Monday, March 7, 2022

Hashing in Action

Hashing is a cryptographic concept that can be used to validate the integrity of files and store passwords. 

What does it mean?

> Let's say I want to download Eclipse, the popular Java IDE
> I google and find the website from where I can download Eclipse

> But wait, how do I know that this file was not tampered with, and what is this SHA-512 button?
> If you are here, you already know where this is going: let's look at SHA-512

> Now download the file and use the OpenSSL tool to compute the hash of your downloaded file
> openssl dgst -sha512 eclipse-inst-jre-win64.exe   (cat eclipse-inst-jre-win64.exe | openssl dgst -sha512 works too)
> Match the hash: compare it with the one shown on the download page; every hex digit must be identical
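The same check done in Python instead of `openssl dgst`, as an added example that is not part of the original post: it hashes the file in chunks (installers are large), pulls the 128-hex-digit digest out of the formats download pages and `openssl dgst` print, and compares in constant time. The "installer" bytes, the file names and the "published" hash inside `demo()` are constructed for the example.

```python
"""Verify a downloaded file against a published SHA-512 (added example, not from the post)."""
import hashlib
import hmac
import os
import re
import tempfile

# Forms a published digest usually takes: bare hex, "hex  filename" (sha512sum
# style) or "SHA512(filename)= hex" / "SHA2-512(filename)= hex" (openssl dgst style).
_HEX_RE = re.compile(r"\b([0-9a-fA-F]{128})\b")


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def sha512_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published_hash(text: str) -> str:
    """Extract the SHA-512 digest from whatever text the download page shows."""
    m = _HEX_RE.search(text)
    if not m:
        raise ValueError("no SHA-512 digest found in published text")
    return m.group(1).lower()


def hashes_match(computed: str, published: str) -> bool:
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(computed.lower(), published.lower())


def verify_download(path: str, published_text: str) -> bool:
    return hashes_match(sha512_file(path), parse_published_hash(published_text))


def demo() -> dict:
    """Constructed installer: the intact copy verifies, a copy with one changed byte does not."""
    payload = b"MZ" + bytes(range(256)) * 64  # constructed stand-in for an installer
    published = "SHA512(eclipse-inst-jre-win64.exe)= " + sha512_hex(payload)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.exe")
        bad = os.path.join(d, "bad.exe")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:100] + b"\x00" + payload[101:])  # one byte altered
        return {"good": verify_download(good, published),
                "tampered": verify_download(bad, published)}


if __name__ == "__main__":
    print(demo())  # {'good': True, 'tampered': False}
```

A digest published on the same page as the download detects a corrupted transfer or a modified mirror copy; it cannot detect a compromised download site, because whoever changes the file there can change the displayed hash too. A detached signature over the release (verified with a key obtained elsewhere) is the stronger check when the project offers one.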

I have the OpenSSL tool installed on my system; here are the steps I followed:
https://iamsecurity-tips.blogspot.com/2022/03/install-openssl-on-windows-subsystem.html
https://iamsecurity-tips.blogspot.com/2022/03/install-windows-subsystem-for-linux-wsl2.html

Install OpenSSL on Windows Subsystem for Linux (WSL2)

wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0.tar.gz

<Check latest version and replace everywhere>

tar -xvf libressl-3.5.0.tar.gz

cd libressl-3.5.0/

./configure

You may receive an error: configure: error: no acceptable C compiler found in $PATH. Install the build tools and run ./configure again:

sudo apt-get install -y build-essential checkinstall

sudo make

sudo make check

sudo make install

sudo ldconfig

<In a new terminal>

openssl version

Install Windows Subsystem for Linux (WSL2)

Pre-requisite: You must be running Windows 10 version 2004 and higher (Build 19041 and higher) or Windows 11

> Run PowerShell as administrator

> Run the commands:

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

    wsl --install -d Ubuntu

> Restart the system; after that, find and run Ubuntu and it will ask you to set a user name and password.

    sudo apt update && sudo apt upgrade

    sudo apt install gedit -y


reference: Install WSL | Microsoft Docs


Tuesday, September 28, 2021

AD Provisioning Error - ERROR http-nio-8080-exec-1 sailpoint.connector.ADLDAPConnector:3871 - 1158736412 Exception occurred in handling Object Request.

More often than not, this happens because the IIQ server is not able to connect to IQService.

  • Check the status of the IQService (Windows service) on its host
  • Check network connectivity between the IIQ host and the IQService host
  • Check firewalls between the two (the IQService port must be reachable from IIQ)
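A small connectivity probe that maps the socket error onto the three checks above, as an added example that is not from the post: "Network is unreachable" (the error in the trace below) points at routing, a refused connection points at the service not listening, and a timeout points at a firewall dropping packets. The host name is a placeholder; 5050 is IQService's default port, so use the port configured in your AD application definition. `demo()` runs entirely offline against a constructed local listener.

```python
"""Map a failed TCP connect to IQService onto the three checks (added example)."""
import errno
import socket

IQSERVICE_HOST = "iqservice.example.internal"  # placeholder host name, not a real one
IQSERVICE_PORT = 5050  # IQService default; use the port from your AD application definition

# What the socket layer reports -> which check to do first.
_ERRNO_TO_CHECK = {
    errno.ENETUNREACH: "network",   # "Network is unreachable": no route to the host
    errno.EHOSTUNREACH: "network",
    errno.ECONNREFUSED: "service",  # host answered, but nothing is listening on the port
}

ADVICE = {
    "reachable": "TCP connect succeeded; look at IQService logs, TLS settings and credentials next",
    "network": "no route from the IIQ host to the IQService host: check routing, VPN and DNS",
    "service": "host reachable but port closed: check that the IQService service is running on the expected port",
    "firewall": "connect timed out (packets silently dropped): check firewalls between IIQ and IQService",
}


def classify_connect(host, port, timeout=3.0):
    """Return 'reachable', 'network', 'service', 'firewall' or 'unknown:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except socket.timeout:          # must precede OSError: timeout is a subclass of it
        return "firewall"
    except OSError as e:
        return _ERRNO_TO_CHECK.get(e.errno, "unknown:%s" % e.errno)


def open_dummy_listener():
    """Constructed stand-in for IQService: a socket listening on a free local port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo():
    """Show two outcomes offline: service up, then service stopped (port closed)."""
    listener = open_dummy_listener()
    port = listener.getsockname()[1]
    while_up = classify_connect("127.0.0.1", port)
    listener.close()
    while_down = classify_connect("127.0.0.1", port)
    return while_up, while_down


if __name__ == "__main__":
    for outcome in demo():
        print(outcome, "->", ADVICE[outcome])
    # Against the real service (placeholder host):
    # print(ADVICE.get(classify_connect(IQSERVICE_HOST, IQSERVICE_PORT), "unknown"))
```

Run it from the IIQ host itself (inside the same container or service account when possible), since that is the network path the connector uses; a probe from a workstation can succeed while the application server still has no route.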

Full Stack Trace:

2021-09-28 15:10:11,539 ERROR http-nio-8080-exec-1 sailpoint.connector.ADLDAPConnector:3871 - 1158736412 Exception occurred in handling Object Request.
sailpoint.tools.GeneralException: Network is unreachable (connect failed)
        at sailpoint.connector.RPCService.execute(RPCService.java:429)
        at sailpoint.connector.ADLDAPConnector.handleObjectRequest(ADLDAPConnector.java:4203)
        at sailpoint.connector.ADLDAPConnector.provision(ADLDAPConnector.java:3862)
        at sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:882)
        at sailpoint.integration.ConnectorExecutor.provision(ConnectorExecutor.java:165)
        at sailpoint.provisioning.PlanEvaluator.provision(PlanEvaluator.java:1541)
        at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:884)
        at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:788)
        at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:687)
        at sailpoint.api.Provisioner.execute(Provisioner.java:1685)
        at sailpoint.workflow.IdentityLibrary.provisionProject(IdentityLibrary.java:3058)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sailpoint.server.ScriptletEvaluator.doCall(ScriptletEvaluator.java:136)
        at sailpoint.server.ScriptletEvaluator.evalSource(ScriptletEvaluator.java:65)
        at sailpoint.api.Workflower.evalSource(Workflower.java:5966)
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5121)
        at sailpoint.api.Workflower.advance(Workflower.java:4510)
        at sailpoint.api.Workflower.startCase(Workflower.java:3091)
        at sailpoint.api.Workflower.launchSubcase(Workflower.java:5424)
        at sailpoint.api.Workflower.launchSubcases(Workflower.java:5317)
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5108)
        at sailpoint.api.Workflower.advance(Workflower.java:4510)
        at sailpoint.api.Workflower.startCase(Workflower.java:3091)
        at sailpoint.api.Workflower.launchSubcase(Workflower.java:5424)
        at sailpoint.api.Workflower.launchSubcases(Workflower.java:5317)
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5108)
        at sailpoint.api.Workflower.advance(Workflower.java:4510)
        at sailpoint.api.Workflower.startCase(Workflower.java:3091)
        at sailpoint.api.Workflower.launchSubcase(Workflower.java:5424)
        at sailpoint.api.Workflower.launchSubcases(Workflower.java:5317)
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5108)
        at sailpoint.api.Workflower.advance(Workflower.java:4510)
        at sailpoint.api.Workflower.assimilate(Workflower.java:4160)
        at sailpoint.api.Workflower.handleWorkItem(Workflower.java:7638)
        at sailpoint.api.Workflower.process(Workflower.java:1824)
        at sailpoint.api.Workflower.process(Workflower.java:1847)
        at sailpoint.api.WorkflowSession.advance(WorkflowSession.java:473)
        at sailpoint.service.WorkflowSessionService.advance(WorkflowSessionService.java:105)
        at sailpoint.service.form.FormService.next(FormService.java:164)
        at sailpoint.service.form.FormService.submit(FormService.java:109)
        at sailpoint.rest.ui.form.BaseFormResource.submit(BaseFormResource.java:130)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:160)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
        at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.rest.jaxrs.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:90)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.rest.RestCsrfValidationFilter.doFilter(RestCsrfValidationFilter.java:69)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.rest.AuthenticationFilter.doFilter(AuthenticationFilter.java:100)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.web.SailPointContextRequestFilter.doFilter(SailPointContextRequestFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.web.SailPointPollingRequestFilter.doFilter(SailPointPollingRequestFilter.java:109)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at sailpoint.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:201)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1629)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Network is unreachable (connect failed)
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:476)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:218)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:200)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:394)
        at java.net.Socket.connect(Socket.java:606)
        at java.net.Socket.connect(Socket.java:555)
        at java.net.Socket.<init>(Socket.java:451)
        at java.net.Socket.<init>(Socket.java:228)
        at sailpoint.connector.RPCService.execute(RPCService.java:412)
        ... 113 more

Wednesday, September 22, 2021

SailPoint Identity IQ JDBC Aggregation: A common mistake

A common mistake I have seen is in how the aggregation query is written.

Let's say there are three tables:

  1. User
  2. Groups
  3. Membership

The table names say what they contain: User holds the user data, Groups holds the group data, and Membership holds the membership (user-to-group) data.

Pay attention to both queries: both return results and will mostly pass unit testing. The issue is that a user who is not a member of any group does not appear in the result set of the incorrect query (the implicit inner join), so that account is missed during aggregation.

Incorrect Query (inner join: users with no membership rows are dropped)
SELECT User.*, Membership.groupName 
FROM User, Membership 
WHERE User.Id = Membership.UserId;

Correct Query (LEFT JOIN: users with no membership rows are kept, with a NULL groupName)
SELECT User.*, Membership.groupName
FROM User
LEFT JOIN Membership 
ON User.Id = Membership.UserId;
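The difference between the two queries, run against a constructed three-table database in SQLite (added example, not from the post): one user deliberately has no memberships, and only the LEFT JOIN query returns that user. The table layout, the sample rows and the per-user collapsing in `accounts_by_user()` are assumptions made for the example; the two queries are the ones above (Groups is quoted because GROUPS is a keyword in SQLite).

```python
"""Inner join vs LEFT JOIN for account aggregation (added example, not from the post)."""
import sqlite3

INCORRECT_QUERY = """
SELECT User.*, Membership.groupName
FROM User, Membership
WHERE User.Id = Membership.UserId
"""

CORRECT_QUERY = """
SELECT User.*, Membership.groupName
FROM User
LEFT JOIN Membership ON User.Id = Membership.UserId
"""


def build_sample_db():
    """Constructed User / Groups / Membership tables; carol has no memberships."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE User (Id INTEGER PRIMARY KEY, userName TEXT NOT NULL);
        CREATE TABLE "Groups" (groupName TEXT PRIMARY KEY);
        CREATE TABLE Membership (
            UserId    INTEGER NOT NULL REFERENCES User(Id),
            groupName TEXT    NOT NULL REFERENCES "Groups"(groupName)
        );
        INSERT INTO User VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
        INSERT INTO "Groups" VALUES ('admins'), ('readers');
        INSERT INTO Membership VALUES (1, 'admins'), (1, 'readers'), (2, 'readers');
    """)
    return con


def accounts_by_user(con, query):
    """Collapse the multi-row result into one account per user with its group list.

    Column order is User.Id, User.userName, Membership.groupName; a NULL
    groupName (LEFT JOIN with no match) means the user simply has no groups.
    """
    accounts = {}
    for _id, user_name, group in con.execute(query):
        groups = accounts.setdefault(user_name, [])
        if group is not None:
            groups.append(group)
    return {user: sorted(groups) for user, groups in accounts.items()}


def demo():
    con = build_sample_db()
    try:
        return {"incorrect": accounts_by_user(con, INCORRECT_QUERY),
                "correct": accounts_by_user(con, CORRECT_QUERY)}
    finally:
        con.close()


if __name__ == "__main__":
    for label, accounts in demo().items():
        print(label, accounts)
```

The unit-test trap in the post shows up here: with only alice and bob as test data both queries look identical, and the defect is only visible once a user without any membership rows exists in the test set.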

Hope it helps!

Monday, September 20, 2021

SailPoint IIQ: Delete WorkItems assigned to a User

  • Query the 'spt_work_item' table. Pay attention to the 'id' column (used for deleting the work item) and the 'owner' column (used to identify the owner)
  • Use the console utility to delete the work item
  • Navigate to <tomcat>/webapps/iiq/WEB-INF/bin/
  • Execute ./iiq console
  • delete workitem ff8080817bffde5f017c029a820700ab (where the id is the one you queried from the database)
  • If multiple ids have to be deleted, you can create a file (here named deleteWorkItem.txt) with content like:
delete workitem ff8080813eb1de6f013eb3d811f10081
delete workitem ff8080813eb1de6f013eb3d82b6b0095
delete workitem ff8080813eb1de6f013eb3d83b1000a9
delete workitem ff8080813eb1de6f013eb3d846b900bd
delete workitem ff8080813eb1de6f013eb3d855cb00d1

  • Within the IIQ console: source deleteWorkItem.txt