IBM Verify

  • 1.  ISAM9 VA & Docker - OTP issues

    Posted Wed July 10, 2019 07:20 AM
    Hi Team,

    After setting up the AAC module, we are facing issues in validating an OTP when two OTPs are generated consecutively.

    Our implementation doesn't use a user registry and calls the AAC runtime API to generate and verify as given below.

    OTP Generation
    https://192.168.200.194/mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:spcpotp
    Request body
    {
    "abc":"xyz"
    }

    Response 
    {
    "mechanism": "urn:ibm:security:authentication:asf:mechanism:macotp",
    "stateId": "fc97f4c4-2605-4421-ae48-0cea91988075",
    "location": "/mga/sps/apiauthsvc?StateId=fc97f4c4-2605-4421-ae48-0cea91988075",
    "otp.user.otp-hint": "6767-565920",
    "otp.user.sentTo": "",
    "mappingRuleData": ""
    }

    We get the OTP, no issues, but if, without validating it, we generate the OTP again by simply executing the same API again, a new OTP and a new state ID are generated.

    Now if we verify with the old state ID, we get the error below:


    {"exceptionMsg":"FBTAUT017E Authentication service received an invalid state ID [fc97f4c4-2605-4421-ae48-0cea91988075].","state":"","message":""}

    Verification
    https://192.168.200.194/mga/sps/apiauthsvc?StateId=fc97f4c4-2605-4421-ae48-0cea91988075

    Request Body
    {"otp.user.otp": "565920","otp.user.otp-hint": "6767","Submit":"Submit","operation":"verify"}

    We generated two OTPs with two different state IDs, which we can see in HVDB, but the issue is that the first generated OTP cannot be verified, even though both OTPs with their respective state IDs are available in HVDB.

    Can someone guide us if we are missing any configuration? If HVDB has two records with two different state IDs, and we are passing the state ID while validating, then it should validate the OTP for the given state ID, but ISAM is not doing it. Please let me know if anyone has faced this issue.

    Thanks,

    ------------------------------
    Amitesh Singh
    ------------------------------


  • 2.  RE: ISAM9 VA & Docker - OTP issues

    Posted Thu July 18, 2019 05:00 AM

    Where are you actually invoking the apiauthsvc from - have you tried in a standalone client (like curl in a bash script), or are you doing this via AJAX from a browser page?

    The reason I ask is that I wonder if session state is an issue when calling from AJAX (cookies will still maintain session state). The first thing I'd suggest you do is write a completely standalone bash/curl script to eliminate this as a cause.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: ISAM9 VA & Docker - OTP issues

    Posted Sun July 21, 2019 03:09 AM
    Hi Shane,
    Thanks for your reply.

    Yes, actually we were invoking it via a browser-based REST client. We noticed that the issue was happening because the JSESSIONID stored in the browser cookie was preventing successful validation of earlier generated OTPs. I think this is expected behavior, and I also think it would be better to use the cookieless approach mentioned in the link below:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/config/task/tsk_config_aac_cookieless.html

    Thanks,
    Amitesh

    ------------------------------
    Amitesh Singh
    ------------------------------
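The standalone-client check Shane suggests in reply 2, and the cookie finding in reply 3, as an added example that is not code from the posts or from IBM. It stands in for the bash/curl script: each client instance owns its own cookie jar, so two OTP flows never share a JSESSIONID. It assumes the apiauthsvc URLs and JSON shapes quoted in the first post, reads the OTP out of the otp-hint field only because the poster's test setup echoes it there, and treats an HTTP 200 without "exceptionMsg" as a successful verify (an assumption). FakeAac is a constructed stand-in that reproduces only what reply 3 reports, so the script runs offline; swap in UrllibClient to run the same sequence against an appliance.

```python
"""Two-OTP sequence from the thread, with one cookie jar per flow."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

# Lab address and policy ID quoted in the first post.
BASE_URL = "https://192.168.200.194/mga/sps/apiauthsvc"
POLICY_ID = "urn:ibm:security:authentication:asf:spcpotp"
HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


class UrllibClient:
    """One instance = one cookie jar = one runtime session (what a fresh curl run gives)."""

    def __init__(self):
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def post_json(self, url, payload):
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers=HEADERS, method="POST")
        try:
            with self.opener.open(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")


class FakeAac:
    """Constructed offline stand-in. It models only what reply 3 reports: a session
    (cookie) carries one live state ID, and generating again in that session
    invalidates the earlier one, so verifying it returns FBTAUT017E."""
    _live = {}    # session cookie -> its live state id
    _states = {}  # state id -> (hint, otp)
    _seq = 0

    def __init__(self):
        FakeAac._seq += 1
        self.cookie = f"JSESSIONID-{FakeAac._seq}"  # fresh cookie jar per instance

    def post_json(self, url, payload):
        query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if "PolicyId" in query:
            FakeAac._seq += 1
            state_id = f"state-{FakeAac._seq}"
            FakeAac._states.pop(FakeAac._live.pop(self.cookie, None), None)  # old state dies
            FakeAac._live[self.cookie] = state_id
            FakeAac._states[state_id] = ("6767", f"{FakeAac._seq:06d}")
            hint, otp = FakeAac._states[state_id]
            return 200, {"stateId": state_id, "otp.user.otp-hint": f"{hint}-{otp}"}
        state_id = query.get("StateId")
        expected = FakeAac._states.get(state_id)
        if expected is None:  # message text from the thread; the 400 status is an assumption
            msg = f"FBTAUT017E Authentication service received an invalid state ID [{state_id}]."
            return 400, {"exceptionMsg": msg, "state": "", "message": ""}
        if (payload.get("otp.user.otp-hint"), payload.get("otp.user.otp")) != expected:
            return 400, {"exceptionMsg": "OTP mismatch", "state": "", "message": ""}
        FakeAac._states.pop(state_id)  # a state ID is consumed by a successful verify
        return 200, {"status": "success"}


def generate_otp(client, base_url=BASE_URL, policy_id=POLICY_ID):
    """Start the policy; returns (state_id, hint, otp). The OTP comes out of the
    hint field only because the thread's test setup echoes it there."""
    status, body = client.post_json(f"{base_url}?PolicyId={policy_id}", {})
    if status != 200 or "stateId" not in body:
        raise RuntimeError(f"generate failed: {status} {body}")
    hint, otp = body["otp.user.otp-hint"].split("-", 1)
    return body["stateId"], hint, otp


def verify_otp(client, state_id, hint, otp, base_url=BASE_URL):
    """Submit the OTP against one state ID; returns (ok, exception_message)."""
    payload = {"otp.user.otp": otp, "otp.user.otp-hint": hint, "operation": "verify"}
    status, body = client.post_json(f"{base_url}?StateId={state_id}", payload)
    return status == 200 and "exceptionMsg" not in body, body.get("exceptionMsg", "")


def demo(make_client):
    """Run the thread's sequence twice: sharing one client (one cookie jar), then
    with a fresh client per OTP. Returns (shared_first_ok, isolated_first_ok)."""
    shared = make_client()
    state1, hint1, otp1 = generate_otp(shared)
    generate_otp(shared)                         # second OTP in the same session
    shared_ok, _ = verify_otp(shared, state1, hint1, otp1)

    first, second = make_client(), make_client()
    state1, hint1, otp1 = generate_otp(first)
    generate_otp(second)                         # second OTP in its own session
    isolated_ok, _ = verify_otp(first, state1, hint1, otp1)
    return shared_ok, isolated_ok


if __name__ == "__main__":
    print(demo(FakeAac))          # (False, True) against the fake
    # print(demo(UrllibClient))   # same sequence against a real appliance
```

Against the fake, the shared-client run fails exactly as the first post describes and the isolated run succeeds. Against a real appliance the result of the shared run is what tells you whether the cookie was the cause; if it still fails with separate cookie jars, session state is not the problem and the cookieless configuration linked above will not help.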



  • 4.  RE: ISAM9 VA & Docker - OTP issues

    Posted Sun July 21, 2019 04:27 AM
    Sounds like you are on top of it. Let us know if any problems sorting out a solution.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------