MyTechReference - Technical Notes


by IDAMGroup

CA Siteminder Protecting Web Application Part 2

Protecting a simple web application using CA Siteminder r12.51

In my previous post I detailed the installation and configuration of the Web Agent in a Linux environment: http://mytechreference.com/ca-siteminder-protecting-web-application-part-1.

In this post I am going to configure the Siteminder objects needed to protect a simple static application. The following are the minimal steps we need to complete to protect a site successfully.

  1. Create Agent
  2. Configure ACO with required values
  3. Configure User Store
  4. Configure Authentication Scheme
  5. Create Domain, Realm and Policy

Access the Siteminder admin console at https://hostname:8443/iam/siteminder/adminui

Create the Agent

Create a Siteminder Web Agent (version 5.x) under “Infrastructure–>Agent–>Agents”.

[Screenshot: webapp_protect_79]

Configure ACO (Agent Configuration Object)

Since we already created the ACO, modelled on the default Apache version, before the Web Agent installation/configuration, we only need to make minimal changes for now to get started.

Go to Infrastructure–>Agent–>Agent Configuration Objects

  • DefaultAgentName : webagent_one
  • TraceConfigFile : /opt/siteminder/webagent/config/WebAgentTrace.conf
  • TraceFileName : /opt/siteminder/webagent/log/webagenttrace.log
  • TraceFile : YES

Note: If you modify the trace details, make sure you restart the Web Agent by restarting the web server.

Configure User store

Infrastructure–>Directory–>User Directory

Provide all the user store details, similar to the screenshot below.

[Screenshot: webapp_protect_61]

Authentication Scheme

Infrastructure–>Authentication–>Authentication Scheme

I am going to use the Basic authentication scheme, which comes out of the box.

[Screenshot: webapp_protect_64]

Domain, Realm and Policy

Domain

Policies–>Domains–>Domains–>Create Domain

Name the domain “SiteA domain”.

[Screenshot: webapp_protect_68]

Add the user store by clicking the Add button.

[Screenshot: webapp_protect_72]

Assign the newly created user directory.

[Screenshot: webapp_protect_73]

You should see the user directory assigned to this domain.

[Screenshot: webapp_protect_75]

Realm and Rules

Now click on the Realm tab and create a realm.

[Screenshot: webapp_protect_77]

Name the realm “SiteA Realm”.

Assign the agent, the resource to be protected, and the authentication scheme (Basic).

Click to create rules, as shown in the screenshot below.

[Screenshot: webapp_protect_82]

Create a rule with the Get and Post actions.

[Screenshot: webapp_protect_80]

Click Submit.

[Screenshot: webapp_protect_83]

Policy

Click the Policy tab, create a policy, and assign users and rules to it as shown in the screenshots below.

Click Create on the Policy tab.

[Screenshot: webapp_protect_84]

Name the policy “SiteA Main Page”.

[Screenshot: webapp_protect_85]

Click on the User tab and click Add All to look for all members/users in the user directory.

[Screenshot: webapp_protect_86]

Click the Rule tab, add the rule “Protect Main Page”, and click OK.

[Screenshot: webapp_protect_89]

[Screenshot: webapp_protect_90]

At this point you have completed all the configuration required to protect a web application.

Now, when we access the URL http://webone.mysitea.com:82, we will be challenged for user credentials (Basic Authentication).

[Screenshot: webapp_protect_91]

Excerpt of the webagent log


[02/08/2014][11:10:09][23858][3940448016][CSmHighLevelAgent.cpp:321][ProcessRequest][00000000000000000000000059670a0a-5d32-52f656e1-eade7710-607c1c4d632e][][][][][][Start new request.]
[02/08/2014][11:10:09][23858][3940448016][CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]
[02/08/2014][11:10:14][23858][3940448016][CSmHighLevelAgent.cpp:321][ProcessRequest][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Start new request.]
[02/08/2014][11:10:14][23858][3940448016][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[02/08/2014][11:10:14][23858][3940448016][SmApache24WebFilterCtxt.cpp:1655][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][sP3PCompactPolicy: '']
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:384][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved HTTP_HOST: 'webone.mysitea.com:82'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:5001][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][webone.mysitea.com:82]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:475][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved hostname: 'webone.mysitea.com:82'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:494][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved agentname: 'webone_agent'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:5354][CSmHttpPlugin::ResolveClientIp][][][][][][][Resolved Client IP address '10.10.103.135'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:642][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][][][Resolved URL: '/'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:757][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resolved METHOD: 'GET'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:810][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resolved cookie domain: '.mysitea.com'.]
[02/08/2014][11:10:14][23858][3940448016][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]
[02/08/2014][11:10:14][23858][3940448016][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]
[02/08/2014][11:10:14][23858][3940448016][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[02/08/2014][11:10:14][23858][3940448016][CSmLowLevelAgent.cpp:499][IsResourceProtected][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resource is protected from cache.]
[02/08/2014][11:10:14][23858][3940448016][CSmResponseManager.cpp:193][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:2685][CSmHttpPlugin::ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Processing IsProtected responses.]
[02/08/2014][11:10:14][23858][3940448016][CSmResponseManager.cpp:231][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[02/08/2014][11:10:14][23858][3940448016][CSmCredentialManager.cpp:130][CSmCredentialManager::GatherCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]
[02/08/2014][11:10:14][23858][3940448016][SmPluginUtilities.cpp:160][DeleteCookie][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Deleted cookie 'SMCHALLENGE'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpCredCore.cpp:592][CSmHttpCredCore::GatherBasicCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Decoded BASIC Context - User 'kmith']
[02/08/2014][11:10:14][23858][3940448016][CSmCredentialManager.cpp:167][CSmCredentialManager::GatherCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]
[02/08/2014][11:10:15][23858][3940448016][CSmLowLevelAgent.cpp:1200][AuthenticateUser][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][User 'kmith' is authenticated by Policy Server.]
[02/08/2014][11:10:15][23858][3940448016][CSmResponseManager.cpp:193][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][kmith][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
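
Each trace line above is a run of bracketed fields, and all lines belonging to one request share a transaction ID. The following is an added example (not part of the original post or of CA's tooling) that parses that layout and lists requests which presented Basic credentials but have no matching "is authenticated by Policy Server" line. The column order is inferred from the excerpt, and the sample lines, transaction IDs, client IP and user names are constructed.

```python
import re

# Column order inferred from the excerpt above (an assumption: the real
# layout depends on the agent's trace configuration). Field 9 is empty there.
FIELDS = ("date", "time", "pid", "tid", "source", "function",
          "txid", "client_ip", "unused", "agent", "resource", "user")
LINE_RE = re.compile(r"^" + r"\[([^\]]*)\]" * len(FIELDS) + r"\[(.*)\]\s*$")
USER_RE = re.compile(r"Decoded BASIC Context - User '([^']*)'")
AUTH_RE = re.compile(r"User '([^']*)' is authenticated by Policy Server")

def parse_line(line):
    """Split one trace line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS + ("message",), m.groups()))
    rec["client_ip"] = rec["client_ip"].lstrip("*")  # excerpt prefixes the IP with '*'
    return rec

def summarize(lines):
    """Correlate lines by transaction ID into one summary per request."""
    requests = {}
    for rec in filter(None, map(parse_line, lines)):
        if not rec["txid"]:
            continue  # health/utility lines carry no transaction ID
        req = requests.setdefault(rec["txid"], {"client_ip": "", "agent": "",
            "resource": "", "claimed_user": None, "authenticated": False})
        for key in ("client_ip", "agent", "resource"):
            req[key] = rec[key] or req[key]
        if (m := USER_RE.search(rec["message"])):
            req["claimed_user"] = m.group(1)
        if (m := AUTH_RE.search(rec["message"])):
            req["authenticated"] = m.group(1) == req["claimed_user"]
    return requests

def unconfirmed_logins(requests):
    """Transaction IDs that presented Basic credentials with no confirmation line."""
    return [tx for tx, r in requests.items() if r["claimed_user"] and not r["authenticated"]]

# Constructed sample in the excerpt's format (IDs, IP and users are made up).
P = "[02/08/2014][11:10:14][23858][3940448016]"
C = "[*192.0.2.10][][webone_agent][/][]"
SAMPLE = [
    P + "[CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]",
    P + "[CSmHttpCredCore.cpp:592][CSmHttpCredCore::GatherBasicCredentials][tx-1]" + C + "[Decoded BASIC Context - User 'alice']",
    P + "[CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-1]" + C + "[User 'alice' is authenticated by Policy Server.]",
    P + "[CSmHttpCredCore.cpp:592][CSmHttpCredCore::GatherBasicCredentials][tx-2]" + C + "[Decoded BASIC Context - User 'bob']",
]
print(unconfirmed_logins(summarize(SAMPLE)))  # ['tx-2']
```

Because the trace file records user names and client IP addresses per request, it should be readable only by the accounts that administer the web server.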

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.