Security advice on mandatory access control

Hi,
i'm trying to optimize my arch setup and also want to improve my security so i came across the MAC-stuff and would like to hear your oppinion.
My usercase is normal browsing/coding/multimedia stuff so nothing so special.
I try to maintain my system with care and and only install/run stuff i really need and trust somehow.
Now reading the wiki i found articles about these MAC-solutions, but i couldn't figure out how much these could improve my system considering the fact,
i have to somehow configure all the stuff more or less. - Is it really worth dealing with them as a normal user and if yes, which one?
Unfortunately neither the wiki nor google helped me with general recommendations so i put my hope in your experiences
Greetings
Knusperkeks

I can only talk about tomoyo because I'm not familiar with other mac systems. My reason for choosing it was that everything needed was already on the repos.
brebs wrote:AppArmor files use a convenient BASH-like syntax, and can have common requirements grouped for easy specification.
Tomoyo's syntax can be a little tricky since it requires a good amount of escaping and it can get tiresome after a while so I guess apparmor might be easier in that regard. Tomoyo does allow you to make permission groups that you can use how many times you want, or you can specify it as global permissions, it all depends on how common certain things are.
I don't know about apparmor but tomoyo allows you to get into the nitty gritty details of what each program can do, up to the point where it can get tiresome. I didn't elaborate much on it in my last post because I don't want to discourage anyone from trying it or any other mac system.
With tomoyo you can specify if a program is allowed to read/write/unlink/truncate/rename files, mkdir/rmdir directories, which chmod values it can use, which values it can use with chown, if you allow it to use tcp/udp/unix sockets, which ioclts it can use, just to name a few common things that will show up in policy files.
Tomoyo can learn all this by recording what a program accesses, then you want to use an utility (tomoyo-patternize) to reduce the amount of rules. Many things can be reduced to a simple rule (image access to a program's config directory). This is where the trouble starts because the config file tomoyo-patternize uses is very bare. You will also find that you may need to take into account not only the program itself but also the toolkit it uses and other things like fontconfig.
One problem that might be common to both tomoyo and apparmor is that if a program's behavior changes slightly, then things will break in subtle ways and you will only find out when you are short on time and really need things to work, unless you are more lax where you allow programs to have free reign, and then you may be leaving some security whole open.
I'm not using tomoyo now but it can be a nice tool to use when you want to find out what a program is doing. Like I said in my previous post, pick the low hanging fruit first, there are other things that can be set and almost forgotten and will not break anything, then give mac a try and be sure to check regularly if you have to update the security policy.

Similar Messages

What is better for security? WPA2 or Access control

I have a Airport express and 2 computers; a Mac and a PC.
When it come to securing your wi-fi connection so you don't get unauthorized clients on your network.
What is better
A- Just using encryption like WPA2 or some other password based system or
B- Just entering the "Airport ID" (MAC) of the computers I want to authorize in my network on the Access control panel.
Seems to me like the later is easier on the clients since they don't need a password or anything, It's completely transparent for the client. And I believe encryption slows down the connection a bit and create overhead for the computer. But maybe I don't have the full picture of the situation.
Is there anybody who can illuminated this subject for me?
thanks
PowerBookG4 Mac OS X (10.3.9)

WPA2 is virtually uncrackable only really vulnerable if you use a real word as a password.
When using access control, MAC addresses are sent unecrypted can be read and spoofed and therefore do not add any security.
Unfortunately "Closed" networks, MAC access control lists, and reduction in transmission power are all more "feel good" security rather than real security. All these various approaches are dated and mistakenly lead to overconfidence.
WPA is your friend if you value wireless security.

[SOLVED] Setting up Mandatory Access Control (MAC)

Hi,
I know it's not the Arch way to ask for instructions but I am very new to Arch and I don't want to screw up the kernel.
From the wiki, I read that Arch has removed Apparmor as well as TOMOYO. I have googled high and low, but I cannot understand why this isn't a security hole. Arch only seems to be using Discretionary Access Control (DAC).
I looked up both Apparmor and TOMOYO in the wiki, but all the instructions pertain to kernels < 3.16, which I'm using.
Linux sim74stic 3.16.3-1-ARCH #1 SMP PREEMPT Wed Sep 17 21:54:13 CEST 2014 x86_64 GNU/Linux
The only options are to either build a custom kernel, which gets complicated for me as I would need to take care of NVIDIA drivers (I have laptop, hence I need to configure with Bumblebee), or to use linux-lts kernel, which is old.
Can anyone tell me if not using MAC is a security loophole, or point me in the right direction on how to install one if it is?
Last edited by prakharsingh95 (2014-10-06 21:27:49)

