Hi I am trying to make a secure connection to a solace queue using Kerberos. I have developed a client side application using Solace JMS APIs. As far as I know we need to implement following steps for secure connection:
1) Add a keytab to Solace Keytab directory
2) Use SolAdmin to execute certain config commands on Solace
3) Import Kerberos library and set certain properties on your client side application.
Following are my doubts regarding the topic
1) I want to know if these are the steps we need to follow for a secure connection?
2) What role does a keytab play in establishing an secure connection?
3) How do I set an username and password for secure connection using kerberos or is it provided by default?
4) Other than importing the kerberos libraries and setting some properties, is there anything that should be done as part of client side application?
Keytab is used because Solace appliance as an "APP" cannot use user/pass authentication, so all the auth is in the keytab.
the logic interaction between Kerberos and Solace is as follows:
When a Kerberos authentication scheme is used for client authentication, a client must first authenticate with a Kerberos Authentication Server (AS) which grants the client a Ticket Granting Ticket (TGT) for a specified Kerberos User Principal. The TGT is typically obtained as part of a Single Sign-on procedure, such as logging into a Windows domain. With a valid TGT, a client can attempt to log onto a router using a service ticket that is in the client’s local ticket cache or has been obtained from the Ticket Granting Service (TGS). The AS and TGS (components of a Key Distribution Center (KDC)) are hosted on an external server or servers—not on a Solace router.
This authentication scheme allows a client to use the Kerberos mechanism within the GSSAPI (Generic Security Service API) to authenticate its connection with the Solace router. To authenticate with the Solace router, the client must provide a Service Ticket obtained from the KDC ticket granting service (TGS).
KDC services are hosted on an external server. The client then provides this time-stamped ‘Kerberos’ ticket to the Solace router. If the ticket is successfully validated, the client’s connection to the Message VPN is granted.
For this authentication scheme, the client’s assigned client username, which is used for subsequent client authorization, is the user principal name in the ticket provided to the router.
To use Kerberos to authenticate clients connecting to a Solace router, the following configurations are required:
client-side configuration
For clients using Solace messaging APIs, the appropriate Java distribution must be used or the appropriate Kerberos libraries must be installed for the Solace messaging API used, and the client session must use a Kerberos authentication scheme.
Solace router configuration
1. SolOS 7.0 or greater must be used.
2. A Kerberos Keytab must be loaded on the router.
3. Kerberos authentication must be configured and enabled for any Message VPNs that Kerberos-authenticated clients will connect to.
4. Optionally, a Kerberos Service Principal Name (SPN) can be assigned to the IP address for the message backbone VRF that will be
used for Kerberos authenticated clients.
Related
The error below comes up when we stage our Bluemix Liberty app, about 1 in every 10 times. If you try and authenticate, after redirection from the OpenID provider you get a popup asking you for a username and password, which seems to have no effect. Restarting the app fixes it.
CWWKS1707E: The OpenID Connect client [NTBhZGQ4MWMtN2Y5Ni00] was
unable to create an SSL context due to [CWWKS1707E: The OpenID Connect
client [NTBhZGQ4MWMtN2Y5Ni00] was unable to create an SSL context due
to [Null ssl conext]. Ensure that your SSL feature is properly
configured.]. Ensure that your SSL feature is properly configured.
This may be related to injecting the OpenID Client configuration from a user-provided service in our server.xml:
<openidConnectClient
httpsRequired="true" id="blueid" includeIdTokenInSubject="true"
authorizationEndpointUrl="https://${cloud.services.${env.openidservice}.connection.domain}/idaas/oidc/endpoint/default/authorize"
tokenEndpointUrl="https://${cloud.services.${env.openidservice}.connection.domain}/idaas/oidc/endpoint/default/token"
issuerIdentifier="https://${cloud.services.${env.openidservice}.connection.domain}"
clientId="${cloud.services.${env.openidservice}.connection.clientid}"
clientSecret="${cloud.services.${env.openidservice}.connection.clientsecret}"
mapIdentityToRegistryUser="false" scope="openid" signatureAlgorithm="RS256"
trustAliasName="${cloud.services.${env.openidservice}.connection.certificate}"
trustStoreRef="validationKeyStore"
userIdentityToCreateSubject="uniqueSecurityName">
</openidConnectClient>
The injection must be working because the clientId mentioned in the error message is correct. Not sure why the SSL context would be null. I have tried with and without an SSL element in the server.xml, but the problem still occurs.
