Symantec Access Management

Our friend zestep had a query on "Protecting AuthAz WebServices". Hence opening a discussion on behalf of zestep

In Continuation of thread Re: SPS: Configure Web Services Authz the following additional questions were sought.

Question-1 :

So, the login and auth services seem to work. I'd like to protect the web services using x509 authz... Any advice on how to do this? I've generated a self-signed client cert-key pair and a tried to set up a valid certificate mapping.

Question-2 :

Protect the Web Services We recommend that you protect the web services in a production environment. Protecting the web agent of the web services lets CA SiteMinder® authenticate and authorize the web services client before a user request is processed. When you protect the web services in your production environment, CA SiteMinder® SPS includes the SMSESSION cookie into the user request. If the RequestSmSessionCookie ACO parameter is enabled, CA SiteMinder® ensures that the web services verify the user request for the SMSESSION cookie before processing the user request. To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

So....do I need another web-agent for the x509 cert scheme?

To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

Does this mean I am to protect /authazws ? or literally the root directory / .

Id like to "protect the web services root URL" preferably w/ x.509 scheme but I'll start out with a BASIC scheme until I get things working.

I have an existing wsagent, aco and policy domain for web-services authz protecting host.com/app.

My understanding of this process is incomplete. Which agent should protect the "web services root url" ? Should I make a new web-agent and policy-domain to protect /authazws ?

zestep

Leave the configuration that we did this far to get Re: SPS: Configure Web Services Authz Working. Do not change anything in that.

Try this and let know.

The WebService Root URL for SOAP is http://FQDN-VH-AuthAzWS/authazws/auth

The WebServicer Root URL for REST is http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource

Never protect /* as SPS has many other apps and functions; those may get overridden. Clear the head and Start again from Ground-0 i.e. we need to protect a URL http://FQDN-VH-AuthAzWS/authazws/auth and/or http://FQDN-VH-authazws/authazws/AuthRestService/login/appID/Resource using X509 auth.

Create a new Policy Domain to Protect http://FQDN-VH-AuthAzWS/authazws/auth and http://FQDN-VH-authazws/authazws/AuthRestService/

• Create an X509 Auth Scheme, map the auth scheme to the realm protecting /authazwz/*
• Map the wsagent-dummy agent to this realm.

In ACO for AuthAzWS enable RequireAgentEnforcement.

Regards

Hubert

Thanks Hubert!

I think I have it almost working...now when I connect to /authazws using https I get redirected to t /siteminderagent/cert/xxxxx/smgetcred.scc?xxxx.

I'd like to use a self-signed client x509 certificate....do I need to put this certificate in the sps_install_dir/SSL/clientcerts/certs directory? Right now, I think the server is rejecting my self-signed x509 client cert.

zestep

I dont think you need to add the Client Certificate anywhere on SPS.

These are the three steps we need to follow...

X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki

Certificate Mapping for X.509 Client Certificate Authentication Schemes - CA SiteMinder® - 12.52 SP1 - CA Wiki

Enable SSL on SPS Configuring SSL for CA SiteMinder® SPS - CA SiteMinder® - 12.52 SP1 - CA Wiki.

Check WATRACE and POLICYSERVER TRACE log for request.