PK Aoa,mimetypeapplication/epub+zipPKAiTunesMetadata.plist] artistName Oracle Corporation book-info cover-image-hash 66003278 cover-image-path OEBPS/dcommon/oracle-logo.jpg package-file-hash 415454531 publisher-unique-id E35553-01 unique-id 754767658 genre Oracle Documentation itemName Oracle® Communications Converged Application Server Security Guide, Release 5.1 releaseDate 2012-12-12T04:44:03Z year 2012 PK@!b]PKAMETA-INF/container.xml PKYuPKAOEBPS/cover.htmO Cover

Oracle Corporation

PK[pTOPKAOEBPS/title.htm Oracle Communications Converged Application Server Security Guide, Release 5.1

Oracle® Communications Converged Application Server

Security Guide

Release 5.1

E35553-01

December 2012


Oracle Communications Converged Application Server Security Guide, Release 5.1

E35553-01

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

PKk)PKAOEBPS/preface.htm d Preface

Preface

This document describes security features and configuration for Oracle Communications Converged Application Server.

Audience

This document is intended for administrators who configure security for Converged Application Server.

Related Documents

For more information, see the following documents in the Oracle Communications Converged Application Server Release 5.1 documentation set:

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

PKNw PKA!OEBPS/img/passertedidentity40.pngPNG  IHDRJL iCCPICC ProfilexX{xcq1ZvۅF>P+Y"?Ylk >`]Jm mH)Mڴ%pNxxdQ8)sxfOy`W)͛`t<rmc*"ll65`t~?l;3|'ms K[VgN KܞF4 QaaҋFZ۽Ro@XU/Eg9Lr¥hP8bXTe]ã9L+;rN,38R̗2twh`6?Z( schR|aP)ϔG3ބ;B4ll)_\ˏ^ !>R3dITŒꀥ1$DWcFw.l̘.8]a;[D NfU!!bYݹ3fMPĬsw ~3دڌu70:7,mFv0ǝT(0'M2T%sy¦0gY|svh0[N-:Ka^=uG%*لMlulmg9ۦw8Y4J@gKQ8:Pt68`:&0a{, :`-;&8ct:Lp鰅'm$ o9όte/*luyiN3c;GmHMڒ9$c%RL^ jR =;C`Pd}"Mʓh-Iʒ RR T@F$$!vEZblZYR*ّʐ$ $]"iR(e PrYY cvǠə OlQA![ER"k&m0f f5k m #Q-9;d8Q ktFkAeH TLA%,ȋVX;'n.c%VdO!&А3d9Ғu$-5*O! GZb̞G(DYYRY3lT@fMb̖`,1'rڒq(%=-y1KGB!OZ&*F5($0y3#3։4S*!)XdIdMlHT]kQw( : cEa̞'d29m2ʒDYD$*K"/0vI4{$#+Qk2 5q`2})r 琅ox4d,$YLB$gq 1L"{ & D&Q92cHkԒMɤ4:Il[Ƙ%RLfHXdf2),4)Ƙ',dІC6E 2{cEKFffd$!Ix U2hyFA֠T$$z#咉D &%Pj2#Ɍ Iʑd$ZGZ<&b%*d#aQIY(dyW\]E}Qz:_ӑ!A6brؒ˫H aөJ}|uE*UX\\D}r%Y0VE"sR*zrS#LeR"N /5/z E5|yŅJm9q`Q/*ByaEiIR\YʵJYֺLLb•PmR^nԣ(.֪zP\G}QөS˻{/N_xpҫWSQ`a< pgNyt {=#kG{oXYmscg w؏l8mXŗ'g@?uYqphxdѱ5199+=/[_n}׽7۷|-#Gw?xG>>y>}/g~W~>߾΃{/~OӇgW7GG{'O=y_xK+?9u8mzgygsN5uŴM0Kh ߕv}ŕW<=3[ٽk)hg?p7jeH3wZ}ǟxfs^w3c6U]\f" އ$c௸R+; ?pW uwWx j'O}~_7o+?ؿo[nÇoۏ9z-7>{9˲g{λwO||b/w>q?O{?,o;/Oξէ?E7rFY".ŮDJ,cp%XGT#iB pHYs   IDATxy<3c'HѦRi-dmnFm7]%ZI"!c}qryϠǼ>y;^(b`0Lǂ"o0 >Xa0 `: Xa0 `: Xa0 `: Xa0 `: Xa0 `:  :FLy`0?.mBA}&%^46>1 C*ToDe&*6 D%GP( |B:`0d DH Be}}}]], ^bJB5D `%`0d"tD( Hb?[YY&-(J׮]w޻wYf 2`P Nޒb0LDI۠& |H$111!!!+W1bDuhX,.,,,,,|IPPF۲e˄ T*JD"0 dj!W$Ti@ Xkצ]vmРA2Ff{yyy999ڵN+**"=m8 !٩7|>ǫ} ܹsee%JzCI**1 Czh[ J===Elٲ `kkvZqфEEaÆ͘1ӧǏ4hezzzHA݆M7  2{P(۷o㏚[[H_ ƍw P(,X@洵Gd, t0dZkHV\\Lꠐ'O~ɇFbͳG٥K\_c&HZѿpVWW///'iP"|>@D"QFFƀ6oެƒ@ >|x@@@rr۷oxRohP(p/Tѭ[Hq֭={`0wC7 -ٔT#nݺUZZJm[n9Q[: i *6EEEEEEuuAEDD`6KDDĠAch[@ iߐ{ 8h@FGy.Km.{+++:`0h4p0Z6 i=䮤QTTD\{mddl2RGo,[ȨO>i@m #HWoHA:*@ٳggΜqrrb0Q(6@R ӾM7՛lJP h4ٛ`0vyo(j8:5>|F%*r{ÇO@II Yo(7 i=8Id)++?O>zzz<$rǽ{0aj? n`0iAzC>7h4pPɍ?mGuu5Ȟ?*6[[[UUUn#nXa0L!2B,F<ʵ5 TWWݹsh̙}555%/PA/.ׯ_ǟ>}`„ ݻwPWWhpJJJPc`,pq8bu+**߼|D`0 XikkףwTUUL&NT :?N>}:JT*uڴiXa0LRo ())JJJ|`0 XIч=z/0 7@``r``e`0 )[YYHOOO`0QAAA`0EbMb1F-" xA3i%_x Qh@5C6Q$55B3V:ZAD"@ 7_K@ qf~zܸq_|A3^P(-5ӞE6 |ƍUTTP(6B#G}"~~~Ǐ?1J T*UQQL 6voUUE"QffX,vww믿!T*BDxrBi) |3gmv%==={{kkkEEE**;*1WpՈIp_޽{'&&jjjjii%$$)//x`thA LczM $A\.Ç]tw^Ktsɺ>>>>|r84HX,֮]ߟBXjձc/]f&hߡ%D1$33sƌۻw/T{UUղeˆ +R`̷d6ǫZdI^^^rr7!((rذaMl|vZ ILLLHH7vܹslꊃM0D@>p }7/--uvvҥKhh&Q p C%a۷oǎwinݹsgΝwx -H4$rl6ɓ'ϟnҥKJJǏl6Á!ᙉ@ڥd Iuuի?~3ZOIIO?{nMMMli&I|~ll#""<==5֦M"""=:h l4_ $)**6mbzzt@__?--MQQqEEE8 MoٲRmM6߿ƍ8iL{ -iH4O]F.,,\vuttblIzYrǏ߿obb"q?a„s7q i7Ɓ$-..nڵ6m={vѢE;wtpp l[m p8%%%޽sTTTdΝjjj`?3c>rJ0#<<<22266Jbddd-XU6:c$/_ 1ce0+Ұnݺ! kwa~dځz׭[~If||BҸ ^~gyJ"hʕW^=vX߾}`BA9x4HBBB>W^xo*`\!I&''/^x۶mϗP(\dI\\\ddi`<3 b(n4=4:ɔPNBRoyt[yyE-cTUUDC5*$PӧOݻŋ&LMqÇ=ZII >bC^%cccSRR>}TTTf-P(666nnnRc!P(yibbbm--}zxxyEpQ6e˖G>x6z…ӧOX,kw}(1//oƌ&Mb2+Wf2P}%%%///77/_r8Tzhʋ6Q >/4P۶4__UVmP(b8((\__NY%N_13uq܊ ޻w@bƮ˖-+**"qD9 .;}I㠦O?.YD$͝;W  :Th$%$QI.\cǎgN&Ęhq8'N,]TIIIҵ' Ʋeˎ?fc" &&T$Ag\.h銊iii0ӵkiӦr\(pe9"Ql6{[nMHHo8p_~~:FlB4|xÇ,X o ,xJfӉВƁ$H#++kƌ^^^0ãӧk>\GG&2F"-g555VLNN6552p8C oh&ĀIhX}4VyK鵵o3f (es@nhI@薌_zÇO(++P(;wnnl6[n9neeO &&&MϊZn IDATdٟ?&Fܝ;w.((hǎ\ F:ϟ?K=+++w^zկ_͛޽{Kw|O>;wTWW'(PD ~VQQ]N^x_>Db;RSS=<<;Pllܹs_~m۶ >I%ךӋVZܻw/ ++e7n|5_Νuy<<}Z\\\QQQSSb$a1p8L&`ƍiii(11A)mmm`kk;wvEh9sظ8..J,, ^r\}}}X9+8qB[[;**f93B!ǫǏsrr޽,67'N7oo#G.,,400֭[JJʤIgϞٰaѣfΜ9k֬~iڵ!+**CCCCb)Sbq\\kvvmb1ҥ ÑL&SYYݻ999?~K]]ǃsHE/:qh^rss5j͛7Ծㆆ^Yc&MdhhhccGH*LLLRRR|ӧsr޽uuu .\paFF㺺</99&rrrGzYYY ӧIII-֞={6ӧPJ$׭N+A8H~'mYٺu.\ѣQFI}tRRo.]ϟORi...'O.**(t:}„ KNN?~Tb|}}ccc׬YsQ43pD$!C:u$󣣣^qFPhiiݻk׮=zhٲeӧO700XzҥKGϟkjj"""֯_obbr ?~bٳSN6llt;0իW}ZbR%Jm~ Hdcc#-ZMR޽  Ф:w+WFEEwD/PO5prss,--) Ą` F\\ҥKNٷo_F;$7@f?|@vw%%%SSS&xҥE͘1#((4l\ >|8qoPPЌ3'N0ڵkeeeٳgH*enn6*<#V YQQQRRŋqƍ?VYY5y@lf $[MMͧOBxlllƎURRM6V$uuu(d۶m:::oߖ_҈O>9Y,X]Ν;ݻ넅uٳUUUИk3곪⼼=z1Dhɔ)S"##ya9\*?Gq\o Qڶq8tcǎɸ~wnnΨfxM[hkk'%%ݻw&o#?&$$#W@;bH1QSScXĤɶhIIBVYY9o޼ϟ?y~%Ν;sX۷=B_#**rΜ9ϟ?&Q[X*033{ivv6)v\rlWSSm6$jUnCK.DEEXB~zȑDIiZh4ڱc=<<Ӊ3^ ]\\&MD@I<%o6r;<6O@ xJ Lm !>|ٹs}˗sq%F7nիASl9sz]]]]YYwV>w{zzK_G+&V^555=<}Aߟ8˗irYYY?IJJNMM֭\Ξ=KCC ³g8?[N?qĬYNA-C~iʕp1B۷ݻw-@_o߾=sLmm%KzXr_MOO KM" ܹ3sL ޳gڵkbbb***$.%۷ϟ??|0ϔ#""" 8qB |8 prrJNN / -w-o'O\xmۺvcǎ}]p!,,̙3E\ѣG"CnΝ}=zŋY,rדj~k:N>mdddccm۶g{7o`Do455$-444Ft;|}C$Fp_|:u*`ʔ)TJ̟?_UUuܸqp$6lyS5dȐ_~.ƣDDDܽ{.%%%RpkyƍÇѣCCŋKi]_~sqww/++بEERy=nܸƩaz<:ujȑ0t]vfeexBZ!WLmm- ,, &*͘1c…l6Fr ͐Э[}:ujǎ} ^pSTUU%.O!@HHHΝq}||`q&,$ss'O8;;رb)**h4ػq e=TUU飯PÅȑ#˒%K.^]VV;6**$>|hv+,ŋ... %455ꈎk}[b9 ͛,X@n 78P*]+|, O>Ñ(bllرQݵ'N8tP@qq1\a@#?xsqq7o^dd-[nybĨVnR qwQ.]Ki&q'6nDy6o@||WZeaaq…k׾|R_EŰ/ ]-(D6zzzᖖ7o$fg6Vow~X...={\t)o߾ܽ{7ۗFEDD,_|͚5!!!233[(3#^oݺ$tQVV}C222.]DB7$*-O4)11V_+̞=VMt:phjjnݺp8KԨQ޼yŋ۷_j")f ҂@EEE X[[{zzWVVVVVCҩSs˔X 6.H`0К&Q]ԩRQQ!e07(*] hii߿pر=b#G9r$Tcƌ8p[ @eKDTbakk1qĨ(GG/^3fpF988L>[j߿ѣGZZZ(>M(J}p911rّ 2[ffՅB!J={9sƍ's999z)kk#GΜ9&Llf 4(""FϟoM8qƍˆ;wرcԨQE+g .\c_̙ZSS3x%5lEEEeeeSSիWQQQGVPP***M?.99Y$XǏ=;DYGGG55E͙3dۣP]]*n*DU'n1†vL&ӧOyyy?sΕ+W\]]u˖߭JsE$ T˂Ƿ|\Q`NX,H dwuurʝ;w`ROLBƍw)tn:@yyX,;w.N1bDϞ=?N$III(fWWWÈ촴7onݺU[[l xtȑ#'Lw9Xp֭Ǐ[XX? L>q℉ɓӧvuְ0YYY={zjrrrVVV~~~YY\ȫV 5':lv]]]mmmuuuUUUUUݻwcccϟ?@*nqqqv 0ae6nݺ5m4---餮 9wN6IIIIUUN3bWUUəacc)͗/_\fNաNC_,{лwo&,^Dr:@ž@]tiy?ڵ+|-d7Ozhp[UUvuurYf͎;_~YحCGiK.  8㹺jkkg 3|0g+6֧۠ht:.***hrZZZN4]*5/ׯ_?voNJT]jX4##cٷoߞ6m*Z!EA@@mۼz''|Ȱ}|c{(?gϞ=tUU UTT=y왁:Xi&-R|jbXQQV P &<}tذaMV"GfffK,h puu3gNAAӷnݪu˗/:4$$G˗/DMO:EP._|ԩ .?sӧO ?QRR"ܹs}СC 555%%%MKI0ɍ\ 4 U$lْ}2`Q{5JbUTT̘1ݝ-[lէOϰABBBJJʽ{߯CbxŊ7npttz?޵k>BqFPUUR\\w]jjj &7@pM]7660<555..ɸΫW<<<$2۬7$:rSRRB[cuuu MMMMMaÆں_$Iyy||<̙'{ܸq:uuu$aPkMM߿/]aRSSϴĀMdooOR%&3)?w._PP +VL0TUUId%T6 E׮=ző)[TT srr FBշ3f̠RfͲp$Umzxx8SLA-lTakѣQ){ рZ } -9]]]77!CH&MM;}zyy-ZFUTT*d2aUVmذ!1169ǏUp[yBb2pEwr zऎ~t:$  2y䌌߸q6Vrvvb㕔V\yڅ 51q)h(Y ^jVVVJCF< n%FGk3o/$맡jժ/_ٳGVKKٳgg˵*++wﮥ5eʔaÆӧ[ILfHt1c(**խʪIMyzz^^^У7pfD] n޽޼y߈tQRR255e2 o>|8|;wѣ"<~x%"NmmmmmmZz2JW,(sڵzzzWLJȷnŰaÆ fmm O [C_P($.CZZyٜ .ZYbdeeyzzvܹцInkny!13QLa}zzA &9 !Z¹sϟ?~~Ixˉ.b%\.۵n -D$/^}@B4MB" -.w:/^}חMG go8*⮫A;嚚x0 DxҤI;;; A=I# t)o%K @7n諬ɹw^dddKv bƍOGGGCCCfK]]:43Q%zw"2qTWWWTTTTT\vN ƤԨjH 榣bP-˚P3&M:Ã? 2DZY>}:ydQFI,4p P(z:x-,,455,Xe-C8δi?~ݹsgb ! ;GAbuNF[n'$$lذ>Ih7 Mu/b.Q)>Nߴi S˗ܬ  i@FluT :'.jCrQUTT/\.vϟǎ C(kLƋ&o gUUUNNelg^ZYYPvK%4hT ؤҥ޽{y<޸q(La˖-֭srr255E4Pyb$*JOnyC< R:nllO:vaSl;;;ْЕ{ ɯ B)ǎ>}|;/ `:/$I4"UI2!lBcll_`РAƋœ)mT%Jv^BѬY)SDGG[ZZj:R#''K. l̑I[y\awfJsfffVNNN[L&KKKhݺ F-0B\.D^BS4$$ٳݺu;q℃DM? pIchDL/[r9XK(MMMO8سrtSNEFFӴ fGxfަ3ѳ7UlBPXX8qD???׫¨V^M]#{!p8[[UVPm֖xzzx<~/DTOת*5-ZXZZ.Y]q%''oߞY689^I>U aX]t9wܼy._L155h:.R6k֬ &DCRaSEod9*ctHm 5PQQo>:u*<<͍bk춥еf 83iT1O/^8zhXX؆ 6͛7ϟ?bnn{on3/ݶ(RSr***rTVVs+**BaQQݻwsssKKKB/bXXX9::6oĄN f7 5G]g16Ʊw[XX/_|ܸq#OӦM4hPΝI|T4P۴ cUof pСڮN=z4p@++P:t>mk(X,hwz ;;;M B9{lhhh{r˥b$[#ITY$U$D"ʛp\*ot]rcЫ, h̑Ȫ2P1*ʨcǎݻwojVsssڬY3nűm:r1-' lTlk:ԯ_?~yҥ 3oPEAoƶ5 T~cy oԓ.bf2֙0`TI@Æ{w (*noN<ٽ{ǏwA#a?~$,, Č{mc x" _%a얣g޽-,,KP(Nm۶6m0owCctezU8BpMf?5娼17ZWhXXnIڙ~*p5n`;(zʕ+=z8r}_x1((O?O0g$E#CK#G;L:5̘1#;;{ժUjyСCݻ7l0+++IRŠ‡"~ R'>ʛJqƃ%fehy#ﻎTKK*zzzZZZ_>&&Fm?ǧk׮y<s:j.ªfbǬ=DEE۷/'''55Um>IZμbC#ImKH_w[3k:Y$\jпTM-#fZ\8~^zmڴi?T*#""hHf|D3]aYe0'>}XXX 8099yĈ R;w BBBlllkV0@av?m /PB uFj`6Oud.]ruuMOOwssk`/Ν;{yy\>/iD1`)iҠKOTgggssoΝ; .l`bȑ#333 ּysD1rXQT*єTkP`zq=hMq&۷E嗡C6H_|g9;;Ѥ})PM(6ݡCaÆmݺΝ;;wxdh$i@wfgm:VTH[B1ΊB[n૯s… W^ܡCf!Iև&UþU!lvDDDFFQq7o4hPǎ\ln5666ԶEjgMAު?6Z16@S甮䗕cǎyyym۶C%ɘ1cΝ;7dkkk3qlBf6B!98}  ϟ?lH^ IDATÌ }CFկ_?(m#I2ǶQ{'HB{7T>mdd陞nmm]O|߾} e]D̎$Th{@ sB:ׯE߾}wRO\lٲe˂lmm?]ID MXՌ:*jG}ҥKjpw܁  m̱m*T=o=l`X͚5^r%!o߾5 T:f̘ݻwmninnNۜ27n7ٱmBtE:B޽0%yMiӦw}׭[Ν;G ҩEt:$ָ)C7/}fn|>}۷o~zPP?&_}Qppp- }IsZdy#Sf:MT '_r%xwիW'$$8::҉|̼%jh-* bd> U\.ٳv튈HGOOO@gaagw]*&I( Mm_{S-id ܹd";ٺuk#^D# !XUĴ.g)|Ygg'NtڵQQQWT60bEAtL&EB%UTTTzz#G軕|2** nUцF:I68E}||nܸѻw{1mݺu~~~:u211Q1I1A(TdbJO8]^^ʕ+5kFy433cITZ?mu>QA%QBlMemmmeetR>A_urrrXXl9s8IH U^FQw A%6hР^z۷ ""ݽgϞg1oRsh ۫P6ۺŋ׬Yŋ#FXXX@ަcΦ&BoGhoZ+`kH$R]QQ! bG8@ ر#\)."f-fه)҈@´ipf BLHT^^~Jkkk___86266ƱmRt8{T&kA###Xܭ[\Lbhh-n[h$Aj ]\.YdrMLLƌ3{x8fKHII#輼w&e9*utxX,J͛7H$0=݄mC 8m>n6⤡D"H$zCi *ۆ G ``P`ظԔbeeEu6ñmHCacT\.xU8f;f-A DeP\A\T*d&&&p#$H4#z%JU *Ċ7Aqp9b#\Ab@ \8! =3IEd2@y'-IV蛼U#ѣA@lfd\.>BY,-BmRsPDka1zw odJgjj Is)v$AZ R٧O'#B0ORD&&&)jn߾~UgggBСC wڥƾo\bbb" {ـD0 Ǐ?~'lڴqڵʳgK.7رի ~tHZUSH uFC"##w~e?????߄1---55fܹ_}H$*++k۶F.=t迼B:u`?bggWRR݌*++.]t)SC7oCF.,V_ ' ׯ__XXXXXŋGJR//\pA$͙3G" IobX,-++޽7ou6|bMLj ԗ&{Μ9 姟~C iݺGQQњ5k4# R_b_T>zұcGz0??_$uUsq!! GB A&@?MG 4MT>(AƢEo-MG,ɓHhhƍ5 HuaV,,,*++5 i[}ZjrŋAAA殮ODh G7ڵk,YsÇ;;;'&&FFFߚ AʛSX?}0xfͲ:t觟~zQ G&CkT-<[ϟߥKZsppήPGv튿sAC4#-[6~x899xh޿S"ҤiWy!&&F ?~ҦM:'O())`< Hc7 ;ҧcǎ`0 H#7BHJJʘ1cqYYfAA(o#;vMǂ 4m׮݅ _>bĈbX,B.ө. uH6i.\4hP\\ܦMLMM?'J$T Bo =7X,޹s1cRRR&M444ܲe_|xED"H k"ACߜ6*+V:tرcNNNȑ#cƌ8aٰKq :^h,ѼtŇnѢŇ~ہӦMr\.ADП$5(JH ,--Ϝ9m#8;;gee]xqܸqbd& :,ID,gff 6lǎ\.ܹsC-((H$b)h6A-t^ުI*++bnj~Ěݽ{wxxxpppVVT*E .ko +++Avqȑ=z;nܸe˖:144M  w-Q1I͘1Ç[GEE&$$&&!h9Zam/GP(._\mz왙yرI&AS^Ng zNH$uVpp߾}ڴis%D2bĈgϞ&Ԣ 48:&oHID"#Izz×.]dɒ-8pAAAo;%qh6AZtZRHڶiӦ~)))SLYzMA0$4u{ܹs믫Wo߾Qˋf UFԶJ$YXX8n8>jffHܫWEbwJAmCU իWZZڴҡC+W|rԨQ/_c SADKvyݶ cDN9s5k c\]]srrmM  h56Б$%%e{Tll6{ݺuNNN?7!AXD,Zn["?ӧ:u !ĉÇ1cFtt4BQުIRׯǏ/8`ii?;w\ccc4 hZ^#ÇmmmO8UFܹkrrrbccl  hHrҥ͛7&3mĉ666=B yS%Je2H$ڳgرcɓ'k:Əahh?;6$$… aBZb$M",_iiiNNN=z4&&ヒ!A :Ѽmm{ͤI9ҢE FX[g̘lb``fA$HIXHssgꜶB>˗/Ǘ*%MAԆ& ۠& [%IVVVHHȰavIgϞbVk:@A=G3b$m<8z'&&j$ڵ+222(((336 AD=h`R۷9rGjQIMM_lYpp0 MAuo#{|鹹[VsHСCmmm=z4qD B4* Hc$6#F( .蟶nnn׮]KKK0aBYYRXDip'o ltM"7o۷Dm6m\trذaϞ=N& :zG>rŋ/])LLL?`۷oK$4 4n-n$drrƍըh!۶m4ioddfAw5޻3$mbbgΜqvvBΝ;-Z<D"f9477Ĥ-?b`~imqqqׯرcY, xLX,DN  u*&I(H|rхW^m߾} *&&ۃBe2YMpڵ[la:uj^^?`^^޼y!Ν{ }Z[\{ӧC*% H=i,ycvۂ6Dr޽P77t33ھP(=z˂ B!|'NxyBȂ ڷo,!NNN{y{nݺaȐ!EEEH۾}aÆy|r;; ۤ5k}ҤI}%(ʳgBNgϞm۶͚5VyÊ Κ5ŋ;wegg̙3bn߾-Μ9nݺ}N4 N6ҥK]v=z{݃d8(A4nj$mI$UVΝ+?C.667or!ҥK;wO?%B9~С:$''MMM ڴiύ>~ԨQ7n5j=i&'&^^^;vTyA۶m{ٯ_?(Qlܸqaê`ggw͛7Wy>} v933cƌyJ.\C9 IIK.7n̙'On@)666*E"}c#,_z%[jisP3cm=zT}2lܸq.\غuf0nAFMHB$o .ܶm[```ƪͬ^z߾}oW^|yrrr޽\.5aA&]mK$Xǎr_ʪaScǎEGGϟ?ػ AVQT:rX͛I&~ 4qg̘allp P !m0$4i+((:t3gm999IyA$;;;;;Ν;,L+VHII!( 7nB<<<\rJ{{{//lgttt~9\.wΝQQQ!!!YYYRN[͛ߪ|BHLLlݺu6m-Z,76ػ]VV4Ǐ:A'O=Z ܽ{jժ3g8q_VyZ3Çoܸ~zΝ; bӦMݺu*v=nܸsmݺUZPPiӦ;w;V}z{nBȕ+W{!&LHLLܳgOff&!ѣGzɓ?s[JLLLJJ9rdzz:sǷ_~aܰaqʕ'OرnDA4НmB͛7YYY͚5{Y;v,44ɓ~̙3Je<==mO–,Y}uuMT:99=~XT]vŊJSNBJŋ{왫+|i 6mܹQw)J_zekk >2}Bp̙;vx왻{YYYΝSLٸq5ko߾}-[8̵kjP۷o3?"H.^hmm]\\m6Rexٺu Q!qX,V}3AZ*+J\*P(fϞF?֭[9dK,6mo6slO<޽{qq1!vϟ?)-T5$!n:*fN<1{rBȫW !O{KXXX}pi IDAT\u|IbbiPPжmbRzǏm۶ĀRyL&G^|rGjKRR҂ ,,,@ &&&FFF\.:RkΫW% ܬtqqiٲS>}WVV;vw^ccc5 Hu`MQh[YYYinڻwŋǏߨA7d2_}1cZXXXXXkJ>\.@ HkAônZa3F>EeggpiJKK_|ݼys6Fl@!ko, ZBCryUh""""##6\#uÇ..."(<<X5t H-U\a+E``7o\\\T:1R kS ƍo߾}ECE+H+** !Oٳ}MLL~FFFpcA+!P v_|>ojjoccvܹ$00pÆ OrJAA *S啕1ӧO߰aCsrrrHHWJuDCyCN7IX,P8*LMM|>5ѣO>[liX.\e˖/^8..ɓ' bʔ)۷>|8 ]|]PPH$Zdɵk222>|HIIIqpp믟?xEBٳg-Zl5cgg[nupp2d ˛0aŒ3vU/P(&N8k֬Ν;oU $<Oe~7 HujQ (KO u9((hSLkׯӧ D].43c`U+cfaՕv̪-111gϠנANBIIIvv\.wssy&HP(|ﺠ\.ϷG^z< F_YYYªO6p8 AMH=0B{P8T* E"P(|-\yy۷oA^~k.P_&( ??m۞;w/ajŋ~~~2lHB6Ԕ&m`UcFD@y#7 i\EEU8*r4;}џ'?Z7n<# i*I$<LP6Aji(y#9pTRX,B&p۷oE"˗322\\\$ -^^^NNN# u6 C7!RCPH%Ձ,xlhhR@Uwfff}ݱcGHHHC,^xʕ666|[ԕIAZ`F<#𔶩CALL̙3gΜـhR/8uTXXX-TjTޠ#1s,j HhHy# cn`Ǚlmm|~RRRvv-[h?( ,,,,|0Iґ7`$AmCULP(Rl͛ӧO[YY]޽ۺukOOOfIRm#0w> \{# QlBp8rAƜUFl˗/;;;8qk׮HOO>|xϞ=u3(HҚ$tHu R1?fNlnS:O>nݻ޽{ӤX$%%͛7oPzUO!oco6Aq_&8C kquu577ZhQBBBFdq>|844e˖ЍS%un[*PAF_ݡ WiB&૴ .}ƍuRWZZP ?ݵM6Hچ Piv|BMʫ())9}t6m9bnn8Çhiiٯ_?W0$! A%D UG\~wf٧ŋ...'N`5BΜ9ҽ{wfަq$4I"44jlzC| Q_%Я_7o}:97o2ewNlxtݶAu' ̥8a,((;vc8 bʔ)۷o jժζmC# HXM&jAuE ̘1Ν;VҒ۷ Y*^j$H 4  SuQ2[ 3%088855ݻ|>_#S |}}aii$m̼ АAѰzwr\RH$1:NI'gdǏkNS_r%00gϞt HIid9I4QwmbB߅9dbdee;vCaܹ3>>_~]tyo Fa-Au4n p8Rr ! B.?f__M69Rm*č7kj1FFFPW,H"790G&,K.|>os… ՠ"hȑ!!!VVV& 7 -BrT*aN*VVVbPKqt&'Npwwߵkk^x/Jlnco S$j ވV '@b1ӄ۷oϟ?ohh'4F`7no߾;Fl#%q hCq $MhL*mMd׮]֭۟ڰQ8p ::تk$!ocnn6A]F&9]\@ ׯCCC*ŋ\rРA666NI$$Im A䍼k6aS⨶18GGG>?f̘3f̚5aHؓ'O4oޜmb Fy sa4b)\LMM׮]/Ӌ\ZZ$T:IlF ADh#4HRT*HD"P( fB-'B̙3iii͛7lٲwT̘,H26]Ra4 :Ak 0hwJDeR]r]C㏨=ztXe 6hJ#IA7)a&!1%Wݻ={kYk׮MLL"'T %afEA4JxT-@P`ÀYTTԢE&L𑏐d_[lI7QaSOM Zn*%S9U68noo-Zt7[iiippgBBBiF 6p3m!h:H&pv6fE&P(|ӧ۶m{a {>zh^^^?$.ڑ h$AD@k ѡ `p̵7ftˮ'N72m!,oa6T {rb,H"z.oPI{NB|CA o7B>/2}vvvb0`W_}A6ass+V={dgg/_\Q! j@f+Vϯ:uUnݺݮ]/RTTߪU+77+Wh:pA購B<<ݼysBȧ~uűc3s8E,T"(&otM&QmDW^ 5jԶmی[hq33|XLWLj  uC X, ?f̘ 6̜9Oqܝ;wFEEfffb4AD(5ӚD"H$IIIw>z!555..nɒ%!!!\. PA'1荵jL&H$eeeӦM{IfffVMjgg;aH 9-! :fI6X#Fp8 .Dۀ=zdff'N| UVVADmyƍaaaƵz֭[_xQP1ӧh6AEtXުI$P(LOO5jԊ+-ZT[&&& y&l@ ˏ*@bM:QOٶmɓW\ra&l6S"訵iJ"TTT̙3֭[׮]iꫯx<A;% ֢c lPXXoiiw^݀<~8 G-a8sAfoDުI*++E"ݻwCCC=Fi߾իW_x!Hl 茼1$IRPxԩaÆ͝;wՍW*433KKKsss {.N)p koTT$)))k֬ٷowc```4tеkl `AD{ЁM$}wϟ?SNxػ Aވsl,IҢdzX[XX? <366622"A((oDTvY<ҥKFFFҩSk׮=x 66z78AAKC&GFF~7?t,--O8aggCTvJAAM$mBp׮]|MJJĉ5#!p8Aq3* к{$bxGMKKsttt=zܹQQQh6,|ֶ@",FMk$)--4iRii#G7oϝ;wg̘lN~0jFjr0 5WSh}4{tuuݲe^ JJJ277rػbF]HQ`iTJFvlB-7jX,̌0aٳ5cH$_~۷g@PzP*QkJ24* ]h)uFAT:rX,H<8o޼9<<\֖Ennn<vTflF佔lCCC7ҫ7qycIhAR"]v׮]Guuu`xu[hQhh(˅!h6i@h\Z*,,422g>ީ7ٞT@$YVV6}ǏgffjJՇH[[܉'Bz Jx*\aRD"tD;H$B!m&zEّO>1bŋuWۀ=z\v-##c„ o޼MtKv6'HL5T*9p&zGT*nܸ?u֗.]" >ӧb;4 ԋ-c***4ByXzQ3 IDAT7$P G^|E|allܼyŁagGٛvR]lGԉZޔvII6mڔ|޽{3b,Y8rUVp\B)J0u(* 84bIRXxe<>ySws̹uֵklll=z}XXX^^^\\ǃ)k *B RTA! Jb1˥5ҴP%UH+%b˗G~իW[OOϫWN>*lRUnB畦BmZQ3.oՍ$0&''',,wGо}+W=ŋ&uZ#Bށ6!btPHqyM ӧOGEE͙3ojE933cǎ+44ݻÁ+ TZ˅mP=CmC4B#tۢFm۶}{ӵ5k899EFF[LJ^i>\~ ۪(N!cD"т Ξ={;6G _}UN:uԘRDGP;P ޺!QcۊJeVV倀Ο?XT 8x* Hh૧6MDFFvmL:v옙ѣ/իW=n HhHyI… |ͦMhOabaaq;FDDyyy#,Z5y×/_FFF'O yfmCjl&M{nP9 md=_vvvvvԹӧs?W^!\l݉ oHmБ$>>rtt/\eر?ccc֬YC9x𠣣cn>|Hpvvvrrڳg};faa1mڴٳgoݺZn߾ѣċ/BΞ=h"BHXX룣mll)JH۾}aÆyAsqrr~zml@@s֬YdPi xܹÿۀ6lؠϝ1cҥK>s΁D.|W zGNWB-^b$$򢢢7o~͛#N>}Ͱ_~_n]߾}'MD˗gBԩSٳm۶YfG~O?tO>𨬬\lѣG8wdgϞ\/^B>|xƍ˗o޼noO>sN33l9s0~,Xt:|eGGǬR&MBB¬YO~BH~~]bbR,,,>|ѣ;wy搐ۧB_zjBHTTTNN!$'''66rJ{{{//lύ5kG<ɁǏ~" G`P3zGXl֭C r uFvՈ}5y ?$BA(e S*ZEъuj[L\UnDEd@\i<'!~9Opxxxll,n`ڶmٳ(SSӘ?dȐׯ_߿_KKݻ?655ۭaϟ?_fMYYݻ^:p@+++goo?wٳGf2[nMHHСÙ3gu떑AlffiӦkyyy{ʠM6ٰQ\HJJۻwﯿcŋNzڵ7o8qB"=ztĉɓMf… {]~޽{VVVSNؼxԩSn)))7oV߷o_DDDHHȑ#GBǎꫯ޽+.]pWD\*\UTT,]QQQ}GZz7DDI&MuVj!tuuoܸƍtӵkWdo޼a0EEEEEEq.]?rrrڶmPՉ:hddx!X\TT$ΝK| ww"??p6x-H6i.]:wŋsrre2ٕ+W$IzzzϞ=EL.]<<<۷oceeUPP  tzHHH\\\hhhRRB(!!!444!!{)))UUU 獍|-[BBB>;??! ?sӦMSNQ[9•YFFBhٲe}lll^}5ۄBH$WX6bUڵk'O\`ARRRJJB3&HO>!$tL&wqqq100]W*?!4gΜs >W^"OKNN:u9s>}e˖ & B&|FM6<ޔmhTVڶm͛AqqqQQE@@BK.!O~Ç,8N'O FΝ߼y#UWtt45kVllΝ; С%.sacc{^|977NNNgΜurrJOOW[pe׾}{#---;th4MΫjܶwQ {{y楥s<޷oߡCB˗/mӦڵk훖#ϟ_+۷o?~<22rݸlޭ[Bcƌi;@s /|~QQQ~~~fff~AV{UUU Zrss?<#%%%L&+//TKJJJw_z%# +**]?yyyvvvAAAϟ?Cii)ΫKUr/*((@NNNRittt:vlٲFj%Ϙ1ݻeee޽{ݻwӏ;V3`dffx{{{ww:;;r@W_'kN.999 4H(t|̪Pss={P7?~So߾Çw~޽>}|7|]ݛrSS]v={l޸b\.5km߾}?~\ !tر߻w߿/++Dx4_u{ hH$*///..;{lN.\d_@  8opx?yfb޽р;w3&rwoeff$}D"yymYUU'{X%zg~D+B+ ^ry'oýy&((h׮]0\-Zdccd2L&=1)`0GPPuuݳfRӧO?tЄ ~߫/_!fzůckk;~xS FkL߁O!S\ OZ[n+4Fr9"ْ+@h4n߻wի Ķo6665q hѢGy%6nS\\M# \;wH w &`h{ßEۖ-[ƌdɒH7N*⵱UgCwޙxFɓ';wQU# D2mڴ/;w|\.WKKQMgUVYYYiiiỽ{~-^~433$jl֫WITTT:vX6m \.fXSMP=PKpd2++5k֬]vԩ*'N>}+V>}NN-[ӧODDD[nݵkBj:uTyIb77oذȈJ=Q-,Z?w<'oH-++m۶y233ϝ;rk/_ ԩgjx5}Q׍ԆP(ee#d2M/..u,bqƨsx#v$GGG_~ãDщ oHӧO!PsvvzS֭[  P5ז)ԥT(Djzj̙?Ӕ)S:ٳg}љ;wuev"##{٣GKKK.;lذ8c޽###߽{d /7n܃Բӧ?:zD"!w?eڴir9}S;>8͛ǏO2%>>>...,,l˖-uj}校L4I&ٽxB%-Rdd2\LyѢE;w\zuPP\BuYZZ^z577W?k )ץT(Dj:;;3f,^XU… ꝫh۶\.'X,֣G.\ܹΟ?PT]q8M66pEĢB ƂqƙFEE}vƌfͺrʝ;wrrr;vL:pڴiwIW"9boo(_u)\ok׮ŅEW^-_۩V•urI 獉YjӧO +7 La,--quƣPd=zGTBiddgbb2^\R VZ奒Wcǎ'''7?3 .͊rEoRo>##q...YYY;vw'NwWOHH%&&\'GWd]v;w.==_~W] e'Oܷo9Kqqqnn… ;uСIII?>cI ^rr]~=33wϞ= F;` o4Nt&ũ4tPz"*PdԇNlZձvjiif/^xҥ!C(#I!t:=!!… ֭ɑJ W]5悔ccc$U_*^5wĉZZZ>>>999}hjuo$t:_8q\ӳg#FDEE͞=Q"*ԇ5k֤IB2L 'R~r]͛7 µk׮\2-- ɓ'ރ^^^:to,li*ձtg>!!! ?rpp I! Qꪱ8…gxyy8p`$_Wx UknԹF"lpGWWW___WWWGGSN!!!Na1$$$t:rHOOO]]]GGɓ'3 \ΎNヒrss| BԥݻAN:f̘m۶3FKp_~ݯ_#Fjkkm}8ouu%DRQQ2>UJkxŋJCWFFFX?޼yfҥp z@Wuo`0R)dX\./Cq;700uMrS-ad76mǗb[nũ~iƌg…|>w)t\B֬YSZZ*Hڴirrrȋz߮P]gcc訣t[ӭ:w@ӭBƍ:6agg7a777={Ҫ,x<@ HIIaٳf 8p={']?S^5jym΋/oݺpT*Tnx4% veee|>_ ?z())[̘1RGG/%7޸\.8ȩMJ^]>Q TTTqZ~?|O#;t@}J(jiir_DDĐ!CjsRTMJ|;JRP+|>,S-כ׶m[2VTT|vFejaP]r \. Iv_t:<sǎL.GEE޽; k׮:::$I]]]<c~{!~|B ߝ8q"ϯelCJ+i4 @t?<~(޺1Zu O/SU9$7ȗ/ݻތ3~W:V Pccc<6Ezlzzzڸ߆cxSX!ުUڵkVjV( TL&F^-@V@صkאdee:tVyyyÆ #F91Io)<8Km > !DI" 1 RƑ d''gVw6gϞĝ6~^}A%a|Q=AgHO>>>׮]=w\-j'O?ښD5 o5:JIH Mmffe˖}:ÇKppɍp`u M5 )%Gnp.]pppjjq= ijjOc#\lcX4 H@],!J KRF5𿾾666iii~FJNN svv4$$)MVwQexCJ%Jjv?3`#Gཀྵ4̆ bbbwNmN$ IT%لD/߽Oo8ggg/̚5KRD2eʔ;$NΓĝ6H$=u5}MC SN6AX'@*{衯|l߾l5bߏ9Ȉp" ld7H$%oIoS)BBM7E/r977xM 3OOOcc@j"B$IB"I@f^CRH6!}8TѧK% ŋ*)]paĈSXMvpNT۪zu8:N6sŋ#Giӆ:߆k%$dKRض!IkjkkKRTneeT*֨(b#7`Kf'dfƼyΝ;9ӏ?>y$ԸzСC\nPPB-jM!Lu7EQjiibpgB,WUUd2LO2b33R7̂>hJM|?仆lZ\^p_~iiiM/~o>}ȶmJ^ ۶RΔfKRXL'J% pڇF8`X,VD kjL6Q)d0Cu떝]RRRٟrӧYZZI58mS9<&HX,T*WH,J"TUUIRPMERRa7acc&NhѢFj[ee322BCC۵kG-1IHd2a۶ L 9֘lRYYp 5Ӥ0))ig٪mχ󽼼 jEH$̽Mb1^KM+**&zzz)))ƪjIVVСCtJc#\.^܆m$wBaN)g뛑ѧOt++7#%%eԨQ6665nmC$U Ԩ7N( ٕO=ݐlذaɒ%ݻw'6j[ '$4(&$zDu$9;;;}}QF/gϮy%ԩSGٱcG IRml$4tL2ړVI=z_bŃvAE%%%~~~߿9r5$8jb,$@bM8لSdsΙ$$$,ϟ?wwwo۶5Dߦm$H-A-)$P$(J\x=z).^Я_?jı ǝ6V osrd75Թݽ{ԩSC w9oq777;;J m%۰mŁIr{oX&=9܁/---7n 0 00RKK ׍ԥ$mP-;OlGRAf*++===Ϟ=koop8d4l X ZސR j\.pe% 9d!dhhs8q8!$!Z.Mo݅fOzZZZ"=A$cٰmtPu:%Ped7B`D"J!CCCܫ#C$$@Q } X,#qx8q8&I$@Ki }:D,3 T ջH!47l`0$ NgxikkHh$L@K #& !d2q#ۿq8jv%AlNWVVVjii)?Q 6D"򈻻ɓ$MC̙3y<իݣG>|pժUm&`l߾}s]vΝ;6mڄyemێ5Dp?>;mڴ[XX\~… O={;v8jԨE3v۷ott[ so5 >iaa5o<ۓ?njjxɓ' ²Ν;PPkoG!͋Y,BH,^]||9s޽{7rȟLM4{Em'&&VUU9;;?{իBF&@F~H$&Nnݺ}؄Jr(::L&رC__׷cǎNNN7nTw4Tk/^@у<- ---.P {C3fZ֠C?^ݭXZixd77Hp 7Pr 7f@ZixhVޠ7f@Zixh6o4P+ o08 7fk zoZixh6o4P+ o08 &5`0RTݭFAv*B2 @ETuEcǎ5IR*--=rȨQ4P轡ފ:tPUUEaFFFjl7RKܨ 2bhB3f÷f̘h +H|>BHOOlu5ޘLL&7n6H1?