IBM Security Verify

  • 1.  "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Thu February 11, 2021 01:12 PM

    Hi,
    I'm receiving the page "Forbidden The resource you have requested is secured by Access Manager WebSEAL" after hitting /pkmslogout.
    I know that this could be caused by Prevention of Cross-site Request Forgery (CSRF) attacks, since this prevention affects /pkms* pages, but I'm not getting how to obtain self-logout capability again.

    Thank you



    ------------------------------
    Gianluca Mamone
    Cybertech
    Rome
    ------------------------------


  • 2.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Thu February 11, 2021 03:12 PM
    Gianluca,
     
    If you enable secret token validation it means that the majority of pkms pages require the token - and this in turn means that you can't just request a pkms resource (e.g. /pkmslogout), but instead need to generate the link to include the secret token.  The Knowledge Centre has further information on this (https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.1/com.ibm.isva.doc/wrp_config/concept/con_conf_secret_token.htm), but the secret token can be obtained from the tagvalue_session_index attribute within the credential.  There are numerous mechanisms available to get access to this attribute, as documented in the referenced page.
     
    I hope that this helps.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
     
     





  • 3.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Wed February 17, 2021 02:08 PM

    Hi Scott,
    thanks for your suggestion.

    Unfortunately we tried the solutions listed in the IBM link (https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.1/com.ibm.isva.doc/wrp_config/concept/con_conf_secret_token.htm) without solving our problem.

    In the IBM link there are 3 methods:
    1 - pkmshelp - this page could not be found
    2 - macro - we added our macro (CREDATTR{tagvalue_session_index}) but this configuration didn't solve our problem
    3 - header - we added our header and we see the token as header in the response page but this configuration didn't solve our problem

    Methods 2-3 added macro and header but did not correctly compose the pkmslogout URL (pkmslogout?token=<token value>).


    Are there any further configurations/tests to add the token in the logout URL?

    Thanks in advance for the support
    Best Regards
    Alessandro



    ------------------------------
    Alessandro Ciambricco
    ------------------------------



  • 4.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Wed February 17, 2021 03:11 PM
    Alessandro,
     
    I don't quite understand what you mean when you say 'Methods 2-3 added macro and header but did not correctly compose the pkmslogout URL (pkmslogout?token=<token value>)'.  These methods simply make the token available to the client.  It is still up to the client (e.g. JavaScript) to construct the correct URL.  Put simply, something needs to construct the URL as you cannot simply enter '/pkmslogout' in the browser and expect the token value to be appended.  Most customers have a page which contains a logout reference.  This reference is then either constructed on the server side before the page is sent back to the browser, or on the client side using JavaScript.
     
    Does this help?
     
    Thanks.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
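    To make the point in Scott's reply concrete, here is an added example (it is not code from this thread and not IBM's own code) showing the client-side construction of the logout URL. It assumes the secret token (tagvalue_session_index) has already been exposed to the client by one of the two methods discussed above: a CREDATTR{tagvalue_session_index} macro rendered into a meta tag, or a response header. The meta tag name `webseal-secret-token`, the header name `X-Secret-Token` and the stub document/anchor objects are assumptions for illustration, not names defined by WebSEAL.

```javascript
// Added example (not from the thread, not IBM code): building the
// self-logout URL WebSEAL expects when secret token validation is on.
// The thread describes two ways of exposing tagvalue_session_index to the
// client: a CREDATTR{tagvalue_session_index} macro rendered into the page,
// or a response header. The meta tag name, header name and stub objects
// below are assumptions for illustration only.

const LOGOUT_PATH = '/pkmslogout';

// Build "/pkmslogout?token=<value>". A missing token is refused here rather
// than silently producing a bare /pkmslogout, which WebSEAL would answer
// with the "Forbidden ... secured by Access Manager WebSEAL" page.
function buildLogoutUrl(token, basePath = LOGOUT_PATH) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('secret token missing: a bare /pkmslogout would be refused');
  }
  return `${basePath}?token=${encodeURIComponent(token.trim())}`;
}

// Method 2 (macro): the server-side template renders the macro into a
// <meta name="webseal-secret-token" content="..."> tag (assumed name).
// `doc` is duck-typed so this runs against a real document or a stub.
function tokenFromMeta(doc, metaName = 'webseal-secret-token') {
  const el = doc.querySelector(`meta[name="${metaName}"]`);
  return el && typeof el.content === 'string' && el.content !== '' ? el.content : null;
}

// Method 3 (header): the token arrives as a response header (assumed name
// X-Secret-Token) on an XHR/fetch response, given here as a plain object.
// Lookup is case-insensitive, as HTTP header names are.
function tokenFromHeaders(headers, headerName = 'x-secret-token') {
  const want = headerName.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want && v) return String(v);
  }
  return null;
}

// Wire an anchor element so the user's click performs a self-logout.
// Returns the href that was set so callers can inspect it.
function wireLogoutLink(anchorEl, token) {
  const href = buildLogoutUrl(token);
  anchorEl.setAttribute('href', href);
  return href;
}

// Stand-alone demonstration with a constructed stub document, stub anchor
// and constructed header set (no browser needed).
if (typeof document === 'undefined') {
  const stubDoc = {
    querySelector: () => ({ content: 'EXAMPLE-TOKEN-VALUE' }), // constructed
  };
  const stubAnchor = { attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } };
  console.log(wireLogoutLink(stubAnchor, tokenFromMeta(stubDoc)));
  console.log(buildLogoutUrl(tokenFromHeaders({ 'X-Secret-Token': 'a+b/c' })));
}
```

    In a real page the server-side template (method 2) or a fetch of a protected resource (method 3) supplies the token, and `wireLogoutLink` is called once the DOM is ready; the point is that something on the client must append `?token=` before the request reaches /pkmslogout, since typing the bare path into the browser is exactly what the CSRF protection rejects.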
     
     





  • 5.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Fri August 19, 2022 01:49 AM

    Hi,

    At the moment we have an issue on one instance (production and test environment) with /pkmslogout that looks a bit like this one.

    We get a 403 on /pkmslogout if we paste it after the base URL; the user keeps his session and is not logged off in ISVA 10.0.3.1. The thing is that we set up the /mobile-demo junction and if we hit "logout" there it works just fine.

    I must say that in this instance we have standard junctions (/mobile-demo is one of them in the test environment) and we have a virtual junction.

    Jasper.



    ------------------------------
    Jasper
    ------------------------------



  • 6.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Fri August 19, 2022 04:04 AM

    Hi Jasper,

    I don't have an immediate answer, but your VHJ setup is possibly somewhat related (for example, what comes to mind is the match-vhj-first param).
    (I'm not sure if the CSRF check as explained above is the case here, since "mobile-demo" to my knowledge also doesn't append pkmslogout?token=<token value>.)

    It's probably worth taking a short trace while you recreate this issue. More specifically this trace: pdweb.wan.azn. It can be a bit overloaded with info, but the main point of interest is lines like this:
    INPUTS - protected_resource=/WebSEAL/webpi.vwasp.gc.au.ibm.com-default/index.html, operation=r

    This can give some insight into whether this is a real WebSEAL object (pkmslogout) or some VHJ-referenced file/object.

    (it won't fix anything, but might give more info to work with ;-) )



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------



  • 7.  RE: "Forbidden The resource you have requested is secured by Access Manager WebSEAL" on /pkmslogout

    Posted Fri August 19, 2022 07:00 AM

    Hi Hans,
    Thanks for your response.

    We were under the impression that this issue had occurred in the last few days.
    Now it appears that it is something that has been going on for a few weeks.
    Because of this, we started looking at changes from longer ago and came up with:
    allowed-referers = %HOST%

    This is what caused the issue by the looks of it.



    ------------------------------
    Jasper Teuben
    ------------------------------