aa enabling a closed source legacy application
play

AA enabling a closed source legacy application Jan Du Caju ICT - PowerPoint PPT Presentation

Nov 12, 2022 •150 likes •426 views

EuroCAMP 15nov2007 AA enabling a closed source legacy application Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context

  1. EuroCAMP 15nov2007 AA enabling a closed source legacy application Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be

  2. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  3. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  4. EuroCAMP 15nov2007 Introduction: context association K.U.Leuven educational landscape reflects political situation association K.U.Leuven 1 university and 12 schools of higher education Need for resource sharing 2004: Shibboleth for institutional and inter-institutional web resources Jan.DuCaju@icts.KULeuven.be

  5. EuroCAMP 15nov2007 Introduction: context association K.U.Leuven Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure incl. Shibboleth IdP) Resources e-learning: Blackboard and other coupled education apps library: Ex Libris, and access to scientific papers, publications and databases work place context: Horde webmail, groupware and inter-institutional offers research context: HPC et al administrative and organizational context: SAP Federations K.U.Leuven (institutional) Association K.U.Leuven K.U.Leuven - UZLeuven (university hospital) Not yet :-\ a national federation at NREN level (Belnet) Jan.DuCaju@icts.KULeuven.be

  6. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  7. EuroCAMP 15nov2007 Case : AA enabling SAP Administrative and organizational applications: SAP K.U.Leuven: Campus management, HR, FI, … Corona project: 6 institutions of association K.U.Leuven for implementing SAP campus management SAP access control possibilities Basic authentication Digest Form Client certificate Evaluate assertion ticket (SAML) SAPssoTicket Goals: password does not pass the application use an AAI component Jan.DuCaju@icts.KULeuven.be

  8. EuroCAMP 15nov2007 Case: AA enabling SAP SAP access control via evaluation of an assertion ticket Problem: SAP speaks a subset of SAML1.1 :-( • Assertions must not contain the elements Condition and AudienceRestrictionCondition • Assertions must have exactly one AuthenticationStatement element which must have a NameIdentifier element • If present, the elements AuthorizationDecisionStatement and AttributeStatement are ignored • Creating or verifying digital signatures is not supported SAP considers to implement SAML2.0 sometime in the future :-( Jan.DuCaju@icts.KULeuven.be

  9. EuroCAMP 15nov2007 Case: AA enabling SAP Shibboleth enabled reverse proxy in front of SAP servers Extra layer of security Usage of AAI Shibboleth component for general access control Jan.DuCaju@icts.KULeuven.be

  10. EuroCAMP 15nov2007 Case: AA enabling SAP Access control Reverse proxy access control via Shibboleth (mod_shib) Only general access control, application specific authZ remain in application SAP access control via a valid SAPssoticket obtained at J2EE-engine (SAP portal) Jan.DuCaju@icts.KULeuven.be

  11. EuroCAMP 15nov2007 EuroCAMP 15nov2007 Case: AA enabling SAP r e v e r s e p r o x y Jan.DuCaju@icts.KULeuven.be Jan.DuCaju@icts.KULeuven.be

  12. EuroCAMP 15nov2007 Access control via SAP SSO ticket JAVA and ABAP web apps access via browser SAP SSO ticket in cookie ABAP non-web apps access via a client: SAPgui link or URL (in SAP portal) to a SAPgui Shortcut file associated in Windows with the SAPgui client contains SAP SSO ticket Jan.DuCaju@icts.KULeuven.be

  13. EuroCAMP 15nov2007 Accessing SAP applications JAVA and ABAP web apps (link in SAP portal or in WAS) ABAP non-web app via link to a SAPgui shortcut file firewall https://webwsp.aps.kuleuven.be https://wsp.cc.kuleuven.be Java / Portal Apache reverse proxy LoginModuleStack mod_SSL (mod_security) Evaluate ticket Login Module SUFFICIENT mod_shib mod_proxy Header Variable Login Module OPTIONAL browser Create ticket Login Module SUFFICIENT p11.cc.kuleuven.be SAPssoTicket ABAP SAPgui Evaluate SAPssoTicket REQUIRED Jan.DuCaju@icts.KULeuven.be

  14. EuroCAMP 15nov2007 Accessing SAP JAVA and ABAP web apps Jan.DuCaju@icts.KULeuven.be

  15. EuroCAMP 15nov2007 Accessing SAP ABAP non-web applications Example of SAPgui Shortcut file (tx.sap) [System] Name=P11 Client=300 GuiParm=/M/P11.cc.kuleuven.be/S/3600/G/productie [User] Name=U0001439 at="MYSAPSSO2=AjExMDAgAA9wb3J0YWw6VTAwMDE0MzmIABNiYXNpY2 F1dGhlbnRpY2F0aW9uAQAIVTAwMDE0MzkCAAM5OTkDAANXU1AEAAw yMDA3MDUxMDE1NTAFAAQAAAAMCgAIVTAwMDE0Mzn/APUwgfIGCSqG SIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNA QcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxMDV1NQAgEAMAkGBSsOAw IaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb 3DQEJBTEPFw0wNzA1MTAxNTUwNDJaMCMGCSqGSIb3DQEJBDEWBBRf V5O19GIZCInkdkYoC0N7AxN7XDAJBgcqhkjOOAQDBC8wLQIUL2rYN SImSAsBhWBuRDQzUiISASMCFQCTPasn/RL26iMTko2cSWK/jDtW1A ==" [Options] Reuse=0 Jan.DuCaju@icts.KULeuven.be

