Identity and Access Management

Advanced SSL configuration on IBM Http Server – Restrict unused HTTP methods and Verbose HTTP headers

2011-11-01T22:00:00.000-07:00

Restricting unused HTTP methods

The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers will generally just use two methods to access and interact with web sites; GET for queries that can be safely repeated and POST for operations that may have side effects. This means, we need to disable unused http methods. some of them are:(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL). Check with the application teams, if they need any of these methods for the application to work, before disabling them.

Testing before limiting http methods:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx…
Connected to josephamrithraj.mp.
Escape character is ‘^]’.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.

your IBM http servers configuration file [httpd.conf] has 2 sections named main and virtualhost sections. you need to add the following code at both the places. I am explaining this task using mod_rewrite module. So, first make sure that… mod_rewrite is enabled. then, add the following lines to your http.conf files main and virtualhost sections.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)
RewriteRule .* – [F]

Restart the web server after adding the above lines.

Now, when someone tried to use one of these http methods, they will get forbidden response since we specified [F] in the rewrite rule.

Testing after adding and restarting web server

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:15:44 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, POST
Connection closed by foreign host.
Testing TRACE methods

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected josephamrithraj.mp
Escape character is '^]'.
TRACE / HTTP/1.0
Host: josephamrithraj.mp
testing... <- ENTER twiceHTTP/1.1 403 ForbiddenDate: Thu, 14 Sep 2010 00:18:31 GMTServer: Apache Web ServerContent-Length: 320Connection: closeContent-Type: text/html; charset=iso-8859-1

403 Forbidden

Forbidden

You don't have permission to access / on this server.

Connection closed by foreign host.
Disable verbose HTTP headers:

you might have seen this … when the web server [apache or ibm http server] throws errors page, sometimes it might show the information related to its version, build, modules etc. This is a security issue since you are giving away the details about your web server. for example, take a look at this:

Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80
The line in the server header expose important version and variant information about the Linux operating system and Apache software used on the machine, indirectly expose the possible security holes that are existed to the hackers, or at least make malicious attackers easier to identify your system for available attack points.
To ensure that the Apache HTTP web server does not broadcast this message to the whole world publicly and fix possible security issue, modify these two directives ServerTokes and ServerSignature in httpd.conf configuration file.

ServerTokens

This directive configures what you return as the Server HTTP response Header. The built-in default is ‘Full’ which sends information about the OS-type and compiled in modules. The recommended value is ‘Prod’ which sends the least information.

Options: Full | OS | Minor | Minimal | Major | Prod

“ServerTokens Prod”

This configures Apache to return only Apache as product in the server response header on very page request, suppressing OS, major and minor version info.

ServerSignature

This directive lets you add a line containing the server version and virtual host name to server-generated pages. It is recommended to set it to OFF and Set to "EMail" to also include a mailto: link to the ServerAdmin.

Options: On | Off | EMail

“ServerSignature Off”

This instructs Apache not to display a trailing footer line under server-generated documents, which displays server version number, ServerName of the serving virtual host, email setting etc..

Courtesy:http://josephamrithraj.wordpress.com/2010/09/16/advanced-ssl-configuration-on-ibm-http-server-restrict-unused-http-methods-and-verbose-http-headers/

Advanced SSL configuration on IBM Http Server – Client Authentication and Ciphers

2011-11-01T21:59:00.000-07:00

The Advanced SSL Configuration settings are

Client Authentication
Setting Ciphers
SSL for multiple IP virtual Hosts
Client Authentication:

If you enable client authentication, the server validates clients by checking for trusted certificate authority, Known as CA root certificates in the local key database. To enable client authentication, you need to use SSLClientAuth directive. The options to use with this stanza are:

None – The server requests no client certificate from the client.
Optional – The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
Required – The server requires a valid certificate from all clients and returns a 403 status code if no certificate is present.
Required_reset – The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. make sure you have GSKit version 7.0.4.19 or later when you choose this option.
For example, If i want all the clients to be authenticated, then i need to add the following stanza
SSLClientAuth required

Ciphers

We set the cipher specification to use during secure transactions. The specified cipher specifications validate against the level of the Global Security Kit (GSK) toolkit that is installed on your system. Invalid cipher specifications cause an error to log in the error log. If the client issuing the request does not support the ciphers specified, the request fails and the connection closes to the client. IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL). The actual cipher specification that is used for a particular client connection is selected from those which are supported by both IBM HTTP Server and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

IBM HTTP Server supports the following SSL ciphers: SSLv3 and TLS and SSLv2

IBM recommends the following setting, keeping in mind both strong security and performance

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the presence of
## the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
View the Ciphers which the server uses for Secure transactions

Set the LogLevel to info in the configuration file. Look in the error log for messages in this format: TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname. The order that the cipher specifications are displayed in the error log from top to bottom represents the attempted order of the cipher specifications.

View the Ciphers were used for negotiating a connection

You can use the following LogFormat directive to view and log the SSL cipher negotiated for each connection:

LogFormat “%h %l %u %t \”%r\” %>s %b \”SSL=%{HTTPS}e\” \”%{HTTPS_CIPHER}e\” \”%{HTTPS_KEYSIZE}e\” \”%{HTTPS_SECRETKEYSIZE}e\”" ssl_common

CustomLog logs/ssl_cipher.log ssl_common

This logformat will produce an output to the ssl_cipher.log that looks something like this:

127.0.0.1 – - [01/Sep/2010:00:02:05 -0800] “GET / HTTP/1.1″ 200 1582 “SSL=ON” “SSL_RSA_WITH_RC4_128_MD5″ “128″ “128″

SSL for multiple IP virtual hosts

When you do not define an SSL directive on a virtual host, the server uses the directive default. You can define different (SSL) options for various virtual hosts. To enable SSL:

Specify the SSLEnable directive on the virtual host stanza in the configuration file, to enable SSL for a virtual host.
Specify a Keyfile directive and
Any SSL directives you want enabled for that particular virtual host.
Restart the server.
With all the above security options enabled, your virtual host may look like this:

SSLEnable

Keyfile keyfile.kdb

SSLCientAuth required

## SSLv3 128 bit Ciphers

SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5

SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher

SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher

SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers

## These can still be used, but only if the client does not support any of the ciphers listed above.

SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2.
## Excluding it in the presence of the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)

#SSLCipherSpec SSL_RC4_128_WITH_MD5

#SSLCipherSpec SSL_RC4_128_WITH_SHA

#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

Courtesy:http://josephamrithraj.wordpress.com/2010/09/04/advanced-ssl-configuration-on-ibm-http-server-client-authentication-and-ciphers/

Virtual Users with SAML in WebLogic

2011-10-24T08:57:00.000-07:00

A small blogpost how you can use virtual users on your SAML Service Provider WebLogic Server. A virtual user is a user who is authenticated on the SAML Identity Provider and this user is transfered ( with all his attributes and roles ) in a SAML Token to the Service Provider, this user does not need to exists on the WebLogic server of the Service Provider.
Before you can use this feature you need to setup SAML 2.0 SSO on your WebLogic Domain. You can follow this blogpost for all the instructions. You can also do this with Web Services but then you need to follow this guide.

First we need to enable Generate Attributes on the Identity Provider Side.
Go to the myrealm security realm -> Providers -> Credentials Mapping -> your SAML 2.0 Credential Mapping Provider -> Provider Specific.
Also do this on the imported Service Provider Partner located at the Management tab of your SAML 2.0 Credential Mapping Provider. Open the Service Provider Partner and also enable here Generate Attributes.

Next step is to configure the SAML Service Provider.
Go to the myrealm security realm -> Providers -> Authentication -> your SAML 2.0 Identity Assertion Provider -> Management Tab.
Open your imported Identity Provider Partner configuration.

Enable Virtual User and also enable Process Attributes.

Now we need to add an extra WebLogic SAML Authentication Provider. This provider will process the virtual user SAML token with all its attributes and roles.

Set the Control Flag to Sufficient also change the other authentication provider from Required to Sufficient.

Courtesy:http://biemond.blogspot.com/2011/09/virtual-users-with-saml-in-weblogic.html

How to collect performance data on Linux

2011-10-24T08:56:00.000-07:00

Collect the following information when high CPU consumption is with IBM Java process:
Enable garbage collection trace to see whether Java garbage collection is thrashing if possible. If you want to enable Java garbage collection trace on IBM WebSphere Application Server, please refer to the following document: Enabling verbose garbage collection (verbosegc) in WebSphere application Server

Run the following command:

top -d delaytime -c -b > top.log

Where delaytime is the number of seconds to delay. This must be 60 seconds or greater, depending on how soon the failure is expected.

Create a script file, vmstat.sh with the following content:

#vmstat.sh
#output file name
VMSTAT_LOG=$1
LIMIT=288
#sleep for 5 miniutes
SLEEP_TIME=300
while true
do
i=0
echo >$VMSTAT_LOG
while [ $i -le "$LIMIT" ];
do
date >> $VMSTAT_LOG;
vmstat 5 12 >> $VMSTAT_LOG;
i=`expr $i + 1`;
sleep $SLEEP_TIME;
done
done

Create a script, ps.sh with the following content:

#ps.sh
#output file name
PS_LOG=$1
LIMIT=288
#sleep for 5 miniutes
SLEEP_TIME=300
while true
do
i=0
echo >$PS_LOG
while [ $i -le "$LIMIT" ];
do
date >> $PS_LOG;
ps -eLf >> $PS_LOG;
i=`expr $i + 1`;
sleep $SLEEP_TIME;
done
done

Run the scripts:

./ps.sh ps_eLf.log
./vmstat.sh vmstat.log

Notes: . The scripts ps.sh and vmstat.sh, as provided, roll over every 24 hours. . You might need to modify the scripts to meet your needs. . The preceding scripts will run forever. After the error condition is reached, you will have to terminate them.

When high CPU consumption occurs, collect the following logs:

netstat -an > netstat1.out

If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver1.out

Run the following:

kill -3 [PID_of_problem_JVM]

The kill -3 commands create javacore*.txt files

Note: If you are not able to determine which JVM process is experiencing the high CPU usage then you should issue the kill -3 PID for each of the JVM processes.

Wait two minutes.

Run the following:

kill -3 [PID_of_problem_JVM]

Wait two minutes.

Run the following:

kill -3 [PID_of_problem_JVM]

Wait two minutes.

Run the following:

netstat -an > netstat2.out

If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver2.out

If you are unable to generate javacore files, then perform the following:

kill -11 [PID_of_problem_JVM]

WARNING: kill -11 will terminate the JVM process, produce a core file, and possibly a javacore.

Review all output files and collect the following files for IBM Performance Analysis Tool for Java for Linux

ps_eLf.log
javacore*.txt files

Courtesy:http://wasissues.blogspot.com/

Configuring OpenLDAP as a SiteMinder Policy Store

2011-10-24T08:46:00.000-07:00

SiteMinder supports OpenLDAP for use as a Policy Store. OpenLDAP provides a freely available, replicated directory that can be used as a redundant store for SiteMinder’s configuration information. Unfortunately, the SiteMinder documentation covering how to configure OpenLDAP is at best incomplete and at worst incorrect. This article breaks down the steps required to enable OpenLDAP to be a Policy Store and configure the Policy Server to leverage the directory. Keep in mind that SiteMinder currently only supports OpenLDAP 2.3.x. This means that only Master/Slave replication is supported. While this is sufficient to ensure the availability of the Policy Store, if the Master directory is down, no policy or key updates can be performed. This article also assumes that the Key Store is set to the default setting of using the Policy Store as the location to store key information. Switch the directory paths outlined below to use backslashes if these steps are being performed on Windows.

1. Download and Install OpenLDAP
This article does not cover the specific details on how to build and install OpenLDAP. The details for this can be found on the OpenLDAP site. A quick start guide is located there as well.

2. Download the OpenLDAP Schema Files for SiteMinder
OpenLDAP is considered a “Tier 2″ directory for SiteMinder. As such, the ability to configure the directory as a Policy Store is not automated. In order to obtain the needed schema files for the Policy Store, the “CA SiteMinder Tier 2 Directories- ESD Only” package must be downloaded. To download this file (current as of 10/12/2011):

1. Log in to the Technical Support Site
2. Click “Download Center” in the lefthand navigation
3. Type siteminder into the “Select a Product” field
4. Select the listed SiteMinder product
5. Select 12.0 in the “Select a Release” drop-down
6. Select SP3 in the “Select a Gen level” drop-down
7. Click the [GO] button
8. Scroll down to the bottom of the list of returned downloads
9. Download and unzip the “CA SiteMinder Tier 2 Directories- ESD Only” download to the Policy Server

3. Configure OpenLDAP To Support the SiteMinder Policy Store
The OpenLDAP server requires manual configuration to support its use as a SiteMinder Policy Store. The following steps are required:

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration
3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store
3d. Create the base Policy Store structure
3e. Restart OpenLDAP

Note that these instructions assume that the install location for OpenLDAP is under the /usr/local path and the default directories are used. For this example, the root of the directory is “dc=company,dc=com” for the location of the Policy Store. These steps will need to be modified if a different path or directory structure is used.

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
The OpenLDAP schema needs to be extended to support the SiteMinder Policy Store objects. This is done by copying the schema files to the server and adding them into the slapd.conf configuration file. To copy the schema files:
.........
More Here

Courtesy:http://www.coreblox.com/blog/2011/10/configuring-openldap-as-a-siteminder-policy-store/

SiteMinder federation to SharePoint 2010

2011-10-04T17:56:00.001-07:00

This paper shows how to configure identity federation between CA SiteMinder and Microsoft SharePoint 2010, using the CA Federation Manager Add-on for SiteMinder. Two scenarios are presented. The first is an intra-organizational scenario that is useful where SiteMinder, the user accounts, and SharePoint are all maintained within the enterprise. The second is a traditional identity federation scenario where the user accounts are maintained outside of the enterprise hosting SharePoint. A federated identity environment features the following advantages:

· Helps control Information Technology (IT) costs and gain efficiencies. Federation targets areas that require lots of manual processes such as user account management, and access management. These manual processes are the focus of cost control.

· Enables compliance with expanding regulatory requirements. A standards-based identity federation can increase security of websites and portals and enable an organization to identify and authenticate a user only once. The organization can then use that identity information to access multiple systems which can include websites of external partners and various portals.

While both scenarios create a federated identity environment, the techniques or methodology used in the two lab scenarios is different. The two lab scenarios are:

1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted Identity Provider for SharePoint and authenticates users to one or more user directories maintained within the organization. Once authenticated, these users (which may be employees, partners or customers) can access SharePoint as well as other applications protected by SiteMinder. This lab scenario uses the CA Federation Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation Security Services) to generate a WS-Federation 1.0 token that is in turn read by SharePoint 2010.

2. Lab scenario 2 - Cross-organization, traditional Federation scenario. In this lab scenario, SiteMinder is deployed at the external partner organization, along with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is deployed within the enterprise where SharePoint is hosted. SiteMinder authenticates the partners to the partner organization's user directory and generates a SAML 2.0 token. AD FS 2.0, which acts as a security token service, translates the SAML 2.0 token into a WS-Federation token for use with SharePoint. In this lab scenario, we also configure SharePoint's native claims-based Windows provider to illustrate how employees within the enterprise could access SharePoint alongside partners who use the federated approach (The claims-based Windows provider is listed along with the other Identity Providers configured in ADFS 2.0, in the lab it is identified with as ADFSMachine.CompanyA.com).

Courtesy:http://interopvendoralliance.org/labs/siteminder-federation-to-sharepoint-2010.aspx

SiteMinder Overview

2011-10-04T17:54:00.000-07:00

CA SiteMinder is enterprise level web access management software which allows organizations to manage their web users and help control their access to applications, portals and web services.

SiteMinder consists of two core components:

Policy Server:

The Policy Server provides policy management, authentication, authorization, and accounting.

SiteMinder Agents:

Integrated with a standard Web server or application server, SiteMinder Agents enable SiteMinder to manage access to Web applications and content according to predefined security policies.

How CA SiteMinder Works:

The process for securely accessing web applications:

1. User attempts to access a protected resource.

2. User is challenged for credentials and presents them to the CA SiteMinder web agent or to the Secure Proxy Server.

3. The user’s credentials are passed to the Policy Server.

4. The user is authenticated against the appropriate user store.

5. The Policy Server evaluates the user’s entitlements and grants access.

6. User profile and entitlement information is passed to the application.

7. The user gets access to the secured application, which delivers customized content.

Courtesy:http://webspheresolution.wordpress.com/2011/09/29/siteminder-overview/

Earn Money With iPhone Apps

2011-10-04T12:11:00.000-07:00

Earn Money With iPhone Apps

The most comprehensive guide to creating lucrative iPhone applications (apps for short). Our guide explains how to create new iPhone apps and get them listed on the Apple iPhone App Store. Profit from iPhones now!

Click Here to find more about it

How To Create iPhone Apps With No Programming Experience

2011-10-03T19:32:00.000-07:00

How To Create iPhone Apps With No Programming Experience

Discover how to create iPhone apps easily with no programming experienced required. Learn from some of the top iPhone app developers to get your app created now.

Click Here to find more

Finding a quality server cabinet for less online

2011-08-10T13:13:00.002-07:00

If you run a business that relies on computers then you will be well aware of how important it is to have a good contact that can deal with any computer issues you have. If any parts fail in your computer system it is imperative that you are able to get the replacement parts you need quickly and easily with plenty of choice too. It’s not always easy to do this, so to help yourself in the future you should work on finding a website that can service all your needs. If you find a decent site then you can go back to it and back to it, knowing that you will be able to solve your problems quickly and easily.

Finding the right site depends largely on what your system requires, but if you have things like a server cabinet that might need changing from time to time, it is important that you find a site which is able to give you plenty of options. A server cabinet can be expensive, but there are some sites which will offer new, used and refurbished parts, meaning you can save a bit of money on occasions.

Some sites are fantastic both for sourcing the more unusual parts and keeping in stock the parts that you require more frequently. You should look out for companies who keep a ready stock of things like Netgear routers, because this is the sort of thing that you are going to need sent out the very next day, so stock is important in this respect.

To find the right sort of site you it is best to search for something like computer parts UK to make sure you end up with a company that is based closely. Otherwise, you could find that you are subject to very expensive delivery fees. Look for companies that will source parts for you even if they don't have a stock of them themselves, and try to make sure that the site you find is able to deliver quickly and cheaply and able to offer you plenty of options when it comes to buying computer parts.

Finding a broadband comparison service online

2011-08-10T13:13:00.000-07:00

If you are thinking of finding a new broadband connection then by far and away the best and easiest way to do it is to search for one online. Firstly of all, it is cheaper to buy a broadband deal online. Because it is cheaper for companies to be set up on the net it means their overheads are lesser, so you can expect a better deal. You will also find that there is far more choice online, which makes things easier for you.

Of course, with all of this choice comes another problem in itself. You will find it difficult to narrow things down so that you can choose the right deal! The best way to get around this problem is to use a broadband comparison service on the internet. These sites make searching for broadband deals so much easier. You will be able to look at a range of different broadband deals next to each other so that you can really see which is the most valuable.

