Integration of N-tiers application

Size: px

Start display at page:

Download "Integration of N-tiers application"

Brenda Brown
6 years ago
Views:

1 Integration of N-tiers application Using CAS Single Sign On system a webmail application, Horde K.U.Leuven Association velpi@groupt.be

2 2

3 Introducing CAS Proxy CAS login scenario Implementing proxy CAS Beyond... 3

4 Introducing CAS: the project Originally developed by Yale University JA-SIG project since December

5 Introducing CAS: the technology Originally open-source WebISO Loosely based on Kerberos *model* Server: Java & Spring framework Client: lots of implementations + libs available ( source) velpi@groupt.be 5

6 Introducing CAS: the protocol XML 6

7 Introducing CAS: N-tiers Proxy CAS 7

8 Proxy CAS: the problem space Passwords are passing all clients Credentials have to be cached Caching has to be done in plain text 8

9 Proxy CAS: a solution One-time passwords Passwords are replaced by tickets One-time=request new for next authn velpi@groupt.be 9

10 Introducing CAS Proxy CAS login scenario Implementing proxy CAS Beyond... 10

11 login scenario BROWSER: cookies enabled BROWSER 11

12 login scenario CAS SERVER CAS: a trusted arbiter of authenticity BROWSER velpi@groupt.be 12

13 login scenario CAS SERVER Performance enhancement IMAP PROXY Horde / IMP phpcas CLIENT Service: webapp that authenticates users via CAS Proxy: service that wants to access other services on behalf of a particular user BROWSER velpi@groupt.be 13

14 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Target (back-end service): service that accepts proxied credentials from at least one particular proxy Horde / IMP phpcas CLIENT BROWSER velpi@groupt.be 14

15 login scenario: the players CAS: a trusted arbiter of authenticity Service: webapp that authenticates users via CAS Proxy: service that wants to access other services on behalf of a particular user Target (back-end service): service that accepts proxied credentials from at least one particular proxy CAS Horde IMP IMAP velpi@groupt.be 15

16 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT BROWSER velpi@groupt.be 16

17 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT (PHP-SESSION) HTTP REQ BROWSER velpi@groupt.be 17

18 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY (+TGC) Horde / IMP phpcas CLIENT S1 (PHP-SESSION) HTTP REQ BROWSER velpi@groupt.be 18

19 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY (+TGC) (LOGIN PAGE) (LT) (LT) (CREDENTIALS) Horde / IMP phpcas CLIENT S1 (PHP-SESSION) HTTP REQ BROWSER velpi@groupt.be 19

20 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT S1 (PHP-SESSION) HTTP REQ (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 20

21 login scenario: Credentials OR TicketGrantingCookie (TGC) response Redirect to: eg TICKET=ST m09bXdf770aEJfq9VsotayLh6OyE0MoovLM-20 21

22 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT S1 (PHP-SESSION) HTTP REQ (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 22

23 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) HTTP REQ (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 23

24 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 24

25 login scenario: ServiceTicket (ST) validation 1/2 CAS server requests: eg PGT=TGT m09bXdf770aEJfq9VsotayLh6OyE0MoovLM-20 25

26 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 26

27 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 27

28 login scenario: ServiceTicket (ST) validation 2/2 <cas:serviceresponse xmlns:cas=' <cas:authenticationsuccess> <cas:user>netid</cas:user> <cas:proxygrantingticket>pgtiou</cas:proxygrantingticket> </cas:authenticationsuccess> </cas:serviceresponse> 28

29 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 29

30 login scenario IMAP SERVER PAM PAM_CAS PT CAS SERVER IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 30

31 login scenario: ProxyGrantingTicket (PGT) response <cas:serviceresponse xmlns:cas=' <cas:proxysuccess> <cas:proxyticket>pt</cas:proxyticket> </cas:proxysuccess> </cas:serviceresponse> 31

32 login scenario IMAP SERVER PAM PAM_CAS PT CAS SERVER IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 32

33 login scenario IMAP SERVER PAM PAM_CAS PT CAS SERVER PT NETID (PT) NETID IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 33

