Symantec Access Management

  • 1.  Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 07, 2016 02:15 AM

    We have deployed an application on a load-balanced, auto-scaling cluster of web servers (Apache 2.4) using Amazon Web Services. Due to auto scaling we are installing and configuring web agents with the unattended/silent option on AWS.

     

    ISSUE:

    During each auto scaling event it will generate a new trusted host entry, and we are not sure how many times scale-up and scale-down will happen, so every time a new trusted host entry is written to the policy server.

     

    I understand that when using the silent option, the runsmreghost.sh file is referred to for trusted host registration, and this file is created using the inputs provided in the .properties file during silent configuration.

     

    1) Currently I can't find any option for overwriting the trusted host (-o overwrite) during web agent silent configuration. Can this be enhanced to use the overwrite option?

     

    2) Is there any way to track the unused trusted host objects? Or does the end application have to provide the list of host names they used during registration every time?

     

    As a workaround, we are currently thinking of manually housekeeping the trusted host entries on the policy server side, but if I were able to overwrite the trusted host entries then I would not need this extra housekeeping.

     

    Just wanted to check if anyone has faced a similar issue or has any better suggestions.

     

    Siteminder Version: 12.51.3.1062

    Web Agent Version: 12.51.3.1062

    Apache version: 2.4.2

    Regards,

    Sushant



  • 2.  Re: Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 07, 2016 06:12 AM

    Hello Sushant,

     

    Maybe something you can do is a 2-step process:

     

    1. Do the host registration using smreghost.sh

    This script allows you to use the -o option to overwrite an existing trusted host.

     

    Usage
        smreghost -i ipAddress[:port] -u username [-p password] -hn hostname -hc hostconfigobject
       -i  <IPv4 address or IPv6 address enclosed in square brackets as in [IPv6 address][:port]>
      -hn  <Name for host to be registered>
      -hc  <Name of host configuration object>
    [ -sh  <Shared secret for the host> ]
    [ -rs  (enable shared secret rollover for host)
    [  -u  <Administrator username> ]
    [  -p  <Administrator password> ]
    [  -f  <File to store registration data in (defaults to ./SmHost.conf)> ]
    [ -cf  <Crypto FIPS140 mode (COMPAT or MIGRATE or ONLY)>
    [ -cp  <Name of crypto provider (ETPKI)> ]
    [  -o  <Overwrite existing Trusted Host> ]

    NOTE: Any <value> that contains spaces should be surrounded by quotes.
    Example: "value with spaces".

     

    2. Use ca-wa-config.sh -i silent and bypass the host registration step.

     

    Please note that you can use the LAX_DEBUG=true environment variable to debug any SiteMinder installation scripts on Linux/Unix.

     

    Hope it helps,

     

    Julien.



  • 3.  Re: Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 08, 2016 03:10 AM

    Hi Julien,

     

    Thanks for your quick reply; we thought about this option initially. However, we can't pass the encrypted password to the smreghost utility as we do from the silent installation script.

     

    When "ca-wa-config.sh -f ca-wa-installer.properties -i silent" is used with host registration, it creates runsmreghost.sh as below, and it seems it does not contain the password value; it is somehow taking the encrypted password from ca-wa-installer.properties, but I am not sure how.

    ###########################################################
    dev@developer-desktop ~/CA/webagent/bin $ more runsmreghost.sh
    #!/bin/sh
    LD_LIBRARY_PATH=/home/dev/CA/webagent/bin
    SHLIB_PATH=/home/dev/CA/webagent/bin
    LIBPATH=/home/dev/CA/webagent/bin
    CAPKIHOME=/home/dev/CA/webagent/CAPKI
    export LD_LIBRARY_PATH SHLIB_PATH LIBPATH CAPKIHOME
    "/home/dev/CA/webagent/bin/smreghost" -i 211.29.157.189 -u "siteminder" -p -hn "myhost" -hc "Apache_HCO" -cf "COMPAT" -f "/home/dev/CA/webagent/config/SmHost.conf"
    rc=$?
    returnValue()
    {
      return $rc
    }
    returnValue
    ##########################################################

     

    As the agents are deployed in AWS, we would want to provide the encrypted password instead of the plain text password to the host registration script. If you could address this issue then we will go ahead and try this option.

     

    Regards,

    Sushant



  • 5.  Re: Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 08, 2016 05:32 AM

    Sushant,

     

    The password should come from the .properties file, from the value ADMIN_REG_PASSWORD, which is encrypted.

     

    If you do not change the ADMIN password you can reuse it.

     

    If you prefer to use a plain text password, use DEFAULT_ADMIN_REG_PASSWORD and comment out ADMIN_REG_PASSWORD in the .properties file.

     

    Hope it helps,

    Julien.



  • 6.  Re: Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 10, 2016 08:16 PM

    Hi Julien,

     

    I think I did not explain the issue properly, as it seems you didn't get it.

     

    There are 2 things here:

     

    1) I do the agent installation and configuration with the silent option --> Works perfectly fine for me.

    Challenge is: because web servers scale up and scale down in AWS, I would like to know the option for removing the trusted host entries during web agent un-installation (scale down).

     

    2) If I opt to perform the host registration with smreghost using the -a (overwrite) option, then use ca-wa-config.sh -i silent and bypass the host registration step as you suggested.

    Challenge is: I can't provide an encrypted password to the smreghost command; we would like to pass only the encrypted password for security reasons.

     

    I raised this issue with support and got the below options to remove trusted host entries:

    1) Use Sm_PolicyApi_DeleteTrustedHost() API to remove the trusted host with scale down

    2) Manual housekeeping of trusted hosts

     

    Thanks a lot for your guidance and quick response.

    Regards,

    Sushant
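
    One way to make the "manual housekeeping" option from post 6 (and the "how to track unused trusted host objects" question in post 1) mechanical, as an added example that is not part of this thread or of the CA/Symantec agent tooling: name every auto-scaled trusted host after its EC2 instance id (a hypothetical convention; the AS_PREFIX variable and the two input files are assumptions), then diff the policy server's list against the instances that still exist.

```shell
#!/bin/sh
# Added example for the housekeeping question in this thread; it is not part
# of the original posts or of the CA/Symantec agent tooling.
# Assumption (hypothetical convention): every auto-scaled agent registers its
# trusted host as "<AS_PREFIX>-<EC2 instance id>" (and re-registers with -o),
# so an unused trusted host object is simply a name of that form whose
# instance no longer exists. Names without the prefix (manually registered
# hosts) are never reported, so manual entries cannot be deleted by mistake.

AS_PREFIX="${AS_PREFIX:-aws-apache}"

# Trusted host name for one instance, e.g. aws-apache-i-0123456789abcdef0
trusted_host_name() {
    printf '%s-%s\n' "$AS_PREFIX" "$1"
}

# stale_trusted_hosts REGISTERED LIVE
#   REGISTERED: file with one trusted host name per line, as listed on the
#               policy server (administrative UI/export reduced to names)
#   LIVE:       file with one EC2 instance id per line for instances that are
#               still running in the auto scaling group
# Prints the auto-scaled trusted host names that no longer have an instance.
stale_trusted_hosts() {
    registered="$1"; live="$2"
    expected=$(mktemp)
    while IFS= read -r id; do
        [ -n "$id" ] && trusted_host_name "$id"
    done < "$live" | sort -u > "$expected"
    awk -v p="$AS_PREFIX-i-" 'index($0, p) == 1' "$registered" \
        | sort -u | comm -23 - "$expected"
    rm -f "$expected"
}

# Constructed sample data (not from a real policy server): two auto-scaled
# entries, one manual entry; only instance i-aaa is still alive.
demo_stale_trusted_hosts() {
    reg=$(mktemp); live=$(mktemp)
    printf 'aws-apache-i-aaa\naws-apache-i-bbb\nlegacy-host\n' > "$reg"
    printf 'i-aaa\n' > "$live"
    stale_trusted_hosts "$reg" "$live"
    rm -f "$reg" "$live"
}

demo_stale_trusted_hosts   # prints: aws-apache-i-bbb
```

    The names this prints are the candidates for deletion at scale-down, whether that is done by hand or through the Sm_PolicyApi_DeleteTrustedHost() route that support mentioned.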



  • 7.  Re: Web Agent Silent Installation with trusted host overwrite option
    Best Answer

    Broadcom Employee
    Posted Jul 11, 2016 03:48 PM

    Sushant,

     

    The functionality you are requesting would require an enhancement request. Please see the following link for directions on how to file one:

    Submitting an Idea to Ideation

    Regards,

    Sandy



  • 8.  Re: Web Agent Silent Installation with trusted host overwrite option

    Posted Jul 11, 2016 09:25 PM

    Thanks a lot Sandy,

     

    I have submitted the enhancement request.

     

    Regards,

    Sushant