Another good thing to do is to try to piece together your broadband contract with your home phone contract and you satellite television contract. Doing this normally leads to some sort of discount on all three, and you can still search for comparison sites so that you can look at these deals alongside one another. To find out about broadband phone and digital TV deals you should also search for the review sites online so that you can get the reviews of the best ones. for instance if you are thinking of signing up to a deal with Sky, you should be looking for a Sky broadband review site so you can find out how they perform in terms of their customer service. Just take your time making your decision, and make sure you know exactly what you are signing up for, before you sign up for it!

CA Identity Manager High Availability & JBoss Clustering

2011-05-26T08:41:00.000-07:00

CA Identity Manager 12.x uses caching for transactions. The utilization of this feature can cause synchronization issues if the application is setup in a high availability mode without application server clustering.

An example I can give is a project I was involved with using JBoss as the CA IdM application server. As such I will be addressing JBoss clustering in this entry.

JBoss uses a Hypersonic database to manage internal JMS data (JMS Queues). JBoss uses the JMS queues for tracking tasks and processes within the application. It is recommended to use a shared MS SQL database for the JMS database. There are documents available online which explain how to migrate from Hypersonic to MS SQL. In my example we opted to use the same MS SQL infrastructure used by Identity Manager to house the JMS database. In simplified terms, the steps to accomplish to clustering of IdM on JBoss is as follows:

1. Create a new SQL database (JBOSS_JMS)
2. Create a user/owner for this DB (jbossjms)
3. Migrate JBoss to SQL from the Hypersonic DB
4. Bring all services back up and test to ensure the migration was successful
5. Follow the procedures in the IdM documentation to configure JBoss clustering

More Here

Courtesy:http://www.idmworks.com/blog/ca-identity-manager-high-availability-jboss-clustering

Oracle Fusion Stack 11g Install Videos

2011-05-26T08:34:00.000-07:00

Oracle Identity Manger 11g
Oracle Access Manager 11g
Oracle Adaptive Access Manager 11g
Oracle Identity Federation 11g
Oracle Internet Directory 11g
Oracle Virtual Directory 11g
Oracle HTTP Server
Oracle Directory Integration Platform 11g
Oracle WebLogic Server 11g
Oracle Database 11gR2
Oracle Identity Navigator 11g
Oracle Authorization Policy Manager
Oracle Platform Security Services

More Here

Courtesy:http://idmrockstar.com/blog/2011/04/oracle-fusion-stack-11g-install-videos/

Configuring Design Console for OIM 11g

2011-05-05T13:30:00.001-07:00

In OIM 11g, Design Console still is a required tool for system configuration, custom development and customization. But differently from OIM 9.x, Design Console 11g does not have its own installer anymore. It is installed and configured along with the OIM server installation.

One of the common questions around Design Console 11g is: if there is no installer anymore, how do I get it working on my desktop/laptop without installing the whole Identity and Access Management pack?

This is an easy task and this post describes the steps for getting it done:

1. If you don't have a JDK 1.6 in your laptop, you will have to install it.

2. Run the configuration script for OIM once again. The script is available at $IAM_HOME/bin (where IAM_HOME is the folder where the ‘Identity and Access Management Pack’ was installed). You have to run the ‘config.sh’ that is available at $IAM_HOME/bin folder and NOT the one available at ‘$IAM_HOME/common/bin/config.sh’

3. In the configuration wizard, select ‘Design Console’ checkbox ONLY.

4. In the next screen, enter the OIM server host and port name. The wizard will configure the Design Console files for you
Courtesy:http://fusionsecurity.blogspot.com/

GralicWrap Anti-Phising Software

2011-04-28T10:33:00.000-07:00

GralicWrap

Phishing scam artist send official-looking emails with authentic looking logos from valid organizations and companies and other identifying email information taken directly from genuine Webpages.

These authentic emails are an attempt to get you to sign in and gain your password and login information. Electronic mail is one of the top methods of identity theft.

To allow these phishing messages in email form, look even more real life, the scam / phisher will position a link so that the link looks like it will to the genuine Webpage, but it in reality it takes you to a counterfeit scam website or possibly a popup box will appear that looks identically, resembling the official site.

You can stop phishing scams with a good and effective Gralicwrap anti-phishing software

Anti Phishing, delete spam, viruses and other unwanted emails right at the server. Gralicwrap learns from good and bad spam using the good filter method to effectively block and stop spam.

Gralicwrap anti phishing software is made up of computer programs which will attempt to identify the phishing content that may be contained in a website or email that has been sent to you. This software is normally to be found as an integrated tool within web browsers and email servers and will display the real name of the domain for the website that you are visiting. In doing this it is hoped it will prevent sites which are fraudulent from being able to masquerade as ones that are actually legitimate. Today such a function may well be included as a built in feature of a lot of web browsers.

SAML EJB Integration with PicketLink STS

2011-04-25T16:04:00.001-07:00

In this document we show how to use PicketLink STS to validate SAML assertions and authenticate EJB clients.
Required software: JDK 6, PicketLink version 1.0.3 or superior. (Feature available starting 1.0.3.CR2)

Process Overview

The following picture illustrates the process of using SAML assertions to authenticate clients of EJB applications:

The client must first obtain the SAML assertion from PicketLink STS by sending a WS-Trust request to the token service. This process usually involves authentication of the client. After obtaining the SAML assertion from the STS, the client includes the assertion in the security context of the EJB request before invoking an operation on the bean. Upon receiving the invocation, the EJB container extracts the assertion and validates it by sending a WS-Trust validate message to the STS. If the assertion is considered valid by the STS (and the proof of possession token has been verified if needed), the client is authenticated.

On JBoss, the SAML assertion validation process is handled by the SAML2STSLoginModule. It reads properties from a configurable file (specified by the configFile option) and establishes communication with the STS based on these properties. We will see how a configuration file looks like later on. If the assertion is valid, a Principal is created using the assertion subject name and if the assertion contains roles, these roles are also extracted and associated with the caller's Subject.

EJB3 Integration Example

In this section we present a sample EJB3 application that authenticates clients by validating their SAML assertions with PicketLink STS. The deployments for both the EJB3 application and the STS can be found attached in this document.

EJB3 Sample App

Our EJB3 application consists of a simple stateless session bean. The session interface can be seen bellow:

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors. 
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb3;
 
 
import java.security.Principal;
 
 
/**
 * 
 * This is the remote interface of session beans used in the EJB3 security tests.
 * 
* 
 * @author Stefan Guilhen
 */
public interface SimpleSession
{
   /**
    * 
    * This is a method available for regular users and administrators. Implementations must annotate either the class or
    * this method with {@code @RolesAllowed({"RegularUser", "Administrator"})} to enforce that only these roles should
    * be granted access to this method.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeRegularMethod();
 
 
   /**
    * 
    * This is a method available for administrators only. Implementations must annotate either the class or this method
    * with {@code @RolesAllowed({"Administrator"})} to enforce that only administrators should be granted access to
    * this method.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeAdministrativeMethod();
 
 
   /**
    * 
    * This is a method available for all authenticated users, regardless or role. Implementations must annotate this
    * method with {@code @PermitAll} to specify that all security roles should be granted access.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnprotectedMethod();
 
 
   /**
    * 
    * This is a method that is unavailable for everybody. Implementations must annotate this method with
    * {@code @DenyAll} to specify that access should be restricted for everybody.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnavailableMethod();
 
 
}

And this is the implementation class:

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors. 
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb3;
 
 
import java.security.Principal;
 
 
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
 
 
/**
 * 
 * Stateless session bean implementation used in the EJB3 security tests.
 * 
* 
 * @author Stefan Guilhen
 */
@Stateless
@Remote(SimpleSession.class)
@RolesAllowed({"RegularUser", "Administrator"})
public class SimpleStatelessSessionBean implements SimpleSession
{
 
 
   @Resource
   private SessionContext context;
 
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeRegularMethod()
    */
   public Principal invokeRegularMethod()
   {
      // this method allows the same roles as the class.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb3.SimpleSession#invokerAdministrativeMethod()
    */
   @RolesAllowed({"Administrator"})
   public Principal invokeAdministrativeMethod()
   {
      // this method overrides the roles defined by the class to grant access to admnistrators only.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnprotectedMethod()
    */
   @PermitAll
   public Principal invokeUnprotectedMethod()
   {
      // this method overrides the roles defined by the class to grant access to all roles.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnavailableMethod()
    */
   @DenyAll
   public Principal invokeUnavailableMethod()
   {
      // this method should never be called - it overrides the class roles to deny access to all roles.
      return this.context.getCallerPrincipal();
   }
}

The session defines four methods: invokeRegularMethod (available to both Administrators and RegularUsers), invokeAdministrativeMethod (available to Administrators only), invokeUnprotectedMethod (available to all authenticated clients), and invokeUnavailableMethod (annotated with @DenyAll and thus unavailable to all roles).

Besides the sample session classes, our ejb3-sampleapp.jar contains the application policy definition for the EJBs:





   
   
      
         
            useFirstPass
            sts-config.properties
         
         
            useFirstPass
            ejb3-sampleapp-users.properties
            ejb3-sampleapp-roles.properties

The policy defines two login modules: SAML2STSLoginModule and UsersRolesLoginModule. The first will be responsible for validating the assertion with the STS in order to authenticate the client, while the second will be responsible for retrieving the client's roles from a properties file. In order to validate the SAML assertions, SAML2STSLoginModule needs information about the STS, like its endpoint URL, service name, port name, etc. This information is supplied by the sts-config.properties file:

serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS
username=JBoss
password=JBoss

The last two properties specify the username and password that will be used to authenticate the JBoss server to the STS when the WS-Trust validate message is dispatched. In other words, SAML2STSLoginModule needs to authenticate to the STS when validating the SAML assertions and these properties specify the username and password that will be used for that.

In our sample applications we will have three users (UserA, UserB, UserC), each with different roles. The ejb3-sampleapp-roles.properties file specifies the roles that have been assigned to each user:

UserA=RegularUser,Administrator
UserB=RegularUser
UserC=Guest

As we can see, UserA is both a RegularUser and Administrator, so he should be able to call all methods except for invokeUnavailableMethod. UserB is a RegularUser, so he should be able call invokeRegularMethod and invokeUnprotectedMethod methods. UserC is a Guest and should be able to invoke only the unprotected method of our sample EJB.

For the sake of completeness, here we can see the jboss.xml file of our ejb3-sampleapp.jar:



      -//JBoss//DTD JBOSS 5.0//EN
      http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd>

   java:/jaas/ejb3-sampleapp

All the configuration files can be found in the ejb3-sampleapp.jar that has been attached to this document.

PicketLink STS

Our PicketLink STS application is a tweaked version of the picketink-sts.war file that is available in the PicketLink project downloads page. More specifically, we created a new security domain for the STS in jboss-web.xml, included an application policy for the new domain that uses the UsersRolesLoginModule to authenticate STS clients, included the users and roles properties files, and changed the required role in web.xml to STSClient.

This is the content of the STS web.xml:



   -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN
   http://java.sun.com/dtd/web-app_2_3.dtd>


   
     PicketLinkSTS
     org.picketlink.identity.federation.core.wstrust.PicketLinkSTS
   
   
      PicketLinkSTS
      /*
   

  
     
       TokenService
       /*
       GET
       POST
     
     
       STSClient
     
   

   
      BASIC
      PicketLinkSTSRealm
   

   
      STSClient

STS callers must all have the STSClient role in order to send a WS-Trust request to the STS.

The STS security domain is specified by the jboss-web.xml file:




  java:/jaas/sts-domain

The application policy for the sts-domain is defined in the sts-jboss-beans.xml file:





   
   
      
         
            sts-users.properties
            sts-roles.properties

The sts-users.properties specify the username/passwords of the STS callers:

JBoss=JBoss
UserA=PassA
UserB=PassB
UserC=PassC

The sts-roles.properties specify the roles of the STS callers:

JBoss=STSClient
UserA=STSClient
UserB=STSClient
UserC=STSClient

Notice that the JBoss user represents the JBoss server during the SAML validation process. All other users are the clients of the EJB3 sample application - they send a message to the STS to acquire a SAML assertion before calling the methods on the EJB3 application.

Client Application

The SAMLEJB3IntegrationTest shows what happens when each of the users (UserA, UserB, and UserC) acquire a SAML assertion from PicketLinkSTS and invoke all methods on the sample EJB3. Let's take a look at the code:

/*
 * JBoss, Home of Professional Open Source Copyright 2009, Red Hat Middleware
 * LLC, and individual contributors by the @authors tag. See the copyright.txt
 * in the distribution for a full listing of individual contributors.
 * 
 * This is free software; you can redistribute it and/or modify it under the
 * terms of the GNU Lesser General Public License as published by the Free
 * Software Foundation; either version 2.1 of the License, or (at your option)
 * any later version.
 * 
 * This software is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with this software; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
 * site: http://www.fsf.org.
 */
package test;
 
import java.security.Principal;
import java.util.Hashtable;
 
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.jboss.test.security.ejb3.SimpleSession;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
 * 
 * This class tests the usage of SAML assertions to authenticate clients of EJB3 applications on JBoss. This is
 * accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
 * the assertion as the credential when calling the protected EJB3.
 * 
* 
 * The protected EJB3 application used in this test has configured the {@code SAML2STSLoginModule}. This login
 * module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
 * module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
 * 
* 
 * @author Stefan Guilhen
 */
public class SAMLEJB3IntegrationTest
{
 
   private Hashtable env;
   
   public static void main(String[] args) throws Exception
   {
      SAMLEJB3IntegrationTest test = new SAMLEJB3IntegrationTest();
      test.testSAMLEJB3Integration("UserA", "PassA");
      test.testSAMLEJB3Integration("UserB", "PassB");
      test.testSAMLEJB3Integration("UserC", "PassC");
   }
   
   public SAMLEJB3IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable();
      this.env.put("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
   
   public void testSAMLEJB3Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort", 
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS", 
            new SecurityInfo(username, password));
      
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try 
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // use the SecurityClient API to set the assertion in the client security context.
      SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
      securityClient.setSimple(username, new SamlCredential(assertion));
      securityClient.login();
      
      // invoke the EJB3 bean - the assertion will be propagated with the security context.
      System.out.println(username + " invoking secure EJB3 session bean");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleStatelessSessionBean/remote");
      SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(object, SimpleSession.class);
      
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println(principal.getName() + " successfully called administrative method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call administrative method!");
      }
      
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println(principal.getName() + " successfully called regular method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println(principal.getName() + " successfully called unprotected method!");
      }
      catch (EJBAccessException eae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println(username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println(principal.getName() + " successfully called unavailable method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call unavailable method!");
      }
   }
}

As we can see, the assertion is first obtained using the WSTrustClient API. Once the assertion has been acquired, we use the SecurityClient API to push it to the client-side security context. Then we attempt to call all methods on the sample EJB3 session and print the results of these calls.

Deploying and Running the EJB3 Sample Application on JBoss AS5

In order to get the sample application running you must first install the PicketLink jar files on JBoss. This is accomplished by copying picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar (both attached in this document) files to the JBOSS_HOME/server/partition/lib folder. After installing the required PicketLink libs you must copy the ejb3-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/partition/deploy.

After copying the required PicketLink jars and deploying the sample application and the STS war, start your JBoss partition. If everything is ok, you should see something like the following in the log:

21:02:10,099 INFO  [SessionSpecContainer] Starting jboss.j2ee:jar=ejb3-sampleapp.jar,name=SimpleStatelessSessionBean,service=EJB3
21:02:10,108 INFO  [EJBContainer] STARTED EJB: org.jboss.test.security.ejb3.SimpleStatelessSessionBean ejbName: SimpleStatelessSessionBean
21:02:10,152 INFO  [JndiSessionRegistrarBase] Binding the following Entries in Global JNDI:

    SimpleStatelessSessionBean/remote - EJB3.x Default Remote Business Interface
    SimpleStatelessSessionBean/remote-org.jboss.test.security.ejb3.SimpleSession - EJB3.x Remote Business Interface

21:02:10,306 INFO  [TomcatDeployment] deploy, ctxPath=/
21:02:11,375 INFO  [WSDLFilePublisher] WSDL published to: file:/opt/workspace-jboss/jbossas-trunk/build/target/jboss-6.0.0-SNAPSHOT/server/default/data/wsdl/picketlink-sts-1.0.0.war/PicketLinkSTS.wsdl
21:02:11,482 INFO  [DefaultEndpointRegistry] register: jboss.ws:context=picketlink-sts-1.0.0,endpoint=PicketLinkSTS
21:02:11,543 INFO  [TomcatDeployment] deploy, ctxPath=/picketlink-sts-1.0.0

In order to compile the sample client application, you need to have ejb3-sampleapp.jar, picketlink-fed-1.0.3.jar (both attached in this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jars manually.

In order to run the client, all you have to do is specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB3IntegrationTest

If everything has been configured and deployed properly, you should see the following output:

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
UserA invoking secure EJB3 session bean
UserA successfully called administrative method!
UserA successfully called regular method!
UserA successfully called unprotected method!
UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
UserB invoking secure EJB3 session bean
UserB is not authorized to call administrative method!
UserB successfully called regular method!
UserB successfully called unprotected method!
UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
UserC invoking secure EJB3 session bean
UserC is not authorized to call administrative method!
UserC is not authorized to call regular method!
UserC successfully called unprotected method!
UserC is not authorized to call unavailable method!

As we can see, each user had access to the expected methods. Authentication was performed by the SAML2STSLoginModule, which validated the supplied assertion with PicketLink STS, and the roles were provided by the UsersRolesLoginModule.

EJB2 Integration Example

In this section we present the EJB2 version of the sample application (ejb2-sampleapp.jar which can be found attached to this document). The sample session bean performs the same operations as in the EJB3 example, but let's take a look at the classes anyway.

