Symantec Access Management

  • 1.  Office Hours for CA SiteMinder on Thursday, February 20 @ 11 AM ET

     
    Posted Jan 28, 2014 08:30 PM

    Have a question about CA SiteMinder? Connect with CA Technologies technical experts to get answers via Office Hours for SiteMinder. Our team is here to help you get more out of your technology. Join us for one hour on Thursday, February 20th @ 11 AM ET. 

    Some sample topics: 
    • Your pain points
    • Product documentation 
    • Questions on functionality

    Check out my Blog Post for more information on Office Hours!  Put Down That Smartphone Game, and Come Join Us For Office Hours

    Please DO NOT discuss support cases – You will need to open a ticket instead. Also, this is not a forum to discuss support of customizations.

    Click HERE to register, add to calendar and join the day of.

    *Please note that there is no audio. This is for you to submit your questions only and our experts will respond using WebEx.  Also all participants should consider the implications of any answer provided.  Many products are highly configurable and can be tailored to different use cases.  An answer for one implementation could be a problem for another.



  • 2.  RE: Office Hours for CA SiteMinder on Thursday, February 20 @ 11 AM ET

     
    Posted Feb 19, 2014 11:18 AM

    Just a reminder to join us tomorrow!



  • 3.  RE: Office Hours for CA SiteMinder on Thursday, February 20 @ 11 AM ET

     
    Posted Feb 21, 2014 12:30 PM

    Did you miss the latest SiteMinder Office Hours? Check out the conversation below!

    Roger Myers to Everyone:           In SiteMinder 12.51, when we create a custom table in OneView Monitor that includes the 'Details' field, we find that the table gets populated with the 'Info' field instead.  How can we get the 'Details' field to be included in a table?  The 'Info' field displays nothing. (Incidentally, neither of these fields is described in the documentation).

                    Aaron Berman (CA) to Everyone:              @Roger - we are looking at 1 thing right now, we will get right back to you

                    Roger Myers to Everyone:           @Aaron, thanks

                    Challa Ramakanth (CA) to Everyone:       @Roger, For the OneView Monitor issue, I think what you mention as the use case looks like a bug so please open a support ticket with the details of the issue so we can troubleshoot and perhaps get it to SE to fix it.

                    Roger Myers to Everyone:           @Challa, okay thanks.

                    Aaron Berman (CA) to Everyone:              @Roger - since you are looking at the SiteMinder Monitor data - and i agree we should be able to do the custom table but have you looked at either the Wily for SiteMinder to collect monitor data or the IdentityLogix Spylogix tool for gathering performance and audit data?

                    Roger Myers to Everyone:           @Mike, we have some customers that use Wily and Nimsoft, so we may look at integrating those with SiteMinder later.  Our immediate concern though, was the OneView Monitor which, of course, comes with SiteMinder out-of-the-box :)

     

    Aaron Berman (CA) to Everyone:              Anyone Else?  we have multiple people on and can handle multiple questions

                    Roger Myers to Everyone:           I got another question..

     

    Roger Myers to Everyone:           Is it possible to "XPSExport" Named Expressions from a SiteMinder 12.0 SP3 policy store?  My colleagues have reported difficulties doing this; it just doesn't seem to work.  Are there any special considerations when doing an "XPSExport" of Named Expressions?

                    Challa Ramakanth (CA) to Everyone:       @Roger, for the XPSExport issue, you should be able to export named expressions from applications like you do specific objects and domains in the regular domain, rule, realm etc. But, you will have issues before 12.51 if you have non-ASCII characters in the named expressions. So, if you are at 12.51 and still face an issue, then open a support ticket and we should be able to look at them.

                    Roger Myers to Everyone:           @Challa, my colleague is experiencing trouble exporting Named Expressions from a SiteMinder 12.0 SP3 policy store. I don't believe any of the Named Expressions have non-ASCII characters.   The Named Expressions are used by EPM Application policies, I don't know if that matters at all?

                    Challa Ramakanth (CA) to Everyone:       @Roger, For the named expression export issue, please open a support ticket with the exact commands you are using along with the export of your store. We can certainly quickly reproduce this issue in house and see where is the issue you are facing.

                    Roger Myers to Everyone:           @Challa, okay thanks.

     

    Tony Pham to Everyone:              i read through the info on the Device DNA.  it's my understanding that in order to use the feature, you need to have the reverse proxy, is this a must ?

                    Aaron Berman (CA) to Everyone:              @Tony the SPS has the module to collect the Device DNA, however you do not need to run in a reverse proxy mode.  This was done to avoid another "web agent option pack"

                    Tony Pham to Everyone:              @Aaron, so i need SPS to implement this feature correct ?

