Symantec SiteMinder


Tech Tip : CA Single Sign-On :Policy Server:How to configure Open Format Cookie and consume it

By Ujwol posted Sep 08, 2016 03:37 AM


Summary:

In this guide we discuss how to configure the Policy Server to send an Open Format Cookie (OFC) as a response header.

We also discuss how to write a simple Java client program that consumes (decrypts) the OFC cookie sent by the Policy Server.

This can be used for agentless single sign-on.

Environment:

  • Policy Server : R12.5+
  • OS : ANY

Instructions:

On Policy Server:

1. Create a Web Agent Response that generates an Open Format Cookie, as below:

For detailed instruction refer to : How to Create a Web Agent Response That Generates an Open Format Cookie - CA Single Sign-On - 12.52 SP1 - CA Technologie…

Note : From the following screen, make a note of the following two settings, as they are needed on the client side:

  • Encryption Key
  • Encryption Algorithm

2. Add the OFC Cookie Response configured in step (1) to either an OnAuthAccept or an OnAccessAccept rule.

3. Add rule to Policy.


On the Client side

Modify the attached SampleOFCConsumer.java as below:

1. Depending on which Encryption Algorithm was selected while configuring the OFC cookie response, edit the following variables accordingly:

If using AES Algorithm :

public static final String DEFAULT_TRANSFORMATION = AES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = AES_ALGORITHM;

If using DES Algorithm:

public static final String DEFAULT_TRANSFORMATION = DES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = TRIPLE_DES_ALGORITHM;


2. In the decrypt() method, update the byte array KEY variable to match the Encryption Key defined in the Admin UI.

Follow these steps to convert the Encryption Key string into a byte array:

Step 1 : Copy the value of EncryptionKey from Admin UI ==> OFC Cookie Response, e.g. B4578127007497EF8A655E4986D4F63C (see above screenshot)
Step 2 : Add a space after every two characters:
B4 57 81 27 00 74 97 EF 8A 65 5E 49 86 D4 F6 3C
Step 3 : Prefix every two-character pair with (byte)0x :
(byte)0xB4 (byte)0x57 (byte)0x81 (byte)0x27 (byte)0x00 (byte)0x74 (byte)0x97 (byte)0xEF (byte)0x8A (byte)0x65 (byte)0x5E (byte)0x49 (byte)0x86 (byte)0xD4 (byte)0xF6 (byte)0x3C
Step 4 : Separate the pairs with commas:
(byte)0xB4,(byte)0x57,(byte)0x81,(byte)0x27,(byte)0x00,(byte)0x74,(byte)0x97,(byte)0xEF,(byte)0x8A,(byte)0x65,(byte)0x5E,(byte)0x49,(byte)0x86,(byte)0xD4,(byte)0xF6,(byte)0x3C


3. Compile the class. Note: the jre/lib directory must be on the class path.

4. Ensure that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files have been applied to the JRE being used.
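The manual conversion in steps 1 to 4 above is easy to get wrong by hand (a dropped digit silently produces a wrong-length key, and the error only surfaces later as an InvalidKeyException inside decrypt()). The following Java class is an added example, not the attached SampleOFCConsumer.java nor CA's code: it parses the hex key exactly as it appears in the Admin UI, prints the (byte)0x literal list the steps above describe, checks the key length against the chosen algorithm, and runs a Cipher round trip to confirm the JRE and its JCE policy can actually run the transformation. The transformation strings (AES/CBC/PKCS5Padding, DESede/CBC/PKCS5Padding), the IV handling and the Base64 encoding of the cookie are assumptions here and must be matched to the constants in the attached sample; the key value is the sample key from this post.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class OfcKeyHelper {

    // Assumed transformation/algorithm names: align these with the constants
    // in the attached SampleOFCConsumer.java before use.
    static final String AES_TRANSFORMATION = "AES/CBC/PKCS5Padding";
    static final String AES_ALGORITHM = "AES";
    static final String DES_TRANSFORMATION = "DESede/CBC/PKCS5Padding";
    static final String TRIPLE_DES_ALGORITHM = "DESede";

    /** Parse the Encryption Key hex string from the Admin UI into the byte[] KEY. */
    static byte[] hexKeyToBytes(String hex) {
        String h = hex.replaceAll("\\s", "");
        if (h.length() % 2 != 0) {
            throw new IllegalArgumentException("hex key must have an even number of digits");
        }
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Render the key as the (byte)0x.. list produced by the manual steps, for pasting into the sample. */
    static String toJavaByteLiteral(byte[] key) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < key.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(String.format("(byte)0x%02X", key[i] & 0xFF));
        }
        return sb.toString();
    }

    /** Fail early with a clear message instead of an InvalidKeyException deep inside decrypt(). */
    static void checkKeyLength(byte[] key, String algorithm) {
        int n = key.length;
        // AES accepts 128/192/256-bit keys; SunJCE DESede requires a 24-byte key.
        boolean ok = AES_ALGORITHM.equals(algorithm) ? (n == 16 || n == 24 || n == 32) : (n == 24);
        if (!ok) {
            throw new IllegalArgumentException(algorithm + " key of " + n + " bytes is not a valid length");
        }
    }

    /** Generic CBC decrypt; the real cookie's IV convention is an assumption to confirm against the sample. */
    static byte[] decrypt(byte[] key, byte[] iv, byte[] ciphertext,
                          String transformation, String algorithm) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, algorithm), new IvParameterSpec(iv));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Sample key from the post: 32 hex digits = 16 bytes = AES-128.
        String adminUiKey = args.length > 0 ? args[0] : "B4578127007497EF8A655E4986D4F63C";
        byte[] key = hexKeyToBytes(adminUiKey);
        System.out.println("KEY = {" + toJavaByteLiteral(key) + "};");
        checkKeyLength(key, AES_ALGORITHM);

        // Round trip on a constructed payload: proves the JRE (and its JCE policy) can run the transformation.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(AES_TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, AES_ALGORITHM), new IvParameterSpec(iv));
        byte[] ct = enc.doFinal("constructed-sample-payload".getBytes(StandardCharsets.UTF_8));
        String cookieLike = Base64.getEncoder().encodeToString(ct);

        byte[] pt = decrypt(key, iv, Base64.getDecoder().decode(cookieLike),
                            AES_TRANSFORMATION, AES_ALGORITHM);
        System.out.println("round trip: " + new String(pt, StandardCharsets.UTF_8));
    }
}
```

Run it with the Encryption Key from the Admin UI as the single argument (`java OfcKeyHelper B4578127007497EF8A655E4986D4F63C`); the printed KEY line is what goes into the decrypt() method of the attached sample, and a failure in the round trip (for example an InvalidKeyException on a 32-byte key) points at the JCE policy from step 4 rather than at the cookie.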

Testing:

1. Access the protected resource that is configured to return the OFC cookie response, and copy the returned cookie value using any script or tool that displays all the response headers:

2. Run the SampleOFCConsumer class, passing the OFC cookie value as the input parameter:


Additional Information:
