Single Sign-on and SSL problems

We are using WebLogic Portal and Server (version 8.1 SP3). We want to have a single sign-on when entering the portal, so that users do not need to reauthenticate each time they access an application via an applet in the portal. We also want to protect the username/password authentication and all other connection information using SSL. We have applications in multiple domains.
When not using SSL, SSO works okay. We are challenged for username/password exactly once, whether we access the Portal, or an application directly. As soon as we enable SSL, we are challenged repeatedly, and in some cases cannot access the applications at all, as the challenge always fails.
We suspect that there is a session cookie problem and that something is clobbering the cookie and thus breaking the session. Does anyone have any idea what might be causing the problem?


Similar Messages

  • Starting single sign-on and directory service

    I am trying to install Oracle 9i infrastructure on my clean Win2000 box with a 2.4 GHz proc and 1GB RAM.
    I am getting failure messages for the following:
    infrastructure instance configuration assistant: failed
    oracle 9i application server randomize password: failed
    single sign on configuration assistant: failed
    infrastructure mod-osso configuration assistant: failed
    OPMN configuration assistant: failed
    log file says:
    Configuration failed for IAS
    IAS Instance creation failed
    Configuration failed for JAZN
    JAZN configuration failed: unable to establish a directory context.
    Configuration succeeded for IASProperty
    Configuration failed for IAS
    Configuration failed for JAZN
    After which single sign-on and directory service don't start, which means no connectivity :(
    Can somebody please guide me about how to avoid this failure in installation or how to manually start these after installation?
    It would be a great help.
    ashish

    Hi,
    we're having exactly the same problem.
    Could you tell me what the problem is with the network ?
    You say configure it properly but what do you mean ?
    It's installed on a Windows 2000 Server machine, its own DNS.
    Thanks,
    Yuri Arts

  • Oracle Single Sign on and Oracle Internet Directory

    Hello Gurus,
    What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
    To my understanding, OID is required to install SSO.
    If OID already exist, can we just install SSO and go on integrating it to existing OID.
    Great Thanks,
    vimal jain.
    [email protected]

    Hi Tim,
    I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
    So what I really need is the password used for login to pass to the is_member call. The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
    Regards,
    Christian

  • Single Sign on and Protect URL step

    Hi,
    I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
    My questions are:
    - How do I protect URL so the user will need to login to access certain URL?
    - How do I enable single sign on and test it?
    - What are the general steps involved to enable URL protection (so if the URL is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
    Kindly help me if anyone knows a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
    Thanks.
    Regards,
    Alfonso

    Hi,
    You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
    Regards,

  • Single Sign-On and Data Visibility Rights

    Hello,
    I was wondering whether anyone has any best practices for implementing single sign on and user identification with Xcelsius.
    More specifically, I need to interrogate user role, and limit certain data visibility based on that role.
    For example, a sales rep may only see certain data for their own territories, but the regional and national managers can see more.
    With the emphasis in improving enterprise integration with the new version coming up, I'm also wondering if there are any improvements included for this aspect.
    Thanks in advance.
    Derick

    Hi Derick,
    I want to split our discussion into 2 parts:
    1) Sign on
    2) Viewing data based on the hierarchy
    1) Before discussing the sign on, I want to know which connectivity you are using: Live Office or QaaWS?
    2) We can make the second point possible in two ways. One is by providing restriction at universe level
    and the other one is through the use of flash variables.
    Using flash variables:
    The main idea of using flash variables is reading the User ID from BO authentication and, based on that, we fetch the hierarchy level of that user. Then we use some Excel logic to hide the data from low-level hierarchy (here we use Dynamic Visibility for components).
    I hope this is what you are looking for....
    If so, I have more points to achieve such a scenario.
    Please provide your BO environment details, so that it will be easy to identify the best way to achieve it.
    Regards,
    AnjaniKumar C.A.

  • Single Sign-On and session information

    I have an Oracle Portal application with many Java Web Applications. I wish to
    provide Single Sign-On to this applications. I know how to configure Single
    Sign-On and how to get the user login in Java. I want to store session
    information such as: User First and Last Name, User Social Security Number. I
    want to get this information from the database after authentication, store it
    in session and then access this information from all my applications.

    Are you familiar with the sys_context function?
    Hope this is useful help.
    BR,
    Marcos

  • How to integrate Single Sign-On and JSF?

    Hi all,
    We are going to develop a web application using Oracle technologies, including ADF and JSF.
    But we'll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulty finding any resource explaining how to do that.
    Also, the IM (SSO) will run on an Oracle AS instance and our web app (ADF+JSF) will run on a separate OC4J instance, due to ADF version. Is this a problem?
    Thanks

    We too are in the process of implementing iStore with SSO features.
    And if you believe me, it seems to me a nightmare.
    In our scenario we are integrating this SSO with third-party access control too (AD and SiteMinder). I would request you to please respond to me at the following mail id, so we can share our experience, which will help us in our implementation
    [email protected]
    regards and thanks in advance
    Vikas Deep

  • AnyConnect WebVPN Single Sign-on and Sharepoint 2013

    I know that single sign-on is currently working and supported for Sharepoint 2010 on 9.0 and later code; however, is Sharepoint 2013 supported? I can't seem to find any documentation or any material on this. Any help on this would be fantastic.
    Thanks!

