Thursday Feb 12, 2015

Sudden SSLv3-related errors in OUD explained

Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91 and above) the Java Runtime Environment has SSLv3 disabled by default. More details about this change is available at http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

Any attempt to connect to OUD with SSLv3 after applying the Java update above will fail with the error message below in the access logs:

[09/Feb/2015:12:51:48 +0100] DISCONNECT conn=102 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[09/Feb/2015:12:51:48 +0100] CONNECT conn=102 from=****:14123 to=****:1636 protocol=LDAPS

For testing purpose only, a procedure to re-enable SSLv3 is described in http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html howewer it is time to identify the LDAP client culprit and apply the appropriate security fix so that it uses TLS.


Tuesday Feb 04, 2014

Binding a server to privileged port on Linux w/o running as root

This is applicable to any service using privileged ports (< 1024), for instance to run a HTTP server on port 80 or a LDAP directory server on port 389.

  • Running the server as root is not a recommended option for security reasons.
  • Using iptables to map privileged port (e.g. 389) to non-privileged port is a well-know method.
  • Updating the Linux config to put 389 on the non-privileged port list is another option.

There is another option that I use frequently, based on setcap to run OUD on port 389 in my labs:

This solution requires install and modification of a java 7 JVM specifically for OUD use.

Such configuration has security implications, as anyone running that JVM has the right to bind on privileged ports (settings are JVM wide, not restricted to a specific jar file/application), so the jvm access should be restricted to the appropriate user only (the one allowed to start OUD)

Here is the procedure:

  1. download patchelf sources from here and compile them on target Linux.
  2. install setcap package on Linux if needed
  3. install a java 7 SDK on target system e.g. /space/java/jdk1.7.0_45
  4. restrict access to that jvm (java and jre) to the appropriate user only (the one used to start OUD).
    Put in place additional security if needed.
  5. as root, run the following commands to allow java to bind as priviledged ports

    setcap cap_net_bind_service=+epi <JAVA_HOME>/bin/java
    setcap cap_net_bind_service=+epi <JAVA_HOME>/jre/bin/java


  6. - change java dynamic library loading strategy as default strategy is not compatible with setcap

    patchelf --set-rpath <JAVA_HOME>/jre/lib/amd64/jli <JAVA_HOME>/jre/bin/java
    patchelf --set-rpath <JAVA_HOME>/lib/amd64/jli <JAVA_HOME>/bin/java


  7. - Modify jvm used by oud

    edit java.properties and modify property e.g default.java-home
    run dsjavaproperties

  8. - start OUD with standard start-ds command.


Wednesday Nov 06, 2013

New Oracle White Paper about Directory Services Integration with Database Enterprise User Security

I've written a new Oracle White Paper about Directory Services Integration with
Database Enterprise User Security based on 2 recent posts, https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db and  https://blogs.oracle.com/sduloutr/entry/oud_eus_take_1_db

The official document is available at http://www.oracle.com/technetwork/database/security/dirsrv-eus-integration-133371.pdf

Friday Aug 30, 2013

Migrating SSL Certificates to OUD

By default, self-signed certificates are automatically asssigned to OUD instances.

In some cases, you might want to reuse a DSEE server certificate for the new OUD instance, so that the migration is transparent for SSL clients. Note that this might require installation of the OUD instance on the same box as the DSEE depending on SSL certificate options used.

If you want to have your OUD instance reuse the SSL servert certificate,  perform the following steps

1. export the DSEE server certificate to a PKCS12 file (e.g dsee.p12) as described in the ODSEE admin guide
    The exact procedure may depend on the DSEE release. On DSEE 6.x, DSEE 7.x and ODSEE, run the command below:

    dsadm export-cert -o dsee.p12  <instance_path> defaultCert

Note: By default, the alias of the DSEE server cert is defaultCert. Use the appropriate alias in case you choosed to use another value.

2. copy the PKCS12 file to <OUD_INSTANCE>/config

3. create a pin file containing the pkcs12 file password e.g. dsee.p12.pin in the <OUD_INSTANCE>/config directory

At that stage, the DSEE server certificate can be imported in the OUD instance in 2 different ways:
- either configure a PKCS12 OUD keystore pointing to the file exported from DSEE
or
- import the DSEE certificate to the default JKS OUD keystore

To configure a OUD PKCS12 keystore, perform the following steps:

4.1 Configure the PKCS12 keystore

dsconfig set-key-manager-provider-prop \
         --provider-name PKCS12 \
         --set key-store-file:config/dsee.p12 \
         --set key-store-pin-file:config/dsee.p12.pin \
         --set enabled:true \
         ...


4.2 Configure the LDAPS connection handler to use the pkcs#12 keystore

dsconfig set-connection-handler-prop \
         --handler-name LDAPS\ Connection\ Handler \
         --set key-manager-provider:PKCS12 \
         ...


To import the DSEE certificate key pair to the existing OUD JKS keystore, perform the following steps:

5.1 Locate the JAVA_HOME of the jvm used by OUD

    The version of the JVM used is displayed at startup in the OUD error log

5.2 Run the following command to import the DSEE certificate

JAVA_HOME/bin/keytool -v -importkeystore -srckeystore <Path to PKCS12 cert file exported from DSEE>  -srcstoretype PKCS12 -destkeystore <OUD_INSTANCE_DIR>/OUD/config/keystore  -deststoretype JKS

    When prompted, specify the JKS pin (available in <OUD_INSTANCE_DIR>/OUD/config/keystore.pin  and the PKCS12 pin you used to export the DSEE server cert

5.3 Check import

    To list the content of the OUD JKS keystore, use the following:

    JAVA_HOME/bin/keytool -list -keystore <OUD_INSTANCE_DIR>/OUD/config/keystore

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

defaultcert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 10:63:DC:B5:6B:C8:F3:A0:6B:A7:23:9E:0B:EA:9C:30

server-cert, Aug 29, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:C9:F3:8A:49:98:96:15:EF:AC:B4:08:6F:76:FB:05


By default, the DSEE server cert alias is defaultcert.
By default, the OUD server cert alias is server-cert.
By default, OUD let java  automatically choose the best server-cert amongst those present in the keystore. If you want to force the use of  one certificate, do the following:

dsconfig set-connection-handler-prop \
         --handler-name LDAPS\ Connection\ Handler \
         --set ssl-cert-nickname:defaultcert \

         ...

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today