User Registry Security

Summary:

ISAM stores data about users. This data is kept in the user registry you deploy against, and the security of that data depends on the permission settings in that registry. When Active Directory is the user registry, AD permissions control who has access to ISAM data: if the AD permissions are insecure, the ISAM data is insecure.


Details:

Default ISAM Permissions: 

When an object is created that has no default permissions of its own, its parent object class's permissions are applied. IBM classes have a parent of 'top'. If your directory's 'top' class grants domain users access, then they can read your data.

This results in the default permissions from AD being applied to the ISAM section of the Directory Information Tree.

If your default permissions allow normal users to read data, they will be able to read your Tivoli data. Some of this data should be restricted, such as the GSO credential, which is protected only by a weak cipher. To remedy this, you must either lock down AD or lock down the ISAM directory information.

As such, the default IBM class definition must be changed to apply a security list that is not inherited from 'top'.


http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_baseadmin_guide/concept/con_applyacltoldapsfx.html


User objects have an object class of top;SOME, and so the parent class's (top's) permissions are also applied.



The ivrgy_tool would normally be used, but it only understands Tivoli Directory Server, Sun Java System Directory Server, Sun ONE Directory Server and Novell eDirectory Server. "An administrator can also apply and update the schema by using one of these files as the LDAP Data Interchange Format (LDIF) input to the Tivoli Directory Server ldapmodify utility." In AD the equivalent is the schema editor.


Use dsacls to remove the default permissions.



Solution:


# Edit the URAF* classes' default security.

# Run dsacls and replace the current permissions with the default set defined above.

cn=SecurityGroup
cn=ivacld-servers
cn=remote-acl-users





Test Plan


Can you see the GSO Cred

Does WebSEAL work

Create a test user, and also use an existing user. Grant GSO credentials and access to a junction through WebSEAL. Test WebSEAL positive and negative cases.
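The following PowerShell script is an added example, not part of the original note or of any IBM tooling. It supports both the Solution step (checking what default security an ISAM schema class carries) and the first Test Plan item (can a normal user read the ISAM data?) without touching any credential: it reads the class's defaultSecurityDescriptor from the AD schema, then walks the ISAM subtree and reports every Allow ACE that gives a broad principal (Everyone, Authenticated Users, Domain Users) read rights, marking which of those ACEs are inherited from the parent. The suffix DN ("secAuthority=Default,DC=example,DC=com") and the class name ("secUser") are placeholders you must replace with your own deployment's values.

```powershell
# Added example (not from the original note). Requires the ActiveDirectory module (RSAT).
# ASSUMPTIONS: $IsamSuffix and $IsamClassName are placeholders; substitute your own values.
Import-Module ActiveDirectory

$IsamSuffix    = 'secAuthority=Default,DC=example,DC=com'   # placeholder: root of the ISAM section of the DIT
$IsamClassName = 'secUser'                                  # placeholder: lDAPDisplayName of an ISAM class

# Broad principals that should not hold read rights over ISAM data.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')

# Read-type rights: GenericRead or ReadProperty on the object.
$ReadMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)

function Get-IsamClassDefaultSD {
    # Returns the SDDL string stored on the schema class. An empty value means new
    # instances get their ACL from the parent container, which is the behaviour the note describes.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties defaultSecurityDescriptor
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [pscustomobject]@{
        Class     = $cls.Name
        DefaultSD = $cls.defaultSecurityDescriptor
        Inherits  = [string]::IsNullOrEmpty($cls.defaultSecurityDescriptor)
    }
}

function Find-BroadReadAces {
    # Walks every object under $BaseDn and lists Allow ACEs granting read rights to a broad principal.
    param([string]$BaseDn)
    $findings = @()
    Get-ADObject -SearchBase $BaseDn -SearchScope Subtree -Filter * | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Strip any "DOMAIN\" or "NT AUTHORITY\" prefix before comparing the account name.
            $name    = ($ace.IdentityReference.Value -split '\\')[-1]
            $hasRead = ([int]$ace.ActiveDirectoryRights -band $ReadMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $hasRead -and ($BroadPrincipals -contains $name)) {
                $findings += [pscustomobject]@{
                    Object    = $_.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited   # $true means the ACE came down from the parent, i.e. AD defaults
                }
            }
        }
    }
    return $findings
}

Get-IsamClassDefaultSD -LdapDisplayName $IsamClassName | Format-List

$results = Find-BroadReadAces -BaseDn $IsamSuffix
if ($results) {
    $results | Format-Table -AutoSize
} else {
    "No broad read ACEs found under $IsamSuffix"
}
```

Run the audit once before the dsacls change to record the inherited ACEs, and again afterwards: the expected result after the fix is an empty finding list, with the listed ISAM groups (cn=SecurityGroup, cn=ivacld-servers, cn=remote-acl-users) still present in the ACL so that WebSEAL continues to work.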