Month: May 2010

Sunday afternoon security #security #cyberwar


It’s a typical lazy Sunday afternoon.  Watching cartoons with my kids, surfing the net and trying to catch up on the state of the world (via Twitter and Google).  A few interesting things have piqued my interest and I wanted to put down some thoughts on these.

  1. Saw the term “securing the castle” for the first time today.  For some reason I really like that term, and to me it really resonates with what we (security practitioners) are trying to accomplish.  I saw the term in a blog post on https://www.infosecisland.com/, which is a great security site, by the way.
  2. I am reading Mike McConnell’s (former DNI) op-ed on “…how to win the cyberwar that we are currently losing.”  I think he makes a lot of good points, and one interesting stat really stood out to me:
    “But the reality is that while the lion’s share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need;”
    This is really interesting, as the government theoretically has the expertise to protect my company’s network … but I wouldn’t trust the government to protect my network.  I think therein lies the problem.  Either the corporate world will need to trust the government enough to give them authority, or they will need to develop their own security expertise.  I am an optimist, but I don’t see how that collaboration will happen effectively.  Honestly, there is very little trust between government agencies (and they’re on the same team) … I can’t imagine how to implement a co-op between government and the public with the necessary level of trust.

Configuring IP Address Validation for WebGates #Oracle #IDM #OAM


This issue bit me in the rear back in 2005 when I first started working with Oracle Access Manager.  I was installing OAM for a 3-letter agency whose application was deployed behind a Squid-based reverse proxy.  A reverse proxy normally replaces the client’s source address with its own, so the address the WebGate sees on each request is the proxy’s, not the user’s, and it no longer matches the client address recorded in the ObSSOCookie.  IP validation by the WebGate then fails and users are sent back to authenticate.  You can set IP Validation to “off”, but Oracle recommends leaving it on in most cases; the excerpt from the OAM 10.1.4 documentation below also describes the IP Validation Exceptions list, which is the narrower fix for a known proxy.

3.5.3 Configuring IP Address Validation for WebGates

IP address validation is specific to WebGates. It determines if a client’s IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on. The IPValidation parameter turns IP address validation on and off. If IPValidation is true, the IP address stored in the ObSSOCookie must match the client’s IP address, otherwise, the cookie is rejected and the user must reauthenticate. The default IPValidation setting is true.

The IPValidation parameter can cause problems with certain Web applications. For example, Web applications managed by a proxy server typically change the user’s IP address, substituting the IP address of the proxy. This prevents single sign-on using the ObSSOCookie.

The IP Validation Exceptions parameter lists IP addresses that are exceptions to this process. If IPValidation is true, the IP address can be compared to the IP Validation Exceptions list. If the address is found on the exceptions list, it does not need to match the IP address stored in the cookie. You can add as many IP addresses as needed. These addresses are the actual IP addresses of the client, not the IP addresses that are stored in the obSSOCookie. If a cookie arrives from one of the exception IP addresses, the Access System ignores the address stored in the ObSSOCookie cookie for validation. For example, the IP addresses in the IP Validation Exceptions parameter can be used when the IP address in the cookie is for a reverse proxy.

To configure single sign-on between WebGate and an access client that does not have the client IP address at authentication, the IP validation can be explicitly turned off. To do this, you set IP Validation to false. When the IP Validation parameter is set to false, the browser or client IP address is not used as a part of the ObSSOCookie. However, Oracle recommends that you keep IP validation on whenever possible.

http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2access.htm#BEIFACBD
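The decision the documentation describes, modelled as an added shell example (this is not Oracle’s WebGate code, which does not appear on this page); the addresses, the two-WebGate scenario and the function names are constructed for illustration:

```shell
#!/bin/sh
# Added example (not Oracle's code): a model of the WebGate IP-validation
# decision described in the OAM documentation quoted above, to show why a
# reverse proxy breaks SSO and what each remedy gives up.
# All addresses below are constructed for illustration.
set -eu

# accept_sso_cookie COOKIE_IP PEER_IP IPVALIDATION "EXCEPTIONS"
#   COOKIE_IP     client address recorded in the ObSSOCookie when it was issued
#   PEER_IP       address the WebGate sees on this request (behind a reverse
#                 proxy that is the proxy's address, not the user's)
#   IPVALIDATION  true|false, the IPValidation parameter
#   EXCEPTIONS    space-separated IP Validation Exceptions list (may be "")
# Exit status 0 = cookie accepted, 1 = rejected (user must reauthenticate).
accept_sso_cookie() {
  cookie_ip=$1; peer_ip=$2; validation=$3; exceptions=$4
  [ "$validation" = false ] && return 0        # validation off: no binding at all
  for x in $exceptions; do
    [ "$x" = "$peer_ip" ] && return 0          # excepted peer: cookie address ignored
  done
  [ "$cookie_ip" = "$peer_ip" ]                # normal case: addresses must match
}

USER_IP=203.0.113.10       # user's real address, recorded in the cookie at login
PROXY_IP=10.0.0.5          # reverse proxy in front of the second WebGate
ATTACKER_IP=198.51.100.7   # host replaying a cookie stolen from the user

# verdict LABEL COOKIE_IP PEER_IP IPVALIDATION "EXCEPTIONS": prints one row.
verdict() {
  if accept_sso_cookie "$2" "$3" "$4" "$5"; then r=accepted; else r=rejected; fi
  printf '%-34s %s\n' "$1" "$r"
}

# Three configurations x three request paths. Note that from the WebGate's
# point of view the user's own SSO request through the proxy and a stolen
# cookie replayed through the same proxy are identical: both arrive from PROXY_IP.
show_matrix() {
  for cfg in "true:" "true:$PROXY_IP" "false:"; do
    validation=${cfg%%:*}; exceptions=${cfg#*:}
    echo "IPValidation=$validation  exceptions='$exceptions'"
    verdict "  user SSO via reverse proxy" "$USER_IP" "$PROXY_IP"    "$validation" "$exceptions"
    verdict "  stolen cookie, direct"      "$USER_IP" "$ATTACKER_IP" "$validation" "$exceptions"
    verdict "  stolen cookie via proxy"    "$USER_IP" "$PROXY_IP"    "$validation" "$exceptions"
  done
}

show_matrix
```

The row to notice is the second configuration: once the proxy’s address is on the exceptions list, the WebGate accepts any cookie that arrives through that proxy, so a cookie stolen from one user behind it replays cleanly from another. That is the trade the exceptions list makes, which is why the documentation says to keep validation on and why the list should hold only the proxy addresses that actually need it, not whole ranges.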

Blog title change again #IDM


Once again I am renaming the blog title … it will probably only matter to all 3 of my regular followers, but I want to try and have the title match the focus of the blog.  My focus is to discuss the actual nuts & bolts of deploying an identity management solution.  I’d like to discuss best practices and real-world experiences in this process.  I am starting to expand my coverage area (products) and would like to reflect that here.

Installing and Configuring Sun #DSEE 6.3 #Oracle #IDM #DS


To quickly install and configure Sun’s (now Oracle’s) Directory Server Enterprise Edition (DSEE) 6.3 from the zip distribution:

  1. Unpack the download (tar -xvzf)
  2. cd into the DSEE_ZIP_DISTRIBUTION folder
  3. Install the software: ./dsee_deploy install -i /opt/ds6
  4. Create a new instance: ./dsadm create -p port -P SSL-port instance-path
  5. Start the new instance: ./dsadm start instance-path
  6. Edit Example.ldif as needed, create the suffix, then import the LDIF into it (1389 below is the port chosen in step 4):

    ./dsconf create-suffix -h localhost -p 1389 dc=example,dc=com
    ./dsconf import -h localhost -p 1389 install-path/ds6/ldif/Example.ldif dc=example,dc=com
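The six steps above as one script, added here as an example rather than taken from the post or from Oracle. The post gives only /opt/ds6, port 1389 and dc=example,dc=com; DSEE_HOME, the instance path, the SSL port 1636, the password-file location and the two check functions are assumptions of this example:

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): the DSEE 6.3
# zip-distribution steps above as a script, with the checks a practitioner
# adds before creating an instance. Defaults below are assumed values.
set -eu

DSEE_HOME=${DSEE_HOME:-/opt/ds6}          # target of: dsee_deploy install -i
INSTANCE=${INSTANCE:-/var/opt/dsins1}     # instance-path (must not exist yet)
LDAP_PORT=${LDAP_PORT:-1389}              # -p port
LDAPS_PORT=${LDAPS_PORT:-1636}            # -P SSL-port (assumed)
SUFFIX=${SUFFIX:-dc=example,dc=com}
PWD_FILE=${PWD_FILE:-/var/opt/dsee-dm.pw} # Directory Manager password, read with -w

# Both ports must be unprivileged (run the instance as an unprivileged user,
# not root) and must differ from each other.
check_ports() {
  p=$1; s=$2
  [ "$p" -gt 1023 ] && [ "$p" -lt 65536 ] || return 1
  [ "$s" -gt 1023 ] && [ "$s" -lt 65536 ] || return 1
  [ "$p" -ne "$s" ]
}

# The password file is handed to dsadm/dsconf with -w so the Directory Manager
# password never appears in `ps` output or shell history; insist on mode 0600.
check_pwfile() {
  [ -f "$1" ] || return 1
  [ -n "$(find "$1" -prune -perm 0600)" ]
}

install_dsee() {                 # steps 1-3; $1 is the downloaded archive
  tar -xvzf "$1"
  cd DSEE_ZIP_DISTRIBUTION
  ./dsee_deploy install -i "$DSEE_HOME"
  cd ..
}

create_instance() {              # steps 4-6
  check_ports "$LDAP_PORT" "$LDAPS_PORT" || { echo "ports must be distinct and >1023" >&2; return 1; }
  check_pwfile "$PWD_FILE" || { echo "$PWD_FILE missing or not mode 0600" >&2; return 1; }
  BIN=$DSEE_HOME/ds6/bin
  "$BIN/dsadm" create -p "$LDAP_PORT" -P "$LDAPS_PORT" -w "$PWD_FILE" "$INSTANCE"
  "$BIN/dsadm" start "$INSTANCE"
  "$BIN/dsconf" create-suffix -h localhost -p "$LDAP_PORT" -w "$PWD_FILE" "$SUFFIX"
  "$BIN/dsconf" import -h localhost -p "$LDAP_PORT" -w "$PWD_FILE" \
      "$DSEE_HOME/ds6/ldif/Example.ldif" "$SUFFIX"
  # Confirm the server is up and actually advertises the suffix
  # (ldapsearch from the dsrk6 directory of the same zip distribution).
  "$DSEE_HOME/dsrk6/bin/ldapsearch" -h localhost -p "$LDAP_PORT" -b "" -s base \
      "objectclass=*" namingContexts
}

# Usage: sh dsee-setup.sh <archive>   (does nothing when run with no argument)
if [ $# -eq 1 ]; then
  install_dsee "$1"
  create_instance
fi
```

The two checks are the part worth keeping even if you type the commands by hand: an instance created on a privileged port ends up running as root, and a world-readable password file is the same as putting the Directory Manager password on the command line.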

Yum (public) to update Oracle Linux #Oracle #IDM #OEL


When installing Oracle IDM on Oracle’s Enterprise Linux the easiest way to install the required packages is to use Oracle’s public Yum server,  http://public-yum.oracle.com.

There are a couple of quick steps to configure OEL to use Oracle’s Yum Server:

Note:  03 January 2013:  I found this blog which has updated information for OEL 6 …

http://www.oracle.com/technetwork/articles/servers-storage-admin/ginnydbinstallonlinux6-1845247.html

My instructions are somewhat outdated so YMMV:

  • cd /etc/yum.repos.d
  • wget http://public-yum.oracle.com/public-yum-el6.repo
  • Open the downloaded .repo file in a text editor
  • Locate the section for the repository you plan to update from, e.g. [el6_u2_base]
  • Change enabled=0 to enabled=1 in that section (leave gpgcheck=1 in place so packages are still signature-checked)

Begin using yum, for example:

$ yum list

$ yum install firefox
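The “enable the section” step done by script, as an added example (not from the post and not Oracle’s tooling), together with the check a practitioner wants before pulling packages from a repository reached over plain http: the section must have gpgcheck=1 and a gpgkey, otherwise RPM signatures are never verified. The two-section .repo content in write_sample_repo is constructed and only stands in for the real public-yum-el6.repo:

```shell
#!/bin/sh
# Added example (not from the original post): enable one section of a yum
# .repo file by script and refuse to use it unless signature checking is on.
# The sample .repo written by write_sample_repo is constructed for this example.
set -eu

# Flip enabled=0 to enabled=1 for one [section] only; every other section and
# every other line is copied through unchanged.
enable_repo_section() {
  repo=$1; section=$2
  awk -v want="[$section]" '
    /^\[/                     { in_section = ($0 == want) }
    in_section && /^enabled=/ { $0 = "enabled=1" }
    { print }
  ' "$repo" > "$repo.tmp" && mv "$repo.tmp" "$repo"
}

# Print the value of key= inside [section]; prints nothing if it is absent.
repo_value() {
  repo=$1; section=$2; key=$3
  awk -v want="[$section]" -v key="$key" '
    /^\[/ { in_section = ($0 == want) }
    in_section && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
  ' "$repo"
}

# A section is usable only if it is enabled, signature checking is on, and a
# key URL is configured so yum can import the signing key.
repo_is_safe() {
  [ "$(repo_value "$1" "$2" enabled)" = 1 ] &&
  [ "$(repo_value "$1" "$2" gpgcheck)" = 1 ] &&
  [ -n "$(repo_value "$1" "$2" gpgkey)" ]
}

# Constructed stand-in for the downloaded public-yum-el6.repo: two sections,
# both disabled by default, the second with signature checking turned off.
write_sample_repo() {
  cat > "$1" <<'EOF'
[el6_u2_base]
name=Oracle Linux 6 Update 2 base (constructed sample)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/2/base/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=0

[el6_unsigned_mirror]
name=constructed example of a badly configured section
baseurl=http://mirror.example/ol6/
gpgcheck=0
enabled=0
EOF
}

# Usage: sh enable-repo.sh /etc/yum.repos.d/public-yum-el6.repo el6_u2_base
if [ $# -eq 2 ]; then
  enable_repo_section "$1" "$2"
  repo_is_safe "$1" "$2" || { echo "refusing: [$2] lacks gpgcheck=1 or gpgkey" >&2; exit 1; }
  yum repolist enabled
fi
```

With only the http:// URLs that the repo file uses, the GPG signature on each RPM is the only integrity check between Oracle and your box, which is why the script treats gpgcheck=0 as a hard stop rather than a warning.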

Update OEL with packages for Oracle IDM:

Once you get Yum configured there are several packages that are required for Oracle Identity Management.  (Please note that this list changes and you should refer to the Oracle documentation for a complete and current list)

The first command to run is the following:

$ yum install oracle-validated

This will lay down the base packages required by Oracle DB.  Once they have finished installing you can run through the following list and make sure that you have all of the other packages required for OID or OIF.

To install or update a package, run the following:

Update 01/31/2012:

# yum update
# yum install gcc
# yum install kernel-uek-devel

Note: OEL 5 includes the UEK (Unbreakable Enterprise Kernel), and you need the matching kernel-uek-devel package installed to build the VirtualBox Guest Additions kernel modules.

Update 1/3/2013: be sure to check out https://blogs.oracle.com/wim/entry/setting_up_oracle_linux_6 for updates on OEL 6.

$ yum install [name of package]

I will typically *wildcard* the name to ensure that I am getting the latest version … bear in mind that this is me being lazy and not considered *best practice*.  You’ll end up with more packages installed than necessary.

$ yum install 'glibc-*'    # quoted so the shell does not expand the pattern before yum sees it

… and so on and so on:
gcc-*
gcc-c++*
kernel-dev*
openmotif21-2.1.30-11.RHEL4.6.i386.rpm
openmotif-2.2.3-10.2.el4.x86_64.rpm
compat-glibc-headers-2.3.2-95.30.x86_64.rpm
compat-glibc-2.3.2-95.30.x86_64.rpm
compat-libstdc++-296-132.7.2.i386.rpm
compat-db-4.1.25-9.i386.rpm
compat-db-4.1.25-9.x86_64.rpm
libstdc++-devel-3.4.6-9.i386
libaio-0.3.105.2.x86_64.rpm
libaio-devel-0.3.105-2.x86_64.rpm
libobjc-3.4.6-10.x86_64.rpm
libieee1284-0.2.8-4.x86_64.rpm
sysstat-5.0.5-16.rhel4.x86_64.rpm
glibc-kernheaders-2.4-9.1.100.EL.x86_64.rpm
glibc-headers-2.3.4-2.39.x86_64.rpm
glibc-devel-2.3.4-2.39.i386.rpm
glibc-devel-2.3.4-2.39.x86_64.rpm