aa enabling a closed source legacy application
play

AA enabling a closed source legacy application Jan Du Caju ICT - PowerPoint PPT Presentation

Nov 12, 2022 •150 likes •426 views

EuroCAMP 15nov2007 AA enabling a closed source legacy application Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context

  1. EuroCAMP 15nov2007 AA enabling a closed source legacy application Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be

  2. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  3. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  4. EuroCAMP 15nov2007 Introduction: context association K.U.Leuven educational landscape reflects political situation association K.U.Leuven 1 university and 12 schools of higher education Need for resource sharing 2004: Shibboleth for institutional and inter-institutional web resources Jan.DuCaju@icts.KULeuven.be

  5. EuroCAMP 15nov2007 Introduction: context association K.U.Leuven Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure incl. Shibboleth IdP) Resources e-learning: Blackboard and other coupled education apps library: Ex Libris, and access to scientific papers, publications and databases work place context: Horde webmail, groupware and inter-institutional offers research context: HPC et al administrative and organizational context: SAP Federations K.U.Leuven (institutional) Association K.U.Leuven K.U.Leuven - UZLeuven (university hospital) Not yet :-\ a national federation at NREN level (Belnet) Jan.DuCaju@icts.KULeuven.be

  6. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  7. EuroCAMP 15nov2007 Case : AA enabling SAP Administrative and organizational applications: SAP K.U.Leuven: Campus management, HR, FI, … Corona project: 6 institutions of association K.U.Leuven for implementing SAP campus management SAP access control possibilities Basic authentication Digest Form Client certificate Evaluate assertion ticket (SAML) SAPssoTicket Goals: password does not pass the application use an AAI component Jan.DuCaju@icts.KULeuven.be

  8. EuroCAMP 15nov2007 Case: AA enabling SAP SAP access control via evaluation of an assertion ticket Problem: SAP speaks a subset of SAML1.1 :-( • Assertions must not contain the elements Condition and AudienceRestrictionCondition • Assertions must have exactly one AuthenticationStatement element which must have a NameIdentifier element • If present, the elements AuthorizationDecisionStatement and AttributeStatement are ignored • Creating or verifying digital signatures is not supported SAP considers to implement SAML2.0 sometime in the future :-( Jan.DuCaju@icts.KULeuven.be

  9. EuroCAMP 15nov2007 Case: AA enabling SAP Shibboleth enabled reverse proxy in front of SAP servers Extra layer of security Usage of AAI Shibboleth component for general access control Jan.DuCaju@icts.KULeuven.be

  10. EuroCAMP 15nov2007 Case: AA enabling SAP Access control Reverse proxy access control via Shibboleth (mod_shib) Only general access control, application specific authZ remain in application SAP access control via a valid SAPssoticket obtained at J2EE-engine (SAP portal) Jan.DuCaju@icts.KULeuven.be

  11. EuroCAMP 15nov2007 EuroCAMP 15nov2007 Case: AA enabling SAP r e v e r s e p r o x y Jan.DuCaju@icts.KULeuven.be Jan.DuCaju@icts.KULeuven.be

  12. EuroCAMP 15nov2007 Access control via SAP SSO ticket JAVA and ABAP web apps access via browser SAP SSO ticket in cookie ABAP non-web apps access via a client: SAPgui link or URL (in SAP portal) to a SAPgui Shortcut file associated in Windows with the SAPgui client contains SAP SSO ticket Jan.DuCaju@icts.KULeuven.be

  13. EuroCAMP 15nov2007 Accessing SAP applications JAVA and ABAP web apps (link in SAP portal or in WAS) ABAP non-web app via link to a SAPgui shortcut file firewall https://webwsp.aps.kuleuven.be https://wsp.cc.kuleuven.be Java / Portal Apache reverse proxy LoginModuleStack mod_SSL (mod_security) Evaluate ticket Login Module SUFFICIENT mod_shib mod_proxy Header Variable Login Module OPTIONAL browser Create ticket Login Module SUFFICIENT p11.cc.kuleuven.be SAPssoTicket ABAP SAPgui Evaluate SAPssoTicket REQUIRED Jan.DuCaju@icts.KULeuven.be

