Steffo's Echolot : Weblog

Sunday Jul 19, 2009

Identity Manager: adding versioning information to your deployment

Identity Manager projects using the NetBeans IDE plugin usually face the problem that when deploying the application e.g. idm.war and loading the custom objects in the database repository (e.g. via lh import custom-init-full.xml). If you use Subversion or CVS, there is a quick and easy way to include a revision number with every build. There a two components which need a revision number:

the web application (here we include a page called 'about.html' which dislays the svn revision number)
the repository (here we add a dummy IDM object e.g. an E-Mail Template which contains the revision number of the working copy when building idm.war). If you import your custom-init-full.xml file, the E-Mail will be imported into the repository. We will use a JSP to retrieve the object from within the BUI

[Read More]

Posted at 07:13AM Jul 19, 2009 by steffo in Identity Systems | Comments[0]

Wednesday May 28, 2008

Cardspace compromised?

My colleague Jörg was listening to the radio when they broadcasted that a weakness in Microsoft's
Cardspace identity metasystem has been found. Here's the link http://demo.nds.rub.de/cardspace/.

From a quick look, the attack is rather an application to dynamic pharming (DNS pinning) and general
browser/user security than an attack on the CardSpace protocol itself. The only thing which is CardSpace related is the fact that a security token can be replayed and that CardSpace doesn't require an undeniable token: whoever possesses the token has access to the service provider. Sun Access Manager has a (weak) approach to undeniable tokens by tying them to an IP address. However, this might lead to problems as in many setups HTTP proxies are used.

The "CardSpace" attack again shows that two or three security issues can easily add up to a bigger problem.

Posted at 02:14PM May 28, 2008 by steffo in Identity Systems | Comments[0]

Thursday Apr 10, 2008

Vaau, Roles and Identity

The acquisition of Vaau enriches our identity portfolio by a role mining and management tool. Tried to figure out the main differences and areas of application between RBACx and Sun's Identity Manager. First of all, Vaau's RBACx (Sun Role Manager) is more a configurable tool rather than a programmable tool as for example Sun's Identity Manager. Programmable means that the configuration language includes things like IF THEN ELSE, WHILE loops. So Identity Manager can be applied to many areas and programmed as desired.

Role Manager is quite static compared to Identity Manager. It has its fixed area of application which is compliance and role management (including role mining). This makes it more a management tool rather than an administration tool. Role Manager can talk to Identity Manager via SPML. So you can drag out all user data from Identity Manager and import it via SPML into Role Manager.

Which tool to start with? Apart from that there is no 'one size fits all' when it comes to enterprise apps, I would recommend to start with a privisioning tool which (IDM). First, you need data cleansing

find out stale data (accounts, attributes etc)
check for compliance violations, segregation of duties

Both tasks can be done with Identity Manager or with Role Manager. However, my personal view is that Identity Manager is more flexible because it accesses data online whereas Role Manager needs a CSV file for data loading if you don't drag out the data via SPML. Compliance tasks and attestation can be implemented in either.

Second, role mining is a nice feature when you haven't defined your roles yet. Role mining is not a black art. It uses a covering algorithm to help the role designer in a way a CAD system helps technical designers. The important point here is that the outcome of the mining process is where technology meets business: whether or not a mined role is useful depends on the business.

The mined roles can be amended to meet business criteria and then be exported to an identity management system (e.g. Sun's Identity Manager) from where the entitlements can be provisioned to the target systems (RACF, AD, LDAP etc). Overall impression: good tool. But beware it's called Role Manager and not sox.exe or security.exe.

Posted at 11:28PM Apr 10, 2008 by steffo in Identity Systems | Comments[0]

Monday Mar 17, 2008

Single Sign On to Google using OpenSSO

Google has a SAML 2 capable single-sign-on service by which you can use Google as a service provider (SP). Google also provides a sample demo application. Rather than using Liberty Alliance's circle-of-trust model, Google uses a peered structure: if Google's SSO service (SP) receives a SAML response, it checks the signature of that request. If the signature is valid, the SAML assertion will be accepted.

