
    IBM Security Access Manager for Mobile

    The JSA DSM for IBM Security Access Manager for Mobile collects logs from an IBM Security Access Manager for Mobile device and from an IBM Identity as a Service (IDaaS) device.

    The following table identifies the specifications for the IBM Security Access Manager for Mobile DSM:

    Table 1: IBM Security Access Manager for Mobile DSM Specifications

    | Specification | Value |
    |---|---|
    | Manufacturer | IBM |
    | DSM name | IBM Security Access Manager for Mobile |
    | RPM file name | DSM-IBMSecurityAccessManagerForMobile-7.x-Qradar_version-Buildbuild_number.noarch.rpm |
    | Supported versions | IBM Security Access Manager for Mobile v8.0.0; IBM IDaaS v2.0 |
    | Event Format | Common Base Event Format; Log Event Extended Format (LEEF) |
    | Recorded event types | IBM_SECURITY_AUTHN, IBM_SECURITY_TRUST, IBM_SECURITY_RUNTIME, IBM_SECURITY_CBA_AUDIT_MGMT, IBM_SECURITY_CBA_AUDIT_RTE, IBM_SECURITY_RTSS_AUDIT_AUTHZ, IBM_SECURITY_SIGNING, CloudOE, Operations, Usage, IDaaS Appliance Audit, IDaaS Platform Audit |
    | Automatically discovered? | Yes |
    | Includes identity? | No |
    | Includes custom properties? | No |
    | More information | www.ibm.com/software (http://www-03.ibm.com/software/products/en/access-mgr-mobile) |

    To integrate IBM Security Access Manager for Mobile with JSA, complete the following steps:

    1. If automatic updates are not enabled, download the most recent version of the following RPMs on your JSA console:

      TLS Syslog Protocol RPM

      IBM Security Access Manager for Mobile DSM RPM

    2. Configure your IBM Security Access Manager for Mobile device to send syslog events to JSA.

    3. If JSA does not automatically detect the log source, add an IBM Security Access Manager for Mobile log source on the QRadar console. The following table describes the parameters that require specific values for IBM Security Access Manager for Mobile and IBM Identity as a Service event collection:

      Table 2: IBM Security Access Manager for Mobile Log Source Parameters

      | Parameter | Value |
      |---|---|
      | Log Source type | IBM Security Access Manager for Mobile or IBM Identity as a Service |
      | Protocol Configuration | TLS Syslog |
      | Log Source Identifier | The IP address or host name in the Syslog header. Use the packet IP address if the Syslog header does not contain an IP address or host name. |
      | TLS Listen Port | Type the port number to accept incoming TLS Syslog events. |

    4. Saving the log source creates a listen port for incoming TLS Syslog events and generates a certificate for the network devices. The certificate must be copied to any device on your network that can forward encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in JSA.

    Configuring IBM Security Access Manager for Mobile to Communicate with JSA

    Configure IBM Security Access Manager for Mobile to send audit logs to JSA through TLS syslog.

    Ensure that IBM Security Access Manager for Mobile has access to JSA for TLS syslog communication.

    1. Select Monitor Analysis and Diagnosis > Logs > Audit Configuration.
    2. Click the Syslog tab and enter the information in the following table.

      | Field | Value |
      |---|---|
      | Enable audit log | Click Enable audit log. |
      | Enable verbose audit events | Click Enable verbose audit events. Audit events that are not verbose do not contain the JSON payload, which contains details of user activity. |
      | Location of syslog server | Select On a remote server. |
      | Host | The JSA server host name or IP. |
      | Port | The port number that you want to use for JSA to accept incoming TLS syslog events. |
      | Protocol | Select TLS. |
      | Certificate database (truststore) | The truststore that validates the syslog server certificate. |
      | Enable client certificate authentication | Click Enable client certificate authentication. The client can do client certificate authentication during the SSL handshake upon server request. |
      | Certificate database (keystore) | The keystore for client certificate authentication. |
      | Certificate label | The personal certificate for client certificate authentication. |
      | Enable disk failover | Clear Enable disk failover. |

    3. Click Save.
    4. Click the "Click here to review the changes or apply them to the system" link to review pending changes.
    5. Click Deploy Changes.

      The runtime server restarts automatically if any of the new changes require a restart.

    Configuring IBM IDaaS Platform to Communicate with JSA

    You can enable IBM IDaaS Platform audit events to be generated in LEEF format on your IBM® IDaaS console.

    Ensure that IBM® IDaaS Platform is installed and configured on your WAS console.

    1. Access the IDaaS Platform configuration file on your WAS console: <WAS_home>/profiles/<profile_name>/config/idaas/platform.config.properties
    2. If the platform.config.properties file does not contain a set of audit properties, configure the following options:

      | Property | Description |
      |---|---|
      | audit.enabled=true | Audit property is enabled. |
      | audit.syslog.message.format=leef | Valid type is LEEF. |
      | audit.syslog.server=10.108.122.107 | |
      | audit.syslog.transport=TRANSPORT_UDP | Transport values are TRANSPORT_UDP and TRANSPORT_TLS. |
      | audit.syslog.server.port=514 | |

    3. Restart the IBM IDaaS Platform application on your WAS console.
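
The following check is an added example, not part of the original guide or of IBM or Juniper code: it parses a platform.config.properties file and reports missing audit properties and the cleartext TRANSPORT_UDP setting, which does not match the TLS Syslog protocol that the log source table specifies. The function names are hypothetical, and the case-insensitive value comparison is an assumption.

```python
# Added example: checks the audit properties that this page lists.
REQUIRED = {"audit.enabled": "true", "audit.syslog.message.format": "leef"}
ENDPOINT_KEYS = ("audit.syslog.server", "audit.syslog.server.port")
TRANSPORTS = ("TRANSPORT_UDP", "TRANSPORT_TLS")  # the two values the page names

# Sample input built from the property table on this page.
PAGE_SAMPLE = """\
audit.enabled=true
audit.syslog.message.format=leef
audit.syslog.server=10.108.122.107
audit.syslog.transport=TRANSPORT_UDP
audit.syslog.server.port=514
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_audit_config(text):
    """Return (severity, message) findings; an empty list means no issues."""
    props = parse_properties(text)
    findings = []
    for key, want in REQUIRED.items():
        got = props.get(key)
        # Assumption: values are compared case-insensitively.
        if got is None or got.lower() != want:
            findings.append(("error", f"{key} should be {want}, found {got!r}"))
    for key in ENDPOINT_KEYS:
        if not props.get(key):
            findings.append(("error", f"{key} is not set"))
    port = props.get("audit.syslog.server.port", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("error", f"invalid port {port!r}"))
    transport = props.get("audit.syslog.transport")
    if transport not in TRANSPORTS:
        findings.append(("error", f"unknown transport {transport!r}"))
    elif transport == "TRANSPORT_UDP":
        findings.append(("warn", "TRANSPORT_UDP forwards audit events in "
                         "cleartext; TRANSPORT_TLS matches a TLS Syslog log source"))
    return findings

if __name__ == "__main__":
    for severity, message in check_audit_config(PAGE_SAMPLE):
        print(f"{severity}: {message}")
```

Run against the sample values from the table, the check reports only the TRANSPORT_UDP warning; with TRANSPORT_TLS it reports nothing.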

    Configuring an IBM IDaaS Console to Communicate with JSA

    You can enable audit events to be generated in LEEF Syslog format on your IBM® IDaaS console.

    Ensure that your IBM® IDaaS console is installed and configured.

    1. Select Secure Access Control > Advanced Configuration.
    2. Type idaas.audit.event in the Filter text box. The default format is Syslog.
    3. Click Edit.
    4. Select LEEFSyslog.
    5. Click Save.
    6. Click Deploy Changes.

    Modified: 2017-09-13