Security and authentication

Similar Messages

• Webservices security and authentication..?

  Hi Guys,
  Thanks for the previous help. Can anyone suggest a solution/mechanism to
  enforce security and authentication for published webservices?
  I have situation where an external system (of Business Partner) would
  like to request-services of webservices deployed via SOAP XML messaging.
  How could i authenticate the system requesting the service is our
  business partner system?
  Any suggestions welcome,
  thanks\
  RA

  You have two choices:
  1. Use HTTP simple ( password based ) authentication. This is
  usually called transportation level authentication.
  2. Use SOAP signature and time stamp (X509 Certificate based) authentication.
  This is called content level authentication.
  In both case, you need modify the SOAP client to put in authentication information
  and add interceptor in server side to do actually authentication before SOAP router
  actually dispatch the calls to the service.
  Heyun Zheng
  Ramesh Ankam <[email protected]> wrote:
  Hi Guys,
  Thanks for the previous help. Can anyone suggest a solution/mechanism
  to
  enforce security and authentication for published webservices?
  I have situation where an external system (of Business Partner) would
  like to request-services of webservices deployed via SOAP XML messaging.
  How could i authenticate the system requesting the service is our
  business partner system?
  Any suggestions welcome,
  thanks\
  RA

• User and Device Security and Authentication

  i'm trying to configure user & device security & authentication by following "http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/white_paper_c11-492830.html" that has following confg.
  ============
  aaa new-model
  aaa group server radius authproxy
  server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
  ip radius source-interface Vlan10
  aaa authorization auth-proxy default group authproxy
  ip inspect fw test tcp
  ip inspect fw test udp
  ip inspect fw test rtsp
  ip inspect fw test tftp
  ip inspect fw test skinny
  ip inspect name test sip
  ip inspect name test sip-tls
  ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm
  ip admission auth-proxy-banner http ^
  This is the authentication proxy challenge
  ^
  ip admission max-login-attempts 6
  ! Configure 30 minutes of inactivity timeout.
  ! proxy_acl is the intercept ACL
  ip admission name pxy proxy http inactivity-time 30 list proxy_acl
  ip admission name test_proxy proxy http list proxy_acl
  interface Vlan10
  description inside interface
  ip inspect fw in
  ip access-group proxy_inbound_acl in
  ip admission test_proxy
  ip access-list extended proxy_acl
  remark --- Auth-Proxy ACL -----------
  ! Deny lines are used to bypass auth-proxy
  deny tcp any host 10.10.200.1 eq www
  ! auth-proxy will intercept http access matching the below permit lines
  permit tcp any 10.10.30.0 0.0.255 eq www
  ip access-list extended proxy_inbound_acl
  remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
  ! Allow access to certain protcols
  permit udp any any eq domain
  permit udp any any eq netbios-ns
  permit udp any any eq netbios-dgm
  permit udp any any eq 5445
  permit tcp any any eq 5060
  permit tcp any any eq 5061
  permit tcp any any eq 2000
  permit tcp any any eq 2443
  permit udp any any eq tftp
  ! Block corporate subnets. If split tunneling is not enabled denying
  ! all traffic using
  ! "deny any any" is sufficient
  deny ip any 10.0.0.0 0.255.255.255
  Permit ip any any ! if split tunneling is enabled
  =========
  I've couple questions:
  1. "ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm" - does it mean banner can reside anywhere or it has to be in the flash of the router?
  2. what does "proxy_acl" do?
  3. what does "proxy_inbound_acl" do?
  4. we don't want to all split tunneling, what should that acl look like?

  OK so basically what you need to do is doing EAP-TLS with Machince authentication.
  Yes, that can be done. However WHO is it going to be authenticating both? IAS? or ACS?
  Here it is a configuration example on how you can do this using ACS, doing it with IAS would be basically the same.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• How do I bind to directory server with SSL and authentication?

  I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
  Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
  Here are the problems:
  1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
  2) I was never prompted to authenticate for the directory binding.
  So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
  What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
  Thank you.

