Some papers released to the web

Jun 13, 2008

I have wanted to put some of my work online for a long time now, but always put it off. But today being my last day at Hochschule Luzern, I finally can’t put it off anymore. So, here are three of the documents I wrote during my time here. (Sorry, all in German)

Authorization in Enterprise

In this project we are having a closer look at authentication and authorization technologies. We started with Sun's Access Manager and later switched to OpenSSO to gather hands-on experience with some of the new technologies. This has resulted in the following documents so far:

  • In the document “Federated Identity Management” we look closer at federation technology itself and try to explain what this term means. We also shed some light on SAML, SAML 2.0 and the Liberty Alliance's ID-FF.
  • In “Praktischer Einsatz von OpenSSO” we dive into OpenSSO. First, we have a look at its functionality and architecture. This rather theoretical part is followed by a step-by-step guide on how OpenSSO can be used, for example how an Apache web server can be protected using OpenSSO.

Security in Mobile Applications

This project was more or less done by the time I joined it. But there was still some time left to have a closer look at GSM and UMTS. This resulted in the document “GSM und UMTS – Eine Übersicht“, which tries to describe a bit of the history of the standards, how the networks are structured, what security features are implemented and how the communication protocols work.


Migrate and split a subversion repository

Jun 11, 2008

In the course of consolidating our services on Enterprise Lab resources I had to move my SVN-Repos to a new host. Not a problem by itself, simply executing the following two commands usually does the trick:

# dump repos on old host
svnadmin dump /path/to/repo > repo.dump
# load dump into the new repo
svnadmin load /path/to/repo < repo.dump

However, I decided to use this opportunity to change the layout of the repos, namely to split the projects into separate repositories. This is also not too difficult and is very well documented in the Subversion book. svndumpfilter can be used to filter a dump stream based on paths. So, in order to get a dump only containing files in the folder AuthE and below, I’d use something like the following:

svndumpfilter include AuthE < repo.dump > authe_repo.dump

So far, so good. The new dump file now contains only the folder AuthE and its content. It will still contain the top-level folder AuthE, as it did in repo.dump. In order to change this, i.e. move the content of AuthE to the repository's top level, we need to hack the dump file itself (also described in the Subversion book). If you are not up to speed with regular expressions and don’t feel like hacking up your own script to edit the dump file, you might like the Perl script svn-dump-reloc posted on the svn-dev mailing list. So, to remove the AuthE folder in authe_repo.dump, we would do the following (something like mv /AuthE/* ./):

./svn-dump-reloc AuthE/ / < authe_repo.dump > authe_reloc.dump

Now we need to remove the directive that creates the AuthE path. It got emptied by the above command, but it should be about the only directive with an empty Node-path. In my repos, the passage in question looks as follows:

Node-path:
Node-action: add
Node-kind: dir
Prop-content-length: 10
Content-length: 10

PROPS-END

Remove this whole section. Make sure you use an editor that doesn't change anything else in the dump file (like line endings). To test if all went OK you can create a repo, load the dump and then list the repository's root content.

# svnadmin create /home/isis/test_repo
# svnadmin load /home/isis/test_repo < authe_reloc.dump
# svn list file:///home/isis/test_repo
branches/
tags/
trunk/
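If you would rather not open a dump file in an editor at all, the empty-path record can be dropped programmatically. The following script is an added example, not from this post or from the Subversion project; it walks the dump stream record by record, skipping each record's payload by its declared Content-length so that file contents (binary data, blank lines) are never mistaken for headers, and removes only the "Node-path:" (empty) / "Node-action: add" / "Node-kind: dir" record that svn-dump-reloc leaves behind. Everything else is written back byte for byte. The sample dump embedded below is constructed for the example.

```python
"""Drop the left-over empty-path directory record from a Subversion dump stream.

Added example (not from the post); the SAMPLE_DUMP below is constructed.
"""
import sys
from typing import Dict, Iterator, List, Tuple

Headers = Dict[bytes, bytes]


def iter_records(data: bytes) -> Iterator[Tuple[Headers, bytes]]:
    """Yield (headers, raw_bytes) for each record of an svnadmin dump.

    A record is a block of "Key: value" lines, one blank line, exactly
    Content-length bytes of payload, then the newline(s) that pad it.
    The payload is skipped by length, so file contents containing blank
    lines or binary data are never misread as the next record's headers.
    """
    pos, end = 0, len(data)
    while pos < end:
        hdr_end = data.find(b"\n\n", pos)
        if hdr_end == -1:
            # no further complete record: pass the tail through untouched
            yield {}, data[pos:]
            return
        headers: Headers = {}
        for line in data[pos:hdr_end].split(b"\n"):
            key, sep, value = line.partition(b":")
            if sep:
                headers[key] = value.strip()
        rec_end = hdr_end + 2 + int(headers.get(b"Content-length", b"0"))
        while rec_end < end and data[rec_end:rec_end + 1] == b"\n":
            rec_end += 1
        yield headers, data[pos:rec_end]
        pos = rec_end


def is_empty_root_add(h: Headers) -> bool:
    """The record left behind after svn-dump-reloc rewrote 'AuthE/' to '/'."""
    return (h.get(b"Node-path") == b"" and h.get(b"Node-action") == b"add"
            and h.get(b"Node-kind") == b"dir")


def strip_empty_root_add(data: bytes) -> Tuple[bytes, int]:
    """Return (filtered dump, number of records removed); other bytes unchanged."""
    kept: List[bytes] = []
    removed = 0
    for headers, raw in iter_records(data):
        if is_empty_root_add(headers):
            removed += 1
            continue
        kept.append(raw)
    return b"".join(kept), removed


def node_paths(data: bytes) -> List[bytes]:
    """Paths of all node records in dump order (cheap check before svnadmin load)."""
    return [h[b"Node-path"] for h, _ in iter_records(data) if b"Node-path" in h]


# Constructed sample: one revision, the empty-path dir record, trunk/ and a
# file whose text contains a blank line (payload must be skipped by length).
SAMPLE_DUMP = (
    b"SVN-fs-dump-format-version: 2\n\n"
    b"UUID: 00000000-0000-0000-0000-000000000000\n\n"
    b"Revision-number: 1\nProp-content-length: 10\nContent-length: 10\n\n"
    b"PROPS-END\n\n"
    b"Node-path: \nNode-action: add\nNode-kind: dir\n"
    b"Prop-content-length: 10\nContent-length: 10\n\nPROPS-END\n\n\n"
    b"Node-path: trunk\nNode-action: add\nNode-kind: dir\n"
    b"Prop-content-length: 10\nContent-length: 10\n\nPROPS-END\n\n\n"
    b"Node-path: trunk/README\nNode-action: add\nNode-kind: file\n"
    b"Prop-content-length: 10\nText-content-length: 13\nContent-length: 23\n\n"
    b"PROPS-END\nhello\n\nworld\n\n\n"
)


if __name__ == "__main__":
    # usage: python strip_root.py < authe_reloc.dump > authe_clean.dump
    out, n = strip_empty_root_add(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out)
    print(f"removed {n} record(s)", file=sys.stderr)
```

The script reads and writes raw bytes on purpose: a text-mode editor that normalises line endings or re-encodes content would corrupt the Content-length accounting, which is exactly the pitfall the paragraph above warns about. Running node_paths on the result before svnadmin load gives the same overview as the svn list check.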


Shibboleth 2.0 IdP with OpenSSO SP

Mar 4, 2008

I’ve just finished a walkthrough for configuring OpenSSO to work as an SP with a Shibboleth 2.0 IdP using SAML 2.0. You can find the article on our enterpriselab wiki.

This scenario uses the SAML 2.0 POST profile between a Shib2 RC2 IdP and an OpenSSO Build 3 SP. There are still some things to be done to make OpenSSO a “real” Shibboleth SP (at least for SAML 2.0):

  • automated, regular import of SAML 2.0 Metadata
  • some account mapper that reads username/organization from the assertion

Import private key into Java Keystore

Feb 13, 2008

While trying to get OpenSSO to work with Shibboleth 2, I had to import a certificate and private key into a Java Keystore. This caused some sort of déjà vu. I had to do the same thing about two months ago while I was trying to get OpenSSO and Shib 1.3 to talk to each other. So I googled this stuff once again just to find the source files involved in this particular solution still lying around in my $HOME.

Now I’m writing it down, maybe I’ll need this one again sometime. Here is the article.


OpenSSO SP with Shibboleth 1.3 IdP

Feb 11, 2008

I recently managed to get OpenSSO working as an SP together with a Shibboleth 1.3 IdP in aaitest. Besides figuring out how the names of the configuration fields map between OpenSSO and Shib, I also had to write a small OpenSSO plugin to read the username from the Shib assertion and make it available to OpenSSO. This is because Shibboleth doesn’t send the username in the authentication statement (where OpenSSO expects it), but in the attributes section.

This scenario uses SAML 1.1 POST, my own Shib 1.3 IdP with attribute push enabled and some self-compiled OpenSSO CVS version (but it should also work with official builds and Sun's Access Manager). You can find a step-by-step guide for this setup here.


Shibboleth IdP and SP running in aaitest

Dec 6, 2007

During the past few days I have set up an IdP and an SP running in the aaitest federation of Switch. The federation is based on Shibboleth, which is an implementation of SAML 1.1. Switch has nice documents about installing IdPs and SPs on various OSes.

My IdP is running Shib 1.3.3 on Solaris 10 in a Tomcat-only installation (instructions). For user authentication/SSO I use CAS2 with esup (instructions) and Windoze 2003R2 with AD. CAS is the Central Authentication System originally developed at Yale University.

The SP runs on Ubuntu 7.10 with Apache 2.2 and the Shibboleth SP that comes with Ubuntu (some of here). Both servers have their own certificate signed by the aaitest CA.

If you’re located in the intranet, you can reach the Service Provider here. On the WAYF choose “HSLU EL Test IdP” and use bilbo/bilbo to login. If it doesn’t work, I’m probably “fixing” things.

An eye for an eye (IdP)

My first approach was to just get a wildcard cert (*.el.hta.fhz.ch), so I could use the same one on every host. This was a bad idea! Apparently, this is not supported by Shibboleth's SAML library, at least according to this message. I found other hints that these star certs can lead to problems with programs which evaluate certificates. So, this was a no-go and I requested two certs, one for each server. And magically, the problems began to disappear, or at least leave a *useful* log message.

Next I encountered a nice exception:
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] ...
Damn! Deeper in the stack trace it became evident that Tomcat had a problem with verifying the certificate of my CAS server (in this case itself). To resolve this I just had to make Tomcat use a truststore containing the aaitest certificate (the truststore.jks used by the Shib IdP is just fine). I did this by adding the following right below the comments of $TOMCAT_HOME/bin/catalina.sh (see also here under CAS); note that there must be no space between trustStore= and the path:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/tomcat/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"

Strong progress, now I already received a Shibboleth error page :-) : org.opensaml.SAMLException: Invalid assertion consumer service URL
This exception was caused by crap metadata about my SP that I hacked into metadata.aaitest.xml because I thought it was necessary. Just don’t enter metadata about your SP on your own, use the AAI Resource Registry instead. I deleted this erroneous entry and inserted an entry into the IdP's ARP (Attribute Release Policy) to release attributes to AnyTarget.

On the topic of metadata: I had already figured that the metadata for the IdP could be important and hacked it in early enough (before I got an exception for not doing it; if you didn’t, you may receive something like “Unauthorized Identity Provider”). I copied the entry of some aaitest IdP and changed some fields, hostnames and key names. The proper way to do this would be to use the AAI Resource Registry.

A tooth for a tooth (SP)

The SP was much simpler to set up, at least on Linux (even compiling the whole shit has been a walk in the park). On Ubuntu Server, you don’t even need to do this compiling thingy, just aptitude install libapache2-mod-shib and you are done. Internet2 also provides RPMs and other package formats (look here).

After the SP was installed, the configuration part had to be done. I followed another nice Switch HOWTO, which also explains how you’d have to compile the SP. If you don’t follow the complete guide (e.g. because you skip the compiling part), pay attention to the various paths inside the config files.

So far, I didn’t have success on Solaris 10, but I only tried with the packages provided for Solaris 8 by the Shib guys. I think I had some mismatch between the compiler and the versions the packages were compiled against. At least the Apache thread exited with SIGSEGV or something, every single time I requested a Shib-protected page.


A LyX layout for Hochschule Luzern T&A

Nov 22, 2007

For most of my writing tasks I use LyX. I didn’t feel like learning LaTeX when I decided to turn my back on conventional Word Processors like MS Word or OpenOffice, so I gave LyX a try, and I have not been disappointed.

With the beginning of the new semester, a new corporate design for the Hochschule Luzern has been introduced. Of course, there came no LaTeX style with it, just a bunch of halfway usable MS Word templates (the users cursing them were already in place, waiting for this trigger).

So I decided to hack something like a LyX/LaTeX style together which resembles those Word templates (without the cursing-users part, of course). The template is not identical to the official templates, however. I don’t like page numbers on top left, for example.

You can find a template for a paper together with a small guide on how to use it HERE. I borrowed the idea for this template from the UNSW thesis template.