When customers decide to externalize their authorization and to go for a standards-based solution, namely a XACML-based solution, they need to be extremely careful how the vendor implements XACML. It is not just about implementing XACML’s request-response protocol. It is not just about authoring policies natively in XACML. It is also about implementing in an elegant, efficient, and modular way the XACML architecture. The latter contains several key components as listed hereafter: 1. Firstly, the Policy Decision Point (PDP): this is where policies are evaluated and a decision is reached. 2. Secondly, the Policy Enforcement Point: this is where the request is created sent to the PDP and the response received and handled. The PEP can be application-specific. 3. Thirdly […]

In a recent keynote (Six Sigma For the Secure Cloud – Equip the Enterprise for Success) at the European Identity Conference, Gerry Gebel introduced the concept of the Anywhere Archictecture: Data, applications and users can be anywhere… Does your architecture allow it? “Anywhere Architecture” is required. The whole world is your market place and you need the flexibility that you could deploy [services] anywhere. The Anywhere Architecture is about deploying services and connecting to users and data wherever they might be and enabling these interactions securely. Of course, in such a distributed environment, security needs to be rethought from the ground up. This goes through federated identity, trust establishment, externalized security, and flexible authorization to name but a few items. […]

Increasingly enterprises need to / want to expose their applications to the outside – be it the public internet with consumers or a virtual network of distributed enterprise sites accessing corporate resources. Either way, to securely expose web applications, it is common practice to offer access via a DMZ which is protected by a firewall on the one hand (which handles network-level security) and an XML application gateway (which handles XML security, message transformation, routing, endpoint virtualization…) The application gateway also has 2 security-critical missions: (a) authenticate the requestor and (b) authorize the request. The former is easily achieved by integrating with the authentication solution (e.g. an LDAP) and picking up the credentials from the request (username/password, certificates…). The latter […]

Not all applications use the same certificate format. Sometimes, it is necessary to convert between the different key / certificates formats that exist. Some interesting resources online to figure that out are: (a) OpenSSL’s homepage and guide (b) Keytool’s user reference In our scenario here we have a PKCS12 file which is a private/public key pair widely used, at least on Windows platforms. We want to convert to another format, namely PEM. OpenSSL does that very nicely: openssl pkcs12 -in alice.p12 -passin pass:password -out alice.pem You will need to have openssl installed. It works on either Windows or Linux. The -in option specifies what file to read the keys / certificates from. This is our PKCS12 file. -passin lets the […]