Tuesday, April 2, 2013

SOAP Kerberos Authentication

This post captures the key points of the different authentication mechanisms available for SOAP web services, with the focus on Kerberos.

 

Different Authentication Mechanisms

Basic authentication

 - The credentials are Base64 encoded, not encrypted: anyone who can read the request can recover the username and password, so Basic authentication is not a secure authentication protocol on its own.
 - A secure transport mechanism (HTTPS) is applied in most deployment scenarios to protect the credentials in transit.
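To make the first bullet concrete, here is an added example (not part of the original post) that builds and parses a Basic Authorization header value and flags captured requests that carry such a header over plain HTTP. The request dicts and the example.test host are constructed sample input; the credential string is the example value given in RFC 7617.

```python
import base64
import binascii


def build_basic_header(username, password):
    """Build an RFC 7617 Basic Authorization header value: Base64(user-id ":" password)."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Recover (username, password) from a Basic Authorization header value.

    No key is involved: whoever can read the header can run this, which is why
    Basic credentials need HTTPS (or another protected transport).
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed Base64 in Basic credentials") from exc
    # Only the first ':' separates user-id from password; the password may contain more.
    username, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return username, password


def credentials_readable_by_observer(request):
    """Defender's triage over a captured request (a constructed dict with 'url' and 'headers'):
    True when Basic credentials travel over plain HTTP, i.e. anyone who sees the
    packet can recover them with parse_basic_header()."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    return request["url"].lower().startswith("http://")


if __name__ == "__main__":
    # Constructed sample requests; the credential is the RFC 7617 example value.
    captured = [
        {"url": "http://api.example.test/orders",
         "headers": {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}},
        {"url": "https://api.example.test/orders",
         "headers": {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}},
    ]
    for req in captured:
        user, _ = parse_basic_header(req["headers"]["Authorization"])
        print(req["url"], "user =", user, "exposed on wire =", credentials_readable_by_observer(req))
```

The parser splits on the first colon only, because RFC 7617 allows colons in the password but not in the user-id.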

Form based authentication

 - Has the same lack of security as Basic authentication.
 - User credentials are transmitted as plain text and the target server is not authenticated.
 - HTTPS or security at the network level is applied in deployment scenarios.

Authentication using OASIS WSS (Web Services Security)

 - WSS4J is an implementation of the OASIS Web Services Security (WS-Security) standard.
 - Incorporates the user credentials as part of the SOAP header.
 - WSS4J also implements the X.509 Certificate Token Profile 1.1.
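As an added example (not code from the post or from WSS4J), the following shows what "credentials as part of the SOAP header" looks like with the WS-Security UsernameToken profile's PasswordDigest form, which the post does not name: the client sends Base64(SHA-1(nonce + created + password)) instead of the password, and the server recomputes the digest and rejects stale or replayed tokens. The Ping operation under urn:example, the user table, and the fixed nonce and timestamp in demo() are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce, created, password):
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_envelope(username, password, nonce=None, created=None):
    """Client side: SOAP envelope whose header carries a digest UsernameToken, never the password."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=B64_TYPE).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "{urn:example}Ping")  # hypothetical operation
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, lookup_password, seen_nonces, now, max_skew_seconds=300):
    """Server side: recompute the digest and enforce freshness (Created window) and nonce uniqueness."""
    token = ET.fromstring(xml_text).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return False
    username = token.findtext(f"{{{WSSE}}}Username")
    password_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if password_el is None or password_el.get("Type") != DIGEST_TYPE or not (username and nonce_b64 and created):
        return False
    try:
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False
    if abs((now - created_at).total_seconds()) > max_skew_seconds:
        return False                      # stale token
    if nonce_b64 in seen_nonces:
        return False                      # replayed token
    expected_password = lookup_password(username)
    if expected_password is None:
        return False
    if not hmac.compare_digest(password_digest(nonce, created, expected_password), password_el.text or ""):
        return False
    seen_nonces.add(nonce_b64)            # remember the nonce only after a successful check
    return True


def demo():
    """Constructed exchange: fresh token accepted; replay, wrong password and stale token rejected."""
    users = {"alice": "correct horse"}
    nonce, created = b"0123456789abcdef", "2013-04-02T10:00:00Z"
    envelope = build_envelope("alice", users["alice"], nonce, created)
    now = datetime(2013, 4, 2, 10, 0, 30, tzinfo=timezone.utc)
    seen = set()
    return {
        "fresh": verify_envelope(envelope, users.get, seen, now),
        "replay": verify_envelope(envelope, users.get, seen, now),
        "wrong_password": verify_envelope(envelope, {"alice": "wrong"}.get, set(), now),
        "stale": verify_envelope(envelope, users.get, set(), now.replace(hour=12)),
    }


if __name__ == "__main__":
    print(demo())
```

The digest form still requires the server to hold the clear-text password (or an equivalent) to recompute the digest, and the nonce cache plus Created window are what stop a captured header from being replayed; without them the digest token is no better than Basic authentication.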

Authentication using SSL / X.509

 - HTTPS (HTTP over SSL) is a strong authentication mechanism.
 - Uses symmetric encryption (for the session data) and asymmetric encryption (for key exchange and certificate verification).
 - An X.509 certificate can be provided as part of the SOAP header. The certificate is obtained from a certification authority (CA).

Authentication using SPNEGO (Negotiation Protocol)

SPNEGO

 - Used when a client application wants to authenticate to a remote server but neither end is sure which authentication protocols the other supports.
 - Negotiable sub-mechanisms include NTLM and Kerberos.

NTLM

 - The server generates an NTLM challenge for the client, the client calculates an NTLM response, and the server validates that response.
 - The NTLM challenge-response mechanism only provides client authentication.
 - Because the server is never authenticated, users might provide their credentials to a bogus server.
 - Uses RC4 for encryption. Recent cryptographic methods such as AES or SHA-256 are not supported.

Kerberos

 - Single sign-on scheme developed by MIT and used by Active Directory.
 - Authenticates the user against the Kerberos Key Distribution Centre (KDC).
 - Microsoft adopted Kerberos as the preferred authentication protocol over NTLM.
 - Kerberos builds on symmetric key cryptography.

Kerberos advantages

 - Provides mutual authentication: both the server and the client verify each other's identity.
 - Eliminates the transmission of unencrypted passwords across the network.
 - Protects against eavesdropping and replay attacks.


Kerberos KDC Communication

KDC Communication (Step 4):

 - The KDC validates the user principal.
 - It replies with the Kerberos target principal name, the Kerberos ticket and the ticket lifetime.
 - The response is encrypted with a user key which the KDC derives from the user's password.
 - The Kerberos ticket (TGT) is encrypted with a secret key which only the KDC knows.
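The four bullets above describe the Kerberos AS exchange. The following is an added, deliberately simplified model of it (not the post's code, not a real Kerberos library, and not interoperable with one): the user key is derived from the password with PBKDF2 in place of Kerberos string-to-key, a toy HMAC-SHA256 encrypt-then-MAC stands in for the real encryption types, and pre-authentication is omitted. The realm, principal and password are constructed. It shows why a wrong password cannot read the reply and why the client cannot read its own TGT.

```python
import hashlib
import hmac
import json
import secrets
import time


def string_to_key(password, salt):
    """Long-term user key derived from the password (PBKDF2 here; Kerberos uses string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000, dklen=32)


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Toy encrypt-then-MAC (HMAC-SHA256 keystream + HMAC tag) standing in for a Kerberos enctype."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Inverse of seal(); raises unless the tag verifies under this key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KDC:
    """Authentication Service half of a KDC: holds every principal's key and its own krbtgt key."""

    def __init__(self, realm, principals):
        self.realm = realm
        self.krbtgt_key = secrets.token_bytes(32)             # the secret only the KDC knows
        self.keys = {name: string_to_key(pw, (realm + name).encode()) for name, pw in principals.items()}

    def as_exchange(self, cname, client_nonce, lifetime_seconds=36000):
        if cname not in self.keys:
            raise KeyError("unknown principal")               # validate the user principal
        session_key = secrets.token_bytes(32)
        now = int(time.time())
        ticket = seal(self.krbtgt_key, json.dumps({           # TGT: opaque to the client
            "cname": cname, "crealm": self.realm, "key": session_key.hex(),
            "starttime": now, "endtime": now + lifetime_seconds}).encode())
        enc_part = seal(self.keys[cname], json.dumps({       # readable only with the user's key
            "key": session_key.hex(), "nonce": client_nonce, "sname": "krbtgt/" + self.realm,
            "endtime": now + lifetime_seconds}).encode())
        return {"cname": cname, "ticket": ticket, "enc_part": enc_part}

    def read_ticket(self, ticket):
        return json.loads(open_sealed(self.krbtgt_key, ticket))


def client_login(kdc, username, password):
    """Client side: derive the key from the password, decrypt the reply, keep the TGT unopened."""
    client_nonce = secrets.randbelow(2 ** 32)
    reply = kdc.as_exchange(username, client_nonce)
    user_key = string_to_key(password, (kdc.realm + username).encode())
    enc = json.loads(open_sealed(user_key, reply["enc_part"]))   # fails on a wrong password
    if enc["nonce"] != client_nonce:
        raise ValueError("reply nonce mismatch: not the answer to our request")
    return {"session_key": bytes.fromhex(enc["key"]), "tgt": reply["ticket"], "endtime": enc["endtime"]}


def demo():
    """Constructed run: right password works, wrong password fails, TGT stays opaque to the client."""
    kdc = KDC("EXAMPLE.TEST", {"alice": "correct horse battery"})
    creds = client_login(kdc, "alice", "correct horse battery")
    try:
        client_login(kdc, "alice", "wrong password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    try:
        open_sealed(creds["session_key"], creds["tgt"])
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    ticket = kdc.read_ticket(creds["tgt"])
    return {
        "login_ok": creds["endtime"] > int(time.time()),
        "wrong_password_rejected": wrong_rejected,
        "tgt_opaque_to_client": tgt_opaque,
        "kdc_sees_same_session_key": bytes.fromhex(ticket["key"]) == creds["session_key"],
    }


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire: the KDC proves it knows the user's key by producing a reply the client can only open with the same key, and the client's nonce check ties that reply to this request rather than to a recorded earlier one.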

Spring Security Extension - Kerberos

 - An extension project contributed by Mike Wiener.
 - Integrates well with Spring Security.
 - Supports authentication for web applications, but is not extended to web services.

Online URLs:

http://blog.springsource.org/2009/09/28/spring-security-kerberos/

http://spnego.sourceforge.net/protected_soap_service.html

 

Friday, October 26, 2012

Cracking OCMJEA !!!


"Congratulations! You have passed the Oracle Certified Master, Java EE 5 Enterprise Architect certification. You are among the elite 1% of certified Java professionals who have gone on to achieve the Java Enterprise Architect certification. "

I am very excited to read the above mail from Oracle last week, as this certification is very special to me and involves tackling part 1 to part 3. The part 2 assignment (Gusher Oil) is quite interesting: doing the design, creating UML diagrams, documenting our decision criteria and more.

This blog aims at providing tips to OCMJEA aspirants, focusing more on the step 2 assignment. I hope it will help OCMJEA aspirants. This blog is not specific to the assignment or its solution, due to Oracle's exam policy.


0. Introduction

OCMJEA (Oracle Certified Master, Java Enterprise Architect), formerly known as SCEA (Sun Certified Enterprise Architect), is the highest level of certification in the Java stack. This certification is for enterprise architects responsible for architecting and designing Java EE compliant applications. It provides developers with the knowledge needed to develop robust architectures for enterprise applications using the Java platform.

This certification involves tackling part 1 to part 3, including the part 2 assignment:

Java Enterprise Edition 5 Enterprise Architect Certified Master Exam (Step 1 of 3)
Java Enterprise Edition 5 Enterprise Architect Certified Master Assignment (Step 2 of 3)
Java Enterprise Edition 5 Enterprise Architect Certified Master Essay Exam (Step 3 of 3)

To succeed, OCMJEA candidates must demonstrate a deep understanding of UML, design principles and patterns, plus current Java EE technologies.

Note: Oracle recently introduced a mandatory training course as part of the OCMJEA certification.

1. Exam - Part 1 (Step 1 of 3)

Part 1 is a 120-minute objective exam; the passing score is 57%.

For the syllabus, refer to the Oracle Certification site:

http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=41&p_exam_id=1Z0_864

Lots of books are available in the market. A couple of them are mentioned below:

SCEA Certification Guide from Dream-tech Publishers
SCEA for Java EE 5 - Mark Cade

Taking a mock exam before the actual exam is highly recommended, as the objective of the exam is to test how well we can apply the theory to business scenarios.

Dream-tech provides a mock exam kit which is very helpful for evaluating ourselves.

Below is another blog with sample exam questions.

http://reddymails.blogspot.com/2011/07/scea-part1-questions.html

2. Exam - Part 2 (Step 2 of 3)

The part 2 assignment is quite interesting: doing the design, creating UML diagrams, documenting our decision criteria and more. But most of the time, OCMJEA aspirants are confused about where to start and what all we need to do for the assignment.

Once step 1 is passed, we can download the assignment via the Pearson VUE site. Both the assignment and the essay (step 3) need to be submitted within 6 months of the assignment purchase.

We need to score 72% to pass the step 2 and step 3 examinations, which are evaluated together. The assignment provides system requirements, a business domain model and use cases, and we need to come up with the design addressing the functional and non-functional requirements.

Deliverables include UML diagrams (class diagram, component diagram, deployment diagram, sequence diagram for each use case) and design documentation including the technical risks involved.


2.1 Design Tips:

 - The assignment is slightly vague, and one needs to make a lot of assumptions that might affect your design decisions. You might observe a lot of conflicting views about the solution for the same problem. It's expected.

 - Refresh your UML and design pattern knowledge.

 - Finalise the architecture first before going on to the UML diagrams. This saves a lot of re-work on your UML diagrams. Analyse the different design options for each layer: client tier, business tier and data tier.

 - Creating wire-frames (UI) of the system also helps in terms of top-down design, as one can visualize the views and how the user interaction will be taken care of in the architecture.

 - Document your assumptions in the design document. Ensure each assumption is logical and makes sense in the context of the problem.

 - Explain your architecture in your document. For example: why have you opted for a 3-tier architecture? Whether load balancing, caching etc. is provided, and so on.

 - Document the questions below while doing the design itself; this helps in the part 3 exam as well.

   - How are we going to communicate with external systems?
   - How are we going to handle security?
   - How can we achieve session and transaction management?
   - How do we achieve non-functional requirements like scalability, performance and availability?
   - Decisions on deployment infrastructure?

2.2 UML Deliverables:

 - Once the basic architecture is ready, we can go ahead with the UML diagrams. Below are the points for each UML diagram:

   - Component Diagram (40 points)
   - Class Diagram (40 points)
   - Sequence Diagram (16 points)
   - Deployment Diagram (24 points)
   - Assumptions and Design Decisions (extras)
   - Technical Risks and Mitigation (16 points)

 - UML diagrams can be developed using the Sparx EA tool or Rational Rose.

Class Diagram:

The class diagram takes more time compared to the other diagrams. We need to identify the different classes, their attributes and operations, and define the relationships between the classes. The number of classes can vary from person to person; it is good to keep the number of classes below 50.

Component Diagram:

The component diagram depicts how the different components are wired together to form larger components, and describes the structural relationships between the components.

Deployment Diagram:

The deployment diagram is quite easy compared to the other diagrams. Based on your architecture, present your servers (firewall server, managed server, admin server, database and so on) here.

Sequence Diagram:

Create one sequence diagram for each use case provided in your assignment.





2.3 Design Document:

Below is a sample table of contents for the design document.

It's good to include UI wire-frames, which give the evaluator a good understanding of what's in your mind. Also document the technical risks and the mitigation plan. Once done with the UML diagrams and the design document, it's highly recommended to get them reviewed before submitting them to Oracle.

2.4 Assignment Submission:

Once the design document, UML diagrams and so on are complete, we need to create an index.html with your name and Oracle testing ID, providing links to the UML diagrams and the design document. Build the jar file; it can be uploaded to the Pearson VUE site before the deadline mentioned.


3. Exam - Part 3 (Step 3 of 3)

Part 3 is all about defending your architecture solution. It is a 120-minute essay exam based on the assignment submitted in step 2. The assignment must be submitted before we can register for the essay exam. We will be given 8-10 questions and are required to explain our design decisions and why we have chosen one framework or technology over another. If you have documented all your design decisions, then step 3 will be quite easy.



Good luck to all OCMJEA aspirants !!! 

                     “The act of getting certified will make you a better architect.”
                                                                       (Humphrey Sheil, CTO, SCEA, and SCEA examiner)

            
            Last modified @ 01-Nov-2012 11:30 PM  by Shameer Thaha