IBM ISAM Integration
Introduction
Buypass Code is a multi-factor One-Time Password authentication solution. The first factor is the hardware device on which the Buypass Code app is activated, and the second factor is a PIN code or a fingerprint scan.
While activating the Buypass Code app on a hardware device, the end user must enter his mobile phone number. An activation code is sent to the end user's phone, which establishes a binding between the mobile phone number and the hardware device. The end user must set a PIN code the first time he activates a Buypass Code app.
Overview of the solution
The Buypass Code authentication mechanism for IBM Security Access Manager combines an LDAP lookup of the user with verification of One-Time Passwords generated by a Buypass Code app.
The user must exist in the LDAP directory under the configured ldapBaseDn, and the username must be stored in the LDAP attribute named by the configured ldapUserAttrName. The user's mobile phone number must also be present in the LDAP user registry, in one of the attributes listed in the configured ldapPhoneNumberAttrName.
If the user is found in the LDAP directory, an HTML page is presented to the user. On this page, the user must enter a One-Time Password from his Buypass Code app. The Authentication Mechanism sends the One-Time Password to the Buypass Code Authentication API, which returns either a success or a failure message.
The following sequence diagram shows the authentication flow
Prerequisites
In order to use Buypass Code with IBM Security Access Manager (ISAM) you need the following:
- IBM Security Access Manager version 9.0.2.1
- The Buypass Code Authentication Mechanism bundle (buypass-code-api-isam-<version>-bundle.jar)
- The HTML pages which must be imported in ISAM (buypass-code-api-template-files-<version>.zip)
- A PKCS12 keystore file containing your client certificate issued by Buypass (p12 file)
- The password protecting the PKCS12 keystore file
- Knowledge about IBM Security Access Manager
Setup and configuration of IBM Security Access Manager is outside the scope of this document.
Adding your keystore file
When registering to use Buypass Code you will receive a client certificate. The certificate is delivered as a PKCS12 keystore file with a .p12 extension. You will also receive a password, which is required to open the keystore file.
The p12 file must be added to the authentication mechanism bundle jar file:
- Open the authentication mechanism bundle jar file with a ZIP File Opener like WinZip or 7-zip.
- Drag the p12 file into the archive.
Deploying the authentication mechanism
Import bundle
The first step is to import the Buypass Code Authentication Mechanism bundle. Log on to IBM Security Access Manager and select Secure Access Control->Extensions. Click the Import button and browse to the buypass-code-api-isam-<version>.jar.
Then click the Import button in the Import Bundle view. The bundle is now registered as an extension as shown below.
New Authentication Mechanism
Now select Secure Access Control->Authentication. Then select the Mechanism tab and click New Authentication Mechanism. Finally select Buypass Code API Authentication as shown below.
Fill in the New Authentication Mechanism view as shown below.
Then select the Properties tab.
The properties are explained in the table below.
Name | Type | Definition | Sample Value |
---|---|---|---|
ldapProviderUrl | String | URL of the LDAP server, including the port number if it is not the default TCP port 389. | ldap://10.10.10.10:389, ldap://somehost:389, ldap://myldap.example.com |
ldapSecurityPrincipal | String | Bind DN (ldap.bindDN) of a user with read access to the LDAP directory (Active Directory). | cn=admin,ou=People,dc=example,dc=com |
ldapSecurityCredentials | String | The password of the ldapSecurityPrincipal bind user (Policy Server user administration password). | Passw0rd |
ldapPhoneNumberAttrName | String | A comma separated list of accepted LDAP attribute names storing the telephone number. | telephonenumber, mobile |
ldapAppIdAttrName | String | A comma separated list of accepted LDAP attribute names storing the App-ID. This parameter is optional. | |
ldapBaseDn | String | The top level of the LDAP directory tree used for searching. | ou=People,dc=example,dc=com |
ldapUserAttrName | String | The LDAP attribute that stores the username. | samaccountname |
codeApiUrl | String | The URL of the Buypass Code Authentication API. | https://api.buypass.no/code-authentication-api |
clientId | String | The identifier of the client (MerchantID) at Buypass. | 666669 |
keystoreName | String | The name of the p12 file used for client authentication. | client-certificate.p12 |
keystorePassword | String | The password for the p12 file. | Passw0rd |
proxyUrl | String | An optional parameter defining the HTTP proxy to use. If no port is present, the default port 8080 is used. | http://proxy.hostname:8080 |
proxyUsername | String | The username used for proxy authentication. Ignored if proxyUrl is not set. | myname |
proxyPassword | String | The password used for proxy authentication. Ignored if proxyUrl is not set. | Passw0rd |
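To make concrete how the ldap* properties above drive the user lookup described in the overview (scoping to ldapBaseDn, matching the single ldapUserAttrName attribute, trying the comma separated ldapPhoneNumberAttrName list in order, and failing when no phone number is present), here is an added Python model of that lookup. It is not the mechanism's own code; the configuration values, the in-memory directory entries and the filter-escaping helper are constructed assumptions for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed sample configuration mirroring the Sample Value column (assumptions).
CONFIG = {
    "ldapBaseDn": "ou=People,dc=example,dc=com",
    "ldapUserAttrName": "samaccountname",
    "ldapPhoneNumberAttrName": "telephonenumber, mobile",  # first attribute present wins
    "ldapAppIdAttrName": "",  # optional property, left empty here
}

# Constructed in-memory directory standing in for the LDAP server: DN -> attributes.
# Attribute names are lowercased because LDAP attribute names are case-insensitive.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=People,dc=example,dc=com": {"samaccountname": "alice", "mobile": "+4799999999"},
    "cn=bob,ou=People,dc=example,dc=com": {"samaccountname": "bob",
                                          "telephonenumber": "+4788888888", "mobile": "+4777777777"},
    "cn=carol,ou=People,dc=example,dc=com": {"samaccountname": "carol"},  # no phone number stored
    "cn=dave,ou=Admins,dc=example,dc=com": {"samaccountname": "dave", "mobile": "+4766666666"},
}

def attr_candidates(prop: str):
    """Split a comma separated attribute-list property into normalised names, in order."""
    return [a.strip().lower() for a in prop.split(",") if a.strip()]

def escape_filter_value(value: str) -> str:
    """Escape a username for use inside an LDAP search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def build_user_filter(config, username: str) -> str:
    """The search filter the lookup would send, e.g. (samaccountname=alice)."""
    return "(%s=%s)" % (config["ldapUserAttrName"].lower(), escape_filter_value(username))

def lookup_user(config, directory, username: str) -> Tuple[str, Optional[str]]:
    """Return (phone_number, app_id) for username, or raise LookupError when the
    user is not found under ldapBaseDn or has no phone number in any accepted attribute."""
    user_attr = config["ldapUserAttrName"].lower()
    base_dn = config["ldapBaseDn"].lower()
    matches = [attrs for dn, attrs in directory.items()
               if dn.lower().endswith("," + base_dn) and attrs.get(user_attr) == username]
    if len(matches) != 1:  # missing or ambiguous user: authentication cannot proceed
        raise LookupError("user %r not found (or ambiguous) under %s" % (username, base_dn))
    entry = matches[0]
    phone = next((entry[a] for a in attr_candidates(config["ldapPhoneNumberAttrName"]) if a in entry), None)
    if phone is None:  # the overview requires a phone number in the registry
        raise LookupError("user %r has no phone number in an accepted attribute" % username)
    app_id = next((entry[a] for a in attr_candidates(config["ldapAppIdAttrName"]) if a in entry), None)
    return phone, app_id
```

Compare the result against what your directory actually holds for a test user before attaching the policy; a user without a value in any accepted phone attribute will never reach the One-Time Password page.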
Click the Save button and the Authentication Mechanism shows up in the Mechanism tab.
New Authentication Policy
Select the Policies tab and click New Authentication Policy. Fill in the values as shown below.
Click the Add Step button and select Buypass Code API from the list.
Then click the Save button.
Create Policy
Select Secure Access Control→Access Control. On the Policies tab click Create Policy.
Fill in the name of the Policy and click the Add Rule down arrow.
Select Permit with Authentication from the first dropdown list and Buypass Code API from the second.
Click the OK button followed by the Save button.
Now select the Resources tab.
Here you should configure the resources that you want to protect with the Authentication Mechanism. Consult the IBM Security Access Manager documentation for details.
Select the resource you want to protect and click the Attach button.
In the Attach Policies view, select the Buypass Code API policy.
Then click the OK button.
The Buypass Code API policy is now attached to the resource.
Click the Publish button to make the changes take effect.
Upload template files
Select Secure Access Control→Template Files.
Navigate to the C folder.
Then select Manage→Import Zip.
Browse to the buypass-code-api-template-files-<version>.zip file in the Import a file dialog and click the Import button.
Load the Buypass endpoint certificate
The Authentication Mechanism uses HTTPS for communicating with the Buypass Code Authentication service. The SSL certificate of the Buypass endpoint must be loaded into IBM Security Access Manager.
The first step is to export the certificate from the endpoint.
Open a Chrome browser window and enter https://api.buypass.no.
Then press F12 to open the Chrome developer tools.
Select the Security tab and click the View certificate button.
In the Certificate window select the Details tab and click the Copy to File... button.
Finish the Certificate Export Wizard by saving the certificate to a buypass.cer file.
Select Manage System Settings→SSL Certificates.
Select the rt_profile_keys entry and click Manage→Edit SSL Certificate Database.
In the Import Signer Certificate dialog browse to the buypass.cer file.
Then choose a Certificate Label, for instance "Buypass" and click Import.
Now the Buypass endpoint certificate is loaded in the IBM Security Access Manager.
Verify Network Configuration
To ensure network connectivity with the Buypass endpoint, inspect the Network Configuration.
Select Manage System Settings→Static Routes.
If there is no default route click the New button.
Type default in the Destination field and your default gateway in the Gateway field.
Then click the Save Configuration button.
Testing the authentication mechanism
There are two different approaches for testing the authentication mechanism.
Use a direct link
This method requires that an enabled authentication policy is configured. The link below will invoke the authentication mechanism.
https://<reverse-runtime-ip>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:buypass_code_api
Access a protected resource
This method requires that a policy is attached to a resource. By accessing a protected resource, the authentication mechanism will be invoked.
https://<reverse-proxy-ip>/test/<resource>
Troubleshooting
For troubleshooting the Authentication Mechanism you can enable logging.
Select Monitor Analysis and Diagnostics→Runtime Tracing.
Enter no.buypass=ALL in the Tracing Specification.
Then click the Save button.
The log output is written to a trace file. Select Monitor Analysis and Diagnostics→Application Log Files; the trace.log file is located under access_control/runtime.
Downloadable resources
Maven project for Buypass Code API ISAM Authentication Mechanism
code-authentication-api-isam-v1.0.4.zip
SHA-256 checksum: 737735CD897AECDE5C986D2910A933716502BC2B16B2E055D63B21D27F76BA5C
Buypass Code Authentication API Client Library for Java
code-authentication-api-client-1.0.3-jar-with-dependencies.jar
SHA-256 checksum: 0D8348555D8CA0178C464DF47329BFD2711F80D53C67AF7538593BBCF2F6DC3C
Maven project for Buypass Code Authentication API Client Library for Java
code-authentication-api-client-v1.0.3.zip
SHA-256 checksum: 4C54A33E2CD108298E65DEBE5C6986612B6C544F02E2A1446B11BEB434E9A6FB