Security Manager claims missing interface name on ASAs physical interface of vlan trunks

Hi
I've got a CSM that manages ASA firewalls. When deploying changes, it claims that the physical interface has no name and ACL on it. Which is right, but it's also part of the design. IPs and names are only on the VLAN subinterfaces and not on the physical interface.
Is there a way to get rid of the annoying CSM warning, as it comes up on every deployment?
Kind regards
Roberto

Thanks for sharing this info. May be useful to someone on this migration path.
Rasika

Similar Messages

  • Security Manager traceroute ASA 5520

    How can I use Security Manager (3.2) to configure an ASA 5520 to show up in a traceroute? I have found a doc on how to do this from the cmd line but would prefer to keep everything in CSM.
    Mike

    There used to be a similar bug in IDM.
    The sensor itself does not declare an interface as promiscuous.
    So CSM has to interpret the configuration to determine if the interface is promiscuous.
    On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
    So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
    And the above is True for Appliances.
    What the CSM developers may not have realized is that this is NOT true for Modules.
    For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
    That knowledge is only within the configuration of the ASA chassis itself.
    CSM is simply incorrectly using the rules for Appliances against the SSMs.
    This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
    CSM would likely have to make the same change, and then just tell the user they need to check ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
    Marco

  • Security Manager Missing

    Welcome,
    I've installed Oracle 10g EE on Win XP and Enterprise Security Manager is missing. I don't have esm.bat. How can I install ESM? Enterprise Manager works fine. I did not install Internet Directory nor Single Sign On. Is that a problem?
    Thank You,
    Peter

    Enterprise Security Manager won't be found as an executable or batch script as you pretend. You have to install the administrative client and invoke this as:
    oemapp esm
    Enterprise security manager is a component launched with the Oracle Enterprise Manager Java console infrastructure.
    For a demo on esm you may want to read this Oracle By Example article: Enterprise User Security.
    ~ Madrid

  • "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari Security "Manage Website Settings"?

    Hi,
    Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari > Security > "Manage Website Settings"?
    Have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely rather than using the Allow/Always Allow options for the plug-in.
    Thanks,
    Shyam

    Hi Linc,
    Thank you for your response. Here is the screenshot of the warning that I am talking about.
    Here is what I do:
    1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
    2. Click Security Tab and click Manage WebSite Settings
    3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
    4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
    I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
    Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
    Thanks again,
    Shyam

  • ASA 5585-X CX20 Prime Security Manager

    Hi Everyone
    I'm trying to add our two 5585-X + CX20 units to Cisco Prime Security Manager. The ASAs seem to add correctly but the CX20s appear "undefined" for software version and model. Clicking on "Device Configuration" I get the error "Message From Server: SyntaxError: Unexpected token <"
    I've tried removing and re-adding the devices but the same thing happens. Any ideas?
    Thanks
    James

    Two contexts are included with the base licensing on the 5585-X. Up to 250 can be licensed.
    The SKU (Stock Keeping Unit = part number) for 10 licenses would be ASA-5500-SC10.
    FYI, here are all the SKUs for 5585 context licenses:

  • Results Table (2.2.2) export missing Security Manager filters

    Hello OEID forum,
    I'm working with the Results Table portlet (v2.2.2), and notice that my exports are not including security filters which we have added in a custom Security Manager.
    When I trace through the ResultsExportPortlet (doExport method) and AbstractExport classes (source included in the endeca-results-export-portlet.war) I seem to see 2 different implementations:
    1. For MDEX 7...
    This code will craft the request to the MDEX web service. I don't see it calling the Security Manager anywhere.
    2. For MDEX 6...
    This code will eventually call com.endeca.portal.data.DataSource.execute, which I believe will call the Security Manager.
    Can anyone confirm that this is correct? So Results Table export for MDEX 7 will not invoke the Security Manager, while the MDEX 6 implementation will?
    Thanks,
    Jerome

    Hi Jerome,
    Thanks for your post. It's worthwhile raising a Service Request for this, so it can be investigated.
    Best
    Brett

