List of Contributions

Amitesh Singh

Posted By Amitesh Singh Fri July 30, 2021 05:48 AM
Found In Egroup: IBM Security Verify
Thanks a lot Jon for your response. Type urn:ibm:JWT:header:claim is a key, I was trying the wrong type, hence it was not getting added to the header. I will try this. Thank you. ------------------------------ Amitesh Singh ------------------------------
Posted By Amitesh Singh Thu July 29, 2021 10:09 PM
Found In Egroup: IBM Security Verify
Hi Team, We are trying to add the "jku" and "jwk" optional parameters of the JOSE header. Based on the RFC (https://datatracker.ietf.org/doc/html/rfc7515#section-4) these parameters are optional but there should be some way to configure/add these optional parameters in ISAM. May I know if anyone knows how to customize ...
Posted By Amitesh Singh Wed March 10, 2021 04:04 PM
Found In Egroup: IBM Security Verify
Hi Scott, I tested curl with http as below and getting connection reset issue. curl -vi http://cp-iwas-cluster-lb.xxxxx:9080 * Rebuilt URL to: http://cp-iwas-cluster-lb.xxxxx:9080/ * Trying 10.xx.xx.xxx... * TCP_NODELAY set * Connected to cp-iwas-cluster-lb.atm.spcp.gov.sg (10.xx.xx.xxx) ...
Posted By Amitesh Singh Tue March 09, 2021 09:25 PM
Found In Egroup: IBM Security Verify
Hi Scott, Thanks for your quick reply. My understanding is also same like if using istio side-car then junction should be TCP junction. I tested curl with https curl -vi --cacert cpcacerts.cer https://cp-iwas-cluster-lb.xxxxxxxx:9443 Do you need any other info on this to help me out? ...
Posted By Amitesh Singh Tue March 09, 2021 08:17 PM
Found In Egroup: IBM Security Verify
Hi Team, We have ISAM docker 9072 version in AWS EKS environment with istio proxy for ingress/egress traffic. My backend application is deployed on WAS cluster which is fronted by AWS ALB. Traffic is like below Istio ingress --> ISAM --> Istio egress --> AWS ALB --> WAS cluster when we try ...
Posted By Amitesh Singh Sun October 20, 2019 07:50 AM
Found In Egroup: IBM Security Verify
Hi, Anyone from IBM team can help to answer my question and help me to find out alternative way to achieve it? ------------------------------ Amitesh Singh ------------------------------
Posted By Amitesh Singh Fri October 18, 2019 01:02 AM
Found In Egroup: IBM Security Verify
Hi Community, We found some design difference between ISAM Fed and TFIM. TFIM allows multiple service providers having same partner id (but different ACS) ISAM doesn't allow to load metadata at all if partner id already exists. It means ISAM checks the partner id uniqueness. However, it allows ...
Posted By Amitesh Singh Fri August 02, 2019 07:14 AM
Found In Egroup: IBM Security Verify
Hi Øyvind, Actually in our setup we are going to use ISAM for WRP, FED and also for SMS OTP solution. The first release we are trying to use ISAM for SMS OTP solution. So our app microservice are going to call ISAM runtime to generate and validate OTPs. ISAM WRP and FED we have to setup in next ...
Posted By Amitesh Singh Thu August 01, 2019 01:19 AM
Found In Egroup: IBM Security Verify
Hi Scott, Thanks for quick reply. We are still debugging on issue why ISAM was not responding with MTLS, if no other choice then may be we go with this path. However, we wanted to streamline ISAM setup with overall architecture where ISAM containers are getting accessed same way as other app's ...
Posted By Amitesh Singh Thu August 01, 2019 12:28 AM
Found In Egroup: IBM Security Verify
Hi Scott, In our environment we are using Istio Service Mesh and running all microservices in HTTP (non-ssl) mode. Istio proxy (or sidecar) is configured to use mtls when talking to microservices. In this case we don't need my ISAM runtime microservice to only access via https. We want to standardize ...
Posted By Amitesh Singh Tue July 30, 2019 12:54 AM
Found In Egroup: IBM Security Verify
Hi All, We have our ISAM containers installed with Istio, any micro services accessing ISAM runtime, need to access by Istio's sidecar. We want to enable non-ssl port 80 between sidecar and ISAM runtime container. In VA version we had the option to define ip and ports for accessing runtime but ...
Posted By Amitesh Singh Wed July 24, 2019 09:27 PM
Found In Egroup: IBM Security Verify
Hi Sacha, Thanks a lot. I really appreciate your help on the script. It will save me a lot of time on figuring out extraction. Thanks, Amitesh ------------------------------ Amitesh Singh ------------------------------
Posted By Amitesh Singh Tue July 23, 2019 03:39 AM
Found In Egroup: IBM Security Verify
Hi Yongming & Kristof, Thanks for your suggestions. I understand recommended way is to use wsadmin to extract all the partners config metadata, hence, we will look into creating wsadmin based script. Thanks a lot for advising on it. ------------------------------ Amitesh Singh ------ ...
Posted By Amitesh Singh Tue July 23, 2019 02:20 AM
Found In Egroup: IBM Security Verify
Hi Kristof, Thanks for your reply and suggestion. I believe extracting SP info via wsadmin cli tool may be better if we have few SP (10-20 metadata). The thing is that we have two federation prod environments and each has around 300+ SP metadata. In this case we thought writing XML parsing code ...
Posted By Amitesh Singh Sun July 21, 2019 03:32 AM
Found In Egroup: IBM Security Verify
Hi All, We are in process of evaluating how to migrate TFIM 6.2.2 to ISAM 9. We have over 300 service providers and manually creating their SP metadata into ISAM is not practically possible, hence we are thinking to write some program to read fed.xml and keystore to read all TFIM metadata information ...
Posted By Amitesh Singh Sun July 21, 2019 03:09 AM
Found In Egroup: IBM Security Verify
Hi Shane, Thanks for your reply. Yes, actually we were invoking it via browser based REST client. We noticed that the issue was happening because of JSESSIONID was stored in browser cookie which was preventing from successful validation of earlier generated OTPs. I think this is expected behavior ...
Posted By Amitesh Singh Wed July 10, 2019 07:20 AM
Found In Egroup: IBM Security Verify
Hi Team, After setting up the AAC module we are facing issues in validating OTPs when two OTPs are continuously generated. Our implementation doesn't use a user registry and calls the AAC runtime API to generate and verify as given below OTP Generation https://192.168.200.194/mga/sps/apiauthsvc?PolicyI ...
Posted By Amitesh Singh Wed July 03, 2019 09:59 PM
Found In Egroup: IBM Security Verify
Hi Shane, Thanks for your reply and recommendation. ------------------------------ Amitesh Singh ------------------------------
Posted By Amitesh Singh Mon July 01, 2019 08:18 PM
Found In Egroup: IBM Security Verify
Hi Jon, Thanks for your reply. Yes, my question was "Can external users (not defined in ISAM user registry) register and receive OTPs", which you have already answered. Regarding your comment "It might be possible to somehow use AAC without using Reverse Proxy (which needs user registry) but I ...
Posted By Amitesh Singh Tue June 25, 2019 09:55 PM
Found In Egroup: IBM Security Verify
Hi Team, We are testing ISAM 9 docker version. We want to use ISAM for OTP Generation and validation. We have noticed that MAC OTP is transactional OTP and does not require user registry for OTP Generation and validation. Can someone please confirm if my assumption is correct and OTP Generation ...