HTTP Transformation Rules with IBM Security Access Manager

Transcription

1 HTTP Transformation Rules with IBM Security Access Manager IBM SECURITY SUPPORT OPEN MIC To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: October 17, 2017 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 HTTP Transformation Rules with IBM Security Access Manager IBM SECURITY SUPPORT OPEN MIC October 17, 2017

3 Panelists Reagan Knowles Presenter L2 Support Engineer Nick Lloyd Presenter L2 Support Engineer Kathy Hansen Moderator L2 Support Manager 3 IBM Security

4 Goals of session HTTP Transformation Rules Description Configuration Troubleshooting Example Rules 4 IBM Security

5 Description of HTTP Transformation Rules

6 What are HTTP Transformation Rules? Modify - Add - Remove HTTP requests and responses as they pass through the ISAM reverse proxy Specify rules with XSL transformation rule (XSLT) Invoked by a POP (old method) or a pattern in the request-match (new method) 6 IBM Security

7 What are HTTP Transformation Rules? Supported Modifications Add/remove header Modify existing header Modify URI (request only) Modify method (request only) Modify authorization object name (request only) Modify HTTP version Modify HTTP status code (response only) Modify status reason (response only) Add/remove cookie Modify existing cookie Add a body (response only) Limitations Can not modify the body of the request or response Can not modify cookies or headers that are inserted by the reverse proxy Headers like: iv-user, iv-creds, Authorization, Host Cookies like: PD-S-SESSION-ID (session), PD-ID (failover), IV_JCT 7 IBM Security

8 Configuration

9 Configuration Overview POP extended attribute value or Pattern Match points to Resource Name Resource Name points to XSL Transformation Rule The evaluation of the rule occurs early in the request processing. As a result, credential attributes are not available in the evaluation of the rule for Pattern Matches. If you want to use credential attributes in your request transformation, use the POP mechanism for invoking the rule. POP (pdadmin or WPM) Resource Name (config file) XSL Transformation Rule (loaded in LMI) Pattern Match (config file) 9 IBM Security

10 Configuration Load the XSL file with the rule into the LMI. XSL rule can be edited in the LMI. Example below will add a header. 10 IBM Security

11 Configuration Edit the [http-transformations] stanza in the reverse proxy configuration file Matches extended attribute value from POP Or matches resource name in stanza Refers to the xsl file that was loaded in LMI 11 IBM Security

12 Two Methods for Configuration Use a POP (old method) Create a POP named http-transformation-pop Attach the POP to the resource Create extended attributes Extended attribute name must match HTTPTransformation Extended attribute value must start with Request= or Response= Extended attribute value refers to the resource-name in the reverse proxy configuration file under the stanza [http-transformations] 12 IBM Security

13 Two Methods for Configuration Pattern Match (new method) [http-transformations] # The following files are currently available for this configuration entry: # - addexampleheader.xsl addexampleheader = addexampleheader.xsl # # The [http-transformations:<resource-name>] stanza is used to house # configuration which is specific to a particular HTTP transformation resource. # [http-transformations:addexampleheader] # For example: # request-match = request:get /index.html HTTP/1.1 # request-match = response:get /jct/* # request-match = response:[ /login/* # request-match = request:get /apple/index.html HTTP/ IBM Security

14 Two Methods for Configuration Example from pdweb.debug log Browser ===> PD Thread ; fd 19; local :445; remote :62353 GET /apple/ HTTP/1.1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding: gzip, deflate, br accept-language: en-us,en;q=0.5 connection: keep-alive host: fimlnx.tivlab.austin.ibm.com:445 referer: user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/ Firefox/52.0 upgrade-insecure-requests: 1 dnt: 1 Cookie: PD-S-SESSION-ID=1_2_1_wcTvV9llm7RNB6XpxwjrBLyi-hF6+XSslQe+3YKkF4shkRXv PD ===> BackEnd Thread ; fd 24; local :43876; remote :8080 GET / HTTP/1.1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language: en-us,en;q=0.5 connection: close content-length: 0 host: osseal.tivlab.austin.ibm.com:8080 user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/ Firefox/52.0 via: HTTP/1.1 fimlnx.tivlab.austin.ibm.com:445 this_was_added: ADDED_VALUE upgrade-insecure-requests: 1 iv_server_name: reagan-webseald-fimlnx.tivlab.austin.ibm.com dnt: 1 14 IBM Security

