securing the new digital experience
TRANSCRIPT
Securing the New Digital Experience
Under Attack: Designing Diversified Websystems using Oracle API Gateway
Steffo Weber, Oracle
Tuesday, 11-June-2013
Thursday, 13 June 13
Overview
Measures, Limits, Risks
‣ Securing operations
‣ What to do under attack
‣ Additional measures
‣ What cannot be solved
‣ Redundancy vs Diversity
Risk and Threat: Reducing the risk
‣ Common threats
• Stealing passwords
• Denial of service
• Unauthorized access to data
‣ Common counter-measures
• Encryption
• High availability
• Strong authentication
• Screening
What if security mechanisms fail?
The SAML Case: Errors in security implementations
‣ SAML
• OpenSSL, IBM DataPower
‣ SSL vulnerabilities
• Lucky Thirteen, BEAST, Renegotiation attack (DoS)
• OpenSSL, SSLeay
‣ SSH vulnerabilities
• Leak of private data
• OpenSSH et al.
‣ Packet filtering
• Firewalls
• iOS
Recap. WebSSO
Download from Oracle (oracle download): sign-in first.
Same with support... (oracle support): you have to login first.
But once you're logged in... (support)
Recap. SAML: SAML allows for multi-site SSO
oracle.com (otn.oracle.com, support.oracle.com): SSO
ibm.com: LOGIN via Oracle (SSO)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">FROM: ibm.com</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">FROM: oracle.com<saml:Assertion><saml:Issuer>identity.oracle.com</saml:Issuer></saml:Assertion></samlp:Response>
GET /fed/idp/samlv20?SAMLRequest=<base64string> HTTP/1.1
Host: identity.oracle.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://ibm.com:8080/fedletsample/
Pragma: no-cache
Cache-Control: no-cache
Sanity check
Recap. SOAP WS: Think of RMI or RPC or....
SOAP Message:
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Body xmlns:m="http://www.example.org/stock">
<m:GetStockPrice>
<m:StockName>ORCL</m:StockName>
</m:GetStockPrice>
</soap:Body>
</soap:Envelope>
HTTP Message:
POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 645
OAG is made to handle this out-of-the-box.
Federated Login
SAML Message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0"
  IssueInstant="2004-12-05T09:21:59"
  AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://ibm.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
HTTP Message:
POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 645
Not handled out-of-the-box.
The SAML Case: Check SAMLRequest messages
SAML Request -> OAG Reverse Proxy -> identity.oracle.com
Configure OAG: Get SAMLRequest
GET /fed/idp/samlv20?SAMLRequest=<base64string> HTTP/1.1
Host: identity.oracle.com:8080
Request is
- zipped
- base64 encoded
Configuring OAG: From HTTP param to DOM object
Groovy Filter: dynamic language support

import com.vordel.mime.XMLBody
import com.vordel.mime.HeaderSet
import com.vordel.mime.ContentType
import com.oracle.identity.SamlRequest
import groovy.xml.DOMBuilder

// Groovy filter: read the SAMLRequest parameter (expected in the message
// attribute "saml.request"), undo the base64/deflate encoding, parse it into
// a DOM and install that DOM as the message body, so the standard OAG XML
// filters can run against it.
def invoke(msg) {
    def saml = msg.get("saml.request")
    // SamlRequest.decode(): base64-decode and inflate the parameter value
    def reader = new StringReader(SamlRequest.decode(saml))
    def samlRequest = DOMBuilder.parse(reader)
    def samlMimeBody = new XMLBody(new HeaderSet(),
            new ContentType(ContentType.Authority.MIME, "text/xml"), samlRequest)
    msg.put("content.body", samlMimeBody)
    return true
}

Now we can apply OAG default filters.
Configuring OAG: Applying security filters
‣ Check whether the XML document (SAML Request)
• is well-formed
• does not exceed a certain size
• has a limited number of children/attributes per node
• does not contain a virus
‣ Preventing DoS attacks via throttling
• restricting the number of messages per minute
Configuring OAG: Admin Console with Filters
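The slides state that the SAMLRequest parameter arrives zipped and base64-encoded and then list the structural checks the OAG XML filters apply. The following Python is an added example, not code from the slides or from OAG, that performs the same steps stand-alone: it undoes the HTTP-Redirect encoding (URL-decode, base64, raw DEFLATE) under a size cap, then parses with limits on nesting depth and on children and attributes per node, rejecting any DTD. The limit values, the helper names and the sample AuthnRequest are constructed assumptions.

```python
import base64
import urllib.parse
import zlib
from xml.parsers import expat
# Limits mirroring the checks on the slides; the numbers are assumptions for this example.
MAX_DECODED_BYTES, MAX_DEPTH, MAX_CHILDREN, MAX_ATTRS = 64 * 1024, 32, 64, 32

def decode_saml_redirect_param(param):
    """HTTP-Redirect binding: URL-decode, base64-decode, raw-inflate (no zlib header)."""
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    xml_bytes = zlib.decompressobj(wbits=-15).decompress(raw, MAX_DECODED_BYTES + 1)
    if len(xml_bytes) > MAX_DECODED_BYTES:  # cap the inflated size before parsing
        raise ValueError("decoded SAMLRequest exceeds size limit")
    return xml_bytes

def check_xml_structure(xml_bytes):
    """Well-formed, no DTD (blocks XXE/entity expansion), bounded depth, children, attributes."""
    parser, stack, deepest = expat.ParserCreate(), [], [0]
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DTD not allowed in a SAML message")
    def on_start(name, attrs):
        if len(attrs) > MAX_ATTRS:
            raise ValueError("too many attributes on <%s>" % name)
        if stack:  # this element is one more child of its parent
            stack[-1] += 1
            if stack[-1] > MAX_CHILDREN:
                raise ValueError("too many children under one node")
        stack.append(0)
        if len(stack) > MAX_DEPTH:
            raise ValueError("XML nesting too deep")
        deepest[0] = max(deepest[0], len(stack))
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.Parse(xml_bytes, True)  # raises expat.ExpatError if not well-formed
    return deepest[0]  # deepest nesting level seen

def accept_saml_request(param):
    # Gateway-style verdict: True only if the parameter decodes and passes every check.
    try:
        check_xml_structure(decode_saml_redirect_param(param))
        return True
    except (ValueError, zlib.error, expat.ExpatError):
        return False

def encode_saml_redirect_param(xml_bytes):  # inverse encoding, only to build constructed input
    return urllib.parse.quote(base64.b64encode(zlib.compress(xml_bytes)[2:-4]))

SAMPLE_AUTHN_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'  # constructed
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ibm.com/SAML2</saml:Issuer></samlp:AuthnRequest>')
```

Signature verification and issuer checks belong to the SAML layer behind the gateway; this block only covers the transport decoding and the structural screening the slide lists.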
Diversification vs. Redundancy
‣ Scenario
• SAML vulnerability becomes public
• SSL implementation is vulnerable
• DataPower and OpenSSO affected
‣ Solution (others possible)
• Only authenticated users are allowed to use the OIF service
• Establish SSO via Access Manager
• Terminate SSL traffic at a different implementation/box
Diversification vs. Redundancy
SAMLRequest -> OAG Reverse Proxy with WebGate -> identity.oracle.com; WebGate authenticates against OAM, backed by LDAP
Summary
Protection
‣ SOAP/REST
‣ SAML
‣ HTML Form
‣ Custom
Limits
‣ Training
‣ Coding Skills
Benefits
‣ Flexibility
‣ Diversification
‣ Integrated with Oracle Stack