Hi Jürgen,
You can force reauthentication directly before access to a resource by applying a POP with a specific extended attribute
(name: reauth value: true). This is documented here:
https://www.ibm.com/support/knowledgecenter/SSPREK_7.0.0/com.ibm.isam.doc_80/ameb_webplugin_guide/concept/con_cre_app_reauthe_pop.html
I don't see this documented after SAM 7.0.0 but I can't imagine the function was removed. Worth a try.
One word of warning, I'm not sure it will work with client certificate authentication because that is negotiated much lower in the stack and re-authentication would require re-initiation of the SSL/TLS session. You would almost certainly need to have "accept-client-certs = prompt_as_needed". Use of the secondary port for the client-certificate exchange might be a factor too.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
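Added example, not part of Jon's reply: the pdadmin commands that create the reauth POP he describes and attach it to a protected object, plus the WebSEAL stanza for the client-certificate prompt. The POP name (reauth-critical-pop), the WebSEAL instance (ws1 on host webseal1) and the protected object path (/app/critical/transfer) are assumptions; substitute your own.

```text
# pdadmin session (assumed names, sec_master password omitted)
pdadmin> login -a sec_master -p ********

# 1. Create a POP and set the extended attribute the knowledge-center page documents
pdadmin> pop create reauth-critical-pop
pdadmin> pop modify reauth-critical-pop set attribute reauth true

# 2. Attach it to the object that represents the critical transaction
#    (WebSEAL object space is /WebSEAL/<host>-<instance>/<junction>/<path>)
pdadmin> pop attach /WebSEAL/webseal1-ws1/app/critical/transfer reauth-critical-pop

# 3. Verify the attribute is present on the POP
pdadmin> pop show reauth-critical-pop

# webseald-ws1.conf: WebSEAL must be allowed to ask for a certificate on demand,
# otherwise the user is either never prompted or only prompted at session setup.
[certificate]
accept-client-certs = prompt_as_needed
```

After attaching the POP, test with a browser that already holds a certificate-authenticated session: a request to the attached object should trigger a fresh authentication prompt rather than being served from the existing session. If the prompt does not appear, check the stanza above first, then (as Jon notes) whether the certificate exchange is happening on a secondary port rather than the port the protected object is served on.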
Original Message:
Sent: Mon November 04, 2019 02:27 PM
From: Jürgen Hitt
Subject: ISAM force reauthentication
Hello,
we have a requirement from your data protection department.
The user should be forced to perform reauthentication using client certificate before executing a critical application transaction. This should happen even if the user has a valid session and is already authenticated via client certificate.
Is there a way to achieve this with ISAM?
Regards,
Juergen
------------------------------
Jürgen Hitt
------------------------------