  16. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  17. EuroCAMP 15nov2007 Configuration overview Communication reverse proxy and SAP portal: Vhost webwsp.asp.kuleuven.be Adjusting SAP LoginModuleStack Configuration of access to SAP servers SAP transactions : rz10 and strustsso2 Jan.DuCaju@icts.KULeuven.be

  18. EuroCAMP 15nov2007 Vhost webwsp.aps.kuleuven.be SSL enabled # communication to browser SSLEngine On SSLCertificateFile /etc/pki/webwsp.aps.kuleuven.be.crt SSLCertificateKeyFile /etc/pki/webwsp.aps.cc.kuleuven.be.key # mutual certificate authentication with SAP SSLProxyEngine On SSLProxyCACertificateFile /etc/pki/ca-bundle.crt SSLProxyMachineCertificateFile /etc/pki/webwsp.pem SSLProxyVerify require SSLProxyVerifyDepth 3 Jan.DuCaju@icts.KULeuven.be

  19. EuroCAMP 15nov2007 Vhost webwsp.aps.kuleuven.be (continued) Protected with Shibboleth authorization based on affilation header shib-person-uid must be set <Location /> AuthType shibboleth ShibRequireSession on require affiliation member </Location> Reverse proxy ProxyPass / https://wsp.cc.kuleuven.be:8098/ retry=2 ProxyPassReverse / https://wsp.cc.kuleuven.be:8098/ ProxyVia Off ProxyPreserveHost On Jan.DuCaju@icts.KULeuven.be

  20. EuroCAMP 15nov2007 Login Module Stack of J2EE - engine Visual administrator Security Provider SAP-J2EE-engine Jan.DuCaju@icts.KULeuven.be

  21. EuroCAMP 15nov2007 transaction rz10 Allow access with SAPssotickets Jan.DuCaju@icts.KULeuven.be

  22. EuroCAMP 15nov2007 transaction strustsso2 Configure which SAPssotickets are allowed (signed by) Jan.DuCaju@icts.KULeuven.be

  23. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  24. EuroCAMP 15nov2007 AA enabling via reverse proxy remote_user in backend server - complex rewrite rules - use another header variable released by IdP e.g. shib-person-uid Security (spoofing): only uid is passed no password - mutual certificate authentication between proxy and backend server - persistent connection over ssl (keep-alive) is not yet :-/ possible with Apache mod_proxy - firewall filtering Jan.DuCaju@icts.KULeuven.be

  25. EuroCAMP 15nov2007 AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions Jan.DuCaju@icts.KULeuven.be

  26. EuroCAMP 15nov2007 Conclusion AA enabling a closed source legacy application - dependent on application - one possibility: by means of a Shibboleth enabled reverse proxy in front of the app Credits URL’s Philip Brusten http://kuleuven.be/english Jan Van der Velpen http://associatie.kuleuven.be/eng http://shib.kuleuven.be Jan.DuCaju@icts.KULeuven.be

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS

Enabling Closed-Source Applications for Virtual Reality via OpenGL Intercept Techniques SEARIS 2014 Workshop. March 30th. Co-located with IEEE VR 2014 David J. Zielinski (Duke University) Ryan P. McMahan (The University of Texas at Dallas)

424 views • 25 slides
Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat

Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat

Net-Centric Adapter for Legacy Systems (NCALS): Affordable Net-Enabling of Joint Service Combat and Weapon Systems Alan Thomas Senior Scientist Naval Surface Warfare Center Dahlgren The Bottom Line Up Front Net-Centric Adapter for Legacy

423 views • 10 slides
Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article

Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/267236046 Web-enabling Legacy Systems via Presentation Access: From Webulation to Automation Article CITATIONS READS 0 74 2 authors

369 views • 11 slides
MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in Children v. 13-16 Legacy in Eternity v. 17-31 LEGACY IN MARRIAGE 2 Schools of thought 1. Rabbi Sammai- Strict interpretation. Divorce only

775 views • 9 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising

WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising

WG 3 NORM and legacy sites Application of models for assessing radiological impacts arising from NORM and radioactively contaminated legacy sites to support the management of remediation Rodolfo Avila Tasks Task 1 Methodology for

550 views • 27 slides
Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy

Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy

Legacy Pesticides Effects on Water Supply and Ocean Water Quality Concerns about legacy pesticides Evaluated extensively in environmental review, design and DDW review processes Few legacy pesticides detected in RTP source waters Of

255 views • 4 slides
Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy and the spirit of Truc Lam Yen Zen Buddhism, the Legacy Yen Tu is an inspiring journey into the past. It offers travelers a stay filled with storied

688 views • 32 slides
Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm Overview Why we needed application credentials What are application credentials? (with demo!)

