Socket and Security Policy

Similar Messages

• Service level accounts and security policy

  Hello Experts,
  We would like to roll out production environment at a customer. The documentation does not provide very good solution for the scenario when service level accounts are changing.
  Customer's security policy requires all administrative accounts to be named e.g. firstname.lastname@domain. Generic productadmin@domain which are not identifiable can not be used on production servers.
  It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server &c.
  If specific domain user is also member of local administrators group, he/she can indstall the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter can not access the system with administrative rights.
  Moreover, if the BPC administrator's account is disabled for whatever reasons, the system fails.
  Is there any good suggestions for this kind of scenario?
  Thanks

  Thanks Scott,
  This is what I have suggested but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems, the administrative accounts can only be personal accounts like firstname.lastname@domain.
  It seems that the only solution is to use administrator's personal credentials and in case those change, they need to go through the Ops guide and change everything manually.
  Lucikly there is a bit simpler way to do this. Instead of manually changing credentials for every COM+ app as Ops Guide suggests, you can olny change three of those:
  OsoftDatabaseADMIN
  OsoftDatabaseSYSADMIN
  OsoftDatabaseUSER
  Then use Service Manager password reset function and it will update all COM+ apps in one go.

• Datagram socket and security manager

  I have subclassed the security manager to implement my own network security rules.
  However when the receive(datagramPacket) method is called by the my datagram socket, the host parameter passed to the checkAccept(host, port) method does not belong to the sender of the packet(to be received).
  How then can malicious addresses be blocked by the security manager, as suggested by the comments in the source code of DatagramSocket.
  Any help is greatly appreciated. Thank you in advance.

  However when the receive(datagramPacket) method is
  called by the my datagram socket, the host parameter
  passed to the checkAccept(host, port) method does
  not belong to the sender of the packet(to be
  received).It should. What are you getting instead?

• Application error while using security.policy feature

  I am learning Java by reading http://java.sun.com/docs/books/tutorial/
  While studying the "Security/Quick Tour of Controlling Applications" part I compile GetProps.java example:
  import java.lang.*;
  import java.security.*;
  class GetProps {
  public static void main(String[] args) {
  String s;
  try {
  System.out.println("About to get os.name property value");
  s = System.getProperty("os.name", "not specified");
  System.out.println(" The name of your operating system is: " + s);
  System.out.println("About to get java.version property value");
  s = System.getProperty("java.version", "not specified");
  System.out.println(" The version of the JVM you are running is: " + s);
  System.out.println("About to get user.home property value");
  s = System.getProperty("user.home", "not specified");
  System.out.println(" Your user home directory is: " + s);
  System.out.println("About to get java.home property value");
  s = System.getProperty("java.home", "not specified");
  System.out.println(" Your JRE installation directory is: " + s);
  } catch (Exception e) {
  System.err.println("Caught exception " + e.toString());
  When I run it without security manger it prints all the property as it has to:
  E:\Test>java -jar GetProps.jar
  About to get os.name property value
  The name of your operating system is: Windows XP
  About to get java.version property value
  The version of the JVM you are running is: 1.6.0_03
  About to get user.home property value
  Your user home directory is: C:\Documents and Settings\mikhail
  About to get java.home property value
  Your JRE installation directory is: C:\Program Files\Java\jdk1.6.0_03\jre
  When I run it with security manager it prints the first two properties only and throws AccessControlException on user.home property as it has to either:
  E:\Test>java -Djava.security.manager -jar GetProps.jar
  About to get os.name property value
  The name of your operating system is: Windows XP
  About to get java.version property value
  The version of the JVM you are running is: 1.6.0_03
  About to get user.home property value
  Caught exception java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
  But when I run it with security manager and security policy allowing access to user.home and java.home properties it nevertheless throws AccessControlException, in spite of that mypolicy file grants access to these properties:
  E:\Test>java -Djava.security.manager -Djava.security.policy=mypolicy -jar GetProps.jar
  About to get os.name property value
  The name of your operating system is: Windows XP
  About to get java.version property value
  The version of the JVM you are running is: 1.6.0_03
  About to get user.home property value
  Caught exception java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
  Here is content of mypolicy file which I created by using policytool utility:
  grant codeBase "file:/E:/Test/" {
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "user.home", "read";
  My system:
  MS WindowsXP Professional, Servis Pack 2
  Sun SE JDK 1.6.0_03
  What am I doing wrong?
  Thank you, Mikhail.

