
IBM Security Verify Access Version 10.0.0
Mobile Multi-Factor Authentication Deployment Cookbook

Jon Harry
Shane Weeden
Benjamin Martin

Version 1.0.4
July 2020

Document Control

Release Date | Version | Authors | Comments
23 Jan 2017 | 1.0 | Jon Harry, Shane Weeden, Benjamin Martin | Version 1.0: Based on 9.0.2.1
27 Feb 2017 | 1.0.1 | As above | Typos corrected. Removed OAuth SLO URI config. Add link to IBM Verify for Android.
17 May 2017 | 1.0.2 | As above | Reference 9.0.3.0 in title and add text requiring fresh install.
12 Dec 2018 | 1.0.3 | Konstantin Trofimov | Updated automated scripts to work with 9.0.6.0, corrected typos
14 Jul 2020 | 1.04 | Sharnee Fry/Jasmine Smith | Rebranding. Updated screenshots for 10.0.0.0. Updated section 2.0.

Table of Contents

1 Introduction
  1.1 High Level Architecture and Networking
  1.2 Required Components
    1.2.1 Verify Access Virtual Appliance ISO Image
    1.2.2 Verify Access 10.0 Activation Codes
    1.2.3 Mobile Device running IBM Verify App
    1.2.4 Host machine running VMWare
    1.2.5 VMWare Networking
    1.2.6 Hosts file
    1.2.7 Required Files
    1.2.8 Browser
  1.3 Manual vs. Programmatic configuration
2 Virtual Machine creation and Appliance Install
  2.1 Create a new VMWare virtual machine
  2.2 Loading the Firmware Image onto the Virtual Appliance
3 Appliance Host and Networking Configuration
  3.1 Manual vs Silent Configuration
  3.2 OPTION 1: Silent Configuration
    3.2.1 Use Configuration ISO to configure IP connectivity
    3.2.2 Complete "First-Steps" process
  3.3 OPTION 2: Manual Configuration
  3.4 Check internet connectivity
4 Basic Appliance Configuration
  4.1 Login and change password for Local Management Interface (LMI)
  4.2 Enable NTP
  4.3 Product Activation
  4.4 Disable Built-in Authentication Policies
  4.5 Configure Runtime Interfaces
  4.6 Update Hosts File on the Appliance
  4.7 Configure Verify Access Runtime Component on the Appliance
    4.7.1 Update password of built-in LDAP server
    4.7.2 Configure Verify Access Runtime (Policy Server and LDAP)
  4.8 Set Password for easuser
5 Create and configure Reverse Proxy instances
  5.1 Reverse Proxy for Browser Traffic
    5.1.1 Create Reverse Proxy Instance
    5.1.2 Modify Reverse Proxy Instance Configuration File
    5.1.3 Deploy the Changes and Restart the Reverse Proxy Instance
  5.2 Reverse Proxy for Mobile Traffic
    5.2.1 Create Reverse Proxy Instance
    5.2.2 Modify Reverse Proxy Instance Configuration File
    5.2.3 Deploy the Changes and Restart the Reverse Proxy Instance
  5.3 Configure Key store for Reverse Proxies
    5.3.1 Import Keypair and Certificate for Reverse Proxy
    5.3.2 Edit default Reverse Proxy Settings
6 Configuration and policy for Reverse Proxy instances
  6.1 Configure MMFA for browser proxy
  6.2 Configure MMFA for mobile proxy
  6.3 Set up ACLs
7 Configure SCIM
  7.1 Create an Verify Access Runtime Server Connection
  7.2 Configure SCIM
  7.3 Configure Reverse Proxy for access to SCIM interface
    7.3.1 Create /scim junction
    7.3.2 Configure URL filtering for SCIM responses
  7.4 Enable Modify and Delete via Reverse Proxy
  7.5 Create SCIM Admin Group in Verify Access
  7.6 Create SCIM Administrator and Test User in Verify Access
  7.7 Enable SCIM Demonstration Application
  7.8 Test SCIM Access
8 Configure API Protection (OAuth)
  8.1 Create Definition
  8.2 Create Client
9 Configure endpoints and options for Authenticator Client
  9.1 MMFA endpoint configuration

Details

File Type: pdf
Content Languages: English
File Pages: 255