Deploying Single Sign-On with BMC Action Request System Danny Kellett Java System Solutions

Deploying Single Sign-On with BMC Action
Request System
Danny Kellett
Java System Solutions
Husband and father
• Worked for Remedy / Pere***n / BMC from 1999 to 2007
• BSM ITSM Solution Architect / Consultant
• Single Sign-On architect for Java System Solutions
© 2013 WWRUG
© 2012Canada
WWRUG
Inc.Canada
All Rights
Inc.Reserved
All Rights Reserved 2
Warning – There is a lot of content in
this presentation !
This is intentional. Not all of this information will mean anything yet but if/when you decide to
embark on a Single Sign-On (SSO) implementation, this presentation will hopefully fill in all those
knowledge gaps
Feel free to email me at [email protected]
© 2013 WWRUG
© 2012Canada
WWRUG
Inc.Canada
All Rights
Inc.Reserved
All Rights Reserved 3
Agenda
What is Single Sign On (SSO)
-
Important things you should know and understand
-
External links to why your company should implement SSO
Brief explanation of the common authentication methods
-
Benefits, risks, important things you need to know and recommendations
-
Quite detailed but stay with me!
Planning
-
Survey the environment
-
What questions to ask
Security risks
-
With BMC Community and partners code
Impact to your AR System
© 2013 WWRUG Canada Inc. All Rights Reserved
4
Objects and Results
Objectives
-
To understand the black box of Single Sign On (SSO) specifically aligned to
the BMC AR System
Results
-
Have an understanding that SSO is not just about a product
-
Understand what questions to ask before embarking on an implementation
-
Decide what authentication method best suites your company
-
Understand the three phases of SSO with the BMC AR System
Skills developed
-
Gain knowledge of multiple authentication technologies
-
Be able to plan an SSO implementation
-
Gain knowledge on how to analyze the risks of some SSO solutions out there
© 2013 WWRUG Canada Inc. All Rights Reserved
5
Why Your Company Should Implement SSO
“Single Sign-on (SSO) is a property of access control of multiple related, but independent
software systems. With this property, a user logs in once and gains access to all
systems without being prompted to log in again at each of them.” Wikipedia https://en.wikipedia.org/wiki/Single_sign-on
Benefits for the end user; Five major benefits for the business; Gartner and password
and security research
-
http://www.javasystemsolutions.com/
Experience has shown SSO can be the success On / Off switch to your Service Request
Management (SRM) investment.
© 2013 WWRUG Canada Inc. All Rights Reserved
6
Common Misunderstandings And Important Things to
Know
Shared authentication schemes are not the same as SSO
-
“SSO requires users to literally sign in once to establish their credentials.
Systems that require the user to log in multiple times with the same identity
are inherently not SSO” ref Wikipedia https://en.wikipedia.org/wiki/Single_signon#Shared_authentication_schemes_which_are_not_single_sign-on
There must always be an authentication provider. A single, trusted
source of information about our users. So basically we are
removing the job of authentication from the AR System
-
Examples include but are not limited to

Microsoft Active Directory & Federated Services

CA SiteMinder

Ping Federate
LDAP is not SSO
Different browsers conduct SSO differently and therefore we
recommend that you learn to use Fiddler
© 2013 WWRUG Canada Inc. All Rights Reserved
7
Common Misunderstandings And Important Things to
Know
Not all BMC products have the SSO capability
-
Developer Studio
-
Recommendation – Have a standard AR System account that matches your
domain login name, and have a second, non-domain account, that is your
Developer Studio Administrator account. This will be your non-SSO account
Not everyone has to be an SSO user. Every user can be configured
to use SSO or the standard user name and password
-
The AR Server “switch/flag” is ‘CrossRef-Blank-Password’ which means if the
AR System user record for that user has a blank password, then the AR
Server passes the authentication onto an external source e.g. SSO
© 2013 WWRUG Canada Inc. All Rights Reserved
8
Understand the Three Phases of SSO with BMC AR System
1 - Identify and authenticate using an authentication method
-
Reliably and securely identifying the user name against the chosen
authentication identity provider E.g. Active Directory
-
The goal is to obtain the user name E.g. dkellett
2 - Uniquely identify the user in the User form of the AR System
-
Once you have the user name, this phase needs to obtain the User record of
that user. If the record is not found then the user fails to be identified
-
Risk / Challenge – Multiple trusted domains where two or more users have
the same login name e.g. Dkellett (Danny Kellett in JSS, David Kellett in BMC
etc)
3 - Pass the details into the BMC SSO framework to finalise the
authentication
-
Found the user in the User form, and now pass the details to the AR System
to finalise the logon process.
© 2013 WWRUG Canada Inc. All Rights Reserved
9
Understand the Most Common Types and Protocols of SSO
NTLMv2 (NT Land Manager version 2)
Kerberos
Integrated Windows Authentication (IWA)
-
The act of negotiating authentication type using SPNEGO
-
SPNEGO – Simple, Protected GSSAPI Negotiation Mechanism

“I don’t know what language to speak to you, so lets negotiate!”
SAMLv2 (Security Assertion Markup Language)
Enterprise SSO systems such as CA SiteMinder, RSA Access
Manager
HTTP Header / Cookies (An option used in the community code)
© 2013 WWRUG Canada Inc. All Rights Reserved
10
Understand the Types and Protocols of SSO
NTLMv2
-
NTLM returns/authenticates based on tokens exchanged with the AD
-
Easier to implement, requires no additional steps if Mid Tier is deployed on
Windows http://technet.microsoft.com/en-us/magazine/ee914605.aspx
Kerberos
-
Each host attempting authentication needs Kerberos keys and Service
Principle Names to decrypt the ticket to get the user details.
-
Benefits over NTLM is once the ticket is issued, it lasts for a certain period of
time and therefore less authentication traffic on the network because it
doesn't have to keep re-authenticating within that time
-
Important

Relies on strict time synchronisation between servers otherwise authentication will fail

More complex to setup and debug than most authentication methods
© 2013 WWRUG Canada Inc. All Rights Reserved
11
Understand the Types and Protocols of SSO
Integrated Windows Authentication (IWA)
-
Microsoft’s process for SSO within internal/VPN networks and is used by
Microsoft's Internet Information Service (IIS)
-
Refers to the following protocols; NTLMv2, Kerberos and SPNEGO
-
IWA uses SPNEGO to allow initiators (Browser) and acceptors (AD) to
negotiate either Kerberos or NTLMSSP.

If a Kerberos ticket can be obtained the Kerberos protocol will be
attempted. Otherwise NTLMv2 authentication is attempted. Similarly, if
Kerberos authentication is attempted, yet it fails, then NTLMv2 is
attempted.
Recommendation - If you are on-premise/not authenticating over
the unprotected internet, this is the recommended choice of
authentication methods because it uses both NTLMv2 and
Kerberos protocols having complete 100% compatibility with a
Windows network
© 2013 WWRUG Canada Inc. All Rights Reserved
12
Understand the Types and Protocols of SSO
Security Assertion Markup Language (SAML 2.0)
-
Prerequisite for customers to have applications such as Microsoft ADFS 2,
Ping Federate and others deployed within their domain first
-
Considered THE cross domain, over the unprotected internet, Web-SSO
authentication protocol

Users connect to a website, outside the safety of the users domain

Website replies with a configured URL which is inside the users domain
and instructs the browser to use an authentication service and present the
result to the website

The result is that no secret/authentication data goes outside the users
domain
© 2013 WWRUG Canada Inc. All Rights Reserved
13
Understand the Types and Protocols of SSO
© 2013 WWRUG Canada Inc. All Rights Reserved
14
Understand the Types and Protocols of SSO
CA SiteMinder, RSA Access Manager and others
-
Deployments such as these are considered Enterprise SSO due to the
infrastructure impact and cost
-
Technically, these are “policy” applications which take feeds from Active
Directory and typically HR systems which provides a common interface to
other application within the business
-
For example a user logs into a portal at which they are granted a list of
applications they can access.
-
Upon accessing an application such as BMC ITSM, a software agent installed
on the Mid Tier will intercept and cross reference the policy server not only
for authentication but permission to access ITSM.
© 2013 WWRUG Canada Inc. All Rights Reserved
15
Understand the Types and Protocols of SSO
© 2013 WWRUG Canada Inc. All Rights Reserved
16
Understand the Types and Protocols of SSO
HTTP Header / Cookie
-
Almost everything you see in your browser is transmitted to your computer
over HTTP.
-
HTTP headers are the core part of these HTTP requests and responses, and
they carry information about the client browser, the requested page, the
server and more.
-
An application, such as Microsoft IIS can add a simple HTTP value or cookie
which can contain the user name
-
This user name is then extracted and is trusted as the user who is attempting
to access the application
-
Typically the lesser secure method

