Bloombase Spitfire Identity Manager Essentials

Bloombase Enterprise Services

ES-351

Training Guide

Revision 1

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Bloombase Technologies.

Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Bloombase Technologies, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with Bloombase Technologies, and neither the document nor any such information may be released without the written consent of Bloombase Technologies.

© 2011 Bloombase Technologies

Bloombase, Spitfire, StoreSafe and Keyparc are either registered trademarks or trademarks of Bloombase Technologies in the United States, People’s Republic of China, Hong Kong Special Administrative Region and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Document No.: BLBS_ES-351_BloombaseSpitfireIdentityManagerEssentials_R1

Table of Contents

About This Course

Course Map

Topics Not Covered

How Prepared Are You?

Introductions

How to Use Course Materials

Introducing Bloombase Spitfire Identity Manager

Overview

Bloombase Spitfire Identity Manager Installation

Spitfire Identity Manager on SpitfireOS Installation

Spitfire Identity Manager VMware Virtual Appliance Installation

Spitfire Identity Manager for Unix/Linux Installation

Spitfire Identity Manager for Microsoft Windows Installation

Exercise: Install Spitfire Identity Manager

Task 1 – Install Spitfire Identity Manager from ISO disk image

Task 2 – Initialize Spitfire Identity Manager

Bloombase Spitfire Identity Manager Configuration

Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console

Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management

Exercise: Provision Your First Spitfire Identity User

Task 1 – Provision a Pin Only Authentication Policy

Task 2 – Provision a new Local User

Task 2 – Provision a new LDAP User

Configure Spitfire Identity Manager for Life-cycle Security Device Management

Exercise: Provision Your First OTP Device

Task 1 – Google Authenticator

Task 2 – Provision Google Authenticator as Your OTP Device

Task 3 – Assign Device to User

Spitfire Identity API

txt

json

xml

Exercise: User Authentication Using Spitfire Identity API

Task 1 – Pin Authentication

Task 2 – Verify If Fully Authenticated

Copyright 2011 Bloombase Technologies. All Rights Reserved. Bloombase Enterprise Services. Revision 1

About This Course

Upon completion of this course, you should be able to:

Install Bloombase Spitfire Identity Manager physical appliance

Install Bloombase Spitfire Identity Manager virtual appliance

Install Bloombase Spitfire Identity Manager software server

Configure Bloombase Spitfire Identity Manager for enterprise-scale user identity management and security device asset management

Make use of Bloombase Spitfire Identity Manager API for application integration

Course Map

The following course map enables you to see what you have accomplished and where you are going in reference to the course goals.

Introducing Bloombase Spitfire Identity Manager

Installation

Bloombase Spitfire Identity Manager on SpitfireOS

Bloombase Spitfire Identity Manager VMware virtual appliance

Bloombase Spitfire Identity Manager for Unix/Linux

Bloombase Spitfire Identity Manager for Microsoft Windows

Operation

Performing basic administration, configuration, user provisioning and security device provisioning

Developing applications to interface with Bloombase Spitfire Identity Manager API for user authentication and identity management

Topics Not Covered

This course does not cover the topics shown on the overhead. Many of the topics listed on the overhead are described in other courses offered by Bloombase Enterprise Services:

Bloombase Spitfire Server – Described in ES-311: Bloombase Spitfire Server Essentials

Bloombase Spitfire KeyCastle – Described in ES-319: Bloombase Spitfire KeyCastle Essentials

Bloombase Spitfire Ethernet Encryptor – Described in ES-321: Bloombase Spitfire Ethernet Encryptor Essentials

Bloombase Spitfire High Availability Cluster – Described in ES-361: Bloombase Spitfire High Availability Cluster Essentials

How Prepared Are You?

To be sure you are prepared to take this course, can you answer yes to the following questions?

Can you perform basic Unix-like and Windows Operating System (OS) administration tasks, such as using tar commands, creating user accounts, formatting disk drives, using vi, ssh and sftp, installing a Unix-like OS, installing patches, and adding packages?

Do you have prior experience with enterprise grade hardware?

Do you have hands-on experience with enterprise identity management tools such as LDAP and Microsoft Active Directory?

Are you familiar with data protection and security technologies, such as firewalls, network encryption protection, symmetric and asymmetric encryption technologies, and public key infrastructure (PKI)?

Do you have prior experience with HTTP web-based server system technologies?

Do you have prior knowledge of a programming language such as Java or C?

Are you familiar with software application installation on Windows or Linux?

Are you familiar with PKCS#11 smart cards and/or smart tokens?

Introductions

Now that you have been introduced to the course, introduce yourself to each other and the instructor, addressing the items shown in the following bullets.

Name

Company affiliation

Title, function, and job responsibility

Experience related to topics presented in this course

Reasons for enrolling in this course

Expectations for this course

How to Use Course Materials

To enable you to succeed in this course, these course materials use a learning model that is composed of the following components:

Goals – You should be able to accomplish the goals after finishing this course and meeting all of its objectives

Objectives – You should be able to accomplish the objectives after completing a portion of instructional context. Objectives support goals and can support other higher-level objectives

Lecture – The instructor will present information specific to the objective of the modules. This information should help you learn the knowledge and skills necessary to succeed with the activities

Activities – The activities take on various forms, such as an exercise, self-check, discussion, and demonstration. Activities help to facilitate mastery of an objective

Visual aids – The instructor might use several visual aids to convey a concept, such as a process, in a visual form. Visual aids commonly contain graphics, animation, and video

Introducing Bloombase Spitfire Identity Manager

Upon completion of this module, you should be able to

Tell what Bloombase Spitfire Identity Manager does

Tell what problems Bloombase Spitfire Identity Manager solves

Tell what applications Bloombase Spitfire Identity Manager is for

Overview

Bloombase Spitfire Identity Manager is a complete strong authentication solution for enterprise end users. It enables two-factor authentication to protect user identities and core business information.

The recent rise in phishing attacks and identity theft has increased the need to protect online identities. Bloombase Spitfire Identity Manager protects user identities and, when used in connected mode, defends against phishing attacks by detecting fraudulent sites.

Bloombase Spitfire Identity Manager combines

User name and password

Lightweight Directory Access Protocol (LDAP)

Microsoft Active Directory

OATH-based one-time password

SMS-based mobile one-time password

SMTP-based email one-time password

IBM Lotus Notes one-time password

PKI-based smart-card/token

PKI-based soft security vault

authentication methods in a single solution with thin user provisioning capabilities.

Two-factor authentication greatly enhances system security by combining something the user has, such as a personal device, and something the user knows, such as a password. Bloombase Spitfire Identity Manager uses these elements to form a unique combination that someone must have to connect to a system.

Smart cards feature a small embedded chip which operates as a mini-computer that not only securely stores data but also can process information and react to its environment. These features give smart cards the unique ability to provide secure, portable access to personalized services while protecting each user’s privacy and identity.

Bloombase Spitfire Identity Manager provides 3 ways to be integrated with enterprise applications:

AAA RADIUS

Client web portal for web-based authentication workflow integration

Application programming interface (API)

Bloombase Spitfire Identity Manager Installation

Upon completion of this module, you should be able to

Install Bloombase Spitfire Identity Manager on a physical appliance

Install Bloombase Spitfire Identity Manager VMware virtual appliance

Install Bloombase Spitfire Identity Manager as a host application in Unix and Windows environment

Spitfire Identity Manager on SpitfireOS Installation

The Spitfire Identity Manager for SpitfireOS ISO disk image can be deployed on standalone hardware appliances for customers requiring highly customized system resource allocation.

The Spitfire Identity Manager for SpitfireOS ISO disk image

bloombase-spitfire-identity-<version>.iso

can be mounted directly as a virtual disk drive on VMware Server/ESXi, or it can be burned as an installation CD/DVD to be installed directly from the disk drives of a physical appliance or virtual machine container such as VMware ESXi.

Bloombase SpitfireOS will guide you through the rest of the installation process to get SpitfireOS installed and automatically install Spitfire Identity Manager.

Spitfire Identity Manager VMware Virtual Appliance Installation

Spitfire Identity Manager is available as a VMware virtual appliance for installation-free deployment in VMware Server and ESXi environments.

Simply import the Spitfire Identity Manager VMware virtual appliance file

bloombase-spitfire-identity-<version>.ova

into VMware Server or ESXi to create a new virtual appliance that is ready to run in minutes.

Spitfire Identity Manager for Unix/Linux Installation

Spitfire Identity Manager is available as a software-only package, not bundled with SpitfireOS, for deployment as a host application in Unix-like environments.

To start the software installation of Spitfire Identity Manager on the host operating system, launch the installer by invoking the command

./bloombase-spitfire-identity-<version>-<platform>.bin

at the command prompt.

By default, the Spitfire Identity Manager software server is installed at file location

/spitfire-identity

Spitfire Identity Manager for Microsoft Windows Installation

Spitfire Identity Manager for Microsoft Windows is available as a software-only package, not bundled with SpitfireOS, for deployment as a host application in Microsoft Windows environments.

To start the installation process, launch the Spitfire Identity Manager for Windows installer

bloombase-spitfire-identity-<version>-<platform>.exe

The installer will guide you through the rest of the setup process.

By default, Spitfire Identity Manager is installed at

\spitfire-identity

Exercise: Install Spitfire Identity Manager

Task 1 – Install Spitfire Identity Manager from ISO disk image

Create a new Linux-based virtual machine with at least 512MB main memory.

Mount the Spitfire Identity Manager ISO disk image as a virtual disk drive.

Power on the virtual machine and follow the SpitfireOS installer, which guides you through the rest of the installation.

Task 2 – Initialize Spitfire Identity Manager

Sign on to the Spitfire Identity Manager CLI console and configure the network parameters for Spitfire Identity Manager.

Sign on to the Spitfire Identity Manager web-based management console and follow the instructions to initialize Spitfire Identity Manager.

Bloombase Spitfire Identity Manager Configuration

Upon completion of this module, you should be able to

Access the Spitfire Identity Manager web-based management console

Configure Spitfire Identity Manager for life-cycle user identity and authentication policy management

Configure Spitfire Identity Manager for LDAP and Microsoft Active Directory identity management

Configure Spitfire Identity Manager for life-cycle security device management

Configure Spitfire Identity Manager for one time password management

Configure Spitfire Identity Manager for smart card and smart token management

Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console

The Bloombase Spitfire Identity Manager web management console for administrators can be accessed by pointing a web browser to the URL below

https://<spitfireim>:8451

or

https://<spitfireim>:8451/admin

Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management

Spitfire Identity Manager combines

User identity management

Key management

Multi-factor authentication

Strong authentication device management

Authentication policy management

in a purpose-built solution for large scale enterprises and organizations.

A user can possess multiple security devices of multiple types including

HMAC-based OTP device(s)

Time-based OTP device(s)

SMS OTP

Email OTP

Smart card(s)

Smart token(s)

X.509 key pair(s)

To assure the identity of a user, Spitfire Identity Manager offers a customizable, rule-based multi-factor authentication mechanism that fits the security requirements of any organization.

Spitfire Identity Manager provides local management of user credentials. For most large organizations that already have an identity manager deployed, a more manageable option is to integrate their existing identity manager with Spitfire Identity Manager for user provisioning and password management.

Spitfire Identity Manager supports directory access to major identity servers including LDAP and Microsoft Active Directory. Spitfire Identity Manager can also process user ID and passphrase authentication against relational database user tables, which are commonly seen in enterprises running ERP, CRM or other groupware.

Exercise: Provision Your First Spitfire Identity User

Task 1 – Provision a Pin Only Authentication Policy

Sign on to the Spitfire Identity Manager web management console.

Start ‘Authentication Policies’ under the ‘Identity Management’ menu.

Push ‘Add’ to provision a new authentication policy, in this case a pin-only profile.

Assign the name pin to the authentication policy and, in the Policy input box, enter PIN.

Press the ‘Submit’ button to commit the changes.

Task 2 – Provision a new Local User

Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to provision a new user.

Select Type as Local and assign the user ID as user01. Enter the rest of the user information accordingly.

Pick pin as the Authentication Policy for user01.

Task 2 – Provision a new LDAP User

Launch ‘User Repository Profiles’ and provision your testing LDAP or Microsoft Active Directory.

Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to provision a new remote user.

Select Type as Remote and use the user lookup tool to pick an existing user in the previously configured directory server.

Again, assign Authentication Policy as pin.

Configure Spitfire Identity Manager for Life-cycle Security Device Management

Spitfire Identity Manager provides the capability for enterprises to manage their various kinds of security devices and enables security officers to assign devices to individual users easily and effectively.

Spitfire Identity Manager supports management of

HMAC-based OTP devices

Time-based OTP devices

SMS OTP devices

Email OTP devices

Smart cards and tokens

Spitfire Identity Manager is interoperable with any brand of OATH-compliant HMAC-based or time-based OTP devices or software applications. Spitfire Identity Manager provides the ability to register the shared secrets of OTP devices. For software-based OTP applications, Spitfire Identity Manager also offers shared secret generation and tools for synchronizing the shared secret to the applications easily.

Users can also leverage their mobile phones or email addresses to strengthen the authentication process by means of SMS-OTP and email-OTP. Spitfire Identity Manager provides highly customizable delivery profiles for automatic dispatch of randomly generated OTPs, without the need to carry extra hardware devices or go through the complex procedure of initializing an OTP token.

A one-time password introduces a second means of assuring the identity of a user, so that even in the worst case, where the authentication channel is tapped or the first-factor credentials (e.g. passwords) are known, it effectively blocks hackers and crackers from impersonating a user. OTP also adds randomness to the authentication process, making replay attacks impossible.

OTP raises the difficulty of identity theft and thus strengthens authentication. Technically, the strongest type of data protection is cryptography. Applied to strong identity, public key infrastructure enables a user to claim his/her identity by digitally signing random challenges with his/her private key, followed by verification of the generated signature with his/her public key. Spitfire Identity Manager provides management of keys and industry-standard cryptographic services, making strong authentication even stronger.

Exercise: Provision Your First OTP Device

Task 1 – Google Authenticator

Google Authenticator is a free software-based OTP application supporting both the HOTP and TOTP standards.

Download Google Authenticator from Android market or Apple iTunes App Store and install it on your smart phone or tablet.

Task 2 – Provision Google Authenticator as Your OTP Device

Launch ‘Devices’ tool under ‘Identity Management’ menu.

Push ‘Add’ to create a new device totp01.

Select Type as TOTP.

Push ‘Generate’ button to generate a new Shared Secret. Press ‘Barcode’ to display a 2-d QR code which is to be synchronized to Google Authenticator.

Task 3 – Assign Device to User

Locate user01 and assign totp01 to the user.

Create a new authentication policy named pin-totp with Policy PIN && TOTP.
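The OTP provisioning steps in the exercise above, as an added example in Python (not part of the Bloombase guide and not Bloombase code): it generates a shared secret, builds the otpauth:// Key URI that Google Authenticator reads from a QR code, computes HOTP and TOTP values per RFC 4226 and RFC 6238, and verifies a code with a drift window while refusing reuse of an already accepted time step. Assumptions: the 30-second step and 6 digits are Google Authenticator's defaults, the guide does not show what the product encodes in its own barcode, the issuer name is constructed, and `&&` in a policy is read as logical AND.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 4226 test secret, Base32-encoded as OTP apps expect.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(nbytes=20):
    """New random shared secret (160 bits by default), Base32-encoded."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// Key URI, the payload of the QR code Google Authenticator scans."""
    label = quote(issuer) + ":" + quote(account)
    query = urlencode({"secret": secret_b32, "issuer": issuer}, quote_via=quote)
    return f"otpauth://totp/{label}?{query}"


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(now) // step, digits)


class TotpDevice:
    """Server-side record of one TOTP device, such as totp01 in the exercise."""

    def __init__(self, secret_b32, step=30, window=1):
        self.key = base64.b32decode(secret_b32)
        self.step = step
        self.window = window      # time steps of clock drift tolerated either side
        self.last_counter = -1    # highest time step already accepted

    def verify(self, candidate, now=None):
        current = int(time.time() if now is None else now) // self.step
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # this step was already used: refuse the replay
            expected = hotp(self.key, counter)
            if hmac.compare_digest(expected.encode(), str(candidate).encode()):
                self.last_counter = counter
                return True
        return False


def policy_satisfied(policy, passed_factors):
    """Assumed semantics: '&&' means every named factor must have been verified."""
    required = [name.strip() for name in policy.split("&&")]
    return all(required) and all(name in passed_factors for name in required)


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "user01", "ExampleCorp"))  # constructed issuer
    device = TotpDevice(secret)
    code = totp(device.key, time.time())
    print("first use:", device.verify(code))
    print("replay   :", device.verify(code))
    print("PIN only against 'PIN && TOTP':", policy_satisfied("PIN && TOTP", {"PIN"}))
```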

Spitfire Identity API

Bloombase Spitfire Identity Manager exposes its strong authentication and security services via an application programming interface (API).

The Bloombase Spitfire Identity Manager API includes a set of RESTful methods to send and receive security data.

REST does not require a specific client API library to be deployed and configured. It is based on industry-standard HTTP connectivity. Therefore, it guarantees platform portability and can be supported on virtually all operating systems and devices.

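    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;

    public class AuthenticatePasswordExample {
        public static void main(String[] args) throws IOException {
            // Invoke the AuthenticatePassword command and ask for a plain-text (txt) response
            URL url = new URL("https://spitfireim:8451/SpitfireIdentityServlet"
                    + "?Command=AuthenticatePassword&UserID=user01&Password=password&Format=txt");
            HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
            httpConn.setDoOutput(false); // no request body is sent
            httpConn.connect();

            // getInputStream() throws on an HTTP error status; read the error body in that case
            InputStream is;
            try {
                is = httpConn.getInputStream();
            } catch (IOException e) {
                is = httpConn.getErrorStream();
                if (is == null) {
                    throw e; // no response body at all
                }
            }

            // Print the service response line by line
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(is, StandardCharsets.UTF_8))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    System.out.println(line);
                }
            } finally {
                httpConn.disconnect();
            }
        }
    }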

Depending on the Format parameter, the service response from the Spitfire Identity API might take one of the forms below.

txt

    OK

json

    {
      "SID":"1E6FEC0D14D044541DD84D2D013D29ED",
      "Status":"OK"
    }

xml

    <?xml version="1.0" encoding="UTF-8"?>
    <SpitfireIdentityResponse>
      <SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>
      <Status>OK</Status>
    </SpitfireIdentityResponse>

Exercise: User Authentication Using Spitfire Identity API

Task 1 – Pin Authentication

Write a Java program or shell script, or simply use a web browser, to attempt to sign on user user01.

As an example, the URL for the Spitfire Identity REST API should assume the following form

https://spitfireim:8451/SpitfireIdentityServlet?Command=AuthenticatePassword&UserID=user01&Password=123456&Format=xml

Task 2 – Verify If Fully Authenticated

Use the command IsAuthenticated to verify whether the user has successfully authenticated.

Note that the previous AuthenticatePassword service invocation returns an SID, which has to be reused to check whether the user's authentication sequence already satisfies the preconfigured authentication policy.
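Client-side handling for the two tasks above, as an added example in Python (not part of the Bloombase guide and not Bloombase code): it builds request URLs with every value percent-encoded, parses the txt, json and xml response forms so that only an exact Status of OK counts as success, and masks the password and SID before a URL is logged, since this API carries both in the query string. Assumptions: the guide names the IsAuthenticated command but not its parameters, so the `SID` parameter name is a guess, and the helper names are hypothetical.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Endpoint as written in the guide's examples; "spitfireim" is its placeholder host.
BASE_URL = "https://spitfireim:8451/SpitfireIdentityServlet"

# Response bodies copied from the guide's txt / json / xml samples.
SAMPLE_TXT = "OK\n"
SAMPLE_JSON = '{"SID":"1E6FEC0D14D044541DD84D2D013D29ED","Status":"OK"}'
SAMPLE_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
              "<SpitfireIdentityResponse><SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>"
              "<Status>OK</Status></SpitfireIdentityResponse>")


def build_url(command, fmt="xml", **params):
    """Build a request URL; urlencode() percent-encodes every value, so a
    password containing '&', '=' or '#' cannot add or override parameters."""
    return BASE_URL + "?" + urlencode({"Command": command, **params, "Format": fmt})


def query_pairs(url):
    """Decoded (name, value) pairs of the query string, in order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def redact_url(url, secret_params=("Password", "SID")):
    """Copy of the URL that is safe to log: credential values are masked."""
    pairs = [(k, "REDACTED" if k in secret_params else v) for k, v in query_pairs(url)]
    return urlunsplit(urlsplit(url)._replace(query=urlencode(pairs)))


def parse_response(fmt, body):
    """Return (ok, sid) for a response body given as str. Fails closed: only an
    exact Status of "OK" in a well-formed response of the requested format
    counts as success, and the SID is returned only in that case."""
    status = sid = None
    try:
        if fmt == "txt":
            status = body.strip()
        elif fmt == "json":
            doc = json.loads(body)
            if isinstance(doc, dict):
                status, sid = doc.get("Status"), doc.get("SID")
        elif fmt == "xml":
            root = ET.fromstring(body.strip().encode("utf-8"))
            if root.tag == "SpitfireIdentityResponse":
                status, sid = root.findtext("Status"), root.findtext("SID")
    except (ValueError, ET.ParseError):
        pass  # malformed body: treated as a failed authentication
    ok = status == "OK"
    return ok, (sid if ok else None)


def is_authenticated_url(sid, fmt="xml"):
    """URL for the follow-up check. Assumption: the parameter name "SID" is a
    guess from the response field; the guide does not list the parameters."""
    return build_url("IsAuthenticated", fmt=fmt, SID=sid)


if __name__ == "__main__":
    url = build_url("AuthenticatePassword", UserID="user01", Password="123456")
    print("log line :", redact_url(url))
    ok, sid = parse_response("xml", SAMPLE_XML)
    print("password accepted:", ok)
    if ok:
        print("next call:", redact_url(is_authenticated_url(sid)))
```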

Copyright © 2011 Bloombase Technologies, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase Technologies in United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein.