Saturday 20 July 2013

Cisco ASA virtual appliance on ESXi


I followed the forum thread ASA 8.4(2) on QEMU and created a cisco ASA virtual machine ISO which can be used on ESXi.

Please read this link for the details. It also tells you how to
  • create and attach a serial port
  • activate a new license
  • change ip address of NICs
  • upload ASDM through tftp server.

Serial Port made easy under ESXi

When you are first time to configure your cisco device(router, switch and firewall), you need a console cable to connect to its console port, and attach the other end to PC serial port, then use HyperTerminal (on Windows).

What if it is a virtual appliance on ESXi? With the new type of virtual serial port "Connect over Network", the job becomes easy. Please read this link for the details.

Thursday 11 July 2013

SAML Authentication on F5 Big-IP (Part 4)

The battle goes on.

F5 Product Development/Engineering Services came back  with following response:

Some research with "Apache Santuario" was done.

We tried the tool which came with install "c14n" "tool to dump a XML file to the console after canonacalising it through c14n"

We checked different options and found the following:

c14n -n -x assertion.xml      => This generates the canonicalized xml which is exactly same as what F5 generates.
c14n -n -x -1.1 assertion.xml => This generates what is explained in the BUG which is different from what F5 generated.

In the above command "1.1" refers to "Use c14n 1.1".
From the source code xml-security-c-1.7.1/xsec/dsig/DSIGConstants.hpp

#define URI_ID_C14N11_NOC       "http://www.w3.org/2006/12/xml-c14n11"
#define URI_ID_EXC_C14N_NOC     "http://www.w3.org/2001/10/xml-exc-c14n#"

This tells us that the canonicalization used by Apache Santuario is 'URI_ID_C14N11_NOC' but we see the inside SAML response which is not right.
Look at "http://www.w3.org/TR/DSig-usage/"

The solution to this problem is that, do not use "1.1" option with c14n when SAML response is generated to work with F5.


Basically, they doubted I was using C14N 1.1.

I can't find the authority in this field to get the verdict on this dispute, so I have to dive deeply into C14N, hopefully in the end I can convince F5 guys in theory where and why they were wrong.

After spending a whole week on trying to understand C14N in XML signature validation,  I can confirm F5  PD/EC opinion was  wrong.

Basically,  the CanonicalizationMethod (in my case which is "http://www.w3.org/2001/10/xml-exc-c14n#" ) defined in SignedInfo should be ONLY used on the second step of core validation - Signature Validation.

However, F5 also employed the same method (the exclusive one) onto the first step (Reference Validation), which  is wrong.

You can check my research details at this link.