IBM SECURITY ACCESS MANAGER IBM Verify Cookbook

Mobile Multi-Factor Authentication with IBM SAM 9.0.6.0

Jon Harry, Shane Weeden, Benjamin Martin

Version 1.0.3, December 2018

Document Control

| Release Date | Version | Authors | Comments |
|---|---|---|---|
| 23 Jan 2017 | 1.0 | Jon Harry, Shane Weeden, Benjamin Martin | Version 1.0: Based on 9.0.2.1 |
| 27 Feb 2017 | 1.0.1 | As above | Typos corrected. Removed OAuth SLO URI config. Add link to IBM Verify for Android. |
| 17 May 2017 | 1.0.2 | As above | Reference 9.0.3.0 in title and add text requiring fresh install. |
| 12 Dec 2018 | 1.0.3 | Konstantin Trofimov | Updated automated scripts to work with 9.0.6.0, corrected typos |

Table of Contents

1 Introduction
  1.1 High Level Architecture and Networking
  1.2 Required Components
    1.2.1 Access Manager Virtual Appliance ISO Image
    1.2.2 Access Manager 9.0 Activation Codes
    1.2.3 Mobile Device running IBM Verify App
    1.2.4 Host machine running VMWare
    1.2.5 VMWare Networking
    1.2.6 Hosts file
    1.2.7 Required Files
    1.2.8 Browser
  1.3 Manual vs. Programmatic configuration
2 Virtual Machine creation and Appliance Install
  2.1 Create a new virtual machine
  2.2 Loading the Firmware Image onto the Virtual Appliance
3 Appliance Host and Networking Configuration
  3.1 Manual vs Silent Configuration
  3.2 OPTION 1: Silent Configuration
    3.2.1 Use Configuration ISO to configure IP connectivity
    3.2.2 Complete "First-Steps" process
  3.3 OPTION 2: Manual Configuration
  3.4 Check internet connectivity
4 Basic Appliance Configuration
  4.1 Login and change password for Local Management Interface (LMI)
  4.2 Enable NTP
  4.3 Product Activation
  4.4 Disable Built-in Authentication Policies
  4.5 Configure Runtime Interfaces
  4.6 Update Hosts File on the Appliance
  4.7 Configure ISAM Runtime Component on the Appliance
    4.7.1 Update password of built-in LDAP server
    4.7.2 Configure ISAM Runtime (Policy Server and LDAP)
  4.8 Set Password for easuser
5 Create and configure Reverse Proxy instances
  5.1 Reverse Proxy for Browser Traffic
    5.1.1 Create Reverse Proxy Instance
    5.1.2 Modify Reverse Proxy Instance Configuration File
    5.1.3 Deploy the Changes and Restart the Reverse Proxy Instance
  5.2 Reverse Proxy for Mobile Traffic
    5.2.1 Create Reverse Proxy Instance
    5.2.2 Modify Reverse Proxy Instance Configuration File
    5.2.3 Deploy the Changes and Restart the Reverse Proxy Instance
  5.3 Configure Key store for Reverse Proxies
    5.3.1 Import Keypair and Certificate for Reverse Proxy
    5.3.2 Edit default Reverse Proxy Settings
6 Configuration and policy for Reverse Proxy instances
  6.1 Configure MMFA for browser proxy
  6.2 Configure MMFA for mobile proxy
  6.3 Set up ACLs
7 Configure SCIM
  7.1 Create an ISAM Runtime Server Connection
  7.2 Configure SCIM
  7.3 Configure Reverse Proxy for access to SCIM interface
    7.3.1 Create /scim junction
    7.3.2 Configure URL filtering for SCIM responses
  7.4 Enable Modify and Delete via Reverse Proxy
  7.5 Create SCIM Admin Group in SAM
  7.6 Create SCIM Administrator and Test User in SAM
  7.7 Enable SCIM Demonstration Application
  7.8 Test SCIM Access
8 Configure API Protection (OAuth)
  8.1 Create Definition
  8.2 Create Client
9 Configure endpoints and options for Authenticator Client
  9.1 MMFA endpoint configuration

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    250 Page