Webservices security and authentication..?

Hi Guys,
Thanks for the previous help. Can anyone suggest a solution/mechanism to
enforce security and authentication for published webservices?
I have situation where an external system (of Business Partner) would
like to request-services of webservices deployed via SOAP XML messaging.
How could i authenticate the system requesting the service is our
business partner system?
Any suggestions welcome,
thanks\
RA

You have two choices:
1. Use HTTP simple ( password based ) authentication. This is
usually called transportation level authentication.
2. Use SOAP signature and time stamp (X509 Certificate based) authentication.
This is called content level authentication.
In both case, you need modify the SOAP client to put in authentication information
and add interceptor in server side to do actually authentication before SOAP router
actually dispatch the calls to the service.
Heyun Zheng
Ramesh Ankam <[email protected]> wrote:
Hi Guys,
Thanks for the previous help. Can anyone suggest a solution/mechanism
to
enforce security and authentication for published webservices?
I have situation where an external system (of Business Partner) would
like to request-services of webservices deployed via SOAP XML messaging.
How could i authenticate the system requesting the service is our
business partner system?
Any suggestions welcome,
thanks\
RA

Similar Messages

Security and authentication

The bottom line is I don't know anything about either of
these two areas. I've always been a client side interactive
developer and designer, handing off the real backend work to
developers in that field. FMS is finally plunging me into this
area, as now I can apply my knowledge of ActionScript to the server
side of things, and pull together some amazing stuff.
How should I authenticate, say, a basic chat, so only logged
in users can send a message? I can easily require login on the
clientside, but that wouldn't stop spoofing and decompiling. Is the
FMS communication encrypted? I could send username/password for
each message based on the client input, and authenticat securly on
the server against a serverside list, but that seems rather foolish
in the event someone listens in on the clients messages, they would
then see the username and password. But how else would it be
done?

FMS can use SSL just like an https server can, but it's not
configured by default. You'd need to set up a certificate and
configure FMS to use SSL. That said, unless you need to encrypt the
chat (or other data/audio/video), you don't need to secure your FMS
Really, all you need to to is authenticate once when the user
connects. Here's what I like to do:
1. Have the user log in via https (before connecting to the
FMS app)
2. Have the http side login process create a token (I like to
use a random 50 character string) and store it in a database
3. Pass the token back to the client in the response to the
authentication request
4. Connect to FMS, passing the token in the
netconnection.connect arguments
5. Before accepting the client, the FMS app calls back to the
http server (using loadvars, netservices, or an xml object),
sending the token in the request
6 The http service checks the ticket, and returns a success
or failure message. If the ticket is good, the service expires or
deletes it so it can't be used again.
7. The FMS app accepts/rejects the client based on the
response from the token authentication request.
So, the only time a password gets transmitted is when the
client first logs in. That makes it easy to encrypt the sensitive
data, and then just send the token (unencrypted) to the FMS server.
Even if someone intercepts the token, it will be of no use to them,
as it can only be used once.

User and Device Security and Authentication

i'm trying to configure user & device security & authentication by following "http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/white_paper_c11-492830.html" that has following confg.
============
aaa new-model
aaa group server radius authproxy
server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
ip radius source-interface Vlan10
aaa authorization auth-proxy default group authproxy
ip inspect fw test tcp
ip inspect fw test udp
ip inspect fw test rtsp
ip inspect fw test tftp
ip inspect fw test skinny
ip inspect name test sip
ip inspect name test sip-tls
ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm
ip admission auth-proxy-banner http ^
This is the authentication proxy challenge
^
ip admission max-login-attempts 6
! Configure 30 minutes of inactivity timeout.
! proxy_acl is the intercept ACL
ip admission name pxy proxy http inactivity-time 30 list proxy_acl
ip admission name test_proxy proxy http list proxy_acl
interface Vlan10
description inside interface
ip inspect fw in
ip access-group proxy_inbound_acl in
ip admission test_proxy
ip access-list extended proxy_acl
remark --- Auth-Proxy ACL -----------
! Deny lines are used to bypass auth-proxy
deny tcp any host 10.10.200.1 eq www
! auth-proxy will intercept http access matching the below permit lines
permit tcp any 10.10.30.0 0.0.255 eq www
ip access-list extended proxy_inbound_acl
remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
! Allow access to certain protcols
permit udp any any eq domain
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit udp any any eq 5445
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 2000
permit tcp any any eq 2443
permit udp any any eq tftp
! Block corporate subnets. If split tunneling is not enabled denying
! all traffic using
! "deny any any" is sufficient
deny ip any 10.0.0.0 0.255.255.255
Permit ip any any ! if split tunneling is enabled
=========
I've couple questions:
1. "ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm" - does it mean banner can reside anywhere or it has to be in the flash of the router?
2. what does "proxy_acl" do?
3. what does "proxy_inbound_acl" do?
4. we don't want to all split tunneling, what should that acl look like?