|!t-kkku7T zo7\.;u$h4FSw@ Ve2oGR7:PAÛ\.dBFI$NW:4 Vw4HbDRUUUUUuiooxD"n5鮑%HR-[oߞ$f̘1m4d2r9Ֆ-f7d2ATTԃnݺեKН;w|||+Vp\ETKP88cbX,|7plCuƍ%%%aaa޽D;}-Gm8UUUD8:::;;;eee B<Z(Z!&Jp?ڵk'Nݳg7npX,f0jM*`Ҥ&JI" ·ܻw͛O<9hР/!!!3gΜ0a`h4|xС*9˹sF`pH608ZbxVW +VHIIIIIP?~=| p\6d2Y,p0h mI$YfǷiF'񣿿ƍ HK oeͽ)T‰$/_9rd.] !ԦM/o~ȑ/_&P ި$b'ܺu+888""b,f8|mlBCMYiXH"ȞmNٻwo@@@̙3&LXtiPPI6a2xM Nި$dLR$mذرcMܤ>|ԨQ?!M L@xC<՘HRZZ:D4ݻwÇܹ5kx<$o9Ͻ՘Hb^؆211v Ɂdhnix&1ĉG-p8'N1bqYR M@cV!I&%%-X`֭n>|_rõFqlP#D1݀T"ٓ6* 777GJ.dT SqQWN$ .JIIҥIo޼ݻ Ġ[$yyycǎuVsm.]ܺubرyyyl,›m? rqqQwLGG'>>%(( &)+F&==~Xnĉۼzػwܹs7lAF^M h8Djo۶D}'N4hxW &&Q@xCj o$IR"6@sڵݻaaÆ9;;hkk]L&jw70&HBaaaadd$xM*+--1bT*ݼy1 w  7DP#GZYYjFlCx޽{?SB 4oj[8D$eddDFFn۶M ֭[ Q\UUFդXDÇZ꯿j4 S)!r08,Qm$BpʕɖM \.lP-oi[۶Ϟ=ǷiӦL|_WW744jm|rȑ۷xbm6m\tC!!!/_]H7QI6"`_9ҍVc"INNNxx8źv횉IJ=3e^^^nnn9992ʕ+$==gϞg￱xprcǎvhhhRRB(!!!44lӦM ٳgGd2njkk󳳳jڷoU--H6Pex&m߿ Ӑ8qcƍ5>k׮!&|@ (...**P򊍍=pѣY,~Ȉ<ǏO}q#)~m\\ѣG?~-}7o߾?~mI5hР7o.^5QK366ڿ***Z~_xިyx @aaI333UHڧO޽{=z!$---qXڷo/R@(N8k׮F*--EJ:thdd+/_}vƌfͺr RR&͙3k׮aaaYYYzzzFFF<Z4:177|?|@ip,믿D=׮]keew^Peee||{.]MVVVdi W^ꫯN*Ht7o422Q~}yQffy~~׮]+˗,Ye˖nݺ=x ##N?~xݑeeesΝ>}\.ݻ\r[n2do߾*hӦMWsr^^^?~wވ#OxUIIIQQѲ+ IDATm{L&ή$Hݻ_zW"&MC&=yvӦM{챷OMMMOOwrr2dŋ333Gy&k!˺ZX``Y-Z(kbb2uT|kiiݽ{!djjzq=|p۶mϟwuupssF!Ϝ9ӭ[72I$߾}{ԩ3gܾ}[,+SLII0aѫWuF}rPuٰa0[lYbСCLU2n٩Sk׮Gh4Z.]psر>|8uԔ)S<==|~XXXbbm~~~NNNXX֭[B‘sss T!e:W-QQ&+V]vTm6 ͛7 !leeqӧO3ӳ*//}Wܹs񏨕$BE""""""6mڴsNOOO}F丸bXQA嶩ā֬YiӦCjkkkiiX,&Y\.gǎ&M/_&:411Zdɟԩ˗/*4iěD"qttܴiO?`|׏D">}zdd ɓ'ou%DRQQ9ޫWSƨ5\.駟6o__|mh46K]ݻ_޻w/F xѣG߿f͚o$5%?Ν;\̙3_1`ggg;;;:ޣGɓ'u̙3zzz Àƍ۶m7|3jԨ;{_ɓW>Ν;a gϞwYm !WXѩS'jRZbckk/LcǎO>\(:88Lh2uXGqr>_ZZZRRRXXw^>N:}|>ɳ".rI>kii_Сezzz:P(Ң|+rss'Nhlll``tuu\.uwCRWyyyÇdO>?~ׯY,m&g͚اO|rggl!,F oeeeeee%%%)))wMIIoFwׯA5tttޔׯ_3Le#H޼y#J{֦@xCh4 20L\̞d)s1ww<Ot7u@@fX=zf2L333m[$F߭ 66UG[[{YYYK,iF1116m ޽;!o2sd|"4uoe_8zfffaaav:x`gB"d2cccU$??!ԡCUrر7n5jTu(\.Y w@a| bR$ j|>ɝ={妤k׮Q_ç3WAfϞLׯwޭ# BaH ӭs@soNso LaIu7 lÇEEEݻw3gNQQQqqq ROƏ @P\\^Efnnh"\~ܹŋ4ӧ eeeK.]paRRH$R+z 300}Ɓn3J Ex HH$ 8܇+//￯]v!___6}ʕ˖-۶mD"011Y~IȂlCCCLv̙OoYYY{sNaa3N>;dȐ\l144ć7o]l _Nbbѣ;|mӆcɖ$ou(k$ &8fh:::x<>j۷Ϙ1c֮]ڦ̜9d!LMMgΜI-&ҭ[7G~ѣ8LvD޳gό 7R8HFFƽ{Ȟg*v1cG5;'bs%\sNk )|Ԅuꫯ֭[]vJN CKֈ8qÇ7nܸjժ8@P\\*..&NufbxgϞ9r Q;mx 'hiiM5sxC/V!F:t2xġ/rss|Wjjl``3mg޵kפI,-- Ehh?~5ouӧYɓ'iiiݻ]\\wNuttX,kv<==uuuϟAJJJjj?:99M0?5Hi#I$dҪ54H j7&|>̼}ɓ'媍ׯ_w~Qyy9uf!d``Jl9^௿$mdb 50at=o8G8*RtʧO\rڴi*y-˶m,XٳgO$c.&'Ȁ$o;oރTdchL',Ahaa,YM6ղR̙3;ҡCiSl#IHIpbԒ"^ߧO'''p-<2m$@é22 / x҈Ȏq >>>7o?~jvtww/o#նdԛML9ӄ^wsZjfWrO?u҅$IYm$@8>d8iR^^^XXlmm}1mmFjXFz𡷷1uնd$TP7ᔓM7(++KKKJ:uj5\///}͟COOnݺyxxm$JԊ$Pm [S7]ʥ$&x믿5JLL=z5I lMI 7لb)&RR `رWK˩֮]믿S]]]< ۶@S,5&dݻw^^^wfXjiX,QuHo߽{ĉM{{{Kf*ɐHj,)ل8v ;}}+V|۷O={$I)7$ $v%ax8 mj ͛73 J*Μ9رc;vĝ66oc٤ն@6Dv)E+..NII155=} GKCCCmUx@m4ZgxCN.K$⨵ .ٞd62&%)$ o NJ6QjwQG, :wqqi`]קO'''ɨ$mA" 44&~졣c{NNNN<o6m0aBϾHwww "Ommv7a8Dy8:j Nݻ7Ǜ;wnVVիڋ ,ؽ{wPPP.]H$۶@2gklB4)///**JJJ:v옎N-O$Fcccm6H$4O0ZJxC5m]$$--M*;ws_~I\]]k,Dm NlB2*&_kkk}}.++kҥ \tƍMMMI`#]7\j Z:>KS(5CRRSll,AUVVFDD\v׷m۶ Vm0h` jJ6!&82%%ftoooHMצ6ب I-7ԢvX,D$w'Oh1jx#$IZܛZMj̥ Ws玟9#$m`6hZvxC5mG]3@dX,---H$H+~Ȁ$l-ZoNp$)nb!dhh`0pV1t*Ԗ7BdYa7lXÛX,$ $riNxClB!soxJ*" pc82H-F7d!q qǎD'M4^?Û.zOT 6H$N7CpEd26@cN8\d2]psu}`@Z:Mo进 h+Y,,fZTBXGR!s%h4?a Vjk @FLhVh6o47 J?+h*޶lBΟ?O ܶmi~xCDFFM"vWxɓT7иqB:u֭ۉ'Bo޼y왳@5ZWxh7oJE&Lзo_fyTlxⅹUK7<PkJ6n8u7@#jX4|šV{ @h o47{ӵ|O.HF]$.q9Eֽ۠)ǥM()*/-Up^VVA*%IQ$B"u2=?:L\rgv?̞Y3וּk  dƛBD8@фΔ*++#vz)i5NO?d0|}} `8rִzo;vt&B[uQv@kZΝ;ԩ @~VBΝN/ϝ;W@chrJfBV-((0 R7 !Hyzz>8 l8|@p f:vqf͢&Nl@uu @%~հk p%w<hS|@ 7gv]^{*uCjŘBB!BoB<==KI%Z$P^fџ#.҇s ^4RP(O"uc@b;vyÕ1117n=ҪEW6DYnHl3fpGHF{f4xyjh㸂ZRT* 9tT+=3 %%%R5FZ5$iY,Hd2Y,0XK(^>}ěϗ%ij5&d2uGէׯt:Nji7RJ4XZZZHHlʇVNnVjZ,FmWVC?&!xgG9:jE\j=&f뽑ؚRVu^RMyBm4ޤn c3zA5k&uT*R|'W;֮&^~Im6:68l6wJVj º,&Zh6cA4f7h4V`RÄQ x8P9 Ps8F1i7_g 76IvJ XZ bLNd2jBVIUMKN#<F7G{Y/|sb"ۜCߣY7h+a;֠r. d[zzz#}u,ׯ_ nݺ%^J[n~z~eݻw~)o/nڴ\lWnݺuԨQh"qTTT8ptuk?UVrȎ;6l0t}oGmժUrrrppp||U?cӪUϋ7ׯ_xBHAA~-[UV;۷ݻwߟbŊuwwކ)SxzzΚ5kԨQ.!n>}^;~xΝO:3~xR;=I9rd׮]*jܸqǏ0aB6m b4[l9l0m}]JJJ?z/ORnZZZ ??~aΝ; }G+|||?sҤI Vr8WRRB/lْjٯʌFGMQT-Zxm֬!.XGiӦ !8{;vشi !]tر^HF=x˿qW_}599955O>k׮ݻwRRҵkěÇOHH-//3gxt1&###99yРA榗WAAfʢ7;uT޽O8F 7n3=zDGGgee pݻw 5kw|(B޽{O<33ƍ'|j*BHzz:qVuՇڿ+x=wŋGo׮]`0(Gu/Ydʕ˹s~k׮?~µk6klҥ233OT99x͛7ϟ?n:8l)SmvܸqEEE&M^bE֭[juԩwᣏ>6m޼y;v;wnΝ}رaÆ PXX8bĈ &Jwj.]V###׳I&]rE)S:<{BRo9N9n4|/Rx_nC_[IzsC5`8UYYC ={,^~]~stͭzEoS۷G9qĚjzfqZnժӾ}{PVZY4FEt3ٿ||?ؾ}SNBڶm;w\9ӧO<և<~ɓ[lT*gϞ={lq/㱱>>>SL!ҝtVjtƌs!BAby晘*=!~RJM<^O8{ԩݻ0V =ʳ>H)5|lܺuk֭Z;wVkQQ  , *jKmJe.]t"OϩJk:ud2M&$f͚V&W/Zn]llZ'P+* G׏VQrÇƾ -v;[DaakFgϞ5Lz>666666((1<<!gMJwPo͈{ϡP ۷~iӦ"&OuzY0￧7ݻww/+ 6mZ\\܍7;z5eʔ0!vRv̙3NvZwwwVc2^xᅇsleycǮX/|8pÂ'N>}_.\د_>}(ݻB&Ou9WN3Fpܸq5;eZ߿+:lBLB*++ZBlYYY\qm17+**sSfvvoM{5O͢"^KJJ_7 '_q MժT*)nZM&See%=,s Z?qG;www777FVs䧞ޢ\7Kq؂4z=P}}'( xzz:NaޥÇ?/[%ήQl-hYuל4a Prpd2xB !@o C7! '[NV .NDT"q B^<}xG4i`{@T*}wjj ( RRa^T* ¯'KhÒJ{ot*cxv8ST*JV޽l6[, !.5|MLLԭRVU*Nssssww7 KGZO")(JRh4:d2t:.JjfY&mk`0H݄ZoJh4ƭNFv{x{GOZM vXjZJ㍒ЬY3P 4hMjZ^t:NhhOP(v;6flM&jlvnK >jh4o4ܴZ-=3Èg!SƠH.!>VK hZBjB\.nBI^jVZ-oS'oԮ&@I @#fxdGXZNBb׍#uj}8FT&5Cah>ؿJBgh4:&K8oooP;FoM.lxc-A'"* N P`j4j8LvՕW$Uip< 9:-_RC뽱~2DJKK+**F#= K~fO͛O.u+N򢯿'uK\'`t^EF֙M 4Ǻk4j5XUxs8KOt:B( FC7]%>@zwww^hv#0zXsNnB]\Õ5U*' 7z=#װB#pI!ZNYsl|g7KP@k 5.q@s@3nE]j=8I kz=5rKO.&$>0sTc+R^aǷZ Nn+!RZ,m.4%&YrHԍU{SլOjħ_Nu9lx4HBNyZoc%H87AXo*T* 6m.o.Q9Y}*=[]W4$UK9",\"\bRC,:mP7BgG4\qbM)`,RzY٫˒lqRZ:Kp( G&.#GU|XLxs}}}6a^RXюTNBSd|xʔ)?c@@8SAA TUHZ TRRꫯ]vرR-Zʕ+qqq:NRi4v*N< dbfϞiXh[ !@XёIb6lٲtRz Ì36ol6j&X !f3gƌ#u\҂ |k׊TvȐ0,o֧O&jSN6$8(c([VVٓa| L҃/= geeH.ݻ[G{lR7 @h7s)|=zH4 }6'!@nhiݻ͚5ÌңG7nTa| dHB&y ]ѼysZ]XXzor#6ց+//iVVVF罱lCu C-;V^^]=߽{^>y̙3;w~ nݺ1b0JKK+K ֬Y6111::\re~ >~z")))::ի[n5jTyyy,Zgx333-[VVUUVV&$8r#h!wދ/^x BȚ5kCCC_=͛QQQ^'N|ʕ+׮]۫WI&M>W^]j՟:7ߴo>:::''bB.]J~lll֭ 3uׯ[A^OOr$' @1^l o}>csݼys.\xz뭈!CǫTLz7o<޽}ҷo߻wFGG_ps׮]{~L9k֬Gkvӧy?~xΝO:O??^T;3fhϸf^ RS8  ;Jͦjd7nxر;wPTTTTTG*))|||777zAP2>sOOI&%$$ZjӦMO˖- !Zh4>x𠨨(88xYYYϪRZh O),,tsscF: (ux9c\NW\\ܰ;tAAAEEEÇ:ujRR;}h//͖Ufdd$''˴o:urĉ0zWppqbcc餴'OB߿tRҠ tܐp$01dʎ:zobޗ/_5kX,]vy{{WϡCӏ;p‘#Gzyy#GB\QQw^__k׮mٲeڴi%%%1IpN(AN6 F{ijv=<իWnL\|e˖n?!@nAVTB RT(~~~W\u2qҥ6m`Dn @aWP M֭[VT`p dxS*J288899bH:󼿿?}apRo 7!)J//g}R7۷{J8!7S**ܹsBBMsy{ QTtV]lxwhȩjJr,DW999AAAgxaCdh˺n*_]xQ6.]hZMEܰ2{ǛZի.u]n_j?ViBA]7z jj^8q/={h4 F8'9 R~٧O>L6˗0fK8uuĆ(i}HFs={j4Jn  dXfVtwsΕl6,4Zv?G!6Ř~Fh4:N <… ~-usuwwӧă6pBb%DZt1t֭[R7>|x޽ 668I;p6pByr.g^t[իכoԍujyyyo+M_:^O(gH'VZ*'ȤN 5ᕕRIݾ}߿w]veF?%yo+x9s(ckzޭJxxxqq[AAԍu:W^ =z?&Bt-;)uc!@:p=<<^~^z[nXX,˖-4hPXXXnkŲM\WfHdG+VHF l6&n͛7޽{_A8VTMSbX***N>߾/R<<<<<< `tssNU1`VbTVV򲲲 XPPPXXg4m6)e8:}-ZkѢ`=9V]IpN*ЈJF6yW !vyd_@teZ]¾.}+O!o sf]RaINkl6[V6%~&})j`FtssS0, N 2q=T*Aj4h\Հfl6۪ЄS±.A:HN.a>8?ȟB4vFqxQJoVh)l{c'$+1{I|GBAe5a-kM& G+-YNf_JdlN$\7VKaIpr7hh?C|DKúl6Lb<Kĥ7~+C{ltx. KCASAPN}4hщrd/}OomZoЄE4HՉ7RZVBDsA\ZiHv@{6p7hZ 8śMņmYzkm*j 4EщnlLW Vb2 6d4]!GJ_K؆'*q m6p97h .G#+'YO3T9p ! @ d2xB !@o C7! d\:DNIENDB`PK77PKAOEBPS/img/outboundpai.gif@oGIF89a.........&&&888H\fu.V.o.C..ACTSl.AN.UkG\A.W.ot.f.y.CBM\BsjEWDCA.fKtI.yf.HHHEO\L\EC\\\AOXXXPRoPh[Phuh\KuMjslJgggffpfyyrvfwww....OG\\Mfr.V.l.ry.yAM.AOOAA\VsGvrmy\fy..\WmnpDOFH\\O\\\kfffqyvqy....A.LJ\E\O.s.Xql.\AAM\ysOlmtLppvyyy.AoTmwʅdž.̉MˑDɘ\ӖDқ\̞fǟyҟfҟvڧY٧f٩tױf۲xYr͊ⶻ˅¼҅ըݶ˜вλ⽇÷Šʵņɗՙ̈͑Ӕɵר۸ڧ۱!, H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJիXjʵׯ`ÊKٳhӪ]u_?lu W.}8[?{:*DО޼Ers@\س^ XÝABf@L&-/BH*anީ@J$(Vnd\:=)s 5f5;lrXt ^;v!ϊ컼+Й.WݛFvji_Y7 =dn ̂W;D* x =prd1όpͭ <>I}WGÖ K7 "4u \u[l?95!pkũ2%Z?ݒl 79mV^\/\5Kש@^A9A{qZ韫;dYi]F^klh}eن&dκu)騁 ޸lк7;&&v.[E|:ow};vdoQn៺ԛ P , D0eUx ԰d6N3+#uy1]B#bB)l0^p\{&CK$LX~$`ԫE@ҋn#AxqXAQgd=Ē dbIJq)&2Jhd)?i(q%,ҨYڒ$.w^I\{MBPL)2Qf0o".(TFt,kr!o+Ćޱʭ 8$( d77d$1N[Qdd|V#菰0sh zcxHEK=B}Hjeoz x 'w˱}3L$ϕ.MRubJ,(F%:PssIK>ݡo}B}Hw{&ǭk }a0R~\ -+b3]s?Vp)fFD،x[ikq9Mm &$Qavc"&-iB@ nC&scZ ۃ$-.ԏw\؎R16~Pa%/ӯN1FIN(Ft @ 3phqY n2C u]ZAZ6M2" Qo2P㞆/9c1_W%Tu(2ͬ-t k&T%uylIiTL[An _#kw(1&G(Qo}B@~eMmbvetƵ}Dcf7G c97\HuXӧffXNh:8b'472#&opDmKqx>R,`r&tSXTe1TA 'h:udhSjGPST8 _\u=ڷJ}"6FT13 `"UGhkL 'PsR XtKȉQaA DVǠ Ȇ؊)(I;VXb(u 0= 0 X 2(u (8 טwh N P P]vp Q"6AW(!'fˆ!T P PP QyA! s  i )$i( *ɒmT X` 0 "u8EGKٔOSYW[]_P1P0 l 3YWp"|闀)i阐tװU! ֠M !0 ٘ 90-sxɚ I mGp Jz ( np К˩S)l @M\y ٝii鹞@ǰq!` v=S֛ހsj ʠ Ji*tI 9ah.қЏ`)4*7Z9'a@Zx H `աɅRjUz:PJA:3jU1hjJ` ;:xX VGp{ڧ<4w/g,yYtZ/q9O!a5/ hg٩ :Aip p_NE riLqڡIsbTH!3|Ъ(4rY8Wj)床H. &:\^W3:a% :@]T |7ЮqYW\٭ҰDl&*Z'ұb[) K&+-K0or,ʪۇu>A;>QGd Ҫ :> G|b;sH ]ɯ'ksd贤p._&d[v{f{N7ʶd q6@xC4 az.T븠;;7Pتf1Z=L9{6p[kKBһ˻pz@m{뺪!N;Ƌۻ[;d¼+ "L6+ hR ;kKJXjx}۾kkd{\ U8kcy $\&|(,% U {".)<Ö[24~7\! = ӻ PR2V|O< _Vp @G JMXO\lZJ<`,ƚʅGY_| ~<`EX<<Ȇ\ȊLJȅȆ ʞwǦ}ǃŽɌ,Ƞ\ʋLtۮs=q:۸Ms6G}} vY&4u$1QYX\a}j{uäj.Qyq[';2`wNߑmo7]8n-Aue/a އo~taᓩz@}.7R8a֒ /⤄,߾ty$.6.@8;. @k@>nH.dqNMt#Z'NWe ]N';ul^/jm\8),o眄{nHGx$F B^~Iy,~tnGQ^Lp^~ޏ4)~X>X$}.B7a 綎n77a]su#og !-eIV;XCdi>(I':fĺ.| s/@Ns 3KNKInO7܀e*Y#x'd4`^:!@n:85֎=:7v?!骏u/>A_.>8^Oc؋?[NF'Dᩩ?oRǴ6S?qD~ DPB >Q={BhQF[UQ %MDRʔ+^R&ʏ!퍜S'Ǒ@mPw$QM>gPUEVv"=P%8MҲmݾuuXd=v]νvmߙ,\w+aƍx`) #VLSTܬwZCF-ѫgЩW.5Qޑ j6˚"5NS6m|T*G- ЭeIԓo5X&[^cus<}ܯY/yY>~&FF4/ PjvZAg#~1 [ : BJQ*'{pKšGXq Q  (bE츅AAGvb'(H0D/"5$~q| "JG(TC9ҒKs!I^1`GBIJ<Ӎ6~E_9DAGQmDp ɧ 0͇Jk/A tB5Fv@a@K-i~-cEjeI{BX  A:a\M`EK傆bpU# ojq8  'C KR+ff;#ǍđCY#\녻 :)z P^$P)CX:(1?y|@/PD:4hPAN1"}RII%(@tc{X8؏=dUJ}`o4BbxC.ub@\(7ʒ 3a T!?XQzEA*A.,@yhfPFBPd G|`\R'c 27ЁohF-H]J0CF5zKPЏ+GU &MGJ}#"\5`+GE+oE@\Dxu=v&&Hהek[qo*_mIRZmf[%6-_p;\6*eCk(+1{c.\F7%u](&YdPPEfv E nB \mAbי3FD_.V2XL_T&7 ܄*An9M GС gʠHъkxCV>2A,FGG l = 5@&Wcȶ-=!V8rUd" Ǖo L2F zD&?aΜHEd y sY g97DPV]=.uƬ7: =ۚQSZա@ >GCZmf7",QpG hkڈf },d#D(m RDUӜ6VI&0B" cA%P@p[ء١䊀uNvyc4 iSp' 60 kr`'Nh.S-\3%)J@!حVp̝JB UB ? X0Aȏ8R*Ѯ:NPrέ< ]` X:L`5T 99"Nf-j(H](GP-N+$wnx{7>Atz8 At,\ጸ c(8žwy%?}U)_Y/͙mve %PJf`ʠX`> 4f;P: `2R(b3%17 $rjup@ry?. @P(dsS:!=IBƹyȪzЁѓ-c;w@K3ċdB3>BfA^ B/P(%#f.1Tx(H~PCr `B'D=Br?s3RA7Їx,z9 'H;?) û451BCDD\ ~,`HEH,I,JlKl=l D3ÿH8>R \t]z` aRxkpzԈq$"CH,\ezȉ0HzAԢ=̾T`:L HH +IԫInLL9IP ? /g>l7UţȜɊ`f{JJY$ʬLJ c`B,3]gQt ŔRU\[GMV޻ N] ňH =^E߻̜߾߭XIsTT``NpNOqV4X`PFaOevT%ٶ*%IEZ]a YÌ"vPԒP%&P&> ZS,E0n&08[_Q2NV3[e׺M[xҒ0E?@~_ctFe%=p:`V{VgfU^V~>.GfOH|ׂX\v܉&܃h - uEXjBv]hBYKmݭ*ˬ"!rmfAVjmu gPg{N j$g?J:-k밦i|>hkцiFLM7ȕ94> NOwvJ kki??vv(KvЎ:.mlIUUX!emцf*NٞHNjpm$ ccR~j`ɸD>I@.5C/3~L{u\oN ~oDonI{uMoǢv!G*= p~h.p6p DO qG 'T7 7qp)[(~/"߉:+; #ω=8+~i!F'(r(X:J1Q!&_ j+P7$%F4/5gs堄(L{33OT酈)j hx1_^8.=s2:B7~@tEgtGР3g(Y%P&'|ЃA8uP0=?xkWuZu\&#PhRa~UW k(P2JȞ8R%|PvRSGu8Pvn_op3w@~r/xwvwܺfn*ij+ rJoӀ3ymC57}h|j5s.gyyͨ-Q*+AwcH rh:yàoہzx,XLzr~Hr!|o//rz{R})8{4|J|f%'Om˟(k·Ͽ炕}(8T'H_m}u}[&Gٟ:GW&~~:?~ߎ"_~(.Xw2p}Y+h „ 2l!Ĉ'Rhb?7rDB"G$J *%̘2gҜx̕-_͟(Y (ҤG*HhӨ#JxCZrmH+ī-DoEm׷`+mܻ@ż~.+>ov 3nċKlv_}[Ҝ2hb3HGw-T4{Vmoa`˦6\ٛ@1|+Ë|y3Kumۉ%8^v^|A^{T]KW}n>7m@( *0G`!4!Rsa mXBaF;J<"ӌRC9#oU( p7ɉCHZy[K6CQ0ezW:#NgODm~gYޚ 3 NQ9hFhgEI蛤e*^d8l2c1Qj頙~FZ)*Jwj j \5fiH ~F( "ك ݣϳF-G"PmGfU^ EWmZ54oso%hJdk+⻞釰11찘KT;ʤ>qqL kwSȲ4;#kWCK֜q~.(NO`[67sCK]+TiiOs3`JƴBUs Iu"z;q 5emvsU7"]6u*fMlRK-QAyR9ު6J=PV̀t煵W:gq$V5;ιOŸ@<$D>wWzXf1MNA CY+{]ֆ= u zB?*Dp z!|A(`&+PɖUH XB&=1|@DP~H#(82A 0=<~ 1!1--&Ble4Av!q&@8P ܢ {L=,i`@>(b@ h/Wї5q~c &3ӻ !@06HalG;XC0E:Z,pV4"p+Iy/< ~)T pA 4!@?PQ %={BX )Y( .,oTTuS+2D t3I  &ᗳ+Q΁z(7C-1J\EӉ!@=qZ@&,{ޢMXӊT:z3Y TК q#AQJu#m[LR6:5ʞd;a;yI]e{$X*H [2سJJz.$SžZZSZXPe}5r{z[-mB&Ŭ@Eoe] !@ ALQ!r'RX*4 C[K\D 5ާqzB΂Q:.x;aD/@,`.cW'#ZBDPNhA M 1"~#VG;`ٵ+3e_1XBUǕh:(_0ȡ5XCz 8ܰ}a h@:AcRC @F@&Ai01-63~ +ά]Ȅ^jx#-!WB`He0@,QR0E+0=H5}+]>vd -e=,ʎ*ՖD+I\6oH!E?@o&PR[h>G* bLAwEpńGQH>,-A %$]H4 l#GQx y~ ~PB ;vY}o`KHaS3-rhDaC~T%_~y z13g2"u9Pc0?xXSʻб|A^vRs\@y\@ k1: kUg&=Aʔ?$=kQg 1X!т'z -@bĖXr} ˑhJS='4} G|XLAtL0A؁xC2t@,@!B/1ZҕqVYk]O%D jWXC\IP k$9L(ʻa\d8UA}ߋ lXX>X4e…, qad>X T=B聣AQA<|CYH٥eڦy!\E eFl<:V)b&f㰌$ &)`21BóE[6 @=T}Aڭ?Q?گ@8\B:8A*[= TCK'^a*b U`~PL s^o$dNhBhA\y7B*$L@!#G@ 1T#JGB+\7@b>gc*)RDEz܄F -0՞u?䃛^Y#,",Ā6#7* cD%! 0tqnu7Pl1ul@!* +khn,)t`>m* mn7b|k¸!+?+@B&™?$?Ꮞfmi6,ׂm!-mqƂk(܀qHgE]LV-HԱ-"L]k> S% -ў#t:.Ff?D0D/<윦$J,^mc2,+@n!@IDR/xUDDG-p @!GXB*..,J/Z/FXjBbGjL/JNjN%lDI>n $@M>"""D)0$ ok+$,Dpd-GgEQFBX1 ?0‡3m/$^Y5d[ $/@0C pN2n@LnrD)ޭV q20,g*߀_%8H/XC=9&$#'L;\dr/8\ e!q; fq./nRLpT!8 \I /v f 2,k-Wivl5%HAp7@':<&B!]Er.7rHjmNȼQ::0Rij){R~]!ȭ"$LQjB(.y~< @>K*? * #ȵ 3>ۮrKt1-]~=>8t@h ezy'(2DtM*I/;obON/}xX5p,/7u[[K qI($<*aGDk/uUSlDu.?..J p)1&g?+`kisnm*U0C?l]Wj2'eI5Ppkl9:21N sr3rW_TC|l}tSw]@V a!*D^B DxLC.)\xվxx[07 ovYĆ^8Eg`ÀoD4XJČ׸TӊKlڏ6hDJ@8kI6cjr(̲,[ב%xA?hAD`o-KyLvtņr!L7B^~Nzv3G.RL1݈E4.}BT?ġ/x.K{3|F <vEގ4)0?D\@DT+Tv8_u7ǛxY;7'S.Ebؿ/Dw5uTX@$Q(TZ]͞}A7bE1cGA9dȍ%?>kX"ġ "T!D;1DTRsJL7Nh n=paÇ\36Em[jB'eՙju[+XB;`>7۵cvIJ0HRNU0UV5rihIsU1d(x9fA=8NU[2&7X!,4JX7o͜{Vx9yz׳W.4w_NycGjnF!v 4kEPЭ|P겪&G6{P 3Ξ{<.l@QXDŠ!eq/'w\Iƨ2񆛮1#;f(1S/,T Fsd(;R,8uN25Lұ=Ӱ?3+DP꾌Ϸ=*qHnL{4W?r@uIT(uS٣κU AYgVV1 vf̸ $F~#m-v;6eYV V9]pDM 2EIJRFVV`䕒*wHݷkԔ;ou~sn)nܔk7N)E(J<^ dDd#Be~QP"EJ@- P0UYꒂiyh8ۅQrAxƃ8*ʋ oCqKdYs 3M K"j)+&' r (8Ԋw2XlI/6 OXŠG$Be*0)/&f 5ePi~b ;Wf.-;DЂ:Hhu.q L%R Vo\I2.ɐ`Ғ-`zQ@ԉ>m#P#"dtHSQ*󨄑QeѝudEYvө5[=dXVխb/VX k5HzX*c!XC[5,NH%zNeD0Yqֳh:0O Z%r0ZҪlmnwWm .l  Z.l$=7ӭu x+_6r(4 ~`z h}= xЕv.wR/L`#X v0%L^8p ,@mJ,hG:V@pqC0'c۸81} dn FF'br v`cADaYL ْ؋j^ g9sC4Shяg@G2uœ_ ϵ' )bҙt?QԌr V:A |,z[FoW=;d+Ά@mXY=6=\z"XR ն! l[h~{vo__8 ncFyא[A;m-]p~:9#w;^ʿ X4'|MR/3qwCo4hUtR Uz>{E}nU}gk~>uƚi~nI!`9J? vC[?_$g1~?)J_hܷӟKEoo"wj!0R)-+GO"A0PEM20a*\a0epimqc%PP(BM*0w(vIYnjp 0 p < b ; > T:TӐp p A aI?a!AS-3">B4#$$ 4E;">sR72@-B٢&0j("$t|+#(h; ;ct>A(`"GwGJ G3"!X#H+I:I@O-$r@ 6`4.m@!"AX  Ȁpd)b%Vٮ@4 a_ 6AUL);A h `` aA  @` b1Vcb3hhA5_a_)a\j@fmI%<=# Fa!:`"(k)A rM!a ZpԌFlaT4 Au].7sq@0pw`τ,zLӓ/36t>A+~& " 7FL:sm<t!  liAw[!q%͜!|7@2wחx$a>e"ؔ"` 6!LA@rmK~( NaHaP@BPAYsU4Ia D *~DJ>-!>g9؃A8~ڀ@P^8Zaڮ8 h#,ˌX8ژU862C( !nL̘͞!&6#6ab!mĀ5QoK !ov/B4CC(A؁;3y-TKJ"H!1M#yز97_14^&Px` &bJ9f@l1blu`(ڢAME+TifvC#hQ` +  zu`"f ˡ1BZUcz49KOstBOLs3V'`P$aa"<"$9:U1Mvt"r"z-aA˚#":VҚ: ]y8suC-qs6)xsg=ذ5.9S?c3=;Ѣ "AB\#!W4$I"۱EW{"Zc#fQ#ԶaW3{8W)(Z;zNm3Q%,$rsUA"+9B3!ۻ5#;QcMoݚb,@a Q;U ( tA5tm"4Q @h8Y5UW?);|95\!<'·5uA#,YWɫ>'AǾsy퟼E̎~,8<Ґu4X,@K-ن,Aߺ,  ?߾)( yY: >?a yKV_?g-!{0ڬI"Aa]ݞ`5 քEMVQqƊصl1U`ضtlx,Zv}w&Ws;Jɗ]}pQVyhDžWVlDaKꭟ^ i ={9oSMLx%)<ƧK^ȱæN;5e햻{n7G`{֮7Vw igm_umubZnN=*hT^l t}Xm"nqb1 ᇛy6p5;ވ [ "T,UL>zSNWF[j&#$ـbӁaB91&^Ec@f,e֧%9sBơtL*er2K3 o=^w bM7]vf^qǩQܤCܓs|Nx!^'8/8O8WL=Pv̚|#]*8kꮷ;꒿N{׎r9d7Sn:|/||O/%}"M}/oe?)>\C*iY_ pğ*V4hasc f5~ j[};!A@"g)KʢW WB04 _e将; }~>A1J^(e(0T SF CD/d&7 m8f~g;1|p?q,$!؍7)f<;FFr dX9f,F'?9k~ĤAiGTj H#%AJq̈G~`s,&1 sd3w1B tHxKF+ˏ'/`Sl'8YN_N󖸢P^s˓͊? Ѐ ԟAPΊ !$Oi%thA+ьjhXi(It4$-IOҔtXK_ ӒUcӜ:Og #Lԣ*5L]SʐJTU"EW VFd YV|TZZ4l:U+H֔]  B5F;Fv?cWJM>eRJ,f5[ZR6Hg7۞ׂm[XZզ )jk[wmn={\elo;\-ѽs]\N7ٕnp^Eq u[_[&Ǿezkw-%0n*m0~ l`NAp[4ɇe#Ey- \֮aCܨe c&iZ8䌌tVHE(Ta_ζmowۍ q.7LsQP_H4 pu w~um)8A0k'WN@ X<+B2mU'x_m}<y5rr\ d ";iK5Ϊ<0nq.).Y7 Hcj<E%'/w,uZ5z$8FQdwjARޡ P1f+lLV>앆{3³ZT*HVTc!rGHRfNO?0%{o4LGh##xWT~{>'vzhXu'30 > (hu(RnXdurb000Lux,0()rC ')B-tdǘ2  < "芺Q WV7'>)aHCI`)p SBi9~xӓd41IFaD P @ `ѰB ׀'@ 4KyNYQ9Uy [ٕ_Ia KhxgH)v@+Ph`> yvp p /00LA ^p YqAiu yYٙ99yP$vSbX( p `0P*  L ~ 8Pp.0+ 虝ҐPҰ-~ ,*/ʙb͉!։ɝ I扞)iv џZ  ڢ*jp-ߨ^.*p` p m@ p Q`j0  @~ ܐ uPko000+ djp@sj { zY՘.¥^ pezimqsZw{ڧZڨЩJ7ѡے70ؗ P` p~ @ T Up@ @ p opw 'rg ` SI: z ~w-Vz0՚ךڭZ皮ڛ j*ʯ+kʰ{+kpP-;Yu#&zՐ ]D2?Z`JK@X2 9 , f[@]  ;7b2ױ!7@`Z˵^K `+U@J gjۛжo 1u{ [෗ Ka d_y gA pI   I` : p =А` ` Pp +d -" LŻ[[[vpɻͻ+K+ٻ?ʟ[Ŋ˾ Kѿ²0rɋzoI-?ےK]ppp ` P  - Dd|  q  ,<ȨOy>-@|Pb] NQLϥ܌3c{N  xЭL88?дP8:( ݈x7`" 2_?yғ r @4ǰݷGz29 wn2|.Kݗ}xc(7 tB /Զixթ HԪ1'",'М3a/psRRh *>[2أa +s }إ-| ,1Eaװ b{Տ-| Tsp}|$4`xq{ۺ#Gíܘצ ,H\G3bݎ Hϝ"`Mz2 ,@6]=l=w+Gxyٽǽ߰e2~3+-*0--l: ~+=! ,h)*4s~"b ss ?۩h(wLގ):!ΡGٹ rSv,y'|>8sS߁澻hb|4.knumn0M+lR#`H1}2bN @cR 8XMnX0.$1헌,ㅑ^ t f\9 .B-27CG6bȾb[\iVC1b h^+^.2NC.B2XcY0 4? ?/Oo /7;(T~ǐ~60.?123o45;73054P%^8sO/QOSoUWYS02SD&/!Y u/pvOwop7~O#21/o<=^-c5Kc8][`/Se_?/Ooŏǯ4Oqh>ׯ/s'$ND+ W/Oo ͯ,cHyvZVVbȐT!NXE1nhaCUZ$(>TdK1eΤY߾tM[7A%ZQIvɓ)mNZUYnEogϠ!l%*hϦem¶pߪ[ݷ#FPԭk޻<eܓ`cȏ7\eǘ)G7Q&]iSQskرe mjԛu.:I& $>t/7.ѝ'oo8woݻLȗ+c^{ɔ=RwXFyp@ $@DpApB 0߀c90#C@dNE cT- o*F#1mGwԑFH$tRA(RA!H%D KK-HҼG3lL 41N<ԒN sPB 5PDUtQFuQH#tRJ+RL3tSN;SPCuTRK5TTSUuUV[uUXcuVZkV\suW^ ;PKEo@oPKAOEBPS/img/identity40.pngPNG  IHDRJ  iCCPICC ProfilexX{xcq1ZvۅF>P+Y"?Ylk >`]Jm mH)Mڴ%pNxxdQ8)sxfOy`W)͛`t<rmc*"ll65`t~?l;3|'ms K[VgN KܞF4 QaaҋFZ۽Ro@XU/Eg9Lr¥hP8bXTe]ã9L+;rN,38R̗2twh`6?Z( schR|aP)ϔG3ބ;B4ll)_\ˏ^ !>R3dITŒꀥ1$DWcFw.l̘.8]a;[D NfU!!bYݹ3fMPĬsw ~3دڌu70:7,mFv0ǝT(0'M2T%sy¦0gY|svh0[N-:Ka^=uG%*لMlulmg9ۦw8Y4J@gKQ8:Pt68`:&0a{, :`-;&8ct:Lp鰅'm$ o9όte/*luyiN3c;GmHMڒ9$c%RL^ jR =;C`Pd}"Mʓh-Iʒ RR T@F$$!vEZblZYR*ّʐ$ $]"iR(e PrYY cvǠə OlQA![ER"k&m0f f5k m #Q-9;d8Q ktFkAeH TLA%,ȋVX;'n.c%VdO!&А3d9Ғu$-5*O! GZb̞G(DYYRY3lT@fMb̖`,1'rڒq(%=-y1KGB!OZ&*F5($0y3#3։4S*!)XdIdMlHT]kQw( : cEa̞'d29m2ʒDYD$*K"/0vI4{$#+Qk2 5q`2})r 琅ox4d,$YLB$gq 1L"{ & D&Q92cHkԒMɤ4:Il[Ƙ%RLfHXdf2),4)Ƙ',dІC6E 2{cEKFffd$!Ix U2hyFA֠T$$z#咉D &%Pj2#Ɍ Iʑd$ZGZ<&b%*d#aQIY(dyW\]E}Qz:_ӑ!A6brؒ˫H aөJ}|uE*UX\\D}r%Y0VE"sR*zrS#LeR"N /5/z E5|yŅJm9q`Q/*ByaEiIR\YʵJYֺLLb•PmR^nԣ(.֪zP\G}QөS˻{/N_xpҫWSQ`a< pgNyt {=#kG{oXYmscg w؏l8mXŗ'g@?uYqphxdѱ5199+=/[_n}׽7۷|-#Gw?xG>>y>}/g~W~>߾΃{/~OӇgW7GG{'O=y_xK+?9u8mzgygsN5uŴM0Kh ߕv}ŕW<=3[ٽk)hg?p7jeH3wZ}ǟxfs^w3c6U]\f" އ$c௸R+; ?pW uwWx j'O}~_7o+?ؿo[nÇoۏ9z-7>{9˲g{λwO||b/w>q?O{?,o;/Oξէ?E7rFY".ŮDJ,cp%XGT#iB pHYs   IDATxy\ھQɒ,EJRhӾ a ->c̐}fdi c)T*ƗQk(E9ݏsʨr=8tzs}]. T}ASxpo@;Cpo@;Cpo@;nd50G%L VU7T*Hب+j0 WȋБP{~D"H$X,JrFq]4 HzܛKH$"VUU|r ڊoBѤR)`Xl6[___SSFt N@&%X,EEEYYYiiiGWW\)֩SN:uֶk׮ `0PqxD6HH$*..tǭ"##tҦRiaaaQQѣG~XϿuVNNԩS;TBӷoߞyM>wqR DE O",eee;wܴi hUٳA(Ӓ"g&-,,BBB}Ixxx׮]HR h9d|[MMMbb9sTpV˜9s9@ I؁Puo2B@ xqiiRo,--ɡp(I2 4m4[fX,֗_~68%mm@GN=~xȑJo|>m"@,.iL58W]] ݗ SͽË/jkkIN" ? r xiUp@"޿?++ݻwB!TUU%>eeeʶ chhؽ{'OoBh1HNN$)ׯ_ϝ;999|MNNˍʒJ\. +++g͚2gffVRR" c%BH&T7ܽ{bM0A[[;00͛ǏsNjj'Ο?O<==ϟ{nЍ7pڵKFVTToKL&S"tDF{#UKLLLwS„ >rHWWW{{{''˗XCѣGϛ7ٳg{ׯ߮]TB&&&8_JNv/PMNd)111,k$?X~}FFƱcNJvה)STߑGOOT‹OU"%^aao:wGnݺSNGC522/eaavoX76,FͳRTWWW5 6ob7fKJJ?~ܳgɓ'KҲZ/2߫BPYY$"P<뗔(ooŋ3˞={Μ9# q'U__˗/kii_tuuݺu-[T`dIIDl GYݺqN|ʕ+KJJ zVLmm-˥j5\.JJJb1ѡ~mDfff111z222a, ē-AuDI9444;:.{Mnn.&+h&Zݛ5(333Sym+dffٓFadž+m AYL4Ft`0tz^:xeEDԫW/߯n MNRgmZ=C }˗/zV˗/o߾=x`A?@Qt: ; g08p6mܽ7Tad2 tpp8qjwB O81l0&bL&mғر1aL&fŊ@B+lllL&q$S7" Ol6[SSʕ+?X,NOOr劇&v, ~@ QU6d2e|kܸqg~AQQJ${ƍ322n{8xP,J? voZZZvvv<ʳ5 >|8jԨAo@SSq$n AIp,KKKK[[[WWWWWɩ_~Η/_nRiuu+WƌSp䤺hп{e߃t!HTjbbbhhO?|R,p/^}zzz:::ñluQVIe,B@ r›7o}ʪN$//////33311ٹk׮a'E(CTpĆ=ǫp85TWWeee=*//TWRV t:@__hРA8V@|{kU4"NH$L&d&Q}a퉱@  yɓ'+jrzDvvlZZZDWqbQE5D9d2q8-"ɜV#Z'aC1:3r\m DjHӒ8|>Goxz :u${#A7|/Vr{FF7AEܛP( ؽIA ul^!#[_76%:!J#MdM hjjFb=(I2RKj2Jo$QiFpdfyR T"VeeQ_22n@ƥ))# ~PJ/:!".iћp8 ,UfϞ {Qj@t &Mϝ;.eбܛ@ 066p8rFӱ|,kҤIDTB'N ѱBhٚ9sk :Vrcee+P=7мypCy@)t譤!TPP`jjnsCcB:{6֑JL&S*D"jP#3202&G1y Ff4Jԡ-72H$H$g Oq9yJBJ:2_WWײ222 ~m5%sQ.ⱨBի^͍-lHW6P!ߋ{޸qcƌ=zSq+D:`0Oݺ7!