IBM Verify

  • 1.  ISVA runtime behind a proxy using virtual hostnames (SNI) - Will it work?

    Posted Mon March 06, 2023 05:17 PM

    Is anyone aware whether the WebSEAL configuration to utilize the RTSS (not sure if this is considered an EAS), specifically the servers listed in the tfim-cluster and rtss-cluster stanzas, will send the hostname in the TLS SNI header?

    I know I can get SNI working on the junction going to the RTSS, as we can with any other backend today.  But integrating with the RTSS for OAuth and MFA purposes is a bit more than just the junction, and of course it has a different configuration inside the WebSEAL conf file.

    I have not tested this yet, but the reason I want to know is that I would like to place the ISVA runtime behind an OpenShift SSL passthrough route, which utilizes SNI.  We use these today on our dev environments for getting traffic into our web reverse proxy instances, since the client browsers do send the SNI header, and it works great even with x509 mTLS client cert authentication.  However, I have a need to place the runtime behind one of these routes to try to eliminate some extra networking we are currently utilizing to expose the runtime via other methods, to allow traffic from WebSEALs in one network to get to the runtime in a different network.

    I know for the DSC this will not work (unless it has changed in future versions).  In the past I tried to place the DSC servers behind a passthrough route and WebSEAL could not reach the DSC servers/instances.  I always suspected this was because WebSEAL was more than likely not sending the SNI header when contacting the DSC.  So this is why I am specifically asking about the runtime right now (although if this has changed for the DSC please let me know, as that would be another one I could utilize the passthrough routes for).

    Thanks for any input!

    Matt



    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: ISVA runtime behind a proxy using virtual hostnames (SNI) - Will it work?

    Posted Mon March 06, 2023 06:12 PM

    Matt,

    The DSC uses the same code to access the server as the RTSS uses – so, if this doesn't currently work for the DSC, this will not work for the RTSS.  I've just taken a look at the applicable code (which is used by both the DSC and the RTSS) and unfortunately it does not currently allow you to specify or set an SNI.

    If you need this capability it might be worthwhile to create an 'idea' against the product.

    I'm sorry that I don't have better news for you.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


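    The failure mode described in the reply above (a TLS client that never sets the server_name extension cannot be reached through a listener that routes purely on SNI, which is how an OpenShift passthrough route picks its backend) can be reproduced offline. The following is an added example written for this page; it is not IBM code and not the WebSEAL client code Scott refers to. The route hostname is hypothetical, the self-signed certificate is constructed in memory, and the "router" is a minimal stand-in that refuses the handshake when no configured route matches the SNI, as a passthrough router with no matching route does. The same client code is then run twice: once with SNI, once without.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// routeHost is a hypothetical route hostname standing in for the virtual
// hostname an OpenShift passthrough route matches on.
const routeHost = "isva-runtime.apps.example.internal"

// selfSignedCert builds an in-memory, self-signed server certificate for
// host (constructed test material, valid for an hour either side of now).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startSNIRouter listens on loopback and behaves like a TLS-passthrough
// router: the backend is chosen solely from the ClientHello server_name.
// No SNI, or an unknown SNI, matches no route and the handshake is refused.
func startSNIRouter(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName != routeHost {
				return nil, fmt.Errorf("no route matches SNI %q", hello.ServerName)
			}
			return &cert, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // drive the handshake so the client sees the verdict
				}
			}(conn)
		}
	}()
	return ln, nil
}

// connect performs a TLS handshake against addr. serverName goes into the
// SNI extension; an empty string sends no SNI at all, which is the client
// behaviour this thread attributes to WebSEAL's DSC/RTSS access code.
func connect(addr, serverName string, roots *x509.CertPool) error {
	raw, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName}
	if serverName == "" {
		// Go will not handshake with neither a name nor this flag; we want to
		// observe the router's verdict, not the local certificate verifier's.
		cfg.InsecureSkipVerify = true
	}
	return tls.Client(raw, cfg).Handshake()
}

func main() {
	cert, leaf, err := selfSignedCert(routeHost)
	if err != nil {
		panic(err)
	}
	ln, err := startSNIRouter(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	fmt.Printf("with SNI %q: err=%v\n", routeHost, connect(ln.Addr().String(), routeHost, roots))
	fmt.Printf("without SNI: err=%v\n", connect(ln.Addr().String(), "", roots))
}
```

    The handshake that carries the route hostname in SNI completes and verifies the certificate; the one that sends no SNI is refused by the router before any application data is exchanged, which matches the "WebSEAL could not reach the DSC" symptom. Against a real passthrough route the same check can be made from a shell with OpenSSL 1.1.1 or later: `openssl s_client -connect <route>:443 -servername <route>` should succeed, while `openssl s_client -connect <route>:443 -noservername` should fail, and a capture of the ClientHello from the WebSEAL host (for example with tcpdump) will show whether a server_name extension is present at all.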
  • 3.  RE: ISVA runtime behind a proxy using virtual hostnames (SNI) - Will it work?

    Posted Wed March 08, 2023 09:34 AM

    @Scott Exton Thanks for the follow-up.  I greatly appreciate it, as this saved me from going down a rabbit hole of testing and trying to get it working.  I'll have to stick with exposing the services via NodePorts as I had before, and then we have to have VIPs created to service those NodePorts.  It's very complex and causing a lot of confusion here, but it is the only way to guarantee full high availability, since the containers running the runtime and DSC can move between any of the OpenShift nodes.

    I opened ISAM-I-1176 to inquire about getting this done.  I don't know what it would require on the development side, but it seems the change overall would be rather simple.

    Thanks again!

    Matt



    ------------------------------
    Matt Jenkins
    ------------------------------