
This is something I like to do once in a while. It takes a long time to set everything up, but to me it is a hobby, like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 3.

 

02. Standard Authentication Schemes

     - HTML using UID and EMAIL


This is a demonstration of how to extend the login form by adding an additional attribute value for authentication.

 

How to Configure HTML Forms Authentication

The use case is described in the online documentation, so you can reference it as well.

Also, if you check <WA>/samples/forms/fullname.fcc, it is the same use case except that it adds "Full Name" instead of "eMail".

 

Step1: Create the loginemail.fcc and loginemail.unauth files

 

Go to the "<WA>/samples/forms/" folder and copy login.fcc to loginemail.fcc (we could copy fullname.fcc, but for demonstration purposes I am choosing the vanilla login.fcc file).

Every .fcc file must have a matching .unauth file, so copy login.unauth to loginemail.unauth.

 

Modify the loginemail.fcc file as below.

login.fcc (original)

<!-- SiteMinder Encoding=UTF-8; -->

@username=%USER%

@smretries=0

 

<html>

 

<head>

<meta http-equiv="Content-Type" content="text/html;charset=$$SMENC$$">

  <title>SiteMinder Password Services</title>

 

<!-- Cross-frame scripting prevention: This code will prevent this page from being encapsulated within HTML frames. Remove, or comment out, this code if the functionality that is contained in this SiteMinder page is to be included within HTML frames. -->

<STYLE>

   html {

      display : none ;

      visibility : hidden;

   } </STYLE>

<SCRIPT>

   if( self == top ) {

       document.documentElement.style.display = 'block' ;

       document.documentElement.style.visibility = 'visible' ;

   } else {

       top.location = self.location ;

   }

</SCRIPT>

 

 

 

<SCRIPT LANGUAGE="JavaScript">

function resetCredFields()

{

  document.Login.PASSWORD.value = "";

}

 

function submitForm()

{

     document.Login.submit();

}

 

</SCRIPT>

 

</head>

 

<body BGCOLOR="#ffffff" TEXT="#000000" onLoad = "resetCredFields();">

 

<!-- Customer Brand -->

<IMG alt=Logo src="/siteminderagent/dmspages/CATechnologies_logo.png">

 

<form NAME="Login" METHOD="POST">

<INPUT TYPE=HIDDEN NAME="SMENC" VALUE="$$SMENC$$">

<INPUT type=HIDDEN name="SMLOCALE" value="US-EN">

<center>

 

<!-- outer table with border -->

<table width="50%" height=200 border=1 cellpadding=0 cellspacing=0 >

  <tr>

    <td>

      <!-- Login table -->

      <table WIDTH="100%" HEIGHT=200 BGCOLOR="#FFEFD5" border=0 cellpadding=0 cellspacing=0 >

 

    <tr>

      <td ALIGN="CENTER" VALIGN="CENTER" HEIGHT=40 COLSPAN=4 NOWRAP BGCOLOR="#FFDAB9">

        <font size="+1" face="Arial,Helvetica">

        <b>Please Login</b></font>

          </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td WIDTH=20 > </td>

      <td ALIGN="LEFT" >

            <b><font size=-1 face="arial,helvetica" > Username: </font></b>

          </td>

      <td ALIGN="LEFT" >

              <input type="text" name="USER" size="30" style="margin-left: 1px">

          </td>

      <td WIDTH=20 > </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td WIDTH=20 > </td>

      <td >

            <b><font size=-1 face="arial,helvetica" > Password: </font></b>

          </td>

      <td ALIGN="left" >

              <input type="password" name="PASSWORD" size="30" style="margin-left: 1px">

      </td>

      <td WIDTH=20 > </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">

          <input type=hidden name=target value="$$target$$">

          <input type=hidden name=smquerydata value="$$smquerydata$$">

          <input type=hidden name=smauthreason value="$$smauthreason$$">

          <input type=hidden name=smagentname value="$$smagentname$$">

          <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">

          <input type="button" value="Login" onClick="submitForm();">

      </td>

    </tr>

 

    <tr> <td colspan=4 height=5> <font size=1>   </font> </td> </tr>

      </table>

    </td>

  </tr>

</table>

</form></center>

 

<script language="javascript">

  document.forms["Login"].elements["USER"].focus();

</script>

 

</body>

</html>

 

loginemail.fcc (after modification)

<!-- SiteMinder Encoding=UTF-8; -->

@username=%USER%

@password=PASSWORD=%PASSWORD%&mail=%urlencode(email)%

@smretries=0

 

<html>

 

<head>

<meta http-equiv="Content-Type" content="text/html;charset=$$SMENC$$">

  <title>SiteMinder Login Page with UID and EMAIL</title>

 

<!-- Cross-frame scripting prevention: This code will prevent this page from being encapsulated within HTML frames. Remove, or comment out, this code if the functionality that is contained in this SiteMinder page is to be included within HTML frames. -->

<STYLE>

   html {

      display : none ;

      visibility : hidden;

   } </STYLE>

<SCRIPT>

   if( self == top ) {

       document.documentElement.style.display = 'block' ;

       document.documentElement.style.visibility = 'visible' ;

   } else {

       top.location = self.location ;

   }

</SCRIPT>

 

 

 

<SCRIPT LANGUAGE="JavaScript">

function resetCredFields()

{

  document.Login.PASSWORD.value = "";

}

 

function submitForm()

{

     document.Login.submit();

}

 

</SCRIPT>

 

</head>

 

<body BGCOLOR="#ffffff" TEXT="#000000" onLoad = "resetCredFields();">

 

<!-- Customer Brand -->

<IMG alt=Logo src="/siteminderagent/dmspages/CATechnologies_logo.png">

 

<form NAME="Login" METHOD="POST">

<INPUT TYPE=HIDDEN NAME="SMENC" VALUE="$$SMENC$$">

<INPUT type=HIDDEN name="SMLOCALE" value="US-EN">

<center>

 

<!-- outer table with border -->

<table width="50%" height=200 border=1 cellpadding=0 cellspacing=0 >

  <tr>

    <td>

      <!-- Login table -->

      <table WIDTH="100%" HEIGHT=200 BGCOLOR="#FFEFD5" border=0 cellpadding=0 cellspacing=0 >

 

    <tr>

      <td ALIGN="CENTER" VALIGN="CENTER" HEIGHT=40 COLSPAN=4 NOWRAP BGCOLOR="#FFDAB9">

        <font size="+1" face="Arial,Helvetica">

        <b>Please Login</b></font>

          </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td WIDTH=20 > </td>

      <td ALIGN="LEFT" >

            <b><font size=-1 face="arial,helvetica" > Username: </font></b>

          </td>

      <td ALIGN="LEFT" >

              <input type="text" name="USER" size="30" style="margin-left: 1px">

          </td>

      <td WIDTH=20 > </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

    <tr>

      <td WIDTH=20 > </td>

      <td ALIGN="LEFT" >

            <b><font size=-1 face="arial,helvetica" > Email: </font></b>

          </td>

      <td ALIGN="LEFT" >

              <input type="text" name="email" size="30" style="margin-left: 1px">

          </td>

      <td WIDTH=20 > </td>

    </tr>

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td WIDTH=20 > </td>

      <td >

            <b><font size=-1 face="arial,helvetica" > Password: </font></b>

          </td>

      <td ALIGN="left" >

              <input type="password" name="PASSWORD" size="30" style="margin-left: 1px">

      </td>

      <td WIDTH=20 > </td>

    </tr>

 

    <tr> <td colspan=4 height=10> <font size=1>   </font> </td> </tr>

 

    <tr>

      <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">

          <input type=hidden name=target value="$$target$$">

          <input type=hidden name=smquerydata value="$$smquerydata$$">

          <input type=hidden name=smauthreason value="$$smauthreason$$">

          <input type=hidden name=smagentname value="$$smagentname$$">

          <input type=hidden name=postpreservationdata value="$$postpreservationdata$$">

          <input type="button" value="Login" onClick="submitForm();">

      </td>

    </tr>

 

    <tr> <td colspan=4 height=5> <font size=1>   </font> </td> </tr>

      </table>

    </td>

  </tr>

</table>

</form></center>

 

<script language="javascript">

  document.forms["Login"].elements["USER"].focus();

</script>

 

</body>

</html>

 

In loginemail.fcc you will find that we have entered a whole new line:

@password=PASSWORD=%PASSWORD%&<attributename>=%<form name>%

If you are adding an additional attribute for authentication, the line must start with @password=PASSWORD=%PASSWORD%.

Then append the additional attribute(s): a separating ampersand, the user attribute name in the user directory to be matched (here the mail attribute), an equals sign, and the form field name wrapped in percent signs (in this case the <input type="text" name="email">).

You can add more attributes this way.

 

Things to note: if you are not using additional attributes, you can just delete the @password line.

Even if you delete it, it is there by default.

If the additional attribute or the password is expected to have values that might need encoding (for example, an ampersand, which would make the value look like another additional attribute; here is the full list ==> (" . & = + ? ; / : @ = , $ %)), then you can URL encode it as below.

@password=PASSWORD=%PASSWORD%&mail=%urlencode(email)%
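To make the encoding point concrete, here is an added Python model (not SiteMinder code) of how the @password line assembles the credential string from the posted fields and how the Policy Server side splits it back into the attributes listed in the scheme's Additional Attribute List; the form values and the split logic are constructed assumptions for the demo.

```python
from urllib.parse import quote, unquote

# Added model of the loginemail.fcc directive
#   @password=PASSWORD=%PASSWORD%&mail=%urlencode(email)%
# It is not SiteMinder's own code: it shows how the credential string is assembled
# from the posted form fields and how a reserved character in a raw value breaks
# the split into the attributes named in the scheme's Additional Attribute List.

# Each entry: (directory attribute, form field name, wrap in %urlencode()%?)
PAGE_SPEC = [("PASSWORD", "PASSWORD", False), ("mail", "email", True)]   # as on the page
SAFE_SPEC = [("PASSWORD", "PASSWORD", True), ("mail", "email", True)]    # password encoded too

# Posted form values (constructed; the password deliberately contains '&')
SAMPLE_FORM = {"USER": "user1", "PASSWORD": "p&ss", "email": "user1@sso.lab"}


def build_password_directive(form, spec):
    """Assemble the @password value: PASSWORD=...&attr=... in spec order."""
    parts = []
    for attr, form_field, encode in spec:
        value = form[form_field]
        if encode:
            value = quote(value, safe="")        # what the FCC urlencode() wrapper does
        parts.append("%s=%s" % (attr, value))
    return "&".join(parts)


def attribute_list(spec):
    """The 'Additional Attribute List' the scheme needs for this spec (AL=PASSWORD first)."""
    return "AL=" + ",".join(attr for attr, _, _ in spec)


def parse_password_directive(value):
    """Split the string back into attributes: '&' separates, the first '=' names the attribute.

    Simplified model of the Policy Server side (an assumption); values are URL-decoded.
    """
    attrs = {}
    for part in value.split("&"):
        name, _, raw = part.partition("=")
        attrs[name] = unquote(raw)
    return attrs


def demo(spec, form=SAMPLE_FORM):
    """Round-trip the form through the directive and return what the server would see."""
    return parse_password_directive(build_password_directive(form, spec))


if __name__ == "__main__":
    print(attribute_list(PAGE_SPEC))   # AL=PASSWORD,mail
    print(demo(PAGE_SPEC))             # raw '&' in the password creates a bogus 'ss' attribute
    print(demo(SAFE_SPEC))             # encoded: PASSWORD and mail come back intact
```

The second print shows why a raw ampersand is dangerous: the password is truncated to "p" and a phantom attribute "ss" appears, whereas the encoded variant round-trips both values.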

 

Following is a screenshot of the files created. You do not need to do anything with the loginemail.unauth file.

The unauth file is displayed if you set @smretries=3 and the user fails to submit the correct credentials 3 consecutive times.

It is always good practice to have the matching unauth file.

 

 

Step2: Create Authentication Scheme

 

Logon to AdminUI, navigate to "Infrastructure ==> Authentication ==> Authentication Schemes" and click "Create Authentication Scheme".

 

Select "Create a new object of type Authentication Scheme" and click "OK".

 

Fill in the fields as below.

Ensure that you update the TARGET to point to loginemail.fcc.

The important part is the "Additional Attribute List".

You must enter AL=PASSWORD first, then a comma, followed by the additional attributes you specified (AL stands for "Attribute List").

 

Step3: Create Realm, Rule, update Policy

 

Navigate to "Policies ==> Application ==> Applications" and modify (click on the pencil icon at the right end) the "www.sso.lab" application.

 

Click on "Create Component".

 

Fill in the details as below and click "OK".

We are protecting /mail/ with the "UID + EMAIL Login Form" Authentication Scheme.

 

 

Click on "Resources" tab and from the "context root" dropdown menu select "/mail/".

Click on "Create" button to create a resource for this component.

 

Fill in the details.

This will allow GET and POST requests for everything under /mail/ if the user is authorized by Policy Server.

 

 

 

Click on "Policy" tab and from the "context root" dropdown menu select "/mail/".

 

Select the "Access UID + Mail Realm" + "Basic Role" check box to apply the "Basic Role" to "Access UID + Mail Realm".

Then click "Submit".

 

Then click "Submit" again to finalize.

 

Step4: Test login.

 

Before we test the login, we have to check the email value of the test user.

Let's create "user1" with the "user1@sso.lab" email address.

 

Your web server should have the matching resource created.

It is also handy for the landing page to have a link to the /mail/ resource.

 

And the user gets access.

 

smtracedefault.log shows the mail attribute being handled during authentication.

[01/28/2016][13:48:01][user1][Authenticating user by the auth scheme][LDAP://192.168.201.101 192.168.201.102/CN=user1,CN=Users,DC=sso,DC=lab][][][][][][][][2656][4264]

[01/28/2016][13:48:01][][Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][][][][][][][][2656][4264]

[01/28/2016][13:48:01][][Registered for XPS notifications for Realm objects modifications.][][][][][][][][][2656][4264]

[01/28/2016][13:48:01][][Failed to get the Realm's SessionAssuranceLink attribute.][][][][][][][][][2656][4264]

[01/28/2016][13:48:01][][SessionAssurance is not enabled.][][][][][][][][][2656][4264]

[01/28/2016][13:48:01][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][2656][4264]

[01/28/2016][13:48:01][user1][** Status: Authenticated. ][][agent.iis][][][][][][][2656][4264]

 

 

     - Basic over SSL

 

The "Basic" Authentication Scheme and the "Basic over SSL" Authentication Scheme are very different things, although both prompt for Basic authentication.

 

And as a prerequisite, your web server must have SSL configured, as the name suggests.

I will go swiftly through requesting and issuing the server certificates.

 

*** Enable SSL on IIS ***

 

# www.sso.lab

 

Load IIS Manager and, at the machine level (left pane), select "Server Certificate" (mid pane).

 

You will see the currently available certificates.

At the right pane, click on "Create Certificate Request..."

 

Enter the fields.

You MUST enter the correct FQHN (fully qualified host name) in the "Common name" field.

This certificate request is for https://www.sso.lab, so I am entering www.sso.lab.

 

Select the desired bit length, 1024 by default.

 

Save the Certificate Signing Request (C:\Users\Administrator\Desktop\www_sso_lab_req.txt).

 

Open IE and go to http://www.sso.lab/certsrv/

 

Click on "Request a certificate"

 

Click on "advanced certificate request"

 

Click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file...."

 

Paste "www_sso_lab_req.txt" content to the "Saved Request" field.

Select "Web Server" from "Certificate Template" dropdown menu.

 

Select "Base 64 encoded" (doesn't really matter which format you download at this point) and click "Download certificate".

Click "Save As" and save it as "www_sso_lab.cer" on the desktop.

 

 

Go back to IIS Manager screen where you clicked "Create Certificate Request".

This time, click "Complete Certificate Request...".

 

Select the issued certificate and enter a friendly name that will appear in the certificate list.

 

You can now see the new certificate is added to the list.

 

Your Server Certificate is ready to be applied to a web server instance.

Select "Default Web Site" instance(left pane).

Click on "Bindings" at the right pane.

 

Click "Add..." button.

 

Select type: https

IP address: 192.168.201.101 (DNS resolves www.sso.lab to this IP)

Port: 443

SSL Certificate: Select from dropdown menu the friendly name www.sso.lab

 

Now your web instance is configured to listen on ports 80 and 443.

 

You should now see at the right pane the new configuration showing it is listening on port 443.

 

Now, open a browser and visit https://www.sso.lab and it should display the content.

 

# www.partner.lab

Repeat the steps above, just changing the "Common name" to "www.partner.lab".

This certificate will be used on the CA Access Gateway (SPS).

I will cover that part later, when we use the CA Access Gateway (SPS).

It should look like the screenshot below once the www.partner.lab certificate is imported.

 

Now that SSL is enabled on this IIS server, we can continue with setting up the "Basic over SSL".

 

Step1: Configure the IIS side setting to force Basic over SSL.

 

Load IIS Manager, select the "Default Web Site" instance and navigate to the "/siteminderagent/nocert" virtual directory.

 

 

In the mid pane, click on "SSL Settings".

Check "Require SSL" and select "Ignore" for client certificates.

 

Click "Apply" button at the right pane to complete this change.

 

 

Step2: Configure "Basic over SSL" Authentication Scheme

 

I will skip some basic screens as they have been demonstrated before.

 

Create Authentication Scheme:

Name: Basic over SSL Authentication

Authentication Scheme Type: Basic Over SSL Template

Protection Level: 10

Password Policies enabled for this Authentication Scheme: true

Server Name: www.sso.lab

Port: (can leave it empty since I am using default port 443)

Target: /siteminderagent/nocert/smgetcred.scc

Library: smauthcert

 

Step3: Create Component and Resource to protect the /basicssl/

Modify "www.sso.lab" Application and click "Create Component".

 

Component Name: Basic over SSL Realm

Agent: agent.iis

Resource Filter: /basicssl/

Default Resource Protection: Protected

Authentication Scheme: Basic over SSL Authentication

 

Create Resource

Name: Access BasicSSL

Resource: *

Allow Access: true

Action/Web Agent Actions: GET, POST

 

 

Update Policy to allow "Basic Role" for "Access BasicSSL".

 

Step4: Test Basic over SSL.

You must ensure your web server has a /basicssl/ directory with content to display.

Visit http://www.sso.lab/basicssl/

You are redirected to https://www.sso.lab/siteminderagent/nocert/* and challenged there.

You can tell this is a SiteMinder challenge because it shows you the Component (Realm) name and a timestamp of the challenge.

Now, there is a difference between Basic and Basic over SSL.

With "Basic" authentication there is NO REDIRECT.

With "Basic over SSL", you are redirected.

 

Once authenticated you will be redirected back to the initially requested URL.

 

Now that we have SSL enabled on the web server, we should change the HTML Authentication Schemes to make use of it.

Modify the "Login Form for www.sso.lab" and "UID + EMAIL Login Form" Authentication Schemes to enable the "Use SSL Connection" check box.

No credential should be transmitted in the clear.

 

 

In the next article, we will be setting up Certificate Authentication. It is exciting!

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 4"


02. Standard Authentication Schemes

     - Basic Concepts

 

CA Single Sign-On has the Web Agent sitting on the web server as a plugin.

The Web Agent intercepts all requests (protected or not) and, if the request is for a protected resource and the user is not authenticated or authorized, it redirects to the login page (aka Credential Collector).

 

So, the first call it makes when a request is received is the "IsProtected" call (to the Policy Server).

If the resource is protected, the Web Agent redirects to the URL defined in the Authentication Scheme linked to the protected resource (Realm).

 

Next is the "IsAuthenticated" call.

The requested resource must be protected in order to make this call.

If the user submits credentials and the Policy Server accepts them, the user is authenticated.

This happens as the Policy Server submits the user credential received from the login page to the user store.

If the user store finds a matching user and the password matches, the Policy Server tells the agent that this user is "Authenticated".

The Policy Server generates a unique SessionID and assigns it to the user session information (such as the user's UserDN, client IP, authentication time and so on).

!! If the same user logs on from 2 browser sessions, there will be 2 different SessionIDs. The SessionID lets us determine which user (although they are the same user account) accessed which resource.

 

If this "IsAuthenticated" call is successful, you get an SMSESSION cookie.

Once you have the SMSESSION cookie, you no longer need to submit credentials again unless you access a resource that is not allowed for your access.

!! There is a Validation call, which is the same as the IsAuthenticated call except that IsAuthenticated is made when you do not have an SMSESSION and Validation when you already have an SMSESSION cookie.

 

Last is the "IsAuthorized" call.

You need to be authenticated before this call can be made.

The Web Agent parses the SMSESSION cookie and asks the Policy Server whether this user should be given access to the protected resource.

The evaluation is "Rule" + "User Policy".

The rule is created under a realm, which defines the URI (such as /protected/).

The rule defines which action/method to allow (such as GET or POST).

The User Policy defines which users (by comparing part of the DN, a user group, a specific user, or ALL users).

If they all match, the Policy Server tells the Web Agent this user is Authorized.

 

SMSESSION says you are "UID=user1,OU=People,DC=SM,DC=LAB".

This user is requesting http://www.sm.lab/protected/index.html.

The request method was "GET".

This resource is protected by agent name "agent1".

 

The Policy Server finds:

* an agent name matching "agent1".

* a matching realm for the requested URI, protected by the above agent name.

* a rule with a matching method (the method was GET).

* the policy linked to this rule.

* the user policy in that policy (the user policy condition was to validate the DN against "OU=People,DC=SM,DC=LAB").

* the user DN matches the validate DN in the user policy.

 

Now, as all the criteria match, the Policy Server tells the Web Agent that this user is authorized.

The Web Agent then allows the user to access http://www.sm.lab/protected/index.html

 

The above was covered in Chapter 1.

From now on we will focus on the "IsAuthenticated" call.

 

Most of the "CA Single Sign-On" credential collectors are hosted on a different URL, which requires a redirect (even if they are hosted on the same web server).

The only authentication scheme that does not require a redirect is the "Basic" Authentication Scheme.

 

All the SiteMinder authentication schemes redirect to /siteminderagent/xxxx

For example, http://www.sm.lab/siteminder/forms/login.fcc

When it redirects, you need to ensure that the web server hosting the target resource and the web server hosting the login page are on the same cookie domain.

 

*Cookie Domain*

 

TARGET Web Server: http://www.sm.lab/protected/index.html

LOGIN Web Server: http://login.sm.lab/siteminderagent/forms/login.fcc

 

So, when the user is authenticated, the user is authenticated at the LOGIN server and gets an SMSESSION cookie for the ".sm.lab" cookie domain.

The login server then redirects the user back to the TARGET.

At the target, the browser submits the cookies that match the server's cookie domain, so if SMSESSION was set for the same cookie domain it is submitted.

If you configure this wrong so that the TARGET and LOGIN cookie domains differ, users will not gain access to the TARGET because the SMSESSION cookie is not submitted there.

 

!! For the 2 URLs above, the IsProtected/IsAuthenticated/IsAuthorized calls are made for each of them. Every individual request is evaluated.

!! If the IsProtected call returns "NO", the IsAuthenticated call is not needed. If the IsAuthenticated call returns "NO", the IsAuthorized call is not needed.
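As an added illustration of the IsProtected / Validate / IsAuthorized chain and of the cookie-domain rule above, the following Python model (not Web Agent or Policy Server code) replays the page's example with a constructed user store; the realm, rule, user DNs, passwords and the "redirect-login" / "allowed" / "forbidden" outcomes are assumptions made for the demo.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added model of the IsProtected / Validate / IsAuthorized chain and the cookie-domain
# rule. It is an illustration, not Policy Server or Web Agent code; realm, rule and
# user store values are constructed from the page's example (agent1, /protected/, GET,
# validate DN "OU=People,DC=SM,DC=LAB").


@dataclass
class Rule:
    methods: set        # web agent actions the rule allows
    validate_dn: str    # user policy: DN suffix the user must fall under


@dataclass
class Realm:
    agent: str
    uri_prefix: str
    rules: list


class PolicyServer:
    def __init__(self, realms, users):
        self.realms, self.users = realms, users   # users: DN -> password (constructed)

    def _realms_for(self, agent, uri):
        return [r for r in self.realms if r.agent == agent and uri.startswith(r.uri_prefix)]

    def is_protected(self, agent, uri):
        return bool(self._realms_for(agent, uri))

    def is_authenticated(self, user_dn, password):
        return self.users.get(user_dn) == password

    def is_authorized(self, agent, uri, method, user_dn):
        return any(method in rule.methods and user_dn.endswith("," + rule.validate_dn)
                   for realm in self._realms_for(agent, uri) for rule in realm.rules)


def cookie_domain_matches(host, cookie_domain):
    """RFC 6265 domain match: host equals the domain or ends with '.' + domain."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)


class Browser:
    def __init__(self):
        self.cookies = {}   # (cookie domain, name) -> value

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        return {name: v for (dom, name), v in self.cookies.items() if cookie_domain_matches(host, dom)}


def login(ps, browser, user_dn, password, login_cookie_domain):
    """The credential collector's IsAuthenticated call; on success the LOGIN server sets SMSESSION."""
    if not ps.is_authenticated(user_dn, password):
        return ["IsAuthenticated"], "failed"
    browser.cookies[(login_cookie_domain, "SMSESSION")] = user_dn   # session carries the UserDN
    return ["IsAuthenticated"], "authenticated"


def request(ps, browser, agent, url, method):
    """One request at the TARGET web agent; returns the calls made and the outcome."""
    uri = urlsplit(url).path
    calls = ["IsProtected"]
    if not ps.is_protected(agent, uri):
        return calls, "unprotected"                      # no further calls needed
    session_dn = browser.cookies_for(url).get("SMSESSION")
    if session_dn is None:
        return calls, "redirect-login"                   # no SMSESSION for this cookie domain
    calls.append("Validate")                             # SMSESSION present: validate, not authenticate
    calls.append("IsAuthorized")
    return calls, ("allowed" if ps.is_authorized(agent, uri, method, session_dn) else "forbidden")


def build_lab():
    realm = Realm("agent1", "/protected/", [Rule({"GET"}, "OU=People,DC=SM,DC=LAB")])
    users = {"UID=user1,OU=People,DC=SM,DC=LAB": "Password1",      # constructed test users
             "UID=svc1,OU=Services,DC=SM,DC=LAB": "Password2"}
    return PolicyServer([realm], users)


def walk_through(user_dn="UID=user1,OU=People,DC=SM,DC=LAB", password="Password1",
                 login_cookie_domain=".sm.lab"):
    """Replay the page's scenario; pass a wrong login cookie domain to see SMSESSION not submitted."""
    ps, browser = build_lab(), Browser()
    target = "http://www.sm.lab/protected/index.html"
    return [
        request(ps, browser, "agent1", "http://www.sm.lab/public/index.html", "GET"),
        request(ps, browser, "agent1", target, "GET"),          # no SMSESSION yet
        login(ps, browser, user_dn, password, login_cookie_domain),
        request(ps, browser, "agent1", target, "GET"),          # SMSESSION submitted at the TARGET
        request(ps, browser, "agent1", target, "POST"),         # rule allows GET only
    ]


if __name__ == "__main__":
    for step in walk_through():
        print(step)
    print(walk_through(login_cookie_domain=".login.lab")[3])    # mismatch: redirected to login again
```

The last print reproduces the misconfiguration the text warns about: the user authenticates at the LOGIN server, but the cookie was set for a domain the TARGET host does not match, so the browser never sends it and the agent redirects to the login page again.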

 

*User Credential*

 

A user credential can be any information that is required to prove your identity.

It can be username + password.

It can be a client certificate.

Anything that the server requires to identify the user.

 

In most cases, this is a simple username and password, so login.fcc is used.

FCC stands for Forms Credential Collector.

So, if you see an xCC extension, it has to do with credential collection.

 

     - Basic

We already set up the Basic Authentication Scheme in the previous chapter.

 

     - HTML Forms

We are now going to set up the HTML Forms Authentication Scheme.

Logon to the AdminUI and go to "Infrastructure ==> Authentication".

Click on "Create Authentication Scheme".

 

 

Select "Create a new object of type Authentication Scheme" and click "OK".

Fill in the following and click "Submit":

* "Name"

* "Authentication Scheme Type" (select "HTML Form Template" from dropdown menu)

* "Protection Level" (leave it as 5)

* "Target" (leave it as "/siteminderagent/forms/login.fcc")

* "Library" (leave it as "smauthhtml")

 

 

Other Authentication Schemes are configured basically the same way as the "HTML Form Template", with small differences.

What is usually required is the "Name", "Authentication Scheme Type" and "Web Server Name"; the others are usually left untouched.

 

Now that you have created the Authentication Scheme, go to "Policies ==> Application ==> Applications ==> www.sso.lab" and click the modify button (the pencil icon at the right end, before the X icon that deletes).

 

 

Click on the "Create Component" button.

Enter the following and click "OK":

* Component Name: HTML Realm

* Agent: agent.iis

* Resource Filter: /html/

* Default Resource Protection: Protected (leave it as is)

* Authentication Scheme: Login Form for www.sso.lab

You will be back at the www.sso.lab application settings.

Click on the "Resources" tab.

At "Select a context root", select "/html/" from the dropdown list and click on the "Create" button.

Enter the following and click "OK":

* Name: Access HTML Rule

* Resource: *

* Allow Access (leave it as is)

* Action/Web Agent actions: GET, POST

You will be shown the Resource (rule) created for /html/.

Click on the "Policies" tab.

At "Select a context root", select "/html/" from the dropdown list.

You will now see the "Access HTML Rule" application and the "Basic Role", with an empty checkbox for this relationship.

Tick the checkbox for the "Access HTML Rule" application and the "Basic Role" and click the "Submit" button to complete this setup.

 

 

To test this configuration, go to http://www.sso.lab/html/ and see how the new configuration works.

 

 

In the address bar, you can find the following URL.

 

http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f

 

You are redirected to this login page because the target http://www.sso.lab/html/ is protected.

 

You will find the following in the Web Agent trace log file.

IsProtected/IsAuthenticated from the target web agent:

 

 

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Start new request.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:176][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:583][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:105][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessChallenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1680][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Executing forms challenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting to credential collector 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][SmPluginUtilities.cpp:405][HandleCredCollectorChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting for credentials 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:124][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessChallenge returned SmExit.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:607][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Challenge Manager returned SmExit, end new request.]

 

In the above log, you can see that the request did not carry an existing valid session, so the Credential Manager checked the Authentication Scheme linked to the realm and redirected to the credential collector.

The redirect URL tells the Credential Collector Agent what the user originally requested:

 

* REALMOID: 06-43eff5e5-5a70-412d-b5a4-8394a090d152

* METHOD: GET

* SMAGENTNAME: encrypted agent name (for agent.iis).

* TARGET: http://www.sso.lab/html/

 

When the user submits credentials, the Credential Collector Agent again has to confirm that the TARGET is protected.

 

 

IsProtected/IsAuthenticated from Credential Collector web agent and redirect back to target URL

 

 

[01/25/2016][18:00:41][7080][7052][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Start new request.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:209][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' not found in cache.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:226][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from disk.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:269][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' stored in cache.]

[01/25/2016][18:00:41][7080][7052][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][/html/][][Resolved cookie domain '.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Success in collecting credentials.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][POST preservation, handling return from credential collector.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][http response http://www.sso.lab/html/]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][User 'smuser' is authenticated by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Deleted cookie 'SMTRYNO'.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SAVEDSESSION Cookie Created.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

IsProtected/IsAuthenticated/IsAuthorized from target web agent

 

 

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Start new request.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Decoded SMSESSION cookie - User = 'CN=smuser,CN=Users,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processed SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Resource is protected from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing IsProtected responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Found session, no credentials required.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Validating session 'XAEiYfEY6sD2bmJ9l6DXkd3nnV8=' for user 'CN=smuser,CN=Users,DC=sso,DC=lab' in zone 'SM'.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authenticated from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authorization responses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Removing HTTP cache request headers.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][AuthorizationManager returned SmYes, end new request.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

In the above trace log from the target web agent, the agent reports that it received an SMSESSION cookie, that the user is "CN=smuser,CN=Users,DC=sso,DC=lab", and that the user was authenticated from IP "192.168.201.101".

 

Then it went on with IsProtected/IsAuthenticated/IsAuthorized.

 

As this is ALL-IN-ONE, the target web agent and the credential collector (login) web agent are the same agent.

So the user was authenticated from cache when the browser was redirected from the login page back to the target.

Authorization came from the Policy Server, as this user had not been authorized for the resource before.
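To read a trace like the ones above quickly, it helps to reduce each request to where its IsProtected, IsAuthenticated and IsAuthorized decisions came from (Policy Server or agent cache), what the decoded SMSESSION cookie said, and whether a challenge was issued. The following is an added example written for this post, not code from the Web Agent or from the original article; it assumes the 13-bracket trace layout shown above (date, time, pid, tid, source, function, request id, client IP, an unused field, agent name, resource, user, message) and uses a few lines copied from the excerpts as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two trace excerpts above, reduced to the
# ones that mark a stage (challenge, session decode, IsProtected, IsAuthenticated,
# IsAuthorized) of each request.
SAMPLE_TRACE = """\
[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]
[01/25/2016][17:37:36][6152][6496][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]
[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting to credential collector 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]
[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Decoded SMSESSION cookie - User = 'CN=smuser,CN=Users,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Resource is protected from cache.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authenticated from cache.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")
STAGE_RES = {
    "protected_from": re.compile(r"Resource is protected from (Policy Server|cache)"),
    "authenticated_from": re.compile(r"is authenticated (?:by|from) (Policy Server|cache)"),
    "authorized_from": re.compile(r"is authorized (?:by|from) (Policy Server|cache)"),
}
SESSION_RE = re.compile(r"Decoded SMSESSION cookie - User = '([^']+)', IP address = '([^']+)'")
CHALLENGE_RE = re.compile(r"Redirecting to credential collector '([^']+)'")


def parse_line(line):
    """Split one trace line into its bracketed fields; None if it is not a trace line."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 13:
        return None
    return {
        "time": fields[0] + " " + fields[1], "pid": fields[2], "tid": fields[3],
        "source": fields[4], "function": fields[5], "request_id": fields[6],
        "client_ip": fields[7].lstrip("*"), "agent": fields[9],
        "resource": fields[10], "user": fields[11], "message": fields[12],
    }


def summarize(trace_text):
    """Collapse a trace into one record per request id, noting where each decision came from."""
    requests = defaultdict(dict)
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["request_id"]:
            continue  # e.g. the ResolveFQServerName line carries no request id
        req = requests[rec["request_id"]]
        if rec["client_ip"]:
            req.setdefault("client_ip", rec["client_ip"])
        if rec["resource"]:
            req.setdefault("resource", rec["resource"])
        msg = rec["message"]
        for key, pattern in STAGE_RES.items():
            m = pattern.search(msg)
            if m:
                req[key] = m.group(1)
        m = SESSION_RE.search(msg)
        if m:
            req["session_user"], req["session_ip"] = m.group(1), m.group(2)
        m = CHALLENGE_RE.search(msg)
        if m:
            req["challenge_url"] = m.group(1)
    for req in requests.values():
        # The decoded cookie carries the IP the session was created from; a different
        # client IP on the same request is something to look at when reviewing a trace.
        req["ip_mismatch"] = "session_ip" in req and req["session_ip"] != req.get("client_ip")
    return dict(requests)


if __name__ == "__main__":
    for rid, req in summarize(SAMPLE_TRACE).items():
        print(rid[-8:], req)
```

Run it over a full trace file (`summarize(open(path).read())`) and the per-request records show at a glance whether a request was challenged, served from cache, or sent to the Policy Server, which is exactly the distinction the paragraphs above draw between the login request and the follow-up request to the target.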

 

Another thing to highlight is that the Credential Collector web agent authenticated the user at the http://www.sso.lab/siteminderagent/forms/login.fcc page.

This web site's cookie domain is ".sso.lab".

So, the SMSESSION cookie was generated for this cookie domain.

[Resolved cookie domain: '.sso.lab'.]

 

If the Credential Collector's cookie domain and the target web agent's cookie domain did not match, the browser would not send the SMSESSION cookie to the target, and the IsAuthenticated call there would fail.

 

This would cause a redirect loop.

Fortunately, the "HTML Form Template" authentication scheme is not a seamless login (such as NTLM/IWA), so it does not loop by itself.

It is important to check, for every error condition, whether the authentication scheme in use can loop or not.
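The redirect URL broken down in the list above and the cookie-domain requirement just described can both be checked from the collector URL alone: parse the query string, strip the agent's "-SM-" marker from the encoded values, and confirm that the TARGET host falls inside the collector's cookie domain. The following is an added example written for this post, not code from the Web Agent or from the original article; it takes the login.fcc URL from the DoFormsChallenge line above as constructed sample input and assumes the "-SM-" prefix simply marks a value the agent has URL-encoded (the SMAGENTNAME payload itself stays opaque).

```python
from urllib.parse import urlsplit, parse_qs

SM_PREFIX = "-SM-"  # marker the agent puts in front of values it has encoded

# Constructed sample: the collector URL from the DoFormsChallenge trace line above.
REDIRECT_URL = ("http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433"
                "&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0"
                "&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW"
                "%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f")


def strip_sm(value):
    """Drop the '-SM-' marker; percent-decoding is done by parse_qs already."""
    return value[len(SM_PREFIX):] if value.startswith(SM_PREFIX) else value


def parse_collector_redirect(url):
    """Break a credential collector redirect into the values the agent passed along."""
    parts = urlsplit(url)
    # parse_qs percent-decodes (%2e -> '.', %2f -> '/', %2b -> '+'); keep_blank_values
    # retains the empty GUID= parameter so it shows up in the result.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    target = strip_sm(params.get("TARGET", ""))
    return {
        "collector_host": parts.hostname or "",
        "collector_path": parts.path,
        "type": int(params.get("TYPE") or 0),
        "realmoid": params.get("REALMOID", ""),
        "guid": params.get("GUID", ""),
        "smauthreason": params.get("SMAUTHREASON", ""),
        "method": params.get("METHOD", ""),
        "agentname_encrypted": strip_sm(params.get("SMAGENTNAME", "")),
        "target": target,
        "target_host": urlsplit(target).hostname or "",
    }


def in_cookie_domain(host, cookie_domain):
    """True if a browser would send a cookie scoped to cookie_domain (e.g. '.sso.lab') to host."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def check_redirect(url, collector_cookie_domain):
    """Parse the redirect and flag a TARGET the collector's SMSESSION cookie would not reach."""
    info = parse_collector_redirect(url)
    info["cookie_domain_ok"] = in_cookie_domain(info["target_host"], collector_cookie_domain)
    return info


if __name__ == "__main__":
    result = check_redirect(REDIRECT_URL, ".sso.lab")
    for key, value in result.items():
        print(f"{key:20s} {value}")
```

A `cookie_domain_ok` of False is the configuration the paragraph above warns about: the collector would set SMSESSION for its own domain, the browser would not present it to the target, and the target agent's IsAuthenticated check would send the user straight back to the login form.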

 

In the next article, we will be adding one more user attribute for authentication (email).

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 3"

 

ASF Apache 2.4 is certified with the Web Agent on the Windows platform.

However, the Apache service will not start up once the Web Agent is integrated.

It fails with a stack overflow exception.

 

The documented instruction is to use editbin to set the stack size to 512KB:

editbin /STACK:524288 httpd.exe

 

Many online documents suggest that the default stack size is 1MB.

So are we actually reducing the stack size by setting it to 512KB?

 

Checking the binary itself, the default stack size for httpd.exe from ASF Apache 2.4 is as below.

You will need the "link.exe" that ships with Visual Studio.

 

link /dump /headers httpd.exe

Original httpd.exe from ASF Apache 2.4.17

Microsoft (R) COFF/PE Dumper Version 8.00.50727.42

Copyright (C) Microsoft Corporation.  All rights reserved.

 

 

 

 

Dump of file httpd.exe

 

 

PE signature found

 

 

File Type: EXECUTABLE IMAGE

 

 

FILE HEADER VALUES

            8664 machine (x64)

               6 number of sections

        561A2F0A time date stamp Sun Oct 11 20:42:34 2015

               0 file pointer to symbol table

               0 number of symbols

              F0 size of optional header

              22 characteristics

                   Executable

                   Application can handle large (>2GB) addresses

 

 

OPTIONAL HEADER VALUES

             20B magic # (PE32+)

           14.00 linker version

            2C00 size of code

            4200 size of initialized data

               0 size of uninitialized data

            2FBC entry point (0000000140002FBC)

            1000 base of code

       140000000 image base (0000000140000000 to 000000014000BFFF)

            1000 section alignment

             200 file alignment

            6.00 operating system version

            0.00 image version

            6.00 subsystem version

               0 Win32 version

            C000 size of image

             400 size of headers

            C001 checksum

               3 subsystem (Windows CUI)

            8160 DLL characteristics

                   RESERVED - UNKNOWN

                   RESERVED - UNKNOWN

                   NX compatible

                   Terminal Server Aware

           40000 size of stack reserve

            1000 size of stack commit

          100000 size of heap reserve

            1000 size of heap commit

               0 loader flags

              10 number of directories

            58E0 [      4C] RVA [size] of Export Directory

            592C [      F0] RVA [size] of Import Directory

            9000 [    1034] RVA [size] of Resource Directory

            8000 [     1E0] RVA [size] of Exception Directory

               0 [       0] RVA [size] of Certificates Directory

            B000 [      28] RVA [size] of Base Relocation Directory

            53A0 [      54] RVA [size] of Debug Directory

               0 [       0] RVA [size] of Architecture Directory

               0 [       0] RVA [size] of Global Pointer Directory

               0 [       0] RVA [size] of Thread Storage Directory

            5400 [      94] RVA [size] of Load Configuration Directory

               0 [       0] RVA [size] of Bound Import Directory

            4000 [     470] RVA [size] of Import Address Table Directory

               0 [       0] RVA [size] of Delay Import Directory

               0 [       0] RVA [size] of COM Descriptor Directory

               0 [       0] RVA [size] of Reserved Directory

 

 

 

 

SECTION HEADER #1

   .text name

    2A68 virtual size

    1000 virtual address (0000000140001000 to 0000000140003A67)

    2C00 size of raw data

     400 file pointer to raw data (00000400 to 00002FFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

60000020 flags

         Code

         Execute Read

 

 

SECTION HEADER #2

  .rdata name

    2976 virtual size

    4000 virtual address (0000000140004000 to 0000000140006975)

    2A00 size of raw data

    3000 file pointer to raw data (00003000 to 000059FF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

  Debug Directories

 

 

        Time Type       Size      RVA  Pointer

    -------- ------ -------- -------- --------

    561A2F0A cv           49 00005494     4494    Format: RSDS, {71EB6E18-61F7-45A9-9AC2-01D9BE320001}, 2, C:\VC14\Win64\httpd-2.4.17\x64\Release\httpd.pdb

    561A2F0A (   C)       14 000054E0     44E0

    561A2F0A (   D)      27C 000054F4     44F4

 

 

SECTION HEADER #3

   .data name

     6F8 virtual size

    7000 virtual address (0000000140007000 to 00000001400076F7)

     200 size of raw data

    5A00 file pointer to raw data (00005A00 to 00005BFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

C0000040 flags

         Initialized Data

         Read Write

 

 

SECTION HEADER #4

  .pdata name

     1E0 virtual size

    8000 virtual address (0000000140008000 to 00000001400081DF)

     200 size of raw data

    5C00 file pointer to raw data (00005C00 to 00005DFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

SECTION HEADER #5

   .rsrc name

    1034 virtual size

    9000 virtual address (0000000140009000 to 000000014000A033)

    1200 size of raw data

    5E00 file pointer to raw data (00005E00 to 00006FFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

SECTION HEADER #6

  .reloc name

      28 virtual size

    B000 virtual address (000000014000B000 to 000000014000B027)

     200 size of raw data

    7000 file pointer to raw data (00007000 to 000071FF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

42000040 flags

         Initialized Data

         Discardable

         Read Only

 

 

  Summary

 

 

        1000 .data

        1000 .pdata

        3000 .rdata

        1000 .reloc

        2000 .rsrc

        3000 .text

 

Hex 40000 is 262144 (256KB).

So this confirms that the instruction to set the stack size to 512KB actually doubles the default stack size rather than reducing it.

 

Thanks to Ujwol for revealing this.

After finding this information, we ran the same dump against ASF Apache 2.2, and its stack size was the same 256KB.

So the stack memory requirement of the Web Agent module for Apache 2.4 seems to have increased.
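The "size of stack reserve" value that `link /dump /headers` prints comes straight from the PE optional header, so the check (and the edit that `editbin /STACK` performs) can be reproduced without the Visual Studio tools. The following is an added example written for this post, not code from Apache, the Web Agent or Microsoft's tools; it reads SizeOfStackReserve and SizeOfStackCommit from a PE32 or PE32+ image and rewrites the reserve field the way editbin does. Because the real httpd.exe is not part of the page, the sample input is a constructed, headers-only PE32+ image that mirrors the dump above (x64 machine, 0xF0-byte optional header, 0x40000 stack reserve); the field offsets are the standard PE layout.

```python
import struct
import sys

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+


def _optional_header(data):
    """Return (offset, size) of the optional header, validating the DOS and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    return coff + 20, size_opt


def read_stack_sizes(data):
    """Read SizeOfStackReserve/SizeOfStackCommit; both sit at offset 72 of the optional
    header, as 8-byte fields in PE32+ and 4-byte fields in PE32."""
    opt, _ = _optional_header(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        reserve, commit = struct.unpack_from("<QQ", data, opt + 72)
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        reserve, commit = struct.unpack_from("<II", data, opt + 72)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"magic": magic, "stack_reserve": reserve, "stack_commit": commit}


def set_stack_reserve(data, new_reserve):
    """Return a copy of the image with SizeOfStackReserve rewritten (what editbin /STACK does).
    The optional-header CheckSum is not recomputed here; verify with link /dump /headers."""
    buf = bytearray(data)
    opt, _ = _optional_header(buf)
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        struct.pack_into("<Q", buf, opt + 72, new_reserve)
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        struct.pack_into("<I", buf, opt + 72, new_reserve)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return bytes(buf)


def build_sample_pe32plus(stack_reserve=0x40000, stack_commit=0x1000):
    """Constructed sample: a headers-only PE32+ image with the values from the dump above
    (machine 8664, six sections, optional header size F0, heap reserve 100000)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 6, 0x561A2F0A, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)                  # ImageBase
    struct.pack_into("<H", opt, 68, 3)                            # Subsystem: Windows CUI
    struct.pack_into("<QQQQ", opt, 72, stack_reserve, stack_commit, 0x100000, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_stack.py [path\to\httpd.exe]; without a path the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32plus()
    sizes = read_stack_sizes(data)
    print(f"stack reserve {sizes['stack_reserve']:#x} ({sizes['stack_reserve'] // 1024}KB), "
          f"commit {sizes['stack_commit']:#x}")
```

Run against a real httpd.exe, the script answers the question posed above directly: a reserve of 0x40000 means 256KB, so `/STACK:524288` doubles it. The reserve is the per-thread virtual size the loader sets aside; the commit value (0x1000 here) is what is initially backed, which is why a larger reserve costs little until a thread actually uses the depth.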

 

I did not have a full Studio installed, but there was an editbin and link package found on the internet that worked.

http://people.sju.edu/~ggrevera/cscCV/stack/

 

Title:

Failing to run XPSExport with error "Administrator is disabled." but the user is not in disabled state.

 

Search Summary:

Unable to export the policy store using XPSExport; the error message "Administrator is disabled." is returned even though the CA Single Sign-On administrative account is not disabled.

 

-----------------------------------------------------

 

Question:

Why am I unable to export policy store using XPSExport and getting "Administrator is disabled." message?

 

Answer:

Based on code review and an strace of the process, it was confirmed that the OS user running XPSExport must have write permission to the $NETE_PS_ROOT folder.

If the user does not have write permission to $NETE_PS_ROOT, XPSExport fails with the error "Administrator is disabled".

The $NETE_PS_ROOT folder is created by the user who installs the Policy Server, so by default the system user (usually "smuser") creates the siteminder folder with 775 permissions.

If the Policy Server is run under a different user account, ensure that user has write permission to the $NETE_PS_ROOT folder, or the same error will be returned.
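Because the error text gives no hint about file permissions, a preflight that evaluates the directory bits for the calling user the way the kernel does saves a confusing troubleshooting round. The following is an added example written for this post, not code from CA Single Sign-On or from the original article; it assumes a Unix host (it uses os.getuid/os.getgroups) and that $NETE_PS_ROOT points at the installation folder, as in the article.

```python
import os
import stat
import sys


def writable_by(mode, dir_uid, dir_gid, uid, gids):
    """Evaluate directory write permission the way the kernel does.

    mode is the permission part of st_mode (e.g. 0o775). Exactly one class of bits
    applies: owner if uid matches, else group if the directory's gid is one of the
    caller's groups, else other. Root bypasses the check entirely.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IWUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_nete_ps_root(path=None):
    """Preflight for XPSExport: report whether the calling user can write to $NETE_PS_ROOT.
    An explicit path argument overrides the environment variable."""
    path = path or os.environ.get("NETE_PS_ROOT")
    if not path:
        return {"path": None, "writable": False, "reason": "NETE_PS_ROOT is not set"}
    try:
        st = os.stat(path)
    except OSError as exc:
        return {"path": path, "writable": False, "reason": str(exc)}
    if not stat.S_ISDIR(st.st_mode):
        return {"path": path, "writable": False, "reason": "not a directory"}
    mode = stat.S_IMODE(st.st_mode)
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    ok = writable_by(mode, st.st_uid, st.st_gid, uid, gids)
    return {
        "path": path, "mode": oct(mode), "owner_uid": st.st_uid, "group_gid": st.st_gid,
        "caller_uid": uid, "writable": ok,
        "reason": "" if ok else "no write permission; XPSExport would report 'Administrator is disabled'",
    }


if __name__ == "__main__":
    # Usage: python check_ps_root.py [/apps/CA/siteminder]; exit status 1 means do not run XPSExport yet.
    result = check_nete_ps_root(sys.argv[1] if len(sys.argv) > 1 else None)
    for key, value in result.items():
        print(f"{key:12s} {value}")
    sys.exit(0 if result["writable"] else 1)
```

With the 775 default from the article, the owner "smuser" and any member of its group pass, while a different account outside the group fails, which is the case the answer above describes.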

 

Additional Information:

The following shows XPSExport run by "smuser", which has write permission to the $NETE_PS_ROOT folder.

 

[smuser@localhost apps]$ XPSExport testing.xml -xb -npass

[XPSExport - XPS Version 12.51.0001.972]

Log output: XPSExport.2016-01-20_060907.log

Initializing XPS, please wait...

(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.

Log Time Phase/Section                Objects        %%age       #Err Elapsed

-------- ------------------------ --------------- -----------  -----------------

06:09:13 Initializing

06:09:13 Analyzing                                             00:00:00

06:09:13 Reading                                               00:00:00

06:09:13 Reading/Configuration        157/503        31%       00:00:00  00:00:00

06:09:13 Reading/Policy Data          202/503        40%       00:00:00  00:00:00

06:09:13 Reading/Policy Data          252/503        50%       00:00:00  00:00:00

06:09:13 Reading/Policy Data          302/503        60%       00:00:00  00:00:00

06:09:13 Reading/Policy Data          353/503        70%       00:00:00  00:00:00

06:09:13 Reading/Policy Data          403/503        80%       00:00:00  00:00:00

06:09:14 Reading/Policy Data          453/503        90%       00:00:01  00:00:01

06:09:14 Reading/Security Data        497/503        98%       00:00:01  00:00:01

06:09:14 Sorting/Policy Data            0/338                  00:00:01

06:09:14 Sorting/Policy Data           34/338        10%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data           68/338        20%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          102/338        30%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          136/338        40%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          169/338        50%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          203/338        60%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          237/338        70%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          271/338        80%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          305/338        90%       00:00:01  00:00:00

06:09:14 Sorting/Policy Data          338/338       100%       00:00:01  00:00:00

06:09:14 Writing/Header                                        00:00:01

06:09:14 Writing/References            16/519         3%       00:00:01  00:00:00

06:09:14 Writing/Policy Data           52/519        10%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          104/519        20%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          156/519        30%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          208/519        40%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          260/519        50%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          312/519        60%       00:00:01  00:00:00

06:09:14 Writing/Policy Data          354/519        68%       00:00:01  00:00:00

06:09:14 Writing/Configuration        364/519        70%       00:00:01  00:00:00

06:09:14 Writing/Configuration        416/519        80%       00:00:01  00:00:00

06:09:14 Writing/Configuration        468/519        90%       00:00:01  00:00:00

06:09:14 Writing/Configuration        511/519        98%       00:00:01  00:00:00

06:09:14 Writing/Security Data        513/519        98%       00:00:01  00:00:00

06:09:14 Writing/Footer                                        00:00:01  00:00:00

06:09:14 Complete                                              00:00:01

Total elapsed time:00:01

 

File is 724,877 bytes.

 

Next, the $NETE_PS_ROOT folder (/apps/CA/siteminder) is set to read-only.

 

[smuser@localhost CA]$ ls -la

total 1408

drwxr-xr-x.  4 smuser smgroup    4096 Jan 20 03:43 .

drwxrwxrwx.  5 root   root       4096 Jan 20 06:09 ..

drwxrwxr-x. 32 smuser smgroup    4096 Jan  6 05:27 siteminder

 

[smuser@localhost CA]$ chmod 555 siteminder/

 

[smuser@localhost CA]$ ls -la

total 1408

drwxr-xr-x.  4 smuser smgroup    4096 Jan 20 03:43 .

drwxrwxrwx.  5 root   root       4096 Jan 20 06:09 ..

dr-xr-xr-x. 32 smuser smgroup    4096 Jan  6 05:27 siteminder

 

Running the same XPSExport command again.

 

[smuser@localhost apps]$ XPSExport testing-readonly.xml -xb -npass

[XPSExport - XPS Version 12.51.0001.972]

Log output: XPSExport.2016-01-20_061005.log

Initializing XPS, please wait...

(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.

(ERROR) : [sm-xpsxps-04400] Administrator is disabled.

 

(FATAL) : [sm-xpsxps-04390] Unable to establish administration context.

 

 

The following is a snippet from the strace output showing that the user did not have write permission on the $NETE_PS_ROOT folder.

 

 

access("/apps/CA/siteminder", W_OK) = -1 EACCES (Permission denied)
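The strace line above is the whole story: XPSExport calls access(path, W_OK) on $NETE_PS_ROOT and, when that fails, reports "Administrator is disabled" and "Unable to establish administration context" instead of a permission error. The following is an added example (not part of this article or the product) that reproduces the decision access(W_OK) makes for a given user from an "ls -l" line, so you can pre-check a service account before running the XPS tools. The two ls lines are constructed copies of the output shown above; root's bypass of the permission bits is the reason the problem often only appears under a non-root service account.

```python
import re
from typing import List, Tuple

# Constructed samples, shaped like the "ls -la" output shown above.
SAMPLE_LS_BEFORE = "drwxrwxr-x. 32 smuser smgroup    4096 Jan  6 05:27 siteminder"
SAMPLE_LS_AFTER = "dr-xr-xr-x. 32 smuser smgroup    4096 Jan  6 05:27 siteminder"

# type, 9 permission chars, optional SELinux/ACL marker, link count, owner, group
_LS_LINE = re.compile(r"^([dl-])([rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s")


def parse_ls_line(line: str) -> Tuple[str, str, str]:
    """Return (permission bits, owner, group) from one 'ls -l' line."""
    m = _LS_LINE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m.group(2), m.group(3), m.group(4)


def has_write_access(mode: str, owner: str, group: str, user: str, user_groups: List[str]) -> bool:
    """Reproduce what access(path, W_OK) decides for a user.

    POSIX uses exactly one class of bits: the owner bits if the user owns the
    directory, otherwise the group bits if any of the user's groups match,
    otherwise the "other" bits.  root bypasses the check entirely.
    """
    if user == "root":
        return True
    if user == owner:
        bits = mode[0:3]
    elif group in user_groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return bits[1] == "w"


def xpsexport_preflight(ls_line: str, user: str, user_groups: List[str]) -> Tuple[bool, str]:
    """(ok, message): would XPSExport's access(W_OK) on $NETE_PS_ROOT succeed for this user?"""
    mode, owner, group = parse_ls_line(ls_line)
    if has_write_access(mode, owner, group, user, user_groups):
        return True, "%s can write to $NETE_PS_ROOT; access(W_OK) will succeed" % user
    return False, ("%s cannot write to $NETE_PS_ROOT (mode %s, owner %s:%s); expect "
                   "[sm-xpsxps-04400] Administrator is disabled and [sm-xpsxps-04390]"
                   % (user, mode, owner, group))


if __name__ == "__main__":
    for line in (SAMPLE_LS_BEFORE, SAMPLE_LS_AFTER):
        print(xpsexport_preflight(line, "smuser", ["smgroup"]))
```

Note that the owner class wins even when the group class would allow writing: a directory owned by smuser with mode r-xrwxr-x is still unwritable for smuser, which is a common surprise when ownership and group membership are mixed.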

 

** This article is now published as a KB Article linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1764036.aspx

Title:

Is RelayState part of signature verification?

 

Description:

- SP Initiated Federation results in a "Failed to Verify Signature" error.

- IDP Initiated Federation works fine.

- Comparing the working and failing SP Initiated Federation requests, the difference appears to be a change in the RelayState query parameter.

 

-----------------------------------------------------

 

Question:

Is RelayState part of signature verification?

 

Answer:

RelayState is indeed part of signature verification.

Signature Verification at the IDP will fail for the AuthnRequest if there is a change to the RelayState value.

For example,

     * Upper case and Lower case changes.

     * URL Encoding and decoding differences.

     * Change in the RelayState value itself.
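The reason is the HTTP-Redirect binding itself: the signature is computed over the literal string SAMLRequest=value&RelayState=value&SigAlg=value, with each value already URL-encoded, so RelayState sits inside the signed octets and any change to it (value, case, or even the hex case of a percent-escape) breaks verification. The following is an added example, not from this article or from CA Single Sign-On, that builds and verifies such a query string. It uses an HMAC-SHA256 keyed with a constructed DEMO_KEY as a stand-in for the SP's RSA signature so it runs with the standard library only; the AuthnRequest XML is a constructed minimal sample.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib
from typing import Dict, Optional

# Constructed demo values (not from any real SP or IdP).
DEMO_KEY = b"demo-shared-key-stand-in-for-the-SP-signing-key"
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_demo-authn-1" Version="2.0" IssueInstant="2016-01-20T06:09:13Z"/>'
)


def _enc(s: str) -> str:
    return urllib.parse.quote(s, safe="")


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def signed_string(enc_request: str, enc_relay_state: Optional[str], enc_sig_alg: str) -> str:
    """The exact octets that are signed (SAML 2.0 bindings, section 3.4.4.1):
    SAMLRequest=value&RelayState=value&SigAlg=value, RelayState omitted if absent.
    The values are the URL-encoded forms, so RelayState is part of the signature."""
    parts = ["SAMLRequest=" + enc_request]
    if enc_relay_state is not None:
        parts.append("RelayState=" + enc_relay_state)
    parts.append("SigAlg=" + enc_sig_alg)
    return "&".join(parts)


def build_redirect_query(authn_request_xml: str, relay_state: Optional[str], key: bytes) -> str:
    """SP side: produce the query string for the redirect to the IdP."""
    rs = _enc(relay_state) if relay_state is not None else None
    to_sign = signed_string(_enc(deflate_b64(authn_request_xml)), rs, _enc(SIG_ALG))
    # Stand-in for RSA signing: HMAC-SHA256 keyed with DEMO_KEY (see lead-in).
    sig = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return to_sign + "&Signature=" + _enc(base64.b64encode(sig).decode("ascii"))


def verify_redirect_query(query: str, key: bytes) -> bool:
    """IdP side: rebuild the signed string from the parameter values exactly as received."""
    raw: Dict[str, str] = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value  # keep the received encoding; never decode and re-encode
    if not {"SAMLRequest", "SigAlg", "Signature"}.issubset(raw):
        return False
    to_verify = signed_string(raw["SAMLRequest"], raw.get("RelayState"), raw["SigAlg"])
    expected = hmac.new(key, to_verify.encode("utf-8"), hashlib.sha256).digest()
    try:
        received = base64.b64decode(urllib.parse.unquote(raw["Signature"]), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received)


def replace_relay_state(query: str, new_relay_state: str) -> str:
    """Simulate something between SP and IdP rewriting RelayState (a portal, proxy or filter)."""
    out = []
    for pair in query.split("&"):
        if pair.startswith("RelayState="):
            pair = "RelayState=" + _enc(new_relay_state)
        out.append(pair)
    return "&".join(out)


if __name__ == "__main__":
    q = build_redirect_query(SAMPLE_AUTHN_REQUEST, "https://sp.example.com/app?x=1", DEMO_KEY)
    print("untouched:      ", verify_redirect_query(q, DEMO_KEY))
    print("case change:    ", verify_redirect_query(replace_relay_state(q, "https://sp.example.com/App?x=1"), DEMO_KEY))
    print("re-encoded %3f: ", verify_redirect_query(q.replace("%3F", "%3f"), DEMO_KEY))
```

The three tampering cases in the main block correspond to the three bullets above: a different value, a case change, and an encoding-only change (the same '?' escaped as %3f instead of %3F). All three fail verification, and none of them can be detected by looking at the decoded RelayState, which is why comparing the raw query string of a working and a failing request is the quickest way to find the culprit.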

 

Additional Information:

- http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf #Page 16. #3.4.3 RelayState

 

** This article is now published as a KB article linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1247034.aspx

Title:

    - Troubleshooting CA Access Gateway startup issues

 

Description:

    - You have newly installed CA Access Gateway and it fails to start up.

    - CA Access Gateway has been working fine and suddenly fails to start up.

 

 

Introduction / Summary: 

CA Access Gateway is an Apache + JK Connector + Tomcat bundle.

It also ships with some deployed applications (localapps).

The common causes of startup issues are:

1. Apache Certificate settings

2. Tomcat configuration

3. Tomcat localapps

This article helps isolate startup problems before submitting a support ticket.

 

Instructions:

First, run "netstat -an" to see which services have started.

Check whether ports 80 and 443 (if SSL is enabled) are listening for Apache.

Check whether ports 8080 (HTTP), 543 (HTTPS), 8005 (SHUTDOWN) and 8009 (AJP) are listening for Tomcat.
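The port check above tells you which half of the bundle (Apache or Tomcat) failed, and that decides which of the three areas below to look at first. The following is an added example (not part of this article or of CA Access Gateway) that parses "netstat -an" output from either Windows or Linux, compares the listening ports against the list above, and points at the matching troubleshooting step. The netstat text is a constructed sample for a host where Apache came up but Tomcat did not.

```python
import re
from typing import Dict, List, Set

# Ports named in the article; 443 only matters when SSL is enabled on Apache.
EXPECTED_PORTS = {
    80: ("apache", "HTTP"),
    443: ("apache", "HTTPS"),
    8080: ("tomcat", "HTTP"),
    543: ("tomcat", "HTTPS"),
    8005: ("tomcat", "SHUTDOWN"),
    8009: ("tomcat", "AJP"),
}
OPTIONAL_PORTS = {443}

# Constructed "netstat -an" output (Windows layout): Apache is up, Tomcat is not.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:51022     ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""

_ADDR_PORT = re.compile(r"^(.*):(\d+)$")


def listening_ports(netstat_output: str) -> Set[int]:
    """TCP ports in LISTEN/LISTENING state, from Linux or Windows 'netstat -an' text."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue  # header lines, UDP, blank lines
        if fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        for field in fields[1:]:  # first addr:port shaped field is the local address
            m = _ADDR_PORT.match(field)
            if m:
                ports.add(int(m.group(2)))
                break
    return ports


def startup_report(netstat_output: str) -> Dict[str, Dict[str, List[int]]]:
    """Per service: which expected ports are up and which required ones are missing."""
    up = listening_ports(netstat_output)
    report = {"apache": {"up": [], "missing": []}, "tomcat": {"up": [], "missing": []}}
    for port, (service, _proto) in sorted(EXPECTED_PORTS.items()):
        if port in up:
            report[service]["up"].append(port)
        elif port not in OPTIONAL_PORTS:
            report[service]["missing"].append(port)
    return report


def next_step(report: Dict[str, Dict[str, List[int]]]) -> str:
    """Map the report onto the three areas listed in the article."""
    if report["apache"]["missing"]:
        return "apache: set LogLevel debug in httpd.conf and read error_log (check certificate settings first)"
    if report["tomcat"]["missing"]:
        return "tomcat: read server.log, start it from the shell/.bat, then bisect the localapps in server.conf"
    return "all expected ports are listening"


if __name__ == "__main__":
    rep = startup_report(SAMPLE_NETSTAT)
    print(rep)
    print(next_step(rep))
```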

 

1. For Apache-side problems

Set LogLevel to debug in the httpd.conf file.

Check the error_log to determine which configuration is causing the problem.

 

2. For Tomcat-side problems

Check the server.log to determine whether there are any exceptions and whether they point to a particular feature.

On Windows, you can try starting Tomcat from the command line by copying SmSpsProxyEngine.properties to SmSpsProxyEngine.bat

and adding the following line (a copy of NETE_SPS_PROXY_ENGINE_CMD) at the very bottom.

SmSpsProxyEngine.bat (last line of)
"%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxPermSize=256M -Dcatalina.base="%NETE_SPS_TOMCAT_HOME%" -Dcatalina.home="%NETE_SPS_TOMCAT_HOME%" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.io.tmpdir="%NETE_SPS_TOMCAT_HOME%\temp" -DHTTPClient.log.mask=0 -DHTTPClient.Modules="HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule" -Dlogger.properties="%NETE_SPS_TOMCAT_HOME%/properties/logger.properties" -DSM_AGENT_LOG_CONFIG="%STS_AGENT_LOG_CONFIG_FILE%" -classpath "%NETE_SPS_TOMCAT_HOME%\bin\proxybootstrap.jar;%NETE_SPS_TOMCAT_HOME%\properties;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_TOMCAT_HOME%\bin\bootstrap.jar;%NETE_SPS_ROOT%\resources;%NETE_SPS_ROOT%\agentframework\java\cryptoj.jar" com.netegrity.proxy.ProxyBootstrap -config "%NETE_SPS_ROOT%/proxy-engine/conf/server.conf"

On Unix, simply run "proxyserver.sh" to start Tomcat from the shell. This file has content similar to the SmSpsProxyEngine.properties file.

Look for exception errors.

You can add -verbose to the command above if you suspect that certain jar files are not being loaded.

 

The default log level for the server.log file is "INFO", which is sufficient in most cases but can be increased if needed.

<SPS_HOME>/secure-proxy/Tomcat/properties/logger.properties

Change from

log4j.rootCategory=INFO, SvrFileAppender

to

log4j.rootCategory=ALL, SvrFileAppender

 

3. For Tomcat localapps

In the server.conf file there is a <Contexts> section that lists the deployed localapps.

Each <Context> has its own switch to enable it separately.

Try disabling all the localapps to see whether CA Access Gateway starts up.

Then enable them one by one to determine which app is causing the initialization failure.

<Contexts>

  <Context name="Service name1">

    ***="yyy"

    enable="yes"

  </Context>

  <Context name="Service name2">

    ***="yyy"

    enable="yes"

  </Context>

</Contexts>

 

Additional Information:

This article covers only the startup issues.

 

 

Title:

    - Configuring SNMP Agent for CA Single Sign-On

 

Description:

    - You have an SNMP-based monitoring tool and would like to poll the CA Single Sign-On Policy Server to get statistics.

    - You have an SNMP-based monitoring tool and would like the Policy Server to send trap messages to this tool for critical events.

 

 

Introduction / Summary: 

CA Single Sign-On Policy Server bundles an SNMP Sub-Agent that can be configured during installation.

By enabling this SNMP Sub-Agent, one can poll the Policy Server status and collect information.

Also, for critical events such as a startup failure, it can send an SNMP Trap message to a monitoring server such as "CA Service Operations Insight" (aka SOI) in order to page the system administrators or trigger an automated recovery scenario.

 

Instructions:

It has the following prerequisites:

1. An SNMP Master Agent must be installed (this is provided by the OS).

2. The SNMP Master Agent must be configured (ensure the community string and the SNMP server are defined).

3. The SNMP port (UDP 161) must be open.

4. UDP 8001 must not be occupied by another service.

 

Install the Master SNMP Agent (this sample is based on the Windows platform; conceptually, Unix is the same).

 

Load "Server Manager" and go to "Features".

Click on "Add Features", select "SNMP Services" and install.

This will install the "SNMP Service".

Double-click on the "SNMP Service" and configure the "Traps" and "Security" tabs.

The trap destination should be the monitoring server; in this case it is the "testmc1" machine.

The community is set to "public", but if you want to use a different community string, ensure that the same community is used in the other configurations too.

 

 

Install SNMP Sub-Agent

 

This can be done during installation; otherwise, run the Policy Server Configuration Wizard again to set it up.

Select the "SNMP" option.

 

SNMP Sub-Agent Service

 

Ensure the "Netegrity SNMP agent" service is running.

This is the SNMP Sub-Agent, and the service executable should point to C:\Windows\JavaService.exe

The default configuration will work.

Configuration for this service is stored in the C:\Windows\Java_Service.ini file.

You will notice that this executable is just a wrapper for Java and actually runs "javaw.exe".

 

Optional:

If you want to distinguish this from other Java processes running on your Windows server, you can copy "javaw.exe" to another name such as "subsnmp.exe" and update the "JRE_PATH" parameter in the Java_Service.ini file so that it points to subsnmp.exe.

 

 

 

Test with SNMP Walker utility

 

Navigate to "C:\Program Files (x86)\CA\siteminder\bin" and run "SnmpWalkRun.bat".

Then in the "OID" field type "products" (or select an entry from the dropdown menu) and click on "Walk".

If it is configured correctly, you should see the following. (Ignore the popup message about "End of MIB".)

In this case, you can see that the port used was "161", which goes through the OS's master SNMP agent.

If you want to test the "Netegrity SNMP Agent" directly, change the port to "8001" and try.

Configuration is in "C:\Program Files (x86)\CA\siteminder\config\snmp.conf" file.

Update the file as below.

 

LOG_FILE=C:\Program Files (x86)\CA\siteminder\log\SNMP.log

TRAP_RECEIVER(Y/N)=Y

 

Adding Event Handler

 

As instructed by the Policy Server Configuration Wizard, you must add the event handler.

 

  Follow these steps:

  1. Open a command line on the Policy Server, and enter the following command: xpsconfig (The tool starts, displays the name of the log file for this session, and opens a menu of choices.)
  2. Enter the following: xps (A list of options appears.)
  3. Enter the following: 5 (AuditSMHandlers). The settings for the event handler libraries appear.
  4. Type C, and then enter the path and file name of the event handler library ("C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"). The settings for the event handler libraries appear. The value you added is shown at the bottom of the settings as a "pending value."
  5. Enter Q and [ENTER] three times to end your XPS session.
  6. Restart the Policy Server.

 

In the smps.log, you should find the following entry.

 

     [5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"

SNMP Trap configuration

 

For SNMP trap messages, modify the "C:\Program Files (x86)\CA\siteminder\config\snmptrap.conf" file as below.

In the sample, there are 3 fields:

1. Trap Event

2. Trap destination

3. Community

 

For trap events, you can select which events send a trap message; the sample above shows all events enabled.

For the trap destination, the sample above sends to "testmc1" on port 162.

If you are using the default port, you can specify only the host/IP and it will work.

If you want to send to multiple destinations, separate them with commas, with no spaces after the comma.

For example, "testmc1:162,testmc2:162".

For the community, ensure you use the same community string on the Policy Server and the monitoring server, so both use a common community string for this monitoring.

 

Restart Policy Server once everything is configured.

 

SNMP Trap Logging

 

Set the environment variable "NETE_SNMPLOG_ENABLED=1" and the Policy Server will generate the smpolicysrv_snmptrap.log file in the "C:\Program Files (x86)\CA\siteminder\log" folder.

This log can generate a lot of data, so it should be used only for troubleshooting.

A Policy Server restart is required to enable or disable this logging, as the environment variable is read at startup.

Sample log below.

smpolicysrv_snmptrap.log

## Event log file was sucessfully opened. ##

### SmEventInit::The EventSNMP dll is initializing ... ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###

SmEventTrap::Send - trap (MIB id = 1) was sent successfully.

### SmEventRecord::SNMP Trap ( MIB id 1) was successfully sent nCategoryType: 3, nCategory: 1, nEventID: 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 9, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 11, nEventID 1 ###

### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###
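Two small checks help when working with the trap configuration and the trap log above: validating the destination field (comma-separated host[:port] entries, no whitespace, port 162 when omitted) before restarting the Policy Server, and counting, from smpolicysrv_snmptrap.log, how many events actually went out as traps versus how many were logged as not SNMP-supported. The following is an added example (not from this article or from the product) that does both; the log lines are a constructed subset shaped like the sample above, and the destination syntax rules are the ones stated in the trap configuration section.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

DEFAULT_TRAP_PORT = 162  # standard SNMP trap port, used when an entry has no ":port"


def parse_trap_destinations(value: str) -> List[Tuple[str, int]]:
    """Parse the snmptrap.conf destination field: 'host[:port]' entries separated by
    commas, with no whitespace anywhere (a space after the comma is a common mistake)."""
    if not value or re.search(r"\s", value):
        raise ValueError("destination list must be non-empty and contain no whitespace: %r" % value)
    dests: List[Tuple[str, int]] = []
    for entry in value.split(","):
        if not entry:
            raise ValueError("empty destination entry in %r" % value)
        host, sep, port = entry.partition(":")
        if sep and not port.isdigit():
            raise ValueError("port must be numeric in %r" % entry)
        dests.append((host, int(port) if sep else DEFAULT_TRAP_PORT))
    return dests


def is_valid_destination_list(value: str) -> bool:
    try:
        parse_trap_destinations(value)
        return True
    except ValueError:
        return False


# Constructed subset of smpolicysrv_snmptrap.log, in the shape of the sample above.
SAMPLE_TRAP_LOG = """\
## Event log file was sucessfully opened. ##
### SmEventInit::The EventSNMP dll is initializing ... ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 18, nEventID 1 ###
SmEventTrap::Send - trap (MIB id = 1) was sent successfully.
### SmEventRecord::SNMP Trap ( MIB id 1) was successfully sent nCategoryType: 3, nCategory: 1, nEventID: 1 ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 9, nEventID 1 ###
### SmEventRecord::Event is currently not SNMP supported : nCategoryType 6 , nCategory 13, nEventID 1 ###
"""

_UNSUPPORTED = re.compile(r"not SNMP supported : nCategoryType (\d+) , nCategory (\d+), nEventID (\d+)")
# Only the SmEventRecord line is counted; the SmEventTrap::Send line reports the same trap.
_SENT = re.compile(r"SNMP Trap \( MIB id (\d+)\) was successfully sent "
                   r"nCategoryType: (\d+), nCategory: (\d+), nEventID: (\d+)")


def summarize_trap_log(text: str) -> Dict[str, object]:
    """Count traps sent per MIB id and events skipped as unsupported per (type, category, id)."""
    sent: Counter = Counter()
    unsupported: Counter = Counter()
    for line in text.splitlines():
        m = _SENT.search(line)
        if m:
            sent[int(m.group(1))] += 1
            continue
        m = _UNSUPPORTED.search(line)
        if m:
            unsupported[tuple(int(g) for g in m.groups())] += 1
    return {"traps_sent": sum(sent.values()), "sent": dict(sent), "unsupported": dict(unsupported)}


if __name__ == "__main__":
    print(parse_trap_destinations("testmc1:162,testmc2:162"))
    print(summarize_trap_log(SAMPLE_TRAP_LOG))
```

The "unsupported" counter is the useful part when a monitoring team reports that an event never arrived: if its (nCategoryType, nCategory, nEventID) triple only ever shows up there, the event handler saw it but has no MIB mapping for it, which is a product limitation rather than a network or community-string problem.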

 

Importing MIB file at the monitoring server

 

Any SNMP polling or trap-receiving server must import the Policy Server MIB file in order to interpret the messages.

The "C:\Program Files (x86)\CA\siteminder\mibs\NetegrityMIB.mib" file is available for import.

 

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1841322.aspx

 

 

Reformatting this previous article for publishing as Knowledge Document.

 

Title:

    - How to configure RiskMinder component at the Policy Server manually.

 

Description:

    - You configured the Policy Store manually and find that the RiskMinder component is not configured.

    - You try to configure CA Access Gateway (SPS) and its Tomcat service crashes.

    - You are trying to configure Session Assurance but the Policy Server side RiskMinder is not working.

 

Introduction / Summary: 

    The RiskMinder component at the Policy Server is configured during the Policy Server installation, provided that the Policy Store is already configured or is one of the store types that the Installation Wizard can set up automatically without manual steps.

    However, if the Policy Store had to be configured manually, the RiskMinder component will not be configured.

    The following steps guide you through configuring the RiskMinder component and also show how to verify whether it is set up.

 

Instructions:

Run the "Policy Server Configuration Wizard".

 

DO NOT choose any features to configure. Just click "Next".

 

You will be asked to enter the "Master Key". This only accepts alphanumeric characters!!!

This is not the Policy Store encryption key; it is a key used by the RiskMinder component.

You must keep a record of this key as you will need it in the future.

 

It asks again to set a password for the "SiteMinder" super user.

You cannot skip this step without entering a value, so enter whatever password suits you; you will use it to administer the Policy Server.

 

If the RiskMinder component is configured successfully, you will find the "Default_<PolicyServerMachineName>_AAS" HostConfigObject.

If you do not have the AdminUI installed yet, you can still check with XPSExplorer.

In the following sample, the Policy Server machine name (hostname) is "TESTMC1", so you should have a "Default_TESTMC1_AAS" HCO object.

If you have 2 Policy Servers, you should see 2 HCOs named "Default_<PolicyServerMachineName>_AAS".

If you do not have the matching number of HCO objects, check the Policy Server machine names to determine which one needs to run the Configuration Wizard to register.

 

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1356284.aspx

 

Reformatting this previous article for publishing as Knowledge Document.

 

Title:

    - How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)

 

Description:

    - You already have CA Single Sign-On in your environment and want to extend its SSO to your new SOI (CA Service Operations Insight).

    - You have an Apache proxy server (CA SSO enabled) in front of SOI and would like seamless SSO to SOI.

    - You tried the Apache proxy server, but with CA SSO enabled you get challenged twice.

 

Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1, but it should be generic and not limited to a specific version.

    - This is based on SOI 3.1, but newer versions should work the same.

    - This article only covers how to configure the ASF Apache proxy and the CA Single Sign-On realm setting, as this is where customers face the double challenge and fail to SSO.

 

Instructions:

    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via http://soi.kim.net.my:7070/sam

     * Proxy server is accessible via http://soi.kim.net.my

      

    - The following is how the ASF proxy server needs to be configured.

Apache Proxy Setting for SOI

ProxyRequests off

ProxyPreserveHost on

 

<Location /sam>

                ProxyPass http://soi.kim.net.my:7070/sam

                ProxyPassReverse http://soi.kim.net.my:7070/sam

</Location>

 

 

<Location /sam/admin>

                ProxyPass http://soi.kim.net.my:7090/sam/admin

                ProxyPassReverse http://soi.kim.net.my:7090/sam/admin

</Location>

 

<Location /sam/debug>

                ProxyPass http://soi.kim.net.my:7090/sam/debug

                ProxyPassReverse http://soi.kim.net.my:7090/sam/debug

</Location>

 

To access SOI, visit http://soi.kim.net.my/sam/ui and you reach the backend SOI.

 

The following are some additional proxy URLs for troubleshooting:

http://soi.kim.net.my/sam/admin

http://soi.kim.net.my/sam/debug

 

    - The following is the resource filter that needs to be protected by CA Single Sign-On.

CA Single Sign-On side realm resource filter
/sam/ui

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" from CA Single Sign-On.

You do not need to create a separate realm to unprotect "/sam"; creating a realm only for "/sam/ui" is sufficient.

With this configuration, you will not be double challenged.

 

Additional Information:

If you were proxying /sam from Apache and also protecting /sam with CA Single Sign-On, you get challenged as below when accessing the "console".

 

1st challenge (in this sample, I used the Basic Authentication Scheme from CA Single Sign-On)

8a.png

2nd challenge

9a.png

3rd challenge

10.png

Exception

11.png

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1872722.aspx

 

 

 

Title:

        - The Web Agent does not log its cache utilization or how many authentications it has performed in its log files, so how can you check the statistics?

 

Description:

In order to get the cache utilization and other statistics, you need to set up the OneView Monitor.

The OneView Monitor gives you the list of Web Agents, and you get the statistics from there.

Or, Wily Introscope gives you even more detail with user-friendly views.

But even when you don't have those configured, you can still get the statistics.

Out of the box, your Web Agent is configured to send its statistics to the Policy Server for the OneView Monitor.

In the Policy Server trace log (smtracedefault.log) you will find <SMMON:***> entries, which are statistics reports from that Web Agent.

By capturing the SMMON data sent by the Web Agent, we get access to the statistics of that particular Web Agent.

 

Instructions:

- Step1: Ensure that your Agent Configuration Object has (enablemonitoring='yes') and webagent.log shows the same.

     * This tells the Web Agent to send the SMMON data to the Policy Server.

- Step2: Check which Policy Server this agent connects to; it sends SMMON data every 30 seconds.

     * webagent.log will show whether you are running in failover mode (enablefailover='yes') and which Policy Server it is connecting to (policyserver='192.168.1.100,44441,44442,44443').

- Step3: Set up the Policy Server profiler to log the SMMON data. The minimum requirement is the 2 lines below for components and data.

     * components: Login_Logout/Receive_Request

     * data: Date, Time, AgentName, Data

     * Optionally you can filter only the SMMON data by adding "Data: @@SMMON" on a separate line.

     A sample smtracedefault.txt file is below.

  

Sample "<PS>/config/smtracedefault.txt" file with a filter to log only "SMMON" data. (The 5th line is an empty line.)

components: Login_Logout/Receive_Request

data: Date, Time, AgentName, Data

version: 1.1

Data: @@SMMON

 

It should generate smtracedefault.log as below.

The [AgentName] section shows the TrustedHost name this message is coming from.

The [Data] section has the SMMON data; check the "AgentName" within the SMMON data to determine which agent the statistics are for, because multiple agents may share the same SmHost.conf file.

 

- Step4: Now that you have the SMMON data, you need to extract the information.

     * It will be easier to view each entry if you have some sort of XML parser.

SMMON data sample

<SMMON:ComponentRegistered xmlns:SMMON='http://netegrity.com/monitor'>

    <Host HostId='192.168.201.105'>

        <SmComponent CompPath='Agent;6128'></SmComponent>

    </Host>

</SMMON:ComponentRegistered>

<SMMON:ComponentData xmlns:SMMON='http://netegrity.com/monitor'>

    <Host HostId='192.168.201.105'>

        <SmComponent CompPath='Agent;6128' Version='12.52QMR01'>

            <Name>agent.iis</Name>

            <Info>Product=WebAgent,Platform=IIS75/Windows,Version=12.52QMR01,Update=HF03,Label=767,FileVersion=12.52.0103.767,UTC=1452575359,TZ=-10,Crypto=128</Info>

            <ResourceCacheHits>14</ResourceCacheHits>

            <ResourceCacheMisses>5</ResourceCacheMisses>

            <UserSessionCacheHits>1</UserSessionCacheHits>

            <UserSessionCacheMisses>3</UserSessionCacheMisses>

            <IsProtectedCount>5</IsProtectedCount>

            <IsProtectedErrors>0</IsProtectedErrors>

            <LoginCount>3</LoginCount>

            <LoginErrors>0</LoginErrors>

            <LoginFailures>0</LoginFailures>

            <ValidationCount>0</ValidationCount>

            <ValidationErrors>0</ValidationErrors>

            <ValidationFailures>0</ValidationFailures>

            <AuthorizeCount>4</AuthorizeCount>

            <AuthorizeErrors>0</AuthorizeErrors>

            <AuthorizeFailures>0</AuthorizeFailures>

            <CrosssiteScriptHits>0</CrosssiteScriptHits>

            <BadURLCharsHits>0</BadURLCharsHits>

            <BadCookieHitsCount>0</BadCookieHitsCount>

            <ExpiredCookieHitsCount>0</ExpiredCookieHitsCount>

            <IsProtectedAvgTime>1</IsProtectedAvgTime>

            <LoginAvgTime>270</LoginAvgTime>

            <ValidationAvgTime>0</ValidationAvgTime>

            <AuthorizeAvgTime>1</AuthorizeAvgTime>

            <ResourceCacheCount>5</ResourceCacheCount>

            <UserSessionCacheCount>3</UserSessionCacheCount>

            <ResourceCacheMax>1000</ResourceCacheMax>

            <UserSessionCacheMax>1000</UserSessionCacheMax>

        </SmComponent>

    </Host>

</SMMON:ComponentData>

          * The important parts of the data above are "HostId", "Name" and the rest of the statistics in the "SmComponent" section.
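Since the payload is plain XML in a declared namespace, the standard library parser is enough to turn a captured ComponentData message into numbers. The following is an added example (not from this article or from the product) that extracts HostId, Name, the comma-separated Info field and every numeric counter from the sample above, then derives the figures people usually want from it: cache hit ratios, how full the caches are against their configured maximum, and the sum of the input-validation counters (cross-site script, bad URL characters and bad cookie hits) that are worth alerting on. The XML is embedded as a constructed copy of the page's sample, shortened to the counters used here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SMMON_NS = "http://netegrity.com/monitor"

# Constructed copy of the ComponentData sample above (subset of the counters).
SAMPLE_COMPONENT_DATA = """<SMMON:ComponentData xmlns:SMMON='http://netegrity.com/monitor'>
    <Host HostId='192.168.201.105'>
        <SmComponent CompPath='Agent;6128' Version='12.52QMR01'>
            <Name>agent.iis</Name>
            <Info>Product=WebAgent,Platform=IIS75/Windows,Version=12.52QMR01,Update=HF03,Label=767,FileVersion=12.52.0103.767,UTC=1452575359,TZ=-10,Crypto=128</Info>
            <ResourceCacheHits>14</ResourceCacheHits>
            <ResourceCacheMisses>5</ResourceCacheMisses>
            <UserSessionCacheHits>1</UserSessionCacheHits>
            <UserSessionCacheMisses>3</UserSessionCacheMisses>
            <IsProtectedCount>5</IsProtectedCount>
            <LoginCount>3</LoginCount>
            <LoginFailures>0</LoginFailures>
            <AuthorizeCount>4</AuthorizeCount>
            <CrosssiteScriptHits>0</CrosssiteScriptHits>
            <BadURLCharsHits>0</BadURLCharsHits>
            <BadCookieHitsCount>0</BadCookieHitsCount>
            <ResourceCacheCount>5</ResourceCacheCount>
            <UserSessionCacheCount>3</UserSessionCacheCount>
            <ResourceCacheMax>1000</ResourceCacheMax>
            <UserSessionCacheMax>1000</UserSessionCacheMax>
        </SmComponent>
    </Host>
</SMMON:ComponentData>"""


def parse_component_data(xml_text: str) -> List[Dict[str, object]]:
    """One record per SmComponent: host, agent name, parsed Info field, numeric counters.
    ComponentRegistered messages carry no counters and yield an empty list."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ComponentData" % SMMON_NS:
        return []
    records: List[Dict[str, object]] = []
    for host in root.findall("Host"):          # Host/SmComponent are not namespaced
        for comp in host.findall("SmComponent"):
            info_text = comp.findtext("Info") or ""
            counters: Dict[str, int] = {}
            for child in comp:
                text = (child.text or "").strip()
                if child.tag not in ("Name", "Info") and text.lstrip("-").isdigit():
                    counters[child.tag] = int(text)
            records.append({
                "host": host.get("HostId"),
                "comp_path": comp.get("CompPath"),
                "version": comp.get("Version"),
                "name": comp.findtext("Name"),
                "info": dict(kv.split("=", 1) for kv in info_text.split(",") if "=" in kv),
                "counters": counters,
            })
    return records


def _ratio(hits: int, misses: int) -> Optional[float]:
    total = hits + misses
    return round(hits / total, 4) if total else None


def _fill_pct(count: int, maximum: int) -> Optional[float]:
    return round(100.0 * count / maximum, 2) if maximum else None


def cache_summary(c: Dict[str, int]) -> Dict[str, object]:
    """Derived figures from one agent's counters."""
    return {
        "resource_cache_hit_ratio": _ratio(c.get("ResourceCacheHits", 0), c.get("ResourceCacheMisses", 0)),
        "session_cache_hit_ratio": _ratio(c.get("UserSessionCacheHits", 0), c.get("UserSessionCacheMisses", 0)),
        "resource_cache_fill_pct": _fill_pct(c.get("ResourceCacheCount", 0), c.get("ResourceCacheMax", 0)),
        "session_cache_fill_pct": _fill_pct(c.get("UserSessionCacheCount", 0), c.get("UserSessionCacheMax", 0)),
        "login_failure_ratio": _ratio(c.get("LoginFailures", 0), c.get("LoginCount", 0)),
        # Input-validation counters: a non-zero sum here deserves a look by the security team.
        "attack_indicator_hits": c.get("CrosssiteScriptHits", 0) + c.get("BadURLCharsHits", 0)
                                 + c.get("BadCookieHitsCount", 0),
    }


if __name__ == "__main__":
    for rec in parse_component_data(SAMPLE_COMPONENT_DATA):
        print(rec["host"], rec["name"], rec["info"].get("Platform"))
        print(cache_summary(rec["counters"]))
```

Because the agent sends a fresh report every 30 seconds, feeding each captured message through this parser and keying the result on (HostId, Name) gives a time series per agent, which is the closest you get to OneView data without deploying it.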

 

Additional Information:

- This is part of the Web Agent core feature set, so all regular Web Agents generate and send this SMMON data to the Policy Server regardless of platform or version.

 

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1479852.aspx

I like listening to music.

I walk to office and back home listening to music.

Mainly KPOP and POP.

IMG_20160104_142024.jpg

Above is my current mobile setup. I have FIIO X5 2nd Edition DAP + FIIO L17 cable + FIIO E18 AMP + Custom OFC cable for IE80 + Sennheiser IE80.

FIIO L17 did bring out more details and so did the OFC cables.

music.jpg

Above is without(before) custom cables.

music2.jpg

Above is a photo of my Samsung Galaxy Note 3(in UAG casing) connected to FIIO E18 via OTG cable.

 

athm50.jpg

Above is a picture of my AudioTechnica ATH-M50 headphones, from which I removed the cable and which I customized with a removable cable.

I cut the original cable and, as you can see, the original plug is still there. On the other end of the cable I put a connector which matches the female connector I attached to the headphone.

No change in the sound signature.

I used to use this ATH-M50 on the road but as I am wearing specs it is not as convenient as the IEMs.

But sound-wise and sound stage, this is way better.