ISIM7VA SSO WITH ISAM9.0.X 16/02/2017 Ranvijay Singh ISAM Support


Page 1: ISIM7VA SSO WITH ISAM9.0 sec_master> server task isim7appsso-webseald-labweb1sso.ibm.com create -t ssl -h isimserver -p 9082 -c iv_creds -b supply -j /isimapp • Create ACLs and attach


Page 2

Agenda

• ISAM configuration for SSO

• ISAM Service Creation in ISIM VA

• ISIM SSO Configurations

• SSO Validation

Page 3

ISAM configuration for SSO

Page 4

ISAM configuration for SSO

• We assume that the ISAM environment is already set up, meaning that the Policy Server, WebSEAL and Authorization Server are already installed and configured.

• Here we are using the hosts below for the SSO configuration:

Policy Server : isamnode1
Authorization Server : isamauth1 , isamauth2
WebSEAL Server : labweb1sso.ibm.com
ISDS Server : masterldap
TDI Server : tdiadapter

• We can use either the “pdadmin” console or “WPM” for creating users, junctions, ACLs etc.

• Please make sure your ISIM 7 virtual appliance is deployed and configured before starting the SSO configuration.

Page 5

Continue …

• Create the SSO user on ISAM

Create user
pdadmin sec_master> user create isamssodemo cn=isamssodemo,o=ibm,c=in isamssodemo isamssodemo admin@123

Modify user
pdadmin sec_master> user modify isamssodemo account-valid yes

Show user
pdadmin sec_master> user show isamssodemo
Login ID: isamssodemo
LDAP DN: cn=isamssodemo,o=ibm,c=in
LDAP CN: isamssodemo
LDAP SN: isamssodemo
Description:
Is SecUser: Yes
Is GSO user: No
Account valid: Yes
Password valid: Yes

Modify the WebSEAL configuration file and restart WebSEAL

basicauth-dummy-passwd = admin@123

Page 6

Continue …

• Create groups and add the user to the groups

Create group
pdadmin sec_master> group create ITIM-Group cn=ITIM-Group,o=ibm,c=in ITIM-Group
pdadmin sec_master> group create ITIM-Self-Service-Group cn=ITIM-Self-Service-Group,o=ibm,c=in ITIM-Self-Service-Group
pdadmin sec_master> group create ITIM-ISC-Group cn=ITIM-ISC-Group,o=ibm,c=in ITIM-ISC-Group

Modify group
pdadmin sec_master> group modify ITIM-Group add "isimuser"
pdadmin sec_master> group modify ITIM-Self-Service-Group add "isimuser"
pdadmin sec_master> group modify ITIM-ISC-Group add "isimuser"

Page 7

Continue …

• Import the ISIM certificate into the WebSEAL kdb

Navigate to Manage System Settings – Secure Settings – select the kdb, go to Manage – Edit SSL Certificate Database, then go to Manage – Load.

• We can also export the certificate and import it into the kdb.

Page 8

Continue …

• Create junction. Here I am creating a standard junction; customers can create the junction according to their business requirement.

pdadmin sec_master> server task isim7appsso-webseald-labweb1sso.ibm.com create -t ssl -h isimserver -p 9082 -c iv_creds -b supply -j /isimapp

• Create ACLs and attach them to the resource

Create ACLs
pdadmin sec_master> acl create ITIM-ACL
pdadmin sec_master> acl create ITIM-Self-Help-ACL
pdadmin sec_master> acl create ITIM-ISC-ACL

Modify ACLs
pdadmin sec_master> acl modify ITIM-ACL set group ITIM-Group Trx
pdadmin sec_master> acl modify ITIM-ACL set any-other T
pdadmin sec_master> acl modify ITIM-ACL set unauthenticated T
pdadmin sec_master> acl modify ITIM-Self-Help-ACL set group ITIM-Self-Service-Group Trx
pdadmin sec_master> acl modify ITIM-Self-Help-ACL set any-other T
pdadmin sec_master> acl modify ITIM-Self-Help-ACL set unauthenticated T
pdadmin sec_master> acl modify ITIM-ISC-ACL set any-other T
pdadmin sec_master> acl modify ITIM-ISC-ACL set unauthenticated T
pdadmin sec_master> acl modify ITIM-ISC-ACL set group ITIM-ISC-Group Trx

Page 9

Continue …

Attach ACLs
pdadmin sec_master> acl attach /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/console ITIM-ACL
pdadmin sec_master> acl attach /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/self ITIM-Self-Help-ACL
pdadmin sec_master> acl attach /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/ui ITIM-ACL

• Show the object and verify that the ACL is attached

pdadmin sec_master> object show /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/console
Name: /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/console
Description: Object from host isamnode5.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL: ITIM-ACL
Attached POP:
Attached AuthzRule:
Effective Extended Attributes:
Effective ACL: ITIM-ACL
Effective POP:
Effective AuthzRule:

Page 10

Continue …

pdadmin sec_master> object show /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/self
Name: /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/self
Description: Object from host isamnode5.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL: ITIM-Self-Help-ACL
Attached POP:
Attached AuthzRule:
Effective Extended Attributes:
Effective ACL: ITIM-Self-Help-ACL
Effective POP:
Effective AuthzRule:

pdadmin sec_master> object show /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/ui
Name: /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/ui
Description: Object from host isamnode5.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL: ITIM-ISC-ACL
Attached POP:
Attached AuthzRule:
Effective Extended Attributes:
Effective ACL: ITIM-ISC-ACL
Effective POP:
Effective AuthzRule:
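The ACL steps above can be audited from captured pdadmin output rather than by eye. The script below is an added example, not part of the original deck: it checks that unauthenticated and any-other hold no more than T (traverse) and that the expected ACL is effective on the junction object. The sample output is constructed to resemble "acl show" and "object show"; the exact line layout is an assumption.

```shell
# Added example, not from the original deck: read-only audit of the junction
# ACLs described above, run over captured pdadmin output. The sample text is
# constructed to resemble "acl show"/"object show"; adjust patterns to your release.

# Constructed sample of "pdadmin sec_master> acl show ITIM-ACL".
ACL_OUT='    ACL Name: ITIM-ACL
    Description:
    Entries:
        User sec_master TcmdbsvaBRrxl
        Group ITIM-Group Trx
        Any-other T
        Unauthenticated T'

# Constructed sample of "object show" for the /itim/console resource.
OBJ_OUT='Name: /WebSEAL/labweb1sso.ibm.com-isim7appsso/isimapp/itim/console
Description: Object from host isamnode5.
Type: 16 (Management Object)
Is Policy Attachable: Yes
Attached ACL: ITIM-ACL
Effective ACL: ITIM-ACL'

# acl_perms ACL_TEXT ENTRY: permission string of one entry ("unauthenticated",
# "any-other", "group ITIM-Group"); empty when the entry is absent.
acl_perms() {
    printf '%s\n' "$1" | awk -v e="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = tolower($0); sub(/^ +/, "", line) }
        index(line, e " ") == 1 { print $NF; exit }'
}

# effective_acl OBJ_TEXT: name of the ACL that is effective on the object.
effective_acl() {
    printf '%s\n' "$1" | sed -n 's/^ *Effective ACL: *//p' | head -n 1
}

# public_entries_ok ACL_TEXT: 0 when unauthenticated and any-other hold at most
# T (traverse), as the deck sets them; r or x here would expose the junction.
public_entries_ok() {
    for e in unauthenticated any-other; do
        p=$(acl_perms "$1" "$e")
        case "$p" in
            T|'') ;;
            *) echo "entry $e holds '$p', expected T only" >&2; return 1 ;;
        esac
    done
    return 0
}
# acl_attached OBJ_TEXT NAME: 0 when NAME is the effective ACL on the object.
acl_attached() { [ "$(effective_acl "$1")" = "$2" ]; }

public_entries_ok "$ACL_OUT" && acl_attached "$OBJ_OUT" ITIM-ACL && echo "ITIM-ACL audit: OK"
```

Feed it the real output of `acl show` and `object show` for each of the three ACLs and objects on pages 8 to 10 to confirm the policy before the SSO demo.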

Page 11

ISAM Service Creation in ISIM7VA

Page 12

ISAM Service Creation in ISIM VA

• Please make sure you have imported the ISAM service profile into ISIM and that the RMI dispatcher is installed and running.

• Download "pdjrte" from the ISAM appliance. Navigate to Manage System Settings -> File Downloads -> ISAM

• These two commands need to be executed on the server where the TDI Dispatcher is installed and configured.

#pdjrtecfg -action config -host isamnode1 -p 7135 -java_home <TDI_JAVA_HOME>

#java -cp <TDI_JAVA_HOME>/lib/ext/PD.jar com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd object00 -appsvr_id isamadapterRegAPI -port 9988 -mode remote -policysvr isamnode1:7135:1 -authzsvr isamauth1:7136:1,isamauth2:7136:2 -cfg_file <TDI_HOME>/timsol/tamtdiRegAPI.conf -key_file <TDI_HOME>/timsol/tamtdiRegAPI.ks -ldap_mgmt true -ldap_svrs masterldap:1389:readwrite:5 -ldap_ssl_enable false -certrefresh false -cfg_action replace

• The command above creates the two files "tamtdiRegAPI.conf" and "tamtdiRegAPI.ks", which we will use when creating the ISAM service.

Page 13

Continue …

• Open the ISIM console and navigate to Manage Services, click Create and select "IBM Security Access Manager Profile".

Page 14

Continue …

This file is created after running “SvrSslCfg”

Page 15

Continue …

Adapter Details

Service Created

Page 16

Continue …

• After creating the service we need to run a reconciliation; customers can run a full reconciliation or only "Reconcile supporting data".

Full Reconciliation - imports all users from ISAM into ISIM

Reconcile supporting data - imports all the groups from ISAM into ISIM

Page 17

Continue …

• After a successful reconciliation you can see the group details under the service.

Page 18

ISIM7VA SSO Configuration

Page 19

ISIM SSO Configurations

• Open the ISIM LMI

• Navigate to Configure Identity Manager -> Manage Server Setting - Single Sign-On Configuration

Page 20

Continue…

Form fields shown: Policy server / Port / Rank

Form fields shown: Authorization server / Port / Rank

Use the same user name that we created above for the SSO user. This user will be used for creating the server definition.

pdadmin sec_master> s s isamssodemo-9.182.195.177
isamssodemo-9.182.195.177
Description:
Hostname: 9.182.195.177
Principal: isamssodemo/9.182.195.177
Administration Request Port: 7135
Listening for authorization database update notifications: No

Page 21

Continue…

• Account Mapping in SSO

In single sign-on, account mapping occurs between IBM Security Access Manager and IBM Security Identity Manager during login authentication. The values are as follows:

True : No mapping is attempted. The IBM Security Access Manager user account that is passed in the iv-user HTTP request header must be identical to an IBM Security Identity Manager user account. This user account is defined in the IBM Security Identity Manager directory for the user to log in to IBM Security Identity Manager.

False: The IBM Security Access Manager user account that is passed in the iv-user HTTP request header is used to search the ISIM directory for a matching IBM Security Identity Manager user account.

Page 22

Continue…

• If the accounts are not identical, then we can configure IBM Security Identity Manager user account mapping.

This is controlled by the “enrole.authentication.idsEqual” attribute in the “enRoleAuthentication.properties” file.

Log on to the IBM Security Identity Manager virtual appliance console. Navigate to Configure > Advanced Configuration > Update, click Identity server property files and select enRoleAuthentication.properties.

Page 23

Continue…

enrole.authentication.idsEqual=true

No mapping is attempted.

enrole.authentication.idsEqual=false

The ISAM user account passed in the iv-user HTTP request header is used to search the ISIM directory for a matching ISIM user account:

If an identical ISIM account is found, the user can log in to IBM Security Identity Manager. If an identical ISIM account is not found, then IBM Security Identity Manager attempts to locate a matching IBM Security Identity Manager user account with the following mapping logic:

a. The ISAM user account in the iv-user HTTP request header is used to search the ISIM directory for an ISAM user account.

b. If an identical ISAM user account is found in the ISIM directory, it searches for the ISIM Person entity that owns the user account. If an owning Person entity cannot be located, the user cannot log in.

c. If the Person entity that owns the matching ISAM user account is found, then a search is performed for an ISIM user account owned by that entity. If a user account owned by the Person is found, then the user can log in to IBM Security Identity Manager with that IBM Security Identity Manager user account. Otherwise, the user cannot log in.
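The decision above is easy to misread, so here is the idsEqual logic walked through on a constructed mini-directory. This is an added example, not ISIM's own code: the table layout, the sample accounts and the Person DNs are invented, and the lookup order follows steps a to c as stated on this page.

```shell
# Added example, not part of the original deck: the enrole.authentication.idsEqual
# decision (true = no mapping, false = steps a to c above) over a constructed
# directory. Rows are service|account_id|owning_person_dn; all values invented.
DIRECTORY='ISIM|isimuser|uid=1001,ou=people,o=ibm
ISAM|isamssodemo|uid=1001,ou=people,o=ibm
ISAM|orphan|
ISAM|alice|uid=2002,ou=people,o=ibm'

# owner_of SERVICE ACCOUNT: print the owning Person DN (may be empty);
# status 1 when no such account exists on that service.
owner_of() {
    printf '%s\n' "$DIRECTORY" | awk -F'|' -v s="$1" -v a="$2" '
        $1 == s && $2 == a { found = 1; print $3 }
        END { exit !found }'
}

# isim_account_of PERSON_DN: print the ISIM account owned by that Person;
# status 1 when the Person owns none.
isim_account_of() {
    printf '%s\n' "$DIRECTORY" | awk -F'|' -v dn="$1" '
        $1 == "ISIM" && $3 == dn { found = 1; print $2 }
        END { exit !found }'
}

# map_iv_user IV_USER IDS_EQUAL: print the ISIM login to use and return 0,
# or return 1 when the login must be refused.
map_iv_user() {
    ivuser=$1; ids_equal=$2
    # An identical ISIM account exists: log in as-is under either setting.
    if owner_of ISIM "$ivuser" >/dev/null; then printf '%s\n' "$ivuser"; return 0; fi
    # idsEqual=true: no mapping is attempted.
    if [ "$ids_equal" = true ]; then return 1; fi
    # a. the header value must match an ISAM account held in the ISIM directory
    owner=$(owner_of ISAM "$ivuser") || return 1
    # b. that ISAM account must have an owning Person
    [ -n "$owner" ] || return 1
    # c. that Person must own an ISIM account, which becomes the login
    isim_account_of "$owner"
}

map_iv_user isamssodemo false
```

With the constructed data, isamssodemo maps to isimuser only when idsEqual=false; orphan (no owning Person) and alice (Person with no ISIM account) are refused in both modes.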

Page 24

SSO Validation

Page 25

• Here we will see a demo of the SSO validation.

Page 26

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU