Can you help me understand the queries below?
What is the purpose of CryptoProvider in SiteMinder?
In a form-based auth scheme, where the posting happens to login.fcc, can the credentials be captured by a man-in-the-middle attack? I am trying to understand, on a client machine, how securely the credentials can be posted to login.fcc. I am aware that the SSL/TLS connection is there and a man-in-the-middle attack can be prevented. But on the client side "form posting", can the credentials be captured?
How effectively can SiteMinder be used to secure web applications? I am aware that CSS checks and bad-character checks are there. Can we list the ACO parameters that support enhancing web app security?
As for the crypto used by SiteMinder, and in particular in the web agent, where the credentials are collected, the default configuration is BSAFE.
In this way, for example in a federation transaction, the RSA BSAFE library contains fixes against the following SSL and TLS communication vulnerabilities:
Lucky Thirteen Attack (CVE-2013-0169)
BEAST Exploit (CVE-2011-3389)
SSL/TLS Renegotiation Denial of Service Exploit (CVE-2011-5094)
There are also many Java components within CA Single Sign-On that use the BSAFE crypto.jar from RSA Security, including CA Secure Gateway.
List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
ACO parameters which are linked to security & integrity. The motto here is to keep data minimal & limited to what is needed, in a secure manner.
BadCSSChars
BadFormChars
BadQueryChars
BadUrlChars
CSSChecking
CookieDomain
CookieDomainScope
CookieValidationPeriod
DisableAuthSrcVars
DisableSessionVars
DisableUserNameVars
EncryptAgentName
FCCCompatMode=NO
ForceCookieDomain
ForceFQHost
PersistentCookies [We do not want SMSESSION TO BE A PERSISTENT COOKIE]
PersistentIPCheck
RequireClientIP
RequireCookies
SecureURLs
SecureApps
TrackCPSessionDomain
TrackSessionDomain
TransientIDCookies
TransientIPCheck
UseHttpOnlyCookies
UseSecureCookies
UseSecureCPCookies
ValidFedTargetDomain
ValidTargetDomain
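An added example, not code from the thread or from CA: a small Python audit that parses a WebAgent.conf-style fragment and compares the security-related ACO parameters listed above against a hardened baseline. The sample fragment and the baseline values (YES/NO booleans, PersistentCookies=NO so SMSESSION stays transient, non-empty bad-character lists when CSSChecking is on) are constructed assumptions; confirm them against the documentation linked above for your release.

```python
"""Audit security-related ACO parameters in a WebAgent.conf-style fragment.
Added example; the baseline and the sample fragment are constructed assumptions."""
import re

# Assumed hardened baseline for the boolean parameters from the list above.
BASELINE = {
    "CSSChecking": "YES",
    "PersistentCookies": "NO",      # keep SMSESSION a session (transient) cookie
    "UseSecureCookies": "YES",
    "UseHttpOnlyCookies": "YES",
    "RequireCookies": "YES",
    "TransientIPCheck": "YES",
    "FCCCompatMode": "NO",
}
# Character-list parameters that should be populated when CSSChecking is on.
CHAR_LISTS = ("BadCSSChars", "BadFormChars", "BadQueryChars", "BadUrlChars")

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*$')

def parse_aco(text):
    """Parse Name="Value" / Name=Value lines into a dict; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0].strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit(params):
    """Return (parameter, actual, expected) findings for weak or missing values."""
    findings = []
    for name, expected in BASELINE.items():
        actual = params.get(name, "<unset>")
        if actual.upper() != expected:
            findings.append((name, actual, expected))
    if params.get("CSSChecking", "").upper() == "YES":
        for name in CHAR_LISTS:
            if not params.get(name):
                findings.append((name, "<empty>", "non-empty list"))
    return findings

# Constructed sample fragment, not taken from any real deployment.
SAMPLE = r'''
CSSChecking="YES"
BadCSSChars="<,>,',;,),(,&,+"
BadUrlChars="//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25"
PersistentCookies="YES"   # SMSESSION would survive a browser restart
UseSecureCookies="NO"
UseHttpOnlyCookies="YES"
FCCCompatMode="NO"
'''

if __name__ == "__main__":
    for finding in audit(parse_aco(SAMPLE)):
        print("%-18s actual=%-8s expected=%s" % finding)
```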