  14. EuroCAMP 15nov2007 Accessing SAP JAVA and ABAP web apps Jan.DuCaju@icts.KULeuven.be

  15. EuroCAMP 15nov2007 Accessing SAP ABAP non-web applications Example of SAPgui Shortcut file (tx.sap) [System] Name=P11 Client=300 GuiParm=/M/P11.cc.kuleuven.be/S/3600/G/productie [User] Name=U0001439 at="MYSAPSSO2=AjExMDAgAA9wb3J0YWw6VTAwMDE0MzmIABNiYXNpY2 F1dGhlbnRpY2F0aW9uAQAIVTAwMDE0MzkCAAM5OTkDAANXU1AEAAw yMDA3MDUxMDE1NTAFAAQAAAAMCgAIVTAwMDE0Mzn/APUwgfIGCSqG SIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNA QcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxMDV1NQAgEAMAkGBSsOAw IaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb 3DQEJBTEPFw0wNzA1MTAxNTUwNDJaMCMGCSqGSIb3DQEJBDEWBBRf V5O19GIZCInkdkYoC0N7AxN7XDAJBgcqhkjOOAQDBC8wLQIUL2rYN SImSAsBhWBuRDQzUiISASMCFQCTPasn/RL26iMTko2cSWK/jDtW1A ==" [Options] Reuse=0 Jan.DuCaju@icts.KULeuven.be

  16. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  17. EuroCAMP 15nov2007 Configuration overview Communication reverse proxy and SAP portal: Vhost webwsp.asp.kuleuven.be Adjusting SAP LoginModuleStack Configuration of access to SAP servers SAP transactions : rz10 and strustsso2 Jan.DuCaju@icts.KULeuven.be

  18. EuroCAMP 15nov2007 Vhost webwsp.aps.kuleuven.be SSL enabled # communication to browser SSLEngine On SSLCertificateFile /etc/pki/webwsp.aps.kuleuven.be.crt SSLCertificateKeyFile /etc/pki/webwsp.aps.cc.kuleuven.be.key # mutual certificate authentication with SAP SSLProxyEngine On SSLProxyCACertificateFile /etc/pki/ca-bundle.crt SSLProxyMachineCertificateFile /etc/pki/webwsp.pem SSLProxyVerify require SSLProxyVerifyDepth 3 Jan.DuCaju@icts.KULeuven.be

  19. EuroCAMP 15nov2007 Vhost webwsp.aps.kuleuven.be (continued) Protected with Shibboleth authorization based on affilation header shib-person-uid must be set <Location /> AuthType shibboleth ShibRequireSession on require affiliation member </Location> Reverse proxy ProxyPass / https://wsp.cc.kuleuven.be:8098/ retry=2 ProxyPassReverse / https://wsp.cc.kuleuven.be:8098/ ProxyVia Off ProxyPreserveHost On Jan.DuCaju@icts.KULeuven.be

  20. EuroCAMP 15nov2007 Login Module Stack of J2EE - engine Visual administrator Security Provider SAP-J2EE-engine Jan.DuCaju@icts.KULeuven.be

  21. EuroCAMP 15nov2007 transaction rz10 Allow access with SAPssotickets Jan.DuCaju@icts.KULeuven.be

  22. EuroCAMP 15nov2007 transaction strustsso2 Configure which SAPssotickets are allowed (signed by) Jan.DuCaju@icts.KULeuven.be

  23. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  24. EuroCAMP 15nov2007 AA enabling via reverse proxy remote_user in backend server - complex rewrite rules - use another header variable released by IdP e.g. shib-person-uid Security (spoofing): only uid is passed no password - mutual certificate authentication between proxy and backend server - persistent connection over ssl (keep-alive) is not yet :-/ possible with Apache mod_proxy - firewall filtering Jan.DuCaju@icts.KULeuven.be

  25. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  26. EuroCAMP 15nov2007 Conclusion AA enabling a closed source legacy application - dependent on application - one possibility: by means of a Shibboleth enabled reverse proxy in front of the app Credits URL’s Philip Brusten http://kuleuven.be/english Jan Van der Velpen http://associatie.kuleuven.be/eng http://shib.kuleuven.be Jan.DuCaju@icts.KULeuven.be

Recommend

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS 2014 Workshop. March 30th. Co-located with IEEE VR 2014 David J. Zielinski (Duke University) Ryan P. McMahan (The University of Texas at Dallas)

424 views • 25 slides
Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat

Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat

Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat and Weapon Systems Alan Thomas Senior Scientist Naval Surface Warfare Center Dahlgren The Bottom Line Up Front Net-Centric Adapter for Legacy

423 views • 10 slides
Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article

Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/267236046 Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article CITATIONS READS 0 74 2 authors

369 views • 11 slides
MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in Children v. 13-16 Legacy in Eternity v. 17-31 LEGACY IN MARRIAGE 2 Schools of thought 1. Rabbi Sammai- Strict interpretation. Divorce only

775 views • 9 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising

WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising

WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising from NORM and radioactively contaminated legacy sites to support the management of remediation Rodolfo Avila Tasks Task 1 Methodology for

550 views • 27 slides
Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy

Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy

Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy pesticides Evaluated extensively in environmental review, design and DDW review processes Few legacy pesticides detected in RTP source waters Of

255 views • 4 slides
Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy and the spirit of Truc Lam Yen Zen Buddhism, the Legacy Yen Tu is an inspiring journey into the past. It offers travelers a stay filled with storied

688 views • 32 slides
Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm Overview Why we needed application credentials What are application credentials? (with demo!)

637 views • 25 slides
Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular

Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular

Date: Aug 01, 2018 Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular Category: Normal Galaxies, Groups, and Clusters Total time: 6.24 Calibration sources for the Tianlai 21 cm Polar Cap Survey

468 views • 24 slides
Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary |

Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary |

Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary | www.SalientCRGT.com | 1 Customer Challenge A legacy application depends upon the manual collection and entry of data: Download paper surveys

689 views • 5 slides
Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation

Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation

Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation Singapore Source: ABS 3 The birth of 2017 A peer-to-peer transfer service 9 banks An opportunity to reduce cash payments 2014 A new era

371 views • 23 slides
Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861

Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861

Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861 Carbon Engineering Management Team Investors / Partners Bill Gates Murray Edwards David Keith Adrian Corless Exec Chair / Founder CEO

439 views • 21 slides
Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source,

Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source,

GP32, the Pandora and the Pyra past, present and future of OpenSource-(Gaming)-Handhelds Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source, commercial handheld made by a small company from Korea

328 views • 19 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal is to create

1.18k views • 56 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal

412 views • 40 slides
Open source and my life Otvio Santana @otaviojava successful Success to my Family Legacy

Open source and my life Otvio Santana @otaviojava successful Success to my Family Legacy

Open source and my life Otvio Santana @otaviojava successful Success to my Family Legacy Hacking the success I see software everywhere Software behind Software Me and Open Source Community Conferences Take a note Track it Follow

398 views • 38 slides
LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM Qubec , is comprised of 163 charitable organizations that support its mission which is to encourage the population of Quebec to make a planned

312 views • 18 slides
Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com Case Study Migrating Legacy.com Jordan Ryan Product Owner Ankur Gupta Lead Developer Bassam Ismail Front-end Lakshmi Narasimhan RESTful

458 views • 45 slides
Corporate presentation Rhea - Because Data Matters Legacy and Self-Service Applications High

Corporate presentation Rhea - Because Data Matters Legacy and Self-Service Applications High

Corporate presentation Rhea - Because Data Matters Legacy and Self-Service Applications High maintenance cost A legacy application is like an antique car it may continue to operate, but every additional year of usage makes it more fragile

382 views • 21 slides
ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi

ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi

Pacific PNT May 2-4, 2017 Honolulu, Hawaii ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi Fontana 2 , Salvatore Sabina 2 , Francesco Rispoli 2 , Roberto Capua 3 , Giorgia Olivieri 3 , Fabio

523 views • 23 slides
LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems

LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems

LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems I. Legacy Outline I. Legacy a) Mission and History b) People, Services, and Locations c) Financial Strength II. Partnership a)

603 views • 26 slides
The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL -

The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL -

The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL - January 24 th 2014 The Legacy of Godfrey Stafford a Celebration Andrew Harrison Diamond Light Source RAL - January 24 th 2014 Running motorbike

340 views • 33 slides
Mobile CORD (M-CORD) - Enabling 5G on CORD Kang-Won Lee (kangwon@sk.com) SVP of R&amp;D, Network

Mobile CORD (M-CORD) - Enabling 5G on CORD Kang-Won Lee (kangwon@sk.com) SVP of R&amp;D, Network

Mobile CORD (M-CORD) - Enabling 5G on CORD Kang-Won Lee (kangwon@sk.com) SVP of R&amp;D, Network IT Convergence Operator Challenges State of the infrastructure: Built with closed proprietary boxes Inefficient utilization (including

404 views • 9 slides

More recommend