Hands On Identity

FREEDOM!! #StopSOPA

Brad Tumy — Wed, 18 Jan 2012 18:14:29 +0000

To protest SOPA I am sharing this content (that is not my original material).

p.s.
I am also advocating for Freedom for Scotland, Voice Activated for native Scottish speakers, funny videos, and purple unicorns. <— their real … go check Wikipedia…

Filed under: IdM

Recommended IDM Books #IDM #infosec

Brad Tumy — Wed, 11 Jan 2012 19:04:01 +0000

Here are the books that I refer to in my IDM work:

Oracle:

ForgeRock:

OpenAM

Filed under: IdM

Using sed to clean up an LDIF file for import #Oracle #Identity #UNIX

Brad Tumy — Tue, 10 Jan 2012 16:06:47 +0000

I needed to import a group of users, into Oracle Internet Directory (OID) with attributes in a variety of backend data stores. I used Oracle Virtual Directory to virtualize the data stores into a single ldap view. I used the OVD adapter configuration to specify which attributes I wanted returned. I then exported using the export control from Apache Directory Studio. This resulted in an ldif file containing all of the records I needed with attributes. There were a few additional attributes as a result of using OVD that I now had to deal with.

I ended up with an ldif file that contained a lot of records like this:

dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: 1234556677@ACME.GOV
cn: Babs.Jensen@ACME.gov
cn: Jensen, Babs
sn: Jensen
givenName: Babs
mail: BABS.JENSEN@ACME.GOV
vdejoindn: ou=acmeinfo_temp:cn=JENSEN\,BABS,ou=acmeinfo_temp
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t
emp,dc=acme,dc=local
fascnDecoded: 1234567890987654321
guid: ABcdedghi1234567890
ssn: 12345678

…

Note: With the SED command you can make changes directly to the source file but I am creating a new target file with each change I can make so that I can always revert back if the command doesn’t work exactly the way I want it to.

I wanted to get rid of lines that don’t start with an attribute name (In my case I am free to get rid of lines that carry over into the second line … YMMV)

I also wanted to specifically wanted to get rid of all lines that start with “vdejoindn:” and there are also some vdejoindn lines that overrun onto a second line that won’t beremoved if I use sed to remove lines with the pattern matching vdejoindn:.

So, first I want to remove all lines that don’t contain a colon. This removes the overrun lines but also all blank lines.

$ sed ‘/:/!d’ input.ldif > tmp.ldif

this keeps the lines with a colon.

But now we don’t have breaks between the records

$ sed ‘s/^dn:/\n&/g’ tmp.ldif > tmp2.ldif

Ok, now I want to get rid of the lines that have “vdejoindn:”.

$ sed ‘/vdejoindn:/d’ tmp2.ldif > tmp3.ldif

Now at some point I ended up with “^M” at the end of each file … I don’t know if this is because I opened with VIM in Windows before moving to Linux … I am going to assume so but either way in this instance I want to remove these characters.

$ dos2unix tmp3.ldif > tmp4.ldif

Alright, Now, for me to import this into Oracle Internet Directory (OID) I’ll need to add the “changetype” directive. I am going to add the string “changetype: add” on a new line after each line with “ou=temp_user_load:” which is the temporary suffix I used in this export.

$ sed ‘/ou=temp_user_load/ a\changetype: add’ tmp4.ldif > tmp5.ldif

Now, should be the last step, prior to importing, is to correct the entries “DN” attribute. Essentially, we need to replace “ou=temp_user_load” with the correct suffix for where these users will be created.

$ sed ‘s/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g’ tmp5.ldif > tmp6.ldif

At this point my ldif file (“tmp6.ldif”) is ready to import into my directory. You can use the ldapmodify command or since I am using OID you can use bulkload (which is recommended for large record sets).

Filed under: Directory Services, IdM, Linux, Oracle Tagged: Identity, Linux, Oracle, sed

Migrating User objects (and userpassword) in OID

Brad Tumy — Mon, 09 Jan 2012 20:31:09 +0000

Assumptions:

Legacy OID SID = infra1

New OID SID = orcl1

Step 1. Export All Objects from the Root realm:

Export the data from, the root realm, out of the legacy directory:

ldifwrite -c infra1 -b “o=xxx,c=yy” -f out.ldif

Remove the userpassword attribute:

sed ‘/userpassword:/d’ out.ldif > tmp.ldif

Replace the output file with the updated file (passwords removed)

mv temp.ldif out.ldif

Stop the OID process of the new OID (opmnctl stopall)

Use bulkload to check the schema and generate an intermediate file:

bulkload -connect=orcl -check=true -generate=true -file=out.ldif

Assuming there are no errors, use bulkload to load the data into the new directory.