The remote and home interfaces look as follows:

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors. 
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.EJBObject;
 
/**
 * 
 * This is the remote interface of the session bean used in the EJB2 SAML security test.
 * 
* 
 * @author Stefan Guilhen
 */
public interface SimpleEJB2Session extends EJBObject
{
   /**
    * 
    * This is a method available for regular users and administrators. The deployment descriptor must enforce that
    * only users in RegularUser or Administrator roles are granted access to this method.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeRegularMethod() throws RemoteException;
 
   /**
    * 
    * This is a method available for administrators only. The deployment descriptor must enforce that only users in the
    * Administrator role are granted access to this method.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeAdministrativeMethod() throws RemoteException;
 
   /**
    * 
    * This is a method available for all authenticated users, regardless or role. The deployment descriptor must
    * contain an {@code unchecked} element for this method.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnprotectedMethod() throws RemoteException;
 
   /**
    * 
    * This is a method that is unavailable for all roles. The deployment descriptor must add this method to the
    * {@code exclude-list} element.
    * 
    * 
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnavailableMethod() throws RemoteException;
 
}

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors. 
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
 
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
 
/**
 * 
 * This is the home interface of the session bean used in the EJB2 SAML security test.
 * 
* 
 * @author Stefan Guilhen
 */
public interface SimpleEJB2SessionHome extends EJBHome
{
   /**
    * 
    * Creates and returns a reference to the {@code SimpleEJB2Session} interface.
    * 
    *
    * @return a reference to the {@code SimpleEJB2Session} remote interface.
    */
   public SimpleEJB2Session create() throws CreateException, RemoteException;
 
}

And here we can see the implementation class:

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors. 
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
 
public class SimpleEJB2SessionBean implements SessionBean
{
    private SessionContext context;
 
    /**
     * 
     * {@code ejbCreate} method required by the EJB2 specification. 
     * 
     *
     * @throws CreateException if an error occurs while creating the session bean.
     */
    public void ejbCreate() throws CreateException
    {
    }
 
    /*
     * (non-Javadoc)
     * 
     * @see javax.ejb.SessionBean#ejbActivate()
     */
    public void ejbActivate()
    {
    }
 
    /*
     * (non-Javadoc)
     * 
     * @see javax.ejb.SessionBean#ejbPassivate()
     */
    public void ejbPassivate()
    {
    }
 
    /*
     * (non-Javadoc)
     * 
     * @see javax.ejb.SessionBean#ejbRemove()
     */
    public void ejbRemove()
    {
    }
 
    /*
     * (non-Javadoc)
     * 
     * @see javax.ejb.SessionBean#setSessionContext(javax.ejb.SessionContext context)
     */
    public void setSessionContext(SessionContext context)
    {
        this.context = context;
    }
 
    /*
     * (non-Javadoc)
     * 
     * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeRegularMethod()
     */
    public Principal invokeRegularMethod()
    {
       // this method can be invoked by RegularUser and Administrator roles.
       return this.context.getCallerPrincipal();
    }
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokerAdministrativeMethod()
    */
   public Principal invokeAdministrativeMethod()
   {
      // this method can be invoked by the Administrator role only.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnprotectedMethod()
    */
   public Principal invokeUnprotectedMethod()
   {
      // this method can be invoked by any role.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    * 
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnavailableMethod()
    */
   public Principal invokeUnavailableMethod()
   {
      // this method cannot be invoked by any role.
      throw new EJBException("Excluded method - no access should be allowed");
   }
}

The application policy definition (ejb2-sampleapp-jboss-beans.xml), the properties files used by the UsersRolesLoginModule, the STS configuration file, and the META-INF/jboss.xml file are all very similar to the ones found in the EJB3 example. For this reason we are not going to show them here.

Now, the authorization rules must be defined in the META-INF/ejb-jar.xml deployment descriptor:



      -//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN
      http://java.sun.com/dtd/ejb-jar_2_0.dtd>


   EBJ2 SAML Tests
   
      
         A secured stateless session bean
         SimpleEJB2Session
         org.jboss.test.security.ejb2.SimpleEJB2SessionHome
         org.jboss.test.security.ejb2.SimpleEJB2Session
         org.jboss.test.security.ejb2.SimpleEJB2SessionBean
         Stateless
         Container
      
   

   
      
         The role required to invoke administrative methods
         Administrator
      
      
         The role required to invoke regular methods
         RegularUser
      

      
      
         
         
            SimpleEJB2Session
            invokeUnprotectedMethod
         
         
            SimpleEJB2Session
            Home
            create
         
      

      
      
         Administrator
         
            SimpleEJB2Session
            Remote
            *
         
      

      
      
         RegularUser
         
            SimpleEJB2Session
            Remote
            invokeRegularMethod
         
      

      
      
         A method that no one can access in this deployment
         
            SimpleEJB2Session
            invokeUnavailableMethod

As we can see, the invokeUnprotectedMethod is available to all roles. The Administrator role can call all methods on the bean except for invokeUnavailableMethod, which is in the exclude-list section. The RegularUser role is allowed to call only the invokeRegularMethod method besides the unprotected method.

Client Application

The client application for the EJB2 example is also very similar to the one used to test the EJB3 SAML integration. The main differences are the lookup code and the way we use to establish the client-side security context.

/*
 * JBoss, Home of Professional Open Source Copyright 2010, Red Hat Middleware
 * LLC, and individual contributors by the @authors tag. See the copyright.txt
 * in the distribution for a full listing of individual contributors.
 * 
 * This is free software; you can redistribute it and/or modify it under the
 * terms of the GNU Lesser General Public License as published by the Free
 * Software Foundation; either version 2.1 of the License, or (at your option)
 * any later version.
 * 
 * This software is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with this software; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
 * site: http://www.fsf.org.
 */
package test;
 
import java.rmi.AccessException;
import java.security.Principal;
import java.util.Hashtable;
 
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.test.security.ejb2.SimpleEJB2Session;
import org.jboss.test.security.ejb2.SimpleEJB2SessionHome;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
 * 
 * This class tests the usage of SAML assertions to authenticate clients of EJB2 applications on JBoss. This is
 * accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
 * the assertion as the credential when calling the protected EJB2.
 * 
* 
 * The protected EJB3 application used in this test has configured the {@code SAML2STSLoginModule}. This login
 * module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
 * module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
 * 
* 
 * @author Stefan Guilhen
 */
public class SAMLEJB2IntegrationTest
{
 
   private Hashtable env;
   
   public static void main(String[] args) throws Exception
   {
      SAMLEJB2IntegrationTest test = new SAMLEJB2IntegrationTest();
      test.testSAMLEJB2Integration("UserA", "PassA");
      test.testSAMLEJB2Integration("UserB", "PassB");
      test.testSAMLEJB2Integration("UserC", "PassC");
   }
   
   public SAMLEJB2IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable();
      this.env.put("java.naming.factory.initial", "org.jboss.security.jndi.JndiLoginInitialContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
   
   public void testSAMLEJB2Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort", 
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS", 
            new SecurityInfo(username, password));
      
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try 
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // invoke the remote EJB using the assertion as the credential.
      this.env.put("java.naming.security.principal", username);
      this.env.put("java.naming.security.credentials", new SamlCredential(assertion));
 
      System.out.println("Invoking secure EJB2 session bean with " + username + " SAML assertion");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleEJB2Session/home");
      SimpleEJB2SessionHome home = (SimpleEJB2SessionHome) PortableRemoteObject.
         narrow(object, SimpleEJB2SessionHome.class);
      SimpleEJB2Session session = home.create();
      
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println("User " + principal.getName() + " successfully called administrative method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call administrative method!");
      }
      
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println("User " + principal.getName() + " successfully called regular method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println("User " + principal.getName() + " successfully called unprotected method!");
      }
      catch (AccessException ae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println("User " + username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println("User " + principal.getName() + " successfully called unavailable method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call unavailable method!");
      }
 
   }
}

In this case we are using the JndiLoginInitialContextFactory to set the SAML assertion in the security context just to show an alternative to the SecurityClient API. The JndiLoginInitialContextFactory gets the principal and credentials from the InitialContext properties and pushes them to the security context.

NOTE: The JndiLoginInitialContextFactory approach doesn't work for EJB3 beans on JBoss AS 5.1.0.GA. An issue (JBAS-7010) has been flagged and a fix is available for JBoss 5 EAP and JBoss AS 6. So if you are using JBoss AS 5.1.0.GA make sure to use the SecurityClient API to invoke EJB3 beans using SAML.

Deploying and Running the EJB2 Sample Application on JBoss AS5

If the PicketLink libs haven't been installed yet, you need to do this before deploying the sample application and the STS. This is accomplished by copying picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar (both attached to this document) files to the JBOSS_HOME/server/partition/lib folder. After installing the required PicketLink libs you must copy the ejb2-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/partition/deploy.

In order to compile the EJB 2 sample client application, you need to have ejb2-sampleapp.jar, picketlink-fed-1.0.3.jar (both found in this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jar manually.

In order to run the client, just specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB2IntegrationTest

If everything has been configured and deployed properly, you should see the following output (similar to the output produced by the EJB3 client application we've shown before):

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
Invoking secure EJB2 session bean with UserA SAML assertion
User UserA successfully called administrative method!
User UserA successfully called regular method!
User UserA successfully called unprotected method!
User UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
Invoking secure EJB2 session bean with UserB SAML assertion
User UserB is not authorized to call administrative method!
User UserB successfully called regular method!
User UserB successfully called unprotected method!
User UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
Invoking secure EJB2 session bean with UserC SAML assertion
User UserC is not authorized to call administrative method!
User UserC is not authorized to call regular method!
User UserC successfully called unprotected method!
User UserC is not authorized to call unavailable method!

KariChat Live Chat Software

2011-04-24T10:20:00.000-07:00

KariChat enables webmasters to chat with their visitors in real-time, enabling live help and live support, and providing means to engage the visitor into instant sale. KariChat is so much more than just a chatting service, you can also use this software to track your customers and gather information that can be used to close the sale. For this reason, along with many others, we decided to make KariChat the best for live chat software.

Below are the points you would like when buying the KariChat, the live chat software

Easy Setup & Operation
Look for a live chat service that is simple to set up and maintain.

Customer Convenience
Little conveniences make all the difference to a customer, like knowing their question is receiving attention even before the live chat operator sends the response (typing indicator) or the offer to email a transcript of the live chat session to the customer afterward.

Big conveniences make a difference too, like your customers' ability to receive documents, images or the right webpage from your live chat operator. Look for features like these to delight customers.

Operator/Manager Convenience
Make live chat simple, not a chore for your operators. Features that add to operator convenience include: prewritten chat greetings you can edit, visual and sound alerts, a built-in spellchecker, ability to run several chat sessions at the same time and the ability to transfer live chats to other operators.
Built-in, customizable chat buttons and images can reinforce your company's branding efforts and remote administration means you can make changes on the fly from any computer. Management will be delighted with the automatic online/offline status and messaging system to avoid losing a single customer.

Monitoring and Tracking Abilities
With the right tools, you can collect rich information about online visitors, including the website they came from, what pages they visit on your site and the browser they use. You can see if the visitor has been on your website before, look up past chats and customer information then launch a live chat. Some chat services offer a built-in "Who Is" browser lookup if you want to learn more about a specific customer.

Flexible Features
Top features to look for include live keywords to help you understand your customers' goals, and the ability to send your customer a survey after chat is complete. On your website, you can add a floating invitation to chat, or place advertisements in your live chat window.

All these features give you the opportunity to serve your customer better (and to get your customer's attention).

Customer Support
Look for live chat support software that is willing to help you in ways you find most convenient: live chat support, email and/or a toll-free telephone number. With live chat support services, you have all the tools and resources you need to turn a first-time customer into a lifetime customer.

Conclusion
Get sound and good support when you would use the live chat software provided by KariChat

SEO Importance

2011-04-23T22:08:00.000-07:00

Simply stated, Search Engine Optimization, or SEO, is the process of optimizing a website in order to make it easier for search engines like Google and Yahoo! to crawl or scan your site. When executed properly, search engines will come to understand what your site is actually about. This is important because it helps determine where your website will rank in their search results.

In today’s web-based marketplace, SEO is one of the most profitable skills you can possess. Never before has it been possible to “catch” prospects as they are in the heat of looking for exactly what you sell. Furthermore, customers who find you are more motivated than customers you approach yourself. Unfortunately, all your competitors are aware of that, too.

Without proper optimization, you lose twice: not only do searchers not find you, they then find one or more of your competitors instead. The same goes for bloggers who have nothing to sell but are competing for readers.

Courtesy:http://www.contactme.com/blog/advice/what-is-seo-and-how-can-i-rank-higher-in-google/

Get Manager approval in SharePoint Designer 2010 - Step by Step

2011-04-20T19:01:00.000-07:00

A fundamental condition that you always encountered when gathering workflow requirement is to get the user's manager approval, a tedious amount of coding to connect to active directory retrieve user profile information, get his manager login name, pass it as a parameter to the workflow, create a custom task for the manager with a notification.

SharePoint 2010 Designer to the rescue, you can do all the above in 15 clicks, with ZERO code involved. Just by doing the following:

Open SharePoint Designer 2010 and connect to your SharePoint site.

Click Workflows and select the workflow type you need, for this presentation I'll use reusable workflow with All content types as my scope. But this doesn't affect the following logic, the same steps applies for the List and Site workflows.

From the Workflow ribbon select Actions > Collect Data from User, you can also select assign a to-do task but collect action from user allows you to create a custom task for the manager

This will show you the Action in the workflow editor.

The action is constructed from three parts:
1. The data, which is the custom task that will be collected
2. This user, which in our case the manager
3. Output to variable: collect. Collect is the task ID which you can change it, use it to refer to the task when you need to pass a variable through this task.

Clicking on data will allow you to create the custom task by starting the task wizard, open the wizard and click Next.
You will need to specify a Task name, and you can also specify a description. For now lets call the task "Review Task". And click Next

Now you can Specify the Task custom field by clicking Add and select the field type, I will specify two field:
1. Approved as a choice with Yes/No.
1. Comment as a text area.

More Here

Courtesy:http://blogs.technet.com/b/meacoex/archive/2010/11/01/get-manager-approval-in-sharepoint-designer-2010-step-by-step.aspx

Remote Active Directory Administration with Windows PowerShell

2011-04-20T18:58:00.000-07:00

Windows Server 2008 R2 automatically installs the Active Directory Module for Windows PowerShell and Active Directory Administrative Center when you add the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) role. When you promote the server to an AD DS domain controller or create an AD LDS instance, the system then installs and activates Active Directory Web Services, which is everything you need to manage Active Directory using Windows PowerShell on that computer.

However, administrators often want to manage Active Directory from another computer at a remote location, and you can do so with the Active Directory Module and ADAC, as long as you are running Windows Server 2008 R2 or Windows 7 on the remote computer.

To manage AD DS or AD LDS resources from a computer running Windows Server 2008 R2 that is not an AD DS domain controller and that does not host an AD LDS instance, you must install the Active Directory Module for Windows PowerShell and (optionally) the ADAC module, using the Add Features Wizard, accessible in Server Manager or the Initial Configuration Tasks window. If you prefer, you can also install the features using Windows PowerShell cmdlets or the Servercmd.exe command-line tool.

Install Remote Server Administration Tools with the Add Features Wizard
The Active Directory Module for Windows PowerShell and the ADAC are part of the Remote Server Administration Tools feature, which you can add as a whole or by selecting individual modules. Both modules require you to install the .NET Framework 3.5.1 feature as well, and to install ADAC, you must also install the Active Directory Module for Windows PowerShell and AD DS Snap-Ins and Command-Line Tools features.

Note that your server must be a member of an AD DS domain with at least one Windows Server 2008 R2 domain controller.

Install Remote Server Administration Tools with Windows PowerShell
You can also install individual parts of the Remote Server Administration Tools feature from the Windows PowerShell prompt, using the capabilities provided in the ServerManager module.

More Here

Courtesy:http://technet.microsoft.com/en-us/magazine/gg413289.aspx

The Benefits of Private Cloud Computing

2011-04-20T18:56:00.001-07:00

While we've all heard the terms private and public cloud over the last year, those terms may still seem vague to some. So it's probably a good idea to discuss each concept in some detail, and since it's near and dear to my heart I'll start with private cloud. No, it's not a gated community in heaven; though it can be a religious experience when properly implemented.

To use the formal definition: A private cloud pools and dynamically allocates your IT resources across business units, so that services can be deployed quickly and scaled out to meet business needs whenever they occur. Usage of these resources can be tracked and billed back to each business unit. With private cloud you get many of the benefits of (public) cloud computing with the additional control and customization associated with using resources that are dedicated to your organization.

What's that all mean? It means that a private cloud takes the concepts of a dynamic datacenter to the next level. In a dynamic datacenter, we use virtualization to - for all intents and purposes - divorce hardware considerations from your IT workloads. The infrastructure you have siloed to different departments, buildings, campuses or what have you, can now be combined into one virtualized pool of resources - infrastructure that IT can offer as a service, quickly and elastically, anywhere in the organization where it's needed. Hence the moniker, Infrastructure as a Service (IaaS). Servers, platforms and applications run on virtualized servers that are quickly deployed and scaled without requiring much integration with the hardware layer. IaaS is currently the beating heart of a private cloud design, but Platform as a Service (PaaS) is coming soon to a private cloud near you (see below).

The private cloud enables this next-level of IT service, using identity management and advanced systems management tools to enable IT pros and even end users to build up, maintain and tear down resources that before would have required lengthy IT intervention. Take the case of a developer looking to test a new software product. Previously, she'd have to ring up IT and request a server be built to her testing specifications. Wait two weeks for IT to approve the request and someone might then get around to giving her a machine. Meanwhile, her testing process is in limbo. In a private cloud, she'll be able to log into a self-service portal, build her own virtual server decked out just the way she needs it, test till her head turns blue and then tear the whole thing down in the end. To the IT manager, this whole transaction will simply take place in his event and audit logs.

Does this mean he's out of a job? Heck, no. For one, the elements that comprise a private cloud are the same ones you need him for today - Windows Server 2008 R2, Active Directory, Hyper-V, System Center and more. For another, even with these platforms optimized into a working private cloud, you'll need to align these new capabilities with your company's workflows and business requirements. Yes, the IT pro role will likely need to evolve in this scenario. Grow from being solely a technologist to being able to strategize with technology - add new value to the business by combining technology expertise with business expertise . Find new ways of doing things and push that competitive edge.

More Here

Courtesy:http://blogs.technet.com/b/itinsights/archive/2010/11/09/the-benefits-of-private-cloud-computing.aspx

Configuring ADFS Trusts For Multiple Identity Providers with SharePoint 2010

2011-04-20T18:54:00.000-07:00

To begin with, start on the ADFS server to which your SharePoint site has the trust (we'll call it RP).

Open the federationmetadata.xml file from the ADFS server that users will be authenticating against (we'll call it IP) in the browser. By default the location will be https://myIpAdfsServer/FederationMetadata/2007-06/FederationMetadata.xml. If you get an untrusted certificate error in the browser you'll need to add the root authority certificate for the IP ADFS server's SSL to your trusted root authorities store. NOTE: This assumes that you have the same root authority certificate for both the SSL access to the IP ADFS web server and the IP ADFS token signing certificate. If they are not the same then you need to add the root certificate authority for BOTH to the local RP ADFS server's certificate store. To do that:
1. Click through to view the web site, which should show the Xml file.
2. Click on the View Certificates icon so you can see the SSL certificate that was used.
3. Click on the Certificate Path tab.
4. Double-click on the top certificate in the chain - this is the root authority certificate.
5. Click on the Details tab.
6. Click on the Copy to File... button and save the certificate in CER format to the local disk. You can now close out all of the certificate dialogs and browser.
7. Open up the Certificates MMC; if you don't have a shortcut for this then just start the MMC from the Run menu, Add snap-ins, and add the Certificates snap-in for the Computer (local).
8. Expand the Trusted Root Certification Authorities node, right-click on the Certificates node, and choose the Import menu. Follow the wizard to import the root authority .CER file you exported above.
Open up the AD FS 2.0 Management application.
Expand the Trust Relationships node, then right-click on the Claim Provider Trusts node and select Add Claims Provider Trust...
Click the Start button to begin the wizard.
Leave the default option selected to Import data about the claims provider published online or on a local network, and in the edit box put in the address to the FederationMetadata.xml file (https://myIpAdfsServer/FederationMetadata/2007-06/FederationMetadata.xml by default) then click the Next button. If your root authority certificate is correctly installed and the name can be resolved, then the wizard will continue to the next step. If not, you have troubleshooting to do.
Provide a Display Name and optionally Notes, then click the Next button.

