What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Jens, where do I see the interfaces of the containers in LMI?

Internal IP of the WebSEAL container (container name = ISVAWRPRP1) seems to be 172.20.0.6 while for the LMI (container name = ISVACOFIG) it seems to be 172.20.0.2.  They both have a Gateway of 172.20.0.1.  This is the information I got from Docker Desktop.

When I tried to use 172.20.0.6 in the LMI as the network-interface I got the same error - Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 172.20.0.6

From Docker installation perspective what's really considered a secondary interface?  Do I need to have another instance/container running for the Reverse Proxy/WebSEAL just like ISVAWRPRP1?  This will have a separate internal IP and external port on host, not sure LMI will accept that IP address either.  How does LMI validate the ip address of the WebSEAL that we enter in the config file?  Are there any network settings to register valid RP addresses in LMI?  Really trying to understand the concept of secondary interface in general for final deployment and for Docker installation in particular for functional/lower lane testing.

Also, the port mapping of the LMI and WebSEAL containers is as below:

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 02, 2024 05:29 AM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

The mention of "reverse proxy" in this post caught my attention. FWIW, we are using NGINX Plus as the "reverse proxy/ingress controller" for our containerized (Docker) workloads. It turns out that NGINX-Plus has published configuration information whereby their proxy can be easily configured to use most OIDC authentication providers (Ping/Okta/Auth0 etc.) I followed their recipe for one of these but adapted it to point to the IBM Verify endpoints and it works very well. The net effect I was after is to have the ingress controller handle the authentication tasks (redirects/JWT validation/token expireation/renewal etc.) rather than having every upstream app have to deal with it. The net result is that the container service doesn't have to "sweat" or know OIDC handshaking. The traffic only gets there and delivers the JWT payload for consumption if the authentication is established. Also, I don't have to worry with any of the container internals (networks/addresses and the like) because all of that remains internal to the containers. This decoupling of authentication from the application is a HUGE maintenance labor saver. In addition, the proxy is designed to do all this VERY efficiently, much more so than you can do in your app code. If you are using containers, there's a good chance that you already are familiar with NGINX. This OIDC feature requires the PLUS version which has a number of other performance enhancements as well. FWIW, I'm a believer in letting the ingress controller handle all the authentication. Your app still has to provide whatever means of access control to manage what the authenticated user can do but then that's always app specific anyway and it's appropriate work for each app. But AUTHENTICATION (determination that you are who you say you are) is the same regardless of application. Those are separate concerns and if you are trying to leverage an authentication product (IBM Verify) to manage ACCESS control then it gets very messy.  I strongly recommend separating those concerns entirely as they are inherently orthogonal. In this case, our Docker workloads never "see" unauthenticated traffic from the proxy. They only recieve properly authenticated HTTP requests with the identity already parsed out of the JWT and in the request header. It's simply elegant. Let your ingress controller take care of AUTHENTICATION. It's a load off the shoulders of your developers.

Don Babcock, P.E.

Hi Jens, where do I see the interfaces of the containers in LMI?

Internal IP of the WebSEAL container (container name = ISVAWRPRP1) seems to be 172.20.0.6 while for the LMI (container name = ISVACOFIG) it seems to be 172.20.0.2.  They both have a Gateway of 172.20.0.1.  This is the information I got from Docker Desktop.

When I tried to use 172.20.0.6 in the LMI as the network-interface I got the same error - Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 172.20.0.6

From Docker installation perspective what's really considered a secondary interface?  Do I need to have another instance/container running for the Reverse Proxy/WebSEAL just like ISVAWRPRP1?  This will have a separate internal IP and external port on host, not sure LMI will accept that IP address either.  How does LMI validate the ip address of the WebSEAL that we enter in the config file?  Are there any network settings to register valid RP addresses in LMI?  Really trying to understand the concept of secondary interface in general for final deployment and for Docker installation in particular for functional/lower lane testing.

