We currently have a requirement to use MFA for all admin access. There doesn't seem to be any out-of-the-box feature for the Layer 7 XML Gateway to use MFA for Administrator login to the GUI. What would be the CA-advised workaround? Is there an open feature request for this functionality?
It is not possible to have smart card login via Policy Manager; there is an existing request raised at:
Enable PIV authentication into Policy Manager
Please add your use case to this idea.
Is there any news in the meantime? Is it still not possible to use any form of MFA for Policy Manager access?
Thanks for your update. I'm no longer involved with APIM; however, I did reach out to a colleague and confirmed that the feature has not been added to the product and he was aware of any custom solution that has worked.
Please update the idea with your use case, as it will continue to be reviewed for future product enhancements.
Broadcom Customer Success
If you use a password vault, such as CA PAM or similar, you can leverage that to generate short-lived passwords for login. That is about the best that can be done, as far as we've found; the "certificate" login it has isn't MFA since it's an unprotected soft certificate.
While it's not directly MFA, it can meet the need for short-lived passwords that can only be checked out via a strong credential such as a smartcard or another MFA provider.
Then layer on other protections as needed.
For example, if you have Splunk or some other log monitoring tool, you can implement monitoring of that administrative access to alert when it is "outside the norm" - e.g., a global admin logging in outside of standard work hours, from an unexpected IP address, and so on. And only allow administration on a non-exposed port that is locked down via firewall to only certain systems or network locations.
Basically, layer in checks to ensure that (1) the administration port is only exposed to those who need it, (2) a strong credential was used to check out a temporary password to begin with, (3) passwords are short-lived to reduce exposure, (4) all access is immediately logged, and (5) all access is actively monitored in the event of misuse.
This still leaves the emergency break-glass account the app requires exposed - we did not have much luck having CA PAM manage that password yet. But this can be set to a very long random value that is not stored anywhere, or kept encrypted somewhere for emergencies - again, monitored for use, with an alert if it is ever logged in with.
Edit: This is for the thick client, which is what I assumed you were using.
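As an added illustration of the monitoring step described in the reply above (example code, not from the original thread or the product): a small Python check that flags successful admin logins outside work hours, from an address outside an assumed jump-host subnet, or by the break-glass account. The log line format, subnet, hours and account name are constructed assumptions, not the Gateway's real audit format.

```python
import ipaddress
from datetime import datetime

# Constructed sample audit lines (assumed format: timestamp user src result)
SAMPLE_LINES = [
    "2024-03-04T09:15:00 user=alice src=10.1.2.3 result=success",
    "2024-03-04T23:40:00 user=alice src=10.1.2.3 result=success",
    "2024-03-05T10:02:00 user=bob src=203.0.113.8 result=success",
    "2024-03-06T11:30:00 user=breakglass src=10.1.2.9 result=success",
    "2024-03-06T11:31:00 user=bob src=10.1.2.3 result=failure",
]

ALLOWED_NETS = [ipaddress.ip_network("10.1.2.0/24")]  # assumed admin jump-host subnet
WORK_HOURS = range(8, 18)                              # assumed 08:00-17:59, Mon-Fri
BREAK_GLASS = {"breakglass"}                           # assumed emergency account name


def parse_line(line):
    """Split one constructed audit line into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def classify(event):
    """Return the reasons a successful login is outside the norm (empty if normal)."""
    reasons = []
    if event["result"] != "success":
        return reasons  # only successful logins are reviewed here
    if event["ts"].hour not in WORK_HOURS or event["ts"].weekday() >= 5:
        reasons.append("off-hours")
    src = ipaddress.ip_address(event["src"])
    if not any(src in net for net in ALLOWED_NETS):
        reasons.append("unexpected-source")
    if event["user"] in BREAK_GLASS:
        reasons.append("break-glass-used")
    return reasons


def find_alerts(lines):
    """Return (user, src, reasons) for every line that should raise an alert."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["user"], ev["src"], reasons))
    return alerts


if __name__ == "__main__":
    for user, src, reasons in find_alerts(SAMPLE_LINES):
        print(f"ALERT user={user} src={src} reasons={','.join(reasons)}")
```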