DataPower


How can we create an AAA solution which can support both the internal and external devices in the same service

  • 1.  How can we create an AAA solution which can support both the internal and external devices in the same service

    Posted Wed September 16, 2020 10:18 AM

    Suppose a web service proxy is deployed on internal Datapower device.

    An F5 Load Balancer is in between consumer and Datapower

    1. If the internal F5 is used, the consumer directly provides the CN name from their certificate to the F5 and then to us, and our AAA action configured in the request rule matches this CN name against an XML file containing credentials to authenticate the consumer.
    2. If a 3rd-party F5 is used, the consumer sends their CN name in a header of the request, and in the DataPower AAA action we first extract that CN name from the request header through an XSLT file and then compare it with an XML file (as in case 1).

    Now we want to create an AAA solution which will integrate both case 1 and case 2 for the same operation in the same service.

    Or is there any other way of integrating both cases together apart from using an AAA action?



    #DataPower
    #Support
    #SupportMigration


  • 2.  RE: How can we create an AAA solution which can support both the internal and external devices in the same service

    Posted Thu September 17, 2020 11:40 AM

    Hi,

    You can use two identity extraction methods and then use a custom stylesheet or GatewayScript to authenticate the extracted identities.

    --Hermanni



    #DataPower
    #Support
    #SupportMigration


  • 3.  RE: How can we create an AAA solution which can support both the internal and external devices in the same service

    Posted Fri September 18, 2020 10:56 AM

    Hi Hermanni,

    Can you please help us with how we can configure two different methods for identity extraction on the same request rule on our DataPower service, based on whether the request comes from the internal F5 or the external F5.


    Thanks in advance.



    #DataPower
    #Support
    #SupportMigration


  • 4.  RE: How can we create an AAA solution which can support both the internal and external devices in the same service

    Posted Mon September 21, 2020 10:50 AM

    This forum doesn't seem to allow attachments, so I'll try to describe how you can achieve this.

    In your AAA configuration on the "Identity Extraction" tab you'll select two methods, for example "Subject DN of TLS certificate from connection peer" and "Custom processing". For "Custom processing" you can use, for example, this stylesheet or something else that better suits your requirements:


    <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:dp="http://www.datapower.com/extensions"
        xmlns:dpconfig="http://www.datapower.com/param/config"
        extension-element-prefixes="dp dpconfig">
    <xsl:output method="xml"/>
    <xsl:template match="/">
        <!-- Create output that contains the extracted credentials.
             The DN is read from the HTTP request header named "auth-header". -->
        <dn>
            <xsl:value-of select="dp:request-header('auth-header')"/>
        </dn> <!-- Fill if you have dn -->
        <issuer /> <!-- Fill if you have issuer -->
        <cert /> <!-- Fill if you have cert details -->
        <serial/> <!-- Fill if you have serial -->
    </xsl:template>
    </xsl:stylesheet>


    The combined identity extraction methods provide the following XML, which is processed as the input of the authentication step:


    <identity xmlns:dp="http://www.datapower.com/schemas/management" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
        <entry type="client-ssl">
            <dn>dn entry in here</dn>
            <issuer>issuer entry in here</issuer>
            <cert>XXXXXXXX</cert>
            <serial>111111111111111111</serial>
        </entry>
        <entry type="custom" url="local:///extract-id-from-header.xsl">
            <dn>dn extracted from http header here</dn>
            <issuer/>
            <cert/>
            <serial/>
        </entry>
    </identity>


    The DN entries in the XML can then be validated using, for example, a custom stylesheet in the "Authentication" step. You can modify the following example:


    <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:dp="http://www.datapower.com/extensions"
        xmlns:dpconfig="http://www.datapower.com/param/config"
        xmlns:aaa="http://www.datapower.com/AAAInfo"
        xmlns:dpfunc="http://www.datapower.com/extensions/functions"
        extension-element-prefixes="dp dpconfig">
    <xsl:output method="xml"/>
    <xsl:template match="/">
        <!-- Extract the second DN, i.e. the one from the "custom" entry filled by the header stylesheet (for demo purposes).
             Note the predicate selects on the entry's type attribute. -->
        <xsl:variable name="dn" select="/*[local-name()='identity']/*[local-name()='entry'][@type='custom']/*[local-name()='dn']/text()"/>
        <!-- Get the contents of the aaa file -->
        <xsl:variable name="aaa" select="document('local:///aaa.xml')"/>
        <!-- Verify that the dn exists in the aaa file (for demo purposes).
             If the custom entry's dn is empty, $dn is an empty node-set, the test fails,
             nothing is output, and the authentication step does not succeed. -->
        <xsl:if test="$aaa//*[local-name()='DN'][text()=$dn]">
            <aaa:OutputCredential>
                <xsl:value-of select="$aaa//*[local-name()='DN'][text()=$dn]/following-sibling::*[local-name()='OutputCredential']/text()"/>
            </aaa:OutputCredential>
        </xsl:if>
    </xsl:template>
    </xsl:stylesheet>


    --Hermanni




    #DataPower
    #Support
    #SupportMigration
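
The lookup the reply sketches (take the DN from whichever extraction entry applies and map it through aaa.xml to an output credential), written out as an added example that is not part of this thread and not DataPower code: a plain Python stand-in for the custom "Authentication" step, using a constructed aaa.xml in the shape the reply's XPath expects (a <DN> followed by a sibling <OutputCredential>) and constructed <identity> documents in the shape shown above. It adds one check a practitioner would want here: the header-supplied DN (case 2) is honoured only when the TLS connection peer is the third-party F5 itself, so a caller reaching the service over any other connection cannot pick a consumer by setting the header. The relay DN `CN=ext-f5.example.net,O=Example`, the consumer names and the `build_identity` helper are all assumptions for the example.

```python
"""Stand-in for the custom "Authentication" step over the two-entry identity."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed credential file in the shape the reply's XPath expects:
# each <DN> has a following sibling <OutputCredential>. Names are made up.
AAA_XML = """<aaa>
  <entry>
    <DN>CN=partner-a,OU=Consumers,O=Example</DN>
    <OutputCredential>partner-a</OutputCredential>
  </entry>
  <entry>
    <DN>CN=partner-b,OU=Consumers,O=Example</DN>
    <OutputCredential>partner-b</OutputCredential>
  </entry>
</aaa>"""

# Assumed subject DN of the third-party F5's client certificate. A DN taken
# from the request header is honoured only when the TLS peer is this relay.
TRUSTED_RELAY_DNS = {"CN=ext-f5.example.net,O=Example"}


def build_identity(peer_dn: str, header_dn: str) -> str:
    """Construct an <identity> document like the one shown in the reply:
    a "client-ssl" entry from the TLS peer certificate and a "custom"
    entry filled by the header-extraction stylesheet (constructed sample)."""
    identity = ET.Element("identity")
    for entry_type, dn in (("client-ssl", peer_dn), ("custom", header_dn)):
        attrs = {"type": entry_type}
        if entry_type == "custom":
            attrs["url"] = "local:///extract-id-from-header.xsl"
        entry = ET.SubElement(identity, "entry", attrs)
        for tag, text in (("dn", dn), ("issuer", ""), ("cert", ""), ("serial", "")):
            ET.SubElement(entry, tag).text = text
    return ET.tostring(identity, encoding="unicode")


def parse_identity(identity_xml: str) -> Dict[str, str]:
    """Map each extraction method ("client-ssl", "custom") to the DN it produced."""
    root = ET.fromstring(identity_xml)
    return {
        entry.get("type", ""): (entry.findtext("dn") or "").strip()
        for entry in root.findall("entry")
    }


def load_credentials(aaa_xml: str) -> Dict[str, str]:
    """Map every <DN> in the credential file to its sibling <OutputCredential>."""
    creds: Dict[str, str] = {}
    for node in ET.fromstring(aaa_xml).iter():
        dn, cred = node.findtext("DN"), node.findtext("OutputCredential")
        if dn and cred:
            creds[dn.strip()] = cred.strip()
    return creds


def authenticate(identity_xml: str,
                 aaa_xml: str = AAA_XML,
                 trusted_relays=TRUSTED_RELAY_DNS) -> Optional[str]:
    """Return the output credential for the request, or None to reject it.

    Case 1 (internal F5, client TLS passed through): the peer's own
    certificate DN must be listed in the credential file.
    Case 2 (third-party F5): the peer must be a trusted relay, and only
    then is the DN it forwarded in the request header looked up.
    A header DN on any other connection is ignored, so a caller cannot
    become partner-a simply by sending the header itself.
    """
    entries = parse_identity(identity_xml)
    creds = load_credentials(aaa_xml)
    peer_dn = entries.get("client-ssl", "")
    header_dn = entries.get("custom", "")
    if peer_dn in creds:                                    # case 1
        return creds[peer_dn]
    if peer_dn in trusted_relays and header_dn in creds:    # case 2
        return creds[header_dn]
    return None


if __name__ == "__main__":
    for peer, header in [
        ("CN=partner-a,OU=Consumers,O=Example", ""),
        ("CN=ext-f5.example.net,O=Example", "CN=partner-b,OU=Consumers,O=Example"),
        ("CN=attacker,O=Unknown", "CN=partner-a,OU=Consumers,O=Example"),
    ]:
        print(peer, "->", authenticate(build_identity(peer, header)))
```

Two consequences of this ordering are worth keeping in mind when porting it back into the stylesheet or GatewayScript: the relay's own DN must not also appear as a consumer in aaa.xml, because case 1 is tested first and would authenticate the relay as that consumer; and on the internal path the header entry is simply never consulted, so a consumer behind the internal F5 gains nothing by adding the header.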

