
Web Authentication Nuts and Bolts: “Authentication Appliance”


Presentation Transcript


  1. Web Authentication Nuts and Bolts: “Authentication Appliance”
    EDUCAUSE Dartmouth PKI Deployment Summit, 7/27/2005
    Presented by: Mark Franklin, Dartmouth College PKI Lab, Mark.J.Franklin@Dartmouth.EDU

  2. Background
    • Dartmouth’s Oracle-based web applications allow end user PKI authentication
    • Anticipated 12,000 pre-matriculated students checking acceptance status all at once
    • Too much HTTPS/SSL traffic for our Oracle application servers
    • Needed more SSL capacity to avoid a meltdown
    • Selected F5 load balancer/SSL termination appliance

  3. The Problem
    • PKI authentication happens where SSL is terminated
    • Used to be in the Oracle application server
    • Now in the F5 appliance
    • Thus, the Oracle app server doesn’t have knowledge of authentication
    Impending doom for our PKI authentication! (cue ominous music)

  4. Original Configuration

  5. The Solution
    • F5 supports end user PKI authentication
    • Validate user’s certificate (incl. revocation)
    • At this point, we have verified the user’s identity
    • Insert custom HTTP headers to pass authentication information to the application server

  6. New Configuration

  7. Security Assumptions
    • F5 appliance properly verifies certificates (we tested to confirm this)
    • No alternate route to app servers (users could spoof custom headers)
    • Network from F5 to app servers is secure (it’s in our computer room)
    • F5 box is secure (we’re trusting it to do our authentication)
    • F5 logic eliminates any inbound custom authn headers (we programmed this)

  8. Implementation
    • Configured SSL normally on F5
    • Turned on standard F5 client-side PKI authn
    • Added iRule (TCL) logic in F5 to insert custom headers for users with PKI credentials
    • Modified Oracle app server authn logic (PL/SQL) to accept custom headers as valid authn and retrieve user info from them

  9. iRule Logic to Reject Invalid Cert

    when CLIENTSSL_CLIENTCERT {
        # SSL::verify_result is 0 (X509_V_OK) only when the client cert chained and
        # passed the configured checks; any other OpenSSL code means the cert is invalid
        if { [SSL::verify_result] } {
            log LOCAL0.warn "Client cert didn't verify, openssl code=[SSL::verify_result]"
            reject
        }
    }

  10. iRule Logic for Custom Headers

    when HTTP_REQUEST {
        # Eliminate any inbound spoofed authentication headers. All three identity
        # headers must be stripped (the original loop removed only F5PKI_CN, which
        # left OU and UID spoofable). HTTP::header matches names case-insensitively.
        foreach hdr { F5PKI_CN F5PKI_OU F5PKI_UID } {
            while { [HTTP::header exists $hdr] } {
                HTTP::header remove $hdr
                log LOCAL0.warn "removed inbound $hdr header - possible attack"
            }
        }
        if { [SSL::cert count] != 0 } {
            # User authenticated with PKI, so get the subject DN of the client cert.
            # Use the string directly: the original first built a list, which
            # brace-quotes a DN containing spaces and breaks the split below.
            set subject [X509::subject [SSL::cert 0]]
            # Parse out the DN fields we need and set outbound header values.
            # Assumes the OpenSSL one-line form, e.g. /C=US/O=Dartmouth College/CN=Jane Doe
            foreach entry [split $subject /] {
                # split at the first '=' only, so values containing '=' stay intact
                set eq [string first "=" $entry]
                if { $eq < 0 } { continue }
                set name [string range $entry 0 [expr {$eq - 1}]]
                set value [string range $entry [expr {$eq + 1}] end]
                switch $name {
                    CN  { HTTP::header replace F5PKI_CN $value }
                    OU  { HTTP::header replace F5PKI_OU $value }
                    UID { HTTP::header replace F5PKI_UID $value }
                }
            }
        }
    }
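The iRules above and the PL/SQL they feed only run inside an F5 and an Oracle application server, so what follows is an added Python model of the same pattern, not code from the presentation. It shows the appliance side (strip any client-supplied identity headers, parse the verified certificate subject, inject the F5PKI_* headers) and the application side (accept those headers only from the appliance). The header names and the slash-separated DN form follow the slides. Assumptions added here: the appliance address, the application-side peer-address check (the slides rely on there being no alternate route; this enforces it), and the CGI-style name folding. That last point matters for an application that reads headers as CGI variables, which is how mod_plsql exposes them: RFC 3875 upper-cases header names and maps '-' to '_', so F5PKI-CN and f5pki_cn arrive as the same HTTP_F5PKI_CN variable and an exact-match strip on F5PKI_CN alone would miss them.

```python
"""Added model of the slides' "authentication appliance" pattern.

Constructed example, not the presentation's iRule or PL/SQL. Header names
and the slash-separated DN form follow the slides; APPLIANCE_ADDR and the
application-side peer check are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Identity headers the appliance injects, keyed by the DN attribute they carry
DN_FIELDS = {"CN": "F5PKI_CN", "OU": "F5PKI_OU", "UID": "F5PKI_UID"}
APPLIANCE_ADDR = "10.0.0.5"  # assumed address of the F5 on the server-room LAN


def cgi_name(header: str) -> str:
    """Fold a header name the way a CGI gateway does (RFC 3875: upper-case,
    '-' becomes '_'), so F5PKI-CN, f5pki_cn and F5PKI_CN all compare equal."""
    return header.strip().upper().replace("-", "_")


def strip_identity_headers(headers: Headers) -> Tuple[Headers, int]:
    """Drop every inbound header that would collide with an identity header,
    whatever its case or punctuation. Returns (kept, number removed)."""
    protected = {cgi_name(h) for h in DN_FIELDS.values()}
    kept = [(n, v) for n, v in headers if cgi_name(n) not in protected]
    return kept, len(headers) - len(kept)


def parse_dn(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line DN, e.g. '/C=US/O=Dartmouth College/CN=Jane Doe',
    the form the slide splits on '/'. Each RDN is split at its first '=' so a
    value containing '=' survives; a later duplicate attribute wins, as the
    slide's HTTP::header replace does. Escaped '/' inside values is not handled."""
    fields: Dict[str, str] = {}
    for rdn in subject.split("/"):
        if "=" not in rdn:
            continue
        name, value = rdn.split("=", 1)
        fields[name.strip().upper()] = value
    return fields


def appliance_forward(headers: Headers, cert_subject: Optional[str],
                      verify_result: int = 0) -> Tuple[Headers, int]:
    """What the two iRules do per request. verify_result is the OpenSSL code;
    0 (X509_V_OK) is the only pass. Inbound identity headers are always
    stripped; fresh ones are added only when a verified client cert was presented."""
    if verify_result != 0:
        raise PermissionError(f"client cert did not verify, openssl code={verify_result}")
    cleaned, removed = strip_identity_headers(headers)
    if cert_subject is not None:
        dn = parse_dn(cert_subject)
        for attr, header in DN_FIELDS.items():
            if attr in dn:
                cleaned.append((header, dn[attr]))
    return cleaned, removed


def app_identity(headers: Headers, peer_addr: str) -> Optional[Dict[str, str]]:
    """Application side. Trusts the identity headers only when the request came
    from the appliance's address (assumed check), and reads them through the
    CGI-style HTTP_* names a gateway such as mod_plsql would present."""
    if peer_addr != APPLIANCE_ADDR:
        return None
    env = {"HTTP_" + cgi_name(n): v for n, v in headers}
    cn = env.get("HTTP_F5PKI_CN")
    if not cn:
        return None
    return {"cn": cn, "ou": env.get("HTTP_F5PKI_OU"), "uid": env.get("HTTP_F5PKI_UID")}


if __name__ == "__main__":
    # Constructed request: a client tries to smuggle identity headers past the strip
    spoofed = [("Host", "app.example.edu"), ("F5PKI-CN", "attacker"), ("f5pki_uid", "admin")]
    out, removed = appliance_forward(
        spoofed, "/C=US/O=Example College/OU=Students/UID=jdoe/CN=Jane Doe")
    print(removed, out)
    print(app_identity(out, APPLIANCE_ADDR))
    print(app_identity(out, "192.0.2.10"))  # connection that bypassed the F5: no identity
```

The peer-address check is the piece the slides list as an assumption rather than a control; it costs one comparison and turns "no alternate route to app servers" into something the application verifies on every request.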

  11. Gotchas
    • F5 appliance is complex, takes a while to configure (even without PKI)
    • F5 by default doesn’t reject authentication using expired or revoked certificates; need to explicitly check for invalid certs and use an iRule command to reject the authentication
    • Had to learn TCL for iRules (not too bad, and it’s extremely powerful)
    • F5 uses lots of server ID certs (one for each service); we found it useful to get a *.dartmouth.edu cert (from Verisign, in order to appease Oracle Java applets)

  12. Gotchas 2
    • Internet Explorer has issues with SSL, especially with client-side PKI:
      • Apache turns off a bunch of stuff when it detects IE (including SSL session persistence)
      • Lots of experimenting to get SSL profile settings to accommodate IE with client-side PKI:
        • No SSL persistence cache
        • Long alert and handshake timeouts (10,000 seconds)
        • Long renegotiate period (10,000 seconds)
        • Renegotiate size indefinite, renegotiate max record delay huge (429496729 records)
        • Unclean shutdown not checked, strict resume checked

  13. Conclusions
    • Disadvantages:
      • F5 appliance is expensive, but we needed it anyway for SSL bandwidth and load balancing
    • Advantages:
      • No client-side PKI on web server
      • Implement PKI authentication for any web server without special software or configurations
      • Only F5 admin needs to deal with PKI at all
      • Custom headers easy to parse in web applications
      • F5 appliance working very well, bandwidth to spare
      • Cost-effective way to offload SSL processing
    We now have a “PKI authentication appliance”.
