
Integrating Active Directory / LDAP with IBM Sterling B2B Integrator (B2Bi) and IBM Sterling External Authentication Server (SEAS) using IBM Sterling Secure Proxy (SSP)

By Tanvi Kakodkar posted Wed July 15, 2020 06:16 AM

  

This is a continuation of our earlier blog. In this blog, we elaborate on B2Bi external trading partner authentication and token validation against the partner's centralised LDAP, via IBM Sterling External Authentication Server (SEAS) and IBM Sterling Secure Proxy (SSP).


SSP is used as a reverse proxy server in front of B2Bi and other applications that support a single sign-on connection. SSP allows an incoming user to authenticate and access B2Bi using specific protocols that also support single sign-on (SSO) requests.

SEAS uses OpenSAML to create and manage SSO tokens. SAML is very powerful and flexible, but the specification can be quite a handful. SAML SSO works by transferring the user's identity from one place (the identity provider) to another (the service provider). However, it is possible to customize your environment to use a third-party application to generate tokens.

Below is the pictorial view of how an authentication request is processed.

authentication.png

  1. The partner connects to Sterling Secure Proxy (SSP) and enters credentials.
  2. SSP passes the credentials to Sterling External Authentication Server (SEAS).
  3. SEAS authenticates the user against the LDAP directory.
  4. LDAP returns true or false to SEAS according to the authentication result.
  5. If authentication is unsuccessful, SEAS sends a negative response to SSP and SSP terminates the session. If authentication is successful, SEAS generates a token and sends it to SSP in the response.
  6. SSP passes the username and token to B2Bi.
  7. B2Bi validates the SSO token with SEAS and grants or denies access.

 

Let us now see the configuration in SEAS.

  1. Create a “Connection Definition” in SEAS.
authentication1.png

  2. Create “Authentication Definitions”. Here we define the “Profile” name, which must be configured with exactly the same value in SSP. Below is the summary image for reference.
authentication2.png

 

Principal summary:
auth3.png

Note the “Match Attributes” value. This is the LDAP attribute under which the user id is stored.

 

We will now demonstrate the SFTP setup for SSO token user authentication.

Here are the screenshots of SSP SFTP Policy and its adapter configuration:

s1.png

s2.png

Please remember that the “External Authentication Profile” name should match the profile name in SEAS.

The minimum configuration required on B2Bi for token authentication is as follows:

  1. Log in to the SEAS server and copy the files and subdirectories from the SEAS_install_dir/lib/sterling/sfg-sso-plugin directory to a location that is accessible to B2Bi; we will refer to that location as “base_dir”.
  2. In the servers.properties_seas-sso_ext file under “base_dir/sfg-sso-plugin/properties”, uncomment the following line and replace <SI_install> with the actual installation path of B2Bi:
    • # seas-sso=<SI_install>/properties/seas-sso/1.0/seas-sso.properties
  3. In the servers.properties_seas-auth_ext file under “base_dir/sfg-sso-plugin/properties”, uncomment the following line and replace <SI_install> with the actual installation path of B2Bi:
    • # seas-auth=<SI_install>/properties/seas-auth/1.0/seas-auth.properties
  4. Log in to the B2Bi file system and stop the application.
  5. Edit customer_overrides.properties and add the parameters below (61365 is the SEAS listening port in this setup; a properties file does not allow a trailing comment on the value line):

#SEAS
seas-sso.EA_HOST=<<SEAS IP ADDRESS>>
# SEAS listening port
seas-sso.EA_PORT=61365
seas-sso.EA_SECURE_CONNECTION=false

  6. Go to B2Bi install_dir/bin and run the following commands:
    • ./install3rdParty.sh seas-sso 1.0 -j base_dir/sfg-sso-plugin/seas-sso.jar
    • ./install3rdParty.sh seas-sso 1.0 -p base_dir/sfg-sso-plugin/properties/seas-sso.properties
    • ./install3rdParty.sh seas-auth 1.0 -p base_dir/sfg-sso-plugin/properties/seas-auth.properties
    • Create a subdirectory named “private” under <B2Bi_install_dir>/jar/seas-sso/1.0 and copy into it all jars present under the <<base_dir>>/sfg-sso-plugin/private/ directory.
  7. Restart IBM Sterling B2B Integrator.
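The property edits in steps 2, 3 and 5 are easy to get subtly wrong: a seas-sso= line that is still commented out means the plug-in is never loaded, and running the edit twice leaves a duplicated #SEAS block in customer_overrides.properties. The POSIX shell helpers below are an added example written for this post, not part of IBM Sterling B2Bi, SEAS or their documentation; they apply those edits to a copy of the sfg-sso-plugin directory and fail if an edit did not take effect. The function names and the sample values (/opt/IBM/si, 192.0.2.10) are this example's own; the file names, property keys and port 61365 are the ones from the steps above.

```shell
#!/bin/sh
# Added example: helpers for the B2Bi-side edits in steps 2, 3 and 5 above.
# Not part of IBM Sterling B2Bi or SEAS; function names and sample paths are
# this example's own, file names and property keys follow the blog.

# Steps 2/3: activate the "# <key>=<SI_install>/..." line in one of the
# servers.properties_<key>_ext files and substitute the real B2Bi path.
#   $1 = properties file, $2 = seas-sso or seas-auth, $3 = B2Bi install dir
prepare_plugin_properties() {
    file=$1; key=$2; si_install=$3
    # Rewrite via a temp file so this also works where sed has no -i.
    sed "s|^# *${key}=<SI_install>|${key}=${si_install}|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    # A silent no-op here is the usual reason the SSO plug-in never loads,
    # so fail unless the key is now active with the expected path.
    grep -q "^${key}=${si_install}/" "$file"
}

# Step 5: append the seas-sso.* settings to customer_overrides.properties.
# Skips the append when EA_HOST is already present, so re-running the
# script does not leave duplicate keys (the last one would silently win).
#   $1 = customer_overrides.properties, $2 = SEAS host, $3 = SEAS port,
#   $4 = true|false for seas-sso.EA_SECURE_CONNECTION
add_seas_overrides() {
    file=$1; host=$2; port=$3; secure=$4
    if grep -q '^seas-sso\.EA_HOST=' "$file" 2>/dev/null; then
        return 0
    fi
    {
        printf '%s\n' '#SEAS'
        printf 'seas-sso.EA_HOST=%s\n' "$host"
        printf 'seas-sso.EA_PORT=%s\n' "$port"
        printf 'seas-sso.EA_SECURE_CONNECTION=%s\n' "$secure"
    } >> "$file"
}

# Read back one seas-sso.* value (last definition wins, as in Java properties).
#   $1 = properties file, $2 = key name without the seas-sso. prefix
get_override() {
    sed -n "s|^seas-sso\.$2=||p" "$1" | tail -n 1
}

# Stand-alone demo on a constructed copy of the plug-in layout.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sfg-sso-plugin/properties"
printf '# seas-sso=<SI_install>/properties/seas-sso/1.0/seas-sso.properties\n' \
    > "$demo_dir/sfg-sso-plugin/properties/servers.properties_seas-sso_ext"
printf '# seas-auth=<SI_install>/properties/seas-auth/1.0/seas-auth.properties\n' \
    > "$demo_dir/sfg-sso-plugin/properties/servers.properties_seas-auth_ext"
prepare_plugin_properties "$demo_dir/sfg-sso-plugin/properties/servers.properties_seas-sso_ext" seas-sso /opt/IBM/si
prepare_plugin_properties "$demo_dir/sfg-sso-plugin/properties/servers.properties_seas-auth_ext" seas-auth /opt/IBM/si
add_seas_overrides "$demo_dir/customer_overrides.properties" 192.0.2.10 61365 false
echo "SEAS endpoint configured: $(get_override "$demo_dir/customer_overrides.properties" EA_HOST):$(get_override "$demo_dir/customer_overrides.properties" EA_PORT)"
rm -rf "$demo_dir"
```

The blog sets seas-sso.EA_SECURE_CONNECTION=false, which is what the demo passes; the same helper accepts true for a deployment where the B2Bi-to-SEAS connection is TLS-protected. The install3rdParty.sh commands of step 6 are left to be run by hand, since they depend on the B2Bi installation itself.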


Note: For more details, refer to the Knowledge Center links:

https://www.ibm.com/support/knowledgecenter/en/SS6PNW_6.0.1/com.ibm.help.ssp.scenarios.doc/reverse_proxy/ssp_hsso_prepsfgunx.html

https://www.ibm.com/support/knowledgecenter/en/SS6PNW_6.0.1/com.ibm.help.ssp.scenarios.doc/reverse_proxy/ssp_hsso_modsfgunx.html

 

Then, change the user authentication from “LDAP” to “SEAS” in B2Bi. Here is the screenshot of the modified user authentication of “ibmuser”:
user_accounts.png

Then log on to B2Bi via SSP as “ibmuser” using WinSCP. When logging in, the SSP hostname or IP address and its SFTP adapter port number are provided instead of the B2Bi server and its SFTP adapter port.

UA2.png

Please refer to the above “Authentication Request” image and its description for the step numbers referenced below.

Here are snippets of the log files from SSP, SEAS and B2Bi.

Step 2 from the above “Authentication Request” image, as captured in SSP (sftp.adapter-SFTP_Adapater.log):

21 Apr 2020 04:53:10,667 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1811I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. Connection to EA server successful.

21 Apr 2020 04:53:10,667 DEBUG [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - Successfully Connected to EA.

21 Apr 2020 04:53:10,669 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1818I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. EA connection component initialization complete.

21 Apr 2020 04:53:10,671 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1849I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. Sending user authentication request to EA server to request single-signon (SSO) token. Client: 1.1.1.1 Profile: ldap_profile  User: ibmuser

21 Apr 2020 04:53:10,671 DEBUG [EAProxy-ReqSenderThread-252] sys.ADAPTER.SFTP_Adapater - Checking if connection to EA is alive

21 Apr 2020 04:53:10,671 DEBUG [EAProxy-ReqSenderThread-252] sys.ADAPTER.SFTP_Adapater - Connection to EA is alive

21 Apr 2020 04:53:10,671 DEBUG [EAProxy-ReqSenderThread-252] sys.ADAPTER.SFTP_Adapater - Sending request to EA: id=35, req=SsoAuthenticationRequest: Correlator - 35, ClientId - SFTP_Adapater, SessionId - null, RspLog - on

21 Apr 2020 04:53:10,672 DEBUG [EAProxy-ReqSenderThread-252] sys.ADAPTER.SFTP_Adapater - Request sent to EA: id=35, req=SsoAuthenticationRequest: Correlator - 35, ClientId - SFTP_Adapater, SessionId - null, RspLog - on

Steps 3 and 4 from the above “Authentication Request” image, as captured in SEAS (seas.log):

21 Apr 2020 04:53:10,721 1619285843 [Pool Worker - 31] INFO AbstractBindAuthenticationStrategy - AUTH066E Verifying username uid=ibmuser,ou=users,ou=system with Username/Password Policy.

21 Apr 2020 04:53:10,728 1619285850 [Pool Worker - 31] INFO AbstractBindAuthenticationStrategy - AUTH067E Username uid=ibmuser,ou=users,ou=system passed Username/Password Policy test.

21 Apr 2020 04:53:10,728 1619285850 [Pool Worker - 31] INFO AbstractBindAuthenticationStrategy - Bind: DN="uid=ibmuser,ou=users,ou=system" URL=ldap://localhost:10389/

21 Apr 2020 04:53:10,735 1619285857 [Pool Worker - 31] INFO AbstractBindAuthenticationStrategy - AUTH001I Ldap Bind succeeded for uid=ibmuser,ou=users,ou=system.

Step 5 from the above “Authentication Request” image, as captured in SEAS and SSP. The SSO token has been created, and the token values in the SEAS and SSP logs match.

SEAS (seas.log):

21 Apr 2020 04:53:10,756 1619285878 [Pool Worker - 31] INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> SsoAuthenticationResponse(AUTH001I): Correlator - 35: detailResponseCode - AUTH100D, conversationId - 99gftyTMeElJ0t+4v+eLDexD9V4=, type - Auth, authenticated - true, token- {SHA-512}IaspgT/CWxA0ZFKEldI6FFOlJDk77wU+vnkgWBMBn95uIcCAI6bfajAh9idBD5or3bof/9LYVnxiAFPmn1PdPg==

21 Apr 2020 04:53:10,926 1619286048 [Pool Worker - 32] INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> AuthenticationResponse(AUTH069I): Correlator - 36: detailResponseCode - null, type - Auth, authenticated - true

21 Apr 2020 04:53:11,064 1619286186 [AccepterThread:NonSecure] INFO com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - ACPT037I Received connection. Address=/127.0.0.1:16429, Session=21

21 Apr 2020 04:53:11,068 1619286190 [Pool Worker - 33] INFO com.sterlingcommerce.component.sso.impl.SingleSignonServiceImpl - AUTH090I SSO token validation succeeded.

21 Apr 2020 04:53:11,070 1619286192 [Pool Worker - 33] INFO com.sterlingcommerce.component.sso.impl.SingleSignonServiceImpl - AUTH070I Authentication succeeded for ibmuser.

SSP (sftp.adapter-SFTP_Adapater.log):

21 Apr 2020 04:53:10,762 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1827I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. Received user authentication response from EA server. Client: 1.1.1.1 Profile: ldap_profile  User: ibmuser Message: AUTH001I Ldap Bind succeeded for uid=ibmuser,ou=users,ou=system.

21 Apr 2020 04:53:10,764 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1848I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. Obtained token from EA. Client: 1.1.1.1 Profile: ldap_profile  User: ibmuser  Token: {SHA-512}IaspgT/CWxA0ZFKEldI6FFOlJDk77wU+vnkgWBMBn95uIcCAI6bfajAh9idBD5or3bof/9LYVnxiAFPmn1PdPg==

Steps 6 and 7 from the above “Authentication Request” image, as captured in B2Bi (authentication.log):

[2020-04-21 05:02:50.692] DEBUG SecurityManager user:ibmuser attempting to log in (SSO:false)

[2020-04-21 05:02:50.709] DEBUG SecurityManager user:ibmuser authorization SUCCEEDED (SSO:false)

 

The above logs indicate a successful login for user ibmuser using the SSO token.
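When troubleshooting an SSO login, the two facts worth confirming from the excerpts above are that the SEAS response carries the same Correlator as the request SSP sent (35 here) and that the token SSP logs on SSE1848I is byte-for-byte the token SEAS issued, followed by SEAS's AUTH090I line once B2Bi has validated it. The script below is an added example, not an IBM tool: it pulls those values out of seas.log and the SSP adapter log with sed and fails if any of the three checks does not hold. The message ids and line formats come from the excerpts in this post; the helper names are this example's own, and the sample logs are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: cross-check the SSP and SEAS log lines for one SSO login.
# Not an IBM tool; the message ids (SSE1848I, AUTH001I, AUTH090I) and the
# line formats are taken from the log excerpts in this post, the helper
# names are this example's own.

# Token SEAS issued (SsoAuthenticationResponse line in seas.log).
seas_token() {
    sed -n 's/.*SsoAuthenticationResponse(AUTH001I).*token- \([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# Token SSP received (SSE1848I "Obtained token from EA" in the adapter log).
ssp_token() {
    sed -n 's/.*SSE1848I.*Token: \([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# Correlator of the request SSP sent and of the response SEAS returned;
# both must refer to the same exchange.
ssp_correlator() {
    sed -n 's/.*Request sent to EA: id=\([0-9]*\),.*/\1/p' "$1" | tail -n 1
}
seas_correlator() {
    sed -n 's/.*SsoAuthenticationResponse(AUTH001I): Correlator - \([0-9]*\):.*/\1/p' "$1" | tail -n 1
}

# Verify steps 2, 5 and 7: same correlator on both sides, same token on
# both sides, and SEAS later reporting that the token validation succeeded.
# Prints the correlator and token on success, returns 1 otherwise.
#   $1 = seas.log, $2 = sftp.adapter-SFTP_Adapater.log
check_sso_handshake() {
    seas_log=$1; ssp_log=$2
    c_seas=$(seas_correlator "$seas_log"); c_ssp=$(ssp_correlator "$ssp_log")
    [ -n "$c_seas" ] && [ "$c_seas" = "$c_ssp" ] || return 1
    t_seas=$(seas_token "$seas_log"); t_ssp=$(ssp_token "$ssp_log")
    [ -n "$t_seas" ] && [ "$t_seas" = "$t_ssp" ] || return 1
    grep -q 'AUTH090I SSO token validation succeeded' "$seas_log" || return 1
    echo "correlator=$c_seas token=$t_seas"
}

# Constructed sample logs: the relevant lines from this post's excerpts.
#   $1 = directory to write seas.log and ssp.log into
make_sample_logs() {
    cat > "$1/ssp.log" <<'EOF'
21 Apr 2020 04:53:10,672 DEBUG [EAProxy-ReqSenderThread-252] sys.ADAPTER.SFTP_Adapater - Request sent to EA: id=35, req=SsoAuthenticationRequest: Correlator - 35, ClientId - SFTP_Adapater, SessionId - null, RspLog - on
21 Apr 2020 04:53:10,764 INFO  [pool-34-thread-4] sys.ADAPTER.SFTP_Adapater - SSE1848I Engine Name=myEngine, Adapter Name=SFTP_Adapater, EA Name=myseas. Obtained token from EA. Client: 1.1.1.1 Profile: ldap_profile  User: ibmuser  Token: {SHA-512}IaspgT/CWxA0ZFKEldI6FFOlJDk77wU+vnkgWBMBn95uIcCAI6bfajAh9idBD5or3bof/9LYVnxiAFPmn1PdPg==
EOF
    cat > "$1/seas.log" <<'EOF'
21 Apr 2020 04:53:10,756 1619285878 [Pool Worker - 31] INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> SsoAuthenticationResponse(AUTH001I): Correlator - 35: detailResponseCode - AUTH100D, conversationId - 99gftyTMeElJ0t+4v+eLDexD9V4=, type - Auth, authenticated - true, token- {SHA-512}IaspgT/CWxA0ZFKEldI6FFOlJDk77wU+vnkgWBMBn95uIcCAI6bfajAh9idBD5or3bof/9LYVnxiAFPmn1PdPg==
21 Apr 2020 04:53:11,068 1619286190 [Pool Worker - 33] INFO com.sterlingcommerce.component.sso.impl.SingleSignonServiceImpl - AUTH090I SSO token validation succeeded.
EOF
}

# Stand-alone demo on the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
check_sso_handshake "$demo_dir/seas.log" "$demo_dir/ssp.log"
rm -rf "$demo_dir"
```

Each helper takes the last matching line, so on a busy system point the script at a copy of the logs trimmed to the session under investigation; a mismatch between the two token values, or a missing AUTH090I, is the first thing to look at before touching the B2Bi side.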

This concludes the scope of this blog.

 
