OpenSSO Secure Token Server – 2

This blog is the second in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here.

Configure the WebLogic Trust Keystores

Ensure that the WebLogic containers are using the keystore and trusted certificate stores created previously.  In Windows this can be done by editing the create service command file as follows.

  • Edit the createSvc.cmd file to include the following JAVA_OPTIONS parameters for the web service container and save it as createWSPSvc.cmd (a trailing ^ continues the set command onto the next line, so the value is read as one option string):
    set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wss\resources\cacerts ^
     -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wss\resources\server.jks ^
     -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
  • Repeat for the web service client and OpenSSO containers.
  • Run the commands to create the services.
    For example:
    @echo off
    SETLOCAL
    set DOMAIN_NAME=wsp
    set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
    set SERVER_NAME=AdminServer
    set PRODUCTION_MODE=false
    set JAVA_VENDOR=Sun
    set JAVA_HOME=C:\Sun\Middleware\jdk160_24
    set MEM_ARGS=-Xms256m -Xmx512m
    rem JSSE reads the trust store and key store for the container from these system properties
    set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\cacerts ^
     -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\server.jks ^
     -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
    call "C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd"
    ENDLOCAL
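A pre-flight check for the service command files above, added here as an example rather than anything from the original post or from OpenSSO/WebLogic: it parses the javax.net.ssl.* properties out of a createSvc.cmd-style file (honouring ^ line continuations) and flags the settings that most often break or weaken the trust setup, including the changeit default passwords the sample uses. The embedded cmd text is constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample modelled on the createWSPSvc.cmd fragment above (not the author's file).
SAMPLE_CMD = r"""
@echo off
SETLOCAL
set DOMAIN_NAME=wsp
set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\cacerts ^
 -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\server.jks ^
 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
call "C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd"
ENDLOCAL
"""

REQUIRED = ("trustStore", "keyStore", "trustStorePassword", "keyStorePassword")
DEFAULT_PASSWORDS = {"changeit", "changeme", "password"}  # well-known JDK/vendor defaults


def parse_ssl_options(cmd_text: str) -> dict:
    """Return the javax.net.ssl.* properties set in a cmd file, honouring ^ line continuations."""
    joined = re.sub(r"\^\r?\n", " ", cmd_text)  # cmd.exe continues a line after a trailing ^
    opts = {}
    for line in joined.splitlines():
        if not line.lstrip().lower().startswith("set java_options="):
            continue
        for name, value in re.findall(r"-Djavax\.net\.ssl\.(\w+)=(\S+)", line):
            opts[name] = value
    return opts


def audit_ssl_options(opts: dict, check_files: bool = False) -> list:
    """Flag settings that would make the WebLogic/OpenSSO trust setup fail or weaken it."""
    findings = []
    for key in REQUIRED:
        if key not in opts:
            findings.append(f"missing -Djavax.net.ssl.{key}")
    for key in ("trustStorePassword", "keyStorePassword"):
        if opts.get(key, "").lower() in DEFAULT_PASSWORDS:
            findings.append(f"{key} is a well-known default; change it before going live")
    if "trustStore" in opts and "keyStore" in opts and opts["trustStore"].lower() == opts["keyStore"].lower():
        findings.append("trustStore and keyStore are the same file; the private key store should not double as the trust store")
    if check_files:  # only meaningful on the WebLogic host itself
        for key in ("trustStore", "keyStore"):
            if key in opts and not Path(opts[key]).is_file():
                findings.append(f"{key} file not found: {opts[key]}")
    return findings
```

Run it with check_files=True on the WebLogic host to also confirm the store files exist at the paths the service will use.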

Configure OpenSSO Web Service Profiles

Web Services Client: http://ws-client.ltes.com:8001
Web Services Provider: http://ws-provider.ltes.com:7001
OpenSSO Server: http://opensso.ltes.com

This deployment uses the default WSC and WSP profiles shipped with OpenSSO.

  • Access the OpenSSO Console by entering the following URL:
    http://opensso.ltes.com/opensso
  • Log in to the OpenSSO Console as amadmin.
  • Go to Access Control -> Default realm -> Agents, as shown below:

Update the Web Service Client Profile

  • Select the Web Service Client tab:

  • In the Agent panel select WSC.
  • Click the WSC profile to edit it.
  • In the Security section select STSSecurity as the Security Mechanism and SecurityTokenService as the STS Configuration, and set Preserve Security Headers in Message to true.

  • Check Is Request Signed Enabled and Is Response Signature Verified in the Signing and Encryption section, then uncheck all signing values except Body.

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Online Accounts – Take Care

I read with concern Mat Honan’s blog about how his Google, Apple and Twitter accounts were hacked.

My main concern though is the differing policies between the service providers for resetting user account passwords. As demonstrated in this case, a clever hacker can use this to gain access to an account by getting information from one service provider and using it as proof of identity to another service provider.

Take a look at Mat’s blog here to see what happened.

What can we learn from this?

The first is that everyone needs to learn and employ personal security safeguards when using the internet.

Mat admits to doing the following things wrong:

  • He didn’t back-up his data.
  • He daisy-chained the accounts.
  • He used the same e-mail address across several accounts.
  • He should have created a unique recovery e-mail address that’s not associated with other services.

In addition to the items that he highlighted he should have made better use of the security options available to him. For instance, had he enabled Google’s two factor authentication this incident may not have occurred.

With regard to the service providers, the hacker was able to take advantage of inconsistencies in the security policies between Apple and Amazon to get the information needed to access the Apple account.

This is an issue that will have to be addressed.  Hopefully, the service providers will come together to create a solution.

Arsenal

Now that we’re halfway through the first international break it’s a good time to review what I’ve seen of Arsenal so far this season.

I’ve watched all of Arsenal’s games up to now and I must admit that I’ve been impressed with the team’s defensive discipline.  True, that two of the teams they’ve played were more interested in not losing than trying to win the game but the Sunderland and Stoke games were the type of games that Arsenal could have lost in the past because of their defensive indiscipline.

In defense we can pair any two from Mertesacker, Vermaelen and Koscielny in the middle of the defense.  I had my doubts about Gibbs and Jenkinson but it’s amazing what defensive coaching can do and both have improved.  We have Sagna coming back soon but I still have a concern about Santos, great going forward but will he ever be able to defend?

In midfield we have a lot of options.  Arsene Wenger is using Arteta and Diaby as the midfield platform to protect the defense and launch attacks with Diaby given license to carry the ball and Arteta playing deeper.  It’s worked so far but I would prefer that at least one of those players was a true defensive midfielder.  Against the better teams we may come under pressure in this area because, although Arteta is a tenacious tackler he’s not a defensive midfielder and is more effective when he plays further forward. As for Diaby, he’s showing what we’ve missed over the last two to three years with his injury problems and the more games he plays the more important he will be to the team. I just hope that he can play a full season without serious injury.

Some people have compared Cazorla negatively to Fabregas.  To me they are two different types of players with Cazorla moving the ball quicker and causing more problems to the opposition because he is two footed and prepared to shoot on sight.  I think that Diaby, Arteta and Cazorla will form the basis of our midfield when fit with other players coming  in as required.

Up front Podolski and Giroud are going to cause opposition defenses a lot of problems this season.  True, Giroud hasn’t scored yet but he will and when he gets his confidence back he’ll be a real handful. The problem is that we don’t have much in reserve up front unless Chamakh discovers his mojo again and starts playing the way he did when he first joined the club.

The whole team is now working as a defensive unit with the forwards and midfield tracking back to make the team hard to break down.  Against Liverpool, for instance, there were times when it seemed that Podolski was playing left back. It was heartening to see and goes to show that Arsene hasn’t been doing much work on the defensive side of the game over the last few years if Steve Bould can make such a big difference in so little time.

We have sterner tests coming but I feel optimistic that the current team is better equipped to pass them.

Blogging Again

After a short hiatus I’m finally blogging again.

Some might think that I needed to recover from England’s unimaginative showing at the Euros and their inevitable exit on penalties in the quarter finals.

This is not true, I’ve been busy working.

One of the things I’ve done is to get more familiar with the available open source cloud offerings, in particular looking at OpenStack, Eucalyptus and CloudStack.

I used Martin Loschwitz’s excellent instructions here for the installation of OpenStack on a Lenovo T5010 laptop running Ubuntu 12.04 Precise Pangolin.

A couple of things to note:

  • Hardware virtualization must be turned on at the BIOS level otherwise the VM fails to start with spawning errors.
  • There is only one NIC on this laptop so I created a virtual adapter for the second NIC.
  • Don’t forget to create the LVM volume group called nova-volumes.  This is mentioned at the end of step 1 but no instructions are given.  For those who need them:

dd if=/dev/zero of=MY_FILE_PATH bs=100M count=10   # 1 GB backing file for the volume group
losetup --show -f MY_FILE_PATH                      # attaches the file and prints the loop device, e.g. /dev/loop0
apt-get install lvm2
vgcreate nova-volumes /dev/loop0                    # use the loop device printed by losetup above

I also installed OpenStack on an ESXi virtual machine.  There are lots of instructions for installing it on VirtualBox but very little for installing it on VMWare.  The issue is the requirement for hardware virtualization support.

It seems that there may be a way around this with VMWare’s vSphere 5 but I didn’t want to start reconfiguring the company ESXi server so I created an Ubuntu 12.04 virtual machine and installed DevStack by following Sam Johnston’s instructions here.  This is a documented shell script from RackSpace Cloud Builders that builds a complete OpenStack development environment, and it installed in less than fifteen minutes.

I shall now get familiar with the APIs and try to determine how easy it is to integrate with Open Source provisioning software.

Cloud Computing and Security

I briefly discussed cloud provisioning in a previous post and am now going to take a closer look at cloud computing and security.

What is cloud computing?

This is computing that leverages the internet as a tool to enable remote computers to share memory, processing, network capacity, software and other IT services on-demand. The cloud paradigm provides utility computing and allows businesses to pay for what they use.

The National Institute of Standards and Technology (NIST) defines cloud computing thus:
Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The basic architecture of the cloud can be described as a cloud pyramid which is composed of three segments: Cloud Infrastructure at the bottom, Cloud Platforms in the middle and Cloud Applications at the top.

At the application level of the cloud clients are served Software as a Service (SaaS) resources and acquire access to fully functioning standard computer software.

At the platform level clients are served Platform as a Service (PaaS) resources and pass the responsibility of the creation and maintenance of the computer platform to the service provider.  However, clients have to create or install their own third-party applications.

At the infrastructure level clients are served Infrastructure as a Service (IaaS) resources and are responsible for building and maintaining their own platforms and applications.

All services provided by a cloud provider will fall into one of these three segments.

Public, Private, Community and Hybrid Clouds

When most people discuss cloud computing they generally mean the public cloud where a provider makes computing resources publicly available over the internet using a pay-as-you-use model with the resources being shared between all subscribers.  However, there are also two other types of cloud models.

A private cloud is similar to a public cloud but the resources are used by one organization. This paradigm eliminates many of the cost-benefits of public cloud computing but allows for virtualization to simulate resource allocation while assuring a more secure operating environment.

A community cloud is similar to a public cloud but all the clients have shared concerns such as mission, security requirements or policy and compliance considerations. It may be managed by the organizations or a third-party and may exist on premise or off premise.  This paradigm reduces the cost-benefits of public cloud because the costs are spread between fewer clients.

A hybrid cloud is a combination of a public and private cloud. This is becoming very popular and currently has two paradigms in use.

  • All operations are run in a private cloud with the public cloud used to increase capacity for expected and unexpected spikes in demand.
  • For the more security conscious organizations data stores containing sensitive and proprietary information are kept in the private cloud and everything else is stored in the public cloud.

Security

There are currently no standards for cloud security. This has led to the creation of three competing organizations formed to develop security guidelines and protocols:

  • Cloud Security Alliance
  • Open Data Center Alliance
  • Cloud Standards Customer Council

The Cloud Security Alliance is a not for profit organization that promotes the use of best practices for providing security assurance within cloud computing environments.

The Open Data Center Alliance is a consortium of large IT consumers intent on developing standards for interoperable Cloud Computing. The organization was initiated by Intel as a means to push its Cloud 2015 vision of which the Intel Expressway Cloud Access 360 (or McAfee Cloud Identity Manager) is its first product.

The Cloud Standards Customer Council is backed by IBM  and CA and is focused on the standards, security and interoperability issues around moving to the cloud.  IBM has entered the cloud identity field by releasing the Tivoli Federated Identity Manager (TFIM) and TFIM Business Gateway as their cloud identity and access management solution.

The two solutions use different approaches to identity and access management for the cloud.

The Intel approach is to use an SSO portal that allows an authenticated user to select a service with each cloud solution having its own connectors. It supports simple username/password authentication and strong authentication using one time passwords. Authentication can be done against the enterprise data store.

The IBM approach uses a federated trust model where the cloud applications grant user access based on their trust of the identity provider.

August Thirteenth

We work with both cloud service providers and clients to implement user authentication and provisioning services using industry best practices and open source software. Check out our website.

CISSP Exam Preparation

I’ve been preparing for my upcoming CISSP exam.

I’d intended to take the exam in November but because of my work commitments didn’t feel that I’d be able to prepare properly on my own, so I enrolled in a boot-camp where you attend training for a week and then take the exam immediately afterwards.  The exam fees are paid as part of the course fees and the training facility books the exam for you.

Only they didn’t.  Just before the course started I still hadn’t received confirmation for the exam, so I called and, when I was finally able to talk to the right person, was told that there had been a mix up and I hadn’t been booked to take the exam.  Worse was to follow: by then there were no places left at my local test center and the next exam wasn’t until the following February.

I took the course anyway as it had already been paid for and agreed to take the exam in February.  The course consisted of a review of all of the items that we were likely to be tested on in each of the 10 domains.  In the evenings we completed the review of materials and ran through the online practice exams that were available as part of the course.

It was a good course but at the end of it I was glad that I wasn’t taking the exam immediately.  I just didn’t feel ready.

I dug out some study materials I’d bought earlier in the year, which consisted of a Certification Exam Preparation Guide and practice exam software.  I started preparing for the exam again after Christmas with the emphasis on running through the practice exams.  I now feel much better prepared for the exam than I did after the boot camp.

Practicing the exam over and over has enabled me to identify my areas of weakness and allowed me to brush up on those areas.  It has also allowed me to get used to the way the questions are asked.  Over the past few weeks I’ve seen a steady improvement in my test scores.

I think that this is a much better way of preparing for the exam than attending a boot camp.   The material I bought was from Transcender and comes with 859 practice questions compared to the 250 that I got with the boot camp and cost a fraction of the price.  I was also able to download practice questions from various sources online.  I did this because I wanted to ensure that I had to answer a number of new questions every time I took the test.

My exam is this weekend, wish me luck.

IT Musings and Arsenal Complaints!

I’ve read blogs in the past and often thought about creating my own but never seemed to have the time.

Now I’m going for it.

What should I write about?  Well I’m a technical person so how about technical stuff.

Coming from a Sun background I’m well versed with their software.  Unfortunately, Sun is no more so it’s time for a new direction.

My blog will cover various topics such as Information Security, Oracle Fusion, Open Source software or wherever my musings take me.

But be warned.  I’m an Arsenal supporter and there are going to be occasions when I just need to blow off steam at the team or the way the club is being run.

Enjoy.