More Here

Courtesy:http://blogs.technet.com/b/speschka/archive/2010/11/24/configuring-adfs-trusts-for-multiple-identity-providers-with-sharepoint-2010.aspx

Configuring SharePoint to use a Specific Identity Provider in ADFS

2011-04-20T18:53:00.000-07:00

One example where this may be necessary is if you have one ADFS server that is a sort of hub for other ADFS servers being used. If we follow this scenario out, suppose you have multiple web applications in SharePoint, and for each one your users should authenticate against a different Active Directory forest via ADFS. Well, using the procedures I described in the previous posting, you can create the trusts in ADFS to make that scenario work. However, the first time your users navigate to the SharePoint site that uses that hub ADFS server, or if they use the In Private features of IE to navigate to the site, they will get an intermediary page from ADFS before they log on. That intermediary page will list ALL of the claims identity providers and ask the user to select the one against which they wish to authenticate. Then they are redirected over to the login page for that identity provider (IP).

In a perfect world though, we don't want users to see that intermediary page - we'd rather redirect them immediately to the correct IP for authentication. Fortunately ADFS provides support for this through a "whr" query string parameter. If you add this query string parameter when navigating to ADFS then it will do a look up of the whr parameter to find a matching IP. If it finds one, then it automatically redirects you to that IP. In ADFS 1.x that parameter was a URN, like urn:foo:monkey. In ADFS 2.0 it takes the format of a Uri. To find the value you should use for the whr query string parameter, open up the AD FS 2.0 Management application. Expand the Trust Relationships...Claims Provider Trusts node, then double-click on the IP that you want used. Click on the Identifiers tab and you will see a grayed out edit box called Claims provider identifier:. The value in there is what should be in your whr query string parameter. For example, in my environment the IP identifier is http://tgen1.terri.local/adfs/services/trust. In order to get users of a web application to redirect immediately over to that IP I need to append the following to the normal login query string that SharePoint uses: &whr=http://tgen1.terri.local/adfs/services/trust When I do that I no longer see the IP selection page in ADFS, I just go directly to logging in.

More Here

Courtesy:http://blogs.technet.com/b/speschka/archive/2010/11/24/configuring-sharepoint-to-use-a-specific-identity-provider-in-adfs.aspx

Auto Populate Telephone Numbers form Active Directory to Office Communicator 2007/R2

2011-04-20T18:49:00.002-07:00

In some OCS 2007/R2 Implementation scenarios without Enterprise Voice it is required that all user’s Telephone numbers in Active Directory to be populated to Office Communicator 2007/R2 though Office Communication Server 2007/R2 Address Book, so Communicator user can know Telephone Numbers for his contacts with one click on a contact inside Office Communicator without query the Corporate Directory in Outlook or from Corporate Telephone System, below picture show what user will see from one click in communicator when User’s Telephone Numbers Auto Populated from Active Directory to Office Communicator.

This Microsoft article http://support.microsoft.com/kb/961947 shows that if the telephone number stored in Active Directory is not in standard format ………………. Then numbers will not be populated to Office Communicator

Create Company Normalization Rule File

To overcome the non standard telephone numbers issue and allow Auto Population for User’s Telephone Numbers from Active Directory to Office Communication Server 2007/R2 you need to create Company_Phone_Number_Normalization_Rules text file include all customer Normalization Rules related to how customer store Telephone Numbers in Active Directory, to this there is a template file named “Company_Phone_Number_Normalization_Rules.txt” and stored in OCS Front End Server in this path “C:\Program Files\Microsoft Office Communications Server 2007 R2\Web Components\Address Book Files\Files” this template file is like the one in picture below:

More Here

Courtesy:http://blogs.technet.com/b/bettertogether/archive/2011/01/09/auto-populate-telephone-numbers-form-active-directory-to-office-communicator-2007-r2.aspx

Import Bulk Users to Active Directory

2011-04-20T18:49:00.000-07:00

1) Build CSV file that include Organization Users with specific attributes to be imported in the new Windows 2008 R2 Active Directory,
Sample of CSV can be as the following:
Recommendation
For simplicity’s sake we’ll keep it to a few basic properties like Name and Description, of course Organization IT team can and normally would have significantly more. To make it easier IT team can add a few extra columns like the SamAccountName and the Path (OU) where Organization would like the account to be created, and for account password IT team can configure random or fixed password for all users and force it for all users and distribute the new passwords for each user individually while configure all users to be forced to change password after first login.

2) Use cmdlet Import-CSV which read from a standard CSV file and create a set of objects based on data inside the CSV file, then send the results of this cmdlet using PowerShell pipeline to New-ADUser cmdlet from ActiveDirectory module to create the specified users in the Active Directory, as a sample cmdlet: “Import-CSV C:\Users.csv | New-ADUser” this command to be run from Active Directory PowerShell Module.
3) Verify that the users in CSV are imported in the Active Directory.

More Here

Courtesy:http://blogs.technet.com/b/bettertogether/archive/2011/01/09/import-bulk-users-to-active-directory.aspx

Active Directory Forest Discovery and Publishing in Configuration Manager 2012 Beta 2

2011-04-20T18:25:00.000-07:00

Background
In many large organizations, network configuration and Active Directory Domain Services are managed separately from Configuration Manager. Changes to the network topology or AD structure must be communicated between these teams to ensure Configuration Manager boundary settings are accurate. Up to date boundary information results in efficient application and software update deployments to all managed client computers. This is especially critical for roaming scenarios, which require boundary information to always be available and up to date. Now in Configuration Manager 2012 Beta 2, Active Directory Forest Discovery and publishing improvements enable organizations to centrally manage distribution of key site system roles across forests without the requirements to deploy additional sites.
Forest Discovery and Publishing Overview
To improve manageability of an ever-changing network environment, Active Directory Forest Discovery is added in Configuration Manager 2012 Beta 2. With it, Configuration Manager can discover Active Directory forests, their domains, AD Sites and IP subnets. Because domain users (or domain computer accounts) have permission to query forest relationships, Active Directory Forest Discovery can return information about other forests and their trust direction. The system can programmatically connect to all the forests and build a complete mapping of the corporate environment. It can also cross forest boundaries using specific credentials for each forest regardless of the trust type. The information obtained through Active Directory Forest Discovery can be directly exported as boundaries or boundary groups. Changes to discovered data are updated dynamically and aged out from the database if no longer present in Active Directory Domain Services. The discovered data is also used when clients request a management point or distribution point to ensure they receive the best possible site system.
Credentials specified for each Active Directory forest are used for both discovery and publishing and enable Configuration Manager 2012 sites to publish Configuration Manager site information in remote trusted or untrusted forests. Publishing stores information such as site system locations and capabilities, boundaries, and security information required by client computers to establish trusted connections with site systems and information such as the client's trust relationship with the forest, and the management point's communication mode (HTTPS/HTTP) and the network information (boundaries) that are used to locate the most appropriate management point or distribution point to communicate with. This enables client computers to more readily locate servers in a trusted forest to ensure user targeted applications.
How to use AD Forest Discovery

Enable Forest Discovery Active Directory Forest Discovery is a new discovery method located in the Administration workspace of the Configuration Manager console. It can be enabled on the central administration site and primary sites. It is not supported on secondary sites.

To enable Active Directory Forest Discovery, open the Active Directory Forest Discovery method properties dialog, and enable the method by checking "Enable Active Directory Forest Discovery". Active Directory Forest Discovery discovers AD Sites and IP Subnets from the forests, so there are two more flexible options asking whether you want to create the AD Site or IP Subnet boundaries automatically based on the discovery results. Discovery can be scheduled by hour/day/week. Discovery will automatically create the boundaries, but it will still be necessary for you to add the boundaries to a boundary group and to associate them with a site system to ensure content is available to your clients or the boundaries are used for site assignment.

Active Directory Forest Discovery can be run on demand by selecting the "Run full discovery now" action from the ribbon or a right-click menu.
Monitor Forest Discovery Running Status Active Directory Forest Discovery progress can be monitored by viewing forest discovery log located in (SMS Installation Directory)\Logs\ADForestDisc.log or by viewing Active Directory Forest Discovery component status messages. In the Configuration Manager console, click Monitoring, expand System Status, click Component Status, select SMS_AD_Forest_Discovery_Manager, and click Show Messages to see status messages for this component.

More Here

Courtesy:http://blogs.technet.com/b/configmgrteam/archive/2011/03/30/active-directory-forest-discovery-and-publishing-in-configuration-manager-2012-beta-2.aspx

Delegation of control with SCVMM 2008 R2 self service portal

2011-04-20T18:09:00.000-07:00

This topic is about delegation of controle of virtual machines with Virtual Machine Manager self service portal.
you can make a profile with in VMM, and the user of that profile can only controle the virtual machines you want as an administrator.

First you login for example via SharePoint Portal to the Vitual Machine environment :

You login with the right user credentials to get in the VMM self service portal.
Then you get in the serverrole environment of Microsoft System Center Virtual Machine Manager.
The administrator gives you the rights to the right environment in SCVMM with the right Virtual Machine to manage with
delegation of controle.

You can connect all your own virtual machine with the right delegation of controle :

More Here

Courtesy:http://mountainss.wordpress.com/2011/04/20/delegation-of-control-with-scvmm-2008-r2-self-service-portal/

Quick “Report” of all OIM Open Tasks

2011-04-19T21:09:00.000-07:00

Here’s a quick SQL script that’ll list out all the open tasks with their login, date, and details:

select oti.sch_actual_start,oti.sch_data,usr.usr_login from oti inner join orc on oti.orc_key=orc.orc_key inner join usr on orc.usr_key=usr.usr_key where oti.sch_actual_start>’15-AUG-10′

More Here

Courtesy:http://idmrockstar.com/blog/2010/08/quick-report-of-all-oim-open-tasks/

Oracle Access Management (OAM 11gR1)

2011-04-17T16:23:00.000-07:00

# Oracle Access Manager 11gR1 provides a single authoritative source for all authentication and authorization services.
# Oracle Access Manager 11g provides single sign-on (SSO), authentication, authorization to registered agents (in any combination) protecting resources. Agents include:

* OAM 11g WebGates
* OAM 10g WebGates
* IDM Domain Agent
* OSSO Agents (10g mod_osso)

# OAM 11g can be integrated with any Web applications currently using Oracle ADF Security and the OPSS SSO Framework

More Here

Courtesy:http://www.gdbsinc.com/blog/

Oracle Access Manager (11g OAM) Request Flow

2011-04-17T16:22:00.000-07:00

Oracle Access Manager Request Flow:

The user tries to access an application (resource) protected by Oracle Access Manager 11gR1 using his web browser.
The Oracle Access Manager agent intercepts the request and tries to ascertain if the user has an authenticated session. Since this is the user’s first access, the user is redirected to the Oracle Access Manager 11gR1 Access Server for authentication.
Access Server’s credential collector component displays a Login Form as defined in authentication scheme. The user submits his credentials to the Access Server.
OAM validates the user’s credentials against user directory and generates a security token. The user is redirected to the resource he tried to access in Step 1.

Oracle Access Manager Session revalidate request flow:

The Oracle Access Manager agent intercepts the request and extracts the security token (cookie).
The Oracle Access Manager agent then makes a back channel call to the Access Server (OAP over TCP) to validate the session and authorize the request.
Oracle Access Manager authenticates the user from the LDAP repository.
Access server verifies the user’s permissions against the configured policy for the web resource.
Access server responds to the WebGate request indicating that access is allowed.
The Oracle Access Manager agent allows the request to go through.
The user is now able to access the web resource he tried to access in Step 1.

Posted in 11g IDM | Leave a comment

Oracle Access Manager 11gR1 Architecture

Posted on March 25, 2011 by kyadav

Oracle Access Manager 11gR1 architecture:

User agents: These include web browsers, Java applications, and Web services applications. The user agents access the Access Server and the administration and configuration tools using HTTP.
Protected resources: A protected resource is an application or web page to which access is restricted. Access to protected resources is controlled by WebGates or Custom Agents.
Administration and configuration tools: Oracle Access Manager can be administered and configured by the Oracle Access Manager console, the Oracle Enterprise Manager Fusion Middleware Control and the Oracle Enterprise Manager Grid Control, and the WebLogic Scripting Tool (WLST).

More Here

Courtesy:http://www.gdbsinc.com/blog/

Starting/Stoping Oracle 11g Identity management stack

2011-04-17T16:19:00.000-07:00

Starting/Stoping Oracle 11g Identity management stack

Starting IDM Admin server:

MW_HOME/user_projects/domains/domain_name/startWebLogic.sh

Starting IDM wls_ods1 managed server:

MW_HOME/user_projects/domains/domain_name/startWebLogic.sh wls_ods1

Starting Oracle Internet Directory and Oracle Virtual Directory:

ORACLE_INSTANCE/bin/opmnctl startall

You can verify that the system components have started by:

ORACLE_INSTANCE/bin/opmnctl status -l

Starting IAM Admin server:

MW_HOME/user_projects/domains/domain_name/startWebLogic.sh

Starting OAM, SOA and OIM managed servers:

MW_HOME/user_projects/domains/domain_name/bin/startManagedWebLogic.sh oam_server1

MW_HOME/user_projects/domains/domain_name/bin/startManagedWebLogic.sh soa_server1

Always start SOA managed server, before OIM. Although both independent, but OIM needs some of SOA workflow functionality.

More Here

Courtesy:http://www.gdbsinc.com/blog/?p=46

How to migrate users from Ebusiness suite 11i/R12 to OID

2011-04-17T16:12:00.000-07:00

After Integrating the Existing E-business suite R12 Instance with Single Sign On(OID)
we will find that the existing users are NOT automatically migrated to the Oracle Internet Directory.

Later on depending upon the provisioning profile It will synchronize accordingly.(default setting is bi-directional).

step I.Use AppsUserExport to export apps user information from R12 E-Business Suite…

$java oracle.apps.fnd.oid.AppsUserExport -v -dbc $INST_TOP/appl/fnd/12.0.0/secure/VIS.dbc
-o usersr12.txt -pwd apps -g -l usersr12.log

Step II.Convert Intermediate LDIF file to Final LDIF File from OID Server…

Transfer the file usersr12.txt which we got from AppsUserExport to OID Server and
Execute the following command

$ldifmigrator “input_file=usersr12.txt” “output_file=usersr12.ldif”
“s_UserContainerDN=cn=users,dc=vectorconsulting,dc=co.uk”
“s_UserNicknameAttribute=uid”

Output

Migration of LDIF data completed.All entries are successfully migrated…

Step III.Loading Final LDIF File into Oracle Internet Directory..

a. disable the provisioning profile with oidprovtool..

$oidprovtool operation=disable ldap_host=sso.vectorconsulting.co.uk ldap_port=369
ldap_user_dn=cn=orcladmin ldap_user_password=welcome123 application_dn=”orclApplicationCommonName=VIS,
cn=EBusiness,cn=Products,cn=OracleContext,dc=vectorconsulting,dc=co.uk” profile_mode=BOTH

b. Stop OID Server using $ORACLE_HOME/opmn/bin/opmnctl stopall

c. Incase you used oidmon or oidctl then check using ldapcheck whether they are stopped..

d. Shutdown any other running OID processes manually by
oidctl connect=VIS server= instance=3 stop

and now grep the procesess and ensure that no OID processes are running..

e. Finally coming to the actual loading part.

we use bulkload for loading but before loading we should use the -check and -generate option
as follows to check duplicates and if duplicates are found in the logfile ,manually edit the LDIF file
and remove those user entries like follows

$bulkload connect=”IASDB” check=true generate=true file=”usersr12.ldif”

More Here

Courtesy:http://vivekrajendran.wordpress.com/2011/02/23/how-to-migrate-users-from-ebusiness-suite-11ir12-to-oid/

what is oidpasswd tool in oracle identity management and How to Use it.

2011-04-17T16:10:00.001-07:00

We have to use oidpasswd in many important situations in Oracle Identity Management or in Oracle Application Server.

It can be used
1.To reset ods internal user password (ODS is the internal user for Oracle Identity Management)
using
$oidpasswd
$enter old password : *******
$enter new password : *******
$confirm new password : *******
Output:- password is reset(for ODS).

2.To reset orcladmin(super user for Oracle Identity Management)without knowing the password of which we can not do anything in OIM.
$oidpasswd connect=connect_string reset_su_password=true
it will ask for the database sys password
and ask the new password for orcladmin
if you confirm the new password your “orcladmin” password is reset.
3.To unlock orcladmin password (if password is expired)
$oidpasswd connect=connect_string unlock_su_acct=true
enter the current password of orcladmin
and the “orcladmin” user is unlocked

More Here

Courtesy:http://vivekrajendran.wordpress.com/2011/02/23/what-is-oidpasswd-tool-in-oracle-identity-management-and-how-to-use-it/

Oracle Internet Directory Integration with Microsoft Active Directory

2011-04-17T16:09:00.000-07:00

Pre-requisites

1.Install Oracle Identity Management Suite 10.1.4.0.1-Choose Infrastructure and Metadata Repository option and choose components SSO,ODISRV,AND All the components except Certificate Authroity and HA).

2.Install Windows 2003 Server and Configure Microsoft Active Directory in that Server

3.Bring these Servers in the same network.

Step -I.
Login to the OID Server and invoke dipassistant(oracle directory integration and provisioning admin console) using the following options

$dipassistant -gui
login as dipadmin and password will be the same as of the orcladmin super user which you gave during the installation of OID.

In the dipadmin console from the left pane in System Objects choose Active Directory beneath the icon ConfigurationSet1 and In the right pane You will see the Express Configuration Wizard.

Enter the Active Directory Server information and in credentials enter the Superuser Account as administrator@ and in the connector name give any reasonable name and
if you press then the Import and export profile prepends the connector name and then
Click the check box Configure Access Control Policies if you want to enforce ACL.and then press OK to save this information which will start the actual integration.

On Successfull Integration dipadmin displays a success message which is given as below

Step II- Enable Bidirectional Synchronization in dipadmin for OID to AD
To achieve the bi-directional Synchronization — in dipadmin console choose the configured configset1 in the
left pane(system objects and in the right pane you will see the configured adImport and adExport(since i have given
the connector name as ad).choose those connector profile and edit and Enable those profiles for both export and Import.
If You enable both ,then synchronization of Users is bi-directional(both ways)(i.e from OID to AD and from AD to OID).
you can also note that bootstrap status(which has not started yet). I have given the screenshots below for editing
the connector profiles.

Enable AD Import connector Profile

Enable AD Export connector Profile

Step-III.
The initial migration of Users from Microsoft Active Directory to Oracle Internet Directory is called “bootstrap” process.
to do the bootstrap we need to execute the command as shown below..

Migrating initial Users from AD to OID

Confirm the bootstrap is successfull by choosing the adImport profile (connector) in the configset1(in the right pane and doing an edit and check the status) which will show you that bootstrap is successfull which i have shown below.

Check the bootstrap(migration of users from AD to OID) is successfull

Step IV:-
Now the initial Import of Users from AD to OID is complete.To start the synchronization of Users that are created both in AD and OID we need to start the odiserver(odisrv) with the configuration set 1(the one we have configured with dipadmin) we have use the following command

start the odisrv using configset1 to facilitate synchronization of Users bothways

You can also verify that synchronization has started by editing the profiles and checking the status or by checking odisrvlogs in $ORACLE_HOME/ldap/logs ,you can also find the trc and aud files for these connectors in $ORACLE_HOME/ldap/odi/logs.

Step 5:-
The final step in the configuration process is to deploy the Active Directory External Authentication Plug-in,
which validates user-supplied passwords with AD during a user login sequence.
The following steps involve execution of a Unix shell script.
$ cd $ORACLE_HOME/ldap/admin
$ sh oidspadi.sh
A series of messages and prompts will be displayed as the script executes. Sample prompt responses:
Please enter Active Directory host name: ad.vectorconsulting.co.uk
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string: iasdb
Please enter ODS password: oracleadmin1
Please enter confirmed ODS password: admin01
Please enter OID host name: sso.vectorconsulting.co.uk
Please enter OID port number [389]: 13061
Please enter orcladmin password: oracleadmin01
Please enter confirmed orcladmin password: oracleadmin01
Please enter the subscriber common user search base [orclcommonusersearchbase]: cn=Users,dc=vectorconsulting,dc=co,dc=uk
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]:
Do you want to setup the backup Active Directory for failover? (y/n) n

Return to the Oracle Directory Manager console upon successful completion
of the plug-in deployment process and navigate to the click the Plug-In Management fork.
Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.
Testing
At this point, OID has been populated with an initial set of users and groups via bootstrap migration from Active directory,
and the Oracle Directory Integration and Provisioning tool has been configured such that it will use the Active Directory
Connector to keep this information synchronized. The Oracle Directory Server has been directed to authenticate users
migrated from Active Directory using the Oracle-supplied Active Directory External Authentication
Plug-in. It should now be possible to log in to Oracle SSO or any integrated applications like E-Business Suite using
one of the migrated Active Directory users with its corresponding password.

Note: The username must be of the form name@

Step VI:- open the Oracle Directory Manager and verify that Users are Imported from Active Directory by navigating
to defaut domain and cn=Users and find the users of Active Directory which i have shown below.

Verify Active Directory Users are imported in OID

More Here

Courtesy:http://vivekrajendran.wordpress.com/2011/02/23/oracle-internet-directory-integration-with-microsoft-active-directory/

What is OVF?

2011-04-16T13:14:00.000-07:00

With the rapid adoption of virtualization, there is a great need for a standard way to package and distribute virtual machines. VMware and other leaders in the virtualization field have created the Open Virtualization Format (OVF), a platform independent, efficient, extensible, and open packaging and distribution format for virtual machines.
OVF enables efficient, flexible, and secure distribution of enterprise software, facilitating the mobility of virtual machines and giving customers vendor and platform independence. Customers can deploy an OVF formatted virtual machine on the virtualization platform of their choice.
With OVF, customers’ experience with virtualization is greatly enhanced, with more portability, platform independence, verification, signing, versioning, and licensing terms. OVF lets you:

Improve your user experience with streamlined installations
Offer customers virtualization platform independence and flexiblity
Create complex pre-configured multi-tiered services more easily
Efficiently deliver enterprise software through portable virtual machines
Offer platform-specific enhancements and easier adoption of advances in virtualization through extensibility

The portability and interoperability inherent in OVF will enable the growth of the virtual appliance market as well as virtualization as a whole.

Package and Distribute OVF-Formatted Virtual Machines

The Open Virtualization Format (OVF) describes an open, secure, portable, efficient, and flexible format for the packaging and distribution of one or more virtual machines. Key features and benefits of OVF:
Enables optimized distribution- OVF enables the portability and distribution of virtual appliances. In addition to support for compression for more efficient package transfers, OVF supports industry standard content verification and integrity checking, and provides a basic scheme for the management of software licensing.

More Here

Courtesy:http://www.vmware.com/appliances/getting-started/learn/ovf.html

How to find Apache Version in Oracle Application Server

2011-04-11T21:17:00.000-07:00

Oracle HTTP Server is developed using Apache server as base. So if you have Oracle Application Server installed in your environment and if you want to know the in built Apache version then you can use either of the approaches.

1. Goto $ORACLE_HOME/Apache/Apache/bin and execute ./httpd -v or ./httpd -version.

In most of the environments you may not be succesful with the above command then you can use 2nd approach as given below.

2. UNIX:

$ORACLE_BASE/oraInventory/Components/oracle.apache.apache/

$ORACLE_HOME/inventory/Components/oracle.apache.apache/

WINDOWS:

INST_LOC\Components\oracle.apache.apache\

INST_LOC is a regitry entry, which was used by the Installation:

HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\inst_loc

More Here

Courtesy:http://talkidentity.blogspot.com/2011/01/how-to-find-apache-version-in-oracle.html

Enabling SSO for WebCenter 11g using Oracle Access Manager (OAM)

2011-04-11T20:42:00.000-07:00

Configuring Single sign-on (SSO) between WebCenter components and/or other partner applications is an important part of WebCenter setup. OAM configuration with a WebCenter application is covered in detail in the WebCenter Admin Guide on OTN. Other solutions that can leveraged for SSO are SAML (“built-in” solution in WebLogic Server), Oracle SSO (OSSO), Windows Native Auth (WNA), etc. Each one has different setup requirements but the following few common “concepts” and functional points exist across the board.

Policy Decision Point (PDP): Point that evaluates and makes (authorization) decisions

Policy Enforcement Point (PEP): Point which intercepts a request and channels it to the PDP

Policy Administration Point (PAP): Points which help manage and administer policies

Identity Assertion Provider (IAP): A type of Authenticator that allows users or processes to assert their identity based on tokens (specific to the SSO solution)

The figure below shows where these functional points are. If you note, the Webgate, an out-of-the-box plugin that intercepts HTTP requests and forwards them to the Access Manager is the PEP and the Access Server the PDP. It also shows the sequence of the events in Single sign-on process.

More Here

Courtesy:http://mdevgan.wordpress.com/2011/01/09/enabling-sso-for-webcenter-11g-using-oracle-access-manager-oam/

Using Apache to simulate an SSL Load balancer

2011-04-11T16:54:00.000-07:00

The numbers indicate the TCP port used on the server side. All of the red lines are HTTP. The green line (from OHS to the OAM Server) is the OAM NAP protocol.

1. SSLProxyEngine on

2.
3. Order deny,allow
4. Allow from all
5.

7. RewriteEngine on

8. ProxyPreserveHost on

10. NameVirtualHost *:443

11.

12.
13. ServerName login.oracledemo.com
14.
15. SSLEngine on
16. SSLProtocol all -SSLv2
17. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
18. SSLCertificateFile /home/oracle/simpleCA/login.oracledemo.com.crt
19. SSLCertificateKeyFile /home/oracle/simpleCA/login.oracledemo.com.key
20.
21. ProxyPass / http://localhost:14100/
22. ProxyPassReverse / http://localhost:14100/
23.

24.

25.
26. ServerName idm11g.oracledemo.com
27.
28. SSLEngine on
29. SSLProtocol all -SSLv2
30. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
31. SSLCertificateFile /home/oracle/simpleCA/idm11g.oracledemo.com.crt
32. SSLCertificateKeyFile /home/oracle/simpleCA/idm11g.oracledemo.com.key
33.
34. RequestHeader set IS_SSL ssl
35.
36. ProxyPass / http://localhost:7777/
37. ProxyPassReverse / http://localhost:7777/
38.

SSLProxyEngine on

Order deny,allow
Allow from all

RewriteEngine on

ProxyPreserveHost on

NameVirtualHost *:443

ServerName login.oracledemo.com

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /home/oracle/simpleCA/login.oracledemo.com.crt
SSLCertificateKeyFile /home/oracle/simpleCA/login.oracledemo.com.key

ProxyPass / http://localhost:14100/
ProxyPassReverse / http://localhost:14100/

ServerName idm11g.oracledemo.com

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /home/oracle/simpleCA/idm11g.oracledemo.com.crt
SSLCertificateKeyFile /home/oracle/simpleCA/idm11g.oracledemo.com.key

RequestHeader set IS_SSL ssl

ProxyPass / http://localhost:7777/
ProxyPassReverse / http://localhost:7777/

There are a couple of interesting bits in that configuration...

First is that when you use mod_proxy Apache will use the host name in the URL specified in ProxyPass when it talks to the back end server. In this case that means that the OHS server would see a request with a host header that said "localhost:7777". Which can confuse the application and isn't at all what a conventional load balancer would do. Adding "ProxyPreserveHost on" to the configuration makes mod_proxy use the same name when it talks to the backend server (again OHS in my case) as the browser sent in the original request.

More Here

Courtesy:http://fusionsecurity.blogspot.com/2011/04/using-apache-to-simulate-ssl-load.html

OAM 11g session management

2011-04-11T16:52:00.000-07:00

In OAM 10g and other products in the WAM space there is no actual tracking of a user's session. Usually in those products when a user logs in they are issued an encrypted cookie that tracks the login time, authentication level, the idle and maximum session times and a few other bits of information. If a user had such a cookie they were logged in, if they didn't they weren't. This sort of architecture was designed in a time when building massively scalable session tracking mechanisms wasn't really possible; in other words there was no way to build a million concurrent user SSO scheme deployed worldwide if you had to keep track of every active user session in a database or LDAP directory.
Times have changed.
OAM 11g takes advantage of a cool technology called Oracle Coherence. I'd tell you what Coherence does, but they do a pretty good job right there:

Coherence provides replicated and distributed (partitioned) data management and caching services on top of a reliable, highly scalable peer-to-peer clustering protocol. Coherence has no single points of failure; it automatically and transparently fails over and redistributes its clustered data management services when a server becomes inoperative or is disconnected from the network. When a new server is added, or when a failed server is restarted, it automatically joins the cluster and Coherence fails back services to it, transparently redistributing the cluster load. Coherence includes network-level fault tolerance features and transparent soft re-start capability to enable servers to self-heal

.

By plugging Coherence into the OAM architecture Oracle added the ability of the OAM Server to track all active users sessions without needing to go back to a massive central store (for example a database) and without needing to worry about building a replication strategy. Coherence hides all of that complexity and solves what is still a massive problem for some of our competitors. In the sequence diagram in my previous post I only drew the lines for HTTP traffic. I left out a bunch of stuff like the OAP communication from WebGate to OAM Server and the fact that the OAM Server will check that the session is active and legal before granting access. The more accurate, but still simplified, OAM architecture diagram looks more like this:

Each time the OAM WebGate talks to the OAM Server to ask "is the user authorized to see this resource?" the OAM Server checks the Coherence cache and will say "NO!" if the session has been deleted.
So if you want to terminate an user's session you can!

More Here

Courtesy:http://fusionsecurity.blogspot.com/2011/04/oam-11g-session-management.html

OAM 11g Single Sign-On and OAM 11g Cookies

2011-04-11T16:51:00.000-07:00

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Plus if you're already familiar with OSSO or OAM 10g you probably already know what their cookies look like. So for the purposes of this post I'm only going talk about OAM 11g Server and the 11g WebGate cookies when you do an "HTML form" style login.
Basically if you want the contents Eric's post in pretty pictures and simplified down to include only the 11g cookies then this post is for you!
Here's a very simple diagram of the communication between the user, one OAM Server, one WebGate and one Application:

Note: In this diagram I've separated out the WebGate and the Application, though in reality the WebGate is plugged into the OHS Server and the app could be something as simple as a .CGI running in the same server. I've also shown the user talking directly to the OAM Server; in the real world this interaction would likely be through an OHS server with mod_wl installed.

More Here

Courtesy:http://fusionsecurity.blogspot.com/2011/04/oam-11g-single-sign-on-and-oam-11g.html

Oracle Internet Directory (OID) and Weblogic installation on Linux

2011-04-10T10:19:00.000-07:00

Installation manual:

http://download.oracle.com/docs/cd/E17904_01/install.1111/e12002/instps2001.htm

Basic steps:
1. Install Oracle
2. Install OID (and FMW control and ODSM)
Oracle installation is quite trivial, so let’s focus on the OID installation.
- Just remember to use the AL32UTF8 character set on the database!
You need to download:
- Oracle WebLogic Server 10.3.4.
- Oracle Identity Management 11.1.1.2.0 & 11.1.1.3.0

Actual installation:
1. Install WLS 10.3.4
- Run the installation .bin
* In 64 bit environments use: JAVA_HOME/bin/java -jar wls1034_generic.jar
* You need JDK 1.6 or later
- Create a new FMW home
- Register for security updates..
- Typical or Custom
- Change or accept the installation directories (df -h …)
- Summary => Next
- Installation…
2. Install OID 11.1.1.2.0
- unzip ../ofm_idm_linux_11.1.1.2.0_32_disk1_1of1.zip …
- ./runInstaller
- Install Software – DO NOT CONFIGURE!
- Use SAME MIDDLEWARE HOME as WLS above!
- Oracle Home Directory: This will be the directory name under Middleware Home
- Installation …
- Run root script: /middleware_home_directory/oracle_home_dir/oracleRoot.sh
- Save Summary.
3. Install OID 11.1.1.3.0 Patch Set
- unzip ../ofm_idm_linux_11.1.1.3.0_32_disk1_1of1.zip …
- ./runInstaller
- Install Software
- Use same homes !
- Next, next
- Root script
- Save Summary
OID Configuration with FMW Control and ODSM:
1. Configuration
/middleware_home_directory/oracle_home_dir/bin/config.sh
- Installer starts
- Create new domain
=> FMW Control is being configured to manage OID here
* User Name: WLS Admin user details
* Domain name
- Installation location
* Weblogic Server Directory
* Oracle Instance location, new “ASInstance” (Not actual Oracle Instance)
* Oracle Instance Name, new “ASInstance” (Not actual Oracle Instance)
- De-select others than Oracle Internet Directory
=> We will configure only that
- Auto configuration ports normally OK, you can select them if you want
- Create Schema
* Create ODS Database Schema
* Connect string, for example: myserver:1521:orcl
* SYS
* Sys_password
- OID Passwords
* ODS Schema password & confirm (all directory content)
* ODSSM Schema password & confirm (OID statistics and DIP schema)
- OID information
* Realm, for example: dc=us,dc=oracle,dc=com
* Admin user: orcladmin
* Admin password: …
- Install
- Save Summary
* Note: Weblogic Console ie: http://myhost.us.oracle.com:7001/console
Verify installation:
- …home/bin/opmnctl status -l
- Alive:
* OVD
* oidldapd
* oidldapd
* oidmon => LDAP port, LDAPS port
* EMAGENT
- ldapsearch -p LDAP_port -b “” -s base “objectclass=*” orcldirectoryversion
=> orcldirectoryversion=OID 11.1.1.3.0
Open Enterprise Manager Fusion Middleware Control 11g
* For example: http://myhost.us.oracle.com:7001/em
- Find oid1 in FMW Control
- Verify version number in FMW Control
Open Oracle Directory Services Manager
* For example: http://myhost.us.oracle.com:7005/odsm
- Connect to a directory
* OID – directory name
* User Name: cn=orcladmin
* password
- Verify OID version
After you’re done installing and configuring the OID itself, you can proceed to netca to configure the destination databases “tnsnames.ora”.
That will update sqlnet.ora and ldap.ora
Examples
LDAP.ORA:
DEFAULT_ADMIN_CONTEXT = “ou=ora,dc=company,dc=com”
DIRECTORY_SERVERS = (ldap1.company.com:389, ldap2.company.com:389)
DIRECTORY_SERVER_TYPE = OID
Oracle can “officially” only use OID or AD as LDAP servers.
The type can be OID or AD. The multiple servers are for redundancy; it will not try each one in turn. Then in SQLNET.ORA:
NAMES.DIRECTORY_PATH=(LDAP, TNSNAMES)
The means try LDAP first, then try TNSNAMES.ORA, then give up.
If you want to use a third-party LDAP server, Oracle has a product called Virtual Directory that will act as a proxy between them.

More Here

Courtesy:http://www.database.fi/2011/03/oracle-internet-directory-oid-and-weblogic-installation-on-linux/

Validating Authentication and Authorization in an Oracle Access Manager Application Domain

2011-04-09T20:41:00.000-07:00

This tutorial elucidates the steps involve in several methods for confirming that Agent registration
and authentication and authorization policies are operational. The procedures are
nearly identical for both OAM Agents and OSSO Agents (mod_osso). However, OSSO
Agents use only the authentication policy and not the authorization policy.

Prerequisites

Users and groups who are granted access must exist in the primary LDAP User Identity Store that is registered with OAM 11g
Agents must be registered to operate with OAM 11g. After registration, protected resources should be accessible with proper authentication without restarting the Administration or Managed Server.
Application domain, authentication policies, and authorization policies must be configured.

To verify authentication and access

Using a Web browser, enter the URL for an application protected by the registered Agent to confirm that the login page appears (proving that the authentication redirect URL was specified appropriately). For example: http://myWebserverHost.us.abc.com:8100/resource1.html
Confirm that you are redirected to the login page.
On the Sign In page, enter a valid username and password when asked, and click Sign In.
Confirm that you are redirected to the resource and proceed as follows:

More Here

Courtesy:http://oraclesoaandoim.blogspot.com/2011/02/validating-authentication-and.html

How SSO works in OAM 11g

2011-04-09T20:38:00.000-07:00

Here at Oracle, the access management PM team gets asked a lot of questions about how Oracle Access Manager 11g works, especially about the overall SSO model, what cookies are created and what they do, and processing flows between components, and how specific component interactions work to achieve authentication and SSO. In this post, we will explore the OAM 11g SSO model. It’s quite a bit different from the OAM 10g model, especially since we now support things like server side credential collection, server-based session management, and application scoped sessions.

Before we get started, it’s worth noting that OAM 11g supports the use of both OAM 10g and 11g Webgates as well as mod_osso plug-ins for Oracle HTTP Server (OHS). We support this through what we call the Protocol Compatibility Framework, which lets the OAM server communicate with and interpret protocol messages from the webtier agents mentioned above. This is an extensible framework so has the potential to support other clients or agents in the future.

OAM 11g uses a combination of host cookies or domain cookies (depending on the version of Webgate you use), a server cookie, and an in-memory session store (based on Oracle Coherence technology) to maintain and correlate user session information.
Since OAM 11g supports different Webgate versions and mod_osso, you will see different cookies depending on the version of Webgate being used, you will either see the ObSSOCookie (for 10g) or OAMAuthnCookie_host:port (for 11g).
However in both cases, the contents of the cookies are:

Authenticated User Identity (User DN)
Authentication Level
IP Address
SessionID (Reference to Server side session – OAM11g Only)
Session Validity (Start Time, Refresh Time)
Session InActivity Timeouts (Global Inactivity, Max Inactivity)
Validation Hash

These cookies are updated periodically using an algorithm of 1/4 of idle session timeout. There are two main differences between the 10g and 11g cookies:

The 10g ObSSOCookie is domain scoped and cookie encryption uses a shared key for all 10g Webgates.
The 11g OAMAuthnCookie is hosted scoped and different host cookies may be issued for each resource accessed that is protected by a different 11g Webgate. Cookie encryption for each 11g Webgate is unique to that Webgate.

The values of the cookies will change over the life of a user's session, however you'll notice that the Session ID that is present is a reference to the server side session object, which remains the same across the life of a session.
In the typical deployment topology, you’ll have one or more Webgates deployed on web servers in the Web Tier, a variety of components deployed in the App Tier including an OAM admin server running on the Weblogic domain’s admin server, one or more OAM runtime servers deployed on Weblogic managed servers, a database to support the OAM policies, an LDAP directory against which you will authenticate users, an optional auditing database, and an optional BI Publisher instance for reporting.
Using an OAM 11g Webgate in the flow, let’s recap how this works:

1) An OAM 11g Webgate intercepts the incoming request for a resource, determines whether the resource is protected, and – if it is – the OAM 11g server constructs and returns a response back to the Webgate. That response contains the authentication scheme required to authenticate the user.

2) Next the Webgate sets a cookie (called OAM_REQ) to keep track of the target/requested URL and then redirects to the OAM 11g server, which routes the request to the credential collector. The credential collector serves up the login page, which captures credentials and posts the credentials to the OAM server. The credentials are validated against the ID store configured for this particular authentication scheme. Once the credentials are validated, the OAM server creates an authentication token, the session in Coherence, and creates a server side session cookie called the OAM_ID cookie, which has details about the user, the time the session was created, the idle timeout, and session identifier to the coherence session.

More Here

Courtesy:http://oracleaccessmanagement.blogspot.com/2011/03/here-at-oracle-access-management-pm.html

Webcast, April 12: Automating User Provisioning, A User’s Perspective

2011-04-09T20:33:00.001-07:00

User provisioning solutions offer tangible, often quantifiable, benefits. A Forrester Study* based on data from 4 customers concluded an ROI of over 200% and net cost savings of over $8M over 3 years post implementation of Oracle Identity Manager, Oracle’s user provisioning solution. Additional benefits seen were around improved security and a tremendous boost in user productivity.

Join this FREE webcast to find out how Educational Testing Service (ETS), a private nonprofit organization devoted to educational measurement and research, is leveraging Oracle Identity Manager to meet its user administration needs. Hear first-hand from your peer how you can improve security and user productivity in your organization while reducing IT administration, helpdesk and other overhead costs at the same time.

More Here

Courtesy:http://identigov.wordpress.com/2011/04/07/webcast-april-12-automating-user-provisioning-a-users-perspective/

Using SiteMinder authentication in Sharepoint

2011-04-09T20:19:00.000-07:00

Introduction
Many enterprise IT environments use Netegrity SiteMinder (hereafter called SiteMinder) to secure Web applications and servers. When customers decide to move to MS SharePoint 2007 (MOSS), they want to continue to use SiteMinder for their existing Web environment, and also as the authentication mechanism for their portal.
This article is an example of the implementation of the solution that allows using the SiteMinder authentication with WSS 3.0.

The key technical points of the solution:
1. SiteMinder authentication.
2. FBA (Form Based Authentications) for SharePoint applications.
3. Custom login form.
4. Custom membership and role providers.

SiteMinder authentication

The SiteMinder authentication is used for single sign on (SSO) functionality. Once SiteMinder authenticates a user it adds a special HTTP header with the user name to each HTTP request. SiteMinder can also create an authentication cookie that can be used if you want client software integration, for example, if you want to modify a document from a document library, using MS Word.
Since the SiteMinder authenticates users, the SharePoint authentication can be, and should be bypassed, we trust that the user is already authenticated and her name is contained in the HTTP header. The custom login form pulls the UserID from the HTTP header, creates the authentication token and redirects the request to the destination page. The trick is to make the SharePoint framework to authorize (or deny) the authenticated user correctly. To resolve users and role names the SharePoint framework has to use custom membership and role providers.
FBA (Form Based Authentications) and custom login form.
Since we are going to use the custom authentication mechanism (not Windows authentication) we have to use the Form Based Authentication. Our form shouldn’t have any UI, and user shouldn’t even be aware that the form is called.
The FBA has to be set up on the SharePoint Central Administration website. After opening the site go to: Application management->application security->authentication providers
At this point make sure that you are changing the right SharePoint application, the application URL is displayed at the upper-right corner of the page.
When you see the authentication type for your application (it’s windows by default) click “Default” and you will be navigated to the “Edit authentication” page.
On this page you can set up the Form Based authentication and the membership and role providers.
If you want to be able to edit documents from document libraries using MS Office software, don’t forget to click the “client software integration” radio-button
After you set up the FBA authentication for a SharePoint application, the central administration web site changes the web.config file of the SharePoint application. It sets up the authentication to “Forms” and loginURL to _layouts\logon.aspx. In the modified web.config file of the SharePoint application you will see something like this:

More Here

Courtesy:http://mosssiteminderauthentication.blogspot.com/

Human Behavior = Biggest Security Risk

2011-04-09T20:17:00.000-07:00

Two quick examples (both considered 'spear phishing' or targeted phishing attacks) from today's headlines:

1. The perpetrators of the RSA data breach which may have compromised the security of RSA's premium two-factor authentication solution, as it turns out, got help from RSA employees when they opened an email attachment. An Excel spreadsheet containing an Adobe Flash exploit opened the doors to RSA's network.

2. Conde Nast recently paid $8 Million to a fake company in response to a single believeable email that
asked them politely to update their payee information on one of their vendors.

Both of these examples make the clear, simple point that it doesn't really matter how much technology you put between an attacker and your business assets. If an employee opens the door, they can walk right in. We're either going to get extreme in terms of limiting behavioral options (disallow all email attachments?) or we need to do much better in employee training.

More Here

Courtesy:http://360tek.blogspot.com/

An Entitlement-Centric Approach to Security

2011-04-09T20:16:00.000-07:00

Superb explanation from Nishant Kaushik

http://www.slideshare.net/NishantKaushik/an-entitlementcentric-approach-to-security

Cloud Identity Management: CSC and Symplified Partner Up

2011-04-09T20:13:00.000-07:00

Access and identity management remains one of the hottest topics in cloud computing, as developers, vendors, and service providers alike race to find answers to the lingering questions around the SaaS model. Enter Government- and large enterprise-focused systems integrator Computer Sciences Corp., which has partnered with security specialist Symplified for CSC CloudIAM, a solution to extend existing customer credential stores to the cloud.
Here are the major benefits of the Symplified-powered CloudIAM identity and access management (or “IAM,” get it?) solution in convenient bullet-point form, taken directly from CSC’s press release:

Providing [a single sign-on (SSO)] experience to employees that maintains control over user credentials.
Controlling access to applications based on individual employee functions.
Providing automated on-boarding and off-boarding to improve efficiency and eliminate security holes when employees are hired and depart the company.
The ability to quickly and efficiently respond to requests for detailed access logs for SaaS applications to meet compliance auditing requirements.

This product is a potential fit for CSC’s customer base, especially cosnidering all the chatter around security in the cloud.

More Here

Courtesy:http://www.talkincloud.com/cloud-identity-management-csc-and-symplified-partner-up/

SailPoint Offers Identity Management for Cloud Adoption

2011-04-09T20:12:00.000-07:00

While many companies are deploying software as a service (SaaS ) applications and have selectively deployed enterprise applications in private clouds, very few have moved mission-critical applications to the public cloud . In fact, a recent SailPoint survey of Global 1000 showed that only 7% of respondents have moved compliance-relevant applications to the public cloud; security and compliance issues were the primary inhibitors to cloud adoption.

SailPoint is helping companies address these compliance and security barriers with a new solution, the Cloud Identity Bridge, which seamlessly extends the identity management capabilities of SailPoint IdentityIQ to all applications deployed in cloud environments. With Cloud Identity Bridge, SailPoint is removing key roadblocks to cloud adoption by enabling organizations to manage identities and access privileges in the cloud in the same manner that they govern them for applications in the datacenter.

While many companies are deploying software as a service (SaaS) applications and have selectively deployed enterprise applications in private clouds, very few have moved mission-critical applications to the public cloud. In fact, a recent SailPoint survey of Global 1000 showed that only 7% of respondents have moved compliance-relevant applications to the public cloud; security and compliance issues were the primary inhibitors to cloud adoption.

"Organizations face too many unknowns related to compliance and security in cloud environments to consider moving mission-critical IT assets there," said Darran Rolls, CTO of SailPoint. "Yet, many business units are already deploying SaaS applications without engaging the IT organization, creating major gaps in the visibility and control over potentially sensitive data. In order to safely adopt cloud computing, companies need to govern identity and access data deployed in the cloud in the same manner that they govern applications in the datacenter."

More Here

Courtesy:http://www.enterprise-security-today.com/story.xhtml?story_id=01300000LPMI

IDM made easy

2011-04-09T20:09:00.000-07:00

Previously, the price tag of Identity Management systems confined it to businesses with deep pockets. In addition, the complexity of the software required a strong understanding of security.
OpenIAM provides full featured, simplified and affordable IDM at a fraction of the cost of other vendors. This is intuitive software that makes sense, is available to everyone, and can be used by anyone. View our webdemo here.

More Here

Courtesy:http://openiam.org/

What is OpenIAM?

2011-04-09T20:04:00.000-07:00

As the number of users in your organization grows so does the potential for security risks, such as Identity Theft. In addition, lost/forgotten passwords are accompanied by costly and time consuming calls to the help desk.
OpenIAM is an Open Source Identity and Access Management system that lets you keep your organization secure by effortlessly controlling users’ access to sensitive materials, and automates otherwise tedious tasks through Single Sign On and Self Service. For more details on how OpenIAM improves the user experience, click here.

More Here

Courtesy: http://openiam.org/

Salesforce.com Single Sign On using ADFS v2

2011-02-16T08:53:00.000-08:00

This is the universal identity problem – too many user accounts for the same person. As such, one of my internal goals here is to simplify identity at ObjectSharp.
While working on another internal project with Salesforce i got to thinking about how it manages users. It turns out Salesforce allows you to set it up as a SAML relying party. ADFS v2 supports being a SAML IdP. Theoretically we have both sides of the puzzle, but how does it work?
Well, first things first. I checked out the security section of the configuration portal:

There was a Single Sign-On section, so I followed that and was given a pretty simple screen:

There isn’t much here to setup. Going down the options, here is what I came up with:
SAML Version
I know from previous experience that ADFS supports version 2 of the SAML Protocol.

Issuer
What is the URI of the IdP, which in this case is going to be ADFS? Within the ADFS MMC snap-in, if you right click the Service node you can access the properties:

In the properties dialog there is a textbox allowing you to change the Federation Service Identifier:

We want that URI.
Within Salesforce we set the Issuer to the identifier URI.
Identity Provider Certificate
Salesforce can’t just go and accept any token. It needs to only be able to accept a token from my organization. Therefore I upload the public key used to sign my tokens from ADFS. You can access that token by going to ADFS and selecting the Certificates node:

Once in there you can select the signing certificate:

Just export the certificate and upload to Salesforce.
Custom Error URL
If the login fails for some reason, what URL should it go to? If you leave it blank, it redirects to a generic Salesforce error page.
SAML User ID Type
This option is asking what information we are giving to Salesforce, so it can correlate that information to one of their internal ID’s. Since for this demo I was just using my email address, I will leave it with Assertion contains User’s salesforce.com username.
SAML User ID Location
This option is asking where the above ID is located within the SAML token. By default it will accept the nameidentifier but I don’t really want to pass my email as a name so I will select user ID is in an Attribute element.
Now I have to specify what claim type the email address is. In this case I will go with the default for ADFS, which is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
On to Active Directory Federation Services
We are about half way done. Now we just need to tell ADFS about Salesforce. It’s surprisingly simple.
Once you’ve saved the Salesforce settings, you are given a button to download the metadata:

Selecting that will let you download an XML document containing metadata about Salesforce as a relying party.
Telling ADFS about a relying party is pretty straightforward, and you can find the detailed steps in a previous post I wrote about halfway through the article.
Once you’ve added the relying party, all you need to do is create a rule that returns the user’s email address as the above claim type:

More Here

Courtesy:http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/02/14/salesforce-com-single-sign-on-using-adfs-v2.aspx

Using Simple Web Token (SWT) with WIF

2011-02-16T08:48:00.001-08:00

SAML 1.1/SAML 2.0 is the default token format when using ACS as the authentication service for your website. In this model, your website talks to ACS using WS-Federation protocol and what it normally gets back is a Saml token. This scenarios is fairly straight-forward as WIF natively supports WS-Federation protocol & SAML1.1/SAML 2.0 token formats.
There are cases where you might want to return a Simple Web Tokens (SWT) after a successful authentication. For example, you might want to use this same SWT (available as a bootstrap token) to call other downstream REST/OData services as depicted in the following diagram.

ACS fully supports returning an SWT token after a successfully WS-Fed authentication but WIF currently doesn’t support SWT tokens. You would have to write a custom Security Token Handler for WIF to process SWT tokens coming back to your website. I have created some extensions which enables this and other OAuth WRAP related scenarios. Feel free to download the code from my SkyDrive.

More Here

Courtesy:http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/

Access Control Service Architectural Model

2011-02-16T08:46:00.000-08:00

The Access Control Service is an easily configurable, cloud-based Security Token Service (STS) that supports the authentication of user name/password, Windows CardSpace, certificate, and third-party STS-issued SAML tokens and provides an authorization framework that uses flexible, claims-based rules. The Access Control Service uses the same basic architectural model for Web applications, Web services, and smart clients. In the basic scenario, there are three participants:

The Access Control Service STS.

An application that trusts the virtual Access Control Service STS (Relying Party).

The application that uses the Relying Party (Requester).

These participants interact with one another in the following manner, discussed in more detail in this section:

A trust relationship is established between the relying party and the Access Control Service STS. The owner of the relying party provides the Access Control Service STS with its certificate. This certificate is used by the Access Control Service STS to encrypt tokens that the relying party will accept.

Before the requester can use the relying party, the owner of the relying party application defines access control rules in the STS. These rules logically grant the requester access to the relying party.

The requester sends a WS-Trust 1.3-compliant Request for Security Token (RST) to the Access Control STS.

The Access Control STS receives the RST, and uses the input claims in the RST to initiate processing of the Access Control rules defined in that STS.

After Access Control rule processing, the Access Control STS packages the output into a SAML security token, signs the token, encrypts that token with the certificate provided in step 1, and sends the token back to the Requestor.

More Here

Courtesy:http://asher2003.wordpress.com/2011/02/14/accesscontrolservice-architectural-model/

WPS 7 – install an ifix silently with IBM Installation Manager

2011-01-31T13:04:00.000-08:00

From WebSphere 7, IBM recommend to install all fixes with IBM Installation Manager for WebSphere. However, IBM, for now, still keeps UpdateInstaller for installing the ifixes for WAS7. Although UpdateInstaller can install ifixes for WPS7 through specifing the pak file location, you will not see the installed ifixes in IBM Installation Manager, which is not easy to managment the ifixes.

so I recommend to install WPS7 ifixes (JRXXXXX) using IBM Installation Manager. But, it is slower if you use Installation Manager UI which was installed UNIX platform (must using Xterm) to install an ifix.

Here is the way to install and ifix silently for WPS 7

(1) copy WPS7 ifix to the temp directory, and unzip it. In general, an ifix for WPS7 is a ZIP format file. for example, 7.0.0.3-WS-WBI-MultiOS-IFJR38536.zip

(2) go to the directory /IBM/InstallationManager/eclipse

(3) create a installation response xml file, for example, JR38536_repsonsefile.xml, the content should be like this and change the necessary fields. see the bold type character

More Here

Courtesy:http://webspherecloud.wordpress.com/2011/01/31/wps-7-install-an-ifix-silently-with-ibm-installation-manager/

Windows Domain to Amazon EC2 Single Sign-On Access Solutions

2011-01-25T17:10:00.000-08:00

David Chappell, the Principal of Chappell & Associates, US, has writtena whitepaper proposing several solutions for Single Sign-on (SSO) accessto applications deployed on Amazon EC2 from a Windows domain. InfoQexplored these solutions to understand what the benefits and tradeoffseach one presented.

The paper is: "Connecting to the Cloud: Providing Single Sign-On toAmazon EC2 Applications from an On-Premises Windows Domain." Excerpt:"Users hate having multiple passwords. Help desks hate multiple passwordstoo, since users forget them. Even IT operations people hate them,because managing and synchronizing multiple passwords is expensive andproblematic. Providing single sign-on (SSO) lets users log in just once,then access many applications without needing to enter more passwords.It can also make organizations more secure by reducing the number ofpasswords that must be maintained. And for vendors of Software as aService (SaaS), SSO can make their applications more attractive by lettingusers access them with less effort...

With the emergence of cloud platforms, new SSO challenges have appeared.For example, Amazon Web Services (AWS) provides the Amazon ElasticCompute Cloud (Amazon EC2). This technology lets a customer create AmazonMachine Images (AMIs) containing an operating system, applications, andmore. The customer can then launch instances of those AMIs (virtualmachines) to run applications on the Amazon cloud. Similarly, Microsoftprovides Windows Azure, which lets customers run Windows applications onMicrosoft's cloud. When an application running on a cloud platform needsto be accessed by a user in an on-premises Windows domain, giving thatuser single sign-on makes sense. Fortunately, there are several waysto do this..."

More Here

Courtesy:http://realworldxml.blogspot.com/2010/01/windows-domain-to-amazon-ec2-single.html

The Arrival of HTML 5: Lots of New Features

2011-01-25T16:49:00.000-08:00

"HTML (Hyper Text Markup Language) is one of the underpinnings
technologies of the modern web with the lion's share of web users'
Internet activities founded on it. HTML now stands on the brink of
the next change -- the coming of HTML 5. At present, the Internet
already contains a handful of HTML 5 specification outlines which
partially cover HTML 5 features and conceptions. In this article, we
review the current state of HTML and describe the most significant
HTML 5 innovations.

Offline Potential: Some time ago, a new specification for client-side
database support with interesting applications was introduced. While
this feature had vast potential, it has been excluded from current
specification drafts due to insufficient interest from vendors which
use various SQL back-ends. As such, the only offline feature currently
available in HTML 5 is flexible online/offline resources management
using cache manifests. Cache manifests allow an author of a document
to specify which referenced resources must be cached in browser data
store (e.g., static images, external CSS and JavaScript files) and
which must be retrieved from a server (e.g., time-sensitive data like
stock price graphs, responses from web services invoked from within
JavaScript). The manifest also provides means for specifying fallback
offline replacements for resources which must not be cached. This
mechanism gives the ability to compose HTML documents which can be
viewed offline.

REST in Forms: REST application can be characterized by a clear
separation between clients and servers, stateless communications with
the server (no client context is stored on the server between requests)
and uniform client-server protocol that can be easily invoked from other
clients. Applied to HTTP, it encourages usage of URI for identifying
all entities and standard HTTP methods like GET (retrieve), POST (change),
PUT (add) and DELETE (remove) for entity operations. HTML 5 now fully
supports issuing PUT and DELETE requests from HTML forms without any
workarounds. This is an unobtrusive, but ideologically important
innovation which brings more elegance into web architecture and simplifies
development of HTML UI for REST services.

Communicating Documents: Now documents opened in browsers can exchange
data using messages. Such data exchange may be useful on a web page
that includes several frames with the data loaded from different origins.
Usually, a browser does not allow JavaScript code to access/manipulate
the objects of other documents opened from a different origin. This is
done to prevent cross-site scripting and other malicious and destructive
endeavors..." More Info See also HTML5 differences from HTML4:

More Here

Courtesy:http://realworldxml.blogspot.com/2010/08/arrival-of-html-5-lots-of-new-features.html

PingFederate as an IdM suite federation alternative

2011-01-25T16:46:00.000-08:00

PingFederate provides the same functionality as Identity Management suite federation components without requiring extensive upgrades, lengthy deployments or custom integration work- and all at a much lower cost.

