IBM Security Verify


ISAM SMS OTP send GET request instead of POST

  • 1.  ISAM SMS OTP send GET request instead of POST

    Posted Fri March 29, 2019 10:44 AM
    Hello,

    We are currently building a two-factor authentication mechanism using the ISAM SMS OTP.
    We have an SMS API that handles GET requests with the SMS options in the URL parameters.
    According to the IBM documentation: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.5/com.ibm.isam.doc/config/task/ConfiguringOneTimePasswordDelivery.html
    ISAM sends the SMS using POST and this cannot be changed (we verified this with a packet trace).
    Is there any possibility to modify the HTTP method used to GET?
    Thank you,



    ------------------------------
    Sander Meyfroot
    ------------------------------


  • 2.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Tue April 02, 2019 06:04 AM
    Hi,

    Here's one idea: send the HTTP request via a WebSEAL proxy instance to the SMS gateway. That way you can use an ISAM HTTP Transformation Rule to change the method from POST to GET.

    I'm surprised that your SMS gateway requires a GET instead of a POST. Did you check with the SMS gateway provider if they can change this (atypical) requirement? Most SMS gateway APIs accept either a POST or accept both POST and GET.

    Kind regards,

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 3.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Wed April 03, 2019 02:17 PM
    Hi Peter,
    I really liked your idea and just wanted to ask a related thing: is there a way we can send the SMS OTP request in SOAP message format? There is a customer whose SMS gateway exposes only a SOAP interface, and does not accept parameters in the HTTP POST request body as supported by ISAM. Would this also be possible using a proxy instance (does ISAM allow it)?
    Best regards,
    Jahanzaib

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 4.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Wed April 03, 2019 03:44 PM
    Edited by Peter Volckaert Wed April 03, 2019 04:30 PM

    Hi Jahanzaib,

    In such a more challenging case I would write an Infomap. Such an Infomap would then be a stub/gateway between what ISAM sends and what the SMS Gateway expects. In other words: the Infomap will be an API service that talks to your SMS Gateway.

    So:
    ISAM's "SMS One-time Password" authentication mechanism <-> Infomap <-> SMS Gateway

    That Infomap would then:
    - Read the incoming HTTP request (headers, parameters, body) from the "SMS One-time Password"
    - Use that incoming data to construct the SOAP message
    - Do an HTTP request with the SOAP message, and read the result
    - Use the result to build a response to the "SMS One-time Password"

    There are many Infomap examples; I guess the Twitter authentication example is a good starting point for you, since it includes (a lot of) HTTP requests. Find it here: https://exchange.xforce.ibmcloud.com/hub/extension/51ca8ce8d325d84d00ae62fc1e1b62e5
    For examples on how to deal with SOAP I suggest you take a look at the whoami.js here: https://www.ibm.com/blogs/sweeden/implementing-isam-credential-viewer-infomap/

    Happy scripting!

    Kind regards, Peter.



    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 5.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Thu June 11, 2020 02:07 PM
    Hi Peter,

    We were short on time then and I hadn't explored InfoMap much, so I developed a gateway app outside of ISAM (a separate Java App where I had the grip...:).

    We recently got another similar requirement, so I am trying to implement what you suggested, as I now have some know-how of working with InfoMaps and got to work on it during this time.

    So, I am developing an InfoMap which would read the request headers, body and parameters, then create a SOAP message and send an HTTP POST as you suggested. Just to test the InfoMap integration with the SMS OTP mechanism, I am calling a basic InfoMap from the SMS OTP mechanism which reads the request headers/parameters and displays them. I am trying to call this InfoMap authentication policy from within the SMS One-Time Password authentication mechanism by mentioning the URL for the InfoMap policy, https://localhost/mga/sps/authsvc/policy/<policy-name>, where we would normally mention the URL of the SMS gateway.

    However, I get the following error in the trace logs:

    246 [6/11/20 21:51:32:931 PKT] 0000006a id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils > traceString ENTRY ##### otpDeliveryAttr: +923345026062
    247 [6/11/20 21:51:32:936 PKT] 0000006a id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils < traceString RETURN
    248 [6/11/20 21:51:33:003 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer E initSSL invalid_truststore_passed
    249 [6/11/20 21:51:33:004 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer E getSSLSocketInfo error_initializing_ssl
    250 [6/11/20 21:51:33:009 PKT] 0000006a id=00000000 com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer I getSSLSocketInfo com.tivoli.am.fim.soap.client.exception.SSLInitializationFailedException: FBTSOC002E An error occurred in initializing SSL with the SOAP endpoint.
    251 at com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer.getSSLSocketInfo(SSLSocketFactoryInitializer.java:164)
    252 at com.tivoli.am.fim.soap.client.SSLSocketFactoryInitializer.getInstance(SSLSocketFactoryInitializer.java:131)
    253 at com.tivoli.am.fim.soap.client.HttpClientImpl.<init>(HttpClientImpl.java:265)
    254 at com.tivoli.am.fim.otp.deliveries.sms.SMSOTPDelivery.deliver(SMSOTPDelivery.java:203)
    255 at com.tivoli.am.fim.trustserver.sts.modules.OTPDeliverySTSModule.map(OTPDeliverySTSModule.java:110)
    256 at com.tivoli.am.fim.trustserver.sts.modules.OTPDeliverySTSModule.invoke(OTPDeliverySTSModule.java:64)
    257 at com.tivoli.am.fim.trustserver.sts.STSModuleChain.invoke(STSModuleChain.java:319)
    258 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.executeChain(STSModuleChainManager.java:1083)
    259 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.processthroughChains(STSModuleChainManager.java:170)
    260 at com.tivoli.am.fim.trustserver.sts.STSModuleChainManager.process(STSModuleChainManager.java:117)
    261 at com.tivoli.am.fim.trustserver.sts.STSManager.process(STSManager.java:60)
    262 at com.tivoli.am.fim.trustserver.service.SecurityTokenProcessor.process(SecurityTokenProcessor.java:63)
    263 at com.tivoli.am.fim.trustserver.service.SecurityTokenService.requestSecurityToken(SecurityTokenService.java:136)
    264 at com.tivoli.am.fim.fedmgr2.trust.TokenExchangeCommandImpl.exchange(TokenExchangeCommandImpl.java:163)
    265 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.exchangeOTPToken(UniversalOTPWorker.java:563)
    266 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.exchangeOTPToken(UniversalOTPWorker.java:642)
    267 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.callSTSForOTPOperation(UniversalOTPWorker.java:514)
    268 at com.tivoli.am.fim.authsvc.action.authenticator.otp.UniversalOTPWorker.generateAndDeliver(UniversalOTPWorker.java:264)
    .
    .
    .

    Could you kindly guide me on how to call the InfoMap from within an authentication mechanism, particularly from the SMS OTP mechanism? Would we need to add /mga in the URL?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 6.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Fri June 12, 2020 04:53 AM
    Hi Jahanzaib,

    As you are calling the policy on localhost, just call it in http and not in https. That way you also have less overhead. If you have to call it in https, for example because the call leaves the appliance, then you have to either import the certificate in the standard truststore or explicitly set a different truststore.
    Could you just tell us how you are making the https call? Because it seems you are calling it incorrectly, as the truststore can't be found: invalid_truststore_passed

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 7.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Fri June 12, 2020 04:59 AM
    You indeed have to remove the /mga/ from the URL, as you are not calling a junction but calling /sps directly.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 8.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Fri June 26, 2020 01:40 AM
    Hello Laurent,

    Thank you for your valuable comments. As per your suggestions, I have used http instead of https to avoid overhead, as the traffic is for the localhost. Also, I removed the /mga and called /sps directly. With these changes, I am now able to make it work successfully. I also got a better understanding of how to call the InfoMaps internally.

    Now I need to return the required HTTP response code from this InfoMap to the SMS OTP Authentication Mechanism, for it to know whether the execution has succeeded or failed. As the SMS OTP Authentication Mechanism determines the success/failure of delivery using the HTTP response, I need to send this from the InfoMap. At this time, I only know of the success.setValue() function to declare authentication success/failure. As we are not working in the context of authentication here, I have currently set it to success.setValue(false);

    Would it be possible to set the HTTP response code of the request coming from the SMS OTP mechanism?

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 9.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Fri June 26, 2020 05:11 AM
    Hello Jahanzaib,

    That's an interesting question and I don't know the answer. But I think it would be a useful feature. Perhaps someone from IBM can weigh in if this is possible.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 10.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Fri June 26, 2020 05:38 AM
    Hi Jahanzaib,

    Take a look at this page of the Knowledge Center: https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/reference/template_file_scripting_aac.html

    With template scripting you can put some JavaScript in the page that you return from your Infomap.
    For example, if you want to set the status to 400 (standard code for a bad request):
    templateContext.response.setStatus(400);


    Hopefully that's useful.
    Cheers, Peter.


    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------
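    The following is an added example, not code from this thread, from IBM, or from any ISAM Infomap: a stand-alone Node.js model of the translation layer Peter describes in reply 4 (read the form-encoded POST from the "SMS One-time Password" mechanism, build a SOAP message, send it, and turn the gateway's answer into an HTTP status), using the status-code convention from reply 10 (200 on success, 400 on failure). The incoming field names ("to", "message"), the SOAP operation and namespace, and the gateway's reply element are constructed placeholders, not ISAM's or any real gateway's. The point worth noticing is the XML escaping: the phone number and OTP text are copied from the incoming request into the SOAP body, so they must be escaped before string concatenation or a crafted value could alter the envelope.

```javascript
// Added example (not from the thread or IBM). Models an Infomap-style gateway
// that translates the SMS OTP mechanism's form-encoded POST into a SOAP call.
// Field names, SOAP namespace/operation and reply format are all constructed.

// Escape the five XML special characters so that values taken from the incoming
// request cannot break out of their element and change the SOAP envelope.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Parse the application/x-www-form-urlencoded body and validate the two fields
// this example expects ("to" and "message" are hypothetical names).
// Returns { ok: true, to, message } or { ok: false, error }.
function parseSmsRequest(formBody) {
  const params = new URLSearchParams(formBody);
  const to = params.get("to");
  const message = params.get("message");
  if (!to || !message) {
    return { ok: false, error: "missing 'to' or 'message' parameter" };
  }
  // Accept only an international number: leading '+' followed by 8 to 15 digits.
  if (!/^\+[1-9][0-9]{7,14}$/.test(to)) {
    return { ok: false, error: "destination is not an E.164 number" };
  }
  return { ok: true, to, message };
}

// Build the SOAP 1.1 envelope for the (hypothetical) SendSms operation.
function buildSoapEnvelope(to, message) {
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" ' +
    'xmlns:sms="urn:example:sms">' +
    "<soapenv:Body><sms:SendSms>" +
    "<sms:To>" + escapeXml(to) + "</sms:To>" +
    "<sms:Text>" + escapeXml(message) + "</sms:Text>" +
    "</sms:SendSms></soapenv:Body></soapenv:Envelope>"
  );
}

// Map the gateway's reply to the HTTP status the SMS OTP mechanism will see:
// 200 means delivered, 400 means failed (as in reply 10). The reply element
// checked here is a constructed placeholder.
function gatewayReplyToStatus(replyXml) {
  return /<sms:Status>OK<\/sms:Status>/.test(replyXml) ? 200 : 400;
}

// Whole flow for one incoming request. `sendSoap(envelope)` is injected so the
// logic runs offline; in a deployment it would perform the HTTP POST to the gateway.
function handleSmsOtpRequest(formBody, sendSoap) {
  const parsed = parseSmsRequest(formBody);
  if (!parsed.ok) {
    return { status: 400, body: parsed.error };
  }
  const envelope = buildSoapEnvelope(parsed.to, parsed.message);
  let replyXml;
  try {
    replyXml = sendSoap(envelope);
  } catch (err) {
    // Any transport failure is reported to the OTP mechanism as a failed delivery.
    return { status: 400, body: "gateway unreachable: " + err.message };
  }
  const status = gatewayReplyToStatus(replyXml);
  return { status, body: status === 200 ? "delivered" : "gateway rejected message" };
}

// Constructed stand-in for the SOAP gateway, used only for the stand-alone run.
function fakeGateway(envelope) {
  return envelope.includes("<sms:To>+")
    ? "<sms:SendSmsResponse><sms:Status>OK</sms:Status></sms:SendSmsResponse>"
    : "<sms:SendSmsResponse><sms:Status>FAIL</sms:Status></sms:SendSmsResponse>";
}

// Constructed sample body, as the SMS OTP mechanism would POST it (field names assumed).
const SAMPLE_BODY = "to=%2B15550100&message=Your+code+is+%3C1234%3E";
console.log(handleSmsOtpRequest(SAMPLE_BODY, fakeGateway));
```

    In a real Infomap the equivalent of handleSmsOtpRequest would end by rendering a page whose template script calls templateContext.response.setStatus() with the computed status, so that the SMS OTP mechanism sees 200 or 400 rather than a generic page.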



  • 11.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Sun July 05, 2020 09:07 AM
    Hi Peter,

    Yes, really useful. Thank you. I am able to set the response code using the template scripting and the SMS OTP mechanism detects it as well. I have set the status code 400 in the error page which I return from InfoMap in case of execution failure.

    Thanks and Best regards,
    Jahanzaib

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 12.  RE: ISAM SMS OTP send GET request instead of POST

    Posted Thu April 04, 2019 03:39 AM
    Hello Peter,

    Thank you for your answer. Eventually we used another API which indeed was able to receive a POST. We still had to reformat the POST request, because ISAM is sending the values in form-encoded format and the API was expecting JSON.
    For this transformation we could indeed use an Infomap.
    Best regards,
    Sander

    ------------------------------
    Sander Meyfroot
    ------------------------------