637 views • 25 slides
Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular

Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular

Date: Aug 01, 2018 Observing Application Proposal ID: GBT/19A-347 Legacy ID: QO43 PI: Trevor Oxholm Type: Regular Category: Normal Galaxies, Groups, and Clusters Total time: 6.24 Calibration sources for the Tianlai 21 cm Polar Cap Survey

468 views • 24 slides
Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary |

Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary |

Transitioning Legacy Applications to Mobile Platforms | Salient CRGT Proprietary | www.SalientCRGT.com | 1 Customer Challenge A legacy application depends upon the manual collection and entry of data: Download paper surveys

689 views • 5 slides
Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation

Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation

Enabling Our Smart Nation Melvyn Low OCBC Bank 21 August 2019 1 2 Source: Smart Nation Singapore Source: ABS 3 The birth of 2017 A peer-to-peer transfer service 9 banks An opportunity to reduce cash payments 2014 A new era

371 views • 23 slides
Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861

Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861

Dilute Source CO 2 Capture: Management of Atmospheric Coal-Produced Legacy Emissions FE0026861 Carbon Engineering Management Team Investors / Partners Bill Gates Murray Edwards David Keith Adrian Corless Exec Chair / Founder CEO

439 views • 21 slides
Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source,

Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source,

GP32, the Pandora and the Pyra past, present and future of OpenSource-(Gaming)-Handhelds Michael Mrozek (EvilDragon) 1. The GP32 started it all (2001) Originally closed source, commercial handheld made by a small company from Korea

328 views • 19 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal is to create

1.18k views • 56 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal

412 views • 40 slides
A&quot;Study&quot;of&quot;Credential&quot;Integration&quot;Model&quot;

A&quot;Study&quot;of&quot;Credential&quot;Integration&quot;Model&quot;

A&quot;Study&quot;of&quot;Credential&quot;Integration&quot;Model&quot; in&quot;Academic&quot;Research&quot;Federation&quot; Supporting&quot;a&quot;Wide&quot;Variety&quot;of&quot;Services International,Symposium,Grids,&amp;,Clouds,2018 20 th

282 views • 16 slides
Social Media apart, together Gabriela Avram Introduction to Digital Media 2017 Social

Social Media apart, together Gabriela Avram Introduction to Digital Media 2017 Social

Social Media apart, together Gabriela Avram Introduction to Digital Media 2017 Social Media p the use of web-based and mobile technologies to turn communication into an interactive dialogue. p &quot;a group of Internet-based

856 views • 51 slides
Co-Protg: Motivation To have a platform to develop an ontology in a collaborative fashion

Co-Protg: Motivation To have a platform to develop an ontology in a collaborative fashion

CO-Protg : A Groupware Tool for Supporting Collaborative Ontology Design with Divergence Alicia Daz 1,2 , Guillermo Baldo 1 1 Lifia, UNLP, La Plata, Argentina 2 Loria, Nancy, France Co-Protg: Motivation To have a platform to develop

426 views • 13 slides
Support the development of object oriented, synchronous, interactive, and complex

Support the development of object oriented, synchronous, interactive, and complex

COAST An Open Source Smalltalk Framework to Build Synchronous Collaborative Applications Jan Schmmer, Till Schmmer, Christian Schuckmann GMD - IPSI, Darmstadt, Germany intelligent views, Darmstadt, Germany

479 views • 30 slides
Meeting tutorial Allen Dutoit dutoit@in.tum.de Technische Universitt Mnchen Institut fr

Meeting tutorial Allen Dutoit dutoit@in.tum.de Technische Universitt Mnchen Institut fr

Meeting tutorial Allen Dutoit dutoit@in.tum.de Technische Universitt Mnchen Institut fr Informatik Lehrstuhl fr Angewandte Softwaretechnik (Prof. Bruegge) Overview: communication, part 2 Now that we use groupware, why meet?

603 views • 13 slides
Reducing GHGs with ICTs Entretien Jacques Cartier November 20th 2012 Myriam Blais, MFE Outlook

Reducing GHGs with ICTs Entretien Jacques Cartier November 20th 2012 Myriam Blais, MFE Outlook

Reducing GHGs with ICTs Entretien Jacques Cartier November 20th 2012 Myriam Blais, MFE Outlook Green ICTs ICTs carbon footprint and ways to reduce it (actions in Smart 2020 report and actions in Quebec) Greening with ITCs

611 views • 36 slides
An Open Source tool helps a global community of professionals

An Open Source tool helps a global community of professionals

An Open Source tool helps a global community of professionals shift from traditional contacts and annual meetings to continuous interaction on the web

505 views • 37 slides
Introductions CSEP 510: Human Computer n Instructor Interaction n Richard Anderson n CSE 582 n

Introductions CSEP 510: Human Computer n Instructor Interaction n Richard Anderson n CSE 582 n

Introductions CSEP 510: Human Computer n Instructor Interaction n Richard Anderson n CSE 582 n anderson@cs.washington.edu Lecture 1: History n 206-543-4305 n Teaching Assistant Richard Anderson n Alan Liu n aliu@cs.washington.edu My Background

291 views • 7 slides

More recommend