IBM Verify

 View Only

How To Setup IFA Using ISVA Lightweight Containers

By BEN STRAUBINGER posted Mon June 24, 2024 04:53 AM

  
With the 10.0.8 release of the IBM Security Verify Access product, the team has continued to improve its container support with the addition of a lightweight configuration container image.
In the legacy deployment scenario, the base ISVA image contained all of the configuration and runtime services. Over recent releases, these were separated out into lightweight container images for each service. 
The addition of the lightweight configuration container provides the final piece of this new lightweight deployment model.
 
This post will outline the steps to configure the environment on a clean linux host with docker installed.

Host Environment

Update hosts file

Update the hosts file of the VM host with entries used to connect to the LMI config page and web reverse proxy:

127.0.0.2    config.docker-isva.ibm.com
127.0.0.3    www.docker-isva.ibm.com

Certificate files

Generate database and SSL certificate files

Generate postgres certificate:

$ mkdir -p ./certs/postgresql
$ openssl req -x509 -newkey rsa:4096 -keyout ./certs/postgresql/postgres.key -out ./certs/postgresql/postgres.crt -days 3650 -subj "/CN=postgresql/O=ibm/C=us" -nodes -addext "subjectAltName = DNS:postgresql"
Generating a 4096 bit RSA private key
.......................++++
........................................................................................................................++++
writing new private key to './certs/postgresql/postgres.key'
-----
$ cat ./certs/postgresql/postgres.crt ./certs/postgresql/postgres.key > ./certs/postgresql/postgres.pem

Generate SSL certificate: (see included file: openssl-docker-isva.cnf)

$ mkdir -p ./certs/ssl
$ openssl req -x509 -newkey rsa:4096 -keyout ./certs/ssl/docker-isva-key.pem -out ./certs/ssl/docker-isva-cert.pem -days 3650 -nodes -config ./openssl-docker-isva.cnf
Generating a 4096 bit RSA private key
...................................................................................................++++
......................................................................................................++++
writing new private key to './certs/ssl/dockermmfa-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:QLD
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM Security
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.docker-isva.ibm.com   
Email Address []:
$ openssl pkcs12 -export -out ./certs/ssl/docker-isva-keystore.p12 -inkey ./certs/ssl/docker-isva-key.pem -in ./certs/ssl/docker-isva-cert.pem
Enter Export Password: Passw0rd
Verifying - Enter Export Password: Passw0rd

We should now have the following certificate and key files:

$ tree certs/
certs/
├── postgresql
│   ├── postgres.crt
│   ├── postgres.key
│   └── postgres.pem
└── ssl
    ├── docker-isva-cert.pem
    ├── docker-isva-key.pem
    └── docker-isva-keystore.p12

Import and trust browser certificate

Import the SSL certificate for your host OS and set it as trusted.

Starting containers

Postgres container

First, we need to start the database container using the latest verify-access-postgresql image from the IBM Container Registry (ICR).
We need to include the pgdata volume mount for persisting data, as well as mounting the postgresql certificate directory.
We supply the postgres username postgres and use the password Passw0rd.
We need to point to the postgres SSL keystore (using the mounted directory path), which will be at /var/local/postgres.pem.
We specify the database name isva and point to the server certificate we created earlier.
Lastly, we set the name and hostname of the container to postgresql, and specify to use the isva docker network.

$ docker run -t -d --restart always -v pgdata:/var/lib/postgresql/data -v ./certs/postgresql:/var/local -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=Passw0rd -e POSTGRES_DB=isva -e POSTGRES_SSL_KEYDB=/var/local/postgres.pem --hostname postgresql --name postgresql --network isva icr.io/isva/verify-access-postgresql:10.0.8.0

ISVA configuration container

Next, we need to start the ISVA configuration container using the verify-access-config image from ICR.
We need to include the isvaconfig volume mount for persisting data, which will be shared with the runtime and web reverse proxy containers.
We supply the admin user password Passw0rd.
We publish the local port to the bind address: 127.0.0.2:443 which will allow us to connect to the local management interface (LMI).
Lastly, we set the name and hostname of the container to isvaconfig, and specify to use the isva docker network.

