Formatted: Font: Century Gothic, 12 pt

Transcription

1 Formatted: Font: Century Gothic, 12 pt

2 Contents 1 Document Description Overview Glossary Prerequisites Architecture IdP Configuration Creation of the IdP using OIF Generation of IdP SAML 2.0 Metadata Configuring your IdP to Work with your Trusted Partner Create Users in OID Verify that OIF is Communicating with OID Appendix A Metadata XML Schema

3 Superior Court of Orange County 1 Document Description 1.1 Overview The Superior Court of California, County of Orange (SCOC) Court Technology Services (CTS) in association with the Administrative Office of the Courts (AOC) under the supervision of the Global Justice Information Sharing Initiative has been conscripted to create a proof of concept of the Global Federated Identity and Privilege Management (GFIPM) security technology using the Oracle Middleware product suite. In this proof of concept the Court will use Oracle WebLogic Server (WLS), Oracle Identity Federation (OIF), Oracle Internet Directory (OID) and Oracle Database (ODB) to establish a trust between IdP (The Court) and SP (The AOC) using X.509 certificates.. These certificates exchanged via XML to identify which systems to trust. Once a partner is trusted, it will be configured as an SP. When a Court user attempts to access a resource on the SP (CCPOR) via the browser, the user's identity is then authenticated (asserted) by the Court s IdP across security domains in the federation. The table below describes the steps to setting up an IdP using the Oracle Middleware Suite and how these correlate with GFIPM requirements. SETTING UP A GFIPM SAML 2.0 Identity Provider using Oracle WebLogic Server and (WLS) and OIF Oracle Product Specific Configuration Steps Overview TOC Table of Contents Cross Reference Section 2.1 Creation and Configuration of IdP Using OIF GFIPM Architecture Functions OIF allows you to create and configure the IdP and enable the use of x.509 certificate Section 2.2 Generation of SAML 2.0 Assertion Generate the SAML 2.0 Assertion with the configuration set up in 2.2. In this step, the Orange County Court IdP sends the digitally signed Saml Assertion to the CCPOR AOC partner must deliver the public key, agreed upon information and SAML 2.0 schema to the Service Provider (SP) partner Section 2.3 Configuring your IdP to Work with Your Trusted Partner Once you ve received the SP partner s certificate, you must use OIF to add the partner public key to your IDP Federation partner trust file 1.2 Glossary The table describes the terms used in the document: Term Description 1

4 Superior Court of Orange County Term Field Drop-down Check box Radio button Table Column Row Cell Button Path OAS OAM ODB OCA OIF GFIPM Permission Policy PDP PEP XACML SP Description A field describes an area in which a user can enter information A drop-down describes a box which allows the user to choose from a list of selections A check box allows you to select multiple items in a list A radio button allows you to select a single item from a list A table is a group of data organized into columns, rows and cells A column is a vertical list of information usually used to describe cell type A row is a horizontal list of information usually used to describe related cells A cell is a single piece of information in a table A button allows a user to perform an action The full location of a file or folder e.g. C:\WINDOWS\system Oracle Application Server Oracle Access Manager Oracle Database Oracle Application Server Certificate Authority Oracle Identity Federation (provides IdP capability and/or SP capability) Global Federated Identity and Privilege Management Permission refers to rights given to a user on an application A policy is any guide that establishes the parameters for decision making or actions Policy Decision Point Policy Enforcement Point extensible Access Control Markup Language GFIPM enabled SAML 2.0 Service Provider 1.3 Prerequisites Component Microsoft Windows Oracle Internet Directory Oracle Identity Federation Version / Specification Windows 2003 R2 10g 11g Java 2 SDK Oracle WebLogic Server Oracle Database Chip Architecture and Minimum Processor Speed RAM 11g 10g AMD64 (1.3 GHz) 64-bit Xeon (1.3 GHz) 4 GB 2

5 2 Architecture Diagram 2a gives a high level view of the federation used and the flow of data for Phase II of the project. Comment [de1]: Remove OAM and database Reference. If you want, you could associate the database to CCPOR. Also, don t forget to remove from the Glossary. Diagram 2a Comment [JR2]: In step 4 please replace Weblogic with AOC Weblogic SP and in step 5 please replace Weblogic with AOC Weblogic SP 3

6 3 IdP Configuration This section will detail the creation and configuration of the Court s IdP which will access the AOC s CCPOR application. It contains the following sections: Creation of the IdP Using OIF Generation of IdP SAML 2.0 Metadata Configuring your IdP to Work with your Trusted Partner 3.1 Creation of the IdP using OIF Initially we will need to create an Identity Provider (IdP) using OIF. To open OIF we must first log into the WLS Admin Console. Open IE and navigate to the URL of Oracle WebLogic Server. 4

7 You will now see the WLS Admin Console screen. Under the Help section click Oracle Enterprise Manager. Comment [de3]: Need to tell user to click the OEM link. Comment [de4]: Your are studdering. You will now see the Enterprise Manager login screen. Enter the User Name and Password and click Login. You now see the OEM main screen. In the navigation panel expand the Identity and Access folder. 5

8 6

9 Now we will need to enter OIF and begin creating the IdP. Right click on OIF and click Administration then click Identity Provider. You now see the Identity Provider screen. We will begin by configuring the IdP. 7

10 Click the SAML 2.0 tab. 8

11 Superior Court of Orange County OIF will automatically generate the SAML Assertion for you, but it is necessary to make sure it is configured correctly. First, make sure the following are checked under assertion settings: X509 Subject Name Send Encrypted Attributes Send Encrypted NameIDs Send Encrypted Assertions Send Signed Assertion 9

12 There are considerable more settings that appear in the SAML 2.0 tab. Scroll down to Protocol Settings. Make sure the following are checked: Enable SAML 2.0 Protocol This informs the SP that SAML 2.0 protocol will be used by the IdP Enable Single Sign-On Protocol This informs the SP that SSO willl be used by the IdP Enable NameID Management Protocol: Register (Default) Enable NameID Management Protocol: Terminate (Default) 10 Comment [JR5]: Ok to leave in but the AOC isn t using Account Linking to allow the IDP to register and terminate user-accounts in the SP as the IDP employee changes roles/jobs.

13 Under Enable Protocol Bindings select the following: SSO HTTP POST Authentication Request HTTP POST (You must scroll down in the Enable Protocol Bindings window to see this.) In the Default Binding drop-down list select HTTP POST 11

14 In the Default SSO Response Binding drop-down select HTTP POST To insure that the message authorization requirements are met, under Messages to Send/Require Signed check the following: Responsee HTTP POST: Send Signed Responsee HTTP POST: Require Signed Request HTTP POST: Send Signed Request HTTP POST: Require Signed 12

15 AuthnRequest: Require Signed Once you ve selected all of these, click Apply. 3.2 Generation of IdP SAML 2.0 Metadataa Once you have created and configured your IdP, you will need to export the encrypted SAML 2.0 assertionmetadataa file. This process can easily be done in OIF. 13

16 From the SAML 2..0 tab, click the navigation drop-down arrow. Click Administration then click Security and Trust. 14

17 You now see the Security and Trust screen. Click the Provider Metadata tab. You now see the Provider Metadata tab. As we have configured OIF as an IdP under General Metadata make sure that Provider Type selected is Identity Provider. 15

18 As SAML 2.0 is the GFIPM standard, under Protocol make sure that SAML 2 is selected. Click Generate to generate SAML 2.0 Metadata filecertificate. 16

19 A pop-up box will appear asking you to save or open the file, click Save. This is the SAML data which you will need deliver to your Service Provider, so navigate to a folder you will remember and click Save. Note: if you receive an error or nothing happens, be sure to check your browser to ensure you are allowing pop-up windows. 17

20 Once the file has finished saving, click Close. 18

21 Note: If you wish to view the data, you may open the XML in a text editor or other programming environment. 3.3 Configuring your IdP to Work with your Trusted Partner Once you have received your SP s Metadata XML file which includes their x.509 (To view the metadata generated, please refer to Appendix A XML Metadata) public key and certificate you must incorporate it into your IdP SAML Metadata 2.0 Federation trust file. From the Generatee Metadata screen, click the arrow to the right of the Oracle Identity Federation click Administration then click Federations. 19