prakharsingh95 wrote:Can you elaborate on whether MAC is really needed
It's a really tough one as to whether MAC is really needed or not, and it's not something I really know that well
prakharsingh95 wrote:or is Arch secure enough (regular desktop usage) without it? If I can get away without it, I would rather stay away and enjoy my Arch installation, but I don't want to leave my PC unsecured either.
Any operating system is secure for regular day-to-day use, as long as you're careful (firewall, not clicking unknown links without research first etc). This includes Windows.
For both of your above questions, it depends on what your environment you're in. Because I'm surrounded by Ethical Hackers as part of what I do, I should really switch over to a hardened kernel, but I will also have to go to the trouble of configuring the user-space tools for it to be useful. That last sentence is important, because if you have SELinux compiled in, but not configured, you might as well not have it there.
prakharsingh95 wrote: Do I simply install this (linux-pax) from the AUR and it will automatically patch my kernel keeping my current modules or should I (can I?) modify the PKGBUILD for NVIDIA, Xorg and additionally add Apparmor?
Whilst the PKGBUILDs for linux-pax and linux from [core] look similar, they produce different packages with different results. As a result, you'll have to compile the nVidia modules for it. That's true for any (patched) kernel, be it CK, BFS, PaX, CK-PaX, TRESOR, etc.
If you're not up to writing your the modules, there's the nvidia-dkms package, which should be able to compile the nVidia modules for your system.
prakharsingh95 wrote:If it's that simple, can I simply get linux-selinux from the AUR and it will get me up and running with 3.14 + my modules + SELinux?
On paper, it is that simple, as long as you know how to build the modules you need. I'd use nvidia-dkms, but it's up to you on how you do this.
This is an example guide outlining the steps you could take to installing linux-selinux.
Last edited by clfarron4 (2014-10-06 13:42:43)

Link does not work for-End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4

Link does not work for
End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
How do we get Cisco to fix?
see attachment

Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.

