Wednesday, 14 December 2016

Enabling OCSP Validation using X.509 Authentication Scheme

Assumptions:

  • You have already configured & tested the X.509 authentication use case. And now we are enabling certificate validation using OCSP Server.
  • To setup OCSP we will be using 'openssl'. So before proceeding check if you installed openssl or not. If not go get it first.
  • You have imported the user certificate in your browser as part of X.509 Authentication.

Brief about OCSP Server:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

Steps to perform:


1) To setup OCSP Server: Steps to setup OCSP
2) Once you have setup OCSP, you will be having the following items with you;
  • CA Authority certificate (self signed) - ca.pem
  • CA private key - ca-key.pem
  • OCSP Server URL -> i.e. host and port details http://abc.us.oracle.com:6060
  • index.txt -> basically this is the file having the user certificates details which will be checked by the OCSP server for the received cert request. Based on this OCSP will respond 'good', 'revoked' or 'unknown'. It returns 'unknown' in case the cert entry is missing from the file.
    • This file name could be any name of your choice.

a) OCSP server files;

 b) Staring OCSP server


2) Goto Access Manager Configuration Settings: Select Certificate Validation



3) Select OCSP/CDP Settings:


  •  Enter OCSP Url
  •  Provide the OCSP CA Authority Certificate Subject
  • Apply the changes
4)  Now goto Authentication Scheme

5) Select X509Scheme

 6) Provide the details as required for enabling OCSP Validation

7) Now goto Authn Module

8) Select X509 Module

9) Remember to enable Cert Validation & OCSP. Provide the required details.


10) Now we need to attach the X509Scheme in our webgate profile Protected  Resource Policy.





11) Now when you fire a request from your browser, you will be asked for the user cert to be used for authentication. And if this user is not present in OCSP database i.e. the index.txt file or it is been revoked than you should get 'Authentication Failed' message.

12) To implement a use case to check certificate revocation:
Execute this command:
./openssl ca -revoke <user certificate name>
Eg: 
bash-3.2$ ./openssl ca -revoke user1\@oracle.com.crt
Using configuration from /scratch/ckukreja/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate BE.
Data Base Updated

  •  Here i have copied the cakey.pem, ca.pem & index.txt to 'demoCA' folder. Basically openssl refer to this folder as it is configured in my openssl.cnf file.
  • After this your index.txt gets updated and you can actually see the difference as well. Now when you try to access the protected resource with the user cert who has been revoked in OCSP databse, so this time OCSP will say 'revoked' to OAM server. And hence you will get authentication failed message.

Note: Important points to help you debug;

a) Always check if the log.txt file provided with OCSP server startup is getting populated with request or not.
b) If request is landing on OCSP and its a good cert request but still it is failing to authenticate than check OAM server diagnostic logs. You must be getting an exception there.


Important Informative Links:

Managing Common Services and Certificate Validation
X.509 Certificate Revocation Checking Using OCSP protocol with Oracle WebLogic Server 12c
How to set up OCSP using OpenSSL - I-Space Research Labs



That's All Guys......
Enjoy :-)

Monday, 15 February 2016

Enabling IP Validation in Load Balancer Environment using ProxyTrustedList & ProxyRemoteIPHeaderVar in OAM 11g

Why we are discussing this topic?

  • It is important to understand the configuration required to be done in OAM for validating the IP addresses when the application server is behind the proxies.

What difference will it make if app server is behind the proxy?

  • The client ip calculation will be different if proxy is present.

How client ip is fetched in OAM/Webgate?

  • remote_addr contains the client ip, in case of proxy this remote_addr will have the last proxy IP Address.

How can i than validate the IP in this scenario where proxies are used?

  • For such scenario we have to configure 2 user defined parameters in Webgate Profile:
    • ProxyRemoteIPHeaderVar = <by default it is set to HTTP_X_FORWADED_FOR>
    • ProxyTrustedIPList = <list of comma seperated IP Addresses>
  • Along with these parameter we need to set the IP Validation flag in webgate profile.

How remote_addr & x_forwaded_for header are related?

  • Remote_addr: Actually it contains the IP address of the client in general. But in scenarios where proxies are involved, this remote_addr conatins the last proxy IP Address.
  • HTTP_X_FORWARDED_FOR: header is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Considering the scenario such as:

Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)
 
Thus in this scenario, the headers contains following values;
  • REMOTE_ADDR = Proxy2 IP
  • HTTP_X_FORWARDED_FOR = Client IP, Proxy1 IP

So how the ProxyTrustedIPList is to be configured?

  • This parameter should have all the proxies IP Addresses that are present in the deployment or production environment.

How HTTP_X_FORWADED_FOR & ProxyTrustedIPList co-relates?

The IP Addresses present in x_forwaded_for header are backtracked against trustediplist & when the Ip is not found in TrustedList than that is considered to be the client ip.

Consider the scenario:
Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)

Headers:
  • HTTP_X_FORWADED_FOR = ClientIp, Proxy1
  • REMOTE_ADDR = Proxy2
Configuration:
  • ProxyTrustedIPList = Proxy1, Proxy2

 
Enjoy :-)

Thursday, 4 February 2016

[SQL SERVER 2012/2008]: the remote procedure call failed [0x800706be]

The remote procedure call failed [0x800706be]

What this issue is all about?

  • I have recently installed SQL SERVER 2012 on Windows 2012 R2 machine. And when i start the SQL SERVER CONFIGURATION MANAGER, it shows me this error for SQL SERVER SERVICES:


Now this is hampering my task.

So what's the resolution?

  • Remember one thing that too in bold letters that "If you install SQL SERVER 2012 on Windows Server 2012 R2, it has pre-installed SQL SERVER 2008. Thus always apply SQL SERVER 2008 SP3 patch."
  • Once you download & install the SQL SERVER 2008 SP3 patch, the issue will be resolved.


Thanks to:


Enjoy :-)

Thursday, 26 November 2015

OAM - allowedaccessgatelist user defined parameter

Ever wondered what this "allowedaccessgatelist" parameter does or why it is their ....... Let's understand it.....

  

First of all what does Oracle doc tell you about this paramtere;

allowedAccessGateList= Authentication Scheme challenge parameter configured with SPACE separated list of WebGate IDs defining those WebGates that are allowed to enforce authentication by this scheme. 
For example:
allowedAccessGateList=WebgateID1 WebgateID2


Where to configure it & how?

This parameter is applicable for Authn Scheme configured as user defined parameter. 
  •  for 11g -> allowedAccessGateList=WebgateID1 WebgateID2
  • for 10g -> allowedAccessGateList:WebgateID1 WebgateID2
 The only difference is that '=' is used in 11g while ':' is used in 10g

What does it do if configured?

It ensures that the no other webgate profile can use the authn scheme other than configured in this parameter.
Like;
allowedAccessGateList=WebgateID1 WebgateID2

If while accessing the resource it is found that the webgate id profile mismatches with the one configured, what will happen?

User will not be able to access the resource even if the provided creds are correct.

Demo:  

ECC & DCC : Call flow with allowedAccessGateList parameter defined in authn scheme;



Configuration Steps:

  •  Open /oamconsole

  •  I have created an auth scheme that i will use for ECC

  •  In user defined parameter define the allowedAccessGateList parameter with its value.

  •  I have already created DCC Authn Scheme that i will with for RWG protected resources.


  •  Goto ur ECC & RWG Profile in Application Domain;

  •  Assign the respective Authn Scheme in the Protected Resource Policy;


In the shown configuration, i have configured corrected webgate id in the allowedAccessGateList parameter; 
In case their is a mismatch following errors are shown by ECC & RWG webgate when protected resource is accessed:

ECC:


 

RWG:




Hope it clears the funda.... !!!!

Enjoy :-)

Wednesday, 4 November 2015

OAM Webgate DCC NAP TUNNELING

Enabling DCC NAP TUNNELING:

NOTE: DCC as a Resource Webgate doesn't support NAP Tunneling, which means if you want to access a resource protected by DCC itself than in that case NAP TUNNELING is not supported.
You have to have a separate resource webgate which is DCC Protected & in DCC webgate you have enabled nap tunneling.

  • Supported Case:



  • Non-Supported Case:


Prerequisites:

  • 2 profiles has already been created i.e.
    • One for resource webgate.
    • Other one for DCC Webgate
  • If possible do test whether you are able to access a resource protected by DCC. So that we are sure that things are working in DCC Mode & we just need to test NAP Tunneling via DCC.
Note: I will be demonstrating Login Page NAP Tunneling Via DCC Webgate.

Let's Start:


1) Make sure the parameter "DirectAuthenticationServiceDescriptor" is set to true in oam-config.xml file.



2) Create an authentication scheme, that will be used to protect the resources on Resource Webgate.


