
Protect access to the SGD Gateway balancer-manager

Jan-Oracle, Senior Product Manager, US, Member, Posts: 122, Employee
edited Sep 13, 2019 2:18PM in Secure Global Desktop

Since SGD 5.4 the gateway injects the client IP address, but usually only for the endpoint /sgd. This is configured in /opt/SUNWsgdg/etc/gateway.xml. In the following configuration I added the endpoint /balancer-manager to also receive the injected client IP address.

SGD 5.5 now base64-encodes the injected data (the signedDataEncoding element below).

/opt/SUNWsgdg/etc/gateway.xml
<client class="HTTPINJECTOR-CLIENT" id="http-injector-client">
    <subClient id="tcpclient"/>
    <maxBufferSize>8192</maxBufferSize>
    <noinject path="/sgdadmin"/>
    <noinject name="TTA_SESSION_OBJECT" path="/sgd" src="cookie"/>
    <inject name="SSL_PEER_ID" path="/sgd" signeddata="uid" src="info"/>
    <inject name="OSGD_CHALLENGE_COOKIE" path="/sgd" signeddata="challenge" src="cookie"/>
    <inject name="CLIENT_IP_ADDR" path="/sgd" signeddata="clientip" src="info"/>
    <!-- added: inject the client IP address for /balancer-manager as well -->
    <inject name="CLIENT_IP_ADDR" path="/balancer-manager" signeddata="clientip" src="info"/>
    <inject path="/sgd" signeddata="gateway-features" src="value" value="gateway-http-upgrade"/>
    <featurelist enabled="true"/>
    <!-- SGD 5.5: the signed data is sent base64-encoded -->
    <signedDataEncoding>application/base64</signedDataEncoding>
</client>

Now requests will contain the injected data (shown here in its decoded form):

HTTP_OSGD_SIGNED_DATA="clientip=156.151.8.2;gateway-features=routing-token-nocert,gateway-http-upgrade;timestamp=1532641478482"

SGD Gateway apache server configuration

In order to allow access to the balancer-manager only for specific IP addresses, protect the location as follows. In my example it will either allow users coming from the class C subnet 156.151.8.0 or from the IP address 67.180.102.252, or will ask for a username/password. It is best to consult the apache documentation about expressions to learn more about how to use these directives.

The file containing user names and passwords (/opt/SUNWsgdg.balancer_manager_passwords) has been created with the apache htpasswd command, found in the bin directory of any apache install, for example on the SGD gateway in /opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)/bin

Note: to set up your shell environment so that the standard apache commands can be run, use the following commands

# APACHE_PATH=/opt/SUNWsgdg/httpd/httpd-$(cat /opt/SUNWsgdg/var/info/apacheversion)
# source $APACHE_PATH/bin/envvars

We can create the password file and set its owner with (-c creates the file, -b takes the password from the command line; without -b htpasswd prompts for it)

# $APACHE_PATH/bin/htpasswd -cb /opt/SUNWsgdg.balancer_manager_passwords username password
# chown sgdgsys:sgdgserv /opt/SUNWsgdg.balancer_manager_passwords

We can then reference it as the AuthUserFile in our balancer-manager config block for AuthType Basic. Client IP restriction is combined with password authentication by using RequireAll:

httpd-gateway.conf balancer-manager config
LoadModule env_module modules/mod_env.so
# load SetEnvIf module
LoadModule setenvif_module modules/mod_setenvif.so
#
# set Env variable and Header based on the base64 encoded OSGD-Signed-Data header
#
<If "unbase64(%{http:OSGD-Signed-Data}) =~ /clientip=([^;]*);/">
    # $1 is the capture group of the regex: the injected client IP
    SetEnvIfExpr "unbase64(req('OSGD-Signed-Data')) =~ /clientip=([^;]*);/" CLIENT_IP=$1
    RequestHeader set X-Client-IP %{CLIENT_IP}e
    # optionally provide the unencoded data as header as well
    RequestHeader set X-OSGD-Unsigned-Data "expr=%{unbase64:OSGD-Signed-Data}"
</If>

<Location /balancer-manager>
    SetHandler balancer-manager
    AuthType Basic
    AuthName "Balancer Manager"
    AuthBasicProvider file
    AuthUserFile /opt/SUNWsgdg.balancer_manager_passwords
    # both conditions must hold: an allowed source IP and a valid user
    <RequireAll>
        <RequireAny>
            Require expr "%{env:CLIENT_IP} -ipmatch '156.151.8.0/24'"
            Require expr "%{env:CLIENT_IP} == '67.180.102.252'"
        </RequireAny>
        Require valid-user
    </RequireAll>
</Location>

After making these configuration file changes, either restart the gateway with the /opt/SUNWsgdg/bin/gateway command or run $APACHE_PATH/bin/apachectl graceful. /balancer-manager is then accessible only after entering the proper credentials and when coming from one of the configured IP addresses.
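To check the header parsing and the access rule before touching the gateway, here is an added Python example (not part of the original post or of SGD itself) that decodes an OSGD-Signed-Data value the way the `<If>` block's unbase64 and regex do, and then evaluates the RequireAll/RequireAny decision. The sample header is constructed from the clear-text value shown above; the function names are my own.

```python
import base64
import ipaddress
import re

# Same regex as the <If> / SetEnvIfExpr directives: capture group 1 is the IP.
CLIENT_IP_RE = re.compile(r"clientip=([^;]*);")

# Allow-list from the <RequireAny> block: one class C subnet and one single host.
ALLOWED_NETWORKS = [ipaddress.ip_network("156.151.8.0/24")]
ALLOWED_HOSTS = [ipaddress.ip_address("67.180.102.252")]

def decode_signed_data(header_value, base64_encoded=True):
    """Return the clear-text OSGD-Signed-Data string (SGD 5.5 base64-encodes it,
    SGD 5.4 sends it in clear). Undecodable input yields "" so nothing matches."""
    if not base64_encoded:
        return header_value
    try:
        return base64.b64decode(header_value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error is a ValueError
        return ""

def extract_client_ip(signed_data):
    """Mirror `=~ /clientip=([^;]*);/`: the captured value, or None if absent."""
    m = CLIENT_IP_RE.search(signed_data)
    return m.group(1) if m else None

def ip_allowed(client_ip):
    """Mirror <RequireAny>: -ipmatch on the subnet or == on the single host."""
    if client_ip is None:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # a malformed value in the header never grants access
    return any(addr in net for net in ALLOWED_NETWORKS) or addr in ALLOWED_HOSTS

def balancer_manager_access(header_value, valid_user):
    """Mirror <RequireAll>: the IP rule AND a valid Basic-auth user."""
    return ip_allowed(extract_client_ip(decode_signed_data(header_value))) and valid_user

# Constructed sample: the clear-text value from the post, base64-encoded as the
# SGD 5.5 gateway would inject it.
SAMPLE_PLAIN = ("clientip=156.151.8.2;gateway-features=routing-token-nocert,"
                "gateway-http-upgrade;timestamp=1532641478482")
SAMPLE_HEADER = base64.b64encode(SAMPLE_PLAIN.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(extract_client_ip(decode_signed_data(SAMPLE_HEADER)))   # 156.151.8.2
    print(balancer_manager_access(SAMPLE_HEADER, valid_user=True))  # True
```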