OK so basically what you need to do is doing EAP-TLS with Machince authentication.
Yes, that can be done. However WHO is it going to be authenticating both? IAS? or ACS?
Here it is a configuration example on how you can do this using ACS, doing it with IAS would be basically the same.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

REST Webservices security

I am trying to set up the REST Webservices module, but I seem to be running into issues with security and authentication. I can get sessions from the client side properly, but I cannot call any methods on components.
*/atg/rest/security/restSecurityConfiguration.xml*
<programlisting>
<rest-security>
    <default-acl value="EVERYONE:read,write,execute"/>
      <resource component="/path/to/component/TestComponent" secure="false" requiresSessionConfirmation="false">
        <method name="getTestComponentName" secure="false">
          <acl value="EVERYONE:read,write,execute" />
        </method>
      </resource>
</rest-security>
</programlisting>
TestComponent.java
public class TestComponent {
public String getTestComponentName() {
    return this.getClass().getCanonicalName();
}I have turned on the DEBUG level logging in ACC for the RestSecurityProcessor and this is what I see in my logs when I try to access my TestComponent (which is just testing to see if I have access to methods):
INFO [RestSecurityProcessor] DEBUG Received POST request for
INFO [RestSecurityProcessor] DEBUG Resource container is valid component. Returning true.
INFO [RestSecurityProcessor] DEBUG handlePostRequest: Handling component /path/to/component/TestComponent
INFO [RestSecurityProcessor] DEBUG getParentSecurityConfiguration: Looking for wild card ComponentSecurityConfiguration for component /path/to/component/TestComponent
INFO [RestSecurityProcessor] DEBUG getParentSecurityConfiguration: Looking for default ComponentSecurityConfiguration
INFO [RestSecurityProcessor] DEBUG handlePostRequest: Can't find ComponentSecurityConfiguration for component /path/to/component/TestComponent
ERROR [RestSecurityServlet] Error code: 401
Access to the requested resource is not allowed: /path/to/component/TestComponent
atg.rest.RestException: Access to the requested resource is not allowed: /path/to/component/TestComponent
     at atg.rest.processor.RestSecurityProcessor.handlePostRequest(RestSecurityProcessor.java:315)
     at atg.rest.processor.RestSecurityProcessor.doRESTPost(RestSecurityProcessor.java:208)
     at atg.rest.servlet.RestPipelineServlet.serviceRESTRequest(RestPipelineServlet.java:406)
*snip*Edited by: Gommy on Apr 8, 2013 6:19 AM - Fix typo in package path

After finding a default restSecurityConfiguration.xml inside of REST/config.jar:/atg/rest/security/, I located a .dtd ( http://www.atg.com/dtds/rest/restSecurity_1.0.dtd ) to figure out what exactly ATG was expecting for a configuration.
1. Turns out the <programlisting> tag isn't expected (error in the documentation for our version of ATG, apparently), <rest-security> is the top-level element for this configuration file. This was causing the file to not be parsed at all.
2. requiresSessionConfirmation does not exist on the resource element.
The TestComponent and its properties were correct. Just the restSecurityConfiguration.xml was incorrect due to very poor documentation, no full example to see what a correct file should look like, and lack of obvious schemas (i.e., no schemas or links to schemas are provided in any documentation) to validate against.

Web Services, WS-Security and WebServices Assembler

Two questions about WebServices and jDev 10.1.2
1 - What underlying technologies is WebServcies Assembler using to generate WS code? Axis? Suns' WS developer kit? Other?
2 - We need to utilize WS security and 509 certs to secure some web services, can WSA handle this? If so, what's the general recommeneded approach? If not, any other recommendations?
_mike

1 - What underlying technologies is WebServcies Assembler using to generate
WS code? Axis? Suns' WS developer kit? Other?A. JDev uses its own stack to generate this code
2 - We need to utilize WS security and 509 certs to secure some web services,
can WSA handle this? If so, what's the general recommeneded approach? If
not, any other recommendations?A. Web Service Security is supported in 10.1.3