34 login scenario IMAP SERVER PAM PAM_CAS PT CAS SERVER PT NETID (PT) NETID IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 34

35 login scenario IMAP SERVER =? PAM PAM_CAS PT S2 NETID S1(proxy[]) PT CAS SERVER PT NETID (PT) NETID IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 35

36 login scenario: ProxyTicket (PT) validation <cas:serviceresponse xmlns:cas=' <cas:authenticationsuccess> <cas:user>netid</cas:user> <cas:proxygrantingticket>pgtiou</cas:proxygrantingticket> <cas:proxies> <cas:proxy>proxy1</cas:proxy> <cas:proxy>proxy2</cas:proxy>... </cas:proxies> </cas:authenticationsuccess> </cas:serviceresponse> 36

37 login scenario IMAP SERVER =? PAM PAM_CAS PT S2 NETID S1(proxy[]) PT CAS SERVER PT NETID (PT) NETID IMAP PROXY S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 37

38 login scenario IMAP SERVER =? PAM PAM_CAS PT S2 NETID S1(proxy[]) PT CAS SERVER persistent connection IMAP PROXY imap PT NETID (PT) NETID S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) velpi@groupt.be 38

39 login scenario IMAP SERVER =? PAM PAM_CAS PT S2 NETID S1(proxy[]) PT CAS SERVER persistent connection IMAP PROXY imap PT NETID (PT) NETID S2 PGT Horde / IMP phpcas CLIENT pgt-url ok? ST S1 S1 PGT-URL (PHP-SESSION) PGT PGTIOU HTTP REQ NETID PGTIOU (+TGC) (LT) (LOGIN PAGE) (CREDENTIALS) (LT) ST BROWSER (SET TGC) HTTP RESP PHP-SESSION velpi@groupt.be 39

40 login scenario IMAP SERVER PAM PAM_CAS CAS SERVER IMAP PROXY PT imap NETID persistent connection Horde / IMP phpcas CLIENT (PHP-SESSION) HTTP REQ BROWSER HTTP RESP PHP-SESSION velpi@groupt.be 40

41 login scenario IMAP SERVER =? PAM PAM_CAS PT S2 NETID S1(proxy[]) PT CAS SERVER persistent connection IMAP PROXY imap PT NETID PT NETID S2 PGT Horde / IMP phpcas CLIENT (PHP-SESSION) HTTP REQ BROWSER HTTP RESP PHP-SESSION velpi@groupt.be 41

42 Tickets... LT: Login Ticket timeout for login page: if user typed password but didn't press login TGC: Ticket Granting Cookie browser cookie CAS-server: Single Sign On (https; host scope!) ST: Service Ticket CAS->service using browser get, user+service specific, validated PGT: Proxy Granting Ticket CAS->service directly using https, user+service specific PGTIOU: Proxy Granting Ticket IOU also sent PGT so webapp can correlate netid PT: Proxy Ticket CAS->proxy->backend ~ password, user(+proxy)+service2 specific velpi@groupt.be 42

43 Introducing CAS Proxy CAS login scenario Implementing proxy CAS Beyond... 43

44 Implementing proxy CAS IMAPPROXY => standard :) & absolutely necessary now IMAP: pam enabled => pam_cas standard pam; openssl dependency Apache/horde/IMP => phpcas+glue code; Apache CAS trust phpcas client library using ESUP glue-code 44

45 Implementing: IMAPPROXY (IMAPPROXY+) ~0min Requires no changes :) Keeps the IMAP connection alive and checks if PT ( password ) is still the same using a hash => PT replayed to local IMAPPROXY velpi@groupt.be 45

46 Implementing: IMAP&pam_cas Compile it: pam_cas.so needs: pam devel, openssl devel Configure it: pam_cas.conf needs to trust CA cert of CAS-server! Enable it: /etc/pam.d/imap 46

