DIGIPASS Authentication for TAM - Vasco

WHITEPAPER 

DIGIPASS Authentication for TAM

Disclaimer 

1 DIGIPASS Authentication for TAM 

DIGIPASS Authentication for TAM 

Disclaimer of Warranties and Limitation of Liabilities 

All information contained in this document is provided 'as is'; VASCO Data Security assumes no 

responsibility for its accuracy and/or completeness. 

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any 

use of the information contained in this document. 

Copyright 

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International 

GmbH. All rights reserved. VASCO ® , VACMAN ® , IDENTIKEY ® , aXsGUARD, 

DIGIPASS ® and ® logo are registered or unregistered trademarks of VASCO Data 

Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other 

countries. VASCO Data Security, Inc. and/or VASCO Data Security International 

GmbH own or are licensed under all title, rights and interest in VASCO Products, 

updates and upgrades thereof, including copyrights, patent rights, trade secret rights, 

mask work rights, database rights and all other intellectual and industrial property 

rights in the U.S. and other countries. Microsoft and Windows are trademarks or 

registered trademarks of Microsoft Corporation. Other names may be trademarks of 

their respective owners.

Table of Contents 



Disclaimer ...................................................................................................................... 1 

Table of Contents ........................................................................................................... 2 

Reference guide ............................................................................................................. 3 

1 Preface ..................................................................................................................... 4 

2 About TAM Authentication ........................................................................................ 5 

3 About VASCO and DIGIPASS authentication ............................................................. 6 

4 TAM and DIGIPASS Authentication ........................................................................... 8 

5 Token Repository .................................................................................................... 10 

5.1 STORING VASCO DIGIPASS TOKEN INFORMATION .................................................. 10 

5.2 REPOSITORY FAIL-OVER ...................................................................................... 11 

5.3 SECURITY CONSIDERATIONS ............................................................................... 11 

5.4 TOKEN INITIALISATION ....................................................................................... 11 

5.5 THE DIGIPASS CDAS PROCESS ............................................................................. 12 

6 DIGIPASS CDAS features ........................................................................................ 14 

6.1 FUNCTIONALITY .................................................................................................. 14 

6.2 CONFIGURATION ................................................................................................ 14 

7 About IBM ............................................................................................................... 15 

8 About VASCO Data Security .................................................................................... 15

Reference guide 


DIGIPASS Authentication for TAM

1 Preface 



IBM Tivoli Access Manager (TAM) for e-business is the leading platform for access control 

to web-based applications. TAM supports a number of authentication mechanisms out-ofthe-box 

and provides an interface for other types, called CDAS (Cross Domain 

Authentication Service). 

Based on years of experience in large Access Manager projects, SecurIT has developed its 

revolutionary C-Man concept, library classes and a methodology to speed-up the 

provision of such CDAS implementations according to the highest quality standards. 

VASCO DIGIPASS® provides a strong two-factor authentication mechanism used by more 

than 8000 organizations around the world. For more information on VASCO DIGIPASS: 

http://www.VASCO.com 

SecurIT partners with IBM and VASCO to provide an interface between these products, 

based on this C-Man concept, in order to allow DIGIPASS-based authentication to access 

enterprise applications. 

This paper contains a high-level overview of the architecture of the solution and how it 

integrates with TAM. The solution described in this document has been certified by IBM as 

“Ready for Tivoli Access Manager”.



2 About TAM Authentication 

TAM provides authentication and authorization services for web based resources by 

means of a reversed proxy. This reversed proxy, called WebSEAL, sits between the enduser’s 

browser and the organization’s web servers. It intercepts HTTP requests and 

performs authentication and authorization checks for protected resources. 

The following figure illustrates this process. 

The first time a user requests a protected web resource, WebSEAL will challenge the user 

for authentication. 

1. The user sends his authentication information by means of an HTTP request to 

WebSEAL 

2. WebSEAL extracts the authentication information and forwards it to the CDAS 

module 

3. The CDAS module verifies the authentication data against an external resource 

4. The CDAS module passes the verified identity back to WebSEAL (or an 

authentication failure message) 

5. WebSEAL builds a valid internal credential for the user 

Finally, WebSEAL uses this internal credential to validate the user’s request. 

WebSEAL provides out-of-the-box CDAS modules that deal with: 

Username/password authentication 

One-time password authentication for SecurID 

Client-side X.509 certificates 

However, on top of this WebSEAL provides a developer’s toolkit for building custom CDAS 

modules. This toolkit has served as the basis for building the CDAS module that supports 

both Static and Dynamic DIGIPASS authentication tokens.



3 About VASCO and DIGIPASS 

authentication 

VASCO secures the enterprise from the mainframe to the Internet with infrastructure 

solutions that enable secure e-business and e-commerce, protect sensitive information, 

and safeguard the identity of users. The company’s family of DIGIPASS® and VACMAN® 

products offer end-to-end security through authentication, digital signature, and Radius 

and Web security, while sharply reducing the time and effort required to deploy and 

manage security. 