22 You now see the Federations screen. From here you will add the partner certificate to the IdP. In cases where you have multiple partners in your federation, you would do this for each partner. To do this click the Addd tab. You will now see the Add Trusted Provider popup window. To begin adding your trusted partner, check Enable Provider and click Browse. Note: This step cannot be completed unless you have received the Metadata XML file (The x.509 certificate and identifying information) from your trusted partner. 20

23 Navigate to wheree you have saved the file, and select the data provided by your trusted partner, then click Open. 21

24 Enter a description that will allow you to identify the partner (For this example we use CCPOR). Click OK. A confirmation message appears, and you can now see the provider information from the file you just added. Now you will need to adjust the provider settings to work with your IdP. Select your Provider ID and click edit. 22

25 You now see the Edit Trusted Provider screen. Leave the settings on the main screen and the Trusted Provider Settings tab as default. You now see the OIF Settings tab. Click the Oracle Identity Federation Settings tab. 23

26 Scroll down to Assertion Settings, and make sure Send Signed Assertion is checked. Select X509 Subject Name in the Default Name ID Format. 24

27 Scroll down to Protocol Settings and make sure the following are selected: Enable NameID Management Protocol: Register (Default) Enable NameID Management Protocol: Terminate (Default) Use Identity Federation for Attribute Response Default Binding HTTP POST Default SSO Response Binding HTTP POST 25

28 Scroll down to Enable Protocol Bindings. Select HTTP POST from the drop-down list. If the drop-down list does not appear, click the lock icon to the left of SSO Bindings HTTP POST. This will unlock the setting. Repeat this process with all of the bindings. 26

29 Scroll down to Messages to Send/Require e Signed, and make sure the following are selected: Responsee HTTP POST Request HTTP POST Responsee with Assertion HTTP POST AuthnRequest Click Apply Your SP should now be part of the trusted federation. (We will check the connection after creating users in OID, please refer to Section 4 of this document.) 27

30 4 Createe Users in OID Now we are going to go over how to create a user in Oracle Internet Directory (OID). This will allow you to add users to the federation and we will then use this user to verify our connection between OID and OIF. To create users we will user OID Delegated Administration Services (oiddas). This is a simple browser interface that allows us to manage users and other OID information. When you install OID, oiddas is included in the installation. Launch IE and navigate to the location of oiddas (By default the url will be /). Click the Directory Tab. You now see the oiddas Sign In screen. Enter the Oracle Directory Root Admin User Name and Password. If you chose the default user during installation, the user name will be (Defaults to orcladmin. )/ 28

31 Click OK. You now see the Users screen. Creating and managing users in this application is very simple. Click Create. 29

32 You now see the Create User screen. Enter the required user information (For this example we will use the Basic Information). Click Submit. 30

33 You are now brought back to the Users screen. To verify that the user was successfully created click Go. You will now see the search results. Scroll down to verify that the user was added. 31

34 5 Verify that OIF is Communicating with OID Now we are going to verify that OIF is communicating correctly with OID. To do this Launch WLS Admin Console and Click Oracle Enterpriseitlements Manager. You will now see the OEM Log In screen. Log into OEM. You now see the OEM main screen. In the navigation panel expand the Identity and Access folder. 32

35 Now we will need to enter OIF and begin creating the IdP. click the navigation drop-down arrow. Click Administration then click Identities. You now see the Identities screen. To verify communication between the two products, we will check to see if the user we created is part of the federation. 33

36 Click the Local Users tab. Formatted: Font: (Default) Arial, 10 pt, Bold, Font color: Auto You now see the Local Users tab. Click Search. 34

37 You now see the search results. If your IdP is working properly, you should see the user we added. 35

38 Formatted... [1] Superior Court of Orange County Appendix A Metadata XML Schema <md:entitydescriptor xmlns:md="urn:oasis:names:tc:saml:2.0:metadata" ID="id-4asq- C0WJxmsB8r-vOayaLk385g-" entityid=" validuntil=" t21:01:08z"> <md:idpssodescriptor WantAuthnRequestsSigned="true" protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol"> <md:keydescriptor use="signing"> <dsig:keyinfo xmlns:dsig=" <dsig:x509data> <dsig:x509certificate>miic6tccaqegawibagies2ncljalbgcqhkjooaqdbqawwdelmakga1uebhmcvvmx GTAXBgNVBAoTEENvdW50eSBvZiBPcmFuZ2UxFzAVBgNVBAsTDlN1cGVyaW9yIENv dxj0mruwewydvqqdewxeyw5uesbfagxlcnmwhhcnmtawmjazmjaynzi2whcnmjmx MDEzMjAyNzI2WjBYMQswCQYDVQQGEwJVUzEZMBcGA1UEChMQQ291bnR5IG9mIE9y YW5nZTEXMBUGA1UECxMOU3VwZXJpb3IgQ291cnQxFTATBgNVBAMTDERhbm55IEVo bgvyczccabcwggesbgcqhkjooaqbmiibhwkbgqd9f1obhxuskvlfspwu7otn9hg3 UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQ pasfn+geexaiwk+7qdf+t8yb+dtx58aophupbpud9tpfhsmcnvqtwharmvz1864r Ydcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e y7yrxda4v7l5lk+7+jrqgvlxtas9b4jnuvlxjrruwu/mcqcqgyc0srzxi+hmkbyt t88jmozipue8fnqlvhynkocjrh4rs6z1kw6jfwv6itvi8ftiegeko8yk8b6ouzcj qipf4vrlnwasi2zeghtvjwqbtdv+z0kqa4geaakbgb7o2raybj39vw7l5ucs2/py O/i4Kk7c2R6+Rm5d2h+fp3Q+k6Vv8wn5N2yBB2gxMNfdRCzhloAJ0xoHZ5tzrFis 3P54PvaWZfgt97DPfIzUrcQXKP1NEb5ygBkrL+0ybN0YmA+bJ2FagOz47AbS6kCY UHj5WDd+BGLSeI5LTc2EMAsGByqGSM44BAMFAAMvADAsAhR2dOOmrRnLFM/KKgqY FF9dnrEahAIUT1MFkVuvPis4zGNFiOBfB9W4UG0= </dsig:x509certificate> <dsig:x509issuerserial> <dsig:x509issuername>cn=oifserver1.ocsuperior.occourts.org, OU=Superior Court, O=County of Orange, C=US</dsig:X509IssuerName> <dsig:x509serialnumber> </dsig:x509serialnumber> </dsig:x509issuerserial> <dsig:x509subjectname>cn=oifserver1.ocsuperior.occourts.org, OU=Superior Court, O=County of Orange, C=US</dsig:X509SubjectName> </dsig:x509data> </dsig:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> <dsig:keyinfo xmlns:dsig=" <dsig:x509data> <dsig:x509certificate>miic6tccaqegawibagies2ncljalbgcqhkjooaqdbqawwdelmakga1uebhmcvvmx GTAXBgNVBAoTEENvdW50eSBvZiBPcmFuZ2UxFzAVBgNVBAsTDlN1cGVyaW9yIENv dxj0mruwewydvqqdewxeyw5uesbfagxlcnmwhhcnmtawmjazmjaynzi2whcnmjmx MDEzMjAyNzI2WjBYMQswCQYDVQQGEwJVUzEZMBcGA1UEChMQQ291bnR5IG9mIE9y YW5nZTEXMBUGA1UECxMOU3VwZXJpb3IgQ291cnQxFTATBgNVBAMTDERhbm55IEVo bgvyczccabcwggesbgcqhkjooaqbmiibhwkbgqd9f1obhxuskvlfspwu7otn9hg3 UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQ pasfn+geexaiwk+7qdf+t8yb+dtx58aophupbpud9tpfhsmcnvqtwharmvz1864r Ydcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e y7yrxda4v7l5lk+7+jrqgvlxtas9b4jnuvlxjrruwu/mcqcqgyc0srzxi+hmkbyt t88jmozipue8fnqlvhynkocjrh4rs6z1kw6jfwv6itvi8ftiegeko8yk8b6ouzcj qipf4vrlnwasi2zeghtvjwqbtdv+z0kqa4geaakbgb7o2raybj39vw7l5ucs2/py O/i4Kk7c2R6+Rm5d2h+fp3Q+k6Vv8wn5N2yBB2gxMNfdRCzhloAJ0xoHZ5tzrFis 3P54PvaWZfgt97DPfIzUrcQXKP1NEb5ygBkrL+0ybN0YmA+bJ2FagOz47AbS6kCY UHj5WDd+BGLSeI5LTc2EMAsGByqGSM44BAMFAAMvADAsAhR2dOOmrRnLFM/KKgqY FF9dnrEahAIUT1MFkVuvPis4zGNFiOBfB9W4UG0= </dsig:x509certificate> <dsig:x509issuerserial> <dsig:x509issuername>cn=oifserver1.ocsuperior.occourts.org, OU=Superior Court, O=County of Orange, C=US</dsig:X509IssuerName> <dsig:x509serialnumber> </dsig:x509serialnumber> 36 Formatted... [2] Formatted... [3] Formatted... [4] Formatted... [5] Formatted... [6] Formatted... [7] Formatted... [8] Formatted... [9] Formatted... [10] Formatted... [11] Formatted... [12] Formatted... [13] Formatted... [14] Formatted... [15] Formatted... [16] Formatted... [17] Formatted... [18] Formatted... [19] Formatted... [20] Formatted... [21] Formatted... [22] Formatted... [23] Formatted... [24] Formatted... [25] Formatted... [26] Formatted... [27] Formatted... [28] Formatted... [29] Formatted... [30] Formatted... [31] Formatted... [32] Formatted... [33] Formatted... [34] Formatted... [35] Formatted... [36] Formatted... [37] Formatted... [38] Formatted... [39] Formatted... [40] Formatted... [41] Formatted... [42] Formatted... [43] Formatted... [44] Formatted... [45] Formatted... [46] Formatted... [47] Formatted... [48] Formatted... [49] Formatted... [50] Formatted... [51] Formatted... [52] Formatted... [53]

