IBM Security Verify


How many registries does ISAM have

  • 1.  How many registries does ISAM have

    Posted Sun September 27, 2020 05:34 PM
    Edited by Joao Goncalves Sun September 27, 2020 05:53 PM
    I believe there are at least 3 registries (likely 4) that ISAM is using:
    • Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
      • Used when we ssh to the appliance
      • Since no one can change /etc/passwd, we cannot create additional users of this type.
    • LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
      • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
      • We can create new users here and groups with different permissions for ISAM management.
      • I can find the predefined group named isam-tenants.
      • If I change the password of admin in LMI, it affects the password of the Appliance user.
      • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
    • Local LDAP (or remote)
      • Used by the policy server for authentication and authorization, where we can find sec_master

    Something that I don't understand is where the Secure Access Control -> Global Settings -> User Registry users are defined. Likely a 4th registry.
    • Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
    • If I create a new user what is it used for?
    • I can't find a way to create new groups, but I can assign users to adminGroup group.
    • The admin defined here has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!
    Of course ISAM can use many other registries, and I can federate them, but that is not what I am looking for.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: How many registries does ISAM have

    Posted Mon September 28, 2020 03:03 AM
    Hi Joao,

    I think you've identified the 4 account stores in Verify Access.  3 of these are "internal" and store management and connection-validation passwords.

    Your description of /etc/passwd is accurate. Your description of System "Account Management" is accurate too.

    The Fed/AAC User Registry is the Liberty user registry for the Runtime Liberty instance - where AAC and Federation code runs. This is distinct from the Liberty instance that runs the LMI.  This registry isn't really used for management - it's mainly used for creating users to be used for connection security for connections to AAC/Fed runtime. Usually I'm only using "easuser" but you could create more users if the need arises. I would agree having an "admin" user in this registry is confusing. It may be that this is just created by default by Liberty. Not sure.

    The other registry is the LDAP where your "real" users are stored - this is mostly used by the Policy Server and Reverse Proxy. There are some management users (sec_master) and groups (iv-admin) in here too.  As you said, you can federate other LDAPs (and AD) here too.

    The only other store of user data is the High Volume Database (sometimes also called Runtime Database). This is where information associated with authentication mechanisms supported by AAC Authentication Service are stored. It's indexed by username.

    I hope this helps complete your understanding.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: How many registries does ISAM have

    Posted Mon September 28, 2020 08:56 AM
    Edited by Joao Goncalves Mon September 28, 2020 09:05 AM
    Yes it does, but it creates now a problem for me to solve!
    In a different post, I asked if I lose admin's password, how can I restore its password. You told me it is not possible, unless there is an additional user with the same privileges as admin's.

    How is this possible, since I cannot create any additional user in /etc/passwd?

    From your answer, you also referred to AAC. I'm just wondering if AAC is just another application running on the same instance as LMI, or are they running in different application servers instances?
    How about the Policy Server? What is it really, a web application running also on an Application Server instance?
    How about padmin, is it like wsadmin for WAS, but with different CLI API?
    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: How many registries does ISAM have

    Posted Mon September 28, 2020 12:12 PM
    Joao,

    I looked into the admin password reset a little more and discovered that the option to reset via /admin_cfg using another admin user does NOT work.  It still requires the old password in order to perform the change.  This is probably because it needs to make the change at the OS level and (without root) that always requires the old password.

    So, I have to revert to the answer that you cannot recover from a forgotten admin password.  The only option is to restore a configuration snapshot to a new virtual appliance where you know the admin password.  I will also update the other thread.

    The AAC/Federation runtime (they are the same thing) is a 2nd WebSphere Liberty instance running in the Virtual Appliance.  It is independent from the Liberty instance that runs the LMI.

    The Policy Server is a native process (C++ I think).  Its communication protocol is proprietary (and binary).  pdadmin is a command-line tool which can communicate using this protocol to send management instructions to the Policy Server.

    FYI, the Policy Server and Reverse Proxy (the "base" components) are much older than the AAC/Federation runtime and the LMI.  Their heritage goes right back to the very beginnings of the product when it was all native code installed as software.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: How many registries does ISAM have

    Posted Mon September 28, 2020 04:31 PM
    Joao,

    I just wanted to add two additional points about your original post:
    1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
    2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

    Thanks.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 6.  RE: How many registries does ISAM have

    Posted Tue January 26, 2021 02:11 PM
    I am now trying to configure SCIM. And according to the documentation, I must create a WebService Server Connection. When configuring this WebService, I must use an AAC user, and it must belong to the adminGroup. Why is this? What special access does this group have that is required for WebService?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 7.  RE: How many registries does ISAM have

    Posted Tue November 14, 2023 03:00 AM

    Hi Jon and Joao

    I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

    [11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

    I cannot find out why.

    I've searched a snapshot file and found the easuser also stored in a 

    \etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

    Could this be the culprit? A way to fix it?

    BR,  Carsten



    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 8.  RE: How many registries does ISAM have

    Posted Tue November 14, 2023 04:38 PM

    Carsten,


    I don't quite follow what you mean when you said that you had changed the password everywhere.  You only need to change the password in a single location.  Using the LMI you just need to change the password using the 'AAC' -> 'User Registry' screen.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 9.  RE: How many registries does ISAM have

    Posted Wed November 15, 2023 02:11 AM

    Hi Scott

    I mean in all Reverse Proxy instances using BA for calling fed-runtime

    and likewise with some junctions with fed-runtime as backend.

    BR Carsten



    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 10.  RE: How many registries does ISAM have

    Posted Wed November 15, 2023 03:20 AM

    Hi again

    I just made a test and the password in

    \etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

    in the snapshot file gets changed when I change the password in User Registry and create a new snapshot. So that is not the culprit.

    I've checked all the federations' identity mappings, but none of them is using BA for fed-runtime.

    Where else could the easuser password be specified?

    BR Carsten



    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 11.  RE: How many registries does ISAM have

    Posted Wed November 15, 2023 03:50 PM

    Carsten,


    Of course, after changing the easuser password using the LMI you will also need to change all of the locations which reference that password.  I can't tell you specifically where you might be using the password as this is entirely dependent on your environment, but it sounds like you have some junctions which are using the password.  You will need to edit those junctions and modify the BA password to match the new password for the easuser.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
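The advice above (posts 8 and 11) is that the easuser password lives in one place, the AAC User Registry, while any junction or client still presenting the old BA password keeps generating the CWWKS1100A line Carsten quoted in post 7. A practical triage step is to scan the runtime log for repeated authentication failures per user ID: a human mistyping a password produces one or two, a misconfigured junction produces a steady stream. The script below is an added example, not part of this thread or of IBM's product code. It assumes the Liberty log line layout shown in post 7; the first sample line is Carsten's, the rest are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Liberty messages/trace line layout, as quoted in post 7 (assumption: the
# logger name, level letter and message id are whitespace separated).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9a-f]{8}) id=(?P<reqid>[0-9a-f]+) "
    r"(?P<logger>\S+)\s+(?P<level>[A-Z]) (?P<msgid>[A-Z]{4,5}\d{4}[AEIW]): (?P<text>.*)$"
)
# The CWWKS1100A text names the failing account as "... for user ID <name>."
USER_RE = re.compile(r"for user ID (?P<user>[^\s.]+)")

AUTH_FAILED = "CWWKS1100A"  # Liberty: authentication did not succeed

# Constructed sample log. The first line is the one quoted in post 7; the
# others are made up for this example (alice is a hypothetical interactive user).
SAMPLE_LOG = [
    "[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.",
    "[11/9/23, 7:35:17:101 CET] 00000cba id=00000000 com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.",
    "[11/9/23, 7:35:18:004 CET] 00000c10 id=00000000 com.ibm.ws.kernel.feature.internal.FeatureManager I CWWKF0011I: The server is ready to run a smarter planet.",
    "[11/9/23, 7:36:02:517 CET] 00000cbe id=00000000 com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID alice. An invalid user ID or password was specified.",
    "[11/9/23, 7:36:17:221 CET] 00000cba id=00000000 com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one Liberty log line into its fields; None if it is not a log record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    user = USER_RE.search(rec["text"])
    rec["user"] = user.group("user") if user else None
    return rec


def find_auth_failures(lines) -> Dict[str, List[str]]:
    """Map each user ID to the timestamps of its CWWKS1100A failures."""
    failures: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msgid"] == AUTH_FAILED and rec["user"]:
            failures[rec["user"]].append(rec["ts"])
    return dict(failures)


def stale_credential_suspects(lines, threshold: int = 3) -> List[str]:
    """User IDs failing at least `threshold` times: likely a stored (stale) password,
    e.g. a junction BA password not updated after the registry change."""
    failures = find_auth_failures(lines)
    return sorted(u for u, ts in failures.items() if len(ts) >= threshold)


if __name__ == "__main__":
    for user, stamps in find_auth_failures(SAMPLE_LOG).items():
        print(f"{user}: {len(stamps)} failure(s), first at {stamps[0]}")
    print("check stored credentials for:", stale_credential_suspects(SAMPLE_LOG))
```

Point the script at the real runtime log (or the fed trace file) instead of `SAMPLE_LOG`; any user ID that keeps failing after the registry password was changed is the account whose old password is still stored somewhere, which is the junction case Scott describes.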







  • 12.  RE: How many registries does ISAM have

    Posted Fri November 17, 2023 01:22 AM

    Hi

    Hmm.. After a restart of all RP instances and federation runtime, the error disappeared. Case is closed.



    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------