Experts David Cline and Ryan Babbitt discuss how Zero Trust Security…
In this age of internet security issues, it is an increasingly common task for Zirous’ clients to implement improved system security for their web-based applications and services. Often, a key component of this is to create a user self-service capability. Typical functions provided include:
- Change Password
- Forgot Password
- Modify Account Profile
- Forgot Username
- Request Access & Privileges
- Manage Requests
Basic information about the above functions can be found in Part 1 of this PWM Blog series, linked here.
As this sort of functionality becomes increasingly uniform on sites across the internet, it becomes clear that clients are often “recreating the wheel”; designing and implementing functionality that has been done countless times before in very similar ways. Enter PWM. An open source implementation of a password self-service module that provides common baseline functionality and can be readily customized for each client’s unique needs.
PWM is a stand-alone java web application with an interface written in JSP/HTML. It is designed to run against an LDAP repository (or database), which acts as a storage area for user data (i.e. user account information, user’s answers to challenge questions, etc). Initial configuration of the PWM web app is done using the PWM web application, itself.
Setup and Configuration
The PWM code base is straight-forward to set up. It can be downloaded from googlecode.com, loaded into an IDE such as eclipse, built and then deployed. Note that the necessary supporting libraries are not included with the PWM download (which is typical for open source projects and, in many cases, is a requirement of the licenses for the libraries) but they can be found on the web. The war file created using the default target of the provided ant script can be easily deployed to a web container.
Once the web app is built and deployed, configuration is required for the LDAP repository. This includes creating object types for the PWM user data to be stored in the LDAP repository and accounts for performing the data changes. Configuration is also required for the PWM application, both to inform it how to communicate with the LDAP repository and to customize its behavior in a variety of ways (including selecting which PWM functions to utilize and which optional behaviors to include, customizing internationalized text, and much more).
PWM is reportedly supported with several technologies, mostly open-source. It has been used with the Apache Tomcat web container for deployment of the PWM web application and has been exercised using several LDAP containers (e.g. generic LDAP, Directory 389, Novell eDirectory, Microsoft Active Directory and OpenLDAP). In some cases LDIF-formatted configuration files are provided with the PWM download as a starting point in configuring the LDAP repositories for use by PWM.
Zirous has also verified that PWM can be successfully used with some of the common Oracle products, notably Weblogic as a container for the PWM web application and Oracle Internet Directory (OID) and Oracle Unified Directory (OUD) as LDAP repositories.
The good, the bad and the… meh!
On the plus side, PWM provides a solid baseline implementation that seems to work. It provides a broad array of functions common to many self-service implementations, is readily customizable and extensible for unique requirements. The code base is still being actively expanded and refined. In addition to the self-service components, the web app provided includes functionality for configuration and customization.
On the darker side, PWM does not come configured for any kind of use out-of-the-box. While one would expect to have to configure the LDAP repository and to configure PWM to use it, it might also be expected that the PWM default configuration would correspond to the recommended LDAP configuration, though this is not the case. This means that the application is not even minimally usable (even for basic exploration and evaluation) until the user determines how to configure it all to work together. Disappointingly, the documentation provided leaves much to be desired in this regard (and others). The sole document provided with the download, an administration guide, is more suggestive than concrete. And there are no overview, architecture or feature documents. This makes getting started with PWM more complicated than it needs to be.
It should also be noted that the user component of the web interface for PWM, while it is functional and serves as a solid example of utilizing the PWM java code, is likely to be heavily modified for any client’s actual use. And, while new and improved features are likely on the PWM horizon, it may not be straight-forward to integrate them into a customized code base.
This package should offer a solid leg up to any client looking to create their own user self-service implementation. While the interface may be example quality, much of the underlying java code should be usable just as it comes and that is where the real meat and potatoes of PWM lies. Plan to spend some time on redeveloping an interface and in getting up to speed on the configuration. The effort should pay off by saving significant development effort on the underlying functions and result in a system that neatly meets much industry (de facto) standard functionality.
You can download PWM from https://code.google.com/p/pwm/.
You may benefit from the user documentation of a product developed using PWM. While it is not a 100% match to the current PWM version (or, likely, any PWM version), it offers significantly more by way of descriptive content about the features of PWM than anything PWM offers. Look here: https://www.netiq.com/documentation/sspr3/adminguide/