BPEL to invoke a webservice secured by BASIC auth

Hi
I have been trying to write a simple BPEL process to invoke a remote webservice secured by basic authentication. I was able to build the BPEL process and then the composite application that I deployed successfully to glassfish, all within NetBeans IDE. As per the wiki notes: http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication, I also added the Policy element to the wsdl for the service that I am trying to invoke as follows:
<wsdl:service name="PMSDatabase">
        <wsdl:port name="PMSDatabaseSOAP11port_http" binding="ns2:PMSDatabaseSOAP11Binding">
            <soap:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseSOAP12port_http" binding="ns2:PMSDatabaseSOAP12Binding">
            <soap12:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseHttpport" binding="ns2:PMSDatabaseHttpBinding">
            <http:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
        </wsdl:port>
    </wsdl:service>
    <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
               <mysp:WssTokenCompare/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
        <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
           <wsp:Policy>
                <sp:WssUsernameToken10>mcs_user</sp:WssUsernameToken10>
                <sp:WssPassword>${pass_token}</sp:WssPassword>
           </wsp:Policy>
      </mysp:UsernameToken>
    </wsp:Policy>When i try to run a testcase, the BPEL process fails during the invoke activity and I get the following error in the output:
<detailText>BPCOR-6135:A fault was not handled in the process scope; Fault Name is {http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling}systemFault; Fault Data is <?xml version="1.0" encoding="UTF-8"?><jbi:message xmlns:sxeh="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling" type="sxeh:faultMessage" version="1.0" xmlns:jbi="http://java.sun.com/xml/ns/jbi/wsdl-11-wrapper"><jbi:part>HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.</jbi:part></jbi:message>. Sending errors for the pending requests in the process scope before terminating the process instance
   Caused by: BPCOR-6131:An Error status was received while doing an invoke (partnerLink=PartnerLink1, portType={http://service.messagecentre.dha.gov.au}PMSDatabasePortType, operation=deletePMSVoidPeriod)
BPCOR-6129:Line Number is 48
BPCOR-6130:Activity Name is Invoke1
   Caused by: HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.
   Caused by: request requires HTTP authentication: User mcs_user not found in directory.</detailText>Where else do i need to configure the BASIC auth details to get this to work?

Please post your request to [email protected] for quick response.
Error states "mcs_user" is invalid user. Please make sure that the user is valid.

How do I bind to directory server with SSL and authentication?

I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
Here are the problems:
1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
2) I was never prompted to authenticate for the directory binding.
So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
Thank you.

You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
Cheers,
Vikas

10.5.2, Screensaver Security, and Disk Utility

After installing the 10.5.2 software update, it is appropriate to use Disk Utility (DU) to repair permissions. I learned this from the fact that I had somehow lost the protection I had previously set up by requiring my password to wake up the computer from its screensaver mode. I checked my preferences and found them to continue to call for that form of security with the use of my screensaver. Because my preferred security settings were being ignored, I assumed I needed to repair permissions on my system files. When something isn't working as it should, then it's my understanding that in all likelihood permissions are out of kilter. The Software Update process somehow managed to alter some of my permissions, and again, as I understand it, this is a matter that should be suspected after any software installation.
So I ran Disk Utility to repair permissions.
With Leopard, Disk Utility's repair process runs differently from the way it did in Tiger.
Under Leopard, Disk Utility's repair permissions routine presents a funny user interface. At the outset of the repair process, it ain't exactly clear that anything is really happening even though the repairs are indeed underway.
First thing DU does when the repair process starts is show you a blue progress bar and words to the effect that the process will require about 1 minute more. Then that blue bar sits there doing nothing whatsoever in terms of measuring progress - until about five minutes have passed. During this 5 minute hiatus, DU is building its own permissions data base which it will subsequently use to do its repair work.
Once the permissions data base is constructed, DU's progress bar will suddenly come alive again to show about fifteen minutes longer to complete the repair process. That fifteen minute item changes rapidly from then on, with all repairs being completed in just about five minutes more. (DU took altogether about ten minutes to do its repair thing under Leopard on my computer.)
DU will show you a list of permission faults that it finds, with the ones it can fix, repaired. You may, according to Apple, safely ignore faults listed involving "SUID" or "ACL". (With 10.5.2, the "SUID" faults appear to have stopped showing up but the "ACL" faults continue to be presented on my computer.)
If you have any wonderment about Disk Utility being at work when it appears that it is hung up for about five minutes, then open your Activity Monitor (AM) and select the CPU column. You'll be able to watch DU's use of the CPU while it is building the permissions data base. When DU's CPU usage ceases, you'll find that your permissions have been repaired. You can keep both DU and AM windows open on your monitor if you wish to suffer along with this sort of discombobulation.
After repairing permissions, I rebooted to find my screensaver password once again being called for as it should.

