Portal Integration with PKI and CAC
Community Discussion Forums » Fusion Middleware » Portal Security and Login Server
Replies: 12 - Last Post: Apr 11, 2008 9:07 AM by bongo

aaronhirsh (Posts: 4, Registered: 7/5/00)
Posted: May 25, 2006 6:56 AM

Hi, I'm hoping someone can point me in the right direction. I need to integrate 10g AS Rel 2 Portal and SSO with client-side PKI certs, specifically NMCI (Navy) CACs. Has anybody done this? I'm trying to find out just how much we can integrate; I'd like to be able to parse info on the server side such as username and supply it to the SSO server so that the user only has to enter a PIN.
Thanks!
Aaron

reschulz (Posts: 3, Registered: 5/9/00)
Posted: Jun 2, 2006 10:30 AM, in response to aaronhirsh

I'm looking at doing the same thing. Any help would be appreciated.

hjahangi (Posts: 23, Registered: 4/14/04)
Posted: Jun 5, 2006 10:29 AM, in response to reschulz

There are, as usual, a few ways of achieving this. Here was the approach I used to build something for a DoD project:

1. Integrate Oracle SSO (engine that protects Oracle Portal) and COREid Access (SSO engine for all platforms). Essentially, the integration entails setting a specific header as a post-authentication step in COREid, so that Oracle SSO can trust that session.

2. Set up the COREid Access policy to require client-cert authentication when trying to access the Oracle Portal. This way, when a user hits the application (e.g. Portal), they are automatically redirected to the COREid Access engine, which then (after a successful PKI client certificate was presented) forwards back to the Portal application. Part of this setup happens within Apache's ssl.conf file, which sets the "require" flag for client cert authentication.

You can also set up PKI authentication inside Oracle SSO, which is well documented in the app server security guide. However, it is less flexible since you are required to run every application under the Portal middle tier under a single security policy. Using COREid, there is a separation of enforcement and policies using a concept called "Policy Domains".

Hope this helps.

hjahangi (Posts: 23, Registered: 4/14/04)
Posted: Jun 5, 2006 10:32 AM, in response to hjahangi

My previous post assumes the client cert is available in the web browser's session. For DoD CAC cases, you can use some smart card software like ActivIdentity to propagate the cert from the card to the browser pretty easily. There is also Windows OS functionality to do the same, however I don't know the specifics of the OS route.

paulb (Posts: 1, From: San Antonio, TX, Registered: 4/11/07)
Posted: Apr 11, 2007 1:28 PM, in response to aaronhirsh

We are trying to do something similar, but with a hardware PKI device which hands Oracle (SSO, Portal?) an authenticated user's information via HTTPS header variables. Can the Oracle SSO application receive something like this? I understand we are going to have some custom development to marry the DoD CAC information to the Oracle user account information, but just wondering if this is even possible.

user570466 (Posts: 3, Registered: 4/19/07)
Posted: Apr 19, 2007 1:57 PM, in response to paulb

Just wondering if you have progressed with this topic, as I am looking to do something similar with hopefully javasso, OC4J, JAAS and Oracle AS 10.1.3.1. Are there any sources out there?

user570977 (Posts: 1, Registered: 4/23/07)
Posted: Apr 23, 2007 7:43 AM, in response to user570466

I would like to echo your question re: sources, as I am also to implement smart card with a JAAS / OC4J based J2EE application on Oracle AS 10.1.3.1. I do not need SSO as yet, just trying to determine how to read the cert from the browser to register in an Oracle DB and subsequently convey it to a custom JAAS login module for JAAS authentication. Any thoughts are appreciated.

bamulder (Posts: 7, From: Michigan, Registered: 5/13/99)
Posted: May 4, 2007 8:01 AM, in response to user570977

I want to throw my hat in on this discussion too. I already have our 10.1.2.0.2 Portal application bolted up to SSO. I now need to configure in CAC authentication while still allowing non-CAC users to supply their OID username and password. If you know of a resource or white paper on the topic, please post it in the thread.

bledbetter (Posts: 14, From: Virginia, Registered: 12/14/06)
Posted: May 16, 2007 11:07 AM, in response to bamulder

Bamulder,
We're in the process of doing this over at USMC. I've got some basic information over at my website on mapping CAC card identifiers to OID users (unless you want your Oracle usernames to be LASTNAME.FIRSTNAME.M.13914891135134194 ;) ) if you need it. There's also a list of technotes included with the code that should get you on the way. I'd be happy to help via e-mail if you should need it, as well.

OracleAS works beautifully within DoD's requirements. The program I'm on is also trying to do this with Microsoft SharePoint, and they've had a heckuva time. I've been up and running since January with Oracle, and it just burns them up. :)
http://www.snappedshot.com/archives/540-What-would-Larry-do.html

Hope this helps!
Regards,
Brian

bamulder (Posts: 7, From: Michigan, Registered: 5/13/99)
Posted: May 16, 2007 11:24 AM, in response to bledbetter

Hey Brian,
That would be GREAT! Unfortunately, the link you posted is blocked from the office. If you wouldn't mind, can you email me some details? My work address is first.last.CTR@DLA.MIL. You should be able to get the spelling of my first and last name from my profile.
Thanks again!

bledbetter (Posts: 14, From: Virginia, Registered: 12/14/06)
Posted: May 21, 2007 9:06 AM, in response to bamulder

For anyone else who can't view the website (yeah, sorry about that... I do *try* to keep it family-friendly :) ), the following code should allow you to map your PKI certificate's username to any arbitrary user in Oracle Internet Directory:

    /*
     * FILE: SSOCertMapperCustom.java
     * DESCRIPTION
     *   Use this to map your Certificate's CN to an arbitrary field in OID.
     */
    package oracle.security.sso.server.auth;

    import java.security.Principal;
    import java.security.cert.X509Certificate;
    import javax.servlet.http.HttpServletRequest;
    import oracle.security.sso.ias904.toolkit.IPASUserInfo;
    import oracle.security.sso.ias904.toolkit.IPASUserMappingInterface;
    import oracle.security.sso.ias904.toolkit.IPASException;
    /*
     * The following classes must be imported to perform LDAP searches using the
     * pre-configured OC4J connections.
     */
    import oracle.ldap.util.*;
    import oracle.ldap.util.jndi.*;
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.io.*;

    public class SSOCertMapperCustom implements IPASUserMappingInterface {

        // Name of the request attribute that carries the client certificate chain.
        private static final String X509_CERT_CLASS = "javax.servlet.request.X509Certificate";

        private InitialDirContext _context;
        private Subscriber _mysub;

        /*
         * Configuration for this Plugin
         */
        private static final String _oid_attribute = "description";
        private static final String _oid_host = "localhost";
        private static final String _oid_port = "389";
        private static final String _oid_search_base = "dc=domain,dc=com";

        // Constructor name corrected to match the class name (the posted copy had a
        // leftover name from another class, which does not compile).
        public SSOCertMapperCustom() {
            try {
                // Notice that this will only bind anonymously...
                _context = ConnectionUtil.getDefaultDirCtx(_oid_host, _oid_port, "", "");
                _mysub = new Subscriber(_context, Util.IDTYPE_DN, _oid_search_base, false);
            } catch (Exception e) {
                System.out.println(" * * * * There appears to be some kind of problem in the c'tor.");
            }
        }

        /*
         * Use this method to strip out the "cn=" attribute from the DN provided.
         */
        private String getUserCn(String inputDn) {
            // In this example, the user certificate DN format is:
            //   CN=,CN=users,DC=acme,DC=com
            // Get the first common name (CN) value as directory nickname.
            int l_indx1 = inputDn.indexOf('=');
            int l_indx2 = inputDn.indexOf(',', l_indx1 + 2);
            String userCn = inputDn.substring(l_indx1 + 1, l_indx2);
            return userCn;
        }

        /*
         * This method returns user information derived from the user certificate.
         *
         * @param request The HttpServletRequest request object
         * @return IPASUserInfo object that contains user directory nickname and
         *         optionally realm nickname obtained from the user certificate
         * @exception IPASException if user information can not be obtained
         */
        public IPASUserInfo getUserInfo(HttpServletRequest request) throws IPASException {
            IPASUserInfo l_usrInfo = null;
            try {
                // Get the user certificate from the HTTP request object.
                X509Certificate[] l_usrBCerts =
                    (X509Certificate[]) (request.getAttribute(X509_CERT_CLASS));

                // Corrected from "!= null || length > 1": with "||" a missing
                // certificate dereferenced a null array instead of reaching the
                // "not found" branch below.
                if ((l_usrBCerts != null) && (l_usrBCerts.length > 0)) {
                    Principal l_usrPrincipal = l_usrBCerts[0].getSubjectDN();
                    String l_certDN = l_usrPrincipal.getName().toUpperCase();
                    String l_usrNickName = getUserCn(l_certDN);

                    // Search for "description=..." in the JAAS-configured LDAP tree.
                    // (Note: If this is not OC4J/JAAS/JAZN, it'd probably be best not
                    // to try using this method...)
                    String[] _attribs = { "dn", "description", "cn", "sn", _oid_attribute };
                    User[] _users;
                    try {
                        _users = _mysub.getUsers(_context, Util.IDTYPE_FILTER,
                                "(" + _oid_attribute + "=" + l_usrNickName + ")",
                                null, _attribs);
                    } catch (Exception e) {
                        throw new IPASException("Error obtaining user listing from OID.");
                    }

                    if (_users.length > 1) {
                        throw new IPASException("Oops, found " + _users.length
                                + " user(s), instead of 1. Perhaps your attribute selection is wrong?");
                    } else if (_users.length < 1) {
                        throw new IPASException("User not found in OID.");
                    } else {
                        l_usrNickName = getUserCn(_users[0].getDn(_context));
                    }

                    // Set the realm name to null to use the default realm.
                    String l_realm = null;
                    l_usrInfo = new IPASUserInfo(l_usrNickName, l_realm);
                    return l_usrInfo;
                } else {
                    // User certificate not found.
                    throw new IPASException("User certificate not found");
                }
            } catch (Exception e) {
                throw new IPASException("User certificate information not found. " + e.toString());
            }
        }
    }

--

As an aside, if you need this to work behind an F5 (with backend traffic remaining unencrypted), the following iRule will make your life much easier. It's rudimentary, but should work until something better comes along:

    when CLIENTSSL_HANDSHAKE {
        # Remember the client certificate under the SSL session id so later
        # requests on a resumed session can still find it.
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } {
            session add ssl [SSL::sessionid] [SSL::cert 0]
        }
    }

    when HTTP_REQUEST {
        HTTP::header replace HTTPS on
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        if { $the_cert != "" } {
            # Pass the PEM body (BEGIN/END markers and line breaks removed) to the
            # backend in a single header line.
            HTTP::header insert SSL-Client-Cert [join [string trim [string map {
                "-----BEGIN CERTIFICATE-----" ""
                "-----END CERTIFICATE-----" ""
            } [X509::whole $the_cert]]] ""]
        } else {
            HTTP::respond 200 content "Access Denied

    Access to this resource is denied without a valid DOD Common Access Card. If you do not have one, please visit the Common Access website for information on obtaining a CAC card. Otherwise, please insert your CAC card into your reader, close this window, and try accessing this website again."
        }
    }

Sorry for the formatting... The original can be found at: http://www.snappedshot.com/archives/843-An-Endless-Pile-of-Technical-Cruft.html if it hurts your eyes too much.

Dirk I. McComsey (Posts: 59, From: Virginia, Registered: 1/12/06)
Posted: Jun 27, 2007 9:51 AM, in response to bledbetter

I wish you had posted this about a year ago! We ended up terminating SSL on our server because our networking staff couldn't figure out the iRule to pass on the certificate... Everything else looks great! Similar, but not exactly the same as our implementation. We've implemented OCSP as well though, due to the problems you mentioned on your blog about the CRLs. It ends up being much cleaner and quicker anyway...

bongo (Posts: 17, Registered: 3/7/99)
Posted: Apr 11, 2008 9:07 AM, in response to Dirk I. McComsey

How is your OCSP solution working? I have some issues over at DISA Montgomery. Can you contact me at kevin.bongiovanni.ctr@gunter.af.mil? Thanks
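The mapper bledbetter posted earlier in this thread finds the certificate's CN by slicing the subject DN at the first "=" and ",", and concatenates that CN straight into the OID search filter. The following Python is an added example, not code from the thread or from the posted SSOCertMapperCustom class: it parses the DN per RFC 4514 (so an escaped or quoted comma inside a value does not split the DN), decomposes the CAC common name LAST.FIRST.MIDDLE.<EDIPI> into its parts, escapes the filter value per RFC 4515, and keeps the posted rule that anything other than exactly one directory match is an error. The in-memory directory, its entries, and the choice to store the EDIPI in the "description" attribute are constructed assumptions for the example; the EDIPI is matched as any run of digits because the thread does not state its length.

```python
"""Added example: map a CAC client-certificate subject DN to a directory user.

Not part of the thread. The directory below is a constructed in-memory stand-in
for the OID search the posted mapper performs, and storing the EDIPI in the
"description" attribute is an assumption made for this example.
"""
import re


def parse_dn(dn):
    """Parse an RFC 4514 string DN into [(TYPE, value), ...] in the order written."""
    rdns, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find('=', i)
        if eq < 0:
            raise ValueError("malformed DN: %r" % dn)
        attr_type = dn[i:eq].strip().upper()
        i, value = eq + 1, []
        if i < n and dn[i] == '"':                 # legacy quoted value, e.g. O="ACME, Inc."
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1
                value.append(dn[i])
                i += 1
            i += 1                                 # closing quote
        else:
            while i < n and dn[i] not in ',+':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1
                    if re.fullmatch(r'[0-9A-Fa-f]{2}', dn[i:i + 2]):   # \2C style hex pair
                        value.append(chr(int(dn[i:i + 2], 16)))
                        i += 2
                        continue
                value.append(dn[i])
                i += 1
        rdns.append((attr_type, ''.join(value)))
        i += 1                                     # skip the ',' or '+' separator
    return rdns


def first_cn(dn):
    """Return the first CN value of the DN, which is what the posted getUserCn intends."""
    for attr_type, value in parse_dn(dn):
        if attr_type == 'CN':
            return value
    raise ValueError("no CN in DN: %r" % dn)


def parse_cac_cn(cn):
    """Split a CAC CN of the form LAST.FIRST[.MIDDLE[.SUFFIX]].<EDIPI digits>."""
    parts = cn.split('.')
    if len(parts) < 3 or not parts[-1].isdigit():
        raise ValueError("not a CAC-style CN: %r" % cn)
    return {"last": parts[0], "first": parts[1],
            "middle": ".".join(parts[2:-1]), "edipi": parts[-1]}


# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_filter_escape(value):
    """Escape a value before it is interpolated into an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute, value):
    """Escaped equivalent of the posted "(" + attribute + "=" + nickname + ")"."""
    return "(%s=%s)" % (attribute, ldap_filter_escape(value))


# Constructed entries standing in for the OID subtree under the search base.
# The two "ajones" entries deliberately share an EDIPI to exercise the
# "exactly one match" rule.
DIRECTORY = [
    {"dn": "cn=jsmith,cn=users,dc=domain,dc=com", "description": "1234567890"},
    {"dn": "cn=ajones,cn=users,dc=domain,dc=com", "description": "2345678901"},
    {"dn": "cn=ajones2,cn=users,dc=domain,dc=com", "description": "2345678901"},
]


def map_cert_to_user(subject_dn, directory=DIRECTORY, attribute="description"):
    """Return the directory nickname (CN of the matched entry) for a CAC subject DN.

    Matches on the EDIPI rather than the whole LAST.FIRST.M.EDIPI string, so a
    name change on a reissued card does not break the mapping (a design choice of
    this example), and keeps the posted code's rule that anything other than
    exactly one match is an error.
    """
    edipi = parse_cac_cn(first_cn(subject_dn))["edipi"]
    matches = [e for e in directory if e.get(attribute) == edipi]
    if len(matches) != 1:
        raise LookupError("expected exactly 1 match for %s, found %d"
                          % (build_filter(attribute, edipi), len(matches)))
    return first_cn(matches[0]["dn"])


if __name__ == "__main__":
    dn = "CN=SMITH.JOHN.Q.1234567890,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    print(parse_cac_cn(first_cn(dn)))
    print(build_filter("description", parse_cac_cn(first_cn(dn))["edipi"]))
    print(map_cert_to_user(dn))
```

In the posted Java, build_filter corresponds to the string passed to _mysub.getUsers, and the LookupError to the two IPASException branches on _users.length. If the posted F5 iRule is in front of the server, the SSL-Client-Cert header it inserts is only meaningful when the request arrived through the F5; a backend that also takes direct connections has to ignore that header on any other path, since nothing in the iRule removes a copy supplied by the client.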