Are Copy-n-Paste operations impacting your Identity & Governance solutions?

Microsoft Office Suite’s Autocorrect: How Character Replacements Impact Identity and Governance Solutions => Garbage-In-Garbage-Out (GIGO)

When thinking about identity and governance solutions, many of us consider factors such as password security, multi-factor authentication, or access control. Rarely do we contemplate the subtle implications of character replacements in our word processing software. However, Microsoft Office Suite’s Autocorrect feature, while intended to enhance the user experience, has introduced concerns around the copy-paste process, especially with characters like the dash and quotes. Let’s delve into the nuances of this issue and its potential impacts, focusing on two (2) of the most common replacements.

A Common Scenario:

Automated emails from ticket systems are forwarded to administrators or users, who may then copy-n-paste strings from the email (or MS Word document) into an identity / governance solution, wishing to be efficient and to avoid mistyping characters when moving from one solution to another. These fields could be used for provisioning access by a business role name or kicking off a governance campaign search.

Dash vs. Emdash: What’s the Big Deal?

Microsoft Word (and other programs within the Office Suite) has a habit of automatically converting the standard dash (-) to an emdash (—) when it assumes the user is attempting to create a longer break in the sentence. On the surface, this appears to be a simple formatting choice. Yet, when you copy content containing these characters and paste it into identity or governance platforms, unexpected issues may arise. This “emdash” decision appears to follow British style formatting, per this reference: https://www.sussex.ac.uk/informatics/punctuation/hyphenanddash/dash

Identity systems often depend on exact character matching for elements like usernames, role names, domain names, or system strings. For instance, if a user is instructed to input “domain-name.com” but inadvertently pastes “domain—name.com” (with an emdash), the system will not recognize the latter as a valid entry. This leads to failed authentication attempts, locked accounts, and potential security concerns as users and admins scramble to correct the discrepancies. Worst case, the identity/governance solution uses UTF-8 or a newer character set and accepts the special characters, but the underlying IG/IM database is still using an older ASCII character set that does not recognize them. If this occurs, a data clean-up operation is typically needed by the IM/IG/DBA teams.

The Smart Quotes Dilemma

Similarly, Microsoft’s Autocorrect feature replaces standard double quotes (") with smart quotes (“ ”) for a more visually appealing look in documents. While they may enhance the aesthetic feel of a document, smart quotes can wreak havoc in systems expecting the simpler ASCII version.

A code or script that depends on specific string matching will fail if smart quotes are used instead of standard quotes. This can lead to malfunctioning applications, scripts, or integrations when developers or administrators copy and paste content from Office documents directly into configuration files or codebases.

Governance Solutions and Data Integrity

In governance solutions, consistency and data integrity are of the utmost importance. Consider a scenario where policy documents or terms of use agreements are drafted in Word. Any auto-replaced characters might be unintentionally added to official records or database entries. When such documents are parsed or processed by automated systems, unexpected behaviors might occur due to these seemingly innocuous character changes.

Recommendations and Best Practices:

  1. Awareness: Ensure that your team is aware of these auto-corrections. Training sessions or instructional guides can be used to inform users about these pitfalls.
  2. Disable Autocorrect: If you frequently copy and paste between the Office Suite and other platforms, consider disabling the autocorrect features for these two (2) common replacements (dash/quotes). See the screenshots below for how to disable these two (2) features in MS Outlook, MS Word, and MS PowerPoint. Fortunately, we do not have to modify MS Excel. For a global change, companies may wish to use their patch process to update the Microsoft Office registry settings that control this autocorrect behavior for all users.
  3. Post-Copy Verification: After pasting content, always double-check critical characters to ensure they have not been auto-replaced. It may be necessary to incorporate policy verification rules to prevent entry of these two (2) common replacement characters, e.g. PX Policy UI data verification rules.
  4. Use Plain Text Editors: When dealing with sensitive or system-related information, use plain text editors like Notepad, Notepad++ or VSCode to avoid any auto-formatting.
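As an added example (not part of the original post), a small Python validator of the kind item 3 describes: it flags the dash and quote substitutes Autocorrect introduces in a pasted role name or domain, maps them back to ASCII, and also checks that the value is storable in the database's character set (assumed here to be ASCII) so the problem is caught at entry rather than surfacing later as a mangled record. The replacement table and the sample strings are constructed for this example.

```python
import unicodedata

# Typographic substitutes Office Autocorrect introduces, mapped back to the
# ASCII character an identity/governance system expects (constructed table).
AUTOCORRECT_MAP = {
    "\u2013": "-",   # en dash
    "\u2014": "-",   # em dash
    "\u2018": "'",   # left single quote
    "\u2019": "'",   # right single quote / apostrophe
    "\u201c": '"',   # left double quote
    "\u201d": '"',   # right double quote
    "\u00a0": " ",   # non-breaking space, also common in pasted Word text
}

def find_autocorrect_chars(value):
    """Return (position, char, unicode name) for each substitute found."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(value) if ch in AUTOCORRECT_MAP]

def normalize(value):
    """Map the substitutes back to the plain ASCII characters."""
    return "".join(AUTOCORRECT_MAP.get(ch, ch) for ch in value)

def validate_identifier(value, db_charset="ascii"):
    """Policy-style check for a pasted role name, domain or system string.
    Returns (ok, message): rejects Autocorrect substitutes outright and
    anything the target database's character set cannot store (the case
    that later shows up as an inverted question mark in an Oracle table)."""
    hits = find_autocorrect_chars(value)
    if hits:
        pos, ch, name = hits[0]
        return False, (f"{name} (U+{ord(ch):04X}) at position {pos}; "
                       f"expected {AUTOCORRECT_MAP[ch]!r}")
    try:
        value.encode(db_charset)
    except UnicodeEncodeError as exc:
        bad = value[exc.start]
        return False, f"{bad!r} (U+{ord(bad):04X}) is not storable in {db_charset}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples: what was typed vs. what Word/Outlook pasted.
    for sample in ["domain-name.com", "domain\u2014name.com",
                   "\u201cFinance-Approver\u201d", "r\u00f4le-owner"]:
        ok, msg = validate_identifier(sample)
        print(f"{sample!r}: {'OK' if ok else 'REJECT'} - {msg}; "
              f"normalized={normalize(sample)!r}")
```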

Location of auto-correction of dash (-) to emdash (—) & quotes in MS Outlook

Location of auto-correction of dash (-) to emdash (—) & quotes in MS Word

Location of auto-correction of dash (-) to emdash (—) & quotes in MS PowerPoint

Fortunately, we do NOT have this issue in MS Excel for the two (2) characters we are reviewing in this blog.

An impact of copy-n-paste:

For example, if you are using an Oracle database and see inverted question mark characters (¿) in your data sets, this is a strong indicator that the database is substituting a replacement character for special characters its character set does not recognize. The example below shows what happens when users/administrators use copy-n-paste operations to create new IM/IG objects: the objects are not returned when searched for later, because the stored names no longer match what was entered the first time.

If the database is still using its default character map, correcting this will not be simple: the DBAs must make a major change that requires an outage window. The DBAs may also need to be involved in the data clean-up or replacement exercise to adjust the malformed entries.

Conclusion

The Microsoft Office Suite’s Autocorrect feature demonstrates how even well-intentioned, user-friendly functionalities can introduce unforeseen challenges. For those operating in the realm of identity and governance, an awareness of these issues is essential. It’s a testament to the intricate nature of modern software environments, where even the simplest character can have significant implications. Confirm your identity access / governance solutions have a matching character set between the solution stack and the underlying database.

Leveling Up: The Imperative of Upgrading Your Symantec Identity Suite Virtual Appliance to 14.5 (Centos Stream 9) for Robust Randomness, Enhanced Jitterentropy, and Bouncy Castle Entropy Insights

In the intricate world of cybersecurity and identity management, evolving threats and vulnerabilities demand our undivided attention. When considering upgrading your Symantec Identity Suite Virtual Appliance, understanding the nuanced technological landscape, including the perks of Jitterentropy and the challenges associated with Java’s Bouncy Castle entropy, can make a world of difference.

The Technological Need:

  1. Robust Randomness with Jitterentropy: Relying on the natural timing jitter of CPUs, Jitterentropy has emerged as a game-changing hardware random number generator (RNG). The latest renditions of the Symantec Identity Suite Virtual Appliance leverage this RNG, ensuring unparalleled randomness, making decoding by potential threats a herculean task.
  2. Operational Efficiency: Upgrades tuned with contemporary features promise optimized performance. Coupled with Jitterentropy, the RNG processes are turbocharged, promising minimal downtime and an elevated user experience.
  3. Challenges with Bouncy Castle Entropy in Java: Bouncy Castle, despite its vast utility in cryptographic operations in Java, has had its share of entropy-related issues. Some known problems include:
  • Predictability: Certain RNG implementations in Bouncy Castle have been found to be somewhat predictable, which could compromise security.
  • Seed Reuse: There have been instances where seeds were reused, which again poses security concerns.
  • Slow Entropy Accumulation: At times, the entropy collection is slower than expected, leading to potential operational delays. In security solutions, a lack of entropy impacts scale and usability.

Business Justification for Rapid Response:

With the business landscape in perpetual flux, the right tech decisions can spell the difference between stagnation and growth:

  1. Enhanced Security: Incorporating Linux OS with Jitterentropy is synonymous with state-of-the-art security. Such forward-thinking measures drastically curtail potential security breaches.
  2. Cost Savings: Forward-looking upgrades, especially those that incorporate cutting-edge features like Jitterentropy, offer tangible long-term financial advantages. Fewer breaches, reduced system errors, and saved manual efforts contribute positively to the bottom line.
  3. Staying Competitive: In an era of rapid technological advancements, integrating elements like Jitterentropy ensures you’re leading from the front.
  4. Compliance and Regulatory Adherence: With cybersecurity standards constantly on the move, staying updated is non-negotiable. Evade potential legal issues and hefty fines by staying on top of these norms.
  5. Customer Trust: By showcasing a commitment to data safety through advanced systems (and by addressing known entropy issues like those in Bouncy Castle), businesses can strengthen customer trust and foster long-term loyalty.

Validating Jitterentropy Integration in the Linux Kernel: A Comprehensive Guide

As the world of Linux continues to evolve, one exciting development is the incorporation of jitterentropy into the kernel. This robust hardware random number generator (RNG) enhances the quality of randomness, making our systems even more secure. If you’re keen on understanding, implementing, or validating this feature in your Linux setup, this guide is tailored just for you.

What is Jitterentropy?

Jitterentropy is an RNG based on the natural timing jitter that occurs in CPUs. In the realm of cybersecurity, RNGs are of paramount importance; they generate the random numbers pivotal for cryptographic operations. The less predictable these numbers are, the tougher it becomes for malicious actors to crack them.

Why is Jitterentropy Essential?

For systems relying on cryptographic functions, such as encryption, the RNG’s caliber can’t be overstated. Jitterentropy guarantees first-rate randomness, upping your system’s security game. See: https://www.chronox.de/jent.html

How to Validate Jitterentropy Integration:

  1. Identify Your Kernel Version:
    Kick things off by determining your kernel version using the uname -r or uname -a command.
   uname -r

uname -a provides your system’s hostname, kernel release, build date, and architecture; uname -r prints only the kernel release. From this you can determine whether your Linux kernel is greater than 5.6, when entropy functionality was added directly to the kernel. https://github.com/torvalds/linux/commit/3f2dc2798b81531fd93a3b9b7c39da47ec689e55

  2. Is Jitterentropy Part of Your Kernel Configuration?:
    Deploy this simple grep command to figure out if jitterentropy is enabled in your kernel:
   grep -HRin jitter /boot/config*

An output showing CONFIG_CRYPTO_JITTERENTROPY=y confirms that jitterentropy is enabled. The “y” here indicates that the feature is in-built in the kernel.

  3. Time-Driven Testing for Jitterentropy:
    By simulating multiple pulls from the entropy source, you can gauge how efficient jitterentropy is:
   time for i in {1..1000}; do time dd if=/dev/random bs=1 count=16 2>/dev/null | base64; done

This command performs two functions:

  • It times each of the 1000 pulls from /dev/random, allowing you to measure the average time taken, basically emulating 1000 rapid password changes of 16 characters.
  • It provides an overall timing for 1000 pulls, letting you know the total duration for the entire operation. If your system remains responsive and completes the pulls swiftly, it’s a strong indication that your entropy source is in prime working condition, which implies that any solution on the appliance has adequate entropy to service users and processes at scale.

Another variant adds a counter so you can see that all 1000 iterations have completed. Note, if there is no entropy pump, this process will NOT succeed: the Linux OS entropy will be rapidly depleted and any solution on the host will be delayed. Ensure there is an entropy pump to keep the performance you need.

counter=1;MAX=1000;time while [ $counter -le $MAX ]; do echo "##########  $counter ##########" ; time dd if=/dev/random bs=16 count=1 2> /dev/null | base64; counter=$(( $counter + 1 )); done;
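The three validation steps above, combined into one Python script as an added example (not part of the original post): it applies the 5.6 kernel threshold to the uname -r release string, parses /boot/config-* for CONFIG_CRYPTO_JITTERENTROPY, and times 1000 reads of 16 bytes from /dev/random the way the dd loop does, reporting total, average and worst-case latency so a slow or starved entropy source stands out. The 5.6 threshold and the /dev/random default are taken from this guide; the function names are my own.

```python
import platform
import re
import time

CONFIG_KEY = "CONFIG_CRYPTO_JITTERENTROPY"

def kernel_version_tuple(release):
    """'5.14.0-362.el9.x86_64' -> (5, 14, 0); only the leading numeric fields count."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x) if x else 0 for x in m.groups())

def kernel_has_builtin_jitter(release, minimum=(5, 6, 0)):
    """True when the release meets the 5.6 threshold used in this guide."""
    return kernel_version_tuple(release) >= minimum

def jitter_config_state(config_text):
    """Parse /boot/config-* text: 'y' (built in), 'm' (module) or None (not set)."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(CONFIG_KEY + "="):
            return line.split("=", 1)[1].strip()
    return None

def time_entropy_pulls(pulls=1000, nbytes=16, reader=None):
    """Time `pulls` reads of `nbytes` from the entropy source (the dd loop in
    code); returns (total_s, avg_s, max_s). reader defaults to /dev/random."""
    if reader is None:
        with open("/dev/random", "rb", buffering=0) as f:
            return time_entropy_pulls(pulls, nbytes, f.read)
    durations = []
    for _ in range(pulls):
        t0 = time.perf_counter()
        data = reader(nbytes)
        durations.append(time.perf_counter() - t0)
        if len(data) != nbytes:
            raise RuntimeError("short read from entropy source")
    total = sum(durations)
    return total, total / pulls, max(durations)

if __name__ == "__main__":
    rel = platform.release()  # same value as `uname -r`
    print(f"kernel {rel}: 5.6 threshold met = {kernel_has_builtin_jitter(rel)}")
    try:
        with open(f"/boot/config-{rel}") as f:
            print(f"{CONFIG_KEY} = {jitter_config_state(f.read())}")
    except FileNotFoundError:
        print(f"/boot/config-{rel} not present; check kernel config another way")
    total, avg, mx = time_entropy_pulls()
    print(f"1000 x 16-byte pulls: total {total:.3f}s avg {avg*1000:.3f}ms max {mx*1000:.3f}ms")
```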

Wrapping Up:

The integration of Jitterentropy in the Linux kernel underscores the open-source community’s relentless dedication to fortifying security. By understanding, testing, and leveraging it, you ensure that your system is bolstered against potential threats, always staying a step ahead in the cybersecurity arena. Keep exploring, stay updated, and most importantly, remain secure!

Review upgrading your Symantec Identity Suite to improve performance for users and scale to millions of transactions.

For non-appliances or older Linux OS (Kernel release < 5.6):

Review adding the haveged or jitterentropy packages to your Linux OS to avoid delays to any business processes. See our prior blog discussing entropy and the value of adding an entropy pump to your Linux OSes: https://anapartner.com/2021/06/25/the-hidden-cost-of-entropy-to-your-business/

SiteMinder / CA SSO Metrics

These are exciting times, marked by a transformative change in the way modern applications are rolled out. The transition to Cloud and related technologies is adding considerable value to the process. If you are utilizing solutions like SiteMinder SSO or CA Access Gateway, having access to real-time metrics is invaluable. In the following article, we’ll explore the inherent features of the CA SSO container form factor that facilitate immediate metrics generation, compatible with platforms like Grafana.

Our lab cluster is an on-premise Red Hat OpenShift Kubernetes cluster running the CA SSO container solution, available as part of the Broadcom Validate Beta Program. The deployment of the different SSO elements, like policy servers and access gateway, is facilitated through a Helm package provided by Broadcom. Within our existing OpenShift environment, a Prometheus metrics server is configured to gather time-series data. By default, the tracking of user workload metrics isn’t activated in OpenShift and must be manually enabled. To do so, make sure the 'enableUserWorkload' setting is toggled to 'true'. You can either create or modify the existing configmap to ensure this setting is activated.

Grafana is also deployed for visuals and connected to the Prometheus data source to create metrics visuals. The Grafana data source can be created using the YAML provided below. Note that creation of the Grafana data source requires the Prometheus URL as well as an authorization token to access stored metrics. This token can be extracted from the cluster using the commands below.

Also ensure that a role binding exists to allow the service account (prometheus-k8s) in the openshift-monitoring namespace access to the role which allows monitoring of resources in the target (smdev) namespace.

Once the CA SSO Helm chart is installed with metrics enabled, we must also ensure that the namespace in which CA SSO gets deployed has the openshift.io/cluster-monitoring label set to true.

We are all set now and should see the metrics getting populated using the OpenShift console (Observe -> Metrics menu item) as well as available for Grafana’s consumption.

In the era of next-generation application delivery, integrated monitoring and observability features now come standard, offering considerable advantages, particularly for operations and management teams seeking clear insights into usage and solution value. This heightened value is especially notable in deployments via container platforms. If you’re on the path to modernization and are looking to speed up your initiatives, feel free to reach out. We’re committed to your success and are keen to partner with you.