Security Support Open Mic Client Certificate Authentication

Transcription

1 IBM Security Access Manager, Tuesday, December 8, 2015 Security Support Open Mic Client Certificate Authentication Panelists Jack Yarborough ISAM Level II Nick Lloyd ISAM Level II Scott Stough ISAM Level II Kathy Hansen ISAM Level II Manager Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: ibm.biz/bdhame NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Table of contents / Agenda Support Best Practice Configuration of Client Certificate Authentication Understanding Client Certificate Mapping Rule Configurations Trouble shooting Client Certificate Authentication Mapping Pre-forum Questions / Questions for the Panel 2

3 Best Practice Configuration Support Recommended Best Practice Configuration for Client Certificate Authentication

4 Best Practice Configuration Determine the SSL Certificate Database file in use by WebSEAL 4

5 Best Practice Configuration Edit the SSL Certificate Database using the LMI 5

6 Best Practice Configuration Users will be presenting a personal, signed-certificate. Ensure the Signer's Public key is in the Signer Certificates. All Certificates along the cert chain must be added. 6

7 Best Practice Configuration Here we have selected the top-level Signer for an in-house CA named SHA256RSACA. This will be a.cer base64 encoded file. 7

8 Best Practice Configuration Verify the cert is added. Do not forget to deploy the change. 8

9 Best Practice Configuration Export the Reverse Proxy instance configuration for backup. 9

10 Best Practice Configuration Save the ZIP file as needed 10

11 Best Practice Configuration For testing just change this to: accept-client-certs = required Deploy and restart 11

12 Best Practice Configuration Create Certificate Mapping rules. 12

13 Best Practice Configuration This is a good rule to have for quick testing. It just returns a hard-coded user name regardless of the cert presented. 13

14 Best Practice Configuration This is the default rule. The subjectdn of the certificate must be an exact match for the user's LDAP DN. 14

15 Best Practice Configuration This rule is used to create a mapping using an LDAP search. 15

16 Best Practice Configuration Set the rules file to: rules-file = DEFAULT_SUBJECTDN This does not require any changes to the rules file. Save, Deploy, and restart. Now when the Reverse Proxy is accessed the end user will be prompted by their browser to present a certificate. 16

17 Best Practice Configuration Example of Internet Explorer prompting for a certificate. 17

18 Best Practice Configuration Successfully authenticated. 18

19 Mapping Rule Configuration Overview of the three mapping rule file configuration options

20 Mapping Rule Configuration Hard Coded User : Basic user Disabled If Basic User is not enabled the search starts under secauthority=default : conn=1001 op=1 SRCH base="principalname=cert-test-user,cn=users,secauthority=default" scope=0 deref=0 filter="(objectclass=secuser)" 20

21 Mapping Rule Configuration Hard Coded User : Basic user Enabled Whatever is returned is treated as an ISAM user. In our example we do not have a cert for this user. If Basic User is enabled this LDAP search is issued in each federated directory and the primary ISAM registry : AuditV :57: :00--V3 Search--bindDN: cn=root \ --client: : connectionID: 40--received: :57: :00--Success operationresponsetime: 1 timeonworkq: 0 rdbmlockwaittime: 0 clientiotime: 0 base: O=FEDERATED scope: wholesubtree derefaliases: neverderefaliases typesonly: false filter: (&(uid=cert-test-user)( (objectclass=eperson)(objectclass=person))) attributes: uid conn=1023 op=1 SRCH base="dc=iswga" scope=2 deref=0 filter="(&(uid=cert-test-user)( (objectclass=eperson)(objectclass=person)))" conn=1023 op=1 SRCH attr=uid Then it checks to see if the user has been imported : conn=1023 op=2 SRCH base="secauthority=default" scope=2 deref=0 \ filter="(&(objectclass=secuser)(secdn=cn=cert test user,dc=iswga)( (secauthority=default)(secauthority=default:)))" 21

22 Mapping Rule Configuration Subject DN : Basic user Disabled If Basic User is not enabled the search starts under secauthority=default: conn=1007 op=1 SRCH base="secauthority=default" scope=2 deref=0 \ filter="(&(objectclass=secuser)(secdn=cn=federated user,o=federated)( (secauthority=default)(secauthority=default:)))" We are looking for a secdn that matches. If no match then there is no ISAM user for this certificate. 22

