We had a customer that wanted to integrate OAuth 2.0 in the frontend and do LTPA authentication in the backend based on the user derived from the subscriber id. We created a custom assertion using the plugin provided
here. After that I create the LTPA token, which takes input like the username and the format to generate the LTPA token, and provides an LTPA token that can be sent to the backend IBM servers that are LTPA friendly.
Sharing the experience and the custom assertion created over here.
Third-party credits:
LTPA Token Session Manager (JAR)
TokenLTPASessionManager.jar
License:
/*
* The MIT License (MIT)
*
* Copyright (c) 2014 samir.araujo@gmail.com
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
CA APIM Custom Assertion Plugin
Eclipse Plugin
Link: Plugin
Installation
On Gateway
- Log in to the CA API Gateway console
- Switch user to ssgconfig
- Download the LTPA JAR file () to /home/ssgconfig/
- Run the following commands
rm -f /opt/SecureSpan/Gateway/runtime/modules/lib/ltpaEncodeDecodeAssertion.jar &&
cp -f /home/ssgconfig/ltpaEncodeDecodeAssertion.jar /opt/SecureSpan/Gateway/runtime/modules/lib/ &&
chown layer7:layer7 /opt/SecureSpan/Gateway/runtime/modules/lib/ltpaEncodeDecodeAssertion.jar &&
chmod 444 /opt/SecureSpan/Gateway/runtime/modules/lib/ltpaEncodeDecodeAssertion.jar &&
service ssg restart
** The rm and service ssg restart commands are destructive ** please be careful to check the path of the JAR file you uploaded before running them. The module directory of the gateway is /opt/SecureSpan/Gateway/runtime/modules/lib/. The commands above are a template: the source location depends on where you downloaded the JAR file to and on the name you renamed the JAR file to. Note that chown and chmod must be given the full path of the installed JAR; run on the bare file name they would act on the copy in the current directory instead.
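The one-liner above deletes the old module before it checks that the new one exists, and its chown/chmod act on whatever file name is in the current directory. The script below is an added example (not the author's installer) that performs the same steps with the inputs checked first and absolute paths throughout; the paths and the layer7:layer7 owner are the ones from this post, and JAR_NAME, LIB_DIR and JAR_OWNER are assumed environment overrides so the function can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example (not the author's script): installs the custom assertion JAR
# with the same steps as the post's one-liner, but with checks in front of the
# destructive rm and absolute paths for chown/chmod. Defaults are the paths
# from the post; override them through the environment.
set -eu

JAR_NAME="${JAR_NAME:-ltpaEncodeDecodeAssertion.jar}"
LIB_DIR="${LIB_DIR:-/opt/SecureSpan/Gateway/runtime/modules/lib}"
JAR_OWNER="${JAR_OWNER:-layer7:layer7}"

# installed_mode: prints the permission string of the installed JAR, e.g. -r--r--r--
installed_mode() {
    ls -ld "$LIB_DIR/$JAR_NAME" | cut -c1-10
}

# install_assertion_jar SRC_JAR
# Replaces $LIB_DIR/$JAR_NAME with SRC_JAR, sets owner and read-only mode and
# verifies the copy. Returns non-zero on any failure, so a chained
# "&& service ssg restart" never restarts the gateway on a half-done install.
install_assertion_jar() {
    src="$1"
    dest="$LIB_DIR/$JAR_NAME"

    # Check the inputs before deleting anything: with the post's one-liner a
    # wrong download path removes the old module and then fails the copy.
    if [ ! -f "$src" ]; then
        echo "source JAR not found: $src" >&2
        return 1
    fi
    if [ ! -d "$LIB_DIR" ]; then
        echo "gateway module directory not found: $LIB_DIR" >&2
        return 1
    fi

    # Absolute paths throughout: chown/chmod on the bare file name would act on
    # a file in the current directory (e.g. the copy in /home/ssgconfig), not on
    # the module the gateway loads.
    rm -f "$dest"
    cp -f "$src" "$dest"
    chown "$JAR_OWNER" "$dest"
    chmod 444 "$dest"

    # Verify the result the way the gateway will see it.
    if ! cmp -s "$src" "$dest"; then
        echo "installed JAR differs from source" >&2
        return 1
    fi
    if [ "$(installed_mode)" != "-r--r--r--" ]; then
        echo "unexpected permissions on $dest: $(installed_mode)" >&2
        return 1
    fi
    echo "installed $dest ($JAR_OWNER, mode 444)"
}

# Usage on the gateway, as ssgconfig/root, after uploading the JAR to /home/ssgconfig:
#   install_assertion_jar /home/ssgconfig/ltpaEncodeDecodeAssertion.jar && service ssg restart
```

The restart stays outside the function on purpose: chaining it with && means the gateway is only bounced once the module is verified in place.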
- Create a property file in the following location (the property file must be in this location). keyName is the placeholder used in the assertion, e.g. ibm is the keyName for the file ibm.properties. You can have multiple property files in this location that can be used to generate LTPA tokens
vi /opt/SecureSpan/Gateway/node/default/etc/conf/[keyName].properties
- Provide the following values in the property file as per the details below
#IBM WebSphere Application Server key file
## IBM File Creation Date
com.ibm.websphere.CreationDate=Thu Oct 20 10\:00\:53 SAST 2011
## IBM File Version Number (Note: the assertion only supports version 2)
com.ibm.websphere.ltpa.version=2.0
## Provide the realm here (this is autogenerated by the IBM key generator).
com.ibm.websphere.ltpa.Realm=<REALM HERE>
## Public key Attribute
com.ibm.websphere.ltpa.PublicKey=<LTPAPUBLICKEY HERE>
## Password Attribute
com.ibm.websphere.ltpa.KeyPassword=<LTPAPRIVATEKEY HERE>
## Host Attribute
com.ibm.websphere.CreationHost=<LTPA CREATION HOST HERE>
## 3DESkey Attribute
com.ibm.websphere.ltpa.3DESKey=<3DESKEY HERE>
## PrivateKey Attribute
com.ibm.websphere.ltpa.PrivateKey=<PRIVATEKEY HERE>
- Save the file with these values. You should simply copy the file provided by your IBM administrator
- Once the server is up, look for the IBM LTPA - Encrypt - Decrypt assertion
Parameters of the Assertion
Username
User name identifier for the LTPA token
Format
DN format for LTPA; here %s will be replaced with the Username field
Realm
Realm or IBM scope for the generated LTPA token; the same as the Realm value in the IBM property file
KeyFile Name
Name of the property file to reference in the /opt/SecureSpan/Gateway/node/default/etc/conf/ location.
Note: do not enter the suffix, i.e. .properties; e.g. for the file ibm.properties the KeyFile Name is just ibm
Decrypt Payload [Checkbox]
If enabled, the Username field is expected to contain the LTPA token to decrypt with the key file
Test Policy
Create a service request on the Gateway
Import the service policy
Modify the parameters to meet your testing requirements
Update the keyfile to the name of the file saved in the keyfile location
Test the endpoint with your changes
Expected Errors
Could Not Derive Token
- Check that your property file has the correct ownership (layer7:gateway)
- Ensure your property file name is correct and it has 444 permissions
- Check that the KeyFile Name in the assertion is without the .properties suffix
- Note: the property file is used both for creating and for decrypting an LTPA token. Make sure you have the right realm and property values when creating the token; otherwise the token will be created but may not be decrypted by IBM WebSphere
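The checklist above (and the property file layout earlier in the post) can be run as a script before the assertion is ever invoked. The following is an added example, not part of the assertion or this post, that checks the key file a given KeyFile Name resolves to: suffix, location, ownership, mode, the presence of the keys shown in the sample file, leftover <... HERE> placeholders, and the version 2.0 restriction. The conf directory and the layer7:gateway owner are the values stated in this post; CONF_DIR and KEYFILE_OWNER are assumed environment overrides so the check can be exercised against a scratch copy.

```shell
#!/bin/sh
# Added example (not the author's script): checks an LTPA key file the way the
# "Could Not Derive Token" checklist says to, before the assertion is run.
# Defaults follow the post: the conf directory, owner layer7:gateway, mode 444,
# the key names listed in the sample file, and version 2.0 as the only
# supported version. Override CONF_DIR and KEYFILE_OWNER through the environment.
set -eu

CONF_DIR="${CONF_DIR:-/opt/SecureSpan/Gateway/node/default/etc/conf}"
KEYFILE_OWNER="${KEYFILE_OWNER:-layer7:gateway}"
REQUIRED_KEYS="com.ibm.websphere.ltpa.version com.ibm.websphere.ltpa.Realm com.ibm.websphere.ltpa.PublicKey com.ibm.websphere.ltpa.PrivateKey com.ibm.websphere.ltpa.3DESKey com.ibm.websphere.CreationHost"

# prop_value FILE KEY: prints the value of KEY (everything after the first '=')
# or nothing if the key is absent. Dots in KEY are escaped for the sed pattern.
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ltpa_keyfile KEYNAME
# KEYNAME is the value typed into the assertion's "KeyFile Name" field. Prints
# the number of problems found to stdout (details go to stderr) and returns
# non-zero unless the file is usable.
check_ltpa_keyfile() {
    name="$1"
    problems=0

    # The assertion appends .properties itself; a suffix in the field is a bug.
    case "$name" in
        *.properties)
            echo "KeyFile Name '$name' must not include the .properties suffix" >&2
            name="${name%.properties}"
            problems=$((problems + 1)) ;;
    esac

    file="$CONF_DIR/$name.properties"
    if [ ! -f "$file" ]; then
        echo "property file not found: $file" >&2
        return 1
    fi

    # Ownership and mode, read from the first columns of ls -l output.
    mode=$(ls -ld "$file" | cut -c1-10)
    owner=$(ls -ld "$file" | awk '{print $3 ":" $4}')
    if [ "$mode" != "-r--r--r--" ]; then
        echo "expected mode 444 on $file, found $mode" >&2
        problems=$((problems + 1))
    fi
    if [ "$owner" != "$KEYFILE_OWNER" ]; then
        echo "expected owner $KEYFILE_OWNER on $file, found $owner" >&2
        problems=$((problems + 1))
    fi

    # Every key the assertion needs must be present and not still a placeholder
    # such as <REALM HERE>; a wrong realm yields a token WebSphere will not decrypt.
    for key in $REQUIRED_KEYS; do
        value=$(prop_value "$file" "$key")
        if [ -z "$value" ]; then
            echo "missing key: $key" >&2
            problems=$((problems + 1))
        else
            case "$value" in
                *"<"*"HERE>"*)
                    echo "placeholder still present in $key: $value" >&2
                    problems=$((problems + 1)) ;;
            esac
        fi
    done

    version=$(prop_value "$file" com.ibm.websphere.ltpa.version)
    if [ "$version" != "2.0" ]; then
        echo "assertion supports only LTPA version 2.0, found '$version'" >&2
        problems=$((problems + 1))
    fi

    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Usage on the gateway: check_ltpa_keyfile ibm   (checks ibm.properties)
```

The function counts every problem rather than stopping at the first one, so a single run lists everything that needs fixing before the gateway is restarted again.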
Please review the ZIP file for all associated code.
Note: The following assertion is not provided by CA and is built only to meet a client requirement. Use it at your own risk
------------------------------
Pre-Sales Consultant
CA Southern Africa
------------------------------