Tech Tip – How to protect web app using ISAM Web Reverse Proxy

The IBM Security Access Manager appliance Web Reverse Proxy functionality is based on the technology included with the IBM Security Access Manager WebSEAL product.

In this guide, we will walk through the configuration needed to protect a backend web resource using WebSEAL’s Web Reverse Proxy functionality.

ENVIRONMENT:

  • ISAM 9.0.5 (on docker container)
  • For this demo, our backend web app is: https://communities.ca.com/community/ca-security/ca-single-sign-on/content

INSTRUCTIONS:

Log in to the LMI and click Secure Web (WebSEAL) Settings –> Manage –> Reverse Proxy

[Screenshot: Reverse Proxy]

Click the default instance (assuming it has already been created) and click Manage –> Junction Management

[Screenshot: Junction Management]

Click New –> Standard Junction and define the junction as follows:

  • Junction Point Name : /community
  • Select “Create Transparent Path Junction” check box.
  • Select Junction Type = SSL

[Screenshot: Junction_Name]

Click Server tab and define the backend web server as below and click Save.

[Screenshot: Junction_Server]

At this point, you will probably get the following error indicating that WebSEAL is unable to connect to the specified backend server. This is expected: we have not yet imported the junctioned server’s (communities.ca.com) certificate and its Root CA certificate into the WebSEAL certificate database, so WebSEAL cannot establish a trusted TLS connection to the backend.

[Screenshot: Junction_SaveError]

Now, let’s go ahead and import the server and CA certs for our backend.

Click Manage –> SSL Certificates

[Screenshot: sslcerts]

Click the certificate database “pdsrv” and click Manage –> “Edit SSL Certificate Database”

[Screenshot: pdsrv_certs]

Next, click Manage –> Load to load the certificate for our backend web server.

[Screenshot: Load Certificate]

Provide the details of the backend web server and click Load.

[Screenshot: Cert_Load_CACommunities]

You will now see a successful SSL certificate loading confirmation message.

Please ensure that you also have the Root CA certificate for the backend web server. To check whether an imported certificate is a Root CA certificate, compare its Issuer and Subject fields: if they match, it is a Root CA certificate; otherwise it is not.

[Screenshot: Cert_Loaded]

In the above screenshot, the server certificate used by our backend is signed by the Root CA DST Root CA X3. Root CA certificates of public CAs can usually be downloaded from the internet; for example, the DST Root CA X3 certificate can be downloaded from here: https://www.identrust.com/certificates/trustid/root-download-x3.html

[Screenshot: DSTRootCA]

Now, let’s import the Root CA certificate by clicking Manage –> Import

[Screenshot: DST_RootCA_Cert_Import]

Now, let’s create some users. Click Secure Web (WebSEAL) Settings –> Manage –> Policy Administration

[Screenshot: Policy Administration]

Click User –> Create User and create the following two users:

  • user1 (authorized to access)
  • user2 (not authorized to access)

[Screenshot: CreateUser]

Now click ACL –> Create ACL and create an ACL that allows user1 to access our web resource.

[Screenshot: AllowAccess_ACL]

[Screenshot: AllowAccess_ACL_Completed]

Click the newly created ACL and click Create ACL Entry for user1, granting the Traverse, View, Read and Execute permissions.

[Screenshot: ACL_Entry_user1]

[Screenshot: ACL_List]

Now, let’s attach this ACL to our object space.

Click Policy Administration –> Object Space –> Browse Object Space and select the path (junction) that we created earlier. If the newly created junction is not displayed, click Refresh.

[Screenshot: Object_Space]

Next, attach the ACL created earlier and click Apply.
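To make the ACL step concrete, the following small Python model (added here; not ISAM code) shows how WebSEAL evaluates an ACL attached at the junction’s object-space path: an object without its own ACL inherits the nearest one above it, every ancestor must grant Traverse (T), and the target must grant the action required by the HTTP method. The object-space path, the root ACL and the entry-precedence rules are simplified, constructed stand-ins.

```python
# Simplified model of WebSEAL object-space ACL evaluation (added illustration,
# not ISAM code). Actions use ISAM's single-letter form: T=traverse, r=read,
# x=execute, v=view, m=modify, d=delete.

# Action WebSEAL requires on the target object for each HTTP method.
REQUIRED_BY_METHOD = {"GET": "r", "POST": "x", "PUT": "m", "DELETE": "d"}


class ObjectSpace:
    def __init__(self):
        self.attached = {}  # object path -> ACL (entry name -> action string)

    def attach(self, path, acl):
        self.attached[path] = acl

    @staticmethod
    def _lineage(path):
        """Object paths from the root down to `path` itself."""
        parts = [p for p in path.split("/") if p]
        return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

    def effective_acl(self, path):
        """An object with no ACL of its own inherits the nearest one above it."""
        for candidate in reversed(self._lineage(path)):
            if candidate in self.attached:
                return self.attached[candidate]
        return {}

    @staticmethod
    def _granted(acl, user):
        # Simplified entry precedence: named user entry, else any-other for
        # authenticated users, else the unauthenticated entry (user is None).
        if user is None:
            return acl.get("unauthenticated", "")
        return acl[user] if user in acl else acl.get("any-other", "")

    def is_authorized(self, user, method, path):
        lineage = self._lineage(path)
        for ancestor in lineage[:-1]:  # every ancestor must grant Traverse
            if "T" not in self._granted(self.effective_acl(ancestor), user):
                return False
        need = REQUIRED_BY_METHOD[method]  # ... and the target the method's action
        return need in self._granted(self.effective_acl(path), user)


def build_demo():
    """Reproduce the guide's policy: user1 allowed on /community, user2 not."""
    space = ObjectSpace()
    # Constructed root ACL so the junction is reachable: traverse only.
    space.attach("/", {"any-other": "T", "unauthenticated": "T"})
    # The AllowAccess ACL from the guide, attached at the junction object
    # (instance name in the path is a constructed placeholder).
    space.attach("/WebSEAL/default-webseald-isam/community", {"user1": "Trxv"})
    return space
```

Requests below the junction inherit the junction’s ACL, so user1 can read any page under /community while user2, lacking Traverse on the junction object, is denied everywhere beneath it.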

That’s it; all our changes are complete. We are now ready to deploy the changes and publish the configuration.

Click on the Home tab and click the notification.

[Screenshot: Deploy_Notification]

Click Deploy to deploy the pending changes.

[Screenshot: Deploy_SSLCerts]

Click Container Management –> Publish Configuration.

[Screenshot: Publish_Configuration]

Now, restart the WebSEAL docker container for it to pick up the new configuration.

TESTING:

Access the Reverse Proxy URL with the path of our backend resource appended: https://localhost:12443/community/ca-security/ca-single-sign-on/content.

Log in with user1 (authorized):

[Screenshot: Protected]


Log in with user2 (unauthorized):

[Screenshot: Unauthorized]