                    Aaron Berman (CA) to Everyone:              @Tony yes, SPS is really becoming much more than a proxy server.. it is our application engine for SiteMinder.  Not only do we use it for Session Assurance, but also we use it for REST web services, and Federation as well.

     

                    Aaron Berman (CA) to Everyone:              @tony Also i have become more willing to use multiple SiteMinder security modules - one for security and another for app integration.   I can see some circumstances where you start with a SPS in front of an app, have that SPS create the OFC then have the app read the OFC data instead of doing standard SiteMinder headers.... Sort of like how we are using SAML in some cases these days

     

    Joshua Coffman to Everyone:    Is there any plan to support the ability to do AZ against attributes in an assertion? We want to be able to authorize on the SP side against dynamic attributes in an assertion.

                    Joshua Coffman to Everyone:    It would be nice to be able to "persist attributes" in the session store, and then write AZ policies against them.

                    Manjari Gangwar-Warty(CA) to Everyone:           @Josh Could you please submit this AZ through SAML attributes use case as an idea on the Ideation site. We discussed it with CA teams here and we suggest it as an enhancement.

                    Joshua Coffman to Everyone:    @Manjari - Will Do! Thanks!

                    Shawn Sprague (CA) to Everyone:            @Josh, We are actively looking at ways to provide better analysis of XPS and as a result overall improvements to the tool.  If you have ideas you would like us to consider please open one in the Ideas section of the CA Security Global User Community  https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/welcome

     

    Alfredo  Villagomez to Everyone:              does anybody know if we can use the SMPolicyReader to identify orphan objects? for example if we have a policy tied to a web agent that either one doesn't exist anymore. Any ideas?

                    Alfredo  Villagomez to Everyone:              my question was related to siteminder

                    Challa Ramakanth (CA) to Everyone:       @Alfredo, I think the current version of SMPolicyReader does not help identify orphans. There is a future version coming which may have it. The only way would be to run an XPSSweeper and to see if you can find any and then use XPSExplorer to fix those orphans.

     

    Mike Butler to Everyone:             @Aaron, good meeting you the other day.  I'm interested in using the applet admin gui instead of the new web UI.  Didn't realize that was an option in R12!  Can the applet be hosted from the management server, or does it have to be hosted from a policy server?  (We don't currently have a web server active on the policy servers.)

                    Aaron Berman (CA) to Everyone:              @Mike, always nice to meet up.   the applet really has to be hosted on a Policy Server.  What some accounts have done is to create a separate "management" Policy server to run the applet on. 

     

    vikram to Everyone:       can you give us a brief on what session assurance is. Do we need auth/riskminder for utilizing this feature?

                    Aaron Berman (CA) to Everyone:              @vikram, essentially the problem is to avoid session hijacking - when someone steals a siteminder session cookie and then attempts to relay it.  It uses technology from RiskMinder (DeviceDNA) but you do not need to license or install RiskMinder separately.. all the bits are part of the SM 12.52 and the SPS install package.  We did a webinar about this yesterday.  It was recorded and available at https://www.brighttalk.com/webcast/7845/101285

     

    Tony Pham to Everyone:              has anyone here implemented agentless integration?  if yes, can you provide the top 5 items that need to watch out for?

                    Aaron Berman (CA) to Everyone:              @Tony, I think you are referring to the Open format cookie... the primary thing to be careful of is that you want to use standard hygiene with cookie, limit the scope, only put the data in there that you want, and i would advise setting a proper (strong) encryption key

                    Aaron Berman (CA) to Everyone:              @tony remember there are no "timeouts" with that cookie so the longer it is around the higher chance someone may crack the encryption

                    Tony Pham to Everyone:              @Aaron, right, the Open Format cookie.  ah, no "timeouts" info is good, didn't realize it, will look into this thx.  anyone else ???

                    Tony Pham to Everyone:              @Aaron, when i read through the OFC, i see it has some similar to OT if you know what i mean

                    Aaron Berman (CA) to Everyone:              @tony - Not entirely sure what you are referencing "OT" 

     

    Keats Kirsch to Everyone:             Is there any plan to make the XPS tools more user friendly?  They seem like a throwback to the mainframe era.  How about a UI?  Are there any better tools out there for managing policy stores?

                    Shawn Sprague (CA) to Everyone:            @Keats, We are actively looking at ways to provide better analysis of XPS and as a result overall improvements to the tool.  If you have ideas you would like us to consider please open one in the Ideas section of the CA Security Global User Community

                    Joshua Coffman to Everyone:    To build on @Keats Kirsch question: Is a full set of documentation coming on the XPStools? There are so many options and objects in the XPStools that it would be nice to have more detailed documents on the XPS structure and the tools used to support it.

