IBM Security Access Manager (ISAM) for Web WebSEAL is the resource manager for web-based resources inside a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide Single Sign-On and Reverse proxy solutions incorporating back-end web application server resources into its security policy.
Using Appdome MicroVPN with ISAM for WebSEAL, a mobile app can seamlessly leverage ISAM user-based client certificates and private CA certificates for mutual validation of TLS and legacy SSL connections between the mobile client apps and ISAM secure domain server resources. This enables secure client-based access while also preventing common security attacks such as credential stuffing and Man-in-The-Middle attacks.
This Knowledge Base explains how anyone can use Appdome to add ISAM for WebSEAL to Android or iOS mobile apps using Appdome MicroVPNs and establish secure connectivity to IBM Security Access Manager domain resources via mobile apps.
Appdome is a mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate MicroVPN with ISAM for WebSEAL functionality into any mobile app – instantly, no code or coding required.
Appdome MicroVPN is a flexible, all-in-one, mobile enterprise connectivity solution that supports any enterprise standard network gateway such as a TLS-SSL gateway, proxy, ISAM reverse proxy, or industry standard VPN. Appdome MicroVPN eliminates the need for mobile device VPNs or per application VPNs. Using Appdome MicroVPN each mobile app connects directly and securely to ISAM for WebSEAL secure domains.
Appdome’s MicroVPN does not require all web service endpoints to be published via a gateway, nor code changes to apps to repoint them at the newly published addresses of services. Appdome’s MicroVPN can use any TLS-SSL gateway, including ISAM for WebSEAL, Microsoft App Proxy, Netscaler and more, in two main modes: transparent mode, which does not require resources to be publicly published, and reverse proxy mode, which is intended for publicly resolvable resources. Modes can also be set on a per-resource basis, providing full granular control over the access and connectivity model.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on having standard or proprietary VPN protocols inside the mobile apps. The Appdome technology adds MicroVPN and the relevant standards, protocols, ISAM client capabilities and more to the mobile app automatically.
Two Appdome MicroVPN modes for ISAM for WebSEAL:
On Appdome, you can enable a mobile app to use ISAM for WebSEAL via MicroVPN using two different modes of operation:
For mobile end-user authentication, ISAM also supports OpenID Connect and other authentication methods. To leverage these functions inside Android and iOS apps, please refer to Appdome for SSO+. Combining Appdome MicroVPN and Appdome SSO+ into an Android and iOS app will allow each app to utilize the full range of ISAM functionality inside mobile apps. The remainder of this knowledge base article focuses on enterprise access, MicroVPN, functionality only.
Appdome for Mobile MicroVPN Features available on Appdome:
The most straightforward way of ensuring that connections between mobile apps and corporate networks are secure is to restrict the parameters of the connection. Appdome allows you to control two important parts of the connection used by the Appdome MicroVPN layer; both should match your ISAM environment.
When Strict Protocol Checking is enabled, fused apps will only be able to make connections to secure ISAM servers using these cipher suites:
DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256.
Static Client Pinning
A more advanced security measure is to apply restrictions on the ISAM secure domain servers or gateway which is the destination for the mobile app. If you set up the secure domain servers or gateway to only accept connections from clients that can identify themselves using specific client certificates, Appdome can integrate the ISAM issued certificates needed to identify the client and present them as part of the secured connections.
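The two connection restrictions described above, Strict Protocol Checking and Static Client Pinning, can be reproduced on the client side of any TLS stack. The following added example (written for this article, not Appdome or IBM code) builds a Python ssl context limited to TLS 1.2 or later and to the cipher suites listed above, optionally trusting only a private CA and presenting an ISAM-issued client certificate, and audits a list of suites a WebSEAL endpoint offers to show which ones a strictly-checking app could still negotiate. The file paths, the constructed server suite list and the rejection reasons are assumptions for illustration.

```python
import re
import ssl

# Cipher suites the article lists for Strict Protocol Checking (OpenSSL names).
STRICT_SUITES = (
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
)


def build_strict_context(ca_file=None, client_cert=None, client_key=None):
    """Client-side TLS context mirroring the two restrictions:
    TLS 1.2+, only the allow-listed suites for TLS 1.2 and, when the caller
    supplies them, a private CA as the sole trust anchor plus a client
    certificate for mutual TLS (static client pinning).
    ca_file / client_cert / client_key are placeholder paths chosen by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Everything outside the allow-list is refused for TLS 1.2 handshakes.
    ctx.set_ciphers(":".join(STRICT_SUITES))
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust only the private CA
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit_server_suites(server_suites):
    """Given the suites an ISAM/WebSEAL endpoint offers (OpenSSL names), return
    (accepted, rejected): the suites a strictly-checking app can negotiate and,
    for the rest, a short reason. The reason categories are this example's own."""
    accepted, rejected = [], {}
    for suite in server_suites:
        if suite in STRICT_SUITES:
            accepted.append(suite)
        elif not re.match(r"^(EC)?DHE-", suite):
            rejected[suite] = "no forward secrecy (static RSA key exchange)"
        elif suite.endswith("-SHA"):
            rejected[suite] = "SHA-1 MAC / legacy CBC suite"
        elif "-RSA-" not in suite:
            rejected[suite] = "non-RSA authentication (e.g. ECDSA) not in allow-list"
        else:
            rejected[suite] = "not in the Strict Protocol Checking allow-list"
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what a misconfigured gateway might offer.
    offered = [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "AES256-SHA256",
        "ECDHE-RSA-AES256-SHA",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ]
    ok, bad = audit_server_suites(offered)
    print("negotiable:", ok)
    for name, why in bad.items():
        print(f"rejected {name}: {why}")
    print("TLS 1.2 suites this client offers:", tls12_suites(build_strict_context()))
```

If the audit returns an empty accepted list, the gateway and the fused app have no suite in common and every connection will fail at the handshake, so the WebSEAL cipher configuration should be compared against this list before the app is deployed.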
Dynamic Client Pinning
Dynamic client pinning is an enterprise extension for static client pinning. It allows the use of a unique client-side certificate distributed by a SCEP server on a per-user basis. Currently, users are identified when fusing an app together with MicroVPN and Microsoft Intune. For more details read this article.
Inclusive routing means you can decide that only some secure domains (regular expressions can be used) are securely connected using MicroVPN, while other connections that are not included in the secure domain list are allowed to pass directly. This gives you the option to choose particular settings in different domains, which is especially useful for defining multiple profiles with different configurations.
Appdome allows you to define one or more profiles to configure all the above settings. In this manner, you can protect some domains with Static Client Pinning, while protecting others by securing them using Transparent Proxy mode. Note: When using multiple profiles, all the profiles should be set up with Inclusive Routing in order to have the handling of each ISAM secure domain well defined.
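The routing decision behind Inclusive Routing and multiple profiles can be modelled as a small resolver. The added example below is illustrative code written for this article, not Appdome's implementation: each profile carries a mode label (the mode names, the `Profile` fields and the sample hostnames are assumptions) and a list of regular expressions that are full-matched against the destination host. It returns the profile that claims a host, lets unlisted hosts pass directly, and flags exactly the situation the note above warns about, where overlapping domain lists or a non-inclusive profile leave a host's handling undefined.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    mode: str                    # e.g. "static-pinning", "transparent", "reverse-proxy" (labels assumed)
    domains: list                # regular expressions, full-matched against the host name
    inclusive: bool = True       # Inclusive Routing: only listed domains use MicroVPN
    _compiled: list = field(default_factory=list, init=False, repr=False)

    def __post_init__(self):
        self._compiled = [re.compile(p, re.IGNORECASE) for p in self.domains]

    def matches(self, host):
        return any(rx.fullmatch(host) for rx in self._compiled)


class RoutingError(ValueError):
    """Raised when the profile set does not define a unique handling for a host."""


def route(host, profiles):
    """Return (profile_name, mode) for the MicroVPN profile that claims `host`,
    or ("direct", None) when no inclusive profile lists it.
    Raises RoutingError when more than one profile matches, or when several
    profiles exist and one of them is not set to Inclusive Routing."""
    if len(profiles) > 1 and any(not p.inclusive for p in profiles):
        raise RoutingError("multiple profiles require Inclusive Routing on every profile")
    hits = [p for p in profiles if p.matches(host)]
    if len(hits) > 1:
        names = [p.name for p in hits]
        raise RoutingError(f"{host} matched profiles {names}; domain lists overlap")
    if hits:
        return hits[0].name, hits[0].mode
    if len(profiles) == 1 and not profiles[0].inclusive:
        # A single non-inclusive profile sends every connection through MicroVPN.
        return profiles[0].name, profiles[0].mode
    return "direct", None


def validate(profiles, sample_hosts):
    """Dry-run the profile set against representative hosts and collect every
    undefined case, so overlaps are found before the app is fused."""
    problems = []
    for host in sample_hosts:
        try:
            route(host, profiles)
        except RoutingError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample configuration: two well-separated inclusive profiles.
PROFILES = [
    Profile("intranet", "static-pinning", [r".*\.corp\.example\.com"]),
    Profile("portal", "transparent", [r"webseal\.example\.com", r"api-.*\.example\.net"]),
]

if __name__ == "__main__":
    for h in ["hr.corp.example.com", "webseal.example.com", "www.cdn-example.com"]:
        print(h, "->", route(h, PROFILES))
    # Adding a catch-all profile makes webseal.example.com ambiguous.
    overlapping = PROFILES + [Profile("legacy", "reverse-proxy", [r".*\.example\.com"])]
    for problem in validate(overlapping, ["webseal.example.com", "hr.corp.example.com"]):
        print("undefined:", problem)
```

Running `validate` over the hostnames an app is known to contact is a cheap pre-deployment check: any reported problem means two profiles compete for the same ISAM secure domain and the domain lists need to be tightened.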
Prerequisites for using Appdome MicroVPN
In order to use Appdome’s no code implementation of MicroVPN on Appdome, you’ll need:
Follow these step-by-step instructions to add MicroVPN to mobile apps on Appdome:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
The technology behind Build My App has two major elements – (1) a micro service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an AI-based code generation engine that can recognize the development environment, frameworks and methods in each app and build the code needed to add MicroVPN with ISAM support to the mobile app in seconds.
Congratulations! When your implementation is complete, you’ll see the notice below. You now have a mobile app fully integrated with MicroVPN with ISAM.
After you have added MicroVPN with ISAM support to any mobile app on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Built App
Appdome is a full featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the application.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the MicroVPN enabled Appdome-Built App (Required)
In order to deploy an Appdome-Built application, it must be signed. Signing an iOS app and signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned application and sign it locally using your own signing methods.
Deploy the Appdome-Built App to a Mobile Device
Once you have signed your Appdome-Built application, you can download it and deploy it using your distribution method of choice. For more information on deploying your Appdome-Built applications, please read this knowledge base.
That is it – Enjoy MicroVPN with ISAM in your application!
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
IBM and WebSEAL References
IBM ISAM Guide