Our friend zestep had a query on "Protecting AuthAz WebServices". Hence opening a discussion on behalf of zestep.
In continuation of the thread, the following additional questions were asked.
Question-1:
So, the login and auth services seem to work. I'd like to protect the web services using x509 authz... Any advice on how to do this? I've generated a self-signed client cert-key pair and tried to set up a valid certificate mapping.
Question-2:
Protect the Web Services
We recommend that you protect the web services in a production environment. Protecting the web agent of the web services lets CA SiteMinder® authenticate and authorize the web services client before a user request is processed. When you protect the web services in your production environment, CA SiteMinder® SPS includes the SMSESSION cookie into the user request. If the RequestSmSessionCookie ACO parameter is enabled, CA SiteMinder® ensures that the web services verify the user request for the SMSESSION cookie before processing the user request. To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.
So... do I need another web-agent for the x509 cert scheme?
To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.
Does this mean I am to protect /authazws? Or literally the root directory /?