Security Support Open Mic Build Your Own POC Setup

Size: px

Start display at page:

Download "Security Support Open Mic Build Your Own POC Setup"

Delphia Burns
5 years ago
Views:

1 IBM Security Access Manager 08/25/2015 Security Support Open Mic Build Your Own POC Setup Panelists Reagan Knowles Level II Engineer Nick Lloyd Level II Support Engineer Kathy Hansen Level II Support Manager Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 The goal of this OpenMic is to show you how to set up a properly working ISAM for Web POC lab. You will understand the following: - VM settings - Installed License and Activation Codes - 3 Interfaces on different subnets - Policy Server (Using embedded OpenLDAP) - Reverse Proxy - Static Route for back-end traffic to control which interface is used. 2

3 Where do you get more information? Questions on this or other topics can be directed to the product forum: IBM Security Identity and Access Management More useful links: Knowledge Center Getting Support for IBM Security Products ISAM 8 Tuning Guide IBM Support Portal Sign up for My Notifications 3

4 Virtual Machine Settings Image, OS Type, CPU, interfaces, hardware, and memory

5 Use.iso for fresh build 5

6 Operating System Type 6

7 Virtual Machine Name 7

8 Processors 8

9 Memory 9

10 Network 10

11 I/O Controller 11

12 Disk size 12

13 SCSI 13

14 Disk size 14

15 Other interfaces 15

16 VM Boot 16

17 Appliance Configuration License, FIPS, Hostname, Network, Time/Date

18 Unconfigured on first boot 18

19 License Acceptance (I) 19

20 License Acceptance (II) 20

21 License Acceptance (III) 21

22 FIPS 22

23 Hostname 23

24 Interfaces 24

25 Interfaces 25

26 Interfaces 26

27 Interfaces 27

28 Interfaces 28

29 Interfaces 29

30 Interfaces 30

31 Interfaces 31

32 Date and Time 32

33 Accept Configuration 33

34 Appliance is configured. 34

35 Product Configuration LMI Access, NTP, License, Activation, Verify Networking

36 Initial LMI Access 36

37 First login 37

38 NTP 38

39 Changes must be deployed 39

40 Install Support License 40

41 Install Support License 41

42 Install Support License 42

43 Import Product Activations 43

44 Import Product Activations 44

45 Verify Interfaces 45

46 Verify Routes 46

47 ISAM Runtime and Reverse Proxy Embedded LDAP, ISAM Runtime, Reverse Proxy

48 Change LDAP Password 48

49 ISAM Runtime (Policy Server) 49

50 ISAM Runtime (Policy Server) 50

51 ISAM Runtime (Policy Server) 51

52 ISAM Administration (WPM) 52

53 Create a snapshot 53

54 Create a snapshot 54

55 Reverse Proxy Instance 55

56 Reverse Proxy Instance 56

57 Reverse Proxy Instance 57

58 Reverse Proxy Instance 58

59 Reverse Proxy Instance 59

60 Static route for back-end traffic.

61 We want backend to use

62 We want backend to use

63 Active route 63

64 Summary At this point you have a properly set up Web Gateway Appliance. Stay tuned for Federated Directories, Basic Users, and Mobile setup... 64

65 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat To ask a question after this presentation: You are encouraged to participate in our Forum topics at IBM Security Identity and Acess Management 65

66 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

67 IBM Security Access Manager 08/25/2015 Security Support Open Mic Build Your Own POC Setup Panelists Reagan Knowles Level II Engineer Nick Lloyd Level II Support Engineer Kathy Hansen Level II Support Manager Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call. 1

68 The goal of this OpenMic is to show you how to set up a properly working ISAM for Web POC lab. You will understand the following: - VM settings - Installed License and Activation Codes - 3 Interfaces on different subnets - Policy Server (Using embedded OpenLDAP) - Reverse Proxy - Static Route for back-end traffic to control which interface is used. 2

69 Where do you get more information? Questions on this or other topics can be directed to the product forum: IBM Security Identity and Access Management More useful links: Knowledge Center Getting Support for IBM Security Products ISAM 8 Tuning Guide IBM Support Portal Sign up for My Notifications 3

70 Virtual Machine Settings Image, OS Type, CPU, interfaces, hardware, and memory 4

71 Use.iso for fresh build 5 Just install the iso. The pkg is only for an upgrade. When building out an image there is no need to start at Always start with the latest level of the.iso.

