SSO with SSL not working

Similar Messages

• SSO with WIA not working yet...

  Hi,
  We are trying to deploy SSO in our PT 5.0.2 portal (running on Windows 2000), but have not been able to get it to work
  successfully yet. Microsoft Active Directory 2000 is our user/group source.
  The server architecture is as follows:
  Server A = Serves as Admin Portal, Portal Server, and Image Server (resides in the DMZ)Server B = Serves as Automation Server (resides inside the firewall)Server C = Serves as Database Server (running SQL Server 2000; resides inside the firewall)Server D = Serves as the Application Server (portlets reside on this server; resides in the DMZ)
  All servers reside in the SAME domain.
  This is what we have done so far:
  1. Installed prerequisite software (i.e. IIS 5.0 and .NET Framework 1.1.4322) on Server C. Successfully installed and
  configured the Active Directory Authentication Web Service (i.e. PT Optional Enterprise Web Component) on Server C.
  2. Imported the above Web component, ADAWS, into Server A, using the PT Migration Wizard. This automatically created a
  "Remote Server" and 2 "Web Services" (namely Authentication Web Service and Profile Web Service) objects on Server A.
  3. Created a "Authentication Source - Remote" on Server A. The value in the "Authentication Source Category: " field is
  EXACTLY the same as the Active Directory Source Domain. Selected "Authentication and Synchronization" as the Synchronization
  setting, and "Full Synchronization."
  4. Created a Job and added the above Remote Auth Source as the operation. The JOb ran successfully and imported all users and
  groups from Active Directory.
  5. Users can successfully login to the portal using the above Remote Auth Source (User ID example: Domain\joe_user).
  6. Enabled "Integrated Windows Authentication" ONLY on the "\portal\sso" folder in Internet Services Manager on Server A.
  Ensured that the security is set to "Anonymous" on "\portal" and "\portal\bin" folders.
  7. Enabled SSO in the Portal, by entering the SSO Secret key in the SSO tab in the PT Admin Applet on Server A.
  8. Created a "Authentication Source - SSO" on Server A. Entered the same SSO Secret key entered above and successfully
  validated it.
  9. Configured SSO integration with Windows Integrated Authentication (WIA) by editing the PTconfig.xml file. The edits are as
  follows:
  <SSOVendor value="5"/><DefaultAuthSourcePrefix value=""/><CookieDomain value=".companyname.com" />
  NOTE: I did not have to edit the "sso.xml" file since the Auth Source category is EXACTLY the same as the Active Directory
  Source Domain.
  10. Edited the "Authentication Source - Remote" that we created in step 3 above, and changed the setting to
  "Synchronization." And then selected the "Authentication Source - SSO" (created in step 8 above) from the "Authentication
  Partners: " drop down list.
  11. Users can still successfully login to the portal using the Remote Authentication Source after the above change.
  12. Server D hosts a remote portlet. It is an IFRAME portlet (written in ASP) that has "href" links to several apps that
  reside on Server D. The security on the folder, that contains this portlet, in Internet Services Manager, is set to
  "Integrated Windows Authentication." Created a "Remote Server" object for Server D on Server A. Then created a "Web Service -
  Remote Portlet" object for the portlet. In the Web Service, I selected the Remote server that I created, and entered only the
  remaining path to the portlet (i.e. Portlet URL setting), since PT provided the "http://serverD/" portion. Finally created a
  "Portlet" object.
  13. users login to the portal using their domain ID (i.e. Domain\joe_user). They are then able to add the portlet to their
  page. But when they attempt to click on the links in the portlet they are challenged to enter their user name and password
  again.
  What step or setting are we missing here? Any help will be sincerely appreciated.
  Best regards,Kiran

  Hi Rajendrakumar,
  You probably haven't updated the ACL properly via STRUSTSS02.
  The portal server digitally signs logon tickets as it issues them to the portal users. SAP Systems need to accept the tickets and verify the portal server’s digital signature. The following information is important for the SAP System to be able to accept and verify logon tickets:
  ·        The SAP System should only accept logon tickets issued from their designated portal server. Therefore, the identity of the portal server needs to be entered in the SAP System’s Single Sign-On (SSO) access control list (ACL).
  ·        The SAP System needs to be able to verify the portal server’s digital signature. The portal server has a self-signed certificate, therefore the SAP System needs access to the portal server’s public-key information, which needs to be entered in the SAP System’s certificate list.
  Check the following procedure
  http://help.sap.com/saphelp_nw70/helpdata/en/78/f1a8490e7011d6999500508b6b8a93/frameset.htm
  Regards,
  Siddhesh

• SSO with BSP Not Working

  Hi
  I am running Nw2004s Portal with ECC5 as BackEnd.
  I have Configured the ECC5 for SSO using RZ10 and strustsso2.
  The Portal UserIDs are same as those in  ECC5 .
  The SSO is working fine with ESS in the Portal.
  But when i run  a BSP iView then it asks for UID,PWD in a PopUp.
  I am accessing the Portal with FQDN and in the properties of the System
  referred by BSP also maintained FQDN of the backend WebAS.
  How to get rid of this Login PopUp for BSP ?
  Any Help will be highly appreciated !
  Regards,
  Rajendra

  Hi Rajendrakumar,
  You probably haven't updated the ACL properly via STRUSTSS02.
  The portal server digitally signs logon tickets as it issues them to the portal users. SAP Systems need to accept the tickets and verify the portal server’s digital signature. The following information is important for the SAP System to be able to accept and verify logon tickets:
  ·        The SAP System should only accept logon tickets issued from their designated portal server. Therefore, the identity of the portal server needs to be entered in the SAP System’s Single Sign-On (SSO) access control list (ACL).
  ·        The SAP System needs to be able to verify the portal server’s digital signature. The portal server has a self-signed certificate, therefore the SAP System needs access to the portal server’s public-key information, which needs to be entered in the SAP System’s certificate list.
  Check the following procedure
  http://help.sap.com/saphelp_nw70/helpdata/en/78/f1a8490e7011d6999500508b6b8a93/frameset.htm
  Regards,
  Siddhesh

• OBIEE 11.1.1.6.2 BP1 SSO with AD not working on MAC OS 10.6.8

  Hi Experts,
  We have setup SSO in our production with OBIEE 11.1.1.6.2 BP1 version and Active directory. All seems to work fine on all browsers. But on MAC OS 10.6.8 when we use Safari 5.1.7 it doesn't work. But when we use the application on MAC OS version 10.7.5 and safari version 6.0.1 and it is working fine. Can anyone please let me know if you have come across the scenario and the solution for this. In windows it works perfectly fine on all browsers. Only this version of MAC and Safari is giving us the trouble.
  Thanks in advance for any solution provided.
  Regards,
  Satyabrat

  JavaScript and Cookies are enabled.  my cookies list shows at least 3 associated with hulu.  Funny thing is, if I grab the up/down control bar on right side of screen with my mouse, then hulu plays in a somewhat chopped frame by frame. As soon as I let go, the frame freezes yet audio portion continues.
  I don't know what a munged Hulu cookie is, however.

• How to configure sso with SSL step by step

  Purpose
  In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
  Overview
  In this document we will demonstrate:
  1.     How to configure OHS support SSL
  2.     How to Register SSO with SSL
  3.     Configure SSO for certificates
  Prerequisites
  Before start this document, you should have:
  1.     Oracle AS 10g infrastructure installed (10.1.2)
  2.     OCA installed
  Note:
  1.     “When you install Oracle infrastructure, please make sure you have select OCA.
  2.     How Certificate-Enabled Authentication Works:
  a.     The user tries to access a partner application.
  b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
  c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
  Enable SSL on the Single Sign-On Middle Tier
  The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
  l     You must configure SSL on the computer where the single sign-on middle tier is running.
  l     You are configuring one-way SSL.
  l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
  1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
  2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
  4.     Reload the modified opmn configuration file:
  ORACLE_HOME/opmn/bin/opmnctl reload
  5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
  6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
  Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
  <VirtualHost ssl_host:port>
  RewriteEngine on
  RewriteOptions inherit
  </VirtualHost>
  Save and close the file.
  7.     Update the distributed cluster management database with the changes:
  ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
  8.     Restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
  9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
  Reconfigure the Identity Management Infrastructure Database
  Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
  1.     Change Single Sign-On URLs
  Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
  UNIX:
  $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
  Windows:
  %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
  In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
  Here is an example:
  ssocfg.sh https login.acme.com 4443
  2. Restart OC4J_SECURITY instance and verify the configuration
  To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
  If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Then try logging in to the single sign-on server at its SSL address:
  https://host:ssl_port/pls/orasso/
       3. Back up the file targets.xml:
  cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
  4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
  ·     HTTPMachine—the server host name
  ·     HTTPPort—the server port number
  ·     HTTPProtocol—the server protocol
  If, for example, you run ssocfg like this:
  ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
  Update the three attributes this way:
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
  5.Save and close the file.
  6.     Reload the OracleAS console:
       ORACLE_HOME/bin/emctl reload
  7. Issue these two commands:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Registering mod_osso
  1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
  $ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path $ORACLE_HOME
       -config_mod_osso TRUE
       -mod_osso_url https://myhost.mydomain.com:4443
  2.     Restarting the Oracle HTTP Server
  After running ssoreg, restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  Configuring the Single Sign-On System for Certificates
  1.     Configure policy.properties with the Default Authentication Plugin
  Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
  DefaultAuthLevel = MediumHighSecurity
  Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
  MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
  2.     Restart the Single Sign-On Middle Tier
  After configuring the server, restart the middle tier:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Bringing the SSO Users to OCA User Certificate Request URL
  The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
  The URL for the SSO certificate Request is:
  https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
  You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
  To link the OCA server to OracleAS SSO server, use the following command:
  ocactl linksso
  opmnctl stoproc type=oc4j instancename=oca
  opmnctl startproc type=oc4j instancename=oca
  You also can use ocactl unlinksso to unlink the OCA to SSO.

