Can WebSphere Full Profile scope Requiring Client Certificate authentication to certain paths?

I would like to know whether WebSphere Full Profile (8.5.5.x or 9.x) has any capability to make the SSL Settings QoP “Client authentication” Required for **only** a specific path of an application?

The use-case is that a customer wants to use it for mutual authentication of REST APIs, but not require it for a user interface application that users log in to using a totally different authentication method. Both applications are deployed in the same .ear file.

Currently it appears that the configuration of Client authentication is done at the Cell or Node level through https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/csec_ssl_clientauth.html


Re: Configuring Centrify LDAP Proxy with OneFS 8.0.0.1; HOW TO?

Has anybody successfully set up Centrify LDAP proxy with OneFS?

```
# isi auth status
ID                                                         Active Server               Status
----------------------------------------------------------------------------------------------
lsa-activedirectory-provider:mycompany.COM                 mycompanydc99.mycompany.com online
lsa-local-provider:System                                  -                           active
lsa-local-provider:Private                                 -                           active
lsa-file-provider:System                                   -                           active
lsa-ldap-provider:centrifylinux-ldap-proxy.mycompany.com   -                           offline
lsa-ldap-provider:test-proxy                               -                           offline
lsa-nis-provider:rhelnis-master.mycompany.com              -                           online
----------------------------------------------------------------------------------------------
Total: 7
```

The LDAP proxy is responding to ldapsearches but the Isilon fails to online for more than a few seconds.

-D


LDAP Authentication returning “bad user” error

I need a solution

I’m trying to get LDAP authentication to AzureAD set up with a proxysg server, but I can’t get past a bad user name error.

Using the 6.2 admin guide for my steps. I’ve added, taken down, re-added the details multiple times at this point and not sure what I’m missing. Are there any known issues connecting to an AzureAD?


Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party.

The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticate using the company’s Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect

Security Impact Rating: High

CVE: CVE-2018-0229


Citrix Gateway displays error “HTTP/1.1 504 Gateway Timeout” while connecting to backend resources

When connecting to the backend in a Citrix Gateway solution, you could face an issue where the Gateway sends an error to the client when it accesses the backend services/resources.

Analyzing the ADC/Gateway traces, you can see that the Gateway responded with the error without even initiating a connection to the backend server.

Request:

```
POST /SecureBrowse/https/gateway.reprolab.com/oauth2/token HTTP/1.1
Host: gateway.reprolab.com:444
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
deviceId: 00000000-0000-0000-0000-000000000000
Cookie: NSC_AAAC=bd27ec1fag5b4937a55abc3a06845b260c3a01d41111111158455e445a4a42
Accept: */*
Connection: keep-alive
Content-Length: 143
User-Agent: SO/1.0 (SecureBrowse; build:1.5; iOS 11.4.0)
Accept-Language: en-US;q=1.0
Authorization: Basic abcWEcsdsWs1I1SFZNTF95UGR1aHZ4a111111111111111111112RveFBEZXVDMlVh
Accept-Encoding: gzip;q=1.0, compress;q=0.5

channel=2&deviceId=00000000-0000-0000-0000-000000000000&grant_type=password&password=Pa$$woRD&scope=openid&subChannel=1&username=mytestuser
```

Response:

```
HTTP/1.1 504 Gateway Timeout
Content-Length: 58
Connection: close
Cache-Control: no-cache,no-store
Pragma: no-cache

<html><body><b>Http/1.1 Gateway Timeout</b></body> </html>
```


CCS-VM User administrator does not work to configure Analytics & Reporting

I need a solution

We installed CCS-Vulnerability Manager without apparent inconveniences, and we can authenticate in the web console with the user administrator. When trying to configure Analytics & Reporting, it asks for a new authentication; we type the same credentials of the administrator user and the message “You have entered an invalid username and password combination” appears.

Attempting to correct the problem, we created administrator users as members of the default group “Administrators” in Role Based Access -> Users & Groups, importing them from Active Directory. These users are created correctly but do not allow authentication even in the console.

In view of the above, we created a new local user also a member of the Administrators group, this user can authenticate in the console but not when trying to configure Analytics & Reporting, the same thing happens as with the user administrator.

Questions:

What is the valid user to configure Analytics & Reporting and where is it defined?
How do we enable the users imported from AD so that they can authenticate in the web console of CCS-VM?
