Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"} {"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"} {"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"} {"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"} {"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"} {"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"} {"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"} {"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"} {"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"} {"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"} {"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"} {"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"} {"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"} {"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"} {"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"} {"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"} {"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"} {"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"} {"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"} {"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thanks Jon,

Unfortunately it isn't working.

In the [aznapi-entitlement-services] stanza we added the HRM_CRED_ATTRS_SVC (see below)

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901
HRM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901

Then we added the following stanzas to configure the HRM_CRED_ATTRS_SVC

# AD 20200901
[HRM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[HRM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[HRM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou
# AD 20200901

In the verify-access-isvaconfig conntainer we opened a shell and ran the following

pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_tele=hrm-tele

So that the attributes would be present on the junction jct.

After a deploy, publish and reload cycle, the tags are set on the http request but they all have the value "NOT_FOUND"

From the isva documentation,
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/base_admin/reference/ref_credattrentlserv.html

there should be an entry

[aznapi-configuration]
# AD 20200902
cred-attributes-entitlement-services = HRM_CRED_ATTRS_SVC
# AD 20200902

but if we add that , we get a system error when trying to save the configuration file

System Error

Error: DPWAP0014E The 'cred-attributes-entitlement-services' configuration entry, in the [aznapi-configuration] stanza, is an unsupported configuration entry.


------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Wed September 02, 2020 12:36 PM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Hi Anders,

The ability to specify credential providers in the configuration file has not been there since ISAM 7.0.  In the later ISAM (and Verify Access) versions, the [aznapi-entitlement-services] stanza is pre-populated with TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs (under-the-covers) and you can't change it.  Do not try to add this stanza to the configuration - it will cause failure as you have seen.

You will need to change your stanzas to use TAM_CRED_ATTRS_SVC instead of HRM_CRED_ATTRS_SVC.

i.e.

[AZN_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[AZN_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[AZN_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Thu September 03, 2020 07:36 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,

Unfortunately it isn't working.

In the [aznapi-entitlement-services] stanza we added the HRM_CRED_ATTRS_SVC (see below)

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901
HRM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901

Then we added the following stanzas to configure the HRM_CRED_ATTRS_SVC

# AD 20200901
[HRM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[HRM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[HRM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou
# AD 20200901

In the verify-access-isvaconfig conntainer we opened a shell and ran the following

pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_tele=hrm-tele

So that the attributes would be present on the junction jct.

After a deploy, publish and reload cycle, the tags are set on the http request but they all have the value "NOT_FOUND"

From the isva documentation,
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/base_admin/reference/ref_credattrentlserv.html

there should be an entry

[aznapi-configuration]
# AD 20200902
cred-attributes-entitlement-services = HRM_CRED_ATTRS_SVC
# AD 20200902

but if we add that , we get a system error when trying to save the configuration file

System Error

Error: DPWAP0014E The 'cred-attributes-entitlement-services' configuration entry, in the [aznapi-configuration] stanza, is an unsupported configuration entry.


------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Wed September 02, 2020 12:36 PM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thanks Jon,
Sorry for the long follow-up below

Hi Jon,

I now have:

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs

[TAM_CRED_ATTRS_SVC]

#
# This stanza is used to configure the credential attributes entitlement
# service. This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names. If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
# eperson = azn_cred_registry_id
# organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
#
# [TAM_CRED_ATTRS_SVC:organisationalPerson]
# emailAddress = mail
# mobileNumber = mobile
#
inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
tag_value_hrm_epost = mail
tag_value_ = cn
tag_value_hrm_efternamn = surname
tag_value_hrm_tele = telephoneNumber
tag_value_hrm_uid = uid

[TAM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrm_o = o
tag_value_hrm_ou = ou
# AD 20200907

and
force-tag-value-prefix = no
per your suggestion

I have run the following pdadmin commands in the isva-config container, deployed, published and reloaded the isva-webseal container.
pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_hrm_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_tele=hrm-tele

and the junction now shows:

pdadmin sec_master> object show /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Description: Object from host verify-access-isvaconfig-564cd8758f-898w2.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Attached ACL:
Attached POP:
Attached AuthzRule:

Effective Extended Attributes
Protected Object Location: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Effective ACL: default-webseal
Effective POP:
Effective AuthzRule:

I have tried both

inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

eperson = azn_cred_registry_id
organisationalPerson = azn_cred_registry_id

with the same result

hrm-xxx tags are present in the headers, but all have the value 'NOT FOUND'

Dump of HttpServletRequest headers:

Headers:
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept-Language: en-US,en;q=0.9,sv;q=0.8
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Connection: close
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Host: 164.9.162.69:9083
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-creds: Version=1, BAKs3DCCB14MADCCB1gwggdUAgIQADCBkDAsMB8CBGkzYLgCAwDusAICEeoCAgCjAgIAqQQGdkB6lpx3DAlsb2RvbWVpamEwYDAuMB4CBMSt+tACAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLUlDTjAuMB4CBN3CqbICAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLU1GQQIBATCCBrYwggayMCIMFEFVVEhFTlRJQ0FUSU9OX0xFVkVMMAowCAIBBAwBMQQAMDEMF0FaTl9DUkVEX0FVVEhOTUVDSF9JTkZPMBYwFAIBBAwNTERBUCBSZWdpc3RyeQQAMGEMEkFaTl9DUkVEX0FVVEhaTl9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC8MGEFaTl9DUkVEX0FVVEhfRVBPQ0hfVElNRTATMBECAQQMCjE1OTk0OTE0NDgEADApDBRBWk5fQ1JFRF9BVVRIX01FVEhPRDARMA8CAQQMCHBhc3N3b3JkBAAwgZQMFUFaTl9DUkVEX0JST1dTRVJfSU5GTzB7MHkCAQQMck1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84NS4wLjQxODMuODMgU2FmYXJpLzUzNy4zNgQAMD0MD0FaTl9DUkVEX0dST1VQUzAqMBMCAQQMDGVhcmNoaXZlLUlDTgQAMBMCAQQMDGVhcmNoaXZlLU1GQQQAMH8MG0FaTl9DUkVEX0dST1VQX1JFR0lTVFJZX0lEUzBgMC4CAQQMJ2NuPWVhcmNoaXZlSUNOLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC4CAQQMJ2NuPWVhcmNoaXZlTUZBLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMHIMFEFaTl9DUkVEX0dST1VQX1VVSURTMFowKwIBBAwkYzRhZGZhZDAtZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwKwIBBAwkZGRjMmE5YjItZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwJgwSQVpOX0NSRURfSVBfRkFNSUxZMBAwDgIBBAwHQUZfSU5FVAQAMCkMEEFaTl9DUkVEX01FQ0hfSUQwFTATAgEEDAxJVl9MREFQX1YzLjAEADAzDBxBWk5fQ1JFRF9ORVRXT1JLX0FERFJFU1NfQklOMBMwEQIBBAwKMHgwYTY4M2Y0ZAQAMDUMHEFaTl9DUkVEX05FVFdPUktfQUREUkVTU19TVFIwFTATAgEEDAwxMC4xMDQuNjMuNzcEADAtDBlBWk5fQ1JFRF9QUklOQ0lQQUxfRE9NQUlOMBAwDgIBBAwHRGVmYXVsdAQAMC0MF0FaTl9DUkVEX1BSSU5DSVBBTF9OQU1FMBIwEAIBBAwJbG9kb21laWphBAAwSAwXQVpOX0NSRURfUFJJTkNJUEFMX1VVSUQwLTArAgEEDCQ2OTMzNjBiOC1lZWIwLTExZWEtYTNhOS03NjQwN2E5NjljNzcEADAiDBFBWk5fQ1JFRF9RT1BfSU5GTzANMAsCAQQMBE5vbmUEADBjDBRBWk5fQ1JFRF9SRUdJU1RSWV9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMB8MEkFaTl9DUkVEX1VTRVJfSU5GTzAJMAcCAQQMAAQAMCcMEEFaTl9DUkVEX1ZFUlNJT04wEzARAgEEDAoweDAwMDAxMDAwBAAwLgwYdGFndmFsdWVfbG9naW5fdXNlcl9uYW1lMBIwEAIBBAwJbG9kb21laWphBAAwNgwkdGFndmFsdWVfbWF4X2NvbmN1cnJlbnRfd2ViX3Nlc3Npb25zMA4wDAIBBAwFdW5zZXQEADBHDBZ0YWd2YWx1ZV9zZXNzaW9uX2luZGV4MC0wKwIBBAwkNGY3ZjI1ZGEtZjExYy0xMWVhLWEyZTYtN2ViMDc5YzhjMmNmBAAwHQwKdGFnX3ZhbHVlXzAPMA0CAQQMBkFuZGVycwQAMDYMF3RhZ192YWx1ZV9ocm1fZWZ0ZXJuYW1uMBswGQIBBAwSRG9tZWlqw6XDpMO2w4XDhMOWBAAwNQwTdGFnX3ZhbHVlX2hybV9lcG9zdDAeMBwCAQQMFWFuZGVycy5kb21laWpAY2dpLmNvbQQAMC0MEnRhZ192YWx1ZV9ocm1fdGVsZTAXMBUCAQQMDis0NiA4IDUxNzUwNTIxBAAwJwwRdGFnX3ZhbHVlX2hybV91aWQwEjAQAgEEDAlsb2RvbWVpamEEAA==
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-groups: "earchive-ICN","earchive-MFA"
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-remote-address: 10.104.63.77
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user: xxxxxxx
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Referer: https://hostname/
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Via: HTTP/1.1 verify-access-isvawrp-webseal-5ffbf4ff7b-qss4c:80
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user-l: uid=xxxxxx,cn=yyyyyy,ou=aaa,ou=bbb,ou=ccc,o=Company,DC=DDDDDD,DC=SE
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-o: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-request-id: d17ac865202e06a2bb046055c850d4e8
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-forwarded-proto: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-efternamn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-namn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-ou: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-scheme: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-mail: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-tele: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O hrm-uid: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-host: hostname/
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Upgrade-Insecure-Requests: 1
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-site: same-origin
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O iv_server_name: webseal-webseald-verify-access-isvaconfig-564cd8758f-898w2
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-original-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-dest: document
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-real-ip: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-port: 443
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-mode: navigate
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Cookie: INGRESSCOOKIE=1599491438.525.1048.406002
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O


