Monday, September 24, 2012
Making your OAM custom Login Form XSS safe
In real-life OAM implementations we all use a fancy login form, which is called from the OAM authentication scheme. These custom login screens often use JavaScript. The screen also contains at least two input parameters, 'Login-Name' and 'Password', so it is a perfect playground for an XSS (Cross-Site Scripting) attack. Here are a few tips to make it XSS safe. For more information about XSS vulnerabilities check the OWASP website (https://www.owasp.org/index.php/XSS).
1. Make sure your authentication scheme has a challenge parameter called "ssoCookie=httponly". This ensures that JavaScript cannot read the OAM cookies.
2. User input validation is a must. For example, an evil user may enter "JohnDoe<script>alert(document.cookie);</script>" in the username field to test whether the login form is vulnerable to XSS.
3. Always encode user-supplied output for the context it lands in (HTML, CSS, JS, etc.). For example, after safe encoding the script from tip 2 should appear in the page as "&lt;script&gt;alert(document.cookie);&lt;/script&gt;", which the browser renders as plain text instead of executing it.
Use the OWASP ESAPI library to do this safe encoding.
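As an added illustration (not code from the original post or from OAM), here is how tips 2 and 3 look inside the form's own JavaScript: an allowlist check for the login name and an HTML-context encoder applied before any submitted value is echoed back into the page, shown beside the unsafe concatenation it replaces. The allowed login-name character set is an assumption; the server-side ESAPI encoding stays the authoritative control.

```javascript
// Added example (not from the original post): client-side checks for an OAM
// custom login form. Server-side validation and ESAPI output encoding remain
// the authoritative controls; this mirrors them in the form's own JavaScript.

// Tip 2: validate the login name against an allowlist before using it.
// Assumption: login names are 1-64 chars of letters, digits, '.', '_', '-', '@'.
const LOGIN_NAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;

function isValidLoginName(name) {
  return typeof name === "string" && LOGIN_NAME_RE.test(name);
}

// Tip 3: encode for an HTML text context. Each character with special meaning
// in HTML becomes its entity, so "<script>alert(document.cookie);</script>"
// reaches the browser as literal text instead of an executable element.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function encodeForHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The login-failure banner echoes the submitted login name back into the page.
// renderBannerUnsafe is the XSS-prone pattern (raw concatenation); renderBannerSafe
// validates first and encodes whatever it echoes, whichever way validation went.
function renderBannerUnsafe(loginName) {
  return "<p>Login failed for " + loginName + "</p>";
}

function renderBannerSafe(loginName) {
  const shown = isValidLoginName(loginName) ? loginName : "the supplied login name";
  return "<p>Login failed for " + encodeForHTML(shown) + "</p>";
}
```

Wiring renderBannerSafe to the element's innerHTML (or, better, using textContent for the name itself) keeps the probe string from tip 2 inert even if it reaches the page.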
Tuesday, May 29, 2012
OVD 11g Quick Tips
Finding OVD version :-
Open the file ..../Oracle/Middleware/OVD_INST_1/config/OVD/ovd1/server.os_xml and look for the section "OVD_INST_1_OVD".
Setting OVD Log level (Alternative to console) :-
You can set the OVD log level directly from the console UI, but with OVD 11.1.1.5 you may get the error "JAVAX.EL.ELEXCEPTION: JAVA.LANG.NULLPOINTEREXCEPTION AT JAVAX.EL.BEANELRESOLVER" because of a bug when doing it from the EM console.
Here is an alternative approach (Doc):
1. Stop OVD:
$ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
2. Open $ORACLE_INSTANCE/config/OVD/ovd1/ovd-logging.xml and change the loggers section so that it reads:
<loggers>
  <logger name='com.octetstring.vde' level='TRACE:32' useParentHandlers='false'>
    <handler name='OVDHandler'/>
  </logger>
  <logger name='com.octetstring.accesslog' level='TRACE:32' useParentHandlers='false'>
    <handler name='OVDAccessHandler'/>
  </logger>
</loggers>
3. Start OVD: $ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1
Setting Worker Threads (the default is 10; raise it to 50) :-
Does your OVD error log (.../ovd_inst/diagnostics/logs/OVD/ovd1/http-errors.log) show occasional error messages such as "Low on Thread" or "Out of thread"? Check $OVD_HOME/config/OVD/listeners.os_xml for at least 50 worker threads in the LDAP listener: look for the worker-thread entry of each listener and change it to 50. Do this for "Admin Gateway", "LDAP Endpoint" and "LDAP SSL Endpoint".
Wednesday, January 11, 2012
OIM 11.1.1.5 User Manager API bug causes double provisioning
I wrote a Post Process Event Handler, which provides a value for a user attribute during user creation. The event-handler code was using the UserManager (oracle.iam.identity.usermgmt.api.UserManager) API.
import java.util.HashMap;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
    // ... other PostProcessHandler methods omitted ...
    public EventResult execute(long processId, long eventId, Orchestration orchestration) {
        HashMap params = orchestration.getParameters();
        // getParamaterValue is a private helper (not shown) that reads one orchestration parameter
        String uid = this.getParamaterValue(params, Constants.USERID);
        User user = new User(uid);
        user.setAttribute("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value
        try {
            // Update the user identified by Constants.USERID = uid through the UserManager API
            UserManager usrMgrService = Platform.getService(UserManager.class);
            usrMgrService.modify(Constants.USERID, uid, user);
        } catch (Exception e) {
            // ... error handling omitted ...
        }
        return new EventResult();
    }
    // ...
}
The above code worked as expected: it generated the value and populated the user attribute called "Micam Unique Id". But this code did some damage to my auto-provisioning setup to OID: I saw two auto-provisionings initiated during the user creation event instead of one. I could not figure out the cause, so I posted the query to the Oracle forum ( https://forums.oracle.com/forums/thread.jspa?threadID=2329154 ) and found the following answer from some of our smart users.
There is a known issue in UserManagement APIs in OIM 11.1.15. Using the UsrMngmt APIs to update a User within an Orchestration will cause another user update orchestration to be initiated. The user update is also causing role membership rules to be evaluated, which in turn is triggering a second provisioning. So the solution is to use Entity Management (oracle.iam.platform.entitymgr.EntityManager) APIs instead. The new code snippet is given here, which works fine so far.
import java.util.HashMap;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.EntityManager;
import oracle.iam.platform.kernel.OrchestrationEngine;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

public class GuidGenerationPostProcEventHandler implements oracle.iam.platform.kernel.spi.PostProcessHandler {
    // ... other PostProcessHandler methods omitted ...
    public EventResult execute(long processId, long eventId, Orchestration orchestration) {
        HashMap mapAttrs = new HashMap();
        mapAttrs.put("Micam Unique Id", generateUniqueId()); // generateUniqueId is a private method and returns some value
        try {
            String userKey;
            if (!orchestration.getOperation().equals("CREATE")) {
                // For non-CREATE operations the orchestration target already carries the user key
                userKey = orchestration.getTarget().getEntityId();
            } else {
                // During CREATE the new user's key is only available as the action result of this process
                OrchestrationEngine orchEngine = Platform.getService(OrchestrationEngine.class);
                userKey = (String) orchEngine.getActionResult(processId);
            }
            // EntityManager.modifyEntity updates the attribute without starting a second user-update orchestration
            EntityManager entMgrService = Platform.getService(EntityManager.class);
            entMgrService.modifyEntity(orchestration.getTarget().getType(), userKey, mapAttrs);
        } catch (Exception e) {
            // ... error handling omitted ...
        }
        return new EventResult();
    }
    // ...
}
As of writing this blog, there is no UserMgmt or EntityMgmt API documentation available from Oracle. So good luck.
Monday, January 9, 2012
Quick OIM TIP : Finding out OIM Version and Patch Information
(1) Execute the following query against the OIM schema.
select XSD_VALUE from XSD where XSD_CODE='XL_BUILD_NUMBER';
(2) Run .../Oracle/Middleware/Oracle_IDM1/OPatch/opatch lsinventory -details
Friday, January 6, 2012
OIM 11g: exporting User.xml using MDS utilities
Here are the steps to export OIM's User.xml from the metadata repository using the WebLogic MDS utilities.
$ cd /opt/Oracle/Middleware/Oracle_OIM/server/bin
This assumes you have installed OIM at /opt/Oracle/Middleware/Oracle_OIM. The default directory could be /opt/Oracle/Middleware/Oracle_IDM2 for an 11.1.1.5 installation.
$ vi weblogic.properties
Set the values similar to the example below.
wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc=@From_location
metadata_to_loc=/opt/export
metadata_files=/file/User.xml
- The above example assumes that your OIM server name is oim_server1.
- The exported file will land in the directory mentioned in metadata_to_loc.
- The export operation ignores the value of the metadata_from_loc property.
- The rest of the property fields should be hard-coded as shown in the example.
$ ./weblogicExportMetadata.sh
User Name = weblogic
Password = Your Password
Server URL = t3://weblogic-admin-server:7001
While running this you may see some warnings about the SSL port and admin port; just ignore them. If the above runs successfully, your exported User.xml will be in the /opt/export/file directory.
Tuesday, October 25, 2011
OIM 11g logging.xml getting overwritten issue
After installing and configuring the OID connector, I tried a simple manual user provisioning to OID. As expected, the user creation in OID was rejected. Time to debug :( So I included an OID-related logger in $DOMAIN_NAME/config/fmwconfig/servers/oim_server1/logging.xml and restarted the OIM managed server. To my surprise the logging.xml file got overwritten (back to the original one) right after the managed server restarted.
Finally found the solution in support.oracle.com under support id 1335539.1. This issue shows up when your admin server is in box1 and the managed server is in box2. The solution is simple: just modify the logging.xml file of Box1 (admin server) and restart the OIM managed server. The change will propagate to Box2 where the OIM managed server is running.
Saturday, May 14, 2011
STRIDE Threat modelling and counter measure
Here is a quick list of threats and their countermeasures based on the STRIDE threat model. More information at http://msdn.microsoft.com/en-us/magazine/cc163519.aspx .
THREAT                    COUNTER MEASURE
-------------------------------------------------------------
Spoofing                  Authentication
Tampering                 Digital Signature, Hashing
Repudiation               Audit
Information Disclosure    Encryption
DOS                       Availability
Elevation of Privileges   Authorization, Input data sanitation