Layer7 Access Management

Tech Tip : CA Single Sign-On :Policy Server::Encrypted Active Response

By Ujwol posted 09-12-2016 11:42 PM

  

Title:

In this guide we will write a sample Active Response which will use AES encryption algorithm to encrypt the USERDN and return an encrypted USERDN to the client.

Instruction:

Step 1: Create an active response as shown below :

Step 2 : Configure the Active Response with either OnAuthAccept or OnAccessAccept rule.

 

Step 3 : Compile the attached sample ActiveResponseSample.java &  ActiveResponseDecryptor.java classes by running java-build.bat (windows) /java-build.sh (unix).

Note: Prior to running you will need to update the path to the JDK install directory in the JAVA_HOME variable by editing the java-build.bat (windows) /java-build.sh (unix) files.

 

Step 4. Once compiled, copy the ActiveResponseSample.class and copy it to the <Policy server>/config/properties directory.

 

Note: This "properties" directory is by default in the classpath of Policy server so you don't need to modify JVMOptions.txt.

If you choose to deploy the class in any other directory, then you will need to add the path to that directory as a classpath in the JVMOptions.txt file.

 

Testing:

1. Access the resource which is configured to return the active response. Copy the value of the encrypted response returned (using the server side scripting which prints all the HTTP headers)  :

2. Next, decrpyt the encrypted response header using the attached sample ActiveResponseDecryptor class by running java-run.bat (windows) /java-run.sh (unix)

 

 

6 comments
1 view

Permalink

Comments

01-12-2017 06:40 AM

Hello Ujwol,

 

Tried and tested it in my lab and works fine. Nice way to see how javax.crypto.Cipher class could be used in ActiveResponse. 

 

Thanks a lot,

Julien.

12-14-2016 12:16 AM

Hi Alex,


Try running policy server directly from command prompt by executing smpolicysrv.exe.


All the errors from JVM will then show up in console.

That should give you hint as to what is happening.


Don't think 12.0 is the issue.


Regards,

Ujwol

12-13-2016 10:12 PM

Hi Ujwol,

 

Thank you for this information. It accomplishes some of the use cases we are trying to achieve.

I followed your guide but I am not able to have the Active Response trigger correctly.

When I look at the smtracedefault.log I see the following:


[12/13/2016][21:36:57.227][15347][2907933584][SmActiveExpr.cpp:915][CSmActiveExprLibrary::GetActiveValue][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;ActiveResponseSample' failed with error 'SmJavaAPI: Expression evaluation returned a null'][][][]

 

I am not sure if it is because of the version we are testing in (12.0.0305.427) or because of another reason.

I would have expected to see the error message as stated in setErrorText, unless the condition is failing where the setErrorText is not set.

 

Any thoughts on where else I can look? Any clues from what you have seen with other customers?

 

Thank you,

-Alex

11-16-2016 09:14 PM

Update 17/11/2016: Added sample scripts to compile and run the test program as some customer were having difficulty compiling and running it.

09-19-2016 09:18 PM

09-12-2016 11:48 PM

This techip was created as followup to the following community thread where we discussed about an option of building custom active response which will send an encrypted response header and the web/app server will decrypt at the receiving end. https://communities.ca.com/thread/241758303?commentID=241908904#comment