About two years ago, Red Hat IT finished migrating our customer-facing authentication system to Red Hat Single Sign-On (Red Hat SSO). As a result, we were quite pleased with the performance and flexibility of the new platform. Due to some architectural decisions that were made in order to optimize for uptime using the technologies at our disposal, we were unable to take full advantage of Red Hat SSO’s robust feature set until now. This article describes how we’re now addressing database and session replication between global sites.
Continue reading “Transitioning Red Hat SSO to a highly-available hybrid cloud deployment”
In a software world where each day is more hostile than the previous one, security matters and developers are coping with more and more non-functional requirements about security. The most common ones are the “OWASP Top 10”: the ten security risks that every developer should know. There are many more security risks you should care about, but those ten risks are the ones having the most impact on the security of your software. Among them are authentication and access control.
The good news is that authentication and access control are now commodities in the open source world, thanks to Red Hat Single Sign-On Red Hat Single Sign-On is an access management tool that takes care of the details of most authentication protocols such as SAML, OAuth, and OpenID Connect; user consent with UMA; and even access control. It is easy to use, is very well-documented, and has a very active community: Keycloak.
This article describes how to download and install Red Hat Single Sign-On for no cost.
Continue reading “Red Hat Single Sign-On: Give it a try for no cost!”
When deploying Red Hat Single Sign-On/Keycloak for a test or a proof of concept, most users will choose to use a self-signed certificate as explained in the official documentation.
The setup instructions are straightforward, but this self-signed certificate will trigger certificate error messages in your web browser and can also prevent some clients such as Postman from working properly.
This article explains how to use a public certificate from Let’s Encrypt with Red Hat Single Sign-On.
Continue reading “Using a public certificate with Red Hat Single Sign-On/Keycloak”
The Annobin plugin for GCC stores extra information inside binary files as they are compiled. Examining this information used to be performed by a set of shell scripts, but that has now changed and a new program—annocheck—has been written to do the job. The advantage of the program is that it is faster and more flexible than the scripts, and it does not rely upon other utilities to actually peer inside the binaries.
This article is about the annocheck program: how to use it, how it works, and how to extend it. The program’s main purpose is to examine how a binary was built and to check that it has all of the appropriate security hardening features enabled. But that is not its only use. It also has several other modes that perform different kinds of examination of binary files.
Another feature of annocheck is that it was designed to be easily extensible. It provides a framework for dissecting binary files and a set of utilities to help with this examination. It also knows how to handle archives, RPMs, and directories, presenting the contents of these to each tool as a series of ordinary files. Thus, tools need only worry about the specific tasks they want to carry out.
Continue reading “Annocheck: Examining the contents of binary files”
We often use
ssh-copy-id to copy ssh keys from our local Linux computers to RHEL servers in order to connect without typing in a password. This is not only for convenience; it enables you to script and automate tasks that involve remote machines. Also, using ssh keys correctly is considered a best practice. If you are conditioned to respond with your password every time you are prompted, you might not notice a prompt that isn’t legitimate (for example, spoofed).
What about when you can’t use
ssh-copy-id or the target user ID doesn’t have a password (for example, an Ansible service user)? This article explains how to do it manually and avoid the common pitfall of forgetting to set the proper permissions.
Continue reading “How to manually copy SSH public keys to servers on Red Hat Enterprise Linux”
In an effort to improve security, browsers have become stricter in warning users about sites that aren’t properly secured with SSL/TLS. ASP.NET Core 2.1 has improved support for HTTPS. You can read more about these enhancements in Improvements to using HTTPS. In this blog post, we’ll look at how you can add HTTPS to your ASP.NET Core applications deployed on Red Hat OpenShift.
Before we get down to business, let’s recap some OpenShift vocabulary and HTTPS fundamentals. If you are familiar, you can skip over these sections.
OpenShift, pods, services, routes, and S2I
OpenShift is a Kubernetes-based open-source container application platform. A Kubernetes pod is a set of containers that must be deployed on the same host. In most cases, a pod consists of a single container. When we run the same application in several pods, a service does the load balancing across those pods. A route makes a service accessible externally via a hostname.
Continue reading “Securing .NET Core on OpenShift using HTTPS”
This post describes how to configure OpenID Connect (OIDC) authentication using an external Identity Provider (IdP). With the new release of Red Hat 3scale API Management, version 2.3, it is possible to use any OIDC-compliant IdP during the API authentication phase. This is a very important new feature because it makes it possible to integrate any IdP already present in your environment—without having to use an Identity Broker—thus reducing overall complexity.
Continue reading “Integrating third-party identity providers with Red Hat 3scale API Management”
In this article I cover configuring NGINX for OAuth-based Single Sign-On (SSO) using Keycloak/Red Hat SSO. This allows the use of OpenID Connect (OIDC) for federated identity. This configuration is helpful when NGINX is acting as a reverse-proxy server for a backend application server, for example, Tomcat or JBoss, where the authentication is to be performed by the web server.
In this setup, Keycloak will act as an authorization server in OAuth-based SSO and NGINX will be the relaying party. We will be using lua-resty-openidc, which is a library for NGINX implementing the OpenID Connect relying party (RP) and/or the OAuth 2.0 resource server (RS) functionality.
Continue reading “Configuring NGINX for OAuth/OpenID Connect SSO with Keycloak/Red Hat SSO”
This post is a continuation of the series on Red Hat AMQ 7 security topics for developers and ops people started by Mary Cochran. We will see how to configure LDAP authentication on a Red Hat AMQ 7 broker instance. In order to do so, we will go perform the followings actions:
- Set up a simple LDAP server with a set of users and groups using Apache Directory Studio.
- Connect Red Hat AMQ 7 to LDAP using authentication providers.
- Enable custom LDAP authorization policies in Red Hat AMQ 7.
Continue reading “How to set up LDAP authentication for the Red Hat AMQ 7 message broker console”