Bloombase Spitfire Identity Manager Essentials
Bloombase Enterprise Services
ES-351
Training Guide
Revision 1
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Bloombase Technologies.
Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Bloombase Technologies, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with Bloombase Technologies, and neither the document nor any such information may be released without the written consent of Bloombase Technologies.
© 2011 Bloombase Technologies
Bloombase, Spitfire, StoreSafe and Keyparc are either registered trademarks or trademarks of Bloombase Technologies in the United States, People’s Republic of China, Hong Kong Special Administrative Region and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Document No.: BLBS_ES-351_BloombaseSpitfireIdentityManagerEssentials_R1
Table of Contents
Table of Contents 3
About This Course 5
Course Map 6
Topics Not Covered 7
How Prepared Are You? 8
Introductions 9
How to Use Course Materials 10
Introducing Bloombase Spitfire Identity Manager 11
Overview 12
Bloombase Spitfire Identity Manager Installation 14
Spitfire Identity Manager on SpitfireOS Installation 15
Spitfire Identity Manager VMware Virtual Appliance Installation 16
Spitfire Identity Manager for Unix/Linux Installation 17
Spitfire Identity Manager for Microsoft Windows Installation 18
Exercise: Install Spitfire Identity Manager 19
Task 1 – Install Spitfire Identity Manager from ISO disk image 19
Task 2 – Initialize Spitfire Identity Manager 19
Bloombase Spitfire Identity Manager Configuration 20
Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console 21
Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management 22
Exercise: Provision Your First Spitfire Identity User 24
Task 1 – Provision a Pin Only Authentication Policy 24
Task 2 – Provision a new Local User 24
Task 3 – Provision a new LDAP User 24
Configure Spitfire Identity Manager for Life-cycle Security Device Management 26
Exercise: Provision Your First OTP Device 28
Task 1 – Google Authenticator 28
Task 2 – Provision Google Authenticator as Your OTP Device 28
Task 3 – Assign Device to User 28
Spitfire Identity API 29
txt 30
json 30
xml 30
Exercise: User Authentication Using Spitfire Identity API 31
Task 1 – Pin Authentication 31
Task 2 – Verify If Fully Authenticated 31
Bloombase Spitfire Identity Manager Essentials
5 Bloombase Spitfire Identity Manager Essentials
Copyright 2011 Bloombase Technologies. All Rights Reserved. Bloombase Enterprise Services. Revision 1
About This Course
Upon completion of this course, you should be able to:
Install Bloombase Spitfire Identity Manager physical appliance
Install Bloombase Spitfire Identity Manager virtual appliance
Install Bloombase Spitfire Identity Manager software server
Configure Bloombase Spitfire Identity Manager for enterprise-scale user identity management and security device asset management
Make use of Bloombase Spitfire Identity Manager API for application integration
Course Map
The following course map enables you to see what you have accomplished and
where you are going in reference to the course goals
Introducing Bloombase Spitfire Identity Manager
Installation
Bloombase Spitfire Identity Manager on SpitfireOS
Bloombase Spitfire Identity Manager VMware virtual appliance
Bloombase Spitfire Identity Manager for Unix/Linux
Bloombase Spitfire Identity Manager for Microsoft Windows
Operation
Performing basic administration, configuration, user provisioning and security device provisioning
Developing applications to interface with Bloombase Spitfire Identity Manager API for user authentication and identity management
Topics Not Covered
This course does not cover the topics shown on the overhead. Many of the topics
listed on the overhead are described in other courses offered by Bloombase
Enterprise Services:
Bloombase Spitfire Server – Described in ES-311: Bloombase Spitfire Server Essentials
Bloombase Spitfire KeyCastle – Described in ES-319: Bloombase Spitfire KeyCastle Essentials
Bloombase Spitfire Ethernet Encryptor – Described in ES-321: Bloombase Spitfire Ethernet Encryptor Essentials
Bloombase Spitfire High Availability Cluster – Described in ES-361: Bloombase Spitfire High Availability Cluster Essentials
How Prepared Are You?
To be sure you are prepared to take this course, can you answer yes to the
following questions?
Can you perform basic Unix-like and Windows operating system (OS) administration tasks, such as using tar commands, creating user accounts, formatting disk drives, using vi, ssh and sftp, installing a Unix-like OS, installing patches, and adding packages?
Do you have prior experience with enterprise grade hardware?
Do you have hands-on experience on enterprise identity management tools such as LDAP and Microsoft Active Directory?
Are you familiar with data protection and security technologies, such as firewalls, network encryption, symmetric and asymmetric encryption, and public key infrastructure (PKI)?
Do you have prior experience with HTTP web-based server system technologies?
Do you have prior knowledge of a programming language such as Java or C?
Are you familiar with software application installation on Windows or Linux?
Are you familiar with PKCS#11 smart cards and/or smart tokens?
Introductions
Now that you have been introduced to the course, introduce yourself to each
other and the instructor, addressing the items shown in the following bullets.
Name
Company affiliation
Title, function, and job responsibility
Experience related to topics presented in this course
Reasons for enrolling in this course
Expectations for this course
How to Use Course Materials
To enable you to succeed in this course, these course materials use a learning
model that is composed of the following components:
Goals – You should be able to accomplish the goals after finishing this course and meeting all of its objectives
Objectives – You should be able to accomplish the objectives after completing a portion of instructional context. Objectives support goals and can support other higher-level objectives
Lecture – The instructor will present information specific to the objective of the modules. This information should help you learn the knowledge and skills necessary to succeed with the activities
Activities – The activities take on various forms, such as an exercise, self-check, discussion, and demonstration. Activities help to facilitate mastery of an objective
Visual aids – The instructor might use several visual aids to convey a concept, such as a process, in a visual form. Visual aids commonly contain graphics, animation, and video
Introducing Bloombase Spitfire Identity Manager
Upon completion of this module, you should be able to
Tell what Bloombase Spitfire Identity Manager does
Tell what problems Bloombase Spitfire Identity Manager solves
Tell what applications Bloombase Spitfire Identity Manager is for
Overview
Bloombase Spitfire Identity Manager is a complete strong authentication solution
for enterprise end users. It enables two-factor authentication to protect user
identities and core business information.
The recent rise in phishing attacks and identity theft has increased the need to
protect online identities. Bloombase Spitfire Identity Manager protects user
identities and when used in connected mode defends against phishing attacks by
detecting fraudulent sites.
Bloombase Spitfire Identity Manager combines the following authentication
methods in a single solution with thin user provisioning capabilities:
User name and password
Lightweight Directory Access Protocol (LDAP)
Microsoft Active Directory
OATH-based one-time password
SMS-based mobile one-time password
SMTP-based email one-time password
IBM Lotus Notes one-time password
PKI-based smart card/token
PKI-based soft security vault
Two-factor authentication greatly enhances system security by combining
something the user has, such as a personal device, with something the user knows,
such as a password. Bloombase Spitfire Identity Manager uses these elements to
form a unique combination that someone must have to connect to a system.
Smart cards feature a small embedded chip which operates as a mini-computer
that not only securely stores data but also can process information and react to its
environment. These features give smart cards the unique ability to provide secure,
portable access to personalized services while protecting each user’s privacy and
identity.
Bloombase Spitfire Identity Manager provides three ways to integrate with
enterprise applications:
AAA RADIUS
Client web portal for web-based authentication workflow integration
Application programming interface (API)
Bloombase Spitfire Identity Manager Installation
Upon completion of this module, you should be able to
Install Bloombase Spitfire Identity Manager on a physical appliance
Install Bloombase Spitfire Identity Manager VMware virtual appliance
Install Bloombase Spitfire Identity Manager as a host application in Unix and Windows environment
Spitfire Identity Manager on SpitfireOS Installation
The Spitfire Identity Manager for SpitfireOS ISO disk image can be deployed on
standalone hardware appliances for customers requiring highly customized
system resource allocation.
The Spitfire Identity Manager for SpitfireOS ISO disk image
bloombase-spitfire-identity-<version>.iso
can be mounted directly as a virtual disk drive on VMware Server/ESXi, or it can
be burned to an installation CD/DVD and installed directly from the disk drive of a
physical appliance or of a virtual machine container such as VMware ESXi.
Bloombase SpitfireOS will guide you through the rest of the installation process to
get SpitfireOS installed, and then installs Spitfire Identity Manager automatically.
Spitfire Identity Manager VMware Virtual Appliance Installation
Spitfire Identity Manager is available as a VMware virtual appliance for
installation-free deployment in VMware Server and ESXi environments.
Simply import the Spitfire Identity Manager VMware virtual appliance file
bloombase-spitfire-identity-<version>.ova
into VMware Server or ESXi to create a new virtual appliance that is ready to run in
minutes.
Spitfire Identity Manager for Unix/Linux Installation
Spitfire Identity Manager is also available as a software-only package, not bundled
with SpitfireOS, for deployment as a host application in Unix-like environments.
To start the software installation of Spitfire Identity Manager on the host operating
system, launch the installer by invoking the command
./bloombase-spitfire-identity-<version>-<platform>.bin
at the command prompt.
By default, the Spitfire Identity Manager software server is installed at
/spitfire-identity
Spitfire Identity Manager for Microsoft Windows Installation
Spitfire Identity Manager for Microsoft Windows is available as a software-only
package, not bundled with SpitfireOS, for deployment as a host application in
Microsoft Windows environments.
To start the installation process, launch the Spitfire Identity Manager for Windows
installer
bloombase-spitfire-identity-<version>-<platform>.exe
The installer will guide you through the rest of the setup process.
By default, Spitfire Identity Manager is installed at
\spitfire-identity
Exercise: Install Spitfire Identity Manager
Task 1 – Install Spitfire Identity Manager from ISO disk image
Create a new Linux-based virtual machine with at least 512MB of main memory.
Mount the Spitfire Identity Manager ISO disk image as a virtual disk drive.
Power on the virtual machine and let the SpitfireOS installer guide you through the
rest of the installation.
Task 2 – Initialize Spitfire Identity Manager
Sign on to the Spitfire Identity Manager CLI console and configure the network
parameters for Spitfire Identity Manager.
Sign on to the Spitfire Identity Manager web-based management console and follow
the instructions to initialize Spitfire Identity Manager.
Bloombase Spitfire Identity Manager Configuration
Upon completion of this module, you should be able to
Use the Spitfire Identity Manager web-based management console
Configure Spitfire Identity Manager for life-cycle user identity and authentication policy management
Configure Spitfire Identity Manager for LDAP and Microsoft Active Directory identity management
Configure Spitfire Identity Manager for life-cycle security device management
Configure Spitfire Identity Manager for one time password management
Configure Spitfire Identity Manager for smart card and smart token management
Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console
The Bloombase Spitfire Identity Manager web management console for administrators
can be accessed by pointing a web browser to the URL below
https://<spitfireim>:8451
or
https://<spitfireim>:8451/admin
Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management
Spitfire Identity Manager combines the following in a purpose-built solution for
large-scale enterprises and organizations:
User identity management
Key management
Multi-factor authentication
Strong authentication device management
Authentication policy management
A user can possess multiple security devices of multiple types including
HMAC-based OTP device(s)
Time-based OTP device(s)
SMS OTP
Email OTP
Smart card(s)
Smart token(s)
X.509 key pair(s)
To assure the identity of a user, Spitfire Identity Manager offers a customizable,
rule-based multi-factor authentication mechanism that fits the security
requirements of any organization.
Spitfire Identity Manager provides local management of user credentials. For most
large organizations that already have an identity manager deployed, a more
manageable option is to integrate their existing identity manager with Spitfire
Identity Manager for user provisioning and password management.
Spitfire Identity Manager supports directory access to major identity servers,
including LDAP and Microsoft Active Directory. Spitfire Identity Manager also
provides the ability to process user ID and passphrase authentication against
relational database user tables, which are commonly found at enterprises running
ERP, CRM or other groupware.
Exercise: Provision Your First Spitfire Identity User
Task 1 – Provision a Pin Only Authentication Policy
Sign on to the Spitfire Identity Manager web management console.
Start ‘Authentication Policies’ under the ‘Identity Management’ menu.
Push ‘Add’ to provision a new authentication policy, in this case a PIN-only profile.
Assign the name pin to the authentication policy and, in the Policy input box, enter PIN.
Press the ‘Submit’ button to commit the changes.
Task 2 – Provision a new Local User
Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to
provision a new user.
Select Type as Local and assign the user ID user01. Enter the rest of the user
information accordingly.
Pick pin as the Authentication Policy for user01.
Task 3 – Provision a new LDAP User
Launch ‘User Repository Profiles’ and provision your test LDAP or Microsoft
Active Directory server.
Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to
provision a new remote user.
Select Type as Remote and use the user lookup tool to pick an existing user in the
previously configured directory server.
Again, assign pin as the Authentication Policy.
Configure Spitfire Identity Manager for Life-cycle Security Device Management
Spitfire Identity Manager provides the capability for enterprises to manage their
various kinds of security devices and enables security officers to assign devices to
individual users easily and effectively.
Spitfire Identity Manager supports management of
HMAC-based OTP devices
Time-based OTP devices
SMS OTP devices
Email OTP devices
Smart cards and tokens
Spitfire Identity Manager is interoperable with any brand of OATH-compliant
HMAC-based or time-based OTP device or software application. Spitfire
Identity Manager provides the ability to register the shared secrets of OTP devices.
For software-based OTP applications, Spitfire Identity Manager also offers
shared secret generation and tools for synchronizing the shared secret to the
application easily.
Users can also leverage their mobile phones or email addresses to strengthen
authentication process by means of SMS-OTP and email-OTP. Spitfire Identity
Manager provides highly customizable delivery profiles for automatic dispatch of
randomly generated OTPs without the need to carry extra hardware devices and
the complex procedure to initialize an OTP token.
A one-time password introduces a second means of assuring the identity of a user,
so that even in the worst case, where the authentication channel is tapped or the
first-factor credentials (e.g. passwords) are known, it effectively blocks hackers and crackers
from impersonating the user. OTP also adds randomness to the authentication
process, making replay attacks impossible.
OTP raises the difficulty of identity theft and thus strengthens authentication.
Technically, the strongest form of data protection is cryptography. Applied to
strong identity, public key infrastructure enables a user to claim his/her identity
by digitally signing a random challenge with his/her private key, followed by
verification of the generated signature with his/her public key. Spitfire Identity
Manager provides key management and industry-standard cryptographic services,
making strong authentication even stronger.
Exercise: Provision Your First OTP Device
Task 1 – Google Authenticator
Google Authenticator is a free software-based OTP application supporting both
the HOTP and TOTP standards.
Download Google Authenticator from the Android Market or the Apple iTunes App Store
and install it on your smart phone or tablet.
Task 2 – Provision Google Authenticator as Your OTP Device
Launch the ‘Devices’ tool under the ‘Identity Management’ menu.
Push ‘Add’ to create a new device totp01.
Select Type as TOTP.
Push the ‘Generate’ button to generate a new Shared Secret. Press ‘Barcode’ to display
a 2-D QR code, which is to be synchronized to Google Authenticator.
Task 3 – Assign Device to User
Locate user01 and assign totp01 to the user.
Create a new authentication policy named pin-totp with Policy PIN && TOTP
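The exercise above provisions an OATH TOTP device whose shared secret is handed to Google Authenticator through a QR code. The following added example, which is not Bloombase code, implements the HOTP and TOTP computation behind such a device, the otpauth URI that Google Authenticator reads from a QR code (an assumption about what the Barcode encodes), and a server-side verifier that accepts each time step only once, so a captured code cannot be replayed. DEMO_SECRET is the RFC 4226/6238 test seed, not a real device secret.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """Text a provisioning QR code carries for Google Authenticator (base32 secret)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
    })
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side TOTP check: small clock-skew window, constant-time comparison,
    and each time step accepted at most once so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.last_accepted_step = -1

    def verify(self, code: str, now=None) -> bool:
        if not code.isdigit():
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo secret: the RFC 4226 / RFC 6238 test seed, not a real device secret.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(otpauth_uri("Spitfire", "user01", DEMO_SECRET))
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, int(time.time()))
    print("first use accepted:", verifier.verify(code))  # True
    print("replay accepted:", verifier.verify(code))     # False
```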
Spitfire Identity API
Bloombase Spitfire Identity Manager exposes its strong authentication and
security services via an application programming interface (API).
The Bloombase Spitfire Identity Manager API includes a set of RESTful methods
to send and receive security data.
REST does not require a specific client API library to be deployed and configured. It
is based on industry-standard HTTP connectivity. Therefore, it guarantees
platform portability and can be supported on virtually all operating
systems and devices.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class SpitfireIdentityClient {
    public static void main(String[] args) throws IOException {
        // Invoke the AuthenticatePassword command. The credentials travel in the
        // query string, so the request must go over HTTPS (port 8451) as shown.
        HttpURLConnection httpConn = (HttpURLConnection) (new URL(
            "https://spitfireim:8451/SpitfireIdentityServlet?Command=AuthenticatePassword"
            + "&UserID=user01&Password=password&Format=txt")).openConnection();
        httpConn.setDoOutput(false); // plain GET, no request body
        httpConn.connect();
        InputStream is = null;
        try {
            is = httpConn.getInputStream();   // body of a 2xx response
        } catch (IOException e) {
            is = httpConn.getErrorStream();   // body of an error response, if any
        }
        if (is == null) {
            throw new IOException("HTTP " + httpConn.getResponseCode() + " with no response body");
        }
        // Print the response (for Format=txt simply "OK") line by line
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        while (true) {
            String line = reader.readLine();
            if (line == null) break;
            System.out.println(line);
        }
        reader.close();
    }
}
Depending on the Format parameter, the service response from the Spitfire Identity API
takes one of the forms below
txt
OK
json
{
"SID":"1E6FEC0D14D044541DD84D2D013D29ED",
"Status":"OK"
}
xml
<?xml version="1.0" encoding="UTF-8"?>
<SpitfireIdentityResponse>
<SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>
<Status>OK</Status>
</SpitfireIdentityResponse>
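An added example, not Bloombase code, of a small client for the API above: it builds the request URL with proper query-string escaping (so a password containing & or = cannot alter the request) and parses each of the three response forms into a (status, SID) pair. The host name spitfireim is the one used on this page; the SID query parameter name for the follow-up IsAuthenticated request is an assumption, and the sample responses are copied from the forms shown above.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "https://spitfireim:8451/SpitfireIdentityServlet"  # host name as used on the page


def build_url(command: str, fmt: str = "json", **params) -> str:
    """URL for one Spitfire Identity API command. urlencode() escapes the values,
    so a password containing '&' or '=' cannot inject extra query parameters."""
    query = {"Command": command, **params, "Format": fmt}
    return BASE_URL + "?" + urllib.parse.urlencode(query)


def parse_response(body: str, fmt: str):
    """Return (status, sid) from a response body in the requested Format.
    The txt form carries only the status, so sid is None for it."""
    if fmt == "txt":
        return body.strip(), None
    if fmt == "json":
        data = json.loads(body)
        return data["Status"], data.get("SID")
    if fmt == "xml":
        root = ET.fromstring(body.encode("utf-8"))
        if root.tag != "SpitfireIdentityResponse":
            raise ValueError("unexpected XML root element: " + root.tag)
        return root.findtext("Status"), root.findtext("SID")
    raise ValueError("unsupported Format: " + fmt)


def authenticate_password(user_id: str, password: str, fmt: str = "json",
                          opener=urllib.request.urlopen):
    """AuthenticatePassword round trip; returns (status, sid). `opener` is
    injectable so the call can be exercised without a live server."""
    url = build_url("AuthenticatePassword", fmt, UserID=user_id, Password=password)
    with opener(url) as resp:
        body = resp.read().decode("utf-8")
    return parse_response(body, fmt)


def is_authenticated_url(sid: str, fmt: str = "json") -> str:
    """Follow-up IsAuthenticated request reusing the SID from AuthenticatePassword.
    The parameter name 'SID' is an assumption; the page only says the SID is reused."""
    return build_url("IsAuthenticated", fmt, SID=sid)


# Constructed sample responses, copied from the three forms shown above.
SAMPLE_RESPONSES = {
    "txt": "OK\n",
    "json": '{"SID":"1E6FEC0D14D044541DD84D2D013D29ED","Status":"OK"}',
    "xml": ('<?xml version="1.0" encoding="UTF-8"?>'
            "<SpitfireIdentityResponse>"
            "<SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>"
            "<Status>OK</Status>"
            "</SpitfireIdentityResponse>"),
}

if __name__ == "__main__":
    print(build_url("AuthenticatePassword", "xml", UserID="user01", Password="123456"))
    for fmt, body in SAMPLE_RESPONSES.items():
        print(fmt, parse_response(body, fmt))
```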
Exercise: User Authentication Using Spitfire Identity API
Task 1 – Pin Authentication
Using a Java program, a shell script, or simply a web browser, attempt to sign on
as user user01.
As an example, the URL for the Spitfire Identity REST API should take the
following form
https://spitfireim:8451/SpitfireIdentityServlet?Command=AuthenticatePassword&UserID=user01&Password=123456&Format=xml
Task 2 – Verify If Fully Authenticated
Use the command IsAuthenticated to verify whether the user has successfully authenticated.
Note that the previous AuthenticatePassword service invocation returned an SID,
which has to be reused to check whether the user's authentication sequence already
satisfies the preconfigured authentication policy.
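Task 2 hinges on the server remembering, per SID, which factors a user has already presented and comparing that set with the user's policy (pin, or pin-totp with Policy PIN && TOTP from the earlier exercise). The following added example, not Bloombase code, models that decision with a small policy evaluator and a session store; support for || and parentheses, and the session time-out, are assumptions that go beyond what the page shows.

```python
import re
import secrets
import time

# Tokens: factor names such as PIN or TOTP, the && operator shown on the page, plus
# || and parentheses (assumed here for illustration, not taken from the page).
_TOKEN_RE = re.compile(r"&&|\|\||[()]|[A-Za-z0-9_-]+")


def evaluate(policy: str, satisfied) -> bool:
    """True when the factors in `satisfied` fulfil the policy expression.
    Precedence: parentheses, then &&, then ||; every operand is checked."""
    tokens = _TOKEN_RE.findall(policy)
    if "".join(tokens) != re.sub(r"\s+", "", policy):
        raise ValueError("bad policy syntax: " + policy)  # something was not a token
    satisfied = {f.upper() for f in satisfied}
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError("malformed policy: " + policy)
        pos += 1
        return tokens[pos - 1]

    def operand():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok in ("&&", "||", ")"):
            raise ValueError("unexpected " + tok + " in policy: " + policy)
        return tok.upper() in satisfied

    def and_expr():
        value = operand()
        while pos < len(tokens) and tokens[pos] == "&&":
            take()
            rhs = operand()
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "||":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in policy: " + policy)
    return result


class SessionStore:
    """Per-SID record of verified factors: the state an IsAuthenticated check consults."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl, self.sessions = ttl_seconds, {}

    def start(self, user_id: str, policy: str, now=None) -> str:
        sid = secrets.token_hex(16)  # 32 hex characters, like the SID shown above
        now = time.time() if now is None else now
        self.sessions[sid] = {"user": user_id, "policy": policy, "factors": set(), "expires": now + self.ttl}
        return sid

    def record_factor(self, sid: str, factor: str, now=None) -> bool:
        session = self._live(sid, now)  # returns False when the SID is unknown or expired
        if session is not None:
            session["factors"].add(factor.upper())
        return session is not None

    def is_authenticated(self, sid: str, now=None) -> bool:  # the IsAuthenticated decision
        session = self._live(sid, now)
        return session is not None and evaluate(session["policy"], session["factors"])

    def _live(self, sid, now):
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None or now > session["expires"]:
            self.sessions.pop(sid, None)  # unknown or expired SID: forget it
            return None
        return session
```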
Copyright © 2011 Bloombase Technologies, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase Technologies in United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein.