Follow IDMFUN - More than just Identity & Access Manag.. on Feedspot


Error:-

<Mar 14, 2018 9:05:45 AM IST> <Emergency> <Management> <BEA-141151> <The admin server could not be reached at http://192.168.65.153:7001.>
<Mar 14, 2018 9:05:45 AM IST> <Info> <Configuration Management> <BEA-150018> <This server is being started in managed server independence mode in the absence of the admin server.>
<Mar 14, 2018 9:05:45 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 14, 2018 9:05:45 AM IST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 14, 2018 9:05:45 AM IST> <Notice> <Log Management> <BEA-170019> <The server log file /u03/user_projects/domains/oimdomain/servers/oim_server1/logs/oim_server1.log is opened. All server side log events will be written to this file.>
Mar 14, 2018 9:05:53 AM oracle.security.jps.internal.idstore.util.LibOvdUtil pushLdapNamesToLibOvd
INFO: Pushed ldap name and types info to libOvd. Ldaps : DefaultAuthenticator:idstore.ldap.provideridstore.ldap.
Mar 14, 2018 9:05:53 AM oracle.security.jps.az.internal.runtime.pd.register.PDPRegister run
INFO: PDP registration succeeded.
Mar 14, 2018 9:05:54 AM oracle.iam.platform.auth.providers.wls.OIMAuthenticationProvider initialize
INFO: Authentication module initialized
<Mar 14, 2018 9:05:56 AM IST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Mar 14, 2018 9:05:56 AM IST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.SecurityException: Method 'getAdministrationURL' cannot be invoked without administrator access
java.lang.SecurityException: Method 'getAdministrationURL' cannot be invoked without administrator access
        at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
        at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
        at weblogic.server.channels.RemoteChannelServiceImpl_1036_WLStub.getAdministrationURL(Unknown Source)
        at weblogic.server.channels.RemoteChannelServiceImpl.registerInternal(RemoteChannelServiceImpl.java:184)
        at weblogic.server.channels.RemoteChannelServiceImpl.registerForever(RemoteChannelServiceImpl.java:147)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.SecurityException: Method 'getAdministrationURL' cannot be invoked without administrator access
        at weblogic.rmi.internal.AdminAccessOnlyServerRef.getWorkManager(AdminAccessOnlyServerRef.java:29)
        at weblogic.rmi.internal.BasicServerRef.getWorkManager(BasicServerRef.java:442)
        at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:358)
        at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:1022)
        at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:1173)
        Truncated. see log file for complete stacktrace
<Mar 14, 2018 9:05:56 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Mar 14, 2018 9:05:56 AM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Mar 14, 2018 9:05:56 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>


Resolution:-

In my case we were troubleshooting issues in DR OIM 11.1.2.3 and the server went into a hung state;
after the server was rebooted, the WebLogic Admin URL was pointing to a different IP address.

Note: We need to point the WebLogic Admin URL to the correct IP address, i.e. 192.168.65.153:7001.
            Then take a backup, remove tmp and cache, and start the Admin and Managed servers.




Thanks,
Aditya.
Readers,

Have you ever added the X-Content-Type-Options security header to the OHS server configuration to prevent MIME-based attacks? Since IAM involves a lot of security, many of these security headers need to be configured at the OHS layer to prevent cross-site scripting, MIME-based attacks, etc.
Some of the security headers come with compatibility issues in a few browsers, e.g. X-Content-Type-Options. We had to deploy custom OAM form pages into the OAM servers and proxy them through OHS for general requirements. Since this header was coming in the HTTP request headers, it was preventing images from loading on the custom OAM form page.
The form page is accessible through the direct OAM server URL; however, it was failing to load via OHS. Thus we had to comment out the line below for images to render on the custom OAM form JSP page.

#Header always set X-Content-Type-Options "nosniff"

Hope this helps.
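
An added check, not part of the original post: with nosniff the browser stops guessing a type from the bytes and relies on the declared Content-Type, so one thing worth verifying before removing the header is whether the proxied images are served with a matching type. The paths and sample responses below are constructed for illustration.

```python
# Added example (not the author's code): compare the Content-Type declared
# for each proxied image with the type its leading bytes indicate.

# Magic numbers for the common web image formats.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(body):
    """Return the image MIME type implied by the first bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES:
        if body.startswith(magic):
            return mime
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None


def audit(responses):
    """responses: iterable of (path, headers dict, body bytes)."""
    findings = []
    for path, headers, body in responses:
        hdrs = {k.lower(): v for k, v in headers.items()}
        # Drop parameters such as "; charset=UTF-8" before comparing.
        declared = hdrs.get("content-type", "").split(";", 1)[0].strip().lower()
        actual = sniff_image_type(body)
        nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
        if actual is None:
            verdict = "not-an-image"
        elif not declared:
            verdict = "missing-type"
        elif declared != actual:
            verdict = "mismatch"
        else:
            verdict = "ok"
        findings.append({"path": path, "declared": declared, "actual": actual,
                         "nosniff": nosniff, "verdict": verdict})
    return findings


# Constructed sample responses (hypothetical paths, truncated bodies).
SAMPLE_RESPONSES = [
    ("/custom/logo.png",
     {"Content-Type": "text/html; charset=UTF-8", "X-Content-Type-Options": "nosniff"},
     b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("/custom/banner.jpg",
     {"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"},
     b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("/custom/icon.gif",
     {"X-Content-Type-Options": "nosniff"},
     b"GIF89a" + b"\x00" * 8),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f["path"], f["declared"] or "-", f["actual"], f["verdict"])
```

Responses flagged mismatch or missing-type can be corrected at the proxy or application layer, which lets the header stay enabled.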

Error:

<Mar 14, 2018 9:13:36 AM IST> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift.
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:466)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1032)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)
        Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift.
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
        at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
        at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
        at weblogic.security.service.CSSWLSDelegateImpl.getService(CSSWLSDelegateImpl.java:155)
        Truncated. see log file for complete stacktrace
Caused By: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider Authorizer from file /u03/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift
        at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadFullLDIFTemplate(BootStrapServiceImpl.java:910)
        at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFTemplate(BootStrapServiceImpl.java:688)
        at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:176)
        at com.bea.common.store.bootstrap.internal.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:160)
        at com.bea.common.security.internal.service.BootStrapServiceImpl.loadLDIFXACMLAuthorizerTemplate(BootStrapServiceImpl.java:106)
        Truncated. see log file for complete stacktrace
Caused By: <openjpa-1.1.1-SNAPSHOT-r422266:1172209 fatal store error> kodo.jdo.FatalDataStoreException: The transaction has been rolled back.  See the nested exceptions for details on the errors that occurred
        at org.apache.openjpa.kernel.BrokerImpl.newFlushException(BrokerImpl.java:2170)
        at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2017)
        at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1915)
        at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:1833)
        at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
        Truncated. see log file for complete stacktrace
Caused By: <openjpa-1.1.1-SNAPSHOT-r422266:1172209 fatal store error> kodo.jdo.FatalDataStoreException: error result
        at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:341)
        at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
        at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
        at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:571)
        at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
        Truncated. see log file for complete stacktrace
Caused By: netscape.ldap.LDAPException: error result (49); Invalid credentials
        at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
        at netscape.ldap.LDAPConnection.simpleBind(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.bind(Unknown Source)
        Truncated. see log file for complete stacktrace
<Mar 14, 2018 9:13:36 AM IST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Mar 14, 2018 9:13:36 AM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:917)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
<Mar 14, 2018 9:13:36 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Mar 14, 2018 9:13:36 AM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Mar 14, 2018 9:13:36 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

CAUSE

The root cause is that the RDBMS Tables are not created in the Security Datastore.

SOLUTION 1

Check the following two points as they may be the cause of the reported issue:

1) OPSS Schema

The BEAXACMLAP table that is causing the ORA-00092 is a table in the OPSS schema.
Please check whether the BEAXACMLAP table exists in the OPSS schema.
If this table does not exist, you may not have run 'rdbms_security_store_oracle.sql'.

Related Information: Note:1327167.1 - WebLogic Server Cannot Start Up with RDBMS Security Store

2) Database user

Please check that the correct database user is being used.

SOLUTION 2

Before booting the domain, the RDBMS tables need to be created in the database:
Specify the same connection properties (the credentials of the user who has access, the database URL, etc.) as specified for that RDBMS during domain creation.
Run the appropriate script to create the RDBMS tables. There is a set of SQL scripts for creating and removing the RDBMS tables under WL_HOME/server/lib: e.g., for Oracle DB, rdbms_security_store_oracle.sql creates the RDBMS tables and rdbms_security_store_oracle_remove.sql removes them.

For details, please refer to "Create RDBMS Tables in the Security Datastore" in

http://www.oracle.com/pls/as1111/lookup?id=SECMG346

Thanks,
Aditya.



"You need to think out loud concerning the security of your enterprise application". I say and hear this line every day as a security professional.
As the importance of application security grows, knowing the location of the user has become one of the minimum requirements for avoiding possible fraud. As the saying goes, "prevention is better than cure".
There are scenarios where applications need to know the location of the user because it drives the relevant content presented to the user once authorized. I would rather park that line of discussion, as my intent is to focus on web security in this post.
I come across this requirement quite often, so I thought I would put together some of the GeoLocation providers out there on the web that can do the job of locating the user before giving access to mission-critical applications, without any overhead to the application.
Listed below are some of the IP-address-based GeoLocation API providers available in the market.
Note: Do your due diligence before implementing any of these APIs for your application security, as each provider has its advantages and limitations.
  1. https://www.snoopi.io
  2. https://www.ipify.org
  3. http://geobytes.com
  4. https://ipstack.com
  5. http://ipapi.co
  6. https://ipdata.co

Hope this will be helpful.
Provides convenient services, for example for someone who wants to search for nearby hotels when visiting a new city, or who needs nearby hospitals in a medical emergency.

See the following URL for more about GEONAMES web services.

Gisgraphy is an open source framework for geolocalisation and geocoding. This framework uses
the GEONAMES web service API to find locations.

To find out more, click here.

The following are GeoNames WebServices

  1. findNearbyPlaceName
  2. findNearbyPostalCodes
  3. countryCode
  4. countryInfo and many more

findNearbyPlaceName:

    Here, nearby places can be looked up by giving a longitude and latitude.

    For the return values, we can select a format from the available formats, such as XML or JSON.

    To find out more, click on the following link for findNearbyPlaceName in Gisgraphy.

findNearbyPostalCodes:

    It can find the nearest places for either a given longitude and latitude or a postal code.

    For the return values, we can select a format from the available formats, such as XML or JSON.

    To find out more, click on the following link for findNearbyPostalCodes in Gisgraphy.

    https://services.gisgraphy.com/static/leaflet/index.html#

countryCode:

    In this service, we get the capital, population, area in square km, etc. by giving
    a country name.

countryInfo:

    This service will return the ISO country code for the given latitude/longitude.
This API provides a testing environment for developers who want to build banking-related apps. Here we have to create a Developer account in the Sandbox to access all the functionalities, such as accounts access, ATM access, transaction details, payments, transaction requests and many more.

To access all services, use the SDK provided by the open project API. This SDK helps connect the app to banking services; it also needs the developer key that was provided when you created the developer account.

Test the app with sandbox test customers only.

To get the APIs, use the following URL: Click Here

The latest version is 3.0.0 and older versions are from 1.2.1 to 2.2.0.

Here we have different APIs available:

  1. Accounts
  2. Branches, ATM
  3. Transactions
  4. Payments & Transaction requests and many more. 

Accounts: Access user accounts and balance information for different accounts.

The following services are available in the API:

          A) Create an account: Create a new Account in the specified Branch
          B) Create view: To balance view use OAuth authentication.
          C) Delete view: Delete access
          D) Get an account by id: Returns information for an account id, and many more.

          Click Here to explore more about this API

Branches, ATM: Here we can create new branches and ATMs in specified geolocations.

The following services are available in the API:

          A) Create Bank: Create a new branch
          B) Get Bank: Get bank details
          C) Get Banks: Get all bank names, and many more.

          Click Here to explore more about this API

Transactions: Access the transaction info and its metadata.

The following services are available in the API:

          A) Get other accounts of transaction: Returns details about which party was involved.
          B) Get transaction by id: Returns transaction details, and many more.

          Click Here to explore more about this API

Payments & Transaction Requests: Initiate transfers, view charges, etc.

The following services are available in the API:

          A) Create transaction request: Initiates a transaction, followed by account details.
          B) Get Transaction Requests: Get the transaction requests for a given account number in a specified branch, and many more.

          Click Here to explore more about this API
When SAP HANA is enabled for external authentication with the SAML mechanism, you might get the "Assertion did not contain a valid MessageID." error message when trying to log in.

Solution:

Adding the SAML parameter assertion_timeout and setting its value to 30 in SAP solves the issue.

Ref: https://blogs.sap.com/2014/07/03/troubleshooting-issues-when-implementing-saml-sso-in-hana-xs-engine/

Thanks

Oracle Identity Manager (OIM) 12c New Features


In this blog we are going to see some new features introduced in Oracle Identity Manager 12c.

From my search, I found there are not many major changes at the UI level.

The end-user experience will be the same for the access request catalog and approval/certification.

1. The Oracle Identity Governance 12c infrastructure requires the components below.
    Oracle database (11.2.0.4, any 12c)
    jdk1.8
    WebLogic 12.2.1.3.0
    SOA 12.2.1.3.0
    OIG 12.1.2.3.0

2. RCU (Repository Creation Utility) is built in and can be run from /u03/oracle_common/bin.

3. OIM 12c finally supports encryption of the database. During creation of the OIM users in the database,
    RCU can encrypt the database tablespace.
    The TDE (Transparent Data Encryption) option must be enabled in the Oracle 12c database.
    TDE allows the application to encrypt the tablespace using a secret key.
    Data is transparently decrypted for database users and applications that access this data.
    Database users and applications do not need to be aware that the data they are accessing
    is stored in encrypted form.
    If TDE is enabled in the Oracle 12c database, RCU will automatically provide you with an
    option to make the OIM tablespace encrypted.

4. If you do not have the DBA privilege, you can create a script for the DBA to run.
    Once the DBA has finished running the RCU-generated scripts, you can run the
    post-process configuration.
    This is very helpful where the database is managed by a different administrative team.

5. OIM 12c now has an Application Onboarding capability through the GUI.
    It allows you to create and manage applications, templates and instances of applications,
    and to clone applications.
    This speeds up the process of onboarding applications into OIM.

6. Access policies can be created and managed from the Manage tab in Identity Self Service.
    In OIM 12c, by setting the XL.AllowRoleHierarchicalPolicyEval system property to TRUE,
    you can have the access granted via access policies inherited from the parent role by the child role.

7. In OIM 11gR2 PS3, a single certifier was supported in the certification workflow.
    OIM 12c supports a group of certifiers for Application Instance, Entitlement,
    Role and User certification.

8. As can be seen in the above screenshot, OIM 12c introduces a custom reviewer
    option in certification.

    It is applicable to Identity certification. A custom reviewer for certifications can
    be specified by defining certification rules in the
    CERT_CUSTOM_ACCESS_REVIEWERS table.

    The advantage of this feature is that we can now assign a certification request based on a rule
    defined for the custom reviewer.

9. OIM 12c can limit the entitlement assignments, role assignments and application assignments
    to certify for each user, as an option when creating a user certification definition.
    For example, when an identity certification is assigned to a reviewer, only the selected roles,
    selected entitlements and selected application instances will be visible for certification.
    In this way we can remove the birthrights from being certified.

10. We can publish multiple sandboxes in bulk and in a specified sequence using a CSV file.

11. In OIM 12c, from Manage Connector you can define your new connectors from
    all the available components.
    The images below show the screen that allows you to choose components and create your
    new connector inside OIM.

12. Below is the new interface for Deployment Manager, for import and export in any new
    development, testing or migration.



Feel free to drop your comments.


Regards,

Aditya.

Issue:

OIF 11g partners are running out of sync in time.
This causes federation to fail with the error message: "AuthnResponse failed validation due to an invalid condition related to time".

The following solutions are available to fix the issue.

Solution 1: Make sure that all the OIF partners are in time sync.

Solution 2: As a complete time sync across all OIF partners could be challenging to accomplish and verify, there is this enhancement request:
ER 16906719 - FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED

It has been implemented, and now allows setting a clock drift delta for the times in the SAML Assertion Conditions->NotBefore.
The ER (Enhancement Request) bug is implemented only in 11.1.2.2.0 (11gR2 PS2).
So, OAM/OIF Federation 11.1.2.2.0 has been enhanced to support setting an outgoing clock drift adjustment, using the WLST command updatePartnerProperty with the "senderserverclockdrift" property.

The relevant documentation for the WLST command in the 11.1.2.2.0 release is available at: http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH

PS: Oracle Support strongly recommends that customers move to the newer releases of the products they use, and thus benefit from the new features as well as fixes for known bugs.

Solution 3: If you cannot move or plan an upgrade to OIF 11gR2 PS2 for now, but still desperately need this ER fix, a one-off patch backporting the ER (Enhancement Request) bug 16906719 on top of OIF 11gR1 11.1.1.6.0 has been completed.

The patch 16906719 is available from My Oracle Support:

--> Patch 16906719: FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED (Patch)

p16906719_111160_Generic.zip   59.2 KB

So, if you use exactly OIF 11gR1 11.1.1.6.0 and would like this fix, download Patch 16906719 and review the README file included in the zip for patch installation.

Please test this in your testing environment before moving it to the Production environment.

With this patch 16906719, OIF 11gR1 11.1.1.6.0 is enhanced with the backport of this bug in order to support setting an outgoing clock drift adjustment, using the WLST commands below to configure OIF 11.1.1.6.0:

- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for OIF global setting, replace VALUE_IN_SECONDS by the value in seconds

- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
replace VALUE_IN_SECONDS by the value in seconds and PROVIDER_ID by the partner's ProviderID

Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore

Without the fix, it will be equal to IssueInstant (in the Assertion).

With the fix, it will be equal to IssueInstant (in the Assertion) minus senderserverclockdrift.

PS: This patch is only applicable to OIF 11gR1 11.1.1.6.0, and you might need to double-check for possible patch conflicts (if you have other existing OIF 11gR1 patches running in the same environment).
4) If you use any other OIF 11gR1 11.1.1.x (other than OIF 11.1.1.6.0), there is currently no other patch available for OIF 11.1.1.x, and you would need to check with the OIF product support team for any further specific request.
Still, the best option and recommended solution is to move to the newer version, OAM/OIF 11gR2 PS2 11.1.2.2.0, and/or any later version coming after it.

Thanks
Siva Pokuri
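
An added illustration, not part of the original post or of Oracle's code: a small model of the test case above, where the IdP stamps Conditions->NotBefore as IssueInstant minus senderserverclockdrift and an SP with a slower clock evaluates the condition. The assertion is a constructed, unsigned fragment, the 90-second skew is an assumed value, and signature validation is left out.

```python
# Added example: effect of an outgoing clock drift on the SAML
# Conditions->NotBefore check at the service provider.
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_assertion(idp_now, sender_clock_drift=0, lifetime=300):
    """Constructed assertion fragment as issued by the IdP.

    NotBefore = IssueInstant - sender_clock_drift (seconds), which is the
    behaviour the post describes for senderserverclockdrift.
    """
    root = ET.Element(f"{{{SAML_NS}}}Assertion", {
        "ID": "_constructed-example",
        "Version": "2.0",
        "IssueInstant": idp_now.strftime(TS_FORMAT),
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Conditions", {
        "NotBefore": (idp_now - timedelta(seconds=sender_clock_drift)).strftime(TS_FORMAT),
        "NotOnOrAfter": (idp_now + timedelta(seconds=lifetime)).strftime(TS_FORMAT),
    })
    return ET.tostring(root, encoding="unicode")


def check_conditions(assertion_xml, sp_now):
    """Time check as a strict SP (no tolerance of its own) would apply it."""
    conditions = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return "no-conditions"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and sp_now < parse_ts(not_before):
        return "not-yet-valid"
    if not_on_or_after and sp_now >= parse_ts(not_on_or_after):
        return "expired"
    return "valid"


def minimum_drift(idp_now, sp_now):
    """Smallest whole-second drift that makes NotBefore <= the SP's clock."""
    return max(0, math.ceil((idp_now - sp_now).total_seconds()))


# Constructed scenario: the IdP clock runs 90 seconds ahead of the SP clock.
SP_NOW = datetime(2018, 3, 14, 9, 0, 0, tzinfo=timezone.utc)
IDP_NOW = SP_NOW + timedelta(seconds=90)

if __name__ == "__main__":
    print("no drift :", check_conditions(build_assertion(IDP_NOW), SP_NOW))
    print("drift 120:", check_conditions(build_assertion(IDP_NOW, 120), SP_NOW))
    print("minimum  :", minimum_drift(IDP_NOW, SP_NOW), "seconds")
```

The drift value moves NotBefore earlier and so widens the window in which the assertion is accepted; sizing it to the measured skew keeps that window as narrow as the environment allows.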