The VASCO DIGIPASS product family consists of a set of hardware and software tokens 

that provide authentication and digital signature services. The following authentication 

mechanisms are supported: 

Dynamic pin code (One time password) 

Static + Dynamic pin code 

Challenge/Response 

The VACMAN product family facilitates the integration of strong DIGIPASS authentication 

into security-critical applications. One of the products in this family is the VACMAN 

Controller. It provides DIGIPASS strong authentication and signatures mechanisms 

natively into any application, in the form of an API regardless of your preferred OS 

(Operating System) or communication protocol, database management system or GUI 

(Graphical User Interface), from PC to mainframe. 

The integration between DIGIPASS and TAM, as described in this paper, supports both 

dynamic and static + dynamic pin codes. It uses the VACMAN Controller API from within 

the CDAS module to verify the pin code. 

The following figure illustrates the combination of a DIGIPASS token and the VACMAN 

Controller.



1. The user retrieves his pin code from the token and enters it together with his 

user ID into the application 

2. The application fetches the corresponding token information from the registry 

3. The application calls the Controller together with the token information and 

user information 

4. The Controller verifies the authentication information and updates the token 

information 

5. The application writes the updated token information into the registry 

The selection of a token registry is an application matter.



4 TAM and DIGIPASS 

Authentication 

This section describes the integration of Access Manager WebSEAL with VASCO DIGIPASS 

tokens. This paper only contains a high level overview of the architecture and 

functionality. For more details we refer to the DIGIPASS CDAS Installation and 

Administration Guide. 

From a user’s perspective “User ID/pin code” authentication is very similar to 

username/password authentication. For this reasons it was decided to build the 

DIGIPASS CDAS as a username/password CDAS where the username would hold the 

user ID associated with the token and the password would reflect the one-time password 

(dynamic or static + dynamic). 

The following figure illustrates the architecture of the solution. 

1. The user retrieves his pincode from the token and enters it together with his 

user ID into the username/password login form of WebSEAL 

2. WebSEAL forwards the authentication information to the DIGIPASS CDAS 

3. The CDAS fetches the corresponding token information from the TAM LDAP 

directory and verifies the authentication information 

4. The CDAS write the updated token information into the TAM LDAP directory 

5. The CDAS module passes the verified identity back to WebSEAL (or an 

authentication failure message) 

6. WebSEAL builds a valid internal credential for the user 

This illustrates the basic process flow of DIGIPASS authentication as carried out by the 

custom CDAS. There are however a couple of points that need more attention.



For token synchronization and to avoid replay, the authentication server needs 

to keep track of information associated with the token. This DIGIPASS CDAS 

uses the LDAP directory for this purpose. 

Token authentication is often used in combination with username/password 

authentication. Therefore, the authentication server (CDAS) needs a 

mechanism to make a distinction between users holding a token and user 

authenticating using username/password. 

These topics are described in slightly more detail in the next chapters.



5 Token Repository 

5.1 STORING VASCO DIGIPASS TOKEN INFORMATION 

As stated above, the DIGIPASS CDAS uses the TAM LDAP Directory as its repository to 

store token information. In the current release both IBM LDAP and SunOne LDAP are 

supported. The token information is stored in an object that is located in a sub tree under 

the user with whom the token is associated. 

The following screen dump shows such an entry. 

This screen dump shows that the token with serial number 0097123456 is associated 

with the TAM user with DN (Distinguished Name) cn=Allowed1, o=sov, c=be. The 

CDAS makes absolutely no assumptions about the format of the DN, as long as it is 

accepted by TAM. The token information is stored as an instance of the Object Class 

sitVASCOToken. The object is created under the secAuthority=Default entry created 

by TAM. 

A token entry basically contains the following information: 

sitVASCO Type of the token (e.g. ResponseOnly) 

sitVASCOApplName Application using the token 

sitVASCOBlob The token details, aka. BLOB (contains e.g. current valid pincode) 

sitVASCODpFlags Token flag (internal use) 

sitVASCOSerialNr Token serial number (to physically associate a token with a 

user) 

sitVASCOMode Mode of operation (optional) 

sitVASCOType Type of token (optional)



For more information on these attribute, please refer to VASCO documentation and/or 

the DIGIPASS CDAS Installation & Administration Guide. 

5.2 REPOSITORY FAIL-OVER 

Validation of the user’s pin code is done by the CDAS using the VACMAN Controller API. 

It is a stand-alone library that takes the user’s pin code and the BLOB that is currently 

associated with the user’s token. To avoid replay of pin codes and to allow for token 

synchronization, the CDAS should always be able to get hold of the latest BLOB. 

Therefore, the DIGIPASS CDAS foresees an LDAP fail-over mechanism. 

This mechanism is shown in the following figure: 

To make sure that the DIGIPASS CDAS is always able to fetch the most up-to-date BLOB, 

it is able to talk in fail-over mode to LDAP. It will always try the first mentioned LDAP 

server first; if that server fails it will try the next LDAP, and so on until it has tried all 

known LDAP servers. If no working LDAP server can be found, the authentication request 

will fail. 