Okay, just a little update.
I added the replica server to the "Authentication" search in the Directory Utility, right after the OD Master.
I have also added it to the search path in the Workgroup Manager on my 10.4.11 server, and authenticated. Sees it just fine.
Now, when I fake a failure of the Master, (IE, shut it down), it just hangs forever, and doesn't timeout and move on to the replica.
Am I missing something? Isn't this the point of a replica?
Help?
Thanks!

Error:- weblogic.security.SecurityInitializationException: Authentication

Hi,
I am getting below error when ever i am trying to start the Managed server in cluster environment(unix).
I am able to start the server on local machine but in case of remote machine its not gettig started.
I have tried most of the steps as mentioned below:-
1) Changed the weblogic passowrd.
2) Delete boot.properties.
3) deleted $DOMAIN_DIR\servers\<admin-server-name>\data\ldap
4) Followed below post also but nothing worked:-
https://forums.oracle.com/forums/thread.jspa?threadID=956750&start=30&tstart=0
####<Nov 14, 2011 7:41:28 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888310> <BEA-000000> <WebLogic Server "soa_server2" version:
WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 Copyright (c) 1995, 2009, Oracle and/or its affiliates. All rights reserved.>
####<Nov 14, 2011 7:41:28 PM IST> <Notice> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888419> <BEA-170019> <The server log file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/logs/soa_server2.log is opened. All server side log events will be written to this file.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888426> <BEA-170023> <The Server Logging is initialized with Java Logging API implementation.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Diagnostics> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888494> <BEA-320001> <The ServerDebug service initialized successfully.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3s" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "http" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "https" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888561> <BEA-002622> <The protocol "iiop" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "iiops" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldap" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldaps" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888564> <BEA-002622> <The protocol "cluster" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888565> <BEA-002622> <The protocol "clusters" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "snmp" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "admin" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888569> <BEA-002624> <The administration protocol is "t3s" and is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <RJVM> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888583> <BEA-000570> <Network Configuration for Channel "soa_server2"
Listen Address          172.17.103.42:8101
Public Address          N/A
Http Enabled          true
Tunneling Enabled     false
Outbound Enabled     false
Admin Traffic Enabled     true>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889336> <BEA-002609> <Channel Service initialized.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889410> <BEA-000436> <Allocating 4 reader threads.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889412> <BEA-000446> <Native IO Enabled.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <IIOP> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889612> <BEA-002014> <IIOP subsystem enabled.>
####<Nov 14, 2011 7:41:32 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279892649> <BEA-090894> <Successfully loaded the OPSS Policy Provider using oracle.security.jps.internal.policystore.JavaPolicyProvider.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893102> <BEA-000000> <Starting OpenJPA 1.1.1-SNAPSHOT>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893224> <BEA-000000> <StoreServiceImpl.initJDO - StoreService is initialized with Id = ldap_qMT60FRl3kIPYftFoWhBFbhSxuY=>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893501> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLAuthorizermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893509> <BEA-090074> <Initializing Authorizer provider using LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893921> <BEA-090075> <The Authorizer provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/DefaultCredentialMappermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-090827> <LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DefaultCredentialMapperInit.ldift was empty. The WebLogic provider CredentialMapper has been bootstrapped but has not been initialized with any LDIF data.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894250> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLRoleMappermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894251> <BEA-090074> <Initializing RoleMapper provider using LDIF template file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894265> <BEA-090075> <The RoleMapper provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server soa_server2 for security realm myrealm.>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090082> <Security initializing using security realm myrealm.>
####<Nov 14, 2011 7:41:34 PM IST> <Critical> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894594> <BEA-090403> <Authentication for user weblogic denied>
####<Nov 14, 2011 7:41:34 PM IST> <Critical> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894596> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
     at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
     at weblogic.security.SecurityService.start(SecurityService.java:141)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
     at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
     at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
     at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
     at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
     at $Proxy28.login(Unknown Source)
     at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
     at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
     at $Proxy46.authenticate(Unknown Source)
     at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
     at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
     at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
     at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
     at weblogic.security.SecurityService.start(SecurityService.java:141)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000365> <Server state changed to FAILED>
####<Nov 14, 2011 7:41:34 PM IST> <Error> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000383> <A critical service failed. The server will shut itself down>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894608> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894618> <BEA-000236> <Stopping execute threads.>
Please help.
thanks in advance

I've tried every trick in the book but no luck and finally I found a solution for this problem. Maybe it is not the best practice but it works:
1-Uninstall JDeveloper.
2-Delete Oracle Middleware file located in C:\Oracle
3-Delete the JDeveloper file located in C:\Users\MyUser\AppData\Roaming (Because the integrated Weblogic server is actually there)
4-Reinstall JDeveloper
That solved the issue.
Thanks

What is the best way to secure and harden a Macbook Pro against unwanted surveillance?

