Symantec Access Management

  • 1.  Queries related to SiteMinder security?

    Posted Sep 17, 2017 08:53 AM

    Hello Experts,

     

    Can you help me to understand the below queries?

     

    What is the purpose of CryptoProvider in SiteMinder?

     

    In a form-based auth scheme, where the post goes to login.fcc, can the credentials be captured by a man-in-the-middle attack? I am trying to understand, on a client machine, how securely the credentials can be posted to login.fcc. I am aware that the SSL/TLS connection is there and a man-in-the-middle attack can be prevented. But on the client side, in the "form posting", can the credentials be captured?

     

    How effectively can SiteMinder be used to secure web applications? I am aware that CSS checks and bad-character checks are there. Can we list out the ACO parameters that support enhancing web app security?

     




  • 2.  Re: Queries related to SiteMinder security?
    Best Answer

    Posted Sep 18, 2017 04:55 AM

    Hi,

    As for the crypto used by SiteMinder, and in particular in the web agent, where the credentials are collected: the default configuration is BSAFE.

    In this way, for example in a federation transaction, the RSA BSAFE library contains fixes against the following SSL and TLS communications vulnerabilities:

     

    There are also many Java components within CA Single Sign-On that use the BSAFE crypto.jar from RSA Security, including CA Secure Gateway.

     

    Cheers,

    Pasquale



  • 3.  Re: Queries related to SiteMinder security?

    Posted Sep 22, 2017 04:52 PM

    List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation  

     

    ACO parameters that are linked to security and integrity. The motto here is: keep data minimal and limited to what is needed, in a secure manner.

     

    BadCSSChars
    BadFormChars
    BadQueryChars
    BadUrlChars
    CSSChecking
    CookieDomain
    CookieDomainScope
    CookieValidationPeriod
    DisableAuthSrcVars
    DisableSessionVars
    DisableUserNameVars
    EncryptAgentName
    FCCCompatMode=NO
    ForceCookieDomain
    ForceFQHost
    PersistentCookies [We do not want SMSESSION to be a persistent cookie].
    PersistentIPCheck
    RequireClientIP
    RequireCookies
    SecureURLs
    SecureApps
    TrackCPSessionDomain
    TrackSessionDomain
    TransientIDCookies
    TransientIPCheck
    UseHttpOnlyCookies
    UseSecureCookies
    UseSecureCPCookies
    ValidFedTargetDomain
    ValidTargetDomain
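
The list above is a checklist, and the quickest way to use it is to run an agent's ACO through it and to see what the Bad*Chars parameters actually reject. The following is an added example, not code from the thread or from CA/Broadcom: it parses a constructed key=value dump of an ACO (an assumption; real ACOs live in the policy store and are exported as XML by XPSExport), reports every parameter that deviates from the hardening values the reply argues for, and then emulates the BadUrlChars / BadQueryChars / CSSChecking screening on a few request URLs. The split it assumes (BadUrlChars on the path, BadQueryChars on the query string, BadCSSChars on both when CSSChecking=YES) and the handling of `%HH-%HH` byte ranges are a simplified model of the agent, not its documented behaviour; the sample values for BadCSSChars and BadUrlChars are constructed for the demo.

```python
"""Added example: audit a SiteMinder web-agent ACO against the hardening list
in the reply above, then emulate Bad*Chars screening on request URLs.
The flat key=value dump and the screening model are simplifying assumptions."""
import re
from urllib.parse import urlsplit

# Constructed sample ACO dump (assumption: a flat key=value rendering of the
# parameters; a real ACO is exported from the policy store as XML).
SAMPLE_ACO = """
CSSChecking=YES
BadCSSChars=<,>,',;,),(
BadUrlChars=//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25
BadQueryChars=
UseSecureCookies=NO
UseHttpOnlyCookies=NO
PersistentCookies=YES
RequireCookies=YES
FCCCompatMode=YES
TransientIPCheck=NO
"""

# Values the reply argues for (YES/NO are the ACO's boolean spellings).
HARDENING_BASELINE = {
    "CSSChecking": "YES",          # reject URLs carrying BadCSSChars
    "UseSecureCookies": "YES",     # SMSESSION only sent over TLS
    "UseHttpOnlyCookies": "YES",   # SMSESSION not readable by script
    "PersistentCookies": "NO",     # SMSESSION dies with the browser session
    "RequireCookies": "YES",       # no cookieless fallback
    "FCCCompatMode": "NO",         # drop 4.x-compatible FCC handling
    "TransientIPCheck": "YES",     # bind the session cookie to the client IP
}


def parse_aco(text):
    """Parse the key=value dump into a dict; a later duplicate key wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_aco(params):
    """Return (parameter, actual, expected) for every baseline miss."""
    findings = []
    for key, want in HARDENING_BASELINE.items():
        have = params.get(key, "<unset>")
        if have.upper() != want:
            findings.append((key, have, want))
    return findings


def _parse_bad_chars(spec):
    """Split a Bad*Chars value into literal substrings and %HH-%HH byte ranges."""
    literals, ranges = [], []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        m = re.fullmatch(r"%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})", token)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            literals.append(token)
    return literals, ranges


def first_bad_token(value, spec):
    """Return the first offending literal or %HH escape in value, else None.
    Model assumption: ranges match percent-encoded bytes and raw code points;
    literals are plain case-sensitive substrings."""
    literals, ranges = _parse_bad_chars(spec)
    for lit in literals:
        if lit in value:
            return lit
    for m in re.finditer(r"%([0-9a-fA-F]{2})", value):
        if any(lo <= int(m.group(1), 16) <= hi for lo, hi in ranges):
            return m.group(0)
    for ch in value:
        if any(lo <= ord(ch) <= hi for lo, hi in ranges):
            return repr(ch)
    return None


def screen_url(params, url):
    """Emulate agent screening of one request URL: None if it would pass,
    else (parameter, offending token). Assumed split: BadUrlChars on the path,
    BadQueryChars on the query string, BadCSSChars on both if CSSChecking=YES."""
    parts = urlsplit(url)
    checks = [("BadUrlChars", parts.path), ("BadQueryChars", parts.query)]
    if params.get("CSSChecking", "NO").upper() == "YES":
        checks.append(("BadCSSChars", parts.path + "?" + parts.query))
    for name, subject in checks:
        hit = first_bad_token(subject, params.get(name, ""))
        if hit is not None:
            return (name, hit)
    return None


if __name__ == "__main__":
    aco = parse_aco(SAMPLE_ACO)
    for key, have, want in audit_aco(aco):
        print(f"WEAK  {key}={have} (expected {want})")
    for url in ("/app/page?id=42&x=1", "/app/page?id=<script>alert(1)</script>",
                "/app/../secret", "/app/page%00.jsp", "/app/page?cmd=%7f"):
        print(f"{url!r}: {screen_url(aco, url) or 'allowed'}")
```

Note the last sample URL: with BadQueryChars left empty, a `%7f` in the query string passes even though BadUrlChars would have rejected it in the path, which is why the reply lists BadQueryChars and BadFormChars alongside BadUrlChars rather than relying on one of them.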