DIGIPASS Authentication for TAM

WHITEPAPER


Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.


Table of Contents

Disclaimer
Table of Contents
Reference guide
1 Preface
2 About TAM Authentication
3 About VASCO and DIGIPASS authentication
4 TAM and DIGIPASS Authentication
5 Token Repository
  5.1 STORING VASCO DIGIPASS TOKEN INFORMATION
  5.2 REPOSITORY FAIL-OVER
  5.3 SECURITY CONSIDERATIONS
  5.4 TOKEN INITIALISATION
  5.5 THE DIGIPASS CDAS PROCESS
6 DIGIPASS CDAS features
  6.1 FUNCTIONALITY
  6.2 CONFIGURATION
7 About IBM
8 About VASCO Data Security


Reference guide


1 Preface

IBM Tivoli Access Manager (TAM) for e-business is the leading platform for access control to web-based applications. TAM supports a number of authentication mechanisms out-of-the-box and provides an interface for other types, called CDAS (Cross Domain Authentication Service).

Based on years of experience in large Access Manager projects, SecurIT has developed its revolutionary C-Man™ concept, library classes and a methodology to speed up the provision of such CDAS implementations according to the highest quality standards.

VASCO DIGIPASS® provides a strong two-factor authentication mechanism used by more than 8000 organizations around the world. For more information on VASCO DIGIPASS: http://www.VASCO.com

SecurIT partners with IBM and VASCO to provide an interface between these products, based on this C-Man concept, in order to allow DIGIPASS-based authentication to access enterprise applications.

This paper contains a high-level overview of the architecture of the solution and how it integrates with TAM. The solution described in this document has been certified by IBM as "Ready for Tivoli Access Manager".


2 About TAM Authentication

TAM provides authentication and authorization services for web-based resources by means of a reverse proxy. This reverse proxy, called WebSEAL, sits between the end-user's browser and the organization's web servers. It intercepts HTTP requests and performs authentication and authorization checks for protected resources.

The following figure illustrates this process.

The first time a user requests a protected web resource, WebSEAL will challenge the user for authentication.

1. The user sends his authentication information by means of an HTTP request to WebSEAL
2. WebSEAL extracts the authentication information and forwards it to the CDAS module
3. The CDAS module verifies the authentication data against an external resource
4. The CDAS module passes the verified identity back to WebSEAL (or an authentication failure message)
5. WebSEAL builds a valid internal credential for the user

Finally, WebSEAL uses this internal credential to validate the user's request.

WebSEAL provides out-of-the-box CDAS modules that deal with:

- Username/password authentication
- One-time password authentication for SecurID
- Client-side X.509 certificates

However, on top of this WebSEAL provides a developer's toolkit for building custom CDAS modules. This toolkit has served as the basis for building the CDAS module that supports both Static and Dynamic DIGIPASS authentication tokens.


3 About VASCO and DIGIPASS authentication

VASCO secures the enterprise from the mainframe to the Internet with infrastructure solutions that enable secure e-business and e-commerce, protect sensitive information, and safeguard the identity of users. The company's family of DIGIPASS® and VACMAN® products offers end-to-end security through authentication, digital signature, and RADIUS and Web security, while sharply reducing the time and effort required to deploy and manage security.

The VASCO DIGIPASS product family consists of a set of hardware and software tokens that provide authentication and digital signature services. The following authentication mechanisms are supported:

- Dynamic pin code (one-time password)
- Static + dynamic pin code
- Challenge/response

The VACMAN product family facilitates the integration of strong DIGIPASS authentication into security-critical applications. One of the products in this family is the VACMAN Controller. It provides DIGIPASS strong authentication and signature mechanisms natively to any application, in the form of an API, regardless of your preferred OS (Operating System), communication protocol, database management system or GUI (Graphical User Interface), from PC to mainframe.

The integration between DIGIPASS and TAM, as described in this paper, supports both dynamic and static + dynamic pin codes. It uses the VACMAN Controller API from within the CDAS module to verify the pin code.

The following figure illustrates the combination of a DIGIPASS token and the VACMAN Controller.


1. The user retrieves his pin code from the token and enters it together with his user ID into the application
2. The application fetches the corresponding token information from the registry
3. The application calls the Controller together with the token information and user information
4. The Controller verifies the authentication information and updates the token information
5. The application writes the updated token information into the registry

The selection of a token registry is an application matter.


4 TAM and DIGIPASS Authentication

This section describes the integration of Access Manager WebSEAL with VASCO DIGIPASS tokens. This paper only contains a high-level overview of the architecture and functionality. For more details we refer to the DIGIPASS CDAS Installation and Administration Guide.

From a user's perspective "User ID/pin code" authentication is very similar to username/password authentication. For this reason it was decided to build the DIGIPASS CDAS as a username/password CDAS, where the username holds the user ID associated with the token and the password carries the one-time password (dynamic or static + dynamic).

The following figure illustrates the architecture of the solution.

1. The user retrieves his pin code from the token and enters it together with his user ID into the username/password login form of WebSEAL
2. WebSEAL forwards the authentication information to the DIGIPASS CDAS
3. The CDAS fetches the corresponding token information from the TAM LDAP directory and verifies the authentication information
4. The CDAS writes the updated token information into the TAM LDAP directory
5. The CDAS module passes the verified identity back to WebSEAL (or an authentication failure message)
6. WebSEAL builds a valid internal credential for the user

This illustrates the basic process flow of DIGIPASS authentication as carried out by the custom CDAS. There are however a couple of points that need more attention.


- For token synchronization and to avoid replay, the authentication server needs to keep track of information associated with the token. This DIGIPASS CDAS uses the LDAP directory for this purpose.
- Token authentication is often used in combination with username/password authentication. Therefore, the authentication server (CDAS) needs a mechanism to distinguish between users holding a token and users authenticating with username/password.

These topics are described in slightly more detail in the next chapters.
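The fetch/verify/update/write-back cycle of sections 3 and 4, and the replay point just above, as an added simulation that is not code from the paper, SecurIT or VASCO. The VACMAN Controller algorithm and the real BLOB layout are not described on the page, so `controller_verify` is an assumed stand-in: an HMAC-based event counter kept inside the BLOB, advanced past every accepted pin code so the same code is refused a second time, with a small look-ahead window for synchronization. The registry is an in-memory dict standing in for the token entry under the user in LDAP; all names and values are constructed.

```python
import hashlib
import hmac
import json

SECRET_HEX = "c0ffee" * 4  # constructed per-token secret, not a real DIGIPASS value

# Constructed token registry: one token record per user ID, mirroring the
# attributes the paper lists for a sitVASCOToken entry.
TOKEN_REGISTRY = {
    "Allowed1": {
        "sitVASCOSerialNr": "0097123456",
        "sitVASCOBlob": json.dumps({"secret": SECRET_HEX, "counter": 0, "window": 5}),
    }
}


def digipass_response(secret_hex: str, counter: int) -> str:
    """Stand-in for the token's one-time pin code: six digits derived from the
    shared secret and an event counter (assumption, not the VASCO algorithm)."""
    mac = hmac.new(bytes.fromhex(secret_hex), counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def controller_verify(blob: str, pin_code: str):
    """Stand-in for the VACMAN Controller call: takes the current BLOB and the
    submitted pin code and returns (ok, updated_blob). The counter stored in
    the BLOB is moved past any accepted code, so a replayed code no longer
    matches; the window tolerates codes the user generated but never sent."""
    if len(pin_code) != 6 or not (pin_code.isascii() and pin_code.isdigit()):
        return False, blob
    state = json.loads(blob)
    for step in range(state["window"]):
        candidate = state["counter"] + step
        if hmac.compare_digest(digipass_response(state["secret"], candidate), pin_code):
            state["counter"] = candidate + 1  # resynchronise and burn the used code
            return True, json.dumps(state)
    return False, blob


def xauthn_authenticate(registry: dict, user_id: str, pin_code: str) -> dict:
    """Steps 2 to 5 of the CDAS flow: fetch token info, verify, write the
    updated BLOB back, and answer with an identity or a failure message."""
    entry = registry.get(user_id)
    if entry is None:
        return {"status": "failure", "reason": "no token associated with user"}
    ok, new_blob = controller_verify(entry["sitVASCOBlob"], pin_code)
    if not ok:
        return {"status": "failure", "reason": "pin code rejected"}
    entry["sitVASCOBlob"] = new_blob  # without this write-back the code could be replayed
    return {"status": "success", "identity": user_id, "serial": entry["sitVASCOSerialNr"]}


if __name__ == "__main__":
    code = digipass_response(SECRET_HEX, 0)
    print(xauthn_authenticate(TOKEN_REGISTRY, "Allowed1", code))  # success
    print(xauthn_authenticate(TOKEN_REGISTRY, "Allowed1", code))  # replay: failure
```

The second call in the demo fails only because the first call wrote the advanced counter back; if the BLOB update were skipped, the same pin code would be accepted again, which is exactly why the CDAS treats the latest BLOB as authoritative.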


5 Token Repository

5.1 STORING VASCO DIGIPASS TOKEN INFORMATION

As stated above, the DIGIPASS CDAS uses the TAM LDAP Directory as its repository to store token information. In the current release both IBM LDAP and SunOne LDAP are supported. The token information is stored in an object that is located in a sub tree under the user with whom the token is associated.

The following screen dump shows such an entry.

This screen dump shows that the token with serial number 0097123456 is associated with the TAM user with DN (Distinguished Name) cn=Allowed1, o=sov, c=be. The CDAS makes absolutely no assumptions about the format of the DN, as long as it is accepted by TAM. The token information is stored as an instance of the Object Class sitVASCOToken. The object is created under the secAuthority=Default entry created by TAM.

A token entry basically contains the following information:

sitVASCO            Type of the token (e.g. ResponseOnly)
sitVASCOApplName    Application using the token
sitVASCOBlob        The token details, aka. BLOB (contains e.g. the current valid pin code)
sitVASCODpFlags     Token flag (internal use)
sitVASCOSerialNr    Token serial number (to physically associate a token with a user)
sitVASCOMode        Mode of operation (optional)
sitVASCOType        Type of token (optional)


For more information on these attributes, please refer to VASCO documentation and/or the DIGIPASS CDAS Installation & Administration Guide.

5.2 REPOSITORY FAIL-OVER

Validation of the user's pin code is done by the CDAS using the VACMAN Controller API. It is a stand-alone library that takes the user's pin code and the BLOB that is currently associated with the user's token. To avoid replay of pin codes and to allow for token synchronization, the CDAS should always be able to get hold of the latest BLOB. Therefore, the DIGIPASS CDAS provides an LDAP fail-over mechanism.

This mechanism is shown in the following figure:

To make sure that the DIGIPASS CDAS is always able to fetch the most up-to-date BLOB, it can talk to LDAP in fail-over mode. It will always try the first-listed LDAP server first; if that server fails it will try the next LDAP server, and so on until it has tried all known LDAP servers. If no working LDAP server can be found, the authentication request will fail.

The CDAS should however also make sure that the updated BLOB gets written back to LDAP. It is therefore best practice to work with a multi-master LDAP cluster. However, as this is not always possible, the CDAS can be configured to continue with the authentication process even if it cannot write the BLOB back into LDAP. As long as this situation is not persistent, the token will be synchronized (if needed) at a later stage. In any case, the CDAS will report BLOB update failures in its log file.
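The fail-over behaviour described in this section, as an added example that is not the CDAS's own code. LDAP servers are simulated in-process (the real module talks LDAP); the server names, the read-only flag used to provoke a write-back failure, and the `continue_on_write_failure` setting are assumptions standing in for whatever the real configuration keys are. The verifier passed to `authenticate_with_failover` is a constructed stand-in for the VACMAN Controller in which the BLOB simply holds the next valid pin code.

```python
import copy
import logging

log = logging.getLogger("digipass_cdas")

USER_DN = "cn=Allowed1,o=sov,c=be"  # DN from the paper's screen dump


class LdapUnavailable(Exception):
    """Raised when a simulated server cannot serve the requested operation."""


class SimulatedLdapServer:
    """In-memory stand-in for one LDAP server holding token entries by DN."""

    def __init__(self, name, entries, available=True, writable=True):
        self.name, self.entries = name, entries
        self.available, self.writable = available, writable

    def read_blob(self, dn):
        if not self.available:
            raise LdapUnavailable(f"{self.name} is down")
        return self.entries[dn]["sitVASCOBlob"]

    def write_blob(self, dn, blob):
        if not self.available or not self.writable:
            raise LdapUnavailable(f"{self.name} cannot accept writes")
        self.entries[dn]["sitVASCOBlob"] = blob


class FailoverRepository:
    """Tries the configured servers in listed order until one answers."""

    def __init__(self, servers, continue_on_write_failure=False):
        self.servers = list(servers)
        self.continue_on_write_failure = continue_on_write_failure

    def _first_working(self, operation):
        for server in self.servers:
            try:
                return operation(server)
            except LdapUnavailable as exc:
                log.warning("LDAP fail-over: %s, trying next server", exc)
        raise LdapUnavailable("all configured LDAP servers failed")

    def fetch_blob(self, dn):
        return self._first_working(lambda server: server.read_blob(dn))

    def store_blob(self, dn, blob) -> bool:
        try:
            self._first_working(lambda server: server.write_blob(dn, blob))
            return True
        except LdapUnavailable:
            log.error("BLOB update for %s failed on every LDAP server", dn)  # always reported
            return False


def toy_verify(blob, pin_code):
    """Constructed stand-in for the Controller: the BLOB is the next valid code."""
    if pin_code != blob:
        return False, blob
    return True, f"after-{pin_code}"


def authenticate_with_failover(repo, dn, pin_code, verify):
    try:
        blob = repo.fetch_blob(dn)  # latest BLOB, or give up
    except LdapUnavailable:
        return "failure: no working LDAP server"
    ok, new_blob = verify(blob, pin_code)
    if not ok:
        return "failure: pin code rejected"
    if not repo.store_blob(dn, new_blob) and not repo.continue_on_write_failure:
        return "failure: BLOB update failed"
    return "success"


def build_repo(primary_up=True, secondary_up=True, primary_writable=True, continue_on_write_failure=False):
    """Constructed two-server deployment; each server gets its own copy of the entry."""
    entries = {USER_DN: {"sitVASCOBlob": "123456"}}
    primary = SimulatedLdapServer("ldap1", copy.deepcopy(entries), primary_up, primary_writable)
    secondary = SimulatedLdapServer("ldap2", copy.deepcopy(entries), secondary_up)
    return FailoverRepository([primary, secondary], continue_on_write_failure)
```

With the default (strict) setting a read-only primary and an unreachable secondary turn a correct pin code into a failed login; with `continue_on_write_failure=True` the login succeeds and only the log records that the BLOB was not written, which is the trade-off the section describes.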

5.3 SECURITY CONSIDERATIONS

The DIGIPASS CDAS can be configured to talk LDAP over SSL with the LDAP servers. It will bind to LDAP using a (configurable) user with appropriate credentials to read and write the token information.

5.4 TOKEN INITIALISATION

The DIGIPASS CDAS comes with a command line tool for initializing tokens. This tool takes two input files:

- DPX file
- "TAM user to token" mapping file


The DPX file is delivered by VASCO together with the tokens. It contains all the token-related information that goes into the LDAP server. The second file contains an entry for each existing TAM user that needs a new or updated token. The tool basically generates the DIGIPASS subentry as shown above.
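What the initialisation tool of this section produces, written out for the entry layout of section 5.1, as an added example that is not the tool itself. The DPX file format is VASCO-proprietary and not described on the page, so the token data is supplied as already-parsed constructed records; the mapping file format (user DN, tab, serial number), the RDN `sitVASCOSerialNr=...` of the subentry, its placement under `secAuthority=Default,<user DN>`, and the `sitVASCODpFlags` value `0` are all assumptions. Attribute names are those listed in 5.1.

```python
import base64

# Constructed records of the kind a parsed DPX file would yield, one per token.
DPX_RECORDS = [
    {"serial": "0097123456", "type": "ResponseOnly", "appl": "APPL1", "blob": b"\x01\x02opaque-blob"},
    {"serial": "0097123457", "type": "ResponseOnly", "appl": "APPL1", "blob": b"\x03\x04opaque-blob"},
]

# Constructed "TAM user to token" mapping file: <user DN> <TAB> <serial number>
MAPPING_FILE = """\
# one line per TAM user that needs a new or updated token
cn=Allowed1,o=sov,c=be	0097123456
cn=Allowed2,o=sov,c=be	0097123457
cn=NoToken,o=sov,c=be	0099999999
"""


def parse_mapping(text: str) -> dict:
    """Return {serial: user DN}; a malformed line aborts instead of being guessed at."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            raise ValueError(f"mapping line {lineno}: expected '<user DN><TAB><serial>'")
        dn, serial = parts
        mapping[serial] = dn
    return mapping


def ldif_entry(user_dn: str, rec: dict) -> str:
    """One sitVASCOToken subentry in LDIF; the BLOB is binary, hence the '::' base64 form."""
    dn = f"sitVASCOSerialNr={rec['serial']},secAuthority=Default,{user_dn}"  # assumed RDN/parent
    blob_b64 = base64.b64encode(rec["blob"]).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "objectClass: sitVASCOToken",
        f"sitVASCOSerialNr: {rec['serial']}",
        f"sitVASCOType: {rec['type']}",
        f"sitVASCOApplName: {rec['appl']}",
        f"sitVASCOBlob:: {blob_b64}",
        "sitVASCODpFlags: 0",  # placeholder: the flag's real values are internal to the CDAS
    ])


def generate_ldif(records: list, mapping_text: str):
    """Join DPX records to TAM users; return (ldif text, serials with no DPX record)."""
    mapping = parse_mapping(mapping_text)
    by_serial = {rec["serial"]: rec for rec in records}
    entries, unmatched = [], []
    for serial, user_dn in mapping.items():
        rec = by_serial.get(serial)
        if rec is None:
            unmatched.append(serial)  # do not fabricate token data for an unknown serial
            continue
        entries.append(ldif_entry(user_dn, rec))
    return "\n\n".join(entries) + "\n", unmatched


if __name__ == "__main__":
    ldif, missing = generate_ldif(DPX_RECORDS, MAPPING_FILE)
    print(ldif)
    print("serials without DPX data:", missing)
```

Serials in the mapping that do not appear in the DPX data are reported rather than written, since an entry without a valid BLOB would never verify.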

5.5 THE DIGIPASS CDAS PROCESS

The DIGIPASS CDAS is fully in line with the CDAS specification as listed in the WebSEAL Developer's Reference guide. This means that it supports the following functions:

- xauthn_initialize()
- xauthn_shutdown()
- xauthn_authenticate()
- xauthn_change_password()

Although the DIGIPASS CDAS can be used where step-up authentication is needed, it should be noted that in some cases the selection of the authentication mechanism is not necessarily controlled by the required authentication levels but merely by the fact that a user possesses a token or not. In such a case the DIGIPASS CDAS can be configured to support both username/password and one-time password. This is controlled by setting the LDAP attribute employeeType, as shown by the following screen dump.


The current release of the DIGIPASS CDAS supports the following values for the employeeType attribute:

Username/password              1
DIGIPASS response-only         2
DIGIPASS challenge/response    3 (placeholder)

It should be noted that these are only the default settings. The LDAP attribute and the corresponding values are configurable.
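The authentication method switch described here, as an added example that is not the CDAS's own code. It keeps the page's defaults (attribute employeeType, values 1, 2 and 3), lets a configuration override both the attribute name and the values, and refuses the placeholder challenge/response value rather than silently treating it as something else. The `method.*` configuration keys and the in-process directory are constructed; the two verifiers are stand-ins for an LDAP BIND/COMPARE and for the VACMAN Controller check.

```python
import hmac

# Defaults taken from the paper; everything else is configurable.
DEFAULT_ATTRIBUTE = "employeeType"
DEFAULT_VALUES = {"1": "password", "2": "digipass_response_only", "3": "digipass_challenge_response"}
SUPPORTED = {"password", "digipass_response_only"}  # challenge/response is a placeholder only

# Constructed directory entries keyed by user ID.
DIRECTORY = {
    "Allowed1": {"employeeType": "2", "sitVASCOBlob": "654321"},
    "Pwduser": {"employeeType": "1", "userPassword": "s3cret"},
    "Crtoken": {"employeeType": "3"},
    "Nomethod": {},
}


def load_switch_config(config_text: str) -> dict:
    """Parse constructed `method.attribute = <ldap attr>` and `method.<name> = <value>`
    lines; anything not mentioned keeps the defaults."""
    attribute = DEFAULT_ATTRIBUTE
    method_to_value = {method: value for value, method in DEFAULT_VALUES.items()}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "method.attribute":
            attribute = value
        elif key.startswith("method."):
            name = key[len("method."):]
            if name not in method_to_value:
                raise ValueError(f"unknown authentication method {name!r} in configuration")
            method_to_value[name] = value
    return {"attribute": attribute, "values": {v: m for m, v in method_to_value.items()}}


def select_method(entry: dict, cfg: dict):
    """Return (method, None) or (None, reason) for the user's directory entry."""
    raw = entry.get(cfg["attribute"])
    if raw is None:
        return None, "attribute missing"
    method = cfg["values"].get(str(raw))
    if method is None:
        return None, f"unknown value {raw!r}"
    if method not in SUPPORTED:
        return None, f"{method} not supported in this release"
    return method, None


def compare_password(entry: dict, secret: str) -> bool:
    """Stand-in for an LDAP COMPARE/BIND against the stored userPassword."""
    return hmac.compare_digest(entry.get("userPassword", "").encode(), secret.encode())


def otp_stand_in(entry: dict, secret: str) -> bool:
    """Stand-in for the Controller check; the real one validates against the BLOB."""
    return hmac.compare_digest(entry.get("sitVASCOBlob", "").encode(), secret.encode())


def authenticate_by_switch(entry: dict, secret: str, cfg: dict, verify_password, verify_otp) -> dict:
    method, reason = select_method(entry, cfg)
    if method is None:
        return {"status": "failure", "reason": reason}
    verifier = verify_password if method == "password" else verify_otp
    ok = verifier(entry, secret)
    return {"status": "success" if ok else "failure", "method": method}
```

A user whose entry lacks the attribute, or carries the placeholder value, is rejected outright: falling back to plain password checking for such users would quietly downgrade the authentication level the administrator intended.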


6 DIGIPASS CDAS features

This section summarizes the key features of the DIGIPASS CDAS. For more details please refer to the DIGIPASS CDAS Installation & Administration Guide and the DIGIPASS Administration Tool User Guide.

6.1 FUNCTIONALITY

- Supports both username/password and DIGIPASS one-time passwords
- Supports password change for username/password
- Supports static pin code change for one-time password
- Supports token synchronisation
- Supports token unlocking
- Compliant with Tivoli Access Manager 4.1
- Supported both on Windows 2000 and Solaris
- Uses LDAP as token registry
- Supports both IBM LDAP and SunOne LDAP
- Provides token initialisation tool

6.2 CONFIGURATION

- Supports LDAP over SSL
- Configurable log level
- LDAP Master/Slave configuration
- Username/password authentication using BIND or COMPARE
- Configurable authentication method switch
- GSO to Extended Attributes mapping
- Configurable VASCO LDAP object and attributes
- Several configurable DIGIPASS parameters


7 About IBM

With 80 years of leadership in helping businesses innovate, IBM is the world's largest information technology company.

IBM is a leading provider of e-business solutions and is dedicated to helping companies, Business Partners and developers leverage the potential of the Internet and network computing across a wide range of businesses and industries.

The company offers a host of cross-industry and industry-specific solutions designed to meet the needs of companies of all sizes.

For more information on IBM, please visit: http://www.ibm.com/mediumbusiness.

8 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce.

VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small "calculator" hardware devices, or in a software format on mobile phones, other portable devices, and PCs.

At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application.

VASCO's target markets are the applications and their several hundred million users that rely on fixed passwords for security.

VASCO's time-based system generates a "one-time" password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong User Authentication, with over 1500 international financial institutions and almost 8000 blue-chip corporations and governments located in more than 100 countries.