Core Security Patterns Weblog
Practical security facts and fun….off the record
2
In a typical Single Sign-On (SSO)/Federation scenario using SAML, the Service Provider (SP) initiates the user authentication request using SAML AuthnRequest assertion with an Identity Provider (IDP). The IDP authenticates the principal and returns a SAML AuthnStatement assertion response confirming the user authentication. If the user is successfully authenticated, the SP is required to have the subject’s profile attributes of the authenticated principal for making local authorization decisions. To obtain the subject’s profile attributes (ex. organization, email, role), the SP initiates a SAML AttributeQuery request with the target IDP. The IDP returns a response SAML AttributeStatement assertion listing the name of the attributes and the associated values. Using the subject’s profile attributes, the SP can perform authorization operations.
Ofcourse, it looks simple…here is the complexity – Last two weeks I spent on building a Proof-of-Concept that conforms to HSPD-12 Back-end Attribute Exchange specifications and SAMLv2 Attribute Sharing Profile for X.509 Authentication based systems (Both specifications are mandated as part of Federal Identity, Credential and Access Management (ICAM) initiative of Federal CIO Council). I had been experimenting with an Identity Federation scenario that makes use of Smartcard/PKI credentials – Card Authentication Key (CAK)/X.509 Certificate on a PIV card authenticates a PKI provider (using OCSP) and then using its X.509 credential attributes (Subject DN) for looking up off-card user attributes from an IDP (that acts as an Attribute Authority). The IDP provides the user profile attribute information to the requesting SP. In simpler terms, the SP initiated X.509 authentication directly via OCSP request/response with a Certificate Validation Authority (VA) of a Certificate Authority (CA). Upon successful authentication, the SP initiates a SAML AttributeQuery to the IDP (which acts as an Attribute Authority), the SAML AttributeQuery uses the SubjectDN of the authenticated principal from the X.509 certificate and requests the IDP to provide the subject’s user profile attributes.
Using Fedlet for SAML X.509 Authentication based Attribute Sharing
SAML Attribute Exchange for X.509 based Authentication
Fedlet is a lightweight SAMLv2 based Service Provider (SP) implementation (currently part of Sun OpenSSO 8.x and sooner to be available in Oracle Identity Federation) for enabling SAMLv2 based Single Sign-On environment. In simpler terms, Fedlet allows an Identity Provider (IDP) to enable an SP that need not have federation implemented. The SP plugs in the Fedlet to a Java/.NET web application and then ready to initiate SAML v2 based SSO authentication, authorization and attribute exchanges. A Fedlet installed and configured with a SP can set up to use multiple IDPs where select IDPs can acts as Attribute Authorities. In this case, the Fedlet need to update its configuration with the IDP Metadata configuration (such as entity ID, IDP Meta Alias, Attribute Authority Meta Alias – same as IDP ). In addition, the Fedlets are capable of performing XML signature verification and decryption of responses from the IDP must identify the alias of signing and encryption certificates.
Here is the quick documentation, which I referred for putting together the solution using Fedlets for SAMLv2 Attribute Sharing for X.509 based authentication scenarios. In case, if you want your Service Provider to use OpenSSO for PIV/CAC based certificate authentication, you may refer to my earlier entry on Smartcard/PKI authentication based SSO (Using OpenSSO). Besides that you should be good to test-drive your excercise. Ofcourse, you can use Fedlets for Microsoft .NET service providers but it was’nt in my scope of work !
In case of SP requiring to fetch multiple user profile attributes you may also choose to use SPML based queries (SPML Lookup/Update/Batch Request/Response) to an Identity Manager (acting as Attribute Authority) – assuming it facilitates an SPML implementation). If you are looking for a solution that requires user profile attributes after a single-user X.509 authentication, then SAML Attribute query should help fetching a single user profile of an authenticated principal !
The untold reality is ….when your Web application on the DMZ hits the Internet… the colorful performance graphs/numbers does’nt mean anything ! Unless your performance guru in the lab captured the QoS requirements and realized it proactively and accounted its actual overheads associated with Security, Network bandwidth, High-availability and other mission-critical requirements. Otherwise…performance is the nagging issue that every datacenter guy gnaws…. when an application bloats up with its cryptograhic shields such as SSL and WS-Security and then goes into production. If you are one of them in the datacenter, who is pulling the hair out on Security performance issues and compelled to meet the SLA including IT Security and compliance requirements mandating the use of cryptography for securing the exposed application layers – transport, data and network – Then this Sun solution blueprint should help you for accelerating the real-world performance of Java EE based Web applications (especially Oracle Weblogic) delivering Security ground-up and all WITHOUT your performance engineer help :-)
No magic or surprises – The Sun CMT server features On-chip Cryptography and multi-threaded 10GbE networking out of the box – No kidding! If you are curious to know more or seize the power of your Sun CMT servers for security, take a look at the blueprint and also take a look at my previous post highlighting our presentation at Oracle Open World - Wire-speed Cryptographic Acceleration for SOA and Java EE Security.
I admit that I am not a SOA expert or pretend to be one ! Lately, I had a chance to explore few security features intended for securing XML Web Services and Java EE applications. With my little knowledge to SOA, I found that XML Web services play a vital role in SOA to enable loosely-coupled services and ensuring interoperability. From a security perspective, the core foundation of securing SOA solutions builds on XML Web Services Security standards and the underlying Java platform (unless you are using Microsoft .NET) . Last two weeks, Chad Prucha and I were test-driving SOA applications using Oracle Weblogic and Oracle Fusion Middleware on a Sun CMT server (T5440) particularly test driving SSL and WS-Security scenarios using WS-Policy/WS-SecurityPolicy standards. Our primary aim was to take advantage of On-chip Cryptographic acceleration provided by the UltraSPARC T2 processors of the T5440 server supporting the cryptographic mechanisms/cipher suites used by SSL and WS-SecurityPolicy. Believe it or not, it worked as piece of cake…. and the performance numbers were stunningly amazing. The Sun CMT servers (using its on-chip crypto accelerators) cruised on SSL and WS-Security with its cryptographic performance….RSA, AES, SHA2…too long to list here. If you consider yourself as a SOA enthusiast and have these following questions – Why should we care about Wire-speed Cryptographic acceleration for SOA or J2EE or XML Web Services performance ? Why it should even be considered in first place ? Is there is any security benefits ? If you do have those questions, then you may find this blog entry helpful otherwise please ignore.
Wire-speed Crypto Acceleration for SOA Security
Cryptographic operations plays a critical role in securing SOA application components particularly Java EE (formerly J2EE) applications and XML Web services supporting their transport-layer security (SSL) and message-layer security (WS-Security including XML Encryption, XML Digital Signature, WS-Policy, WS-SecurityPolicy) requirements. Adopting to cryptographic techniques helps IT organizations securing critical application infrastructures and adhere to industry-specific regulatory compliance mandates such as PCI DSS, HIPAA, FISMA and so forth.
But using Crypto for accomplishing SOA Message-level and Transport-level security induces significant performance degradation and taxes your CPU, Memory and Network bandwidth. SOA security experts often resort to using dedicated XML security appliances for delegating CPU intensive cryptographic operations such as Public-key cryptography (ex.RSA, DSA) based encryption and digital-signature, Symmetric-key based encryption (ex. AES, 3DES) to dedicated hardware-based accelarators – Which helps freeing up the main CPU resources and resulting significant performance gains in overall application throughput. In simpler terms, cryptographic accelerators and HSMs allows offloading computationally expensive cryptographic functions to dedicated hardware that supports cryptographic algorithms and handle cryptographic operations. Under the hood, the cryptographic functions are usually pushed through PKCS#11 standard interfaces using Solaris Cryptographic Framework (On Solaris) and OpenCryptoki (On Linux), or CryptoAPI framework (CAPI/CNG) in the case of Microsoft Windows environment. As a result, cryptographic accelerators proven to demonstrate significant gains in SOA application throughput and scalability by reducing the known CPU bottlenecks and related latency issues caused by cryptographic operations.
Over the past year I have become a big fan of Sun CMT Servers — and more specifically its Cryptographic capabilities, which makes it very compelling for delivering ultra-fast security for security sensitive SOA and Java EE applications.
On-chip Crypto Acceleration using Sun CMT Servers
Sun CMT servers are (Based On UltraSPARC T1/T2/T2Plus processors) based on Chip Multithreading Technology – CMT, which introduced on-chip cryptographic acceleration support through a dedicated cryptographic
accelerator implemented on each core of the chip (8 Crypto Accelerators/Chip) – referred to as “Niagara Crypto Provider” (NCP). The introductory UltraSPARC T1 processor included a NCP implementation that facilitated public-key cryptographic mechanisms including RSA and DSA algorithms. The latest UltraSPARC T2 and T2+ processors extended more algorithms support by introducing symmetric-key based encryption/decryption mechanisms such as DES, 3DES, AES-128, AES-192, AES-256, RC4, Hashing operations such as MD5, SHA1, SHA256 and support for ECC algorithms (ECCp-160 and ECCb-163). In addition, the UltraSPARC T2 processors provides an on-chip Random Number Generator (N2RNG) to support random number generation operations intended for cryptographic applications. In practice, NCP makes use of Solaris Cryptographic Framework (SCF) for allowing user-level applications to offload their cryptographic operations and in effect the user applications can take advantage of NCP based on-chip cryptographic acceleration.
You had the gist of the story…now I am rushing out to catch the plane to Boston in an hour…… ! Yes, last three days I was attending Oracle Open World and co-presented with Chad on topic ”Wire Speed Cryptography for SOA and Java EE applications” - In our presentation, we put together all the concepts and tried our best to illustrate the applied crypto mechanisms related to SOA security and the secret sauce configuration/deployment of Sun CMT based cryptographic acceleration for delivering wire-speed security performance for SOA and Java EE applications. You may find the presentation is tailored to Oracle SOA and Weblogic but frankly speaking it applies well to all Java EE based SOA application deployments.
Click here to download the slides
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
View more presentations from Ramesh Nagappan.
Enjoy the slides for now ! Feel free to ping for questions………all I can promise now… is sooner you will see a detailed Sun Blueprint on this topic ! So please stay tuned.
Last few weeks, I have been pulled into an interesting gig for demonstrating security for _____ SOA/XML Web Services and Java EE applications…. so I had a chance to play with some untold security features of Solaris 10. KSSL is one of the unsung yet powerful security features of Solaris 10. As the name identifies, KSSL is a Solaris Kernel Module that helps representing server-side SSL protocol to help offloading operations such as SSL/TLS based communication, SSL/TLS termination and reverse-proxying for enduser applications. KSSL takes advantage of Solaris Cryptographic Framework (SCF), to act as an SSL proxy server performing complete SSL handshake processing in the Solaris Kernel and also using the underlying hardware cryptographic providers (SSL accelerators, PKCS11 Keystores and HSMs) to enable SSL acceleration and supporting secure key storage.
Before I jump into how to use KSSL for offloading SSL operations, here is some compelling aspects you may want to know:
- Helps non-intrusively introduce an SSL proxy server for Web servers, Java EE application servers and also applications that does’nt implement SSL.
- KSSL proxy listens to all secured requests on the designated SSL port (ex. HTTPS://:443) and renders a cleartext traffic via reverse proxy (ex. HTTP://:8080) port for the underlying Web or application server. All SSL operations including the SSL handshake and session state are performed asynchronously in the Solaris Kernel and without the knowledge of the target application server.
- KSSL automatically uses SCF for offloading operations to underlying hardware cryptographic providers with no extra effort needed.
- Manages all the SSL certificates independently supporting most standard formats (ex. PKCS12, PEM), the key artifacts can be stored in a flatfile or a PKCS11 conformant keystore (If you are worried about loosing the private key).
- Supports the use Solaris zones, where each IP identified zone can be configured with a KSSL proxy
- Delivers 25% – 35% faster SSL performance in comparison with traditional SSL configurations of most popular Web servers and Java EE application servers.
- KSSL can be used to delegate Transport-layer security and the applications may choose to implement WS-Security mechanisms for message-layer security.
Those are some compelling aspects of KSSL that are hard to ignore…. if you really understand the pain from performance overheads associated with SSL/TLS As I verified, KSSL works well with most common Web servers and Java EE applications servers.
Try it yourself
Certainly it is worth a try…and you should able to do it very quickly than configuring SSL for your web sever !
- Obtain your server SSL and CA certificates. If you just want to test-drive KSSL and considering to using a self-signed OpenSSL certificate.. just follow the example commands and make sure that your web server hostname is correct. If you choose to use a flatfile based SSL keystore, KSSL requires to have all your certificate artifacts (including private key and certificates) in a single file. If you need more OpenSSL help, read my earlier post.
Ex. To create a self-signed server certificate using OpenSSL (in PEM format).
openssl req -x509 -nodes -days 365 -subj"/C=US/ST=Massachusetts/L=Burlington/CN=myhostname"-newkey rsa:1024 -keyout myServerSSLkey.pem -out mySelfSSLcert.pem
Ex. Concatenate the server certificates in a single file.
cat mySelfSSLcert.pem myServerSSLkey.pem > mySSLCert.pem
- Configure the KSSL proxy service, assuming the secured requests are forwarded to an SSL port (ex. 443) and the reverse-proxy of your backend Web server listens to a non-SSL port (ex. 8080). Use -f option to identify the certificate fomat, to represent PEM (-f pem) and to represent PKCS12 (-f pk12). If the certificates are located in a HSM/PKCS11 Keystore, use -f pkcs11 to identify the token directory, -T to identify the token label and -C to identify the certificate_subject.
Ex. To configure the KSSL proxy service with SSL Port 443 and reverse-proxy port is 8080 using PEM based certificates and the passphrase stored in file (ex. password_file).
ksslcfg create -f pem -i mySSLCert.pem -x 8080 -p password_file webserver_hostname 443
-
Verify the KSSL proxy service under Solaris Service Management Framework (SMF) controls, the KSSL services is identified with FMRI svcs:/network/ssl/proxy.
svcs - a | grep "kssl"
-
Assuming your webserver in the backend listens at port 8080, you should able to test the SSL configuration provided by the KSSL proxy. Open your browser, goto https://webserver_host:443/ you should be prompted by the SSL dialog warning to accept a self-signed certificate.
-
More importantly, if your Solaris host is a Sun CMT server (based on UltraSPARC T1/T2 processor), KSSL automatically takes advantage of the cryptographic acceleration and no additional configuration is necessary.
Here is an unofficial benchmark that highlights performance comparisons with KSSL and other SSL options. The following shows the latency of an Web application running on Oracle Weblogic server using different SSL configurations (Certificate using RSA 1024) on a Sun CMT server (T5440) – To interpret the graph, make a note “Smaller the Latency means Faster”.
Adopting to Sun CMT servers (based on UltraSPARC T1/T2 processors) helps delivering on-chip cryptographic acceleration for supporting SSL/TLS and its cryptographic functions. With KSSL based SSL deployment, you will atleast get an additional 30% performance advantage while comparing with other Web server based SSL deployments. I heard that Intel Nehalem EX processors are expected to provide similar on-chip crypto capabilities, not sure ! Either way, using KSSL is a no brainer and it works. If you are itching the head to provide transport-layer security for your applications, this could be easiest way to go ! Ofcourse, it can help you score some points in those IT infrastructure security assessment checklists verifying for PCI-DSS, FISMA, HIPPA and/or similar regulatory/industry compliance mandates ! :-)
Are you tired of the high-level SPML content floating around the web from couple of analysts with no practical guidance ! If you are a practical guy..who want to explore SPML, here is something that you may find worth test-driving for SPML 1.0 amd SPML 2.0 based provisioning operations.
I had been using SPML using Sun IDM 7.0 for a while now. Most frequently, I forget the steps for configuration and also did’nt have the patience of going through the documentation (Frankly..I’m bit lazy). So, I ended up doing my crazy way and here is the cheat sheet of the steps required.
Configuring SPML Web Services Endpoint in Sun IDM
1. Make sure Sun IDM is deployed and tested to run in your Web container environment (My choice would be Glassfish on Solaris 10). Sorry, I am not a Windows guy
2. Open a terminal, set your JAVA_HOME and WSHOME environment variables
bash-3.00# export JAVA_HOME=export JAVA_HOME=/usr/java
bash-3.00# export WSHOME=/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm
bash-3.00# export
bash-3.00# export DISPLAY=<your host_name>:0.0
bash-3.00# cd /opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm/bin
bash-3.00# ./lh console
3. Configure SPML 1.0 and SPML 2.0 objects by importing them.
Configurator> import -f /opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm/sample/spml.xml
Added TaskDefinition:SPMLRequest
Added Configuration:SPML
Added Configuration:SPMLPerson
Added Configuration:SPMLRole
Added Configuration:SPMLResourceGroup
Added Configuration:BasicUser
Added Configuration:Empty
Added Configuration:SPMLviewtest1
Added Configuration:SysInfoForm
Configurator> exit
Configurator> import -f /opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm/sample/spml2.xml
Added TaskDefinition:SPML2Request
Updated Configuration:User Extended Attributes
Added Configuration:SPML2
Added Configuration:spml2PersonForm
Configurator> exit
4. Set the Username/Password properties in Waveset.properties file.
bash-3.00# vi /opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm/config/Waveset.properties
Add the following to the end of Waveset.properties file:
soap.username=configurator
soap.password=configurator
4. Restart your Application Server:
bash-3.00# /opt/SUNWappserver/bin/asadmin stop-domain domain1
bash-3.00# /opt/SUNWappserver/bin/asadmin start-domain –user admin domain1
5. Test your SPML Web services connection. The following command will launch “SPML Monitor” Java application.
bash-3.00# ./lh spml
Sample code
Here is my code for testing (both SPML 1.0 and SPML 2.0), just compile and run it.
Enjoy !
Last week, I was at RSA Conference and I joined a panel with Mark Diodati (Burton Group) and Sampo Kellomaki (Symlabs) to discuss interoperable Identity provisioning ! I delved into SPML 2.0 and highlighted the strategies of using SPML 2.0 for interoperable provisioning. Here is the link to our slides – Interoperable Identity Provisioning in a Distributed World (With emphasis on SPML).
Last week, I was at Biometric Consortium Conference 2006 to present “Biometric Single Sign-On using SAML: Architecture and Design Strategies” and demonstrate one of my favorite topic of interest – Stronger authentication solution that combines “Web Access Management/SSO/Federation” using “Biometrics”. I used my previous JAAS Module integration work between Sun Java System Access Manager 6.x (SunONE Identity Server) and BioBex (Advance Biometric Controls) and then extended it to configure SAML Browser Artifact Profile, that enables SAML based SSO between an IdP (Sun Access Manager) and a J2EE application.
For those curious, here is the link to my presentation….”Biometric Single Sign-On using SAML: Architecture and Design Strategies“.
Enjoy !
Back to top