POODLE SSL Bug and OpenDJ

A new security issue hit the streets this week: the POODLE SSL bug. We immediately received a question on the OpenDJ mailing list about how to remediate the vulnerability.
While the vulnerability is mostly triggered by the client, it's also possible to prevent the attack by disabling the use of SSLv3 altogether on the server side. Beware that disabling SSLv3 might break old legacy client applications.

OpenDJ uses the SSL implementation provided by Java, and by default it allows all the TLS protocols supported by the JVM. You can restrict the set of protocols for the Java VM installed on the system using deployment.properties (on the Mac, using the Java Preferences Panel in Advanced Mode), or using a system property at startup (-Ddeployment.security.SSLv3=false). I will let you search through the official Java documentation for the details.

But you can also control the protocols used by OpenDJ itself. To do so, you need to change settings in several places:

  • the LDAPS Connection Handler, since this is the one dealing with LDAP over SSL/TLS.
  • the LDAP Connection Handler, if the startTLS extended operation is to be used to negotiate SSL/TLS establishment on the LDAP connection.
  • the HTTP Connection Handler, if you have enabled it to activate the RESTful APIs.
  • the Crypto Manager, whose settings are used by Replication and possibly the Pass Through Authentication Plugin.
  • the Administration Connector, which also uses LDAPS.

For example, to change the settings in the LDAPS Connection Handler, you would run the following command:

# dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
--add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 \
-h localhost -p 4444 -X -D "cn=Directory Manager" -w secret12 -n

Repeat for the LDAP Connection Handler and the HTTP Connection Handler.

For the crypto manager, use the following command:

# dsconfig set-crypto-manager-prop \
--add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 \
-h localhost -p 4444 -X -D "cn=Directory Manager" -w secret12 -n

And for the Administration Connector:

# dsconfig set-administration-connector-prop \
--add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 \
-h localhost -p 4444 -X -D "cn=Directory Manager" -w secret12 -n

All of these changes will take effect immediately, but they will only impact new connections established after the change.
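Once the ssl-protocol lists above have been applied, it is worth confirming from the outside that none of the listeners still negotiates SSLv3. The script below is an added example written for this post, not code from the original article or from the OpenDJ project: it sends a minimal SSLv3 ClientHello (per the SSL 3.0 record and handshake layout) to a port and classifies the first record the server sends back. A ServerHello carrying version 3.0 means SSLv3 is still enabled; an alert, a closed connection, or a ServerHello with another version means it is not. The host and port values in the main block are placeholders for your own LDAPS, HTTP, and administration (4444) ports.

```python
"""Probe a listener for SSLv3 support after restricting OpenDJ's ssl-protocol.

Added example, not part of the original post or of OpenDJ. It speaks just
enough of the SSL 3.0 handshake (record header + ClientHello/ServerHello)
to tell whether the server agrees to version 3.0.
"""
import os
import socket
import struct

# Record content types and handshake message types from the SSL 3.0 spec
RECORD_ALERT = 0x15
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
SSLV3_VERSION = b"\x03\x00"

# A few RSA cipher suites an SSLv3-enabled Java server would typically accept
SSLV3_CIPHERS = [0x000A, 0x002F, 0x0035]


def build_sslv3_client_hello(random_bytes: bytes = None) -> bytes:
    """Return one SSLv3 record carrying a ClientHello without extensions."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", c) for c in SSLV3_CIPHERS)
    body = (
        SSLV3_VERSION                              # client_version = 3.0
        + random_bytes                             # gmt_unix_time + random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + SSLV3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_server_response(data: bytes) -> str:
    """Classify the first bytes a server returned to an SSLv3 ClientHello.

    "sslv3-accepted": ServerHello with version 3.0, so SSLv3 is still enabled
    "rejected":       alert, closed connection, or ServerHello of another version
    "unrecognised":   not an SSL/TLS record at all (wrong port, plain LDAP, ...)
    """
    if len(data) == 0:
        return "rejected"          # server closed without answering the hello
    if len(data) < 5:
        return "unrecognised"
    content_type = data[0]
    if content_type == RECORD_ALERT:
        return "rejected"
    if content_type != RECORD_HANDSHAKE:
        return "unrecognised"
    # Record header is 5 bytes; handshake type at offset 5, length at 6..8,
    # server_version at 9..10.
    if len(data) < 11 or data[5] != HS_SERVER_HELLO:
        return "unrecognised"
    return "sslv3-accepted" if data[9:11] == SSLV3_VERSION else "rejected"


def probe_sslv3(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_server_response(reply)


if __name__ == "__main__":
    # Placeholder targets: adjust to your LDAPS, HTTPS and admin (4444) ports.
    for port in (636, 4444):
        print(f"localhost:{port} -> {probe_sslv3('localhost', port)}")
```

Run it against each secured port after the dsconfig changes; since the changes only affect new connections, every probe here opens a fresh one. The classifier deliberately treats a plain connection close as "rejected", because a JVM configured without SSLv3 may either send an alert or simply drop the handshake.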


Join us for the 2014 European IRM Summit, Nov 3-5 2014…

There are conferences and there are Conferences. The Conferences are the ones that you remember, because they happened in unusual places, because they had a different atmosphere, and because you met lots of friendly and bright people. They are the ones you leave with the satisfaction of having learned something, having received value, and looking forward to coming back next year.

The IRM Summit is one of these Conferences. The next European IRM Summit is taking place on November 3-5, near Dublin, Ireland, at the Powerscourt Estate pictured here. It's a 2-day event where you can learn about and discuss the Identity Relationship Management space, standards, platforms, solutions... There will be many presentations, demos, trainings, plenty of time for discussions and meetings, a free half-day Kantara Initiative workshop around "Trusted IDentity Exchange (TIDX)", and some fun. I can already hear the fiddle, the pipes, the harp and smell the Guinness! And I hope the weather will let us enjoy the wonderful garden.

Check out the agenda and the list of speakers, and don't wait until the last minute to register. While there are hundreds of rooms available, they are still counted and limited. Last year's summit was sold out!

I'm looking forward to seeing you in beautiful Ireland!


Some OpenIG related articles…

My coworkers have been better than me at writing blog articles about OpenIG (at least faster).

Here are a few links:

Simon Moffat describes the benefits of OAuth2.0 and OpenID Connect and how to start using those with OpenIG 3.0.

Warren Strange went a little bit further and, with a short introduction to OpenIG, made sample configuration files for OpenIG 3.0 available on GitHub to start using OpenID Connect.

Mark, who runs the ForgeRock documentation team, describes the improvements made to the Introduction section of the OpenIG docs, based on the feedback received since the release of OpenIG 3.0.


New ForgeRock product available: OpenIG 3.0

Since the beginning of the year, I’ve taken an additional responsibility at ForgeRock: Product Management for a new product finally named ForgeRock Open Identity Gateway (built from the OpenIG open source project).

OpenIG is not really a new project, as it’s been an optional module of OpenAM for the last 2 years. But with a new engineering team based in Grenoble, we’ve taken the project on a new trajectory and made a full product out of it.

OpenIG 3.0.0 was publicly released on August 11th and announced here and there. But as I was on holiday with the family, I had not written a blog post about it.

So what is OpenIG and what's new in the 3.0 release?

OpenIG is a web and API access management solution that allows you to protect enterprise applications and APIs using open standards such as OAuth 2.0, OpenID Connect and SAMLv2.

The Password Capture and Replay and SAMLv2 federation support features have been enhanced from the previous version. But OpenIG 3.0 also brings several new features:

  • Support for OAuth 2.0 and OpenID Connect standard protocol to ease authentication and authorized access from clients, browsers, mobile devices and things
  • Support for scripting using the Groovy language to quickly develop complex flows
  • Support for protecting multiple applications or APIs with a single instance and splitting configuration in multiple dynamically reloaded files

I presented the new product and its features publicly this week through a webinar. The recording is now available, and so is the deck of slides that I used.

You can download OpenIG 3.0 from ForgeRock.com, or if you would like to preview the enhancements that we’ve already started for the 3.1 release, get a nightly build from ForgeRock.org.

Play with it and let us know how it is working for you, either by email, using a blog post or writing an article on our wiki. I will be reviewing them, relaying and advertising your work. And I'm also preparing a surprise for the authors of the most outstanding use cases!

I'm looking forward to hearing from you.


4 years!

Exactly four years ago, I was free from all obligations with my previous employer and started to work for ForgeRock.

My first goal was to set up the French subsidiary and start thinking of building a team to take on development of what we later named OpenDJ.

4 years later, I look at where we are with ForgeRock and I feel amazed and really proud of what we've built. ForgeRock is now a well-established global business with several hundred customers across the globe, and plenty of opportunities for growth. The company has grown to more than 200 employees worldwide and is still expanding. The ForgeRock Grenoble Engineering Center moved to new offices at the end of May and counts 13, soon 14, employees, and we're still hiring.

Thanks to the ForgeRock founders for the opportunity, and let's keep rocking!!!


What we build at ForgeRock…

Since I started working at ForgeRock, I've had a hard time explaining to my non-technical relatives and friends what we were building. But those days are over.

Thanks to our Marketing department, I can now refer them to our "ForgeRock Story" video:


Forgerock’s startup journey

Great article about ForgeRock and its CTO and founder, that tells a lot about the culture of the company: Forgerock’s startup journey.
