Configuring and Deploying IBM Security Access Manager (ISAM) Reverse Proxy in DataPower


IBM Software Group

Configuring and Deploying IBM Security Access Manager (ISAM) Reverse Proxy in DataPower®
Rao Nanduri and Chin Sahoo
[email protected] and [email protected]
IBM DataPower Gateway and API Management L2 Support Team

Date: Sept 1, 2015

WebSphere® Support Technical Exchange

Agenda
- Introduction
- Configuration of Policy and Lightweight Directory Access Protocol (LDAP) servers in the ISAM Appliance
- Configuration of DataPower artifacts to integrate with ISAM
- Configuration of a DataPower service to use in the ISAM Reverse Proxy
- Troubleshooting
- Summary

Why do we need IBM Security Access Manager (ISAM) for DataPower?

With ISAM integration and a cached policy database, DataPower becomes a high-performing security policy enforcement point (PEP) that provides:
- Web workload management
- Context-based access
- Virtual hosting and security
- One-time password policies
- Session management
- URL rewriting
- Multi-factor authentication
- Strong authentication

Requirements to integrate DataPower with ISAM Reverse Proxy

(Diagram: Policy Server, Reverse Proxy and LDAP)

DataPower:
- Firmware: v7.1 or higher
- Installation: license activation and firmware installation
- Platforms: virtual or physical (XG45, XI52, XB62)

ISAM:
- Policy Server on either Mobile or Web physical or virtual appliances
- LDAP Server (either local or remote)

ISAM Policy Server Configuration
- The ISAM Runtime server is configured with the Policy and LDAP Servers.
- Policy and LDAP servers can be local or remote.
- The local LDAP user registry listens by default on port 636 with SSL. Port 389 is available only on 127.0.0.1.

Creating users in Embedded LDAP (screenshot walkthrough, steps 1 and 2)

Creating Groups in Embedded LDAP: add users to the group

Configure IBM Security Access Manager Reverse Proxy on DataPower
1. Set up the Access Manager Runtime for connection to the ISAM Policy Server and LDAP
2. Configure the Access Manager Reverse Proxy with security junctions
3. Set up Access Control Lists (ACLs) and attach them to resources in the ISAM Policy Server
4. Configure the DataPower WebService Proxy (WS-Proxy) service to interact with the Reverse Proxy

DataPower Access Manager Runtime – Policy and LDAP Servers
Enter the ISAM server runtime information to connect to the Policy and LDAP Servers.

DataPower Access Manager Runtime – Manage Files

Configuring DataPower ISAM Reverse Proxy
Fields shown in the screenshot:
- IP or hostname and the listening port used by the ISAM policy server to contact the DataPower appliance
- ISAM administrator user ID and the password alias defined in a password map
- The name of the ISAM management domain

Configuring DataPower ISAM Reverse Proxy
Protocol and ports on the DataPower appliance on which client requests are listened for:
- DataPower appliance interface on which client HTTP(S) requests are received
- Idle persistent client connection time, after which DataPower terminates the connection
- The number of threads allocated to service client requests

Configuring DataPower ISAM Reverse Proxy: Enabling SSL on User Registry (Optional)
- Optionally enable SSL on the LDAP user registry.
- Key store: a kdb with the LDAP trusted certificates. The ".sth" stash file can also be uploaded to the kdb folder.

Configuring DataPower ISAM Reverse Proxy: Junction
Reverse Proxy junction settings:
- The maximum time allowed for sending to and reading from a TCP junction
- The maximum number of connections between the proxy and a junctioned web server that can be cached, together with the maximum idle time of a cached connection (persistent connection timeout)

Configuring DataPower ISAM Reverse Proxy: Authentication and Session management

DataPower ISAM Reverse Proxy – Configuration Files

DataPower Access Manager Reverse Proxy Object

Adding ISAM ACLs in the Policy Server for the Junction

Configuring DataPower WebService Proxy Service

Configuring HTTP Front Side Handler (FSH)

Configuring WS-Proxy Processing Rules

Making use of Federated User Registries

Federated User Registries
- ISAM now supports federating remote user registries such as TDS, AD or Oracle Directory without adding any schemas or metadata.
- With some manual addition of the federated LDAP instances' information to the DataPower reverse proxy configuration files, the federated users or groups can be used in the authentication or authorization process.

ISAM Configuration – Optionally Federating Remote LDAP Servers

ISAM Configuration – Optionally Federating Remote LDAP Servers

Example setting from the federated registry configuration:
    basic-user-principal-attribute = sAMAccountName

The embedded LDAP server listens on port 389 (non-SSL) and 636 (SSL) of the appliance's management interface by default.
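The slides above and the "Update LDAP Configuration file for Federated LDAPs" slides that follow describe hand-editing a stanza-style LDAP configuration file, where two settings matter for security: the principal attribute used to match federated users, and whether each registry connection uses SSL on 636 rather than plain 389 (which the appliance only offers on 127.0.0.1). The following is an added example, not code from the presentation or from IBM, that parses such a file and flags risky entries. Only "basic-user-principal-attribute" is taken from the slides; every other stanza name and key (host, port, ssl-enabled, ssl-keyfile, the federated-* stanzas) is an assumption made for this illustration, and the sample file is constructed.

```python
import configparser

# Constructed sample of a stanza file (key = value lines under a [stanza]
# header). Only "basic-user-principal-attribute" comes from the presentation;
# every other stanza and key name is an assumption made for this example.
SAMPLE_LDAP_CONF = """\
[ldap]
host = 127.0.0.1
port = 389
ssl-enabled = no
basic-user-support = yes
basic-user-principal-attribute = sAMAccountName

[federated-ad-corp]
host = ad.corp.example
port = 389
ssl-enabled = no

[federated-tds-hr]
host = tds.hr.example
port = 636
ssl-enabled = yes
ssl-keyfile = ISAMLDAP.kdb
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_stanzas(text):
    """Parse stanza text into {stanza: {key: value}}; keys are lower-cased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def audit_ldap_conf(text):
    """Return a list of (stanza, problem) tuples for risky registry settings.

    Rules mirror the slides: the local registry may use plain 389 only on
    127.0.0.1; any other registry should use SSL on 636 with a kdb holding the
    LDAP CA, and federated users need a principal attribute to match on.
    """
    stanzas = parse_stanzas(text)
    findings = []

    ldap = stanzas.get("ldap", {})
    if not ldap.get("basic-user-principal-attribute"):
        findings.append(("ldap", "basic-user-principal-attribute is not set"))

    for name, keys in stanzas.items():
        host = keys.get("host")
        if host is None:
            continue  # stanza does not describe a registry server
        ssl_on = keys.get("ssl-enabled", "no").strip().lower() == "yes"
        port = int(keys.get("port", "636" if ssl_on else "389"))
        remote = host.strip().lower() not in LOOPBACK_HOSTS

        if remote and not ssl_on:
            findings.append((name, f"plaintext LDAP to remote host {host}:{port}; use SSL on 636"))
        if ssl_on and port == 389:
            findings.append((name, "ssl-enabled but port is 389; expected 636"))
        if ssl_on and not keys.get("ssl-keyfile"):
            findings.append((name, "ssl-enabled but no ssl-keyfile (kdb with the LDAP CA) given"))

    return findings


if __name__ == "__main__":
    for stanza, problem in audit_ldap_conf(SAMPLE_LDAP_CONF):
        print(f"[{stanza}] {problem}")
```

Run against the constructed sample, the only finding is the federated AD stanza that talks plain LDAP to a remote host; the loopback entry on 389 is accepted because that is exactly the case the appliance allows.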

DataPower ISAM Reverse Proxy – Update LDAP Configuration file for Federated LDAPs (screenshot walkthrough, steps 1 and 2)

Configuring DataPower Authentication, Authorization and Auditing (AAA) action to interact with ISAM based LDAP Server

Accessing ISAM LDAP and Policy Servers via DataPower AAA (screenshot walkthrough)

Accessing ISAM LDAP and Policy implementation via DataPower AAA
- The AAA object can use only a key database (kdb) with a password (instead of an .sth stash file). This makes it necessary to create a new kdb file with a known password.
- Export the LDAP CA/personal certificate keys from the SSL certificates location of the System Management settings of ISAM.
- Create an empty kdb:
    gsk7cmd -keydb -create -db ISAMLDAP.kdb -pw passw0rd -stash -type cms -expire 7200
- Add the LDAP CA certificates:
    gsk7cmd -cert -add -db ISAMLDAP.kdb -pw passw0rd -file serv.p12 -label "Server"
- List the certificates in the kdb to verify the import:
    runmqckm -cert -list -db ISAMLDAP.kdb -pw passw0rd

Troubleshooting DataPower Services and ISAM Policy Server

Troubleshooting – Custom Log Target

Troubleshooting – Packet Capture enabled in the default domain

Troubleshooting ISAM Policy Server
- ISAM Policy Server and user registry log files can be viewed and exported from the top menu: select Monitor Analysis and Diagnostics > Application Log Files.
- For DataPower junction and connectivity related problems, use a packet capture and the debug error report file.

Summary
- Discussed configuration artifacts for the ISAM Policy and LDAP servers.
- Presented the configuration objects and requirements for the Reverse Proxy, WebService Proxy and AAA action in DataPower to integrate with the ISAM Policy Server.
- Discussed use case scenarios to deploy the DataPower ISAM Reverse Proxy for a backend web server and for DataPower-based services.
- Provided troubleshooting techniques and tips to debug the Reverse Proxy and the ISAM Policy Server.

Connect with us!
1. Get notified on upcoming webcasts: send an e-mail to [email protected] with subject line "wste subscribe" to get a list of mailing lists and to subscribe.
2. Tell us what you want to learn: send us suggestions for future topics or improvements about our webcasts to [email protected].

Questions and Answers

Additional WebSphere Product Resources
- Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
- Discover the latest trends in WebSphere technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
- Join the Global WebSphere Community: http://www.websphereusergroup.org
- Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
- View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
- Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html