OSB - ALSB / WLST / Security / add entry with WLST in Access Control

Hello,
I try to reproduce with WLST script the input from the consol to declare user on Access Control proxy (security).
sbconsol->$Proxy Service->Security->General Confiruration->Access Control->Transport Access Control->Add Conditions
* First implementation without success with the com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean : accessControlSecurity1()
* Second try with the service definition of the proxy service but cannot parse with Xpath accessControl Security2()
any idee ???
test case :
prerequisit
create an ALSB domain 10.3 (admin one with username='weblogic' password='weblogic' url='t3://localhost:7001') and create a proxy service on the default project
conf/setEnv.cmd
@CLS
@echo ON
@set BEA_HOME=D:\PRODUCT\MIDDLEWARE\SOA\OSB_10.3
@set WL_HOME=%BEA_HOME%\wlserver_10.3
@set OSB_HOME=%BEA_HOME%\osb_10.3
@set SCRIPTING_HOME=E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security
@set OSB_LIB=%OSB_HOME%/lib/sb-kernel-api.jar;%BEA_HOME%/modules/com.bea.alsb.statistics_1.0.1.0.jar;%OSB_HOME%/lib/sb-kernel-resources.jar;%OSB_HOME%/lib/sb-kernel-common.jar;%OSB_HOME%/lib/sb-kernel-impl.jar;%OSB_HOME%\lib\sb-security.jar;%OSB_HOME%/modules/com.bea.common.configfwk_1.3.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.1.0.jar;%OSB_HOME%/lib/modules/com.bea.alsb.resources.archive.jar;
@set TOOL_LIB=%SCRIPTING_HOME%\lib\log4j-1.2.15.jar;%SCRIPTING_HOME%\lib\jsch-0.1.43.jar;%SCRIPTING_HOME%\lib\db2jcc.jar
@set CLASSPATH=%OSB_LIB%;%TOOL_LIB%;%CLASSPATH%
@set CLASSPATH=%SCRIPTING_HOME%\lib\db2jcc.jar;%TOOL_LIB%;%CLASSPATH%
@set MODULE_LIB=%SCRIPTING_HOME%\lib
@call %WL_HOME%\server\bin\setWLSEnv.cmd > nul 2<&1
launch.cmd
@CLS
@echo OFF
@SETLOCAL
@call "conf\setEnv.cmd" > nul 2<&1
set PWD=%~dp0
%JAVA_HOME%\bin\java -Dmodule.lib=%MODULE_LIB% weblogic.WLST -skipWLSModuleScanning lib/security.py
lib/security.py
from com.bea.wli.monitoring import StatisticType
from java.util import HashMap
from java.util import HashSet
from java.util import ArrayList
from java.util import Collections
from java.io import FileInputStream
from java.io import FileOutputStream
from java.lang import String
from java.lang import Boolean
from com.bea.wli.sb.util import EnvValueTypes
from com.bea.wli.config.env import EnvValueQuery;
from com.bea.wli.config import Ref
from com.bea.wli.config.customization import Customization
from com.bea.wli.config.customization import EnvValueCustomization
from com.bea.wli.config.customization import FindAndReplaceCustomization
from com.bea.wli.sb.management.configuration import SessionManagementMBean
from com.bea.wli.sb.management.configuration import ALSBConfigurationMBean
from com.bea.wli.sb.management.query import BusinessServiceQuery
from com.bea.wli.sb.management.query import ProxyServiceQuery
from com.bea.wli.sb.management.configuration import ServiceConfigurationMBean
import os
# before, create an ALSB domain 10.3 with a proxy service in the default project and add an Acces Control Policy in the consol
# sbconsol->Project Explorer->default->${proxy service}->Security->Access Control->Create Session->Add Conditions->User->USR_1->Add
# when we try to modify the Acces Control Policy of the proxy service with the ServiceSecurityConfigurationMBean
def accessControlSecurity1( domain_name ):
 # connection
 print "\n\n\n***********************************************************************************************"
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get the ServiceSecurityConfigurationMBean
 serviceSecurityConfigurationMBean = findService(String("ServiceSecurityConfiguration.").concat(sessionName), "com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean")
 # get the XACMLAuthorizer
 working_directory=pwd()
 serverConfig()
 xacmlAuthorizer = cd('/SecurityConfiguration/%s/Realms/myrealm/Authorizers/XACMLAuthorizer' % domain_name )
 cd(working_directory)
 domainRuntime()
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 # use the security Mbean to add : USER_A,USER_B,USER_C to the policy
 policyHolder = serviceSecurityConfigurationMBean.newAccessControlPolicyHolderInstance(xacmlAuthorizer)
 policyHolder.setPolicyExpression("Usr(USER_A,USER_B,USER_C)")
 policyScope = serviceSecurityConfigurationMBean.newDefaultMessagePolicyScope(ref)
 serviceSecurityConfigurationMBean.setAccessControlPolicy(policyScope,policyHolder)
 # print the service definition
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 print serviceDefinition
 # we can see the security entry in the service definition has follow
 # <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
 # <ser:coreEntry isProxy="true" isEnabled="true" isAutoPublish="false">
 # <ser:description/>
 # <ser:security>
 # <con:access-control-policies xmlns:con="http://www.bea.com/wli/sb/services/security/config">
 # <con:message-level-policies>
 # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
 # </con:policy>
 # </con1:default-policy>
 # </con:message-level-policies>
 # </con:access-control-policies>
 # </ser:security>
 # but when we commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 # we got the following exception
 # Unexpected error: com.bea.wli.config.session.SessionConflictException
 # No stack trace available.
 # Problem invoking WLST - Traceback (innermost last):
 # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 246, in ?
 # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 105, in accessControlSecurity1
 # com.bea.wli.config.session.SessionConflictException: Conflicts for session SessionScript1363339726764
 # [Non-Critical] Concurrent Modification Conflicts
 # NONE
 # [Critical] Resources with validation errors
 # 1 - ProxyService test/PS_TEST_bis CannotCommit
 # + CannotCommit [OSB Security:386836]Unnecessary proxy wide message access control policy found for service "test/PS_TEST_bis". Hint: The service is neither an active security
 # intermediary nor has custom authentication enabled. ServiceDiagnosticLocation[SECURITY_TAB]:DiagnosticLocation:<con:message-level-policies xmlns:ser="http://www.bea.com/wli/sb/services" xml
 # ns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:con="http://www.bea.com/wli/sb/services/security/config">
 # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/
 # config">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
 # </con:policy>
 # </con1:default-policy>
 # </con:message-level-policies>
 # [Info] Informational messages
 # NONE
 # at com.bea.wli.config.session.SessionManager.commitSessionUnlocked(SessionManager.java:358)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:339)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:297)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:306)
 disconnect()
# when we try to modify the Acces Control Policy of the proxy service whith the service XML definition
def accessControlSecurity2( domain_name ):
 # connection
 print "\n\n\n***********************************************************************************************"
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 # parsing the proxy definition
 nsSer = "declare namespace ser='http://www.bea.com/wli/sb/services'"
 nsXsi = "declare namespace xsi='http://www.w3.org/2001/XMLSchema-instance'"
 nsTran = "declare namespace tran='http://www.bea.com/wli/sb/transports'"
 nsEnv = "declare namespace env='http://www.bea.com/wli/config/env'"
 nsCon = "declare namespace con='http://www.bea.com/wli/sb/services/security/config'"
 nsCon1 = "declare namespace con1='http://www.bea.com/wli/sb/services/security/config'"
 # when we try to parse the following Xpath Expression, it' working but not sufficent to access the <con:policy-expression> element
 confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy"
 confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
 print "WORKING{%s}" % confElem
 # get the result
 # <xml-fragment xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config" xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_1,USER_2,USER_3)</con:policy-expression>
 # </con:policy>
 # </xml-fragment>
 # and when we try to acces the <con:policy> element whith the following Xpath expression we got an empty result
 confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy/con:policy"
 confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
 print "DON'T WORKING{%s}" % confElem
 # get empty result
 # array([], org.apache.xmlbeans.XmlObject)
 # want to modify the value like this on the <con:policy-expression> but cannot reach it ...
 #confValue="Usr(USER_A,USER_B,USER_C)"
 #confElem.setStringValue(confValue)
 # commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 disconnect
# print the service definition
def printServiceDefinition( domain_name ):
 # connection
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 print serviceDefinition
 # commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 disconnect
#accessControlSecurity1('cluster_domain')
accessControlSecurity2('cluster_domain')

Hello,
I try to reproduce with WLST script the input from the consol to declare user on Access Control proxy (security).
sbconsol->$Proxy Service->Security->General Confiruration->Access Control->Transport Access Control->Add Conditions
* First implementation without success with the com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean : accessControlSecurity1()
* Second try with the service definition of the proxy service but cannot parse with Xpath accessControl Security2()
any idee ???
test case :
prerequisit
create an ALSB domain 10.3 (admin one with username='weblogic' password='weblogic' url='t3://localhost:7001') and create a proxy service on the default project
conf/setEnv.cmd
@CLS
@echo ON
@set BEA_HOME=D:\PRODUCT\MIDDLEWARE\SOA\OSB_10.3
@set WL_HOME=%BEA_HOME%\wlserver_10.3
@set OSB_HOME=%BEA_HOME%\osb_10.3
@set SCRIPTING_HOME=E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security
@set OSB_LIB=%OSB_HOME%/lib/sb-kernel-api.jar;%BEA_HOME%/modules/com.bea.alsb.statistics_1.0.1.0.jar;%OSB_HOME%/lib/sb-kernel-resources.jar;%OSB_HOME%/lib/sb-kernel-common.jar;%OSB_HOME%/lib/sb-kernel-impl.jar;%OSB_HOME%\lib\sb-security.jar;%OSB_HOME%/modules/com.bea.common.configfwk_1.3.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.0.0.jar;%BEA_HOME%/modules/com.bea.common.configfwk_1.2.1.0.jar;%OSB_HOME%/lib/modules/com.bea.alsb.resources.archive.jar;
@set TOOL_LIB=%SCRIPTING_HOME%\lib\log4j-1.2.15.jar;%SCRIPTING_HOME%\lib\jsch-0.1.43.jar;%SCRIPTING_HOME%\lib\db2jcc.jar
@set CLASSPATH=%OSB_LIB%;%TOOL_LIB%;%CLASSPATH%
@set CLASSPATH=%SCRIPTING_HOME%\lib\db2jcc.jar;%TOOL_LIB%;%CLASSPATH%
@set MODULE_LIB=%SCRIPTING_HOME%\lib
@call %WL_HOME%\server\bin\setWLSEnv.cmd > nul 2<&1
launch.cmd
@CLS
@echo OFF
@SETLOCAL
@call "conf\setEnv.cmd" > nul 2<&1
set PWD=%~dp0
%JAVA_HOME%\bin\java -Dmodule.lib=%MODULE_LIB% weblogic.WLST -skipWLSModuleScanning lib/security.py
lib/security.py
from com.bea.wli.monitoring import StatisticType
from java.util import HashMap
from java.util import HashSet
from java.util import ArrayList
from java.util import Collections
from java.io import FileInputStream
from java.io import FileOutputStream
from java.lang import String
from java.lang import Boolean
from com.bea.wli.sb.util import EnvValueTypes
from com.bea.wli.config.env import EnvValueQuery;
from com.bea.wli.config import Ref
from com.bea.wli.config.customization import Customization
from com.bea.wli.config.customization import EnvValueCustomization
from com.bea.wli.config.customization import FindAndReplaceCustomization
from com.bea.wli.sb.management.configuration import SessionManagementMBean
from com.bea.wli.sb.management.configuration import ALSBConfigurationMBean
from com.bea.wli.sb.management.query import BusinessServiceQuery
from com.bea.wli.sb.management.query import ProxyServiceQuery
from com.bea.wli.sb.management.configuration import ServiceConfigurationMBean
import os
# before, create an ALSB domain 10.3 with a proxy service in the default project and add an Acces Control Policy in the consol
# sbconsol->Project Explorer->default->${proxy service}->Security->Access Control->Create Session->Add Conditions->User->USR_1->Add
# when we try to modify the Acces Control Policy of the proxy service with the ServiceSecurityConfigurationMBean
def accessControlSecurity1( domain_name ):
 # connection
 print "\n\n\n***********************************************************************************************"
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get the ServiceSecurityConfigurationMBean
 serviceSecurityConfigurationMBean = findService(String("ServiceSecurityConfiguration.").concat(sessionName), "com.bea.wli.sb.security.management.configuration.ServiceSecurityConfigurationMBean")
 # get the XACMLAuthorizer
 working_directory=pwd()
 serverConfig()
 xacmlAuthorizer = cd('/SecurityConfiguration/%s/Realms/myrealm/Authorizers/XACMLAuthorizer' % domain_name )
 cd(working_directory)
 domainRuntime()
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 # use the security Mbean to add : USER_A,USER_B,USER_C to the policy
 policyHolder = serviceSecurityConfigurationMBean.newAccessControlPolicyHolderInstance(xacmlAuthorizer)
 policyHolder.setPolicyExpression("Usr(USER_A,USER_B,USER_C)")
 policyScope = serviceSecurityConfigurationMBean.newDefaultMessagePolicyScope(ref)
 serviceSecurityConfigurationMBean.setAccessControlPolicy(policyScope,policyHolder)
 # print the service definition
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 print serviceDefinition
 # we can see the security entry in the service definition has follow
 # <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
 # <ser:coreEntry isProxy="true" isEnabled="true" isAutoPublish="false">
 # <ser:description/>
 # <ser:security>
 # <con:access-control-policies xmlns:con="http://www.bea.com/wli/sb/services/security/config">
 # <con:message-level-policies>
 # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
 # </con:policy>
 # </con1:default-policy>
 # </con:message-level-policies>
 # </con:access-control-policies>
 # </ser:security>
 # but when we commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 # we got the following exception
 # Unexpected error: com.bea.wli.config.session.SessionConflictException
 # No stack trace available.
 # Problem invoking WLST - Traceback (innermost last):
 # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 246, in ?
 # File "E:\PROJETS\RECURANT\EDF\linky\WLST\WORKING\Security\lib\security.py", line 105, in accessControlSecurity1
 # com.bea.wli.config.session.SessionConflictException: Conflicts for session SessionScript1363339726764
 # [Non-Critical] Concurrent Modification Conflicts
 # NONE
 # [Critical] Resources with validation errors
 # 1 - ProxyService test/PS_TEST_bis CannotCommit
 # + CannotCommit [OSB Security:386836]Unnecessary proxy wide message access control policy found for service "test/PS_TEST_bis". Hint: The service is neither an active security
 # intermediary nor has custom authentication enabled. ServiceDiagnosticLocation[SECURITY_TAB]:DiagnosticLocation:<con:message-level-policies xmlns:ser="http://www.bea.com/wli/sb/services" xml
 # ns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:con="http://www.bea.com/wli/sb/services/security/config">
 # <con1:default-policy xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/
 # config">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_A,USER_B,USER_C)</con:policy-expression>
 # </con:policy>
 # </con1:default-policy>
 # </con:message-level-policies>
 # [Info] Informational messages
 # NONE
 # at com.bea.wli.config.session.SessionManager.commitSessionUnlocked(SessionManager.java:358)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:339)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:297)
 # at com.bea.wli.config.session.SessionManager.commitSession(SessionManager.java:306)
 disconnect()
# when we try to modify the Acces Control Policy of the proxy service whith the service XML definition
def accessControlSecurity2( domain_name ):
 # connection
 print "\n\n\n***********************************************************************************************"
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 # parsing the proxy definition
 nsSer = "declare namespace ser='http://www.bea.com/wli/sb/services'"
 nsXsi = "declare namespace xsi='http://www.w3.org/2001/XMLSchema-instance'"
 nsTran = "declare namespace tran='http://www.bea.com/wli/sb/transports'"
 nsEnv = "declare namespace env='http://www.bea.com/wli/config/env'"
 nsCon = "declare namespace con='http://www.bea.com/wli/sb/services/security/config'"
 nsCon1 = "declare namespace con1='http://www.bea.com/wli/sb/services/security/config'"
 # when we try to parse the following Xpath Expression, it' working but not sufficent to access the <con:policy-expression> element
 confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy"
 confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
 print "WORKING{%s}" % confElem
 # get the result
 # <xml-fragment xsi:type="con:ProviderPolicyContainerType" xmlns:con="http://www.bea.com/wli/sb/security/accesscontrol/config" xmlns:con1="http://www.bea.com/wli/sb/services/security/config" xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env">
 # <con:policy provider-id="XACMLAuthorizer">
 # <con:policy-expression>Usr(USER_1,USER_2,USER_3)</con:policy-expression>
 # </con:policy>
 # </xml-fragment>
 # and when we try to acces the <con:policy> element whith the following Xpath expression we got an empty result
 confPath = "ser:coreEntry/ser:security/con:access-control-policies/con1:transport-level-policy/con:policy"
 confElem = serviceDefinition.selectPath(nsSer + nsXsi + nsTran + nsEnv + nsCon + nsCon1 + confPath )
 print "DON'T WORKING{%s}" % confElem
 # get empty result
 # array([], org.apache.xmlbeans.XmlObject)
 # want to modify the value like this on the <con:policy-expression> but cannot reach it ...
 #confValue="Usr(USER_A,USER_B,USER_C)"
 #confElem.setStringValue(confValue)
 # commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 disconnect
# print the service definition
def printServiceDefinition( domain_name ):
 # connection
 connect( 'weblogic', 'weblogic', 't3://localhost:7001')
 domainRuntime()
 # create a session
 sessionName = String("SessionScript"+Long(System.currentTimeMillis()).toString())
 SessionMBean = findService( SessionManagementMBean.NAME ,SessionManagementMBean.TYPE)
 SessionMBean.createSession(sessionName)
 # get service ref
 ConfigurationMBean = findService(String("ALSBConfiguration.").concat(sessionName), "com.bea.wli.sb.management.configuration.ALSBConfigurationMBean")
 bsQuery = ProxyServiceQuery()
 bsQuery.setPath("default/*")
 refs = ConfigurationMBean.getRefs(bsQuery)
 for ref in refs:
 print 'ref=%s'%ref
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 servConfMBean = findService( "%s.%s" % (ServiceConfigurationMBean.NAME, sessionName), ServiceConfigurationMBean.TYPE)
 serviceDefinition = servConfMBean.getServiceDefinition(ref)
 print serviceDefinition
 # commit
 SessionMBean.activateSession(sessionName, "description for session activation")
 disconnect
#accessControlSecurity1('cluster_domain')
accessControlSecurity2('cluster_domain')

