Configuring the reCAPTCHA Verification authentication mechanism

The reCAPTCHA Verification authentication mechanism provides anti-robot protection.

Before you begin

The appliance uses the Google reCAPTCHA service to provide such verification. For more information, see www.google.com/recaptcha.

Note: The appliance supports only Google reCAPTCHA V2.

Before configuring a reCAPTCHA Verification mechanism, you must first complete the following steps.

  • Ensure that the appliance can connect to www.google.com. You can test the connection in the CLI, for example:

    myappliance.example.ibm.com:tools> connect www.google.com:443
    Test:   www.google.com (address: 216.58.197.68) on port 443
    Status: connection was successful
  • Add the issuer of the Google CA certificate to the HTTP client default trust store, which is set by the value of the util.httpClient.defaultTrustStore advanced tuning parameter. The default value of the util.httpClient.defaultTrustStore parameter is rt_profile_keys.

    1. From the top menu, select Manage System Settings > Secure Settings > SSL Certificates.
    2. Select the rt_profile_keys key database.
    3. Select Manage > Edit SSL Certificate Database.
    4. Select the Signer Certificates tab.
    5. Select Manage > Load.
    6. Specify the following fields.
      Server: www.google.com
      Port: 443
      Certificate Label: Google
    7. Click Load.

About this task

The reCAPTCHA Verification mechanism can provide protection against spam or abuse caused by robots. With this mechanism, the user is presented with a web page that contains a simple Turing test provided by the Google reCAPTCHA API. These tests can distinguish a human user from a robot. You can add this mechanism to your policy to prevent robots from accessing your applications.

The following HTML snippet shows an example of embedding the reCAPTCHA mechanism in the template page:

<!-- Loads the reCAPTCHA V2 widget; the div below is rendered by this script -->
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<form method="POST" action="@ACTION@">
    <!-- Tells the mechanism that this POST carries a CAPTCHA response to verify -->
    <input type="hidden" name="operation" value="verify">
    <!-- @SITE_KEY@ is replaced with the mechanism's Site Key property -->
    <div class="g-recaptcha" data-sitekey="@SITE_KEY@"></div>
    <br>
    <div class="controls">
        <input class="submitButton" id="Submit" name="Submit" type="submit" value="Submit">
    </div>
</form>

Procedure

  1. Log in to the local management interface.
  2. Click Secure Access Control.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click reCAPTCHA Verification.
  6. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify Property.
    3. Enter the value for that property.
    4. Click OK.
  7. Take note of the properties for the mechanism.
    Site Key

    This property is embedded in the HTML template and used to generate the CAPTCHA in the client browser.

    Default value: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI

    Secret Key

    This property is used on the server side by the appliance to verify reCAPTCHA responses with Google.

    Default value: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

    Note: The default Site Key and Secret Key values are the Google test credentials. While these defaults are in use, every verification request passes, so the mechanism blocks nothing until you replace them with the keys registered for your site.

    Template Page

    The path to the template HTML page to be displayed to the user.

    Default value: /authsvc/authenticator/recaptcha/standalone.html

  8. Click Save.
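The server-side half of the flow described above (the appliance verifying the form posted from the template page with the Secret Key), together with a check for the test credentials listed in step 7, as an added example that is not the appliance's own code. It calls Google's siteverify endpoint; the transport is injectable so the logic can be exercised offline, and `expected_hostname` and the form-field handling are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Google's published reCAPTCHA V2 test credentials, which are also the
# appliance defaults quoted on this page. Verification with these always passes.
GOOGLE_TEST_SITE_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
GOOGLE_TEST_SECRET_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def check_mechanism_config(site_key, secret_key):
    """Return findings for a reCAPTCHA Verification mechanism's key properties.
    An empty list means neither key is a Google test credential."""
    findings = []
    if site_key == GOOGLE_TEST_SITE_KEY:
        findings.append("Site Key is the Google test key: every CAPTCHA passes")
    if secret_key == GOOGLE_TEST_SECRET_KEY:
        findings.append("Secret Key is the Google test key: every verification passes")
    return findings


def post_form(url, fields):
    """Real transport: HTTPS POST of URL-encoded fields, JSON reply decoded."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)


def verify_recaptcha(secret_key, form_fields, expected_hostname, transport=post_form):
    """Check one form submitted by the template page (operation=verify).
    Returns (ok, reason). `transport(url, fields)` must return the decoded
    siteverify JSON; it is a parameter so tests can run without network access."""
    if form_fields.get("operation") != "verify":
        return False, "unexpected operation"
    token = form_fields.get("g-recaptcha-response", "")
    if not token:
        return False, "no g-recaptcha-response token in the form"
    result = transport(SITEVERIFY_URL, {"secret": secret_key, "response": token})
    if not result.get("success"):
        return False, "siteverify failed: " + ",".join(result.get("error-codes", []))
    # Bind the token to this site: a token solved for another hostname is refused.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch: " + str(result.get("hostname"))
    return True, "verified"
```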

What to do next

After you configure the mechanism, the appliance displays a message indicating that the changes are not yet deployed. Deploy the changes when you are finished. For more information, see Deploying pending changes.

After deploying the changes, you can create policies that include this mechanism. For more information, see Creating an authentication policy.