Question:
Do any SSO community experts know the exact steps I should follow to properly secure logging.jsp in CA IdM?
Background:
I've read this technical article TEC537308 on how to enable logging.jsp, which I'm planning to implement within the bank's production environment, but this doesn't cover the SiteMinder configurations needed to securely make this change.
Please provide the SiteMinder steps needed to complete this procedure: https://support.ca.com/us/knowledge-base-articles.tec554335.html, but steps 3 & 4 do NOT cover what needs to be completed within SiteMinder to ensure logging.jsp is secured from malicious intruders.
If this is a CA Identity Manager issue, please redirect to the appropriate place, but clearly these steps should be published and referred to within this technical article or the CA IdM bookshelf, since logging.jsp was removed due to security concerns. SiteMinder is used to ensure security, which is far more robust than CA IdM's native auth, and further guidance from CA on how to properly secure logging.jsp through SiteMinder is clearly needed to ensure it's properly protected.
Business Impact:
Logging JSP will enable the bank to be more agile by rapidly addressing PROD issues, which are adversely affecting the external customer environment. Quickly enabling DEBUG (without getting approvals for RESTARTs) will greatly help the bank work with CA support. However, not effectively securing this feature will open the bank to unnecessary vulnerabilities, which is NOT acceptable and will block this from being rolled out, unnecessarily delaying resolutions to production issues requiring additional logging.
Additional Background:
Something like this should be published for logging.jsp, either in the bookshelf or in the technical document:
Here is a link to the documentation on how to secure the management console using SiteMinder: https://support.ca.com/cadocs/0/CA%20Identity%20Manager%2012%206%204-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?425934.html
The way the steps are written today in the technical document, they seem to encourage the use of native auth through CA IdM, which, wouldn't you agree, is much less secure than using SiteMinder? Just imagine how many customer deployments have only secured their management console and logging.jsp with native auth rather than SiteMinder simply because these simple steps weren't publicized within the technical document.