
Page 1: Configuring and Deploying IBM Security Access Manager ...


IBM Software Group®

WebSphere® Support Technical Exchange

Configuring and Deploying IBM Security Access Manager (ISAM) Reverse Proxy in DataPower®

Rao Nanduri and Chin Sahoo [email protected] and [email protected] IBM DataPower Gateway and API Management L2 Support Team

Date: Sept 1, 2015

Page 2: Configuring and Deploying IBM Security Access Manager ...


Agenda

Introduction

Configuration of Policy and Lightweight Directory Access Protocol (LDAP) servers in ISAM Appliance

Configuration of DataPower Artifacts to integrate with ISAM

Configuration of DataPower Service to use in ISAM Reverse Proxy

Troubleshooting

Summary

Page 3: Configuring and Deploying IBM Security Access Manager ...


Why do we need IBM Security Access Manager (ISAM) for DataPower?

Web Workload Management

Virtual Hosting and Security Policies

Session Management

URL Rewriting

Context Based Access

One-time Password

Multi-factor Authentication

Strong Authentication

With ISAM integration and a cached policy database, DataPower becomes a high-performing security policy enforcement point (PEP).

Page 4: Configuring and Deploying IBM Security Access Manager ...


Requirements to integrate DataPower with ISAM

Firmware: v7.1 or higher

Installation: License Activation, firmware installation

Platforms: virtual/physical; XG45, XI52, XB62

[Diagram: DataPower Reverse Proxy connected to the ISAM appliance's Reverse Proxy, Policy Server and LDAP]

Policy Server of either Mobile or Web physical or virtual appliances

LDAP Server (either local or remote)

Page 5: Configuring and Deploying IBM Security Access Manager ...


ISAM Policy Server Configuration

ISAM Runtime server configured with Policy and LDAP Servers.

Policy and LDAP servers can be local or remote.

The local LDAP user registry by default listens on port 636 with SSL. Port 389 is available only on 127.0.0.1.

Page 6: Configuring and Deploying IBM Security Access Manager ...


ISAM Policy Server Configuration

Page 7: Configuring and Deploying IBM Security Access Manager ...


Creating users in Embedded LDAP


Page 8: Configuring and Deploying IBM Security Access Manager ...


Creating users in Embedded LDAP


Page 9: Configuring and Deploying IBM Security Access Manager ...


Creating Groups in Embedded LDAP

Add users to the Group

Page 10: Configuring and Deploying IBM Security Access Manager ...


Configure IBM Security Access Manager Reverse Proxy on DataPower

1. Set up Access Manager Runtime for connection to ISAM Policy Server and LDAP

2. Configure Access Manager Reverse Proxy with security junctions

3. Set up Access Control Lists (ACLs) and attach to resources in ISAM Policy Server

4. Configure DataPower Web Service Proxy (WS-Proxy) Service to interact with Reverse Proxy

Page 11: Configuring and Deploying IBM Security Access Manager ...


DataPower Access Manager Runtime – Policy and LDAP Servers

Enter ISAM server runtime information to connect to the Policy and LDAP Servers.

Page 12: Configuring and Deploying IBM Security Access Manager ...


DataPower Access Manager Runtime – Manage Files

Page 13: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy

IP or hostname and the listening port used by the ISAM policy server to contact the DataPower appliance.

ISAM Administrator user ID and Password Alias, defined as a password map.

The name of the ISAM management domain.

Page 14: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy

Protocol and ports on the DataPower appliance on which client requests are listened for.

DataPower appliance interface on which client HTTP(S) requests are received.

Idle persistent client connection time, after which DataPower terminates the connection.

The number of threads that are allocated to service client requests.

Page 15: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy: Enabling SSL on User Registry (Optional)

Optionally enable SSL on the LDAP User Registry.

KeyStore kdb with LDAP Trusted Certificates. The ".sth" file can also be uploaded to the kdb folder.

Page 16: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy: Junction

The maximum time for sending to and reading from a TCP junction.

The maximum number of connections between the proxy and a junctioned web server that can be cached, with a maximum idle time for a cached persistent connection (Timeout).

Reverse Proxy Junction.

Page 17: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy: Junction

Page 18: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower ISAM Reverse Proxy: Authentication and Session management

Page 19: Configuring and Deploying IBM Security Access Manager ...


DataPower ISAM Reverse Proxy – Configuration Files

Page 20: Configuring and Deploying IBM Security Access Manager ...


DataPower Access Manager Reverse Proxy Object


Page 21: Configuring and Deploying IBM Security Access Manager ...


Adding ISAM ACLs in the Policy Server for the Junction
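The deck shows the ACL step (step 3 of the reverse proxy configuration, and this slide) only as screenshots of the ISAM console. The script below is an added example, not code from the deck or from IBM, showing the same work done with pdadmin so it can be reviewed and repeated. It assumes pdadmin is on the PATH and reads commands from standard input, that the DataPower reverse proxy instance appears in the protected object space as /WebSEAL/<host>-<instance>, and that the names dpacl, dpgroup, dp01, default and /dpjct are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the IBM deck: generate and apply the pdadmin commands
# that create an ACL for a DataPower reverse proxy junction and attach it.
# Assumptions (not stated on the slides): pdadmin is on PATH and reads commands
# from standard input; the reverse proxy instance is registered in the object
# space as /WebSEAL/<host>-<instance>; all names below are placeholders.

# acl_script ACL GROUP HOST INSTANCE JUNCTION
# Prints the pdadmin commands so they can be reviewed before they are sent.
acl_script() {
    acl="$1"; group="$2"; host="$3"; instance="$4"; junction="$5"
    case "$junction" in
        /*) ;;
        *) echo "junction must start with /: $junction" >&2; return 2 ;;
    esac
    printf 'acl create %s\n' "$acl"
    # sec_master keeps the full default permission set on the new ACL
    printf 'acl modify %s set user sec_master TcmdbsvaBRl\n' "$acl"
    # members of the group may traverse, read and execute (Trx), nothing more
    printf 'acl modify %s set group %s Trx\n' "$acl" "$group"
    # everyone else gets traverse only, so the junction is not reachable anonymously
    printf 'acl modify %s set any-other T\n' "$acl"
    printf 'acl modify %s set unauthenticated T\n' "$acl"
    # attach the ACL to the junction object of this reverse proxy instance
    printf 'acl attach /WebSEAL/%s-%s%s %s\n' "$host" "$instance" "$junction" "$acl"
    printf 'acl show %s\n' "$acl"
}

# apply_acl PASSWORD_FILE ACL GROUP HOST INSTANCE JUNCTION
# Logs in as sec_master with the password read from a file (keeps it out of
# the process list) and feeds the generated commands to pdadmin.
apply_acl() {
    pwfile="$1"; shift
    [ -r "$pwfile" ] || { echo "cannot read password file: $pwfile" >&2; return 2; }
    acl_script "$@" >/dev/null || return 2   # validate the arguments first
    { printf 'login -a sec_master -p %s\n' "$(cat "$pwfile")"; acl_script "$@"; } | pdadmin
}

# Usage (placeholders): apply_acl /secure/sec_master.pw dpacl dpgroup dp01 default /dpjct
```

Run acl_script on its own first and read the output; apply_acl sends exactly those lines after the login. The any-other and unauthenticated entries are set explicitly so the new ACL does not silently inherit broader access from the default ACL above it.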

Page 22: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower Web Service Proxy Service

Page 23: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower WebService Proxy Service

Page 24: Configuring and Deploying IBM Security Access Manager ...


Configuring HTTP Front Side Handler (FSH)

Page 25: Configuring and Deploying IBM Security Access Manager ...


Configuring WS-Proxy Processing rules

Page 26: Configuring and Deploying IBM Security Access Manager ...


Making use of Federated User Registries

Page 27: Configuring and Deploying IBM Security Access Manager ...


Federated User Registries

ISAM now supports federating remote user registries like TDS, AD or Oracle Directory without adding any schemas or metadata.

With some manual addition of the information of the federated LDAP instances into the DataPower reverse proxy configuration files, one can use the federated users or groups in the authentication or authorization process.

Page 28: Configuring and Deploying IBM Security Access Manager ...


ISAM Configuration – Optionally Federating Remote LDAP Servers

Page 29: Configuring and Deploying IBM Security Access Manager ...


ISAM Configuration – Optionally Federating Remote LDAP Servers

basic-user-principal-attribute = sAMAccountName

The embedded LDAP server listens on port 389 (non-SSL) and 636 (SSL) of the management interface of the appliance by default.

Page 30: Configuring and Deploying IBM Security Access Manager ...


DataPower ISAM Reverse Proxy – Update LDAP Configuration file for Federated LDAPs

Page 31: Configuring and Deploying IBM Security Access Manager ...


DataPower ISAM Reverse Proxy – Update LDAP Configuration file for Federated LDAPs


Page 32: Configuring and Deploying IBM Security Access Manager ...


Configuring DataPower Authentication, Authorization and Auditing (AAA) action to interact with ISAM based LDAP Server

Page 33: Configuring and Deploying IBM Security Access Manager ...


Accessing ISAM LDAP and Policy Servers via Datapower AAA

Page 34: Configuring and Deploying IBM Security Access Manager ...


Accessing ISAM LDAP and Policy implementation via Datapower AAA

Page 35: Configuring and Deploying IBM Security Access Manager ...


Accessing ISAM LDAP and Policy implementation via Datapower AAA

Page 36: Configuring and Deploying IBM Security Access Manager ...


Accessing ISAM LDAP and Policy implementation via Datapower AAA

Page 37: Configuring and Deploying IBM Security Access Manager ...


Accessing ISAM LDAP and Policy implementation via Datapower AAA

The AAA object can use only a key database (kdb) with a password (instead of an sth file). This makes it necessary to create a new kdb file with a known password.

Export the LDAP CA/personal cert keys from the SSL Certificates location of the System Management settings of ISAM.

Create an empty kdb:

gsk7cmd -keydb -create -db ISAMLDAP.kdb -pw passw0rd -stash -type cms -expire 7200

Add LDAP CA certificates:

gsk7cmd -cert -add -db ISAMLDAP.kdb -pw passw0rd -file serv.p12 -label "Server"

List the certificates to verify the label is present (runmqckm is the IBM MQ-bundled equivalent of gsk7cmd):

runmqckm -cert -list -db ISAMLDAP.kdb -pw passw0rd
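The three commands above are easy to get wrong by hand (the deck's own slide uses three different spellings of the kdb name). The script below is an added example, not code from the deck or from IBM, that runs the same sequence with one file name, refuses to overwrite an existing key database, and fails unless the label really appears in the listing afterwards. It assumes gsk7cmd (iKeycmd) is on the PATH, that CERTFILE is the certificate exported from the ISAM SSL Certificates page (serv.p12 on the slide), and that KDB_DRY_RUN is a variable of this script only: set it to 1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the IBM deck: build the CMS key database for the
# DataPower AAA action with one consistent file name and verify the result.
# Assumptions: gsk7cmd (iKeycmd) is on PATH; CERTFILE is the certificate
# exported from ISAM (serv.p12 on the slide); KDB_DRY_RUN=1 prints the
# commands instead of running them (a convention of this script only).

# Run the command, or print it when KDB_DRY_RUN=1.
kdb_run() {
    if [ "${KDB_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_kdb DBFILE PASSWORD CERTFILE LABEL
build_kdb() {
    db="$1"; pw="$2"; certfile="$3"; label="$4"
    case "$db" in
        *.kdb) ;;
        *) echo "key database name must end in .kdb: $db" >&2; return 2 ;;
    esac
    if [ "${KDB_DRY_RUN:-0}" != "1" ]; then
        [ -f "$certfile" ] || { echo "certificate file not found: $certfile" >&2; return 2; }
        if [ -e "$db" ]; then echo "refusing to overwrite existing $db" >&2; return 2; fi
    fi
    # 1. Create the empty CMS key database; -stash also writes the .sth file
    kdb_run gsk7cmd -keydb -create -db "$db" -pw "$pw" -stash -type cms -expire 7200 || return 1
    # 2. Add the LDAP CA/server certificate under a known label
    kdb_run gsk7cmd -cert -add -db "$db" -pw "$pw" -file "$certfile" -label "$label" || return 1
    # 3. List the contents; outside dry-run, fail unless the label is present
    if [ "${KDB_DRY_RUN:-0}" = "1" ]; then
        kdb_run gsk7cmd -cert -list -db "$db" -pw "$pw"
    else
        gsk7cmd -cert -list -db "$db" -pw "$pw" | grep -F -- "$label" >/dev/null \
            || { echo "label '$label' not found in $db" >&2; return 1; }
    fi
}

# Usage (values from the slide): build_kdb ISAMLDAP.kdb passw0rd serv.p12 Server
```

The password is passed on the command line here only because gsk7cmd takes it that way; keep the script's invocation out of shell history on shared hosts, and upload only the .kdb (and, if you use it, the .sth) to the DataPower domain.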

Page 38: Configuring and Deploying IBM Security Access Manager ...


Troubleshooting DataPower Services and ISAM Policy Server

Page 39: Configuring and Deploying IBM Security Access Manager ...


Troubleshooting – Custom Log Target

Page 40: Configuring and Deploying IBM Security Access Manager ...


Troubleshooting – Custom Log Target

Page 41: Configuring and Deploying IBM Security Access Manager ...


Troubleshooting – Packet Capture enabled in default domain

Page 42: Configuring and Deploying IBM Security Access Manager ...


Troubleshooting ISAM Policy Server

ISAM Policy Server and user-registry log files can be viewed and exported from the top menu: select Monitor Analysis and Diagnostics > Application Log Files.

DataPower junction and connectivity related problems: Packet Capture, Debug Error Report file.

Page 43: Configuring and Deploying IBM Security Access Manager ...


Summary

Discussed configuration artifacts for ISAM Policy and LDAP servers.

Presented configuration objects and requirements for Reverse Proxy, Web Service Proxy and AAA action in DataPower to integrate with the ISAM Policy server.

Discussed use case scenarios to deploy DataPower ISAM Reverse Proxy for the backend web server and DataPower-based services.

Provided troubleshooting techniques and tips to debug Reverse Proxy and ISAM Policy server.

Page 44: Configuring and Deploying IBM Security Access Manager ...


Connect with us!

1. Get notified on upcoming webcasts: send an e-mail to [email protected] with subject line "wste subscribe" to get a list of mailing lists and to subscribe.

2. Tell us what you want to learn: send us suggestions for future topics or improvements about our webcasts to [email protected]

Page 45: Configuring and Deploying IBM Security Access Manager ...


Questions and Answers

Page 46: Configuring and Deploying IBM Security Access Manager ...


Additional WebSphere Product Resources

Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html

Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/

Join the Global WebSphere Community: http://www.websphereusergroup.org

Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant

View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html

Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html