Thursday Nov 05, 2009

Harden OpenSSO By Disabling ssoadm.jsp

Notwithstanding that it is still a secret, we've just added a property that allows you to disable ssoadm.jsp to harden your system and reduce attack vectors. The property is ssoadm.disabled; add it to the Advanced properties with a value of true.

  1. Log into the OpenSSO console as administrator.
  2. Click the Configuration tab.
  3. Click the Servers and Sites tab.
  4. Click the Server name in the Servers table.
  5. Click the Advanced tab.
  6. Click Add in the Advanced Properties table.
  7. Enter ssoadm.disabled as the Property Name and true as the Property Value.
  8. Click Save.

You can also add this property as a default setting for future server configurations by clicking the Default Server Settings button under the Servers and Sites tab.

And now here's the only song that I know of that uses the word harden. The video is a live performance of Quarterflash singing (and playing saxophone on) Harden My Heart.

Wednesday Jul 29, 2009

OpenSSO's Secret Place

Look in the OpenSSO-Deploy-Base\*/opensso directory and you'll find ssoadm.jsp. This best kept secret is the web version of the ssoadm command line interface and can be used as such - although it's technically a secret. So check it out but don't tell them I sent you.

And now listen to Joni Mitchell and Peter Gabriel singing My Secret Place.

\* OpenSSO-Deploy-Base represents the directory in which your particular web container deploys the opensso.war.

Tuesday Mar 31, 2009

Get Off My Case if You Can't Export OpenSSO Configuration Data

I wanted to export the configuration data on my install of OpenSSO, so I went back to the directory that was created after I expanded opensso.zip to set up the ssoadm command line utility. Here are the steps I followed.

  1. Set JAVA_HOME and PATH variables to point to the correct version of Java; in this case, version 1.5.
    # JAVA_HOME=/usr/java/jdk1.5.0_14
    # export JAVA_HOME
    # PATH=$JAVA_HOME/bin:$PATH;
    # export PATH
  2. Create a directory into which you will expand the ssoAdminTools.zip.
    # mkdir /ssoadmtool
  3. Unzip ssoAdminTools.zip into the top-level directory created.
    # cd /opensso/tools
    # unzip ssoAdminTools.zip -d /ssoadmtool
    # cd /ssoadmtool
    # ls -la
    total 320
    drwxr-xr-x   6 root     root          10 Mar 31 10:42 .
    drwxr-xr-x  42 root     root          47 Mar 31 08:16 ..
    -rw-r--r--   1 root     root        4796 Mar 18 01:31 README.setup
    drwxr-xr-x   2 root     root          25 Mar 18 03:55 lib
    -rw-r--r--   1 root     root       17003 Mar 18 01:31 license.txt
    drwxr-xr-x   3 root     root           3 Mar 31 10:42 opensso
    drwxr-xr-x   2 root     root        1161 Mar 18 03:55 resources
    -rwxr-xr-x   1 root     root        2638 Mar 18 01:31 setup
    -rw-r--r--   1 root     root        3182 Mar 18 01:31 setup.bat
    drwxr-xr-x   4 root     root           4 Mar 18 01:31 template
  4. Run setup from the top-level ssoadmtool directory.
    # ./setup
    
    Path to config files of OpenSSO server (example: /opensso):/opensso
    Debug Directory:/opensso/debug
    Log Directory:/opensso/log
    The scripts are properly setup under directory: /ssoAdmin/opensso
    Debug directory is /opensso/debug.
    Log directory is /opensso/log.
    The version of this tools.zip is: (2009-March-18 01:14)
    The version of your server instance is: (2009-March-18 01:14)
  5. Run ssoadm using the export-svc-cfg option.

    ./ssoadm export-svc-cfg -e secretenckey -o /var/tmp/config.xml -u amadmin -f /tmp/password

    • -e defines the key that will be used to encrypt any sensitive information in the configuration data store.
    • -o defines the name and location of the XML file to which the configuration data will be written.
    • -u defines the OpenSSO administrator; by default, amadmin.
    • -f defines the name and location of the file that contains the OpenSSO administrator's password.

    config.xml is created in /var/tmp and contains the configuration data stored in the OpenSSO embedded configuration data store.

Now I'm exporting (-o you) the loveliness that is the Comateens singing Get Off My Case in the old train station in Hoboken, New Jersey. They are a great band singing in a great city in an OK state. And I would know - I lived in Hoboken for three years.
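
The export in step 5 reads the amadmin password from a file and writes the configuration data to disk, so it is worth checking before the run that neither location is open to other local users. The following pre-flight check is an added example, not part of the original post or of OpenSSO; the function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight permission checks for the ssoadm export above.
# Function names are hypothetical; only ls, cut and test are used.

# mode_bits PATH -> prints the nine permission characters from `ls -ld`
# (for example rw-------).
mode_bits() {
    ls -ld -- "$1" | cut -c2-10
}

# is_owner_only FILE -> 0 if FILE is a regular file, not a symlink,
# and grants nothing to group or other.
is_owner_only() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(mode_bits "$1")" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# is_private_dir DIR -> 0 if DIR is a real directory with no group/other access.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case "$(mode_bits "$1")" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight_export PWFILE OUTDIR -> 0 only when both pass the checks above.
preflight_export() {
    is_owner_only "$1" || {
        echo "$1: must be a regular file with no group/other access" >&2
        return 1
    }
    is_private_dir "$2" || {
        echo "$2: must be a directory with no group/other access" >&2
        return 1
    }
}

# Usage with the options from step 5 (directory and file names are constructed):
#   umask 077; mkdir /root/ssoexport
#   preflight_export /root/ssoexport/password /root/ssoexport &&
#     ./ssoadm export-svc-cfg -e secretenckey -o /root/ssoexport/config.xml \
#         -u amadmin -f /root/ssoexport/password
```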

About

docteger
