IBM Verify

  • 1.  LTPA validation using the STS

    Posted Fri October 25, 2019 11:58 AM
    Hi,

    I am trying to get the LTPA validation using the STS working.
    I have set up a chain which validates the LTPA (provided the keyfile and password) and issues an STSUU.

    I am using the LocalSTSClient to call the STS with the following code (I was inspired by Jack Yarborough):
    function makeLtpaValidationRequest(ltpa) {
      trace("entering makeLtpaValidationRequest(ltpa)");
      // We use the WS-Trust Validate request type
      var requestType = "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate";

      // Print the LTPA token for debug purposes
      trace("makeLtpaValidationRequest :: Input ltpa : " + ltpa.toString());

      // First we need to build a binary security token from the LTPA value:
      var strxmlBst = '<wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="Base64Binary" wss:ValueType="wsst:LTPA" xmlns:wsst="http://www.ibm.com/websphere/appserver/tokentype/5.0.2">' + ltpa + '</wss:BinarySecurityToken>';
      trace("makeLtpaValidationRequest :: strxmlBst : " + strxmlBst);
      var xmlBst = IDMappingExtUtils.stringToXMLElement(strxmlBst);

      // Call the STS; both address arguments select the validation chain
      var token = LocalSTSClient.doRequest(requestType, "urn:ltpa:validate:customer", "urn:ltpa:validate:customer", xmlBst, null);

      // On success, parse the returned token into an STSUU; on failure, log the
      // error and return an empty STSUU
      var tokenStsuu = new STSUniversalUser();

      if (token.errorMessage != null) {
        trace(token.errorMessage);
      } else {
        tokenStsuu.fromXML(token.token);
      }
      return tokenStsuu;
    }

    In the log I get the message:
    [10/25/19 14:45:34:330 CEST] 00020876 com.tivoli.am.fim.trustserver.sts.STSModuleChain I com.tivoli.am.fim.trustserver.sts.STSModuleException: FBTSTS073E The token presented is not an LTPA token.

    But there is no reason given why it was not recognised as an LTPA token.

    I hope someone can help me with this.


    ------------------------------
    Regards,
    Paul van den Brink
    ------------------------------


  • 2.  RE: LTPA validation using the STS

    Posted Tue October 29, 2019 06:02 AM
    Hi Paul, 

    In your code above, did you see any logs generated for the "ltpa" token? Is the ltpa token valid?

    function makeLtpaValidationRequest(ltpa) {

      trace("entering makeLtpaValidationRequest(ltpa)");

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------



  • 3.  RE: LTPA validation using the STS

    Posted Tue October 29, 2019 10:48 AM
    Hi Chen Yongming,

    Thanks for responding to my question.

    I've created my own version of the token-router inspired by Jack Yarborough's presentation: Leveraging-JWTs_in-ISAM-2019-08-08

    The Ltpa part was my addition to it.

    Attached is the tracelog.
    It was not very helpful to me, but maybe it gives you a clue.

    Regards,
    Paul



    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: LTPA validation using the STS

    Posted Mon November 04, 2019 02:08 AM
    @JACK YARBOROUGH
    Hi Jack,
    Do you have a clue what is going wrong here?
    Regards,
    Paul

    ------------------------------
    Paul van den Brink
    ------------------------------



  • 5.  RE: LTPA validation using the STS

    Posted Mon November 04, 2019 11:11 AM

    Hello Paul,

    The token router was never intended to be used for LTPA Authentication.

    The reverse proxy has native LTPA authentication available to consume LTPA cookies for an ISAM Session:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_ltpa_authe.html

    The reason you're getting the error 'com.tivoli.am.fim.trustserver.sts.STSModuleException: FBTSTS073E The token presented is not an LTPA token.' is either because the LTPA token value isn't in the correct format or your WS-Trust message is not in the correct format.

    Please also make sure that the same LTPA key is set up in Federation such that it can validate the LTPA token.

    Why are you trying to do this STS Chain and consume an LTPA Token via the 'Authorization' Header rather than just use the native reverse proxy authentication method?



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 6.  RE: LTPA validation using the STS

    Posted Tue November 05, 2019 07:38 AM
    Hi Jack,

    Thanks for your answer and your questions.

    I did use the native reverse proxy authentication method; this works fine for the Ltpa version 2 format, but it does not work for the Ltpa version 1 format.
    So using the token-router is just a simple way for me to reach out to the STS to do the Ltpa version 1 validation.
    Unfortunately it does not work. I am probably doing something wrong, but I don't know what I am doing wrong.

    I am sure the ltpa.key I am using is the correct one and I've triple checked the password.

    How can I check the correct format for the ws-trust message?
    What would be the correct format?

    As you can see in my code I used the following format:
    <wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="Base64Binary" wss:ValueType="wsst:LTPA" xmlns:wsst="http://www.ibm.com/websphere/appserver/tokentype/5.0.2">'+ltpa+'</wss:BinarySecurityToken>

    Regards,
    Paul


    ------------------------------
    Paul van den Brink
    ------------------------------



  • 7.  RE: LTPA validation using the STS
    Best Answer

    Posted Wed November 06, 2019 03:31 PM
    Hello Paul,

    Here is an example of an output LTPAv1 Token from the Federation STS Module in Issue:

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="uuid42673dce-016e-1324-99ba-845960d3cfc4">
    <wst:TokenType>http://www.ibm.com/websphere/appserver/tokentype#LTPA</wst:TokenType>
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:EndpointReference>
    <wsa:Address>ltpa</wsa:Address>
    </wsa:EndpointReference>
    </wsp:AppliesTo>
    <wst:Lifetime>
    <wsu:Created>2019-11-06T20:28:12Z</wsu:Created>
    <wsu:Expires>2019-11-06T22:28:12Z</wsu:Expires>
    </wst:Lifetime>
    <wst:RequestedSecurityToken>
    <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="wsst:LTPA" xmlns:wsst="http://www.ibm.com/websphere/appserver/tokentype/5.0.2" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">G8h4Sv4AMT4qFrpJoAePUqKDXGVNz6y9O27qHqa2z0koeCD/ZO2ZC3HgGPjjgfnaGo8/pbMsTwMaT/cSLWjY/sliNtLUAWkEO7ImGU++9wp58IhTHPm1L7Qr68lJvpjqEF6BOqXapNZa5LMIr6klK3Jkd9da/qtey+iz4v9lchssE3AVgGGv03Iu+mSed5BQIctm6GKcB4LXO2GhuXhJkkhL2TR8C+FekG0tJfNOGZFmxVaWHLBK0Tq/fDLHgYlvuh6pBoNbgEwhmcpk7T6XWg==</wsse:BinarySecurityToken>
    </wst:RequestedSecurityToken>
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    ---
    So it looks like your encoding algorithm is incorrect.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------
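The difference Jack points at is visible in the two BinarySecurityToken elements on this page: the STS output carries the full EncodingType URI and unqualified EncodingType/ValueType attributes, while the token-router code used the short value "Base64Binary" with prefixed attributes. The following is an added example, not code from this thread or from IBM: plain Node.js that builds the element in the shape of the STS output and checks an existing element (plus the base64 value inside it) before it is handed to the STS. The function names, the strict base64 check and the sample token value are my own constructions; the namespace and attribute values are copied from the STS response above.

```javascript
// Added example, not from the thread or from IBM. Plain Node.js, no ISAM
// objects (LocalSTSClient, IDMappingExtUtils) are used, so it runs offline.
// Namespace and attribute values are copied from the STS Issue output above.
const WSSE_NS =
  'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const BASE64_ENCODING_TYPE =
  'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary';
const LTPA_VALUE_TYPE = 'wsst:LTPA';
const LTPA_TOKEN_NS = 'http://www.ibm.com/websphere/appserver/tokentype/5.0.2';

// Strict base64: canonical alphabet, length a multiple of 4, at most two '='
// of padding, and a lossless round trip through Buffer. A cookie value that
// is still URL-encoded ('+' as %2B, '=' as %3D) fails here, which is worth
// knowing before the STS answers with FBTSTS073E.
function isStrictBase64(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length % 4 !== 0) {
    return false;
  }
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) {
    return false;
  }
  return Buffer.from(value, 'base64').toString('base64') === value;
}

// Build the <wsse:BinarySecurityToken> for a Validate request with the
// full EncodingType URI and unqualified attributes, as in the STS output.
function buildLtpaBinarySecurityToken(ltpa) {
  if (!isStrictBase64(ltpa)) {
    throw new Error('LTPA value is not strict base64; decode any URL encoding first');
  }
  return (
    '<wsse:BinarySecurityToken xmlns:wsse="' + WSSE_NS + '"' +
    ' EncodingType="' + BASE64_ENCODING_TYPE + '"' +
    ' ValueType="' + LTPA_VALUE_TYPE + '"' +
    ' xmlns:wsst="' + LTPA_TOKEN_NS + '">' +
    ltpa +
    '</wsse:BinarySecurityToken>'
  );
}

// Inspect a BinarySecurityToken string before sending it to the STS and
// return the differences from the expected shape (empty array = looks ok).
function checkBinarySecurityToken(xml) {
  const problems = [];
  const enc = /EncodingType="([^"]*)"/.exec(xml);
  if (!enc) {
    problems.push('EncodingType attribute missing');
  } else if (enc[1] !== BASE64_ENCODING_TYPE) {
    problems.push('EncodingType is "' + enc[1] + '", expected ' + BASE64_ENCODING_TYPE);
  }
  if (/\w+:EncodingType=/.test(xml) || /\w+:ValueType=/.test(xml)) {
    problems.push('EncodingType/ValueType are prefixed; the STS output has them unqualified');
  }
  const vt = /ValueType="([^"]*)"/.exec(xml);
  if (!vt || vt[1] !== LTPA_VALUE_TYPE) {
    problems.push('ValueType should be ' + LTPA_VALUE_TYPE);
  }
  if (xml.indexOf('xmlns:wsst="' + LTPA_TOKEN_NS + '"') === -1) {
    problems.push('wsst prefix is not bound to ' + LTPA_TOKEN_NS);
  }
  const body = />([^<]*)<\/(?:\w+:)?BinarySecurityToken>/.exec(xml);
  if (!body || !isStrictBase64(body[1])) {
    problems.push('token value is not strict base64');
  }
  return problems;
}

// Constructed sample value (not a real LTPA token), just valid base64.
const SAMPLE_LTPA = Buffer.from('constructed sample, not a real LTPA token').toString('base64');

// The element shape from the first post of this thread, for comparison.
const THREAD_BST =
  '<wss:BinarySecurityToken xmlns:wss="' + WSSE_NS + '"' +
  ' wss:EncodingType="Base64Binary" wss:ValueType="wsst:LTPA"' +
  ' xmlns:wsst="' + LTPA_TOKEN_NS + '">' + SAMPLE_LTPA + '</wss:BinarySecurityToken>';

// Compare the corrected element with the thread's original shape.
function demo() {
  return {
    corrected: checkBinarySecurityToken(buildLtpaBinarySecurityToken(SAMPLE_LTPA)),
    original: checkBinarySecurityToken(THREAD_BST),
  };
}

console.log(demo());
```

Running it prints an empty list for the corrected element and two findings for the thread's original element (the short EncodingType value and the prefixed attributes). In a mapping rule the same string check can sit in front of `IDMappingExtUtils.stringToXMLElement` so that a malformed element is traced with a specific reason instead of only the generic FBTSTS073E message from the chain.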



  • 8.  RE: LTPA validation using the STS

    Posted Tue November 12, 2019 10:19 AM
    Hello Jack,

    Thanks! Yes, that helped!
    The token gets validated now.
    It does not automatically lead to an authenticated user. I am now in the process of fixing that.

    Regards,
    Paul

    ------------------------------
    Paul van den Brink
    ------------------------------