RSA Single Sign On (SSO) Chaining example

The following shows the configuration of two (2) servers for Single Sign-On. Other servers, such as reporting, self service and further applications, are also involved in SSO, and the same principles apply to them in order to achieve true SSO. Basically, anything that handles the packets between the user and the end servers needs to be included in the chaining. Let's break it down with the Load Balancer VIP (Virtual IP) included:

Load Balancer terminates SSL/TLS on the VIP and re-encrypts to the back end (it can inspect the traffic or inject information such as headers into it)
  • Load Balancer VIP certificate should be signed by a trusted Certificate Authority (CA); this is what is returned to the user agent.
  • IG/SSO Tomcat certificate could be privately (self-) signed; its public certificate may need to be placed into the Load Balancer resource pool so the Load Balancer can validate the back end.
  • Entire chain from the Load Balancer needs to be in the IG Tomcat keystore
  • Entire chain from the Load Balancer needs to be in the SSO Tomcat keystore
  • Entire chain from the Load Balancer needs to be in the JVM cacerts truststore (the cacerts file under the JRE's lib/security directory)
  • Private (self-signed) certificates need to be replicated between the IG Tomcat nodes, into the SSO keystore and into the cacerts truststore
  • Proxy public certificate goes into all Tomcat keystores and the cacerts truststore
  • LDAP (Active Directory or ID Repository) certificates go into the SSO Tomcat keystore and the cacerts truststore
  • Sticky sessions or connections should be enabled
Load Balancer VIP does SSL/TLS pass-through (it cannot inspect or inject into the TCP traffic; usually a hash-based or source-IP load balancer)
  • Load Balancer VIP does not have a certificate
  • IG/SSO Tomcat certificate should be signed by a trusted Certificate Authority (CA); this is what is returned to the user agent. The certificate CN has to be the public DNS name, and the public DNS name must also be present in the Subject Alternative Name (SAN), since current browsers ignore the CN.
  • Entire chain needs to be in the IG Tomcat keystore
  • Entire chain needs to be in the SSO Tomcat keystore
  • Include the intermediate certificates in the active cacerts truststore
  • Proxy public certificate goes into the IG/SSO Tomcat keystores and the cacerts truststore
  • LDAP (Active Directory or ID Repository) certificates go into the SSO Tomcat keystore and the cacerts truststore
  • All IG/SSO configuration needs to point at the public-facing DNS entry
  • Clustering will not be performed at the Load Balancer level
  • Sticky sessions or connections may or may not be enabled

Identity Governance example

# Generate the IG key pair; the SAN must list every name the server is reached by
keytool -genkeypair -keysize 4096 -keyalg RSA -sigalg SHA384withRSA -alias ig -keypass changeit -keystore tomcat/conf/PKCS12.keystore -validity 1460 -storepass changeit -storetype pkcs12 -ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1
# Create the CSR to send to the CA
keytool -certreq -v -alias ig -sigalg SHA512withRSA -file tomcat/conf/IG.csr -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
# Import the CA chain (root first, then intermediate) and the AD/LDAP root
keytool -import -trustcacerts -alias client_root -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/CLIENT_ROOT.cer -storepass changeit -storetype pkcs12
keytool -import -trustcacerts -alias client_inter -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/CLIENT_INTER.cer -storepass changeit -storetype pkcs12
keytool -import -trustcacerts -alias adroot -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/ADRootCA.cer -storepass changeit -storetype pkcs12
# Trust the public certificates of the peer servers
keytool -import -v -alias ospcert -file tomcat/conf/OSP.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
keytool -import -v -alias reportingcert -file tomcat/conf/Reporting.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
# Install the CA-signed reply under the key pair's own alias (ig); importing it under a different
# alias only creates a trusted-certificate entry and Tomcat would keep serving the self-signed certificate
keytool -import -v -trustcacerts -alias ig -file tomcat/conf/IG.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12

*** Do not forget the Load Balancer certificates (the entire chain the VIP presents) in front of any of the above servers

Simple IG Tomcat Config example

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
secure="true" scheme="https" SSLEnabled="true" clientAuth="false" enableLookups="false" 
SSLProtocol="TLSv1.2"
keyAlias="ig"
keystorePass="changeit"
keystoreFile="tomcat/conf/PKCS12.keystore"
keystoreType="PKCS12" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

Single Site Tomcat Config example - Non-SSO

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
   enableLookups="false"
   scheme="https"
   secure="true"
   server="Example"
   SSLEnabled="true" >
  <UpgradeProtocol
   className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
   honorCipherOrder="true"
   protocols="TLSv1.2"
   insecureRenegotiation="false" >
   <Certificate
    certificateKeyFile="/etc/pki/tls/private/EXAMPLE_com.key"
    certificateFile="/etc/pki/tls/certs/EXAMPLE/EXAMPLE_com.crt"
    certificateChainFile="/etc/pki/tls/EXAMPLE/EXAMPLE_com_CA.pem"
   />
  </SSLHostConfig>
 </Connector>

Single Sign-On Provider (SSO) example

# Generate the SSO key pair; the SAN must list every name the server is reached by
keytool -genkeypair -keysize 4096 -keyalg RSA -sigalg SHA384withRSA -alias sso -keypass changeit -keystore tomcat/conf/PKCS12.keystore -validity 1460 -storepass changeit -storetype pkcs12 -ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1
# Create the CSR for the same alias the key pair was generated under (sso)
keytool -certreq -v -alias sso -sigalg SHA512withRSA -file tomcat/conf/SSO.csr -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
# Import the CA chain (root first, then intermediate) and the AD/LDAP root
keytool -import -trustcacerts -alias client_root -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/CLIENT_ROOT.cer -storepass changeit -storetype pkcs12
keytool -import -trustcacerts -alias client_inter -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/CLIENT_INTER.cer -storepass changeit -storetype pkcs12
keytool -import -trustcacerts -alias adroot -keystore tomcat/conf/PKCS12.keystore -file tomcat/conf/ADRootCA.cer -storepass changeit -storetype pkcs12
# Trust the public certificates of the peer servers
keytool -import -v -alias igcert -file tomcat/conf/IG.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
keytool -import -v -alias reportingcert -file tomcat/conf/Reporting.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12
# Install the CA-signed reply under the key pair's own alias (sso) so the chain is attached to the private key
keytool -import -v -trustcacerts -alias sso -file tomcat/conf/SSO.cer -keystore tomcat/conf/PKCS12.keystore -storepass changeit -storetype pkcs12

*** Do not forget the Load Balancer certificates (the entire chain the VIP presents) in front of any of the above servers

Simple SSO Tomcat Config example

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
enableLookups="false" 
scheme="https"
secure="true"  
server="myserver"
SSLEnabled="true"
SSLProtocol="TLSv1.2"
keyAlias="sso"
keystorePass="changeit"
keystoreFile="tomcat/conf/PKCS12.keystore"
keystoreType="PKCS12" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>