Where do I best start if I want to use authentication with client certificates in Hono? In the User Guide is a short description but a this does not show all required steps in one place.
Make sure that you are able to connect to the respective protocol adapter with TLS
(see the Admin Guide for configuration). Here is an article, that
provides a complete walk-through guide for all required steps.
Additionally you can use and adapt the script for the creation of demo certificates in the Hono repository. More information can be found in the user guide of the protocol adapters (MQTT, HTTP).
Related
I am using RabbitMQ with SSL/TLS in order to allow confidentiality, integrity and authentication. The message sent is encrypted using sender and broker certificates between sender and broker and then encrypted using broker and receiver certificates between broker and receiver.
My configuration file looks like this:
{ssl, [{versions, ['tlsv1.2']}]},
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "...ca_certificate.pem"},
{certfile, "...certificate_signed.pem"},
{keyfile, "...private_key.pem"},
{password, "pass"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{versions, ['tlsv1.2']}]}
]}
However this is not enough because I need that a receiver/consumer to be able to assure the sender/publisher identification, like described in here. At the receiver I only can access certificate information from the broker certificate.
A solution to that would be to use user-id message property, like i found in the documentation.
This property, sent in every message, will make sure that a message will only be published successfully if the user-id property is equal to the username used for that user to login in the RabbitMQ broker. Since I am already using certificates for SSL I will probably use them also to serve as user authentication with the broker as described here
My problem:
I am using RabbitMQ for communication between agents in a simulation platform and agents are created dynamically, so I would need for dynamic user creation at RabbitMQ which seems not to be possible.
Does someone know if I can do dynamic user creation somehow? Or suggest another approach to my authentication problem?
Thanks
The user-id property is not a security feature. It just sets information in the message header so that you can know who produced the message.
If you want authentication and autorization using certificates, you can follow the directives in the article you linked (https://weblogs.asp.net/jeffreyabecker/Using-SSL-client-certificates-for-authentication-with-RabbitMQ), especially in the section "Configuring Client authentication via certificates".
In short, you need to install the rabbitmq-auth-mecanism-ssl plugin (see here https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl/blob/master/README.md) and configure it following the documentation. You also need to create a passwordless internal user in RabbitMQ that has the same CN (common name) as your certificate to be able to give it authorizations.
If you want everything to be automated (as it should be), each time you want to create a new agent, you have to :
Generate a client key/certificate pair using openssl (see : https://superuser.com/questions/226192/avoid-password-prompt-for-keys-and-prompts-for-dn-information). Your key needs to be trusted by the same certificate authority that RabbitMQ trusts (in your SSL setup).
Create a user in RabbitMQ using rabbitmqctl (https://www.rabbitmq.com/management.html)
In my view, this is a very secure setup if you protect the generated keys so that only the agents have access to them.
On this page: https://developers.docusign.com/esign-rest-api/code-examples/webhook-status, the last section is called: There’s more. And there you can read that there are 3 ways to check that DocuSign is making the web hook request:
you can check the SSL/TSL certificate of the webhook caller (DocuSign).
set DocuSign to digitally sign the data
DocuSign publishes the IP address ranges
If we examine all these options we have:
This is false, you can't check the SSL certificate of who is making the request to you. SSL certs are designed to be used by clients connecting to servers to check that there is no man in the middle attack. And only the client can verify the cert of a server, not the other way around.
I can't find on the page any mention how to set the signature, and most importantly, how to check it.
The link provided to the Public IPs: https://trust.docusign.com/en-us/trust-certifications/ip-ranges/, does not work.
My questions are:
Where can I find some documentation about the signature process?
Where is the page with the public IPs?
The best way to do that is to create an HMAC key and use that to confirm that the calls are authentic.
Here is a full article on how to do that - https://developers.docusign.com/esign-rest-api/guides/connect-hmac
Thank you for reporting the out of date documentation. I've filed an internal bug report, DEVDOCS-1565, to have it updated.
As Inbar says in his answer, these days, the best solution is HMAC. You can also combine it with Basic Authentication if you're using DocuSign webhooks at the account level.
HMAC gives you the guarantees that the message did originate from DocuSign and that the message was not altered in transmission.
Don't set up a server on the Internet
The old way of receiving webhook messages was to set up a server that is accessible on the public internet. Due to the costs and Information Security issues creating and maintaining a service on the Internet, these days I suggest that you skip it.
Instead, use a cloud PAAS (AWS, Azure, Google Cloud, etc etc) to receive and queue the messages. Then, from behind your firewall, you can dequeue and process them. (With no changes to your firewall.)
See the Connect- series of code examples.
Mutual TLS for checking the client's certificate
Note that you can check the certificate of a client. This feature of the TLS (ne SSL) protocol is called Mutual TLS and is supported by DocuSign webhooks.
But HMAC is better since it also guarantees message integrity.
I want to build a server using Node.js, which acts as some kind of proxy. The clients that connect to my server use NTLMv2 for authentication (there is no chance to change this), but the upstream server my server shall connect to requires a Kerberos token.
So, my question is pretty simple: How do I, using Node.js, transform the information provided by NTLMv2 into a Kerberos token? On npm, so far I have found modules for NTLMv2 authentication, but I somehow would probably need to talk to Windows to translate NTLMv2 data of a user into a token for this user.
Any hints on this, how to approach this problem?
Absolutely not! NTLM and Kerberos operate completely different. First of all, I would highly recommend get rid off NTLM as fast as you can.
You can solve your problem in an easy fashion if you can access C interfaces. I also assume you MIT Kerberos on a Unix-like OS like CentOS or FreeBSD, etc.
NTLM will provide you the downlevel logon name. You need first to convert the NetBIOS domain to a DNS domain via LDAP (use libopenldap) then you can construct the Kerberos principal or the enterprise principal for your client. Then create a service account in your KDC and enable protocol transition and contrained delegation on that account for the target service. Now request a TGT on behalf of that user principal and request a service ticket for the user, voila you can access your Kerberos backend.
Here is a decent read: https://k5wiki.kerberos.org/wiki/Projects/Services4User
If you run HTTPd as your reverse proxy, it might handle all the magic for your with mod_auth_gssapi.
On Windows, this is a bit of a pain with the security API and SSPI. While the the principal transformation comes for free with Windows. You'll need LsaLogonUser with KERB_S4U_LOGON, impersonate with that handle and then require SSPI to acquire a cred handle...
If your KDC allows constrained delegation, you can setup your intermedaite server to allow impersonation. This way it can established security context with the client in one mechanism (in your case, NTLM), and talk to the backend server on behalf of the client in another mechanism (Kerberos). Google for "constrained delegation" and "protocol transition" for more information. Hope this helps.
I have a .net WEB API publicly exposed and also a Xamarin Forms App which uses the API, the app needs to be extremely secure due to the data it manages.
I will create an HTTP Certificate for the WEB API.
The Xamarin Forms app will have a login/password to validate against a local Active Directory. via a /token endpoint, and using an Authorize attribute on all endpoints to assure that every HTTP call has the bearer token in it, I implemented that using this:
I based my implementation on this one:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Additionally the customer has asked us for Client Certificate Authentication, I dont understand how this totally works.
1. I need to add a certificate to the Xamarin Project, right? How do I Add it? How do I generate it?
2. In the Web API I need to validate each http call has the certificate attached.
I found this but not sure if it will work:
http://www.razibinrais.com/secure-web-api-with-client-certificate/
However when investigating this, I also found something about certificate pinning, which is basically security but the other way around, it means the Xamarin APP will validate if the server certificate is associated with the right server (or something like that), so there is no way of a MAN IN THE MIDDLE Attack.
I found how to implement it here:
https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin
Question is:
1. Do I need both ?
Something else that I should research for on this journey?
Certificate pinning and Client Certificate Authentication are 2 very different things. Certificate pinning makes sure your app is talking to the server it expects to talk to. It also prevents eavesdropping, which is known as a 'Man in the middle' attack. I just recently wrote an article about this on my blog.
Client Certificate Authentication works the other way around. It adds an extra layer of security so your server can be sure only clients that have the certificate can communicate successfully with it. However, since apps can be decompiled without a lot of effort, this client certificate can 'easily' be obtained by a malicious user. So this isn't a silver bullet.
From my experience, Client Certificate Authentication is often used in enterprise apps, when there is an Enterprise Mobility Management solution in place (eg. Mobile Iron or Microsoft Intune or others), where the EMM solution can push the certificates to the users device out of band.
Should you use both? That really depends on the requirements of your customer, since they mitigate 2 very different problems.
The Web API link you included looks like it should do the server job properly at first sight. This article also includes how to generate a client certificate with a Powershell command.
Generating a client side certificate:
Use the Powershell command in the article that you referenced in your question.
Otherwise, this gist might help you on your way.
Installation:
Add the certificate file to each platform specific project as a resource. This is usually done in the form of a .p12 file.
Usage:
That all depends on which HttpClient you are using.
If you use the provided Web API solution, you should add the certificate contents as a X-ARR-ClientCert header with each request.
I want to create a simple backend application in node that can query AAD to get a list of OUs or Groups. My application needs this type of information to create groups of users in our system. I'm having trouble getting started here. I found this example which is in DotNet which does a Daemon server flow. I've found these informative links:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#daemon-or-server-application-to-web-api
Basically I want to be able to make a backend request using certificate based authentication without any user involvement. I'm assuming an adminsitrator will need to allow my application to make this request through some authorization flow. I'm looking for a simple step-by-step guide to get this going along with some sample NodeJS code. Something similar to this example: https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential
Assuming I don't have a windows machine will I need to somehow run Powershell commandsfrom some sort of mono emulator on my Linux servers?
I figured out how to get the basic certificate flow working. It's not well documented, however if you look at the tests/client-credentials.js in the source code for adal-node, you will see some examples.
If you're using Azure App Service web apps, you can follow this guide to integrate AAD with your application: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
To integrate with node.js, see this example for details:
https://github.com/Azure-Samples/active-directory-node-webapi
Once you have that, switch to using cert auth similar to the example you provided. Also you shouldn't need powershell. For more information on how AAD works see: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/