What is missing?
Please advise

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Thu September 03, 2020 08:20 AM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi Anders,

The ability to specify credential providers in the configuration file has not been there since ISAM 7.0.  In the later ISAM (and Verify Access) versions, the [aznapi-entitlement-services] stanza is pre-populated with TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs (under-the-covers) and you can't change it.  Do not try to add this stanza to the configuration - it will cause failure as you have seen.

You will need to change your stanzas to use TAM_CRED_ATTRS_SVC instead of HRM_CRED_ATTRS_SVC.

i.e.

[AZN_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[AZN_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[AZN_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Thu September 03, 2020 07:36 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,

Unfortunately it isn't working.

In the [aznapi-entitlement-services] stanza we added the HRM_CRED_ATTRS_SVC (see below)

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901
HRM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901

Then we added the following stanzas to configure the HRM_CRED_ATTRS_SVC

# AD 20200901
[HRM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[HRM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[HRM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou
# AD 20200901

In the verify-access-isvaconfig conntainer we opened a shell and ran the following

pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_tele=hrm-tele

So that the attributes would be present on the junction jct.

After a deploy, publish and reload cycle, the tags are set on the http request but they all have the value "NOT_FOUND"

From the isva documentation,
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/base_admin/reference/ref_credattrentlserv.html

there should be an entry

[aznapi-configuration]
# AD 20200902
cred-attributes-entitlement-services = HRM_CRED_ATTRS_SVC
# AD 20200902

but if we add that , we get a system error when trying to save the configuration file

System Error

Error: DPWAP0014E The 'cred-attributes-entitlement-services' configuration entry, in the [aznapi-configuration] stanza, is an unsupported configuration entry.


------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Wed September 02, 2020 12:36 PM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Hi Anders,

There's a naming mismatch between what you have in the configuration file (which controls what goes into the credential) and what you have in the HTTP-Tag-Value configuration (which controls what is put in HTTP headers).

For example, this line:
tag_value_hrm_efternamn = surname
adds the surname from LDAP into tag_value_hrm_efternamn in the credential... BUT, this command:
object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_efternamn=hrm-efternamn
is expecting a credential called tagvalue_efternamn.

My advice would be to modify the configuration file to make sure your credential attribute names match.   Also, if you are reading all the attributes from the same object, there's not need to separate by objectclass - it might even cause an issue.

I would suggest this configuration:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_authzn_id

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_mail = mail
tagvalue_namn = cn
tagvalue_efternamn = surname
tagvalue_tele = telephoneNumber
tagvalue_uid = uid
tagvalue_hrm_o = o
tagvalue_hrm_ou = ou

I'm not sure that requesting the o and ou will work.  It will only work if those attributes are set on the user object - rather than being part of the DN.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Mon September 07, 2020 11:26 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,
Sorry for the long follow-up below

Hi Jon,

I now have:

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs

[TAM_CRED_ATTRS_SVC]

#
# This stanza is used to configure the credential attributes entitlement
# service. This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names. If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
# eperson = azn_cred_registry_id
# organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
#
# [TAM_CRED_ATTRS_SVC:organisationalPerson]
# emailAddress = mail
# mobileNumber = mobile
#
inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
tag_value_hrm_epost = mail
tag_value_ = cn
tag_value_hrm_efternamn = surname
tag_value_hrm_tele = telephoneNumber
tag_value_hrm_uid = uid

[TAM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrm_o = o
tag_value_hrm_ou = ou
# AD 20200907

and
force-tag-value-prefix = no
per your suggestion

I have run the following pdadmin commands in the isva-config container, deployed, published and reloaded the isva-webseal container.
pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_hrm_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_tele=hrm-tele

and the junction now shows:

pdadmin sec_master> object show /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Description: Object from host verify-access-isvaconfig-564cd8758f-898w2.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Attached ACL:
Attached POP:
Attached AuthzRule:

Effective Extended Attributes
Protected Object Location: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Effective ACL: default-webseal
Effective POP:
Effective AuthzRule:

I have tried both

inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

eperson = azn_cred_registry_id
organisationalPerson = azn_cred_registry_id

with the same result

hrm-xxx tags are present in the headers, but all have the value 'NOT FOUND'

Dump of HttpServletRequest headers:

Headers:
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept-Language: en-US,en;q=0.9,sv;q=0.8
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Connection: close
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Host: 164.9.162.69:9083
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-creds: Version=1, BAKs3DCCB14MADCCB1gwggdUAgIQADCBkDAsMB8CBGkzYLgCAwDusAICEeoCAgCjAgIAqQQGdkB6lpx3DAlsb2RvbWVpamEwYDAuMB4CBMSt+tACAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLUlDTjAuMB4CBN3CqbICAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLU1GQQIBATCCBrYwggayMCIMFEFVVEhFTlRJQ0FUSU9OX0xFVkVMMAowCAIBBAwBMQQAMDEMF0FaTl9DUkVEX0FVVEhOTUVDSF9JTkZPMBYwFAIBBAwNTERBUCBSZWdpc3RyeQQAMGEMEkFaTl9DUkVEX0FVVEhaTl9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC8MGEFaTl9DUkVEX0FVVEhfRVBPQ0hfVElNRTATMBECAQQMCjE1OTk0OTE0NDgEADApDBRBWk5fQ1JFRF9BVVRIX01FVEhPRDARMA8CAQQMCHBhc3N3b3JkBAAwgZQMFUFaTl9DUkVEX0JST1dTRVJfSU5GTzB7MHkCAQQMck1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84NS4wLjQxODMuODMgU2FmYXJpLzUzNy4zNgQAMD0MD0FaTl9DUkVEX0dST1VQUzAqMBMCAQQMDGVhcmNoaXZlLUlDTgQAMBMCAQQMDGVhcmNoaXZlLU1GQQQAMH8MG0FaTl9DUkVEX0dST1VQX1JFR0lTVFJZX0lEUzBgMC4CAQQMJ2NuPWVhcmNoaXZlSUNOLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC4CAQQMJ2NuPWVhcmNoaXZlTUZBLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMHIMFEFaTl9DUkVEX0dST1VQX1VVSURTMFowKwIBBAwkYzRhZGZhZDAtZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwKwIBBAwkZGRjMmE5YjItZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwJgwSQVpOX0NSRURfSVBfRkFNSUxZMBAwDgIBBAwHQUZfSU5FVAQAMCkMEEFaTl9DUkVEX01FQ0hfSUQwFTATAgEEDAxJVl9MREFQX1YzLjAEADAzDBxBWk5fQ1JFRF9ORVRXT1JLX0FERFJFU1NfQklOMBMwEQIBBAwKMHgwYTY4M2Y0ZAQAMDUMHEFaTl9DUkVEX05FVFdPUktfQUREUkVTU19TVFIwFTATAgEEDAwxMC4xMDQuNjMuNzcEADAtDBlBWk5fQ1JFRF9QUklOQ0lQQUxfRE9NQUlOMBAwDgIBBAwHRGVmYXVsdAQAMC0MF0FaTl9DUkVEX1BSSU5DSVBBTF9OQU1FMBIwEAIBBAwJbG9kb21laWphBAAwSAwXQVpOX0NSRURfUFJJTkNJUEFMX1VVSUQwLTArAgEEDCQ2OTMzNjBiOC1lZWIwLTExZWEtYTNhOS03NjQwN2E5NjljNzcEADAiDBFBWk5fQ1JFRF9RT1BfSU5GTzANMAsCAQQMBE5vbmUEADBjDBRBWk5fQ1JFRF9SRUdJU1RSWV9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMB8MEkFaTl9DUkVEX1VTRVJfSU5GTzAJMAcCAQQMAAQAMCcMEEFaTl9DUkVEX1ZFUlNJT04wEzARAgEEDAoweDAwMDAxMDAwBAAwLgwYdGFndmFsdWVfbG9naW5fdXNlcl9uYW1lMBIwEAIBBAwJbG9kb21laWphBAAwNgwkdGFndmFsdWVfbWF4X2NvbmN1cnJlbnRfd2ViX3Nlc3Npb25zMA4wDAIBBAwFdW5zZXQEADBHDBZ0YWd2YWx1ZV9zZXNzaW9uX2luZGV4MC0wKwIBBAwkNGY3ZjI1ZGEtZjExYy0xMWVhLWEyZTYtN2ViMDc5YzhjMmNmBAAwHQwKdGFnX3ZhbHVlXzAPMA0CAQQMBkFuZGVycwQAMDYMF3RhZ192YWx1ZV9ocm1fZWZ0ZXJuYW1uMBswGQIBBAwSRG9tZWlqw6XDpMO2w4XDhMOWBAAwNQwTdGFnX3ZhbHVlX2hybV9lcG9zdDAeMBwCAQQMFWFuZGVycy5kb21laWpAY2dpLmNvbQQAMC0MEnRhZ192YWx1ZV9ocm1fdGVsZTAXMBUCAQQMDis0NiA4IDUxNzUwNTIxBAAwJwwRdGFnX3ZhbHVlX2hybV91aWQwEjAQAgEEDAlsb2RvbWVpamEEAA==
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-groups: "earchive-ICN","earchive-MFA"
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-remote-address: 10.104.63.77
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user: xxxxxxx
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Referer: https://hostname/
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Via: HTTP/1.1 verify-access-isvawrp-webseal-5ffbf4ff7b-qss4c:80
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user-l: uid=xxxxxx,cn=yyyyyy,ou=aaa,ou=bbb,ou=ccc,o=Company,DC=DDDDDD,DC=SE
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-o: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-request-id: d17ac865202e06a2bb046055c850d4e8
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-forwarded-proto: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-efternamn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-namn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-ou: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-scheme: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-mail: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-tele: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O hrm-uid: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-host: hostname/
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Upgrade-Insecure-Requests: 1
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-site: same-origin
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O iv_server_name: webseal-webseald-verify-access-isvaconfig-564cd8758f-898w2
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-original-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-dest: document
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-real-ip: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-port: 443
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-mode: navigate
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Cookie: INGRESSCOOKIE=1599491438.525.1048.406002
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O


