Symantec Access Management

  • 1.  WAM Admin UI - Restrict Access By Client IP

    Posted Oct 16, 2017 04:55 PM

    Hi,  We are running CA SSO R12.52 SP2 on 2012R2 currently. 

     

    I'm looking to learn how the Admin UI's JBoss HTTP Server can be configured to restrict access to a given client IP address.  I've found documentation on the web for JBoss itself;  but I've been unable to find the corresponding files on the policy server itself.

     

    There is documentation that discusses using a Reverse Proxy server with a SiteMinder agent installed; however, one could still bypass this by hitting the JBoss HTTP Server directly.  Using a firewall to restrict access using a port number does not help as some users are behind the firewall.

     

    Thanks for your consideration.


    Cheers, Jim



  • 2.  Re: WAM Admin UI - Restrict Access By Client IP
    Best Answer

    Posted Oct 16, 2017 07:03 PM

    Hi Jim,

     

    It is best to achieve this using JBoss config.

     

    For Admin UI version : 12.52SP1.XX and earlier (JBOSS 5)

     

    1. Modify the server.xml located at :

    <adminui_install_directory>\server\default\deploy\jbossweb.sar

     

    add the following under host element:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.0.1" />

     

     

    followed by Admin UI server restart.

     

    TESTING:

     

    (Access from disallowed IP )

     

     

    For Admin UI version : 12.52SP2 and later (JBOSS  Wildfly 8.2)

     

    • Create a file named undertow-handlers.conf under:

    <adminui_install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF

    • Specify the list of all IP addresses from which you want to allow access to the Administrative UI

         You can also specify the IP range and deny list explicitly as below:

    ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]
    • Restart Administrative UI

     

    TESTING:

     

    (Access from disallowed IP )

     

    References :

     

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 
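
An added example, not part of the original post and not CA or Undertow code: a small Python check that parses the ip-access-control line from the answer above and reports which client addresses it would admit, so the rule order can be reviewed before the Administrative UI is restarted. It assumes Undertow's first-matching-rule-wins evaluation and handles only single addresses and CIDR ranges; the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress
import re

# Handler line as given in the answer above; the client IPs used below are constructed.
HANDLER = "ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]"


def parse_handler(line):
    """Return (default_allow, [(network, allow_bool), ...]) from one handler line."""
    m = re.fullmatch(r"\s*ip-access-control\[(.*)\]\s*", line)
    if not m:
        raise ValueError("not an ip-access-control handler line")
    body = m.group(1)
    default = re.search(r"default-allow\s*=\s*(true|false)", body)
    # Assumption: a missing default-allow is treated as false (deny by default).
    default_allow = bool(default) and default.group(1) == "true"
    acl = re.search(r"acl\s*=\s*\{(.*?)\}", body)
    rules = []
    for entry in re.findall(r"'([^']*)'", acl.group(1) if acl else ""):
        peer, action = entry.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {entry!r}")
        rules.append((ipaddress.ip_network(peer, strict=False), action == "allow"))
    return default_allow, rules


def is_allowed(client_ip, default_allow, rules):
    """The first rule that matches decides; default_allow applies when none match."""
    addr = ipaddress.ip_address(client_ip)
    for network, allow in rules:
        if addr.version == network.version and addr in network:
            return allow
    return default_allow


def audit(line, clients):
    """Map each client IP to True (admitted) or False (rejected) for a handler line."""
    default_allow, rules = parse_handler(line)
    return {ip: is_allowed(ip, default_allow, rules) for ip in clients}


if __name__ == "__main__":
    for ip, ok in audit(HANDLER, ["10.0.0.1", "10.0.0.25", "192.168.0.1"]).items():
        print(f"{ip:15} {'allow' if ok else 'deny'}")
```

Because the first match wins, a host-specific deny only takes effect when it is listed before the broader allow range that contains it.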



  • 3.  Re: WAM Admin UI - Restrict Access By Client IP

    Posted Oct 16, 2017 08:38 PM

    Hi,

     

    We are using SP2.  This worked perfectly!  Thank you so much!

     

    Cheers, Jim



  • 4.  Re: WAM Admin UI - Restrict Access By Client IP

    Posted Oct 16, 2017 08:40 PM

    I will publish a KB for this soon.  Thanks for confirming that it worked.