Bulkload -connect=orcl -load=true -file=out.ldif

Restart the OID process of the new OID (opmnctl startall)

Step 2. Migrate userpassword attribute

Export the dn and userpassword attribute from each object that has userpassword:

ldapsearch -h hostname -p port -D “cn=orcladmin” -w password -s sub -b “” “objectclass=*” dn userpassword > ./pwdout.ldif

Import the user passwords into the new directory

ldapmodify -h hostname -p port -D “cn=orcladmin” -w password -f ./pwdout.ldif

Filed under: IdM

uh, so … what version was that again? #Oracle #Fusion #Identity #OHS

Brad Tumy — Thu, 13 Oct 2011 15:21:32 +0000

A really quick post to share something that I found this morning. I am constantly trying to remember the exact version of OHS (Oracle HTTP Server) that is installed (Actually any Fusion Middleware component). Sometimes I am inheriting an existing environment or validating someone else’s environment and need to baseline what is installed.

Here is how to get a list of what components are installed and their current version:

$ORACLE_HOME/OPatch/opatch lsinventory -detail

This will dump out a ton of information on the instance of OHS.

Filed under: IdM

Book Review: Oracle Identity and Access Manager 11g for Administrators (Packt Publishing)

Brad Tumy — Fri, 07 Oct 2011 13:03:51 +0000

As many of you may know, Atul Kumar, has finished writing his book “Oracle Identity and Access Manager 11g for Administrators“. I had the pleasure of being a technical reviewer for this book. If you know Atul or his website then you know my job was pretty easy as he is well versed and experienced with Oracle Identity Management. I was pretty excited to finally get a hard copy of this book because, to be honest with you, I was already using this book as a reference before it was finished . I had been having some difficulty deploying an access agent within the new 11g framework and I was able to find a very detailed explanation within Atul’s book. I am not sure that I can give a higher compliment to an author than to say, “I was using your book before it was even printed!”.

What I like best about this book is that Atul starts out in the first chapters with a very nice, detailed, explanation of Identity Management and then builds on that explanation to introduce each component of Oracle Identity and Access Manager. Several chapters are tied together in that they build on fundamentals explained in a previous chapter but that doesn’t mean that someone couldn’t jump into a chapter and not still receive a good understanding of those specific concepts.

I have already recommended this book to several people that are new to Oracle Identity Management as well as to some folks that have several years of Oracle Identity Management experience. I recommend this book to anyone who is working with Oracle Identity and Access Management 11g.

Filed under: IdM

Change the Listen Port for Weblogic AdminServer #Oracle #IDM #Identity

Brad Tumy — Thu, 01 Sep 2011 20:29:48 +0000

I had to re-install my Oracle Identity Management environment server and I must have had a listener running that I forgot to shutdown. The default Admin Port (7001) wasn’t available, so the installer used 7002. Typically, I would have shutdown all of the services, restarted the server and then uninstall the software. This usually frees up all of the default ports and allows me to perform a clean install. I am not sure what happened … but my mistake is an opportunity to share a good lesson. Usually using 7002 for the Admin listener would not be a big deal but in this particular environment all of the ports, except those specifically requested in advance, are blocked by a firewall. So, once I had the new install finished I wasn’t able to reach the Fusion Middleware Console (e.g., http://idm.acme.com:7001/em) from my desktop browser.

I was a little nervous about changing this because sometimes the port number is referenced in a lot of different places which makes changing it a little difficult to say the least.

As it turns out changing this is pretty trivial. You need to change the port referenced in the config.xml file and then in the startup and shutdown scripts. That’s it.

Step 1. Modify the config.xml file:

Open the following file: $Middleware_home/user_projects/domains/IDMDomain/config/config.xml

In the server directive, change the value from 7002 to 7001: (Make sure you catch all instances of the port)

    AdminServer
    1000
    200000
    20
    21

      AdminServer
      true
      7001

    idm.acme.com
    7001

Ok, so save those changes and then go to Step 2.

Step 2. Modify shutdown scripts:

Change to the directory that contains the startup and shutdown scripts for Weblogic:

$ cd $MIDDLEWARE_HOME/user_projects/domains/IDMDomain/bin

You will need to edit the following files: startManagedWeblogic.sh, stopWeblogic.sh and stopManagedWeblogic.sh

Look for the ADMIN_URL variable and change the port in the value (e.g., ADMIN_URL=”t3://idm.acme.com:7001″) from 7002 to 7001.

That’s it!

