Posts

Converting .pfx file to .jks file

keytool -importkeystore -srckeystore pkcs12FileName.pfx -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks

Setting up SAML-based sign-on for Enterprise application in Azure AD

When I was a developer, I was assigned to a project to enable SAML login from the client's IDP to our application. That was the project I wanted to do. I did some study, and then was "requested" to help out a Java project. And someone else was "requested" to do research and a POC on behalf of myself, and I'd do the development. A funny arrangement by the management. I am trying to convince myself that I am not complaining, but I am not convinced though. Anyway...

In my recent projects (and no longer as a developer), I am involved in SAML setup-related tasks. This is my second run on a trial version of an enterprise tool to figure out how the client can set up SAML in order to connect to our application. :D

Ignore all the unorganized setup in my Azure account. This is my first time using it, and free trial time is ticking.

This post is mainly about setting up SAML-based sign-on to a 3rd party application in Azure AD. Click on the image to view it at its original size for clea…

CCSP Domain 2 : Cloud Data Security - Part 2

D2 : Cloud Data Security

M6 : Ensure Compliance with Regulations and Controls
IT Service Management (ITSM)
Management and oversight to ensure alignment between IT and business.

Configuration Management
Maintain information about configuration items required to deliver an IT service, including their relationship.

Change Management
An approach to transitioning individuals, teams, and organizations to a desired future state.
Respond to a customer's changing business requirements
Respond to business and IT requests
Ensure changes are recorded and evaluated
Ensure the authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner
Ensure all changes to configuration items are recorded in the configuration management system
Optimize overall business risk

Incident Management
To identify, analyze, and correct hazards to prevent a future re-occurrence of an incident.
Event : A change of state that has significance for the management of an IT service or othe…

CCSP Domain 2 : Cloud Data Security - Part 1

OMG! I can't believe that a year has passed by, and I did not write up the last 2 topics that I'd like to cover in RHCE! Those posts were prepared after I had finished and passed RHCE. Anyway, I am in preparation for another certification, CCSP. I thought of "documenting" my study notes in order to help me organize them, and also to help me reinforce my understanding of the topics.

I am going to start from Domain 2.

D2 : Cloud Data Security

M1 : Understand Cloud Data Life Cycle


Process overview
This table lays out the possible access and allowed access by function/actor/location. The access control requirements and design can be derived from this table.



M2 : Understand Implication of Cloud to Enterprise Risk
Risk management


Risk framework


Key roles associated with data management

Data subject: individual who is the subject of personal data
Data controller : person who determines the purpose and how to process personal data
Data processor : person who process…

Network Manager

This should be the third last topic that I'd like to share related to my RHCE course, but my brain just hung there without any progress. So I proceeded with SELinux and firewall first.

I am still trying to understand the networking terms; teaming and bridge are 2 new words that I learned from the RH Admin III course. Actually, I still don't quite understand what the usage is for these. When I set up VirtualBox for this series of sharings, I started to understand more about bridge... Anyway, let me stay focused on the topic (how-to).

The Network Manager commands (nmcli) are rather easy to use, if you know what you are trying to do.

Network teaming

I did some hacks to make 2 available interfaces, enp0s8 and enp0s10.


Next, create a team master. This team master will be configured with the activebackup setting, i.e. one port/link is used while the other is reserved as backup.


Now create the team slaves (team ports).


Use teamdctl to see the status of the teaming. This is provided in the teamd package.


Currently,…

SELinux

SELinux stands for NSA Security-Enhanced Linux.

By default, the setting for SELinux is set in /etc/selinux/config. The default setup is permissive, in which, if the SELinux policy is violated, warnings are logged rather than the service being prohibited from running properly.

SELinux config file content.


In permissive mode, the log is captured in /var/log/audit/audit.log file.

Port related

Let's do a test.


I set the httpd service to also listen on port 1234, which is not a conventional port number for httpd. In permissive mode, the httpd service restarts successfully. However, there's an entry in the audit.log file.


When I set SELinux to enforcing, the service failed to start. This is a snippet of the log when I get the status of the httpd service.


From the log in the audit.log file and also the status log, port 1234 is the culprit. It should be added to the related SELinux policy. I am adding the port to http_port_t as well.


Now it can be successfully restarted!


File related

SELinux pol…