I'm trying to implement a reverse proxy in our system, for a micro-services architecture.
The proxy server is HAProxy that works with SSL Termination and needs to proxy requests to a backend server with Https and Kerberos authentication.
I succeeded to terminate the ssl on the proxy server and pass the request to the https server (I need the termination in order to route requests by their body, to specific backend services) , but failing to authenticate with kerberos on the backend server.
Is it possible to implement Kerberos auth on the proxy server and then pass the TGT to the different backend services?
I have successfully done this and it took some work.
At the time I was using HDP so I used ambari to setup a hive server on the HAproxy node. (This was done solely for the purpose of having Ambari manage the kerberos principle. The hive server itself never ran)
Then I merged the keytab for my hive server (on the proxy) with my Hive server keytabs so that the principle could be used on the hive servers. I think I also allowed it as a principle to work with hive. I'm sure there is another path that would allow you to use delegation but this was the past of least resistance and made it so hive managed mostly managed the keytab. I did have to re-merge the keytab when they where regenerated but it wasn't as bad as manually managing keytabs.
Related
I researched about any plugin/module WSGI for Oracle WebLogic 12c that allows me run a python flask app, with no success.
The reason for why i need to run from WebLogic 12c, it's because i need to use the SSL certfied living there.
Researching, i found many web server (Apache, Gunicorn, etc) can act as proxy of WebLogic, here is an example, where Nginx receive all the requests with SSL and then passed them to WebLogic:
https://medium.com/#Dracontis/nginx-as-proxy-for-weblogic-with-ssl-c7e1076e2c0c
So, i wonder if there is a manner to invert this order? I mean, WebLogic receive all the requests (safely because of SSL certified) and then pass them to any web server with the WSGI standard.
Thanks in advance.
I didn't find a sort of solution that accomplished the topic above. However, in case someone needs implements this topology here is what i did:
I've installed an Oracle HTTP Server (OHS) and creating a wallet for the SSL certified, in certain way in which the OHS can receive the requests secure, then inside the OHS with specific setting achieve forward the request to the Apache running with the module WSGI.
We have an Oracle application (Agile PLM) which is deployed in a clustered environment. We have one admin node and two managed nodes supporting our application, where admin and 1 managed nodes are on the same server. We also have Load balancer which manages the traffic between the cluster.
We want to configure SSL in our application so that the application URL will be accessible over https only. We have already configured SSL at Load Balancer level(by installing security certificates in weblogic server which is the admin server) but want to know if we have to configure SSL on the managed server as well or bringing Load Balancer on https is sufficient?
All the users access the application using the Load Balancer URL only but since I am from the development team, so is only aware of the fact that we can also connect to the application with Managed server URLs, which are still running on http. Is it must to bring Managed servers also on https or it is just a good practice but not necessary?
It's not necessary, though probably a good practice.
I believe I have read in Oracle's installation guide that the recommended way is HTTP on the managed servers and terminating SSL on the load balancer. This may have changed.
For what it's worth, I leave HTTP on the managed servers.
We have IIB 10.0.0.12 running on Windows Server 2012 R2. We are looking to setup Kerberos -Token based authentication for SOAP services that are exposed to internal/external consumers.
We have around 4 System test servers running on a Same domain. The test servers are not load balanced; can we create a Single User account (Say "IIBTestPrincipal") in Active Directory and map multiple SPN's to this user account and setup the test environments like below.
setspn -A HTTP/server3.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
setspn -A HTTP/server5.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
Can somebody please advice/ guide on process for setting the same in load balanced environment.?
We have 4 broker servers load balanced via Netscalar. Can the load balancer perform a kerberos passthrough and broker perform all the kerberos authentication work ? If so should we be creating a SPN on Load balancer Host name and map all the prod servers as alias to that SPN ?
Couldn't find much info from Info center,Any thoughts on the above are much appreciated.
Netscaler supports Kerberos impersonation and Kerberos contrained delegation. I'm not that familiar with Kerberos, take a look in their documentation
https://support.citrix.com/article/CTX222453
We are currently running a PHP application on apache httpd with mod_auth_kerb for SSO. We'd like to scale it to multiple hosts and make it highly available while we are at it.
Generally, HAproxy seems to be the recommended tool for this task, so i'll refer to this for the rest of the post - am open to alternatives here though. I haven't been able to find a way to combine HAproxy with Kerberos-based SSO - this seems to only be available for comercial load balancers (F5 for example).
We do not need the actual Kerberos ticket on the Webservers, it's literally just for authentication - is there a way to have HAproxy authenticate users via Kerberos and just pass the sAMAccountName as Header to the webservers? Alternatively full passthrough would work aswell of course.
We are setting up replication between RavenDB instances running in server mode. The instances are in different availability zones so we need a secure connection between the servers. According this this post SSL is not supported in server mode but
should be easy to add
Is there an extensibility point in the API where SSL support can be plugged in?
The API doesn't have any place for this currently, but I'm sure it would be a welcome contribution if you were so inclined to write this and submit a pull request. The underlying server is just a System.Net.HttpListener, which can be wired for ssl.
Your entry point would be at Raven.Database.Server.HttpServer.StartListening()
You would want the SSL certificate to be as easy to configure as the hostname or port. The cert itself should probably be pulled in from the Windows certificate store.