Cloud Identity Management

This post discusses why cloud identity is such a difficult problem to resolve.

Why Is Cloud Identity Such a Hard Problem?

Online Privacy – Remailers

Email anonymity is difficult to achieve because the From field of a message names the sender, and the header also carries the sender's email address, the address of the ISP's outgoing mail server (each relay adds its own Received line) and other identifying information. For email to be anonymous this information must be removed from the message header.

A remailer is a service that allows a user to send email without revealing their name, e-mail address, IP address or ISP to the receiver or to anyone who monitors the email traffic. There are several flavors of remailers, each with their own advantages and disadvantages.

  • Pseudo-anonymous (pseudonymous) – This replaces the sender's email address with a pseudonym before remailing the message to the recipient. The recipient can reply via the pseudonym, but the remailer keeps the mapping from pseudonym to real address, so it is a single point of compromise.
  • Cypherpunk (Type I) – This strips the sender's email address and identifying headers from the message before remailing it to the recipient. A consequence of this is that the recipient can't answer the email.
  • Mixmaster (Type II) – This sends messages as fixed-size packets which each remailer holds in a pool and releases in a different order, so that messages cannot be traced by size or timing. These remailers require that the user use special client software to create the messages.
  • Mixminion (Type III) – Similar to Tor, Mixminion messages are split into fixed-size packets and sent via separate paths through the mix network. Each packet is encrypted in layers before it is sent, one layer per server in its path, using that server's public key. Each server removes only its own layer, which tells it the next hop and nothing more, reorders the packet with the others in its batch and forwards it to the next server in the path.

Many remailers operate outside the United States and Europe to avoid the possibility of being forced to divulge customer information to law enforcement agencies.

OpenSSO Secure Token Server – 4

This blog is the final in a series that describes how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here, part 2 is available here and part 3 is available here.

Modify the WSS Configuration Files

The following steps describe how to configure the OpenSSO WSS Agents.

  • Download the file and unzip it. It contains the OpenSSO Web Services Security Agents, which are implemented as JAX-WS handlers.
  • Copy the resources/keystore.jks, resources/.keypass, and resources/.storepass files to a convenient directory. This directory is represented by @KEYSTORE_LOCATION@ in the <wssagents_unzip_location>/config/ file. The .keypass and .storepass files hold the keystore and key passwords, so restrict their file permissions to the account the WebLogic container runs as.
  • Update the file for StockService as follows:

##### Following properties need to be updated for OpenSSO WSS Agents ##### and Settings/Administrator/StockService/Debug

* Security Credentials to read the configuration data

##### End of properties for OpenSSO WSS Agents #####

  • Update the file for StockClient as follows:

##### Following properties need to be updated for OpenSSO WSS Agents ##### and Settings/Administrator/StockClient/Debug

com.sun.identity.saml.xmlsig.certalias=client Self-CA

* Security Credentials to read the configuration data

##### End of properties for OpenSSO WSS Agents #####

Modify the StockService Application

  • Expand the unsecured StockService.war file that was created previously using the following command:

jar -xvf StockService.war

  • Create a lib directory under the WEB-INF directory if it does not already exist, then copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the <wssagents_unzip_location>/config/ file to the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/com/sun/stockquote.

The files must be merged so that the following handler is the first handler in the handler chain:

  • Build the secured StockService application into the StockService.war file with the following command:

jar -cvf StockService.war *

  • Deploy the StockService.war file to the WebLogic container.
  • Access the web service WSDL with the following URL:

Modify the StockClient Application

  • Expand the unsecured StockClient.war file that was created previously using the following command:

jar -xvf StockClient.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already. Then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the previously updated file into the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/server_handlers.xml.

The following handler must be the first handler in the handler chain:

  • Add the following client filter to the WEB-INF/web.xml file.

  • Build the secured StockClient application into the StockClient.war file with the following command:

jar -cvf StockClient.war *

  • Deploy the StockClient.war file to the WebLogic container.
  • Access the web service client with a URL of the following form:

  • The URL redirects to the OpenSSO Authentication service UI for end-user authentication to the default authentication module, as shown in the following figure:

  • After successfully authenticating to the OpenSSO server, the browser is redirected to the StockClient application page.

  • Click GetQuote to display the web service response from the StockService application.
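The repackaging steps above, done in one place as an added Python example (it is not code from the original post or from OpenSSO): the script rebuilds the WAR in memory, adds the agent jars under WEB-INF/lib and the configuration file under WEB-INF/classes, and inserts the agent handler at the head of every <handler-chain>, refusing to produce a WAR if the chain file is missing. The handler name and class, the chain file path, the config file name and the sample existing handler are placeholders, because the post's own handler snippet did not survive; the XML namespace is the standard JAX-WS javaee one.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Added example; not OpenSSO code.  Names marked "placeholder" are assumptions.
JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"   # JAX-WS handler-chain schema namespace
ET.register_namespace("", JAVAEE_NS)              # serialize it back as the default namespace


def q(tag: str) -> str:
    """Namespace-qualify a javaee element name for ElementTree lookups."""
    return "{%s}%s" % (JAVAEE_NS, tag)


def prepend_handler(chain_xml: bytes, handler_name: str, handler_class: str) -> bytes:
    """Put the agent handler first in every <handler-chain>.  An existing entry with
    the same class is removed first, so re-running the script does not duplicate it."""
    root = ET.fromstring(chain_xml)
    for chain in root.iter(q("handler-chain")):
        for h in list(chain.findall(q("handler"))):
            if h.findtext(q("handler-class")) == handler_class:
                chain.remove(h)
        agent = ET.Element(q("handler"))
        ET.SubElement(agent, q("handler-name")).text = handler_name
        ET.SubElement(agent, q("handler-class")).text = handler_class
        chain.insert(0, agent)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def handler_classes(chain_xml: bytes) -> list:
    """Handler classes of the first <handler-chain>, in chain order (used to verify)."""
    chain = ET.fromstring(chain_xml).find(q("handler-chain"))
    return [h.findtext(q("handler-class")) for h in chain.findall(q("handler"))]


def secure_war(war: bytes, agent_jars: dict, config_files: dict,
               chain_path: str, handler_name: str, handler_class: str) -> bytes:
    """Rebuild a WAR with the agent jars under WEB-INF/lib, config files under
    WEB-INF/classes, and the agent handler first in the chain file at chain_path."""
    src = zipfile.ZipFile(io.BytesIO(war))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as out:
        seen = False
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == chain_path:
                data = prepend_handler(data, handler_name, handler_class)
                seen = True
            out.writestr(info.filename, data)
        if not seen:   # never ship a "secured" WAR whose handler chain was not touched
            raise FileNotFoundError("handler chain %s not found in WAR" % chain_path)
        for name, data in agent_jars.items():
            out.writestr("WEB-INF/lib/" + name, data)
        for name, data in config_files.items():
            out.writestr("WEB-INF/classes/" + name, data)
    return buf.getvalue()


def war_entry(war: bytes, path: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(war)).read(path)


def war_entries(war: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


# Constructed stand-in for the unsecured StockService.war: one pre-existing handler.
SAMPLE_CHAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-name>LoggingHandler</handler-name>
      <handler-class>com.sun.stockquote.LoggingHandler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>
"""
CHAIN_PATH = "WEB-INF/classes/com/sun/stockquote/handler-chain.xml"   # placeholder path
AGENT_CLASS = "com.example.wss.AgentHandler"                           # placeholder class


def sample_war() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", b"<web-app/>")
        z.writestr(CHAIN_PATH, SAMPLE_CHAIN)
    return buf.getvalue()


def demo() -> list:
    """Secure the sample WAR and return the resulting handler order."""
    secured = secure_war(sample_war(), {"wssagents.jar": b"jar-stub"},
                         {"agent.properties": b"# placeholder agent settings\n"},
                         CHAIN_PATH, "WSSAgentHandler", AGENT_CLASS)
    return handler_classes(war_entry(secured, CHAIN_PATH))


if __name__ == "__main__":
    print(demo())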

Online Privacy – Anonymizers

Web browsing is a lot less anonymous than most people realize. Not only do many sites require their visitors to register, sites also track site visits via cookies. Traffic monitoring software can follow a person from site to site and monitor the pages visited on each site. This software also captures the IP address of the computer visiting the site which makes it relatively easy to find out the geographical location of the computer and which ISP was used to access the internet.

The United States government, like many other governments around the world, is increasingly likely to monitor a person's online activities, ostensibly to stop terrorism. However, the net is cast so wide that millions of law-abiding citizens are also caught in it. Government agencies are also increasing their ability to monitor online activity by tapping into the growing amount of consumer data collected by the private sector. This data collection is becoming more and more automated, increasing the odds of a person being tracked by a government agency even if their activities are completely innocent.

An anonymizer can be used to help hide a user's presence on the internet. In general, free anonymizers work by acting as a proxy: the user's requests are routed through the anonymizer, which replaces the user's source address with its own and drops identifying request headers, so the destination site sees only the anonymizer. The requested page is then fed back through the anonymizer to the web browser.


Web-Based Anonymizers

Web-based anonymizers only protect web browsing and don't cover other internet activities such as e-mail. To use this type of service a user first goes to the anonymizer web page and browses from there by entering the URLs to be visited. This type of anonymizer is normally free, doesn't normally support encrypted (HTTPS) sites and, being a proxy, sees every page the user views.

Proxy Anonymizers

A web proxy anonymizer acts as a proxy for users by routing all requests through itself, so the destination sees the anonymizer's IP address rather than the user's. Users configure their browser to use the proxy, which sits between the user's computer and the internet. SOCKS proxies are another option; they can only be used with applications that support the SOCKS protocol. Most SOCKS proxy anonymizers are commercial and only mask a user's IP address. Many proxy anonymizers add confidentiality by using SSH or SSL encryption between the user and the proxy, and both web proxy and SOCKS proxy connections can be passed through such an encrypted tunnel.

VPN Tunneling

VPN tunneling requires that a VPN client be installed that connects securely to the Anonymizer service provider.  Customers then have a choice of servers in different locations around the country or world from which to browse the web.  In this way customers browse the web from encrypted connections via constantly changing IP addresses.

Networked Anonymizers

Networked anonymizers route traffic through a chain of servers between the user and the destination. Tor (The Onion Router) is an example of a networked anonymizer. It consists of a network of volunteer-run relays; a client builds a circuit through three of them and wraps its traffic in one layer of encryption per relay. Instead of encrypting user traffic from end to end, Tor creates a series of encrypted connections between the relays, and each relay removes only its own layer, so it learns the previous and next hop but never both the user and the destination. The exit relay sees the traffic exactly as the user sent it, so anything that is not itself protected by TLS is readable by whoever runs the exit.

Web-based and proxy anonymizers provide limited protection and suit the occasional surfer who is not too concerned about security. A big disadvantage of free proxy anonymizers is that many of them come from free proxy lists and log user activity, so the proxy operator sees everything the user does. VPN anonymizers provide much more secure surfing than web-based or proxy anonymizers by encrypting traffic from the user's computer to the exit point server, although the provider itself still sees the traffic and the user's real address. They also provide other services such as remailers (discussed in the next post) and user aliases for web-site registration. A network anonymizer is similar to a VPN anonymizer in that traffic is encrypted, but it bounces traffic from server to server in its network to hide its origin before it finally leaves at the exit point.
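The layered encryption that the Mixminion bullet in the Remailers post and the Tor paragraph above both describe, as an added Python example that is not code from the original posts, Mixminion or Tor: the sender wraps a message once per relay, each relay removes one layer and learns only the next hop, every packet is padded to a constant size, and a mix emits its batch in shuffled order. The relay names, keys and messages are constructed for the example, and a keyed toy stream cipher stands in for the per-hop public-key encryption that the real systems use; the final hop's open_delivery shows why the exit or destination still sees plaintext.

```python
import hashlib
import hmac
import os
import random
import struct

# Added example, not code from the original posts, Mixminion or Tor.  The
# per-hop cipher is a toy HMAC-SHA256 counter-mode stream cipher keyed with a
# secret pre-shared with each relay; real mixes and Tor use per-hop public-key
# (hybrid) encryption instead.  The layering, peeling, fixed packet size and
# batch reordering are what the example demonstrates.

BLOCK = 512       # every packet on every link is exactly this many bytes
ID_LEN = 16       # relay and destination identifiers, NUL-padded
NONCE_LEN = 16


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _ident(name: str) -> bytes:
    return name.encode().ljust(ID_LEN, b"\0")


def _repad(data: bytes) -> bytes:
    """Pad with random bytes to BLOCK so packet length never reveals the hop count."""
    if len(data) > BLOCK:
        raise ValueError("message too long for a single packet")
    return data + os.urandom(BLOCK - len(data))


def build_onion(keys: dict, route: list, dest: str, msg: bytes) -> bytes:
    """Sender: wrap the message once per relay, the last relay's layer innermost.
    Each layer is nonce || E_k(next_hop_id || inner)."""
    inner = struct.pack(">H", len(msg)) + msg       # only the destination reads this
    next_hop = dest
    for relay in reversed(route):
        nonce = os.urandom(NONCE_LEN)
        inner = nonce + _xor_stream(keys[relay], nonce, _ident(next_hop) + inner)
        next_hop = relay
    return _repad(inner)


def peel(key: bytes, packet: bytes):
    """Relay: remove one layer.  The relay learns the next hop and nothing else;
    the remainder is still ciphertext under the following relays' keys."""
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    plain = _xor_stream(key, nonce, body)
    next_hop = plain[:ID_LEN].rstrip(b"\0").decode(errors="replace")
    return next_hop, _repad(plain[ID_LEN:])


def open_delivery(packet: bytes) -> bytes:
    """Destination (or Tor exit): the message is plaintext here, which is why
    anything sensitive still needs its own end-to-end protection such as TLS or PGP."""
    (n,) = struct.unpack(">H", packet[:2])
    return packet[2:2 + n]


def mix_batch(key: bytes, inbound: list) -> list:
    """One mix round: peel every queued packet, then emit the batch in random
    order so a watcher cannot pair an incoming packet with an outgoing one."""
    outbound = [peel(key, p) for p in inbound]
    random.SystemRandom().shuffle(outbound)
    return outbound


def run_network(keys: dict, route: list, deliveries: list) -> dict:
    """Send a batch of (destination, message) pairs over one route of mixes and
    return what each destination receives."""
    inflight = [(route[0], build_onion(keys, route, d, m)) for d, m in deliveries]
    for relay in route:
        queue = [p for to, p in inflight if to == relay]
        if any(len(p) != BLOCK for p in queue):
            raise AssertionError("packet size leaked on the link into " + relay)
        inflight = mix_batch(keys[relay], queue)
    return {to: open_delivery(p) for to, p in inflight}


if __name__ == "__main__":
    # Constructed sample: three relays with fixed demo keys, two messages in one batch.
    demo_keys = {r: hashlib.sha256(r.encode()).digest() for r in ("relay-a", "relay-b", "relay-c")}
    print(run_network(demo_keys, ["relay-a", "relay-b", "relay-c"],
                      [("alice@example", b"hello"), ("bob@example", b"world")]))
```

Running the block pushes two messages through three mixes; the size check in run_network fails if any packet changes length between hops, which is exactly the leak Mixmaster's fixed-size packets are meant to close, and the shuffle in mix_batch is the reordering that breaks the link between what enters a mix and what leaves it.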


OpenSSO Secure Token Server – 3

This blog is the third in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here and part 2 is available here.

Update the Web Service Provider Profile

The following steps describe how to update the Web Service Provider profile.

  • Click Web Service Provider. Under Agent click WSP.

  • Select all Security Mechanisms and set Preserve Security Headers in Message to true.

  • Click the checkboxes for Is Request Signature Verified, Is Response Signed.

  • Enter the Web Service End Point URL:

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Update the Agent Authenticator Profile

This Agent Authenticator (agentAuth) acts as the application user. It authenticates WSS agents to the OpenSSO server through the OpenSSO client SDK in order to retrieve agent profiles or configurations from the OpenSSO server. To do its job, agentAuth requires permission to read the configuration information of the newly created WSC and WSP agent profiles.

Set the agentAuth read permission as follows:

  • Select the Agent Authenticator tab.

  • Under Agent, click agentAuth to edit it.
  • Under the heading Agent Profiles allowed ensure that WSC and WSP are selected.
  • Save the changes and log out of OpenSSO.

Edit the Security Token Service Configuration Parameters

Log onto OpenSSO and navigate to Configuration -> Global -> Security Token Service.

Make the following changes:

  • In the Token Issuance Attributes section change the issuer to Self-CA and the Certificate Alias Name to opensso

  • In the Key Store section change the Private Key Alias and the Public Key Alias of Web Service (WS-Trust) Client to opensso.

  • In the Token Validation Attributes section change the Trusted Issuers to cacert:Self-CA.

Change the Cookie c66Encode Flag

The c66Encode flag works around a problem whereby some application servers return the wrong cookie value if certain characters appear in the session ID. c66 encoding ensures that those characters are not used in the session ID that OpenSSO places in the cookie.

Follow these steps to turn c66 encoding on.

  • Log onto the OpenSSO console and navigate to Configuration -> Servers and Sites.
  • Click the Default Server Settings button.
  • Select the Advanced tab.
  • Change the value of the c66Encode property to true.
  • Save the changes.
  • Restart the OpenSSO web container.

OpenSSO Secure Token Server – 2

This blog is the second in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here.

Configure the WebLogic Trust Keystores

Ensure that the WebLogic containers are using the keystore and trusted certificate stores created previously. In Windows this can be done by editing the create-service command file as follows:

  • Edit the createSvc.cmd file to include the following JAVA_OPTIONS parameters for the web service container and save it as createWSPSvc.cmd:
  • Repeat for the web service client and OpenSSO containers.
  • Run the commands to create the services.
    For example:
    echo off
    set DOMAIN_NAME=wsp
    set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
    set SERVER_NAME=AdminServer
    set PRODUCTION_MODE=false
    set JAVA_VENDOR=Sun
    set JAVA_HOME=C:\Sun\Middleware\jdk160_24
    set MEM_ARGS=-Xms256m -Xmx512m
    set JAVA_OPTIONS=\Sun\Middleware\user_projects\domains\wsp\resources\cacerts\Sun\Middleware\user_projects\domains\wsp\resources\server.jks
    call “C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd”

Configure OpenSSO Web Service Profiles

The deployment consists of three containers: the Web Services Client, the Web Services Provider and the OpenSSO Server. It uses the default WSC and WSP profiles shipped with OpenSSO.

  • Access the OpenSSO Console by entering the following URL:
  • Log in to the OpenSSO Console as amadmin.
  • Go to Access Control -> Default realm -> Agents, as shown below:

Update the Web Service Client Profile

  • Select the Web Service Client tab:

  • In the Agent panel select WSC.
  • Click the WSC profile to edit it.
  • In the Security section select STSSecurity as the Security Mechanism, SecurityTokenService as the STS Configuration, and set Preserve Security Headers in Message to true.

  • Check Is Request Signed Enabled and Is Response Signature Verified in the Signing and Encryption section then uncheck all signing values except Body.

  • Enter the key aliases, keystore location and password

  • Save the changes.

Online Accounts – Take Care

I read with concern Mat Honan’s blog about how his Google, Apple and Twitter accounts were hacked.

My main concern, though, is the differing policies between the service providers for resetting user account passwords. As demonstrated in this case, a clever hacker can use this to gain access to an account by getting information from one service provider and using it as proof of identity to another service provider.

Take a look at Mat's blog here to see what happened.

What can we learn from this?

The first is that everyone needs to learn and employ personal security safeguards when using the internet.

Mat admits to doing the following things wrong:

  • He didn't back up his data.
  • He daisy-chained the accounts.
  • He used the same e-mail address across several accounts.
  • He should have created a unique recovery e-mail address that's not associated with other services.

In addition to the items that he highlighted he should have made better use of the security options available to him. For instance, had he enabled Google’s two factor authentication this incident may not have occurred.

With regard to the service providers, the hacker was able to take advantage of inconsistencies in the security policies between Apple and Amazon to get the information needed to access the Apple account:

This is an issue that will have to be addressed.  Hopefully, the service providers will come together to create a solution.


Now that we’re halfway through the first international break it’s a good time to review what I’ve seen of Arsenal so far this season.

I’ve watched all of Arsenal’s games up to now and I must admit that I’ve been impressed with the team’s defensive discipline.  True, that two of the teams they’ve played were more interested in not losing than trying to win the game but the Sunderland and Stoke games were the type of games that Arsenal could have lost in the past because of their defensive indiscipline.

In defense we can pair any two from Mertesacker, Vermaelen and Koscielny in the middle of the defense.  I had my doubts about Gibbs and Jenkinson but it’s amazing what defensive coaching can do and both have improved.  We have Sagna coming back soon but I still have a concern about Santos, great going forward but will he ever be able to defend?

In midfield we have a lot of options.  Arsene Wenger is using Arteta and Diaby as the midfield platform to protect the defense and launch attacks with Diaby given license to carry the ball and Arteta playing deeper.  It’s worked so far but I would prefer that at least one of those players was a true defensive midfielder.  Against the better teams we may come under pressure in this area because, although Arteta is a tenacious tackler he’s not a defensive midfielder and is more effective when he plays further forward. As for Diaby, he’s showing what we’ve missed over the last two to three years with his injury problems and the more games he plays the more important he will be to the team. I just hope that he can play a full season without serious injury.

Some people have compared Cazorla negatively to Fabregas.  To me they are two different types of players with Cazorla moving the ball quicker and causing more problems to the opposition because he is two footed and prepared to shoot on sight.  I think that Diaby, Arteta and Cazorla will form the basis of our midfield when fit with other players coming  in as required.

Up front Podolski and Giroud are going to cause opposition defenses a lot of problems this season.  True, Giroud hasn't scored yet but he will and when he gets his confidence back he'll be a real handful. The problem is that we don't have much in reserve up front unless Chamakh discovers his mojo again and starts playing the way he did when he first joined the club.

The whole team is now working as a defensive unit with the forwards and midfield tracking back to make the team hard to break down.  Against Liverpool, for instance, there were times when it seemed that Podolski was playing left back. It was heartening to see and goes to show that Arsene hasn’t been doing much work on the defensive side of the game over the last few years if Steve Bould can make such a big difference in so little time.

We have sterner tests coming but I feel optimistic that the current team is better equipped to pass them.