Symantec Access Management

  • Private Community

  • 1.  How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 12, 2018 09:31 PM

    Hi,

    I am trying to consume RiskFortEvaluateRiskSvc listAssociations operation, but authentication fails whenever I use authToken or just iserId/credential/orgName headers, i.e.

     

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl">
       <soap:Header>
    <authToken xmlns="02eabf4c-dfa1-473f-87cb-308a717f3e49</authToken" rel="nofollow" target="_blank">http://ws.arcot.com/UDSTransaction/1.0">02eabf4c-dfa1-473f-87cb-308a717f3e49</authToken>
      </soap:Header>
       <soap:Body>
          <wsdl:ListAssociationsRequest>
             <wsdl:userContext>
                  <wsdl:userName>userIdHere</wsdl:userName>
             </wsdl:userContext>        
          </wsdl:ListAssociationsRequest>
       </soap:Body>
    </soap:Envelope>

     

     

    Response:

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:rf1="http://ws.arcot.com/RiskFortEvaluateRiskAPI/2.0/wsdl/EvaluateRiskAPISOAP11Binding" xmlns:rf2="http://ws.arcot.com/RiskFortEvaluateRiskAPI/2.0/wsdl" xmlns:rf10="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl/EvaluateRiskAPISOAP11Binding" xmlns:rf11="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl" xmlns:rf12="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl/EvaluateRiskAPISOAP12Binding" xmlns:rf3="http://ws.arcot.com/RiskFortEvaluateRiskAPI/2.0/wsdl/EvaluateRiskAPISOAP12Binding" xmlns:rf4="http://ws.arcot.com/RiskFortIssuanceAPI/2.0/wsdl/IssuanceAPISOAP11Binding" xmlns:rf5="http://ws.arcot.com/RiskFortIssuanceAPI/2.0/wsdl" xmlns:rf6="http://ws.arcot.com/RiskFortIssuanceAPI/2.0/wsdl/IssuanceAPISOAP12Binding" xmlns:rf7="http://ws.arcot.com/RiskFortIssuanceAPI/3.0/wsdl/IssuanceAPISOAP11Binding" xmlns:rf8="http://ws.arcot.com/RiskFortIssuanceAPI/3.0/wsdl" xmlns:rf9="http://ws.arcot.com/RiskFortIssuanceAPI/3.0/wsdl/IssuanceAPISOAP12Binding">
       <SOAP-ENV:Header/>
       <SOAP-ENV:Body>
          <SOAP-ENV:Fault>
             <SOAP-ENV:Code>
                <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
             </SOAP-ENV:Code>
             <SOAP-ENV:Reason>
                <SOAP-ENV:Text xml:lang="en">TRANS_FAULT</SOAP-ENV:Text>
             </SOAP-ENV:Reason>
             <SOAP-ENV:Detail>
                <rf11:RiskFortFault>
                   <rf11:responseCode>7691</rf11:responseCode>
                   <rf11:errorMessage>Authentication / Authorization Failed</rf11:errorMessage>
                   <rf11:paramName/>
                   <rf11:paramValue/>
                   <rf11:reasonCode>8000</rf11:reasonCode>
                   <rf11:transactionID/>
                </rf11:RiskFortFault>
             </SOAP-ENV:Detail>
          </SOAP-ENV:Fault>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

     

    The same token works fine with REST API.

    How properly path authentication/authorization headers in my case?

     

    Thanks,

    Vlad



  • 2.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 16, 2018 10:18 AM

    Please pass the admin details to authenticate/authorize the api.

     

    <soap:Header>
    <userID>xyz</userID>
    <orgName>xyz</orgName>
    <credential>xyz</credential>
    </soap:Header>

     

    For ex:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl">
    <soap:Header>
    <userID>xyz</userID>
    <orgName>xyz</orgName>
    <credential>xyz</credential>
    </soap:Header>

    <soap:Body>
    <wsdl:ListAssociationsRequest>
    <wsdl:userContext>
    <wsdl:userName>userIdHere</wsdl:userName>
    </wsdl:userContext>
    </wsdl:ListAssociationsRequest>
    </soap:Body>
    </soap:Envelope>

     

    Hope this helps.