  The last two days have been frustrating. The error above also appeared when I was trying to view one of the relationships in one of my entities.
  What seems to have been happening is Designer showed a relationship existing after it had been deleted. This seems to be a bug in Designer. These rouge links can be deleted in the RON (although if you try to look at their details the RON will crash with the error in original query). After this cleanup everything worked like clockwork.
  Hannah Fraser

• Group Policy won't apply, No mapping between account names and security IDs was done.

  I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
  Log Name:      Application
  Source:        Group Policy Local Users and Groups
  Date:          6/24/2014 8:49:28 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      laptop1.internal.com
  Description:
  The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
  IDs was done.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Local Users and Groups" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
      <EventRecordID>68771</EventRecordID>
      <Channel>Application</Channel>
      <Computer>laptop1.internal.com</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>user</Data>
      <Data>Administrators</Data>
      <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
      <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
    </EventData>
  </Event>
  I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but
  I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
  Any help on this would be greatly appreciated.
  Thanks,
  Joe

  Hi,
  Delete your  remove action from the GPP and push it again, does this issue still occur?
  If it still exists, let’s collect the GPP log for analysis:
  Group policy Preference debug logging policy settings are located under:
  Computer Configuration\Administrative Templates\System\Group Policy
  Click Logging and tracing, select local users and group preference logging and trace.
  Meanwhile, just a similar issue, but it is worth trying:
  A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
  http://support.microsoft.com/kb/2280515
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Error Message and Shut Down When Trying to Add Security Policy

  Acrobat 8.1.5  I'm trying to add a security policy. When I click on Finish, I get a message saying there has been an error and Adobe must shut down.
  I've checked for updates, restarted Adobe, restarted my computer. Nothing is helping. Here's the details about the message:
  AppName: acrobat.exe     AppVer: 8.1.0.137     ModName: ppklite.api
  ModVer: 8.1.3.0     Offset: 0012d2cb
  I've confimed I'm using 8.1.5 in the Help section.
  Running Windows XP Home Edition.
  Any suggestions?
  Thank you.

  Apple Mail crashes when I try to print after installing Mavericks...

• WebStart, custom security policy and debugging

  Hi,
  Please forgive the long post, it's an obscure problem.
  A year ago I implemented a custom instance-centric security policy that uses a database for storing permission data. It has served our needs very well on the server side. Now, however, I need to reuse it in a client application deployed to about 50 users via WebStart (there are more similar applications coming which will take the user base to about 200).
  For some reason, the permissions are not being properly evaluated under WebStart. Tracing through my policy code, I can see that calls to imply() return with expected true/false values, however, when the internals of Java's underlying security API aggregate the results, calls to AccessController.checkPermission() don't raise exceptions when and where they are expected to.
  This is really a hard problem to debug/trace. When I run the application locally, I have no problems with security checks even if I run it under a security manager (via -D.java.security.manager). Tracing to standard helps to a point and I can see that there is a difference: during the local runs, calls to MyCustomPolicy.implies(Permission, Domain) are made once per every AccessController.checkPermission() call made from the business layer. Under WebStart, there are three calls to MyCustomPolicy.implies() per every call to AccessController.checkPermission(). All three calls seem to come from the same stack frame. All three return 'false', yet AccessController.checkPermission() doesn't raise an exception.
  Analyzing stack's state at the point MyCustomPolicy.implies() is been called, I think the answer to my problem may lie in the following code snippet of AccessControlContext.checkPermission(Permission):
          for (int i=0; i< context.length; i++) {
              if (context[i] != null &&  !context.implies(perm)) {
  if (debug != null) {
  debug.println("access denied "+perm);
  if (Debug.isOn("failure")) {
  Thread.currentThread().dumpStack();
  final ProtectionDomain pd = context[i];
  final Debug db = debug;
  AccessController.doPrivileged (new PrivilegedAction() {
  public Object run() {
  db.println("domain that failed "+pd);
  return null;
  throw new AccessControlException("access denied "+perm, perm);
  I believe that somehow one of the iterations gets to "return null" line, but at the moment I have no way of verifying this.
  I'm finally getting to my question. In order for me to understand what's going on, I need to enable debugging of AccessControlContext. I can do this by setting java.security.debug system property. Again, I have no problem enabling debugging on a local system, but not under WebStart.
  Here's what the relevant markup in the .jnlp file looks like:
  <resources>
  <j2se version="1.5" max-heap-size="128m" initial-heap-size="32m" java-vm-args="-Djava.security.debug=all">
  </j2se>
  <!-- a bunch of jar declarations -->
  <property name="java.security.auth.login.config" value="jar:swing-app-SNAPSHOT.jar!/jaas_login.properties">
  </property>
  <property name="java.security.debug" value="all">
  </property>
  </resources>
  this seems to have no effect and no debugging output appears. Any ideas why? Is there anything else I can do to enable debugging of AccessControlContext under WebStart?
  I don't expect too many replies to my post (unless 3 sleepless weeks made me miss something really obvious), but if anyone can offer a hit/hit/insightful comment :), that would be great.
  Dmitry

