DIGIPASS Authentication for TAM - Vasco
WHITEPAPER
DIGIPASS Authentication for TAM
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
Copyright
Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD, DIGIPASS® and the ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
Table of Contents
Disclaimer
Table of Contents
Reference guide
1 Preface
2 About TAM Authentication
3 About VASCO and DIGIPASS authentication
4 TAM and DIGIPASS Authentication
5 Token Repository
5.1 Storing VASCO DIGIPASS token information
5.2 Repository fail-over
5.3 Security considerations
5.4 Token initialisation
5.5 The DIGIPASS CDAS process
6 DIGIPASS CDAS features
6.1 Functionality
6.2 Configuration
7 About IBM
8 About VASCO Data Security
Reference guide
1 Preface
IBM Tivoli Access Manager (TAM) for e-business is the leading platform for access control to web-based applications. TAM supports a number of authentication mechanisms out-of-the-box and provides an interface for other types, called CDAS (Cross Domain Authentication Service).
Based on years of experience in large Access Manager projects, SecurIT has developed its C-Man concept, library classes and a methodology to speed up the delivery of such CDAS implementations according to the highest quality standards.
VASCO DIGIPASS® provides a strong two-factor authentication mechanism used by more than 8000 organizations around the world. For more information on VASCO DIGIPASS: http://www.VASCO.com
SecurIT partners with IBM and VASCO to provide an interface between these products, based on the C-Man concept, so that DIGIPASS-based authentication can be used to access enterprise applications.
This paper contains a high-level overview of the architecture of the solution and how it integrates with TAM. The solution described in this document has been certified by IBM as "Ready for Tivoli Access Manager".
2 About TAM Authentication
TAM provides authentication and authorization services for web-based resources by means of a reverse proxy. This reverse proxy, called WebSEAL, sits between the end-user's browser and the organization's web servers. It intercepts HTTP requests and performs authentication and authorization checks for protected resources.
The following figure illustrates this process.
The first time a user requests a protected web resource, WebSEAL challenges the user for authentication.
1. The user sends his authentication information to WebSEAL in an HTTP request.
2. WebSEAL extracts the authentication information and forwards it to the CDAS module.
3. The CDAS module verifies the authentication data against an external resource.
4. The CDAS module passes the verified identity back to WebSEAL (or an authentication failure message).
5. WebSEAL builds a valid internal credential for the user.
Finally, WebSEAL uses this internal credential to authorize the user's request.
WebSEAL provides out-of-the-box CDAS modules that deal with:
- Username/password authentication
- One-time password authentication for SecurID
- Client-side X.509 certificates
On top of this, WebSEAL provides a developer's toolkit for building custom CDAS modules. This toolkit served as the basis for the CDAS module that supports DIGIPASS tokens in both dynamic and static + dynamic PIN mode.
3 About VASCO and DIGIPASS authentication
VASCO secures the enterprise from the mainframe to the Internet with infrastructure solutions that enable secure e-business and e-commerce, protect sensitive information, and safeguard the identity of users. The company's family of DIGIPASS® and VACMAN® products offers end-to-end security through authentication, digital signature, and RADIUS and Web security, while sharply reducing the time and effort required to deploy and manage security.
The VASCO DIGIPASS product family consists of a set of hardware and software tokens that provide authentication and digital signature services. The following authentication mechanisms are supported:
- Dynamic PIN code (one-time password)
- Static + dynamic PIN code
- Challenge/response
The VACMAN product family facilitates the integration of strong DIGIPASS authentication into security-critical applications. One of the products in this family is the VACMAN Controller. It provides the DIGIPASS strong authentication and signature mechanisms natively to any application, in the form of an API, regardless of the operating system, communication protocol, database management system or GUI (Graphical User Interface), from PC to mainframe.
The integration between DIGIPASS and TAM described in this paper supports both dynamic and static + dynamic PIN codes. It calls the VACMAN Controller API from within the CDAS module to verify the PIN code.
The following figure illustrates the combination of a DIGIPASS token and the VACMAN Controller.
1. The user retrieves his PIN code from the token and enters it together with his user ID into the application.
2. The application fetches the corresponding token information from the registry.
3. The application calls the Controller with the token information and the user information.
4. The Controller verifies the authentication information and updates the token information.
5. The application writes the updated token information back into the registry.
The selection of a token registry is an application matter.
4 TAM and DIGIPASS Authentication
This section describes the integration of Access Manager WebSEAL with VASCO DIGIPASS tokens. This paper only contains a high-level overview of the architecture and functionality. For more details we refer to the DIGIPASS CDAS Installation and Administration Guide.
From a user's perspective, "user ID/PIN code" authentication is very similar to username/password authentication. For this reason it was decided to build the DIGIPASS CDAS as a username/password CDAS, where the username holds the user ID associated with the token and the password carries the one-time password (dynamic or static + dynamic).
The following figure illustrates the architecture of the solution.
1. The user retrieves his PIN code from the token and enters it together with his user ID into the username/password login form of WebSEAL.
2. WebSEAL forwards the authentication information to the DIGIPASS CDAS.
3. The CDAS fetches the corresponding token information from the TAM LDAP directory and verifies the authentication information.
4. The CDAS writes the updated token information back into the TAM LDAP directory.
5. The CDAS module passes the verified identity back to WebSEAL (or an authentication failure message).
6. WebSEAL builds a valid internal credential for the user.
This is the basic process flow of DIGIPASS authentication as carried out by the custom CDAS. There are, however, a couple of points that need more attention.
- For token synchronization and to prevent replay of a one-time password, the authentication server needs to keep track of state associated with the token. The DIGIPASS CDAS uses the LDAP directory for this purpose.
- Token authentication is often used alongside username/password authentication. The authentication server (CDAS) therefore needs a mechanism to distinguish users holding a token from users authenticating with a username and password.
These topics are described in slightly more detail in the next chapters.
5 Token Repository
5.1 STORING VASCO DIGIPASS TOKEN INFORMATION
As stated above, the DIGIPASS CDAS uses the TAM LDAP directory as its repository for token information. In the current release both IBM LDAP and SunOne LDAP are supported. The token information is stored in an object located in a subtree under the user with whom the token is associated.
The following screen dump shows such an entry.
The screen dump shows that the token with serial number 0097123456 is associated with the TAM user with DN (Distinguished Name) cn=Allowed1, o=sov, c=be. The CDAS makes no assumptions about the format of the DN, as long as TAM accepts it. The token information is stored as an instance of the object class sitVASCOToken. The object is created under the secAuthority=Default entry that TAM creates for the user.
A token entry basically contains the following information:
sitVASCO: Type of the token (e.g. ResponseOnly)
sitVASCOApplName: Application using the token
sitVASCOBlob: The token details, aka the BLOB (contains e.g. the current valid PIN code state)
sitVASCODpFlags: Token flags (internal use)
sitVASCOSerialNr: Token serial number (physically associates a token with a user)
sitVASCOMode: Mode of operation (optional)
sitVASCOType: Type of token (optional)
For more information on these attributes, please refer to the VASCO documentation and/or the DIGIPASS CDAS Installation & Administration Guide.
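As an added illustration (not taken from the paper or from the product documentation), the token subentry described above written out as LDIF. The object class, the attribute names, the user DN and the serial number are the ones the paper names; the choice of sitVASCOSerialNr as the RDN attribute, the attribute values and the base64-encoded BLOB bytes are assumptions made for this example.

```ldif
# Constructed example entry; RDN choice, values and BLOB content are assumptions.
dn: sitVASCOSerialNr=0097123456,secAuthority=Default,cn=Allowed1,o=sov,c=be
objectClass: sitVASCOToken
sitVASCOSerialNr: 0097123456
sitVASCOApplName: WebSEAL
sitVASCOType: ResponseOnly
sitVASCOMode: Dynamic
sitVASCODpFlags: 0
sitVASCOBlob:: Y29uc3RydWN0ZWQtb3BhcXVlLWJsb2I=
```

The BLOB is the sensitive part of this entry: it carries the token state the VACMAN Controller needs to validate the next one-time password, so the LDAP ACL on the secAuthority=Default subtree should restrict read and write access to the bind account the CDAS uses, and the entry should never be loaded with a placeholder BLOB like the one above.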
5.2 REPOSITORY FAIL-OVER
Validation of the user's PIN code is done by the CDAS using the VACMAN Controller API. This is a stand-alone library that takes the user's PIN code and the BLOB currently associated with the user's token. To prevent replay of PIN codes and to allow for token synchronization, the CDAS must always be able to get hold of the latest BLOB. For this reason the DIGIPASS CDAS provides an LDAP fail-over mechanism.
This mechanism is shown in the following figure:
To make sure that the DIGIPASS CDAS is always able to fetch the most up-to-date BLOB, it can talk to LDAP in fail-over mode. It always tries the first listed LDAP server first; if that server fails it tries the next one, and so on until all known LDAP servers have been tried. If no working LDAP server can be found, the authentication request fails.
The CDAS must, however, also make sure that the updated BLOB is written back to LDAP, so it is best practice to work with a multi-master LDAP cluster. As this is not always possible, the CDAS can be configured to continue with the authentication even if it cannot write the BLOB back into LDAP. As long as this situation is not persistent, the token will be synchronized (if needed) at a later stage. Note that until the updated BLOB has been written, the one-time password that was just accepted is not yet recorded as used, so this setting trades replay protection for availability. In either case the CDAS reports BLOB update failures in its log file.
5.3 SECURITY CONSIDERATIONS
The DIGIPASS CDAS can be configured to talk LDAP over SSL to the LDAP servers. It binds to LDAP with a (configurable) account that has the rights needed to read and write the token information. Because that account can read and rewrite the BLOB of every enrolled user, its credentials and the LDAP ACLs granting it access deserve the same protection as the token secrets themselves.
5.4 TOKEN INITIALISATION
The DIGIPASS CDAS comes with a command line tool for initializing tokens. This tool takes two input files:
- DPX file
- "TAM user to token" mapping file
The DPX file is delivered by VASCO together with the tokens. It contains all the token-related information that goes into the LDAP server. The second file contains an entry for each existing TAM user that needs a new or updated token. The tool generates the DIGIPASS subentry shown above for each of them.
5.5 THE DIGIPASS CDAS PROCESS
The DIGIPASS CDAS is fully in line with the CDAS specification in the WebSEAL Developer's Reference guide. This means that it implements the following functions:
- xauthn_initialize()
- xauthn_shutdown()
- xauthn_authenticate()
- xauthn_change_password()
Although the DIGIPASS CDAS can be used where step-up authentication is needed, in some deployments the authentication mechanism is not selected by the required authentication level but simply by whether a user possesses a token or not. For such cases the DIGIPASS CDAS can be configured to support both username/password and one-time password authentication. The choice is controlled per user by the LDAP attribute employeeType, as shown in the following screen dump.
The current release of the DIGIPASS CDAS supports the following values for the employeeType attribute:
1: Username/password
2: DIGIPASS response-only
3: DIGIPASS challenge/response (placeholder)
These are only the default settings. Both the LDAP attribute and the corresponding values are configurable.
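The following is an added example, not SecurIT's CDAS code or VASCO's VACMAN Controller, that simulates the decision logic the paper describes in sections 4, 5.2 and 5.5: look the user up through the LDAP fail-over list, branch on the employeeType value, validate a response-only DIGIPASS code against the stored BLOB so that a reused code is refused and a token that has run ahead re-synchronises, and apply the configured policy when the BLOB cannot be written back. Everything below the paper's attribute and value names is an assumption: the LDAP servers are in-memory stand-ins, the user entries are constructed, and the one-time password algorithm is HOTP (RFC 4226) with the counter kept in the BLOB, standing in for the proprietary DIGIPASS algorithm.

```python
import copy
import hashlib
import hmac
import struct

# Default employeeType values from the paper (attribute and values are
# configurable in the real CDAS).
METHOD_PASSWORD = "1"
METHOD_DIGIPASS_RESPONSE_ONLY = "2"
METHOD_DIGIPASS_CHALLENGE_RESPONSE = "3"  # placeholder in the paper; rejected here


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, an assumed stand-in for the DIGIPASS response-only code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


# Constructed directory content. The real CDAS keeps the token attributes in a
# sitVASCOToken subentry under secAuthority=Default below the user; the stand-in
# puts them on the user entry to stay small.
SECRET_A = b"0123456789ABCDEF0123"
SECRET_B = b"FEDCBA9876543210FEDC"
USERS = {
    "cn=Allowed1,o=sov,c=be": {"employeeType": METHOD_DIGIPASS_RESPONSE_ONLY,
                               "sitVASCOSerialNr": "0097123456",
                               "sitVASCOBlob": {"secret": SECRET_A, "counter": 0, "static_pin": ""}},
    "cn=Allowed2,o=sov,c=be": {"employeeType": METHOD_PASSWORD,
                               "userPassword": hashlib.sha256(b"s3cret").hexdigest()},
    "cn=Allowed3,o=sov,c=be": {"employeeType": METHOD_DIGIPASS_RESPONSE_ONLY,
                               "sitVASCOSerialNr": "0097123457",
                               "sitVASCOBlob": {"secret": SECRET_B, "counter": 0, "static_pin": "1234"}},
}


class LdapServer:
    """Stand-in LDAP replica: `up` models reachability, `read_only` a slave
    replica that refuses the BLOB write-back (no multi-master)."""

    def __init__(self, name, entries, up=True, read_only=False):
        self.name, self.up, self.read_only = name, up, read_only
        self.entries = copy.deepcopy(entries)

    def read(self, dn):
        if not self.up:
            raise ConnectionError(self.name)
        return self.entries[dn]

    def write_blob(self, dn, blob):
        if not self.up:
            raise ConnectionError(self.name)
        if self.read_only:
            raise PermissionError(self.name)
        self.entries[dn]["sitVASCOBlob"] = blob


class DigipassCdas:
    """The part of xauthn_authenticate() that the paper describes."""

    def __init__(self, servers, continue_on_write_failure=False, sync_window=10):
        self.servers = servers
        self.continue_on_write_failure = continue_on_write_failure
        self.sync_window = sync_window
        self.log = []

    def _read(self, dn):
        # Fail-over order from 5.2: first listed server first, then the next.
        for server in self.servers:
            try:
                return server, server.read(dn)
            except ConnectionError:
                self.log.append(f"LDAP {server.name} unreachable, trying next")
        raise ConnectionError("no LDAP server available")

    def authenticate(self, dn, password):
        try:
            server, entry = self._read(dn)
        except (ConnectionError, KeyError) as exc:
            self.log.append(f"{dn}: {exc!r}")
            return False
        method = entry.get("employeeType")
        if method == METHOD_PASSWORD:  # COMPARE-style check against the stored hash
            digest = hashlib.sha256(password.encode()).hexdigest()
            return hmac.compare_digest(digest, entry["userPassword"])
        if method == METHOD_DIGIPASS_RESPONSE_ONLY:
            return self._verify_digipass(server, dn, entry, password)
        self.log.append(f"{dn}: unsupported authentication method {method!r}")
        return False

    def _verify_digipass(self, server, dn, entry, password):
        blob = entry["sitVASCOBlob"]
        pin = blob["static_pin"]
        if pin:  # static + dynamic: the static PIN is typed in front of the OTP
            if not hmac.compare_digest(password[:len(pin)].encode(), pin.encode()):
                return False
            password = password[len(pin):]
        # Only counters above the last accepted one are tried, so a reused OTP
        # is rejected and a token that skipped ahead re-synchronises in-window.
        last = blob["counter"]
        for counter in range(last + 1, last + 1 + self.sync_window):
            if hmac.compare_digest(hotp(blob["secret"], counter).encode(), password.encode()):
                return self._write_back(server, dn, dict(blob, counter=counter))
        return False

    def _write_back(self, server, dn, blob):
        try:
            server.write_blob(dn, blob)
            return True
        except (ConnectionError, PermissionError) as exc:
            self.log.append(f"BLOB update failed on {exc}")  # 5.2: always logged
            return self.continue_on_write_failure
```

The write-back path is where the operational trade-off from 5.2 becomes visible: with continue_on_write_failure set, a failed BLOB update still yields a successful login, and the same one-time password is accepted again until some later write succeeds, which is exactly why the paper recommends a multi-master directory and why the failure is always logged.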
6 DIGIPASS CDAS features
This section summarizes the key features of the DIGIPASS CDAS. For more details please refer to the DIGIPASS CDAS Installation & Administration Guide and the DIGIPASS Administration Tool User Guide.
6.1 FUNCTIONALITY
- Supports both username/password and DIGIPASS one-time passwords
- Supports password change for username/password
- Supports static PIN code change for one-time password
- Supports token synchronisation
- Supports token unlocking
- Compliant with Tivoli Access Manager 4.1
- Supported on both Windows 2000 and Solaris
- Uses LDAP as token registry
- Supports both IBM LDAP and SunOne LDAP
- Provides a token initialisation tool
6.2 CONFIGURATION
- Supports LDAP over SSL
- Configurable log level
- LDAP Master/Slave configuration
- Username/password authentication using BIND or COMPARE
- Configurable authentication method switch
- GSO to Extended Attributes mapping
- Configurable VASCO LDAP object and attributes
- Several configurable DIGIPASS parameters
7 About IBM
With 80 years of leadership in helping businesses innovate, IBM is the world's largest information technology company.
IBM is a leading provider of e-business solutions and is dedicated to helping companies, Business Partners and developers leverage the potential of the Internet and network computing across a wide range of businesses and industries.
The company offers a host of cross-industry and industry-specific solutions designed to meet the needs of companies of all sizes.
For more information on IBM, please visit: http://www.ibm.com/mediumbusiness.
8 About VASCO Data Security
VASCO designs, develops, markets and supports patented strong user authentication products for e-business and e-commerce.
VASCO's user authentication software is carried by the end user on its DIGIPASS products, which are small "calculator" hardware devices, or in software form on mobile phones, other portable devices and PCs.
On the server side, VASCO's VACMAN products ensure that only the designated DIGIPASS user gets access to the application.
VASCO's target markets are the applications, and their several hundred million users, that still rely on fixed passwords for security.
VASCO's time-based system generates a one-time password that changes with every use and is designed to resist guessing and replay.
VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong user authentication, with over 1500 international financial institutions and almost 8000 blue-chip corporations and governments located in more than 100 countries.