One Time Password in Siteminder

Document created by Abhimanyu1989 on Feb 17, 2015

Does anyone have any idea about implementing one time password with SiteMinder? When a user tries to authenticate using SiteMinder, after the 1st authentication, an OTP should be generated and shared with the user over email or mobile. Then, after OTP verification, the user should be allowed to login. Any help would be appreciated.

 

Thanks in Advance


Hi Vasu,

 

CA SiteMinder doesn't support two factor authentication (authentication chaining) out of the box. However, this could be achieved using a custom authentication scheme.

Alternatively, you can also contact your CA account manager to engage CA Services to discuss your requirement and they should be able to provide a custom solution based on your need.

Please note that a CA Services engagement is chargeable.

 

Regards,

Ujwol Shrestha


Hi verma.vasu

I believe this can be done with Arcot. In Siteminder 12.52, Arcot comes with Siteminder. Some earlier documentation on Arcot and Siteminder can be found here: Arcot_SiteMinder_integration_TB.pdf. I don't have much knowledge on the Arcot side, but I know OTP is one of the functions in Arcot. yonli02, can you provide some insight?

 

Thanks


SiteMinder 12.52 does not come with a full version of Advanced Authentication (aka Arcot). A limited version is included which provides the new 'Session Assurance' functionality. The full version of Advanced Authentication can be integrated with SiteMinder to provide the OTP functionality described in the original post here.


Hi,

As Bill mentioned, Siteminder does not come with the full version of Advanced Authentication. I have got some input from my colleague who is familiar with Arcot. In order to achieve OTP, a set of Arcot products (AuthMinder, Arcot Adapter) need to be installed and integrated with SiteMinder before OTP can be used. AuthMinder and Arcot Adapter are not in Siteminder R12.52. Hope this helps.


Hi Ujwol,

 

Thanks for your inputs. Can you please share some information about developing a custom authentication scheme? Any link or documentation would be appreciated.

 

Thanks,

Vasu


Hi Vasu,

 

Sure.

You can refer to the following section in the CA SiteMinder Bookshelf for the detailed steps on how to create and configure a custom authentication scheme:

Programming Guides > Programming Guide for Java > Authentication and Authorization APIs

 

Here is a direct link for the same from our r12.5 Admin guide:

Authentication and Authorization APIs

 

To develop the custom authentication scheme itself, you will need to install the SiteMinder SDK. It comes with samples for most of the custom modules, including authentication and authorization.

Once you have installed the SDK, you can find the sample code for a custom authentication scheme in the following directory:

$SDK Installed Directory$\samples\javaauthapi\AuthApiSample.java

I have attached the same here for your quick reference.

 

Please note, this sample is a basic authentication scheme to get you started with the custom authentication scheme and doesn't take into account any OTP scenario (or any other complex scenario for that matter).

CA support will not be able to assist you in implementing a custom authentication scheme for your requirement. If you need any further assistance you will have to reach out to CA Services.

 

Hope this helps.

 

Regards,

Ujwol Shrestha


Hi Ujwol,

 

Thanks for providing the information. I tried the sample code, but after deploying the code into the SM policy server and creating the authentication scheme, when I try to access any resource protected using the custom-made authentication scheme, Internal Server Error 500 is returned.

From smtrace log:

[14:41:37][Starting IsProtected processing.][etst.com.au-int][/servicecentre][]
[14:41:37][Resource is protected by realm.][][/servicecentre][]
[14:41:37][** Status: Error. Reject s9/r3 : internal error - failed to obtain scheme credentials for scheme 'CIDSiteminder'][etst.com.au-int][][]
[14:41:37][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][]

 

Regards,

Verma.Vasu


Hi Vasu,

 

Did you use the custom authentication scheme sample that I provided earlier?

That error indicates that SiteMinder was not able to invoke the "query" method from your custom authentication scheme class, or it didn't receive the desired response.

This method is invoked to retrieve the following basic information about the custom authentication scheme:

 

- scheme version

- scheme description

- scheme credential type (e.g. basic/html, etc.)

 

If you are already using the sample class that I provided, then could you please explain which steps you performed to create the custom authentication scheme?

Also if possible, please upload smps.log and smtracedefault.log.

 

Regards,

Ujwol Shrestha


Hi Ujwol ,

 

I followed this particular link to configure the authentication scheme using the sample provided by you. I'm attaching the required logs.


Thanks,

Vasu


Hi Vasu,

 

I think I know what the problem is. There is a small flaw in the instructions provided. I have replied to the original thread, but for your easy reference I am attaching my reply here as well:

 

==================================================

Hello All,

 

For those of you who are getting the following error "Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme'", I think I know what the problem is.

 

It is most likely that in step (1) above java-build.bat/java-build.sh didn't execute successfully.

If you view the java-build.bat, all it is doing is compiling AuthApiSample.java as below:

 

"javac -classpath .;..\..\java\SmJavaApi.jar AuthApiSample.java"

 

As you can see above, it is expecting "SmJavaApi.jar" to be in the classpath. But when you move this batch file from its default location, it is possible that it will no longer be able to locate this SmJavaApi.jar file.

To confirm this, try running the batch file from a command prompt; you would then see errors like the ones below:

 

"C:\Custom Auth\mycustomclass - Copy\com\netegrity\sdk\javaauthapi>javac -classpath .;..\..\java\SmJavaApi.jar AuthApiSample.java

AuthApiSample.java:25: error: package com.netegrity.policyserver.smapi does not exist

import com.netegrity.policyserver.smapi.*;

^"

 

Solution

======

To fix this, you will need to specify the full path to the SmJavaApi.jar file in the batch file.

 

You can find this jar file in:

$Siteminder SDK Installed Directory$\java\SmJavaApi.jar

$Policy Server Installed Directory$\bin\jars\SmJavaApi.jar

 

So your batch file should look something like this:

javac -classpath .;C:\Program Files (x86)\CA\sdk\java\SmJavaApi.jar AuthApiSample.java

 

To confirm that the batch file executed successfully, check whether the "AuthApiSample.class" class file was created in the folder.

 

Hope this helps.

 

Regards,

Ujwol Shrestha

====================================================


Hi Ujwol,

I tried this approach also. I am still getting the Internal Server Error 500.

 

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][Send response attribute 158, data size is 104][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 146, data size is 0][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 147, data size is 0][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][** Status: Error. Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:567][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][IsProtected.cpp:212][CSm_Az_Message::IsProtected][s4/r4][][][][][][][][][][][][][Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][][][][][][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:371][CSm_Az_Message::ProcessMessage][][][][][][][][][][][][][364][][][][][][][][Leave function CSm_Az_Message::ProcessMessage][].

 

Content of my .bat file:

 

javac -classpath .;C:\smjar\SmJavaApi.jar AuthApiSample.java

 

 

Regards,

Vasu


Ok, can you answer a few more questions for me?

 

  • Was the class file AuthApiSample.class created after running the batch file?
    Does the jar file contain the class file? (You can extract it and see.)
  • Did you restart the Policy Server?
  • Please share your JVMOptions.txt
  • When defining the custom authentication scheme in the Admin UI, what value did you use for the parameter?

Hi Ujwol ,

 

The class file was created after running the batch file and the jar does contain the class file. After editing the JVMOption.txt, the Policy Server was restarted. I am attaching the JVMOption.txt file and a screenshot of the custom authentication scheme.

 

Thanks,

Vasu


You have included the jar file in the "bootclasspath" instead of "classpath".

 

-Xbootclasspath --> You included the custom authentication jar here.

 

-Djava.class.path --> The jar needs to be included here.

 

I have now corrected the JVMOptions.txt.

Please use this, restart your policy server and test again.

 

Hope this helps.

Regards,

Ujwol Shrestha
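The two deployment mistakes diagnosed in this thread (the custom jar not compiled because SmJavaApi.jar was not found, and the jar placed on -Xbootclasspath instead of -Djava.class.path) can be caught before restarting the Policy Server. The script below is an added example, not code from the thread or from the CA SDK; it assumes JVMOptions.txt lists one JVM option per line, and the jar name and paths in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the SiteMinder SDK).
# Assumption: JVMOptions.txt has one JVM option per line.

# Returns 0 when JAR is named on a -Djava.class.path line and NOT on an
# -Xbootclasspath line; returns 1 for wrong placement or a missing entry.
check_jvmoptions() {
  file="$1"; jar="$2"
  if grep -F -- '-Xbootclasspath' "$file" | grep -F -q -- "$jar"; then
    echo "ERROR: $jar is on -Xbootclasspath; move it to -Djava.class.path" >&2
    return 1
  fi
  if grep -F -- '-Djava.class.path' "$file" | grep -F -q -- "$jar"; then
    return 0
  fi
  echo "ERROR: $jar not found on -Djava.class.path in $file" >&2
  return 1
}

# Returns 0 when javac actually produced NAME.class in DIR (the check to run
# after java-build); returns 1 when the compile silently failed.
check_class_built() {
  dir="$1"; name="$2"
  [ -f "$dir/$name.class" ]
}

# Constructed sample reproducing the mistake from the thread: the custom
# scheme jar sits on the boot classpath, not on java.class.path.
tmp=$(mktemp -d)
cat > "$tmp/JVMOptions.txt" <<'EOF'
-Xbootclasspath/a:C:\CA\sdk\java\SmJavaApi.jar;C:\smjar\AuthApiSample.jar
-Djava.class.path=C:\CA\siteminder\bin\jars\SmJavaApi.jar
EOF
if check_jvmoptions "$tmp/JVMOptions.txt" AuthApiSample.jar; then
  echo "JVMOptions.txt: OK"
else
  echo "JVMOptions.txt: needs fixing (see message above)"
fi
if check_class_built "$tmp" AuthApiSample; then
  echo "AuthApiSample.class present"
else
  echo "AuthApiSample.class missing: fix the -classpath in java-build first"
fi
rm -rf "$tmp"
```

Run it against your real JVMOptions.txt and build folder before restarting the Policy Server; a restart is still required once the file is corrected.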

