PKI, SSO, LDAP, SSL Client Certificate Verification

Version 1

    I wrote this a while back so it may not feature the latest GUI. For more advanced users some GUIs displayed here are certainly trivial. I also had to obfuscate all company references. The certificate is also company specific, so the "promising candidates" will be different for your company. Nevertheless, I believe it might be useful for those struggling with these topics.

     

     

    Table of Contents

    VM Snapshot
    Enable HTTP
    PKI Certificate on Windows
    PKI Certificate on Linux
    Client Certificate via Web Server
    Specifying search/bind parameters
    ADDM, SSO and LDAP Configuration

    VM Snapshot

    Before you start with anything else, you should create a VM snapshot of the appliance. This is the most convenient and quickest way to restore an appliance you can log in to.

    In case there is no snapshot available, or no one available to restore an existing snapshot, you can also restore the most recent working backup from the command line. Depending on the size of the datastore, this can take considerably longer than restoring a VM snapshot. I would not recommend this in PROD as the datastores are usually quite large. Below is an example.

    $ tw_restore --backup-dir=/var/addm-backup/<appliance>/2016-09-11_060039_addm_backup/ --backup-ssh --host <appliance> --remote-user=tideway --remote-password=<tpw> --user=system --password=<spw> --stop-services

    Enable HTTP

    When "playing" with LDAP, LDAPS, SSO parameters, you should un-harden the appliance beforehand, to avoid cutting yourself off. This is achieved by enabling HTTP, and disabling HTTP forwarding to HTTPS. Under Administration > (Security) HTTPS, click on Configure.

    1.png

     

    Make sure HTTP is Enabled, then click on Apply.

    2.png

     

    On the command-line, you need to restart the httpd service!

     

    $ sudo service httpd restart

    Stopping httpd: [  OK  ]

    Starting httpd: [  OK  ]

    $

     

    At this point, you should be able to test the Local Login over HTTP:

     

    http://appliance.somedomain.com/ui/LocalLogin

     

    where you can provide the system user credentials. If that works, you should be safe playing with LDAP and SSO parameters. Verify that you have http (not https) in the URL: in case you cut yourself off, you can still access the GUI using this URL. Of course, to play with SSO and certificates, you'll need to use HTTPS.

    3.png

    PKI Certificate on Windows

    To see what's available on the PKI certificate, you can use the certmgr.msc tool on Windows. Select Certificates - Current User > Personal > Certificates (in the German GUI: Zertifikate - Aktueller Benutzer > Eigene Zertifikate > Zertifikate) and then the one issued by <COMPANY CA>. Double-click on that one.

    4.png

     

    Select the Details tab.

    5.png

     

    You can then click on each item to see the content. Doing that, we can find 4 promising candidates to use as the SSO extract key to configure in ADDM.

    Principal name (Prinzipalname): logonid@somedomain.com
    LogonId: logonid
    serialNumber: 12345
    Display name (Anzeigename): bernhard stern (logonid)

    PKI Certificate on Linux

    Unfortunately, most of these values sit in certificate extensions that the Linux tooling does not decode. To see the information that is available on Linux, save the certificate as a Base-64 file. Click on Copy to File... (In Datei Kopieren...)

    6.png

    then Next (Weiter)... then Next... then select Base-64 and click on Next.

    7.png

    Select the file to store the certificate in, then click on Next. I chose addm-cert.cer.

    8.png

    Click on Finish (Fertig stellen).

    9.png

    Copy this file to Linux and examine its content. Only 2 candidates remain.

    $ openssl x509 -in addm-cert.cer -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1410174102 (0x540d8c96)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=ch, O=COMPANY, CN=COMPANY CA
            Validity
                Not Before: Jun 26 05:31:48 2017 GMT
                Not After : Jun 26 06:01:48 2020 GMT
            Subject: C=ch, O=COMPANY, OU=Partner/serialNumber=12345, CN=bernhard stern
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:de:18:be:00:82:41:95:66:86:4c:ba:8d:8e:cf:
                        ...
                        d1:af
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, Microsoft Smartcardlogin
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.4147.30.1.1.24.1
                1.3.6.1.4.1.4147.30.3.1.1.1:
                    ..logonid
                X509v3 Subject Alternative Name:
                    othername:<unsupported>
                X509v3 CRL Distribution Points:
                    Full Name:
                      DirName: C = ch, O = COMPANY, CN = COMPANY CA, CN = CRL177
                    Full Name:
                      URI:ldap:///cn=CRL,cn=COMPANY CA,cn=CDP,cn=Public Key Services,cn=Services,cn=Configuration,DC=COMPANY,DC=ch?certificateRevocationList
                      URI:http://webcrls.somedomain.com/internalca.crl
                X509v3 Authority Key Identifier:
                    keyid:E4:2E:80:CA:52:07:A9:64:FA:20:86:06:31:D2:AA:A4:52:AB:D0:23
                X509v3 Subject Key Identifier:
                    B5:DA:4B:26:7B:EC:19:B2:C5:5A:BF:78:E7:AD:98:8A:9A:90:6D:BD
                X509v3 Basic Constraints:
                    CA:FALSE
                1.2.840.113533.7.65.0:
                    0
    ..V8.1....
        Signature Algorithm: sha1WithRSAEncryption
             8d:95:d9:da:25:44:fe:51:6d:20:05:f3:68:92:36:4e:b0:6d:
             ...
             b5:f3:c0:cd
    -----BEGIN CERTIFICATE-----
    MIIFXDCCBESgAwIBAgIEVA2MljANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJj
    ...
    t0OSqSWQYp6poleHyH/eSXogYonvWER4NlEBBrXzwM0=
    -----END CERTIFICATE-----
    $

    Client Certificate via Web Server

    First you need to switch the User Interface logs to Debug via Administration > Logs in the GUI.

     

    10.png

     

    To see what is actually received by the web server, we have to look at the /usr/tideway/log/tw_appserver.log file.

    The complete log extract follows; the potentially useful candidates from the client certificate (the SSL_CLIENT_* entries) are repeated after it.

     

    139843994269440: 2017-11-02 13:51:55,833: ui.web.sso.webauth.rsasecurid: DEBUG: WEBAUTH_RSASECURID_ENABLED: Check option

    139843994269440: 2017-11-02 13:51:55,833: ui.web.sso.webauth.rsasecurid: DEBUG: WEBAUTH_RSASECURID_ENABLED disabled

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: Request environment: {'DOCUMENT_ROOT': '/var/www/html',

    'GATEWAY_INTERFACE': 'CGI/1.1',

    'HTTPS': 'on',

    'HTTP_ACCEPT': 'text/html, application/xhtml+xml, */*',

    'HTTP_ACCEPT_ENCODING': 'gzip, deflate',

    'HTTP_ACCEPT_LANGUAGE': 'fr-CH,en;q=0.7,de-CH;q=0.3',

    'HTTP_AUTHORIZATION': '',

    'HTTP_CONNECTION': 'Keep-Alive',

    'HTTP_COOKIE': 'WT_FPC=id=28d45556845204d098a1492680537275:lv=1509622993321:ss=1509622725776',

    'HTTP_HOST': 'appliance.somedomain.com',

    'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',

    'PATH': '/sbin:/usr/sbin:/bin:/usr/bin',

    'PATH_INFO': '/',

    'PATH_TRANSLATED': '/var/www/html/index.html',

    'QUERY_STRING': '',

    'REMOTE_ADDR': 'remote ip address',

    'REMOTE_PORT': 'remote port',

    'REQUEST_METHOD': 'GET',

    'REQUEST_URI': '/ui/',

    'SCRIPT_FILENAME': '/var/www/html/ui',

    'SCRIPT_NAME': '/ui',

    'SCRIPT_URI': 'https://appliance.somedomain.com/ui/',

    'SCRIPT_URL': '/ui/',

    'SERVER_ADDR': 'server address',

    'SERVER_ADMIN': 'support@bmc.com',

    'SERVER_NAME': 'appliance.somedomain.com',

    'SERVER_PORT': '443',

    'SERVER_PROTOCOL': 'HTTP/1.1',

    'SERVER_SIGNATURE': '',

    'SERVER_SOFTWARE': 'Apache',

    'SSL_CIPHER': 'ECDHE-RSA-AES128-SHA256',

    'SSL_CIPHER_ALGKEYSIZE': '128',

    'SSL_CIPHER_EXPORT': 'false',

    'SSL_CIPHER_USEKEYSIZE': '128',

    'SSL_CLIENT_A_KEY': 'rsaEncryption',

    'SSL_CLIENT_A_SIG': 'sha1WithRSAEncryption',

    'SSL_CLIENT_CERT': '-----BEGIN CERTIFICATE-----\nMIIFXDCCBESgAwIBAgIEVA2MljANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJ...

    \nt0OSqSWQYp6poleHyH/eSXogYonvWER4NlEBBrXzwM0=\n-----END CERTIFICATE-----\n',

    'SSL_CLIENT_CERT_CHAIN_0': '-----BEGIN CERTIFICATE-----\nMIIF6zCCA9OgAwIBAgIEQS7nuDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJ...

    \n1rduhnavbm5JGsW8F7za6UfC6z5phIRFZRIZ3PEUvg==\n-----END CERTIFICATE-----\n',

    'SSL_CLIENT_I_DN': '/C=ch/O=COMPANY/CN=COMPANY CA',

    'SSL_CLIENT_I_DN_C': 'ch',

    'SSL_CLIENT_I_DN_CN': 'COMPANY CA',

    'SSL_CLIENT_I_DN_O': 'COMPANY',

    'SSL_CLIENT_M_SERIAL': '540D8C96',

    'SSL_CLIENT_M_VERSION': '3',

    'SSL_CLIENT_S_DN': '/C=ch/O=COMPANY/OU=Partner/serialNumber=12345/CN=bernhard stern',

    'SSL_CLIENT_S_DN_C': 'ch',

    'SSL_CLIENT_S_DN_CN': 'bernhard stern',

    'SSL_CLIENT_S_DN_O': 'COMPANY',

    'SSL_CLIENT_S_DN_OU': 'Partner',

    'SSL_CLIENT_VERIFY': 'SUCCESS',

    'SSL_CLIENT_V_END': 'Jun 26 06:01:48 2020 GMT',

    'SSL_CLIENT_V_REMAIN': '967',

    'SSL_CLIENT_V_START': 'Jun 26 05:31:48 2017 GMT',

    'SSL_COMPRESS_METHOD': 'NULL',

    'SSL_PROTOCOL': 'TLSv1.2',

    'SSL_SECURE_RENEG': 'true',

    'SSL_SERVER_A_KEY': 'rsaEncryption',

    'SSL_SERVER_A_SIG': 'sha256WithRSAEncryption',

    'SSL_SERVER_CERT': '-----BEGIN CERTIFICATE-----\nMIIFpjCCA46gAwIBAgIKGn8fiAAAAAAPzjANBgkqhkiG9w0BAQsFADBKMQswCQY...

    \nTvDVphYUfT06dg==\n-----END CERTIFICATE-----\n',

    'SSL_SERVER_I_DN': '/C=ch/O=COMPANY/CN=COMPANY CA',

    'SSL_SERVER_I_DN_C': 'ch',

    'SSL_SERVER_I_DN_CN': 'COMPANY CA',

    'SSL_SERVER_I_DN_O': 'COMPANY',

    'SSL_SERVER_M_SERIAL': '1A7F1F88000000000FCE',

    'SSL_SERVER_M_VERSION': '3',

    'SSL_SERVER_S_DN': '/C=CH/O=COMPANY/OU=Webserver/CN=appliance.somedomain.com',

    'SSL_SERVER_S_DN_C': 'CH',

    'SSL_SERVER_S_DN_CN': 'appliance.somedomain.com',

    'SSL_SERVER_S_DN_O': 'COMPANY',

    'SSL_SERVER_S_DN_OU_': 'Webserver',

    'SSL_SERVER_V_END': 'Dec 19 08:23:32 2021 GMT',

    'SSL_SERVER_V_START': 'Dec 20 08:23:32 2016 GMT',

    'SSL_SESSION_ID': '2885936A3D18039B2D0E03DEEB17C4A8D0D00834A44CD1DFF4F4BCC81ADF1EF4',

    'SSL_TLS_SNI': 'appliance.somedomain.com',

    'SSL_VERSION_INTERFACE': 'mod_ssl/2.2.15',

    'SSL_VERSION_LIBRARY': 'OpenSSL/1.0.1e-fips'}

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: SSL_CLIENT_VERIFY found: SUCCESS

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: SSL_CLIENT_S_DN: /C=ch/O=COMPANY/OU=Partner/serialNumber=12345/CN=bernhard stern

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: Certificate has 10 extension(s)

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 0: keyUsage

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 1: extendedKeyUsage

    139843994269440: 2017-11-02 13:51:55,840: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 2: certificatePolicies

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 3: UNDEF

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 4: subjectAltName

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 5: crlDistributionPoints

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 6: authorityKeyIdentifier

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 7: subjectKeyIdentifier

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 8: basicConstraints

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Add Extension 9: UNDEF

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert: DEBUG: Username is 12345 (extracted via serialNumber)

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert:DEBUG: 12345 is a valid LDAP user

    139843994269440: 2017-11-02 13:51:55,841: ui.web.sso.webauth.sslclientcert:DEBUG: 12345: Local validation failed: no such user

    139843994269440: 2017-11-02 13:51:55,842: security.api: DEBUG: Authorize user '12345', operation 'appserver/login'

    139843994269440: 2017-11-02 13:51:55,843: ui.web.sso.webauth.sslclientcert:security.api: DEBUG: Authorize user '12345', operation 'ui/dashboard/admin'

     

    Let's examine the meaningful bit of the client certificate that is available for SSO configuration.

     

    'SSL_CLIENT_I_DN': '/C=ch/O=COMPANY/CN=COMPANY CA',

    'SSL_CLIENT_I_DN_C': 'ch',

    'SSL_CLIENT_I_DN_CN': 'COMPANY CA',

    'SSL_CLIENT_I_DN_O': 'COMPANY',

    'SSL_CLIENT_M_SERIAL': '540D8C96',

    'SSL_CLIENT_M_VERSION': '3',

    'SSL_CLIENT_S_DN': '/C=ch/O=COMPANY/OU=Partner/serialNumber=12345/CN=bernhard stern',

    'SSL_CLIENT_S_DN_C': 'ch',

    'SSL_CLIENT_S_DN_CN': 'bernhard stern',

    'SSL_CLIENT_S_DN_O': 'COMPANY',

    'SSL_CLIENT_S_DN_OU': 'Partner',

    'SSL_CLIENT_VERIFY': 'SUCCESS',

    'SSL_CLIENT_V_END': 'Jun 26 06:01:48 2020 GMT',

    'SSL_CLIENT_V_REMAIN': '967',

    'SSL_CLIENT_V_START': 'Jun 26 05:31:48 2017 GMT',

    'SSL_COMPRESS_METHOD': 'NULL',

    'SSL_PROTOCOL': 'TLSv1.2',

    'SSL_SECURE_RENEG': 'true',

    'SSL_SERVER_A_KEY': 'rsaEncryption',

    'SSL_SERVER_A_SIG': 'sha256WithRSAEncryption',

     

    We see that the only available key that uniquely identifies the user is serialNumber (12345 in the subject DN); the common name is just the person's name and cannot be relied on to be unique. This is therefore the only key we can use as Extract Key in the ADDM SSL Client Certificate Verification configuration.
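As an added example (not ADDM's own code), the Extract Key step reconstructed in Python over the mod_ssl request environment shown above: a user name is only accepted when Apache reports a verified chain and the issuer is the expected CA, and an absent or ambiguous key is refused. The sample environment and the pinned issuer DN are constructed from this page's log and openssl output.

```python
# Constructed sample taken from the SSL_CLIENT_* values in the log extract
# above (the real request environment carries many more keys).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "/C=ch/O=COMPANY/CN=COMPANY CA",
    "SSL_CLIENT_S_DN": "/C=ch/O=COMPANY/OU=Partner/serialNumber=12345/CN=bernhard stern",
    "SSL_CLIENT_S_DN_CN": "bernhard stern",
}

# Issuer DN of the CA that issues user certificates (assumed from the page's
# openssl output). Pinning it is stricter than chain validation alone.
EXPECTED_ISSUER_DN = "/C=ch/O=COMPANY/CN=COMPANY CA"


def parse_slash_dn(dn):
    """Split the legacy mod_ssl one-line DN ('/C=ch/O=COMPANY/...') into
    ordered (attribute, value) pairs. This format does not escape a '/'
    inside a value, so such a value would be split here; that is a limit
    of the format itself, not something the parser can repair."""
    rdns = []
    for part in dn.split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr, value))
    return rdns


def extract_username(env, extract_key="serialNumber"):
    """Return the SSO user name taken from the client certificate, or None
    when the request must fall back to the normal login page instead."""
    # mod_ssl reports SUCCESS only when the chain validated against the CA
    # bundle configured in Apache; NONE, FAILED:... and GENEROUS are not logins.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # A valid chain says the cert is trusted, not that it came from the CA
    # that issues user certificates; compare the issuer DN as well.
    if env.get("SSL_CLIENT_I_DN") != EXPECTED_ISSUER_DN:
        return None
    values = [v for a, v in parse_slash_dn(env.get("SSL_CLIENT_S_DN", ""))
              if a == extract_key]
    # Exactly one non-empty value: none means no user name in the cert,
    # several means the key is ambiguous; both refuse rather than guess.
    if len(values) != 1 or not values[0]:
        return None
    return values[0]
```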

     

     

    Specifying search/bind parameters

     

    While the simple bind connection takes place in a single step, the search/bind operation requires two steps. First the directory is searched for the user name attribute. If located, a bind operation follows to check the user’s credentials against the external directory.

     

    1. In the User Search Base field, specify where in the directory to begin the search for the LDAP user name. This should be the DN of the search base object. Example: cn=Users,dc=somedomain,dc=com
    2. Specify the template for translating the LDAP user name to a valid LDAP search filter in the User Search Filter Template field. Must contain the following placeholder: %(username)s. Examples:
      • (sAMAccountName=%(username)s)
      • (uid=%(username)s)

     

    Documentation link: <https://docs.mesosphere.com/1.11/security/ent/ldap/ldap-auth/>

     

     

    ADDM, SSO and LDAP Configuration

     

    One of the conclusions of the above sections is that we can only use serialNumber, spelled exactly this way, as the SSO extract key. This is configured in Administration > Single Sign On, Web Authentication tab. At COMPANY, SSL Client Certificate Verification is enabled; click on Configure.

    11.png

     

    Fill in serialNumber as Extract Key and click on Apply.

    12.png

     

    The LDAP configuration is done under Administration > LDAP, in the LDAP tab.

    13.png

     

    The Search Base and the Filter depend on the way the LDAP tree is organised. (Below is the view from the LDAP side of things.)

     

    The "old" way uses the Partner tree for user authentication ...

    14.png

     

    ... and uniqueMember entries in the ADDM groups referencing the entry of the Partner tree for authorisation.

    15.png

     

    In this configuration, the LDAP parameters are straightforward (search base and search template are used for authentication, group query and membership attribute for authorisation).

    Search Base: o=COMPANY,c=ch
    Search Template: (&(objectClass=Person)(serialnumber=%(username)s))
    Group Query: (objectClass=Recht)
    Membership Attribute: uniqueMember

     

    The "new" way introduces a user subtree within ou=ADDM,ou=Rollen,o=COMPANY,c=ch (thus an ou=user,ou=ADDM,ou=Rollen,o=COMPANY,c=ch subtree) for authentication. Its members are referenced by the uid (the COMPANY logonID). Every such entry contains a principalPtr attribute that references the CifNr of the ou=Partner,o=COMPANY,c=ch tree, for the reason stated above.

    16.png

     

    For authorisation, the uniqueMember parameter references the uid of the ou=users tree.

    17.png

     

    Since we no longer reference the Partner tree, we can focus the search base on ADDM only. The search template (the filter used for authentication) is a bit more complicated: principalPtr holds the DN of the Partner entry, so the filter matches on its cifnr=<serialNumber> prefix, and the ,* at the end (a substring wildcard for the rest of that DN) is mandatory.

    Search Base: ou=ADDM,ou=Rollen,o=COMPANY,c=ch
    Search Template: (&(objectClass=PasswordUser)(principalPtr=cifnr=%(username)s,*))
    Group Query: (objectClass=Recht)
    Membership Attribute: uniqueMember
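An added example (not ADDM's code) covering both the search/bind procedure described under Specifying search/bind parameters and the two search templates above: it fills the %(username)s placeholder with the user name escaped per RFC 4515 so the value cannot alter the filter, keeps the template's own ,* wildcard intact, and enforces the single-hit rule before any bind. The templates and DNs are the page's; the search and bind callables are assumed to be supplied by the caller's directory client.

```python
# Per-character escaping for assertion values in LDAP search filters (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two User Search Filter Templates from this page.
OLD_TEMPLATE = "(&(objectClass=Person)(serialnumber=%(username)s))"
NEW_TEMPLATE = "(&(objectClass=PasswordUser)(principalPtr=cifnr=%(username)s,*))"


def escape_filter_value(value):
    """Escape a value that will be substituted into a filter, so the user
    name can never add or close filter components of its own."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, username):
    """Fill the ADDM-style %(username)s placeholder. Only the substituted value
    is escaped; syntax that belongs to the template (the trailing ,* here,
    a substring match on the rest of the principalPtr DN) is kept as written."""
    if template.count("%(username)s") != 1:
        raise ValueError("template must contain exactly one %(username)s")
    return template.replace("%(username)s", escape_filter_value(username))


def choose_bind_dn(search_results):
    """Step 1 of search/bind: the search must return exactly one entry.
    Zero hits means an unknown user; several mean the filter is not selective
    enough, and binding as 'whichever entry came first' is refused."""
    if len(search_results) != 1:
        return None
    return search_results[0]


def search_and_bind(search, bind, base, template, username, password):
    """Two-step authentication: search(base, filter) -> list of DNs, then
    bind(dn, password) -> bool. Both callables are assumed to wrap the real
    directory connection. Returns the authenticated DN or None."""
    dn = choose_bind_dn(search(base, build_search_filter(template, username)))
    if dn is None:
        return None
    return dn if bind(dn, password) else None
```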