ISAM for Mobile – ROPC OAuth Username and Password Validation

As of V8.0.1.0 of ISAM for Mobile, the JavaScript mapping rule has a helper class for Resource Owner Password Credentials (ROPC) validation against the configured LDAP server. A few configuration steps are required before it works, though. If you haven't configured it, an ROPC flow will fail with the following error:

{"error":"mapping_error",
"error_description":"com.tivoli.am.rba.exception.RBARuntimeException: 
FBTRBA318E The username password authentication mechanism configuration is 
invalid."}

And if your configuration isn't quite right, you'll probably get one of the following errors:

{"error":"mapping_error",
"error_description":"com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException: 
HPDAA0333E   Unable to determine the registry server type.  
Error message HPDAA0329E   The credentials provided can not be authenticated 
by the registry.."}

or:

{"error":"mapping_error",
"error_description":"com.tivoli.pd.rgy.exception.ServerDownRgyException: 
HPDAA0278E   None of the configured LDAP servers of the appropriate type 
for the operation can be contacted."}

The Username and Password validation logic is found in the <API PolicyName>PreToken mapping rule.


Javadoc for the available JavaScript libraries is available under the File Downloads section of the appliance (under "Manage System Settings").


The isValidUsernamePassword module gets its configuration from the Authentication Services “Username Password” mechanism. In order to utilise this in the mapping rule, we need to configure it and tell it how to contact the relevant LDAP server.


In the Authentication Mechanisms section, edit the properties for the Username Password module.


A properties page will be displayed.


Here are two sample configurations:

Onboard Appliance LDAP Server – NO SSL:

LDAP Bind DN    cn=root,secAuthority=Default
LDAP Bind Password    passw0rd
LDAP Host Name    localhost
LDAP Port    389
Login Failures Persistent    false
Management Domain    Default
Maximum Server Connections    16
SSL Enabled    false
SSL Trust Store    
User Search Filter    (|(objectclass=ePerson)(objectclass=Person))

Onboard LDAP Server or External LDAP Server
(including on another appliance) – with SSL:

LDAP Bind DN    cn=root,secAuthority=Default
LDAP Bind Password    passw0rd
LDAP Host Name    <LDAP Server IP/FQDN>
LDAP Port    636
Login Failures Persistent    false
Management Domain    Default
Maximum Server Connections    16
SSL Enabled    true
SSL Trust Store    embedded_ldap_keys

Save and deploy the changes, and your ROPC requests should now complete (assuming they carry a valid username and password). Here is a sample curl request to help you along:

curl -k -d "client_id=android_client_id&grant_type=password&username=emily&password=Passw0rd" \
  https://192.168.42.11/mga/sps/oauth/oauth20/token


A wrong password will return the error:

{"error":"mapping_error","error_description":"com.tivoli.pd.rgy.exception.InvalidCredentialsRgyException: HPDAA0329E   The credentials provided can not be authenticated by the registry."}
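Each of the errors quoted in this post points at a different configuration step, so it helps to have a script that sends the ROPC request and names the state the appliance is in. The following POSIX shell script is an added example, not code from the original post or from IBM: it URL-encodes each form parameter (the one-liner above would break on a password containing "&" or "%"), verifies TLS against a CA bundle when the assumed variable ISAM_CA_BUNDLE is set and otherwise falls back to -k as the post does, classifies the token endpoint's reply by the FBTRBA318E / HPDAA0333E / HPDAA0278E / HPDAA0329E codes shown above, and adds an optional ldapsearch pre-check of the bind DN, host and port before they are saved into the Username Password mechanism. The sample response bodies are constructed from the post's own error messages; the success body and its token value are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): send an ROPC request
# to the ISAM token endpoint and classify the reply by the error codes the post
# quotes, so a failing flow can be matched to the configuration step it needs.

# Sample response bodies, constructed from the errors shown in the post.
SAMPLE_NOT_CONFIGURED='{"error":"mapping_error","error_description":"com.tivoli.am.rba.exception.RBARuntimeException: FBTRBA318E The username password authentication mechanism configuration is invalid."}'
SAMPLE_REGISTRY_TYPE='{"error":"mapping_error","error_description":"com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException: HPDAA0333E   Unable to determine the registry server type.  Error message HPDAA0329E   The credentials provided can not be authenticated by the registry.."}'
SAMPLE_SERVER_DOWN='{"error":"mapping_error","error_description":"com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E   None of the configured LDAP servers of the appropriate type for the operation can be contacted."}'
SAMPLE_BAD_PASSWORD='{"error":"mapping_error","error_description":"com.tivoli.pd.rgy.exception.InvalidCredentialsRgyException: HPDAA0329E   The credentials provided can not be authenticated by the registry."}'
# A constructed success body; the token value is a placeholder, not a real token.
SAMPLE_SUCCESS='{"access_token":"PLACEHOLDER_TOKEN","token_type":"bearer","expires_in":3600}'

# Map a token-endpoint response body to one of the states the post describes.
# Order matters: the HPDAA0333E body also embeds the HPDAA0329E text, but there
# it refers to the mechanism's own LDAP bind, not the end user's password, so
# the HPDAA0333E pattern is tested first.
classify_ropc_response() {
  body="$1"
  case "$body" in
    *FBTRBA318E*)   echo "not-configured" ;;   # Username Password mechanism never configured
    *HPDAA0333E*)   echo "ldap-config" ;;      # bind DN / bind password / registry settings wrong
    *HPDAA0278E*)   echo "ldap-unreachable" ;; # host, port or SSL settings wrong, or server down
    *HPDAA0329E*)   echo "bad-credentials" ;;  # mechanism works; the user's password is wrong
    *access_token*) echo "success" ;;
    *)              echo "unknown" ;;
  esac
}

# Send the ROPC request. Unlike the post's one-liner, each parameter is
# URL-encoded, so passwords containing '&', '%' or '+' arrive intact.
# TLS: if ISAM_CA_BUNDLE (an assumed variable) points at the appliance CA,
# verify against it; otherwise fall back to -k as the post does.
ropc_token_request() {
  endpoint="$1"; client_id="$2"; username="$3"; password="$4"
  if [ -n "${ISAM_CA_BUNDLE:-}" ]; then
    set -- --cacert "$ISAM_CA_BUNDLE"
  else
    set -- -k
  fi
  curl -s "$@" \
    --data-urlencode "client_id=$client_id" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$username" \
    --data-urlencode "password=$password" \
    "$endpoint"
}

# Optional pre-check of the values destined for the Username Password mechanism:
# bind with OpenLDAP's ldapsearch before saving them on the appliance. A bind
# failure here predicts HPDAA0333E; a connection failure predicts HPDAA0278E.
# For ldaps:// the client needs the server's CA, e.g. via LDAPTLS_CACERT.
ldap_bind_check() {
  # $1 = ldap://host:389 or ldaps://host:636, $2 = bind DN, $3 = bind password
  ldapsearch -x -H "$1" -D "$2" -w "$3" -b "" -s base -LLL >/dev/null
}

# Stand-alone use: ./ropc_check.sh <token-url> <client_id> <username> <password>
if [ "$#" -eq 4 ]; then
  response=$(ropc_token_request "$@")
  printf '%s\n' "$response"
  classify_ropc_response "$response"
fi
```

Run it with the post's values (the token URL, android_client_id, emily and her password) and the last line of output tells you which of the three configuration problems you have, or that the mechanism is fine and only the user's password is wrong. The classification is purely by the appliance's error codes, so it works unchanged for an onboard or an external LDAP server.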

