Layer7 Access Management

Expand all | Collapse all

CA SSO: How handshake will happen between WAMUI and Policy server?

Jump to Best Answer
  • 1.  CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-13-2017 03:20 AM

    Hi,

     

    If I add more than one policy server connection to the existing WAMUI, how handshake will happen between WAMUI and additional policy server as the file generated by XPSRegClient is getting removed automatically after the registration in WAMUI? I could see Trusted Host object and Admin object is getting created in Policy Store. But, in which file, shared secret details will be saved in the policy server side? Would be better if someone can explain this flow in detail.

     

    Thanks.

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-13-2017 03:34 AM

    Hi Dhilip,

     

    XPSRegClient will generate the siteminder.XPSReg file and once you register a trusted host will get generated and the registration file goes away.

     

    In the below location you could see a " *.conf  "file which is nothing but smhost.conf file for adminui.

     

    <Install_location>CA\siteminder\adminui\server\default\data\siteminder\

     

    Admin UI uses this file to establish/initialize a connection with Policy server as like webagent does.

     

    Regards,

    Leo Joseph.



  • 3.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-13-2017 03:36 AM

    Thanks Leo , you saved me from typing

     

    Will just add the screenshot here :



  • 4.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-13-2017 05:22 AM

    Hi Leo and Ujwol,

     

    Thanks for your response. I think I have to rephrase my question. I would like to know how handshake will happen between the WAMUI and additional policy server (which do not have adminui component installed but is registered as a Policy Server Connection in WAMUI).

     

    Thanks.

     

    Regards,

    Dhilip



  • 5.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-14-2017 12:39 PM

    There are two parts....

     

    [A] the conf files on the WAMUI Server.

     

    [B] The trusted host object for that WAMUI within the Policy Store (of the additional policy server which is registered as a Policy Server connection).

     

    I think I don't have to talk about [B] because we know how that works and it is explained above.

     

    Regarding [A] if we see under the <Install_location>CA\siteminder\adminui\server\default\data\siteminder\ there is a single conf file which lists the first Policy Server against which this WAMUI was first registered (deleting the data folder is equivalent to registering the first time).

     

    Now to find where are all the other additional policy server connection listed in WAM UI.

     

    For that run a simple command.

    Go to <Install_location>CA\siteminder\adminui\server\default\  directory.

    Run "grep -nr -i "AdditionalPolicyServerHostName".

     

    You'll see that within <Install_location>CA\siteminder\adminui\server\default\data\derby\siteminder\   there is "objectstore" and "taskpersistence" folder which have gibberish *.dat files which has the additional Policy Server connection details, trusted hostname & shared secret within it. I believe the WAMUI uses these *.dat files to read the additional policy server connection details & shared secret; then uses it to make a successful handshake with the Additional Policy Server. When The Additional Policy Server receives the handshake request, it looks into its Policy Store to see if a trusted host exists. If a trusted host exists verifies the Shared Secret. This is same process for the WebAgent.



  • 6.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-15-2017 02:48 AM

    Hi Hubert,

     

    Thanks for your detailed explanation.

     

    Generally, we will be having webagent (installed on top of webserver) that will interrupt the request on launching the URL. Then following flow, httpd.conf --> WebAgent.conf --> SmHost.conf. Webagent will get policy server connection details and handshake will happen.

     

    1) When we launch WAMUI URL, what will happen? what is the exact flow?


    2) Please let me know if .conf file which is in data\siteminder\ will be used for handshake as I am able to login to WAMUI even after deleting this file and restarting the WAMUI service.

     

    3) Also, on executing grep -ir "MainPolicyServerHostName" command from ../server/default/data folder, I get few .dat file entries from "objectstore" and "taskpersistence" folder, will this be used for handshake?

     

    Thanks.

     

    Regards,

    Dhilip



  • 7.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?
    Best Answer

    Posted 09-18-2017 11:47 AM

    Dhilip

     

    When we start jboss OR launch the WAMUI URL there is no connection attempt made, atleast I don't see that in the server.log. It is just a Page being served off an app server / war. It does load the external directory configuration to see if WAMUI can connect to the external directory for authentication.

     

    The connection to Policy Server will be made only when we click "Sign In" button.  The connection to which Policy Server will be made depends on what Policy Server is selected on the "Server:" drop down field in the UI.

     

    My guess is YES! ;  That the *.dat files from "objectstore" and "taskpersistence" folder would be used for ADDITIONAL POLICY SERVER Connection. Because the conf file under <Install_location>CA\siteminder\adminui\server\default\data\siteminder\ only contains a single Policy Server connection detail. This is the first Policy Server with which the WAM UI was registered. None of the additional policy server connections are listed within the conf file in <Install_location>CA\siteminder\adminui\server\default\data\siteminder\

     

    As you suggested you've deleted the conf file within <Install_location>CA\siteminder\adminui\server\default\data\siteminder\ and yet are able to login. If we see the *.dat file they not only contain the additional policy server, but they also contain the first policy server connection data (which is also present in conf file within <Install_location>CA\siteminder\adminui\server\default\data\siteminder folder). Thus the *.dat files contain all the connection details for all the Policy Servers.

     

    I am just trying to connect the dots for you. The final word has to come via a Support Case after review from Engineering.

     

    Just a word of caution as I can feel where this would lead to next - if the real intension is to tinker / modify the connection details (assuming how we are able to do it in WebAgent.conf / SmHost.conf for WebAgents) ; then be careful with the *.dat files. They have a non standard format & also some gibberish characters when we list the contents.



  • 8.  Re: CA SSO: How handshake will happen between WAMUI and Policy server?

    Posted 09-20-2017 09:38 AM

    Hi Hubert,

     

    Thanks for your response.

     

    Support Case has been raised.

     

    Regards,

    Dhilip