Layer7 Access Management

Tech Tip: CA Single Sign-On: CA Access Gateway: How to protect Auth/Az Web services with Basic Authentication

By Ujwol posted 11-22-2016 09:26 PM

  

Summary:

In this guide, we will see how to protect the Auth/AZ web service on CA Access Gateway (SPS) with Basic Authentication, and how to configure a web service client to pass that credential when invoking the Auth/AZ web service.

 

For this use case, we test with the REST web service, but the procedure is exactly the same for a SOAP web service call.

Environment:

  • Web Agent: 12.52 and above
  • OS: Any

Instructions:

 

Protect CA Access Gateway Auth/AZ web service

 

Create a Domain, Realm, Rule and Policy to protect the root URL /authazws/. The realm's authentication scheme determines how the agent challenges the client, so for this guide the realm uses a Basic authentication scheme. For this demo, only the user "shruj01" is authorised to access the Auth/AZ web service resource.

 

 

TEST 1: REST Client (e.g. SoapUI)

 

1. Base64-encode the web service user credential in the form "username:password". Any Base64 encoder will do (the original post links an online one), but prefer a local tool such as the base64 command: the encoded string is a reversible encoding of the password, not a hash, so a real credential should not be pasted into a third-party web site.

Copy the encoded output; it is needed in the next step when configuring the REST client.

 

2. Configure the REST POST request as below.

The important point is that, because the web service is now protected, the following headers must be sent along with the actual REST request:

a. Authorization: Basic <Base64-encoded value of username:password>

b. Cookie: SMCHALLENGE=YES (required if RequireCookies=YES in the Agent Configuration Object (ACO) of the agent protecting the Auth/AZ web service resource)

 

TEST 2: REST Client (e.g. Java)

1. Modify the environment-specific properties in UserAuthenticationServiceImpl.java (in the attached sample) to match your environment.

2. Modify the JDK home in java-build.bat and java-run.bat (Windows).

3. Compile the test class by running java-build.bat (Windows) / java-build.sh (Unix).

4. Execute the class by running java-run.bat (Windows) / java-run.sh (Unix).
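The client side of both tests, as an added example that is not part of the original post or its attached Java sample: a Python client that builds the Authorization: Basic header locally (so the credential never goes to an online encoder), adds the Cookie: SMCHALLENGE=YES header for the RequireCookies=YES case, and POSTs to the Auth/AZ REST login endpoint. Because a real CA Access Gateway is not available offline, the block also starts a small constructed stand-in server that models only the agent's two checks and returns a canned resultCode/sessionToken reply. The host and port, the login path, the user names, the passwords and the JSON request shape are assumptions for illustration; take the real request schema from the documentation linked under Additional Information.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed web-service credential for the realm that protects /authazws/.
# The post authorises only the user "shruj01"; the password here is made up.
WS_USER = "shruj01"
WS_PASSWORD = "ws-secret"
LOGIN_PATH = "/authazws/AuthRestService/login"  # assumed REST login path


def basic_auth_header(username: str, password: str) -> str:
    """Return 'Basic ' + base64('username:password'), computed locally so the
    credential never has to be pasted into an online encoder."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def call_authaz(base_url: str, payload: dict, ws_user: str, ws_password: str,
                require_cookies: bool = True) -> tuple[int, dict]:
    """POST a JSON body to the Auth/AZ REST service and return (status, json body).

    The service itself sits behind a web agent, so two extra headers travel with
    the request: Authorization: Basic for the agent's realm, and the
    Cookie: SMCHALLENGE=YES header when that agent's ACO has RequireCookies=YES.
    4xx responses are returned rather than raised so callers can inspect them.
    """
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": basic_auth_header(ws_user, ws_password),
    }
    if require_cookies:
        headers["Cookie"] = "SMCHALLENGE=YES"
    req = Request(base_url + LOGIN_PATH, data=json.dumps(payload).encode("utf-8"),
                  headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8") or "{}")
    except HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


class FakeAuthAzHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the protected service (not CA/Broadcom code).
    It models only the agent's two checks and then returns a canned login reply."""
    require_cookies = True  # mirrors RequireCookies=YES in the agent's ACO

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self.headers.get("Authorization") != basic_auth_header(WS_USER, WS_PASSWORD):
            return self._reply(401, {"error": "bad or missing Basic credential"})
        if self.require_cookies and "SMCHALLENGE=YES" not in self.headers.get("Cookie", ""):
            return self._reply(401, {"error": "SMCHALLENGE cookie required"})
        # Field names follow the resultCode/sessionToken names mentioned in the
        # post's comments; the token value is made up.
        return self._reply(200, {"resultCode": "LOGIN_SUCCESS",
                                 "sessionToken": "constructed-token"})

    def _reply(self, status: int, body: dict) -> None:
        data = json.dumps(body).encode("utf-8")
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="authazws"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_fake_server() -> tuple[HTTPServer, str]:
    """Start the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeAuthAzHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base_url = start_fake_server()
    # Assumed request shape: the end user's credentials ride in the JSON body,
    # the web-service credential in the Authorization header.
    payload = {"login": {"username": "enduser", "password": "enduser-pw"}}
    print("correct call:    ", call_authaz(base_url, payload, WS_USER, WS_PASSWORD))
    print("no SMCHALLENGE:  ", call_authaz(base_url, payload, WS_USER, WS_PASSWORD, False))
    print("wrong credential:", call_authaz(base_url, payload, WS_USER, "wrong"))
    server.shutdown()
```

Run it directly to see a 200 for the correct call, a 401 when the SMCHALLENGE cookie is omitted, and a 401 for a wrong web-service credential. Against a real gateway, replace the stand-in base URL with the Access Gateway's and use HTTPS: the Basic credential is only Base64-encoded, not encrypted, so it must not travel over plain HTTP.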

Sample output:

Sample class:

 

Attachment:

1. Sample Java program 

 

Additional Information:

Configuring the Authentication and Authorization Web Services - CA Single Sign-On - 12.52 SP1 - CA Technologies Document… 

13 comments

Comments

10-23-2018 10:27 AM

What I understand is we have to fetch SMSESSION from the cookie after my first authorization call and add it in my subsequent REST call as a cookie header? Can you share some reference link on how I can achieve this in REST web services? Thanks

10-22-2018 07:31 PM

Hi Vipul, the actual index.html page is never returned when calling the Authorize request. The authorize call returns a YES or NO saying whether the user has permission to access the index.html page or not, but does not return the contents of the index.html page itself.

 

There is a bit of a disconnect with how the AuthAz web services are used.

 

The design of the API is really more for other servers to delegate the login/authorize call, and then provide the user the content if it was authorized.

 

But in practice, the most common use case was a mobile app making the AuthAz login call, because there was a need for a process where a mobile app could navigate the SM login process and get an SMSESSION token that it could then use for access to a real resource (even the first demo apps of the API's usage were all mobile-based apps making login calls).

 

But in a mobile app the Authorize call does not make as much sense, since it only returns a status of whether you have permission to access the resource or not; it does not return the actual resource. To get the actual resource you need to do an HTTP request with the SM token as an SMSESSION cookie and send it to the web server that has the resource.

 

The mismatch explains a bit why there is this two-layered authentication requirement, where you need to be authenticated to get access to the web services API, which then allows you to make a login call on behalf of a user, and why the authorize call returns whether you have permission to access rather than the actual content. That is how a delegated server would use the AuthAz API, not how a mobile app would want to use it.

 

Probably a good enhancement to the example above, from a mobile app point of view, would be calling the AuthAz Login function, then extracting the SM token, making it an SMSESSION cookie, and making a request to a normal web agent for the actual resource. If someone from the SSO team has the time.

 

Cheers - Mark

10-22-2018 04:24 PM

Ujwol, can I get index.html (http://wssps02.ca.com/authazws/AuthRestService/login/1234/html/index.html)? Actually I am trying to grab "resultCode" and "sessionToken" post-authentication.

09-04-2017 08:45 AM

Guys, thank you for the help. Finally, it is working...

Well, to summarize, I did this:

 

requireagentenforcement=no

1. Either not have any realm matching the resource or, if you have the realm matching the resource, set the default resource protection to UNPROTECTED.

2. Also , if you have the realm, ensure that there are NO rule under this realm

 

 

Thank you very much! 

09-04-2017 08:16 AM

Hmm, thank you for the answer. However, if I set EnableAuth or EnableAZ to NO, will I need to set the Realm to unprotected AND disable the Rule?

09-04-2017 02:40 AM

Ednei_Rodrigues

To unprotect the resource you need to ensure two things :

 

1. Either not have any realm matching the resource or, if you have the realm matching the resource, set the default resource protection to UNPROTECTED.

2. Also , if you have the realm, ensure that there are NO rule under this realm. 

 

Even if you have realm set as unprotected, if you have any rule under it, the resource becomes protected.

09-01-2017 03:46 PM

It works without protection:

 

Change this setting to:

requireagentenforcement=no

 

Restart SPS and try it again.

09-01-2017 03:26 PM

OK, I removed the related policy from the agent. However, I got this message:

SM_WSZ_00033 - The service is not protected by an agent as required by the requireagentenforcement setting.

 

So I think the Web Service doesn't work without protection, right?

09-01-2017 02:56 PM

Makesh.T, I think that it will not work. It would be better to remove the web agent config from Apache (CA Access Gateway), wouldn't it?

09-01-2017 01:30 PM

Delete the domain you previously created, then see if WebServices is still protecting or not.

09-01-2017 01:20 PM

Yes, I know that; however, like I said, it's only for testing. I checked the Unprotected choice; however, the Web Service keeps protecting the resource! That's my problem.

09-01-2017 01:16 PM

Skip the section that says "Protect CA Access Gateway Auth/AZ web service" in the instructions above: that will keep the Web Service unprotected.

09-01-2017 12:34 PM

Hello!! How are you?

Ujwol

I have a question about this protection. Is it possible to unprotect the Auth/AZ web service? I want to access this WSDL without authentication for testing reasons.

 

 

Thank you!