Security

Elytron: A New Security Framework in WildFly/JBoss EAP

Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in Wildfly.

The Elytron project covers the following: 

  • SSL/TLS
  • Secure credential storage
  • Authentication
  • Authorization

In this article, we are going to explore using SSL/TLS in WildFly with Elytron.

Continue reading “Elytron: A New Security Framework in WildFly/JBoss EAP”

Share

Integrating Intercede RapID with Red Hat Mobile and OpenShift

At Red Hat Mobile we understand the need for a flexible product that enables our customers to integrate with the tools they need to build their current and future applications. Our position as a leading contributor to the Kubernetes project ensures that the Red Hat OpenShift Container Platform offers this tremendous flexibility to customers and end users.

Red Hat Mobile also supports highly flexible integrations to a range of 3rd party services and products. In this article, we’ll demonstrate how Red Hat Mobile v4 and OpenShift v3 enable customers to rapidly deploy and secure their mobile applications by integrating with a third party product provided by Intercede. We’ll be using Intercede’s RapID product to enable two-way TLS (often referred to as Client Certificate Authentication or CCA) for our mobile application.

Continue reading “Integrating Intercede RapID with Red Hat Mobile and OpenShift”

Share

Non-root Open vSwitch in RHEL

In a few weeks, the Fast Datapath Production channel will update the Open vSwitch version from the 2.7 series to the 2.9 series. This is an important change in more ways than one. A wealth of new features and fixes all related to packet movement will come into play. One that will surely be blamed for all your troubles will be the integration of the `–ovs-user` flag to allow for an unprivileged user to interact with Open vSwitch.

Running as root can solve a lot of pesky problems. Want to write to an arbitrary file? No problem. Want to load kernel modules? Go for it! Want to sniff packets on the wire? Have a packet dump. All of these are great when the person commanding the computer is the rightful owner. But the moment the person in front of the keyboard isn’t the rightful owner, problems occur.

Continue reading “Non-root Open vSwitch in RHEL”

Share

3Scale by Red Hat Integration with ForgeRock using OpenID Connect

In my last article, I wrote about how API Management and Identity Management can work together in a complementary fashion to secure and manage the services/endpoints which applications expose as APIs. In that article I covered how Red Hat 3scale API Management can be used to integrate an identity manager, in addition to providing API management functions such as rate limiting and throttling.

Continue reading 3Scale by Red Hat Integration with ForgeRock using OpenID Connect

Share

3scale by Red Hat API and Identity Management Series

Today’s modern infrastructure faces the complex challenge of managing user’s access to the resources. To protect system and data integrity, companies have implemented identity and access management (IAM) solutions for their in-house systems. IAM solutions address three major concepts: identity, authentication, and authorization.  Their job is to ensure that only authenticated and authorized users have access to resources or information. Every IAM solution on the market provides a great set of features such as:

  • Single Sign-On (SSO)
  • Centralized policy-based authentication and authorization
  • Identity federation

Continue reading “3scale by Red Hat API and Identity Management Series”

Share

Annobin – Storing Extra Information in Binaries

Introduction

Compiled files, often called binaries, are a mainstay of modern computer systems. But it is often hard for system builders and users to find out more than just very basic information about these files. The Annobin project exists as means to answer questions like:

  • How was this binary built?
  • What testing was performed on the binary?
  • What sources were used to make the binary ?

The Annobin project is an implementation of the Watermark specification , which details how to record extra information in a binary. One important feature of this specification is that it includes an address range for the information stored. This makes it possible to record the fact that part of a binary was compiled with one set of options and another part was recorded with a different set of options.

Continue reading “Annobin – Storing Extra Information in Binaries”

Share

Integrate RH-SSO 7.x with Liferay DXP using SAML

The aim of this tutorial is to configure Red Hat Single Sign On (RH-SSO) to work as an Identity Provider (IdP) for Liferay DXP through SAML.

Liferay DXP supports functionalities for Single Sign On (SSO) such as NTLM, OpenID, and Token-based and integration with IdPs like Google and Facebook. But when it comes to enterprise environments, the requirements may be stricter, especially regarding integration with externals IdPs.

Continue reading “Integrate RH-SSO 7.x with Liferay DXP using SAML”

Share

Enabling SAML-based SSO with Remote EJB through Picketlink

Lets suppose that you have a remote Enterprise JavaBeans (EJB) application where the EJB client is a service pack (SP) application in a Security Assertion Markup Language (SAML) architecture. You would like your remote EJB to be authenticated using same assertion which was used for SP.

Before proceeding with this tutorial, you should have a basic understanding of EJB and Picketlink.

Continue reading “Enabling SAML-based SSO with Remote EJB through Picketlink”

Share

Dynamically Creating Java Keystores in OpenShift

Introduction

With a simple annotation to a service, you can dynamically create certificates in OpenShift.

Certificates created this way are in PEM (base64-encoded certificates) format and cannot be directly consumed by Java applications, which need certificates to be stored in Java KeyStores.

In this post, we are going to show a simple approach to enable Java applications to benefit from certificates dynamically created by OpenShift.

Continue reading “Dynamically Creating Java Keystores in OpenShift”

Share

Red Hat Developer Program introduces new topic on secure programming

A Ponemon Institute report showed that 71% of developers believed that security was not adequately addressed during the software development lifecycle. This figure is revealing as it demonstrates that developers view security as a development priority, yet you often feel unequipped to engage.

The relationship between security and developers has traditionally been like two teams competing at a tug-of-war. On one end, as developers, you are pulling to produce functional products as fast as possible. You don’t want to be told what to do and definitely do not want the security teams to get in the way of developing code. On the other end, security is pulling to ensure the product is as secure as possible.

Writing secure code should be at the top of your minds, especially given the number of application security breaches that find their way into the news. A critical first step is learning important secure coding principles and how they can be applied so you can code with security in mind.

The good news is that you have a great resource to help with secure programming! On the Red Hat Developer Program website, you will find numerous tools that can help you code with security in mind, such as:

Continue reading “Red Hat Developer Program introduces new topic on secure programming”

Share