Monday, May 23, 2011

IWA, PIV and Form Based Authentication -- Oracle Access Manager 10.1.4.3


Please review this excellent blog post by David Abramowicz, a Senior Sales Consultant for Oracle in Sweden, who put together a how-to for setting up OAM with multiple authentication types while preserving the originally requested URL. This post uses his idea, but in a different way.

Business case: if a user is logged in to a Windows workstation on the intranet and tries to access any protected resource, access should be seamless (using IWA). The user may have logged in to the workstation either with an Active Directory username/password or with a PIV card and PIN.

If IWA fails, or if the user is trying to access the protected resource from outside the network, the user is presented with a choice between PIV (certificate) and form-based login.

Part I ( Make IWA work)

1. Configure an AccessGate in the OAM access management console.
2. Install the WebGate on IIS (I am using the default website).
3. Create a folder under wwwroot/ called "protected".
4. Create an ASP page called headers.asp (you can modify it to test the headers) and an empty test.html (nothing in this page).
5. Protect this directory in the IIS Management console with IWA.
6. Create an authentication scheme in the OAM admin console.
7. Create a policy to protect the /protected folder on IIS.
8. Check that the IWA authentication is successful by looking for the obSSOCookie.

Apache Webserver, Mod_jk, Tomcat, ssl, client authentication

Apache+ssl webserver, and Tomcat6 with Client Authentication
1. Download and install Apache HTTP Server 2.2 with OpenSSL (Download Apache with SSL).
2. Download and install OpenSSL for Windows (Download Open SSL).
3. Download and install Tomcat 6 (Download Tomcat).
Add C:\OpenSSL-Win32\bin (the folder where you installed OpenSSL) to the PATH variable under environment variables.
Create a folder "CA" under "C:\", and a folder "certificates" under "C:\CA".
Create "servercerts" and "clientcerts" folders under "C:\CA\certificates".
Open a command prompt and cd to "C:\CA\".
Create the Certificate Authority (CA)
· Generate a private key
· Create a certificate request
· Self-sign the certificate.
Generate a private key
C:\CA>openssl genrsa -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
....++++++
e is 65537 (0x10001)
Create a certificate request
C:\CA>openssl req -new -key ca.key -out ca.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:ptcube
Email Address []:admin@ptcube.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:ptcube
Self-sign the certificate.
C:\CA>openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=ptcube/emailAddress=admin@ptcube.com
Getting Private key

Setup the Web Server Certificate

On the web server, create a self-signed certificate for SSL requests

· C:\CA>cd certificates
· C:\CA\certificates>cd servercerts
· Generate a private key
· Create a certificate request
· Sign the certificate
Generate a private key
C:\CA\certificates\servercerts>openssl genrsa -out server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................................................................++++++
.........................++++++
e is 65537 (0x10001)
Create a certificate request
C:\CA\certificates\servercerts>openssl req -new -key server.key -out server.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:ptcube-iam.ptcube.com
Email Address []:admin@ptcube.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:ptcube
Sign the certificate
C:\CA\certificates\servercerts>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=ptcube-iam.ptcube.com/emailAddress=admin@ptcube.com
Getting Private key

Install the CA Certificate on the Web Server

Tell the web server (Apache) where it can find the CA certificate, in httpd-ssl.conf.

Modify SSLCACertificateFile to point to the ca.crt you created, and SSLCertificateFile and SSLCertificateKeyFile to point to the server.crt and server.key you created, for example:
 SSLCACertificateFile "C:/Apache2.2/conf/ca/ca.crt"
Restart your Apache server and check that you can access it over HTTPS.

Setup Apache webserver to enforce Client Certificate for Access

Modify the SSLVerifyClient directive in httpd-ssl.conf and set it to "require":

SSLVerifyClient require

Request a Client Certificate

· Generate a private key
· Create a certificate request
· Sign the certificate with the CA you created before
Generate a private key

C:\CA\certificates\clientcerts>openssl genrsa -out client.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..............................++++++
..............++++++
e is 65537 (0x10001)

Create a certificate request
C:\CA\certificates\clientcerts>openssl req -new -key client.key -out client.csr -config c:\Apache2.2\conf\openssl.cnf
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:venkat kakanaboyina
Email Address []:venkat3012gs@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:password
Sign the certificate with the CA you created before

C:\CA\certificates\clientcerts>openssl x509 -req -days 365 -CA c:\ca\ca.crt -CAkey c:\ca\ca.key -CAcreateserial -in client.csr -out client.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=venkat kakanaboyina/emailAddress=venkat3012gs@yahoo.com
Getting CA Private Key

Import the Client Certificate

Create a PKCS#12 document from the client private key and the signed certificate:

C:\CA\certificates\clientcerts>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

Now try accessing the same URL as before. You should be prompted to pick the certificate.
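The CA and client-certificate steps above, scripted non-interactively as a POSIX sh example added here (it is not from the original post), together with the check that SSLVerifyClient require effectively performs: a client certificate verifies against ca.crt only if that CA issued it. It assumes openssl is on the PATH, uses 2048-bit keys and -subj in place of the interactive prompts, a constructed export password, and adds basicConstraints to the CA certificate, which recent OpenSSL releases check before accepting a certificate as an issuer.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the CA and client
# certificate steps non-interactively, then checks the decision Apache makes
# under SSLVerifyClient require / SSLCACertificateFile ca.crt: only a client
# certificate issued by that CA verifies. Assumes openssl on PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"            # scratch directory (constructed)
SUBJ="/C=US/ST=VA/L=sterling/O=ptcube/OU=it"

# CA in $WORK/$1 with CN $2: key, CSR, self-signed cert (the post's three steps).
# basicConstraints/keyUsage are added so current OpenSSL treats it as a CA.
make_ca() {
  dir="$WORK/$1"; mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj "$SUBJ/CN=$2"
  openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Client cert under $WORK/$1/clientcerts with CN $2, signed by the CA in
# $WORK/$1, then bundled as PKCS#12 for browser import (constructed password).
make_client_cert() {
  dir="$WORK/$1/clientcerts"; mkdir -p "$dir"
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "$SUBJ/CN=$2"
  openssl x509 -req -days 365 -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" \
    -CAcreateserial -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
    -out "$dir/client.p12" -passout pass:changeit
}

# Exit 0 if the client cert in $WORK/$2 chains to the CA in $WORK/$1, else 1.
client_cert_accepted() {
  openssl verify -CAfile "$WORK/$1/ca.crt" "$WORK/$2/clientcerts/client.crt" >/dev/null 2>&1
}

make_ca trusted ptcube                        # the CA Apache is told about
make_ca other other-ca                        # a CA Apache does not trust
make_client_cert trusted "venkat kakanaboyina"
make_client_cert other "venkat kakanaboyina"  # same name, wrong issuer
client_cert_accepted trusted trusted && echo "cert from our CA: accepted"
client_cert_accepted trusted other || echo "cert from another CA: rejected"
```

The second client certificate carries the same subject name but fails verification, which is the property the SSLCACertificateFile setting relies on: identity comes from the issuer, not from the name in the certificate.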

Now integrate Apache with Tomcat using mod_jk.
Download mod_jk from this link, and read the installation and configuration document (Mod_JK configuration).
Copy mod_jk-1.2.31-httpd-2.2.3.so into the "c:/apache2.2/modules/" directory.
Add the following line to the server.xml file in the tomcat/conf directory:
<Listener className="org.apache.jk.config.ApacheConfig" modJk="C:/Apache2.2/modules/mod_jk-1.2.31-httpd-2.2.3.so" />
Restart Tomcat. You should see a folder "auto" created under "conf", containing a mod_jk.conf file.
Create a folder "jk" under "conf" and copy the "mod_jk.conf" file from the "auto" directory into it. The mod_jk.conf file under "auto" is regenerated every time you restart Tomcat, so to avoid overwriting our custom changes we move it to the "jk" folder.
Delete the following from the mod_jk.conf file:
<VirtualHost localhost>
    ServerName localhost
    JkMount /examples ajp13
    JkMount /examples/* ajp13
    JkMount /host-manager ajp13
    JkMount /host-manager/* ajp13
    JkMount /docs ajp13
    JkMount /docs/* ajp13
    JkMount /manager ajp13
    JkMount /manager/* ajp13
</VirtualHost>
Add the following to this file:
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories +ForwardSSLCertChain
# JkRequestLogFormat set the request format
JkRequestLogFormat     "%w %V %T"
# JkMount points
JkMount /example/* worker1
JkMount /*/* worker1
# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT
Create a workers.properties file in the "jk" folder with the following content:
workers.tomcat_home=C:/apache-tomcat-6.0.18
workers.java_home=C:/Program Files/Java/jdk1.5.0_22
ps=\
# Only one ajp13 worker is defined here; additional workers (and a load-balancing
# worker) can be added to worker.list as needed, e.g.
# worker.list=worker1, worker2, worker3
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=ptcube-iam.ptcube.com
worker.worker1.port=8009
worker.worker1.lbfactor=1
worker.worker1.connection_pool_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=60
worker.worker1.cachesize=10

Include the "mod_jk.conf" file from httpd-ssl.conf:
Include C:/apache-tomcat-6.0.18/conf/jk/mod_jk.conf
Restart both Tomcat and Apache. You can now access the Tomcat content through the Apache web server over SSL with client authentication.