Also, the port mapping of the LMI and WebSEAL containers is as below:

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 02, 2024 05:29 AM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hello Don,

thats a good point and true, while WebSEAL or VA could also take that job. But right, if you want all features of VA features it needs deep knowledge for customization. 

Anyway I think here it's more about running VA as containerized version rather than virtual appliance or hardware. What I wonder a bit is why it would take burden of your developers. WebSEAL as Ingres does exactly what NGINX does and will sends bearer token or header to backend apps usually.

The mention of "reverse proxy" in this post caught my attention. FWIW, we are using NGINX Plus as the "reverse proxy/ingress controller" for our containerized (Docker) workloads. It turns out that NGINX-Plus has published configuration information whereby their proxy can be easily configured to use most OIDC authentication providers (Ping/Okta/Auth0 etc.) I followed their recipe for one of these but adapted it to point to the IBM Verify endpoints and it works very well. The net effect I was after is to have the ingress controller handle the authentication tasks (redirects/JWT validation/token expireation/renewal etc.) rather than having every upstream app have to deal with it. The net result is that the container service doesn't have to "sweat" or know OIDC handshaking. The traffic only gets there and delivers the JWT payload for consumption if the authentication is established. Also, I don't have to worry with any of the container internals (networks/addresses and the like) because all of that remains internal to the containers. This decoupling of authentication from the application is a HUGE maintenance labor saver. In addition, the proxy is designed to do all this VERY efficiently, much more so than you can do in your app code. If you are using containers, there's a good chance that you already are familiar with NGINX. This OIDC feature requires the PLUS version which has a number of other performance enhancements as well. FWIW, I'm a believer in letting the ingress controller handle all the authentication. Your app still has to provide whatever means of access control to manage what the authenticated user can do but then that's always app specific anyway and it's appropriate work for each app. But AUTHENTICATION (determination that you are who you say you are) is the same regardless of application. Those are separate concerns and if you are trying to leverage an authentication product (IBM Verify) to manage ACCESS control then it gets very messy.  I strongly recommend separating those concerns entirely as they are inherently orthogonal. In this case, our Docker workloads never "see" unauthenticated traffic from the proxy. They only recieve properly authenticated HTTP requests with the identity already parsed out of the JWT and in the request header. It's simply elegant. Let your ingress controller take care of AUTHENTICATION. It's a load off the shoulders of your developers.

Don Babcock, P.E.

Hi Jens, where do I see the interfaces of the containers in LMI?

Internal IP of the WebSEAL container (container name = ISVAWRPRP1) seems to be 172.20.0.6 while for the LMI (container name = ISVACOFIG) it seems to be 172.20.0.2.  They both have a Gateway of 172.20.0.1.  This is the information I got from Docker Desktop.

When I tried to use 172.20.0.6 in the LMI as the network-interface I got the same error - Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 172.20.0.6

From Docker installation perspective what's really considered a secondary interface?  Do I need to have another instance/container running for the Reverse Proxy/WebSEAL just like ISVAWRPRP1?  This will have a separate internal IP and external port on host, not sure LMI will accept that IP address either.  How does LMI validate the ip address of the WebSEAL that we enter in the config file?  Are there any network settings to register valid RP addresses in LMI?  Really trying to understand the concept of secondary interface in general for final deployment and for Docker installation in particular for functional/lower lane testing.

Also, the port mapping of the LMI and WebSEAL containers is as below:

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 02, 2024 05:29 AM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hello Don,

thats a good point and true, while WebSEAL or VA could also take that job. But right, if you want all features of VA features it needs deep knowledge for customization. 

Anyway I think here it's more about running VA as containerized version rather than virtual appliance or hardware. What I wonder a bit is why it would take burden of your developers. WebSEAL as Ingres does exactly what NGINX does and will sends bearer token or header to backend apps usually.

