Monthly Archives: June 2014

IT-Security: Part 1 to 5 as PDF file

Key words:IT-Security, Security Challenges, OPSS Architecture, WebLogic Server, JAAS, JAAS LoginModules, Authentication, Basic Authentication, Certificate Authentication, Digest Authentication, perimeter Authentication and Identity Assertion

Until now I have published five parts of a series of articles on IT-Security and Oracle Fusion Middleware:

  1. http://thecattlecrew.wordpress.com/2014/02/17/it-security-weblogic-server_1/
  2. http://thecattlecrew.wordpress.com/2014/03/05/it-security-part-2-weblogic-server-and-oracle-platform-security-services-opss-2/
  3. http://thecattlecrew.wordpress.com/2014/03/14/it-security-part-3-weblogic-server-and-java-security-features/
  4. http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/
  5. http://thecattlecrew.wordpress.com/2014/06/22/it-security-part-5-weblogic-server-perimeter-authentication-and-identity-assertion/

I’m going to continue the IT-Security’s articles and you can access to complete first five parts as PDF-file here:

WebLogic-Server_IT_Security_1til5

Advertisements

IT-Security (Part 5): WebLogic Server, perimeter Authentication and Identity Assertion

I tried to discuss about “perimeter authentication” in one extra part of IT-Security’s blogs, because this authentication’s process is an essential approach in a heterogonous world of systems, applications and technologies that they need to trust and communicate to each other.  Generally, we discussed about perimeter authentication, if a remote user requires an asserted identity and some form of proof material to an authentication server that performs the verification and then passes an artifact, or token, to the application server domain.[1]

If we want to identify a remote user outside of the WebLogic server domain, as an authentication server, then we need to another approach for authenticating’s process instead basic authentication with username and password[2]. This authentication’s process is called perimeter authentication. It establishes trust via a passphrase, e.g. tokens. Tokens will be generated as part of the authentication process of users or system processes and could have many different types and / or vendors, e.g. Kerberos and Security Assertion Markup Language (SAML). WebLogic Server is able to use the token(s) so that users are not requested to sign on more than once.

This form of authentication operates with authentication agent. It performs an authentication process that outcomes in a token. It contains the authentication information of user and guarantees for the user’s identity. The Figure1 Perimeter Authentication[3] presents the sequence of events in authenticating process:

Remote User sends a request with passphrase to Authentication Agent. It creates a token and sends to WebLogic Server to access resources and / or application(s). The WebLogic Server perform perimeter authentication via Identity Assertion.

p5_PerimeterAuthentication_1

Perimeter Authentication

Figure 1 Perimeter Authentication

We can define the Identity Assertion provider, as a specific form of Authentication provider that permits users or applications to assert their identity using tokens. With other words, it supports user’s mappers, which map a valid token to a WLS-User. It is possible to develop your own or use a third-party security vendor’s Identity Assertion providers. Identity assertion can use perimeter authentication schemes such as the Security Assertion Markup Language (SAML), the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), or enhancements to protocols such as Common Secure Interoperability (CSI) v2 and support single sign-on.[4]  The WebLogic Identity Assertion providers support the following token types[5] (here is a selected list of token types):

  • AU_TYPE, for a WebLogicAuthenticatedUserused as a token.
  • X509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI) and RFC 4158 provides information and guidance for certification path building.[6]
  • X509_TYPE, for an X509 client certificate used as a token:
  • CSI_X509_CERTCHAIN_TYPE, for a CSIv2 X509 certificate chain identity used as a token.

“The Negotiate Identity Assertion provider is used for SSO with Microsoft clients that support the SPNEGO protocol. The Negotiate Identity Assertion provider decodes SPNEGO tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos. The Negotiate Identity Assertion provider is for Windows NT Integrated Login.” [7]

  • AUTHORIZATION_NEGOTIATE, for a SPNEGO internal token used as a token.
  • WWW_AUTHENTICATE_NEGOTIATE, for a SPNEGO internal token used as a token.

“The SAML Identity Assertion providers handle SAML assertion tokens when WebLogic Server acts as a SAML destination site. The SAML Identity Assertion providers consume and validate SAML assertion tokens and determines if the assertion is to be trusted (using either the proof material available in the SOAP message, the client certificate, or some other configuration indicator).”[8]   I am going back to SAML topic in an additional article(s).

  • SAML_ASSERTION_B64_TYPE, for a Base64 encoded SAML.assertion used as a token.
  • SAML_ASSERTION_DOM_TYPE, for a SAML DOM element used as a token.
  • SAML_ASSERTION_TYPE, for a SAML string XML form used as a token.
  • SAML2_ASSERTION_DOM_TYPE, for a SAML2 DOM element used as a token.
  • SAML2_ASSERTION_TYPE, for a SAML2 string XML form used as a token.
  • SAML_SSO_CREDENTIAL_TYPE, for a SAML string consisting of the TARGET parameter concatenated with the assertion itself and used as a token.

I introduced about Digest Authentication[9] in previous blog and WebLogic supports für Web Service application the following Digest type:

  • WSSE_PASSWORD_DIGEST_TYPE, for a username token with a password type of password digest used as a token.

The Authentication and Identity Assertion Process

Now, we can compare Basic authentication Process with Identity Assertion Process. On Figure 2 Authentication Process (Principal Validation Process)[10] shows the authentication process for a fat-client login. A user attempts to log into a system using a username/password combination. WebLogic Server establishes trust by calling the configured Authentication provider’s LoginModule, which validates the user’s username and password and returns a subject that is populated with principals per Java Authentication and Authorization Service (JAAS) [11] requirements. In this way, an authentication context will be established and user can access to certain resource and / or components in WebLogic Domain.

Authentication Process (Principal Validation Process)

Authentication Process (Principal Validation Process)

 

Figure 2 Authentication Process (Principal Validation Process)

Figure 3 Perimeter Authentication presents the perimeter authentication process[12].

  1. A token from outside of WebLogic Server is passed to an Identity Assertion provider that is responsible for validating tokens of that type and that is configured as “active”.
  2. If the token is successfully validated, the Identity Assertion provider maps the token to a WebLogic Server username, and sends that username back to WebLogic Server, which then continues the authentication process as described above. It requires the same components, but also adds an Identity Assertion provider. Specifically, the username is sent via a Java Authentication and Authorization Service (JAAS)CallbackHandlerand passed to each configured Authentication provider’s LoginModule, so that the LoginModule can populate the subject with the appropriate principals.
Perimeter Authentication

Perimeter Authentication

 

Figure 3 Perimeter Authentication

If you compare the two ways of authentication, then you can find out a core security characteristic of WebLogic Server too. It is mean; WebLogic Server security architecture has a consistence modular structure and therefore can response rapid to new challenges and technologies in security area. This architecture is capable to expand its features und integrate new security components in itself.

[1] Oracle® Fusion Middleware: Understanding Security for Oracle WebLogic Server, 11g Release 1 (10.3.6), E13710-06

[2] For „Basic Authentication: Username/Password“ see: http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/

[3] Oracle® Fusion Middleware: Understanding Security for Oracle WebLogic Server, 11g Release 1 (10.3.6), E13710-06

[4] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[5] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[6] See: http://tools.ietf.org/html/rfc4158

[7] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[8] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[9] See http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/

[10] See: http://docs.oracle.com/cd/E23943_01/web.1111/e13718/atn.htm#i1141106

[11] IT-Security (Part 3): WebLogic Server and Java Security Features: http://thecattlecrew.wordpress.com/2014/03/14/it-security-part-3-weblogic-server-and-java-security-features/

[12] See http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

How to fix the ADF Security error “JpsAnonymousRoleImpl” in Jdev 11.1.1.6.0

How to fix the ADF Security error “JpsAnonymousRoleImpl” in Jdev 11.1.1.6.0

Udaya's Blog

I have created a sample ADF application in Jdev 11.1.1.6.0 and when executed in “Integrated Weblogic server” within Jdev, it did not display any error message in the console and the application web page is loaded in the default browser successfully.

Now I added the ADF Security for the Application. To do this, From the Menu options select the Application –> select Secure->Configure ADF Security

ADF Authentication and Authorization –> Form Based Authentication (Generate the default login and error pages. Should be something like “/login.html“) -> No Automatic Grants -> Finish.

Now when I executed my Application in Jdev, I was getting the “<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}. oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl”   error before my web page opens up in the browser.

Even after you delete the ADF security this error still occurs.

So Now lets see how to fix…

View original post 302 more words

How to redirect Webcenter Content Server or UCM to Remote Database

How to redirect Webcenter Content Server or UCM to Remote Database

Udaya's Blog

Inorder to redirect the Webcenter Content Server or UCM to Remote Database, both Remote Database & RCU should be compatible versions and remote DB machine should be reachable from Content Server (CS) machine.

Pointing can be changed from Weblogic Server (WLS) console:

1) Please take backup of config.xml & cs-ds-jdbc.xml

  •  OracleMiddlewareuser_projectsdomainsbase_domainconfig
  •  OracleMiddlewareuser_projectsdomainsbase_domainconfigjdbc

2) Login to WLS console as admin user (weblogic) and browse through (  Home >Summary of JDBC Data Sources >CSDS >Summary of JDBC Data Sources >CSDS )

3) Click on Connection Pool tab

4) Change hostname, service id, port, user & passwords.

