Virtual Users with SAML in WebLogic

A small blog post on how you can use virtual users on your SAML Service Provider WebLogic Server. A virtual user is a user who is authenticated on the SAML Identity Provider and is transferred (with all of their attributes and roles) in a SAML token to the Service Provider; this user does not need to exist on the Service Provider's WebLogic server.
Before you can use this feature you need to set up SAML 2.0 SSO on your WebLogic domain. You can follow this blog post for all the instructions. You can also do this with Web Services, but then you need to follow this guide.

First we need to enable Generate Attributes on the Identity Provider side.
Go to the myrealm security realm -> Providers -> Credential Mapping -> your SAML 2.0 Credential Mapping Provider -> Provider Specific.
Also do this on the imported Service Provider Partner, located on the Management tab of your SAML 2.0 Credential Mapping Provider: open the Service Provider Partner and enable Generate Attributes there as well.

The next step is to configure the SAML Service Provider.
Go to the myrealm security realm -> Providers -> Authentication -> your SAML 2.0 Identity Assertion Provider -> Management tab.
Open your imported Identity Provider Partner configuration.
Enable Virtual User and also enable Process Attributes.

Now we need to add an extra WebLogic SAML Authentication Provider. This provider will process the virtual user's SAML token with all its attributes and roles.
Set its Control Flag to Sufficient, and also change the other authentication provider from Required to Sufficient.
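An added example, not from the original post, of what the Service Provider side ends up holding for such a virtual user: a small Python routine that reads a SAML 2.0 assertion, enforces the validity window and audience restriction the SP must check, and builds the principal purely from the NameID, the attributes and a role attribute, since no local account exists to fall back on. The assertion text, the SP audience URL, the attribute names "Roles" and "mail" and the function names are constructed for this demo; the sample carries no signature, and signature verification is left to the SAML 2.0 Identity Assertion provider.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example (not from the original post). Builds a virtual-user principal
# from a SAML 2.0 assertion only, after checking the conditions an SP must
# enforce. Sample assertion, audience and attribute names are constructed.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_AUDIENCE = "https://sp.example.com/saml2"                        # constructed SP entity id
SAMPLE_NOW = datetime(2011, 9, 20, 10, 2, tzinfo=timezone.utc)      # inside the validity window
SAMPLE_EXPIRED = datetime(2011, 9, 20, 10, 6, tzinfo=timezone.utc)  # after NotOnOrAfter

# Constructed assertion as an IdP with "Generate Attributes" enabled might issue it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2011-09-20T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-09-20T09:59:00Z" NotOnOrAfter="2011-09-20T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>Deployers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _parse_time(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_virtual_user(assertion_xml, expected_audience, now, role_attribute="Roles"):
    """Validate Conditions and return the virtual user as name, roles and
    remaining attributes. Raises ValueError when the assertion must be rejected."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = cond.get("NotBefore")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this Service Provider")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    # Everything the SP knows about this user comes from the AttributeStatement.
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    roles = attributes.pop(role_attribute, [])
    return {"name": name_id.text, "roles": roles, "attributes": attributes}


def is_acceptable(assertion_xml, expected_audience, now):
    """True if the assertion would yield a virtual user at time `now`."""
    try:
        extract_virtual_user(assertion_xml, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(extract_virtual_user(SAMPLE_ASSERTION, SP_AUDIENCE, SAMPLE_NOW))
    print("expired accepted:", is_acceptable(SAMPLE_ASSERTION, SP_AUDIENCE, SAMPLE_EXPIRED))
```

Because nothing about a virtual user lives in the local realm, the time window, the audience and the signature are the only things standing between a token and a WebLogic session, which is why these checks belong in the Identity Assertion provider rather than in application code.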

Courtesy: http://biemond.blogspot.com/2011/09/virtual-users-with-saml-in-weblogic.html

How to collect performance data on Linux

Collect the following information when high CPU consumption occurs in an IBM Java process:
If possible, enable garbage collection trace to see whether Java garbage collection is thrashing. To enable Java garbage collection trace on IBM WebSphere Application Server, refer to the following document: Enabling verbose garbage collection (verbosegc) in WebSphere Application Server


Run the following command:

top -d delaytime -c -b > top.log

Where delaytime is the number of seconds to wait between samples. This must be 60 seconds or greater, depending on how soon the failure is expected.


Create a script file, vmstat.sh with the following content:

#!/bin/sh
#vmstat.sh
#output file name (first argument)
VMSTAT_LOG=$1
#number of samples before the log is restarted from scratch
LIMIT=288
#sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
i=0
#truncate the log at the start of each cycle
echo >"$VMSTAT_LOG"
while [ "$i" -le "$LIMIT" ];
do
date >> "$VMSTAT_LOG";
#12 samples at 5-second intervals
vmstat 5 12 >> "$VMSTAT_LOG";
i=`expr $i + 1`;
sleep "$SLEEP_TIME";
done
done

Create a script, ps.sh with the following content:

#!/bin/sh
#ps.sh
#output file name (first argument)
PS_LOG=$1
#number of samples before the log is restarted from scratch
LIMIT=288
#sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
i=0
#truncate the log at the start of each cycle
echo >"$PS_LOG"
while [ "$i" -le "$LIMIT" ];
do
date >> "$PS_LOG";
#-L lists every thread (LWP) of every process with its CPU figure
ps -eLf >> "$PS_LOG";
i=`expr $i + 1`;
sleep "$SLEEP_TIME";
done
done

Run the scripts:

./ps.sh ps_eLf.log
./vmstat.sh vmstat.log

Notes:
- The scripts ps.sh and vmstat.sh, as provided, roll over every 24 hours.
- You might need to modify the scripts to meet your needs.
- The preceding scripts will run forever. After the error condition is reached, you will have to terminate them.


When high CPU consumption occurs, collect the following logs:

netstat -an > netstat1.out


If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver1.out


Run the following:

kill -3 [PID_of_problem_JVM]


The kill -3 commands create javacore*.txt files.

Note: If you are not able to determine which JVM process is experiencing the high CPU usage, issue kill -3 PID for each of the JVM processes.



Wait two minutes.


Run the following:

kill -3 [PID_of_problem_JVM]


Wait two minutes.


Run the following:

kill -3 [PID_of_problem_JVM]


Wait two minutes.


Run the following:

netstat -an > netstat2.out



If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver2.out



If you are unable to generate javacore files, then perform the following:

kill -11 [PID_of_problem_JVM]

WARNING: kill -11 will terminate the JVM process, produce a core file, and possibly a javacore.


Review all output files and collect the following files for the IBM Performance Analysis Tool for Java for Linux:


ps_eLf.log
javacore*.txt files
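An added example, not from the original post and not the IBM tool named above, of the correlation a reviewer performs by hand on these two files: the C column of ps -eLf gives each LWP's CPU figure, and in the IBM javacore format each thread's "native thread ID" is that same LWP number written in hexadecimal, so the busiest LWP can be joined to its Java stack. The ps output and javacore fragment below are constructed for this demo, with a constructed PID of 12345 and constructed thread names and frames; only the 3XMTHREADINFO, 3XMTHREADINFO1 and 4XESTACKTRACE line tags are taken from the real javacore layout.

```python
import re

# Added example (not part of the original post): join the busiest LWPs from a
# "ps -eLf" capture with their stacks in an IBM javacore. All sample text is
# constructed; the PID 12345 and thread names are placeholders for this demo.

# Constructed ps -eLf output. Columns: UID PID PPID LWP C NLWP STIME TTY TIME CMD
# The C column is the CPU utilisation figure for the thread (LWP).
PS_SAMPLE = """\
UID        PID  PPID   LWP  C NLWP STIME TTY          TIME CMD
wasadm   12345     1 12345  0  120 09:00 ?        00:00:01 /opt/IBM/java/bin/java
wasadm   12345     1 12352  1  120 09:00 ?        00:00:10 /opt/IBM/java/bin/java
wasadm   12345     1 12410 97  120 09:01 ?        01:12:43 /opt/IBM/java/bin/java
wasadm   12345     1 12411  2  120 09:01 ?        00:00:40 /opt/IBM/java/bin/java
"""

# Constructed javacore fragment in the IBM layout; 0x307A is LWP 12410 in hex.
JAVACORE_SAMPLE = """\
3XMTHREADINFO      "WebContainer : 3" J9VMThread:0x0000000001, state:R, prio=5
3XMTHREADINFO1            (native thread ID:0x307A, native priority:0x5, native policy:UNKNOWN)
4XESTACKTRACE          at com/example/report/Loop.spin(Loop.java:42)
4XESTACKTRACE          at com/example/report/ReportServlet.doGet(ReportServlet.java:88)
3XMTHREADINFO      "WebContainer : 4" J9VMThread:0x0000000002, state:CW, prio=5
3XMTHREADINFO1            (native thread ID:0x307B, native priority:0x5, native policy:UNKNOWN)
4XESTACKTRACE          at java/lang/Object.wait(Native Method)
"""

THREAD_RE = re.compile(r'^3XMTHREADINFO\s+"(?P<name>[^"]*)"')
NATIVE_ID_RE = re.compile(r'^3XMTHREADINFO1\s+\(native thread ID:0x(?P<tid>[0-9A-Fa-f]+)')
FRAME_RE = re.compile(r'^4XESTACKTRACE\s+(?P<frame>.*\S)')


def busiest_threads(ps_text, pid, top_n=3):
    """Return [(lwp, cpu), ...] for the threads of `pid`, highest CPU first."""
    rows = []
    for line in ps_text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 9)                # CMD may contain spaces
        if len(fields) < 10 or int(fields[1]) != pid:
            continue
        rows.append((int(fields[3]), int(fields[4])))   # (LWP, C)
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:top_n]


def parse_javacore(text):
    """Map native thread id (as an int) -> {"name": ..., "stack": [...]}."""
    threads = {}
    current = None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = {"name": m.group("name"), "stack": []}
            continue
        m = NATIVE_ID_RE.match(line)
        if m and current is not None:
            threads[int(m.group("tid"), 16)] = current   # hex native id == LWP
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current["stack"].append(m.group("frame"))
    return threads


def hot_thread_report(ps_text, javacore_text, pid):
    """For each busy LWP, report its javacore thread name and top frame."""
    threads = parse_javacore(javacore_text)
    report = []
    for lwp, cpu in busiest_threads(ps_text, pid):
        info = threads.get(lwp)
        report.append({
            "lwp": lwp,
            "cpu": cpu,
            "name": info["name"] if info else None,
            "top_frame": info["stack"][0] if info and info["stack"] else None,
        })
    return report


if __name__ == "__main__":
    for row in hot_thread_report(PS_SAMPLE, JAVACORE_SAMPLE, 12345):
        print(row)
```

The two-minute gaps between the three kill -3 commands matter for this join: a thread that is still on the same frame in all three javacores, and still at the top of the ps list, is the one to look at, whereas a thread that merely appeared busy in one sample is probably noise.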

Courtesy: http://wasissues.blogspot.com/

Configuring OpenLDAP as a SiteMinder Policy Store

SiteMinder supports OpenLDAP for use as a Policy Store. OpenLDAP provides a freely available, replicated directory that can be used as a redundant store for SiteMinder’s configuration information. Unfortunately, the SiteMinder documentation covering how to configure OpenLDAP is at best incomplete and at worst incorrect. This article breaks down the steps required to enable OpenLDAP to be a Policy Store and configure the Policy Server to leverage the directory. Keep in mind that SiteMinder currently only supports OpenLDAP 2.3.x. This means that only Master/Slave replication is supported. While this is sufficient to ensure the availability of the Policy Store, if the Master directory is down, no policy or key updates can be performed. This article also assumes that the Key Store is set to the default setting of using the Policy Store as the location to store key information. Switch the directory paths outlined below to use backslashes if these steps are being performed on Windows.

1. Download and Install OpenLDAP
This article does not cover the specific details on how to build and install OpenLDAP. The details for this can be found on the OpenLDAP site. A quick start guide is located there as well.

2. Download the OpenLDAP Schema Files for SiteMinder
OpenLDAP is considered a "Tier 2" directory for SiteMinder. As such, the ability to configure the directory as a Policy Store is not automated. In order to obtain the needed schema files for the Policy Store, the "CA SiteMinder Tier 2 Directories- ESD Only" package must be downloaded. To download this file (current as of 10/12/2011):

1. Log in to the Technical Support Site
2. Click “Download Center” in the lefthand navigation
3. Type siteminder into the “Select a Product” field
4. Select the listed SiteMinder product
5. Select 12.0 in the “Select a Release” drop-down
6. Select SP3 in the “Select a Gen level” drop-down
7. Click the [GO] button
8. Scroll down to the bottom of the list of returned downloads
9. Download and unzip the “CA SiteMinder Tier 2 Directories- ESD Only” download to the Policy Server

3. Configure OpenLDAP To Support the SiteMinder Policy Store
The OpenLDAP server requires manual configuration to support its use as a SiteMinder Policy Store. The following steps are required:

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration
3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store
3d. Create the base Policy Store structure
3e. Restart OpenLDAP

Note that these instructions assume that the install location for OpenLDAP is under the /usr/local path and the default directories are used. For this example, the root of the directory is “dc=company,dc=com” for the location of the Policy Store. These steps will need to be modified if a different path or directory structure is used.

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
The OpenLDAP schema needs to be extended to support the SiteMinder Policy Store objects. This is done by copying the schema files to the server and adding them into the slapd.conf configuration file. To copy the schema files:
.........
More Here

Courtesy: http://www.coreblox.com/blog/2011/10/configuring-openldap-as-a-siteminder-policy-store/

SiteMinder federation to SharePoint 2010

This paper shows how to configure identity federation between CA SiteMinder and Microsoft SharePoint 2010, using the CA Federation Manager Add-on for SiteMinder. Two scenarios are presented. The first is an intra-organizational scenario that is useful where SiteMinder, the user accounts, and SharePoint are all maintained within the enterprise. The second is a traditional identity federation scenario where the user accounts are maintained outside of the enterprise hosting SharePoint. A federated identity environment features the following advantages:

· Helps control Information Technology (IT) costs and gain efficiencies. Federation targets areas that require lots of manual processes such as user account management, and access management. These manual processes are the focus of cost control.

· Enables compliance with expanding regulatory requirements. A standards-based identity federation can increase security of websites and portals and enable an organization to identify and authenticate a user only once. The organization can then use that identity information to access multiple systems which can include websites of external partners and various portals.

While both scenarios create a federated identity environment, the techniques and methodology used in the two lab scenarios differ. The two lab scenarios are:

1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted Identity Provider for SharePoint and authenticates users to one or more user directories maintained within the organization. Once authenticated, these users (which may be employees, partners or customers) can access SharePoint as well as other applications protected by SiteMinder. This lab scenario uses the CA Federation Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation Security Services) to generate a WS-Federation 1.0 token that is in turn read by SharePoint 2010.

2. Lab scenario 2 - Cross-organization, traditional Federation scenario. In this lab scenario, SiteMinder is deployed at the external partner organization, along with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is deployed within the enterprise where SharePoint is hosted. SiteMinder authenticates the partners to the partner organization's user directory and generates a SAML 2.0 token. AD FS 2.0, which acts as a security token service, translates the SAML 2.0 token into a WS-Federation token for use with SharePoint. In this lab scenario, we also configure SharePoint's native claims-based Windows provider to illustrate how employees within the enterprise could access SharePoint alongside partners who use the federated approach (the claims-based Windows provider is listed along with the other Identity Providers configured in AD FS 2.0; in the lab it is identified as ADFSMachine.CompanyA.com).

Courtesy: http://interopvendoralliance.org/labs/siteminder-federation-to-sharepoint-2010.aspx

SiteMinder Overview

CA SiteMinder is enterprise-level web access management software that allows organizations to manage their web users and control their access to applications, portals and web services.

SiteMinder consists of two core components:

Policy Server:

The Policy Server provides policy management, authentication, authorization, and accounting.

SiteMinder Agents:

Integrated with a standard Web server or application server, SiteMinder Agents enable SiteMinder to manage access to Web applications and content according to predefined security policies.

How CA SiteMinder Works:

The process for securely accessing web applications:

1. User attempts to access a protected resource.

2. User is challenged for credentials and presents them to the CA SiteMinder web agent or to the Secure Proxy Server.

3. The user’s credentials are passed to the Policy Server.

4. The user is authenticated against the appropriate user store.

5. The Policy Server evaluates the user’s entitlements and grants access.

6. User profile and entitlement information is passed to the application.

7. The user gets access to the secured application, which delivers customized content.

Courtesy: http://webspheresolution.wordpress.com/2011/09/29/siteminder-overview/

Earn Money With iPhone Apps
The most comprehensive guide to creating lucrative iPhone applications (apps for short). Our guide explains how to create new iPhone apps and get them listed on the Apple iPhone App Store. Profit from iPhones now!


How To Create iPhone Apps With No Programming Experience
Discover how to create iPhone apps easily with no programming experience required. Learn from some of the top iPhone app developers to get your app created now.