Symantec Access Management

  • 1.  SPS Multiple proxy rules

    Posted Apr 03, 2015 02:37 PM

    Hi All,

     

        I am trying to create a proxy rule that can have a combination of 2-3 conditions, e.g. for hosts/URIs/headers. I don't want to fulfil all the requirements in one request, but I want to trigger them individually depending on the incoming request. I am not sure if this is achievable; I don't have a use case as such, this came up as a thought process. For example, we have created proxy rules for an application that agreed to have a rule based on URI; now another application comes along and they are not interested in URI, they need host-, header- or expression-based rules.

     

    I tried to create rules this way but they are not getting saved or validated. I hope that's expected, because they were not fulfilling the proxyrules.dtd methods. So how can we achieve the above by installing multiple instances of SPS on the same server? Or could there be some other way?

     

    If someone has an example of proxyrules.xml implementing this, please suggest.

     

    Thanks in Advance.



  • 2.  Re: SPS Multiple proxy rules

    Posted Apr 06, 2015 08:03 AM

    I think what you want starts around page 79.

    I'm not sure which version you are on, so I used the latest docs. Most of this has been present since the 12.0 line.

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20Secure%20Proxy%20Server%2012%2052%20SP1-ENU/Bookshelf_Files/PDF/sps_ad…

     

    hope that helps.



  • 3.  Re: SPS Multiple proxy rules

    Posted Apr 06, 2015 02:46 PM

    Richard Richard.Leto

     

    Just my 2cents.

     

    The question we need to ask ourselves is whether we define the process methodology OR allow others to dictate. Notice the way proxyrules.xml is designed; it always has only one entry point into a NETE:COND. I don't think we can define multiple entry points. Hence my guesstimate would be to have multiple SPS installed on the same server. Each SPS has a structured proxyrules.xml which defines a template for processing entry; e.g. the one below is based on using a header as the entry point.

     

     

    <nete:proxyrules xmlns:nete="http://FQDN/">
        <nete:cond type="header" headername="SMAUTHDIRNAME">
            <!-- Check if UD1 is the authenticated UserStore then use XXXXXXXX -->
            <nete:case value="UD1">
                <nete:xprcond>
                    <!-- If it is an authentication URL handle destination -->
                    <nete:xpr>
                        <nete:rule>^/_login/default.aspx\?ReturnUrl=%2f_layouts%2fAuthenticate.aspx(.*)</nete:rule>
                        <!-- "&" inside element text must be escaped as "&amp;" or the XML parser rejects the file -->
                        <nete:result>https://FQDN:71/_trust/default.aspx?trust=spdemotip&amp;ReturnUrl=%2f_layouts%2fAuthenticate.aspx$1</nete:result>
                    </nete:xpr>
                    <nete:xpr-default>
                        <nete:forward>https://FQDN:71$0</nete:forward>
                    </nete:xpr-default>
                </nete:xprcond>
            </nete:case>
        </nete:cond>
    </nete:proxyrules>

     

    SERVER-1:

    • SPS Instance-1 : HEADER as entry point, then further conditions / expressions.
    • SPS Instance-2 : HOSTNAME as entry point, then further conditions / expressions.
    • SPS Instance-3 : URI as entry point, then further conditions / expressions.

     

     

     

    Regards

     

    Hubert



  • 4.  Re: SPS Multiple proxy rules

    Posted Apr 06, 2015 03:24 PM

    Thanks Hubert, thanks for confirming that we would need multiple instances for multiple conditions. As I said, that was just a thought process, no use cases as such. I guess you are right that having ownership of SPS should give us control to decide what we want to keep as the entry point.

     

    Could this be an enhancement in future? I am not sure if other SPS users have raised this kind of question with CA support, but I don't see any thread asking this question. I hope everyone has defined multiple hosts or made strict rules for implementing.



  • 5.  Re: SPS Multiple proxy rules

    Posted Apr 06, 2015 03:34 PM

    Hubert,

     

    is there a limit on base conditions?

     

    -J



  • 6.  Re: SPS Multiple proxy rules

    Posted Apr 06, 2015 04:05 PM

    Josh

     

    How do I best explain this? Let me try.

     

    This is again my understanding based on my experience fiddling around.

     

    I think the way proxyrules is structured limits us to defining only one entry point. Once inside the loop, I can again have sub-conditions or rules/expressions (this can keep looping by creating further conditions or expressions). However, I cannot have 2 entry points defined within a single proxyrules.xml.

     

    USECASE-1 : We would like to do traffic routing based on HOST NAME.

     

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="http://www.ca.com/">
        <nete:cond type="host" criteria="equals">
            <nete:case value="sp1.krike02-test1.ca.com:80">
                <nete:forward>http://lodivm10se038:2000$1</nete:forward>
            </nete:case>
            <nete:case value="sp1.krike02-test1.ca.com:443">
                <nete:forward>http://lodivm10se038:2000$1</nete:forward>
            </nete:case>
            <nete:case value="sp2.krike02-test1.ca.com:80">
                <nete:forward>http://lodivm10se004:1000$1</nete:forward>
            </nete:case>
            <nete:default>
                <nete:forward>http://www.ca.com$0</nete:forward>
            </nete:default>
        </nete:cond>
    </nete:proxyrules>

     

     

    USECASE-2 : Now suppose someone asks me to add HTTP HEADERS into the above mix and wants HTTP HEADERS to be evaluated as an entry point, i.e. a parent (at the same level as "host").

     

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="http://www.ca.com/">
        <nete:cond type="host" criteria="equals">
            <nete:case value="sp1.krike02-test1.ca.com:80">
                <nete:forward>http://lodivm10se038:2000$1</nete:forward>
            </nete:case>
            <nete:case value="sp1.krike02-test1.ca.com:443">
                <nete:forward>http://lodivm10se038:2000$1</nete:forward>
            </nete:case>
            <nete:case value="sp2.krike02-test1.ca.com:80">
                <nete:forward>http://lodivm10se004:1000$1</nete:forward>
            </nete:case>
            <nete:default>
                <nete:forward>http://www.ca.com$0</nete:forward>
            </nete:default>
        </nete:cond>
        <!-- second top-level condition: this is what the DTD rejects -->
        <nete:cond type="header" headername="SMAUTHDIRNAME">
            <nete:case value="ud_mssql_ud">
                <nete:forward>http://machinevm6128:1000$0</nete:forward>
            </nete:case>
            <nete:case value="ud_ad2k8">
                <nete:forward>http://machinevm6128:10001$0</nete:forward>
            </nete:case>
            <nete:default>
                <nete:forward>http://www.ca.com$0</nete:forward>
            </nete:default>
        </nete:cond>
    </nete:proxyrules>

     

     

     

    This fails to load the SPS; it fails with "unable to parse proxyrules.xml".

     

     

    [06/Apr/2015:15:57:14-524] [ERROR] - Proxy Rules: ** Proxy Rules Parsing Error **
    [06/Apr/2015:15:57:14-524] [ERROR] - Proxy Rules: File: 'file:///C:/CA/secure-proxy/proxy-engine/conf/proxyrules.xml'
    [06/Apr/2015:15:57:14-524] [ERROR] - Proxy Rules: Line: 34
    [06/Apr/2015:15:57:14-524] [ERROR] - Proxy Rules: Message: The content of element type "nete:proxyrules" must match "(nete:description?,(nete:cond|nete:xprcond|nete:forward|nete:redirect|nete:local))".
    [06/Apr/2015:15:57:14-540] [ERROR] - Error while parsing proxy rules: C:\CA\secure-proxy\proxy-engine\conf\proxyrules.xml
    org.xml.sax.SAXException: Error encountered
    org.xml.sax.SAXParseException; systemId: file:///C:/CA/secure-proxy/proxy-engine/conf/proxyrules.xml; lineNumber: 34; columnNumber: 19; The content of element type "nete:proxyrules" must match "(nete:description?,(nete:cond|nete:xprcond|nete:forward|nete:redirect|nete:local))".
      at com.netegrity.proxy.rules.parser.ErrorHandlerImpl.error(ErrorHandlerImpl.java:78)
      at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
      at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
      at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
      at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
      at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown Source)
      at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source)
      at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
      at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
      at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
      at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
      at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
      at com.netegrity.proxy.rules.parser.ProxyRuleParser.parseDoc(ProxyRuleParser.java:66)
      at com.netegrity.proxy.rules.task.RuleWatcherTask.buildTree(RuleWatcherTask.java:84)
      at com.netegrity.proxy.rules.task.RuleWatcherTask.doOnChange(RuleWatcherTask.java:94)
      at com.netegrity.util.timer.task.AbstractFileWatcherTask.run(AbstractFileWatcherTask.java:81)
      at com.netegrity.proxy.service.SmProxyRules.init(SmProxyRules.java:145)
      at com.netegrity.proxy.service.SmProxyRules.init(SmProxyRules.java:106)
      at org.apache.catalina.core.ApplicationFilterConfig.initFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterConfig.getFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterConfig.<init>(Unknown Source)
      at org.apache.catalina.core.StandardContext.filterStart(Unknown Source)
      at org.apache.catalina.core.StandardContext.startInternal(Unknown Source)
      at org.apache.catalina.util.LifecycleBase.start(Unknown Source)
      at org.apache.catalina.core.ContainerBase$StartChild.call(Unknown Source)
      at org.apache.catalina.core.ContainerBase$StartChild.call(Unknown Source)
      at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)
    Caused by: org.xml.sax.SAXParseException; systemId: file:///C:/CA/secure-proxy/proxy-engine/conf/proxyrules.xml; lineNumber: 34; columnNumber: 19; The content of element type "nete:proxyrules" must match "(nete:description?,(nete:cond|nete:xprcond|nete:forward|nete:redirect|nete:local))".
      at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
      ... 31 more
    [06/Apr/2015:15:57:14-540] [ERROR] - The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules.
    [06/Apr/2015:15:57:14-540] [ERROR] - You MUST Shutdown the Secure Proxy Server, Correct This Error, and Restart.

     

     

     

    Hence my assumption that only one parent condition can exist in proxyrules.xml and the rest are all sub-conditions within the parent (i.e. a single entry point).

     

     

    Hope this helps in understanding what I meant by limited by design.

     

     

     

    Regards

     

    Hubert
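The two points made in replies 3 and 6 above, namely that the DTD content model quoted in the parser error allows exactly one top-level element under nete:proxyrules, and that host, header and URI criteria can still all be applied by nesting further nete:cond elements inside that single entry point, are shown below in an added example. This is not code from the thread or from CA/Symantec; it is a small checker and evaluator written for the proxyrules.xml subset the thread uses. The hostnames, ports, header values and request paths are constructed, and the $-expansion rules (assumed: $0 is the full request URI, $1 is the URI remainder after a beginswith match, $N inside nete:result is regex group N) are a simplification of SPS behaviour, not a statement of it.

```python
"""Added example (not from the thread): a checker and evaluator for the proxyrules.xml
subset used above. check_single_entry_point() enforces the content model quoted in the
SPS parser error: nete:proxyrules = nete:description? then exactly ONE of
cond|xprcond|forward|redirect|local. route_request() walks a NESTED tree so host, header
and URI criteria are all honoured from that single entry point. Assumed $-expansion:
$0 = full request URI, $1 = URI remainder after a beginswith match (or regex group in
nete:result). Hostnames, ports, header values and paths below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = "http://www.ca.com/"
ROOT_CHILDREN = {"cond", "xprcond", "forward", "redirect", "local"}
CRITERIA = {"equals": str.__eq__, "beginswith": str.startswith}   # case-match criteria supported here


def local_name(el):
    return el.tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix ElementTree adds


def check_single_entry_point(xml_text):
    """None if the root obeys the DTD content model quoted in the error, else a message."""
    root = ET.fromstring(xml_text)
    kids = [local_name(c) for c in root]
    if kids[:1] == ["description"]:
        kids = kids[1:]
    if local_name(root) == "proxyrules" and len(kids) == 1 and kids[0] in ROOT_CHILDREN:
        return None
    return ("nete:proxyrules must contain exactly one of nete:cond|nete:xprcond|nete:forward|"
            "nete:redirect|nete:local; found: " + ", ".join("nete:" + k for k in kids))


def route(node, req, rest=None):
    """Walk one rule node for req = {host, uri, headers}; return the target URL or None."""
    name = local_name(node)
    if name == "forward":
        tail = req["uri"] if rest is None else rest
        return node.text.strip().replace("$1", tail).replace("$0", req["uri"])
    if name == "cond":
        ctype, criteria = node.get("type"), node.get("criteria", "equals")
        value = {"host": req["host"], "uri": req["uri"],                 # KeyError on unsupported type
                 "header": req["headers"].get(node.get("headername", ""), "")}[ctype]
        default = None
        for child in node:
            cname, cv = local_name(child), child.get("value", "")
            if cname == "case" and CRITERIA[criteria](value, cv):
                if ctype == "uri" and criteria == "beginswith":
                    rest = value[len(cv):]                                # what $1 expands to
                return route(child, req, rest)
            if cname == "default":
                default = child
        return None if default is None else route(default, req, rest)
    if name == "xprcond":
        for child in node:
            if local_name(child) == "xpr":
                m = re.match(child.find(f"{{{NS}}}rule").text.strip(), req["uri"])
                if m:                                                     # $N -> regex group N
                    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "",
                                  child.find(f"{{{NS}}}result").text.strip())
            elif local_name(child) == "xpr-default":
                return route(child, req, rest)
        return None
    if name in ("proxyrules", "case", "default", "xpr-default"):
        for child in node:                                  # containers hold one action child
            if local_name(child) != "description":
                return route(child, req, rest)
        return None
    raise ValueError(f"unsupported element {name!r}")


def route_request(xml_text, host, uri, headers=None):
    return route(ET.fromstring(xml_text), {"host": host, "uri": uri, "headers": headers or {}})


# Constructed: two top-level nete:cond elements, the shape that SPS rejected in USECASE-2.
FLAT = f"""<nete:proxyrules xmlns:nete="{NS}">
 <nete:cond type="host" criteria="equals">
  <nete:default><nete:forward>http://app1.internal:2000$0</nete:forward></nete:default>
 </nete:cond>
 <nete:cond type="header" headername="SMAUTHDIRNAME">
  <nete:default><nete:forward>http://app2.internal:1000$0</nete:forward></nete:default>
 </nete:cond>
</nete:proxyrules>"""

# Constructed: one host entry point, with header, URI and expression rules nested beneath it.
NESTED = f"""<nete:proxyrules xmlns:nete="{NS}">
 <nete:cond type="host" criteria="equals">
  <nete:case value="sp1.example.test:80">
   <nete:cond type="header" headername="SMAUTHDIRNAME">
    <nete:case value="ud_ad">
     <nete:cond type="uri" criteria="beginswith">
      <nete:case value="/api/"><nete:forward>http://api.internal:8080/v1/$1</nete:forward></nete:case>
      <nete:default><nete:forward>http://app1.internal:2000$0</nete:forward></nete:default>
     </nete:cond>
    </nete:case>
    <nete:default><nete:forward>http://app2.internal:1000$0</nete:forward></nete:default>
   </nete:cond>
  </nete:case>
  <nete:case value="sp2.example.test:80">
   <nete:xprcond>
    <nete:xpr><nete:rule>^/_login/default.aspx\\?ReturnUrl=(.*)</nete:rule>
     <nete:result>https://sp2.internal:71/_trust/default.aspx?ReturnUrl=$1</nete:result></nete:xpr>
    <nete:xpr-default><nete:forward>https://sp2.internal:71$0</nete:forward></nete:xpr-default>
   </nete:xprcond>
  </nete:case>
  <nete:default><nete:forward>http://www.example.test$0</nete:forward></nete:default>
 </nete:cond>
</nete:proxyrules>"""

if __name__ == "__main__":
    print("FLAT  :", check_single_entry_point(FLAT))      # rejected: nete:cond, nete:cond at root
    print("NESTED:", check_single_entry_point(NESTED))    # None: accepted
    print(route_request(NESTED, "sp1.example.test:80", "/api/users", {"SMAUTHDIRNAME": "ud_ad"}))
```

Running the check on the FLAT document reproduces the complaint in the log above (two nete:cond children at the root, where the model allows one), while NESTED passes and still routes on host, then header, then URI or expression, which is the "one entry point, sub-conditions inside it" structure described in reply 6. Whether a single nested file or one SPS instance per entry point is the better operational choice is a separate question the thread leaves open.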