IBM Security Verify

Hello Community,

We are doing a POC to expose API hosted on IBM WAS and need your views. Below are the flow details:

1. Mobile App request a WAS API protected by ISAM.
2. Authorization/Authentication is managed by Axway API Manager. Once user is successfully authenticated via AD. JWT token will be generated from Axway
3. ISAM will receive JWT token and convert it to IV-Cred. We need to configure ISAM proxy server to do token-based authentication
4. IV-Cred will be passed to the WAS API Server and it will generate the LTPA token, response and pass it back to ISAM
5. ISAM will pass the LTPA token, response to Axway
6. Axway will store the LTPA token and pass the response back to Client App.

 

can it be achieved technically and if yes What ISAM modules do we need to achieve this?



------------------------------
AIYUB KHAN
------------------------------

Hello,

Step (3) in your picture is the complex part here.  In order for Access Manager to consume an incoming JWT, it will need to handle it as a custom Bearer token.  You will need to set up a custom Trust Chain in the Federation STS which can validate the JWT and map it to an Access Manager user.  To do this you'll need the Access Manager Federation add-on.

The rest of the flow looks pretty standard.

One question: What version of WAS are you using?  If I remember correctly, ETAI is not supported on most recent versions of WAS because it is not certified against Java 8.  If WAS and ISAM are sharing a user registry you could use LTPA SSO from WebSEAL to WAS.  Side-effect of this is that LTPA is *not* returned to the API Gateway - I don't know if that is an issue or not for your architecture.

Cheers... Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: 03-07-2019 09:23 PM
From: AIYUB KHAN
Subject: Axway ISAM Integration to do Token based authentication

Hello Community,

We are doing a POC to expose API hosted on IBM WAS and need your views. Below are the flow details:

1. Mobile App request a WAS API protected by ISAM.
2. Authorization/Authentication is managed by Axway API Manager. Once user is successfully authenticated via AD. JWT token will be generated from Axway
3. ISAM will receive JWT token and convert it to IV-Cred. We need to configure ISAM proxy server to do token-based authentication
4. IV-Cred will be passed to the WAS API Server and it will generate the LTPA token, response and pass it back to ISAM
5. ISAM will pass the LTPA token, response to Axway
6. Axway will store the LTPA token and pass the response back to Client App.

 

can it be achieved technically and if yes What ISAM modules do we need to achieve this?



------------------------------
AIYUB KHAN
------------------------------

Hi Jon,
Thanks for your help much appreciated. The version of WAS/J is 8.5.5.13 / 7.0.10.15. 

Base on your feedback we are now following the article: https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

 (we were originally looking at the AAC module and api protect)

and have created the following STS chain:

1./ jwt-to-stsuu template  with Default JWT Module (Validate) and  Default STSUU (issue)
1a./ AppliesTo Address: urn:jwt:validate
1b./ Issuer Address: urn:jwt:validate
1c./ jwt Module validate (config: RS256 and jwks ui points to Axway jwks endpoint)

2./ stsuu_to_ivcreds with Default STSUU (Validate) and Default IVCred(Issue)
2a./ AppliesTo Address: urn:ivcreds:issue
2b./ Issuer Address: urn:ivcreds:issue

We are not sure if the addresses are correct, right format etc

Lastly we believe (based on oauth-jwt-access-token article) we need to set up Reverse proxy authentication with Oauth Chain. For the article this is for a JWT, we need an ivcred and are not sure about the default mapping rule (I had a assumed we had to map the jwt content to the iv-cred) and again the address formats are getting us a little confused.

Thanks again for any help

------------------------------
Chris Solomon
------------------------------

Original Message:
Sent: 03-08-2019 04:23 AM
From: Jon Harry
Subject: Axway ISAM Integration to do Token based authentication

Hello,

Step (3) in your picture is the complex part here.  In order for Access Manager to consume an incoming JWT, it will need to handle it as a custom Bearer token.  You will need to set up a custom Trust Chain in the Federation STS which can validate the JWT and map it to an Access Manager user.  To do this you'll need the Access Manager Federation add-on.

The rest of the flow looks pretty standard.

One question: What version of WAS are you using?  If I remember correctly, ETAI is not supported on most recent versions of WAS because it is not certified against Java 8.  If WAS and ISAM are sharing a user registry you could use LTPA SSO from WebSEAL to WAS.  Side-effect of this is that LTPA is *not* returned to the API Gateway - I don't know if that is an issue or not for your architecture.

Cheers... Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: 03-07-2019 09:23 PM
From: AIYUB KHAN
Subject: Axway ISAM Integration to do Token based authentication

Hello Community,

We are doing a POC to expose API hosted on IBM WAS and need your views. Below are the flow details:

1. Mobile App request a WAS API protected by ISAM.
2. Authorization/Authentication is managed by Axway API Manager. Once user is successfully authenticated via AD. JWT token will be generated from Axway
3. ISAM will receive JWT token and convert it to IV-Cred. We need to configure ISAM proxy server to do token-based authentication
4. IV-Cred will be passed to the WAS API Server and it will generate the LTPA token, response and pass it back to ISAM
5. ISAM will pass the LTPA token, response to Axway
6. Axway will store the LTPA token and pass the response back to Client App.

 

can it be achieved technically and if yes What ISAM modules do we need to achieve this?



------------------------------
AIYUB KHAN
------------------------------