  • Rmi with security manager not working in netbeans

    Hello, I'm trying to use RMI but get the error java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve) when I run it in NetBeans. Here is my code:
    // Imports needed by the snippet
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    import java.rmi.server.UnicastRemoteObject;

    public static void main(String[] args) {
        // Install a security manager only if none is set yet
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }
        try {
            String name = "Compute";
            Compute engine = new ComputeEngine();
            // Export the remote object on an anonymous port
            Compute stub =
                (Compute) UnicastRemoteObject.exportObject(engine, 0);
            // Look up the registry on the local host, default port 1099
            Registry registry = LocateRegistry.getRegistry();
            registry.rebind(name, stub);
            System.out.println("ComputeEngine bound");
        } catch (Exception e) {
            System.err.println("ComputeEngine exception:");
            e.printStackTrace();
        }
    }
    It works if I don't have a security manager, and it works with a security manager if I don't use NetBeans to run it and use the command line. I need to use a security manager because the client code is running in Eclipse and it moans that there is no security manager if I run it without one.
    this is the error i get when running with no security manager
    java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
         java.lang.ClassNotFoundException: takenoteremote.Compute (no security manager: RMI class loader disabled)
    Please help

    I have sort of got it to work. I took out the security manager and used the code base parameter on the command line, and put my interface into a jar file. I can only get it to work on the command line though; if I run it in NetBeans it doesn't find the class in the jar file it needs.
    Any ideas?

  • Using the Security Manager to restrict access to a single package

    After reading up on the Security Manager, the package.access property and the use of the accessClassInPackage RuntimePermission (http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission), it seemed to me that it would be possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
    Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
    Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as illustrated in the secure coding guidelines (http://java.sun.com/security/seccodeguide.html#1-1a).
    But the problem lies in the idea of "use the package.access property to deny access to any package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
    Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
    It seems to me that this is a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
    The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client, and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

    You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for the application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

  • Managed Server missing error.

