Most enterprises have become diligent about who is accessing their applications and systems. Do they really need access? Is the access temporary or permanent? What about privileged accounts such as root users and admins? Sharing those credentials with a user or group for an activity with a limited time period would be a risk. Catering to all of these aspects is where identity and access management (IAM) comes in.
How do you authenticate to access the console? Instead of authenticating with local credentials, why not centralize the authentication mechanism using IBM Verify Identity Access or any other IAM platform? This ensures that users don't have to remember another set of credentials and can use their corporate credentials to access the application.
What is IBM Guardium Key Lifecycle Manager?
IBM Guardium Key Lifecycle Manager is an encryption key management tool that centralizes, simplifies and automates the key management process. It offers robust and security-rich key storage, key serving, and key lifecycle management for self-encrypting applications and solutions by using interoperability protocols, including KMIP, IPP, and REST APIs.
IBM Guardium Key Lifecycle Manager (GKLM) supports the OpenID Connect (OIDC) protocol and LDAP-based authentication mechanisms. This tutorial explains how you can set up OIDC with IBM Verify Identity Access.
What is IBM Verify Identity Access?
IBM Verify Identity Access is a complete authorization and network security policy management solution. It provides end-to-end protection of resources over geographically dispersed intranets and extranets. IBM Verify Identity Access offers the following features:
- Authentication: Provides a wide range of built-in authenticators and supports external authenticators.
- Authorization: Provides permit and deny decisions for protected resources requests in the secure domain through the authorization API.
- Data security and centralized resource management: Manages secure access to private internal network-based resources by using the public internet's broad connectivity and ease of use with a corporate firewall system.
Learning objectives
In this tutorial, you will set up the IBM Verify Identity Access appliance as an OIDC Identity Provider (IdP), providing single sign-on authentication to GKLM.
This use case has a mix of technologies including IBM Guardium Key Lifecycle Manager, and IBM Verify Identity Access. However, it can be extended to any IAM solution that supports OIDC for authentication.
OIDC: OpenID Connect is a simple identity protocol and open standard built on the OAuth 2.0 protocol. It enables client applications to rely on authentication performed by an OpenID Connect Provider to verify the identity of a user.
OpenID Connect uses OAuth 2.0 for authentication and authorization and then builds identities that uniquely identify users. Client applications can also obtain basic profile information about a user in an interoperable, REST-like manner from OpenID Connect Providers.
This tutorial uses the Authorization Code Flow grant type, with GKLM registered as a public client and PKCE enabled.
Prerequisites
To follow this tutorial, you need:
- IBM Verify Identity Access Appliance with Reverse Proxy configured (Note: This tutorial is based on IBM Security Verify Access v10.0.8.0)
- IBM GKLM with Admin access (Note: This tutorial is based on GKLM v5.0)
Estimated time
It should take you approximately 30 minutes to complete the tutorial.
Steps
Step 1: Configuring Reverse Proxy for OpenID Connect Provider
- On the Verify Access admin console, navigate to Web>Reverse Proxy
- Select the Reverse Proxy instance and click on Manage>AAC and Federation Configuration>OAuth and OpenID Connect Provider Configuration
- Select AAC and Federation Runtime based provider and click Next
- In the Main panel, select all of the following checkboxes:
- Configure for browser interaction: makes the /authorize and /session endpoints accessible
- Configure for API Protection: configures the oauth-auth and oauth-cluster stanzas
- Require authentication to register a client: sets an anyauth ACL on the client registration endpoint
- Click Next
- In the AAC Runtime pane, provide the details used to authenticate with the federation runtime: host, port, user name, and password. All of them are required. When you move to the next pane, these details are used to connect to the runtime.
- The default junction name used is /mga
- Click Next
- The next tab is the ACLs and Certificates panel. Select the checkboxes to reuse ACLs and Certificates.
- Click on Finish and then Deploy the Pending changes
Step 2: Create API Definition with OIDC Enabled in Verify Access
- Open OpenID Connect and API Protection page by navigating to Federation>OpenID Connect and API Protection
- Create a new definition by clicking the plus icon under definition page
- Provide a name to identify the definition and select an access policy as per your configuration
- Select Authorization code for Grant Types
- Leave the Token Management and Trusted Clients and Consent as default
- Enable OpenID Connect by enabling the checkbox Enable OpenID Connect
- Enter the hostname of the Reverse Proxy as the Issuer identifier and enter the junction name (in this case /mga) as the Point of Contact Prefix
- The Metadata URI is populated automatically; note it, as it is used when configuring GKLM
- In this tutorial, we are using the default certificate used for the reverse proxy which is WebSEAL-Test-Only under the database pdsrv
- Select the checkbox Enable client registration and Issue client secret
- Click Save to create the API Definition
Step 3: Create OIDC Client in Verify Access
- Navigate to Clients under OpenID Connect and API Protection
- Click on the plus icon to add a new client
- Note down the Client ID and Client secret, as they are used when configuring GKLM
- Provide a Client name to identify the OIDC client
- Deselect the checkbox corresponding to Confidential.
- Provide a Company name as this is mandatory
- Make sure the checkbox corresponding to Require PKCE (RFC 7636) is selected
- Click Ok to complete the setup
Step 4: Downloading SSL Certificate from Verify Access
- Navigate to System>Secure Settings>SSL Certificates
- Select pdsrv, then navigate to Manage>Edit SSL Certificate Database
- On the Personal Certificate tab, select WebSEAL-Test-Only and then navigate to Manage>Export
- This SSL Certificate file will be used during GKLM setup
Step 5: Set up IBM GKLM
- On the GKLM admin console, navigate to User management>Authentication providers
- Click on the edit button corresponding to OIDC authentication
- Select the radio button corresponding to OIDC
- Select the checkbox to Enable OIDC-based authentication
- Edit Client credentials and enter the Client ID and Client secret obtained from Step 3
- Click Save
- Edit Authorization server details
- Enter the Metadata URI obtained from Step 2 under the Discovery URL
- Select Method as userinfo
- The Endpoint URL can be found by opening the Metadata URI in your browser and taking the value corresponding to userinfo
- Enter sub under the User identifier field
- Click Save
- Under Provider certificate section import the certificate downloaded from Step 4
- Click Test connection
- Once the test connection succeeds, click Save to store the configuration
- You will get a notification that the GKLM server will be restarted
- Once the GKLM server restarts, you will find a Log in with SSO option on the login page
- Selecting Log in with SSO redirects to Verify Access for authentication and lands on the GKLM homepage after successful authentication
Ensure that the user who is trying to access the console through the Verify Access already exists in GKLM. If the user does not exist, create the user identity by providing a dummy password.
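The following is an added Python example, not code from IBM or this tutorial, that walks through what the Steps 2 to 5 configuration amounts to on the wire: a public client validates the discovery document against the configured Issuer identifier, builds a PKCE-protected (S256) authorization request with no client secret, and maps the userinfo claim chosen as User identifier (sub) onto a pre-existing local account, rejecting unknown subjects as the note above requires. The discovery document, host name, junction paths and user list are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed stand-in for what the Metadata URI (Step 2) returns; host name,
# junction and endpoint paths are placeholders, not values from the tutorial.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://rp.example.com/mga",
    "authorization_endpoint": "https://rp.example.com/mga/authorize",
    "token_endpoint": "https://rp.example.com/mga/token",
    "userinfo_endpoint": "https://rp.example.com/mga/userinfo",
    "code_challenge_methods_supported": ["plain", "S256"],
})

def load_metadata(metadata_json, expected_issuer):
    """Parse the discovery document; refuse it if the issuer differs from the
    Issuer identifier configured in Step 2 or S256 PKCE is not offered."""
    meta = json.loads(metadata_json)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % meta.get("issuer"))
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    return meta

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    if verifier is None:
        verifier = secrets.token_urlsafe(32)  # 43 chars, inside the 43..128 range
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(meta, client_id, redirect_uri, code_challenge, state):
    """Authorization request for a public client: PKCE challenge, no secret."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return meta["authorization_endpoint"] + "?" + urlencode(params)

def resolve_user(userinfo_json, local_users, identifier="sub"):
    """Map the userinfo claim used as User identifier to an existing GKLM
    account; an unknown subject returns None instead of being auto-created."""
    subject = json.loads(userinfo_json).get(identifier)
    return subject if subject in local_users else None
```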
Summary
In this tutorial, you learned how to integrate IBM Verify Identity Access with IBM Guardium Key Lifecycle Manager. If you’d like to learn about more security applications, see the Security hub on IBM Developer.
Authors: Sushmita Das, Monali Behra, Suraj Kanth