(ATS6-PLAT05) Security enhancements in AEP 9

In the latest version of the Accelrys Enterprise Platform we have streamlined how permissions are managed and added the capability for packages to define groups and permission sets. In addition, enhancements have been made to File Based Authentication, we have added support for enterprise authentication solutions like Kerberos and SAML and improved the usability of the Administration Portal. This session describes the new features and how to manage them through the Administration Portal.

  1. (ATS6-PLAT05) Security enhancements in AEP 9
     Jon Hurley, Senior Manager, Platform R&D, Jon.Hurley@accelrys.com

  2. The information on the roadmap and future software development efforts is intended to outline general product direction and should not be relied on in making a purchasing decision.

  3. Content
     • Security
       – Authentication
       – Authorization
       – Session Security
     • Administration Portal
       – Home Page
       – Extensible WAF container
       – New and updated Security pages

  4. Authentication vs. Authorization
     • Authentication
       – Determination of identity, i.e. who you are
       – Usually provided by an external service, e.g. Active Directory
     • Authorization
       – Controls access to resources
       – E.g. ability to use the admin portal
       – E.g. access to a particular XMLDB folder

  5. Authentication
     • New Authentication Providers in AEP 9.0

  6. Authentication
     • AEP can use an external authentication service
       – Local or Domain authentication
       – ‘File’ authentication can be enabled independently
       – SSL can be required
     • File authentication active with other methods
       – File is attempted first, then the external service
       – DO NOT create File users with the same name as Domain accounts
     • Anonymous account can be a ‘File’ or a domain account
       – Protocols run with file accounts will not impersonate
     • Administration portal uses standard authentication
       – Platform/Administration/Logon permission required
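The chained login on slide 6, as an added example that is not Accelrys code: ‘File’ authentication is attempted first, then the external domain service, and an audit function lists File users whose names collide with domain accounts, the situation the slide tells you to avoid. The user stores, the passwords, the fixed salt and the rule that a failed File attempt falls through to the domain are this example's assumptions, not AEP's real providers or configuration.

```python
"""Added example (not Accelrys code): a chained login in the order the slide
gives, 'File' authentication first and then the external domain service, with
an audit that lists File users whose names collide with domain accounts.
The user stores, passwords and the fall-through-on-failure rule are this
example's assumptions, not AEP's real providers or configuration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 50_000
SALT = bytes(16)  # constructed fixed salt so the example is deterministic


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed 'File' store and domain directory; not real accounts.
FILE_USERS = {"alice": _hash("file-pw"), "svc_anon": _hash("anon-pw")}
DOMAIN_USERS = {"alice": "domain-pw", "bob": "domain-pw-bob"}


@dataclass
class AuthResult:
    user: str
    provider: str       # "file" or "domain"
    impersonate: bool   # protocols run under File accounts do not impersonate


def file_auth(user: str, password: str) -> Optional[AuthResult]:
    expected = FILE_USERS.get(user)
    if expected is not None and hmac.compare_digest(_hash(password), expected):
        return AuthResult(user, "file", impersonate=False)
    return None


def domain_auth(user: str, password: str) -> Optional[AuthResult]:
    # Stand-in for Local/Domain/Kerberos; a real deployment asks the directory.
    if hmac.compare_digest(DOMAIN_USERS.get(user, ""), password):
        return AuthResult(user, "domain", impersonate=True)
    return None


def authenticate(user: str, password: str, file_enabled: bool = True) -> Optional[AuthResult]:
    """File is attempted first, then the external service (assumed: a failed
    File attempt falls through rather than rejecting the login)."""
    if file_enabled:
        result = file_auth(user, password)
        if result is not None:
            return result
    return domain_auth(user, password)


def colliding_file_users() -> list:
    """Names present in both stores. The slide says never to create these:
    one name would map to two identities with different impersonation
    behaviour depending on which password was presented."""
    return sorted(set(FILE_USERS) & set(DOMAIN_USERS))
```

Running `colliding_file_users()` against a real File store and a directory export is the check to add to an upgrade plan: with the example data it reports `alice`, who can log in as a non-impersonating File account with one password and as an impersonating domain account with another.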
  7. Enhanced support for Kerberos/SPNEGO
     • Kerberos Delegation on Windows
       – Full or Restricted Impersonation
       – Protocols can use their Kerberos token to connect to other Kerberized resources (e.g. UNC files, HTTP services, SQL Server databases)
       – Requires the AEP server configured for Impersonation and the Kerberos realm (e.g. Active Directory) configured to allow Delegation
     • Kerberos Authentication on Linux
       – Kerberos authentication is now supported on Linux
       – Delegation is NOT supported on Linux in AEP 9.0
     • Kerberos requires clients that support SPNEGO
       – Web browsers: IE, Firefox, Chrome
       – Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
       – Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client

  8. What is Kerberos?
     • Kerberos is ticket-based authentication baked into the Operating System
       – Many components (e.g. Web Browsers) are able to transmit Kerberos tickets
     • Provides Single Sign On: if you are already signed on to the browser, the Kerberos ticket can log you in to another system
       – The server requests an ‘authentication negotiation’ with the browser
       – If the browser (and OS account) is appropriately configured, a Kerberos ticket can be transmitted in response
     • Kerberos requires clients that support SPNEGO:
       – Web browsers: IE, Firefox, Chrome
       – Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
       – Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client

  9. AEP Authentication Providers

     Authentication Provider    8.5 Windows   8.5 Linux   9.0 Windows   9.0 Linux
     File                       Y             Y           Y             Y
     Local                      Y             Y           Y             Y
     Domain                     Y             Y           Y             Y
     Kerberos                   Y             –           Y             Y
     Kerberos w/ delegation     –             –           Y             –
     SAML Sender Vouches        –             –           Y             Y

     New for 9.0
     • Kerberos on Linux
     • Kerberos delegation on Windows
     • SAML Sender Vouches
       – SOAP-based
       – Inbound/Outbound
     • File authentication active with other methods
     • Administration portal uses standard authentication

  10. SAML Support
     • SAML is Security Assertion Markup Language
       – Commonly associated with SOAP services
       – SAML allows federation of multiple Identity Providers (IdP)
       – Often used in externalization scenarios to link IdPs across companies
     • SAML Sender Vouches (sender confirmation) in AEP 9
       – Web Services securely calling AEP
       – AEP securely calling SAML-protected Web Services

  11. Inbound/Outbound SAML Support (diagram; only its labels survive)
     • Inbound SAML Sender Vouches and Outbound SAML Sender Vouches
     • Parties shown: AEP 9.0 Server; Service Container, WebLogic Server, Other Server; Browser (IE, FF, Chrome); Other Clients; SDKs (CALPP, NALPP, JALPP)
     • Mechanisms shown: SAML, Kerberos, Form Based, Basic, Username, Custom Cookie
  12. Authorization
     • Changes to permissions, groups
     • Greater support for package specification

  13. AEP 9.0 Security Model
     Goals
     • Implement a scalable model
       – Assignment via APIs
       – Envision thousands of permission assignments
     • Standardize terminology
       – Groups, Users, Permissions
     • Establish extension points
       – Packages can manage their own security
     Changes from 8.5
     • Roles renamed to Permissions
       – A Role was really a permission to do something (e.g. use WebPort)
     • All assignment happens against AEP users/groups
       – OS groups cannot be used directly
     • Packages can define Groups, Permissions, and Assignments

  14. Permissions
     • Permissions should be verbs
       – E.g. Platform/Logon, Platform/Administration/Logon
     • Groups are used to define roles
       – E.g. Platform/Administrators
     • Previously roles could be ‘Allow All’
       – If there was no explicit assignment, all users had the role
     • Now permissions must be explicitly assigned
       – If you haven’t been assigned the permission, you don’t have it
     • NEW: If you do not have Platform/Logon, you cannot log on to any AEP service or application

     8.5 Role Name            9.0 Permission Name
     Admin Portal             Platform/Administration/Logon
     PPClient                 Platform/PipelinePilot/Logon
     PPClient/Administrator   Platform/PipelinePilot/Administer
     Run Protocol             Platform/RunProtocol
     WebPort                  Platform/WebPort/Logon
     (new in 9.0)             Platform/Logon

  15. Default ‘Platform’ Permission Assignments

     Group            Members                Permissions
     Administrators   scitegicadmin (user)   Administration/Logon, Logon, RunProtocol
     DeniedUsers      –                      ~Logon
     PowerUsers       –                      Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
     Users            Everyone               Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
     WebPort/Users    Everyone               WebPort/Logon

     • AEP Built-In Groups:
       – Platform/Everyone: all users automatically belong to this group
       – Platform/Users: all general users of the AEP installation
       – Platform/PowerUsers: general user rights + ability to administer Pipeline Pilot
       – Platform/Administrators: ability to use the Administration Portal and run administration components
       – Platform/WebPort/Users: users that can log into WebPort
       – Platform/DeniedUsers: used to prevent users from logging in to AEP
     All group and permission names above start with Platform/ (e.g. Platform/Administrators, Platform/Everyone, Platform/Administration/Logon, Platform/WebPort/Logon)

  16. Logon Authorization
     • In 8.5 (and earlier) we could specify that a user had to belong to one or more groups in order to log on to the platform
       – If groups were specified, the user had to belong to one of these groups to log in
       – This was ‘authorization’ on the ‘authentication’ page
     • In 9.0, the Platform/Logon permission controls the ability to log on to AEP
       – By default all users (e.g. the group Platform/Users) have this permission
     • By default every authenticated user can log in to AEP
       – Since the Platform/Everyone group is a member of the Platform/Users group
       – And the Platform/Users group has the Platform/Logon permission
     • IMPORTANT: Always assign Platform/Logon to the Platform/Administrators group!

  17. Additional Details
     Packages
     • Each package can define
       – Groups
       – Permissions
       – Assignments (i.e. which groups have which permissions)
     • Permission assignments can be overwritten by the administrator
       – Overrides are remembered when a package is reinstalled
     • Package developers can use/extend the AEP Authorization Model
       – Define their own groups and permissions
       – Within protocols, use the ‘Check User Has Permission’ and ‘Check User Is Group Member’ components to restrict access
     OS Group Usage
     • In 9.0, operating system groups are only used to define Group Membership
       – The groups defined in AEP are called Groups throughout the system (administration portal and components)
       – Group memberships are determined at login (possibly from OS groups) and then stored with the session
       – The administrator can control whether Operating System groups are used in a particular AEP installation
     • The installer will migrate OS group security settings to the AEP 9 security model
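The authorization rules of slides 13 to 17 in one runnable model, added here as an example rather than Accelrys code: groups contain users and other groups, every permission must be explicitly assigned (no ‘Allow All’), a leading `~` denies, memberships and effective permissions are computed once at login and stored with the session, OS groups only feed group membership and can be switched off, and a package can register its own groups, permissions and assignments, with administrator overrides surviving a reinstall. The Platform group and permission names come from the slides; the users other than scitegicadmin, the `MyApp` package, the OS-group mapping, the exact subset of default assignments used and the deny-wins rule are this example's assumptions.

```python
"""Added example (not Accelrys code): a small model of the AEP 9.0
authorization rules. Names under Platform/ follow the slides; users other
than scitegicadmin, the MyApp package, OS_GROUP_MAP and deny-wins are
assumptions of this example."""
from collections import deque

PERMISSIONS = {"Platform/Logon", "Platform/Administration/Logon", "Platform/RunProtocol",
               "Platform/PipelinePilot/Logon", "Platform/PipelinePilot/Administer",
               "Platform/WebPort/Logon"}
# Group -> members (user names or other group names), built-in defaults from the slide.
GROUP_MEMBERS = {
    "Platform/Everyone": set(),                     # every user belongs implicitly
    "Platform/Users": {"Platform/Everyone"},
    "Platform/WebPort/Users": {"Platform/Everyone"},
    "Platform/PowerUsers": set(),
    "Platform/Administrators": {"scitegicadmin"},
    "Platform/DeniedUsers": {"dave"},               # constructed: a blocked user
}
# Group -> assigned permissions; a '~' prefix denies. A subset of the slide's defaults.
ASSIGNMENTS = {
    "Platform/Users": {"Platform/Logon", "Platform/PipelinePilot/Logon", "Platform/RunProtocol"},
    "Platform/WebPort/Users": {"Platform/WebPort/Logon"},
    "Platform/PowerUsers": {"Platform/Logon", "Platform/PipelinePilot/Logon",
                            "Platform/PipelinePilot/Administer", "Platform/RunProtocol"},
    "Platform/Administrators": {"Platform/Administration/Logon", "Platform/Logon",
                                "Platform/RunProtocol"},
    "Platform/DeniedUsers": {"~Platform/Logon"},
}
OS_GROUP_MAP = {"bob": {"Platform/PowerUsers"}}  # constructed: OS group mapped onto an AEP group
ADMIN_OVERRIDES = {}                              # group -> permissions set by the administrator


def resolve_groups(user, use_os_groups=True):
    """Expand nested membership: user in A and A in B means user in B."""
    groups = {"Platform/Everyone"}
    if use_os_groups:
        groups |= OS_GROUP_MAP.get(user, set())
    queue = deque(groups | {user})
    while queue:
        member = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in groups:
                groups.add(group)
                queue.append(group)
    return groups


def login(user, use_os_groups=True):
    """Compute memberships and effective permissions once; the result is the
    session record. Returns None when Platform/Logon is not granted."""
    groups = resolve_groups(user, use_os_groups)
    allowed, denied = set(), set()
    for group in groups:
        for perm in ASSIGNMENTS.get(group, ()):
            (denied if perm.startswith("~") else allowed).add(perm.lstrip("~"))
    effective = allowed - denied          # deny wins (assumption of this model)
    if "Platform/Logon" not in effective:
        return None
    return {"user": user, "groups": frozenset(groups), "permissions": frozenset(effective)}


def check_user_has_permission(session, perm):
    return perm in session["permissions"]   # no assignment means no permission


def check_user_is_group_member(session, group):
    return group in session["groups"]


def override_assignment(group, perms):
    """Administrator overwrites an assignment; the override survives a reinstall."""
    ADMIN_OVERRIDES[group] = set(perms)
    ASSIGNMENTS[group] = set(perms)


def register_package(groups, permissions, assignments):
    """Package-defined groups, permissions and assignments (the extension point)."""
    PERMISSIONS.update(permissions)
    for group, members in groups.items():
        GROUP_MEMBERS.setdefault(group, set()).update(members)
    for group, perms in assignments.items():
        undeclared = {p.lstrip("~") for p in perms} - PERMISSIONS
        if undeclared:
            raise ValueError(f"assignment references undeclared permission(s): {undeclared}")
        ASSIGNMENTS[group] = ADMIN_OVERRIDES.get(group, set(perms))
```

Two behaviours worth noticing when you run it: `login("dave")` returns `None` even though Everyone gives him Platform/Logon via Platform/Users, because the DeniedUsers deny removes it; and a user whose only route to PowerUsers is an OS group loses PipelinePilot/Administer as soon as `use_os_groups=False`, which is the effect of the administrator switching OS groups off for an installation.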
  18. Session Cookie
     • Security Enhancements

  19. Session Cookie Security Enhancements
     • Restrict session cookies to a server
       – Additional encryption key
       – Session cookie can only be used on servers with the same key
       – Set ‘Session Salt’ in Server Configuration to activate
       – Leave empty to retain 8.5 behavior
     • Non-persistent session cookies
       – Delete cookie when browser is closed
       – Set ‘Retain session cookie beyond web browser session’ to No
       – Set to Yes to retain 8.5 behavior
     • Restrict cookie use to secure connection
       – Set ‘secure’ flag on cookies if SSL-only mode
       – Do not set SSL-only to retain 8.5 behavior
  20. Administration
     • What’s new in the Administration Portal

  21. Administration Portal Highlights
     • Home Page
       – Orient the administrator
       – Shortcuts to common and recently used pages
     • Extensible WAF container
       – Applications can add their own administration pages
       – Pages can be protected by permissions

  22. Administration Portal Highlights
     • New and updated Security pages
       – Authentication
       – Groups
       – Permissions
       – SAML
     • Consolidated server information pages (Tomcat, Apache, etc.)
     • Refreshed existing pages for consistency

  23. Demo: Administration Portal
     • New Administration Portal Home Page
     • Sample Security Pages

  24. Summary
     • In this session we reviewed new security and administration features in 9.0
       – Authentication methods
       – Authorization model
       – Session security
     • More detailed information is available
       – Kerberos/SPNEGO
       – SAML
       – Package development and the permissions model
       – ATS6-DEV09: Discussion of the SOAP Connector accessing SAML Sender Vouches protected SOAP Web Services