|
Assumptions: Legacy OID SID = infra1 New OID SID = orcl1
Step 1. Export All Objects from the Root realm:
Export the data from, the root realm, out of the legacy directory: ldifwrite -c infra1 -b “o=xxx,c=yy” -f out.ldif
Remove the userpassword attribute: sed ‘/userpassword:/d’ out.ldif > tmp.ldif
Replace the output file with the updated file (passwords removed) mv temp.ldif out.ldif
Stop the OID process of the new OID (opmnctl stopall)
Use bulkload to check the schema and generate an intermediate file: bulkload -connect=orcl -check=true -generate=true -file=out.ldif
Assuming there are no errors, use bulkload to load the data into the new directory. Bulkload -connect=orcl -load=true -file=out.ldif
Restart the OID process of the new OID (opmnctl startall)
Step 2. Migrate userpassword attribute
Export the dn and userpassword attribute from each object that has userpassword: ldapsearch -h hostname -p port -D “cn=orcladmin” -w password -s sub -b “” “objectclass=*” dn userpassword > ./pwdout.ldif
Import the user passwords into the new directory ldapmodify -h hostname -p port -D “cn=orcladmin” -w password -f ./pwdout.ldif |
Hands On Identity
IdM
FREEDOM!! #StopSOPA
To protest SOPA I am sharing this content (that is not my original material).
p.s.
I am also advocating for Freedom for Scotland, Voice Activated for native Scottish speakers, funny videos, and purple unicorns. <— their real … go check Wikipedia…
Recommended IDM Books #IDM #infosec
Here are the books that I refer to in my IDM work:
Oracle:
- Oracle Identity and Access Manager 11g for Administrators
- Designing an IAM Framework with Oracle Identity and Access Management Suite (Oracle Press)
- Effective Oracle Database 10g Security by Design
ForgeRock:
Using sed to clean up an LDIF file for import #Oracle #Identity #UNIX
I needed to import a group of users, into Oracle Internet Directory (OID) with attributes in a variety of backend data stores. I used Oracle Virtual Directory to virtualize the data stores into a single ldap view. I used the OVD adapter configuration to specify which attributes I wanted returned. I then exported using the export control from Apache Directory Studio. This resulted in an ldif file containing all of the records I needed with attributes. There were a few additional attributes as a result of using OVD that I now had to deal with.
I ended up with an ldif file that contained a lot of records like this:
dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: 1234556677@ACME.GOV
cn: Babs.Jensen@ACME.gov
cn: Jensen, Babs
sn: Jensen
givenName: Babs
mail: BABS.JENSEN@ACME.GOV
vdejoindn: ou=acmeinfo_temp:cn=JENSEN\,BABS,ou=acmeinfo_temp
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t
emp,dc=acme,dc=local
fascnDecoded: 1234567890987654321
guid: ABcdedghi1234567890
ssn: 12345678
…
Note: With the SED command you can make changes directly to the source file but I am creating a new target file with each change I can make so that I can always revert back if the command doesn’t work exactly the way I want it to.
I wanted to get rid of lines that don’t start with an attribute name (In my case I am free to get rid of lines that carry over into the second line … YMMV)
I also wanted to specifically wanted to get rid of all lines that start with “vdejoindn:” and there are also some vdejoindn lines that overrun onto a second line that won’t beremoved if I use sed to remove lines with the pattern matching vdejoindn:.
So, first I want to remove all lines that don’t contain a colon. This removes the overrun lines but also all blank lines.
$ sed ‘/:/!d’ input.ldif > tmp.ldif
this keeps the lines with a colon.
But now we don’t have breaks between the records
$ sed ‘s/^dn:/\n&/g’ tmp.ldif > tmp2.ldif
Ok, now I want to get rid of the lines that have “vdejoindn:”.
$ sed ‘/vdejoindn:/d’ tmp2.ldif > tmp3.ldif
Now at some point I ended up with “^M” at the end of each file … I don’t know if this is because I opened with VIM in Windows before moving to Linux … I am going to assume so but either way in this instance I want to remove these characters.
$ dos2unix tmp3.ldif > tmp4.ldif
Alright, Now, for me to import this into Oracle Internet Directory (OID) I’ll need to add the “changetype” directive. I am going to add the string “changetype: add” on a new line after each line with “ou=temp_user_load:” which is the temporary suffix I used in this export.