Cisco Secure Access Control Server Solution Engine OR Cisco Secure Access Server ?

Which product is really affected, the Cisco Secure Access Control Server Solution Engine which is a hardware applliance with software from 3.2 to 4.2 or the Cisco Secure Access Control Server Software appliance available for installing as a virtual machine into VMware ESX/ESXi 5.0 with 5.X software ?
Thank you for clarifying
Best regards
Marco

Hi Thomas,
You can download ACS for windows 4.1 or 4.2 from the below listed link:
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval
For ACS 5.x, please visit cisco.com
Download software > Security > Cisco Secure Access Control System 5.x > Secure Access Control System Software
HTH
Regards,
Jatin
Plz rate helpful posts-

Cisco Secure Access Control Server for Windows 3.0

I have to rebuild a server using Cisco Secure Access Control Server for Windows 3.0 ... I cannot locate this software under "download software" in cisco.com ..
where can I download a copy for Cisco Secure Access Control Server for Windows 3.0 ?

Hi,
You can not download the ACS windows Solution engines softwares from the cisco.com > download pages as these s/w are not available there. You can only download patches and remote agent software.
In order to get any ACS software/ upgrade assistance you need to open up a TAC case.
Also, ACS 3.0 is not supported by Cisco anymore..getting support for this version or any 3.x is not possible.
HTH
Regards,
JK

Access control for different user groups in APEX 4.0

Hi guys,
in Apex 4.0, is there any way to use the access control page to configure access control for different user groups?
The access control page currently only has an access control list by users with 3 privileges namely, Administrator, Edit & View where Administrator has the highest access level & View the lowest. Therefore 1 user cannot have more than 1 different privilege, however if the user belongs to 2 or more different groups then we can control what access he can have in a more fine grained manner. We also want to have more than the 3 privileges given.
Can we assign different groups to different users and let them have different privileges to be configured by page, region, process or item level?
Now Apex will create 2 tables, Apex_Access_Control & Apex_Access_Setup to store the application access control mode & access control list. It will also create 3 authorization schemes "access control - administrator", "access control - edit" & "access control - view" based on the 2 tables.
Does this mean we have to change the table structures & edit the authorization schemes to suit our usage? We are reluctant to do this because if we upgrade to a newer version of Apex then we would have to merge our pl/sql coding with Apex's updated code.
How can we auto-configure more than the 3 authorization schemes in the access control page? Is there any way to achieve a finer grain of access control based on the current access control administration page given by Apex without writing it ourselves?
We are afraid that we may have missed something on Apex access control & do not want to reinvent the wheel.

Hi Errol,
to build your own application authorization scheme around the security model supplied by Apex for administration of the Apex environment would be a bad idea.
This was never intended for authorization scheme management in custom built Apex applications, it was solely intended to control access in the Apex environment overall. The API for it is not published, and making changes to it, such as adding more roles, would run the risk of breaking the overall Apex security model. It would not be supported by Oracle and Oracle would not guarantee the upwards compatibility of any changes you make in future versions of Apex.
In short, you should follow Tyson's advice and build your own structure. As he indicated, there are plenty of examples around and provided your requirements are not too complicated, it will be relatively simple.
Regards
Andre

Authenticate users & Access Control

Hi All,
(First apologies if this is not the correct forum)
I'm hoping someone can give me a little help or advice on
options available to me.
Using flex2 I have built a fairly simple flash app that
currrently has two panels,
panel1- this presents data in a datagrid which connects to a
mysql4.x db via amfphp1.9.
panel2- this presents textinput boxes and a submit button
(data is submited via php script to the myqsl db)
NB: All my users authenticate via LDAP (novell edirectory)
& there are two kinds of users (Teachers & Students)
What I want to know is:
1- can I allow my users to login to the flash app via their
LDAP usernames? (if so how could I do this)
2- can I assign different rights to the users? (e.g. When a
teacher logs in they get access to view & input data, &
when a student logs in the ONLY have access to view data)
NB: I work in a school so I don't have the budget to buy CF,
FDS. I also do not want to use the userbase in the mysql db, as
this would then require me to maintain two userbases (e.g. LDAP
& MySQL) hence twice the workload.
Any help or suggestions to best approach this problem would
be greatly appreciated.
TIA
Danny

that was my instinct exactly, we do have an LDAP here however this application has a max of 3 users roughly with one as a supper-user, so im not sure if its worth using the LDAP API at present
i am tempted to build and access control page initially, however we are all new to APEX here and were a little worried about security issues mainly because of the nature of the information we are holding this time.
thanks for your thoughts on the matter
Sol

Mandatory Access Contol/ Trusted Labelling

Hi,
I cannot find this in the documentation anywhere but does anyone know if Oracle Server supports Manadory Access Control or Trusted Labelling) following the Bell La Padula model?
Our security consultant is assessing Oracle for a secure programme and this is a mandatory requirement but there is no mention of it in any documentation I can find.
Regards
Garnet

Hi there,
would Oracle Label Security satisfy your requirements?
Please check here:
http://www.oracle.com/technology/deploy/security/db_security/htdocs/ols.html
Good luck, Peter

How to allow multiple domains under Access-Control-Allow-Origin

Hi,
We have a domain where will get CORS request from another domain hosted on seperate DC. We can't set
Access-Control-Allow-Origin as * due to security concerns & IIS can't take more than 1 value at a time. Kindly suggest how to pass multiple httpheader for
Access-Control-Allow-Origin.
Regards,
Dhiraj

Hello Dhiraj,
This is not the suitable forum for your question, you may post in
IIS forums for more help.
Thanks for your understanding.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

SharePoint Provider Hosted App (401) Unauthorized Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable

Hello,
I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment. I've created snapshots of both my dev and the sharepoint environments along the way and have meticulously documented every step of the
way. I've followed these instructions (among many other resources found along this journey) :
http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error. I use Fiddler to obtain the SPErrorCorrelationID to ultimately obtain the following ULS Viewer Output. Please explain how to fix if you're able.
Please Note: I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection?
Also Note: I've used a self signed and godday obtained certificate to successfully f5 debug my basic web.title (out of the visual studio 2012 box) sharepoint provider hosted application... so I know my certs are good.
Here's my ULS output:
03/24/2014 08:54:47.83   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   Logging Correlation Data   xmnv   Medium   Name=Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   Authentication Authorization   agb9s   Medium   Non-OAuth request.
IsAuthenticated=True, UserIdentityName=0#.w|cltenet\sp.apps, ClaimsCount=25   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   Logging Correlation Data   xmnv   Medium   Site=/   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Deployment   acjjg   Medium   The current user has System.Threading.Thread.CurrentPrincipal.Identity.Name
= 0#.w|cltenet\sp.apps, System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\IUSR, System.Web.HttpContext.Current.User.Identity.Name = 0#.w|cltenet\sp.apps.   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsrv   Medium   redirectLaunUrl after getting it from query
string, web or app instance: https://hightrust31.cltenetapps.com/Pages/Default.aspx?{StandardTokens}   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   General   aib0n   High   trying to get app tokens for site: 888b71f7-51ee-40f5-8344-8de4869d37d0
Unable to load app tokens from appInstanceId: 22d5252f-392c-4f68-b820-a3053b9d4f24   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsrw   Medium   redirectLaunUrl after getting token replacement:
https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsry   Medium   m_oauthAppId after NormalizeAppIdentifier()
i:0i.t|ms.sp.ext|[email protected]8df36d5d. Now getting app principal info.   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsr0   Medium   decided that we need to do a POST to the
app.   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsr1   Medium   m_redirectMessage: EndpointAuthorityMatches
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsr2   Medium   realm matched attempting to get app token
using GetAccessToken()   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   advzm   High   Error when get token for app i:0i.t|ms.sp.ext|[email protected]8df36d5d,
exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)
at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   ajsr3   High   App token requested from appredirect.aspx
for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 but there was an error in generating it. This may be a case when we do not need a token or when the app principal was not properly set up. LaunchUrl:https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http://portal.cltenet.com&SPLanguage=en-US&SPClientTag=0&SPProductNumber=15.0.4420.1017
Exception Message:The Azure Access Control service is unavailable. Stacktrace:    at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)
at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest().
Since this is a nonfatal error, it will be sanitized and posted to the app as part of the app launch.   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   General   ajlz0   High   Getting Error Message for Exception Microsoft.SharePoint.SPException:
The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext
serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri
applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext,
String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest()
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   App Auth   aib0p   Medium   Doing appredirect from appredirect.aspx:
in site: 888b71f7-51ee-40f5-8344-8de4869d37d0 with RedirectLaunchUrl: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85   w3wp.exe (0x1448)   0x22D8   SharePoint Foundation   Monitoring   b4ly   Medium   Leaving Monitored Scope (Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)).
Execution Time=26.5933938531294   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
Your help is very much appreciated.
With Respect,
Larry

Yes, actually - I was able to resolve it.
However I don't know how, unfortunately. I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to sharepoint) process, different.
I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing. It was a daunting task, but I finished it successfully.
If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
NOTE: I'm not all impressed with the way this forum works. This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions. Completely lame. Boooooo Microsoft.

Issue while enabling Access Control for a Coherence server node

Hi
Im trying to enable access control for a Coherence server node, using the default Keystore login method shipped with Coherence. When i start the server i get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to be enable Authentication (not authorization) at this stage
1. I have added the following entry in the Coherence Operational override file
<security-config>
 <enabled system-property="tangosol.coherence.security">true</enabled>
 <login-module-name>Coherence</login-module-name>
 <access-controller>
 <class-name>com.tangosol.net.security.DefaultController</class-name>
 <init-params>
 <init-param id="1">
 <param-type>java.io.File</param-type>
 <param-value>keystore.jks</param-value>
 </init-param>
 <init-param id="2">
 <param-type>java.io.File</param-type>
 <param-value>permissions.xml</param-value>
 </init-param>
 </init-params>
 </access-controller>
 <callback-handler>
 <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
 </callback-handler>
 </security-config>
2. The following is the entry in the Permissions.xml
<?xml version='1.0'?>
<permissions>
<grant>
<principal>
<class>javax.security.auth.x500.X500Principal</class>
<name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
</principal>
<permission>
<target>*</target>
<action>all</action>
</permission>
</grant>
</permissions>
3. The following is the content of the Login configuration file "Coherence_Login.conf"
Coherence {
com.tangosol.security.KeystoreLogin required
keyStorePath="keystore.jks";
4. The following is the command line tag for starting the server
java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
Following is the output on the Console when running the command. It asks for a username and password for the JKS store (If i provide the wrong password, it gives a different error, which shows that it is able to authenticate aganst the Keystore). After i put in the password, it throws the error as shown below "java.security.AccessControlException: Unsufficient rights to perform the operation"
D:\Coherence\FOL_CacheServer>fol-cache-server
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
Username:admin
Password:
Exception in thread "main" java.security.AccessControlException: Unsufficient ri
ghts to perform the operation
at com.tangosol.net.security.DefaultController.checkPermission(DefaultCo
ntroller.java:153)
at com.tangosol.coherence.component.net.security.Standard.checkPermissio
n(Standard.CDB:32)
at com.tangosol.coherence.component.net.Security.checkPermission(Securit
y.CDB:11)
at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeC
luster.CDB:6)
at com.tangosol.coherence.component.net.management.Connector.startServic
e(Connector.CDB:20)
at com.tangosol.coherence.component.net.management.gateway.Remote.regist
erLocalModel(Remote.CDB:10)
at com.tangosol.coherence.component.net.management.gateway.Local.registe
rLocalModel(Local.CDB:10)
at com.tangosol.coherence.component.net.management.Gateway.register(Gate
way.CDB:6)
at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluste
r(SafeCluster.CDB:46)
at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.C
DB:2)
at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInterna
l(DefaultConfigurableCacheFactory.java:923)
at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(Defaul
tConfigurableCacheFactory.java:892)
at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.
java:81)
at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheS
erver.java:250)
at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServe
r.java:55)
at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)

Did you create the weblogic domain with the Oracle Webcenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
Cappa

Access control exception only on Linux/Debian not on Windows!?

