Apache Tomcat. Implementation Guide. (Version 5.7) Copyright 2013 Deepnet Security Limited

Transcription

1 Implementation Guide (Version 5.7) Copyright 2013 Deepnet Security Limited Copyright 2013, Deepnet Security. All Rights Reserved. Page 1

2 Trademarks Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners. Copyrights Under the international copyright law, neither the Deepnet Security software or documentation may be copied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of Deepnet Security. Licence Conditions Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage. In particular, for which projects, on which platforms and at which sites, you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security. Disclaimer This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time. Contact If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us. Deepnet Security Limited Comer Business Innovation Centres North London Business Park Oakleigh Road South London N11 1GN United Kingdom Tel: +44(0) Fax: +44(0) Web: support@deepnetsecurity.com Copyright 2013, Deepnet Security. All Rights Reserved. Page 2

3 Table of Contents 1. Overview Prerequisites Configuration DualShield Configuration Logon Procedure Application Service Provider Tomcat Configuration Install DualShield Tomcat Valve Create Keystore Create Context.xml Edit Web.xml Authentication Copyright 2013, Deepnet Security. All Rights Reserved. Page 3

4 1. Overview is an open source web server and servlet container developed by the Apache Software Foundation (ASF). Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run in. This document describes how to implement two-factor authentication in Tomcat using the DualShield Tomcat Valve and the DualShield SSO service provided by the DualShield Unified Authentication Platform. 2. Prerequisites You must have the DualShield Authentication Platform 5.7+ installed and operating. For the installation, configuration and administration of DualShield Authentication Platform please refer to the following documents: DualShield Authentication Platform Installation Guide DualShield Authentication Platform Quick Start Guide DualShield Authentication Platform Administration Guide You should also have your Tomcat 7.0 server installed and operating. For the purpose of this document, we make the following assumptions: 1. The domain name of your Tomcat server is acme.org and the name of your web application is sample. The port that your web application operates on is In other words, the URL of your web site is: 2. The domain name of your DualShield server is dualshield.deepnetsecurity.local Copyright 2013, Deepnet Security. All Rights Reserved. Page 4

5 3. Configuration 3.1 DualShield Configuration In the DualShield authentication server we need to create an application for your web application. An application in DualShield needs a realm which links to a user directory that contains users who will be granted access to the application, it also needs a logon procedure which defines how users will be authenticated when they attempt to logon to the application. For the instruction of how to create realm, domain and identity source, please refer to the DualShield Platform Administration Guide Logon Procedure Firstly, create a Web SSO logon procedure: Then, modify its logon steps and add two logon steps, e.g. one-time password and static password: Application The next step is to create an application in DualShield for the Web application in your Tomcat, and publish the application on the DualShield SSO server. Copyright 2013, Deepnet Security. All Rights Reserved. Page 5

6 Use the Self-Test function to verify that the application is ready Service Provider We need to also create a SSO Service Provider for your Tomcat web application. Select SSO Service Providers and click Create button on the toolbar. The Type of the Service Provider must be set to SAML 2.0. Effectively, your Tomcat will become a SAML Service Provider (SP). Therefore, you need to provide the Metadata for your Tomcat SP. Below is a template of a SP metadata. Copy it to a text editor, and replace the text in red colour accordingly with the domain name of your Tomcat web server and the domain name of your DualShield server. <?xml version="1.0" encoding="utf-8" standalone="yes"?> <EntityDescriptor xmlns="urn:oasis:names:tc:saml:2.0:metadata" xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" xmlns:ds=" entityid=" <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol"> <SingleLogoutService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" /> <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Copyright 2013, Deepnet Security. All Rights Reserved. Page 6

7 Location=" /> <AttributeConsumingService index="0" isdefault="true"> <ServiceName xml:lang="en">undefined Attribute Service</ServiceName> <RequestedAttribute Name="password" NameFormat="urn:string" FriendlyName="Password" isrequired="false" /> </AttributeConsumingService> </SPSSODescriptor> </EntityDescriptor> The, copy the modified version to the Service Provider creation window in DualShield: Now, click the Edit button next to the Attributes label. Then, press Create button: Copyright 2013, Deepnet Security. All Rights Reserved. Page 7

8 You must add an attribute in the HTTP BODY named roles and give it a fixed value. For the purpose of this document, we name the role as ROLE_USER, as shown above. This role will be used in your Tomcat server for the access restriction to the webpages that required two-factor authentication, as explained in section below. Finally, enable the option: Sign on SAML assertion. 3.2 Tomcat Configuration Install DualShield Tomcat Valve To install the DualShield Tomcat Valve, simply download and unzip DualShield Tomcat Valve.zip to the Lib folder in your Tomcat server: Create Keystore Below is the file structure of the sample application. Your Tomcat web application would have a similar file structure. In the WEB-INF folder, if there is no such a file named keystore.jks, then you need to create keystore. You can use the JAVA Keytool to generate a keystore and a key pair: Copyright 2013, Deepnet Security. All Rights Reserved. Page 8

9 keytool -genkey -alias acme -keyalg RSA -keystore keystore.jks -keysize 2048 Replace acme with your own host or domain name. The alias is used to identify the key pair entry in the keystore, and is used in the next section Create Context.xml In the META-INF folder, if there is no such file called context.xml, then use a text editor to create it with the context below: <Context> <Valve classname="org.apache.catalina.authenticator.samlauthenticator" keystore="/web-inf/keystore.jks" keystorepassword="password" key="acme" keypassword="password" idp="/web-inf/idp.xml"> </Valve> </Context> Replace the text in red colour accordingly. The value of the key should be the alias that you provided to the keytool in the last section Edit Web.xml In the WEB-INF folder, open the web.xml file in a text editor and add the following content: <security-constraint> <web-resource-collection> <web-resource-name>protected</web-resource-name> <url-pattern>/hello.jsp</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>role_user</role-name> </security-role> In which, /hello.jsp is the web page that we want to protect with two-factor authentication. ROLE_USER is defined in the Service Provider settings in section above. We have finished all settings and configuration. Finally, restart your Tomcat server. Copyright 2013, Deepnet Security. All Rights Reserved. Page 9

10 4. Authentication Now, your Tomcat server is enabled with two-factor authentication, and the access to the web page /sample/hello.jsp requires two-factor authentication. To make a quick test, visit the /sample application in a web browser by URL: Clicking the link page protected by 2FA, you ll be redirected to the DualShield SSO server to be authenticated with TFA: Copyright 2013, Deepnet Security. All Rights Reserved. Page 10

11 Once you have been successfully authenticated, you ll be redirected back to your web application and granted access to the protected page, /sample/hello.jsp Copyright 2013, Deepnet Security. All Rights Reserved. Page 11