IBM Security Access Manager Notes
SAM Virtual Appliance internals
Mount the iso
sudo mount -o loop sam_appliance.iso /media/temp
inside isolinux folder:
boot.msg and img1a.cfg are the initial syslinux message and the config file, XORed with 0xFF. Plain text of img1a.cfg:
SERIAL 0 9600 0x003
DEFAULT linux
TIMEOUT 100
PROMPT 1
display boot.msg
LABEL linux
  KERNEL img2a
  MENU LABEL Boot IBM Security Appliance Installer
  APPEND initrd=img3a rw root=/dev/ram0 ramdisk_size=237416 console=tty0 console=ttyS0 pcie_aspm=off nopat quiet vga=0x303 LANG=en_US.UTF-8
LABEL boothdd
  MENU LABEL Boot from Hard Drive
  localboot -1
Could have been created with the IBM boot tools.
img2a is a gzipped Xen Linux kernel, img3a is a gzipped ram drive. Both carry a vendor header in front of the gzip stream, so unzip them by looking up the gzip signature offset and unpacking from that point, like this:
$ od -A d -t x1 img2a | grep '1f 8b 08 00'
0016480 48 8d 83 90 56 3c 00 ff e0 1f 8b 08 00 74 2b a5
$ dd if=img2a bs=1 skip=16489 | zcat > img2a.uncomp
$ od -A d -t x1 img3a | grep '1f 8b 08 00'
0002048 1f 8b 08 00 95 87 f4 52 00 03 b4 3d 0d 70 1c e5
$ dd if=img3a bs=1 skip=2048 | zcat > img3a.uncomp
79233137+0 records in
79233137+0 records out
79233137 bytes (79 MB) copied, 76.4194 s, 1.0 MB/s
(this one is around 210M unzipped)
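The signature-scan-then-dd step above, as an added Python example (not from these notes): it finds every plausible gzip header in an image, carves the stream at the first one with zlib, and keeps the vendor header separately so it can be put back in front of a repacked image. The file names and the sample image the block builds are constructed for illustration.

```python
import gzip
import sys
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate): the bytes the od|grep above hunts for


def find_gzip_offsets(blob):
    """Offsets of every plausible gzip member header in blob.

    The FLG byte at +3 must have its reserved bits 5-7 clear; that
    discards most accidental 1f 8b 08 sequences inside kernel code.
    """
    hits = []
    pos = blob.find(GZIP_MAGIC)
    while pos >= 0 and pos + 10 <= len(blob):
        if blob[pos + 3] & 0xE0 == 0:
            hits.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return hits


def carve_gzip(blob, offset):
    """Return (vendor_header, payload): the bytes before the gzip stream and
    the decompressed stream. Trailing bytes after the member are ignored,
    which is what `dd ... | zcat` does too."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect a gzip wrapper
    payload = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError("gzip stream at offset %d is truncated" % offset)
    return blob[:offset], payload


def carve_first(blob):
    """Carve at the first plausible header; raise if there is none."""
    offsets = find_gzip_offsets(blob)
    if not offsets:
        raise ValueError("no gzip signature found")
    return carve_gzip(blob, offsets[0])


def sample_image():
    """Constructed stand-in for img3a: 2048 bytes of vendor header, then a
    gzip member, then some trailing padding. Returns (blob, payload)."""
    payload = b"070701" + b"A" * 5000          # starts like a cpio newc magic
    blob = b"\x00" * 2048 + gzip.compress(payload, mtime=0) + b"\xff" * 16
    return blob, payload


if __name__ == "__main__":
    # usage: python carve.py img2a   -> writes img2a.hdr and img2a.uncomp
    name = sys.argv[1]
    with open(name, "rb") as f:
        header, payload = carve_first(f.read())
    with open(name + ".hdr", "wb") as f:
        f.write(header)
    with open(name + ".uncomp", "wb") as f:
        f.write(payload)
    print("header %d bytes, payload %d bytes" % (len(header), len(payload)))
```

The saved .hdr file is the piece the repack step below needs: concatenate it with the freshly gzipped cpio archive to rebuild an image of the original layout.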
Both files are cpio archives that you can investigate by unpacking. Once inside you can see it's an ISS device (many iss references), RedHat-based Linux.
You can fix and repack it as follows:
cpio -idv < ../img3a.uncomp
then make your modifications, then repack:
find . | cpio -o -H newc | gzip > ../img3a.new
then prepend the original header (the bytes that precede the gzip signature, 2048 bytes for img3a) to img3a.new to recreate the compressed archive
then recreate the ISO
mkiso
or run the ISO and modify it in memory as shown below
Booting the ISO in VirtualBox results in a message that the VM is incompatible. You can trick it into thinking it's inside VMware by changing the Boot variable (see ISIM VA notes).
You can also boot it in VirtualBox by adding a command to drop into a shell before init runs, like this (type at the boot: prompt):
img2a initrd=img3a rw root=/dev/ram0 ramdisk_size=237416 console=tty0 console=ttyS0 vga=0x303 LANG=en_US.UTF-8
run /linuxrc to continue booting
Or drop into a shell using an ISS switch that is acted upon in /etc/rc.sysinit:
img2a initrd=img3a rw root=/dev/ram0 ramdisk_size=237416 single_postswitchroot console=tty0 vga=0x303 LANG=en_US.UTF-8
exit shell or
to continue booting
Note: a second console=ttyS0 causes single mode to be ignored for some reason; pcie_aspm=off and/or nopat cause a kernel panic in VirtualBox.
Make it not care about VMware too much: vi /usr/sbin/mesa_hwdetect and set PRODUCTION to 0.
The main install package (pkg) is a disk image, offset by 2k (probably the header and the integrity signature). Trim it with dd and mount it, or mount it via a loop device with an offset, like this:
sudo losetup /dev/loop1 -o 2048 /media/temp/isam_8.0.0.2_20140207-0000.pkg
sudo mount -t ext2 /dev/loop1 /media/vm
Its filesystem is ext2. View it, then tear down:
sudo umount /media/vm
sudo losetup -d /dev/loop1
Inside the package there is a gzipped cpio archive of the actual SAM root file system (rootfs.cgz). Unroll it and open it up as cpio.
Other
iss-external.kdp password - ibmss01 (.sth xor with F5)
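Added example (not from these notes): a small Python unmasker for the single-byte XOR "obfuscation" used on img1a.cfg and boot.msg (key 0xFF, see the appliance internals section) and on the .sth stash just above (key 0xF5). It recovers the key either from a known plaintext prefix or, with no known plaintext at all, by scoring all 256 candidates for text-likeness; that is the practical point: a single-byte XOR is not encryption, so such files have to be protected by file permissions like any other secret. The config fragment it masks is constructed from the img1a.cfg text shown earlier.

```python
def xor_bytes(data, key):
    """XOR every byte with one key byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def key_from_known_prefix(masked, known_prefix):
    """Recover the key when the first plaintext bytes are known.

    With a single-byte key every position leaks it (key = masked ^ plain);
    all positions of the prefix must agree or it is not a single-byte mask.
    """
    keys = {m ^ p for m, p in zip(masked, known_prefix)}
    if len(keys) != 1:
        raise ValueError("prefix does not fit a single-byte XOR mask")
    return keys.pop()


def _text_score(candidate):
    """Heuristic ranking: reward letters/digits/space/newline, tolerate other
    printable ASCII, punish control and high bytes."""
    score = 0
    for b in candidate:
        if b in (9, 10, 32) or 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122:
            score += 2
        elif b == 13 or 33 <= b <= 126:
            score += 1
        else:
            score -= 10
    return score


def recover_key_statistically(masked):
    """No known plaintext: try all 256 keys, keep the most text-like result."""
    return max(range(256), key=lambda k: _text_score(xor_bytes(masked, k)))


# Constructed sample: a fragment of the syslinux config from the notes.
SAMPLE_CFG = (
    b"SERIAL 0 9600 0x003\nDEFAULT linux\nTIMEOUT 100\nPROMPT 1\n"
    b"display boot.msg\nLABEL linux\nKERNEL img2a\n"
    b"APPEND initrd=img3a rw root=/dev/ram0 console=tty0\n"
)


def demo(key=0xFF):
    """Mask the sample with `key`, then recover the key both ways."""
    masked = xor_bytes(SAMPLE_CFG, key)
    return {
        "key_known": key_from_known_prefix(masked, b"SERIAL"),
        "key_stat": recover_key_statistically(masked),
        "roundtrip": xor_bytes(masked, key) == SAMPLE_CFG,
    }


if __name__ == "__main__":
    for k in (0xFF, 0xF5):
        print("mask 0x%02x -> %s" % (k, demo(k)))
```

For a real file, read it as bytes and call recover_key_statistically on the first few kilobytes; the known-prefix variant is the one to use when you already know what the file starts with (a syslinux directive, for instance).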
The grub menu admin edit password contains a single nonprintable delete character (\0177) so that the administrator can never edit the grub menu:
password --md5 $(/bin/echo -e 'pass\0177word' | openssl passwd -1 -stdin)
admin gets /usr/sbin/mesa_cli as its shell
root password is disabled (two exclamations in front of the hash in shadow):
root:$6$salt$blahblah/:16108:0:99999:7:::
admin:$6$salt$blahblah:16108:0:99999:7:::
the only other actual user is "cluster" with /usr/sbin/wga_clustersh; sshd etc. get /sbin/nologin
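Added example (not from these notes): a Python audit of a passwd/shadow pair that reports which accounts can actually log in, applying the rules just described: a leading ! or * (including the !! never-set marker) locks the account, an empty field means no password, and a nologin shell blocks interactive use even with a valid hash. The sample lines are constructed to mirror the appliance's layout; the hash values are placeholders.

```python
import re

# Constructed sample modelled on the appliance layout described above;
# hashes are placeholders, not real values.
SHADOW_SAMPLE = """\
root:!!$6$salt$blahblah/:16108:0:99999:7:::
admin:$6$salt$blahblah:16108:0:99999:7:::
cluster:$6$salt$blahblah:16108:0:99999:7:::
sshd:*:16108:0:99999:7:::
nobody:!*:16108:0:99999:7:::
guest::16108:0:99999:7:::
"""
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/usr/sbin/mesa_cli
cluster:x:501:501::/home/cluster:/usr/sbin/wga_clustersh
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
nobody:x:99:99::/:/sbin/nologin
guest:x:502:502::/home/guest:/bin/sh
"""

NOLOGIN_SHELLS = {"", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "y": "yescrypt"}


def password_status(field):
    """Classify a shadow password field.

    ''            -> 'empty'   (no password at all)
    '!' or '*'... -> 'locked'  (crypt() can never produce it; '!!' is the
                               never-set marker, '!'+hash a lock on an old hash)
    '$id$...'     -> crypt algorithm name, e.g. 'sha512crypt'
    anything else -> 'unknown' (legacy DES crypt or junk; treated as usable)
    """
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), "crypt-" + m.group(1))
    return "unknown"


def audit_logins(passwd_text, shadow_text):
    """Return {user: (password_status, shell, can_login)}.

    can_login means the hash is not locked and the shell is a real shell,
    i.e. the account is a plausible interactive entry point worth reviewing.
    """
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6]
    report = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, status = fields[0], password_status(fields[1])
        shell = shells.get(user, "")
        can_login = status != "locked" and shell not in NOLOGIN_SHELLS
        report[user] = (status, shell, can_login)
    return report


def login_capable(passwd_text, shadow_text):
    """Sorted list of accounts that can log in interactively."""
    return sorted(u for u, (_, _, ok) in audit_logins(passwd_text, shadow_text).items() if ok)


if __name__ == "__main__":
    for user, (status, shell, ok) in audit_logins(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print("%-8s %-12s %-26s %s" % (user, status, shell, "LOGIN" if ok else "-"))
```

On the appliance root filesystem unpacked from rootfs.cgz, point the two functions at etc/passwd and etc/shadow from the extracted tree; the expected outcome per the notes is that only admin (mesa_cli) and cluster (wga_clustersh) come out as login-capable.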
services started
pd and pdweb rc0,3,5
components (in /opt)
db2
FIM
iswga
java-x86_64-70
ldap
rba - db upgrade soliddb
Tivoli
wlp (websphere liberty profile)
dsc
isam
itimpwd
pdweb
pdwebrte
PolicyDirector
rtss (clustering)
iss-pam
Configuring SMS
com.tivoli.am.sms.config.DSessLogConfigurator configure() CTGSM server.domain.com IP CTGSM1354I Updating the session management server logging configuration file, \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\server1\DSessLog.properties.
com.tivoli.am.sms.config.AMJRTEConfigurator doPDJrteCfg() CTGSM server.domain.com IP CTGSM1350I Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe -Dpd.home=E:\WebSphere\AppServer\java\jre\PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action unconfig -java_home E:\WebSphere\AppServer\java\jre -was.
com.tivoli.am.sms.config.AMJRTEConfigurator doPDJrteCfg() CTGSM server.domain.com IP CTGSM1350I Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe -Dpd.home=E:\WebSphere\AppServer\java\jre\PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action config -config_type full -java_home E:\WebSphere\AppServer\java\jre -host iam-t-mps.domain.com -was -port 7135 -domain Default.
com.tivoli.am.sms.config.AMJRTEConfigurator doConfigure() CTGSM server.domain.com IP CTGSM1350I Running the Tivoli Access Manager Runtime for Java configuration command, E:\WebSphere\AppServer\java\jre\bin\java.exe com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd ******** -appsvr_id SMS-serverNode01 -port 7777 -mode remote -domain Default -policysvr iam-t-mps.domain.com:7135:1 -authzsvr server.domain.com:7136:1, iam-t-rpps.domain.com:7136:1 -cfg_file \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\pdjrtecfg.properties -key_file \E:\WebSphere\AppServer\profiles\AppSrv01\installedApps\serverCell01\DSess.ear\DSess.war\WEB-INF\pdjrtecfg.jks.
com.tivoli.am.sms.config.AMJRTEConfigurator configureKeyFiles() CTGSM server.domain.com IP CTGSM1351I Creating SSL key files, E:\WebSphere\AppServer\profiles\AppSrv01\etc\SMSKeyStore.jks and E:\WebSphere\AppServer\profiles\AppSrv01\etc\SMSTrustStore.jks, for Tivoli Access Manager certificate authentication.
Check SAM standard vs minimal ldap config
Check a user entry in o=company and see if it has any child entries; if not, that's a good sign.
Now check the corresponding entry for that user under secauthority=default:
does it use principalname=UID
or does it use secuuid=XXXXXXXXXXXXXXXXXX
Check cn=users,secauthority=default:
if the DN of the entries under there uses principalname=uid, then it's the minimum format; if it uses secuuid=XXXXXXXXXXXX then it's the standard format
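The check above as an added Python example (not from these notes): it reads an LDIF dump, reports whether a user's native entry under o=company has child entries, and classifies the entries under cn=users,secauthority=default by their RDN attribute (principalname = minimal format, secuuid = standard format), flagging a mix of both. The two LDIF samples are constructed, not captured from a real registry.

```python
# Constructed LDIF dumps (not captured from a real registry) in the two
# layouts the notes describe.
MINIMAL_LDIF = """\
dn: uid=jdoe,ou=people,o=company
objectClass: inetOrgPerson
uid: jdoe

dn: principalname=jdoe,cn=users,secauthority=default
objectClass: secUser
principalName: jdoe
"""

STANDARD_LDIF = """\
dn: uid=jdoe,ou=people,o=company
objectClass: inetOrgPerson
uid: jdoe

dn: secauthority=default,uid=jdoe,ou=people,o=company
objectClass: secUser

dn: secuuid=a1b2c3d4-0000-0000-0000-000000000001,cn=users,secauthority=default
objectClass: secUser
"""


def dns_from_ldif(text):
    """Return the dn: values of an LDIF dump (base64 'dn::' lines skipped)."""
    return [line[3:].strip() for line in text.splitlines()
            if line.lower().startswith("dn:") and not line.startswith("dn::")]


def split_rdns(dn):
    """Split a DN into (attribute, value) pairs, lower-cased for comparison,
    honouring backslash-escaped commas inside values."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for p in parts:
        attr, _, value = p.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_descendant(dn, parent):
    d, p = split_rdns(dn), split_rdns(parent)
    return len(d) > len(p) and d[-len(p):] == p


def has_children(dns, entry_dn):
    """True if any entry in the dump sits below entry_dn."""
    return any(is_descendant(dn, entry_dn) for dn in dns)


def registry_format(dns, container="cn=users,secauthority=default"):
    """Classify the direct children of the TAM user container by RDN type."""
    depth = len(split_rdns(container))
    kinds = set()
    for dn in dns:
        rdns = split_rdns(dn)
        if len(rdns) == depth + 1 and is_descendant(dn, container):
            attr = rdns[0][0]
            kinds.add({"principalname": "minimal", "secuuid": "standard"}.get(attr, "unknown:" + attr))
    if not kinds:
        return "no entries"
    if len(kinds) == 1:
        return kinds.pop()
    return "mixed:" + ",".join(sorted(kinds))


def check_registry(ldif_text, user_dn="uid=jdoe,ou=people,o=company"):
    """The two-step check from the notes in one call."""
    dns = dns_from_ldif(ldif_text)
    return {"user_has_children": has_children(dns, user_dn),
            "format": registry_format(dns)}


if __name__ == "__main__":
    print("minimal dump :", check_registry(MINIMAL_LDIF))
    print("standard dump:", check_registry(STANDARD_LDIF))
```

Feed it the output of an ldapsearch over both suffixes (the user's native subtree and secauthority=default); a "mixed" answer means the registry has been partly migrated and deserves a closer look before any SAM upgrade.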
Configuring WebSphere to communicate with Authorization and Policy Server
am51_was_guide.pdf is helpful. Create the TAM WebSphere administrative user (from Program Files/Tivoli/Policy Director/bin):
pdadmin -a sec_master -p sec_master <Tivoli Access Manager administrator password>
pdadmin sec_master> user create tamwasadmin "CN=tamwasadmin,CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" tamwasadmin tamwasadmin tamwasadmin<you decide>
pdadmin sec_master> user modify tamwasadmin account-valid true
PDJrteCfg: run on the deployment manager first, then on each node:
<WAS HOME>/bin/setupCmdLine.bat
%WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action config -was -config_type full -host win2k3was5.domain.com
Use this if you need to unconfigure:
%WAS_HOME%\java\jre\bin\java -Djava.ext.dirs -Dpd.home="%WAS_HOME%\java\jre\PolicyDirector" -cp "%WAS_HOME%\java\jre\lib\ext\PD.jar;%WAS_HOME%\java\jre\lib\ext\ibmjceprovider.jar;%WAS_HOME%\java\jre\lib\ext\ibmpkcs.jar;%CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg -action unconfig -was -config_type full -host win2k3was5.domain.com
SvrSslCfg: run on the deployment manager first, then on each node:
dmgr ->
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id dmgr -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
appserver1 ->
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id appserver1 -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
appserver2 ->
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id appserver2 -appsvr_pwd tamadminpwd -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action create
dmgr -> If this has already been run, use this to replace:
%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd sec_master -appsvr_id dmgr -appsvr_pwd password -port 7135 -mode remote -host win2k3was5.domain.com -policysvr win2k3was5.domain.com:7135:1 -authzsvr win2k3was5.domain.com:7136:1 -cfg_file %WAS_HOME%\java\jre\PdPerm.properties -key_file %WAS_HOME%\java\jre\lib\security\PdPerm.ks -cfg_action replace
PDWasCfg
setupCmdLine.bat for each WAS instance
set PDWAS_HOME=%WAS_HOME%
dmgr ->
%WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true
appserver1 ->
%WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true
appserver2 ->
%WAS_HOME%\bin\pdwascfg.bat -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd sec_master -pdmgrd_host win2k3was5.domain.com -pdacld_host win2k3was5.domain.com -was_home %WAS_HOME% -amwas_home %WAS_HOME% -embedded true -action_type local -verbose true
Migrate the Admin Console App and security
migrateEAR5 -j "c:\WebSphere\DeploymentManager\installedApps\was5\adminconsole.ear" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties" -e adminconsole
migrateEAR5 -j "c:\WebSphere\DeploymentManager\config\cells\was5\admin-authz.xml" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties"
migrateEAR5 -j "c:\WebSphere\DeploymentManager\config\cells\was5\naming-authz.xml" -a sec_master -p sec_master -w tamwasadminpwd -d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties"
Example of a successful run:
C:\WebSphere\DeploymentManager\bin>migrateEAR5 -j "c:\WebSphere\DeploymentManager\installedApps\was5\adminconsole.ear" -a sec_master -p sec_master -w tamwasadmin-d "CN=users,CN=system,CN=Default,CN=Tivoli PD Domains,DC=domain,DC=com" -c file:/"c:\WebSphere\DeploymentManager\java\jre\PdPerm.properties" -e adminconsole
AWXWS0021I Logging all activity to the file .//pdwas_migrate.log.
AWXWS0025W The pdwas-admin group already exists, and its members are [].
AWXWS0051E The migrate tool has successfully completed.
Difference between Stateful UUID and Server UUID
- Stateful Junction: the client system that contains the Unique Universal Identifier (UUID) of the designated back-end server. When the client makes future requests to the same resource, this UUID information ensures that the requests are consistently routed to the same back-end server.
- Stateful UUID: if you selected Stateful Junction, type the UUID of the back-end server.
Both fields refer to the UUID of the back-end server. When a junction is created to a backend web server, WebSEAL generates a UUID to identify that backend server. That is the "Server UUID", which is populated when you go to "Junction Server Properties".
If the junction is a stateful junction, then you need to specify in the "Stateful UUID" field which Server UUID to use.
Basically, if you want a junction to be stateful by always using ONE server, put its UUID in there (if that server is down it will fail over). If you want it to be stateful but not glued to a specific server, i.e. use the least-busy algorithm to decide which server to go to and then use that one statefully (so anybody from an IP goes to that server), leave it empty.
Enabling credential vault externalization
Enabling credential vault externalization may cause performance problems in portal 5.0 (5.1 too?) since portal handles the requests inefficiently.
Forms Single Sign On
There is not a way to send the TAM userid/password information to a backend resource. Also there is not a way to create a user with addl. LDAP attributes via TAM management interfaces (CLI or WPM).
Both these requirements can be solved with TIM in the picture. TIM can be configured to create a user with addl. LDAP attributes and then use the TAM agent to import that into TAM. We have done this at a few customers and there is enough ICAP on this technique.
We can also use TIM to provision the TAM userid/password as a GSO resource for your backend forms based SSO but that would compromise the security of the solution. I would suggest that we investigate any alternate approaches where the backend is configured to use a dummy password for all users and simply trust the authentication performed by WebSEAL.
Installing and Configuring Tivoli Access Manager v5.1 for authentication into WAS 5
Set-up: 2 WebSEAL servers, 1 Policy Server / Director, 1 Web Administration Machine
SETUP/INSTALL
On Win2k3
  TAM Base CD:\Windows\JRE\install.exe
  TAM Base CD:\Windows\GSKIT\setup policydirector
  TAM Base CD:\Windows\Policy Director\Disk Images\Disk 1\setup.exe
    Runtime
    Policy Server
    Authorization Server
    JRE ( only need for web interface )
    Full install
    JRE was IBM JRE
  Configure each one after install using the configure application
On Win2k3Was5
  TAM Base CD:\Windows\JRE\install.exe
  TAM Base CD:\Windows\Directory\setup.exe ( only choose the client )
  Web CD:\Windows\Policy Director\Disk Images\Disk 1\setup.exe
    Runtime
      configure after install
      ad host win2k3.domain.com 7135
      Active Directory
      not multiple domains
      ad host win2k3.domain.com
      domain dc=domain,dc=com
      not secure
      tamadmin/tamadmin
      dn dc=domain,dc=com
      enable logging checked
      log directory ...
    Web Security Runtime ( let it reboot, it won't until after WebSEAL )
WebSEAL
configure after install
  instance name default
  host name win2k3was5
  listening port 7234
  admin id sec_master
  admin password sec_master
  Allow http access checked, port 88 ( changed because IBM HTTP Server )
  allow https checked, port 444 ( changed because IBM HTTP Server )
  web doc root default
Windows XP
Web Portal Interface for TAM 5.1 CD ( web admin interface )
  Web Portal Interface for TAM 5.1:\Windows\JRE
  Web Portal Interface for TAM 5.1:\Windows2003\WebSphere\Windows2003\install.exe
    Custom
    Just turn off embedded messaging
    Default for paths
    Node winxpsp2
    Host winxpsp2.domain.com
    Log on as a service checked, user/password some/some
  Manually put IBM JRE in the path
  Web Portal Interface for TAM 5.1:\Windows\Policy Director\Disk Images\Disk 1\setup.exe
Runtime
After installation:
  cd \Program Files\Tivoli\Policy Director\sbin
  run pdjrtecfg -action config -interactive
    Full
    JRE Path
    host win2k3
    port 7135
    domain Default
    logging enable
  run amwpmcfg -action config -interactive
    was location c:\program files\websphere\appserver
    host win2k3
    port 7135
    admin sec_master
    password sec_master
    domain Default
  if this fails due to invalid user/password, the JRE isn't in the path or pdjrtecfg wasn't correct
Portal Manager
Accept default paths
test: http://winxpsp2.domain.com:9080/snoop ( probably don't have to use 9080 )
test: admin https://win2k3was5:444/ sec_master / sec_master
test: admin https://win2k3was5:444/pkmslogout
test: admin https://win2k3was5:444/pkmspasswd
admin http://winxpsp2:9080/pdadmin
  create a user xxx/xxx
admin http://winxpsp2:9080/pdadmin
  WebSEAL
  List Junctions ( each protected application )
  Create Junction
    point /info
    host winxpsp2.domain.com
    tcp port 9080
    win32 file.. checked
    Basic Auth Supply < this is the "-b supply" argument >
    User Name (short) checked
    User credentials checked
test: admin https://win2k3was5:444/info/snoop
Changing from basic to forms based auth:
WebSEAL server (win2k3was5) C:\Program Files\Tivoli\PDWeb\etc\webseald-default.conf
[ba]
ba-auth = none
[forms]
forms-auth = both
[junction]
basicauth-dummy-password = passw0rd < password for was_tai user >
Restart the Access Manager WebSEAL service
test: admin https://win2k3was5:444/info/snoop ( should see iv-... items )
TAI Config.
admin http://winxpsp2:9080/pdadmin
  create a user
    user was_tai/passw0rd
    account valid checked
    password valid checked
    gso user checked
    registry cn=was_tai,cn=users,dc=domain,dc=com
WebSphere ( winxpsp2 )
  Security | Auth Mech | LTPA | Trust Assoc.
    check enable
  Security | Auth Mech | LTPA
    password/password
  Security | Auth Mech | LTPA | Trust Assoc. | Interceptors | ...WebSealTrust... | Custom properties
    com.ibm.websphere.security.trustassociation.types WebSEAL
    com.ibm.websphere.security.webseal.loginid was_tai
    com.ibm.websphere.security.webseal.id iv-user
    com.ibm.websphere.security.webseal.hostnames win2k3was5, win2k3was5.domain.com
    com.ibm.websphere.security.webseal.ports 444
    com.ibm.websphere.security.webseal.mutualSSL no
    com.ibm.websphere.security.webseal.ignoreProxy true
  Security | Global Security
    Enabled checked
    Enforce J2ee unchecked
    Active Auth SWAM
    Active User Reg LDAP
  Security | User Registries | LDAP
    user/pass wasadmin/wasadmin
    type Active Directory
    host win2k3
    port 389
    base dn dc=domain,dc=com
    bind dn cn=wasadmin,cn=Users,dc=domain,dc=com
    password wasadmin
stopserver server1 -user wasadmin -password wasadmin
startserver server1 -user wasadmin -password wasadmin
test: admin https://win2k3was5:444/info/snoop
Win2k3 Setup ( Windows Server 2003 Enterprise )
Active Directory Domain Controller (netbios domain, DNS domain.com)
DHCP
DNS
Users
  domain\Administrator:password ( Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator, Schema Admins )
  restore mode password: password
  domain\wasadmin:wasadmin ( Domain Users )
  domain\xxxx:xxxx ( Domain Users )
  domain\tamadmin:tamadmin ( Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator, Schema Admins )
Win2k3was5 Setup ( Windows Server 2003 Enterprise )
WebSphere 5.1.1.5 ND (DeploymentManager, AppServer1, AppServer2)
Users
  win2k3was5\wasadmin:wasadmin ( Administrators )
  win2k3was5\tamadmin:tamadmin ( Administrators )
  domain\wasadmin ( Administrators )
  domain\tamadmin ( Administrators )
Give domain\tamadmin the "log on as a service" right in the local security policy
WinXpSp2 Setup ( Windows XP Service Pack 2 )
Users
winxpsp2\xxxx:xxxx ( Administrators )
domain\xxxx ( Administrators )
Internal SSL
Do not enable SSL on internal in-box communication to avoid the unnecessary complexity and computational overhead
Log types
The mgmt audit log is available on PD only, and the html audit log on WebSEAL only; both have azn and auth audit logs.
SPNEGO authentication limitations
The following WebSEAL features are not supported with SPNEGO authentication:
- POP or session-timer-based reauthentication of SPNEGO authenticated clients.
- Password change using pkmspasswd.
- SPNEGO clients cannot log out of WebSEAL. Clients must log out from the workstation. Clients that access WebSEAL pkms command pages (except switch user) receive the PKMS help page.
- Reauthentication when the inactive session timer expires for SPNEGO clients. The user cache entry is deleted. Information in the header received from the SPNEGO client is used to reauthenticate. The client does not have to log in again, but the client receives a new session cache entry.
- Reauthentication when a user accesses an object with a reauthentication policy attached. In this case access is denied, and the user receives a message stating that reauthentication is required.
The following limitations also apply:
- Microsoft NT LAN Manager (NTLM) authentication is not supported. However, the Tivoli Access Manager Web Plug-in for IIS supports NTLM. WebSEAL can be deployed in an e-community single signon solution that uses the Web Plug-in for IIS to accomplish SPNEGO authentication using NTLM.
- Using SPNEGO simultaneously with other authentication methods does not work with Netscape 4.7.
TAIxx
When configuring TAI++ pay attention to the difference in fields between WAS 5.1.1 (default for Portal 5.1) and WAS 6.0.
TAM as JACC
WAS/TAM Java configs
e:/Tivoli/POLICY~1/java/export/pdwpm/pdwpm.ks
e:\WEBSPH~1\APPSER~1\java\jre\PolicyDirector\PDCA.ks
WebSEAL LDAP failover
As a general rule WebSEAL is only able to fail over in the case of a lost connection to an LDAP server due to a network, hardware or service failure. It cannot recover from a "soft" error inside the LDAP server software, such as an inaccessible suffix. Therefore make sure you are at the latest fix packs on the LDAP server, and that it is properly configured and monitored.
Stateful Junctions
Stateful junctions allow requests from a specific session to always be sent to the same server on a junction. If the junctioned server being used is throttled, the stateful session is allowed to continue accessing that server. However, new stateful sessions are blocked from using that server. If a junctioned server is taken offline, then stateful sessions are no longer allowed to access the server. These sessions must choose a new junctioned server and possibly lose the original state information. (from am60_webseal_admin.pdf, section on junction throttling)
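Added example (not from these notes, and not WebSEAL's code): a toy Python model of the stateful junction routing described in the Stateful UUID passage earlier and in the throttling paragraph above. A session sticks to its server; a Stateful UUID pins new sessions to one server with failover when it is offline; an empty Stateful UUID picks the least busy online server; a throttled server keeps serving its existing sessions but takes no new ones; an offline server forces its sessions to move and lose their state. Server UUIDs and session ids are constructed.

```python
class NoServerAvailable(Exception):
    """Raised when no online server remains on the junction."""


class StatefulJunction:
    """Model of WebSEAL stateful routing as the notes describe it.

    Servers are identified by the UUID WebSEAL assigns them (the "Server
    UUID"); each is 'online', 'throttled' or 'offline'.
    """

    def __init__(self, server_uuids):
        self.state = {u: "online" for u in server_uuids}
        self.sessions = {}        # session id -> server uuid it is stuck to
        self.lost_state = set()   # sessions that had to move (state on old server lost)

    def set_state(self, uuid, state):
        if state not in ("online", "throttled", "offline"):
            raise ValueError("bad state " + state)
        self.state[uuid] = state

    def _least_busy(self):
        """Least-busy online server; ties go to the first configured one."""
        online = [u for u, s in self.state.items() if s == "online"]
        if not online:
            raise NoServerAvailable("no online server on junction")
        load = {u: 0 for u in self.state}
        for u in self.sessions.values():
            load[u] += 1
        return min(online, key=lambda u: load[u])

    def route(self, session_id, stateful_uuid=None):
        """Return the server uuid this request is sent to.

        stateful_uuid is the junction's Stateful UUID field: None means
        "leave it empty" in the notes' terms.
        """
        # An existing session keeps its server even if it is throttled;
        # only an offline server breaks the stickiness.
        if session_id in self.sessions:
            srv = self.sessions[session_id]
            if self.state[srv] != "offline":
                return srv
            del self.sessions[session_id]
            self.lost_state.add(session_id)
        # New session: pinned server if configured and online, else fail
        # over to (or simply pick) the least busy online server. Throttled
        # servers never receive new sessions.
        if stateful_uuid is not None and self.state.get(stateful_uuid) == "online":
            srv = stateful_uuid
        else:
            srv = self._least_busy()
        self.sessions[session_id] = srv
        return srv


if __name__ == "__main__":
    j = StatefulJunction(["srv-A", "srv-B"])  # constructed server UUIDs
    for sid in ("s1", "s2", "s1"):
        print(sid, "->", j.route(sid))
    j.set_state("srv-A", "throttled")
    print("s1 (A throttled) ->", j.route("s1"), "| s3 new ->", j.route("s3"))
    j.set_state("srv-A", "offline")
    print("s1 (A offline) ->", j.route("s1"), "| lost state:", sorted(j.lost_state))
```

Use it to reason about what a maintenance action on one junctioned server does to live sessions before you run it: throttling drains a server gracefully, while taking it offline discards the sessions' server-side state.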
@TechnicalNotes @TAM