Symantec SiteMinder

 View Only

Tech Tip : CA Single Sign-On :: Policy Server:How to Configure Enhanced Session Assurance

By Ujwol posted Aug 03, 2016 09:36 PM

  

Issue/Problem/Symptoms:

This document will provide step by step guide to configure Enhanced Session Assurance with DeviceDNA™ functionality.

Environment:

  • CA Access Gateway (formerly CA Secure Proxy Server ) : R12.52SP1 and above
  • Policy Server : R12.52SP1 and above

Pre-requisites:

Policy Server

  • Ensure "CA RiskMinder" ( Advanced Authentication ) service is up and running on the Policy Server.

Tip:

Check Service Console.

Check <PolicyServer_Install_Directory>\CA\aas\logs\cariskminderstartup.log

The log should say:

"CA RiskMinder Service READY"

  • Ensure that you have installed and configured Session Store.

 

CA Access Gateway Server (formerly CA Secure Proxy Server)

  • Ensure that you have configured CA Access Gateway server to use SSL (Only front end Apache is sufficient)
  • Ensure that you can telnet from CA Access Gateway server to Policy server on port 7680
  • Ensure that JCE ( Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files ) patch is applied on the JRE used by CA Access Gateway server.
  • Ensure "CA Advanced Authentication Flow Application" ( Advanced Authentication ) service is up and running on the CA Single Sign-On CA Access Gateway Server.

This could be verified by accessing following URL :

https://<CA_Access_Gateway_Server_FQDN>:<SSL_PORT>/uiapp/

You should get a page similar to below. (Ignore the error, as it is just indicating that the required parameter is not being passed)

 

Instructions:

  • Create Enhanced Session Assurance end points

    From Administrative UI, click Policies-->Global-->Session Assurance Endpoints.

  • Add Session Assurance End Point to your realm

     Note : For Session Assurance to work it is NOT necessary to enable Persistent Session on the realm.

  • Ensure that the ACO used by your CA Access Gateway server has ".sac" extension included in the IgnoreExt ACO parameter

  • Ensure that ACO used by your CA Access Gateway has the SACExt parameter set to ".sac" as below :

Testing:

Sample working fiddler trace is attached - SessionAssurance_Working.saz

 

Additional Information:

 

  • As the FLOW App on the CA Access Gateway is a local app deployed as web app on the Tomcat server, you do not need to configure any proxy rules in the Proxyrules.xml pertaining to the session assurance.
  • How to configure SSL on CA Access Gateway

Configuring SSL for CA SiteMinder® SPS

  • CA Single Sign-On Bookshelf intro on Session Assurance Configuration

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-…

1 comment
0 views