Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 7-17-12
A Knowledge Based Authentication (KBA or KBAuth) mechanism was developed by CA Technologies GSE Division to work with SiteMinder to provide stronger authentication than is available with HTML Forms Authentication alone. However, it doesn’t require the expense of distributing certificates or physical smart cards. The authentication scheme implements a knowledge based, Question/Answer (QA) approach to the KB authentication process that requires the user to answer one or more randomly selected questions out of a configurable number of questions the user has previously provided answers to, in addition to providing their login ID and password. If you’re interested in evaluating and/or integrating KBA in your SiteMinder environment, send your enquiries to CA Services. Since last year, KBA has been certified for SiteMinder R12 with FIPS (Federal Information Processing Standards) encryption.
The installation of SiteMinder itself is not affected by the KBA authentication scheme; however, several additional components must be installed in order to fully utilize the functionality provided by the scheme.
In 2009, for FIPS support and Identity Minder compatibility, GSE provided new scripts for generating the FIPSkey.dat file and edited the instructions for generating the file accordingly. Note that if you have an existing CA Identity Minder installation and are using FIPS encryption, you should already have a FIPSkey.dat file as part of the IM installation and you should use copies of that FIPSkey.dat file for your SmKBAuth installation. If you are not using IM, then follow the instructions below. A zip file named GenKey.zip is provided with the installation key. This zip file contains the necessary components to generate a FIPSkey.dat file which is required if you are planning to use Identity Manager (IM) compatible, FIPS compliant encryption.
Double check, after following the installation as per the accompanying documentation, that the FIPSkey.dat files on the application server and policy server are the same and that the path above the FIPSkey.dat file contains config/com/netegrity/config/keys. On the policy server, the path to FIPSkey.dat would be siteminder/config/properties/config/com/netegrity/config/keys/FIPSkey.dat. On the application server the path will be <warfiledirectory>/WEB-INF/classes/config/com/netegrity/config/keys/FIPSkey.dat.
While Configuring the Enrollment and Login Web Resources, another point to note concerns the step "Modify KBAParams.properties configuration file (in the WEB-INF/classes directory), if required." That file contains:
# The encryption key below is required for RC2 encryption. If FIPS (AES) encryption is used,
# the value of this parameter is not used, but it must still have some value.
KBAEncryptKey = ThisIsAnEncryptionKeyString
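The two checks above (identical FIPSkey.dat files under the required config/com/netegrity/config/keys path on both servers, and a non-empty KBAEncryptKey even when FIPS/AES encryption is in use) can be scripted. The following POSIX sh script is an added example, not part of the KBA install package; the paths it builds in kba_demo are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the SmKBAuth guide): sanity-check a KBA FIPS setup.
# Inputs are the policy-server FIPSkey.dat path, the application-server
# FIPSkey.dat path and the KBAParams.properties file.

REQUIRED_SUFFIX='config/com/netegrity/config/keys/FIPSkey.dat'

# Returns 0 if the path ends with the directory chain the guide requires.
kba_key_path_ok() {
    case "$1" in
        *"$REQUIRED_SUFFIX") return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if both key files exist and are byte-for-byte identical.
kba_keys_match() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Returns 0 if KBAParams.properties sets KBAEncryptKey to a non-empty value
# (ignored under FIPS/AES, but the guide says it must still be set).
kba_encrypt_key_set() {
    value=$(sed -n -e '/^[[:space:]]*KBAEncryptKey[[:space:]]*=/!d' \
                   -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e p "$1" | head -n 1)
    [ -n "$value" ]
}

# Runs all checks, prints one line per check, returns non-zero on any failure.
kba_check() {
    ps_key=$1; as_key=$2; props=$3; rc=0
    kba_key_path_ok "$ps_key" && echo "ok: policy server key path" || { echo "FAIL: policy server key path $ps_key"; rc=1; }
    kba_key_path_ok "$as_key" && echo "ok: application server key path" || { echo "FAIL: application server key path $as_key"; rc=1; }
    kba_keys_match "$ps_key" "$as_key" && echo "ok: FIPSkey.dat identical" || { echo "FAIL: FIPSkey.dat files differ or are missing"; rc=1; }
    kba_encrypt_key_set "$props" && echo "ok: KBAEncryptKey set" || { echo "FAIL: KBAEncryptKey empty in $props"; rc=1; }
    return $rc
}

# Constructed demo: builds a throwaway layout (placeholder paths, not a real install).
kba_demo() {
    tmp=$(mktemp -d) || return 1
    ps="$tmp/siteminder/config/properties/config/com/netegrity/config/keys"
    as="$tmp/kba.war/WEB-INF/classes/config/com/netegrity/config/keys"
    mkdir -p "$ps" "$as"
    printf 'CONSTRUCTED-KEY-BYTES\n' > "$ps/FIPSkey.dat"
    cp "$ps/FIPSkey.dat" "$as/FIPSkey.dat"
    printf 'KBAEncryptKey = ThisIsAnEncryptionKeyString\n' > "$tmp/KBAParams.properties"
    kba_check "$ps/FIPSkey.dat" "$as/FIPSkey.dat" "$tmp/KBAParams.properties"
    status=$?; rm -rf "$tmp"; return $status
}
```

On a real deployment call kba_check with the actual paths on both hosts (or copy the application-server key file over first), and treat any FAIL line as a reason to redo the GenKey step.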
For more details, see the following document in the KBA downloaded install package:
Knowledge Based (SmKBAuth) Authentication Scheme and Supporting Enrollment Process Installation and Configuration Guide.