                    Aaron Berman (CA) to Everyone:              @keats / @ shawn the URL Shawn referenced is at https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/welcome

                    Tony Pham to Everyone:              @Keats, there is at least one company out there that i'm aware of that create some SM tools

                    Tony Pham to Everyone:              @Keats & Josh, i view XPSExplorer is another LDAP client (since i store my policy data in LDAP), however, it has the intelligence to pull in other information such as OID about the object.  the plus feature is using this tool, i would have a consistent OID if i decide to export/import the policy data.   in general, the first export/import would have the following objects in the xcart:   Web Agent, Web Agent group, ACO, AuthScheme, and Policy Domain.   thereafter, only Policy Domain is needed.

                    Tony Pham to Everyone:              @Keats & Josh, most of the time, i would use overlay option.  replace is if i make a lot of changes to the policy domain such as added/remove realms, update descriptions field, update responses

                    Joshua Coffman to Everyone:    @Tony, we use XPS for all of our migrations through dev, test, UAT, and prod too. All auth schemes and directories through all four environments share common OIDs, so that exports and imports between the environments are pretty seamless. I can just see that there are so many options in xpsexplorer, xpssecurity, and xpsconfig that are undocumented. I feel that there is a lot that can be done to improve the documentation of these "very low level" tools, that can be of benefit to power users. That being said, it sounds like we just need to ask for that on the enhancement request site.

     

    Alfredo  Villagomez to Everyone:              does anybody have an opinion of OneViewMonitor in the new version of siteminder v12.52? is it good or not so good to implement?

                    Challa Ramakanth (CA) to Everyone:       @Alfredo, 12.52 has no changes in OneViewMonitor since the previous versions of SiteMinder.

     

    Alan Lankin to Everyone:              It would be nice to have more examples of XPSExplorer commands

                    Manjari Gangwar-Warty(CA) to Everyone:           @Alan I am sharing at least one example on XPSExplorer here and then can start a thread on user community for more as getting started on this.

     

    Roger Myers to Everyone:           Do you know when a SiteMinder 12.51 web agent will be available for IIS8/Windows 2012?  The current support matrix only lists IIS 7.0/7.5.  Also, some of our customers are now using Nginx, are there any plans to create an agent for this web server?

                    Shawn Sprague (CA) to Everyone:            @Roger you can use current 12.5 cr3, which has support for this.  We will also be releasing in upcoming 12.51 cr2 which should be out shortly. As for the Nginx agent there are currently no plans at this time to create an agent for this.  I would open this up as a request on the  Ideas section of the CA Security Global User Community  https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/welcome

                    Roger Myers to Everyone:           @Shawn, thanks that's great.

     

    Alfredo  Villagomez to Everyone:              Did anybody do a parallel upgrade of siteminder v6.x to the new one v12.52? What are the 5 top things to watch out for? Or your recommendations?

                    Tony Pham to Everyone:              @Alfredo, do you have common kstore/pstore w/ your 6.x or separate ?

                    Challa Ramakanth (CA) to Everyone:       @Alfredo, Always get your export from a 6.x store and see if you can import into a dummy 12.52 or 12.51 policy server and generate an XPSExport out of it. You can then run it through an import validation tool on a 12.51 PS or above to find out inconsistencies and/or corruptions of your policy store. You can then clean them up so your upgrade goes fine. The reason I said import into a dummy 12.51 or 12.52 is because the validation tool only takes .XML files as an input and not an SMDIF.

                    Alfredo  Villagomez to Everyone:              @Tony we have a common p/store

                    Tony Pham to Everyone:              1. have new pstore for 12.x.   2. share keystore, 3. continue to have 6.x do key rotation, and ensure keys are replicated out. 4. to ensure continuous SSO have the same user directory object name in 6.x & 12.52

     

    Roger Myers to Everyone:           Any plans to upgrade SNMP support to v3?

                    Shawn Sprague (CA) to Everyone:            @Roger, Yes this is something we have in our backlog of items for 3rd party support. 

                    Roger Myers to Everyone:           @Shawn, thanks.

     

    Keats Kirsch to Everyone:             Can CA publish information on making the apache agent work under SELinux?

                    Aaron Berman (CA) to Everyone:              @Keats  - what we have done with Linux is to say that we do our QA work on RHEL, but then we will use a best level of effort to support other Linux Variants.  I don't know offhand how different SELinux is from RHEL.