Identity management suite customers often choose to implement PingFederate instead of the federated identity module offered by their suite vendor for one or more of the following reasons:

Easier to learn, deploy and use
Much faster time-to-connection
Out-of-the-box integration with other products, particularly those from their suite vendorʼs competitors
Extensive support for SaaS SSO: provisioning, mobile devices, email clients etc.
No need to upgrade to the latest version of the IdM suite just to use the federation module
Availability of PingEnable implementation and support services
Significantly lower total cost of ownership

Many IdM suite users choose PingFederate to deliver Internet SSO functionality instead of the federated identity module sold by their suite vendor.

More Here

Courtesy:http://www.pingidentity.com/tech-answers/use-cases/Identity-management-suite-federation-alternative.cfm

Internet SSO for commercial applications PingIdentity

2011-01-25T16:45:00.000-08:00

Companies in virtually every industry are now enhancing or expanding their product offerings via additional functionality delivered via the Internet.

These companies differ from pure on-demand (SaaS) providers in that their products are more than software. They also tend to be larger, more established companies such as Rearden Commerce or Morgan Stanley that have multiple federated identity use cases. These types of companies use PingFederate in a hybrid manner. They support both incoming Single Sign-On for their customers, as well as outgoing SSO for their employees.
PingFederate is a particularly good choice for this use case because pricing is connection-based, versus seat-based, the model most common with identity management products designed to manage employee identities.

SaaS and BPO providers use PingFederate both to establish SAML-based Internet SSO connections with their customers and to create services mashups.

More Here

Courtesy:http://www.pingidentity.com/tech-answers/use-cases/sso-for-customer-facing-apps.cfm

SaaS Connector PingIdentity

2011-01-25T16:42:00.000-08:00

SaaS Connectors install within PingFederate running as an IdP to expedite and optimize creating connections to leading SaaS providers.
SaaS Connectors offer additional functionality including support for automated SaaS user account management, non-browser-based access devices, including email clients and mobile apps; support for advanced use cases, such as email links; and support for proprietary SSO APIs. Specific functionality varies depending on the capabilities and requirements of the target SaaS applications. Quick Connection Templates guide you through configuration of the SaaS connection, pre-populating configuration information where possible.
SaaS Connectors are currently available for Salesforce, Google Apps, Webex, and Workday with more connectors planned for future release.

More Here

Courtesy:http://www.pingidentity.com/tech-answers/use-cases/SaaSConnector-use-cases.cfm

SSO to external/SaaS Applications PingIdentity

2011-01-25T16:40:00.000-08:00

Federated identity has evolved into an essential ingredient of Internet security technologies. As the number of Software-as-a-Service applications continue to grow the ability to implement Internet SSO and federated identity has become a fundamental use case for virtually every major SaaS provider.
While some SaaS providers started by offering a proprietary SSO mechanism, the industry trend is moving toward support of standards such as SAML 2. This allows employees, contractors or other members of an enterprise workforce to use their corporate credentials to access external applications.
In this use case, PingFederate connects to one or more service providers such as Software as a Service (SaaS) providers, enterprise applications hosted on an IaaS platform (Amazon EC2), enterprise applications developed using a PaaS provider (Force.com) or Business Process Outsourcing (BPO) suppliers that provide applications for employee use. The enterprise can provide SSO access to external applications from multiple devices including Web browsers, mobile devices and rich clients such as Microsoft Outlook. Employees benefit from SSO access whether they are in the office or on the road. PingConnect can also support this use case for small to medium enterprises who prefer a hosted solution, eliminating the need for on-premise hardware and IT resources.

SaaS Connectors provide support for advanced use cases, including user account management, and optimize the creation and configuration of connections.

In this use case, an enterprise uses PingFederate to give its workforce easy and secure access to external cloud based applications provided by IaaS, PaaS SaaS, outsourcers and other service providers.

More Here

Courtesy:http://www.pingidentity.com/tech-answers/use-cases/outbound-sso.cfm

One-Time Passwords with OneLogin and YubiKey

2011-01-25T15:09:00.000-08:00

Using multiple authentication factors is an effective way of preventing someone from accessing your sensitive data even if they manage to get hold of your username or password. For a brief introduction to the topic, read the article Authentication Factors.
OneLogin supports both VeriSign VIP Access and Yubico's YubiKey for one-time password generation. These solutions fall the "something you have" category, which means that if you successfully authenticate, the authenticating party knows that the user has the key in their possession. This significantly reduces the chances of someone else hacking into that user's account.

Enabling OTP

In order to use OTP with OneLogin, one of your account's admins has to turn it on. This is done under Security -> OTP.

OneLogin lets you use VIP Access and YubiKey at the same time, which is an advantage if you have different users with different needs. For example, someone who works from an office all day maybe prefer YubiKey because of its easy-of-use while someone who travels may prefer VIP Access because always it's in their phone.
OTP can be required for all administrators only, all users or select users.

Registering OTP Devices

In order for an OTP device to be used, it must be associated with a user. This can be done manually by the administrator user by user, but that's not practical on a large scale, especially with VIP Access where only the employee has access to the device. If OTP is required for a user, the user will be prompted to register the device at the first successful login.

Configuring users

Once OTP is enabled for, you will be able to register the device on the individual users as shown below. Go to People -> Users and select a user. This is also where you deregister OTP devices.

To register a YubiKey, insert the key in the USB port and press the button. This will insert a 30 long string in the field of which the first 12 will be stored on the user. These 12 character uniquely identify the key and are now tied to this user.
To register VIP Access, enter the Credential ID shown in the mobile application.
Make sure you that you register your own key before you log out, or you will not be able to log in again.

When is OTP Required?

Use the required setting to enforce whether users have to use OTP at every login or just when they log in from an unknown or expired browser.

Logging in

Once OTP has been turned all, all users will see a login page as shown below. Once Email and Password have been entered, a YubiKey or VIP Access field will appear.

More Here

Courtesy:http://support.onelogin.com/entries/129685-yubikey-guide

Configuring WebEx for SAML with OneLogin

2011-01-25T14:58:00.000-08:00

Configure WebEx Enterprise in OneLogin

If you haven't already added WebEx Enterprise to your OneLogin account, you can do it via this link:
https://app.onelogin.com/apps/new/3036
Now, configure the application.

Choose SAML as authentication method
Enter your subdomain, e.g. mycompany
Select the roles you want to have access to WebEx
Save the app

Configure SAML in WebEx

Sign into your WebEx Enterprise account as the admin
Click Site Administration in the menu bar
Click SSO Configuration in the sidebar
You should now see the page below
Set WebEx SAML Issuer to "http://www.webex.com"
Set Issuer for SAML to the SAML Issuer from the WebEx app in OneLogin
Set Customer SSO Service Login URL to the SAML Login URL from the WebEx app in OneLogin
Set AuthContextClassRef to "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

More Here

Courtesy:http://support.onelogin.com/entries/362606-configuring-webex-for-saml-with-onelogin

Configuring WordPress for SAML with OneLogin

2011-01-25T14:55:00.000-08:00

OneLogin's SAML plugin for WordPress allows you to easily and securely sign users into WordPress. By default users will be signed in using the email address registered in OneLogin, but you can override this by editing the logins on the app if they don't match the ones in WordPress.
If you want to prevent users from signing into WordPress directly using a password, we recommend simply obfuscating the passwords in WordPress so that users don't know them. Just make sure the admin can still sign in using password.
Configuration

Sign into your WordPress account as a user who has privileges to install plugins
Click Plugin in the left sidebar
Now you can either search for OneLogin or you can upload the plugin attached to this article.
Once the plugin is installed, activate it
The next step is to configure your OneLogin X.509 certificate so the plugin can validate SAML responses coming from your OneLogin account. In OneLogin, go to Security -> SAML and copy.
Click Settings in the sidebar in WordPress and then click SSO/SAML Settings
Paste the certificate into the text field and click Save Changes. This completes the setup of WordPress.
Now add WordPress to your OneLogin account. The Site URL should be the root URL of your wordpress site. VERY IMPORTANT: The URL must end with a slash (/) or the plugin will not pick up SAML responses.

More Here

Courtesy:http://support.onelogin.com/entries/383540

New Active Directory Connector Simplifies User Authentication

2011-01-25T14:33:00.000-08:00

OneLogin announces its Active Directory Connector that enables the authentication of cloud application users against an organization's Active Directory.

While IT benefits from having a single directory integration point, employees can use their Windows credentials to access web applications, hosted in the cloud and behind the firewall. By eliminating the need for employees to remember several usernames, passwords and login URLs, OneLogin increases the adoption of cloud applications and reduces the security risks inherent with the repeated use of weak login credentials.

“Enterprises are keen to reap the benefits of cloud computing, but do not want to abandon their existing IT infrastructure,” explains Thomas Pedersen, CEO at OneLogin. “Our new Active Directory Connector allows them to extend their directories deep into the cloud with no custom development required.”

As enterprises continue to adopt cloud computing, integrating their existing directory with various applications’ proprietary authentication APIs poses both security risks and maintenance headaches. OneLogin’s Active Directory Connector provides a single integration point that enables enterprises to centralize authentication, eliminate passwords and make it easier for employees to access web applications.

OneLogin enables any enterprise to get single sign-on within minutes via Security Assertion Markup Language (SAML). Users can easily and securely connect to SAML enabled applications, such as Salesforce, WebEx, Google Apps, Workday, Yammer, Central Desktop, SugarCRM, KnowledgeTree, SAManage and many others.

More Here

Courtesy:http://blog.onelogin.com/blog/2010/12/13/new-active-directory-connector-simplifies-user-authenticatio.html

SAML Plug-In for WordPress

2011-01-25T14:29:00.001-08:00

WordPress has long been one of the most popular integrations among our customers and some customers manage multiple WordPress accounts with many contributors. The original WordPress integration uses form-based authentication, which means we simply automate the login process using email address and password.

However, since we're on a crusade against passwords and WordPress has a nice plug-in framework, we decided to implement a SAML plug-in that you can use with OneLogin. In addition to simply eliminating passwords, the SAML integration provides these benefits:

* Easy, one-click access to WordPress
* Users can sign in with their Active Directory or LDAP credentials
* Multi-factor authentication for added security
* Centrally de-provision former employees and contractors

Plug-ins are available to anyone who hosts WordPress themselves (i.e. not on wordpress.com) and you can add it in a matter of seconds. Just click Plugins in WordPress' sidebar and search for SAML. OneLogin's plug-in will appear at the top.

More Here

Courtesy:http://blog.onelogin.com/

How to Parse XML in CakePHP

2011-01-25T13:19:00.000-08:00

Hi all, this is a basic tutorial on how to parse xml file in cakephp.
We all know that cakephp vastly utilizes the array concept in php. Here, I am going to explain you how to parse XML in CakePHP and convert it into an array.
Step1:
Get the XML Feed; for example you might be having an xml feed from a search engine or any other type of feed which is in xml. get the contents of the URL to do so, I’m going to create a function in my controller and utilize the XML helper.
create the function, say: parse_xml

function  parse_xml() {

App::import('Xml');
$raw_xml = file_get_contents("type your xml url here");
$parsed_xml = & new XML($raw_xml);

$parsed_xml = Set::reverse($parsed_xml);  // reversing the xml to array. this can be also used to convert an array to xml also.

return $parsed_xml;
}

That’s all.. everything done
to get the array to a variable

$xml_array = $this->parse_xml();

now try printing the array

echo "";
print_r($xml_array)
die;

More Here

Courtesy:http://cakeleak.wordpress.com/2010/05/28/how-to-parse-xml-in-cakephp/

What is XML

2011-01-25T13:18:00.000-08:00

* XML stands for EXtensible Markup Language
* XML is a markup language much like HTML
* XML was designed to carry data, not to display data
* XML tags are not predefined. You must define your own tags
* XML is designed to be self-descriptive
* XML is a W3C Recommendation

The Difference Between XML and HTML

XML is not a replacement for HTML.

XML and HTML were designed with different goals:

* XML was designed to transport and store data, with focus on what data is.
* HTML was designed to display data, with focus on how data looks.

HTML is about displaying information, while XML is about carrying information.
XML is Just Plain Text

XML is nothing special. It is just plain text. Software that can handle plain text can also handle XML.

However, XML-aware applications can handle the XML tags specially. The functional meaning of the tags depends on the nature of the application.
With XML You Invent Your Own Tags

The tags in the example above (like and ) are not defined in any XML standard. These tags are “invented” by the author of the XML document.

That is because the XML language has no predefined tags.

The tags used in HTML (and the structure of HTML) are predefined. HTML documents can only use tags defined in the HTML standard

XML allows the author to define his own tags and his own document structure.
XML is Not a Replacement for HTML

XML is a complement to HTML.

It is important to understand that XML is not a replacement for HTML. In most web applications, XML is used to transport data, while HTML is used to format and display the data.

My best description of XML is this:

XML is a software- and hardware-independent tool for carrying information.
XML is Everywhere

We have been participating in XML development since its creation. It has been amazing to see how quickly the XML standard has developed, and how quickly a large number of software vendors have adopted the standard.

XML is now as important for the Web as HTML was to the foundation of the Web.

More Here

Courtesy:http://indonetasia.wordpress.com/2009/04/06/what-is-xml/

Introduction to XACML: Access Control Policies in XML

2011-01-25T13:15:00.000-08:00

Introduction

This document discusses the eXtensible Access Control Markup Language (XACML), an XML language for specifying security policies. Security policies are ways to describe who has access to what resources under what conditions. For a large enterprise, there are multiple places at which such security policies must be enforced. It would therefore seem logical to define security policies in a technology neutral way, so that they can be reused. That is exactly the purpose that XACML serves.

Intended Audience

Anyone with an interest in security: developers, administrators, HR people, etc. Basic knowledge of XML is assumed.

XACML Overview

The following figure shows the components (orange rectangles) that make up an XACML-based security system and the data (blue ovals) that those components need as input:

A Request comes in at a Policy Enforcement Point (PEP).
The PEP forwards the Request to the Context Handler.
The Context Handler asks the Policy Information Point (PIP) for Context Attributes.
The PIP collects Context Attributes from the Subject (e.g. the role), the Resource (e.g. it's location), and the Environment (e.g. the location from where the Request is made) and returns them to the Context Handler.
The Context Handler gets the Resource's content.
The Context Handler presents the Request to the Policy Decision Point (PDP), along with the Context Attributes and (optionally) the Resource's content.
The PDP makes a decision based on the security policies that the Policy Administration Point (PAP) has previously made available.
The PDP returns its decision to the Context Handler, which returns it to the PEP.
The PEP either grants or denies access to the Request, based on the PDP's decision

There are two main points to take away from this. The first is that the system is made up of components that can be standardized. For instance, the PDP takes well-defined data as input and provides a well-defined interface to the PAP and Context Handler. So organizations don't need to re-invent the wheel by implementing their own PDP, instead they can reuse an existing implementation and hook it up to their implementation of non-standard components, like the PEP.

The second important point is that security policies are specified separately from where they are enforced, which means that we can reuse them in multiple enforcement places. And there is yet another way in which XACML promotes reuse. To see that, we need to take a closer look at how security policies are specified in XACML.

Specifying Access Control: Rules, Policies, and Policy Sets

Rules

A Rule combines a Target, an Effect and a Condition. The Target specifies what the Rule is applicable for: any or all of the requested Action, the Subject requesting the Action, the Resource that the requested Action pertains to, and the Environment within which the Action is to be performed. The Effect of the Rule is to deny or permit the Action. The optional Condition further refines the applicability of the Target.

Here's a simple example of a Rule:

 
  
    Some optional text that explains the purpose of the rule
  
  
    
      
                    "urn:oasis:names:tc:xacml:2.0:function:string-equal">
                        "http://www.w3.org/2001/XMLSchema#string">
            developer
          
          
            role

This piece of XACML specifies that anybody with the developer role can do anything to any resource. In the example above, we assume the role Attribute to be a single string value, but XACML also supports multi-valued Attributes.

Note that the PIP component needs to be able to extract a value from the Request (see below) that belongs to the Subject attribute named in the SubjectAttributeDesignator element (role in the above example). An alternative way of extracting values from the Request is by providing an XPath expression in the AttributeSelector element.

The PDP component needs to be able to understand the function specified using the MatchId attribute (urn:oasis:names:tc:xacml:2.0:function:string-equal in the example). XACML makes many standard functions available to policy writers, and the specification allows for adding custom ones as well.

A Rule can also contain a Condition that must be satisfied for the Rule to return its Effect. If the Condition returns Indeterminate, the Rule also returns Indeterminate. If the Condition returns False, the Rule returns NotApplicable. If the Condition returns True, the value of the Effect element is returned, which is either Permit or Deny. If the Condition is missing, as in the above example, it is assumed to be True.

Rules can be separately evaluated, but they cannot live on their own: they must be part of a Policy. Rules are the smallest unit of reuse in XACML, while Policies are the smallest unit of evaluation.

Policies

A Policy has a Target, a Rule-Combining Algorithm, some Rules, and some Obligations. We've seen the Target already as part of a Rule. Since a Policy also specifies a Target, a Rule need not specify one. If it doesn't, then it inherits the Target from the Policy. The Rule-Combining Algorithm specifies the procedure by which the results of evaluating the Rules are combined when evaluating the Policy. An Obligation is an operation specified in a Policy that should be performed by the PEP in conjunction with the enforcement of an authorization decision.

Here's the above example Rule wrapped in a Policy:

    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  
    Some optional text that explains the purpose of the policy
  
  
    
      
                    "urn:oasis:names:tc:xacml:2.0:function:string-equal">
                        "http://www.w3.org/2001/XMLSchema#string">
            developer

The RuleCombiningAlgId attribute on the Policy identifies the algorithm that combines Effects from multiple Rules into a single result. The PDP must implement such an algorithm. The Policy may also specify parameters to be used as input for combining algorithms.

The Rule in this Policy example does not specify a Target, but it could. In that case, the Rule would only be evaluated for the Policy if its Target is matched.

Policy Sets

Just as Rules can be reused in Policies, entire Policies can be reused in Policy Sets. A Policy Set contains a Target, a Policy-Combining Algorithm, a set of Policies, and some Obligations. The Policy-Combining Algorithm specifies the procedure by which the results of evaluating the component Policies are combined. Note that a Policy Set can reuse not just Policies, but also entire Policy Sets. This Lego-like structure makes it possible to build complex security policies without duplication.

Here's the above Policy wrapped in a Policy Set:

More Here

Courtesy:https://community.emc.com/docs/DOC-7314

Migrating from Websphere 6.0 to Websphere 7.0

2011-01-24T13:24:00.000-08:00

The application I manage at work is a client/server application written entirely in java. My company for years has been an IBM shop, so we have a large Websphere presence which is where the server is deployed. The application had been running on Websphere 5.1 for a few years and was fairly recently migrated to Websphere 6.0 to remain on a supported version of Websphere. Because the end of life for Websphere 6.0 is September 2010, we’re starting to plan for another upgrade now (we have major releases in January and June, so we’re targeting the June ’10 release for the upgrade). Websphere 6.1, if IBM holds to it’s pattern of every 2 years or so will remain supported until September 2012, however there’s no current end of life date documented yet (link). To get the longest life possible, I’m looking at Websphere 7.0 as the target platform for our June ’10 upgrade.