  I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
  The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
  on a URL that looks like this :
  http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  and gives the error :
  ( Forbidden
  You don't have permisission to access /sso/auth on this server at port 7777)
  when I manually change the URL to :
  https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  the SSO works correctly.
  The question is :
  How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
  Any ideas ?
  Thanks in advance

• Apache SSL not working

  Hello,
  I Have a SLES 11 SP1 Web access server running the newest groupwise. I have configured the SSL vhost but apache does not listen on port 443. In fact it appears as if the vhost is ignored. I have a SLES10 SP4 WebAcc server that runs SSL just fine and I have been using its configs as a base.
  Any ideas?
  SSL vhost:
  # Template for a VirtualHost with SSL # Note: to use the template, rename it to - Pastebin.com
  Thanks in advance!
  -Will

  On 21/11/2011 04:16, clintosaurus wrote:
  > I Have a SLES 11 SP1 Web access server running the newest groupwise. I
  > have configured the SSL vhost but apache does not listen on port 443. In
  > fact it appears as if the vhost is ignored. I have a SLES10 SP4 WebAcc
  > server that runs SSL just fine and I have been using its configs as a
  > base.
  >
  > Any ideas?
  Does /etc/sysconfig/apache2 have 'ssl' included in APACHE_MODULES?
  Does /etc/sysconfig/apache2 have 'SSL' included in APACHE_SERVER_FLAGS?
  HTH.
  Simon
  Novell Knowledge Partner (NKP)
  Do you work with Novell technologies at a university, college or school?
  If so, your campus could benefit from joining the Novell Technology
  Transfer Partner (TTP) program. See novell.com/ttp for more details.

• Axis bank net secure with webpin not working on ipad2

  Hi,
  Axis bank net secure with webpin not working on ipad2
  Lt me know how to proceed

  Try using their App:
  https://itunes.apple.com/in/app/axis-bank-mobile-application/id517266358?mt=8

• Since installing Yosemite, Airplay with Freebox not working

  Since installing Yosemite, Airplay with Freebox not working
  With Maverick Airplay working well

  If you haven't done so already, try resetting the printing system.
  OS X Mavericks: Reset the printing system  also Yosemite
  Try deleting the printer and scanner and add them back.
  Also try Applications/Image Capture to see if it can find the printer and scanner.

• Wifi connection with 4s not working after installing new software ios6

  wifi connection with 4s not working after installing ios 6.

  Go to Settings > WiFi > Select your network and hit the right arrow to "Forget Network"
  Then go to Settings > General > Reset Network Settings  and try connecting again when the phone restarts.

• I'm having constant problems with pages not working. I.E.: I cannot fill in writeable fields, click on buttons... or anything... nothing on the page works. And, this is not exclusive to a particular site. I can, however, work well in Explorer.

  For the last few weeks I have had constant problems with pages not working. I.E.: I cannot fill in writeable fields, click on buttons... or anything... nothing on the page works. And, this is not exclusive to a particular site. It does seem to be a browser issue, because I can work well in Explorer.

  Both the Yahoo! Toolbar extension and the Babylon extension have been reported to cause an issue like that. Disable or uninstall those add-ons.
  * https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

• Applications associated with workstations not working

  Hello,
  I have onld zen 7.x, on netware.
  Applications associated with workstations not working or appearing in one container. Not sure if it every worked. Apps work fine with users.
  I am in a bind, since I need to get the app out in the workstation space.
  It maybe rights or simple install error with the ZEN from the begining.
  thanks for any help or ideas.. Yes I know I need to get to Zen 11.
  Phil

  PhilJannusch,
  > Applications associated with workstations not working or appearing in
  > one container. Not sure if it every worked. Apps work fine with users.
  >
  > I am in a bind, since I need to get the app out in the workstation
  > space.
  Please tell us more as "not working" can mean a lot of things. So:
  Are they user or workstation associated?
  Are those for whick they do not work (users or workstations) all in the
  same container?
  In what way do they not work?
  Any errors?
  Anders Gustafsson (NKP)
  The Aaland Islands (N60 E20)
  Have an idea for a product enhancement? Please visit:
  http://www.novell.com/rms

• I am getting frustrated with Apple not working with Flash player on some of my favorite web sites. Is there any alternative that will work on I-pad instead of flash?

