#EIC2010: The Anywhere Architecture is Any-Depth too

In a recent keynote (Six Sigma For the Secure Cloud – Equip the Enterprise for Success) at the European Identity Conference, Gerry Gebel introduced the concept of the Anywhere Archictecture: Data, applications and users can be anywhere… Does your architecture allow it? “Anywhere Architecture” is required. The whole world is your market place and you need the flexibility that you could deploy [services] anywhere. The Anywhere Architecture is about deploying services and connecting to users and data wherever they might be and enabling these interactions securely. Of course, in such a distributed environment, security needs to be rethought from the ground up. This goes through federated identity, trust establishment, externalized security, and flexible authorization to name but a few items. […]

Securing web apps – Extend your gateways with fine-grained access control

Increasingly enterprises need to / want to expose their applications to the outside – be it the public internet with consumers or a virtual network of distributed enterprise sites accessing corporate resources. Either way, to securely expose web applications, it is common practice to offer access via a DMZ which is protected by a firewall on the one hand (which handles network-level security) and an XML application gateway (which handles XML security, message transformation, routing, endpoint virtualization…) The application gateway also has 2 security-critical missions: (a) authenticate the requestor and (b) authorize the request. The former is easily achieved by integrating with the authentication solution (e.g. an LDAP) and picking up the credentials from the request (username/password, certificates…). The latter […]

Export PKCS12 files to PEM format using OpenSSL

Not all applications use the same certificate format. Sometimes, it is necessary to convert between the different key / certificates formats that exist. Some interesting resources online to figure that out are: (a) OpenSSL’s homepage and guide (b) Keytool’s user reference In our scenario here we have a PKCS12 file which is a private/public key pair widely used, at least on Windows platforms. We want to convert to another format, namely PEM. OpenSSL does that very nicely: openssl pkcs12 -in alice.p12 -passin pass:password -out alice.pem You will need to have openssl installed. It works on either Windows or Linux. The -in option specifies what file to read the keys / certificates from. This is our PKCS12 file. -passin lets the […]

Securing web services with Metro – com.sun.xml.wss.impl.XWSSecurityRuntimeException: PrivateKey returned by PrivateKeyCallback was Null

Typical exception: PrivateKey returned by PrivateKeyCallback was Null SEVERE: WSS1417: Error while processing signature java.lang.RuntimeException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: PrivateKey returned by PrivateKeyCallback was Null 09-Apr-2010 10:27:09 com.sun.xml.wss.jaxws.impl.SecurityTubeBase secureOutboundMessage SEVERE: WSSTUBE0024: Error in Securing Outbound Message. com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: java.lang.RuntimeException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: PrivateKey returned by PrivateKeyCallback was Null at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:241) at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93) at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268) at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186) at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147) at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:346) at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:236) at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:167) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439) at com.sun.xml.ws.client.Stub.process(Stub.java:222) at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118) at $Proxy48.instanceAccessQuery3(Unknown Source) at eu.webfarmr.servlet.ws.WSConnection.evaluate(WSConnection.java:156) at eu.webfarmr.servlet.ServletEnforcer.enforce(ServletEnforcer.java:150) at eu.webfarmr.servlet.AuthFilter.doFilter(AuthFilter.java:133) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:619) Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.RuntimeException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: PrivateKey returned by […]