Layer7 API Management

  • 1.  Two factor authentication of policy manager

    Posted Dec 10, 2017 03:03 AM

    We have a requirement to use two factor authentication before managing the policies in the gateway. Does somebody has setup this scenario already or a good suggestion how to setup this scenario?



  • 2.  Re: Two factor authentication of policy manager

    Posted Dec 11, 2017 04:35 AM

    Hi Edward,

     

    Here is something to get to you started.

     

    https://communities.ca.com/message/241874649

     

    Regards

    Seenu Mathew



  • 3.  Re: Two factor authentication of policy manager

    Posted Dec 11, 2017 04:47 AM

    Hi Seenu,

     

    Could you please share the document? It is protected for me.

    Thank you!

     

    Regards,

     

    Edward



  • 4.  Re: Two factor authentication of policy manager

    Posted Dec 11, 2017 05:10 AM

    Here you go...

     



  • 5.  Re: Two factor authentication of policy manager

    Posted Dec 11, 2017 05:28 AM

    Hi Seenu,

     

    Thank you Seenu!

    Is it possible to use a policy like this for the policy manager itself? We have to protect management of the policies.

     

    With regards,

     

    Edward



  • 6.  Re: Two factor authentication of policy manager

    Posted Dec 12, 2017 05:24 AM

    Hi Edward,

     

    I have not heard anyone do this for Policy manager, but I don't see a reason why not.

     

    Regards

    Seenu Mathew



  • 7.  Re: Two factor authentication of policy manager

    Posted Dec 12, 2017 12:01 PM

    Thick client or the web based? 

     

    For thick client, we use CA PAM and connect to managed users with rotated passwords. This way it meets 2FA compliance by providing short-lived passwords that are "checked out" via smartcard authentication.

     

    So a user has to checkout their short-lived password and log into the thick client with that. If they need to log in later again, might require them to checkout a new password.

     

    That works in our setup to meet 2FA but does require you to have managed accounts in some system like CA PAM (or equivalent) and that meeting your two factor requirement. 

     

    The thick client at least supports client cert auth, but given that you have to add the key to it directly it's not very secure and definitely not up to medium hardware.



  • 8.  Re: Two factor authentication of policy manager

    Posted Dec 14, 2017 06:12 PM

    Thanks C Bertagnolli,

     

    We prefer to use the thick client. With PAM you manage the accounts in the api gateway identity store or only the access to the workstation where the policy manager is installed or another construction?



  • 9.  Re: Two factor authentication of policy manager
    Best Answer

    Posted Dec 15, 2017 12:24 PM

    External LDAP directory that has PAM managed accounts in it. Not sure if PAM can handle the accounts local to the API GW DB...we tried that briefly but couldn't get it work (haven't circled back to it yet though, would be cool if it could).

     

    Also, it appears the product requires you to keep at least one permanent local super user, which can then be locked down with a max length password and toss on additional mitigations for that account. Just all depends on what is acceptable there; but that'd be your emergency "everything is dorked up" credential .

     

    Mitigation ideas:

    - Policy Management listener only on a non-exposed port (i.e., don't have it enabled on the ports you are exposing for services) and require connection coming from a specific secure network (possibly even coming only from a specific monitored management server that requires smartcard log in + role access).

     

    - Email alert if emergency super user account logs in or has log in attempts. If you have something like Tripwire or other monitoring tools in place already they can do this - just have it look at the logs for specific events and take some action if it's not during a known event.

     

    - Regular change of admin password and only known to a small set of trusted admins.

     

    - Store the password itself in CA PAM that only certain groups can even view it to use after logging in with a strong certificate auth (medium hardware). 

     

    -------

     

    I'm sure other folks may have some ideas that have used the product for a while .

     

    Anyhoo, just some thoughts.



  • 10.  Re: Two factor authentication of policy manager

    Posted Dec 15, 2017 05:23 PM

    Thank you for your thoughts!