Page 1
Securing the New Digital Experience
Under Attack: Designing Diversified Websystems using Oracle API Gateway
Steffo Weber, Oracle
Tuesday, 11-June-2013
Thursday, 13 June 2013
Page 2
Overview
Risks, Measures, Limits
‣ Securing operations
‣ What to do under attack
‣ Additional measures
‣ What cannot be solved
‣ Redundancy vs Diversity
Pages 3-4
Risk and Threat: Reducing the risk
‣ Common threats
  • Password theft
  • Denial of service
  • Unauthorized access to data
‣ Common counter-measures
  • Encryption
  • High availability
  • Strong authentication
  • Screening
What if the security mechanisms themselves fail?
Page 5
Errors in security implementations: The SAML case
‣ SAML
  • OpenSSO, IBM DataPower
‣ SSL vulnerabilities
  • Lucky Thirteen, BEAST, renegotiation attack (DoS)
  • OpenSSL, SSLeay
‣ SSH vulnerabilities
  • Leak of private data
  • OpenSSH et al.
‣ Packet filtering
  • Firewalls
  • iOS
Pages 6-15
Recap. WebSSO
Download from Oracle (oracle.com): you are asked to sign in first.
Same with Oracle Support: you have to log in.
But once you are logged in, Support opens without a second login: one session covers the Oracle sites.
Pages 16-21
Recap. SAML: SAML allows for multi-site SSO
oracle.com, with otn.oracle.com and support.oracle.com: SSO within one domain.
ibm.com: LOGIN via Oracle. ibm.com sends an AuthnRequest, oracle.com answers with a Response that carries an Assertion issued by identity.oracle.com (schematic):

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  FROM: ibm.com
</samlp:AuthnRequest>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  FROM: oracle.com
  <saml:Assertion>
    <saml:Issuer>identity.oracle.com</saml:Issuer>
  </saml:Assertion>
</samlp:Response>

On the wire the AuthnRequest reaches the IdP as an HTTP GET, with the request carried in the SAMLRequest query parameter:

GET /fed/idp/samlv20?SAMLRequest=<base64string> HTTP/1.1
Host: identity.oracle.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://ibm.com:8080/fedletsample/
Pragma: no-cache
Cache-Control: no-cache

Sanity check: this SAMLRequest parameter is input from the outside that the IdP parses before anyone has authenticated. Is it checked first?
Pages 22-23
Recap. SOAP WS: think of RMI or RPC or ...
HTTP message:
POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 645

SOAP message:
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
               soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body xmlns:m="http://www.example.org/stock">
    <m:GetStockPrice>
      <m:StockName>ORCL</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>

OAG is made to handle this out of the box.
Pages 24-25
Federated Login
SAML message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://ibm.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

HTTP message: unlike the SOAP case, the SAML message is not the HTTP body; it travels deflated and base64-encoded inside the SAMLRequest query parameter of the GET shown above (GET /fed/idp/samlv20?SAMLRequest=<base64string>, Host: identity.oracle.com:8080).

Not handled out of the box: OAG's default XML filters only see a message body, so the parameter has to be unpacked first.
Page 26
The SAML case: check SAMLRequest messages
SAML Request -> OAG (reverse proxy) -> identity.oracle.com
Pages 27-28
Configure OAG: get the SAMLRequest
GET /fed/idp/samlv20?SAMLRequest=<base64string> HTTP/1.1
Host: identity.oracle.com:8080
Referer: http://ibm.com:8080/fedletsample/
(remaining headers as captured above)
The request parameter is deflate-compressed ("zipped") and base64-encoded; it has to be decoded before any XML filter can look at it.
Pages 29-31
Configuring OAG: from HTTP parameter to DOM object
Groovy Filter: dynamic language support

import com.vordel.mime.XMLBody
import com.vordel.mime.HeaderSet
import com.vordel.mime.ContentType
import com.oracle.identity.SamlRequest   // decoder helper used on the slide: base64-decode + inflate
import groovy.xml.DOMBuilder

def invoke(msg) {
    // saml.request holds the raw SAMLRequest query parameter extracted from the GET
    def saml = msg.get("saml.request")
    // undo base64 and deflate, then parse the XML text into a DOM document
    def reader = new StringReader(SamlRequest.decode(saml))
    def samlRequest = DOMBuilder.parse(reader)
    // put the decoded document where the default filters expect a body: content.body
    def samlMimeBody = new XMLBody(new HeaderSet(),
            new ContentType(ContentType.Authority.MIME, "text/xml"), samlRequest)
    msg.put("content.body", samlMimeBody)
    return true
}

Now we can apply OAG default filters.
Page 32
Configuring OAG: applying security filters
‣ Check whether the XML document (SAML request)
  • is well-formed
  • does not exceed a certain size
  • has a limited number of children/attributes per node
  • does not contain a virus
‣ Prevent DoS attacks via throttling
  • restrict the number of messages per minute
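The whole screening step in one runnable piece, as an added example that is not OAG code and not from the slides: a Python stand-in for the Groovy filter (unpack the SAMLRequest parameter of the HTTP-Redirect binding) followed by the default-filter checks listed above (size, well-formedness, children/attributes per node, nesting depth, throttling) and the protocol-level sanity check from the SAML recap (right root element, SAML 2.0, known issuer). The limits, the function and class names, the allow-list of issuers and the sample AuthnRequest (taken from the Federated Login slide) are assumptions; the virus scan is left out.

```python
# Added example, not OAG code. Limits, names and the sample request are assumptions.
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from collections import deque
from time import monotonic

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_INFLATED_BYTES, MAX_DEPTH, MAX_CHILDREN, MAX_ATTRIBUTES = 16 * 1024, 8, 32, 16  # assumed

# Constructed sample: the AuthnRequest shown on the "Federated Login" slide.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59" '
    'AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">'
    '<saml:Issuer>https://ibm.com/SAML2</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '</samlp:AuthnRequest>'
)


class SamlRequestRejected(Exception):
    """Any failed check; the gateway answers 400 and logs the reason instead of forwarding."""


def encode_saml_request(xml_text: str) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    c = zlib.compressobj(wbits=-15)
    raw = c.compress(xml_text.encode()) + c.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def decode_saml_request(param: str) -> bytes:
    """Gateway side: undo URL-encoding and base64, then inflate under a hard cap so a few
    hundred compressed bytes cannot turn into an arbitrarily large document."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    except ValueError as e:
        raise SamlRequestRejected(f"bad base64: {e}")
    d = zlib.decompressobj(wbits=-15)
    try:
        xml_bytes = d.decompress(raw, MAX_INFLATED_BYTES)
    except zlib.error as e:
        raise SamlRequestRejected(f"bad deflate: {e}")
    if d.unconsumed_tail or not d.eof:  # output cap hit, or the stream never finished
        raise SamlRequestRejected("inflated request exceeds size limit or is truncated")
    return xml_bytes


def check_xml_structure(xml_bytes: bytes) -> ET.Element:
    """Default-filter checks: well-formed, bounded children/attributes per node, bounded
    depth. A DOCTYPE is refused before parsing, so entity expansion never runs."""
    if re.search(rb"<!DOCTYPE", xml_bytes, re.IGNORECASE):
        raise SamlRequestRejected("DOCTYPE not allowed")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as e:
        raise SamlRequestRejected(f"not well-formed: {e}")
    stack = [(root, 1)]
    while stack:
        node, depth = stack.pop()
        if depth > MAX_DEPTH:
            raise SamlRequestRejected("nesting too deep")
        if len(node) > MAX_CHILDREN or len(node.attrib) > MAX_ATTRIBUTES:
            raise SamlRequestRejected("too many children or attributes on one node")
        stack.extend((child, depth + 1) for child in node)
    return root


def check_authn_request(root: ET.Element, trusted_issuers) -> str:
    """Protocol-level sanity check: right root element, SAML 2.0, an issuer we federate with."""
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise SamlRequestRejected(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer not in trusted_issuers:
        raise SamlRequestRejected(f"unknown issuer {issuer!r}")
    return issuer


class Throttle:
    """Sliding-window limit on messages per minute per key (client IP, issuer, ...)."""

    def __init__(self, per_minute: int, clock=monotonic):
        self.per_minute, self.clock, self.seen = per_minute, clock, {}

    def allow(self, key: str) -> bool:
        now, q = self.clock(), self.seen.setdefault(key, deque())
        while q and now - q[0] >= 60:  # drop timestamps older than the window
            q.popleft()
        if len(q) >= self.per_minute:
            return False
        q.append(now)
        return True


def screen_saml_request(param: str, trusted_issuers, throttle: Throttle, client: str) -> str:
    """Gateway pipeline: throttle, decode, structural checks, protocol checks; returns the issuer."""
    if not throttle.allow(client):
        raise SamlRequestRejected(f"rate limit exceeded for {client}")
    return check_authn_request(check_xml_structure(decode_saml_request(param)), trusted_issuers)
```

The order is the point: throttling runs before any decoding work, the size limit is enforced while inflating rather than after, and the DOCTYPE check runs before the parser sees the bytes. In OAG the same chain is the Groovy filter followed by the default XML and throttling filters; `encode_saml_request` is only there to produce realistic input for the checks.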
Pages 33-35
Configuring OAG: applying security filters (screenshots of the filter chain)
Admin Console with filters (screenshot)
Pages 36-37
Diversification vs. Redundancy
‣ Scenario
  • A SAML vulnerability becomes public
  • The SSL implementation is vulnerable
  • DataPower and OpenSSO affected
‣ Solution (others are possible)
  • Only authenticated users are allowed to use the OIF service
  • Establish SSO via Access Manager
  • Terminate SSL traffic at a different implementation/box

SAMLRequest -> OAG (reverse proxy) -> WebGate, authenticating against OAM/LDAP -> identity.oracle.com
Page 38
Summary
Protection: SOAP/REST, SAML, HTML Form, Custom
Limits: Training, Coding skills
Benefits: Flexibility, Diversification, Integrated with the Oracle Stack