    Hi,
    I have installed Weblogic10.3 upgrading from Weblogic 8.1. I am able to start the admin server successfully but cannot start the managed server using a startup script. I get the following error:
    There are 1 nested errors:
    weblogic.management.ManagementException: [Management:141223]The server name MRO226NTS_BENCALC specified with -Dweblogic.Name does not exist. The configuration includes the following servers {MRO250WIN_ADMIN}.
    at weblogic.management.provider.internal.RuntimeAccessImpl.<init>(RuntimeAccessImpl.java:149)
    at weblogic.management.provider.internal.RuntimeAccessService.start(RuntimeAccessService.java:39)
    at weblogic.t3.srvr.ServerServicesManager.startService(ServerServicesManager.java:459)
    at weblogic.t3.srvr.ServerServicesManager.startInStandbyState(ServerServicesManager.java:164)
    at weblogic.t3.srvr.T3Srvr.initializeStandby(T3Srvr.java:711)
    at weblogic.t3.srvr.T3Srvr.startup(T3Srvr.java:482)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:440)
    at weblogic.Server.main(Server.java:67)
    I cannot find the managed server instance when I log onto the console. How is it missing totally?
    This is the script used to start the managed server: named start_bc_managed_server.cmd
    S:
    cd S:\bea\user_projects\db_dev_domain\bin
    set DBES_ROOT=S:\BenefitCal_WL
    @rem cmd /K startManagedWebLogic MRO226NTS_BENCALC http://localhost:7000 %DBES_ROOT% 7001 -Xms512m+-Xmx512m BenefitCal
    @rem set JAVA_OPTIONS=%JAVA_OPTIONS% -Dlog4j.configuration=file:/%DBES_ROOT%/dbsystem/config/log4j.xml
    @rem set JAVA_OPTIONS=%JAVA_OPTIONS% -Drule.client.location=%DBES_ROOT%\dbsystem\com\fidelity\definedbenefit\benefitcalculator\rule\client
    cmd /K startManagedWebLogic MRO226NTS_BENCALC http://localhost:7000 %DBES_ROOT% 7001 -Xms512m+-Xmx512m BenefitCal
    THINGS I HAVE DONE:
    1) I have checked config.xml found in S:\bea\user_projects\domain1\config and found it does not contain all the target servers and have replaced it with a config xml that contains all the target servers(MRO226NTS_BENCALC is one of them).
    startManagedWebLogic
    @ECHO OFF
    @REM WARNING: This file is created by the Configuration Wizard.
    @REM Any changes to this script may be lost when adding extensions to this configuration.
    SETLOCAL
    @REM --- Start Functions ---
    GOTO :ENDFUNCTIONS
    :usage
         echo Need to set SERVER_NAME and ADMIN_URL environment variables or specify
         echo them in command line:
         echo Usage: %1 SERVER_NAME {ADMIN_URL}
         echo for example:
         echo %1 managedserver1 http://localhost:7000
    GOTO :EOF
    :ENDFUNCTIONS
    @REM --- End Functions ---
    echo in STARTMANAGEDWEBLOGIC------
    @REM *************************************************************************
    @REM This script is used to start a managed WebLogic Server for the domain in
    @REM the current working directory. This script can either read in the SERVER_NAME and
    @REM ADMIN_URL as positional parameters or will read them from environment variables that are
    @REM set before calling this script. If SERVER_NAME is not sent as a parameter or exists with a value
    @REM as an environment variable the script will EXIT. If the ADMIN_URL value cannot be determined
    @REM by reading a parameter or from the environment a default value will be used.
    @REM
    @REM For additional information, refer to the WebLogic Server Administration
    @REM Guide (http://e-docs.bea.com/wls/docs103/adminguide)
    @REM *************************************************************************
    @REM Set SERVER_NAME to the name of the server you wish to start up.
    set DOMAIN_NAME=db_dev_domain
    set ADMIN_URL=http://localhost:7000
    @REM Set WLS_USER equal to your system username and WLS_PW equal
    @REM to your system password for no username and password prompt
    @REM during server startup. Both are required to bypass the startup
    @REM prompt.
    set WLS_USER=
    set WLS_PW=
    @REM Set JAVA_OPTIONS to the java flags you want to pass to the vm. i.e.:
    @REM set JAVA_OPTIONS=-Dweblogic.attribute=value -Djava.attribute=value
    set JAVA_OPTIONS=-Dweblogic.security.SSL.trustedCAKeyStore="S:\bea\wlserver_10.3\server\lib\cacerts" %JAVA_OPTIONS%
    @REM Set JAVA_VM to the java virtual machine you want to run. For instance:
    @REM set JAVA_VM=-server
    set JAVA_VM=
    @REM Set SERVER_NAME and ADMIN_URL, they must by specified before starting
    @REM a managed server, detailed information can be found at
    @REM http://e-docs.bea.com/wls/docs103/adminguide
    if "%1"=="" (
         if "%SERVER_NAME%"=="" (
              CALL :usage %0
              GOTO :EOF
         )
    ) else (
         set SERVER_NAME=%1
         shift
    )
    if "%1"=="" (
         if "%ADMIN_URL%"=="" (
              CALL :usage %0
              GOTO :EOF
         )
    ) else (
         set ADMIN_URL=%1
         shift
    )
    @REM *************************************************************************
    @REM Customization by A375886
    @REM If you are here with input parameter
    @REM %1 = APP_ROOT
    @REM %2 = PORT
    @REM %3 = (min heap)+(max heap)
    @REM (ie -Xms500m+-Xmx500m)
    @REM %4 = APPNAME
    @REM *************************************************************************
    set DOMAIN_HOME=S:\bea\user_projects\db_dev_domain
    set APP_ROOT=S:
    if "%1" == "" goto setPort
    set APP_ROOT=%1
    :setPort
    set PORT=7000
    if "%2" == "" goto setMemArgs
    set PORT="%2"
    :setMemArgs
    set MEM_ARGS=-Xms256m -Xmx512m
    if "%3" =="" goto setAppName
    set MEM_ARGS="%3"
    :setAppName
    if "%4" =="" goto setGoOne
    set APPNAME="%4"
    :setGoOne
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dlog4j.configuration=%APP_ROOT%\other\dbsystem\config\log4j.xml
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Drule.client.location=%APP_ROOT%\presentation\com\fidelity\definedbenefit\benefitcalculator\rule\client
    set JAVA_OPTIONS=%JAVA_OPTIONS% -DConfigLocation="%APP_ROOT%\other\dbsystem\config"
    set JAVA_OPTIONS=%JAVA_OPTIONS% -DListenPort=%PORT% -Dweblogic.ListenPort=%PORT%
    set JAVA_OPTIONS=%JAVA_OPTIONS% -DListenAddress=%ADMIN_URL%
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dbea.home=%APP_ROOT%\bea\license
    set JAVA_OPTIONS=%JAVA_OPTIONS% -DAppName=%APPNAME%
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.allowAnonymous=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.disableMBeanAuthorization=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -DDOMAIN_FOLDER=%DOMAIN_HOME%
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.admin.username=system
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.admin.password=weblogic
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.admin.url=http://localhost:7000
    echo JAVA_OPTIONS= %JAVA_OPTIONS%
    echo APP_ROOT = %APP_ROOT%
    echo PORT = %PORT%
    echo MEM_ARGS = %MEM_ARGS%
    echo APPNAME = %APPNAME%
    @REM Export the admin_url whether the user specified it OR it was sent on the command-line
    set ADMIN_URL=%ADMIN_URL%
    set SERVER_NAME=%SERVER_NAME%
    @REM set application specific setting
    echo domain is %DOMAIN_HOME%
    echo App is %APPNAME%
    call "%DOMAIN_HOME%\bin\setAppEnv.cmd" %APPNAME%
    if "%1"=="" (
         @REM Call Weblogic Server with our default params since the user did not specify any other ones
         call "%DOMAIN_HOME%\bin\startWebLogic.cmd" nodebug nopointbase noiterativedev notestconsole
    ) else (
         @REM Call Weblogic Server with the params the user sent in INSTEAD of the defaults
         call "%DOMAIN_HOME%\bin\startWebLogic.cmd" %1 %2 %3 %4 %5 %6 %7 %8 %9
    )
    ENDLOCAL

