Symantec Access Management


CA Siteminder: Basic auth howto

  • 1.  CA Siteminder: Basic auth howto

    Posted Jul 14, 2015 04:24 PM

    Good day,

    I am trying to use CA Siteminder to protect a site like www.example.com/app/..., where everything under app/ will be protected by basic forms-based auth.

    I created a domain object, a realm and associated a rule.

    When I go to /app I am prompted for credentials; when I provide the credentials from the user store they are not accepted and the authentication pop-up quickly returns.

    How are users added to the LDAP policy store?

    How might I find logs for the auth process?

    I am trying to identify users by uid, and have set up the user-directory object accordingly. It seems to work; I can use ldapsearch to find users from the command line.

    I can connect to my policy store and there is clearly an entry for a user, having a userPassword attribute.

    I'm using OpenLDAP as a policy store; the Web Agent is running on Apache 2.2.x.

    Thanks! All input is greatly appreciated.



  • 2.  Re: CA Siteminder: Basic auth howto

    Posted Jul 15, 2015 05:44 PM

    Is the user directory you are using set under the policies for your domain? If not, you may end up in a loop with the creds not finding a directory to authenticate the user against.



  • 3.  Re: CA Siteminder: Basic auth howto

    Posted Jul 15, 2015 06:11 PM

    A few things to check:

    1. Create the LDAP user directory in Siteminder. After the user directory object is created, try "View Contents" in the user directory and look up the user from there to confirm that a result is returned.

    2. Associate the user directory with the domain. Create a policy under this domain and associate the GET/POST rule with users from this user directory.

    3. Enable the Policy Server trace via SM Management Console >> Profiler tab. Tick the "Enable Profiling" checkbox and apply authentication_trace.template under Configure Settings. Check smtracedefault.log to follow the user authentication.

    References:

    User directory setup: CA SiteMinder® Integrated Documents 12.52 SP1

    Policy Setup: CA SiteMinder® Integrated Documents 12.52 SP1



  • 4.  Re: CA Siteminder: Basic auth howto

    Posted Jul 15, 2015 06:17 PM

    Hi,

    You described pretty well what you did when configuring the Policy Store (where the domain object, realm, rule, policies, etc. are stored). What about the User Store? Is it properly configured?

    If you believe all configurations are OK, you could use the Test Tool to help you with basic troubleshooting. Using the Test Tool, you can connect to an agent and check whether policies are working, issuing actions such as "Is Protected?", "Is Authenticated?" and "Is Authorized?".

    In the documentation you will find more info about the Test Tool:

    https://wiki.ca.com/display/sm1252sp1/Test+Tool

    Other topics which might interest you:

    Info about SSO (SiteMinder) components and stores:

    https://wiki.ca.com/display/sm1252sp1/Components+and+Stores

    How to configure OpenLDAP as a USER store:

    https://wiki.ca.com/display/sm1252sp1/Configure+OpenLDAP+Server+User+Directory+Connections

    How to configure OpenLDAP as a POLICY store:

    https://wiki.ca.com/display/sm1252sp1/How+to+Configure+OpenLDAP+as+a+Policy+Store

    Hope that helps.

    Best,

    Strutz.



  • 5.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 04:36 PM

    I'm working on a RHEL 6 system; is there any alternative to the smtest tool for Linux?



  • 6.  Re: CA Siteminder: Basic auth howto

    Broadcom Employee
    Posted Jul 17, 2015 03:03 AM

    Hi,

    Unfortunately, you need to run the smtest tool on Windows from a Windows installation. I guess you would be able to do similar things with a little custom SDK coding.

    Best Regards,

    Patrick



  • 7.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 09:44 AM

    My logs reveal that I get an Authentication accept and an Authorization rejection. How do I fix this?



  • 8.  Re: CA Siteminder: Basic auth howto

    Broadcom Employee
    Posted Jul 16, 2015 10:17 AM

    Hi,

    On the policy you have defined, have you selected your user and attached a rule to it?

    How did you configure the realm, rule and policy?

    Best Regards,

    Patrick



  • 9.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 12:33 PM

    I guess you should look through the rules, such as GET & POST, AuthAccept, etc., and the policy corresponding to each rule. I hope you have configured the user directory as desired.

    Also, in the policy you need to grant access to the user.

    If everything is in place, enable tracing on the Web Agent and the Policy Server to see what the issue is.

    Thanks,

    Ankush



  • 10.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 02:07 PM

    So at first I was just trying to use an application object; now I'm trying with a whole domain.

    I wish to protect a web service, website.com/app, with basic HTTP auth.

    I have an OpenLDAP policy store. The root DN is dc=company,dc=com, and there is an ou=People for users. The only user in ou=People has a uid attribute to identify him; objectClass inetOrgPerson.

    I made a user directory from this, and it seems to work correctly: I can view the contents and look up my user by uid.

    So I made a domain "appdomain" and associated my user directory with it. It has a realm "apprealm" with resource / and a rule for the Web Agent actions GET, POST and PUT. Also a policy that has users = All users.

    For some reason, when I look at the smaccess log, I see auth accept and az rejection, even when the realm has "process authorization events" unchecked.

    My user seems to be authenticated; how can I make sure they are authorized for /app?
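The "auth accept followed by az rejection" pattern the poster sees in the access log is easy to pick out mechanically. The script below is an added example, not CA/Symantec code: it scans bracket-delimited log lines for users whose authentication was accepted but whose authorization on the same resource was then rejected. The sample lines are constructed and keep only the event names used in this thread (AuthAccept, AzReject and friends); the field order is an assumption and a real smaccess.log carries more fields, so the parser locates the event, user DN and resource by content rather than by position.

```python
"""Scan access-log lines for users authenticated but then denied authorization.

Added example, not CA/Symantec code. SAMPLE_LOG is constructed: it mimics a
bracket-delimited access log with the event names seen in the thread, but
the field order is an assumption, so fields are identified by content.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(r"\[([^\]]*)\]")
EVENTS = {"AuthAttempt", "AuthAccept", "AuthReject", "AzAccept", "AzReject",
          "ValidateAccept", "ValidateReject"}

# Constructed sample: bob shows the symptom, alice is fine, carol fails authn.
SAMPLE_LOG = """\
[16/Jul/2015:14:02:07][AuthAccept][uid=bob,ou=People,dc=company,dc=com][www.example.com][/app/][GET]
[16/Jul/2015:14:02:07][AzReject][uid=bob,ou=People,dc=company,dc=com][www.example.com][/app/][GET]
[16/Jul/2015:14:03:11][AuthAccept][uid=alice,ou=People,dc=company,dc=com][www.example.com][/app/][GET]
[16/Jul/2015:14:03:11][AzAccept][uid=alice,ou=People,dc=company,dc=com][www.example.com][/app/][GET]
[16/Jul/2015:14:04:40][AuthReject][uid=carol,ou=People,dc=company,dc=com][www.example.com][/app/][GET]
this line is not a log record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'ts', 'event', 'user', 'resource'} or None if not a record."""
    fields = FIELD_RE.findall(line)
    event = next((f for f in fields if f in EVENTS), None)
    if not fields or event is None:
        return None
    user = next((f for f in fields if f.startswith(("uid=", "cn="))), "")
    resource = next((f for f in fields if f.startswith("/")), "")
    return {"ts": fields[0], "event": event, "user": user, "resource": resource}


def event_counts(text: str) -> Counter:
    """How many records of each event type the log contains."""
    return Counter(r["event"] for r in map(parse_line, text.splitlines()) if r)


def authn_ok_authz_rejected(text: str) -> List[Tuple[str, str]]:
    """(user, resource) pairs with an AuthAccept followed by an AzReject and
    no AzAccept: the signature of a policy that authenticates but never
    authorizes the Web Agent action."""
    timeline = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        timeline[(rec["user"], rec["resource"])].append(rec["event"])
    hits = []
    for key, events in timeline.items():
        if "AuthAccept" in events and "AzReject" in events and "AzAccept" not in events:
            if events.index("AuthAccept") < events.index("AzReject"):
                hits.append(key)
    return hits


if __name__ == "__main__":
    print(dict(event_counts(SAMPLE_LOG)))
    for user, resource in authn_ok_authz_rejected(SAMPLE_LOG):
        print(f"authenticated but not authorized: {user} on {resource}")
```

Feed it the real file with `authn_ok_authz_rejected(open("smaccess.log").read())` once you have confirmed that the user and resource fields are recognised on a few of your own lines; if your log puts the user in a different shape, adjust the `startswith` heuristics in `parse_line`.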



  • 11.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 11:57 PM

    Define the rule resource as *. Then ensure that both Process Authorization Events and Process Authentication Events are checked. Submit the changes and flush the cache from the WAM UI.

    Re-test the login and check the Policy Server trace to see whether a policy is identified for the authorization request.

    Best regards,

    Kelly



  • 12.  Re: CA Siteminder: Basic auth howto

    Posted Jul 16, 2015 10:22 PM

    Is there any authorization rule and policy in place for that realm and domain? If not, create them and try again.

     

    Thanks,

    Ankush



  • 13.  Re: CA Siteminder: Basic auth howto

    Posted Jul 17, 2015 11:01 AM

    Thank you all for the advice; my policy only contained an auth rule and no az rule...
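The root cause the poster found (a policy binding only an authentication-event rule) and the three Test Tool checks mentioned earlier (Is Protected?, Is Authenticated?, Is Authorized?) can be played through in a few lines. The model below is an added illustration, not CA/Symantec code and not the product's real evaluation algorithm: it keeps just enough of the domain / realm / rule / policy shape to show why a user can pass authentication and still be rejected at authorization, and how adding the GET/POST rule to the policy fixes it. All names, the realm filter and the credentials are constructed.

```python
"""Toy model of SiteMinder-style domain/realm/rule/policy evaluation.

Added illustration, not CA/Symantec code and not the product's real
algorithm. It reproduces only the shape of the problem in this thread: a
policy that binds an authentication-event rule but no Web Agent action rule
yields an accepted authentication followed by an authorization rejection on
a GET. Every name and credential below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Event actions fire responses; they never grant a Web Agent action like GET.
EVENT_ACTIONS = frozenset({"OnAuthAccept", "OnAuthReject", "OnAuthAttempt",
                           "OnAccessAccept", "OnAccessReject"})


@dataclass(frozen=True)
class Rule:
    name: str
    realm: str              # realm the rule lives in
    resource: str           # relative to the realm filter; "*" matches everything
    actions: FrozenSet[str]


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    users: str = "ALL"      # "ALL" or one uid (constructed simplification)


@dataclass
class Realm:
    name: str
    resource_filter: str    # e.g. "/app/"
    protected: bool = True


@dataclass
class Domain:
    user_directory: Dict[str, str]     # uid -> password, stand-in for OpenLDAP
    realms: Dict[str, Realm]
    policies: List[Policy] = field(default_factory=list)


def is_protected(domain: Domain, url: str) -> Optional[str]:
    """Name of the protected realm covering url (longest filter wins), else None."""
    matches = [r for r in domain.realms.values()
               if r.protected and url.startswith(r.resource_filter)]
    if not matches:
        return None
    return max(matches, key=lambda r: len(r.resource_filter)).name


def is_authenticated(domain: Domain, uid: str, password: str) -> bool:
    """Credential check against the domain's user directory."""
    return domain.user_directory.get(uid) == password


def is_authorized(domain: Domain, uid: str, url: str, action: str) -> bool:
    """True only if a policy for uid binds a rule whose actions include the
    Web Agent action; event-only rules can never satisfy this."""
    realm_name = is_protected(domain, url)
    if realm_name is None:
        return True                    # unprotected: nothing to authorize
    remainder = url[len(domain.realms[realm_name].resource_filter):]
    for policy in domain.policies:
        if policy.users not in ("ALL", uid):
            continue
        for rule in policy.rules:
            if rule.realm != realm_name or action not in rule.actions:
                continue
            if rule.resource == "*" or remainder.startswith(rule.resource):
                return True
    return False


def event_only_policies(domain: Domain, realm_name: str) -> List[str]:
    """Policies that touch realm_name but bind only event rules: they let a
    user authenticate and then reject every GET/POST, the symptom in the thread."""
    found = []
    for policy in domain.policies:
        realm_rules = [r for r in policy.rules if r.realm == realm_name]
        if realm_rules and all(r.actions <= EVENT_ACTIONS for r in realm_rules):
            found.append(policy.name)
    return found


USERS = {"bob": "secret"}              # constructed user store
REALM = Realm("apprealm", "/app/")
AUTH_EVENT_RULE = Rule("OnAuthAcceptRule", "apprealm", "*", frozenset({"OnAuthAccept"}))
WEB_RULE = Rule("GetPostRule", "apprealm", "*", frozenset({"GET", "POST"}))

# As in the thread: the policy bound only the authentication-event rule.
BROKEN = Domain(USERS, {"apprealm": REALM}, [Policy("apppolicy", [AUTH_EVENT_RULE])])
# The fix: bind the GET/POST rule in the same policy.
FIXED = Domain(USERS, {"apprealm": REALM}, [Policy("apppolicy", [AUTH_EVENT_RULE, WEB_RULE])])

if __name__ == "__main__":
    for label, dom in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "protected:", is_protected(dom, "/app/index.html"),
              "authn:", is_authenticated(dom, "bob", "secret"),
              "authz GET:", is_authorized(dom, "bob", "/app/index.html", "GET"),
              "event-only policies:", event_only_policies(dom, "apprealm"))
```

`event_only_policies` is the check worth keeping: run it (or its equivalent against your own policy export) whenever a realm logs AuthAccept followed by AzReject, before reaching for the trace template.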



  • 14.  Re: CA Siteminder: Basic auth howto

    Posted Jul 20, 2015 09:02 AM

    Just an FYI:

    If setting headers is attached to Authentication, you only have headers set at that time. If someone uses Tamper Data or something similar, it is easy to play with them and sometimes assume another identity in anything you integrate with.

    If you switch to Authorization, you now set them on all authorizations, which is likely a bit more secure and has a little more overhead, but for most things it is not going to be noticeable.

    Finally, you can tie them to a GET/POST rule (and other actions). This will reset them on the way in on EVERY access. Yes, it's the most overhead, but it's also the most secure. If your app isn't so sensitive that this cannot be done, I would suggest it. Also, you can then drop to one rule, as this will function for both Authentication and Authorization.
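The reasoning in the post above (headers set on the authentication event can be forged on later requests, headers set on the GET/POST rule cannot) is shown below as an added example. It is a deliberately small model of that reasoning, not the real Web Agent's implementation: the SM_USER header name, the `sess-<uid>` cookie scheme, the authorization cache and the trusting backend are all constructed stand-ins, and whether a given agent version strips a client-supplied copy of a response header is something to test on your own deployment rather than assume from this model.

```python
"""Where the agent sets identity headers decides whether a client can forge them.

Added example: a small model of the reasoning in the post above (set headers
on the authentication event, on the authorization event, or on the GET/POST
rule), not the real Web Agent's implementation. SM_USER, the session cookie
scheme, the authorization cache and the backend are constructed stand-ins.
"""
import base64
from typing import Dict, Optional, Set, Tuple

USER_DIRECTORY = {"bob": "secret"}               # constructed user store
SESSIONS: Dict[str, str] = {}                    # cookie value -> uid
AZ_CACHE: Set[Tuple[str, str]] = set()           # (uid, resource) decisions cached
IDENTITY_HEADER = "SM_USER"
MODES = ("auth_event", "az_event", "every_access")


class Agent:
    """Authenticates, authorizes, and forwards headers to the backend."""

    def __init__(self, set_headers_on: str):
        if set_headers_on not in MODES:
            raise ValueError(f"unknown mode {set_headers_on!r}")
        self.mode = set_headers_on

    def handle(self, headers: Dict[str, str], resource: str) -> Optional[Dict[str, str]]:
        """Return the headers the backend will see, or None when access is denied.

        In this model client headers pass through untouched unless the agent
        fires its response on this request; that pass-through is the point.
        """
        forwarded = dict(headers)
        uid: Optional[str] = None
        auth_event = False
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            name, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            if USER_DIRECTORY.get(name) == password:
                uid, auth_event = name, True       # authentication event fires
                SESSIONS[f"sess-{name}"] = name    # constructed session cookie
        if uid is None:
            uid = SESSIONS.get(headers.get("Cookie", ""))
        if uid is None:
            return None                            # would be a 401 challenge
        # A cached authorization decision fires no authorization event.
        az_event = (uid, resource) not in AZ_CACHE
        AZ_CACHE.add((uid, resource))
        fire = {"auth_event": auth_event,
                "az_event": az_event,
                "every_access": True}[self.mode]
        if fire:
            forwarded[IDENTITY_HEADER] = uid       # from the session, overwriting any client copy
        return forwarded


def backend_identity(headers: Dict[str, str]) -> Optional[str]:
    """A downstream app that trusts the identity header, as integrations often do."""
    return headers.get(IDENTITY_HEADER)


def spoof_attempt(mode: str, resource: str = "/app/") -> Optional[str]:
    """Log in as bob on /app/, then replay the session cookie to `resource`
    with a forged SM_USER. Returns the identity the backend believes."""
    SESSIONS.clear()
    AZ_CACHE.clear()
    agent = Agent(mode)
    login = {"Authorization": "Basic " + base64.b64encode(b"bob:secret").decode()}
    if backend_identity(agent.handle(login, "/app/")) != "bob":
        raise RuntimeError("login should set the header in every mode")
    forged = {"Cookie": "sess-bob", IDENTITY_HEADER: "admin"}
    return backend_identity(agent.handle(forged, resource))


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:13s} same resource -> {spoof_attempt(mode)!s:6s} "
              f"new resource -> {spoof_attempt(mode, '/app/other')}")
```

The middle mode is the interesting one: it only holds up on a resource whose authorization decision is not already cached, which is why the post calls it "likely a bit more secure" rather than safe. Setting the header on the GET/POST rule is the only mode in which the forged value never reaches the backend.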