Symantec Access Management

  • 1.  What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Jul 27, 2016 06:04 PM

    I am using SiteMinder SSO 12.5 SP01 CR05 with SPS (not WebAgent) to protect my application deployed on a Jboss back-end server. I have already set up SiteMinder to protect the application URL.

     

    I get that SM will add an HTTP header with a key such as SM_USER that will tell me who the user is. What I don't get is -- what prevents anyone from adding this header themselves and bypassing SM entirely? What do I have to put in my server-side code to verify that the SM_USER really came from SM? Or do we have any dynamic variable to verify the user that is known only to SM and the back-end server?



  • 2.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Jul 27, 2016 07:12 PM

    Hi

     

    You mentioned:

    @@

    What I don't get is -- what prevents anyone from adding this header themselves and bypassing SM entirely?

    @@

     

    SM has a feature to prevent cross-site scripting from happening. If the resource is protected by SM, SM will set the header once the user gets access to the resource (not sure whether the header is set during auth or az).

    However, in order to answer the above question, if you can share how it bypasses SM then we can dig into how SM prevents it.

     

    @@

    What do I have to put in my server-side code to verify that the SM_USER really came from SM?

    @@

    The SM_USER is a header. As per my understanding, there is no server-side code to verify where the SM_USER header comes from.

     

    Hope this helps.


    Regards,

    Kar Meng



  • 3.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Jul 27, 2016 07:37 PM

    @@

    What I don't get is -- what prevents anyone from adding this header themselves and bypassing SM entirely?

    @@

    It means I have an application hosted on Jboss, for example https://servername:port/appname, which is currently protected by SiteMinder. So whenever I hit https://servername:port/appname I get an error because my HTTP request doesn't contain the required header parameter SM_USER. But I can hack it by using the Chrome extension "ModHeader" to pass the request header and value pair "SM_USER=UserID" while accessing https://servername:port/appname.

     

    I know that this hack can only be done by an internal user of the organization, but I want to protect my application from unauthorized users.



  • 4.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Jul 27, 2016 08:16 PM

    A couple of ways to address this:

    • Enable a firewall on the App server to allow requests only from the Web Server. So the end user can't make a direct request to the App server bypassing the Web Server.
    • Enable a secure (TLS/SSL) channel between the Web Server and App server
    • Build a custom active response to send an encrypted value for SM_USER; the App server does the decryption on receiving

     

    Another option would be to use CA SiteMinder Agent for JBoss instead of just front ending it with CA SiteMinder web agent.

    This will have a tighter integration directly with the JBoss security layer avoiding the need to rely just on HTTP headers.

    More here:

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/installing/siteminder-agent-for-jboss/agent-for-jboss-introduced



  • 5.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Jul 27, 2016 10:00 PM

    We are not using the SiteMinder Web Agent; we have installed SM Secure Proxy Server (SPS) centrally to manage all incoming requests.

     

    My comments on your suggested options below:

    • Enable a firewall on the App server to allow requests only from the Web Server. So the end user can't make a direct request to the App server bypassing the Web Server.
      1. This option cannot be implemented because other applications on the same server don't need such tight security.
    • Enable a secure (TLS/SSL) channel between the Web Server and App server
      1. We have already implemented SSL between Apache (acting as a load balancer) and Jboss (multiple instances), and we have protected the Apache web server URL with SiteMinder Secure Proxy Server (SPS). So I have to drop this option too.
    • Build a custom active response to send an encrypted value for SM_USER; the App server does the decryption on receiving.
      1. I am interested in this option. Can you give some reference docs on encrypting the HTTP header value sent by SiteMinder and decrypting it in Jboss / Apache?

    I will avoid installing the CA SiteMinder Agent for JBoss as we have so many Jboss instances to protect.

    Do we have any other dynamic variable to verify the user that is known only to SM and the back-end server?



  • 6.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Aug 23, 2016 11:00 AM

    Hi Ujwol,

    I'm also interested in the option below:

    "Build a custom active response to send an encrypted value for SM_USER , App server to do the decryption on receiving."

    This option seems like an interesting option and would provide the extra level of security that a lot of clients are looking for. I'm actually surprised that it is not an out-of-the-box option for CA SSO.

     

    I have not yet evaluated the pros and cons but I see more positives than negatives here. Have you or anyone else reading this post developed or configured any encrypted active responses? I would be interested to see how you are handling that.




  • 7.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Aug 25, 2016 02:45 AM

    Hi Jean-Baptiste Jean-Jacques,

     

    I haven't tried an encrypted active response yet but can give this a try in the near future and share it with the community.

     

    Regards,

    Ujwol



  • 8.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Aug 25, 2016 09:37 AM

    As always it would be greatly appreciated Ujwol!



  • 9.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)
    Best Answer

    Posted Jul 28, 2016 04:36 PM

    I found the perfect answer for “How to stop bypassing SiteMinder to access any SM protected application deployed on Jboss / Apache backend server”

    • In Jboss:
      We can restrict IP addresses for incoming connection requests to Jboss. To restrict connections for a specific application, configure the valve in your application's WEB-INF/jboss-web.xml, for example:

    <jboss-web>
        <valve>
            <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
            <param>
                <param-name>allow</param-name>
                <!-- Put the SiteMinder SPS server IP(s) here -->
                <param-value>127.0.0.1,127.0.0.2</param-value>
            </param>
        </valve>
    </jboss-web>

    Refer: https://access.redhat.com/solutions/18412

     

    • In Apache:

    With the help of the mod_authz_host module in Apache we can restrict access to specific source IPs inside a virtual host. You can make changes in conf/httpd.conf and conf.d/ssl.conf under your VirtualHost entry like the example below:

    <VirtualHost ServerHostname:Port>
        ServerAdmin ……..
        DocumentRoot ……..
        <Location />
            Order deny,allow
            Deny from all
            # Put the SiteMinder SPS server IP(s) here (space-separated)
            Allow from 127.0.0.1 127.0.0.2
        </Location>
    </VirtualHost>

    Refer: http://stackoverflow.com/questions/19711716/apache-restrict-access-to-specific-source-ip-inside-virtual-host

     

    Now the only way to access your application is through SiteMinder, and we are confident that the SM request cannot be tampered with. Enjoy Security!!!
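    As an added example (not code from this thread, from CA or from the JBoss project), a servlet filter for the JBoss application that combines the source-address restriction from the answer above with the "custom active response" option discussed earlier in the thread: SM_USER is honoured only when the request came from the SPS address and carries a valid signature. It assumes the active response sets two extra headers, SM_TS (a millisecond timestamp) and SM_USER_SIG (hex HMAC-SHA256 over "SM_USER|SM_TS"), under a secret shared only between the Policy Server and the application; an HMAC is used here instead of encryption because it answers the "did this really come from SM" question directly. The SPS address 192.0.2.10, the header names and the init-param name smHmacKey are assumptions, and the address check only works where JBoss sees the SPS (or the trusted Apache hop) address directly.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: SM_USER is honoured only when the request arrived from the SPS
// and SM_USER_SIG (assumed header, set by a custom active response) is a valid
// HMAC-SHA256 over "SM_USER|SM_TS" under a secret shared with the Policy Server.
public class SmHeaderVerifyFilter implements Filter {
    // Placeholder SPS address; keep in step with the RemoteAddrValve allow list
    private static final Set<String> SPS_ADDRS = new HashSet<String>(Arrays.asList("192.0.2.10"));
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L; // reject stale or replayed signatures
    private byte[] key;

    public void init(FilterConfig cfg) {
        // Shared secret supplied as a filter init-param in web.xml (assumed param name)
        key = cfg.getInitParameter("smHmacKey").getBytes(StandardCharsets.UTF_8);
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!trusted((HttpServletRequest) req)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // a hand-crafted SM_USER (e.g. added with a browser extension) stops here
        }
        chain.doFilter(req, res);
    }
    boolean trusted(HttpServletRequest r) {
        String user = r.getHeader("SM_USER"), ts = r.getHeader("SM_TS"), sig = r.getHeader("SM_USER_SIG");
        if (!SPS_ADDRS.contains(r.getRemoteAddr()) || user == null || ts == null || sig == null) return false;
        try { if (Math.abs(System.currentTimeMillis() - Long.parseLong(ts)) > MAX_SKEW_MS) return false; }
        catch (NumberFormatException e) { return false; } // non-numeric timestamp
        byte[] expected = hmacHex(user + "|" + ts).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so the signature cannot be guessed byte by byte
        return MessageDigest.isEqual(expected, sig.toLowerCase().getBytes(StandardCharsets.US_ASCII));
    }
    private String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            StringBuilder sb = new StringBuilder();
            for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public void destroy() {}
}
```

    Map the filter to the protected URL pattern in web.xml and provision the same secret on the Policy Server side; if Apache sits between SPS and JBoss, the address list must name that Apache hop instead, with the Apache Allow list doing the SPS check.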



  • 10.  Re: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    Posted Aug 25, 2016 09:17 AM

    What is "LegacyVariables" set to? if that controls SMUSER v SM_USER

    also, when do you set headers?

    if you use onAuth, it is only reset on the way in during Authentication

    if you use onAccess then it should be on Authorization calls

    if you use a get/post/etc rule, it should be every call

     

    obviously each impacts performance and security differently.

     

    hope that helps.

    -Josh