$ sed ‘/ou=temp_user_load/ a\changetype: add’ tmp4.ldif > tmp5.ldif
Now, should be the last step, prior to importing, is to correct the entries “DN” attribute. Essentially, we need to replace “ou=temp_user_load” with the correct suffix for where these users will be created.
$ sed ‘s/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g’ tmp5.ldif > tmp6.ldif
At this point my ldif file (“tmp6.ldif”) is ready to import into my directory. You can use the ldapmodify command or since I am using OID you can use bulkload (which is recommended for large record sets).
Migrating User objects (and userpassword) in OID
uh, so … what version was that again? #Oracle #Fusion #Identity #OHS
A really quick post to share something that I found this morning. I am constantly trying to remember the exact version of OHS (Oracle HTTP Server) that is installed (Actually any Fusion Middleware component). Sometimes I am inheriting an existing environment or validating someone else’s environment and need to baseline what is installed.
Here is how to get a list of what components are installed and their current version:
$ORACLE_HOME/OPatch/opatch lsinventory -detail
This will dump out a ton of information on the instance of OHS.
Book Review: Oracle Identity and Access Manager 11g for Administrators (Packt Publishing)
As many of you may know, Atul Kumar, has finished writing his book “Oracle Identity and Access Manager 11g for Administrators“. I had the pleasure of being a technical reviewer for this book. If you know Atul or his website then you know my job was pretty easy as he is well versed and experienced with Oracle Identity Management. I was pretty excited to finally get a hard copy of this book because, to be honest with you, I was already using this book as a reference before it was finished . I had been having some difficulty deploying an access agent within the new 11g framework and I was able to find a very detailed explanation within Atul’s book. I am not sure that I can give a higher compliment to an author than to say, “I was using your book before it was even printed!”.
What I like best about this book is that Atul starts out in the first chapters with a very nice, detailed, explanation of Identity Management and then builds on that explanation to introduce each component of Oracle Identity and Access Manager. Several chapters are tied together in that they build on fundamentals explained in a previous chapter but that doesn’t mean that someone couldn’t jump into a chapter and not still receive a good understanding of those specific concepts.
I have already recommended this book to several people that are new to Oracle Identity Management as well as to some folks that have several years of Oracle Identity Management experience. I recommend this book to anyone who is working with Oracle Identity and Access Management 11g.
Change the Listen Port for Weblogic AdminServer #Oracle #IDM #Identity
I had to re-install my Oracle Identity Management environment server and I must have had a listener running that I forgot to shutdown. The default Admin Port (7001) wasn’t available, so the installer used 7002. Typically, I would have shutdown all of the services, restarted the server and then uninstall the software. This usually frees up all of the default ports and allows me to perform a clean install. I am not sure what happened … but my mistake is an opportunity to share a good lesson. Usually using 7002 for the Admin listener would not be a big deal but in this particular environment all of the ports, except those specifically requested in advance, are blocked by a firewall. So, once I had the new install finished I wasn’t able to reach the Fusion Middleware Console (e.g., http://idm.acme.com:7001/em) from my desktop browser.
I was a little nervous about changing this because sometimes the port number is referenced in a lot of different places which makes changing it a little difficult to say the least.
As it turns out changing this is pretty trivial. You need to change the port referenced in the config.xml file and then in the startup and shutdown scripts. That’s it.
Step 1. Modify the config.xml file:
Open the following file: $Middleware_home/user_projects/domains/IDMDomain/config/config.xml
In the server directive, change the value from 7002 to 7001: (Make sure you catch all instances of the port)
AdminServer
1000
200000
20
21
AdminServer
true
7001
idm.acme.com
7001
Ok, so save those changes and then go to Step 2.
Step 2. Modify shutdown scripts:
Change to the directory that contains the startup and shutdown scripts for Weblogic:
$ cd $MIDDLEWARE_HOME/user_projects/domains/IDMDomain/bin
You will need to edit the following files: startManagedWeblogic.sh, stopWeblogic.sh and stopManagedWeblogic.sh
Look for the ADMIN_URL variable and change the port in the value (e.g., ADMIN_URL=”t3://idm.acme.com:7001″) from 7002 to 7001.
That’s it!
Now, save the changes to those to files and then restart WebLogic Admin and any managed servers.
Federal #ICAM “Reading List” #IDM #Identity
- What is Identity, Credential, and Access Management (ICAM)?
- Trust Framework Provider Adoption Process (TFPAP) | For Levels of Assurance 1,2, and Non-PKI 3
- National Strategy for Trusted Identities in Cyberspace
- M-04-04
- M-11-11
- M-06-22
- NIST 800-63
- ID Management.gov (ICAM Website)
- Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance
- Open Identity Solutions for Open Government
- Chris Louden – Open Solutions for Open Government | Portable Identity Technical Approach
- Chris Louden – Open Identity Solutions Trust Frameworks
- Federal Identity, Credentialing, and Access Management Identity Scheme Adoption Process
- Kantara Initiative
- Business-Centric, Cloud-Aware Identity and Access Management
- Available Support for ICAM Adopted Schemes
- The Federated Physical Access Control System (PACS) Demonstration Project
- Personal Identity Verification InteroperabilityForNon-Federal Issuers
claims-based authorizations conversation
| I was following a conversation on Twitter about claims-based authorizations … the guys having the conversation brought up some pretty good points and I thought it would be great to have a copy of this conversation. Feel free to correct any mistakes I may have made in my notes. I’d like to eventually follow up with Nishant and get more information on his last tweet about the RP not needing to know the decision context. I generally agree with the statement but I am wondering about the use cases where the RP does want/need to know about the decision context. … maybe you guys @nishantK, @paulmadsen, or @indpendentid could add some examples of what a “decision context” would or coud look like.
paulmadsen Is it within a PDPs job description to respond to queries of the form ‘I intend to do X at Y. That OK?’ with a signed ‘You can do X at Y’ |
| bobblakley
@paulmadsen You’ve essentially described a subject-bound capability. You can do this as a bearer token too; “the bearer can do X at Y” |
| bobblakley
@bobblakley @paulmadsen (and to answer your actual question: it depends. On the PDP’s interface and semantic description) |
| paulmadsen
@bobblakley thanks Bob, that’s what I expected. So PDP not necessarily constrained to y/n answers |
| independentid
@paulmadsen Pre-use decisions carry the same issues as claims-based attributes. Tendency towards more information in case of need>gtr costs |
| paulmadsen
@independentid you seem to be interpreting ‘claims- based’ more narrowly than I, ie that they necessarily imply capabilities/pre-use authz? |
| NishantK
@paulmadsen But that’s the model that is needed to deliver on the promise of claims-based authorization, isn’t it? /cc @independentid |
| paulmadsen
@NishantK I think a claim can carry (as per Hal) either a property or a capability – the latter implies the issuer does some ‘pre-authz’ |
| NishantK
@paulmadsen Agreed. But to @independentid’s point, both cases precede actual use, and force sender of claim to “plan” for all possibilities |
| independentid
@NishantK @paulmadsen How does sender know what decisions will be needed? Discovery – securityconstaint? Can decider decide without context? |
| paulmadsen
@NishantK but with the property model, the issuer doesnt need to know the particulars of the subsequent use – like a passport |
| paulmadsen
@independentid agreed. Capabilities model implies resource info made available to PAP |
| independentid
@paulmadsen Kind of like the “visa”s we use to have meetings in the US? The analogy that advance decisions are like passport visas. |
| paulmadsen
@independentid who issued the visa – Canada or the US? |
| independentid
@paulmadsen Well, I believe since you are in Canada, the PDP is US. I know its confusing, since your US PDP is actually in Ottawa |
| paulmadsen
@independentid its an exit visa Im thinking of, ie Canada saying Im allowed to leave |
| NishantK
@paulmadsen Yes, property model means issuer doesn’t need to know, but also can’t know if it wants to (which is a real issue for enterprise) |
| NishantK
@paulmadsen Also externalizing authZ is about RP not needing to know decision context (something they’re often bad at), leaving it to Issuer
|
|
benatnovell
@brad_tumy I think @nishantk was right on about RP not needing to know decision context… I feel it is a core tenant of externalizing autZ 4/7/11 5:41 PM |
| benatnovell @brad_tumy @nishantk I think it is a separation of duties issue… if info is to be shared with the RP, should be by the issuer not the PDP 4/7/11 5:45 PM |