-
Explanation later
Used with the Community code
© 2013 WWRUG Canada Inc. All Rights Reserved
17
Survey the Environment – Existing Enterprise SSO?
Has your company already deployed an Enterprise SSO standard?
-
E.g. CA SiteMinder, MS Sharepoint, Other forms of IDM authentication
proxies
-
JSS has found this to be the second most popular authentication method
Questions to ask
-
Do they deploy agents to web servers or do they require the use of the API?

Agent – Your option is reading the header or cookie
– BMC Community code can do this but be aware of the security risks
– Example jsp code in appendix to show any headers
© 2013 WWRUG Canada Inc. All Rights Reserved
18
Survey the Environment – Existing Enterprise SSO?

API – Implementing the vendors API e.g. CA SiteMinder
– BMC Community code does not interface with any API.
– AtriumSSO is a BMC badged OpenAM solution which includes some
basic integrations to enterprise solutions, for example, the SiteMinder
integration decodes a SiteMinder username but does not check the
user has permission to access the resource (i.e. ITSM)
– JSS SSO Plugin integrates with CA SiteMinder, RSA Access Manager,
RSA SecurID and Central Authentication Service (CAS) using the third
party product API’s.
© 2013 WWRUG Canada Inc. All Rights Reserved
19
Survey the Environment – Utilize the Active Directory
If your company doesn’t have any other form of SSO, then using Active
Directory (AD) is the preferred on-premise choice
-
OnDemand users or users connecting over the unprotected internet should not use
this method due to security risks of passing tokens over the internet
-
JSS has found this to be the most popular authentication method
Options
-
BMC Community code : Install Microsoft IIS and enable the header

Be aware of the security issue with headers and be aware of the issues with IIS.
https://www.javasystemsolutions.com/jss/news/list/50#article-50
-
AtriumSSO : Only in v8.1, Kerberos is implemented. Be aware this is only one half of IWA
and is widely documented (links in previous slides) to not work for all users, difficult to
setup and difficult to diagnose. Case sensitive – all login names must be the same case.

-
If you are using AR Server < 8.1, then you will still need to login to AtriumSSO.
Users required to still login more than once
JSS SSO Plugin : Supports full IWA and therefore is 100% compatible with any
Windows domain. Installed and working within minutes

http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-Installation36-MT
© 2013 WWRUG Canada Inc. All Rights Reserved
20
Survey the Environment – Utilize SAML
If your company has the requirement to authenticate users over the
unprotected internet, then SAML is the recommended authentication choice
Although SAML is a standard, not all standards are created equal
SAML requires a service to be setup on the clients side of the network
-
If your company is using ADFS, make sure it’s ADFS2 and not ADFS(1)
The Mid Tier will need to be listening on HTTPS and not HTTP
-
http://www.javasystemsolutions.com/documentation/ssoplugin/36/configuring-midtierwebtier.pdf
Single point of failure is the SAML service. If the user can not connect to the
Identity Provider (Idp), they will not gain access to the AR System.
Options
-
BMC Community code : Does not support it and therefore design and development is
required
-
AtriumSSO : Available as of version 8.1
-
JSS SSO Plugin : Fully supported and implemented worldwide since 2011 and
provides manual login if SAML fails
© 2013 WWRUG Canada Inc. All Rights Reserved
21
Survey the Environment – Login Names
Do your login names match your AR System login name format? (Phase two of
the three SSO phases)
-
E.g. Dkellett from the Active Directory and Dkellett in the AR System login name, field
101 in the User form?

