SSL/TLS Cipher Suite Configuration with TAI-based SSO on WAS

Environment:
1. Websphere 7
2. Microsoft platform
Both are exposed to the public through an instance of IBM WebSEAL and TAM infrastructure.
The application running on WebSphere uses the IBM TAI++ mechanism to provide SSO to the client.
The application running on the Microsoft platform implements SSO by talking to the user repository (proprietary SSO).
WebSEAL allows LOW ciphers; both applications allow only HIGH ciphers.
Issue:
The app running on WebSphere 7 is responding to requests from the client using LOW encryption; however, the application on the Microsoft platform is failing the handshake for LOW ciphers.
If the app on Websphere is accessed with direct URL (not through WebSEAL), it successfully fails the LOW cipher requests.
How to restrict allowed ciphers to HIGH only?

Related

Private WAF on reserved instance IBM API Connect

We need to protect our reserved instance of IBM API Connect that we have in the Cloud with a WAF of our own company and we do not know if this is possible and the steps to perform or if it is only possible with a WAF of IBM's own cloud.
thanks in advance
For this answer, I'm going to assume you're asking primarily about the DataPower API Gateway.
You can either deploy your own gateway in an environment of your choosing (i.e. you're managing it) or leverage the one that IBM provides to you by default.
If you deploy your own, then you control the networking and adding your own WAF is relatively straightforward.
If you use an IBM-managed gateway, then a little creativity is required. You would likely need to set up a Mutual TLS contract between your WAF and the Gateway. You'd terminate the incoming TLS connection at the WAF (e.g. Cloudflare) and then re-encrypt the traffic from the WAF to the Gateway using the client certificate exchange. You'd potentially need to apply a Mutual TLS-enforcing profile to each deployed API on the Gateway. In this scenario, no client can call an API on your gateway without the proper TLS client key/certificate in hand.
You may want to open a support ticket for further/deeper assistance on this topic.

IBM Bluemix Watson IoT - TLS via token?

I'm pretty confused concerning the terminology used by IBM. I'm currently working with Watson IoT and embedded devices using MQTT. As you know, embedded devices sometimes do not have the capability to secure a connection via certificates (formerly SSL). Watson IoT therefore offers a secure connection (?) called "TLS with authentication token". That's what's confusing me. I learned that for an SSL (now TLS) connection you need to pass certificates to the server. How can you establish a TLS connection just by using/sending an auth token? Or do they just mean the authentication process instead of a secured and encrypted connection?
Thanks in advance and have a nice weekend!
If you're using MQTT, the simplest way to connect your device to the Watson IoT Platform is as follows:
When you register your device, you define (or get given) an authentication token - in effect, a password for that device. You have two main options on how you use this token to connect the device to Watson IoT Platform at orgId.messaging.internetofthings.ibmcloud.com:
Port 1883 (this is non-TLS)
Port 8883/443 (this is TLS)
In both cases the password is used to authenticate your device - but only in the second is the on-the-wire traffic encrypted (which is why we strongly recommend using TLS/port 8883/443 where possible). The encrypted connection is over TLS: Watson IoT Platform presents a certificate to allow your TLS-enabled device to validate the certificate and hence trust it's talking to Watson IoT Platform.
There are further options to build on this. You can configure device certificates (e.g., see here) - but I haven't discussed these as - hopefully! - I'll have answered your question using the simple patterns above. Further details on connecting to the platform are available here.
Links correct at the time of writing
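The two connection options described in the answer above, as an added example that is not part of the original post: the device's registration token is the MQTT password in both cases, and only the port 8883 variant wraps it in a TLS context that verifies the platform's certificate. The client-id format `d:<orgId>:<deviceType>:<deviceId>` and the fixed username `use-token-auth` are assumptions taken from the platform's documented conventions, not from this page.

```python
"""Build Watson IoT Platform MQTT connection parameters, plaintext or TLS."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumptions (not stated on the page): device clients identify as
# "d:<orgId>:<deviceType>:<deviceId>" and use the fixed MQTT username
# "use-token-auth" with the registration token as the MQTT password.
WATSON_HOST_TEMPLATE = "{org}.messaging.internetofthings.ibmcloud.com"
TOKEN_USERNAME = "use-token-auth"


@dataclass
class MqttConnection:
    host: str
    port: int
    client_id: str
    username: str
    password: str
    tls_context: Optional[ssl.SSLContext]  # None means plaintext (port 1883)


def device_connection(org_id: str, device_type: str, device_id: str,
                      token: str, use_tls: bool = True) -> MqttConnection:
    """Return what an MQTT client needs to reach the platform.

    The token authenticates the device on both ports; only the TLS variant
    encrypts the traffic and lets the device verify the platform certificate.
    """
    host = WATSON_HOST_TEMPLATE.format(org=org_id)
    ctx = None
    port = 1883
    if use_tls:
        port = 8883
        # The default context verifies the server chain against the system
        # CA store and checks the hostname, so the token is only ever sent
        # to a server that has proven it is the platform.
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    return MqttConnection(host=host, port=port,
                          client_id=f"d:{org_id}:{device_type}:{device_id}",
                          username=TOKEN_USERNAME, password=token,
                          tls_context=ctx)


def token_is_protected(conn: MqttConnection) -> bool:
    """True only if the password travels over an encrypted, verified channel."""
    ctx = conn.tls_context
    return (ctx is not None and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)
```

With paho-mqtt, hand `conn.tls_context` to `client.tls_set_context()` and `conn.username`/`conn.password` to `client.username_pw_set()` before calling `connect(conn.host, conn.port)`.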

How to do client certificate based authentication in SparkJava without reverse proxy or Tomcat

I am aware of how to secure a connection: http://sparkjava.com/documentation.html#secure
But this does not enable client certificate-based authentication (I am trying to implement Estonian identity card user authentication)
After research I found a link where it is said that it cannot be done in Spark: https://groups.google.com/forum/#!topic/sparkjava/dnCKl-W018A
Fortunately it is an old post.
How to do this with the SparkJava embedded Jetty container?

WCF in a domainless setting

I have a .NET client-server system, which uses WCF for communication.
The communication must be secure. Up to now I used Windows Credentials for authentication.
But now a new requirement emerged - the system must work in a situation, when client and server are located in different domains (or the client isn't in any domain).
Windows Credentials authentication won't work in this setting. AFAIR, WCF supports the following security mechanisms:
Windows Authentication
X509 Certificates
Issued Tokens
Username and password.
Which of them should I use, if
I need to implement the fix with the least possible effort,
client and server are located in different domains (therefore, Windows authentication is not an option) and
the communication must be secure (the server must not process requests from unauthorized clients)?

Client/Server Certificate Authentication: IIS server-side, Blackberry native browser client-side

I have a Web application (.NET/SQL) that I'd like to change the authentication scheme from a local SQL-based username/password to a client/server certificate model.
Kicker is that the client devices are Blackberry Bolds (assuming the most recent) and I have no idea whether Blackberries support this method of authentication.
I should note that these devices are not managed by BES (or the organization for that matter): they will be using the native Blackberry browser to connect to a Web application on the public Internet over untrusted wifi and 3G networks.
Yes, the BlackBerry browser has supported this method of authentication since at least OS 4.6 (the first Bold). The issue is getting the appropriate certificate to the device in a way secure enough for your application without BES.