𿕕QQQݻR4(((<<xVq9Ge@dXbPx 6={#Gd0t:wCWD%| p' QIBR x'Oxyy+550%%gϞ>>>O>x BmՋG&xg?cVVBhܹ'N9scȔɢ@k߫EBvX$av֭)S,]4&&5{„ bxܹ ҥ j(Cv$m߿*))IOO777'ﷶ_`AAAémߩJ(u}h+$շNڼy'Ə/&''Oի033ׯoCu9##$<<իW|>\&@SiPH"\-[vڕ !tҟy̙gϞ#&m[ZBMP$wލ5k֎;HwONUVV.Zh"%Mm@PYYp§OfddXYY5666^^^ϯ6l~&m89٘$>>~͚5򋿿/L>}ݺu 6D(x3f=zf7žfff۷o700#'*MB[KԃexܹsӦM-m͛7ܹ_Y rkE}=!/$uuuXXةSBfffo޼x8:ī=i[Bo͛7III[)**϶nj``b4($ ~CBBu fƄ$'Nd0YYYm]޺u`L4&GhPHRWWk׮u֥)з!]vM:ҥK 6yڒD^H4>|8iҤX|U0̰˗;88tԉ( $ĽUWWݻqㆍkkk;f̘(>ooo_ `LrR^Hے/_?N8Q8q"::z^^^8b}XmxEEEQQQ'OV6667oեMpF&1iI%I,ؿ\\\BB ̸s玿3fϞM*0tLHqF _v֍x8tdڀ{9ʕ+?3//oܸQGGTH]6x-%%eɒ%xcLeHe˖:u*..ԑ bcҪYCdKxΜ9FFFgΜUUaaafff\D`iP}xCGGGhc3Jiի0B;w~YXXX^^4k+ Inٲeǎmڷ!븸3gFq 6%jT"BwN<922rǎllK遁UUU-755Ei 4kH)P3 .|7m?~yy~&@;CƄ$k֬9|p@@*QӧO_v-ID^H̜9_~Ge6SرZhtJ};wܼyszzzm!Wnڴiǎ*b|!궱#/$uuuHHȩSڙoC޼ySWW7,,uuu<'*F&ЦQ]֠oϿ|2>+^y?```bCBPjժFvS>zJPPЧ\9>>ܹs3gΈD"T!B0""۷Di&x|*^l4M>p… wuttTҭwMHHXdIUU J%AF&շ'nذa (\p֭[ hѢ?|…xM+777kkUVI˗/G:w\AA.\x{y?=p67gΜ{5`mmx77,&1,TPu\.YSSQjjj߿_XXj.K=9n%ǫ)///..~իMLLnݺzyyI~q7oQ0r;w{nfffRt'O,**8{ǭ R={n*J?s.]x<gaa!Z=jll|ں:K ~뒽z ''˗/*m]]݋/9200uuu$8lH)նfU ֮\۽{3g>~… ?zԩS̢*: IDATtD"yH$zMff&Bϯk׮Ǐ/((h.,k̘1ׯ_=zBZSNMHHXl١C$E7AOt˗/+#G_O^reMM ފ#S bգ0gC|S%Gw3f4"* O-- !tmg``ЧOh&/+/zzz^~hii_L:' кQ{V" I.f͚#GܹsյDCbbb>}ZZZ:}f_uk^'>><_OFuرUVq82@@ v˗ٳGyuttLQBBB<<<󏋋ڵkMLLBK.uww?zhSmmmkii)S'%%6(6Q@1|I6EEE󏫫ѣ+**Zx}P%J===9B~z޽{?.,,oJ\.wڴiݻw X,׫W HҼ,**bbB!Ɇ :uꔖ3***>W[H$zGrbӧ_v6NlllΝO8_ZZZYYp0A["ɷofff̚5 g0ZFӦM~zMMM```YYyCPP_[PbbbAAAnݸ\n\\\tttuu%K͛'fȽ?]*޼yǧW$͞=?xmYYYUU)%I{˗3f̰z䉺mT0ӦM V]:uqׯ_TTTh4?9I.AJ$c!͛7Ν{YCQgŊDZc:u$sss///ss^z_tk׮ X&tkyyy555/_ lǤ鱱ԣ 6$H,++|{lllmٲew7۷:nݺZ@k OT$ǫ;yܹsׅ *PҥKWZڻwJ7?*??_(K%Kȿ_Q5 dRPtt͛w ܩ&uER <ŋ!!!=zzT<_ wӧOgΜY^^MVKsܛO<oƍ{qㆧ E͚5ѣ^^^wܑ1I޽{>|xNN[ 522ܹs? ƍ7l؀aMFݣG.| 2TFڶx3g*ߝK:ի/^6ϵٚ>L^ {H@mfzݯ_?e9r#&O1cƐ"##yJ͗J+W{Nٖ[|?Kw܉DEgccw^T:k,1cѣܹ߹c[[[KK~A-Ji Xf]TTХK 6(ɾ6W7oެԻlڴ?(***//8RQ};vlÆ ǏRۛ7o SRRJKKpEn:>Ӌ~p8UUU%%%Ϟ=:thqqiH4l0X#<Θ1۷2u&7mڴ|rPgϞ;v}~U.]8?G,,, JKKqTr*իFFFIIIyyyR4""" 'O422z}nnn nܸaaaĴ@R!D\ǯX+ǎS`aꫯJJJt:4MCCNkԃ_iQFQ%K>|… cǎ1bرkvҥZ__[Çe[^^lMM B(666..Gsέ ׯf)))ݺuӧϱc6mڄs=v옎K.988`CE֬Yӭ[7+'''&OtT*UKC1cL0aNze߾}<ح[R, &ܗRj@DkΞ=6Po֬Yqqq֭# YI>n 6{y=蔖yyy)))7 ^ZzuddϋSSSBGa0 B(99yƍK.0`ӧ/_-4??޾!D WFFF!,]F^FS˦ ҵk׏S:880K,/^zD"!CL\ Я&72ߑׯ>yL"}s^^YJ|S,)((G lzs,--455l6^&VOllƍS[[l۷:::2ﯨS5kL&`c֬Yb4((hIIITM?8v7n\FFow^oo;w={ }޽+:[ݸqcܸq*`?mڴ={x{{kiiiiilS^ͳ%_ +**lvUUڵkׯ_`Zŕb| QK iHT"p׮]F*--m)޳gy&]aɒ%2Xl٦M.^x |Ri~5k ?oٷo_KYZZݻw}]v߿?MMM}5B(!!C`x366^pݻwx8;;7yQ׮]t|۷X`F4MKKӕ+WzY,---6N O;uԷo_]]KJkk=z >|ԨQQ_94c4}y8vZBB©Shnzarl.333>> ULOO"#####w^KK_x5''֭[>ܰaڵky<ߥK;vL>}9rdYY֭[;T:o޼GO>gSLp8^Zjպuncc#c̙3͛tRss˗_|K(3fƍkג8qD???777CCCCCC===]]]---bTlJH:L.wA778nߔ3f9Iu[O<֭ >}jbb440c\[h2dMM͉'Yo6B.]ٳgrr2Bp=xkvŋ|77#(кw`{eddikkO...Νĕ'ǏO*ON4iQQQݺu۽{I(WW7oޘSoeww۷Ą| *޵kT(Dܹ̙3O:⒘.+rܱc388XSSZB[DlX]2Fc0 bl6mmm=y~!''yIM6!R)NL&3((xرgR=yZ3… e㷑ʓ>}1!!~sttРAϞ=k}...߿4hP@@vww ;vÇ-,, Yj?<!c߰ǏSgg7o|ݟ>}:h @oll[eި {}&b䫭M!CƍO?)ɒ"77/^xo.733ӽ#5ΝiӦM8`-D$EFFnذ!44W^xp/YSSpQ%X`|>˭p85޿޽{.\psskl6?})F200@Co^ڵkOW^ٓ͛ݻ7f XbzC<cTRn%B6g]]p8555յ|?…o޼;v'Oӯxʕ/H$}]XX#""^~$-Z7o/"66~rssp8ׯ_ߵkWNׯ_O4)&&F*.YҥKO_ln=X$Ib8$@g쫨 ߕEhhhRR{BB«1^p!͛#,Yr̙QF :4>>~֬Y 9 H͛jsG8pQQQX311 (--|x^f̘xbCCÊ sssCC & 6ĤXk``r%ɯ`0siicIֆtT [sFxq߆6b[>\!$_&LU'H9x+/ˇqeee :}t:\nxxÇ;w,! mi ~P( $eIj7rss  E"m%O<O&[N]ucxՅU-ZaZt:>]DdMR ?ů988(|j),,ĵ⟪9$[2eOL"$#Їjȑ# njl  FkmRt޽;ulS%Ÿ7Q 5/DJn߾=hР+W sqiwލ7N,"[ weΥfQ{CrbT_V&#li4###?~fJXnΝ;'L`ii<6G&8zE>ʪ  IDAT+%ƍի3u*g[.m@G }8POpd֡nSNuVhh)vf$hӥnӡ*XG掌0`@ZZL3̶N||ɓ]\\ @]uQ6#h(޽!899%''˗Hnzyyq89ED$I- [JBFlBAQ6HF2229r'&LO6mڴuV___+++n}dj om 7 N[$N"ԭ2ܼyzcvGfR$6=##6 5ȏLbŊe˖"k׮Uϥ+,6өSjHLL/ DP76kIM1YmW^v>|0bܶ(++񩬬 622R]R$p4hs(}-ۨB:tQ9b"u$윘ةS'u;vXss &~XFmV$v*R 2*6Wm۶-;;СCm%%"f͚ԭ[7!I+*6Al@0&>ƍzj>}!>+W9::+$lrM"!/6A*d#Xlsmmm.L6m@EQvU^,GT~~~xlccJkijgMMM|AU~XVgliAnCoܸq"̙ܥK.8Q8nC $8d PA2)J1co+ vZ``!C B4T- ui B Ih A_ cbb=zo߾VWUUM0044ظ2GSN[+8$԰:h̑000p˖-gVK.;v u֠3IuBF"gQ%$4f̘u~yⅻ?i$/$m@{E=G~.">}Y&;;{ݭai)H.\x頠 sssjM#}}}jGF$ BVRF EM嗆^jmmB7n:th]"$&$AH'Ԗ[MP,ɩ+et !UOMMM``˗/CBB:u$ɜmmԘ؄I4xxxܽ{wȐ! ...?E{M(@6]czhmJ!Z}Ke{{4KKKkmm퀀̨Et?m"?l2@ w=}t-H,Yrر@sssDIv4u'Fqqݹsg.]rrrRo߿e:˜!IF^lA)Em2@t_lYvvmT Œ /|md~iՏ N1b?8uT믿Ο?ͭo߾gcu)ն455|[E^E>G=t=44󹹹ΝQcǎeX2H]f $:½FDkԍ}u444JyѢE9997oVT*]bE\\g}F4<]?mk|\lBNpl!CRSS?3eyooo[[ÇWj%F&^i- ɵN"DETx|ԩ3ghkk+6.ÐΝ;m $iȌLtOOϬ,;;$wɨ(WWW[[[l9uEB#Њ#b<ː&GiiiÆ KII177WIǏJAAA VS7@HҾ(NFZ(ȑ# :_($Tz}u޽AncBm@չ7 bjH+!C(И?If!Ia8UlBd&̝;7'''&&Fx'޻w/,,sIBRKK`mQ:ѽF&uըaѣ嗐O6mԨQ mCl6 =bɩteXXؑ#GrrrN8r3޽{7~xHDwAHtLZ{CrbRΊ@<###srrcǎ &XZZ#3" I:Qe&iPPPjj+Wt>|8v^z9;;S7ZZZ6zpiPl"#W֡9vn}|_~jjjm4(6!!D" }}}o޼9pA5 ...8aI Ijk+uӪjQqoT'GvOSRRFljjڤ;zyy㴏)"jEۈJV؄*" 2j"N:;;?~ϯwܼy͛}}} $N-}2kVG|}}333ֿOQNNG}}}ejM#! vTd&0!DG~dggg``0u˗/_o$ON2 %n6<2A-f}cjGQ$jddtIERRRxxӠAez7{ 0"6!k N344tϞ=هfXス+**cT! M:2mƽF\5Tbggjժ#߱cڵk==={)3}~XIچ0:,bb2 ɀh!!!W\qqqILLԩSc𰰰PW] B[roHQ&J n}Cz TD"ѬYu6]]] $>Ul>Q(j"FM0ƍ zj߾}/hgg'&sm̽&REL2dWWK.UTTL0844А! m" IƠ7(N^fۃ~qQwUV7?֖I$<I^_*zI:L( z Bٳg{.j!Zn QHʁF :044t!X>^(zxxHQ$ж m~bWm8zȈMdNlxX,7p,$}&;wx6h( .6I&|X,F8 2h=7 Fq$zúG---P-Hɋx!m(>.6E6^2x8ĉZm $o*6ig6-D"P(ē<Ie@WP}]:.d@$diW #4M6QFIO x8$ x38>r@HM7i PhD"6-E"B@CC$!m-%T:rȅ W޼yF(b_c2f===Nh#=z_ 0!d2OYYY/^\xwBBB֬Yceen vohÀ{tV?cIIIIIIQQ˗ӳgnݺUWWߪZB:{2f̘ӧOx<W_m߾޾jh)Xo'L`ee%H t}}}nݺ9::ڵK6-#hR/Bz"/zo߾  C@uo{XXEuo4;. %Q CѣGу|>_CCLV:{TWWoذAV4 7|7Ϟ=y=%%j w\WOȂ8+Z2>nV P*ԭuQW"jQP#@ |9A¸JB}m@ހ:CBBlْaee5e]-N˕+WЀbŊ-JOO?{,yȑ#}۱cW^p= Ӳ!6ݵkWr722Rꉖ(񁁁!I%43zô8 !bB~~~^ P/8ySjzذah|W׋LakJo߾ҥ ~͂~H49iT*ZV*JR.xآ"R?M@3ZE !T*)+V(JpB[[[:N{7h4ghBP*2޽{3g/㏒ ~Z,+ L94uoZr\*&$$,X`֬Yѣ:tKgmmj*.koop_CJJJūWz!]++–|4vdq/TZQQˈچѣG|||RRRTTTffT*uؚ#`ԩ#fgΜْ 5~y0d2T*-//s΢E ݮ}vҤIfͲc؆dhT6D6dȐŋ^Z ltTѣGoڴٙ`idcy#چ3$ P(LNN^fMϞ=7lfu:S\\<}tJxbWWW}}}dhP;(7DpBGGX]/V̙eiid2?qTߩu+~VU^~}ƍiچ}* xà8hP߰IR>qF___жFm۶M(>|sqwB ġ&ⶢ?sΝ6m?~|ïJ0CDuֵjs IDAT }Ҫ !J\O<ߨ_m:t:/\d5sQ@ި$X$77wϞ=/_K?zd2q@#lYdH$^:|dX򋏏5.:V#D"yƍbmllr= Crrɓ;[[[jS@#Ѱam+++3gΈ#,X5ja\]]CCC Utc&d2L& ?naa4KmC}iiibсAqИnDŋ̙3gzuM %%%8~IN@D>֭={4btٳg---/^JܖM1LH$"ȑ#dPsKgg .H$m>NFM$I\bcc׬Yjժ200سgO@@@xx͛7[pؠjΖJiii/^h=3/>}tyyT*oSK>H~mРAFFׯMdd$EMQR=aR$رc^]E=u[چǶeeemݺȑ#M;yd[[[ZM  tVQQq֭m۶8r^&R(t:]R}S4mΜ9A= =m8Uɇ˗K,a0qqq-S0ݻwp³gϢ>| ^JH61p=rpppppա$IbbbRRRRR۷oRib<<|P$x<BRT" D"%%%ԭ&777--MJJG.~~~Ϟ=dCUzՋ)Hdyyݻw-ZԿ~wFűXŋ|g) zr!F|:̸)**?~Ǐ?~|ʕ#G޹s!$HD"R<~ѣGRiaa!C@'1r2H QE[ sٷoB͛ߺu p#Gرc Ν۽{7+Z]\\W^^ψPPP@LZѺu6m_Plٲ%$$dɷo߮[1bĝ;wH8ۡ-ި6RwɸGglUVEFFΙ3#nj5}@C.ӱNҥK( BYYYW^7o\.}O$ĉfΜ)Hz;|iB!FÉx:tHOO r7|s]ibb2o>ՊR*;vܼyOΝwtu@`jjZwsr|[YZZ]=ztbbNr2pm۾{?AOOOT2bUBp == D"ѢERSSju׮]u:jԨ)S9s`K.ykӦٳgU*ns/^2eJtttYYFoSN=ЩS7o޸`sFKюMP=D }|rH$*(((**!D~޽{errr[999<HOO>}ǏoݺqƟ~)//*?????q>WWxXlٲW^D"H6@|Q!ҎÇuLj^TTb|Kӯ_( o>ŋO6<ӧ{&w?j(RdffT׫OG;vܳgOZZZqq@ D P`odeeeiiiVVׯ߿!kkkK(b1bSgrrrwp@IJJruu~g q.b}>uk$ڵŋg#22o}B.../_r劽ݻw?uXSSS f͚R#5<0}6m̝;7??l6[]tJ?z{"`<z`2VVVUu֜N:)n[d$+Wx mj:**… cǎB%8 #pJbM8ŕݻw/++ ,,,ѣ `jr?LHHغukNND"dNNNÂT*h$ M5e BHRYZZz]f+**ju=E>:-))),,ĉZ\ūW߿ƍfkc,--jooG2,''''''11ݻ_nӦ̈́ juqqqEE qKy<ʕ+SSSU@ ` B]xD"Q2Z]Zn N5\O= \.W(.oE62/7n\LL n_[[[s8kks._<88'|W111J?bccd2njs _~Ĉ,"$$d̘1{ݰaCnrxOOW^}8ɓ']\\’B!l[صkCʕ+&&&F"sI==˗}uU:|B3)))ILLdzvȤweJJJM|" ^}&&&&MڦeUx#%@ ())y?ܡCZJ[4YYY?ΖH$59JQ_BhqBLLC޿_ZZZQQGj1[s9vZ___Zx,SS+Wx3g h!sδo>zʕ+Æ 6m|m|w#Fxǎ ۚ\./((jZTx<f߿Ϟ=dʕ2LTdggjJUTT[XXRȉ}]k[p lu h4 BNcm?C6m-ZT\\\R\y%z#H$5O>/(K.դMv*5V7Z}'''tM>=22<妧k-|s/^}Qm}>|8a>ߡCo޼۷o9sfΝ`111EDDnݺ{yy 3fL0A"aaazjȑ#,Xp$jmm`BmڴEQu:0q"D:H}>N]Uu/5k 6ݻw|>'TѮZU@@{TT۹sgrŵ烿/f͢~P ǏIJ`0B·vrru떕եK'//OTQ2nrss{%B}ݻwo۶mdW>`Ys΃vww?vXRRRÇ{ݮ];cc/Çof0@9@@Pk|QP(ׯ///?~|JJ7tI{Ç:+**$ݻwI(޻wO9EEEr͛7333B޽+))Azɤ$,9R y^1Ht:wrron߾S >7o,X=z'?%x>>** Gn|>B֭[{Gd2܈ jzݺu jk׮MNNC ?@p̙)S>G"?жmPr믿vssӧ#""t69vrrڰaCnn3g 7w-cXxC|6o޼y]v=~j*--iL&_1S166֭[Ϟ=e2G\R„:ʕ+Vu̙3pϟꉼ={ګW/" u]K_&LX~}ppG;\mHbBqqq{Q*ƍ>}:ϧHmll 7:u?|p8Ç?ŝ jӧǏÍ7D;nذA&\.C6lXqq;d2YEEŲe=z9CII/o߾ &t҅eSWLu7w׮]Kj߿f͚2777z%(({ΕJeuu|pƍ#Gl6{Сo3f̲ez{{_ˋty-[@.Ϙ1C,kT@ޕvvv4mV300޺uǓ'OB!9̙STTd```aam,6Jz\0&ɤRiEE3YVVV^^_|Ϟ=3+>|>{,$$$<}㏝;w 5kKp''E>~xѢE'O$ڢR,YѣG;99VahhhddppqBZbccB!v#ߩb1uDCI$EM105N$Jvcllm6GGG333CCC<ݔ`h%9 t2LѣGֲZ@AƉ[J:PHjzzz  ӯ:((ӧ!!!_UK LLLg|>T*?@ I7}9Fg==cǞ:uƍCM4֭[ڵX@ 022ŽYjqJJʤIU׎^MLLE f2b+m]4ZrUV_y[ &Y]޴v6qzl@X,"o2DR߿:h3>O#F흔ݻW^m2Ie̘1O~L&{͢E:uꔒ~gy~://c9zh2*!DplTTT;woi׮]߾}x#\>b!)%%% Wi<M#?dS)j$ b2Jfk$_~Ϟ==z;jŢLMMLfƍH w&K,qFnnBuvںgϞ ՋÇzNoժBh…s566vtt$I4{=z4۷oU#JKK۷i&oooWWW<,Аc2D`8hnKv<;;{e .pY4D˚Ϟ=kժR$·obM?ncc&kb%i i%J%H$D8[QQ! w%&&.^xʔ)8)-$xV=FZRRbhhH윓ceeU^<BOO=pvj`ʕ/_4hPV 066r\.6HF F+,B@ <o׮]&L9sf #8ڿ=<<<+9Ivv̙3/]$$߮h IDATD"=LMM9NYY!Y[[#F?^*"ÇݻVJJJΟ?9O(tD@OOTa2b嚘 |~ee%Ʃ Fyy9yNXjmd__6m _hv%.]a0ڵr۶mKKK|q֘W=FZ=i!IG5:@+(ʌٳgs\,itrz# &0U6=j Ù;w.B(111 `ᙙ3g,))/BQQQOubkk+'j߾ɓB2,...77r˖-ŋ}||N}tԩFFFX̰q\|QC6}}}&SKA N=d,\rETy;p@Ϟ=#"":tȑ &(sΝϯ[ĉݻw466}!..NR={LVyڵk'N{ܹsn/ɢѣ'^z֬Y7op8 )..NVVVn:wܽ{k,395 Z"DVŸ\e1 ````hhmLOcccKKK___>?lذGiOU󠲲ҥKF0`y03M7΃n`@A.zv|k׮M6`\|!ӧڧT\{[)))^z=á/_vrr~T*U*722ɓ'WF#G2k׮]v-$$ԴSNYYY-RtL&sʔ)]j?e:)szjI]6Gp䢆f'OݙwVFyҥJm& ?p3zݽ{w###mX،VxA@GdΝ;={·%]E"E J-[/DOf{;;veee4 N`0|}}/\0vXZHeeH$"&qf&>, رcׯRkZ>sLΝL&yIYXDfawނ\.v=Ԕ\=z=}CiMEVpׯر#36.K|Đ$rU;v3?v!C\|ܹs;w}gnng%j>l6m۶EEEl6߿o߾III4m߸q@ ,w),,vZ= rƍ‡:::VO/HII?FaÆOV/Ӫ"KKKEE0@JEmI6ȢIcǎFFFk׮MKK[tU ܦJefffhhhzzСC---IܰBL&߮@8ވ;vxĉZu_¶ɓWXq̣GtM4I&\.5m۶YYY#Gh 333.\gS;&C$40D:xx$5V !deeE-m!|7аEPDY'O?~ܻwoқGM;qS6]~ o 8<88իe͒}ĉݺuݻ7m!ڏ8I:LB" 40$ ]gd/fX۷?uꔮY\xOT*׭[ppgv卾j*ިBjN`eeشiӦzf[~֭[ X \߆$mH:TT!pӧOD]/d}Mddqpf8)n*uZ7ZHe\ 5ӄd7,,,_YYQtJ v횯dHm#mԄ"]hY/N)8ݹsSN!d\.ӓt044$; jSehFHQzs8?yw#_|9~x7dKKKRoPn7D ItN?q7DČ1B[t7j:66vǎ!!!8{:вah,+9Zլ2&?O> R,߾}o&HOIUL}xx 6㈗|)͘ߏ;vС$CWG^ QBq6PUkJ򈃃Caa!.ӪUF gΜ9ӳ{8@%$I_P[}LJեK<<uԔ)Slmmqj]0ՓMHv ɡУ̵hl6޽{ϟӧY#Hp\gHl3v:C" 4 Us.iݺ_|b)u-,wܙ6mڻw FЧj\OʵD]?k.O^-;dȐޒd i-T$H#RR"H$H$+mLqϟx"&&а!\JKK߿iӦM6X̰F-k&@Ih*M"ix*//nVeee^x|>_(bkm!.7cmmݪU;z[?BqA= yO^P*uߤN[ns :uj㩣T/_oݺ56ڈihqHB 4MV Eǿq.~X#uJ 5Bj0=Oh4 :[tPX8 H,@ܸ\nLLLzzzdd΅ATfdd̞=;///00ܜ` _..kmS%P"rEZ#1LDfrT*UVj7ic c=WTUVS4s 5 ϊJ2L,bPϿzΝ;۴iBLɓSOc1wRqolbjTTRWQ)OaU49a`ycU`UI׫Pl B*OqzYo>|ub~啕ٳ;wIu1$ 8CѰb𶎇9Ҕ5 _/Ef\?q7.hA(:zE>14MP,#KQ9too襤#Gڵ믿r 沲G^_~ڵIw6}}}чDhꐭ!{mӈ5͍ް,u5I6!ݪ=z0661cFddMMM`j(**?ö"!.fZMJ===d2xچxUL6u𛀽SD1)4ptFlB5ݨI%q;v422NKK[tuR MKK :$ER Tc2ԴIU m+iNV=kHҐљF!oQxPyUj&'$$ddd8::SL&KNNyHm8F\Dۈ4@ CPଡ଼$m*޷ $QrLmB2sT9H[$UVVoRVy-\ok=D$ݼysƌڵѣ5I =$q5>4㈐H"WJîH*In[oxXeY_7:yCt J WAѣG600bO>/twwI7HB;@6"G6>{$UtjDI5{H(Ꜥzri4Z޽&N7ߘ|Jx<ަM>訑!I۠# LMtuE6WhFAwKka(S?twww##+Wfdd,\ʪ PTaaaIIIAAA666n'%dUmƷ^CZU[!J:%B$hhsuu544<}tzzƍ^>}L& 211H$U2QhxBh7 jlBLϲD&o߾N:j&D"{iÓ!IU$& o&rr{yyPhѢ={zxxR6j?i$ HhL4дτ{#?jVѪU+J}v{{{WW9 $&&&**jРA:tfL4"fH$~u4p$t `ٵkWcc㈈ϙ3WTyyyK.}vPPmRMFB" @dbasM6FFFLKKnݺP(RSSg̘!LMM5"H$h*4؛PnM8<^#WZZz cc_ #BH*>|pʔ)666^^^$yv5uVIX UãP+**޽[XXx^z슊/zzzzzzDlO(DMH-F75F{={vaaaݻw޽ucƌY|=<<6ol2],uA(>yCC 2dHXXBh gΜqtt\bŌ3b@ ϢBhٲe^:{,BՕ6r[uϟ_paAAѣW\%Esp6mbbcǎxL啖vX If@7*hYIЬYl6fgΜA޲ܤR)Bf:::zQiq֛_|o4KZ!BCC CCCu^hqIH$211As8]/>-0pwoz-@R72ɋ%7h4AnM{S*JV+:ubBP**Z4{j,oJRP(|??r===__߂\ENT'zҜ k6\._xѿ={666߿rrL&p͆f{ÞF_͚5k˖-'N$O;| v_t`0 tiF am޽[lx;wp3f0Lpt:T*IJ$%KܻwҥK>gڵ,^(@SYH m2}7yyy=!>|;vX'H S4EU׶ouŋFFF C}T*fa^ajۍ7bbbtzMBӷogTBU@Ӣ94Id2ÇN<9hР:իcƌYl&M-o$ B"DFF^r%!!ͭGNMM]r>$4-it$|>֬YٳyÇڵ 4 jڑDPdwߟm!ssWS;@ @#I5DPHO:uL&S['b26mZ``{R)]UtAmaL&;uԜ9s:4iҤ8WNشoUѡөu)ު'dSN%$$SRRnjxbCqzzzh4y>F ̝;7??… @[[۷C @iު'deeܺua !dmm}-3lذ,H6h4y#F7LS__QF8qf7bl'FH6h4j" ֶӧ/gժ&MԶm[L&|&lݺuWuѣGfdd̛7bjCp:TO$Xp7o.^hggCСƍ w@#14Iry^^ިQ$ɽ{!ݻq- IDAT'HF @ itFۆ/^p8^&'66/99Y&d5Z"+Hm#/_|׻whH6 Qmhx!!!:1lذ7nfh,V}lۑ#G֬YsԩAdIkƌt҉'X,H6ht oջmI$UV]tҥKnnn [ & @C˛F-\gϞ-bccr1 6l]aP@}Ӡc޽{кuW6WmC]v!(((==7 'oDB!J߿?tiӦ8pd6Jtؿ޽ jU=ԩSs=xɓ`>}tyĉ:t@UͺZco}ԩ/~zIJJѣ,Yfq(NOOBqڢ~6@0w .X[[ߩ9</00fƐl]1V=$+++88֭[-YBVVV7orYYYl]KވFƶ%%%1ĉl6ۄ`Ǐ=zǏ!@Kj 5k۹sMs^kx{{;99M4ѱ]v0(@+0{&l۶_rJ={ѣ]]]222ϟbj5@!P8ڣM$5w;wn\\ܓ'O]^z?/߾}[T?`MNAP(޽3+++333?.[nO>>˗?;'Ba("K-"ਂ[K|VZq(p(XPD* H<)#Wr^><<Pxڵ׏?… hO';::6555y_̙ۛ3ÇL&hŊL&˗|gnn.Í0  Fr8ӧOƶ t:](Ν;Ν;,kԩ>|@;fff_;mmm6}0&%%>**JCCC(Ξ=ϟ?y򤡡ayyybbѣcؠ=rqq "! 믿6448;;'&& m۶YyϞ=sC;vĉ꺺F4`0m|"t𸸸dڵW\9~x~w~޾\jՆ ?~(}Uiiiss3 khheddX,ͮe2&&&>>>Wԉ$+99ƍ'Of0"d21X^^ jv ;;Ǐ:ujʕ Xl`0 >aɶӧeffw!!!NNN_y466=%%rMLLeddjjjZ5Cd,/&&FUUWTTϋrrrw 99C233+++O^UU}KQlo>t-e111=o Mgѷyׯ=<<`0:m1cfϞ[gggf…\.Wd3gٳgUVy{{ƺ"2ٳӧwBCC7oqƠ8bOOϗ/_ t&***=?4t&`4 IX,VMM˗BPķ744|B.9ʈ6 ~VVV,۠s Plfʞa޽>>>...;v[|||ˋ`XZZ޾}'`0q:6{;vlgΜiuW'߮C.bMLQ(##6KAA{FBܱ/Z(66_dϞ=ȒiӦmذ=l{CrM6ٳJ)Ettt?zj)}mڴ (aK 6o޼+W-o޼yڵkUUU~ڵ `t椐п6668p`wX֫RjjjҶhiiCD9􊊊Zܹ͛aUU!EEE]4 '$ W&_t:ֶc]X(sOp ۳gqq1Iyyyuu>͛7 q@;dd;)--3f NOLL,))p80P)tHN`0,Y5&fffԫWƌ#r~M`0;A}'Pbvvv#Fxqw7j(V!!!:k׮mϞWdd$:iҤ}Lfϝ;G\Ș;wnJJʌ3DV5t#GFDDTR \wE@ii7ob@:?{Cm&Mz3HHƍ655"fffΝlݺuΝVVVAAAϟgϯ555xDDD;wk׮}}EEťK=F122ս>ܹsfͺt钽˗/;CL,Z8{9spܹ`ww[n{.{ر MMMɓEN`0{#H$L&O(++|ֶRR&N0o׍|葳3C*++ZR d2LaJ<2<|~ ruuJdHsssqq1Jy?3en2L77FjT*UFFFFFF 4ٳgax+VoNNN---aaaṹ[^6jԨ0X:ҥKw^`wBPZݹXXXɹh4ﰌ J%`0_[}F@F`M(kiiURR?uԤI$n4foܸahh|޽~UVVfdd,Zh޼y;wTPPPTTTPPrܙ`r .TWW׏[jqO!ѣGwtqqqfoLMM?At:s222a0LڟȁTF,b744466߾}{ݺuQZ\._~l6N(X,j`2Щ)++V|5nܸA+***))1 ?@o-///'''++KRT*vr A"uӱ l67 l6:%%ȑ#"0"x秤899+(((o3i8`0^vo'dP(IYYYMI)ݻw[mxxx0LOOO%%%8oS7)(($ `{ *REDuB&0a„GYXXH"8/_tuu0` )~`ې{6 iTzd2J%.@?~e=z ܺJ(IIIfff" fDNNN$߆|7O1IQ(KKK/,YDrЇٳgφ o5$NG P N1 #NgCyH$O?ZVW\0`ѷAFuoP o`0{\QG,!>Cx{{'%%999Nj&MTZZᡢ$"66$1 =t޽OC 閖n244̥޾}쬤hFmE0ن}.7ɫ{VQx;ӧ#Gspp|||LMM---aQ$ PH(&}7 #F0 OOݻwϟ?_"f9tR{{{###:j I0 F"HƽOrJq *Sj*nȐ!?w>ʕ+cccݵtz6䰐`ؤT\p˗.\PPPIF++*11F< UI&&ۈI`$D\l"#:6$o ˡCOM gΜYp!Cն Uۂ p- @kb"I8TII۲eK׭lذa߾}nnnն`kMܷa! tnѢTLL566^q00̔ӧOuΘ1#33IMMM<&ېۤ} so M\.9b޽Kђ455H{www.;vXضl $QEԒ I0D ҍIQ`7ɟ/P fffZXX$''[ZZ]!''g„  3f H"liXH`0'ME<GG"lmm رcO@;ő]411QTT\xq^^ޖ-[lܸq޽:::նP6$$!6,$`0^E_ ѢToQH*na2)))666Ok\.w̙=rvvVSSO6b` νA]hUlr\nbݻwOFF&99YSSS䜕&Lp8m1I$m`IQ`~OZ-kqqqyERR:g\]]uuunj*$Ъmbk,$`0Lso(6iQQc"$֖`8888qb3g~7" ѽA$`0LO7x+T bnn:gΜիW_~mРArrrhLBdž|H$ '!Z0'.6A˽!2 .t///FaM݈ն`ľ Zp Wgob.N:kT,tf?~ ݛ"1ن$  VDıT*UFFFVVx<:L!BRm`0Lߢϻ7HbD555AJPϣн`0L kAk`ZfJpA(; ^Dğ!}q .p |Q`bB~ҥhKIIBRR`0L%;\Lsssӧmt#xbgossp@JJJJJʮ],X0h ''L]n``sN`0('?͛ vر[jjjΞ=1)))''gĉUUUGy۷ogΜ3tPi`0.a=zTWWpvv?3n޼iee;`0m5t|Ied۷ò QYYhddtEEEi`0'!@YYJ*((jkki4Z]]w IDAT]dd?|֭|ԩ6`0]˟1009uիWϟ 5jɔ *_ AP9k׮5kX[[n۶PKKKVVv6`0]k@655zJ[[p {tm`0.%|0 7ו{`0WWp `l9,'m+0 F$+=||] \˩T*D[ZZv%'''m0 #I9ŋg͚Dxyi`0'!_]xl6m%0 7ו{9s&B_)ʌ3o`0/˽-ZDg99EI t_VOO[\\,ms0 F$䫛,YBtzXXm`0L9yPXYY (..$H6 `$AJZZZнb0L7ȗ~Kj )Z`0]7^D @&K&d2D"72kLIb0̗DM |@"Ǥ$@ŋ͛7Ȑd*J&) q ӧ2ȷ|>/^tɓt}) tr(%p //0 &mз455555O4IWW755UUUUUU֭[)((@/y"Y: !4F H477s\>y䐐ÇC$J ,IOOp8\.E0 EaCf8'p֭[O<ׯ_ Z~,FP(Xl`88 rRE"lvttt\\܍78'N2eʊ+eeeC 4ؽA$HEm?~`2 yj//GGG+++ph& HBlkjjp8EEEӦMSQQw^{|@]]=--`s8SqXl`0}ވB8or\.7++ڴiOFoF;sL``oVVc`0}><xM6?k֬wq8XT #jjjFadddddDӍ BCCm4KMH3???77˗/KvPyy+W={(6rJ KPSS{ ےji%M(?mhV$x7ovܹbŊnH$WWWuu  B  FZH$yyÇH0)7Bȷc\.r劝]>eʔoN#9%0& FZ}̌¯,--Iҥ+'E$hvCC͛?~3=~۷H(60044411y)N/^XI^=$sCO6Ǐ?|0gΜ ,6`0vyI){I`@װͮ] ˗/;|СC`VDkb:"{644 0޽{=0ȃW=zip($1IݻK.ݶm[HH#ɻw633 ܽ{q?_0 A?Ӡ'rrr/niiA. ~>3Z1>'$9qovy'''iܾ}; `ٲegFs8,6`^ F>'Mw7D}zƮ~!@Ѭ>'$a[ns͛7 "m3ś7oǏ~zyyyFW6`x+F'y]ݗqF& =mğRqrȽ$0& n,[ի6jkk'OLR~] M㰇`PRf\W^UTTTVVJD")((3eҤIB/j_[BgIH2???00֭[ӷTUUoݺehh䔸 !ؠjFEE1"))O<~5DXSNlbLbѣGaaak֬Ybmlv_okkKh4Rb9%e@|X >|mیmIOO_pFLL: e!1E׭H߽TxPHr…m۶?~SvYf[MК,6`4"/|>XpaLLL``mE477ϟ?ĉ^RUU%z8 Hyax6ܹsg||ݻw.] ;GZZĉ߾}rJ'UnuЋ8m\.oݺ{ݽǏ2ŋHDJP|~w{8Pچ.""&!!A]]]*ujooo55h(D뾱swq$|-33344ԩS&L+WÀá݄thOTs8@ee{]PWWwiӊX ]G|jAqǏ׮]}[|w#Gܱc&ew= 3{B? <}4Fy$ F;uԴi5¿+baI(p8LMM̙#mGrr;w\.ǃ`oО&.$AK.zҞo622Bq8 Zh@SS}B˗UUUUUUMMM7͛7 eee***hSgvRUUUXXXUUU__xa6:nnn>e999=ą$<ݻw޽7otqq1czaÆ-Zf[[[bZ9QNb,Yr! ή_~_~-,, $իW?>lذN9q &Y& nW\uY33355\2###FEE:uDGGə1Ò%Ki۷o޽Ƚuڮĥ(rY,ڵk {ƘgĈYYYo߾RRR䔸QӛAS7 >RSS&N󨩩]~nhhs玝]rr+͛,Y"455lr5*mnnHKKsoO?8p`ذaϟ𜺺jjjh^w^UUUHINN>pΝ;?޼yS__\$lp//'BCCƍWRRv000 HzzzUUUˉH$@ ++{rD➖~~~fͲN RfJNN2e :`kkkaa~___55577QFvyyyn;KΝdddcҍQb6Tjf8p`ݺu ȷUUU%&&]ƪ-//oW\o!uuu@ xiCCCEEE 0{k׮_?`P) msg`0թ[mmmVVVoYYY1L''\pUTT|G:z%K\~3fܻw˗/#F344dggۋD ܸqcȐ!<ÇLKKӹ\n'.?((ݻ$j$YŽ ?ujocXׯpBFFѣӧOHOO1c;4k!/ Μ93yd!333%%%<ϱ^zcƌ̼tҺuX,CЭÁJ FzGoii-TuO*((YYY[YY|o> R___VVlgDY"kjjyxEE =KʺtrssۼysNNNaaaeee}}}SS"aִAǪp sθqϳ` >'O'&&=Bɓ'ՋSSSmmmBÇ#""?͛G477EVVaEEEXXؘ1c`&4?  Bk/^̘Lϝ|ˇ>~8d@gϞ۷ ٳg>}Օ|ҥKKJJ>~=*]?,(o߾ɹu떢"a:ǁ\]]7oޔJ֝C$DD߻woڴiW޳gHJ655JDrwwϾB&L ZZZqqq0dƈJ-Zdee%۫9rL&'$$ܾ};::؍---C%C&O6 VA)d0GHLYYYCW1="wdzNbMDHWcǎ-]ܹsG, ~1c'OсZI,?===I (--mnnf2B0""8۷כ7o.]JL&0K>GQQZGf;f bٵL&G< .xcccl6,&@3"ւ(L߿ZAA|u( 7g$[l9|pzzsjjj:;;9r~=z===mmmFYYY۷*a!<***H"MLLeddjjjO5~G9r䧟~jllb F Kíں{+),,lHy' Ԅ.bnnxoiqwWXF:$$Cm 111鶶K,q%\Z/BpppLL̙3*^eecǎ]vرCrtt0g?`kkeoo$ZjKll,\V" ,XP]]+`0PŰDiiiA*ׯQvbsεoZe߾} hq=\Ww IJKK޽kll<vÇ-Z_rVU^^ S; , -$---,KHBu%BP(lnn^`!CܹSZZ&LjL&˗׮]yhHf:. kjjLLLçM&uo޼9**իW"n5(((''G(Ν;8֔)S\y&/_\WW700qۧ=I<^\HC???OTTTGܢ wgJ__s㴴D)))}.iEEETgD"P(EEENP(Ğ8J:thpᤈ<?4$Nttb]ߗ?|0++ȑ#[l8qDmmmYYjffzq<@ ru\p!333//ɓ'k׮ݸqc]yQQtT(DIsܹEƮXBR&~,[-:s DSb0 ? 555<<\MMmܹ3yh4(#y|}}]vԩSϜ9xM6i<7nܘ;wUaaaccc7]1~B_q{CJTmfرc׮]w_-'N={~W6 Ph=oվ}H$ҭ[Жɓ'bzAb FwZYYٿUQw5'!C r/_rFFFZZZ"VSRRj/`B?{Ǐ,YɓÇwǏ?Ѫs744t0""Q 6ɓ'YYY/7SQQ onn1>Fb#n\?uCD:eʔKN:0nܸ4  K7T__us&Kӽ#ʷqܒ@ee崴Ε ;{ӧ۳g\\njccӪ۲eׯ[JKK;agBʨiiijjjEEEηGGG--ݻwlVVVsN[t#G.\0++Ko|~ccc'*@vE]-ꆈHW??iӦu<o5>jV=uHt,,>>^SS322C9saÜa߀V+4 ؐuȑ< ۷o7443fLnn˗ʂϟomٲ"{޺ukɒ%Tp)2._lCqʈd!-,,,,,BaBBΞ=kmmmll LЈ+++aXRRݻ'//OUUjD}||/ ֬Yd2ϟ?&^,Y@PJML IDATq'O@7aHuCDkqq;g;=z֭[rssxRR{CEjkk+++:F9~wccw%%% ?_166ҥK/^ܰaϷùsͅBofffuu5Bٽ{7ZpElhhԄC}}fq\\\޿AV$1qx>}I--~%%%C޴s\xQUU iϻ7PbŊ3f?ׯ_人:Ç{* 넇_ddd7nx5WW?C6ׯ7.55Uچń ֮]{޽gϞVUUX, 3u6l>2ekkk߿*4^P(婩h##7njkkκ=*'dzASSLN{ir8Á9˗MLL\]] 4rHggAYZZv.fggX gDN;wV#7o666FAB{744?B`'4̞?ɓH qu2.`0\)>) ۨ~:ބ0rԩÇvTF (B888@+,,,-- FEb{_vfʐhK F9X8 4@"=a<oʊ700rrrT*B|od]]]YEE@ zjΜ9GuSB ,]R(6m4@@ࣣOЭIQSScll I2A'{q}+vڒ4MOO?+4䌍LbxxyRRRVo޷nprr 04ҕ!· 7UU^;88`[E@ii7oPZ Og JJJAAAqqq<;w.M*..&<#m'"o`RF]]N (gZ'O|*nmm w߻XXXXb{*4OMojjj\]]---LB"lll.\(TTTӳ7q;ԗvժUǏ3fLAAA;͋/ b *IݽHM6l0w\kkQFmڴz 2eȑ#>\]]o>KKKot:13|wp)7E$"ܽ{֭PfIQ__KuI?5b}.%%ڵkgϞmM]]*dEEEb3?0sDA|r--Ă߿cƍӧOrqqQ"NJpU Dli l6ͮ9~/^|֭ѣG:tHYYٳ۷o'H˖-={@ HHHqƫW͛W\\wwQF]reܸq2իSNZ4"7ndٖBӧ4]!((ghwN}bD$@똴pT*UVVVh>APlmmUTT|||,Xu[߽{d@Ǐ8wN߱cqA'O1cnPE555~!...''g˖-O<̙bŊ7ž'Nhcq+VL0:3pPVD\ʍ#Lw(M&544rss{ҽ]~|Ν"---خ9''B[[s8EEś7o%H/jS]!++ 刊9II&| ]BO655e0k׮}.?pܱcBݻ7x+Wdff޺uk̙Ϟ=#c999wYfQ(ѺuΝ;xu==iӦ[n֭ӦM{ɖ-[=zĉ6F(`Ŋ'OA MapF$voLsRSSɓ'6GI$xVH;En矀)8h, D,ħ-qB>}իW_|yE .7oѣhgϞq8젠 @BB :t0h 6#^I-/tIC444~zC //nĩ Nb0 B7PLRzAi[% w ''M>E [5h.?99yԨQIIIDaJQvdvvԩS7nXZZjmm ĪV=b)))qss"6(A LtnP 󟈼S(x\|yM'D3ppyNS %%%eІudZZZB$"=XVv6֚.T$\@̺ubD ;SSK.uЯ_b7o| ϟ?oeeo)eN}u>’PcJJJ 6`0Ǝvԩ jeeuL$[=N: cbb<<>;q1FRi8DQWD-;:"D(nذ!&&fҤI(Fd,vh,  |~sssSSnllu?|PUU~<ɖ#bhh---@BBž={DFr8\__UV?y$--MNNn#G|_v-==;v[r%\x9sXvbbb;OFFӉq$"O aE)Q-`eee}}ӧ8qbԩ@?萧OZ$BpNzĉӧ8iCa Mڰo`z $ StKK˽{vׯ_|_?ϛ7|*q2$;;[ ܽ{ի7nعsիPɓ>y򤮮̙3Oٹs'`Νk֬IMMzjMM _[nݣFB/ݽUY~W̹9VhhhyֶB"6 ***lmm߼y秡!r[k$$I0>m3 Oo''ݻIIIw)))߿xH?sϞ=P=uT%%%kkk{(&P rwwdڵW\9~x~DXvߥ]vXZZ$ N*DbOωMP*SQQQSSQTTz@QK\$AL&MYYY !C۷_cbbbccW\y 񢑣G+++=ztjj*\nqq[xU6lؐlllG:wi.*+UMddd`e(C 8Ə?j(+Wt݀igzèQƏ HzC\F̷a߆<7@8::FGG755uVVVL&ShpvK>zPYYYVVfcc#.!$$)66###b.â1c18JHpά{k#'N,,T*uĈ***{źu:7@ 7o8z%R o>kk-[DDD='ٶmۯ|$$=)|6 F*r$Kh4uu/_[PQQkii)YXXlnn^\\ܹs`ĉ_޹s'DoH_`oo?f̘ÇWTT8;;XvYe^ȿH@9*OPp8͆JU__XYYxQYYَ[OOϟST@puooo-@ XtСCH$ұc͛666ZZZwÖ-[:dǛ7oޝ;w&M&h6C\`$|x<عd2̢}Kl{h$Vػw/]`Fo)&;v8p:tÐzIpz&}* \PKK+ ;;{ر>|p ZhQbb Z >)KK˰0 cc<Úʺ6"2.6@콠ذ6:v3^qt{}U, Ҥ$^s_g::&$p%!OڿK>|xhhӻwm6jԨUNNN-߿߻wo'''KMI@{IGGǶm[.xԨemmMdրiԥF3˗-ի`;Y>W듞PEHfeل:,BCClϿt>y򤣣iaI /{uiPw#""֮] ݉/^찰0;;;2}նРt 3͚5STHǎQ|Rٳg϶mVZٺtT>W{oPAfdnq~nݺ%J۶m۰a9s渻ggg/,Iv޽[nu %|坄\~ܹ޽{7mڴaÆmM.}tQu AޣށD"155J2k׮7ovssޥ ZjV%=ԧ|((,TI_#aҲqAAA}]v7RJK.sL&ST\.+^ ggg>e˖>}+Apn޼헼nݺ޽{6nhcR A &eX7nܸu{Z 8p ݎud ( J!3H, ߪUŲe7n8=<<|||ڶmkooI&h={nڴۛ~l??RB1f̘ǏfG2}4k$bX,Zf4pV* Zj'N0aBzzҥKtҷo<ҲFѕsD4RT*PR*Buʢ"ꔹO]o}P(RSSݙ/~]CL?h[mp A ZV\.DbP  ‚@ǿjӦM͚5Jڹs)Sjժ W ̊4MJR7RL2 ȁEEEBҥK9999͛7۷ и 6 U61pT*Z%X|QQ@  Ν;w ޽{5=#;;;))iǏr۷Y&L ݚu+!/oAt/$X,1M}?~ŋ͹ ={|e߾}옫qHAGZAJ݄f1:.Huϻwzp0H6 NǦOy#ø=KbϞ=6lx4;t`llܳgOHf-4I"HiQ ț {+ BT*S?Ct6 o-Ǩ㕂)G˸*.)00֭[Njڴi)GԫWYf%IhEZ$RP8]8>r6heyzpٌ7atRW/o fGUlbZliccӱcǍ70Ԇzmz{{QSI|Cd2. LBVANڒ6&Q9ooo++?{lɒ%jynݺjm$@# KTrB`XP(a*\y7)W.i1 f6S( )q4;;;ԩS]]QDү_88807hF7`Mm!HD&2U <9&[mC!KnepF\K# z?f;wIرRԩU6A*TbFԟ0u3&c@2 eq&}8Z]t~Ϲs|}}8Guرf͚ZbkP&A*tn9DPppF?2Ly#Vbz!u֭[޽{wnݴ2AlٲAHf4նH  y\C*G T?&o___++aÆ=|Μ9?8e˖EEEuݽĸV$+A*8;W( qM*vCh2? IDAT܇&'Nhժݻe2Yxx+WBBBAh'mAĠ(FlB&gϞ577?s挽w+''s4bcm Nِ7RL gp6:Bի^^^x/^tСJ*mڴ;m̕If6Z< A0ܽ7 لi'an1&@@@ÇcbbϟիWӦM6lH[3~A,X@cVy&ˡ W~ѣGz{{[XX@trPA 2Ad皞ͮUŊ+7mD;YPJ1cbcc{L7htH R(3{o|l"f!w)GG'NX[[tǏ;wѨ$IH R(F)\.H$3"ǴSK.eee{xxB޼yӮ];{{vl6 $5m O[dRvFOox޽FƲ&M1K$J̊$Xm ALP|Q\qUeMZlYr吐ZvmhΔ7lۆ R)FJjǔ:fe%={OF$Flۆ R(p8Df}.C9BHڵl=355-H A QN|㊋y[[[6 C2$ R)?F(R&) B573fІFA2M7e ,NxmҤɽ{ !={xASn7Bwddddd$!$>>>>>~Մ-[xyyyyy[yڵ ޽{s 6(F_޽{gϞ/Y1..nٲeWٸq !SNwJ=jAG)ϋ{{6ݱcǎ;N:iӦ3g9ru޼y#Fjժ5 Cy#ԬYs…'xf̘޽{WT eddDl R)'yomd26nŋ{zxxA 5jԨ*U|gddf9* HMh/ hH$JJJ255ݾ}7-77wdڴipf8^ pj$"߿?sL//C}Blmmcbb<==gΜ@T(ALP%L# m`$|ҥK#""ΝK;~;'00P./_rʕ*Ur̕I4 >eZR$;;;66k׮СÏ̘1&L֭Zrh6A)ɽ7 # h[ZZ֭[IR@ HHH={˱cǴm*U̞=;!!A @/4 2eZR$??ƍ/ׯŋ\l%rΝ;\J*h6A1p$H" D"Ӊ'ٳ|]0?>s!CVǣ b yAI>~{ׯo߾׷0lذVZ 2 & A[FXf͚={8;;lcc3qD7774 +oL# hL&+**zŲew333hرo߾5kV:ǔ@h ZuA{*oō$2,??޽{QQQ}5k~U*ղebbbOޤIkkk###J % 7 `:J`rֻ卩m`$J>}:wܖ-[.\ػwo}9|/2rN:1&pRPP5!f U2:AAD#k&48yӨm2228pܹ[{ݻ#FԩSmtl )JzSN'1]}T06P2g~:W3^M"~߿߻wX))) rqqtqq166f*1"Mz=(7QPPs֭/_fff }`XM6m۶mXXχu,#9CF\^XX+VoٲR"`ȑ9993f̨Y9SAuHJLAAAtt;wܱcG???GGG+++}ϟ믿^z5u>}Mq+i@ x+-ZZ۔2Jr޼ygϞ1cFÆ ---a&Rn`FB{3& `ѢE...yaͷl`dd"GK>dycj@۶/ӦM:t~G]ڵ+**jرڵrpR5I(9 AD"zqJrԨQ۶mKLLtpp[m233cbb֭[wСCG޻wʕ+b8)hhTx!Cܹch7pnZv:>|F-.Rt&Mmmiii7nᡯ III SѣQ5g}AU&$ɵk&N.w_/(dXLyӨ&LMMmfkk["yyyÇDӧOFq4&RSSrssvoS4t,ɖ.]jbbr4i_&d̙^^^*F9t萗̙3߿/JQ9EbP۾ 6ܼy… Av/I\tґ#GΝ;MԩBX|yJ*W {4n{AM*J$K.رٳt?GxǏ db*&>߰a1cƄ2ӽ"^ZT'K4;vk׮رc 4p„ @`e1|xIbq~~~hh;ڶmSBT?o߾cƌxϻwv믿O<9,,lҤI1&jHVs8J 3tH$.\іNNN [n̘1)))_hQxxxBBmNNNpppfͮ]vڵcN0կ_?//d޽l6ȑ#jՂ[[[[YYѪOo~DN7o9rdPPL:k,x[DDΝ;xSN;v3J%Fv))"FW^)))gΜ)xyy9s .|UQQlPgB{f7lK$]v͛7O':}cvܹxpBȼy"""nݺuݣG_E'NLKK+**"?* ><==<ܹ;GYv+WBrrro>p@v1v#F155]J*ݺu۷oT*tx؄)\ފI"IBBٳTaǎZYT*E ,lݸqC,i\W^=+WRSSU*Ս7 ŋkժu !|>?(((55ظz**""bn,ɓ~mڽFBȬY9 ^"Ij[mn݊}"[Z[[Bn޼oԨ۷l/L8ի111@PJ Bɓ'uw qD"IAuUFMǏwv}}}ut2A.]\\\ >dggg]h6A\}]֢E 333ݝٳg bڴi!!!VVV"ٳ\.۶m0`QobbRj:8,QB MMM ~Bj*vmB:vؿO>y v5h?1@" └5kٳY'-{'OB4 ,2 ~wvڵpB _bA:::tϞ=oݺsLw͵xmsInܸ1s:ر_%߸ǷM&ӢgSS۷Μ9ƍyyypcDC҇yN{[nʕ=2Onݻ'B\\L$HO>9sfڵ3f̷yF(Z[[]B!\.xJz'OLMMJJ,r !vvvVPPu`ղeK{{ ZXX8;;1k`.)e`BU6݃=2ɶm|||hS΢1M wܹs;vk׮ÇB ?}T*w,X @gzzzzz:U "333---??yQF>}ȑ#fń@! !YYYB0;;ux_cǎ;u>|#ZNOOʂEݾ}[VK$H$ իמ={vڵstX $)D/hQ))) 4)RiRR}kX;~/_t}RЂsR*H$>_>55ĉ̷P(>|Q^=x}7nܨ_>!֭+**ڴiS ͛ӧ͛/XFGGnzĉΫWpႹ3ڶm;lذϟ߹sGT&%%Y[[GGGK$Ǐ+I&eeeթSgÆ EEEǏʲ]~'O .m޼YT-&M|ㅻ8qBVϝ;711Q(j]R:0BV@JJ YYY >>>>>V" wYfedd\N:7oLKKez{{'''kܸkwr޵Ν[p-[O.~e˖*UBlZ.**;RYFu^t ^Rx|Æ x/Y% ݰaڵk6l|[^^V*ug'N\`ٳgsss=QD.TjjC7LR^f͚թSÇ۷o_n]DDD6=p@.ۿ3gBufaa+ 322>~f{[2Ǐx/^:tvYfNN:n_䭸D"dffݻ?ظqGѣoC:˕H$ﷴ駟7nׯ߭[^|pڵvA͛'$$0FFF2ā?>33s߿~رc?~,j5  IDAT722СCǎ_|Ç0x-[lܸqϞ=p5dggXѣGWǼ@sR1nnniFF;\7|.`w4??/ӚV* (SIo%IJJ 9$e* !߿p8ݻw̴'EԴ50-~7f-X4߿_v˗Zn#Wݻwg͚bŊQFﺹI$'OCÁ &̙3'22ƍ14lpg;vΝkffָqc7qaÆuޝb9;;իϟ?311177"899رc'ND[߿5kf̘3Pزeuq>};6<ȟI""HAPP $4z+,,[[[CH@pźubqttלDO}Kh.K)p8 6̚5 Vm۶3ťvcǎ=x`i AP(߼ys탂ۧRb1Sjժ+F rttdbmmmbbBx<Lj}fD%UVƛ&37?oB"޲eˆ>` E[(JOX,*ٳgO</,,,h:ӧO r=??Tv͛7۴i#󓓓]]]mmm $0^jwcll t\.iRXˋr֭[ÇS˗T,X@[5ND?69o֬D" B ڵkSeZ͉/^|1cƼ{@"={vҥXP :ݻwU!9R,ӌż\pi޿ɒ%O>>}臫u tї/_^t+x[qܹ6l!!!{'OvA_Cn„ o>sLݍj5ϧJ!^z9fvQ(o߾Ϟ=: -777''?Tմ>}-̯T*'M߯_'O@8_zuy_v&M.]:dȐ[nw&%%Dsoɒ%PpΜ9C U?] !\>}L<Ғ⻈1 4u111ԩ }q|ZmllAAA_4iŋEz(..2w5kH$#G޽{7⯋D"H\:E @Ǩ+D+EB%۷ɓ'wy-Z74vssY+W>|;vH bbbx-bƍ 4 r3x}kKKKXE6m _]J(&&&#Fl޼qd̘1.]ۺuJ0al=ztϟٳg7o\R%@i<:t\.7nܸq>}:nܸܠ[[ۉ'o6m\-[֭kkkkcc)TtwGo\.M6>|0p# OݻwJ"""bccO:Ŭ \~W^ b`M>}ٲefD  | ^ |4(|#lvժUoܸA_رRnnZ2e ),Ljݻw߿*U5j|j5T3gNeC=zEEotM&\cccϘ9;;wٳg{~RfYYYݺu#]tiܹbٳgPaJk.//o̘16,Pŋ]tqvv633-1@mC6BR,E m6xBpqq ]vdddӦM/nnnbzl2##۶m lppydddxxx|||=ya -Nha-aXjb8ݔJ mk``[tcǎMB$ :ux\~ӧOD"/rϟ'V;{̬TdQD"sNxxKV,--+q<Ȉ}!agzWW'O.eӦM%Шy?]4Zf7idĈ%m;vNNNڵܹ\.СÎ;nm۶ 2dӦM۷ܹsKm2IHHpttYGfw9ԟ*T*-JCH$ BP  Ǐ?|p՝;wBԩS'Nlذh) `Y?qA H$HZ~~O6o+C.gddhJNNvrr*^+4ČJ*삂+++(kо@WE5k9;;;+++KKK:O}p;p!ta. ׆ ZXXL8199yȑ߲d\1ݲe˚5kڴiSV-@`ejg@0tCC4NNN=K,Z__K}J}P<ʕ+w޽{S.b{lp|>_#~g& ڵk[ZZnڴ׿+mj:==}/^ڵ3h377711I###xDD[u3z^N5kGWIHH0116ޯn6 `BيdiqaaaܴiS5w B4z찰0*lL6 6t¥˭Rу4̇r1///Q$0t}&&&jiiIKҮ]޻wO*j.R޽{R488NC҈P_F0,թS篿_zk}9u͑#Gigߗ fg+++kkkkkkHlӦ[Ϟ=O>]TT(s>}gϞժUkӦ &lя At ma~~8q"&&& ?JԴ4OOOHp9McM+ up\ k0MÔ _GuV.kl2jԨ͛7i҄jJ t tse֪U++++%%E5kܹsOmۺϝ;WVD,\P$̜9yڵ >>>>>>V":ujΜ9mڴ^:\~YPPݻ !b8<<ͭw޺npq///Z71n:&J vWHHȪU͛Z̜7oիCBBZ.$6ZK~AJ9.K7YrN~cǎܹsᄐyAÓw=z?YÇU*իWΞ==c Bٳ,Yp턄CϠAs.N}'oӦ͚5kJ#Z rss<=={>}~zX|xBȝ;w!(@V_p]vŏ}fUVϟ߼yu뚚2!bU6c=I#:Gsk*UV^={lٳg bڴi!!!VVV"ٳ޽FX-jN~;24bH$*** 55… >}.8СCWWWf6Xoq A JRr9]0k"ajjի^[:Q*5jԠB6l H~g=wK]D.ggg3VXx={ƌcgggccWPvdU⵻L42lvj^~zj77>Tɓ''&&9880HRmcV$j[b8 '-,*U ٳ/h^pFmh,}XR Lm#_l$&&XbܸqƟ7:څ,X@GЕIZMcOJ"R?~k}Ԑ剉 I(pB$AH ma :@BP(߽{שS'x{{7iҤ:~/rm۶M4_>Ň|Jwd{^a䎐 4uZjժ9997n_¾X,vZ~Zn $ݨ1Wq A 6 T*vb7oje.]O4[7v9a UfCu999h!XGG=qƍ5_$Ri6ܶ0$cE1@(uqqY|9kٲkpT33={ȼ$ `t@JBm$7mgY&**}uԁtji6V$AԟQTZZ666_%K۷o; Yf=~gϞKAztNj}!o@qctssU=~I&L2̙3;wvuun3^GAJpTp;e˖uV^]#6T*&{ܚ]7f5]0t%r\.J% nh<˻|֭[=== QBxbq@@mF$ @`M"HR$P(ݻu떫k׮]իgllϞ=۷oɓ'MMM۶m[fMZy,f[|G)my#T80 bT*bqaaaQQ@ :' o߾Ç;v4m\$ɝ;w VjUf?Rf}dl311Q@=)0A x,D"ѓ'O222 *HA]B222^gi*.͐YAC7AgP(d2pP@} sSNM4駟~MW$QAtu( bF'"R),MǒnN^99}1ia`Ց>:3Ѥof7}aÆ'ONNNșnٲe͚5mڴU iVM;4k3l|s\AߥU|T* E tQn5&s+(JlBa }PvmKK-[~zѢE~juzzy.]m&8tОmچF)@%0s8%L&J47FoXMG׮h/mpI&_7oڴã&J2))iԨQ۷F1h$ArUd2\o`FoN GC[hiP}ZCvw+T()f6?D"4RRqƧOvٰaJ<kѢ3bVI66)0V碛mR646ʱF> t5&C7F/F*D"f f<}tÆ :u233+A?~رՃ$fffLm{`6EmC +p!L7D>ZZ CI#eF&,I&G9sСCmllt:¼ݻw/[UV lAx^/!H/394B c0'm*iL aig2y#o IDAT ;%)X%QrժUIIIͫ\.>8ZxؐURmcOcĶmRHRѩ 9ҁA.r,oK,F|]78Ʉ.m7@r MxWW 6T^] Jݻw۷Um4qӨX+X(o&׮];vVwALɓaÆ֭[CH6H ΑmaNڂNt}8|Ci`?& olBv{͛~ɀH$rʈ#ԩӤIf IXն@H g9c@{o20M8r .۷FkСCkѢEݺuMMM5r _I1YbFMhKEB˚VVV-JJJ1c8ovvvTTԁ]]]e$!n$>C$q A0I& J4+v`negg{zzY%GRL4:tpppUyƬHնA !oft.??˄۷׫W)rg~gJնm[h\dG# !Szݺ 7s<.⒓ԯ_ ']ֿʕ+nZ367Z< A)3FUfMC*fׯ_XF/UG=ztÆ 7n b}f'n3!m-)lB6E.a>Ι3۷&L8fNNnڡCwww25I4 ʘmGhXf8 ~:**jժ K**--m̙wڵ#GҶmmh$A)[kIq(M&.]266޺u'!˗#F(**j׮ ר۶!QʰbvJB!AD" uEEE"͛)))۶mcÆ suumѢDi iF+JhD)CI ˅ o sOz,^@@'O5kA46ۘI@PAe[lX t6WT*mڴ9jԨ5kBt tHjm6AB7لB !6ҨQ#h&63k$ er"o6VY,B022b+Tlll|GA|P~0J%(IBJB!˕JejԨF  IQAe9Y"+hDؐv+j HY [Zѣ… +iiiuԹvG 9zrJ^_5JFcll! Fo͛sΜ97n8qb*jƌ}}s;vlѢŖ-[:dAD;֪UիWΚ5k>|LJJZr۷?}4p=%%eܹ'NpwwA˛Z޵kٳVOquurJzd2YN&Mdoo߯_sժUɓ'`DA.yqbkll<|p++dP8tЦMj߿ ѣG_niiQ# ?JJ.(ogg\ÇMMM !*Ud͛uʕ+kԨѽ{ի{ ȏR7&|>ճfڱcLJjժekkxw:88Ν;{ ȏRέ%@zz5,HJ$>U^JV'''}RJ+WB\ e !oő+  e :_|YCɠƃ h U\933Sߣ@AtE7^8 H.:$ H*JC@AtH{ׯY.]!tttAmRN>ݽ{wT|ɓʍ RΨXT*mmm}277qT ֩X{oޙ՜>khׂ)&eό"MJA 0Y>5Ì}2vBF-#TEz{)tãs:G~z]ׅL2%d2MVo,GGG.RQQwHk533?tJ>;yC+z,L6'B]vE(z8\M,S@$4t~y#&!"}M'ZL$am# a:IM$t"r8&:HH$jll bDDD=zlٲEEEN3 ΔNA鴓8ѶƆ@͛ & RSSSSSB߼yFFE_tByXax'OTVVVQQsssswwxB9E_ )0~gEA`[ccccc@ |>?>>>44tӦM$FFe``baaannNP :Z Ȟ$߹s={._>;ht$y#+6le$vM??;w,l)d207oRN(}a6'I;vlG3fLpʕ%K())l0[:5k$xׯݻ377c.^XYY& oI͛W[[{y=== lZZZ7o @Irssu떒"OmCݸqC__/77&z#IH W$wެYϟdoݺu7o?Y, elTg W+ [Qv*oMmEٳgWXo>OOOE;w.$$dժU^^^T 9P8z/id#dDB8Li=[Ӷm͛O8q%E7n7|3|\f>))[\I;yIHڅ (z,::ZCC)I80@gELO\B!Dm0B9. YQ5<},D}6l,((5kő#G=fxAAA񇱱1S]JP8daÞ2\䡱СCiiiOii@ PHFSUUҥȑ#}||>:emڶ I233===Ǎ> !7n8OOL(:%1Nō! ϟ?ps禧s8gH$*,,~ѣ/\0`ݻwɜxd.Voӑ0/^x۶m&MR[ıc֯_f蔐F|/c(7oĥV\1*G͘1N޽W`2ԽJYAFPȞ$Nnw}A)vΝ;&LoCCCl6M@ p?-=&;"(""b=200 !&)SIb# /] ާ777;;jjj8G&m@ꈛds͞=ÇS#۷o_z'I!CpR/"coDHE.[TTXSSsΝm!SS;wq\Rل\@ A&j+W}sn޼988 RI֋+țF,///gg/+dlRA]]ŋ...YYY`6Ğ$+++[tݻA>N@@1ce V89L ؜lj$+ׯ_7l0c 9Ivݻ722rӦMF t HZj\.722RSSs޽]vѢE***l6[II LCHI5߿llӧ.!ɔӧ7""bڴimIX_A=C#0\.7>>Ν;Ϟ=)BJJJLgBMM^z'E"ܲԎ?>~N2?,,Tm#Y.?_p!%%r޽… _zL^_R$ #)|>zΜ9ǏѣTN1p@X+Vp܁J&77wӦM#G\RKKk̙[]600իW3fHMM666=ZzuJJɓ'-,,uC!djjZ^^0|pj ٶmeeeaaa4ݻrWHHȶmb1FAehH,p$%!!E' 744D988Ι3'///$$ׁW -++;v__͝;w޼y,_~***qqqdս{w֭[5k{,X{Ao߾ѣ֭5={ 355H()ٶm/^񱶶NJJچJNNΆFq!.݄B![|tOt3g۷o͚5!!!~)444--Ν;O޺u!Cϟ_PPP__-**jllOKދU__9%o_.8Rq\َ544=yCvgtppҲgX}TmmB',oݺ\~7n8qBXCCֶ!T^^.- xSpRd%o$kIUVVfff޿wޭ=ӧO tٳgcbb&Lr97|cjjŹ\nHHH'NHns$s޼y9rbK-[6b 8rL0&&fϞ=aÆ޽{?xÇfͪ @>4b.SJJʈ#TTTdw^mmO HWW32++kAAA[n߾}ڃ-J UUU#G 6mɒ%ϙ3-**jܹRѣG ǟͶ6h#8Meeeiii}vXQQѣO:uKKAQD޾}U,7󃃃mmm²j.K[A EWVV>ݻ#Gܳg  _|IQX,x" /K0~ŋgff|ݻwx#6i!՛Rm >tooCa7'`ccdɒg:tK.M_`llnllܣG7o\xf^:eʔnݺ2fc&L0443fGnrsskkk/]+b NOO'k8jU  H9ppK `XYY>BFIDDKKKAr+/՛4 &$^9s&$$dΝxDFF._<))ں HV֪7o X`/,,,r+**lll1~m1c$''#x<^ܦH ?ݱcΧO0֭rxG>LP8?b/2?ޱO[455 srrp4mVIGިF;jjjSRR޽ ~xVVy( Ҟ>}_VVVWWwu6hۖ5vظ8:hY,Q?e577WRR15XKMMmQ|{yyeffB8Px~$Y</??O>R< ,--=<<\?nA3\kٲe}>|xFFyWIIInnnӼ߿fܸqx1'+URR]AAA˚5k>ƇuUV]x rss>~Z={F?~roܸakk{ٳg뗛ˌ(j]ʂW>~855Ȩټ%K!=33e˖ Ǐw7oܿ?!e-kjjH [n!;$kH{#H L IDAT# ֶ;v,[,>>>00PZCl0LjQbŊ~(M@P\K͛k9jjjÇ|2BŋG=p.SBE"o޼9rȾ}2Jٹ{{HKjkk>^CXZZVUUx<| Ya# ֶ̙3wޕ׸<6YGr-<&T5/_ݻΝ%}ɇ/+--hg&>|j$444~"jȾ}?`ܾ}{ԨQk BR5*1 -$Z]])r&s\nQQQ```UUUzz={6^cZ4;;v틊"ǏCxyyq8V -b E`N 2E Z$E*з+""!?4[V" 7ntԂ\)'}}}mm~׷͗ШU$چs/]voE iZOĉ_|񅣣ÇBw޸$B())ήO>'OD%&&OC%3uppS5R1Fj6|r_Yڅ  啕EfX9>)/_ndddllf;:[l֭ۈ#N>M-1:::rrBh;w{DoӼ& LLLڷo_Ԃ\)RֲC__ϟKf]]S'&٣U>Kjkk+++9{VUxbbzeeeUUU={DK.]payy7|#첲߿oiiYTTtԩ]744sbxڵ-ə8q"Ͽ~X,ӧOmmibŋ̙ݫsСZ쫔gp8 :4rHXuVGGf߾}rHp<+jhhN2%!!ŋwMNN?~ƍ<$.Sg*D^SSJJJ$2>+EZJ<8=)۷Ǐ޽HL`TTTTTT`TSĉ/\S:޷oߏvv\8;;{{{oܸ@[[[MMf3 :N7 & VZHaҲ+!b &sNkcc#é8|X,ҭb܁2e_h[PUUXސ ,7z>ovDΝ;-G}uwȑBpܹ?nGutt;wnpp0phW` FjkkǎjRRbU.+V|h<6l8v^"Cϟ?D=fϞmoo-JJJ,K*{`m人?8_\/_Zmm-qb*k t:`0,KIIIIIIYY4((رc&LgiN ?~'LLL猗TG wz7Ijg$JG⴨ׯĐ(j9JH* ^ګW/\mEikk뛚pI@>ge)Z!oT-d0WUUUOO{?(&SZ^:i>D?Vq~~~zzzx?[H HoUh433Ǐ0%QTVVVTTL05%g233MMM%{֭ިK7"l******jjjjjjcǎԴ'qyґ7o| yН;wMlذ>}`U# A /@@FH*N٣G ;)S|mmm͛ЀӢ<8tP&s###=<<8NBBBRRb/!a``@d jk NŸ#L~iii͜93++#R,55 z5 n:RkD޽;!!An#_jզM<<H 2:n``#I(p7 ѣGJJ 5-ÇiQW\),,444gee)$‚z6'bI3S444455---oKe-DP%1 j(ur`0X ϟ?DZ7Hz˸V;'8eeeUUU444 }||>|lBYЪґv_ORggjhhOxJ 1L@U/MHHPliݻ꺺^ԧLT#YXjOX455uuu=<vXi][ǏtlW@0,BtРAyyy2˗԰Dx6ؓ!(0d2666O,;;ؔ,,,$:tN>=aR%C3[+jN6JB!!|>E)kjjpu+WO ,5$Pð!&&fժUnnnX̰Q#m***xqbhe'9N]]]uuueeeyyΜ9Kٝ2 @CC1111 `Μ9;߿ tXr6ϳX,lÓ5GOtttHHP(5$HaeP( 󳲲lß UUUUTTa@@ Ͷɑ×,Y|E={5)p&OloopN8xbWW#222WХK-[6b 8ӧO t\Kqܹ>}`ٟ$7)"I6$l%%% yFLLL|}}SSSNJʓaÆ@ / >拿l6{7n/_|̙}Y&$$/vΝӧO:ugϞ<D7n(--=w\BBBtt?Ztڵk322nݺQ]]q1}cǎر#::!xW;wԱ433[l.M$EGG;::vj #p f#78x? ' `ݥKOOO>ooo߬ݣmoo٥Ktm8=+mTSRR>|CdZƍ)))zzzMFٳ'66644!ѿ⢢":{Є  njT,YٳҥDK]Z\\ ^#7)Kz:I15ިS6uǛzrrrv횴ўv횓S^\]][!U3#<M?aÆ;v8p`…nZ4rРAϟ/((4hիWB<$ #B6?E\|yRRuUUDK]ZTTСCF`zYgiNO$}L5;::z{{ܹS#iܹ=(H: E#sssLbgg;wz-;;;::FEFF1+Gvqq ?# ^Q$m -u;J(M)P?7NCsrrj6=G1x>}[|$ lnH$b۲e۷o`ѣGIh[ӥ)Y"]?AkRgx+›xݺusrr*((8BaaSnno׮]%*PH6HDuK;{DxEYh&Od$IbG444>\n}}=lIKK{yBB_|!ϡ3ٙܕQ%Z۰lvp]rVZiӦ555l$>-B6Xh4ܽ`b%%%+!8]& @!ʔ)_nF<5qRUU$"NDzGfvr|>_ =*; @Ow0\!Qzj'ihFamΩ?I7iE?$gg]*jRww:mmmhS@ubȢ m7]]UQQ!uek|yτxIR0y{"\YII֤Xu7n\jj}RRR߾}2'O|Wfff6ֆGH2-JUx+<|,oAtFV)xr#۳z6Y`)XBt:/B!nG5>||1ù|r@@T# $ F0:KL*))aYvk!H:KLeF xC-/} U F/_pB 5&&f*NB5$miN!eNPxF (++]8:a%vnv@rmH!oCSp7 '@r޽{_ڵK֕MBY $m`mAje2e B!) 38u.m](=3jA:9 ]}jLH8W___QQ]]] ãd̘1$I5Rmtn[ψICHȭtJERo&M$Zل,ȥ$''KyⅫk׮]G/l FĐei&@~& 5Gʗ4跋؛lzL$ mtN>*\~/PUUlc$IIȺM#A&+/G": IDAT ]1Q$3QFMԛQ[[ggϖ0~ȯgϞXn$7b$!BHN 2-+OTNIQWE QdKMMmʕO`6!لNhkk`OnذC"$,Y{ &QˑJM۶1boTf\Z־KKKs)UUUr8oÇcǎ;ԥZ$Qm $홎'ol6pلT*Ie=IJJD8cƌ_}DmRڶt8:$zFqp}tرcoݺz3C[j[ж Q }QI,kС]t5jԞ={tzHHȨQe!Im@Ǣjb6V@4h`2 ן1c 055URRK7u M$m-o߽b(r˖-aXX 60t8:!J7ڿU wqm@޽;l)++s lBJJJ|>!Cl6<y }lpx  BxeFA7D1]deL `y"J60t: bb1Ū׳gOD1P{[ h@V-ibe޼y|55D yc''t;;;:v옢ȜNzCم#7mT__ߚ92==rӦM}V %TV\ikk{ׯ]`>tss{eII޽{\8a„^z)z@̛/_477G5jFFF&Mr劃۷o555555=jMtĪ ϟOsrrD"S׮]vzΝwލ5jʔ)Æ ڻw N9!---&TRRZf͵k"""켽=dMt ccG"޼yӧOϟ:ujܹ,ѱBgz#0{oڴ͛7/߿u,-- lv@@ o-i ~!;;[__[n >Gy:=W LL-$$DCde-Ao8?3g>Wĉ***7B;v ܒKt3JJJeeePyƏOzphǃt>>/yC͝;WBC SymN"bq׮]Bzzz%%%d1t>F5k.uN9s&Fht:'zt FFHrǏ#^xrJeee:`0 B(@s:'ɢM$ B@ O^ZZz@  {ɓmmmonaaaiicǎ޽{eeex<>ۓt ? M InkhhHIIY`w}7g===rSWW8p Xl aBt*$uOÇ/=T"'''GFFΘ1#((HIIf3LEqcy%HB$6nxl6ܺv cg2&ΰz× G𢭴tҥ7oի3ue`23бm8F$ӧO733۳gOϞ=?m!ѳgݻwxM!0t:Y# KKKN?tڵK.1x`@իW/Rքp,oM$8}ɓׯ_fͤIZ{X~,]TMM!Db1U@3ZҬlٲ{urrRRRO0 << Yfz Mp.0g:Qmyr3gtss_LLLJ*tSSӍ7͜9ݻ\.htkDdRܹsW^lԩSuttdqjUUU}}e˖ZYY/e@ǰm#F@rK.رYEEEv3227o^~~ٳoB]ޭ%2TUUEEEڲX,9 F dee\R[[&v{$???44T,8pN>چbXvvvš`6h_y0`[ff]\\bccͥh$i t:<66e陙XH80کZmj$IHHXl… gΜᩩ9::jjj.[`=ZKmsĉ[6LUUUҚ4i?c {f)(iw֒fmUUU_ٳg۶mkmBhhhxqXXX޽/^&,j6?(&FZWUU9rhBf;889r*<< Zu)zEިFm|>ӧӧO۱cm? bǎvvvӧO)9V80(va-imϿ~… ̙3w\==vGb/_޽{wQM%I|Ç=zh555Eљ6mɢE޼y3yd|iL&&rF֒f$uuu7nLOO߶m_|ѮmICCœ"##l &oj[8FmK.mllܼyU; '^?>f Ʉ]r@1j[$=c 33={ٳ#jB`sϞ=fffӧO&vJ `-iH~ tڵC/nh4BaTTTϞ= { ~ d孩lԶ-''g֬Yچb2666Ԝ9sWQLImr޽ߺmܸTmN711;v~rA."[kDdRQQQ˖-:uŋ]tkA^^^ 5=`KNA o߾ etttzAM>Q$9ζm۶o߾sN???MM_QQxȑ#Æ SQQiBSN򊋋#JLL MXXB<o…...sέiz@Hjժ#FDEE{!ۀCFGGk׮mܸ1 `Ȑ!/_&窩wyk׮'N 'N?~9C=|pZZڏ?XQQWo6:mG!#I~~~hhX,>x𠝝2*o}J!C?*))=}t[nݵk;{,߳gڸqc߷o޼y3ɬEmذa[nMII/))9tҥK̙er.:3W^GEedd)))絰X,;;Ch|0H)˛233g̘knniF}}ѣGk׮%q/UUU}}}ѿ==wٳg扉Mx5~M:!$_zeddt H4x>}xyy?\!@@~O]]]||{ /NwfHHHff&Ul)oj[v-iM<911qĉuuuM_`ff`0lP(D cM_VOOfUWWWWW 2!ԥKŦY v̈́OOV]~ddqe74&o8VTIrvڸqclll```m[m͚5={>Wx+dWC2eJKJJ!rаpww2e*551sI<޵kƍL[V``֭[.K/c8@kQ$D*++W\yʕÇ,k֬)--utt$/Y#((ɓaaa-ꫯpرׯѡhs ë7 $E9ݻ甆2jԨ#G$&&XR6|‘>OZI&ɆŋFGGw޽muF~[SSSRRbnn^VV {NWWFjkkPۢDnݺD"###.[^^^XXhff֭[7#Bo߾511!*--544BKNN466/\n]t:jw6ɛDkmYYY .5jԢEڦXE(~W~-?iTTT/V,/W^P8Ԓ$>kdGn޼yŊ#G;Y,(@ Dykڶ kۑ#GٳqѣGI}H$ݲɋ-6mZpp0V8&b.%3* [mꢣo߾}$Jeee}}'* իWB!ٻwթrŋ={ MihhxAXX###FG 7bĈgϞaWVV.--ӓH>BDHdWRR2o޼Ǐ;99VB˗/8q@ h%ByyyzĉϜ9wމ'VWWn*,,> f8ѣ_xΊß˗!!!fffwٳ'$kjj^xaccs ̕+W|||Nz޽%*C_111?ϟ_\\KЙ3g p5D IiӦ͞=F]za]9}C?^VV,Eݻ ٳ={CBB?NS*P-Zcǎ/^H<طo_---___ ( qk6>_WWWQQQ\\Z[[oܸUrsnnnFFFpppӇaaav7nܥKN>meeu"CCcǎ-]٣Gǎ{#GkΝ;~cc㼼w<׌%NyfF$;9y9s,]te޽](9sJ}]^^7|cr!;uڠA䄻]~y͚5kԨѕ+WLzH СC<طo_Faݻ<իWO:URR:Z`R(QQQ0iҤe˖͛7oW@[(SRR~7H\\?'''N\jһ6nڵkאt$IIIyӧ\>rm۶7orcݼysa)//͛kZWWW<~_6!9|'q$>'OL3tЉ'nݺwdxZZZΝ;Xq"ry(GXbڴif.k]v?.֯_?eʔ={GRSSmgggLUvYQލTʷre˖=yO?}c2ڷoɓ/_te˖ݻWRcǎݰaCRRRvv6.5 Iyk׌FZ}vΝ;9:::99ۓ=( ee6DEEmٲ%---33PRt:Iҩ۰x{{n6m={o?\&yzzhРݻwWSN>}|駹EEEǏwttwttdޕd3]VV֞={Ο?OتUs 7nܪUCfeeZ`~߱cGmQQQzb={l̘1Rt̙%WM[߾}{|;$$dݺu7>zh߾}a[ʱIt:ZT* ={v;wvС#x왫+Ik={RXXwM:CCJVVVupptYYYz^T|0B*8bWWWPnnT*D`ItffKyߢׯGFFj*$$aÆ B.d2D[vn&=lsĉC , &ٳC^:|pvjfH)Ucǎ=x &&fÆ eyVBBBtttaa'p{1.߳gϚ5kI&M;ܹs?T*...xM*G.ɯ"(_xCFbL&Á stt ;ydUu֬Y&L/F_i4wm۶ !3sYfum999gϾvZzzkz}~~ fffΘ1G7nٲ%88!BǏӧO|||~~>BxڴiGʺ}vƓ'O2ɩs'y{q# oSr;29#N)lllllllKr'''__VZM:5665 =zaaa"hFںus޽wٯ_n۶mdȑÇ֭z={6m_x֭[\[ڵk:ѣG5kBhѢE ,={%K7olkkaMxJةSn7!o)~$0WZ[=@Ҍ 1yyyd~!99orL^fF&i4G 6L"رccǎussٳ'oРW JH$j;]\\BBBN>—y#7(2dH=ݻWRRIӴD"zɓ'7l5dȐ#G ryQQQLL͛mll*i?~~~5R(2L^ _Lnx o W}`$- 9#I$aÆڵѱbr...W^%Mnj3sLA"b1P(pD$twttr=VF Œ > iԨQFFF&M\n ȳ<<ȢE֮]qFZP(zjggg988ܸqZݽI&&LXx֭[u:Ν;V':w\TTM)d2L Sq`#yIUq EQz^~]jZR(ʢ 99͛0aB^_3''A3J2777;; 7{ƓZ(BKgg .˵8p@R͟?????77W.SՠA\/*,,*))qwwwtttYYYyyy 4p8CT*J[BW\բE ;;;ƌm$ {:rJ7 VUT/%\\\\aaazz͛7_Way_GGرc;vpss|޽{[lq̃`0̟?۷oҤ s JEM3H$LH |xC%ZptqJdo8|ի^^^۷oW(U򓔑JrqqquuοǏaΝɮmR!6=8"Q( oJ*p4M >>8ͤ*XېMTlc$:u1cDDDT`j{.^y^^^& s I2x2?207z\.[&$''/^NF1&&f߾}b$P~yMqndW-~הJvmJJJ&O|MWWWFn$bX ^PHQ-dÙ&AN$]~}{5FϞ=(..wmn[PHUM#8ڙ6D ܺu+((h׮];vՌ7n| ߿^zAE2mbdB6뛡V϶OT2#)ر?UV :ZW}:_zzzj|gH2/O D"&dͼ~$k۶ͼyRRRKv4f͚[xxxٙlc6($P[M21(T*ݵkWrrƍqOL:]tqss3/4Yl#mU:w0w1 d㋈ٳٹfZaG޽;.$yclIe @ e0T*E:۹7oT*{ɡ˝;w"""RiI`3mRPH>еXFbf kxΝ;߹sgȐ!AAA5<8ydtt7.$a/A-nh+}w|DʹiӦN:};ƶiӦYf3g'|RcCݾ}ʕ+Zhaggnjm$$)Nm`"7](cv%6mdk&''\n&aرcƍ #˶@Q[zӅL$1iӦRĉO<ٱcB?...6%'m"I.\ ,7 ŽqR$]v_~񞞞U>>`0֫Wdg3A! ( SzVVjy9eIIIvvvRRRNNζmۺuV#|}||pl3$I۠PK@$ma^l^*g ;6&&&""JhѢ-Zxyyۛ6FoIjZЛM޸Ǽ-bbb>|xbWW7K.o߾mjЛM뵔xdWL&;xǏ7olccS-))y󦿿+Yf#7HGX,p'I($ڣV7bM$888>>aÆzgϞEDD˶f^ IbɅzZ&%%%ZqDTfggߺu`;v,ܸq?V(ڵWF6&$ ˶j(-A?{#2ZW0wu#FXzСC3gGVeLv1/ۆ'$x @š&d&м~Yip|||lll͛ѣ9sm搦5klݺ_dg%Ij367TFn37 ԍDxK doȊ7P۶mBO>}uJĉ5jԫW+W\nڵk-:dUJKL,^u?ӪUVXѠAѣG+SNݺu)))YYY;v?|x)SN:Yz*Ndo۱cGxxu>}:w{zz\E(~G&ʪˏZÇNNNN\^=gggˎ *JKP o` mڴijTGXGQG&'Q]Dݾ}!d4 EGխ!Cz@***:tXP] o/^jHWWW 7TJK\]];v|cǎԭ6mi,X:jZ{{{ZH$U &'QD"ù\. VR<]!.]Xz8pLn9PMYFf~\\\B/_@3p\rƒ>йw[7](m?!6o!h,=`4|㑻ۖ)T*ݻBFDdcZz\Q G/#`7(bfrjUC>e@-]ti|NPgϞիfo8 z=EQ:86<O p8>O+uٳgϚ5k\agg,8*K)$xNR N0i}8V !@@Q'uVÆ }}}]@Y7c*2-IQ`j`0iaX[zPcv&Mx,3Z8zNh`jz=61do7i˲㱠rLND(^j!YZ&5&koT96~pCH$SNe㏀hko6؆''kUh4|>_ z>׹PambҤI#F0N1WENdO^!/Vz^(-P]@0/`@V|[.]d2^oTyBNWI( ?02fA>& [{Y?ƍRImd/*O+ǤmY5LbPZ@eA2ZOMk6UDA`L&FH+pp}80(Wm M&"UѬ?☱ J j'7*Tf*6|ĝ h4,'ʾ |LYsݛ *'(;r9T;T*RcF#7y7/HꆻU@x6_|¢SVPL7hT iZ܀/ut%N t,{i 7@82?iS:;7 .Ҡp0qx ރّ`0gASx[w.l Pwьkv"Kn e "m'-=`ټ;@xQ'6i'J2w  UWxJ#:u*++mp]]ɓIuwlU-[lq9믿2YjՒ%K/_gYC aU*Gyk~Wm,[,99V3S-m׮]J=ztvbbbT*]К5k6mڭ[;w qưSN>[n2eԩScccR9~zZ4hB(%Kt:N믿ڶmۦM#FctttÆ ?~֍7:tн{y4hի===CBBp'VXbڵk}}}B ,hӦ|pÇj:--W^ .B3gl޼a*EQgϞ=z-^;p@oܸa4L>~W\9sQB)))ƍ3fϜ97<<|ΝROTƔPaa͛7^>|7o޼W^]rٳg޲eˆ g̘A^kѢEk׮gff'))IV'$$˗/:k׮Ԕ7oĬ\r}􉋋H$-xbbbϜ9tyWW*@Q{;uꔫkBBW\\ʕ+-ZdkkꚘȼ~MuÇo߾}ҥ=2@0qD\>f̘SNi!t-Ht Kn߾=|p7a„̼-ɘdȩ_MrrrRvvv8p۷o#Μ9ӻwo`^ Ô)Sx<^߾}ϝ;:|… M^EEEF?D{o| O'N5kh4* //h@ۯ_ӧO#.^vp\㝗Oq֣G4Mzz:yD!,+++;;C3Um߾} yϠAw?FDD۷ovLݲe˕+W]3cƌ!C򐐐Ǐs\3uv՞={d@W_ IDATnݺrf͚sŊSLw޶mKu۷{<O co{ OܴiӰa233>F3{쐐>}޽_~o޽{LLLz 7VT'NpaZ5jԨgϞ͞=<2l0rnjˀ(V[TTի7n={e|:^7JazNc>R\\l=ϟ?7222"8VPP@nGmGuʕw0 LV4T*KJJ? kB8{7RRR^zUTTj(Ph233qWOksٽ{wΝ]RdRiro?))Amذa|uqFСC|xDDDͷn:p@wwݻw4} oϟGDD!1"//Ν;۵kMaaa'N$oȝ;wڵkG~W+Vizҥ>>>ǏOKKiԩSޭ[_h^|5kO|#|;s̍7?~LNw8C5׵wJ Ds2&u)!)&M߿?-M*V B!{=zo$_x ,M״iSgիWTks8k'88ؤiUV^d`xťK_>`;v۷!te[[[۷'~'֬Y?+n޼yҥ7oT<Ǐ kΝ;̙3G]v=^ysݺuk;wDo/,,曜FӰa*2<77M47ku.\k;vB"(((hӦM~~~ſ;tѨQ>}T*gg砠 <ZK\6t~m„ &7og}'ƍo0/{Ѽy>裁XɊ6 bp7Z3322<88΀믓'O~5Bq8[[[rlr4X9.G={… 믖-[qƯ^"w_ziccseB1vؘwWˇwjÇw(ӕJ%sxzZ&=Tke8k훐`4U*յkט/CNNNoKJJ i믿P((zEZZBhҤIzڽ{wPPPbbAD"]/**:sL6m.^xСs'O|Gay… 333{HT{ Bhv|駳f۷/۾}{NW'''\+ãǎ۶mM6 ݖ-[nڴo߾ .dj'ǎ?8::Zkopuuڵkn233x޽۷/_j={DB0 @,8sk޼9B( ˗d;w5qƩQQQ^^^Z/8}tqqg}F 5M׮]'tUN;qℓS֭>|8f̘3g|[ꊋ RT_@ iZR7=<<[:tرc\\Mӹ 򊎎1bmV&.\000ڵkyh*Tr*VnRd^kmd4}}}ͫt #&to,7h<9D$.C^<'jU*UIIIQQQAAAnnnxxxYcǎjٲe oܸpٲe?`1bӧBa=ƍ1wI܂$ B( ࣏>ڵҥK-8819~N۾}[VXhbcc?_~wÇ .tO?/ .?~ʔ)wӧO%ۑp88::HRHͫLod4zNSUrZ ?=z̙3c|sppW(2 {kK$n:y}|~xxGƂR&Uh!!!d'uq??G6id֭\.