IBM i Global

  • 1.  MFA for HTTP on IBMi

    Posted Fri January 14, 2022 11:50 AM
    Has anyone implemented MFA for their applications running on IBMi's HTTP server? I'm trying to determine what options I have. Some of the vendors (Helpsystems, Precisely) have MFA solutions but not specifically to work with HTTP.


    ------------------------------
    Michael Geldert
    ------------------------------


  • 2.  RE: MFA for HTTP on IBMi

    Posted Sun January 16, 2022 12:23 PM
    The IBM Systems Lab Services Advanced Authentication (MFA) asset allows you to call it as a service program.  So the question becomes are you running straight up Apache using something like basic auth against an OS user or is there an app server (WAS, Tomcat, Liberty) that would allow you to code in a call to a service program?

    You can see more about Advanced Auth (read the manual, watch a video demo) on our website at https://ibm.biz/IBMiSecurity

    ------------------------------
    Robert Andrews
    Executive Security Consultant
    Rochester MN
    +1-507-253-4205
    ------------------------------



  • 3.  RE: MFA for HTTP on IBMi

    Posted Wed November 09, 2022 08:29 AM
    Thanks Robert, 
    Our application is running on the HTTP server (IBMi) with basic Auth.  We are running ProfoundUI to front end our application and that's the standard config.    Any idea how we'd be able to implement some sort of MFA?

    ------------------------------
    Michael Geldert
    ------------------------------



  • 4.  RE: MFA for HTTP on IBMi

    Posted Wed November 09, 2022 10:12 AM
    Michael - 

    That gets more complicated.  There is no way to add MFA into the basic auth prompt.  Hence you would need to switch from basic auth to auth handled by the web application.  Since this is not your app, you would need to work with Profound to see if there is a way to add MFA without using basic auth.

    ------------------------------
    Robert Andrews
    Executive Security Consultant
    Rochester MN
    +1-507-253-4205
    ------------------------------



  • 5.  RE: MFA for HTTP on IBMi

    Posted Wed November 09, 2022 12:37 PM
    I should clarify - there is no way directly in basic auth.  If you are using basic auth tied to a validation list, you are still out of luck.  However, if you are using basic auth tied to IBM i user profiles and passwords, our Advanced Auth running in Out of Band mode can work.  It works by disabling all user profiles.  This prevents sign on from any interface, including basic auth.  Then the users have to FIRST use an out of band process (green screen) to enable their profiles BEFORE going to the web interface.  This starts a timer (15 mins - admin changeable) where their account is enabled and can sign in.  After the timer expires, the account is disabled again.  But this would require the users to remember to do this before the web login and that they also have green screen emulators and access for ports 23 or 992.

    ------------------------------
    Robert Andrews
    Executive Security Consultant
    Rochester MN
    +1-507-253-4205
    ------------------------------
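
A small model of the Out of Band flow described in post 5, added here as an illustration; it is not IBM's code or the Advanced Authentication interface, and the class names, method names and sample user are hypothetical. It shows that the profile password alone is refused at the basic auth prompt until the out-of-band step has passed, and is refused again once the timer expires.

```python
# Model of the out-of-band window; hypothetical names, not IBM's code.
import hmac
from dataclasses import dataclass, field

WINDOW_SECONDS = 15 * 60  # default from the post; admin changeable


@dataclass
class Profile:
    password: str               # constructed sample value, model only
    enabled_until: float = 0.0  # 0.0 = disabled, the resting state


@dataclass
class System:
    profiles: dict = field(default_factory=dict)

    def out_of_band_enable(self, user, second_factor_ok, now):
        """Green-screen step: opens the window only if MFA passed."""
        if user not in self.profiles or not second_factor_ok:
            return False
        self.profiles[user].enabled_until = now + WINDOW_SECONDS
        return True

    def basic_auth(self, user, password, now):
        """Basic auth checked against user profiles."""
        p = self.profiles.get(user)
        if p is None or now >= p.enabled_until:
            return "denied: profile disabled"
        if not hmac.compare_digest(p.password, password):
            return "denied: bad password"
        return "ok"


def demo():
    s = System({"WEBUSER1": Profile("constructed-pw")})
    t0 = 1_000.0  # simulated clock, seconds
    out = [s.basic_auth("WEBUSER1", "constructed-pw", t0)]  # before MFA
    s.out_of_band_enable("WEBUSER1", False, t0)             # MFA failed
    out.append(s.basic_auth("WEBUSER1", "constructed-pw", t0))
    s.out_of_band_enable("WEBUSER1", True, t0)              # MFA passed
    out.append(s.basic_auth("WEBUSER1", "constructed-pw", t0 + 60))
    out.append(s.basic_auth("WEBUSER1", "constructed-pw", t0 + WINDOW_SECONDS))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```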



  • 6.  RE: MFA for HTTP on IBMi

    Posted Wed November 09, 2022 01:04 PM

    Thank you Robert.  I appreciate your assistance.



    ------------------------------
    Michael Geldert
    ------------------------------