The mention of "reverse proxy" in this post caught my attention. FWIW, we are using NGINX Plus as the "reverse proxy/ingress controller" for our containerized (Docker) workloads. It turns out that NGINX-Plus has published configuration information whereby their proxy can be easily configured to use most OIDC authentication providers (Ping/Okta/Auth0 etc.) I followed their recipe for one of these but adapted it to point to the IBM Verify endpoints and it works very well. The net effect I was after is to have the ingress controller handle the authentication tasks (redirects/JWT validation/token expireation/renewal etc.) rather than having every upstream app have to deal with it. The net result is that the container service doesn't have to "sweat" or know OIDC handshaking. The traffic only gets there and delivers the JWT payload for consumption if the authentication is established. Also, I don't have to worry with any of the container internals (networks/addresses and the like) because all of that remains internal to the containers. This decoupling of authentication from the application is a HUGE maintenance labor saver. In addition, the proxy is designed to do all this VERY efficiently, much more so than you can do in your app code. If you are using containers, there's a good chance that you already are familiar with NGINX. This OIDC feature requires the PLUS version which has a number of other performance enhancements as well. FWIW, I'm a believer in letting the ingress controller handle all the authentication. Your app still has to provide whatever means of access control to manage what the authenticated user can do but then that's always app specific anyway and it's appropriate work for each app. But AUTHENTICATION (determination that you are who you say you are) is the same regardless of application. Those are separate concerns and if you are trying to leverage an authentication product (IBM Verify) to manage ACCESS control then it gets very messy.  I strongly recommend separating those concerns entirely as they are inherently orthogonal. In this case, our Docker workloads never "see" unauthenticated traffic from the proxy. They only recieve properly authenticated HTTP requests with the identity already parsed out of the JWT and in the request header. It's simply elegant. Let your ingress controller take care of AUTHENTICATION. It's a load off the shoulders of your developers.

Don Babcock, P.E.

Hi Jens, where do I see the interfaces of the containers in LMI?

Internal IP of the WebSEAL container (container name = ISVAWRPRP1) seems to be 172.20.0.6 while for the LMI (container name = ISVACOFIG) it seems to be 172.20.0.2.  They both have a Gateway of 172.20.0.1.  This is the information I got from Docker Desktop.

When I tried to use 172.20.0.6 in the LMI as the network-interface I got the same error - Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 172.20.0.6

From Docker installation perspective what's really considered a secondary interface?  Do I need to have another instance/container running for the Reverse Proxy/WebSEAL just like ISVAWRPRP1?  This will have a separate internal IP and external port on host, not sure LMI will accept that IP address either.  How does LMI validate the ip address of the WebSEAL that we enter in the config file?  Are there any network settings to register valid RP addresses in LMI?  Really trying to understand the concept of secondary interface in general for final deployment and for Docker installation in particular for functional/lower lane testing.

Also, the port mapping of the LMI and WebSEAL containers is as below:

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 02, 2024 05:29 AM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Jens, where do I see the interfaces of the containers in LMI?

Internal IP of the WebSEAL container (container name = ISVAWRPRP1) seems to be 172.20.0.6 while for the LMI (container name = ISVACOFIG) it seems to be 172.20.0.2.  They both have a Gateway of 172.20.0.1.  This is the information I got from Docker Desktop.

When I tried to use 172.20.0.6 in the LMI as the network-interface I got the same error - Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 172.20.0.6

From Docker installation perspective what's really considered a secondary interface?  Do I need to have another instance/container running for the Reverse Proxy/WebSEAL just like ISVAWRPRP1?  This will have a separate internal IP and external port on host, not sure LMI will accept that IP address either.  How does LMI validate the ip address of the WebSEAL that we enter in the config file?  Are there any network settings to register valid RP addresses in LMI?  Really trying to understand the concept of secondary interface in general for final deployment and for Docker installation in particular for functional/lower lane testing.

Also, the port mapping of the LMI and WebSEAL containers is as below:

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 02, 2024 05:29 AM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Narayan,

sry. read it on my phone mail and answered without seeing the trail. I haven't worked with container now. What I see from Johns explanation looks like you need for client auth with Certs. Regarding the ports, usually your container IP/Port is mapped to an external IP/Port on Docker, where Port can but must not be same. So it depends on your Docker config. This could also explain the IP problem. The internal net of your Docker container probably is different from the host network. At lmi you can see the interfaces of your container. Maybe you have a look what's the internal Ip of your WebSEAl Container there or use Docker tools. You can also use portioner as a LMI if you feel uncomfortable with Docker CLI.