We have a rmi server application with a webstart rmi swing client that we have been running successfully on Windows. The client is downloaded and running without any problems on Windows platforms (W2003, Win2K, WinXP). The client webstart jar is signed and all permissions is set in the jnlp file.
As soon as we setup a server on linux/debian sarge we get these access control exceptions when the server tries to send events back to the client. It complains on
file permssions not being set on the server jar file and the strange thing is that the path separator is backslash on linux?
I've tried the following:
1) java.policy. Added All permssions to the server jar file and/or bin the folder.
2) Running without any security manager, i.e., System.setSecurityManager(null)
3) Explicitly setting the policy on the server. Policy.setPolicy(...)
4) Explicitly setting a policy on the client. URL policyUrl = Thread.currentThread().getContextClassLoader().getResource("server.policy");
5) Building the server and client on debian
I'm at my wits end... I've searched these forums and it seems that this is might be a common problem but I've not found a solution yet.
Our system works 100% on Windows without any problems, it's only on linux/debian that we get these access control problems.
2005-sep-19 09:39:19 se.xxx.xxx.admin.AdminManager change
ERROR: java.security.AccessControlException: access denied (java.io.FilePermission \\usr\local\XXX\bin\server.jar read)
java.security.AccessControlContext.checkPermission(Unknown Source)
java.security.AccessController.checkPermission(Unknown Source)
java.lang.SecurityManager.checkPermission(Unknown Source)
java.lang.SecurityManager.checkRead(Unknown Source)
java.io.File.exists(Unknown Source)
sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
sun.net.www.protocol.file.Handler.openConnection(Unknown Source)
java.net.URL.openConnection(Unknown Source)
sun.rmi.server.LoaderHandler.addPermissionsForURLs(Unknown Source)
sun.rmi.server.LoaderHandler.access$300(Unknown Source)
sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
sun.rmi.server.LoaderHandler$Loader.<init>(Unknown Source)
sun.rmi.server.LoaderHandler$1.run(Unknown Source)
java.security.AccessController.doPrivileged(Native Method)
sun.rmi.server.LoaderHandler.lookupLoader(Unknown Source)
sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
java.rmi.server.RMIClassLoader$2.loadClass(Unknown Source)
java.rmi.server.RMIClassLoader.loadClass(Unknown Source)
sun.rmi.server.MarshalInputStream.resolveClass(Unknown Source)
java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
java.io.ObjectInputStream.readClassDesc(Unknown Source)
java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
java.io.ObjectInputStream.readObject0(Unknown Source)
java.io.ObjectInputStream.readObject(Unknown Source)
sun.rmi.server.UnicastRef.unmarshalValue(Unknown Source)
sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
sun.rmi.transport.Transport$1.run(Unknown Source)
java.security.AccessController.doPrivileged(Native Method)
sun.rmi.transport.Transport.serviceCall(Unknown Source)
sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
java.lang.Thread.run(Unknown Source)
sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
sun.rmi.server.UnicastRef.invoke(Unknown Source)
se.xxx.xxx.client.XXXApplication_Stub.notify(Unknown Source)
)

I have two suggestions. The first is that you didn't indicate the permissions of the file and the directories above it along with the user you're running the program as. In Unix it is easier to get an access issue as you're probably not running as root. In a traditional Windows environment everything runs with admin permission allowing access to anything. While the error comes from the security manager it has nothing to do with traditional J2SE security - it may be an O/S level thing.
But the second suggestion touches on the other question you have - why is this showing up as backslashes? Is there perhaps an issue with the JNLP file? Is there any code that should be using System.getProperty( "file.separator") and is instead just using the backslash?

Is Compliance Calibrator the same as GRC Access Control?

I have been asked to look at Compliance Calibrator and am getting confused about what functionality is offered. I have done the basic e-learning course for Compliance Calibrator (GRC200): this was all about separation of duties etc. Fair enough. But I also have a Document called "SAP GRC Access Control" which talks about the same S.O.D compliance functionality but also talks of "roles triggering workflows", "users creating roles", "automated approvals for roles" eg:
"SAP GRC Access Control streamlines access requests by filling each request automatically with user identity information from a lightweight directory access protocol (LDAP) directory or HR database, thereby eliminating the need for user intervention. Approvers receive an e-mail with a direct hyperlink to the request inside the application, where they can easily view and approve the request. The application then checks for security violations before updating accounts automatically."
None of this was covered on the Compliance Calibrator course, so what product offers this? I can see another product by Virsa called Access Enforcer but have no info on this... can anyone enlighten me?

SAP GRC Access Control is the SAP application that comprises the former Virsa products Compliance Calibrator, Access Enforcer, Risk Terminator, Firefighter and Role Expert.

Security advice on mandatory access control

Similar Messages

Maybe you are looking for