72 Operating System Type 6 We have seen PMRs in which the actual VM appliance crashed at the OS level. In these PMRs a different OS was picked. If you have built using the wrong OS type you can build a new VM and apply a snapshot.

73 Virtual Machine Name 7

74 Processors ISAM 8 Tuning Guide. Before opening a PMR always check for proper VM settings. 8

75 Memory Should always use at least 4GB, even for a POC. 9

76 Network 10 These will be different for you setup. We are using Vmware's NAT network for our management interface. This will let us set static routes to the ISS update servers and an NTP server.

77 I/O Controller Take the default here. 11

78 Disk size Check requirements for you environment and supported hypervisor. 12

79 SCSI 13 Check requirements for you environment and supported hypervisor but normally SCSI works just fine.

80 Disk size 14 Disk Capacity GB. This is used for two 50GB partitions. Split virtual disk into multiple files. There are no supported methods to increase the disk size after creating the image (3rd party tools do exist but they are use at your own risk). If you find you need more disk space then best to create a new VM with desired settings and apply a snapshot. Snapshots are firmware level specific. Choose "Allocate all disk space now." for production.

81 Other interfaces 15 Add other interfaces for Web and Mobile. Each interface must be on its own subnet. Starting at 8012 the requirement to have at least 3 interfaces attached to the VM has been removed. However, when using only one the first IP will be used for management. When adding other interfaces after initial config the VM must be powered off. The appliance does not support hot swapping.

82 VM Boot 16 For many hypervisors it is normally at this time to offer the option of installing a tools package such as Vmware Tools. The appliance is a locked device and does not support

83 Appliance Configuration License, FIPS, Hostname, Network, Time/Date 17

84 Unconfigured on first boot 18 This configuration may also be done using the LMI and REST APIs. There is also the ability to setup a VM using a silent config. This will create a VM with basic settings already in place.

85 License Acceptance (I) This is not the same as the License key received from Flexera. 19

86 License Acceptance (II) 20

87 License Acceptance (III) 21 If you need to print this license you should perform the configuration via the LMI. Then you can print the license from your browser.

88 FIPS 22 Once set this cannot be undone. This has impacts later to the options presented when settings up the ISAM Runtime. This creates stronger certificates. Be careful. You cannot just set up a new WGA with FIPS enabled then apply a snapshot from a non-fips enabled WGA. Check your requirement carefully before starting a deployment. You should also change the default admin password as well.

89 Hostname 23 Hostname really should be tied to a resolvable address. Treat this as the 1.1 mgmt interface for ease of use.

90 Interfaces 24

91 Interfaces 25

92 Interfaces 26

93 Interfaces 27

94 Interfaces 28

95 Interfaces 29

96 Interfaces 30

97 Interfaces 31

98 Date and Time 32

99 Accept Configuration 33

100 Appliance is configured. 34

101 Product Configuration LMI Access, NTP, License, Activation, Verify Networking Optional section slide with descriptor 35

102 Initial LMI Access 36 Access LMI first time get you will see SSL warning. You can install a custom cert if needed to match the hostname.

103 First login 37 Local clock is not syncronized. This is normal. Recommed for VM to use NTP server. We know for VMware ESXi there are known drift issues and they have knowledge articles which address this at the ESXi level.

104 NTP Contact your network admin for NTP server address. We are using: 0.north-america.pool.ntp.org 38

105 Changes must be deployed This applies when using the REST APIs as well. 39

106 Install Support License 40 License you must get from Flexera. Support cannot provide licenses. Browse and select license. Don't forget to deploy the change. The license is required to install updates from the ISS update servers. It is possible to install firmware and X-Force updates manually but it is best to have a valid support license and schedule at least automatic updates of the X-Force module. The X-Force module is the signature database used by the Web Application Firewall.

107 Install Support License 41 The file you receive will have a similar format. Your company name will be part of the name.

