Symantec Access Management

SiteMinder Idle Timeouts 

09-25-2018 06:03 PM

Scenario
The security auditors have been combing through your CA SSO environment.  They have issued a finding that a sample of your realms have idle timeouts greater than the maximum value prescribed by corporate security guidelines.  You are now required to conduct a complete audit of all realm timeouts and develop a plan to reduce any timeouts that exceed guidelines.


Restriction
The sm_idle_timeouts script was developed using the SiteMinder Perl API to address this problem for legacy domains. Application domains are out of scope because the Perl API cannot access XPS objects, but the coding logic in sm_idle_timeouts could be used as a model for developing a similar tool using the Java API or, for CA SSO 12.6 or higher, the REST API.


Solution Overview

The sm_idle_timeouts tool set is comprised primarily of two files:

  • sm_idle_timeouts_v0.1.6_2018-09-25 – the latest version of the Perl script
  • Domains.txt – an input file used by the Perl script. This input file facilitates processing a large number of domains without having to enter them manually on the command line or during script execution.

Modifying dozens or hundreds of domains and an even greater number of realms via the WAMUI would be time consuming and potentially prone to error, so this script offers a far more efficient way to update the idle timeout for a large number of realms.


Please see the attached zip file for the Perl script, additional documentation and supporting files.


The content of the Word document should probably be migrated to a template with suitable branding, etc.  Any pointers and recommendations are welcome.

Attachment(s)
zip file
SM Idle Timeouts 2018-09-26.zip   52K   1 version
Uploaded - 05-29-2019
Comments

09-26-2018 03:25 PM

From the comments of the latest Perl script I just uploaded (don't forget to include the exclamation point at the end of the keyword!):


# ARGV[1] - domains file. This is the list of domains for which
# the realm timeouts should be modified, or a single domain
# name. This argument also has a special, case-sensitive
# keyword. Process all legacy domains if:
# ARGV[1]=GetAllDomains!
# This should be quite useful during auditing runs to
# retrieve all timeouts, import the output file into Excel,
# filter as desired, then create a Domains.txt file for more
# focused modification of idle timeouts.


The documentation file (.docx) in the .zip file is revised to reflect this change.
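The audit-and-modify loop that the post's Solution Overview and the comment above describe (a Domains.txt input file, a single domain name, or the case-sensitive GetAllDomains! keyword; an audit pass that writes a CSV for Excel filtering; a modify pass that lowers only the realms above the corporate ceiling), as an added Perl example. This is not the attached sm_idle_timeouts script. It assumes the SiteMinder Perl Policy Management API as documented for legacy domains (Netegrity::PolicyMgtAPI->New, CreateSession, GetAllDomains, GetDomain, GetAllRealms, and the get/set form of IdleTimeout); the 1800-second ceiling, the SM_ADMIN/SM_PASSWORD environment variables, the output file name and the script name are placeholders.

```perl
#!/usr/bin/perl
# Added example (not the attached sm_idle_timeouts script): audit legacy-domain
# realm idle timeouts against a corporate ceiling and, in modify mode, lower
# only the ones that exceed it. Uses the SiteMinder Perl Policy Management API
# (Netegrity::PolicyMgtAPI) as documented; the ceiling, credential variables
# and file names are placeholders to adjust for your environment.
use strict;
use warnings;
use Netegrity::PolicyMgtAPI;

# Usage: sm_idle_audit.pl <audit|modify> <Domains.txt | DomainName | GetAllDomains!>
my ($mode, $domain_arg) = @ARGV;
die "usage: $0 <audit|modify> <domains-file|domain|GetAllDomains!>\n"
    unless defined $mode && defined $domain_arg && $mode =~ /^(audit|modify)$/;

my $MAX_IDLE = 1800;                                # placeholder: corporate maximum, seconds
my $ADMIN    = $ENV{SM_ADMIN} // 'siteminder';      # placeholder administrator name
my $PASSWORD = $ENV{SM_PASSWORD} // die "set SM_PASSWORD in the environment\n";
my $OUTFILE  = 'idle_timeouts.csv';                 # import into Excel, filter, build Domains.txt

my $api = Netegrity::PolicyMgtAPI->New()
    or die "cannot initialise the Policy Management API\n";
my $session = $api->CreateSession($ADMIN, $PASSWORD)
    or die "CreateSession failed for $ADMIN\n";

# Resolve the domain argument: the case-sensitive keyword, a file of domain
# names (one per line; blank lines and # comments ignored), or one domain name.
my @domains;
if ($domain_arg eq 'GetAllDomains!') {
    @domains = $session->GetAllDomains();
} else {
    my @names;
    if (-f $domain_arg) {
        open my $fh, '<', $domain_arg or die "cannot open $domain_arg: $!\n";
        while (my $line = <$fh>) {
            chomp $line;
            next if $line =~ /^\s*(#|$)/;
            push @names, $line;
        }
        close $fh;
    } else {
        @names = ($domain_arg);
    }
    for my $name (@names) {
        my $d = $session->GetDomain($name);
        if ($d) { push @domains, $d } else { warn "domain not found: $name\n" }
    }
}

open my $out, '>', $OUTFILE or die "cannot write $OUTFILE: $!\n";
print $out "Domain,Realm,IdleTimeout,ExceedsMax,NewIdleTimeout\n";

my ($checked, $over, $changed) = (0, 0, 0);
for my $domain (@domains) {
    for my $realm ($domain->GetAllRealms()) {
        $checked++;
        my $idle    = $realm->IdleTimeout();                 # getter form
        my $exceeds = (defined $idle && $idle > $MAX_IDLE) ? 1 : 0;
        my $new     = '';
        if ($exceeds) {
            $over++;
            if ($mode eq 'modify') {
                $realm->IdleTimeout($MAX_IDLE);               # setter form of the same method
                $new = $realm->IdleTimeout();                 # read back to confirm the change
                $changed++ if defined $new && $new == $MAX_IDLE;
            }
        }
        printf $out "%s,%s,%s,%d,%s\n",
            $domain->Name(), $realm->Name(), $idle // '', $exceeds, $new;
    }
}
close $out;
printf "realms checked: %d, above %ds: %d, modified: %d (report: %s)\n",
    $checked, $MAX_IDLE, $over, $changed, $OUTFILE;
```

Run it first in audit mode with GetAllDomains! so that nothing is written to the policy store; the CSV then gives the complete picture the auditors asked for, and the ExceedsMax column is what you filter on to produce a narrower Domains.txt for the modify run. Reading the value back after the set, rather than trusting the call, is what lets the modified count in the summary line double as the evidence for the remediation plan.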

09-26-2018 10:05 AM

Thanks, KB.  I'll add a command line option to process all domains: @domains=$session->GetAllDomains().  That should be especially helpful in audit mode, after which initial results may be imported into Excel and filtered to create a Domains.txt file so subsequent modify runs may focus only on domains with realm timeouts that need to be updated.  I should be able to get that done by early next week.

09-25-2018 09:54 PM

Nice script, Rich. Was the requirement to modify only a few domains at JPMC the reason for needing input from a file? If not, we can set it in a loop to go through each domain and the realm(s) under it and modify the timeout in a looped fashion if the needed value does not exist, as it's the same method that can retrieve and set the value via CLI.