| paulmadsen RT @brad_tumy @benatnovell @nishantk agree they don’t “need” to know most cases … is there a case where would need to know? < Audit? 4/7/11 5:47 PM |
| Steve_Lockstep @paulmadsen @brad_tumy CCW as in COM Callable Wrapper? Too tech for me  I just say context usually clear to RP so design claims to match4/7/11 5:50 PM |
| NishantK @paulmadsen So you’re saying that “Because he told me to” won’t hold up under auditors stern (but loving) gaze? @brad_tumy @benatnovell 4/7/11 6:01 PM |
| NishantK @brad_tumy @benatnovell Usually done for regulatory CYA. But sometimes it’s needed because of specifics in contract SLAs 4/7/11 6:02 PM |
| NishantK @brad_tumy @benatnovell In any case, most RPs don’t know anyway. Role acts as proxy for context. RP usually doesn’t know why user has role 4/7/11 6:05 PM |
| Steve_Lockstep @paulmadsen @benatnovell @brad_tumy @NishantK What’s a good catalog of externalised authz use cases? Issuer != PDP seems so academic to me 4/7/11 6:51 PM |
| Steve_Lockstep @paulmadsen @benatnovell @brad_tumy @NishantK That was genuine request for catalog of extern’ed authz use cases please. I need enlightening 4/7/11 9:38 PM |
| paulmadsen @Steve_Lockstep For externalized authz examples, ‘To the Cloud!’ ( well actually to @ggebel ) @benatnovell @brad_tumy @NishantK 4/8/11 6:39 AM |
| brad_tumy @Steve_Lockstep @paulmadsen @benatnovell @nishantk I think the Federal ICAM BAE is a good source http://t.co/cUpFGEX 4/8/11 8:26 AM |
|
brad_tumy
@brad_tumy @steve_lockstep @paulmadsen @benatnovell @nishantk I think @aniltj could add some insight as well to use cases for external authz 4/8/11 8:31 AM |
Creating self-signed certs for a development environment. #Oracle #IDM #PKI
Implementing Identity and Access Management requires working with PKI certs to secure communication channels. For development purposes you can create your own self-signed certificates. I use OpenSSL as the RootCA (Signing Authority) and keytool as interface to the Java Key Store (JKS).
The following outlines the steps required to create a RootCA, generate a certificate request, sign the request and then import the signed certificate back into the JKS.
A few notes about my environment:
- These instructions were validated on Oracle Enterprise Linux (for most flavors of Linux these instructions will be the same)
- OpenSSL and Keytool were already installed on the server
- In my example everything was installed on the same server … your OpenSSL instance may be on a different server.
- OpenSSL and Keytool are available on my users $PATH … yours may not be.
So, let’s do this thing …
Configure a CA, using OpenSSL
- Create a working directory:mkdir /opt/rootCA
- Under /opt/rootCA make the following directories: private, certs, newcerts
- Change the permissions of rootCA (and subdirectories):chmod -R 700 /opt/rootCA
- From the /opt/rootCA directory, find (system wide) and make a local copy of the openssl.cnf (/opt/rootCA/openssl.cnf). You do not have to use the default configuration file that is installed with OpenSSL. In my case it was owned by root and I couldn’t change it anyway. So, I made a copy of it and was able to make the changes I needed. Note: I set all of the attributes to optional because I kept getting an error when I tried to sign the certificate that some of the required attributes were missing from the server certificate (maybe a bug??)
- Create the CA certificate:openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
Create a keystore and private key:
keytool -genkey -alias alias -keyalg RSA -keysize 1024 -dname “server dn” -keypass keypass -keystore keystore.jks -storepass storepass
Create a certificate request (CSR) from the application server:
keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks
Sign the Certificate Requst:
- Sign the CSRopenssl ca -config openssl.cnf -in ../Middleware/keystores/servername.csr -out newcerts/servername.pem
Import the Trusted Root CA into the servers keystore:
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass storepass
Convert the signed cert (*.cer) into DER format (keytool preference) **
openssl x509 -outform der -in certificate.pem -out certificate.der
Import the signed cert into they server’s keystore:
keytool -import -v -alias alias-file servername.der -keystore keystore.jks -keypass keypass -storepass storepass
**Note: keytool whined that the cert was not in der format so, I used openssl to convert it.
I would love to hear feedback on these instructions and any steps that would make this easier.
