The IBM Security Access Manager appliance Web Reverse Proxy functionality is based on the technology included with the IBM Security Access Manager WebSEAL product.
In this guide, we walk through the configuration needed to protect a backend web resource using WebSEAL’s Web Reverse Proxy functionality.
ENVIRONMENT:
- ISAM 9.0.5 (running in a Docker container)
- For this demo, our backend web app is: https://communities.ca.com/community/ca-security/ca-single-sign-on/content
INSTRUCTIONS:
Log in to the LMI and click Secure Web (WebSEAL) Settings –> Manage –> Reverse Proxy.
Click the default instance (assuming it has already been created) and then click Manage –> Junction Management.
Click New –> Standard Junction and define the junction as follows:
- Junction Point Name: /community
- Select the “Create Transparent Path Junction” check box.
- Junction Type: SSL
Click the Server tab, define the backend web server as shown below, and click Save.
At this point you will probably get the following error, indicating that WebSEAL cannot connect to the specified backend server. This is expected: we have not yet imported the junctioned server (communities.ca.com) certificate and its Root CA certificate into the WebSEAL certificate database, so WebSEAL cannot establish a trusted connection with the backend.
Now, let’s go ahead and import the server and CA certs for our backend.
Click Manage –> SSL Certificates
Click the certificate database “pdsrv” and click Manage –> “Edit SSL Certificate Database”
Next, click Manage –> Load to load the certificate for our backend web server.
Provide the details of the backend web server and click Load.
You will now see a successful SSL certificate loading confirmation message.
Make sure you also have the Root CA certificate for the backend web server. To check whether an imported certificate is a Root CA, compare its Issuer and Subject: if they match, it is a Root CA; otherwise it is not.
In the screenshot above, the server certificate used by our backend is signed by the Root CA DST Root CA X3. Public Root CA certificates can usually be downloaded from the CA’s website; for example, the DST Root CA X3 certificate can be downloaded from here: https://www.identrust.com/certificates/trustid/root-download-x3.html
Now, let’s import the Root CA certificate by clicking Manage –> Import.
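The Issuer/Subject check described above can be scripted before loading anything into pdsrv. The following shell script is an added example, not part of the original guide: it builds a constructed demo chain (a self-signed root and a server certificate it signs) with the openssl CLI, which is assumed to be on PATH, classifies each certificate as Root CA or not, and then confirms that the server certificate verifies against that root, which is the trust relationship WebSEAL needs once both certificates are loaded.

```shell
#!/bin/sh
# Added example, not part of the original guide. Uses the openssl CLI
# (assumed to be on PATH) to decide whether a PEM certificate is a Root CA
# by comparing its Issuer and Subject, and to confirm that a server
# certificate chains to that root. The key/cert material is constructed
# here for the demo; it is not the real communities.ca.com chain.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed demo chain: a self-signed root and a server cert it signs.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-backend.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Return 0 when Issuer equals Subject (self-signed, i.e. a Root CA), 1 otherwise.
is_root_ca() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  # Drop the "subject=" / "issuer=" labels so only the names are compared.
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Return 0 when the server certificate ($2) validates against the root ($1),
# the trust relationship WebSEAL needs once both are loaded into pdsrv.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_chain
for cert in root.pem server.pem; do
  if is_root_ca "$WORK/$cert"; then
    echo "$cert: Issuer matches Subject, this is a Root CA"
  else
    echo "$cert: Issuer differs from Subject, import its issuer as well"
  fi
done
if chains_to_root "$WORK/root.pem" "$WORK/server.pem"; then
  echo "server.pem chains to root.pem"
fi
```

Point is_root_ca at the certificate you downloaded for the backend to confirm it really is the root before importing it; if it is not, the intermediate or root that issued it must be loaded as well.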
Now, let’s create some users. Click Secure Web (WebSEAL) Settings –> Manage –> Policy Administration.
Click User –> Create User and create the following two users:
- user1 (authorized to access)
- user2 (not authorized to access)
Now click ACL –> Create ACL and create an ACL that allows user1 access to our web resource.
Click the newly created ACL and click Create ACL Entry for user1, granting the Traverse, View, Read and Execute permissions.
Now, let’s attach this ACL to our object space.
Click Policy Administration –> Object Space –> Browse Object Space and select the path (junction) we created earlier. If the newly created junction is not displayed, click Refresh.
Next, attach the ACL created earlier and click Apply.
That’s it; all our changes are complete. We are now ready to deploy the changes and publish the configuration.
Click the Home tab and click the notification.
Click Deploy to deploy the pending changes.
Click Container Management –> Publish Configuration.
Now, restart the WebSEAL docker container for it to pick up the new configuration.
TESTING:
Access the Reverse Proxy URL with our backend server URI appended: https://localhost:12443/community/ca-security/ca-single-sign-on/content
Log in as user1 (authorized):
Log in as user2 (unauthorized):