Lab Exercises
Using IBM X-Force Deep Packet
Inspection in the IBM Security Access
Manager Appliance

IBM Training
Contents
Exercises                                              1
  Exercise 1 Enabling the PAM module in ISAM           2
  Exercise 2 Testing the PAM module                    5
Appendix. Junction setup                              11
  Configure the network interface                     11
  Configure the runtime component                     12
  Configure the reverse proxy component               13
  Configure the SSO user                              14
  Create the forms-based SSO configuration file       16
  Configure the junction                              17

© Copyright IBM Corp. 2017 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercises
This lab demonstrates how to integrate the Protocol Analysis Module (PAM) engine with the IBM
Security Access Manager (ISAM) appliance. PAM, one of the many IBM X-Force products, can
provide deep packet inspection of the web traffic coming to the Access Manager Reverse Proxy.
PAM is included in several IBM Security products. In Access Manager, PAM inspects the web
content passing through the reverse proxy and protects against attacks carried in it.

The following diagram illustrates the lab setup used for this demo.

There are three virtual machines, each connected with a single network interface card to the
virtual switch.
• ISAM is the IBM virtual appliance used for access management solutions. It includes a built-in
authentication and access management engine, an internal LDAP-compliant Directory Server, and a
reverse proxy module. The reverse proxy module controls access to the back-end web
applications over a special connection called a junction.

Note: The transparent path junction is already configured on the ISAM appliance. You can review
the junction setup in the appendix, Junction setup, on page 11.

• Vulnerable Server contains several vulnerable applications. This demo uses the fictional
company Altoro Mutual and demonstrates the vulnerability of the Altoro Mutual web application.
• Client Machine is used to access the ISAM administration interface and perform single sign-on
to the Altoro Mutual web application. It is also used to demonstrate SQL Injection and cross-site
scripting attacks, and to show how ISAM can protect your environment.
Note: This virtual machine is running Ubuntu 16.x Linux and uses Firefox.

User names and passwords


The following table summarizes user names and passwords that are used on the virtual machines.

System             User        Comments
Linux-client       user        The root user is not enabled. Use sudo commands.
ISAM               admin       This is the appliance administration account.
                   sec_master  This is the admin account for the access manager domain.
                   cn=root     This is the admin account for the Directory Server (LDAP).
                   jsmith      This is the Access Manager user used to access the Altoro
                               Mutual application over the junction.
                               Note: This user's default password is P@ssw0rd.
Vulnerable server  toor        The root user is not enabled. Use sudo commands.
                   jsmith      This is an Altoro Mutual user. The password for the jsmith
                               user is demo1234.

Unless otherwise stated, all passwords are P@ssw0rd.

The Directory Server suffix is dc=iswga.

Exercise 1 Enabling the PAM module in ISAM


This exercise demonstrates how to enable the IBM Protocol Analysis Module (PAM) deep packet
inspection engine in the IBM Access Manager virtual appliance.
1. Log in to the Linux-client virtual machine.

2. Enter the following URL to access the Access Manager administration interface:
https://192.168.42.199

3. Log in as admin using password P@ssw0rd.

4. Navigate to Secure Web Settings > Reverse Proxy.

5. Select web1 proxy.

6. Click Manage > Configuration > Web Content Protection.

7. In the Web Content Protection Configuration window, select the following options:
a. Operating Configuration tab
i. Select Enable Web Content Protection.

ii. Select Enable Simulation Mode.

Important: In simulation mode, PAM reports attacks and records the blocking decision it would
have made (simulated blocking), but the attack still reaches the application because the appliance
is in simulation mode. Reviewing the recorded attack results helps you understand the anatomy of
the attack and decide how best to prevent it. If you want to block attacks, do not select
simulation mode.

iii. In the Resource Action section, leave the default settings.

iv. Scroll to the Registered Resource section.

v. Click New and add /altoromutual/* as the resource.

b. Click the Issues tab and review the default settings. The issues listed are X-Force
signatures that recognize different HTTP vulnerabilities and block the attacks.

c. Click the Audit tab. To view the attacks blocked by PAM, select Enable Log Detailed Audit
Events.

d. Click the Advanced Configuration tab and leave the default settings.

8. Click Save.

9. Deploy the Web Content Protection Configuration changes.


You are prompted to restart the web1 instance of the Reverse Proxy.

10. Select the web1 instance and click Restart.


PAM is now enabled and active. Now you can demonstrate and test PAM capabilities.

Exercise 2 Testing the PAM module


This lab uses two common web attacks to test PAM:
• SQL Injection
• Cross-site scripting

Performing SQL Injection attacks


SQL injection is a very common attack vector against web applications. This
demonstration shows how the PAM engine in IBM Access Manager can protect web applications
from that type of attack.
1. From the Linux-client virtual machine, open another tab or web browser instance.

2. Enter the following URL to access the Altoro Mutual web junction:
https://192.168.42.200/altoromutual

3. Log in as jsmith using password P@ssw0rd.

4. At the top of the Altoro Mutual Login page, click the Sign In link.

The SSO mechanism automatically logs the user into the application and displays the View
Account Details page.

Note: The Sign In link is now a Sign Off link.

5. In the left menu, click View Recent Transactions.

A page listing recent transactions opens.

6. In the After field, enter the following SQL injection attack:


2001-01-01 00:00:00') and 0=1 UNION SELECT 2999 as TRANSACTION_ID,7 as
ACCOUNTID, TIMESTAMP('2001-01-01 00:00:00') as DATE,'User ID: ' || USER_ID ||
'<BR>password: ' || PASSWORD AS TYPE ,7 as AMOUNT FROM PEOPLE --


Hint: You can copy the attack string from the web-attacks-sample text file on the desktop.

7. Click Submit and note that the Action column includes user login credentials.

This type of attack is known as an SQL Injection data manipulation attack and can be blocked
by PAM. In this demo, PAM is configured in Simulation mode. While blocking does not occur in
Simulation mode, the attack details are recorded in the pam.log file.

Performing Cross-site scripting attacks


The second demonstration shows another very common category of web attacks called cross-site
scripting. Before you can demonstrate the cross-site scripting attack, you must disable the
NoScript Firefox add-on (1) so that scripts can run in the browser.
1. In Firefox, open another tab or web browser instance and access altoromutual.

2. From the Firefox toolbar, click the NoScript icon and select Allow Scripts Globally
(dangerous).

3. If the session has expired, log in to Altoro Mutual as jsmith using password P@ssw0rd.

4. In the Warning window, click OK.

5. At the top of the screen, click the Feedback link.


(1) https://addons.mozilla.org/en-US/firefox/addon/noscript/

6. On the Feedback form, in the Your Name field, enter the attack script:
<script> alert('Hello World') </script>

7. Click the Submit button.


The cross-site scripting attack runs and the Hello World alert window opens.

8. Close the browser.

Review the PAM logs


The PAM logs are located on the ISAM appliance in raw format and contain many messages,
including the security events related to the SQL injection and cross-site scripting attacks.
1. Enter the following URL to access the Access Manager administration interface.
https://192.168.42.199

2. Log in as admin using password P@ssw0rd.

3. Navigate to Secure Web Settings > Reverse Proxy.

4. Select web1 proxy.

5. Click Manage > Logging.

6. In the Manage Reverse Proxy Log Files window, select pam.log and click View.

7. The file is displayed in raw format.

Hint: You can download the log or copy it into a text editor to enable text search capabilities.

8. Look for the security events that are related to SQL injection and cross-site scripting attacks.

Note: Even if the action field shows Block, the attack was not blocked, because the
appliance was using simulation mode. Simulation mode is indicated in the log as non-enforcing.
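A small model of the behaviour this note describes, added here as an example that is not part of
the lab or of the PAM engine: a request against the registered resource /altoromutual/* is matched
against two constructed signatures standing in for the X-Force issues, and the decision is logged
as Block in both modes while the request is only dropped when the mode is enforcing. It serves
both the cross-site scripting demonstration above and this log-review note; the signature
patterns, the Decision fields and the audit line format are assumptions, not pam.log syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed signatures standing in for the issues enabled on the Issues tab.
# They cover only the two payloads used in this lab, not the real X-Force set.
SIGNATURES = {
    "SQL_Injection": re.compile(r"(?i)\bunion\s+select\b"),
    "Cross_Site_Scripting": re.compile(r"(?i)<\s*script\b"),
}

REGISTERED_RESOURCE = "/altoromutual/"   # the resource added in Exercise 1, step 7.a.v

@dataclass
class Decision:
    allowed: bool            # True if the reverse proxy forwards the request
    action: str              # what the policy decided: "Block" or "Allow"
    enforcing: bool          # False in simulation mode (logged as non-enforcing)
    issue: Optional[str]     # name of the matching signature, if any

def inspect(resource: str, fields: Dict[str, str], simulation_mode: bool) -> Decision:
    """Inspect one request's form fields. Only registered resources are inspected."""
    if not resource.startswith(REGISTERED_RESOURCE):
        return Decision(True, "Allow", not simulation_mode, None)
    for name, pattern in SIGNATURES.items():
        if any(pattern.search(value) for value in fields.values()):
            # The decision is Block either way; in simulation mode it is only
            # recorded and the request still reaches the application.
            return Decision(allowed=simulation_mode, action="Block",
                            enforcing=not simulation_mode, issue=name)
    return Decision(True, "Allow", not simulation_mode, None)

def audit_line(resource: str, decision: Decision) -> str:
    """Constructed audit record (not the real pam.log format) showing why a
    Block entry can appear for an attack that was not stopped."""
    mode = "enforcing" if decision.enforcing else "non-enforcing"
    return (f"resource={resource} issue={decision.issue} "
            f"action={decision.action} mode={mode}")
```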

Appendix. Junction setup
This appendix explains the junction configuration specific to this lab. This configuration is not part
of the main topic, but it is necessary for the PAM demonstration.

To set up the Single Sign On junction from the appliance to the Altoro Mutual web application,
perform the following high-level steps:
• Configure the network interface
• Configure the runtime component
• Configure the reverse proxy component
• Configure the SSO user
• Create the forms-based SSO configuration file
• Configure the junction

Configure the network interface


1. Enter the following URL to log in to the Access Manager appliance local management console
(LMI):
https://192.168.42.199

2. Use user name admin and password P@ssw0rd.

3. Navigate to Manage System Settings > Interfaces.

4. On the Network Configuration page, select the Interfaces tab.

5. Edit the 1.1 current interface.

6. Add a new IP address: 192.168.42.200/24.

7. Save and deploy the changes.

Configure the runtime component


1. Navigate to Secure Web Settings > Runtime Component.

2. Before you configure the runtime component, you must set the embedded LDAP password.
Select Manage > Embedded LDAP.

3. In the pop-up window, type the password P@ssw0rd and click Submit.

4. Click Configure.

5. In the Runtime Environment Configure window, perform the following steps:


a. For Policy server, use Local.

b. For User Registry, use LDAP Local.

c. Click Next.

d. For Policy Server > Administrator Password, type P@ssw0rd.

e. Confirm the password, and click Next.

f. For LDAP > Password, type P@ssw0rd.

g. Click Finish.

6. Review the System Notification message and Status to confirm that the runtime component has
been successfully configured.

Configure the reverse proxy component


1. Navigate to Secure Web Settings > Reverse Proxy.

2. To create a new reverse proxy instance, click New.

3. In the New Reverse Proxy Instance window, perform the following steps:
a. For Instance Name, use web1.

b. For IP Address of the Primary Interface, use 192.168.42.200.

c. Click Next.

d. On the IBM Security Access Manager tab, for the Administrator Password, type
P@ssw0rd.

e. Click Next.

f. On the Transport tab, select both Enable HTTP and Enable HTTPS.

g. Click Finish.

4. Review the System Notification message and Status to confirm that the new proxy instance has
been successfully configured.

Configure the SSO user


1. Navigate to Secure Web Settings > Policy Administration.

2. Log in to the Policy Administration tool using user sec_master and password P@ssw0rd.

3. Select GSO Resources > Create GSO and perform the following steps:
a. For GSO Name, enter altoroj.

b. For Description, enter SSO access to Altoro Mutual.

c. Click Create.

d. Click Done.

4. Select User > Create User and configure the following settings:
a. User Id: jsmith

b. Common Name: John

c. Surname: Smith

d. Password: P@ssw0rd

e. Confirm Password: P@ssw0rd

f. Description: Altoro Mutual SSO account

g. Registry UID: uid=jsmith,dc=iswga

h. Select Account Valid, Password Valid, GSO User.

5. Click Create.

6. Click the new jsmith user.

7. Click GSO Credentials.

8. Click Create and configure the following settings:


a. GSO Name: altoroj

b. Type: GSO

c. User Sign-on ID: jsmith

d. Password: demo1234

e. Confirm Password: demo1234

9. Click Create.

Create the forms-based SSO configuration file


1. Navigate to Secure Web Settings > Global Settings > Forms Based Single Sign-on.

2. To define a new F-SSO configuration file, click New.

3. In the create window, replace the Content field with the following content:
[forms-sso-login-pages]
login-page-stanza = altoro-login

[altoro-login]
login-page = /altoromutual/login.jsp
login-form-action = doLogin
gso-resource = altoroj
argument-stanza = args-for-altoro-login

[args-for-altoro-login]
uid = gso:username
passw = gso:password

4. In the File name field, type fsso.conf.

5. Click OK.

6. Deploy the changes.

Configure the junction
1. In the Access Manager web administration interface, navigate to Secure Web Settings >
Reverse Proxy.

2. Select web1 proxy.

3. Click Manage > Junction Management.

4. In the Junction Management - web1 window, select New > Standard Junction.

5. In the Create a Standard Junction window, perform the following steps:


a. On the Junction tab:
i. For Junction point name, enter /altoromutual.

ii. Select Create Transparent Path Junction.

b. On the Server tab, click New and configure these settings:


i. For Host name, enter 192.168.42.201.

ii. For TCP or SSL Port, enter 8080.

iii. For Virtual Host, enter 192.168.42.201.

iv. For Virtual Host Port, enter 8080.

v. For Local Address, enter 192.168.42.200.

vi. Click Save.

c. Leave the default values and skip the Basic Authentication tab.

d. On the Identity tab, perform these steps:


i. For HTTP Header Identity Information, select IV_USER, IV_GROUPS and IV_CREDS.

ii. Select Insert client IP address.

e. Leave the default values and skip the SSO and LTPA tab.

f. On the General tab, select the fsso.conf FSSO Configuration file.

g. Click Save.

6. Close the Junction Management - web1 window.

Test the SSO junction


1. Open the web browser and enter the following URL:
https://192.168.42.200/altoromutual

2. Log in to Access Manager as jsmith using password P@ssw0rd.

3. At the top of the Altoro Mutual Login page, click the Sign In link.

4. Confirm that you are not asked for login credentials again and that the Account details page
displays.

5. To log out of Altoro Mutual, click the Sign Off link.

6. Enter the following URL to log out of Access Manager:
https://192.168.42.200/pkmslogout

Hint: Enter the following URL to access the web application without using a junction and observe
the login behavior: http://192.168.42.201/altoromutual.
