Friday, May 17, 2013

Securing OpenAM

There are guides describing how to secure OpenAM. Read Security Best Practices when deploying OpenAM and Securing OpenAM.

Both guides talk about URIs Restriction:

  • Restrict access to URIs that you do not use, and prevent internal endpoints such as /sessionservice from being reachable over the Internet. 
  • Restrict access to URIs not used by your use-cases: internal endpoints SHOULD NOT be reachable from the Internet (/sessionservice and accompanies).

What exactly does "such as /sessionservice" cover? What exactly are "/sessionservice and accompanies"?

Don't you find it frustrating to read a hardening guide like this? Which endpoints, exactly, are to be restricted?

Luckily, there is this Security Advisory from ForgeRock.

Vulnerable endpoints:
/openam/authservice
/openam/loggingservice
/openam/namingservice
/openam/policyservice
/openam/profileservice
/openam/sessionservice

How do we restrict these endpoints when an Apache HTTPD server is deployed as a reverse proxy in front of the OpenAM server?




The configuration above only allows access to those endpoints from a fixed range of internal IP addresses.

If we want to harden further by also blocking the legacy REST API (served under /openam/identity/...), we can add "identity" to the LocationMatch pattern alongside the service endpoints.
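As an added example (not from the original post and not ForgeRock's own configuration), here is a complete Apache httpd 2.4 reverse-proxy fragment that puts both steps together: it proxies /openam to the backend and restricts the six advisory endpoints, plus the legacy REST API under /openam/identity, to an internal address range. The backend address 10.0.1.20:8080, the internal range 10.0.0.0/8 and the hostname sso.example.com are assumptions for illustration only.

```apacheconf
# Added example, not from the original post or from ForgeRock.
# Assumptions: OpenAM is deployed at http://10.0.1.20:8080/openam (hypothetical),
# the administrative network is 10.0.0.0/8, and mod_proxy, mod_proxy_http and
# mod_authz_core are loaded. Syntax is Apache httpd 2.4 (see the 2.2 note below).

<VirtualHost *:443>
    ServerName sso.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sso.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/sso.example.com.key

    ProxyPreserveHost On
    ProxyPass        /openam http://10.0.1.20:8080/openam
    ProxyPassReverse /openam http://10.0.1.20:8080/openam

    # Internal-only endpoints from the ForgeRock advisory, plus "identity" for the
    # legacy REST API. <LocationMatch> is evaluated against the request path before
    # the request is handed to mod_proxy, so the backend never sees a blocked request.
    # The pattern is anchored at the start but deliberately NOT at the end, so that
    # sub-paths such as /openam/identity/authenticate and path parameters such as
    # /openam/sessionservice;jsessionid=... are still caught.
    <LocationMatch "^/openam/(authservice|loggingservice|namingservice|policyservice|profileservice|sessionservice|identity)">
        Require ip 10.0.0.0/8
    </LocationMatch>

    # Equivalent on Apache httpd 2.2 (mod_authz_host) instead of "Require ip":
    #     Order deny,allow
    #     Deny from all
    #     Allow from 10.0.0.0/8
</VirtualHost>
```

Two caveats when adopting this. First, `<Location>` and `<LocationMatch>` sections are merged in configuration order and later sections win, so keep this block after any other section that grants access to /openam, otherwise a later `Require all granted` will quietly reopen the endpoints. Second, `Require ip` checks the TCP peer address: if another load balancer sits in front of Apache, every client appears to come from the balancer, and you must either restrict at that balancer or configure mod_remoteip to trust its X-Forwarded-For header before this check means anything. After reloading, a request to https://sso.example.com/openam/sessionservice from outside the range should return 403 while /openam/UI/Login still works; dropping "identity" from the alternation restores the REST API for external clients that legitimately need it.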


Nice.