5) Just restart the managed servers first & monitor logs for errors if any.

6) Shutdown managed & admin server & start.

Now the WebCenter Content server or UCM will use the schema available in the remote database.

View original post

IT-Security: WebLogic Server and Authentication – Part 4

As I mentioned, JAAS is able for two important tasks: authentication and authorization of users. Now, let us see more about them.

Authentication: Who are you?

Authentication verifies that the user is who she/he claims to be. But user is also an entity and could be a person, a software entity or other instances of WebLogic Server (so called “resources”). WLS performs proof material typically through a JAAS LoginModule and JAAS authentication is implemented in a pluggable method. A user’s identity is confirmed through the credentials presented by that user, such as:

  1. something one has, e.g. credentials issued by a trusted authority such as a passport or a smart card
  2. something one knows, e.g. a shared secret such as a password,
  3. something one is, e.g. biometric information

A combination of several types of credentials is known as “strong” authentication; e.g. using an ATM card (credential 1) with a PIN or password (credential 2).[1]

Types of Authentication

WebLogic Server is able to perform the different types of authentication, because it can use the WebLogic Authentication provider or custom security providers. Administrators are able to define a user and password with WebLogic Authentication provider. The all passwords will be encrypted. Users may be placed into groups or be related with security roles.

p4_wls_usr_grp

Basic Authentication: Username/Password

Basic authentication is defined via The Internet Engineering Task Force (IETF®) so: “The “basic” authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm.  The realm value should be considered an opaque string which can only be compared for equality with other realms on that server. The server will service the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.”[2]

In this type of authentication will be user/password requested. WebLogic scenario looks like this: the user and sent ID/PW to WebLogic Server. It checks them and if it is reliable, gives access to the protected WebLogic resource. In background, WebLogic Server checks the security policy of the WebLogic resource and the principal (that the user has been assigned) to make sure that the user has the obligatory permissions to continue.

p4_login

 

In addition, you can use https. User/password will be encrypted between client and server through SSL communication. It is an extra advantage that the transaction between client and server will not be performed in clear text.

Certificate Authentication

We are going to discuss about Secure Sockets Layer (SSL) in the next articles. SSL delivers protected connections. The SSL-communicating authenticate identity of two entity and/or application that communicate through a network connection. In addition, the whole SSL-communication is encrypted. WebLogic Server provides a pure-Java implementation of SSL and supports One-Way- and Two-Way- SSL authentication.

Simple to say, if a WLS to authenticate to a client, then we have a One-Way SSL. If a client to authenticate to a WLS, then we have Two-Way SSL. One-Way SSL is obligatory but Two-Way SSL is optional. During “handshaking” exchange the applications and/ or entities digital certificates. The digital certificate is supplied by an entity, which authenticates the identity of WebLogic Server.

Afterwards, the both sides, also WebLogic Server and client, decide on the encryption algorithms to be used. As third step, SSL-connection generates the encryption keys to be used for the remainder of the session. The encryption keys is a hybrid encryption approach that it uses advantages of asymmetric and symmetric encryption therefore, it is known as a good combination between better performance and security in network communication.

Digest Authentication

We are going back to this topic for deeper discussion. As an introduction, we can start with the definition of The Internet Engineering Task Force (IETF®): “Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm. The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. In this way, the password is never sent in the clear. Just as with the Basic scheme, the username and password must be prearranged in some fashion not addressed by this document.”[3]

Weblogic Server supports digest authentication and is resistant to replay attacks. “The implementation maintains a cache of used nonces/timestamps for a specified period of time. All requests with a timestamp older than the specified timestamp are rejected as well as any requests that use the same timestamp/nonce pair as the most recent timestamp/nonce pair still in the cache. WebLogic Server stores this cache in a database.”[4]

I’m going to continue with Authentication’s topic in next part of IT-Secrutity and WebLogic Server.

 

[1] See Oracle Fusion Middleware Security Overview http://docs.oracle.com/cd/E23943_01/core.1111/e12889.pdf

Oracle Fusion Middleware 11.1.1.5, Security Guides http://docs.oracle.com/cd/E21764_01/security.htm

Oracle® Fusion Middleware Securing Oracle WebLogic Server http://docs.oracle.com/cd/E21764_01/web.1111/e13707/toc.htm

Oracle Platform Security Services 11gR1 (White Paper)

http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf

[2] Request for Comments: 2617: The Internet Engineering Task Force (IETF®): https://datatracker.ietf.org/doc/rfc2617/

[3] Request for Comments: 2617: The Internet Engineering Task Force (IETF®): https://datatracker.ietf.org/doc/rfc2617/

[4] Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server 11g Release 1 (10.3.5) http://docs.oracle.com/cd/E21764_01/web.1111/e13710/toc.htm