Hi Peter,
We were short on time then and I hadn't explored InfoMap much, so I developed a gateway app outside of ISAM (a separate Java App where I had the grip...:).
We recently got another similar requirement, so I am trying to implement what you suggested, as I now have some know-how of working with InfoMaps and got to work on it during this time.
So, I am developing an InfoMap which would read the request headers, body and parameters, then create a SOAP message and send an HTTP POST as you suggested. Just to test the InfoMap integration with the SMS OTP mechanism, I am calling a basic InfoMap from the SMS OTP mechanism which reads the request headers/parameters and displays them. I am trying to call this InfoMap authentication policy from within the SMS One-Time Password authentication mechanism by mentioning the URL for the InfoMap policy:
https://localhost/mga/sps/authsvc/policy/<policy-name> in the field where we mention the URL of the SMS gateway.
However, I get the following error in the trace logs:
246 [6/11/20 21:51:32:931 PKT] 0000006a id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils > traceString ENTRY ##### otpDeliveryAttr: +923345026062
247 [6/11/20 21:51:32:936 PKT] 0000006a id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils < traceString RETURN
248 [6/11/20 21:51:33:003 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer E initSSL invalid_truststore_passed
249 [6/11/20 21:51:33:004 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer E getSSLSocketInfo error_initializing_ssl
250 [6/11/20 21:51:33:009 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer I getSSLSocketInfo com.tivoli.am.fim.soap.client.exception.SSLInitializationFailedException: FBTSOC002E An error occurred in initializing SSL with the SOAP endpoint.
251 at com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer.getSSLSocketInfo(SSLSocketFactoryInitializer.java:164)
252 at com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer.getInstance(SSLSocketFactoryInitializer.java:131)
253 at com.tivoli.am.fim.soap.client.HttpClientImpl.<init>(HttpClientImpl.java:265)
254 at com.tivoli.am.fim.otp.deliveries.sms.SMSOTPDelivery.deliver(SMSOTPDelivery.java:203)
255 at com.tivoli.am.fim.trustserver.sts.modules.OTPDeliverySTSModule.map(OTPDeliverySTSModule.java:110)
256 at com.tivoli.am.fim.trustserver.sts.modules.OTPDeliverySTSModule.invoke(OTPDeliverySTSModule.java:64)
257 at com.tivoli.am.fim.trustserver.sts.STSModuleChain.invoke(STSModuleChain.java:319)
258 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.executeChain(STSModuleChainManager.java:1083)
259 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.processthroughChains(STSModuleChainManager.java:170)
260 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.process(STSModuleChainManager.java:117)
261 at com.tivoli.am.fim.trustserver.sts.STSManager.process(STSManager.java:60)
262 at com.tivoli.am.fim.trustserver.service.SecurityTokenProcessor.process(SecurityTokenProcessor.java:63)
263 at com.tivoli.am.fim.trustserver.service.SecurityTokenService.requestSecurityToken(SecurityTokenService.java:136)
264 at com.tivoli.am.fim.fedmgr2.trust.TokenExchangeCommandImpl.exchange(TokenExchangeCommandImpl.java:163)
265 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.exchangeOTPToken(UniversalOTPWorker.java:563)
266 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.exchangeOTPToken(UniversalOTPWorker.java:642)
267 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.callSTSForOTPOperation(UniversalOTPWorker.java:514)
268 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.generateAndDeliver(UniversalOTPWorker.java:264)
.
.
.
Could you kindly guide me on how to call the InfoMap from within an authentication mechanism, particularly from the SMS OTP mechanism? Would we need to add /mga to the URL?
Best regards,
------------------------------
Jahanzaib Sarwar
------------------------------
Original Message:
Sent: Wed April 03, 2019 03:43 PM
From: Peter Volckaert
Subject: ISAM SMS OTP send GET request instead of POST
Hi Jahanzaib,
In such a more challenging case, I would write an Infomap. Such an Infomap would then be a stub/gateway between what ISAM sends and what the SMS Gateway expects. In other words: the Infomap will be an API service that talks to your SMS Gateway.
So:
ISAM's "SMS One-time Password" authentication mechanism <-> Infomap <-> SMS Gateway
That Infomap would then:
- Read the incoming HTTP request (headers, parameters, body) from the "SMS One-time Password"
- Use that incoming data to construct the SOAP message
- Do an HTTP request with the SOAP message, and read the result
- Use the result to build a response to the "SMS One-time Password"
There are many Infomap examples; I guess the Twitter authentication example is a good starting point for you, since it includes (a lot of) HTTP requests. Find it here: https://exchange.xforce.ibmcloud.com/hub/extension/51ca8ce8d325d84d00ae62fc1e1b62e5
For examples on how to deal with SOAP, I suggest you take a look at whoami.js here: https://www.ibm.com/blogs/sweeden/implementing-isam-credential-viewer-infomap/
Happy scripting!
Kind regards, Peter.
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
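The gateway logic Peter describes above, written out as an added example (this is not code from the thread, from ISAM, or from the linked Twitter/whoami.js samples). It covers the two middle steps of his list: turning the destination and message that the SMS One-time Password mechanism sends into a SOAP envelope, and reading the gateway's reply back into a pass/fail result. The gateway's operation name, namespace and Status element are hypothetical, as is the E.164 destination check; the ISAM-specific glue (reading the request via the InfoMap context, posting with the ISAM HttpClient, which also needs a truststore that knows the gateway's CA, and writing the HTTP response) is deliberately left out so the file runs under plain Node, and is sketched in comments at the end.

```javascript
// Added example, not from the thread: the pure, testable core of an InfoMap that sits
// between ISAM's SMS One-time Password mechanism and a SOAP-only SMS gateway.
// The SOAP namespace, operation and element names below are assumptions.

const SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
const GATEWAY_NS = "urn:example:sms-gateway"; // hypothetical gateway namespace

// Escape the five XML special characters. The destination and message text come from
// the request the OTP mechanism sends us; without escaping, a crafted value could
// close the element and inject extra SOAP content (XML injection into the gateway call).
function xmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Only accept E.164 destinations ("+" followed by 7 to 15 digits, no leading zero).
// The number originates from the user's registered attribute, so validate, don't trust.
const E164 = /^\+[1-9]\d{6,14}$/;

// Build the SOAP request from the parameters the OTP mechanism posted to the InfoMap.
function buildSmsSoapEnvelope(params) {
  const to = params.to;
  const text = params.text;
  if (!E164.test(to)) {
    throw new Error("destination is not an E.164 number");
  }
  if (typeof text !== "string" || text.length === 0 || text.length > 160) {
    throw new Error("message text missing or longer than a single SMS");
  }
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    '<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '" xmlns:sms="' + GATEWAY_NS + '">' +
    "<soapenv:Header/>" +
    "<soapenv:Body><sms:SendSms>" +
    "<sms:To>" + xmlEscape(to) + "</sms:To>" +
    "<sms:Text>" + xmlEscape(text) + "</sms:Text>" +
    "</sms:SendSms></soapenv:Body></soapenv:Envelope>"
  );
}

// Interpret the gateway's reply: a SOAP Fault is always a failure, otherwise the
// (hypothetical) Status element decides. Regexes are enough for this fixed shape;
// inside ISAM you would hand the body to a real XML parser instead.
function parseSmsSoapResponse(xml) {
  if (/<(\w+:)?Fault\b/.test(xml)) {
    const m = /<(?:\w+:)?faultstring>([^<]*)<\/(?:\w+:)?faultstring>/i.exec(xml);
    return { ok: false, reason: m ? m[1] : "SOAP fault" };
  }
  const st = /<(?:\w+:)?Status>([^<]*)<\/(?:\w+:)?Status>/.exec(xml);
  if (!st) return { ok: false, reason: "no Status element in response" };
  const code = st[1].trim();
  return { ok: code === "OK", reason: code };
}

// What the InfoMap hands back to the OTP mechanism: an HTTP status plus a short body.
// Never echo the gateway's raw XML to the caller; return only what the mechanism needs.
function buildOtpMechanismResponse(result) {
  return result.ok
    ? { status: 200, body: "OK" }
    : { status: 502, body: "SMS gateway error: " + result.reason };
}

// Constructed sample input, standing in for what the OTP mechanism would post to the InfoMap.
const sampleRequest = { to: "+923345026062", text: "Your one-time code is 123456 & expires in 5 min" };
console.log(buildSmsSoapEnvelope(sampleRequest));

// Constructed sample reply from the gateway, standing in for the real HTTP response body.
const sampleReply =
  '<soapenv:Envelope xmlns:soapenv="' + SOAP_NS + '"><soapenv:Body>' +
  '<sms:SendSmsResponse xmlns:sms="' + GATEWAY_NS + '"><sms:Status>OK</sms:Status></sms:SendSmsResponse>' +
  "</soapenv:Body></soapenv:Envelope>";
console.log(buildOtpMechanismResponse(parseSmsSoapResponse(sampleReply)));

// ISAM glue (sketch only, does not run under Node): read "to"/"text" from the InfoMap
// request context, POST the envelope with the ISAM HttpClient over HTTPS using a
// truststore that contains the gateway's CA, pass the response body to
// parseSmsSoapResponse, and set the resulting status and body on the InfoMap response.
```

The two checks worth keeping even if the rest is rewritten are the E.164 validation and the XML escaping: the destination and message are the only user-influenced values that reach the gateway, and the SOAP body is the only place where they can do damage.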
Original Message:
Sent: Wed April 03, 2019 02:16 PM
From: Jahanzaib Sarwar
Subject: ISAM SMS OTP send GET request instead of POST
Hi Peter,
I really liked your idea and just wanted to ask a related thing: is there a way we can send the SMS OTP request in SOAP message format? There is a customer who has an SMS gateway exposing only a SOAP interface, and not accepting the parameters in the HTTP POST request body that ISAM supports. Would this also be possible using a proxy instance (does ISAM allow it)?
Best regards,
Jahanzaib
------------------------------
Jahanzaib Sarwar
Original Message:
Sent: Tue April 02, 2019 06:03 AM
From: Peter Volckaert
Subject: ISAM SMS OTP send GET request instead of POST
Hi,
Here's one idea: send the HTTP request via a WebSEAL proxy instance to the SMS gateway. That way you can use an ISAM HTTP Transformation Rule to change the method from POST to GET.
I'm surprised that your SMS gateway requires a GET instead of a POST. Did you check with the SMS gateway provider if they can change this (atypical) requirement? Most SMS gateway APIs accept either a POST or both POST and GET.
Kind regards,
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
Original Message:
Sent: 03-29-2019 10:43 AM
From: Sander Meyfroot
Subject: ISAM SMS OTP send GET request instead of POST
Hello,
We are currently building a two-factor authentication mechanism using the ISAM SMS OTP.
We have an SMS API that handles GET requests with the SMS options in the URL parameters.
According to the IBM documentation: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.5/com.ibm.isam.doc/config/task/ConfiguringOneTimePasswordDelivery.html
ISAM sends the SMS using POST and this cannot be changed (we verified this with a packet trace).
Is there any possibility to modify the HTTP Method used to GET?
Thank you,
------------------------------
Sander Meyfroot
------------------------------