Showing posts with label OAM 12c. Show all posts
Showing posts with label OAM 12c. Show all posts

Wednesday, 14 December 2016

Enabling OCSP Validation using X.509 Authentication Scheme

Assumptions:

  • You have already configured & tested the X.509 authentication use case. And now we are enabling certificate validation using OCSP Server.
  • To setup OCSP we will be using 'openssl'. So before proceeding check if you installed openssl or not. If not go get it first.
  • You have imported the user certificate in your browser as part of X.509 Authentication.

Brief about OCSP Server:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

Steps to perform:


1) To setup OCSP Server: Steps to setup OCSP
2) Once you have setup OCSP, you will be having the following items with you;
  • CA Authority certificate (self signed) - ca.pem
  • CA private key - ca-key.pem
  • OCSP Server URL -> i.e. host and port details http://abc.us.oracle.com:6060
  • index.txt -> basically this is the file having the user certificates details which will be checked by the OCSP server for the received cert request. Based on this OCSP will respond 'good', 'revoked' or 'unknown'. It returns 'unknown' in case the cert entry is missing from the file.
    • This file name could be any name of your choice.

a) OCSP server files;

 b) Staring OCSP server


2) Goto Access Manager Configuration Settings: Select Certificate Validation



3) Select OCSP/CDP Settings:


  •  Enter OCSP Url
  •  Provide the OCSP CA Authority Certificate Subject
  • Apply the changes
4)  Now goto Authentication Scheme

5) Select X509Scheme

 6) Provide the details as required for enabling OCSP Validation

7) Now goto Authn Module

8) Select X509 Module

9) Remember to enable Cert Validation & OCSP. Provide the required details.


10) Now we need to attach the X509Scheme in our webgate profile Protected  Resource Policy.





11) Now when you fire a request from your browser, you will be asked for the user cert to be used for authentication. And if this user is not present in OCSP database i.e. the index.txt file or it is been revoked than you should get 'Authentication Failed' message.

12) To implement a use case to check certificate revocation:
Execute this command:
./openssl ca -revoke <user certificate name>
Eg: 
bash-3.2$ ./openssl ca -revoke user1\@oracle.com.crt
Using configuration from /scratch/ckukreja/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate BE.
Data Base Updated

  •  Here i have copied the cakey.pem, ca.pem & index.txt to 'demoCA' folder. Basically openssl refer to this folder as it is configured in my openssl.cnf file.
  • After this your index.txt gets updated and you can actually see the difference as well. Now when you try to access the protected resource with the user cert who has been revoked in OCSP databse, so this time OCSP will say 'revoked' to OAM server. And hence you will get authentication failed message.

Note: Important points to help you debug;

a) Always check if the log.txt file provided with OCSP server startup is getting populated with request or not.
b) If request is landing on OCSP and its a good cert request but still it is failing to authenticate than check OAM server diagnostic logs. You must be getting an exception there.


Important Informative Links:

Managing Common Services and Certificate Validation
X.509 Certificate Revocation Checking Using OCSP protocol with Oracle WebLogic Server 12c
How to set up OCSP using OpenSSL - I-Space Research Labs



That's All Guys......
Enjoy :-)

Monday, 23 February 2015

Understanding Oracle Identity Federation

Basics of OIF:

What exactly is OIF?

- Basically it enables the different entities to share their services using a global identity maintained by one of the organisation.

So what exactly it means?

Take an example to understand the usage of OIF:
- Let say a company ABC wants to use the service of a Health Care Company, so that ABC company employees can access Health Care Portal.
For this the health care company should have the ABC comapny employee database, so that when the ABC company employees wants to use the Health Care Services they can be authenticate & authorize to do so.
But ABC cann't share the database. So in this scenario how can Health Care Portal be able to become part of ABC comapny?

Answer is Federation
.

Thus here ABC Company using the OAM SSO for their employees, decides to enable the Federation feature. And the similiar OAM setup needs to be done at the Health Care side.
So in this case ABC company acts as Identity Provider (IdP) while the Health Care company as Service Provider (SP). 

What are these 2 things? IdP & SP

Oracle Identity Federation supports two integration modes with Oracle Access Manager: authentication mode and SP mode.
  • Authentication Mode (IdP)
In the authentication mode, Oracle Identity Federation delegates authentication of the user to Oracle Access Manager.
The user is redirected to an Oracle Identity Federation resource protected by WebGate, that triggers the Oracle Access Manager authentication flow. Once the user is identified, it will access the resource, and WebGate will provide to Oracle Identity Federation an HTTP header containing the user's identity.
  • SP Mode
In the SP mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
 

Use Case:
1) User access the ABC company portal, & hits the health care portal link. User is redirected to health care portal, where he is asked to enter his credentials.
 User submits his credentials which are actually saved in the ABC company database. Thus health care site sends the credentials submitted by user to the ABC comapny using SAMLv2.0 token form.
 ABC company replies in the SAMLv2.0 as well & health care portal reads the token returned by  
 ABC & based on the reply like user is valid & authorized or not. Health care portal takes the 
 decision. And makes the user to access the health care services based on that.
  
So in this way they get federated seamlessly.


References:


Enjoy :-)