What is missing?
Please advise

------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Thu September 03, 2020 08:20 AM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi Anders,

The ability to specify credential providers in the configuration file has not been there since ISAM 7.0.  In the later ISAM (and Verify Access) versions, the [aznapi-entitlement-services] stanza is pre-populated with TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs (under-the-covers) and you can't change it.  Do not try to add this stanza to the configuration - it will cause failure as you have seen.

You will need to change your stanzas to use TAM_CRED_ATTRS_SVC instead of HRM_CRED_ATTRS_SVC.

i.e.

[AZN_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[AZN_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[AZN_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Thu September 03, 2020 07:36 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,

Unfortunately it isn't working.

In the [aznapi-entitlement-services] stanza we added the HRM_CRED_ATTRS_SVC (see below)

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901
HRM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901

Then we added the following stanzas to configure the HRM_CRED_ATTRS_SVC

# AD 20200901
[HRM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[HRM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[HRM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou
# AD 20200901

In the verify-access-isvaconfig conntainer we opened a shell and ran the following

pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_tele=hrm-tele

So that the attributes would be present on the junction jct.

After a deploy, publish and reload cycle, the tags are set on the http request but they all have the value "NOT_FOUND"

From the isva documentation,
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/base_admin/reference/ref_credattrentlserv.html

there should be an entry

[aznapi-configuration]
# AD 20200902
cred-attributes-entitlement-services = HRM_CRED_ATTRS_SVC
# AD 20200902

but if we add that , we get a system error when trying to save the configuration file

System Error

Error: DPWAP0014E The 'cred-attributes-entitlement-services' configuration entry, in the [aznapi-configuration] stanza, is an unsupported configuration entry.


------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Wed September 02, 2020 12:36 PM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thats what I get for having 'fat fingers'  and/or working late.
I was convinced I had the spelling relationsships correct.

Works like a charm once you do.

And -- YES in this case 'o' and 'ou' are explicitly set as ldap attributes on the user :-)

Thanks (again)

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Mon September 07, 2020 11:54 AM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi Anders,

There's a naming mismatch between what you have in the configuration file (which controls what goes into the credential) and what you have in the HTTP-Tag-Value configuration (which controls what is put in HTTP headers).

For example, this line:
tag_value_hrm_efternamn = surname
adds the surname from LDAP into tag_value_hrm_efternamn in the credential... BUT, this command:
object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_efternamn=hrm-efternamn
is expecting a credential called tagvalue_efternamn.

My advice would be to modify the configuration file to make sure your credential attribute names match.   Also, if you are reading all the attributes from the same object, there's not need to separate by objectclass - it might even cause an issue.

I would suggest this configuration:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_authzn_id

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_mail = mail
tagvalue_namn = cn
tagvalue_efternamn = surname
tagvalue_tele = telephoneNumber
tagvalue_uid = uid
tagvalue_hrm_o = o
tagvalue_hrm_ou = ou

I'm not sure that requesting the o and ou will work.  It will only work if those attributes are set on the user object - rather than being part of the DN.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon September 07, 2020 11:26 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,
Sorry for the long follow-up below

Hi Jon,

I now have:

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs

[TAM_CRED_ATTRS_SVC]

#
# This stanza is used to configure the credential attributes entitlement
# service. This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names. If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
# eperson = azn_cred_registry_id
# organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
#
# [TAM_CRED_ATTRS_SVC:organisationalPerson]
# emailAddress = mail
# mobileNumber = mobile
#
inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
tag_value_hrm_epost = mail
tag_value_ = cn
tag_value_hrm_efternamn = surname
tag_value_hrm_tele = telephoneNumber
tag_value_hrm_uid = uid

