Apache Santuario for signing does not add SecurityTokenReference under KeyInfo - xml-signature

The lines of code for adding KeyInfo in my code look like:
sig.addKeyInfo(cert);               // adds ds:KeyInfo/ds:X509Data/ds:X509Certificate for cert
logUtil.debug("Start signing");
sig.sign(privateKey);               // computes ds:SignatureValue with the private key matching cert
logUtil.debug("Finished signing");
This gives a KeyInfo element like:
<ds:KeyInfo>
  <ds:X509Data>
    <ds:X509Certificate>
      xxx certificate value xxx
    </ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>
But the requirement is to have the X509Data element inside a SecurityTokenReference element.
Any views on how to do it with Apache Santuario (org.apache.xml.security.signature) would be much appreciated.

Ansible - Remove login window in CentOS 6

I wrote a hardening script for CentOS workstations and I'm stuck on a process for CentOS 6 systems where I want to remove the login screen and have the user enter their login ID.
The file is:
/etc/gconf/gconf.xml.defaults/%gconf-tree.xml
Here is the line I am trying to edit:
<entry name="disable_user_list" mtime="1558109430" type="schema" stype="bool" owner="gdm-simple-greeter" gettext_domain="gdm">
  <local_schema locale="C" short_desc="Do not show known users in the login window">
    <default type="bool" value="false"/>
    <longdesc>Set to true to disable showing known users in the login window.</longdesc>
  </local_schema>
</entry>
The line I need to edit is:
value="false"
to:
value="true"
Because there is more than one "disable_user_list" in this file, I am not sure how I can use the lineinfile option to edit this specific field. I'm pretty sure there might be a regex I could use but I couldn't figure it out.
Anyone have any ideas?
TL;DR:
Here is a possible solution for you:
- xml:
    path: /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
    xpath: "/entry[@name='disable_user_list']/local_schema[@short_desc='Do not show known users in the login window']/default[@type='bool']"
    attribute: value
    value: "true"
The xml module seems to be a better alternative than doing a regex.
This could be a solution for you, but, of course, you'll have to validate this against the other disable_user_list entries that you might have in your file.
The XPath in this playbook considers this entry unique based on the facts that:
- the entry node is named disable_user_list
- the local_schema node under entry has a short_desc reading "Do not show known users in the login window"
- the default node under local_schema is of type bool
Based on that, the task targets the value attribute and sets it to true.
Given this playbook:
- hosts: local
  gather_facts: no
  tasks:
    - xml:
        path: /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
        xpath: "/entry[@name='disable_user_list']/local_schema[@short_desc='Do not show known users in the login window']/default[@type='bool']"
        attribute: value
        value: "true"
Here is an example of execution:
cat /etc/gconf/gconf.xml.defaults/%gconf-tree.xml && ansible-playbook play.yml && cat /etc/gconf/gconf.xml.defaults/\%gconf-tree.xml
<?xml version='1.0' encoding='UTF-8'?>
<entry name="disable_user_list" mtime="1558109430" type="schema" stype="bool" owner="gdm-simple-greeter" gettext_domain="gdm">
  <local_schema locale="C" short_desc="Do not show known users in the login window">
    <default type="bool" value="false"/>
    <longdesc>Set to true to disable showing known users in the login window.</longdesc>
  </local_schema>
</entry>
PLAY [local] ***********************************************************************************************************************************************************************************************
TASK [xml] *************************************************************************************************************************************************************************************************
changed: [local]
PLAY RECAP *************************************************************************************************************************************************************************************************
local : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
<?xml version='1.0' encoding='UTF-8'?>
<entry name="disable_user_list" mtime="1558109430" type="schema" stype="bool" owner="gdm-simple-greeter" gettext_domain="gdm">
  <local_schema locale="C" short_desc="Do not show known users in the login window">
    <default type="bool" value="true"/>
    <longdesc>Set to true to disable showing known users in the login window.</longdesc>
  </local_schema>
</entry>
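The answer leaves one check to the reader: making sure the XPath really selects a single node before the attribute is rewritten. As an added example (not from the original answer, and not the Ansible xml module itself), the same predicates applied with Python's ElementTree to a constructed gconf tree that contains a second disable_user_list entry, refusing to write unless exactly one node matches:

```python
import xml.etree.ElementTree as ET

# Same attribute predicates as the playbook's xpath, written relative to the
# document root (ElementTree's find() does not accept a leading "/").
XPATH = ("entry[@name='disable_user_list']"
         "/local_schema[@short_desc='Do not show known users in the login window']"
         "/default[@type='bool']")

# Constructed sample (not the real gconf file): two disable_user_list entries,
# only one of which carries the short_desc the XPath keys on.
SAMPLE = """<gconf>
  <entry name="disable_user_list" mtime="1558109430" type="schema" stype="bool" owner="gdm-simple-greeter" gettext_domain="gdm">
    <local_schema locale="C" short_desc="Do not show known users in the login window">
      <default type="bool" value="false"/>
    </local_schema>
  </entry>
  <entry name="disable_user_list" type="schema" stype="bool" owner="another-greeter">
    <local_schema locale="C" short_desc="Another entry with the same name">
      <default type="bool" value="false"/>
    </local_schema>
  </entry>
</gconf>"""


def set_unique_attribute(xml_text, xpath, attribute, value):
    """Set attribute=value on the single node xpath selects; leave the document
    untouched when the match is not unique, so a looser XPath cannot silently
    flip every entry of that name."""
    root = ET.fromstring(xml_text)
    matches = root.findall(xpath)
    if len(matches) != 1:
        raise ValueError(f"xpath matched {len(matches)} nodes, expected exactly 1")
    matches[0].set(attribute, value)
    return ET.tostring(root, encoding="unicode")


def flip_disable_user_list(xml_text=SAMPLE):
    """Apply the playbook's edit to the sample and return the new document."""
    return set_unique_attribute(xml_text, XPATH, "value", "true")


if __name__ == "__main__":
    print(flip_disable_user_list())
```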

java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value

This is what my tomcat-users file looks like:
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="analyst"/>
  <role rolename="user"/>
  <role rolename="kie-server"/>
  <role rolename="developer"/>
  <role rolename="manager"/>
  <user username="w" password="w" roles="admin"/>
  <user username="k" password="k" roles="kie-server"/>
  <user username="u" password="u" roles="user,developer,analyst"/>
</tomcat-users>
After entering correct credentials in the KIE IDE WORKBENCH, I get the following exception:
java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value
org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateCookieValue(Rfc6265CookieProcessor.java:182)
org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:115)
org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
org.apache.catalina.connector.Response.addCookie(Response.java:967)
org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
org.uberfire.ext.security.server.SecurityIntegrationFilter.doFilter(SecurityIntegrationFilter.java:61)
CookieProcessor is a new configuration element, introduced in Tomcat 8.0.15.
The CookieProcessor element allows different cookie parsing configuration in each web application, or globally in the default conf/context.xml file.
According to the official docs at Apache Tomcat 8 Configuration Reference, version 8.0.47:
The standard implementation of CookieProcessor is: org.apache.tomcat.util.http.LegacyCookieProcessor. Note that it is anticipated that this will change to org.apache.tomcat.util.http.Rfc6265CookieProcessor in a future Tomcat 8 release.
Later...
According to the official docs at Apache Tomcat 8 Configuration Reference, version 8.5.23:
The standard implementation of CookieProcessor is org.apache.tomcat.util.http.Rfc6265CookieProcessor.
To resolve this issue, add this line to conf/context.xml under %CATALINA_HOME% (i.e. C:\apache-tomcat-8.5.20\conf\context.xml in my case):
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
This is what it looks like after adding it:
<?xml version="1.0" encoding="UTF-8"?>
<Context reloadable="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
  <Transaction factory="bitronix.tm.BitronixUserTransactionObjectFactory"/>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
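The exception comes from Tomcat checking the cookie value against the RFC 6265 cookie-value grammar before writing the Set-Cookie header. As an added example (Python, not Tomcat's code), that grammar check written out, so you can see which values the Rfc6265CookieProcessor rejects and why character 34 (a double quote) only passes when it wraps the whole value:

```python
# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
# printable US-ASCII minus CTLs, SP, DQUOTE (34), comma, semicolon and backslash.
def is_cookie_octet(ch):
    o = ord(ch)
    return (o == 0x21 or 0x23 <= o <= 0x2B or 0x2D <= o <= 0x3A
            or 0x3C <= o <= 0x5B or 0x5D <= o <= 0x7E)


def validate_cookie_value(value):
    """Return None when value is a valid RFC 6265 cookie-value, otherwise the
    code point of the first offending character (the [34] in the exception).
    One pair of DQUOTEs wrapping the whole value is allowed by the grammar;
    a DQUOTE anywhere else is not."""
    inner = value
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        inner = value[1:-1]
    for ch in inner:
        if not is_cookie_octet(ch):
            return ord(ch)
    return None


def classify(values):
    """Map each candidate value to 'ok' or 'invalid char [n]'; useful for
    auditing what an application puts in cookies before switching the
    CookieProcessor to the legacy implementation."""
    result = {}
    for v in values:
        code = validate_cookie_value(v)
        result[v] = "ok" if code is None else f"invalid char [{code}]"
    return result


if __name__ == "__main__":
    # Constructed sample values, including a quoted JSON-style value that trips the check.
    for value, verdict in classify(['abc123', '"quoted"', 'a"b', '{"k":"v"}', 'a b', 'a;b']).items():
        print(f"{value!r}: {verdict}")
```

Switching to LegacyCookieProcessor makes Tomcat emit such values; the check above shows what the RFC-conformant processor refused so the application can encode the value instead.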

WSO2 AS - Secure Vault in webapp and jndi

I want to store a password for an API endpoint that will be used by any webapp.
In the file catalina-server.xml I put the following configuration:
...
<GlobalNamingResources>
  <Environment name="paci/connectionUrl" type="java.lang.String" value="http://10.0.0.1:1234/paci/v1.0"/>
  <Environment name="paci/adminUser" type="java.lang.String" value="admin"/>
  <Environment name="paci/adminPass" svns:secretAlias="Paci.AdminUser.Password" type="java.lang.String" value="password"/>
</GlobalNamingResources>
I configured secure vault using this doc for using the Cipher Tool.
cipher-tool.properties:
Paci.AdminUser.Password=repository/conf/tomcat/catalina-server.xml//Server/GlobalNamingResources/Environment[@name='paci/adminPass'][@value],true
cipher-text.properties:
Paci.AdminUser.Password=EnCrYpTeDvAlUe123
In the web app I had to add a link to the global resource in META-INF/context.xml to make JNDI resolve it.
...
<Context>
  <ResourceLink global="paci/connectionUrl" name="paci/connectionUrl" type="java.lang.String" />
  <ResourceLink global="paci/adminUser" name="paci/adminUser" type="java.lang.String" />
  <ResourceLink global="paci/adminPass" name="paci/adminPass" type="java.lang.String" />
</Context>
Here is my code:
import javax.naming.Context;
import javax.naming.InitialContext;

Context initCtx = new InitialContext();
// look up the linked resource through the web app's java:comp/env namespace
String paciPass = (String) initCtx.lookup("java:comp/env/paci/adminPass");
The value of paciPass is "password" and not the encrypted password. I don't know why the vault is not returning the encrypted pass.
What do I have to do for the WSO2 secure vault to resolve the alias in JNDI?

Consuming a SAML 2.0 assertion with ColdFusion - What do I do with a public key (.pem) file?

I am tasked with getting our ColdFusion 9 app to receive a SAML assertion for single sign-on. We are the service provider. Thus far, I have used the only real source of information about ColdFusion and SAML at the following URL for guidance: http://blog.tagworldwide.com/?p=19
I have a sample SAML XML assertion from the identity provider and it looks very similar to the following example from Salesforce.com.
<samlp:Response ID="_257f9d9e9fa14962c0803903a6ccad931245264310738"
                IssueInstant="2009-06-17T18:45:10.738Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    https://www.salesforce.com
  </saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_3c39bc0fe7b13769cab2f6f45eba801b1245264310738"
                  IssueInstant="2009-06-17T18:45:10.738Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
      https://www.salesforce.com
    </saml:Issuer>
    <saml:Signature>
      <saml:SignedInfo>
        <saml:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <saml:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <saml:Reference URI="#_3c39bc0fe7b13769cab2f6f45eba801b1245264310738">
          <saml:Transforms>
            <saml:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <saml:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="ds saml xs"/>
            </saml:Transform>
          </saml:Transforms>
          <saml:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <saml:DigestValue>vzR9Hfp8d16576tEDeq/zhpmLoo=
          </saml:DigestValue>
        </saml:Reference>
      </saml:SignedInfo>
      <saml:SignatureValue>
        AzID5hhJeJlG2llUDvZswNUrlrPtR7S37QYH2W+Un1n8c6kTC
        Xr/lihEKPcA2PZt86eBntFBVDWTRlh/W3yUgGOqQBJMFOVbhK
        M/CbLHbBUVT5TcxIqvsNvIFdjIGNkf1W0SBqRKZOJ6tzxCcLo
        9dXqAyAUkqDpX5+AyltwrdCPNmncUM4dtRPjI05CL1rRaGeyX
        3kkqOL8p0vjm0fazU5tCAJLbYuYgU1LivPSahWNcpvRSlCI4e
        Pn2oiVDyrcc4et12inPMTc2lGIWWWWJyHOPSiXRSkEAIwQVjf
        Qm5cpli44Pv8FCrdGWpEE0yXsPBvDkM9jIzwCYGG2fKaLBag==
      </saml:SignatureValue>
      <saml:KeyInfo>
        <saml:X509Data>
          <saml:X509Certificate>
            MIIEATCCAumgAwIBAgIBBTANBgkqhkiG9w0BAQ0FADCBgzELM
            [Certificate truncated for readability...]
          </saml:X509Certificate>
        </saml:X509Data>
      </saml:KeyInfo>
    </saml:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        saml01@salesforce.com
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-06-17T18:50:10.738Z"
                                      Recipient="https://login.www.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-06-17T18:45:10.738Z"
                     NotOnOrAfter="2009-06-17T18:50:10.738Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2009-06-17T18:45:10.738Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="portal_id">
        <saml:AttributeValue xsi:type="xs:anyType">060D00000000SHZ
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="organization_id">
        <saml:AttributeValue xsi:type="xs:anyType">00DD0000000F7L5
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="ssostartpage"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:anyType">
          http://www.salesforce.com/security/saml/saml20-gen.jsp
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="logouturl"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">
          http://www.salesforce.com/security/del_auth/SsoLogoutPage.html
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
The Identity Provider also gave us a .pem file that apparently contains two certificate blocks. I don't know what I am supposed to do with this file. If I pull out the X509Certificate block in the assertion and decode it using a website like http://www.sslshopper.com/certificate-decoder.html, I can see the info it contains.
I have example code running so far that tests whether or not the XML signature and cert are valid. It currently is not. However, nothing in the code refers to the .pem file.
So what am I supposed to do with the *.pem file that has been provided? Any hints?
UPDATE:
Okay, I am continuing to try to solve my own problem. As I mentioned, the .pem file I have contains 2 cert blocks, so I decoded them to see the contents. The first one contains info about the Identity Provider. The second contains info about DigiCert Inc.
I am beginning to think that the purpose of the IDP cert in the .pem file is simply to match against the one sent within the XML assertion itself as a primary security check. Is that right?
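One concrete use of the .pem that follows from the update above, as an added example (not from the original question, and in Python rather than ColdFusion): pin the IdP certificate from the first block of the .pem and check that the X509Certificate carried in the assertion's KeyInfo is that exact certificate, so trust rests on the pinned file and not on whatever certificate the message happens to embed. The certificates below are constructed placeholders, not real DER.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certificates(pem_text):
    """DER bytes of every CERTIFICATE block in the .pem, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]

def keyinfo_certificate(signature_xml):
    """DER bytes of the first X509Certificate under KeyInfo, whatever prefix
    (ds:, saml:) the document uses for the XML-DSig namespace."""
    for node in ET.fromstring(signature_xml).iter():
        if node.tag.rsplit("}", 1)[-1] == "X509Certificate" and node.text:
            return base64.b64decode("".join(node.text.split()))
    raise ValueError("no X509Certificate in KeyInfo")

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def embedded_cert_is_pinned(signature_xml, pem_text, idp_block=0):
    """True only when the certificate carried in the assertion is byte-for-byte
    the IdP certificate pinned from the .pem (block idp_block; the first block in
    the question). The CA block is chain material, never an accepted signer."""
    idp_der = pem_certificates(pem_text)[idp_block]
    return fingerprint(keyinfo_certificate(signature_xml)) == fingerprint(idp_der)

# Constructed stand-ins, not real certificates: distinct byte strings so the
# comparison can be exercised offline.
IDP_DER = b"constructed IdP signing certificate"
CA_DER = b"constructed DigiCert issuing CA certificate"

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def _signature(der):
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            % base64.b64encode(der).decode())

IDP_PEM = _pem(IDP_DER) + _pem(CA_DER)                     # two blocks, like the file in the question
GOOD_SIGNATURE = _signature(IDP_DER)                       # KeyInfo carries the pinned IdP cert
UNKNOWN_SIGNATURE = _signature(b"some other certificate")  # KeyInfo carries a cert never pinned
```

The comparison complements the signature check rather than replacing it: verify the XML signature with the pinned certificate's public key, and reject the assertion when the embedded certificate differs from the pinned one even if the signature would verify under the embedded key.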

Web Service hosted by SAP and consumed by a .NET Application

I'm trying to setup an SAP Web Service that would be consumed by a .NET application. Thinking it was simple, I had set the Service up in SAP to use HTTP. I right-click on the "Service References" in the .NET Project Tree, and choose "Add Service Reference...", Enter the WSDL URL locally hosted on our servers, and press Go, then select the endpoint, then press OK.
I opened up the app.config file to find that it says <httpsTransport> instead of <httpTransport>, although I set it up to use HTTP.
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="ZHR_RECRUITNEW1">
        <!--WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'urn:sap-com:document:sap:soap:functions:mc-style':-->
        <!-- <wsdl:binding name='ZHR_RECRUITNEW'> -->
        <!-- <wsaw:UsingAddressing xmlns:wsaw="http://schemas.xmlsoap.org/ws/2004/08/addressing">..</wsaw:UsingAddressing> -->
        <!-- <saptrnbnd:OptimizedXMLTransfer xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/">..</saptrnbnd:OptimizedXMLTransfer> -->
        <!-- <sapattahnd:Enabled xmlns:sapattahnd="http://www.sap.com/710/features/attachment/">..</sapattahnd:Enabled> -->
        <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                             messageVersion="Soap11" writeEncoding="utf-8">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        </textMessageEncoding>
        <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                        maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                        realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                        useDefaultWebProxy="true" requireClientCertificate="false" />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="http://<host>:8000/sap/bc/srt/rfc/sap/zhr_recruitnew/300/zhr_recruitnew/zhr_recruitnew"
              binding="customBinding" bindingConfiguration="ZHR_RECRUITNEW1"
              contract="ServiceReference2.ZHR_RECRUITNEW" name="ZHR_RECRUITNEW1" />
  </client>
</system.serviceModel>
So, for it to work "properly", I have to rename that XML tag from httpsTransport to httpTransport and remove the attribute requireClientCertificate="false".
So, I go into SAP to set up the Service to use HTTPS, and then go back to the .NET project and re-add that service, only to get this error message:
Could not establish trust relationship for the SSL/TLS secure channel with authority '<host>:<portnumber>'.
I'm curious as to whether that comment "WsdlImporter encountered unrecognized policy assertions" in the config file has anything to do with that info being misread from SAP.
Could not establish trust relationship for the SSL/TLS secure channel with authority '<host>:<portnumber>'.
You get this because the certificate on the service provider isn't in your trusted root certificates locally.
You can add this to your code (before anything else) to ignore it:
// Returning true unconditionally accepts every server certificate, whatever sslPolicyErrors reports.
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);