------------------------------
Jens Petersen

Original Message:
Sent: Mon January 01, 2024 05:47 PM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

Hi Jens, LMI and WebSeal are running on the same computer right now using Docker.  LMI is at https://lmi.iamlab.ibm.com:3000 and RP/WebSeal is at https://www.iamlab.ibm.com:4000/.  both are on the same computer at IP 192.168.1.182.  I am not trying to install anything right now, all docker images are already installed.  How can I get the secondary interface to be configured correctly for the Prompt as needed option to work for cert based authentication?  That's where I am struggling with.  

------------------------------
Narayan Verma

Original Message:
Sent: Mon January 01, 2024 02:55 PM
From: Jens Petersen
Subject: Business need for Secondary Interface in Reverse Proxy

Usually you should have the management interface in a separated network. The warning just announces an overlap. You can use the override button to install anyway if you are sure about. 
be aware that the management interface exposes some critical services which shouldn't be exposed to a DMZ where the WebSEAL interfaces usually are placed. 

------------------------------
Jens Petersen

Original Message:
Sent: Fri December 29, 2023 09:59 AM
From: Narayan Verma
Subject: Business need for Secondary Interface in Reverse Proxy

What are the guidelines for configuring a secondary interface?  I am not able to save the IP address of the primary machine hosting the WebSEAL/reverse proxy.  When I try to save the config in LMI get this error:

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

for the following entry:

network-interface = 192.168.1.182 under [server]

Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

for the following entry:

interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes under [interfaces]

Currently I am running a container based installation of ISAM 10.0.0.6.  My reverse proxy container is running at https://192.168.1.182:4000/ or https://www.iamlab.ibm.com:4000  and 192.168.1.182 is the IP address of my primary desktop hosting the docker desktop.

Also, can my primary https port remain 443 even through I am accessing the WebSeal at port 4000 as in https://www.iamlab.ibm.com:4000 or should I change that to 4000?  This is currently how I have it:

[server]

https = yes

https-port = 443

Sorry, if this is duplicate post between browser not prompting for certificate thread that I started this month.  Wanted to see if my issue is related to secondary interface/port.

Thanks!

------------------------------
Narayan Verma

Original Message:
Sent: Tue January 05, 2021 04:36 AM
From: Jon Harry
Subject: Business need for Secondary Interface in Reverse Proxy

Secondary interfaces were mainly added in support of Virtual Host Junctions.  Before ability to present different server certificate based on incoming connection, it was common to use secondary interfaces (different IP addresses) for each Virtual Host Junction.  This is much less common now that different certificates can be presented per connection based on target host being available as part of TLS negotiation.

The main time secondary interfaces are used now is to support "prompt-as-needed" client certificate authentication on TLS sessions.

When "prompt-as-needed" function was first introduced, a TLS session could be initially set up with server-side certificate only and then later, as needed, be re-negotiated in order to require a client certificate for authentication.

Changes in browser functionality (led by Chrome) mean that it is now not always possible to force the re-negotiation of a TLS session that has already been established.  I think there is a security reason for this.  In order to support "prompt-as-needed" now, there is a requirement to set up a "secondary interface" (which has TLS set to "required") and configure this as part of the prompt-as-needed setup.  When client certificate authentication is triggered, the session is redirected to the secondary interface so that client certificate authentication can be performed.

Note: a secondary interface for the Reverse Proxy doesn't have to be a different IP address - it could just be a different port.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 10:00 AM
From: Joao Goncalves
Subject: Business need for Secondary Interface in Reverse Proxy

Why would you need a secondary interface defined on a Reverse Proxy?
Is it for load balancing? For increasing Bandwidth? I'm not sure if we can create a Link Aggregation in ISAM, but this could be a solution?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------