  You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
  Cheers,
  Vikas

• 10.5.2, Screensaver Security, and Disk Utility

  After installing the 10.5.2 software update, it is appropriate to use Disk Utility (DU) to repair permissions. I learned this from the fact that I had somehow lost the protection I had previously set up by requiring my password to wake up the computer from its screensaver mode. I checked my preferences and found them to continue to call for that form of security with the use of my screensaver. Because my preferred security settings were being ignored, I assumed I needed to repair permissions on my system files. When something isn't working as it should, then it's my understanding that in all likelihood permissions are out of kilter. The Software Update process somehow managed to alter some of my permissions, and again, as I understand it, this is a matter that should be suspected after any software installation.
  So I ran Disk Utility to repair permissions.
  With Leopard, Disk Utility's repair process runs differently from the way it did in Tiger.
  Under Leopard, Disk Utility's repair permissions routine presents a funny user interface. At the outset of the repair process, it ain't exactly clear that anything is really happening even though the repairs are indeed underway.
  First thing DU does when the repair process starts is show you a blue progress bar and words to the effect that the process will require about 1 minute more. Then that blue bar sits there doing nothing whatsoever in terms of measuring progress - until about five minutes have passed. During this 5 minute hiatus, DU is building its own permissions data base which it will subsequently use to do its repair work.
  Once the permissions data base is constructed, DU's progress bar will suddenly come alive again to show about fifteen minutes longer to complete the repair process. That fifteen minute item changes rapidly from then on, with all repairs being completed in just about five minutes more. (DU took altogether about ten minutes to do its repair thing under Leopard on my computer.)
  DU will show you a list of permission faults that it finds, with the ones it can fix, repaired. You may, according to Apple, safely ignore faults listed involving "SUID" or "ACL". (With 10.5.2, the "SUID" faults appear to have stopped showing up but the "ACL" faults continue to be presented on my computer.)
  If you have any wonderment about Disk Utility being at work when it appears that it is hung up for about five minutes, then open your Activity Monitor (AM) and select the CPU column. You'll be able to watch DU's use of the CPU while it is building the permissions data base. When DU's CPU usage ceases, you'll find that your permissions have been repaired. You can keep both DU and AM windows open on your monitor if you wish to suffer along with this sort of discombobulation.
  After repairing permissions, I rebooted to find my screensaver password once again being called for as it should.

  Okay, just a little update.
  I added the replica server to the "Authentication" search in the Directory Utility, right after the OD Master.
  I have also added it to the search path in the Workgroup Manager on my 10.4.11 server, and authenticated. Sees it just fine.
  Now, when I fake a failure of the Master, (IE, shut it down), it just hangs forever, and doesn't timeout and move on to the replica.
  Am I missing something? Isn't this the point of a replica?
  Help?
  Thanks!

• Error:- weblogic.security.SecurityInitializationException: Authentication

  Hi,
  I am getting below error when ever i am trying to start the Managed server in cluster environment(unix).
  I am able to start the server on local machine but in case of remote machine its not gettig started.
  I have tried most of the steps as mentioned below:-
  1) Changed the weblogic passowrd.
  2) Delete boot.properties.
  3) deleted $DOMAIN_DIR\servers\<admin-server-name>\data\ldap
  4) Followed below post also but nothing worked:-
  https://forums.oracle.com/forums/thread.jspa?threadID=956750&start=30&tstart=0
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888310> <BEA-000000> <WebLogic Server "soa_server2" version:
  WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 Copyright (c) 1995, 2009, Oracle and/or its affiliates. All rights reserved.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Notice> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888419> <BEA-170019> <The server log file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/logs/soa_server2.log is opened. All server side log events will be written to this file.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888426> <BEA-170023> <The Server Logging is initialized with Java Logging API implementation.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Diagnostics> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888494> <BEA-320001> <The ServerDebug service initialized successfully.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3s" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "http" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "https" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888561> <BEA-002622> <The protocol "iiop" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "iiops" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldap" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldaps" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888564> <BEA-002622> <The protocol "cluster" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888565> <BEA-002622> <The protocol "clusters" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "snmp" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "admin" is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888569> <BEA-002624> <The administration protocol is "t3s" and is now configured.>
  ####<Nov 14, 2011 7:41:28 PM IST> <Info> <RJVM> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888583> <BEA-000570> <Network Configuration for Channel "soa_server2"
  Listen Address          172.17.103.42:8101
  Public Address          N/A
  Http Enabled          true
  Tunneling Enabled     false
  Outbound Enabled     false
  Admin Traffic Enabled     true>
  ####<Nov 14, 2011 7:41:29 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889336> <BEA-002609> <Channel Service initialized.>
  ####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889410> <BEA-000436> <Allocating 4 reader threads.>
  ####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889412> <BEA-000446> <Native IO Enabled.>
  ####<Nov 14, 2011 7:41:29 PM IST> <Info> <IIOP> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889612> <BEA-002014> <IIOP subsystem enabled.>
  ####<Nov 14, 2011 7:41:32 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279892649> <BEA-090894> <Successfully loaded the OPSS Policy Provider using oracle.security.jps.internal.policystore.JavaPolicyProvider.>
  ####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893102> <BEA-000000> <Starting OpenJPA 1.1.1-SNAPSHOT>
  ####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893224> <BEA-000000> <StoreServiceImpl.initJDO - StoreService is initialized with Id = ldap_qMT60FRl3kIPYftFoWhBFbhSxuY=>
  ####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893501> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLAuthorizermyrealmInit.initialized, will load full LDIFT.>
  ####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893509> <BEA-090074> <Initializing Authorizer provider using LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift.>
  ####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893921> <BEA-090075> <The Authorizer provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/DefaultCredentialMappermyrealmInit.initialized, will load full LDIFT.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-090827> <LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DefaultCredentialMapperInit.ldift was empty. The WebLogic provider CredentialMapper has been bootstrapped but has not been initialized with any LDIF data.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894250> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLRoleMappermyrealmInit.initialized, will load full LDIFT.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894251> <BEA-090074> <Initializing RoleMapper provider using LDIF template file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894265> <BEA-090075> <The RoleMapper provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server soa_server2 for security realm myrealm.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Notice> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090082> <Security initializing using security realm myrealm.>
  ####<Nov 14, 2011 7:41:34 PM IST> <Critical> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894594> <BEA-090403> <Authentication for user weblogic denied>
  ####<Nov 14, 2011 7:41:34 PM IST> <Critical> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894596> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
  weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
       at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
       at weblogic.security.SecurityService.start(SecurityService.java:141)
       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
       at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
       at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
       at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy28.login(Unknown Source)
       at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
       at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy46.authenticate(Unknown Source)
       at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
       at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
       at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
       at weblogic.security.SecurityService.start(SecurityService.java:141)
       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  >
  ####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000365> <Server state changed to FAILED>
  ####<Nov 14, 2011 7:41:34 PM IST> <Error> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000383> <A critical service failed. The server will shut itself down>
  ####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894608> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  ####<Nov 14, 2011 7:41:34 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894618> <BEA-000236> <Stopping execute threads.>
  Please help.
  thanks in advance

