Leo Farrell 16/12/2014, V0.3

Context Based access using Security Access Manager on DataPower
Automated configuration of Reverse Proxy instance with Security Access Manager for Mobile

Leo Farrell 16/12/2014, V0.3

Abstract: IBM Security Access Manager provides context based access policy and decisions for DataPower. The new ISAM for DataPower module provides the ISAM Web Reverse Proxy as a policy enforcement point for policy governed web and API access attempts. This paper describes the configurations to enable the integration between ISAM for DataPower and ISAM for Mobile appliances. A script is provided to automate the integration.

Table of Contents

1 Introduction
2 Requirements
2.1 Infrastructure requirements
Script requirements
3 Configuration
3.1 Assumptions
3.2 Script configuration
General configuration
Override Configs
Certificate Configuration
3.4 CBA configuration
3.5 External Authorization Service configuration
OAuth configuration
The ISAM for Mobile Junction
4 Troubleshooting
Testing the service junction
4.2 Checking integration with ISAM for Mobile
5 Resources
6 About the authors

Table of Figures

Figure 1: Access Manager Reverse Proxy configuration screen on DataPower
Figure 2: Junction page of Junction Configuration
Figure 3: Identity settings for the Junction
Figure 4: Backend server configuration for Junction

Index of Tables

Table of Listings

Listing 1: Properties file used by the script
Listing 2: Standard configuration entries
Listing 3: pdadmin commands ran to create ACLs, attach ACLs and HTTP-Tag configuration
Listing 4: Example of curl request to retrieve ISAM for Mobile override configs
Listing 5: configuration entries which need to reference the MgaJunction trust store
Listing 6: CBA configuration file changes
Listing 7: pdadmin commands ran when configuring CBA
Listing 8: Extra CBA configurations when also configuring EAS
Listing 9: Commands ran when configuring the EAS
Listing 10: Configurations made for OAuth
Listing 11: pdadmin commands ran for OAuth
Listing 12: Raw XML of ISAMReverseProxyJunction Object

1 Introduction

IBM Security Access Manager (ISAM) for Mobile provides context based security access features for mobile and web based access use cases. With the release of ISAM for DataPower it is now possible to deploy the ISAM Reverse Proxy component as a Point of Contact and Policy Enforcement Point for IBM Security Access Manager for Mobile. This deployment is offered as a complementary alternative to the existing reverse proxy capability offered by ISAM for Web.

Integration between ISAM for Web and ISAM for Mobile is supported by the isamcfg.jar utility. When using the Security Access Manager offering on DataPower, isamcfg.jar is not compatible, so alternate configuration methods must be used. Manual configuration of a reverse proxy instance can be cumbersome and can require troubleshooting in order to achieve a correctly working result. The perl script attached leverages the remote web API interfaces of the DataPower and ISAM for Mobile appliances to automate the integration and configuration of an ISAM Reverse Proxy on DataPower. The result is a web reverse proxy which acts as a point of contact and policy enforcement point for ISAM for Mobile. The remainder of this document describes the configuration changes made by the attached script.

2 Requirements

This guide assumes you have some existing hardware (virtual or physical) as well as some commonly available software (perl, curl).

2.1 Infrastructure requirements

At a bare minimum the following are required:

- DataPower XI52
  - Must have Security Access Manager (ISAM) on DataPower offering enabled.
  - This appliance will be running the Web Reverse Proxy instance.
  - Must have xml management interface enabled (soma).
- ISAM (or newer).
  - Must have Security Access Manager for Mobile (ISAM for Mobile) Capabilities enabled.
  - This appliance will be running the ISAM for Mobile runtime, Policy Server and LDAP.
  - More elaborate ISAM configurations can be used to provide HA.

2.2 Architecture

Figure 1: Basic ISAM for Mobile deployment using Security Access Manager on DataPower

The labels in Figure 1: Basic ISAM for Mobile deployment using Security Access Manager on DataPower are described below. This is not an order of operations or a flow diagram:

1. The Browser connects to WebSEAL when the user requests a protected page.
2. WebSEAL forwards requests to the backend if they are authorized to access the resource.
3. WebSEAL connects to the Policy Server to get its access policy.
4. WebSEAL connects to the LDAP to retrieve user credentials.
5. WebSEAL will redirect the user to the Mobile Runtime if the policy dictates further authentication is required before authorization is granted.
6. The Policy Server reads and updates the user information stored on the LDAP.

2.3 Script requirements

The script provided to automate this configuration requires the following:

- perl V or newer with the following perl modules:
  - Term::ReadKey
  - XML::LibXML
  - MIME::Base64
- curl or newer
- basic Linux commands: find, head, rm, ls, cp

3 Configuration

Configuration of this service makes changes to an ISAM Reverse Proxy instance on DataPower only. The only exception to this is some certificate management which occurs on the ISAM for Mobile appliance. This will be outlined further below.

3.1 Assumptions

It is assumed that you have a configured policy server and LDAP running and that the ISAM for Mobile appliance has been configured to share that runtime (it could be hosting the policy server and embedded LDAP internally). It is also assumed that DataPower is configured and has an Application Domain with a Security Access Manager Runtime configured to the same runtime as the ISAM for Mobile. Additionally, an ISAM Reverse Proxy is assumed to be configured and running in the same domain.

It is recommended that hostname resolution is configured on both appliances. This can be done using hostname aliases on DataPower and host file entries on the ISAM for Mobile Appliance.

3.2 Script configuration

The script provided is driven by a properties file. An example properties file is included; see Listing 1: Properties file used by the script for the contents and required entries. Any password field that is not set results in a user prompt, so that the password value can be entered securely during script execution.

    #lines which start with a # will be ignored, otherwise should be in the format:
    #key=value;
    #if multivalued should be in the format
    #key=value,value,value
    #
    #Any fields which contain passwords can be left blank and the user will be
    #prompted for the password.
    #available components (choose one or more):
    # RBA
    # EAS
    # OAUTH
    components=oauth,rba,eas
    #address to your ISAM for Mobile appliance(required)
    isamappliancehostname=<hostname>
    #port the ISAM LMI is running on(required)
    isamapplianceport=443
    #admin username to log into ISAM LMI(REQUIRED)
    isamapplianceadmin=admin
    #admin password to log into ISAM LMI
    isamapplianceadminpwd=<password>
    #isam Runtime address. (REQUIRED)
    isamruntimehostname=<ip address or hostname>
    #isam Runtime port. (REQUIRED)
    isamruntimeport=443
    #isam Runtime Certificate label. Optional(Must set this or BA credentials).
    #isamruntimecertlbl=server
    #Whether or not to replace the certificate if it already exists in the key
    #database
    replacecert=true
    #isam Runtime BA user(optional. Must set this and runtime BA password or runtimecertlbl).
    isamruntimebauser=easuser
    #isam Runtime BA password
    isamruntimebapwd=<password>
    #datapower hostname(required)
    dphostname=<hostname>
    #datapower SOMA port(required)
    dpport=5550
    #datapower domain (REQUIRED)
    dpdomain=isam
    #datapower administrator(required)
    dpadmin=admin
    #datapower admin password
    dpadminpwd=<password>
    #name of the ISAMReverseProxy Object to configure on datapower(required)
    dpproxy=notdefault
    #whether or not to set "HTTP Basic Authentication Header" on the junction to ISAM for Mobile(Optional.
    #defaults to false).
    dpproxyforwardauthzheader=true
    #the following 3 entries are paths to the 400,401 and 502 error pages if
    #configuring the OAUTH Component. These are optional and default to:
    #isamwebroot:/default/oauth/oauth_template_rsp_400_bad_request.html
    #isamwebroot:/default/oauth/oauth_template_rsp_401_unauthorized.html
    #isamwebroot:/default/oauth/oauth_template_rsp_502_bad_gateway.html
    #respectively:
    #dpproxy400page=isamwebroot:/default/oauth/oauth_template_rsp_400_bad_request.html
    #dpproxy401page=isamwebroot:/default/oauth/oauth_template_rsp_401_unauthorized.html
    #dpproxy502page=isamwebroot:/default/oauth/oauth_template_rsp_502_bad_gateway.html
    #pdadmin credentials(required)
    pdadminusr=sec_master
    pdadminpwd=<password>
    #if pdadmin should replace or reuse any existing pops,(optional, defaults to
    #false)
    #pdadminreplace=
    #if pdadmin should log into an alternate isam secure domain(optional) uses
    #"Default" if not set
    #isamdomain=

Listing 1: Properties file used by the script
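The rules stated in Listing 1 can be checked before the script is run. The following is an added example, not part of the original paper or of isamcfg.pl: it parses the key=value format, reports missing required keys, unknown components and a missing runtime credential, and flags password fields that are stored in the file instead of being left blank for the prompt. Treating component names as case-insensitive is an assumption, and the sample values are constructed.

```python
# Added example: offline checker for the properties format shown in Listing 1.
REQUIRED = (
    "isamappliancehostname", "isamapplianceport", "isamapplianceadmin",
    "isamruntimehostname", "isamruntimeport", "dphostname", "dpport",
    "dpdomain", "dpadmin", "dpproxy", "pdadminusr",
)
PASSWORD_KEYS = ("isamapplianceadminpwd", "isamruntimebapwd",
                 "dpadminpwd", "pdadminpwd")
PORT_KEYS = ("isamapplianceport", "isamruntimeport", "dpport")
COMPONENTS = {"rba", "eas", "oauth"}

# Constructed sample, not a real deployment.
SAMPLE = """\
# constructed properties file
components=oauth,cba
isamappliancehostname=isam.example.test
isamapplianceport=443
isamapplianceadmin=admin
isamapplianceadminpwd=
isamruntimehostname=isam.example.test
isamruntimeport=443
dphostname=dp.example.test
dpport=5550
dpadmin=admin
dpadminpwd=constructed-secret
dpproxy=notdefault
pdadminusr=sec_master
pdadminpwd=
"""


def parse_properties(text):
    """Parse key=value lines; lines starting with # are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not in key=value form: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def audit_properties(props):
    """Return a list of findings for a parsed properties file."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing required key: {key}")

    # Multivalued entries are comma separated (key=value,value,value).
    chosen = [c.strip().lower()
              for c in props.get("components", "").split(",") if c.strip()]
    if not chosen:
        findings.append("components: choose one or more of rba, eas, oauth")
    for name in chosen:
        if name not in COMPONENTS:
            findings.append(f"unknown component: {name}")

    # Listing 1: either a certificate label or BA credentials must be set.
    if not props.get("isamruntimecertlbl") and not props.get("isamruntimebauser"):
        findings.append(
            "no runtime credential: set isamruntimecertlbl or isamruntimebauser")

    # A blank password field makes the script prompt, so nothing is kept on disk.
    for key in PASSWORD_KEYS:
        if props.get(key):
            findings.append(f"password stored in file: {key}")

    for key in PORT_KEYS:
        value = props.get(key, "")
        if value and not (value.isdigit() and 0 < int(value) < 65536):
            findings.append(f"invalid port: {key}={value}")
    return findings


if __name__ == "__main__":
    for finding in audit_properties(parse_properties(SAMPLE)):
        print(finding)
```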

3.3 General configuration

When running the script there are three components that may be configured. These are defined and enabled by the line components=oauth,rba,eas in Listing 1: Properties file used by the script. The three components are:

- Context Based Access (CBA) for managing access based on risk score (referenced as RBA in the script)
- External Authentication Service (EAS) for doing step up authentication
- API protection using OAuth (OAUTH)

See Resources for more information on ISAM for Mobile.

All of the configurations made can be categorized into one of the following items:

- Configuration file changes (in the Reverse Proxy's webseald.conf)
- ISAM Policy changes (using pdadmin)
- Junction creation (creation of an ISAMReverseProxy object on DataPower)
- Keystore management. See Certificate Configuration.

Regardless of which offerings are selected, there are some entries which are always added. See Listing 2: Standard configuration entries. Note that the name of the junction specific stanza [junction:/mga] changes based on the context root the ISAM for Mobile runtime is running under (default is /mga). This, as well as the ac.uuid value in the reset-cookies-list entry, which changes based on the cookie name, is explained further in the Override Configurations section.

Override Configurations

There are two advanced configuration entries which are read from the ISAM for Mobile appliance. They are:

- attributecollection.servicelocation
  Default value: /mga
  This is the context root deployed on the ISAM for Mobile runtime.
- attributecollection.cookiename
  Default value: ac.uuid
  This is the cookie name used by the attribute collection service.

Refer to Listing 4: Example of curl request to retrieve ISAM for Mobile override configs for an example curl request to retrieve these values. If these values cannot be retrieved the user will be prompted to enter them.

    [server]
    http-method-disabled-remote = TRACE,CONNECT

    [certificate]
    accept-client-certs = never

    [eai]
    eai-auth = https
    eai-xattrs-header = am-fim-eai-xattrs
    eai-pac-header = am-fim-eai-pac
    eai-user-id-header = am-fim-eai-user-id
    eai-redir-url-header = am-fim-eai-redir-url
    retain-eai-session = yes
    eai-redir-url-priority = yes

    [authentication-levels]
    level = ext-auth-interface

    [eai-trigger-urls]
    trigger = /mga/sps/auth*
    trigger = /mga/sps/authservice/authentication*
    trigger = /mga/sps/authsvc*

    [ba]
    ba-auth = none

    [forms]
    forms-auth = https

    [session]
    user-session-ids = yes

    [junction]
    jct-cert-keyfile = MgaJunction.kdb
    jct-cert-keyfile-stash = MgaJunction.sth

    [junction:/mga]
    reset-cookies-list = *ac.uuid,*jsessionid

Listing 2: Standard configuration entries. Note: some of these values may change based on override configs

Some ISAM policy changes are also made regardless of the offerings selected. These changes are primarily the creation of ACLs (Access Control Lists). See Listing 3: pdadmin commands run to create ACLs, attach ACLs and HTTP-Tag configuration for the commands which update policy settings.

    acl create isam_mobile_nobody
    acl modify isam_mobile_nobody description ISAM autoconfiguration tool ACL
    acl modify isam_mobile_nobody set user sec_master TcmdbsvaBRrxl
    acl modify isam_mobile_nobody set group iv-admin TcmdbsvaBRrxl
    acl modify isam_mobile_nobody set group webseal-servers Tgmdbsrxl
    acl modify isam_mobile_nobody set any-other T
    acl modify isam_mobile_nobody set unauth T
    acl create isam_mobile_unauth
    acl modify isam_mobile_unauth description ISAM autoconfiguration tool ACL
    acl modify isam_mobile_unauth set user sec_master TcmdbsvaBRrxl
    acl modify isam_mobile_unauth set group iv-admin TcmdbsvaBRrxl
    acl modify isam_mobile_unauth set group webseal-servers Tgmdbsrxl
    acl modify isam_mobile_unauth set any-other Tr
    acl modify isam_mobile_unauth set unauth Tr
    acl create isam_mobile_rest
    acl modify isam_mobile_rest description ISAM autoconfiguration tool ACL
    acl modify isam_mobile_rest set user sec_master TcmdbsvaBRrxl
    acl modify isam_mobile_rest set group iv-admin TcmdbsvaBRrxl
    acl modify isam_mobile_rest set group webseal-servers Tgmdbsrxl
    acl modify isam_mobile_rest set any-other Tmdr
    acl modify isam_mobile_rest set unauth T
    acl create isam_mobile_anyauth
    acl modify isam_mobile_anyauth description ISAM autoconfiguration tool ACL
    acl modify isam_mobile_anyauth set user sec_master TcmdbsvaBRrxl
    acl modify isam_mobile_anyauth set group iv-admin TcmdbsvaBRrxl
    acl modify isam_mobile_anyauth set group webseal-servers Tgmdbsrxl
    acl modify isam_mobile_anyauth set any-other Tr
    acl modify isam_mobile_anyauth set unauth T
    object modify /WebSEAL/dpclient2-default/mga set attribute HTTP-Tag-Value user_session_id=user_session_id
    acl attach /WebSEAL/dpclient2-default/mga/sps/auth isam_mobile_anyauth

Listing 3: pdadmin commands run to create ACLs, attach ACLs and HTTP-Tag configuration.
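To review what these ACLs expose, the commands can be parsed and each object path classified by who holds the read (r) permission. The following is an added example, not part of the original paper or its script; the input is a subset of the commands in Listings 3, 9 and 11 of this paper. It assumes the usual ISAM rule that an object without its own ACL inherits the nearest ACL attached above it, and it does not model traverse (T) checks on parent objects.

```python
# Added example: who can read each object path after the pdadmin commands run.

# Subset of the pdadmin commands from Listings 3, 9 and 11 of this paper.
PDADMIN_COMMANDS = """\
acl create isam_mobile_nobody
acl modify isam_mobile_nobody description ISAM autoconfiguration tool ACL
acl modify isam_mobile_nobody set any-other T
acl modify isam_mobile_nobody set unauth T
acl create isam_mobile_unauth
acl modify isam_mobile_unauth set user sec_master TcmdbsvaBRrxl
acl modify isam_mobile_unauth set group webseal-servers Tgmdbsrxl
acl modify isam_mobile_unauth set any-other Tr
acl modify isam_mobile_unauth set unauth Tr
acl create isam_mobile_rest
acl modify isam_mobile_rest set any-other Tmdr
acl modify isam_mobile_rest set unauth T
acl create isam_mobile_anyauth
acl modify isam_mobile_anyauth set any-other Tr
acl modify isam_mobile_anyauth set unauth T
acl attach /WebSEAL/dpclient2-default/mga/sps/auth isam_mobile_anyauth
acl attach /WebSEAL/dpclient2-default/mga/sps/authsvc isam_mobile_unauth
acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/otp isam_mobile_rest
acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/token isam_mobile_unauth
acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/clients isam_mobile_anyauth
"""


def parse_pdadmin(text):
    """Return (acls, attachments) from 'acl create/modify/attach' lines."""
    acls = {}          # ACL name -> {entry: permission string}
    attachments = {}   # object path -> ACL name
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "acl":
            continue
        if tok[1] == "create":
            acls.setdefault(tok[2], {})
        elif tok[1] == "attach" and len(tok) == 4:
            attachments[tok[2].rstrip("/")] = tok[3]
        elif tok[1] == "modify" and len(tok) >= 6 and tok[3] == "set":
            entries = acls.setdefault(tok[2], {})
            if tok[4] in ("user", "group") and len(tok) == 7:
                entries[f"{tok[4]}:{tok[5]}"] = tok[6]
            elif tok[4] in ("any-other", "unauth") and len(tok) == 6:
                entries[tok[4]] = tok[5]
    return acls, attachments


def effective_acl(path, attachments):
    """Nearest ACL attached at or above path, matched on whole path segments."""
    parts = path.rstrip("/").split("/")
    while len(parts) > 1:
        candidate = "/".join(parts)
        if candidate in attachments:
            return attachments[candidate]
        parts.pop()
    return None


def audience(path, acls, attachments):
    """Classify who holds the read (r) bit on path."""
    name = effective_acl(path, attachments)
    if name is None:
        return "inherited-from-outside-sample"
    if name not in acls:
        return "undefined-acl"
    entries = acls[name]
    if "r" in entries.get("unauth", ""):
        return "unauthenticated"
    if "r" in entries.get("any-other", ""):
        return "authenticated"
    return "listed-users-and-groups-only"


def exposure_report(text, paths):
    """Return ({path: audience}, [ACLs created but never attached])."""
    acls, attachments = parse_pdadmin(text)
    unattached = sorted(set(acls) - set(attachments.values()))
    return {p: audience(p, acls, attachments) for p in paths}, unattached


if __name__ == "__main__":
    base = "/WebSEAL/dpclient2-default/mga"
    report, unused = exposure_report(
        PDADMIN_COMMANDS,
        [base + "/sps/authsvc", base + "/sps/auth/login", base + "/other"])
    for path, who in report.items():
        print(f"{who:32} {path}")
    print("never attached:", unused)
```

Matching on whole path segments matters here: /mga/sps/authsvc does not inherit from the ACL attached to /mga/sps/auth.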
    /bin/curl -s -k -H 'Content-Type: application/json' -H 'Accept:application/json' --user admin:admin %20containsignorecase%20attributeCollection.serviceLocation

Listing 4: Example of curl request to retrieve ISAM for Mobile override configs

Certificate Configuration

For connection to the SSL junction, STS and the EAS, the ISAM for Mobile Runtime certificate must be in the trust store of the junction keyfile as well as the rtss and oauth cluster keyfiles. The script provided uses the ISAM for Mobile host appliance to support the certificate management. The script creates a trust store on the ISAM appliance called MgaJunctions; it then uses the load certificate functionality to fetch the ISAM for Mobile runtime CA certificate. Following this, the trust store is exported and uploaded to DataPower. The trust store will not be committed to the ISAM appliance. It remains as a pending change for the user to delete or modify at their convenience.

Figure 2: Access Manager Reverse Proxy configuration screen on DataPower illustrates the result of this certificate keystore configuration on the DataPower appliance. Listing 5: configuration entries which need to reference the MgaJunction trust store identifies the entries in the ISAM Reverse Proxy configuration file on DataPower.

Figure 2: Access Manager Reverse Proxy configuration screen on DataPower

    [junction]
    jct-cert-keyfile = MgaJunction.kdb
    jct-cert-keyfile-stash = MgaJunction.sth

    [rtss-cluster:cluster1]
    ssl-keyfile = MgaJunction.kdb
    ssl-keyfile-stash = MgaJunction.sth

    [tfim-cluster:oauth-cluster]
    ssl-keyfile = MgaJunction.kdb
    ssl-keyfile-stash = MgaJunction.sth

Listing 5: configuration entries which need to reference the MgaJunction trust store

3.4 CBA configuration

Configuring an ISAMReverseProxy for CBA primarily involves changes to its configuration file to allow for attribute mapping. An ACL is also attached which allows access to the attribute collection service. See Listing 6: CBA configuration file changes and Listing 7: pdadmin commands run when configuring CBA for the values and commands. Additionally, if both the CBA and EAS options are set to be configured, the configurations in Listing 8: Extra CBA configurations when also configuring EAS will be applied.

    [azn-decision-info]
    urn:ibm:security:worklight:adapter:procedure = post-data:procedure
    urn:ibm:security:worklight:version:native = header:x-wl-native-version
    Host = header:host
    urn:ibm:security:worklight:version:app = header:x-wl-app-version
    urn:ibm:security:trusteer:header:rapport-extra = header:x-trusteer-rapport-extra
    Connection = header:connection
    Pragma = header:pragma
    Cache-Control = header:cache-control
    rspcode = header:rspcode
    Accept-Language = header:accept-language
    Authorization = header:authorization
    scheme = scheme
    Transfer-Encoding = header:transfer-encoding
    urn:ibm:security:trusteer:header:rapport = header:x-trusteer-rapport
    urn:ibm:security:worklight:version:platform = header:x-wl-platform-version
    Accept = header:accept
    urn:ibm:security:worklight:device:id = header:x-wl-device-id
    Missing = header:missing
    urn:ibm:security:worklight:adapter:parameters = post-data:parameters
    urn:ibm:security:subject:ipaddress = client_ip
    X-Requested-With = header:x-requested-with
    ac.uuid = cookie:ac.uuid
    User-Agent = header:user-agent
    uri = uri
    Accept-Charset = header:accept-charset
    Accept-Encoding = header:accept-encoding
    method = method
    urn:ibm:security:worklight:adapter:adapter = post-data:adapter
    Content-Type = header:content-type

    [rtss-eas]
    apply-tam-native-policy = true
    trace-component = pdweb.rtss
    cluster-name = cluster1
    context-id = context-inherited-pop

    [aznapi-configuration]
    special-eas = trigger_rba_eas

    [user-attribute-definitions]
    urn:ibm:security:worklight:version:platform.category = Environment
    urn:ibm:security:worklight:version:app.datatype = string
    urn:ibm:security:worklight:device:id.datatype = string
    urn:ibm:security:worklight:version:native.category = Environment
    urn:ibm:security:trusteer:header:rapport-extra.datatype = string
    urn:ibm:security:trusteer:header:rapport.datatype = string
    urn:ibm:security:worklight:version:platform.datatype = string
    urn:ibm:security:worklight:adapter:adapter.datatype = string
    urn:ibm:security:worklight:version:app.category = Environment
    urn:ibm:security:worklight:adapter:adapter.category = Environment
    urn:ibm:security:worklight:adapter:procedure.datatype = string
    urn:ibm:security:worklight:version:native.datatype = string
    urn:ibm:security:worklight:adapter:procedure.category = Environment
    urn:ibm:security:trusteer:header:rapport.category = Environment
    urn:ibm:security:worklight:device:id.category = Environment
    urn:ibm:security:worklight:adapter:parameters.category = Environment
    urn:ibm:security:worklight:adapter:parameters.datatype = string
    urn:ibm:security:trusteer:header:rapport-extra.category = Environment

    [rtss-cluster:cluster1]
    ssl-keyfile-stash = MgaJunctions.sth
    basic-auth-user = easuser
    handle-idle-timeout = 240
    handle-pool-size = 10
    basic-auth-passwd =
    ssl-keyfile = MgaJunctions.kdb
    server = 9,
    timeout = 240

Listing 6: CBA configuration file changes
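The trust store entries in the [junction], [rtss-cluster:cluster1] and [tfim-cluster:oauth-cluster] stanzas all have to point at the one store that was uploaded to DataPower, and this paper's own listings spell it two ways (MgaJunction in Listings 2 and 5, MgaJunctions in Listings 6 and 10). The following is an added example, not part of the original paper or its script: it parses stanza-style configuration text and reports stanzas whose key database references disagree. The sample input is constructed from the listings as printed, and treating a stash file named for a different key database as a finding is an assumption.

```python
# Added example: consistency check for the trust store entries of Listing 5.
import os

# Stanza -> (key database entry, stash file entry), as named in Listing 5.
KEYSTORE_ENTRIES = {
    "junction": ("jct-cert-keyfile", "jct-cert-keyfile-stash"),
    "rtss-cluster:cluster1": ("ssl-keyfile", "ssl-keyfile-stash"),
    "tfim-cluster:oauth-cluster": ("ssl-keyfile", "ssl-keyfile-stash"),
}

# Constructed sample: [junction] as printed in Listing 5, the cluster
# stanzas as printed in Listings 6 and 10.
SAMPLE_CONF = """\
[junction]
jct-cert-keyfile = MgaJunction.kdb
jct-cert-keyfile-stash = MgaJunction.sth

[rtss-cluster:cluster1]
ssl-keyfile-stash = MgaJunctions.sth
basic-auth-user = easuser
ssl-keyfile = MgaJunctions.kdb

[tfim-cluster:oauth-cluster]
ssl-keyfile-stash = MgaJunctions.sth
ssl-keyfile = MgaJunctions.kdb

[eai-trigger-urls]
trigger = /mga/sps/auth*
trigger = /mga/sps/authsvc*
"""


def parse_stanzas(text):
    """Parse [stanza] / key = value text into {stanza: {key: [values]}}.

    Values are kept as lists because entries such as 'trigger' repeat.
    """
    conf = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"line {lineno}: expected [stanza] or key = value")
        current.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_keystores(conf):
    """Return (stanza, message) findings for the trust store references."""
    findings = []
    stores = {}
    for stanza, (kdb_key, sth_key) in KEYSTORE_ENTRIES.items():
        if stanza not in conf:
            continue  # component not configured
        kdb = conf[stanza].get(kdb_key, [])
        sth = conf[stanza].get(sth_key, [])
        if len(kdb) != 1 or len(sth) != 1:
            findings.append(
                (stanza, "keyfile and stash must each be set exactly once"))
            continue
        kdb_base, kdb_ext = os.path.splitext(kdb[0])
        sth_base, sth_ext = os.path.splitext(sth[0])
        # Assumption: the stash file carries the key database's base name.
        if kdb_ext != ".kdb" or sth_ext != ".sth" or kdb_base != sth_base:
            findings.append((stanza, f"{sth[0]} does not pair with {kdb[0]}"))
        stores[stanza] = kdb[0]
    if len(set(stores.values())) > 1:
        detail = ", ".join(f"{s} -> {v}" for s, v in sorted(stores.items()))
        findings.append(("*", "stanzas reference different key databases: " + detail))
    return findings


if __name__ == "__main__":
    for stanza, message in check_keystores(parse_stanzas(SAMPLE_CONF)):
        print(f"[{stanza}] {message}")
```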

    acl attach /WebSEAL/dpclient2-default/mga/sps/ac isam_mobile_anyauth
    pop create rba-pop
    pop modify rba-pop set attribute eas-trigger trigger_rba_eas

Listing 7: pdadmin commands run when configuring CBA

    [obligations-urls-mapping]
    urn:ibm:security:authentication:asf:* = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_ otp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_smsotp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf: = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_rsa = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:http_redirect = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:macotp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_knowledge_questions = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:rsa = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:totp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:hotp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:otp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:sms = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_hotp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:consent_register_device = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_eula = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_totp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:knowledge_questions = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_otp = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:eula = /mga/sps/authsvc
    urn:ibm:security:authentication:asf:password_macotp = /mga/sps/authsvc

    [TAM_CRED_ATTRS_SVC]
    eperson = azn_cred_registry_id

    [TAM_CRED_ATTRS_SVC:eperson]
    address = mail
    mobilenumber = mobile

Listing 8: Extra CBA configurations when also configuring EAS

3.5 External Authorization Service configuration

Technically, ISAM for Mobile context based access is integrated as an ISAM External Authorization Server (EAS). Configuration of the EAS is primarily command driven, attaching some ACLs. It is intended to always be used with the CBA configuration, with only advanced deployments requiring otherwise. The commands run for EAS configuration can be found at Listing 9: Commands ran when configuring the EAS.

    acl attach /WebSEAL/dpclient2-default/mga/sps/authsvc isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/authservice/authentication isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/static isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/device isam_mobile_rest
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/questions isam_mobile_rest
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/otp isam_mobile_rest
    acl attach /WebSEAL/dpclient2-default/mga/sps/ac isam_mobile_anyauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/xauth isam_mobile_anyauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/html isam_mobile_anyauth

Listing 9: Commands ran when configuring the EAS. Note: some of these commands are run when configuring OAuth also.

When configuring both the EAS and CBA, the configurations at Listing 8: Extra CBA configurations when also configuring EAS will be added to the configuration file.

3.6 OAuth configuration

The configurations made for OAuth are more standalone than the previous two components. Like CBA, OAuth requires configuration file updates and attaches some ACLs. The configurations can be found at Listing 10: Configurations made for OAuth and the policy administration commands at Listing 11: pdadmin commands run for OAuth.

    [azn-decision-info]
    HTTP_CONTENT_TYPE_HDR = header:content-type
    HTTP_HOST_HDR = header:host
    HTTP_REQUEST_METHOD = method
    HTTP_TRANSFER_ENCODING_HDR = header:transfer-encoding
    HTTP_AZN_HDR = header:authorization
    HTTP_REQUEST_URI = uri
    HTTP_REQUEST_SCHEME = scheme

    [oauth]
    fed-id-param = FederationId
    default-fed-id =
    user-identity-attribute = username
    oauth-auth = both
    cluster-name = oauth-cluster

    [tfim-cluster:oauth-cluster]
    ssl-keyfile-stash = MgaJunctions.sth
    basic-auth-user = easuser
    handle-idle-timeout = 240
    handle-pool-size = 10
    basic-auth-passwd =
    ssl-keyfile = MgaJunctions.kdb
    server = 9,

    [oauth-eas]
    default-mode = OAuth20Bearer

    [eai-trigger-urls]
    trigger = /mga/sps/oauth/oauth20/session*

Listing 10: Configurations made for OAuth

    acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/authorize isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/static isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/session isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/token isam_mobile_unauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/grant isam_mobile_rest
    acl attach /WebSEAL/dpclient2-default/mga/sps/wssoi isam_mobile_anyauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/mga/user/mgmt/html isam_mobile_anyauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/oauth/oauth20/clients isam_mobile_anyauth
    acl attach /WebSEAL/dpclient2-default/mga/sps/common/qr isam_mobile_anyauth
    pop create oauth-pop
    pop modify oauth-pop set attribute eas-trigger trigger_oauth_eas

Listing 11: pdadmin commands run for OAuth

Note: The wssoi endpoint will only be exposed when only the OAuth offering is being configured.

3.7 The ISAM for Mobile Junction

The final step of configuring an ISAM Reverse Proxy integrated with ISAM for Mobile is creating the junction to the ISAM for Mobile runtime. Figures showing the junction parameters in the DataPower GUI are included, and the raw DataPower XML representation of the junction object is also supplied. See figures & listings:

- Figure 3: Junction page of Junction Configuration
- Figure 4: Identity settings for the Junction
- Figure 5: Backend server configuration for Junction
- Listing 12: Raw XML of ISAMReverseProxyJunction Object.

Some of these values will change based on the properties configured, such as the address and port of the backend server. Examples of this include isamruntimehostname and isamruntimeport in the properties file.

Figure 3: Junction page of Junction Configuration

Figure 4: Identity settings for the Junction

    <ISAMReverseProxyJunction xmlns:env=" name="mga">
        <madminstate>enabled</madminstate>
        <UserSummary>Automatically created by isamcfg.pl </UserSummary>
        <JunctionPointName>/mga</JunctionPointName>
        <JunctionType>standard</JunctionType>
        <TransparentPathJunction>off</TransparentPathJunction>
        <StatefulJunction>on</StatefulJunction>
        <JunctionTypeStandard>ssl</JunctionTypeStandard>
        <JunctionTypeVirtual>tcp</JunctionTypeVirtual>
        <TargetBackendServersStandard>
            <Hostname> </Hostname>
            <Port>443</Port>
            <VirtualHost/>
            <VirtualHostPort>0</VirtualHostPort>
            <LocalAddress/>
            <ResolvedLocalAddress/>
            <QueryContents>/sps/cgi-bin/query_contents</QueryContents>
            <ServerUUID/>
            <DN/>
            <WindowsFSSupport>off</WindowsFSSupport>
            <URLCaseInsensitive>off</URLCaseInsensitive>
        </TargetBackendServersStandard>
        <BasicAuth>off</BasicAuth>
        <MutualAuth>off</MutualAuth>
        <BasicAuthHeader>none</BasicAuthHeader>
        <HeaderIdentityInfo>
            <iv-user>on</iv-user>
            <iv-user-l>on</iv-user-l>
            <iv-groups>on</iv-groups>
            <iv-creds>on</iv-creds>
        </HeaderIdentityInfo>
        <HeaderEncoding>none</HeaderEncoding>
        <JunctionCookieJSBlock>inhead</JunctionCookieJSBlock>
        <UniqueCookieNames>off</UniqueCookieNames>
        <PreserveJuncName>off</PreserveJuncName>
        <IncludeSessionCookie>off</IncludeSessionCookie>
        <IncludeJuncName>on</IncludeJuncName>
        <InsertClientIP>off</InsertClientIP>
        <TFIMSSO>off</TFIMSSO>
        <LTPACookie>off</LTPACookie>
        <LTPAV2Cookie>off</LTPAV2Cookie>
        <PercentHardLimitWT>100</PercentHardLimitWT>
        <PercentSoftLimitWT>90</PercentSoftLimitWT>
        <IncludeAuthRules>off</IncludeAuthRules>
    </ISAMReverseProxyJunction>

Listing 12: Raw XML of ISAMReverseProxyJunction Object.

Figure 5: Backend server configuration for Junction

4 Running the script

The provided script can be invoked from the command line.

    $ ./isamcfg.pl
    usage: isamcfg.pl [properties FILE] [verbose] [-v]

The first parameter must be the path to your properties file. The second is an optional parameter to turn on verbose output. Typical output from running the script is as follows:

    $ ./isamcfg.pl isam.props
    INFO:logging to /tmp/isamcfgpl.log
    Please enter your Datapower Admin Password value:
    Please enter your pdadmin Password value:
    Please enter your ISAM Runtime easuser password value:
    INFO: Configuration Complete.

5 Troubleshooting

5.1 Testing the service junction

To test the junction visit the following URL:

    hostname or address>/mga/sps/xauth?target=

Authenticate as a user (do NOT use the sec_master account as this will bypass the ACLs). If you receive a delivery selection page the junction is working.

5.2 Checking integration with ISAM for Mobile

If the integration is not working properly it will be logged in logtemp:/default-log on the DataPower appliance. This is usually an SSL issue. Check the SSL configuration in the [rtss-cluster:cluster1] and [tfim-cluster:oauth-cluster] stanzas. The following trace strings in pdadmin can help debug the rtss and oauth clusters:

    server task <server name> trace set pdweb.rtss 9 file=rtss.log
    server task <server name> trace set pdweb.oauth 9 file=oauth.log

This will make the trace available at logtemp:/var/pdweb/<instancename>/trace/[rtss.log oauth.log]

6 Resources

Visit the ISAM for Mobile product page for more information on ISAM for Mobile.

7 About the authors

Leo Farrell is a software engineer working on the IBM Security Access Manager on DataPower offering. He has a background working on the ISAM appliance including ISAM for Mobile.


More information

IBM Security Access Manager Version 9.0 October Web Reverse Proxy stanza reference topics IBM

IBM Security Access Manager Version 9.0 October Web Reverse Proxy stanza reference topics IBM IBM Security Access Manager Version 9.0 October 2015 Web Reverse Proxy stanza reference topics IBM IBM Security Access Manager Version 9.0 October 2015 Web Reverse Proxy stanza reference topics IBM ii

More information

IBM Single Sign On for Bluemix Version December Identity Bridge Configuration topics

IBM Single Sign On for Bluemix Version December Identity Bridge Configuration topics IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Identity Bridge Configuration topics IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Identity Bridge Configuration topics ii IBM

More information

Configure SSO for WPM (WAS 6.0) and TAM WebSEAL using TAI ++

Configure SSO for WPM (WAS 6.0) and TAM WebSEAL using TAI ++ Configure SSO for WPM (WAS 6.0) and TAM WebSEAL using TAI ++ Charles Ahart cahart@scsinet.com Strategic Computer Solutions These instructions were assembled from some of the configuration steps out of

More information

Microsoft Unified Access Gateway 2010

Microsoft Unified Access Gateway 2010 RSA SecurID Ready Implementation Guide Partner Information Last Modified: March 26, 2013 Product Information Partner Name Web Site Product Name Version & Platform Product Description Microsoft www.microsoft.com

More information

IBM Security Access Manager Version November Web Reverse Proxy stanza reference topics IBM

IBM Security Access Manager Version November Web Reverse Proxy stanza reference topics IBM IBM Security Access Manager Version 9.0.2 November 2016 Web Reverse Proxy stanza reference topics IBM IBM Security Access Manager Version 9.0.2 November 2016 Web Reverse Proxy stanza reference topics

More information

Configuring a basic authentication in WebSEAL to access SmartCloud Control Desk

Configuring a basic authentication in WebSEAL to access SmartCloud Control Desk Configuring a basic authentication in WebSEAL to access SmartCloud Control Desk IBM Tivoli Access Manager WebSEAL is a resource manager responsible for protecting web-based resources. It is a high-performance

More information

ITexamGuide. High-quality IT Cert Exam study guide

ITexamGuide.   High-quality IT Cert Exam study guide ITexamGuide http://www.itexamguide.com High-quality IT Cert Exam study guide Exam : C2150-609 Title : IBM Security Access Manager V9.0 Deployment Vendor : IBM Version : DEMO Get Latest & Valid C2150-609

More information

IBM Single Sign On for Bluemix Version 2.0. Identity Bridge Troubleshooting topics

IBM Single Sign On for Bluemix Version 2.0. Identity Bridge Troubleshooting topics IBM Single Sign On for Bluemix Version 2.0 Identity Bridge Troubleshooting topics IBM Single Sign On for Bluemix Version 2.0 Identity Bridge Troubleshooting topics ii IBM Single Sign On for Bluemix Version

More information

IBM Security Access Manager Version December Release information

IBM Security Access Manager Version December Release information IBM Security Access Manager Version 8.0.1 12 December 2014 Release information IBM Security Access Manager Version 8.0.1 12 December 2014 Release information ii IBM Security Access Manager Version 8.0.1

More information

IBM IBM IBM Tivoli Federated Identity Manager V6.1. Practice Test. Version

IBM IBM IBM Tivoli Federated Identity Manager V6.1. Practice Test. Version IBM 000-891 IBM 000-891 IBM Tivoli Federated Identity Manager V6.1 Practice Test Version 1.1 QUESTION NO: 1 IBM 000-891: Practice Exam Which protocol supports only PULL Single Sign-On (SSO)? A. SAML V2.0

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Shared Session Management Administration Guide

Shared Session Management Administration Guide Security Access Manager Version 7.0 Shared Session Management Administration Guide SC23-6509-02 Security Access Manager Version 7.0 Shared Session Management Administration Guide SC23-6509-02 Note Before

More information

Cisco TelePresence Conductor with Cisco Unified Communications Manager

Cisco TelePresence Conductor with Cisco Unified Communications Manager Cisco TelePresence Conductor with Cisco Unified Communications Manager Deployment Guide XC2.2 Unified CM 8.6.2 and 9.x D14998.09 Revised March 2014 Contents Introduction 4 About this document 4 Further

More information

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower Configuration Guide SOAPMDP_Config_7.2.0 Copyright Copyright 2015 SOA Software, Inc. All rights

More information

IBM Security Access Manager Version 9.0 October Product overview IBM

IBM Security Access Manager Version 9.0 October Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM IBM Security Access Manager Version 9.0 October 2015 Product overview IBM ii IBM Security Access Manager Version 9.0 October 2015:

More information

Okta Integration Guide for Web Access Management with F5 BIG-IP

Okta Integration Guide for Web Access Management with F5 BIG-IP Okta Integration Guide for Web Access Management with F5 BIG-IP Contents Introduction... 3 Publishing SAMPLE Web Application VIA F5 BIG-IP... 5 Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP...

More information

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft DEPLOYMENT GUIDE Version 1.1 Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft Table of Contents Table of Contents Introducing the BIG-IP APM deployment guide Revision history...1-1

More information

Troubleshooting Guide

Troubleshooting Guide IBM Security Access Manager for Mobile Version 8 Release 0 Troubleshooting Guide GC27-6209-00 IBM Security Access Manager for Mobile Version 8 Release 0 Troubleshooting Guide GC27-6209-00 Note Before

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Windows VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Authorization C API Developer Reference

Authorization C API Developer Reference IBM Security Access Manager for Web Version 7.0 Authorization C API Deeloper Reference SC23-6515-02 IBM Security Access Manager for Web Version 7.0 Authorization C API Deeloper Reference SC23-6515-02

More information

Create Decryption Policies to Control HTTPS Traffic

Create Decryption Policies to Control HTTPS Traffic Create Decryption Policies to Control HTTPS Traffic This chapter contains the following sections: Overview of Create Decryption Policies to Control HTTPS Traffic, page 1 Managing HTTPS Traffic through

More information

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4. Server 4.3 Copyright 1 Copyright 2017 Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.3 June, 2017 Ping Identity Corporation 1001 17th Street, Suite 100 Denver,

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

IBM Security Access Manager Firmware Update ISS-ISAM-FP0001 README

IBM Security Access Manager Firmware Update ISS-ISAM-FP0001 README IBM Security Access Manager Firmware Update 9.0.0-ISS-ISAM-FP0001 README Copyright International Business Machines Corporation 2013, 2015. All rights reserved. U.S. Government Users Restricted Rights --

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX KillTest Q&A Exam : 000-936 Title : IBM Tivoli Access Manager for e-business V6.1 Implementation Version : Demo 1 / 11 1. What is the proper sequence of steps in the client-side certificate authentication

More information

IBM Security Access Manager Version April Web Base Administration Topics

IBM Security Access Manager Version April Web Base Administration Topics IBM Security Access Manager Version 8.0.1.2 15 April 2015 Web Base Administration Topics IBM Security Access Manager Version 8.0.1.2 15 April 2015 Web Base Administration Topics ii IBM Security Access

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Workflow, page 5 Reconfigure OpenAM SSO to SAML SSO After an Upgrade, page 9 Prerequisites NTP Setup In SAML SSO, Network Time Protocol (NTP) enables clock

More information

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6 for Office Contents 2 Contents 8.0 Help for Community Managers... 3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6

More information

Novell Access Manager

Novell Access Manager Setup Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 Setup Guide Legal Notices Novell, Inc., makes no representations or warranties

More information

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6 for Office Contents 2 Contents Cloud Help for Community Managers...3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6

More information

Tivoli Policy Director for WebLogic Server

Tivoli Policy Director for WebLogic Server Tivoli Policy Director for WebLogic Server User Guide Version 3.8 SC32-0831-00 Tivoli Policy Director for WebLogic Server User Guide Version 3.8 SC32-0831-00 Tivoli SecureWay Policy Director for WebLogic

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

Barracuda Networks NG Firewall 7.0.0

Barracuda Networks NG Firewall 7.0.0 RSA SECURID ACCESS Standard Agent Implementation Guide Barracuda Networks.0 fal, RSA Partner Engineering Last Modified: 10/13/16 Solution Summary The Barracuda NG Firewall

More information

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) IBM InfoSphere Information Server IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) Installation and Configuration Guide Copyright International

More information

IBM Security Access Manager Version Web Base Administration Topics

IBM Security Access Manager Version Web Base Administration Topics IBM Security Access Manager Version 8.0.0.4 Web Base Administration Topics IBM Security Access Manager Version 8.0.0.4 Web Base Administration Topics ii IBM Security Access Manager Version 8.0.0.4: Web

More information

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

IBM Security Access Manager for Web Version June Troubleshooting Topics

IBM Security Access Manager for Web Version June Troubleshooting Topics IBM Security Access Manager for Web Version 8.0.1.3 25 June 2015 Troubleshooting Topics IBM Security Access Manager for Web Version 8.0.1.3 25 June 2015 Troubleshooting Topics ii IBM Security Access Manager

More information

web.xml Deployment Descriptor Elements

web.xml Deployment Descriptor Elements APPENDIX A web.xml Deployment Descriptor s The following sections describe the deployment descriptor elements defined in the web.xml schema under the root element . With Java EE annotations, the

More information

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013 Ping Identity RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 13, 2013 Product Information Partner Name Ping Identity Web Site www.pingidentity.com Product Name PingFederate

More information

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3. Android Mobile Single Sign-On to VMware Workspace ONE SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware

More information

Error Message Reference

Error Message Reference IBM Security Access Manager for Web Version 7.0 Error Message Reference GI11-8157-02 IBM Security Access Manager for Web Version 7.0 Error Message Reference GI11-8157-02 Note Before using this information

More information

VMware Tunnel Guide for Windows

VMware Tunnel Guide for Windows VMware Tunnel Guide for Windows Installing the VMware Tunnel for your Workspace ONE UEM environment Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using

More information

Novell Access Manager

Novell Access Manager SSL VPN Server Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 SSL VPN Server Guide Legal Notices Novell, Inc., makes no representations

More information

Lotus IBM WebShere Portal 6 Deployment and Administration.

Lotus IBM WebShere Portal 6 Deployment and Administration. Lotus 190-825 IBM WebShere Portal 6 Deployment and Administration http://killexams.com/exam-detail/190-825 QUESTION: 131 While managing your Portal environment, you chose to externalize the access control

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Microsoft Exchange Server 2013 and 2016 Deployment

Microsoft Exchange Server 2013 and 2016 Deployment Microsoft Exchange Server 2013 and 2016 Deployment Barracuda Networks has conducted interoperability tests using the Barracuda Load Balancer ADC and Microsoft Exchange Server 2013 and Microsoft Exchange

More information

Single Sign-On for PCF. User's Guide

Single Sign-On for PCF. User's Guide Single Sign-On for PCF Version 1.2 User's Guide 2018 Pivotal Software, Inc. Table of Contents Table of Contents Single Sign-On Overview Installation Getting Started with Single Sign-On Manage Service Plans

More information

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x RSA SECURID ACCESS Implementation Guide Pulse Connect Secure 8.x Daniel R. Pintal, RSA Partner Engineering Last Modified: January 24 th, 2018 Solution Summary The Pulse

More information

BIG-IP Access Policy Manager : Portal Access. Version 12.1

BIG-IP Access Policy Manager : Portal Access. Version 12.1 BIG-IP Access Policy Manager : Portal Access Version 12.1 Table of Contents Table of Contents Overview of Portal Access...7 Overview: What is portal access?...7 About portal access configuration elements...7

More information

Cisco TelePresence Conductor with Unified CM

Cisco TelePresence Conductor with Unified CM Cisco TelePresence Conductor with Unified CM Deployment Guide TelePresence Conductor XC3.0 Unified CM 10.x Revised February 2015 Contents Introduction 5 About this document 5 Related documentation 5 About

More information

Bomgar PA Integration with ServiceNow

Bomgar PA Integration with ServiceNow Bomgar PA Integration with ServiceNow 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of

More information

Using IBM DataPower as the ESB appliance, this provides the following benefits:

Using IBM DataPower as the ESB appliance, this provides the following benefits: GSB OVERVIEW IBM WebSphere Data Power SOA Appliances are purpose-built, easy-to-deploy network devices that simplify, secure, and accelerate your XML and Web services deployments while extending your SOA

More information

Advanced Service Design. vrealize Automation 6.2

Advanced Service Design. vrealize Automation 6.2 vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to

More information

On-demand target, up and running

On-demand target, up and running On-demand target, up and running ii On-demand target, up and running Contents Chapter 1. Assumptions........ 1 Chapter 2. Overview......... 3 Chapter 3. Component purpose.... 5 Chapter 5. Starting a session

More information

Advanced Clientless SSL VPN Configuration

Advanced Clientless SSL VPN Configuration Microsoft Kerberos Constrained Delegation Solution, page 1 Configure Application Profile Customization Framework, page 7 Encoding, page 11 Use Email over Clientless SSL VPN, page 13 Microsoft Kerberos

More information

Read the following information carefully, before you begin an upgrade.

Read the following information carefully, before you begin an upgrade. Read the following information carefully, before you begin an upgrade. Review Supported Upgrade Paths, page 1 Review Time Taken for Upgrade, page 1 Review Available Cisco APIC-EM Ports, page 2 Securing

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Administering Jive Mobile Apps for ios and Android

Administering Jive Mobile Apps for ios and Android Administering Jive Mobile Apps for ios and Android TOC 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios...3 Custom App Wrapping for ios...3 Authentication with Mobile

More information

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810 Workspace ONE UEM Integration with RSA PKI VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Oracle Entitlements Server 11gR2 Integration Guide Published: May 2013

Oracle Entitlements Server 11gR2 Integration Guide Published: May 2013 Oracle Entitlements Server 11gR2 Integration Guide Published: May 2013 Applies To Oracle API Gateway v11.1.2.x Contents Introduction Prerequisites Integration Configuration Steps OES Configuration: Step

More information

Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN

Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN Create and Apply Clientless SSL VPN Policies for Accessing Resources, page 1 Connection Profile Attributes for Clientless SSL VPN, page 1 Group Policy and User Attributes for Clientless SSL VPN, page 3

More information

Cisco TelePresence Conductor with Cisco Unified Communications Manager

Cisco TelePresence Conductor with Cisco Unified Communications Manager Cisco TelePresence Conductor with Cisco Unified Communications Manager Deployment Guide TelePresence Conductor XC4.0 Unified CM 10.5(2) January 2016 Contents Introduction 6 About this document 6 Related

More information

Introduction to SSO Access Policy

Introduction to SSO Access Policy Introduction to SSO Access Policy ISAM appliance includes an advanced access control offering that can be used to create authentication policies to protect web resources. These authentication policies

More information

Novell Access Manager

Novell Access Manager Quick Start AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 June 11, 2010 www.novell.com Novell Access Manager 3.1 SP2 Quick Start Legal Notices Novell, Inc., makes no representations or warranties

More information

BIG-IP Access Policy Manager : Visual Policy Editor. Version 12.1

BIG-IP Access Policy Manager : Visual Policy Editor. Version 12.1 BIG-IP Access Policy Manager : Visual Policy Editor Version 12.1 Table of Contents Table of Contents Visual Policy Editor...7 About the visual policy editor...7 Visual policy editor conventions...7 About

More information

C IBM. IBM WebSphere App Server Network Deployment V8.0- Core Admin

C IBM. IBM WebSphere App Server Network Deployment V8.0- Core Admin IBM C2180-317 IBM WebSphere App Server Network Deployment V8.0- Core Admin Download Full Version : http://killexams.com/pass4sure/exam-detail/c2180-317 Answer: C QUESTION: 55 A system administrator needs

More information

IBM Single Sign On for Bluemix Version December Web Base Administration topics for Identity Bridge

IBM Single Sign On for Bluemix Version December Web Base Administration topics for Identity Bridge IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Web Base Administration topics for Identity Bridge IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Web Base Administration topics

More information

BIG-IP Access Policy Manager : Implementations. Version 12.1

BIG-IP Access Policy Manager : Implementations. Version 12.1 BIG-IP Access Policy Manager : Implementations Version 12.1 Table of Contents Table of Contents Web Access Management...11 Overview: Configuring APM for web access management...11 About ways to time out

More information

IBM Security Access Manager Version Appliance troubleshooting topics

IBM Security Access Manager Version Appliance troubleshooting topics IBM Security Access Manager Version 8.0.0.5 Appliance troubleshooting topics IBM Security Access Manager Version 8.0.0.5 Appliance troubleshooting topics ii IBM Security Access Manager Version 8.0.0.5:

More information

IBM Security Access Manager Version 9.0 October Federation Administration topics IBM

IBM Security Access Manager Version 9.0 October Federation Administration topics IBM IBM Security Access Manager Version 9.0 October 2015 Federation Administration topics IBM IBM Security Access Manager Version 9.0 October 2015 Federation Administration topics IBM ii IBM Security Access

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Policy Manager for IBM WebSphere DataPower 8.0: Installation Guide

Policy Manager for IBM WebSphere DataPower 8.0: Installation Guide Policy Manager for IBM WebSphere DataPower 8.0: Installation Guide Policy Manager for IBM WebSphere DataPower Install Guide AKANA_PMDP_Install_8.0 Copyright Copyright 2016 Akana, Inc. All rights reserved.

More information

Microsoft IIS version 6 Integration

Microsoft IIS version 6 Integration Microsoft IIS version 6 Integration Contents 1 Overview 2 Prerequisites 3 PINsafe Configuration 4 Configuring the IIS Server 4.1 Install the PINsafeIISFilter.exe 4.2 Configure the ISAPI filter 4.3 Create

More information

Installing or Upgrading ANM Virtual Appliance

Installing or Upgrading ANM Virtual Appliance CHAPTER 2 This chapter describes how to deploy Cisco ANM Virtual Appliance 4.3 (new installation) and how to upgrade from ANM software version 4.1 or 4.2 to software version 4.3. This chapter includes

More information

IBM Security Access Manager Single Sign-on with Federation

IBM Security Access Manager Single Sign-on with Federation IBM Security Access Manager Single Sign-on with Federation IBM SECURITY SUPPORT OPEN MIC To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection

More information

Bring Your Own Device Part I Yuqing Zhao 趙宇清 Protocol Test Suite Developer Microsoft Corporation

Bring Your Own Device Part I Yuqing Zhao 趙宇清 Protocol Test Suite Developer Microsoft Corporation Bring Your Own Device Part I Yuqing Zhao 趙宇清 Protocol Test Suite Developer Microsoft Corporation What s BYOD Device Public Cloud Device Enterprise On-Premise Cloud BYOD Protocols and Test Design

More information

Release 3.0. Delegated Admin Application Guide

Release 3.0. Delegated Admin Application Guide Release 3.0 Delegated Admin Application Guide Notice PingDirectory Product Documentation Copyright 2004-2018 Ping Identity Corporation. All rights reserved. Trademarks Ping Identity, the Ping Identity

More information

Security Support Open Mic Build Your Own POC Setup

Security Support Open Mic Build Your Own POC Setup IBM Security Access Manager 08/25/2015 Security Support Open Mic Build Your Own POC Setup Panelists Reagan Knowles Level II Engineer Nick Lloyd Level II Support Engineer Kathy Hansen Level II Support Manager

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware AirWatch Integration with RSA PKI Guide

VMware AirWatch Integration with RSA PKI Guide VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information