Fortress Open Source IAM on LDAPv3

Shawn McKinney

November 18, 2013

License CC-BY-SA

Transcript of Fortress Open Source IAM on LDAPv3 (24 slides)

Page 1: Title slide

Page 2: Agenda

• Product Overview
• Technical Introduction
• RBAC SoD Demo
• Commander
• En Masse
• Multitenancy
• Next Steps
• Wrap-up

Page 3: Product Overview

Roadmap (reconstructed from the slide graphic; components are numbered in release order):

1. Fortress Core: ANSI RBAC SDK (October 2011)
2. Sentry: RBAC Policy Enforcer (October 2011)
3. EnMasse: RBAC Policy Server (October 2012)
4. Commander: Web Administration (October 2013)
5. Perimeter: Web Access Mgmt (April 2014, planned)
6. Patroller: Audit Monitoring (October 2014, planned)

Page 4: Fortress Introduction

• ANSI INCITS 359-2004 compliant IAM system
• Policy Decision Points
  • Java APIs (Fortress Core)
  • REST services (En Masse)
• Policy Administration Points
  • Java APIs (Fortress Core)
  • REST services (En Masse)
  • RBAC Web Management (Commander)
• Privileged Identity Management

Page 5: Fortress Introduction (continued)

• Policy Enforcement Points
  • Sentry: Java EE platform security
  • Sentry for other platforms (in development)
• Audit Trail
  • Authentication: tracks who is accessing the system
  • Authorization: tracks who did what, when and where
  • Administration: tracks historical changes to the data

Page 6: Fortress System Architecture

(System architecture diagram.) Java applications call the Fortress Core APIs inside their own Java VM; the APIs speak LDAPv3 to the directory, and either LDAP server works: OpenLDAP or Apache DS. A second Java application and other applications on any platform are shown connecting over HTTP/S, and the RBAC Accelerator is reached through LDAPv3 extended operations. Legend: Fortress, LDAP, HTTP.

Notes on the diagram:
• RBAC policy administration and interrogation use standard LDAPv3 protocols
• RBAC policy enforcement on any platform uses the accelerator
• Fortress RBAC enforcement APIs will also call the accelerator

Page 7: ANSI RBAC INCITS 359

1. RBAC0: Users, Roles, Perms, Sessions
2. RBAC1: Hierarchical Roles
3. RBAC2: Static Separation of Duties
4. RBAC3: Dynamic Separation of Duties (demonstrated next)

Page 8: Dynamic Separation of Duties Demo

(Diagram.) Three role assignments, Role 1, Role 2 and Role 3, form one DSD set: one and only one of them may be active in a session.

Page 9: Dynamic Separation of Duties Demo (architecture)

Demo stack, from coarse-grained to fine-grained authorization: Java Virtual Machine, Tomcat, Java EE coarse-grained security, Fortress RBAC Proxy, Fortress RBAC PDP, Spring page-level security, Apache Wicket (pages, links, buttons) and the Fortress RBAC PEP. AuthZ granularity runs from coarse at the Java EE layer to fine at the level of individual Wicket buttons.

Users:
• User1 is assigned to ROLE_TEST1, ROLE_TEST2 and ROLE_TEST3
• User2 is assigned to ROLE_TEST2
• User3 is assigned to ROLE_TEST3

Permissions:
• Page1.Button1, Page1.Button2 and Page1.Button3 are granted to ROLE_TEST1
• Page2.Button1, Page2.Button2 and Page2.Button3 are granted to ROLE_TEST2
• Page3.Button1, Page3.Button2 and Page3.Button3 are granted to ROLE_TEST3

Dynamic Separation of Duties:
• Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
• DSD set cardinality is 1
• Only one role can be active in a session
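The DSD demo above, as an added Python model. The page's own demo is Java on Wicket; this is not Fortress code, and the class and method names are assumptions modelled on the INCITS 359 functions (assign_user, add_active_role, drop_active_role, check_access). It loads the slide's users, permissions and DSD set, then shows that User1 can activate only one of the three roles per session, that access checks answer from active rather than assigned roles, and, for contrast with RBAC2, how a static SoD set is enforced at assignment time and when retrofitted over existing assignments. Cardinality follows the slide: at most that many roles of the set may be held or active (INCITS 359 states the DSD rule as "fewer than n", so ANSI n=2 is cardinality 1 here).

```python
"""RBAC0 sessions with static (SSD) and dynamic (DSD) separation of duty.
Illustrative model, not Fortress code. Users, roles, permissions and the DSD set are
the slide's; class and method names are assumptions modelled on INCITS 359 functions."""
from dataclasses import dataclass, field

class SoDViolation(Exception):
    """An assignment (SSD) or activation (DSD) would break a separation-of-duty set."""

@dataclass(frozen=True)
class SDSet:
    """Cardinality as the slide uses it: at most `cardinality` roles of the set may be
    held (SSD) or active (DSD) at once. INCITS 359 says "fewer than n", so n=2 is 1 here."""
    name: str
    roles: frozenset
    cardinality: int

    def violated_by(self, roles):
        return len(self.roles & set(roles)) > self.cardinality

@dataclass
class Session:
    user: str
    active_roles: set = field(default_factory=set)

class RbacPolicy:
    def __init__(self):
        self.assignments = {}   # user -> set of assigned roles
        self.grants = {}        # role -> set of permissions such as "Page1.Button1"
        self.ssd = []           # enforced when roles are assigned
        self.dsd = []           # enforced when roles are activated in a session

    def add_ssd(self, sdset):
        # A retrofitted SSD set must not leave existing assignments silently in violation.
        for user, roles in self.assignments.items():
            if sdset.violated_by(roles):
                raise SoDViolation(f"SSD {sdset.name}: {user}'s existing assignments violate it")
        self.ssd.append(sdset)

    def assign_user(self, user, role):
        roles = self.assignments.setdefault(user, set())
        for s in self.ssd:
            if s.violated_by(roles | {role}):
                raise SoDViolation(f"SSD {s.name}: {user} may not hold {role}")
        roles.add(role)

    def grant_permission(self, role, perm):
        self.grants.setdefault(role, set()).add(perm)

    def create_session(self, user, roles=()):
        session = Session(user)
        for role in roles:
            self.add_active_role(session, role)
        return session

    def add_active_role(self, session, role):
        if role not in self.assignments.get(session.user, set()):
            raise PermissionError(f"{role} is not assigned to {session.user}")
        for d in self.dsd:
            if d.violated_by(session.active_roles | {role}):
                raise SoDViolation(f"DSD {d.name}: {role} cannot join {sorted(session.active_roles)}")
        session.active_roles.add(role)

    def drop_active_role(self, session, role):
        session.active_roles.discard(role)

    def check_access(self, session, perm):
        # The PEP decides on *active* roles: User1 holds all three but may exercise one per session.
        return any(perm in self.grants.get(role, ()) for role in session.active_roles)

def build_demo_policy():
    """Users, permissions and the DSD set exactly as listed on the slide."""
    policy = RbacPolicy()
    for role in ("ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"):
        policy.assign_user("User1", role)
    policy.assign_user("User2", "ROLE_TEST2")
    policy.assign_user("User3", "ROLE_TEST3")
    for n in (1, 2, 3):
        for button in (1, 2, 3):
            policy.grant_permission(f"ROLE_TEST{n}", f"Page{n}.Button{button}")
    policy.dsd.append(SDSet("DemoDSD", frozenset({"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"}), 1))
    return policy

def run_demo():
    """Walk User1 through the demo and return what the PDP answered at each step."""
    policy = build_demo_policy()
    session = policy.create_session("User1", ["ROLE_TEST1"])
    out = {"page1_with_role1": policy.check_access(session, "Page1.Button1"),
           "page2_with_role1": policy.check_access(session, "Page2.Button1"),
           "dsd_blocked": False}
    try:
        policy.add_active_role(session, "ROLE_TEST2")   # a second role from the DSD set
    except SoDViolation:
        out["dsd_blocked"] = True
    policy.drop_active_role(session, "ROLE_TEST1")      # switching roles is allowed
    policy.add_active_role(session, "ROLE_TEST2")
    out["page2_after_switch"] = policy.check_access(session, "Page2.Button1")
    out["active_roles"] = sorted(session.active_roles)
    return out
```

run_demo() returns page1_with_role1 True, page2_with_role1 False, dsd_blocked True, page2_after_switch True and active_roles ["ROLE_TEST2"]. Note that add_active_role checks assignment before the DSD sets, so User2 asking for ROLE_TEST1 is refused as an unassigned role rather than as a SoD conflict, and that add_ssd rejects a set the current assignments already violate instead of appending it: an SSD set over all three demo roles with cardinality 1 is refused because User1 holds all three.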

Page 10: Where to get RBAC Demo

• Source
  • https://github.com/shawnmckinney/fortressdemo1
• Tutorial & other ANSI RBAC write-ups
  • http://symas.com/ansi-rbac-intro/
  • http://symas.com/rbac-security-enforcement-inside-wicket/
  • https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt

Page 11: Commander Introduction

• RBAC Web Administration
• Uses the Fortress Core APIs
• Communicates via HTTP or LDAPv3 protocols
• Secured by Fortress, Java EE and Spring
• Full audit trail
• Extensible: add new pages quickly
• Uses the Apache Wicket UI framework

Page 12: Commander System Architecture

(System architecture diagram.) Commander runs in its own Java VM on the Fortress Core APIs and reaches the directory either directly over LDAPv3 or over HTTP/S via EnMasse, which runs in another Java VM and uses the Fortress Core APIs over LDAPv3. The directory is OpenLDAP or Apache DS. Legend: Fortress, LDAP, HTTP.

Notes on the diagram:
• Commander can use either the HTTP or the LDAPv3 protocol
• Either LDAP server works
• HTTP protocol aids in firewall traversals

Page 13: Commander Demo

• View RBAC demo audit trail
• View RBAC management capabilities
• Enable REST communication with En Masse
• Run Commander Selenium automated test
• View Wireshark trace

Page 14: Where to get Commander

• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-commander.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ccommander

Page 15: En Masse Introduction

• RBAC Policy Server
• Firewall friendly
• 120+ RESTful services
• Multitenant process and services
• Secured using Fortress RBAC enforcement
• Binds directly to the Fortress entity model
• Uses Fortress Core to communicate over LDAPv3
• Uses Apache CXF for RESTful processing

Page 16: En Masse System Architecture

(System architecture diagram.) EnMasse runs in its own Java VM and uses the Fortress Core APIs to speak LDAPv3 to the directory, OpenLDAP or Apache DS. A Java application reaches EnMasse over HTTP/S through the Fortress Core APIs in its own Java VM; other applications on any platform call the REST services directly over HTTP/S. Legend: Fortress, LDAP, HTTP.

Notes on the diagram:
• Either LDAP server works
• Apps may use any REST library or the Fortress APIs to connect with En Masse
• The HTTP protocol is less efficient than LDAP but aids in firewall traversals

Page 17: Where to get En Masse

• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22

Page 18: Introduction (section divider for Multitenancy)

Page 19: Multitenant LDAP Data Structure

• Leverages LDAP's natural affinity for partitioning data by client organization
• Each tenant has its own complete copy of the DIT, segregated by organizational unit
• Reduced cost, since there are fewer servers to maintain

Page 20: Multitenant Programming Model

• The client's id is passed to Fortress at factory initialization
• For the lifetime of the 'Manager' object, it processes data on behalf of the client id passed at initialization
• AnyMgr: createInstance(tenantId);

    // Instantiate the AccessMgr implementation for tenant "Client123"; every call through
    // this manager operates on that tenant's segregated copy of the DIT.
    AccessMgr accessMgr = AccessMgrFactory.createInstance("Client123");
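Tenant isolation as described on the two slides above (a DIT partitioned by organizational unit, and a manager bound to one tenant id at factory initialization), as an added Python model. It is not Fortress code and Fortress's actual DIT layout may differ: the suffix, the layout ou=<tenant> directly under the suffix with ou=People beneath it, and all entries are assumptions. It shows that two managers created for different tenants resolve the same uid to different entries, that a DN from another tenant's subtree is refused, and why the tenant id has to be DN-escaped before it is spliced into a base DN.

```python
"""Tenant-scoped directory access, after the multitenant DIT and manager model on this page.
Illustrative Python, not Fortress code. Assumed DN layout: ou=<tenant> directly under the
suffix, with ou=People beneath it; suffix, tenant ids and entries are constructed data."""
import re

SUFFIX = "dc=example,dc=com"
# RFC 4514 special characters (the mandatory set plus '=', which may also be escaped).
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_dn_value(value):
    """Escape a string so it stays one RDN value and cannot smuggle in extra RDNs."""
    value = _DN_SPECIAL.sub(r"\\\1", value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def tenant_base(tenant_id):
    return f"ou={escape_dn_value(tenant_id)},{SUFFIX}"


class Directory:
    """Minimal in-memory stand-in for the LDAP server: DN -> attributes."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, **attrs):
        self.entries[dn.lower()] = attrs     # DNs match case-insensitively (simplified)

    def search(self, base, match):
        """Subtree search: the base entry and everything beneath it, filtered by match()."""
        base = base.lower()
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if (dn == base or dn.endswith("," + base)) and match(attrs)]


class ReviewMgr:
    """Created once per tenant, like AccessMgrFactory.createInstance(tenantId); for its
    lifetime every operation is anchored in that tenant's subtree."""

    def __init__(self, directory, tenant_id):
        self.dir = directory
        self.base = tenant_base(tenant_id)
        self.people = f"ou=People,{self.base}"

    def read_user(self, uid):
        hits = self.dir.search(self.people, lambda a: a.get("uid") == uid)
        return hits[0][1] if hits else None

    def read_by_dn(self, dn):
        # Refuse caller-supplied DNs that fall outside this tenant's subtree.
        if not dn.lower().endswith("," + self.base.lower()):
            raise PermissionError(f"{dn} is outside tenant subtree {self.base}")
        return self.dir.entries.get(dn.lower())


def build_demo_directory():
    """Three tenants, each with its own DIT copy and a same-named demo user (constructed)."""
    d = Directory()
    for tenant in ("Client1", "Client2", "Client3"):
        base = tenant_base(tenant)
        d.add(f"ou=People,{base}", objectClass="organizationalUnit")
        d.add(f"uid=demouser1,ou=People,{base}", uid="demouser1", tenant=tenant)
    return d


def isolation_check():
    d = build_demo_directory()
    client1, client2 = ReviewMgr(d, "Client1"), ReviewMgr(d, "Client2")
    client2_user_dn = f"uid=demouser1,ou=People,{tenant_base('Client2')}"
    out = {
        # Same uid in every tenant; each manager resolves only its own copy.
        "client1_sees": client1.read_user("demouser1")["tenant"],
        "client2_sees": client2.read_user("demouser1")["tenant"],
        "cross_tenant_refused": False,
        "dn_injection_refused": False,
        "escaped_base": tenant_base("Acme, Inc"),   # comma stays inside one RDN value
    }
    try:
        client1.read_by_dn(client2_user_dn)
    except PermissionError:
        out["cross_tenant_refused"] = True
    # Unescaped, tenant id "People,ou=Client2" would give this manager the base
    # "ou=People,ou=Client2,..." and the subtree check would admit Client2's entries.
    try:
        ReviewMgr(d, "People,ou=Client2").read_by_dn(client2_user_dn)
    except PermissionError:
        out["dn_injection_refused"] = True
    return out
```

The subtree check here is the application's own; the directory server's access controls should enforce the same boundary independently, for example by binding each tenant's manager with an identity that can only read and write its own ou subtree, so that a bug in the client-side scoping does not by itself expose another tenant's data. In the programming model on this page the tenant id is configuration; if an application derives it from request data instead, it is untrusted input and must be escaped as shown before it becomes part of a DN.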

Page 21: Multitenant Demo

• Load demo users for Client 1, 2 & 3
• Run test-full for Client 1, 2 & 3

Page 22: Where to get Fortress Multitenancy

• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
• Binaries (Maven dependency)

    <dependency>
        <groupId>us.joshuatreesoftware</groupId>
        <artifactId>fortress</artifactId>
        <version>RC-1.0-33</version>
    </dependency>

Page 23: Next Steps

• RBAC Accelerator
  • OpenLDAP overlay
  • RBAC Policy Decision Point
• Web Access Management/SSO
• RBAC Policy-Enhanced Standard (RPE)
  • INCITS 494-2011
  • Support for dynamic attributes
• Attribute-based Access Control (ABAC)
  • Maybe

Page 24: Thanks!