Now, save the changes to those to files and then restart WebLogic Admin and any managed servers.

Filed under: IdM

Federal #ICAM “Reading List” #IDM #Identity

Brad Tumy — Tue, 26 Apr 2011 12:49:46 +0000

I have had a number of conversations over the last few weeks regarding ICAM, which is the U.S. Government’s Identity, Credentialing, and Access Management initiative. Essentially, these are a set of guidelines, frameworks and specifications to assist Federal agencies in implementing Identity and Access Management. I have had my own library that I often refer to and I thought it would be good to share these links here:

Filed under: ICAM, IdM

claims-based authorizations conversation

Brad Tumy — Thu, 07 Apr 2011 21:29:39 +0000

I was following a conversation on Twitter about claims-based authorizations … the guys having the conversation brought up some pretty good points and I thought it would be great to have a copy of this conversation. Feel free to correct any mistakes I may have made in my notes. I’d like to eventually follow up with Nishant and get more information on his last tweet about the RP not needing to know the decision context. I generally agree with the statement but I am wondering about the use cases where the RP does want/need to know about the decision context. … maybe you guys @nishantK, @paulmadsen, or @indpendentid could add some examples of what a “decision context” would or coud look like.

paulmadsen

Is it within a PDPs job description to respond to queries of the form ‘I intend to do X at Y. That OK?’ with a signed ‘You can do X at Y’

4/7/11 1:40 PM

bobblakley

@paulmadsen You’ve essentially described a subject-bound capability. You can do this as a bearer token too; “the bearer can do X at Y”

4/7/11 1:47 PM

bobblakley

@bobblakley @paulmadsen (and to answer your actual question: it depends. On the PDP’s interface and semantic description)

4/7/11 1:50 PM

paulmadsen

@bobblakley thanks Bob, that’s what I expected. So PDP not necessarily constrained to y/n answers

4/7/11 2:02 PM

independentid

@paulmadsen Pre-use decisions carry the same issues as claims-based attributes. Tendency towards more information in case of need>gtr costs

4/7/11 2:17 PM

paulmadsen

@independentid you seem to be interpreting ‘claims- based’ more narrowly than I, ie that they necessarily imply capabilities/pre-use authz?

4/7/11 2:27 PM

NishantK

@paulmadsen But that’s the model that is needed to deliver on the promise of claims-based authorization, isn’t it? /cc @independentid

4/7/11 2:52 PM

paulmadsen

@NishantK I think a claim can carry (as per Hal) either a property or a capability – the latter implies the issuer does some ‘pre-authz’

4/7/11 2:56 PM

NishantK

@paulmadsen Agreed. But to @independentid’s point, both cases precede actual use, and force sender of claim to “plan” for all possibilities

4/7/11 3:28 PM

independentid

@NishantK @paulmadsen How does sender know what decisions will be needed? Discovery – securityconstaint? Can decider decide without context?

4/7/11 3:32 PM

paulmadsen

@NishantK but with the property model, the issuer doesnt need to know the particulars of the subsequent use – like a passport

4/7/11 3:32 PM

paulmadsen

@independentid agreed. Capabilities model implies resource info made available to PAP

4/7/11 3:36 PM

independentid

@paulmadsen Kind of like the “visa”s we use to have meetings in the US? The analogy that advance decisions are like passport visas.

4/7/11 3:36 PM

paulmadsen

@independentid who issued the visa – Canada or the US?

4/7/11 3:41 PM

independentid

@paulmadsen Well, I believe since you are in Canada, the PDP is US. I know its confusing, since your US PDP is actually in Ottawa

4/7/11 3:43 PM

paulmadsen

@independentid its an exit visa Im thinking of, ie Canada saying Im allowed to leave

4/7/11 3:49 PM

NishantK

@paulmadsen Yes, property model means issuer doesn’t need to know, but also can’t know if it wants to (which is a real issue for enterprise)

4/7/11 4:28 PM

NishantK

@paulmadsen Also externalizing authZ is about RP not needing to know decision context (something they’re often bad at), leaving it to Issuer

4/7/11 4:41 PM

Additional comments made: The conversation continued after I had left work … and then picked up briefly this morning. I wanted to add the additional comments so that the entire thread was captured.

