Symantec Access Management


SPS configuration for Web Services

  • 1.  SPS configuration for Web Services

    Posted Mar 17, 2015 04:14 PM

    Hi,

     

    I'm sure I'm missing something. Hoping someone could point me to the error.

     

    I have my SPS configured and have enabled the authentication and authorization web service. First question.

    - Just having the SPS installed and auth az enabled, is that all we need to do to expose the REST and SOAP API? Or are there additional apps that I need to develop and deploy somewhere?

    I have the app enabled in server.conf.

    I've added a virtual host in the server.conf and pointed it to the webservicesagent/WebAgent.conf. From the logs, I can see that the web services initialized successfully. I can see the web agent initialized successfully.

    I've created a test agent and tied that in the ACO, and I protected the /authaz context with an X.509 authentication scheme.

    When I try to get to the WSDL, I get a 500 server error. The only error I see is in the agenttrace.log: it enters the virtual host, and then throws a 500 error. It doesn't give me any other information.

     

    Regards,

    Anand.



  • 2.  Re: SPS configuration for Web Services

    Posted Mar 19, 2015 04:43 PM

    Hi Anand,

     

    I am having the same problem. I didn't understand this: "I have the app enabled in server.conf." Please share when you resolve this issue.

     

    Thanks,



  • 3.  Re: SPS configuration for Web Services

    Posted Mar 19, 2015 05:13 PM

    Anand anand3g 

     

     

    Probable Mistake number-1.

    I have the app enabled in server.conf.

    I state this probable because even this gets enabled from SPS UI. If not then do manually.

     

    Confirmed Mistake number-2.

    I've added a virtual host in the server.conf and pointed it to the webservicesagent/WebAgent.conf. From the logs, i can see that the web services initialized successfully. I can see the web agent initialized successfully.

    I state this confirmed, because I did the same blunder. Then scratched my head for a long time. Then figured out that when I enable the AuthAz App via the SPS UI, it creates a Virtual Host. That is the correct one. I did this via SPS UI, which created a VH for me automatically and it then worked like a smoothie.

     

     

    Roll back your manual edits. Then do it via SPS UI.

     

     

    Regards

     

    Hubert



  • 4.  Re: SPS configuration for Web Services

    Posted Mar 19, 2015 06:25 PM

    Point number 2 is very deceiving; it may lead us to believe that we should create a VH first and then enter the name of that VH here. It is actually the other way round. Enter the name you would like your Virtual Host to have when the SPS UI creates it for you.

    Make sure that whatever VH name you provide is a valid one, e.g. resolves to an IP address. If it is your play pen env, then make a host entry before you add the VH name in the SPS UI.

     

     

    Enable the Web Services

    Use the ACO that you created in the previous procedure to enable the web services through Administrative UI.


    Note: If the values of enableauth and enableaz are set to no, the web services do not function even though you enable the support through CA SiteMinder® SPS Admin UI.

     

    Follow these steps:

    1. Navigate to Proxy Configuration, Auth and Az Web Services.
    2. Type the unique host name of the web services virtual host in Host Name.
    3. Type the name of the ACO that is created for the web services in Agent Configuration Object.
    4. Click Save.
      The web services are enabled.

     

     




  • 5.  Re: SPS configuration for Web Services

    Posted Mar 20, 2015 09:14 AM

    Hi,

     

    I am stuck here... I am testing with virtual host. In the document:

    (The function of the client program is to issue authentication and authorization requests to the web service on behalf of another application. The client program requires code for a client stub. The stub manages, sends, and receives messages to communicate with the web service. The web service supports a WSDL file (for the SOAP protocol) and a WADL file (for the REST architecture). You can access the WSDL or WADL file using a web browser, and then save it as an XML file.)

    Create the Client Program

    Follow these steps:

    1. Write the business logic for your application, which gathers the required credentials.
    2. Create the client stub. Optionally, you can use the WSDL or WADL file with a third-party tool to generate the client stub.
       To load the WSDL, use the following URL:
       http://hostname:port/authazws/auth?wsdl
       To load the WADL, use the following URL:
       http://hostname:port/authazws/AuthRestService/application.wadl
       Note: To retrieve the metadata from these locations, be sure to set the DefaultAgentName parameter in the ACO to one of your agents.
    3. Import the client stub and instantiate the stub object to invoke the web service.

    The sections that follow list simplified sample SOAP and REST messages for reference.

    Do we need to write any code to call the WSDL? Will you please guide me through some steps to get it to work?



  • 6.  Re: SPS configuration for Web Services

    Posted Mar 20, 2015 10:15 AM

    @Hubert : Thank you. That was very helpful.

     

    Now I have the same state as you. I can get to the wsdl and wadl. I get the message that the web services and the web agent are initialized.

     

    As of now, I've unprotected /authazws in the realm. If I get it working unprotected, then I'll protect it with the x.509 auth scheme.

     

    When I use SoapUI and send a request using the WSDL, this is what I see in the web service logs.

     

    2015-03-19 16:03:30,177 ERROR [com.ca.soa.services.authaz.webservice.ServiceLogic] - SM_WSZ_00031 - Authentication web service is not configured. Be sure InitServlet runs


    Anything else I've missed?

     

    @sreev You can use Soap UI to test the web services without writing code.

     

    Regards,
    Anand.



  • 7.  Re: SPS configuration for Web Services

    Posted Mar 20, 2015 03:59 PM

    Anand anand3g

     

    Have you configured a Realm to protect your AppID? e.g.

    If your agent_name,appID is agent1,application1

    Then create a realm to protect "application1" and a rule with "*". Map "agent1" to the realm protecting "application1".

    Now try and suggest. If I get some time, I'll try myself and see what is causing this error.



  • 8.  Re: SPS configuration for Web Services

    Posted Mar 20, 2015 04:43 PM

    @Hubert.

     

    Thanks. When I was protecting it I was getting a 500 error. After I unprotected I was able to get to the wsdl and wadl.

     

    So if my agentname,appid is ws-webagent,testapp

    realm I should be protecting is authazws/testapp with a * rule.

    And the Auth scheme should be a x.509 cert auth scheme?

     

    Thank you so much for your help with this!

     

    Regards,

    Anand.



  • 9.  Re: SPS configuration for Web Services

    Posted Mar 20, 2015 05:51 PM

    Anand anand3g

     

    The Auth scheme I think can be a BASIC or FORM. I would try with basic.

     

    Am 100% sure we need not protect /testapp with X509 (X509 is needed to protect only the authaz webservice URL); because we are sending the Credential in XML Request from SOAP UI.

     

    Your realm would be /testapp and not /authazws/testapp.

     

    Try this and let me know.

    Realm : /testapp
    Rule : *
    Method : GET, POST, PUT (wondering should there be anything more; but try with these 3).
    AuthScheme : Basic.
    WebAgent : ws-webagent.
    Policy : All Users Allowed.

     

     

     

    Regards

     

    Hubert



  • 10.  Re: SPS configuration for Web Services

    Posted Mar 23, 2015 07:15 PM

    Hi Hubert.

     

    Thanks for sticking with me. I tried what you suggested. I still get the same error.

     

    Authentication web services not configure. Be sure init servlet runs.

     

    any ideas?

     

    Regards,

    Anand.



  • 11.  Re: SPS configuration for Web Services

    Posted Mar 23, 2015 08:40 PM

    No worries Anand anand3g

     

    Could you confirm the ACO which we are using for AuthAzWS has the following values set.

     

     

    ACO Name : authaz_aco

    DefaultAgentName : wa_authaz
    AgentName : wa_authaz_app1,app1
    EnableAuth : yes
    EnableAz : yes
    RequireAgentEnforcement : no

    I am not protecting the authazwebservice URL with X509 authentication as of yet. Hence RequireAgentEnforcement is set to NO.

    ACO Name : sps_aco.

    DefaultAgentName : wa_sps

    The reason I have 2 ACO's is because I am using different WebAgent.conf for Default Virtual Host and AuthAzWebServices Virtual Host.



  • 12.  Re: SPS configuration for Web Services

    Posted Mar 23, 2015 09:09 PM

    Anand anand3g

     

    My AuthAzWS does not throw any errors. Therefore I am good from initialization perspective.

     

    However something weird, SOAP UI says my resource /app1* is unprotected (I have a realm protecting /app1* with Basic Auth Scheme). So I am close, however I guess I am missing something small. The funny part is I don't see any traffic hitting policy server for the /app1 request. So I need to debug further, would see if I could gather more time.

     

     

    AuthAzWS.log (DEBUG mode, By default authaz-log4j.xml has INFO, changed it to DEBUG and recycled the SPS Services).

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered login()

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getFilterCtxData()

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - appId: app1 resource: /*

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: AAAAAA

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headeraction: GET

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerappid: app1

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerresource: /*

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Printing Headers

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-type: application/soap+xml;charset=UTF-8;action="urn:login"

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header host: wsauthazvhosting.ca.com

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_TRANSACTIONID: 243a26a3-55bce775-6909cb8d-d56e794e-af595471-a0

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header resource: /*

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header appid: app1

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header user-agent: Jakarta Commons-HttpClient/3.1

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_SDOMAIN: .ca.com

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USER:

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: AAAAAA

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-length: 788

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header action: GET

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header Accept-Encoding: gzip,deflate

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USERDN:

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Done Printing Headers

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Exit getFilterCtxData()

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogicBackend] - ProcessRequest returned: -1

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered populateResponseAttributes

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-type

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: host

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_TRANSACTIONID

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_T

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: resource

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: reso

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appid

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appi

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user-agent

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_SDOMAIN

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_S

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: password

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: pass

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USER

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_AUTHTYPE

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_A

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: username

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-length

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: action

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acti

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: Accept-Encoding

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: Acce

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USERDN

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving populateResponseAttributes

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login() returning: com.ca.soa.services.authaz.webservice.LoginResult@361177

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login()

    2015-03-23 21:03:30,659 DEBUG [com.ca.soa.services.authaz.webservice.AuthAzJaxWSService] - Returning com.ca.soa.services.authaz.webservice.LoginResult@361177

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered login()

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getFilterCtxData()

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - appId: app1 resource: /*

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: AAAAAA

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headeraction: GET

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerappid: app1

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerresource: /*

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Printing Headers

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-type: application/soap+xml;charset=UTF-8;action="urn:login"

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header host: wsauthazvhosting.ca.com

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_TRANSACTIONID: 19bc912f-1c25ef63-49925c0b-b2d56980-fdc2e235-1f2

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header resource: /*

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header appid: app1

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header user-agent: Jakarta Commons-HttpClient/3.1

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_SDOMAIN: .ca.com

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USER:

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: AAAAAA

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-length: 788

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header action: GET

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header Accept-Encoding: gzip,deflate

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USERDN:

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Done Printing Headers

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Exit getFilterCtxData()

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogicBackend] - ProcessRequest returned: -1

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered populateResponseAttributes

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-type

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: host

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_TRANSACTIONID

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_T

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: resource

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: reso

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appid

    2015-03-23 21:03:36,487 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appi

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user-agent

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_SDOMAIN

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_S

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: password

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: pass

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USER

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_AUTHTYPE

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_A

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: username

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-length

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: action

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acti

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: Accept-Encoding

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: Acce

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USERDN

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving populateResponseAttributes

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login() returning: com.ca.soa.services.authaz.webservice.LoginResult@1af82d

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login()

    2015-03-23 21:03:36,503 DEBUG [com.ca.soa.services.authaz.webservice.AuthAzJaxWSService] - Returning com.ca.soa.services.authaz.webservice.LoginResult@1af82d

     

     

     




  • 13.  Re: SPS configuration for Web Services
    Best Answer

    Posted Mar 24, 2015 03:53 PM

    Anand anand3g

     

    Finally it is working.

     

    Capture.JPG

     

     

     

    Here is what we need to do.

    No need to protect the AuthAzWS URL, i.e. /authazws/auth, for testing purposes. In production we need to protect this using X509 auth.

    Now, in the ACO which we are using for AuthAzWS, i.e. authaz_aco, look at the AgentName parameter. It is wa_authaz_app1,app1

    Create a Policy Domain with a realm, with Basic Authentication Scheme, to protect resource /testpage, with rule /* (with GET POST PUT) and associate wa_authaz_app1 to this realm. Add the rule to Policy and allow all users for now.

     

     

    Now open SOAP UI. And use the screenshot above.

     

     

     

    Hopefully you'll be dancing with joy

     

     

    Regards

     

    Hubert
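
    A triage helper for the AuthAz web service log and the ACO values discussed in posts 11 to 13, added here as an example; it is not code from the posters or from the vendor. Log wording and ACO parameter names are taken from the thread; the function names are hypothetical, and reading `SM_AUTHTYPE: Not Protected` as "the web service URL was reached without agent authentication" is an assumption. The `ProcessRequest` value is recorded without interpretation.

```python
import re

LINE_RE = re.compile(r"^\s*(\S+ \S+) (\w+)\s+\[([^\]]+)\] - (.*)$")
APPID_RE = re.compile(r"appId: (\S+) resource: (\S+)$")
PROC_RE = re.compile(r"ProcessRequest returned: (-?\d+)$")
PKG = "com.ca.soa.services.authaz.webservice"

# Constructed sample: lines abridged from the log output quoted in this thread.
SAMPLE_LOG = f"""\
2015-03-19 16:03:30,177 ERROR [{PKG}.ServiceLogic] - SM_WSZ_00031 - Authentication web service is not configured. Be sure InitServlet runs
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogic] - Entered login()
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogic] - appId: app1 resource: /*
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogic] - Header SM_AUTHTYPE: Not Protected
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogicBackend] - ProcessRequest returned: -1
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogic] - Leaving login() returning: {PKG}.LoginResult@361177
2015-03-23 21:03:30,659 DEBUG [{PKG}.ServiceLogic] - Leaving login()
2015-08-24 11:39:04,831 DEBUG [{PKG}.ServiceLogic] - Entered login()
2015-08-24 11:39:04,831 DEBUG [{PKG}.ServiceLogic] - appId: app resource: /index.html
2015-08-24 11:39:04,837 DEBUG [{PKG}.ServiceLogic] - Header SM_AUTHTYPE: Not Protected
2015-08-24 11:39:04,841 DEBUG [{PKG}.ServiceLogicBackend] - ProcessRequest returned: -1
2015-08-24 11:39:04,854 DEBUG [{PKG}.ServiceLogic] - Leaving login()
"""

# ACO values as listed for authaz_aco in post 11.
SAMPLE_ACO = {
    "DefaultAgentName": "wa_authaz",
    "AgentName": ["wa_authaz_app1,app1"],
    "EnableAuth": "yes",
    "EnableAz": "yes",
    "RequireAgentEnforcement": "no",
}


def parse_log(text):
    """Group log lines into login() calls and collect ERROR codes."""
    calls, errors, current = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, level, _logger, msg = m.groups()
        if level == "ERROR":
            errors.append((ts, msg.split(" - ", 1)[0]))
        if msg == "Entered login()":
            current = {"ts": ts, "app_id": None, "resource": None,
                       "auth_type": None, "process_request": None}
        elif current is None:
            continue
        elif msg == "Leaving login()":
            calls.append(current)
            current = None
        elif (a := APPID_RE.match(msg)):
            current["app_id"], current["resource"] = a.groups()
        elif msg.startswith("Header SM_AUTHTYPE:"):
            current["auth_type"] = msg.split(":", 1)[1].strip()
        elif (p := PROC_RE.match(msg)):
            current["process_request"] = int(p.group(1))
    return calls, errors


def parse_agent_names(values):
    """AgentName values in the thread have the form 'agent_name,appID'."""
    mapping = {}
    for value in values:
        agent, _, app_id = value.partition(",")
        if app_id:
            mapping[app_id.strip()] = agent.strip()
    return mapping


def triage(calls, errors, aco):
    """Return (kind, detail) findings for the checks raised in the thread."""
    findings = [("log-error", code) for _ts, code in errors]
    for key in ("EnableAuth", "EnableAz"):
        if aco.get(key, "").lower() != "yes":
            findings.append(("service-disabled", key))
    if aco.get("RequireAgentEnforcement", "").lower() != "yes":
        # Post 11: set to no only while the URL is not yet X509-protected.
        findings.append(("agent-enforcement-off", "RequireAgentEnforcement"))
    agents = parse_agent_names(aco.get("AgentName", []))
    for call in calls:
        if call["auth_type"] == "Not Protected":
            findings.append(("endpoint-not-protected", call["ts"]))
        if call["app_id"] not in agents:
            findings.append(("appid-not-in-aco", call["app_id"]))
    return findings


if __name__ == "__main__":
    parsed_calls, parsed_errors = parse_log(SAMPLE_LOG)
    for kind, detail in triage(parsed_calls, parsed_errors, SAMPLE_ACO):
        print(f"{kind}: {detail}")
```

    The `appid-not-in-aco` finding covers the case where a request names an appID that has no `agent_name,appID` entry in the ACO's AgentName parameter, which is the mapping the realm in the best answer is tied to.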



  • 14.  Re: SPS configuration for Web Services

    Posted Mar 26, 2015 05:06 PM

    Hi Hubert and Anand,

     

    Fantastic. I was also struggling with this issue and following your advice above I got it working as well.

     

    Kind regards,

    Bjorn



  • 15.  Re: SPS configuration for Web Services

    Posted Aug 24, 2015 11:45 AM

    I am stuck with this. My authaz.log shows pretty much the same log as above when I try to use the REST login against /app. I don't see my ws-agent hitting the policy server in smaccess.log on the policy server; is that normal or a sign of a misconfiguration?

     

    HubertDennis

     

    What did you change between these two postings to get it working?

    2015-08-24 11:39:04,830 DEBUG [com.ca.soa.services.authaz.webservice.rest.LoginService] - Entered login GET request for subResources:app/index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered login()

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getFilterCtxData()

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - appId: app resource: /index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headeraction: GET

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerappid: app

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerresource: /index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Printing Headers

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-type: text/xml

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header host: afdafdafdsafdsafdfasfsaf.com

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_TRANSACTIONID: 23bf94cd-f54a9ac8-b9a116f0-aa41e750-8a765bd7-c4

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header accept: */*

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header resource: /index.html

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header appid: app

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header user-agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_SDOMAIN: .dp.swg.usma.ibm.com

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USER:@

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-length: 109

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header action: GET

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USERDN:

    2015-08-24 11:39:04,838 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Done Printing Headers

    2015-08-24 11:39:04,838 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Exit getFilterCtxData()

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogicBackend] - ProcessRequest returned: -1

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered populateResponseAttributes

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-type

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: host

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_TRANSACTIONID

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_T

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: accept

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acce

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: resource

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: reso

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appid

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appi

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user-agent

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_SDOMAIN

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_S

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: password

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: pass

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USER

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_AUTHTYPE

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_A

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: username

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-length

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: action

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acti

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USERDN

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving populateResponseAttributes

    2015-08-24 11:39:04,854 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login() returning: com.ca.soa.services.authaz.webservice.LoginResult@1e99fb1

    2015-08-24 11:39:04,854 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login()



  • 16.  Re: SPS configuration for Web Services

    Posted Mar 27, 2015 12:49 PM

    Just a couple general things I've found from our use of SPS AuthN/AuthZ web services:

     

    • The application object you are using as the 'web service' can use a normal FORMS or RSA auth scheme.
      • Simply adding our already existing RSA authentication scheme to an application object allowed the web service to pass the PIN+TokenCode as the password value to do two-factor authentication
    • If you want the sessiontoken value created by the SPS Web Service to work as an SMSESSION cookie for a Web Agent, you must update the Web Agent ACO for "AcceptTPCookie=yes" . Now if you use the Web Service created token against that Web Agent it should work (assuming authlevel and ssozone are same of course).
      • Have not gotten the other direction working yet for Web Agent token --> SPS unfortunately
    • You can return custom attributes by simply adding them as normal header variables on the application object.
      • For example, I add http header variable for myapp_username. The Web Service will return:

                    <response>

                    <name>myapp_username</name>

                    <value>testuser001</value>

                    </response>

      • Should work with any header variable, at least has for us so far including appending values together etc. Such as taking "username" + @ + "location"

                   <response>

                   <name>myapp_username_location</name>

                   <value>testuser001@Huntsville</value>

                   </response>
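
Client-side handling of the custom response attributes described in the post above, as an added example that is not part of the original post or the vendor's code. The `<response>`/`<name>`/`<value>` elements and their values are the ones quoted in the post; the wrapper element, the function names and the fail-closed policy are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <response> name/value pairs are the ones quoted in
# the post; <constructedWrapper> is a placeholder for the real envelope.
SAMPLE = """<constructedWrapper>
  <response><name>myapp_username</name><value>testuser001</value></response>
  <response><name>myapp_username_location</name><value>testuser001@Huntsville</value></response>
</constructedWrapper>"""


def local(tag):
    """Strip an XML namespace so SOAP-style qualified tags also match."""
    return tag.rsplit("}", 1)[-1]


def response_attributes(xml_text):
    """Return {name: [values]} for every <response> element in the document."""
    # Refuse DTDs: the response crosses a trust boundary, and a client has no
    # reason to accept entity declarations from it.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in web service response")
    attrs = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "response":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if "name" not in fields or "value" not in fields:
            continue  # not a name/value pair; skip rather than guess
        attrs.setdefault(fields["name"], []).append(fields["value"])
    return attrs


def single(attrs, name):
    """Return the one value for `name`; fail closed if missing or repeated."""
    values = attrs.get(name, [])
    if len(values) != 1:
        raise LookupError(f"expected exactly one {name!r}, got {len(values)}")
    return values[0]
```

Requiring exactly one value per attribute keeps a downstream service from silently picking between two conflicting identities when the same header variable is returned twice.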




  • 17.  Re: SPS configuration for Web Services

    Posted Mar 27, 2015 12:54 PM

    Fabulous Chris CBertagnolli

     

    It looks like you resolved the other issue of using SESSION generated by AuthAzWS and SSO to Standard WebAgents by setting AcceptTPCookie. Does it work the other way too i.e. an SMSession generated from standard WebAgent and use that in AuthAzWS Request?

     

     

    Regards

     

    Hubert



  • 18.  Re: SPS configuration for Web Services

    Posted Mar 27, 2015 12:57 PM

    Unfortunately the other way not working yet. We're working with CA Support on it; they're the ones that identified the AcceptTPCookie setting since it's using the SDK essentially to create the session.

     

    If a solution is found will definitely post it out here for everyone. At least for us that's definitely the more useful case if Web Agent session --> AuthAzWs so passing tokens from front-end web apps to downstream services etc allows authn/authz on behalf of some user.



  • 19.  Re: SPS configuration for Web Services

    Posted Mar 30, 2015 09:56 AM

    Thank you Chris, meanwhile I am going to paste the reference thread for Session Cookie SSO here, as I have pointed the CA Tech Documentation Team to this thread for when they revise the AuthAzWS Documentation (WiKi). "You too have a comment on the WiKi".

     

    Re: Authentication and Authorization Web Service Session Tokens

     

     

    Regards

     

    Hubert



  • 20.  Re: SPS configuration for Web Services

    Posted Jan 20, 2016 10:42 AM

    Hi Hubert,

     

    I'm also working on SPS / Restful integration. Was wondering if you can help. First, do we need to set up 2 ACOs to support Restful - it cannot go through the proxyrules.xml? Which means I need to set another VH to support the Restful URL... And can you or someone post a Restful XML file (contents) to assist in testing?

     

    Thank you!!

    Mike



  • 21.  Re: SPS configuration for Web Services

    Posted Jan 21, 2016 10:34 AM

    Mike userca1

     

    I do not have one readily available right now. However have we looked at the AUTHENTICATION REST INTERFACE Section in this link Configuring the Authentication and Authorization Web Services - CA Single Sign-On - 12.52 SP1 - CA Technologies Document…

     

    Also if this does not help, please open a new thread as this thread is now getting claustrophobic due to the piling on queries. In the new thread, we could reference this discussion as a hyperlink and also TAG people for their attention.

     


     

    Regards

     

    Hubert



  • 22.  Re: SPS configuration for Web Services

    Posted Jan 22, 2016 10:46 AM

    Hi Hubert,

     

    Thanks for getting back to me on this... I took the advice and used the WSDL xml file as a template and updated it with login id/password, etc info... I'm using SoapUI (non-pro) to do my testing for now.

     

    I do have a question(s) that I hope you can answer.

     

    Based on the docs and articles, it appears that when setting up webservices on an SPS server - and we do not use proxyrules.xml - you just set the VH in the server.conf file with the assigned webagent.conf. If this is the case, my questions are:

     

    How do you setup multiple web services with different VH ?

    When setting up the URI that the user is trying to access - where do you store the pages? on the SPS server(s)? Unclear where you setup your pages(site) to use webservices feature?

     

    Also, as far as the client program for webservices - any suggestion on the best practice to use to create one?

     

    Thanks again for your help...

    Mike



  • 23.  Re: SPS configuration for Web Services

    Posted Jan 22, 2016 06:28 PM

    These are very good questions Mike.

     

     

    Q : How do you setup multiple web services with different VH ?

     

    Hubert : The AuthAzWS is an interface (in SOAP and REST form) we provide for Authentication and Authorization decisions to be leveraged using a SOAP / REST call by consuming apps which need authentication OR authorization decisions to be made. Hence there would always be only one single AuthAzWS VH; there would not be another AuthAzWS VH on the same SPS. The whole purpose we built this feature is to only support Authentication and Authorization decisions via a SOAP / REST call. This VH does not serve any other purpose.

     

     

    Q : When setting up the URI that the user is trying to access - where do you store the pages? on the SPS server(s)? Unclear where you setup your pages(site) to use webservices feature?

     

    Hubert : There are no pages deployed on AuthAzWS VH. We just make a SOAP / REST call for Authentication and Authorization decisions. Based on the SOAP / REST Response this WS / VH provides to the client making the call; the client can further process the request at their end.

     

    Q : Also, as far as the client program for webservices - any suggestion on the best practice to use to create one?

     

    Hubert : The core structure / format of the call is provided by the WSDL. In scope of the client program making a call to AuthAzWS, we would need to secure that call. We do have a few good discussions on communities which elaborate on securing the AuthAzWS call.

     

     

    Regards,

    Hubert



  • 24.  Re: SPS configuration for Web Services

    Posted Jan 23, 2016 06:20 PM

    Hi Hubert,

     

    I have to thank you again for answering my questions and helping me understand more on how this web services functions. I will check on the discussion group per your suggestion....Thank you again - really appreciate it.. Have a great weekend... Talk to you later...

     

     

    Thanks again!

    Mike



  • 25.  Re: SPS configuration for Web Services

    Posted Jan 22, 2016 11:13 AM

    Regarding setting up multiple webservices / VH... Would it be similar to proxyrules. Just add the VH in server.conf file and create a new webagent.conf (new name of the defined VH).....

     

    Thanks,

    Mike



  • 26.  Re: SPS configuration for Web Services

    Posted Apr 08, 2015 10:10 AM

    Hi Anand,

     

    I was away the last couple of weeks... Is your issue resolved? I am still not able to protect webservices. I can see web services and the web agent are initialized. I have a sample application on a different server. I want to call that app with webservices. Can you please advise me how I have to configure it?

     

     

    Thanks,



  • 27.  Re: SPS configuration for Web Services

    Posted Jan 20, 2016 10:45 AM

    Hi Anand3g,

     

    Do you have handy your Restful xml file that you used to test this with? Working on getting this Web service working.... Thanks!



  • 28.  Re: SPS configuration for Web Services

    Posted Mar 14, 2016 12:37 PM

    Sorry to resurrect an old thread. userca1


    CA made a video on this.

     

     

    https://www.youtube.com/watch?v=6ZMe_7WL_-M

     

     

    Regards,

    Anand.



  • 29.  Re: SPS configuration for Web Services

    Posted Jun 08, 2016 12:21 PM

    Hi,

     

    Can we configure the webservice on SPS 12.52 sp0? We see the below error in AuthAzlog after testing from SOAPUI (unprotected the Webservice URL).

     

    2016-06-08 11:10:38,481 ERROR [com.ca.soa.services.authaz.webservice.ServiceLogic] - SM_WSZ_00031 - Authentication web service is not configured. Be sure InitServlet runs.

     

    Tested the same on 12.52 sp1 it works from SOAPUI.

     

    Thanks,

    Ajay



  • 30.  Re: SPS configuration for Web Services

    Posted Jun 08, 2016 12:49 PM

    Ajay

     

    I am assuming we shipped the AuthAz feature in R12.52 SP1. I need to dig into details. However the simpler way is if we navigate to the <secure-proxy-home>/Tomcat/webapps folder you would see the authaz webservices folder. If it is not present in the R12.52 base version, that confirms the understanding.

     

    Is there any reason that stops you from using R12.52 SP1 (unless you already have the R12.52 base version and are having second thoughts on upgrading)?

     

    NOTE : Please open a new thread for new queries, as it helps save unnecessary clutter and keeps a thread specific to a discussion.



  • 31.  Re: SPS configuration for Web Services

    Posted Jun 09, 2016 08:57 AM

    Thank you for responding Hubert,

     

    We see AuthAZ webservices under <secure-proxy-home>/Tomcat/webapps on SPS 12.52. The official version should go on SPS12.52. We have configured it in a similar way on both SPS versions and still see the issue, testing through SOAP UI.

     

    Thanks,

    Ajay



  • 32.  Re: SPS configuration for Web Services