Integrating CyberArk’s PAS Solution With DUO’s 2FA

CyberArk’s PAS solution uses the Password Vault Web Access (PVWA) system, through which users request passwords and high-level administrators approve those requests. Access to this system should be as secure as possible. Integrating a multi-factor authentication system such as Duo makes the login process more secure: the user is authenticated on the LDAP password and on the response the Duo Authentication Proxy receives from Duo Push, set up on the user’s mobile device.

In this demo, an LDAP user named “testuser” is created on the Active Directory Domain Controller and enrolled in the Duo instance.

Once the accounts have been created, the Duo Authentication Proxy is set up and configured as the primary LDAP host for authentication.

The Duo Authentication Proxy is a service that runs on either Windows or Linux. It is configured through the file authproxy.cfg.

The details of the Duo instance and of the LDAP server used for primary authentication are both configured in authproxy.cfg.

The firewall must allow outbound HTTPS traffic to the Duo instance.

Access to the PVWA is granted only when both primary and secondary authentication succeed.
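As an added example (not from the original post, nor Duo’s or CyberArk’s own code), the shape of the authproxy.cfg described above, written as a shell script that also checks the settings a defender cares about before the PVWA is pointed at the proxy; the hostnames, service account, ikey, skey, api_host and the install path in the usage line are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Duo/CyberArk software: a
# constructed authproxy.cfg for the layout the post describes (Active Directory as
# primary, Duo as secondary, the proxy answering the PVWA over LDAP), plus a check a
# defender would run before pointing the PVWA at it. Hostnames, service account,
# ikey/skey and api_host are placeholders; the install path in the usage line is assumed.

# write_sample_cfg FILE: write the constructed configuration to FILE.
write_sample_cfg() {
  cat > "$1" <<'EOF'
[ad_client]
host=dc1.example.local
service_account_username=svc_duoproxy
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=local

[ldap_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
failmode=secure
EOF
}

# validate_authproxy_cfg FILE: return 0 only if every key the integration needs is
# present, the proxy fails closed, and the file is not readable by group/other.
validate_authproxy_cfg() {
  cfg="$1"; rc=0
  for key in host service_account_username service_account_password search_dn \
             ikey skey api_host client failmode; do
    grep -q "^$key=" "$cfg" || { echo "missing: $key"; rc=1; }
  done
  # failmode=safe lets a user through on password alone whenever Duo is unreachable;
  # for a privileged-access console the proxy should fail closed instead.
  grep -q '^failmode=secure$' "$cfg" || { echo "failmode is not secure"; rc=1; }
  # skey and the service account password are secrets: require mode 600 or stricter.
  case "$(stat -c %a "$cfg")" in
    *00) ;;
    *) echo "file is readable by group/other"; rc=1 ;;
  esac
  return "$rc"
}

# Usage on a real proxy (assumed default Linux path):
#   validate_authproxy_cfg /opt/duoauthproxy/conf/authproxy.cfg
```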

Sailpoint IdentityIQ – Perform Maintenance Task

The Perform Maintenance Task in Sailpoint’s IdentityIQ plays a crucial role in ensuring that background maintenance activities are carried out periodically.

The following presentation is an attempt to deep dive into:

  • XML object structure of the Perform Maintenance Task
  • Native Java-based Sailpoint objects associated with the Perform Maintenance Task
  • Understanding the flow of execution of the Perform Maintenance Task

Please leave your comments below.

Troubleshooting the EBS Forms Launch Failure

The Forms functionality on Oracle E-Business Suite is an integral part of an organization’s ERP solution. When Forms needs to be accessed from a machine running Oracle Linux 6, the default browser, Konqueror, does not support it.
Through the course of this blog, I will attempt to resolve this issue by using the Firefox browser.

Detection

The current release of the Firefox browser (version 58) has dropped NPAPI support, which prevents Forms from detecting the JRE version installed on the machine.
Firefox Extended Support Release (ESR) continues to offer plug-in support. End-users who need to use Forms-based content in EBS must run Firefox ESR.
The latest version of Firefox ESR (version 52) needs the GTK 3 library, which Oracle Linux 6 does not ship by default. To circumvent this, Firefox ESR version 49, which uses GTK 2, can be installed.
For all Linux distributions, a tarball is offered for download on the official Mozilla website.

Solution

Extract the tarball into the home directory (~) of the root user.
Once it has been extracted, launch Firefox by entering
./firefox

The next step is to enable the libnpjp2.so plugin, which allows EBS Forms to use the JRE from the browser.
The Forms functionality also needs JDK version 1.8.0_102 (or above).
Get the required JDK version by downloading the rpm package from the Oracle Archives page.
Once the JDK is in place, confirm that the plugin file exists at
/usr/java/jdk1.8.0_120/jre/lib/amd64/libnpjp2.so (for the 64-bit version)

Create a Symbolic Link

Create a symbolic link to the plugin in each of these 3 directories:

cd /usr/lib64/mozilla/plugins
cd /usr/lib64/mozilla/plugins-wrapped
cd /etc/skel/.mozilla/plugins

by running the following command while in each directory:

ln -s /usr/java/jdk1.8.0_102/jre/lib/amd64/libnpjp2.so

Bounce Firefox to pick up the change; entering about:plugins in the address bar should then list:

Java(TM) Plug-in 1.8.0_102
Filename: libnpjp2.so The next generation Java plug-in for Mozilla browsers.

Configuring Java to allow self-signed certificates

When EBS Forms is being used in a development environment, it is essential to configure Java to accept self-signed certificates.
Due to the default security settings, Java blocks requests from domains that have self-signed certificates.

To allow a local domain to access Java, a Site Exception can be added. To do so, start the Java Control Panel: navigate to the /bin folder of the installed JRE version; in the case of a default install it would be:

/usr/java/jre1.8.0_102/bin

and launch the Control Panel by issuing the command

./ControlPanel

Click on the Add an Exception button at the bottom and enter the local domain on which the EBS application is running.
Save the changes and bounce the server to see the effect.
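The plugin symlinks and the site exception above, as an added shell example that is not part of the original post: it creates the links idempotently, refuses to link a plugin file that does not exist, and appends the EBS URL to the per-user Java exception.sites file rather than going through the Control Panel; the scratch-tree parameters, the example EBS URL and the per-user exception.sites location are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: installs the libnpjp2.so symlinks the
# post creates by hand and registers the EBS host in the Java exception site list.
# The plugin path, target directories and URL are parameters so the functions can be
# checked against a scratch tree. The exception.sites location used in the usage
# lines (~/.java/deployment/security/exception.sites, the per-user deployment
# directory) is an assumption, not something the post states.

# link_plugin PLUGIN DIR...: create DIR/libnpjp2.so -> PLUGIN in each DIR, replacing
# a stale link (e.g. one pointing at an older JDK); refuses if PLUGIN is absent.
link_plugin() {
  plugin="$1"; shift
  [ -f "$plugin" ] || { echo "plugin not found: $plugin" >&2; return 1; }
  for dir in "$@"; do
    mkdir -p "$dir"
    link="$dir/$(basename "$plugin")"
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$plugin" ]; then
      continue                      # already points at the right file
    fi
    rm -f "$link"                   # stale link, or nothing at all
    ln -s "$plugin" "$link"
  done
}

# add_site_exception SITES_FILE URL: add URL once, creating the file if needed.
add_site_exception() {
  sites="$1"; url="$2"
  mkdir -p "$(dirname "$sites")"
  touch "$sites"
  grep -qxF "$url" "$sites" || echo "$url" >> "$sites"
}

# Usage with the post's paths (run as root on the EBS client; example URL assumed):
#   link_plugin /usr/java/jdk1.8.0_102/jre/lib/amd64/libnpjp2.so \
#     /usr/lib64/mozilla/plugins /usr/lib64/mozilla/plugins-wrapped /etc/skel/.mozilla/plugins
#   add_site_exception "$HOME/.java/deployment/security/exception.sites" \
#     "https://ebs.example.local:4443"
```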

Troubleshooting a Linux Partition with Corrupted Metadata

Corruption in the Linux file system causes the system to boot into emergency mode by default.

The following error message is displayed on boot-up:

Welcome to emergency mode! After logging in, type “journalctl -xb” to view system log, “systemctl reboot” to reboot, “systemctl default” or ^D to try again to boot into default mode.

Filesystems can be corrupted by:

  • Hardware errors
    • Media errors are common
    • Disks keep getting bigger
  • To a much lesser degree, bugs in the filesystem

Filesystems are able to “repair” themselves, since they consist of lists, links and reference counts that can be validated.

  • But not all information is always recovered; inodes without a parent directory are common when the directory structure has been corrupted

Detection

The OS shows the following errors:

Corruption detected. Unmount and run xfs_repair.

Corruption of in-memory data detected. Shutting down filesystem(s)

Please unmount the filesystem and rectify the problem(s)

Solution

Enter lvdisplay. This command lists the logical volumes present on the Linux machine; the common logical volumes (assuming no changes have been made) are root, home and swap.

To mount a logical volume, enter the command mount /dev/ol/logical_volume_name.

If a logical volume’s metadata is corrupted, the following error is observed when trying to mount it:

XFS(dm-2) Metadata corruption detected at xfs_inode_buf_verify 0x75/0xd0 [xfs]

For the course of this blog it is assumed that the home logical volume is corrupted, so the error is encountered when the following command is executed:

mount /dev/ol/home

To fix this, enter the command:

xfs_repair -L /dev/mapper/ol-home

where ol-home is the device-mapper name that Logical Volume Manager (LVM) assigns to the home logical volume of volume group ol. To view the list of partitions the command fdisk -l can be used.

The -L option specifies Force Log Zeroing.

It forces xfs_repair to zero the log even if it is dirty (contains metadata changes).

It is important to understand that this option should be used only if the data on that partition has been backed up beforehand. Using it in a mission-critical environment without prior testing would spell trouble: in certain cases, the inode tree could end up with even more corrupted metadata.

With fresh metadata, the inode tree of the filesystem is rebuilt and the /home directory can now be mounted by using:

mount /dev/ol/home

The changes in the filesystem can be observed by checking the output of df -l.

Reboot the OS for changes to show effect.
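The repair sequence above wrapped in the preconditions a practitioner would want, as an added shell example that is not from the original post: it checks that the device is unmounted, requires a backup to be declared, tries a plain mount to replay the log before anything destructive, and runs xfs_repair -n before xfs_repair -L; MOUNTS_FILE, DRY_RUN and BACKUP_DONE are assumed variables introduced here.

```shell
#!/bin/sh
# Added example, not from the original post: a guarded wrapper around the repair the
# post performs by hand. It refuses to touch a mounted device, insists that a backup
# exists before the log is zeroed, tries a plain mount first (a merely dirty log is
# replayed rather than discarded), assesses with xfs_repair -n, and only then runs
# xfs_repair -L. MOUNTS_FILE and DRY_RUN are assumptions added so the decision logic
# can be exercised without a real block device.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# is_mounted DEV: true if DEV is a mounted source; symlinks are resolved so that
# /dev/ol/home and /dev/mapper/ol-home compare equal.
is_mounted() {
  want=$(readlink -f "$1" 2>/dev/null || echo "$1")
  while read -r src _; do
    [ "$(readlink -f "$src" 2>/dev/null || echo "$src")" = "$want" ] && return 0
  done < "$MOUNTS_FILE"
  return 1
}

# safe_xfs_repair DEV MOUNTPOINT: returns 1 without touching DEV if a precondition fails.
safe_xfs_repair() {
  dev="$1"; mnt="$2"
  if is_mounted "$dev"; then
    echo "$dev is mounted; xfs_repair needs an unmounted device" >&2
    return 1
  fi
  if [ "$BACKUP_DONE" != 1 ]; then
    echo "refusing to zero the log without BACKUP_DONE=1: -L discards unwritten metadata" >&2
    return 1
  fi
  # 1. A successful mount replays the log; then no repair is needed (skipped in dry run).
  if [ "$DRY_RUN" != 1 ] && mount "$dev" "$mnt" 2>/dev/null; then
    umount "$mnt"
    echo "log replayed by mount; no repair needed"
    return 0
  fi
  # 2. Assess without modifying anything; a non-zero exit here only means corruption was found.
  run xfs_repair -n "$dev" || true
  # 3. Last resort: zero the dirty log, then let xfs_repair rebuild the inode tree.
  run xfs_repair -L "$dev"
}
```

Run with DRY_RUN=1 first to see the exact commands the wrapper would issue for the device.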