Bloombase
Spitfire Identity Manager Essentials

            Bloombase Enterprise Services

                                    ES-351
                             Training Guide
                                 Revision 1
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real
company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Bloombase Technologies.

Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Bloombase Technologies, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in
the absence of an agreement with Bloombase Technologies, and neither the document nor any such information may be released without
the written consent of Bloombase Technologies.

© 2011 Bloombase Technologies

Bloombase, Spitfire, StoreSafe and Keyparc are either registered trademarks or trademarks of Bloombase Technologies in the United States,
People’s Republic of China, Hong Kong Special Administrative Region and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Document No.: BLBS_ES-351_BloombaseSpitfireIdentityManagerEssentials_R1
Table of Contents

About This Course
Course Map
Topics Not Covered
How Prepared Are You?
Introductions
How to Use Course Materials

Introducing Bloombase Spitfire Identity Manager
Overview

Bloombase Spitfire Identity Manager Installation
Spitfire Identity Manager on SpitfireOS Installation
Spitfire Identity Manager VMware Virtual Appliance Installation
Spitfire Identity Manager for Unix/Linux Installation
Spitfire Identity Manager for Microsoft Windows Installation
Exercise: Install Spitfire Identity Manager
    Task 1 – Install Spitfire Identity Manager from ISO disk image
    Task 2 – Initialize Spitfire Identity Manager

Bloombase Spitfire Identity Manager Configuration
Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console
Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management
Exercise: Provision Your First Spitfire Identity User
    Task 1 – Provision a Pin Only Authentication Policy
    Task 2 – Provision a new Local User
    Task 2 – Provision a new LDAP User
Configure Spitfire Identity Manager for Life-cycle Security Device Management
Exercise: Provision Your First OTP Device
    Task 1 – Google Authenticator
    Task 2 – Provision Google Authenticator as Your OTP Device
    Task 3 – Assign Device to User
Spitfire Identity API
    txt
    json
    xml
Exercise: User Authentication Using Spitfire Identity API
    Task 1 – Pin Authentication
    Task 2 – Verify If Fully Authenticated
Bloombase Spitfire Identity Manager Essentials




About This Course
             Upon completion of this course, you should be able to:
                 Install Bloombase Spitfire Identity Manager physical appliance
                 Install Bloombase Spitfire Identity Manager virtual appliance
                 Install Bloombase Spitfire Identity Manager software server
                 Configure Bloombase Spitfire Identity Manager for enterprise-scale user
                   identity management and security device asset management
                 Make use of Bloombase Spitfire Identity Manager API for application
                  integration




5            Bloombase Spitfire Identity Manager Essentials
             Copyright 2011 Bloombase Technologies. All Rights Reserved. Bloombase Enterprise Services. Revision 1

Course Map
             The following course map enables you to see what you have accomplished and
             where you are going in reference to the course goals
                 Introducing Bloombase Spitfire Identity Manager
                 Installation
                    Bloombase Spitfire Identity Manager on SpitfireOS
                    Bloombase Spitfire Identity Manager VMware virtual appliance
                    Bloombase Spitfire Identity Manager for Unix/Linux
                    Bloombase Spitfire Identity Manager for Microsoft Windows
                 Operation
                   Performing basic administration, configuration, user provisioning and
                     security device provisioning
                   Developing applications to interface with Bloombase Spitfire Identity
                     Manager API for user authentication and identity management




Topics Not Covered
             This course does not cover the topics shown on the overhead. Many of the topics
             listed on the overhead are described in other courses offered by Bloombase
             Enterprise Services:
                 Bloombase Spitfire Server – Described in ES-311: Bloombase Spitfire Server
                   Essentials
                 Bloombase Spitfire KeyCastle – Described in ES-319: Bloombase Spitfire
                   KeyCastle Essentials
                 Bloombase Spitfire Ethernet Encryptor – Described in ES-321: Bloombase
                   Spitfire Ethernet Encryptor Essentials
                 Bloombase Spitfire High Availability Cluster – Described in ES-361:
                   Bloombase Spitfire High Availability Cluster Essentials




How Prepared Are You?
             To be sure you are prepared to take this course, can you answer yes to the
             following questions?
                 Can you perform basic Unix-like and Windows Operating System (OS)
                   administration tasks, such as using tar commands, creating user accounts,
                   formatting disk drives, using vi, ssh, sftp, installing a Unix-like OS,
                   installing patches, and adding packages?
                 Do you have prior experience with enterprise grade hardware?
                 Do you have hands-on experience on enterprise identity management tools
                   such as LDAP and Microsoft Active Directory?
                 Are you familiar with data protection and security technologies, such as
                   firewall, network encryption protection, symmetric and asymmetric
                   encryption technologies, public key infrastructure (PKI)?
                 Do you have prior experience with HTTP web-based server system
                   technologies?
                 Do you have prior knowledge of a programming language such as Java or C?
                 Are you familiar with software application installation on Windows or
                   Linux?
                 Are you familiar with PKCS#11 smart cards and/or smart tokens?




Introductions
             Now that you have been introduced to the course, introduce yourself to each
             other and the instructor, addressing the items shown in the following bullets.
                 Name
                 Company affiliation
                 Title, function, and job responsibility
                 Experience related to topics presented in this course
                 Reasons for enrolling in this course
                 Expectations for this course




How to Use Course Materials
          To enable you to succeed in this course, these course materials use a learning
          model that is composed of the following components:
              Goals – You should be able to accomplish the goals after finishing this course
               and meeting all of its objectives
              Objectives – You should be able to accomplish the objectives after
               completing a portion of instructional context. Objectives support goals and
               can support other higher-level objectives
              Lecture – The instructor will present information specific to the objective of
                the modules. This information should help you learn the knowledge and
                skills necessary to succeed with the activities
              Activities – The activities take on various forms, such as an exercise, self-
                check, discussion, and demonstration. Activities help to facilitate mastery of
                an objective
              Visual aids – The instructor might use several visual aids to convey a
                concept, such as a process, in a visual form. Visual aids commonly contain
                graphics, animation, and video




Introducing Bloombase Spitfire Identity
Manager
          Upon completion of this module, you should be able to
              Tell what Bloombase Spitfire Identity Manager does
              Tell what problems Bloombase Spitfire Identity Manager solves
              Tell what applications Bloombase Spitfire Identity Manager is for




Overview
          Bloombase Spitfire Identity Manager is a complete strong authentication solution
          for enterprise end users. It enables two-factor authentication to protect user
          identities and core business information.

          The recent rise in phishing attacks and identity theft has increased the need to
          protect online identities. Bloombase Spitfire Identity Manager protects user
          identities and, when used in connected mode, defends against phishing attacks by
          detecting fraudulent sites.

          Bloombase Spitfire Identity Manager combines
              User name and password
              Lightweight Directory Access Protocol (LDAP)
              Microsoft Active Directory
              OATH-based one-time password
              SMS-based mobile one-time password
              SMTP-based email one-time password
              IBM Lotus Notes one-time password
              PKI-based smart-card/token
              PKI-based soft security vault
          authentication methods in a single solution with thin user provisioning
          capabilities.

          Two-factor authentication greatly enhances system security by combining
          something the user has, such as a personal device, and something the user knows,
          such as a password. Bloombase Spitfire Identity Manager uses these elements to
          form a unique combination that someone must have to connect to a system.

          Smart cards feature a small embedded chip which operates as a mini-computer
          that not only securely stores data but also can process information and react to its
          environment. These features give smart cards the unique ability to provide secure,
          portable access to personalized services while protecting each user’s privacy and
          identity.

          Bloombase Spitfire Identity Manager can be integrated with enterprise
          applications in three ways
              AAA RADIUS
              Client web portal for web-based authentication workflow integration
              Application programming interface (API)




Bloombase Spitfire Identity Manager
Installation
          Upon completion of this module, you should be able to
              Install Bloombase Spitfire Identity Manager on a physical appliance
              Install Bloombase Spitfire Identity Manager VMware virtual appliance
              Install Bloombase Spitfire Identity Manager as a host application in Unix and
                Windows environment




Spitfire Identity Manager on SpitfireOS Installation
          The Spitfire Identity Manager for SpitfireOS ISO disk image can be deployed on
          standalone hardware appliances for customers requiring highly customized
          system resource allocation.

          The Spitfire Identity Manager for SpitfireOS ISO disk image

                bloombase-spitfire-identity-<version>.iso

          can be directly mounted as a virtual disk drive on VMware Server/ESXi, or it can
          be burned as an installation CD/DVD to be installed directly from the disk drive of a
          physical appliance or virtual machine container such as VMware ESXi.

          Bloombase SpitfireOS will guide you through the rest of the installation process to get
          SpitfireOS installed and will automatically install Spitfire Identity Manager.




Spitfire Identity Manager VMware Virtual Appliance
Installation
          Spitfire Identity Manager is available as a VMware virtual appliance for
          installation-free deployment in VMware Server and ESXi environments.

          Simply import the Spitfire Identity Manager VMware virtual appliance file

                bloombase-spitfire-identity-<version>.ova

          into VMware Server or ESXi to create a new virtual appliance that is ready to run in
          minutes.




Spitfire Identity Manager for Unix/Linux Installation
          Spitfire Identity Manager is available as a software-only package, not bundled with
          SpitfireOS, for deployment as a host application in a Unix-like environment.

          To start the software installation of Spitfire Identity Manager on the host operating
          system, launch the installer by invoking the command

                ./bloombase-spitfire-identity-<version>-<platform>.bin

          at the command prompt.

          By default, the Spitfire Identity Manager software server is installed at the file location

                /spitfire-identity




Spitfire Identity Manager for Microsoft Windows Installation
          Spitfire Identity Manager for Microsoft Windows is available as a software-only
          package, not bundled with SpitfireOS, for deployment as a host application in a
          Microsoft Windows environment.

          To start the installation process, launch the Spitfire Identity Manager for Windows
          installer

                bloombase-spitfire-identity-<version>-<platform>.exe

          The installer will guide you through the rest of the setup process.

          By default, Spitfire Identity Manager is installed at

                spitfire-identity




Exercise: Install Spitfire Identity Manager
      Task 1 – Install Spitfire Identity Manager from ISO disk image

          Create a new Linux-based virtual machine with at least 512MB main memory.

          Mount the Spitfire Identity Manager ISO disk image as a virtual disk drive.

          Power on the virtual machine and follow the SpitfireOS installer, which guides you
          through the rest of the installation.



      Task 2 – Initialize Spitfire Identity Manager

          Sign on to the Spitfire Identity Manager CLI console and configure network parameters
          for Spitfire Identity Manager.

          Sign on to the Spitfire Identity Manager web-based management console and follow the
          instructions to initialize Spitfire Identity Manager.




Bloombase Spitfire Identity Manager
Configuration
          Upon completion of this module, you should be able to
              Access the Spitfire Identity Manager web-based management console
              Configure Spitfire Identity Manager for life-cycle user identity and
                authentication policy management
              Configure Spitfire Identity Manager for LDAP and Microsoft Active
                Directory identity management
              Configure Spitfire Identity Manager for life-cycle security device
                management
              Configure Spitfire Identity Manager for one time password management
              Configure Spitfire Identity Manager for smart card and smart token
                management




Bloombase Spitfire Identity Manager Administrator Portal /
Web Management Console
          The Bloombase Spitfire Identity Manager web management console for administrators
          can be accessed by pointing a web browser to the URL below

                https://<spitfireim>:8451

          or

                https://<spitfireim>:8451/admin




Configure Spitfire Identity Manager for Life-cycle User
Identity and Authentication Policy Management
          Spitfire Identity Manager combines
              User identity management
              Key management
              Multi-factor authentication
              Strong authentication device management
              Authentication policy management
          in a purpose-built solution for large scale enterprises and organizations.

          A user can possess multiple security devices of multiple types including
              HMAC-based OTP device(s)
              Time-based OTP device(s)
              SMS OTP
              Email OTP
              Smart card(s)
              Smart token(s)
              X.509 key pair(s)
          To assure the identity of a user, Spitfire Identity Manager offers a customizable,
          rule-based multi-factor authentication mechanism that fits the security
          requirements of any organization.

          Spitfire Identity Manager provides local management of user credentials. For
          most large organizations that already have an identity manager deployed, a more
          manageable option is to integrate the existing identity manager with Spitfire
          Identity Manager for user provisioning and password management.

          Spitfire Identity Manager supports directory access to major identity servers
          including LDAP and Microsoft Active Directory. Spitfire Identity Manager can also
          process user ID and passphrase authentication against relational
          database user tables, which are common in enterprises running ERP, CRM
          or other groupware.




Exercise: Provision Your First Spitfire Identity User
      Task 1 – Provision a Pin Only Authentication Policy

          Sign on to the Spitfire Identity Manager web management console.

          Start ‘Authentication Policies’ under the ‘Identity Management’ menu.

          Push ‘Add’ to provision a new authentication policy, in this case a PIN-only profile.

          Assign the name pin to the authentication policy and, in the Policy input box, enter PIN.

          Press the ‘Submit’ button to commit changes.



      Task 2 – Provision a new Local User

          Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to
          provision a new user.

          Select Type as Local and assign the user ID user01. Enter the rest of the user
          information accordingly.

          Pick pin as the Authentication Policy for user01.



      Task 2 – Provision a new LDAP User

          Launch ‘User Repository Profiles’ and provision your testing LDAP or Microsoft
          Active Directory.

          Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to
          provision a new remote user.

          Select Type as Remote and use the user lookup tool to pick an existing user in the
          previously configured directory server.

          Again, assign Authentication Policy as pin.




Configure Spitfire Identity Manager for Life-cycle Security
Device Management
          Spitfire Identity Manager provides the capability for enterprises to manage their
          various kinds of security devices and enables security officers to assign devices to
          individual users easily and effectively.

          Spitfire Identity Manager supports management of
              HMAC-based OTP devices
              Time-based OTP devices
              SMS OTP devices
              Email OTP devices
              Smart cards and tokens


          Spitfire Identity Manager is interoperable with any brand of OATH-compliant
          HMAC-based or time-based OTP devices or software applications. Spitfire
          Identity Manager provides the ability to register the shared secrets of OTP devices.
          For software-based OTP applications, Spitfire Identity Manager
          also offers shared secret generation and tools for easily synchronizing the shared
          secret to the applications.

          Users can also leverage their mobile phones or email addresses to strengthen
          the authentication process by means of SMS-OTP and email-OTP. Spitfire Identity
          Manager provides highly customizable delivery profiles for automatic dispatch of
          randomly generated OTPs, without the need to carry extra hardware devices or to
          go through the complex procedure of initializing an OTP token.

          One-time passwords introduce a second means of assuring the identity of a user, so
          that in the worst case, where the authentication channel is tapped or the first-factor
          credentials, e.g. passwords, are known, they effectively block hackers and crackers
          from impersonating a user. OTP also adds randomness to the authentication
          process, making replay attacks impossible.

          OTP raises the difficulty of identity theft and thus strengthens authentication. Technically,
          the strongest type of data protection is cryptography. Applied to strong identity,
          public key infrastructure enables a user to claim his/her identity by digitally signing
          random challenges with his/her private key, followed by verification of the
          generated signature with his/her public key. Spitfire Identity Manager provides
          key management and industry-standard cryptographic services, making
          strong authentication even stronger.




Exercise: Provision Your First OTP Device
      Task 1 – Google Authenticator

          Google Authenticator is a free software-based OTP application supporting both
          the HOTP and TOTP standards.

          Download Google Authenticator from Android market or Apple iTunes App Store
          and install it on your smart phone or tablet.



      Task 2 – Provision Google Authenticator as Your OTP Device

          Launch the ‘Devices’ tool under the ‘Identity Management’ menu.

          Push ‘Add’ to create a new device totp01.

          Select Type as TOTP.

          Push the ‘Generate’ button to generate a new Shared Secret. Press ‘Barcode’ to display
          a 2D QR code, which is to be synchronized to Google Authenticator.



      Task 3 – Assign Device to User

          Locate user01 and assign totp01 to the user.

          Create a new authentication policy named pin-totp with Policy PIN && TOTP.
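
          What the shared secret provisioned in Task 2 is used for, as an added Java example
          (not Bloombase code and not part of the original guide): it generates a secret, builds
          the Key URI that Google Authenticator reads from a QR code, and verifies a TOTP with a
          one-step drift window while rejecting a reused time step. The issuer name, the
          6-digit/30-second parameters and the idea that the appliance's barcode carries this URI
          format are assumptions.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TotpDeviceExample {
    private static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    private static final int PERIOD = 30;   // seconds per time step (assumed)
    private static final int DIGITS = 6;    // OTP length (assumed)

    private long lastAcceptedStep = -1;     // per-device state used to reject replays

    // Random shared secret; 20 bytes matches the HMAC-SHA1 output size.
    static byte[] generateSecret() {
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    // RFC 4648 Base32 without padding, the encoding authenticator apps expect.
    static String base32(byte[] data) {
        StringBuilder sb = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                sb.append(B32.charAt((buffer >> (bits - 5)) & 31));
                bits -= 5;
            }
        }
        if (bits > 0) sb.append(B32.charAt((buffer << (5 - bits)) & 31));
        return sb.toString();
    }

    // Key URI as encoded in the QR code scanned by Google Authenticator.
    static String keyUri(String issuer, String account, byte[] secret) throws Exception {
        String label = URLEncoder.encode(issuer + ":" + account, "UTF-8").replace("+", "%20");
        String iss = URLEncoder.encode(issuer, "UTF-8").replace("+", "%20");
        return "otpauth://totp/" + label + "?secret=" + base32(secret) + "&issuer=" + iss
                + "&algorithm=SHA1&digits=" + DIGITS + "&period=" + PERIOD;
    }

    // RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
    static String hotp(byte[] secret, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        int mod = (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", bin % mod);
    }

    // RFC 6238 TOTP check: counter = time / period. Accepts the current step and one
    // step either side for clock drift, compares in constant time, and refuses any
    // step at or before the last accepted one so a captured code cannot be reused.
    boolean accept(byte[] secret, String candidate, long unixSeconds) throws Exception {
        long current = unixSeconds / PERIOD;
        byte[] given = candidate.getBytes(StandardCharsets.US_ASCII);
        long matched = -1;
        for (long step = current - 1; step <= current + 1; step++) {
            if (step < 0) continue;
            byte[] expected = hotp(secret, step).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) matched = step;
        }
        if (matched < 0 || matched <= lastAcceptedStep) return false;
        lastAcceptedStep = matched;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 test secret; at T=59 s the 6-digit SHA-1 code is 287082.
        byte[] rfcSecret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        System.out.println("TOTP(T=59) = " + hotp(rfcSecret, 59 / PERIOD));

        TotpDeviceExample totp01 = new TotpDeviceExample();   // device name from the exercise
        System.out.println("first use  = " + totp01.accept(rfcSecret, "287082", 59));
        System.out.println("replay     = " + totp01.accept(rfcSecret, "287082", 59));
        System.out.println("wrong code = " + totp01.accept(rfcSecret, "000000", 120));

        // Fresh secret for a new device; "Spitfire" as issuer is a constructed value.
        System.out.println(keyUri("Spitfire", "user01", generateSecret()));
    }
}
```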




Spitfire Identity API
          Bloombase Spitfire Identity Manager exposes its strong authentication and
          security services via an application programming interface (API).

          The Bloombase Spitfire Identity Manager API includes a set of RESTful methods
          to send and receive security data.

          REST does not require a specific client API library to be deployed and configured. It
          is based on industry-standard HTTP connectivity. It is therefore portable across
          platforms and can be used from virtually all operating
          systems and devices.

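          import java.io.BufferedReader;
          import java.io.IOException;
          import java.io.InputStream;
          import java.io.InputStreamReader;
          import java.net.HttpURLConnection;
          import java.net.URL;
          import java.nio.charset.StandardCharsets;

          public class SpitfireIdentityClient {
              public static void main(String[] args) throws IOException {
                  // AuthenticatePassword request; Format=txt selects the plain-text response
                  URL url = new URL("https://spitfireim:8451/SpitfireIdentityServlet"
                          + "?Command=AuthenticatePassword&UserID=user01&Password=password&Format=txt");
                  HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
                  httpConn.setDoOutput(false); // GET request, no request body
                  httpConn.connect();

                  // getInputStream() throws on an HTTP error status; read the error body instead
                  InputStream is;
                  try {
                      is = httpConn.getInputStream();
                  } catch (IOException e) {
                      is = httpConn.getErrorStream();
                  }
                  if (is == null) {
                      throw new IOException("no response body from server");
                  }

                  try (BufferedReader reader = new BufferedReader(
                          new InputStreamReader(is, StandardCharsets.UTF_8))) {
                      String line;
                      while ((line = reader.readLine()) != null) {
                          System.out.println(line);
                      }
                  } finally {
                      httpConn.disconnect();
                  }
              }
          }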




            Depending on the Format parameter, the service response from the Spitfire Identity API
            takes one of the forms below

      txt

            OK


      json

            {
                  "SID":"1E6FEC0D14D044541DD84D2D013D29ED",
                  "Status":"OK"
            }


      xml

            <?xml version="1.0" encoding="UTF-8"?>
            <SpitfireIdentityResponse>
               <SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>
               <Status>OK</Status>
            </SpitfireIdentityResponse>




Exercise: User Authentication Using Spitfire Identity API
      Task 1 – Pin Authentication

          Using a Java program, a shell script, or simply a web browser, attempt to
          sign on user user01.

          As an example, the URL for the Spitfire Identity REST API should take the
          following form:

          https://spitfireim:8451/SpitfireIdentityServlet?Command=AuthenticatePassword&UserID=user01&Password=123456&Format=xml




      Task 2 – Verify If Fully Authenticated

          Use the IsAuthenticated command to verify whether the user has successfully
          authenticated.

          Note that the previous AuthenticatePassword service invocation returns an
          SID, which has to be reused to check whether the user's authentication
          sequence already satisfies the preconfigured authentication policy.




Copyright © 2011 Bloombase Technologies, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of Bloombase Technologies in United States and/or other jurisdictions.
All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is
subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Bloombase shall not be liable for technical or editorial errors or omissions contained herein.

ES-351 Bloombase Spitfire Identity Manager Essentials

  • 1. Bloombase Spitfire Identity Manager Essentials Bloombase Enterprise Services ES-351 Training Guide Revision 1
  • 2. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Bloombase Technologies. Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Bloombase Technologies, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with Bloombase Technologies, and neither the document nor any such information may be released without the written consent of Bloombase Technologies. © 2011 Bloombase Technologies Bloombase, Spitfire, StoreSafe and Keyparc are either registered trademarks or trademarks of Bloombase Technologies in the United States, People’s Republic of China, Hong Kong Special Administrative Region and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Document No.: BLBS_ES-351_BloombaseSpitfireIdentityManagerEssentials_R1
  • 3. Table of Contents Table of Contents 3 About This Course 5 Course Map 6 Topics Not Covered 7 How Prepared Are You? 8 Introductions 9 How to Use Course Materials 10 Introducing Bloombase Spitfire Identity Manager 11 Overview 12 Bloombase Spitfire Identity Manager Installation 14 Spitfire Identity Manager on SpitfireOS Installation 15 Spitfire Identity Manager VMware Virtual Appliance Installation 16 Spitfire Identity Manager for Unix/Linux Installation 17 Spitfire Identity Manager for Microsoft Windows Installation 18 Exercise: Install Spitfire Identity Manager 19 Task 1 – Install Spitfire Identity Manager from ISO disk image 19 Task 2 – Initialize Spitfire Identity Manager 19 Bloombase Spitfire Identity Manager Configuration 20 Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console21 Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management 22 Exercise: Provision Your First Spitfire Identity User 24 Task 1 – Provision a Pin Only Authentication Policy 24 Task 2 – Provision a new Local User 24 Task 2 – Provision a new LDAP User 24 Configure Spitfire Identity Manager for Life-cycle Security Device Management 26
  • 4. Exercise: Provision Your First OTP Device 28 Task 1 – Google Authenticator 28 Task 2 – Provision Google Authenticator as Your OTP Device 28 Task 3 – Assign Device to User 28 Spitfire Identity API 29 txt 30 json 30 xml 30 Exercise: User Authentication Using Spitfire Identity API 31 Task 1 – Pin Authentication 31 Task 2 – Verify If Fully Authenticated 31
  • 5. Bloombase Spitfire Identity Manager Essentials
      About This Course
      Upon completion of this course, you should be able to:
      • Install Bloombase Spitfire Identity Manager physical appliance
      • Install Bloombase Spitfire Identity Manager virtual appliance
      • Install Bloombase Spitfire Identity Manager software server
      • Configure Bloombase Spitfire Identity Manager for enterprise-scale user identity management and security device asset management
      • Make use of Bloombase Spitfire Identity Manager API for application integration
      5 Bloombase Spitfire Identity Manager Essentials Copyright 2011 Bloombase Technologies. All Rights Reserved. Bloombase Enterprise Services. Revision 1
  • 6. Course Map
      The following course map enables you to see what you have accomplished and where you are going in reference to the course goals:
      • Introducing Bloombase Spitfire Identity Manager
      • Installation
          • Bloombase Spitfire Identity Manager on SpitfireOS
          • Bloombase Spitfire Identity Manager VMware virtual appliance
          • Bloombase Spitfire Identity Manager for Unix/Linux
          • Bloombase Spitfire Identity Manager for Microsoft Windows
      • Operation
          • Performing basic administration, configuration, user provisioning and security device provisioning
          • Developing applications to interface with Bloombase Spitfire Identity Manager API for user authentication and identity management
  • 7. Topics Not Covered
      This course does not cover the topics shown on the overhead. Many of the topics listed on the overhead are described in other courses offered by Bloombase Enterprise Services:
      • Bloombase Spitfire Server – Described in ES-311: Bloombase Spitfire Server Essentials
      • Bloombase Spitfire KeyCastle – Described in ES-319: Bloombase Spitfire KeyCastle Essentials
      • Bloombase Spitfire Ethernet Encryptor – Described in ES-321: Bloombase Spitfire Ethernet Encryptor Essentials
      • Bloombase Spitfire High Availability Cluster – Described in ES-361: Bloombase Spitfire High Availability Cluster Essentials
  • 8. How Prepared Are You?
      To be sure you are prepared to take this course, can you answer yes to the following questions?
      • Can you perform basic Unix-like and Windows Operating System (OS) administration tasks, such as using tar commands, creating user accounts, formatting disk drives, using vi, ssh and sftp, installing a Unix-like OS, installing patches, and adding packages?
      • Do you have prior experience with enterprise-grade hardware?
      • Do you have hands-on experience with enterprise identity management tools such as LDAP and Microsoft Active Directory?
      • Are you familiar with data protection and security technologies, such as firewalls, network encryption protection, symmetric and asymmetric encryption technologies, and public key infrastructure (PKI)?
      • Do you have prior experience with HTTP web-based server system technologies?
      • Do you have prior knowledge of a programming language such as Java or C?
      • Are you familiar with software application installation on Windows or Linux?
      • Are you familiar with PKCS#11 smart cards and/or smart tokens?
  • 9. Introductions
      Now that you have been introduced to the course, introduce yourself to each other and the instructor, addressing the items shown in the following bullets.
      • Name
      • Company affiliation
      • Title, function, and job responsibility
      • Experience related to topics presented in this course
      • Reasons for enrolling in this course
      • Expectations for this course
  • 10. How to Use Course Materials
      To enable you to succeed in this course, these course materials use a learning model that is composed of the following components:
      • Goals – You should be able to accomplish the goals after finishing this course and meeting all of its objectives
      • Objectives – You should be able to accomplish the objectives after completing a portion of instructional context. Objectives support goals and can support other higher-level objectives
      • Lecture – The instructor will present information specific to the objective of the modules. This information should help you learn the knowledge and skills necessary to succeed with the activities
      • Activities – The activities take on various forms, such as an exercise, self-check, discussion, and demonstration. Activities help to facilitate mastery of an objective
      • Visual aids – The instructor might use several visual aids to convey a concept, such as a process, in a visual form. Visual aids commonly contain graphics, animation, and video
  • 11. Introducing Bloombase Spitfire Identity Manager
      Upon completion of this module, you should be able to
      • Tell what Bloombase Spitfire Identity Manager does
      • Tell what problems Bloombase Spitfire Identity Manager solves
      • Tell what applications Bloombase Spitfire Identity Manager is for
  • 12. Overview
      Bloombase Spitfire Identity Manager is a complete strong authentication solution for enterprise end users. It enables two-factor authentication to protect user identities and core business information.
      The recent rise in phishing attacks and identity theft has increased the need to protect online identities. Bloombase Spitfire Identity Manager protects user identities and, when used in connected mode, defends against phishing attacks by detecting fraudulent sites.
      Bloombase Spitfire Identity Manager combines the following authentication methods in a single solution with thin user provisioning capabilities:
      • User name and password
      • Lightweight Directory Access Protocol (LDAP)
      • Microsoft Active Directory
      • OATH-based one-time password
      • SMS-based mobile one-time password
      • SMTP-based email one-time password
      • IBM Lotus Notes one-time password
      • PKI-based smart card/token
      • PKI-based soft security vault
      Two-factor authentication greatly enhances system security by combining something the user has, such as a personal device, and something the user knows, such as a password. Bloombase Spitfire Identity Manager uses these elements to form a unique combination that someone must have to connect to a system.
      Smart cards feature a small embedded chip which operates as a mini-computer that not only securely stores data but also can process information and react to its environment. These features give smart cards the unique ability to provide secure, portable access to personalized services while protecting each user’s privacy and identity.
  • 13. Bloombase Spitfire Identity Manager can be integrated with enterprise applications in 3 ways:
      • AAA RADIUS
      • Client web portal for web-based authentication workflow integration
      • Application programming interface (API)
  • 14. Bloombase Spitfire Identity Manager Installation
      Upon completion of this module, you should be able to
      • Install Bloombase Spitfire Identity Manager on a physical appliance
      • Install Bloombase Spitfire Identity Manager VMware virtual appliance
      • Install Bloombase Spitfire Identity Manager as a host application in Unix and Windows environment
  • 15. Spitfire Identity Manager on SpitfireOS Installation
      The Spitfire Identity Manager for SpitfireOS ISO disk image can be deployed on standalone hardware appliances for customers requiring highly customized system resource allocation.
      The Spitfire Identity Manager for SpitfireOS ISO disk image
          bloombase-spitfire-identity-<version>.iso
      can be mounted directly as a virtual disk drive on VMware Server/ESXi, or it can be burned to an installation CD/DVD and installed from the disk drive of a physical appliance or of a virtual machine container such as VMware ESXi.
      Bloombase SpitfireOS will guide you through the rest of the installation process to get SpitfireOS installed and will automatically install Spitfire Identity Manager.
  • 16. Spitfire Identity Manager VMware Virtual Appliance Installation
      Spitfire Identity Manager is available as a VMware virtual appliance for installation-free deployment in VMware Server and ESXi environments.
      Simply import the Spitfire Identity Manager VMware virtual appliance file
          bloombase-spitfire-identity-<version>.ova
      into VMware Server or ESXi to create a new virtual appliance that is ready to run in minutes.
  • 17. Spitfire Identity Manager for Unix/Linux Installation
      Spitfire Identity Manager is available as a software-only package, not bundled with SpitfireOS, for deployment as a host application in Unix-like environments.
      To start software installation of Spitfire Identity Manager on the host operating system, launch the installer by invoking the command
          ./bloombase-spitfire-identity-<version>-<platform>.bin
      at the command prompt.
      By default, the Spitfire Identity Manager software server is delivered at file location
          /spitfire-identity
  • 18. Spitfire Identity Manager for Microsoft Windows Installation
      Spitfire Identity Manager for Microsoft Windows is available as a software-only package, not bundled with SpitfireOS, for deployment as a host application in Microsoft Windows environments.
      To start the installation process, launch the Spitfire Identity Manager for Windows installer
          bloombase-spitfire-identity-<version>-<platform>.exe
      The installer will guide you through the rest of the setup process.
      By default, Spitfire Identity Manager is installed at
          spitfire-identity
  • 19. Exercise: Install Spitfire Identity Manager
      Task 1 – Install Spitfire Identity Manager from ISO disk image
      Create a new Linux-based virtual machine with at least 512MB main memory.
      Mount the Spitfire Identity Manager ISO disk image as a virtual disk drive.
      Power on the virtual machine and follow the SpitfireOS installer, which will guide you through the rest of the installation.
      Task 2 – Initialize Spitfire Identity Manager
      Sign on to the Spitfire Identity Manager CLI console and configure network parameters for Spitfire Identity Manager.
      Sign on to the Spitfire Identity Manager web-based management console and follow the instructions to initialize Spitfire Identity Manager.
  • 20. Bloombase Spitfire Identity Manager Configuration
      Upon completion of this module, you should be able to
      • Spitfire Identity Manager web based management console
      • Configure Spitfire Identity Manager for life-cycle user identity and authentication policy management
      • Configure Spitfire Identity Manager for LDAP and Microsoft Active Directory identity management
      • Configure Spitfire Identity Manager for life-cycle security device management
      • Configure Spitfire Identity Manager for one time password management
      • Configure Spitfire Identity Manager for smart card and smart token management
  • 21. Bloombase Spitfire Identity Manager Administrator Portal / Web Management Console
      The Bloombase Spitfire Identity Manager web management console for administrators can be accessed by pointing a web browser to one of the URLs below:
          https://<spitfireim>:8451
      or
          https://<spitfireim>:8451/admin
  • 22. Configure Spitfire Identity Manager for Life-cycle User Identity and Authentication Policy Management
      Spitfire Identity Manager combines
      • User identity management
      • Key management
      • Multi-factor authentication
      • Strong authentication device management
      • Authentication policy management
      in a purpose-built solution for large-scale enterprises and organizations.
      A user can possess multiple security devices of multiple types, including
      • HMAC-based OTP device(s)
      • Time-based OTP device(s)
      • SMS OTP
      • Email OTP
      • Smart card(s)
      • Smart token(s)
      • X.509 key pair(s)
      To assure the identity of a user, Spitfire Identity Manager offers a customizable, rule-based multiple-factor authentication mechanism which fits the security requirements of any organization.
      Spitfire Identity Manager provides local management of user credentials. For most large organizations that already have an identity manager deployed, a more manageable option is to integrate the existing identity manager with Spitfire Identity Manager for user provisioning and password management.
  • 23. Spitfire Identity Manager supports directory access to major identity servers including LDAP and Microsoft Active Directory.
      Spitfire Identity Manager can also process user ID and passphrase authentication against relational database user tables, which are commonly seen in enterprises running ERP, CRM or other groupware.
  • 24. Exercise: Provision Your First Spitfire Identity User
      Task 1 – Provision a Pin Only Authentication Policy
      Sign on to the Spitfire Identity Manager web management console.
      Start ‘Authentication Policies’ under the ‘Identity Management’ menu.
      Push ‘Add’ to provision a new authentication policy, in this case a pin only profile.
      Assign the name pin to the authentication policy and, in the Policy input box, enter PIN.
      Press the ‘Submit’ button to commit changes.
      Task 2 – Provision a new Local User
      Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to provision a new user.
      Select Type as Local and assign the user ID as user01. Enter the rest of the user information accordingly.
      Pick pin as the Authentication Policy for user01.
      Task 2 – Provision a new LDAP User
      Launch ‘User Repository Profiles’ and provision your testing LDAP or Microsoft Active Directory.
      Launch the ‘Users’ tool under the ‘Identity Management’ menu and press ‘Add’ to provision a new remote user.
  • 25. Select Type as Remote and use the user lookup tool to pick an existing user in the previously configured directory server.
      Again, assign Authentication Policy as pin.
  • 26. Configure Spitfire Identity Manager for Life-cycle Security Device Management
      Spitfire Identity Manager provides the capability for enterprises to manage their various kinds of security devices and enables security officers to assign devices to individual users easily and effectively.
      Spitfire Identity Manager supports management of
      • HMAC-based OTP devices
      • Time-based OTP devices
      • SMS OTP devices
      • Email OTP devices
      • Smart cards and tokens
      Spitfire Identity Manager is interoperable with any brand of OATH-compliant HMAC-based or time-based OTP devices or software applications. Spitfire Identity Manager provides the ability to register shared secrets of OTP devices. For software-based OTP applications, Spitfire Identity Manager also offers shared secret generation and tools for synchronizing the shared secret to the applications easily.
      Users can also leverage their mobile phones or email addresses to strengthen the authentication process by means of SMS-OTP and email-OTP. Spitfire Identity Manager provides highly customizable delivery profiles for automatic dispatch of randomly generated OTPs, without the need to carry extra hardware devices or go through the complex procedure of initializing an OTP token.
      A one-time password introduces a second means to assure the identity of a user, such that in the worst-case scenario, where the authentication channel is tapped or the first-factor credentials (e.g. passwords) are known, it effectively blocks hackers and crackers from impersonating a user. OTP also adds randomness to the authentication process, making replay attacks impossible. OTP raises the difficulty of identity theft and thus strengthens authentication.
  • 27. Technically, the strongest type of data protection is cryptography. Applied to strong identity, public key infrastructure enables a user to claim his/her identity by digitally signing random challenges with his/her private key, followed by verification of the generated signature with his/her public key.
      Spitfire Identity Manager provides management of keys and industry-standard cryptographic services, making strong authentication even stronger.
  • 28. Exercise: Provision Your First OTP Device
      Task 1 – Google Authenticator
      Google Authenticator is a free software-based OTP application supporting both the HOTP and TOTP standards.
      Download Google Authenticator from Android market or Apple iTunes App Store and install it on your smart phone or tablet.
      Task 2 – Provision Google Authenticator as Your OTP Device
      Launch the ‘Devices’ tool under the ‘Identity Management’ menu.
      Push ‘Add’ to create a new device totp01.
      Select Type as TOTP.
      Push the ‘Generate’ button to generate a new Shared Secret.
      Press ‘Barcode’ to display a 2-d QR code which is to be synchronized to Google Authenticator.
      Task 3 – Assign Device to User
      Locate user01 and assign totp01 to the user.
      Create a new authentication policy named pin-totp with Policy
          PIN && TOTP
  • 29. Spitfire Identity API
      Bloombase Spitfire Identity Manager exposes its strong authentication and security services via an application programming interface (API).
      The Bloombase Spitfire Identity Manager API includes a set of RESTful methods to send and receive security data. REST does not require a specific client API library to be deployed and configured. It is based on industry-standard HTTP connectivity. Therefore, it guarantees platform portability and can be supported on virtually all operating systems and devices.

        import java.io.BufferedReader;
        import java.io.IOException;
        import java.io.InputStream;
        import java.io.InputStreamReader;
        import java.net.HttpURLConnection;
        import java.net.URL;

        public class AuthenticatePasswordExample {
            public static void main(String[] args) throws IOException {
                // Call the AuthenticatePassword command and ask for a plain-text response
                HttpURLConnection httpConn = (HttpURLConnection) new URL(
                        "https://spitfireim:8451/SpitfireIdentityServlet"
                        + "?Command=AuthenticatePassword&UserID=user01&Password=password&Format=txt")
                        .openConnection();
                httpConn.setDoOutput(false);
                httpConn.connect();
                InputStream is;
                try {
                    is = httpConn.getInputStream();
                } catch (IOException e) {
                    // On an HTTP error status, read the error body instead
                    is = httpConn.getErrorStream();
                }
                if (is == null) {
                    throw new IOException("No response body from server");
                }
                // Print the service response line by line
                BufferedReader reader = new BufferedReader(new InputStreamReader(is));
                String line;
                while ((line = reader.readLine()) != null) {
                    System.out.println(line);
                }
                reader.close();
            }
        }
  • 30. Depending on the Format parameter, the service response from Spitfire Identity API might take one of the forms below.
      txt

        OK

      json

        {
          "SID":"1E6FEC0D14D044541DD84D2D013D29ED",
          "Status":"OK"
        }

      xml

        <?xml version="1.0" encoding="UTF-8"?>
        <SpitfireIdentityResponse>
          <SID>1E6FEC0D14D044541DD84D2D013D29ED</SID>
          <Status>OK</Status>
        </SpitfireIdentityResponse>
  • 31. Exercise: User Authentication Using Spitfire Identity API
      Task 1 – Pin Authentication
      Using a Java program, a shell script or simply a web browser, attempt to sign on user user01.
      As an example, the URL for the Spitfire Identity REST API should take the following form:
          https://spitfireim:8451/SpitfireIdentityServlet?Command=AuthenticatePassword&UserID=user01&Password=123456&Format=xml
      Task 2 – Verify If Fully Authenticated
      Use the command IsAuthenticated to verify whether the user has successfully authenticated.
      Note that the previous AuthenticatePassword service invocation returns an SID, which has to be reused to check whether the user authentication sequence already satisfies the preconfigured authentication policy.
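Added example (not Bloombase code): a client-side helper for the exercise above that percent-encodes the query parameters, masks the password before a request URL is written to a log, and parses the three response formats printed on slide 30. The function names and the SID parameter name on IsAuthenticated are assumptions; the sample responses are the ones shown on the slides.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE = "https://spitfireim:8451/SpitfireIdentityServlet"  # host as on the slides
SECRET_PARAMS = {"Password"}  # values that must never reach a log file


def build_url(command, fmt="json", **params):
    """Build a request URL; urlencode() escapes '&', '=' and spaces in values."""
    return BASE + "?" + urlencode({"Command": command, **params, "Format": fmt})


def redact(url):
    """Return a copy of the URL with secret parameter values masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def parse_response(body, fmt):
    """Normalise a txt, json or xml response to {'Status': ..., 'SID': ...}."""
    if fmt == "txt":
        return {"Status": body.strip(), "SID": None}  # txt carries no SID
    if fmt == "json":
        data = json.loads(body)
        return {"Status": data.get("Status"), "SID": data.get("SID")}
    if fmt == "xml":
        root = ET.fromstring(body.strip().encode("utf-8"))
        if root.tag != "SpitfireIdentityResponse":
            raise ValueError("unexpected root element: " + root.tag)
        return {"Status": root.findtext("Status"), "SID": root.findtext("SID")}
    raise ValueError("unknown format: " + fmt)


def is_authenticated_url(auth_result, fmt="json"):
    """URL for the follow-up IsAuthenticated call (Task 2).

    Assumption: the session ID is passed back in a parameter named SID.
    """
    if auth_result["Status"] != "OK" or not auth_result["SID"]:
        raise ValueError("no usable SID; request json or xml and check Status")
    return build_url("IsAuthenticated", fmt, SID=auth_result["SID"])


# Sample responses copied from the slides.
SAMPLE_TXT = "OK"
SAMPLE_JSON = '{ "SID":"1E6FEC0D14D044541DD84D2D013D29ED", "Status":"OK" }'
SAMPLE_XML = ('<?xml version="1.0" encoding="UTF-8"?> <SpitfireIdentityResponse> '
              '<SID>1E6FEC0D14D044541DD84D2D013D29ED</SID> <Status>OK</Status> '
              '</SpitfireIdentityResponse>')

if __name__ == "__main__":
    url = build_url("AuthenticatePassword", "xml", UserID="user01", Password="123456")
    print("request:", redact(url))
    result = parse_response(SAMPLE_XML, "xml")
    print("parsed: ", result)
    print("next:   ", redact(is_authenticated_url(result)))
```

Because the txt form returns only the status, a client that needs the SID for Task 2 has to request json or xml in Task 1.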
  • 32. Copyright © 2011 Bloombase Technologies, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase Technologies in United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein.