Tips on enabling SSL in Active Directory!!!
Finally I can connect to my Active Directory through an SSL connection. I don't know what was wrong with my previous settings, because I reinstalled the server from scratch. Below are the steps I took:
1. Install Windows 2000 Advanced Server + SP4
2. Install Windows 2000 High Encryption Pack (128-Bits SSL)
3. Install Active Directory Service together with MS DNS Server and Enterprise Certificate Authority Service.
4. Install Windows 2000 Support Tools from Windows 2000 installation CD.
5. Launch ldp.exe and connect to local Active Directory on port 636.
6. It should display the rootDSE content if SSL is working properly.
7. Go to the C: drive and get the root CA certificate in the root directory. It should be named xxx.crt.
8. Import the certificate into ${JAVA.HOME}/lib/security/cacerts file.
9. Right now everything should be OK.
What surprised me is that I didn't follow several 'important' steps suggested by both Microsoft and some other developers in this forum. They are:
1. Open the Domain Controller Policy using the Group Policy Editor.
2. Under Computer Configuration , click Windows Settings .
3. Click Security Settings , and then click Public Key Policies.
4. Click Automatic Certificate Request Settings .
5. Use the wizard to add a policy for Domain Controllers.
I double-checked that I didn't enable Automatic Certificate Request Settings. But somehow SSL works. Can somebody explain why?
Regards,
WenBin
I am glad that you can benefit from the tips.
Regarding your question, the answer is like this:
1. A user named David logs on.
2. You generate the userPrincipal for him: [email protected]
3. Bind to ADS with this userPrincipal and the password he typed in.
4. If it succeeds, search the user container with sAMAccountName=David and meanwhile request any attributes you want. Please refer to the JNDI tutorial on how to search an LDAP directory and get back some other attributes at the same time.
Hope this helps you.
Regards,
WenBin
Similar Messages
-
Creating MailBox-enabled Users In Active Directory Using JNDI
Thanks to the various code samples I have come across in this forum, I have been able to use the JNDI API to add a new user to Microsoft Active Directory.
The user account that was added using a combination of the various code samples was already enabled, but the problem is that the user does not have an Exchange mailbox created/enabled as well.
When attempts were made to access the user's IMAP mailbox from an external webmail client, the following message was received: "No Such Object On The Server".
I am wondering whether there is an attribute I am missing out, or something.
I would welcome any suggestions.
Please treat as urgent.
Thank you in anticipation.
Below is the list of attributes I set:
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

BasicAttributes ba = new BasicAttributes();
ba.put(new BasicAttribute("userPrincipalName", "[email protected]"));
ba.put(new BasicAttribute("sAMAccountName", "fagu"));
ba.put(new BasicAttribute("title", "Anyhow"));
ba.put(new BasicAttribute("mail", "[email protected]"));
ba.put(new BasicAttribute("mailNickname", "fagu"));
ba.put(new BasicAttribute("objectClass", "user"));
ba.put(new BasicAttribute("displayName", "Festus Agu"));
ba.put(new BasicAttribute("sn", "Agu"));
// 66048 = 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
ba.put(new BasicAttribute("userAccountControl", "66048"));
// unicodePwd is write-only and must be sent as the UTF-16LE bytes of the password wrapped in
// double quotes; AD accepts it only over an encrypted (LDAPS) connection and refuses a
// clear-text value with WILL_NOT_PERFORM.
//ba.put(new BasicAttribute("unicodePwd", "fagu"));
ba.put(new BasicAttribute("mDBUseDefaults", "TRUE"));
ba.put(new BasicAttribute("homeMTA", "CN=Microsoft MTA,CN=XSOCKET2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=SocketWorks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=socketworkscorp,DC=localdomain"));
ba.put(new BasicAttribute("msExchHomeServerName", "/o=SocketWorks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XSOCKET2"));
// distinguishedName is a system-owned attribute derived from the entry's name; AD rejects it in an add.
ba.put(new BasicAttribute("distinguishedName", "CN=Festus"));
I am trying to create a mailbox-enabled user in AD. I am setting all the attributes mentioned above.
Still I am unable to create a user. I guess I am messing up with the password and getting the error "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0"
Is it that SSL is a must to create a user? I saw a certificate on the Exchange server. But I am using a simple protocol to create a user.
Please help me with the steps needed to create a user if I have to use SSL, or whether there are any settings to be turned on at the server.
Thanks!!
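Added example, not the poster's code: the user-and-password part of the creation above done the way AD accepts it, with the password sent as unicodePwd over LDAPS and the account enabled afterwards. It does not cover the Exchange mailbox attributes, and the host, DNs and bind account are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Creates an AD user and sets its password the way AD requires: over LDAPS, as a quoted UTF-16LE unicodePwd. */
public class AdUserProvisioner {
    // userAccountControl bits from the AD schema
    static final int ACCOUNTDISABLE = 0x0002;
    static final int NORMAL_ACCOUNT = 0x0200;

    /** AD only accepts unicodePwd as the UTF-16LE encoding of the password wrapped in double quotes. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Opens an LDAPS context; the JVM trust store (javax.net.ssl.trustStore) must hold the domain's root CA. */
    static DirContext connect(String ldapsUrl, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);            // ldaps://..., or ldap://host:636 plus the ssl protocol
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /**
     * Three steps: add the object disabled, set unicodePwd (binary, over the encrypted connection),
     * then enable it. Sending the password as a plain string is what AD refuses with WILL_NOT_PERFORM.
     */
    public static void createUser(DirContext ctx, String userDn, String sam, String upn,
                                  String displayName, String password) throws NamingException {
        BasicAttributes attrs = new BasicAttributes(true);  // attribute names are case-insensitive
        attrs.put("objectClass", "user");
        attrs.put("sAMAccountName", sam);
        attrs.put("userPrincipalName", upn);
        attrs.put("displayName", displayName);
        attrs.put("userAccountControl", Integer.toString(NORMAL_ACCOUNT | ACCOUNTDISABLE));
        ctx.createSubcontext(userDn, attrs);                // the DN itself is the name; no distinguishedName attribute

        ModificationItem[] setPassword = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute("unicodePwd", encodeUnicodePwd(password)))
        };
        ctx.modifyAttributes(userDn, setPassword);

        ModificationItem[] enable = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute("userAccountControl", Integer.toString(NORMAL_ACCOUNT)))
        };
        ctx.modifyAttributes(userDn, enable);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values: args[0] is the provisioning account's password, args[1] the new user's.
        // The bind account needs create-user rights on the target container.
        DirContext ctx = connect("ldaps://dc01.example.test:636",
                                 "CN=Provisioner,CN=Users,DC=example,DC=test", args[0]);
        try {
            createUser(ctx, "CN=Festus Agu,CN=Users,DC=example,DC=test",
                       "fagu", "fagu@example.test", "Festus Agu", args[1]);
        } finally {
            ctx.close();
        }
    }
}
```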
-
Active Directory Server Problem
Hi All,
This mail seeks help from people who have worked with Active Directory Server.
The following is our current scenario.
We are in the process of establishing an SSL connection to Active Directory Server from a Java environment (a standalone class) on Windows 2000.
1. Active Directory Server is installed on an independent Win 2k machine.
2. SSL is enabled on the Active Directory Server machine by installing the Enterprise Root Certificate.
3. The Microsoft High Encryption Pack is installed on both the client and the server (AD).
4. The .cer file from the AD machine is imported into the client's keystore (cacerts) using the keytool utility.
5. The AD machine is part of a domain named "rsa" and the client machine is part of the domain named "cts".
With the above setup, the following code tries to establish an SSL context to the AD through JNDI.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://blr03srv1.rsa.com:636");   // LDAPS port
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=rsa,DC=com");
env.put(Context.SECURITY_CREDENTIALS, "password");
try {
    DirContext ctx = new InitialDirContext(env);   // the SSL handshake and the bind happen here
    ctx.close();
} catch (Exception e) {
    e.printStackTrace();
}
When we try to run this client we get an SSLHandshakeException with a message saying "No trusted certificate found".
As far as we know, the .cer file is successfully imported into the cacerts which is used by J2SE as the default keystore.
Hence we ran out of ideas, as we think there could be some other issue causing this problem.
We are looking forward to inputs from AD-enlightened people to solve this issue.
Thanks in advance,
Manivannan.A
I had the same problem and still have not managed to solve it; if by chance you obtain the solution, please pass it to me.
Thanks
Fernando Queiroz Fonseca
Undergraduate in Electrical Engineering
Universidade Federal de Uberlândia
http://www.fernandoqueiroz.com.br
email : [email protected] -
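Added example, not code from either post above: a JNDI client that does what WenBin's reply describes (bind with the user's UPN, then search by sAMAccountName) over LDAPS, with the trust store named explicitly instead of relying on whichever JRE's cacerts the .cer was imported into, which is the usual cause of "No trusted certificate found". The ad.truststore system properties, host names and DNs are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/** LDAPS authentication against AD: explicit trust store, UPN bind, escaped sAMAccountName lookup. */
public class AdLdapsClient {

    /**
     * JNDI loads the class named in java.naming.ldap.factory.socket and calls its static getDefault().
     * This factory trusts only the CAs in the trust store named by the (assumed) ad.truststore property.
     */
    public static final class TrustStoreSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;

        private TrustStoreSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        public static SocketFactory getDefault() {
            String path = System.getProperty("ad.truststore");
            char[] pw = System.getProperty("ad.truststore.password", "changeit").toCharArray();
            try (InputStream in = new FileInputStream(path)) {
                KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
                ts.load(in, pw);
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(ts);
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, tmf.getTrustManagers(), null);
                return new TrustStoreSocketFactory(ctx.getSocketFactory());
            } catch (Exception e) {
                throw new IllegalStateException("cannot build LDAPS socket factory from " + path, e);
            }
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
        @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
        @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
        @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean auto) throws IOException { return delegate.createSocket(s, h, p, auto); }
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515) so user input cannot change the query. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Bind as account@domain with the typed password, then read the wanted attributes; null if the bind is rejected. */
    public static Attributes authenticate(String ldapsUrl, String domain, String searchBase, String sAMAccountName,
                                          String password, String... wantedAttrs) throws NamingException {
        // An empty password makes the LDAP provider bind anonymously, which AD accepts: reject it here.
        if (password == null || password.isEmpty()) return null;

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);               // e.g. ldaps://dc01.example.test:636 (constructed)
        env.put(Context.SECURITY_PROTOCOL, "ssl");             // connect by the host name in the DC's certificate
        env.put("java.naming.ldap.factory.socket", TrustStoreSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, sAMAccountName + "@" + domain);   // userPrincipalName form
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                  // the bind happens here
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(wantedAttrs);
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sAMAccountName) + "))";
            NamingEnumeration<SearchResult> hits = ctx.search(searchBase, filter, sc);
            return hits.hasMore() ? hits.next().getAttributes() : null;
        } catch (AuthenticationException rejected) {
            return null;                                       // wrong password or unknown account
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

Run with -Dad.truststore=/path/to/ad-trust.jks holding the imported root CA; the returned Attributes (for example displayName, mail, memberOf) are the ones requested in wantedAttrs.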
Create a User account in active directory from SharePoint online 2013 list data
Hello,
I am trying to create a SharePoint list through which I can create a user account in Active Directory.
1 - HR sends the details in the email body to a specific email address ([email protected]) like below:
First Name: XYZ
Last Name: ABC
Address: ABC 123
Designation: Analyst
Employee ID: 10492
and so on
2 - I need to pick up the data from the above section of every new email into a SharePoint list (in columns):
First Name | Last Name | Address | Designation | Employee ID
3 - I want to create an event receiver through which I can go ahead and find the new data in the list and then create a user in Active Directory.
I tried very hard, and since I don't have much experience in the coding part, any help will be highly appreciated.
Thank you
Aman
1- Configure Incoming Email Settings at your SharePoint farm -
https://technet.microsoft.com/en-us/library/cc262947.aspx
http://blogs.technet.com/b/harmeetw/archive/2012/12/29/sharepoint-2013-configure-incoming-emails-with-exchange-server-2013.aspx
2- Configure your SharePoint list's incoming e-mail settings for [email protected] - List Settings -> Communications -> Incoming e-mail settings. -
https://support.office.com/en-in/article/Enable-and-configure-e-mail-support-for-a-list-or-library-dcaf44a0-1d9b-451a-84c7-6c52e7db908e
3- Write an incoming email receiver, and add your email body parsing code (retrieve the value of fields: first name, last name, etc.) in the EmailReceived() method. Also add the code for adding the new user in Active Directory.
http://blogs.msdn.com/b/tejasr/archive/2010/03/06/event-handler-code-to-add-incoming-emails-with-subject-discussion-id-as-replies.aspx
https://pholpar.wordpress.com/2010/01/13/creating-a-simple-email-receiver-for-a-document-library/
4- Active Directory code help -
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C
http://www.codeproject.com/Tips/534718/Add-User-to-Active-Directory
Thanks
Ganesh Jat [My Blog |
LinkedIn | Twitter ]
Please click 'Mark As Answer' if a post solves your problem or 'Vote As Helpful' if it was useful. -
How to map active directory and wordpress ?
I want to import my existing WordPress users into Active Directory, but the status is not changed.
This topic first appeared in the Spiceworks Community
1) I want to import WordPress users into Active Directory.
2) So I installed a plugin called "Active Directory Integrate".
3) I configured this plugin and imported users into Active Directory.
4) I want to enable the users in Active Directory and import into Active Directory.
Help me -
Crystal Reports and Windows Active Directory
Hi,
I am trying to authenticate using Windows Active Directory. I have created a test group in Active Directory and added myself as a member of that group. On the Crystal Reports server side, I have enabled Windows Active Directory. I can see the group that I created in Active Directory, but I do not see any users. I have a Java InfoView and I changed the web.xml file. I changed the authentication parameter to secWinAD. But does anyone know how to restart the web application server? I restarted the Intelligent Agent service. But when I log in using my user id and password it still gives me the same error:
Account Information Not Recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
Any help will be appreciated.
Thanks.
InfoView doesn't even need to be restarted.
You said "I have a Java infoview and I changed the web.xml file" in your original post.
If you have .NET IIS then it would be a web.config file that needs to be changed. IIS will pick up the changes as soon as you save the file and open an InfoView logon page. You may also opt to set authentication.visible to true so users will have the ability to select AD when logging in.
Regards,
Tim -
Oim 9.1.0.1 to active directory using ssl
Hi,
I am working on OIM 9.1.0.1 and AD is on Win2K3 R2.
I successfully installed a CA certificate on the AD server as given in the AD Connector document 9.1.0.1, quoted below.
Configuring SSL for Microsoft Active Directory
To configure SSL communication between Oracle Identity Manager and Microsoft Active Directory, you must perform the following tasks:
a) Installing Certificate Services
b) Enabling LDAPS
c) Setting Up the Target System Certificate As a Trusted Certificate
a) Installing Certificate Services
To install Certificate Services on the target system host computer:
Note: Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
1. Insert the operating system installation media into the CD-ROM or DVD drive.
2. Click Start, Settings, and Control Panel.
3. Double-click Add/Remove Programs.
4. Click Add/Remove Windows Components.
5. Select Certificate Services.
6. In the Windows Components Wizard, follow the instructions to start Certificate Services.
I selected Enterprise root CA as the CA type, as said in the AD connector doc.
b) Enabling LDAPS
The target system host computer must have LDAP over SSL (LDAPS) enabled. To enable LDAPS:
1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
2. Click the Group Policy tab.
3. Select Default Domain Policy.
4. Click Edit.
5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
7. Use the wizard to add a policy with the Domain Controller template.
At the end of this procedure, the certificate is created and LDAPS is enabled on port 636. You can use an LDAP browser utility to verify that LDAPS is working.
But my problem is that I am not able to connect to AD over SSL through the JExplorer LDAP browser on the AD server itself.
It says "Socket closed" and sometimes "binding failed".
And the firewall is on, and telnet works to both ports 389 and 636 from outside the AD server and on the AD server.
Please give the solution to overcome this issue.
regards
Ramu
Hi
From Apache Directory Studio I am able to connect over SSL (port 636) to AD, and I also imported the certificate into OIM.
In the Diagnostic Dashboard, under Test Connectivity of AD, I found the below error.
ITResource information values are not correct. Enter the correct values.
The root cause is . . .
java.lang.reflect.InvocationTargetException
Caused by: javax.naming.CommunicationException: simple bind failed: adr.oimad.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
regards
Ramu -
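Added example (not OIM or connector code): a handshake-only check for the PKIX "unable to find valid certification path" error above, which reports the chain the DC presents and whether the trust store the application actually uses contains the certificate that signed it. The DC host name, trust store path and password are command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

/** Explains a PKIX path-building failure against an LDAPS port without sending any LDAP request. */
public class LdapsTrustCheck {

    /** Validates with the real trust manager but keeps the chain the server presented for reporting. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain;                      // recorded before validation so a failure is still explained
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ts.load(in, password.toCharArray()); }
        return ts;
    }

    /** Alias of the trust-store certificate whose name and key verify the given certificate, or null. */
    static String findIssuerAlias(KeyStore ts, X509Certificate cert) throws Exception {
        for (String alias : Collections.list(ts.aliases())) {
            if (!(ts.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate candidate = (X509Certificate) ts.getCertificate(alias);
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(candidate.getPublicKey()); return alias; }
            catch (Exception differentKey) { /* same name, not the signer: keep looking */ }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: DC host name as it appears in its certificate, trust store path, password.
        String host = args[0], tsPath = args[1], tsPw = args.length > 2 ? args[2] : "changeit";
        KeyStore ts = loadTrustStore(tsPath, tsPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        RecordingTrustManager rec = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 636)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // same host-name check the JNDI provider applies
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("LDAPS handshake with " + host + " succeeded using " + tsPath);
        } catch (SSLHandshakeException e) {
            System.out.println("LDAPS handshake failed: " + e.getMessage());
        }

        if (rec.presented == null) { System.out.println("server sent no certificate chain"); return; }
        for (X509Certificate c : rec.presented) {
            System.out.println("  presented: " + c.getSubjectX500Principal() + " issued by "
                               + c.getIssuerX500Principal() + ", valid until " + c.getNotAfter());
        }
        X509Certificate top = rec.presented[rec.presented.length - 1];
        String alias = findIssuerAlias(ts, top);
        System.out.println(alias == null
            ? "no entry in " + tsPath + " signed " + top.getSubjectX500Principal() + ": import the issuing CA there"
            : "chain anchors at trust-store alias '" + alias + "'");
    }
}
```

A chain that ends at an intermediate whose issuer is missing from the trust store is reported the same way, which is the other common cause of this error besides importing the root CA into the wrong JRE's cacerts.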
Unable to expand Roles and Policies after enabling Active Directory security
I am running WebLogic 10.3 on Linux and integrated console security with Microsoft AD.
The below error occurs when I try to expand Roles and Policies.
Please help.
Message: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd">
<name>ABC</name>
<domain-version>10.0.1.0</domain-version>
<security-configuration>
<name>ABC</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MYSECURITY</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>ad.win.XYZ.com</wls:host>
<wls:port>3210</wls:port>
<wls:user-name-attribute>SamAccountName</wls:user-name-attribute>
<wls:principal>CN=ABC (APPLICATION),OU=Service Accounts,OU=Infrastructure Solutions,OU=USPC,DC=americas,DC=win,DC=xyz,DC=com</wls:principal>
<wls:user-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}3gr1b24C1+ZescfrcJGfTA==</wls:credential-encrypted>
<wls:user-from-name-filter>(&(SamAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:cache-size>3200</wls:cache-size>
<wls:group-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:group-base-dn>
<wls:bind-anonymously-on-referrals>true</wls:bind-anonymously-on-referrals>
<wls:all-groups-filter>(objectclass=group)</wls:all-groups-filter>
<wls:group-membership-searching>limited</wls:group-membership-searching>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{3DES}Da9bWdtd5q7ah0l1OlmgTprs5EsrhL0siPsTNKzMDOasnQwrpgSVnAKFIdM3O/CjsXOzrq2fBACcbtup4aQCbNpjynWFUDB1</credential-encrypted>
<node-manager-username>system</node-manager-username>
<node-manager-password-encrypted>{3DES}IwjibsnAdGEU/pYi+0n1bg==</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<rotation-type>byTime</rotation-type>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25000</listen-port>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server1</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25010</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
<java-compiler>javac</java-compiler>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
</server>
<server>
<name>ABC_server2</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25020</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server4</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25040</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server5</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<machine xsi:nil="true"></machine>
<listen-port>25050</listen-port>
<cluster xsi:nil="true"></cluster>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
</server>
<server>
<name>ABC_server6</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25060</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server7</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25070</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server8</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25080</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server10</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25100</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server9</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25090</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server3</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25030</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<embedded-ldap>
<name>ABC</name>
<credential-encrypted>{3DES}RhnPr+8XsDxhU8rgpPiikqpyeP74wxX/T2mnALX9oFI=</credential-encrypted>
</embedded-ldap>
<configuration-version>10.0.1.0</configuration-version>
<configuration-audit-type>logaudit</configuration-audit-type>
<app-deployment>
<name>ABC25090</name>
<target>ABC_server9</target>
<module-type>ear</module-type>
<source-path>/home/arajpoot/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25080</name>
<target>ABC_server8</target>
<module-type>ear</module-type>
<source-path>/home/aherleka/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25030</name>
<target>ABC_server3</target>
<module-type>ear</module-type>
<source-path>/home/rprajapa/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25060</name>
<target></target>
<module-type>ear</module-type>
<source-path>/home/xyin/working/default-app/dist/ABC.10.1.0.ear</source-path>
<sub-deployment>
<name>/</name>
<target></target>
</sub-deployment>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>ABC25010</name>
<target>ABC_server1</target>
<module-type>ear</module-type>
<source-path>/home/payadav/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25050</name>
<target>ABC_server5</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8070</name>
<target>ABC_server7</target>
<module-type>ear</module-type>
<source-path>/home/irakshit/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8020</name>
<target>ABC_server2</target>
<module-type>ear</module-type>
<source-path>/home/wchou/working/default-app/ABC.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8100</name>
<target>ABC_server10</target>
<module-type>ear</module-type>
<source-path>/home/amulik/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8040</name>
<target>ABC_server4</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
<jdbc-system-resource>
<name>ABCCDWDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource-2021-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCCDWDataSource_coper</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource_coper-9655-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCOracleDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCOracleDS-5997-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCReportDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCReportDataSource-6033-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABC_NEON_DATASOURCE</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABC_NEON_DATASOURCE-9653-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCRDRDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCRDRDS-5401-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCtest</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCtest-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCreport</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCreport-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain> -
Apply SSL in JSP with internal CA signed by Active Directory
Hi geniuses, does anyone have an idea how to apply SSL to JSP pages?
I am trying to add SSL to my authentication JSP pages. My company has an existing internal CA, signed by Microsoft Server 2003 Active Directory.
Does anyone have an idea or a tutorial? Can you please share it with me?
webster wrote:
Hi geniuses, does anyone have an idea how to apply SSL to JSP pages?
I am trying to add SSL to my authentication JSP pages. My company has an existing internal CA, signed by Microsoft Server 2003 Active Directory.
Does anyone have an idea or a tutorial? Can you please share it with me?
This really has nothing to do with JSP or this forum. It's a matter of setting up your Servlet/JSP container properly. Consult the docs for your servlet/JSP container for how to enable SSL. -
Hi everyone,
I installed the SSL certificate according to the Active Directory Connector Guide (part 2.2.3.4).
But I have an error:
ConnectorServer.exe Error: 0 : Error processing request
System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
Do you have any idea?
Thanks.
Best regards.
Hi,
I did all the requirements but I have an error.
In Connector Server log :
ConnectorServer.exe Error: 0 : Error processing request
System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
In OIM diagnostic log :
org.identityconnectors.framework.common.exceptions.ConnectorException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Do you have any idea ?
Thanks. -
Error while trying to provision OIM user to Active Directory using SSL
Hi All,
I am able to see the users through LDAP browser using SSL but am getting the following error while trying to provision OIM users to AD using SSL.
I am using Microsoft Active Directory connector type 9.11.
Response: Connection Error encountered
Response Description: Error encountered while connecting to target system
I did some testing using "Diagnostic Dashboard" and the following are the results.
Test Name: Target System SSL Trust Verification: Passed
Test Name: Test Basic Connectivity: Failed
Exceptions:
ITResource information values are not correct. Enter the correct values.
java.lang.reflect.InvocationTargetException
javax.naming.CommunicationException: simple bind failed:
unable to find valid certification path to requested target.
Test Name: Test Provisioning: Failed
Note: Without SSL all the above tests passed.
Can anybody help me out with this issue?
Thanks in advance.
Pradeep Kumar.
I am able to connect to AD using port number 636 from the LDAP browser, and as the following test passed I think that my certificate should be correct.
Test Name: Target System SSL Trust Verification.
Input Parameters
Target System: idm.orademo.com
Port: 636 Certificate Store
Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
Result : Passed
ITResource Values:
ADAM LockoutThreshold Value
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Admin FQDN cn=Administrator,cn=Users,dc=orademo,dc=com
Admin Password *******
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Invert Display Name no
Port Number 636
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
Root Context dc=orademo,dc=com
Server Address idm.orademo.com
Target Locale: TimeZone GMT
UPN Domain orademo.com
Use SSL yes
isADAM no
isLookupDN no
isUserDeleteLeafNode no
Thanks & Regards,
Pradeep Kumar. -
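The dashboard output above reports "Target System SSL Trust Verification: Passed" against /usr/java/jdk1.6.0_14/jre/lib/security/cacerts while the actual bind still fails with "unable to find valid certification path", and a common cause of that pairing is that the JVM running the application server reads a different cacerts than the one the CA was imported into. The Python below is an added example, not code from this post or from the OIM connector: it parses a JKS truststore directly (the format of cacerts in the JDK 6 era; JDK 18 and later ship cacerts as PKCS12, which this reader rejects) so you can confirm which store actually holds the CA, and it checks the store's integrity digest against a password, which is also how you confirm a cacerts file still uses the default "changeit". The layout is the one implemented by sun.security.provider.JavaKeyStore. The store built in main() is constructed from placeholder DER bytes, not real certificates.

```python
"""Inspect a Java JKS truststore (such as jre/lib/security/cacerts) without keytool.

Added example; not code from the forum post or from OIM. JKS layout:
magic 0xFEEDFEED, version 2, entry count, entries tagged 1 (private key) or
2 (trusted cert), then a SHA-1 digest over password(UTF-16BE) +
"Mighty Aphrodite" + every preceding byte of the file.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2


def _read_utf(buf, pos):
    """DataInputStream.readUTF: 2-byte length + modified UTF-8 (same as UTF-8 for ASCII aliases)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _read_blob(buf, pos):
    """4-byte length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    return buf[pos:pos + n], pos + n


def jks_digest(body, password):
    """The keyed integrity digest Java appends to the end of the store."""
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def parse_jks(data, password="changeit"):
    """Return {'entries': [...], 'password_ok': bool}; each entry carries the alias,
    the entry type and the SHA-256 fingerprint of its (first) certificate."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore (JCEKS 0xCECECECE and PKCS12 differ)")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8                                   # creation timestamp, ms since epoch
        if tag == PRIVATE_KEY_ENTRY:
            _, pos = _read_blob(data, pos)        # password-encrypted key, skipped here
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            chain = []
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)      # certificate type, normally "X.509"
                der, pos = _read_blob(data, pos)
                chain.append(der)
        elif tag == TRUSTED_CERT_ENTRY:
            _, pos = _read_utf(data, pos)
            der, pos = _read_blob(data, pos)
            chain = [der]
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append({"alias": alias, "type": tag,
                        "sha256": hashlib.sha256(chain[0]).hexdigest()})
    stored = data[pos:pos + 20]
    return {"entries": entries,
            "password_ok": jks_digest(data[:pos], password) == stored}


def find_ca(store, ca_der):
    """Alias under which ca_der is trusted, or None if the CA was never imported."""
    fp = hashlib.sha256(ca_der).hexdigest()
    for e in store["entries"]:
        if e["type"] == TRUSTED_CERT_ENTRY and e["sha256"] == fp:
            return e["alias"]
    return None


def build_jks(trusted, password):
    """Write a JKS holding only trusted-cert entries (alias -> DER bytes); used to construct samples."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(trusted))
    for alias, der in trusted.items():
        a = alias.encode("utf-8")
        out += struct.pack(">IH", TRUSTED_CERT_ENTRY, len(a)) + a
        out += struct.pack(">Q", 0)                                # creation timestamp
        out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return out + jks_digest(out, password)


if __name__ == "__main__":
    # Constructed store: the DER payloads are placeholders, not real certificates.
    internal_ca = b"\x30\x82\x01\x00placeholder-internal-root-ca"
    store_bytes = build_jks({"foo": internal_ca, "otherca": b"\x30\x03\x02\x01\x01"}, "changeit")
    store = parse_jks(store_bytes, "changeit")
    for e in store["entries"]:
        print(e["alias"], e["sha256"][:16])
    print("default password still in use:", store["password_ok"])
    print("internal CA trusted as:", find_ca(store, internal_ca))
```

To apply it to a real installation, read the cacerts of the JRE the application server is actually started with (check the java binary in the server's process command line, not the one first on your PATH) and call find_ca with the DER bytes of the CA you imported; if it returns None from that file, the import went into a different store.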
Problem in provisioning user from oim to active directory using ssl
hi,
Problem in provisioning a user from OIM to Active Directory using SSL. I am getting the following error while provisioning a user to AD.
15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
AvailableAD():simple bind failed: 172.16.30.35:636
15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
me problems: Must set a query before executing
com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.co
nnectToAvailableNextAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.se
archResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
known Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
ce)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi
on.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
ource)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.j
ava:520)
Can anyone help?
Thanks and Regards,
praveen,
Are you able to connect to AD over SSL through some LDAP browser?
Check the validity of the certificate.
Does your certificate appear in the list? -
SGD 4.7 - Cannot enable Active Directory authentication
I've followed the steps in the Admin Guide, and have a service object created. Running tarantella service list --name service_name produces the following output (obfuscated):
Name: service_name
Enabled: 1
Url: ad://url_to_dc
Base-domain: same as above
Security-mode: kerberos
Type: ad
...all of which looks correct. I've added the recommended log filters. Directory services (server/directoryservices/*) returns the following INFO message when attempting a login:
No Login authorities are available.
The configured service objects will not be used.
When I click the "Test" button in the service object property screen, the above log fills with what look like appropriate log messages and a Success result from the AD server, then the above message is displayed. Running the tarantella config list | grep login command produced the following output:
login-ad-base-domain: same domain as above
login-ad-default-domain: ""
login-ldap-thirdparty-ens: 1
login-lday-thirdparty-profile: 1
login-thirdparty-ens: 0
login-thirdparty-nonens: 0
login-thirdparty-superusers: sgd_trusted_user
login-web-tokenvalidity: 180
server-login: enabled
Any ideas?
Problems can be:
Incorrect domain
Name resolution fails: the OSGD server must be able to resolve the global catalog server
Timeserver: the OSGD server must have the same time as the AD
Wrong /etc/krb5.conf
Global Catalog Server
Check, if the domain has a global catalog server:
nslookup -query=any _gc._tcp.DOMAIN_lowercase
Example for Domain TBSOL.DE
[root@tab-ol5u7-SGD1dev-adm tmp]# nslookup -query=any _gc._tcp.tbsol.de
Server: 192.168.99.1
Address: 192.168.99.1#53
Non-authoritative answer:
_gc._tcp.tbsol.de service = 0 100 3268 office-ad.tbsol.de.
Authoritative answers can be found from:
tbsol.de nameserver = office-ad.tbsol.de.
office-ad.tbsol.de internet address = 172.16.1.14
Kerberos Layer
Simple Kerberos file (the realm block needs its closing brace):
[libdefaults]
    default_realm = TBSOL.DE
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
[realms]
    TBSOL.DE = {
        kdc = office-ad.tbsol.de
        admin_server = office-ad.tbsol.de
    }
[domain_realm]
    .tbsol.de = TBSOL.DE
    tbsol.de = TBSOL.DE
The format (tabs and spaces) of the Kerberos file is not relevant.
(Other experience: after correcting the format of the Kerberos file, pwd change works!)
Use kinit to test the Kerberos file.
Tarantella needs a restart if this file is changed.
The OSGD documentation mentions in "2.2.4.2 Active Directory Password Expiry" to set
kpasswd_protocol = SET_CHANGE
This was not needed in these tests.
Login check via kinit
kinit <userprincipalname>@DOMAIN_uppercase
Example of kinit
[root@tab-ol5u7-SGD1dev-adm tmp]# kinit [email protected]; echo $?
Password for [email protected]:
kinit(v5): Preauthentication failed while getting initial credentials
1
[root@tab-ol5u7-SGD1dev-adm tmp]# kinit [email protected]; echo $?
Password for [email protected]:
0
[root@tab-ol5u7-SGD1dev-adm tmp]#
Check password change with KPASSWD
[root@tab-ol5u7-SGD1dev-adm log]# kpasswd [email protected]
Password for [email protected]:
Enter new password:
Enter it again:
Password changed.
Check password change on AD request
Mark user, that he has to change his password on the next login in the AD.
[root@tab-ol5u7-SGD2dev-adm tmp]# kinit [email protected]
Password for [email protected]:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@tab-ol5u7-SGD2dev-adm tmp]# kinit [email protected]
C -
Enable SSO APEX 4 and MS Active Directory
Hi,
I want enable SSO on my APEX applications. Actually, we use Microsoft Active Directory and Windows 2003 (tomorrow maybe Windows 2008).
Regarding your experiences, what is the best solution that I can use in order to implement SSO?
Thanks for your help,
I forgot to give this information:
- Our Oracle Server is under Linux.
- We use Oracle Database 11GR2.
- Our domain controller is under Windows 2003 (we will probably upgrade to 2008 this year).
- Our APEX version is 4.1.0.00.32.
Edited by: user7224400 on 3 Feb 2012 16:23
Morten -- Interesting. I wish we had found that before we implemented WebLogic and the APEX listener, it may have been an interesting other option to consider. I'm not sure it would have made it past our change control folks as they might bark at the supportability/security, but it is an intriguing option.
Patrick -- (You have a great blog by the way.). We are talking about upgrading our APEX 3.1 instances this year so I am very interested in the new authentication type. Is it doing anything other than simply retrieving the logon_user? i.e., is it actually authenticating against anything or would it just read the logon_user and let them in if they matched a known username?
AJ -- We just converted from Oracle Portal last year. When I had Oracle Portal, I had it setup to use Windows Native Authentication following the supported solution for that and then had APEX set up as a partner application for portal. So if someone hit portal first, they'd automatically logon as their active directory user through WNA and would be dropped into portal. If they then hit a link for APEX in portal, it would (in rapid succession) go to APEX, redirect back to the portal SSO server, see they were authenticated in app server, and drop them into APEX with barely a visible screen flicker. It worked flawlessly UNTIL we started upgrading to Windows 7. Then a number of changes and patches are required to get WNA to work with app server 10g and Windows 7. If you are using portal in your 10g IAS, you may want to consider that route.
Pardon me while I hop on my soapbox briefly -- I think if our friends in Oracle land could come out with a fully supported method of using NTLM or similar technologies to automatically log in to APEX applications, it would help considerably in the adoption of APEX and the APEX listener in customers that have Oracle databases and Active Directory, which is a pretty decent size market.
Ok, soapbox moment ended. :-)
Rgds/Mark M. -
Solution: Active Directory over LDAP over SSL
Hey all
I have the solution and i will describe how i solved it.
- Install Windows 2000 Server
- install Service Pack 2
- install the High Encryption Pack from Microsoft
http://www.microsoft.com/windows2000/downloads/recommended/encryption/
- install Active Directory
also install a DNS server, if there isn't one.
- install a Certificate Authority
a stand-alone one, which requires Active Directory
- install JDK 1.4
- go to http://localhost/certsrv
choose: "Retrieve the CA certificate or certificate revocation list"
then choose: "Download CA certificate"
save this file to the hard disk
- use keytool to import this file into the cacerts file
keytool -import -alias foo -storetype jks -keystore cacerts -file yourca.cer
the cacerts file must be in C:\j2sdk1.4.0_01\jre\lib\security or something similar
- then run the following code for a connection
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.io.*;
import java.net.*;
public class HBUserAdmin {
    // the original never called _initialize(), so env was still null when bindAs() ran
    public HBUserAdmin() { _initialize(); }
    private Hashtable env;
    private void _initialize() {
        env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://your.server.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=jellie,DC=com");
        env.put(Context.SECURITY_CREDENTIALS, "youknowit");
        env.put(Context.REFERRAL, "ignore");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        //THE LOCATION OF THE CACERTS MUST BE SPECIFIED
        // trustStore is what server-authenticated LDAPS needs (it must hold the CA
        // imported with keytool); keyStore only matters if the server asks for a client certificate
        System.setProperty("javax.net.ssl.keyStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
        System.setProperty("javax.net.ssl.trustStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
    }
    public void bindAs(String principal, String credentials, String baseDN) {
        env.put(Context.PROVIDER_URL, baseDN);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println("bind Successful...");
            ctx.close();
        } catch (AuthenticationException aex) {
            System.out.println("Invalid userid or password... Please try again");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
    public static void main(String[] args) {
        System.out.println("Starting to execute");
        HBUserAdmin testUser = new HBUserAdmin();
        System.out.println("Binding...");
        testUser.bindAs("CN=Administrator,CN=Users,DC=jellie,DC=com", "youknowit", "ldap://your.server.com:636");
    }
}
I hope this will help all of you
questions?....mail
Jellie
[email protected]

System.setProperty("javax.net.ssl.keyStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
Do not forget to alter these values.
IT MUST BE POINTING TO THE FILE YOU HAVE IMPORTED THE CERTIFICATE TO.
good luck
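A way to confirm the keytool import actually works before involving JNDI, as an added example that is not from Jellie's post: it builds a trust manager from the cacerts file alone (no key store), handshakes with port 636 and reports the domain controller's certificate. The host name, the cacerts path and the default cacerts password "changeit" are placeholders/assumptions to adjust.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/* Added diagnostic (not part of the original post): open a TLS handshake to the
 * LDAPS port and let a trust manager built only from cacerts decide whether the
 * domain controller's certificate chains to the imported root CA. */
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        // Placeholders: your DC host, the cacerts you imported into, its password
        String host = "your.server.com";
        String trustStorePath = "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts";
        char[] trustStorePass = "changeit".toCharArray(); // JDK default for cacerts

        // Only a TRUST store is needed to authenticate the server; no client keys
        KeyStore trust = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            trust.load(in, trustStorePass);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket(host, 636);
        try {
            // Throws SSLHandshakeException when the chain is not trusted by cacerts
            sock.startHandshake();
            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate server = (X509Certificate) chain[0];
            System.out.println("LDAPS handshake OK with " + host);
            System.out.println("  subject: " + server.getSubjectDN());
            System.out.println("  issuer : " + server.getIssuerDN());
            System.out.println("  valid  : " + server.getNotBefore() + " to " + server.getNotAfter());
            // This checks the chain only; matching the subject against the host
            // name is a separate check the caller should still perform.
        } finally {
            sock.close();
        }
    }
}
```

If the handshake fails here, the JNDI bind will fail for the same reason, so fix the import (alias, file, store path) before debugging the LDAP side.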
