Using Active Directory as the User Store for WSO2 Identity Server in Read Write Mode

Using an Active directory as a read only user store in WSO2 Identity Server is very much straight forward. It can be treated as a read-only LDAP and can be configured with slight modifications to the read only LDAP user store configurations.

However configuring an AD as a read/write user store need some additional work, because the update operations need to be run in ldaps (ldap + ssl). In this post I will show how to generate a certificate for the AD to be used for SSL connection. The next post will be on the configurations to be done at WSO2 IS to use this AD.

Configure Fingerprint Log in with Ubuntu 16.04

Fingerprint authentication is not out-of-the box supported in Ubuntu. However it can be enabled with fingerprint-gui.


Checking Whether Your Fingerprint Reader is Supported

Not all fingerprint readers are supported for fingerprint gui. To check whether your reader is supported,

• Open Terminal
• Run 'lsusb' command
• Locate the ID of the finger print reader. For example my 'lsusb' output contains the following line,

Bus 003 Device 003: ID 138a:0017 Validity Sensors, Inc. Fingerprint Reader

So the ID of my fingerprint reader is 138a:0017 (as highlighted above)

• Go to https://launchpad.net/~fingerprint and check whether the fingerprint reader is supported by searching for your ID from above step
  

If the ID is there you should be able to use the fingerprint reader as expected.

Installing Fingerprint GUI

In the command line run the following commands

sudo apt-add-repository ppa:fingerprint/fingerprint-gui

sudo apt-get update

sudo apt install libbsapi policykit-1-fingerprint-gui fingerprint-gui

Setting up the Fingerprints

• Run 'fingerprint-gui' in the command line to open fingerprint-gui
• Select the finger print reader driver and click next
• Select a finger and click next to configure the fingerprint of that finger
• You'll be prompted to use that finger on the fingerprint reader for 5 times. Once this is done the fingerprint of that fnger will be registered
• Repeat for all 10 fingers
• Once all fingers are registered go to settings tab and test the fingerprint authentication for "sudo". You sould see 'Authentication successful.' in the text field if the finger is recognized.

That's it. Now you should be able to use the fingerprint authentication when you log in, unlock computer or when you use sudo.

Note: Even though you can log in using fingerprint after setting up, It won't unlock the gnome keyring (which requires the password). Fingerprint GUI has an option to use a external drive with encrypted password which will unlock the keyring. But it is not always practical. So my personal approach is to use the password to log in and then use finger print to unlock the computer and to authenticate for sudo.  

Signing Certificate Signing Request (CSR) using bouncycastle 1.49

Digital Certificates are used to used to prove the ownership of public keys in the Public Key Infrastructure. It usually consist of the details of the Subject (The entity to whom the certificate is issued), the details of the Issuer by whom the certificate is signed (Usually a Certificate Authority (CA), can be the subject itself in case of self signed certificates), the public key, a serial number and optionally some other properties.

To get the public key signed, the subject first create a Certificate Signing Request (CSR), Which contains the public key and the details of the subject such as Distinguished Name (DN), Organization (O), Organization Unit (OU), State (ST), Country(C). The CA then verify these details and sign (or reject) the request.

If you are using Java to sign a certificate, you can use Bouncy Castle to sign the CSRs programmatically. Following code will explain how it can be done with bouncycastle 1.49.
In order to use bouncycastle, you need to add the bcprov and bcpkix jars to the classpath which can be downloaded from [1] and add the bouncycastle provider as,

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

We'll begin by creating a PKCS10CertificationRequest object from the CSR

encodedCsr = "....." //The PEM encoded CSR's text content
PEMParser pemParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(encodedCsr.getBytes())));
PKCS10CertificationRequest request = (PKCS10CertificationRequest) pemParser.readObject();

Then sign the above created PKCS10CertificationRequest as follows,

try {
            int validity = 365; //No of days the certificate should be valid
            String serialNo = ...; // a unique number
            privateKey = ...; // The CA's private key
            caCert = ...; //The CA's certificate as a X509Certificate
            Date issuedDate = new Date();
            Date expiryDate = new Date(System.currentTimeMillis() + validity * MILLIS_PER_DAY); //MILLIS_PER_DAY=86400000l
            JcaPKCS10CertificationRequest jcaRequest = new JcaPKCS10CertificationRequest(request);
            X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(caCert,
                    new BigInteger(serialNo), issuedDate, expiryDate, jcaRequest.getSubject(), jcaRequest.getPublicKey());
            JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
            certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                    extUtils.createAuthorityKeyIdentifier(caCert))
                    .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(jcaRequest
                            .getPublicKey()))
                    .addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
                    .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage
                            .keyEncipherment))
                    .addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
            ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);

            //Add the CRL endpoint
            DistributionPointName crlEp = new DistributionPointName(new GeneralNames(new GeneralName(GeneralName
                    .uniformResourceIdentifier, CA_CRL_ENDPOINT_URL)));
            DistributionPoint disPoint = new DistributionPoint(crlEp, null, null);
            certificateBuilder.addExtension(Extension.cRLDistributionPoints, false,
                    new CRLDistPoint(new DistributionPoint[]{disPoint}));

            //Add the OCSP endpoint
            AccessDescription ocsp = new AccessDescription(AccessDescription.id_ad_ocsp,
                    new GeneralName(GeneralName.uniformResourceIdentifier, CA_OCSP_ENDPOINT_URL)
            );
            ASN1EncodableVector authInfoAccessASN = new ASN1EncodableVector();
            authInfoAccessASN.add(ocsp);
            certificateBuilder.addExtension(Extension.authorityInfoAccess, false, new DERSequence(authInfoAccessASN));
            X509Certificate signedCert = new JcaX509CertificateConverter().setProvider("BC").getCertificate
                    (certificateBuilder.build(signer));
        } catch (Exception e) {
            throw new CaException("Error in signing the certificate", e);
        }

[1] https://www.bouncycastle.org/latest_releases.html

Application Authentication using IWA with WSO2 IS 5.0

WSO2 Identity Server is an open source Identity and Entitlement management server. It supports a wide array of authentication and authorization mechanisms. One of its' new features is the application authentication framework, which is capable of translating between heterogeneous authentication protocols and transforming and mediating any identity assertion.

Integrated Windows Authentication (IWA) is an authentication mechanism introduced by Microsoft to authenticate users in Microsoft Windows NT based operating systems. IWA authentication provides an easier way for users to log in to web applications that use Windows Active Directory as an user store. It is a popular choice of authentication among Windows server users and administrators, since it eliminate the need of remembering extra credentials to the users and, reduces the authentication overhead for the server administrators.

In this post I will explain how to configure WSO2 Identity Server to authenticate users to web applications using Integrated Windows Authentication. I will use the “Travelocity.com” sample application that is available in WSO2 Identity Server samples, for the demonstration.