Julien_Nitot

Tech Tip - CA Single Sign-On : How to to protect web resources on an webserver only in an specific ip:port

Discussion created by Julien_Nitot Employee on Jul 1, 2015

CA Single Sign-On Tech Tip by Julien Nitot, Support Engineer for July the 1st 2015

Problem:

 

How to to protect web resources on a webserver only in an specific ip:port, the rest of request commig to a different IPs we need not be protected.

With a standard configuration of an agent that protected all the resources in all the IP and ports of the server (apache Web Server).

How we can limit the protection to an specific IP?

 

Solution:

 

you can define an agentname in ACO and map the agentname to ip:port and use this agentname in the domain/realm definition for protection.
You can then define a defaultagent name and do not associated it to any domain/realm. It will be unprotected by default.

 

AgentName


Defines the identity of the web agent. This identity links the name and the IP address or FQDN of each web server instance hosting an Agent.

The value of the DefaultAgentName is used instead of the AgentName parameter if any of the following events occur:

The AgentName parameter is disabled.
The value of AgentName parameter is empty.
The values of the AgentName parameter do not match any existing agent object.
Note: This parameter can have more than one value. Use the multivalue option when setting this parameter in an Agent Configuration Object. For local configuration files, add each value to a separate line in the file.

 

Default: No default

Limit: Multiple values are allowed, but each AgentName parameter has a 4,000 character limit. Create additional AgentName parameters as needed by adding a character to the parameter name. For example, AgentName, AgentName1, AgentName2.

Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

Example: myagent1,192.168.0.0 (IPV4)

Example: myagent2, 2001:DB8::/32 (IPV6)

Example: myagent,www.example.com

Example (multiple AgentName parameters): AgentName1, AgentName2, AgentName3. The value of each AgentNamenumber parameter is limited to 4,000 characters.

 

DefaultAgentName


Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.

If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.

Important! If you do not specify a value for the DefaultAgentName parameter, then the value of the AgentName parameter requires every agent identity in its list. Otherwise, the Policy Server cannot tie policies to the agent.

 

Default: No default.

Limit: Use only one value.Multiple values are prohibited.

Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

Outcomes