Should IAM solution manage admin accounts of applications

This post stems from a recent major breach at U.S.-based credit card processor Global PaymentsPersonally I was affected by this breach as well: One of my credit card issuer sent me a new card even though it’s neither expiring soon nor I reported a stolen card. (A good practise however and thumb up to my card issuer).

According to Avivah Litan from Gartner, “the crime was perpetrated … broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.”  If it’s true, apparently an administrative account was comprised by KBA.  IT folks at Global Payments have a big hole to patch and a lot of explanation to make.  Now let’s think a step further: Should IAM solution even manage admin accounts of applications at all?

Obviously IdM would manage identities and Access Management would manage access to applications/systems, the whole things is called IAM (Identity and Access Management). But should IAM also manage the administrative accounts for apps/systems? even including root account for those apps/systems. To be flexibly, usually the IAM passes an identity (user name) and a list of roles to the app and let the app/system decides what privileges in the app/system this identity should have rather than let the IAM dictates the privileges.  If IAM does manage admin accounts for the apps/systems, how should the risks like the KBA compromise being mitigated? There are a few options that we can explore:

  1. not allow regular user to have admin privilege at all
  2. separate the admin function from the regular function in the system and make it not accessible outside the intranet
  3. add multi factor authentication, especially for highly sensitive apps/systems and privileged accounts

Option 1 is easy to implement but less convenient to end users. Option 2 is hard to implement  and varies from app to app, for some app, it maybe impossible to implement. Option 3 is a more sensible approach. Multi factor authentication is picking up steam and is flexible. It’s not only applicable for accounts that has admin privileges, but also applicable for sensitive applications, for example, Finance or HR apps. However, devil is in the details, it is important to have a versatile  Single Sign On solution that support multi factor authentication.

Posted in GENERAL | Leave a comment

It is a great idea to front Tomcat with Apache httpd

There are many benefits to front Tomcat with httpd, chief among them are:

  • Allow Tomcat to stay behind firewall

It mitigates a big security problem for Tomcat based web applications. httpd and Tomcat can be separated to run on different machines. Thus it’s possible to put the sever that hosts httpd in DMZ and leave the server that hosts tomcat behind a more secure firewall, so that it can happily make connections to the heavily guarded database servers or the ultra sensitive enterprise directories, which in turns make the ‘paranoid’ security folks happy. The security folks have every reasons to be paranoid, by the way.

A bit of anecdotal experience. One Java bases system that we built had exactly the same issue as mentioned above. Then mod_proxy_ajp wasn’t available and httpd’s proxy ability wasn’t as good. We had to leave Tomcat in DMZ where the web app can’t access database. To get around the issue, we built another standalone java server and ran it behind the internal firewall. Web app connected to it via RMI. This actually led to another issue. We planed to use Hibernate as our ORM layer. It didn’t work out as you can’t do lazy loading over RMI. Eventually we settled for iBatis. In retrospect, we wouldn’t need to go through this had we been able to front tomcat with httpd. When we do a major upgrade to this system, we will most likely to get rid of RMI and may try hibernate again.

That being said, a lot of our systems’ architecture is using httpd/tomcat combination. It has worked beautifully for us.

  • Use httpd as load balancer

Httpd can be configured to connected to multiple Tomcat instances and load balances the traffic amongst the tomcat cluster. The service can be scaled horizontally easily, with sticky session and session replica support.

  • Off load static content, SSL, compression etc to httpd

With the improvement of JVM and Tomcat itself, Tomcat’s performance as a web server had improved dramatically and is compatible with httpd. But still it is better to let it do what it’s best at: Servlet Container. And leave the other stuff to httpd.

We haven’t seen any performance issues in our production environment. But I recently bumped into the following: “Whatever you do, using Apache HTTPD to proxy your requests should be avoided at all costs, as it will decrease your performance by nearly 50%.” @ And it’s the first question I have asked over @ StackOverflow: Is it a bad idea to use Apache HTTPD to proxy Tomcat? The responses I have got is “No, not at all”, it’s quite the opposite actually and it is recommended to front Tomcat with httpd. I think mulesoft made the statement without supporting facts, which is a quite disappointing thing, as I respect Mulesoft tremendously for its core software: Mule.

Posted in JAVA, OPEN SOURCE | Tagged | Leave a comment

Opt-In,Do Not Opt-In, Opt-Out and Do Not Opt-Out

When moving your organization’s email system to Google Apps, often an Opt-In/Opt-Out feature is desirable, particularly in the academic world, i.e., the Google Apps for Education world.

Here is the Google Opt Out Feature that Lets Users Protect Privacy By Moving To Remote Village:

Barring that, the IT department does need to provide an option to allow end users to Opt-in or Opt-out of Google Apps.

Per Meriam-Webster,

Opt-in means that one choose to do or to be involved in something.
Opt-out means that one choose not do or to be involved in something.

Here is the confusion part: if you are out, you can’t opt-out, but you can stay out, i.e.,
do not opt-in; if you are in, you can’t opt-in, but you can stay in by do not opt-out.

We need to distinguish between what’s the initial state:

  • If you are out to begin with, you can choose to opt-in. Since you are out to begin with, you cannot choose to opt out, as you are out already, but you can choose not to opt-in, i.e., stay as is.
  • If you are in to begin with, you can choose to opt-out. Since you are in to begin with, you cannot choose to opt in, as you are in already, but you can choose not to opt-in, i.e., stay as is.
Posted in GENERAL | Tagged , , , | Leave a comment

Bring a techie along in a sales pitch

Have been busy these days participating in vendor sales pitch and presentations. Some good, some bad, some ugly. Three of those are really bad.

  • This vendor was short listed for a RFP. It came on site to do a presentation, which was the key to decide who gets the deal. Representing the vendor was an account executive, who seems to be confident. Two engineers called in from their headquarter. One was a senior engineer, the other one was pretty new, who has recently joined the vendor. The AE started the presentation, which looked very generic and did not appear to be tailored for us. Five minuets into the presentation, the senior engineer left the conference without any advanced notice. During the Q&A session, the junior engineer was either not able to answer the questions raised at all or answered them inadequately. This turned into a disaster. Of course, you can guess the result: they didn’t get the deal.
  • This next one is from an established security product vendor. The presenter wasted 20 minutes talking about its position on Gartner’s magic quadrant. As if by locating on the upper right corner would guarantee a sale. Unfortunately he was tortured literally with quite a few technical questions. Obviously, as a tenured sales guy, he wasn’t able to answer the questions. And he doesn’t have a sales engineer to back him up either. When you heard too many “That’s a great question’ and ‘I don’t know the answer'”, you kind of wondering what this guy was doing here to waste everyone’s time.
  • The AE for this other vendor actually wasn’t that bad. The big issue was that the engineer bailed on her in the last minute. We told the AE that we will have technical questions and she replied that she would bring a technical colleague along. But she wasn’t able to. That turned out to be a big mistake. As the AE could not answer the technical questions and to add insult to injury, she also gave the wrong answer for another critical question. The product itself lacks a few features, but the demo/presentation itself was the real killer and this vendor was counted as part of “due diligence”

What these three have in common is that all of them did not pay enough attention to technical questions. In addition, no adequate feedback has been seek from the audience. Only half heartedly asking “do you have any questions?” without genuinely wanting to answer questions won’t cut it, period.

Posted in GENERAL | Tagged | Leave a comment

Wading into the Node.js water – Part I

I have been wanting to get into the Node.js game for a while. Finally I made the plunge and installed Node in MacBook. I will summarize my experience in a series of post. The first post is on installation of node. Overall, it was a straightforward process, but with a few twists.

First get the package, you can either download the package:

tar -zxf node-v0.X.XX.tar.gz
cd node-v0.X.XX
sudo make install

or get the whole repository:

 git clone
 cd node
 git checkout v0.X.XX
 ./configure --prefix=/opt/node
 sudo make install

You may also want to add /opt/node/bin to /etc/paths

While I was running configure, it prompted me that no compiler found. It turns out that I need to install the Command Line Tools for XCode.
Go to
Xcode ->
Preferences ->
Downloads ->
Components ->
Command Line Tools
Make sure it’s installed.

And voila… I am able to run my first Node.js “Hello Node” program.

Posted in GENERAL, JAVA SCRIPT, Node.js, OPEN SOURCE | Tagged , , | Leave a comment

User Centric Design

User Centric Design

We have recently rolled a new feature in the our IdM (Identity Management System). Essentially we added a new role. But to activate the new role, the user needs to go through a series of web pages, user agreement acceptance, setting up password and picking challenge phrases. It’s all good. But this is a new role that is added to your existing identity, and you already picked a password and challenge phrases for that identity, why you need to do it all over again? Without trying it ourselves, we do not know how annoying it is. Of course the team immediately sprinted into action and started to work to remove the unnecessary nuisance. We are an agile team, aren’t we?

Posted in GENERAL | Leave a comment

Share Point Protocol Support in Alfresco 3.4 – Continued

In my last post I talked about how we configured the SPP (Share Point Protocol) support in Alfresco 3.4, including how to add SSL (https).

