Monday, July 18, 2011

5 Minutes or less: Kerberos

Every time I talk to someone about Kerberos I need to take a few minutes to go through the concepts. This post is intended to just write down what I usually say and draw with a white board.

If you want to know more about Kerberos there's a metric ton of info out there on the internet. I'll leave it to you to go read up. For those of you that are experts on Kerberos please note that I'm going to simplify some stuff and gloss over a few important things; don't judge me for that - I'm just trying to make this all easy to understand!

A Kerberos Domain can be thought of as an island of single sign-on. Anything in the domain can authenticate securely to anything else in the domain without ever transmitting a clear text password over the network.

Everything in Kerberos is a Principal - machines, services and even users. A Principal is identified by a simple string called a Service Principal Name or SPN in one of two forms - either PROTOCOL/hostname for services (e.g. HTTP/www.mydomain.com for a web server) or username@DOMAIN for users (e.g. cjohnson@ATEAMDEMO.COM). The case of the string is important; the Protocol and domain name are always in CAPITAL LETTERS and the hostname and username are always in lower case.

There's a service on the network called a Key Distribution Center, abbreviated to KDC. The KDC has a list of every user and every service on the network and has a secret keys for each and every one of those Principals.

When a Service enrolls with the KDS the KDC generates a secret key for the service. That secret key is stored in two places - on the KDC and by the service (usually in a file).

When a user first logs in they use their password to the KDC prove their identity and get something called a Ticket Granting Ticket, abbreviated to TGT. Note that the password is never actually sent over the wire.

When a user wants to authenticate to a Service they go to the KDC and use their TGT to ask for a Service Ticket (ST) to talk to that service. The user asks for a ST for a particular service identified by the service's Service Principal Name (PROTOCOL/hostname). Note that, as usual, the user doesn't actually send the TGT to the KDC. Instead the client uses the TGT to prove its identity to the KDC, just as it did with the password.

In order to construct a Service Ticket the KDC takes the username, the service's SPN, a timestamp and a couple of other bits of information, puts them all together in a particular way and then encrypts that data with the Service's secret key and adds on some unencrypted data describing the ticket. Remember that only two things know that secret key - the KDC and the Service itself.

The KDC then securely returns the ST to the user.

Finally, the user sends their service ticket to the Service. To verify the Service Ticket the Service takes the encrypted ticket and tries to decrypt it using the secret key it got when it enrolled with the KDC. If the the ST decrypts correctly with that key then the service knows that the user was authenticated by the KDC; all the that remains is to check the timestamp and other information to make sure that the ticket isn't expired. If all of that checks out then the user is considered authenticated.

You'll note that the Service does not need to go to the KDC to verify the Service Ticket - all it needs is its Secret Key which it already has.

Here's a sequence diagram for you.

Remember when I said I was glossing over or simplifying a few things?

One of those things is how the Service gets its secret key. In my text above I said it gets that key when it "enrolls", but in the diagram I used the word "start" instead. That's one of those hand wavey places.

Another one is the TGT. A TGT is just a ST for the KDC itself. So if you look at a TGT you'll see that it's a special Service Ticket for krbtgt/DOMAIN.COM@DOMAIN.COM. For example here's mine: 

Ticket cache: FILE:cjohnson.cache
Default principal: cjohnson@ATEAMDEMO.COM

Valid starting     Expires            Service principal
07/18/11 07:51:14  07/18/11 17:51:19  krbtgt/ATEAMDEMO.COM@ATEAMDEMO.COM
        renew until 07/19/11 07:51:14, Flags: RIA
Most of our posts here are pretty long and can take a while to digest. This one is intended to be read in 5 minutes or less. If you'd like to see more "5 minutes or less" posts please let us know in the comments below. If you DON'T want to see more of them please let us know that too.

Note: we may not publish the comments, but we promise to read them all.

Posted by Chris Johnson (Oracle) at 10:05 PM 0 comments
Labels: ,

Thursday, July 7, 2011

Enterprise Gateway (OEG) External Service Calls

I’ve had the opportunity recently to work with the Oracle Enterprise Gateway (OEG) for a DoD opportunity. For those that aren’t familiar, OEG is an OEM from Vordel. The definitive blog on Vordel is at http://xmlgateway.blogspot.com/ where our old friend Josh Bregman writes. There were a couple of patterns that emerged in my work that I wanted to post.

One pattern is the need to make an external call to a service. In my case, I needed to call to an attribute sharing service (See Chris’ blog on XASP for more details on one approach for this) and a XACML PDP. Note, OEG has an embedded PDP solution using Oracle Entitlements Server (OES) that provides a faster service, but in my case, I had to stay with the standards-based solution. This is very easy to accomplish with OEG with a 3-step circuit:







The Set Message defines the parameters of the request. In my case, I have an attribute service that takes a user DN and returns specified attributes.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

<SOAP-ENV:Body>

<orafed-arxs:AttributeRequest xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3" TargetIDP="SpaceFenceIDP">

<orafed-arxs:Subject>cn=${user.cn},ou=${user.physicalDeliveryOffice},dc=service,dc=mil</orafed-arxs:Subject>

<orafed-arxs:Attribute Name="mail"/>

<orafed-arxs:Attribute Name="clearance"/>

</orafed-arxs:AttributeRequest>

</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

Notice the wildcards with ${variable}. These were attained earlier in the circuit with a “Retrieve from Directory Server” node after authentication to the Gateway. In the Policy Editor, create a policy and drag the Set Message onto the easel. Enter “text/xml” for the Content-type and optimally, import the request from a file, then save.








Setting the URL is very straightforward, just enter the URL and any trust certificates if necessary.

The response from the attribute service (Oracle Identity Federation in this case) is:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

<SOAP-ENV:Body>

<orafed-arxs:AttributeResponse CacheFor="1499" xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3">

<orafed-arxs:Status>Success</orafed-arxs:Status>

<orafed-arxs:Subject>cn=Jane Wilson,ou=CDC,dc=service,dc=mil</orafed-arxs:Subject>

<orafed-arxs:Attribute Name="mail">

<orafed-arxs:Value>jwilson@service.mil</orafed-arxs:Value>

</orafed-arxs:Attribute>

<orafed-arxs:Attribute Name="businessCategory">

<orafed-arxs:Value>Secret</orafed-arxs:Value>

</orafed-arxs:Attribute>

</orafed-arxs:AttributeResponse>

</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

Knowing this response format will help in parsing the response in OEG. When editing “Retrieve from Message”, re-name the node appropriately and select “Add” under the attribute location.





Name the attribute (arbitrary) and select magic wand button. Browse to the response file saved on disk, and you should see the contents in the XPATH Wizard. Select the node which you wish to have returned to the gateway.









Select “Use this path” and the XPath Expression should show up in the XPath field. Select OK. Name the attribute you want to populate in the gateway and save the node.

Debugging on OEG typically consists of adding a “Trace” node to your circuit and putting the listener in DEBUG or DATA mode. This gives you the “System.out” visibility into what’s going on in the Gateway.

Thanks to Dave Roberts from Vordel for getting me over the humps and for stealing second in 2004.

Posted by Chew at 12:37 PM 0 comments

Monday, June 27, 2011

Working with OWSM Policies – Part 1 of some

In this post I discuss the available options to work with OWSM (Oracle Web Services Manager) policies in JDeveloper and Enterprise Manager. OWSM is a component available along with the Oracle SOA Suite and provides policy enforcement point (PEP) agents for SOAP-based messages.

Typically, a service policy is attached to a service endpoint to enforce some pre-defined rules (like enforcing a SAML token, Kerberos token, message confidentiality, SSL, etc). And a corresponding client policy is attached to the client in order to transform the outgoing SOAP message, making it suitable to be enforced in the server side.

OWSM Policies in JDeveloper


OWSM supports two types of repositories for its policy files: file system or database.
When working with JDeveloper, you can choose which one you want to use.
By default, JDeveloper reads policies from the file system. To check that out, go to Tools –> Preferences –>WS Policy Store (on left).

image

The File Store Default Location refers to DefaultDomain oracle/store/gmds directory under $JDEV_USER_DIR’s systemxx.x.x.x.xx.xx.xx folder. Policies are under owsm/policies and assertions are under owsm/assertiontemplates.

Read more »
Posted by Andre Correa at 9:41 AM 0 comments
Labels: , , ,

Friday, June 17, 2011

Oracle Identity Manager Academy from the Fusion Security Blog

Index to the Oracle Identity Manager Series from the Fusion Security Blog Team

OIM 11g is the current release of the Oracle provisioning tool, this post is to be used as basis for all the other OIM related posts in this blog. Through the posts we try to help OIM customers and developers by things like giving technical and architectural recommendations, discussing specific implementation topics and their caveats, giving tips about problems we face in our daily work and much more.

OIM Concepts

OIM Tips & Examples

OIM & SOA

OIM & LDAP Synch

OIM Integration

 Patches and Patching

Posted by Daniel Gralewski at 1:57 PM 8 comments
Labels: , , ,

Tuesday, June 14, 2011

Oracle Entitlements Server 11g launch party!

OK, well maybe party isn't the right word, but there is a launch event:

We will be offering a live launch webcast featuring Roger Wigenstam from Oracle and Swapnil Mehta from SENA systems on Jul 14 at 10 am PT. The webcast is titled “Introducing Oracle Entitlements Server 11g” . During this webcast we will cover what’s new in Oracle Entitlements Server 11g in addition to recommendations for planning a real world deployment for externalizing authorization from apps.
Roger is a Product Manager at Oracle in charge of OES, OPSS, OWSM and OEG (technically he's a Senior Director of Product Management).

Swapnil is the Director of SENA Systems' Global Access Management Practice. I've worked with him since I went to work at BEA as part of the sales team for OES' predecessor product Aqualogic Entitlements Server.

The product has been improved and enhanced quite dramatically in the 11g release and there's plenty to talk about. This event is basically two really smart guys talking about what's in OES 11g and why we're all pretty excited about the release.

More information on the event is available on the event page.

Those of you that can't make it to the online event can rest assured that I'll be blogging a whole lot more about OES 11g here for both new and existing users of OES!

Posted by Chris Johnson (Oracle) at 7:40 AM 0 comments
Labels:
Subscribe to: Posts (Atom)