  I've tried every trick in the book but no luck and finally I found a solution for this problem. Maybe it is not the best practice but it works:
  1-Uninstall JDeveloper.
  2-Delete Oracle Middleware file located in C:\Oracle
  3-Delete the JDeveloper file located in C:\Users\MyUser\AppData\Roaming (Because the integrated Weblogic server is actually there)
  4-Reinstall JDeveloper
  That solved the issue.
  Thanks

• What is the best way to secure and harden a Macbook Pro against unwanted surveillance?

  What is the best way to secure and harden a Macbook Pro against unwanted surveillance? Tor, VPN, Little Snitch, etc. This would be for that latest version of Mavericks.

  djbabybokchoy wrote:
  Nothing specific, just speaking in general. Ex-wives, governments, bad guys...anyone really. I'm just looking to make my Mac a bit more private and secure, especially when on public networks.
  Governments and ex's will/may have recourse to the legal process (or in the case of the Gov they can choose to ignore the legal system if they feel like it) when they want to see something of yours, good luck hardening your Mac against that. The best way to avoid the possibility of snooping over public networks is to avoid them but if you can't then Kappy's suggestion will help.
  Strong passwords (everywhere) and don't use the same password in multiple locations.
  If you really want to secure your home wireless use Mac address connection authentication, do not allow unknown Mac addresses to connect. It's much stronger than a WPA password alone.

• WS-Security and UsernameToken 1.0 with PI 7.0

  Hello experts,
  we use PI 7.0 and we want to establish a connection to a web service which requires the use of "Message Security 1.0 (WS-Security)" and "UsernameToken Profile 1.0". I can't find the correct settings in the SOAP adapter. Do we have to use PI 7.1 and the WS adapter to establish this connection, is it possible to install the WS adapter on PI 7.0 or is there any workaround to connect to a web service like this?
  The standards are described here:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
  Best regards,
  David

  UsernameToken works with the WS-RM adapter very well, basically with every standard compliant SOAP implementation.
  You have to choose User ID/password message authentication in the receiver channel, then you get a Username Token. In the receiver agreement you then enter the actual username and password to use for the call.
  Choosing Asymmetric Message Signature/Encryption the messages will be signed and encrypted in a standadized WS-Security way. The signature will be performed based on a private key (stored inside a PSE of transaction STRUST of the integration server) you supply in the receiver agreement.
  The other option Symmetric Message Signature/Encryption will also add signature and encryption to the SOAP message. However the signature is done with a symmetric key that is created for the particular message exchange.

• PHP_MySQL version of a high security user authentication web app.

  Since you folks deal with PHP Application Development, I am posting this here.
  For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
  It  offers a multi-layered approach security approach towards protecting  important information like user authentication credentials.  Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
  I hope your feedback will help make the application even more useful and secure.
  Thank you!
  J.S.

  Hi,
  could you or someone tell me if ADDT supports protection against these methods you mention:
  Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
  And can this system work alongside ADDT?
  thanks again

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• Use smart card for 802.1x secured WiFi authentication

  Hi,
  is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
  I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
  WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
  and granted access.
  To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
  certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
  fails.
  As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
  the local client computer configuration or in the Safenet software on the client computer.
  I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
  Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
  Thanks + Best Regards
  Matt

  Hi,
  I found some links form technet site which can be helpful in this case
  Network access authentication and certificates
  http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
  Enable smart card or other certificate authentication
  http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
  Quote:
  Client certificate requirements
  With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
  The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
  The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
  by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
  The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
  For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
  For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
  Yolanda Zhu
  TechNet Community Support

• Port security and 802.1x (ISE)

  Hi everyone,
  I'm implemmenting ISE in a network with Port Security enabled.
  According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.
  I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.
  Someone?
  Thanks!

  Hi Neno,
  Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.
  Please find below logs from switch - 
  Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
  Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
  Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
  Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Can you guide us how to fix this one
  Regards
  Pranav

• WS-Security and UsernameToken in WS Adapter

  Hi
  I am working on a scenario WS Adapter to proxy.
  Is it possible to use WS Security and UsernameToken authentication in WS Adapter?
  If possible then how to configure it? how to acheive it?
  Please help

  Hi,
  If you are working on PI7.1 ,refer below guide..
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2393?quicklink=index&overridelayout=true
  Regards,
  Raj

• Weblogic.security.SecurityInitializationException: Authentication for user

  Folks,
  I've newly installed Weblogic server on my home laptop.
  I can't startup the weblogic server.
  Errors are
  Now, I know the location of the boot.properties file the server accesses, because if I delete and restart the server it asks for userid/password.
  If that file does not exists it gives the following error
  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  So, I thought the best way is to RECOVER the password and tried following the steps
  1. At the command line, change directory to the domain and run the setEnv script to set the PATH and CLASSPATH.
  2. cd <domain_home>/security
  3. mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_BKP
  4. run java weblogic.security.utils.AdminAccount <tempadmin> <temppassword> ./
  -above command will Create a new DefaultAuthenticatorInit.ldift
  4. cd <domain_home>/servers/<AdminServer>/data/ldap
  5. mv DefaultAuthenticatormyrealmInit.initialized DefaultAuthenticatormyrealmInit.initialized_BKP
  6. Restart the Admin Server.
  7. Login with new username/password
  The question is how do I run Step 4) above? Like what is the Java home, or jar file that has the weblogic.security.utils.AdminsAccount class?
  Thanks
  Ravi

  The class "weblogic.security.utils.AdminAccount" is part of weblogic.jar
  And JAVA_HOME would be the java installation directory, for example "D:\Middleware\wls1036\jdk160_29\bin"
  So, for example, the same command can be read as
  D:\Middleware\wls1036\jdk160_29\bin\java -cp D:\Middleware\wls1036\wlserver_10.3\server\lib\weblogic.jar weblogic.security.utils.AdminAccount <tempadmin> <temppassword> .
  OR
  Another option for you is to just run setDomainEnv to set the JAVA_HOME and CLASSPATH variables for us.
  For windows open a command prompt and run,
  <domain_home>/bin/setDomainEnv.cmd
  For linux run,
  . <domain_home>/bin/setDomainEnv.sh {Remember the dot and space, ". ", at the beginning are very important for a open shell with the environment variables set}
  After running the above command, then cd <domain_home>/security (step 2)
  Now, after doing the above, you can directly run the command in step 4
  java weblogic.security.utils.AdminAccount <tempadmin> <temppassword> ./
  Arun

• Weblogic.security.SecurityInitializationException: Authentication for user system denied

  Reason: weblogic.security.SecurityInitializationException: Authentication for user system denied
  I tried my user name.But server didn't start.PLz help me and tell me what i have to do.
  Thanks

  Hi,
  The admin server is also able to start the managed server. The easiest way is
  to use a script. The command of starting a managed server is not much different
  from the one for the admin server. Just make sure that you reference the admin
  server URL (eg. http://localhost:7001). The more production environment way of
  managing managed server is to use the notemanger. See the admin guide for more
  infos.
  Which version are you using?
  Kai
  "hari" <[email protected]> wrote:
  >
  Hi!Kai..
  I tried with system/weblogic....but same error.Actually i created domain
  and managed
  server in existing domain throgh config.sh
  But the admin server is running properly.But the manager is not starting,user
  authentication problem is coming.When i was created domain..i created
  a user.I
  started admin server with that user...but manged server is not starting.Plz
  help
  me.