I've installed and configured a httpd and a web agent in VPC on AWS.
All works fine in VPC, using all private IP addresses.
Now I tried to access the same protected content from internet (external address),
and I got either not authorized message or login box looping.
I did not configure DNS so the FQDNs of httpd are all default value -
Accessing httpd + wa as ip-nn-nn-nn-nn.ap-northeast-1.compute.internal succeeded
but accessing httpd + wa as ec2-NN-NN-NN-NN.ap-northeast-1.compute.amazonaws.com
At this moment, the following are all default.
How should I configure it in this scenario?
- CentOS 7.5.1804 on AWS
- httpd was built from source code (2.4.25 with apr, apr-util)
- using ca-wa-12.52-sp01-cr09-linux-x86-64.zip
- Policy Server 12.8
Since the Siteminder session is stored in a cookie, you have to make sure your configuration will support all DNS domains in which you have protected resources.
As you may be aware, a browser will only accept a set-cookie if the domain in the set-cookie statement matches the domain in the browser request. Likewise, a browser will only present cookies to a host if the domain set in the cookie matches the domain of the request.
The CookieDomain and CookieDomainScope Agent Configuration Object (ACO) parameters come into play here. Since you need to support more than one domain, you should not be setting any value for CookieDomain unless you use .amazonaws.com as the CookieDomain value since this part of the domain name matches both domains you need to support in the example given. If all domains you need to support end with .amazonaws.com, you can use this value for CookieDomain as the solution. The CookieDomainScope parameter is ignored when a value for CookieDomain is specified.
If you also need to support domains that may not end in .amazonaws.com, you may need to configure a cookie provider in addition to determining the best values for the cookie domain ACO parameters. If you leave CookieDomain blank, the cookie domain will be automatically detected by the agent based on the incoming HOST header and the CookieDomainScope value. CookieDomainScope determines how many dots will be in the resolved cookie domain. This alone will work if user requests do not cross domains during their sessions. As user sessions do commonly cross domains, however, the use of a cookie provider may be needed. Specifying a CookieProvider (this is another ACO parameter) allows a user to get a cookie for each needed domain after authenticating once (the domain serviced by the specified cookie provider becomes the master cookie domain, all agents pointing to this cookie provider trust the authentications made by this provider and thus will create cookies for additional domains based on the session in the master cookie domain).
You can find much more detail about cookies in a Siteminder/SSO environment here, including the topics/parameters mentioned above:
Configure Web Agent Single Sign-On Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
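To make the cookie-domain reasoning in the answer concrete, here is a small model (added here, not CA/Broadcom code) of how the agent picks the SMSESSION cookie domain and how a browser then decides whether that cookie is accepted and sent back. It assumes that CookieDomainScope N keeps the N rightmost labels of the Host header, that an explicit CookieDomain overrides it, and it uses constructed hostnames shaped like the ones in the question.

```python
"""Toy model of Web Agent cookie-domain selection and browser domain matching.
Added example, not CA/Broadcom code. Assumed: CookieDomainScope N keeps the N
rightmost labels of the incoming Host header; an explicit CookieDomain wins.
Hostnames below are constructed to resemble the ones in the question."""

INTERNAL_HOST = "ip-10-0-0-5.ap-northeast-1.compute.internal"        # constructed
EXTERNAL_HOST = "ec2-54-0-0-1.ap-northeast-1.compute.amazonaws.com"   # constructed


def host_from_header(host_header: str) -> str:
    """Drop any :port and lower-case the Host header value."""
    return host_header.split(":", 1)[0].lower()


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a leading dot so '.example.com' == 'example.com'."""
    return domain.lower().lstrip(".")


def resolve_cookie_domain(host_header: str, cookie_domain: str = "", scope: int = 2) -> str:
    """Domain the agent would put in Set-Cookie for this request.
    CookieDomain set -> used as-is and CookieDomainScope is ignored (as the
    answer states). Blank -> derived from Host, keeping `scope` rightmost labels."""
    if cookie_domain:
        return "." + normalize_domain(cookie_domain)
    labels = host_from_header(host_header).split(".")
    if scope < 1 or scope >= len(labels):
        raise ValueError(f"scope {scope} cannot be derived from {host_header!r}")
    return "." + ".".join(labels[-scope:])


def browser_domain_match(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
    Browsers apply the same test when accepting a Set-Cookie and when sending it."""
    host = host_from_header(request_host)
    domain = normalize_domain(cookie_domain)
    return host == domain or host.endswith("." + domain)


def sso_coverage(login_host: str, hosts, cookie_domain: str = "", scope: int = 2) -> dict:
    """After authenticating on login_host, report which hosts will receive the cookie."""
    domain = resolve_cookie_domain(login_host, cookie_domain, scope)
    return {"cookie_domain": domain,
            "covered": {h: browser_domain_match(domain, h) for h in hosts}}


if __name__ == "__main__":
    print(sso_coverage(INTERNAL_HOST, [INTERNAL_HOST, EXTERNAL_HOST]))
    print(sso_coverage(EXTERNAL_HOST, [INTERNAL_HOST, EXTERNAL_HOST], ".amazonaws.com"))
```

The model ignores the Public Suffix List that real browsers also consult before accepting a domain cookie, which is worth checking for AWS-generated hostnames.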