We have RAD 7.5 in house and a couple members of my team have installed it. I’ve been working on getting a local WAS 7.0 server up and running and getting our app deployed on it. There are some major differences between Websphere 5.1/6.0 and 7.0. I won’t go into details as those are readily available on IBM’s website, but would like to share some of my observations and pain so far.

Application Background: The server side of our application is effectively broken down into 2 pieces. One component is what we call a provision server that is essentially a cache of configuration data read from DB2. This configuration information contains rules which drive how the second component operates. The second component is the main workhorse app which receives a request, and creates a response based on configuration data retrieved from the provision server (if necessary) and data retrieved from any number of other applications we interface with. We have 2 provision server jvms for load balancing and fail over and roughly 20 app engine jvms spread across 2 data centers (the app engine hosts roughly 3500 end users and we target 200 users per jvm…roughly).

Unsolved Problem 1 – Remote EJB calls across separate local jvm/profiles doesn’t work: Now that you have a high level view of our applications architecture, here’s my first dilema which I haven’t found a solution to. Websphere now has the concept of profiles. Basically a profile equates to a jvm instance. It’s a little more than that, but that’s a good enough understanding for now. So if you want 2 distinct/separate JVMs configured differently, you would need to create 2 profiles and create servers associated with each profile. In all our lifecycles, we have distinct jvms setup for provision and app engine – we don’t cluster the app engine with the provision server because we want our dev/test lifecycles to mirror production, and production is separate because we don’t want a 1:1 correlation of provision server to app engine as the provision server is memory intensive and 2 jvms can handle the entire app engine load very effectively. So I want to replicate that with my RAD 7.5 setup – 1 app engine jvm and 1 provision server jvm running locally within RAD 7.5. That requires 2 separate profiles to be created, then a server defined and associated for each one. No problem. Where I run into problems is at runtime. The app engine makes remote (cross-jvm) EJB calls to the provision server. That requires a JNDI lookup of an EJB remote home object. For some reason, jvm 1 cannot see any JNDI objects that are stored in jvm 2. When I do an initial context and dump out the contents, all I ever get are the local JVM’s name server items. But if I point the local server at one of our test lifecycle provision servers, it sees those just fine. I have no idea why 1 local jvm can’t access another local jvm’s name server. I’m not sure if it’s because of the base version of Websphere that’s running, or some other limitation of the development environment, but that is one hurdle I can’t get over. So my workaround is to just deploy the provision server and app engine in the same jvm as local ejb calls work just fine.

Solved Problem 2 – creating a secure socket for an outbound ssl SOAP request: The app engine is a portal of sorts. It will call any number of external systems to retrieve data and aggregate that data as needed based on the request. There are several system we currently interface and several protocols we use to do so…SOAP over SSL, EJB, JDBD for example. We use apache soap (old, but still works) to call several external systems, one of which is the main system we interface with. In Websphere 5.1 and 6.0, we set our own JKS truststore for the request using the javax.net.ssl.truststore property. This truststore contains the SSL certificates of our target URL. It just worked. Now we move to Websphere 7.0 and the same requests which work in a local WAS 6.o server no longer work. After much digging and reading of documentation, it turns out WAS 6.1 (and 7.0) changed how SSL security was handled. Long story short, when WAS sees a secure socket being created, it assumes responsibility for securing that connection (Big Brother?) instead of letting you do your own thing. Now, there are ways around it, but the point is it is NOT backwards compatible. The quick fix for this was to put the SSL certs in Websphere’s default truststore (go to the admin console, under security and then ssl configuration and you can find a whole bunch of related config). There are several articles on this and I highly recommend reading the Websphere Application Server V7.0 Security Guide for background on this. It is extremely helpful.

More Here

Courtesy:http://bairdblog.wordpress.com/

Mozilla blocks Skype's glitchy Firefox toolbar extension

2011-01-24T07:43:00.000-08:00

skype-large-logoThe Skype toolbar add-on has became a headache for Mozilla, and will be blocked from the Firefox browser until further notice. Mozilla announced yesterday that the Skype feature was responsible for roughly 40,000 crashed browsers in the last week, and was seriously slowing down page loading.

We can’t imagine there are too many people who are crushed about losing a toolbar plug-in, but for those of you that are – don’t worry too much yet. Mozilla reassures users that this is only a “soft block” while it looks into identifying and fixing the issues with help from the Skype Toolbar team. This also means that while the extension is currently disabled on Firefox’s end, you will be notified of the block and allowed to re-enable it as you see fit.

So what are you missing until the toolbar is fully functional? The plug-in cooperates with Skype software to identify phone numbers on individual web pages and making it that much easier to make VoIP calls.

More Here

Courtesy:http://news.yahoo.com/s/digitaltrends/20110121/tc_digitaltrends/mozillablocksskypesglitchyfirefoxtoolbarextension;_ylt=AikQKv2wWnWc95POlNT_2auor7oF;_ylu=X3oDMTQycHEwOW5lBGFzc2V0A2RpZ2l0YWx0cmVuZHMvMjAxMTAxMjEvbW96aWxsYWJsb2Nrc3NreXBlc2dsaXRjaHlmaXJlZm94dG9vbGJhcmV4dGVuc2lvbgRwb3MDNQRzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNtb3ppbGxhYmxvY2s-

New Firefox Feature Blocks Behavioral Ads

2011-01-24T07:42:00.001-08:00

Mozilla, the developer of the Firefox browser, is working a feature that will allow users to opt-out of online behavioral advertising.

The goal is to give users "a deeper understanding of and control over personal information online," Mozilla's head of privacy said in a blog posted on Sunday.

The feature will allow users to configure their Firefox browser to tell websites and advertisers that they would like to opt-out of any advertising based on their behavior, Alex Fowler [cq] wrote in his blog post. The user's preference is communicated to websites and third party ad servers using a new "Do Not Track HTTP header", which is sent with every click or page view in Firefox.

The feature wouldn't block advertising altogether, only personalized ads. If the user has enabled the feature, the advertiser would have to exchange the personalized ad for a standard ad, according to a diagram included in the blog post.

Mozilla believes the header-based approach will be better for the Web in the long run, compared to cookies or blacklists. Using a header is less complex, more persistent than cookie-based solutions and at the same time simple to locate and use. It doesn't rely on a user's finding and loading lists of ad networks and advertisers to work, Fowler wrote.

However, rolling out the feature will be a challenge. For it to work, both browsers and sites will have to implement it. To get past this issue, Mozilla wants to work with the technical community to standardize the header across the industry, according to Fowler. It is also proposing that the feature be considered for upcoming releases of Firefox.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110124/tc_pcworld/newfirefoxfeatureblocksbehavioralads;_ylt=AlXHhNQyzJGhm5MssKh57mGor7oF;_ylu=X3oDMTNmbzhxZHEzBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjQvbmV3ZmlyZWZveGZlYXR1cmVibG9ja3NiZWhhdmlvcmFsYWRzBHBvcwMxBHNlYwN5bl9wYWdpbmF0ZV9zdW1tYXJ5X2xpc3QEc2xrA25ld2ZpcmVmb3hmZQ--

Business booming for cyber criminals: security firm

2011-01-24T07:40:00.000-08:00

Cyber criminals are selling stolen credit card details for as little as two dollars each and renting computer networks for spam for 15 dollars as part of a vast online black market, according to a report released Thursday.
PandaLabs, the anti-malware laboratory of computer security company Panda Security, published the various prices for cyber crime-related products after conducting an undercover investigation into online crime networks.

"This is a rapidly growing industry and cyber-criminals are aiding and abetting each other's efforts to steal personal information for financial profit," PandaLabs said.

"PandaLabs discovered a vast network selling stolen bank details along with other types of products in forums and more than 50 dedicated online stores."

The computer security firm said cyber criminals had diversified from stolen bank and credit card details to a "much broader range of hacked confidential information" including log-ins, passwords, fake credit cards and other data.

"Since anonymity is of the utmost importance, many sellers use underground forums to keep out of sight," PandaLabs said. "Their offices are effectively the Internet.

"Some are more brazen about their activities, and have accounts on Facebook and Twitter which they use as shop windows."

PandaLabs said a credit card number or bank account details can be purchased for two dollars but that does not include any information on the available credit line or bank balance.

"The price increases to 80 dollars for smaller bank balances and upwards of 700 dollars to access accounts with a guaranteed balance of 82,000 dollars," it said.

PandaLabs said the price for rental of a botnet, a network of infected computers, for sending spam or other purposes begins at 15 dollars.

More Here

Courtesy:http://news.yahoo.com/s/afp/20110120/ts_alt_afp/usitcomputersecuritycrimepandalabs;_ylt=Aop13UJrRqGYRwjBxySuVgmDzdAF;_ylu=X3oDMTNhampnYjdzBGFzc2V0A2FmcC8yMDExMDEyMC91c2l0Y29tcHV0ZXJzZWN1cml0eWNyaW1lcGFuZGFsYWJzBHBvcwMxNgRzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNidXNpbmVzc2Jvb20-

Twitter Targeted With Fake Antivirus Software Scam

2011-01-24T07:39:00.000-08:00

Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google's Web address shortening service to conceal the links' destination.

The links, masked by Google "goo.gl" URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.

Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called "Security Shield."

Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer's software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.

Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that "we're working to remove the malware links and reset passwords on compromised accounts."

"Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?" she wrote. "That's malware. Don't install."

Although Brulez classifed the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/twittertargetedwithfakeantivirussoftwarescam;_ylt=ApQopnp9SFXhgtN5sicrG_CDzdAF;_ylu=X3oDMTNvMW1yMmRoBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvdHdpdHRlcnRhcmdldGVkd2l0aGZha2VhbnRpdmlydXNzb2Z0d2FyZXNjYW0EcG9zAzEyBHNlYwN5bl9wYWdpbmF0ZV9zdW1tYXJ5X2xpc3QEc2xrA3R3aXR0ZXJ0YXJnZQ--

Cybercrooks Tire of Windows -- They're After Your iPhone Now

2011-01-24T07:35:00.001-08:00

Cybercrime is moving away from traditional targets, like Windows PCs, and focusing more on mobile devices, according to Cisco's 2010 Annual Security Report (PDF)]. As Microsoft becomes more savvy about patching holes in its OS, cybercriminals are treading into new territories, with a strong focus on iOS and Android.

When the Federal government declared jailbreaking cellphones legal, intrepid hackers sought and discovered more exploits in mobile operating systems. A prominent example used by Cisco is JailbreakMe 2.0, the Safari-based iPhone flaw -- which has since been patched -- that allowed users to jailbreak with very little tampering of iOS.

Cisco threat research manager Scott Olechowski also said that the proliferation of Android will likely lead to major attacks on Google's OS in the future. Olechowski noted that the more devices that adopt Android -- such as smartphones, tablets, even vehicles -- the more enticing the open-source OS becomes, especially when it comes to the big bucks in the enterprise.

Most concerning for mobile hacks are apps, many of which access user information without permission. Just yesterday, Trapster, an app that warns drivers when a speed trap is ahead, was hacked, exposing millions of iPhone, Android, BlackBerry, and Windows Mobile phone passwords -- some of which may also have been linked to a user's PayPal account.

Many companies using smartphones for work do not have a cybersecurity strategy planned or in place, according to Cisco. This is a major concern for iOS business consumers, given that the iPhone is being used at 88 percent of the Fortune 100 companies and 83 percent of the Fortune 500.

And for you PC users out there: Tired of your Mac-using friends' snooty condescension about how their machines are impervious to viruses? Turns out that hackers are targeting Mac users more and more.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/cybercrookstireofwindowstheyreafteryouriphonenow;_ylt=Aouh6fYbPbbxyiJYwGk9OJmDzdAF;_ylu=X3oDMTNzb2RyajBvBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvY3liZXJjcm9va3N0aXJlb2Z3aW5kb3dzdGhleXJlYWZ0ZXJ5b3VyaXBob25lbm93BHBvcwMxMARzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNjeWJlcmNyb29rc3Q-

Google: Search Engine Spam on the Rise

2011-01-24T07:34:00.002-08:00

If you've noticed lately that Google's search results are a bit spammy, you're not alone.

In a blog post, Google Principal Engineer Matt Cutts acknowledged that "we have seen a slight uptick of spam in recent months," and that tech watchers are growing critical. Cutts then outlined a few new initiatives to improve the quality of Google's search results.

Among them: Google has a new "document-level classifier" that's better at detecting the hallmarks of spam, such as oft-repeated keywords; Google is improving its ability to detect hacked sites, which were a big source of spam last year; and the company is evaluating other changes, including a crackdown on Websites that primarily copy other sites' content.

But on the issue of "content farms," Cutts didn't have all the answers. If you're not familiar with the term, you've probably stumbled upon some content from purveyors. For example, many in the media call sites Demand Media and AssociatedContent content farms. Rich in search keywords and produced on the cheap, content from these sites appears prominently in search results but seem geared solely towards appeasing search algorithms.

Although Google tweaked its algorithms last year to give content mills less prominence, the problem hasn't gone away, and Cutts' blog post offered no further solutions. "The fact is that we're not perfect, and combined with users' skyrocketing expectations of Google, these imperfections get magnified in perception," he wrote. "However, we can and should do better."

Cutts reiterated that Websites don't get preferential treatment by purchasing or displaying Google ads. Their rankings don't improve and they're just as likely to be punished for violating Google's quality guidelines.

I suppose it's comforting to hear Google address issues of search quality, especially as criticism grows louder. Notably, new search competitor Blekko has created a spam clock to count how many spam pages have been created since the start of the year. Google says its results have half the spam they did five years ago, but that count is meaningless if low-quality content mills are able to game the system and get high page rankings.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/googlesearchenginespamontherise;_ylt=As40wMweskfdCma18z44CwuDzdAF;_ylu=X3oDMTNhNjU0bmllBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvZ29vZ2xlc2VhcmNoZW5naW5lc3BhbW9udGhlcmlzZQRwb3MDOARzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNnb29nbGVzZWFyY2g-

Beware Goo.gl Fake Antivirus Worm on Twitter

2011-01-24T07:34:00.000-08:00

Twitter and Twitter users are being targeted by a malicious worm. The worm sends out tweets with a goo.gl shortened URL link directed to a rogue antivirus application. The attack demonstrates once again how URL shortening can be a Pandora's box as users click on links with no clue where they might lead.
A post on Naked Security by Sophos' Graham Cluley describes the threat. "Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack," adding, "A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl), which itself points to a URL ending with "m28sx.html".

Attacks hiding behind shortened URLs are not new, and are also not technically challenging to execute. By their very nature, URL shortening services like goo.gl and bit.ly take cumbersome, long URLs and condense them down to a nice, short alias that can be used in its place. The concept makes it much easier to send some exceptionally long links, and is a necessity for a site like Twitter which caps messages at 140 characters.
Adam Wosotowsky, principal researcher at McAfee Labs, explains, "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."
Wosotowsky elaborates, "As we stated in our 2011 Threat Predictions, we currently track and analyze--through multiple social media applications and all URL shortening services--more than 3,000 shortened URLs per minute. We see a growing number of these used for spam, scamming and other malicious purposes, and we expect to see shortened URL abuse invade all other forms of Internet communications."
Shortened URLs provide attackers a simple, and commonly accepted means of obscuring malicious links. McAfee recommends using its proprietary URL shortening service--mcaf.ee. McAfee's shortened URLs are scanned and filtered to weed out malware. Of course, you can't really control what URL shortening service other people use to send links to you.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/bewaregooglfakeantiviruswormontwitter;_ylt=AkYzObtzkEvuxfACgaveXiSDzdAF;_ylu=X3oDMTNnM3BocXZwBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvYmV3YXJlZ29vZ2xmYWtlYW50aXZpcnVzd29ybW9udHdpdHRlcgRwb3MDNgRzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNiZXdhcmVnb29nbGY-

Don't Fear the Android Security Bogeyman

2011-01-24T07:33:00.000-08:00

Academic security researchers have created an ingenious piece of malware that runs on Android cell phones and steals credit card details.
As is typical, many are heralding it as a sign of a smartphone security apocalypse, but they need to calm down. Cybercriminals simply aren't that smart, and there's nothing new to be worried about.
The so-called Soundminer malware listens in on phone conversations and uses speech recognition to decode credit card and PIN details that users might mention when calling their bank, as an example. DTMF tones heard when keys are pressed are also recognized and decoded.
The data is then passed to another piece of malware, called Deliverer, which sends it off to the hacker's HQ via the Internet.
The clever part is how the two pieces of malware bypass Android's built-in security.
Individual permission is required from the user for each newly-installed app that wants to access a specific hardware component.

A program that wanted permission to access the microphone and also send data would be a little suspicious, so Soundminer only requests to use the microphone. The Deliverer malware only requests to send data.
Data exchange between the two programs would also be viewed as suspicious, so they use system communication channels built into Android that are designed to share system settings information. These only allow a handful of bytes to be transferred, but that's enough for a credit card number.
Soundminer could be hidden in simple app that, for example, required microphone access permissions in order to make an on-screen balloon blow-up based on how much the user shouted. Deliverer could easily be integrated into a simple game that requests data transmission permission in order to report high scores, for example.
In all, Soundminer is a well thought-out and ingenious piece of programming.
And that's why we'll never, ever see anything like it in the real world.
Criminals always prefer a quick and dirty approach. It's one of their defining characteristics
There are two ways to rob a bank. You could get a job there and embezzle money secretly. Or you can run in, wave guns, and run out as quickly as possible with bags of money.
Guess which is more popular?
Sophistication, subtlety, and mastermind intelligence is limited to the movie criminals. The most successful criminals in the real world are those who keep things simple, and cybercrime is no different.
I'm not suggesting we underestimate cybercriminals but the chances of them creating something as clever as Soundminer are extremely limited. It took a team of university researchers to come up with Soundminer, working at the City University of Hong Kong and Indiana University.
Ultimately, why would cybercriminals want to bother with something as elaborate as Soundminer, when they can just send phony e-mails that catch-out gullible users and rake in the money?
Good malware doesn't need to be clever or well made. It just needs some way of fooling people into handing over useful personal details, which history has proved is actually pretty easy. It also needs some way of travelling around from device to device and, crucially, there's nothing new in the Soundminer research to indicate how this might be done.
Soundminer highlighted some design flaws within Android, that hopefully will get addressed quickly, but there's really nothing else to cause concern.
Security companies are hailing 2011 as the year smartphone malware goes mainstream but we should guard against such pronouncements. The more scared we are, the more likely we are to buy malware protection products. We can't trust the word of people who are trying to sell us something.

More Here

Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/dontfeartheandroidsecuritybogeyman;_ylt=Amlk36SxvOmYw6GPaEkqCUODzdAF;_ylu=X3oDMTNkZDhpNDk3BGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvZG9udGZlYXJ0aGVhbmRyb2lkc2VjdXJpdHlib2dleW1hbgRwb3MDNARzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNkb24zOXRmZWFydGg-