$ docker run -t -d --restart always -v isvaconfig:/var/shared -e CONTAINER_TIMEZONE=Europe/London -e ADMIN_PWD=Passw0rd -p 127.0.0.2:443:9443 --hostname isvaconfig --name isvaconfig --network isva icr.io/isva/verify-access-config:10.0.8.0

ISVA web reverse proxy container

We can start the ISVA web reverse proxy container, though it won't be ready until we complete the required configuration steps.
This container uses the verify-access-wrp image from ICR.
We need to include the isvaconfig volume mount which will contain the configuration data.
We publish the local port to the bind address: 127.0.0.3:443 which will allow us to connect to the web reverse proxy.
We must specify the reverse proxy instance name, which must match the value we configure in later steps.
Lastly, we set the name and hostname of the container to isvawrp, and specify to use the isva docker network.

$ docker run -t -d --restart always -v isvaconfig:/var/shared -e CONTAINER_TIMEZONE=Europe/London -p 127.0.0.3:443:9443 -e INSTANCE=default --hostname isvawrp --name isvawrp --network isva icr.io/isva/verify-access-wrp:10.0.8.0

ISVA runtime container

We can start the ISVA runtime container, though it won't be ready until we complete the required configuration steps.
This container uses the verify-access-runtime image from ICR.
Again, we need to include the isvaconfig volume mount, which will contain the configuration data.
Lastly, we set the name and hostname of the container to isvaruntime, and specify to use the isva docker network.

$ docker run -t -d --restart always -v isvaconfig:/var/shared -e CONTAINER_TIMEZONE=Europe/London --hostname isvaruntime --name isvaruntime --network isva icr.io/isva/verify-access-runtime:10.0.8.0

Check running containers

We can see the status of the running containers with the docker ls command:

$ docker ls
CONTAINER ID   IMAGE                                           COMMAND                CREATED         STATUS                     PORTS                               NAMES
529a8f9c09eb   icr.io/isva/verify-access-runtime:10.0.8.0      "/sbin/bootstrap.sh"   2 minutes ago   Up 2 minutes (unhealthy)   9080/tcp, 9443/tcp                  isvaruntime
d2f65f58957c   icr.io/isva/verify-access-wrp:10.0.8.0          "/sbin/bootstrap.sh"   2 minutes ago   Up 2 minutes (unhealthy)   9080/tcp, 127.0.0.3:443->9443/tcp   isvawrp
f71996e3749e   icr.io/isva/verify-access:10.0.8.0              "/sbin/bootstrap.sh"   2 minutes ago   Up 2 minutes (healthy)     443/tcp, 127.0.0.2:443->9443/tcp    isvaconfig
0fd238cf042e   icr.io/isva/verify-access-postgresql:10.0.8.0   "/sbin/bootstrap.sh"   2 minutes ago   Up 2 minutes               5432/tcp                            postgresql

Note the "unhealthy" status of the runtime and web reverse proxy containers can be ignored until we have completed the required configuration steps.

Configuring the environment

First steps

Now the configuration container is started, we can connect to the LMI: https://config.docker-isva.ibm.com/
Login as the admin user:

  • Username: admin
  • Password: Passw0rd

To complete the First Steps wizard, we must first agree to the Software License Agreement.
On the second page we have the option of changing the admin password. We will skip this and keep our initial password.
Once the setup is completed, we can reload the LMI. The dashboard should now be shown.

Configure the runtime

Before configuring the runtime database, we need to import the postgresql certificate so the verify access containers can communicate with the database.
First, use the menu at the top of the screen to navigate to: System > SSL Certificates

Select the lmi_trust_store certificate database and import the signer certificate:

  • Certificate file: ./dockerkeys/postgresql/postgres.crt
  • Label: postgres
Postgres Certificate Import

Next, select the rt_profile_keys certificate database and import the signer certificate:

  • Certificate file: ./dockerkeys/postgresql/postgres.crt
  • Label: postgres

After updating both certificate databases, deploy and publish the pending changes.

Now we have loaded the required certificate, we can configure the runtime database.
Navigate to: System > Database Configuration
Switch to the Runtime Database tab.
Configure the runtime database using the parameters we provided when starting the containers.
We can use the postgresql hostname, which docker networking should resolve to the correct address.
The username, password and database name were all provided when starting the postgresql container.

  • Type: PostgreSQL
  • Address: postgresql
  • Port: 5432
  • Secure: true
  • Username: postgres
  • Password: Passw0rd
  • DB Name: isva
Runtime Database Configuration

Once configured, deploy and publish the pending changes.

