Using IBM Tivoli Access Manager to Secure Tuxedo Services

Wondering if anybody has any experience using 'IBM Tivoli Access Manager for e-business' to perform Tuxedo service authorization?
Is there an out-of-the-box integrated solution available, or does one basically have to build a security service that uses the Tivoli Access Manager APIs to determine if the user is authorized to invoke a service?
Thanks,

Hi,
I followed the steps for establishing SSO using TAM for the OBIEE application.
Below is the piece of code that I inserted in "instanceconfig.xml" to enable SSO:
<Listener>
    <!-- other settings ... -->
</Listener>
<CredentialStore>
    <CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another"/>
</CredentialStore>
<!-- other settings ... -->
<Auth>
    <SSO enabled="true">
        <ParamList>
            <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
            <Param name="IMPERSONATE" source="httpHeader" nameInSource="iv-user"/>
        </ParamList>
        <!-- Optional. Replace the URLs with the actual logoff/logon URL -->
        <LogonUrl>http://pkmslogin</LogonUrl>
        <LogoffUrl>http://pkmslogout</LogoffUrl>
    </SSO>
</Auth>
My credential store file looks like the one below:
<sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>USER</sawcs:username>
    <sawcs:password>password</sawcs:password>
</sawcs:credential>
In the above code I am trying to get the user ID of a user, who has already been authenticated by the Windows desktop authentication mechanism, through the header of the application's URL.
But when I try creating a junction using TAM and access the application through the junction, I still get the logon page of the OBIEE application...
Can anyone help me out with this issue?
Thanks in advance...
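With the configuration above, OBIEE accepts whatever identity the iv-user header carries, so the backend must only honour that header on requests that actually came through the WebSEAL junction. The following is an added defender-side illustration, not code from the original post or from IBM or Oracle; it assumes the backend sees the peer address of the connection (REMOTE_ADDR) and that the junction is configured to inject a constructed shared-secret header, here named X-Junction-Secret (a hypothetical name).

```python
"""Defensive handling of the iv-user header behind a WebSEAL junction.

Added illustration, not code from the original post or from IBM/Oracle.
Assumes a WSGI-style environ in which headers appear as HTTP_<NAME> and
the TCP peer address as REMOTE_ADDR; the X-Junction-Secret header and
the values below are constructed for the example.
"""
import hmac
import ipaddress

# Constructed values: the junction hosts and the secret a deployment would set.
TRUSTED_JUNCTIONS = [ipaddress.ip_network("10.0.5.0/24")]
JUNCTION_SECRET = "constructed-shared-secret"


def header(environ, name):
    """Fetch an HTTP header from a WSGI-style environ (iv-user -> HTTP_IV_USER)."""
    key = "HTTP_" + name.upper().replace("-", "_")
    return environ.get(key)


def authenticated_user(environ, trusted=TRUSTED_JUNCTIONS, secret=JUNCTION_SECRET):
    """Return the WebSEAL-asserted user, or None if the header cannot be trusted.

    Three checks, each of which fails closed:
      1. the TCP peer is one of the junction addresses;
      2. the junction shared secret matches (constant-time compare);
      3. iv-user is present and is a single, plausible identity token.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in trusted):
        return None
    presented = header(environ, "X-Junction-Secret") or ""
    if not hmac.compare_digest(presented, secret):
        return None
    user = header(environ, "iv-user")
    if not user or "," in user or any(c.isspace() for c in user):
        return None  # reject empty or multi-valued assertions
    return user


def scrub_environ(environ, **kw):
    """Middleware-style helper: drop iv-user unless it was verified.

    Returns a copy of environ. An unverified request reaches the application
    with no identity header at all, so the IMPERSONATE lookup simply fails
    rather than acting on a client-supplied name.
    """
    env = dict(environ)
    if authenticated_user(environ, **kw) is None:
        env.pop("HTTP_IV_USER", None)
    return env
```

The same check generalises to any header-asserted identity (iv-groups, iv-creds): verify the transport path first, then the value.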

Similar Messages

  • Oracle Apex - SSO with IBM Tivoli Access Manager WebSeal - filters out Files with Server Error 500

    Hi,
    We are using IBM Tivoli Access Manager for SSO to authenticate users to access our APEX application. The authentication works but...
    When the application is accessed through WebSeal, JS/CSS files are randomly not loaded and show up with either an HTTP 400 or HTTP 500 error in the FF Toolbar Console. Of course, without certain CSS/JS files the application can't be used by the user.
    If the application is accessed without WebSeal, all files are loaded successfully.
    Our set up:
    There are two APEX Applications using the WebSeal - the first one apparently works
    Apex Listener on Tomcat7.0
    Apex 4.2.6
    We tried all kind of different WebSeal configurations but nothing worked so far.
    I found the following:
    interactive report problem with SSO
    ==> Does anyone know how to use mapping tables and does it help?
    Interactive report javascript error due to proxy
    ==> The solution is for EPG but we use Tomcat as Listener so the solution does not apply
    Does anyone know how to configure the WebSeal?
    Thanks

    I have the same issue with Apex 4.2.6 and Webseal, but only on the Mobile Application. The Desktop Application is ok.
    I have raised an SR on supportweb, but the SR engineer tells me it may be a Webseal issue; they can't reproduce it with Oracle Access Manager.
    It's really a tough issue.

  • Is it possible to Integrate IBM Tivoli Access Manager with EBS R12.1.3 ?

    Hi All,
    We have a requirement to integrate IBM TAM with Oracle EBS R12.1.3. We already had such a setup with TAM 5.1 and Oracle EBS 11.5.0. Now we are trying to replicate the setup using R12.1.3 and end up with failures.
    - TAM login is unable to bypass the Oracle EBS 12.1.3 page (the Webseal landing page maps to /OA_HTML/RF.jsp in R12, while 11i has /OA_HTML/AppsLocalLogin.jsp), which normally gives the home page in 11i.
    - I can see EBS is not accepting the TAM post call completely.
    Can somebody please throw some light on this.
    OS -- IBM AIX 6.1
    DB - 11.2.0.3

    Hi Hussein,
    Thanks for the reply. There is no error message as such. The TAM page just routes it to the apps login page.
    I've reviewed the above MOS notes. But in our case we are not using any forms services. Just the HTTP and oacore services are running on the application node.
    The standard IBM note below was followed for the config:
    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame2.doc_5.1%2Fam51_webseal_guide99.htm
    The Apache log with the debug option gives the messages below:
    10.15.25.71 - - [26/Jun/2013:10:31:35 +0100] "GET /OA_HTML/RF.jsp?function_id=1024788&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US HTTP/1.1" 200 13618 6 "https://isup-sit.via.novonet/pkmslogin.form" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
    10.15.25.71 - - [26/Jun/2013:10:31:35 +0100] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/sso/login/webui/MainLoginPG&_ri=0&_ti=1493943578&language_code=US&oapc=2&oas=vAqt8ennrMoGojwjkH3sjA.. HTTP/1.1" 200 12466 0 "https://isup-sit.via.novonet/isup/OA_HTML/RF.jsp?function_id=1024788&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
    In the normal course we used to get one more GET to OA.jsp, which is not happening here:
    GET /OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE
    Please note we are not using Oracle SSO.
    Thanks,
    Lakshmanan

  • Hyperion integration with Tivoli Access Manager

    Hello All:
    Does Hyperion support using pre-authenticated users from IBM Tivoli Access Manager? Can you please point me to any documentation explaining the integration procedure?
    TIA.

    Suggest you read sections 2,3,4 of the below document:
    http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
    It doesn't come out and say that this type of agent is supported. You can potentially log a case with Oracle and they may be able to answer you; however, as it's not documented, I would suggest it's not supported.
    If you decide to go forward with this then you need to find someone else who is using it successfully and ask them how it is working out.
    Presuming they didn't change too much from 9.3.1 to 11.1 (9.5), you will find many, many issues with SSO working.
    Saving a user a login box or two and making the application non-usable just isn't a good direction to go.
    John

  • Tivoli Access Manager 6.0 with Sun Java System Directory 6.3

    Hi,
    We have been using Tivoli Access Manager 6.0 with Sun Java System Directory 6.3.
    Using the IBM TAM Java API we can administer user creation, but the API provides support only for creating a user with the required attributes such as user name, password, description, setAccountValid etc.
    But Sun Java System Directory 6.3 contains many attributes, just to name a few...
    First Name (givenname), User ID (uid), Password (userPassword), Confirm Password
    E-mail (mail), Telephone Number (telephoneNumber), Country (c), Fax Number (facsimileTelephoneNumber), Locality (l), Organization (o), Organizational Unit (ou), accessHint, accountHint, departmentNumber, description, destinationIndicator, displayName, employeeNumber etc...
    Now my issue is: if we need to add values for other attributes such as "accessHint", "employeeNumber" etc., then how can we achieve this using the IBM TAM Java API, or is there any other way?
    Thanks for your kind help...

    Looks like the attribute sunIdentityServerDiscoEntries is defined twice in the schema. Run the following and see where it is defined for the second time.
    # cd /var/opt/SUNWdsee/dsins1/config/schema
    # grep -w sunIdentityServerDiscoEntries *.ldif | grep -iv objectclasses
    Edited by: etst123 on Mar 3, 2009 1:28 PM

  • BPC authentication via Tivoli Access Manager

    Hello experts,
    I'm now investigating the BPC authentication mechanism with third-vendor authentication software.
    Is it possible to log in to BPC v7.5 MS version via Tivoli Access Manager with 'Reverse Proxy'?
    And can BPC get login-user information as an HTTP header from Tivoli Access Manager at this time?
    If the above situation is possible, can BPC utilize BO Enterprise authentication with Tivoli Access Manager?
    Best regards,
    Tatsuo Oba

    SAP BOPC can use Reverse Proxy.
    I'm not sure how you want to use Tivoli Access Manager with SAP BOPC?
    It is also very interesting to know the reason you would like to use SAP BOPC in this way.
    It can be a very nice case study.
    BPC cannot get information like an HTTP header, and something like that would be unsafe from a security point of view.
    Regarding your question:
    BPC to utilize CMS authentication with Tivoli Access Manager
    I think you have to provide more information. Why do you need Tivoli Access Manager to access BPC or to do authentication to CMS?
    I have to mention I don't know how Tivoli Access Manager works, and because of that I'm asking you to provide more information.
    Regards
    Sorin Radulescu

  • Punchout - How to post login params to Tivoli Access Manager?

    I am trying to help a customer access our parts ordering system. He is using SAP and wants to use the OCI Punchout feature. (Warning: I am a complete and utter SAP novice)
    Our application servers are protected by Tivoli Access Manager and users currently log in to our application by entering their user/pwd info in a form. This customer wants to store this login info in SAP and perform the login automatically, as well as posting other parameters, such as HOOK_URL etc., to our parts ordering application.
    I have been struggling with this for a few days now but without success. Can anyone offer some pointers here? Has anyone done something similar?
    Thanks
    Paul

    Thanks for your reply Masa,
    as I mentioned in my post, I am an SAP novice. I am assuming that the user, password and hook url are stored somewhere in SAP for use in the punchout.
    The problem I see is this: how to log in with TAM and send the hook URL to my application. It seems to me to be 2 separate actions.
    Paul

  • I recently converted from my Blackberry Torch to the Z10.  I travel a lot and use the VZ Access manager through my Torch.  Can I do the same thing through my new Z10?  I don't see that as an option on the software sight.


    Hi Atepastt,
    Congrats on your new Z10! I know having the right features is important. The Z10 uses Blackberry link software. The device uses the mobile hotspot feature to non-cord tether the device. The mobile hotspot feature is an additional cost. You can add this feature online http://vz.to/1di2TlT .
    Thanks,
    PamelaF_VZW
    Tweet us @vzwsupport

  • Tivoli Access Manager WebSeal & Infoview

    Post Author: ab129001
    CA Forum: Authentication
    Is it possible to enable Infoview users to authenticate via Tivoli Access Manager WebSeal (a reverse proxy authentication product)?
    Thanks in advance.
    Andy

    Post Author: jsanzone
    CA Forum: Authentication
    Andy,
    It's my understanding that in order to achieve SSO w/ TAM running under WebSeal, that a Portal Integration Kit (PIK) must first be produced from BusinessObjects for the XI R2 platform.  Back in early April 2007, before I knew about PIKs, I submitted a trouble ticket to Tech Support in the hopes of getting a "quick" solution, hence the PIK education lesson.  In response to my request, tech support submitted an enhancement request for a WebSeal Portal Integration Kit, the Ticket number for the enhancement is ADAPT00755013.   If you find out anything further on this situation, I'd be all ears!!

  • Using several UMTS access points (APN) for different services

    Hello,
    I wonder if it is possible to use several UMTS access points (APNs) for different services.
    situation:
    1) The iPhone is used for business AND private purposes.
    2) The company's mobile telephone contract includes an APN, which is only usable by the employees' mobile phones.
    problem / question:
    Is it possible to define two access points in the iPhone, so that for example the Exchange account uses the company's APN, while all the other apps use the standard APN of the carrier?
    The problem is that some iPhone benefits like push messages are blocked by the carrier's APN. Now I have to switch the access point by installing the appropriate profile every time I want to check my e-mails, or vice versa for using "normal" apps.
    I hope you can help me.
    Greets from Germany
    Mitch

    Thanks for your help! This really helps a lot! We actually only want to replace the autonomous access point with the controller solution and make one WLAN available at another site. From what I can see, this is possible with our current solution; we just need to switch from Layer 2 to Layer 3 and purchase the corresponding number of supported Access Points (I think we should be able to get some refurbished ones).
    Am I correct in assuming that the Access Points we want to replace (AIR-AP1230B-E-K9 with 802.11b radio only) cannot be upgraded to lightweight ones? Since if I understood document http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html correctly, this is not possible with access points that only have 802.11b radios.
    Regarding the switch from Layer 2 to Layer 3: Do we really only need to perform the steps I described in my first post?
    And one last question regarding REAP. As far as I understood this is only needed when local traffic needs to be maintained in case the connection to the WLC becomes unavailable. So we really don't need it if we want to access resources that are only available over the WLC?
    Thanks again for your help!
    Michael

  • Using Identity Management for Securing Web Services

    My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
    (My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
    Here is what I did:
    1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
    2. I made a data control for the web service and put it in an ADF application (client).
    3. I deployed the client project(2) to OC4J.
    I could use the web service through the page.
    Then
    I secured the web service to expect SAML for authentication.
    Surprisingly, the client could still communicate with the web service. Why? Shouldn't it have rejected the request because of the problem with the SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens.)
    4.
    I added a login page to my client project (through the ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
    5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
    I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/>
    to one of the configuration files, but don't know where exactly.
    Best Regards,
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business-critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
    Today you may have secured your parent services, and tomorrow you could come up with a new service which may use one of the existing lower-level services.
    If all the services are in one application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    The typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the app server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of security extensions.
    Centralizing security enforcement will make your development and security operations loosely coupled and addresses scalability.
    Thanks
    Ram

  • Unable to use SSL between Access Manager and Directory Server

    I am trying to set up Access Manager to use SSL when communicating with Directory Server. Access Manager 7 is running under Sun Web Server 6.1. I have configured Directory Server to use SSL using a self-signed CA and have imported the CA certificate into the certificate database for Web Server. When I change the Access Manager configuration as specified in the Admin Guide to use SSL and restart the Web Server, Access Manager fails with the message
    (among many others):
    netscape.ldap.LDAPException: SSL connection to
    eauth1.arc.nasa.gov:636, SSL_ForceHandshake failed: (-8157) Certificate extension not found. (91); Cannot
    connect to the LDAP server
    I am able to connect to the Directory Server instance with JXplorer using SSL (with a complaint about an unknown CA). Can someone explain the error message so that I can fix the problem or work around it?
    Thanks

    In the initial part of AMConfig.properties, you'll find an entry similar to trustSSLCerts. This, by default, is set to false. Try setting it to true (the AM web server instance will need a restart). This lets AM continue with SSL handshaking in spite of errors. I am not sure if this affects AM to DS connectivity as well. It sure affects AM to AM communication (in a multiple server configuration).
    Naturally, it is not recommended that you use this feature when you are ready for production, but at least it'll let you be sure that apart from the cert issue, everything else is okay.
    Hope this helps.

  • Access Manager 6 2005Q1 naming service behind load balancer

    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated, the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
    The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
    We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
    How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

    Bernhard,
    We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
    Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files.
    AMAgent.properties
    com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
    com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
    AMConfig.properties
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.host=am.mydomain.com
    com.iplanet.am.server.port=443
    com.iplanet.am.console.protocol=https
    com.iplanet.am.console.host=lb-mydomain.com
    com.iplanet.am.console.port=443
    com.iplanet.am.profile.host=lb-mydomain.com
    com.iplanet.am.profile.port=443
    com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
    com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
    If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
    Thanks,
    Craig

  • Task List Access Manager Role in Shared Services

    Hi
    The documentation says this role "Assigns task lists and tasks to other users". I have assigned this role to a group (in Shared Services), I have given that group Manage and Assign access to the Task List (in Planning), and have even done a security Refresh.
    Yet, when I go in as a user who is in that group, I do not see the Assign Access button in Manage Task Lists.
    Is this a bug or have I missed a step?
    We are on 11.1.2.1
    Thanks!

    Hi,
    Have you tried generating a provisioning report in Shared Services, have a read of :- http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/provrep.htm
    If that doesn't suit your requirements then you could always have a look at using CSSImportExportUtility to export provisioning to a csv file. The utility is located in hyperion\common\utilities and has a pdf on instructions how to use it.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Unable to use the Assign Access Control feature in shared services

    Hi,
    When I try to right-click on the Essbase application in Shared Services to assign access control (to assign a new filter) I keep getting the following error:
    "Internet cannot display the webpage" message with the following
    This problem can be caused by a variety of issues, including:
    Internet connectivity has been lost.
    The website is temporarily unavailable.
    The Domain Name Server (DNS) is not reachable.
    The Domain Name Server (DNS) does not have a listing for the website's domain.
    There might be a typing error in the address.
    If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section
    All the services are running fine and I can create new users/groups and also perform application migration.
    I'm using Hyperion 11.1.3.24 on windows 2003 r2.
    Any help is appreciated. Thanks.
    Regards

    vs wrote:
    John,
    I tried the refresh button and nothing appears. I have created a group and gave it filter access. Now I'm trying to attach that filter to the group.
    Appreciate your help. Can we replace the backup .sec file for Shared Services?
    For example: in Planning, if the .sec file is corrupted then we replace it with the old .sec file... right... can we do the same in Shared Services?
    I know if we replace the old .sec in Planning, it will take the old securities only...
    Edited by: Prabhas on Feb 12, 2013 9:27 PM
