<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
Yes, it is just Tomcat. MidPoint does not have its own web
listeners. It relies completely on the web container. Therefore all
the channel security settings of the web container also apply to
midPoint services (both REST and SOAP). Some people also deploy
Apache HTTP Server or nginx as a reverse proxy in front of Tomcat,
so that might also be a good point to set up SSL/TLS. The web
service and REST service have fixed URL prefixes, therefore the
policies can be applied selectively (e.g. do not allow non-HTTPS
connections to those prefixes).<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
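<p>As an added example (not from this thread or the midPoint project), the selective policy described above can be expressed in Tomcat as a security constraint in the midPoint webapp's WEB-INF/web.xml that requires a confidential (TLS) transport for the web service prefixes. The prefixes /ws/* (SOAP) and /ws/rest/* (REST) and the port 8443 mentioned in the comments are assumptions; check them against your deployment.</p>

```xml
<!-- Fragment of WEB-INF/web.xml for the midPoint webapp (added example; prefixes are assumptions). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>midPoint web services</web-resource-name>
    <!-- Assumed layout: SOAP endpoints under /ws/, REST under /ws/rest/,
         so a single /ws/* pattern covers both. -->
    <url-pattern>/ws/*</url-pattern>
    <!-- No http-method list: the constraint applies to every method. -->
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: Tomcat rejects plain HTTP for these URLs. If the HTTP
         connector in conf/server.xml has redirectPort="8443" (assumed) the
         client is redirected to the HTTPS connector; without a redirect
         port Tomcat answers 403, so a password POST never travels in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The HTTPS connector itself (keystore, port) is still configured in Tomcat's conf/server.xml. If a reverse proxy terminates TLS in front of Tomcat, configure RemoteIpValve with the X-Forwarded-Proto header (or mark the connector secure="true") so Tomcat treats proxied requests as HTTPS and this constraint does not reject them.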
<br>
<br>
On 02/09/2016 11:12 PM, Roberto Casiano wrote:<br>
</div>
<blockquote
cite="mid:SG2PR06MB07271707C08E64AC62851DBFCCD60@SG2PR06MB0727.apcprd06.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Radovan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks for the
explanation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">How do you
configure REST service to use HTTPS? Is it just in tomcat?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Rob<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:EN-AU"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:EN-AU"
lang="EN-US"> midPoint
[<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Radovan Semancik<br>
<b>Sent:</b> Wednesday, 10 February 2016 3:51 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] REST - POSTing passwords
in the clear<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi,<br>
<br>
This is a bit complicated. Theoretically you should be able
to send an encrypted password, but to do that you will need a
key. The key is symmetric and it is stored in the midPoint
keystore. If you take that key, encrypt the data and provide
the proper key identifier, midPoint should accept that. We
haven't tested that, but it theoretically should work.<br>
<br>
... but ...<br>
<br>
distributing the symmetric key from the midPoint keystore to
the clients may not be a good idea from a security
perspective. The password key in midPoint was designed to
protect cleartext passwords in the database, e.g. if the
attacker manages to make a database dump or if he can get
database backups. The passwords stored there will be
useless, because the key is stored outside of the database
(and as it is a regular Java keystore it can be stored even in
an HSM). By distributing this key over the network the attack
surface increases significantly. It is all about the
security trade-offs. However, there is one trick that you
might be able to use: midPoint supports several keys used at
the same time. One is the (primary) encryption key that is used
to store new password values. But midPoint will be able to
decrypt data encrypted by any key that is in the keystore
and that was properly identified in the ProtectedString data
structure. Therefore you can create a new key and distribute
it pair-wise between the client and midPoint. MidPoint should
be able to accept data encrypted like this. The
ProtectedString data structure is based on the (slightly
simplified) XML Encryption standard, so you will find all
the necessary documentation there. We have never tested this
use case and therefore there may be some bugs. But any such
bugs will be easy to fix.<br>
<br>
Anyway ... my personal recommendation would be to choose an
entirely different solution: send the password in
&lt;clearValue&gt; elements but protect the channel using
HTTPS. This is clearly the simplest solution. It is not
ideal, but it is used all over cyberspace. Therefore if
you go this way your solution is unlikely to have lower
security than the rest of your system.<br>
<br>
<br>
<span style="font-size:12.0pt;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Radovan Semancik<o:p></o:p></pre>
<pre>Software Architect<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
<p class="MsoNormal"><br>
<br>
On 02/09/2016 08:01 AM, Roberto Casiano wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Using REST, we’re creating and modifying
users, including setting passwords. However, the passwords
are in cleartext. I noticed though that in the repository,
the user passwords are encrypted.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol>
<li>Is it possible to send encrypted passwords (during both user
creation and modification)?</li>
<li>Where can the REST client (which is our app) get the key that
midPoint uses for the password?</li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Rob<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-AU"><br>
<br>
<i>This email, and any attachment, is confidential and
also privileged. If you have received it in error,
please notify me immediately and delete it from your
system along with any attachments. You should not copy
or use it for any purpose, nor disclose its contents to
any other person. </i><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
<br>
<br>
</body>
</html>