    It seems that you have to check "config.xml" in S:\bea\user_projects\db_dev_domain, not the one in S:\bea\user_projects\domain1\config.
    Please check also that you have started the correct administrative instance (try also to log into the console to check the configuration).
    Bye
    Mariano

  • Import Network host objects to Cisco Security Manager

    Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?
    Exporting the hosts already defined in the ASAs is easy but how to import them in CSM??
    Thanks

    No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group-names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is previously creating them, so when we later discover devices, the single hosts names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostname as the previously defined ones in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter they are set in your firewalls.
    Imagine discovering a couple FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls, when you log via ASDM you view your hard created rules with hostnames, and when you log to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.
    The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts to CSM.
    Is that really possible? It should be.
    Thanks for the replies so far.

  • CSM Cisco Secure Manager - deploy a Blank configuration!

    Hi all,
    Need some help. I just installed a CSM, v.4.8. It adds a device and its configuration from the network, a FW ASA 8.3, correctly.
    I make a change on the local policy and as soon as I deploy to the device it starts doing a:
    no xxxx
    no xxxx1
    no xxxx2
    for each line of the current configuration! So it deletes all!
    I am missing a point here. The user guide says that I have to bind a policy to the device, but I do not know how to do that easy step.
    thanks in advance for the help
    Regards
    José

    Security Manager does not currently leverage object groups for ACL objects used in VPNs. An enhancement bug has been filed under CSCsl20196 and is something we are looking to address in the upcoming Security Manager 3.2 release due late 1QCY08.

  • FlexConfigs in Cisco Security Manager 3.2.1 SP1

    Hi,
    I have a problem with Cisco Security Manager 3.2.1 SP1 (fresh install).
    When I create a FlexConfig with any IP AUDIT commands or VPDN (for PPPoE config), every time I deploy the configurations in file the FlexConfig is repeated in the configuration. The behavior is the same on PIX and ASA configuration.
    If I deploy 20 times to my devices then I'll have 20 times the same line in the configuration!
    Any way to solve that problem in CSM??
    The server is Win 2003 Standard English and there's absolutely nothing else than CSM installed on it...so??

    Hello,
    I'm having the same problem for one of our customers, but FlexConfig didn't work!
    Can you please be more specific about what exactly you did? FlexConfig doesn't remove the generated command; it's adding the no crypto ca enroll 'trustpoint name' after the generated crypto ca enroll 'trustpoint name'.
    I've also been looking for related bugs but didn't find any!
    Regards

  • Weblogic 6.1 and -Djava.security.manager license failed

    I just tried to run (under jbuilder6), weblogic 6.1 sp3 (evaluation) and I have got a :
    $$$$$$$$$$$$$$$$ License Exception $$$$$$$$$$$$$$$$
    Unable to start WebLogic Server !!
    Null public key
    $$$$$$$$$$$$$$$$ License Exception $$$$$$$$$$$$$$$$
    The VM parameters I use are :
    -ms64m -mx64m
    -Djava.library.path=C:/bea/wlserver6.1/bin
    -Dbea.home=C:/bea
    -Dweblogic.Domain=cyradeladomain -Dweblogic.Name=name
    -Djava.security.policy==C:/bea/wlserver6.1/lib/weblogic.policy --Dweblogic.management.password=xxxxxxx
    -Djava.security.manager
    -Djava.security.debug=failure
    Did I miss some VM parameters? What should I do to bypass this error?
    thanks!

    I'm getting the same problem running weblogic 7.0 with sp 1.
    Any other ideas on how to solve it?
    "kirann" <[email protected]> wrote:
    Do you need to run the server with the Java security manager? If not required,
    then remove -Djava.security.manager,
    else give full permission to the code base WebLogic is in!
    thanks
    kiran

  • Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520

    Will this patch be installed in a version which I can use on ASA5520? If I understand the documentation correctly, this patch is only installed in versions which are running on -X models of the ASA. 9.2, 9.3

    Once the ASA has dynamic NAT enabled to an outside interface, routing between same security level will not work.
    You need to add route exempt the inside interfaces to all private subnet.

  • Cannot assign custom security manager to repository

    Hello,
    I've been following the details on how to implement a read-only security manager (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e2ddd63d-0b01-0010-46bb-e092790068cb) and I have run into the following problem:
    After following the instructions for option B in the document (creating a security manager only) and  deploying my project, the new security manager appears in the list of managers on the admin screen (Content Management -> Repository Managers -> Security Manager) but it is not available in the drop down list of security managers for my repository. Without that entry I cannot apply the new security manager to my repository.
    According to the document, the new security manager should be part of this list but it is not even after I've restarted the J2EE engine.
    The document is dated May 2006 so perhaps there have been some changes to the system that are not covered in the document. We are running NW 7.0 SP14.
    Any help in determining why my custom security manager is not part of the security manager drop down list would be appreciated.

    Ok, after much decompiling and inspection of the standard KM security manager implementations I found the answer to my question.
    Basically I found that the security manager tutorial only applies if you plan on using your custom security manager with your own custom repository manager. You cannot apply a security manager created using that document to a standard KM repository manager.
    In my case I want to apply a custom security manager to a standard KM File System Repository. By inspecting the SFSRepositoryManager.cc.xml file I found the following entry:
    <attribute name="securitymgr.ref" type="ref" refType="/cm/repository_managers/security_managers/SecurityManager" mandatory="false" hotReload="true" />
    The refType value defines which security managers are displayed in the drop down list of available Security Managers at runtime for the repository manager. In order to get a custom security manager to be available you must define the cc.xml for your custom security manager so that it extends "SecurityManager" not "SecurityManagerMi" as the tutorial describes.
    Changing the extension means your security manager implementation must also change so that it extends com.sapportals.wcm.repository.manager.AbstractRepositorySubManager and implements com.sapportals.wcm.repository.manager.ISecurityManager.
    Now if only I could figure out how to reward points to myself .....
