IBM Verify


ISAM decrypt iv-creds value

  • 1.  ISAM decrypt iv-creds value

    Posted Thu October 03, 2019 09:43 AM
    Hello all,

    We need to get the value of the header 'iv-creds' which webseal passes to the backend server. The default value is encrypted. Can we decrypt the value?

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM decrypt iv-creds value

    Posted Thu October 03, 2019 11:26 AM
    Hello Jahanzaib,

    iv-creds header is not encrypted - it is encoded (actually it's a Base-64 encoded ASN.1 object).
    The format isn't published so the only supported way to get information from it is to use the Java APIs that ship in the JDK.

    Really you don't want to go down this path unless you have to.

    If you want only a few attributes from the credential at the backend, use the WeBSEAL tag-value support to send these in HTTP headers which the back-end app can easily read.

    If you want more information than that (and you have the Federation add-on), use the "TFIM Junction" support to send a JSON Web Token to the backend.  This is a standard identity assertion object which you can more easily access.  It can also be signed and/or encrypted if you like.  See this blog post: https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/

    Cheers... Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
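    Jon's point that iv-creds is encoded rather than encrypted can be seen with a small DER TLV walker. This is an added example, not code from the thread or from IBM: it runs over a constructed DER blob (not a real iv-creds value), and since the real schema is unpublished it only recovers the nesting of tags and lengths, not their meaning, which is why a backend should rely on the supported mechanisms (tag-value headers, the JWT junction support, or the TAI plugin) instead of parsing the header itself.

```python
import base64

# Constructed sample, NOT a real iv-creds value: a DER SEQUENCE holding
# two UTF8Strings and one INTEGER. Total content length is 18 bytes.
SAMPLE_DER = (
    b"\x30\x12"         # SEQUENCE (constructed), 18 bytes of content
    b"\x0c\x05alice"    # UTF8String "alice"
    b"\x0c\x06admins"   # UTF8String "admins"
    b"\x02\x01\x2a"     # INTEGER 42
)
# What a header carrying that blob would look like on the wire.
SAMPLE_IV_CREDS = base64.b64encode(SAMPLE_DER).decode("ascii")


def read_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:               # short form: length fits in one byte
        return first, pos
    n = first & 0x7F               # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def walk_der(buf, depth=0, out=None):
    """Walk DER TLVs recursively.

    Returns a list of (depth, tag, length, value) tuples; value is None for
    constructed elements (their children are listed one level deeper).
    """
    if out is None:
        out = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = read_length(buf, pos + 1)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER element")
        pos += length
        constructed = bool(tag & 0x20)   # bit 6 of the tag octet
        out.append((depth, tag, length, None if constructed else bytes(value)))
        if constructed:
            walk_der(value, depth + 1, out)
    return out


def describe_iv_creds(header_value):
    """Base64-decode an iv-creds-style header value and list its DER layout."""
    return walk_der(base64.b64decode(header_value))
```

Running `describe_iv_creds(SAMPLE_IV_CREDS)` lists the outer SEQUENCE and its three children; on a real header the same walk shows only anonymous tags and lengths, which is all the unpublished format gives you.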



  • 3.  RE: ISAM decrypt iv-creds value

    Posted Sat October 05, 2019 10:39 AM
    Hi Jon,

    Thank you for your reply.

    Yes, we would not go for the Java APIs just for this particular requirement. I believe tag-value support will not work in our case because we need the user's identity information (username and password).

    I am interested in JWT but the client does not have the Federation add-on (I guess it's a separate license). So I have to think of some way of passing authenticated user information to the backend app, which can then use it to authenticate to ISIM at the backend for Web Services.

    I am thinking of using LTPA token for this purpose. WebSEAL will pass LTPA to the backend app which will use it to talk to ISIM Web Services. What do you think about it?

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 4.  RE: ISAM decrypt iv-creds value

    Posted Thu October 10, 2019 02:16 AM
    Hi Jahanzaib,

    First you need to determine how you can authenticate to these ISIM web services. As far as I remember, these required a username and a password, and LTPA was not supported. Please verify for your release of ISIM.

    Assuming these ISIM web services do need a username and password, then how are you going to pass the password to the backend? Except for the GSO Lock Box mechanism, which implies the sync'ing of passwords and thus is a pain, there is no out-of-the-box way of passing a password over a junction. In other words: sending over a JWT won't help you either - the password simply isn't in the ISAM credential.

    You may have to fall back to using a 'technical account' like 'itim manager' (or so...) to authenticate to the ISIM web services.

    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 5.  RE: ISAM decrypt iv-creds value

    Posted Fri October 11, 2019 11:54 AM
    Hi Peter,

    Thank you for your reply. We are using the latest version of ISIM which is version 7.0.1.13. As per my current understanding, this version supports LTPA as well for authentication. That's why I am thinking of utilizing this feature. I have not tested it but this is what I read. Also, I am not sure whether this method is for authentication to consoles only or will it work for web services as well.

    Yes, we might have to fall back to using the itim manager or another service account, but before that, I want to explore other options and the best practices for such a use case.

    We have TAI implemented for giving Single Sign-on to the ISIM console if the user is coming from WebSEAL. Can we use this concept in web service calls as well? Assuming we call the web service endpoints through WebSEAL, we authenticate at the WebSEAL level using any supported mechanism (basic auth, OAuth, etc.) and then WebSEAL gives Single Sign-on, returning the session handle which we can then use for the subsequent web service calls? Would that be possible?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 6.  RE: ISAM decrypt iv-creds value

    Posted Fri October 11, 2019 04:03 AM
    Hi Jahanzaib,

    Please use the standard instructions for SSO of ISIM with ISAM that uses the ISAM TAI plugin, e.g. see https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.13/com.ibm.isim.doc/securing/cpt/cpt_ic_security_sing_tai_oview.html.
    There should be no need to decode the iv-creds yourself, leave it to the plugin. If you follow the instructions, the WebSphere application server under ISIM will set the LTPA cookie for you. There is an option to keep this cookie in the WebSEAL cookie jar for the user if you like.

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 7.  RE: ISAM decrypt iv-creds value

    Posted Fri October 11, 2019 12:02 PM
    Hi Peter,

    Thank you for the reply. Yes, we have the ISIM TAI configured with ISAM and it gives single sign-on to users coming from WebSEAL. But this works for the consoles. Are you saying that this will work for the web services as well?

    I have tested a scenario with SOAP UI in which I have tried to call the WSSessionService endpoint through WebSEAL, but I am not getting the session handle. I authenticate at the WebSEAL level by passing the basic auth header. ISAM authentication succeeds, but the ISIM web service returns an error that the username and password are null. If I supply the username and password for ISIM in the SOAP message, then I receive the session handle. In this case, SSO is not working. What are your thoughts on this?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 8.  RE: ISAM decrypt iv-creds value

    Posted Mon October 14, 2019 02:34 AM
    Hi Jahanzaib,

    How are you passing the username/password to the ISIM webservice?
    In other words: what type of junction did you use?  Some ways of doing so are: "client identity in BA headers" or "client identity with fixed password".
    The error you get indicates that no identity information is passed to the ISIM webservice endpoint -> please verify this with pdweb.debug traces.

    Kind regards, Peter


    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 9.  RE: ISAM decrypt iv-creds value

    Posted Mon October 14, 2019 02:50 AM
    Hi Peter,

    I am passing the username and password by using the "client identity with fixed password" method. I configured it by following the steps here as part of the TAI configuration.

    As this is working for ISIM Consoles, I believe identity information is passed successfully, so shouldn't it also work for ISIM webservice endpoint?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 10.  RE: ISAM decrypt iv-creds value

    Posted Mon October 14, 2019 03:59 AM
    Hi Jahanzaib,

    I'm not 100% sure what you are trying to achieve.
    My understanding is that the credentials for the call to the WSSessionService web service are passed as part of the SOAP message. That's different from passing credentials over a junction: that will not change the SOAP message, but instead manages the BA HTTP header "Authorization". There is no (easy) way to have WebSEAL inject credentials into the body of such an applicative SOAP message. The way credentials are passed for this web service is quite different from the ISIM console, where TAI can be used.
    Note: I used this link to get a better insight into the ISIM web services: https://www.youtube.com/watch?v=SFZjhOqbeA0

    Hope this helps.

    Kind regards, Peter




    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 11.  RE: ISAM decrypt iv-creds value

    Posted Mon October 14, 2019 05:51 AM
    Hi Peter,

    I am trying to achieve Single Sign-on to ISIM web services from my custom portal which is behind WebSEAL. The flow is as follows:

    1) User authenticates to WebSEAL
    2) User accesses my custom portal through a junction
    3) The page on my portal allows the user to request an account on ISIM. When the user presses the request account button, the Java code in my custom portal calls the web service. Now, at this stage, my code needs to pass credentials in the SOAP message. I need to get the credentials somehow from WebSEAL, which is not possible. Whereas getting an LTPA token from WebSEAL is possible, that's why I believe I can get the LTPA token from WebSEAL and inject it in the SOAP Request Header when creating the SOAP request. I got to this understanding by reading the Web Services Single Sign-on configuration explained here. Is my understanding correct?

    I hope now you understand what I am trying to achieve. Hope to hear your comments.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 12.  RE: ISAM decrypt iv-creds value

    Posted Tue October 15, 2019 02:52 AM
    Hi Jahanzaib,

    It's now clear what you are trying to do. I suggest you carefully follow the instructions on the SSO link and do some deeper troubleshooting to pinpoint the problem:
    - Do you see the LTPA token going over the line in the SOAP message?
    - Is the LTPA token a valid token for the ISAM web service? For the correct domain?
    - What does the log/trace on the ISIM side say?
    - ...


    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 13.  RE: ISAM decrypt iv-creds value

    Posted Tue October 15, 2019 03:41 AM
    Hi Jahanzaib,

    In addition to the suggestions of Peter Volckaert, did you create a separate account for your portal?

    Since the portal is creating a separate session to ISIM, you would need 2 accounts: 1 (in the ISAM registry) for the WebSEAL API call (to be put in the BA header) and one in ITIM (with correct privileges) in the SOAP message body to call the WebService (in the login flow). If either of those is to be the user that logged on to WebSEAL, you cannot use this for the BA header (as it requires a password, which you do not have and cannot replace with a dummy password), so please configure a separate user for the portal service.

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 14.  RE: ISAM decrypt iv-creds value

    Posted Fri March 25, 2022 06:11 AM
    I know that thread is quite old, but I would like to check:
    Is it possible today (with ISVA 10 and newer) to use a JWT header for sending credentials to a junctioned server, with the ISAM base module only (no federation license)?

    https://www.ibm.com/docs/en/sva/10.0.0?topic=overview-whats-new-in-this-release

    Thanks,

    Mita


  • 15.  RE: ISAM decrypt iv-creds value

    Posted Fri March 25, 2022 01:15 PM
    Mita,

    Yes, this is possible in v10.x (at least in 10.0.2.0 that I am checking):

    #
    # The JWT stanza is used to control the generation of JSON Web Tokens for the
    # specified junction.  The '{jct-id}' refers to the junction point for a
    # standard junction (include the leading '/'), or the virtual host label for a
    # virtual host junction.
    #

    [jwt:<jct-id>]

    You don't get as much control as you would using the "TFIM Junction" approach and STS but hopefully it will be enough for most standard use cases.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 16.  RE: ISAM decrypt iv-creds value

    Posted Sat March 26, 2022 03:21 AM
    Thanks!