Saturday, November 17, 2007

BEA Aqualogic Portal (ALUI) - Single Sign On (SSO) Concerns and Techniques

As explained very well on this great post "Changing SSO Settings" from Function1, it is highly recommended to protect only the "SSOServlet" (default path= /portal/SSOServlet) when you want to SSO-enable the ALUI Portal. As I worked recently with an integration of ALUI with CA Siteminder, I am going to go a little bit further so that the SSO solution is complete.

But first, the 2 benefits of protecting only SSOServlet are:

  • Performance (as explained in Function1's post)
  • Enable guest access to the portal with same url (the portal is the gate, not the SSO agent)

But the main concerns are related to the SSO Session versus the Portal Session. As explained in Function1's post, the timeouts of portal and SSO agent should be in sync so that the user is actually logged out when the portal session times out (20 minutes by default). As it is well explained, you want both timeout to be very close, the portal timeout being trigged a bit before the SSO timeout.

But that's where I want to go just a little further...timeout sync is not enough to make the system perfect. Indeed, 2 extra use cases exist (and are not covered yet):

  1. SSO session "keep-alive"
  2. SSO session Logged out.

SSO session "keep-alive"

Basically, after the user successfully logged into ALUI portal (using SSO login screen), a SSO token has been created for its session (SSO cookie embedded in the browser session). But the problem is that after a successful login, the portal won't call SSOServlet again, and thus the SSO agent (generally on the web server front end, or the application server hosting the portal) has no longer anything to say about the traffic going through its agent since it is all unprotected from its point of view. Actually, it is as if the agent is not even seeing that traffic at all. Why do we care?? Well, the SSO session timeout is only refreshed if the agent is actually seeing any protected traffic. When the agent is not seeing any protected traffic, the timeout count down starts.

So to sum up, when the user successfully logged in the portal and is browsing the portal protected content, it is as if the session was idle from the Siteminder point of view. That is perfectly fine (at least you wont notice the problem) if you only use SSO for the portal. But imagine you use SSO for any other application in your enterprise (which is the use of SSO by the way :) ), or even portlets within your ALUI portal, then you probably don't want your SSO session to timeout while you are browsing the portal. Otherwise, after 20 or 30 minutes (whatever is set up on your SSO system for SSO timeout), you will still be able to browse the portal fine (since you are not idle from the portal point of view), but your SSO Session WILL HAVE TIMED OUT...and you will have to login again if you go to another of your favorite enterprise SSO protected sites...

So how can we make that work?? How can we ensure that the SSO session (or SSO token) is "kept alive" while we browse the portal?? Very simple trick actually: I basically created a dummy SSO protected content on the front end web server (for example http://portal.com/sec/dummy.html) and embedded that url in an invisible iframe in every portal pages (well suited for the footer portlet of your portal, or better, put that in your favorite liquidskin component - see my liquidskin ongoing serie "Overview of BEA ALUI LiquidSkin: Part 1" and "Overview of BEA ALUI LiquidSkin: Part 2")...

Basically, you have <iframe src="http://portal.com/sec/dummy.html" width="0" height="0"></iframe> at the bottom of every page you wish...it seems low tech, but works pretty well: every portal pages that have that footer portlet will initiate a request to that protected url, letting the SSO agent know: Hey, i am not idle, my session is still alive!!

Ok, good...but I am still not happy yet :)

SSO Log out

When you logout from the portal, you also want the SSO session to be logged out too. this is easy enough with CA siteminder: in the SSO policy you just provide the log out pattern to look for (usually something like /portal/server.pt?open=space&name=Login&control=Login&doLogout=&clearsession=true">/portal/server.pt?open=space&name=Login&control=Login&doLogout=&clearsession=true">/portal/server.pt?open=space&name=Login&control=Login&doLogout=&clearsession=true">http://<portal>/portal/server.pt?open=space&name=Login&control=Login&doLogout=&clearsession=true) and the SSO agent (remember it is on your front end web server or application server) will kill the SSO token if it intercept such a pattern in the request url. Cool!! That way, when you click log off in the portal, you are actually logged out.

But again, let's imagine we have multiple systems that uses the SSO session. You first loggedin the portal, browse it a little, and then decide to go to this other SSO-protected application. Then you decide you are finished and logout from there. What happens if you log out from another system apart from the portal?? Well if you don't do anything special, you will logoff from this other application, which will normally kill the SSO session (same "finding logout url pattern" technique)...but if you go back to the portal after that (and you were previously logged in)...oh surprise, you can go in no problem!! Well that's normal, your portal session is not over yet (provided that you were not away from the portal more than the portal timeout) and you did not do anything to finish it...