[TAM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrm_o = o
tag_value_hrm_ou = ou
# AD 20200907

and
force-tag-value-prefix = no
per your suggestion

I have run the following pdadmin commands in the isva-config container, deployed, published and reloaded the isva-webseal container.
pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_hrm_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas set attribute HTTP-Tag-Value tagvalue_tele=hrm-tele

and the junction now shows:

pdadmin sec_master> object show /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Description: Object from host verify-access-isvaconfig-564cd8758f-898w2.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Attached ACL:
Attached POP:
Attached AuthzRule:

Effective Extended Attributes
Protected Object Location: /WebSEAL/verify-access-isvaconfig-564cd8758f-898w2-webseal/edmwas
Name: HTTP-Tag-Value
Value(s): tagvalue_hrm_o=hrm-o
tagvalue_hrm_uid=hrm-uid
tagvalue_ou=hrm-ou
tagvalue_namn=hrm-namn
tagvalue_mail=hrm-mail
tagvalue_efternamn=hrm-efternamn
tagvalue_tele=hrm-tele
Effective ACL: default-webseal
Effective POP:
Effective AuthzRule:

I have tried both

inetOrgPerson = azn_cred_authzn_id
ePerson = azn_cred_authzn_id

eperson = azn_cred_registry_id
organisationalPerson = azn_cred_registry_id

with the same result

hrm-xxx tags are present in the headers, but all have the value 'NOT FOUND'

Dump of HttpServletRequest headers:

Headers:
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Accept-Language: en-US,en;q=0.9,sv;q=0.8
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Connection: close
[9/7/20 17:10:48:467 CEST] 000000a4 SystemOut O Host: 164.9.162.69:9083
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-creds: Version=1, BAKs3DCCB14MADCCB1gwggdUAgIQADCBkDAsMB8CBGkzYLgCAwDusAICEeoCAgCjAgIAqQQGdkB6lpx3DAlsb2RvbWVpamEwYDAuMB4CBMSt+tACAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLUlDTjAuMB4CBN3CqbICAwDw6QICEeoCAgCQAgFvBAZ2QHqWnHcMDGVhcmNoaXZlLU1GQQIBATCCBrYwggayMCIMFEFVVEhFTlRJQ0FUSU9OX0xFVkVMMAowCAIBBAwBMQQAMDEMF0FaTl9DUkVEX0FVVEhOTUVDSF9JTkZPMBYwFAIBBAwNTERBUCBSZWdpc3RyeQQAMGEMEkFaTl9DUkVEX0FVVEhaTl9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC8MGEFaTl9DUkVEX0FVVEhfRVBPQ0hfVElNRTATMBECAQQMCjE1OTk0OTE0NDgEADApDBRBWk5fQ1JFRF9BVVRIX01FVEhPRDARMA8CAQQMCHBhc3N3b3JkBAAwgZQMFUFaTl9DUkVEX0JST1dTRVJfSU5GTzB7MHkCAQQMck1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84NS4wLjQxODMuODMgU2FmYXJpLzUzNy4zNgQAMD0MD0FaTl9DUkVEX0dST1VQUzAqMBMCAQQMDGVhcmNoaXZlLUlDTgQAMBMCAQQMDGVhcmNoaXZlLU1GQQQAMH8MG0FaTl9DUkVEX0dST1VQX1JFR0lTVFJZX0lEUzBgMC4CAQQMJ2NuPWVhcmNoaXZlSUNOLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMC4CAQQMJ2NuPWVhcmNoaXZlTUZBLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMHIMFEFaTl9DUkVEX0dST1VQX1VVSURTMFowKwIBBAwkYzRhZGZhZDAtZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwKwIBBAwkZGRjMmE5YjItZjBlOS0xMWVhLTkwNmYtNzY0MDdhOTY5Yzc3BAAwJgwSQVpOX0NSRURfSVBfRkFNSUxZMBAwDgIBBAwHQUZfSU5FVAQAMCkMEEFaTl9DUkVEX01FQ0hfSUQwFTATAgEEDAxJVl9MREFQX1YzLjAEADAzDBxBWk5fQ1JFRF9ORVRXT1JLX0FERFJFU1NfQklOMBMwEQIBBAwKMHgwYTY4M2Y0ZAQAMDUMHEFaTl9DUkVEX05FVFdPUktfQUREUkVTU19TVFIwFTATAgEEDAwxMC4xMDQuNjMuNzcEADAtDBlBWk5fQ1JFRF9QUklOQ0lQQUxfRE9NQUlOMBAwDgIBBAwHRGVmYXVsdAQAMC0MF0FaTl9DUkVEX1BSSU5DSVBBTF9OQU1FMBIwEAIBBAwJbG9kb21laWphBAAwSAwXQVpOX0NSRURfUFJJTkNJUEFMX1VVSUQwLTArAgEEDCQ2OTMzNjBiOC1lZWIwLTExZWEtYTNhOS03NjQwN2E5NjljNzcEADAiDBFBWk5fQ1JFRF9RT1BfSU5GTzANMAsCAQQMBE5vbmUEADBjDBRBWk5fQ1JFRF9SRUdJU1RSWV9JRDBLMEkCAQQMQnVpZD1sb2RvbWVpamEsY249dXNlcnMsb3U9ZWJjLG91PWlsLG91PXNlLG89bG9naWNhLERDPUxPR0lDQSxEQz1TRQQAMB8MEkFaTl9DUkVEX1VTRVJfSU5GTzAJMAcCAQQMAAQAMCcMEEFaTl9DUkVEX1ZFUlNJT04wEzARAgEEDAoweDAwMDAxMDAwBAAwLgwYdGFndmFsdWVfbG9naW5fdXNlcl9uYW1lMBIwEAIBBAwJbG9kb21laWphBAAwNgwkdGFndmFsdWVfbWF4X2NvbmN1cnJlbnRfd2ViX3Nlc3Npb25zMA4wDAIBBAwFdW5zZXQEADBHDBZ0YWd2YWx1ZV9zZXNzaW9uX2luZGV4MC0wKwIBBAwkNGY3ZjI1ZGEtZjExYy0xMWVhLWEyZTYtN2ViMDc5YzhjMmNmBAAwHQwKdGFnX3ZhbHVlXzAPMA0CAQQMBkFuZGVycwQAMDYMF3RhZ192YWx1ZV9ocm1fZWZ0ZXJuYW1uMBswGQIBBAwSRG9tZWlqw6XDpMO2w4XDhMOWBAAwNQwTdGFnX3ZhbHVlX2hybV9lcG9zdDAeMBwCAQQMFWFuZGVycy5kb21laWpAY2dpLmNvbQQAMC0MEnRhZ192YWx1ZV9ocm1fdGVsZTAXMBUCAQQMDis0NiA4IDUxNzUwNTIxBAAwJwwRdGFnX3ZhbHVlX2hybV91aWQwEjAQAgEEDAlsb2RvbWVpamEEAA==
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-groups: "earchive-ICN","earchive-MFA"
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-remote-address: 10.104.63.77
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user: xxxxxxx
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Referer: https://hostname/
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O Via: HTTP/1.1 verify-access-isvawrp-webseal-5ffbf4ff7b-qss4c:80
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O iv-user-l: uid=xxxxxx,cn=yyyyyy,ou=aaa,ou=bbb,ou=ccc,o=Company,DC=DDDDDD,DC=SE
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-o: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-request-id: d17ac865202e06a2bb046055c850d4e8
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-forwarded-proto: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-efternamn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-namn: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-ou: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O x-scheme: https
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-mail: NOT_FOUND
[9/7/20 17:10:48:468 CEST] 000000a4 SystemOut O hrm-tele: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O hrm-uid: NOT_FOUND
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-host: hostname/
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Upgrade-Insecure-Requests: 1
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-site: same-origin
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O iv_server_name: webseal-webseald-verify-access-isvaconfig-564cd8758f-898w2
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-original-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-dest: document
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-for: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-real-ip: ipaddress
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O x-forwarded-port: 443
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O sec-fetch-mode: navigate
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O Cookie: INGRESSCOOKIE=1599491438.525.1048.406002
[9/7/20 17:10:48:469 CEST] 000000a4 SystemOut O


