Overview

Skill Level: Intermediate

Assumes an understanding of the ISAM concepts of Federated Directories and Basic User support.

This recipe shows how to take a Federated Directory configuration from an ISAM appliance and apply it to an ISAM on DP instance
on a DataPower gateway. This is useful because there is no GUI support for this configuration on DataPower, so the transfer is done by editing configuration files.

Ingredients

  • ISAM V8.0.1 or later ISAM appliance with an existing Federated Directory configuration
  • Login credentials for the ISAM Appliance administrator, the ISAM Security Administrator, the DataPower administrator, and the LDAP administrators of the directories being federated.
  • DataPower V7.0 or later gateway with the ISAM module option enabled and an Access Manager Runtime configured against the ISAM appliance.

Note: The following steps are best completed with the consoles of both products accessible in the same browser.

Step-by-step

  1. Determine directories to federate.

    On the ISAM appliance navigate to Web Settings->Runtime Component->Manage->Federated Directories.

    [Screenshot: runtime-screen1]

    [Screenshot: select-fed-dirs]

    [Screenshot: fed-dirs-window]

    Note the labels on the listed federated directories.

  2. Capture federation configuration section text

    On the ISAM appliance navigate to Web Settings->Runtime Component->Manage->Configuration Files->ldap.conf

    In the Edit window search for the sections with names of the form [server:<label>]. These are the sections
    that must be copied to the DataPower configuration, so this is a good time to highlight the section text and copy it
    to your system's clipboard.

    [Screenshot: select-ldap-conf]

    [Screenshot: highlighted-sections]

  3. Navigate to LDAP configuration file on DataPower gateway

    On the DataPower gateway navigate to the domain with the configured Access Manager Runtime and then navigate to
    Objects->Security Access Manager->Access Manager Runtime->Manage Files

    [Screenshot: dp-runtime-screen]

  4. Add federation configuration text to LDAP configuration file

    Bring up the Edit window for the ldap.conf file by clicking on the Edit… button. Enable editing by clicking the Edit button and
    paste the text captured in Step 2 at the bottom of the ldap.conf file.

    [Screenshot: edit-ldap-conf]

    [Screenshot: paste-of-fed]

  5. Update LDAP bind password property

    In each of the sections just added to the ldap.conf file there is a property 'bind-pwd = **obfuscated**'. The bind-pwd
    property value is not copied across from the ISAM appliance, so the real password must now be edited into the bind-pwd
    property. It is the password for the account named by the 'bind-dn' property already in the section.

    [Screenshot: password-update1]

    Now click 'Submit' to save the ldap.conf file, and then 'Apply' to restart the Access Manager Runtime object.

  6. Transferring federation SSL configuration

    Determine the SSL certificate keystore on the ISAM appliance and save it to your local desktop system.

    The name of the keystore where the federated directory SSL certificates are stored is in Web Settings->Runtime Component->Manage->Federated Directories->SSL Settings

    [Screenshot: ssl-keystore-window]

    Then look up the keystore in System Settings->SSL Certificates

    [Screenshot: Select-ssl-certs]

    Now export the keystore artifacts (a GSKit key database file and its associated stash file), which are delivered in a zip file.

    [Screenshot: export-ssl-certs]

    [Screenshot: save-federated-keys]

    On your local system open the zip file and extract the actual key database (keydb) and stash files.

    [Screenshot: select-federated-keyinfo]

    [Screenshot: extract-directory]

    Then upload them into the isamcert:/keytab directory in the isam domain.

    [Screenshot: files-system-selection]

    [Screenshot: upload-crypto-files1]

    [Screenshot: upload-capture-window]

    [Screenshot: upload-key-files1]

    Finally, edit the ssl-keyfile entry in the ldap.conf file so that it points at the uploaded key database file. The stash file is not named explicitly; its name is assumed from the key database file name.

    [Screenshot: update-ssl-keyfile-name]

  7. Basic user configuration enhancement

    Basic user functionality can be configured in association with the federated directory configuration. There is no GUI option on either appliance for configuring this functionality, so the configuration is transferred from ISAM to DP by editing the same entries into the [ldap] section of the ldap.conf file on both appliances. Some 'basic user' properties are included in the federated directory sections that may already have been copied across; these will not take effect until the 'basic-user-support = yes' entry has been added to the [ldap] section.

    [Screenshot: basic-user-config]

    Note that for Active Directory based registries there is a special principal attribute that is different from the normal LDAP attribute of 'uid'.

    [Screenshot: active-dir-extra-bu]
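    To make the ldap.conf editing of Steps 2, 4, 5 and 7 (and the ssl-keyfile update of Step 6) repeatable and reviewable, here is an added Python example; it is not part of the recipe and not code from either product. It parses the ISAM appliance's ldap.conf, lists the federated directory labels, appends the [server:<label>] sections to a copy of the DataPower ldap.conf, substitutes operator-supplied bind passwords for the '**obfuscated**' values and flags any left unset, optionally re-points ssl-keyfile at the uploaded key database, and inserts 'basic-user-support = yes' into the [ldap] section. Both sample configurations are constructed; the stanza keys other than bind-dn, bind-pwd, ssl-keyfile and basic-user-support, the 'host' values, and the exact form of the isamcert:/keytab path are assumptions.

```python
"""Added example (not from the recipe or either product): merge ISAM federated-directory
stanzas into a DataPower ldap.conf.  Assumes the ldap.conf syntax shown in the recipe."""
import posixpath
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
SERVER_PREFIX = "server:"      # federated directory stanzas are named [server:<label>]
OBFUSCATED = "**obfuscated**"  # what the appliance writes in place of the bind password


def parse_stanzas(text):
    """Parse ldap.conf text into {stanza name: [(key, value), ...]}, preserving order."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))  # DNs contain '=' themselves
            stanzas[current].append((key, value))
    return stanzas


def federated_labels(text):
    """Step 1: labels of the federated directories configured in this ldap.conf."""
    return [n[len(SERVER_PREFIX):] for n in parse_stanzas(text) if n.startswith(SERVER_PREFIX)]


def merge(target_text, source_text, passwords, keyfile_dir=None):
    """Append the [server:<label>] stanzas of source_text to target_text; return (text, warnings).
    passwords maps label -> real bind password typed in by the operator (the export never carries
    it); keyfile_dir, if given, re-points ssl-keyfile at the directory the .kdb was uploaded to."""
    src, tgt, warnings = parse_stanzas(source_text), parse_stanzas(target_text), []
    out = target_text.rstrip("\n").splitlines()  # existing target lines are kept intact
    # Step 7: basic-user properties stay dormant until [ldap] carries basic-user-support = yes.
    ldap = dict(tgt.get("ldap", []))
    if ldap.get("basic-user-support") != "yes":
        if "basic-user-support" in ldap:
            warnings.append("[ldap] has basic-user-support = %s; remove that line" % ldap["basic-user-support"])
        hdr = next((i for i, l in enumerate(out) if l.strip() == "[ldap]"), None)
        if hdr is None:
            out.append("[ldap]")
            hdr = len(out) - 1
        out.insert(hdr + 1, "basic-user-support = yes")
    # Steps 2, 4, 5, 6: copy each federated stanza, filling in what the export does not carry.
    for name, pairs in src.items():
        if not name.startswith(SERVER_PREFIX):
            continue
        if name in tgt:
            warnings.append(f"{name}: already present in target; skipped")
            continue
        label, rendered = name[len(SERVER_PREFIX):], [f"[{name}]"]
        for key, value in pairs:
            if key == "bind-pwd":
                if label in passwords:
                    value = passwords[label]
                else:
                    warnings.append(f"{name}: bind-pwd is still {OBFUSCATED}; fill it in before Submit")
            elif key == "ssl-keyfile" and keyfile_dir:
                value = f"{keyfile_dir}/{posixpath.basename(value)}"
            rendered.append(f"{key} = {value}")
        out.extend([""] + rendered)
    return "\n".join(out) + "\n", warnings


ISAM_LDAP_CONF = """\
# constructed sample of an ISAM appliance ldap.conf (not a real export)
[ldap]
bind-dn = cn=root
bind-pwd = **obfuscated**

[server:corp-ad]
host = ad.corp.example
bind-dn = CN=svc-isam,OU=Service,DC=corp,DC=example
bind-pwd = **obfuscated**
ssl-keyfile = /var/pdweb/keytab/federated.kdb

[server:partner-ldap]
host = ldap.partner.example
bind-dn = cn=isam,o=partner
bind-pwd = **obfuscated**
"""
DP_LDAP_CONF = """\
# constructed sample of the DataPower Access Manager Runtime ldap.conf before the merge
[ldap]
bind-dn = cn=root
bind-pwd = **obfuscated**
"""

if __name__ == "__main__":
    merged, warns = merge(DP_LDAP_CONF, ISAM_LDAP_CONF, passwords={"corp-ad": "example-password"},
                          keyfile_dir="isamcert:/keytab")  # constructed password; path per recipe
    print(federated_labels(ISAM_LDAP_CONF), merged, *("WARNING: " + w for w in warns), sep="\n")
```

    Run it as a script to see the merged text and the warnings; the warnings list every section whose bind-pwd is still obfuscated, so nothing is submitted with a placeholder password. The output contains the real bind passwords, so treat it with the same care as the ldap.conf file itself, and review it before pasting it into the DataPower Edit window, since 'Apply' restarts the Access Manager Runtime.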

  8. Test federation configuration has succeeded.

    To check that the federation has succeeded, access the DataPower command line, change to the domain and enter ISAM mode.
    Use 'user list' and 'user show' to see users via the ISAM on DP module and compare them with the users seen through the
    ISAM appliance at Web Settings->Policy Administration.

    [Screenshot: login_to_isam-pdadmin]

    User alice

    [Screenshot: alice-on-isam]

    [Screenshot: alice-on-dp]

    User jgdef

    [Screenshot: jgdef-on-isam]

    [Screenshot: jgdef-on-dp]
