Month: June 2012

SSH Tunnel (of love) from OS X to EC2


So, this is not my “typical” IDM post but I wanted to save this for my own future reference.

Scenario:
Working from a Mac OS X desktop and connecting to an EC2 (Red Hat) instance over SSH. I am installing and configuring Symfony, which requires (strongly desires) that you connect to the config.php script from localhost (127.0.0.1).

Options:
1.)  Modify PHP script to comment out the localhost checks (boring)
2.)  Create an SSH tunnel from Mac terminal to the web port on the EC2 instance

The first option is pretty obvious and requires basic skills.  I am not sure what the ripple effects are with this so I’d prefer not to go this route.

The second option earns more “skillz” points and doesn’t require you to modify the config.php file from Symfony. Note: Originally, I was using port 81 as the local port. I changed the local port to 1337 vs 81. Chris (see comments) made an excellent point that you don’t need to use sudo if your local port is higher than 1024.

Steps:
1.  Open Terminal Window from OS X desktop
2.  Type:  ssh -i mykey.pem -L 1337:am.acme.com:80 am.acme.com

So what did we do here:

ssh -i mykey.pem:  connect to remote server using ssh with the key that you use to connect to Amazon instance (you do use keys right??)
-L 1337:am.acme.com:80:  Local port (on OS X) will be 1337, and connections to that port are forwarded to port 80 on the EC2 instance, am.acme.com
am.acme.com: this is the remote (EC2 instance) hostname

3.  The first time you connect to this server you will be asked to add this host to your known hosts file (say yes)
4.  Open a web browser (from OS X) and enter “127.0.0.1:1337/Symfony/web/config.php” to connect to the Symfony config on the EC2 instance

As long as you keep the SSH connection open then you can use the tunnel.  To close the tunnel, just exit from the SSH session.
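
As an added example (not part of the original post), the shell functions below parse a -L forward spec like the one in step 2 and report whether the local port would need sudo and who can reach the listening port. The function names are hypothetical, only the TCP forms [bind_address:]port:host:hostport are handled, and the loopback default assumes the ssh client's GatewayPorts option is left at "no".

```shell
# Added example (not from the original post): lint an ssh -L forward spec.
# Covers [bind_address:]port:host:hostport; IPv6 brackets and sockets are out of scope.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Split SPEC into FWD_BIND, FWD_LPORT, FWD_HOST, FWD_RPORT.
# FWD_EXPLICIT is 1 when a bind address field was given (even an empty one).
parse_forward() {
    set -f                      # keep a literal '*' bind address from globbing
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs; set +f
    case $# in
        3) FWD_EXPLICIT=0; FWD_BIND=;   FWD_LPORT=$1; FWD_HOST=$2; FWD_RPORT=$3 ;;
        4) FWD_EXPLICIT=1; FWD_BIND=$1; FWD_LPORT=$2; FWD_HOST=$3; FWD_RPORT=$4 ;;
        *) return 1 ;;
    esac
    [ -n "$FWD_HOST" ] && valid_port "$FWD_LPORT" && valid_port "$FWD_RPORT"
}

# Print who can reach the listening port: loopback, all-interfaces, or the address.
forward_exposure() {
    parse_forward "$1" || return 2
    if [ "$FWD_EXPLICIT" -eq 0 ]; then
        echo loopback           # ssh default while GatewayPorts is "no"
        return 0
    fi
    case $FWD_BIND in
        localhost|127.0.0.1) echo loopback ;;
        ''|'*')              echo all-interfaces ;;
        *)                   echo "$FWD_BIND" ;;
    esac
}

# Succeeds when the local port is below 1024 (traditionally privileged, hence sudo).
needs_root() {
    parse_forward "$1" || return 2
    [ "$FWD_LPORT" -lt 1024 ]
}

# Constructed sample specs, including the two local ports mentioned in the post.
for spec in 1337:am.acme.com:80 81:am.acme.com:80 '*:1337:am.acme.com:80'; do
    if needs_root "$spec"; then priv=yes; else priv=no; fi
    echo "$spec exposure=$(forward_exposure "$spec") needs_sudo=$priv"
done
```

A spec that reports all-interfaces lets other machines on the same network use the tunnel, so for this setup the result you want is loopback.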


To Federate or not to Federate … #IdM #infosec #SAML


I just finished configuring Oracle Access Manager (OAM) for Common Access Card (CAC) authentication integrated with Axway’s Server Validator (SV) Plugin (I will blog about this in another post) for certificate validation. While discussing this with another engineer on the project he mentioned that this really opened the door for tightly integrating with a lot of their existing partners. I said that while this is great I would prefer to federate with these partners and not have to deal with managing the extra infrastructure components as well as having to manage several trusted certificates provided by the partners (with intermediate certificates there were about 6 just for this partner alone … I am trying to picture how that scales for each new partner). I freely admit that I am biased towards Federation. I am totally sold-out on the benefits of having the Identity Provider (IdP) take care of credentialing and authentication and the Service Provider (SP) can focus on the applications. His point in preferring to authenticate locally with CAC (vs via Federation) was that by doing so we somehow offer a better user experience. I think you can also make the argument that a particular, potential IdP may not have Federation capabilities (this won’t always be the case IMO). Do you think that you can achieve the same Level of Assurance (LoA) by using Federation instead of authenticating at the SP? (SAML, OpenID or OpenID Connect)

I’d like to crowd-source this discussion and see if we can put together some good arguments for/against either side.  Please RT and comment if you have thoughts/opinions on this.