AA enabling a closed source legacy application - Jan Du Caju (ICT) - PowerPoint PPT Presentation

SLIDE 1

EuroCAMP 15nov2007 Jan.DuCaju@icts.KULeuven.be

AA enabling a closed source legacy application

Jan Du Caju

ICT security officer K.U.Leuven Belgium

SLIDE 2

AA enabling a closed source legacy application

  • Introduction: context association K.U.Leuven
  • Case: AA enabling SAP
  • The gory details: configuring the components
  • General: AA enabling by means of a reverse proxy
  • Conclusions


SLIDE 4

Introduction: context association K.U.Leuven

  • the educational landscape reflects the political situation
  • association K.U.Leuven: 1 university and 12 schools of higher education
  • need for resource sharing
  • 2004: Shibboleth for institutional and inter-institutional web resources

SLIDE 5

Introduction: context association K.U.Leuven

Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure, incl. Shibboleth IdP)

Resources
  • e-learning: Blackboard and other coupled education apps
  • library: Ex Libris, and access to scientific papers, publications and databases
  • work place context: Horde webmail, groupware and inter-institutional offers
  • research context: HPC et al.
  • administrative and organizational context: SAP

Federations
  • K.U.Leuven (institutional)
  • Association K.U.Leuven
  • K.U.Leuven - UZLeuven (university hospital)
  • Not yet :-\ a national federation at NREN level (Belnet)


SLIDE 7

Case: AA enabling SAP

Administrative and organizational applications: SAP
  • K.U.Leuven: Campus management, HR, FI, …
  • Corona project: 6 institutions of association K.U.Leuven for implementing SAP campus management

SAP access control possibilities
  • Basic authentication
  • Digest
  • Form
  • Client certificate
  • Evaluate assertion ticket (SAML)
  • SAPssoTicket

Goals:
  • the password does not pass through the application
  • use an AAI component

SLIDE 8

Case: AA enabling SAP

SAP access control via evaluation of an assertion ticket
Problem: SAP speaks only a subset of SAML 1.1 :-(
  • Assertions must not contain the elements Condition and AudienceRestrictionCondition
  • Assertions must have exactly one AuthenticationStatement element, which must have a NameIdentifier element
  • If present, the elements AuthorizationDecisionStatement and AttributeStatement are ignored
  • Creating or verifying digital signatures is not supported

SAP is considering implementing SAML 2.0 sometime in the future :-(
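Added example, not from the slides: a checker for the SAP subset listed above, run on two constructed SAML 1.1 assertions (the issuer, AssertionID and user value are placeholders; the "Condition" element of the slide is SAML 1.1's Conditions). It separates hard rejections from the parts SAP silently ignores or cannot verify, which is where the reverse proxy has to carry the trust.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def sap_saml11_check(assertion_xml: str) -> dict:
    """'issues' make SAP reject the assertion; 'warnings' are parts SAP ignores
    or cannot verify, which a defender should know about."""
    root = ET.fromstring(assertion_xml)
    issues, warnings = [], []
    if root.tag != f"{{{SAML1}}}Assertion":
        return {"accepted": False, "issues": ["root is not saml:Assertion"], "warnings": []}
    # No Conditions (and hence no AudienceRestrictionCondition) allowed
    if root.find(f"{{{SAML1}}}Conditions") is not None:
        issues.append("Conditions/AudienceRestrictionCondition present")
    # Exactly one AuthenticationStatement, carrying Subject/NameIdentifier
    stmts = root.findall(f"{{{SAML1}}}AuthenticationStatement")
    if len(stmts) != 1:
        issues.append(f"expected 1 AuthenticationStatement, found {len(stmts)}")
    for stmt in stmts:
        if stmt.find(f"{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier") is None:
            issues.append("AuthenticationStatement without Subject/NameIdentifier")
    # Attribute and authorization decision statements are ignored by SAP
    for name in ("AttributeStatement", "AuthorizationDecisionStatement"):
        if root.find(f"{{{SAML1}}}{name}") is not None:
            warnings.append(f"{name} present but ignored by SAP")
    # SAP verifies no signatures: integrity of the assertion rests on the
    # authenticated channel (here the reverse proxy), not on XML-DSig
    if root.find(f"{{{DSIG}}}Signature") is not None:
        warnings.append("Signature present but not verified by SAP")
    else:
        warnings.append("assertion unsigned; trust rests on the transport")
    return {"accepted": not issues, "issues": issues, "warnings": warnings}

def _assertion(body: str) -> str:
    # Constructed sample wrapper; issuer and AssertionID are placeholders
    return (f'<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" '
            'AssertionID="_placeholder" Issuer="idp.example.test" '
            f'IssueInstant="2007-11-15T10:00:00Z">{body}</saml:Assertion>')

AUTHN = ('<saml:AuthenticationStatement AuthenticationInstant="2007-11-15T10:00:00Z" '
         'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>'
         '<saml:NameIdentifier>u0001234</saml:NameIdentifier></saml:Subject>'
         '</saml:AuthenticationStatement>')
GOOD_ASSERTION = _assertion(AUTHN)              # fits the SAP subset
BAD_ASSERTION = _assertion(                     # Conditions plus two statements
    '<saml:Conditions><saml:AudienceRestrictionCondition><saml:Audience>sap'
    '</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>'
    + AUTHN + AUTHN)
```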

SLIDE 9

Case: AA enabling SAP

Shibboleth enabled reverse proxy in front of the SAP servers
  • Extra layer of security
  • Usage of the AAI Shibboleth component for general access control

SLIDE 10

Case: AA enabling SAP: Access control
  • Reverse proxy access control via Shibboleth (mod_shib)
  • Only general access control; application specific authZ remains in the application
  • SAP access control via a valid SAPssoTicket obtained at the J2EE engine (SAP portal)

SLIDE 11

Case: AA enabling SAP (architecture diagram; legible label: reverse proxy)

SLIDE 12

Access control via SAP SSO ticket

JAVA and ABAP web apps
  • access via browser
  • SAP SSO ticket in cookie

ABAP non-web apps
  • access via a client: SAPgui
  • link or URL (in SAP portal) to a SAPgui Shortcut file, associated in Windows with the SAPgui client
  • the shortcut file contains the SAP SSO ticket

SLIDE 13

Accessing SAP applications (architecture diagram)

Diagram labels:
  • Apache reverse proxy: mod_SSL (mod_security), mod_shib, mod_proxy; https://webwsp.aps.kuleuven.be
  • LoginModuleStack: Evaluate ticket Login Module SUFFICIENT; Create ticket Login Module SUFFICIENT; Header Variable Login Module OPTIONAL
  • Java / Portal
  • Evaluate SAPssoTicket REQUIRED
  • ABAP: https://wsp.cc.kuleuven.be, p11.cc.kuleuven.be
  • SAPgui
  • SAPssoTicket
  • browser
  • firewall

  • JAVA and ABAP web apps (link in SAP portal or in WAS)
  • ABAP non-web app via link to a SAPgui shortcut file

SLIDE 14

Accessing SAP JAVA and ABAP web apps

SLIDE 15

Accessing SAP ABAP non-web applications

Example of SAPgui Shortcut file (tx.sap):

[System]
Name=P11
Client=300
GuiParm=/M/P11.cc.kuleuven.be/S/3600/G/productie
[User]
Name=U0001439
at="MYSAPSSO2=AjExMDAgAA9wb3J0YWw6VTAwMDE0MzmIABNiYXNpY2 F1dGhlbnRpY2F0aW9uAQAIVTAwMDE0MzkCAAM5OTkDAANXU1AEAAw yMDA3MDUxMDE1NTAFAAQAAAAMCgAIVTAwMDE0Mzn/APUwgfIGCSqG SIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNA QcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxMDV1NQAgEAMAkGBSsOAw IaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb 3DQEJBTEPFw0wNzA1MTAxNTUwNDJaMCMGCSqGSIb3DQEJBDEWBBRf V5O19GIZCInkdkYoC0N7AxN7XDAJBgcqhkjOOAQDBC8wLQIUL2rYN SImSAsBhWBuRDQzUiISASMCFQCTPasn/RL26iMTko2cSWK/jDtW1A =="
[Options]
Reuse=0
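Added example, not from the slides: a parser for the MYSAPSSO2 logon ticket that a shortcut file like the one above carries, run on a constructed shortcut (placeholder user U0009999, dummy signature bytes; P11 and client 300 as on the slide). The info unit names are an assumption taken from public descriptions of the ticket format, not from the slides. It shows what a defender should keep in mind: every field except the PKCS#7 signature is cleartext, and the signature (checked by SAP against the certificates configured in strustsso2) is the only thing that stops a tampered ticket, so the file on disk is a bearer credential.

```python
import base64
import configparser
# Info unit IDs per public descriptions of the logon ticket format (assumption,
# not stated on the slides); unknown IDs are reported as unit_0xNN
INFO_UNIT_NAMES = {0x01: "user", 0x02: "client", 0x03: "system_id", 0x04: "created",
                   0x05: "valid_hours", 0x20: "portal_user", 0x88: "auth_method",
                   0xFF: "signature"}

def parse_mysapsso2(ticket_b64: str) -> dict:
    """Layout: 1 version byte, 4-byte codepage, then info units of
    (1-byte id, 2-byte big-endian length, value). Everything but the PKCS#7
    signature is cleartext, so the ticket must be treated as a bearer secret."""
    raw = base64.b64decode(ticket_b64)
    fields = {"version": raw[0], "codepage": raw[1:5].decode("ascii")}
    pos = 5
    while pos < len(raw):
        unit_id = raw[pos]
        length = int.from_bytes(raw[pos + 1:pos + 3], "big")
        value = raw[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated info unit")
        name = INFO_UNIT_NAMES.get(unit_id, f"unit_0x{unit_id:02x}")
        if unit_id == 0x05:
            fields[name] = int.from_bytes(value, "big")
        elif unit_id == 0xFF:
            fields[name] = value          # signature bytes, verified by SAP (strustsso2)
        else:
            fields[name] = value.decode("latin-1")
        pos += 3 + length
    return fields

def ticket_from_shortcut(shortcut_text: str) -> dict:
    """Extract the MYSAPSSO2 value from the [User] at="..." line of a .sap file."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(shortcut_text)
    cookie = cfg["User"]["at"].strip('"')
    if not cookie.startswith("MYSAPSSO2="):
        raise ValueError("shortcut carries no SAP logon ticket")
    return parse_mysapsso2(cookie[len("MYSAPSSO2="):])

def _unit(unit_id: int, value: bytes) -> bytes:
    return bytes([unit_id]) + len(value).to_bytes(2, "big") + value
# Constructed sample: placeholder user, dummy 8-byte "signature"
SAMPLE_TICKET = base64.b64encode(
    b"\x02" + b"1100" + _unit(0x01, b"U0009999") + _unit(0x02, b"300") + _unit(0x03, b"P11")
    + _unit(0x04, b"200711150930") + _unit(0x05, (8).to_bytes(4, "big"))
    + _unit(0x88, b"basicauthentication") + _unit(0xFF, b"\x30\x00" * 4)).decode("ascii")
SAMPLE_SHORTCUT = ("[System]\nName=P11\nClient=300\n[User]\nName=U0009999\n"
                   f'at="MYSAPSSO2={SAMPLE_TICKET}"\n[Options]\nReuse=0\n')
```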


SLIDE 17

Configuration overview
  • Communication between reverse proxy and SAP portal: Vhost webwsp.aps.kuleuven.be
  • Adjusting the SAP LoginModuleStack
  • Configuration of access to SAP servers: SAP transactions rz10 and strustsso2

SLIDE 18

Vhost webwsp.aps.kuleuven.be

SSL enabled:

# communication to browser
SSLEngine On
SSLCertificateFile /etc/pki/webwsp.aps.kuleuven.be.crt
SSLCertificateKeyFile /etc/pki/webwsp.aps.cc.kuleuven.be.key
# mutual certificate authentication with SAP
SSLProxyEngine On
SSLProxyCACertificateFile /etc/pki/ca-bundle.crt
SSLProxyMachineCertificateFile /etc/pki/webwsp.pem
SSLProxyVerify require
SSLProxyVerifyDepth 3

SLIDE 19

Vhost webwsp.aps.kuleuven.be (continued)

Protected with Shibboleth: authorization based on the affiliation header; the shib-person-uid header must be set

<Location />
  AuthType shibboleth
  ShibRequireSession on
  require affiliation member
</Location>

Reverse proxy:

ProxyPass / https://wsp.cc.kuleuven.be:8098/ retry=2
ProxyPassReverse / https://wsp.cc.kuleuven.be:8098/
ProxyVia Off
ProxyPreserveHost On

SLIDE 20

Login Module Stack of the J2EE engine (screenshot: Visual Administrator, Security Provider, SAP-J2EE-engine)

SLIDE 21

transaction rz10

Allow access with SAPssotickets

SLIDE 22

transaction strustsso2

Configure which SAPssoTickets are accepted (by which certificate they must be signed)


SLIDE 24

AA enabling via reverse proxy

remote_user in the backend server:
  • complex rewrite rules
  • use another header variable released by the IdP, e.g. shib-person-uid

Security (spoofing): only the uid is passed, no password
  • mutual certificate authentication between proxy and backend server
  • a persistent connection over SSL (keep-alive) is not yet :-/ possible with Apache mod_proxy
  • firewall filtering

SLIDE 26

Conclusion

AA enabling a closed source legacy application
  • dependent on the application
  • one possibility: by means of a Shibboleth enabled reverse proxy in front of the app

Credits: Philip Brusten, Jan Van der Velpen

URLs:
  http://kuleuven.be/english
  http://associatie.kuleuven.be/eng
  http://shib.kuleuven.be