Trying to use Google's demo code with OpenSSO as an identity provider (IDP) requires some tweaks.

Step 1: Making OpenSSO to accept Google's SAML request

The SAML request sent out by Google's demo code cannot be understood by OpenSSO due to a compression (deflate) problem (from what I saw in the code, it seems that Google inflates according to RFC 1950 but SAML specification dictates RFC 1951 and that's also what OpenSSO implements). All you need to do to replace Google's RequestUtil.encodeMessage(String) code with OpenSSO's SAML2Utils.encodeForRedirect(String).
Google's code uses a simple template for constructing the SAML request. In fact too simple for OpenSSO. Add a few XML elements to the AuthnRequestTemplate.xml

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol file:/Documentation/Federation-SAML-Liberty/SAML%202.0/XSD/saml-2.0-os-xsd/saml-schema-protocol-2.0.xsd" 
    ID="<AUTHN_ID>" 
	Version="2.0"
	IssueInstant="<ISSUE_INSTANT>"
	ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	ProviderName="<PROVIDER_NAME>"
            ForceAuthn="true"
	AssertionConsumerServiceURL="<ACS_URL>">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
google
</Issuer>
 <Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <NameID>google</NameID>
 </Subject>
</AuthnRequest>

Point ssoURL in CreateRequestServlet.doPost(HttpServletRequest, HttpServletResponse) to you OpenSSO instance (e.g. http://localhost:8080/opensso/idpSSOFederate/metaAlias/idp where 'idp' is your IDP entity.

Step 2: Making Google applications to accept OpenSSO's SAML response

Import Google's sample private key to Java keystore. Since keytool cannot import arbitrary private keys, I convert Google's keys to PKCS#12 and then use one of the PKCS12Import classes (source can be found on the net) to import the key to JKS.
Since Google's keys are DSA keys and are only good for signing, but not for encrypting you need to tell OpenSSO via browser GUI (Service Configuration > Global > Common Federation Configuration) to sign, but not to encrypt the SAML response.
You also need an account mapper that generates the SAML response message. Pat Patterson posted a sample on the OpenSSO mailing list (check the OpenSSO archives). Google wants the email address as an identity ('demouser@psosamldemo.com' is the default one in case you don't own a Google apps premier account). You can use Pat's version out of the box if your OpenSSO user has ID='demouser@psosamldemo.com' or you can extend Pat's code returning the user's email adress (e.g. via OpenSSO's DataStoreProvider.getAttribute(String, String)).

Posted at 01:16PM Mar 17, 2008 by steffo in Identity Systems | Comments[11]

Friday Mar 14, 2008

Identity Manager IDE 8.0 is open-source

The new IDE (https://identitymanageride.dev.java.net) comes as a NetBeans Plugin. Quick tests show that it's stable. Compared to the IDM 7.x IDE,
you can use the new version with NetBeans 6 and also Eclipse (if you like to work in the dark ;-).

Posted at 09:51AM Mar 14, 2008 by steffo in Identity Systems | Comments[0]

Monday Nov 05, 2007

Monitoring Identity Manager

Sun Java System Identity Manager has decent JMX capabilities which allows you to

check reconciliation status
check whether all connected systems (resources) are available
monitor the status of the server
many, many other things

In order to use these features, you only have to enable JMX (disabled by default) via "Configure > Servers" from the HTTPS admin interface. Additionally, you have to 'enable' JMX at the application server level. For Tomcat, you can add the following to the catalina.sh

JAVA_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.port=9002 
    -Dcom.sun.management.jmxremote.password.file=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/lib/management/management.jmxremote.password 
    -D java.rmi.server.hostname=localhost 
    -Dcom.sun.management.jmxremote.ssl=false"

You can see a bunch of JMX data at e.g. http://localhost:8080/idm/debug/Show_MBeanInfo.jsp. You could also tools like jconsole to set and query JMX attributes.

