Saturday, April 7, 2018

A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift


Error:

<Mar 14, 2018 9:13:36 AM IST> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift. at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:466)at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1032) at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift. at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)at weblogic.security.service.CSSWLSDelegateImpl.getService(CSSWLSDelegateImpl.java:155)
 Truncated. see log file for complete stacktrace
Caused By: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadFullLDIFTemplate(BootStrapServiceImpl.java:910) at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFTemplate(BootStrapServiceImpl.java:688) at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:176)  at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:160)at com.bea.common.security.internal.service.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:106)Truncated. see log file for complete stacktraceCaused By: <openjpa-1.1.1-SNAPSHOT-r422266:1172209 fatal store error> kodo.jdo.FatalDataStoreException: The transaction has been rolled back.  See the nested exceptions for details on the errors that occurred at org.apache.openjpa.kernel.BrokerImpl.newFlushException (BrokerImpl.java:2170)
        at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2017
        at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1915)
        at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:1833) at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
        Truncated. see log file for complete stacktrace Caused By: <openjpa-1.1.1-SNAPSHOT-r422266:1172209 fatal store error> kodo.jdo.FatalDataStoreException: error result
        at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:341)
        at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
        at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
        at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:571)
        at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
        Truncated. see log file for complete stacktrace
Caused By: netscape.ldap.LDAPException: error result (49); Invalid credentials
        at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
        at netscape.ldap.LDAPConnection.simpleBind(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.bind(Unknown Source)
        Truncated. see log file for complete stacktrace
> 
<Mar 14, 2018 9:13:36 AM IST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Mar 14, 2018 9:13:36 AM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:917)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
> 
<Mar 14, 2018 9:13:36 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Mar 14, 2018 9:13:36 AM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Mar 14, 2018 9:13:36 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

CAUSE

The root cause is that the RDBMS Tables are not created in the Security Datastore.

SOLUTION 1

Check the following two points as they may be the cause of the reported issue:

1) OPSS Schema

BEAXACMLAP table that is causing the ORA-00092 is the table in the OPSS schema.
Please check whether the BEAXACMLAP table exists in the OPSS schema. 
If this table not exist, perhaps you may not have run the 'rdbms_security_store_oracle.sql'.

Related Information: Note:1327167.1 - WebLogic Server Cannot Start Up with RDBMS Security StoreDelete Reference

2) Database user

Please check the correct database user.

SOLUTION 2

Before booting the domain, the RDBMS tables need to be created in the database:
Specify the same connection properties, including the credentials of the user who has access, the database URL, etc., as specified for that RDBMS during domain creation.
Run the appropriate script to create RDBMS tables. There are a set of SQL scripts for creating/removing RDBMS tables under WL_HOME/server/lib: e.g., for Oracle DB, rdbms_security_store_oracle.sql is to create RRDBMS tables and rdbms_security_store_oracle_remove.sql is to remove these tables.

For details, please refer to "Create RDBMS Tables in theSecurity Datastore" in

http://www.oracle.com/pls/as1111/lookup?id=SECMG346

Thanks,
Aditya.



Friday, April 6, 2018

API's for GeoLocation based on IP Address

"You need to think out loud concerning the security of your enterprise application". I say and hear this line every day as a security professional.
As it's growing the importance of application security it became one of the minimum requirements to know the location of the user to avoid any possible fraud. As the saying goes "prevention is better than cure".
There are scenarios that applications need to know the location of the user as it drives the relevant content to be presented to the user once authorized. I would rather park that line of study/discussion as my intent to focus on the web security in this post.
I come across such requirement quiet often and so thought to put together some of the GeoLocation providers out there on the web to serve the job of locating the user before giving access to mission-critical applications without any overhead to the application.
Listing some of the GeoLocation API providers based on the IP Address that is available in the market.
Note: Do your due diligence before implementing any of these API's for your application security as each provider has their advantages and limitations.
  1. https://www.snoopi.io
  2. https://www.ipify.org
  3. http://geobytes.com
  4. https://ipstack.com
  5. http://ipapi.co
  6. https://ipdata.co


Hope this will be helpful.

GeoNames Web Services API

Provides convenient services like who would want search nearby Hotels when they visit a new city or who is in a medical emergency need nearby Hospitals.

Following URL get more about GEONAMES web services.

Gisgraphy is an open source framework for geolocalisation and geocoding. This framework uses
GEONAMES web service API to find the locations.

Find more click here.

The following are GeoNames WebServices

  1. findNearbyPlaceName
  2. findNearbyPostalCodes
  3. countryCode
  4. countryInfo and many more

findNearbyPlaceName
      
     Here nearby place can be populated by giving longitude and latitude.

     
     The return values we can select a format from available formats like XML, JSON.
           
     Find more click here on the following link for findNearbyPlaceName in Gisgraphy.

findNearbyPostalCodes:


    It can find nearest places against to either given longitude, latitude or postal code.

    The return values we can select a format from available formats like XML, JSON.

    Find more click on the following link for findNearbyPostalCodes in Gisgraphy.
   
    https://services.gisgraphy.com/static/leaflet/index.html#

countryCode:

    In this service, we will get Capital, Population, Area in square km etc., against by giving
    a Country name.

countryInfo:

    This service will return the iso country code for the given latitude/longitude.

