Introducing OpenIG Studio

This blog post was first published @ http://identityrocks.blogspot.fr/, included here with permission.

According to the Twelve-Factor App, OpenIG [1] configuration is considered code [2]. Organizations are moving towards “headless” deployment models, meaning that beyond the development stage, administration consoles and management APIs are disabled. It is the continuous integration and delivery pipeline that takes care of bringing a change from development to production in an automated way.

With this in mind, and combined with the need to simplify the creation of OpenIG application protections (routes), we decided to build an IDE-type utility, OpenIG Studio. OpenIG Studio lets you visually build an application or API protection (a route), enabling message capture, throttling, authentication, authorization and statistics gathering. It also allows rapid prototyping of what is being built.

You can test drive OpenIG Studio without hassle via Docker. It only takes a couple of docker commands to get OpenIG running. Then point a browser to http://localhost:8080/openig/studio and create an application/API protection.

You can export the configuration (ahem, code), feed it to your source code management system (e.g. git) and ultimately to the continuous delivery pipeline.

For example:

{
  "name": "rocksock",
  "baseURI": "http://internal.company.com:9080",
  "condition": "${matches(request.uri.path, '^/rocksock')}",
  "monitor": false,
  "handler": "ClientHandler"
}
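Once routes are exported and committed like any other code, the pipeline can lint them before they reach the gateway. The following is an added example, not part of the original post or of OpenIG itself: a small Python check that parses an exported route, requires the keys present in the sample above, flags a plain-http baseURI (the gateway-to-backend hop would be unencrypted) and verifies that the path regex in the condition compiles and is anchored. The required-key list and the use of Python's re as a stand-in for the Java regex OpenIG evaluates are this example's own assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: the route exported from OpenIG Studio in the post above.
SAMPLE_ROUTE = """{
  "name": "rocksock",
  "baseURI": "http://internal.company.com:9080",
  "condition": "${matches(request.uri.path, '^/rocksock')}",
  "monitor": false,
  "handler": "ClientHandler"
}"""

# Keys every exported route must carry under this check (a lint policy, not an OpenIG rule).
REQUIRED_KEYS = ("name", "baseURI", "condition", "handler")

# Recognises the matches(request.uri.path, '<regex>') form seen in the exported route.
CONDITION_RE = re.compile(r"^\$\{matches\(request\.uri\.path,\s*'([^']*)'\)\}$")


def lint_route(text, allow_plain_http=False):
    """Return a list of findings for one exported route; an empty list means clean."""
    try:
        route = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(route, dict):
        return ["route is not a JSON object"]

    findings = [f"missing required key '{k}'" for k in REQUIRED_KEYS if k not in route]

    base = route.get("baseURI")
    if isinstance(base, str):
        parsed = urlparse(base)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"baseURI is not an absolute http(s) URL: {base!r}")
        elif parsed.scheme == "http" and not allow_plain_http:
            findings.append("baseURI uses plain http; the gateway-to-backend hop is unencrypted")

    cond = route.get("condition")
    if isinstance(cond, str):
        match = CONDITION_RE.match(cond)
        if match is None:
            findings.append("condition is not a matches(request.uri.path, '...') expression; review by hand")
        else:
            pattern = match.group(1)
            try:
                # Python's re only approximates the Java regex OpenIG evaluates, but it
                # catches obvious syntax errors before the route is committed.
                re.compile(pattern)
            except re.error as exc:
                findings.append(f"condition regex {pattern!r} does not compile: {exc}")
            if not pattern.startswith("^"):
                findings.append(f"condition regex {pattern!r} is not anchored at the start of the path")
    return findings


def lint_files(paths, **kwargs):
    """Lint several route files, e.g. from a pre-commit hook; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = lint_route(fh.read(), **kwargs)
    return results


if __name__ == "__main__":
    import sys
    report = lint_files(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": lint_route(SAMPLE_ROUTE)}
    for path, findings in report.items():
        print(path, "OK" if not findings else "\n  " + "\n  ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

Run with no arguments it lints the embedded sample and reports the plain-http baseURI; pass route file paths to lint a directory of exports, with a non-zero exit code to stop the pipeline.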

Now that the configuration (ahem, code) is built, how do you test it rapidly? As the studio is packaged with the OpenIG war file, the new configuration can be pushed to this running OpenIG instance. Press “Deploy”!

What all these configuration options are useful for, how to shut down the studio in production deployments and how to deal with deployment environment specific parameters merit separate contemplation.

The studio will be shipped with ForgeRock Identity Gateway 5.0.

Notes

[1] OpenIG is an identity gateway integrating (legacy) applications with modern digital identity tokens and procedures. Based on a reverse proxy type architecture, it can enforce authentication and authorization for access to web applications or APIs.
[2] With the exception of deployment environment specific settings. OpenIG provides a way to deal with these following Twelve-Factor App recommendations.

DDoS Attacks leveraging LDAP!

Photo by Christiaan Colen

Yesterday, DDoS mitigation provider Corero Network Security disclosed a zero-day distributed denial of service (DDoS) attack technique, observed in the wild, that is capable of amplifying malicious traffic by a factor of as much as 55x. Several sites published the story as “Attackers are now abusing exposed LDAP servers to amplify DDoS attacks”.

According to Corero, the attacks exploited the Lightweight Directory Access Protocol (LDAP), but reading the details of the press release, it appears that the attackers were using Connectionless LDAP (CLDAP) services.

In this case, the attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and using address spoofing makes it appear to originate from the intended victim. The CLDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target.

Connectionless LDAP is a very old technical specification, published in 1995 as RFC 1798. In 2003, this specification was obsoleted by RFC 3352 and moved to historical status. One of the main reasons for obsoleting the proposed standard was its insufficient security capabilities.
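From the victim's side, the reflection described above has a recognisable shape: UDP replies from source port 389 arriving from many directory servers that the victim never queried. The following is an added example, not part of the original post: a Python detector that runs over constructed NetFlow-style records, pairs inbound UDP/389 replies with outbound queries from the same local host, and reports any local address receiving unsolicited replies from several distinct reflectors. The record layout, the "10." local prefix and the min_sources threshold are this example's own assumptions, and the sample flows are made up.

```python
from collections import defaultdict

CLDAP_PORT = 389

# Constructed border flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # A local host sends a CLDAP query and gets a (larger) reply back: solicited, benign.
    ("10.0.0.5", 55123, "192.0.2.10", 389, "udp", 120),
    ("192.0.2.10", 389, "10.0.0.5", 55123, "udp", 1400),
    # Replies from several CLDAP servers to a local host that never sent them a query:
    # each reflector answered a spoofed request carrying the victim's address.
    ("198.51.100.7", 389, "10.0.0.99", 80, "udp", 3000),
    ("198.51.100.8", 389, "10.0.0.99", 80, "udp", 3000),
    ("198.51.100.9", 389, "10.0.0.99", 443, "udp", 3000),
    ("203.0.113.44", 389, "10.0.0.99", 80, "udp", 3000),
    # Unrelated TCP LDAP traffic is ignored by the detector.
    ("10.0.0.5", 40000, "192.0.2.10", 389, "tcp", 500),
]


def detect_cldap_reflection(flows, local_prefix="10.", min_sources=3):
    """Flag local hosts receiving UDP/389 replies they never requested.

    Returns {victim_ip: {"reflectors": [...], "bytes": total}} for every local
    address that received unsolicited CLDAP replies from at least min_sources
    distinct remote hosts.
    """
    requested = set()  # (local_ip, remote_ip) pairs where the local host sent a query
    unsolicited = defaultdict(lambda: defaultdict(int))  # local_ip -> remote_ip -> bytes

    # First pass: record which remote CLDAP servers each local host actually queried.
    for src, _sport, dst, dport, proto, _nbytes in flows:
        if proto == "udp" and dport == CLDAP_PORT and src.startswith(local_prefix):
            requested.add((src, dst))

    # Second pass: inbound UDP/389 replies with no matching request are reflection traffic.
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto == "udp" and sport == CLDAP_PORT and dst.startswith(local_prefix):
            if (dst, src) not in requested:
                unsolicited[dst][src] += nbytes

    findings = {}
    for victim, by_source in unsolicited.items():
        if len(by_source) >= min_sources:
            findings[victim] = {
                "reflectors": sorted(by_source),
                "bytes": sum(by_source.values()),
            }
    return findings


if __name__ == "__main__":
    for victim, info in detect_cldap_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['bytes']} bytes of unsolicited CLDAP replies "
              f"from {len(info['reflectors'])} reflectors: {', '.join(info['reflectors'])}")
```

Matching on the (local, remote) address pair rather than on ports keeps the check tolerant of NAT; the distinct-source threshold is what separates a reflection flood from a single stray reply. The same flow data also answers the exposure question on the other side: a directory server of your own that answers UDP/389 from the internet is a reflector for someone else.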

OpenDJ, the open source LDAP Directory Services in Java, has never supported CLDAP and thus cannot be used in such an attack. So, if you are a ForgeRock customer, you should not worry about this kind of attack. But if you’re running a legacy product that has CLDAP enabled by default, it is probably time to think about moving to a more recent and up to date directory service, such as OpenDJ.

Filed under: Directory Services, security Tagged: ActiveDirectory, attack, ddos, directory, Directory Services, directory-server, ldap, opendj, security

This blog post was first published @ ludopoitou.com, included here with permission.

Paris Identity Summit, 15 November 2016

The French edition of the Identity Summit will take place on Tuesday 15 November in Paris, at the Cercle National des Armées.

The Identity Summit is the event where you can understand how digital identity is at the heart of security, of digital transformation and of the connected-objects revolution. It is also the opportunity to hear customer experiences with the ForgeRock Identity Platform, to meet other customers and share your needs or experience, to talk with the partners who carry out the implementations, and to get a preview of the upcoming evolutions of the ForgeRock solution…

To register, go here: https://summits.forgerock.com/paris/ and get a 50% discount with the code Summit50.

I hope to meet you there!

Filed under: Identity, InFrench Tagged: conference, ForgeRock, identité, IdentitySummit, Paris

This blog post was first published @ ludopoitou.com, included here with permission.

ForgeRock 3.2.2 doc tools released

This blog post was first published @ marginnotes2.wordpress.com, included here with permission.

ForgeRock doc tools 3.2.2 were released today.

This is a maintenance release, compatible with earlier 3.2.x releases.

ForgeRock doc tools 3.2.2 includes the following components:

  • forgerock-doc-maven-plugin
  • forgerock-doc-common-content
  • forgerock-doc-default-branding

This release resolves bugs and includes several improvements. For details, see the release notes.

Big thanks once again for enhancements, for identifying problems, and for help debugging.

Thanks to Chris Lee, Cristina Herraz, Joanne Henry, Lana Frost, Lori Goldman, David Goldsmith, Gene Hirayama, and Mike Jang for fixes, improvements, testing and bug reports.

Thanks also to the ForgeRock BackStage team for their help and continued improvements to release documentation.

Managing OpenDJ with REST

OpenDJ, the open source LDAP Directory Server, was the first to propose a native HTTP REST / JSON access to the data.

In the next major release, OpenDJ will be providing many enhancements to the REST interface, that I will describe in a series of posts. To start with, let’s talk about the new administrative interfaces added to manage the OpenDJ server.

When the HTTP access is enabled, OpenDJ creates by default 2 administrative endpoints: /admin/config and /admin/monitor.

/admin/config provides read-write access to the configuration, with the same view and hierarchy of objects as the LDAP access. All of the operations that are possible with the dsconfig command can be done over LDAP, and now over REST. As a matter of fact, the /admin/config API is automatically generated from the same XML description files that are used to generate the LDAP view and the dsconfig command line utilities. This means that any extension or plugin added to the server will also be exposed via REST without additional code.

[Screenshot: query of the /admin/config endpoint listing all backends, made by a user with the config-read privilege]

Above is an example of a query of the /admin/config endpoint, asking for all backends, done as a user who has the privilege to read the configuration. A similar query done with a user that doesn’t have the config-read privilege fails as below:

$ curl -s -u user.2 http://localhost:8080/admin/config/backends/userRoot
Enter host password for user 'user.2':
{
 "message" : "Insufficient Access Rights: You do not have sufficient privileges to perform search operations in the Directory Server configuration",
 "code" : 403,
 "reason" : "Forbidden"
}

/admin/monitor provides a read-only view on all of the OpenDJ monitoring information that was already accessible via LDAP under the "cn=Monitor" naming context, and JMX.

$ curl -s -u user.0 http://localhost:8080/admin/monitor/
Enter host password for user 'user.0':
{
 "_id" : "monitor",
 "upTime" : "0 days 2 hours 49 minutes 54 seconds",
 "currentConnections" : "1",
 "totalConnections" : "32",
 "currentTime" : "20161024103215Z",
 "startTime" : "20161024074220Z",
 "productName" : "OpenDJ Server",
 "_rev" : "00000000644a67b2",
 "maxConnections" : "3"
}

The /admin REST endpoints can be protected with different authorization mechanisms, from HTTP basic to OAuth2. And the whole endpoint can be disabled as well if needed using dsconfig.
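The two curl calls above translate directly into a scripted health check. The following is an added example, not part of the original post or of OpenDJ: a Python probe that fetches /admin/monitor and /admin/config/backends/userRoot with HTTP Basic authentication, turns the JSON error document (message, code, reason) into an operator-readable diagnosis, and casts the monitor counters, which arrive as JSON strings, to integers. The base URL, the user names and the endpoint paths are taken from the post; the sample bodies are constructed copies of the responses shown there, and the HTTP status interpretations beyond the 403 shown above are this example's own assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample bodies with the same shape as the responses shown above.
SAMPLE_MONITOR = {
    "_id": "monitor",
    "upTime": "0 days 2 hours 49 minutes 54 seconds",
    "currentConnections": "1",
    "totalConnections": "32",
    "currentTime": "20161024103215Z",
    "startTime": "20161024074220Z",
    "productName": "OpenDJ Server",
    "_rev": "00000000644a67b2",
    "maxConnections": "3",
}
SAMPLE_FORBIDDEN = {
    "message": "Insufficient Access Rights: You do not have sufficient privileges "
               "to perform search operations in the Directory Server configuration",
    "code": 403,
    "reason": "Forbidden",
}


def admin_get(base_url, path, user, password, timeout=5):
    """GET an /admin resource with HTTP Basic auth; returns (status, JSON body or None)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # OpenDJ answers errors with a JSON document (message/code/reason); keep it if parseable.
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, None


def interpret(status, body):
    """Turn a (status, body) pair into a one-line diagnosis for an operator."""
    if status == 200:
        return "ok"
    message = body.get("message", "") if isinstance(body, dict) else ""
    if status == 401:
        return "authentication failed: check the credentials and the authorization mechanism configured on /admin"
    if status == 403:
        return f"forbidden: {message} (the bound user lacks the required privilege, e.g. config-read)"
    if status == 404:
        return "not found: the path is wrong or the endpoint is not enabled"
    return f"unexpected HTTP {status}: {message}"


def parse_monitor(body):
    """Pick the counters out of /admin/monitor; they arrive as JSON strings, so cast them."""
    counters = {k: int(body[k]) for k in ("currentConnections", "totalConnections", "maxConnections")}
    return {"product": body["productName"], "upTime": body["upTime"], **counters}


def probe(base_url, user, password):
    """Check both administrative endpoints and return a summary dict."""
    status, body = admin_get(base_url, "/admin/monitor/", user, password)
    summary = {"monitor": interpret(status, body)}
    if status == 200:
        summary.update(parse_monitor(body))
    status, body = admin_get(base_url, "/admin/config/backends/userRoot", user, password)
    summary["config"] = interpret(status, body)
    return summary


if __name__ == "__main__":
    import getpass
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    user = sys.argv[2] if len(sys.argv) > 2 else "user.0"
    print(json.dumps(probe(url, user, getpass.getpass(f"password for {user}: ")), indent=2))
```

Running the probe as user.2 reproduces the 403 from the post under the "config" key while the monitor section still succeeds, which makes the privilege split between the two endpoints visible in one call; over plain http the Basic credentials travel in clear, so point it at an HTTPS connection handler outside a lab.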

These administrative REST endpoints can be tested with the OpenDJ nightly builds. They are also available to ForgeRock customers as part of our latest update of the ForgeRock Identity Platform.

Filed under: Directory Services Tagged: administration, directory, Directory Services, directory-server, ForgeRock, Json, ldap, opensource, REST, rest2ldap

This blog post was first published @ ludopoitou.com, included here with permission.
