RADIUS Setup: Figure 2. Configuring The RADIUS Settings
1. RADIUS is configured only in the Default domain. Once you log into the web
GUI, click Administration > Access > RADIUS Settings, as shown in Figure 2.
Figure 2. Configuring the RADIUS settings
2. Click the AAA/RBM Servers tab (Figure 3) to add the RADIUS servers that will
be used.
Figure 3. Adding the RADIUS servers
3. Click Add to add the primary RADIUS server (and repeat for the secondary
server if one is set up), as shown in Figure 4.
Figure 4. Adding the RADIUS server address/port/secret
4. Locate the RADIUS server assigned to this appliance and enter its address,
port and shared secret, as shown in Figure 5.
Figure 5. RADIUS Server parameters entry
Assigning the static route for RADIUS connectivity
Figure 6 shows a sample Juniper Steel-Belted RADIUS server user console.
Figure 6. Steel-Belted RADIUS client application
2. Select the interface that will communicate with the RADIUS server. Its IP
address or host name is the one you gave to the RADIUS and SecurID team, who
add it to the RADIUS and SecurID server configuration as a client. Click the
Static Routes tab as shown in Figure 8.
Figure 8. DataPower static routes on the Ethernet 4 interface
3. Click Add. Enter the following parameters (see Figure 9):
o Destination: IP address of the RADIUS server in CIDR notation (/32 for a
single host).
o Gateway: the gateway IP for the RADIUS server, cross-referenced from the
table shown in Figure 8.
o Metric: 0, as the preference value.
Figure 9. DataPower static route entry for the RADIUS Server parameters
4. Once the parameters have been entered, click Apply on the route entry, then
Apply the interface configuration, and select Save Config.
Testing RADIUS
DataPower provides a testing client to test your RADIUS connection. To test:
1. Log into the appliance under the Default domain.
2. Navigate to the RADIUS Settings again (Objects > Access Settings > RADIUS
Settings, or type RADIUS in the search field). Click Test RADIUS on the right
side of the RADIUS Settings page, as shown in Figure 10.
Figure 10. DataPower test RADIUS link
3. Once the Test RADIUS prompt opens, enter your user name and passcode (your
PIN followed by the SecurID token code), as shown in Figure 11.
Figure 11. DataPower Test Radius page
Troubleshooting RADIUS
There are a few things to check when troubleshooting the RADIUS integration on
DataPower. The following preliminary factors may cause your RADIUS
connection to fail to authenticate your user name:
SecurID: You may have forgotten to prefix the token code with your PIN. The
passcode is your PIN immediately followed by the code shown on your key fob.
TCP Connection Test: Make sure that DataPower can reach the RADIUS server
(Control Panel > Troubleshooting Panel icon > TCP Connection Test). Note that
RADIUS authentication runs over UDP port 1812, so a TCP connection test to that
port will normally fail even when RADIUS is working; use it to confirm routing
to the server host, and rely on Test RADIUS to exercise the UDP path.
Note: You may not be able to ping the remote host (ICMP) because the firewall
rule that was opened allows only port 1812.
Static Route: You may need a static route in place if you have not already
specified the correct Ethernet interface for communicating with the specific
RADIUS server.
Firewall: If you still cannot reach the IP and port, check with the SecurID
administrator or team whether they see authentication requests hitting their
servers. If they cannot see any transaction coming from any of the DataPower
Ethernet interfaces, then you might need a firewall rule opened.
Configuring basic XML firewall with RADIUS AAA
After completing the RADIUS client setup, you can develop the service for
applications that will authenticate SecurID users. To create a basic XML
firewall with AAA authentication against the RADIUS service:
XML firewall configuration with RADIUS AAA
1. Select the Access Control (AAA) as shown in Figure 14 and click Next.
Figure 14. DataPower XML Firewall Wizard
2. Name the firewall service and click Next as shown in Figure 15.
Figure 15. DataPower Create AAA Firewall Service page
3. Select loopback-proxy as shown in Figure 16 and click Next.
Figure 16. DataPower AAA firewall type
6. Enter a name for the AAA Policy and click Create. The example uses RADIUS
DemoAAAPolicy as shown in Figure 19.
Figure 19. DataPower AAA firewall policy name assignment
7. Select Password-carrying UsernameToken Element from WS-Security
Header as shown in Figure 20 and click Next.
Figure 20. DataPower AAA firewall access control policy identification method selection
8. Select Use specified RADIUS Server as shown in Figure 21 and click Next.
Figure 21. DataPower AAA firewall access control policy method selection
9. Select Local Name of Request Element as shown in Figure 22 and click Next.
Figure 22. DataPower AAA firewall access control policy resource identification method selection
10. Select Allow Any Authenticated Client as shown in Figure 23 and click Next.
Figure 23. DataPower AAA firewall access control policy to allow any authenticated client selection
11. Ensure that the defaults are used in the last page, click Commit (Figure 24), and
click Done on the page that follows.
Figure 24. DataPower AAA firewall commit page
12. Click Next in the AAA Information page as shown in Figure 25. Ensure that the
AAA policy you just created is selected in the field. Click Commit and Done on the
pages that follow.
Figure 25. DataPower AAA firewall policy information page
Note: Ensure you select Save Config after you complete this step.
Your completed XML firewall with RADIUS AAA authentication should look like Figure
26.
Figure 26. DataPower XML firewall completed sample page
The Processing Policy for the AAA Policy should look like Figure 27.
Figure 27. DataPower XML firewall completed AAA processing policy page
Testing the SecurID key fob code
After creating the AAA XML firewall, you can conduct an authentication test:
1. Figure 28 shows an RSA SecurID key fob with the secure token displayed.
Figure 28. RSA SecurID key fob containing code to be authenticated
2. Figure 29 shows a sample SOAP request whose WS-Security header carries a
UsernameToken with the user name and password used to authenticate against the
service. In the figure, a user name and a passcode (the PIN followed by the
SecurID token code shown on the key fob) were saved in the file.
Figure 29. Sample WS-Trust XML file
Create the aaa.xml file as shown in Listing 1.
Listing 1. aaa.xml file to be used as the client side authentication and executed by cURL
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <!-- user name known to the RADIUS/SecurID server -->
        <wsse:Username></wsse:Username>
        <!-- PIN immediately followed by the token code currently shown on the key fob -->
        <wsse:Password></wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <msg>Authentication Passed</msg>
  </soapenv:Body>
</soapenv:Envelope>
3. Once you have saved the aaa.xml file, you are ready to send it to the
DataPower service. Run curl --data-binary @aaa.xml http://<IP_of_appliance>:1234;
a successful authentication returns the full SOAP message, as shown in Figure
30. Send the file promptly: the token code saved in it is only valid for the
current key-fob interval.
Figure 30. cURL execution sample
4. If the authentication is successful, you can see the results of the complete
transactions in the system logs from the DataPower WebGUI as shown in Figure 31.
Figure 31. DataPower log of completed transactions
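The curl step works, but a file with the passcode pasted into it goes stale as soon as the key fob rolls over, and a passcode or user name containing an XML special character would break the hand-written envelope. The following added example (not code from the article or from DataPower) builds the same UsernameToken envelope with an XML library at send time and posts it. The appliance URL (port 1234 as in the curl command above) and the credentials read at the prompt are placeholder assumptions.

```python
"""Build the WS-Security UsernameToken request at send time and post it to the
AAA XML firewall.  Added example, not code from the article or from DataPower.
The appliance URL and the credentials read in __main__ are placeholders."""
import getpass
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsse", WSSE)


def build_request(username: str, passcode: str, body_text: str = "Authentication Passed") -> bytes:
    """Same envelope as Listing 1, built with an XML library so a user name or
    passcode containing <, & or quotes is escaped instead of corrupting the file."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    password = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
    password.text = passcode
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    ET.SubElement(body, "msg").text = body_text
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def read_token(xml_bytes: bytes):
    """Parse an envelope back, the way the AAA policy's 'Password-carrying
    UsernameToken Element from WS-Security Header' extraction sees it.
    Returns (username, password, password Type) or None if no token present."""
    root = ET.fromstring(xml_bytes)
    username = root.findtext(f".//{{{WSSE}}}Username")
    password = root.find(f".//{{{WSSE}}}Password")
    if username is None or password is None:
        return None
    return username, password.text, password.get("Type")


def post_request(url: str, xml_bytes: bytes, timeout: float = 10.0):
    """POST the envelope; returns (HTTP status, response body).  A rejected
    passcode comes back as an error status with a SOAP fault from the AAA policy."""
    req = urllib.request.Request(url, data=xml_bytes, method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Prompt at send time: the key-fob code changes every minute, so an envelope
    # saved to disk with a passcode in it stops working almost immediately.
    user = input("user name: ")
    code = getpass.getpass("PIN followed by the current token code: ")
    status, body = post_request("http://192.0.2.20:1234", build_request(user, code))
    print(status, body.decode("utf-8", errors="replace"))
```

The service in this article listens on plain HTTP, so the passcode crosses the network in clear text; that is tolerable for a one-time code on a lab network but the production front side handler should be HTTPS.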
IHS setup
MQ setup
Are you using MQ Internet Pass-Thru?
gwydiontudur | June 21 2017 | 7,436 Views
MQ Internet Pass-Thru (MQIPT) is an IBM MQ product extension that helps you connect MQ
queue managers or clients that are not on the same network securely. It’s free to download
from the IBM MQ SupportPac website, and is fully supported when used with a supported
version of IBM MQ.
As MQIPT fix pack 2.1.0.3 has just been released, I thought I’d take this opportunity to briefly
highlight what this SupportPac offers.
As MQIPT understands the MQ network protocol it can perform various transformations on the
connection, such as TLS encryption or decryption, and wrapping the connection in HTTP to
enable MQ connections to be tunnelled through the firewall using existing HTTP proxies.
For more flexibility, you can use a pair (or more if you need to!) of MQIPT instances. In this
example a pair of MQIPT instances is used to secure a connection with TLS between the two
instances. The queue managers are unaware that MQIPT or TLS is in use.
Note that you don’t have to use a pair of MQIPT instances to use TLS. MQIPT can also
communicate directly with MQ using TLS.
This has the benefit of pushing security checks out to the edge of your network, as MQIPT can
apply rules to connections, such as checking the client TLS certificate, before the channel can
connect to the queue manager.
If the MQ channels are using TLS, then MQIPT will also provide a break in the TLS session in
the DMZ, which is something that many organizations require.
The other benefit of this configuration is that it reduces the number of firewall rules needed to
allow connections to the queue manager, as all external connections to the queue manager
will now come from the machine where MQIPT is running.
WDP setup
When and How to Setup DMZ Host
for Home Use
A DMZ host is a fairly easy option to set up on a home router. However, the
router's options or tooltips do not usually tell you how dangerous a DMZ host
can be. This simple guide covers what you need to know about a DMZ and when to
set up a DMZ host for regular home use.
The problem is that this specific computer can still talk to the rest of your internal
network. This means that if the “DMZ host” has been broken into and infected with
computer virus or internet malware, it may affect the rest of the devices on your
home network.
Thus, when you are setting up a “home” DMZ or DMZ host, you have to be really
careful. In fact, you generally should not use the home router’s DMZ function at all
if you can avoid it.
Note that a DMZ or DMZ host does not improve the speed or latency of your
router's connection to the server. It is simply a security setting (or the lack
of one) that decides whether the device is completely open to the Internet.
Being the DMZ host means that the router forwards all inbound ports to the
device, so it answers Internet connection attempts and pings directly. Your PC
or server may run its own software firewall, but the router is your first line
of defense; as the DMZ host you are exposed to attacks that the router's usual
firewall would otherwise have blocked.
2. Use a DMZ host for applications that require arbitrary ports to be opened.
You may be stuck with a DMZ host if you are dealing with an application that
requires all ports to be open. Make sure the DMZ device has all security
updates in place.
Firewall rules
A management client must be installed on a PC to manage the firewall and create
the needed configuration. See the documentation from your firewall (or other
NVA) vendor on how to manage the device. The remainder of this section
describes the configuration of the firewall itself, through the vendor's
management client (that is, not the Azure portal or PowerShell).
Instructions for client download and connecting to the Barracuda used in this example
can be found here: Barracuda NG Admin
On the firewall, forwarding rules will need to be created. Since this example only routes
internet traffic in-bound to the firewall and then to the web server, only one forwarding
NAT rule is needed. On the Barracuda NextGen Firewall used in this example the rule
would be a Destination NAT rule (“Dst NAT”) to pass this traffic.
To create the following rule (or verify existing default rules), start from the
Barracuda NG Admin client dashboard, navigate to the Configuration tab, and in
the Operational Configuration section click Ruleset. A grid called "Main Rules"
shows the existing active and deactivated rules on the firewall. In the upper
right corner of this grid is a small green "+" button; click it to create a new
rule. (Note: your firewall may be "locked" for changes; if you see a button
marked "Lock" and cannot create or edit rules, click it to "unlock" the ruleset
and allow editing.) To edit an existing rule, select it, right-click, and
select Edit Rule.
Here any inbound connection that reaches the firewall for HTTP (port 80, or
443 for HTTPS) is sent out the firewall's "DHCP1 Local IP" interface and
redirected to the web server at IP address 10.0.1.5. Since the traffic arrives
on port 80 and goes to the web server on port 80, no port change is needed.
However, the Target List could have been 10.0.1.5:8080 if the web server
listened on port 8080, thus translating inbound port 80 on the firewall to
port 8080 on the web server. A Connection Method must also be specified; for a
Destination NAT rule from the Internet, "Dynamic SNAT" is most appropriate.
Although only one rule has been created it's important that its priority is set correctly. If
in the grid of all rules on the firewall this new rule is on the bottom (below the
"BLOCKALL" rule) it will never come into play. Ensure the newly created rule for web
traffic is above the BLOCKALL rule.
Once the rule is created, it must be pushed to the firewall and then activated, if this is
not done the rule change will not take effect. The push and activation process is
described in the next section.
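The ordering point above is easy to get wrong on any first-match firewall, not just this one. As an added example (plain Python, not Barracuda's rule engine or syntax), the following models the two rules discussed: a Dst NAT rule for web traffic and the catch-all BLOCKALL, evaluated top to bottom, with the optional port translation to 10.0.1.5:8080. The firewall's public address 203.0.113.10 and the client addresses are constructed.

```python
"""First-match evaluation of a small NAT ruleset (added example, not the
Barracuda rule engine or its syntax).  The public address 203.0.113.10 and the
client addresses are constructed; 10.0.1.5 is the web server from the text."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "dnat" or "block"
    dst_net: str = "0.0.0.0/0"   # destination the packet was sent to
    dports: tuple = ()           # () means any port
    target: str = ""             # "ip" or "ip:port" for dnat (the Target List)

    def matches(self, p: Packet) -> bool:
        in_net = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
        return in_net and (not self.dports or p.dport in self.dports)

    def apply(self, p: Packet):
        if self.action == "block":
            return None
        ip, _, port = self.target.partition(":")
        # Keep the original port unless the Target List names one (e.g. 10.0.1.5:8080).
        return replace(p, dst=ip, dport=int(port) if port else p.dport)


def evaluate(rules, packet):
    """Walk the ruleset top to bottom; the first match decides.  Returns
    (rule name, translated packet) or (rule name, None) when dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name, rule.apply(packet)
    return "implicit-deny", None


FIREWALL_PUBLIC = "203.0.113.10"
WEB_DNAT = Rule("web-dnat", "dnat", dst_net=f"{FIREWALL_PUBLIC}/32",
                dports=(80, 443), target="10.0.1.5")
BLOCKALL = Rule("BLOCKALL", "block")
RULESET_OK = [WEB_DNAT, BLOCKALL]    # web rule above BLOCKALL
RULESET_BAD = [BLOCKALL, WEB_DNAT]   # web rule below BLOCKALL: never reached

if __name__ == "__main__":
    probe = Packet("198.51.100.7", FIREWALL_PUBLIC, 80)
    print(evaluate(RULESET_OK, probe))    # ('web-dnat', Packet(... dst='10.0.1.5', dport=80 ...))
    print(evaluate(RULESET_BAD, probe))   # ('BLOCKALL', None)
```

Keep the same shape in mind when reviewing a real ruleset: anything that sits below the catch-all deny is dead, and a Dst NAT rule only rewrites the destination, so the web server still sees the translated port rather than the one the client used.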
This is part of a POC activity related to exposing Web Services to the Internet using a DMZ IP on the
WebSphere Datapower SOA Appliance (XI52).
We have two WebSphere Datapower XI52 Appliances in the production environment with the Application
Optimization feature in place for load balancing the services between the two Datapower boxes.
Now there is a new requirement to host a new web services application on the Datapower appliance and
publish it over the internet using a DMZ IP so it can be accessed from outside (public internet)...
This new web service will be load balanced between the two Datapower boxes using the Application
Optimization feature....
I need some clarification on the points mentioned below before moving forward with the correct
approach :-
1) The Network team will provide one DMZ IP and two Production IPs - the DMZ and Production IPs are in
different network segments.
2) I will configure the production IPs on the Eth10 interface on both Datapower boxes..
3) For the Datapower ETH10 interface - Standby Control - the Virtual IP Address will be the DMZ IP.
5) The firewall will be open between the DMZ IP and the Production IPs for the new web service's SOAP/HTTP listener
port.
6) The web services will be exposed to the public internet using the DMZ IP, and this IP will be configured as
the application optimizer to distribute the load on both boxes.
6) The DNS name will be registered to the DMZ IP.
Kindly suggest the correct approach to publish the new web service over the internet using the DMZ in
WebSphere Datapower XI52 Appliances...