IBM Security Verify

  • 1.  Device registration failed error after config follow MFA Deployment Cookbook

    Posted Thu September 21, 2023 11:44 PM

    Hi Community,

    We are following MFA Deployment Cookbook based on as below url

    "https://community.ibm.com/community/user/security/blogs/jon-harry/2020/02/06/mobile-multi-factor-authentication-ibm-verify-mfa"

    Our technical details are:

    • domain: identity.lab-idam.net
    • environment deployed in Azure Cloud
    • ISVA version 10.0.1
    • Policy server with active runtime (1 server)
    • Reverse proxy/WebSEAL (1 server), clustered with the policy server

    We have already finished these steps:

    • Create and configure the reverse proxy: Done
    • Configure SCIM: Done
    • Configure OAuth with the AuthenticatorClient definition: Done
    • Configure endpoints as per the wizard: Done

    We are now at the point of testing MMFA authenticator registration, using the URL

    "https://identity.lab-idam.net/mga/sps/mmfa/user/mgmt/html/mmfa/usc/manage.html"

    But the tester's device is not registered yet; the error message is HTTP 500.

    Is there any advice, fellas?

    Thanks



    ------------------------------
    Andreas Victor
    ------------------------------


  • 2.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Fri September 22, 2023 12:09 AM

    Poke @Jon Harry



    ------------------------------
    Andreas Victor
    ------------------------------



  • 3.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Mon September 25, 2023 12:43 AM

    Poke @Shane Weeden



    ------------------------------
    Andreas Victor
    ------------------------------



  • 4.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Tue September 26, 2023 01:34 AM

    Not enough context. You never even said how far through the registration process you got (did you get a QR code to scan?).
    I'd check the ISVA runtime logs, and turn on pdweb.snoop logging at WebSEAL and look for clues.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 5.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Tue September 26, 2023 06:13 AM
    Edited by Andreas Victor Tue September 26, 2023 06:14 AM

    Hi Shane,

    The testing results:
    1. The QR code is displayed, and the tester's device was registered successfully.
    2. The device was recorded and is displayed at the URL https://identity.lab-idam.net/mga/sps/mmfa/user/mgmt/html/mmfa/usc/manage.html
    3. Then the tester gets an error. On the device with the IBM Verify mobile app installed, this error appears: Invalid Data Response (see capture below).

    [Screenshot: error ibm verify in device tester - per 26 sept]

    4. And in the pdweb.snoop trace (attached file) there is no indication of the Invalid Data Response.

    Any advice, @Shane Weeden?



    ------------------------------
    Andreas Victor
    ------------------------------

    Attachment: pdweb.snoop.log (47.07 MB)


  • 6.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Tue September 26, 2023 04:52 PM

    Please do not send such large pdweb.snoop files like this. Take the time to:
    1. Have a look at them yourself, and do some investigation.
    2. At least redact them so that PII and secrets are not included.

    It is also very onerous for me to have to try and find your configuration errors from this large volume of information. 

    It appears that oauth-auth is not configured properly, since the PATCH call to SCIM to update the userPresence methods results in a login challenge:

    2023-09-26-16:42:42.311+07:00I----- thread(169) trace.pdweb.snoop.client:1 /build/isam/src/i4w/pdwebrte/webcore/amw_snoop.cpp:164: 
    ----------------------------------------
    Thread 140552904365824; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
    Receiving 1384 bytes
    PATCH /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods HTTP/1.1
    X-FORWARDED-PROTO: https
    X-FORWARDED-PORT: 444
    X-Forwarded-For: 103.171.30.20:26945
    X-Original-URL: /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods
    Connection: keep-alive
    X-AppGW-Trace-Id: c930329c4bc4ea2df17404f1f3646414
    Host: identity.lab-idam.net
    X-ORIGINAL-HOST: identity.lab-idam.net:444
    Content-Length: 713
    Accept: application/json
    Authorization: bearer b25pfPiMuNbhR2t5kTnV
    User-Agent: com.ibm.security.verifyapp
    Content-Type: application/json
    Accept-Encoding: gzip
    
    {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","path":"urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods","value":[{"keyHandle":"7a9b1f75-a14d-44eb-b1cb-be2e8aee4245.userPresence","algorithm":"SHA256withRSA","publicKey":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjU+pfItJoHd6FlhvmJk1vXRTsn8j1LQ+EDYvkgX23Le7tam8CHdb+4oLEmq4XVYavncx2DvpPhwBzi2Ggq0iJMiipDfijC3\/RQQf7GXhZnONeqjGOiOGvxe+SaIj7wlGauVN8i\/vTt9QU+oC7XGuYsYAW8iCQi9Z5eK215xB47RtOp94Sa092QiZmFANtLtZBifuhEKYqm7o1mwbXCCsFAtKYWS6f1aZwFSY2LtqHm+HVWqXeYLzCM5p5ZVRZczg9uY9V++wv6F12av4gf9WmS5SF1GxpGoRoX+8NMV+91BLEcs5cj2uRam2NuVmj8wI35Up28x+pi8PuQXvK2Fa6QIDAQAB","enabled":true}]}]}
    ----------------------------------------
    
    2023-09-26-16:42:42.311+07:00I----- thread(169) trace.pdweb.snoop.client:1 /build/isam/src/i4w/pdwebrte/webcore/amw_snoop.cpp:190: 
    ----------------------------------------
    Thread 140552904365824; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
    Sending 433 bytes
    HTTP/1.1 200 OK
    content-length: 30
    content-type: application/json
    date: Tue, 26 Sep 2023 09:42:42 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    server: WebSEAL/10.0.1.0
    x-frame-options: DENY
    x-content-type-options: nosniff
    cache-control: no-store
    x-xss-protection: 1
    content-security-policy: frame-ancestors 'none'
    strict-transport-security: max-age=31536000; includeSubDomains
    pragma: no-cache
    
    {
        "operation" : "login"
    }


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
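The diagnosis in the reply above rests on one pattern in the snoop trace: a request that presents a bearer token in the Authorization header is answered by WebSEAL with HTTP 200 and a `{"operation":"login"}` body, i.e. a login challenge, instead of being accepted under oauth-auth. The script below is an added example, not code from the original thread or from IBM. It parses pdweb.snoop records in the layout quoted above, pairs each request with the response on the same fd, flags bearer-token calls that were still challenged, and redacts the bearer token, cookies, client IP and public key before the trace is shared. The embedded trace is constructed, with placeholder token and key values.

```python
"""Find bearer-token API calls that WebSEAL answered with a login challenge,
and redact a pdweb.snoop trace before sharing it.

Added example (not from the thread or IBM). Record layout follows the snoop
excerpt quoted above; SAMPLE_TRACE is constructed with placeholder values.
"""
import json
import re
from dataclasses import dataclass

# Each record sits between dashed lines: "Thread ...; fd ...;" then
# "Receiving/Sending N bytes", then the raw HTTP message.
SEP_RE = re.compile(r"^-{20,}\s*$", re.M)
HDR_RE = re.compile(
    r"Thread (?P<thread>\d+); fd (?P<fd>\d+); local (?P<local>[^;]+); "
    r"remote (?P<remote>\S+)\s*\n[ \t]*(?P<direction>Receiving|Sending) \d+ bytes\n"
)


@dataclass
class HttpMessage:
    direction: str   # "Receiving" = client request, "Sending" = WebSEAL response
    fd: str          # socket descriptor, used to pair request with response
    start_line: str  # request line or status line
    headers: dict    # header names lower-cased
    body: str


def parse_snoop(trace: str) -> list:
    """Split a pdweb.snoop trace into HTTP messages; non-HTTP records are skipped."""
    messages = []
    for chunk in SEP_RE.split(trace.replace("\r\n", "\n")):
        chunk = "\n".join(l.rstrip() for l in chunk.splitlines()).strip()
        m = HDR_RE.match(chunk)
        if not m:
            continue
        head, _, body = chunk[m.end():].partition("\n\n")
        lines = head.splitlines()
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        messages.append(HttpMessage(m["direction"], m["fd"], lines[0].strip(),
                                    headers, body.strip()))
    return messages


def is_login_challenge(resp: HttpMessage) -> bool:
    """The challenge seen in the thread: HTTP 200 with a JSON {"operation":"login"} body."""
    if not resp.headers.get("content-type", "").startswith("application/json"):
        return False
    try:
        doc = json.loads(resp.body)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and doc.get("operation") == "login"


def find_rejected_bearer_calls(trace: str) -> list:
    """Pair each request with the next response on the same fd and return the
    calls that sent a bearer token yet still got a login challenge."""
    pending, findings = {}, []
    for msg in parse_snoop(trace):
        if msg.direction == "Receiving":
            pending[msg.fd] = msg
            continue
        req = pending.pop(msg.fd, None)
        if req is None:
            continue
        auth = req.headers.get("authorization", "")
        if auth.lower().startswith("bearer ") and is_login_challenge(msg):
            findings.append({"fd": msg.fd, "request": req.start_line,
                             "status": msg.start_line})
    return findings


# Secrets and PII to strip before a trace leaves the team.
REDACTIONS = [
    (re.compile(r"(?im)^([ \t]*authorization:[ \t]*bearer[ \t]+)\S+"), r"\1<REDACTED>"),
    (re.compile(r"(?im)^([ \t]*cookie:[ \t]*).+"), r"\1<REDACTED>"),
    (re.compile(r"(?im)^([ \t]*x-forwarded-for:[ \t]*).+"), r"\1<REDACTED>"),
    (re.compile(r'("publicKey"\s*:\s*")[^"]*(")'), r"\1<REDACTED>\2"),
]


def redact(trace: str) -> str:
    for pattern, repl in REDACTIONS:
        trace = pattern.sub(repl, trace)
    return trace


# Constructed trace: a challenged PATCH (fd 257) and an accepted GET (fd 258).
SAMPLE_TRACE = """\
2023-09-26-16:42:42.311+07:00I----- thread(169) trace.pdweb.snoop.client:1 amw_snoop.cpp:164:
----------------------------------------
Thread 1; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Receiving 300 bytes
PATCH /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods HTTP/1.1
Host: identity.lab-idam.net
X-Forwarded-For: 203.0.113.7:26945
Authorization: bearer PLACEHOLDERTOKEN
User-Agent: com.ibm.security.verifyapp
Content-Type: application/json

{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":[{"publicKey":"PLACEHOLDERKEY"}]}]}
----------------------------------------
Thread 1; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Sending 433 bytes
HTTP/1.1 200 OK
content-type: application/json
server: WebSEAL/10.0.1.0

{
    "operation" : "login"
}
----------------------------------------
Thread 1; fd 258; local 10.15.2.6:444; remote 10.10.0.6:45150
Receiving 120 bytes
GET /scim/Me HTTP/1.1
Host: identity.lab-idam.net
Authorization: bearer PLACEHOLDERTOKEN
Accept: application/json

----------------------------------------
Thread 1; fd 258; local 10.15.2.6:444; remote 10.10.0.6:45150
Sending 150 bytes
HTTP/1.1 200 OK
content-type: application/json

{"userName":"tester"}
----------------------------------------
"""
```

Point `find_rejected_bearer_calls` at a real pdweb.snoop.log to get the list of challenged API calls, and run `redact` over the file before attaching it anywhere. As the excerpt above shows, the challenge comes back as HTTP 200, so filtering the trace on 4xx/5xx status codes would not find it; matching on the JSON body is what works. The redaction keeps the `bearer` prefix in place, so the detector still finds the challenged calls in a redacted trace.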



  • 7.  RE: Device registration failed error after config follow MFA Deployment Cookbook

    Posted Tue October 10, 2023 12:09 AM

    Hi Shane,

    We have followed your suggestion to trace the oauth-auth mechanism,

    and we found that our reverse proxy for MFA was still trying to connect to the LDAP data source on SSL port 636. But our LDAP does not implement SSL yet, so we changed it to the non-SSL port 389. It's working now.

    But the question is: what is the detailed mechanism? Why does MFA still need to connect to LDAP?

    Any comment?

    Thanks 



    ------------------------------
    Andreas Victor
    ------------------------------