Security in CM 12.1 SP3

Hi,
Could you please share how you are handling the following scenarios?
We are using CM 12.1 (no immediate idea to upgrade to 13).
Contractor, Project Management Consultant, Design Consultant, all have Edit privilege in Submittal.
All of them can change any dates
All of them can remove the attachment link
All of them can go and change the comments (we use remarks in Submittal revision)
Assume we are not taking printouts or scanning and attaching to track the changes?
Even though we have some process for discipline etc., we cannot prove it if anything goes wrong, since there is no proper audit trail (yes, I am aware of the v13 version, but not fully satisfied with it though).
It's a bit weak at the security level.

Field-level security, in my own words:
Limiting access to a specific data field. Limiting access could be as restrictive as the user not seeing the field at all. Example: A Contract Manager RFI record has three primary areas of data entry, the Question, the Proposed Solution, and the Answer. I have been in situations where the owner refused to utilize the proposed Solution module because the Contractor could read its content. With field-level security the Contractor could be denied access to the Proposed Solution field; they wouldn't even know it exists. The Owner and Architect could then freely discuss the issue in the Proposed Solution field. The Contractor would still be able to view the Answer.
Additionally, record-level security would be nice to have. I'm not referring to Access by Company, either. I would like to see record edit and deletion privileges restricted to the record creator and/or super users/admins.
Selectable auditing, in my own words:
The ability to choose which modules and which records, and which fields and transactions within those modules and records are audited, and to what extent. Maybe I don't want full auditing on every record. Maybe I only want it when a flag has been set regarding cost and/or follow-on work.
Many-to-many parallel, customizable workflows, in my own words:
Rigid, linear workflows are not realistic. Workflows can be simple, but more often than not they are very complex. I would like to be able to design a custom workflow for every business process where it's needed. The workflow capabilities of CM 12 and CM 13 are limited to specific modules and are purely linear, moving from one person to the next (someone from Oracle feel free to step in here and clarify if you disagree.) If you've seen Skire Unifier (or similar products) virtually every module can be created from scratch, without programming knowledge, and custom tailored to your specific business process needs. Granted, those systems usually cost more, and you get what you pay for. A many-to-many workflow, from my perspective, would be a situation where multiple people (in designated roles) could initiate a workflow that may be routed in parallel to multiple people simultaneously, for review and approval. Also, delegation for people on vacation or on sick leave would be part of the system, as well as the ability to set fiscal authority levels. Lastly, I would like to see the current Ball-In-Court functionality enhanced to support an organizational hierarchy. For example, I would like for a Construction Manager to be able to start at the Control Center screen and see his Action Items, as well as those of everyone who is underneath him in the organization (or project.)
While I'm on the subject of many-to-many, I still desire the ability to link any document to any number of other documents without having to rely on the Issue builder.
As long as I'm ranting, I want program-level (or Group level) searching. I want module-selectable searching (like in the 8.x days.) I want to be able to specify the number of rows retrieved at the log level (25, 50, 100, ALL.) I want the ability to grant super-user delete privilege, with the ability to select multiple records for deletion AT THE LOG LEVEL. I want the option of enabling the old form view (non-tabbed view) within documents. I want the Next Record link (like in the 8.x days.) I want to hover over a field, or right-click, and see the table/view and field name.
Security in CM, in my own words:
Decent, but could be improved. For instance, let's say the Architect has the ability to Answer RFI's. This is great. The downside, unfortunately, will be revealed if you need custom fields for capturing additional data. You often have to grant Edit privileges to the RFI module for the Architect (not necessarily Edit rights to the Question, but to the Answer and fields outside the Answer, because your custom fields may not be in the Answer portion of the form.) The Architect now has more privileges than we wanted in that scenario, partly due to the lack of field-level security.
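
The field-level security and selectable auditing discussed in this thread, sketched as an added example (not Contract Manager code and not written by the posters). The role names, field names, policy table and hash-chained log are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical field policy for an RFI record: role -> {field: "r" | "rw"}.
# A field missing from a role's map is hidden from that role entirely.
POLICY = {
    "owner":      {"question": "r",  "proposed_solution": "rw", "answer": "r"},
    "architect":  {"question": "r",  "proposed_solution": "rw", "answer": "rw"},
    "contractor": {"question": "rw", "answer": "r"},
}


class AuditLog:
    """Append-only log; each entry commits to the previous one via SHA-256."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})

    def verify(self):
        """Return the index of the first broken entry, or -1 if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = json.dumps(entry["event"], sort_keys=True)
            good = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != good:
                return i
            prev = entry["hash"]
        return -1


class RFI:
    def __init__(self, rfi_id, creator, log, audited_fields, cost_flag=False):
        self.rfi_id, self.creator, self.log = rfi_id, creator, log
        self.audited_fields = set(audited_fields)  # selectable auditing
        self.cost_flag = cost_flag  # when set, every field write is audited
        self.fields = {"question": "", "proposed_solution": "", "answer": ""}

    def view(self, role):
        """Return only the fields this role may see; hidden ones are absent."""
        allowed = POLICY.get(role, {})
        return {k: v for k, v in self.fields.items() if k in allowed}

    def edit(self, user, role, name, value):
        """Write one field if the role holds 'rw' on it."""
        if POLICY.get(role, {}).get(name) != "rw":
            # Same error for hidden and read-only fields, so the response
            # does not reveal which fields exist. Denials are always logged.
            self._audit(user, role, name, "denied", None, None, force=True)
            raise PermissionError("edit not permitted")
        old = self.fields[name]
        self.fields[name] = value
        self._audit(user, role, name, "edit", old, value)

    def _audit(self, user, role, name, action, old, new, force=False):
        # A production log would also carry a trusted timestamp.
        if force or self.cost_flag or name in self.audited_fields:
            self.log.append({"rfi": self.rfi_id, "user": user, "role": role,
                             "field": name, "action": action,
                             "old": old, "new": new})


def demo():
    """Constructed scenario: three parties edit one RFI, then the log is altered."""
    log = AuditLog()
    rfi = RFI("RFI-001", "contractor_a", log, audited_fields={"answer"})
    rfi.edit("contractor_a", "contractor", "question", "Slab thickness at C4?")
    rfi.edit("owner_b", "owner", "proposed_solution", "Accept 200 mm")
    rfi.edit("architect_c", "architect", "answer", "Use 200 mm per detail 5/S-301")
    try:
        rfi.edit("contractor_a", "contractor", "answer", "Use 150 mm")
    except PermissionError:
        pass
    contractor_view = rfi.view("contractor")
    intact = log.verify()
    log.entries[0]["event"]["new"] = "Use 150 mm"  # after-the-fact change
    return contractor_view, len(log.entries), intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

Because each entry's hash covers the previous hash, rewriting an old remark or answer in the log is detectable unless every later entry is recomputed, which is why the latest hash is normally stored somewhere the editing parties cannot write.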

Similar Messages

  • Moved to iAS SP3 and IIOP to secure app fails

    Hello,
    I have just moved to iAS SP3 from SP2 and our rich client no longer asks
    me to log in?! In SP2 it did as required by the security roles in the
    deployment descriptors. In the CXS log I get the following:
    [21/Sep/2001 15:09:58:1] info: ENGINE-ready: ready: 10821
    eng =com.kivasoft.types.enumSubKeysIGDSKey@10cb03
    eng =com.kivasoft.types.enumSubKeysIGDSKey@6cb8
    eng =com.kivasoft.types.enumSubKeysIGDSKey@61a408
    eng =com.kivasoft.types.enumSubKeysIGDSKey@581784
    [21/Sep/2001 15:12:13:2] error: EB-001: Unable to locate interface
    IGXTxnAssocMgr
    [21/Sep/2001 15:12:13:4] info: PROT-006: new connection established
    I'm wondering about the second last line with the error. Anyone have any
    comments/thoughts?
    Anyone else using SP3 with an IIOP client to a secure app?
    Thanks, Jeff

    Hello,
    More info. I think it is my deployment descriptor that is the issue.
    Somehow SP2 determined what secure application an EJB belonged to and asked
    my IIOP client to ask for the user/password. Now I think I need to include
    the role information etc within the descriptors for the EJBs. I did this as
    described in the DTDs but still nothing. Does anyone have a working secure
    IIOP client running with SP3?
    Thanks , Jeff

  • Framemaker 7.2 and Windows XP SP3

    For any Framemaker 7.2 users out there who do not already know, Framemaker 7.2 will not work with Windows XP SP3.
    A security file in Win XP SP3 causes problems with OLE graphics imported into FM. The problem will only rear its head when you try to save the document and the following error box appears:
    "An Internal error occurred while writing imported graphics in this document. The file has been saved, but has lost some image data. Please report this fault to Adobe Technical Support."
    Why only OLE imports are affected is beyond my skills as I would expect this problem with referenced imports. Adobe are not aware of this concern and have no fix. There are a couple of fixes, but neither is ideal.
    1. Remove all OLE files and import them as referenced files, then save.
    2. Roll back Windows XP to SP2. (This is what I had to do as I have a vast quantity of documents with OLE files.)
    If anybody has further info please feel free to discuss.

    Andy,
    It's just OLE, not FM7.2, that is the problem with the SP3 fix. This
    has been reported in the Forums numerous times. Using OLE with FM has
    consistently been a "not recommended" feature and Adobe is aware of
    the issue.
    As you point out, the only two fixes known, to date, are either import
    by reference or rollback to SP2.

  • Problems with weblogic clustering in 6.1 sp3

    We have spent a lot of time trying to get our application deployed to
              a cluster using weblogic 6.1 sp3 and we consistently receive a failure
              when we attempt to start the managed server. This was not a problem
              with weblogic sp1--we got our application to deploy to the cluster
              successfully; although there was another weblogic bug there with
              clients accessing EJB clusters--we won't go into that here...
              We have tried this on both a Windows 2000 machine and an HP machine
              running weblogic sp3. The same error occurs on both platforms.
              The error in deploying our application to the cluster against weblogic
              sp3 looks to have to do with our custom security realm. Inside our
              custom realm we make use of a configurable providerUrl which we set to
              the cluster address/port. The custom realm makes a call where it
              passes in the providerUrl to:
                   weblogic.management.Helper.getMBeanHome(..., providerUrl,...)
              When we have our providerUrl set to the cluster address/port--e.g.,
                   t3://clustermember1:7001
              and attempt to start the managed server we get the error:
              Starting WebLogic Server ....
              Connecting to http://adminserver:7117...
              The WebLogic Server did not start up properly.
              Exception raised:
              weblogic.management.configuration.ConfigurationException:
              clustermember1 not found
                   at weblogic.management.Admin.getBootstrapLocalServer(Admin.java:1084)
                   at weblogic.management.Admin.initialize(Admin.java:340)
                   at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:359)
                   at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
                   at weblogic.Server.main(Server.java:35)
              Reason: Fatal initialization exception
              When we have our providerUrl set to the admin server address--e.g.,
                   t3://adminserver:7117
              everything starts up fine.
              Does anyone know why this would work on sp1 and not sp3 of weblogic
              6.1?
              We verified that all passwords are correct and everything else we
              could determine--any ideas would be helpful.
              We don't want the providerUrl to point at our admin server, we want it
              to point at the cluster address/port.
              When we get the managed server error, we received this error on the
              AdminServer:
              2002-08-15 16:52:23,019 ERROR [ExecuteThread: '11' for queue:
              'default'] (com.msa.gabriel.share.security.wlrealm.GabrielRealm) -
              Caught naming exception null; throwing RuntimeException.
              javax.naming.CommunicationException. Root exception is
              java.net.ConnectException: t3://tomtate.msais.com:7119: Destination
              unreachable; nested exception is:
                   java.net.ConnectException: Connection refused; No available router to
              destination
                   at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:155)
                   at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:207)
                   at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:307)
                   at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:211)
                   at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:149)
                   at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:665)
                   at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:246)
                   at javax.naming.InitialContext.init(InitialContext.java:222)
                   at javax.naming.InitialContext.<init>(InitialContext.java:198)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.getNamingContext(GabrielRealm.java:416)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.getConnection(GabrielRealm.java:347)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.access$000(GabrielRealm.java:51)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm$2.run(GabrielRealm.java:225)
                   at weblogic.security.acl.Security.doAsPrivileged(Security.java:489)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.myDoAsPrivileged(GabrielRealm.java:578)
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.getUser(GabrielRealm.java:221)
                   at weblogic.security.acl.CachingRealm.getUserEntry(CachingRealm.java:832)
                   at weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:696)
                   at weblogic.security.acl.Security.getCurrentUser(Security.java:250)
                   at weblogic.servlet.security.internal.SecurityModule.auditPerm(SecurityModule.java:356)
                   at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:205)
                   at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2518)
                   at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2260)
                   at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
                   at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
              <Aug 15, 2002 4:52:23 PM EDT> <Error> <HTTP>
              <[WebAppServletContext(8091823,wl_management_internal2,/wl_management_internal2)]
              Servlet failed with Exception
              java.lang.RuntimeException
                   at com.msa.gabriel.share.security.wlrealm.GabrielRealm.getUser(GabrielRealm.java:260)
                   at weblogic.security.acl.CachingRealm.getUserEntry(CachingRealm.java:832)
                   at weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:696)
                   at weblogic.security.acl.Security.getCurrentUser(Security.java:250)
                   at weblogic.servlet.security.internal.SecurityModule.auditPerm(SecurityModule.java:356)
                   at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:205)
                   at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2518)
                   at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2260)
                   at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
                   at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
              Thanks for any help.
              Rich
              

    Bottom line:
              In our custom realm we were not handling user guest correctly. Even if you
              have guest user disabled, Weblogic seems to have hard-coded guest to
              send messages to the cluster every-so-often. Not sure there--couldn't get
              an answer out of bea as to exactly why we see guest still being used...
              It seems that with sp3, the user guest interaction started happening earlier
              than it did with sp1, consequently making our realm code fail when trying to
              retrieve the guest user like someone we knew about in our system.
              Hence, our getUser and authUserPassword methods now return null for both
              users guest and system, making the secondary realm (file realm) be used to
              authenticate and resolve guest & system. BEA helped get our code fixed;
              however, we still don't have a lot of depth in understanding Weblogic
              server's use of guest...
              Apparently, in 7.x the guest & system user behavior and configuration is
              different also... We'll see when we start digging into that migration.
              Rich
              [email protected] (Rich Koch) wrote in message news:<[email protected]>...
              > Thanks for the responses--we're working with weblogic support now. We
              > think that the custom realm that we have [the developer that wrote it
              > left the company] is the problem.
              >
              > The original developer was told by someone to check:
              > weblogic.security.acl.internal.ClusterRealm.THE_ONE != null
              >
              > In order to determine if the JNDI was available/ready for the whole
              > cluster.
              >
              > It seems that the meaning/setting of THE_ONE changed with this respect
              > from
              > sp1 to sp3--i.e., this is no longer a valid test to tell us if the
              > JNDI is
              > ready for the cluster.
              >
              > We believe this was used because the 'system' user has to be
              > authenticated before the custom realm is up. Originally, before this
              > check was in place, an exception was received when authenticating
              > 'system'. This appears to be a weblogic limitation/issue. Support
              > has told us that this is different in weblogic 7.0. Unfortunately, we
              > can't upgrade from 6.1 yet.
              >
              > We'll post the solution when this gets figured out.
              >
              > Rak
              >
              > "Sabha" <[email protected]> wrote in message news:<[email protected]>...
              > > There was a security restriction enforced from sp2/sp3 onwards in terms of
              > > looking up mbeans from admin server.
              > >
              > > This might cause things to fail if you are attempting to lookup Mbeans with
              > > guest privileges from admin server. Also, can you try doing the following:
              > >
              > > Run " java weblogic.Admin -url adminServer -username system -password
              > > .... -GET -pretty -type Server" and check whether the named clustermember1
              > > is available in the list or not.
              > >
              > > Also you seem to be getting some security exception - can you check that.
              > >
              > > t3://tomtate.msais.com:7119: Destination
              > > unreachable; nested exception is:
              > >
              > > --- Try running weblogic.Admin PING on this one and see whether you are
              > > able to reach this server upon the error message.
              > >
              > > --Sabha
              > >
              

  • Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

    Hi!
    One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
    Example: p:CN=SAP/[email protected]
    The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
    Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
    Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
    Replacing the SNC Library on the AS ABAP
    The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
    After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
    The problem
    We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguished Name Format: CN=SAP/[email protected]. This is to avoid having to change the snc/identity/as to a "real" X.509 DN which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
    As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
    As part of a pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
    Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
    Any ideas how to solve this and have both solutions in parallel?
    Appreciate any help.
    Regards,
    Carsten

    Hi all,
    we were able to fix the issue. It was an issue with the customer's cluster configuration and the $SECUDIR variable. This tricky issue leads to non-working or sporadically working SNC Client Encryption...
    This was how the configuration looks before:
    Environment variable $SECUDIR is defined:
    "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
    sapgenpse seclogin -l -v
    running seclogin with USER="<SID>adm"
    Credentials for username '<SID>adm':
    0 (LPS:OFF):
             (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
    1 (LPS:OFF):
             (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
    After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec" and re-creating the credentials, it worked like a charm.
    As a result of this we can confirm that this configuration and SNC Client Encryption work with CommonCryptoLib in parallel to the SSO configuration.
    And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN; that was my mistake. In addition, SNC Client Encryption starting from Version 1 SP1 PL1 does this also, just to make this clear.
    Thread closed, hope this helps someone.
    Carsten
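The mismatch described in this thread (credentials registered for PSE files under a different path prefix than the one $SECUDIR names) can be checked mechanically. The following is an added example, not part of the original posts or of any SAP tooling; it assumes the `sapgenpse seclogin -l` listing format shown above, and the SID `ABC`, instance `DVEBMGS00` and function names are placeholders.

```python
import posixpath
import re

# Constructed sample modelled on the listing in the post; "ABC" and
# "DVEBMGS00" are placeholder values, not taken from a real system.
LISTING_BEFORE = """\
running seclogin with USER="abcadm"
Credentials for username 'abcadm':
0 (LPS:OFF):
         (LPS:OFF): /ABCDEFABC/usr/sap/ABC/DVEBMGS00/sec/SAPSNCSKERB.pse
1 (LPS:OFF):
         (LPS:OFF): /usr/sap/ABC/DVEBMGS00/sec/SAPSNCS.pse
"""

# Constructed listing for the state after SECUDIR was corrected and the
# credentials were re-created.
LISTING_AFTER = """\
running seclogin with USER="abcadm"
Credentials for username 'abcadm':
0 (LPS:OFF):
         (LPS:OFF): /usr/sap/ABC/DVEBMGS00/sec/SAPSNCSKERB.pse
1 (LPS:OFF):
         (LPS:OFF): /usr/sap/ABC/DVEBMGS00/sec/SAPSNCS.pse
"""

# A credential entry's second line carries the absolute PSE path.
PSE_LINE = re.compile(r"^\s*\(LPS:\w+\):\s*(/\S+\.pse)\s*$", re.IGNORECASE)


def credential_paths(listing):
    """Return the PSE file paths named in a seclogin listing, in order."""
    paths = []
    for line in listing.splitlines():
        match = PSE_LINE.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def pse_directories(listing):
    """Distinct directories the credentials point at; more than one means
    the credentials were created under different SECUDIR values."""
    return sorted({posixpath.normpath(posixpath.dirname(p))
                   for p in credential_paths(listing)})


def secudir_mismatches(secudir, listing):
    """PSE paths whose directory is not the directory SECUDIR names."""
    want = posixpath.normpath(secudir)
    return [p for p in credential_paths(listing)
            if posixpath.normpath(posixpath.dirname(p)) != want]


if __name__ == "__main__":
    secudir = "/ABCDEFABC/usr/sap/ABC/DVEBMGS00/sec"
    for path in secudir_mismatches(secudir, LISTING_BEFORE):
        print("credential outside SECUDIR:", path)
```

The comparison is on path strings, so two prefixes that resolve to the same directory on a clustered file system are still reported as different, which is the situation the post describes.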

  • KB2879017 setup error - failed to migrate dependent packages

    Hi, I get this error "KB2879017 setup error - failed to migrate dependent packages" during installation of Microsoft security patches on a Windows XP SP3 PC. I'm using IE7 (version 7.0.5730.13). The log below shows the error. Can anyone advise?
    275.407: Destination:C:\Program Files\internet explorer\iexplore.exe (7.0.6000.21357)
    275.407: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
    275.407: MigrateHotfix: Migrating hotfix KB2586448-IE8
    275.407: QFE KB2586448-IE8 has no backup directory to migrate.
    275.407: Migrating QFE KB2586448-IE8 with command line: update.exe -Z -Q -B:sp3qfe
    289.797: Update.exe failed 1603.
    289.797: MigrateHotfixes: Migration of KB2586448-IE8 failed
    289.797: DoInstallation: Migration failed
    290.641: Failed to migrate dependent packages.
    351.032: Message displayed to the user: Failed to migrate dependent packages.
    351.032: User Input: OK
    351.032: Update.exe extended error code = 0xf0ea
    351.032: Update.exe return code was masked to 0x643 for MSI custom action compliance.

    This forum is for questions and issues with the MAP Toolkit. You will need to post this question in a forum that is related to the software you are having trouble with.

  • Sample authenticators

    I installed the sample security providers for WLS 8.1 (see files here).
    The provider I use the most is the ManageableSampleAuthenticator. It works fine except for the fact that when a user is in a group, it is impossible to remove this group from the user's group membership.
    The method that should be called from the administration console should be in the PrincipalEntry.java class under the method "void removeFromGroup(String parentGroup)". It does not work!! When you add a group, the method (in the same class) "void addToGroup(String parentGroup)" is called and it works.
    I can't really fix my problem right now since I don't have access to the code that is called by the administration console when I click on the "Apply" button to remove a Group.
    I tested the function called by the method removeFromGroup by hard coding it in the addToGroup method since I am able to launch this method from the console. It removes the group fine.
    If someone can help me, I only need to know why the admin console doesn't call my method?
    Thanks.

    Hi jcharest
    I'm a member of a software development team in Colombia. I want to implement a security provider on WebLogic Server SP3, so I referred to the help material from the WebLogic site, which includes dvspisec.pdf, some sample code and more.
    I want to run the example (SampleSecurityProviders81.zip). I want to get the MBean Implementation and MBean Interface files from an MBean Information File by executing the WebLogicMBeanMaker tool, and then the following error occurs:
    java.net.MalformedURLException: no protocol: commo.dtd
    at java.net.URL.<init>(Unknown Source)
    at java.net.URL.<init>(Unknown Source)
    at java.net.URL.<init>(Unknown Source)
    at weblogic.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:836)
    at weblogic.apache.xerces.impl.XMLEntityManager.startDTDEntity(XMLEntityManager.java:796)
    at weblogic.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(XMLDTDScannerImpl.java:275)
    at weblogic.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:841)
    at weblogic.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
    at weblogic.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
    at weblogic.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
    at weblogic.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
    at weblogic.apache.xerces.parsers.DOMParser.parse(DOMParser.java:257)
    at weblogic.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:201)
    at weblogic.xml.jaxp.RegistryDocumentBuilder.parse(RegistryDocumentBuilder.java:149)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at weblogic.management.commo.WebLogicMBeanMaker.main(WebLogicMBeanMaker.java:720)
    I saw your topic and I think you may be able to help me with that.
    Regards,
    David

  • I have Windows XP SP3, run McAfee security software - when I open iTunes it does open however it will not connect to the iTunes store. iTunes diagnostic indicates that it does connect to internet but the secure link to iTunes fails.

    I have Windows XP SP3, run McAfee security software - when I open iTunes it does open however it will not connect to the iTunes store. iTunes diagnostic indicates that it does connect to the internet but the secure link to iTunes fails. iTunes diagnostic attached. Hope someone can help.
    Microsoft Windows XP Professional Service Pack 3 (Build 2600) Dell Inc. MP061 iTunes 11.0.2.26 QuickTime 7.7.3 FairPlay 2.3.31 Apple Application Support 2.3.3 iPod Updater Library 10.0d2 CD Driver 2.2.3.0 CD Driver DLL 2.1.3.1 Apple Mobile Device 6.1.0.13 Apple Mobile Device Driver 1.64.0.0 Bonjour 3.0.0.10 (333.10) Gracenote SDK 1.9.6.502 Gracenote MusicID 1.9.6.115 Gracenote Submit 1.9.6.143 Gracenote DSP 1.9.6.45 iTunes Serial Number 0012B5500B576CC8 Current user is an administrator. The current local date and time is 2013-04-28 10:27:11. iTunes is not running in safe mode. WebKit accelerated compositing is enabled. HDCP is not supported. Core Media is supported. Video Display Information ATI Mobility Radeon X1400 **** External Plug-ins Information **** No external plug-ins installed. iPodService 11.0.2.26 is currently running. iTunesHelper 11.0.2.26 is currently running. Apple Mobile Device service 3.3.0.0 is currently running.
**** Network Connectivity Tests **** Network Adapter Information Adapter Name: {7282B8D2-078A-4414-82D6-A506F9C935D0} Description: WiMAX Network Adapter - McAfee Core NDIS Intermediate Filter Miniport IP Address: 0.0.0.0 Subnet Mask: 0.0.0.0 Default Gateway: DHCP Enabled: Yes DHCP Server: 255.255.255.255 Lease Obtained: Wed Feb 13 12:30:29 2013 Lease Expires: Mon Jan 18 21:14:07 2038 DNS Servers: Adapter Name: {9CE46F79-8015-4C15-A074-B1ACA4388E56} Description: Sierra Wireless Network Adapter - McAfee Core NDIS Intermediate Filter Miniport IP Address: 0.0.0.0 Subnet Mask: 0.0.0.0 Default Gateway: DHCP Enabled: Yes DHCP Server: Lease Obtained: Mon Jan 18 21:14:07 2038 Lease Expires: Mon Jan 18 21:14:07 2038 DNS Servers: Adapter Name: {1A876FC9-50B6-4101-8E4F-838AF1D1CB32} Description: Dell Wireless 1390 WLAN Mini-Card - McAfee Core NDIS Intermediate Filter Miniport IP Address: 0.0.0.0 Subnet Mask: 0.0.0.0 Default Gateway: DHCP Enabled: Yes DHCP Server: Lease Obtained: Mon Jan 18 21:14:07 2038 Lease Expires: Mon Jan 18 21:14:07 2038 DNS Servers: Adapter Name: {E64A2DD8-7A18-4784-8DC0-08B143E504A7} Description: Broadcom 440x 10/100 Integrated Controller - McAfee Core NDIS Intermediate Filter Miniport IP Address: 0.0.0.0 Subnet Mask: 0.0.0.0 Default Gateway: DHCP Enabled: Yes DHCP Server: 10.0.40.20 Lease Obtained: Thu Aug 23 15:54:15 2012 Lease Expires: Thu Aug 23 17:54:15 2012 DNS Servers: Adapter Name: {2A9F97F5-D693-427F-BA40-9C3AA36937B1} Description: WAN (PPP/SLIP) Interface IP Address: 107.42.83.109 Subnet Mask: 255.255.255.255 Default Gateway: 107.42.83.109 DHCP Enabled: No DHCP Server: Lease Obtained: Wed Dec 31 18:00:00 1969 Lease Expires: Wed Dec 31 18:00:00 1969 DNS Servers: 66.1.77.7 68.29.73.7 Active Connection: Mobile Connected: Yes Online: Yes Using Modem: Yes Using LAN: No Using Proxy: No Firewall Information Windows Firewall is on. iTunes is enabled in Windows Firewall. Connection attempt to Apple web site was unsuccessful. 
The network connection timed out. Basic connection to the store failed. The network connection timed out. Connection attempt to Gracenote server was successful. The network connection timed out. Last successful iTunes Store access was 2013-04-16 10:14:47.

    Hello cor-el, thanks for your reply. I changed my settings for downloads to desktop and it has appeared on there. When I double click I am asked which program I want to open file. I click firefox and another box "opening install" says I have chosen to open the file which is an application and do I want to save it. This is the only real option so I press save file. I get a box saying this is an executable file which may contain viruses - do you want to run. I press ok and the final box showing C drive file name and desktop appears stating application not found.
    This happens the same whenever I try to install.
    To my untrained eye the application is not being recognised as an application and I cannot work out how to get it to do that.
    My plugin is still showing as out of date.
    Is there anything you could suggest? Thanks for your time.

  • FF3.6.1 and later won't start on laptop with XP Home, works great on XP pro desktop - both running SP3. Installs but exits after 1-2 secs. I think a security feature in XP Home the cause but no idea what

    I don't run Adobe, I uninstalled all addons, I stopped registry mechanic, 3.0.13 and 3.0.15 run fine. IE 7 runs fine
    I stopped MS firewall and then tried adding Mozilla to firewall, no diff.
    Never had an iota of a problem with desktop only laptop. Even with addons and Adobe installed. Desktop running 2006 version of XP with SP3 added last week. Laptop running 2008 version of XP with SP3 added in 2008.
    After install when click to start HD light goes on for 2 secs and off and nada. Second try gets blip and then nada. Restart gets same start pattern..
    I think it is an auto security setting in XP Home but no idea what.

    Please only use either 3.5.11 or 3.6.8 (or newer versions that are eventually released). Other versions of Firefox are not supported.
    That said, hopefully this support article is what you need:
    https://support.mozilla.com/en-US/kb/Firefox+will+not+start
    In any case, it's possible that you are having a problem with some Firefox add-on that is hindering your Firefox's normal behavior. Have you tried disabling all add-ons (just to check), to see if Firefox goes back to normal?
    Whenever you have a problem with Firefox, whatever it is, you should make sure it's not caused by one (or more than one) of your installed add-ons, be it an extension, a theme or a plugin. To do that easily and cleanly, run Firefox in safe mode (http://support.mozilla.com/en-US/kb/Safe+Mode) (don't forget to select "Disable all add-ons" when you start safe mode). If the problem disappears, you know it's from an add-on. Disable them all in normal mode, and enable them one at a time until you find the source of the problem. See this article (http://support.mozilla.com/en-US/kb/Troubleshooting+extensions+and+themes) for information about troubleshooting extensions and themes and this one (https://support.mozilla.com/en-US/kb/Troubleshooting+plugins) for plugins.
    If you need support for one of your add-ons, you'll have to contact its author.
    If the problem does not disappear when all add-ons are disabled, please tell me, so we can work from there. Please have no fear of following my instructions to the line, as all can be easily undone.

  • Connection attempt failed. Please try again. Cisco AnyConnect Secure Mobility Client on Windows XP SP3 -

    When trying to connect with Cisco AnyConnect Secure Mobility Client on Windows XP SP3 getting the following error:
    Function: CTransportWinHttp::SendRequest
    File: .\CTransportWinHttp.cpp
    Line: 1170
    Invoked Function: HttpSendRequest
    Return Code: 806 (0x00000326)
    Description: WINDOWS_ERROR_CODE
    Function: CTransportWinHttp::SendRequest
    File: .\CTransportWinHttp.cpp
    Line: 1178
    Invoked Function: CTransportWinHttp::handleRequestError
    Return Code: -30015479 (0xFE360009)
    Description: CTRANSPORT_ERROR_UNEXPECTED
    and finally I get the following message:
    Function: ConnectMgr::processIfcData
    File: .\ConnectMgr.cpp
    Line: 2763
    Invoked Function: ConnectMgr::processIfcData
    Return Code: -30015443 (0xFE36002D)
    Description: CTRANSPORT_ERROR_CONN_UNKNOWN
    Connection attempt failed.  Please try again.
    Any ideas, thanks,
    Ashok.

    Hi Harry,
    I only wish I were more up to speed on all of the security technology. I will contact the network administrator and pass your request to him.  I will let you know the results (probably later today).
    Here is a little background on this issue (optional reading). All clients worked fine up until around the end of September 2013. Then, a rash of Windows updates came along. Around Sept. 20th, I noticed I could no longer connect using the VPN. So, I uninstalled (Mobility Client) but was not able to re-install as the https://site was no longer able to be reached. I got the standard Microsoft 'Diagnose Connection Problems'. So I manually installed the 'Mobility Client' but only get errors. However, I'm only guessing at the 'AnyConnectProfile.xml'. I may have the settings all wrong. Don't know.
    We also noticed that all of our Windows 7 clients work fine.  None of the Windows XP clients work any longer.  I figured it was 'time to upgrade' all of our Windows XP clients.
    Regards,
    Stan

  • Security Chip Incompatible with XP SP3 !

    Also see my post about security chip lockup on boot with XP SP3...
    Just talked to Lenovo support about my problem.  They told me that my T60 security chip was incompatible with XP SP3 and the fix was to not load SP3.  Hard to believe that is their "solution" !!!  
    In any event, BEWARE! Be sure to set a backup / restore point before installing XP SP3. You will likely need it.
    If anyone has a solution, I sure would like to know about it. Per the previous post, inactivating or disabling the security chip from BIOS will not prevent the hang. Only restoring the system to pre-SP3 will let the machine boot.
    Thanks,
    Woody

    I have a Treo 680 and I spent about an hour on the phone at my computer with tech support from Palm trying to resolve this, and when it
    was all said and done I still cannot get my calendar and contacts to sync. Tech support told me that I have a corrupted database and that
    there are problems with SP3 and the HotSync Manager. They told me they were working on it but couldn't give a timeframe for when
    it would be fixed. I cannot remove SP3 from my computer. I have enough issues already with security without adding to it. Palm needs
    to fix this problem right away.
    Post relates to: Treo 680 (AT&T)

  • MSSQL 2008R2 SP3: will it include all security updates and cumulative patches released before this patch? Example: security patches KB2977319, KB2977320?

    If I install MSSQL 2008R2 SP3, will that cover all the security patches released before this patch?
    I also want to specifically know about these two "Vulnerabilities in SQL Server Could Allow Elevation of Privilege" patches:
    KB2977319, KB2977320
    Please see more information about this in below blog: https://technet.microsoft.com/en-us/library/security/ms14-044.aspx
    Regards, Srini

    To read about the details of the fixes included in Service Pack 3, please refer to this page
    http://support.microsoft.com/kb/2730301
    or this link
    http://support.microsoft.com/kb/2979597
    List of fixes included in SQL Server 2008 R2 SP3
    Microsoft SQL Server 2008 R2 service packs are cumulative updates and SQL Server 2008 R2 SP3 upgrades
    all editions and service levels of SQL Server 2008 R2 to SQL Server 2008 R2 SP3. 
    Satheesh

  • SP3 - Secure portal SSL performance improvements ?

    Portal Gurus,
    One of the major enhancements I was looking for in SP3 was an improvement in
    the SSL gateway performance. However testing I've done so far only shows a
    30% improvement in Requests/second and in open mode SP3 actually seems a
    little slower than SP2. I realize there are environment and specific
    workload factors at work, but under near identical conditions comparing SP2
    to SP3 secure mode, the performance increase wasn't what I had hoped for.
    I followed the tuning instructions in the SP3 release notes and noticed a
    small improvement, ~5%, and was wondering what other people are seeing.
    Given the numbers I'm seeing I have to wonder if using SSL is really viable
    for a busy portal site.
    Anyone seeing a big improvement in SSL performance with SP3 ?
    Cheers,

    I would recommend applying sp3a. The SSL has changed only in sp3a; this should give you much better and faster performance.
    Else, these tuning parameters should help the performance. Go to Admin Console | Gateway Management | Manage Gateway Profile | select "Show Advanced Options" at the bottom of the page and change the following...
    1) Increase the value of "Maximum Thread Pool Size". The default is 200, and it can be increased to 800.
    2) Also increase the Gateway Timeout. The default is 120000. This can be increased to 125000. Then click Submit
    3) Finally on the Gateway server, modify the /opt/SUNWips/bin/ipsgateway script. Find the line that defines the CMD environment variable and change the '-mx128m' parameter to '-mx256m'.

  • Using WS-Security with Web Service Controls in WLI 8.1 SP3

    We have a process that calls a web service hosted on a .NET environment. The technique we have used is to generate a service control from the web service WSDL and call that control from a process. The web service is protected using a WS-Security usernameToken policy. The problem is that the .NET environment requires the wsse:Nonce and wsu:Created elements to be provided along with the token and I cannot see how I can specify this using a wsse policy file in WebLogic workshop. Does anyone have any advice for the best way to add this information to the security element in the SOAP header from within a WLI process? I've seen some example code for a java web service client, but that would not really fit with the control-based approach normally adopted in a WLI environment.

    You won't be able to do this using the WSSE file.
    An easy way to get around this is to use an XML Bean built from the WS-Security XML Schema. You'll have to read the WS-Security spec to determine how to create the nonce, but you'll be able to convert this XML Bean into the Element[] that the setOutputHeaders() method, which is on the service control you call the .NET Web Service with, takes.
    Regards,
    Mike Wooten
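What the wsse:Nonce and wsu:Created elements look like inside a UsernameToken, and how a receiver uses them to reject replayed or stale tokens, shown as an added example that is not from the original thread and is not WebLogic or .NET code. It assumes the OASIS WSS 1.0 namespaces and the UsernameToken Profile 1.0 digest rule; the thread does not say which password type the .NET service expects, so both are supported, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from OASIS WSS 1.0 / UsernameToken Profile 1.0
# (assumed version; the thread does not state it).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce bytes + created + password)) per the profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_security_header(username, password, nonce=None, now=None, digest=True):
    """Sender side: wsse:Security element carrying a UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    now = datetime.now(timezone.utc) if now is None else now
    created = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    security = ET.Element(f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", PROFILE + "#PasswordDigest")
        pw.text = password_digest(nonce, created, password)
    else:
        pw.set("Type", PROFILE + "#PasswordText")
        pw.text = password
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=B64)
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return security


def verify_security_header(security, passwords, seen_nonces, now,
                           max_age=timedelta(minutes=5)):
    """Receiver side: check freshness, nonce reuse, then the password.
    `passwords` maps user name to stored password; `seen_nonces` is a set
    the receiver keeps for at least `max_age`."""
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return False
    user = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if pw is None or not (user and nonce_b64 and created and pw.text):
        return False
    try:
        created_at = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False
    if abs(now - created_at) > max_age or nonce_b64 in seen_nonces:
        return False  # stale timestamp or replayed nonce
    stored = passwords.get(user)
    if stored is None:
        return False
    if pw.get("Type") == PROFILE + "#PasswordDigest":
        expected = password_digest(nonce, created, stored)
    else:
        expected = stored
    if not hmac.compare_digest(expected.encode("utf-8"), pw.text.encode("utf-8")):
        return False
    seen_nonces.add(nonce_b64)
    return True


if __name__ == "__main__":
    header = build_security_header("alice", "s3cret")  # constructed credentials
    print(ET.tostring(header, encoding="unicode"))
```

With PasswordText the nonce and timestamp only help against replay if the message is also protected in transit, since the password itself is sent in the clear.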

  • Security Update for SQL Server 2005 SP3 (KB2494113) failed

    Here is the error. I can't get the update to install, please help.
    KB Number: KB2494113
    Machine: MJA01
    OS Version: Server 4.0 Service Pack 1 (Build 7601)
    Package Language: 1033 (ENU)
    Package Platform: x86
    Package SP Level: 3
    Package Version: 4060
    Command-line parameters specified:
    Cluster Installation: No
    Prerequisites Check & Status
    SQLSupport: Passed
    Products Detected                         Language  Level  Patch Level       Platform  Edition
    SQL Server Database Services 2005 (BKUPEXEC)  ENU       SP3    2005.090.4035.00  x86       EXPRESS
    SQL Server Tools and Workstation Components 2005  ENU       SP2           9.2.3042  x86       EXPRESS
    Products Disqualified & Reason
    Product                                   Reason
    SQL Server Tools and Workstation Components 2005  The product instance SQL Tools does not have prerequisite update 4035 installed. Update 4060 is dependent on prerequisite update 4035. Exit setup and refer to the Knowledge Base article to find the prerequisite
    patch. Install the prerequisite and rerun the installation.
    Processes Locking Files
    Process Name          Feature               Type          User Name                  PID
    Product Installation Status
    Product                   : SQL Server Database Services 2005 (BKUPEXEC)
    Product Version (Previous): 4035
    Product Version (Final)   : 
    Status                    : Failure
    Log File                  : C:\Program Files (x86)\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9_Hotfix_KB2494113_sqlrun_sql.msp.log
    SQL Express Features      : 
    Error Number              : 29528
    Error Description         : MSP Error: 29528  The setup has encountered an unexpected error while Setting Internal Properties. The error is: Fatal error during installation.
    Product                   : SQL Server Tools and Workstation Components 2005
    Product Version (Previous): 3042
    Product Version (Final)   : 
    Status                    : NA
    Log File                  : 
    SQL Express Features      : 
    Error Description         : The product instance SQL Tools does not have prerequisite update 4035 installed. Update 4060 is dependent on prerequisite update 4035. Exit setup and refer to the Knowledge Base article to find the prerequisite
    patch. Install the prerequisite and rerun the installation.
    Summary
         One or more products failed to install, see above for details
         Exit Code Returned: 29528

    Hi Bhanu,
    I have uninstalled the SQL Server Tools and Workstation Components 2005.
    But I am still unable to upgrade the SQL Server with the KB249411. Any more ideas?
    This is the summary log.
    Time: 09/10/2014 11:09:48.218
    KB Number: KB2494113
    Machine: MJA01
    OS Version: Server 4.0 Service Pack 1 (Build 7601)
    Package Language: 1033 (ENU)
    Package Platform: x86
    Package SP Level: 3
    Package Version: 4060
    Command-line parameters specified:
    Cluster Installation: No
    Prerequisites Check & Status
    SQLSupport: Passed
    Products Detected                         Language  Level  Patch Level       Platform  Edition
    SQL Server Database Services 2005 (BKUPEXEC)  ENU       SP3    2005.090.4035.00  x86       EXPRESS
    Products Disqualified & Reason
    Product                                   Reason
    Processes Locking Files
    Process Name          Feature               Type          User Name                  PID
    Product Installation Status
    Product                   : SQL Server Database Services 2005 (BKUPEXEC)
    Product Version (Previous): 4035
    Product Version (Final)   : 
    Status                    : Failure
    Log File                  : C:\Program Files (x86)\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9_Hotfix_KB2494113_sqlrun_sql.msp.log
    SQL Express Features      : 
    Error Number              : 29528
    Error Description         : MSP Error: 29528  The setup has encountered an unexpected error while Setting Internal Properties. The error is: Fatal error during installation.
    Summary
         One or more products failed to install, see above for details
         Exit Code Returned: 29528
    Here is what is logged in the SQL9_Hotfix_KB2494113_sqlrun_sql.msp.log
    Property(S): CommonFilesFolder.D9BC9C10_2DCD_44D3_AACC_9C58CAF76128 = C:\Program Files (x86)\Common Files\
    MSI (s) (B8:F0) [11:09:39:826]: Product: Microsoft SQL Server 2005 Express Edition - Update 'GDR 4060 for SQL Server Database Services 2005 ENU (KB2494113)' could not be installed. Error code 1603. Additional information is available in the log file C:\Program
    Files (x86)\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9_Hotfix_KB2494113_sqlrun_sql.msp.log.
    MSI (s) (B8:F0) [11:09:39:827]: Windows Installer installed an update. Product Name: Microsoft SQL Server 2005 Express Edition. Product Version: 9.3.4035.00. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: GDR 4060 for SQL Server Database
    Services 2005 ENU (KB2494113). Installation success or error status: 1603.
    MSI (s) (B8:F0) [11:09:39:828]: Note: 1: 1729 
    MSI (s) (B8:F0) [11:09:39:828]: Product: Microsoft SQL Server 2005 Express Edition -- Configuration failed.
    MSI (s) (B8:F0) [11:09:39:829]: Windows Installer reconfigured the product. Product Name: Microsoft SQL Server 2005 Express Edition. Product Version: 9.3.4035.00. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error
    status: 1603.
    MSI (s) (B8:F0) [11:09:39:829]: Attempting to delete file C:\Windows\Installer\63906e.msp
    MSI (s) (B8:F0) [11:09:39:829]: Unable to delete the file. LastError = 32
    MSI (s) (B8:F0) [11:09:40:092]: Deferring clean up of packages/files, if any exist
    MSI (s) (B8:F0) [11:09:40:092]: Attempting to delete file C:\Windows\Installer\63906e.msp
    MSI (s) (B8:F0) [11:09:40:094]: MainEngineThread is returning 1603
    MSI (s) (B8:6C) [11:09:40:097]: RESTART MANAGER: Session closed.
    MSI (s) (B8:6C) [11:09:40:097]: No System Restore sequence number for this installation.
    === Logging stopped: 9/10/2014  11:09:39 ===
    MSI (s) (B8:6C) [11:09:40:098]: User policy value 'DisableRollback' is 0
    MSI (s) (B8:6C) [11:09:40:098]: Machine policy value 'DisableRollback' is 0
    MSI (s) (B8:6C) [11:09:40:098]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (B8:6C) [11:09:40:098]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    MSI (s) (B8:6C) [11:09:40:098]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
    MSI (s) (B8:6C) [11:09:40:098]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress 3: 2 
    MSI (s) (B8:6C) [11:09:40:098]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress 3: 2 
    MSI (s) (B8:6C) [11:09:40:098]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (s) (B8:6C) [11:09:40:099]: Restoring environment variables
    MSI (s) (B8:6C) [11:09:40:099]: Destroying RemoteAPI object.
    MSI (s) (B8:30) [11:09:40:099]: Custom Action Manager thread ending.
    MSI (c) (FC:60) [11:09:40:100]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (FC:60) [11:09:40:101]: MainEngineThread is returning 1603
    Thanks,
    Alice
