Transcription

IBM Security Access Manager
for Versions 9.0.6.0

IBM Security Access Manager Multi-factor Authentication API
Version 1.0.0

IBM Security App Exchange Installer for ISAM Authentication API
Integration Guide

Contents

PREFACE 4
  Access to publications and terminology 4
  Publication Library 4
  IBM Terminology website 5
  Accessibility 5
  Technical Training 5
  Support information 5
  Statement of Good Security Practices 5
INTRODUCING THE INTEGRATION 6
  Introduction 6
  Integration Product Contents 6
  Before you start 6
IBM SECURITY ACCESS MANAGER CONFIGURATION 8
  ISAM Runtime Component Configuration 8
  ISAM ACL Creation 8
RUNNING THE INSTALLATION SCRIPT 9
  Extracting the application and installer zip files 9
  Running the installer script 9
  Example install on a clean environment 10
  Example install on an IBM Verify environment 10
  Verifying Output of the setup script 10
  Usage and Advanced Configuration Options 11
TESTING THE INSTALLATION 15
ADDING A NEW AUTHENTICATION MECHANISM 15
CONFIGURATION TASKS 16
  OAuth Backchannel 16
  Default Reverse Proxy Instance 16
  SCIM Configuration 17
  Mobile Multi-factor Authentication (MMFA) 17
  Mobile Multi-factor Authentication (MMFA) for APIMFA 19
  FIDO U2F Authentication 19
  Common Components 19
ERROR MESSAGE REFERENCE 20
  Python 2.7 errors 20
  Checking your Python version 20
  Security Access Manager Appliance Connectivity 20
NOTICES 21
TRADEMARKS 24

Copyright IBM Corporation 2017, 2018. All rights reserved.

Preface

Access to publications and terminology

The following publications complement the information contained in this document.

Publication Library

These publications complement the information that is contained in this publication:

Base Information
• IBM Tivoli Access Manager Base Installation Guide
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.
• IBM Security Access Manager Base Administrator's Guide
  Describes the concepts and procedures for using Access Manager services. Provides instructions for managing tasks from the Web portal manager interface and by using the pdadmin command.

WebSEAL Information
• IBM Security Access Manager WebSEAL Installation Guide
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.
• IBM Security Access Manager WebSEAL Administrator's Guide
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Security Access Manager WebSEAL Developer's Reference
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Web Gateway Appliance Information
• IBM Security Access Manager Web Gateway Appliance Administration Guide
  Provides information about configuring and maintaining a Security Access Manager environment.
• IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy
  Provides configuration procedures and technical reference information for the Web Gateway Appliance.
• IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference
  Provides a complete stanza reference for the Web Gateway Appliance Web Reverse Proxy.

Mobile Information
• IBM Security Access Manager for Mobile Administration Guide
  Describes how to manage, configure, and deploy an existing IBM Security Access Manager environment.
• IBM Security Access Manager for Mobile Configuration Guide
  Explains how to complete the initial configuration of IBM Security Access Manager for Mobile.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website online.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical Training

For technical training information, see the IBM Education website.

Support information

IBM Support provides assistance with code-related problems and routine, short-duration installation or usage questions. You can directly access the IBM Software Support site.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Introducing the Integration

Introduction

IBM Security Access Manager (ISAM) contains authentication mechanisms and policies that can be integrated into new or existing web applications to provide multi-factor authentication. This integration provides a method that allows these strong authentication policies to be used to provide multi-factor authentication to traditional mainframe-style applications.

The strong authentication is implemented by creating an OAuth backchannel between the application and the ISAM appliance. A user generates an expiring one-time password (OTP) that they use as the password to the application. The application must then use the OAuth backchannel so that the ISAM appliance can validate the OTP and log in the user.

You must have an ISAM environment with Advanced Access Control enabled to use this integration. The application must be configured to allow OAuth communication with the ISAM appliance.

The installer for this application allows one or both of Mobile Multi-factor Authentication using IBM Verify and authentication using a FIDO U2F token. These are provided as examples of two common authentication mechanisms. Other mechanisms will also work but are not supported as part of the installer.

The installation has been tested against the following environments:
1. A clean ISAM appliance install with:
   a. Base and Advanced Access Control activated
   b. The runtime component configured against the embedded LDAP
   c. The required ACLs created
2. An ISAM appliance that has been set up following the IBM Verify Cookbook.

Although these were the main environments tested, the installation script is flexible enough to work with most environments. See the list of parameters and their descriptions to plan the installation for any environment.

Integration Product Contents

The integration solution is packaged as a compressed file. The package contains the following files:

File Name             Description
isam_apimfa_appx.pdf  This integration guide.
isam_apimfa_appx.zip  Packaged ISAM App Exchange App for automated deployment, configuration and templating for use with the AppX Installer Python script. Extract this zip before executing the installer script.

Table 1: Integration Package contents

Before you start

This integration guide details, at a high level, the steps that are required to achieve this integration in your environment.

This guide does not cover the configuration of the entire environment. In particular, the following product installations and configurations must already be complete:
• IBM Security Access Manager
  o IBM Security Access Manager Web Reverse Proxy
  o IBM Security Access Manager Advanced Access Control
• IBM Security Appx Installer version 1.0.2
  o Download the appx installer from the App Exchange
  o Ensure that the prerequisites are met for the appx installer as per the documentation for that application

IBM Security Access Manager Configuration

Complete the following configuration steps on the IBM Security Access Manager appliance prior to installing the integration:
1. ISAM Runtime Component Configuration
2. ISAM ACL creation

Note that if the ISAM appliance has been set up using the IBM Verify cookbook, these tasks will already have been completed.

ISAM Runtime Component Configuration

The ISAM runtime component must be configured before the integration is installed. To perform this configuration, use the ISAM local management interface:
1. Using the menu, select Secure Web Settings — Runtime Component
2. Click the Configure button and follow the wizard steps

ISAM ACL Creation

The integration requires some existing ACL entries. Ensure that the following ACLs exist prior to installing the integration and have the permissions shown.

isam_mobile_anyauth
  o any-other Tr
  o User sec_master TcmdbsvaBRrxl
  o unauthenticated T
  o Group iv-admin TcmdbsvaBRrxl
  o Group webseal-servers Tgmdbsrxl
isam_mobile_nobody
  o any-other T
  o User sec_master TcmdbsvaBRrxl
  o unauthenticated T
  o Group iv-admin TcmdbsvaBRrxl
  o Group webseal-servers Tgmdbsrxl
isam_mobile_rest
  o any-other Tmdr
  o User sec_master TcmdbsvaBRrxl
  o unauthenticated T
  o Group iv-admin TcmdbsvaBRrxl
  o Group webseal-servers Tgmdbsrxl
isam_mobile_unauth
  o any-other Tr
  o User sec_master TcmdbsvaBRrxl
  o Group iv-admin TcmdbsvaBRrxl
  o Group webseal-servers Tgmdbsrxl
  o unauthenticated Tr
isam_mobile_rest_unauth
  o any-other Tmdrxl
  o User sec_master TcmdbsvaBRrxl
  o Group iv-admin TcmdbsvaBRrxl
  o Group webseal-servers Tgmdbsrxl
  o unauthenticated Tmdrxl

The attachment of these ACLs is described later in this document.
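As an added pre-installation check that is not part of the integration package, the script below parses the output of `pdadmin acl show <name>` for each of the five ACLs above and reports any entry whose permission bits differ from the table, including extra entries that would widen access. The "ACL Name / Entries:" layout of the pdadmin output is an assumption, and the sample output embedded in the script is constructed rather than captured from an appliance.

```python
import re

def required(any_other, unauth):
    # sec_master, iv-admin and webseal-servers carry the same bits in all five ACLs
    return {"Any-other": any_other, "Unauthenticated": unauth,
            "User sec_master": "TcmdbsvaBRrxl", "Group iv-admin": "TcmdbsvaBRrxl",
            "Group webseal-servers": "Tgmdbsrxl"}

REQUIRED_ACLS = {  # required entries, taken from the ACL table in this guide
    "isam_mobile_anyauth": required("Tr", "T"),
    "isam_mobile_nobody": required("T", "T"),
    "isam_mobile_rest": required("Tmdr", "T"),
    "isam_mobile_unauth": required("Tr", "Tr"),
    "isam_mobile_rest_unauth": required("Tmdrxl", "Tmdrxl"),
}

# One line of the Entries: block, e.g. "User sec_master TcmdbsvaBRrxl" or "Any-other Tr"
ENTRY_RE = re.compile(r"^\s*(User|Group|Any-other|Unauthenticated)(?:\s+(\S+))?\s+(\S+)\s*$")

def parse_acl_show(text):
    """Return {entry: permission bits} from `pdadmin acl show` output (layout assumed)."""
    entries, in_entries = {}, False
    for line in text.splitlines():
        if line.strip() == "Entries:":
            in_entries = True
        elif in_entries and (m := ENTRY_RE.match(line)):
            kind, name, perms = m.groups()
            entries[kind if name is None else f"{kind} {name}"] = perms
    return entries

def check_acl(name, show_output):
    """List deviations from the guide for ACL `name`; an empty list means it matches."""
    want_all, got_all, findings = REQUIRED_ACLS[name], parse_acl_show(show_output), []
    for entry, want in want_all.items():
        got = got_all.get(entry)
        if got is None:
            findings.append(f"{name}: missing entry {entry!r} (want {want})")
        elif set(got) != set(want):  # bit order is irrelevant, the set of bits is not
            findings.append(f"{name}: {entry!r} has {got}, want {want}")
    for entry in got_all.keys() - want_all.keys():  # extra entries widen access
        findings.append(f"{name}: unexpected entry {entry!r} ({got_all[entry]})")
    return findings

# Constructed sample output: isam_mobile_rest with any-other granted more than Tmdr
SAMPLE_REST = """\
    ACL Name: isam_mobile_rest
    Entries:
        User sec_master TcmdbsvaBRrxl
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        Any-other Tmdrxl
        Unauthenticated T
"""
```

On a live system, feed `check_acl` the text returned by `pdadmin -a sec_master -p <password> acl show <name>` for each key of `REQUIRED_ACLS`; the sample above yields one finding for the over-permissive any-other entry.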

Running the Installation Script

This section describes the installation of the integration.

Extracting the application and installer zip files

Having downloaded the IBM Security Multi-factor Authentication API application and the ISAM AppX Installer App, extract the isam_apimfa_appx.zip file into a new directory. Once this is complete, the next step is to extract the isam_appx_installer.zip file into the same directory. Amongst other files and directories, the root of the new directory should now contain:

Filename           Description
setup.sh           The setup script used to install the application. Requires the appx_installer.py file.
appx_installer.py  The appx installer. This is not run directly to install the application but is instead called indirectly from the setup script.

Table 2: Directory files

Running the installer script

Having extracted the application and installer zip files into a new directory, execute the setup script to install the application by configuring the IBM Security Access Manager appliance. For example:

# ./setup.sh

The setup script can be run in 2 different ways:
1. Interactive mode. In this mode the user is prompted to enter the required configuration options. Some of these have default values whilst others are mandatory.
   Example:
   ./setup.sh -I
2. Non-interactive mode. In this mode all of the configuration options are specified up front. Some of these have default values whilst others are mandatory.
   Example:
   ./setup.sh --lmihost isam.test.ibm.com --lmipwd Passw0rd --policypwd Passw0rd --proxyip 192.168.42.102 --rthost www.test.ibm.com --easuserpwd passw0rd --oauthclientsecret passw0rd --ldappwd Passw0rd

Example install on a clean environment

One of the tested environments mentioned above was a clean ISAM appliance with:
1. Base and Advanced Access Control activated
2. The runtime component configured against the embedded LDAP
3. The required ACLs created

In this environment all of the configuration tasks need to be performed. To set up both MMFA and FIDO U2F authentication, the setup script command would be:

./setup.sh --lmihost isam.test.ibm.com --lmipwd passw0rd --policypwd passw0rd --proxyip 192.168.42.102 --rthost www.test.ibm.com --easuserpwd passw0rd --createdefault true --oauthclientsecret passw0rd --ldappwd Passw0rd

Example install on an IBM Verify environment

One of the tested environments mentioned above was an ISAM appliance that had been set up following the IBM Verify Cookbook. In this environment the MMFA tasks and default instances are already set up and can be skipped. Also, the OAuth backchannel will need to listen on a non-default port. The script command would be:

./setup.sh --lmihost isam.test.ibm.com --lmipwd Passw0rd --policypwd Passw0rd --proxyip 192.168.42.102 --rthost www.test.ibm.com --easuserpwd Passw0rd --createdefault false --configdefault false --configscim false --oauthproxy backchannel --oauthhttpsport 445 --oauthlistport 7236 --oauthclientsecret passw0rd --enablemmfa true --mmfaproxy mobile --createmobile false --configmmfa false --configmmfaapimfa true

Note: This installation assumes that the environment has been set up by following the IBM Verify Cookbook.
Please ensure that all of the steps in the cookbook have been completed prior to running the above installation script.

Verifying Output of the setup script

The setup script updates the configuration of the IBM Security Access Manager appliance for use with this application. Ensure the script completes successfully and check for any errors or warnings in the output:

Starting App Deployment
2017-11-28 13:48:13,215 - AppX - INFO - replace config variables
2017-11-28 13:48:13,216 - AppX - INFO - App Name: IBM Security App Exchange Partner Application
2017-11-28 13:48:13,216 - AppX - INFO - replace original manifest.
2017-11-28 13:48:13,216 - AppX - INFO - Connecting to ISAM at 'https://isam903lmi.mysecure.org'
2017-11-28 13:48:13,903 - AppX - INFO
2017-11-28 13:48:22,868 - AppX - INFO - Deploying changes.
Complete

Usage and Advanced Configuration Options

The following table lists and describes all of the configuration parameters for running the setup script.

Parameter        Mandatory  Default  Description
--policypwd      Yes
--domain         No
--proxyip        Yes                 Listening IP address of the reverse proxy instances.
--rthost         Yes                 Advanced Access Control runtime listening interface hostname.
--easuserpwd     Yes                 Advanced Access Control runtime easuser password.
--defaultproxy   No         default  The name of the default reverse proxy instance.
--createdefault  No         false    Boolean flag indicating whether or not to create the default reverse proxy instance. Only set this to true if the instance does not already exist.