Creating a ToolBox for the Modern Software Factory


If you’ve recently visited ca.com then you’re probably aware of CA Technologies' focus on the evolving needs of the enterprise as it builds the “Modern Software Factory”. At CA World 2016, CEO Michael Gregoire used his keynote to discuss companies that are built to change. Otto Berkes' keynote described what a Modern Software Factory is and why enterprises need to streamline innovation so that ideas can turn into new customer experiences quickly and efficiently.

He identified 5 key principles of a Modern Software Factory:

  1. Agility
  2. Experience
  3. Automation
  4. Security
  5. Insight

    It was a fresh perspective on the challenges our customers face and how to meet them. I recently found myself reflecting on how CoreBlox, a CA Focus Partner, is already aligned with the vision for the Modern Software Factory. Many IAM industry people know of our architecture and services delivery capabilities, but we are also a software company. Our CoreBlox Token Service allows CA Single Sign-On to securely exchange tokens with PingFederate, an increasingly common need within large organizations that have security solutions from multiple vendors. Our ToolBox for CA Single Sign-On automates and streamlines common CA SSO administrative tasks while increasing overall security and easing regulatory compliance. Developing, refining and supporting these products has given us a taste of what it's like to run our own Modern Software Factory. But how do they contribute to our clients' own ability to adapt to an ever changing market?

    Here is a breakdown of how ToolBox for CA Single Sign-On embodies the essence of the Modern Software Factory:

    • ToolBox allows you to be Agile in your daily security management practices. It enables you to easily promote SSO policies across environments and seamlessly onboard new applications.
    • ToolBox helps to drive ever evolving user Experiences. Companies that are releasing new applications and on boarding new users daily need to be able to control access by defining new policies and updating existing ones. ToolBox centralizes the management of these policies across environments so that the user experience is consistent and predictable.
    • ToolBox is the Automation engine for CA Single Sign-On. Its intuitive user interface makes most of your common administrative tasks as simple as pushing a button. ToolBox's template-based approach makes it easy to re-use configurations that have already been created. 
    • ToolBox was designed to bring Security to your CA Single Sign-On operations. With ToolBox, you'll be able to delegate administrative functions and precisely control user access across environments. Simplified policy testing allows you to eliminate errors that cause unintended vulnerabilities. With all of your environment changes audited, compliance requirements are easy to fulfill.
    • ToolBox delivers Insights into how your security policies are being configured and the subtle differences between your environments that could impact user experiences. Its optimization functions highlight subtle configuration tweaks that can improve performance and allow CA Single Sign-On to grow and change along with your business.

    CoreBlox is committed to building products and solutions for the Modern Software Factory while incorporating its key principles into our own day to day experiences as a software company. We're excited to be aligned with CA Technologies on this quest! 

    Unofficial CA Single Sign-On Guide, Chapter 2: The Installation Debugger

    (This is the second chapter in our new series, the Unofficial CA Single Sign-On Guide. You can find Chapter 1 here.)

    I’m sure you’ve seen it! Whether it was on one of those tacky motivation posters or during a 3 a.m. Tony Robbins infomercial… the concept of "trust". It is usually demonstrated by somebody blindly falling backwards and trusting their partner or team to catch them. It looks convincing when you see it on television, but if you are like me you start wondering how many takes it took to make it look that easy. I believe it is part of human nature to want to ‘Trust’ but in the end we usually go with ‘Trust, but verify!’. That verification piece is especially important when it comes to your SSO solution!

    If you have installed a CA security product in the past, you have no doubt seen one of the following conclusion messages: ‘Installation Successful’, ‘Installation Successful but with errors’ or ‘Installation Failed’.  Unfortunately, these messages are not always accurate. I have seen successful completions that were…. well…not successful. Other times it was successful with errors, but when you review the installation log there is little to no information in it.   So, what is one to do?

    This brings us to the installation debugger. It is not in the manual, and often when I am on-site with a client they have no idea this function even exists but Yes, Virginia: there is a debugger!

    Below are the methods for starting the debugger during Windows and Linux installations of CA Single Sign-On:

    Windows

    Running the debugger in Windows is very simple. Once you start the installer just hold down the [Ctrl] button during the initialization screen (see below) until you see a DOS box pop up in the background.  Once the DOS box has opened you can release the [Ctrl] button and continue with your install.   One important thing to note for Windows is that the DOS window will close once you have exited the installer so before you hit that final button to exit, be sure to select all the content of the DOS window and copy and paste to a text editor so that it can be saved for reference.   

    Initialization Screen - Hold down the [Ctrl] button until you see the screen below then release the control button.

    You know the debugger has started once you see this DOS window pop-up in the background.

    Linux

    Unlike on Windows, running the debugger on Linux automatically writes its output to a log file.

    Before running the installation script, enter the following command (note that this command could vary slightly depending on the shell in use):

    export LAX_DEBUG=true

    Then start the installer script as you normally would.

    Running the debugger during the installation will not ‘fix’ a potential problem, but it may provide some specific information (or errors if you are lucky) to assist you with finding the source of the problem so that you can resolve it.


    Extend CA Single Sign-On with Axiomatics!

    Two decades in the Identity & Access Management space has exposed us to our fair share of “where did we go wrong?” scenarios - organizations that thought they were following best practices and ended up creating problems for themselves over time.  One especially problematic area has to do with role management and traditional RBAC (role-based access control). Often, organizations start off with the best intentions and establish just a few roles:

    • Admin
    • Employee
    • Customer
    • Partner

    The roles become more granular over time:

    Admin          Employee             Customer                       Partner
    SuperAdmin     Employee - HR        Customer - Platinum Support    Partner - Support
    RegularAdmin   Employee - IT        Customer - Gold Support        Partner - Implementation
    LightAdmin     Employee - Sales     Customer - Trial               Partner - Temp
    AdminTemp      Employee - Support   Customer - Temp                Partner - Marketing

    Before you know it, that “handful” of roles you started with has expanded into a tangled web, creating an administrative burden and taxing the systems whose rules rely upon them. CoreBlox has seen environments that have over 15,000 roles! In the IAM industry this is generally referred to as the dreaded “role proliferation” (cue Darth Vader theme).

    Fortunately, there is a great alternative to RBAC. Our partner, Axiomatics, has pioneered the concept of Attribute-Based Access Control, also known as “ABAC”. The thought process behind ABAC is easy to understand: why create new data attributes to manage (e.g. Roles) when you can let the user data speak for itself?

    Organizations that already use CA Single Sign-On for web access control have a distinct advantage when it comes to implementing an ABAC approach. The Axiomatics Extension for CA Single Sign-On allows policy decisions to be made by Axiomatics’ ABAC-based engine. A simple yes/no response is returned to CA SSO based upon the user’s attributes. It just works, no coding necessary!
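As an added illustration (not Axiomatics' or CA's code) of why attributes scale where roles do not, here is the role grid from this post written two ways: once as role names that must be minted for every combination, and once as rules over attributes the user store already holds, returning the same yes/no answer that the extension hands back to CA SSO. The resource paths and attribute names are assumptions.

```python
import math

# Role-based: the post's role grid. Every department / tier / function needs
# its own role name, and each protected resource lists the role names it accepts.
RBAC_RESOURCE_ROLES = {
    "/hr/payroll":       {"Employee - HR", "SuperAdmin"},
    "/support/priority": {"Customer - Platinum Support", "Partner - Support"},
}

def rbac_permit(user_roles, resource):
    """Permit if the user holds any role the resource accepts."""
    return bool(set(user_roles) & RBAC_RESOURCE_ROLES.get(resource, set()))

def rbac_roles_needed(dimensions):
    """Roles required to distinguish every combination of attribute values
    (e.g. {"type": [...], "segment": [...]}): the product of the sizes."""
    return math.prod(len(values) for values in dimensions.values())

# Attribute-based: rules over attributes the directory already holds
# (assumed attribute names), so a new department or tier adds no new role.
ABAC_RULES = {
    "/hr/payroll": lambda u: (
        u.get("type") == "employee" and u.get("department") == "HR"
    ) or u.get("admin_level") == "super",
    "/support/priority": lambda u: (
        u.get("type") == "customer" and u.get("support_tier") == "platinum"
    ) or (u.get("type") == "partner" and u.get("function") == "support"),
}

def abac_permit(attributes, resource):
    """Yes/no decision from the user's attributes; unknown resources are denied."""
    rule = ABAC_RULES.get(resource)
    return bool(rule and rule(attributes))

def abac_attributes_needed(dimensions):
    """Attribute values to manage for the same combinations: the sum of the sizes."""
    return sum(len(values) for values in dimensions.values())

if __name__ == "__main__":
    # Constructed sample: three population types across four departments/tiers.
    dims = {"type": ["employee", "customer", "partner"],
            "segment": ["HR", "IT", "Sales", "Support"]}
    print("roles to manage under RBAC:", rbac_roles_needed(dims))        # 12
    print("attribute values under ABAC:", abac_attributes_needed(dims))  # 7
    hr_user = {"type": "employee", "department": "HR"}
    print("/hr/payroll for an HR employee:", abac_permit(hr_user, "/hr/payroll"))  # True
```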

    Are you interested in exploring the benefits of ABAC for your organization? Download this new white paper: Making a Business Case for Attribute Based Access Control

    Unofficial CA Single Sign-On Guide, Chapter 1: Ports!

    One of the most common questions that comes up during CA Single Sign-On Professional Services engagements is: “What ports do I need to open for CA Single Sign-On?”. This is generally followed by: “What does each port do?”. These are great questions and we wanted to consolidate the answers in one place. And so, without further ado, CoreBlox proudly presents the first chapter in our Unofficial CA Single Sign-On Guide: Ports!

    When CA Single Sign-On is configured correctly, it just works and it works well! Sometimes getting through that initial configuration can be a bit like playing a game of Tetris, especially in an organization that relies on firewalls to control access to specific ports.

    Below is a list of the default ports that are commonly associated with CA Single Sign-On implementations. By no means is this definitive, as configurations will vary between organizations based upon requirements and standards. However, this is a good starting point when working with security and network teams during the installation and configuration of CA Single Sign-On.

    Port # | Use                            | Open Between                      | Comment
    44441  | Web Agent Accounting Port      | Web Agent / Policy Server         | Accounting Port
    44442  | Web Agent Authentication Port  | Web Agent / Policy Server         | * Required - Performs Authentication Requests to Policy Server
    44443  | Web Agent Authorization Port   | Web Agent / Policy Server         | * Required - Performs Authorization Requests to Policy Server
    44444  | Web Agent Administration Port  | Policy Server                     | Not used by the Web Agent; used by Policy Server for AdminUI
    8080   | AdminUI HTTP                   | Browser / AdminUI Service         | Used for non-secure connection to the WAMUI console
    8443   | AdminUI HTTPS                  | Browser / AdminUI Service         | Used for secure connection to the WAMUI console
    8180   | JBoss Service Ports            | Browser / JBoss                   | Not used in normal operation
    389    | LDAP                           | Policy Server / User-Policy Store | Used for non-secure connection to an LDAP Server
    636    | LDAP (Secure)                  | Policy Server / User-Policy Store | Used for secure connection to an LDAP Server
    1433   | SQL                            | Policy Server / User-Policy Store | Used for communication with a SQL data source
    44449  | OneView Agent                  | OneView Agent / OneView Monitor   | Used for communication between the OneView Agent and Monitor
    44450  | OneView Monitor                | Browser / OneView Monitor         | Port used by the OneView Monitor
    7680   | Enhanced Assurance/Device DNA  | Access Gateway / Policy Server    | Used for Session Assurance functionality
    8080   | Access Gateway ProxyUI         | Browser / ProxyUI                 | Should not be installed on the same server as AdminUI
    543    | Access Gateway ProxyUI         | Browser / AdminUI Service         | SSL port for ProxyUI
    8001   | SNMP Agent                     | SNMP Agent / SNMP Monitor         | Used if SNMP has been configured
    161    | SNMP Port                      | SNMP Service                      | Used if SNMP has been configured
    80     | HTTP                           | Browser / Web Agent               | Standard communication port
    443    | HTTPS                          | Browser / Web Agent               | Standard communication port
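A practical companion to the table, added here and not a CA tool: before assuming a Web Agent problem is an SSO configuration issue, confirm from the agent host that the Policy Server ports in the table are actually reachable through the firewall. The required flags mirror the table (44442 and 44443 marked required, 44441 optional); the Policy Server hostname is a placeholder.

```python
import socket
import sys
from typing import Dict, List

# Web Agent -> Policy Server ports from the table: port -> (use, required)
WEB_AGENT_TO_POLICY_SERVER = {
    44441: ("accounting", False),
    44442: ("authentication", True),
    44443: ("authorization", True),
}

def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connect is reported as closed; that is all a
    firewall rule check needs, no SSO protocol traffic is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_policy_server(host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every Web Agent -> Policy Server port and report reachability."""
    return {port: port_open(host, port, timeout) for port in WEB_AGENT_TO_POLICY_SERVER}

def missing_required(results: Dict[int, bool]) -> List[int]:
    """Ports that are both required and unreachable; empty means the agent can start."""
    return sorted(port for port, reachable in results.items()
                  if not reachable and WEB_AGENT_TO_POLICY_SERVER[port][1])

if __name__ == "__main__":
    # Placeholder host; pass the real Policy Server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "policy-server.example.invalid"
    results = check_policy_server(target)
    for port, reachable in sorted(results.items()):
        use, required = WEB_AGENT_TO_POLICY_SERVER[port]
        state = "open" if reachable else "BLOCKED"
        print(f"{port}  {use:15} {'required' if required else 'optional'}  {state}")
    blocked = missing_required(results)
    if blocked:
        print(f"required ports not reachable on {target}: {blocked}")
    sys.exit(1 if blocked else 0)
```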


    CA SSO: On-Premise or Cloud? Now you can do both!

    Image courtesy of CA Technologies


    The entire CoreBlox team was excited about the announcement that the latest CA Single Sign-On release (R12.6.02) includes integration with CA Identity Service!  I had a chance to see CA Identity Service in action at CA World last November. As impressive as it was as a standalone solution,  I think everyone knew that it would go to another level once it could work hand in hand with CA SSO. This announcement is a major step forward for CA, as companies that are already running CA SSO can now transition to a true hybrid cloud environment by pairing with CA IDaaS. Got Salesforce? Dropbox? Google G Suite? Office 365? No problem.  Your existing CA SSO users can now seamlessly transition from their on-prem apps to their cloud/SaaS apps with a single click.

    Bridging The Gap Between CA Single Sign-On and PingFederate

    Photo credit: Ian McWilliams

    Let’s face it: some things just go well together. Chocolate & Peanut Butter; Coffee & Cream; Vinz Clortho & Zuul; PingFederate and CA Single Sign-On (formerly SiteMinder)…. I’ll give you a moment to let that last one sink in. Traditionally, organizations prefer to consolidate on a single vendor suite; recently, however, there has been a more accepting attitude toward combining different vendor technologies. That’s understandable given that there are so many great products out there, each offering its own unique advantages. The driving factors for these combinations are varied. Often it’s to get the best of all technologies, sometimes it may be to fill a gap, and every now and then it might involve a transition between technologies. Regardless of the driving factor, you need a plan in place if you want to successfully ‘bridge’ these technologies. Success in this case means a seamless implementation with no noticeable impact to the end users. In this example we will look at a common deployment which combines CA Single Sign-On, an industry leading access management solution, with PingFederate, a leading SAML Federation solution.

    Both products are great at what they do and maintain a large implementation footprint.  Both products provide a ‘single sign-on’ function, but with a different method of implementation.  Since both products have the ability to ‘authenticate’ users and act as an authoritative source, wouldn’t it be great if they could work together?  Great News!  They Can!

    To facilitate this functionality, we need to be able to exchange information and trust between both platforms while maintaining their native processing.  This is accomplished through token exchange.  Specifically, through use of the CoreBlox Token Server (CTS) and the PingFederate CoreBlox Token Translator. 

    The exchange of tokens facilitates a bi-directional flow of trust between both vendors, meaning that if a user has already authenticated with one service, its token can be trusted and exchanged for a token from the other service. This is accomplished through the two components mentioned earlier. The CoreBlox Token Service is deployed within the Ping Jetty engine, or as a stand-alone instance. Depending on the use case (IdP or SP), CTS will validate an incoming SMSESSION, redirect the user to authenticate and obtain an SMSESSION, or create an SMSESSION based on information provided by the Ping Adapter. Likewise, the Ping CTS Adapter works with CTS to provide the same functionality on its side, ensuring a new session is created based upon the trust with the CTS service.

    In addition to basic trust and token exchange, there are also specific customizations which allow identifying attributes to be exchanged for additional authorization enforcement or content delivery bi-directionally.   

    To sum up: whether you need on-going seamless sign-on between CA SSO and PingFederate OR just a temporary bridge between these products, look no further than the CoreBlox Token Service. Click here to download CTS for free and get started today!