Now, we can complete the Runtime configuration.
Navigate to: Web > Runtime Component
We will use the local LDAP server in this environment, so we just need to set the admin password.

  • User Registry: LDAP Local
  • Admin Password: Passw0rd

Once configured, deploy and publish the pending changes.

Finally, we need to activate the Base, AAC and FIM modules.
Navigate to: System > Activated Modules.
Import each of the license files, saving the configuration after uploading each file.
Once imported, deploy and publish the pending changes.

After activating the required modules, we must restart the config container:

$ docker stop isvaconfig && docker start isvaconfig

The environment is now configured with a local policy server and a local user registry.

Configure the web reverse proxy

Now we have the runtime configred, we can set up the web reverse proxy.

First we need to import the SSL certificate used when connecting to the reverse proxy.
Navigate to: System > SSL Certificates

Select the pdsrv certificate database and import the personal certificate:

  • Type: PKCS12
  • Certificate file: ./dockerkeys/ssl/docker-isva-keystore.p12
  • Password: Passw0rd

After updating the certificate database, deploy and publish the pending changes, then restart the runtime container:

$ docker stop isvaruntime && docker start isvaruntime

Now we can configure the reverse proxy instance.
Navigate to: Web > Reverse Proxy
Configure a new Reverse Proxy instance:

  • Instance name: default
  • Host name: isvawrp
  • Administrator password: Passw0rd

The remaining parameters can be left to their default values.
Once configured, deploy and publish the pending changes.

Next, we need to update the reverse proxy configuration to make use of our SSL certificate.
Select the new default instance and click the Edit button to show the reverse proxy configuration screen.
Switch to the SSL tab and update the SSL Server Certificate to use the www.docker-isva.ibm.com certificate.

Save the configuration update, deploy and publish the pending changes.

After publishing the new configuration, we can restart the wrp container:

$ docker stop isvawrp && docker start isvawrp

Create the test user

Before we can confirm the current configuration, we will need a test user to test basic username password authentication to the web reverse proxy.
Navigate to: Web > Policy Administration
Login as the sec_master user:

  • Username: sec_master
  • Password: Passw0rd

From the side menu, expand the User section and navigate to the Create User screen.
Create the test user with the following details:

  • User ID: testuser
  • Common name: testuser
  • Surname: user
  • Password: Passw0rd
  • Registry UID: cn=testuser,dc=iswga
  • Account valid: yes
  • Password valid: yes
  • GSO User: no
  • No Password Policy: no
Create Test User

Create the user, then navigate back to the LMI dashboard. You should see a pending change notification.
Deploy and publish the pending changes.

Restart the wrp and runtime containers:

$ docker stop isvawrp && docker stop isvaruntime && docker start isvaruntime && docker start isvawrp

Test the reverse proxy configuration

Now we have the reverse proxy configured, we can try to authenticate with our test user to confirm everything is working as expected.
Connect to the reverse proxy: https://www.docker-isva.ibm.com/
You should see the Application Gateway login screen.
Attempt to authenticate with the test username and password we just created:

  • Username: testuser
  • Password: Passw0rd
Reverse Proxy Login

You should see a black screen with "IBM Security Verify Access" shown.

Configure the FIDO2 PAIR Scenario

Now we have our reverse proxy instance, we can configure it for use with our contex based access and authentication services.
Navigate to: Web > Reverse Proxy
Select the default instance and use the Manage dropdown to select: AAC and Federation Configuration > Authentication and Context Based Access Configuration
Complete the Authentication and Context Based Access Configuration wizard with the following settings: (note the easuser password differs from our existing admin passwords)

  • AAC Runtime:
    • Hostname: isvaruntime
    • Port: 9443
    • Username: easuser
    • Password: passw0rd
    • Load certificate: yes
    • Junction: /mga
  • FIDO2 PAIR:
    • Configure Remember Me for FIDO2 PAIR: yes
    • Remember Me Encryption Key Label: (www.docker-isva.ibm.com certificate label)
    • Configure FIDO2 PAIR login template: yes
  • Reuse Options:
    • Reuse certificates: yes
    • Reuse ACLs: yes
CBA Wizard

After completing the configuration wizard, deploy and publish the pending changes, then restart the runtime and wrp container:

$ docker stop isvawrp && docker stop isvaruntime && docker start isvaruntime && docker start isvawrp

Next, we need to configure a FIDO2 Relying Party.
Navigate to: AAC > FIDO2 Configuration
Add a new relying party with the following settings:

Save the new relying party configuration, deploy and publish the pending changes, then restart the runtime container:

$ docker stop isvaruntime && docker start isvaruntime

The IFA authentication scenario will make use of several authentication policies.
All of our authentication policies are disabled by default, so we will need to enable them before we continue.
Navigate to: AAC > Authentication
Use the dropdown menu to enable all authentication policies.

