IBM Security Verify

  • 1.  ISAM integration with WAS Deployment manager/admin console

    Posted Tue April 20, 2021 12:54 PM
    I have configured a junction in ISAM through which users can access the WAS Deployment manager/admin console, which uses LTPA so that users are logging into it using their ISAM credentials. All good so far; however, I have a couple of questions.

    1. I want users to be able to click the logout button in the admin console and get logged out of both the admin console and ISAM, what is the best way of doing this? Surely someone has solved this? It feels wrong to log a user out and land them on a login page we don't want them to see.

    2. Is it advisable to access the admin console via an IHS server, or is this only really advisable for accessing applications hosted on a WAS application server instance? In theory, I guess it seems best practice to do that, but then I'm not sure the idea of being able to stop an IHS instance in the console that then removes your ability to access the console sounds like a great idea!

    ------------------------------
    Dennis English
    ------------------------------


  • 2.  RE: ISAM integration with WAS Deployment manager/admin console

    Posted Wed April 21, 2021 04:22 AM
    Hi Dennis:
    I am not sure about question 1, so I'd better leave this to someone who has more experience. But WebSphere Application Server uses LTPA by default, which provides a way to single sign-on to its applications. The admin console is just another application, and I don't think things change regarding logout and login. WAS has the capability of supporting multiple single sign-on protocols. But I don't want to go any further than this.

    Regarding question 2. It is your option, but usually you can access the admin console without the use of an HTTP server. I've worked in many organizations with WAS, and I can't remember one that used HTTP Server to access the admin console. If you want to discuss the advantages or disadvantages of both options, I can help you here too.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 3.  RE: ISAM integration with WAS Deployment manager/admin console

    Posted Wed April 21, 2021 05:14 AM
    Hi,
    I think the following article describes this problem: https://www.ibm.com/support/pages/programmatically-logout-websphere-application-server-form-logout-and-webseal-pkmslogout
    You can also perform https://www.ibm.com/docs/fr/sva/10.0.0?topic=off-configuring-single-signoff, but there is a note on this on tokens. Also, you want a logout from the WAS console to also trigger a logout on ISAM. Unless you have a separate WebSEAL instance, you will log out and no longer have SSO.
    Depends if the IHS server is on a managed node or node. If there is a problem with the IHS you might not be able to access your admin console and have to fix the IHS problem first. If you do not deploy IHS, the Appserver has an embedded HTTP server.

    Hope this helps
    Kind regards
    Serge Vereecke
    IBM Security

    ------------------------------
    Serge Vereecke
    ------------------------------



  • 4.  RE: ISAM integration with WAS Deployment manager/admin console

    Posted Wed April 21, 2021 06:30 AM
    Edited by Dennis English Wed April 21, 2021 06:31 AM
    I think the problem I am describing is misunderstood, so I will try again.

    I have configured single sign on perfectly, using LTPA, and I am able to login to the WAS Deployment manager application perfectly. Zero issue, everything is amazing.

    The problem is this:
    1. The WAS Deployment manager application has a button in the top right corner called "Logout".

    2. I want to click that logout button and get logged out of both the WAS Deployment Manager *and* ISAM, and returned to the ISAM login page

    3. Currently, clicking that button points to https://<hostname>/ibm/console/logout.do?csrfid=<10-digit-number>, and I want it to instead point to https://10.30.10.118/pkmslogout. I am happy to consider other options; the only essential part is that the logout flow I am looking for starts with clicking the application logout button referenced by point 1 above.

    4. If I can achieve this, there are options available to clear out other relevant cookies.

    Why is this a problem? Because it does not feel right that the logout flow is different from the login flow, and it is confusing for a user to be thrown to an unfamiliar login page when they click the logout button.

    ------------------------------
    Dennis English
    ------------------------------



  • 5.  RE: ISAM integration with WAS Deployment manager/admin console

    Posted Wed April 21, 2021 07:05 AM
    Hi Dennis,

    There are options available to do what you want here but I don't have any concrete examples so more investigation will be needed.

    1) It might be as simple as configuring a logout redirect URL in WAS.  In 8.5.5 I found this reference:

    To redirect the logout to another URL, navigate to WAS_HOME > systemApps > isclite.ear > config. Locate and open the console.properties file. To use the redirect feature, modify the redirect and redirectURL properties. Set the redirect to true to clear the session and redirect the console to the specified URL when the software performs the logout.

    2) You could add a transformation rule in the Reverse Proxy which matches requests to logout.do and simply re-writes them to point to /pkmslogout instead.

    3) You could add an ACL in Reverse Proxy which denies access to logout.do page.  When user attempts to access they get a Forbidden page.  This page could have JavaScript on it which detects it is the logout.do page and redirects to /pkmslogout

    4) You could use a snippet filter in Reverse Proxy to rewrite the code on the WAS Console page so that the logout button points to /pkmslogout instead.

    Personally I would hope that (1) works.  This would be the best option because it would mean WAS is logged out and then Reverse Proxy is logged out. To make this work you might need to redirect to ../../../../pkmslogout to make sure you hit the logout page in Reverse Proxy.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
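    The following is an added example, not code from the thread or from IBM, to make option (1) and the `../../../../pkmslogout` caveat concrete. It does two things: edits a constructed `console.properties` excerpt to set `redirect`/`redirectURL` (the key names are the ones the post quotes), and models where the browser ends up after the WAS redirect passes through WebSEAL. The hostname `webseal.example.com`, the junction name `/was`, and the `webseal_location` function (a simplified model of WebSEAL prefixing the junction name onto server-relative `Location` headers while leaving relative paths alone) are assumptions for this example; verify the filtering behaviour against your own junction type.

    ```python
    """Model the WAS console logout redirect through a WebSEAL junction.

    Hostnames, the junction name /was and the sample console.properties text
    are constructed for this example; webseal_location is a simplified model
    of WebSEAL's Location-header filtering, not its actual implementation.
    """
    from urllib.parse import urljoin

    # Constructed excerpt of isclite.ear/config/console.properties.
    SAMPLE_PROPERTIES = """# console.properties (constructed sample)
    redirect=false
    redirectURL=
    someOtherKey=keep me
    """


    def parse_properties(text):
        """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
        props = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#!":
                continue
            key, sep, value = line.partition("=")
            if not sep:
                continue
            props[key.strip()] = value.strip()
        return props


    def set_logout_redirect(text, redirect_url):
        """Return properties text with redirect=true and redirectURL set,
        editing existing keys in place and appending any that are missing."""
        updates = {"redirect": "true", "redirectURL": redirect_url}
        out, seen = [], set()
        for raw in text.splitlines():
            key = raw.split("=", 1)[0].strip()
            if key in updates and not raw.lstrip().startswith(("#", "!")):
                out.append(f"{key}={updates[key]}")
                seen.add(key)
            else:
                out.append(raw)
        for key, value in updates.items():
            if key not in seen:
                out.append(f"{key}={value}")
        return "\n".join(out) + "\n"


    def webseal_location(location, junction):
        """Assumed model of WebSEAL filtering a Location header from a
        junctioned server: a server-relative path ('/x') gets the junction
        name prefixed, so it stays inside the junction; a relative path
        ('../x') is passed through and resolved by the browser."""
        if location.startswith("/") and not location.startswith("//"):
            return junction.rstrip("/") + location
        return location


    def check_redirect(console_url, junction, redirect_url):
        """End to end: WAS emits redirect_url, WebSEAL filters it, and the
        browser resolves the result against the console page it was on."""
        return urljoin(console_url, webseal_location(redirect_url, junction))


    if __name__ == "__main__":
        console = "https://webseal.example.com/was/ibm/console/logout.do"
        for candidate in ("/pkmslogout", "../../../../pkmslogout"):
            print(f"{candidate:24} -> {check_redirect(console, '/was', candidate)}")
        print(set_logout_redirect(SAMPLE_PROPERTIES, "../../../../pkmslogout"))
    ```

    Under this model a bare `/pkmslogout` lands on `/was/pkmslogout`, i.e. a request that WebSEAL forwards to WAS instead of handling itself, while the relative form climbs out of the junction and reaches WebSEAL's own `/pkmslogout`, which is the reason for the `../../../../` in the post. Restart the deployment manager after editing `console.properties`, and confirm with a browser trace that the `Location` header on `logout.do` is the one you expect before relying on it.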



  • 6.  RE: ISAM integration with WAS Deployment manager/admin console

    Posted Wed April 21, 2021 09:20 AM
    Thanks!

    The first option worked perfectly, thank you for that! I wish it came up during my searches on this subject.

    I considered trying to implement the second suggestion, alongside the idea of IHS rewrite rules, but that first option is the cleanest in my opinion. Glad I asked instead of implementing a solution that, even if I got it working, still wouldn't feel right because my feeling was that the ideal solution would sit within WAS itself :)

    ------------------------------
    Dennis English
    ------------------------------