"ibm-auth-api":{}

This section configures the connection to the IBM® Verify server.

Format

"ibm-auth-api":{
        "client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "obf-client-secret":"xxxxxxxxxx", /* Use /opt/ibm/ibm_auth/ibm_authd[_64] --obf <secret> */
        "protocol":"https",
        "host":"xxxx.verify.ibm.com",
        "port":"443",
        "max-handles":"16"
    },

Values:

"client-id":"84e8da25-d7ed-47cc-9782-b852cb64365c"
This value is required. A Verify API client must be created for use by the IBM Verify Gateway for Linux® PAM and AIX® PAM (Pluggable Authentication Modules) module.

"obf-client-secret":"asjKZsKrbbgNaPe7+kYIcOyWzZdzYNtF4KlCyYoNEFA="

This value is required. The IBM Verify client is given a client-secret (password) when it is created, and that secret must be set in this configuration setting. The obf-client-secret is the client-secret in an obfuscated form. Use the /opt/ibm/ibm_auth/ibm_authd_64 --obf client-secret command to generate the obf-client-secret value.

Note: The secret can alternatively be provided in clear text by using the "client-secret" option instead of obf-client-secret. For example:

"client-secret":"xxxxxxxxxx"

"protocol":"https"

This value is optional and defaults to "https". This protocol is used to communicate with the Verify server. Either value, "http" or "https", can be used. When https is used and the /etc/pam_ibm_auth.pem file is present, the Verify server certificate and server name are validated.

"host":"slick.verify.ibm.com"

This value is required. It identifies the Verify server that you are using.

"port":443

This value is optional and defaults to 443. This port is the port that the Verify server is listening on for requests.

"max-handles":16
This value is optional and defaults to 16. This value is the maximum number of parallel connections that the IBM Verify Gateway for Linux PAM and AIX PAM (Pluggable Authentication Modules) server makes to the Verify server for user authentication.
"authd-port": 12

This value is no longer supported.

Note: To use a proxy, the authd-port must be disabled.
"proxy": "http://proxy.ibm.com:1080"
This value is optional and defaults to not using a proxy (direct connections are used).

Set the proxy to access the Verify tenant. The value is a host name or a dotted numerical IP address. A numerical IPv6 address must be written within [brackets]. To specify a port number in this string, append :[port] to the end of the host name. The proxy port defaults to :1080. The proxy string can be prefixed with [scheme]:// to specify which kind of proxy is used.
Note: To use a proxy, you must configure the proxy settings and disable the authd-port.
http://
HTTP Proxy. The default type when no scheme or proxy type is specified.
https://
HTTPS Proxy. Added in 7.52.0 for OpenSSL, GnuTLS and NSS.
socks4://
SOCKS4 Proxy.
socks4a://
SOCKS4a Proxy. The proxy resolves the URL host name.
socks5://
SOCKS5 Proxy.
socks5h://
SOCKS5 Proxy. The proxy resolves the URL host name.
Setting the proxy string to "", an empty string, explicitly disables the use of a proxy, even if an environment variable is set for it.

A proxy host string can also include the protocol scheme http:// and an embedded user name and password.
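As an added example (not the gateway's own code), the following Python parser implements the proxy string grammar described above: an optional [scheme]:// prefix from the documented list, optional embedded user:password@, a host name, dotted IPv4 address or [bracketed] IPv6 address, an optional :port that defaults to 1080, and an empty string that disables the proxy. The ProxySetting class, the parse_proxy function and the port-range check are this example's own choices; the sample strings are constructed.

```python
"""Parser for the "proxy" value of the "ibm-auth-api" section.

Added example implementing the documented grammar; it is not the gateway's
own parser. Sample inputs in the tests are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Scheme prefixes listed in the documentation; "http" is the default.
PROXY_SCHEMES = {"http", "https", "socks4", "socks4a", "socks5", "socks5h"}
DEFAULT_PROXY_PORT = 1080  # documented default when no :port is appended


@dataclass(frozen=True)
class ProxySetting:
    scheme: str
    host: str
    port: int
    user: Optional[str] = None
    password: Optional[str] = None

    @property
    def proxy_resolves_name(self) -> bool:
        # socks4a and socks5h hand the target host name to the proxy;
        # with the other schemes the gateway host resolves it locally.
        return self.scheme in ("socks4a", "socks5h")

    @property
    def has_embedded_credentials(self) -> bool:
        # Credentials in the proxy string live in the config file in clear text,
        # so an audit should at least know they are there.
        return self.user is not None


def parse_proxy(value: Optional[str]) -> Optional[ProxySetting]:
    """Return None when the proxy is disabled (key absent or empty string)."""
    if value is None or value == "":
        return None

    rest = value
    scheme = "http"
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
        if scheme not in PROXY_SCHEMES:
            raise ValueError(f"unsupported proxy scheme: {scheme!r}")

    user = password = None
    if "@" in rest:
        creds, rest = rest.rsplit("@", 1)
        user, _, password = creds.partition(":")
        password = password or None

    # Host part: [IPv6 literal] or a host name / dotted IPv4 address.
    if rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in proxy string")
        host = rest[1:end]
        tail = rest[end + 1:]
    else:
        host, sep, tail = rest.partition(":")
        tail = sep + tail
    if not host:
        raise ValueError("proxy host is empty")

    # Optional :port suffix, defaulting to 1080 as documented.
    port = DEFAULT_PROXY_PORT
    if tail:
        if not tail.startswith(":") or not tail[1:].isdigit():
            raise ValueError(f"bad port in proxy string: {tail!r}")
        port = int(tail[1:])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")

    return ProxySetting(scheme, host, port, user, password)


if __name__ == "__main__":
    for sample in ("", "proxy.example.test", "socks5h://[2001:db8::1]:1080",
                   "https://bob:s3cret@proxy.example.test:3128"):
        print(repr(sample), "->", parse_proxy(sample))
```

The parser deliberately rejects schemes outside the documented set rather than silently falling back to http, so a typo such as "htttp://" is caught at audit time instead of changing how the connection is made.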

"proxytunnel":true
This value is optional and defaults to true if the proxy is enabled.

Set the proxytunnel argument to true to make Verify tenant operations tunnel through the HTTP proxy. Using a proxy is different from tunneling through it. Tunneling means that an HTTP CONNECT request is sent to the proxy, asking it to connect to a remote host on a specific port number, and the traffic is then passed through the proxy. Proxies allowlist the specific port numbers for which they accept CONNECT requests. Typically, only ports 80 and 443 are allowed.

"token-type": "Bearer"
Specifies the type of the token supplied in "access-token".
"access-token": "{token}"
Specifies the access token to use for the tenant. This is an alternative to using "client-id" and "client-secret" options if the access token is already known.
"ca-path": "{path-to-ca-file}"
Specifies a file with a list of permitted certificate authority signers of the Verify tenant server certificate. This text file contains one or more PEM CA public key certificates in base64 format.
By default it uses the cacert.pem file that is located in the configuration file directory.
"origin-user-agent": "IBM Verify"
Specifies the user agent sent in the request to initiate a push (device) transaction.
"connect-timeout": 10
Specifies the maximum amount of time in seconds that you allow the connection phase of an operation against the Verify tenant REST API to take. This timeout only limits the connection phase. It has no impact after it is connected.
"timeout": 40
Specifies the maximum amount of time in seconds that you allow an individual tenant REST API operation to take.
"proxy-ca-path": "{path-to-ca-file}"
Specifies a file with a list of permitted certificate authority signers of the proxy server certificate. This text file contains one or more PEM CA public key certificates in base64 format.
By default it uses the cacert.pem file that is located in the configuration file directory.
"crl-file": "{path-to-crl-file}"
Defines the CRL for validating the certificate of the Verify tenant REST API server.
The option value specifies a file containing a concatenation of CRLs (in PEM format) to use in the certificate validation that occurs during the TLS exchange with the Verify tenant REST API server.
"proxy-crl-file": "{path-to-crl-file}"
Defines the CRL for validating the certificate of the proxy server (not the targeted Verify tenant REST API server).
The option value specifies a file containing a concatenation of CRLs (in PEM format) to use in the certificate validation that occurs during the TLS exchange with the proxy server.
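The rules stated across this section (an obfuscated secret is preferred over clear-text client-secret, http sends credentials unencrypted, https validates the server only when /etc/pam_ibm_auth.pem is present, and a proxy requires authd-port to be disabled) can be checked mechanically. The audit below is an added example, not part of the gateway: load_config, audit_ibm_auth_api, the severity labels and the two sample documents are constructed for illustration. Because the documented format shows a /* */ comment inside the JSON, the loader strips such comments before parsing; that tolerance is this example's assumption, not a statement about what the gateway itself accepts.

```python
"""Audit the "ibm-auth-api" section of a pam_ibm_auth configuration file.

Added example; it applies the rules given in the documentation to a parsed
JSON document and returns findings. The sample configurations are constructed.
"""
import json
import os
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

PEM_PATH = "/etc/pam_ibm_auth.pem"  # documented location of the CA file


def load_config(text: str) -> dict:
    """Parse the file, tolerating the /* ... */ comments shown in the documented format."""
    stripped = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return json.loads(stripped)


def audit_ibm_auth_api(cfg: dict, pem_present: bool) -> List[Finding]:
    """Return a list of (severity, message) findings; an empty list means no issues."""
    api = cfg.get("ibm-auth-api", {})
    findings: List[Finding] = []

    # Required values.
    if not api.get("client-id"):
        findings.append(("error", "client-id is required"))
    if not api.get("host"):
        findings.append(("error", "host is required"))
    if not any(k in api for k in ("obf-client-secret", "client-secret", "access-token")):
        findings.append(("error", "no obf-client-secret, client-secret or access-token configured"))

    # Credential storage: the documented preference is the obfuscated form.
    if "client-secret" in api:
        findings.append(("warn", "client-secret is stored in clear text; generate "
                                 "obf-client-secret with ibm_authd_64 --obf instead"))
    if "access-token" in api:
        findings.append(("warn", "access-token is stored in clear text in the configuration file"))

    # Transport: http is unencrypted; https validates the server only with the PEM file present.
    protocol = str(api.get("protocol", "https")).lower()
    if protocol == "http":
        findings.append(("error", "protocol http sends the client secret and user credentials unencrypted"))
    elif protocol == "https":
        if not pem_present:
            findings.append(("warn", f"{PEM_PATH} absent: Verify server certificate and host name "
                                     "are not validated"))
    else:
        findings.append(("error", f"unknown protocol {protocol!r}"))

    # Proxy: requires authd-port disabled; embedded credentials sit in clear text.
    proxy = api.get("proxy", "")
    if proxy != "":
        if api.get("authd-port"):
            findings.append(("error", "proxy is set but authd-port is still configured; "
                                      "authd-port must be disabled to use a proxy"))
        if "@" in proxy:
            findings.append(("warn", "proxy string embeds a user name and password; "
                                     "restrict permissions on the configuration file"))
    return findings


# Constructed sample: clear-text secret, http, proxy together with authd-port.
WEAK_CONFIG = """{
  "ibm-auth-api": {
    "client-id": "00000000-0000-0000-0000-000000000000",
    "client-secret": "constructed-plain-text-secret", /* constructed sample value */
    "protocol": "http",
    "host": "tenant.example.test",
    "authd-port": 12,
    "proxy": "http://user:pass@proxy.example.test:1080"
  }
}"""

# Constructed sample following the documented format.
HARDENED_CONFIG = """{
  "ibm-auth-api": {
    "client-id": "00000000-0000-0000-0000-000000000000",
    "obf-client-secret": "OBFUSCATED-VALUE-PLACEHOLDER",
    "protocol": "https",
    "host": "tenant.example.test",
    "port": "443",
    "max-handles": "16"
  }
}"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_ibm_auth_api(load_config(text), os.path.exists(PEM_PATH)):
            print(f"[{severity}] {message}")
```

Running it against a live file amounts to load_config(open(path).read()) with os.path.exists(PEM_PATH) as the second argument; the hardened sample produces no findings when the PEM file is present and exactly one warning when it is not.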

"ibm-authd":{}

A trace file can be set for the ibm_authd process.

"pam":{}

A trace file can be set for the pam_ibm_auth.so module.

Other files

The file /etc/pam_ibm_auth.pem can be set up to allow verification of the tenant certificate and to verify that the tenant host name is valid for the certificate that it presents. This text file contains one or more PEM CA certificates, that is, the base64 encoding of the X.509 ASN.1 CA public key certificates.