Who shall create a specific Security Domain compliant to GP 2.1?

Similar Messages

• How to create a Supplementary security domain

  Hi all, i am new to javaCard. i want to create a Supplementary security domain, but i have no idea.
  is it that i need to create an applet implements SecureChannel, then install the applet with the privileges 0x80(security domain)?
  is it right? Anybody any suggest? It would be really helpful.

  I've seen this if the database is down or in a funky state. Try shutting down BPEL, and restart the database, then bring BPEL back up. If you're using Oracle Lite just use the "Stop SOA Suite" GUI from the Start Menu.

• How can I create a new Security Domain ?

  Hi everyone,
  I would like to know how can I create an Security Domain other than ISD ?(If my card support multi SD and delegated management)
  I read Global Platform v2.1.1 ,but I don't know how can I create new SD practically(how can I write it's code ,how can I install it and how can I associate an applet to it,...).
  if there is any document or link can help me ,please inform me.
  I'll appreciate for any one if explain it to me step by step.
  yours sincerely.
  Orchid.

  You're right, it is not visible looking at your script, but at the APDU log. /card is an internal JCShell script to do the following:
  cm>  /card
  resetCard with timeout: 0 (ms)First the card is reset. This is analogous with /atr
  --Waiting for card...
  ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
      32 33 31 97                                        231.
  ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"Then an /identify command is issued.
  => 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF          .........gA0..
  (163429 nsec)
  <= 09 01 01 29 00 00 00 00 50 48 36 35 30 41 00 00    ...)....PH650A..
      6A 82                                              j.
  Status: File not foundNow the Issuer Security Domain (ISD) is selected. You can do the same sending the JCShell 'select' command.
  => 00 A4 04 00 07 A0 00 00 00 03 00 00 00             .............
  (650082 nsec)
  <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65    oe...........Y.e
      01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A    ...n.@Qp.).sJ..*
      86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B    .H..k.`...*.H..k
      02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64    ....c...*.H..k.d
      0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09    ...*.H..k...e...
      2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01    +...Hd...f...+..
      04 01 2A 02 6E 01 02 90 00                         ..*.n....
  Status: No ErrorThe answer is the File Control Information (FCI) returned by the ISD. The format is also described in GP.

• In RSA Authentication Manager 7.1, how create multiple security domains

  Hi,
  RSA Authentication Manager 7.1 in configured with LDAP(Sun java system directory server); how create multiple security domains 7.1, is this security domains is releted to LDAP?
  thanks

  I think what you need to do is create an identity sequence with RSA as the selection in
  Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

• File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

  I have two forest With Trust works Fine .
  I have file server in ORG – A ( Forest ) with 2003 R2 Standard
  I have a File server in ORG  - B ( Forest ) With Windows server 2012 ( New Server for Migration )
  I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
  I need to Migrate  all the folders from ORG – A to ORG – B.
  I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
  Example.
  Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
  I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
  Output Looks Like
  Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
  Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB

  Hi,
  I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue be recognized in new domain as you migrated already. 
  Migrate Universal Groups
  http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx
  If you have any feedback on our support, please send to [email protected]

• Use of robots.txt to disallow system/secure domain names?

  I've got a client who's system and secure domains are ranking very high on google.  My SEO advisor has mentioned that a key way to eliminate these URLs from google is through the use of disallowing content through robots.txt.  Given BC's unique nature of dealing with system and secure domains I'm not too sure if this is even possible as any disallowances I've seen or used before have been directories and not absolute URL's, nor have I seen any mention of this possibility around.  Any help or advice would be great!

  Hi Mike
  Under Site Manager > Pages, when accessing a specific page, you can open the SEO Metadata section and tick “Hide this page for search engines”
  Aside from this, using the robots.txt file is indeed an efficient way of instructing search engine robots which pages are not to be indexed.

