Advanced SSL configuration on IBM Http Server – Restrict unused HTTP methods and Verbose HTTP headers

Restricting unused HTTP methods

The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers generally use only two methods to access and interact with web sites: GET for queries that can be safely repeated and POST for operations that may have side effects. Unused HTTP methods should therefore be disabled; some of them are PUT, DELETE, TRACE, TRACK, COPY, MOVE, LOCK, UNLOCK, PROPFIND, PROPPATCH, SEARCH and MKCOL. Check with the application teams whether the application needs any of these methods before disabling them.

Testing before limiting http methods:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.

Your IBM HTTP Server configuration file (httpd.conf) has two relevant sections, the main server section and the virtual host section, and the following lines need to be added in both places. The task is explained here using the mod_rewrite module, so first make sure that mod_rewrite is loaded. Then add the following lines to the main and virtual host sections of your httpd.conf:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)
RewriteRule .* - [F]

Restart the web server after adding the above lines.

Now, when someone tries to use one of these HTTP methods, they will get a 403 Forbidden response, since we specified [F] in the rewrite rule.

Testing after adding the lines and restarting the web server:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:15:44 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, POST
Connection closed by foreign host.

Testing the TRACE method:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected josephamrithraj.mp
Escape character is '^]'.
TRACE / HTTP/1.0
Host: josephamrithraj.mp
testing...   <- press ENTER twice

HTTP/1.1 403 Forbidden
Date: Thu, 14 Sep 2010 00:18:31 GMT
Server: Apache Web Server
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

403 Forbidden

Forbidden

You don't have permission to access / on this server.

Connection closed by foreign host.

Disable verbose HTTP headers:


You might have seen this: when the web server (Apache or IBM HTTP Server) returns an error page, it can show information about its version, build, modules and so on. This is a security issue, since you are giving away details about your web server. For example, take a look at this:

Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80

This Server header line exposes version and variant information about the Linux operating system and the Apache software used on the machine. It indirectly reveals which known security holes may exist, or at least makes it easier for an attacker to identify the system and its available attack points.

To ensure that the Apache HTTP web server does not broadcast this information publicly, modify the two directives ServerTokens and ServerSignature in the httpd.conf configuration file.

ServerTokens

This directive configures what is returned in the Server HTTP response header. The built-in default is 'Full', which sends information about the OS type and compiled-in modules. The recommended value is 'Prod', which sends the least information.

Options: Full | OS | Minor | Minimal | Major | Prod

ServerTokens Prod

This configures Apache to return only 'Apache' as the product in the Server response header on every request, suppressing OS, major and minor version information.

ServerSignature

This directive adds a trailing line containing the server version and virtual host name to server-generated pages. It is recommended to set it to Off. The EMail setting additionally includes a mailto: link to the ServerAdmin address.

Options: On | Off | EMail

ServerSignature Off

This instructs Apache not to display a trailing footer line under server-generated documents; that footer would show the server version number, the ServerName of the serving virtual host, the email setting and so on.
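To verify both settings from this post in one place, here is an added Python 3 example (not from the original post). It parses a raw HTTP response, reports which of the methods denied by the RewriteCond above are still advertised in the Allow header, and flags a Server header that still carries a version string. The two sample responses are constructed from the telnet sessions shown above; audit_live, which sends a single OPTIONS request to a server you operate, is an assumed way of invoking the check and is not part of the article.

```python
"""Audit an HTTP response for advertised risky methods and a verbose Server header.

Added example, not from the original post. The sample responses below are
constructed from the telnet sessions in the article.
"""
import http.client
import re

# The methods the article's RewriteCond denies.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "COPY", "MOVE", "LOCK",
                 "UNLOCK", "PROPFIND", "PROPPATCH", "SEARCH", "MKCOL"}

# "Apache/2.0.53", "PHP/4.3.10-10ubuntu4": a product name followed by "/digit".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers_dict)."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(status, headers):
    """Report risky Allow entries and version leakage in Server, as a dict."""
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    server = headers.get("server", "")
    return {
        "status": status,
        "risky_methods": sorted(advertised & RISKY_METHODS),
        "server_header": server,
        "server_leaks_version": VERSION_RE.search(server) is not None,
    }


def audit_response(raw):
    """Audit a raw response string (status line + headers)."""
    return audit_headers(*parse_response(raw))


def audit_live(host, port=80, path="/", timeout=5):
    """Send one OPTIONS request to a server you operate and audit the reply.

    Assumed usage, not shown in the article; needs network access."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        return audit_headers(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


# Constructed samples, copied from the article's before/after telnet output.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 14 Sep 2010 00:11:57 GMT\r\n"
    "Server: Apache Web Server\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, "
    "PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 14 Sep 2010 00:15:44 GMT\r\n"
    "Server: Apache Web Server\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, POST\r\n\r\n"
)
# Constructed: the kind of Server header that ServerTokens Full produces.
VERBOSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("verbose", VERBOSE)):
        print(label, audit_response(sample))
```

Running the script prints the audit for the three constructed samples; the "before" response lists ten of the denied methods, the "after" response lists none, and only the ServerTokens Full style header is flagged as leaking a version.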


Courtesy:http://josephamrithraj.wordpress.com/2010/09/16/advanced-ssl-configuration-on-ibm-http-server-restrict-unused-http-methods-and-verbose-http-headers/

Advanced SSL configuration on IBM Http Server – Client Authentication and Ciphers

The advanced SSL configuration settings are:

Client Authentication
Setting Ciphers
SSL for multiple IP virtual hosts

Client Authentication:

If you enable client authentication, the server validates clients by checking for a trusted certificate authority (a CA root certificate) in the local key database. To enable client authentication, use the SSLClientAuth directive. The options for this directive are:

None – The server requests no client certificate from the client.
Optional – The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
Required – The server requires a valid certificate from all clients and returns a 403 status code if no certificate is present.
Required_reset – The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This lets the client understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. Make sure you have GSKit version 7.0.4.19 or later when you choose this option.

For example, if you want all clients to be authenticated, add the following directive:

SSLClientAuth required

Ciphers

The cipher specification sets the ciphers used during secure transactions. The specified cipher specifications are validated against the level of the Global Security Kit (GSKit) toolkit installed on your system; invalid cipher specifications cause an error to be logged in the error log. If the client issuing the request does not support any of the ciphers specified, the request fails and the connection to the client is closed. IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL). The actual cipher specification used for a particular client connection is selected from those supported by both IBM HTTP Server and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

IBM HTTP Server supports SSLv2, SSLv3 and TLS cipher specifications.

IBM recommends the following setting, keeping in mind both strong security and performance:

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the presence of
## the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

View the ciphers which the server uses for secure transactions

Set LogLevel to info in the configuration file, then look in the error log for messages of this form: TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname. The order in which the cipher specifications appear in the error log, top to bottom, is the order in which they are attempted.

View the ciphers used for negotiating a connection

You can use the following LogFormat directive to view and log the SSL cipher negotiated for each connection:

LogFormat "%h %l %u %t \"%r\" %>s %b \"SSL=%{HTTPS}e\" \"%{HTTPS_CIPHER}e\" \"%{HTTPS_KEYSIZE}e\" \"%{HTTPS_SECRETKEYSIZE}e\"" ssl_common

CustomLog logs/ssl_cipher.log ssl_common

This LogFormat will produce output in ssl_cipher.log that looks something like this:

127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"
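Here is an added Python 3 example (not from the original post) that works with both log formats described above: it parses ssl_cipher.log lines written by the LogFormat above, counts which cipher each connection actually negotiated, flags the RC4/MD5 and SSLv2 specifications from the recommended list as weak and 3DES as legacy, and reads the "Using Version N Cipher: longname|shortname" lines from the error log to recover the attempted order. The sample lines are constructed in those formats (the short names in the error-log samples are made up), and the weak/legacy policy is this example's own, not IBM's.

```python
"""Summarise negotiated SSL ciphers from ssl_cipher.log and from mod_ibm_ssl
"Using Version ... Cipher" error-log lines.

Added example, not from the original post. The sample log lines are constructed
in the formats the article shows; the weak/legacy policy is this example's own.
"""
import re
from collections import Counter

# %h %l %u %t "%r" %>s %b "SSL=%{HTTPS}e" "%{HTTPS_CIPHER}e" "%{HTTPS_KEYSIZE}e" "%{HTTPS_SECRETKEYSIZE}e"
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "SSL=(?P<ssl>[^"]*)" "(?P<cipher>[^"]*)" '
    r'"(?P<keysize>[^"]*)" "(?P<secretkeysize>[^"]*)"$'
)
# TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname
ERRORLOG_RE = re.compile(
    r"mod_ibm_ssl: Using Version (?P<version>\d) Cipher: (?P<long>[^|\s]+)\|(?P<short>\S+)"
)

# SSLv2 cipher names as listed (commented out) in the article's recommended config.
SSLV2_CIPHERS = {"SSL_RC4_128_WITH_MD5", "SSL_RC4_128_WITH_SHA",
                 "SSL_DES_192_EDE3_CBC_WITH_MD5"}


def classify_cipher(name, keysize=None):
    """Return 'weak', 'legacy' or 'ok' for a negotiated cipher (example policy)."""
    if name in SSLV2_CIPHERS or "RC4" in name or name.endswith("MD5"):
        return "weak"
    if keysize is not None and keysize < 128:
        return "weak"
    if "3DES" in name or "DES_192" in name:
        return "legacy"
    return "ok"


def parse_access_line(line):
    """Parse one ssl_cipher.log line; returns a dict, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ssl"] = rec["ssl"] == "ON"
    for key in ("keysize", "secretkeysize"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    rec["cipher"] = rec["cipher"] if rec["cipher"] != "-" else None   # "-" = env var unset
    return rec


def summarize_access_log(lines):
    """Count negotiated ciphers and list requests that used weak or legacy ones."""
    counts = Counter()
    findings = []
    plain = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if not rec["ssl"] or rec["cipher"] is None:
            plain += 1
            continue
        counts[rec["cipher"]] += 1
        verdict = classify_cipher(rec["cipher"], rec["secretkeysize"])
        if verdict != "ok":
            findings.append((rec["host"], rec["cipher"], verdict))
    return {"ciphers": dict(counts), "plaintext_requests": plain, "findings": findings}


def attempted_cipher_order(error_log_lines):
    """Return (version, longname, shortname) in the order mod_ibm_ssl logged them."""
    order = []
    for line in error_log_lines:
        m = ERRORLOG_RE.search(line)
        if m:
            order.append((int(m.group("version")), m.group("long"), m.group("short")))
    return order


# Constructed sample lines in the LogFormat shown above.
SAMPLE_ACCESS = [
    '127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"',
    '10.0.0.5 - - [01/Sep/2010:00:02:07 -0800] "GET /app HTTP/1.1" 200 4410 "SSL=ON" "TLS_RSA_WITH_AES_256_CBC_SHA" "256" "256"',
    '10.0.0.9 - - [01/Sep/2010:00:02:09 -0800] "GET /legacy HTTP/1.0" 200 512 "SSL=ON" "SSL_RSA_WITH_3DES_EDE_CBC_SHA" "168" "168"',
    '10.0.0.9 - - [01/Sep/2010:00:02:11 -0800] "GET /health HTTP/1.1" 200 2 "SSL=-" "-" "-" "-"',
]
# Constructed error-log lines in the "Using Version N Cipher: longname|shortname" form.
SAMPLE_ERRORLOG = [
    "[Wed Sep 01 00:01:00 2010] [info] mod_ibm_ssl: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5|34",
    "[Wed Sep 01 00:01:00 2010] [info] mod_ibm_ssl: Using Version 3 Cipher: TLS_RSA_WITH_AES_128_CBC_SHA|2F",
]

if __name__ == "__main__":
    print(summarize_access_log(SAMPLE_ACCESS))
    print(attempted_cipher_order(SAMPLE_ERRORLOG))
```

Because the server picks the first specification in its list that the client also supports, the per-cipher counts tell you how many clients would be affected if a weaker specification near the top of the recommended list were removed.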

SSL for multiple IP virtual hosts

When you do not define an SSL directive on a virtual host, the server uses the default for that directive. You can define different SSL options for various virtual hosts. To enable SSL:

Specify the SSLEnable directive in the virtual host stanza of the configuration file, to enable SSL for that virtual host.
Specify a Keyfile directive.
Add any other SSL directives you want enabled for that particular virtual host.
Restart the server.

With all the above security options enabled, your virtual host stanza may look like this:

SSLEnable
Keyfile keyfile.kdb
SSLClientAuth required

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2.
## Excluding it in the presence of the SSLv3 configuration above disables SSLv2 support.
## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

Courtesy:http://josephamrithraj.wordpress.com/2010/09/04/advanced-ssl-configuration-on-ibm-http-server-client-authentication-and-ciphers/

Virtual Users with SAML in WebLogic

A small blog post on how you can use virtual users on your SAML Service Provider WebLogic Server. A virtual user is a user who is authenticated on the SAML Identity Provider and transferred (with all his attributes and roles) in a SAML token to the Service Provider; this user does not need to exist on the Service Provider's WebLogic server.
Before you can use this feature you need to set up SAML 2.0 SSO on your WebLogic domain. You can follow this blog post for all the instructions. You can also do this with web services, but then you need to follow this guide.

First we need to enable Generate Attributes on the Identity Provider side.
Go to the myrealm security realm -> Providers -> Credential Mapping -> your SAML 2.0 Credential Mapping Provider -> Provider Specific.
Also do this on the imported Service Provider Partner, located on the Management tab of your SAML 2.0 Credential Mapping Provider. Open the Service Provider Partner and enable Generate Attributes there as well.

The next step is to configure the SAML Service Provider.
Go to the myrealm security realm -> Providers -> Authentication -> your SAML 2.0 Identity Assertion Provider -> Management tab.
Open your imported Identity Provider Partner configuration.
Enable Virtual User and also enable Process Attributes.

Now we need to add an extra WebLogic SAML Authentication Provider. This provider will process the virtual user SAML token with all its attributes and roles.
Set its Control Flag to Sufficient, and also change the other authentication provider from Required to Sufficient.

Courtesy:http://biemond.blogspot.com/2011/09/virtual-users-with-saml-in-weblogic.html

How to collect performance data on Linux

Collect the following information when high CPU consumption occurs in an IBM Java process:
Enable garbage collection trace, if possible, to see whether Java garbage collection is thrashing. To enable Java garbage collection trace on IBM WebSphere Application Server, refer to the document: Enabling verbose garbage collection (verbosegc) in WebSphere Application Server.


Run the following command:

top -d delaytime -c -b > top.log

where delaytime is the number of seconds to wait between samples. This must be 60 seconds or greater, depending on how soon the failure is expected.


Create a script file, vmstat.sh with the following content:

#!/bin/sh
# vmstat.sh - capture vmstat output at intervals, truncating and restarting the log
# after LIMIT intervals
# output file name (first argument)
VMSTAT_LOG=$1
# number of samples before the log is truncated and restarted
LIMIT=288
# sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
  i=0
  echo > "$VMSTAT_LOG"
  while [ $i -le "$LIMIT" ]
  do
    date >> "$VMSTAT_LOG"
    # 12 samples at 5 second intervals
    vmstat 5 12 >> "$VMSTAT_LOG"
    i=`expr $i + 1`
    sleep $SLEEP_TIME
  done
done

Create a script, ps.sh with the following content:

#!/bin/sh
# ps.sh - capture a per-thread process listing at intervals, truncating and
# restarting the log after LIMIT intervals
# output file name (first argument)
PS_LOG=$1
# number of samples before the log is truncated and restarted
LIMIT=288
# sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
  i=0
  echo > "$PS_LOG"
  while [ $i -le "$LIMIT" ]
  do
    date >> "$PS_LOG"
    # -L lists every thread (LWP) of every process
    ps -eLf >> "$PS_LOG"
    i=`expr $i + 1`
    sleep $SLEEP_TIME
  done
done

Make both scripts executable and run them in the background (they loop until terminated):

./ps.sh ps_eLf.log &
./vmstat.sh vmstat.log &

Notes:
• The scripts ps.sh and vmstat.sh, as provided, roll over every 24 hours.
• You might need to modify the scripts to meet your needs.
• The preceding scripts will run forever. After the error condition is reached, you will have to terminate them.


When high CPU consumption occurs, collect the following logs:

netstat -an > netstat1.out


If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver1.out


Run the following:

kill -3 [PID_of_problem_JVM]


The kill -3 commands create javacore*.txt files.

Note: If you are not able to determine which JVM process is experiencing the high CPU usage, then you should issue the kill -3 PID for each of the JVM processes.

Wait two minutes.

Run the following:

kill -3 [PID_of_problem_JVM]

Wait two minutes.

Run the following:

kill -3 [PID_of_problem_JVM]

Wait two minutes.

Run the following:

netstat -an > netstat2.out

If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver2.out

If you are unable to generate javacore files, then perform the following:

kill -11 [PID_of_problem_JVM]

WARNING: kill -11 will terminate the JVM process, produce a core file, and possibly a javacore.


Review all the output files and collect the following files for the IBM Performance Analysis Tool for Java for Linux:

ps_eLf.log
javacore*.txt files
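The reason the note asks for both ps_eLf.log and the javacores is that the two can be correlated: ps -eLf shows the CPU share of each thread (the LWP column is the kernel thread id), while an IBM javacore reports each Java thread's native thread ID in hexadecimal. Here is an added Python 3 example (not from the IBM note) that reads a ps_eLf.log capture as written by ps.sh above, skips the date stamps the script interleaves, and prints the busiest threads with their LWP in hex so they can be looked up in the javacore taken at the same time. The sample capture is constructed in the column layout ps -eLf produces on Linux (UID PID PPID LWP C NLWP STIME TTY TIME CMD).

```python
"""Find the busiest threads in a ps -eLf capture (ps_eLf.log) and print their
LWP in hexadecimal, the form in which an IBM javacore reports native thread IDs.

Added example, not from the IBM note. The sample capture is constructed in the
layout ps -eLf produces on Linux (UID PID PPID LWP C NLWP STIME TTY TIME CMD).
"""

PS_COLUMNS = ("UID", "PID", "PPID", "LWP", "C", "NLWP", "STIME", "TTY", "TIME", "CMD")


def parse_ps_elf(text):
    """Yield one dict per thread line; date lines, header lines and blanks are skipped."""
    for line in text.splitlines():
        fields = line.split(None, len(PS_COLUMNS) - 1)   # keep CMD (with spaces) intact
        if len(fields) < len(PS_COLUMNS) or fields[0] == "UID":
            continue
        if not (fields[1].isdigit() and fields[3].isdigit() and fields[4].isdigit()):
            continue
        rec = dict(zip(PS_COLUMNS, fields))
        rec["PID"], rec["LWP"], rec["C"] = int(rec["PID"]), int(rec["LWP"]), int(rec["C"])
        yield rec


def busiest_threads(text, n=3, command_filter="java"):
    """Return the n threads with the highest C (CPU %) column as
    (cpu, pid, lwp, lwp_hex, cmd) tuples, highest first."""
    threads = [r for r in parse_ps_elf(text) if command_filter in r["CMD"]]
    threads.sort(key=lambda r: r["C"], reverse=True)
    return [(r["C"], r["PID"], r["LWP"], "0x%X" % r["LWP"], r["CMD"]) for r in threads[:n]]


# Constructed sample: one date stamp (written by ps.sh) followed by a ps -eLf
# snapshot of a JVM with three threads and one unrelated process.
SAMPLE_PS_LOG = """\
Thu Sep 14 00:11:57 UTC 2010
UID        PID  PPID   LWP  C NLWP STIME TTY          TIME CMD
was       4242     1  4242  0   40 00:00 ?        00:00:01 /opt/IBM/WebSphere/AppServer/java/bin/java -Xmx1024m
was       4242     1  4250  2   40 00:00 ?        00:00:03 /opt/IBM/WebSphere/AppServer/java/bin/java -Xmx1024m
was       4242     1  4301 97   40 00:00 ?        00:09:10 /opt/IBM/WebSphere/AppServer/java/bin/java -Xmx1024m
root      1234     1  1234  1    1 00:00 ?        00:00:00 /usr/sbin/sshd
"""

if __name__ == "__main__":
    for cpu, pid, lwp, lwp_hex, cmd in busiest_threads(SAMPLE_PS_LOG):
        print(f"{cpu:3d}% pid={pid} lwp={lwp} ({lwp_hex}) {cmd}")
```

On a real capture, pass the contents of ps_eLf.log to busiest_threads and search the javacore taken at the same time for the hex value (0x10CD in the sample) to find the Java thread and its stack.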

Courtesy:http://wasissues.blogspot.com/

Configuring OpenLDAP as a SiteMinder Policy Store

SiteMinder supports OpenLDAP for use as a Policy Store. OpenLDAP provides a freely available, replicated directory that can be used as a redundant store for SiteMinder’s configuration information. Unfortunately, the SiteMinder documentation covering how to configure OpenLDAP is at best incomplete and at worst incorrect. This article breaks down the steps required to enable OpenLDAP to be a Policy Store and configure the Policy Server to leverage the directory. Keep in mind that SiteMinder currently only supports OpenLDAP 2.3.x. This means that only Master/Slave replication is supported. While this is sufficient to ensure the availability of the Policy Store, if the Master directory is down, no policy or key updates can be performed. This article also assumes that the Key Store is set to the default setting of using the Policy Store as the location to store key information. Switch the directory paths outlined below to use backslashes if these steps are being performed on Windows.

1. Download and Install OpenLDAP
This article does not cover the specific details on how to build and install OpenLDAP. The details for this can be found on the OpenLDAP site. A quick start guide is located there as well.

2. Download the OpenLDAP Schema Files for SiteMinder
OpenLDAP is considered a "Tier 2" directory for SiteMinder. As such, the ability to configure the directory as a Policy Store is not automated. In order to obtain the needed schema files for the Policy Store, the "CA SiteMinder Tier 2 Directories- ESD Only" package must be downloaded. To download this file (current as of 10/12/2011):

1. Log in to the Technical Support Site
2. Click “Download Center” in the lefthand navigation
3. Type siteminder into the “Select a Product” field
4. Select the listed SiteMinder product
5. Select 12.0 in the “Select a Release” drop-down
6. Select SP3 in the “Select a Gen level” drop-down
7. Click the [GO] button
8. Scroll down to the bottom of the list of returned downloads
9. Download and unzip the “CA SiteMinder Tier 2 Directories- ESD Only” download to the Policy Server

3. Configure OpenLDAP To Support the SiteMinder Policy Store
The OpenLDAP server requires manual configuration to support its use as a SiteMinder Policy Store. The following steps are required:

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration
3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store
3d. Create the base Policy Store structure
3e. Restart OpenLDAP

Note that these instructions assume that the install location for OpenLDAP is under the /usr/local path and the default directories are used. For this example, the root of the directory is “dc=company,dc=com” for the location of the Policy Store. These steps will need to be modified if a different path or directory structure is used.

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
The OpenLDAP schema needs to be extended to support the SiteMinder Policy Store objects. This is done by copying the schema files to the server and adding them into the slapd.conf configuration file. To copy the schema files:
.........
More Here

Courtesy:http://www.coreblox.com/blog/2011/10/configuring-openldap-as-a-siteminder-policy-store/

SiteMinder federation to SharePoint 2010

This paper shows how to configure identity federation between CA SiteMinder and Microsoft SharePoint 2010, using the CA Federation Manager Add-on for SiteMinder. Two scenarios are presented. The first is an intra-organizational scenario that is useful where SiteMinder, the user accounts, and SharePoint are all maintained within the enterprise. The second is a traditional identity federation scenario where the user accounts are maintained outside of the enterprise hosting SharePoint. A federated identity environment features the following advantages:

· Helps control Information Technology (IT) costs and gain efficiencies. Federation targets areas that require lots of manual processes such as user account management, and access management. These manual processes are the focus of cost control.

· Enables compliance with expanding regulatory requirements. A standards-based identity federation can increase security of websites and portals and enable an organization to identify and authenticate a user only once. The organization can then use that identity information to access multiple systems which can include websites of external partners and various portals.

While both scenarios create a federated identity environment, the techniques and methodology used in the two lab scenarios differ. The two lab scenarios are:

1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted Identity Provider for SharePoint and authenticates users to one or more user directories maintained within the organization. Once authenticated, these users (which may be employees, partners or customers) can access SharePoint as well as other applications protected by SiteMinder. This lab scenario uses the CA Federation Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation Security Services) to generate a WS-Federation 1.0 token that is in turn read by SharePoint 2010.

2. Lab scenario 2 - Cross-organization, traditional federation scenario. In this lab scenario, SiteMinder is deployed at the external partner organization, along with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is deployed within the enterprise where SharePoint is hosted. SiteMinder authenticates the partners against the partner organization's user directory and generates a SAML 2.0 token. AD FS 2.0, which acts as a security token service, translates the SAML 2.0 token into a WS-Federation token for use with SharePoint. In this lab scenario, we also configure SharePoint's native claims-based Windows provider to illustrate how employees within the enterprise could access SharePoint alongside partners who use the federated approach (the claims-based Windows provider is listed along with the other Identity Providers configured in AD FS 2.0; in the lab it is identified as ADFSMachine.CompanyA.com).

Courtesy:http://interopvendoralliance.org/labs/siteminder-federation-to-sharepoint-2010.aspx

SiteMinder Overview

CA SiteMinder is enterprise-level web access management software which allows organizations to manage their web users and control their access to applications, portals and web services.

SiteMinder consists of two core components:

Policy Server:

The Policy Server provides policy management, authentication, authorization, and accounting.

SiteMinder Agents:

Integrated with a standard Web server or application server, SiteMinder Agents enable SiteMinder to manage access to Web applications and content according to predefined security policies.

How CA SiteMinder Works:

The process for securely accessing web applications:

1. User attempts to access a protected resource.

2. User is challenged for credentials and presents them to the CA SiteMinder web agent or to the Secure Proxy Server.

3. The user’s credentials are passed to the Policy Server.

4. The user is authenticated against the appropriate user store.

5. The Policy Server evaluates the user’s entitlements and grants access.

6. User profile and entitlement information is passed to the application.

7. The user gets access to the secured application, which delivers customized content.

Courtesy:http://webspheresolution.wordpress.com/2011/09/29/siteminder-overview/

Earn Money With iPhone Apps


The most comprehensive guide to creating lucrative iPhone applications (apps for short). Our guide explains how to create new iPhone apps and get them listed on the Apple iPhone App Store. Profit from iPhones now!




How To Create iPhone Apps With No Programming Experience



Discover how to create iPhone apps easily with no programming experienced required. Learn from some of the top iPhone app developers to get your app created now.


Finding a broadband comparison service online

If you are thinking of finding a new broadband connection, then by far the best and easiest way to do it is to search for one online. First of all, it is cheaper to buy a broadband deal online. Because it is cheaper for companies to be set up on the net, their overheads are lower, so you can expect a better deal. You will also find that there is far more choice online, which makes things easier for you.

Of course, with all of this choice comes another problem in itself. You will find it difficult to narrow things down so that you can choose the right deal! The best way to get around this problem is to use a broadband comparison service on the internet. These sites make searching for broadband deals so much easier. You will be able to look at a range of different broadband deals next to each other so that you can really see which is the most valuable.

Another good thing to do is to try to bundle your broadband contract with your home phone contract and your satellite television contract. Doing this normally leads to some sort of discount on all three, and you can still use comparison sites to look at these deals alongside one another. To find out about broadband, phone and digital TV deals you should also search for review sites online so that you can read reviews of the best ones. For instance, if you are thinking of signing up to a deal with Sky, you should be looking for a Sky broadband review site so you can find out how they perform in terms of customer service. Just take your time making your decision, and make sure you know exactly what you are signing up for before you sign up for it!

Finding a quality server cabinet for less online

If you run a business that relies on computers then you will be well aware of how important it is to have a good contact that can deal with any computer issues you have. If any parts fail in your computer system it is imperative that you are able to get the replacement parts you need quickly and easily with plenty of choice too. It’s not always easy to do this, so to help yourself in the future you should work on finding a website that can service all your needs. If you find a decent site then you can go back to it and back to it, knowing that you will be able to solve your problems quickly and easily.

Finding the right site depends largely on what your system requires, but if you have things like a server cabinet that might need changing from time to time, it is important that you find a site which is able to give you plenty of options. A server cabinet can be expensive, but there are some sites which will offer new, used and refurbished parts, meaning you can save a bit of money on occasions.

Some sites are fantastic both for sourcing the more unusual parts and keeping in stock the parts that you require more frequently. You should look out for companies who keep a ready stock of things like Netgear routers, because this is the sort of thing that you are going to need sent out the very next day, so stock is important in this respect.

To find the right sort of site, it is best to search for something like "computer parts UK" to make sure you end up with a company that is based close by. Otherwise, you could find that you are subject to very expensive delivery fees. Look for companies that will source parts for you even if they don't have them in stock themselves, and try to make sure that the site you find is able to deliver quickly and cheaply and to offer you plenty of options when it comes to buying computer parts.

CA Identity Manager High Availability & JBoss Clustering

CA Identity Manager 12.x uses caching for transactions. This feature can cause synchronization issues if the application is set up in a high availability mode without application server clustering.

An example I can give is a project I was involved with using JBoss as the CA IdM application server. As such I will be addressing JBoss clustering in this entry.

JBoss uses a Hypersonic database to manage internal JMS data (JMS queues). JBoss uses the JMS queues for tracking tasks and processes within the application. It is recommended to use a shared MS SQL database for the JMS database. There are documents available online which explain how to migrate from Hypersonic to MS SQL. In my example we opted to use the same MS SQL infrastructure used by Identity Manager to house the JMS database. In simplified terms, the steps to cluster IdM on JBoss are as follows:

1. Create a new SQL database (JBOSS_JMS)
2. Create a user/owner for this DB (jbossjms)
3. Migrate JBoss to SQL from the Hypersonic DB
4. Bring all services back up and test to ensure the migration was successful
5. Follow the procedures in the IdM documentation to configure JBoss clustering

More Here

Courtesy:http://www.idmworks.com/blog/ca-identity-manager-high-availability-jboss-clustering

Oracle Fusion Stack 11g Install Videos

  • Oracle Identity Manager 11g
  • Oracle Access Manager 11g
  • Oracle Adaptive Access Manager 11g
  • Oracle Identity Federation 11g
  • Oracle Internet Directory 11g
  • Oracle Virtual Directory 11g
  • Oracle HTTP Server
  • Oracle Directory Integration Platform 11g
  • Oracle WebLogic Server 11g
  • Oracle Database 11gR2
  • Oracle Identity Navigator 11g
  • Oracle Authorization Policy Manager
  • Oracle Platform Security Services

  1. Installing Oracle Enterprise Linux 5 Update 3 on VMWare
  2. Installing and Configuring Oracle Database 11g Revision 2 (11gR2)
  3. Installing WebLogic Server 11gR1 (10.3.3)
  More Here

Courtesy:http://idmrockstar.com/blog/2011/04/oracle-fusion-stack-11g-install-videos/

Configuring Design Console for OIM 11g

In OIM 11g, Design Console still is a required tool for system configuration, custom development and customization. But differently from OIM 9.x, Design Console 11g does not have its own installer anymore. It is installed and configured along with the OIM server installation.

One of the common questions around Design Console 11g is: if there is no installer anymore, how do I get it working on my desktop/laptop without installing the whole Identity and Access Management pack?

This is an easy task and this post describes the steps for getting it done:

1. If you don't have a JDK 1.6 on your laptop, you will have to install it.

2. Run the configuration script for OIM once again. The script is available at $IAM_HOME/bin (where IAM_HOME is the folder where the ‘Identity and Access Management Pack’ was installed). You have to run the ‘config.sh’ that is available at $IAM_HOME/bin folder and NOT the one available at ‘$IAM_HOME/common/bin/config.sh’

3. In the configuration wizard, select the 'Design Console' checkbox ONLY.

4. In the next screen, enter the OIM server host name and port. The wizard will configure the Design Console files for you.

Courtesy:http://fusionsecurity.blogspot.com/

GralicWrap Anti-Phishing Software

GralicWrap

Phishing scam artists send official-looking emails with authentic-looking logos from valid organizations and companies, and other identifying email information taken directly from genuine web pages.

These authentic-looking emails are an attempt to get you to sign in, so as to capture your password and login information. Electronic mail is one of the top methods of identity theft.

To make these phishing emails look even more genuine, the phisher will position a link so that it appears to lead to the genuine web page, but in reality it takes you to a counterfeit scam website, or a popup box may appear that looks identical to the official site.

You can stop phishing scams with good and effective anti-phishing software such as GralicWrap.

It blocks phishing, spam, viruses and other unwanted emails right at the server. GralicWrap learns from good and bad mail using its filtering method to effectively block and stop spam.

Gralicwrap anti phishing software is made up of computer programs which will attempt to identify the phishing content that may be contained in a website or email that has been sent to you. This software is normally to be found as an integrated tool within web browsers and email servers and will display the real name of the domain for the website that you are visiting. In doing this it is hoped it will prevent sites which are fraudulent from being able to masquerade as ones that are actually legitimate. Today such a function may well be included as a built in feature of a lot of web browsers.

SAML EJB Integration with PicketLink STS

In this document we show how to use PicketLink STS to validate SAML assertions and authenticate EJB clients.
Required software: JDK 6, PicketLink version 1.0.3 or later (the feature is available starting with 1.0.3.CR2).

Process Overview

The following picture illustrates the process of using SAML assertions to authenticate clients of EJB applications:

[Figure: saml-sts-module.png, the SAML/STS authentication flow for EJB clients]

The client must first obtain the SAML assertion from PicketLink STS by sending a WS-Trust request to the token service. This process usually involves authentication of the client. After obtaining the SAML assertion from the STS, the client includes the assertion in the security context of the EJB request before invoking an operation on the bean. Upon receiving the invocation, the EJB container extracts the assertion and validates it by sending a WS-Trust validate message to the STS. If the assertion is considered valid by the STS (and the proof of possession token has been verified if needed), the client is authenticated.



On JBoss, the SAML assertion validation process is handled by the SAML2STSLoginModule. It reads properties from a configurable file (specified by the configFile option) and establishes communication with the STS based on these properties. We will see what such a configuration file looks like later on. If the assertion is valid, a Principal is created using the assertion subject name and, if the assertion contains roles, these roles are also extracted and associated with the caller's Subject.

EJB3 Integration Example

In this section we present a sample EJB3 application that authenticates clients by validating their SAML assertions with PicketLink STS. The deployments for both the EJB3 application and the STS can be found attached in this document.

EJB3 Sample App

Our EJB3 application consists of a simple stateless session bean. The session interface can be seen below:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb3;
 
 
import java.security.Principal;
 
 
/**
*
* This is the remote interface of session beans used in the EJB3 security tests.
*
*
* @author Stefan Guilhen
*/

public interface SimpleSession
{
   /**
    *
    * This is a method available for regular users and administrators. Implementations must annotate either the class or
    * this method with {@code @RolesAllowed({"RegularUser", "Administrator"})} to enforce that only these roles should
    * be granted access to this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeRegularMethod();
 
 
   /**
    *
    * This is a method available for administrators only. Implementations must annotate either the class or this method
    * with {@code @RolesAllowed({"Administrator"})} to enforce that only administrators should be granted access to
    * this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeAdministrativeMethod();
 
 
   /**
    *
    * This is a method available for all authenticated users, regardless of role. Implementations must annotate this
    * method with {@code @PermitAll} to specify that all security roles should be granted access.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnprotectedMethod();
 
 
   /**
    *
    * This is a method that is unavailable for everybody. Implementations must annotate this method with
    * {@code @DenyAll} to specify that access should be restricted for everybody.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnavailableMethod();
 
 
}

And this is the implementation class:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb3;
 
 
import java.security.Principal;
 
 
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
 
 
/**
*
* Stateless session bean implementation used in the EJB3 security tests.
*
*
* @author Stefan Guilhen
*/

@Stateless
@Remote(SimpleSession.class)
@RolesAllowed({"RegularUser", "Administrator"})
public class SimpleStatelessSessionBean implements SimpleSession
{
 
 
   @Resource
   private SessionContext context;
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeRegularMethod()
    */

   public Principal invokeRegularMethod()
   {
      // this method allows the same roles as the class.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeAdministrativeMethod()
    */

   @RolesAllowed({"Administrator"})
   public Principal invokeAdministrativeMethod()
   {
      // this method overrides the roles defined by the class to grant access to administrators only.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnprotectedMethod()
    */

   @PermitAll
   public Principal invokeUnprotectedMethod()
   {
      // this method overrides the roles defined by the class to grant access to all roles.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnavailableMethod()
    */

   @DenyAll
   public Principal invokeUnavailableMethod()
   {
      // this method should never be called - it overrides the class roles to deny access to all roles.
      return this.context.getCallerPrincipal();
   }
}

The session defines four methods: invokeRegularMethod (available to both Administrators and RegularUsers), invokeAdministrativeMethod (available to Administrators only), invokeUnprotectedMethod  (available to all authenticated clients), and invokeUnavailableMethod (annotated with @DenyAll and thus unavailable to all roles).

Besides the sample session classes, our ejb3-sampleapp.jar contains the application policy definition for the EJBs:

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb3-sampleapp">
      <authentication>
         <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="configFile">sts-config.properties</module-option>
         </login-module>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">ejb3-sampleapp-users.properties</module-option>
            <module-option name="rolesProperties">ejb3-sampleapp-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

The policy defines two login modules: SAML2STSLoginModule and UsersRolesLoginModule. The first will be responsible for validating the assertion with the STS in order to authenticate the client, while the second will be responsible for retrieving the client's roles from a properties file. In order to validate the SAML assertions, SAML2STSLoginModule needs information about the STS, like its endpoint URL, service name, port name, etc. This information is supplied by the sts-config.properties file:

serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS
username=JBoss
password=JBoss

The last two properties specify the username and password that will be used to authenticate the JBoss server to the STS when the WS-Trust validate message is dispatched. In other words, SAML2STSLoginModule itself needs to authenticate to the STS when validating the SAML assertions, and these properties specify the credentials it uses for that. Note that these credentials are stored in clear text, so the file should be readable only by the account that runs JBoss, and because the STS is protected by HTTP BASIC authentication (see its web.xml below), the endpointAddress should point at an HTTPS endpoint anywhere but on a local test box.

In our sample applications we will have three users (UserA, UserB, UserC), each with different roles. The ejb3-sampleapp-roles.properties file specifies the roles that have been assigned to each user:

UserA=RegularUser,Administrator
UserB=RegularUser
UserC=Guest

As we can see, UserA is both a RegularUser and an Administrator, so he should be able to call all methods except for invokeUnavailableMethod. UserB is a RegularUser, so he should be able to call the invokeRegularMethod and invokeUnprotectedMethod methods. UserC is a Guest and should be able to invoke only the unprotected method of our sample EJB.

For the sake of completeness, here we can see the jboss.xml file of our ejb3-sampleapp.jar:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
      "-//JBoss//DTD JBOSS 5.0//EN"
      "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
   <security-domain>java:/jaas/ejb3-sampleapp</security-domain>
</jboss>

All the configuration files can be found in the ejb3-sampleapp.jar that has been attached to this document.

PicketLink STS

Our PicketLink STS application is a tweaked version of the picketlink-sts.war file that is available on the PicketLink project downloads page. More specifically, we created a new security domain for the STS in jboss-web.xml, included an application policy for the new domain that uses the UsersRolesLoginModule to authenticate STS clients, included the users and roles properties files, and changed the required role in web.xml to STSClient.

This is the content of the STS web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

   <servlet>
      <servlet-name>PicketLinkSTS</servlet-name>
      <servlet-class>org.picketlink.identity.federation.core.wstrust.PicketLinkSTS</servlet-class>
   </servlet>
   <servlet-mapping>
      <servlet-name>PicketLinkSTS</servlet-name>
      <url-pattern>/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>TokenService</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>STSClient</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>PicketLinkSTSRealm</realm-name>
   </login-config>

   <security-role>
      <role-name>STSClient</role-name>
   </security-role>

</web-app>

STS callers must all have the STSClient role in order to send a WS-Trust request to the STS. Note that because the web-resource-collection lists GET and POST explicitly, only those two methods are subject to the auth-constraint; a request using any other method is not covered by it. Leaving the http-method elements out makes the constraint apply to every method, which is the safer default.

The STS security domain is specified by the jboss-web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
   <security-domain>java:/jaas/sts-domain</security-domain>
</jboss-web>

The application policy for the sts-domain is defined in the sts-jboss-beans.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="sts-domain">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">sts-users.properties</module-option>
            <module-option name="rolesProperties">sts-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

The sts-users.properties file specifies the usernames and passwords of the STS callers:

JBoss=JBoss
UserA=PassA
UserB=PassB
UserC=PassC

The sts-roles.properties file specifies the roles of the STS callers:

JBoss=STSClient
UserA=STSClient
UserB=STSClient
UserC=STSClient

Notice that the JBoss user represents the JBoss server during the SAML validation process. All other users are the clients of the EJB3 sample application - they send a message to the STS to acquire a SAML assertion before calling the methods on the EJB3 application.

Client Application

The SAMLEJB3IntegrationTest shows what happens when each of the users (UserA, UserB, and UserC) acquire a SAML assertion from PicketLinkSTS and invoke all methods on the sample EJB3. Let's take a look at the code:

/*
* JBoss, Home of Professional Open Source Copyright 2009, Red Hat Middleware
* LLC, and individual contributors by the @authors tag. See the copyright.txt
* in the distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This software is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this software; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
* site: http://www.fsf.org.
*/

package test;
 
import java.security.Principal;
import java.util.Hashtable;
 
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.jboss.test.security.ejb3.SimpleSession;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
*
* This class tests the usage of SAML assertions to authenticate clients of EJB3 applications on JBoss. This is
* accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
* the assertion as the credential when calling the protected EJB3.
*
*
* The protected EJB3 application used in this test has configured the {@code SAML2STSLoginModule}. This login
* module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
* module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
*
*
* @author Stefan Guilhen
*/

public class SAMLEJB3IntegrationTest
{
 
   private Hashtable env;
  
   public static void main(String[] args) throws Exception
   {
      SAMLEJB3IntegrationTest test = new SAMLEJB3IntegrationTest();
      test.testSAMLEJB3Integration("UserA", "PassA");
      test.testSAMLEJB3Integration("UserB", "PassB");
      test.testSAMLEJB3Integration("UserC", "PassC");
   }
  
   public SAMLEJB3IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable();
      this.env.put("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
  
   public void testSAMLEJB3Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
            new SecurityInfo(username, password));
     
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // use the SecurityClient API to set the assertion in the client security context.
      SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
      securityClient.setSimple(username, new SamlCredential(assertion));
      securityClient.login();
     
      // invoke the EJB3 bean - the assertion will be propagated with the security context.
      System.out.println(username + " invoking secure EJB3 session bean");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleStatelessSessionBean/remote");
      SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(object, SimpleSession.class);
     
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println(principal.getName() + " successfully called administrative method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call administrative method!");
      }
     
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println(principal.getName() + " successfully called regular method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println(principal.getName() + " successfully called unprotected method!");
      }
      catch (EJBAccessException eae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println(username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println(principal.getName() + " successfully called unavailable method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call unavailable method!");
      }
   }
}

As we can see, the assertion is first obtained using the WSTrustClient API. Once the assertion has been acquired, we use the SecurityClient API to push it into the client-side security context. Then we attempt to call all methods on the sample EJB3 session and print the results of these calls.

Deploying and Running the EJB3 Sample Application on JBoss AS5

In order to get the sample application running you must first install the PicketLink jar files on JBoss. This is accomplished by copying picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar (both attached in this document) to the JBOSS_HOME/server/partition/lib folder, where partition is the server configuration you run (default in the log below). After installing the required PicketLink libs you must copy ejb3-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/partition/deploy.

After copying the required PicketLink jars and deploying the sample application and the STS war, start that JBoss server configuration. If everything is ok, you should see something like the following in the log:

21:02:10,099 INFO  [SessionSpecContainer] Starting jboss.j2ee:jar=ejb3-sampleapp.jar,name=SimpleStatelessSessionBean,service=EJB3
21:02:10,108 INFO  [EJBContainer] STARTED EJB: org.jboss.test.security.ejb3.SimpleStatelessSessionBean ejbName: SimpleStatelessSessionBean
21:02:10,152 INFO  [JndiSessionRegistrarBase] Binding the following Entries in Global JNDI:

    SimpleStatelessSessionBean/remote - EJB3.x Default Remote Business Interface
    SimpleStatelessSessionBean/remote-org.jboss.test.security.ejb3.SimpleSession - EJB3.x Remote Business Interface

21:02:10,306 INFO  [TomcatDeployment] deploy, ctxPath=/
21:02:11,375 INFO  [WSDLFilePublisher] WSDL published to: file:/opt/workspace-jboss/jbossas-trunk/build/target/jboss-6.0.0-SNAPSHOT/server/default/data/wsdl/picketlink-sts-1.0.0.war/PicketLinkSTS.wsdl
21:02:11,482 INFO  [DefaultEndpointRegistry] register: jboss.ws:context=picketlink-sts-1.0.0,endpoint=PicketLinkSTS
21:02:11,543 INFO  [TomcatDeployment] deploy, ctxPath=/picketlink-sts-1.0.0

In order to compile the sample client application, you need to have ejb3-sampleapp.jar, picketlink-fed-1.0.3.jar (both attached in this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jars manually.

In order to run the client, all you have to do is specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB3IntegrationTest


If everything has been configured and deployed properly, you should see the following output:

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
UserA invoking secure EJB3 session bean
UserA successfully called administrative method!
UserA successfully called regular method!
UserA successfully called unprotected method!
UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
UserB invoking secure EJB3 session bean
UserB is not authorized to call administrative method!
UserB successfully called regular method!
UserB successfully called unprotected method!
UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
UserC invoking secure EJB3 session bean
UserC is not authorized to call administrative method!
UserC is not authorized to call regular method!
UserC successfully called unprotected method!
UserC is not authorized to call unavailable method!

As we can see, each user had access to the expected methods. Authentication was performed by the SAML2STSLoginModule, which validated the supplied assertion with PicketLink STS, and the roles were provided by the UsersRolesLoginModule.
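The validate step that SAML2STSLoginModule performs on the server side (the WS-Trust validate message described in the process overview) can be exercised from a client as well, which is a useful check that the STS really rejects a modified assertion rather than just parsing it. The following class is an added example; it is not part of the original document or of the PicketLink distribution. It assumes the STS deployed above is running at the endpoint used by the sample client, that UserB/PassB is a valid STS user as in sts-users.properties, and that WSTrustClient.validateToken(Element) is available in the 1.0.3 client API as the counterpart of the validate call the login module makes. After obtaining an assertion it reads the Subject NameID, asks the STS to validate the untouched assertion, then rewrites the NameID on a copy and validates again: a correctly signed assertion must pass the first check and fail the second, because the modification invalidates the issuer's signature.

```java
package test;

import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not part of the original document): checks that the STS validates an
 * assertion it issued and rejects a copy whose subject was rewritten. Service name, port
 * name and endpoint are those of the sample client; the credentials are the sample STS user.
 */
public class SAMLValidationCheck
{
   private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

   public static void main(String[] args) throws Exception
   {
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
            new SecurityInfo("UserB", "PassB"));

      // 1. obtain an assertion exactly as the EJB client does.
      Element assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
      System.out.println("Subject NameID as issued: " + subjectName(assertion));

      // 2. the untouched assertion must validate; this is the check the login module relies on.
      System.out.println("Untouched assertion valid: " + isValid(client, assertion));

      // 3. impersonation attempt: rewrite the subject on a copy, leaving the signature as it was.
      Element tampered = (Element) assertion.cloneNode(true);
      NodeList ids = tampered.getElementsByTagNameNS(SAML2_NS, "NameID");
      if (ids.getLength() == 0)
         throw new IllegalStateException("assertion has no Subject NameID");
      ids.item(0).setTextContent("UserA");
      System.out.println("Subject NameID after tampering: " + subjectName(tampered));

      // 4. the STS must refuse it: the digest over the assertion no longer matches the signature.
      System.out.println("Tampered assertion valid: " + isValid(client, tampered));
   }

   /** Returns the text of the first saml:NameID in the assertion, or null if there is none. */
   static String subjectName(Element assertion)
   {
      NodeList ids = assertion.getElementsByTagNameNS(SAML2_NS, "NameID");
      return ids.getLength() == 0 ? null : ids.item(0).getTextContent();
   }

   /** Sends a WS-Trust validate request; a fault from the STS is treated as a rejection. */
   static boolean isValid(WSTrustClient client, Element assertion)
   {
      try
      {
         return client.validateToken(assertion);
      }
      catch (WSTrustException wse)
      {
         System.out.println("STS rejected the assertion: " + wse.getMessage());
         return false;
      }
   }
}
```

Compile and run it with the same classpath as the sample client (java -cp CLASSPATH test.SAMLValidationCheck). If the tampered copy also validates, the STS is not verifying the assertion signature and the EJB application is trusting whatever subject the caller puts in the token.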

EJB2 Integration Example

In this section we present the EJB2 version of the sample application (ejb2-sampleapp.jar, which can be found attached to this document). The sample session bean performs the same operations as in the EJB3 example, but let's take a look at the classes anyway.

The remote and home interfaces look as follows:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.EJBObject;
 
/**
*
* This is the remote interface of the session bean used in the EJB2 SAML security test.
*
*
* @author Stefan Guilhen
*/

public interface SimpleEJB2Session extends EJBObject
{
   /**
    *
    * This is a method available for regular users and administrators. The deployment descriptor must enforce that
    * only users in RegularUser or Administrator roles are granted access to this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeRegularMethod() throws RemoteException;
 
   /**
    *
    * This is a method available for administrators only. The deployment descriptor must enforce that only users in the
    * Administrator role are granted access to this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeAdministrativeMethod() throws RemoteException;
 
   /**
    *
    * This is a method available for all authenticated users, regardless of role. The deployment descriptor must
    * contain an {@code unchecked} element for this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnprotectedMethod() throws RemoteException;
 
   /**
    *
    * This is a method that is unavailable for all roles. The deployment descriptor must add this method to the
    * {@code exclude-list} element.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnavailableMethod() throws RemoteException;
 
}

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
 
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
 
/**
*
* This is the home interface of the session bean used in the EJB2 SAML security test.
*
*
* @author Stefan Guilhen
*/

public interface SimpleEJB2SessionHome extends EJBHome
{
   /**
    *
    * Creates and returns a reference to the {@code SimpleEJB2Session} interface.
    *
    *
    * @return a reference to the {@code SimpleEJB2Session} remote interface.
    */

   public SimpleEJB2Session create() throws CreateException, RemoteException;
 
}

And here we can see the implementation class:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
 
public class SimpleEJB2SessionBean implements SessionBean
{
    private SessionContext context;
 
    /**
     *
     * {@code ejbCreate} method required by the EJB2 specification.
     *
     *
     * @throws CreateException if an error occurs while creating the session bean.
     */

    public void ejbCreate() throws CreateException
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbActivate()
     */

    public void ejbActivate()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbPassivate()
     */

    public void ejbPassivate()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbRemove()
     */

    public void ejbRemove()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#setSessionContext(javax.ejb.SessionContext context)
     */

    public void setSessionContext(SessionContext context)
    {
        this.context = context;
    }
 
    /*
     * (non-Javadoc)
     *
     * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeRegularMethod()
     */

    public Principal invokeRegularMethod()
    {
       // this method can be invoked by RegularUser and Administrator roles.
       return this.context.getCallerPrincipal();
    }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeAdministrativeMethod()
    */

   public Principal invokeAdministrativeMethod()
   {
      // this method can be invoked by the Administrator role only.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnprotectedMethod()
    */

   public Principal invokeUnprotectedMethod()
   {
      // this method can be invoked by any role.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnavailableMethod()
    */

   public Principal invokeUnavailableMethod()
   {
      // this method cannot be invoked by any role.
      throw new EJBException("Excluded method - no access should be allowed");
   }
}

The application policy definition (ejb2-sampleapp-jboss-beans.xml), the properties files used by the UsersRolesLoginModule, the STS configuration file, and the META-INF/jboss.xml file are all very similar to the ones found in the EJB3 example. For this reason we are not going to show them here.

Now, the authorization rules must be defined in the META-INF/ejb-jar.xml deployment descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
      "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
      "http://java.sun.com/dtd/ejb-jar_2_0.dtd">

<ejb-jar>
   <display-name>EJB2 SAML Tests</display-name>
   <enterprise-beans>
      <session>
         <description>A secured stateless session bean</description>
         <ejb-name>SimpleEJB2Session</ejb-name>
         <home>org.jboss.test.security.ejb2.SimpleEJB2SessionHome</home>
         <remote>org.jboss.test.security.ejb2.SimpleEJB2Session</remote>
         <ejb-class>org.jboss.test.security.ejb2.SimpleEJB2SessionBean</ejb-class>
         <session-type>Stateless</session-type>
         <transaction-type>Container</transaction-type>
      </session>
   </enterprise-beans>

   <assembly-descriptor>
      <security-role>
         <description>The role required to invoke administrative methods</description>
         <role-name>Administrator</role-name>
      </security-role>
      <security-role>
         <description>The role required to invoke regular methods</description>
         <role-name>RegularUser</role-name>
      </security-role>

      <method-permission>
         <unchecked/>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-name>invokeUnprotectedMethod</method-name>
         </method>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Home</method-intf>
            <method-name>create</method-name>
         </method>
      </method-permission>

      <method-permission>
         <role-name>Administrator</role-name>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>*</method-name>
         </method>
      </method-permission>

      <method-permission>
         <role-name>RegularUser</role-name>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>invokeRegularMethod</method-name>
         </method>
      </method-permission>

      <exclude-list>
         <description>A method that no one can access in this deployment</description>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-name>invokeUnavailableMethod</method-name>
         </method>
      </exclude-list>
   </assembly-descriptor>
</ejb-jar>

As we can see, the invokeUnprotectedMethod is available to all roles. The Administrator role can call all methods on the bean except for invokeUnavailableMethod, which is in the exclude-list section. The RegularUser role is allowed to call only the invokeRegularMethod method besides the unprotected method.
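The permission rules above are easy to get wrong when a descriptor grows (a `*` wildcard silently widens a role, an exclude-list entry is overridden by nothing). The following is an added example, not part of the PicketLink or JBoss sample code: a small stand-alone checker that parses an assembly-descriptor with the JDK's DOM parser and computes the resulting access matrix using the EJB evaluation order (exclude-list first, then `<unchecked/>`, then role grants, with `*` and `method-intf` handled). The embedded descriptor is a constructed copy of the one above, and the role assignments for UserA, UserB and UserC are assumptions chosen to reproduce the client output shown later on this page. It goes slightly beyond the text in that it handles any number of roles and beans, not just this one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Computes the access matrix an ejb-jar.xml assembly-descriptor yields, before the jar is deployed. */
public class EjbJarPermissionCheck
{
   // Constructed sample: the assembly-descriptor of the SimpleEJB2Session bean, DOCTYPE omitted.
   static final String EJB_JAR = "<ejb-jar><assembly-descriptor>"
      + "<method-permission><unchecked/>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-name>invokeUnprotectedMethod</method-name></method>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Home</method-intf><method-name>create</method-name></method>"
      + "</method-permission><method-permission><role-name>Administrator</role-name>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Remote</method-intf><method-name>*</method-name></method>"
      + "</method-permission><method-permission><role-name>RegularUser</role-name>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Remote</method-intf><method-name>invokeRegularMethod</method-name></method>"
      + "</method-permission><exclude-list>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-name>invokeUnavailableMethod</method-name></method>"
      + "</exclude-list></assembly-descriptor></ejb-jar>";

   /** One <method> element plus the role it was granted to (null = <unchecked/>; unused for exclude-list). */
   static final class MethodSpec
   {
      final String role, ejbName, intf, name;
      MethodSpec(Element m, String role)
      {
         this.role = role;
         ejbName = text(m, "ejb-name");
         intf = text(m, "method-intf");  // null: applies to every interface
         name = text(m, "method-name");  // "*": applies to every method
      }
      boolean matches(String bean, String iface, String method)
      {
         return ejbName.equals(bean) && (intf == null || intf.equals(iface))
            && ("*".equals(name) || name.equals(method));
      }
   }

   static String text(Element parent, String tag)
   {
      NodeList nl = parent.getElementsByTagName(tag);
      return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
   }

   private final List<MethodSpec> excluded = new ArrayList<>();
   private final List<MethodSpec> grants = new ArrayList<>();

   EjbJarPermissionCheck(String xml) throws Exception
   {
      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
      // The descriptor comes out of a deployment archive: refuse DOCTYPEs so no DTD or external entity is fetched.
      f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      NodeList perms = doc.getElementsByTagName("method-permission");
      for (int i = 0; i < perms.getLength(); i++)
      {
         Element perm = (Element) perms.item(i);
         boolean unchecked = perm.getElementsByTagName("unchecked").getLength() > 0;
         NodeList roles = perm.getElementsByTagName("role-name");
         NodeList methods = perm.getElementsByTagName("method");
         for (int j = 0; j < methods.getLength(); j++)
         {
            Element m = (Element) methods.item(j);
            if (unchecked) grants.add(new MethodSpec(m, null));
            for (int k = 0; k < roles.getLength(); k++)
               grants.add(new MethodSpec(m, roles.item(k).getTextContent().trim()));
         }
      }
      NodeList excludes = doc.getElementsByTagName("exclude-list");
      for (int i = 0; i < excludes.getLength(); i++)
      {
         NodeList methods = ((Element) excludes.item(i)).getElementsByTagName("method");
         for (int j = 0; j < methods.getLength(); j++) excluded.add(new MethodSpec((Element) methods.item(j), null));
      }
   }

   /** EJB ordering: exclude-list denies first, then <unchecked/>, then any grant for a role the caller holds.
    *  A method mentioned nowhere is reported as denied: this checker fails closed. */
   boolean isAllowed(List<String> callerRoles, String bean, String iface, String method)
   {
      for (MethodSpec s : excluded) if (s.matches(bean, iface, method)) return false;
      for (MethodSpec g : grants)
         if (g.matches(bean, iface, method) && (g.role == null || callerRoles.contains(g.role))) return true;
      return false;
   }

   public static void main(String[] args) throws Exception
   {
      EjbJarPermissionCheck check = new EjbJarPermissionCheck(EJB_JAR);
      // Assumed role assignments, chosen to reproduce the three users' output shown later on this page.
      String[][] users = { { "UserA", "Administrator" }, { "UserB", "RegularUser" }, { "UserC" } };
      String[] methods = { "invokeAdministrativeMethod", "invokeRegularMethod", "invokeUnprotectedMethod", "invokeUnavailableMethod" };
      for (String[] u : users)
         for (String m : methods)
            System.out.printf("%-5s %-27s %s%n", u[0], m,
               check.isAllowed(Arrays.asList(u).subList(1, u.length), "SimpleEJB2Session", "Remote", m) ? "allowed" : "denied");
   }
}
```

Run it against the real META-INF/ejb-jar.xml of a build (pass the file contents instead of the constructed string) and compare the printed matrix with what the application team expects; a row that says "allowed" for a role that should not have it is cheaper to catch here than after deployment. The parser refuses a DOCTYPE on purpose: the sample descriptor above carries a public DTD reference, and a checker that honours it would reach out to java.sun.com or, worse, resolve attacker-supplied entities from an untrusted archive.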

Client Application

The client application for the EJB2 example is also very similar to the one used to test the EJB3 SAML integration. The main differences are the lookup code and the way the client-side security context is established.

/*
* JBoss, Home of Professional Open Source Copyright 2010, Red Hat Middleware
* LLC, and individual contributors by the @authors tag. See the copyright.txt
* in the distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This software is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this software; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
* site: http://www.fsf.org.
*/

package test;
 
import java.rmi.AccessException;
import java.security.Principal;
import java.util.Hashtable;
 
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.test.security.ejb2.SimpleEJB2Session;
import org.jboss.test.security.ejb2.SimpleEJB2SessionHome;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
*
* This class tests the usage of SAML assertions to authenticate clients of EJB2 applications on JBoss. This is
* accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
* the assertion as the credential when calling the protected EJB2.
*
*
* The protected EJB3 application used in this test has configured the {@code SAML2STSLoginModule}. This login
* module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
* module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
*
*
* @author Stefan Guilhen
*/

public class SAMLEJB2IntegrationTest
{
 
   private Hashtable env;
  
   public static void main(String[] args) throws Exception
   {
      SAMLEJB2IntegrationTest test = new SAMLEJB2IntegrationTest();
      test.testSAMLEJB2Integration("UserA", "PassA");
      test.testSAMLEJB2Integration("UserB", "PassB");
      test.testSAMLEJB2Integration("UserC", "PassC");
   }
  
   public SAMLEJB2IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable();
      this.env.put("java.naming.factory.initial", "org.jboss.security.jndi.JndiLoginInitialContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
  
   public void testSAMLEJB2Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
            new SecurityInfo(username, password));
     
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // invoke the remote EJB using the assertion as the credential.
      this.env.put("java.naming.security.principal", username);
      this.env.put("java.naming.security.credentials", new SamlCredential(assertion));
 
      System.out.println("Invoking secure EJB2 session bean with " + username + " SAML assertion");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleEJB2Session/home");
      SimpleEJB2SessionHome home = (SimpleEJB2SessionHome) PortableRemoteObject.
         narrow(object, SimpleEJB2SessionHome.class);
      SimpleEJB2Session session = home.create();
     
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println("User " + principal.getName() + " successfully called administrative method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call administrative method!");
      }
     
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println("User " + principal.getName() + " successfully called regular method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println("User " + principal.getName() + " successfully called unprotected method!");
      }
      catch (AccessException ae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println("User " + username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println("User " + principal.getName() + " successfully called unavailable method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call unavailable method!");
      }
 
   }
}

In this case we are using the JndiLoginInitialContextFactory to set the SAML assertion in the security context just to show an alternative to the SecurityClient API. The JndiLoginInitialContextFactory gets the principal and credentials from the InitialContext properties and pushes them to the security context.

NOTE: The JndiLoginInitialContextFactory approach doesn't work for EJB3 beans on JBoss AS 5.1.0.GA. An issue (JBAS-7010) has been flagged and a fix is available for JBoss 5 EAP and JBoss AS 6. So if you are using JBoss AS 5.1.0.GA make sure to use the SecurityClient API to invoke EJB3 beans using SAML.
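For comparison with the JNDI-property approach above, the following is an added example (not code from the PicketLink or JBoss sample projects) of the SecurityClient alternative the text refers to. It assumes the JBoss AS 5 client API, org.jboss.security.client.SecurityClient and SecurityClientFactory together with org.jboss.security.SimplePrincipal, and the plain org.jnp.interfaces.NamingContextFactory; the STS endpoint, the JNDI name and the bean interfaces are the ones used by the client above.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.jboss.test.security.ejb2.SimpleEJB2Session;
import org.jboss.test.security.ejb2.SimpleEJB2SessionHome;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;

/** Same flow as SAMLEJB2IntegrationTest, but the assertion is pushed through the SecurityClient API. */
public class SAMLEJB2SecurityClientExample
{
   public static void main(String[] args) throws Exception
   {
      String username = args.length > 0 ? args[0] : "UserA";
      String password = args.length > 1 ? args[1] : "PassA";

      // 1. Obtain the SAML assertion from the STS, exactly as the client above does.
      WSTrustClient stsClient = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS", new SecurityInfo(username, password));
      Element assertion = stsClient.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);

      // 2. Put principal and SamlCredential into the client-side security context (assumed JBoss AS 5 API).
      SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
      securityClient.setSimple(new SimplePrincipal(username), new SamlCredential(assertion));
      securityClient.login();
      try
      {
         // 3. A plain naming factory is enough now; no java.naming.security.* properties are needed.
         Hashtable<String, String> env = new Hashtable<>();
         env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
         env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
         env.put(Context.PROVIDER_URL, "localhost:1099");
         Context ctx = new InitialContext(env);
         SimpleEJB2SessionHome home = (SimpleEJB2SessionHome) PortableRemoteObject.narrow(
               ctx.lookup("SimpleEJB2Session/home"), SimpleEJB2SessionHome.class);
         SimpleEJB2Session session = home.create();
         System.out.println("Caller principal seen by the bean: " + session.invokeUnprotectedMethod().getName());
      }
      finally
      {
         // 4. Clear the thread's security context so a later lookup in this JVM cannot reuse the assertion.
         securityClient.logout();
      }
   }
}
```

The logout in the finally block is the part worth copying: SecurityClient associates the principal and the SAML credential with the calling thread, so in a long-lived client (a batch job, a thread pool) a missing logout leaves the assertion attached to whatever runs on that thread next.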

Deploying and Running the EJB2 Sample Application on JBoss AS5

If the PicketLink libs haven't been installed yet, install them before deploying the sample application and the STS: copy picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar (both attached to this document) to the JBOSS_HOME/server/partition/lib folder. After installing the required PicketLink libs, copy ejb2-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/partition/deploy.

In order to compile the EJB 2 sample client application, you need to have ejb2-sampleapp.jar, picketlink-fed-1.0.3.jar (both attached to this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jars manually.

In order to run the client, just specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB2IntegrationTest

If everything has been configured and deployed properly, you should see the following output (similar to the output produced by the EJB3 client application we've shown before):

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
Invoking secure EJB2 session bean with UserA SAML assertion
User UserA successfully called administrative method!
User UserA successfully called regular method!
User UserA successfully called unprotected method!
User UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
Invoking secure EJB2 session bean with UserB SAML assertion
User UserB is not authorized to call administrative method!
User UserB successfully called regular method!
User UserB successfully called unprotected method!
User UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
Invoking secure EJB2 session bean with UserC SAML assertion
User UserC is not authorized to call administrative method!
User UserC is not authorized to call regular method!
User UserC successfully called unprotected method!
User UserC is not authorized to call unavailable method!