Deploying Single Sign-On with BMC Action Request System
Danny Kellett, Java System Solutions

Slide 2 – About the speaker
• Husband and father
• Worked for Remedy / Peregrine / BMC from 1999 to 2007
• BSM ITSM Solution Architect / Consultant
• Single Sign-On architect for Java System Solutions
© 2013 WWRUG Canada Inc. All Rights Reserved

Slide 3 – Warning
There is a lot of content in this presentation! This is intentional. Not all of this information will mean anything yet, but if and when you decide to embark on a Single Sign-On (SSO) implementation, this presentation will hopefully fill in those knowledge gaps. Feel free to email me at dkellett@javasystemsolutions.com

Slide 4 – Agenda
- What is Single Sign-On (SSO)
  - Important things you should know and understand
  - External links on why your company should implement SSO
- Brief explanation of the common authentication methods
  - Benefits, risks, important things you need to know, and recommendations
  - Quite detailed, but stay with me!
- Planning
  - Survey the environment
  - What questions to ask
- Security risks
  - With BMC Community and partner code
- Impact to your AR System

Slide 5 – Objectives and Results
Objectives
- To understand the black box of Single Sign-On (SSO), specifically aligned to the BMC AR System
Results
- Have an understanding that SSO is not just about a product
- Understand what questions to ask before embarking on an implementation
- Decide what authentication method best suits your company
- Understand the three phases of SSO with the BMC AR System
Skills developed
- Gain knowledge of multiple authentication technologies
- Be able to plan an SSO implementation
- Gain knowledge of how to analyse the risks of some of the SSO solutions out there
Slide 6 – Why Your Company Should Implement SSO
"Single Sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property, a user logs in once and gains access to all systems without being prompted to log in again at each of them." – Wikipedia, https://en.wikipedia.org/wiki/Single_sign-on
- Benefits for the end user; five major benefits for the business; Gartner, password and security research: http://www.javasystemsolutions.com/
- Experience has shown SSO can be the success on/off switch for your Service Request Management (SRM) investment.

Slide 7 – Common Misunderstandings and Important Things to Know
- Shared authentication schemes are not the same as SSO. "SSO requires users to literally sign in once to establish their credentials. Systems that require the user to log in multiple times with the same identity are inherently not SSO" (Wikipedia, https://en.wikipedia.org/wiki/Single_sign-on#Shared_authentication_schemes_which_are_not_single_sign-on)
- There must always be an authentication provider: a single, trusted source of information about our users. Basically, we are removing the job of authentication from the AR System.
  - Examples include, but are not limited to: Microsoft Active Directory and Active Directory Federation Services, CA SiteMinder, Ping Federate
- LDAP is not SSO
- Different browsers conduct SSO differently, and therefore we recommend that you learn to use Fiddler

Slide 8 – Common Misunderstandings and Important Things to Know (continued)
- Not all BMC products have the SSO capability, e.g. Developer Studio
  - Recommendation: have a standard AR System account that matches your domain login name, and a second, non-domain account that is your Developer Studio Administrator account. This will be your non-SSO account.
- Not everyone has to be an SSO user. Every user can be configured to use SSO or the standard user name and password.
  - The AR Server "switch/flag" is 'Crossref-Blank-Password': if the AR System User record for that user has a blank password, the AR Server passes the authentication on to an external source, e.g. SSO.

Slide 9 – Understand the Three Phases of SSO with BMC AR System
1 – Identify and authenticate using an authentication method
  - Reliably and securely identify the user name against the chosen authentication identity provider, e.g. Active Directory
  - The goal is to obtain the user name, e.g. dkellett
2 – Uniquely identify the user in the User form of the AR System
  - Once you have the user name, this phase obtains the User record for that user. If the record is not found, the user fails to be identified.
  - Risk / challenge: multiple trusted domains where two or more users have the same login name, e.g. Dkellett (Danny Kellett in JSS, David Kellett in BMC, etc.)
3 – Pass the details into the BMC SSO framework to finalise the authentication
  - Having found the user in the User form, pass the details to the AR System to finalise the logon process.

Slide 10 – Understand the Most Common Types and Protocols of SSO
- NTLMv2 (NT LAN Manager version 2)
- Kerberos
- Integrated Windows Authentication (IWA)
  - The act of negotiating the authentication type using SPNEGO
  - SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism: "I don't know what language to speak to you, so let's negotiate!"
- SAMLv2 (Security Assertion Markup Language)
- Enterprise SSO systems such as CA SiteMinder, RSA Access Manager
- HTTP Header / Cookies (an option used in the community code)
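Phase two above (find exactly one User record for the name phase one produced) is where the duplicate-login risk bites. The following is an added example, not JSS's "Aliasing" feature or any BMC code: the User form is modelled as an in-memory list, the `domain` attribute is an assumed custom field, and the three login-name formats handled (bare name, `domain\name`, full DN) are the ones the deck mentions. The resolver refuses an ambiguous match rather than guessing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    login_name: str   # field 101 (Login Name) of the User form
    full_name: str    # field 8 (Full Name)
    domain: str       # assumption: which trusted domain this record belongs to


# Constructed User form data: the same bare login exists in two trusted domains,
# which is exactly the risk called out for phase two.
USER_FORM = [
    UserRecord("jss\\dkellett", "Danny Kellett", "jss"),
    UserRecord("bmc\\dkellett", "David Kellett", "bmc"),
    UserRecord("jbaker", "John Baker", "jss"),
]


def parse_identity(raw):
    """Classify what phase one handed over.

    Returns (kind, domain, name): kind is "dn", "domain" or "bare"; domain is
    lower-case, or None for a bare name; name is the CN for a DN, otherwise the
    lower-cased login. Plain comma splitting is enough for the DN shape on the
    slides (escaped commas inside a CN are not handled here)."""
    if raw.upper().startswith("CN="):
        parts = [p.strip() for p in raw.split(",")]
        cn = next(p[3:] for p in parts if p.upper().startswith("CN="))
        dcs = [p[3:].lower() for p in parts if p.upper().startswith("DC=")]
        return "dn", ".".join(dcs), cn
    if "\\" in raw:
        domain, name = raw.split("\\", 1)
        return "domain", domain.lower(), name.lower()
    return "bare", None, raw.lower()


def resolve_user(raw, user_form=USER_FORM):
    """Return the single matching UserRecord.

    Raises LookupError both when nothing matches (the user cannot be
    identified, so SSO must fall back to manual login) and when more than one
    record matches (two domains share the login), instead of guessing."""
    kind, domain, name = parse_identity(raw)
    if kind == "dn":
        # The DN's DC components name the domain; the CN is the person's full name.
        labels = domain.split(".")
        matches = [u for u in user_form
                   if u.domain in labels and u.full_name.lower() == name.lower()]
    else:
        matches = [u for u in user_form
                   if u.login_name.split("\\")[-1].lower() == name
                   and (domain is None or u.domain == domain)]
    if not matches:
        raise LookupError(f"no User record for {raw!r}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous login {raw!r}: "
                          + ", ".join(u.login_name for u in matches))
    return matches[0]


def identify(raw, user_form=USER_FORM):
    """Outcome of phase two as a tuple the caller can act on:
    ("ok", login_name), ("ambiguous", None) or ("not-found", None)."""
    try:
        return "ok", resolve_user(raw, user_form).login_name
    except LookupError as err:
        return ("ambiguous" if "ambiguous" in str(err) else "not-found"), None


if __name__ == "__main__":
    for sample in ("jss\\dkellett", "BMC\\DKellett", "dkellett", "jbaker",
                   "CN=Danny Kellett,CN=admin,DC=corp,DC=jss,DC=COM", "nobody"):
        print(f"{sample!r:55} -> {identify(sample)}")
```

The bare name `dkellett` comes back as ambiguous on purpose: a phase-two lookup that picks the first hit would log Danny in as David on a bad day, so the right outcome is a manual-login fallback and a data fix, not a guess.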
Slide 11 – Understand the Types and Protocols of SSO
NTLMv2
- NTLM returns/authenticates based on tokens exchanged with the AD
- Easier to implement; requires no additional steps if the Mid Tier is deployed on Windows. http://technet.microsoft.com/en-us/magazine/ee914605.aspx
Kerberos
- Each host attempting authentication needs Kerberos keys and Service Principal Names (SPNs) to decrypt the ticket and get the user details.
- Benefit over NTLM: once the ticket is issued, it lasts for a certain period of time, so there is less authentication traffic on the network because the client doesn't have to keep re-authenticating within that time
- Important: relies on strict time synchronisation between servers, otherwise authentication will fail. More complex to set up and debug than most authentication methods

Slide 12 – Understand the Types and Protocols of SSO: Integrated Windows Authentication (IWA)
- Microsoft's process for SSO within internal/VPN networks; used by Microsoft's Internet Information Services (IIS)
- Refers to the following protocols: NTLMv2, Kerberos and SPNEGO
- IWA uses SPNEGO to allow initiators (the browser) and acceptors (AD) to negotiate either Kerberos or NTLMSSP. If a Kerberos ticket can be obtained, the Kerberos protocol will be attempted; otherwise NTLMv2 authentication is attempted. Similarly, if Kerberos authentication is attempted yet fails, NTLMv2 is attempted.
- Recommendation: if you are on-premise / not authenticating over the unprotected internet, this is the recommended choice of authentication method, because it uses both the NTLMv2 and Kerberos protocols and so has complete 100% compatibility with a Windows network
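What the negotiation above looks like on the wire, as an added example (not BMC or JSS code): after the 401 with `WWW-Authenticate: Negotiate`, the browser sends `Authorization: Negotiate <base64>` and the server can tell whether Kerberos or NTLMv2 was chosen without decrypting anything, because a raw NTLMSSP message starts with the signature `NTLMSSP\0` while an SPNEGO NegTokenInit (RFC 4178) is DER starting with the [APPLICATION 0] tag byte 0x60 and lists its mechanisms in preference order. This is the check behind "which protocol did this user actually get?" when reading a Fiddler capture. The minimal DER encoder/decoder, the OID tables and the sample tokens are all constructed for this example; the Kerberos AP-REQ inside the Kerberos sample is a placeholder.

```python
import base64
import binascii

# OIDs in DER content-octet form
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def read_tlv(buf, pos=0):
    """Decode the TLV at pos, returning (tag, value, position after it).
    Raises IndexError on truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise IndexError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token):
    """Encode the browser's first Negotiate token: an InitialContextToken wrapping
    a NegTokenInit with mechTypes (in preference order) and the mechToken."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, oid) for oid in mech_oids))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, OID_SPNEGO) + tlv(0xA0, neg_token_init))


def preferred_mechanism(token):
    """Return the first mechType OID of a NegTokenInit, or None if the bytes are
    not an SPNEGO InitialContextToken."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        return None
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != OID_SPNEGO:
        return None
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:                          # [0] negTokenInit
        return None
    _, seq, _ = read_tlv(choice)             # NegTokenInit SEQUENCE
    tag, ctx0, _ = read_tlv(seq)
    if tag != 0xA0:                          # [0] mechTypes
        return None
    _, mech_types, _ = read_tlv(ctx0)        # SEQUENCE OF MechType
    tag, first, _ = read_tlv(mech_types)
    return first if tag == 0x06 else None


def classify_authorization(header_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm' or 'invalid'."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not encoded:
        return "invalid"
    try:
        token = base64.b64decode(encoded, validate=True)
    except (ValueError, binascii.Error):
        return "invalid"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                        # raw NTLMSSP, outside SPNEGO
    if scheme == "Negotiate" and token[:1] == b"\x60":
        try:
            return MECH_NAMES.get(preferred_mechanism(token), "invalid")
        except IndexError:
            return "invalid"                 # truncated or malformed DER
    return "invalid"


# Constructed samples: a minimal NTLMSSP NEGOTIATE (type 1) message and the
# three shapes of Authorization header a browser may send back.
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24


def sample_kerberos():
    token = build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"<AP-REQ placeholder>")
    return "Negotiate " + base64.b64encode(token).decode()


def sample_ntlm_in_spnego():
    return "Negotiate " + base64.b64encode(build_neg_token_init([OID_NTLMSSP], SAMPLE_NTLM_TYPE1)).decode()


def sample_raw_ntlm():
    return "NTLM " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode()
```

Windows browsers normally wrap NTLM inside SPNEGO rather than sending the raw `NTLM` scheme, so "starts with 0x60" only tells you SPNEGO was used; it is the first mechType OID that says whether the fallback to NTLMv2 described on slide 12 has happened, which is the symptom to look for when Kerberos "works for some users and not others".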
Slide 13 – Understand the Types and Protocols of SSO: Security Assertion Markup Language (SAML 2.0)
- Prerequisite: customers must first have applications such as Microsoft ADFS 2, Ping Federate and others deployed within their domain
- Considered THE cross-domain, over-the-unprotected-internet, Web-SSO authentication protocol
  - Users connect to a website outside the safety of the user's domain
  - The website replies with a configured URL which is inside the user's domain, and instructs the browser to use an authentication service and present the result to the website
  - The result is that no secret/authentication data goes outside the user's domain

[Slide 14 – Understand the Types and Protocols of SSO (diagram only)]

Slide 15 – Understand the Types and Protocols of SSO: CA SiteMinder, RSA Access Manager and others
- Deployments such as these are considered Enterprise SSO due to the infrastructure impact and cost
- Technically, these are "policy" applications which take feeds from Active Directory and typically HR systems, and provide a common interface to other applications within the business
- For example, a user logs into a portal at which they are granted a list of applications they can access.
- Upon accessing an application such as BMC ITSM, a software agent installed on the Mid Tier intercepts the request and cross-references the policy server, not only for authentication but also for permission to access ITSM.

[Slide 16 – Understand the Types and Protocols of SSO (diagram only)]

Slide 17 – Understand the Types and Protocols of SSO: HTTP Header / Cookie
- Almost everything you see in your browser is transmitted to your computer over HTTP.
- HTTP headers are the core part of these HTTP requests and responses, and they carry information about the client browser, the requested page, the server and more.
- An application such as Microsoft IIS can add a simple HTTP header value or cookie which can contain the user name
- This user name is then extracted and trusted as the user who is attempting to access the application
- Typically the less secure method (explanation later)
- Used with the Community code

Slide 18 – Survey the Environment – Existing Enterprise SSO?
Has your company already deployed an Enterprise SSO standard?
- E.g. CA SiteMinder, MS SharePoint, other forms of IDM authentication proxies
- JSS has found this to be the second most popular authentication method
Questions to ask
- Do they deploy agents to web servers, or do they require the use of the API?
  - Agent: your option is reading the header or cookie. BMC Community code can do this, but be aware of the security risks. Example jsp code in the appendix shows any headers.

Slide 19 – Survey the Environment – Existing Enterprise SSO? (continued)
  - API: implementing the vendor's API, e.g. CA SiteMinder
    - BMC Community code does not interface with any API.
    - AtriumSSO is a BMC-badged OpenAM solution which includes some basic integrations to enterprise solutions; for example, the SiteMinder integration decodes a SiteMinder username but does not check that the user has permission to access the resource (i.e. ITSM)
    - JSS SSO Plugin integrates with CA SiteMinder, RSA Access Manager, RSA SecurID and Central Authentication Service (CAS) using the third-party product APIs.
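The agent/header option on slides 17 and 18 is only as safe as the rule "this header can only have been written by my own front-end web server". As an added example (not BMC community or JSS code), here is that rule written down: a model of the front end that authenticates the user and overwrites any client-supplied copy of the identity header, and a Mid Tier side that accepts the header only from the trusted proxy address, only when it appears once, and only when it looks like a login name. The header name `X-Remote-User`, the trusted address list and the request dictionaries are assumptions made for this example.

```python
import re

IDENTITY_HEADER = "X-Remote-User"                    # assumption: the configured header name
TRUSTED_PROXIES = {"127.0.0.1", "::1"}               # Tomcat bound to loopback; only IIS on the host can reach it
LOGIN_NAME = re.compile(r"^[A-Za-z0-9._\\-]{1,64}$")  # assumption: shape of an AR System login name


def front_end_forward(client_headers, authenticated_user):
    """Model of the front-end web server (IIS plus agent on the slides): drop every
    client-supplied copy of the identity header, then set exactly one from its
    own authentication result, and forward over loopback."""
    forwarded = [(n, v) for n, v in client_headers if n.lower() != IDENTITY_HEADER.lower()]
    forwarded.append((IDENTITY_HEADER, authenticated_user))
    return {"remote_addr": "127.0.0.1", "headers": forwarded}


def extract_sso_user(request):
    """Mid Tier side. Returns ("ok", login) or ("reject", reason); a reject means
    fall back to the normal login page, never a guessed identity."""
    if request["remote_addr"] not in TRUSTED_PROXIES:
        return ("reject", "identity header accepted only from the front-end web server")
    values = [v for n, v in request["headers"] if n.lower() == IDENTITY_HEADER.lower()]
    if not values:
        return ("reject", "no identity header; manual login")
    if len(values) > 1:
        return ("reject", "duplicate identity headers")
    login = values[0].strip()
    if not LOGIN_NAME.match(login):
        return ("reject", "identity header is not a plausible login name")
    return ("ok", login)


# Constructed scenarios
def scenario_direct_spoof():
    """A browser add-on sets the header and the request reaches Tomcat's port
    directly, bypassing the front end."""
    return extract_sso_user({"remote_addr": "10.1.2.3",
                             "headers": [("Host", "midtier:8080"), (IDENTITY_HEADER, "Demo")]})


def scenario_via_front_end_with_injection():
    """Same forged header, but the request goes through the front end, which
    authenticated the real user (dkellett) and overwrote the header."""
    client = [("Host", "midtier"), (IDENTITY_HEADER, "Demo")]
    return extract_sso_user(front_end_forward(client, "dkellett"))


def scenario_loopback_duplicate():
    """Two copies of the header arriving over loopback: ambiguous, so rejected."""
    return extract_sso_user({"remote_addr": "127.0.0.1",
                             "headers": [(IDENTITY_HEADER, "dkellett"), (IDENTITY_HEADER, "Demo")]})


if __name__ == "__main__":
    print("direct to Tomcat  :", scenario_direct_spoof())
    print("via front end     :", scenario_via_front_end_with_injection())
    print("duplicate headers :", scenario_loopback_duplicate())
```

The address check is what the Tomcat `address="127.0.0.1"` connector setting in the security section enforces at the network layer; keeping the same check in the filter means a later change to `server.xml` does not silently turn the header into a self-service login.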
Slide 20 – Survey the Environment – Utilize the Active Directory
If your company doesn't have any other form of SSO, then using Active Directory (AD) is the preferred on-premise choice
- OnDemand users or users connecting over the unprotected internet should not use this method, due to the security risks of passing tokens over the internet
- JSS has found this to be the most popular authentication method
Options
- BMC Community code: install Microsoft IIS and enable the header. Be aware of the security issue with headers and of the issues with IIS. https://www.javasystemsolutions.com/jss/news/list/50#article-50
- AtriumSSO: only in v8.1, Kerberos is implemented. Be aware this is only one half of IWA, and it is widely documented (links in previous slides) to not work for all users and to be difficult to set up and diagnose. Case sensitive: all login names must be the same case.
  - If you are using AR Server < 8.1, you will still need to log in to AtriumSSO. Users are still required to log in more than once.
- JSS SSO Plugin: supports full IWA and is therefore 100% compatible with any Windows domain. Installed and working within minutes. http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-Installation36-MT

Slide 21 – Survey the Environment – Utilize SAML
If your company has the requirement to authenticate users over the unprotected internet, then SAML is the recommended authentication choice
- Although SAML is a standard, not all standards are created equal
- SAML requires a service to be set up on the client's side of the network
  - If your company is using ADFS, make sure it's ADFS 2 and not ADFS 1
- The Mid Tier will need to be listening on HTTPS and not HTTP: http://www.javasystemsolutions.com/documentation/ssoplugin/36/configuring-midtierwebtier.pdf
- The single point of failure is the SAML service. If the user cannot connect to the Identity Provider (IdP), they will not gain access to the AR System.
Options
- BMC Community code: does not support it, so design and development is required
- AtriumSSO: available as of version 8.1
- JSS SSO Plugin: fully supported and implemented worldwide since 2011, and provides manual login if SAML fails

Slide 22 – Survey the Environment – Login Names
Do your login names match your AR System login name format? (Phase two of the three SSO phases)
- E.g. Dkellett from the Active Directory and Dkellett in the AR System login name, field 101 in the User form?
  - Typical when the AR System user data is implemented without the knowledge of domain names
  - Typical when there are multiple customer companies with multiple domains, so the login name format includes the domain or a unique reference to those domain users, e.g. Bmc\dkellett or jss\dkellett
  - DoD CAC cards/cookies return the full Distinguished Name (DN): CN=Danny Kellett,CN=admin,DC=corp,DC=jss,DC=COM
Options
- BMC Community code: doesn't exist. Design and build code to map the format
- AtriumSSO: unable to do it today, but I understand there is a hotfix in the pipeline
- JSS SSO Plugin: a feature called "Aliasing" which allows you to create a dynamic query to find the unique user. http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-Features

Slide 23 – Security considerations
"Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back." – Bill Gates

Slide 24 – Security – HTTP Headers
Quote: "HTTP header injection is a kind of web application vulnerability which exists on those web applications that generate HTTP headers based on the input given by users. If it uses user-based input in the headers, it can be used for HTTP response splitting, cross-site scripting (XSS), session fixation via the Set-Cookie header, and malicious redirect attacks via the Location header." http://www.newhackingtricks.com/2013/01/what-is-http-header-injection.html
- Example found on an Apple site in January 2013
- Tools such as Firefox plugins can inject and change header information, e.g. "Live HTTP Headers": https://addons.mozilla.org/en-us/firefox/addon/modify-headers/
- Basically this means that if dkellett is being sent by the browser, you could change it to anyone you want before it gets to the Mid Tier

Slide 25 – Security – HTTP Headers
Found in the BMC Community code and in partner-developed solutions (based on the BMC Community code)
Recommendations
- If using a web server like IIS in front of Tomcat, close the Tomcat ports to end users and configure Tomcat to only accept connections from the web server (server.xml):
    <Connector port="8080" address="127.0.0.1" maxHttpHeaderSize="8192" />
- Read how the hackers do it and try it on your own system: http://www.madleets.com/Thread-HTTP-Header-Injection-tutorial

Slide 26 – Security – Fixed Strings
With one command line, you can log in to the AR System as anyone!
- Found in the BMC Community SSO code and one BMC Elite partner-developed solution
- Hacking the "third phase" of SSO and AR System: areasso.c
    #define AUTH_STRING_DEFAULT "Qk1DIFJlbWVkeSBBUlN5c3RlbQ=="
    #define PASS_STRING "c3NvcGFzc3dvcmQ="
    if(password && strcmp(password,PASS_STRING)==0) // First lets check the password and make sure it matches
- It's the same as giving every user the same password!
- Even if you change those values and re-compile the code, you can find the new values with one command line (example on the next slide)

[Slide 27 – Security – Fixed Strings (screenshot only)]

Slide 28 – Security – Fixed Strings: Recommendations
- Don't use fixed strings if you can help it
- If you need to use a string, make it change, keep a list of already used ones, and reject any that are used again
- Obfuscate the code: http://www.stunnix.com/
- Every partner's example code we found was vulnerable to this simple hack

Slide 29 – AR System Changes
ar.cfg / ar.conf
- Crossref-Blank-Password: T
- External-Authentication-RPC-Socket: 390695
- External-Authentication-Return-Data-Capabilities: 31
- Plugin-Loopback-RPC-Socket: 390626
- Allow-Guest-Users: F
Mid Tier
- web.xml: add the filter (web, not workflow)

Slide 30 – List of Resources We Recommend Learning
- "Live HTTP Headers": https://addons.mozilla.org/en-us/firefox/addon/modify-headers/
- "Fiddler": http://fiddler2.com/
  - http://www.javasystemsolutions.com/documentation/ssoplugin/36/troubleshooting.pdf

Slide 31 – Conclusion
- Once implemented, SSO can be a massive benefit to users and the support organisation.
- SSO "can" be complex. BMC do not provide any courses on SSO, and therefore it's probably new to most workflow developers. Get expert advice.
- Planning is the key to a successful implementation. In our experience, for a single AR System server / Mid Tier deployment, an SSO deployment should be completed within an hour.
- Understand and have contingencies for when authentication fails, e.g. manual login, or the user is not found in either the domain or the AR System.
  - http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-ITSM-RaiseIncident
  - http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-ITSM-Registration
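The fixed-string recommendations on slide 28 ("make it change, keep a list of already used ones, reject repeats") describe a short-lived, single-use token. The following is an added example, not BMC community or partner code, of what replaces `strcmp(password, PASS_STRING)` in the phase-three hand-off: the web tier issues a token bound to the login, an expiry and a fresh nonce, signed with a key that is generated at start-up or loaded from protected configuration rather than compiled in; the AREA side verifies the signature, the expiry and that the nonce has not been seen before. The two sides are modelled as two methods of one class on the same host; the clock is passed in so the outcomes are reproducible.

```python
import base64
import hashlib
import hmac
import secrets
import time


class SsoTokenService:
    """issue() runs where the user was identified (phases one and two);
    verify() runs where the AR System logon is finalised (phase three)."""

    def __init__(self, key=None, ttl_seconds=30):
        self.key = key or secrets.token_bytes(32)   # not a #define in the binary
        self.ttl = ttl_seconds
        self.used_nonces = set()                    # slide 28: remember used strings

    def _mac(self, payload):
        # hex-encoded so it can never contain the '|' separator
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, login, now=None):
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)               # fresh for every logon
        payload = f"{login}|{now + self.ttl}|{nonce}".encode()
        return base64.urlsafe_b64encode(payload + b"|" + self._mac(payload)).decode()

    def verify(self, token, now=None):
        """Return ("ok", login) or ("reject", reason)."""
        now = int(time.time() if now is None else now)
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            payload, mac = raw.rsplit(b"|", 1)
            login, expiry, nonce = payload.decode().split("|")
            expiry = int(expiry)
        except (ValueError, UnicodeDecodeError):
            return "reject", "malformed token"
        if not hmac.compare_digest(mac, self._mac(payload)):
            return "reject", "bad signature"        # login, expiry or nonce was altered
        if now > expiry:
            return "reject", "expired"
        if nonce in self.used_nonces:
            return "reject", "replayed token"
        self.used_nonces.add(nonce)
        return "ok", login


def tampered_copy(token, old_login, new_login):
    """Constructed misuse model: swap the login inside an issued token without the key."""
    raw = base64.urlsafe_b64decode(token.encode())
    return base64.urlsafe_b64encode(raw.replace(old_login.encode(), new_login.encode(), 1)).decode()


def demo(now=1_000):
    """Walk the four outcomes against a fixed clock; returns their labels in order."""
    svc = SsoTokenService(ttl_seconds=30)
    fresh = svc.issue("dkellett", now)
    results = [
        svc.verify(fresh, now + 5),                                          # first use
        svc.verify(fresh, now + 6),                                          # same token again
        svc.verify(tampered_copy(svc.issue("jbaker", now), "jbaker", "dkellett"), now + 5),
        svc.verify(svc.issue("dkellett", now), now + 31),                    # past the ttl
    ]
    return [r[0] if r[0] == "ok" else r[1] for r in results]


if __name__ == "__main__":
    for label in demo():
        print(label)
```

In a real plugin the `used_nonces` set is pruned of entries older than the ttl (otherwise it grows forever) and shared across plugin instances, and the key lives in the same protected place as the rest of the AR System configuration; everything else is already the difference between "every user has the same password" and a per-logon credential.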
Slide 32 – Wrap up – JSS Team includes…
Successfully supporting more than 200 BMC / HP customers, globally, 24/7/365 since 2007
• Danny Kellett (dkellett@javasystemsolutions.com)
  • Integration specialist before joining Remedy professional services UK in 1999
  • Principal ITSM consultant on some of Remedy/BMC's largest global customers
  • Led the introduction of ITSM 7 into Europe for BMC professional services
• John Baker (jbaker@javasystemsolutions.com)
  • Highly experienced Java & web technology developer and solution architect
  • Expert in SSO technologies within the London financial industry
• Andy Clover (andy@javasystemsolutions.com)
  • Tremendous reputation within the IT security industry
  • Microsoft MVP (IE 2011) and Microsoft MVP (Client Security 2005)
  • Expert in Microsoft authentication technologies and protocols

Just a few quotes from http://www.javasystemsolutions.com/jss/quotes
"That's awesome!! I'll get it into the test environment and let you know... great support!"
"Thanks so much for your help in implementing this with us. You guys take service to a whole new level!!"
"Additionally, Java Systems Solutions dove deep into logs from servers, server apps, network sniffing, and Kerberos applications to debug how SSO is integrated in our environment. I am continually impressed by their service."
"We had issues with SSO on our upgrade go-live weekend and the technical support team had answers to our questions within 5 minutes of contacting them. And the fix recommended by them solved our problem. The level of support provided by them is of premium quality. They know their product very well, which is evident in the quality of the support."
"I would like to take this opportunity to thank the JSS support team on their excellent support in resolving our issues and giving us a better understanding of how SSO Plugin interacts with AR System. I hope the same kind of support and assistance will be continued and they will build their tools in other areas. Hats off to JSS."

Slide 33 – Reference slides
The following slides are only here for reference, in case I get asked certain questions and have something to show.

Slide 34 – Resources – jsp Example To Read Headers
Copy the following into a text file and save it as showheaders.jsp. Copy the file to Tomcat\webapps\ROOT\ and browse to http://yourMidTier/showheaders.jsp

    <%@ page import="java.util.*" %>
    <html>
    <head>
    <title>Http Request Headers Example</title>
    </head>
    <body>
    <h2>HTTP Request Headers Received</h2>
    <table>
    <%-- Walk every header name on the request and print it with its value --%>
    <%
        Enumeration enumeration = request.getHeaderNames();
        while (enumeration.hasMoreElements()) {
            String name = (String) enumeration.nextElement();
            String value = request.getHeader(name);
    %>
    <tr><td><%= name %></td><td><%= value %></td></tr>
    <%
        }
    %>
    </table>
    </body>
    </html>

This is a diagnostic page that echoes header values unescaped; use it to confirm which header the front-end web server adds, then remove it from ROOT.

Slide 35 – Microsoft recommended to include NTLMv2
"Much of the documentation out there advocates using NTLM unless there is a compelling need, such as for sites with a high security service level agreement. Even in this case, if you dig deeper, the more obvious answer is presented for using NTLM: it's easier to implement, requires no additional steps, and likely reduces support issues. For example, KB 832769 says, '… or if you cannot configure the service principal name (SPN), choose NTLM authentication. If you choose Kerberos authentication and cannot configure the SPN, only server administrators will be able to authenticate to the SharePoint site.'" – http://technet.microsoft.com/en-us/magazine/ee914605.aspx