List of Contributions

André Leruitte

Posted By André Leruitte Mon March 18, 2024 03:55 AM
Found In Egroup: IBM Security Verify
Hi, Yes, you need to open a case asking for the fixpack. This information can be found on this page: https://www.ibm.com/support/pages/node/6557516?myns=swgother&mynp=OCSSRGTL&mync=E&cm_sp=swgother-_-OCSSRGTL-_-E #IBMChampion ...
Posted By André Leruitte Tue February 06, 2024 12:37 PM
Found In Egroup: IBM Security Verify
Hi Tara, Unfortunately I was unable to find any workaround. As Scott explained very clearly, it seems not possible to mix basic-auth for some junctions and completely ignoring the Authorization header for other junctions for the same reverse proxy. I did test on another reverse proxy where the ...
Posted By André Leruitte Tue January 23, 2024 02:13 AM
Found In Egroup: IBM Security Verify
Hi Philip, Thanks for your references! Indeed the native remember-me feature of ISAM offers almost all that is needed for these kinds of scenarios. On our side, we ended up implementing our own remember-me mechanism in our EAI, because we wanted to implement self-care functionalities, where user ...
Posted By André Leruitte Tue December 05, 2023 03:08 AM
Found In Egroup: IBM Security Verify
Hi, In the mapping rule PostToken, there is a block where you can customize the response from /userinfo. You could try to override the "groups" claim there: if (request_type == "userinfo") { produceClaim("groups", "['group1','admin_group','group2','group3']", true); } ...
Posted By André Leruitte Fri October 27, 2023 10:34 AM
Found In Egroup: IBM Security Verify
Hi Philip, Thanks a lot for your reply and your blog post. It's more or less the solution we finally implemented: Enrollment Infomap is called from the SPA application; new HMAC key is generated in the infomap; key is returned to the caller; the SPA application generates the ...
Posted By André Leruitte Fri October 13, 2023 03:47 AM
Found In Egroup: IBM Security Verify
Hi Jon and Mubashir, Thank you both for having this question answered here, it avoids me sinking hours in trying to find a solution to this problem. Anyway, I wanted to add that 4 years later, this still does not seem possible. It's really a pity, because it is going to force us to implement ...
Posted By André Leruitte Thu September 14, 2023 11:21 AM
Found In Egroup: IBM Security Verify
Hi all, We ran exactly into this problem on Tuesday and we seem to have found a solution to reset the underlying Linux "admin@local" password. We were unable to use our Active Directory credentials for logging in to the LMI after a certificate change on our Active Directory (we did import ...
Posted By André Leruitte Fri July 07, 2023 06:47 AM
Found In Egroup: IBM Security Verify
Follow-up on the deployment of v10.0.6, which fixes one of the memory leaks: we started deploying in our DEV and TEST environments, but we are now blocked as v10.0.6 breaks any FIDO2 authentication: IJ47417: FIDO2 AUTHENTICATION FAILURES IN ISVA 10.0.6.0 (ibm.com) We are stuck on v10.0.5, being ...
Posted By André Leruitte Thu June 29, 2023 08:00 AM
Found In Egroup: IBM Security Verify
Hi again, 2 new APARs spotted today related to memory leaks: https://www.ibm.com/support/pages/apar/IJ47335?myns=swgimgmt&mynp=OCSSRGTL&mync=E&cm_sp=swgimgmt-_-OCSSRGTL-_-E https://www.ibm.com/support/pages/apar/IJ47347?cm_sp=swgimgmt-_-OCSSRGTL-_-E&mync=E&mynp=OCSSRGTL&myns=swgimgmt ...
Posted By André Leruitte Thu June 29, 2023 03:09 AM
Found In Egroup: IBM Security Verify
Hi all, It seems IBM has identified a memory leak in webseal affecting v10.0.4, 10.0.5 and 10.0.6: IJ47321: REVERSE PROXY MEMORY LEAK PROCESSING JSON ARRAY DATA (ibm.com) We think there also are memory leaks in the acc/federation runtime that still have to be found, but at last it is ...
Posted By André Leruitte Mon June 26, 2023 07:41 AM
Found In Egroup: IBM Security Verify
Hello isam'ers, We have recently upgraded our production environment to v10.0.5 IF1 (6 weeks ago) and we are also observing memory leaks. ISVA seems to never free any memory whatsoever, leading to a situation where a process is killed to free some memory, either the DSCD or the Java processes, ...
Posted By André Leruitte Thu June 01, 2023 10:23 AM
Found In Egroup: IBM Security Verify
Hi Peter, Thanks a lot for your clever workaround! I'd never thought that port forwarding would be possible! This could help us in the future with other "internal issues". Regards, André ...
Posted By André Leruitte Tue May 30, 2023 02:05 AM
Found In Egroup: IBM Security Verify
Hi Sylvain, We do some custom authorization based on HTTP method in an Infomap executed via tfim-sso. We retrieve the http method with: var requestMethod = stsuu.getContextAttributes().getAttributeValuesByNameAndType("method", "urn:ibm:names:ITFIM:oauth:request")[0]; I don't remember that ...
Posted By André Leruitte Mon April 24, 2023 08:33 AM
Found In Egroup: IBM Security Verify
Hi Jarno, I have run into similar "asn" issues today with an ISVA 10.0.5. The issues were related to making webseal sign a JWT ([jwt:/junction] stanza), and using the jwks local-app. Those issues were logging the following errors, and were breaking webseal's jwt injection and the jwks local-app ...
Posted By André Leruitte Fri April 07, 2023 04:40 AM
Found In Egroup: IBM Security Verify
Hello, Thanks to both of you for your tips. We were aware of both methods you suggested, but we were hoping there was another one we were not aware of. I think that if we do need to implement this, we will try the custom infomap "batch". Is there any InfoMap execution maximum time that could ...
Posted By André Leruitte Mon April 03, 2023 08:29 AM
Found In Egroup: IBM Security Verify
Hello everybody, We are using ISAM (AAC) to store TOTP secret keys for our users. Everything is working as intended, our users are able to enroll and strongly authenticate using their TOTP client. We would like to export those TOTP secret keys, but we are unable to understand the format of the ...
Posted By André Leruitte Tue December 27, 2022 04:23 AM
Found In Egroup: IBM Security Verify
Hi Javier, The error message CSIAQ0147E+The+required+parameter%3A+%5Bcode_challenge%5D+is+missing+in+the+request is related to PKCE. It seems that the client is not configured to use PKCE when sending the initial request to the IDP (the call to /authorize). ...
Posted By André Leruitte Fri December 02, 2022 09:56 AM
Found In Egroup: IBM Security Verify
Hi Shane, Thanks for the acl detail. This is not working for me, webseal still handles the Authorization header. I will try creating a new reverse proxy for testing the behavior in isolation of the rest of the config. There may be other settings (such as forms-auth = https) that could be modifying ...
Posted By André Leruitte Fri December 02, 2022 03:59 AM
Found In Egroup: IBM Security Verify
Thanks to both of you for your replies. You both understood the requirement very well :) I tested your suggestion, Shane, but unfortunately it still does not work. I used the following ACL: Could it be related to our old v10.0.1? ...
Posted By André Leruitte Thu December 01, 2022 07:32 AM
Found In Egroup: IBM Security Verify
Hi Scott, Thank you for your reply. BA is indeed enabled at the RP level: [ba] ba-auth = https But we specifically try to disable it for a junction, but ISAM still tries validating the credentials coming in the Authorization header [server:/myJunctionThatNeedsToIgnoreBA] ...