Ǐ}vFFEQgΜٿøq2- P}⪻v-^xaooem߾=n矫T*"233Ò2!.JJJjSzp2Zr-[FGGwݻ>>>111vvv}!"eBڒQQQSLYfÇqspcN8q׮])))?s֭Ov1yȵkd22? piۤ7lذ:ZZZ @˗/]]])R666FիW̎\x=*JK<.-PZbAq8x<jr&L.+aa Ax` BX!o7V+  Ax` u>.b\.p8p͍Z$C .u \.\yrW- | &-k*^CxQ$iCx<> jFt(K3zhKoA BX,d2Bÿd .|ħN>/ BH$JFtB`0FK|Xw-e< )bD"b:x<TskodZD`^7 4M[zP(,=>?^HJu>c&D"D"(V(ٛP$$AN$q*c7@r)"`J4M9IN)2 oNNNB9uP@?XRT*D"2x27]uY/\˭giE B $v:NFՕ` o!2QWD"^x8''djYP%\.M!3|EE8ukoB9  cA),,_x#gU'<\`O7XBK"8fpex96xLt:uk`EY~}0ÑJ"bg<3A4m͕>xqxP`X `|8AAA|>>|9<9Ib$p 6!KAx goW\ Ьï]` 72k&ToooKx{{7n^0JdAAANNN-=4kЬYB2 `/oeH] ҢE >@r-[LII!KhK`F.Ү];KzI X ` r,DQTjjj,=4ѡCtmݐ6XjIג\[ӒMXWRikkkY\T*7YzPTlœ.NT*999Y!D"G5mu&JUѼxӓ|ʕ3g5 !m۶~=yDզ|3f̨|lC)J6^k1OVN:uܹ '''xyp̙-Z~W_}DAAAoؿ4h0mڴ1cƼ :uk֬Y^Ν;<~xӦMO<鲲ϑ#G~j16 ALNV"`BX\c^ON~w{ST!//֭[?vpp7pe݋/j^zuq!U$bO4Z`@ HKKS2jcOaa!>*|jdoM϶j_7//OPxyyGGG \T)ٽx!t…2~_5 nX͏suZ/^أG`ppMtttddӧe2Y߾}Bf:u7|VC JL&cPUݻa!!!}ٽ{w~<==ݻm۶ 6|Ϟ=+15k֮]^zs̙qttݻw.]HEhsssۮ]s8UV'%%[lrJBT ! X:N(ʢ¼ [wE5m;B!M*J&h!##8:^z._!)u4jTVDʷ>{/^P(lmmmllRH$кER''x<m!>/ 73c# qlKKK޽;~٤F#B"TI)**Jp8 Zrp8 ɓ'Wuiذ[%U3e*9m] 6as17nXz\ՂWSow~:.L M8 \.4j֭[uVFx<~{WK X99יx<^ƍ-Uh4&''7l1dKAxlB rC&988|ײe˟K6f 9`#oM|>> ۟>>N$% 6!Z &M(8K٣P(7n, f% a> g={h^dI``P( " u t_J$y{{Su1K}=JQ7@61" Y~9>Ju}Ŗ#,^[n"H,I*'{Ax,CB D":tPXXqFKM6nXTTK>%|X `!2YIDAT7|" bX,KҰ <|d.X 44T*b 72$-OI$ #<<` tssu%7jI|Ʊ$pݺuj .0kYfiZ???D"HȜn !œxOI$T*Hd2ٰagYzט1cv1h \.J[7R< 7>$ B7T7zM65iDZzV4iٳgN$lllpx#;ޘ-=^*`+VC 5DbS/^^^.\`k .xyy]xqȑ$ocfo&-=d*oP838(J,(2wСC]\\>^zYz5˗֭[_xצMr\.p$sZR7vhbXh4Ft:NSJ$%%%'''##HR՝?{#Jmmmݝ<==mlld2BP(8ڑIWdoɗi@`4%EQ8o3|~6mZm `isVȤ"YB˓xWr[[[BR7`5 S4MIX_IgPht:B4M[YlCfٽ /\ ON7Pxª]|>*F$9@E2/ o$x nj@xF8@@ӴX,&3S7Xj*EQ7fg5Hl#Hx;qC^oM&5؍!B!BH,:{t:V88[{#Wh#]bı %5X$‘܅4$m(YYyŒ $xN6` kpx鍓EzR3ꘁAL86I.#u#y^okIoc):y7fդ6`e`[7*0҆w4, 1DH#s*AxVG/fm$pGoՍ`F8RBL7`ˤf$¡#*AxVddTD;j.y/` :+7V+  Ax` BX!o/IENDB`PKʠ ;PKAOEBPS/img/digestauth.gif\GIF89a-7$)6,6..99'''666G[fu,X)i*r?g6wAADs.\O$Im*Mw3I`3Q`3QsF[A.D+\.V3Q/2evy.f.h5w+y6l9$@@A.poCkK9mQ3yO.~Q$~Y?wc0PPPIUuIjynJFtAkuiOfff`smpyfuuu.-JWen/W0h$m*u.t7uyN-CRJjBoy\ijfyzi.-[DLU[ZpbfiepstrGYkqty.FN-Z(ec*`3f(m;s.s3W\.lh*p.u5y.VSqIuqwEypyfXoYI[[atfyevsfyǃ̉-ΓFʛkܨ\Ťjwȱpڨfרtزxqy†āׅʄؕŕڊ㦷ȸýבÿŽɻ͐ȥغǴ׺ԫ›ɧ«Ʋɹҫ۱ַȫźƹҷ⼎·řäȸұ©ǶշДخ!, H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJիXjʵׯ`ÊKٳhӪ];u_|'۸l6ۺs[.ܽ[7_U;j(@ jo\CX:k_*UR}7o`ǷvK7ÿK7VU{=ʸ=㇮+3$,dQ{3y%HV]:!@s^1fO-3;ԂnbhU~c,S:ٍ݉4J.΄2XKɅO< * tV!L&%dN)7Mݤ=L`s4㹁9=,P>~+l3=(C5<5ۍ]6CiIuَ:q~X D7 @D?sUK 28r;F> Xн?灋 !:zsO3&J5>9@OO?); Ԃ̠F/8?lBо'Yp mjь䥏j<_d>L@qcD`*&"#:`Y31 ЅtX7~'Dj 4"[UFAi,I{JG#ZB92 v Xq0ʢDC$Q P)CU&O tC%<Ut; X—ȎjZlդ~xF`'ijN 6SD&GRPN `w41ӉU=y,E)|s"I0wH\JU<; )Pj:f!z~Lh/}SlQJ*xBH'"e|@1,`5yNlf쀥-j>SʔIC\CŔd&C\F(TW)h=*2!(MlERbh_G,;v*8僮ɒZPkfZ ZvAXH= $z=|&geY~ ?ZZBVenb<ؑR]Ԧ8z,%[ar"e|:BC)9r25.ƛ tVBb?= <@7K[/\|Res&@Åpf 8`JS[ec & (Z%H7 h,2m.X(2N7&$J@Ɛx(#D[H(~ᴔH|\fFE6OF`9"78Fd1y4%sFtЉiO=2P@z)E@ÔlkA{7bGii)<eA VMҰK> <RdsεW5<-a"m//# }706%A0Q蔔&^wSNy&RDFBDVWk;FAUgDoS[B;=K?K/O:ѵQsI( 萊G.YÊb!v#fp 3Dipș;KeH-x@P(ts!z .{$uF/yNy#-)QF5Q!1 S#p s0B w~ݣ  s}Pzh|:F@ ` ayA7@ n)Z o;xXP]sGq4sQpw,PϢ Y#r*S*wFl6@jC`v2 @@'yy`9gbѓD8 :lZ7P}@q;W؈3X1B@ް}P __80}# @P=^Hv#Jx9m-!0]yè ChU7r#{ t6XBP{N!gYZֵ8z"WofymIRh'kSgigA<#[Ajw$ j=K&jѱB[Pt/ 1}7w!pS+,0I)c/45\zI{30p03z;3sq1 P8ѲlqMsay'~' 8ݣB`|7΀AI0z bEN Ϡj oڲgк2Vpc /tZpēs(f9Y=acaȨz Ej`b¡:DёR૏(/`!0㿐^3Oqi:3, 3PJvq *?D:ȸU23<[H( X@Lc>"$b-<H#b$[A\HGWU\QƈHQ,X|tRar,ǂ<ȅLȎȎ\#1/}G\Bbpoɧɨɩʫv [QL U7˼˾<̾ K[ 'b<\|7#BY\;DP?fY+=0[={Wa|W!!.ba#"P2T=lXLr p g-RjA=\q]aCXL50p R ࡄ{"JS,1S1|W3^B  +G<Pp!xZW =2 0 =B$ AazhG;{HG& K% s |s9۾;;1T1J0qpՂ@բ ] }q=O=}c\ÊZ &( *;-!"R  $D0 A !%ߛ" e<Ud_|IL+Q CNRۻb#-nur.G^䇹T"= ?-Q۔z-D,]G"*_bKdfM@^ ^BR S-U}p&ea+P@-7\!5H.De\O1^qHdd"?$AIM ҰKnBWX4_68:<X4LTeQN<$TLN R?T/UX$>;&$$^Yd_fhKGlnVeDLsݢaJ16O4Dg\lV5_e eTeX$B)2$]@UuN?5E ?"F#pB*ru]@@ȟX^O/__%##)`5OD4L_;v DxPaB .^<{/?=~RH%MDReU VSA5m/E|}VhbС>R> TU"jg}7~v]bͪ Z9㷓\uRw"\EX1Z.+ W'͚n^KKjάSvy?ÔmKw vVpC^G]ma]M]/]wxvGOrGݯ~Pk_~ `暴Z D0AԑQPj8@:|ȨCۋ'`DJ9OEiEF0?qlzH|h>Th'<+Rχ K DS0ͯs3ίVӽʒ&-S&_A-B4Vi4R>IMK7'>t%C տ$ StUP9LKk@%=XbWI1SԑR5~+9yGZ_Ѭ+R98bbz͓FM6*h#~@s2 'ş~fN3Q ޅ7ɫgVy+$)! hDd&%xglڎplfR{ {: ;Yf{<`#>@gh@yaD29: Saꇺ C1':  25|`1R"tT kёkte{Sj1}=ғ6ue٣Kvl0%`^GK|M_>%JMM8 GAK֖A7La} .aBPJ&XA/̎[I5c Tt !" I@ fp! faPN=N^CH1: ( υ_!`胗C9vPIxh9ӠXG| kۋ9[Nrʰ?1!,GyDlu!xC :@У$g> [^nstmtBh(`#5isI*K :>$'+3:+ +A[ھv=JM< ]9@ {^w?%b{Arq*Y鰒lKRy@t@5F.~p}0a"Ŀ _Ii?D_\4-PJ=r&Kb`5u *42+9Q9ges<`#$2zPZ㊹}W\$Ioi0mi\ӫQAB|lQہHԏH8܅ a$] #<~qw`φv=$sp:wM ev]Q..[1&%*7to$I&{bf% @Y-mFUЕq4g O2#I̯^.N̓y 'PɧuP$!K-Zve+Es\~йt uX6@qLm|z@8GhXN&t󭹒;Y.ilDdwO\\D=:jW#:;#zy=ь#>E+zBpFE\ #mB09ɿD DV +&77r{,]2>ٻg'`7jc҈a4{;$NEPxّPV=ƾ.ޠi?"hwa ]P?ܹT!3kdؿ(T9YppB \D[3`4VG@@)' T\Ț8هӠA?v?IB@@\:u704;p'$ \M` "H \< Q[w@Ú!‘HU "@FԞ/k )L;: _RUJZB܍ZD6>yBhB6R>T h7>YyED6zP/p` T<r  ?Ȅ+ a 5@*<\-${8: h$B능t% ƓЛpXAsD [4ƐptltЁz&H.0&@@$xQh94{`qSlh{*x(CADbTG&Jk!h_&7~H4 GÚyMY+8!v,!h/o,v; >\<@J0t< ~+ Z(68%C&Hp\DႉQx}(qy2e?XzL唛{ S! 9L ~(4H hXX 30jtUPϦ2@E|̅&YP 4FRδ1@ ]Nd O) dHJ 4 =(;shρ˲4bO@ʽ##yy']Nj8>Ȝ儩QKb,XE&Ṗ c[$ȟİ~I'QX lQܴ @@I)Y~`ج90hHN,S;u #`D)%AE Џ@E\ YlaR!Fl`n$AF F  KMC|~apPJU E&eURLB'6] Uh GRXT(ı zH JCyqM ]9X( I\X8 KᶘNRqS| u0UЅ)3]@a(+؛"pVFGe 0\8oDٛ`ְ:W{eڻ=j5x*݁U5<0 (ȓppښ 3 үLcu(וM XXth窨1 S۽@-)VIȍU^p\ʉAJ JHP$[]H ~=P/a,M X8*e"wM ڜfr0<5̪r^5 ={`qڗp։#ZX~Xh]]$]mۥS 7"n2Rnò%̟4NzwY`YNsN >z"pj@ۡ!uUxW]_$AT6Y٪-Y'^^<ҴP\P}=ʧ|=(ayXU8'ڭ%] v=ҀDxkA`(NR(~`d5R$}{Ps_wR!Q# {]*]6>8c+Xv+9Zn[ ṅ*I Swad'^!]HT;4+L=ufT8YۻVWw>T(9gfZ {02$D1+bʱ `۴bWe`h7ĂR=ah#%ӥ8;%Y@9CVcl>EH%J =p%a9n:"%f<\pZj\~8׷h,18]#R]uwBfSv|[ap0h6w(kvH9&) յ8kv(9 RpAYT׍4} x2XIwZ{M=X[7f`kFa̳[롖!~0\Bzέq(tn 04M |P%6N|ػ=羉SxM-+2 8o҄}J؇m@sQ9d;{a+h0bքzph $¾o̮V2~Ȝ$6}pCȕ]Xu`܁_3)gsȄRޅ ]$b!jr~#Og'9n ލk g~R@/ Qu>ׄ@]RPލHc'߳A?~k ^ 1Mg 1^PT6rUE  aV8F(<=)GZH39Mg]W3eCjݩp8|sEY$8f;̄tactC9 !8o+wsp\0mO =LDu;y\p]#kł '{vv{w|geĎǸO_O#mqu]or/ȓ_P1|A`Oy\UPaiH#TD6gz4vj`VXݢGZ@֭Rz7W`I0\N@Ti{=v{~x؁vpr3kc wA֙LJk[*П{P/z͇r3[:8;ׅavH{8Ư߈{ ·Ew:X~o;)o*׎ ~\~}I|N۠sG{\}5,h B$lUtAh"FK]<|2,i$ʔ*W"̇oV;7QΠ*}=|2m)ԂًW-T+x vk`pLZ,ܸrϪԙUcnA\}#HnC0eaZB~c*\GClUZls-15Sjsk1¡ֽ.w`WٜNBL::,]{ ת,W".,K.d:22g<4V-lb*@U *㝵K1Ht|m8vyx\YHbF셦ˁ#ٵV;U U^9bD [HMqJU EO9=Y'ҖaBf"r)BgO柘 G)%bu#~cT L,igC h * MTZ2㟋F%6z3- T6O }jPxFߪބg~{~MMǦ:5:lJB$PM峕PJ@PʗKB{-FڪSҮdOܵ"V$Y:%JKO HJ쯈ޫ.ikVP^ 0P[!)/9蝨/ J& Ú;Lq>]50UJ;|@ZK[ '>;O5mcj)Uں {NW@l<Ӂ2%Փ@A=D9?sQ?v RRCcwS&Ўx F?A  rO{`.R?lMפUEpQ&c7FSH10ltFG(֋ ڋ@C3)@ :zt0D` ;(&d"QD@qx!Va a{G a)=H`fDc18})B1vLHs7*(jơB$;Q(@zxQ|E<==rps4l>{<4#Bǁb|CA2>0(Ϙ̦y>t$ 7M x,9xNK3Iџ;kS{($@1`$ >Q ~x>IlvӚK&QyT`83xL !hp %Y3RMLr<8A7 @#$&{{4E+t 0Delo R$8zu LG^Ut0kBwLZxҷRUHJɼ>f$@{ a@G?!nN-(&Kc~=  wMڐ46=EH'{ HqߨDă$% :!R$n|IF b3Q! h@BW!&@2OxE@p! {GŴM"acH[ N!az7 {|B ,: }*B ʇ!$+u" >㤘$'= PF/8rx =C= Q3A-6j1Ր9L#>i Y>BMh&L`/f6i{̄t{ #m@D`p`IчNڑ{O˻kϟõa,7ٔޣ:RR>&Ot<2 u}-{ pF;1Z|Ft~J(MVJqp@F v;u/YN7Bzud+,ʁ1=AHXh_DŽ(V&} 'a'>F wM2b<8ˠb>h:% rW] )f@[, ;nr!ڏ$D$@&]ns0VⰫ8q Z%܄0Rc 0Tt B scO$ A{yL&=d" !\yѠHzp΃DiI^bש{vqt^2fi%&6[KUy+яll(24G/hkSĩyP-4CpA{YД?CM8H ё_$U>ԃ3|`JG7I)pL?\ESY>  D?̌FpQSW3ù ^f(`4nnUkіmZ`֕$ALCX3C@xAl 1e%vIHD"!I@^C A;T8%?u+F #f[44] 0[1E WNcg 5SJ=0q0[9^TR  `;>#c\<.J@@ub  !y_z)\TI$>#xB-f U^\0a9Ux$4"H]l,>ҡbD EK^D?AdbԘ5C%!PC$r%b&r" }b(("b*`D?@ DX~%%aIZ"/011"22*:a*&TcIfl6)8Z991;hni%,B]=#cf?@6 A5ڏ ocDqNdU$0g1FNG_Ng *u^IQJdLq ]t$O%tc\ILeU`eh AWW*Xe'_,':Ev6E`&aET'HcŎe!oY7Qg]Gnȏgr}hDNi^)N)[F6iԃBę)J,iItMJ(TxH}*阖)Vꤪ. YxpjԂԆ*i£Ʀ٢-; ǘji E3| @I *j<㘎nj h)ꬮ]G~ɣB**+븊ikiI,JMMj)k$ u*d/>4BMeEY,EFoi/οt8 a)|)T}XSoGRC{M:DTʆHL.npcK3~8$+ZooB`0 GMC`h4a름Dh,(McQ̈ICm7>F`EV\q? ijF*D k;F\Mf!2"ǎ3p F^2&g&o2&p2((r+JDGȭ",2-ײ-2.i,@.//Q . Pbŷ+4G4O35W5[._6o37k3,($q,~:B:3<<3=s:IQs<׳>3?>3Êh@p*z3vI,.MXbIg`P4 |"b?8 ҏ~~0Ы d,8EHFa?tG vs@y!D&ГFcW_;lYgѦUm[jopi.q_m^ @ ~Lj/aD U]T5΃݆V0/hн^L>?A- Bpu{w7.@-ugWdk䇯}~ ;_}b/bšYПFJ 1P ۊ'R8 QDΡjD:aQFYf{~|,#A{l+X)ʶP @+a. S)u `1eGK4l Q7GE:SO=ëaN@ -TO%1<|xGG! s`UTMNZPI-D%4,{HTWa3cLkUWQ]YL`-+%)_m6xJIX>ukcUl24*7IpJq~Ο{:Ȩ΢L^頨9D]tQn 5$ix\ߊwwѪ5nʩA -Xe Bؾ5(xt: t/2'(hyx& '3&:) 07dTڕ._Pa,ᇟOZH x\IpF&b*spCgjJ0:z `g),h.!! d a5&n->9\=xI fb],24B \ w@bc@Ny0/7j?H9ODF< e9R@ iV>AEb`›db00P_P,]^c"GрD{G96,,^(b3QA4C!Hc֦Q0@/q%bcF=3<9b?$ru2^QC ˏJG*ʉT"2 (:B@5уkjH0iʱ]t$g♣jcp‰%z/ -/,F ӞN@4Y?&r/hGopi>ּ&>A̦E pk>O r18"ҠJqWQC(j$Pk RBm63RbvYSNٌR`@ P \#/]PubZhuԚޜ]ՌD*j@B+]K>zԯ&^!j< ٣pAS?ȎT9:{ rjaaRҺ]S؉q.҈Qx…9GUuQζM)ɢżk `b$]TvWG5tHg8A2^H\gle+Z?q Q  ؙ Dg::\P3x]c(˄S@VZ/6KFG;*RLt칇Uxȫ2d`0AC](!Ue͗tzgC_#gfc8Ɖ!tB sfg"so_Y>VvE:]Ȫ;F5]3?$!(3{Fم$5a9@=\-F8;(2ΏP(@s Ko:Yvx{ 0Ļm,?0C}]s2GeH뢓 Ml2JzR I<]0lxr!BW& Qwp`S|ջ ~.QijHoah^*-(.tIs*$  Y FX?ڿw޼汄6H\C`* ~/B¥k A >#?"0'N0R+Dږ'O# pj`%<KNP b<@BJŚAÂ}EԁpVZ}v ⻐čkTazDU#ېA"|jj Gʫldtx ,VAC8-vaȪ-ưA < V;ڐpDnB;t d;>1 tb>!'I6ءqYA9,ooa'tn{"%d![pRͱIGQdArP nG 1"ARpa j 13iR/_%f,/-$y+Fފ/ֱ|a" B1F&!,a'N`a+Enn2 Q'r.$,\NHxtݢa+.屫xcj,&)(z '1s.GJP!j stF-2d&017=3mӛԑc/bب056O`a 7)8Q+9*tq9ɉ7J.fJ 8q''SSFfS+s.PXk_* ó(7RGR? '3/<843As$'_J>+@s>c$+9CAAFfS.I4 Py-+(P0sEDZ>s] MȈ,ʾ TGQ!t-4 -649?CwKHGJQ{T-ƎKo;Lw!O,TO~lK73t>,Δ6?NAM), TP@uk!QAN%4G-PGDCSRAA+D4PI0_.@sx&}b `^r/_RtC[uPEYT@Z 6L6+pUuxVndr)r4"z) "\4QR1SEZ'溂 ti\$T`Z*RQ_Zs5ܕL />@hC@. b8;5Y;Rx§+ a4)'*4A. &?N@[5\f*`,+fhs*^ 8AvN9k}Tukn$`*( gu_jrV25B*a`V zB #i!_)pxu@6O1d= kA+tgKnqSvqTvcWSuQ4@wGz@ xyy7zWzwz=J2uX7C>Bi ױw}W}7~W~w~pE{/|ͷA4 8xxA{٪OD ã|!=A8ExI=Xv3$?_ "1OPhmq8uxy}Xaa Eqњ8x{xRTX8xmK.,2*N88D\xš m8);d Qx?nT` j8: hXTؒ1 $twx` r)}rwsmX)FZ`!†$y]aY-ZMSjT,x '/\@2:)A\ *ka ;YfiXAx f8`a^ hxl`!!4a8`i4@z,8QИS,nX' 4K Y<` :A!YP3&z3 ` 4`|&xẲ`:<:`$@BU@̩XoP  fmn 4K1qoZyo kC;am( mX@`AYH ~y A) .AAֺr <VZ`YjʪA }@sY^qyQ#Y/zǗ%9 [[yyc `[R ۆ=A<; {pϳЫ=F e۱Oa [tҀXL{k!;ē jաa!ƀiX&(GaV!۶_9dh[4ݛ9lZXWQWZ|oA:o!l ͧ`Fy1ZiX}='!!T\Нk|V йy<,>U/Y %Twz3qX"l$vh1@. `.3\ n.r.K@sЧ}z4گqA$!Ԯ؇sŁ^uA۝Jm3_yݻptJ>^EĻAX5ҙ?ڹiOy!㝞㟾mX[)dءkdixP!4 š?ꣾ!Cޛ>~9aEHųaf~b/+4q_=?'CwBd7:\7%Anj-v5J?gƸ|>d?o?+୩aL hBb:H`XȈp#x%{tqhDȑ$KiGa^QI21hUT b4pc:--2\   XsMaN> ui!R@Hu" M@%bCf3%n\#GU,CYZbe(OS6(Qg. #h`h`xer&: dMEI]%kfR6g7"5ޱͲSlP ^m)E%~ nݭڞn2 rNz :**;/%,r6ce/BKRKN?M>\*(hZou^ vbMv,̺S-P PKը;w~ xNxwޥJ-1GdܒOޓ%7Uyoyz袏Nz{8KMS{5yΘݩ{|O|񽟂,?n}U ڣ;w=ߏ}O>KI}R<;<,ǭn,*p lv]p#={ ^ Bc:H&a}cX" u1Bn0+4a U. YP<!2FCy/a4DqP)P;(B1Tbh,VqZ"0qaTz#rIlc͘F;&q̃ȼ:|ܣ? 2!8Aa2,%%/Ljr'?iI22&)AF(ICjp`ZXNO-kKZ%/YUĤ\;dsl3 hJsԬ5ljs7 ps,9ωtsl; O;PKM\\PKAOEBPS/img/multipleldap.gif,GIF89a.a....'''777G\fs.\.pAo.OyE\N.O..fwv.AAAApAyO.GGGOO\VVVA\yoEJok\fffpyfuuu.-LF\O\\fffpv.O.\.\.f.yyAfJv\f\f\pHfAp\yy\ffzm.--.\M\ffqyffprEI\\frfqvyfty..J\B\O.ff.f.\\.mp.u.O\\O\\\AfAfArGp\ppfAvA.o\D\\tffy‚ˇ-͐-ґ.ȉȂB͘\ҕDқ\ԟkܨ\שmfsy‚ȁׂ͉דƇ㔽൷ѽȱ܇׽Ŵ׻ҥ˜̦ķ˻ҫ۱ضи㻅མȘ¨ʺƵȇǗҐˉ͑҉ҕͧ٫׵کܴ!,.a H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJիXjʵׯ`-رaӆ-UKW+[}4WC8}s z7"0*_K^ֱG!E+w3` |=. ^Zx csC[ Y?cVշC}?&zjs)%ΐ[o|5{|{'ƸmS~yF 7qؐhQ>\(Av8ᆼH`nr}'tHwa]J}s*ˆ\y{zӕ#h!e6k-Lc\K҅ ĠaiUMe`eV>!N!?U[TĢBYlu|*(T5xPᐶ}.T d?#Lci9LV<$gaP3@&P ^q<.# h1-Nn.10֣hD _"78ZLAlc4HG@sÛ1H`#"&? d,P '@æqJ `Ed,Ay&C1H9 i` Mu< wleڑ ZvA#ŜJ0ٹ`D>嚘i$B>CX44xChWt)<h!d ej'2jF*!Z@%#)(H䲱mΠ@+TJAdʏI$;^KV#h54@(W4 @a @S>萉k/:H.&^@a =Q'`BӦv4fBJ 3@-Ft%#p[> xuRq*NA #x+@6$Yd-V4ΚLj kG"D@MP2x5j@B9N'Fykҏ: BbX*/GRA ((#}@ڠ+>Po܁L[!84Y) UnofؑB9DYFyHFJٔNPٔ8zk2\aZA}u0AG$$rFhvd`hQb`Iuy¸zxҥP`m+EbplM_іR0%SIL~U藏 XMC7@Vf%:c:`X~%V0B\UP8{ :M pr%׀V8p] ɠUXW9Hmi7XV=׃@E^'Bإ]QtTc ` f0o#EPDODf`Ysf@c(ڤ:(ׂP HHqqpd@kM+*H kpjp5`M6ZipoNjGVkk;Y&އ:㫦EITdpjr oop$`ppЖ˽nx rJT 7vR45P9@5ت;so[Pj'v0tQ7uuvpivA mWh%VMX%֊CRxMظ0 ,0Eٵ]d۞ {~{A`;Fbr6 iJh־ Qȶ[|hg#9:4BehA8ZhUKm\Wf D; G:lζW)8HAH;% qm p%G@*q f:G'|eF ~үxtzvv|q60J͛8; w*M=L#Ͱ!JBI9P4=0WJ<4NJ;zWYcTehh= opag0w'^5y]qݛlrC7v&c`MfESF˸s\c!+): qDUiG 5`P -4[ 7KLhJqӷmE2)PTk<6ѿh %m]$AZ*zHs6`0 ugύM̐ӂ 1Fڂzf86wUMSV7 vhndݙXX9\R0Pg}X}n|g=9\ltmx^{=׀-D؆M5ܝ=m.Avh̗8 KM-o@ jژ4=۲=eں$FЋn^ۜ Z^B_-ݓ=alٽT)THPn/|G߸qV{i|^N@v JWC$D5ncӞN=609>ϩ(GohXN{%yjX>LY.qψp "  P_h R1* ?𗰓^XX)ɇ/?#o ,._O$]N$| !/𾁓RXjy !; 3;UPZP 41}QPMY쐈jW |} d2)_or|;؈w'&ҷ ; _0B_1B+P"Q/kR! _*y (?BǨ/}u3^Qߧ}G ph"hOBB/.|OB >QD&/cA9 (P0p,زSL5mv В(Pv5[xx0MMZ#BIjIN <UenO͞E;g)hnEj?~Rt鿨 f 7jTKA "g-7  r\8$R _FF\Q>e@a8յm?O ._ d; ۜ8thԽ{ק/HP7 wӯgxv.?͊!N~d2k pA g!.)1,D) l.\ƙ#@dH1AD"I$,$k+4 QF;mJ/ L QrxLq4ܯ5PRSE3a@ QaKʧKGdmLLDKCԀ'O:°jVܯQ` `RtT1ӠL`UR-=V: f +p<o?R9Q9$Wt4S)N ^DT[ ko 6[PRt@ڕضDJ (c ʌ}yٲ3pM9?}&хc ^A)Ky@}j!8 e 椽)5Fkeeɢ?!$ |)*(!f,aEFCkfp`62,HթɖXN#ajilOk{O|e`QQ|D;;t$4 tݲVDA'>x'xGxB2=ʔN2DH{?|'|?_KT8ZGl;9${!`8@Ѐ_b./~hC"u_5AvЃaE8B0`]=,УޡjFX pC0?!}D"шBDbxD"(A)@d!)kV4Ŵ͋_c8F2ьgDcHEcȔ]V[V>яd 9HBҐA!ҩI!HLrғ'EJRҔD)UO H$i T" K`$e/"^d,f0 c*ӛ́f2Li R$ Or&)F42ΣӜDg:չNv3\D"M(&S UO~Ve?PԠ=hAPm:-"{gLsU=FQp4hH7*R)UhE&,}(`{!Y"Ӆ<5K-z%[)>NȦ5]S SF)+)Jԁ[e TaS20 4Kku ` #&uj,J^x5~@PV$=bq=p56&LKxJt2M%;mE8>-Rje;9@eekbeۈgx2μS*QGgMG\InskG.h2F\r#wmq\&FP8əKw{w#Ϋ#18`(. @ [*s[>*LE&<'x .`1Ӊr@,X+;db 1~m)fҊ5b89FT"8_E8$e۔xBD QUG7 bfO[#o@zW2Cr|-?U*gd~%r %Z]XwYF6{t0bQ*dgQW⅟bmIA>huSp2N=N>n Ai8`brST7\mxcD&RݻZ?qC Wӏa;op`]ʪ+@S}!ߦKQ.܆!GA˷e]tGU#ҩ0[L1ސooye87$Cb|w%Dy%.o76טS];p1)C>꒏HA.t j^-$8Z!6pC\dNԙ"/J] !} \{ٽ}{e~p|/Iפ MAۤ D9:\#/_#l0.6s!+X?Q6+@kX@ "@Xbg? #D #@s<<K#?4 " sbt@i?Z!QB. ?z d<53TA+6)A+a?9B 9?d;TB8(LD0T*< 6Cx C1N ܪA4@;lšHC2T &C?Q+|D <3BDU?t0CM6FE$bD 9T*)AEI6DeA4)(ReB$D,ȩcNT@l $E@~DxЉ,Q(xtljc l HrHȉH ȏHȐ,I<ɑT BGH$HDȖPSED|h3 Px|-C/kH߁Ǡʢ LJXJhʩIlFV|C4~<*Xj]PFH5p8#JaDZxGy|KTKL$̪Dm\$d\+|0X|kD|p)qrL$<\LKؔMڬ͞>EM8#g`ʹʃԉ(4F*FJNΜd lZ@͹ MhJ8 ~L.Х\ =PuNA\OdzPn( ̘,˔IφN]J%Q/|χFOJHD*HX X4hx8WGLH"hm RҢ#ER%e p(L, HYǖH8QHXF@q`0_z`$U$XCJ#b/tGb 6L\T54Wb+ZREZb!Y2^2]|(cD~3)dx!MŅNK,c'$F`6 ={P J">5S+kq{NGFK"[ =(qP(:(jg|0 Ph${dH+#eY膶 [, V$ģUqa@ Ŋi`{1Q ;џk1-;X{&Je810c36.{j{1}QVa) N 0 b~&0X L*ٟ"JhHŸ ֙.N̛0&UkK X <.+J͸Y Q۞&26c6B(pnɠ۟F Nf)-bl¶m Π>n6A! ֗'l6Mꢳl  nX$WB '#/ M!!'JdL! 'j6B8LLb=* p >b$W"6*XnMro0qpq"Sf.b#2r!/N¦#ymIp1 s>!' h WĀ9' J)3@$( gFB0ԭ _ >d8"9^7·?QĀQ&$Y 6a W:A7HlV+w"+^<(.~Hyx̣= ?E BscCD|1E  z&7JRrE*V\$%iG/]A,gEY2".aK[$ ɉ#!fo4IjZ6):J3%3!dհ'p')z 1O|Sϋȉ l ^$Gg"&ÊR+юfԣ(,d@Dm<@ Vs3DIY7eNmӞiMwJԞT4u8M(T!,m)a䎙5eXͪVլ` Vq[H}2QE\J׺vͫ^ZUh.j5V騪b*6xc'Kϯ֑[`UE. u2{:촦M-! UoC[ÜjYp[~`0M.q4+eg Fͺvjw/"^8w;y+dT/|W(w/~Qr"w?/Kx9~0Dp/4VxAoavX>o3;'nͶx7/VkW3c817"s^E&H ]EB2?㴈2X2K)@i2Zāa#ZF "/o$g1[ff&sR3jgƳ\}/z볂 t{-Hq-+tA9Wz DQӂm99Ҩvd!kIF'f 84.΀D8bvb:UAd>Kc/SuJی4:Ȱn>x9j~GiN ,SH;>2BQ@q(|@K.HSyl7An|_$G|>qǁ&,oK-28,XLQ>Tf:Q4&?Y441Md.7ɶ=^ f8nWP. dww]AvGDw/Q~QDZԥj[/@`4yo//ʋG7г.GPcV{?aiKZ7_}/hG 0U}W_l3ky]C WPPCfewAwgOj~Al:k–rZ%|Wr=BilDH W yDQmPuEaB61mF;72k&rdv8fEJ3RHn䧂-Hb7Uk;(`&i-J' 0NEVC ~= 諾Ԩ!M kCcB)m-*qP<ت芦2 3GdG =Ѵ)] P2"Cz8@JO[˵^  Ln.zE^ӦiS)[Z+P@b]Jx+eYDýދQ材&LGl(,@&p硳ٛHb6ʙZE|oSեYn J백~OT2QD'۬W*~RH% ’-w/Fg^5cF ^T1t2Jn2T.acU]R钣ˢsC6ũSN?4TPGSRIeuUW[OPS|0Ԓ-k>[ >E,@4R~udmZk6[mog6\q6Y#ًk/!ִC@Cfl&27`&`XPMa`gj,߂XTAԳ rĉҨ ;l,vY@{lP {w=xxIV㍇y']Yv}p:}@`EG=wCdM痿~?G6RAD?πi] ,C&CV ;up_`_iN$4̢d`2MІ# ;- \b I))(H:C&Ⰹ a*Ӻĥ%1]dOcbrF]D f /Bd|;i$юEB9c9Qu(wlGv H䑑{YF8Ca!-qW,)IA!{Bc p @R֒$e&ūPR3VȡWve2KKe"hRi Ԩn" fv#frGN,uB/ eV g<"O#MJ Jef$D~d2X3 v%z"4(dƫ246  'B1g1u g,DYjFQ fђ[ ;_|fK R]~(ID3=&OݳI1!,5JWJi-:ZPU|F@DԬ}+vn˞\Sٝ1"2X6V$uld%N" xg% !ڝ+C GqZG ehn ?a4 au ,@1N-XbG;ҡGf Џm6Zjsw}/?~dC?azc@GwG@_E'l kW5nS~p6 PƈI,cb !gc/2.T+dw|d2&yNfy)G99U.-[#Ae1̬=sEyنi,L9Osʝ#gG܃Sw[3 >!N3,>!4b?Cr{*n+AHk"s@t02;c" ѣtS'hqv&d„u芾d3ϰ'3 TGH؅CJ3 l*,L(F~,I CyhcB`~(+CmP-OPJt"8;JЁ~)VlX6($ "d39 ;Cn*ٚ `2FOS}x86Cw5gԽی$C kF(` m~3$Lp3hYR0)$CnGvs՝կwݓ_qN.]P}3o\{p_apt};x~9Cb o7ɺPc, 7NThD( *HLC"m$\g݂jSaFbxK:iU ,f8#Ň|MQA G LM6 =@(!LÒ :kOF׏\!I&Pmg\ZɢcT΂_wsI7j䟉mU}^'P:;{;:_ fVaorzhEF3dj-;.{.醕GfҷYfa;Q:#J7!?0|0 +0 / %  W%b_ά )#S΢_z݆? d\{ `<׫mqsu1J@`3`8 cC\4:aV0o jx6y =B$0@!8Fљں3 4鎎KV54I4dt! , 5(@ A/? !L`Ah&pdʖqY0'5@ TRC:pS@1UEWC?tLJ,8tH<ضqJЎ)Asa~hC{8C?Aj,'88 B8GD ŀL RVp3٤< :Dv`DrmР3SPl6?@!P1: "&Z3ͫ"53@iuʪV&pF7~`x"ip l6~TCȃ@J:(7pF t89C)6T Q2JRG. [@d1f X-a F~R"=  zAEEzEFӐD2=O( zR8ѕDRaP&~J5$~I&an/g~ 2Q8?"Ј g} ^6p##ʡ"@D4r&"ד̂"M ӌ 8 ,) w6shy >YF Ժ\a#لAF0SJ4C (+f!(dC{QcY da^.P@aYp(2n `ʺ@2;Qx40 AOl(C_[p@J%g ņlC04HHEi& f4!9&J*]TC&@R_@H vu,$aKaBGKu3ܬW-F6h"Lp)@i $<`, @mDD;]A@P?8 .UR_!L" b5=lVf6jV?,C-c9@?54'nv4+@bMa .AL+"ID$( @@r@CBL @ґv4")+JWyO}Ѥ؀2C m6(14C Zq)h wUaDJ"\D6rgAT=>li XZ @HDCj瀎2l ?Wvg.y1PTuT%̀ I,Y@=dY?5&= 0܂ga@lb7"F؄vQaA:+hW-9(M}U@:(&0@:4Rh2H@H@C74B 僀-5@-O0D}lC|UCR>>#GpJzgҠFګZe ;t)=R &u@4qDRh(DRs8P xSDX;u b=<7A)=tn۸f?Y YmE>[%<rYю iC d~f^ %bIYՁ!ef`@.@*?`$xbC|^lW R4aU=V:,BF$tD!= Ζ(0[DrCڕ%58$PάxB*8hCQjff櫨B A@xBX??ā?_]g5(:r+Ey*ŽjE8ǝm",WF5\Ρ[}(Sy%\a'l =%Ua,/`R?h}."J%@ks΀ @uX 2JD\$lpjp"_D@]?A@Z ?dجMdk1.qALz֪63E?DCeB78aEp i78>¾,+b-bF9.&FEBvUb.њE$,HKT*bDL RTr~x,du(J pF=/-b"@PGz$H6DOD2>Džġ|6l)ڣSVK"WCe8N?4C9cgW~cۃNxCX vvX V)pE# $r/L`gnz&8D|ҧ}~f66a~C$~ʙ@%Ae(/;=\)T7+˴ DeZH DJR"oe闆阶VBZM/!WYij2qC Cjshi^f/ D,`ĕGBH2ұ(,k(WMmz]?(8 >6#p.VᙅYܳ~@310Kg",!N/JmF$b=pBH 'V.d8"?kVjn1B-m.ҽL1ū-kP1q bJڂ*dCMH(g)Äbn*#gbD.2:D躰%c2A+S!ggzUj)C T0x5S\cZHqfu\qG Ţ>0>aLcAvGb*=0)Hpm~n bsFA' @H5g0F(a!o߄*cvHPQqrKT#Wq[r &~&){,G` 8u,kKf_]#Wu*{o'>8GLķVu;E`^b?7UFTh&/E#T8Ǹ8׸8縌7$rwElZUm׳J^yi+8W_9go9w97&%vrp+_ VtsJdG99z#z91貶Łp 6wKTa p>Qb -J::ǺGeT.þ8yPa~ 18uې/H5i+"/,Ăr2'GnOSg;c_;o{["6{tHEԚDZVV-;%Rb7! <<+3|#"BK78Y/'vO1o>F6dJK8;Ui<8CWˮlƱ3~:İc4; J3 ~~Ӿ>Ͼ[ I`r_21[${r}A<@P@X?,uo?_[A6lgc63bT=pV O:poB69@58wo_?!F8bE1fԸcGA9dIݻ'N\7g^%JFDC LS`9ReC}&&UiSO:ݷ=w-9sMg H0cm[oƕ_ʫ͊i < `bQgns!GݲXa$Ί5:m{W}ӔV9gKf7a|%| P@nN;^Tc -3j 1P:,/ָZ! :-5QsmyNaQTZ3R.'MŵX#::KvIbN|KR- 4Q 1+c5lS":Dг1K WlE7ɺ4QWa5(Lh8?m|R(BM9pXj'gNYm=:%BEȿ=]UWhTI!\w-gL%5Vm!b W\HsMWum7={0!n*{ş`Tv x]~Al@`U0Zn  yaP0аXb3`vU’駝tVU~08mXb-y$iNa~@}zه xZF ڟ] 1:[6kz^@TB(O\].x\-#r#\3;\BtJ?]uR_Z]vbno=uݩ})2Kz>7%v~QhX!;%5ߟoo!yq蟼!a.ȡP$ J>. \ Cu骀uᔒ Ey<8~j3#̠ ?A)`'誵*,r#{CZŇ@$TD#G\!8W&A<1Ce,3zdh8q),]G7L [ (A>CVň$"Hwyn3bELH33 2I ,e DQ45ʋyZ-5ݐImG(=BiIzx#Cъ&R<18bˎ`݄?Ԁ ܩxFGCԩˁm A=̌HЇ#Ѐc1 aQQ v J"8du<ȧD2@ L ?`)Nߨ3c raLKd٪@ 8GG|@"D#FHT BPoB`k~̣~0;:(Ӓ6rs p с~dxZ gC B9*ID!ȅ ~ xC s2jxbfF=,ڏOh-`ZC"d72ERP-IqܰM]G!7ܕA= 7I!f+ c8Q2ٲAhA<ۏ`BM~#BǭAr1 - jfÀ̐\{T(څE{3M_<ۏ8AUF!bt !4K8G`"w 1r S/3nKϯQ *q"g-(9P8{Pk'ѦxH;FyјJ8S\hA? $@ɣ&pBϐ47NAq$A M2zNt" F%&\}As؅$v V#c <Ҧa[BhY@vH0$J v$v.hA.;4బZ8>0IL5p}'w?p @bL!+=(r92<3~ϣ[x5w63"@ƚtӅ?$}^3nj',{Tbf%i0."i8J"x;>cPC\ kYk D %ndz^xIAU&t [̶F@'rBЀ?k\IDZ1l@vL޲=d_FW$`$27ܠw cІ?h*`! xAԡ􊯆 JBΏ)nD0` Afp ܐਆa`a6`!îA,f j h˶h`,BK$D8P.BvMb FjV /w.h N䅾!j!(`hP KB"O Ap%fHJa~0A&1 ; @fۉĨ Ff栐>^$*%(A~ fA,e:@p,fff J/:CI)""N"L ?:c-WLa !X(,$vC`5+r$kQ/.!nC C#K.8C+t).hflCJ%7"V4z)!f`04 .6R"'M Ѯ G-*!n4  pࢸ~B(l+(wQ(!A <Ρ &.H#ja(8.I-AT f`"B1-"&v-Aa@@a*6A482 5E(R`&|6@bޢ&V 8I"L lpd"";&SDN3Fi~ .!!+ e"OLւĆBczI4JtJJJGCD̢J 3HH="3l$ o,"d@شMM4NtN4NT4L<8TL'B"d&B0ȢPPP5QuQ5R!uRQPSdHOS%`&4T}TQUM5UYuU]UUaUc5UD9Z?O95",:cN %&X'UXX5YuYYYY#P.UtWS4CT\BH[5\u\ɵ\͵\e!.E1̣;5)D%78A5_u___6` 9P=%^:4^Caa!6b%vb)bYBl1ta/bZzFz0vdIdMdQ6eIb (”c;>N.(!pfu6gyvg}gg^fe6 ZvZ"hi6YiiiejjcՄik6lvlɶll6mvmٶmmVu;PKKpv#QQPKAOEBPS/sec_introduction.htm-+ Converged Application Server Security Overview

1 Converged Application Server Security Overview

This chapter describes the Oracle Communications Converged Application Server security features:

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols such as SSL and secure passwords.

  • Learn about and use the Converged Application Server security features. See "Converged Application Server Security Concepts" for additional overview information on Converged Application Server security features.

  • Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security. See Oracle Communications Converged Application Server Developer's Guide for more information.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the “Critical Patch Updates and Security Alerts” Web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Overview of Converged Application Server Security

Converged Application Server relies on the underlying security features of the Oracle WebLogic platform. As such, Converged Application Server benefits from the security features of the underlying WebLogic platform, including security realms, security monitoring features, and more.

See "Oracle Security Documentation" for information about securing the WebLogic platform.

Additional security features applicable to Converged Application Server include:

  • Network channel-based security in the form of support for HTTPS and SIPS. See Oracle Communications Converged Application Server Administrator's Guide for more information on network channel security.

  • Flexible client authentication mechanisms, including identity assertions by security providers, client certificate authentication, and digest-based authentication.

This document describes the security features specific for Converged Application Server. For WebLogic information, including information about performing a secure installation and implementing application security, see the Oracle WebLogic Server 11g documentation.

Understanding the Converged Application Server Environment

When planning your Converged Application Server implementation, consider the following:

  • Which resources need to be protected?

    • You need to protect customer data, such as credit-card numbers.

    • You need to protect internal data, such as proprietary source code.

    • You need to protect system components from being disabled by external attacks or intentional system overloads.

  • Who are you protecting data from?

    For example, you need to protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, it is possible that a system administrator can manage your system components without needing to access the system data.

  • What will happen if protections on a strategic resources fail?

    In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.

Oracle Security Documentation

To implement security, you configure Converged Application Server security features as well as those in the products on which it relies.

See the following documents for more information:

  • Oracle Fusion Middleware Securing Oracle WebLogic Server in the Oracle WebLogic Server 11g documentation.

  • Oracle Fusion Middleware Application Security Guide in the Oracle WebLogic Server 11g documentation

  • Oracle Communications Converged Application Server Administrator's Guide.

  • Oracle Communications Converged Application Server Developer's Guide.

Common Security Configuration Tasks

Table 1-1 lists Converged Application Server configuration tasks and provides links to additional information.

Table 1-1 Security Configuration Tasks

TaskDocument Reference

Understanding the Digest identity assertion providers

Configuring LDAP Digest authentication

Configuring Digest authentication with an RDBMS

See "Configuring Digest Authentication".

Understanding client-cert authentication solutions

Delivering X509 certificates over 2-way SSL

Developing a Perimeter authentication solution

Using the Converged Application Server WL_Client_Cert header to deliver X509 certificates

See "Configuring Client-Cert Authentication".

Understand forwarding rules for SIP messages having the P-Asserted-Identity header

Configuring P-Asserted-Identity providers

See "Overview of SIP Servlet Identity Assertion Mechanisms".

Defining security constraints for a SIP Servlet

Mapping SIP Servlet roles to Converged Application Server roles and principals

Debugging SIP Servlet security constraints

See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide

Configuring trusted hosts

See information on the sip-security setting in sipserver.xml, as described in Oracle Communications Converged Application Server Administrator's Guide


PKuZ2+-+PKA OEBPS/toc.ncx Oracle® Communications Converged Application Server Security Guide, Release 5.1 Cover Oracle Communications Converged Application Server Security Guide , Release 5.1 Oracle Communications Converged Application Server Security Guide, Release 5.1 Preface Converged Application Server Security Overview Converged Application Server Security Concepts Configuring Digest Authentication Configuring Client-Cert Authentication Configuring SIP Servlet Identity Assertion Mechanisms Configuring 3GPP HTTP Authentication Assertion Providers Copyright PK%|  PKAOEBPS/sec_3gpp_http.htm5! Configuring 3GPP HTTP Authentication Assertion Providers

6 Configuring 3GPP HTTP Authentication Assertion Providers

This chapter describes how to configure Oracle Communications Converged Application Server to handle the X-3GPP-Asserted-Identity header for HTTP authentication:

Overview

In order to function as an Application Server in an IMS network, Converged Application Server supports handling the X-3GPP-Asserted-Identity header as specified in 3GPP TS 33.222 Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) (http://www.3gpp.org/ftp/Specs/html-info/33222.htm). Converged Application Server provides this support via a configured security provider, X3gppAssertedIdentityAsserter or X3gppAssertedIdentityStrictAsserter. The providers use the same authentication process, but the "strict" assertion provider also throws an exception when the header is received from a non-trusted host (which enables you to audit asserted identity requests from non-trusted hosts).

The X-3GPP-Asserted-Identity header functions for HTTP requests in the same manner that the P-Asserted-Identity header functions for SIP requests. When the container receives an incoming HTTP requesting having a X-3GPP-Asserted-Identity header, it first verifies that the request was received from a trusted host. If the host was trusted, the container asserts the user's identity using the information in the header, authenticates the user, and logs the user in if that user is authorized to access the requested resource. (If a request comes from a non-trusted host, the container simply ignores the header.)

The X-3GPP-Asserted-Identity header may contain multiple names in a list (for example, user1@oracle.com, user2@oracle.com). When configured with the default user name mapper class, the Converged Application Server providers remove the domain portion of the addresses (@oracle.com) and use the remainder as the user name. The default user name mapper always chooses the first username in the list and uses it for asserting the identity. This behavior can be changed by creating and configuring a custom user name mapper class. For example, if you must support overlapping usernames from different names (for example, sipuser@oracle.com and sipuser@cea.com), a custom user-name mapper might process the header contents into a unique username (for example, sipsuser_b and sipuser_c). Using a custom user name mapper also enables you to support WebLogic user names that contain an "@" character, such as @oracle.com.

In order for SIP Servlets to support authentication with the X-3GPP-Asserted-Identity header, the auth-method element must be set to CLIENT-CERT in the web.xml deployment descriptor. See Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

Configuring a X-3GPP-Asserted-Identity Provider

Follow these steps to configure a security provider used to support the X-3GPP-Asserted-Identity header in HTTP requests. Note that one of two providers can be selected, as described in the "Overview":

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select the Providers tab, then select the Authentication tab.

  5. Click New.

  6. Enter a name for the new provider, and select one of the following options for the Type field:

    • X3gppAssertedIdentityAsserter: Select this option to configure a provider that does not throw an exception when the header is invalid or is received from a non-trusted host.

    • X3gppAssertedIdentityStrictAsserter: Select this option to configure a provider that throws an exception when the header is received from a non-trusted host and is therefore ignored.

    See "Overview" for more information.

  7. Click OK.

  8. Select the name of the new provider you just created.

  9. In the Active Types Chooser list, select the X-3GPP-Asserted-Identity type and use the arrow to move it to the Chosen column.

  10. Click Save.

  11. Select the Configuration tab, the select the Provider Specific tab.

  12. Fill in the fields of the configuration page as follows:

    • Trusted Hosts: Enter one or more host names that the provider will treat as trusted hosts. Note that the provider does not use trusted hosts configured in the sipserver.xml file (see information on sip-security in the Oracle Communications Converged Application Server Administrator's Guide). You can enter a list of IP addresses or DNS names, and wildcards are supported.

    • User Name Mapper Class Name: Enter the name of a custom Java class used to map user names in the X-3GPP-Asserted-Identity header to user names in the default security realm. A custom user name mapper is generally used if user names are received from two or more different domains. In this case additional logic may be required to map user names received from each domain. A custom user name mapper class is required if you want to map usernames to WebLogic usernames, or if you want to logically process multiple usernames specified in the X-3GPP-Asserted-Identity header (rather than using only the first username). See Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

      Alternatively, leave this field blank to use the default user name mapper. The default mapper simply discards the domain name and takes the first resulting user name to assert the identity. For example, the default user name mapper takes the following header:

      X-3GPP-Asserted-Identity: "user1@oracle.com", "user2@oracle.com"
      

      and asserts the identity "user1."

  13. Click Save.

PKJȉ:!5!PKA!OEBPS/sec_sip_assert_identity.htmB4 Configuring SIP Servlet Identity Assertion Mechanisms

5 Configuring SIP Servlet Identity Assertion Mechanisms

This chapter describes how to configure and use Oracle Communications Converged Application Server Identity Asserter providers:

Overview of SIP Servlet Identity Assertion Mechanisms

A SIP Servlet can be configured to use one of the following identity assertion mechanisms:

  • P-Asserted-Identity: With this mechanism, identity must be asserted using the P-Asserted-Identity header in a SIP message that originates from a trusted domain. This identity assertion mechanism is described in RFC 3325.

  • Identity: With this mechanism, identity must be asserted using the Identity and Identity-Info headers in SIP messages, which can originate from other domains. This identity assertion mechanism is described in RFC 4474.

The selected identity assertion mechanism is defined in the identity-assertion element of the sip.xml deployment descriptor. The identity-assertion-support element determines whether the identity assertion mechanism is required for the Servlet, or whether alternate authentication mechanisms can be used with SIP messages that do not contain the required headers. See the SIP Servlet Specification v1.1 for more information on configuring identity assertion for a Servlet.

Converged Application Server supports identity assertion mechanisms using security providers. The sections that follow describe how Converged Application Server handles messages with each identity assertion mechanism, and how to configure the required security providers.


Note:

Converged Application Server version provides backward compatibility for applications that conform to the SIP Servlet v1.0 specification.

Understanding Trusted Host Forwarding with P-Asserted-Identity

The P-Asserted-Identity header is honored only within a trusted domain. In a Converged Application Server system, trusted domains are purely configuration-based. To enable use of the header, you must configure one of two available P-Asserted Identity Assertion providers as described in "Configuring a P-Asserted-Identity Assertion Provider". The P-Asserted-Identity assertion providers expose the trusted domain configuration for P-Asserted-Identity headers. If you do not configure a provider, the header considers no IP addresses as being "trusted."

When Converged Application Server receives a message having the P-Asserted-Identity header from a trusted host configured with the provider, it logs in the user specified in the header to determine group membership and other privileges. The value contained in the P-Asserted-Identity header must be a SIP address (for example, sipuser@oracle.com). By default, Converged Application Server removes the domain portion of the address (@oracle.com) and uses the remainder as the user name. If you must support overlapping usernames from different names (for example, sipuser@oracle.com and sipuser@cea.com), you can create and use a custom user-name mapper to process the header contents into a unique username (for example, sipsuser_b and sipuser_c). Using a custom user name mapper also enables you to support WebLogic user names that contain an "@" character, such as @oracle.com.

The presence of a P-Asserted-Identity header combined with the Privacy header also determines the way in which Converged Application Server proxies incoming requests. The value of the identity-assertion-support element in sip.xml is also considered. Figure 5-1 describes how incoming SIP requests are managed in relation to the P-Asserted-Identity header.

Figure 5-1 Managing Inbound Requests Having P-Asserted-Identity and Privacy Headers

Surrounding text describes Figure 5-1 .

Figure 5-2 describes the standard security check procedure that Converged Application Server uses when an asserted user name is not authorized to access a requested resource. The standard security check is performed according to the auth-method defined in the login-config element of the sip.xml descriptor for the current application.

Figure 5-2 Standard Security Check Procedure

Surrounding text describes Figure 5-2 .

The presence of a P-Asserted-Identity header or a P-Preferred-Identity header also affects the processing of outbound SIP requests. Figure 5-3 describes the behavior.

Figure 5-3 Managing Outbound Requests Having P-Asserted-Identity or P-Preferred Identity

Surrounding text describes Figure 5-3 .

Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers

If the contents of a P-Asserted-Identity header are invalid, or if the header is received from a non-trusted host, then the security provider returns an "anonymous" user to the SIP Servlet container. If you configured the PAsserted Identity Strict Asserter provider, an exception is also thrown so that you can audit the substitution of the anonymous user. (If you configured the basic PAsserted Identity Asserter provider, no exception is thrown.)

With either provider, if identity assertion fails and the requested resource is protected (the request matches a security-constraint defined in sip.xml), the SIP container uses the auth-method defined in the sip.xml deployment descriptor to challenge the end user. For example, digest authentication may be used if the Servlet specifies the digest authentication method.

If the requested resource is not protected, the anonymous user is simply passed to the SIP Servlet without authorization. Because the 3GPP TS 24.229 specification recommends forced authorization even when a resource is unrestricted (and privacy is not requested), you should use declarative security to protect all of a SIP Servlet's resources to remain compliant with the specification. See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for more information.

If authorization of the anonymous user fails, Converged Application Server then forces authentication by challenging the user.

Configuring a P-Asserted-Identity Assertion Provider

Follow these steps to configure a security provider used to support the P-Asserted-Identity header. Note that one of two providers can be selected, as described in "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers".

In addition to configuring one of the above providers, configure a secondary, "fallback" login method (for example, using DIGEST or CLIENT-CERT authentication).

To configure a P-Asserted-Identity provider:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Click New.

  5. Enter a name for the new provider, and select one of the following options for the Type:

    • PAssertedIdentityAsserter: Select this option to configure a provider that does not throw an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host and an anonymous user is substituted.

    • PAssertedIdentityStrictAsserter: Select this option to configure a provider that throws an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host and an anonymous user is substituted.

    See "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers" for more information.

  6. Click OK.

  7. Select the name of the provider you just created.

  8. Select Configuration, and then select the Provider Specific tab.

  9. Fill in the fields of the configuration tab as follows:

    • Trusted Hosts: Enter one or more host names that the provider will treat as trusted hosts. You can enter a list of IP addresses or DNS names, and wildcards are supported.


      Note:

      The provider does not use trusted hosts configured in the sipserver.xml file. See information on sip-security in the Oracle Communications Converged Application Server Administrator's Guide.

    • User Name Mapper Class Name: Enter the name of a custom Java class used to map user names in the P-Asserted-Identity header to user names in the default security realm. A custom user name mapper is generally used if user names are received from two or more different domains. In this case additional logic may be required to map usernames received from each domain. A custom user name mapper class is required if you want to map usernames in the P-Asserted-Identity header to WebLogic usernames. See Securing Oracle WebLogic Server in the Oracle WebLogic Server 11g documentation for more information.

      Alternatively, leave this field blank to use the default user name mapper. The default mapper simply discards the domain name and takes the resulting user name without applying any additional logic.

  10. Click Save.

Understanding Identity Assertion with the Identity and Identity-Info Headers

Converged Application Server can also perform identity assertion using the Identity and Identity-Info headers, as described in RFC 4474. As with the p-asserted-identity assertion mechanism, Identity header assertion requires that you first configure the appropriate security provider (the IdentityHeaderAsserter provider) in Converged Application Server.

When asserting the identity of inbound requests having the Identity and Identity-Info headers, Converged Application Server considers the values of the identity-assertion and identity-assertion-support elements in sip.xml as well as the presence of a configured security provider. Figure 5-4 describes how incoming messages are processed using this assertion mechanism.

Figure 5-4 Managing Inbound Requests Having Identity and Identity-Info Headers

Surrounding text describes Figure 5-4 .

Configuring the Identity Header Assertion Provider

Follow these steps to configure the security provider used to support the Identity header:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Click Providers, and then select the Authentication tab in the right pane.

  5. Click New.

  6. Enter a name for the new provider, and select IdentityHeaderAsserter for the Type.

  7. Click OK.

  8. Select the name of the provider you just created.

  9. Select the Provider Specific tab.

  10. Fill in the fields of the configuration tab as follows:

    • Date Period: Enter the valid period for Date header, in seconds.

    • Https Channel Name: Enter the name of an HTTPS channel the provider should use to initialize an HTTPS client. An HTTPS channel is required (and must be configured separately) if a remote certificate must be retrieved via HTTPS.

    • User Name Mapper Class Name (optional): Enter the name of a custom Java class used to map user names in the Identity header to user names in the default security realm. A custom user name mapper class is required if you want to map usernames in the Identity header to WebLogic usernames. See Securing Oracle WebLogic Server in the Oracle WebLogic Server 11g documentation for more information.

  11. Click Save.

PK%5BBPKAOEBPS/content.opfD Oracle® Communications Converged Application Server Security Guide, Release 5.1 en-US E35553-01 Oracle Corporation Oracle Corporation Oracle® Communications Converged Application Server Security Guide, Release 5.1 2012-12-12T04:44:03Z Oracle® Communications Converged Application Server Security Guide, Release 5.1 PKa`PKAOEBPS/sec_client_cert.htmL\ Configuring Client-Cert Authentication

4 Configuring Client-Cert Authentication

This chapter describes how to configure Oracle Communications Converged Application Server to use Client-Cert authentication:

Overview of Client-Cert Authentication

Client-Cert authentication uses a certificate or other custom tokens in order to authenticate a user. The token is "mapped" to a user present in the Converged Application Server security realm in which the Servlet is deployed. SIP Servlets that want to use Client-Cert authentication must set the auth-method element to CLIENT-CERT in their sip.xml deployment descriptor.

The token used for Client-Cert authentication can be obtained in several different ways:

  • X509 Certificate from SSL: In the most common case, an X509 certificate is derived from a client token during a two-way SSL handshake between the client and the server. The SIP Servlet can view the resulting certificate in the javax.servlet.request.X509Certificate request attribute. This method for performing Client-Cert authentication is the most common and is described in the SIP Servlet specification (JSR-116). Converged Application Server provides two security providers that can be used to validate the X509 certificate; see "Configuring SSL and X509 for Converged Application Server".

  • WL-Proxy-Client-Cert Header: Converged Application Server provides an alternate method for supplying a Client-Cert token that does not require a two-way SSL handshake between the client and server. Instead, the SSL handshake can be performed between a client and a proxy server or load balancer before reaching the destination Converged Application Server. The proxy generates the resulting X509 certificate chain and encrypts it using base-64 encoding, and finally adds it to a special WL-Proxy-Client-Cert header in the SIP message. The server hosting the destination SIP Servlet then uses the WL-Proxy-Client-Cert header to obtain the certificate. The certificate is also made available by the container to Servlets via the javax.servlet.request.X509Certificate request attribute.

    To use this alternate method of supplying client tokens, you must configure Converged Application Server to enable use of the WL-Proxy-Client-Cert header; see "Configuring Converged Application Server to Use WL-Proxy-Client-Cert". You must also configure an X509 Identity Asserter provider as described in "Configuring SSL and X509 for Converged Application Server".

SIP Servlets can also use the CLIENT-CERT auth-method to implement perimeter authentication. Perimeter authentication uses custom token names and values, along with a custom security provider, to authenticate clients. See "Supporting Perimeter Authentication with a Custom IA Provider" for a summary of steps required to implement perimeter authentication.

Configuring SSL and X509 for Converged Application Server

Converged Application Server includes two separate Identity Assertion providers that can be used with X509 certificates. The LDAP X509 Identity Asserter provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate in a separate LDAP store, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object. The Default Identity Asserter provider maps the user according to its configuration, but does not validate the certificate.

With either provider, Converged Application Server uses two-way SSL to verify the digital certificate supplied by the client. You must ensure that a SIPS transport (SSL) has been configured in order to use Client-Cert authentication. See information on configuring secure transport in the Oracle Communications Converged Application Server Administrator's Guide.

See "Configuring the Default Identity Asserter" to configure the Default Identity Asserter provider. In most production installations you will have a separate LDAP store and will need to configure the LDAP X509 Identity Asserter provider to use client-cert authentication; see "Configuring the LDAP X509 Identity Asserter".

Configuring the Default Identity Asserter

The Default Identity Asserter can be configured to verify an X509 certificate passed to it by a client over a secure (SSL) connection. The Default Identity Asserter requires a separate user name mapper to map the associated client "certificate" to a user configured in the default security realm. You can use the default user name mapper installed with Converged Application Server, or you can create a custom user name mapper class. See the chapters on configuring a WebLogic credential mapping provider in Securing Oracle WebLogic Server the Oracle WebLogic Server 11g Documentation for information on creating a custom user name mapper class.

Follow these instructions to configure the Default Identity Asserter:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select the Providers > Authentication tab.

  5. In the right pane of the Console, select DefaultIdentityAsserter from the table of configured providers.

  6. On the Configuration > Common page, select X.509 in the Available column of the Active Types table and use the arrow to move it to the Chosen column.

  7. Click Save to apply the change.

  8. You can use either a custom Java class to map names in the X509 certificate to user names in the built-in LDAP store, or you can use the default user name mapper. To specify a custom Java class to perform user name mapping:

    1. Select the Configuration > Provider Specific tab.

    2. Enter the name of the custom class in the User Name Mapper Class Name field.

    3. Click Save.

    To use the default user name mapper:

    1. Select the Configuration > Provider Specific tab.

    2. Select Use Default User Name Mapper.

    3. In the Default User Name Mapper Attribute Type list, select either CN (for Common Name) or E (for Email address) depending on the user name attribute you have stored in the security realm.

    4. In the Default User Name Mapper Attribute Delimiter field, accept the default delimiter of "@". This delimiter is used with the E (Email address) attribute type to extract the email portion from the client token. For example, a token of "joe@mycompany.com" would be mapped to a username "joe" configured in the default security realm.

    5. Click Save.

Configuring the LDAP X509 Identity Asserter

Follow these steps to create and configure the X509 Authentication Provider.

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select Providers, then select the Authentication tab.

  5. Click New.

  6. Enter a name for the new provider, and select "LDAPX509IdentityAsserter" as the type.

  7. Click OK.

  8. In the list of providers, select the name of the provider you just created.

  9. In the Configuration > Provider Specific tab, enter LDAP server information into the fields as follows:

    • User Field Attributes: Enter an LDAP search filter that Converged Application Server will use to locate a given username. The filter is applied to LDAP objects beneath the base DN defined in the Certificate Mapping attribute described below.

    • User Name Attribute: Enter the LDAP attribute that stores the user's name.

    • Certificate Attribute: Enter the LDAP attribute that stores the certificate for the user name.

    • Certificate Mapping: Specify how a query string to construct the base LDAP DN used to locate the LDAP object for the user.

    • Host: Enter the host name of the LDAP server to verify the incoming certificate. If you are using multiple LDAP servers for failover capabilities, enter the host name:port value for each server separated by spaces. For example: ldap1.mycompany.com:1050 ldap2.mycompany.com:1050

      See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for more information about configuring failover.

    • Port: Enter the port number of the LDAP server.

    • SSL Enabled: Select this option if you are using SSL to communicate unencrypted passwords between Converged Application Server and the LDAP Server.

    • Principal: Enter the name of a principal that Converged Application Server uses to access the LDAP server.

    • Credential: Enter the credential for the above principal name (generally a password).

    • Confirm Credential: Re-enter the principal's credential.

    • Cache Enabled: Specifies whether a cache should be used with the associated LDAP server.

    • Cache Size: Specifies the size of the cache, in Kilobytes, used to store results from the LDAP server. By default the cache size is 32K.

    • Cache TTL: Specifies the time-to-live (TTL) value, in seconds, for the LDAP cache. By default the TTL value is 60 seconds.

    • Follow Referrals: Select this to specify that a search for a user or group within the LDAP X509 Identity Assertion provider should follow referrals to other LDAP servers or branches within the LDAP directory.

    • Bind Anonymously On Referrals: By default, the LDAP X509 Identity Assertion provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, check this box.

    • Results Time Limit: Specifies the number of milliseconds to wait for LDAP results before timing out. Accept the default value of 0 to specify no time limit.

    • Connect Timeout: Specifies the number of milliseconds to wait for an LDAP connection to be established. If the time is exceeded, the connection times out. The default value of 0 specifies no timeout value.

    • Parallel Connect Delay: Specifies the number of seconds to delay before making concurrent connections to multiple, configured LDAP servers. If this value is set to 0, the provider connects to multiple servers in a serial fashion. The provider first tries to connect to the first configured LDAP server in the Host list. If that connection attempt fails, the provider tries the next configured server, and so on.

      If this value is set to a non-zero value, the provider waits the specified number of seconds before spawning a new thread for an additional connection attempt. For example, if the value is set to 2, the provider first tries to connect to the first configured LDAP server in the Host list. After 2 seconds, if the connection has not yet been established, the provider spawns a new thread and tries to connect to the second server configured in the Host list, and so on for each configured LDAP server.

    • Connection Retry Limit: Specifies the number of times the provider tries to reestablish a connection to an LDAP server if the LDAP server throws an exception while creating a connection.

  10. Click Save to save your changes.

  11. Reboot the server to realize the changed security configuration.

Configuring Converged Application Server to Use WL-Proxy-Client-Cert

In order for Converged Application Server to use the WL-Proxy-Client-Cert header, a proxy server or load balancer must first transmit the X509 certificate for a client request, encrypt it using base-64 encoding, and then add the resulting token WL-Proxy-Client-Cert header in the SIP message. If your system is configured in this way, you can enable the local Converged Application Server instance (or individual SIP Servlet instances) to examine the WL-Proxy-Client-Cert header for client tokens.

To configure the server instance to use the WL-Proxy-Client-Cert header:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane, select Environment, then select the Servers node.

  3. Select the name of a configured engine tier server.

  4. Select Configuration, then select the General tab in the right pane.

  5. Select Client Cert Proxy Enabled.

  6. Click Save to save your changes.

  7. Follow the instructions under "Configuring SSL and X509 for Converged Application Server" to configure either the default identity asserter or the LDAP Identity Asserter provider to manage X509 certificates.

  8. Reboot the server to realize the changed configuration.

To enable the WL-Proxy-Client-Cert header for an individual Web Application, set the com.bea.wcp.clientCertProxyEnabled context parameter to true in the application's sip.xml deployment descriptor.

Supporting Perimeter Authentication with a Custom IA Provider

With perimeter authentication, a system outside of WebLogic Server establishes trust via tokens. The system is generally comprised of an authentication agent that creates an artifact or token that must be presented to determine information about the authenticated user at a later time. The actual format of the token varies from vendor to vendor (for example, SAML or SPNEGO).

Converged Application Server supports perimeter authentication through the use of an Identity Assertion provider designed to recognize one or more token formats. When the authentication type of a SIP Servlet is set to CLIENT-CERT, the SIP container in Converged Application Server performs identity assertion on values from the request headers. If the header name matches the active token type for a configured provider, the value is passed to the provider for identity assertion.

The provider can then use a user name mapper to resolve the certificate to a user available in the security realm. The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource.

If you want to use custom tokens to pass client certificates for perimeter authentication, you must create and configure a custom Identity Assertion provider in place of the LDAP X509 or Default Identity Asserter providers described above. See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for information about creating providers for handling tokens passed with perimeter authentication.

PKVLLPKAOEBPS/dcommon/prodbig.gif GIF87a!!!)))111BBBZZZsss{{ZRRcZZ!!1!91)JB9B9)kkcJJB991ssc絽Zcc!!{祽BZc!9B!c{!)c{9{Z{{cZB1)sJk{{Z{kBsZJ91)Z{!{BcsRsBc{9ZZk甽kBkR!BZ9c)JJc{!))BZks{BcR{JsBk9k)Zck!!BZ1k!ZcRBZcZJkBk1Z9c!R!c9kZRZRBZ9{99!R1{99R{1!1)c1J)1B!BJRkk{ƽ絵ތkk絵RRs{{{{JJsssBBkkk!!9ss{{ZZssccJJZZRRccRRZZ))cBBJJ99JJ!!c11991199Z11!c!!))Z!!!1BRck{)!cJBkZRZ,HP)XRÇEZ֬4jJ0 @ "8pYҴESY3CƊ@*U:lY0_0#  5tX1E: C_xޘeKTV%ȣOΏ9??:a"\fSrğjAsKJ:nOzO=}E1-I)3(QEQEQEQEQEQEQE֝Hza<["2"pO#f8M[RL(,?g93QSZ uy"lx4h`O!LŏʨXZvq& c՚]+: ǵ@+J]tQ]~[[eϸ (]6A&>ܫ~+כzmZ^(<57KsHf妬Ϧmnẁ&F!:-`b\/(tF*Bֳ ~V{WxxfCnMvF=;5_,6%S>}cQQjsOO5=)Ot [W9 /{^tyNg#ЄGsֿ1-4ooTZ?K Gc+oyڙoNuh^iSo5{\ܹ3Yos}$.nQ-~n,-zr~-|K4R"8a{]^;I<ȤL5"EԤP7_j>OoK;*U.at*K[fym3ii^#wcC'IIkIp$󿉵|CtĈpW¹l{9>⪦׺*ͯj.LfGߍԁw] |WW18>w.ӯ! VӃ :#1~ +މ=;5c__b@W@ +^]ևՃ7 n&g2I8Lw7uҭ$"&"b eZ":8)D'%{}5{; w]iu;_dLʳ4R-,2H6>½HLKܹR ~foZKZ࿷1[oZ7׫Z7R¢?«'y?A}C_iG5s_~^ J5?œ tp]X/c'r%eܺA|4ծ-Ե+ْe1M38Ǯ `|Kյ OVڅu;"d56, X5kYR<̭CiطXԮ];Oy)OcWj֩}=܅s۸QZ*<~%뺃ȶp f~Bðzb\ݳzW*y{=[ C/Ak oXCkt_s}{'y?AmCjޓ{ WRV7r. g~Q"7&͹+c<=,dJ1V߁=T)TR՜*N4 ^Bڥ%B+=@fE5ka}ędܤFH^i1k\Sgdk> ֤aOM\_\T)8靠㡮3ģR: jj,pk/K!t,=ϯZ6(((((((49 xn_kLk&f9sK`zx{{y8H 8b4>ÇНE|7v(z/]k7IxM}8!ycZRQ pKVr(RPEr?^}'ðh{x+ՀLW154cK@Ng C)rr9+c:׹b Жf*s^ fKS7^} *{zq_@8# pF~ [VPe(nw0MW=3#kȵz晨cy PpG#W:%drMh]3HH<\]ԁ|_W HHҡb}P>k {ZErxMX@8C&qskLۙOnO^sCk7ql2XCw5VG.S~H8=(s1~cV5z %v|U2QF=NoW]ո?<`~׮}=ӬfԵ,=;"~Iy7K#g{ñJ?5$y` zz@-~m7mG宝Gٱ>G&K#]؃y1$$t>wqjstX.b̐{Wej)Dxfc:8)=$y|L`xV8ߙ~E)HkwW$J0uʟk>6Sgp~;4֌W+חc"=|ř9bc5> *rg {~cj1rnI#G|8v4wĿhFb><^ pJLm[Dl1;Vx5IZ:1*p)إ1ZbAK(1ׅ|S&5{^ KG^5r>;X׻K^? s fk^8O/"J)3K]N)iL?5!ƾq:G_=X- i,vi2N3 |03Qas ! 7}kZU781M,->e;@Qz T(GK(ah(((((((Y[×j2F}o־oYYq $+]%$ v^rϭ`nax,ZEuWSܽ,g%~"MrsrY~Ҿ"Fت;8{ѰxYEfP^;WPwqbB:c?zp<7;SBfZ)dϛ; 7s^>}⍱x?Bix^#hf,*P9S{w[]GF?1Z_nG~]kk)9Sc5Ո<<6J-ϛ}xUi>ux#ţc'{ᛲq?Oo?x&mѱ'#^t)ϲbb0 F«kIVmVsv@}kҡ!ˍUTtxO̧]ORb|2yԵk܊{sPIc_?ħ:Ig)=Z~' "\M2VSSMyLsl⺿U~"C7\hz_ Rs$~? TAi<lO*>U}+'f>7_K N s8g1^CeКÿE ;{+Y\ O5|Y{/o+ LVcO;7Zx-Ek&dpzbӱ+TaB0gNy׭ 3^c T\$⫫?F33?t._Q~Nln:U/Ceb1-im WʸQM+VpafR3d׫é|Aү-q*I P7:y&]hX^Fbtpܩ?|Wu󭏤ʫxJ3ߴm"(uqA}j.+?S wV ~ [B&<^U?rϜ_OH\'.;|.%pw/ZZG'1j(#0UT` Wzw}>_*9m>󑓀F?EL3"zpubzΕ$+0܉&3zڶ+jyr1QE ( ( ( ( ( ( ( (UIdC0EZm+]Y6^![ ԯsmܶ捆?+me+ZE29)B[;я*wGxsK7;5w)}gH~.Ɣx?X\ߚ}A@tQ(:ͧ|Iq(CT?v[sKG+*רqҍck <#Ljα5݈`8cXP6T5i.K!xX*p&ќZǓϘ7 *oƽ:wlຈ:Q5yIEA/2*2jAҐe}k%K$N9R2?7ýKMV!{W9\PA+c4w` Wx=Ze\X{}yXI Ү!aOÎ{]Qx)#D@9E:*NJ}b|Z>_k7:d$z >&Vv󃏽WlR:RqJfGإd9Tm(ҝEtO}1O[xxEYt8,3v bFF )ǙrPNE8=O#V*Cc𹾾&l&cmCh<.P{ʦ&ۣY+Gxs~k5$> ӥPquŽўZt~Tl>Q.g> %k#ú:Kn'&{[yWQGqF}AЅ׮/}<;VYZa$wQg!$;_ $NKS}“_{MY|w7G!"\JtRy+贾d|o/;5jz_6fHwk<ѰJ#]kAȎ J =YNu%dxRwwbEQEQEQEQEQEQEQEQEQE'fLQZ(1F)hQ@X1KEQE-Q@ 1KE3h=iPb(((1GjZ(-ʹRPbR@ 1KE7`bڒyS0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((&xǧ[]eid!~Bz0̼q?Y}m vZ3]A`QphNযtPJ$j@WB3(,w$Wۼ#m3fvx\V|Z7ۼVOmc991JM.5ӪhnV 2Bq}jQYWcag]E7dtbS Y3h$#`pÃ(NM[MTKPMBdLW^yTH[;J g Ҿfl~g6;:6(zepZZǍO $< UwGVǙKfs'hBjnnic8EeK` cW(ǫijiqjBYʋ,2GqD.hɾ+FD򩜑 v>r?i_n|}?3ݛss[NVu {-B{Gs3+-0ʑ}*q<7x&7Q1i7vP r0?/€ +xV+{O+8fv'$+r +xV[{9/VF[ +r +ψn'bj C9L6`V1#f~oNc%K9v4%VZ8fWh[$a9S#UxoH4M_~ncoڠa~_c]V=<7Gga *L v$A@tH5_dkt$n8g{ZLt}oloydIvg8q4(mn%. 9I#%d`pAdI19(=~E<;<75r.F̣fSe6WW~GCj֚]E3Nfq9^d)8k(ý{I5<{W+mq~7ggq*Sȱ2#wpʑǞĹxSv9xKƑe,Sϔ&Q($wZ>wi'үc*YFRCJ q]$:DtῆOt{oxOzBFo%$qC*q% @Wohtr{yK$#(?1V r~cyZ襯?'u@49KÚ47R[ 1Ri#y;2@<îY}3rYZZk}P3cd-@'u^@>|(ᨥM֏8EICyWVdU*W6CZge!% Zdtwbۀ!J2 9g'dQQG<+;IaXT5X=jM9*_q,~)x*CV>!2*ΘTŝņ=:*?ְ(hsxׇ4hnzbG!FwNey1\ >x_5Ŭ{''Dx#W7 8;VLj|'`?о 9,-gGw1rG o_xg}0 $Tc*C²訨A%wG9QB/V3hQ-֬'$ĠcbX(ŏP'Tۊ{|pO_#[[K*6sG*\(%hey^_'ߍ7g=tׅt|4uY6 H2unYI#1#?c+;i^OmJqyy߻Í⸿zm4]>b86жFPs7_{Mm2[t!W^n#TUQ}NJJɐgo5N=I9YA\ #|!մsvdzn. TE@j@Xz>t}&]?ui-^t͘gvWS@{<}Oڶy߾Ms77OZ[O}ROiOh~*7tș cLt}oloydIvg8q<?6~,GU}h;l8W*J1| ;£FVuVa>whGب'"bq]5_-44LEtbnk ;N8"?%5=UɫWfO1369cABcumӴl*PX+WQ<[oqsA*92<G(~wmdg8l۟qq]CkoQH8Ppb1 h_~E֩/xkc1 rjƷi#ukXϷ̋{&rZP{ }3N˵!7'ZϸwOgWǚb?}Jآ1<-]ij"0q؄0#h;OnҶ(17m:t-d漙r'.IĞѼ]GaY9DʞkLJr:آ#n巸9 I]H#W ??nr;y{y{mn88i^ ]c&[W7`R 3@%DžkZx{=F.<miwVV?-xGNC%<ד.@=~UEcѴGT,R_:o58b@ۦ:օg%vc|3$FeOU(kO^7KI<9 = d>Wo,y~^6n8LU(kO^7KI<9 = O~xmvMPm^H݂J*F:V ^+k ;|9șY&CG(T8ֻ(  [F%gKY%32y&\ ˒z('oikkQ2 ζ( zw]ɍ<\\>\K;v09v̊ 9UQwP{ =2;; H--c`FIŽI'Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@X ܎˱9p $VK⏍lԵOՓ2 '89͏VykG/a1'>@'y? Ix4IfVye(y ϶Q^WgZZ >e(S9HA=@Ex3k~|uqw?gZԺ\>bX9 q(=@E| 0.Y4SZJ2ݙxShx{|0| J{'ArʤȌ Jo_A8/]@hSw1R|$;֟us?}mK;]:-Pǧ@Q^7A7~4~HT]GR-]XpTģn;4xRH5f{r`NFYB H+%[^]`F!,z<3ƧoZ/ MJK)s K4 rY,1'p J+cGu/:fO֑} o -̧Ϧk1? n/GoE]R C #g~((;}G$^,f}<eApb]N2UFt3qsρuֶzC ԡ+0ld) Q\o|qqvΰZE&+g3uیEy'W:o"b,Ss|Ä w@Ex~k|#u<+nWw.ڈ8m,yw>,֩·rZZΓP.O@%Yӻ+CaQn*3垙}@&kߚ#]7c/H|w!?ϻ|ӏJ (kpsZ?RČʛBͅH|M|Iğ꺭 r.$|'6znkM`^[A pU< /RaiJ ,y[ToXrCm f}]# )~8>p8(iEKU~Kk8_kڭƻ6Y eXF28% 302@=7zׁysZOn.4y ڣ*$13b]nWyjpv90q@@Q^/}>YKjģpb r9J?69>Z据I#k2>` ŀ?+'V'f~jA%wGQ/(i>4~F|̉F[iq?NѷxN A`ǎo<hy)Ar7:3ϖzF~$u ^]i0m">0@c|W7 m-NpjD(^G' +/g I5HC_CNY; (Q@\ş^𭮩i4ޥ-3(RYNry|9#׼-?م%Ėr?) RT'??dnc,3=vx?Q/(i>4~F|̉F[ic[৆#;MrU~ĞXr`cޱC'C?IPQ^w{Ʒd.6b8H,B`So_dt~Mm?5jD;*͌ @.I=k [߇*'ԷEw+fP79fʖf!LEAYWמ 𮽪zlOsijUUebG|: NJhLr>wFh K`3QEQEQEQEQEQEQEQEQEQEQE, gA#];U) n`88]KK9Ei`,DT[ nW<\y]]Aa0Ur?u ~x#G涻:g>yiv6x;gx-CD,a~,+.T !< dB{sٿn8۱<פh9,4,Wd)71̀2$@_J q]$:DuiuR{'֮>r:F‚d=I*|7g]wOkꣵW' *E-yş:vo.fm@"YT y+pi:l:6c۴v*p=r8aT Qd(H8bĀA v޴[ް#krN"F błnB`BF1oЬ_u=^ ŚH]K'*@x8䐏3gHM,Iluf9$I5]*\4N;;,OчG F#yajvgd]"6  #~^ 𷊵9|;]fIa}БwϟulʗzYb2 tdtMzx>x46;4C02I8>,T zgtٵ ]FMoHHP΅A8'}j>0{_ۋycg_((ۜz%y_~_Gwi ִn]pm# y3\M"K9 {1'\x¿W_\i:7r|#Kc$IF?2$\'OhRu{^kJ|(ۅ`fkH%@=Oy5ilϻKɐXшV9? k-/}{YVsr6Ȟ^T[ {y~Z-%V2ĒHWV\(` ˱?xFE׵/p6r\!tg۞H4O$*۽9/-1AHG8¿ x2+:Iuѐ^H^L1S*#AsHNncݡp*áVR  //NLH>(qݜc99#Cn,\F+#8>,gZ^G<귱s +qׂ:zq]<7Qo4:jʲ ł,j6Fx:W7#[uv$,8b($ǒ_qy$`nOi\w6oo{hEA*A'[ExCV[XYC$ڊQoZNߊ<[^&q;˫YZ(J,c>Za>Q#,/uY.wI匡܌ FF=뤽V};v5 soj"As7B: /[ mt=C̸ ѲB1m,z^k4V\=2;;ч /,;9, 1"6#*x8 ¼yU.ecAp 7=y'_hصm6Y4#3$ĬXp6`OJ:*?ֽ#м)fmt=2 ($r͍'x+M:6uʍש=O'xW_)%$B(M[MYѯ`F]J2~ݟ|9iI<< r@EPEPEPEPEPEPEPEPEPEPEPEy7txsM6SH,n 1YY@)">8$z@Es~ mM!MB 9mHqSfq(((((((~x'_^Q {wI!I$C1$'ִ<7 xG:d4i$ +m(;s5Ǿ+<+="5[`}bm1c|sICyO-Gvg\nQր=}6c. pjo]EʤFdu?SW(((((ĞѼ]GaY9DʞkLJr:خ?>Oz]]7dta$Tk'=[i-ϕn[npqc84XѮQiY`\lBQUL|!cj?qv3޺ ((G[֤ KT Zf$UԱy s@W[xcIٺ)/1*rŁ*ʊ$H%|sǗJ$>S(Xб;1.q@EgZ߇[~iϕvnp38@W?m+X!}h`9ى@XeC=h+[iz/+$Tqry5@umKF-Ɨ]ڜhZ1_*STq+((((((((((((((%h~ |s|B,?NZϧ"1. .ܓ+@8a?;-^Un)s-S8`W8A<-p,ftEw0ܪą$u`}ң䳿LoxĈ  k_t/ཱུl vêʜEyQx~;Qbjz8،G 2hF'?᎛4DZGV_H C&2 @'?)J湍7{:4^2ơ5bo#fyH*p#xrM_Ejv}da"lFi+ ^ş.Y Gs /G"a@axT0~S>x6jMWTI/dΑ ,l ܆\q@A7k>ipfPٔ9˜Ԑ0wVvjzn/奘1*ј*]uIaY?TU6sayku2n#r0!G# Oz>#֛儼IJ$A&ԫeOxNJ<fXO=ŷuy1,ܑde*GY^'9&yňTܠ/ Ak UO$%peGF <{=}KkGk"uz],'p˴38W_q[$ vܣ<`xC/'j,ssF_댴odVT0~S>uZn qa<F:4> x={K%I~DÜb|]ᯀ _7Whr(g;%JA5 ;£FPa_o~_ntvQ@)OxWß[)}ۺH{Rpt'kD7zcD\B@%="BK0`X;؂+;|Cg'"ڎ :~6{r6>g>yiv6xϏ~/Ij[q˲D9PxAnHo: ̄ԟ `ޛI#ȗr2X洃q<1'?KL66n$ű,p%Q6@KH4Om^Ax$.3ubZ (*@OM𧃥wpSjL,p#t yg^XK:ݣAWnOLf?঑a}=[Tl,M}f^q@MW|''qxU7,q| ʎpTK Wx)m؏/HLxg$T pWA6~!{kwʙ UlFx Р+YjZ"[w0Zja-fu|P0=n|_>7s]Gl n0pÑHkC<+/]K2af1{nF lX!m'{B8}=q@oן0gٷovy\ךxLv/n&"Q#]]HRN CzSm(%$B(9?x#i+B=L$K2c`Ev{_=Z};qKw7' aG rw?±k& K{%i) ؇_1`G|D \I@q$mY;pIx]!=7J8aj(>k1*M9;`PY^?&,7֍kk =,gYBcv @b 6Qs3לg5X=jM9*_q˰_λ;4AƅtV@1̓ *dž^Bvee`\av;AB͍W_]|cnl|R ?A *?u(|KjZ;IR[h/bf.DZcV2Ns(((((((((((((|*}jG{$.o 8!8=Mx rO63.L99zWQ@߃< K{) q9 ,ǜn I9>g62Z#,#'=pצs7|=;J1 h> ۙ%,IV8/+\i??on !e񝤂0@x=@#5K?A C\[v'oE>q zWQ@C|iw9ppO\)?jܻOl>ynw1Q@Q@O||Cwx{ڮ}},:|ۼJ2KgNkŽ?qkd2ESҴK4hdQ'E̒rI0ߵy_߳?3<C!c}e?y{Hrqں (_X~ݭϛy:sO7VEJ$E `*J(iO4>Z{lݴX 8q3^Es~5V/T"[kWUbYpw+ aoJ}S@|sI4q`q,X]e!~뎼|o| 渜c7$ x!(T)$r(eu#x 1RQ@G&TGxi J3 +oW+$cAJ%_5{Oīe#:)pz?K0~nw(Xz][Gmgn":(dII5u-ֽj^w{ ,C:2WQ@/~ϖ^Z첫ϩe܊B/SfV1HH?1ϱm"vz( Lwm"v߱N3&^.^%׼7KwpcFPX # J(SӋ]Uy;̻C(@2 r0  ռG4I#C+ qM/ n|X] P69 |,Ojvf8 (7oEO DWU"FA8¶HzPEPEPEPEPEPEPEPEPEPEPEPR׈<#rV7wZBX :'n OƫOiRɣ,1Fqn{ikc6y$(ܒI9wu741$ cװJ>>~ h^E%JY99(N@bv+"ΝyDp6Ă 0< Q^o⛏ڿ Eci1^+2*/Cm s^#^:$Ԗ1% \`HQ\|Yg'ۭb$@TtK/3 W4mr][hm>~Q𷊴6{+#pjlǴH+&xT?k^@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@/Së [A7Kp#OJ~xKӤ1\K!0G8 +RGYOi-鸹Y:R gEw|Ww}xKZ1Ǭx}區S'qFR rI$^^CLO-/ܙ*'.jVm|eOh\VZUC@T;FC~<ͅ#Zݢp2؀@??W<uSo6{I_-Tjχ46v9fE% x\瞛x7/o]뚆iX DLtp _|Y`Zo̺ei}x6Vp9ui^ Ԭ~20{C-QFXm?v ? OxKl/ǕqZ/nS8G9ߕzFZ}=푷w,cJj{V|>ѦΛ5n).|<Ʃ}x\5MLZƈ\"ds@9N滣h^$@;V2N", QikG{~>$jZE.ዎ/Ol? McCo~5ԭ崧?0\8;I*yq߃7񅄗^']yvF-RPrWxL- V: LRX)?Ar`;m !?ԭu{M>ST ͏/895I ~YxZ}BK;,sЄ*N q|bXXk3gtr<Ӡu=~ĺ|]rjГDJ!@D#dB;f"mR4)-oYnoczKAfSnH z߆+˭oXC{5Ԏ"ar%Q68U/9w«ˏ<ako: 7-Xۜg`U {|j hrZD̞X 2-2 ^w&VnCWq@=v.?\Rk=k|:w DTu PttmKi +xi,U(' z E)WާAmky}nK}<;^,tGCM1cr'mrXq3?yst#:| 73N_K_aGfM}hݘou{Nş A`kj~%jqg;m0mqzZOYxF/jvnBjN99(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((PKzmzhzPKAOEBPS/dcommon/contbig.gif`GIF87a!!!111999BBBJJJRRRccckkksss{{{skk{{ZRRRJJƽ{sZRJRJB91)kcZB9)sskZRJ1޽ƽ{{ssskkkcƵZZRccZRRJJJB{BB9991ssckkZccR))!RRB!!JJ1))99!11ƌ)1R)k֔)s1RZJR{BJs9R1J!11J1J9k{csZk!1J!)cBR9J1B)91B!cRs{!)s!){1B!k!s!{ksksckckZc9B)1!)!)BJ9B1919έƌ!!)JJcZZ{!!!1RR{JJsBBkJJ{!!9BB{1!!J9)!!Z!!c1!!kR!!s9Z!BckJs)19!!c!!ZRZ,H rrxB(Kh" DժuICiи@S z$G3TTʖ&7!f b`D 0!A  k,>SO[!\ *_t  Exr%*_}!#U #4 & ֩3|b]L ]t b+Da&R_2lEٱZ`aC)/яmvUkS r(-iPE Vv_{z GLt\2s!F A#葡JY r|AA,hB}q|B`du }00(䡆<pb,G+oB C0p/x$…– ]7 @2HFc ) @AD \0 LHG',(A` `@SC)_" PH`}Y+_|1.K8pAKMA @?3҄$[JPA)+NH I ,@8G0/@R T,`pF8Ѓ)$^$ DDTDlA@ s;PKPKAOEBPS/dcommon/darbbook.cssPKPKA!OEBPS/dcommon/O_signature_clr.JPG"(JFIF``C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (?O '~MQ$Vz;OlJi8L%\]UFjޙ%ԯS;rA]5ފ<׈]j7Ouyq$z'TQuw7Ŀ KX߁M2=S'TQt?.5w'97;~pq=" ~k?`'9q6 E|yayM^Om'fkC&<5x' ?A?Zx'jß={=SßM gVC.5+Hd֪xc^)Җufz{Cީ|D Vkznq|+Xa+{50rx{|OG.OϞ~f/ xxX[2H )c+#jpUOZYX\=SG ߨC|K@;_߆'e?LT?]:?>w ڔ`D^So~xo[Ӡ3i7B:Q8 Vc-ďoi:FM292~y_*_闱YN\Fr=xZ3鳎OwW_QEzW~c]REeaSM}}Hӏ4&.E]u=gMѠ+mF`rNn$w9gMa꺢nTuhf2Xv>އ a(Û6߭?<=>z'TQuw7Ŀ KX߁M2=S'TQt?.5Kko\.8S$TOX߀Gw?Zx汴X)C7~.i6(Щ=+4{mGӭ¸-]&'t_kV*I<1)4thtIsqpQJ+> \m^[aJ5)ny:4o&QEnyAEPEEss 72,PDۢ׃K W{Wjr+wگ iM/;pd?~&?@;7E4gv8 $l'z'TQuw7Ŀ Gֱ=ɿ&G?. iR(5W*$|?w᫼gkmIbHe/_t>tg%y.l}N5[]+Mk0ĠeHdPrsst'UiC,y8`V%9ZIia|ܪvi מYG,o}+kk{YbyIeb*sAtի82zWoEK5z*o-eo;n(P u-I)4Š(HQEQEQEQEhz(X/Đ?}Bk˩ ݏrk0]4>8XzV? }6$}d^F>nU K ?Bտk_9׾x~w'ߞ  uDŽtL ؈5c-E/"|_Oo.IH쐍=i*Iw5(ںw?t5s.)+tQ2dUt5Vĺ.jZ"@IRrZƅY4ߡ_;}ų(KyQf1Aǵt?sZg+?F5_oQR&Dg߿]6FuRD u>ڿxl7?IT8'shj^=.=J1rj1Wl$얲cPx;E,p$֟ˏkw qg"45(ǛkV/=+ũ)bYl~K#˝J_כ5&\F'I#8/|wʾ_Xj Q:os^T1.M_|TO.;?_  jF?g N 8nA2F%i =qW,G=5OU u8]Rq?wr'˻S+۾.ܼ 87Q^elo/T*?L|ۚ<%<,/v_OKs B5f/29n0=zqQq(ª=VX@*J(э(f5qJN_EVǞQEOuoѕOuoa5}gO?:߂8Wא|cڽ~]N&O( (<]>͠@VQ=^~U ̴m&\խ5i:}|}r~9՝f}_>'vVֲ$~^f30^in{\_.O F8to}?${φ|#x^#^n~w=~k~?'KRtO.㌡h![3Zu*ٷճ(ԟ]z_/W1(ԟ]v~g|Yq<ז0 ; b8֮s,w9\?uEyStKaª@\,)) (!EPEPEPEPEPzѧts{v>C/"N6`d*J2gGӧWqBq_1ZuΓ\X]r?=Ey88Mp&pKtO-"wR2 K^-Z< \c>V0^@O7x2WFjs<׻kZ(<Т(OFw/6$1[:ޯԯ#q~4|,LVPem=@=YLUxӃV}AUbcUB.Ds5*kٸAeG>PJxt͝ b88?*$~@ׯD VkraiJs}Q.20x&mXξ,Z]“A-J#`+-E/"<]\a'tZGy.(|lދ~gMK OZdxDŽU9T6ϯ^<Ϡt5CZ]].t۫S=s`ڳ%8iVK:nqe+#<.T6U>zWoy3^I {F?J~=G}k)K$$;$de8*G Uӟ4Ocºw}|]4=ݣ\x$ʠms?q^ipw\"ȿPs^Z Q_0GڼU.t}ROM[G#]8wٞ ӫ87}Cgw vHȩBM55vof =A_٭`Ygx[6 P,5}>蚊(0(+?>+?> k|TuXq6_ +szk :u_ Z߶Ak_U}Jc2u/1[_»ݸG41-bሬ۴}}Eȹפ_c?5gi @cL\L<68hF_Ih>X4K7UТ sMj =J7CKo>Օ5s:߀t ~ηaٿ?|gdL8+gG%o?x`دOqȱwc¨&TW_V_aI=dpG!wu۞սZ1yL50$(l3(:~'ַo A}a3N*[0ǭ HKQV}G@֜$ 9of$ArNqUOgË05#m?D)^_h//5_/<?4}Jį+GkpG4"$ r| >S4Ђ"S 1%R:ȝ 8;PKPz PKAOEBPS/dcommon/feedback.gif7GIF89a'%(hp|fdx?AN5:dfeDGHɾTdQc`g*6DC\?ؘ||{;=E6JUՄfeA= >@,4`H.|`a (Q 9:&[|ځ,4p Y&BDb,!2@, $wPA'ܠǃ@CO~/d.`I @8ArHx9H75j L 3B/` P#qD*s 3A:3,H70P,R@ p!(F oԥ D;"0 ,6QBRɄHhI@@VDLCk8@NBBL2&pClA?DAk%$`I2 #Q+l7 "=&dL&PRSLIP)PɼirqМ'N8[_}w;PK-PKAOEBPS/dcommon/booklist.gifGIF89a1޵֥΄kZ{Jk1Rs!BZ)B),@I9Z͓Ca % Dz8Ȁ0FZЌ0P !x8!eL8aWȠFD(~@p+rMS|ӛR$ v "Z:]ZJJEc{*=AP  BiA ']j4$*   & 9q sMiO?jQ = , YFg4.778c&$c%9;PKː5PKAOEBPS/dcommon/cpyr.htm1 Oracle Legal Notices

Oracle Legal Notices

Copyright Notice

Copyright © 1994-2012, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice

If this document is in prerelease status:

This documentation is in prerelease status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

Oracle Logo

PKN61PKAOEBPS/dcommon/masterix.gif.GIF89a1ޜΌscJk1Rs!Bc1J),@IS@0"1 Ѿb$b08PbL,acr B@(fDn Jx11+\%1 p { display: none; } /* Class Selectors */ .ProductTitle { font-family: sans-serif; } .BookTitle { font-family: sans-serif; } .VersionNumber { font-family: sans-serif; } .PrintDate { font-family: sans-serif; font-size: small; } .PartNumber { font-family: sans-serif; font-size: small; } PKeӺ1,PKAOEBPS/dcommon/larrow.gif#GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШtpHc`  өb[.64ꑈ53=Z]'yuLG*)g^!8C?-6(29K"Ĩ0Яl;U+K9^u2,@@ (\Ȱ Ë $P`lj 8x I$4H *(@͉0dа8tA  DсSP v"TUH PhP"Y1bxDǕ̧_=$I /& .)+ 60D)bB~=0#'& *D+l1MG CL1&+D`.1qVG ( "D2QL,p.;u. |r$p+5qBNl<TzB"\9e0u )@D,¹ 2@C~KU 'L6a9 /;<`P!D#Tal6XTYhn[p]݅ 7}B a&AƮe{EɲƮiEp#G}D#xTIzGFǂEc^q}) Y# (tۮNeGL*@/%UB:&k0{ &SdDnBQ^("@q #` @1B4i@ aNȅ@[\B >e007V[N(vpyFe Gb/&|aHZj@""~ӎ)t ? $ EQ.սJ$C,l]A `8A o B C?8cyA @Nz|`:`~7-G|yQ AqA6OzPbZ`>~#8=./edGA2nrBYR@ W h'j4p'!k 00 MT RNF6̙ m` (7%ꑀ;PKl-OJPKAOEBPS/dcommon/index.gifGIF89a1޵ΥΥ{sc{BZs,@IM" AD B0 3.R~[D"0, ]ШpRNC  /& H&[%7TM/`vS+-+ q D go@" 4o'Uxcxcc&k/ qp zUm(UHDDJBGMԃ;PK(PKAOEBPS/dcommon/bookbig.gif +GIF89a$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9B!& Imported from GIF image: bookbig.gif,$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9BH`\Ȑ:pظа"A6DBH,V@Dڹ'G"v Æ ܥ;n;!;>xAܽ[G.\rQC wr}BŊQ A9ᾑ#5Y0VȒj0l-GqF>ZpM rb ;=.ސW-WѻWo ha!}~ْ ; t 53 :\ 4PcD,0 4*_l0K3-`l.j!c Aa|2L4/1C`@@md;(H*80L0L(h*҇҆o#N84pC (xO@ A)J6rVlF r  fry†$r_pl5xhA+@A=F rGU a 1х4s&H Bdzt x#H%Rr (Ѐ7P`#Rщ'x" #0`@~i `HA'Tk?3!$`-A@1l"P LhʖRG&8A`0DcBH sq@AXB4@&yQhPAppxCQ(rBW00@DP1E?@lP1%T` 0 WB~nQ@;PKGC PKAOEBPS/dcommon/rarrow.gif/GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШLlԸ NCqWEd)#34vwwpN|0yhX!'+-[F 'n5 H $/14w3% C .90" qF 7&E "D mnB|,c96) I @0BW{ᢦdN p!5"D`0 T 0-]ʜ$;PKJV^PKAOEBPS/dcommon/mix.gifkGIF89aZZZBBBJJJkkk999sss!!!111cccֽ{{{RRR)))猌ƭ{s{sks!,@@pH,B$ 8 t:<8 *'ntPP DQ@rIBJLNPTVEMOQUWfj^!  hhG H  kCúk_a Ǥ^ h`B BeH mm  #F` I lpǎ,p B J\Y!T\(dǏ!Gdˆ R53ټ R;iʲ)G=@-xn.4Y BuU(*BL0PX v`[D! | >!/;xP` (Jj"M6 ;PK枰pkPKAOEBPS/dcommon/doccd_epub.jsM /* Copyright 2006, 2012, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2012.3.17 */ function addLoadEvent(func) { var oldOnload = window.onload; if (typeof(window.onload) != "function") window.onload = func; else window.onload = function() { oldOnload(); func(); } } function compactLists() { var lists = []; var ul = document.getElementsByTagName("ul"); for (var i = 0; i < ul.length; i++) lists.push(ul[i]); var ol = document.getElementsByTagName("ol"); for (var i = 0; i < ol.length; i++) lists.push(ol[i]); for (var i = 0; i < lists.length; i++) { var collapsible = true, c = []; var li = lists[i].getElementsByTagName("li"); for (var j = 0; j < li.length; j++) { var p = li[j].getElementsByTagName("p"); if (p.length > 1) collapsible = false; for (var k = 0; k < p.length; k++) { if ( getTextContent(p[k]).split(" ").length > 12 ) collapsible = false; c.push(p[k]); } } if (collapsible) { for (var j = 0; j < c.length; j++) { c[j].style.margin = "0"; } } } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(compactLists); function processIndex() { try { if (!/\/index.htm(?:|#.*)$/.test(window.location.href)) return false; } catch(e) {} var shortcut = []; lastPrefix = ""; var dd = document.getElementsByTagName("dd"); for (var i = 0; i < dd.length; i++) { if (dd[i].className != 'l1ix') continue; var prefix = getTextContent(dd[i]).substring(0, 2).toUpperCase(); if (!prefix.match(/^([A-Z0-9]{2})/)) continue; if (prefix == lastPrefix) continue; dd[i].id = prefix; var s = document.createElement("a"); s.href = "#" + prefix; s.appendChild(document.createTextNode(prefix)); shortcut.push(s); lastPrefix = prefix; } var h2 = document.getElementsByTagName("h2"); for (var i = 0; i < h2.length; i++) { var nav = document.createElement("div"); nav.style.position = "relative"; nav.style.top = "-1.5ex"; nav.style.left = "1.5em"; nav.style.width = "90%"; while (shortcut[0] && shortcut[0].toString().charAt(shortcut[0].toString().length - 2) == getTextContent(h2[i])) { nav.appendChild(shortcut.shift()); nav.appendChild(document.createTextNode("\u00A0 ")); } h2[i].parentNode.insertBefore(nav, h2[i].nextSibling); } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(processIndex); PKo"nR M PKAOEBPS/dcommon/toc.gifGIF89a1ΥΥ{c{Z{JkJk1Rk,@IK% 0| eJB,K-1i']Bt9dz0&pZ1o'q(؟dQ=3S SZC8db f&3v2@VPsuk2Gsiw`"IzE%< C !.hC IQ 3o?39T ҍ;PKv I PKAOEBPS/dcommon/topnav.gifGIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)-'KR$&84 SI) XF P8te NRtHPp;Q%Q@'#rR4P fSQ o0MX[) v + `i9gda/&L9i*1$#"%+ ( E' n7Ȇ(,҅(L@(Q$\x 8=6 'נ9tJ&"[Epljt p#ѣHb :f F`A =l|;&9lDP2ncH R `qtp!dȐYH›+?$4mBA9 i@@ ]@ꃤFxAD*^Ŵ#,(ε  $H}F.xf,BD Z;PK1FAPKAOEBPS/dcommon/bp_layout.css# @charset "utf-8"; /* bp_layout.css Copyright 2007, Oracle and/or its affiliates. All rights reserved. */ body { margin: 0ex; padding: 0ex; } h1 { display: none; } #FOOTER { border-top: #0d4988 solid 10px; background-color: inherit; color: #e4edf3; clear: both; } #FOOTER p { font-size: 80%; margin-top: 0em; margin-left: 1em; } #FOOTER a { background-color: inherit; color: gray; } #LEFTCOLUMN { float: left; width: 50%; } #RIGHTCOLUMN { float: right; width: 50%; clear: right; /* IE hack */ } #LEFTCOLUMN div.portlet { margin-left: 2ex; margin-right: 1ex; } #RIGHTCOLUMN div.portlet { margin-left: 1ex; margin-right: 2ex; } div.portlet { margin: 2ex 1ex; padding-left: 0.5em; padding-right: 0.5em; border: 1px #bcc solid; background-color: #f6f6ff; color: black; } div.portlet h2 { margin-top: 0.5ex; margin-bottom: 0ex; font-size: 110%; } div.portlet p { margin-top: 0ex; } div.portlet ul { list-style-type: none; padding-left: 0em; margin-left: 0em; /* IE Hack */ } div.portlet li { text-align: right; } div.portlet li cite { font-style: normal; float: left; } div.portlet li a { margin: 0px 0.2ex; padding: 0px 0.2ex; font-size: 95%; } #NAME { margin: 0em; padding: 0em; position: relative; top: 0.6ex; left: 10px; width: 80%; } #PRODUCT { font-size: 180%; } #LIBRARY { color: #0b3d73; background: inherit; font-size: 180%; font-family: serif; } #RELEASE { position: absolute; top: 28px; font-size: 80%; font-weight: bold; } #TOOLS { list-style-type: none; position: absolute; top: 1ex; right: 2em; margin: 0em; padding: 0em; background: inherit; color: black; } #TOOLS a { background: inherit; color: black; } #NAV { float: left; width: 96%; margin: 3ex 0em 0ex 0em; padding: 2ex 0em 0ex 4%; /* Avoiding horizontal scroll bars. */ list-style-type: none; background: transparent url(../gifs/nav_bg.gif) repeat-x bottom; } #NAV li { float: left; margin: 0ex 0.1em 0ex 0em; padding: 0ex 0em 0ex 0em; } #NAV li a { display: block; margin: 0em; padding: 3px 0.7em; border-top: 1px solid gray; border-right: 1px solid gray; border-bottom: none; border-left: 1px solid gray; background-color: #a6b3c8; color: #333; } #SUBNAV { float: right; width: 96%; margin: 0ex 0em 0ex 0em; padding: 0.1ex 4% 0.2ex 0em; /* Avoiding horizontal scroll bars. */ list-style-type: none; background-color: #0d4988; color: #e4edf3; } #SUBNAV li { float: right; } #SUBNAV li a { display: block; margin: 0em; padding: 0ex 0.5em; background-color: inherit; color: #e4edf3; } #SIMPLESEARCH { position: absolute; top: 5ex; right: 1em; } #CONTENT { clear: both; } #NAV a:hover, #PORTAL_1 #OVERVIEW a, #PORTAL_2 #OVERVIEW a, #PORTAL_3 #OVERVIEW a, #PORTAL_4 #ADMINISTRATION a, #PORTAL_5 #DEVELOPMENT a, #PORTAL_6 #DEVELOPMENT a, #PORTAL_7 #DEVELOPMENT a, #PORTAL_11 #INSTALLATION a, #PORTAL_15 #ADMINISTRATION a, #PORTAL_16 #ADMINISTRATION a { background-color: #0d4988; color: #e4edf3; padding-bottom: 4px; border-color: gray; } #SUBNAV a:hover, #PORTAL_2 #SEARCH a, #PORTAL_3 #BOOKS a, #PORTAL_6 #WAREHOUSING a, #PORTAL_7 #UNSTRUCTURED a, #PORTAL_15 #INTEGRATION a, #PORTAL_16 #GRID a { position: relative; top: 2px; background-color: white; color: #0a4e89; } PK3( # PKAOEBPS/dcommon/bookicon.gif:GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ޭ{{ZRRcZZRJJJBB)!!skRB9{sν{skskcZRJ1)!֭ƽ{ZZRccZJJBBB999111)JJ9BB1ZZB!!ﭵBJJ9BB!!))Jk{)1!)BRZJ{BsR!RRJsJ!J{s!JsBkks{RsB{J{c1RBs1ZB{9BJ9JZ!1BJRRs!9R!!9Z9!1)J19JJRk19R1Z)!1B9R1RB!)J!J1R)J119!9J91!9BkksBBJ119BBR!))9!!!JB1JJ!)19BJRZckތ1)1J9B,H*\hp >"p`ƒFF "a"E|ժOC&xCRz OBtX>XE*O>tdqAJ +,WxP!CYpQ HQzDHP)T njJM2ꔀJ2T0d#+I:<жk 'ꤱF AB @@nh Wz' H|-7f\A#yNR5 /PM09u UjćT|q~Yq@&0YZAPa`EzI /$AD Al!AAal 2H@$ PVAB&c*ؠ p @% p-`@b`uBa l&`3Ap8槖X~ vX$Eh`.JhAepA\"Bl, :Hk;PKx[?:PKAOEBPS/dcommon/conticon.gif^GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ZRR޽{{ssskkkcccZ991ccRZZBBJJZck)19ZcsBJZ19J!k{k)Z1RZs1!B)!J91{k{)J!B!B911)k{cs!1s!9)s!9!B!k)k1c!)Z!R{9BJcckZZcBBJ99B119{{!!)BBRBBZ!))999R99Z!!999c1!9!)19B1)!B9R,  oua\h2SYPa aowwxYi 9SwyyxxyYSd $'^qYȵYvh ч,/?g{н.J5fe{ڶyY#%/}‚e,Z|pAܠ `KYx,ĉ&@iX9|`p ]lR1khٜ'E 6ÅB0J;t X b RP(*MÄ!2cLhPC <0Ⴁ  $4!B 6lHC%<1e H 4p" L`P!/,m*1F`#D0D^!AO@..(``_؅QWK>_*OY0J@pw'tVh;PKp*c^PKAOEBPS/dcommon/blafdoc.cssL@charset "utf-8"; /* Copyright 2002, 2011, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2011.10.7 */ body { font-family: Tahoma, sans-serif; /* line-height: 125%; */ color: black; background-color: white; font-size: small; } * html body { /* http://www.info.com.ph/~etan/w3pantheon/style/modifiedsbmh.html */ font-size: x-small; /* for IE5.x/win */ f\ont-size: small; /* for other IE versions */ } h1 { font-size: 165%; font-weight: bold; border-bottom: 1px solid #ddd; width: 100%; } h2 { font-size: 152%; font-weight: bold; } h3 { font-size: 139%; font-weight: bold; } h4 { font-size: 126%; font-weight: bold; } h5 { font-size: 113%; font-weight: bold; display: inline; } h6 { font-size: 100%; font-weight: bold; font-style: italic; display: inline; } a:link { color: #039; background: inherit; } a:visited { color: #72007C; background: inherit; } a:hover { text-decoration: underline; } a img, img[usemap] { border-style: none; } code, pre, samp, tt { font-family: monospace; font-size: 110%; } caption { text-align: center; font-weight: bold; width: auto; } dt { font-weight: bold; } table { font-size: small; /* for ICEBrowser */ } td { vertical-align: top; } th { font-weight: bold; text-align: left; vertical-align: bottom; } ol ol { list-style-type: lower-alpha; } ol ol ol { list-style-type: lower-roman; } td p:first-child, td pre:first-child { margin-top: 0px; margin-bottom: 0px; } table.table-border { border-collapse: collapse; border-top: 1px solid #ccc; border-left: 1px solid #ccc; } table.table-border th { padding: 0.5ex 0.25em; color: black; background-color: #f7f7ea; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } table.table-border td { padding: 0.5ex 0.25em; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } span.gui-object, span.gui-object-action { font-weight: bold; } span.gui-object-title { } p.horizontal-rule { width: 100%; border: solid #cc9; border-width: 0px 0px 1px 0px; margin-bottom: 4ex; } div.zz-skip-header { display: none; } td.zz-nav-header-cell { text-align: left; font-size: 95%; width: 99%; color: black; background: inherit; font-weight: normal; vertical-align: top; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-header-link { font-size: 95%; } td.zz-nav-button-cell { white-space: nowrap; text-align: center; width: 1%; vertical-align: top; padding-left: 4px; padding-right: 4px; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-button-link { font-size: 90%; } div.zz-nav-footer-menu { width: 100%; text-align: center; margin-top: 2ex; margin-bottom: 4ex; } p.zz-legal-notice, a.zz-legal-notice-link { font-size: 85%; /* display: none; */ /* Uncomment to hide legal notice */ } /*************************************/ /* Begin DARB Formats */ /*************************************/ .bold, .codeinlinebold, .syntaxinlinebold, .term, .glossterm, .seghead, .glossaryterm, .keyword, .msg, .msgexplankw, .msgactionkw, .notep1, .xreftitlebold { font-weight: bold; } .italic, .codeinlineitalic, .syntaxinlineitalic, .variable, .xreftitleitalic { font-style: italic; } .bolditalic, .codeinlineboldital, .syntaxinlineboldital, .titleinfigure, .titleinexample, .titleintable, .titleinequation, .xreftitleboldital { font-weight: bold; font-style: italic; } .itemizedlisttitle, .orderedlisttitle, .segmentedlisttitle, .variablelisttitle { font-weight: bold; } .bridgehead, .titleinrefsubsect3 { font-weight: bold; } .titleinrefsubsect { font-size: 126%; font-weight: bold; } .titleinrefsubsect2 { font-size: 113%; font-weight: bold; } .subhead1 { display: block; font-size: 139%; font-weight: bold; } .subhead2 { display: block; font-weight: bold; } .subhead3 { font-weight: bold; } .underline { text-decoration: underline; } .superscript { vertical-align: super; } .subscript { vertical-align: sub; } .listofeft { border: none; } .betadraft, .alphabetanotice, .revenuerecognitionnotice { color: #e00; background: inherit; } .betadraftsubtitle { text-align: center; font-weight: bold; color: #e00; background: inherit; } .comment { color: #080; background: inherit; font-weight: bold; } .copyrightlogo { text-align: center; font-size: 85%; } .tocsubheader { list-style-type: none; } table.icons td { padding-left: 6px; padding-right: 6px; } .l1ix dd, dd dl.l2ix, dd dl.l3ix { margin-top: 0ex; margin-bottom: 0ex; } div.infoboxnote, div.infoboxnotewarn, div.infoboxnotealso { margin-top: 4ex; margin-right: 10%; margin-left: 10%; margin-bottom: 4ex; padding: 0.25em; border-top: 1pt solid gray; border-bottom: 1pt solid gray; } p.notep1 { margin-top: 0px; margin-bottom: 0px; } .tahiti-highlight-example { background: #ff9; text-decoration: inherit; } .tahiti-highlight-search { background: #9cf; text-decoration: inherit; } .tahiti-sidebar-heading { font-size: 110%; margin-bottom: 0px; padding-bottom: 0px; } /*************************************/ /* End DARB Formats */ /*************************************/ @media all { /* * * { line-height: 120%; } */ dd { margin-bottom: 2ex; } dl:first-child { margin-top: 2ex; } } @media print { body { font-size: 11pt; padding: 0px !important; } a:link, a:visited { color: black; background: inherit; } code, pre, samp, tt { font-size: 10pt; } #nav, #search_this_book, #comment_form, #comment_announcement, #flipNav, .noprint { display: none !important; } body#left-nav-present { overflow: visible !important; } } PKʍPKAOEBPS/dcommon/rightnav.gif&GIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)- $CҠҀ ! D1 #:aS( c4B0 AC8 ְ9!%MLj Z * ctypJBa H t>#Sb(clhUԂ̗4DztSԙ9ZQҀEPEPEPEPEPEPEPM=iԍP Gii c*yF 1׆@\&o!QY00_rlgV;)DGhCq7~..p&1c:u֫{fI>fJL$}BBP?JRWc<^j+χ5b[hֿ- 5_j?POkeQ^hֿ1L^ H ?Qi?z?+_xɔŪ\썽O]χ>)xxV/s)e6MI7*ߊޛv֗2J,;~E4yi3[nI`Ѱe9@zXF*W +]7QJ$$=&`a۾?]N T䏟'X)Ɣkf:j |>NBWzYx0t!* _KkoTZ?K Gc+UyڹgNuh^iSo5{\ܹ3Yos}.>if FqR5\/TӮ#]HS0DKu{($"2xִ{SBJ8=}Y=.|Tsц2UЫ%.InaegKo z ݎ3ֹxxwM&2S%';+I',kW&-"_¿_ Vq^ܫ6pfT2RV A^6RKetto^[{w\jPZ@ޢN4/XN#\42j\(z'j =~-I#:q[Eh|X:sp* bifp$TspZ-}NM*B-bb&*xUr#*$M|QWY ~p~- fTED6O.#$m+t$˙H"Gk=t9r娮Y? CzE[/*-{c*[w~o_?%ƔxZ:/5𨴟q}/]22p qD\H"K]ZMKR&\C3zĽ[PJm]AS)Ia^km M@dК)fT[ijW*hnu Ͳiw/bkExG£@f?Zu.s0(<`0ֹoxOaDx\zT-^ѧʧ_1+CP/p[w 9~U^[U<[tĽwPv[yzD1W='u$Oeak[^ |Gk2xv#2?¹TkSݕ| rݞ[Vi _Kz*{\c(Ck_܏|?u jVڔ6f t?3nmZ6f%QAjJf9Rq _j7Z-y.pG$Xb]0')[_k;$̭?&"0FOew7 z-cIX岛;$u=\an$ zmrILu uٞ% _1xcUW%dtÀx885Y^gn;}ӭ)場QEQ@Q@Q@Q@Q@Q@!4xPm3w*]b`F_931˜[ן+(> E ly;<;MF-qst+}DH @YKlLmؤciN<|]IU)Lw(8t9FS(=>og<\Z~u_+X1ylsj'eՃ*U3`C!N9Q_WܱhKc93^ua>H ƕGk=8~e#_?{ǀe-[2ٔ7;=&K挑5zsLdx(e8#{1wS+ΝVkXq9>&yஏh$zq^0~/j@:/«Vnce$$uoPp}MC{$-akH@ɫ1O !8R9s5ԦYmϧ'OUṡ5T,!Ԛ+s#1Veo=[)g>#< s)ƽُA^䠮ωFUj(ǩ|N3Jڷ睁ϱuږZYGOTsI<&drav?A^_f׻B$,O__ԿC`it{6>G׈C~&$y؎v1q9Sc1fH[ѽ>,gG'0'@Vw,BO [#>ﱺg5ΒFVD%Yr:O5 Tu+O멃]ی38Ze}R&ѝ_xzc1DXgس;<,_,{ƽY'AS#oF.M#~cBuEx7G+Y)(5q+GCV;qF+CLQ)qEC&6z𿊘z}?&w=+)??&\g{;V??׻xGœdٿ׼-Nc')3K]N)iLTӿCdb7Q^a N sd>Fz[0S^s'Zi 77D}kWus ab~~H(>.fif9,~|Jk;YN3H8Y(t6Q݉k͇_÷Z+2߄&[ +Tr^藺97~c܎=[f1RrBǓ^kEMhxYVm<[џ6| kqbѱ| YA{G8p?\UM7Z66 g1U1igU69 u5Pƪ:VVZC=[@ҹ¨$kSmɳО\vFz~i3^a Osŧυ9Q}_3 όO{/wgoet39 vO2ea;Ύ7$U#?k+Ek&dpzbӱ+TaB0gN{[N7Gי}U7&@?>Fz~E!a@s ?'67XxO*!?qi]֏TQN@tI+\^s8l0)2k!!iW8F$(yOּT.k,/#1:}8uT˾+5=O/`IW G֯b.-<= HOm;~so~hW5+kS8s.zwE| ?4ӿw/K N 9?j(#0UT` Wzw}:_*9m>󑓀F?ELzv=8q:=WgJ`nDr Zе<ֹ](Q@Q@Q@Q@Q@Q@Q@Q@ 'IdC0EYJVcMty_~u+Sw-aO n<[YJgL#6i g5ЖDZ14cʝ!!\/M}/_AYR__>oC? _?7_G#RERW쏞KB}JxGSkǕA pƱơP m]hwB7U$Zq M95"3q1ioATߚ{g.t uu2k=;h#YB= fgS :TdLԃ!44mFK{Hrd^7oz|BVr<{)6AXգV»|>*/hS܏z͆OM=Εq (s|s׊LKQI :9NJ)P+!ʣoAF>+=@I}"x/}۠1aנc¹4emC:>p_xWKX` >R3_S½èųp3޺u3N e یbmͺ<_ mnݮ1Op?Gm)Qb%N585'%Ahs\6yw!"&Ɨ._wk)}GP;Z!#\"< *oƾ\)}N>"լ/~]Lg}pBG X?<zZ#x69S=6) jzx=y9O&>+e!!? ?s~k5Gʏ)?*ce7Ox~k5􇔾Q/e7/Ԑ#3OgNC0] ;_FiRl>Q.g>!%k#ú:Kn'&}?U@\pџPtp)v<{_i}Oվֲ3XIYIx~b<D?(=_JXH=bbi=Oh?_ C_O)}oW쏜? %Ƶ;-RYFi`wۭ{ϖZMtQ$"c_+ԃx1*0b;ԕ݋ESQEQEQEQEQEQEQEQEQEQZ(1F)h1K@XLRE&9P (bf{RӨ&)PEPEPbԴPGKZ(iإbn(:A%S0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((PKje88PKAOEBPS/dcommon/help.gif!GIF89a1εֵ֜֜{kZsBc{,@ )sƠTQ$8(4ʔ%ŌCK$A HP`$h8ŒSd+ɡ\ H@%' 6M HO3SJM /:Zi[7 \( R9r ERI%  N=aq   qƦs *q-n/Sqj D XZ;PKއ{&!PKA OEBPS/toc.htm, Oracle Communications Converged Application Server Security Guide , Release 5.1