39 Superior Court of Orange County </dsig:x509issuerserial> <dsig:x509subjectname>cn=oifserver1.ocsuperior.occourts.org, OU=Superior Court, O=County of Orange, C=US</dsig:X509SubjectName> </dsig:x509data> </dsig:keyinfo> <md:encryptionmethod Algorithm=" <md:encryptionmethod Algorithm=" <md:encryptionmethod Algorithm=" <md:encryptionmethod Algorithm=" </md:keydescriptor> <md:singlelogoutservice Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" ResponseLocation=" <md:managenameidservice Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" ResponseLocation=" <md:nameidformat>urn:oasis:names:tc:saml:1.1:nameidformat:x509subjectname</md:nameidformat> <md:singlesignonservice Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" </md:idpssodescriptor> </md:entitydescriptor> Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: Formatted: 37

40 Page 36: [1] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [1] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [2] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [2] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [3] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [3] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [4] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [4] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [5] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [5] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [6] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [6] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [7] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [7] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [8] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [8] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [9] Formatted sfaulkner 10/18/ :26:00 AM

41 Page 36: [10] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [10] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [11] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [11] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [12] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [12] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [13] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [13] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [14] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [14] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [15] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [15] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [16] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [16] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [17] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [17] Formatted sfaulkner 10/18/ :26:00 AM

42 Page 36: [18] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [19] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [19] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [20] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [20] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [21] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [21] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [22] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [22] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [23] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [23] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [24] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [24] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [25] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [25] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [26] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [26] Formatted sfaulkner 10/18/ :26:00 AM

43 Page 36: [27] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [28] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [28] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [29] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [29] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [30] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [30] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [31] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [31] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [32] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [32] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [33] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [33] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [34] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [34] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [35] Formatted sfaulkner 10/18/ :26:00 AM

44 Page 36: [36] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [36] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [37] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [37] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [38] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [38] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [39] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [39] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [40] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [40] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [41] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [41] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [42] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [42] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [43] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [43] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [44] Formatted sfaulkner 10/18/ :26:00 AM

45 Page 36: [45] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [45] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [46] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [46] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [47] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [47] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [48] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [48] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [49] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [49] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [50] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [50] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [51] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [51] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [52] Formatted sfaulkner 10/18/ :26:00 AM Page 36: [52] Formatted sfaulkner 10/18/ :26:00 AM

46 Page 36: [53] Formatted sfaulkner 10/18/ :26:00 AM