SSO and vulnerabilities

I have a few accounts with full privileges to do anything in SSO. However, only [email protected] has all permissions in vCenter Server. Do accounts that have full privileges in SSO, but no privilege in vCenter, represent a vulnerability to vCenter if compromised, or just to SSO?

If you have an account with full privileges in SSO, then even if it has no permissions on vCenter it could jeopardize the [email protected] account (change its password, for example) and get full access.

Mike
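The transitive privilege Mike describes, as an added audit example that is not from the original thread: an SSO administrator who can reset the password of an account in the SSO domain effectively holds that account's vCenter role, so a review of vCenter permissions alone misses it. The SSO domain name and all principal names are constructed sample data.

```javascript
// Added example, not from the original thread: a small audit of the
// transitive privilege described above. An SSO administrator can reset the
// password of any account in the SSO domain, so it effectively holds every
// vCenter role those accounts have, even with no vCenter permission itself.
// The domain and principal names below are constructed sample data.

const SSO_DOMAIN = "vsphere.local";

// Members of the SSO Administrators group (constructed).
const ssoAdmins = new Set([
  "administrator@vsphere.local",
  "sso-ops@vsphere.local",
  "backup-svc@vsphere.local",
]);

// vCenter permissions, principal -> role (constructed). alice comes from an
// AD identity source, whose passwords SSO admins cannot reset.
const vcenterRoles = {
  "administrator@vsphere.local": "Administrator",
  "alice@corp.example": "ReadOnly",
};

// Can `actor` take over `target` by resetting its password?
function canResetPassword(actor, target, admins) {
  return actor !== target && admins.has(actor) && target.endsWith("@" + SSO_DOMAIN);
}

// For every principal: the roles it holds directly, the roles it can reach
// through password resets, and which accounts it would have to take over.
function effectiveVcenterAccess(admins, roles) {
  const report = {};
  const principals = new Set([...admins, ...Object.keys(roles)]);
  for (const p of principals) {
    const direct = roles[p] ? [roles[p]] : [];
    const reachable = new Set(direct);
    const via = [];
    for (const [target, role] of Object.entries(roles)) {
      if (canResetPassword(p, target, admins)) {
        reachable.add(role);
        via.push(target);
      }
    }
    report[p] = { direct, effective: [...reachable].sort(), via: via.sort() };
  }
  return report;
}

// SSO admins with no vCenter permission of their own that still reach the
// Administrator role: the accounts a vCenter permissions review would miss.
function hiddenVcenterAdmins(admins, roles) {
  const report = effectiveVcenterAccess(admins, roles);
  return Object.keys(report)
    .filter((p) => report[p].direct.length === 0 && report[p].effective.includes("Administrator"))
    .sort();
}
```

Running it on the sample data lists sso-ops and backup-svc as effective vCenter administrators, while the AD user alice is unaffected because SSO cannot reset her password.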

Tags: VMware

Similar Questions

  • vCenter Mgmt and Compute with single SSO and Linked Mode?

    I am designing a large vCAC environment and want to separate not only the Mgmt/Compute clusters, but also the vCenters. I want to be able to manage these in Linked Mode. My plan is to have 2 vCenter VMs and a single Web Client/SSO VM. When I install the two vCenters, do I just point them to the shared Web Client/SSO server and then enable Linked Mode?

    Will this work? Is there something else I'm missing? Will a single Web Client instance be able to manage multiple vCenters?

    Thank you

    -MattG

    Hello, MattG.

    Yes, you can use 1 SSO and 1 Web Client service for a "single pane of glass" view of 2 vCenters; I did the same thing recently, and you do not need Linked Mode. Just point both vCenters at your SSO and Web Client when installing them. But in this case you can manage both of them from a single point only in the Web Client, not in the thick vSphere Client. If you need to manage both of them from the thick client too, then you should set up Linked Mode, but in that case, as far as I know, you must also install multi-site SSO, not a simple SSO node. I use the first scheme.

    Sorry for my bad English.

  • vCenter does not start / problem with SSO and AD

    Hello

    My vCenter will not start. In the error logs I found the following errors...

    I changed the vCenter server from 5.1 to 5.1 and joined the vCenter to my Active Directory. I uninstalled SSO and installed it again, leaving the 5.1 backup file.

    After the updates, I used this VMware article because I changed the AD domain:

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036170

    but now it does not start. How can I manually set the Admin URI? I think that is the problem:

    2012-11-22T14:53:06.575+01:00 [04720 info 'authvpxdMoSessionManager'] [OSP] [SessionManagerMo::Init] Admin URI value:
    2012-11-22T14:53:06.575+01:00 [04720 info 'authvpxdMoSessionManager'] [OSP] [SessionManagerMo::Init] Downloading root certificates...
    2012-11-22T14:53:08.576+01:00 [01808 error 'HttpConnectionPool-000001'] [ConnectComplete] Connection failed for <cs p:000000000a1c48c0, TCP::80>; cnx: (null), error: class Vmacore::SystemException(Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte.)
    2012-11-22T14:53:08.655+01:00 [04720 error '[OSP] [SsoCertificateManagerImpl]'] [CreateAdminSsoServiceContent] Failure when attempting to connect to the SSO Admin Server: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. Retrying in 10 seconds.
    2012-11-22T14:53:16.332+01:00 [02512 warning 'VpxProfiler' opID=SWI-6f09bdcf] VpxUtil_InvokeWithOpId [TotalTime] took 12030 ms
    2012-11-22T14:53:19.073+01:00 [02212 info 'Default'] Thread detached

    Greetings,

    Markus

    It seems that the computer refuses the connection ("connection refused", loosely translated from the German).

    Is there no firewall between the machines?

    Maybe try to re-point and re-register vCenter? http://KB.VMware.com/selfservice/documentLinkInt.do?micrositeID=&popup=true&LanguageID=&externalID=2033620

  • SSO and handling users with Forms using Oracle DB roles/privileges

    We are trying to use Oracle Application Server SSO with our customized Forms application, using Oracle database version 10.2.0.1.0.

    In our Forms applications we have about a dozen roles that we have assigned to different users. We need to identify each user using our forms because we are using GLOBAL USER throughout the application.

    Questions:
    - Must we create users/passwords in both OID and the application database?
    - Is it possible to easily manage users and passwords between SSO and the Forms app/database in one place? For example, how can a user change their password once and actually have it changed in both the database and SSO?

    Advice or direction would be greatly appreciated.

    Thank you

    Mika

    Edited by: user11846198, 1 Sep 2009 13:41

    Edited by: user11846198, 1 Sep 2009 13:53

    Yes, you can have a global role in the DB and assign it to specific users from OID, and they will inherit this role's privileges; you can do it by using the Oracle Identity Management Web Tool at http://hostname:7777/oiddas. It is not complicated.

    Greetings.

  • Questions about SSO and vCO

    Hello

    I am trying to set up a new vCO appliance and am trying to use SSO authentication. When I type in invalid credentials and try to register, I get error messages stating that the credentials are not valid. When I type the correct credentials, a weird error message appears, exactly as shown in my attached image. This account can log in to vCenter and has administrator rights. What could be the problem?

    Thanks in advance.

    Edit: I'm not sure if this helps, but I'm pasting what gets added to the log when I try to register with SSO. It seems to give the same error even in the case of a bad username/password, but the error message on the authentication page clearly shows that it can tell the difference...

    2014-07-03 23:33:50.716 +0000 [vcoSystemTaskScheduler-1] INFO {} [PurgeSessionAdaptor] Started verification of 0 sessions against the authentication provider.
    2014-07-03 23:33:50.716 +0000 [vcoSystemTaskScheduler-1] INFO {} [PurgeSessionAdaptor] Checked 0 unique sessions in 0ms.
    2014-07-03 23:53:50.716 +0000 [vcoSystemTaskScheduler-2] INFO {} [PurgeSessionAdaptor] Started verification of 0 sessions against the authentication provider.
    2014-07-03 23:53:50.717 +0000 [vcoSystemTaskScheduler-2] INFO {} [PurgeSessionAdaptor] Checked 0 unique sessions in 0ms.
    2014-07-04 00:13:50.717 +0000 [vcoSystemTaskScheduler-1] INFO {} [PurgeSessionAdaptor] Started verification of 0 sessions against the authentication provider.
    2014-07-04 00:13:50.717 +0000 [vcoSystemTaskScheduler-1] INFO {} [PurgeSessionAdaptor] Checked 0 unique sessions in 0ms.

    You must create a user in the Web Client SSO administration. You cannot use a domain account; this user must be a Single Sign-On user, which allows you to create a unique Orchestrator user.

  • DR/BC Site, SRM, SSO and AD authentication.

    I don't know where to put this, so feel free to move it.

    I'm in the midst of DR/BC testing at the moment, with machines replicating via SRM to our BC site. We have upgraded to 5.1.1a at all levels and since arriving at SSO we have had our fair share of issues. Some we have solved, but a particularly important one is not being able to authenticate with our off-site domain controller at the BC site when we pull the plug on the metro line.

    I can connect to the off-site VC via the Web Client using the normal credentials of our main site absolutely perfectly, but when I change the LDAP authentication to the off-site DC via the SSO configuration page as admin@system-domain, then I cannot connect. I get "authentication failed".


    I also noticed "could not initialize services at startup" and a message informing me about the installation of a vCenter Server system when I log in. I am not convinced that SSO is configured correctly, even though we have reinstalled it three times now.


    bc_vc_sso.png


    It's obviously an obstacle we have to overcome, because if we cannot connect when we pull the plug between the sites to simulate a DR/BC situation, then we cannot recover virtual machines.


    Massive failure.

    Problem solved.

    Reinstalled one last time, this time with a single-site configuration. Rebooted everything, including the off-site DC, and paid special attention to the identity source by using the attribute editor in ADUC to retrieve the DN for users and groups. I also changed the authentication type to require a username and password and all went fine.

    DR is good to go.

  • vCenter SSO failure and no login, not even as root

    Hi guys

    A number of issues were reported today and I tried to log in to my vCenter appliance 5.1 (build 880146) with my AD credentials. No go.

    Tried with root credentials. That didn't work either.

    So, lucky me, I found a Web Client session still logged in from yesterday. I went to my SSO config and it showed me this:

    SSO_Error.jpg

    Then I went to the vCenter Web Config and tried to restart the server, and still the same issue:

    vCenter_Service.jpg

    So at this moment I don't really know what has failed, whether it was SSO or the vCenter Server service... any idea how to find the cause?

    - updated

    Hey guys, I found that /storage/core is full. Any idea how to avoid this problem?

    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda3       9.8G  4.2G  5.1G  46% /
    udev            4.0G  104K  4.0G   1% /dev
    tmpfs           4.0G     0  4.0G   0% /dev/shm
    /dev/sda1       128M   21M  101M  17% /boot
    /dev/sdb1        20G   20G     0 100% /storage/core
    /dev/sdb2        20G  3.2G   16G  17% /storage/log
    /dev/sdb3        20G   15G  4.4G  77% /storage/db

    Thank you very much

    The core directory contains the dump files... If you don't need those, delete them... You can also take a look at this thread about using an NFS datastore to store the core dumps.

    http://communities.VMware.com/thread/403107?start=0&TSTART=0

    Regards

    Girish

  • Silent and scripted installation of SSO and vCenter 5.1

    Hello


    I'm looking to do a silent and scripted installation of SSO and vCenter.


    The following worked for v5.0...


    start /wait d:\vCenter-Server\vmware-vcserver.exe /q /s /w /L1033 /v"/qn DB_SERVER_TYPE=Custom DB_DSN=\"vc\" DB_PASSWORD=\"XXXXXXX\" DB_USERNAME=\"sa\" VPX_USES_SYSTEM_ACCOUNT=1 /l*v \"c:\vcinstall.log\""


    ... but it does not work for 5.1 and I can't find any documentation.


    Any help is appreciated as always.


    Thank you, Andy.

    Hi Andy,

    As Boloo said, there are some underlying rules for vCenter 5.1 that did not exist for 5.0, which means that some additional settings are required for a scripted installation.

    Here are some examples which I use when redeploying my lab (note that B:\VIM_51 is my extracted media folder):

    Installation of SSO

    start /wait B:\VIM_51\"Single Sign On"\VMware-SSO-Server.exe /L1033 /v"/qr MASTER_PASSWORD=VMware1! CONFIRM_MASTER_PASSWORD=VMware1! CONFIG_TYPE=setup SETUP_TYPE=basic SSO_DB_SERVER_TYPE=\"Custom\" JDBC_DBTYPE=Mssql JDBC_DBNAME=RSA JDBC_HOSTNAME_OR_IP=DC JDBC_HOST_PORT=1433 JDBC_USERNAME=RSA_USER JDBC_PASSWORD=VMware1! SKIP_DB_USER_CREATION=1 DBA_JDBC_USERNAME=RSA_DBA DBA_JDBC_PASSWORD=VMware1! COMPUTER_FQDN=vc.lab.local IS_SSPI_NETWORK_SERVICE_ACCOUNT=1 SSO_HTTPS_PORT=7444"

    Installation of the Web Client

    start /wait B:\VIM_51\vSphere-WebClient\VMware-WebClient.exe /L1033 /v"/qr HTTP_PORT=9090 HTTPS_PORT=9443 SSO_ADMIN_USER=admin@System-Domain SSO_ADMIN_PASSWORD=VMware1! LS_URL=https://vc.lab.local:7444/lookupservice/sdk"

    Installation of the inventory

    start /wait B:\VIM_51\"Inventory Service"\VMware-inventory-service.exe /L1033 /v"/qr HTTPS_PORT=10443 XDB_PORT=10109 FEDERATION_PORT=10111 QUERY_SERVICE_NUKE_DATABASE=1 TOMCAT_MAX_MEMORY_OPTION=S SSO_ADMIN_USER=admin@System-Domain SSO_ADMIN_PASSWORD=VMware1! LS_URL=https://vc.lab.local:7444/lookupservice/sdk"

    vCenter installation (at last)

    start /wait B:\VIM_51\vCenter-Server\VMware-vcserver.exe /L1033 /v"/qr DB_SERVER_TYPE=Custom DB_DSN=vCenterDB DB_USERNAME=vpx DB_PASSWORD=VMware1! FORMAT_DB=1 JVM_MEMORY_OPTION=S SSO_ADMIN_USER=admin@System-Domain SSO_ADMIN_PASSWORD=VMware1! LS_URL=https://vc.lab.local:7444/lookupservice/sdk IS_URL=https://vc.lab.local:10443 VC_ADMIN_USER=vi-admin@lab VC_ADMIN_IS_GROUP_VPXD_TXT=0 VPX_USES_SYSTEM_ACCOUNT=1 VCS_GROUP_TYPE=Single VCS_ADAM_LDAP_PORT=389 VCS_ADAM_SSL_PORT=636 VCS_HTTPS_PORT=443 VCS_HTTP_PORT=80 TC_HTTP_PORT=8080 TC_HTTPS_PORT=8443 VCS_WSCNS_PORT=60099 VCS_HEARTBEAT_PORT=902"

    vSphere Client Installation

    start /wait B:\VIM_51\vSphere-Client\VMware-viclient.exe /q /s /w /L1033 /v"/qr"

    VUM Plugin

    start /wait B:\VIM_51\updateManager\VMware-UMClient.exe /q /s /w /L1033 /v"/qr"

    Install the Update Manager

    start /wait B:\VIM_51\updateManager\VMware-UpdateManager.exe /L1033 /v"/qr VMUM_SERVER_SELECT=vc.lab.local VC_SERVER_IP=vc.lab.local VC_SERVER_ADMIN_USER=\"lab\vi-admin\" VC_SERVER_ADMIN_PASSWORD=VMware1! VCI_DB_SERVER_TYPE=Custom VCI_FORMAT_DB=1 DB_DSN=VUM DB_USERNAME=vpx DB_PASSWORD=VMware1!"

    Hope that helps, shout if you have any questions.

  • vCenter Server 5.1, SSO and Service of the inventory on a single server?

    VMware articles say that all 3 roles can be installed on one server for small deployments if it meets the hardware requirements (2 cores, 10 GB of RAM and a 100 GB hard drive recommended).

    The question is: what is considered small?

    Can I install all 3 roles on one server for, let's say, 14 hosts and about 200 virtual machines?

    If I have 3 vCenter servers, would I be better off installing all 3 roles on each of the 3 servers, or having one SSO or SSO HA for all vCenter servers?

    The problem is that we want to separate the vCenter by area.

    A big thank you!

    Yes, you can install all 3 roles on one server. We installed it on a virtual machine with 8 GB of RAM, 100 GB HD and 4 CPUs.

    For the decision on whether to install all 3 roles on 3 vCenter servers, I recommend you read the following page.

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=2032135

    If I had to make the decision, I would completely separate all 3 areas and thus install 3 vCenter servers with 3 roles each. But this does not mean you have to do the same thing.

  • Security and vulnerabilities

    Hi all

    11g

    We have a very highly confidential environment.

    "BA" (does this mean Business Audit?) ran a Design Checker tool that displays security vulnerabilities in our systems.

    One of the outputs listed is "http". It suggested disabling or refusing HTTP services on the listener because it is hackable? Is this true?

    If HTTP is not allowed, what will happen to our (EM) dbconsole, Database Vault and our ASO - TDE (Advanced Security Option: Transparent Data Encryption)?

    Are there ways to manage or run these from the CLI? Can you share your security implementation for these tools?

    Thank you very much

    zxy

    HTTPS means that the data that is sent is encrypted. However, it is quite unlikely that the listener is concerned about someone sniffing the EM HTTP traffic. It is much more likely that the listener is concerned with the attack surface of the machine. Every service is potentially vulnerable to attack, so keeping the number of services that run on a machine to a minimum means that there are fewer services that an attacker can compromise. Whether it uses HTTP or HTTPS, a web server will be potentially vulnerable to attack and will be one more element that needs to be patched and managed from a security perspective.

    Justin

  • SSO and application computations

    Having a problem with SSO and application-level computations. Here's what's happening. I have an application with some application-level items that must be computed (say an identification number of a certain type) in order for my security authorization schemes at the page level to work. I'm having a severe setback when people try to access a specific page in the application vs. the public home page. The authorization checks appear to be run before the essential application-level computations do their job. I have checked and the session fields are null (yet they populate very well when I come from a public page). I tried Before Header and After Header, as well as On New Instance, and nothing works; the fields always end up null and the person gets an error message denying them access. Can anyone offer ideas here? Perhaps a thought for the next version of APEX: add a processing point for essential operations that says "Before authorization checks", which would cause them to be evaluated and run before trying to check your access to pages or the application.

    Thank you
    David Pulliam

    One option that might work is to initialize the application items needed for authorizations in a "Post-Authentication" process instead of an "On New Instance" computation.

    CITY

  • OBIEE, SSO and serverVariable

    Hello
    When configuring SSO for OBIEE, we have the choice between HttpHeader, Cookie and ServerVariable as the source of the user name to authenticate.

    I did not find much documentation on this subject so I am asking here:

    - Does ServerVariable correspond to POST or GET variables?


    I ask because I have an application located on server A, and from there I want to redirect and connect the user to OBIEE (located on server B).
    The problem is that I can't create a cookie containing the user name on one server because OBIEE is on a different server, and the same goes for my HttpHeader, which is ignored because it comes from another server.

    My last option seems to be passing the variable to the OBIEE server with GET or POST parameters. Is that possible? Thank you

    If this isn't the case, do you know how I might be able to solve my problem?
    Thank you
    > Does ServerVariable correspond to POST or GET variables?

    Neither of the two. ServerVariable means that it is a variable in memory on the Web application server, so you can't really set it via POST or GET unless you deploy a Web application that lets you do it.

    > I ask because I have an application located on server A, and from there I want to redirect and connect the user to OBIEE (located on server B).
    > The problem is that I can't create a cookie containing the user name on one server because OBIEE is on a different server, and the same goes for my HttpHeader, which gets ignored because it comes from another server.

    Not correct. Cookies and HTTP headers can be sent between different servers; the restriction is between servers in different domains. This means that if site1.domain.com sets a cookie and you go to site2.domain.com then your browser will happily pass it. Therefore what you need is fully qualified server names in your company's domain (server1.company.com or server2.company.local, etc.). If you do not use domains in your business you can "fudge" the domains in your hosts file like this (replacing the IP addresses with the correct IP addresses):

    127.0.0.1 server1.test.com
    127.0.0.1 server2.test.com

    Then when you navigate to server1.test.com and server2.test.com your browser will think they are part of the same domain and will share cookies between them.
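The cookie-sharing rule behind this answer, as an added example that is not from the original thread: it implements the domain-match check a browser applies (RFC 6265, section 5.1.3) and runs it over constructed cookies set by server1.test.com. It shows that the cookie reaches server2.test.com only when it carries a Domain attribute for the shared parent domain, that a host-only cookie stays on the host that set it, and that the hosts-file trick works because matching is done on the name rather than the IP address.

```javascript
// Added example, not from the original thread: the domain-match rule a browser
// applies before attaching a cookie (RFC 6265, section 5.1.3), run over
// constructed cookies from the two hosts-file names used above.

// A request host domain-matches a cookie domain when they are equal, or when
// the host ends with "." + domain and the host is not an IP address literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIpLiteral && host.endsWith("." + domain);
}

// Turn a Set-Cookie header received from originHost into a stored cookie.
// Without a Domain attribute the cookie is host-only (exact host match);
// a Domain attribute the origin host does not domain-match is rejected.
function storeCookie(originHost, setCookieHeader) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true,
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() !== "domain") continue;
    const requested = val.replace(/^\./, "").toLowerCase();
    if (requested && domainMatches(originHost, requested)) {
      cookie.domain = requested;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would the browser attach this stored cookie to a request for host?
function cookieSentTo(cookie, host) {
  if (cookie.hostOnly) return host.toLowerCase() === cookie.domain;
  return domainMatches(host, cookie.domain);
}

// Constructed scenario: server1.test.com sets the SSO user cookie three ways.
const HOST_ONLY = storeCookie("server1.test.com", "SSO_USER=alice");
const SHARED = storeCookie("server1.test.com", "SSO_USER=alice; Domain=.test.com");
const REJECTED = storeCookie("server1.test.com", "SSO_USER=alice; Domain=evil.com");

// Names of the three cookies that would be sent to a given host.
function cookiesReaching(host) {
  const table = { HOST_ONLY, SHARED, REJECTED };
  return Object.keys(table).filter((k) => cookieSentTo(table[k], host));
}
```

Only SHARED reaches server2.test.com; nothing reaches evil.com, a look-alike such as evil-test.com, or the bare 127.0.0.1 the hosts file points at.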

  • SSO and IIS 7.5

    Does anyone have advice on how to successfully configure JBoss 7.1.1.Final to enable SSO using IIS 7.5 with Integrated Windows Authentication? This used to be a simple process on CCP 9.3.2 but I have had no luck configuring JBoss 7.1.1.Final to use SSO. The logs always just say "LoginId not found for SSO in HttpHeader".

    I set up the IIS redirection successfully using the ISAPI filter to connect to the application for an SPC, but got nothing more.

    I think that the standalone-full.xml file needs to be changed in some way to allow this; ideas?

    Hello

    We have solved this problem; it is a known bug with JBoss 7.1.1 where headers are not passed through correctly. TAC gave us a patched version of a JBoss JAR file to solve this problem.

  • SSO and an entirely virtual environment

    Here's a scenario we are going around on. I would like to go completely virtual next year. If I were to virtualize my 5.1 vCenter and all of my domain controllers on a 3-host cluster, what is the start-up procedure in case I have to turn off all hosts? Is connecting locally to one of the hosts still an option on 5.1?

    Well, yes, you can always connect to hosts locally by using the vSphere Client, as long as you have the root password.

    Your boot priority would be:

    High - DC

    Medium - vCenter

    Low - everything else

  • What is SSO and how is it set up in OBIEE 11g?

    Thank you

    Check these
    http://docs.Oracle.com/CD/E14571_01/bi.1111/e10543/SSO.htm
    http://www.addidici.com/blog/?p=8
    http://www.Oracle.com/technetwork/articles/IDM/WebLogic-SSO-Kerberos-1619890.html

    Mark correct/helpful