Contents

Title and Copyright Information

Preface

1 Converged Application Server Security Overview

2 Converged Application Server Security Concepts

3 Configuring Digest Authentication

4 Configuring Client-Cert Authentication

5 Configuring SIP Servlet Identity Assertion Mechanisms

6 Configuring 3GPP HTTP Authentication Assertion Providers

PK܌1,PKAOEBPS/sec_security_overview.htm&I Converged Application Server Security Concepts

2 Converged Application Server Security Concepts

This chapter describes the Oracle Communications Converged Application Server security features:

About Application Security

The SIP Servlet Specification (JSR 289) describes programmatic security considerations applicable to SIP Servlets. SIP Servlet security features are similar to those applicable to HTTP Servlets. Security features provided by the underlying WebLogic server platform can be applied to both types of servlets. You can find additional information about HTTP Servlet security by referring to the Oracle WebLogic Server 11g documentation.

For SIP servlet security programming considerations specific for Converged Application Server development, see information about securing SIP servlet resources in the Oracle Communications Converged Application Server Developer's Guide.

Authentication for SIP Servlets

Converged Application Server users must be authenticated when they request access to a protected resource, such as a protected method within a deployed SIP Servlet. Converged Application Server enables you to implement user authentication for SIP Servlets using any of the following techniques:

  • DIGEST authentication uses a simple challenge-response mechanism to verify the identity of a user over SIP. This technique is described in "Configuring Digest Authentication". To authenticate over HTTP, application developers must provide their own implementations.

  • CLIENT-CERT authentication uses an X509 certificate chain passed to the SIP application to authenticate a user. The X509 certificate chain can be provided in a number of different ways. In the most common case, two-way SSL handshake is performed before transmitting the chain to ensure secure communication between the client and server. CLIENT-CERT authentication is described fully in "Configuring Client-Cert Authentication".

  • BASIC authentication uses the Authorization SIP header to transmit the username and password to SIP Servlets. BASIC authentication is deprecated in RFC 3261 and is not recommended for production systems. This document does not provide configuration instructions for using BASIC authentication.

Different SIP Servlets deployed on Converged Application Server can use different authentication mechanisms as necessary. The required authentication mechanism is specified in the auth-method element of the SIP Servlet's sip.xml deployment descriptor. The deployment descriptor may also define which resources are to be protected, listing specific role names that are required for access. The SIP Servlet v1.1 specification introduces the ability to specify the realm name and identity assertion mechanism required or supported by an application.

See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for information about securing resources and mapping roles in the SIP Servlet deployment descriptor. See the SIP Servlet v1.1 specification for information about defining the Servlet authentication and identity assertion mechanism.

Authentication Providers

Converged Application Server authentication services are implemented using one or more authentication providers. An authentication provider performs the work of proving the identity of a user or system process, and then transmitting the identity information to other components of the system.

You can configure and use multiple authentication providers to use different authentication methods, or to work together to provide authentication. For example, when using Digest authentication you typically configure both a Digest Identity Asserter provider to assert the validity of a digest, and a second LDAP or RDBMS authentication provider that determines the group membership of a validated user.

When linking multiple authentication providers, you must specify the order in which providers are used to evaluate a given user, and also specify how much control each provider has over the authentication process. Each provider can contribute a "vote" that specifies whether or not the provider feels a given user is valid. The provider's control flag indicates how the provider's vote is used in the authentication process.

See "Configuring Digest Authentication" or "Configuring Client-Cert Authentication" for more information about configuring providers.

Overriding Authentication with Trusted Hosts

Converged Application Server also enables you to designate trusted hosts for your system. Trusted hosts are hosts for which Converged Application Server performs no authentication. If the server receives a SIP message having a destination address that matches a configured trusted host name, the message is delivered without Authentication. See engine tier configuration reference information (sipserver.xml) in the Oracle Communications Converged Application Server Administrator's Guide for more information.

Identity Assertion Support

Converged Application Server supports the P-Asserted-Identity SIP header as described in RFC 3325. This functionality automatically logs in using credentials specified in the P-Asserted-Identity header when they are received from a trusted host. When combined with the privacy header, P-Asserted-Identity also determines whether the message can be forwarded to trusted and non-trusted hosts.

Converged Application Server also supports identity assertion using the Identity and Identity-Info headers as described in RFC 4474.

Both identity assertion mechanisms require that you configure an appropriate security provider with Converged Application Server. See "Overview of SIP Servlet Identity Assertion Mechanisms" for more information.

Role Assignment for SIP Servlet Declarative Security

The SIP Servlet API specification defines a set of deployment descriptor elements that can be used for providing declarative and programmatic security for SIP Servlets. The primary method for declaring security constraints is to define one or more security-constraint elements and role definitions in the sip.xml deployment descriptor. Converged Application Server adds additional deployment descriptor elements to help developers easily map SIP Servlet roles to actual principals and/or roles configured in the SIP Servlet container. See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for more information.

Security Event Auditing

Converged Application Server includes an auditing provider that you can configure to monitor authentication events in the security realm. See Securing Oracle WebLogic Server in the Oracle WebLogic Server 11g documentation for more information.

PKnͿ&&PKAOEBPS/sec_digest_auth.htm Configuring Digest Authentication

3 Configuring Digest Authentication

This chapter describes how to configure Oracle Communications Converged Application Server to use Digest authentication with a supported LDAP server or RDBMS:

Overview of Digest Authentication

The following sections provide a basic overview of Digest authentication, and describe Digest authentication support and configuration in Converged Application Server.

What Is Digest Authentication?

Digest authentication is a simple challenge-response mechanism used to authenticate a user over SIP or HTTP. Digest authentication is fully described in RFC 2617.

When using Digest authentication, if a client makes an un-authenticated request for a protected server resource, the server challenges the client using a nonce value. The client uses a requested algorithm (MD5 by default) to generate an encrypted response—a Digest—that includes a username, password, realm, the nonce value from the challenge, the SIP method, and the requested URI.

The server verifies the client Digest by recreating the Digest value and comparing it with the client's Digest. To recreate the Digest value the server requires a hash of the "A1" value (see RFC 2617) that includes, at minimum, the nonce, username, password and realm name. The server either recreates the hash of the A1 value using a stored clear-text password for the user, or by obtaining a precalculated hash value. Either the clear-text password or precalculated hash value can be stored in an LDAP directory or accessed from an RDBMS using JDBC. The server then uses the hash of the A1 value to recreate the Digest and compare it to the client's Digest to verify the user's identity.

Digest authentication provides secure authorization over HTTP because the clear text password is never transmitted between the client and server. The use of nonce values in the client challenge also ensures that Digest authentication is resistant to replay attacks. See Figure 3-1, "Digest Authentication in Converged Application Server" for a more detailed explanation of the challenge-response mechanism for a typical request.

Digest Authentication Support in Converged Application Server

Converged Application Server includes LDAP Digest Identity Asserter security providers for asserting the validity of a client's Digest using LDAP or an RDBMS. A separate authorization provider is required to complete the authentication process (see "Configure an Authenticator Provider").

The Digest Identity Asserter only verifies a user's credentials using the client Digest. After the Digest is verified, the configured authorization provider completes the authentication process by checking for the existence of the user (by username) and also populating group membership for the resulting javax.security.auth.Subject.

The Digest Identity Asserter provider requires that user credentials be stored in an LDAP server or RDBMS in one of the following ways:

  • Unencrypted (clear text) passwords. The simplest configuration stores users' unencrypted passwords in a store. If you choose this method, Oracle recommends using an SSL connection to the LDAP store or database to reduce the risk of exposing clear text passwords in server-side network traffic. Some LDAP stores do not support storing unencrypted passwords by default; in this case you must create or use a dedicated credential attribute on the LDAP server for storing the password. See "Configure the LDAP Server or RDBMS" for more information.

  • Reverse-Encrypted Passwords. Converged Application Server provides a utility to help you compute the Encryption Key, Encryption Init Vector, and Encrypted Passwords values used when you configure the Digest Authorization Identity Asserter provider.

  • A pre-calculated hash of each password, username, and realm. If storing unencrypted or reverse-encrypted passwords is unacceptable, you can instead store a pre-calculated hash value of the username, security-realm, and password in a new or existing attribute in LDAP or an RDBMS. The Digest Identity Asserter then retrieves only the hash value for comparison to the client-generated hash in the Digest. Storing pre-calculated hash values provides additional security.

The LDAP Digest Identity Asserter is compatible with any LDAP provider that permits storage of a clear text password or pre-calculated hash value.


Note:

You cannot change the schema for the built-in LDAP store to add a dedicated field for storing clear text passwords or pre-calculated hash values. However, you can use the predefined "description" field to store password information for testing or demonstration purposes.

If you do not use the DefaultAuthenticator provider for authentication decisions, you must make DefaultAuthenticator an optional provider (ControlFlag="SUFFICIENT" or lower) before you can use Digest authentication. This will generally be the required configuration in production installations where a separate LDAP store is used to maintain clear text or hashed password information.


Figure 3-1 Digest Authentication in Converged Application Server

Surrounding text describes Figure 3-1 .

Figure 3-1 shows the basic architecture and use of an Identity Asserter provider for a typical client request:

  1. The client makes an unauthorized request for a protected application resource. (SIP Servlet resources can be protected by specifying security constraints in the sip-xml deployment descriptor. See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide.)

  2. The Digest Identity Asserter provider generates a challenge string consisting of the nonce value, realm name, and encryption algorithm (either MD5 or MD5-sess). The SIP container delivers the challenge string to the client.


    Note:

    The Digest Identity Asserter maintains a cache of used nonces and timestamps for a specified period of time. All requests with a timestamp older than the specified timestamp are rejected, as well as any requests that use the same timestamp/nonce pair as the most recent timestamp/nonce pair still in the cache.

  3. The client uses the encryption algorithm to create a Digest consisting of the username, password, real name, nonce, SIP method, request URI, and other information described in RFC 2617.

  4. The Digest Identity Asserter verifies the client Digest by recreating the Digest value using a hash of the A1 value, nonce, SIP method, and other information. To obtain a hash of the A1 value, the Identity Asserter either generates HA1 by retrieving a clear-text password from the store, or the Identity Asserter retrieves the pre-calculated HA1 from the store.

  5. The generated Digest string is compared to the client's Digest to verify the user's identity.

  6. If the user's identity is verified, an authentication provider then determines if the user exists and if it does, the authentication provider populates the javax.security.auth.Subject with the configured group information. This step completes the authentication process.


    Note:

    If you do not require user existence checking or group population, you can use the special "no-op" Identity Assertion Authenticator to avoid an extra connection to the LDAP Server; see "Configure an Authenticator Provider" for more information.

    After authentication is complete, the SIP Servlet container performs an authorization check for the logged in javax.security.auth.Subject against the declarative security-constraints defined in the Servlet's sip.xml deployment descriptor.

The LDAP Digest Identity Asserter and the configured Authentication provider can either use the same LDAP store or different stores.


Note:

If you use multiple LDAP stores, you must also create some infrastructure to keep both stores synchronized in response to adding, removing, or changing user credential changes, as shown in Figure 3-2. Maintaining LDAP stores in this manner is beyond the scope of this documentation.

Figure 3-2 Multiple LDAP Servers

Surrounding text describes Figure 3-2 .

Prerequisites for Configuring LDAP Digest Authentication

In order to configure Digest authentication you must understand the basics of LDAP servers and LDAP administration. You must also understand the requirements and restrictions of your selected LDAP server implementation, and have privileges to modify the LDAP configuration as well as the Converged Application Server configuration.

Table 3-1, "Digest Identity Asserter Checklist" summarizes all of the information you will need in order to fully configure your LDAP server for Digest authentication with Converged Application Server.

Note that the LDAP authentication provider and the Digest Authentication Identity Asserter provider can be configured with multiple LDAP servers to provide failover capabilities. If you want to use more than one LDAP server for failover, you will need to have connection information for each server when you configure Digest Authentication. See "Steps for Configuring Digest Authentication".

Table 3-1 Digest Identity Asserter Checklist

ItemDescriptionSample Value

Host

The host name of the LDAP server.

MyLDAPServer

Port

The port number of the LDAP server. Port 389 is used by default.

389

Principal

A Distinguished Name (DN) that Converged Application Server can use to connect to the LDAP Server.

cn=ldapadminuser

Credential

A credential for the above principal name (generally a password).

ldapadminuserpassword

LDAP Connection Timeout

The configured timeout value for connections to the LDAP server (in seconds). For best performance, there should be no timeout value configured for the LDAP server. If a timeout value is specified for the LDAP server, you should configure the Digest Identity Asserter provider timeout to a value equal to or less than the LDAP server's timeout.

30 seconds

User From Name Filter

An LDAP search filter that Converged Application Server will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema.

(&(cn=%u)(objectclass=person))

User Base DN

The base Distinguished Name (DN) of the tree in the LDAP directory that contains users.

cn=users,dc=mycompany,dc=com

Credential Attribute Name

The credential attribute name used for Digest calculation. This corresponds to the attribute name used to store unencrypted passwords or pre-calculated hash values. See "Configure the LDAP Server or RDBMS".

hashvalue

Digest Realm Name

The realm name to use for Digest authentication.

mycompany.com

Digest Algorithm

The algorithm that clients will use to create encrypted Digests. Converged Application Server supports both MD5 and MD5-sess algorithms. MD5 is used by default.

MD5

Digest Timeout

The Digest authentication timeout setting. By default this value is set to 2 minutes.

2


Steps for Configuring Digest Authentication

Follow these steps to configure Digest authentication with Converged Application Server:

  1. Configure the LDAP Server or RDBMS.

  2. Reconfigure the DefaultAuthenticator Provider.


    Note:

    DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthentication provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change the Control Flag to "SUFFICIENT".

  3. Configure an Authenticator Provider.

  4. Configure a New Digest Identity Asserter Provider.

The sections that follow describe each step in detail.

Configure the LDAP Server or RDBMS

The LDAP server or RDBMS used for Digest verification must store either unencrypted, clear text passwords, pre-calculated hash values, or passwords encrypted by a standard encryption algorithm (3DES_EDE/CBC/PKCS5Padding by default). The sections below provide general information about setting up your LDAP server or RDBMS to store the required information. Be aware that LDAP server uses different schemas and different administration tools, and you may need to refer to your LDAP server documentation for information about how to perform the steps below.

If you are using multiple LDAP servers to enable failover capabilities for the security providers, you must configure each LDAP server as described below.

Using Unencrypted Passwords

If you are using an RDBMS, or if your LDAP server's schema allows storing unencrypted passwords in the user's password attribute, no additional configuration is needed. The Digest Identity Asserter provider looks for unencrypted passwords in the password field by default.

If the schema does not allow unencrypted passwords in the password attribute, you have two options:

  • Store the unencrypted password in an existing, unused credential attribute in the LDAP directory.

  • Create a new credential attribute to store the unencrypted password.

See your LDAP server documentation for more information about credential attributes available in the schema. Regardless of which method you use, record the exact attribute name used to store unencrypted passwords. You must enter the name of this attribute when configuring the LDAP Digest Identity Asserter provider.

Using Precalculated Hash Values

If you want to use precalculated hash values, rather than unencrypted passwords, you can store the hash values in one of two places in your LDAP directory:

  • In an existing, unused credential attribute.

  • In a new credential attribute that you create for the hash value.

See your LDAP server documentation for more information using or creating new credential attributes.

For RDBMS stores, you can place the hash values in any column in your schema; you will define the SQL command used to obtain the hash values when configuring the RDBMS Identity Assertion Provider.

Converged Application Server provides a simple utility (PreCalculatedHash) to generate a hash of the A1 value from a given username, realm name, and unencrypted password. The utility is packaged as com.bea.wcp.sip.security.utils.PreCalculatedHash. Use the syntax:

java com.bea.wcp.sip.security.utils.PreCalculatedHash user_name realm_name password

You can use also use 3rd-party utilities for generating the hash value, or create your own method using information from RFC 2617.

Note that you must also create the necessary infrastructure to update the stored hash value automatically when the user name, password, or realm name values change. Maintaining the password information in this manner is beyond the scope of this documentation.

Using Reverse-Encrypted Passwords

Converged Application Server provides a utility to help you compute the Encryption Key, Encryption Init Vector, and Encrypted Passwords values used when you configure the Digest Authorization Identity Asserter provider. The utility is named com.bea.wcp.sip.security.utils.JSafeEncryptionUtil and is packaged in the wlss.jar file in the WL_HOME/sip/server/lib directory, where WL_HOME is the directory where the WebLogic Server component of Converged Application Server is installed.

To view usage instructions and syntax:

  1. Add wlss.jar to your classpath. The default path is:

    export CLASSPATH=$CLASSPATH:~/oracle/middleware/wlserver_10.3/sip/server/lib/wlss.jar
    
  2. Execute the utility without specifying options:

    java com.bea.wcp.sip.security.utils.JSafeEncryptionUtil
    

Reconfigure the DefaultAuthenticator Provider

In most production environments you will use a separate LDAP provider for storing password information, and therefore the DefaultAuthenticator, which works against the embedded LDAP store, must not be required for authentication. Follow the instructions in this section to change the provider's control flag to "sufficient".


Note:

DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthentication provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change the Control Flag to "SUFFICIENT".

To reconfigure the DefaultAuthenticator provider:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select Providers, then select the Authentication tab.

  5. Select the DefaultAuthenticator provider.

  6. In the Configuration > Common tab, change the Control Flag value to SUFFICIENT.

  7. Click Save to save your changes.

Configure an Authenticator Provider

In addition to the Digest Identity Asserter providers, which only validate the client digest, you must configure an "authentication" provider, which checks for a user's existence and populates the user's group information. Follow the instructions provided in Oracle Fusion Middleware Securing Oracle WebLogic Server to create an LDAP authentication provider for your LDAP server. Use the information from Table 3-1, "Digest Identity Asserter Checklist" to configure the provider.

If you do not require user existence checking or group population, then, in addition to a Digest Identity Asserter provider, you can configure and use the special "no-op" authentication provider, packaged by the name "IdentityAssertionAuthenticator." This provider is helpful to avoid an extra round-trip connection to the LDAP server. Note that the provider performs no user validation and should be used when group information is not required for users.

To configure the "no-op" authorization provider:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select Providers, then select the Authentication tab.

  5. Click New.

  6. Enter a name for the new provider, and select IdentityAssertionAuthenticator as the type.

  7. Click OK.

  8. Select the name of the new provider from the list of providers.

  9. Set the Control Flag to SUFFICIENT in the Configuration > Common tab.

  10. Click Save to save your changes.

Configure a New Digest Identity Asserter Provider

Follow these instructions in one of the sections below to create the Digest Identity Asserter provider and associate it with your LDAP server or RDBMS store:

Configure an LDAP Digest Identity Asserter Provider

Follow these instructions to create a new LDAP Digest Identity Asserter Provider:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select Providers, then select the Authentication tab.

  5. Click New.

  6. Enter a name for the new provider, and select LdapDigestIdentityAsserter as the type.

  7. Click OK.

  8. Select the name of the new provider from the list of providers.

  9. Select Configuration, then select the Provider Specific tab in the right pane.

  10. On the configuration page, enter LDAP server and Digest authentication information into the fields as follows (use the information from Table 3-1, "Digest Identity Asserter Checklist"):

    • User From Name Filter: Enter an LDAP search filter that Converged Application Server will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema.

    • User Base DN: Enter the base Distinguished Name (DN) of the tree in the LDAP directory that contains users (for example, cn=Users,dc=example,dc=com).

    • Credential Attribute Name: Enter the credential attribute in the LDAP directory that stores either the pre-calculated hash value or the unencrypted password (for example, authpassword;wlss). By default Converged Application Server uses the password attribute of the user entry. If you use a pre-calculated has value instead of an unencrypted password, or if the unencrypted password is stored in a different attribute, you must specify the correct attribute name here.

    • Group Attribute Name: Enter the group attribute in the LDAP directory that stores a the set of group names to which the user belongs.

    • Password Encryption Type: Select the format in which the password is stored: PLAINTEXT, PRECALCULATEDHASH, or REVERSIBLEENCRYPTED.

    • Encryption Algorithm: If you have stored encrypted passwords, enter the encryption algorithm that the Digest identity assertion provider will use for reverse encryption.

    • Encryption Key and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encrypted key used as part of the reverse encryption algorithm.

    • Encryption Init Vector and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encrypted init vector string used as part of the reverse encryption algorithm.

    • Digest Realm Name: Enter the realm name to use for Digest authentication (for example, example.com).

    • Digest Algorithm: Select either MD5 or MD5-sess as the algorithm to use for encrypting Digests.

    • Digest Timeout: This value defines the nonce timeout value for the digest challenge. If the nonce timeout is reached before the client responds, the client is re-challenged with a new nonce. By default, the Digest Timeout is set to 120 seconds.

    • Host: Enter the host name of the LDAP server to use for Digest verification. If you are using multiple LDAP servers for failover capabilities, enter the host_name:port value for each server separated by spaces. For example: ldap1.mycompany.com:1050 ldap2.mycompany.com:1050

      See Oracle Fusion Middleware Securing Oracle WebLogic Server for more information about configuring failover.

    • Port: Enter the port number of the LDAP server.

    • SSL Enabled: Select this option if you are using SSL to communicate unencrypted passwords between Converged Application Server and the LDAP Server.

    • Principal: Enter the name of a principal that Converged Application Server uses to access the LDAP server (for example, orclApplicationCommonName=WLSSInstance1,cn=WLSS,cn=Products,cn=OracleContext,dc=example,dc=com).

    • Credential and Please type again to confirm: Enter the credential for the above principal name (generally a password).

    • OIDSupportEnabled: Select this checkbox if you are using Oracle Internet Directory as your LDAP provider. This checkbox is necessary when using a precalculated hash value because Oracle Internet Directory prefixes the hash value with {SASL/MD5} as described in RFC 2307. Other LDAP providers may omit the prefix.

  11. Click Save to save your changes.

  12. Select the Performance tab in the right pane.

  13. On the Performance page, enter the caching and connection information into the fields as follows:

    • LDAP Connection Pool Size: Enter the number of connections to use for connecting to the LDAP Server. This value should be equal to or less than the total number of execute threads configured for Converged Application Server. To view the current number of configured threads, right-click on the Converged Application Server name in the left pane of the Administration Console and select View Execute Queues; the SIP Container uses the Thread Count value of the queue named sip.transport.Default. The default value of LDAP Connection Pool Size is 10.

      Note that stale connections (for example, LDAP connections that are timed out by a load balancer) are automatically removed from the connection pool.

    • Cache Enabled: Specifies whether a cache should be used with the associated LDAP server.

    • Cache Size: Specifies the size of the cache, in Kilobytes, used to store results from the LDAP server. By default the cache size is 32K.

    • Cache TTL: Specifies the time-to-live (TTL) value, in seconds, for the LDAP cache. By default the TTL value is 60 seconds.

    • Results Time Limit: Specifies the number of milliseconds to wait for LDAP results before timing out. Accept the default value of 0 to specify no time limit.

    • Connect Timeout: Specifies the number of milliseconds to wait for an LDAP connection to be established. If the time is exceeded, the connection times out. The default value of 0 specifies no timeout value.

    • Parallel Connect Delay: Specifies the number of seconds to delay before making concurrent connections to multiple, configured LDAP servers. If this value is set to 0, the provider connects to multiple servers in a serial fashion. The provider first tries to connect to the first configured LDAP server in the Host list. If that connection attempt fails, the provider tries the next configured server, and so on.

      If this value is set to a non-zero value, the provider waits the specified number of seconds before spawning a new thread for an additional connection attempt. For example, if the value is set to 2, the provider first tries to connect to the first configured LDAP server in the Host list. After 2 seconds, if the connection has not yet been established, the provider spawns a new thread and tries to connect to the second server configured in the Host list, and so on for each configured LDAP server.

    • Connection Retry Limit: Specifies the number of times the provider tries to reestablish a connection to an LDAP server if the LDAP server throws an exception while creating a connection.

  14. Click Save to save your changes.

Configure an RDBMS Digest Identity Asserter Provider

Follow these instructions to create a new RDBMS Digest Identity Asserter Provider:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. Click Lock & Edit to obtain a configuration lock.

    (If you are using a development domain, Lock & Edit is only present if you enable configuration locking. See "Enable and disable the domain configuration lock" in the Administration Console Online Help for more information.)

  3. In the left pane of the Console, select the Security Realms node.

  4. Select the name of your security realm in the right pane of the Console.

  5. Select Providers > Authentication tab.

  6. Click New.

  7. Enter a name for the new provider, and select DBMSDigestIdentityAsserter as the type.

  8. Click OK.

  9. Select the name of the new provider from the list of providers.

  10. Select the Configuration > Provider Specific tab in the right pane.

  11. In the configuration tab, enter RDBMS server and Digest authentication information into the fields as follows:

    • Data Source Name: Enter the name of the JDBC DataSource used to access the password information.

    • SQLGet Users Password: Enter the SQL statement used to obtain the password or hash value from the database. The SQL statement must return a single record result set.

    • SQLList Member Groups: Enter a SQL statement to obtain the group information from a specified username. The username is supplied as a variable to the SQL statement, as in SELECT G_NAME FROM groupmembers WHERE G_MEMBER = ?.

    • Password Encryption Type: Select the format in which the password is stored: PLAINTEXT, PRECALCULATEDHASH, or REVERSIBLEENCRYPTED.

    • Encryption Algorithm: If you have stored encrypted passwords, enter the encryption algorithm that the Digest identity assertion provider will use for reverse encryption.

    • Encryption Key and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encrypted key used as part of the reverse encryption algorithm.

    • Encryption Init Vector and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encrypted init vector string used as part of the reverse encryption algorithm.

    • Digest Realm Name: Enter the realm name to use for Digest authentication.

    • Digest Algorithm: Select either MD5 or MD5-sess as the algorithm to use for encrypting Digests.

    • Digest Timeout: This value defines the nonce timeout value for the digest challenge. If the nonce timeout is reached before the client responds, the client is re-challenged with a new nonce. By default, the Digest Timeout is set to 120 seconds.

  12. Click Save to save your changes.

Sample Digest Authentication Configuration Using Embedded LDAP

You can use Converged Application Server's embedded LDAP implementation for Digest authentication in a test or demo environment. Because you cannot change the schema of the embedded LDAP store, you must store password information in the existing "description" field.

To use the embedded LDAP store for Digest authentication, follow the instructions in the sections that follow.

Store User Password Information in the Description Field

To create new users with password information in the existing description field:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane of the Console, select the Security Realms node.

  3. Select the name of your security realm in the right pane of the Console.

  4. Select the Users and Groups, then select the Users tab.

  5. Click New.

  6. Enter a name for the new user in the Name field.

  7. Enter the Digest password information for the user in the Description field. The password information can be either the clear-text password, a pre-calculated hash value, or a reverse-encrypted password.

  8. Enter an 8-character password in the Password and Confirm Password fields. You cannot proceed without adding a standard password entry.

  9. Click OK.

Set the Embedded LDAP Password

Follow these instructions to set the password for the embedded LDAP store to a known password. You will use this password when configuring the Digest Identity Asserter provider as described in "Configure an LDAP Digest Identity Asserter Provider":

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane, click the name of the domain you are configuring.

  3. Select Security, then select Embedded LDAP in the right pane.

  4. Enter the password you would like to use in the Credential and Confirm Credential fields.

  5. Click Save.

  6. Reboot the server.

Configure the Digest Identity Asserter Provider

Example 3-1 shows the security provider configuration in config.xml for a domain that uses LDAP implementation embedded in Converged Application Server. Note that such a configuration is recommended only for testing or development purposes. Example 3-1 highlights values that you must define when configuring the provider using the instructions in "Configure an LDAP Digest Identity Asserter Provider".

Example 3-1 Sample Security Provider Configuration with Embedded LDAP

<sec:authentication-provider xmlns:ext="http://www.bea.com/ns/weblogic/90/security/extension" xsi:type="ext:ldap-digest-identity-asserterType">
        <sec:name>myrealmLdapDigestIdentityAsserter</sec:name>
        <ext:user-base-dn>ou=people, ou=myrealm, dc=mydomain</ext:user-base-dn>
        <ext:credential-attribute-name>description</ext:credential-attribute-name>
        <ext:digest-realm-name>wlss.oracle.com</ext:digest-realm-name>
        <ext:host>myserver.mycompany.com</ext:host>
        <ext:port>7001</ext:port>
        <ext:principal>cn=Admin</ext:principal>
      </sec:authentication-provider>
PKbWMPK Aoa,mimetypePKA@!b]:iTunesMetadata.plistPKAYuMETA-INF/container.xmlPKA[pTO OEBPS/cover.htmPKAk)OEBPS/title.htmPKANw OEBPS/preface.htmPKA77!(OEBPS/img/passertedidentity40.pngPKAEo@o`OEBPS/img/outboundpai.gifPKAʠ ;jOEBPS/img/identity40.pngPKAM\\OEBPS/img/digestauth.gifPKAA!,,OEBPS/img/multipleldap.gifPKAKpv#QQ2LOEBPS/img/standardsecurity.gifPKAuZ2+-+OEBPS/sec_introduction.htmPKA%|  OEBPS/toc.ncxPKAJȉ:!5!^OEBPS/sec_3gpp_http.htmPKA%5BB!OEBPS/sec_sip_assert_identity.htmPKAa`7OEBPS/content.opfPKAVLLPOEBPS/sec_client_cert.htmPKA_ OEBPS/dcommon/prodbig.gifPKAY@ ?OEBPS/dcommon/doclib.gifPKAzmzhzOEBPS/dcommon/oracle-logo.jpgPKAL OEBPS/dcommon/contbig.gifPKA7&OEBPS/dcommon/darbbook.cssPKAMά""!&OEBPS/dcommon/O_signature_clr.JPGPKAPz IOEBPS/dcommon/feedbck2.gifPKA-KOEBPS/dcommon/feedback.gifPKAː5ROEBPS/dcommon/booklist.gifPKAN61SOEBPS/dcommon/cpyr.htmPKA!:3.eOEBPS/dcommon/masterix.gifPKAeӺ1,tgOEBPS/dcommon/doccd.cssPKA7 iOEBPS/dcommon/larrow.gifPKA#lOEBPS/dcommon/indxicon.gifPKAS'"|nOEBPS/dcommon/leftnav.gifPKAhu,oOEBPS/dcommon/uarrow.gifPKAl-OJsOEBPS/dcommon/oracle.gifPKA({OEBPS/dcommon/index.gifPKAGC |OEBPS/dcommon/bookbig.gifPKAJV^OEBPS/dcommon/rarrow.gifPKA枰pkOEBPS/dcommon/mix.gifPKAo"nR M ΋OEBPS/dcommon/doccd_epub.jsPKAv I iOEBPS/dcommon/toc.gifPKA r~$OEBPS/dcommon/topnav.gifPKA1FA OEBPS/dcommon/prodicon.gifPKA3( # OEBPS/dcommon/bp_layout.cssPKAx[?:OEBPS/dcommon/bookicon.gifPKAp*c^OEBPS/dcommon/conticon.gifPKAʍQOEBPS/dcommon/blafdoc.cssPKA+&POEBPS/dcommon/rightnav.gifPKAje88OEBPS/dcommon/oracle-small.JPGPKAއ{&!OEBPS/dcommon/help.gifPKA܌1, nOEBPS/toc.htmPKAnͿ&&"OEBPS/sec_security_overview.htmPKAbWMIOEBPS/sec_digest_auth.htmPK55~