15 Troubleshooting & Known APARs

16 Troubleshooting Enable Tracing pdweb.debug pdweb.http.transformation Check the reverse proxy message log IBM Security Access Manager WebSEAL Version (Build ) Copyright (C) IBM Corporation All Rights Reserved Fatal Error.Occurred at file /var/pdweb/shared/xslt/http-transformation/addexampleheader.xsl, line 16, column 9. Illegal sequence '--' in comment :53: :00I x1005B3B5 webseald ERROR acl authzn HTTPTransformationRule.cpp 83 0x7f845755d HPDAC0949E Validation of the rule text for rule object "/var/pdweb/shared/xslt/http-transformation/addexampleheader.xsl" failed. Error code 0xfffffffe was returned along with error message "SAXParseException: Illegal sequence '--' in comment (/var/pdweb/shared/xslt/http-transformation/addexampleheader.xsl, line 16, column 9)". Try the other method (POP vs. Pattern Match) Use an XSLT checker like 16 IBM Security

17 Troubleshooting APAR IV98133 HTTP Transformation Rule breaks with query string and ampersand character If the request URI contains a query string with more than one parameter (i.e. there is an ampersand in the request URI), then the final URL incorrectly transforms the ampersand character to & in the URI. Example: Transforms to: GET /jsonsnoop.jsp?x=1&y=2 Fixed in ISAM IBM Security

18 Troubleshooting APAR IV98994 small memory leak while performing WebSEAL HTTP Response Transformation. Even though the leak is small, a long running ISAM reverse proxy can run out of memory and crash. Scheduled to be fixed in ISAM and ISAM Monitor memory usage until the fix is released. APAR IV74702 URI HTTP Transformation Rule results in duplicate junction requests Transformation Rule is executed twice in single request Fixed in ISAM and ISAM IF1 18 IBM Security

19 Troubleshooting Documentation APAR IV99195 Wrong If an error occurs during HTTP transformation processing, a 501 Internal Server Error is returned to the browser. Right! If an error occurs during HTTP transformation processing, a 500 Internal Server Error is returned to the browser. 19 IBM Security

20 Troubleshooting Pattern Match - a wildcard or slash must be used in the request-match value. Currently investigating to determine whether or not this is a defect request-match = request:get /apple/index.html request-match = request:get /apple/index.html HTTP/1.1 request-match = request:get /apple/index.htm* fails! succeeds succeeds 20 IBM Security

21 Example XSL Transformation Rules

22 Example XSL transformation rules erated%20identity%20manager/page/http%20transformation 11 examples from common PMRs Will likely be published to IBM Security GitHub in the near future Delivered As Is, not supported Add comments to developerworks wiki or IBM Security GitHub to get help 22 IBM Security

23 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line. or Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down-menu. Click Send. Your message is sent and appears in the Q&A panel. To ask a question after this presentation: You are encouraged to participate in the dw Answers forum: < 23 IBM Security

24 Where do you get more information? Questions on this or other topics can be directed to the product forum: <hotspot to forum for this product>. More information you can review: Security Learning Academy: <link> Technote x: <link> IBM developerworks articles: <link> IBM Knowledge Center: <link to product welcome page> Useful links: Get started with IBM Security Support IBM Support Portal Sign up for My Notifications FREE learning resources on the Security Learning Academy Follow us: 24 IBM Security

25 THANK YOU FOLLOW US ON: facebook.com/ibmsecuritysupport SecurityLearningAcademy.com securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

26 HTTP Transformation Rules with IBM Security Access Manager 26 IBM Security