Symantec Access Management

  • 1.  Certificate Authentication - Help

    Posted Mar 06, 2013 11:41 AM
    Hello All,
    I am trying to implement Cert + HTML form authentication for an application, but I would like to get Certificate authentication before adding a second factor to it. If anyone has implemented it already, please share your knowledge.

    I have created an authentication scheme with the X.509 template with target /siteminderagent/cert/smgetcred.scc. I have created a certificate mapping
    dc=com,dc=company,dc=global,dc=North America,cn=CompanyIssuingCA, LDAP and cn as Single Attribute. I did a 'Test' which takes me to the next screen with Directory Info and Mapping Info. There is no info in the Certificate Map test area; I'm not sure if there should be something.

    From the client side, I am using IE 8; there are 3 client certificates in my personal store which are for 3 different applications (templates), issued by dc=com,dc=company,dc=global,dc=North America,cn=CompanyIssuingCA. The purpose of these certificates is 'client authentication'.

    Created a realm and domain with the new cert auth scheme. When I access the resource, the Webagent trace says:

    [03/06/2013][10:37:28][26838][2950637312][0000000000000000000000008680980a-68d6-513770c8-afdf2700-30b124f26546][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
    [03/06/2013][10:37:28][26838][2950637312][0000000000000000000000008680980a-68d6-513770c8-afdf2700-30b124f26546][SmScc::getCredentials][Failed to get the certificate credentials.]
    [03/06/2013][10:37:28][26838][2950637312][0000000000000000000000008680980a-68d6-513770c8-afdf2700-30b124f26546][ProcessAdvancedAuthentication][CredentialManager returned SmExit, end new request.]

    smps.log: Cert authentication initialized.
    Smtrace: Nothing.

    How do we trace that my browser is actually presenting the certificate to Webagent? Can I use the client certificates that are created for other purposes, with SiteMinder?

    Any help/insights on how to proceed are appreciated.


  • 2.  RE: Certificate Authentication - Help

    Posted Mar 06, 2013 02:52 PM
    Got a 403 error in the Apache logs. Is there a way to get sub-status error codes in Apache, like 403.11, 403.17, etc.?

    I have an error message in apache access.log:

    x.x.x.71 - - [06/Mar/2013:11:41:57 -0600] "GET /siteminderagent/cert/1362591717/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Authentication%20[11%3a41%3a57%3a4460]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=wsd1&TARGET=-SM-https%3a%2f%2comp--ux--wsd1%2ena%2ecomp%2ecomp%2ecom%2fcertificate%2ehtml HTTP/1.1" 403 17 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" (-)


  • 3.  RE: Certificate Authentication - Help

    Broadcom Employee
    Posted Mar 06, 2013 02:57 PM
    Good Afternoon SamWalker,

    As I am sure you are aware, a 403 error is a forbidden HTTP status code. I do not know if Apache can provide sub codes or not. You may want to check out some Apache support web sites for that.

    However, seeing as you are getting the error on a:
    GET /siteminderagent/cert/1362591717/smgetcred.scc?

    I would think this would mean you are trying to access a SiteMinder protected page and getting the 403 error.

    In your ACO, do you have /siteminderagent as part of your ignore query ACO parameter?

    Generally speaking all forms of Authentication and agent functions that happen under /siteminderagent must be unprotected so that they can function properly.

    Are you seeing anything in the web agent logs or trace logs?

    Hope this helps,

    Gene


  • 4.  RE: Certificate Authentication - Help

    Posted Mar 06, 2013 05:23 PM
    Hi Gene, thanks for stepping in again.

    I just noticed that I'm being redirected to /siteminderagent/cert/1362591717/smgetcred.scc while my authentication scheme is https://webserver/siteminderagent/cert/smgetcred.scc?cert.

    Where is this '1362591717' coming from?

    .scc is unprotected with my ACO.


    And I confirmed from XPSExplorer that the auth scheme is actually stored as https://webserver/siteminderagent/cert/smgetcred.scc?cert. So something else is rewriting this. Not Apache for sure, as I created another auth scheme on an IIS server which serves IWA. I still get the same error, and no 403 sub-status codes on IIS either.


    Agent.log shows:
    [CSmHttpPlugin.cpp:7223][ERROR] Credential Collector error. Exiting with HTTP 500 server error '00-0011'.
    [820/3739133696][Wed Mar 06 2013 16:32:24][CSmHttpPlugin.cpp:7223][ERROR] Credential Collector error. Exiting with HTTP 500 server error '00-0011'.
    [821/3917461248][Wed Mar 06 2013 16:32:34][CSmHttpPlugin.cpp:7223][ERROR] Credential Collector error. Exiting with HTTP 500 server error '00-0011'.


    Agenttrace:
    [03/06/2013][16:19:52][820][3917461248][0000000000000000000000008680980a-0334-5137c108-e97fb700-703f2f26acd0][CSmHttpCredCore::DoSSLChallenge][Executing SSL challenge.]
    [03/06/2013][16:19:52][820][3917461248][0000000000000000000000008680980a-0334-5137c108-e97fb700-703f2f26acd0][CSmHttpCredCore::DoSSLChallenge][Redirecting to credential collector 'https://webserver/siteminderagent/cert/1362608392/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Authentication%20[16%3a19%3a52%3a140445430586165]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=agentname&TARGET=-SM-https%3a%2f%2fbga--ux--agentname%2enorthamerica%2edir%2ecompany%2ecom%2fcertificate%2ehtml'.]
    [03/06/2013][16:19:52][820][3917461248][0000000000000000000000008680980a-0334-5137c108-e97fb700-703f2f26acd0][HandleCredCollectorChallenge][Redirecting for credentials 'https://webserver/siteminderagent/cert/1362608392/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Authentication%20[16%3a19%3a52%3a140445430586165]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=agentname&TARGET=-SM-https%3a%2f%2fxxx--ux--agentname%2enorthamerica%2edir%2ecompany%2ecom%2fcertificate%2ehtml'.]
    [03/06/2013][16:19:52][820][3917461248][0000000000000000000000008680980a-0334-5137c108-e97fb700-703f2f26acd0][ProcessRequest][Challenge Manager returned SmExit, end new request.]
    [03/06/2013][16:19:52][820][3917461248][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][ProcessRequest][Start new request.]
    [03/06/2013][16:19:52][821][3802072832][][CSmApache22WebFilterCtxt::SetP3PCompactPolicy][sP3PCompactPolicy: '']
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'webserver'.]
    [03/06/2013][16:19:52][821][3802072832][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][webserver]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved hostname: 'webserver'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved agentname: 'agentname'.]
    [03/06/2013][16:19:52][821][3802072832][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address 'x.x.x.x'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved URL: '/siteminderagent/cert/1362608392/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Authentication%20[16%3a19%3a52%3a140445430586165]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=agentname&TARGET=-SM-https%3a%2f%2fbga--ux--agentname%2enorthamerica%2edir%2ecompany%2ecom%2fcertificate%2ehtml'.]
    [03/06/2013][16:19:52][821][3802072832][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.company.com'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmSessionManager::EstablishSession][No plugins responded, returning SmNoAction.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][ProcessRequest][ProtectionManager returned SmNo, end new request.]
    [03/06/2013][16:19:52][821][3802072832][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][ProcessAdvancedAuthentication][Start new request.]
    [03/06/2013][16:19:52][821][3802072832][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address 'x.x.x.x'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.company.com'.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][IsResourceProtected][Resource is protected from cache.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][SmScc::getCredentials][Failed to get the certificate credentials.]
    [03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][ProcessAdvancedAuthentication][CredentialManager returned SmExit, end new request.]
    [03/06/2013][16:19:52][821][3802072832][][ReportHealthData][Accumulating HealthMonitorCtxt.]
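    The trace excerpts in this reply and in the opening post show the same sequence: the agent issues the SSL challenge and redirects to the credential collector, the collector URL is auto-authorized by the IgnoreExt filter, and then SmScc::getCredentials reports that no certificate credentials were obtained. The script below is an added example, not code from this thread or from the SiteMinder product. It parses lines in the seven-field bracketed trace format shown above, flags the getCredentials failure, and decodes the numeric path segment in the collector redirect. That segment is the Unix epoch time of the request: 1362608392 is 22:19:52 UTC on 6 March 2013, which matches the 16:19:52 local timestamp on the same trace lines at a -6 hour offset (and 1362591717 likewise matches the 11:41:57 -0600 access-log entry), so it changes on every challenge and is not a rewritten scheme URL. The sample lines are constructed from the thread's format with the hostnames simplified.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample in the seven-field format of the web agent trace log:
# [date][time][pid][tid][transaction id][function][message]
SAMPLE_TRACE = """\
[03/06/2013][16:19:52][820][3917461248][0000000000000000000000008680980a-0334-5137c108-e97fb700-703f2f26acd0][CSmHttpCredCore::DoSSLChallenge][Redirecting to credential collector 'https://webserver/siteminderagent/cert/1362608392/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Authentication%20[16%3a19%3a52%3a140445430586165]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=agentname&TARGET=-SM-https%3a%2f%2fwebserver%2fcertificate%2ehtml'.]
[03/06/2013][16:19:52][821][3802072832][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
[03/06/2013][16:19:52][821][3802072832][0000000000000000000000008680980a-0335-5137c108-e29f0700-7f5e6022637b][SmScc::getCredentials][Failed to get the certificate credentials.]
"""

COLLECTOR_URL_RE = re.compile(r"'(https?://[^']+)'")
EPOCH_SEGMENT_RE = re.compile(r"/siteminderagent/cert/(\d+)/")


def parse_trace_line(line):
    """Split one trace line into its seven bracketed fields; None if it is not one."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    # The message field may itself contain '[' and ']' (the REALM value does),
    # so split on '][' at most six times and keep the remainder as the message.
    parts = line[1:-1].split("][", 6)
    if len(parts) != 7:
        return None
    date, time_, pid, tid, txid, func, msg = parts
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
        "pid": pid, "tid": tid, "txid": txid, "func": func, "msg": msg,
    }


def collector_redirect(rec):
    """For a DoSSLChallenge record, return the collector URL, the numeric path
    segment decoded as a Unix timestamp, and the decoded query parameters."""
    if rec["func"] != "CSmHttpCredCore::DoSSLChallenge":
        return None
    m = COLLECTOR_URL_RE.search(rec["msg"])
    if m is None:
        return None
    url = m.group(1)
    seg = EPOCH_SEGMENT_RE.search(url)
    epoch = int(seg.group(1)) if seg else None
    query = {}
    if "?" in url:
        query = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
    offset = None
    if epoch is not None:
        # The trace timestamp is server-local time; the path segment is UTC epoch,
        # so their difference is the server's UTC offset if the segment is a timestamp.
        utc_naive = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
        offset = (rec["ts"] - utc_naive).total_seconds() / 3600
    return {"url": url, "epoch": epoch, "offset_hours": offset, "query": query}


def audit_trace(text):
    """Walk a trace excerpt and report collector redirects and certificate
    credential failures, keyed by transaction id so they can be correlated."""
    report = {"redirects": [], "failures": []}
    for line in text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        red = collector_redirect(rec)
        if red is not None:
            red["txid"] = rec["txid"]
            report["redirects"].append(red)
        if rec["func"] == "SmScc::getCredentials" and \
                "Failed to get the certificate credentials" in rec["msg"]:
            report["failures"].append({"txid": rec["txid"], "ts": rec["ts"].isoformat()})
    return report


if __name__ == "__main__":
    result = audit_trace(SAMPLE_TRACE)
    for r in result["redirects"]:
        when = datetime.fromtimestamp(r["epoch"], tz=timezone.utc)
        print(f"challenge {r['txid']}: collector segment {r['epoch']} = "
              f"{when:%Y-%m-%d %H:%M:%S} UTC (trace clock offset {r['offset_hours']:+.0f} h), "
              f"agent {r['query'].get('SMAGENTNAME')}")
    for f in result["failures"]:
        print(f"txn {f['txid']}: certificate credentials not obtained at {f['ts']}")
```

    A failure at getCredentials right after a successful redirect means the certificate never reached the agent at the collector, so the first thing to verify is the TLS layer on the web server serving /siteminderagent/cert (whether a client certificate was requested and accepted on that virtual host, and what the server logs for the handshake), before revisiting the certificate mapping on the policy server.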


  • 5.  RE: Certificate Authentication - Help

    Posted Mar 06, 2013 07:21 PM
    I think I made some progress. I added the following configuration to httpd.conf, and I am being redirected to /opt/netegrity/webagent/smgetcred.scc instead of /siteminderagent/cert/1362591717/smgetcred.scc; however, I am being blocked by Apache with the error:

    client denied by server configuration: /opt/netegrity/webagent/smgetcred.scc

    Updated httpd.conf with the following:

    AddHandler cgi-script .exe
    AddHandler smformsauth-handler .fcc
    AddHandler smsslformsauth-handler .sfcc
    AddHandler smadvancedauth-handler .scc
    AddHandler smcookieprovider-handler .ccc

    AliasMatch /siteminderagent/cert/[0-9]+/(.*) "/opt/netegrity/webagent/$1"
    <Directory "/opt/netegrity/webagent/$1">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>

    # Alias /siteminderagent/certoptional/ "/opt/netegrity/webagent/samples"
    # <Directory "/opt/netegrity/webagent/samples/">
    # Options Indexes
    # AllowOverride None
    # Order allow,deny
    # Allow from all
    # </Directory>

    Alias /siteminderagent/pwcgi/ "/opt/netegrity/webagent/pw/"
    <Directory "/opt/netegrity/webagent/pw/">
    Options Indexes MultiViews ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>

    Alias /siteminderagent/pw/ "/opt/netegrity/webagent/pw/"
    <Directory "/opt/netegrity/webagent/pw/">
    Options Indexes MultiViews ExecCGI
    AllowOverride None
    </Directory>

    Any thoughts? Anyone? thx.
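    "client denied by server configuration" is the message Apache 2.2 logs when its Order/Allow/Deny access control rejects a path, so the alias is now mapping the timestamped collector URL onto the web agent directory but that directory is not permitted. The reason is in the container posted above: `<Directory>` takes a literal filesystem path (shell-style wildcards only) and never receives the `$1` capture from AliasMatch, so `<Directory "/opt/netegrity/webagent/$1">` applies to a path that literally contains `$1` and the `Allow from all` never covers /opt/netegrity/webagent/smgetcred.scc. The trace in the earlier reply already shows the .scc request being auto-authorized by the agent's IgnoreExt filter, so this is an Apache access-control problem, not an agent one. The fragment below is an added example, not the poster's configuration or a vendor-supplied one; it assumes the same install path and Apache 2.2 syntax as the thread and names the real directory in the container. It also drops Indexes, since nothing under the agent directory should be listable.

```apache
# Added example (not from the thread): alias the per-request collector path
# /siteminderagent/cert/<epoch>/smgetcred.scc onto the web agent directory,
# then grant access to the real directory rather than to a literal "$1".
AliasMatch ^/siteminderagent/cert/[0-9]+/(.*)$ "/opt/netegrity/webagent/$1"

<Directory "/opt/netegrity/webagent">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

    The smadvancedauth-handler mapping for .scc stays in the global AddHandler lines already present in the posted httpd.conf, so it does not need repeating inside the container. After the change, the access log should show the collector request leaving with something other than a 403, and any remaining failure moves back to the agent trace.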


  • 6.  Re: Certificate Authentication - Help

    Posted Nov 26, 2018 04:06 PM

    Hi SamWalker, any chance you resolved this 403 error? I am also getting the same error for my X509 cert Auth Scheme. Thanks