Community profile 25793466 Level 2
11 BADGES
Joined the community 24-03-2016 5:00:42 PM
Re: Encrypted OSGI configuration properties
Avatar
Give Back 10
Level 2
25793466
Level 2

Likes

3 likes

Total Posts

22 posts

Correct reply

2 solutions
Top badges earned
Give Back 10
Give Back 5
Ignite 5
Ignite 3
Ignite 1
View profile
25793466
- Adobe Experience Manager
That is indeed what I was looking for. It works in 6.3 also, even though the documentation seems to be for 6.4. When you view the configuration through the CRX, the value will show the encrypted text. Then AEM magically decrypts it before it is sent to the service or external component. I guess every time a configuration is invoked, AEM reviews all the properties looking for a pattern so it knows to decrypt it.

Views: 868, Likes: 0, Replies: 0
Re: Restricting Query Strings in dispatcher.any not working
- Adobe Experience Manager
It turns out there is an issue with the dispatcher version we are using. I don't know if it affects all platforms, but it is not working correctly on 4.2.0 on IIS, x64 non-ssl version. I tested the same exact dispatcher configuration (dispatcher.any) on the latest dispatcher (v4.2.3) and the filter rules are working correctly with query strings.

Views: 1.7K, Likes: 0, Replies: 0
Encrypted OSGI configuration properties
- Adobe Experience Manager
It appears this is available starting in 6.3. From the 6.3 release notes: "Support for all OSGI configuration properties to be stored in a protected encrypted form instead of clear text." How do you enable this or is it done automatically? What I am really looking for is the LDAP Identity Provider bind password to be masked when I view through the CRX. In 6.3, I am still seeing it in clear text. Perhaps that's not what this feature is intended to do.

Views: 1.1K, Likes: 1, Replies: 2
Re: Store and deploy secure OSGI configuration for OOTB AEM services
- Adobe Experience Manager
It appears this indeed is available starting in 6.3. From the 6.3 release notes: "Support for all OSGI configuration properties to be stored in a protected encrypted form instead of clear text." How do you enable this or is it done automatically? What I am really looking for is the LDAP Identity Provider bind password to be masked when I view through the CRX. In 6.3, I am still seeing it in clear text. Perhaps that's not what this feature is intended to do.

Views: 906, Likes: 0, Replies: 0
Re: Restricting Query Strings in dispatcher.any not working
- Adobe Experience Manager
That didn't work. We run AEM within an application server and it's not possible to run at the root. (We even had ACS unsuccessfully attempt to change that.) All of our /filter rules are prefixed with /mysite and we haven't had any issues since we launched the site over two years ago. I added a fourth rule to test your suggestion.

/0004 { /type "allow" /method "GET" /url "/content/test/*" /query "a=*" }

https://my.site.com/mysite/content/test/home.html?a=test does not work. It does work when rule...

Views: 1.4K, Likes: 0, Replies: 0
Re: Restricting Query Strings in dispatcher.any not working
- Adobe Experience Manager
I should have mentioned that. We are using 4.2.0 on IIS. x64 non-ssl version.

Views: 1.4K, Likes: 0, Replies: 0
Restricting Query Strings in dispatcher.any not working
- Adobe Experience Manager
I want to disable any URL with query strings but allow those that don't. The "Note:" section of Configuring Dispatcher says the following should work:

/0001 { /type "deny" /method "*" /url "/mysite/content/test/*" }
/0002 { /type "allow" /method "GET" /url "/mysite/content/test/*" }
/0003 { /type "deny" /method "GET" /url "/mysite/content/test/*" /query "*" }

When I try https://my.site.com/mysite/content/test/home.html, it is getting blocked by /0003. It should work, given "If a rule contains a /query...

Views: 3.8K, Likes: 0, Replies: 7
Re: List all possible selectors and extensions for denial of service (DoS) attack mitigation
- Adobe Experience Manager
We do deny everything first. The first line of our dispatcher.any filter section is:

/0001 { /type "deny" /glob "*" }

Since there are several other sections of the security checklist devoted to the dispatcher, I thought this particular section ("Incorporate controls at the application level; Control the selectors in your application") was implying something additional can be done within the app as well. I'm just trying to be thorough.

Views: 1.1K, Likes: 0, Replies: 0
Re: List all possible selectors and extensions for denial of service (DoS) attack mitigation
- Adobe Experience Manager
Right. I know from that perspective. Our deployment has one package that I wrote, so I know our selectors. But I can imagine an application, perhaps poorly architected, that has many code packages where a developer might introduce a selector that could cause problems. It would be nice to query them from an administrative perspective to ensure compliance. And what about the out-of-the-box ones? I am assuming only the .html (Apache Sling Servlet/Script Resolver and Error Handler) and .json (Apache ...