• Extradition of an AID to a security domain that is in "selectable" state

  following this post: http://forum.java.sun.com/thread.jspa?messageID=10227711
  in following this example (i've found it very helpful), i want to know if it is a requirement that the SSD be personalized instead of in "Selectable" state? if so, that would explain the errors i get when i try to extradite an AID to it from the ISD.
  your example:
  GP 2.1.1, SSD section (concept) and APDU commands Install [for load], [install] and [extradition].
  Example:
  - select ISD
  - open a secure channel
  - Install [for install & make selectable] on a pre-loaded SD package/module --> optionally you need to specify in the install parameters that this SD accepts extradition
  - select SSD
  - open a secure channel (using the default keys)
  - personalize (put secure channel keys)
  - install [for load] an application, specify the SSD to be associated

  Clemson wrote:
  ... errors i get when i try to extradite an AID to it from the ISD.
  GlobalPlatform Card Specification 2.1.1, 03/25/2003, p. 70
  +6.4.3 Content Extradition+
  The GlobalPlatform Card Content extradition process is designed to allow the association, to a different Security Domain, of a previously installed Application. The Issuer Security Domain shall verify the extradition request before the OPEN will allow the extradition.
  Runtime Behavior
  The following runtime behavior requirements apply to the OPEN during the Card Content extradition process.
  The OPEN shall:
  +...+
  Check that this Security Domain is in a valid Life Cycle State (i.e. PERSONALIZED)+,
  +...+
  Therefore, the SD which should accept the applet has to be in state PERSONALIZED.

• Java Card Security domain

  Hi ,
  According to the visa Open platform architecture, each Java card applet is associated with a Security domain.
  I am using GemXpressoRAD211 toolkit for developing Java Card applets.
  In the Gemxpresso211IS card, the default security domain is the Card Manager, whose AID is A0 00 00 00 03 00 00 . It is basically the card issuer security domain.
  When I install an applet to the card , the Card Manager is assumed to be the associated security domain .
  My questions are....
  1.
  How can I associate my applet to application provider security domain rather than the card issuer security domain? Form where Do I get this security domain ? Do I need to write my own security domain, or some body else provide it ?

  there's a card issuer, with its ISD
  then there's another company who wants to have ability to install/remove some applets on this card
  we create another SD for this company and "delegate" some limited capabilities to manage the contents of the card
  read about the delegated managament in GP
  regards
  Kuba

• Is there a way for an end user to see who has membership in a security group

  Windows Server 2008 R2
  Active Directory Domain
  Windows 7 workstations
  I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
  Is that possible? Any drawbacks or concerns?

  Hi Tod,
  Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
  Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
  However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
  More information for you:
  Viewing the Direct Members of a Group
  http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
  Net group
  http://technet.microsoft.com/en-us/library/cc754051.aspx
  Best Regards,
  Amy

• I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

  I have a requirement where I have to give the list of users who can access a specific computer define in AD.
  I am new with PS.
  Do you have a script to list users that can access a computer object of AD ?
  I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
  How can i have this information. please help
  Import-Module activedirectory
  $computer=get-adcomputer "computername" -properties ntSecurityDescriptor
  $omputer.ntsecurityDescriptor.Access | select-object -expandproperty IdentityReference | sort-object -unique

  I would say that, since the OP has so little info, there are no policies in use.  It there were then this question would never be asked the way it is being asked.
  I had a client call with a letter from their insurance company; an accountant with malpractice insurance.  THey asked the same question inmuch the same way.  "What computer can you users access?"  The question should be more like
  "Do you have a policy that restricts access to computers and do you audit for compliance?"
  I have had other clients whose insurance asked the question in that way.  It produces a better view of what should be happening and how to show compliance.
  I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a god computer security consultant to assist with answering these very tricky questions.  Of course if it is just you boss's
  curiosity  then you may need to discuss his requirements with him in more depth.
  ¯\_(ツ)_/¯

• LabVIEW 8.0:: How to get the group name of a user logged to a NI Security Domain?

  Hello all,
  I am using LabVIEW 8.0 PDS.
  I created a new local domain called "MyDomain" in the "NI Domain Account Manager" . I added a new User called "MyUser" and a new group called "Maintenance". I set "MyUser" to be a member of the "Maintenance" group. Then, I configured LabVIEW to invoke the login dialog at start-up in order to log "MyUser" with the correct password.
  I would like to get the group name of the current user logged programmatically in a VI. I tried with the VI Server >> Application >> Security properties and methods and also with the properties and methods of the NI Security Class but it seems to be not so simple as I believed at start.
  I do not find any informations or KB on this (all the documents I found deal with LV DSC or TestStand).
   The final goal is to be able to manage a list of user for my application. Each user is a member of a group ("Administrator", "Operator", "Maintenance") and depending on the group, the user can or cannot access to some parts of the application.
  Thanks for your help.
  Matthieu
  Eurilogic

  Re,
  Here is a screenshot of this functions...
  If you really own LV DSC 8.2 the best thing to do is to reinstall it.
  Regards, 
  Message Edité par Richard K. le 04-02-2007 04:00 AM
  Richard Keromen
  National Instruments France
  #adMrkt{text-align: center;font-size:11px; font-weight: bold;} #adMrkt a {text-decoration: none;} #adMrkt a:hover{font-size: 9px;} #adMrkt a span{display: none;} #adMrkt a:hover span{display: block;}
  >> Découvrez, en vidéo, les innovations technologiques réalisées en éco-conception
  Attachments:
  security.jpg ‏3841 KB

• How to create an empty WLS domain in v7.0.2?

  Hello All,
  WLS 7.0.2 does not provide option to create an empty WLS domain with no custom
  applications. This feature was supported in WLS 7.0.1.
  Any clues/suggestions.
  rgds
  MS

  I'm not sure what you are doing.
  You should be doing something like this:
  D:\70domains\test>set CLASSPATH=D:\wls702\weblogic700\server\lib\weblogic.
  jar
  D:\70domains\test>java weblogic.Server
  <Mar 17, 2003 3:08:04 PM PST> <Info> <Security> <090065> <Getting boot
  identity
  from user.>
  Enter username to boot WebLogic server:
  You should see that.
  No need to set WLS_HOME. No need to copy the weblogic.jar. Just point the
  CLASSPATH to the weblogic.jar of where you installed WLS.
  Eric
  "MS" <[email protected]> wrote in message news:3e727b1a$[email protected]..
  >
  Hello,
  I am getting the following error:
  G:\wlstest>set WLS_HOME=g:\wlstest
  G:\wlstest>set CLASSPATH=g:\wlstest\weblogic.jar
  G:\wlstest>java weblogic.Server
  The WebLogic Server did not start up properly.
  Exception raised:
  java.lang.ExceptionInInitializerError
  atweblogic.security.internal.BootProperties.<clinit>(BootProperties.jav
  a:28)
  atweblogic.security.internal.ServerAuthenticate.main(ServerAuthenticate
  java:73)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:273)
  at weblogic.Server.main(Server.java:32)
  Caused by: java.lang.RuntimeException: error in finding weblogic.Home
  at weblogic.Home.<init>(Home.java:52)
  at weblogic.Home.getInstance(Home.java:79)
  at weblogic.Home.getPath(Home.java:87)
  atweblogic.management.internal.BootStrap.<clinit>(BootStrap.java:135)
  ... 4 more
  Reason: Fatal initialization exception
  Throwable: java.lang.ExceptionInInitializerError
  java.lang.ExceptionInInitializerError
  atweblogic.security.internal.BootProperties.<clinit>(BootProperties.jav
  a:28)
  atweblogic.security.internal.ServerAuthenticate.main(ServerAuthenticate
  java:73)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:273)
  at weblogic.Server.main(Server.java:32)
  Caused by: java.lang.RuntimeException: error in finding weblogic.Home
  at weblogic.Home.<init>(Home.java:52)
  at weblogic.Home.getInstance(Home.java:79)
  at weblogic.Home.getPath(Home.java:87)
  atweblogic.management.internal.BootStrap.<clinit>(BootStrap.java:135)
  ... 4 more
  >

