by IDAMGroup
CA Siteminder Protecting Web Application Part 2
Protecting a simple web application using CA Siteminder r12.51
In my previous post I detailed the installation and configuration of the webagent in a Linux environment: http://mytechreference.com/ca-siteminder-protecting-web-application-part-1.
In this post I am going to configure the Siteminder objects to protect a simple static application. The following are the minimal steps needed to successfully protect a site.
- Create Agent
- Configure ACO with required values
- Configure User Store
- Configure Authentication Scheme
- Create Domain, Realm and Policy
Access the siteminder admin console https://hostname:8443/iam/siteminder/adminui
Create the Agent
Create a Siteminder Webagent version 5.x under “Infrastructure–>Agent–>Agents”.
Configure ACO (Agent Configuration Object)
Since we already created the ACO, modelled on the default Apache version, before the webagent installation/configuration, we only need to make minimal changes for now to get started.
Go to Infrastructure–>Agent–>Agent Configuration Agent
- DefaultAgentName : webagent_one
- TraceConfigFile : /opt/siteminder/webagent/config/WebAgentTrace.conf
- TraceFileName : /opt/siteminder/webagent/log/webagenttrace.log
- TraceFile : YES
Note: If you modify the trace details, make sure you restart the Webagent by restarting the web server.
Configure User store
Infrastructure–>Directory–>User Directory
Provide all the user store details, similar to the screenshot below.
Authentication Scheme
Infrastructure–>Authentication–>Authentication Scheme
I am going to use the Basic Authentication Scheme, which comes out of the box.
Domain, Realm and Policy
Domain
Policies–>Domains–>Domains–>Create Domain
Naming the domain as: “SiteA domain”
Add the user store by clicking the Add button
Assign the newly created user directory
You should see the user directory assigned to this domain.
Realm and Rules
Now click on the Realm tab and create a Realm
Naming Realm as: “SiteA Realm”
Assign the Agent, Resource to be Protected and Authentication Scheme (Basic)
Click on Create Rules as per the screenshot below.
Create Rule with Get and Post Action.
Click Submit
Policy
Click the Policy tab, create a policy, and assign users and rules to the policy as shown in the screenshots below.
Click Create on the policy tab
Naming the policy as: “SiteA Main Page”
Click on the User tab and click Add All to look for all members/users in the user directory.
Click the Rule tab and Add the Rule “Protect Main Page” and click Ok.
By this time you have completed all the configuration required to protect a web application.
Now when we access the URL http://webone.mysitea.com:82 we will be challenged for user credentials (Basic Authentication).
Excerpt of the webagent log
[02/08/2014][11:10:09][23858][3940448016][CSmHighLevelAgent.cpp:321][ProcessRequest][00000000000000000000000059670a0a-5d32-52f656e1-eade7710-607c1c4d632e][][][][][][Start new request.]
[02/08/2014][11:10:09][23858][3940448016][CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]
[02/08/2014][11:10:14][23858][3940448016][CSmHighLevelAgent.cpp:321][ProcessRequest][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Start new request.]
[02/08/2014][11:10:14][23858][3940448016][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[02/08/2014][11:10:14][23858][3940448016][SmApache24WebFilterCtxt.cpp:1655][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][sP3PCompactPolicy: '']
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:384][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved HTTP_HOST: 'webone.mysitea.com:82'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:5001][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][webone.mysitea.com:82]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:475][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved hostname: 'webone.mysitea.com:82'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:494][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][][][][][][Resolved agentname: 'webone_agent'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:5354][CSmHttpPlugin::ResolveClientIp][][][][][][][Resolved Client IP address '10.10.103.135'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:642][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][][][Resolved URL: '/'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:757][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resolved METHOD: 'GET'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:810][CSmHttpPlugin::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resolved cookie domain: '.mysitea.com'.]
[02/08/2014][11:10:14][23858][3940448016][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]
[02/08/2014][11:10:14][23858][3940448016][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]
[02/08/2014][11:10:14][23858][3940448016][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[02/08/2014][11:10:14][23858][3940448016][CSmLowLevelAgent.cpp:499][IsResourceProtected][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Resource is protected from cache.]
[02/08/2014][11:10:14][23858][3940448016][CSmResponseManager.cpp:193][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpPlugin.cpp:2685][CSmHttpPlugin::ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Processing IsProtected responses.]
[02/08/2014][11:10:14][23858][3940448016][CSmResponseManager.cpp:231][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[02/08/2014][11:10:14][23858][3940448016][CSmCredentialManager.cpp:130][CSmCredentialManager::GatherCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]
[02/08/2014][11:10:14][23858][3940448016][SmPluginUtilities.cpp:160][DeleteCookie][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Deleted cookie 'SMCHALLENGE'.]
[02/08/2014][11:10:14][23858][3940448016][CSmHttpCredCore.cpp:592][CSmHttpCredCore::GatherBasicCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][Decoded BASIC Context - User 'kmith']
[02/08/2014][11:10:14][23858][3940448016][CSmCredentialManager.cpp:167][CSmCredentialManager::GatherCredentials][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]
[02/08/2014][11:10:15][23858][3940448016][CSmLowLevelAgent.cpp:1200][AuthenticateUser][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][][User 'kmith' is authenticated by Policy Server.]
[02/08/2014][11:10:15][23858][3940448016][CSmResponseManager.cpp:193][ProcessResponses][00000000000000000000000059670a0a-5d32-52f656e6-eade7710-018322baf66][*10.10.103.135][][webone_agent][/][kmith][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
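To follow a single request through a trace like the one above, the records can be grouped by their transaction ID. This is an added example, not part of the original post or of CA's tooling; the field names are inferred from the excerpt, and the sample lines are constructed with shortened placeholder transaction IDs.

```python
import re
from collections import defaultdict

# Field order inferred from the excerpt above (an assumption, not a vendor spec).
FIELDS = ("date", "time", "pid", "tid", "src", "func", "txid",
          "client_ip", "unused", "agent", "resource", "user", "msg")
LINE_RE = re.compile(r"^" + r"\[([^\]]*)\]" * 12 + r"\[(.*)\]\s*$")
METHOD_RE = re.compile(r"Resolved METHOD: '([^']*)'")
AUTH_RE = re.compile(r"User '([^']*)' is authenticated by Policy Server")

def parse_line(line):
    """Split one trace line into named fields; None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def summarize(lines):
    """Group records by transaction ID: who asked for what, and was it authenticated."""
    txs = defaultdict(lambda: {"client_ip": "", "agent": "", "resource": "",
                               "method": "", "user": "", "authenticated": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["txid"]:
            continue  # malformed line, or a record not tied to a request
        tx = txs[rec["txid"]]
        for key in ("agent", "resource"):
            tx[key] = rec[key] or tx[key]
        tx["client_ip"] = rec["client_ip"].lstrip("*") or tx["client_ip"]
        m = METHOD_RE.search(rec["msg"])
        if m:
            tx["method"] = m.group(1)
        m = AUTH_RE.search(rec["msg"])
        if m:
            tx["user"], tx["authenticated"] = m.group(1), True
    return dict(txs)

# Constructed sample modelled on the excerpt; transaction IDs are shortened placeholders.
PRE = "[02/08/2014][11:10:14][23858][3940448016]"
SAMPLE = [
    PRE + "[CSmHighLevelAgent.cpp:321][ProcessRequest][tx-0000][][][][][][Start new request.]",
    PRE + "[CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]",
    PRE + "[CSmHttpPlugin.cpp:757][CSmHttpPlugin::ProcessResource][tx-0001][*10.10.103.135][][webone_agent][/][][Resolved METHOD: 'GET'.]",
    PRE + "[CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-0001][*10.10.103.135][][webone_agent][/][][User 'kmith' is authenticated by Policy Server.]",
]

if __name__ == "__main__":
    for txid, tx in summarize(SAMPLE).items():
        print(txid, tx)
```

The trace records user names and client IP addresses in clear text, so keep the trace file readable only by the web server account and administrators.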
---------------------------------------------------------------------------------------------------------------------------------------------
Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.