Using ACLs With iPlanet 4.1

Hello,
I hope somebody can shed some light on the following:
I'm using iPlanet 4.1 on a UN*X box, and I need to restrict access to some web assets it serves. I read through the iPlanet administrator docs and learned that it has access control built in via ACLs, in either user/group or host-ip modes.
It seems that [by default] user/group is verified by a challenge/response system in which the server causes the browser to display a name/password popup dialog, etc, etc. My question is, is it possible to suppress this popup dialog, and use a login form instead?
Also, for user/password authentication mode, it seems I need to use an LDAP server. Is that always necessary? I was hoping I could get away with some sort of config file, which I would generate from, say db information.
The iPlanet 4.1 docs also say that it's possible to authenticate against an external database, if one writes against a C-library API to connect to the database. Going directly against a DB would be great, but this seems to be more effort than I want to invest. Is there a Java API, perhaps?
Thank you.
--A

To answer my own post:
iPlanet web server 4.1 officially supports only basic and certificate-based authentication; it has no support for forms-based authentication. No known unofficial way to hack this, either. iPlanet 6.0 web server supports forms-based authentication.
LDAP is not necessary for < 100 users. iPlanet supports "htaccess" authentication--a file based system; see docs 4538, 7980, 50267, available from http://sunsolve.sun.com/pub-cgi/show.pl?target=home
iPlanet 4.1 web server has no Java API.
--A

Similar Messages

  • WebDAv with Iplanet Webserver 4.1

    Hi,
    I want to use WebDAV with iPlanet Webserver 4.1 for publication. Is it
    possible?
    Regards,
    herve

    I tried this with apache slide.
    With no luck.
    I think the problem was due to not being able to configure a servlet to
    receive the http request for the urls from the web dav root.
    For example.
    http://mserver/dav
    may be the root
    then you would have a file at
    http://mserver/dav/files/etc
    I could not configure the servlet in the rules.properties file to say
    /dav/* is servlets WebdavServlet.
    However you can do this with tomcat and I hope now that iWS 6.0 supports the
    web.xml for deploying servlets that you now will be able to do this.
    If you get this working I would like to know how you did it.
    Warwick
    "herve Merdrignac" <[email protected]> wrote in message
    news:[email protected]..
    Hi,
    I want to use WebDAV with iPlanet Webserver 4.1 for publication. Is it
    possible?
    Regards,
    herve

  • Configure Client-cert with ACL in iPlanet

    I need to configure iPlanet with "client-cert" configuration.
    - It works with this setting (in the console) : [Preference] --> [Encryption Preferences] --> "Require client certificates (regardless of access control):" set to "Yes".
    - I have a problem with this setting because all the instance is affected and clients without a certificate can not use other applications under this instance (they receive an "Acces Denied page").
    - It seems I can specify this setting to a specific URL via an ACL but it does not work.
    - Could you confirm I can do that? If yes, could you specify the configuration of the ACL?
    I am using iPlanet 4.1 under Solaris 2.8. For information I am using a websphere 4 server with iPlanet. My J2EE application is CLIENT-CERT; that's why I need this setting.
    Thanks !

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • How do I use LDAP with iMQ 2.0?

    I am looking for an example to see how to use LDAP with iMQ 2.0.
    I was able to set up the config settings to access a local LDAP,
    but iMQ authentication still rejects valid logins.
    Let me know if I can find more info someplace.

    You can also find an example I put together in the Sun One knowledge base.
    If you go here:
    http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
    Search for article 7772
    Alternatively here is the direct link
    http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html

  • Error occurred while finding users using API with custom field

    Hi All,
    I am getting the following error while searching for a user using the API with a custom attribute. Has anybody faced the same problem before?
    Hashtable<Object,Object> env = new Hashtable<Object,Object>();
    env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://localhost:14000");
    System.setProperty("java.security.auth.login.config","C:\\Oracle\\Middleware\\Oracle_IDM1\\designconsole\\config\\authwl.conf");
    System.setProperty("OIM.AppServerType", "wls");
    System.setProperty("APPSERVER_TYPE", "wls");
    tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env, "xelsysadm", "Weblogic123$");
    OIMClient client = new OIMClient(env);
    client.login("xelsysadm", "Weblogic123$".toCharArray());
    SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd");
    tcUserOperationsIntf moUserUtility = (tcUserOperationsIntf)ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
    Hashtable mhSearchCriteria = new Hashtable();
    mhSearchCriteria.put("USR_UDF_ACTUALSTARTDATE",formatter.format(date));
    tcResultSet moResultSet = moUserUtility.findAllUsers(mhSearchCriteria);
    printTcResultSet(moResultSet,"abcd");
    log4j:WARN No appenders could be found for logger (org.springframework.jndi.JndiTemplate).
    log4j:WARN Please initialize the log4j system properly.
    Exception in thread "main" Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
    at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_1036_WLStub.findAllUsersx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at com.sun.proxy.$Proxy2.findAllUsersx(Unknown Source)
    at Thor.API.Operations.tcUserOperationsIntfDelegate.findAllUsers(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.security.Security.runAs(Security.java:41)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
    at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
    at com.sun.proxy.$Proxy3.findAllUsers(Unknown Source)
    at oim.standalone.code.OIMAPIConnection.usersearch(OIMAPIConnection.java:209)
    at oim.standalone.code.OIMAPIConnection.main(OIMAPIConnection.java:342)
    Caused by: Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
    at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.findAllUsers(tcUserOperationsBean.java:4604)
    at Thor.API.Operations.tcUserOperationsIntfEJB.findAllUsersx(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor1614.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy347.findAllUsersx(Unknown Source)
    at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
    at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
    at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.findAllUsersx(Unknown Source)
    at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
    at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
    at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Thank you

    Hi J,
    Thanks for the reply. But the code is working fine for OOTB attributes, and for the 11g API I am getting a permission exception
    Exception in thread "main" oracle.iam.platform.authz.exception.AccessDeniedException: You do not have permission to search the following user attributes: USR_UDF_ACTUALSTARTDATE.
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1465)
    at sun.reflect.GeneratedMethodAccessor1034.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy366.search(Unknown Source)
    at oracle.iam.identity.usermgmt.api.UserManagerEJB.searchx(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor1449.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy365.searchx(Unknown Source)
    at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.__WL_invoke(Unknown Source)
    at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
    at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.searchx(Unknown Source)
    at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
    at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
    at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: oracle.iam.identity.exception.SearchAttributeAccessDeniedException: You do not have permission to search the following user attributes: USR_UDF_ACTUALSTARTDATE.
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1462)
    ... 44 more

  • How to use JNI with Servlets

    Hi
    I was trying to do some example with JNI. I can use JNI with a standalone Java application but I just cannot figure out how I can use JNI with a Servlet.
    Can someone show me sample code using JNI with Servlets?
    thanks very much

    hi,
    I am also facing the same problem,
    when I am using JNI with a standalone application it works fine, but when I tried to use it with a servlet it gives an unsatisfied linker error
    stack: java.lang.UnsatisfiedLinkError: createSocket
         at RelayConnector.createSocket(Native Method)
         at RelayServlet.doGet(RelayServlet.java:70)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.java:891)
         at com.iplanet.server.http.servlet.NSServletRunner.Service(NSServletRunner.java:458)
    It seems I have to do some path settings in my iPlanet web server.
    If someone has faced the problem I would be glad to know the solution for this, I am literally bugged up,....

  • Best Way to Override 'Everyone - Read Only' using ACLs

    Hi, let me first clarify that I'm not an 'official' network administrator, I'm just the only one in a small design office able to attempt to figure this stuff out.
    We are needing to upgrade our security in a small office (5-7 users, 1 server running OSX Server 10.4.4).
    We've been working great since OSX Server 10.3.x using standard POSIX privileges setup as follows:
    Owner: Our_Server - R/W
    Group: OurGroup - R/W
    Everyone: None
    We've been able to share files great as we're all in the same group (OurGroup). No problems.
    Unfortunately, we now need to add a higher level of security for some incoming freelance workers. Essentially, we need to give them access to only certain folders UNDER our main Share Point directory. But we need to retain all of the freedom we've always had for the entire Shared directory.
    From my understanding, the only way to do this is by using ACL's and a different group for the freelancers. I've setup a TEST directory to try this on. I've almost got it setup to work the way we want, but now am experiencing what I've discovered to be one of the drawbacks of using ACL's - the "Inherit Permissions from Parent" feature of AFP is no longer an option.
    So using this method, new files added by default pick up the standard POSIX permissions, which allow Read access to Everyone. And I have to 'replicate' the behavior of 'Owner' and 'Group' that we had working before using POSIX or the group would end up Read Only.
    - Any way to simulate the inherited permission of 'Everyone: None" using ACLs?
    - Is there an easier/better way to allow access to only certain sub-folders of our main Share Point for a different group (FreelanceGroup)?
    - Any way to do this while keeping our good working POSIX model?
    - What should my POSIX access settings be set now when using ACLs?
    - How dangerous is having 'Everyone: Read Access' really? We have guest access disabled, appropriate firewalls, etc.?
    Thanks a lot. I hope I'm approaching this properly. I'm open to any tips. We just need to make sure nothing 'appears' to change too much in the workflow we have grown accustomed to (within reason).
    G5 Dual 2Ghz   Mac OS X (10.4)   1.5GB RAM

    If you haven't already, you may find my ACL Tips post helpful: http://discussions.apple.com/thread.jspa?messageID=1696702
    My best advice would be to concentrate on defining ACLs for the groups of users for whom access should be granted (Allow rules). These can define inheritance for newly created files and folders, and you don't have the limit of having to think about just one group and everyone else. Remember that the POSIX "everyone" group is actually "everyone else" - that is, any valid user (guest if guest access is enabled) who does NOT match the owner or who is NOT a member of the POSIX group. The way that POSIX permissions are calculated, the connecting user is always granted ownership if possible, then group membership (primary group first, membership lookup by GID second) if that fails. Failing the two, the everyone else permissions are returned.
    Here's an example that highlights the difference:
    There is a group called "everyone" - that's actually all users, guests included, if guest access is enabled. This group is NOT the POSIX everyone else field. Rather, if you grant an ACL deny for everyone, then that covers all users, not just those for whom you don't have an ACL defined!
    Further, there's an "authed users" group, which is the group of all authenticated users (and it never includes guests, even if guest access is enabled). Like the "everyone" group, membership is calculated by GUID by memberd. So you can think of these two groups as "smart groups."
    Since the "smart groups" have membership controlled by memberd and GUID values, it's wise to only use them when defining ACL entries. Neither should be used for the group value of the POSIX group field. Either membership calculation will fail, or the "everyone else" POSIX field may never need to be consulted.
    As to the missing "inherit from parent" feature, the story is just the opposite: ACLs actually give you better inheritance than that feature ever did. For example, ACLs each support inheritance with the file_inherit, directory_inherit, only_inherit, and limit_inherit controls. For each entry, you can have a group or single user's ACL entry apply to new child files, new child folders, or both. Further, you can control inheritance on a per-folder level, and manage how deeply that inheritance goes (limit_inherit) or whether the permissions are only inheritable.
    For example, your example POSIX group permissions would look like this using two ACLs:
    ourgroup allow readattr,readextattr,readsecurity,list,search,read,execute,write,delete,append,delete_child,add_file,add_subdirectory,writeextattr,writeattr,file_inherit,directory_inherit
    Again, my ACL Tips post explains more, and my answer to this post clarifies how new files, copied files, and moved files/folders get their POSIX and ACL permissions: http://discussions.apple.com/thread.jspa?messageID=3188259&#3188259
    Hope this helps!
    --Gerrit
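The two mechanisms described in the reply above, POSIX class selection and per-entry ACL inheritance, as a small Python model. This is an added example, not code from the original post or from Apple. The group name `Auditors` and all function names are hypothetical, and the inheritance rules are a simplified reading of the flag descriptions in chmod(1).

```python
from dataclasses import dataclass

# Inheritance control flags named in the reply above.
INHERIT_FLAGS = frozenset(
    {"file_inherit", "directory_inherit", "only_inherit", "limit_inherit"}
)


def posix_class(user, user_groups, owner, group):
    """Pick the single POSIX class that applies: first match wins."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"  # "everyone else", not "everyone"


def posix_allows(mode, user, user_groups, owner, group, want):
    """mode like 0o770; want is a bit mask (4 read, 2 write, 1 execute)."""
    shift = {"owner": 6, "group": 3, "other": 0}[
        posix_class(user, user_groups, owner, group)
    ]
    return ((mode >> shift) & want) == want


@dataclass(frozen=True)
class Ace:
    principal: str
    kind: str                      # "allow" or "deny"
    perms: frozenset
    flags: frozenset = frozenset()

    def evaluated_here(self):
        """only_inherit entries are passed on but not evaluated on this item."""
        return "only_inherit" not in self.flags


def inherit(parent_acl, child_is_dir):
    """Return the ACEs a newly created child receives from its parent folder."""
    needed = "directory_inherit" if child_is_dir else "file_inherit"
    child_acl = []
    for ace in parent_acl:
        if needed not in ace.flags:
            continue
        flags = set(ace.flags) - {"only_inherit"}   # the copy is evaluated
        if not child_is_dir or "limit_inherit" in flags:
            # Files cannot pass entries on, and limit_inherit stops the chain
            # after one level. chmod(1) documents that directory_inherit is
            # cleared; dropping every inheritance flag is this model's choice.
            flags -= INHERIT_FLAGS
        flags.add("inherited")
        child_acl.append(Ace(ace.principal, ace.kind, ace.perms, frozenset(flags)))
    return child_acl


def principals(acl):
    """Principals whose entries are actually evaluated on the item."""
    return [ace.principal for ace in acl if ace.evaluated_here()]


def demo():
    """Constructed share: three entries with different inheritance flags."""
    rw = frozenset({"read", "write", "add_file", "add_subdirectory"})
    share_acl = [
        Ace("OurGroup", "allow", rw,
            frozenset({"file_inherit", "directory_inherit"})),
        Ace("FreelanceGroup", "allow", frozenset({"read"}),
            frozenset({"file_inherit", "directory_inherit", "limit_inherit"})),
        Ace("Auditors", "allow", frozenset({"read"}),   # hypothetical group
            frozenset({"file_inherit", "only_inherit"})),
    ]
    subdir = inherit(share_acl, child_is_dir=True)
    return {
        "share": principals(share_acl),
        "new_file_in_share": principals(inherit(share_acl, child_is_dir=False)),
        "subdir": principals(subdir),
        "new_file_in_subdir": principals(inherit(subdir, child_is_dir=False)),
    }


if __name__ == "__main__":
    for item, who in demo().items():
        print(f"{item}: {who}")
```

The `limit_inherit` entry reaches the first-level folder and files but not files created one level deeper, while the owner check in `posix_allows` shows that a matching owner class is used even when the group bits would have granted more.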

  • How to use authid with rwservlet via WebLogic Thin Client

    1. Using J2EE Thin Client for WebLogic (WL) to submit interactive requests for Oracle Reports (App Server 10g) running on another server without SSO.
    2. After starting basic Infrastructure, we start rwserver in batch mode (no other mid-tier components are used).
    3. It appears that the cgicmd.dat file in the Thin Client conf directory on the WL server controls the DB access with the key:connect string info it has.
    4. We had been allowing the testers to come in via the web through a SunOne (iPlanet/Netscape) web server instance, which in turn connects to the WL server running the Thin Client instance.
    5. We noticed that anyone could run rwservlet to view report status with the showjobs command via a URL through the same mechanism as point #4 above, and were concerned about security of the reports - "bad".
    6. Then someone realized the showmap command could also be specified, and thus see the DB connect string (Id/pw/SID) - "worse".
    I researched securing Reports, and read through the white paper, "Securing Oracle9i Reports", and although it discusses security without using SSO, all it says is "users accessing a secured instance of Oracle9iAS Reports Services will be challenged to identify themselves by the Reports Servlet, using its own authentication mechanism (as with Reports6i)", but I can find no explanation of how that works, nor how it would work with the WL Thin Client.
    Questions:
    1. How are the Id's/passwords set up under AS 10g "as with Reports6i" in this environment going through the WL Thin Client?
    2. Is there anything else that needs to be done to secure the created reports, and the connect string info (i.e. using authid with rwservlet?showjob, and not allowing the rwservlet?showmap to be executed at all)?
    TIA,
    ROC

    the JDBC Developer's Guide (11gR2)
    gives an example in chapter 9 under "JDBC Thin Driver Support for Encryption and Integrity", sub- "Setting Encryption and Integrity Parameters in Java"
    from Oracle SQL Developer, without redirecting the client to use the OCI/thick driver, choose, new database connection, connection type Advanced. add the entry from the example noted above to the Custom JDBC URL form.
    for example:
    Properties prop = new Properties();
    prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL,"REQUIRED");
    prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES,"(AES128)");
    OracleDataSource ods = new OracleDataSource();
    ods.setProperties(prop);
    ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=xxxx)(INSTANCE_NAME=xxxx)))");
    Connection conn = ods.getConnection();
    strange side note!, we could not get this to encrypt unless the sqlnet.ora file included the SQLNET.ENCRYPTION_SERVER=required. if this was set to default(accepted), and even though the jdbc thin client properties set to required, the network traffic was still clear text.
    good luck
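For the rwservlet exposure raised in the question of this thread (showjobs and showmap reachable by URL through the front-end web server), a log check that finds such requests in the web server's access log. This is an added example, not part of the original posts: it assumes Common Log Format, accepts the command either as a bare query keyword (as written in the post) or as a path segment after rwservlet (an assumption), and the log lines and function names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format prefix; anything after the status code is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Commands named in the post. The poster rated them "bad" and "worse";
# the medium/high labels are this example's mapping of that ranking.
SEVERITY = {"showjobs": "medium", "showmap": "high"}

# Constructed sample lines (documentation address ranges, redacted authid).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2005:10:01:02 +0000] "GET /reports/rwservlet?report=sales.rdf&destype=cache HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2005:10:02:11 +0000] "GET /reports/rwservlet/showjobs?server=rep1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2005:10:02:40 +0000] "GET /reports/RWServlet?ShowMap HTTP/1.1" 200 900',
    '198.51.100.7 - - [12/Mar/2005:10:03:05 +0000] "GET /reports/rwservlet/%73howmap HTTP/1.1" 403 310',
    '192.0.2.10 - - [12/Mar/2005:10:04:00 +0000] "GET /reports/rwservlet/showjobs?server=rep1&authid=REDACTED HTTP/1.1" 200 2048',
]


def normalize(word):
    """Lower-case the keyword and fold the singular spelling used in the post."""
    word = word.lower()
    return "showjobs" if word == "showjob" else word


def rwservlet_command(target):
    """Return (command, params) for a sensitive rwservlet request, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()          # undo %-encoding and case tricks
    _head, sep, tail = path.partition("/rwservlet")
    if not sep or (tail and not tail.startswith("/")):
        return None                             # not rwservlet (or e.g. /rwservletx)
    params = {k.lower(): v
              for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    # Candidate keywords: first path segment after rwservlet, then query keys.
    candidates = [seg for seg in tail.split("/") if seg][:1] + list(params)
    for word in candidates:
        cmd = normalize(word)
        if cmd in SEVERITY:
            return cmd, params
    return None


def scan(lines):
    """Return one finding per request that asked rwservlet for status or key map."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = rwservlet_command(m["target"])
        if hit is None:
            continue
        cmd, params = hit
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "command": cmd,
            "severity": SEVERITY[cmd],
            "served": m["status"].startswith("2"),   # 2xx: content was returned
            "authid_supplied": "authid" in params,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A `showmap` finding with `served` set to true means the key map was returned to that client, so the connect strings it lists should be treated as disclosed.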

  • Installation Error with iPlanet Directory Server 5.1 SP1 and Windows 2000

    Hello,
    I'm having real trouble getting iPlanet Directory Server installed on a Windows 2000 Server machine. Every time I install it, no matter what options I choose, I get this series of popup boxes at the end:
    - Setup is unable to store configuration data in the LDAP directory
    - Unable to create Administration Server configuration
    - Could not authenticate ldap connection, "Unknown error"
    - Unable to set ACI in Configuration Directory Server
    But searching on this forum, I have found a lot of posts. I have tested the different solutions proposed:
    * Add to the hosts file the short name and the long name of my machine with its IP address
    * When the installation process crashes, uninstall the software, reboot the machine and then restart the installation
    With all these solutions, the problem is still here.
    Could you help me?
    Boris MANCHETTE

    Are you using Terminal Services? iPlanet DS will not install properly over Terminal Services. You have to install from the direct attached console.
    Ted

  • Re: nsapi problem with WL 4.5.2 no sp with iPlanet 4.0

              We are noticing the same problem with WL5.1, esp.
              I can replicate this by reducing the number of executeThreads
              within WebLogic to a very low number (say 5). It seems to
              me that there is a problem with the WebLogic proxy (NSAPI); it seems to be getting into a state where it is not able to handle connection startups/shutdowns in a graceful manner, leaving IDLE connections.
              Any pointers would be appreciated.
              Thanks.
              -dev
              "Jaime Chambron" <[email protected]> wrote:
              >here is more details on the probs we are seeing:
              >
              >Besides a number of other issues that I am experiencing with iPlanet 4.0
              >there are two specific issues that I need your help in resolving. These
              >issues are as follows:
              >
              >Idle connection on the web server. Summary: While running load tests on the
              >site I see up to 500 or more idle connection that will not time out or
              >recycle. Has anyone come across this issue? How was it resolved? Any
              >thoughts on what could be causing the idle connections? Below is an example
              >of the idle connection.
              >
              >*.* *.* 0 0 33232 0 IDLE
              > *.* *.* 0 0 33232 0 IDLE
              > *.* *.* 0 0 33232 0 IDLE
              > *.* *.* 0 0 33232 0 IDLE
              > *.* *.* 0 0 33232 0 IDLE
              > *.* *.* 0 0 33232 0 IDLE
              >
              >
              >
              >
              >2. Logging. How do I turn off verbose logging or minimize it?
              >Summary: Our error log files are continuing to fill up causing sluggish
              >performance and web server crashes. Any suggestions? Here are some
              >of the errors being logged.. (Suspect the NSAPI plugin)
              >
              >[25/Jul/2000:12:54:57] failure ( 1324): Error accepting connection -5971,
              >oserr=24 (PR_PROC_DESC_TABLE_FULL_ERROR)
              >[25/Jul/2000:12:54:57] failure ( 1324): Error accepting connection -5971,
              >oserr=24 (PR_PROC_DESC_TABLE_FULL_ERROR)
              >[25/Jul/2000:12:54:57] failure ( 1324): Error accepting connection -5971,
              >oserr=24 (PR_PROC_DESC_TABLE_FULL_ERROR)
              >[25/Jul/2000:12:54:57] failure ( 1324): for host 208.29.209.9 trying to GET
              >/, wl-proxy reports: Cannot connect to WebLogic: timed out after 10 seconds.
              >
              >[25/Jul/2000:13:18:18] warning ( 1324): DaemonProcessor::Run terminating
              >with 404 sessions still in progress
              >[25/Jul/2000:13:18:19] info ( 1437): successful server startup
              >[25/Jul/2000:13:18:19] info ( 1437): Netscape-Enterprise/4.0 SP4
              >BB1-02/07/100 17:53
              >[25/Jul/2000:13:34:49] failure ( 1437): for host 208.29.209.9 trying to GET
              >/, wl-proxy reports: Cannot connect to WebLogic: timed out after 10 seconds.
              >
              >[25/Jul/2000:13:35:43] failure ( 1437): for host 208.29.209.9 trying to GET
              >/, wl-proxy reports: Cannot connect to WebLogic: timed out after 10 seconds.
              >
              >
              >
              >
              >Jaime Chambron wrote in message <[email protected]>...
              >>hi -
              >>
              >>we are having a ton of probs with our error log on our web servers filling
              >>up and degrading performance b/c we are seeing the following error with our
              >>jsps (the web server sees up to a point in running, then all of a sudden
              >>starts to get errors after some load testing)
              >>
              >>the prob causes errors in the proxy.cpp file to occur (at different line
              >>numbers, i believe 400 something and 830) and says things like "file not
              >>found" (though it is there) or timeout...
              >>
              >>this is causing our webservers to eventually grind to a halt, and it looks
              >>like it has something to do with the nsapi plug in. do we need a patch? do
              >>we have something configured wrong?
              >>
              >>
              >>please help!!
              >>thanks
              >>j
              >>
              >>
              >
              >
              

              Hi,
              I'm experiencing the same problem with wls 5.1 sp 9 and iPlanet 4.1 sp 5.
              Did you figure this problem out?
              Regards,
              Torleif Galteland
              "Michael Caughey" <[email protected]> wrote:
              >
              >Have you had any luck in figuring out what is the root cause of your
              >problem?
              >We are having a similar problem using weblogic 5.1 SP6 & iPlanet 4.1
              >SP2.
              >Thanks,

  • Invoke-Command and $using:ACL problem

    Hi,
    Can anyone point me in the right direction?
    I want to modify an ACL on a remote server, but I cannot assign a variable inside the Invoke-Command where I'm also referencing a local variable.
    When the first Invoke-Command is run I get an error:
    A Using variable cannot be retrieved. A Using variable can be used only with Invoke-Command, Start-Job, or InlineScript
    in the script workflow. When it is used with Invoke-Command, the Using variable is valid only
    if the script block is invoked on a remote computer.
    $DriveFunctionDirectoryStructure = "z:\projects\1"
    Invoke-Command -Session $s -ScriptBlock { $acl = get-acl $using:DriveFunctionDirectoryStructure }
    Invoke-Command -Session $s -ScriptBlock { $acl.SetAccessRuleProtection($using:True, $using:ToggleAccessRuleFlag) }
    Invoke-Command -Session $s -ScriptBlock { Start-Sleep -Seconds 5 }
    Invoke-Command -Session $s -ScriptBlock { $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("localdomain\$using:groupName", "$using:AccessOption", "ContainerInherit, ObjectInherit", "None", "Allow") }
    Invoke-Command -Session $s -ScriptBlock { $acl.AddAccessRule($rule) }
    Invoke-Command -Session $s -ScriptBlock { Set-Acl $using:DriveFunctionDirectoryStructure $acl }

    Hi RFalken,
    you can use the -ArgumentList parameter of Invoke-Command like this:
    $script = {
        # Values from -ArgumentList are bound to these parameters in order
        Param (
            $Parameter1,
            $Parameter2
        )
    }
    Invoke-Command -ScriptBlock $script -ArgumentList @(2,42)
    Cheers,
    Fred
    There's no place like 127.0.0.1
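
    The -ArgumentList approach from the reply above, applied to the ACL change in the question, as an added example (not code from either poster). It assumes `$s` is an already-open PSSession; the group name and access right values are placeholders.

```powershell
# Added example. Assumptions: $s is an existing PSSession to the file server;
# the path comes from the question; group and rights values are placeholders.
$DriveFunctionDirectoryStructure = 'z:\projects\1'
$groupName            = 'ProjectUsers'   # placeholder group name
$AccessOption         = 'Modify'         # any FileSystemRights name
$ToggleAccessRuleFlag = $true            # keep inherited rules as explicit copies

$setAcl = {
    param(
        [string] $Path,
        [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [bool]   $PreserveInheritance
    )
    $ErrorActionPreference = 'Stop'

    # Drive letters mapped on the caller's machine may not exist in the remote
    # session, so fail before touching any ACL if the target is not there.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Not a directory in the remote session: $Path"
    }

    # Read, modify and write back in one remote call, so the ACL object never
    # has to survive between separate Invoke-Command calls.
    $acl = Get-Acl -LiteralPath $Path

    # $true is a language constant inside the block; it needs no $using: prefix.
    $acl.SetAccessRuleProtection($true, $PreserveInheritance)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the resulting entries so the caller can review what was applied.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Local values are passed positionally, in the order of the param() block.
Invoke-Command -Session $s -ScriptBlock $setAcl -ArgumentList @(
    $DriveFunctionDirectoryStructure,
    "localdomain\$groupName",
    $AccessOption,
    $ToggleAccessRuleFlag
)
```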

  • Version of jdk compatible with iPlanet 5.0

    Hi,
    I want to know the version of jdk compatible with iPlanet 5.0
    thanks

    :-) I think they are using iplanet 4.1.
    It used JDK 1.2 as per http://www.networkcomputing.com/1106/1106sp3.html
    "iPlanet 4.1 Offers Improved Java Support and Upgraded Security
    Out of the box, iPlanet Web Server supports JavaServer Pages 1.1PR1 (and is backward-compatible with JSP 1.0), servlets (with API-level support for 2.2 PR1), native JVM (Java Virtual Machine in Java Development Kit 1.2), LiveWire (server-side JavaScript) with JavaScript 1.4, and LiveConnect 3, which uses native JVMs instead of the Netscape JVM."

  • Software works with iplanet and Solaris

    Hi,
    I'm interested in software that works like CrystalReport. The software has to work with iplanet and Solaris. I use jsp as the GUI front end for reports.
    I would appreciate it if you can suggest a product.
    Thanks.
    Jerry

    I don't use Quicken, but believe there is now a version that is compatible with Lion.

  • ACL with password over ride?

    I'm using ACL to a Folder I call Master Images, it is set up to allow anyone to add images and open the images, but they are prevented from deleting them. But there are occasions when users do need to be able to alter these images. My initial solution was to set up a user that did have permission to delete; this works, but in practice no one uses it cos it interrupts their work to log out and in, then out and back in.
    Ideally I'd like a window to pop up and let the user enter a password to authorize the delete, but with ACL all the user sees is a message saying you don't have permissions. Any other ways round this? It is important the files are not easy to accidentally delete.
    Maybe it's possible to write an AppleScript that would take on extra permissions to delete a file?

    I slightly modified the script because although it worked it gave an error message when used on a network home, so I changed it to:
    set the_path to "Volumes/RAID/test/Master Images/"
    set the_string to POSIX file the_path as alias
    tell application "Finder"
        set the_names to (name of items of folder the_string)
    end tell
    set the_item to item 1 of (choose from list the_names)
    -- quoted form of escapes apostrophes and other shell metacharacters in the file name
    set the_path to quoted form of (the_path & the_item)
    do shell script "rm " & the_path with administrator privileges
    I'd like to be able to just save the App in a folder and have it automatically recognise the folder it is in, rather than having to change the first line to the path of the folder manually, any pointers?

  • Pb with Iplanet 3.6 SP7 (OK with 3.6 no SP)

    Hi
    First, sorry, but my English is bad!
    I have a problem when a server of my society tries to connect with another server through Iplanet proxy.
    In the access log file:
    10.107.116.102 - - [15/Jun/2005:09:56:21 +0200] "CONNECT re7bam.targetserver.fr:443 HTTP/1.0" 400 0 "-" "-" CONNECT connect://re7bam.targetserver.fr:443 - "-" 0 0 0 0 0 0 0 0 125 - - - - -
    In the error log file:
    [15/Jun/2005:09:56:21] failure: for host 10.107.116.102, http-parse-request reports: while scanning proxy HTTP headers, read failed, error is Opération réussie.
    I don't have this problem with Iplanet 3.6 (no service pack) with the same configuration files. Our server uses a specific tool to connect.
    Are there diagnostic tools for my problem?
    Any suggestions/recommendations are mostly welcome !!!

    Unfortunately, since your code is doing a "CONNECT" instead of a "GET" there is no way to see the actual url that the tool is requesting. The connect statement is basically telling the proxy that the client wants to start its own session to the remote server. The proxy doesn't participate in the http part of the CONNECT request.
    The only ways you can see the actual client requests are if you control either the client or server side. If you control the server side, then you can simply look in the webserver log file. If you only control the client side (and it's a special tool) then you have to figure out a way to get the tool's writer to log his/her requests somewhere. (If you have control of the server side, and have a copy of the keys, then potentially you can decrypt the traffic in ethereal or ssldump.)
    There are other man in the middle techniques also, but they involve setting up a type of reverse proxy that terminates and re-creates the ssl session. (I think one such tool is called grinder.)
    This is strange, yes
    -rich
