The issue was in the way the CA Identity Manager displays error information after a user account has been locked out, which allowed attackers to brute-force credentials and use them after the account is no longer locked.
The system would display 'Error: Username and password do not match' when an incorrect username/password combination was used, which of course, makes sense. However, when correct credentials are used for a locked account, the user is redirected to /iam/im/pub/cui7/index.jsp?SMAUTHREASON=24&task.tag=passwordServices and the error message is: 'Error: You cannot access your account because you have exceeded the limit of login attempts.
The expected functionality is: * Create IM password policy which specifies that user must be disabled after 3 successive failed login attempts * Create a user (say) user1 with the password ‘test’ * Log on successfully * Log on 3 times with the password ‘testxxxx’ * Log on a 4th time with the password ‘testxxx’. You should get a message that you are now disabled * Log on a 5th time with the correct password ‘test’. You should get a message that you are now disabled
These steps noted previously was to test if the vulnerability existed in your system or not.
This functionality is handled by SSO Password Services, why did CA issue a patch for IDM?
Identity Manager and SSO handles authentication differently. If SSO was not integrated the above vulnerability would happen. IF SSO is integrated with Identity Manager, SSO handles all the authentication and would not be affected.
To make sure if this makes sense:
Login with SSO username and password.-> Authentication approves -> Session is sent to IDM
Login with IDM username and password -> Authentication approves -> session is sent to IDM
Hopefully you can see how the authentication is handled differently. With SSO when authentication fails it would send a message to SSO about the failed login versus when the authentication fails with IDM it would send a message to IDM.
Enable Active Directory and LDAP authentication in IG:
security.disable.ADAuthentication = True
security.disable = false
ldap.server: example: 220.127.116.11
security.credential.expiration.seconds = 60
security.disable.ssl.ADAUthentication = True
PersonID in IG Eurekify configuration: istavapp1402\libdo01
Note: The user prefix should be pre-2000 domain complaint (without the .local suffix).
Login to IG: istavapp1402\libdo01
Note: If the system attribute default.domain is set to istavapp1402, then the prefix for the domain when signing into IG is not mandatory (login is permitted via istavapp1402\libdo01 and with libdo01).
A restart of the IG application might be required to apply all system changes.
To set the branding for Identity Portal 14.1 for Virtual Appliance. Navigate to the Branding tab on the top on the bar as shown in the below image:
Click the Logo and select these attributes:
In the image above are some of the sample values I put in. Adjust these as necessary:
The next is to change the logo on the icon when clicking the left-handed panel.
The above show
1) In the branding tab click the Key on the view section
2) Click Logo
3) Change logo to desired image. This will change the image on the login screen
For changing the logo on the panel on the left follow these steps: 1) Under custom click the "+" icon 2) Add this for the "Add CSS Selector Name" [image-error="../static-html/images/CA_logo@2x.png"] and 3) Add .nav-menu-header The first custom script we have added: [image-error="../static-html/images/CA_logo@2x.png"] .
Follow these steps to add onto Identity Portal attributes 1) Click add attribute and look for other 2) enter in display -. value as "none"
In .nav-menu-header this one is a little tricky.
add background-image attribute, background-position, background-size and background-repeat
The values should be as lsited below: background-image: select desired logo background-position: right background-size: contain background-repeat: no-repeat
Why does this NullPointerException appear when doing a Bulk Load on CA Identity Manager?
org.apache.jasper.JasperException: java.lang.NullPointerException at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:409) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242)
Make sure all the required fields are filled out as this is required to upload users. For example, in the feeder file located here:
Oracle Net Listener Control (lsnrctl) is the command-line utility for managing Oracle Net Listener configuration, including passwords. A password can be configured for the listener to provide security for listener administrative operations, such as starting or stopping the listener, viewing a list of supported services, or saving changes to the Listener Control configuration. However, as mentioned earlier, local administration of the listener is secure by default through the local operating system. Therefore configuring a password is neither required nor recommended for secure local administration.
To set a new encrypted password with the CHANGE_PASSWORD command, issue the following commands from the Listener Control utility:
LSNRCTL> CHANGE_PASSWORD Old password: old_password New password: new_secure_password Reenter new password: new_secure_password Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521))) Password changed for LISTENER The command completed successfully LSNRCTL> SAVE_CONFIG
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521))) Saved LISTENER configuration parameters. Listener Parameter File /oracle/network/admin/listener.ora Old Parameter File /oracle/network/admin/listener.bak The command completed successfully
During my visit to this conference in NYC, I was able to experience some interesting topics on security. I recently made a presentation on May 15, 2017 discussing what I learned. Attached is the PDF of the presentation. Let me know if you have any thoughts or questions.
The CA Identity Suite Virtual Appliance (vApp) lets you install and deploy Identity Management and Governance products and their associated services quickly with minimal effort. The vApp image is provided in an Open Virtualization Architecture format (OVA) that is compatible with modern Virtualization platforms (see the Platform Support Matrix).
The vApp features a flexible and modular design that provides multiple environment types (Demo, Development, Staging and Production) and support for High Availability (H/A). The vApp is based on a Linux O/S, using Wildfly as the application server and Oracle (Express Edition) as an embedded database (applicable for non-production environments only).
The Virtual Appliance product contains the following CA Identity Suite components:
CA Identity Manager 14.0
CA Identity Governance 14.0
CA Identity Portal 14.0
CA Directory 14.0 (User Store)
CA Identity Manager Provisioning Server 14.0
CA Identity Manager Connector Server 14.0
Oracle database 11g Express Edition
Estimated time of install if done in demo mode is ~20 min.
When disabling Share My Work in Identity Governance users work are still being shared. How would I fully disable the work from being shared?
You would need to enable the Share My Work option and then disable each user indvidually before you disable the Share My Work option. This will stop sharing the work between the users and then you can disable Share My Work from configuration set: shareMyWork.enable set to false.
Enter keystore password: secret Re-enter new password: secret What is your first and last name? [Unknown]: foo.acme.com What is the name of your organizational unit? [Unknown]: Foo What is the name of your organization? [Unknown]: acme corp What is the name of your City or Locality? [Unknown]: Duckburg What is the name of your State or Province? [Unknown]: Duckburg What is the two-letter country code for this unit? [Unknown]: WD Is CN=foo.acme.com, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct? [no]: yes
Enter key password for <deva> secret (RETURN if same as keystore password): Re-enter new password: secret
4. Please note that after generating the foo.keystore file, it will be saved in the path you are in at CMD 5. Open this file in a text editor: standalone-full-ca-gm.xml 6.Search for this line: socket-binding name="https" port="8443" and change the port number from 8443 to 443
7. Find this line in the file and put it in a comment (i.e. <!--<value>-->): connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"
8. Add this after the line in comment above: connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" /> <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true"> <ssl name="foo-ssl" password="secret" protocol="TLSv1" key-alias="foo" certificate-key-file="C:\jboss-eap-6.0\standalone\configuration\foo.keystore" /> </connector>
9. Note that you should point certificate-key-file above to the full path of your foo.keystore location
10. Make sure you import your server certificate in the Java keystore (Ex. keytool -import -trustcacerts -alias root -file myCreatedCert.crt -keystore cacerts)
11. Start the server and use URL: https://<server HOSTNAME>/eurekify/portal/loginForm