Chat Transcript: Office Hours for CA Single Sign-On [Nov. 19th]

Document created by Chris Stallone (Employee) on Nov 19, 2015. Last modified by kristen.palazzolo on Dec 17, 2016.

Kristen Malzone (CA) :

Thanks for joining Sam and Hector!

 

Kristen Malzone (CA) :

Hi Siva!

 

Siva Reddy :

Hi Kristen

 

Kristen Malzone (CA) :

Alright, let's get started!

 

Kristen Malzone (CA) :

If you have a question about SSO, enter it here in the chat window.

 

Siva Reddy :

How to avoid cross-site scripting in login.fcc... My pentest team always asks for SAMEORIGIN. Do we have a way to configure it to be SAMEORIGIN?

Kristen Malzone (CA) :

@Siva - Great question! Working on getting you an answer now...

 

Kristen Malzone (CA) :

@Hector @Sam - Got a question for our team of experts?

 

Tony Pham (eComm SSO Services) :

Can you tell me if 12.51 is certified for use with RHEL 7.x?

joseph rahme :

@Tony --> Tony, no, 12.51 SiteMinder is only certified with RHEL 5.x and 6.x. Please refer to the support matrix https://support.ca.com/phpdocs/7/5262/5262_1251_PSM.pdf for more details.

Tony Pham (eComm SSO Services) :

OK, when will you certify it?

Sam Dikeman :

I have multiple site IDs associated with my account. I read the doc on how to set which one to be the primary but can't seem to get it to work. Is that a support case or can someone just do a quick run-through here?

Tony Pham (eComm SSO Services) :

Or is it one of the "you need to upgrade to 12.52" ones?

Kevin :

Is it correct that 12.52 SP2 is a Policy Server upgrade, and the Web Agent hasn't been released?

 

Akshata Sahasrabudhe :

@Kevin, yes that is correct.

 

Akshata Sahasrabudhe :

@Kevin, the older agents will still work with the R12.52 SP2 Policy Server though.

 

joseph rahme :

@Tony --> We have ERP agent support on RHEL7 for 12.51, and Red Hat JBoss EWS 2.1 with RHEL7 for the next CR on R12.52 SP01 certification is in the works, based on the support matrix https://support.ca.com/phpdocs/7/5262/5262_PlatformSupportRoadmap.pdf. Are you asking for the Policy Server particularly?

Kevin :

@Akshata - Thanks!

 

Tony Pham (eComm SSO Services) :

@Joseph -- yes, SM policy server

 

Kristen Malzone (CA) :

The CA SSO product survey is now open! Please take a few minutes to share your feedback: http://ca.com/productfeedback

 

Kevin :

We have a dozen Policy Servers in total (all Windows). Is there an easy script (PowerShell, WMI, VB, etc.) that will pull the PSMC settings from all Policy Servers to make sure our settings are uniform across all Policy Servers?

joseph rahme :

@Tony --> I do not see the certification of the Policy Server on RHEL7 within the roadmap app. What I would suggest is that you open an enhancement request (through our communities), which we can vote for and which will be reviewed by our Product Management.

Tony Pham (eComm SSO Services) :

I did. Haven't checked to see if there is/are any comment(s).

Sandra Green :

Sam, can you give more details about your question?

 

joseph rahme :

@Tony --> Send me the link if you have it and I will ask my team to vote for it. I will try to look it up in the communities.

Sam Dikeman :

@Sandra. When I log in to the support site, I have approx. 5 site IDs associated with my account. I can access them through the dropdown. But in almost all instances, there is only 1 that I want to use, but that is not the default one that is in use when I log in. Supposedly there is a way, using the support site, to allow me to change the default site ID to be used by the support site when I log in.

Sandra Green :

@Sam - you need to contact the CA Support Site group.  I'll get you a link.

 

Joseph rahme :

@Tony --> I believe this is the link https://communities.ca.com/ideas/235726810 for RHEL 7 with the SiteMinder Policy Server. I will vote for it and ask my team to do the same.

Akshata Sahasrabudhe :

@Kevin, we do not have a script on the SiteMinder side that can do that. All the settings will be stored in the registry. So your Windows team could possibly come up with a script to pull the registry settings from each box to compare. But we do not have that feature within SiteMinder's scope.

Sandra Green :

@Sam - call 1-800-CALL-CAI (225-5224) and you want customer care.

 

Tony Pham (eComm SSO Services) :

@Joseph -- thx. That's one of the links. I've mastered my way around the community to find my post.

Kevin :

@Akshata - Thanks. What is the registry path?

joseph rahme :

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity

 

joseph rahme :

@Kevin --> Here is the link: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity

Kristen Malzone (CA) :

We're looking for SSO customers to try our Identity as a Service product for free. Read more here: https://communities.ca.com/thread/241742641

 

Siva Reddy :

@Kristen, were we able to get any answer for my question?

Kevin :

Is there a way to find out exactly (or somewhat approximately) when a Shared Secret Rollover will take place on an Agent?

 

Kristen Malzone (CA) :

@Siva - Yes - we are still working on it - will be posting an answer shortly! Sorry for the delay!

 

Tony Pham (eComm SSO Services) :

At CA World today, it's my understanding that CA is going to provide several road maps: 1. road map for Advanced Authentication and CA Single Sign-On; 2. road map for Identity Suite; 3. road map for Privileged Identity Management; and 4. road map for Security as a Service.

Sandra Green :

@Siva - regarding your question about SAMEORIGIN, we do not have that functionality. You can open an enhancement request on the ideation site.

Tony Pham (eComm SSO Services) :

Would that road map info be available for end users anywhere after the conference?

Kristen Malzone (CA) :

@Siva - Here's where you can submit an idea: https://communities.ca.com/community/ca-security/content?filterID=contentstatus%5Bpublished%5D~category%5Bca-single-sign-on%5D&filterID=contentstatus%5Bpublished%5D~objecttype~objecttype%5Bidea%5D

 

Joe O'Donnell :

Siva, the Web Agent Configuration Guide goes over Cross-Site Scripting settings in detail. There is not a way to allow scripting for SAMEORIGIN. CA does not recommend allowing scripting, even in limited scope.

 

Siva Reddy :

@Kristen @Sandra  Thank you

 

Kristen Malzone (CA) :

@Tony - I will find an answer for you and follow up via email after this session.

 

vijay masurkar (CA) :

@kevin: The Policy Server supports manual and periodic rollover of shared secrets for trusted hosts.

 

Kristen Malzone (CA) :

@Tony - My best advice right now is to keep an eye on the CA Security Community for updates from CA World.

vijay masurkar (CA) :

@kevin: Periodic rollovers can be configured hourly, daily, weekly, or monthly; one hour is the shortest allowable period between rollovers. The Policy Server initiates periodic rollovers based on the age of the shared secret for each trusted host, rather than at a specific time of the day, week, or month. By rolling over each shared secret as it expires, the processing associated with the rollover is distributed over time, and avoids placing a heavy processing load on the Policy Server.

 

Siva Reddy :

@Joe, we are following the configuration guide for CSS, but pentests still show it's vulnerable to attacks unless it has X-Frame-Options set to SAMEORIGIN.

Sandra Green :

@Kevin - it is in the sharedsecrettime in the SmHost.conf file.  Can you please post the value you have in the case that you have open?

 

Tony Pham (eComm SSO Services) :

@Vijay - that's good info to know (for the periodic rollover).

vijay masurkar (CA) :

@kevin: If you use the manual rollover feature, future periodic rollovers will generally be clustered together for all trusted hosts, since the manual rollover sets new shared secrets for all trusted hosts that allow shared secret rollover.

 

Kevin :

@Sandra - Can you tell me how to convert the value to a time?

 

vijay masurkar (CA) :

@kevin: Please see the PS admin guide for further details on configuring trusted host shared secret rollover. Rgds.

Sandra Green :

It's in epoch time. You can use an online converter to convert it.

Kristen Malzone (CA) :

8 minutes left! Get your final questions in now!

 

Sandra Green :

@Siva - we'd like to speak to you in more detail regarding your question.  Can you open a case so we can address this?  Thank you.

 

Kevin :

@Vijay - Thanks!

 

Siva Reddy :

@Sandra, will definitely do. Thanks.