Symantec Access Management

  • 1.  SPS VHOST issue

    Posted Sep 19, 2022 08:07 AM
    Hi All,

    Can anyone help with the below?
    When I use config-1 as proxy rules, the login page appears and credentials are entered; in the backend the user is AUTHN/AUTHZ at the policy server, but redirection to the protected resource still does not happen and it gets stuck at the *.fcc page. Once I refresh the same page, the protected page loads, as the cookie is already generated.
    When using case-2 as proxy rules, all seems fine.

    ---config-1

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="https://dev.smspsui.partners.com/" debug="yes">
    <nete:cond type="host" criteria="equals">
    <nete:case value="dev-smtestsso.partners.com"><nete:forward>http://192.168.10.15:500$0</nete:forward>
    </nete:case>
    <nete:case value="dev-smauth.partners.com"><nete:forward>https://dev-smauth.partners.com:443$0</nete:forward>
    </nete:case>
    <nete:default><nete:forward>http://www.ca.com$1</nete:forward>
    </nete:default>
    </nete:cond>
    </nete:proxyrules>

    ---config-2

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="https://dev-smspsui.partners.com/" debug="yes">
    <nete:cond type="uri" criteria="beginswith">
    <nete:case value="/siteminderagent"><nete:forward>https://dev-smauth.partners.com:443$0</nete:forward>
    </nete:case>
    <nete:case value="/form1/"><nete:forward>http://192.168.10.15:500$0</nete:forward>
    </nete:case>
    <nete:default><nete:forward>http://www.ca.com$1</nete:forward>
    </nete:default>
    </nete:cond>
    </nete:proxyrules>

    Below is my Vhost config. I have created 2 vhosts. Only the below is the additional config I made; the rest of server.conf remains with the default config.

    # Virtual Host for sm-test-apps
    <VirtualHost name="dev-smtestsso.partners.com">
    hostnames="dev-smtestsso.partners.com"
    defaultsessionscheme="default"
    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"
    enableproxypreservehost="Yes"
    <WebAgent>
    sminitfile="/appl/CA/secure-proxy/proxy-engine/conf/dev-smtestsso.partners.com/WebAgent.conf"
    </WebAgent>
    </VirtualHost>

    # Virtual Host for sm-authn
    <VirtualHost name="dev-smauth.partners.com">
    hostnames="dev-smauth.partners.com"
    defaultsessionscheme="default"
    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"
    enableproxypreservehost="Yes"
    <WebAgent>
    sminitfile="/appl/CA/secure-proxy/proxy-engine/conf/dev-smauth.partners.com/WebAgent.conf"
    </WebAgent>
    </VirtualHost>

    ------------


    Also, when I use the below as per "examples/proxyrules/proxyrules_example6.xml", it's not working. Are nested condition types not allowed in SPS?

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="http://dev-smspsui.partners.com/">
    <nete:cond type="host">
    <nete:case value="dev-smtestsso.partners.com">
    <nete:cond type="host" criteria="equals">
    <nete:case value="dev-smtestsso.partners.com:443">
    <nete:forward>http://192.168.10.15:500$0</nete:forward>
    </nete:case>
    <nete:default>
    <nete:forward>http://www.ca.com$1</nete:forward>
    </nete:default>
    </nete:cond>
    </nete:case>
    <nete:case value="dev-smauth.partners.com">
    <nete:cond type="host" criteria="equals">
    <nete:case value="dev-smauth.partners.com:443">
    <nete:forward>http://dev-smauth.partners.com$0</nete:forward>
    </nete:case>
    <nete:default>
    <nete:forward>http://www.ca.com$1</nete:forward>
    </nete:default>
    </nete:cond>
    </nete:case>
    </nete:cond>
    </nete:proxyrules>




    ------------------------------
    Regards,
    Gowtham.
    ------------------------------


  • 2.  RE: SPS VHOST issue

    Posted Sep 19, 2022 10:09 AM
    What is the protected URL you are accessing and the fcc URL? Nested conditions are allowed in SPS. But the xml file is wrong. Are you repeating the host condition because you have both http and https requests? If so, first complete one set of host conditions and then move to the next set. Don't mix both at the same time.

    ------------------------------
    -- Sreekanth
    ------------------------------



  • 3.  RE: SPS VHOST issue

    Posted Sep 20, 2022 05:00 AM
    Hi Sreekanth,

    Thank you for the response.

    Protected URL = https://dev-smtestsso.partners.com/form1/
    FCC URL = https://dev-smauth.partners.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0006ecbf-3132-1323-9dcd-0a1fc0a80000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-dIQ6Jlu2QwTU0U%2felVm%2fPHejoPE6RFBpPsAU%2fTrfmbO103wNwwc3wUwt8Rrjw5Xa%2b3Kkn6XRTlscwgPhIvJHDZfD%2bAsc4LA4&TARGET=-SM-https%3a%2f%2fdev--smtestsso%2epartners%2ecom%2fform1%2f

    Below is the trace.



    For the nested case 


    Both hosts are HTTPS. I have created a VHOST per application and a VHOST for Authentication (where the application will reach this endpoint for AUTHN/AUTHZ).

    Could you please let me know where I went wrong in the below XML?

    I just used proxyrules_example6.xml and replaced the host entries. I even copied the content from the example file and tried to do validation in the proxy UI; it gives an error. It seems the code in the example file itself is wrong.


    Regards,
    Gowtham.





  • 4.  RE: SPS VHOST issue

    Posted Sep 20, 2022 09:37 AM

    I guess you had used <nete:case value="dev-smtestsso.partners.com:443"> while testing Config1, else https://dev-smtestsso.partners.com/form1/ will not have any match. I think you are getting confused. To some extent it may be possible to use different types of configs to get the desired result. Instead of trying all things at once, start with one config type and try to get the desired result from there. I suggest the config1 approach.

    1. If your env has multiple apps, then use a host-based setup (config1). You can further define URIs if you need. But there is no need to define /siteminderagent; it will be handled by SPS automatically.
    2. If your env has just a few apps and URIs are not repeated among apps, then you may use a URI-based setup (config2). What will you do if App1 uses /abc and App2 also uses /abc?
    3. Yes, one or two example files given by the vendor are syntactically wrong; don't use them without proofreading. The below doesn't make any sense. You might have noticed DTD errors in server.log when you tried this.

    <nete:cond type="host">
    <nete:case value="dev-smtestsso.partners.com">
    <nete:cond type="host" criteria="equals">
    <nete:case value="dev-smtestsso.partners.com:443">
    <nete:forward>http://192.168.10.15:500$0</nete:forward>
    </nete:case>

    4. If you want to convert http requests to https, then use the below in httpd.conf. It is easier to read than writing a rule again in proxyrules.xml.

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

    5. <nete:case value="dev-smtestsso.partners.com:443"> matches https://dev-smtestsso.partners.com:443 

       <nete:case value="dev-smtestsso.partners.com"> matches http://dev-smtestsso.partners.com . Both cases are different.

    Maybe you can write your requirements with URLs as examples. I can give a proxyrules.xml.




    ------------------------------
    -- Sreekanth
    ------------------------------
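
The host matching discussed in reply 4 (points 1 and 5) and the nested rule from the first post, traced in an added example that is not part of the original posts and is not vendor code. It is a small offline model of proxy-rule evaluation, useful for proofreading a rule file before deploying it. Assumptions: `equals` is the criteria when none is given, `$0` appends the full request URI, `$1` is only defined after a `uri`/`beginswith` match, and the caller passes the host string exactly as the rule engine would compare it; `resolve` and `_walk` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: config-1 and the nested rule, copied from the thread.
CONFIG_1 = """<nete:proxyrules xmlns:nete="https://dev.smspsui.partners.com/">
<nete:cond type="host" criteria="equals">
<nete:case value="dev-smtestsso.partners.com"><nete:forward>http://192.168.10.15:500$0</nete:forward></nete:case>
<nete:case value="dev-smauth.partners.com"><nete:forward>https://dev-smauth.partners.com:443$0</nete:forward></nete:case>
<nete:default><nete:forward>http://www.ca.com$1</nete:forward></nete:default>
</nete:cond></nete:proxyrules>"""
NESTED = """<nete:proxyrules xmlns:nete="http://dev-smspsui.partners.com/">
<nete:cond type="host"><nete:case value="dev-smtestsso.partners.com">
<nete:cond type="host" criteria="equals">
<nete:case value="dev-smtestsso.partners.com:443"><nete:forward>http://192.168.10.15:500$0</nete:forward></nete:case>
<nete:default><nete:forward>http://www.ca.com$1</nete:forward></nete:default>
</nete:cond></nete:case></nete:cond></nete:proxyrules>"""

def _tag(el):
    return el.tag.rsplit("}", 1)[-1]  # strip the XML namespace

def _walk(node, host, uri, rest=None):
    """Return the forward URL chosen under `node`, or None if nothing matches."""
    for child in node:
        if _tag(child) == "forward":
            url = child.text.strip().replace("$0", uri)
            # $1 is only defined after a uri/beginswith match; else leave it visible.
            return url if rest is None else url.replace("$1", rest)
        if _tag(child) == "cond":
            subject = host if child.get("type") == "host" else uri
            crit = child.get("criteria", "equals")  # assumed default criteria
            for case in (b for b in child if _tag(b) == "case"):
                val = case.get("value")
                if crit == "equals" and subject == val:
                    return _walk(case, host, uri, rest)
                if crit == "beginswith" and subject.startswith(val):
                    tail = subject[len(val):] if child.get("type") == "uri" else rest
                    return _walk(case, host, uri, tail)
            for default in (b for b in child if _tag(b) == "default"):
                return _walk(default, host, uri, rest)
            return None
    return None

def resolve(rules_xml, host, uri):
    """host: the host string as the rule engine compares it (port included or not)."""
    return _walk(ET.fromstring(rules_xml), host, uri)

if __name__ == "__main__":
    for h in ("dev-smtestsso.partners.com", "dev-smtestsso.partners.com:443"):
        print(h, "->", resolve(CONFIG_1, h, "/form1/"), "|", resolve(NESTED, h, "/form1/"))
```

Under these assumptions the nested rule never forwards to 192.168.10.15: the bare host reaches the inner condition but fails the `:443` comparison, and the `:443` form never passes the outer case.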