Does anyone know what the cause might be?
From your openid connect client configuration, you do not have SSL configuration defined for openid connect client, so openid connect client is using the server's default SSL configuration. To have a definitive behavior, I would recommend that you explicitly configure SSL for openid connect client by adding "sslRef=" into openidConnectClient, and your ssl configuration must contain a trust store that has openid provider'scertificate.
i want to encrypt messages in a WCF scenario where the binding is tcp.NetBinding and the security is bound on transport.
I found out, that if i dont encrypt the messages, i dont have to make client credentialhandling between client and server.
But if i want to encryt, it seems that there has to be some kind of
client-authentication (Windows credentials, Certificate ...).
The WCF server wont start with credentials are set to Null and encryption is on.
Is it possible to encrypt messages between the client and the server without authenticating the client?
Thanks a lot
Yes, the scenario is called Transport Security with an Anonymous Client:
This Windows Communication Foundation (WCF) scenario uses transport
security (HTTPS) to ensure confidentiality and integrity. The server
must be authenticated with a Secure Sockets Layer (SSL) certificate,
and the clients must trust the server's certificate. The client is not
authenticated by any mechanism and is, therefore, anonymous.
The bare bones binding is setup as follows:
var binding = new NetTcpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
Also in this particular scenario, the security is provided by TLS over TCP to ensure confidentiality and integrity. Again all that is required is to have the client trust the certificate provided by the server. The client is not authenticated by the server and is therefore known as an anonymous client.
I have a .NET client-server system, which uses WCF for communication.
The communication must be secure. Up to now I used Windows Credentials for authentication.
But now a new requirement emerged - the system must work in a situation, when client and server are located in different domains (or the client isn't in any domain).
Windows Credentials authentication won't work in this setting. AFAIR, WCF supports following security mechanisms
Windows Authentication
X509 Certificates
Issued Tokens
Username and password.
Which of them should I use, if
I need to implement the fix with the least possible effort,
client and server are located in different domains (therefore, Windows authentication is not an option) and
the communication must be secure (the server must not process requests from unauthorized clients)
?
I have two WCF Services using WsHttpBinding with transport security mutual certificate authentication that are being hosted on the same windows server. Clients that can access one WCF service should not have access to the other WCF service. I need some help on configuring the client certificates on the windows host. The client certificates are signed by trusted CAs and the intermediate and root certificate chain is already installed on the the server. It seems like the service automatically relies on chain of trust and does not require the actual client certificates installed on the server at all before letting the client access the service - this is not the behavior I want. Can someone please tell me how I should be configuring these client certificates in order explicitly allow access to one service and not the other?
Thanks.
That has nothing to do with certificates themselves. When using mutual SSL authentication certificates are used only to authenticate client and the authentication is done outside of your application (this is difference to message security where you can create custom certificate validator). Once certificate is trusted client is automatically authenticated to anything on the server using certificates for authentication.
You are looking for authorization - the step where you define what can authenticated client do with your service. You can either hardcode your authorization logic into your service by using role based security or you can implement two custom ServiceAuthorizationManagers and assign each to single service.
This is our setup - our customers will have a database server with our database on and multiple clients running our frontend. We have some WCF services to allow the clients to request info from the database and each WCF session is authenticated with a username/password stored (encrypted) in the database. This all works fine and has been in use for a couple of years.
We're now adding the ability to sign in using a USB fingerprint reader attached to client PCs. For this we store each users' fingerprint template in the database and then upload them all to the device. The device can then tell us which user has presented their finger.
What is the best way to securely allow our fingerprint client to authenticate over the WCF service without using the user's password and without opening up the system to attack from unauthorised users?
My first thought is to define a secret key that both client and server know, encrypt it on the client with a timestamp and the logged in user id and send it to the server which can then confirm that the request came from our client.
Is this a good idea? Can an attacker just relay the same message to start an unauthorised session?
I'm not a security expert so I'd prefer an existing solution over rolling my own for obvious reasons.
We're using C# and only targetting Windows.
You could use an x509 certificate stored on the Client to provide the client credentials required for the WCF service. This would work in the same way that server security is provided via SSL certificates.
Some info on working with certificates:
MSDN - Message Security with a Certificate Client
MSDN - Working With Certificates
A word of caution would be that you would obviously have to manage the distribution and validity of certificates.
Th other alternative is to use the clients windows account for authentication purposes if the client machine is on the same domain:
Some info on working with Windows Account:
Message Security with a Windows Client