  Hey
  I have just finished such a policy implemention - boy could I have done with your help!
  I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
  When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact your executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
  I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
  I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
  Warm regads,
  D

• This is what I get when I try to download my college text: This document requires global security policy to be disabled.  Please go to Edit Preferences JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions

  My college text is on my college website. When I try to download it this is what I get:
  "This document requires global security policy to be disabled.
  Please go to Edit > Preferences > JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions of Adobe Reader you may need to enable JavaScript first.
  Message code: 005"
  Help

  matermax wrote:
  Please go to Edit > Preferences > JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions of Adobe Reader you may need to enable JavaScript first.
  And - did you?

• JVM (from C++) won't recognize security policy

  I can't get the JVM to recognize a security policy file when the JVM is invoked from C++.
  Using the Invocation API of JNI from C++ (in W2K) I am creating a Java object which then sets
  an RMISecurityManager. I am passing the location of my security policy file in the JavaVMOption
  array :
       options[opidx++].optionString = "-Djava.security.policy=\"d:\\jini1_1\\policy\\policy.all\"";
  The JVM starts fine, and the object gets instantiated, but once the RMISecurityManager is set,
  the code no longer has permission to open files or sockets, etc etc. This would indicate that the security policy is not allowing permissions - but the policy file actually has the following:
  permission java.security.AllPermission "", "";
  (This "promiscuous" policy is just for testing.)
  My problem seems to be that in spite of the explicit security policy being passed to the JVM, it is being ignored. This only happens if the code is run from the C++ program. Using the same code and same command line argument for the policy file, everything works fine if it is run as a Java program separately.
  What is the special incantation required to get the JVM to recognize a security policy file when it is invoked using the JNI Invocation API?
  Thanks

  Fixed!
  The problem was the additional, inner set of quotes, which were cut and pasted from the batch file used to call the Java program from the command line.

• Ssl-sockets and classloading

  hi,
  i use rmi using ssl-sockets. the server rebinds to the
  rmiregistry -> it works fine but
  when i try to connect from client (browser ie) -> the needed classes (RMISSLCLientSocketFactory...)
  could not loaded
  whats the problem??
  mike

  hi,
  i use following code to test rmi with ssl-sockets:
  interface:
  import java.rmi.*;
  public interface StringTag extends java.rmi.Remote
            public String appendX(String s) throws RemoteException;
  server:
  import java.rmi.*;
  import java.rmi.server.UnicastRemoteObject;
  import java.rmi.registry.*;
  public class StringTagImpl extends UnicastRemoteObject implements StringTag
            public StringTagImpl() throws RemoteException
                      super(0, new RMISSLClientSocketFactory(), new RMISSLServerSocketFactory());
            public String appendX(String s) throws RemoteException
                      return (s + "xxx");
            public static void main(String[] arg)
                 System.setProperty("java.security.policy", "F:\\rmi\\security.policy");
                 System.setSecurityManager(new RMISecurityManager());
                 try{
                      Registry reg = LocateRegistry.createRegistry(Registry.REGISTRY_PORT);
                      StringTagImpl so = new StringTagImpl();
                      reg.rebind("StringTag", so);
                      System.out.println("StringTag bound in registry");
                 catch(Exception e){
                      System.out.println("StringTagImpl: \n" + e);
  applet:
  import java.awt.*;
  import java.rmi.*;
  public class StringTagApplet extends java.applet.Applet
  String tagged;
  public void init()
            try
                      String host = "127.0.0.1";
                      int port = 1099;
                      StringTag st = (StringTag)Naming.lookup("//" + host + ":" + port + "/" + "StringTag");
                      tagged = st.appendX("The String: ");
            catch(Exception e)
                      System.out.println(e);
                      e.printStackTrace();
  public void paint(Graphics g)
            g.drawString(tagged,25,30);
  clientsocket:
  import java.rmi.server.*;
  import javax.net.ssl.*;
  import java.io.*;
  import java.net.*;
  public class RMISSLClientSocketFactory implements RMIClientSocketFactory, Serializable{
       public Socket createSocket(String host, int port) throws IOException{
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            return factory.createSocket(host, port);          
  serversocket:
  import java.rmi.server.*;
  import javax.net.ssl.*;
  import java.io.*;
  import java.net.*;
  public class RMISSLServerSocketFactory implements RMIServerSocketFactory, Serializable{
       public ServerSocket createServerSocket(int port) throws IOException{
            SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            return factory.createServerSocket(port);
  the html-file:
  <HTML>
  <title>String appending</title>
  <center><h2>Append X and Y</h2></center>
  The result of appending to the Strings is:
  <p>
  <applet codebase="." code="StringTagApplet" width=500 height=120>
  </applet>
  </html>
  policy:
  grant
       permission java.security.AllPermission;
  all files are in the same folder.
  the class-file(RMISSLClientSocketFactory) could not loaded from client!
  when i make a new instance from RMISSLClientSocketFactory before line:
  StringTag st = (StringTag)Naming.lookup("//" + host + ":" + port + "/" + "StringTag");
  --> the client could not loaded class StringTag ...and so on
  i dont know why it not work!!
  i were very happy to solve this problem!!

• How do I resolve this error in Safari Your page is blocked due to a security policy that prohibits access to Category Remote Proxies"?

  I'm trying to access several pages and keep geting "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies" After going over all my security stuff I just can't find where I would correct the error.
  Is there anyone who could help me?
  Thanks
  Fr. Gary

  very strange,
  1. check time and date on your computer
  2. reset network configuration, make sure there are no proxy servers and you get DNS from your router not manual
  3. Reset certificates database
  Go to Terminal (Applications>Utilities)
  sudo rm /var/db/crls/*cache.db
  (you will be prompted for your password)
  and reboot the computer
  post back

• Invoke a business service base in a WSDL with customer WS-Security Policy

  Customer write a Web service (Refer to the attachment file “HTTPS_PartyServicePortType.WSDL”)which declare a WS-Security Policy and apply this it to WS binding ,How can I generate a business service base in this WSDL and invoke it successfully?
  When create a business service in OSB, we get a error with below messages
  [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
  After enhanced the OSB domain with OWSM extension, we found the OOTB OWSM defined cannot support the HttpsToken and OSB cannot support below WS-Policy defined in OWSM, refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
  51.2.8.1 Unsupported Assertion
  •     binding-permission-authorization
  •     http-security
  •     OptimizedMimeSerialization (MTOM)
  •     RMAssertion (Reliable Messaging)
  •     sca-component-authorization
  •     sca-component-permission-authorization
  •     UsingAddressing
  •     wss-saml-token-bearer-over-ssl (Authentication)
  it means that we cannot generate a web service with customer WS-security Policy
  The WS-Security Policy is shown as below:
  <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
  <wsp:ExactlyOne>
  <wsp:All>
  <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
  <sp:TransportToken>
  <wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="false"/>
  </wsp:Policy>
  </sp:TransportToken>
  <sp:AlgorithmSuite>
  <wsp:Policy><sp:Basic256/></wsp:Policy>
  </sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  </wsp:Policy>
  </sp:TransportBinding>
  <wsaw:UsingAddressing/>
  </wsp:All>
  </wsp:ExactlyOne>
  </wsp:Policy>
  BestRegards!
  Simon

