Title: Arial 28pt'

About This Presentation

Title:

Title: Arial 28pt'

Description:

IBM/Apache Web Server (to allow use of browser as GUI) ... http://www.informationweek.com/story/showArticle.jhtml?articleID=6500072&pg no=1 ... – PowerPoint PPT presentation

Number of Views:184

Avg rating:3.0/5.0

Slides: 55

Provided by: fellenm

Category:

more less

Transcript and Presenter's Notes

Title: Title: Arial 28pt'

1
ASE123 Implementing SSO and Access Control with
ASE
Govind Seshadri HSBC VP,Database
Administrator govind.seshadri_at_us.hsbc.com Bill
Zhang Sybase Inc. Principal System
Consultant bill.zhang_at_sybase.com August 15-19,
2004
2
The Enterprise. Unwired.
3
The Enterprise. Unwired.
Industry and Cross Platform Solutions
Unwire People
Unwire Information
Manage Information

Adaptive Server Enterprise
Sybase IQ
Dynamic Archive
Dynamic ODS
Real Time Data Services
Replication Server
OpenSwitch
Mirror Activator
PowerDesigner
Connectivity Options
EAServer
PowerBuilder Family

Unwired Accelerator
Unwired Orchestrator
Unwired Toolkit

SQL Anywhere Studio
Mobile Email Applications
Enterprise Portal
XcelleNet Frontline Solutions
PocketBuilder
AvantGo

Sybase Workspace
4
Agenda

Business Requirement
Current Solutions
Proposed Solutions

5
Business Requirement

Need a centralized resource to manage
user/password
Reduce the cost of the resources spent on
maintaining user/password
Meet auditing requirements using centralized
identity management system
All applications should use a centralized
resource for identity management (Single Sign-On)
Global user sign on policies
Audit trails
nth level of delegation
Separate Roles and Privileged Users (role based
access control)
Increase user administration efficiency (easy
user management)
Embrace Open standards (reduce proprietary
systems lock-in)

6
Current Solution

User maintenance is done on individual
application/ASE servers
No standards in password maintenance
No password expiration

7
Proposed Solution

Integration of LDAP, Tivoli Access Manager and
Sybase ASE Security and Directory Services option
The objective of the SSO Project is to provide a
common mechanism for new and existing
applications to perform authentication based on
the NT login.
First step is to implement Common Sign On

8
Near term objectives

Objective is to achieve Common Sign On.
Today, a typical HSBC, NY employee has many IDs
and passwords to maintain.
The goal is to reduce the number of User
ID/Password combinations by having all
applications contact the Identity Manager to
perform authentication using the desktop login
credentials.
The exceptions are vendor products.

9
Authentication Mechanisms

Available Authentication Mechanisms
Pluggable Authentication
Out-of-box modules to simplify integration into
existing security framework.
LDAP User Authentication
JAAS based authentication framework
open, standard, flexible and extensible security
architecture
Authentication methods / types
Configurable on per-organization, per-role,
per-user and per-service/per-application basis
giving fine grained flexibility and control in
creation and enforcement of policies.

10
Products

Sybase ASE 12.5.2 Security Directory Services
Option
Lightweight Directory Access Protocol (LDAP)
Pluggable Authentication Module (PAM)
Kerberos interoperability with Active Directory
and MIT
Sun ONE Identity Server
IBM Tivoli Identity Manager
Netegrity SiteMinder IdentityMinder

11
What is LDAP?

Lightweight Directory Access Protocol (LDAP) is
an industry standard for accessing directory
services
LDAP URL stands for Uniform Resource Location.
Specifies a set of objects or values on an LDAP
server

12
Background on Identity Management

What is Identity Management ?
Project Scope
Project Architecture

13
What is Identity Management?

Managing an Identitys life cycle and its
relationship to business
applications and services.
Creating an identity that represents the user
Activating the services for authentication and
authorization
Administering and Managing Identity
Deactivating once user is no longer authorized
in system

14
Basic Definitions

Definitions
Authentication is establishing who you are.
Authorization is determining what you are allowed
to do.
Identity Management
Current implementation gives us Reduced / Common
Sign-On, a step towards the holy grail of Single
Sign-on (SSO). Applications running in Tivoli
Secure Domain will use Desktop login credentials
for user authentication

15
Project Scope

Project Scope The objective of the Identity
Management Project is to provide a common method
for new and existing applications to perform
authentication.

16
Tivoli Access Manager

Identity Management is not the same as LDAP.
LDAP is a set of protocols
- access a specialized database
- optimized for read queries.
- database structure in the form of a directory
tree.
Most vendors use a standalone product that is
designed to perform best with LDAP tree
structure.

17
Tivoli Access Manager Components

Tivoli Identity Management uses an LDAP server
along with other components to achieve the
integration and management of identity
information.
IBM Tivoli Access Manager main component
WebSphere Application Server (as the main
component of IM)
IBM/Apache Web Server (to allow use of browser as
GUI)
Tivoli Access Manager (for Java and C apps to
use API services)
IBM or Sun LDAP server (as repository for user
info)
Future integration with Identity Manager

18
Why Tivoli Access Manager

Provides wide range of authorization and
management solution
Provides access control management solution
Solves the audit requirement
Generate audit reports using Identity Manager
(future)

19
Tivoli Identity Manager Architecture

20
Current Implementation Overview
21
Workflow

How a user gets authenticated -

User is Registered on NT Domain
User import.sh imports the user information to
tivoli root suffix
Password Synchronization syncs username/password
to LDAP Server
SSOs activate and assign the GSO to the username
Users uses NT login credentials to logon to
applications
22
How CSO works
23
Going forward

Current project scope does not include Single
Sign On.
SSO is to have a user login once and only once
using the desktop credentials, then be able to
access application and server accounts
transparently, without having to re-enter the
ID/password each time.
Again, exceptions are vendor products.

24
Workflow with SSO
25
Future Implementation
26
Advantages of SSO

Although Single Sign On (SSO) is convenient,
realistically, Common Sign On is easier to
achieve.
Common Sign On gives most of the benefits of
SSO, including the important one, that of
maintaining only one ID and password in one
place. For users of multiple applications, this
is a huge benefit.

27
LDAP Authentication in ASE

Technical details
Need ASE_DIRS license for ASE
sp_configure enable ldap user auth, 0 1 2
Only a SSO can do this and it is a dynamic
parameter
Choosing Authentication Algorithm
Composed DN authentication
Searched DN authentication
Administer User Accounts on ASE/LDAP

28
LDAP Administration

How to set the URLs
sp_ldapadmin set_primary_url, ldapurl
set_secondary_url, ldapurl null
set_access_acct, account_distinguished_name,
account_password
set_dn_lookup_url, ldapurl
list_urls check_url, ldapurl
check_login, login_name

29
Composed DN Algorithm

How this works
Client connects to ASE
O/C send internal login record
ASE listener accepts connection
ASE reads login record
ASE binds the login name to LDAP with DN composed
from Primary URL and uses password from login
record
LDAP Authenticates Success/Failure
LDAP search
ASE accepts/rejects login

30
Composed DN example

Example
'ldap//nysundev01390/ouGroups,dcus,dchsbc??su
b?cn'

31
Searched DN Algorithm

How this works
Client connects to ASE
ASE listener accepts connection
O/C send internal login record
ASE reads login record
ASE binds to LDAP server with DS access account
LDAP authenticated access account
Success/Failure
ASE sends search request to LDAP based on login
record and DN lookup URL
LDAP returns results of the search
ASE reads results to obtain value of the
attribute for DN lookup URL
ASE uses the value of the attribute as the DN and
the password from the login record to bind to
LDAP
LDAP Authenticates the user Success/Failure
If Primary URL specifies search, ASE sends to
LDAP
LDAP returns the results of the search
ASE accepts or rejects login

32
Search DN example

Search DN example
Access Account information
sp_ldapadmin set_access_acct , cnDirectory
Manager , secAuthoritydefault , password
Primary URL
'ldap//nysundev01.us.hsbc390/cnUsers,secAuthori
tyDefault??sub?((secUid)(secResCredsIDTsybas
e))
Secondary URL None
Distinguished Name Lookup URL
'ldap//nysundev01.us.hsbc390/ohsbc,cus??sub?cn
'

33
How to test the URLs

Use ldap search
./ldapsearch hnysundev01 -p390 -D"cnDirectory
Manager" -wpassword -b "cnusers,secAuthorityDefa
ult" -s sub "secuidseshadrig"

34
User Logins
35
Login Controls

Define authentication mechanism
Sp_addlogin has additional input auth_mech
Sp_addlogin mylogin , mypassword , _at_auth_mech
LDAP
Map Logins
This helps the SSOs to define actions if an
external user does not exits in syslogins
Sp_maplogin LDAP , NULL , create login
This example tells the ASE to create a new login
for all external users authenticated with LDAP
Note Users have to be added to the appropriate
databases by the Database Administrator

36
LDAP Services in ASE 12.5.X

ASE 12.5 provides LDAP directory services for
server look-up

37
Using LDAP in lieu of the interfaces File

ASE 12.5 and Open Client/Open Server can be
configured to use LDAP services to define server
connection information
LDAP directory structure is accessed by a
3rd-party LDAP server
Provides an optional, lightweight alternative to
the traditional interfaces file on Unix and
sql.ini file on Windows NT
Lookup requests are based on server name
Used to obtain network information
IP address
Port number
Network protocol

