IBM Security Verify

ISAM - Facing DPWBA0311W Unable to contact runtime security services error for step up with email otp

  • 1.  ISAM - Facing DPWBA0311W Unable to contact runtime security services error for step up with email otp

    Posted Thu April 02, 2020 11:33 AM
    Hi All,

    I have configured the AAC for the ISAM 9.0.6 appliance.
    As part of my requirement, I wanted to send an OTP over mail for a second-factor authentication after a normal username/password.
    Hence I created a policy as shown in the attached file and attached it to the junction.

    However, I am getting the below error:
    DPWBA0311W Unable to contact runtime security services

    Infocenter talks about permitting access when the runtime security service is not available, but I don't want to do that and omit the second factor.
    Please suggest what I am missing or where the configuration might be incorrect.

    Thank you.

    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISAM - Facing DPWBA0311W Unable to contact runtime security services error for step up with email otp

    Posted Thu April 02, 2020 12:02 PM
    Hello Prashant,

    Make sure you ran the AAC Configuration tool for the Reverse Proxy instance:
    Secure Web Settings -> Manage -> Reverse Proxy -> _instance_ -> Manage -> AAC and Federation Configuration -> Authentication and Context Based Access Configuration

    The hostname it asks for is the address to your AAC JVM, which if you're using a single appliance is traditionally 'localhost'.

    The default 'easuser' password is 'passw0rd'.

    After running this it will configure the Reverse Proxy to handle the 'rba-pop' requests that were attached when you attached the access control policy to an object.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: ISAM - Facing DPWBA0311W Unable to contact runtime security services error for step up with email otp

    Posted Fri April 03, 2020 12:22 AM

    Hi Jack,

    I think isam > aac > config does the same thing that you suggested to do from Secure Web Settings -> Manage -> Reverse Proxy -> _instance_ -> Manage -> AAC and Federation Configuration -> Authentication and Context Based Access Configuration.

    However, I did the configurations again that you suggested and am still facing the same issue.
    When I checked the logs, I observed the below entries:

    message.log
    2020-04-03-09:42:16.676+05:30I----- 0x38CF0460 webseald ERROR wwa http HTTPParser.cpp 946 0x7efd52e39700 -- DPWWA1120E The POST body of the client request contains misformated or invalid data
    3 2020-04-03-09:42:16.676+05:30I----- 0x38B9A4BC webseald WARNING wns httperrs WSAuthChallengeRules.cpp 115 0x7efd52e39700 -- DPWNS1212W The authentication challenge type rules could not be applied because WebSEAL received a request without the User-Agent HTTP header.

    Any other things that I should check?



    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 4.  RE: ISAM - Facing DPWBA0311W Unable to contact runtime security services error for step up with email otp

    Posted Fri April 03, 2020 12:13 PM
    Hello Prashant,

    You could collect 'pdweb.rtss' tracing and see whether the health checks are working as expected.

    The above message log entries do not relate to the DPWBA0311W message.

    If you cannot find the issue from the traces and need them reviewed further you'll need to open a support Case.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------
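
Added example, not part of the thread and not IBM tooling: a small Python triage of message.log lines in the format quoted in post 3, separating DPWBA0311W entries from other message IDs so unrelated warnings are not chased while the step-up failure is investigated. The first two sample lines are copied from the thread; the third is constructed, and its hex code, component names, source file and thread ID are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout taken from the two log lines quoted in the thread:
# <timestamp>I----- <code> <program> <severity> <comp> <subcomp> <file> <line> <thread> -- <msgid> <text>
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})I-----\s+"
    r"(?P<code>0x[0-9A-Fa-f]{8})\s+(?P<prog>\S+)\s+(?P<sev>\S+)\s+"
    r"(?P<comp>\S+)\s+(?P<sub>\S+)\s+(?P<src>\S+)\s+(?P<line>\d+)\s+"
    r"(?P<thread>0x[0-9A-Fa-f]+)\s+--\s+(?P<msgid>[A-Z]{5}\d{4}[EWI])\s+(?P<text>.*)"
)

SAMPLE = [
    # Copied from the thread (the second line keeps its leading "3 " as posted).
    "2020-04-03-09:42:16.676+05:30I----- 0x38CF0460 webseald ERROR wwa http HTTPParser.cpp 946 0x7efd52e39700 -- DPWWA1120E The POST body of the client request contains misformated or invalid data",
    "3 2020-04-03-09:42:16.676+05:30I----- 0x38B9A4BC webseald WARNING wns httperrs WSAuthChallengeRules.cpp 115 0x7efd52e39700 -- DPWNS1212W The authentication challenge type rules could not be applied because WebSEAL received a request without the User-Agent HTTP header.",
    # Constructed line: every field except the message ID and text is a placeholder.
    "2020-04-03-09:42:20.000+05:30I----- 0x00000000 webseald WARNING xxx xxx Constructed.cpp 0 0x0 -- DPWBA0311W Unable to contact runtime security services",
]

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line)  # search() tolerates stray prefixes such as "3 "
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%d-%H:%M:%S.%f%z")
    return rec

def triage(lines, target="DPWBA0311W"):
    """Split parsed entries into hits for `target` and all other message IDs."""
    hits, other = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a recognisable message.log entry
        if rec["msgid"] == target:
            hits.append(rec)
        else:
            other[rec["msgid"]].append(rec)
    return hits, dict(other)

if __name__ == "__main__":
    hits, other = triage(SAMPLE)
    for rec in hits:
        print("target:", rec["when"].isoformat(), rec["sev"], rec["text"])
    for msgid, recs in sorted(other.items()):
        print("other: ", msgid, len(recs), "entry(ies) from", recs[0]["src"])
```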