IBM Verify

  • 1.  ISAM: Unable to register FIDO U2F key

    Posted Sat October 12, 2019 05:54 AM
    Hello all,

    I have two ISAM version 9.0.7 environments. First one is a fresh built-from-scratch appliance. The second one is upgraded from 9.0.4. I have configured the FIDO Universal 2nd Factor authentication mechanism on both the appliances.

    In the first environment (9.0.7 built-from-scratch), I am able to register FIDO U2F Yubikey successfully. However, I am not able to register it with the second environment (9.0.4 upgraded to 9.0.7).

    In the trace.log, the following errors are observed (pasted just the main lines and skipped the ones which were defining the class names/stack trace)

    7004 [10/12/19 14:32:15:660 PKT] 00000ad6 id=00000000 com.tivoli.am.fim.u2f.U2FManager I getTokensForUser com.ibm.db2.jcc.am.SqlSyntaxErrorException: "SAMAAC.FIDO_AUTHENTICATORS" is an undefined name.. SQLCODE=-204, SQLSTATE=42704, DRIVER=4.23.42
    7089 [10/12/19 14:32:15:661 PKT] 00000ad6 id=00000000 com.tivoli.am.fim.u2f.U2FManager I getTokensForUser com.tivoli.am.fim.u2f.exception.U2FInternalException: FBTU2F003E The retrieval of the resource failed.
    7155 Caused by: com.ibm.db2.jcc.am.SqlSyntaxErrorException: "SAMAAC.FIDO_AUTHENTICATORS" is an undefined name.. SQLCODE=-204, SQLSTATE=42704, DRIVER=4.23.42
    7262 [10/12/19 14:32:15:663 PKT] 00000ad6 id=00000000 .tivoli.am.fim.authsvc.protocol.delegate.RestAuthSvcDelegate I processRequest(FederationManagerContext, ProtocolActionChain) java.lang.RuntimeException: com.tivoli.am.fim.u2f.exception.U2FInternalException: FBTU2F003E The retrieval of the resource failed.
    7263 at com.tivoli.am.fim.authsvc.action.authenticator.u2f.U2FWorker.getTokens(U2FWorker.java:231)

    What could be the reason? Are there any other configurations that need to be done for the appliance that is upgraded? Hope to hear from you.

    Regards,



    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM: Unable to register FIDO U2F key

    Posted Sat October 12, 2019 06:12 AM

    Hello,

    Are you using an external runtime database with the upgraded system? If so, you probably need to update the database schema to the 9.0.7.0 level.

    Database update files are available in the file downloads section of the LMI.

    See https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/productoverview/task/tsk_upgrading.html

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
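    A small triage script for trace.log output like the one quoted in the question, added here as an example and not part of this thread or of IBM's product: it pulls every DB2 SQLCODE -204 (undefined name) entry, records which ISAM component hit it, and, when the missing object lives in the runtime schema (assumed here to be SAMAAC, as in the quoted log), points at the schema-update step from the reply above. The lines in SAMPLE are constructed from the ones quoted in the question.

```python
import re
from collections import defaultdict

# DB2 JCC message shape seen in the thread:
#   "<SCHEMA>.<OBJECT>" is an undefined name.. SQLCODE=-204, SQLSTATE=42704
UNDEFINED_NAME = re.compile(
    r'"(?P<schema>[A-Z0-9_]+)\.(?P<object>[A-Z0-9_]+)" is an undefined name\.\.'
    r'\s*SQLCODE=(?P<sqlcode>-?\d+), SQLSTATE=(?P<sqlstate>\w+)'
)
# Logging component (Java class) between the thread id and the level letter,
# e.g. "... 00000ad6 id=00000000 com.tivoli.am.fim.u2f.U2FManager I ..."
COMPONENT = re.compile(r'\] \w+ id=\w+ (?P<component>[\w.]+) [A-Z] ')

def find_undefined_objects(lines):
    """Return {"SCHEMA.OBJECT": set(components)} for each SQLCODE -204 entry."""
    hits = defaultdict(set)
    for line in lines:
        m = UNDEFINED_NAME.search(line)
        if not m or m.group("sqlcode") != "-204" or m.group("sqlstate") != "42704":
            continue
        # "Caused by:" continuation lines carry no component; label them "unknown"
        c = COMPONENT.search(line)
        hits[f'{m.group("schema")}.{m.group("object")}'].add(
            c.group("component") if c else "unknown")
    return dict(hits)

def diagnose(lines, runtime_schema="SAMAAC"):
    """Turn each missing object into a remediation hint (assumed schema name)."""
    findings = []
    for obj, components in sorted(find_undefined_objects(lines).items()):
        users = ", ".join(sorted(components))
        if obj.split(".")[0] == runtime_schema:
            findings.append(f"{obj} is missing (hit by {users}): runtime database "
                            "schema is behind the appliance firmware; apply the "
                            "database update scripts from the LMI file downloads.")
        else:
            findings.append(f"{obj} is missing (hit by {users}): not a runtime-schema "
                            "object, investigate separately.")
    return findings

# Constructed sample, modelled on the trace.log lines quoted in the question.
SAMPLE = [
    '7004 [10/12/19 14:32:15:660 PKT] 00000ad6 id=00000000 com.tivoli.am.fim.u2f.U2FManager I getTokensForUser com.ibm.db2.jcc.am.SqlSyntaxErrorException: "SAMAAC.FIDO_AUTHENTICATORS" is an undefined name.. SQLCODE=-204, SQLSTATE=42704, DRIVER=4.23.42',
    '7089 [10/12/19 14:32:15:661 PKT] 00000ad6 id=00000000 com.tivoli.am.fim.u2f.U2FManager I getTokensForUser com.tivoli.am.fim.u2f.exception.U2FInternalException: FBTU2F003E The retrieval of the resource failed.',
    '7155 Caused by: com.ibm.db2.jcc.am.SqlSyntaxErrorException: "SAMAAC.FIDO_AUTHENTICATORS" is an undefined name.. SQLCODE=-204, SQLSTATE=42704, DRIVER=4.23.42',
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```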



  • 3.  RE: ISAM: Unable to register FIDO U2F key

    Posted Sat October 12, 2019 08:17 AM
    Thank you Jon.

    I have updated the database schema and now the error which was coming in the browser trace has gone. But still I was not able to register the Yubikey because I think the template files are old. Do they also need to be updated?

    I couldn't check the trace.log at the moment, will check once I get back to the environment.

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 4.  RE: ISAM: Unable to register FIDO U2F key

    Posted Sat October 12, 2019 08:23 AM
    Yes, when you upgrade, the template pages are not replaced with new versions because of the risk of overwriting customisations you might have made.

    The newer version files are also available for download from the LMI file downloads. You can use these to replace the older templates as required.

    Also worth noting that the new FIDO2 support in 9.0.7.0 is backward compatible with U2F. Might be worth moving over to that while you're upgrading - but up to you.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: ISAM: Unable to register FIDO U2F key

    Posted Sat October 12, 2019 12:37 PM
    Okay. I understand. Thanks. I will upload the new template files and try to register the authenticator again. I hope it will work with the new template files.

    Yes, you are right. We have this planned as part of the upgrade process. We are moving over to FIDO2 and also procuring the FIDO2 compliant tokens.

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------