Technologies

Configuring Step-up authentication in BIG-IP v13

Why integrate step-up authentication?

When publishing web applications, you may be required to provide different levels of authentication depending on context. Most of the time, the URL is used to decide which level of authentication is required, but you can just as easily use other context information such as HTTP headers, hostname, …

Configuration steps

To have a working step-up authentication process, you should configure at least an Access Profile and a Per-Request Policy. Those profiles then need to be applied to a Virtual Server.

Defining the Main Access Profile

Configuring a Per-Request Policy

We will use a Subroutine to create a sub session that triggers Multi Factor Authentication for specific URLs.

Configuring URL branching

Testing the configuration

Primary authentication

Accessing the backend server

What happens when reaching a URL that requires Multi Factor Authentication

Viewing the active session and sub session

This article describes one of the many available ways to configure a step-up authentication process using Access Policy Manager (APM). For users running BIG-IP 11.x or 12.x, you can use a dedicated configuration we published on devcentral.f5.com to implement a granular step-up authentication process.

The original article is available on...

Syncing 1000+ ifiles using iControl REST API

I often use the ifile feature to provide customized web content to users targeting my web applications through a BIG-IP device. I already had a request to import 1000+ files to the F5 BIG-IP in order to build a complete web framework full of .css, .js and .html files. Uploading those files one by one is really time-consuming and boring. That's why we have developed a small piece of code that automatically watches a folder and creates, modifies or deletes ifiles accordingly.

Managing ifiles using the Curl tool

When an administrator decides to manually upload a few files to the BIG-IP device using the iControl REST API, he has to execute several consecutive commands.

Uploading a file to the BIG-IP

You need to calculate the size of the file you want to upload:

    du -b testfile.txt
    930 testfile.txt

Then, you can upload the file to the BIG-IP device:

    curl -v -k -X POST -H "Content-Type: application/octet-stream" -H "Content-Range: 0-929/930" -u admin:admin --data-binary "@testfile.txt" https://bigip_host/mgmt/shared/file-transfer/uploads/testfile.txt

...

How to automate the discovery of SSL certificates?

As a security company, we often deal with SSL certificates. We use them to configure Server Certificate Authentication, Client Side Authentication, signing or encryption of payloads, and other technical tasks. To simplify the management of those certificates, we developed a solution able to discover and monitor them. We are now proud to present SSLCert.

SSLCert provides an innovative solution to automate the discovery of, and alerting on, SSL/TLS certificates across the corporate network. This solution is available on-premise or in SaaS mode and is currently free of charge. To benefit from our service, you only need to request an account from our support team: support@e-xpertsolutions.com

You can see below which features of SSLCert you can use to discover and manage your SSL certificates.

Automatic discovery and inventory

Learn about known and unknown certificates that are installed on your applications, servers, network equipment, and other assets. SSLCert maintains an inventory of discovered certificates for better day-to-day management.

Complete view of certificates

SSLCert provides information about certificates and the certification chain, and checks that the certificate is valid and compliant. In addition, the solution offers the ability to integrate with Qualys SSL Labs to verify the grade of the monitored SSL/TLS service.

Qualys SSL Labs...

How to define advanced filters for your certificates?

SSLCert tutorial

SSLCert is an online service that helps IT professionals efficiently monitor deployed SSL certificates. We are excited to announce that the search bar has been enhanced to help administrators define granular filters based on certificate fields.

Our solution provides three kinds of queries:

Standard queries, to quickly find a certificate based on the common name or DNS names.
Advanced queries, to search in specific certificate fields and for some specific events such as the expiration date.
Conditional queries, to create search combinations.

Standard query

When doing a simple search request, the query engine looks for the input text in the DNS names and object name fields of certificates.

Advanced query

An administrator can also build more complex queries. There are several parameters available to query specific fields in the certificate.

Filters

By Common Name: cn:google.com
By attached SSL monitor name: m:www.twitter.com
By DNS Names: dns:e-xpertsolutions
By Certificate Serial Number: serial:"63:02:70:2e:b4:16:f8:01:bf:6d:8d:b6:5c:5e:d1:4a"
By Signature Algorithm: salgo:sha1
By Expiration date in days: expires:10
Expired certificates...

Architecture of our application portal

In this article, we cover the architecture of our application portal, and more specifically the authentication part. We will look at everything related to identity management and authorization.

Before getting to the heart of the matter, let us look briefly at how our portal and our applications are organized. First of all, we work with a REST API. Each application is in fact a simple exposed API, and the web application is only a client of that API, just as an Android mobile application would be. We therefore have two completely distinct and decoupled parts for each application: the backend (API) and the frontend (web app).

To unify our services, we need a central pillar capable of handling the identity of our users. This application, named "Accounts", takes care of all authentication, authorization and identity management for our portal. The diagram below illustrates our portal and its applications:

To manage access to our APIs, we chose the OAuth 2.0 protocol, and for the identity layer we use the OpenID Connect 1.0 protocol, which is based on OAuth. The diagram below shows in a...

Automate the discovery of SSL/TLS certificates

SSLCert provides an innovative solution to automate the discovery of, and alerting on, SSL/TLS certificates across the corporate network. This solution is available on-premise or in SaaS mode and is currently free for e-Xpert Solutions customers.

Automatic discovery and inventory

Discover the known and unknown certificates that are installed on your applications, servers, network equipment and other assets. SSLCert maintains an inventory of discovered certificates for better day-to-day management.

Complete view of certificates

SSLCert provides information about certificates and the certification chain, and checks that the certificate is valid and compliant. In addition, the solution can integrate with the Qualys SSL Labs service to verify the grade of the SSL/TLS connection of the published service.

Alerting and reporting on certificate expiration

SSLCert includes an engine for defining rules on certificate monitoring. The user can configure notifications for expired certificates or for certificates close to expiration, allowing administrators to react proactively and renew the identified certificates.

Read also: SSLCert Release notes: June (English); SSLCert: a new service to monitor SSL certificates...