We have since also load balanced the SPP ports. But the journey is not as smooth as expected. I will share what we have learned in the process.

It looks very trivial. If you have a decent load balancer, you can just load balance (SPP) and to and Apache on the dmx servers knows how to direct the traffic to either the AJP port for regular alfresco traffic or to the Jetty port for Share Point Protocol traffic.

Indeed, it did work, but only half way.  Clicking Edit Online option for a MS Word file in Alfresco Share in IE,  MS Word is launched and opened the file prompting to enter user name and password again. It’s understandable, as behind the scene, MS Word builds a WebDAV connection to the embedded Jetty server within the Alfresco DM server. Now I am  happy and edit away. Being cautious, I save the changes that I have just happily made.  The progress bar shows that the changes are saved remotely to the server. Now I  go back to the IE window and refresh the file preview page again, I notice that my hard work does not get saved, even though the time stamp has changed.

So we turned the SPP debug on and also watched the Apache access log and error log files. We separated the log files for and The logs did not show anything unusual.


16:56:25,581 DEBUG [org.alfresco.module.vti.web.VtiFilter] Checking request for VTI
16:56:25,581 DEBUG [org.alfresco.module.vti.web.VtiFilter] Check authentication16:56:25,586 DEBUG [org.alfresco.module.vti.handler] Resolved file info for 'xxxxx/_vti_bin/_vti_aut/author.dll' is null
16:56:25,588 DEBUG [org.alfresco.module.vti.handler] Resolved file info for 'xxxxx/_vti_bin/_vti_aut' is null
16:56:25,590 DEBUG [org.alfresco.module.vti.handler] Resolved file info for 'xxxx/_vti_bin' is null
16:56:25,592 DEBUG [org.alfresco.module.vti.handler] Resolved file info for 'xxxx' is FileInfo[name=xxxx, isFolder=true, nodeRef=workspace://SpacesStore/86c1e943-5ea7-4afc-8bea-b7c44eb81455]
16:56:25,593 DEBUG [org.alfresco.module.vti.handler.alfresco.v3.AlfrescoMethodHandler] WebUrl: /alfresco/xxxxxx, fileUrl: '_vti_bin/_vti_aut/author.dll'

Apache access.log:

 [12/Apr/2011:16:56:16 -0400] "OPTIONS /alfresco/xxxx/documentLibrary/ HTTP/1.1" 401 - "-" "Microsoft Office Protocol Discovery"
[12/Apr/2011:16:56:24 -0400] "OPTIONS /alfresco/xxxx/documentLibrary/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
[12/Apr/2011:16:56:24 -0400] "GET /_vti_inf.html HTTP/1.1" 200 246 "-" "Mozilla/4.0 (compatible; MS FrontPage 14.0)"
[12/Apr/2011:16:56:24 -0400] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 230 "-" "MSFrontPage/14.0"
[12/Apr/2011:16:56:24 -0400] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 193 "-" "MSFrontPage/14.0"
[12/Apr/2011:16:56:25 -0400] "POST /alfresco/xxxxx/_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 - "-" "MSFrontPage/14.0"

It all looks fine, but the file did not get saved, no matter how hard MS Word tried.

Here comes the rescue of tcpdump, by looking deeply into the packets, here is what we found:

HTTP Request:

LOCK /alfresco/alfadmin/documentLibrary/***.doc HTTP/1.1

HTTP Response:

HTTP/1.0 501 Not Supported

We called upon our firewall and networking folks again. But this does not appear to be a firewall issue, as firewall usually does not inspect layer 4 protocol such as http. Our networking group found the following:

HTTP lock method does not always get to the client.

HTTP lock method does not always get to the client.
501 http error sent from switch.

Lock/Unlock http method is not supported in Nortel Application Switch Operating System (formerly known as AlteonOS) 21.0

Lock and unlock http method are not supported on code. The reason why some worked and some did not was because on packet streams where the Switch VIP sees a supported method (GET etc…) the switch will allow the following Lock and Unlock. On the streams where the lock is the first http method seen by the VIP a 501 error is sent back to the client.
An additional feature to support additional HTTP methods has been introduced in 22.0.
You will have to add the lock and unlock methods using the following command after you have your old configuration on the switch.
/cfg/slb/layer7/slb/addmet LOCK
/cfg/slb/layer7/slb/addmet UNLOCK

There we have it, the problem is in the load balancer and as soon as the LOCK and UNLOCK methods were added to the load balancer, it’s working like a charm.

So when load balancing any applications, watch for the fine prints, especially hardware load balancer.

Posted in JAVA, OPEN SOURCE | Tagged , , , , | Leave a comment