     

    Thanks,
    Sharan



  • 3.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 16, 2018 10:35 AM

    Hi Sharan,

    I tried this option many times before, it is generates the same error. Seems like UDS does not receive those credentials at all according to arcotuds.log

     

    2018-01-16 10:27:00,142 EST : [http-nio-8080-exec-4] : ERROR : anamgmt.ws.ArcotAnARegistrySvcSkeleton : [null] : [null] : [31119] : User identifier is mandatory.
    com.arcot.admin.framework.ana.api.AuthenticationException: User identifier is mandatory.
            at com.arcot.admin.framework.ana.impl.AuthenticateAndAuthorizeManagerImpl.authenticate(AuthenticateAndAuthorizeManagerImpl.java:162)
            at com.arcot.euds.anamgmt.ws.ArcotAnARegistrySvcSkeleton.authenticate(ArcotAnARegistrySvcSkeleton.java:269)
            at com.arcot.euds.anamgmt.ws.ArcotAnARegistrySvcMessageReceiverInOut.invokeBusinessLogic(ArcotAnARegistrySvcMessageReceiverInOut.java:51)
            at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
            at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:114)
            at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:181)
            at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)

     

    Thanks,

    Vlad



  • 4.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 16, 2018 06:39 PM

    Apparently according to CA support and later tested it should be like this . You will not find it in the documentation.

    <soap:Envelope xmlns:rf2="http://ws.arcot.com/RiskFortEvaluateRiskAPI/2.0/wsdl" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl">
       <soap:Header>
    <rf2:INFO>
    <userID>gaadmin</userID>
    <orgName>defaultorg</orgName>
    <credential>admin@123</credential>
    </rf2:INFO>
      </soap:Header>

      
       </soap:Body>
    </soap:Envelope>

     

    or this

    <soap:Envelope xmlns:rf2="http://ws.arcot.com/RiskFortEvaluateRiskAPI/2.0/wsdl" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://ws.arcot.com/RiskFortEvaluateRiskAPI/3.0/wsdl">

       <soap:Header>

    <rf2:INFO>
             <TOKEN>c6204940-4bc9-4661-a040-bb6b66101f0d</TOKEN>
    </rf2:INFO>

      </soap:Header>  

    </soap:Envelope>

     

    Thanks,

    Vlad



  • 5.  Re: How to authorize to Advanced Authentication SOAP Web Service?
    Best Answer

    Posted Jan 17, 2018 09:01 PM

    Hi Vlad,

     

    This step is mentioned in doc.

     

     

    Managing Web Services Security - CA Advanced Authentication - 9.0 - CA Technologies Documentation 

     

    Authentication Header Elements

    The following table lists the elements that have to be included in the call header for authentication.

    ElementMandatoryDescription
    userIDYesThe unique identifier of the user whose account is to be authenticated.
    orgNameYesThe organization name to which the authenticating user belongs.
    credentialYesThe credential of the user to be used for authentication

    Authorization Header Elements

    The following table lists the elements that you must pass in the call header for authorization.

    ElementMandatoryDescription
    authTokenYes

    The authentication token that is returned after successful user verification. This token indicates that the user is already authenticated, eliminating the need for user credentials for successive authentication attempts.

    By default, the authentication token is valid for one day, after which you authenticate again.

    Note: You can set any one of the following elements.
    targetorgNo

    The organization to which your calling application must authorize before performing any operation.

    Note: If you want to enable authorization for more than one organization, then repeat this entry for every organization.

    targetAllOrgsNoIndicates whether authorization is required before operations on all organizations can be performed. Set the value of this element to TRUE to enable authorization for all organizations.
    globalEntityNoIndicates whether authorization is required for performing global configurations. Set this value to TRUE to enable authorization for global configuration operations, such as fetching attributes for users.


  • 6.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 26, 2018 08:51 AM

    Thanks, I saw it. It was added after I raised a ticket.



  • 7.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 31, 2018 12:59 PM

    Is it Possible to use this instead of the SMSESSION of CA SSO, in a project just with CA API-GW + CA AA?



  • 8.  Re: How to authorize to Advanced Authentication SOAP Web Service?

    Posted Jan 25, 2018 02:33 AM

    You may find more details of Request and Response here:

    https://docops.ca.com/display/AA9/Manage+Web+Services+Security