
E219 EP Security: Now What?



Presentation Transcript


  1. E219 EP Security: Now What?
     • Jeff Pryslak, EP Technical Evangelist, eBusiness, Jeff.Pryslak@sybase.com
     • John Anderson, Senior Consultant, Sybase SPS, janders2@sybase.com

  2. Overview
     • EP Security Basics
     • LDAP Integration
     • Using Digital Certificates
     • EA Server Integration

  3. Administration
     • Self Registration
     • Account Expiration based on last login
     • Password Expiration based on date
     • Strong Password Module
     • Proxy Authentication
     • Simplified
       • User -> Role -> Asset Inheritance
     • Passwords are stored as a Hash (SHA)

  4. Authentication
     • Standard Authentication Types
       • User Name/Password
       • Digital Certificate
       • PKI
     • Integrated into Portal Server (EA Server) as AuthService
     • J2EE JAAS Compliant
     • LDAP Integration
     • Third Party Integration
     • Single Sign-On

  5. Authorization
     • Role-Based
     • LDAP Integration Migrates Group Memberships
     • Mutual Exclusion of Roles
       • At Time of Assignment
       • At Time of Activation
     • Role Hierarchies
     • Integrated into Portal Server (EA Server) as Authorization and Role Service

  6. Role Management Demo (diagram: User, Role Assigned, Read Permission; users Emp #1, #2, Engr; roles HR, TechSupt, Engineering; assets Knowledge Base, Engineering Specs)

  7. Data Confidentiality & Integrity
     • Access Control Repository has Encrypted Elements
     • Accessible to User via Session Level Security
     • Transport Layer Security is available for any Connections within the Portal
       • Client to Web Server
       • Web Server to Portal Server
       • Portal Server to Database

  8. Auditing
     • Pluggable Write method
       • File and Database Table Supplied as examples
     • Authentication
       • Login Success/Failure
       • Account Lock Out based on Config.
       • Forced Delay between attempts
     • Authorization
       • Access Allowed/Rejected
       • Account Lock Out based on attempts
     • Alerts available via JMS Connector (SMTP by default)

  9. Single Sign-On
     • Store
       • Username
       • Password
       • URL
     • Multiple Levels to ease administration
       • Asset (URL specified)
       • Role
       • User (Username/Password)
     • Session Level Access
     • User Credentials are maintained by User
     • Lookup Occurs From User to Asset; Roles have Priorities

  10. Single Sign-On: Existing Web Application (diagram: Sybase Employee on the Intranet, and Partner and Sybase Consultant working at client site on the Internet, reaching SWP and my.Sybase.com; one path marked Not Allowed)

  11. Single Sign-On: Web Application SSO (diagram: the same users reaching SWP and my.Sybase.com through EnterprisePortal; the direct path marked Old Route)

  12. Single Sign-On: Data Access (diagram: Browser, PRPortlet, Portal, Application Server, Pubs2 Component, SBO, Interface, Pubs2 DB) Demo?

  13. LDAP Overview: LDAP Integration (diagram: Client, Portal, ACDB, LDAP)
     • Can be done with EAServer alone
     • May integrate with a Web Server
       • See PKI Integration
     • Advantages:
       • Automatic Mapping of Users and Roles
       • Maximizes the Power of Dynamic LDAP Groups
       • Minimal interaction with the Security Admin GUI

  14. Overview… LDAP Integration
     • LDAP is the revenge of the Hierarchists
     • It is fast, dynamic, and powerful
     • Once you go LDAP, you’ll never go back

  15. Overview… PKI Integration (diagram: Client, Web Server, Portal, ACDB, LDAP)
     • Requires LDAP Integration
     • Requires Web Server Integration
       • with Sybase EP Web Plugins
     • Advantages:
       • Attributable Actions
       • Encryption
       • Auditing

  16. Overview… PKI Integration
     • Certificate Authentication
     • No Passwords!
     • Basis for an Ultra Secure Environment
     • Extensible to meet your needs!
     • Emerging US Government Standard…

  17. Overview…
     • Focus today on iPlanet suite:
       • Directory Server 4.12 -> 5.1
       • Web Server 4.1sp9 -> 6.02
     • Other directories and web servers have been integrated on a case by case basis:
       • Apache Web Server, IIS
       • Active Directory, Novell Directory Services

  18. Overview… Presentation based on a canned environment
     • Integrating Sybase EP with LDAP and PKI for Windows 2000 or Unix
       • John.H.Anderson@sybase.com
     • Three accompanying jar files containing configuration info for
       • iPlanet Web Server
       • iPlanet Directory Server
       • Sybase EP
     • Available for download at…
     • This is considered a solution and is only supported by on-site resources

  19. Overview… Before you start…
     • Good background in LDAP
     • Extensive skills in Web Server
     • Basic understanding of EP Security
     • + Conceptual knowledge of Certificate Authentication

  20. LDAP Integration (diagram: Client, Portal, ACDB, LDAP)
     What you have to do:
     • Define EP Roles in ACDB
     • Define LDAP Structure
     • Define Mappings in Security.Properties
     Demo
     Troubleshooting

  21. LDAP Integration… ACDB Role Strategy (diagram: ACDB Groups and Roles managed by the Security Admin GUI; LDAP Groups managed by the Netscape Directory Console; mappings between them done in Security.Properties; groups on both sides: PIAdmin, PIUser, Auditors, Managers)

  22. LDAP Integration… LDAP Structure (it can be done any way you want):
     • Top: o=Sybase.com
     • People: ou=People,o=Sybase.com
       • cn=John Anderson…
     • Groups / Roles: ou=Groups,o=Sybase.com
       • cn=PIAdmin…
       • cn=PIUsers…
     • Servers: ou=Servers,o=Sybase.com
     • Delegate: ou=Delegate,o=Sybase.com
     Do not forget Access Control Instructions!

  23. LDAP Integration… Security.Properties Mappings
     • EAServer/java/classes/com/sybase/ep/security
     • ACDB / LDAP Delegate:
         #com.sybase.ep.security.authdelegate=com.sybase.ep.security.authdelegate/ACDBDelegate
         com.sybase.ep.security.authdelegate=com.sybase.ep.security.authdelegate/LDAPDelegate
     • Required LDAP Definitions:
         com.sybase.ep.security.ldap.connection.bindname=cn\=eportal5.sybase.com,ou\=Jaguar,ou\=Servers,o\=Sybase.com
         com.sybase.ep.security.ldap.connection.bindpassword=jaguar
         com.sybase.ep.security.ldap.connection.host=eportal5
         com.sybase.ep.security.ldap.connection.port=389
     • Map EP Distinguished Names to LDAP Distinguished Names:
       • Required Group Mappings
       • Optional Role Mappings
       • Required Delegate Mappings

  24. LDAP Integration… Demo
     • Security Admin GUI (Role Strategy)
     • iPlanet Directory Server console (LDAP Structure)
     • Security.Properties (Mappings)
     • 1st Time User into EPI via EAServer (port 8080)
     • Automatic mapping of a new Subject
     • Power of Dynamic vs Static LDAP Groups

  25. LDAP Integration… Power of Dynamic vs Static LDAP Groups
     Static:
         dn: CN=Managers Static,ou=Groups,o=Sybase.com
         description: Static list of all Managers – a difficult list to maintain
         uniquemember: CN=Arthur Geiger,ou=People,o=Sybase.com
         uniquemember: CN=Charles Mattingly,ou=People,o=Sybase.com
         uniquemember: CN=Daniel Askin,ou=People,o=Sybase.com
     Dynamic:
         dn: cn=Consultants,ou=Groups,o=Sybase.com
         description: Dynamic list of all Consultants – very powerful
         memberurl: ldap:///ou=People,o=Sybase.com??sub?(&(objectclass=inetorgperson)(title=*Consultant))

         dn: cn=John H Anderson,ou=People,o=Sybase.com
         l: Bethesda
         title: Sr Consultant
         displayname: John H Anderson
         mail: john.h.anderson@sybase.com
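Added example, not part of the presentation or of Sybase EP: a pure-Python model of how the dynamic group above is populated from its memberurl. It splits the LDAP URL into base, scope and filter and evaluates the filter against constructed entries (only John H Anderson's DN and title come from the slide; the other entries are made up), so you can see why a user drops out of the group the moment the title attribute changes, while the static uniquemember list has to be edited by hand.

```python
# Added example (not from the presentation): resolve the slide's dynamic group
# memberurl against constructed directory entries, and contrast it with the
# static group's hand-maintained uniquemember list. Pure Python, no LDAP server.
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed entries; only the first DN and its title appear on the slide.
ENTRIES = {
    "cn=John H Anderson,ou=People,o=Sybase.com":
        {"objectclass": ["inetorgperson"], "title": ["Sr Consultant"]},
    "cn=Arthur Geiger,ou=People,o=Sybase.com":
        {"objectclass": ["inetorgperson"], "title": ["Manager"]},
    "cn=eportal5,ou=Servers,o=Sybase.com":           # outside the search base
        {"objectclass": ["device"], "title": ["Consultant"]},
}
STATIC_MEMBERS = ["cn=Arthur Geiger,ou=People,o=Sybase.com"]   # uniquemember values

def parse_ldap_url(url):
    """Split an RFC 2255 URL 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return unquote(base), scope or "base", unquote(flt) or "(objectclass=*)"

def matches(flt, attrs):
    """Evaluate a subset of RFC 4515 filters: &, |, ! and attr=value with * wildcards."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":                      # split the nested (...) operands
        operands, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                operands.append(body[start:i + 1])
                start = i + 1
        results = [matches(o, attrs) for o in operands]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, pattern = body.partition("=")   # LDAP matching is case-insensitive
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in attrs.get(attr.lower(), []))

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)   # sub

def dynamic_members(memberurl, entries=ENTRIES):
    """Return the DNs that currently satisfy the group's memberurl."""
    base, scope, flt = parse_ldap_url(memberurl)
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(dn, base, scope) and matches(flt, attrs))
```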

  26. LDAP Integration… Troubleshooting
     • Most likely problem is in the Security.Properties mappings of EP DNs to LDAP DNs
     • Security.Log (configured via EAServer/java/classes/log4j.properties)
     • LDAP Access log
     • Create web pages to provide quick access to logs, configuration information and documentation
     • You may go back to the ACDB Delegate at any time!

  27. PKI Integration (diagram: Client, Web Server, Portal, ACDB, LDAP)
     What you have to do
     Certificates
     Certificate Mapping
     Certificate Revocation
     Extensions
     Demo
     Performance Tip

  28. PKI Integration… What you have to do:
     • LDAP Integration
     • Sybase Redirector Plugin
       • Allows access to EAServer via the web server
     • Sybase Secure Web Plugin
       • Initial Login Authentication
       • Define EPI assets in Security Admin GUI
       • Forces EP login at Web Server
     • Create a secure web server
       • Require SSL as a start, then Certificate Authentication
       • Always provide an open server to catch authentication failures

  29. PKI Integration… Certificates
     • User
       • Best obtained via local CMS
       • EAServer can generate Test certificates
         • No LDAP or CRL support though
     • Server
       • Short-term: Can easily be facilitated by EAServer
       • Only the Web Server requires one, though one may be acquired for EAServer as well
         • Possibly for JSSE integration
     • Establish Trust!

  30. PKI Integration… Certificate Mapping
     • The Certificate DN and the LDAP DN can be different!
     • Web Server maps the certificate to LDAP (certmap.conf):
         certmap sybase CN=Certificate Manager,OU=Admin,O=Sybase.com
         sybase:DNComps OU,O
         sybase:FilterComps CN
         sybase:verifycert on
     • EP also maps the certificate to the LDAP
       • Security.properties AttributeMapper
     • Certificate DN: cn=John H Anderson,ou=People,o=Sybase.com,c=US
     • LDAP DN:
         dn: uid=janders2,ou=People,o=Sybase.com
         cn: John H Anderson

  31. PKI Integration… Certificate Revocation
     • Client Certificates are issued to users
       • And published to LDAP
     • Users do not lose their certificate when revoked
     • Web Server may verify certificate when mapping
     • If the unpublishing is unreliable, a CRL may be used
       • Manually into the Web Server
       • Extend Attribute Mapper to call an OCSP responder
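Added example, not from the presentation or from iPlanet/Sybase, covering slides 30 and 31: a small model of how the certmap entry above turns the certificate subject DN into an LDAP search (DNComps pick the base, FilterComps the equality filter), lands on an entry whose DN differs from the certificate DN, and how "verifycert on" rejects a certificate that is no longer published on that entry. The matching rules are a simplified reading of certmap.conf semantics, and the directory entries and certificate bytes are constructed.

```python
# Added example (not from the presentation): a simplified model of certmap.conf
# DNComps/FilterComps mapping plus the verifycert check, against constructed
# directory entries. Not the iPlanet implementation.

CERTMAP = {"DNComps": ["ou", "o"], "FilterComps": ["cn"], "verifycert": True}

# Constructed entries: the LDAP DN differs from the certificate DN (the
# slide's point). userCertificate would hold DER; these bytes are made up.
PUBLISHED_DER = b"\x30\x82-constructed-placeholder-not-a-real-certificate"
DIRECTORY = {
    "uid=janders2,ou=People,o=Sybase.com":
        {"cn": ["John H Anderson"], "usercertificate": [PUBLISHED_DER]},
    "uid=ageiger,ou=People,o=Sybase.com":
        {"cn": ["Arthur Geiger"], "usercertificate": [b"other-constructed-der"]},
}

def parse_dn(dn):
    """Split 'cn=X,ou=Y,o=Z' into [(type, value)]; escaped commas in values are not handled."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def certmap_search(subject_dn, certmap=CERTMAP):
    """Base DN from the DNComps components of the subject, equality filter from FilterComps."""
    rdns = [(t.lower(), v) for t, v in parse_dn(subject_dn)]
    base = ",".join(f"{t}={v}" for t, v in rdns if t in certmap["DNComps"])
    filt = [(t, v) for t, v in rdns if t in certmap["FilterComps"]]
    return base, filt

def map_certificate(subject_dn, presented_der, directory=DIRECTORY, certmap=CERTMAP):
    """Return the LDAP DN the certificate maps to, or None without a single verified match."""
    base, filt = certmap_search(subject_dn, certmap)
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + base.lower()):
            continue                             # outside the search base
        values = {t: [x.lower() for x in attrs.get(t, [])] for t, _ in filt}
        if all(v.lower() in values[t] for t, v in filt):
            hits.append((dn, attrs))
    if len(hits) != 1:                           # none or ambiguous: fail closed
        return None
    dn, attrs = hits[0]
    if certmap["verifycert"] and presented_der not in attrs.get("usercertificate", []):
        return None                              # not (or no longer) published for this user
    return dn
```

Unpublishing the certificate from the entry is what makes the last branch fire; if that step is unreliable, a CRL or OCSP check has to sit alongside it, as the slide says.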

  32. PKI Integration… Possible Extensions
     • Organization Mapper
     • Attribute Mapper
     • Audit Implementation
     • May create quasi-Document Level Access Control
       • Featuring Need to Know
       • Feature of Demo

  33. PKI Integration… Demo
     • Redirector Integration
     • Simple Web Plugin Integration (authentication)
     • Advanced Web Plugin Integration (EPI authorization)
     • Security Admin GUI (Assets & Access Control Element)

  34. PKI Integration… Demo…
     • Get a client certificate
     • 1st Time User into EPI via Secure Web Server (port 443)
       • Welcome User
     • Limited Document Level Access Control
       • Need to Know
     • Database auditing Integration with additional assets
       • Secure Web Proxy into Web Server Reports
       • Auditable user actions
     • Using a Revoked Certificate

  35. PKI Integration… Performance Tip
     • Secure and Audit only what you need to… (Web Plugin, obj.conf; the first Object applies the client-certificate check, ACL check and access log to every path, the second uses the ~ negation in ppath to exclude the images directory):
         <Object ppath="*">
         PathCheck fn="get-client-cert" dorequest="1" require="1"
         PathCheck fn="check-acl" acl="*"
         PathCheck fn="sec_path_check"
         AddLog fn="flex-log" name="access"
         </Object>

         <Object ppath="*~e:/netscape/server4/docs/images/*">
         PathCheck fn="get-client-cert" dorequest="1" require="1"
         PathCheck fn="check-acl" acl="*"
         PathCheck fn="sec_path_check"
         AddLog fn="flex-log" name="access"
         </Object>

  36. The BIG Picture (diagram: Browser; iPlanet Web Server (Open) on Http 80 and iPlanet Web Server (Secure) on Https 443, with Plugin, Obj.conf, Certmap.conf, Dbswitch.conf, password.conf, generated.https-server.acl, SybSecurityPluginConfig.txt, conn_config and portalInterface.properties; Connection Manager; EP Jaguar Server on 8080 with Login Servlet, Security.Properties and Portlets on 9000; ACDB; LDAP on 389/636 with PKI Issue and Publish; Docs and Logs on each tier)

  37. Recommendations and Notes:
     • Follow the recommended order of installation
     • Always introduce encryption last
     • Place secure server on same box as EAServer
       • Place this behind firewall. Only encryption required then is between user and server.
     • Best place to troubleshoot is the logs
     • Typical installation from 1 day to 1 week
     • Provide an open server to catch authentication errors
     • May integrate with multiple LDAPs

  38. EA Server Integration
     • Authentication Service
     • Role Service
     What does this mean?
     • J2EE Role Mapping
     • Container Level Security

  39. Questions?
     • Jeff Pryslak, jpryslak@sybase.com
     • John Anderson, janders2@sybase.com
