IBM Security Verify


ISAM force reauthentication

  • 1.  ISAM force reauthentication

    Posted Mon November 04, 2019 02:28 PM
    Hello,

    we have a requirement from your data protection department. 

    The user should be forced to perform reauthentication using a client certificate before executing a critical application transaction. This should happen even if the user has a valid session and is already authenticated via client certificate.

    Is there a way to achieve this with ISAM?

    Regards,
    Juergen

    ------------------------------
    Jürgen Hitt
    ------------------------------


  • 2.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:33 AM
    Hi Jürgen,

    You can force reauthentication directly before access to a resource by applying a POP with a specific extended attribute
    (name: reauth value: true).  This is documented here:

    https://www.ibm.com/support/knowledgecenter/SSPREK_7.0.0/com.ibm.isam.doc_80/ameb_webplugin_guide/concept/con_cre_app_reauthe_pop.html

    I don't see this documented after SAM 7.0.0 but I can't imagine the function was removed.  Worth a try.

    One word of warning, I'm not sure it will work with client certificate authentication because that is negotiated much lower in the stack and re-authentication would require re-initiation of the SSL/TLS session.  You would almost certainly need to have "accept-client-certs = prompt_as_needed".  Use of the secondary port for the client-certificate exchange might be a factor too.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:38 AM
    We had a similar use case, where we tested the following round trip: you could use an infomap which simply decreases the auth level to 0 (keeping the actual user session), use a target which requires (via classic POP) a cert authentication (like Jon mentioned: prompt_as_needed), and use the original URI as the second target.

    ------------------------------
    Frank Thurau
    ------------------------------
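    Pulling the pieces from the two replies above into one configuration (an added example, not from either poster or from IBM's documentation): the webseald.conf settings Jon mentions, plus the pdadmin commands to build a POP that both maps the object to certificate-level authentication and carries the reauth extended attribute. The instance name `webseal-host-default` and the path `/app/critical/confirm` are placeholders. Whether WebSEAL actually re-prompts for the certificate on an existing TLS session is the open point Jon raises, so verify the behaviour on a test instance before relying on it for the data-protection requirement.

    ```text
    # --- webseald.conf (WebSEAL instance configuration) ---
    [certificate]
    # Let WebSEAL request the client certificate on demand instead of
    # only during the initial TLS handshake; needed for any step-up or
    # reauthentication flow that involves certificates.
    accept-client-certs = prompt_as_needed

    [authentication-levels]
    # Index 0 = unauthenticated, index 1 = client certificate (ssl).
    # The POP below refers to level 1.
    level = unauthenticated
    level = ssl

    # --- pdadmin session (logged in as sec_master) ---
    # POP requiring certificate-level authentication for the object...
    pop create reauth-cert-pop
    pop modify reauth-cert-pop set ipauth anyothernw 1
    # ...and the extended attribute that forces reauthentication on every
    # access, even when the session already holds that level.
    pop modify reauth-cert-pop set attribute reauth true
    # Attach only to the critical transaction, not the whole application
    # (placeholder instance and path).
    pop attach /WebSEAL/webseal-host-default/app/critical/confirm reauth-cert-pop
    # Confirm the attribute and the attachment.
    pop show reauth-cert-pop
    pop find reauth-cert-pop
    ```

    If the reauth attribute turns out not to trigger for certificate sessions, Frank's variant (an infomap that lowers the session's auth level to 0 before redirecting to this object) makes the level-1 step-up fire instead.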



  • 4.  RE: ISAM force reauthentication

    Posted Fri November 08, 2019 09:57 AM