23 Mapping Rule Configuration Subject DN : Basic user Enabled Here our example is a cert with a subjectdn of "cn=federated user,o=federated" and a user in a federated LDAP of "cn=federated user,o=federated" The subjectdn returned is searched for in LDAP. If Basic User is enabled the searches issued are : Start in ISAM primary registry to check if the user has been imported: conn=1006 op=7 SRCH base="secauthority=default" scope=2 deref=0 \ filter="(&(objectclass=secuser)(secdn=cn=federated user,o=federated)( (secauthority=default)(secauthority=default:)))" If not, then search federated diretory : AuditV :39: :00--V3 Search--bindDN: cn=root \ --client: : connectionID: 51--received: :39: :00--Success operationresponsetime: 0 timeonworkq: 0 rdbmlockwaittime: 0 clientiotime: 0 base: CN=Federated User,O=FEDERATED scope: baseobject derefaliases: neverderefaliases typesonly: false filter: ( (objectclass=eperson)(objectclass=person)) attributes: uid 23

24 Mapping Rule Configuration Advanced Search In this case we have a certificate issued with a subjectdn of "CN= User, MAIL= .user@example.org, O=FEDERATED" but the ID in LDAP is: cn= User,O=FEDERATED objectclass=top objectclass=person objectclass=organizationalperson objectclass=inetorgperson objectclass=eperson cn= cn= User sn=user userpassword=secret uid=euser mail= .user@example.org We need a rule that maps the certificate to the user in LDAP based on their "mail" attribute. We want an ISAM user of "euser". 24

25 Mapping Rule Configuration Advanced Search 25

26 Mapping Rule Configuration Advanced Search The LDAP searches issued are: ## ## Find an object with a attribute of "mail= .user@example.org" and gets the uid. ## AuditV :17: :00--V3 Search--bindDN: cn=root--client: : connectionID: 75--received: :17: :00--Success operationresponsetime: 1 timeonworkq: 0 rdbmlockwaittime: 0 clientiotime: 0 base: O=FEDERATED scope: wholesubtree derefaliases: neverderefaliases typesonly: false filter: (mail= .user@example.org) attributes: uid ## ## Make sure this is a eperson or Person) ## AuditV :17: :00--V3 Search--bindDN: cn=root--client: : connectionID: 75--received: :17: :00--Success operationresponsetime: 0 timeonworkq: 0 rdbmlockwaittime: 0 clientiotime: 0 base: O=FEDERATED scope: wholesubtree derefaliases: neverderefaliases typesonly: false filter: (&(uid=euser)( (objectclass=eperson)(objectclass=person))) attributes: uid 26

27 Mapping Rule Configuration Advanced Search Capturing iv-user and iv-user-l to a backend junction shows this works as needed: HTTP_IV_USER=euser HTTP_IV_USER_L=cn= %20User,O=FEDERATED In the examples the searches shown are just the begining searches use to find the user. Additional searches for group memberships are issued and searches for extended credential attributes may be issued. Also, based on use case the searches may be subtly different. If you are concerned about the impact of LDAP searches we recommend enabling LDAP auditing (or debug for the embedded OpenLDAP) and examing the related searches. 27

28 Troubleshooting This section will review the format of the client certificate authentication mapping tracing output as well as an example debug scenario.

29 Troubleshooting Set: debug-level = 5 This value supports 1-9 but Support has found level 5 is usually all that is needed to resolve issues. 29

30 Troubleshooting While developing the XSLT for the advanced rule we ran into an issue. Note the Windows Cert view shows the DN as: CN= User, O=FEDERATED We wrote the rule assuming E= but it did not work as expected. Note from the trace the real value is MAIL=. <stsuuser:attribute name="subjectdn" type="urn:ibm:security:gskit"> -- <stsuuser:value>cn= -- </stsuuser:attribute> 30

31 Pre-event forum questions: Q1: Is the Client Certificate User Mapping functionality able to set different authentication level for certificate from different issuer? A1: No, but this be can accomplished using an EAI. See the documentation at: 31

32 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat To ask a question after this presentation: You are encouraged to participate in our Forum topics 32

33 Where do you get more information? Questions on this or other topics can be directed to the product forum: More articles you can review: KnowledgeCenter: onfig/concept/con_client_cert_usr_map.html?lang=en Useful links: ss_manager_for_web?productcontext= IBM Support Portal Sign up for My Notifications Follow us: 33

34 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.