What is missing?
Please advise

------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Thu September 03, 2020 08:20 AM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi Anders,

The ability to specify credential providers in the configuration file has not been there since ISAM 7.0.  In the later ISAM (and Verify Access) versions, the [aznapi-entitlement-services] stanza is pre-populated with TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs (under-the-covers) and you can't change it.  Do not try to add this stanza to the configuration - it will cause failure as you have seen.

You will need to change your stanzas to use TAM_CRED_ATTRS_SVC instead of HRM_CRED_ATTRS_SVC.

i.e.

[AZN_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[AZN_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[AZN_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Thu September 03, 2020 07:36 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Thanks Jon,

Unfortunately it isn't working.

In the [aznapi-entitlement-services] stanza we added the HRM_CRED_ATTRS_SVC (see below)

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901
HRM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# AD 20200901

Then we added the following stanzas to configure the HRM_CRED_ATTRS_SVC

# AD 20200901
[HRM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id
ePerson = azn_cred_authzn_id

[HRM_CRED_ATTRS_SVC:inetOrgPerson]
tagvalue_hrmattrs_epost = mail
tagvalue_hrmattrs_namn = cn
tagvalue_hrmattrs_efternamn = surname
tagvalue_hrmattrs_tele = telephoneNumber
tagvalue_hrmattrs_uid = Uid

[HRM_CRED_ATTRS_SVC:ePerson]
tagvalue_hrmattrs_o = o
tagvalue_hrmattrs_ou = ou
# AD 20200901

In the verify-access-isvaconfig conntainer we opened a shell and ran the following

pdadmin -a sec_master
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_o=hrm-o
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_ou=hrm-ou
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_uid=hrm-uid
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_namn=hrm-namn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_mail=hrm-mail
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_efternamn=hrm-efternamn
pdadmin sec_master> object modify /WebSEAL/verify-access-isvaconfig-564cd8758f-khknn-webseal/jct set attribute HTTP-Tag-Value hrmattrs_tele=hrm-tele

So that the attributes would be present on the junction jct.