The big question is "How to integrate IDM into a system monitoring tool?" is quite easy to answer since there is a small Java program called 'jmxquery'. Unfortunately I do not know who the author is but all credits go to her or him. What we want to achieve is that IDM‘s status and the resources health check show in our monitoring tool. E.g. with nagios you'll get the following screen

The basic idea is that Nagios calls an external programm like a (modified) version of jmxquery which able to retrieve and set IDM's JMX objects. Three things are sufficient

jmxquery tool
a modification of Nagios' command.cfg
a modification of Nagios' localhost.cfg

You can find the modified jmxquery as a NetBeans project file here:

IDM-Nagios.zip
Add the following lines to command.cfg

##############################
#
#
# Sample commands for Sun Java System Identity Manager
#
##############################


define command{
        command_name     check-idm-resources
        command_line    /opt/lib/nagios/check_jmx -IDM resources
}

define command{
        command_name     check-idm-server-status
        command_line    /opt/lib/nagios/check_jmx -IDM serverStatus
}

Now modify localhost.cfg by adding

define service{
       use                             local-service         ; Name of service template to use
       host_name                       localhost
        service_description             IDM Status
        check_command                                           check-idm-server-status
        }

define service{
       use                             local-service         ; Name of service template to use
        host_name                       localhost
        service_description             IDM Connected Systems
        check_command                                           check-idm-resources
       }

Of course, this can only be used for demo purposes as there is no security wrt to JMX access.

Posted at 01:31PM Nov 05, 2007 by steffo in Identity Systems | Comments[3]

Tuesday Jul 10, 2007

Integration of IDM SPE and Access Manager

As announced, the PDF version of the paper (v3) is available on sharespace (login required) and on
bigadmin (no login required).

Posted at 08:51AM Jul 10, 2007 by steffo in Identity Systems | Comments[0]

Tuesday Jun 26, 2007

Integration of Identity Manager and Access Manager

We have extended the whitepaper that describes how to integerate Sun Java Identity Manager and Sun Java Access Manager in Realm Mode. Also the shortly upcoming version will discuss an approach to Single-Sign On into the Service Provider Edition (SPE) of Identity Manager.

Posted at 02:41PM Jun 26, 2007 by steffo in Identity Systems | Comments[6]

Wednesday May 16, 2007

Against 'Least Privilege'

The principle of 'least privilege' (LP) states that a subject should have access to the smallest number of objects necessary to perform some task (p. 242 of Security in Computing, by C. Pfleger, 1997 Prentice Hall). I never questioned this principle until I came in touch with Identity Management. The more I looked on the management side of security rather than on its technical side, I found that in most cases LP leads to systems whose security is more diffcult to manage. These systems are less secure than a system which doesn't follow the LP paradigm.

Tales from the field: a company with 5000 employees has 3000 AD groups (I didn't count the RACF groups but there are many). The big question is: how many business roles (e.g. sales rep, developer) do exists in this company (the sales rep role might imply memebership in 10 LDAP groups so the pure amount of LDAP groups doen't say anything about least privilege). The number of business roles vary from company to company. One my customers told me that an an organization having 1000 employees should have at most 50 (five percent!) business roles, otherwise there is no oranizational benefit from a role model.

I think if an organization's role amount is ten percent, that's still a good number. I met other customers who do not even have roles but maintain a list of privileges for each individual user (according to LP).

To me it seems that LP hinders organizations to achieve a low number of roles which in turn means that it hinders you in defining a proper security management structure. I'm willing to give up LP (and maybe use audit facilities to monitor access rather to prevent access) as a general principle. LP must be questioned under practical aspects and in many cases LP is a requirement that comes from regulations rather than from reality.

Posted at 05:20PM May 16, 2007 by steffo in Identity Systems | Comments[0]

Thursday Apr 26, 2007

Identity Manager: Neogent's Rapid Deployment Tool

Sun acquired Neogent a couple of months ago. Neogent has an excellent tool which can ease deployment of IdM at customers. Velocity Identity Deployment Tool (VIDT) is a code generator that is able to generate code on the basis of use-cases. The implementor selects a use-case (e.g. create user) and an actor (e.g. a resource like HR Active Sync) and VIDT generates all the code that is required for a synchronization of the HR resource (e.g. SAP ot PeopleSoft) and IDM.

