IBM Software Group
Configuring and Deploying IBM Security Access Manager (ISAM) Reverse Proxy in DataPower®
Rao Nanduri and Chin Sahoo
[email protected] and [email protected]
IBM DataPower Gateway and API Management L2 Support Team
Date: Sept 1, 2015
WebSphere® Support Technical Exchange
Agenda
- Introduction
- Configuration of Policy and Lightweight Directory Access Protocol (LDAP) servers in the ISAM Appliance
- Configuration of DataPower artifacts to integrate with ISAM
- Configuration of a DataPower service to use the ISAM Reverse Proxy
- Troubleshooting
- Summary
Why do we need IBM Security Access Manager (ISAM) for DataPower?
With ISAM integration and a cached policy database, DataPower becomes a high-performing security policy enforcement point (PEP), providing:
- Web workload management
- Context-based access
- Virtual hosting and security
- One-time password policies
- Session management
- URL rewriting
- Multi-factor authentication
- Strong authentication
Requirements to integrate DataPower with ISAM Reverse Proxy
Components: Policy Server, Reverse Proxy, LDAP
- DataPower firmware: v7.1 or higher
- Installation: license activation, firmware installation
- Platforms: virtual or physical (XG45, XI52, XB62)
- ISAM Policy Server: either Mobile or Web, physical or virtual appliance
- LDAP server: either local or remote
ISAM Policy Server Configuration
The ISAM Runtime server is configured with the Policy and LDAP servers. Policy and LDAP servers can be local or remote. The local LDAP user registry listens by default on port 636 with SSL; port 389 is available only on 127.0.0.1.
Creating users in Embedded LDAP (1)
Creating users in Embedded LDAP (2)
Creating Groups in Embedded LDAP
Add users to the group.
Configure IBM Security Access Manager Reverse Proxy on DataPower
1. Set up the Access Manager Runtime for connection to the ISAM Policy Server and LDAP.
2. Configure the Access Manager Reverse Proxy with security junctions.
3. Set up Access Control Lists (ACLs) and attach them to resources in the ISAM Policy Server.
4. Configure a DataPower Web Service Proxy (WS-Proxy) service to interact with the Reverse Proxy.
DataPower Access Manager Runtime – Policy and LDAP Servers
Enter the ISAM server runtime information to connect to the Policy and LDAP servers.
DataPower Access Manager Runtime – Manage Files
Configuring DataPower ISAM Reverse Proxy
- IP address or host name and the listening port used by the ISAM Policy Server to contact the DataPower appliance
- ISAM administrator user ID and a password alias defined as a password map
- The name of the ISAM management domain
Configuring DataPower ISAM Reverse Proxy
- Protocol and ports on the DataPower appliance on which client requests are listened for
- DataPower appliance interface on which client HTTP(S) requests are received
- Idle persistent client connection time, after which DataPower terminates the connection
- The number of threads that are allocated to service client requests
Configuring DataPower ISAM Reverse Proxy: Enabling SSL on User Registry (Optional)
Optionally enable SSL on the LDAP user registry.
Key store (kdb) with the LDAP trusted certificates. The “.sth” stash file can also be uploaded to the kdb folder.
Configuring DataPower ISAM Reverse Proxy: Junction
Reverse Proxy junction settings:
- The maximum time for sending to and reading from a TCP junction
- The maximum number of connections between the proxy and a junctioned web server that can be cached, and the maximum idle time (persistent connection timeout) for a cached connection
Configuring DataPower ISAM Reverse Proxy: Authentication and Session Management
DataPower ISAM Reverse Proxy – Configuration Files
DataPower Access Manager Reverse Proxy Object
Adding ISAM ACLs in the Policy Server for the Junction
Configuring DataPower Web Service Proxy Service
Configuring HTTP Front Side Handler (FSH)
Configuring WS-Proxy Processing Rules
Making use of Federated User Registries
Federated User Registries
ISAM now supports federating remote user registries such as TDS, AD or Oracle Directory without adding any schema or metadata.
With some manual addition of the federated LDAP instance information to the DataPower reverse proxy configuration files, the federated users or groups can be used in the authentication or authorization process.
ISAM Configuration – Optionally Federating Remote LDAP Servers
ISAM Configuration – Optionally Federating Remote LDAP Servers (continued)
    basic-user-principal-attribute = sAMAccountName
The embedded LDAP server listens on port 389 (non-SSL) and 636 (SSL) of the management interface of the appliance by default.
DataPower ISAM Reverse Proxy – Update LDAP Configuration File for Federated LDAPs
DataPower ISAM Reverse Proxy – Update LDAP Configuration File for Federated LDAPs (continued)
Configuring DataPower Authentication, Authorization and Auditing (AAA) Action to Interact with the ISAM-based LDAP Server
Accessing ISAM LDAP and Policy Servers via DataPower AAA
Accessing ISAM LDAP and Policy Implementation via DataPower AAA
The AAA object can only use a key database (kdb) with a password (instead of a .sth stash file). This makes it necessary to create a new kdb file with a known password.
Export the LDAP CA/personal certificate keys from the SSL Certificates location of the System Management settings of ISAM.
Create an empty kdb:
    gsk7cmd -keydb -create -db ISAMLDAP.kdb -pw passw0rd -stash -type cms -expire 7200
Add the LDAP CA certificates:
    gsk7cmd -cert -add -db ISAMLDAP.kdb -pw passw0rd -file serv.p12 -label "Server"
List the certificates in the kdb:
    runmqckm -cert -list -db ISAMLDAP.kdb -pw passw0rd
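As an added example (not from the deck or from IBM), the script below assembles the gsk7cmd sequence for a password-protected kdb that the AAA action can use, keeping one kdb name throughout and choosing the gsk7cmd verb by certificate file type: a bare CA certificate goes through -cert -add, while a PKCS#12 bundle such as serv.p12 (certificate plus private key) has to go through -cert -import. File names and passwords are placeholders; gsk7cmd is assumed to be on the PATH only when the printed commands are actually run.

```sh
#!/bin/sh
# Added example, not from the deck: build the gsk7cmd command sequence for a
# password-protected kdb used by the DataPower AAA action.  One kdb name is used
# for every command.  A bare certificate (.pem/.arm/.der/.crt) is added with
# "-cert -add"; a PKCS#12 bundle (.p12/.pfx) must be imported with "-cert -import".
# File names and passwords are placeholders, not values from the deck.

KDB_NAME="ISAMLDAP.kdb"           # one consistent name for every command
KDB_PASS="${KDB_PASS:-changeit}"  # placeholder; the AAA object is given this password

# Command that creates an empty CMS key database.  No -stash: the AAA action
# supplies the password itself, so a .sth file is not needed.
create_kdb_cmd() {
    printf '%s\n' "gsk7cmd -keydb -create -db $KDB_NAME -pw $KDB_PASS -type cms -expire 7200"
}

# Command that puts one certificate file into the kdb, chosen by file type.
# $1 = certificate file, $2 = label, $3 = PKCS#12 password (only for .p12/.pfx)
cert_cmd() {
    case "$1" in
        *.p12|*.pfx)
            printf '%s\n' "gsk7cmd -cert -import -db $1 -pw ${3:-p12-password} -type pkcs12 -label \"$2\" -target $KDB_NAME -target_pw $KDB_PASS" ;;
        *.pem|*.arm|*.der|*.crt)
            printf '%s\n' "gsk7cmd -cert -add -db $KDB_NAME -pw $KDB_PASS -file $1 -label \"$2\"" ;;
        *)
            printf 'unsupported certificate file: %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Command that lists what ended up in the kdb (the check the deck does with runmqckm).
list_kdb_cmd() {
    printf '%s\n' "gsk7cmd -cert -list -db $KDB_NAME -pw $KDB_PASS"
}

# Print the whole sequence; run it for real with:  build_kdb | sh   (on a host with gsk7cmd)
build_kdb() {
    create_kdb_cmd
    cert_cmd isam-ldap-ca.pem "ISAM LDAP CA"           || return 1
    cert_cmd serv.p12 "Server" "${P12_PASS:-changeit}" || return 1
    list_kdb_cmd
}
```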
Troubleshooting DataPower Services and ISAM Policy Server
Troubleshooting – Custom Log Target
Troubleshooting – Packet Capture Enabled in the Default Domain
Troubleshooting ISAM Policy Server
ISAM Policy Server and user registry log files can be viewed and exported from the top menu: select Monitor Analysis and Diagnostics > Application Log Files.
For DataPower junction and connectivity related problems:
- Packet capture
- Debug error report file
Summary
- Discussed configuration artifacts for the ISAM Policy and LDAP servers.
- Presented the configuration objects and requirements for the Reverse Proxy, Web Service Proxy and AAA action in DataPower to integrate with the ISAM Policy Server.
- Discussed use case scenarios to deploy the DataPower ISAM Reverse Proxy for the backend web server and DataPower-based services.
- Provided troubleshooting techniques and tips to debug the Reverse Proxy and ISAM Policy Server.
Connect with us!
1. Get notified on upcoming webcasts: send an e-mail to [email protected] with subject line “wste subscribe” to get a list of mailing lists and to subscribe.
2. Tell us what you want to learn: send us suggestions for future topics or improvements about our webcasts to [email protected]
Questions and Answers
Additional WebSphere Product Resources
- Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
- Discover the latest trends in WebSphere technology and implementation, and participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
- Join the Global WebSphere Community: http://www.websphereusergroup.org
- Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
- View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
- Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html