After a deploy, publish and reload cycle, the tags are set on the http request but they all have the value "NOT_FOUND"

From the isva documentation,
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/base_admin/reference/ref_credattrentlserv.html

there should be an entry

[aznapi-configuration]
# AD 20200902
cred-attributes-entitlement-services = HRM_CRED_ATTRS_SVC
# AD 20200902

but if we add that , we get a system error when trying to save the configuration file

System Error

Error: DPWAP0014E The 'cred-attributes-entitlement-services' configuration entry, in the [aznapi-configuration] stanza, is an unsupported configuration entry.


------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Wed September 02, 2020 12:36 PM
From: Jon Harry
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Anders,

You need two configuration stanzas to set up the credential attribute service.  Make sure that they don't already exist - creating 2 stanzas with the same name will likely cause a startup error.

The first stanza specifies how to look up the LDAP object.  Usually:

[TAM_CRED_ATTRS_SVC]
inetOrgPerson = azn_cred_registry_id

You can add multiple entries to this stanza but usually only one (for the user object) is used.

The second stanza references the first and specifies the attributes to pull.  For example:

[TAM_CRED_ATTRS_SVC:inetOrgPerson]
email = mail

In this case, email is the attribute to be created in the credential and mail is the LDAP attribute name.
It is common to have multiple entries in this stanza; one for each attribute to be retrieved.

Last thing to know is that there is a configuration entry in the [server] stanza called force-tag-value-prefix which defaults to yes.
When set to yes, it will prefix all cred attr attributes with tagvalue_ and will only allow attributes with this prefix to be added to HTTP headers.
I almost always change this configuration entry to no.

I hope this helps.

Jon.


------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Wed September 02, 2020 11:22 AM
From: Anders Domeij
Subject: Reverse proxy fails -- ISVA 10 and cred-attribute-entitlement-services

Hi,

How do we configure the cred-attribute-entitlement-services in ISVA?

We believe we've followed the instructions correctly, updating the reverse proxy conf file in the isva-config container.

After saving the conf file and publishing the changes to the isvawrp container, the reverse proxy no longer starts :-(

We see  this in the container log file

{"log":"Verifying checksums... Done\n","stream":"stdout","time":"2020-09-02T13:27:31.557509233Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.504183652Z"}{"log":"MAC verified OK\n","stream":"stderr","time":"2020-09-02T13:28:08.514445018Z"}{"log":"Error: WGAWA0280E Examine the log of the Web Reverse Proxy instance for further information on the failure.\n","stream":"stdout","time":"2020-09-02T13:28:08.684393581Z"}{"log":"2020-09-02T13:28:10+0000: --- Running.\n","stream":"stdout","time":"2020-09-02T13:28:10.089151671Z"}{"log":"2020-09-02T13:28:10+0000: Log file: /var/application.logs.local/wrp/webseal/log/msg__webseald-webseal.log\n","stream":"stdout","time":"2020-09-02T13:28:10.092247242Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093426436Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Policy Director Extended Attributes Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093444566Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093450659Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = TAM Policy Entitlements Service 10.0.0\n","stream":"stdout","time":"2020-09-02T13:28:10.093455363Z"}{"log":"2020-09-02-13:27:33.422+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.093460071Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Registry Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09346484Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09346967Z"}{"log":"DPWIV0203E Additional information from azn-api: azn_svc_version = Tivoli Access Manager Credential Attributes Entitlements Service v1.0\n","stream":"stdout","time":"2020-09-02T13:28:10.09347468Z"}{"log":"2020-09-02-13:27:33.423+00:00I----- 0x38AD50CB webseald ERROR wiv azn WsMgr.cpp 2276 0x7f795db7f880\n","stream":"stdout","time":"2020-09-02T13:28:10.09348944Z"}{"log":"DPWIV0203E Additional information from azn-api: AZN_VERSION = 10.0.0 (Build 200602))\n","stream":"stdout","time":"2020-09-02T13:28:10.093495365Z"}{"log":"2020-09-02T13:28:40+0000: Shutting down....\n","stream":"stdout","time":"2020-09-02T13:28:40.377423793Z"}{"log":"\n","stream":"stdout","time":"2020-09-02T13:28:41.678015787Z"}{"log":"Stopping all processes\n","stream":"stdout","time":"2020-09-02T13:28:41.678047408Z"}{"log":"2020-09-02T13:28:44+0000: ---- Shutdown.\n","stream":"stdout","time":"2020-09-02T13:28:44.764305735Z"}​
 and the container restarts after 5 mins with the same result..
(Env: ISVA helm deployed in kubernetes)
Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------