I agree with Steve and would like to see a collection of use cases that focus on externalized authorization. @paulmadsen suggested that @ggebel was the go to source for such use cases. I know that he has been blogging about these here (http://analyzingidentity.com/).

benatnovell
@brad_tumy I think @nishantk was right on about RP not needing to know decision context… I feel it is a core tenant of externalizing autZ
4/7/11 5:41 PM

benatnovell
@brad_tumy @nishantk I think it is a separation of duties issue… if info is to be shared with the RP, should be by the issuer not the PDP
4/7/11 5:45 PM

paulmadsen
RT @brad_tumy @benatnovell @nishantk agree they don’t “need” to know most cases … is there a case where would need to know? < Audit?
4/7/11 5:47 PM

Steve_Lockstep
@paulmadsen @brad_tumy CCW as in COM Callable Wrapper? Too tech for me I just say context usually clear to RP so design claims to match
4/7/11 5:50 PM

NishantK
@paulmadsen So you’re saying that “Because he told me to” won’t hold up under auditors stern (but loving) gaze? @brad_tumy @benatnovell
4/7/11 6:01 PM

NishantK
@brad_tumy @benatnovell Usually done for regulatory CYA. But sometimes it’s needed because of specifics in contract SLAs
4/7/11 6:02 PM

NishantK
@brad_tumy @benatnovell In any case, most RPs don’t know anyway. Role acts as proxy for context. RP usually doesn’t know why user has role
4/7/11 6:05 PM

Steve_Lockstep
@paulmadsen @benatnovell @brad_tumy @NishantK What’s a good catalog of externalised authz use cases? Issuer != PDP seems so academic to me
4/7/11 6:51 PM

Steve_Lockstep
@paulmadsen @benatnovell @brad_tumy @NishantK That was genuine request for catalog of extern’ed authz use cases please. I need enlightening
4/7/11 9:38 PM

paulmadsen
@Steve_Lockstep For externalized authz examples, ‘To the Cloud!’ ( well actually to @ggebel ) @benatnovell @brad_tumy @NishantK
4/8/11 6:39 AM

brad_tumy
@Steve_Lockstep @paulmadsen @benatnovell @nishantk I think the Federal ICAM BAE is a good source http://t.co/cUpFGEX
4/8/11 8:26 AM

brad_tumy
@brad_tumy @steve_lockstep @paulmadsen @benatnovell @nishantk I think @aniltj could add some insight as well to use cases for external authz
4/8/11 8:31 AM

Filed under: IdM

Creating self-signed certs for a development environment. #Oracle #IDM #PKI

Brad Tumy — Wed, 06 Apr 2011 20:52:56 +0000

Implementing Identity and Access Management requires working with PKI certs to secure communication channels. For development purposes you can create your own self-signed certificates. I use OpenSSL as the RootCA (Signing Authority) and keytool as interface to the Java Key Store (JKS).

The following outlines the steps required to create a RootCA, generate a certificate request, sign the request and then import the signed certificate back into the JKS.

A few notes about my environment:

These instructions were validated on Oracle Enterprise Linux (for most flavors of Linux these instructions will be the same)
OpenSSL and Keytool were already installed on the server
In my example everything was installed on the same server … your OpenSSL instance may be on a different server.
OpenSSL and Keytool are available on my users $PATH … yours may not be.

So, let’s do this thing …

Configure a CA, using OpenSSL

Create a working directory:mkdir /opt/rootCA
Under /opt/rootCA make the following directories: private, certs, newcerts
Change the permissions of rootCA (and subdirectories):chmod -R 700 /opt/rootCA
From the /opt/rootCA directory, find (system wide) and make a local copy of the openssl.cnf (/opt/rootCA/openssl.cnf). You do not have to use the default configuration file that is installed with OpenSSL. In my case it was owned by root and I couldn’t change it anyway. So, I made a copy of it and was able to make the changes I needed. Note: I set all of the attributes to optional because I kept getting an error when I tried to sign the certificate that some of the required attributes were missing from the server certificate (maybe a bug??)
Create the CA certificate:openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

Create a keystore and private key:

keytool -genkey -alias alias -keyalg RSA -keysize 1024 -dname “server dn” -keypass keypass -keystore keystore.jks -storepass storepass

Create a certificate request (CSR) from the application server:

keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks

Sign the Certificate Requst:

Sign the CSRopenssl ca -config openssl.cnf -in ../Middleware/keystores/servername.csr -out newcerts/servername.pem

Import the Trusted Root CA into the servers keystore:
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass storepass

Convert the signed cert (*.cer) into DER format (keytool preference) **

openssl x509 -outform der -in certificate.pem -out certificate.der

Import the signed cert into they server’s keystore:
keytool -import -v -alias alias-file servername.der -keystore keystore.jks -keypass keypass -storepass storepass

**Note: keytool whined that the cert was not in der format so, I used openssl to convert it.

I would love to hear feedback on these instructions and any steps that would make this easier.

Filed under: IdM