IBM Security Verify

  • 1.  WebSEAL Restrict Login with IP instead of FQDN

    Posted Sat August 24, 2019 12:29 PM
    Hello All,

    When we access webseal using an IP address instead of the FQDN, the browser gives an SSL error and allows us to ignore it and continue.

    If we want to force users to use FQDN to access webseal, is it possible using any default configuration within ISAM? Like, if the user is accessing the webseal using IP, is there some configuration entry to detect and block, and/or redirect using FQDN?

    I believe we can do it using other ways like redirecting with javascript or an html meta tag on the login page itself, or maybe some other ways within ISAM, but I was thinking if there is a default functionality in webseal to cater for this?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: WebSEAL Restrict Login with IP instead of FQDN

    Posted Mon August 26, 2019 12:43 AM
    AFAIK, Web Reverse Proxy can't be configured to disallow authentication attempts (/pkmslogin) from an IP address; an instance bound to an IP will respond on that IP and to any FQDN that resolves (DNS or hosts) to that IP.

    - If using Virtual Host Junctions (only) with match-vhj-first = yes, there's not a great deal a user could do if they did happen to authenticate to pkmslogin.

    - If using the auth service for authentication, you could author your own InfoMap and add it to the policy that checks the request for IP vs FQDN and errors out (or redirects) for IP based.

    - If not using the auth service for authentication, you could consider an HTTP Request Transformation Rule or Authorization Rule (both based on XSLT) to look for an IP address, most likely in the Host header.

    ------------------------------
    Scott Andrews
    ------------------------------



  • 3.  RE: WebSEAL Restrict Login with IP instead of FQDN
    Best Answer

    Posted Mon August 26, 2019 09:51 AM
    Edited by Jahanzaib Sarwar Mon August 26, 2019 11:06 AM
    You can use the following stanza:

    [validate-headers]
    # This stanza is used to list those headers which should be validated
    # on each request. The format of each configuration entry is:
    #
    # <hdr> = <value>
    #
    # For example to ensure all requests are from www.ibm.com set:
    #
    # host = www.ibm.com
    #
    # If multiple headers of the same name are configured, the corresponding
    # header in the request must match one of the configured values.

    host = a.b.com

    A request with a host header of anything else will return a 400 Bad Request. Note: if you set one, then you have to set one for each and every possible host that can be used, i.e. all virtual host junctions.

    ------------------------------
    Nick
    ISAM Level II Support
    ------------------------------
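The following is an added example, not part of the thread and not IBM's WebSEAL code. It models the two approaches discussed above: the Host-header allow-list that the [validate-headers] stanza describes (the header must match one of the configured values or the request gets a 400) and the IP-literal detection that the earlier reply suggests putting in an XSLT Request Transformation or Authorization Rule. The allow-list entries, the sample Host values and the helper names are constructed for illustration; whether WebSEAL itself strips the port or folds case before comparing is an assumption of this model and is not stated on the page.

```python
"""Added example, not from the thread or from IBM's WebSEAL code.

Models the Host-header allow-list that the [validate-headers] stanza
describes (request must match one of the configured values, else 400) and
the IP-literal detection that the earlier reply suggests putting in an XSLT
Request Transformation or Authorization Rule. Whether WebSEAL strips the
port or folds case before comparing is an assumption of this model.
"""
import ipaddress

# Constructed allow-list: one entry per virtual host junction, mirroring
# "host = a.b.com" in the stanza. Any VHJ not listed here gets a 400.
ALLOWED_HOSTS = {"a.b.com", "portal.b.com"}


def split_host_header(value):
    """Split a Host header into (host, port). Raises ValueError if malformed.

    Accepts 'name', 'name:port', '[v6]' and '[v6]:port' (RFC 7230 host syntax).
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            port = None
        elif rest.startswith(":") and rest[1:].isdigit():
            port = int(rest[1:])
        else:
            raise ValueError("junk after IPv6 literal")
    else:
        host, sep, port_text = value.rpartition(":")
        if not sep:
            host, port = value, None
        elif port_text.isdigit():
            port = int(port_text)
        else:
            raise ValueError("bad port")
        if ":" in host:
            # A bare "::1" is not a valid Host value; IPv6 must be bracketed.
            raise ValueError("IPv6 literal must be bracketed")
    if not host:
        raise ValueError("empty host")
    return host, port


def is_ip_literal(host):
    """True if the host part is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Apply the allow-list and return (http_status, reason)."""
    if header_value is None:
        return 400, "missing Host header"
    try:
        host, _port = split_host_header(header_value)
    except ValueError as exc:
        return 400, f"malformed Host header: {exc}"
    if is_ip_literal(host):
        return 400, f"IP literal {host!r} rejected; use the FQDN"
    if host.lower() not in {h.lower() for h in allowed}:
        return 400, f"host {host!r} not in allow-list"
    return 200, "ok"


# Constructed sample Host values: what users might type into the browser.
SAMPLE_HOSTS = ["a.b.com", "A.B.COM:443", "portal.b.com", "10.0.0.5",
                "10.0.0.5:443", "[2001:db8::1]:443", "other.b.com", "::1", None]


def check_samples():
    """Run every constructed sample through the check, keyed by header value."""
    return {h: validate_host(h)[0] for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for header in SAMPLE_HOSTS:
        status, reason = validate_host(header)
        print(f"{str(header):22} -> {status} {reason}")
```

The point the model makes concrete is the caveat in the answer: `other.b.com` is a perfectly good FQDN, but because it is not in the allow-list it is rejected exactly like the IP literal, so every virtual host junction name has to be listed. The IP-literal check is what an XSLT rule would do in addition if you wanted a redirect to the FQDN rather than a bare 400.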



  • 4.  RE: WebSEAL Restrict Login with IP instead of FQDN

    Posted Mon August 26, 2019 11:10 AM
    Hi Nick,

    Thank you very much for your assistance. That was what I was looking for. It works smoothly and addressed the issue. I tested it just now with ISAM 9.0.7.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------