Thursday 27 August 2015

Certificate chain, PingFederate/PingAccess

Neither the current version of PingFederate (8.0) nor PingAccess (3.2) fixes the SSL certificate chain automatically: even if you have the intermediate certificate installed, the server still sends only its own certificate, so clients that do not already hold the intermediate cannot validate the chain.

To fix this you simply need to perform the following steps:

1) Determine which intermediate certificate was used to sign the SSL certificate. You can find it by noting the Issuer DN when viewing the certificate details; it must match the Subject DN of the intermediate. Export the intermediate certificate to a file.

2) Check your runtime server certificate and export only the certificate (the public part, no private key) to a file.

3) Combine the exported runtime server certificate with the intermediate certificate into a single PKCS#7 bundle. To do this, use the following openssl command:

openssl crl2pkcs7 -nocrl -certfile yourruntimeserversSSLpublickey.crt -certfile publickeyintermediateca.crt -outform PEM -out csr_response.p7

4) Now import the resulting p7 file. You do this by simply choosing Import CSR response for the runtime server certificate.

5) To test that PingFederate/PingAccess is indeed including the intermediate certificate when negotiating SSL, run the following command (add < /dev/null so s_client exits after the handshake). The Certificate chain section of the output should list both the server certificate (entry 0) and the intermediate (entry 1):

openssl s_client -connect yourservername:443 -showcerts
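The whole procedure, end to end, as an added example that is not part of the original post: it builds a throwaway root CA, intermediate CA and server certificate with openssl, performs the issuer check from step 1, bundles the server and intermediate certificates into the PKCS#7 file from step 3, and then verifies that the bundle contains both certificates and that a client can chain the server certificate to the root through it. The scratch directory $WORK, all DNs and the file names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate
# -> server chain, bundle server + intermediate into the PKCS#7 file the post imports
# as a CSR response, and check the bundle the way a client would.
# Assumed/hypothetical: the scratch directory $WORK and every DN below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA, intermediate CA (CA:TRUE) and a server certificate signed by the intermediate.
# Idempotent so it can be called more than once.
make_chain() {
  [ -f "$WORK/server.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/intermediate.ext"
  openssl x509 -req -days 30 -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/intermediate.ext" \
    -out "$WORK/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=yourservername" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Step 1: the server certificate's Issuer DN must equal the intermediate's Subject DN.
# Comparing OpenSSL's name hashes avoids DN formatting differences between versions.
issuer_is_intermediate() {
  iss=$(openssl x509 -in "$WORK/server.crt" -noout -issuer_hash)
  sub=$(openssl x509 -in "$WORK/intermediate.crt" -noout -subject_hash)
  [ "$iss" = "$sub" ]
}

# Step 3: bundle the server certificate and the intermediate into a PEM PKCS#7.
build_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -certfile "$WORK/intermediate.crt" \
    -outform PEM -out "$WORK/csr_response.p7"
}

# Number of certificates inside the bundle (expected: 2).
bundle_cert_count() {
  openssl pkcs7 -in "$WORK/csr_response.p7" -print_certs -noout | grep -c '^subject'
}

# What a client does after the handshake: chain server.crt to the trusted root using
# only the certificates carried in the bundle as untrusted intermediates.
chain_verifies() {
  openssl pkcs7 -in "$WORK/csr_response.p7" -print_certs -out "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.pem" "$WORK/server.crt" >/dev/null
}

make_chain
issuer_is_intermediate
build_bundle
echo "certificates in csr_response.p7: $(bundle_cert_count)"
chain_verifies
echo "server.crt chains to root.crt via the bundled intermediate"
```

If the issuer check fails, you exported the wrong intermediate (or a cross-signed variant of it); fix that before building the bundle, because the import will succeed even when the chain is wrong and only the s_client test in step 5 would reveal it.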

Wednesday 26 August 2015

Disable SSLv3 in PingFederate

If you are running PingFederate 7.x or older, SSLv3 is enabled. Since SSLv3 is considered insecure I wanted to remove it from our PingFederate systems.

You disable SSLv3 quite easily by editing the following configuration file:

$INSTALLDIR/pingfederate/etc/jetty-runtime.xml

Search for a line which looks like this:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>

It should look like this instead, with an explicit protocol list that leaves SSLv3 out (the element must still be closed):

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory">
    <Set name="includeProtocols">
        <Array type="java.lang.String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
        </Array>
    </Set>
</New>

Restart PingFederate afterwards and confirm with a scanner (or openssl s_client -ssl3 against the runtime port) that an SSLv3 handshake is now refused.


PingFederate 8 and newer have SSLv3 disabled by default.

Wednesday 15 July 2015

Compile 32-bit OpenSSL on a 64-bit system

I had to compile a 32-bit version of OpenSSL on a 64-bit server today. It took me a while to figure it out, but you simply must use the Configure script (not the config wrapper, which auto-detects the 64-bit host) and pass both the -m32 compiler flag and the linux-generic32 target when you build 32-bit on 64-bit. Example:

./Configure no-zlib no-krb5 enable-tlsext shared -m32 linux-generic32 --prefix=/home/peter/32bitopenssl-install

After make and make install, check the result with file on the installed libssl/libcrypto shared objects; they should be reported as ELF 32-bit. You also need the 32-bit C runtime and development headers installed on the build host, or the compile fails at the first #include.

Converting .p12 file to a pem

In some cases you want to convert p12 certificate files (PingFederate uses p12 files, for example) to PEM files instead. This is easily done with openssl commands. Two caveats: -nodes writes the private key to disk unencrypted, so restrict the file's permissions and delete it when you are done; and -passin pass:... exposes the password in the process list and your shell history, so prefer -passin file:... or -passin env:VAR on shared systems.

Certificate conversion:
$ openssl pkcs12 -in certificateandkey.p12 -out server.crt -clcerts -nokeys -passin pass:YourSecretPassword
MAC verified OK

Key conversion:
$ openssl pkcs12 -in certificateandkey.p12 -out server.key -nocerts -nodes -passin pass:YourSecretPassword
MAC verified OK

Done!
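The conversion above as a complete round trip, added here as an example that is not part of the original post: it creates a PKCS#12 file from a throwaway self-signed certificate, splits it into server.crt and server.key with exactly the two openssl pkcs12 commands from the post, and then checks that the extracted key really belongs to the extracted certificate by comparing their public keys. The scratch directory $WORK, the CN and the password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): PKCS#12 -> PEM round trip with a
# key/certificate match check.
# Assumed/hypothetical: $WORK scratch dir, the CN and the password below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="YourSecretPassword"   # constructed test password

# Build certificateandkey.p12 from a fresh self-signed certificate (idempotent).
make_p12() {
  [ -f "$WORK/certificateandkey.p12" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=pingfederate.example" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -out "$WORK/certificateandkey.p12" -passout "pass:$P12PASS"
}

# Certificate conversion: -clcerts -nokeys writes only the end-entity certificate,
# never the private key and not the CA certificates that may also be in the p12.
extract_cert() {
  openssl pkcs12 -in "$WORK/certificateandkey.p12" -out "$WORK/server.crt" \
    -clcerts -nokeys -passin "pass:$P12PASS"
}

# Key conversion: -nodes writes the private key unencrypted, so create the file with
# owner-only permissions. The umask change is confined to the subshell.
extract_key() {
  ( umask 077
    openssl pkcs12 -in "$WORK/certificateandkey.p12" -out "$WORK/server.key" \
      -nocerts -nodes -passin "pass:$P12PASS" )
}

# The key belongs to the certificate if and only if both carry the same public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

make_p12
extract_cert
extract_key
key_matches_cert
echo "server.crt and server.key match"
```

The public-key comparison is the check worth keeping in any conversion script: a p12 exported from a keystore with several entries can hand you a certificate and a key from different entries, and a mismatch only shows up later as a failed TLS handshake.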

Tuesday 14 July 2015

OpenSSL, recompile with -fPIC

Today I got the following error when compiling OpenSSL 1.0.2d:

/usr/bin/ld: libcrypto.a(x86_64-gcc.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC

The linker is saying that an object inside the static libcrypto.a was built with absolute (non position-independent) addressing and therefore cannot be pulled into a shared object. I solved this by configuring OpenSSL with -fPIC:

./config -fPIC shared no-zlib no-krb5 no-mdc2 enable-tlsext --prefix=/usr/local/openssl-1.0.2d

However, it is important to run make clean before compiling again; otherwise the non-PIC object files from the previous build are reused and the error stays.

Disable Secure Client-Initiated Renegotiation in PingAccess

If you have a system running PingAccess, you may have noticed when scanning it with the SSL Labs scanner that it supports Secure Client-Initiated Renegotiation, which is not good from a security point of view: a client can force the server through repeated, expensive renegotiation handshakes.

So how do you disable it? Since PingAccess is a Java application, it relies on the JVM to disable it. The easiest way is to pass the jdk.tls.rejectClientInitiatedRenegotiation system property to the JVM in run.sh (or run.bat):

"$JAVA" -classpath "$CLASSPATH" $JAVA_OPTS \
        -Djavax.net.ssl.sessionCacheSize=5000 \
        -Djava.net.preferIPv4Addresses=true \
        -Djava.net.preferIPv4Stack=true \
        -Djava.net.preferIPv6Addresses=false \
        -Djava.awt.headless=true \
        -Djdk.tls.rejectClientInitiatedRenegotiation=true \
        -Dpa.jwk="$pajwk" \
        -Dblitz4j.configuration="$BLITZ_PROPS" \
        -Drun.properties="$runprops" \
        -Dbootstrap.properties="$bootprops" \
        -Dpa.home="$PA_HOME" \
                com.pingidentity.pa.cli.Starter "$@"


By adding that one -Djdk.tls.rejectClientInitiatedRenegotiation=true line you have disabled Secure Client-Initiated Renegotiation in PingAccess. Restart PingAccess and re-run the scan to confirm that the finding is gone.

OGNL script in PingFederate for allowing different OAuth scopes depending on group membership

When configuring OAuth 2.0 in PingFederate you can, via issuance criteria, require that a user is a member of an LDAP group to be able to get an OAuth 2.0 token. But in some cases you have a mobile application with several scopes, and you do not want to give access to all scopes to all users in one group. So here is a little OGNL sample on how to grant different scopes depending on group membership in LDAP: if the requested scopes contain scope1 the user must be a member of scope1group, if they contain scope2 the user must be a member of scope2group, and anything else is refused. Note that the checks are ordered, so a request that asks for both scope1 and scope2 is only gated on scope1group, and that the matches are case-insensitive substring matches, so scope names must not be prefixes of one another (scope1 would also match scope10).

#this.get("context.OAuthScopes").toString().matches("(?i).*scope1.*")?#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope1group,OU=groups,O=ldap.*")?@java.lang.Boolean@TRUE:@java.lang.Boolean@FALSE:#this.get("context.OAuthScopes").toString().matches("(?i).*scope2.*")?#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope2group,OU=groups,O=ldap.*")?@java.lang.Boolean@TRUE:@java.lang.Boolean@FALSE:@java.lang.Boolean@FALSE

Hopefully this is useful for someone out there!