1 ASE123 Implementing SSO and Access Control with ASE
Govind Seshadri, HSBC, VP, Database Administrator, govind.seshadri_at_us.hsbc.com
Bill Zhang, Sybase Inc., Principal System Consultant, bill.zhang_at_sybase.com
August 15-19, 2004
2 The Enterprise. Unwired.
3 The Enterprise. Unwired.
Industry and Cross Platform Solutions
Unwire People
Unwire Information
Manage Information
- Adaptive Server Enterprise
- Sybase IQ
- Dynamic Archive
- Dynamic ODS
- Real Time Data Services
- Replication Server
- OpenSwitch
- Mirror Activator
- PowerDesigner
- Connectivity Options
- EAServer
- PowerBuilder Family
- Unwired Accelerator
- Unwired Orchestrator
- Unwired Toolkit
- SQL Anywhere Studio
- Mobile Email Applications
- Enterprise Portal
- XcelleNet Frontline Solutions
- PocketBuilder
- AvantGo
Sybase Workspace
4 Agenda
- Business Requirement
- Current Solutions
- Proposed Solutions
5 Business Requirement
- Need a centralized resource to manage user/password
- Reduce the cost of the resources spent on maintaining user/password
- Meet auditing requirements using a centralized identity management system
- All applications should use a centralized resource for identity management (Single Sign-On)
- Global user sign on policies
- Audit trails
- nth level of delegation
- Separate Roles and Privileged Users (role based access control)
- Increase user administration efficiency (easy user management)
- Embrace Open standards (reduce proprietary systems lock-in)
6 Current Solution
- User maintenance is done on individual application/ASE servers
- No standards in password maintenance
- No password expiration
7 Proposed Solution
- Integration of LDAP, Tivoli Access Manager and the Sybase ASE Security and Directory Services option
- The objective of the SSO Project is to provide a common mechanism for new and existing applications to perform authentication based on the NT login.
- First step is to implement Common Sign On
8 Near term objectives
- Objective is to achieve Common Sign On.
- Today, a typical HSBC, NY employee has many IDs and passwords to maintain.
- The goal is to reduce the number of User ID/Password combinations by having all applications contact the Identity Manager to perform authentication using the desktop login credentials.
- The exceptions are vendor products.
9 Authentication Mechanisms
- Available Authentication Mechanisms
- Pluggable Authentication
  - Out-of-box modules to simplify integration into an existing security framework.
- LDAP User Authentication
- JAAS based authentication framework
  - open, standard, flexible and extensible security architecture
- Authentication methods / types
  - Configurable on a per-organization, per-role, per-user and per-service/per-application basis, giving fine grained flexibility and control in the creation and enforcement of policies.
10 Products
- Sybase ASE 12.5.2 Security Directory Services Option
- Lightweight Directory Access Protocol (LDAP)
- Pluggable Authentication Module (PAM)
- Kerberos interoperability with Active Directory and MIT
- Sun ONE Identity Server
- IBM Tivoli Identity Manager
- Netegrity SiteMinder IdentityMinder
11 What is LDAP?
- Lightweight Directory Access Protocol (LDAP) is an industry standard for accessing directory services
- LDAP URL (URL stands for Uniform Resource Locator)
  - Specifies a set of objects or values on an LDAP server
12 Background on Identity Management
- What is Identity Management?
- Project Scope
- Project Architecture
13 What is Identity Management?
- Managing an Identity's life cycle and its relationship to business applications and services.
- Creating an identity that represents the user
- Activating the services for authentication and authorization
- Administering and Managing Identity
- Deactivating once the user is no longer authorized in the system
14 Basic Definitions
- Definitions
  - Authentication is establishing who you are.
  - Authorization is determining what you are allowed to do.
- Identity Management
  - Current implementation gives us Reduced / Common Sign-On, a step towards the holy grail of Single Sign-On (SSO). Applications running in the Tivoli Secure Domain will use Desktop login credentials for user authentication
15 Project Scope
- The objective of the Identity Management Project is to provide a common method for new and existing applications to perform authentication.
16 Tivoli Access Manager
- Identity Management is not the same as LDAP.
- LDAP is a set of protocols to
  - access a specialized database
  - optimized for read queries
  - database structure in the form of a directory tree
- Most vendors use a standalone product that is designed to perform best with the LDAP tree structure.
17 Tivoli Access Manager Components
- Tivoli Identity Management uses an LDAP server along with other components to achieve the integration and management of identity information.
- IBM Tivoli Access Manager main components
  - WebSphere Application Server (as the main component of IM)
  - IBM/Apache Web Server (to allow use of a browser as GUI)
  - Tivoli Access Manager (for Java and C apps to use API services)
  - IBM or Sun LDAP server (as repository for user info)
  - Future integration with Identity Manager
18 Why Tivoli Access Manager
- Provides a wide range of authorization and management solutions
- Provides an access control management solution
- Solves the audit requirement
- Generate audit reports using Identity Manager (future)
19 Tivoli Identity Manager Architecture
20 Current Implementation Overview
21 Workflow
- How a user gets authenticated
  - User is registered on the NT Domain
  - User import.sh imports the user information to the Tivoli root suffix
  - Password Synchronization syncs username/password to the LDAP Server
  - SSOs activate and assign the GSO to the username
  - Users use NT login credentials to log on to applications
22 How CSO works
23 Going forward
- Current project scope does not include Single Sign On.
- SSO is to have a user log in once and only once using the desktop credentials, then be able to access application and server accounts transparently, without having to re-enter the ID/password each time.
- Again, exceptions are vendor products.
24 Workflow with SSO
25 Future Implementation
26 Advantages of SSO
- Although Single Sign On (SSO) is convenient, realistically, Common Sign On is easier to achieve.
- Common Sign On gives most of the benefits of SSO, including the important one, that of maintaining only one ID and password in one place. For users of multiple applications, this is a huge benefit.
27 LDAP Authentication in ASE
- Technical details
  - Need the ASE_DIRS license for ASE
  - sp_configure "enable ldap user auth", 0 | 1 | 2
  - Only an SSO (System Security Officer) can do this, and it is a dynamic parameter
- Choosing the Authentication Algorithm
  - Composed DN authentication
  - Searched DN authentication
- Administer User Accounts on ASE/LDAP
28 LDAP Administration
- How to set the URLs
  - sp_ldapadmin set_primary_url, 'ldapurl'
  - sp_ldapadmin set_secondary_url, 'ldapurl' | null
  - sp_ldapadmin set_access_acct, 'account_distinguished_name', 'account_password'
  - sp_ldapadmin set_dn_lookup_url, 'ldapurl'
  - sp_ldapadmin list_urls
  - sp_ldapadmin check_url, 'ldapurl'
  - sp_ldapadmin check_login, 'login_name'
29 Composed DN Algorithm
- How this works
  - Client connects to ASE
  - O/C sends the internal login record
  - ASE listener accepts the connection
  - ASE reads the login record
  - ASE binds the login name to LDAP with a DN composed from the Primary URL and uses the password from the login record
  - LDAP authenticates: Success/Failure
  - LDAP search
  - ASE accepts/rejects the login
30 Composed DN example
- Example
  - 'ldap://nysundev01:390/ou=Groups,dc=us,dc=hsbc??sub?cn'
31 Searched DN Algorithm
- How this works
  - Client connects to ASE
  - ASE listener accepts the connection
  - O/C sends the internal login record
  - ASE reads the login record
  - ASE binds to the LDAP server with the DS access account
  - LDAP authenticates the access account: Success/Failure
  - ASE sends a search request to LDAP based on the login record and the DN lookup URL
  - LDAP returns the results of the search
  - ASE reads the results to obtain the value of the attribute for the DN lookup URL
  - ASE uses the value of the attribute as the DN and the password from the login record to bind to LDAP
  - LDAP authenticates the user: Success/Failure
  - If the Primary URL specifies a search, ASE sends it to LDAP
  - LDAP returns the results of the search
  - ASE accepts or rejects the login
32 Search DN example
- Search DN example
- Access Account information
  - sp_ldapadmin set_access_acct, 'cn=Directory Manager, secAuthority=default', 'password'
- Primary URL
  - 'ldap://nysundev01.us.hsbc:390/cn=Users,secAuthority=Default??sub?(&(secUid=*)(secResCredsID=Tsybase))'
- Secondary URL: None
- Distinguished Name Lookup URL
  - 'ldap://nysundev01.us.hsbc:390/o=hsbc,c=us??sub?cn'
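The two bind-DN algorithms above, as an added example that is not code from the deck or from Sybase: an ASE-style LDAP URL parser, the composed-DN construction, and the searched-DN lookup step run over an in-memory stand-in for the directory. The directory entries are constructed from the deck's later sample output, and treating '*' in the filter as the login placeholder, an empty attribute field as "use the entry's DN", and several hits as a rejection are assumptions of the example; a real ASE first binds with the access account and talks to the LDAP server.

```python
import re
from urllib.parse import urlsplit

def parse_ase_ldap_url(url):
    """Split ldap://host:port/base?attrs?scope?filter (ASE's URL form) into parts."""
    u = urlsplit(url)
    attrs, scope, filt = (u.query.split("?", 2) + ["", ""])[:3]
    return {"host": u.hostname, "port": u.port or 389, "base": u.path.lstrip("/"),
            "attrs": attrs, "scope": scope or "base", "filter": filt}

def composed_dn(primary_url, login):
    """Composed DN: ASE builds '<filter attribute>=<login>,<base>' and binds with it."""
    p = parse_ase_ldap_url(primary_url)
    return f"{p['filter']}={login},{p['base']}"

def _norm(dn):
    return dn.replace(" ", "").lower()

def _matches(entry, filt):
    """Minimal filter evaluator: (attr=value) and (&(..)(..)); '*' is a wildcard."""
    if filt.startswith("(&"):
        return all(_matches(entry, f"({s})") for s in re.findall(r"\(([^()]*)\)", filt))
    attr, _, value = filt.strip("()").partition("=")
    pattern = "^" + re.escape(value).replace(r"\*", ".*") + "$"
    return any(re.match(pattern, v, re.I) for v in entry.get(attr.lower(), []))

def searched_dn(search_url, login, directory):
    """Searched DN: substitute the login for '*', search under the URL's base with its
    scope, and return the single hit's DN (or its named attribute) for the user bind.
    Zero or several hits return None: an ambiguous login must be rejected (assumption)."""
    p = parse_ase_ldap_url(search_url)
    filt, base = p["filter"].replace("*", login), _norm(p["base"])
    hits = []
    for e in directory:
        dn = _norm(e["dn"])
        below = dn[:-len(base) - 1] if dn.endswith("," + base) else None
        in_scope = {"base": dn == base, "one": below is not None and "," not in below,
                    "sub": dn == base or below is not None}[p["scope"]]
        if in_scope and _matches(e, filt):
            hits.append(e[p["attrs"].lower()][0] if p["attrs"] else e["dn"])
    return hits[0] if len(hits) == 1 else None

# Constructed stand-in for the directory, modelled on the deck's sample LDAP output.
DIRECTORY = [
    {"dn": "secResCredsId=TSybase,cn=ResCreds,principalName=sybadmin,cn=Users,secAuthority=Default",
     "secuid": ["sybadmin"], "secrescredsid": ["TSybase"], "objectclass": ["secResCreds"]},
    {"dn": "secResCredsId=TSybaseAdmin,cn=ResCreds,principalName=sybadmin,cn=Users,secAuthority=Default",
     "secuid": ["sybadmin"], "secrescredsid": ["TSybaseAdmin"], "objectclass": ["secResCreds"]},
]
COMPOSED_URL = "ldap://nysundev01:390/ou=Groups,dc=us,dc=hsbc??sub?cn"
SEARCH_URL = ("ldap://nysundev01.us.hsbc:390/cn=Users,secAuthority=Default"
              "??sub?(&(secUid=*)(secResCredsID=TSybase))")
```

Note that a filter without the second assertion, such as (secUid=*), matches both ResCreds entries and so yields no bind DN, which is why the deck's primary URL pins secResCredsID as well.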
33 How to test the URLs
- Use ldapsearch
  - ./ldapsearch -h nysundev01 -p 390 -D "cn=Directory Manager" -w password -b "cn=users,secAuthority=Default" -s sub "secuid=seshadrig"
34 User Logins
35 Login Controls
- Define the authentication mechanism
  - sp_addlogin has an additional input, @auth_mech
  - sp_addlogin 'mylogin', 'mypassword', @auth_mech = 'LDAP'
- Map Logins
  - This helps the SSOs define the action to take if an external user does not exist in syslogins
  - sp_maplogin 'LDAP', NULL, 'create login'
  - This example tells ASE to create a new login for all external users authenticated with LDAP
- Note: users still have to be added to the appropriate databases by the Database Administrator
36 LDAP Services in ASE 12.5.X
- ASE 12.5 provides LDAP directory services for server look-up
37 Using LDAP in lieu of the interfaces File
- ASE 12.5 and Open Client/Open Server can be configured to use LDAP services to define server connection information
- The LDAP directory structure is accessed through a 3rd-party LDAP server
- Provides an optional, lightweight alternative to the traditional interfaces file on Unix and the sql.ini file on Windows NT
- Lookup requests are based on server name
- Used to obtain network information
  - IP address
  - Port number
  - Network protocol
38 The interfaces File vs. LDAP
- interfaces file
    GTTBKUP2
        master tcp ether gttbkup2 5000
        query tcp ether gttbkup2 5000
- LDAP
    dn: sybaseServername=GTTBKUP2, secAuthority=Default
    sybaseAddress: TCP#1#gttbkup2.us.hsbc 5001
    sybaseAddress: TCP#1#gttbkup2.us.hsbc 5009
    objectClass: sybaseServer
    sybaseServername: GTTBKUP2
39 LDIF file for interfaces
dn: sybaseServername=GTTBKUP2, secAuthority=Default
sybaseAddress: TCP#1#gttbkup2.us.hsbc 5001
sybaseAddress: TCP#1#gttbkup2.us.hsbc 5009
objectClass: sybaseServer
sybaseServername: GTTBKUP2
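The interfaces-to-LDIF mapping shown on the last two slides, as an added example that is not code from the deck or from Sybase: a converter that reads interfaces-file entries in the "query tcp ether host port" form and emits sybaseServer LDIF entries. The sample interfaces text is constructed; the secAuthority=Default base and the "TCP#1#host port" address form are taken from the deck's LDIF, and treating only query lines (not master lines) as client-visible addresses is an assumption of the example.

```python
# Constructed sample in the layout shown on the interfaces slide (second server added).
INTERFACES_SAMPLE = """\
GTTBKUP2
    master tcp ether gttbkup2 5000
    query tcp ether gttbkup2 5000

GTTBKUP3
    query tcp ether gttbkup3.us.hsbc 5009
"""

def parse_interfaces(text):
    """Return {server: [(host, port), ...]} from the 'query tcp ether host port' lines.
    An unindented line names a server; indented lines are its master/query addresses."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            current = line.split()[0]
            servers[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) != 5:
            raise ValueError(f"unexpected interfaces line: {raw!r}")
        service, proto, _net, host, port = fields
        if service == "query" and proto == "tcp":   # master lines are listener-side only
            servers[current].append((host, int(port)))
    return servers

def to_ldif(servers, base_dn="secAuthority=Default"):
    """Emit one sybaseServer entry per server and one sybaseAddress per query address,
    in the TCP#1#host port form used by the deck's LDIF. A server with no query line
    would be unreachable by clients, so it is refused rather than silently dropped."""
    out = []
    for name, addrs in servers.items():
        if not addrs:
            raise ValueError(f"{name}: no query address, clients could not connect")
        out.append(f"dn: sybaseServername={name},{base_dn}")
        out.append("objectClass: sybaseServer")
        out.append(f"sybaseServername: {name}")
        out.extend(f"sybaseAddress: TCP#1#{host} {port}" for host, port in addrs)
        out.append("")
    return "\n".join(out)
```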
40 Our implementation
- To make full use of a centralized place for maintaining interfaces files, we integrated the interfaces entry into LDAP
- libtcl64.cfg on the Server Side
    [DIRECTORY]
    ldap=libdldap64.so ldap://nysundev01.us.hsbc:390/secAuthority=Default??one??bindname=cn=Directory Manager?password
- libtcl.cfg on the Client Side
    [DRIVERS]
    NLWNSCK=TCP Winsock TCP/IP Net-Library driver
    [NT_DIRECTORY]
    LDAP=LIBDLDAP ldap://nysundev01.us.hsbc:390/secAuthority=Default??one??bindname=cn=Directory Manager?password
41 Add sybase entries to 99user.ldif
- In order to start the ASE using LDAP, make sure the 99user.ldif file in the config directory of the LDAP server is updated and the LDAP server restarted
- Sample output from 99user.ldif
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.1 NAME 'sybaseVersion' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.2 NAME 'sybaseServername' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.3 NAME 'sybaseService' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.4 NAME 'sybaseStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.5 NAME 'sybaseAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.6 NAME 'sybaseSecurity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    attributeTypes: ( 1.3.6.1.4.1.897.4.2.7 NAME 'sybaseRetryCount' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
42 Tivoli Access Manager
43 User Setup with TAM
44 GSO Credential Setup
45 Policy
46 Policy - User Properties
47 Sample LDAP output
48 More sample output
uid: sybadmin
objectClass: inetOrgPerson
objectClass: ePerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: Admin
cn: Sybase
cn: sybadmin

dn: secAuthority=Default, cn=sybadmin, o=hsbc,c=us
secLoginType: Default:LDAP
secDomainId: Default:sybadmin
secPwdValid: TRUE
principalName: sybadmin
objectClass: secUser
objectClass: eUser
objectClass: cimManagedElement
objectClass: top
secAcctValid: true
secHasPolicy: false
secUUID: fe7df758-8e25-11d8-a6ed-ac100101aa77
secAuthority: Default
secPwdLastChanged: 20040527191045.0Z
49 secAuthority tree structure
50 More on the secAuthority
dn: principalName=sybadmin, cn=Users, secAuthority=Default
secLoginType: Default:LDAP
secAcctValid: True
secDN: cn=sybadmin,o=hsbc,c=us
description:
objectClass: top
objectClass: cimManagedElement
objectClass: eUser
objectClass: secUser
principalName: sybadmin
secAuthority: Default

dn: cn=ResCreds, principalName=sybadmin, cn=Users, secAuthority=Default
objectClass: top
objectClass: container
cn: ResCreds
51 Contd..
dn: secResCredsId=TSybaseAdmin, cn=ResCreds, principalName=sybadmin, cn=Users, secAuthority=Default
secAuthnType: 2
secResCredsID: TSybaseAdmin
secAuthnLength: 40
secUid: sybadmin
secType: 1
secValid: True
objectClass: top
objectClass: secResCreds
secAuthnData: IUAjbioqKioqKip2JCQkJCQkJCQkJCQkJGIhZEBAQEBAQEBwIXchAA
description:

dn: secResCredsId=TSybase, cn=ResCreds, principalName=sybadmin, cn=Users, secAuthority=Default
secAuthnType: 2
secResCredsID: TSybase
secAuthnLength: 62
secUid: sybadmin
secType: 1
secValid: True
objectClass: top
objectClass: secResCreds
secAuthnData: IUAjbioqKioqKip2JCQkJCQkJCQkJCQkJGIhZEBAQEBAQEBwIXchMSEzQEBAQEBAQDUjIyMjIyMjIyMjIwA
description:
52 The final picture.
53 URL References
- http://www-3.ibm.com/software/tivoli/products/identity-mgr/
- http://wwws.sun.com/software/products/identity_srvr/home_identity.html
- http://publib.boulder.ibm.com/tividd/td/IdentityManager4.4.html
- http://www.projectliberty.org/
- http://www7b.software.ibm.com/wsdd/library/techarticles/0305_lucas/lucas.html
- http://www.oasis-open.org/
- http://www.informationweek.com/story/showArticle.jhtml?articleID=6500072&pgno=1
- http://www.sybase.com
54 Acknowledgements
- Shailesh Bhaisare, HSBC
- Bob Izen, Alliance Engineer, Sybase
- Rajnish Chitkara, Sybase