Friday, March 30, 2018

Forty Seven Bank Project API (Open Project Bank API)

This API provides a testing environment for developers who want build banking related apps. Here we have to create a Developer account in Sandbox for accessing all the functionalities like accounts access, ATM access, Transaction details, Payments Transaction requests and many more.

For Access, all services use SDK provided by open project API. This SDK helps to connect App to banking services and also need a developer key which was provided when you created a developer account.

For Testing the App with sandbox test customers only.

To get APIs use following URL Click Here

The latest version is 3.0.0 and older versions are from 1.2.1 to 2.2.0.

Here we have different APIs available:

  1. Accounts
  2. Branches, ATM
  3. Transactions
  4. Payments & Transaction requests and many more. 

Accounts: Access user accounts, Balances information about different accounts.
          
The following services can avail in API:
          
          A) Create an account: Create a new Account in the specified Branch
          B) Create view: To balance view use OAuth authentication.
          C) Delete view: Delete access
          D) Get an account by id: Returns information against an account id and many more.

          Click Here to explore more about this API

Branches, ATM: Here we can create new branches and ATMs in specified geolocations.


The following services can avail in API:

          A) Create Bank: Create a new branch
          B) Get Bank: Get bank details
          C) Get Banks: Get all bank names and many more.

          Click Here to explore more about this API


Transactions: Access the transaction info and metadata also.

The following services can avail in API:

          A) Get other accounts of transaction: Returns the details about which party involved.
          B) Get transaction by id: Returns transaction details and many more.

          Click Here to explore more about this API

Payments & Transaction Requests: Initiate transfers, view charges etc.

The following services can avail in API:

         A) Create transaction request: In which we can initiate a transaction followed by account details.
         B) Get Transaction Requests: Get transaction requests given account number in a specified branch and many more
Click Here to explore more about this API

Wednesday, March 21, 2018

Troubleshoot: SAP HANA SAML integration

When SAP HANA enabled for external authentication with SAML mechanism you might get "Assertion did not contain a valid MessageID."  error message when trying to log in.

Solution:

Adding SAML parameter, assertion_timeout and set the value to 30 in SAP solves the issue.

Ref: https://blogs.sap.com/2014/07/03/troubleshooting-issues-when-implementing-saml-sso-in-hana-xs-engine/

Thanks

Tuesday, March 13, 2018

Oracle Identity Manager(OIM) 12c New Features

                          Oracle Identity Manager(OIM) 12c New Features


In this blog we are going to see some new features introduced in Oracle Identity manager 12C.

From my search, I found there is not much major changes from UI level.

End user experience will be same for access request catalog and approval/ certification.

1. Oracle Identity Governance 12c infrastructure requires below components.
    Oracle database (11.2.0.4, any 12c)
    jdk1.8
    WebLogic 12.2.1.3.0
    SOA 12.2.1.3.0
    OIG 12.1.2.3.0
           
2. RCU (Repository Creation Utility) is in-built and can be run from /u03/oracle_common/bin.

3. OIM 12c finally support encryption of database. During creation of OIM users in database,
    RCU can encrypt database table-space.
    TDE (Transparent Data Encryption) option must be enabled in Oracle 12c database.
    TDE allow application to encrypt the table-space using secret key.
    Data is transparently decrypted for database users and applications that access this data.
    Database users and applications do not need to be aware that the data they are accessing
     is stored  in encrypted form.
    If the TDE is enabled in Oracle 12c database, RCU will automatically provide you an 
    option to make OIM table-space encrypted.

4. If you do not have DBA privilege, then you can create a script for DBA to run.
    Once DBA completed running the RCU generated scripts, you can run the
    post process configuration.
    This is very helpful where Database is managed by different administrative team.
5. OIM 12c is now having Application Onboarding capability through GUI.
    It will allow you to create and manage applications, templates, and instances of applications
    , and clone applications.
   This will faster the on-boarding process of applications into OIM.
6.Access Policy can be created and managed from the Manage tab in Identity Self Service
  In OIM12C By enabling and by setting XL.AllowRoleHierarchicalPolicyEval system property to TRUE
  You can achieve Inheriting the access granted via access policies from the parent role to child role 
7.In OIM 11gR2 PS3, single certifier was supported in the certification workflow
   From OIM 12c supports group of certifiers for Application Instance, Entitlement,
   Role and User certification.
8. In above screenshot as we can able to see OIM 12c introduces custom reviewer
    option in certification.

    It is applicable for Identity certification. Custom reviewer for certifications can 
    be specified by  defining certification rules in the 
    CERT_CUSTOM_ACCESS_REVIEWERS table.

    The advantage of above feature is, we can now assign certification request based on a rule
    defined for custom reviewer.

9. OIM 12c can Limit the entitlement-assignments, Role-assignment and Application-assignment
     to certify for each user option for creating a user certification definition.
     For example, while identity certification assigned to reviewer, only the selected roles,
     selected entitlements and selected Application instances will be visible for certification.
     In this way we can remove the birth rights for being certified.

9.We can publish multiple sandboxes in bulk and in a specified sequence using CSV file.


10.In OIM 12c, From Mange Connector you can define your new connectors from 
      all the available components.
      Below images shows, which allow you to choose components and create your 
      new connector inside OIM.
11. Below is new interface for deployment manager for import and export any new
     Development,Testing or Migration.


Feel free to drop your comments.
Regards, 
Aditya.