  Hi
  According to
  http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
  If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
  Can you make sure the policy file is in there?
  Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
  Vimala-

• How to pass Username from OWSM Security policy in Oracle Apps Adapter .jca file

  My BPEL process uses Oracle Applications Adapter. The following is the .jca file for the Adapter.  The Username is initialized statically to "sysadmin" when I created the Adapter.Is it possible to pass in the username from the OWSM Security policy for the username value below? If so how to do? I appreciate your response.
  <adapter-config name="EBSAdapter" adapter="Apps" wsdlLocation="../WSDLs/EBSAdapter.wsdl" xmlns="http://platform.integration.oracle/blocks/adapter/fw/metadata">
    <connection-factory UIConnectionName="EBS1" location="eis/Apps/EBS1" UIConcurrentPgmName="" UIOracleAppType="DBOBJECT"/>
    <endpoint-interaction portType="EBSAdapter_ptt" operation="EBSAdapter">
      <interaction-spec className="oracle.tip.adapter.apps.AppsStoredProcedureInteractionSpec">
        <property name="SchemaName" value="APPS"/>
        <property name="PackageName" value="INTG"/>
        <property name="ProcedureName" value="GET_USER_PROFILE1"/>
        <property name="IRepInternalName" value="PLSQL:INTG:WEBCENTER_GET_USER_PROFILE1"/>
        <property name="Username" value="sysadmin"/>
        <property name="Responsibility" value="System Administrator"/>
      </interaction-spec>
    </endpoint-interaction>
  </adapter-config>

  1. Go to Invoke activity
  2. Click on Properties tab.
  3. click Add
  4. Add this property "jca.apps.Username" and map it with either variable or expression.
  5. Populate variable defined at previous step with some valid username value at runtime.
  hope this helps.
  Regards,
  Karan
  Oracle Fusion Middleware Blog

• Create new Security Policy in UME is not available

  Hello,
  We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
  I have MII Super Administrator role, few custom roles and I also have Action "Manage_All" and I am able to perform most of the activities on UME but I don't see any option to create new security policies all I can do is modify the Default Security Policy and save it.
  It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
  1) Are there any roles or actions that my profile needs to have?
  2) Is it something to do with NW CE version or MII version?
  3) Has something gone wrong or have we missed some configuration while installing NW CE or MII?
  Any suggestions will be of great help
  Thanks,
  Adarsh

  Adarsh,
  I am not a NW UME expert, but I know this issue has nothing to do with MII.  Not sure if you have rights but providing the Administrators Group for the UME database should allow you to do this. 
  I would try posting this thread on the NW UME Forum.  Modifying policies in NW has nothing to do with MII. 
  Just to verify what policies are you trying to change, I am assuming they are in NW UME and not MII, is this correct?  If they are in MII can you be more specific.
  Good luck.

• Digital Signatures and Security Policies

  Is there a way to combine a digital signature and a Security Policy. We have a need to digitally sign a document, but not allow that signature to be removed and to not allow any further editing of the document?

  Hello Francesco,
  I want to  generate a digital signature (PKCS#7,XML) using SAP SSF API as explained in
  http://help.sap.com/saphelp_nw04/helpdata/en/4f/65c3b32107964996a56e4165077e24/content.htm and in Amol Joshi's reply in
  Digital Signatures and Document Encryption api
  so my question  is From which PI/XI version and its SPS this SAP SSF LIBRARY is supported ?
  Kind Regards,
  Kubra fatima.