The CDAS should however also make sure that the updated BLOB gets written back to 

LDAP. As such it would be best practice to work with a multi-master LDAP cluster. 

However, as this is not always possible, the CDAS can be configured to continue with the 

authentication process even if it cannot write the BLOB back into LDAP. As long as this 

situation is not persistent, the token will be synchronized (if needed) at a later stage. 

Anyhow, the CDAS will also report BLOB update failures in its log file. 

5.3 SECURITY CONSIDERATIONS 

The DIGIPASS CDAS can be configured to talk LDAP over SSL with the LDAP servers. It 

will bind to LDAP using a (configurable) user with appropriate credentials to read and 

write the token information. 

5.4 TOKEN INITIALISATION 

The DIGIPASS CDAS comes with a command line tool for initializing tokens. This tool 

takes two input files: 

DPX file 

“TAM user to token” mapping file



The DPX file is delivered by VASCO together with the tokens. It contains all the token 

related information that goes into the LDAP server. The second file contains an entry for 

each existing TAM user that needs a new or updated token. The tool basically generates 

the DIGIPASS subentry as shown above. 

5.5 THE DIGIPASS CDAS PROCESS 

The DIGIPASS CDAS is fully in line with the CDAS specification as listed in the WebSEAL 

Developers Reference guide. This means that it supports the following functions: 

xauthn_initialize() 

xauthn_shutdown() 

xauthn_authenticate() 

xauthn_change_password() 

Although the DIGIPASS CDAS can be used where step-up authentication is needed, it 

should be noted that in some cases the selection of the authentication mechanism is not 

necessarily controlled by the required authentication levels but merely by the fact that a 

user possesses a token or not. In such a case the DIGIPASS CDAS can be configured to 

support both username/password and one-time password. This is controlled by setting 

the LDAP attribute employeeType, as shown by the following screen dump.



The current release of the DIGIPASS CDAS supports the following values for the 

employeesType attribute: 

Username/password 1 

DIGIPASS response-only 2 

DIGIPASS challenge/response 3 (placeholder) 

It should be noted that these are only the default settings. The LDAP attribute and the 

corresponding values are configurable.



6 DIGIPASS CDAS features 

This paragraph summarizes the key features of the DIGIPASS CDAS. For more details 

please refer to the DIGIPASS CDAS Installation & Administration Guide and the 

DIGIPASS Administration Tool User Guide. 

6.1 FUNCTIONALITY 

Supports both username/password and DIGIPASS one-time passwords 

Supports password change for username/password 

Supports static pincode change for one-time password 

Supports token synchronisation 

Supports token unlocking 

Compliant with Tivoli Access Manager 4.1 

Supported both on Windows 2000 and Solaris 

Uses LDAP as token registry 

Supports both IBM LDAP and SunOne LDAP 

Provides token initialisation tool 

6.2 CONFIGURATION 

Supports LDAP over SSL 

Configurable log level 

LDAP Master/Slave configuration 

Username/password authentication using BIND or COMPARE 

Configurable authentication method switch 

GSO to Extended Attributes mapping 

Configurable VASCO LDAP object and attributes 

Several configurable DIGIPASS parameters

7 About IBM 



With 80 years of leadership in helping businesses innovate, IBM is the world's largest 

information technology company. 

IBM is a leading provider of e-business solutions and is dedicated to helping companies, 

Business Partners and developers leverage the potential of the Internet and network 

computing across a wide range of businesses and industries. 

The company offers a host of cross-industry and industry specific solutions designed to 

meet the needs of companies of all sizes. 

For more information on IBM, please visit: http://www.ibm.com/mediumbusiness. 

8 About VASCO Data Security 

VASCO designs, develops, markets and supports patented Strong User Authentication 

products for e-Business and e-Commerce. 

VASCO’s User Authentication software is carried by the end user on its DIGIPASS 

products which are small “calculator” hardware devices, or in a software format on 

mobile phones, other portable devices, and PC’s. 

At the server side, VASCO’s VACMAN products guarantee that only the designated 

DIGIPASS user gets access to the application. 

VASCO’s target markets are the applications and their several hundred million users that 

utilize fixed password as security. 

VASCO’s time-based system generates a “one-time” password that changes with every 

use, and is virtually impossible to hack or break. 

VASCO designs, develops, markets and supports patented user authentication products 

for the financial world, remote access, e-business and e-commerce. VASCO’s user 

authentication software is delivered via its DIGIPASS hardware and software security 

products. With over 25 million DIGIPASS products sold and delivered, VASCO has 

established itself as a world-leader for strong User Authentication with over 1500 

international financial institutions and almost 8000 blue-chip corporations and 

governments located in more than 100 countries.

DIGIPASS Authentication for TAM - Vasco

Create successful ePaper yourself

Delete template?

Save as template?