Configure Letsencrypt SSL Certificate in Weblogic 12c

Who doesn’t like security? It is one of the critical elements of our IT infrastructure. Recently I was doing a POC and got a requirement to set up a valid SSL certificate in Weblogic. However, since it was just a POC, we did not have a valid SSL certificate issued by a Certificate Authority. Later, I came across a website called https://letsencrypt.org/ . Let’s Encrypt is a free, automated, and open certificate authority (CA). They give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, and it’s free; yes, you heard correctly, it’s FREE!!! You don’t need to pay them at all. So if you need a valid SSL certificate for your POC or even for a Production environment, you can get one from them. Their certificates come with 3 month validity, though, so when using one in a Production environment the user needs to keep renewing it with them through a simple automated process.

In this blog we will learn how to generate a Let’s Encrypt SSL certificate, what the prerequisites for getting the certificate are, and how to set up that certificate in Weblogic server to enable SSL communication.

So, let’s move on. We will do the following in sequence:

  1. Get a registered domain name (this is required while generating the SSL cert)
  2. Install Certbot ACME Tool and Apache HTTP Server
  3. Generate Letsencrypt SSL Certificate
  4. Configure Letsencrypt SSL in Weblogic Identity Store

 


Oracle Cloud Security is Openly Social

Oracle Identity Cloud Service (IDCS) protects Oracle IaaS, PaaS, SaaS and On-Premises applications. Oracle IDCS provides a federated single sign-on experience to its clients. It follows open standards such as SAML 2.0, OAuth 2.0 and OpenID Connect 1.0. In the federation model, Oracle IDCS can act as an Identity Provider (IdP), a Service Provider (SP), or both.

Oracle IDCS has a built-in feature that provides multiple social identity providers such as Google, Facebook, LinkedIn and Twitter. It uses the underlying OAuth 2.0 protocol to interact with the social identity providers. This article presents how to configure IDCS to allow for Social Logins. Let me explain this concept with the sequence diagram below:


Hey Dude, where’s my keys?

I was asked recently to speak at a Developer forum about ways to make life easier for developers to secure their applications in the cloud. The session was great and lots of questions were asked, but perhaps the most surprising question came from a developer who wants to integrate a custom application with Oracle Identity Cloud. This developer needs access to the public keys used by Identity Cloud Service before a user has authenticated to the service. More importantly, the developer needs the keys represented in the JWK format. According to the specification, a JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.

There are very valid reasons why the developer needs access to the public keys without an authenticated session. Public keys let someone verify the signature on something signed with the associated private key or encrypt a message to send to you.

The developer asked: Can I get a JWK from Oracle Identity Cloud Service without an OAuth Access Token?

The answer is simple… YES!!! There are two important APIs available in Oracle Identity Cloud Service


Policy Based Multi Factor Authentication

In my previous article, Securing Applications with Multi Factor Authentication, I discussed how to roll out basic MFA. While this is great if your requirements are very straightforward, there are times when you’ll need a more sophisticated approach. One of the most common examples that I get asked about is how to challenge users for Multi Factor Authentication only when they are connecting remotely from home or when traveling.

In this article I use an example where the business requirement is to enforce MFA for people in the Customer Relations department who are accessing protected applications when they are not on the corporate network. I’ll explain how to configure policies and rules that allow users connected to the corporate network to log in with just their User ID and Password, while users connected remotely will need to use Multi Factor Authentication to access protected applications.


Teaching best practices to Design, Build, Secure and Monitor APIs

In this blog, I want to share my experience after having created many APIs using different approaches and technologies. I am going to encapsulate a simple process that will help you construct APIs, starting from scratch with an idea or requirement and moving it all the way along to a happy consumption.

The best part of APIs is that they are microservices enablers, which implies that they are not technology prescriptive, so in this blog you will see that your APIs can be implemented using any technology or programming language.

I decided to use “Jokes” as the vehicle to explain the API construction best practices, mainly because jokes are a simple concept that anyone can relate to, but also because I want you to feel compelled to consume these APIs and by doing so, get a laugh or two.

My original idea with jokes is to:

  1. Get a random joke.
  2. Translate the joke to any language.
  3. Share the original or the translated joke with a friend via SMS.

This is the high-level view of what our end solution will look like:


Access Management and Micro-services – Part 4: Enabling Other Teams and Inter-Service Authentication

Previously in this series we have examined what is required on the Access Management side in order to support a micro-services architecture, providing services for authentication, user management, assurance, etc. In this post, we expand the scope, looking at how to enable new services to easily implement access and authorisation appropriately, as well as discussing how they can authenticate to each other. Ultimately the creation of a secure system involves security of all parts, not just the access management services which facilitate it, and so this post focuses upon working towards enabling that. Security is also built upon organisational culture, and while it is a little difficult to instil that through a blog post, taking steps to create a technical foundation which allows the Access Management teams to be open and collaborative instead of being the team that says ‘no’ is unlikely to hinder such cultural development.


Access Management and Micro-services – Part 3: Advanced Authorisation and Assurance

Continuing from the previous post, which dealt with the core concepts around performing authentication and authorisation in a distributed environment, this post expands upon those concepts, looking at additional factors for authorisation decisions, including supplementary information, authentication challenges and risk assessment. While basic authentication and authorisation requirements can be met through the use of JWTs and OAuth, this post shifts to tackling bespoke requirements, outlining potential services which could provide capabilities above and beyond what is captured in those standards.