What is the best way to secure and harden a Macbook Pro against unwanted surveillance? Tor, VPN, Little Snitch, etc. This would be for that latest version of Mavericks.

djbabybokchoy wrote:
Nothing specific, just speaking in general. Ex-wives, governments, bad guys...anyone really. I'm just looking to make my Mac a bit more private and secure, especially when on public networks.
Governments and ex's will/may have recourse to the legal process (or in the case of the Gov they can choose to ignore the legal system if they feel like it) when they want to see something of yours, good luck hardening your Mac against that. The best way to avoid the possibility of snooping over public networks is to avoid them but if you can't then Kappy's suggestion will help.
Strong passwords (everywhere) and don't use the same password in multiple locations.
If you really want to secure your home wireless use Mac address connection authentication, do not allow unknown Mac addresses to connect. It's much stronger than a WPA password alone.

WS-Security and UsernameToken 1.0 with PI 7.0

Hello experts,
we use PI 7.0 and we want to establish a connection to a web service which requires the use of "Message Security 1.0 (WS-Security)" and "UsernameToken Profile 1.0". I can't find the correct settings in the SOAP adapter. Do we have to use PI 7.1 and the WS adapter to establish this connection, is it possible to install the WS adapter on PI 7.0 or is there any workaround to connect to a web service like this?
The standards are described here:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
Best regards,
David

UsernameToken works with the WS-RM adapter very well, basically with every standard compliant SOAP implementation.
You have to choose User ID/password message authentication in the receiver channel, then you get a Username Token. In the receiver agreement you then enter the actual username and password to use for the call.
Choosing Asymmetric Message Signature/Encryption the messages will be signed and encrypted in a standadized WS-Security way. The signature will be performed based on a private key (stored inside a PSE of transaction STRUST of the integration server) you supply in the receiver agreement.
The other option Symmetric Message Signature/Encryption will also add signature and encryption to the SOAP message. However the signature is done with a symmetric key that is created for the particular message exchange.

PHP_MySQL version of a high security user authentication web app.

Since you folks deal with PHP Application Development, I am posting this here.
For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
It offers a multi-layered approach security approach towards protecting important information like user authentication credentials. Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
I hope your feedback will help make the application even more useful and secure.
Thank you!
J.S.

Hi,
could you or someone tell me if ADDT supports protection against these methods you mention:
Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
And can this system work alongside ADDT?
thanks again

SJSAS 8.2 secure and unsecure methods in one web service with ws-security

Hi
I'm trying to deploy a web-service (using SJSAS 8.2) using JAXRPC using message security (at the application level).
I have one simple question:
I have an EJB that exposes 2 methods as web-services, I specified in the sun-ejb-jar.xml that one of those methods is secure (and said nothing about the other) however when i run my test client I get a "WSS0202: No wsse:Security element in the message" error for both calls (instead of only for the secure call).
Is this normal? Isn't it possible to have a normal (with no security headers) call to one method and another (with security headers and secure envelope) to another in the same webservice (from the same EJB)?.

I wasn't clear?
This is a big dev problem for a major Sun client.
No one knows or wants to answer?

Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

With Namit Agarwal and Rahul Govindan
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
This is a continuation of the live webcast.
Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.
Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
Remember to use the rating system to let Namit and Govindan know if you have received an adequate response.
Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Webcast related links:
Slides from the live webcast
Video Recording of the live webcast
Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

Hello Namit and Rahul,
Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
1)      How is ASA CX different from other UTM solutions ?
2)      How is dynamic application inspection of CX better than other inspection engines ?
3)      What features or functionalities on the CX are available by default ?
4)      what are the different ways we can run or install CX on the ASA platform ?
5)      What VPN features are supported with multi context ASA in the 9.x release ?
6)      What are the IPv6 Enhancements in the ASA version 9.x ?
Request you to please provide your responses to them individually.
Thanks.

Use smart card for 802.1x secured WiFi authentication

Hi,
is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
and granted access.
To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
fails.
As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
the local client computer configuration or in the Safenet software on the client computer.
I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
Thanks + Best Regards
Matt

Hi,
I found some links form technet site which can be helpful in this case
Network access authentication and certificates
http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
Enable smart card or other certificate authentication
http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
Quote:
Client certificate requirements
With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
Yolanda Zhu
TechNet Community Support

Webservices security and authentication..?

Similar Messages

Maybe you are looking for