As with every tool VIDT has it's pros and cons. On the pro side we have

repeatable process
can be used by IDM newbies
produces a documentation (which can be used as a start for an appropriate documentation later on)
can export IDVT projects to CBE (common build environment) projects (very important if you're an experienced IDM code warrior)
can easily compete with Novell's and Oracle's build-in tools
can be extended to incorporate other use cases

And then there's certainly a downside of such a tool: like many tools, it tries to embrace the unexperienced user and loses the professional one. It's like YaST (anyone remembering this?) or Windows network configuration (what the hell is the difference between an office network and a home dial-up access?).

Is VIDT really another YaST? Not quite. VIDT has it's own 'logic' but fortunately, all it does it to produce XML files that can be read and modified if needed. Also, IDVT projects can be exported to a CBE structure (if you're not familiar with CBE, check out https://idm-cbe.dev.java.net). This allows a transition from a code base that was generated by a rapid deployment tool to a code base that can be used for a long term (> 6 months) projects.

VIDT currently aims at the following project phases or users:

proof of concept (PoC)
small projects
initial project phases
enablement of unexperienced users

My impression is that VIDT will currently not be used by experienced implementors throughout a longer project. The reason is that an experienced coder is faster using NetBeans or Oxygen than using VIDT. Does that mean that VIDT is useless for larger projects? No. VIDT can be used for rapid prototyping. Moreover, VIDT can be extended to incorporate additional uses cases (e.g. move and rename a user) and it depends on the community to share those new plugins.

Posted at 09:06AM Apr 26, 2007 by steffo in Identity Systems | Comments[2]

Saturday Apr 14, 2007

Weird modeling in X.500/LDAP and ActiveDirectory: cn in distinguished names

Over the last years I came across some common issues on the modeling in LDAP and ActiveDirectory, well, more on AD than LDAP. The first issue is on distinguished names.

I never understood why so many AD implementation use the cn rather than uid or employeeNumber as part of the distinguished name. The problem is that if there are employees with common common names like 'John Smith' the dn's look like

dn: cn=John Smith,ou=People,dc=company,dc=com
dn: cn=John J Smith,ou=People,dc=company,dc=com
dn: cn=John Smith 1,ou=People,dc=company,dc=com
dn: cn=John Smith 2,ou=People,dc=company,dc=com

This might not appear to be a problem from an LDAP perspective, but it is a problem from an identity management perspective. If John Smith gets married to Jane Miller and changes his name the key (dn) must be changed as well. Employee numbers don't change. Moreover, if the entries do not contain a company wide unique attribute at all it is difficult to tell whether 'jsmith5' on UNIX belongs to the same person as 'cn=John Smith 3' on LDAP/AD.

When an IDM is deployed, no enterprise infomation system can be anyl longer regarded as an island. Data quality is one major issue in identity management projects and improper naming convention do contribute this this issue.

Posted at 12:00AM Apr 14, 2007 by steffo in Identity Systems | Comments[4]

Wednesday Apr 11, 2007

IDM and SAP

There's a frequent question that comes up when configuring the schema mapping between Sun Java System Identity Manager and SAP: how can I tell from looking at SAP GUI what attribute to configure on the right hand side (RHS) of the schema mapping?

For example, in SAP GUI you see a tab entry "Parameters". What's the technical name of "Parameters" to be configured in IDM's resource adapter? Answer and procedure can be found at Sun Sharespace (look for "What's behind SAP GUI's displayed attributes?").

Posted at 02:25AM Apr 11, 2007 by steffo in Identity Systems | Comments[0]

Sunday Mar 11, 2007

Security: Risk analysis

"Please continue shopping via our Security Server. It uses encryption to protect your data." Sentences like these always surprise me. I've never seen a bank advertising "Please open an account at our bank. We use armoured cars to transport your money."

