IBM Security Verify

  • 1.  TOTP failure (after a while)

    Posted Mon November 09, 2020 07:28 AM
    ISVA 10.0 installed from the official Helm repo into a Kubernetes Cluster.



    Hi, we have 3 users who have all registered the TOTP QR code in Google Authenticator on their phones.
    In the reverse proxy we have protected some junctions with the TOTP mechanism, allowing only these 3 users to access the protected content provided they enter the TOTP code.

    All this has worked for several weeks, but last week 2 of the 3 users received this message after entering the PIN code:

    Server Error

    The Application Gateway could not complete your request due to an unexpected error.
    Diagnostic Information

    Method: POST

    URL: /mga/sps/authsvc?StateId=qUaNDWhWX5rGTlImo5WSYtiH0r8ebl2rBSGi9cajNGzCwLWb1NJaTvaqSoOwOaTo9bH6918fhyjYL0q4wbd5KjjdsarOhjMYwrpKRgo3Nd9Q5rcsZS1NlcaZYZV75SSI

    Error Code: 0x38cf081d

    Error Text: DPWWA2077E Could not authenticate user. An EAI server returned invalid authentication data.
    Solution

    Provide your System Administrator with the above information to assist in troubleshooting the problem.


    while the 3rd user passes the PIN code page without any issues. The EAI server referenced in the error message is, I believe, the ISVA internal server; we have no external EAI server configured.


    What is the root of this problem? And where should we start looking for clues?

    Rgds


    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------


  • 2.  RE: TOTP failure (after a while)

    Posted Mon November 09, 2020 03:29 PM
    Anders,
     
    You will get this error message when invalid authentication data is being passed back from AAC to WebSEAL.  More than likely this will be caused by non-utf8 encoded characters being passed back from AAC.  I would suggest that you raise a support ticket for this and get the support team to investigate further.
     
    Thanks.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
  • 3.  RE: TOTP failure (after a while)

    Posted Tue November 10, 2020 06:59 AM
    Hi Scott,

    Could it be caused by 'duplicates' in the USER_ATTRIBUTES for myuser:otp.hmac.totp.secret.key in the HVDB database?
    My user has 2 entries of this type (ATTRIBUTE_DATATYPE:Password).
    I can't see any logical reason why I should have more than one :-)

    Rgds

    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------



  • 4.  RE: TOTP failure (after a while)

    Posted Wed November 11, 2020 05:52 AM
    Hi Scott,

    Spot on!

    Unfortunately then this was not an 'after a while' mystery, nor a random error.
    The cause is that we implemented some http headers using the TAM_CRED_ATTRS_SVC.

    One of these http-headers contains the surname from the inetorgperson and can contain national Swedish characters.
    Evidently the national characters are not UTF-8 encoded causing the error.
    So any user with one or more national characters in their surname cannot use their TOTP verification.

    There are other http-headers we need to build/extract from the LDAP and pass on down the line that can contain Swedish national characters, which probably also render this error.

    Are you aware of any workaround for this -- we won't survive without national characters.

    The (legacy) LDAP server is IBM TDS 6.3 (possibly 6.4) and 'unfortunately' already populated with users/groups etc and also used by other applications in the organization.

    many thanks in advance

    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------



  • 5.  RE: TOTP failure (after a while)

    Posted Wed November 11, 2020 03:15 PM
    Anders,
     
    I would suggest that you raise a ticket with the support team.  I suspect that this issue might already have been fixed, and the support team will have the details.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 6.  RE: TOTP failure (after a while)

    Posted Thu November 12, 2020 07:25 AM
    Thanks again

    A ticket has been opened :-)

    Rgds

    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------



  • 7.  RE: TOTP failure (after a while)

    Posted Thu November 12, 2020 11:07 AM
    Hi Scott,

    Feedback:

    In AAC-->Global Settings-->Point of Contact, there are 3 default/read-only profiles in a virgin ISVA installation, one marked as 'Current'.
    In the SignIn property sheet for the profile set as 'Current', the attribute url.encoding.enabled was set to 'false'.

    Using the Create Like option I copied it and set the url.encoding.enabled attribute to true.
    Saved the new profile and set it as 'Current', deployed, published and reloaded all the containers.

    Voila -- OTP code could now be used.

    Thanks again for your help

    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------
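As an added illustration (not code from the thread or from ISVA) of the failure mode described in posts 4 and 7: a surname read from LDAP and placed into an EAI header as raw Latin-1 bytes is not valid UTF-8 and is rejected, while a percent-encoded value is pure ASCII and survives. The surname and header names are constructed samples, and it is an assumption that the encoding applied by url.encoding.enabled is standard percent-encoding.

```python
import urllib.parse

# Constructed sample: an inetOrgPerson surname with Swedish characters.
SURNAME = "Sjöström"


def header_bytes(value: str, encoding: str) -> bytes:
    """Encode a header value as a header builder might: 'latin-1' reproduces
    the non-UTF-8 bytes from the thread, 'utf-8' is the safe form."""
    return value.encode(encoding)


def is_valid_utf8(raw: bytes) -> bool:
    """The check a consumer performs on a received header value; a Latin-1
    'ö' (0xF6) fails it, which is the kind of data that triggers DPWWA2077E."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def url_encode_header(value: str) -> str:
    """Percent-encode the value (UTF-8, then %XX) so the header is ASCII-only
    whatever characters the surname holds. Assumed to match what enabling
    url.encoding.enabled in the Point of Contact profile does."""
    return urllib.parse.quote(value, safe="")


def decode_header(encoded: str) -> str:
    """Reverse of url_encode_header, as the receiving side would apply it."""
    return urllib.parse.unquote(encoded)


def diagnose(raw_headers: dict) -> list:
    """Return the names of headers whose raw values are not valid UTF-8,
    i.e. the candidates for a DPWWA2077E-style rejection."""
    return [name for name, raw in raw_headers.items() if not is_valid_utf8(raw)]


if __name__ == "__main__":
    # Constructed set of EAI headers built from the same surname three ways.
    headers = {
        "sn-latin1": header_bytes(SURNAME, "latin-1"),
        "sn-utf8": header_bytes(SURNAME, "utf-8"),
        "sn-urlencoded": url_encode_header(SURNAME).encode("ascii"),
    }
    print("non-UTF-8 headers:", diagnose(headers))
```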