IBM Security Verify

  • 1.  Dangerous oauth configuration wizard

    Posted Mon May 13, 2019 02:51 PM
    not click bait ;-)

    Seriously, if you run the oauth configuration wizard with only one object space root, like /WebSEAL/roota, it works nicely.
    But if you add another WebSEAL instance (same domain) and run the wizard against it, it removes all the stuff against /WebSEAL/roota and adds it to the new WebSEAL instance's object space. This is not good, because the first WebSEAL instance is now broken.

    Is there any dev who can look into the code to see if this is by design or a mistake?

    Sample output from my lab environment:
    Beginning oauth configuration 2019/05/11 10:21:16
    ...
    ....


    Performing pdadmin cmd:Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/device_authorize
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/introspect
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/jwks
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/metadata
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/revoke
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/token
    Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/userinfo

    Performing pdadmin cmd:Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/introspect isam_oauth_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/jwks isam_oauth_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/metadata isam_oauth_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/register isam_oauth_rest_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/revoke isam_oauth_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/token isam_oauth_unauth
    Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/userinfo isam_oauth_unauth

    ------------------------------
    Regards Mikael
    ------------------------------
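A defender-side check, added here and not part of the thread or of the ISAM wizard itself: it parses the wizard's "Performing pdadmin cmd:" output, works out which WebSEAL instance is receiving the ACL attaches, and flags every acl detach that hits a different instance, so the collateral damage Mikael describes can be spotted in a log before it is trusted. The sample lines are constructed from the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the wizard log posted in the thread:
# detaches against one WebSEAL instance, attaches against another.
SAMPLE_OUTPUT = """\
Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/token
Performing pdadmin cmd: acl detach /WebSEAL/unconfigured.appliance-a-01/mga/sps/oauth/oauth20/userinfo
Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/token isam_oauth_unauth
Performing pdadmin cmd: acl attach /WebSEAL/wsl/mga/sps/oauth/oauth20/userinfo isam_oauth_unauth
"""

# Matches: acl <detach|attach> /WebSEAL/<instance><rest-of-path> [<acl name>]
# search() is used so a doubled "Performing pdadmin cmd:" prefix still matches.
CMD_RE = re.compile(
    r"Performing pdadmin cmd:\s*acl (detach|attach) (/WebSEAL/[^\s/]+)(/\S*)(?:\s+(\S+))?"
)


def parse_acl_commands(text):
    """Return (action, instance, path, acl) tuples for each acl detach/attach line."""
    cmds = []
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            cmds.append(m.groups())  # acl is None for detach lines
    return cmds


def infer_target(cmds):
    """The instance the wizard attaches ACLs to, i.e. the one being configured."""
    targets = {instance for action, instance, _p, _a in cmds if action == "attach"}
    return targets.pop() if len(targets) == 1 else None


def collateral_detaches(cmds, target_instance):
    """Detach commands aimed at a WebSEAL instance other than the configured one."""
    return [c for c in cmds if c[0] == "detach" and c[1] != target_instance]


def summarize(cmds):
    """Per instance: how many endpoints were detached and how many attached."""
    summary = defaultdict(lambda: {"detached": 0, "attached": 0})
    for action, instance, _path, _acl in cmds:
        summary[instance][action + "ed"] += 1
    return dict(summary)


if __name__ == "__main__":
    cmds = parse_acl_commands(SAMPLE_OUTPUT)
    target = infer_target(cmds)
    for action, instance, path, _acl in collateral_detaches(cmds, target):
        print(f"WARNING: {action} on {instance}{path} while configuring {target}")
    print(summarize(cmds))
```

An instance that shows up with detaches but no attaches in the summary is the one that will be left without OAuth ACLs once the wizard finishes.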


  • 2.  RE: Dangerous oauth configuration wizard

    Posted Mon May 13, 2019 03:00 PM
    Another way to do it is by running the wizard with junction /mga1 as parameter and then running it again to create /mga2: same behaviour.

    ------------------------------
    Regards Mikael
    ------------------------------



  • 3.  RE: Dangerous oauth configuration wizard

    Posted Mon May 13, 2019 03:32 PM

    Hello @Mikael Lindblad,

    Can you confirm whether unchecking the 'Reuse ACLs' has any effect on this behavior?

    This option should allow you to have a distinct set of ACLs for each configuration.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 4.  RE: Dangerous oauth configuration wizard

    Posted Mon May 13, 2019 09:06 PM
    I'm not sure clearing "Reuse ACLs" is a good idea. I think this will, in fact, delete all the ACLs (which removes them from previous config) and then recreates them.

    I could be wrong but I think that's why the reuse ACLs is now checked by default.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Dangerous oauth configuration wizard

    Posted Tue May 14, 2019 12:41 AM
    Hi,

    The only difference between the settings is that when you use "reuse" it doesn't recreate (delete/create) the ACLs; the detach/attach is done in both scenarios.

    ------------------------------
    Regards Mikael
    ------------------------------



  • 6.  RE: Dangerous oauth configuration wizard

    Posted Tue May 14, 2019 02:48 AM
    Hi,

    I can confirm that the "reuse ACL" option of the OAuth wizard does not work correctly.
    When you select "reuse ACL", the ACLs are detached, deleted and recreated, which causes existing config to be broken.
    I opened a case for this: TS001691909. This problem will be fixed in ISAM 9.0.7.

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 7.  RE: Dangerous oauth configuration wizard

    Posted Fri May 17, 2019 09:57 AM
    Thanks @Peter Volckaert

    Will you check the other wizards too, or should I do it?

    ------------------------------
    Regards Mikael
    ------------------------------



  • 8.  RE: Dangerous oauth configuration wizard

    Posted Fri May 17, 2019 10:39 AM
    Hi Mikael, @Mikael Lindblad

    I did not check the other wizards, nor have I heard from others that these would not work.
    It would be great if you could check the other wizards too; I'm a bit too busy right now. Thanks!

    Kind regards, Peter
    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------