Symantec Access Management

  • 1.  How do I use an X.509 Auth Scheme with Secure Proxy Server

    Posted May 17, 2013 09:52 AM
    I have HTML Forms auth configured and working, but I haven't found any information on configuring an X.509 authentication scheme using CA SiteMinder Secure Proxy Server r12.51 as the credential collector webserver. Can anyone help? I basically just need to know how to get SPS to prompt for the user's certificate.


  • 2.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

    Posted May 17, 2013 10:56 AM
    I created an X.509 auth scheme in the admin ui and pointed it to the Secure Proxy Server address.

    I added a location stanza to the sps_home/secure-proxy/httpd/conf/extra/httpd-ssl.conf and am getting prompted for my certificate. Once I enter my certificate info I am getting a 500 error.


    <Location "/siteminderagent/cert">
    SSLVerifyClient require
    SSLVerifyDepth 10
    </Location>


  • 3.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

    Posted May 20, 2013 03:44 PM
    Do I need to enable a Web Agent plugin in WebAgent.conf?


  • 4.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

    Broadcom Employee
    Posted May 23, 2013 12:22 AM
    Hi Brett

    brettcarroll wrote:

    Do I need to enable a Web Agent plugin in WebAgent.conf?
    Yes.

    You've done the hard work, which is getting Apache to prompt the user for the certificate. Once you enable the webagent it will process the GET request for the .scc resource.

    How it works is that Siteminder does not do anything particularly clever, it just captures the CERT and DN from what was passed into apache, and then the agent passes those back to the policy server. The policy server then has the rules to extract the user name from the cert.

    Older versions of SPS did not work with CERT Auth schemes, but recent ones do.

    So, enabling the agent should be all you should need to do now - but do that and let's see :-)

    Cheers - Mark


  • 5.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

    Posted May 28, 2013 08:55 AM

    mark.odonohue wrote:

    enabling the agent should be all you should need to do now
    The Web Agent is enabled. Is there something else I need to do to enable the Web Agent to process X.509 authentication schemes?


  • 6.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

     
    Posted Jun 06, 2013 12:56 PM
    Hi All,

    Any other ideas here for Brett?

    Thanks!
    Chris


  • 7.  RE: How do I use an X.509 Auth Scheme with Secure Proxy Server

    Posted Jun 25, 2013 10:40 AM
    Is this the correct URI for x.509 authentication in CA SiteMinder Secure Proxy Server r12.51?
    /siteminderagent/cert/smgetcred.scc


    The error I am getting in the web browser says "Server Error. The server was unable to process your request."

    Here are the related webagent trace log messages:
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Entering the agent.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Virtual Host: default]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Using session scheme: default]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Using default user agent]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProcessRequest][Start new request.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessResource][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'sps.mydomain.com'.]
    [06/25/2013][10:33:04][8096][100][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][sps.mydomain.com]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved hostname: 'sps.mydomain.com'.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved agentname: 'wa-smsps1'.]
    [06/25/2013][10:33:04][8096][100][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address '192.168.1.1'.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved URL: '/siteminderagent/cert/smgetcred.scc'.]
    [06/25/2013][10:33:04][8096][100][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'POST'.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.mydomain.com'.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessResource][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessResource][Calling SM_WAF_SPS_PLUGIN->ProcessResource.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessResource][SM_WAF_SPS_PLUGIN->ProcessResource returned SmNoAction.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmSessionManager::EstablishSession][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmSessionManager::EstablishSession][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmSessionManager::EstablishSession][Calling SM_WAF_SPS_PLUGIN->EstablishSession.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmSessionManager::EstablishSession][SM_WAF_SPS_PLUGIN->EstablishSession returned SmNoAction.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProcessRequest][ProtectionManager returned SmNo, end new request.]
    [06/25/2013][10:33:04][8096][100][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProcessAdvancedAuthentication][Start new request.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessAdvancedAuthResource][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessAdvancedAuthResource][Resolved HTTP_HOST: 'sps.mydomain.com'.]
    [06/25/2013][10:33:04][8096][100][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][sps.mydomain.com]
    [06/25/2013][10:33:04][8096][100][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address '192.168.1.1'.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmHttpPlugin::ProcessAdvancedAuthResource][ParseParameters returned SmFailure.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][CSmResourceManager::ProcessAdvancedAuthResource][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmExit.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProcessAdvancedAuthentication][ResourceManager returned SmExit, end new request.]
    [06/25/2013][10:33:04][8096][100][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 500]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Exit status returned from the agent.]
    [06/25/2013][10:33:04][8096][100][1bc1c28a-7deda059-10011644-c1f37dd2-a7599fcd-0e][ProxyValve::invoke][Leaving the agent.]
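
    A small triage helper for traces in the format quoted above, added here as an example and not part of this thread or of the SiteMinder product: it splits each line into its bracketed fields, records what the agent resolved for the request (URL, method, agent name, auto-authorization), and reports the first SmFailure/SmExit return together with the final HTTP status. The sample trace is constructed from the lines above with a placeholder transaction id.

```python
import re

# Constructed sample in the SPS webagent trace format quoted in the post above;
# fields are date, time, pid, thread, transaction id, function, message.
# 'tx-0001' is a placeholder transaction id, not the one from the thread.
SAMPLE_TRACE = """\
[06/25/2013][10:33:04][8096][100][tx-0001][ProxyValve::invoke][Entering the agent.]
[06/25/2013][10:33:04][8096][100][tx-0001][CSmHttpPlugin::ProcessResource][Resolved URL: '/siteminderagent/cert/smgetcred.scc'.]
[06/25/2013][10:33:04][8096][100][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
[06/25/2013][10:33:04][8096][100][tx-0001][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'POST'.]
[06/25/2013][10:33:04][8096][100][tx-0001][CSmHttpPlugin::ProcessAdvancedAuthResource][ParseParameters returned SmFailure.]
[06/25/2013][10:33:04][8096][100][tx-0001][CSmResourceManager::ProcessAdvancedAuthResource][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmExit.]
[06/25/2013][10:33:04][8096][100][tx-0001][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 500]
"""
FIELD_RE = re.compile(r"\[([^\]]*)\]")
RESOLVED_RE = re.compile(r"Resolved (URL|METHOD|agentname): '([^']*)'")
RETURN_RE = re.compile(r"(\S+) returned (SmFailure|SmExit)")
STATUS_RE = re.compile(r"HTTP Status Code = (\d+)")

def parse_line(line):
    """Split a trace line into (function, message); None if it is not a trace line."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 7:
        return None
    # A message can itself contain '][', so rejoin everything after the function field.
    return fields[5], "][".join(fields[6:])

def triage(trace):
    """Summarise one agent request: what was resolved, where it failed, final status."""
    s = {"url": None, "method": None, "agentname": None,
         "auto_authorized": False, "failures": [], "status": None}
    for rec in filter(None, map(parse_line, trace.splitlines())):
        func, msg = rec
        if m := RESOLVED_RE.search(msg):
            s[m.group(1).lower()] = m.group(2)
        if "Auto-authorizing" in msg:
            s["auto_authorized"] = True
        if m := RETURN_RE.search(msg):
            s["failures"].append((func, m.group(1), m.group(2)))
        if m := STATUS_RE.search(msg):
            s["status"] = int(m.group(1))
    return s

def verdict(s):
    """One-line reading of the summary, limited to what the trace itself records."""
    if s["status"] == 500 and s["failures"]:
        func, step, code = s["failures"][0]
        return f"{s['url']}: 500 from the agent; first failure {step} -> {code} in {func}"
    return f"{s['url']}: no agent-side failure recorded (status {s['status']})"
```

    Run against the full trace in the post, the verdict shows that the .scc request was rejected inside the agent's own parameter parsing and answered with 500 before any policy server authentication step was reached.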


  • 8.  Re: How do I use an X.509 Auth Scheme with Secure Proxy Server
    Best Answer

    Posted Jun 07, 2017 07:44 PM

    I know it's late, but here are the step-by-step instructions for achieving this:

     

    Tech Tip : CA Single Sign-On :CA Access Gateway:X.509 Cert Authentication