Configuring and Deploying IBM Security Access Manager ...
IBM Software Group
WebSphere® Support Technical Exchange
Configuring and Deploying IBM Security Access Manager (ISAM) Reverse Proxy in DataPower®
Rao Nanduri and Chin Sahoo, [email protected] and [email protected], IBM DataPower Gateway and API Management L2 Support Team
Date: Sept 1, 2015
Agenda
Introduction
Configuration of Policy and Lightweight Directory Access Protocol (LDAP) servers in ISAM Appliance
Configuration of DataPower Artifacts to integrate with ISAM
Configuration of DataPower Service to use in ISAM Reverse Proxy
Troubleshooting
Summary
Why do we need IBM Security Access Manager (ISAM) for DataPower?
Web Workload Management
Virtual Hosting and Security policies
Session management
URL Rewriting
Context Based Access
One-time Password
Multi-factor Authentication
Strong Authentication
With ISAM integration and a cached policy database, DataPower becomes a high-performing security policy enforcement point (PEP).
Requirements to integrate DataPower with ISAM
Firmware: v7.1 or higher
Installation: License Activation, firmware installation
Platforms: virtual/physical (XG45, XI52, XB62)
Diagram: the DataPower Reverse Proxy connects to the ISAM Policy Server and LDAP.
Policy Server of either Mobile or Web physical or virtual appliances
LDAP Server (either local or remote)
ISAM Policy Server Configuration
ISAM Runtime server configured with Policy and LDAP Servers
Policy and LDAP servers can be local or remote
The local LDAP user registry by default listens on port 636 with SSL; port 389 is available only on 127.0.0.1.
ISAM Policy Server Configuration
Creating users in Embedded LDAP
Creating users in Embedded LDAP
Creating Groups in Embedded LDAP
Add users to the Group
Configure IBM Security Access Manager Reverse Proxy on DataPower
1. Set up Access Manager Runtime for connection to ISAM Policy Server and LDAP
2. Configure Access Manager Reverse Proxy with security junctions
3. Set up Access Control Lists (ACLs) and attach them to resources in ISAM Policy Server
4. Configure DataPower WebService Proxy (WS-Proxy) Service to interact with Reverse Proxy
DataPower Access Manager Runtime – Policy and LDAP Servers
Enter ISAM server run time information to connect to the Policy and LDAP Servers.
DataPower Access Manager Runtime – Manage Files
Configuring DataPower ISAM Reverse Proxy
IP or HostName and the Listening Port used by the ISAM policy server to contact the DataPower appliance
ISAM Administrator UserID and Password Alias defined as password map
The name of the ISAM management domain
Configuring DataPower ISAM Reverse Proxy
Protocol and Ports on the DataPower appliance on which Client requests are listened for
DataPower Appliance Interface on which Client HTTP(S) Requests are received
Idle Persistent Client connection Time, after which DataPower terminates the connection
The number of threads that are allocated to service client requests
Configuring DataPower ISAM Reverse Proxy: Enabling SSL on User Registry(Optional)
Optionally enable SSL on LDAP User Registry
KeyStore kdb with LDAP Trusted Certificates. The “.sth” file can also be uploaded to the kdb folder.
Configuring DataPower ISAM Reverse Proxy: Junction
The maximum time for sending to and reading from a TCP junction
The maximum number of connections between the proxy and a junctioned web server that can be cached, with a maximum idle time (timeout) for a cached persistent connection
Reverse Proxy Junction
Configuring DataPower ISAM Reverse Proxy : Junction
Configuring DataPower ISAM Reverse Proxy: Authentication and Session management
DataPower ISAM Reverse Proxy – Configuration Files
DataPower Access Manager Reverse Proxy Object
Adding ISAM ACLs in the Policy Server for the Junction
Configuring DataPower WebService proxy service
Configuring DataPower WebService Proxy Service
Configuring HTTP Front Side Handler (FSH)
Configuring WS-Proxy Processing rules
Making use of Federated User Registries
Federated User Registries
ISAM now supports federating remote user registries such as TDS, AD or Oracle Directory without adding any schemas or metadata.
With some manual addition of information about the federated LDAP instances into the DataPower reverse proxy configuration files, the federated users or groups can be used in the authentication or authorization process.
ISAM Configuration – Optionally Federating Remote LDAP Servers
ISAM Configuration – Optionally Federating Remote LDAP Servers
basic-user-principal-attribute = sAMAccountName
The embedded LDAP server listens on port 389 (non-SSL) and 636 (SSL) of the management interface of the appliance by default.
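An added example, not from the presentation: a small lint over the reverse proxy ldap.conf stanza that flags a remote registry reached without SSL (the deck only exposes port 389 on 127.0.0.1) and a missing principal attribute. The key basic-user-principal-attribute is taken from the slide; host, port, ssl-enabled, ssl-keyfile and basic-user-support are assumed names, and both sample stanzas are constructed.

```python
"""Added example, not from the presentation: lint an ISAM reverse proxy
ldap.conf [ldap] stanza before uploading it to the DataPower runtime.
Key names other than basic-user-principal-attribute (which the deck shows)
are assumed; both sample stanzas below are constructed for this example."""
import configparser
import io

PLAINTEXT_STANZA = """\
[ldap]
host = isam-runtime.example.internal
port = 389
ssl-enabled = no
basic-user-support = yes
basic-user-principal-attribute = sAMAccountName
"""

SSL_STANZA = """\
[ldap]
host = isam-runtime.example.internal
port = 636
ssl-enabled = yes
ssl-keyfile = /var/pdweb/keytab-default/ISAMLDAP.kdb
basic-user-support = yes
basic-user-principal-attribute = sAMAccountName
"""

def parse_stanza_file(text):
    # ISAM .conf files are INI-style stanzas; strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp

def check_ldap_stanza(text):
    """Return a list of findings; an empty list means the stanza passed."""
    ldap = parse_stanza_file(text)["ldap"]
    findings = []
    host = ldap.get("host", "")
    port = ldap.getint("port", 389)
    ssl_on = ldap.getboolean("ssl-enabled", False)
    # Plain LDAP is only offered on loopback, so a remote host without SSL sends the bind in clear.
    if not ssl_on and host not in ("127.0.0.1", "localhost"):
        findings.append("ssl-enabled is no but host is remote: bind credentials sent in clear text")
    if ssl_on and port == 389:
        findings.append("ssl-enabled is yes but port is 389: expected 636")
    if ssl_on and not ldap.get("ssl-keyfile"):
        findings.append("ssl-enabled is yes but ssl-keyfile (kdb) is not set")
    if ldap.getboolean("basic-user-support", False) and not ldap.get("basic-user-principal-attribute"):
        findings.append("basic-user-support is yes but basic-user-principal-attribute is unset")
    return findings
```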
DataPower ISAM Reverse Proxy – Update LDAP Configuration file for Federated LDAPs
DataPower ISAM Reverse Proxy – Update LDAP Configuration file for Federated LDAPs
Configuring DataPower Authentication, Authorization and Auditing (AAA) action to interact with ISAM based LDAP Server
Accessing ISAM LDAP and Policy Servers via Datapower AAA
Accessing ISAM LDAP and Policy implementation via Datapower AAA
Accessing ISAM LDAP and Policy implementation via Datapower AAA
Accessing ISAM LDAP and Policy implementation via Datapower AAA
Accessing ISAM LDAP and Policy implementation via Datapower AAA
The AAA object can use only a key database (kdb) with a password (instead of an .sth stash file). This makes it necessary to create a new kdb file with a known password.
Export the LDAP CA/personal cert keys from the SSL certificates location of the System Management settings of ISAM.
Create an empty kdb:
gsk7cmd -keydb -create -db ISAMLDAP.kdb -pw passw0rd -stash -type cms -expire 7200
Add the LDAP CA certificates:
gsk7cmd -cert -add -db ISAMLDAP.kdb -pw passw0rd -file serv.p12 -label "Server"
List the certificates to verify the kdb contents:
runmqckm -cert -list -db ISAMLDAP.kdb -pw passw0rd
Troubleshooting DataPower Services and ISAM Policy Server
Troubleshooting – Custom Log Target
Troubleshooting – Custom Log Target
Troubleshooting – Packet Capture enabled in default domain
Troubleshooting ISAM Policy Server
ISAM Policy Server and user-registry log files can be viewed and exported from the top menu: select Monitor Analysis and Diagnostics > Application Log Files.
DataPower Junction and connectivity related problems: Packet Capture, Debug Error Report file
Summary
Discussed configuration artifacts for ISAM Policy and LDAP servers
Presented configuration objects and requirements for Reverse Proxy, WebService Proxy and AAA action in DataPower to integrate with ISAM Policy server.
Discussed use case scenarios to deploy DataPower ISAM Reverse Proxy for the backend WebServer and DataPower based services.
Provided troubleshooting techniques and tips to debug Reverse Proxy and ISAM Policy server.
Connect with us!
1. Get notified on upcoming webcasts: send an e-mail to [email protected] with subject line “wste subscribe” to get a list of mailing lists and to subscribe
2. Tell us what you want to learn: send us suggestions for future topics or improvements about our webcasts to [email protected]
Questions and Answers
Additional WebSphere Product Resources
Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
Join the Global WebSphere Community: http://www.websphereusergroup.org
Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html