Neither the current version of PingFederate (8.0) nor PingAccess (3.2) builds the SSL certificate chain automatically, even if you have the intermediate certificate installed.
To fix this you simply need to perform the following steps:
1) Determine which intermediate certificate was used to sign the SSL certificate. You can find it by noting the Issuer DN when viewing the certificate details. Export it to a file.
2) Check your runtime server certificate and export only the public key to a file.
3) Combine the exported public key of your runtime server certificate with the intermediate's public key. To do this, use the following openssl command:
openssl crl2pkcs7 -nocrl -certfile yourruntimeserversSSLpublickey.crt -certfile publickeyintermediateca.crt -outform PEM -out csr_response.p7
4) Now import the resulting p7 file. You do this by simply choosing Import CSR response.
5) To verify that PingFederate/PingAccess is indeed including the intermediate certificate when negotiating SSL, you can test with the following command, which should show both the server and the intermediate certificate in the response:
openssl s_client -connect yourservername:443 -showcerts
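To check the result of step 5 without reading the raw output by eye, here is an added Python example (not from the original post or from Ping Identity) that parses the "Certificate chain" section of `openssl s_client -showcerts` output and confirms that the intermediate noted in step 1 is actually sent after the server certificate; the sample output and DNs are constructed placeholders.

```python
import re

# Constructed sample of the "Certificate chain" block printed by
# `openssl s_client -showcerts`; DNs are placeholders, PEM bodies omitted.
SAMPLE_WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=SE/O=Example/CN=sso.example.com
   i:/C=SE/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...(omitted)...
-----END CERTIFICATE-----
 1 s:/C=SE/O=Example CA/CN=Example Intermediate CA
   i:/C=SE/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...(omitted)...
-----END CERTIFICATE-----
---
"""
# The same server before the fix: only the leaf certificate is sent.
SAMPLE_LEAF_ONLY = "\n".join(SAMPLE_WITH_INTERMEDIATE.splitlines()[:6]) + "\n---\n"

# The Issuer DN noted in step 1 (placeholder value).
INTERMEDIATE_DN = "/C=SE/O=Example CA/CN=Example Intermediate CA"

# One chain entry: index, subject line, issuer line.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(showcerts_output)]


def chain_is_linked(chain):
    """Each certificate's issuer must be the subject of the next one."""
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))


def intermediate_served(chain, intermediate_dn):
    """True when the leaf is issued by intermediate_dn and that
    intermediate is actually included after the leaf in the handshake."""
    if not chain or chain[0][1] != intermediate_dn:
        return False
    return any(subject == intermediate_dn for subject, _ in chain[1:])


if __name__ == "__main__":
    for label, sample in (("fixed", SAMPLE_WITH_INTERMEDIATE), ("leaf only", SAMPLE_LEAF_ONLY)):
        chain = parse_chain(sample)
        print(label, len(chain), "certs, linked:", chain_is_linked(chain),
              "intermediate served:", intermediate_served(chain, INTERMEDIATE_DN))
```

Against a live server, feed the output of the s_client command above into parse_chain instead of the constructed samples.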
Thursday 27 August 2015
Wednesday 26 August 2015
Disable SSLv3 in PingFederate
If you are running PingFederate 7.x or older, you have SSLv3 enabled. Since SSLv3 is considered insecure, I wanted to remove it from our PingFederate systems.
You disable SSLv3 quite easily by changing the following configuration file:
$INSTALLDIR/pingfederate/etc/jetty-runtime.xml
Search for a line which looks like this:
<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>
It should look like this instead:
<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory">
  <Set name="includeProtocols">
    <Array type="java.lang.String">
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
      <Item>TLSv1.2</Item>
    </Array>
  </Set>
</New>
PingFederate 8 and newer have SSLv3 disabled by default.
Wednesday 15 July 2015
Compile 32-bit OpenSSL on a 64-bit system
I had to compile a 32-bit version of OpenSSL on a 64-bit server today. It took me a while to figure out, but you simply must pass the right target and flags to the Configure script when compiling 32-bit on a 64-bit system. Example:
./Configure no-zlib no-krb5 enable-tlsext shared -m32 linux-generic32 --prefix=/home/peter/32bitopenssl-install
Converting a .p12 file to PEM
In some cases you want to convert p12 certificate files (PingFederate uses p12 files, for example) to PEM files instead. This is easily done with the following openssl commands:
Certificate conversion:
$ openssl pkcs12 -in certificateandkey.p12 -out server.crt -clcerts -nokeys -passin pass:YourSecretPassword
MAC verified OK
Key conversion:
$ openssl pkcs12 -in certificateandkey.p12 -out server.key -nocerts -nodes -passin pass:YourSecretPassword
MAC verified OK
Done!
Tuesday 14 July 2015
OpenSSL, recompile with -fPIC
Today I got the following error when compiling OpenSSL 1.0.2d:
/usr/bin/ld: libcrypto.a(x86_64-gcc.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
I simply solved this by configuring OpenSSL this way:
./config -fPIC shared no-zlib no-krb5 no-mdc2 shared enable-tlsext --prefix=/usr/local/openssl-1.0.2d
However, it is important to run make clean before compiling again.
Disable Secure Client-Initiated Renegotiation in PingAccess
If you have a system running PingAccess you may have noticed, when scanning the system with the SSL Labs scanner, that it supports Secure Client-Initiated Renegotiation, which is not good from a security point of view.
So how do you disable it? Well, since PingAccess is a Java application it simply relies on Java to disable it. The easiest way is to add the property in run.sh or run.bat:
"$JAVA" -classpath "$CLASSPATH" $JAVA_OPTS \
-Djavax.net.ssl.sessionCacheSize=5000 \
-Djava.net.preferIPv4Addresses=true \
-Djava.net.preferIPv4Stack=true \
-Djava.net.preferIPv6Addresses=false \
-Djava.awt.headless=true \
-Djdk.tls.rejectClientInitiatedRenegotiation=true \
-Dpa.jwk="$pajwk" \
-Dblitz4j.configuration="$BLITZ_PROPS" \
-Drun.properties="$runprops" \
-Dbootstrap.properties="$bootprops" \
-Dpa.home="$PA_HOME" \
com.pingidentity.pa.cli.Starter "$@"
By adding that little jdk.tls.rejectClientInitiatedRenegotiation line you have disabled Secure Client-Initiated Renegotiation in PingAccess.
OGNL script in PingFederate for allowing different OAuth scopes depending on group membership
When configuring OAuth 2.0 in PingFederate you can, by issuance criteria, demand that a user must be a member of an LDAP group to be able to get an OAuth 2.0 token. But in some cases you have a mobile application with several scopes, and in some of those cases you do not want to give access to all scopes to all users in one group. So here is a little OGNL sample on how to give access to different scopes depending on group membership in LDAP. Note that String.matches() must match the whole string, so the scope patterns need .* on both sides:
#this.get("context.OAuthScopes").toString().matches("(?i).*scope1.*")
  ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope1group,OU=groups,O=ldap.*")
      ? @java.lang.Boolean@TRUE : @java.lang.Boolean@FALSE)
  : #this.get("context.OAuthScopes").toString().matches("(?i).*scope2.*")
      ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope2group,OU=groups,O=ldap.*")
          ? @java.lang.Boolean@TRUE : @java.lang.Boolean@FALSE)
      : @java.lang.Boolean@FALSE
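The decision logic of that expression, modelled in Python as an added example (not the page's own code and nothing from PingFederate) so it can be tested offline; scope names, group DNs and the memberOf values are constructed. It also shows the stricter rule where every requested mapped scope must be backed by its own group, since issuance criteria are pass/fail for the whole token and the chained ternary above only checks the first scope it matches.

```python
import re

# Constructed scope-to-group mapping mirroring the two branches of the
# OGNL expression above (placeholder scope names and group DNs).
SCOPE_GROUPS = {
    "scope1": "CN=scope1group,OU=groups,O=ldap",
    "scope2": "CN=scope2group,OU=groups,O=ldap",
}


def in_group(member_of, group_dn):
    """Same test as the OGNL: case-insensitive match of the group DN
    anywhere in the user's memberOf values."""
    return re.search(re.escape(group_dn), " ".join(member_of), re.IGNORECASE) is not None


def issuance_criteria_as_written(scopes, member_of):
    """The chained ternary: the first mapped scope found in the request
    decides the whole outcome; other requested scopes are not checked."""
    for scope, group_dn in SCOPE_GROUPS.items():
        if scope in scopes:
            return in_group(member_of, group_dn)
    return False  # no mapped scope requested: deny, as the expression does


def all_scopes_authorized(scopes, member_of):
    """Stricter rule: every mapped scope in the request needs its group.
    Like the original, a request with no mapped scope at all is denied."""
    mapped = [s for s in scopes if s in SCOPE_GROUPS]
    return bool(mapped) and all(in_group(member_of, SCOPE_GROUPS[s]) for s in mapped)


# Constructed user: member of scope1group only.
USER_SCOPE1_ONLY = ["CN=scope1group,OU=groups,O=ldap", "CN=staff,OU=groups,O=ldap"]

if __name__ == "__main__":
    request = {"scope1", "scope2"}
    # A token carrying scope2 would be issued to a user who is not in scope2group.
    print("as written:", issuance_criteria_as_written(request, USER_SCOPE1_ONLY))  # True
    print("all scopes:", all_scopes_authorized(request, USER_SCOPE1_ONLY))        # False
```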
Hopefully this is useful for someone out there!
Monday 13 July 2015
Getting D-Link DWA-525 (RT5360) working in Ubuntu 14.04, 14.10 and 15.04
I have been struggling for a while with getting my D-Link DWA-525 with the RT5360 chipset working.
After quite a bit of investigation I found that there are many links to a Ralink website where you should be able to download the driver and compile it. However, you can no longer download that driver from the site. Thankfully there is now support for this device in Ubuntu with the rt2800pci module.
However, none of Ubuntu 14.04, 14.10 and 15.04 managed to get the wireless network up and running after the installation.
So I had to do the following. I have been running this solution for a couple of days and I find it stable.
iwconfig wlan0 power off
modprobe rt2800pci
wpa_passphrase wirelessnetwork password >> /etc/wpa_supplicant.conf
After that I edited the file and added some lines:
vi /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="wirelessnetwork"
scan_ssid=1
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
group=CCMP
psk=a37cd5be4e6d5215d467d08e6bc08b6d179195ec973e8f23c8bbbfa000f8b768
}
wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -B
dhclient wlan0
ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr c8:be:19:14:70:25
inet addr:192.168.1.187 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::cabe:19ff:fe04:7025/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3434 errors:0 dropped:32 overruns:0 frame:0
TX packets:4544 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7621658097 (0.1 GB) TX bytes:1280056191 (0.1 GB)
Thursday 9 July 2015
Connect to an SSL-protected site with openssl using TLS
Since many sites have started removing SSLv3, many people now receive this error when connecting to SSL sites with openssl:
# openssl s_client -connect www.example.com:443
CONNECTED(00000003)
25370:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
This is easily solved by forcing openssl to use TLS instead:
# openssl s_client -connect www.example.com:443 -tls1