -- or if it is even possible -- is to make a secure (via SSL) login box on a page that otherwise is not downloaded via SSL. Does anyone know how this might be done? I don't want to just force the whole application page to go via https.
If this is possible there would have a way to tell the browser to include (via JSP include tag?) a page at a URL starting with https: inside a table box or something. I'm using JSF but would be willing to script at a low level if I knew which way to go.

Please search the net. It have your solution as i told earlier . Keyword you can use: secure ajax login
Excerpt from a page which also contain the source code of what said below.
1) You signal that you intend to log in by focussing on the username or password text box on the page.
2)The server then obtains a random number ("seed" in the code) for the transaction that will be used only for the current transaction, and once the transaction is complete, the seed is useless. (Note this means that if data is intercepted, it cannot be reconstructed to log in the user that was intercepted.)
3)Once you enter a username and password, the server md5 hashes your password, and then md5 hashes that hash with the seed, and sends thi to the server for authentication (along with your username and the id of the transaction).
4)The server compares the hash it recieved with the hash of the password hash stored in the database concatenated with the seed for the transaction given by the id from the client.
5)If these two hashes match, the user is logged in. Otherwise, the appropriate error message is sent back to the client.
i will not give you the link of above page. Better you find it yourself such pages.

Secure login (T3S)- and subsequent switch to T3?

Similar Messages

Maybe you are looking for