3) Now update the authentication scheme, in the protected resource policy of the resource webgate profile;


Note: This policy scheme needs to be updated for RESOURCE WEBGATE PROFILE not for DCC WEBGATE PROFILE


4) Once done, now we need to update DCC WEBGATE PROFILE:
  • Update the user defined parameter; add the tunneled url information, i.e. which url you want to tunnel.


Note: here i have tunneled '/oam' url, thus any request landing on dcc webgate having /oam in the url will be tunneled to oam server.

  • Now we need to create a new resource in dcc webgate profile; goto the launch pad -> Application domain -> <DCC WEBGATE PROFILE> -> Resources -> Create new resource.
    • This new resource name should be the one that you have added in the tunneled url above.
    • And this resource should use PUBLIC RESOURCE POLICY.
    • Keep one thing in mind, if you have tunneled 2 urls, like /oam,/oamfed than 2 resources should be created.


Note:
  • In the above step you can see we have added a resource '/oam/**' as a public resource which means, any url which has /oam, will be treated as public resource by DCC WEBGATE PROFILE.
  • Also, you can see i have added 3 more resources i.e. for the DCC WEBGATE itself. It has nothing to do with the NAP TUNNELING. You can skip this as well.

Demo:
1) Say you access a resource /index.html, that is protected by DCC & in DCC NAP TUNNELING is enabled;
2) DCC Webgate need to show the OAM server login page rather than its own, thats what we intent to see in this demo.

resource webgate: abc.com
dcc webgate - xyx.com








So we are able to tunnel the login page, & thus DCC shows the oam server login page instead of the one that is present on DCC itself.
But it doesn't mean that credential collection will be done by OAM SERVER.... no no no....
It is just that DCC has shown the login page of oam server that it has received via NAP tunnel. Rest all functionality remains the same.



Enjoy :-)

Thursday, 29 October 2015

OAM - Deny if not protected Flag impact on webgate 10g and 11g

Ever wondered what does 'Deny if not protected 'flag signifies?

This flag is present in webgate profile, by default when you create a profile 10g or 11g, it is 'ON' or 'Checked'.

To whom does it impact?

Basically the significance of this flag is only for 10g webgate profiles. It has no impact on 11g webgates.

What impact does this flag has?

If this flag is set 'ON', than any resource which you are accessing & has no policy defined in OAM, than you will get 404 error. And the reason for this is 'Resource Access Denied'.

As in case of 10g you will face this problem, if this flag is set 'ON'.

Why this flag has no impact on 11g webgate?

The reason for this is: In case of 11g webgate by default access is denied for any resource whose policy is not defined in OAM.
If you want access for such resources than you have an option to make an unprotected/excluded resource type.


Enjoy :-)

Wednesday, 28 October 2015

OAM Webgate - Unable to get https redirect back to load balancer

Problem Description:

Load Balancer running on 'https' i.e. SSL enabled and behind it their is a web server (OTD/OHS/APACHE...any) on which webgate is integrated. 

The web server may be SSL enabled or may be not. But this webserver expects that the load balancer will tell about its SSL  state i.e. http or https. And this info actually not provided


Lets Understand the Use Case:

Say Load Balancer listening on - https://abc.com, the web server behind it is listening on http://xyz.abc.com:7777.

Now when the request lands on the load balancer it gives this request to the proxied web server where webgate redirects this to OAM Server by making a http://<host:port>/obrareq.cgi?<querystring> request.
OAM Server authenticates/authorizes the user's request & thus makes a redirect back to the server by making a http://<host:port>/obrar.cgi?<quesrystring> request. 

Thus here lies the issue, this obrar.cgi redirect should be on https:// rather it is on http://

Ever wondered why so; the reason is that the load balancer has not sent any info about its SSL state, that whether it is running in http or https mode.
That's why webgate has not given this same info to OAM Server, thus OAM server makes the obrar.cgi redirect on http instead of https.
 

Solution:

IS_SSL header is the solution; this header need to be set in the load balancer config file;
Now if load balancer is;
  • Apache/OHS than one need to set this header in the virtual host config
    • RequestHeader set IS_SSL ssl
  • OTD; one need to set this in the server obj conf file;
    • AuthTrans fn="set-variable" set-headers="is_ssl=ssl"     ;
After this restart the load balancer  ; test the use case & the issue is resolved;

Read More:
http://fusionsecurity.blogspot.in/2011/04/ssl-offloading-and-weblogic-server.html


Enjoy :-)