• How to create a new BPEL Domain

  Hi,
  Need a huge favor... thanks in advance..
  Database - 10.2.0.2.0
  BPEL (SOA Suite) -- 10.1.3.0
  a) Installation went fine
  b) Able to use the software using the url provided at the end of installtion
  c) I want to create a NEW BPEL domain.
  When I create new domain, it gives the below errors..
  Exception
  Operation failed because:
  Exception not handled by the Collaxa Cube system.
  An unhandled exception has been thrown in the Collaxa Cube system. The exception reported is: "java.sql.SQLException: ORA-00942: table or view does not exist
  at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:138)
  at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:316)
  at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:282)
  at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:639)
  at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:185)
  at oracle.jdbc.driver.T4CPreparedStatement.execute_for_describe(T4CPreparedStatement.java:503)
  at oracle.jdbc.driver.OracleStatement.execute_maybe_describe(OracleStatement.java:1029)
  at oracle.jdbc.driver.T4CPreparedStatement.execute_maybe_describe(T4CPreparedStatement.java:535)
  at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1126)
  at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3001)
  at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:3043)
  at oracle_jdbc_driver_T4CPreparedStatement_Proxy.executeQuery()
  at com.collaxa.cube.admin.data.DomainConfigManager.loadProperties(DomainConfigManager.java:203)
  at com.collaxa.cube.engine.CubeEngine.load(CubeEngine.java:423)
  at com.collaxa.cube.admin.ServerManager.loadDomain(ServerManager.java:1111)
  at com.collaxa.cube.admin.ServerManager.createDomain(ServerManager.java:731)
  at com.collaxa.cube.admin.ServerManager.createDomain(ServerManager.java:617)
  at com.collaxa.cube.ejb.impl.ServerBean.createDomain(ServerBean.java:181)
  at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
  at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
  at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
  at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
  at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
  at com.evermind.server.ThreadState.runAs(ThreadState.java:620)
  at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
  at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
  at com.evermind.server.ejb.interceptor.system.TxNotSupportedInterceptor.invoke(TxNotSupportedInterceptor.java:43)
  at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
  at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
  at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
  at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
  at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
  at ServerBean_RemoteProxy_4bin6i8.createDomain(Unknown Source)
  at com.oracle.bpel.client.Server.createDomain(Server.java:327)
  at _doCreateDomain._jspService(_doCreateDomain.java:89)
  at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
  at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:453)
  at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:591)
  at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:515)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
  at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
  at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
  at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
  at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
  at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
  at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
  at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
  at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
  at java.lang.Thread.run(Thread.java:595)
  Exception: java.sql.SQLException: ORA-00942: table or view does not exist
  Handled As: com.collaxa.cube.CubeException
  THANKS
  Rgds
  Natrajan
  Also.. Here are the details of BPEL create domain screen..
  Create New BPEL Domain
  BPEL Domain is a logical grouping of processes, instances and activities. A domain may be accessed either by the domain or administrative password.
  Domain Id: <<Nattest>>
  Each domain requires access to a JDBC datasource to store instances and activities. Tx Datasource JNDI must refer to a datasource with JTA support. Datasource JNDI may refer to any datasource (JTA not required).
  Datasource JNDI: <<<<JUST took default..>>>
  Tx Datasource JNDI: <<JUST took default>>>

  I've seen this if the database is down or in a funky state. Try shutting down BPEL, and restart the database, then bring BPEL back up. If you're using Oracle Lite just use the "Stop SOA Suite" GUI from the Start Menu.

• How do you created object level security in BI for roles.

  How do you created object level security in BI for roles.  For example if I want users to only execute reports in BI for a particular "object" report how would I do that.
  Thanks.

  Hi Maritza,
  Can you be more specific.
  If you are looking for BI Security concept, check this presentation:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
  Regards,
  Zaheer

• How can one use one specific security realm per application ? The realm-name attribute of the login-config tag of web.xml does not make any difference

  Hi,
  I have different sets of users coming from different databases and using different
  roles mapping for each of my web applications. I would like to configure a specific
  security realm per application in my weblogic server 7.0 . Is it possible ?
  I try to specify the realm-name of the login-config tag from the web-xml deployement
  descriptor but it doesn't make any difference. The default realm is always used.
  I also would like to tell the Weblogic server to use the default realm in case
  the realm isn't specified or isn't found. For example, the default would contains
  my admin users.
  Thanks a lot for your answer.
  Iz

  I thik this is a common mistake the ralm-name tag in the deployment descriptor is used
  just by the browser for display purposes (when it opens the basic auth dialog box) so as
  of now there is only 1 active realm which can have multiple providers as Kevin pointed
  out
  Kevin Lewis wrote:
  WebLogic 7 now ignores the realm-name tag (I found that out yesterday).
  My understanding is that there is only one realm active at a time for a domain
  (I would be interested in being contradicted in this).
  However, you can have multiple providers in each category of a realm: authentication,
  authorization, etc. Therefore, what you can do is key authentication, et al,
  off of some other information. We have our users enter their company, for example,
  and use the TextInputCallback to get it. You could also encode something in the
  initial page, based on the URL they hit, or whatever, and get that back in your
  callback.
  You can store that information in your own Principal implementation, and key off
  of that in your authorization provider, going to a different database as appropriate,
  or abstaining when a specific provider doesn’t have anything to say about a subject.
  Anyway, there should be a way to do it, even if it's more complex than you would
  have hoped.
  --Kevin