IBM Verify

  • 1.  ISAM force reauthentication

    Posted Mon November 04, 2019 02:28 PM
    Hello,

    we have a requirement from your data protection department. 

    The user should be forced to perform reauthentication using a client certificate before executing a critical application transaction. This should happen even if the user has a valid session and is already authenticated via client certificate.

    Is there a way to achieve this with ISAM?

    Regards,
    Juergen

    ------------------------------
    Jürgen Hitt
    ------------------------------


  • 2.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:33 AM
    Hi Jürgen,

    You can force reauthentication directly before access to a resource by applying a POP with a specific extended attribute
    (name: reauth value: true).  This is documented here:

    https://www.ibm.com/support/knowledgecenter/SSPREK_7.0.0/com.ibm.isam.doc_80/ameb_webplugin_guide/concept/con_cre_app_reauthe_pop.html

    I don't see this documented after SAM 7.0.0 but I can't imagine the function was removed.  Worth a try.

    One word of warning, I'm not sure it will work with client certificate authentication because that is negotiated much lower in the stack and re-authentication would require re-initiation of the SSL/TLS session.  You would almost certainly need to have "accept-client-certs = prompt_as_needed".  Use of the secondary port for the client-certificate exchange might be a factor too.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
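As an added illustration of the POP approach Jon describes (this is not code from the thread or from IBM), the script below generates the pdadmin commands that create a POP with the extended attribute reauth=true and attach it to the protected object for the critical transaction. The POP name, WebSEAL instance name and object path are placeholders, and the object-space path format `/WebSEAL/<instance>/<path>` is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder values:
POP_NAME="${POP_NAME:-reauth-critical-pop}"
WEBSEAL_INSTANCE="${WEBSEAL_INSTANCE:-host-default}"
PROTECTED_PATH="${PROTECTED_PATH:-/app/critical-transaction}"

# Print the pdadmin command sequence for a POP that forces reauthentication.
# Arguments: <pop-name> <webseal-instance> <path under the instance>
# The output can be saved to a file and fed to pdadmin non-interactively, e.g.
#   pdadmin -a sec_master -p "$PASSWORD" reauth-pop.pdadmin
build_reauth_pop_cmds() {
    pop_name="$1"
    object="/WebSEAL/$2$3"
    printf 'pop create %s\n' "$pop_name"
    # Extended attribute that makes WebSEAL demand reauthentication on access
    printf 'pop modify %s set attribute reauth true\n' "$pop_name"
    printf 'pop attach %s %s\n' "$object" "$pop_name"
    printf 'pop show %s\n' "$pop_name"
}

# Reject obviously malformed input: empty or whitespace-containing POP names,
# empty instance names, and paths that do not start with '/'.
validate_inputs() {
    case "$1" in *[[:space:]]*|"") return 1 ;; esac
    case "$2" in *[[:space:]]*|"") return 1 ;; esac
    case "$3" in /*) ;; *) return 1 ;; esac
    return 0
}

# Write the command file, refusing to emit anything for invalid input.
write_cmd_file() {
    out="$1"
    validate_inputs "$POP_NAME" "$WEBSEAL_INSTANCE" "$PROTECTED_PATH" || return 1
    build_reauth_pop_cmds "$POP_NAME" "$WEBSEAL_INSTANCE" "$PROTECTED_PATH" > "$out"
}

# Reminder from the thread: for client-certificate reauthentication the
# instance's webseald.conf also needs, in the [certificate] stanza,
#   accept-client-certs = prompt_as_needed
# followed by a restart of the WebSEAL instance. Test the full round trip
# afterwards, since certificate negotiation happens below the HTTP layer.
```

Run `write_cmd_file reauth-pop.pdadmin` after exporting your own POP_NAME, WEBSEAL_INSTANCE and PROTECTED_PATH, then review the file before handing it to pdadmin.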



  • 3.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:38 AM
    We had a similar use case, where we tested the following round trip: You could use an infomap which simply decreases the auth level to 0 (keeping the actual user session), use a target which requires (via classic POP) a cert authentication (like Jon mentioned: prompt_as_needed), using as 2nd target the original URI.

    ------------------------------
    Frank Thurau
    ------------------------------



  • 4.  RE: ISAM force reauthentication

    Posted Fri November 08, 2019 09:57 AM