47 Implementing: IMAP&pam_cas /etc/pam.d/imap auth sufficient /lib/security/pam_cas.so -simap://localhost -f/etc/security/pam_cas.conf options: -s serviceid -e excludeuser -f configurationfile (IMAP+) ~2h required: this really has to be ok, though pam continues to check the other modules requisite: if this is not ok, it's not ok and do not continue checking the others sufficient: if this is ok, it's ok and do not continue checking the others optional: only decides if no other flags decided before or after You'll probably want to chain pam_cas pam_unix, pam_ldap,... pam_cas only tries validation on ticket-shaped passwords (eg PT-1-nFBuJY5SdWiuSvb3BPxn) this might be someone's real password ;) but that's unlikely => put pam_cas first as sufficient or last as required/requisite, depending on setup 47

48 Implementing: Apache--CAS (SSL+) ~5min Apache/PHP that powers Horde (curl lib) checks hostname-certificate of CAS-server Reason: ST validation,pt requests (w PGT) Note: CURLOPT_SSL_VERIFYPEER is set to 0 in client.php, you may want to change that, but then you need a tiny adjustment in apache conf (mod_ssl): httpd.conf SSLCertificateFile /etc/pki/myhordeserver.pem SSLCertificateChainFile /etc/pki/ca_cert.pem #added for the trust mechanism---- SSLCACertificateFile /etc/pki/ca_cert.pem #----added velpi@groupt.be 48

49 Implementing: Apache--CAS IMPORTANT NOTE (proxy CAS only): CAS-server also needs to trust certificate of Apache/PHP Reason: PGT sent in request by CAS-server Ok: Java truststore (cacerts) contains CA's If using a self-signed cert at apache (not good!) or unknown CA: $ keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts (default pwd=changeme) (SSL+) ~0min velpi@groupt.be 49

50 Implementing: Horde3/IMP4 install phpcas cp -r source/cas/* $HORDE_DIR/lib/CAS/ install glue-code (from ESUP package) cp $CAS_DIR/cas.php $HORDE_DIR/lib/Horde/Auth/ cp $CAS_DIR/casProxy.php $HORDE_DIR/ patch Horde&IMP imp/lib/imap.php: to fetch new PT if needed config/conf.xml: easy admin configuration [recommended] config/hooks.php: _cas_hook_authorisation() to a backend (Horde+) ~4h velpi@groupt.be 50

51 IMAP SERVER IMAP PROXY Implementing PAM (IMAP+) PAM_CAS ~2h compile,install,configure (IMAPPROXY+) ~0min CAS SERVER configure if using allowedservices Horde / IMP phpcas CLIENT (Horde+) ~4h install, patch, configure BROWSER velpi@groupt.be 51

52 Implementing proxy CAS CAS Server: 1-2days, fully operational (excl Java, Spring, auth backend) regular CAS client: ½ day... (excl knowing the technology of the application) Proxy CAS client: ½ week... BUT ALSO 52

53 Implementing: the catch... Think about everything that can go wrong when using SSL and add some Distributed systems & knowledge eg: case insensitive login at the CAS server but not proxy, firewalls... Multiple technologies & knowledge 53

54 Implementing: the beauty... Multiple deployments since 2006 K.U.Leuven: 2 front-end Horde web-servers (Apache) 4 backend mail-servers (UW-IMAP on AIX) ~40000 users (total) ~40000/d webmail logins ~60000/d portlet logins No stability issues so far... velpi@groupt.be 54

55 Introducing CAS Proxy CAS login scenario Implementing proxy CAS Beyond... 55

56 Beyond...: portals & webservices portlet/building block for Blackboard <create your own client>: various libs Webservices

57 Beyond...: SAML CAS supports 1-tier SAML1.1/2.0 (Google) PAML: Pluggable Authentication Mod-AML? KAML: IETF Kerberos-SAML discussions 57

58 Introducing CAS Proxy CAS login scenario Implementing proxy CAS? Beyond... References:

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT Ta Table of Contents Table of Contents TA TABLE OF CONTENTS 1 TABLE OF CONTENTS 1 BACKGROUND 2 CONFIGURATION STEPS 2 Create a SSL