Category: Directory

Posted on

Cobalt 1.5 – New Capabilities

Overview

This release adds new functionality and features to Cobalt, our web based role and user provisioning tool. You can find out more about Cobalt here.

Multiple Cobalt Servers

This enhancement enables multiple Cobalt servers to be run against a single directory. There are two reasons for this.

  1. In a distributed environment it is useful to have multiple Cobalt servers at different locations, each connected to the local node of a multi-master directory.
  2. Where a read only directory is replicated, for example using Sodium Sync to a Mobile Unit, it is useful to run Cobalt (read only) against the replica, to allow local administrators to conveniently view the configuration using Cobalt.

Password Management and Password Policy

This update includes a number of enhancements relating to password management:

  1. Cobalt is now aware of password policy. A key change is that after administrator creation or change of password, when password policy requires user change, Cobalt will mark the password as requiring user change. To be useful in deployment, the applications used also need to be password policy aware.
  2. Cobalt added a user UI to enable password change/reset, to complement Administrator password change.
  3. Administrator option to email new password to user.

Security Management

  1. Directory Access Rights Management. M-Vault Directory Groups enable specification of user rights, to directory and messaging configuration in the directory. This can be configured by Cobalt by domain administrators.
  2. Certificate expiry checking. When managing a directory holding many certificates, it is important to keep them up to date. Cobalt provides a tool which can be run at intervals to determine certificates which have expired and certificates which will expire soon.

User Directory Viewer

Cobalt’s primary purpose is directory administration. This update adds a complementary tool which enables users to access information in the directory managed by Cobalt. This uses anonymous access for user convenience.

Miscellaneous

  1. Flexible Search. Cobalt administrators have the option to configure search fields available for users. Configuration is per-domain.
  2. Users, Roles and mailing list members now sorted alphabetically.
  3. Base DN can be specified for users for a domain. If specified, Cobalt allows browsing users under this DIT (entry) using subtree search. Add user operation is disabled if this is specified. This allows Cobalt to:
    1. Utilize User provision by other means, for reference from within Cobalt managed components.
    2. To modify the entries, but does not allow addition of new entries.
Posted on

Cobalt 1.4 – New Capabilities

Cobalt provides a web interface for provisioning users and roles in an LDAP directory. It enables the easy deployment of XMPP, Email and Military Messaging systems.

Listed below are the changes brought in with 1.4.

HSM Support

Cobalt is Isode’s tool for managing PKCS#11 Hardware Security Modules (HSM) which may be used to provide improved server security by protecting PKI private keys.

  • Cobalt provides a generic capability to initialize  HSMs and view keys
    • Multiple HSMs can be configured and one set to active
    • Tested with Nitrokey, Yubikey, SoftHSM and Gemalto networked HSM
  • Enables key pair generation and Certificate Signing Request (CSR) interaction with Certificate Authority (CA)
  • Support for S/MIME signing and encryption
    • User identities for email
    • Organization and Role identities for military messaging
  • Server identities that can be used for TLS with Isode servers

Isode Servers 

A new tab for Isode servers is added that:

  • Enables HSM identities to be provisioned
  • Enables a password to be set, which is needed for Isode servers that bind to directory to obtain authorization, authentication and other information
  • Facilitates adding Isode servers to a special directory access control group, that enables passwords (usually SCRAM hashed) to be read, to enable SCRAM and other SASL mechanisms to be used by the application

Profiler Enhancement

  • Extend the SIC rule so that multiple SICs or SIC patterns can be set in a single rule

Posted on

Directory Products Update – 19.0 Capabilities

The below is a list of the new capabilities brought to our Directory products for the 19.0 release. 19.0 adds a lot of extra functionality across the board for our messaging products, along with a complete rewrite of the codebase so that future releases and bug fixes can be developed more quickly. For the full release notes please check the individual product updates, available from the customer portal and evaluation sections of our website.

Dependencies

Use of several new 19.0 features depend on Cobalt 1.3 or later.

M-Vault

Product Activation 

M-Vault uses the new product activation.  Product activation is managed with the Messaging Activation Server (MAS) which provides a Web interface to facilitate managing activation of messaging and other Isode products. MAS is provided as a tool, but installed as an independent component.   

Headless Setup

M-Vault, in conjunction with Cobalt, provides a mechanism to set up a server remotely with a Web interface only. This complements setup on the server using the M-Vault Console GUI.

Password Storage

Password storage format defaults to SCRAM-SHA-1 (hashed). This hash format is preferred as it enables use of SASL SCRAM-SHA-1 authentication which avoids sending plain passwords. Storage of passwords in the plain (previous default) is still allowed but discouraged.

