
CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 14th July 2015.

 

1. Stop the WAM UI service.

 

2. Update the SSL port in bindings-jboss-beans.xml file residing under <adminui>\server\default\conf\bindingservice.beans\META-INF\ directory:

 

<xsl:template match="Connector[@SSLEnabled='true' and @port = '8443']">

 

<entry>
<key>httpsPort</key>
<value>8443</value>
</entry>


3. Update the SSL port in server.xml residing under <adminui>\server\default\deploy\jbossweb.sar\ directory:


<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" connectionTimeout="20000" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="10240" maxPostSize="0" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>

 

4. If you have previously registered the WAM UI over SSL, remove the ‘data’ folder residing under the <adminui>\server\default\ directory and clean up the relevant trusted host and admin objects.

 

5. Start WAM UI and access the WAM UI over SSL with the new SSL port.
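As an added example (not code from the tech tip or from CA), a Python script that applies steps 2 and 3 to the two files and then verifies that the httpsPort entry, the xsl:template match and the SSL Connector all agree on the new port; it also lists the RC4/3DES/MD5 suites still named on the connector, which are weak by current standards. The two XML fragments are constructed stand-ins shaped like the real files, and 9443 is only an example of a new port.

```python
import xml.etree.ElementTree as ET

ET.register_namespace("xsl", "http://www.w3.org/1999/XSL/Transform")
# Constructed stand-ins shaped like the two files in the tip (not the real files).
BINDINGS_FRAGMENT = """<beans xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="Connector[@SSLEnabled='true' and @port = '8443']"/>
<entry><key>httpPort</key><value>8080</value></entry>
<entry><key>httpsPort</key><value>8443</value></entry>
</beans>"""
SERVER_XML_FRAGMENT = """<Service name="jboss.web">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
 ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service>"""

def update_bindings(xml_text, old_port, new_port):
    """Step 2: rewrite the httpsPort entry and the xsl:template match that selects the SSL connector."""
    root, changed = ET.fromstring(xml_text), 0
    old_match, new_match = "@port = '%d'" % old_port, "@port = '%d'" % new_port
    for el in root.iter():
        if el.get("match") and old_match in el.get("match"):
            el.set("match", el.get("match").replace(old_match, new_match))
            changed += 1
        if el.tag == "entry" and el.findtext("key") == "httpsPort":
            el.find("value").text = str(new_port)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def update_server_xml(xml_text, old_port, new_port):
    """Step 3: move the SSL connector and repoint the plain HTTP connector's redirectPort."""
    root, changed = ET.fromstring(xml_text), 0
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled") == "true" and conn.get("port") == str(old_port):
            conn.set("port", str(new_port))
            changed += 1
        if conn.get("redirectPort") == str(old_port):
            conn.set("redirectPort", str(new_port))
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def ssl_ports(bindings_text, server_text):
    """(httpsPort from the bindings file, SSL connector port from server.xml); the two must match."""
    https = next(e.findtext("value") for e in ET.fromstring(bindings_text).iter("entry") if e.findtext("key") == "httpsPort")
    ssl = next(c.get("port") for c in ET.fromstring(server_text).iter("Connector") if c.get("SSLEnabled") == "true")
    return https, ssl

def weak_ciphers(server_text):
    """Suites on the SSL connector that are weak by current standards (RC4, 3DES, MD5, export grade)."""
    suites = [c.get("ciphers", "") for c in ET.fromstring(server_text).iter("Connector") if c.get("SSLEnabled") == "true"]
    return [s for s in ",".join(suites).split(",") if any(m in s for m in ("RC4", "3DES", "_MD5", "EXPORT"))]
```

The server.xml shown above also carries keystorePass="changeit", the well-known Java default; treat that as a second thing to change while the file is open.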

Use case: the IDP sends 2 user attributes and the SP (SiteMinder) needs to store their values for later use, but SiteMinder returns a null value.

 

IDP (3rd party): www.kimmy.lab

SP (SiteMinder): www.ondemand.lab

 

The IDP sends the following SAML Response (this is just a sample).

It carries 2 user attributes, UID (UserID) and Name, located at the bottom of the SAML Response.

SAML Response Sample

<UserCredentials><Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.ondemand.lab/affwebservices/public/saml2assertionconsumer" ID="_5cf9c6f49d05027488d50a64224f85b18a97" IssueInstant="2015-07-02T02:21:17Z" Version="2.0">
    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.kimmy.lab</ns1:Issuer>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d00e3fb7d5498e1978545bb11730960cc22e" IssueInstant="2015-07-02T02:21:17Z" Version="2.0">
        <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.kimmy.lab</ns2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_d00e3fb7d5498e1978545bb11730960cc22e">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>hJsu2Ow9gXcjaHyAyAes6Eygl+s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Trimmed
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
Trimmed
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
        <ns2:Subject>
            <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Kim</ns2:NameID>
            <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <ns2:SubjectConfirmationData NotOnOrAfter="2015-07-02T02:22:47Z" Recipient="https://www.ondemand.lab/affwebservices/public/saml2assertionconsumer"/>
            </ns2:SubjectConfirmation>
        </ns2:Subject>
        <ns2:Conditions NotBefore="2015-07-02T02:20:47Z" NotOnOrAfter="2015-07-02T02:22:47Z">
            <ns2:OneTimeUse/>
            <ns2:AudienceRestriction>
                <ns2:Audience>https://www.ondemand.lab</ns2:Audience>
            </ns2:AudienceRestriction>
        </ns2:Conditions>
        <ns2:AuthnStatement AuthnInstant="2015-07-02T02:21:16Z" SessionIndex="Hn83hYcT0+SpMdbq+vs7KcjszsQ=EMkuBw==" SessionNotOnOrAfter="2015-07-02T02:22:47Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>
        <ns2:AttributeStatement>
            <ns2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:assertion">
                <ns2:AttributeValue>kimsu05</ns2:AttributeValue>
            </ns2:Attribute>
            <ns2:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:assertion">
                <ns2:AttributeValue>Sung Hoon Kim</ns2:AttributeValue>
            </ns2:Attribute>
        </ns2:AttributeStatement>
    </ns2:Assertion>
</Response><Binding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</Binding><AssertionConsumerServiceURL>https://www.ondemand.lab/affwebservices/public/saml2assertionconsumer</AssertionConsumerServiceURL><FederationAPIVersion>FederationAPIVersion=1</FederationAPIVersion></UserCredentials>

 

In the SiteMinder AdminUI, the SP Partnership is configured to persist these attributes so that they can be used again.

The attributes are used unmodified, so no attribute mapping is configured.

[Image: Capture.PNG]

However, these attributes are not being stored in the session store.

The following shows the expected result and the actual result you will find in smtracedefault.log.

smtracedefault.log (search keyword "255:")

Expected Result: you should see the following entry in smtracedefault.log

 

[SAMLData: SAMLData:
   nameId: Kim
   format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
   loginId: Kim
   authnContext: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
   providerId: https://www.kimmy.lab
   assertionId: _d00e3fb7d5498e1978545bb11730960cc22e
   nameQualifier: null
   isPostBinding: true
   txnId: 201e6e54-00a943f5-92fc97ae-1a7419bf-9d8b40d0-893
   sessionIndex: Hn83hYcT0+SpMdbq+vs7KcjszsQ=EMkuBw==
   assnExpire: null
   allowCreate: null
   authnContextStrength: null
   smcAuthLevel: null
   Attributes:
      Name=(Sung Hoon Kim)
      UserID=(kimsu05)
   AllowCreate: null
   WA fedApiVersion: -1
   PS fedApiVersion: 1
   BUFFER: null
   UNKNOWN: null]

Actual Result: the following is logged, and you can see that Name and UserID have null values

 

[SAMLData: SAMLData:
   nameId: Kim
   format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
   loginId: Kim
   authnContext: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
   providerId: https://www.kimmy.lab
   assertionId: _d00e3fb7d5498e1978545bb11730960cc22e
   nameQualifier: null
   isPostBinding: true
   txnId: 201e6e54-00a943f5-92fc97ae-1a7419bf-9d8b40d0-893
   sessionIndex: Hn83hYcT0+SpMdbq+vs7KcjszsQ=EMkuBw==
   assnExpire: null
   allowCreate: null
   authnContextStrength: null
   smcAuthLevel: null
   Attributes:
      Name=
      UserID=
   AllowCreate: null
   WA fedApiVersion: -1
   PS fedApiVersion: 1
   BUFFER: null
   UNKNOWN: null]

 

It was found that this is expected behavior, by design.

SiteMinder accepts 3 types of attribute NameFormat.

 

If you are using SiteMinder as the IDP, you will find the following "Assertion Attributes" section where user attributes are added.

Note that there are "Unspecified", "Basic" and "URI" Format types.

[Image: Capture1.PNG]

 

According to the OASIS SAML 2.0 specification, only these formats are defined.


https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf


[Image: Capture2.PNG]

[Image: Capture3.PNG]


Going back to the SAML Response above, its attributes carried the following NameFormat.

 

NameFormat

        <ns2:AttributeStatement>
            <ns2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:assertion">
                <ns2:AttributeValue>kimsu05</ns2:AttributeValue>
            </ns2:Attribute>
            <ns2:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:assertion">
                <ns2:AttributeValue>Sung Hoon Kim</ns2:AttributeValue>
            </ns2:Attribute>
        </ns2:AttributeStatement>


NameFormat="urn:oasis:names:tc:SAML:2.0:assertion" does not adhere to the OASIS SAML specification.

When an unsupported NameFormat attribute is received, SiteMinder sets the attribute value to "null".

That is why the attribute name is stored but not its value.

In this case, the IDP side must modify the assertion to conform to the specification.


CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 5th July 2015


CA Secure Proxy Server requires the Java Runtime Environment used by the agent to support unlimited key strength in the Java Cryptography Extension package.

 

Configure the JVM to Use the JSafeJCE Security Provider

To enable encryption, configure the JVM that is running the CA SiteMinder® SPS so it uses the JSafeJCE Security Provider.


Follow these steps:

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files package for the Java version you are using from the Oracle website.
  2. Navigate to the <JDK>\jre\lib\security directory.
  3. Replace the following files with the files from the JCE Unlimited Strength Jurisdiction Policy Files package:
    • local_policy.jar
    • US_export_policy.jar
  4. Open the java.security file.
  5. Add the following line to the List of Providers section so that JSafeJCE becomes the second security provider:

       security.provider.2=com.rsa.jsafe.provider.JsafeJCE

  6. Increment the order of preference of the other security providers by 1.
  7. Add the following line at the end of the existing security providers list. This line sets the initial FIPS mode of JSafeJCE:

       com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE

  8. Save the changes.
  9. Restart the CA SPS service.


The following example shows the List of Providers section of the java.security file after you configure the JVM:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
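As an added example (not code from the tech tip or from CA), a Python helper that performs steps 5 to 7 on the List of Providers section and then checks the result: JsafeJCE at position 2, the remaining providers renumbered without gaps or duplicates, and the FIPS mode line present. The BEFORE fragment is a constructed provider list, and the helper only handles the security.provider.N lines and the FIPS line, not the rest of java.security.

```python
import re

JSAFE_PROVIDER = "com.rsa.jsafe.provider.JsafeJCE"
FIPS_MODE_LINE = "com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)$")

# Constructed List of Providers section as it looks before the change (JsafeJCE absent).
BEFORE = """security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
"""

def parse_providers(text):
    """Ordered list of (index, provider class) taken from the security.provider.N lines."""
    found = [PROVIDER_RE.match(line.strip()) for line in text.splitlines()]
    return [(int(m.group(1)), m.group(2)) for m in found if m]

def insert_jsafe(text, position=2):
    """Steps 5-7: put JsafeJCE at `position`, shift the others down by one and
    append the FIPS mode line. Re-running on already patched text is a no-op."""
    classes = [cls for _, cls in parse_providers(text)]
    if JSAFE_PROVIDER in classes:
        classes.remove(JSAFE_PROVIDER)
    classes.insert(position - 1, JSAFE_PROVIDER)
    lines = ["security.provider.%d=%s" % (i, cls) for i, cls in enumerate(classes, 1)]
    return "\n".join(lines + [FIPS_MODE_LINE]) + "\n"

def check_config(text):
    """Problems found in the section; an empty list means it matches the end state in the tip."""
    providers = parse_providers(text)
    problems = []
    indices = [i for i, _ in providers]
    if indices != list(range(1, len(indices) + 1)):   # a forgotten step 6 shows up as a duplicate index
        problems.append("provider numbering is not contiguous from 1: %s" % indices)
    if dict(providers).get(2) != JSAFE_PROVIDER:
        problems.append("JsafeJCE is not security.provider.2")
    if FIPS_MODE_LINE not in [line.strip() for line in text.splitlines()]:
        problems.append("missing " + FIPS_MODE_LINE)
    return problems
```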

 

If you still get the following error in the STS log:
ERROR [sts=Office365] [txn=] [com.netegrity.tm.contenthelper.api.ContentHelperService] JsafeJCE is not installed as a security provider - this is an unsupported configuration


Perform one of the following:

Update the SmSpsProxyEngine.properties file (under the SPS_home\proxy-engine\conf directory) to include ‘%NETE_SPS_ROOT%\agentframework\java\cryptoj.jar’ in the -classpath

 

OR

 

Copy cryptoj.jar file from <SPS>\agentframework\java to <JDK>\jre\lib\ext file directory.

Restart CA SPS service.