Typical when the AR System user data is implemented without the knowledge of
domain names

Typical when there are multiple customer companies with multiple domains and
therefore the login name format includes the domain or a unique reference to
those domain users E.g. Bmc\dkellett or jss\dkellett

DoD/CaC Cards/Cookies/Cards return the full Distinguished Name (DN)
– CN=Danny Kellett,CN=admin,DC=corp,DC=jss,DC=COM
Options
-
BMC Community code : Doesn't exist. Design & build code to map the format
-
AtriumSSO : Unable to do it today but I understand there is a hotfix in the pipeline
-
JSS SSO Plugin : Feature called “Aliasing” which allows you to create a dynamic query
to find the unique user. http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-Features
© 2013 WWRUG Canada Inc. All Rights Reserved
22
Security considerations
“Security is, I would say, our top priority because for all the exciting things you will be able to do
with computers - organizing your lives, staying in touch with people, being creative - if we don't
solve these security problems, then people will hold back.”
Bill Gates.
© 2013 WWRUG
© 2012Canada
WWRUG
Inc.Canada
All Rights
Inc.Reserved
All Rights Reserved 23
Security – HTTP Headers
Quote – “HTTP header injection is a kind of web application
vulnerability which exists on those web applications that
generated HTTP headers based on the input given by users. If it
uses user based input in the headers, it can be used for HTTP
response splitting, cross-site scripting (XSS), Session fixation via the
Set-Cookie header, and malicious redirects attacks via the location
header.”
-
http://www.newhackingtricks.com/2013/01/what-is-http-header-injection.html
Example found on an Apple site in January 2013
Tools such as FireFox plugins can inject and change header
information
-
"Live HTTP Headers" https://addons.mozilla.org/en-us/firefox/addon/modify-headers/
Basically means if dkellett is being sent by the browser, you could
change it to anyone you want before it gets to the Mid Tier
© 2013 WWRUG Canada Inc. All Rights Reserved
24
Security – HTTP Headers
Found in the BMC Community Code, Partner developed solutions
(Based on the BMC Community Code)
Recommendations
If using a web server like IIS in front of Tomcat, close the Tomcat
ports to the end users and configure Tomcat to only accept
connections from the web server
-
<Connector port="8080" address="127.0.0.1" maxHttpHeaderSize="8192"
Read how the hackers do it and try on your own system
-
http://www.madleets.com/Thread-HTTP-Header-Injection-tutorial
© 2013 WWRUG Canada Inc. All Rights Reserved
25
Security – Fixed Strings
With one command line, you can login to the AR System as anyone!
Found in the BMC Community SSO Code and one BMC Elite partner developed
solution
Hacking the “Third Phase” of SSO and AR System
areasso.c
-
#define AUTH_STRING_DEFAULT "Qk1DIFJlbWVkeSBBUlN5c3RlbQ=="
-
#define PASS_STRING "c3NvcGFzc3dvcmQ=“
-
if(password && strcmp(password,PASS_STRING)==0) // First lets check the password
and make sure it matches
It’s the same as giving every user the same password!
Even if you change those values and re-compile the code, you can find the new
values by one command line
Example on the next slide
© 2013 WWRUG Canada Inc. All Rights Reserved
26
Security – Fixed Strings
© 2013 WWRUG Canada Inc. All Rights Reserved
27
Security – Fixed Strings
Recommendations
-
Don’t use fixed strings if you can help it
-
If you need to use a string, make it change and keep a list of already used
ones and therefore reject it if any are used again
-
Obfuscate the code

-
http://www.stunnix.com/
Every partners example code we found was vulnerable to this simple hack
© 2013 WWRUG Canada Inc. All Rights Reserved
28
AR System Changes
Ar.cfg/conf
-
Crossref-Blank-Password: T
-
External-Authentication-RPC-Socket: 390695
-
External-Authentication-Return-Data-Capabilities: 31
-
Plugin-Loopback-RPC-Socket: 390626
-
Allow-Guest-Users: F
Mid Tier
-
Web.xml

Add filter (web not workflow)
© 2013 WWRUG Canada Inc. All Rights Reserved
29
List Of Resources We Recommend Learning
"Live HTTP Headers" https://addons.mozilla.org/en-us/firefox/addon/modifyheaders/
“Fiddler” http://fiddler2.com/
-
http://www.javasystemsolutions.com/documentation/ssoplugin/36/troubleshooting.pdf
© 2013 WWRUG Canada Inc. All Rights Reserved
30
Conclusion
Once implemented, SSO can be a massive benefit to users and the
Support Organisation.
SSO “can” be complex. BMC do not provide any courses on SSO
and therefore it’s probably new to most workflow developers. Get
expert advice.
Planning is the key to a successful implementation.
In our experience, for a single AR System server / Mid Tier
deployment, an SSO deployment should be completed within an
hour.
Understand and have contingencies when authentication fails E.g.
manual login, user is not found in either the domain or AR System.
http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-ITSM-RaiseIncident
http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-ITSM-Registration
© 2013 WWRUG Canada Inc. All Rights Reserved
31
Wrap up – JSS Team includes…
Successfully supporting more than 200 BMC / HP customers, globally, 24/7/365 since 2007
• Danny Kellett
Wrap-up
• Integration specialist before joining Remedy professional services UK in 1999
([email protected])
• Principle ITSM consultant on some of Remedy/BMC largest global customers
• Lead the introduction of ITSM 7 into Europe for BMC professional services
•John Baker ([email protected])
• Highly experienced Java & web technology developer and solution architect
• Expert in SSO technologies within the London financial industry
• Andy Clover ([email protected])
• Tremendous reputation within the IT security industry
• Microsoft MVP (IE 2011) and Microsoft MVP (Client security 2005)
• Expert in Microsoft authentication technologies and protocols
Just a few quotes from http://www.javasystemsolutions.com/jss/quotes
“That's awesome!! I'll get it into the test environment and let
you know...great support! “
“Thanks so much for you help in implementing this with
us. You guys take service to a whole new level!! “
“Additionally, Java Systems Solutions dove deep in to logs from servers, server apps,
network sniffing, and Kerberos applications to debug how SSO is integrated in our
environment. I am continually impressed by their service.“
“We had issues with SSO on our upgrade go-live weekend and the
technical support team had answers to our questions within 5 minutes
of contacting them. And the fix recommended by them solved our
problem. The level of support provided by them is of premium quality.
They know their product very well which is evident in the quality of the
support.“
“I would like to take this opportunity to thank the JSS support team on
their excellent support in resolving our issues and giving us a better
understanding of how SSO Plugin interacts with AR System. I hope the
same kind of support and assistance will be continued and they will build
their tools in other areas. Hats off to JSS.“
© 2013 WWRUG Canada Inc. All Rights Reserved
32
The following slides are only here for
reference in case I get asked certain
questions and have something to show
© 2013 WWRUG
© 2012Canada
WWRUG
Inc.Canada
All Rights
Inc.Reserved
All Rights Reserved 33
Resources – jsp Example To Read Headers
Copy the following in to a text file and save as showheaders.jsp
Copy the file to Tomcat\webapps\ROOT\
Browse to http://yourMidTier/showheaders.jsp
<%@ page import="java.util.*" %>
<html>
<head>
<title>Http Request Headers Example</title>
</head>
<body>
<h2>HTTP Request Headers Received</h2>
<table>
<%
Enumeration enumeration = request.getHeaderNames();
while (enumeration.hasMoreElements()) {
String name = (String) enumeration.nextElement();
String value = request.getHeader(name);
%>
<tr><td><%= name %></td><td><%= value %></td></tr>
<%
}
%>
</table>
</body>
</html>
© 2013 WWRUG Canada Inc. All Rights Reserved
34
Microsoft recommended to include NTLMv2
Much of the documentation out there advocates using NTLM
unless there is a compelling need, such as for sites with a high
security service level agreement. Even in this case, if you dig
deeper, the more obvious answer is presented for using NTLM: it’s
easier to implement, requires no additional steps, and likely
reduces support issues. For example, KB 832769 says, “… or if you
cannot configure the service principal name (SPN), choose NTLM
authentication. If you choose Kerberos authentication and cannot
configure the SPN, only server administrators will be able to
authenticate to the SharePoint site.”
-
http://technet.microsoft.com/en-us/magazine/ee914605.aspx
© 2013 WWRUG Canada Inc. All Rights Reserved
35