  I am getting frustrated with Apple not working with Flash Player on some of my favorite web sites! Is there another alternative to watching these site options on my I-pad?

  Flash is not, and probably never will be, supported on the iPad : http://www.apple.com/hotnews/thoughts-on-flash/ . Plus it would be up to Adobe to make a version of their flash player that works on iOS devices - something which they have never managed to do and which they have now given up on trying to do.
  Browser apps such as Skyfire, iSwifter and Puffin 'work' on some sites, but judging by their reviews not all sites. Also some websites, especially news sites, have their own apps in the App Store, so your could try checking there for your sites (and there is the built-in YouTube app).

• My orignal computer that I sync my iPhone 4 with does not work...can I sync it with a new computer?

  My original computer that I set up my iPhone 4 with
  Does not work.....can I use a new computer to sync
  The phone....how do I do this and is there a risk of
  Of losing any apps, music etc

  Try this:
  Syncing to a "New" Computer or replacing a "crashed" Hard Drive

• SSO to R3 not working after system copy

  Hi Experts,
  Recently our QA R3 client XXX was deleted and the whole system was rebuild using system copy of client ZZZ of R3 production. Now we had to reconfigure the SSO between portal and QA R3 with the new client.
  But it is not working. It was found that the QA R3's own self signed certificate shows CN=ERP (same as R3 Prod) and not ERU as it should have been. We changed the CN value to ERP,in Visual Admin (Services ->key storage , Ticket ). Still the result is same.
  How to re-generate the self signed certificate in R3 with CN=ERU ?
  or a workaround for this problem.
  Regards
  Jimmy

  HI Jayendra 
  Recreate the saplogonticketkeypair following the procedure outlined here
  http://help.sap.com/saphelp_nw70/helpdata/en/75/c80b424c6cc717e10000000a155106/content.htm
  Then you can export the SAPLogonticketkeypair-cert (public key certificate) of the Java AS and import it into the target ABAP system
  Important: the following two steps must be done in the ABAP client that will receive the logon tickets i.e the ABAP client that the component/application on the Java AS is configured to connect to e.g the client specified in the portal iview properties or the client specified in a Web Dynpro JCo Destination
  (1) Import the public-key certificate of the Java AS into the ABAP systems certificate list using transaction STRUSTSSO2
  (2) Add the certificate to access control list
  When adding the certificate to the ACL the SID should be set to the SID of the ticket issuing Java AS and the client should be set to the client that the Java AS is writing to the logon tickets i.e the value of login.ticket_client in the Java AS
  Remember, in an Add-In installation, where the system IDs are the same, you must change the default client for the J2EE Engine (000) to a client that does not exist on the SAP Web AS ABAP system e.g change login.ticket_client to 999
  See: http://help.sap.com/saphelp_nw70/helpdata/en/cb/ac3d41a5a9ef23e10000000a155106/content.htm
  The reason for this change is that the system ID and client combination must be unique when tickets are to be accepted by an SAP Web AS ABAP system
  By the way it is better to start a new thread with your question rather than bumping a thread that was already set to 'answered'

• Read Only Display of Radio group and Text area with counter not working

  Hello,
  I am using Apex 3.2, with 10g for the database
  I have this form, with fields that will set to read only when status = 'closed'
  All of the fields display as read only except for 2. I cannot figure out why this is not working correctly.
  1st field is Issues that is a text area with character counter, with a sql query behind it, that is set to null unless the query is pulling in the data.
  2nd field is Status which is a radio group that will not display as read only when status = 'closed'
  I have other fields on the form with the same format and they change to read only when the status = 'closed', I have even copied the pl/sql expression from one field to these fields and it still doesn't work correctly. I have also tried javascript for an on load event, which works, but once I click on the save button, it disables all of the page items, which works correctly, but I purposely forget to enter information, to make sure the validations are firing correctly, which it does, but the script disables everything, not allowing me to correct the errors. The javascript is firing on the on page load event.
  Any help on this is greatly appreciated.
  Mary

  Dung,
  That API seems to have a bug, it returns true/false/null, so you could use 'return not nvl(htmldb_util.current_user_in_group(p_group_name => 'APP Admin'),false)' to get a false value.
  Unfortunately there's another problem: using the read-only attributes for checkbox or radiogroup item makes them hidden. My suggestion would be to create another item that has disabled="disabled" in the HTML Form Element attribute in the item definition and display that item or the non-disabled item alternately, using conditions based on the current_user_in_group logic.
  Scott