Online Privacy – Remailers


Email anonymity is difficult to achieve because a user identifies themselves in the “From” field of a message, and the header information contains the email address, the address of the ISP’s outgoing email server and other information.  For email to be anonymous this information must be removed from the message header.

A remailer is a service that allows a user to send email without revealing their name, e-mail address, IP address or the ISP used to the receiver or to anyone who attempts to monitor the email traffic.  There are several flavors of remailers, each with their advantages and disadvantages.

  • Pseudo-anonymous – This replaces the sender’s email address with a pseudonym before remailing the message to the recipient.
  • Cypherpunk – This strips the sender’s email address from the message before remailing it to the recipient.  A consequence of this is that the recipient can’t reply to the email.
  • Mixmaster – This sends messages in fixed-size packets that have been reordered to prevent messages from being traced.  These remailers require the user to use special software to create the messages.
  • Mixminion – Similar to Tor, Mixminion messages are split into packets that are then sent via separate paths through the mix network.  Each packet is encrypted with the public key of each server in its path before it is sent.  At each server the packet is decrypted and the messages re-ordered before being sent to the next server in the path.

Many remailers operate outside the United States and Europe to avoid the possibility of being forced to divulge customer information to law enforcement agencies.
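As an added illustration of the Mixminion bullet above (this is example code, not code from the post), the following toy mix network splits a message into fixed-size packets, wraps each in one encryption layer per relay so that a relay learns only its next hop, and has each relay re-pad and reorder its batch before forwarding. The per-hop cipher is a constructed HMAC-based stand-in for the public-key encryption a real mix uses, and the relay names, keys and sizes are assumptions.

```python
"""Toy model of Mixminion-style layered packet routing: an added example, not code
from the post.  The per-hop cipher is a constructed stand-in (HMAC-SHA256 keystream
XOR) for the public-key encryption a real mix uses; relay names/keys are made up."""
import hashlib
import hmac
import os
import random
import struct

PAYLOAD, NONCE, HOP, HOPS = 64, 16, 16, 3  # payload bytes, nonce, next-hop field, path length
WIRE = PAYLOAD + HOPS * (NONCE + HOP)       # constant on-the-wire packet size
RELAY_KEYS = {"mix-a": b"secret-a", "mix-b": b"secret-b", "mix-c": b"secret-c"}  # constructed


def _keystream(key, nonce, length):
    # Counter-mode HMAC output used as a keystream (stand-in for a real cipher).
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(route, chunk, seq):
    """Build one fixed-size onion packet for `route`, innermost layer first."""
    body = struct.pack(">HH", seq, len(chunk)) + chunk
    inner = body + os.urandom(PAYLOAD - len(body))       # pad application data to PAYLOAD
    # Walk the route backwards: each layer names the hop that follows its relay.
    for relay, next_hop in zip(reversed(route), reversed(route[1:] + ["recipient"])):
        nonce = os.urandom(NONCE)
        plain = next_hop.encode().ljust(HOP, b"\0") + inner
        inner = nonce + _xor(plain, _keystream(RELAY_KEYS[relay], nonce, len(plain)))
    return inner                                          # always WIRE bytes long

def relay_peel(relay, packet):
    """A relay strips one layer, learns only its next hop and re-pads to WIRE."""
    nonce, body = packet[:NONCE], packet[NONCE:]
    plain = _xor(body, _keystream(RELAY_KEYS[relay], nonce, len(body)))
    next_hop = plain[:HOP].rstrip(b"\0").decode()
    return next_hop, plain[HOP:] + os.urandom(NONCE + HOP)  # size unchanged on the wire

def mix_batch(relay, batch, rng):
    """Peel a whole batch and forward it in shuffled order (the 'mix' step)."""
    out = [relay_peel(relay, pkt) for pkt in batch]
    rng.shuffle(out)
    return out

def send(message, rng):
    """Split a message into fixed-size packets, each sent over its own random path."""
    step, packets = PAYLOAD - 4, []
    for seq, start in enumerate(range(0, len(message), step)):
        route = rng.sample(sorted(RELAY_KEYS), HOPS)
        packets.append((route[0], wrap(route, message[start:start + step], seq)))
    return packets

def deliver(packets, rng, observer):
    """Move packets relay by relay; `observer` records (relay, next_hop, size) per forward."""
    delivered = []
    while packets:
        by_relay = {}
        for hop, pkt in packets:
            by_relay.setdefault(hop, []).append(pkt)
        packets = []
        for relay, batch in by_relay.items():
            for next_hop, pkt in mix_batch(relay, batch, rng):
                observer.append((relay, next_hop, len(pkt)))
                (delivered if next_hop == "recipient" else packets).append((next_hop, pkt))
    return delivered

def reassemble(delivered):
    """The recipient reads (seq, length) from each packet and discards the padding."""
    parts = {}
    for _, pkt in delivered:
        seq, n = struct.unpack(">HH", pkt[:4])
        parts[seq] = pkt[4:4 + n]
    return b"".join(parts[i] for i in sorted(parts))

def demo(message=b"Anonymous remailers strip sender identity; mixes hide routing too.", seed=1):
    rng, observer = random.Random(seed), []
    delivered = deliver(send(message, rng), rng, observer)
    return {"recovered": reassemble(delivered), "packets": len(delivered),
            "sizes": {size for _, _, size in observer}, "hops_seen": observer}
```

Every packet an observer sees has the same length, and each entry in `hops_seen` shows a relay learning only the hop that follows it.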

OpenSSO Secure Token Server – 4

This blog is the final in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here, part 2 is available here and part 3 is available here.

Modify the WSS Configuration Files

The following steps describe how to configure OpenSSO WSS Agents.

  • Download and unzip the file. This file contains OpenSSO Web Services Security Agents, based on JAX-WS Handlers.
  • Expand the zip file.
  • Copy the resources/keystore.jks, resources/.keypass, and resources/.storepass files to a convenient directory.  This directory is represented by @KEYSTORE_LOCATION@ in the <wssagents_unzip_location>/config/ file.
  • Update for StockService as follows:

##### Following properties need to be updated for OpenSSO WSS Agents ##### and Settings/Administrator/StockService/Debug

* Security Credentials to read the configuration data

##### End of properties for OpenSSO WSS Agents #####

  • Update for StockClient as follows:

##### Following properties need to be updated for OpenSSO WSS Agents ##### and Settings/Administrator/StockClient/Debug

com.sun.identity.saml.xmlsig.certalias=client Self-CA

* Security Credentials to read the configuration data

##### End of properties for OpenSSO WSS Agents #####

Modify the StockService Application

  • Expand the unsecured StockService.war file that was created previously using the following command:

jar -xvf StockService.war

  • Create a lib directory under the WEB-INF directory if it does not already exist. Then copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the <wssagents_unzip_location>/config/ file to the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/com/sun/stockquote.

The files must be merged so that the following handler is the first handler in the handler chain:

  • Build the secured StockService application into the StockService.war file with the following command:

jar -cvf StockService.war *

  • Deploy the StockService.war file to the WebLogic container.
  • Access the web service WSDL with the following URL:

Modify the StockClient Application

  • Expand the unsecured StockClient.war file that was created previously using the following command:

jar -xvf StockClient.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already. Then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the previously updated file into the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/server_handlers.xml.

The following handler must be the first handler in the handler chain:

  • Add the following client filter to the WEB-INF/web.xml file.

  • Build the secured StockClient application into the StockClient.war file with the following command:

jar -cvf StockClient.war *

  • Deploy the StockClient.war file to the WebLogic container.
  • Access the web service client with a URL of the following form:

  • The URL redirects to the OpenSSO Authentication service UI for end-user authentication to the default authentication module, as shown in the following figure:

  • After successfully authenticating to the OpenSSO server, the browser is redirected to the StockClient application page.

  • Click GetQuote to display the web service response from the StockService application.

Online Privacy – Anonymizers

Web browsing is a lot less anonymous than most people realize. Not only do many sites require their visitors to register, sites also track site visits via cookies. Traffic monitoring software can follow a person from site to site and monitor the pages visited on each site. This software also captures the IP address of the computer visiting the site which makes it relatively easy to find out the geographical location of the computer and which ISP was used to access the internet.

The United States government, like many other governments around the world, is increasingly likely to monitor a person’s online activities, ostensibly to stop terrorism. However, the net is cast so wide that millions of law-abiding citizens are also caught in it. Government agencies are also increasing their ability to monitor online activity by tapping into the growing amount of consumer data collected by the private sector. This data collection is becoming more and more automated, thereby increasing the odds of a person being tracked by a government agency even if their activities are completely innocent.


An anonymizer can be used to help hide a user’s presence on the internet. In general, free anonymizers work by acting as a proxy for the user: they route all requests and strip the header off each data packet, thereby making the request anonymous. The requested page is then fed back through the anonymizer to the web browser.


Web-Based Anonymizers

Web-based anonymizers only protect web browsing and don’t support other web activities such as e-mail. To use this type of service a user first goes to the anonymizer web page and browses from there by entering the URLs to be visited.  This type of anonymizer is normally free and doesn’t normally support encrypted sites.

Proxy Anonymizers

A web proxy anonymizer acts as a proxy for users by routing all requests and replacing the user’s IP address in the header with that of the anonymizer server. Users configure their browser to use a proxy that sits between the user’s computer and the internet.  SOCKS proxies are another option, but they can only be used with browsers that support the SOCKS protocol.  Most SOCKS proxy anonymizers are commercial and only mask a user’s IP address.  Many proxy anonymizers provide security by using SSH or SSL encryption, and both web proxy and SOCKS proxy connections can be passed through an encrypted tunnel.

VPN Tunneling

VPN tunneling requires that a VPN client be installed that connects securely to the Anonymizer service provider.  Customers then have a choice of servers in different locations around the country or world from which to browse the web.  In this way customers browse the web from encrypted connections via constantly changing IP addresses.

Networked Anonymizers

Networked anonymizers route traffic through a network of internet servers between the request and the destination.  Tor (Torrential Onion Routing) is an example of a networked anonymizer.  It consists of a network of private user computers that act as relays for Tor messages. The Tor network is a daisy chained network of anonymizing proxies.  Instead of encrypting user traffic from end to end Tor creates a series of encrypted connections between the relays in the network.


Web-based and proxy anonymizers provide limited protection and are for the occasional surfer who is not too concerned about security.  A big disadvantage of free proxy anonymizers is that many of them use free proxy lists that log user activity.  VPN anonymizers provide much more secure surfing than web-based or proxy anonymizers by sending encrypted traffic from the user’s computer to the exit point server.  They also provide other services such as remailers (discussed in the next post) and user aliases for web-site registration.  A network anonymizer is similar to a VPN anonymizer in that traffic is encrypted, but it bounces traffic from server to server in its network to hide its origin before the traffic finally leaves at the exit point.


OpenSSO Secure Token Server – 3

This blog is the third in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here and part 2 is available here.

Update the Web Service Provider Profile

The following steps describe how to create the Web Service Provider profile.

  • Click Web Service Provider. Under Agent click WSP.

  • Select all Security Mechanisms and set Preserve Security Headers in Message to true.

  • Click the checkboxes for Is Request Signature Verified, Is Response Signed.

  • Enter the Web Service End Point URL:

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Update the Agent Authenticator Profile

This Agent Authenticator (agentAuth) acts as the application user. It authenticates WSS agents to the OpenSSO server through the OpenSSO client SDK in order to retrieve agent profiles or configurations from the OpenSSO server. To do its job, agentAuth requires permission to read the configuration information of the newly created WSC and WSP agent profiles.

Set the agentAuth read permission as follows:

  • Select the Agent Authenticator tab.

  • Under Agent, click agentAuth to edit it.
  • Under the heading Agent Profiles allowed ensure that WSC and WSP are selected.
  • Save the changes and log out of OpenSSO.

Edit the Security Token Service Configuration Parameters

Log onto OpenSSO and navigate to Configuration -> Global -> Security Token Service.

Make the following changes:

  • In the Token Issuance Attributes section change the issuer to Self-CA and the Certificate Alias Name to opensso.

  • In the Key Store section change the Private Key Alias and the Public Key Alias of Web Service (WS-Trust) Client to opensso.

  • In the Token Validation Attributes section change the Trusted Issuers to cacert:Self-CA.

Change the Cookie c66Encode Flag

The c66Encode flag resolves a problem whereby some application servers return the wrong cookie id if certain characters are used in the id.  c66Encoding ensures that those characters are not used in the cookie id.

Follow these steps to turn c66Encoding on.

  • Log onto the OpenSSO console and navigate to Configuration -> Servers and Sites.
  • Click the Default Servers Settings button.
  • Select the Advanced tab.
  • Change the value of to true

  • Save the changes.
  • Restart the OpenSSO web container.

OpenSSO Secure Token Server – 2

This blog is the second in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here.

Configure the WebLogic Trust Keystores

Ensure that the WebLogic containers are using the keystore and trusted certificate stores created previously.  In Windows this can be done by editing the create-service command file as follows:

  • Edit the createSvc.cmd file to include the following JAVA_OPTIONS parameters for the web service container and save as createWSPSvc.cmd:
  • Repeat for the web service client and OpenSSO containers.
  • Run the commands to create the services.
    For example:
    echo off
    set DOMAIN_NAME=wsp
    set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
    set SERVER_NAME=AdminServer
    set PRODUCTION_MODE=false
    set JAVA_VENDOR=Sun
    set JAVA_HOME=C:\Sun\Middleware\jdk160_24
    set MEM_ARGS=-Xms256m -Xmx512m
    set JAVA_OPTIONS=\Sun\Middleware\user_projects\domains\wsp\resources\cacerts\Sun\Middleware\user_projects\domains\wsp\resources\server.jks
    call "C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd"

Configure OpenSSO Web Service Profiles

(Diagram: Web Services Client, Web Services Provider, OpenSSO Server)
This deployment uses the default WSC and WSP profiles shipped with OpenSSO.

  • Access the OpenSSO Console by entering the following URL:
  • Log in to the OpenSSO Console as amadmin.
  • Go to Access Control -> Default realm -> Agents, as shown below:

Update the Web Service Client Profile

  • Select the Web Service Client tab:

  • In the Agent panel select WSC.
  • Click the WSC profile to edit it.
  • In the Security section select STSSecurity as the Security Mechanism, SecurityTokenService as the STS Configuration, and set Preserve Security Headers in Message to true.

  • Check Is Request Signed Enabled and Is Response Signature Verified in the Signing and Encryption section then uncheck all signing values except Body.

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Online Accounts – Take Care

I read with concern Mat Honan’s blog about how his Google, Apple and Twitter accounts were hacked.

My main concern, though, is the differing policies between the service providers for resetting user account passwords. As demonstrated in this case, a clever hacker can use this to gain access to an account by getting information from one service provider and using it as proof of identity to another service provider.

Take a look at Mat’s blog here to see what happened.

What can we learn from this?

The first is that everyone needs to learn and employ personal security safeguards when using the internet.

Mat admits to doing the following things wrong:

  • He didn’t back-up his data.
  • He daisy-chained the accounts.
  • He used the same e-mail address across several accounts.
  • He should have created a unique recovery e-mail address that’s not associated with other services.

In addition to the items that he highlighted he should have made better use of the security options available to him. For instance, had he enabled Google’s two factor authentication this incident may not have occurred.

With regard to the service providers, the hacker was able to take advantage of inconsistencies in the security policies between Apple and Amazon to get the information needed to access the Apple account.

This is an issue that will have to be addressed.  Hopefully, the service providers will come together to create a solution.


Now that we’re halfway through the first international break it’s a good time to review what I’ve seen of Arsenal so far this season.

I’ve watched all of Arsenal’s games up to now and I must admit that I’ve been impressed with the team’s defensive discipline.  True, that two of the teams they’ve played were more interested in not losing than trying to win the game but the Sunderland and Stoke games were the type of games that Arsenal could have lost in the past because of their defensive indiscipline.

In defense we can pair any two from Mertesacker, Vermaelen and Koscielny in the middle of the defense.  I had my doubts about Gibbs and Jenkinson but it’s amazing what defensive coaching can do and both have improved.  We have Sagna coming back soon but I still have a concern about Santos, great going forward but will he ever be able to defend?

In midfield we have a lot of options.  Arsene Wenger is using Arteta and Diaby as the midfield platform to protect the defense and launch attacks with Diaby given license to carry the ball and Arteta playing deeper.  It’s worked so far but I would prefer that at least one of those players was a true defensive midfielder.  Against the better teams we may come under pressure in this area because, although Arteta is a tenacious tackler he’s not a defensive midfielder and is more effective when he plays further forward. As for Diaby, he’s showing what we’ve missed over the last two to three years with his injury problems and the more games he plays the more important he will be to the team. I just hope that he can play a full season without serious injury.

Some people have compared Cazorla negatively to Fabregas.  To me they are two different types of players, with Cazorla moving the ball quicker and causing more problems to the opposition because he is two-footed and prepared to shoot on sight.  I think that Diaby, Arteta and Cazorla will form the basis of our midfield when fit, with other players coming in as required.

Up front Podolski and Giroud are going to cause opposition defenses a lot of problems this season.  True, Giroud hasn’t scored yet but he will, and when he gets his confidence back he’ll be a real handful. The problem is that we don’t have much in reserve up front unless Chamakh discovers his mojo again and starts playing the way he did when he first joined the club.

The whole team is now working as a defensive unit with the forwards and midfield tracking back to make the team hard to break down.  Against Liverpool, for instance, there were times when it seemed that Podolski was playing left back. It was heartening to see and goes to show that Arsene hasn’t been doing much work on the defensive side of the game over the last few years if Steve Bould can make such a big difference in so little time.

We have sterner tests coming but I feel optimistic that the current team is better equipped to pass them.

OpenSSO – Secure Token Server

I think that the demise of OpenSSO has been greatly over-exaggerated. There are positions open for people with OpenSSO skills and there are many forums with people asking for help in solving OpenSSO/OpenAM problems.

One question that comes up regularly is how to configure OpenSSO as a Secure Token Server.

This blog is the first in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

A Secure Token Server is a third-party broker that allows a Web Service client to authenticate and receive a security token which is then sent to a Web Service Provider. The Web Service Provider validates the token and verifies that it came from a trusted secure token server.  It then uses the token to make authentication and authorization decisions.

Create and Deploy the SSL Certificates

This deployment uses self-signed certificates. The following instructions describe how to create and install them using OpenSSL and keytool.

  1. Create root certificate.
  2. Create the trusted certificates store.
  3. Create key and signing requests.
  4. Sign the requests.
  5. Create the keystores.
  6. Add the public certificates to the keystores.

It is assumed that openssl.cnf has already been created.

Create the root certificate

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the trusted certificates store

openssl x509 -outform DER -in cacert.pem -out cacert.cert
keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias cacert -file cacert.cert

Create a Key and Signing Request

openssl req -new -nodes -out clientReq.pem -keyout private/clientKey.pem -config openssl.cnf

openssl req -new -nodes -out serverReq.pem -keyout private/serverKey.pem -config openssl.cnf

openssl req -new -nodes -out openssoReq.pem -keyout private/openssoKey.pem -config openssl.cnf

Sign the Requests

openssl ca -out clientCert.pem -config openssl.cnf -infiles clientReq.pem

openssl ca -out serverCert.pem -config openssl.cnf -infiles serverReq.pem

openssl ca -out openssoCert.pem -config openssl.cnf -infiles openssoReq.pem

Create the Keystores

The following instructions use the ImportKey class to import the keys into the Java keystore.


  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\clientKey.pem -inform PEM -out clientKey.der -outform DER
    openssl x509 -in clientCert.pem -inform PEM -out clientCert.der -outform DER
  • Import the files into the JKS
    java ImportKey clientKey.der clientCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey client.jks
  • Change keystore password:
    keytool -keystore client.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore client.jks
  • Change the alias
    keytool -keystore client.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias client
  • Check the Keystore Contents
    keytool -list -v -keystore client.jks


  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\serverKey.pem -inform PEM -out serverKey.der -outform DER
    openssl x509 -in serverCert.pem -inform PEM -out serverCert.der -outform DER
  • Import the files into the JKS
    java ImportKey serverKey.der serverCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey server.jks
  • Change keystore password:
    keytool -keystore server.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore server.jks
  • Change the alias
    keytool -keystore server.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias server
  • Check the Keystore Contents
    keytool -list -v -keystore server.jks


  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\openssoKey.pem -inform PEM -out openssoKey.der -outform DER
    openssl x509 -in openssoCert.pem -inform PEM -out openssoCert.der -outform DER
  • Import the files into the JKS
    java ImportKey openssoKey.der openssoCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey opensso.jks
  • Change keystore password:
    keytool -keystore opensso.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore opensso.jks
  • Change the alias
    keytool -keystore opensso.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias opensso
  • Check the Keystore Contents
    keytool -list -v -keystore opensso.jks

Add the Public Certificates to the KeyStores


  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore server.jks -storepass changeit -file clientCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore server.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore server.jks
  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore client.jks -storepass changeit -file serverCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore client.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore client.jks


  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore opensso.jks -storepass changeit -file clientCert.der
  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore opensso.jks -storepass changeit -file serverCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore opensso.jks

That’s it for now.  I’ll post the next installment next week.


I think that Arsene Wenger has bought well so far in this transfer window but he has to get a more disciplined and defensive minded midfielder in to replace Alex Song.  With two weeks of the transfer window remaining I’ve decided not to give my opinion on the team until it closes.


This is a quick post about Oracle Unified Directory.

Oracle released Oracle Unified Directory (OUD) with very little fanfare in July last year and has now updated it to OUD 11gR2 as part of the Oracle Identity Management 11gR2 suite of products.

For those of you that don’t know, OUD is based on Sun’s OpenDS project and has three components in common with ODSEE:

  • Directory Server
  • Proxy Server
  • Replication Server

The Directory Server provides the main LDAP functionality, the proxy server can be used for proxying LDAP requests and the Replication Server is used for replication from one OUD to another OUD or even ODSEE server.

At first I didn’t see the point in Oracle releasing another lightweight directory server until I took a closer look at the product.  In addition to the services mentioned above it has other services such as virtualization capabilities and Oracle’s Directory Integration Platform which allows for the synchronization of data with other directory servers such as Active Directory.  Oracle has also been optimizing OUD for the SPARC T4-1 hardware.

This makes me wonder what the future is for ODSEE.

I’ve had limited experience with OUD but can confirm that it works well as an OpenAM data-store.

Blogging Again

After a short hiatus I’m finally blogging again.

Some might think that I needed to recover from England’s unimaginative showing at the Euros and their inevitable exit on penalties in the quarter finals.

This is not true; I’ve been busy working.

One of the things I’ve done is to get more familiar with the available open source cloud offerings, in particular looking at OpenStack, Eucalyptus and CloudStack.

I used Martin Loschwitz’s excellent instructions here for the installation of OpenStack on a Lenovo T5010 laptop running Ubuntu 12.04 Precise Pangolin.

A couple of things to note:

  • Hardware virtualization must be turned on at the BIOS level otherwise the VM fails to start with spawning errors.
  • There is only one NIC on this laptop so I created a virtual adapter for the second NIC.
  • Don’t forget to create the LVM volume group called nova-volumes.  This is mentioned at the end of step 1 but no instructions are given.  For those who need them:

dd if=/dev/zero of=MY_FILE_PATH bs=100M count=10   # 1 GB backing file for the volume group
losetup --show -f MY_FILE_PATH                     # attach it to the first free loop device and print its name (e.g. /dev/loop0)
apt-get install lvm2
vgcreate nova-volumes /dev/loop0                   # use the loop device printed by losetup

I also installed OpenStack on an ESXi virtual machine.  There are lots of instructions for installing it on VirtualBox but very few for installing it on VMware.  The issue is the requirement for hardware virtualization support.

It seems that there may be a way around this with VMware’s vSphere 5, but I didn’t want to start reconfiguring the company ESXi server, so I created an Ubuntu 12.04 virtual machine and installed DevStack by following Sam Johnston’s instructions here.  This is a documented shell script from Rackspace Cloud Builders that builds a complete OpenStack development environment; it installed in less than fifteen minutes.

I shall now get familiar with the APIs and try to determine how easy it is to integrate with Open Source provisioning software.