Views: 1.1K, Likes: 0, Replies: 0
List all possible selectors and extensions for denial of service (DoS) attack mitigation
- Adobe Experience Manager
Under the guidance of the security checklist (Security Checklist: "Incorporate controls at the application level; Control the selectors in your application"), how would I determine all possible extensions and selectors that are running in my instance?

Views: 2.2K, Likes: 0, Replies: 5
Sending SSO User ID in "Basic" Format
- Adobe Experience Manager
I'm trying to figure out how to encode a user ID for SSO using the Basic format instead of AsIs. Normally basic authentication is the encoded username:password, like admin:12345. I've tried that, just the user ID then colon, and just the user ID. AEM isn't accepting any of them.

Views: 551, Likes: 0, Replies: 0
Re: Disable Basic Authentication
- Adobe Experience Manager
Right, I know. I was just wondering if it's feasible to disable. I am doing some security testing.

Views: 1.6K, Likes: 0, Replies: 0
Disable Basic Authentication
- Adobe Experience Manager
I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher. I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic. I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator to Disabled, but that doesn't seem...

Views: 3.0K, Likes: 0, Replies: 4
Re: How to make CQ5 working with enabled basic http authentication dispatcher
- Adobe Experience Manager
I want to disable basic authentication and ran across this thread. I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on. Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

Views: 2.2K, Likes: 0, Replies: 0
Re: LDAP error resulting from Active Directory server connection reset / MaxConnIdleTime
- Adobe Experience Manager
I contacted Support and the error is benign. Specifically: "Your understanding about the warning is absolutely right. AEM doesn't have a function to disconnect with the LDAP. However, If you are using Active Directory, it will be disconnected by a "MaxConnIdleTime" policy of AD. The default value is 15 minutes. AD will send a "rest" packet at intervals determined by the "MaxConnIdleTime". Hence this WARN can be ignored from your end. I don't see an AEM configuration that could help this case as A...

Views: 1.7K, Likes: 1, Replies: 0
LDAP error resulting from Active Directory server connection reset / MaxConnIdleTime
- Adobe Experience Manager
We integrate with 2 LDAP domains (Active Directory) and frequently see the error below in our error.log files. It is not causing any issues that I am aware of. After reviewing a network trace, I see the Active Directory server close the connection (a reset/RST actually) after 15 minutes of inactivity/idle time. It appears this is a result of the AD MaxConnIdleTime setting (https://technet.microsoft.com/en-us/library/cc770976(v=ws.11).aspx and http://ldapwiki.com/wiki/MaxConnIdleTime). The defaul...

Views: 2.8K, Likes: 0, Replies: 1
Re: [New] Welcome to AEM Community! Please Introduce Yourself
- Adobe Experience Manager
Hello Everyone, I'm Dan. I have over 3 years of experience with Sites and 17 years of experience with enterprise content management and portal systems. Glad to be here!

Views: 11.3K, Likes: 1, Replies: 0
Is Checking Data Store Consistency needed for TarMK?
- Adobe Experience Manager
Is it necessary to run a consistency check if we are using TarMK for the node and data store for AEM 6.2? I cannot find a "Blob GC" Mbean on my JMX console. The documentation here (https://docs.adobe.com/docs/en/aem/6-2/administer/operations/data-store-garbage-collection.html#Checking Data Store Consistency) is pretty clear on what needs to be done on various node and data stores but not in the section "Checking Data Store Consistency."

Views: 886, Likes: 0, Replies: 1
Re: Forcing the Use of the SSL Port / Why Dispatcher Works over HTTP
- Adobe Experience Manager
You are correct. It looks like the dispatcher makes the request to the publish instance using the end user facing URL host as the host header, which doesn't match the machinename.port I am forcing SSL on.

Views: 658, Likes: 0, Replies: 0
Forcing the Use of the SSL Port / Why Dispatcher Works over HTTP
- Adobe Experience Manager
I want to force the use of SSL in the admin interface of the publish instance. Configuring this "https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/config-ssl.html#Forcing the Use of the SSL Port", does just that. However, I need my dispatcher to connect over http (set through dispatcher.any). This appears to work but now I'm wondering why publish does not force the redirect to SSL.

Views: 728, Likes: 0, Replies: 2
Re: Change daily log rotation time
- Adobe Experience Manager
Sorry, I think I misstated my question. I still want a daily log (one per day), but I want them to rollover not at midnight. I want them to roll at say 11pm. I understand that changing the pattern to something like yyyy-MM-dd-HH would roll them every hour but then I would end up with 24 logs per day. The reason I ask is that we have a process that sweeps/copies logs to a central server. That process has to run at 11:59pm. It is not picking up the AEM logs for that day because they have not rolled...

Views: 1.6K, Likes: 0, Replies: 0
Change daily log rotation time
- Adobe Experience Manager
If logs are configured to rollover/rotate daily (pattern '.'yyyy-MM-dd), is it possible to set the time that they rollover? For example, 11:55pm instead of midnight.

Views: 2.1K, Likes: 0, Replies: 4