Enable All Policies

Once enabled, deploy and publish the pending changes, then restart the runtime container:

$ docker stop isvaruntime && docker start isvaruntime

Next, we need to configure the FIDO2 PAIR authentication scenario.
Navigate to: AAC > Authentication
Switch to the Scenarios tab, then open the Configure FIDO2 PAIR scenario wizard.

FIDO2 PAIR Scenario

Complete the configuration with the following details: (note the LDAP Bind password differs from our existing admin passwords)

  • FIDO2 PAIR:
  • Username Password:
    • LDAP Hostname: 127.0.0.1
    • LDAP Port: 6389
    • LDAP Bind DN: cn=root,secAuthority=Default
    • LDAP Bind Password: passw0rd
    • SSL: no
LDAP Settings

Deploy and publish the pending changes, then restart the runtime container:

$ docker stop isvaruntime && docker start isvaruntime

Finally, we can configure the IFA authentication scenario.
For this scenario, we will offer the user the choice of username/password or Passkey authentication.
Navigate to: AAC > Authentication
Switch to the Scenarios tab, then open the Configure Identifier First Authentication scenario wizard.
Configure the IFA scenario with the following settings: (note the LDAP settings should already be populated)

  • IFA:
    • FIDO2: yes
    • MMFA: no
    • Redirect: no
    • FIDO2PAIR: yes
    • Allow discovery: yes
  • FIDO2:
  • Username Password:
    • LDAP Hostname: 127.0.0.1
    • LDAP Port: 6389
    • Bind DN: cn=root,secAuthority=Default
    • Bind Pass: passw0rd
    • SSL: false
IFA Wizard

Save the configuration, deploy and publish pending changes, then restart the runtime container:

$ docker stop isvaruntime && docker start isvaruntime

Test the IFA policy

Now we have completed the configuration, we can test the IFA policy with our test user to confirm everything is working as expected.
Connect to the reverse proxy and trigger the IFA scenario: https://www.docker-isva.ibm.com/mga/sps/authsvc/policy/ifa
You should see the Welcome screen with a Username input.

IFA Welcome

We start by entering the username for our test user:

  • Username: testuser

After clicking Continue, we are shown the Username Password screen, as we have not yet registered a Passkey.

IFA Username Password

Complete the login with the testuser details:

  • Username: testuser
  • Password: Passw0rd

After clicking the Sign In button and successfully authenticating, we are shown the Sign In Faster screen where we can now register our device.

Sign In Faster

Click the Yes button to start the device registration process.

Lets Go

Click the Let's Go button, which will prompt you to register your passkey device.

TouchID Sign In

After completing the passkey registration, we are shown the Success page to indicate the registration was successful.

Passkey Registration Complete

Now we can logout to unauthenticate before testing our Passkey login.
First, logout by navigating to the url: https://www.docker-isva.ibm.com/pkmslogout

Next, retrigger the IFA scenario: https://www.docker-isva.ibm.com/mga/sps/authsvc/policy/ifa
We are presented with the Welcome screen where we can again enter our test user's username.

IFA Welcome 2

This time, we are shown the Sign In Options screen where we are given the option of signing in using either our passkey device or password.

Sign In Options

We can select the Security Key / Touch ID option and are prompted to authenticate with our passkey device.

TouchID Sign In Again

After completing the sign in process, we are shown a screen confirming our login was successful.

Passkey Authentication Complete

This confirms our environment is configured correctly and the IFA scenario is working as expected.

Environment Cleanup

To clean up our environment, first stop and remove the running containers:

$ docker rm -fv isvawrp
$ docker rm -fv isvaruntime
$ docker rm -fv isvaconfig
$ docker rm -fv postgresql

Next, remove the Docker persistent volumes:

$ docker volume rm isvaconfig
$ docker volume rm pgdata

Finally, remove the Docker network:

$ docker network rm isva

0 comments
7 views

Permalink