IBM Verify

 View Only
  • 1.  ISAM - How to do the initial setup for AAC?

    Posted Wed May 13, 2020 03:16 PM
    Hi All,

    I am exploring AAC with version ISAM 9.0.6.
    The simple use case I wanted to try the protect the Web application by using email otp once the user is authenticated with username and password.

    Basically I have below questions:

    1. After activating the product, what are the prerequisite before running isamcfg tool? When using this tool, it says that it's deprecated but PDF and info-center show it as a mandatory step. So is that really needed? or I can do it from Secure Web Setting > Manage > Reverse Proxy Instance > Manage > AAC and Federation Configuration > Authentication and ContextBased Configurations ?

    2. Can I have reverse proxy and AAC running on the same server? If yes then can they both run on the same ports or it must be different? or AAC runtime means the management console itself having AAC license activated?

    3. By default, the appliance has Local Runtime Interface configured there with SSL(443) and Non-SSL port(80). What to do with it? Do we need to add interface there with the application interface hostname or IP?

    3. While running isamcfg tool, it asks for
    Advanced Access Control runtime listening interface hostname
    Advanced Access Control runtime listening interface port

    Do I need to specify the management console having AAC activated? Or the application interface host-name with the port?

    4. In one of the configuration guides, I observed there is some modification done to the stepuplogin.html page from management root to put some script. Is this really required when I wanted to try above said simple use case?

    I went through lot of security learning videos and other details on configuring Email OTP, TOP, and other configurations. However, I can not see any detailed and well-sequenced steps to complete the initial appliance set-up for AAC but it covers use cases after setting up the environment.

    In info-center and PDF guides, a lot of forward and backward links that make me jump here and there with no proper sequence. Is there any guide or video which covers why to do it instead of just covering how do it?

    Too much confusion for me or probably I am doing it all wrong.
    Can someone please guide me on this? Thanks in advance!

    ------------------------------
    Thanks and Regards,
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISAM - How to do the initial setup for AAC?

    Posted Wed May 13, 2020 03:38 PM

    Hello Prashant,

    1a) If you are at ISAM 9.0.6.0 the recommended way to configure a Reverse Proxy for use with AAC Context Based Access Control and Authentication Services (CBA/Authsvc) is via the configuration utility you mentioned :

    Secure Web Settings -> Manage -> Reverse Proxy ->> {select instance} -> Manage -> AAC and Federation Configuration -> Authentication and Context Based Access Configuration

    2a) The Reverse Proxy and the AAC JVM are allowed to run on the same appliance. Two processes on the same server cannot use the same IP and Port combination to listen on.

    EG :

    Have an IP on your appliance of '10.2.1.10'.
    Either the Reverse proxy could listen on '10.2.1.10:443' OR the AAC JVM could listen on '10.2.1.10:443'.
    If you had the Reverse Proxy listening on '10.2.1.10:443' you'd have to make the AAC JVM listen on a different IP:Port combination, such as '10.2.1.10:444'.

    3a-a) By default the appliance has the AAC/Federation JVM (they are the same JVM) listening on '127.0.0.1:443' and '127.0.0.1:80'. This means that only processes on the same appliance would be able to access that JVM. If you have a requirement that processes on another server, such as a Reverse Proxy instance on another appliance or an F5 be able to communicate with the AAC JVM on your specific appliance in question you'd need to add an application interface with a denoted IP:Port combination.

    The AAC JVM can only listen on 'Application' IP Addresses and cannot listen on configured 'Management' IP addresses.

    3b-a) Do not use the 'isamcfg' tool if you can help it. If you must use that tool the value for 'Advanced Access Control runtime listening interface hostname' must be either a hostname or an IP address associated with the configured IP Addresses specified at 'Secure Access Control -> Global Settings -> Runtime Parameters ->> Runtime Listening Interfaces'.
    The same goes for the 'Advanced Access Control runtime listening interface port'

    4a) The step-up HTML is not necessary but can be used to directly invoke the Authentication Service in a step-up scenario.

    The following is a documented example that you can use to make an access control policy to accomplish the OTP:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/admin/task/PolicyScenarioPermitAccessAfterOneTimePassword.html

    When running the configuration tool, you'll be prompted to supply a password for a user which is filled in by default as 'easuser'. Here is the documented default password for that user :
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/reference/ref_isamcfg_wga_worksheet.html#ref_isamcfg_wga_worksheet

    Even though it's not recommended to use the 'isamcfg' tool, that document still provides insightful information into how the configuration is performed.

    Using the configuration utility mentioned in 1a) is a simpler, less error-prone way to configure your Reverse Proxy for CBA/Authentication Services.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: ISAM - How to do the initial setup for AAC?

    Posted Wed May 13, 2020 05:02 PM
    Hi Prashant,
    If you have not watched it already, you can check out this step-by-step video tutorial for AAC configuration.  It gives a general idea on how to set it up and probably answer some of your questions.

    https://www.youtube.com/watch?v=VrQF450QCgM

    ------------------------------
    Manish Sethi
    ------------------------------



  • 4.  RE: ISAM - How to do the initial setup for AAC?

    Posted Thu May 14, 2020 09:13 AM

    Hi Manish,

    Thank you for the video link.

    I have watched it and configured AAC successfully. Also, I am able to complete the use case with IBM Verify app and TOTP.

    Regards,
    Prashant Narkhede



    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 5.  RE: ISAM - How to do the initial setup for AAC?

    Posted Mon December 11, 2023 08:43 AM

    Hi Manish,

    Looks like the YouTube link that you shared above is no more accessible. Is there another link or step by step document that I can follow to configure AAC in ISVA 10.X. Please let me know.

    Thanks,

    Abhishek



    ------------------------------
    Abhishek Sharma
    ------------------------------



  • 6.  RE: ISAM - How to do the initial setup for AAC?

    Posted Thu May 14, 2020 03:31 AM
    Hi,

    As others already pointed out the AAC runtime is by default listening only on localhost. There are now two possibilities to access it from outside. You can add a different host:port combination, which would give access to the whole runtime, or you could add a junction to localhost:443. I recommend the second option as in this way you can filter who can access what on the AAC runtime. As you already plan to have a WebSEAL instance on this appliance this is very easy. For calls which are configured in the WebSEAL conf file you can just call out directly to localhost and don't need to use the junction.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------