Wednesday 24 July 2024

VPN - Working Principle

 A Virtual Private Network (VPN) connection from a laptop to a company’s VPN server involves several steps. Here’s a detailed explanation:

1. VPN Setup: The first step is to set up the VPN client on the laptop. This involves installing the VPN software provided by the company and configuring it with the necessary details such as the VPN server address, VPN type (e.g., PPTP, L2TP, OpenVPN), and authentication details. The exact setup process can vary depending on the specific VPN client used.

2. VPN Login: Once the VPN client is set up, the user can initiate a VPN connection. This typically involves opening the VPN client, selecting the appropriate VPN profile (if multiple profiles are configured), and entering their login credentials. These credentials are usually a username and password, but they could also include additional factors of authentication, such as a digital certificate or a one-time password (OTP).

3. VPN Connection: After the user has logged in, the VPN client establishes a secure connection to the company’s VPN server. This process involves several steps:

Tunnel Creation: The VPN client and server negotiate a secure tunnel for the VPN connection. This involves agreeing on the encryption protocols and keys to be used for the connection.

Authentication: The VPN client authenticates the VPN server, and vice versa, to ensure that both parties are who they claim to be. This is typically done using digital certificates.

IP Address Assignment: Once the tunnel is established and both parties are authenticated, the VPN server assigns an IP address to the VPN client. This IP address is used for all communication within the VPN tunnel.

Encryption and Decryption: All data sent over the VPN connection is encrypted by the VPN client before being sent through the tunnel. When the data reaches the VPN server, it is decrypted before being sent on to its final destination.

4. Data Transfer: With the VPN connection established, the user can now send and receive data over the internet as if they were directly connected to the company’s private network. All data sent over the VPN connection is encrypted, ensuring that it remains private and secure.


When an employee of a company uses a VPN to access an Azure Virtual Machine (VM), the traffic generally follows this path:

  • The traffic originates from the employee’s laptop and is encrypted by the VPN client installed on the laptop.
  • This encrypted traffic is then sent over the internet to the company’s VPN server.
  • The VPN server decrypts the traffic and sends it to the Azure VM over the VPN connection between the company and the Azure region.
  • In terms of IP visibility, the Azure VM will see the IP address of the company’s VPN server, not the employee’s original IP address. This is because the VPN server acts as a gateway between the employee’s laptop and the Azure VM.


It’s important to note that this is a general explanation and the exact details can vary depending on the specific VPN technology and configuration used by your company. For instance, some VPN configurations might involve Network Address Translation (NAT) which could affect the visible IP address. Always refer to your specific VPN and network setup for accurate information.

Tuesday 16 April 2024

IDCS - Identity Federation with Azure and Google (SAML IDP & Social IDP)

The setup involves Identity Cloud Service (IDCS) acting as the central identity provider, facilitating seamless authentication and authorization processes. Through Identity Federation, IDCS extends its capabilities to integrate with both Azure and Google, utilizing SAML Identity Provider (IDP) for Azure and Social IDP for Google.


With SAML IDP integration, users can securely access resources across platforms by leveraging their existing credentials. This interoperability streamlines authentication workflows, enhancing user experience and ensuring consistent access control.


Moreover, the inclusion of Social IDP, particularly with Google, broadens the authentication options, allowing users to authenticate using their Google accounts. This not only expands the user base but also simplifies login processes, as users can utilize familiar credentials.


Overall, this setup promotes interoperability, security, and user convenience, aligning with modern identity management practices and enabling efficient collaboration across disparate systems and platforms. 


Collect IDCS Metadata

  • Enable the "Access Signing Certificate" option to get the IDCS metadata: Default Domain Settings -> select Access Signing Certificate.
  • Use the following IDCS URL to get the metadata details.
    • https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/fed/v1/metadata
  • Save the XML data as the IDCS metadata file.

Azure
  • Log in to Azure and select Active Directory.
  • Select Enterprise Applications in the left menu.
  • Select Add new application.
  • Select Oracle as the cloud provider.
  • Select the OCI Console option and SSO logo.
  • Provide a unique name and click Create.
  • This will create an Azure AD application.
  • SSO Setup
    • Select the SSO option under the AD application created above.
    • Select the SAML IdP option.
    • Use the Upload metadata option to upload the IDCS metadata downloaded above.
    • Provide the IDCS sign-on URL: https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/ui/v1/myconsole
    • Save the data.
    • Download the Federation Metadata XML (Azure) from the SAML Signing Certificate section.
    • Under the Users and groups menu on the left, add users and groups.
IDCS - Setup IdP (IDCS Console -> Security -> Identity Provider)
  • Select Add SAML IDP.
  • Provide Name - Azure IDP
  • Click Next and upload the Azure metadata downloaded above.
  • Click Next and select the options as per the requirement. Example: NameId as UserName, of type Email Address.
  • Click Next and test the configuration by selecting the Testing option.
  • Click Finish to complete the setup.
  • Activate the IdP.
  • Note:
    • Go to the IDCS user page and update the user as Federated.
      • This will allow the user to log in with both IDCS and Azure credentials.
IDCS - Update IDP Policy:
  • Update the IDP policy to add the IdP created above for authentication.
  • Select the Default Provider Policy.
  • Select the Identity Provider Rules tab.
  • Edit the existing rule and add the IDP created above (Azure IDP).
  • Save all changes, log out and test the IDCS login.
  • Use the Azure IDP option on the IDCS login page to log in using Azure credentials.

Note: All the above IDCS steps can also be performed from the OCI Console. Under Identity and Security, go to Domains, create a new IDCS domain, and perform the above activities under the new domain.


Google:
  • Log in to the GCP console.
  • Select the GCP project.
  • Select APIs and Services in the left menu.
  • Select Credentials.
  • Note: we will be creating an OAuth 2.0 Client ID.
    • Select the Create Credentials option at the top.
    • Select the OAuth Client ID option (for the IDCS app).
    • Select Type as Web Application.
    • Add the authorized redirect URL (IDCS): https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/oauth2/v1/social/callback
    • Select Create.
    • This will generate the Client ID and Secret.
      • Copy the ID and Secret.
  • IDCS - Setup IdP - Add Social IDP
    • Select the Social IDP option.
    • Select Google as Type.
    • Provide a name - GOOGLE_IDP
    • Select Next
    • Provide the Client ID and Secret copied above.
    • Select Finish
    • Activate the IdP.
  • Update IDP Policies.
    • Add the IdP created above to the default policy rule.

 


    Sunday 4 June 2023

    Docker - Container Cheat Sheet

    Basic and advanced docker commands for reference. Use them as a cheat sheet.

    • Commands to install docker on Linux 

    curl -fsSL https://get.docker.com -o get-docker.sh
    sudo sh get-docker.sh

    • Commands to check the service status and start the Docker daemon

    sudo service --status-all 
    sudo service docker start

    • Command to pull docker images from Docker Hub - https://hub.docker.com/

    docker pull image_name:version
    version : default value is latest

    docker pull mysql

    • Command to pull (if not already present) and run the docker image

    docker run image_name
    docker run mysql

            docker run -d image_name  ==> Run the container in the background (detached mode).

            docker run -d --name webapp_vk image_name  ==> Assign a name to the docker container.

            docker run -d image_name command  ==> Override the CMD statement in the image, or append the value to the ENTRYPOINT command.

    • Command to list the running containers
            docker ps      ==> List all the running containers.
            docker ps -a   ==> List both running and stopped containers.

    • Command to list the images present on the host
            docker images  ==> List all the images.
    • Command to stop the containers
            docker stop container_id_or_name
    • Command to remove the containers
            docker rm container_id  ==> Make sure the containers are stopped before running the command.
    • Command to delete or remove the images
            docker rmi image_id  ==> We can specify the first few characters of the Id.

    • Command to run a container and execute a Unix command in it
            docker run ubuntu cat /etc/*release*  ==> This pulls the ubuntu image if it is not present, starts a container and runs the command.

    • Command to execute a command in an already running container
            docker exec container_id cat /etc/*release*

    • Command to build a docker image
            docker build .  ==> provided the Dockerfile is in the same directory from where we are running this command.
            docker build -f Dockerfile -t vijaya/image_name .  ==> Providing a tag/name to the image (the trailing "." is the build context).

    • Command to push the docker image to Hub
            Before we push the image, we need to log in.
            docker login  ==> This will prompt for Docker Hub credentials. After a successful login:
            docker push vijaya/image_name  ==> Push the image to Hub.

    • Command to pass environment values
            docker run -d -e ENV_VARIABLE_NAME=VALUE --name vijaya_container image_name  ==> This supplies the environment values to the container.

    • Command for port mapping, to access the application using the Docker host IP
            docker run -d -p host_port:container_port image_name
            docker run -d -p 8306:3306 mysql



    Saturday 3 June 2023

    OpenSSL Commands

     Command to get the SSL certificate from the server. 

        openssl s_client -showcerts -connect ip:port


    Command to import certificate to custom truststore. 

    keytool -import -alias alias_name -file certificate.cer -storetype JKS -keystore CustomTrustStore
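Before the certificate fetched with `openssl s_client -showcerts` is imported into a truststore, it should be verified against a fingerprint obtained out of band; otherwise a man-in-the-middle on that first connection ends up trusted permanently. The following is an added example, not part of the original post: it extracts the PEM blocks from `-showcerts` output, computes the SHA-256 fingerprint, and only hands the certificate over for `keytool -import` when the fingerprint matches. The captured output, the certificate bodies (placeholder base64 of "abc" and "def", not real X.509 data) and the expected fingerprint are all constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample of what `openssl s_client -showcerts -connect ip:port` prints:
# the leaf certificate first, then its issuer, between the handshake chatter.
# The base64 bodies are placeholders, NOT real certificates ("YWJj" is b"abc",
# "ZGVm" is b"def"); a real capture has a DER-encoded X.509 certificate there.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 CN = Example Issuer CA
verify return:1
---
Certificate chain
 0 s:CN = app.example.internal
   i:CN = Example Issuer CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:CN = Example Issuer CA
   i:CN = Example Issuer CA
-----BEGIN CERTIFICATE-----
ZGVm
-----END CERTIFICATE-----
---
Server certificate
subject=CN = app.example.internal
"""

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(PEM_HEADER) + r"\n(.*?)\n" + re.escape(PEM_FOOTER), re.S)


def extract_pem_certs(s_client_output: str) -> list[str]:
    """Return every PEM block in the order openssl printed them: index 0 is the leaf."""
    return [f"{PEM_HEADER}\n{body.strip()}\n{PEM_FOOTER}\n"
            for body in PEM_BLOCK.findall(s_client_output)]


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare against a fingerprint obtained out of band (e.g. from the server's owner)."""
    normalised = expected.replace(":", "").upper()
    return fingerprint_sha256(pem_to_der(pem)).replace(":", "") == normalised


def select_cert_for_truststore(s_client_output: str, expected_fingerprint: str, which: int = 0) -> str:
    """Pick certificate `which` from the chain (0 = leaf, 1 = issuer) and return its PEM
    only if the fingerprint matches; refuse to hand back anything that does not."""
    certs = extract_pem_certs(s_client_output)
    if which >= len(certs):
        raise ValueError(f"chain has only {len(certs)} certificate(s)")
    if not fingerprint_matches(certs[which], expected_fingerprint):
        raise ValueError("fingerprint mismatch: refusing to import an unverified certificate")
    return certs[which]


def keytool_import_argv(alias: str, cer_path: str, keystore: str) -> list[str]:
    """argv for the keytool command above, suitable for subprocess.run (not executed here)."""
    return ["keytool", "-import", "-alias", alias, "-file", cer_path,
            "-storetype", "JKS", "-keystore", keystore]


if __name__ == "__main__":
    # Hypothetical expected value: the SHA-256 of the placeholder body b"abc".
    expected = "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
    pem = select_cert_for_truststore(SAMPLE_S_CLIENT_OUTPUT, expected)
    with open("certificate.cer", "w") as fh:
        fh.write(pem)
    print(" ".join(keytool_import_argv("alias_name", "certificate.cer", "CustomTrustStore")))
```

When the server hosts several names behind one IP, add `-servername hostname` to the `openssl s_client` call so SNI returns the certificate for the intended host rather than the default one.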

    Monday 3 April 2023

    SOA Integration with IDCS

    • SCIM - System for Cross-Domain Identity Management
      • Standard for identity management APIs
      • Used by multiple identity providers.
    • SOA roles will be mapped to IDCS groups.
    • Set up Federated SSO through SAML on IDCS and SOA

    High-Level Steps. 
    • Create IDCS groups for SOA
    • Create a Confidential Application in IDCS
      • Register as Client
      • Select client as Confidential
      • Allow following grants types
        • Client Credentials
        • JWT assertion
        • Token Refresh
        • SAML2 Assertion. 
      • Granted Roles
        • Identity Domain Administration
        • Cloud Gate
      • Assign groups to this application. 
    • Configure the Identity Provider in the SOA WebLogic Console.
      • Weblogic Console
      • Security Realms
      • Myrealm
      • Providers
        • Select New
        • Name - IDCS Provider
        • Type - OracleIdentityCloudIntegrator
        • Click Okay
        • Open the IDCS provider
          • Common
            • Control Flag - SUFFICIENT : meaning the other providers don't have to be checked if the IDCS authentication is successful.
            • Active Types
              • Authorization
              • REMOTE_USER
          • Provider Specific:
            • Provide the IDCS details. 
              • Host
              • Port - 443
              • SSL - Enabled
              • IDCS Tenant Name
              • Client Id
              • Secret. 
              • Save
        • Reorder the providers so that IDCS is checked first, followed by the default providers.
        • Select DefaultAuthenticator
          • Common
          • Control Flag - SUFFICIENT
          • Save
      • Activate the changes. 
    • Import IDCS Certificates to Trust Store. 
      • Get the IDCS certificates using following URL
        • https://$IDCS_HOST_PORT/ui/v1/adminconsole
      • Import Certificates into System/Trust using EM console. 
      • Add the following property to setDomainEnv.sh to support wildcard certificates using common names.
        • -Dweblogic.security.SSL.hostnameverifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
    • Manual OPSS Configurations. 
      • Edit following file in domain dir
        • /config/fmwconfig/jps-config.xml
        • Search for idstore.ldap and replace it with idstore.scim under jpsContexts
        • Create an IDCS property file and run the script as per the following doc-id : 2916662.2
    • Configure SSO:
      • Create a SAML application in IDCS.
      • Give a name.
      • Entity Id - Give any value
      • Consumer URL - https://$SOA_LB_URL/saml2/sp/acs/post
      • NameIdFormat - Unspecified. 
      • Can add attributes.
        • Name - Groups
        • Format - Basic
        • Value - Group Membership 
        • Condition
          • equals
          • Value -  All groups
        • Add Groups
        • Activate
      • Download the IDCS metadata.xml from the SAML application created above.

    • RDBMS Setup for WebLogic LB
      • Refer the below link for more details. 
    • Configure SAML Asserter.
      • Refer the below link for more details. 


    Oracle Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=111700059898561&id=2916662.2&_afrWindowMode=0&_adf.ctrl-state=nbcwpoz12_4

    Thursday 9 February 2023

    Provisioning Oracle Integration Cloud Service

     OIC Provisioning.

    • Provision Identity Cloud Service domain.
      • Login into the OCI console.
      • Go to Identity and Security Menu
      • Select Domains under Identity. This option is available for OCI accounts created after December 2018.
      • Click Create Domains
      • Provide Name.  Example - Development
      • Provide Description.  Example - Development Domains
      • Select Domain Type. Example - Free / Premium /etc.
      • If we want to create a new administrator for the domain, provide the user name and password.
      • Otherwise, use the OCI admin user credentials by unselecting the Create Admin User option.
      • Select the compartment - Development .  If not created then create a new compartment and use it.
    • Create an IAM group in the IDCS domain.
      • Go to the IDCS console.
      • Select the groups menu
      • Create a new group called Administrator
      • Provide a description.
    • Create an IAM policy in the IDCS domain.
      • Go to the OCI console.
      • Select Identity and Security
      • Select Policies under Identity
      • Click Create policy.
      • Provide a name - OICIntegrationGroupPolicy
      • Use the policy builder to create policy.
      • Sample : allow group Development/Administrator to manage integration-instance in compartment Development
      • Development/Administrator - DomainName/GroupName
      • If we don't provide the Domain Name then it will take the default domain present in the root compartment.
      • NOTE: User Federation refers to linking user's identity and attributes across multiple identity management systems.
      • Oracle Integration Federation means that identities are linked in IDCS and Oracle Identity And Access Management(IAM).
    • Create an Oracle Integration Instance
      • NOTE : The instance will be associated with the IDCS domain into which we log in while provisioning OIC.
      • Use the proper identity domain when logging in.
      • In this case, use the Development domain to log in.
      • After Signing into the OCI console, select the region.
      • Go to the Developer Services menu on the OCI console
      • Under Application Integration select Integration
      • Select the Compartment in which you want to provision the OIC.  In this case it will be the Development compartment.
      • Click CREATE.
      • Provide Name.
      • Select Version - Gen 2 or Gen 3
      • Consumption Model -- Universal Credit
      • Edition -- Standard or Enterprise.
      • Shape -- Development or Production
      • NOTE : Patches are applied based on the shape. Development shapes receive the patches two weeks early.
      • Production shapes receive the patches two weeks after the Development shapes.
      • Advance Options :
        • Network Access :
          • Only Gen 2 version will allow us to define and configure Allow list.
        • Custom Endpoint :
          • Available only for Gen 2
          • We can provide the custom endpoint.
          • It must already be registered on a DNS provider.
          • Its SSL certificates must be stored as secret in an OCI vault.
    • Email Configurations.
      • Sender Policy Framework (SPF) :
      • It lets domain owners (InfiniteCloud in this example) identify the servers (external servers) they have approved to send email on behalf of their domain.
      • In Oracle Integration's case, the domain owner (InfiniteCloud) needs to approve OCI as an approved sender and add a record for it in their domain.
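The "Create an IAM policy" step above relies on the policy statement `allow group Development/Administrator to manage integration-instance in compartment Development`, with the rule that a subject written without a domain prefix falls back to the default domain. The following is an added example, not part of the original post or of any Oracle tooling: a small parser for that statement shape plus a check that shows which requests the statement would permit, so the effect of a missing domain name or a wrong compartment can be seen before the policy is saved. It assumes the default domain is named "Default", matches compartments by exact name (ignoring sub-compartment inheritance), and does not evaluate `where` conditions; the verb ordering inspect < read < use < manage is the OCI one.

```python
import re

# Assumption: the tenancy's default identity domain (the one in the root compartment)
# is called "Default"; the page only says the default domain is used when no domain
# name is given in the subject.
DEFAULT_DOMAIN = "Default"

# OCI verbs form a hierarchy: each one includes the permissions of those below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Subset of the OCI policy grammar covering the statement on this page, plus the
# any-user subject and the tenancy scope. `where` conditions are captured, not evaluated.
POLICY_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|any-user)"
    r"(?:\s+(?P<subject>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope_type>compartment|tenancy)"
    r"(?:\s+(?P<scope>\S+))?"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)


def parse_policy(statement: str) -> dict:
    """Split one statement into subject (domain/group), verb, resource and scope."""
    m = POLICY_RE.match(statement.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {statement!r}")
    subject = m["subject"] or ""
    if "/" in subject:
        domain, name = subject.split("/", 1)          # DomainName/GroupName
    else:
        domain, name = DEFAULT_DOMAIN, subject        # no domain given: default domain
    scope_type = m["scope_type"].lower()
    if scope_type == "tenancy" and m["scope"]:
        raise ValueError("'in tenancy' takes no name")
    if scope_type == "compartment" and not m["scope"]:
        raise ValueError("'in compartment' needs a compartment name")
    return {
        "subject_type": m["subject_type"].lower(),
        "domain": domain,
        "group": name,
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "scope_type": scope_type,
        "scope": m["scope"],
        "condition": m["condition"],
    }


def permits(statements, *, domain, group, verb, resource, compartment) -> bool:
    """True if any statement grants `verb` (or a stronger verb) on `resource` to the
    group in the compartment. Simplifications: compartment names are matched exactly,
    sub-compartment inheritance is ignored, and conditional statements are treated as
    not met (deny), so the answer errs on the side of 'no access'."""
    for s in map(parse_policy, statements):
        if s["condition"]:
            continue
        if s["subject_type"] != "any-user" and (s["domain"], s["group"]) != (domain, group):
            continue
        if s["scope_type"] == "compartment" and s["scope"] != compartment:
            continue
        if s["resource"] not in (resource.lower(), "all-resources"):
            continue
        if VERB_RANK[s["verb"]] >= VERB_RANK[verb.lower()]:
            return True
    return False


if __name__ == "__main__":
    # The statement from the provisioning steps above.
    policy = ["allow group Development/Administrator to manage integration-instance in compartment Development"]
    print(parse_policy(policy[0]))
    # Same group name in the default domain is a different principal: denied.
    print(permits(policy, domain="Default", group="Administrator", verb="read",
                  resource="integration-instance", compartment="Development"))
```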

    Thursday 22 December 2022

    OCI - WAF - Web Application Firewall

    Oracle OCI WAF safeguards our web applications and other internet-facing applications against threats such as the OWASP-defined vulnerabilities. It offers a range of protective measures such as restricting access based on geolocation, rate limiting, protection rules, access control and bot management.

    By utilizing WAF, we can defend OCI-based applications, on-premise systems, and multi-cloud applications against potential security risks.

    Moreover, WAF supports two types of enforcement to ensure comprehensive protection.

    • WAF on OCI Load Balancer
    • WAF Edge Enforcement
      • For on-premises applications
      • Multi-cloud, multi-region applications.

    WAF Demo:
    • Access OCI Console. 
    • Select Identity and Security from the Menu
    • Select Web Application Firewall
    • Select Create WAF Policy
      • Provide a unique name 
      • Select the compartment
      • Use Legacy Workflow Option to create an Edge Policy
        • New Window will open
        • Provide the following details. 
          • Domain Name :  connect.vijaya.in
          • Additional Domain :  oic.dvp.connect.vijaya.in
          • WAF Origin : Target application to be Protected 
            • Origin Name :  sample-origin-name
            • URI : oic.svn-dvp.connect.vijaya.in
            • Create Policy
          • In case of an Edge Policy, once the WAF is activated the OCI console will display the CNAME to be added to the DNS zone.
            • Go to DNS zone and add the CNAME.
              • Add a CNAME record
                • Domain Name : oic.dvp.connect.vijaya.in
                • RDATA :  WAF-CNAME from the OCI console.
                • TTL : Time to live.

      • In case of WAF for LB, continue to the next page.
      • Add Access Control Rules
        • Add Access Rules
        • Example:
          • Geo restrictions
          • Source IP List
          • HTTP request Methods
          • HTTP Request Headers
          • Cookies
          • Path Check
          • Etc
        • For Each access control rule select the action to be performed. 
          • You can create your own action.
          • Or select one of the pre-configured actions
            • Check and Allow
            • Allow
            • Check and Block 
              • Send Error Response Back to the client. 
      • Go to Next Page 
      • Apply rate limiting rules if required
      • Go to next page
      • Apply protect rules. 
        • Select predefined OWASP rules to block malicious requests.
          • Example :
            • Cross Site Scripting
            • SQL Injections
            • Etc 
      • Go to the Next page
      • Select the OCI Load Balancer to which the WAF needs to be applied.
      • Review
      • Create WAF Policy


    Reference for more details: https://www.ateam-oracle.com/post/enhance-security-with-oracle-cloud-infrastructures-web-application-firewall

    https://www.ateam-oracle.com/post/using-oci-waf-web-application-firewall-with-oracle-e-business-suite