One problem with IT security is that a lot of technical people tend to implement a plethora of mechanisms without doing a proper risk analysis before. The tems in risk analysis are not standardised. However, some terms like 'threat' and 'risk' are by no means identical. A threat is something like: Someone holding a gun enters the bank building saying 'I want your money'. This risk is an evaluation of the threat regarding two aspects:

likelihood that he gets the money and
the amount of money he gets.

So a risk is a point in a two dimensional matrix (x: likelihood that the event happens and y: potential amount of loss).

A risk analysis is a process:

Determine the threat. A threat is an event.
Determine the weaknesses that favour the threat (e.g. missing encryption, missing cameras, no bulletproof glass).
Set up an appropriate scale for the risk matrix: the likelihood can be qualitive (neglectible, low, middle high) whereas the potential loss might be (10^5 EUR, 10^7 EUR and 10^9 EUR). Try to capture the 'out of business' case as well which might occur either through

Acting against legal requirements.
A high loss (that's easy).
Loss of image and customer confidence.

Determine the likehood that the threatening event occurs by relating (combinations of) weaknesses to threats.

Sounds too theoretical? Here's the classical example from Star Wars:

Threat. Death Star will be destroyed.
Weakeness. A small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system.
Likelihood. Low (difficult to approach; approaches will be detected).
Potential amount of loss. Out of business

Now you can start of developing counter-measures. A lot of things can be done wrong here. Most notably: technical measures lacking proper organizational support (believe me, I've seen large banks where the whole network traffic must be encrypted, the operators however, being unable to set-up a procedure for changing the certificates or keys). In that case a security strategy might help: if you cannot go for the complicated mechanism right now, why not choosing a weaker mechanism plus an organizational mechanism (e.g. insurance) for a transitional period?

I agree, that sounds too simple and I haven't seen a company that uses an insurance to make up for such operational drawbacks. My only point is: don't always think too technical. Use a combination of technical and organizational things. And if you set up online banking, don't only tell your customers that you use SSL military grade encryption, but also that you set up processes and took an insurance, just in case.

Posted at 02:48AM Mar 11, 2007 by steffo in Identity Systems | Comments[1]

Thursday Mar 08, 2007

Java ES 5 and Zones

Java ES 5 supports sparse zones for most components (e.g. Directory Server, Directory Proxy, Web Server, Access Manager). You must install the shared components in the global zone first. After that create sparse zones for your apps.
Here's the config I use:

zonecfg:ds> export
create -b
set zonepath=/zones/ds
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/usr/sfw
end
add net
set address=192.168.0.150
set physical=bge0
end

Now you can install Directory Proxy, Access Manager all using seperate zones.

Posted at 03:22AM Mar 08, 2007 by steffo in Identity Systems | Comments[0]

Tuesday Mar 06, 2007

Groovy Identity Manager: integrating IdM and Groovy

I'm actively doing Identity Manager projects for about 4 years now. I really like the product because of its flexibility. There is one obstacle: the XPress language. With respect to its language features, XPress is comparable to Shell script (bash, tcsh etc.). Here is a sample of Xpress code:

<block trace=true>
   <set name="foo">
     <concat>
        <s>Hello, </s>
        <ref>input</ref>
        <s>!</s>
     </concat>
  </set>
  <ref>foo</foo>
</block>

The variable foo will contain the value "Hello, world!" (assuming that input has a vlue of "world").

You can also call any Java class from XPress code

<invoke class="com.sun.idm.Hello" name="print">
   <ref>input</ref>
</invoke>

which leads to the same result.

The good thing about XPress is that you can change the code while your IdM is running (i.e. you don't have to redeploy IdM if you change the code. The bad thing is that XPress suffers from XML-bola (tags, brackets etc): the code becomes easily unreadable. Given the fact, that everything in IdM needs to be serializble in order to write it to the persistent storage (SQL database), it is propably difficult to fully replace XPress.