LDAP/AD Passthrough

An LDAP Passthrough mechanism is added so that M-Vault users can be authenticated over LDAP against an entry in another directory. The key target for this mechanism is where there is a need to manage information in M-Vault, but to authenticate users with password against users provisioned in Microsoft Active Directory.  This is particularly important for Isode applications such as M-Switch, M-Link, and Harrier which utilize directory information not generally held in Active Directory.

Cobalt provides capabilities to manage accounts utilizing LDAP Passthrough.

OAuth Enhancements

A number of enhancements to OAuth, which was introduced in R18.1

  • OAUTH service has been integrated  into the core M-Vault server, which simplifies configuration and improves security,
  • Operation without Client Secret, validating OAUTH Client using TLS Client Authentication.  This improves security and resilience.
  • Allow client authentication using Windows SSO, so that Windows SSO can work for OAUTH Clients.  This enables SSO to be used for Isode’s applications using OAuth.

Sodium Sync

  • Some enhancements to Sodium Sync to improve operation on Windows Server.
  • Option that will improve performance for any remote server with a large round-trip-time. 
Posted on

Cobalt 1.3 Release Features

Cobalt 1.3 depends on M-Vault 19.0 or subsequent versions

M-Vault Management Support

  • M-Vault Bootstrap.   Enables operation in conjunction with M-Vault 19.0 to support headless bootstrap.
  • Managing users in M-Vault groups, such as Directory Server Administrators  and Messaging Configuration Read/Write.  This enables Cobalt to control user and operator rights to access M-Vault.
  • AD/LDAP passthrough support
    • Allow users (per domain) to support mandatory or partial passthrough
    • Set and validate passthrough entry for user
    • Identify users in passthrough server that might be added to domain

Messaging Management

  • Profile Editor for supporting and managing M-Switch Profiler.
    • SIC Coverage UI. Provide full list of SICS, showing which addresses each one goes to.   This enables operator to ensure that all SICs are sensibly handled.
  • File Transfer By Email capability is now managed by Cobalt, replacing capability previously in MConsole.
  • For Organizations and Military DLs enable control manage capability functions:
    • Max Message Size
    • Max Line Length (for ACP 127 destinations)
    • Charset Restrictions (for ACP 127 destinations)
    • Allows/block attachments
  • Option to show for a user which DLs the user is in, and give easy addition to other DLs.  This facilitates managing DL membership.

New Views

  • Non-Human Users (Special Users).  Need to support accounts with passwords that are not humans.   For XMPP, Email or both.  
  • View for end users, rather than administrators.  User can:
    • Change password. 
    • See all of own entry and modify  attributes.   The list of modifiable attributes can be configured.
    • See references to entry and email list membership.
  • User Groups, to enable management of directory groups (Distinguished Names).

Cobalt Access Control

  • New Cobalt roles, that can enable selective control of which users can access directory admin controls, and which users can set OAUTH rights and can add OAUTH Clients.  
  • Restrict Password set/change rights, so that only selected Cobalt administrators can do this.

Security Enhancements

  • When deleting a user, remove the password.   This will make it safe for applications searching whole DIT as you can’t authenticate with a deleted user’s account. 
  • Security Clearance can be selected for any role or user, based on a configured catalogue.  This supports key M-Switch and Harrier feature to check clearances. 

Miscellaneous

  • When assigning a new email, search entire DIT for conflicts, not just Cobalt area.   This  helps SASL resilience
  • Can add Photos to Routed UAs and Organizations.  
  • Check References on Delete. Cobalt has a “References” button on user/role form that displays all references of a user/role.  On deleting, references are deleted as well.
  • Tool to check references to users in AD, so that when users in AD are deleted, dangling references can be picked up.
  • Remove default domain concept
  • On deletion of domain in Cobalt, give option to delete all the domain data
  • Option to end all  cobalt logged in sessions of an operator, to allow an operator to logout from all browsers with a single action
  • There is also an option for an operator with appropriate rights  to end sessions of another Cobalt operator.
Posted on

Creating & Managing a Security Label Policy (new whitepaper)

Security Labels are a key component of systems providing security, particularly for military and government use where they are used to provide protective marking on information and as the basis for access control. Security Label Policy (generally simply termed “security policy” in most security label standards) controls the detailed structure of security labels and how they are used to provide access control.

A new whitepaper on the Isode website explains our open standards approach to supporting security policies in extremely complex environments. It also shows how our tools can be used to support simple environments using open standards, avoiding the need for a proprietary approach.

The whitepaper introduces some of the key concepts in this area and then describes the capabilities of Isode’s Security Policy Information File (SPIF) Editor in a way that enables a quick evaluation of the product.

Whitepaper Update

We’ve also made significant updates to an earlier whitepaper Using OSCP, LDAP & HTTP for Certificate Checking in a Large Scale Distributed Environment and over Constrained Networks adding a new section, Management Tools, that illustrates our product capabilities in this area.