IBM Support

IBM WebSphere DataPower SOA Appliances: Configuring for Use of WS-Security UserNameToken with Password Digest in the AAA Policy

Question & Answer

Question

Does DataPower permit use of the UserNameToken with Password Digest in an AAA Policy and, if so, how is it configured?

Answer

When creating an AAA Policy, a method for extracting a user's identity from an incoming request is chosen. When the method "Password-carrying UsernameToken Element from WS-Security Header" is used, the claimed identity of the requester is extracted from the WS-Security UsernameToken element (Username and Password) in the security header of the incoming request.

Password digests, i.e. a <Username> element in the header having a Type attribute of "PasswordDigest", may be used with the following configuration considerations.

In order to use a password digest, your LDAP server must store the password in cleartext (not encrypted) and the DataPower AAA configuration must correctly identify the LDAP Search Attribute that returns this field. The default LDAP Search Attribute used by DataPower is "userPassword".

Before proceeding:

1) Verify that your LDAP configuration stores the password in cleartext (not encrypted). Many LDAP configurations do not store the password in this manner.

2) Determine the appropriate search attribute for your LDAP server for use when configuring the AAA Policy.

Then follow the steps below to configure the AAA Policy.

When defining the authentication method in the AAA Policy, choose method "Bind to specified LDAP server" and set the "LDAP Search Attribute" property appropriately for return of the cleartext password.

When defining the authorization method in the AAA Policy, choose method "Check for membership in an LDAP group" and set the "LDAP Search Attribute" property appropriately for return of the cleartext password.


Important Notes:

1) Note that use of SSL for the LDAP server connection is advisable, because the cleartext password is retrieved over that connection in this scenario. Security requirements must be evaluated specific to your environment.

2) Note also that the benefits of AAA Authentication caching are lost when using this configuration. Each request carries a unique identity because of the nonce and creation time that accompany it for the purpose of preventing replay attacks, so subsequent requests from the same user will not be found in the cache. This is reflected in a debug-level log by the presence of the message "Authenticate cache check..." without a following "Authenticate cache hit" message. Neither message is seen unless debug-level logging is enabled.

Once DataPower retrieves the cleartext password from the LDAP server, the password is hashed using the SHA-1 specification and it is compared to the Password Digest from the token.
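The digest comparison described above, as an added Python example (not DataPower's own code): it recomputes the digest from the cleartext password using the WS-Security UsernameToken Profile formula Base64(SHA-1(nonce + created + password)), and also shows why two requests from the same user never share a cache identity. The password, nonce and timestamps are constructed sample values, and the nonce/Created freshness checks are the usual replay defence, not a description of how DataPower implements them.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from the page): the cleartext password the AAA
# policy would retrieve from LDAP's userPassword attribute, plus a client nonce.
LDAP_USER_PASSWORD = "constructed-cleartext-pw"
SAMPLE_NONCE_B64 = base64.b64encode(b"0123456789abcdef").decode("ascii")
SAMPLE_CREATED = "2021-06-08T12:00:00Z"
DEMO_NOW = datetime(2021, 6, 8, 12, 0, 30, tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the PasswordDigest formula of
    the WS-Security UsernameToken Profile (nonce = decoded <wsse:Nonce> bytes)."""
    nonce = base64.b64decode(nonce_b64)
    sha = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha.digest()).decode("ascii")


def verify_digest_token(nonce_b64: str, created: str, digest_b64: str,
                        ldap_password: str, now: datetime, seen_nonces: set,
                        max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Accept the token only if it is fresh, its nonce is unseen, and the
    digest recomputed from the LDAP cleartext password matches."""
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_at) > max_skew:
        return False                      # stale or future-dated Created timestamp
    if nonce_b64 in seen_nonces:
        return False                      # nonce already used within the window: replay
    expected = password_digest(nonce_b64, created, ldap_password)
    if not hmac.compare_digest(expected, digest_b64):
        return False                      # wrong password or tampered token
    seen_nonces.add(nonce_b64)            # remember the nonce for the skew window
    return True


def demo() -> bool:
    """Two requests from the same user carry different nonces, hence different
    digests: this is why the AAA authentication cache never hits for them."""
    seen = set()
    first = password_digest(SAMPLE_NONCE_B64, SAMPLE_CREATED, LDAP_USER_PASSWORD)
    second_nonce = base64.b64encode(b"fedcba9876543210").decode("ascii")
    second = password_digest(second_nonce, SAMPLE_CREATED, LDAP_USER_PASSWORD)
    ok1 = verify_digest_token(SAMPLE_NONCE_B64, SAMPLE_CREATED, first, LDAP_USER_PASSWORD, DEMO_NOW, seen)
    ok2 = verify_digest_token(second_nonce, SAMPLE_CREATED, second, LDAP_USER_PASSWORD, DEMO_NOW, seen)
    return ok1 and ok2 and first != second
```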

For more information, search for "Creating AAA Policies", "Defining the authentication method", or "Defining the authorization method" in the WebSphere DataPower Knowledge Center: http://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0/com.ibm.dp.doc/welcome.html


Document Information

Modified date:
08 June 2021

UID

swg21256170