Symantec Access Management

Hello.

We are interesting to know how SSL / TLS works in Siteminder.

In particular we need to integrate Siteminder 12.51 with SAP Netweare. The servers we have are:

- Apache (Reverse Proxy) with agent

- Policy Server

- SAP AS with the agent for SAP

We think to use:

EXTERNAL USERS to APACHE (webagent): TLS 1.2

APACHE (webagent) to Policy Server: TLS 1.2

Policy Server to SAP AS: SSL

Is it possible to have and use these different protocols?

Thanks all!

Hello fmoro,

SSL/TLS is used for the communication between Web browser and Web server. It isn't handled by SiteMinder.
Webagent and Policy Server communicate with our proprietary protocol. It cannot be replaced with SSL/TLS.

Regards,
Seiji

Hi Moriyama,

thanks for your reply.

I'm not understanding....

I know that SiteMinder uses a specific proprietary algorithm but it is for encrypt data.

In our case what we need is to move our SAP - SM integration from http to https so that:

- Apache Webserver will talk with policy server over https, using TLS 1.2

- Policy Server will talk with SAP AS over https, using SSL

- General users will contact Apache Webserver over https, using TLS 1.2

So, let's say, we need to understand if we can use different TLS 1.2 and SSL in the same time, configured as explained for the specifics channels.

Thanks again and Regards

Hi fmoro,

Apache Webserver receives HTTP requests over SSL/TLS. The received HTTP requests are not encrypted in the memory of Apache Webserver. CA SSO Web Agent installed on the webserver intercepts the HTTP requests and checks with the Policy Server if the requested URLs are protected or not, then the HTTP requests are rejected or passed to the proxy module for forwarding the HTTP requests to the SAP AS. (Authentication is omitted for simplicity.)

At this time, the communication between the Web Agent and the Policy Server is done over encrypted TCP connections. We don't use either SSL or TLS for this encrypted TCP communication.

This is the same for the agent for SAP.

Best regards,

Seiji

fmoro,

Here is some general information regarding CA SSO's usage of TLS:

https://communities.ca.com/thread/241733532

I hope you find this helpful.

Regards

Hi,

From the link posted by my colleague, pay attention that this section is outdated
and should be corrected :

    https://communities.ca.com/thread/241733532

- SiteMinder Policy Server version 12.5 and above:
  The SiteMinder Policy Server uses an updated version of Mozilla LDAP SDK
  that supports TLS 1.1 and 1.2

The NSS libraries version does support TLSv1.1, but for compatibility purpose,
these libraries only does TLSV1.0 calls. So Policy Server can only do TLSv1.0 so
far.

Stay tune for the next CR and versions to get the TLSV1.1 and TLSv1.2 to be fully
supported and working.

Best Regards,

Patrick

Thank you for the correction Patrick.

Patrick,

The TLS versions you mentioned are used for the communication between the Policy Server and Policy Store/User Store, not between the Policy Server and Web Agents.

Please do not confuse the places where TLS/SSL is used in an entire CA Single Sign-On environment.

The communication between Policy Servers and Web Agents is not either HTTPS or LDAPS. Encrypted data are exchanged over TCP connections.

Regards,

Seiji

Thanks all for these answers...

But I'm a bit confused by the different answers.

Let me resume:

-SSL/TLS is used for the communication between Web browser and Web server.

-SSL/TLS is used for the communication between Policy Server and Policy Store/User Store. In this second case, we have to check about the Mozilla LDAP SDK.

What I'm not understanding is the communication between the agent (webserver) and Policy Server.

I saw different time the mandatory task to insert a certificate on Apache to contact the backend. This means that SSL is enabled.

But, reading "The communication between Policy Servers and Web Agents is not either HTTPS or LDAPS"... this means that SSL is not present from Webserver to Policy Server?

And to complete the use case: we have policy server needs to talk to SAP AS. In this case, can we use SSL?

Thanks all

Hi fmoro,

SSL/TLS may be the most popular protocol for encrypted communication on the Internet but there are some other protocols such as SSH (Secure Shell).
CA SSO Policy Server and Agents are using our proprietary protocol based on symmetric key encryption.
Let me try answering your questions.

> I saw different time the mandatory task to insert a certificate on Apache to contact the backend. This means that SSL is enabled.

It seems the certificate is used for SSL communication between Apache proxy module and the backend server which is SAP AS in your case.

> But, reading "The communication between Policy Servers and Web Agents is not either HTTPS or LDAPS"... this means that SSL is not present from Webserver to Policy Server?
>

Correct. The Policy Server is listening for TCP connections from agents on ports 44441, 44442 and 44443 by default. SSL/TLS isn't accepted by these ports.

> And to complete the use case: we have policy server needs to talk to SAP AS. In this case, can we use SSL?

Do you mean the Agent for SAP AS? It doesn't use SSL/TLS either. SSL/TLS can be used between Apache and SAP AS, but we don't use SSL/TLS between the Agent for SAP AS and the Policy Server.

Regards,
Seiji