Thursday, 1 July 2021

Testing 2 way ssl with openssl s_client

The intent of this post is to learn how to use the openssl s_client program to test 2-way SSL (mutual TLS, where the server also authenticates the client with a certificate) between client & server.

Here I am assuming you have configured your server for 2-way SSL & have generated or gathered the required certificates.

List of files required:

a) client certificate
b) client private key -> if it is protected with a passphrase you must know the passphrase
c) root CA public certificate -> i.e. the CA that signed the server certificate you will receive during the handshake (this is what s_client verifies the server against).


Openssl s_client - 2 way ssl test

bash> openssl s_client -connect abc.com:443 -CAfile ca.cert.pem  -key client_key.pem -cert client_cert.pem -tls1_2 -state -quiet
Enter pass phrase for client_key.pem:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = abc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = ca.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Note: ca.cert.pem is the root CA public certificate; the other two are the client certificate & the client private key, which has a passphrase (s_client prompts for it; -pass pass:<passphrase> or -pass file:<path> supplies it non-interactively). -connect expects host:port, e.g. abc.com:443; do not leave the port off.

Two things to check in the output above before calling the test a pass. First, "verify error:num=18:self signed certificate" at depth=0 means the certificate the server presented is self-signed and does not chain to ca.cert.pem. s_client reports this but by default carries on ("verify return:1") and the handshake still completes, so a completed handshake on its own does not prove the server is trusted; add -verify_return_error to make any verification failure abort the handshake. Second, the proof that 2-way SSL actually happened is the "read server certificate request", "write client certificate" and "write certificate verify" lines: if the server never sends a certificate request, the client certificate is never sent and you have only tested 1-way SSL.


Hope this helps :-)
Enjoy :-)

Creating user certificates with encrypted private key using openssl

The intent of this post is to list the steps to generate a user (client) certificate, signed by your own root CA, whose private key is encrypted with a passphrase.


Generate private key with passphrase

bash> openssl genrsa -des3 -passout pass:1234 -out client_key.pem 2048
(the passphrase has to be at least 4 characters long; -des3 produces the 3DES-encrypted key shown below, -aes256 is the stronger choice on current OpenSSL)

To verify that the private key is encrypted, open it in an editor: with OpenSSL 1.x it carries a Proc-Type/DEK-Info header like the one below (OpenSSL 3 writes the key in PKCS#8 form instead, so there you look for -----BEGIN ENCRYPTED PRIVATE KEY-----);

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,974D80EBEF938726

hWANCxIG3lT1qaoTqza84pk10JeGD2vUXoVRj92WI2k+eYJvVhnW/tz5cZzNeozu
............................................
............................................
............................................
-----END RSA PRIVATE KEY-----

Generate csr using above generated private key

bash> openssl req -out client.csr -new -nodes -key client_key.pem -sha256
(to proceed, it will ask you for the private key passphrase and then for the subject fields such as CN; -passin pass:<passphrase> and -subj '/CN=...' avoid the prompts. -nodes is harmless but does nothing here: it only affects a key that req generates itself, and this key is supplied with -key.)


Sign the user certificate with your own Root CA (the CA signs it, so the result is a CA-issued certificate, not a self-signed one)

bash> openssl x509 -req -days 360 -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client_cert.pem -sha256
(you will be asked for the CA private key passphrase if ca.key.pem is encrypted; -days 360 gives the certificate roughly one year of validity)



Hope this helps :-)
Enjoy :-)

Thursday, 3 June 2021

How to block Blacklisted User with OAAM PreAuthenticationCheckpoint

Block Blacklisted User with OAAM Pre Authentication Check


We can block blacklisted users using rules in OAAM. To do this at the pre-authentication checkpoint, add the blacklisted user to a group, attach that group to a condition, and attach the condition to a rule in a policy that runs at that checkpoint. All of this comes pre-seeded in OAAM (I am assuming you have imported the snapshot). View this video to get a basic understanding of how policies, rules & conditions come into action at run time.



Hope this helps :-)

Enjoy :-)

How to block a blacklisted IP/IP Range with OAAM Post authentication check

Configure Blacklisted IP in OAAM

We can block an IP or a range of IPs at the post-authentication checkpoint. This use case shows which rules, conditions & groups you need to configure in OAAM to achieve it.


The video below demonstrates how to achieve the use case;



Hope this helps :-)

Enjoy :-)

How OAAM Scoring Engine Works?

What role does the scoring engine play? What is the exact flow of the scoring mechanism?

To determine a risk score, each level applies its scoring engine to the results from the level below it. For example, to determine the policy score, the scoring engine of the policy is applied to the scores of the rules within the policy. To determine the checkpoint score, the scoring engine of the checkpoint is applied to the scores of the policies within the checkpoint. The checkpoint score and action are the final score and action of the assessment. The alerts are propagated from the rule level up to the final level.

I have prepared a video series explaining the role, need & work flow of scoring engine. Kindly watch & provide your comments.

Hope this helps :-)

Enjoy :-)

OAAM Policy Weights

What role do policy weights play in OAAM?

Weights are multiplier values applied to policy scores to influence the impact a policy has on the total score. Policies have default weights. Weights are used only when a given policy or checkpoint uses a "weighted" scoring engine; the weighted scoring engine takes the weights from its subcomponents.

For example, if you choose the weighted scoring engine at the policy level, Oracle Adaptive Access Manager uses the weight specified for each rule when calculating the policy score. Similarly, when you choose a weighted scoring engine at the policy set (checkpoint) level, Oracle Adaptive Access Manager uses the weights specified for each policy: each policy's score is multiplied by its weight, the products are summed, and the sum is divided by (total number of policies × 100). The resulting score is in the range 0 to 1000.

I have explained the functioning of policy weights in below shared video. Kindly watch & let me know if you have any comments.



Hope this helps :-)

Enjoy :-)

Thursday, 27 May 2021

OAAM 11gR2PS3 Post Authentication Checkpoint

Post Authn Checkpoint

The post-authentication checkpoint is a really important step in the checkpoint flow. How it needs to be configured & what the different outcomes of this checkpoint can be are explained in the video below.




Hope this helps :-)

Enjoy :-)