IBM Verify

  • 1.  MGA Junction behaving differently

    Posted Thu April 02, 2020 10:18 AM
    Hello,
    I have two different setups of ISAM Reverse Proxies one is 9.0.6.0 and other is at version 9.0.7.1.

    I have RP instance configured on both these servers. I have setup MGA junction using the advance access control on this RP Instance. MGA junction and the ACLs attached on it are exact same on both the servers. I am actually testing the authentication using REST API call as below

    Method: PUT
    URL : https://<IP>/mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:password
    BODY : { "username" : "<validuser>", "password" : "<validPassword>" }

    On Server with 9.0.6.0, this REST API call returns response 204 with no contents and 2 cookies set - 1. PD-S-SESSION-ID and 2. AMWEBJCT!%2Fmga!JSESSIONID
    In the request log here I can see - 
    <USERID> 02/Apr/2020:21:28:05 +1100 "PUT /mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:password HTTP/1.1" 204 -

    On Server with 9.0.7.1, this REST API Call returns response { "operation" : "login"} with only 1 cookie PD-S-SESSION-ID and request log shows
    unauthenticated 02/Apr/2020:21:52:15 +1100 "PUT /mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:password HTTP/1.1" 200 30

    Can someone help me to understand why is this different in responses? Request log on 9.0.7.1 showing 'unauthenticated' is actually more of my concern.

    Thanks
    Kedar

    ------------------------------
    Kedar Kulkarni
    ------------------------------


  • 2.  RE: MGA Junction behaving differently

    Posted Thu April 02, 2020 11:02 AM
    Hello Kedar,

    The { "operation" : "login"} response is most likely coming from the Reverse Proxy.  It is indicating that you need to authenticate in order to reach the URL you are requesting (/mga/sps/apiauthsvc).

    You should check the ACL associated with this URL.  Usually this would be set to allow unauthenticated access when you run the "Authentication and Context-based Access" configuration wizard for the Reverse Proxy.

    The reason you're seeing different cookies is because you are not getting to the AAC Runtime which is what sets the JSESSIONID cookie.


    I would normally expect the user to be "unauthenticated" in the request log until authentication has completed... which it has not.  Actually I'm a bit confused how you're showing an authenticated user in the 9.0.6.0 session in the request for authentication?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
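    The distinction Jon describes (a 204 with the AAC JSESSIONID cookie means the request reached the AAC runtime; a 200 carrying { "operation" : "login" } with only the WebSEAL session cookie means the Reverse Proxy ACL stopped it first) can be checked mechanically. The following is an added example, not code from the thread or from IBM: it classifies a response from the apiauthsvc PUT call and includes an optional live probe. The host, the credentials and the two sample responses are constructed to mirror the two servers in the question.

```python
"""Classify a response from the ISAM/AAC apiauthsvc endpoint.

Added example for the thread above (not the posters' or IBM's code).
The sample responses below are constructed to mirror the 9.0.6.0 and
9.0.7.1 behaviour described in the question.
"""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

# Cookie set by the Reverse Proxy (WebSEAL) for its own session.
WEBSEAL_SESSION_COOKIE = "PD-S-SESSION-ID"
# Cookie set by the AAC runtime behind the /mga junction; its presence
# proves the request actually reached the runtime.
AAC_SESSION_COOKIE = "AMWEBJCT!%2Fmga!JSESSIONID"


@dataclass
class AuthProbeResult:
    status: int
    cookies: set
    body: str


def cookie_names(set_cookie_headers):
    """Extract cookie names from a list of raw Set-Cookie header values."""
    names = set()
    for header in set_cookie_headers:
        first_pair = header.split(";", 1)[0]
        names.add(first_pair.split("=", 1)[0].strip())
    return names


def classify(result):
    """Return a diagnosis string for an apiauthsvc response.

    'authenticated'        -> AAC runtime completed the password policy.
    'proxy_login_required' -> Reverse Proxy ACL denied unauthenticated access,
                              so the AAC runtime was never reached (the
                              misconfiguration discussed in this thread).
    'aac_error'            -> the runtime answered with an error status.
    'unknown'              -> anything else; inspect manually.
    """
    if result.status == 204 and AAC_SESSION_COOKIE in result.cookies:
        return "authenticated"
    try:
        parsed = json.loads(result.body) if result.body.strip() else {}
    except ValueError:
        parsed = {}
    if result.status == 200 and parsed.get("operation") == "login":
        return "proxy_login_required"
    if result.status >= 400:
        return "aac_error"
    return "unknown"


def probe(base_url, username, password, verify_tls=True):
    """Perform the PUT from the question and wrap the outcome.

    base_url is assumed to be something like https://rp.example.test (placeholder).
    Not called by the sample run below, so the module stays offline.
    """
    url = (base_url + "/mga/sps/apiauthsvc"
           "?PolicyId=urn:ibm:security:authentication:asf:password")
    payload = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=payload, method="PUT",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
            headers = resp.headers.get_all("Set-Cookie") or []
            return AuthProbeResult(resp.status, cookie_names(headers), body)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        headers = err.headers.get_all("Set-Cookie") or []
        return AuthProbeResult(err.code, cookie_names(headers), body)


# Constructed samples reproducing the two servers from the question.
SAMPLE_9060 = AuthProbeResult(
    204,
    cookie_names(["PD-S-SESSION-ID=abc123; Path=/; Secure",
                  "AMWEBJCT!%2Fmga!JSESSIONID=0000xyz; Path=/"]),
    "")
SAMPLE_9071 = AuthProbeResult(
    200,
    cookie_names(["PD-S-SESSION-ID=def456; Path=/; Secure"]),
    '{ "operation" : "login"}')

if __name__ == "__main__":
    for label, sample in (("9.0.6.0", SAMPLE_9060), ("9.0.7.1", SAMPLE_9071)):
        print(label, "->", classify(sample))
```

Running the module prints "authenticated" for the 9.0.6.0 sample and "proxy_login_required" for the 9.0.7.1 sample, which is the signal to go back and check the ACL on the /mga junction rather than the authentication policy itself.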



  • 3.  RE: MGA Junction behaving differently

    Posted Fri April 03, 2020 07:35 AM
    Thank you for the help Jon.
    I got the issue: I mistakenly created the /mga junction using the 'OAuth and OpenID Connect Provider configuration' instead of 'Authentication and context based access configuration' on 9.0.7.1. After the change it started giving me both the cookies.
    By the way, in the request log it shows userid and not 'unauthenticated'; maybe it shows the result of the API hit.


    ------------------------------
    Kedar Kulkarni
    ------------------------------