Symantec Access Management

  • 1.  How to protect a backend app that is accessed via CA SPS?

    Posted Oct 04, 2016 03:48 PM

    We have a need not to install the CA SiteMinder web agent in the backend app and are thinking of using SPS to tunnel this backend app's traffic via the CA SPS gateway and protect the app URL at the SPS level, so that we don't need to install the web agent in the backend app. How do we protect against someone calling the backend app URL directly, by invoking the app hosting server URL (the same URL that SPS will proxy-forward) and passing the required headers that SPS would provide to the backend app? Basically, how will the backend app server ensure that the request came via SPS and the user is authenticated? This may be possible by having a source IP check in the backend app, but it is not reliable and difficult to maintain as we add more SPS servers or replace an existing SPS server with a new server.

    Any suggestions? Really appreciate your input.



  • 2.  Re: How to protect a backend app that is accessed via CA SPS?
    Best Answer

    Posted Oct 04, 2016 06:25 PM

    Hi Chapati,

    There are a couple of ways to deal with this.

    We recently discussed the same requirement here:

    What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)

    But let me put the main points that we discussed here as well:

    • Enable a firewall on the backend app server to allow requests only from the SPS host, so the end user can't make a direct request to the app server bypassing SPS.
    • Instead of passing a clear-text HTTP header from SPS to the backend app, send an encrypted response header which can be decrypted only by a special piece of code that sits on the app server.

          For this you can refer to my recent blog post: Tech Tip : CA Single Sign-On :Policy Server::Encrypted Active Response

    Hope this helps.


    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 
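The second bullet above, a header the backend accepts only if the proxy produced it, as an added example that is not from the post or from CA/Broadcom: a keyed HMAC-SHA256 tag with a freshness check stands in for SiteMinder's Encrypted Active Response (whose actual format is not on this page), and the header name SM_USER_TOKEN and the shared key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared only by the proxy (SPS) and the backend filter;
# a real deployment provisions this out of band, never in source.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300           # reject headers older than this (replay window)
CLOCK_SKEW_SECONDS = 60         # tolerate small proxy/backend clock drift
TOKEN_HEADER = "SM_USER_TOKEN"  # constructed header name, not an SPS default


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def build_header(user: str, now: Optional[int] = None) -> str:
    """Proxy side: JSON payload (user, issue time) plus an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "iat": now}, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)


def verify_header(value: str, now: Optional[int] = None) -> Optional[str]:
    """Backend side: return the user only if the header is authentic and fresh."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tag mismatch: header was not produced by the proxy
        claims = json.loads(payload)
        iat, user = int(claims["iat"]), str(claims["user"])
    except (ValueError, TypeError, KeyError):
        return None  # malformed header
    if now - iat > MAX_AGE_SECONDS or iat > now + CLOCK_SKEW_SECONDS:
        return None  # stale (replayed) or implausibly future-dated
    return user


def authorize(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Filter entry point: trust only the signed token, never a bare SM_USER header."""
    token = headers.get(TOKEN_HEADER)
    return verify_header(token, now) if token is not None else None
```

A request that bypasses SPS and carries only a plain `SM_USER` header (or a token signed with the wrong key) is rejected by `authorize`, which is the guarantee the original question asks for.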



  • 3.  Re: How to protect a backend app that is accessed via CA SPS?

    Posted Oct 05, 2016 10:42 AM

    Thanks, Ujwol. It is helpful.



  • 4.  Re: How to protect a backend app that is accessed via CA SPS?

    Broadcom Employee
    Posted Oct 05, 2016 08:25 PM

    Hi Chapati, just to add a little to what Ujwol wrote:

    These are also possible:

    • Restrict clients by IP address
      Most web servers have a way of restricting which client IP addresses have access to the server; that is usually the simplest way to ensure all the requests come via the SPS server.
      Here is the setting for IIS 7: Configure IPv4 Address Restrictions for Remote Connections (IIS 7)

    • Use a client SSL certificate in SPS to authenticate the backend webserver
      This is more trouble, but you can configure the backend web server to only accept requests via SSL when the user has an appropriate client X.509 SSL certificate.

      You would need to configure the backend web server to only accept client-authenticated SSL requests. Then issue a client certificate and install it in the SPS server(s).

    Cheers - Mark



  • 5.  Re: How to protect a backend app that is accessed via CA SPS?

    Posted Oct 06, 2016 01:14 PM

    I faced the same challenges with a centralized SPS server. I would like to share a solution which I implemented.

    How to protect java web application hosted on Jboss EAP with CA Single Sign On

    Or you can also refer to:
    What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)