Layer 7 Access Management


SPS Auth Web Services - cert auth..(binarycreds or what?)

  • 1.  SPS Auth Web Services - cert auth..(binarycreds or what?)

    Posted 05-08-2015 08:50 PM

    Alright, so hoping someone has used this before.....So we got the SPS AuthN/AuthZ Web Services up and working fine with User ID + Passwords.

     

    However, trying to expand it so that the AuthN service could do certificate-based auth. This would be to generate a session token based on some signature value.

     

    Problem is, can't seem to find any documentation on doing that. The documents hint at that you should protect the Web Services themselves with x509 - but don't tell you how -- and nothing on if you 'can' further authenticate a signature within the request content to generate a session token for that identity. There's a <binarycreds></binarycreds> but again don't see any details on what exactly that can be used for and just vague references to it can be extended for other auth methods but no guides O_o.

     

    Primarily using the Wiki and Googling for docs, so if there's better I'm all up to reading - https://wiki.ca.com/display/sm1252sp1/Configuring+the+Authentication+and+Authorization+Web+Services#ConfiguringtheAuthenticationandAuthorizationWebServices-ProtecttheWebServices

     

    Basically, what is needed is:

     

    1 - Service A authenticates to SPS Web Service using x509

    2 - Service A passes content of message with signed doc????

    3 - SPS AuthN Service validates signature/cert and returns session token for that identity

     

    Item 1 shouldn't be too crazy I don't think, but item 2 kind of stuck on 'how' to proceed there. Just stick signature/cert in binarycreds or something else? Sign the message with user key and pass cert?

     

    Any clue if this is even possible and if so pointers on how to set it up or better docs from CA.



  • 2.  Re: SPS Auth Web Services - cert auth..(binarycreds or what?)

    Posted 05-13-2015 11:42 AM

    Is anyone able to assist with the above question?

     

    Thank you!

    Christopher Bertagnolli wrote:

     

    Alright, so hoping someone has used this before.....So we got the SPS AuthN/AuthZ Web Services up and working fine with User ID + Passwords.

     

    However, trying to expand it so that the AuthN service could do certificate-based auth. This would be to generate a session token based on some signature value.

     

    Problem is, can't seem to find any documentation on doing that. The documents hint at that you should protect the Web Services themselves with x509 - but don't tell you how -- and nothing on if you 'can' further authenticate a signature within the request content to generate a session token for that identity. There's a <binarycreds></binarycreds> but again don't see any details on what exactly that can be used for and just vague references to it can be extended for other auth methods but no guides O_o.

     

    Primarily using the Wiki and Googling for docs, so if there's better I'm all up to reading - https://wiki.ca.com/display/sm1252sp1/Configuring+the+Authentication+and+Authorization+Web+Services#ConfiguringtheAuthenticationandAuthorizationWebServices-ProtecttheWebServices

     

    Basically, what is needed is:

     

    1 - Service A authenticates to SPS Web Service using x509

    2 - Service A passes content of message with signed doc????

    3 - SPS AuthN Service validates signature/cert and returns session token for that identity

     

    Item 1 shouldn't be too crazy I don't think, but item 2 kind of stuck on 'how' to proceed there. Just stick signature/cert in binarycreds or something else? Sign the message with user key and pass cert?

     

    Any clue if this is even possible and if so pointers on how to set it up or better docs from CA.



  • 3.  Re: SPS Auth Web Services - cert auth..(binarycreds or what?)

    Posted 03-29-2017 05:23 AM

    Hello,

     

    Maybe you can check the following CA communities thread

     

    Authz Web Services: BinaryCreds & forms 

     

     

    Hope it helps,

    Julien.



  • 4.  Re: SPS Auth Web Services - cert auth..(binarycreds or what?)

    Posted 04-05-2017 10:49 AM

    I completely forgot about this post. We ended up writing our own custom token service since the one provided by CA accepted any public cert (i.e., no proof of key possession); that is not valid for authentication and should not return a token.

     

    And we are currently in the process of retiring the CA Access Gateway systems due to all the issues they've caused.
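
The gap described in the last post (a token returned for a public certificate with no proof of key possession), shown as an added example that is not part of the thread and is not CA's or the poster's code: a hypothetical token service that issues a token only when the caller signs the service's nonce with the private key matching the certificate. `newIdentity`, `signChallenge`, `issueToken`, the Ed25519 key type and the token string are assumptions; chain validation against trusted roots and single-use tracking of nonces are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity builds a constructed self-signed certificate and private key (demo data).
func newIdentity(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func signChallenge(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce) // caller side: sign the nonce the service sent
}

// issueToken (hypothetical service side) needs a valid signature over its own nonce.
func issueToken(cert *x509.Certificate, nonce, sig []byte) (string, bool) {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) { // a certificate alone is public data
		return "", false
	}
	return "session-token-for:" + cert.Subject.CommonName, true
}

func main() {
	cert, key := newIdentity("service-a")
	nonce := []byte("constructed-nonce-0001") // a real service sends a fresh random value
	fmt.Println(issueToken(cert, nonce, signChallenge(key, nonce)))
	fmt.Println(issueToken(cert, nonce, nil))
}
```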