Symantec Access Management

  • 1.  IBM DataPower and CA SiteMinder

    Posted Jun 21, 2013 05:01 PM
    Has anyone got the two working together?

    We're getting errors that SiteMinder is expecting a certificate. I'm not sure why SiteMinder would be expecting a certificate...

    We set up an Agent Name and Password in 4.x style for ease here.
    Made a basic Domain (not application)

    still having issues... any help appreciated.


  • 2.  RE: IBM DataPower and CA SiteMinder

    Posted Jun 24, 2013 02:56 PM
    Related posts found via Google:

    IBM link #1: can this be done?
    IBM link #2: showing it can be done
    IBM link #3: no longer supported by IBM?
    IBM link #4: showing people have it working

    A Past CA Forums discussion
    A More Recent Past CA Forums Discussion


    So I get the feeling this will go nowhere.
    It obviously has a built-in 4.x style Web Agent, so my guess is that IBM is responsible for upkeep on this agent....


  • 3.  RE: IBM DataPower and CA SiteMinder

    Posted Jun 25, 2013 08:54 AM
    For CA people wondering about DataPower.


    It has a place for a "User Agent" that takes a server, username and password... or in SM terms: Server, Agent Name and Shared Secret

    It then has something called "AAA Rules" which can outsource Authentication and/or Authorization to SiteMinder, which takes a Host, Port and URI

    I am trying to get screen shots of this unfilled out for my own records on the chance we get this working here. If I can, I will send the blank screen shots to this thread for SiteMinder folk to have some idea if they get questions in the future.

    -Josh


  • 4.  RE: IBM DataPower and CA SiteMinder

    Posted Jun 25, 2013 11:32 AM
    More information to collect....


    If it's not supported by IBM, why can one find "Contact Netegrity SiteMinder" on IBM Data Power Authentication Documentation?

    Authorize Tab Also has it....


    hmmm.... looks more and more like this is an IBM thing to be asking yet I'm being pushed by the DataPower people at my company to blame CA....

    clearly they have a 4.x agent archetype built in.....


  • 5.  RE: IBM DataPower and CA SiteMinder

     
    Posted Jun 25, 2013 03:17 PM
    Hi All,

    Any additional thoughts here for Josh?

    Thanks!
    Chris


  • 6.  RE: IBM DataPower and CA SiteMinder

    Broadcom Employee
    Posted Jun 27, 2013 02:36 PM
    The error is similar to the message logged by monitoring services – these monitor services would not be sending enough info to the policy server to process the three-way handshake

    In this case the SMPS logs the corresponding info, and the trace logs show “failed to receive client hello”

    We can take a look into some more data – provide it the issue, but you should also contact the vendor for custom code

    Collect packet trace - looking for the initial three way
    Also need API/agent side logging and policy server logs

    This is customer code; do not think it’s related to SSL
    After collecting the API log you may find an issue with cryptography libraries


  • 7.  RE: IBM DataPower and CA SiteMinder
    Best Answer

    Posted Jul 09, 2013 02:39 PM
    Steve,

    DataPower is convoluted.
    It requires talking to a full agent (IBM is scared of using the SDK for licensing)
    It requires a valid server (example.com) with a valid port (80) and URI (protected/exists.html) that actually exists.

    (Examples in the parentheses are based on what is used at my location. Note for the URI that DataPower puts a / in front of the URI given....)

    We have this seemingly working now... it appears DataPower splits authentication and authorization and, due to not having an SDK agent, actually has SM do both at both stages. hahaha.....

    -Josh