Main configuration aspects for Kobil AST

The basis for any Kobil AST configuration in Airlock IAM is the connection to the SSMS. The plugin Kobil SSMS Client has three main properties:

  • Portal Lib Config
  • Trust Store
  • Key Store

These are three files that can be exported from the SSMS installation. The Portal Lib Config is an XML file that contains the connection information.

Make sure that you use authenticated communication with the SSMS server, to avoid interference with other applications communicating with the server. This is achieved by configuring the "Portal Services" on the SSMS and adding the libPortalAstId and portalSharedSecret properties in the XML file.

A PortalLib configuration XML will look similar to this example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<portalLib>
    <deviceEventInterval_ms>0</deviceEventInterval_ms>
    <libPortalAstId>myIAM</libPortalAstId>
    <portalSharedSecret>123456</portalSharedSecret>
    <properties>
        <entry>
            <key>com.sun.xml.ws.connect.timeout</key>
            <value xsi:type="xs:int" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">20000</value>
        </entry>
        <entry>
            <key>com.sun.xml.ws.request.timeout</key>
            <value xsi:type="xs:int" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">20000</value>
        </entry>
        <entry>
            <key>javax.xml.ws.session.maintain</key>
            <value xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</value>
        </entry>
    </properties>
    <ssmsNode>
        <internalUrl>https://kobilssms.local:8443/ssms-gui</internalUrl>
        <ssmsNodeType>MGT</ssmsNodeType>
    </ssmsNode>
    <keystorePassword>123456</keystorePassword>
    <truststorePassword>123456</truststorePassword>
    <usingExternalLoadBalancer>false</usingExternalLoadBalancer>
</portalLib>
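As an added example (not code from this page, from Airlock IAM or from Kobil), the following Python check parses an exported PortalLib XML and flags a missing libPortalAstId or portalSharedSecret, an SSMS node URL that is not https (an assumption of the check, not a requirement stated on the page), and property values that do not match their declared xsi:type.

```python
# Added example, not Airlock IAM or Kobil code: sanity-check a PortalLib XML
# export before loading it into the Kobil SSMS Client plugin.
import xml.etree.ElementTree as ET
# Constructed sample mirroring the structure shown above (trimmed to what is checked).
SAMPLE_PORTAL_LIB = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<portalLib>
    <libPortalAstId>myIAM</libPortalAstId>
    <portalSharedSecret>123456</portalSharedSecret>
    <properties>
        <entry>
            <key>com.sun.xml.ws.connect.timeout</key>
            <value xsi:type="xs:int" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">20000</value>
        </entry>
        <entry>
            <key>javax.xml.ws.session.maintain</key>
            <value xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</value>
        </entry>
    </properties>
    <ssmsNode>
        <internalUrl>https://kobilssms.local:8443/ssms-gui</internalUrl>
    </ssmsNode>
</portalLib>"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def check_portal_lib(xml_text):
    """Return a list of findings; an empty list means the export passes all checks."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "portalLib":
        return ["root element is <%s>, expected <portalLib>" % root.tag]
    # Authenticated Portal Services communication needs both the id and the secret.
    for tag in ("libPortalAstId", "portalSharedSecret"):
        if not (root.findtext(tag) or "").strip():
            findings.append("missing or empty <%s>: SSMS communication is not authenticated" % tag)
    # Assumption: every SSMS node URL must be https so the trust store actually applies.
    for node in root.findall("ssmsNode"):
        url = (node.findtext("internalUrl") or "").strip()
        if not url.lower().startswith("https://"):
            findings.append("ssmsNode internalUrl is not https: %r" % url)
    # Typed property values: the text must parse as the declared xsi:type.
    for entry in root.findall("properties/entry"):
        key, value = entry.findtext("key"), entry.find("value")
        typ = value.get(XSI_TYPE) if value is not None else None
        text = (value.text or "").strip() if value is not None else ""
        if typ == "xs:int" and not text.lstrip("-").isdigit():
            findings.append("property %s: %r is not an integer" % (key, text))
        elif typ == "xs:boolean" and text not in ("true", "false"):
            findings.append("property %s: %r is not a boolean" % (key, text))
    return findings
```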

The Kobil SSMS Client plugin is used in various Kobil-related plugins, depending on which feature should be activated:

Feature: Authentication
Plugin: Kobil AST Authenticator
Where: Authentication settings, typically in the Main Authenticator as second factor.
Options/Comments: Most default values should be good. The Message property (Advanced Settings) defines the message that is displayed in the smartphone app at login.

Feature: Administration
Plugin: Kobil Credential Controller
Where: Adminapp >> Users >> Authentication Tokens settings
Options/Comments: Enables common administration tasks (add, migrate, order letter, lock/unlock).

Feature: Activation letters
Plugin: Kobil AST Activation Letter Task
Where: Service Container
Options/Comments: Creates letters with activation codes for the initial activation of a Kobil AST device.

Feature: Self-registration
Plugin: Kobil AST Self-Service Configuration
Where: Loginapp >> Self Service Settings
Options/Comments: Allows a user to register a Kobil AST device during login.

Feature: Migration
Plugin: Migration Config
Where: Loginapp >> Self-Service Settings >> Migration Hint Page Config
Options/Comments: Enables migration from another authentication method to Kobil AST.

Feature: Device management self-service
Plugin: Property Enable Device Management
Where: Kobil AST Self-Service Configuration
Options/Comments: Device management is then reachable under the Loginapp URL /kobil-device-management.

Feature: DB Consistency
Plugin: Kobil Ssms Consistency
Where: User Persister Plugins (DB, LDAP)
Options/Comments: Maintains consistency between the user database and the SSMS.

Feature: Activation Codes
Plugin: Role-based Access Control
Where: Adminapp >> Access Control (View Kobil Activation Code)
Options/Comments: Specifies the admin roles required to view or retrieve (via the REST service) Kobil AST activation codes.