Symantec Access Management


CA SSO : SPS : Protecting AuthAz WebService

  • 1.  CA SSO : SPS : Protecting AuthAz WebService

    Posted 08-25-2015 12:21 PM

    Our friend zestep had a query on "Protecting AuthAz WebServices". Hence opening a discussion on behalf of zestep

     

    In continuation of the thread Re: SPS: Configure Web Services Authz, the following additional questions were asked.

     

    Question-1 :

    So, the login and auth services seem to work. I'd like to protect the web services using x509 authz... Any advice on how to do this? I've generated a self-signed client cert-key pair and a tried to set up a valid certificate mapping.

     

    Question-2 :

    Protect the Web Services

    We recommend that you protect the web services in a production environment. Protecting the web agent of the web services lets CA SiteMinder® authenticate and authorize the web services client before a user request is processed. When you protect the web services in your production environment, CA SiteMinder® SPS includes the SMSESSION cookie into the user request. If the RequestSmSessionCookie ACO parameter is enabled, CA SiteMinder® ensures that the web services verify the user request for the SMSESSION cookie before processing the user request. To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

     

    So....do I need another web-agent for the x509 cert scheme?

     

    To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

     

    Does this mean I am to protect /authazws, or literally the root directory /?



  • 2.  Re: CA SSO : SPS : Protecting AuthAz WebService

    Posted 08-25-2015 12:40 PM

    I'd like to "protect the web services root URL", preferably w/ the x.509 scheme, but I'll start out with a BASIC scheme until I get things working.

     

    I have an existing wsagent, aco and policy domain for web-services authz protecting host.com/app.

     

    My understanding of this process is incomplete. Which agent should protect the "web services root url" ? Should I make a new web-agent and policy-domain to protect /authazws ?



  • 3.  Re: CA SSO : SPS : Protecting AuthAz WebService

    Posted 08-25-2015 12:46 PM

    zestep

     

    Leave the configuration that we did so far to get Re: SPS: Configure Web Services Authz working. Do not change anything in that.

     

    Try this and let me know.

     

    The WebService Root URL for SOAP is http://FQDN-VH-AuthAzWS/authazws/auth

    The WebService Root URL for REST is http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource



    Never protect /*, as SPS has many other apps and functions; those may get overridden. Clear your head and start again from ground zero, i.e. we need to protect the URL http://FQDN-VH-AuthAzWS/authazws/auth and/or http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource using X509 auth.

     

    Create a new Policy Domain to Protect http://FQDN-VH-AuthAzWS/authazws/auth and http://FQDN-VH-authazws/authazws/AuthRestService/

    • Create an X509 Auth Scheme, map the auth scheme to the realm protecting /authazws/*
    • Map the wsagent-dummy agent to this realm.

     

    In ACO for AuthAzWS enable RequireAgentEnforcement.

     

     

    Regards

     

    Hubert



  • 4.  Re: CA SSO : SPS : Protecting AuthAz WebService

    Posted 08-25-2015 02:03 PM

    Thanks Hubert!

     

    I think I have it almost working...now when I connect to /authazws using https I get redirected to /siteminderagent/cert/xxxxx/smgetcred.scc?xxxx.

     

    I'd like to use a self-signed client x509 certificate....do I need to put this certificate in the sps_install_dir/SSL/clientcerts/certs directory? Right now, I think the server is rejecting my self-signed x509 client cert.



  • 5.  Re: CA SSO : SPS : Protecting AuthAz WebService

    Posted 08-25-2015 03:14 PM

    zestep

     

    I don't think you need to add the Client Certificate anywhere on SPS.

     

    These are the three steps we need to follow...

    • X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki
    • Certificate Mapping for X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki
    • Enable SSL on SPS: Configuring SSL for CA SiteMinder® SPS - CA SiteMinder® - 12.52 SP1 - CA Wiki

     

     

    Check WATRACE and POLICYSERVER TRACE log for request.
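
An added example, not from anyone in this thread and not CA's own tooling, for the self-signed client certificate zestep mentions: it generates the certificate and key with openssl, prints the Subject CN that an X.509 certificate mapping on the CN attribute would be compared against, builds the REST root URL from post 3, and shows the curl call that presents the certificate to that URL. The hostname, appID and resource values are placeholders, and the example assumes the SPS TLS listener accepts the certificate at the handshake so that the request reaches the SiteMinder X.509 scheme at all.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed client cert for testing
# an X.509 Client Certificate auth scheme on the AuthAz web service root URL.
# Assumptions (not from the page): placeholder host/appID/resource values and
# an SPS TLS listener that accepts this certificate during the handshake.
set -eu

# Generate a self-signed client cert + key in directory $1 with CN $2.
# Prints the certificate path. Subject values are constructed.
make_client_cert() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1
    printf '%s\n' "$dir/client.crt"
}

# Print the CN from the certificate's Subject (RFC2253 form). This is the
# value a certificate mapping on the CN attribute would look up in the
# user directory, so it should match an existing user entry.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Build the REST root URL from post 3: host $1, appID $2, resource $3.
rest_login_url() {
    printf 'https://%s/authazws/AuthRestService/login/%s/%s\n' "$1" "$2" "$3"
}

# Present cert $1 and key $2 to URL $3 and print the HTTP status. A redirect
# to /siteminderagent/cert/.../smgetcred.scc (as seen in post 4) or a TLS
# alert means the certificate was not accepted. Network call; not run here.
call_with_cert() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --cert "$1" --key "$2" "$3"
}

# Stand-alone usage: generate the cert and show what the mapping sees.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    crt=$(make_client_cert "$work" ws-client)
    echo "Subject CN for certificate mapping: $(cert_cn "$crt")"
    echo "Test URL: $(rest_login_url sps.example.com myapp res1)"
    echo "Run: call_with_cert $crt $work/client.key <url>"
fi
```

If the status is a redirect to the smgetcred.scc URL, check WATRACE and the Policy Server trace log for the certificate mapping lookup rather than the cert file itself; the handshake already succeeded at that point.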