But that is not how it should work, right? If the SSO session is over (by logging off from any SSO protected system), you should not be able to go in any other SSO protected system!! Just imagine if your favorite banking web site was working this way...you logoff from your savings account, but your checking account interface is not logged off...I would not particularly like that from a security point of view :)

So we have to deal with it: I see 2 options in order to make sure all your systems are logging out when 1 is logging out:

  • Having an independent logout page that initiates logout requests for all the protected applications in your enterprise (for example an HTML page containing as many <img> tags or <iframe> tags as you have application to log out) -- I don't like this method so much because I will have to maintain this central logout page as soon as I add / remove a protected application in my environment,
  • Making applications log out on their own if the SSO token is not there. (or at least forcing any requests to SSO login if the SSO token is not present in the request)

The second solution is to me the best since it works once and for all. But it is a little more complex than the first one since we are protecting only the SSOServlet...(if the site was fully protected, that would work without doing anything...the agent would not see the SSO token and would not let you pass as long as you don't authenticate successfully)

How can we do that in the portal? I chose to implement a JAVA filter (I was working with JAVA portal with that client) that checks for SSO token presence (you can implement the same filter functionality in DOTNET too: it is called http module). The simplified logic is:

  • If SSO token is present and valid, do nothing,
  • Otherwise, force portal logout (if you actually previously logged in)...which will make the request being redirected to SSO login...

Et Voila! That way, the portal will logout nicely, on his own, when no SSO token is found.

I hope this helps you better understand the different concerns of implementing Single Sign On with your favorite ALUI portal (would actually apply to other portals too)

Saturday, November 3, 2007

How to Change ALUI Components Passwords

Each ALUI component requires Database information (host, schema, user, password, etc…) in order to interact with their respective Database.

When DBAs change the password of a database user (in some companies, it can actually happen pretty often) that is used by an Aqualogic User Interaction component, a similar “password change” procedure has to be done for each the concerned components’ configuration files.

If that was just it, that could be easy...but thanks to security, every passwords in the ALUI configuration files are encrypted...and thus, you need to encrypt the password too. But how do you encrypt those passwords? Where is the encryption utility?

ALUI provides several encryption mechanisms that you can apply to each component. I will try to walk you through what I call the encryption maze so that changing ALUI passwords becomes a breeze. (Note: files *.bat or *.cmd exist also in the unix/linux world...extension sh)

ALI Portal

DB Configuration File(s) path :

<PORTAL_HOME>\settings\common\serverconfig.xml

Encryption Utility path:

  • <PORTAL_HOME>\ptportal\<VERSION>\bin\ptconfig.exe (this utility will change the password directly in the serverconfig.xml file, OR
  • <PORTAL_HOME>\ptportal\<VERSION>\bin\cryptoutil.bat (must be executed in a shell or dos prompt -- provides the encrypted version of the text provided)

ALI publisher / Workflow

DB Configuration File(s) path:

  • <PORTAL_HOME>\ptcs\<VERSION>\settings\config\database.content.properties (publisher DB connection)
  • <PORTAL_HOME>\ptcs\<VERSION>\settings\config\database.portal.properties (portal DB connection)
  • <PORTAL_HOME>\ptworkflow\<VERSION>\settings\config\application.conf (workflow DB connection)

Encryption Utility path:

<PORTAL_HOME>\ptcs\<VERSION>\bin\native\pcsencrypt.cmd

Note: You can use that same utility to encrypt the publisher basic authentication user password too.

ALI Collaboration

DB Configuration File(s) path:

  • <PORTAL_HOME>\ptcollab\<VERSION>\settings\config\database.xml (collaboration DB connection)
  • <PORTAL_HOME>\ptnotification\<VERSION>\settings\config\database.xml (notification DB connection)

Encryption Utility path:

<PORTAL_HOME>\ptcollab\<VERSION>\bin\passwordChanger.bat

The utility passwordChanger.bat will change the password in both config file and database directly. This is very useful indeed, but what if the DBA only can change the password, or what if he already did change it...What now? Well another solution is available to you...you can use another encryption utility that works (weirdly): The publisher encryption utility <PORTAL_HOME>\ptcs\<VERSION>\bin\native\pcsencrypt.cmd

Note: You can use that same utility to encrypt the collaboration basic authentication user password too.

Studio

DB Configuration File(s) path:

  • <PORTAL_HOME>\ptstudio\<VERSION>\settings\config\PTStudioConfig.xml (studio and portal DB connections)

Encryption Utility path: No encryption utility is provided in the studio directory, so believe it or not...you guessed it...again the publisher encryption utility can be used for both studio and portal DB passwords.

<PORTAL_HOME>\ptcs\<VERSION>\bin\native\pcsencrypt.cmd

Analytics

  • <PORTAL_HOME>\ptanalytics\<VERSION>\settings\config\security\securityservice-config.xml (portal DB connection)
  • <PORTAL_HOME>\ptanalytics\<VERSION>\settings\config\hibernate.properties (analytics DB connection)
  • <PORTAL_HOME>\ptanalytics\<VERSION>\settings\config\configurator.properties (analytics, portal, collaboration and publisher DB connections)
  • <PORTAL_HOME>\ptanalytics\<VERSION>\settings\config\jobs.properties (portal, collaboration and publisher DB connections)

Encryption Utility path: Analytics provide a web configuration interface for changing DB connections and passwords in all the configuration files. But if you need to do it yourself without this web interface, again a solution exist: this time use the ... portal encryption for all the passwords!!

<PORTAL_HOME>\ptportal\<VERSION>\bin\cryptoutil.bat

 

That's all I got for now! Hope this helps to navigate in ALUI Password encryption hell! :)