Our friend zestep had a query on "Protecting AuthAz WebServices". Hence opening a discussion on behalf of zestep.
In continuation of the thread Re: SPS: Configure Web Services Authz, the following additional questions were sought.
So, the login and auth services seem to work. I'd like to protect the web services using x509 authz... Any advice on how to do this? I've generated a self-signed client cert-key pair and tried to set up a valid certificate mapping.
Protect the Web Services
We recommend that you protect the web services in a production environment. Protecting the web agent of the web services lets CA SiteMinder® authenticate and authorize the web services client before a user request is processed. When you protect the web services in your production environment, CA SiteMinder® SPS includes the SMSESSION cookie in the user request. If the RequestSmSessionCookie ACO parameter is enabled, CA SiteMinder® ensures that the web services verify the user request for the SMSESSION cookie before processing the user request. To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.
So... do I need another web agent for the x509 cert scheme?
To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.
Does this mean I am to protect /authazws, or literally the root directory /?
I'd like to "protect the web services root URL", preferably w/ the X.509 scheme, but I'll start out with a BASIC scheme until I get things working.
I have an existing wsagent, aco and policy domain for web-services authz protecting host.com/app.
My understanding of this process is incomplete. Which agent should protect the "web services root url" ? Should I make a new web-agent and policy-domain to protect /authazws ?
Leave the configuration that we did so far to get Re: SPS: Configure Web Services Authz working. Do not change anything in that.
Try this and let me know.
The WebService Root URL for SOAP is http://FQDN-VH-AuthAzWS/authazws/auth
The WebService Root URL for REST is http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource
Never protect /* as SPS has many other apps and functions; those may get overridden. Clear your head and start again from ground zero, i.e. we need to protect the URL http://FQDN-VH-AuthAzWS/authazws/auth and/or http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource using X509 auth.
Create a new Policy Domain to Protect http://FQDN-VH-AuthAzWS/authazws/auth and http://FQDN-VH-authazws/authazws/AuthRestService/
In ACO for AuthAzWS enable RequireAgentEnforcement.
I think I have it almost working... now when I connect to /authazws using https I get redirected to /siteminderagent/cert/xxxxx/smgetcred.scc?xxxx.
I'd like to use a self-signed client x509 certificate... do I need to put this certificate in the sps_install_dir/SSL/clientcerts/certs directory? Right now, I think the server is rejecting my self-signed x509 client cert.
I don't think you need to add the client certificate anywhere on SPS.
These are the three steps we need to follow:
X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki
Certificate Mapping for X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki
Enable SSL on SPS: Configuring SSL for CA SiteMinder® SPS - CA SiteMinder® - 12.52 SP1 - CA Wiki.
Check the WATRACE and Policy Server trace logs for the request.
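As an added check (example commands written for this thread, not from zestep's setup or CA's documentation), the script below builds a constructed self-signed client cert like the one described above and pulls out the Subject DN, Issuer DN and single attribute values that the X.509 scheme and certificate mapping are configured against, plus whether the cert carries the clientAuth EKU; the subject names and working directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Requires openssl 1.1.1 or later.
set -eu

# Scratch directory for the constructed key and certificate (assumption).
WORK="${WORK:-$(mktemp -d)}"

# Generate a throw-away self-signed client certificate in one step.
# The Subject DN is what a certificate mapping matches against a user
# directory entry; for a self-signed cert the Issuer DN equals the Subject DN,
# which is the issuer the X.509 scheme would have to be configured to trust.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" \
        -subj "/CN=zestep/OU=WebServices/O=Example" \
        -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1
    printf '%s\n' "$WORK/client.crt"
}

# One-line Subject DN, the form you will see echoed in the WATRACE log.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# One-line Issuer DN, what the scheme's issuer DN setting must match.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Value of one Subject attribute (e.g. CN) for a "single attribute" mapping.
cert_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n "s/^ *$2=//p"
}

# Exit 0 when the cert is usable for TLS client authentication at all;
# a cert without this EKU is rejected before SiteMinder ever maps it.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}
```

Run the functions against your real client cert instead of the constructed one to see exactly which DN strings the mapping and scheme must be fed.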