    I'd like to know if Sharepoint 2013 is supported at all with ASA 9.x clientless SSL VPN. We get this error message:

  • Single sign-on and different usernames and passwords

    Hello,
    I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
    information about the background of single sign-on.
    I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
    user for the first login to the portal (with username and password).
    Now I would like to integrate my webmail program (to get emails from
    Lotus Notes via Internet) as a portlet.
    For my understanding the user has to authorize to get access to webmail.
    Therefore I create an ACL for webmail and this ACL is assigned to my
    security Realm.
    I would like the portlet to show after login the number of mails for the
    specific user. But where are the username and password for webmail stored
    and how are they received and forwarded?
    I understand that my ACL included all users that have access to webmail
    (i.e. all users). But I only want emails for the specific user.
    Does WLS get all usernames and passwords during the first login? Do I have to
    implement an algorithm to get the specific username and password for the
    requested resource in my portlet?
    Has anyone solved a similar problem or can tell me where I can get more
    information. I read the WebLogic Security document but I can't find an
    answer to my questions.
    Thanks
    Lydia

    Lydia,
    I'm not an expert in this area, but I can give you a start.
    As for single sign-on, there are different levels. For single sign-on across web-apps,
    the servlet spec requires this (section 12.6 of the 2.3 spec) and therefore Weblogic
    does this.
    What you are talking about is single sign-on across back-end applications through
    a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
    kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
    at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
    with their SiteMinder product. Neither is included in the Weblogic license. I'm
    sure either vendor would be excited to explain how their product will solve your
    problem if you give them a call.
    As for where the username and passwords are stored, that is up to the realm. If
    you are using the default WLPS RDBMSRealm, the username and encrypted password
    are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
    in your LDAP server.
    Hope this was useful!
    PJL
    [email protected] wrote:
    Hello,
    I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
    Now I try to understand the functionality of Single sign-on when a user
    has different usernames and passwords for different applications.
    Can someone explain where the usernames and passwords for a user are
    stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
    application how username and passwords are mapped? Or usernames and
    passwords for all applications are the same and will be equalized?
    Precisely I would like to get access to a mail-account for a specific
    user
    (webmail from Lotus Notes).
    Thanks for any help
    Lydia

  • Single Sign on and Macintosh

    Hello,
    we realized single sign on on our Mac machines. It runs great. Now I want to combine it with our SAP logon groups. There's an error that he cannot find the KDC. Where's the problem? Is it not possible to combine groups with using snc?
    We set the following connection string:
    SAP Prod: conn=/M/sapmachine.firma.de/S/1234/G/example_group&sncon=true&sncname=p:[email protected]&sncqop=9


  • Single Sign-on and HTTP Server not started

    I have installed oracle9iAS on SuSE Linux Enterprise Server 8 (SLES 8) which is certified by Oracle to run oracle9iAS. Everything was working properly after installation, but when I restarted the server, the listener, the iasdb instance, and the EM started properly, but when I went to http://servername:1810 and clicked on start all, I got them all started but the HTTP Server and the Single Sign-on. When I tried to start the HTTP Server individually I got the following error:
    oracle.sysman.emSDK.util.jdk.EMException: The opmn request has failed. From opmn: HTTP/1.1 204 No Content Content-Length: 0 Content-Type: text/html Response: 0 of 1 processes started. Check opmn log files such as ipm.log and ons.log for detailed.
    I checked the log and its showing the following:
    03/10/25 16:44:23 Connection 0,192.168.10.11,6200 message missing 'Content-Length'
    GET /dms0/Spy?recurse=all&format=xml&operation=get&value=false&units=true&description=true&name=%2F HTTP/1.1
    Host: linux2.future:6200
    Connection: Keep-Alive, TE
    TE: trailers, deflate, gzip, compress
    User-Agent: RPT-HTTPClient/0.3-3
    Cache-Control: no-cache
    Pragma: no-cache
    Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
    I tried to start it from command line with the command
    $dcmctl start -ct ohs
    and it returned ADMN-906025
    Anyone can help me solving this problem??

    This error can be caused by a syntax error in your httpd.conf file; check it, correct it, and try reloading OHS.
    Ensure that emctl is not running when you run any dcmctl commands! If you have already run any dcmctl commands with emctl running, that can cause your problem - if so, the solution to fix it is really to re-install.

