Layer7 API Management

  • 1.  Is it possible to have MFA (Smart Card, RSA, etc) for Admins Logging into Policy Manager GUI?

    Posted May 11, 2017 10:20 AM

    We currently have a requirement to use MFA for all admin access. There don't seem to be any out-of-the-box features for the Layer 7 XML Gateway to use MFA for Administrator login to the GUI. What would be the CA-advised workaround? Is there an open feature request for this functionality?

    Thanks,

    Matt



  • 2.  Re: Is it possible to have MFA (Smart Card, RSA, etc) for Admins Logging into Policy Manager GUI?
    Best Answer

    Posted May 11, 2017 10:59 AM

    Hello

    It is not possible to have smart card login via Policy Manager; there is an existing request raised at:

    Enable PIV authentication into Policy Manager

    Please add your use case to this idea.

    Regards

    Christopher Clark



  • 3.  Re: Is it possible to have MFA (Smart Card, RSA, etc) for Admins Logging into Policy Manager GUI?

    Posted May 09, 2019 04:57 AM

    Is there any news in the meantime?
    Is it still not possible to use any form of MFA for Policy Manager access?

    Thank you!

    Ciao Stefan



  • 4.  Re: Is it possible to have MFA (Smart Card, RSA, etc) for Admins Logging into Policy Manager GUI?

    Posted May 13, 2019 10:11 AM

    Hello Stefan

    Thanks for your update. I'm no longer involved with APIM, however I did reach out to a colleague and confirmed that the feature has not been added to the product and he was aware of any custom solution that has worked.

    Please update the idea with your use case as it will continue to be reviewed for future product enhancements.

    Cheers

    Christopher Clark

    Broadcom Customer Success



  • 5.  Re: Is it possible to have MFA (Smart Card, RSA, etc) for Admins Logging into Policy Manager GUI?

    Posted May 15, 2019 12:08 PM

    If you use a password vault, such as CA PAM or similar, you can leverage that to generate short-lived passwords for login. About the best that can be done, so far as we've found; the "certificate" login it has isn't MFA since it's an unprotected soft certificate.

    While it's not directly MFA, it can meet the need for short-lived passwords that can only be checked out via a strong credential such as a smartcard or other MFA provider.

    Then layer on other protections as needed.

    Likewise, if you have Splunk or some other log monitoring tool, you can implement monitoring of that administrative access to alert in the event it is "outside the norm" - e.g., a global admin logging in outside of standard work hours, an unexpected IP address, and so on. And only allow administration on a non-exposed port that is locked down via firewall to only certain systems or network locations.

    Basically, layering in checks to ensure that (1) the administration port is only exposed to those who need it, (2) a strong credential was used to check out a temporary password to begin with, (3) passwords are short-lived to reduce exposure, (4) all access is immediately logged, and (5) all access is actively monitored in the event of misuse.

    This still leaves the emergency break-glass account the app requires exposed - we did not have much luck having CA PAM manage that password yet. But this can be set to a very long random value that is not stored anywhere, or kept encrypted somewhere for emergencies - again monitored for use, with an alert if it is ever logged in with.

    Edit: This is for the thick client, which is what I assumed you were using.
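The monitoring layer described in this answer, as an added example that is not the poster's code and not a feature of the Layer7 gateway: it parses admin login audit lines in a constructed layout (the gateway's real audit format is not shown in the thread) and flags successful logins that are off-hours, from outside an assumed jump-host/PAM network, or by an assumed break-glass account name.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumed baseline (not from the thread): admin logins arrive only from a
# jump-host / PAM network, on weekdays, during working hours.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
WORK_START, WORK_END = time(8, 0), time(18, 0)
# Assumed name of the emergency "break glass" account: every use is alerted.
BREAK_GLASS_USERS = {"admin"}

# Constructed log layout for this example (not the gateway's real audit format):
# "<ISO timestamp> LOGIN user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

def check_line(line):
    """Return the alert reasons for one login line; [] means inside the baseline."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    if m["result"] != "success":
        return []  # failed attempts belong to a separate (brute-force) rule
    ts = datetime.fromisoformat(m["ts"])
    src = ipaddress.ip_address(m["src"])
    reasons = []
    if ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END):
        reasons.append("off-hours")
    if not any(src in net for net in ALLOWED_NETWORKS):
        reasons.append("unexpected-source")
    if m["user"] in BREAK_GLASS_USERS:
        reasons.append("break-glass-account")
    return reasons

def scan(lines):
    """Return [(line, reasons)] for every line that trips at least one check."""
    return [(l.strip(), r) for l in lines if (r := check_line(l))]

# Constructed sample: one in-baseline login, one at 02:41, one from an outside
# address, and one use of the break-glass account.
SAMPLE_LOG = """\
2019-05-15T09:12:03 LOGIN user=jsmith src=10.0.5.23 result=success
2019-05-15T02:41:17 LOGIN user=jsmith src=10.0.5.23 result=success
2019-05-15T10:05:44 LOGIN user=mlee src=198.51.100.7 result=success
2019-05-15T11:00:00 LOGIN user=admin src=10.0.5.23 result=success
"""

for line, reasons in scan(SAMPLE_LOG.splitlines()):
    print("ALERT", ",".join(reasons), line)
```

In a real deployment the baseline would come from the firewall rules and PAM checkout records the post mentions, and each alert would be routed to the SIEM rather than printed.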