1 DIGIPASS Authentication for TAM
DIGIPASS Authentication for TAM
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International
GmbH. All rights reserved. VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD™,
DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data
Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other
countries. VASCO Data Security, Inc. and/or VASCO Data Security International
GmbH own or are licensed under all title, rights and interest in VASCO Products,
updates and upgrades thereof, including copyrights, patent rights, trade secret rights,
mask work rights, database rights and all other intellectual and industrial property
rights in the U.S. and other countries. Microsoft and Windows are trademarks or
registered trademarks of Microsoft Corporation. Other names may be trademarks of
their respective owners.
Table of Contents
Disclaimer ...................................................................................................................... 1
Table of Contents ........................................................................................................... 2
Reference guide ............................................................................................................. 3
1 Preface ..................................................................................................................... 4
2 About TAM Authentication ........................................................................................ 5
3 About VASCO and DIGIPASS authentication ............................................................. 6
4 TAM and DIGIPASS Authentication ........................................................................... 8
5 Token Repository .................................................................................................... 10
5.1 STORING VASCO DIGIPASS TOKEN INFORMATION .................................................. 10
5.2 REPOSITORY FAIL-OVER ...................................................................................... 11
5.3 SECURITY CONSIDERATIONS ............................................................................... 11
5.4 TOKEN INITIALISATION ....................................................................................... 11
5.5 THE DIGIPASS CDAS PROCESS ............................................................................. 12
6 DIGIPASS CDAS features ........................................................................................ 14
6.1 FUNCTIONALITY .................................................................................................. 14
6.2 CONFIGURATION ................................................................................................ 14
7 About IBM ............................................................................................................... 15
8 About VASCO Data Security .................................................................................... 15
1 Preface
IBM Tivoli Access Manager (TAM) for e-business is the leading platform for access control
to web-based applications. TAM supports a number of authentication mechanisms out-of-
the-box and provides an interface for other types, called CDAS (Cross Domain
Authentication Service).
Based on years of experience in large Access Manager projects, SecurIT has developed its
revolutionary C-Man™ concept, library classes and a methodology to speed-up the
provision of such CDAS implementations according to the highest quality standards.
VASCO DIGIPASS® provides a strong two-factor authentication mechanism used by more
than 8000 organizations around the world. For more information on VASCO DIGIPASS:
http://www.VASCO.com
SecurIT partners with IBM and VASCO to provide an interface between these products,
based on this C-Man concept, in order to allow DIGIPASS-based authentication to access
enterprise applications.
This paper contains a high-level overview of the architecture of the solution and how it
integrates with TAM. The solution described in this document has been certified by IBM as
“Ready for Tivoli Access Manager”.
2 About TAM Authentication
TAM provides authentication and authorization services for web-based resources by
means of a reverse proxy. This reverse proxy, called WebSEAL, sits between the end-
user’s browser and the organization’s web servers. It intercepts HTTP requests and
performs authentication and authorization checks for protected resources.
The following figure illustrates this process.
The first time a user requests a protected web resource, WebSEAL will challenge the user
for authentication.
1. The user sends his authentication information by means of an HTTP request to
WebSEAL
2. WebSEAL extracts the authentication information and forwards it to the CDAS
module
3. The CDAS module verifies the authentication data against an external resource
4. The CDAS module passes the verified identity back to WebSEAL (or an
authentication failure message)
5. WebSEAL builds a valid internal credential for the user
Finally, WebSEAL uses this internal credential to validate the user’s request.
WebSEAL provides out-of-the-box CDAS modules that deal with:
Username/password authentication
One-time password authentication for SecurID
Client-side X.509 certificates
However, on top of this WebSEAL provides a developer’s toolkit for building custom CDAS
modules. This toolkit has served as the basis for building the CDAS module that supports
both Static and Dynamic DIGIPASS authentication tokens.
3 About VASCO and DIGIPASS authentication
VASCO secures the enterprise from the mainframe to the Internet with infrastructure
solutions that enable secure e-business and e-commerce, protect sensitive information,
and safeguard the identity of users. The company’s family of DIGIPASS® and VACMAN®
products offer end-to-end security through authentication, digital signature, and Radius
and Web security, while sharply reducing the time and effort required to deploy and
manage security.
The VASCO DIGIPASS product family consists of a set of hardware and software tokens
that provide authentication and digital signature services. The following authentication
mechanisms are supported:
Dynamic pin code (One time password)
Static + Dynamic pin code
Challenge/Response
The VACMAN product family facilitates the integration of strong DIGIPASS authentication
into security-critical applications. One of the products in this family is the VACMAN
Controller. It provides DIGIPASS strong authentication and signature mechanisms
natively to any application in the form of an API, regardless of the operating system,
communication protocol, database management system or GUI (Graphical User
Interface) in use, from PC to mainframe.
The integration between DIGIPASS and TAM, as described in this paper, supports both
dynamic and static + dynamic pin codes. It uses the VACMAN Controller API from within
the CDAS module to verify the pin code.
The following figure illustrates the combination of a DIGIPASS token and the VACMAN
Controller.
1. The user retrieves his pin code from the token and enters it together with his
user ID into the application
2. The application fetches the corresponding token information from the registry
3. The application calls the Controller together with the token information and
user information
4. The Controller verifies the authentication information and updates the token
information
5. The application writes the updated token information into the registry
The selection of a token registry is an application matter.
4 TAM and DIGIPASS Authentication
This section describes the integration of Access Manager WebSEAL with VASCO DIGIPASS
tokens. This paper only contains a high level overview of the architecture and
functionality. For more details we refer to the DIGIPASS CDAS Installation and
Administration Guide.
From a user’s perspective “User ID/pin code” authentication is very similar to
username/password authentication. For this reason it was decided to build the
DIGIPASS CDAS as a username/password CDAS, where the username holds the
user ID associated with the token and the password carries the one-time password
(dynamic or static + dynamic).
The following figure illustrates the architecture of the solution.
1. The user retrieves his pincode from the token and enters it together with his
user ID into the username/password login form of WebSEAL
2. WebSEAL forwards the authentication information to the DIGIPASS CDAS
3. The CDAS fetches the corresponding token information from the TAM LDAP
directory and verifies the authentication information
4. The CDAS writes the updated token information into the TAM LDAP directory
5. The CDAS module passes the verified identity back to WebSEAL (or an
authentication failure message)
6. WebSEAL builds a valid internal credential for the user
This illustrates the basic process flow of DIGIPASS authentication as carried out by the
custom CDAS. There are however a couple of points that need more attention.
For token synchronization and to avoid replay, the authentication server needs
to keep track of information associated with the token. This DIGIPASS CDAS
uses the LDAP directory for this purpose.
Token authentication is often used in combination with username/password
authentication. Therefore, the authentication server (CDAS) needs a
mechanism to distinguish between users holding a token and users
authenticating with username/password.
These topics are described in slightly more detail in the next chapters.
5 Token Repository
5.1 STORING VASCO DIGIPASS TOKEN INFORMATION
As stated above, the DIGIPASS CDAS uses the TAM LDAP Directory as its repository to
store token information. In the current release both IBM LDAP and SunOne LDAP are
supported. The token information is stored in an object that is located in a sub tree under
the user with whom the token is associated.
The following screen dump shows such an entry.
This screen dump shows that the token with serial number 0097123456 is associated
with the TAM user with DN (Distinguished Name) cn=Allowed1, o=sov, c=be. The
CDAS makes absolutely no assumptions about the format of the DN, as long as it is
accepted by TAM. The token information is stored as an instance of the Object Class
sitVASCOToken. The object is created under the secAuthority=Default entry created
by TAM.
A token entry basically contains the following information:
sitVASCO            Type of the token (e.g. ResponseOnly)
sitVASCOApplName    Application using the token
sitVASCOBlob        The token details, aka. BLOB (contains e.g. the current valid pin code)
sitVASCODpFlags     Token flags (internal use)
sitVASCOSerialNr    Token serial number (to physically associate a token with a user)
sitVASCOMode        Mode of operation (optional)
sitVASCOType        Type of token (optional)
For more information on these attributes, please refer to the VASCO documentation and/or
the DIGIPASS CDAS Installation & Administration Guide.
5.2 REPOSITORY FAIL-OVER
Validation of the user’s pin code is done by the CDAS using the VACMAN Controller API.
It is a stand-alone library that takes the user’s pin code and the BLOB that is currently
associated with the user’s token. To avoid replay of pin codes and to allow for token
synchronization, the CDAS should always be able to get hold of the latest BLOB.
Therefore, the DIGIPASS CDAS foresees an LDAP fail-over mechanism.
This mechanism is shown in the following figure:
To make sure that the DIGIPASS CDAS is always able to fetch the most up-to-date BLOB,
it is able to talk in fail-over mode to LDAP. It will always try the first mentioned LDAP
server first; if that server fails it will try the next LDAP, and so on until it has tried all
known LDAP servers. If no working LDAP server can be found, the authentication request
will fail.
The CDAS should, however, also make sure that the updated BLOB gets written back to
LDAP. It is therefore best practice to work with a multi-master LDAP cluster.
However, as this is not always possible, the CDAS can be configured to continue with the
authentication process even if it cannot write the BLOB back into LDAP. As long as this
situation is not persistent, the token will be synchronized (if needed) at a later stage.
In any case, the CDAS will also report BLOB update failures in its log file.
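The following C program is an added illustration of the fail-over and write-back behaviour described in this section; it is not code from the DIGIPASS CDAS, VASCO or SecurIT. C is used because WebSEAL CDAS modules are built with the C developer's toolkit. Every name in it is hypothetical: the LDAP servers are in-memory structs with reachable/writable flags, the BLOB is reduced to a serial number and an event counter, the option continue_on_write_failure stands in for the configurable behaviour mentioned above, and controller_verify is a toy replacement for the VACMAN Controller call, not the DIGIPASS algorithm. What it shows is the ordered fail-over on reads, why the freshest BLOB matters (a replayed pin code is rejected only because the stored BLOB advanced), and what the "continue even if the BLOB cannot be written back" option trades away.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the opaque sitVASCOBlob. The real BLOB is only ever
 * interpreted by the VACMAN Controller; here it is a serial number plus an
 * event counter, just enough to show why the latest BLOB matters. (constructed) */
typedef struct {
    char serial[16];
    unsigned counter;
} token_blob_t;

/* Constructed stand-in for one server in the CDAS's ordered LDAP list. */
typedef struct {
    const char *name;
    int reachable;      /* 0 simulates a server that is down */
    int writable;       /* 0 simulates a read-only replica (slave) */
    token_blob_t blob;  /* this server's copy of the user's token entry */
} ldap_server_t;

#define MAX_SERVERS 4

typedef struct {
    ldap_server_t servers[MAX_SERVERS];
    int count;
    int continue_on_write_failure;  /* hypothetical name for the option described in 5.2 */
    int write_failures_logged;      /* stands in for BLOB update failures in the log file */
} cdas_ctx_t;

enum { AUTH_OK = 0, AUTH_BAD_OTP = 1, AUTH_NO_DIRECTORY = 2, AUTH_WRITEBACK_FAILED = 3 };

/* Read the BLOB from the first reachable server, trying them in configured order.
 * Returns the index of the server that answered, or -1 if none did. */
int fetch_blob(const cdas_ctx_t *ctx, token_blob_t *out)
{
    for (int i = 0; i < ctx->count; i++) {
        if (ctx->servers[i].reachable) {
            *out = ctx->servers[i].blob;
            return i;
        }
    }
    return -1;
}

/* Write the updated BLOB back to the first reachable, writable server.
 * Returns the index written to, or -1 if no writable server could be reached. */
int write_blob(cdas_ctx_t *ctx, const token_blob_t *blob)
{
    for (int i = 0; i < ctx->count; i++) {
        if (ctx->servers[i].reachable && ctx->servers[i].writable) {
            ctx->servers[i].blob = *blob;
            return i;
        }
    }
    return -1;
}

/* Toy verification standing in for the VACMAN Controller call: the pin code is
 * accepted only if it matches the token's current counter, and the counter is
 * advanced so the same code cannot be replayed. Not the DIGIPASS algorithm. */
int controller_verify(token_blob_t *blob, const char *otp)
{
    char expected[32];
    snprintf(expected, sizeof expected, "otp-%u", blob->counter);
    if (strcmp(expected, otp) != 0)
        return 0;
    blob->counter++;
    return 1;
}

/* One DIGIPASS authentication as the CDAS performs it: fetch the latest BLOB,
 * verify the pin code, write the updated BLOB back. */
int cdas_authenticate(cdas_ctx_t *ctx, const char *otp)
{
    token_blob_t blob;
    if (fetch_blob(ctx, &blob) < 0)
        return AUTH_NO_DIRECTORY;            /* no working LDAP server: request fails */
    if (!controller_verify(&blob, otp))
        return AUTH_BAD_OTP;
    if (write_blob(ctx, &blob) < 0) {
        ctx->write_failures_logged++;        /* the failure is always reported */
        return ctx->continue_on_write_failure ? AUTH_OK : AUTH_WRITEBACK_FAILED;
    }
    return AUTH_OK;
}

/* Constructed scenario: one master followed by two read-only replicas, all
 * holding the entry for token 0097123456 at counter 7. */
cdas_ctx_t make_ctx(int master_reachable, int continue_on_write_failure)
{
    static const char *names[3] = { "ldap-master", "ldap-replica1", "ldap-replica2" };
    cdas_ctx_t ctx;
    memset(&ctx, 0, sizeof ctx);
    for (int i = 0; i < 3; i++) {
        ctx.servers[i].name = names[i];
        ctx.servers[i].reachable = (i == 0) ? master_reachable : 1;
        ctx.servers[i].writable = (i == 0);
        strcpy(ctx.servers[i].blob.serial, "0097123456");
        ctx.servers[i].blob.counter = 7;
    }
    ctx.count = 3;
    ctx.continue_on_write_failure = continue_on_write_failure;
    return ctx;
}

int main(void)
{
    cdas_ctx_t ctx = make_ctx(1, 0);
    printf("first use of otp-7: %d (0 = ok)\n", cdas_authenticate(&ctx, "otp-7"));
    printf("replay of otp-7:    %d (1 = rejected)\n", cdas_authenticate(&ctx, "otp-7"));
    ctx = make_ctx(0, 1);
    int rc = cdas_authenticate(&ctx, "otp-7");
    printf("master down, continue: %d, write failures logged: %d\n", rc, ctx.write_failures_logged);
    return 0;
}
```

Note the last scenario: with the master unreachable and the CDAS configured to continue, the pin code is accepted but no replica holds the advanced BLOB, so the same code would be accepted again until the master is back and the entry is updated. That is exactly the window the text means by "as long as this situation is not persistent", and it is the reason BLOB update failures deserve attention in the log.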
5.3 SECURITY CONSIDERATIONS
The DIGIPASS CDAS can be configured to talk LDAP over SSL with the LDAP servers. It
will bind to LDAP using a (configurable) user with appropriate credentials to read and
write the token information.
5.4 TOKEN INITIALISATION
The DIGIPASS CDAS comes with a command line tool for initializing tokens. This tool
takes two input files:
DPX file
“TAM user to token” mapping file
The DPX file is delivered by VASCO together with the tokens. It contains all the token
related information that goes into the LDAP server. The second file contains an entry for
each existing TAM user that needs a new or updated token. The tool basically generates
the DIGIPASS subentry as shown above.
5.5 THE DIGIPASS CDAS PROCESS
The DIGIPASS CDAS is fully in line with the CDAS specification as listed in the WebSEAL
Developers Reference guide. This means that it supports the following functions:
xauthn_initialize()
xauthn_shutdown()
xauthn_authenticate()
xauthn_change_password()
Although the DIGIPASS CDAS can be used where step-up authentication is needed, it
should be noted that in some cases the selection of the authentication mechanism is not
necessarily controlled by the required authentication levels but merely by the fact that a
user possesses a token or not. In such a case the DIGIPASS CDAS can be configured to
support both username/password and one-time password. This is controlled by setting
the LDAP attribute employeeType, as shown by the following screen dump.
The current release of the DIGIPASS CDAS supports the following values for the
employeeType attribute:
Username/password              1
DIGIPASS response-only         2
DIGIPASS challenge/response    3 (placeholder)
It should be noted that these are only the default settings. The LDAP attribute and the
corresponding values are configurable.
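The following C program is an added illustration of the authentication method switch described above; it is not code from the DIGIPASS CDAS. The configuration syntax "attribute:value=method,..." is invented for the example (the real CDAS configuration file format is not described in this paper), and the decision to treat a missing attribute or an unmapped value as a failure is an assumption that the paper does not state. It shows the default employeeType mapping, a differently named attribute with non-numeric values, and the gate that stops the challenge/response placeholder from being used.

```c
#include <stdio.h>
#include <string.h>

typedef enum {
    METHOD_UNKNOWN = 0,           /* value not in the mapping: fail closed (assumed) */
    METHOD_PASSWORD,              /* username/password, default value "1" */
    METHOD_RESPONSE_ONLY,         /* DIGIPASS response-only, default value "2" */
    METHOD_CHALLENGE_RESPONSE     /* default value "3", placeholder in this release */
} auth_method_t;

#define MAX_RULES 8

typedef struct {
    char attribute[32];                 /* LDAP attribute consulted, employeeType by default */
    struct { char value[16]; auth_method_t method; } rules[MAX_RULES];
    int n_rules;
} method_switch_t;

/* One attribute of a user's LDAP entry, as the CDAS would read it. (constructed) */
typedef struct { const char *name; const char *value; } ldap_attr_t;

static auth_method_t name_to_method(const char *name)
{
    if (strcmp(name, "password") == 0) return METHOD_PASSWORD;
    if (strcmp(name, "response-only") == 0) return METHOD_RESPONSE_ONLY;
    if (strcmp(name, "challenge-response") == 0) return METHOD_CHALLENGE_RESPONSE;
    return METHOD_UNKNOWN;
}

/* Parse a switch specification of the hypothetical form
 *   employeeType:1=password,2=response-only,3=challenge-response
 * (constructed syntax, not the CDAS's real configuration file). Returns 1 on success. */
int parse_method_switch(const char *spec, method_switch_t *sw)
{
    char buf[256];
    memset(sw, 0, sizeof *sw);
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    char *colon = strchr(buf, ':');
    if (colon == NULL || colon == buf || (size_t)(colon - buf) >= sizeof sw->attribute) return 0;
    *colon = '\0';
    strcpy(sw->attribute, buf);
    for (char *tok = strtok(colon + 1, ","); tok != NULL; tok = strtok(NULL, ",")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL || sw->n_rules == MAX_RULES) return 0;
        *eq = '\0';
        auth_method_t m = name_to_method(eq + 1);
        if (m == METHOD_UNKNOWN || strlen(tok) >= sizeof sw->rules[0].value) return 0;
        strcpy(sw->rules[sw->n_rules].value, tok);
        sw->rules[sw->n_rules].method = m;
        sw->n_rules++;
    }
    return sw->n_rules > 0;
}

/* Decide which authenticator handles this user. A missing attribute or a value
 * outside the mapping yields METHOD_UNKNOWN, which the caller treats as a
 * failed authentication (assumed fail-closed behaviour). */
auth_method_t select_method(const method_switch_t *sw, const ldap_attr_t *attrs, int n_attrs)
{
    for (int i = 0; i < n_attrs; i++) {
        if (strcmp(attrs[i].name, sw->attribute) != 0) continue;
        for (int r = 0; r < sw->n_rules; r++)
            if (strcmp(attrs[i].value, sw->rules[r].value) == 0)
                return sw->rules[r].method;
        return METHOD_UNKNOWN;
    }
    return METHOD_UNKNOWN;
}

/* Only the two mechanisms the current release implements may proceed. */
int method_supported(auth_method_t m)
{
    return m == METHOD_PASSWORD || m == METHOD_RESPONSE_ONLY;
}

int main(void)
{
    method_switch_t sw;
    if (!parse_method_switch("employeeType:1=password,2=response-only,3=challenge-response", &sw))
        return 1;
    /* constructed user entry, modelled on the cn=Allowed1 example in section 5.1 */
    ldap_attr_t allowed1[] = { { "cn", "Allowed1" }, { "employeeType", "2" } };
    auth_method_t m = select_method(&sw, allowed1, 2);
    printf("cn=Allowed1 -> method %d, supported: %d\n", m, method_supported(m));
    return 0;
}
```

Failing closed on an unmapped or absent attribute is the defensible default here: if a user entry silently fell through to username/password, a token holder could be authenticated with a weaker mechanism than intended.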
6 DIGIPASS CDAS features
This section summarizes the key features of the DIGIPASS CDAS. For more details
please refer to the DIGIPASS CDAS Installation & Administration Guide and the
DIGIPASS Administration Tool User Guide.
6.1 FUNCTIONALITY
Supports both username/password and DIGIPASS one-time passwords
Supports password change for username/password
Supports static pincode change for one-time password
Supports token synchronisation
Supports token unlocking
Compliant with Tivoli Access Manager 4.1
Supported on both Windows 2000 and Solaris
Uses LDAP as token registry
Supports both IBM LDAP and SunOne LDAP
Provides token initialisation tool
6.2 CONFIGURATION
Supports LDAP over SSL
Configurable log level
LDAP Master/Slave configuration
Username/password authentication using BIND or COMPARE
Configurable authentication method switch
GSO to Extended Attributes mapping
Configurable VASCO LDAP object and attributes
Several configurable DIGIPASS parameters
7 About IBM
With 80 years of leadership in helping businesses innovate, IBM is the world's largest
information technology company.
IBM is a leading provider of e-business solutions and is dedicated to helping companies,
Business Partners and developers leverage the potential of the Internet and network
computing across a wide range of businesses and industries.
The company offers a host of cross-industry and industry specific solutions designed to
meet the needs of companies of all sizes.
For more information on IBM, please visit: http://www.ibm.com/mediumbusiness.
8 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication
products for e-Business and e-Commerce.
VASCO’s User Authentication software is carried by the end user on its DIGIPASS
products which are small “calculator” hardware devices, or in a software format on
mobile phones, other portable devices, and PCs.
At the server side, VASCO’s VACMAN products guarantee that only the designated
DIGIPASS user gets access to the application.
VASCO’s target markets are the applications and their several hundred million users that
utilize fixed password as security.
VASCO’s time-based system generates a “one-time” password that changes with every
use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products
for the financial world, remote access, e-business and e-commerce. VASCO’s user
authentication software is delivered via its DIGIPASS hardware and software security
products. With over 25 million DIGIPASS products sold and delivered, VASCO has
established itself as a world leader for strong User Authentication with over 1500
international financial institutions and almost 8000 blue-chip corporations and
governments located in more than 100 countries.