  • Single Sign-on and external applications

    Hi,
    Someone might be able to point me in the right direction about this.
    I have registered each of my applications as external applications within Oracle Portal in order to avail of single sign-on.
    This is fine to a point, but registering applications in this way still requires the user to enter a username and password once in order to login to the application the first time they use it, even though they have already logged into the Portal. As long as the user doesn't log out of the application they can close their browser and when they come back to the application they are still logged in.
    None of the applications I use are oracle partner applications.
    My problem is that I want to avoid the user having to log in to the application the first time they use it.
    Ideally they should login to Portal once and then any subsequent applications they access, they are automatically logged into them without having to enter a username and password.
    Is there a way to do this or will I have to write a custom login for each application to circumnavigate this first time using the application login issue ?
    Are there any docs that someone could point me at.
    Many thanks,

    Maria, I was experimenting with this last night, to answer your question, and I think a cool way of doing this would be the following:
    Create a custom attribute called "App ID" - make this a NUMBER type. This is where the external application id will be stored.
    Create a custom item type: "External Application"
    You have two options for the base type: either "URL" or "<None>". If you pick URL, then you can have the item contain the URL for fapp_process_login, but this is not advisable because it will require the administrator to type in this long URL every time a new application is added.
    If you select base type URL, you should use that URL to let the administrator provide a URL to the application's homepage, or a help page or something of that sort.
    Edit the newly created item to set the Attribute and Procedure properties.
    Add the "App ID" attribute - no default.
    On the Procedure tab, add the following procedures (called as HTTP), each with the App ID passed as "p_app_id":
    Login http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login
    Edit http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.edit_fappuser
    That's it!
    Add the new custom item type to a folder, and all the administrator needs to do is set the title, and App ID for the new item.
    Exercise for the Reader
    You will notice that clicking on the Edit link will take you to the login server when you are done editing the credentials. To avoid this, pass another parameter to the edit procedure - p_done_url, and set a value for that to point to the page that you want to go to after editing credentials.

  • SOAP and SSL problem

    I am using JDeveloper 9.0.3 and the Oracle SOAP library which is shipped with Oracle JDeveloper.
    My application connects to a SSL enabled webservice.
    The first problem I encountered was a 'no njssl9 in java.library.path' error.
    I used the tips from Lehmann's BLogger site (http://radio.weblogs.com/0132036/2004/02/13.html).
    I could not get this working in JDeveloper 9.0.3 because JDev 9.0.3 is using java jdk 1.3 which has not JSSE built in.
    So I decided to use JDeveloper 9.0.5.2. which uses the java jdk 1.4.
    It works, however now I am stuck with an error that the certificate chain is incomplete.
    The webservice to which I connect sends only the 'last' certificate, so not the entire chain. Can this be the problem?
    I have a couple of questions:
    1) what do I have to do to ensure that my application trusts the webservice SSL certificates. I know I have to install
    the certificate somewhere in the cacerts file. But which certificate and how do I store it?
    2) Is it true that the Oracle SOAP library only works with the Oracle Wallet? Does that mean I cannot get Oracle SOAP
    to work on an Oracle Application Server with my application?
    3) Is there any way to solve the 'no njssl9 in java.library.path' error using the Oracle SOAP library in JDeveloper 9.0.3?

    2) For non-oracle wallets, you need to set the following
    # private key
    # certificate chain
    # trusted certificates
    OracleSSLCredential sslCredObj = new OracleSSLCredential();
    // Set trusted certificates
    sslCredObj.addTrustedCert(easQACA);
    // Construct certificate chain. Place CA at the top
    // and user certificate at the bottom. The order of
    // set certificates in the chain is important. You must set
    // root certificate first, then signer certificates, and finally user
    // certificate.
    sslCredObj.addCertChain(rootCA);    // set root CA certificate
    sslCredObj.addCertChain(signerCA);  // set signer certificate
    sslCredObj.addCertChain(userCert);  // set user certificate
    // Set private key
    sslCredObj.setPrivateKey(userKey, password);
    3) If you have Oracle IAS or database installation, the njssl libraries are under ORACLE_HOME\lib. Include ORACLE_HOME/lib in LD_LIBRARY_PATH or starting the javavm using
    -Djava.library.path=ORACLE_HOME/lib
    should solve the njssl error.

  • Cherokee and SSL problems

    Hi
    I have a problem and I can't seem to find anything relevant when I am looking around, and I am wondering if someone has had the same problem or if it's a bug.
    I have a self-signed cert and it works most of the time, but sometimes cherokee stops responding on HTTPS but still works with HTTP.
    I get a lot of error messages looking like:
    cryptor_libssl.c:343: ERROR: Init OpenSSL: unknown
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:343: ERROR: Init OpenSSL: unknown
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:343: ERROR: Init OpenSSL: unknown
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    cryptor_libssl.c:395: ERROR: SSL_write (1723390601, ..) -> err=-1 'error:00000005:lib(0):func(0):DH lib'
    So I guess something is wrong with that file... I've looked in their bug reports but no one reported anything about SSL. Anyone got any idea?

    I would open a bug in their bugtracker if I were in your shoes.
    Last edited by cactus (2009-01-17 00:24:52)

  • Partner application single sign-on and Oc4j

    hello,
    I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
    With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
         at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
         at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
         at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
    Any suggestion?
    Thanks in advance.

    I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved     
    at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)     
    at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)     
    at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)     
    at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
    Did anyone get a solution for this?
    TIA
