Using IBM Security Access Manager ISAM for Web WebSEAL with Android and iOS Apps using Appdome MicroVPN
IBM Security Access Manager (ISAM) for Web WebSEAL is the resource manager for web-based resources inside a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide Single Sign-On and Reverse proxy solutions incorporating back-end web application server resources into its security policy.
Using Appdome MicroVPN with ISAM for WebSEAL, a mobile app can seamlessly leverage ISAM user-based client certificates and private CA certificates for mutual validation of TLS and legacy SSL connections between the mobile client apps and ISAM secure domain server resources. This enables secure client-based access while also preventing common security attacks such as credential stuffing and Man-in-The-Middle attacks.
This Knowledge Base explains how anyone can use Appdome to add ISAM for WebSEAL to Android or iOS mobile apps using Appdome MicroVPNs and establish secure connectivity to IBM Security Access Manager domain resources via mobile apps.
About Adding ISAM for WebSEAL using Appdome’s MicroVPN
Appdome is a mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate MicroVPN with ISAM for WebSEAL functionality to any mobile app – instantly, no code or coding required.
Appdome MicroVPN is a flexible, all-in-one, mobile enterprise connectivity solution that supports any enterprise standard network gateway such as a TLS-SSL gateway, proxy, ISAM reverse proxy, or industry standard VPN. Appdome MicroVPN eliminates the need for mobile device VPNs or per application VPNs. Using Appdome MicroVPN each mobile app connects directly and securely to ISAM for WebSEAL secure domains.
Appdome’s MicroVPN does not require all web service endpoints to be published via a gateway or code change to apps to repoint to the newly published addresses of services. Appdome’s MicroVPN can use any TLS-SSL gateway, including ISAM for WebSEAL, Microsoft App Proxy, Netscaler and more in two main modes: transparent mode which does not require resources to be publicly published and reverse proxy mode which is intended for publicly resolvable resources. Modes can also be set on a per-resource basis, providing full granular control over the access and connectively model.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on having a standard or proprietary VPN protocols inside the mobile apps. The Appdome technology adds MicroVPN and relevant standards, protocols, ISAM client capabilities and more to the mobile app automatically.
Two Appdome MicroVPN modes for ISAM for WebSEAL:
On Appdome, you can enable a mobile app to use ISAM for WebSEAL via MicroVPN using two different modes of operation:
- Direct Connection Mode
In this mode, the Appdome MicroVPN layer will serve as the in-app, virtual secure gateway between the application and the world. Inside the Appdome-Fused application, the original application connects to the Appdome MicroVPN layer. This internal connection is protected by Appdome Security and not visible to the outside world. The Appdome MicroVPN Layer connects securely to a corporate gateway like ISAM for WebSEAL. The Appdome MicroVPN layer authenticates to the corporate gateway, enabling secure mobile app access to internal resources.
- Transparent Proxy Mode:
In this mode, the Appdome MicroVPN layer serves as a transparent proxy, routing its connection request to a proxy server, so that the proxy server can act as the secure gateway. Corporate proxies, like ISAM for WebSEAL, are typically accessible via the Internet. The Appdome MicroVPN layer tunnels a secure connection to the proxy to allow the original application to privately connect to the ISAM for WebSEAL secure domain resources.
For mobile end-user authentication, ISAM also supports OpenID Connect and other authentication methods. To leverage these functions inside Android and iOS apps, please refer to Appdome for SSO+. Combining Appdome MicroVPN and Appdome SSO+ into an Android and iOS app will allow each app to utilize the full range of ISAM functionality inside mobile apps. The remainder of this knowledge base article focuses on enterprise access, MicroVPN, functionality only.
Appdome for Mobile MicroVPN Features available on Appdome:
The most straightforward way of ensuring that connections between mobile apps and corporate networks are secure is to restrict the parameters of the connection. Appdome allows you to control two important parts of the connection used by the Appdome MicroVPN layer and should match your ISAM environment.
- Strict Protocol Checking, only connections to protocols in a pre-defined list are permitted. This prevents connections from the fused application to less secure destinations from being established.
- Server Validation, after establishing a connection to a destination, the Appdome-fused app can do advanced checks to verify that the destination is who it says it is and is not a fake or malicious destination that impersonates your destination.
When Strict Protocol Checking is enabled, fused apps will only be able to make connections to secure ISAM servers using these algorithms:
DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256.
Static Client Pinning
A more advanced security measure is to apply restrictions on the ISAM secure domain servers or gateway which is the destination for the mobile app. If you set up the secure domain servers or gateway to only accept connections from clients that can identify themselves using specific client certificates, Appdome can integrate the ISAM issued certificates needed to identify the client and present them as part of the secured connections.
Dynamic Client Pinning
Dynamic client pinning is an enterprise extension for static client pinning. It allows the use of a unique client-side certificate distributed by a SCEP server on a per-user basis. Currently, users are identified when fusing an app together with MicroVPN and Microsoft Intune. For more details read this article.
Inclusive routing means you can decide that only some secure domains (regular expressions can be used) are securely connected using MicroVPN, while other connections that are not included in the secure domain list are allowed to pass directly. This gives you the option to choose particular settings in different domains, which is especially useful for defining multiple profiles with different configurations.
Appdome allows you to define one or more profiles to configure all the above settings. In this manner, you can protect some domains with Static Client Pinning, while protecting others by securing them using Transparent Proxy mode. Note: When using multiple profiles, all the profiles should be set up with Inclusive Routing in order to have the handling of each ISAM secure domain well defined.
Prerequisites for using Appdome MicroVPN
In order to use Appdome’s no code implementation of MicroVPN on Appdome, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- IBM Security Access Manager (ISAM) and all required components including an TLS-SSL gateway, proxy, reverse proxy, or industry standard VPN that is the authentication or termination endpoint for the MicroVPN
- List of internal domains the mobile app will access
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to Add ISAM for WebSEAL using Appdome MicroVPN to Mobile Apps on Appdome
Follow these step-by-step instructions to add MicroVPN to mobile apps on Appdome:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Build” tab, select “Access” category
- Go to the Access tab
- Toggle on Mobile Access and MicroVPN Profiles
- Select scheme MicroVPN by Appdome
Note! that all the features are optional, and any combination can be chosen. If none of the features are on, Appdome will take basic measures to ensure connection hardening (by ensuring the application’s connection uses a secure TSL/SSL connection).
- Toggle on the Inclusive Routing feature when you can click + Add button to add domains that will be protected. When this toggle is off all domains are protected (and you can only have a single profile). You can add multiple domains or use * as a wildcard that will match any sub-domain.
- Toggle on Transparent proxy mode and enter the proxy domain (can contain port in the standard format host:port)
- Toggle on session hardening to enable Strict Protocol Checking and/or Server Validation.
- Toggle on Static Client Pinning and add the client certificate. The certificate is added in PEM format as two separate files, the certificate itself and its key file.
- Click on Add profile to set up more profiles for your app
- Click Build My App
The technology behind Build My App has two major elements – (1) a micro service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an AI-based code generation engine that can recognize the development environment, frameworks and methods in each app and build the code needed to add MicroVPN with ISAM support to the mobile app in seconds.
Congratulations! When your implementation is complete, you’ll see the notice below. You now have a mobile app fully integrated with MicroVPN with ISAM.
After Adding MicroVPN with ISAM support to a Mobile App on Appdome
After you have added MicroVPN with ISAM support to any mobile app on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Built App
Appdome is a full featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the application.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the MicroVPN enabled Appdome-Built App (Required)
In order to deploy an Appdome-Built application, it must be signed. Signing iOS app and Signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned application and sign locally using your own signing methods.
Deploy the Appdome-Built App to a Mobile Device
Once you have signed your Appdome-Built application, you can download to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built applications, please read this knowledge base.
That is it – Enjoy MicroVPN with ISAM in your application!
General and References
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
IBM and WebSEAL References