Online Accounts – Take Care

I read with concern Mat Honan’s blog about how his Google, Apple and Twitter accounts were hacked.

My main concern, though, is the differing policies between the service providers for resetting user account passwords. As demonstrated in this case, a clever hacker can use this to gain access to an account by getting information from one service provider and using it as proof of identity to another service provider.

Take a look at Mat’s blog  here to see what happened.

What can we learn from this?

The first is that everyone needs to learn and employ personal security safeguards when using the internet.

Mat admits to doing the following things wrong:

  • He didn’t back-up his data.
  • He daisy-chained the accounts.
  • He used the same e-mail address across several accounts.
  • He should have created a unique recovery e-mail address that’s not associated with other services.

In addition to the items that he highlighted he should have made better use of the security options available to him. For instance, had he enabled Google’s two factor authentication this incident may not have occurred.

With regard to the service providers, the hacker was able to take advantage of inconsistencies in the security policies between Apple and Amazon to get the information needed to access the Apple account:

This is an issue that will have to be addressed.  Hopefully, the service providers will come together to create a solution.

Arsenal

Now that we’re halfway through the first international break it’s a good time to review what I’ve seen of Arsenal so far this season.

I’ve watched all of Arsenal’s games up to now and I must admit that I’ve been impressed with the team’s defensive discipline.  True, that two of the teams they’ve played were more interested in not losing than trying to win the game but the Sunderland and Stoke games were the type of games that Arsenal could have lost in the past because of their defensive indiscipline.

In defense we can pair any two from Mertesacker, Vermaelen and Koscielny in the middle of the defense.  I had my doubts about Gibbs and Jenkinson but it’s amazing what defensive coaching can do and both have improved.  We have Sagna coming back soon but I still have a concern about Santos, great going forward but will he ever be able to defend?

In midfield we have a lot of options.  Arsene Wenger is using Arteta and Diaby as the midfield platform to protect the defense and launch attacks with Diaby given license to carry the ball and Arteta playing deeper.  It’s worked so far but I would prefer that at least one of those players was a true defensive midfielder.  Against the better teams we may come under pressure in this area because, although Arteta is a tenacious tackler he’s not a defensive midfielder and is more effective when he plays further forward. As for Diaby, he’s showing what we’ve missed over the last two to three years with his injury problems and the more games he plays the more important he will be to the team. I just hope that he can play a full season without serious injury.

Some people have compared Cazorla negatively to Fabregas.  To me they are two different types of players with Cazorla moving the ball quicker and causing more problems to the opposition because he is two footed and prepared to shoot on sight.  I think that Diaby, Arteta and Cazorla will form the basis of our midfield when fit with other players coming  in as required.

Up front Podolski and Giroud are going to cause opposition defenses a lot of problems this season. True, Giroud hasn’t scored yet but he will and when he gets his confidence back he’ll be a real handful. The problem is that we don’t have much in reserve up front unless Chamakh discovers his mojo again and starts playing the way he did when he first joined the club.

The whole team is now working as a defensive unit with the forwards and midfield tracking back to make the team hard to break down.  Against Liverpool, for instance, there were times when it seemed that Podolski was playing left back. It was heartening to see and goes to show that Arsene hasn’t been doing much work on the defensive side of the game over the last few years if Steve Bould can make such a big difference in so little time.

We have sterner tests coming but I feel optimistic that the current team is better equipped to pass them.

OpenSSO – Secure Token Server

I think that the demise of OpenSSO has been greatly over exaggerated. There are positions open for people with OpenSSO skills and there are many forums with people asking for help in solving OpenSSO/OpenAM problems.

One question that comes up regularly is how to configure OpenSSO as a Secure Token Server.

This blog is the first in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

A Secure Token Server is a third-party broker that allows a Web Service client to authenticate and receive a security token which is then sent to a Web Service Provider. The Web Service Provider validates the token and verifies that it came from a trusted secure token server.  It then uses the token to make authentication and authorization decisions.

Create and Deploy the SSL Certificates

This deployment uses self-signed certificates. The following instructions describe how to create and install them using OpenSSL and keytool.

  1. Create root certificate.
  2. Create the trusted certificates store
  3. Create key and signing requests.
  4. Sign the requests.
  5. Create the keystores.
  6. Add the public certificates to the keystores.

It is assumed that openssl.cnf has already been created.

Create the root certificate

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the trusted certificates store

openssl x509 -outform DER -in cacert.pem -out cacert.cert
keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias cacert -file cacert.cert

Create a Key and Signing Request

Client

openssl req -new -nodes -out clientReq.pem -keyout private/clientKey.pem -config openssl.cnf

Server

openssl req -new -nodes -out serverReq.pem -keyout private/serverKey.pem -config openssl.cnf

OpenSSO

openssl req -new -nodes -out openssoReq.pem -keyout private/openssoKey.pem -config openssl.cnf

Sign the Requests

Client

openssl ca -out clientCert.pem -config openssl.cnf -infiles clientReq.pem

Server

openssl ca -out serverCert.pem -config openssl.cnf -infiles serverReq.pem

OpenSSO

openssl ca -out openssoCert.pem -config openssl.cnf -infiles openssoReq.pem

Create the Keystores

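The following instructions use the ImportKey class to import the keys into the Java keystore. As the commands below show, ImportKey writes its output to a file named keystore.ImportKey in the home directory, under the alias importkey with the key password importkey; the remaining steps rename the file and replace those defaults.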

Client

  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\clientKey.pem -inform PEM -out clientKey.der -outform DER
    openssl x509 -in clientCert.pem -inform PEM -out clientCert.der -outform DER
  • Import the files into the JKS
    java ImportKey clientKey.der clientCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey client.jks
  • Change keystore password:
    keytool -keystore client.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore client.jks
  • Change the alias
    keytool -keystore client.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias client
  • Check the Keystore Contents
    keytool -list -v -keystore client.jks

Server

  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\serverKey.pem -inform PEM -out serverKey.der -outform DER
    openssl x509 -in serverCert.pem -inform PEM -out serverCert.der -outform DER
  • Import the files into the JKS
    java ImportKey serverKey.der serverCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey server.jks
  • Change keystore password:
    keytool -keystore server.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore server.jks
  • Change the alias
    keytool -keystore server.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias server
  • Check the Keystore Contents
    keytool -list -v -keystore server.jks

OpenSSO

  • Convert both the key and the certificate into DER format
    openssl pkcs8 -topk8 -nocrypt -in private\openssoKey.pem -inform PEM -out openssoKey.der -outform DER
    openssl x509 -in openssoCert.pem -inform PEM -out openssoCert.der -outform DER
  • Import the files into the JKS
    java ImportKey openssoKey.der openssoCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey opensso.jks
  • Change keystore password:
    keytool -keystore opensso.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore opensso.jks
  • Change the alias
    keytool -keystore opensso.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias opensso
  • Check the Keystore Contents
    keytool -list -v -keystore opensso.jks

Add the Public Certificates to the KeyStores

Server

  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore server.jks -storepass changeit -file clientCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore server.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore server.jks

Client

  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore client.jks -storepass changeit -file serverCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore client.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore client.jks

OpenSSO

  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore opensso.jks -storepass changeit -file clientCert.der
  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore opensso.jks -storepass changeit -file serverCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore opensso.jks
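
The "Check the contents of the Keystore" steps above are done by eye. As an added example (not part of the original post), the following Python script parses keytool -list -v output and confirms that each keystore holds its own PrivateKeyEntry plus the other two parties' trustedCertEntry certificates, all issued by the root CA. The distinguished names and the two listings are constructed samples, trimmed to the fields the check reads.

```python
import re

# Layout the procedure above should produce: each keystore holds its own key
# pair plus the public certificates of the other two parties.
PARTIES = ("client", "server", "opensso")
EXPECTED = {
    f"{own}.jks": {p: ("PrivateKeyEntry" if p == own else "trustedCertEntry")
                   for p in PARTIES}
    for own in PARTIES
}
FIELDS = {"Entry type": "type", "Owner": "owner", "Issuer": "issuer"}


def parse_keytool_listing(text):
    """Parse `keytool -list -v` output into {alias: {type, owner, issuer}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        alias = re.match(r"Alias name:\s*(\S.*)$", line)
        if alias:
            current = entries.setdefault(alias.group(1).lower(), {})
            continue
        label, sep, value = line.partition(":")
        # Keep the first Owner/Issuer seen per alias: that is the leaf certificate.
        if current is not None and sep and label in FIELDS:
            current.setdefault(FIELDS[label], value.strip())
    return entries


def check_keystore(name, listing, ca_subject):
    """Return a list of problems; an empty list means the layout is as expected."""
    entries = parse_keytool_listing(listing)
    problems = []
    for alias, wanted in EXPECTED[name].items():
        entry = entries.get(alias)
        if entry is None:
            problems.append(f"missing alias '{alias}'")
        elif entry.get("type") != wanted:
            problems.append(f"alias '{alias}' is {entry.get('type')}, expected {wanted}")
        elif entry.get("issuer") != ca_subject:
            problems.append(f"alias '{alias}' was not issued by the root CA")
    # Anything else is suspect, e.g. the 'importkey' alias left by a skipped rename.
    problems += [f"unexpected alias '{a}'" for a in entries if a not in EXPECTED[name]]
    return problems


CA = "CN=Example Root CA, O=Example"  # constructed subject of cacert.pem

# Constructed listing: server.jks after every step has been followed.
GOOD_SERVER = """\
Keystore type: JKS
Your keystore contains 3 entries

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.example.com, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: client
Entry type: trustedCertEntry
Owner: CN=client.example.com, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: opensso
Entry type: trustedCertEntry
Owner: CN=opensso.example.com, O=Example
Issuer: CN=Example Root CA, O=Example
"""

# Constructed listing: client.jks where the alias was never changed, the
# OpenSSO certificate was not imported, and the server certificate is self-signed.
BAD_CLIENT = """\
Alias name: importkey
Entry type: PrivateKeyEntry
Owner: CN=client.example.com, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: server
Entry type: trustedCertEntry
Owner: CN=server.example.com, O=Example
Issuer: CN=server.example.com, O=Example
"""

if __name__ == "__main__":
    for name, listing in (("server.jks", GOOD_SERVER), ("client.jks", BAD_CLIENT)):
        print(name, check_keystore(name, listing, CA) or "OK")
```
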

That’s it for now.  I’ll post the next installment next week.

Arsenal

I think that Arsene Wenger has bought well so far in this transfer window but he has to get a more disciplined and defensive minded midfielder in to replace Alex Song.  With two weeks of the transfer window remaining I’ve decided not to give my opinion on the team until it closes.

Arsenal: Season’s Review

The season is over and Arsenal limped into third place with a great deal of help from West Brom’s dodgy keeper.

The game followed a familiar pattern. Arsenal scored, West Brom equalized and then took the lead. I was so certain that this was going to happen that I didn’t even get upset; I just wondered whether we’d have the bottle to fight back and win the game. We did, but it was a close-run thing.

Why does Arsenal concede so many goals? The goals conceded over the last five years don’t make for pleasant reading: 31, 37, 41, 43 and 49. It’s obvious that our defending is getting worse but nothing has been done to rectify the problem.

Are our defenders really bad? Actually I don’t think so. Individually, we have some good defenders; the problem is that collectively we have a bad defense. Does anyone actually practice defending at Arsenal? The emphasis seems to be on attack with our defenders regularly in advanced positions in midfield and attack. This is borne out by the number of times our defenders are caught too far forward allowing the opposition to launch rapid counter-attacks that often result in a goal conceded.

I’ve come to the conclusion that any team in relegation trouble hopes to play Arsenal. The game plan is simple. Drop deep and defend around the penalty box, get in the Arsenal players’ faces and don’t allow them time on the ball, have a couple of players hang around just inside the half-way line then wait for a misplaced pass or interception. With all of the Arsenal team camped inside the opposition half a quick pass up-field and Arsenal are in trouble.

It’s a tactic that teams from Manchester United to Wigan to QPR have used over the years but we continue to fall for it and concede stupid goals. This wouldn’t happen if the defenders were told that their primary task is to defend and they were disciplined enough to know when to go forward and when to hang back. The hope is that Steve Bould will help to instill this mentality into our defense to alleviate this problem.

As for the attacking side of Arsenal’s game, in a nutshell it’s predictable. Passing the ball from one side of the pitch to the other is not going to break down a well-drilled team. When playing against teams that bring most players back to defend the penalty area it’s very difficult to find the pass to open them up and it’s even more difficult to find the room for a strike on goal. Alex Song is a good passer of the ball but he’s not the type of player we need trying to open up a defense. His problem is that he gets the ball, looks up then makes the pass. By the time he makes the pass his intentions have been read by a defender and the pass is more often than not cut out. We need a player who can see the pass before he gets the ball and has the skill to make the pass immediately he gets it, you know someone like Cesc Fabregas except we sold him and didn’t buy a replacement. Mikel Arteta has been badly missed the last few games because, whereas most of our passes from midfield are easy to read, he moves the ball on quickly when he gets it giving defenders little time to read and intercept the pass.

Talking about Alex Song, he needs to be reminded that he’s a defensive midfielder not  a play-maker.

With the right mix of players I think we would be able to open up any team.  Barcelona plays a very similar way and they have to overcome the same problems.  However, they vary their attacks and have Lionel Messi who has good close control and can ghost past players to make room for himself or others.  The closest player we had that could give us this type of attacking variety was Samir Nasri but we sold him and didn’t get a replacement.  With both Fabregas and Nasri gone we were left with midfield players who were pretty much alike.  Very few of them can carry the ball and individually hurt the opposition and we don’t have anyone who has the vision to make the killer passes. Consequently, we struggled against teams at the bottom of the table because they were quite happy to defend deeply and hit us on the break.

The upcoming transfer window is going to be interesting.  It will give us an insight into Arsene Wenger’s ambitions for next season.  If he sits on his laurels again and doesn’t shake up the squad then it shows that he’s content just to continue trying to qualify for the Champions League and is not interested in competing for the title or actually winning the Champions League.  I don’t include the domestic cup competitions because with a bit of luck anyone can win those.

If he brings in players that will give some more variety to our attack, buys a defensive midfielder who will play defensive midfield and addresses our defensive attitudes then I believe we’ll be on the right track to competing with the Manchester clubs and Chelsea. Even though those three clubs will be spending a lot of money in the summer at least two of them (Manchester United and Chelsea) currently depend heavily on players in their mid to late thirties so a good portion of their budgets will be spent buying players to replace them. We have the opposite problem, we need to bring in more experience.

I honestly believe we have the core of a very good squad. If the mix of the squad regarding experience and youth is improved then I think we can compete. However, if we follow the route of waiting for players such as Abou Diaby to come back (how many games did he play this year before getting injured again?) we will go back to our annual cycle of injury crisis followed by a mini revival followed by struggling to get results from February to the end of the season. Only this time if the teams around us get their act together we won’t qualify for the Champions League.

OK, next post it’s back to the day job.

Cloud:User Account Provisioning

I’ve met with several prospective customers recently who are interested in cloud technology such as Software as a Service (SaaS) but want to know how to implement identity and access management.

Enterprises often use products and services from various cloud providers who need to have their own identity store for policy, access and authorization.  Consequently, there is a need for identity synchronization and provisioning mechanisms between the enterprise and the SaaS provider.

The answer is to either find a vendor who has created a solution for the problem such as Radiant Logic or create a custom solution by integrating with the SaaS vendor’s API. Different cloud vendors expose custom provisioning APIs which require enterprises to develop and maintain proprietary connectors to integrate with them.

There is a new initiative driven by Google, salesforce.com and Ping Identity called SCIM (Simple Cloud Identity Management). It is an open standard which defines a comprehensive REST API along with a platform neutral schema and a SAML binding to facilitate the user management operations across SaaS applications placing specific emphasis on simplicity and interoperability.  SCIM gives cloud application providers a consistent and simple way to manage their identities in their cloud application as well as other clouds.

There is already a provisioning standard called Service Provisioning Markup Language (SPML) but the industry hasn’t adopted it.  SPML was developed for the enterprise provisioning market and while many identity management vendors support sending and accepting SPML requests, few support SPML as their API for provisioning.   As a result most integrations from IAM vendors still use the vendor API which, as with cloud vendors, varies from vendor to vendor.

Will SCIM be adopted by the major cloud vendors?  Only time will tell.

In the meantime, if the customer doesn’t want to purchase a third-party solution, we’re left with working with the vendors’ APIs and uploading accounts in a format that they can understand. If the service is exposed as a web service over SSL then data can be sent this way or it may be as simple as setting up a secure connection with two-way authentication and bulk uploading provisioning information. Security can be further enhanced if the cloud solution can be configured to only accept connections from specific hosts. Not very neat or scalable but it gets the job done.

Arsenal

I’ve been quietly fuming over the last few weeks because of the pig’s ear that Arsenal have made of getting the points necessary to gain automatic qualification to the Champions League.

I’ll wait until after Sunday’s game before discussing further.

OpenSSO – Change Server Instance Information

This is a post from one of our FAQs.

It’s sometimes necessary to change the OpenSSO server instance information such as the host-name or port number.

This can be achieved as follows:

  1. Log onto the console as amadmin.
  2. Select the configuration tab and then the Sites and Servers sub-tab.
  3. Select the check box for the instance to be changed and click the clone button.
  4. Enter the new server URL in the format protocol://hostname.domain:port/context.
  5. Select the Access Control tab.
  6. Click the realm name.
  7. Add the new host to the Realm/DNS Aliases list.
  8. If the domain has changed then the cookie domain must be changed as follows:
    1. Return to Access Control.
    2. Select the Configuration tab.
    3. Select the System sub-tab
    4. Select Platform.
    5. Remove the old domain in the Cookie Domains list and add the new one.
    6. Save the changes.
  9. Edit the bootstrap file in the OpenSSO configuration directory and change the URL to match the New Server URL entered above
  10. Logout and restart the container.

That’s it.

Arsene’s Epiphany

In recent posts I have been a bit pessimistic about Arsenal’s chances of finishing in the top four, mainly because of the team’s recent history of fading in the latter part of the season and bottling the big games.

What a difference having a few experienced players in the team makes.

Players approaching or over 30 that Arsene wouldn’t normally touch with a barge-pole have proved their worth this season.  I’m thinking of the likes of Arteta and Rosicky who, although not blessed  with the ability of  the departed Fabregas and Nasri, have added some steel, drive and experience to the Arsenal team and given the younger players someone to look up to.  It’s been such a success that Arsenal are now favourites to finish third after a horrid start to the season and the papers are suggesting that Arsene has his eye on one or two more older players such as Fulham’s Clint Dempsey.

If only Arsene had had this epiphany two or three years ago who knows what success we might have had instead of always being ‘So close’.

OpenAM – Adaptive Risk Module

Two new features in OpenAM 10 stand out for me:

  • Adaptive Authentication Module
  • Open Identity Gateway

In this post I’ll look at the Adaptive Risk Module.

Adaptive Risk Module

A couple of years ago one of our customers wanted to be able to adjust the authentication level in OpenSSO based on whether an external or internal user was accessing a protected web resource.  Internal users would just be required to perform LDAP authentication whereas external users would be required to perform both LDAP and one time password authentication.  All users had LDAP user accounts.

OpenSSO authentication levels were considered but these apply to all users and the customer wanted to be able to determine the authentication level on a per user basis.  It was finally decided that external users would have an attribute value set in their profile and I wrote a custom authentication module that presented a standard LDAP authentication page to the user, verified successful authentication before checking the specified attribute value in the user’s profile and then presenting one time password authentication via redirect callback if it was set.

If presented with the same scenario today I would use the Adaptive Risk Module.

In this solution an authentication chain is created as depicted in the following image.

The chain consists of the LDAP module, the Adaptive Risk Module and the HOTP module.

All users are required to perform LDAP authentication. Upon success OpenAM calls the Adaptive Risk module.

This module is designed to assess risk during authentication so that OpenAM can determine whether to require the user to complete further authentication steps.  The risk threshold is the first value set in the module and various checks can be enabled, each with their own score.  For instance, if the Profile Attribute check is set it can be given a value that exceeds the risk threshold if true thus requiring the user to be passed to the next authentication module, in this case HOTP.

The checks that could be used to determine the authentication risk in this scenario are the IP Address Range and Profile Attribute.  Other available checks include:

  • Authentication Level
  • IP Address History
  • IP History Check
  • Known Cookie
  • Device Cookie
  • Max Time Since Last Login
  • Geo Location
  • Request Header

Using this authentication method would have saved over two weeks in coding and testing effort.
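
The scoring behaviour described above, as an added example that is not part of the original post and is not OpenAM's own code: a simplified Python model of the LDAP, Adaptive Risk and HOTP chain, using the IP Address Range and Profile Attribute checks. The threshold, the scores, the 10.0.0.0/8 range and the userType attribute name are assumptions chosen to show how scores combine.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Login:
    client_ip: str
    profile: dict = field(default_factory=dict)


def ip_outside_ranges(*cidrs):
    """Check fires when the client IP is outside every listed range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def check(login):
        try:
            ip = ipaddress.ip_address(login.client_ip)
        except ValueError:
            return True  # unparseable address: treat as risky (fail closed)
        return not any(ip in net for net in nets)
    return check


def profile_attribute(name, value):
    """Check fires when the user's profile carries name == value."""
    return lambda login: login.profile.get(name) == value


@dataclass
class AdaptiveRisk:
    threshold: int
    checks: list = field(default_factory=list)  # (label, score, check) tuples

    def assess(self, login):
        """Return (total score, labels of the checks that fired)."""
        fired = [(label, score) for label, score, check in self.checks if check(login)]
        return sum(score for _, score in fired), [label for label, _ in fired]


def run_chain(login, risk, ldap_ok, hotp_ok=False):
    """Model of the LDAP -> Adaptive Risk -> HOTP chain described above."""
    if not ldap_ok:
        return "denied: LDAP failed"
    total, _ = risk.assess(login)
    if total <= risk.threshold:
        return "granted: LDAP only"
    # Score exceeds the threshold: the user is passed on to the HOTP module.
    return "granted: LDAP + HOTP" if hotp_ok else "denied: HOTP required"


def build_module():
    # Constructed values: threshold, scores, range and attribute name are assumptions.
    return AdaptiveRisk(threshold=5, checks=[
        ("IP Address Range", 3, ip_outside_ranges("10.0.0.0/8")),
        ("Profile Attribute", 6, profile_attribute("userType", "external")),
    ])


if __name__ == "__main__":
    risk = build_module()
    samples = {
        "internal user, office IP": Login("10.1.2.3"),
        "internal user, remote IP": Login("203.0.113.9"),
        "external user": Login("203.0.113.9", {"userType": "external"}),
        "malformed address": Login("not-an-ip"),
    }
    for label, login in samples.items():
        print(label, risk.assess(login), run_chain(login, risk, ldap_ok=True, hotp_ok=True))
```

With these scores an out-of-range address alone stays under the threshold, while the profile attribute alone exceeds it, which matches the per-user behaviour the customer asked for.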

Arsenal v Newcastle

Arsenal have the opportunity to close to within a point of Spurs on Monday after their defeat to Everton on Saturday.

It’s a home game against Newcastle that we’d normally be expected to win.  However, Arsenal have been in this position many times over the last few years and have each time failed to take the opportunity.  OK, in the past they’ve been vying for the title but at the end of the day the team’s got previous for choking under pressure.  I only hope that this time we have the character to get a result when it’s needed.  The good news is that the team has finally shown over the last two weeks that it has.

Diaby’s injured again (wow he lasted a whole 20 minutes) but on the bright side Santos, Arteta and Benayoun should be available.  A win will put pressure on Spurs and my feeling is that both Arsenal and Chelsea will be hunting them down from now until the end of the season.  This is new for Spurs and we’ll see how well they cope.

The papers are full of stories of all the players that Arsenal are interested in buying.  We’ve been here before.  In fact every year around this time the stories start and every year we buy no one.  This year should be different though.  After the mess that the club made in last summer’s transfer window culminating in the mad dash to buy players after the 8-2 drubbing at United I’m sure we’ll be in and out of the transfer market early this time so I’m not surprised to hear that negotiations have already started with players like Podolski.

Considering the club is trying to persuade van Persie to sign a new contract I don’t think there’s any choice but to invest in new players.  However, there’s no way the club is going to spend the 65-70 million pounds that is being touted in some newspapers.

Oh well that’s for the summer, in the meantime there’s the small matter of beating Newcastle on Monday.

A Look at OpenAM 10

ForgeRock was born from the ashes of Sun Microsystems and continues the development of Sun’s open source product OpenSSO, renamed OpenAM because Oracle now owns the rights to the OpenSSO product name.

OpenAM 10 Early Access is now available and promises the following features:

  • Open Identity Gateway
    • Java based reverse proxy for integrated SSO
    • Integrates legacy and complex applications
    • Credential replay and header passing
    • Fedlet integrated with the gateway
    • Federate enables any web application
    • Deployed as a reverse proxy or co-located with the application
  • SAML2 IdP Adaptor extension
    • new plug-in hook in the IdP
    • Allows code to be executed, and even interaction with the user, before the SAML2 assertion is released
  • Risk Based Authentication
    • Authentication plug-in model
    • Sample risk auth modules and documentation
  • Integration enhancements
    • SharePoint 2010
    • AD Password reset
  • Self Service User Interface
    • Shared module with OpenIDM
    • User registration and password management
  • Yubikey Authentication Module
  • OAuth 2.0 Authentication Module (Relying party)
  • Upgrade tools
    • Easy upgrade to OpenAM 10.0

Since the sale of Sun both products have been pretty much the same with both Oracle and ForgeRock performing necessary bug fixes to Sun’s last release.  I now expect to see a divergence of the products as ForgeRock enhances OpenAM along the lines of the product road-map while Oracle will quietly kill off OpenSSO.

Over the next few weeks I intend to test-drive ForgeRock’s suite of products:

  • OpenAM – Authentication, Authorization, Federation and Security Token Service.
  • OpenDJ – LDAP v3 Directory Server.
  • OpenIDM – Identity Management and Provisioning
  • OpenIGS – Identity Gateway and Reverse Proxy Server

I can’t sign off without saying a huge well done to Arsenal for last night’s performance.

Trying to overturn a 4 goal deficit against a team like AC Milan was always going to be a huge task but the boys came close, failing by a single goal.  Let’s hope that performance sets the team up for the rest of the season and gives the players the belief that they can overhaul Spurs in 3rd place.