mobilefirst cannot delete confidential client - ibm-mobilefirst

using mobilefirst client 8.0.0.00-20180817-042259
on WebSphere Application Server V8.5.5.8 Liberty
added a confidential client named Push
After the initial setup of the allowed scope,
it cannot be modified or deleted.
test, admin and push are the predefined confidential clients.
Is that case-sensitive?
Or a mobilefirst bug?
Or any other settings to edit the client?

Related

IBM MFP Adapter-based authentication without client-side components

How can I use MFP (8.0) adapter-based authentication without installing the MFP client SDK / libs?
Is it possible to make a REST call to the adapter (login) directly from the client application (mobile) without the client SDK?
Updates:
I have tried the confidential client option, but I need individual user details instead of a pre-defined client ID.
You can't do adapter-based authentication in your client application without the MobileFirst SDK.
However, this is possible only with an unprotected adapter endpoint.
Security check adapters cannot be accessed via REST calls. You can protect your resources with scopes mapped to these security checks, and they get invoked when the resources are accessed. At the client, you handle the challenges that come from the security checks. This needs the MFP client SDK to be in place. You cannot access the security check adapters directly without the MFP client SDK.
There are two ways for you to avoid invoking a security check:
Do not mark the resource with any security. In this case the default security scopes get applied. However, you still need the MFP client SDK to handle the OAuth handshakes.
The only other way to avoid invoking security check adapters is to explicitly mark your resources unprotected (disable OAuth security for that resource). This will prevent any challenge/answer mechanism and you can access the resource without the MFP client SDK. Do note that your resources (via REST endpoints) will be open to attack; there will not be any security applied to them.
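As an added illustration (not code from the original thread or from IBM), here is how the two cases in the answer look side by side in a MobileFirst 8.0 Java adapter: one resource protected by a scope, which also reads the authenticated user that the question asks for, and one with OAuth disabled. The package name, resource paths and the scope name `UserLogin` are assumed for the example; the `@OAuthSecurity` annotation and `AdapterSecurityContext` are the MFP 8.0 adapter API.

```java
package com.example.adapter; // assumed package name

import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;

import com.ibm.mfp.adapter.api.AdapterSecurityContext;
import com.ibm.mfp.adapter.api.OAuthSecurity;
import com.ibm.mfp.server.registration.external.model.AuthenticatedUser;

@Path("/")
public class UserDataResource {

    // Injected by the MobileFirst adapter runtime; carries the OAuth token's
    // client and user information for the current request.
    @Context
    AdapterSecurityContext securityContext;

    /**
     * Protected resource. "UserLogin" is an assumed scope name that you map to a
     * security check in the MobileFirst Operations Console. A request whose
     * access token does not carry this scope is answered with a challenge, so
     * only a caller that completed the MFP OAuth flow (client SDK or a
     * confidential client's token) reaches the method body.
     */
    @GET
    @Path("/me")
    @Produces(MediaType.APPLICATION_JSON)
    @OAuthSecurity(scope = "UserLogin")
    public Map<String, Object> whoAmI() {
        AuthenticatedUser user = securityContext.getAuthenticatedUser();
        Map<String, Object> out = new HashMap<>();
        // A confidential client's token identifies only the client, so the user
        // is null in that case; that is the limitation raised in the question.
        out.put("userId", user == null ? null : user.getId());
        out.put("displayName", user == null ? null : user.getDisplayName());
        out.put("attributes", user == null ? null : user.getAttributes());
        return out;
    }

    /**
     * Unprotected resource. OAuth is disabled, so any plain HTTPS request is
     * served with no token, no challenge and no user identity. This is the
     * "open to attack" case from the answer: nothing sensitive belongs here.
     */
    @GET
    @Path("/public/status")
    @Produces(MediaType.TEXT_PLAIN)
    @OAuthSecurity(enabled = false)
    public String status() {
        return "ok";
    }
}
```

With an adapter deployed under the (assumed) name `userData`, `GET https://<server>/mfp/api/adapters/userData/public/status` succeeds from any HTTP client, while `GET .../userData/me` without a valid token gets a 401 with an MFP challenge, which is exactly the step that requires the client SDK (or a confidential client obtaining a token from `/mfp/api/az/v1/token`).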

Pubnub-CodeNameOne library - missing methods (Access Manager)

I am using the Pubnub library (Pubnub-CodeNameOne-3.7.8.cn1lib) in my social app project (which includes a real-time chat that I implemented with your great tutorial: https://www.codenameone.com/blog/building-a-chat-app-with-codename-one-part-5.html).
But since Apple will no longer accept http URL connections from applications, I had to reinforce the security of my app, and so I decided to use HTTPS and activate the Access Manager feature in Pubnub dashboard (I followed the Pubnub tutorial https://www.pubnub.com/docs/codenameone-java/pam-security#understanding_access_manager_permissions_hierarchy).
So I changed the instantiation of Pubnub in my CN1 project like :
pb = new Pubnub(PUBNUB_PUB_KEY, PUBNUB_SUB_KEY, SECRET_KEY, true);//enable SSL
pb.setAuthKey(USER_UIID);
Unfortunately I still get an error when I subscribe/publish through Pubnub:
[Error 112-0] : Authentication Failure. Incorrect Authentication Key :
{"message":"Forbidden","payload":{"channels":["myChannelID"]},"error":true,"service":"Access Manager","status":403}
Therefore, I would like to perform administrative PAM functions, such as granting or revoking, in order to solve the above error message problem.
But I don’t find the pubnub.pamGrant(), or pubnub.pamRevoke() methods which are mentioned in the Pubnub tutorial. So I am still stuck on this error.
Do you have any idea how I can resolve this? Thank you very much for your help.
PubNub Access Manager & SSL/TLS
While you should be using Access Manager to secure your channels on a per device/user basis, Access Manager is not required in order to use PubNub over TLS (SSL is the deprecated/vulnerable predecessor and often these terms are used interchangeably).
So your initialization code is correct to enable TLS (https connections) when PubNub operations are invoked.
pb = new Pubnub(PUBNUB_PUB_KEY, PUBNUB_SUB_KEY, SECRET_KEY, true);
But if you enable Access Manager on your key set (pub/sub keys), then you are required to grant permissions (read, write & manage) for channels on auth-keys. Each end user should have a unique auth-key that has the permissions for the channels that are required for that user to publish, subscribe, get history, presence, etc.
You grant permissions from your secure server, which you initialize PubNub with the publish, subscribe and secret keys (the secret key is required to execute the grant API). With v4 PubNub SDKs, the server has super admin permissions when it inits with the secret key. v3 SDKs require the server to grant itself access to its own auth-key, but since Codename One is for mobile client apps, you don't need to wait for a v4 PubNub SDK for Codename One. And I would assume you would be using Java on your server, and our Java SDK v4 has the super admin permissions feature when initialized with the secret key. NOTE: the docs need to be updated as they still state that an auth-key is required even when the secret key is used to init.
So my recommendation is, enable SSL (TLS) as you are already doing for your server and clients but disable Access Manager for the short term. Once you have your base functionality working, integrate the use of Access Manager and auth-keys into your server and clients.
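Added example (not from the original thread or from PubNub): the server-side grant the answer describes, written against the PubNub Java SDK v4 (4.x). The key values, channel name and the `PamGrantServer` class are placeholders. The secret key is what authorizes a grant, so it lives only on this server; the mobile client is initialized with just the publish/subscribe keys and then calls `setAuthKey()` with the auth-key this server issued to it after login.

```java
import java.util.Arrays;
import java.util.List;
import java.util.UUID;

import com.pubnub.api.PNConfiguration;
import com.pubnub.api.PubNub;
import com.pubnub.api.PubNubException;
import com.pubnub.api.models.consumer.access_manager.PNAccessManagerGrantResult;

/** Server-side PubNub Access Manager grants (PubNub Java SDK v4). Constructed example. */
public class PamGrantServer {

    // Placeholder values; real keys come from the PubNub admin dashboard.
    private static final String PUB_KEY = "pub-c-placeholder";
    private static final String SUB_KEY = "sub-c-placeholder";
    private static final String SECRET_KEY = "sec-c-placeholder"; // server only, never shipped in the app

    private final PubNub pubnub;

    public PamGrantServer() {
        PNConfiguration config = new PNConfiguration();
        config.setPublishKey(PUB_KEY);
        config.setSubscribeKey(SUB_KEY);
        config.setSecretKey(SECRET_KEY); // enables grant(); in v4 the server needs no auth-key of its own
        config.setSecure(true);          // TLS, the same as the 'true' flag in the Codename One constructor
        pubnub = new PubNub(config);
    }

    /**
     * Issues a fresh, unguessable auth-key for a user who has just authenticated
     * with this server. A stable user ID is predictable and would let anyone who
     * learns it impersonate the user, so the key is random and short-lived.
     */
    public String issueAuthKey() {
        return UUID.randomUUID().toString();
    }

    /** Grants read+write on the given channels to one auth-key for ttlMinutes. */
    public PNAccessManagerGrantResult grantChatAccess(String authKey, List<String> channels, int ttlMinutes)
            throws PubNubException {
        return pubnub.grant()
                .channels(channels)
                .authKeys(Arrays.asList(authKey))
                .read(true)
                .write(true)
                .manage(false)   // manage is for channel-group administration; end users do not need it
                .ttl(ttlMinutes) // permissions expire; re-grant on token refresh, not "forever"
                .sync();
    }

    /** Revoke: in v4 a grant with all permissions set to false removes the key's access. */
    public PNAccessManagerGrantResult revokeChatAccess(String authKey, List<String> channels)
            throws PubNubException {
        return pubnub.grant()
                .channels(channels)
                .authKeys(Arrays.asList(authKey))
                .read(false)
                .write(false)
                .manage(false)
                .sync();
    }

    public static void main(String[] args) throws PubNubException {
        PamGrantServer server = new PamGrantServer();
        String authKey = server.issueAuthKey(); // hand this to the client over the authenticated HTTPS session
        PNAccessManagerGrantResult result =
                server.grantChatAccess(authKey, Arrays.asList("myChannelID"), 60);
        System.out.println("granted at level " + result.getLevel() + ", ttl=" + result.getTtl());
    }
}
```

The 403 "Incorrect Authentication Key" in the question is what Access Manager returns when the auth-key presented by the client has no grant for `myChannelID`; after `grantChatAccess` runs for that key, the same subscribe/publish succeeds until the TTL expires.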

sso saml with weblogic and openam

I'm trying to setup saml sso with openam and weblogic.
The reason why I want to use SAML is that I have multiple applications where I can't change the web.xml to use the J2EE agent.
My question is if there is a good document explaining the setup with weblogic and openam.
I have read several guides, but I'm still confused...
Just looking for a good howto!
My current setup is
openam on tomcat installed on host1
weblogic installed on host2.
Webapp deployed on host2
So openam will be the IdP and weblogic will be the SP? right?
I have configured the openam hosted IdP.
I have added the saml identity asserter on weblogic and configured a web sso identity provider partner.
You can configure WebLogic to enable SAML SSO implementation. This requires the following steps to be completed.
WebLogic and the IdP (OpenAM) should be coupled - you can register OpenAM as an authentication service provider inside the WebLogic container using the administration console.
This requires SSL communication, hence ideally it's better to install an SSL certificate inside the container.
WebLogic can be configured to implement a SAML SP (Identity asserter and Assertion consumer) by configuring the required settings through the administration console.
In fact it can be configured to work as a Credential mapper and Assertion receiver on the same way.
All these steps can be done inside a single WebLogic instance or between instances using a WebLogic federation.
Please refer to the link below for more details.
I don't think WebLogic itself can act as a SAML SP. Every application has to implement a SAML SP. Doing this via the Spring Security SAML extension is quite neat. If you want more effort, look at the OpenAM Fedlet (it's also a lightweight SP). However the sample app generated when creating the Fedlet is not too helpful. The 'Fedlet' is not the sample at all, but more or less the jars and metadata included in the sample app.
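Whichever SP implementation is chosen (WebLogic's identity asserter, Spring Security SAML, or the Fedlet), the assertion consumer has to refuse responses that were not issued to it. The following added example (not from the thread, OpenAM, WebLogic or Spring) shows those non-cryptographic checks on a SAML 2.0 Response in plain JDK Java: hardened XML parsing, Destination, InResponseTo, Issuer, the validity window and the Audience. The entity IDs, ACS URL and the sample response are constructed for the example; verifying the XML Signature against the IdP's metadata certificate and caching assertion IDs against replay are still required before the returned subject is trusted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** SP-side sanity checks on a SAML 2.0 Response (constructed example). */
public class SamlResponseChecks {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML  = "urn:oasis:names:tc:SAML:2.0:assertion";

    // What this SP knows about itself and its IdP (assumed values).
    static final String SP_ENTITY_ID  = "https://host2.example.com/webapp";          // expected Audience
    static final String SP_ACS_URL    = "https://host2.example.com/webapp/saml/acs"; // expected Destination
    static final String IDP_ENTITY_ID = "https://host1.example.com/openam";          // expected Issuer

    /** Parses untrusted XML with DTDs and external entities disabled (no XXE). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the asserted NameID, or throws SecurityException naming the failed check. */
    static String validate(String xml, String expectedInResponseTo, Instant now) throws Exception {
        Element resp = parse(xml).getDocumentElement();
        require(SAMLP.equals(resp.getNamespaceURI()) && "Response".equals(resp.getLocalName()), "not a samlp:Response");
        require(SP_ACS_URL.equals(resp.getAttribute("Destination")), "Destination is not this SP's ACS URL");
        require(expectedInResponseTo.equals(resp.getAttribute("InResponseTo")), "InResponseTo does not match our AuthnRequest");

        NodeList assertions = resp.getElementsByTagNameNS(SAML, "Assertion");
        require(assertions.getLength() == 1, "expected exactly one Assertion");
        Element a = (Element) assertions.item(0);
        require(IDP_ENTITY_ID.equals(text(a, "Issuer")), "Issuer is not the configured IdP");

        NodeList conds = a.getElementsByTagNameNS(SAML, "Conditions");
        require(conds.getLength() == 1, "missing Conditions");
        Element cond = (Element) conds.item(0);
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        require(!now.isBefore(notBefore) && now.isBefore(notOnOrAfter), "assertion outside its validity window");
        require(SP_ENTITY_ID.equals(text(cond, "Audience")), "Audience does not name this SP");

        // Signature verification (javax.xml.crypto.dsig, IdP metadata cert) and an
        // assertion-ID replay cache must also pass before this subject is logged in.
        return text(a, "NameID");
    }

    static String text(Element parent, String localName) {
        NodeList n = parent.getElementsByTagNameNS(SAML, localName);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    static void require(boolean ok, String why) {
        if (!ok) throw new SecurityException("SAML response rejected: " + why);
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned sample response for illustration only.
        String sample =
            "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\" ID=\"_r1\" Version=\"2.0\""
          + " IssueInstant=\"2018-08-17T10:00:00Z\" Destination=\"" + SP_ACS_URL + "\" InResponseTo=\"_req42\">"
          + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2018-08-17T10:00:00Z\">"
          + "<saml:Issuer>" + IDP_ENTITY_ID + "</saml:Issuer>"
          + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
          + "<saml:Conditions NotBefore=\"2018-08-17T09:59:00Z\" NotOnOrAfter=\"2018-08-17T10:05:00Z\">"
          + "<saml:AudienceRestriction><saml:Audience>" + SP_ENTITY_ID + "</saml:Audience></saml:AudienceRestriction>"
          + "</saml:Conditions></saml:Assertion></samlp:Response>";
        System.out.println("accepted: " + validate(sample, "_req42", Instant.parse("2018-08-17T10:01:00Z")));
        try {
            validate(sample, "_req42", Instant.parse("2018-08-17T10:06:00Z")); // expired
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Every check compares against values the SP configured or generated itself (its own entity ID and ACS URL, the request ID it sent, the IdP it trusts), never against anything taken from the response, which is what makes a forwarded or replayed assertion fail even when its signature is valid.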

Cannot register in sample BlackBerry push application

I am developing a BlackBerry application in which I need to use the Push API. I have already registered with RIM and they have sent me the credentials for the evaluation service. On my BlackBerry device, I installed the sample Push API application just to test that push messaging works. After setting the content provider URL, which is publicly accessible, I entered all the details for the sample application to register it for receiving notification messages. When trying to register, it asks for a username and password but I don't know what they are for. In the email received from RIM, there are passwords for the server application and the content provider admin portal applications, but not for the push client.
When I added an arbitrary username and password it fails with the message "java.lang.Exception Registration with Push API failed, caused by port is unavailable". But when I unregister, it successfully unregisters the user with the given arbitrary username and password. By the way, I use the port given in RIM's email.
I have no idea why this happens and I appreciate immediate response from you. Thank you.
The first thing to point out is that the RIM sample push application is ridiculously overcomplicated. The username and password you are referring to are used to authenticate against the sample push initiator web application which runs on your tomcat server. It doesn't matter what you put in there, they are not used for authentication. I can only assume they were added to show you that you can send a username and password to a web based service.
The only things you need in your BlackBerry app to register for the push service are:
Push Application ID (e.g. 2672-c870l6c924r1i298O4o33cc5391y0e75134)
Push Port (e.g. 31940)
BlackBerry Push Server URL (e.g. http://pushapi.eval.blackberry.com)
The port is unavailable message you're receiving is probably because the device you're using has not been provisioned for BlackBerry Internet Services (BIS). Make sure it has a SIM with an active BlackBerry data plan.

Authentication in IBM Websphere Portal

I'm involved in an Java Web Application Migration project to IBM Websphere Portal (IBM WP) Platform.
The actual application in production environment validates manually user credentials (username and password) against a Database Table that stores the data. I understand that the idea behind a Portal application is that the Portal Container handles this Security issues, but I'm not sure how IBM WP can consume the credentials that now are on Database.
There's a brand new Tivoli Directory Server in the Company, and I'm aware that I can't connect IBM WP to this LDAP Server so, do I need to migrate every user in the Database to this LDAP Server, or there's a Way that Tivoli recognize the credentials that are on the database?
Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also give a look to Custom User Registry. I'd also suggest considering the Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API
http://www-01.ibm.com/support/docview.wss?uid=swg21248674
You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)
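To make the TAI route concrete, here is an added example (not from the thread or from IBM) of a WebSphere Trust Association Interceptor that validates HTTP Basic credentials against an application table, the way the migrated application's own login code does today. It uses the `com.ibm.wsspi.security.tai` interface that ships with WebSphere; the JNDI name `jdbc/appUsers`, the `app_users(username, pw_salt, pw_hash)` table with base64 PBKDF2-SHA256 hashes, the context root `/legacyapp/` and the custom property names are all assumed for the example. The principal the TAI returns must still resolve in the configured user registry (or be mapped to it), which is why the Custom User Registry suggestion above is complementary rather than an alternative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * TAI that checks HTTP Basic credentials against an application table (constructed example).
 * Assumed schema: app_users(username VARCHAR, pw_salt VARCHAR base64, pw_hash VARCHAR base64 PBKDF2-SHA256).
 */
public class DbBasicAuthTAI implements TrustAssociationInterceptor {

    private static final String REALM = "Basic realm=\"legacyapp\"";
    private DataSource ds;
    private int iterations;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        try {
            // Custom properties are set on the TAI in the admin console; both names are assumed.
            ds = (DataSource) new InitialContext().lookup(props.getProperty("datasource", "jdbc/appUsers"));
            iterations = Integer.parseInt(props.getProperty("pbkdf2.iterations", "100000"));
            return 0;
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException("TAI init failed: " + e.getMessage());
        }
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Intercept only the migrated application; other requests fall through to WebSphere's own login.
        return req.getRequestURI().startsWith("/legacyapp/"); // assumed context root
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Basic ")) {
            // No credentials yet: the TAI owns the response when it returns a non-200 status.
            resp.setHeader("WWW-Authenticate", REALM);
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        String decoded = new String(Base64.getDecoder().decode(auth.substring(6).trim()), StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 1) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        String user = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();
        if (checkPassword(user, password)) {
            // WebSphere builds the Subject for this principal from the configured registry.
            return TAIResult.create(HttpServletResponse.SC_OK, user);
        }
        resp.setHeader("WWW-Authenticate", REALM);
        return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Bound-parameter lookup of the stored salt/hash, then a constant-time comparison. */
    boolean checkPassword(String user, char[] password) throws WebTrustAssociationFailedException {
        String sql = "SELECT pw_salt, pw_hash FROM app_users WHERE username = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user; same outcome as a wrong password
                }
                byte[] salt = Base64.getDecoder().decode(rs.getString(1));
                byte[] expected = Base64.getDecoder().decode(rs.getString(2));
                KeySpec spec = new PBEKeySpec(password, salt, iterations, expected.length * 8);
                byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
                return MessageDigest.isEqual(expected, actual);
            }
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException("credential check failed: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0'); // do not leave the cleartext password in the heap longer than needed
        }
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { ds = null; }
}
```

Because the TAI runs before WebSphere's own authentication for every intercepted request, `isTargetInterceptor` is the control that keeps it from shadowing Portal's login for unrelated URIs, and a failure anywhere in `checkPassword` is reported as a `WebTrustAssociationFailedException` rather than silently treated as success.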