Security Level on Navigation (6.0 sp9)
I use a custom iview launch from the UWL. The custom iview comes up based off of the navigation from the default uwl screen. I am trying to code the cancel action of the custom iview.
I put a link on the page that has a reference back to the pcd location of the default page.
The portal is now complaining with the following error:
Access denied (Object(s): com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.runtime.system.console/components/default).
I tried to override this by setting the security level in the portalapp.xml file to low_security.
<component name="ApproveReject">
<component-config>
<property name="ClassName" value="ApproveReject"/>
<property name="ComponentType" value="jspnative"/>
<property name="JSP" value="pagelet/ApproveRejectJSP.jsp"/>
<property name="SafetyLevel" value="low_safety"/>
</component-config>
<component-profile>
<property name="tagLib" value="/SERVICE/htmlb/taglib/htmlb.tld"/>
</component-profile>
</component>
htmlb link code:
<hbj:link
id="backLink"
text="Main Menu"
target="_self"
tooltip="Click to return to Main Menu"
reference="pcd!3aportal_content!/portal_content/com.nexeninc.NEXEN/fld_tots/com.sap.netweaver.bc.uwl.uwl_page">
</hbj:link>
I had applied the patch from note 796540. However, it didn't seem to help.
Similar Messages
-
Item level security on a navigation page
I am trying to set up item level security on a navigation page (9IR2) so that only certain users will be able to see a link that they are authorized to follow (or at least this is the intent). After setting this up and creating a test user, this user can see all the links and follow them including the ones for which access should not be allowed.
Has anyone run across this behavior or offer some tips on what I might be doing wrong?
Thanks,
Curt
I'd appreciate a reply as well. For now I've been using content as a PL/SQL stored procedure in a package and then wrapping is_logged_in code around it. It works but isn't customizable.
-
Help with asp ... security levels
I made a change to the security level for the end user. I added a security feature by adding 12345 to their security level.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel
If (Request.Form("uname")<>"") Then
'user has submitted the form
'get the entered values and hit the database
Dim strUserName
Dim strPassword
'going to use an implicit connection, no connection object needed
Dim objRS
strUserName = UCase(Request.Form("uname"))
strPassword = UCase(Request.Form("pwd"))
response.write("strUserName")
'prepare the RS
Set objRS = Server.CreateObject("ADODB.Recordset")
'set the sql statement
objRS.Source = "SELECT * FROM tblEmployee WHERE strEmpUserName = '" & strUserName & "' AND strEmpPassword = '" & strPassword & "'"
' heres the implicit connection
objRS.ActiveConnection = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Inetpub\db\IMPCustomers.mdb"
objRS.CursorType = 0
objRS.CursorLocation = 3
objRS.Open
'check for EOF
If(objRS.EOF) Then
'no records matched, invalid login
Response.Redirect("invalidLogin.asp")
'strErrorMessage = "Invalid Login. Try Again."
validLogin = false
Else
'added intLevel to add more security on 3/29/07
intLevel = Cint(objRS("intEmpSecurityLevel"))
intLevel = intLevel + 12345
sLevel = intLevel
'valid login, set session variables
Session("username") = UCase(strUserName)
Session("userpass") = UCase(strPassword)
Session("sLevel") = sLevel
'Session("sLevel") = objRS("intEmpSecurityLevel") - changed to add more security on 3/29/07
Session("fn") = objRS("strEmpFN")
'release the RS
Set objRS.ActiveConnection = Nothing
Set objRS = nothing
'redirect off this page
Response.Redirect("custSearch.asp")
End If
End If
%>
I'm now having trouble removing the 12345 from their security
level in the custSearch.asp.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError
'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'add on 3/29/07 for security
'get the security level
isum = sLevel
'take isum which contains sLevel and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS
strFN = Session("fn")
strErrorMessage = ("strError")
'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search
for a particular customer.</title>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" type="text/css"
href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css"
href="../css/forms.css" />
<style type="text/css">
/* HTML selectors start here */
h2 {
margin-bottom:15px;
}
p {
margin-bottom:20px;
}
hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
}
table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
}
td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
}
/* HTML selectors start here */
/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
}
/* id ends here */
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body>
<!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill
http://www.twinhelix.com -->
<script language="javascript" type="text/javascript"
src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript"
src="../js/pop_data.js"></script>
<!-- border begins here -->
<div id="border">
<!-- second nav start here -->
<div id="secNavBar"><a
href="../index.htm">Home</a> | <a
href="../htm/quality.htm">Quality</a>
| <a href="../htm/contactUs.htm">Contact
Us</a> | <a
href="../htm/siteMap.htm"> Site
Map</a></div>
<!-- logo starts here -->
<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74"
href="../index.htm" alt="Return to home page" />
</map>
</div>
<!-- primary navigation div tags starts here -->
<div id="priNav">
<a id="home" name="home"
style="visibility:hidden;">Home</a>
<!-- primary navigation div tags ends here -->
</div>
<!-- main text starts here -->
<div id="mainText">
<h2>Customer Database </h2>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
<%=strFN%></p>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Please
search for a customer by using the fields below. You can use one
field or multiple fields for your search.</p>
<!-- signIn form starts here -->
<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search"
id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text"
name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25"
maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25"
maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>
<!-- customer search form ends here -->
</div>
<blockquote> </blockquote>
<!-- signIn form ends here -->
</div>
<!-- main text ends here -->
</div>
<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365
• Main (919) 658-2200 • Fax (919) 658-2268<br />
©2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>
<script language="javascript" type="text/javascript"
src="../js/pop_events.js"></script>
<!-- Places text blinker in the uname text box thru
javascript -->
<script language="javascript" type="text/javascript">
document.search.clname.focus();
</script>
<!-- javascript ends here -->
<%
Response.Write(Session("username")) & "<br />"
Response.Write(Session("userpass")) & "<br />"
Response.Write(Session("sLevel")) & "<br />"
Response.Write(Session("intS")) & "<br />"
%>
</body>
</html>
What am I doing wrong?
"pqer" <[email protected]> wrote in message news:eugsik$kt5$[email protected]..
> What am I doing wrong?
1. You're allowing unfiltered user input into your SQL query. I could do some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why add a constant to the security level just to subtract it again when you actually want to use it? You're just making more work for yourself. There is no benefit there.
-
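The three points in the reply above, shown as an added example that is not part of either post: a Python/sqlite3 stand-in for the ASP/Jet login query, using the posted table and column names with constructed rows. The function names and the in-memory database are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for IMPCustomers.mdb; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblEmployee (strEmpUserName TEXT, strEmpPassword TEXT,"
        " intEmpSecurityLevel INTEGER, strEmpFN TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblEmployee VALUES (?, ?, ?, ?)",
        [("JSMITH", "PW-ONE", 2, "Jane"), ("O'BRIEN", "PW-TWO", 1, "Pat")],
    )
    return conn


def login_concatenated(conn, user, password):
    # Same shape as the posted query: the form values are pasted into the SQL
    # text, so a quote character in them is parsed as SQL syntax, not as data.
    sql = ("SELECT * FROM tblEmployee WHERE strEmpUserName = '" + user +
           "' AND strEmpPassword = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_bound(conn, user, password):
    # Point 1: the values travel as bound parameters and never become SQL text.
    # Point 2: only the two columns the page actually uses are selected.
    sql = ("SELECT intEmpSecurityLevel, strEmpFN FROM tblEmployee "
           "WHERE strEmpUserName = ? AND strEmpPassword = ?")
    row = conn.execute(sql, (user, password)).fetchone()
    if row is None:
        return None
    level, first_name = row
    # Point 3: the level is stored as read; adding and later subtracting a
    # constant protects nothing, because the session lives on the server.
    return {"username": user, "sLevel": level, "fn": first_name}


def concatenated_query_breaks(conn, user, password):
    """True when the input changed the statement enough that it no longer parses."""
    try:
        login_concatenated(conn, user, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(login_bound(db, "O'BRIEN", "PW-TWO"))
    print(concatenated_query_breaks(db, "O'BRIEN", "PW-TWO"))
```

A legitimate name containing an apostrophe is enough to show that the concatenated statement treats input as SQL; the bound version handles the same input as plain data.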
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end
Hi,
To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happened is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
-
The security level is set to High
Windows 2008R2 terminal Server
Office 2013
Adobe Acrobat XI update 9
When trying to create a PDF from a word document (have not tried other files yet), Adobe hangs for about 2 mins and then gives the following message
The Security Level is set to High
Please run the application which created this document, in the "Security Warning" dialog select the check box "Always trust macros from this source" and enable macro's created by Adobe Systems inc
No 1. There is absolutely no need for an apostrophe in the second instance of the word macros
Have deployed the Adobe Acrobat Administrative template and enabled the following setting
'Automatically Trust Sites for Win OS Security Zones' (Elevates the trusted sites list in Internet Explorer to privileged locations so that they may bypass enhanced security restrictions. When enabled, the trust list is a union of IE's trust list and Acrobat's privileged locations list. GUI mapping: Edit > Preferences > Security (Enhanced) > Automatically trust sites for my Win OS security zones)
- not a fix
Have exported every digital signature from the pdf office dlls and imported to the computer certificate store - not a fix
Have disabled every office macro and security setting - not a fix
Does not matter if the file being converted is on a UNC path, mapped drive, or local drive
Have added all file locations containing office docs to trusted folders in Word and Adobe - not a fix
R-Click context menus for combining and conversion work fine however I understand that this uses the Adobe PDF Printer and not the office addons
Opening a file in Word and converting to a PDF using the Addon is fine as is printing to the PDF Printer
This issue only occurs from within the Adobe Acrobat Application 'Create file from PDF' and currently only seems to affect Office documents
I cannot see how to give Adobe any more trust
Solved
I was running Office in a 'RunVirtual' environment. This man explains it best
http://ppe.blogs.technet.com/b/gladiatormsft/archive/2014/02/05/app-v-5-on-run-virtual-rds -run-virtual-virtualizable-ext…
Essentially Office and Acrobat are installed Natively however all Office Apps are configured to run in a Virtual environment so that Office Addins which are true AppV applications can be linked into Office.
My 'Empty' 'RunVirtual Office package did not have 'Com Integration' enabled
Adobe Acrobat makes use of a Com Addin for Office, so Office was unable to expose that to Adobe Acrobat until the 'Empty' 'RunVirtual Office package was updated accordingly
-
Why SharePoint 2013 have only 2 level global navigation ??
I just want to know why SharePoint 2013 have 2 levels of global navigation hierarchy by default. Is it possible to make it up to 3,4 levels.
For example:
Main Site -> Subsite -> Subsite Nodes -> Subsite Nodes Subsite -> Child Nodes & so on
Something like above hierarchy.
Thanks in advance for your answers..!!
Yes, you can absolutely have more than 2 levels of navigation. You will need to update your master page through to allow for more dynamic levels of navigation.
You might find the following thread helpful.
https://social.msdn.microsoft.com/Forums/sharepoint/en-US/05cfb854-9a18-4f61-a9f4-55d9cd3130ec/create-multilevel-global-navigation-menu-in-sharepoint
Also be aware that there was a bug in SP2013 where only two levels of navigation would ever show. This was fixed last year.
http://ericoverfield.com/sharepoint-2013-structured-navigation-dynamic-menus-fixed-august-2013-cu/
Eric Overfield - PixelMill -
ericoverfield.com -
@EricOverfield -
ORA-20100: AppDomain could not be created for the specified security level
We recently updated our development environment to Visual Studio 2010. We have previously deployed (with success) .Net stored procedures from Visual Studio 2005 to our Oracle 10gR2 database. I am currently trying to configure a local instance (called local) of Oracle 10gR2 database to test deployment of .Net stored procedures to Oracle 10gR2 via Visual studio 2010 and ODT version 11.2.0.1.2. I have built the demo from the ode developer guide and gotten as far as deploying it but executing the stored procedures from VS 2010 or SQL*Plus produces the following error...
ORA-20100: AppDomain could not be created for the specified security level
ORA-06512: at "SYS.DBMS_CLR", line 152
ORA-06512: at "SCOTT.GETDEPTNO", line 7
Here is what I have done.
(Server)
1. Installed oracle 10gR2 with ODE.Net
2. Installed Oracle 10gR2 patch set 22
3. Installed ODE upgrade from Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21
(Client)
4. Installed Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21 (In new client home).
5. Installed patch set 22 on 10g client home.
6. Installed Oracle 11g Release 2 ODAC 11.2.0.1.2 with Oracle Developer Tools for Visual Studio(in new 11g client home, only for VS 2010)
I have made some minor changes (GAC) etc. per the following threads...
ODE.NET 11.1.0.7.20 on 10g Database?!
Re: Error: System.TypeInitializationException
The database appears to be fully functional via TOAD - SQL plus etc. I can't find much on this error but it appears Oracle needs some permissions to launch an ASP.Net application that it does not have. Any help would be GREATLY appreciated, don't hesitate to ask for additional details.
The KB article is almost what we have apart from the italic underlined part
Consider the following scenario:
You use a domain administrator account to log on to a computer that is running Windows 7 or Windows Server 2008 R2.
You use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to connect to a domain controller.
You open the Properties dialog box of a user account.
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
You set the Remote Desktop Services Home Folder attribute to the shared folder path.
Note This attribute is located on the Remote Desktop Services Profile tab.
You click Apply or OK.
In this scenario, you receive the following error message:
The home folder could not be created because: The network name cannot be found.
Note If you click Apply or OK again, no error message is returned. However, the setting is not saved.
I think the important bit is
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
We manually create the shares on our NAS and then just want to enter the path in the profile tab, I suppose the question is how do we stop it trying to create the shares?
-
Setting security level of infopath files
Hi,
At work i have designed an Infopath file and it has some code behind it which will be executed when a memo button is clicked. But when i try to preview it by hitting F5 in keyboard it shows error , so i checked the security level and it was set to auto.
When i changed it to Full Trust, it is working fine. Is it really due to the Full Trust and is there any other way we can make it work by setting the security as full trust.
Thanks in Advance
Arjun Menon U.K
Hi,
Did you add Visual Studio code behind it? In that case you need to create a certificate for your file. This certificate should also be on the receiving server in order to create a secure setting as full trust. One of the reasons I always try to avoid coding in InfoPath, too much hassle on the server side.
Maurice
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer. Thank You
-
ASA Version 7.0(8)
hostname BUJ-IT-ASA-LAN-2
domain-name leo.bi
enable password MgKXXPviZgW4zhKc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description connects ucom lan
nameif inside
security-level 100
ip address 192.168.0.13 255.255.248.0
interface Ethernet0/1
description out interface
nameif outside
security-level 0
ip address 192.168.254.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username UcomIT password Tx95VR7l4gIiavnh encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.248.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
Cryptochecksum:ba068a6f85d256ce9351d903c60873e5
: end
Hi,
Its success really depends on the rest of the network that I don't know about.
If the hosts that you are using to PING/ICMP through the ASA are connected to the same network as the ASA's interface then you will have to make sure that the hosts both have routes towards the other network.
Also if on the "outside" of the ASA there are additional networking devices then you have to configure default route on the ASA also as mentioned in the other discussion.
route outside 0.0.0.0 0.0.0.0
The above reply's ACL was just an example of the configuration format. If you wanted to allow ICMP then you would also have to allow ICMP
access-list OUTSIDE-IN permit icmp 192.168.254.0 255.255.255.0 192.168.0.0 255.255.248.0 echo
I don't see anything else wrong with the ASA configuration related to ICMP other than possibly the lacking of default route and allowing the ICMP from the "outside" with the ACL "OUTSIDE-IN".
Go through the network setup from one host to the other. On each step confirm that that device has route towards both of the networks. Otherwise the devices will naturally not be able to forward the ICMP messages from end to end.
- Jouni
-
SOAP Adapter with Security Levels - HTTP & HTTPS
We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
If we use HTTPS security level, is it mandatory for the partner system need to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
What is the difference between Security Levels 'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
I appreciate your inputs on this.
thx in adv
praveen
PS: We are currently on SAP PI 7.0 SP17
Hi Praveen,
There is no need to change the interface and it is mandatory for the partners to send certificates in order to validate each other. Use the https in url.
HTTPS With Client authentication:
The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.
and check this link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Regards,
Prasanna -
Adding Content To the Top-Level of Navigation bar ?
Hi,experts ,
I have a problem with adding content to the top-level of navigation bar.
I have the authority of administration. I have added a customizing role with the entry-point property to my own userid. I have checked my navigation-target page's property can be visible in top-level navigation. I checked my display level is set as 2.
However, I don't get the folder content at the top-level navigation. Anyway, when I check the delta link trace, there is no folder that connects to my role.
Can anyone help me out?
Thanks in Advance.
Hi Eleanor,
If you already created a role with an entry point and assigned it directly to your user, you may just have to refresh the portal page. You may also check the authorizations of your role.
-
Use of Security Level on ASA with ACLs
Hi,
On my configuration, I'm using extended on the inbound of my 3 interfaces (inside,dmz,outside). I was wondering if I should remove the security levels or if they are of any use since I have ACL in place already.
Hi,
After you have attached an ACL inbound to an interface it controls the traffic for networks behind that interface. So security-levels don't have a major role anymore.
Though you should consider that there are still situations where the "security-level" might come into the picture.
If you have identical "security-level" interfaces and you want to allow traffic between them then ACLs won't be enough but you also need to use the "same-security-traffic permit " format command to allow the traffic.
At least in software 8.2 there are still some limitations regarding NAT depending on the "security-level" of the source and destination of the interface. I think for example you need to do Dynamic NAT/PAT between interfaces; you can't do this from lower to higher direction.
Best bet is to refer to your current software level Cisco documents. Both the Command Reference and Configuration Guide PDFs found online provide good information on these commands.
Please rate if the information was helpful and/or ask more questions if needed
- Jouni -
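As an added example (not part of the thread and not Cisco tooling): a small Python audit over a constructed ASA configuration that lists the interfaces with no inbound ACL, where the security-level alone still decides what is forwarded, and the equal-level interface pairs that stay blocked until `same-security-traffic permit inter-interface` is configured. The interface and ACL names in the sample are made up.

```python
import re
from itertools import combinations

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/3
 nameif partners
 security-level 50
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
access-group DMZ-IN in interface dmz
"""

def audit(config):
    """Report where security-levels still matter despite interface ACLs."""
    levels, acl_in, current, same_sec_ok = {}, set(), None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = None                    # new block, nameif not seen yet
        elif m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.fullmatch(r"access-group \S+ in interface (\S+)", line):
            acl_in.add(m.group(1))            # inbound ACL bound to this interface
        elif line == "same-security-traffic permit inter-interface":
            same_sec_ok = True
    # No inbound ACL: the security-level alone governs traffic from this interface.
    implicit = sorted(name for name in levels if name not in acl_in)
    # Equal-level pairs cannot exchange traffic unless the global command is set,
    # whatever the ACLs permit.
    blocked = [] if same_sec_ok else sorted(
        (a, b) for a, b in combinations(sorted(levels), 2)
        if levels[a] == levels[b])
    return {"implicit": implicit, "blocked_pairs": blocked}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```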
Changing Default Security Levels
I have several Windows 7 Enterprise machines that have already been deployed via image and need to lower the security settings for use on internal web based applications.
Is there an easy way to manipulate the configuration (a file) so that I may simply make the changes by overwriting the current configuration settings instead of having to go to each device, opening the Java console, and changing the security settings that way?
I have attempted to login as the machine administrator, make the changes on the Java console with the hopes this configuration would have migrated to all user profiles that log into the PC. Is there a "public profile" configuration file I can change and if so, what should I do?
Thank you in advance for the assistance
Create a "deployment.properties" file with the line "deployment.security.level=HIGH" (or whatever level you need that is supported by your version of Java) and save it in "C:/Windows/Sun/Java/Deployment/" (assuming windows client device).
More in depth info found below:
Deployment Configuration File and Properties -
Security Level Medium is not working for PO initial version
Hi ,
We have maintained the security level as Medium in the purchaser's user personalization, in order to restart the PO SAVED event workflow only when there is a value changed while the PO is awaiting approval. Here is the scenario and how the start condition is maintained for PO - WS 14000145 - SAVED event.
Start condition maintained for event SAVED for WF template WS14000145 as below
&_EVT_OBJECT.POTotalValue& GE 0.00
Security level (BBP_WFL_SECURITY) maintained as Medium in personalization of SU01.
My requirement is: the PO is created the first time (initial version) and routed for approval. Three-level approval is determined for the PO and the first approval is approved. While the PO is awaiting the second level of approval, the purchaser changes the quantity. Based on the above start condition, my expectation is that the PO has to restart and route from the beginning, but that is not happening. When I see the approval preview, the approval path shows the work item is waiting in the second level of approval.
I tried the below start condition also
&_EVT_OBJECT.SimpleListOfChanges&CE TOTAL_VAL, but no result.
What is the Medium functionality?
Here is the help I found on help.sap.com, but I am not clear about this.
MEDIUM: It is possible to change the document. The system evaluates the workflow start conditions and starts the approval workflow again if the change necessitates a new approval. If this is not the case, the approval workflow continues.
Regards,
John
Hi John,
The security level works differently for POs.
In the function 'BBP_PDH_WFL_CHECK_RESTART' is a description of how the
system should work:
The workflow will be RESTARTED in the following cases:
a) One has a standard workflow with the usual type of approval (not a
'back&forth' one). It will always be restarted independent on the
authorization levels of the user and whether the user is a PO
creator or not;
b) One has the 'back&forth' type of approval but the user reordering
the PO is not the PO creator (this could be another purchaser from
the same purchasing group);
c) It is the 'back&forth' type of approval and the user reordering the
PO is the PO creator but he has the authorization levels that are
less than 2, i.e. '0' (not defined) or '1' (no changes allowed);
That means the security level must be below '2' to force a restart.
I hope that this clarifies how the system is working.
Kind regards,
Siobhan -
Port forwarding & security level
[was orig sent to fios internet forum in error - I'm on a dsl line]
I've set up port forwarding for various services (mIRC, ftp, etc) on my Versalink gateway (Westell 327W router/modem). Ports are OK. Still, I can't access these when my firewall is set to "Typical Security" - I have to go down to Minimum for anything to get through. Is this the way it's supposed to work? I thought that port forwarding opened my selected ports in the firewall without compromising security otherwise. If I have to choose min. security, what's the point of port forwarding? Thanks for any feedback - ed
At this time I can't tell you about the Security Level setting, but I can answer this question
eda wrote:
What's the point of port forwarding?
I point to the info at
grc.com's pure CSS menu (Research -> Recent -> NAT Router Security)
Direct URL: http://www.grc.com/nat/nat.htm
But, it gets kind of weird.
For example, I point to the info at
DSLR (dslreports.com) -> FAQs -> Verizon Online FiOS FAQ -> Troubleshooting -> What is the NAT Table problem in the Actiontec?
Direct URL: http://www.dslreports.com/faq/16233