If you want to have both, readable code plus the agility of a scripting language, you can use e.g. Groovy (the trick basically is to invoke your own class loader). Suppose you have a Java class "GroovyWrapper" that has a method "run(String groovyScript)". You can call this method (e.g. with a workflow):

<Activity id='10' name="groovyTest">
        <Action>
          <invoke name="run" >
            <new class="com.sun.idm.GroovyWrapper"></new>
            <s>/Users/steffo/CodeWarrior/helloWorld.groovy</s>
          </invoke>
       </Action>
</Activity>

You can now change your groovyScript from

def name='World'; println "Hello $name!"

def name='Sun'; println "Hello $name!"

without redeploying IdM.

GroovyWrapper is very simple. First you need to download Groovy from groovy.codehouse.org. There
is also a nice Section on how to integrate Groovy which can be the basis for your GroovyWrapper

/*
* GroovyWrapper.java
*
* Created on March 5, 2007, 11:11 AM
*
* To change this template, choose Tools | Template Manager
* and open the template in the editor.
*/

/*
* The following JARs must be copied to $WSHOME/WEB-INF/lib
*
* antlr-2.7.5.jar
* asm-2.2.jar
* asm-analysis-2.2.jar
* asm-attrs-2.2.jar
* asm-tree-2.2.jar
* asm-util-2.2.jar
* groovy-1.0.jar
* groovy-starter.jar
* groovy-xmlrpc-0.3.jar
*/

package com.sun.idm;

import java.io.File;
import java.io.IOException;
import groovy.lang.GroovyObject;
import groovy.lang.GroovyClassLoader;

import groovy.lang.Binding;
import groovy.util.GroovyScriptEngine;
import groovy.util.ResourceException;
import groovy.util.ScriptException;

/**
*
* @author steffo
*/
public class GroovyWrapper {

/** Creates a new instance of GroovyWrapper */
private GroovyClassLoader loader;
private Class groovyClass;

public GroovyWrapper() {

}
public Object run(String groovySrc){
ClassLoader parent = getClass().getClassLoader();
loader = new GroovyClassLoader(parent);

Object obj = null;

try {
groovyClass = loader.parseClass(new File(groovySrc));
} catch (IOException e) {
System.out.println("File " + groovySrc + "does not exists or is unreadabl");
}

try {
GroovyObject groovyObject = (GroovyObject) groovyClass.newInstance();
Object[] args = {};
obj = groovyObject.invokeMethod("run", args);

} catch (Exception e) {
System.out.println("Cannot instantiate Groovy object");

}

return obj;

}

The problem with the run method is that is does not return any object. This can be achieved by the following method:

/** Runs the script 'script'. This script must have an output variable 'outputVariable' */
public Object runScript(String script, String outputVariable) {
Object obj = null;
String root = new String("/Users/steffo/CodeWarrior");

try {
GroovyScriptEngine gse = new GroovyScriptEngine(root);
Binding binding = new Binding();
binding.setVariable("input", "world");
gse.run(script, binding);

obj = binding.getVariable(outputVariable);
} catch (IOException e) {
System.out.println("Path " + root + " does not exist");
} catch (ResourceException e) {
System.out.println("Error running " + script);
} catch (ScriptException e) {
System.out.println("Error running " + script);
}

return obj;

}

You can use this method via:

<block>
<set name="groovyResult">
<invoke name="runScript" >
<new class="com.sun.idm.GroovyWrapper"></new>
<s>helloWorldScript.groovy</s>
<s>output</s>
</invoke>
</set>
<ref>groovyResult</ref>
</block>

The veriable groovyResult contains the object that is passed from Groovy to IdM.

A last remark: I currently have no idea of the potential drawbacks (e.g. performance) of this approach. What I know is that our support stuff says: try to use XPress, if that doesn't work use JavaScript. If that doesn't work, use Java. Please take this into account when developing IdM solutions or opening support cases.

Posted at 05:44PM Mar 06, 2007 by steffo in Identity Systems | Comments[4]