108 Install Support License You will see your company details in the white box. 42

109 Import Product Activations The activation keys must be downloaded from Passport Advantage. Without activation the only component active is the Policy Server. ISAM for Web activates Reverse Proxy (WebSEAL) Front-end Load Balancer Web Application Firewall Authorization Server Distributed Session Cache ISAM for Mobile activates Context-based access API Protection Reverse Proxy (WebSEAL) Distributed Session Cache 43

110 Import Product Activations 44 Mobile takes a minute to start some services. The "Session Ended" message is expected. Just wait a minute before reloading the LMI.

111 Verify Interfaces 1.1 == Management 1.2 == Web 1.3 == Mobile 45

112 Verify Routes 46 WGA at the moment is DESTINATON BASED ROUTING WITH ONLY ONE DEFAULT GATEWAY. WE DO NOT SUPPORT SOURCE BASED OR POLICY BASED ROUTING. A common PMR we see is trying to access both the LMI and Reverse Proxy from the same machine. For networks that have firewalls which check for IP spoofing this is not possible. This is because traffic hits the WGA on 1.1 and returns out 1.2. The best-practice is to define a management network and create a static route to it over 1.1. If you want to use the same system you will need to NICs or at least two virtual IP addresses on the system with routing defined accordingly.

113 ISAM Runtime and Reverse Proxy Embedded LDAP, ISAM Runtime, Reverse Proxy Optional section slide with descriptor 47

114 Change LDAP Password Do not need to know the default. 48

115 ISAM Runtime (Policy Server) 49

116 ISAM Runtime (Policy Server) 50 You can not change the name of the Administrator account, it will always be sec_master. You can pick additional SSL Compliance. If you have configured the appliance for FIPS, you can not choose "No additional compliance". If you have configured the appliance for FIPS, you must choose FIPS, NIST, or NSA. Furthermore, the rest of the environment must be configured the same way for FIPS, NIST or NSA.

117 ISAM Runtime (Policy Server) 51

118 ISAM Administration (WPM) 52 You can login to the console and use the traditional pdadmin command. You can also use the REST APIs for batch pdadmin tasks (separate OpenMIC by Chet has examples).

119 Create a snapshot 53

120 Create a snapshot 54 Snapshots are firmware level specific. That requirement is by design. Download the snapshot. The snapshot isn't safe unless it is downloaded from the appliance and stored somewhere safe.

121 Reverse Proxy Instance 55 Certain things like the LMI and certain TAM internal components will only run on a management interface. Other components will only work on an application interface. The reverse proxy will listen on port 7234 for policy updates. The hostname is what the policy server will use to contact the reverse proxy and needs to be resolvable by the policy server. "IP Address for the Primary Interface" (i.e. front-end internet traffic)... you can select and the Reverse Proxy will listen on all interfaces including management. We do not recommend that for a production environment. You do not want a component in the DMZ exposing a management interface.

122 Reverse Proxy Instance We pick our application interface which is also the default gateway. 56

123 Reverse Proxy Instance 57 ISAM Subdomains are supported. We are not discussing in this presentation but this is where the setting located.

124 Reverse Proxy Instance Set desired transports. 58

125 Reverse Proxy Instance The default instance up and running. 59

126 Static route for back-end traffic. Optional section slide with descriptor 60

127 We want backend to use Note that backend's IP address is Because this is not in the same subnet as one of the defined interfaces outbound traffic to it will go out 1.2 (the default). We want to use 1.3.

128 We want backend to use

129 Active route 63 If the route did not move to the active table is is not valid. This can happen for several reason including: The route does not make sense with respect to networking. For example the wrong gateway for the subnet. The route does not work due to external problems. For example the gateway is correct but unreachable.

130 Summary At this point you have a properly set up Web Gateway Appliance. Stay tuned for Federated Directories, Basic Users, and Mobile setup... 64

131 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat To ask a question after this presentation: You are encouraged to participate in our Forum topics at IBM Security Identity and Acess Management 65

132 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Mandatory closing slide with copyright and legal disclaimers. 66

Disk Space Management of ISAM Appliance

IBM Security Access Manager Tuesday, 5/3/16 Disk Space Management of ISAM Appliance Panelists David Shen Level 2 Support Engineer Steve Hughes Level 2 Support Engineer Nicholas Hasten Level 2 Support Engineer