Symantec Access Management

  • 1.  CA SSO : SecureProxyServer :  Customization on SPS Doc Root

    Posted Sep 29, 2015 10:55 AM

    Could I know if the following customizations are possible on Secure Proxy Server within the remit of the current design?

    The parameter document_root in server.conf currently points to <install_home>/proxy-engine/examples.

    #########################################

    Question : If we are using the current doc root?

    #########################################

    1. We would like to add their Custom Error Pages under the default Doc Root in Server.conf, i.e. under the "examples" folder.

    2. We do not want to expose any other pages from the current doc root, i.e. ../../proxy-engine/example ;

        a. Is it safe to remove all the folders? (We are guessing yes, except login.fcc, which is served off forms/login.fcc.)

        b. What is the purpose of the "sessionscheme" and "filters" folders under the 'examples' folder? Are they just examples, and is it safe to move these folders elsewhere if only the default session scheme would be used in end-user transactions?

    3. Could we serve .html pages in addition to .fcc pages?

    #########################################

    Question : If we are using a different doc root?

    #########################################

    1. Could we point the Doc Root in Server.conf to some other folder path?

    2. Would we just need to change the document_root parameter in server.conf OR would it need to be changed elsewhere too?

    3. Would this have any cascading impact on any other functionality?

    4. Could we serve .html pages in addition to .fcc pages?

    #########################################

    Updates from my testing.

    #########################################

    I was able to change the "document root" in server.conf to <sps_install_home>/proxy-engine/templates.

    1. This folder only had the forms folder and siteminderagent folder.

    2. All siteminder credential collector pages were working.

    3. ProxyUI login was working.

    4. I created a HTML page and JSP page under <sps_install_home>/proxy-engine/templates/sites.

        a. They did not work.

        b. JSP and HTML were handled by proxyrules and sent to the backend.

    5. I created a HTML page and JSP page under <sps_install_home>/proxy-engine/Tomcat/webapps/sites.

        a. They did not work.

        b. JSP and HTML were handled by proxyrules and sent to the backend.

    Is there any way to host a few pages on SPS?

    The only other alternative is to host the application pages on another Web/App Server on the same SPS machine and proxy it. We would prefer to avoid doing this, as these pages are the custom login pages and error pages. Unless we state that this is absolutely not possible and proxying is the only solution.

    Regards

    Hubert



  • 2.  Re: CA SSO : SecureProxyServer :  Customization on SPS Doc Root
    Best Answer

    Broadcom Employee
    Posted Oct 01, 2015 01:54 AM

    Hi Hubert,

     

    You may already have part of the answer you need, as I was asked this same question internally, and I assume the engineer was asking on your behalf.

     

    But essentially the answer was yes, you can remap document root as long as you copy across any .fcc pages that you are using.   If you are not using any then you will not need them. 

     

    The other directories in examples, sessionschemes and filters, are just examples, and are not needed.

     

    For the final question, hosting some pages directly on the SPS itself, the answer to that is also YES.

     

    For pages that can be served directly from Apache (e.g. vanilla html pages, or .jpg files, etc.) you can direct Apache to serve those pages directly, as per the JkIgnore directives in the httpd.conf file - there are some there for the .fcc page .gif files, that you can use as a template.  Note that these pages are returned before Siteminder rules are evaluated - so they cannot be protected.

     

    For .jsp / .war files, which is what your example above uses, those can also be deployed in the SPS tomcat app engine - here is a quick way to show you how to do it.

     

    In the proxy-engine server.conf, in the <Contexts> section, I've added a new "Context" called "test1":

    [Screenshot: Capture1.PNG]

     

    And then in <secure-proxy>/Tomcat/webapps/ I have created a new directory test1.  For my part I have cheated: to create this directory I just copied the ROOT directory and renamed it as "test1", but for real deployment you can create your own .war or app directory.  Here is the directory:

    [Screenshot: Capture2.PNG]

     

    And then when I access http://www.example.com/test1/   I get redirected to the login page (since I had it protected), and then when authenticated it runs the webapp in test1 directory. Aka:

     

    [Screenshot: Capture3.PNG]

     

    So that is a method that allows me to run .jsp and/or a local .war deployment on the SPS tomcat instance.

     

    Cheers - Mark
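
The answer above notes that pages Apache serves directly are returned before SiteMinder rules are evaluated, so whatever sits under the doc root with a directly served extension is public. The following is an added example, not code from the thread or from the product: it inventories a doc root against an allow-list of pages meant to be public. The extension list, function names and sample tree are assumptions; the extensions must be copied from the exclusions in your own httpd.conf.

```python
import os
import tempfile

# Assumption: extensions Apache serves directly, transcribed by the admin
# from the exclusion directives in their own httpd.conf.
DIRECT_EXTENSIONS = {".html", ".gif", ".jpg"}
# Credential collector pages, which the thread says must stay under the doc root.
COLLECTOR_EXTENSIONS = {".fcc"}


def audit_doc_root(doc_root, expected_public):
    """Classify every file under doc_root.

    Returns (unexpected, collectors, other): relative paths Apache would
    return before policy evaluation that are not on the allow-list,
    credential collector pages, and files with any other extension.
    """
    unexpected, collectors, other = [], [], []
    for folder, _dirs, files in os.walk(doc_root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), doc_root)
            rel = rel.replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in COLLECTOR_EXTENSIONS:
                collectors.append(rel)
            elif ext in DIRECT_EXTENSIONS and rel not in expected_public:
                unexpected.append(rel)
            elif ext not in DIRECT_EXTENSIONS:
                other.append(rel)
    return sorted(unexpected), sorted(collectors), sorted(other)


def build_sample_root(base):
    """Constructed sample tree, not taken from a real SPS install."""
    for rel in ("forms/login.fcc", "errors/403.html", "errors/500.html",
                "sessionscheme/demo.html", "filters/readme.txt"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        allowed = {"errors/403.html", "errors/500.html"}
        print(audit_doc_root(build_sample_root(tmp), allowed))
```

Anything in the first list is a leftover page that would be reachable without authentication and should be removed or moved out of the doc root.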



  • 3.  Re: CA SSO : SecureProxyServer :  Customization on SPS Doc Root

    Posted Oct 01, 2015 09:18 AM

    Mark

     

    Thank you so very much for detailing out each and every point I queried on. It means a lot when someone takes the effort to read every point and answers / suggests / comments on every point that is queried. That is the complete essence of being in Support or Services.

     

    I did not find this amount of finer details on the Ticket, though it is the same content I copied from the ticket I raised. The only option suggested was jkIgnore Directive. There was no update on any of the other points. Hence I reached out to the wider forum on communities and it paid off. I was directly able to run this past your eyes.

     

    I am also going to cross-reference this in the Ticket, so that the conclusion remains complete.

    Regards

    Hubert.



  • 4.  Re: CA SSO : SecureProxyServer :  Customization on SPS Doc Root

    Posted May 28, 2018 11:34 PM

    HubertDennis and Mark.ODonohue

    We have SPS 12.52 set up in our environment and have below as document root in server.conf

    document_root="../../proxy-engine/mypages"  so when I put any .sec or .unsec file under this directory I get the http 200, however it doesn't work for html or jsp.

    How can I serve html pages from the same doc root?

    I tried to find the config which forces this behavior, but couldn't find any.

     

    Regards

    -

    Rohit



  • 5.  Re: CA SSO : SecureProxyServer :  Customization on SPS Doc Root

    Posted Feb 06, 2019 10:51 AM

    Nice article.  Will CA Support be OK with customers hosting local content on the Access Gateway?  I seem to remember specific statements to the contrary in Docops.

     

    Granted, they won't support the customer's applications but the configurations needed to enable this content to be hosted locally - will that be supported?  Are we leading customers down a customization path to nowhere?

     

    Asking for a friend

    Brian