SSL Primer - Day 4 - Self-Signed Certificate

Self-Signed Certificate

Self-signed can be a contentious term.  Many would say a certificate is self-signed because it is not issued by a well-known certificate authority.  Well-known can mean VeriSign, Go Daddy or your company's certificate authority.  Using this definition does us a disservice because it complicates SSL/TLS language by using a practical definition instead of a technical definition. 

Continue reading
3651 Hits
0 Comments

Using Windows Authentication to Achieve Single Sign-On

Back to Single Sign-On again.  Today, we are not talking about Serena Single Sign-On so much, but having the user automatically authenticated using the user credentials logged on to the workstation.  I refer to this as auto-logon using Kerberos or NTLM credentials of the workstation user. 

The browser needs to be capable of auto-logon using the WWW-Authenticate header; it is the browser that makes auto-logon possible.  Chrome has this ability built in, and you can specify sites to do this auto-logon in Firefox.  Neither Firefox nor Chrome use the Security Zones that Internet Explorer uses. 

Recent Comments
David Berner
Is there a way to have the same passthough (kerberos) authentication also for webservices? I found an option on SBM system adminis... Read More
Thursday, 03 December 2015 11:11 AM
David Goodale
Web Services can authentication in 3 ways as defined in the web services API guide. 1. Argument 2. HTTP Basic 3. WS-Security All t... Read More
Thursday, 03 December 2015 5:05 PM
Continue reading
11212 Hits
2 Comments

Logjam! New Security Vulnerability in the News

Logjam!  New Security Vulnerability in the News

Logjam is a new security vulnerability that has been in the news recently.  Logjam affects customers using SSL / TLS with weak cryptographic ciphers available on web servers.  If these weak ciphers are not disabled, a man-in-the-middle attack can be used to downgrade a strong cipher suggested by the browser to a vulnerable cipher.

This vulnerability affects all browsers except Internet Explorer 11.  I have seen reports that Chrome 45 has been released on the developer release channel that also protects against Logjam.  These "fixed" browsers protect against Logjam by denying access to the website if a weak cipher is suggested by the server.  The default set of ciphers used by Tomcat include weak ciphers.

For full details on the vulnerability and the configuration necessary to protect your server, see this paper on Mitigating-LogJam-in-SBM.

Continue reading
4957 Hits
0 Comments

Advanced Security: Smart Card Authentication in SBM Composer

Composer users have always authenticated to the Application Repository by providing username and password credentials on the repository tab of the Composer settings dialog. In SBM 10.1.5.1 we have added the smart card as a new method for authentication in Composer. This won't matter to many of our customers, but those who need it - really - need it because, for them, it is a legal requirement.  As with two-way SSL, we've hidden the interface for this so that the majority of users (who don't use smart cards) won't ever see the corresponding options.

                

U.S. Department of Defense Common Access Card (CAC)

Recent Comments
David Goodale
A great new feature, and excellent post. I learned a lot about the process.
Tuesday, 31 March 2015 11:11 PM
Anthony Pisano
Thanks Tom. Not sure our timeline for implementation but seeing these screenshots and a quick blurb about the feature makes me fee... Read More
Thursday, 02 April 2015 3:03 PM
Tom Clement
Thank you Anthony. Feel free to contact me if I can help in any way.
Thursday, 02 April 2015 5:05 PM
Continue reading
6932 Hits
5 Comments

Advanced Security: Two-Way Authentication in SBM Composer

Composer has long supported secure communication with the Application Repository with the Use secure connection option on the Repository tab of the SBM Composer Options dialog. When you use this setting, you can be sure the server you are connecting to is the server you expect it to be, and all subsequent communications between Composer and the server are encrypted to ensure privacy.

Continue reading
6413 Hits
0 Comments

Recent Tweets