38
The interfaces File vs. LDAP

interfaces file
GTTBKUP2
master tcp ether gttbkup2 5000
query tcp ether gttbkup2 5000
LDAP
dn sybaseServernameGTTBKUP2, secAuthorityDefaul
t
sybaseAddress TCP1gttbkup2.us.hsbc 5001
sybaseAddress TCP1gttbkup2.us.hsbc 5009
objectClass sybaseServer
sybaseServername GTTBKUP2

39
LDIF file for interfaces
dn sybaseServernameGTTBKUP2, secAuthorityDefaul
t sybaseAddress TCP1gttbkup2.us.hsbc
5001 sybaseAddress TCP1gttbkup2.us.hsbc
5009 objectClass sybaseServer sybaseServername
GTTBKUP2
40
Our implementation

To make full use and a centralized place for
maintaining interfaces files, we integrated the
interfaces entry into LDAP
Libtcl64.cfg on Server Side
DIRECTORY
ldaplibdldap64.so ldap//nysundev01.us.hsbc390
/secAuthorityDefault??one??bindnamecnDirectory
Manager?password
Libtcl.cfg on Client Side
DRIVERS
NLWNSCKTCP Winsock TCP/IP Net-Library driver
NT_DIRECTORY
LDAPLIBDLDAP ldap//nysundev01.us.hsbc390/secAu
thorityDefault??one??bindnamecnDirectory
Manager?password

41
Add sybase entries to 99user.ldif

In order to start the ASE using LDAP, make sure
the user99.ldif file in the config directory of
LDAP server is updated and the LDAP server
restarted
Sample output from 99user.ldif
attributeTypes ( 1.3.6.1.4.1.897.4.2.1 NAME
'sybaseVersion' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
27 SINGLE-VALUE)
attributeTypes ( 1.3.6.1.4.1.897.4.2.2 NAME
'sybaseServername' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes ( 1.3.6.1.4.1.897.4.2.3 NAME
'sybaseService' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes ( 1.3.6.1.4.1.897.4.2.4 NAME
'sybaseStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
7 SINGLE-VALUE)
attributeTypes ( 1.3.6.1.4.1.897.4.2.5 NAME
'sybaseAddress' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes ( 1.3.6.1.4.1.897.4.2.6 NAME
'sybaseSecurity' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes ( 1.3.6.1.4.1.897.4.2.7 NAME
'sybaseRetryCount' SYNTAX 1.3.6.1.4.1.1466.115.121
.1.27 SINGLE-VALUE)

42
Tivoli Access Manager
43
User Setup with TAM
44
GSO Credential Setup
45
Policy
46
Policy - User Properties
47
Sample LDAP output
48
More sample output
uid sybadmin objectClass inetOrgPerson objectCla
ss ePerson objectClass organizationalPerson obje
ctClass person objectClass top sn Admin cn
Sybase cn sybadmin dn secAuthorityDefault,
cnsybadmin, ohsbc,cus secLoginType
DefaultLDAP secDomainId Defaultsybadmin secPwdV
alid TRUE principalName sybadmin objectClass
secUser objectClass eUser objectClass
cimManagedElement objectClass top secAcctValid
true secHasPolicy false secUUID
fe7df758-8e25-11d8-a6ed-ac100101aa77 secAuthority
Default secPwdLastChanged 20040527191045.0Z
49
secAuthority tree structure
50
More on the secAuthority
dn principalNamesybadmin, cnUsers,
secAuthorityDefault secLoginType
DefaultLDAP secAcctValid True secDN
cnsybadmin,ohsbc,cus description
objectClass top objectClass cimManagedElement o
bjectClass eUser objectClass secUser principalNa
me sybadmin secAuthority Default dn
cnResCreds, principalNamesybadmin, cnUsers,
secAuthorityDefault objectClass
top objectClass container cn ResCreds
51
Contd..
dn secResCredsIdTSybaseAdmin,cnResCreds,
principalNamesybadmin, cnUsers ,
secAuthorityDefault secAuthnType
2 secResCredsID TSybaseAdmin secAuthnLength
40 secUid sybadmin secType 1 secValid
True objectClass top objectClass
secResCreds secAuthnData IUAjbioqKioqKip2JCQkJCQ
kJCQkJCQkJGIhZEBAQEBAQEBwIXchAA description
dn secResCredsIdTSybase,cnResCreds,
principalNamesybadmin, cnUsers, sec
AuthorityDefault secAuthnType 2 secResCredsID
TSybase secAuthnLength 62 secUid
sybadmin secType 1 secValid True objectClass
top objectClass secResCreds secAuthnData
IUAjbioqKioqKip2JCQkJCQkJCQkJCQkJGIhZEBAQEBAQEBwIX
chMSEzQEBAQE BAQDUjIyMjIyMjIyMjIwA description

52
The final picture.
53
URL References