IBM Security Verify

  • 1.  ISAM sps.authService.policyKickoffMethod

    IBM Champion
    Posted Sun June 28, 2020 10:19 AM

    Hi community

    Based on Leo Farrell's blog post (https://community.ibm.com/community/user/security/blogs/leo-farrell/2019/05/26/isam-path-based-authentication-service-kickoff) and other resources from past Masterclasses, it is stated that one can set sps.authService.policyKickoffMethod in AAC's Advanced Configuration to enable referring to Authentication Mechanism Policies as a path, such as ../mga/sps/authsvc/policy/totp instead of ../mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:totp, for instance.

     

    I really want to use this feature and we are on 9.0.7.0+; I really want to believe it is available, but the thing is, it is not showing up at all on my appliances (which were built fresh in the past with 9.0.5.0 and from there upgraded from firmware update to firmware update to 9.0.7.0/9.0.7.1).

    The only keys visible when I filter on "sps.authService" are:

    • sps.authService.reCAPTCHA.serviceLocation
    • sps.authService.reauthenticationEnabled
    • sps.authService.stateIdSource.apiauthsvc
    • sps.authService.stateIdSource.authsvc

     

    Could the upgrade path be the cause for this setting not showing as visible?

     

    I've tried inserting it programmatically into the Advanced Configuration using an ISAM REST API call; however, it got ignored and still does not show up in the LMI. If I try to access the short version of the URL, I get the message "FBTAUT001E The request does not contain any of the these required parameters [TransactionId PolicyId StateId]. Please re-access the protected resource", telling me really that the configuration change triggered with the ISAM REST API didn't apply.

     

    I don't mind opening a case, but before heading in that direction, I was curious to know if there were any workarounds allowing us to insert keys that are not visible, as we don't have the luxury to delete and recreate all appliances with a fresh 9.0.7.1 ISO image; even with Playbook automation, this is a lot of work, and very risky for the business (or is it really, if I limit the appliance rebuild to only those ISAM Liberty appliances? A reflection set aside for some other time). I understand, however, that with Docker this would be a no-brainer.

     



    ------------------------------
    Sylvain Gilbert
    ------------------------------


  • 2.  RE: ISAM sps.authService.policyKickoffMethod

    Posted Sun June 28, 2020 12:03 PM
    Hi Sylvain,

    I'm not aware of any clever trick to fix this.  I think you should open a case.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------