Second Edition
This documentation and any related computer software help programs (hereinafter referred to as the Documentation) is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies. The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.
IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. The use of any product referenced in the Documentation is governed by the end user's applicable license agreement. The manufacturer of this Documentation is CA. Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright 2006 CA. All rights reserved.
CA Product References
This document references the following CA products:
eTrust SiteMinder
eTrust TransactionMinder
eTrust Identity Manager
Contents
Chapter 1: Web Agent Overview ..... 13
SiteMinder Web Agents ..... 14
Web Agent Tasks ..... 15
Web Agents and the Policy Server ..... 16
How the Web Agent and Policy Server Calculate Time ..... 18
How the Agent Reads SiteMinder Cookies ..... 19
Agent Key Dynamic Rollovers ..... 20
Key Stores ..... 20
21
Two Configuration Methods ..... 21
Central Agent Configuration Overview ..... 22
Local Agent Configuration Overview ..... 24
Use Central and Local Configuration Together ..... 25
Perform Central Agent Configuration ..... 26
Perform Local Agent Configuration ..... 27
Use an Agent Configuration File ..... 28
Edit an Agent Configuration File ..... 30
Modify the WebAgent.conf File (All Web Agents) ..... 31
Modify the LocalConfig.conf File (Framework Agents) ..... 35
37
Enable and Disable Web Agents ..... 38
Use Web Agent Monitoring ..... 38
Enforce Policies ..... 39
Set the Agent Name and Default Agent Name Identities ..... 39
Ensure that Agent Names Match ..... 40
Encrypt the Agent Name ..... 40
Manage Web Agents with Multiple Web Server Instances ..... 41
Set the ServerPath Parameter for Windows Systems ..... 42
Set the ServerPath Parameter for UNIX Systems ..... 43
Additional Configurations Requiring the ServerPath Parameter ..... 44
Loading Plug-ins for ..... 45
Enable the IIS 6.0 Security Context to Work with the Agent ..... 46
Manage Web Agent and Policy Server Communication ..... 46
Use Web Agent Accounting ..... 46
Set the Polling Frequency to the Policy Server ..... 46
Accommodate Network Latency for IIS 6.0 ..... 47
49
Set Up Virtual Server Support ..... 50
Enable the Web Agent for an IIS 6.0 Virtual Server Site ..... 51
Define Agent Identities for Virtual Servers ..... 52
Specify Virtual Servers to be Ignored by the Web Agent ..... 53
Resolve Agent Identity by IP Address ..... 54
Integrate an IIS 6.0 Agent with SharePoint Portal Server 2003 ..... 55
Configure Agents that Sit behind Proxy Servers ..... 56
Customize Cache-Control and ExpireForProxy Headers ..... 57
Configuration of Agents ..... 58
Usage Notes ..... 60
Security Considerations ..... 60
Manage 404 Not Found Errors (IIS 6.0 Agent) ..... 61
Configure Reverse Proxy Solutions ..... 61
Apache or Sun Java System Reverse Proxy Agent ..... 61
SiteMinder Secure Proxy Server ..... 62
Use the SiteMinder Reverse Proxy Solution ..... 63
Configure the SiteMinder Reverse Proxy Solution ..... 65
Process Inbound URLs ..... 66
Decode Query Data ..... 67
Ignore Query Data ..... 67
Encrypt Query String Parameters in Redirection URLs ..... 68
Use IgnoreURL ..... 71
Set a Maximum URL Size ..... 72
Use the HTTP HOST Request for the Port Number ..... 72
Accommodate P3P Compact Policies (IIS Agent only) ..... 72
Limit Size of Post Data (IIS 5.0 Agents only) ..... 73
75
URL Monitoring Overview ..... 75
Ignore File Extensions ..... 76
Secure the Ignore Extensions Feature ..... 77
Protect Resources Without Extensions ..... 78
Secure Applications ..... 79
Handle Complex URIs ..... 80
Specify Bad URL Characters ..... 81
Specify Bad Form Characters ..... 83
Specify Bad Query Characters ..... 84
Protect Web Sites Against Cross-Site Scripting ..... 84
Configure the Web Agent to Check For Cross-Site Scripting ..... 85
Override the Default CSS Character Set ..... 85
Compare IP Addresses to Prevent Security Breaches ..... 86
87
Set Web Agent Cache ..... 87
Set the Resource Cache Timeout ..... 88
Set the Maximum Resource Cache Size ..... 89
Set the Maximum User Session Cache Size ..... 90
Cache Anonymous Users ..... 90
91
Use Credential Collectors for Authentication and Single Sign-On ..... 92
How Credential Collectors Process Requests ..... 94
Associate MIME Types with Credential Collectors ..... 95
Configure MIME Types for Each Credential Collector ..... 95
Configure Credential Collectors in a Mixed Environment ..... 98
Configure the FCC to Use a Single Resource Target ..... 103
Enable Forms Cache to Improve Performance ..... 103
Force an FCC to Establish Realm Context for Forms Authentication ..... 104
Use a Relative Target for Credential Collector Redirects ..... 105
Define Valid Target Domains for CCC Processing ..... 105
Enable FCCs/SCCs to Use Agent Names as Fully Qualified Host Names ..... 106
Map Agent Identities and Web Servers for Use By FCCs and SCCs ..... 106
Preserve Data Posted to a Form ..... 107
Enable Passport Authentication to Protect IIS 6.0 Resources ..... 107
Use the safeword.fcc File for SafeWord Forms Authentication ..... 108
Use a Special Forms Template for Passport Authentication ..... 109
Protect IIS 6.0 Web Server Resources with Passport Authentication ..... 110
Delete Certificates from Stronghold (Apache Agent Only) ..... 110
Accommodate Legacy URL Encoding ..... 110
Configure Password Services for a Web Agent ..... 111
Introduce FCC Password Services ..... 111
Localize CGI-based Password Services Change Forms ..... 114
Use a Fully Qualified URL for Password Services Redirects ..... 115
Understand How DMS2 (Registration Services) Handles Localization ..... 115
117
Domino URL Commands ..... 118
Domino Aliases ..... 119
Convert Notes Document Names ..... 120
Configure the Domino Web Agent ..... 120
Configure Domino-Specific Agent Functions ..... 121
Authenticate Users with the Domino Server ..... 122
Force SiteMinder to Authenticate Users ..... 123
Authenticate as the Domino Super User ..... 124
Authenticate as the Actual User or the Default User ..... 124
Modify the Domino Default User and the Domino Super User ..... 125
Map URLs for FCC Redirects ..... 126
Coordinate SiteMinder and Domino Authentication ..... 127
Use a SiteMinder Header for Authentication ..... 127
Disable Domino Session Authentication ..... 127
Map URLs for FCC Redirects with a Domino Web Agent ..... 128
Ensure Requests are Not Rejected Due to URL Normalization ..... 128
Handle User-Requested Actions on Lotus Notes Documents ..... 129
Enable a Domino Agent to Collect Credentials for Authentication ..... 130
Specify User Directories for Domino ..... 130
Configure Policies for Domino ..... 131
Create Rules for Domino Server Resources ..... 132
Implement Full Logoff Support for Domino Agents ..... 134
Other Considerations for Creating Policies ..... 135
Use a Domino Agent with a WebSphere Application Server ..... 135
137
Log Web Agent Error and Trace Messages ..... 137
Types of Messages the Web Agent Logs ..... 138
Notes About Log Files ..... 138
Types of Log Files ..... 139
Set Up and Enable Error Logging ..... 139
Set Up and Enable Trace Logging ..... 141
IIS 6.0 Server Logs ..... 143
Configure the Trace Configuration File ..... 144
Modify the Trace Configuration File ..... 144
Specify Components and Subcomponents in the Trace Log ..... 145
Specify Data Fields to Include in the Trace Messages ..... 148
Filter Data Output to the Trace Log ..... 149
Trace the Agent Connection Manager and Agent API Calls ..... 149
Default WebAgentTrace.conf File ..... 151
Sample WebAgentTrace.conf File and Resulting Trace Log ..... 156
159
Secure a User's Security Context in a Page File (IIS 5.0 Only) ..... 159
Use an IIS Proxy User Account (IIS Only) ..... 160
Use the IIS Default User Name and Password ..... 160
Enable Anonymous User Access ..... 161
Use the NetBIOS Name or UPN for IIS Authentication ..... 161
Configure NT Challenge/Response Authentication (IIS Only) ..... 162
Configure the IIS Web Server ..... 163
Configure Automatic Logon ..... 164
Configure the Challenge/Response Authentication Scheme ..... 165
Specify an NTLM Credential Collector ..... 166
Configure Auditing to Track User Activity ..... 167
Use Transaction IDs ..... 168
Log the Transaction ID in Web Server Logs ..... 169
Log Off Users from User Sessions Using Full Logoff ..... 170
Configure Full Logoff ..... 171
Configure Full Logoff for Single Sign-on ..... 172
173
Use Single Sign-On ..... 173
Use Single Sign-On in a Single Domain ..... 174
Use Single Sign-On Across Multiple Domains ..... 175
Use Authentication Scheme Protection Levels ..... 177
Track User Identity Across Anonymous Realms ..... 178
Use Agent Key Management and Single Sign-On ..... 178
Configure Single Sign-On ..... 179
Modify Single Sign-On Settings ..... 180
Specify the Cookie Provider ..... 180
Specify the Cookie Domain ..... 181
Require Cookies ..... 181
Session Cookie Creation and Updates ..... 182
Set Secure Cookies ..... 183
Set Persistent Cookies ..... 183
Control Identity Cookies ..... 184
Modify the Session Grace Period ..... 185
Modify the Session Update Period ..... 185
Set a Timeout for Saved Credentials ..... 186
Enforce Timeouts Across Multiple Realms ..... 187
Redirect a User After a Session Timeout ..... 188
Session Cookie Validation Periods and Expired Cookie URLs ..... 189
Configure Support for SDK Third-Party Cookies ..... 190
Ignore the Cookie Provider for Unprotected Resources ..... 190
Ignore the Cookie Provider for POST Requests (framework agents only) ..... 191
Manage Cookie Domains ..... 191
Force the Cookie Domain ..... 191
Implement Cookie Domain Resolution ..... 192
Resolve Cookie Domains Automatically ..... 193
Force Fully Qualified Domain Names ..... 194
Modify the Cookie Domain ..... 195
197
Security Zone Definitions ..... 197
Security Zones Overview ..... 198
Security Zones Benefits ..... 199
Security Zone Basic Use Case ..... 200
User Sessions Across Security Zones ..... 200
Trusted Zone Order ..... 201
Request Processing with Multiple User Sessions ..... 204
Transitive Relationships Across Zones ..... 204
Other Cookies Affected by Single Sign-On Zones ..... 205
How Single Sign-On Zones Affect Authorization ..... 205
Configure Security Zones ..... 206
Cookie Naming Conventions ..... 207
The Order of Trust and Failover ..... 208
209
SiteMinder Mechanisms for Developing Web Applications ..... 210
Use Configurable Response Attributes ..... 211
Configure Response Attributes ..... 214
Use the HTTP Header and Cookie-Variables ..... 215
Combine OnAccept and OnReject Events ..... 216
Cache Response Attributes ..... 216
Override Session Timeouts with Response Attributes ..... 217
Set the REMOTE_USER Environment Variable ..... 218
Configure the Web Agent to set the REMOTE_USER Variable ..... 219
How the IIS Web Agent Populates the REMOTE_USER Variable ..... 220
Use SiteMinder Default HTTP Headers ..... 221
Disable Default HTTP Header Variables ..... 224
Example Applications that Use SiteMinder Default HTTP Headers ..... 224
Use a Header Variable to Validate End-User IP Addresses ..... 228
Use a Custom Header to Validate IP Addresses ..... 229
Configure IP Address Validation ..... 230
Previous Web Agent Releases ..... 231
Preserve HTTP Headers ..... 231
Control How HTTP Header Resources are Cached ..... 231
Security Issues Related to Caching HTTP Header Resources ..... 232
Use Lower Case HTTP in Headers (for Sun Java System, Apache, Domino) ..... 233
Set the HTTP Header Encoding Spec ..... 234
Disable Conformance to RFC 2047 ..... 235
Use SM_AGENT_ATTR_USRMSG Response for a Forms Challenge ..... 236
Set Legacy Variables ..... 237
Define HTTPS Ports ..... 237
Handle Multiple AuthTrans Functions (Sun Java System only) ..... 238
Custom Error Handling For Applications ..... 239
Configure Custom Error Handling ..... 242
Set Up Error Handling ..... 243
Appendix A: Troubleshooting ..... 245
Check Logs for Start-up Errors ..... 245
Check Error and Trace Logs ..... 245
Solve Problems ..... 245
Web Server Does Not Prompt for Username or Password ..... 246
Web Server Authentication Fails ..... 246
Configured Attributes Are Not Reaching Web Application ..... 246
Agent is Sending Authorization Requests Configured to Ignore to Policy Server ..... 247
Browser Is Not Submitting Cookie ..... 248
Solaris/Sun Java System Web Agent Not Loading or Web Server Not Starting ..... 248
Receive WriteLine Failed Error ..... 249
Solaris/Sun Java System Web Agent Not Communicating with Policy Server ..... 249
Apache Web Server Will Not Start/Restart When Web Agent is Enabled ..... 250
Sun Java System Web Agent on Solaris Not Loading ..... 251
iPlanet WebServer Shows Blank Page When Using Basic over SSL ..... 252
253
259
267
Index ..... 269
[Figure: Web Agent deployment. A Web Server hosting the Web Agent and its protected resources (Web applications, Active Server Pages, scripts, HTML pages) communicates with the Policy Server, which writes Accounting Logs.]
Note: For Windows systems, the time zone and the time of day, set in the Date/Time control panel, must agree. For example, to reset a system in the USA from Eastern time to Pacific time, set the system's clock back 3 hours and change the time zone to Pacific Time. If these settings differ, single sign-on across multiple domains and agent key management will not work properly.
Key Stores
When the Policy Server generates dynamic keys, it saves and maintains these keys in the key store. The key store is the repository from which all Web Agents retrieve the most current keys. The key store may be part of a SiteMinder policy store or maintained as a stand-alone key store.
Note: If an administrator issues multiple agent key rollovers in rapid succession, this may invalidate all cookies issued for single sign-on and may disrupt single sign-on for all users currently logged in. After these users reauthenticate, single sign-on will operate normally.
Note: For information about modifying an Agent Configuration Object, see CA eTrust Policy Design.
More Information
SiteMinder Web Agents (see page 14)
AllowLocalConfig Parameter
The AllowLocalConfig parameter can be set to YES or NO. You can also specify one or more agent configuration parameter names to limit local administrator access to those specific configuration parameters. The Web Agent, during initial startup and periodic updates, reads the values of all, none, or only the selected parameters from the local configuration file. The sequence of processing is as follows:
If both YES and NO are present, NO takes precedence.
If NO and additional parameter names are present, NO takes precedence.
If YES and additional parameter names are present, YES takes precedence.
Scenario
The following scenario illustrates when central and local configuration might be used together:
You need to configure multiple cookie domain single sign-on across a SiteMinder network without configuring Agents individually. The CookieDomain parameter in the Agent Configuration Object is set to acmecorp.com. However, for one Web Agent in your network, you want to set the CookieDomain parameter to .netegrity.com, while still using all the other parameter values set in the Agent Configuration Object.
Solution
To implement the example configuration:
1. At the Policy Server, configure an Agent Configuration Object with all the parameters applicable for your environment.
2. In the Agent Configuration Object, set the AllowLocalConfig parameter to yes.
3. At one Web Agent, modify only the local configuration file by changing the CookieDomain parameter to .netegrity.com. Do not modify any other parameters.
The value for the CookieDomain parameter in the Agent configuration file overrides the value in the Agent Configuration Object, while the Agent Configuration Object determines the settings for all the other parameters.
More Information
Modify the LocalConfig.conf File (Framework Agents) (see page 35)
Modify the WebAgent.conf File (All Web Agents) (see page 31)
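The following Python is an added illustration (not CA's code) of the AllowLocalConfig precedence rules and of the CookieDomain override scenario above: a constructed Agent Configuration Object is merged with a constructed LocalConfig.conf and the result reports which local settings were applied and which were ignored. It assumes parameter names are case-insensitive and that an empty AllowLocalConfig behaves like NO.

```python
"""Model of how a Web Agent merges its central Agent Configuration Object (ACO)
with LocalConfig.conf under the AllowLocalConfig precedence rules.
Added illustration only; this is not CA's implementation."""
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

# LocalConfig.conf lines look like   Name="value"   and '#' starts a comment.
_PARAM_LINE = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_local_config(text: str) -> Dict[str, str]:
    """Parse name="value" lines into a dict keyed by lower-cased name.
    Case-insensitive names are an assumption, made because the sample file
    mixes spellings such as localconfigfile and HostConfigFile.
    Blank, comment and malformed lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1).lower()] = match.group(2)
    return params


def local_override_policy(
        allow_local_config: Union[str, Iterable[str]]) -> Optional[FrozenSet[str]]:
    """Apply the AllowLocalConfig precedence rules from the guide:
    NO beats YES and beats any list of parameter names; YES beats a list of
    parameter names; otherwise only the named parameters may be overridden.
    Returns None when any parameter may be overridden, otherwise the set of
    permitted names (an empty set means no local override at all).
    An empty value is treated as NO here, which is an assumption."""
    if isinstance(allow_local_config, str):
        allow_local_config = allow_local_config.split(",")
    values = [v.strip() for v in allow_local_config if v.strip()]
    upper = {v.upper() for v in values}
    if "NO" in upper or not values:
        return frozenset()
    if "YES" in upper:
        return None
    return frozenset(v.lower() for v in values)


def effective_config(central: Dict[str, str],
                     allow_local_config: Union[str, Iterable[str]],
                     local_conf_text: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Start from the ACO and apply each LocalConfig.conf setting only if the
    policy permits it. Returns (effective settings, applied names, ignored names)."""
    allowed = local_override_policy(allow_local_config)
    spelling = {name.lower(): name for name in central}  # keep the ACO's spelling
    effective = dict(central)
    applied: List[str] = []
    ignored: List[str] = []
    for name, value in parse_local_config(local_conf_text).items():
        if allowed is None or name in allowed:
            effective[spelling.get(name, name)] = value
            applied.append(name)
        else:
            ignored.append(name)
    return effective, sorted(applied), sorted(ignored)


# Constructed sample ACO and LocalConfig.conf mirroring the scenario above.
CENTRAL_ACO = {
    "DefaultAgentName": "agent1",
    "CookieDomain": "acmecorp.com",
    "IgnoreExt": ".gif, .jpg, .png",
}
LOCAL_CONF = '''# LocalConfig.conf (constructed sample)
CookieDomain=".netegrity.com"
IgnoreExt=".gif, .jpg, .png, .class"
'''

if __name__ == "__main__":
    for policy in (["YES"], ["CookieDomain"], ["YES", "NO"]):
        eff, applied, ignored = effective_config(CENTRAL_ACO, policy, LOCAL_CONF)
        print(f"AllowLocalConfig={policy}: CookieDomain={eff['CookieDomain']!r}, "
              f"applied={applied}, ignored={ignored}")
```

Naming only the parameters a local administrator is meant to change (here CookieDomain) is the narrower setting: with YES, every local entry, including IgnoreExt, silently replaces the central value.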
Web Server: File Location
IIS: Program Files\netegrity\webagent\bin\IIS
Sun Java System: <Sun_Java_server_home>/https-hostname/config, where <Sun_Java_server_home> is the location in which the Sun Java System web server is installed and hostname is the name of the server
Apache, Stronghold, Covalent FastStart, Covalent Enterprise Ready Server, IBM HTTP Server, Oracle HTTP Server: <web_server_home>/conf, where <web_server_home> is the installed location of the web server
Domino:
Initially, the WebAgent.conf file contains only a few parameters, as shown in the following sample for framework Agents:
# WebAgent.conf - configuration file for SiteMinder Web Agent
# Web Agent Version = 6QMR5, Build = 000, Update = None
HostConfigFile="C:\Program Files\netegrity\webagent\Config\SmHost.conf"
AgentConfigObject="LocalConfig"
EnableWebAgent="YES"
localconfigfile="C:\Program Files\netegrity\webagent\bin\IIS\LocalConfig.conf"
LoadPlugin="C:\Program Files\netegrity\webagent\bin\HTTPPlugin.dll"
SM_WAF_HTTP_PLUGIN="100,100,100,100,100,100,100,100,100,100,100,10
This file excerpt is an example for an Agent on an IIS 6.0 server. For an Agent on an Apache Web server, the LoadPlugin path would be one of the following:
HP-UX: <web_agent_home>/lib/libHttpPlugin.sl
Solaris, Linux, AIX: <web_agent_home>/lib/libHttpPlugin.so
Notes: For framework Agents, do not add other parameters; only modify the existing settings. You may see some sections of configuration information for SiteMinder products other than the Web Agent. Do not modify these sections. They are added to the WebAgent.conf file so that the Agent can properly interact with the other SiteMinder products. Editing them may break SiteMinder functionality.
To include additional parameters in the WebAgent.conf file (traditional Agents only):
1. Open the WebAgent.conf.sample file, located in the <web_agent_home>/config directory. This is a fully populated version of the WebAgent.conf file.
2. Add or modify parameters.
3. Set the EnableWebAgent parameter to yes when you are done making changes.
4. Save the file as WebAgent.conf.
5. Copy the modified WebAgent.conf file and overwrite the file in use by the Web Agent.
6. Restart the Web Server.
Initially, the WebAgent.conf file contains only a few parameters. For IIS 6.0, do not add other parameters; only modify the existing settings.
Note: For HP-UX, the LoadPlugin line in the preceding example should end in libHttpPlugin.sl not libHttpPlugin.so.
WebAgent.conf File (All Agents except IIS 6.0 and Apache 2.0)
# WebAgent.conf - configuration file for SiteMinder Web Agent # Web Agent Version = 6QMR5, Build = --, Update = None #agentname="<AgentName>, <IPAddress>" HostConfigFile="C:\Program Files\Netegrity\SiteMinder Web Agent\config\SmHost.conf" AgentConfigObject="iPlanetDefaultSettings" EnableWebAgent="NO"
To include additional parameters in the WebAgent.conf file (all Agents except IIS 6.0 or Apache 2.0), do the following:

1. Open the WebAgent.conf.sample, located in the <web_agent_home>/config directory of the SiteMinder Web Agent. This is a fully populated version of the WebAgent.conf file.
2. Add or modify parameters.
3. Set the EnableWebAgent parameter to yes when you are done making changes.
4. Save the file as WebAgent.conf.
5. Copy the modified WebAgent.conf file and overwrite the file in use by the Web Agent.
6. Restart the web server.
More Information
Alphabetical List of Parameters (see page 259)
Edit an Agent Configuration File (see page 30)
Enforce Policies
For a Web Agent to perform access control, it must check with the Policy Server to see whether resources are protected and challenge the user for authentication credentials. To enforce access control, set EnforcePolicies to yes (the default) when the Web Agent is protecting resources and acting as a credential collector. To disable the enforcement of policies, set EnforcePolicies to no. The Web Agent can still establish a connection to the Policy Server, but it only collects management information; it does not restrict access to any resource on the Web server, so every request is served as if the resource were unprotected.

Note: This parameter is not supported for framework Web Agents. If you want to disable the enforcement of policies on a framework Agent, disable the Web Agent itself.

More Information
Set Up Virtual Server Support (see page 50)
UNIX:
LoadPlugin="/opt/Netegrity/webagent/lib/libHTTPPlugin.so"
SM_WAF_HTTP_PLUGIN="100,100,100,100,100,100,100,100,100,100,100,100"
#LoadPlugin="/opt/Netegrity/webagent/lib/libSAMLAffiliatePlugin.so"
#SM_WAF_SAMLAFFILIATE_PLUGIN="110,110,110,110,110,110,110,110,110,110,110,110"
If you want a framework Web Agent to act as a portal Web Agent so it can communicate with a SAML Affiliate Agent, remove the pound signs (#) from the following SAML Affiliate LoadPlugin entry, and specify the path to the SAML affiliate plug-in DLL, as shown:
LoadPlugin=<path_to_SAMLAffiliatePlugin>
SM_WAF_SAMLAFFILIATE_PLUGIN="110,110,110,110,110,110,110,110,110,110,110,110"
Note: Disregard the AffiliateAgent10 plug-in, which is only used for the 4.x Affiliate Agent. This is not applicable for the SAML Affiliate Agent.
Enable the IIS 6.0 Security Context to Work with the Agent
The SiteMinder Web Agent on an IIS 6.0 Web server functions as an ISAPI extension. When an HTTP request is made, the IIS 6.0 Web server challenges the user before the Web Agent sees the request if a native IIS authentication scheme, such as Basic authentication, is selected in the server's Management Console; the IIS challenge then pre-empts the Web Agent's own challenge. To avoid being challenged by the IIS Web server:

1. Open the IIS Management Console.
2. Access the Web site's properties.
3. On the Directory Security tab, ensure that Enable anonymous access is checked in the Authentication and access control settings.
Enable the Web Agent for an IIS 6.0 Virtual Server Site
To enable the Web Agent to operate with an IIS 6.0 virtual server, follow these steps:

1. Configure virtual servers for the IIS 6.0 Web Server. Refer to the IIS documentation for instructions.
2. Open the IIS Management Console.
3. Right-click the Virtual Web Site and select Properties.
4. Select the Home Directory tab.
5. Click Configuration.
6. In the Wildcard application maps section, click Insert.
7. Click Browse and navigate to the ISAPI6WebAgent.dll file, or enter the path to the DLL. The path is: <web_agent_home>\SiteMinder Web Agent\Bin\ISAPI6WebAgent.dll
8. Click OK.
9. Restart the Virtual Web Site.
To add more than one Agent, place each entry on a separate line. For example:

agentname="agent1,123.123.12.12:8080"
agentname="agent2,123.123.12.12:8081"
agentname="agent3,123.123.12.13"

If you add an Agent Identity, also define it in the Policy Server User Interface with the same configuration. Make sure that the Agent Identity is defined in the Policy Server User Interface exactly as it is defined for the Agent configuration. If SiteMinder finds no entries in the AgentName parameter, it uses the value of the DefaultAgentName, but only for a virtual server.

Note: If you change the DefaultAgentName, make sure that it is defined in the Policy Server User Interface exactly as it is defined for the Agent.
With the use of cache-control: no-cache for 302 redirects, the ActiveX component that manages in-place document viewing in IE relies on the browser's cache to locate the file. Because this header instructs the browser not to cache the file, the ActiveX component cannot locate the file and fails to display the request properly. Further, when you set the Web Agent's ExpireForProxy setting to yes, the back-end server tells the proxy not to cache the resource.
Configuration of Agents
All parameters should be configured using multi-value strings to suit the use of multiple headers, such as cache-control: private and cache-control: max-age=60. The following is the new configuration:

1. ProxyHeadersDefaultTime - defaults to 60 seconds

2. ProxyHeadersTimeoutPercentage - defaults to 10 percent

3. Auto-authorized resources:
For HTTP/1.1, configure ProxyHeadersAutoAuth parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(SUGGESTED) ProxyHeadersAutoAuth="Cache-control: max-age=60"
For HTTP/1.0, configure ProxyHeadersAutoAuth10 parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(SUGGESTED) ProxyHeadersAutoAuth10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

4. Unprotected content:
For HTTP/1.1, configure ProxyHeadersUnprotected parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(DEFAULT) Cache-Control: no-cache
(SUGGESTED) ProxyHeadersUnprotected="Cache-Control: private"
(SUGGESTED) ProxyHeadersUnprotected="Cache-Control: max-age=60"
For HTTP/1.0, configure ProxyHeadersUnprotected10 parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(DEFAULT) Cache-Control: no-cache
(SUGGESTED) ProxyHeadersUnprotected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

5. Protected content:
For HTTP/1.1, configure ProxyHeadersProtected parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(DEFAULT) Cache-Control: no-cache
(SUGGESTED) ProxyHeadersProtected="Cache-Control: private"
(SUGGESTED) ProxyHeadersProtected="Cache-Control: max-age=60"
For HTTP/1.0, configure ProxyHeadersProtected10 parameter(s):
(DEFAULT) Expires: Thu, 01 Dec 1994 16:00:00 GMT
(DEFAULT) Cache-Control: no-cache
(SUGGESTED) ProxyHeadersProtected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"
When configuring multiple headers (for example, the cache-control headers in the suggested setting for unprotected HTTP/1.1 content), note the following:

You must have multiple occurrences of the configuration parameter; you cannot separate the values with a comma (,) or the plus sign (+).

As the values for these configuration parameters are HTTP response headers, they must comply with RFC 2616 (for HTTP/1.1), RFC 1945 (for HTTP/1.0) and RFC 822. Both HTTP/1.1 and HTTP/1.0 specify the format for an HTTP header as that of an RFC 822 message, namely "Name: Value" (the name, followed by a colon, white space and then the value).

If you do not configure the Web Agent to set the appropriate cache expiration headers when a user accesses unprotected resources, then by default the Web Agent will not set these headers, thereby allowing a proxy (or browser) to cache a response carrying an SMSESSION cookie. This cached cookie can be re-used by the proxy (or browser) after the user has initiated a different session (and therefore a different user context), causing an unauthorized impersonation.
Usage Notes
To prevent the Web Agent from sending any proxy headers, blank out the ProxyHeadersUnprotected value. For example:

ProxyHeadersUnprotected=""

Note: To get a double quote character (") to appear in a header value, use a single quote ('). The Web Agent automatically converts it to a double quote.

The value %% or %d (the two are treated identically) may appear within a ProxyHeaders line. This value is replaced with the smaller of the IdleTimeout and SessionTimeout multiplied by the ProxyHeadersTimeoutPercentage or, if the timeouts are not set, with the ProxyHeadersDefaultTime.

Ensure that values for the standard (1.1 and higher) and HTTP 1.0 headers are set properly for requests to the back-end server.

ExpireForProxy="YES" will expire cookie provider redirects carrying the SMSESSION cookie in the query string.
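The rules in the Usage Notes above can be checked against a configuration file. The following is an added example, not code from CA or the Web Agent: it parses Key="Value" lines the way the multi-value rule and the single-quote conversion describe, substitutes %% / %d as the note specifies, and flags a value that is not a well-formed Name: Value header. The parse_config() helper, the constructed CONSTRUCTED_CONF sample, the HEADER_RE check, and reading IdleTimeout and SessionTimeout from the same file (the real Agent gets realm timeouts from the Policy Server) are this example's own assumptions.

```python
"""Added example (not CA's code): turning the ProxyHeaders* parameters above
into the HTTP response headers the Web Agent would send.

From the page: the Key="Value" syntax, repeating a key for multi-value
parameters (no comma or plus sign), the single-quote-to-double-quote
conversion, the %% / %d substitution, and the RFC 822 "Name: Value" form.
Assumed here: parse_config() and the constructed CONSTRUCTED_CONF sample, the
HEADER_RE check, and reading IdleTimeout/SessionTimeout from the same file
(the real Agent gets realm timeouts from the Policy Server).
"""
import re
from collections import defaultdict

# Constructed sample of the relevant lines of a local Agent configuration file.
CONSTRUCTED_CONF = """
# proxy cache headers (constructed sample, not a shipped file)
IdleTimeout="3600"
SessionTimeout="7200"
ProxyHeadersTimeoutPercentage="10"
ProxyHeadersDefaultTime="60"
ProxyHeadersUnprotected="Cache-Control: private"
ProxyHeadersUnprotected="Cache-Control: max-age=%d"
ProxyHeadersUnprotected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"
ProxyHeadersProtected="Cache-Control: private"
ProxyHeadersProtected="Cache-Control: max-age=%%"
ProxyHeadersAutoAuth=""
BadHeader="Cache-Control max-age=60"
"""

# RFC 822 / RFC 2616 header shape: a token, a colon, optional space, a value.
HEADER_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_|~-]+:[ \t]*\S.*$")


def parse_config(text):
    """Parse Key="Value" lines into {lower-cased key: [values]}.

    A repeated key accumulates values, which is how the page says multi-value
    parameters such as ProxyHeadersUnprotected must be written. A single quote
    inside a value becomes a double quote, as the Usage Notes describe.
    """
    params = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key.strip().lower()].append(value.replace("'", '"'))
    return params


def first_int(params, key, default=None):
    values = params.get(key.lower())
    return int(values[0]) if values and values[0] else default


def proxy_max_age(params):
    """Seconds substituted for %% or %d: the smaller of IdleTimeout and
    SessionTimeout times ProxyHeadersTimeoutPercentage, or
    ProxyHeadersDefaultTime when neither timeout is set."""
    pct = first_int(params, "ProxyHeadersTimeoutPercentage", 10)
    timeouts = [t for t in (first_int(params, "IdleTimeout"),
                            first_int(params, "SessionTimeout")) if t]
    if not timeouts:
        return first_int(params, "ProxyHeadersDefaultTime", 60)
    return min(timeouts) * pct // 100


def response_headers(params, key):
    """Expand the headers configured under key; a blanked-out parameter
    (ProxyHeadersUnprotected="") means no proxy headers at all."""
    seconds = str(proxy_max_age(params))
    headers = []
    for value in params.get(key.lower(), []):
        if not value:
            return []
        headers.append(value.replace("%%", seconds).replace("%d", seconds))
    return headers


def headers_for(params, resource_class, http_version="1.1"):
    """Choose the parameter set for unprotected / protected / autoauth content
    and for the request's HTTP version (the *10 variants serve HTTP/1.0)."""
    key = {"unprotected": "ProxyHeadersUnprotected",
           "protected": "ProxyHeadersProtected",
           "autoauth": "ProxyHeadersAutoAuth"}[resource_class]
    if http_version == "1.0":
        key += "10"
    return response_headers(params, key)


def invalid_headers(params, key):
    """Configured values that are not well-formed 'Name: Value' headers."""
    return [v for v in params.get(key.lower(), []) if v and not HEADER_RE.match(v)]
```

With the constructed sample, the smaller timeout (3600 s) at 10 percent yields max-age=360 for both the unprotected and protected header sets, while the BadHeader value is reported because it lacks the colon that RFC 822 requires.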
Security Considerations
Browser sessions can persist after logout, so removing the SMSESSION cookie does not prevent a user from using the same browser session to view previously cached files. This problem occurs because the proxy server is not aware of the logout request and retains any protected or unprotected content in its cache for the cache-control: private user until it times out (cache-control: max-age=60). Thus, such a request would result in a page returned with a valid SMSESSION cookie. The only way to ensure security is to disable keepalives or close the browser. Further, the local browser cache is affected by the private/max-age combination since it observes the local cache across sessions. For this reason, the max-age time for protected resources should be as short as possible.

Employing the if-modified-since and if-none-match request headers when the allowcacheheaders="FALSE" configuration setting is used (the default) does not prevent the proxy server from observing these headers. Thus, these observed headers take effect on the request according to the proxy server. You could work around this issue by installing:
- a Web Agent on the proxy server, or
- another filter that removes these headers from the request.

Since HTTP 1.0 and HTTP 1.1 or higher use different headers for specifying instructions to caching proxies, these versions should be configured in a way that ensures the most appropriate handling based on the type of connection.
New HTTP Header for SiteMinder Processing with Secure Proxy Server
The Secure Proxy Server introduces a new layer in the traditional SiteMinder architecture. This layer forwards or redirects all requests to destination servers in the enterprise. When the Secure Proxy Server processes a request, the URL requested by the user is preserved in an HTTP header variable called SM_PROXYREQUEST. This header may be used by other applications that require the original URL requested by a user before the Secure Proxy Server proxied the request.
You can configure an Apache or Sun Java System Web server to function as a reverse proxy server. A reverse proxy server is a special type of proxy server. A proxy server is located between a client application, such as a browser, and a remote server that is hosting resources. Typically, proxy server applications are deployed as part of a firewall strategy for added security and for efficient delivery of resources to clients. A reverse proxy server acts on behalf of the enterprise to forward requests into a company's internal network, as opposed to forwarding outgoing requests from a private network to the Internet. When a request for a resource is received by a reverse proxy server, the reverse proxy server, which resides in front of the firewall, directs the request to a server behind the firewall. When a reverse proxy server receives a user request, it forwards it to the appropriate resource located on a backend server, as the following figure illustrates.
Reverse proxy servers provide the following advantages:

Facilitate intranet implementation
By setting up a reverse proxy server, users in a cookie domain, such as companyA.com, can access resources on the backend servers seamlessly. However, users outside the domain must authenticate through the reverse proxy server and, typically, a firewall before gaining access to the backend servers.

Provide a single point of entry to resources
Although there may be multiple backend servers hosting different types of resources, users accessing these resources through the reverse proxy server use the same domain name to gain entry to each resource. Having a single point of entry simplifies the user experience.
Figure: Reverse proxy deployment. Requests from the Internet reach an Apache or Sun Java System proxy server running the Web Agent, which forwards them through the firewall to backend IIS servers (one of them over SSL) hosting the marketing resources; the Policy Server behind the firewall uses the policy store and the user store.
When deploying a SiteMinder reverse proxy Agent, note the following:

If a policy has been configured to return response attributes, the variables are sent to both the reverse proxy server and the backend Web server on which the protected resource resides. When a request is made for a protected resource, the Policy Server first sends response attributes (CGI or HTTP variables) to the Agent on the Apache or Sun Java System server. The Agent then puts the response attributes in the request that is sent to the backend server.

If any of the backend servers or protected applications provide their own authentication functionality, that authentication must be disabled. Disabling the backend authentication ensures that SiteMinder's authentication takes precedence.

Important! When configuring the cache for the reverse proxy, be aware that all cookies are cached, including the SMSESSION cookie. For assistance, contact your Apache or Sun Java System vendor for support.

To configure the reverse proxy solution, use the following Agent settings when Web Agents are located behind the Apache reverse proxy server:

1. Set the ProxyAgent value to yes to indicate that this Agent is acting as a reverse proxy Agent.
2. Set the ProxyTimeout parameter to a value (in seconds). The reverse proxy uses this value to time out the requests it makes to the Web Agent deployed behind it. Requests should complete very quickly.
3. Optionally, enable the ProxyTrust parameter. Setting this parameter to yes instructs the Web Agent behind the proxy Agent to trust the session information sent from the proxy Agent and not to re-validate it. Enabling this parameter makes communication more efficient because only one call is made from the proxy Agent to the Policy Server; the Agent behind the proxy does not have to contact the Policy Server. The default for this parameter is no. Because the Agent behind the proxy then accepts whatever session information it is handed, enable ProxyTrust only when that Web server can be reached solely through the proxy Agent.
4. To tell the Apache server which port is set up for SSL, set the httpsports parameter.
Table: Agent behavior with IgnoreQueryData=Yes versus IgnoreQueryData=No (only the column headings are preserved in this excerpt).
Configure SecureURLs
For central Agent configuration, enable SecureUrls in the Agent Configuration Object using the Policy Server User Interface.

For local Agent configuration:
For IIS 5.0, Domino 5.x/6.x, Apache 1.x, and Sun Java System Agents, set the SecureUrls parameter in the WebAgent.conf file.
For IIS 6.0 and Apache 2.0, set the SecureUrls parameter in the LocalConfig.conf file.
For Framework Agents, set the SecureUrls parameter in the LocalConfig.conf file.

The SecureUrls feature is not supported with the FCCCompatMode or the LegacyEncoding parameter enabled. If the SecureUrls parameter is set to yes, the Web Agent ignores the FCCCompatMode and LegacyEncoding parameter values. These parameters are displayed with a value of no in the Agent logs, even if one or both are set to yes in the Agent's Configuration Object or configuration file. For example:

[12/Jul/2005:05:23:57-975-1-0] SecureUrls: 'YES'
[12/Jul/2005:05:23:57-975-1-0] FccCompatMode: 'NO'
[12/Jul/2005:05:23:57-975-1-0] LegacyEncoding: 'NO'
Use IgnoreURL
Note: The IgnoreUrl parameter name is misleading. It is the URI that is ignored, not the entire URL.

Some URIs may not require security. You can instruct the Agent to "ignore" these URIs and not to challenge users who try to access them. For example, if you set the IgnoreUrl parameter to the following value:

http://www.my_company.com/my_server

the URI my_server is ignored.

Note: The setting in this example causes the URI my_server to be ignored when it is encountered in any URL. For example, my_server would be ignored in all the following URLs:

http://www.my_company.com/my_server
http://www.your_company.com/my_server
http://www.their_company.com/my_server

You must enter a fully qualified URL in the IgnoreURL parameter even though this parameter is instructing the Web Agent to ignore only the URI. When you specify a URL for the IgnoreURL parameter, the Web Agent truncates the string after the third forward slash (/) and keeps only what follows. For example, if the specified URL is http://www.mysite.com/directory/page2.html, the Web Agent truncates the string after http://www.mysite.com/ and uses the value /directory/page2.html for the IgnoreURL parameter. It is this URI that also appears in the Web Agent log. If you do not enter a fully qualified URL, the Web Agent ignores the parameter and will not display it in the Agent log file.

To ignore URIs with different names, create a separate entry for each one. For example, in the Agent configuration file, the entries would appear on separate lines, such as:

IgnoreUrl="http://www.my_company.com/my_server"
IgnoreUrl="http://www.my_company.com/your_server"
IgnoreUrl="http://www.my_company.com/their_server"

In the Agent Configuration Object, edit the parameter by selecting the Multivalue option, which lets you enter multiple entries for a single parameter.
Secure Applications
An unauthorized user can append to the end of a URL a bogus file name whose extension the Web Agent is configured to ignore. The Agent then allows the unauthorized user access to the resource. For example, a user might append the string /junk.jpg to the resource /scripts/myapp to get /scripts/myapp/junk.jpg. If the Agent is configured to ignore the extension .jpg, the unauthorized user gains access to /scripts/myapp, because the Web server executes the application and treats /junk.jpg as trailing path information. The SecureApps parameter prevents the Agent from auto-authorizing such URLs. If SecureApps is set to no, the default, the URL /scripts/myapp/junk.jpg would be auto-authorized. If it is set to yes, the Web Agent attempts to discover whether the resource is legitimate or a bogus URL before auto-authorizing it.
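The IgnoreUrl truncation rule and the ignored-extension bypass that SecureApps addresses can both be shown in a few lines. The following is an added example, not CA's code: it reduces an IgnoreUrl value to the URI the Agent keeps, discards values that are not fully qualified URLs, and then contrasts the SecureApps=no decision (made on the requested string alone) with a SecureApps=yes decision made on the resource the server would actually serve. The whole-segment prefix match in is_ignored_uri(), the constructed IGNORE_EXT list and CONSTRUCTED_DOCROOT, and the left-to-right resolution in resolve_resource() are this example's assumptions; the page does not publish how the Web Agent performs its legitimacy check.

```python
"""Added example, not CA's code: how an IgnoreUrl value is reduced to a URI and
why an ignored extension needs SecureApps.

From the page: the three-slash truncation of IgnoreUrl, the rule that a value
which is not a fully qualified URL is discarded, and the
/scripts/myapp/junk.jpg bypass of an ignored .jpg extension. Assumed here: the
prefix match in is_ignored_uri(), the constructed IGNORE_EXT list and
CONSTRUCTED_DOCROOT, and the left-to-right resolution in resolve_resource(),
which stands in for the Web Agent's own (unpublished) legitimacy check.
"""
import posixpath
from urllib.parse import urlsplit


def ignore_url_uri(value):
    """Return the URI the Agent keeps from an IgnoreUrl value, or None when the
    value is not a fully qualified URL (the Agent then drops the entry)."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Everything after scheme://host/ survives, i.e. the string is truncated
    # after the third forward slash and the host is discarded.
    return parts.path or "/"


def is_ignored_uri(request_url, ignore_urls):
    """True when the request path is one of the ignored URIs, whatever the host;
    matching is a whole-segment prefix match (an assumption of this example)."""
    path = urlsplit(request_url).path
    uris = [u for u in (ignore_url_uri(v) for v in ignore_urls) if u]
    return any(path == u or path.startswith(u.rstrip("/") + "/") for u in uris)


# Constructed ignore-extension list for this example.
IGNORE_EXT = (".jpg", ".gif", ".css")


def extension_ignored(path, ignore_ext=IGNORE_EXT):
    return posixpath.splitext(path)[1].lower() in ignore_ext


# Constructed picture of what exists under the Web server's document root.
CONSTRUCTED_DOCROOT = {
    "/scripts/myapp": "application",
    "/images/logo.jpg": "file",
}


def resolve_resource(path, docroot=CONSTRUCTED_DOCROOT):
    """Walk the path from the left; the first prefix that names something real
    is what the server will serve or execute, the remainder is path info."""
    parts = [p for p in path.split("/") if p]
    for i in range(1, len(parts) + 1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in docroot:
            path_info = "/" + "/".join(parts[i:]) if i < len(parts) else ""
            return candidate, path_info
    return None, ""


def auto_authorized(path, secure_apps):
    """SecureApps=no: decide on the requested string alone, so appending
    /junk.jpg to a protected application slips past the Agent.
    SecureApps=yes: decide on the resource that would actually be served."""
    if not secure_apps:
        return extension_ignored(path)
    real, _path_info = resolve_resource(path)
    if real is None:
        return False  # nothing real behind the request: do not auto-authorize
    return extension_ignored(real)
```

The two calls that matter are auto_authorized("/scripts/myapp/junk.jpg", False), which lets the request through on the strength of the .jpg suffix, and the same call with SecureApps enabled, which resolves the request to /scripts/myapp and therefore leaves it protected; a genuine /images/logo.jpg is still auto-authorized either way.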
The IIS 6.0 Web server may filter a URL for bad characters before passing the request to the Web Agent. The server maps a URI to a physical Web resource, such as an HTML page or CGI application. As a result, the Web Agent may not see certain characters from the original URI if the URI is modified during the mapping process. The Web Agent only acts on the resource that the Web server passes to it. You need to consider this when including characters in the BadURLChars parameter. Check the Web Agent logs for information on how the Agent is handling requests.

Note: After the IIS 6.0 Web server filters some characters, it may return an error page instead of passing the request to the Web Agent.

For the BadURLChars parameter:

You can specify characters literally or enter the URL-encoded form of that character. For example, you can enter the letter a or enter the equivalent %61.

You can also specify ranges of characters separated by a hyphen. The syntax is:
<starting_character>-<ending_character>
For example, you can enter a-z as a range of characters.

If you want to specify quotes (") for the BadQueryChars or BadCSSChars parameters, you cannot enter this character in ASCII form; use the hexadecimal equivalent, which is %22. For example:
BadFormChars="<,>,&,%22"

Note: When configuring the Apache 2.0 Reverse Proxy Server and Outlook Web Access (OWA), be sure to turn off the BadURLChars parameter. OWA allows unrestricted characters in the email subject that might be listed in the BadURLChars parameter.

More Information
Configure Reverse Proxy Solutions (see page 61)
Setting                          Result
BadFormChars not set (or "")     No characters are encoded
BadFormChars="<,>,&,%22"         All four characters are encoded: < is encoded as &lt;, > as &gt;, & as &amp;, " (%22) as &quot;
BadFormChars="<,>"               Only the < and > characters are encoded
BadFormChars="%22"               Only the quotation mark (") is encoded
Note: There are no spaces between the opening and closing quotes and the value the quotes enclose. Only directive substitutions are encoded as raw HTML; the source lines in the form template, such as login.fcc, are unchanged. Encoding the substituted values prevents dynamic data containing scripting code from being sent back to the browser as markup rather than as data in the form.
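The BadURLChars syntax described above (literal characters, %XX escapes, ranges, and %22 for a quotation mark) and the BadFormChars encoding of directive substitutions can be exercised together. The following is an added example, not CA's code: parse_bad_chars() expands a parameter value into the set of characters it names, url_has_bad_chars() checks a request both raw and percent-decoded, and render_form() substitutes directives into a template while encoding only the substituted values. The decoded-as-well-as-raw check, the $$name$$ directive syntax, and the standard HTML entities in ENTITIES are this example's assumptions rather than a description of the Web Agent's internals.

```python
"""Added example, not CA's code: parsing a BadURLChars/BadFormChars value and
applying it to a request and to form output.

From the page: the comma-separated syntax, %XX escapes, <start>-<end> ranges,
the rule that a quotation mark must be written as %22, and the rule that only
directive substitutions are encoded, never the template itself. Assumed here:
the decoded-as-well-as-raw check in url_has_bad_chars(), the $$name$$ directive
syntax used by render_form(), and the standard HTML entities in ENTITIES.
"""
from urllib.parse import unquote

ENTITIES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def _decode(token):
    """A literal character or its %XX form; None if it is not one character."""
    ch = unquote(token)
    return ch if len(ch) == 1 else None


def parse_bad_chars(spec):
    """Expand a BadURLChars/BadQueryChars/BadFormChars value into a set."""
    chars = set()
    for item in (t.strip() for t in spec.split(",")):
        if not item:
            continue
        lo = hi = None
        if item != "-" and item.count("-") == 1:      # a range such as a-z
            lo, hi = (_decode(t) for t in item.split("-"))
        if lo and hi:
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
        else:
            ch = _decode(item)
            if ch:
                chars.add(ch)
    return chars


def url_has_bad_chars(url, bad):
    """Reject a URL that carries a bad character either literally or
    percent-encoded; checking only the raw string would miss %3C for <."""
    return any(c in bad for c in url) or any(c in bad for c in unquote(url))


def html_encode(value, bad_form_chars):
    """Encode only the characters named in BadFormChars; characters without a
    named entity get a numeric one."""
    return "".join(ENTITIES.get(c, "&#%d;" % ord(c)) if c in bad_form_chars else c
                   for c in value)


def render_form(template, directives, bad_form_chars):
    """Substitute $$name$$ directives, encoding the substituted values and
    leaving the template's own markup untouched."""
    out = template
    for name, value in directives.items():
        out = out.replace("$$" + name + "$$", html_encode(value, bad_form_chars))
    return out
```

A target value of "><script> injected into a hidden field comes back as &quot;&gt;&lt;script&gt; when BadFormChars names the four characters, while the template's own <input> tag is untouched; with BadFormChars="%22" the angle brackets pass through unchanged, as the table above states.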
SSL Forms Credential Collector (SFCC)
Like the FCC, the SFCC gathers credentials based on HTML forms, but only for the X509 Cert or Forms authentication scheme. The forms that the SFCC presents are based on templates that end in the file extension .sfcc. For example, the Web Agent is installed with a form called login.sfcc, which you can customize and use as a login form.

Note: If an X509 Certificate or Form or X509 Certificate or Basic authentication scheme is protecting a requested resource, and the user submits an expired or invalid certificate, the SSL handshake fails and no further processing takes place. The Web server then displays a custom error.
Note: 5.x and 6.x credential collectors operate differently from 4.x credential collectors. In a "mixed environment" that contains 4.x and higher Agents, you must consider how to configure a 6.x credential collector so it can communicate with a 4.x Web Agent.

Note: To configure authentication schemes, see the "Authentication Schemes" chapter in CA eTrust Policy Design.

More Information
Configure Credential Collectors in a Mixed Environment (see page 98)
When you configure an authentication scheme that uses a credential collector, or set up single sign-on across multiple cookie domains, the relevant MIME type is used as a file extension for a file referenced by the authentication scheme or single sign-on configuration. For example:

When configuring single sign-on across multiple cookie domains, you enter a URL like the following to identify the cookie provider:
http://myserver.company.com:80/siteminderagent/SmMakeCookie.ccc
SmMakeCookie.ccc is the default cookie provider name. You can use this name or create a name of your own; however, it must have the .ccc extension to initiate single sign-on.

For Windows authentication, the default target file to enable this scheme is:
/siteminderag­ent/ntlm/creds.ntc
Again, you must use a file with the correct MIME type as the extension.

The FCC and SFCC are the only credential collectors that require actual files to exist on the Web server where the Agent is installed. These collectors are for forms-based authentication schemes. The .fcc and .sfcc templates are required to define the HTML form presented to the user.
Credential Collector             MIME Type
Cookie Provider                  .ccc
Forms Credential Collector       .fcc
SSL Credential Collector         .scc
SSL Forms Credential Collector   .sfcc
NTLM Credential Collector        .ntc
Note: Be sure to uncomment the parameter in the file. If you do not want to use the default extensions or the defaults are already in use for other purposes, enter your own extensions and the Web Agent will honor them. For example, if you set FCCExt to .myext for the FCC, and rename the FCC template to use this extension, for example, login.myext, the Web Agent will recognize URLs ending in .myext as forms authentication requests.
The following tables list guidelines on how to configure 5.x/6.x and 4.x FCCs and NTCs and how each behaves in a mixed environment.

Notes:

Beginning with Web Agent 5.0, NTLM credential collectors can redirect users from non-IIS Web Servers to IIS Web Servers.

For framework Web Agents, refer only to the instructions where FCC compatibility mode is disabled.

FCC guidelines (table; only the headings and the cell text are preserved in this excerpt, not which cell belongs to which row and column)

Rows (Web Agent protecting resources): 4.x QMR 5 or 4.x QMR 6; 5.x or 6.x
Columns: 5.x/6.x FCC in FCC Compatibility Mode; 5.x/6.x FCC - FCC Compatibility Mode Disabled
Cell text:
- FCC issues a session cookie. Certificate and Forms authentication works. Certificate or Forms authentication works.
- FCC issues a credential cookie. Certificate and Forms authentication will not work. Certificate or Forms authentication will not work.
- Agent issues a credential cookie. Certificate and Forms authentication will not work. Certificate or Forms authentication works. (appears in two cells)

NTC guidelines (table; same limitation)

Rows (Web Agent protecting resources): 4.x QMR 5, 4.x QMR 6; 5.x or 6.x
Columns preserved: 5.x/6.x FCC - FCC Compatibility Mode Disabled; 4.x QMR 2/3/4 NTC
Cell text:
- NTC issues a session cookie. (two cells)
- NTC issues a credential cookie. (two cells)

SCC guidelines (table; the heading of the first result column is not preserved)

Web Agent protecting resources: 4.x QMR 5 or 4.x QMR 6
- Agent issues an SSL credential cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the Web server is over SSL.
- 5.x/6.x SCC: Create mappings in the AgentName parameter or set AgentNamesAreFQHostNames to Yes. SCC issues a session cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the Web server is over SSL.

Web Agent protecting resources: 5.x or 6.x
- Agent issues an SSL credential cookie. Certificates can be collected without redirecting requests.
- 5.x/6.x SCC: SCC issues a session cookie. Certificates can be collected without redirecting requests.
Note: For more information about directives that can be added to FCC templates, see CA eTrust Policy Design.
Map Agent Identities and Web Servers for Use By FCCs and SCCs
The AgentName parameter and its associated IP addresses provide mappings between Web server interfaces and Agent names defined in the policy store. Web Agents need to make Agent API calls in the proper Agent name context for the correct set of rules and policies to apply. If the Web Agent is acting as a forms or SSL credential collector, it needs the name of the Web Agent protecting the requested resource and a user's credentials to process requests. By default, SiteMinder includes the Agent name in the URL that redirects the user from the Web Agent to the credential collector. However, if you are working with other applications, you can map the AgentName parameter to the name and IP address of each host using the collector. The credential collector uses the mappings to resolve the Agent name. The following are example values for the AgentName parameter:

myagent1,123.1.1.12
myagent, www.sitea.com
You can add these advanced features to the Agent configuration file or an Agent Configuration Object.
For example, to use FCC Password Services for Japanese users, put a copy of the following files in the folder formsja, located in <web_agent_home>/samples:

smpwservices.fcc, located in <web_agent_home>/samples/forms
smpwservices.unauth, located in <web_agent_home>/samples/forms
A new properties file, smpwservicesja.properties

Each file requires modifications, such as changing the English messages to Japanese. However, do not alter the format of these files.
Note: If you are using Registration Services (DMS2) together with Password Services, note that Password Services no longer uses SM_LOCALE to determine localized settings. Instead, it uses the ACCEPT_LANGUAGE variable from the user's browser. Although DMS2 still passes the value of SM_LOCALE to Password Services, this value is disregarded in favor of the ACCEPT_LANGUAGE variable.
Domino stores data in groups of Notes databases. Resources in a Notes database can be a variety of objects, such as documents, views, forms, and navigators. These objects can include text, video, graphics, and audio content. Notes objects are opened using a URL. To make Notes objects available for the Web, Domino dynamically creates Web pages from the objects in the Notes database. In the case of database views, Domino also creates URL links to the documents in a view. The dynamic creation of pages from the Notes database provides users with the most current information.
Domino Aliases
One of the Notes database conventions is to create aliases for objects. For example, the alias might identify a resource by its Notes ID or Replica ID instead of the object name. Using aliases makes programming easier for developers because the names of the Notes resources can change without requiring code changes. The following Domino URLs access the same resource, though the resource is identified by its aliases:

http://www.domino.com/85255e01001356a8852554c20756?OpenView
http://www.domino.com/85267E00075A80C/people?OpenView
http://www.domino.com/__852567E00075A80C.nsf/people?OpenView

Regardless of how a resource is identified, the Domino Web Agent converts all Domino naming conventions into a standard URL based on the name of the database resource. This simplifies data entry into the SiteMinder policy store. For example, the following Domino URLs point to the people view in the names.nsf database. The database and view are referred to by Replica ID and Notes ID:

http://www.domino.com/85255e01001356a8852554c20756?OpenView
http://www.domino.com/85267E00075A80C/people?OpenView

The Domino Web Agent converts these URLs to a standard URL, as follows:

http://www.domino.com/names.nsf/people?OpenView

The following figure shows the conversion of aliases to a named object.
Identified to the Domino Server As   Notes
Super User                           Super User must be defined in the Domino Directory
Actual User                          User must be in the Domino Directory
Default User                         User must be in the Domino Directory
Super User                           The requested resource is automatically authorized, meaning that no authentication challenge will be presented to the user
More Information Authenticate as the Actual User or the Default User (see page 124)
Modify the Domino Default User and the Domino Super User
To modify the DominoDefaultUser and DominoSuperUser parameters, do one of the following:

Change them in the Agent Configuration Object, if configuring centrally. You can modify the DominoDefaultUser and DominoSuperUser settings in the Agent Configuration Object, and you can choose whether the values are encrypted or in plain text.
Note: To modify parameters in the Agent Configuration Object, see CA eTrust Policy Design, the chapter on Agents and Agent Groups.

Modify the parameters in the Agent configuration file using the encryptkey tool. In the Agent configuration file, the DominoDefaultUser and DominoSuperUser values must be encrypted. Consequently, you have to modify these values using the encryptkey tool.
Important: Do not edit these settings directly in the Agent configuration file.
Example 1: Protecting one document and all its aliases

For access to page1 and all its aliases, you create only one rule for the realm db1.nsf. The Domino Agent is able to interpret all the different naming conventions and convert them to one standard URL format. For your realms and rules, do the following:

When creating a realm, specify a resource filter for the database where page1 resides. For example, to protect all files in the database you would configure the following:
Resource filter: /db1.nsf/

To protect not only page1 but all its aliases, you would configure the following:
Resource filter: /db1.nsf/page1

To create a rule that protects any action on page1, enter an asterisk (*) in the Resource field of the Rule Properties dialog box. For example:
Resource: *

This * wildcard indicates that any action, such as ?Open or ?EditDocument, can be performed on page1 by the users that are bound to the policy.

Example 2: Protecting different documents in the same database

To protect page2 in the db1.nsf database in addition to page1, you need to create a second rule:
Resource filter: /db1.nsf/page2
Resource: *

Example 3: Protecting different actions on a single resource

To protect individual actions on a resource, for example if you want only some users to perform the action ?EditDocument and all users to perform the action ?ReadForm, each action requires its own rule for each resource, as follows:

Rule 1
Resource filter: /db1.nsf/page1
Resource: ?OpenView

Rule 2
Resource filter: /db1.nsf/page1
Resource: ?EditDocument

You could also use one rule as follows:
Resource filter: /db1.nsf/page
Resource: ?Open*

Note: In the Resource field, there is no forward slash (/) before ?Open.

Even if there are aliases for this resource, the one rule protects the original page and all its aliases. Instead of creating several rules for different actions, you could specify a single rule and use wildcards to cover all actions, for example:
Resource filter: /db1.nsf/page
Resource: ?Open*

With this rule, you are protecting the resource:
http://www.acme.com/db1.nsf/page*?Open*

Note: If you want a rule to be literal, write a regular expression.

More Information
Log Off Users from User Sessions Using Full Logoff (see page 170)
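The alias conversion described under Domino Aliases and the realm/rule examples above fit together: the Agent normalizes the URL first, then evaluates the realm's resource filter and the rule's Resource against the result. The following is an added example, not CA's code. The three example URLs for the people view, the resource filters and the ?Open* rule come from the page; the ALIASES table is constructed for this example, because the real Agent asks Domino what a Replica ID or Notes ID refers to, and treating the Resource field as a pattern in which only * is a wildcard (so ?OpenView matches literally) is this example's reading of the text.

```python
"""Added example, not CA's code: the alias-to-standard-URL conversion and the
realm/rule matching described for the Domino Web Agent.

From the page: the three example URLs for the people view in names.nsf, the
resource filters and the ?Open* rule. Assumed here: the ALIASES table, which
is constructed for this example because the real Agent resolves Replica IDs
and Notes IDs by asking Domino, and the reading of the Resource field as a
pattern in which only * is a wildcard, matched against what follows the
realm's resource filter.
"""
import re
from urllib.parse import urlsplit

# Constructed alias table (lower-cased IDs -> named database or database/view).
ALIASES = {
    "85267e00075a80c": "names.nsf",
    "852567e00075a80c": "names.nsf",
    "85255e01001356a8852554c20756": "names.nsf/people",
}


def normalize_domino_url(url):
    """Rewrite a Replica-ID or Notes-ID URL into /<database>.nsf/<view>?<action>.
    Leading underscores and a .nsf suffix on the ID are stripped before lookup;
    a URL that already names its database is returned unchanged."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return url
    key = segments[0].lstrip("_").lower()
    if key.endswith(".nsf"):
        key = key[:-4]
    named = ALIASES.get(key)
    path = "/" + "/".join(([named] if named else [segments[0]]) + segments[1:])
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme}://{parts.netloc}{path}{query}"


def _resource_pattern(resource):
    """Turn the Resource field into a regex: * matches anything, every other
    character (including ? and .) is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in resource.split("*")) + "$")


def rule_matches(url, resource_filter, resource):
    """Apply one realm/rule pair: the realm's resource filter must be a prefix
    of the normalized path, and the rule's Resource must match the rest,
    which includes the ?action part of the URL."""
    parts = urlsplit(normalize_domino_url(url))
    full = parts.path + ("?" + parts.query if parts.query else "")
    if not full.startswith(resource_filter):
        return False
    return _resource_pattern(resource).match(full[len(resource_filter):]) is not None
```

All three aliased forms normalize to http://www.domino.com/names.nsf/people?OpenView, so a single rule with resource filter /names.nsf/people and Resource ?Open* covers them; against /db1.nsf/page1 the rule ?Open* admits ?OpenView and ?OpenDocument but not ?EditDocument, which is the distinction Example 3 draws.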
Parameter: LogAppend
How to Configure: Set this parameter to yes to add logging information to an existing log file instead of rewriting the entire file each time logging is invoked. The default is no.

Parameter: LogFileSize
How to Configure: Set this parameter if you want to roll over a log file after it reaches a specific size. Enter a value in megabytes, for example, 80. Rolling over a log file starts a new log file, which prevents a single log file from becoming unmanageable. If you accept the default value for this parameter, which is 0, the log file will not roll over. New log files are named by appending the date and timestamp to the original name. For example: myfile.log.09-18-2003-16-07-07. You are responsible for archiving or removing old files.
Note: Rolling logs are not supported for Apache 1.x and Sun Java System on UNIX systems. For these platforms, accept the default, 0, or leave this setting blank.

Parameter: LogLocalTime
How to Configure: Set this parameter to no if you want the logs to use Greenwich Mean Time (GMT). By default, the logs use local time, so the parameter is set to yes.
You can set these parameters in an Agent Configuration Object at the Policy Server or locally in the Agent configuration file. For example, in the configuration file the parameters might look as follows:

LogFile="yes"
LogFileName="/export/iPlanet/servers/https-myserver/logs/errors.log"
LogAppend="no"
LogFileSize="80"
LogLocalTime="yes"

Note: Web Agents installed on an IIS 6.0 or Apache 2.0 Web server do not support dynamic configuration of log parameters set locally in the Agent configuration file. Consequently, when you modify a parameter, the change does not take effect until the Agent is restarted. However, these log settings can be stored and updated dynamically if you configure them in an Agent Configuration Object at the Policy Server. For Web Agents that protect IIS 6.0 servers, log files are created when the first user request is submitted. For Apache 2.0 Web Servers, log files are created when the Apache server starts.
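The following is an added example, not part of the Web Agent, that parses Name="value" lines of the kind shown above and reports settings that conflict with the rules in this section: a non-zero LogFileSize on a platform where rolling logs are not supported, a LogFileSize of 0 that never rolls over, and LogAppend=no overwriting the file. The sample configuration text is the one shown above; the assumption that LogFile=yes is what turns the log file on is marked in the code.

```python
import re
from typing import Dict, List

# Constructed sample of a local Agent configuration file, using the parameter
# values shown above; this is example code, not a file shipped with the product.
SAMPLE_CONF = '''\
LogFile="yes"
LogFileName="/export/iPlanet/servers/https-myserver/logs/errors.log"
LogAppend="no"
LogFileSize="80"
LogLocalTime="yes"
'''

_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')

def parse_agent_conf(text: str) -> Dict[str, str]:
    """Parse Name="value" lines into a dict, keys lower-cased so lookups are case-insensitive."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def check_log_settings(params: Dict[str, str], rolling_supported: bool = True) -> List[str]:
    """Report settings that conflict with the rules stated above.

    rolling_supported is False for Apache 1.x and Sun Java System on UNIX,
    where LogFileSize must stay 0 (or blank).
    """
    findings: List[str] = []

    def is_yes(name: str, default: str) -> bool:
        return params.get(name, default).strip().lower() == "yes"

    if not is_yes("logfile", "no"):  # assumption: LogFile=yes is what turns the log file on
        findings.append("LogFile is not set to yes; the other log parameters have no effect")
        return findings
    if not params.get("logfilename"):
        findings.append("LogFileName is missing")
    size = params.get("logfilesize", "").strip() or "0"   # blank means the default, 0
    if not size.isdigit():
        findings.append(f"LogFileSize must be a whole number of megabytes, got {size!r}")
    elif int(size) > 0 and not rolling_supported:
        findings.append(f"LogFileSize={size} but rolling logs are not supported on this platform; "
                        "set it to 0 or leave it blank")
    elif int(size) == 0:
        findings.append("LogFileSize=0: the log file never rolls over, so archive it yourself")
    if not is_yes("logappend", "no"):
        findings.append("LogAppend=no: the log file is overwritten each time logging starts")
    if not is_yes("loglocaltime", "yes"):
        findings.append("LogLocalTime=no: timestamps are in GMT")
    return findings

if __name__ == "__main__":
    settings = parse_agent_conf(SAMPLE_CONF)
    for platform, supported in (("IIS 6.0", True), ("Apache 1.x on UNIX", False)):
        print(platform, check_log_settings(settings, rolling_supported=supported))
```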
More Information Configure the Trace Configuration File (see page 144)
Parameter: TraceAppend
How to Configure: Set to yes to add logging information to an existing file instead of rewriting the entire file each time logging is invoked. The default is no.

Parameter: TraceFormat
How to Configure: Specify how the trace.conf file should display messages. The default value is default. Formatting options are:
fixed: fields with a fixed width
delim: fields delimited by a user-specified character
xml: fields and messages enclosed in XML-like tags. There is no DTD or style sheet provided with the Web Agent.
default: fields enclosed in square brackets []

Parameter: TraceDelimiter
How to Configure: Set this to a character that serves as a custom delimiter, which separates fields in the trace.conf file. For example, the pipe character (|).

Parameter: TraceFileSize
How to Configure: Enter a value in megabytes, for example, 80, dictating the maximum size of the file. This file rolls over after it reaches the specified size. Rolling over a log file starts a new file, which prevents the log file from becoming unmanageable. If you accept the default value for this parameter, 0, the log file will not roll over.
Note: Rolling logs are not supported for Apache 1.x and Sun Java System on UNIX systems. For these platforms, accept the default, 0, or leave this setting blank.

Parameter: LogLocalTime
How to Configure: Set this parameter to no if you want the logs to use GMT. By default, the logs use local time, so the parameter is set to yes.
1. If you modified the TraceConfigFile parameter, restart the Web Agent to use the new trace configuration file.
2. Configure the WebAgentTrace.conf file so that the Web Agent monitors the activity of interest to you.
Note: Web Agents installed on an IIS 6.0 or Apache 2.0 Web server do not support dynamic configuration of log parameters set locally in the Agent configuration file. Consequently, when you modify a parameter, the change does not take effect until the Agent is restarted. However, these log settings can be stored and updated dynamically if you configure them in an Agent configuration object on the Policy Server. For Web Agents that protect IIS 6.0 servers, the log file is created when the first user request is submitted. For Web Agents that protect Apache 2.0 servers, the log file is created when Apache starts up.
Component: AgentFramework
Description: All Agent framework messages. (Applies only to framework agents.)

Component: AffiliateAgent
Description: Web Agent messages related to the 4.x Affiliate Agent, which is part of Federation Security Services, a separately-purchased product. (Applies only to framework agents.)

Component: SAMLAgent
Description: Web Agent messages related to the SAML Affiliate Agent. (Applies only to framework agents.)

Component: HTTPAgent
Description: Messages specific to the Web Agent. (Applies only to framework agents.)

Component: WebAgent
Description: All Web Agent log messages. Applies to all Agents except IIS 6.0 or Apache 2.0 Agents.

Component: Agent_Functions
Description: All Agent API messages.

Component: Agent_Connection_Manager
Description: Messages related to internal processing of the Agent API.
For example: components:WebAgent,Agent_Functions If you do not want to log events for an entire component, you can specify a sub-component. This is done on the components line of the file, for example: components: WebAgent/sso This sample entry would log only the single sign-on messages for all Web Agents configured on your Web server. There is a specific set of sub-components for each main component, as shown in the following table. For an explanation of each subcomponent, see the WebAgentTrace.conf file.
Component: AgentFramework
Subcomponents: Administration, Filter, HighLevelAgent, LowLevelAgent, LowLevelAgentWP

Component: WebAgent
Subcomponents: AgentCore, Cache, Authentication, Responses, Management, SSO, Filter

Component: Agent_Functions
Subcomponents: Init, UnInit, IsProtected, Login, ChangePassword, Validate, Logout, Authorize, Audit, FreeAttributes, UpdateAttributes, GetSessionVariables, SetSessionVariables, DeleteSessionVariables, Tunnel, GetConfig, DoManagement

Component: Agent_Connection_Manager
Subcomponents: (not listed on this page)

Data Field: SessionID
Description: the SiteMinder session ID

Data Field: UserDN
Description: the User DN

Data Field: Resource
Description: the requested resource

Data Field: Action
Description: the requested action

Data Field: RealmOID
Description: the realm OID

Component: Agent_Connection_Manager
Messages Collected: Provides tracing information for the Agent Connection Manager.

Component: Agent_Functions
Messages Collected: Provides tracing information for Agent API calls made by the Web Agent.
# For example, an actual configuration file might look like:
#
# components: WebAgent
# data: TransactionID, Function, IPAddr, Resource, Action, Message
# Resource: !=/default.asp
#
# The remainder of this file lists the components, sub-components,
# data fields, and filters you can use in the trace configuration file.
#
# COMPONENTS
# The available components for the Web Agent are:
#
#   AgentFramework - All Agent Framework messages. This component is only for the IIS 6.0 agent.
#   AffiliateAgent - Web Agent messages for 4.x Affiliate Agent support. This component is only for framework agents.
#   SAMLAgent - Web Agent messages for SAML Affiliate Agent support. This component is only for framework agents.
#   HTTPAgent - All Web Agent messages for framework agents.
#   WebAgent - All Agent log messages. This component is for all Agents other than framework agents.
#   AgentFunc - All Agent API messages.
#
# SUB-COMPONENTS
# You can log sub-components instead of entire components.
# To specify sub-components, include the following entry on
# the "components" line of the configuration file:
#
#   <component>/<subcomponent>
#
# For example: WebAgent/AgentCore
#
# The available sub-components are:
#
#   AgentFramework:
#     Administration - All Agent administration messages.
#     Filter - All filter messages. The filter interfaces with the web server.
#     HighLevelAgent - High level request processing messages.
#     LowLevelAgent - Low level request processing messages. The Low Level Agent interfaces with the Agent Api.
#     LowLevelAgentWP - Worker process messages.
#
#   AffiliateAgent:
#     RequestProcessing - Core Affiliate Agent request processing messages.
#
#   SAMLAgent:
#     RequestProcessing - Core SAML request processing messages.
#
#   HTTPAgent:
#     AdvancedAuthentication - All advanced authentication messages, such as Forms or Certificates.
#     RequestProcessing - Core request processing messages.
#     SingleSignOn - Single sign-on messages.
#
#   WebAgent:
#     AgentCore - All core messages to the Agent.
#     Cache - All cache messages.
#     Authentication - All authentication messages.
#     Responses - All response messages.
#     Management - All DoManagement messages.
#     SSO - All single sign-on messages.
#     Filter - All filter messages.
#
# DATA FIELDS
# Use data fields to define what each trace message contains
# for a given component.
#
# Data fields are:
#
#   Message - The actual trace message.
#   SrcFile - The source file and line number of the trace message.
#   Pid - The process ID.
#   Tid - The thread ID.
#   Date - The date.
#   Time - The time.
#   PreciseTime - The time including milliseconds.
#   Function - The function containing the trace message.
#   User - The name of the user.
#   Domain - The SiteMinder domain.
#   Realm - The SiteMinder realm.
#   AgentName - The Agent name being used.
#   TransactionID - The transaction ID.
#   DomainOID - The SiteMinder domain oid.
#   IPAddr - The client IP address.
#   IPPort - The client IP port.
#   CertSerial - The certificate serial number.
#   SubjectDN - The subject DN of the certificate.
#   IssuerDN - The Issuer DN of the certificate.
#   SessionSpec - The SiteMinder session spec.
#   SessionID - The SiteMinder session id.
#   UserDN - The User DN.
#   Resource - The requested resource.
#   Action - The requested action.
#   RealmOID - The realm OID.
# FILTERS
# Use Filters to focus on a specific area of Web Agent operation.
# For example, for problems with index.html pages, use the filter,
#
#   Resource: ==/index.html
#
# Add filter entries after the "components" and "data field" entries.
# The syntax is:
#
#   <data_field>:<filter>
#
# The <filter> specifies boolean logic (== or !=) followed by a value. The
# value should be an exact match (i.e. /index.html does NOT match
# /RealmA/index.html).
#
# For example:
#
#   Resource: !=/default.asp
#   Resource: ==/index.html
# For all other Web Agents:
components: WebAgent
data: Date, Time, Pid, Tid, TransactionID, Function, Message
[][OnPreProcHeaders][][][][Request handled, exiting.]
[][OnEndOfNetSession][][][][Received request.]
[][OnReadRawData][][][][Received request.]
[][OnReadRawData][][][][Nothing to do, exiting...]
[][OnPreProcHeaders][][][][Received request.]
[35041aac-1238-3f83160b-1118-013718be][Process][][][][Request HOST: 'jsmith.netegrity.com'.]
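The following is an added example, not part of the Web Agent, showing how the default TraceFormat lines above map onto the data line of the sample configuration (TransactionID, Function, IPAddr, Resource, Action, Message) and how the exact-match filter syntax (== and !=) from the FILTERS section selects records. The first three sample lines are the ones shown above; the last three, with IPAddr, Resource and Action filled in, are constructed so that the filters have something to act on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Example code added here, not the Web Agent's own trace writer or filter engine.
# Field order follows the data line of the sample configuration shown above:
#   data: TransactionID, Function, IPAddr, Resource, Action, Message
DATA_FIELDS = ["TransactionID", "Function", "IPAddr", "Resource", "Action", "Message"]

# First three lines are from the sample output above; the last three are constructed.
SAMPLE_TRACE = """\
[][OnPreProcHeaders][][][][Request handled, exiting.]
[][OnReadRawData][][][][Received request.]
[35041aac-1238-3f83160b-1118-013718be][Process][][][][Request HOST: 'jsmith.netegrity.com'.]
[35041aac-1238-3f83160b-1118-013718be][Process][10.0.0.5][/index.html][GET][Resolved realm.]
[35041aac-1238-3f83160b-1118-013718be][Process][10.0.0.5][/default.asp][GET][Resolved realm.]
[35041aac-1238-3f83160b-1118-013718be][Process][10.0.0.5][/RealmA/index.html][GET][Resolved realm.]
"""

_FIELD = re.compile(r"\[([^\]]*)\]")
_FILTER = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(==|!=)\s*(.*?)\s*$")

def parse_trace_line(line: str, fields: List[str] = DATA_FIELDS) -> Optional[Dict[str, str]]:
    """Map one default-format line (each field in square brackets) onto the data fields.

    Returns None when the field count does not match, so banners or continuation
    lines are skipped instead of being mis-assigned.
    """
    values = _FIELD.findall(line.strip())
    if len(values) != len(fields):
        return None
    return dict(zip(fields, values))

def parse_filter(entry: str) -> Tuple[str, str, str]:
    """Parse 'Resource: !=/default.asp' into ('Resource', '!=', '/default.asp')."""
    m = _FILTER.match(entry)
    if not m:
        raise ValueError(f"bad filter entry: {entry!r}")
    return m.group(1), m.group(2), m.group(3)

def filter_allows(record: Dict[str, str], filters: List[Tuple[str, str, str]]) -> bool:
    """Exact-match semantics: == keeps only equal values, != drops equal values."""
    for field, op, value in filters:
        actual = record.get(field, "")
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True

def select_records(trace_text: str, filter_entries: List[str],
                   fields: List[str] = DATA_FIELDS) -> List[Dict[str, str]]:
    """Parse every line of a trace and keep those that pass all filter entries."""
    filters = [parse_filter(f) for f in filter_entries]
    out = []
    for line in trace_text.splitlines():
        rec = parse_trace_line(line, fields)
        if rec is not None and filter_allows(rec, filters):
            out.append(rec)
    return out

if __name__ == "__main__":
    for rec in select_records(SAMPLE_TRACE, ["Resource: ==/index.html"]):
        print(rec["Function"], rec["Resource"], rec["Message"])
```

Note that `Resource: ==/index.html` keeps only the exact path: the constructed /RealmA/index.html line is dropped, which is the behaviour the FILTERS comment describes.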
More Information Configure Automatic Logon (see page 164) Configure the Challenge/Response Authentication Scheme (see page 165) Specify an NTLM Credential Collector (see page 166)
Click OK.
To configure the virtual directory and ensure it requires NT challenge and response for credentials:
1. Open the Internet Services Manager.
2. Select Default Web Site and right-click Properties.
3. Select the Directory Security tab.
4. In the Anonymous Access and Authentication Control group box, click Edit.
5. Do the following:
   a. Deselect Allow Anonymous Access.
   b. Select Integrated Windows authentication.
Note: You may need to reboot and then verify that the virtual directory and its appropriate settings are still valid.
Note: If you are using replicated user directories with non-replicated policy stores, the user directory must be named identically for all policy stores. Also, the session ticket key, which encrypts session tickets, must be the same for all key stores in the SSO environment. The session ticket determines the duration of a valid user session.
More Information Configure MIME Types for Each Credential Collector (see page 95) Modify Single Sign-On Settings (see page 180) Compare IP Addresses to Prevent Security Breaches (see page 86)
Require Cookies
Cookies are used to provide secure single sign-on in a SiteMinder environment and to track session and idle time-outs. It is important to require cookies if you want to strictly enforce all time-outs and make sure that single sign-on functions properly. By default, cookies are required. RequireCookies is a special setting that is useful only if basic authentication was set during the Policy Server configuration. This setting instructs the agent to require either an SMSESSION or an SMCHALLENGE cookie in order to successfully process HTTP requests, including basic Authorization headers. If you configure the Web Agent to require cookies, a user's Web browser must accept HTTP cookies. If the browser does not, the user receives an error message from the Agent denying them access to all protected resources. If the Web Agent does not require cookies, but the user's Web browser is accepting cookies, the Web Agent functions normally; however, the user may get challenged for their credentials unexpectedly and the Web Agent may not strictly enforce time-outs.
Note: If you are doing central Agent configuration, these parameters will have to be added to the Agent Configuration Object. They will be present in the sample WebAgent.conf and LocalConfig.conf files. Session timeouts are part of realm configuration that takes place at the Policy Server. Note: For further instructions on configuring session timeouts, see CA eTrust Policy Design.
Ignore the Cookie Provider for POST Requests (framework agents only)
When a framework Agent sends a POST request to a traditional Web Agent configured as a cookie provider, the redirected request becomes a GET instead of a POST and fails. To control whether or not a POST request is sent to a cookie provider, use the LegacyCookieProvider parameter. This parameter is only valid for framework Agents. If this parameter is set to NO, which is the default, the framework Agent sends the POST request to the cookie provider. If this parameter is set to YES, the framework Agent does not send the POST request to the cookie provider. Note: If you are using central configuration, you will have to add this parameter to the Agent Configuration Object.
Domain Name: server.myorg.com
Cookie Domain Scope: 2

Domain Name: server.division.myorg.com
Cookie Domain Scope: 3

Domain Name: server.subdivision.division.myorg.com
Cookie Domain Scope: 4
For example, the domain division.myorg.com has a scope of 3. By default, the Web Agent assumes a scope of 2; cookie domains cannot have a scope of 1.
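The following is an added example, not part of the Web Agent, that derives the cookie domain a given scope selects from a server's host name using the rule above (a scope of n keeps the right-most n labels; the default is 2 and a scope of 1 is not allowed), and checks which hosts a cookie set for that domain is sent to. Whether the Agent writes the domain with a leading dot is not stated on this page, so the function does not add one; the host names are the ones from the table.

```python
from typing import Dict

# Example code added here, not the Web Agent's implementation.

def cookie_domain(host: str, scope: int = 2) -> str:
    """Cookie domain for `host` at the given scope (default 2, as the text states)."""
    labels = [part for part in host.strip().lower().split(".") if part]
    if scope < 2:
        raise ValueError("cookie domains cannot have a scope of 1")
    if scope > len(labels):
        # Assumption: a scope wider than the host name itself cannot be honoured.
        raise ValueError(f"scope {scope} exceeds the {len(labels)} labels in {host!r}")
    return ".".join(labels[-scope:])

def cookie_domain_table(host: str) -> Dict[int, str]:
    """Every legal scope for a host and the domain it selects; reproduces the table above."""
    count = len([part for part in host.split(".") if part])
    return {n: cookie_domain(host, n) for n in range(2, count + 1)}

def host_in_domain(host: str, domain: str) -> bool:
    """True if a browser would send a cookie scoped to `domain` when requesting `host`."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    for n, dom in cookie_domain_table("server.subdivision.division.myorg.com").items():
        print(f"scope {n}: {dom}")
    # A cookie scoped to division.myorg.com reaches every host in that division
    # but not a host directly under myorg.com.
    print(host_in_domain("app.division.myorg.com", "division.myorg.com"))   # True
    print(host_in_domain("server.myorg.com", "division.myorg.com"))         # False
```

The wider the scope, the narrower the set of hosts that share the cookie: scope 2 lets every host under myorg.com take part in single sign-on, scope 3 confines the cookie to division.myorg.com.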
Term: Central configuration
Definition: A mechanism by which a Web Agent borrows its configuration properties from a Web Agent configuration object defined in the policy store.

Term: Cookie provider
Definition: A mechanism by which single sign-on is implemented in Web Agents across multiple domains. One of the domains is designated as the master domain, and the Web Agents from the other domains are re-directed to a Web Agent in the master domain to provide them with the cookies in that domain.

Term: Single sign-on (SSO)
Definition: A mechanism by which a user authenticated once will not be rechallenged for credentials.

Term: SSO security zone
Definition: A sub-set of SSO, defined by an arbitrary identifier (zone name) used to segment application SSO within a single cookie domain. All applications in the same SSO zone allow SSO amongst themselves. SSO to and from other SSO zones may or may not be allowed as defined by zone trust relationships.

Term: Trusted zone
Definition: A foreign zone trusted by a local zone for SSO.
With SSO Security Zones, APP1 can be placed in zone Z1 and APP2 can be placed in zone Z2. Now logging into APP1 creates a Z1SESSION cookie and access to APP2 results in a Z2SESSION cookie. With different names, the cookies no longer overwrite each other so there is only one login per application now, not one for each time the user moves between the applications as in the example above. Prior to the SSO Security Zones feature, the only way to perform the same grouping of SSO for applications was to create different network domains and therefore different cookie domains (CA1.COM, CA2.COM, and so on), and use various multi-cookie domain configurations with cookie providers. This is not desirable in most enterprises, since using multiple network domains has certain IT maintenance and support consequences.
The trust relationship in the above figure is indicated by the arrow, meaning that the user sessions established in Zone A can be used for single sign-on in Zone B. In this example, Zone A might be an administrator-only zone, while Zone B might be a common access zone. An administrator authenticated in Zone A gains access to Zone B without being rechallenged. However, a user authenticated in Zone B is re-challenged when trying to access Zone A. User sessions in different zones are independent of each other. Suppose a user authenticates in Zone B first, and then authenticates again in Zone B. Two different sessions are created. In fact, the user may have different identities in both sessions. When the user returns to Zone A, the session established in that zone is used. Consider what would happen if a user is validated using single sign-on in a zone where that user does not yet have a session. If the user authenticates in Zone A and then visits Zone B for the first time, then a user session is created in Zone B, based on the session information in Zone A, possibly updated by the Policy Server. Note that the user session in Zone A is not updated until the user returns to Zone A.
In this figure, Zone C trusts both Zone A and Zone B. Neither Zone A nor Zone B trusts any other zone, but all zones trust themselves. When a user makes a request in Zone C, the Web Agent looks for a session or identity cookie in the trusted zones, in the order in which the zones are listed. In this example, Zone C has a list of trusted zones that include C, A, and B. The following is an order of events that might occur:
1. The Web Agent first checks to see if the user has a session in Zone C.
2. If no session is found, the Web Agent checks to see if the user has a session in Zone A.
3. If no session is found, the Web Agent checks to see if the user has a session in Zone B.
4. The session specification from each cookie that is found is used to process authentication requests until a successful login occurs.
5. After a successful authentication, the Web Agent proceeds to authorization.
6. If no cookies are found or no cookies pass authentication, the agent challenges the user for credentials as usual.
Note that the user experience may depend on the order in which the zones are accessed. In this example, if the user accesses Zone B first followed by Zone C, the user's identity in Zone B is also used in Zone C. If the user accesses Zone A first followed by Zone B and Zone C, the user's identity in Zone A is used, despite the fact that the user was re-challenged in Zone B before going to Zone C. This will also be the case when sessions with different max and idle session timeouts begin to expire. In the current example, a user with valid cookies in Zone A and Zone C will first get access with the Zone C cookie. If the Zone C cookie expires, the Zone A cookie will be used if it has not expired. Therefore, the user's identity could change from a Zone C identity to a Zone A identity without a credential challenge occurring. Two or more Web Agents may have different lists of trusted zones but still use a common trusted zone name. In this case, the agents implicitly trust each other but will not trust the same foreign zones. This functionality enables applications to be segmented for single sign-on. A Web Agent supports only a single sign-on zone name. All session, identity, and state cookies generated by that agent use the same single sign-on zone name. Therefore, if two applications do not share the same single sign-on trust requirements, they must be hosted on separate Web servers each with its own Web Agent and list of trusted zones.
Note: Foreign zones refer to zones other than the one supported by a given Web Agent. For example, if an agent is configured with SSOZoneName=Z1, then any other zone would be foreign to it. This includes the default zone SM.
Parameter: SSOZoneName
Description: Enter the name of the single sign-on zone a Web Agent is to support. This parameter is case sensitive. If left empty or not specified, it defaults to SM.

Parameter: SSOTrustedZone (Multi-Valued)
Description: Define the ordered list of trusted SSOZoneNames. This parameter is case sensitive. Use SM to add the default zone if necessary. Agents always trust their own SSOZoneName above all other trusted single sign-on zones. If not specified, it defaults to SM or the SSOZoneName if provided.
If the user is validated in a single sign-on zone in which that user has not yet established a session, the session specification returned by the Policy Server is used to create a new session cookie for that zone. When a new cookie is created, its zone parameter is set to the zone name, in order to prevent the user from swapping cookies from different zones by simply renaming them. The cookie validation engine verifies if the zone name matches the prefix used in the cookie's name. This applies only to SESSION and IDENTITY cookies.
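The following is an added example, not the Web Agent's implementation, that models two things described in this section: the ordered trusted-zone lookup (own SSOZoneName first, then the SSOTrustedZone list, defaulting to SM) from the Zone A/B/C walkthrough above, and the check just described that a SESSION cookie's name prefix must match the zone stamped into it, so that a cookie from one zone cannot be reused in another by renaming it. A session cookie is modelled as a small record with a zone, a constructed user name and an expired flag; the real cookie payload is opaque and is decoded by the Policy Server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Example code added here, not the Web Agent's own cookie handling.

@dataclass
class SessionCookie:
    zone: str               # zone name stamped into the cookie when it was created
    user: str               # identity carried by the session (constructed)
    expired: bool = False   # stand-in for a max or idle timeout having elapsed

def trusted_order(zone_name: str, trusted_zones: Optional[List[str]]) -> List[str]:
    """Own zone first, then the SSOTrustedZone entries in configured order, no duplicates.

    An empty SSOZoneName means the default zone SM; an absent SSOTrustedZone list
    means the agent trusts only its own zone, as the parameter table states.
    """
    zone = zone_name or "SM"
    order = [zone]
    for z in (trusted_zones or [zone]):
        if z not in order:
            order.append(z)
    return order

def cookie_zone_valid(cookie_name: str, cookie: SessionCookie) -> bool:
    """Reject a renamed cookie: the name prefix must equal the zone inside the cookie."""
    if not cookie_name.endswith("SESSION"):
        return False
    return cookie_name[: -len("SESSION")] == cookie.zone

def resolve_session(cookies: Dict[str, SessionCookie], zone_name: str,
                    trusted_zones: Optional[List[str]] = None) -> Optional[Tuple[str, SessionCookie]]:
    """Return (zone, cookie) for the first usable session in trust order, or None.

    None means no cookie was found or none passed validation, which is the
    point at which the agent challenges the user for credentials.
    """
    for zone in trusted_order(zone_name, trusted_zones):
        name = f"{zone}SESSION"
        cookie = cookies.get(name)
        if cookie is None or not cookie_zone_valid(name, cookie) or cookie.expired:
            continue
        return zone, cookie
    return None

if __name__ == "__main__":
    # Zone C agent trusting C, A and B; the user holds an expired C session and a live A session.
    browser = {"CSESSION": SessionCookie("C", "alice", expired=True),
               "ASESSION": SessionCookie("A", "admin-alice")}
    print(resolve_session(browser, "C", ["C", "A", "B"]))   # falls back to the Zone A identity
    # A B-zone cookie renamed to ASESSION fails the zone check and is ignored.
    print(resolve_session({"ASESSION": SessionCookie("B", "bob")}, "C", ["C", "A", "B"]))
```

The fallback from an expired Zone C cookie to a live Zone A cookie is exactly the identity change without a credential challenge that the text warns about, which is why the order of SSOTrustedZone matters.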
To simplify the task of maintaining responses, define a separate response for each type of event. For example, define one response for an OnAccept event and another response for an OnReject event. Creating a separate response makes it easier to find attributes when you need to modify response values. The following table lists the Web Agent response attributes.
Response Attribute: WebAgent-HTTP-Authorization-Variable
Description: Defined and reserved for future SiteMinder use.

Response Attribute: WebAgent-HTTP-Cookie-Variable
Description: Generates a SetCookie header, which then sets a non-persistent cookie in a Web browser. The cookies only exist in the cookie domain where the Web Agent is configured. You can enter multiple WebAgent-HTTP-Cookie-Variables.

Response Attribute: WebAgent-HTTP-Header-Variable
Description: Allows you to specify an arbitrary dynamic name/value pair for use by a Web application. You can enter multiple WebAgent-HTTP-Header-Variables. The Web Agent does not include header variables in the responses that it sends back to a Web browser. Instead, these responses, generated by the Policy Server, reside in the request headers of the Web server. Consequently, the header variables will not be visible in the debug logs that you can enable from the Policy Server Management Console.

Response Attribute: WebAgent-OnAuthAccept-Session-Idle-Timeout
Description: Overrides the number of seconds a user session can be idle. Once this limit is reached, the user is forced to reauthenticate. Associate this response with a rule configured with an OnAuthAccept authentication event.

Response Attribute: WebAgent-OnAuthAccept-Session-Max-Timeout
Description: Overrides the total number of seconds a user session can be active. Once this limit is reached, the user session is terminated and the user is forced to re-authenticate. Associate this response with a rule configured with an OnAuthAccept authentication event.

Response Attribute: WebAgent-OnReject-Redirect
Description: In an authorization response, this defines a URL to redirect the user to if the user is denied access to a resource. In an authentication response, this defines a URL to redirect the user to if the user has failed to authenticate for a security realm. To determine whether or not this is an authorization or authentication response, include it in a policy with a rule that specifies an OnAuthReject or OnAccessReject event action.

Response Attribute: WebAgent-OnAccept-Redirect
Description: In an authorization response, this defines a URL to redirect the user to if the user is allowed access to a resource. In an authentication response, this defines a URL to redirect the user to if the user was authenticated for a security realm. To determine whether or not this is an authorization or authentication response, include it in a policy with a rule that specifies an OnAuthAccept or OnAccessAccept event action.

Response Attribute: WebAgent-OnReject-Text
Description: Text that the Web Agent puts in the HTTP_ONREJECT_TEXT environment variable when it redirects the user after a failed authorization or authentication attempt.

Response Attribute: WebAgent-OnAccept-Text
Description: Text that the Web Agent puts in the HTTP_ONACCEPT_TEXT environment variable when it redirects the user after a successful authorization or authentication attempt.
Note: For detailed information about configuring responses and response attributes, see CA eTrust Policy Design. Note: When configuring response attributes note that the maximum buffer size for the Web server for agent responses is 32 KB. There is no length limit of a response other than the total buffer size.
If the Web Agent does not pass along a user security context, then the REMOTE_USER variable cannot be set. The lack of a user security context forces the IIS Web server to use the credentials from the HTTP_Authorization header that the Agent modified; however, that header is incomplete because it contains only the user name.

If the Web Agent does pass along a user context of some type, which depends on how other parameters are set, such as DefaultUserName, DefaultPassword, or ForceIISProxyUser, then the IIS Web server ignores the incomplete HTTP_Authorization header in favor of the credentials provided by the Web Agent.
Header Variable: HTTP_SM_AUTHDIRNAME
Description: The name of the directory against which the Policy Server authenticates the user. The administrator specifies this directory in the SiteMinder User Directory dialog box in the Policy Server User Interface.

Header Variable: HTTP_SM_AUTHDIRNAMESPACE
Description: The directory namespace against which the Policy Server authenticates the user. The administrator specifies this namespace in the SiteMinder User Directory dialog box in the Policy Server User Interface.

Header Variable: HTTP_SM_AUTHDIROID
Description: Directory object identifier (OID) from the Policy Server database.

Header Variable: HTTP_SM_AUTHDIRSERVER
Description: The directory server against which the Policy Server authenticates the user. The administrator specifies this directory server in the SiteMinder User Directory dialog box in the Policy Server User Interface.

Header Variable: HTTP_SM_AUTHREASON
Description: The code the Web Agent returns to the user after a failed authentication attempt or secondary authentication challenge.

Header Variable: HTTP_SM_AUTHTYPE
Description: Type of authentication scheme the Policy Server uses to verify the user's identity.

Header Variable: HTTP_SM_DOMINOCN
Description: User's Domino canonical name if a Domino LDAP directory is used to authenticate users. For example: HTTP_SM_DOMINOCN="CN=jsmith/O=netegrity".

Header Variable: HTTP_SM_REALM
Description: SiteMinder realm in which the resource exists.

Header Variable: HTTP_SM_REALMOID
Description: Realm object ID that identifies the realm where the resource exists. This ID may be used by third party applications to make calls to the Policy Server.

Header Variable: HTTP_SM_SDOMAIN
Description: Agent's local cookie domain.

Header Variable: HTTP_SM_SERVERIDENTITYSPEC
Description: Policy Server identity ticket, which keeps track of the user identity. The Web Agent uses this to access content protected by anonymous authentication schemes so it can personalize the content for the user.

Header Variable: HTTP_SM_SERVERSESSIONID
Description: A unique string identifying a user session.

Header Variable: HTTP_SM_SERVERSESSIONSPEC
Description: Ticket that contains user session information. Only the Policy Server knows how to decode this information.

Header Variable: HTTP_SM_SESSIONDRIFT
Description: Amount of time the Web Agent can keep a session active using the information in its cache before validating the session with the Policy Server. The session server at the Policy Server must be enabled and a session validation period must be configured for this header to be set.

Header Variable: HTTP_SM_TIMETOEXPIRE
Description: Amount of time remaining for a SiteMinder session.

Header Variable: HTTP_SM_TRANSACTIONID
Description: Agent-generated unique ID for each user request.

Header Variable: HTTP_SM_UNIVERSALID
Description: Policy Server-generated universal user ID. This ID is specific to the customer and identifies the user to the application, but it is not the same as the user login.

Header Variable: HTTP_SM_USER
Description: Login name of the authenticated user. If a user does not provide a user name at log in, such as certificate-based authentication, then this variable is not set.

Header Variable: HTTP_SM_USERDN
Description: An authenticated user's distinguished name as determined by the Policy Server. For anonymous authentication schemes, this returns a Globally Unique Identifier (GUID).

Header Variable: HTTP_SM_USERMSG
Description: The text that the Agent presents to the user after an authentication attempt. Some authentication schemes supply challenge text or a reason why an authentication has failed.
More Information Disable Default HTTP Header Variables (see page 224)
The following Perl CGI script returns all the environment variables to the browser, not just SiteMinder variables.

#!/export/home/iplanet/server4/install/perl
# Echo every CGI environment variable (the HTTP_SM_* headers included) as an HTML list.
print "content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";
print "<TITLE>echo cgi env. vars.</TITLE>\n";
print "</HEAD>\n";
print "<BODY>\n";
print "<H2>Echo CGI Environment Variables</H2>\n";
print "<HR>\n";
print "<H3>Environment Variables</H3>\n";
print "<UL>\n";
foreach $key (sort keys %ENV) {
    print "<LI>$key = $ENV{$key}\n";
}
print "</UL>\n";
print "</BODY>\n";
print "</HTML>\n";
' (the opening lines of the GetAttribute function are not on this page)
' Take the text that follows the attribute name and its separator,
' then cut it at the next line feed to isolate the attribute's value.
    Result = mid(AllAttrs, Location + Len(RealAttrName) + 1)
    Location = instr(Result, chr(10))
    If Location <= 0 Then Location = len(Result) + 1
    GetAttribute = left(Result, Location - 1)
End Function
%>
Term: HTTP header
Definition: A name/value pair that describes a single element of an HTTP request.

Term: Custom IP header
Definition: A user-defined HTTP request header used by intermediate HTTP network applications or hardware devices to store the requestor's IP address.

Term: IP Checking
Definition: Feature that enables the Web Agent to check requests for authenticity by comparing the REMOTE_ADDR in the request with the REMOTE_ADDR value stored in the SMSESSION cookie, after an initial request. This feature is also known as IP validation.

Term: REMOTE_ADDR
Definition: Web server variable representing the IP address of the HTTP client making a request to the Web server. Also known as REMOTE_IP or CLIENT_IP. This differs from the Requestor IP Address when a proxy server, NAT firewall, or other network service or device sits between the requestor and the target Web server.

Term: Requestor
Definition: The initiator of an HTTP request, typically a user at a browser.

Term: Requestor IP Address
Definition: The IP address of the user making the original HTTP request.

Term: Single sign-on
Definition: Feature that requires a user to enter credentials for secure access to a protected Web site only once during a session.

Term: SMSESSION cookie
Definition: HTTP mechanism used by Web Agents to track single sign-on state.
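The following is an added example, not the Web Agent's code, that models the IP checking decision defined in the terms above: the address recorded with the session at the initial request is compared with the address of each later request. When a proxy or NAT device sits in front of the server, REMOTE_ADDR is the device's address, so the requestor address is read from a custom IP header instead, but only when such a header is configured and present. The header name HTTP_X_CLIENT_IP and all addresses are constructed for the example; the assumption that a multi-valued header lists the original requestor first is marked in the code.

```python
import ipaddress
from typing import Mapping, Optional

# Example code added here, not the Web Agent's own IP validation.

def requestor_ip(env: Mapping[str, str], custom_ip_header: Optional[str] = None) -> str:
    """Pick the address that identifies the requestor for this request.

    env models the Web server's request variables (REMOTE_ADDR plus HTTP_* headers).
    The custom header is only trustworthy when the intermediate device that sets it
    also strips any copy supplied by the client; that is a deployment property,
    not something this function can verify.
    """
    if custom_ip_header:
        raw = env.get(custom_ip_header, "")
        if raw:
            # Assumption: devices may append addresses, with the original requestor first.
            first = raw.split(",")[0].strip()
            ipaddress.ip_address(first)   # raises ValueError on a malformed value
            return first
    return env["REMOTE_ADDR"]

def ip_check_passes(session_ip: str, env: Mapping[str, str],
                    custom_ip_header: Optional[str] = None) -> bool:
    """True only if the current requestor address equals the one stored with the session.

    Anything that cannot be resolved to a valid address fails closed.
    """
    try:
        current = ipaddress.ip_address(requestor_ip(env, custom_ip_header))
        stored = ipaddress.ip_address(session_ip)
    except (KeyError, ValueError):
        return False
    return current == stored

if __name__ == "__main__":
    # Constructed requests: one direct, one arriving through a proxy at 192.0.2.10.
    direct = {"REMOTE_ADDR": "10.1.1.1"}
    proxied = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_CLIENT_IP": "10.1.1.1, 192.0.2.10"}
    print(ip_check_passes("10.1.1.1", direct))                       # True
    print(ip_check_passes("10.1.1.1", proxied))                      # False: REMOTE_ADDR is the proxy
    print(ip_check_passes("10.1.1.1", proxied, "HTTP_X_CLIENT_IP"))  # True: custom header consulted
```

Without the custom header, every user behind the same proxy presents the same REMOTE_ADDR, so the check would pass for one user's cookie presented from another user's browser behind that proxy and fail for a legitimate user whose path to the server changed; the custom header is what restores the comparison to the requestor's own address.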
Use Lower Case HTTP in Headers (for Sun Java System, Apache, Domino)
If you have server applications that are case-sensitive, you can specify the case of the Agent's HTTP headers. The Web Agent defaults to lower case headers. For example, Sun Java System Web servers, by default, provide the HTTP header variables in lower-case, such as http_sm_user. Note: IIS Web Agents do not benefit from this feature, because IIS forces all headers to an upper case format. To use lower case headers, set the LowerCaseHTTP parameter to yes. If you require upper-case header variables, set LowerCaseHTTP to no.
Note: See the "Authentication Schemes" chapter in CA eTrust Policy Design for information about using forms authentication templates. Note: SMUSRMSG is supported for the custom authentication scheme only when FCCCompatMode is set to yes.
The following dialog box is an example of a custom require cookies error page.
This customized page provides specific instructions to the user to help them solve the problem. Note: For an Apache server being used as a proxy or reverse proxy server, the Apache Agent will not return custom SiteMinder error pages, but will return the standard Apache HTTP 500 and 403 error pages. More Information Web Agent Error Codes (see page 253)
Appendix A: Troubleshooting
This section contains the following topics: Check Logs for Start-up Errors (see page 245) Check Error and Trace Logs (see page 245) Solve Problems (see page 245)
Solve Problems
The following sections discuss potential Web Agent problems and the actions you can take to diagnose and solve them.
Solaris/Sun Java System Web Agent Not Loading or Web Server Not Starting
Issue: The Solaris/Sun Java System Web Agent is not loading or the Web server is not starting, and the lines are properly entered in the obj.conf file (see previous table entry). Solution: Check the error log for the server in the file:
/iplanet/servers/https-servername/logs/errors
Solaris/Sun Java System Web Agent Not Communicating with Policy Server
Issue: The Solaris/Sun Java System Web Agent is loading, but it is not communicating with the Policy Server. Solution: Make sure the Agent configuration file includes the EnableWebAgent parameter and it is set to yes. The default setting is no. Check that the Agent has TCP connectivity to the Policy Server. If there is a firewall between the Web Agent and the Policy Server, be sure that TCP ports 44441, 44442, and 44443 are not blocked by the firewall for two-way traffic.
Apache Web Server Will Not Start/Restart When Web Agent is Enabled
Issue: The Apache Web server will not start or restart when the Web Agent is enabled.
Solution: If the Web server will not start:
- Check the Apache error log located in <apache_server_home>/logs/error_log and look for SiteMinder errors.
- The Apache Web Agent may be trying to allocate more shared memory or semaphores than your kernel is set to allow. See the CA eTrust SiteMinder Web Agent Installation Guide for information about tuning Solaris for the Apache Web Agent.
- If you start your Apache Web server from multiple user accounts, you may have orphaned semaphores on your system. Reboot or use the ipcrm -s command to remove the orphaned semaphores. It is recommended that you always start the Web server from the same user account.
If the Web server will not restart, do not use the restart command. Use the stop and start commands to restart the server.
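As an added example (not from the CA guide), the following POSIX shell helpers script the checks above: they pull SiteMinder lines out of the Apache error_log and list, per owner, the semaphore sets reported by ipcs -s, so that sets left behind by a start from another account can be reviewed before any ipcrm -s is run. The Linux-style ipcs -s column layout (key, semid, owner, perms, nsems) and the www-data account name used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CA documentation: helpers for the Apache
# start-up checks (SiteMinder errors in error_log, orphaned semaphore sets).
# Assumes "ipcs -s" prints Linux-style rows: key semid owner perms nsems.

# Print SiteMinder-related lines from an Apache error_log (oldest first).
siteminder_log_errors() {
    grep -i 'siteminder' "$1"
}

# Read "ipcs -s" output on stdin and print the semaphore ids owned by USER.
# Data rows are recognised by a hexadecimal key (0x...) in the first column,
# which skips the banner and header lines.
semaphore_ids_for_owner() {
    awk -v user="$1" '$1 ~ /^0x/ && $3 == user { print $2 }'
}

# Emit, but do not run, the ipcrm commands that would remove USER's sets.
# Review the list first: a set owned by the account that currently runs the
# web server is in use, not orphaned.
ipcrm_commands_for_owner() {
    semaphore_ids_for_owner "$1" | awk '{ print "ipcrm -s " $1 }'
}

# Count semaphore sets per owner. Sets held by more than one account is the
# symptom the guide describes for starting the server from multiple users.
semaphore_owners() {
    awk '$1 ~ /^0x/ { count[$3]++ } END { for (o in count) print o, count[o] }' | sort
}

# Typical interactive use (assumed paths):
#   siteminder_log_errors /opt/apache/logs/error_log
#   ipcs -s | semaphore_owners
#   ipcs -s | ipcrm_commands_for_owner olduser    # inspect, then run by hand
```

After removing orphaned sets, restart with separate stop and start commands rather than restart, as the solution text states.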
iPlanet WebServer Shows Blank Page When Using Basic over SSL
Issue: iPlanet WebServer shows a blank page when using Basic over SSL. The way Microsoft Internet Explorer (MSIE) handles SSL version 3 (SSLv3) and Transport Layer Security (TLS) keep-alive connections causes interoperability problems with non-Microsoft Web servers such as iPlanet Web server. When accessing a Web server over SSL (https://) connections, Internet Explorer may inappropriately display error messages or blank pages.
Solution: iPlanet Web Server 6.0 SP2 introduces new functionality to work around this problem. Two remedies are possible:
1. Add the following line immediately below the <Object name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
This line instructs the server to not send a close_notify alert when it closes SSLv3 connections from MSIE browsers. The close_notify packet is a required component of the SSLv3 and TLS specifications, but it is misinterpreted by MSIE.
Note: The close_notify packet is used in SSLv3 and TLS connections to inform the other party in the transaction that the connection is being closed. Instructing iPlanet WebServer to not send the close_notify packet may make MSIE vulnerable to a truncation attack.
2. Add the following line immediately below the <Object name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*" keep-alive="disabled"
This line instructs the server to disable keep-alive connections for Internet Explorer browsers. Disabling keep-alive connections may decrease your server's performance.
Web Agent Error Codes
00-0002: Investigate the Web Agent acting as the secure credential collector (SCC) and verify its configuration. Typically, this error only occurs when the SCC agent cannot acquire credentials from its environment, indicating a possible configuration error.
00-0005: Investigate the Web Agent acting as the forms credential collector (FCC) and verify its configuration. Typically, this error only occurs when the FCC agent cannot acquire credentials from its environment, indicating a possible configuration error.
00-0006 (NTLM): Investigate the Windows authentication scheme setup to verify the configuration.
00-0007 (Protected resource not found in resource cache as expected; ASCII encoding error): This is an internal Web Agent error. Investigate the Web Server and Web Agent to diagnose possible service instability. Contact Customer Support with the Web Agent log and configuration files available for review.
00-0008: This error indicates a bad certificate or that the user is not authenticated. Try a different certificate or investigate the SSL authentication scheme configuration for possible issues.
00-0009: Try a different certificate or username/password pair. Investigate the SSL authentication scheme configuration for possible issues. This error indicates a general failure that resulted in blocked access. Investigate the Web Agent and Policy Server logs to determine the root cause of the failure.
00-0010: This indicates a general failure in Forms or SSL based advanced authentication that resulted in blocked access. Investigate Web Agent and Policy Server logs to determine the root cause of the failure. Also, investigate the advanced authentication scheme setup for issues.
00-0012 (Encryption Error): This indicates an internal Web Agent error. Investigate the Web Server and Web Agent to diagnose a possible service instability. Also, review the Key Store setup to verify that the proper Agent Keys are in use. Contact Customer Support with the Web Agent log and configuration files available for review.
00-0013: One or more errors occurred during startup, preventing valid configuration of the Web Agent. On Windows, check the Application Event Log for more information. For Apache agents, check the Apache error log for more information. For Sun Java System UNIX agents, start Sun Java System from a shell prompt and look for possible errors displayed there through STDERR. Check that the SmHost.conf file exists (host is registered properly) and contains valid entries. Check that the Agent Configuration file contains a valid HostConfigFile entry that points to a valid SmHost.conf file. Check that AgentConfigObject contains a valid value.
The following table lists Web Agent HTTP header parsing error codes, their meanings, and what action to take for a particular error.
HTTP Header Parsing Error Codes (10-0001, 10-0002, 10-0003)
Meaning: Unable to read 'SERVER_NAME' HTTP variable; unable to read 'URL' HTTP variable; unable to read 'method' HTTP variable; unable to read 'host' HTTP variable; unable to read 'URI' HTTP variable. Action to take: Check that the Web browser and Web server are HTTP 1.0-compliant.
Meaning: URL too long. Action to take: Increase the MaxUrlSize parameter; the default setting is 4096 bytes.
The following table lists SiteMinder communication error codes, their meanings, and what action to take for a particular error.
SiteMinder Communication Error Codes
20-0001: Unable to reach SiteMinder accounting server or an unexpected Policy Server error occurred.
20-0002: Unable to reach SiteMinder authentication server or an unexpected Policy Server error occurred.
20-0003: Unable to reach SiteMinder authorization server or an unexpected Policy Server error occurred.
Action to take (all three codes): Check Policy Server logs for more information on the error. Check connectivity between the Web Agent and the Policy Server by pinging the Policy Server. If a firewall is configured between the Agent and the Policy Server, check that it is not blocking the appropriate service port: accounting: 44441, authentication: 44442, authorization: 44443.
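As an added example (not part of the CA documentation), the following POSIX shell script checks the conditions that the "not communicating with Policy Server" issue, startup error 00-0013 and the 20-000x communication errors point at: EnableWebAgent set to yes, a HostConfigFile entry that resolves to a readable SmHost.conf, a non-empty AgentConfigObject, and TCP reachability of ports 44441 (accounting), 44442 (authentication) and 44443 (authorization). It assumes the Key="Value" line format of WebAgent.conf; the demo function writes a constructed configuration to a temporary directory rather than reading a real agent's files.

```shell
#!/bin/sh
# Added example, not part of the CA documentation: pre-flight checks for a
# Web Agent that loads but does not talk to the Policy Server (EnableWebAgent,
# firewall ports) and for startup error 00-0013 (SmHost.conf, HostConfigFile,
# AgentConfigObject). Assumes Key="Value" lines as in WebAgent.conf.

# Print the value of KEY ($2) from FILE ($1), quotes and whitespace stripped.
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=//; s/"//g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Check the settings the troubleshooting text and error 00-0013 name.
# Returns 0 when every check passes, 1 otherwise; failures go to stderr.
check_agent_config() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    enabled=$(conf_value "$conf" EnableWebAgent | tr 'A-Z' 'a-z')
    if [ "$enabled" != "yes" ]; then
        echo "EnableWebAgent is '${enabled:-unset}'; it must be yes (default is no)" >&2; rc=1
    fi

    hostconf=$(conf_value "$conf" HostConfigFile)
    if [ -z "$hostconf" ]; then
        echo "HostConfigFile is not set" >&2; rc=1
    elif [ ! -r "$hostconf" ]; then
        echo "HostConfigFile points to an unreadable file: $hostconf" >&2; rc=1
    fi

    if [ -z "$(conf_value "$conf" AgentConfigObject)" ]; then
        echo "AgentConfigObject is empty" >&2; rc=1
    fi
    return $rc
}

# TCP connect to HOST ($1) PORT ($2): 0 on success, 1 on failure.
# Uses nc when present; otherwise bash's /dev/tcp (no timeout, bash only).
check_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        (exec 3<>"/dev/tcp/$1/$2") >/dev/null 2>&1
    fi
}

# Check the three Policy Server service ports listed in the guide.
check_policy_server_ports() {
    host="$1"; rc=0
    for entry in "44441 accounting" "44442 authentication" "44443 authorization"; do
        set -- $entry
        if check_port "$host" "$1"; then
            echo "$2 port $1 on $host: reachable"
        else
            echo "$2 port $1 on $host: NOT reachable (check the firewall for two-way TCP)" >&2; rc=1
        fi
    done
    return $rc
}

# Demo on a constructed configuration (assumed ACO name agent1-aco).
demo_with_constructed_config() {
    dir=$(mktemp -d)
    : > "$dir/SmHost.conf"   # constructed, empty: only readability is checked here
    printf 'EnableWebAgent="YES"\nHostConfigFile="%s/SmHost.conf"\nAgentConfigObject="agent1-aco"\n' \
        "$dir" > "$dir/WebAgent.conf"
    check_agent_config "$dir/WebAgent.conf"; rc=$?
    rm -rf "$dir"
    return $rc
}
```

Typical use is `check_agent_config /path/to/WebAgent.conf && check_policy_server_ports policyserver.example.com` (both paths assumed); a non-zero exit identifies which of the guide's checks failed before the agent logs are consulted.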
SiteMinder Password Services Error Codes
30-0026: Password Services Redirect URL is not available. Action to take: Check that you have configured the redirection URL for password services.
More Information: Custom Error Handling For Applications (see page 239)
Parameter and More Information:
- BadUrlChars: Specify Bad URL Characters (see page 81)
- CacheAnonymous (dynamic updates not supported by framework agents): Cache Anonymous Users (see page 90)
- CCCExt: Configure MIME Types for Each Credential Collector (see page 95)
- ConformToRFC2047: Disable Conformance to RFC 2047 (see page 235)
- CookieDomain: Modify the Cookie Domain (see page 195)
- CookieDomainScope: Implement Cookie Domain Resolution (see page 192)
- CookieProvider: Specify the Cookie Provider (see page 180)
- CookieValidationPeriod
- ConstructFullPwsvcUrl: Use a Fully Qualified URL for Password Services Redirects (see page 115)
- CSSChecking: Protect Web Sites Against Cross-Site Scripting (see page 84)
- CSSErrorFile: Custom Error Handling For Applications (see page 239)
- Custom401ErrorFile: Custom Error Handling For Applications (see page 239)
- CustomIpHeader: Configure IP Address Validation (see page 230)
- DecodeQueryData: Decode Query Data (see page 67)
- DefaultAgentName: Set the Agent Name and Default Agent Name Identities (see page 39)
- DefaultPassword (IIS only): Use the IIS Default User Name and Password (see page 160)
- DefaultUsername (IIS only): Use the IIS Default User Name and Password (see page 160)
- DeleteCerts: Delete Certificates from Stronghold (Apache Agent Only) (see page 110)
- DisableAuthSrcVars: Disabling Default HTTP Header Variables (see page 224)
Default Value column, as extracted: .ccc yes Empty 0 No default Empty no yes No default No default No default no No default No default No default no no
Parameter and More Information:
- DisableDotDotRule: Handling Complex URIs (see page 80)
- DisablePostDataLimit (not used by framework agents): Limiting Size of Post Data (IIS 5.0 Agent only) (see page 73)
- DisableSessionVars: Disable Default HTTP Header Variables (see page 224)
- DisableUserNameVars: Disable Default HTTP Header Variables (see page 224)
- DominoDefaultUser (Domino only): Modify the Domino Default User and the Domino Super User (see page 125)
- DominoLegacyDocumentSupport (Domino only): Handle User-Requested Actions on Lotus Notes Documents (see page 129)
- DominoLookUpHeaderForLogin (Domino only): Use a SiteMinder Header for Authentication (see page 127)
- DominoSuperUser (Domino only): Authenticate as the Domino Super User (see page 124)
- DominoUseHeaderForLogin (Domino only): Use a SiteMinder Header for Authentication (see page 127)
- EnableAuditing: Configure Auditing to Track User Activity (see page 167)
- EnableMonitoring: Use Web Agent Monitoring (see page 38)
- EnableOtherAuthTrans: Handle Multiple AuthTrans Functions (Sun Java System only) (see page 238)
- EnableWebAgent (Agent configuration file only): Enable and Disable Web Agents (see page 38)
- EncryptAgentName: Encrypt the Agent Name (see page 40)
- EnforcePolicies (not used by framework agents): Enforce Policies (see page 39)
- EnforceRealmTimeouts: Enforce Timeouts Across Multiple Realms (see page 187)
- ExpireForProxy (Proxy servers only): Configure Agents that Sit behind Proxy Servers (see page 56)
Default Value column, as extracted: no no No default no no No default No default no no no no yes yes no no
Parameter and More Information:
- FCCCompatMode (Netscape 4.x browser is not supported if you set this parameter to no): Configure Credential Collectors in a Mixed Environment (see page 98)
- FCCExt: Set Up Credential Collectors for IIS and Domino Web Servers (see page 96)
- ForceCookieDomain: Force the Cookie Domain (see page 191)
- ForceFQHost: Force Fully Qualified Domain Names (see page 194)
- ForceIISProxyUser (IIS only): Use an IIS Proxy User Account (IIS only) (see page 160)
- GetPortFromHeaders (required for Apache Agents): Use the HTTP HOST Request for the Port Number (see page 72)
- HostConfigFile (Agent configuration file only; IIS 6.0 and Apache 2.0 dynamic updates not supported): Use an Agent Configuration File (see page 28)
- HTTPHeaderEncodingSpec: Set the HTTP Header Encoding Spec (see page 234)
- HttpsPorts (required for Apache Agents; can be used by others): Define HTTPS Ports (see page 237)
- IgnoreCPForNotprotected (traditional agents only): Ignore the Cookie Provider for Unprotected Resources (see page 190)
- IgnoreExt: Ignore File Extensions (see page 76)
Default Value column, as extracted: .fcc no no no no No default No default Empty no .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc No default no No default no
Parameter and More Information:
- IgnoreHost: Specify Virtual Servers to be Ignored by the Web Agent (see page 53)
- IgnoreQueryData: Ignore Query Data (see page 67)
- IgnoreUrl: Use IgnoreURL (Sun Java System, Apache, Domino only) (see page 71)
- InsecureServer (IIS 5 only; not used by framework agents): Physically Secure a User's Security Context (IIS 5.0 only) (see page 159)
- FCCForceIsProtected: Force an FCC to Establish Realm Context for Forms Authentication (see page 104)
Default Value column, as extracted: yes no
Other More Information topics listed in this part of the table: Ignore the Cookie Provider for POST Requests (framework agents only) (see page 191); Accommodate Legacy URL Encoding (see page 110)
- LegacyVariables
Other More Information topics listed in this part of the table: Additional Parameters for Framework Agents (see page 29) (two entries); Set Up and Enable Error Logging (see page 139) (four entries); Log Off Users from User Sessions Using Full Logoff (see page 170); Use Lower Case HTTP in Headers (for Sun Java System, Apache, Domino) (see page 233)
- MaxResourceCacheSize (dynamic updates not supported by framework agents): default 700; Set the Maximum Resource Cache Size (see page 89)
- MaxSessionCacheSize (dynamic updates not supported by framework agents): default 700; Set the Maximum User Session Cache Size (see page 90)
Parameter, Default Value and More Information:
- MaxUrlSize: 4096; Set a Maximum URL Size (see page 72)
- NTCExt: .ntc; Specify an NTLM Credential Collector (see page 166)
- OverlookSessionForMethods: No default; Avoid SMSESSION Cookie Creation and Updates (see page 182)
- OverlookSessionForUrls: No default; Avoid SMSESSION Cookie Creation and Updates (see page 182)
- OverrideIgnoreExtFilter: No default; Protect Resources Without Extensions (see page 78)
- P3PCompactPolicy: No default; Accommodate P3P Compact Policies (IIS Agent only) (see page 72)
- PersistentCookies: no; Set Persistent Cookies (see page 183)
- PersistentIPCheck: yes; Enable IP Checking of Cookies to Prevent Security Breaches (see page 86)
- PreserveHeaders: no; Preserve HTTP Headers (see page 231)
- PreservePostData: yes; Enable or Disable POST Preservation (see page 107)
- ProxyAgent (Apache only): no; Configure Reverse Proxy Solutions (see page 61)
- ProxyDefinition: No default; Configure IP Address Validation (see page 230)
- ProxyTimeout (Apache only): No default; Configure Reverse Proxy Solutions (see page 61)
- ProxyTrust: no; Configure Agents that Sit behind Proxy Servers (see page 56)
- PSPollInterval: 30; Set the Polling Frequency to the Policy Server (see page 46)
- RemoteUserVar: No default; Set the REMOTE_USER Environment Variable (see page 218)
- ReqCookieErrorFile: No default; Custom Error Handling For Applications (see page 239)
- RequireCookies: yes; Require Cookies (see page 181)
- ResourceCacheTimeout (dynamic updates not supported by framework agents): 600; Set the Resource Cache Timeout (see page 88)
- SaveCredsTimeout: 720
Parameter and More Information:
- SCCExt: Configure MIME Types for Each Credential Collector (see page 95)
- SecureURLs: Encrypt Query Strings in URLs (see page 68)
- ServerErrorFile: Set Up Error Handling (see page 243)
- ServerPath (Apache and Sun Java System only): Manage Web Agents with Multiple Web Server Instances (see page 41)
- SessionGracePeriod: Modify the Session Grace Period (see page 185)
- SessionUpdatePeriod: Modify the Session Update Period (see page 185)
- SetRemoteUser: Set the REMOTE_USER Environment Variable (see page 218)
- SFCCExt: Configure MIME Types for Each Credential Collector (see page 95)
- SkipDominoAuth (Domino only): Force SiteMinder to Authenticate Users (see page 123)
- SSOZoneName: Cookie Naming Conventions (see page 207)
- SSOTrustedZone: The Order of Trust and Failover (see page 208)
- TargetAsRelativeURI: Use a Relative Target for Credential Collector Redirects (see page 105)
- TraceFileName, TraceConfigFile, TraceAppend, TraceFormat, TraceDelim, TraceFile, TraceFileSize: Set Up and Enable Trace Logging (see page 141)
Other More Information topics listed in this part of the table: Control Identity Cookies (see page 184); Enable IP Checking of Cookies to Prevent Security Breaches (see page 86); Enable Anonymous User Access (see page 161); Set Secure Cookies (see page 183); Resolve Agent Identity by IP Address (see page 54); Define Valid Target Domains for CCC Processing (see page 105)
Index
A
Accommodate Legacy URL Encoding 110 Accommodate Network Latency for IIS 6.0 47 Accommodate P3P Compact Policies (IIS Agent only) 72 Additional Configurations Requiring the ServerPath Parameter 44 Additional Parameters for Framework Agents 29 Advanced Authentication Scheme Configuration 91 Agent See also Web Agent 265 Agent is Sending Authorization Requests Configured to Ignore to Policy Server 245 Agent Key Dynamic Rollovers 20 AllowLocalConfig Parameter 24 Alphabetical List of Parameters 257 Apache or Sun Java System Reverse Proxy Agent 61 Apache reverse proxy httpsports, setting 65 ProxyAgent, setting 65 ProxyTimeout, setting 65 Apache Web Server Will Not Start/Restart When Web Agent is Enabled 248 ASP script, using to extract HTTP headers 226 Associate MIME Types with Credential Collectors 95 auditing logs 168 Authenticate as the Actual User or the Default User 124 Authenticate as the Domino Super User 124 Authenticate Users with the Domino Server 122 authentication schemes SafeWord Server 108 authentication source variables disabling (IIS) 223
B
Basic Operations Enable and Identify Agents 37 Browser Is Not Submitting Cookie 246
C
CA Product References iii cache emptying 87 management 87 Cache Anonymous Users 90 Cache Response Attributes 215 CCC See also credential collector 92 description 92 CCCExt parameter, setting 96 Central Agent Configuration Overview 22 Check Error and Trace Logs 243 Check Logs for Start-up Errors 243 Combine OnAccept and OnReject Events 215 Compare IP Addresses to Prevent Security Breaches 86 Configuration of Agents 58 Configure Agents that Sit behind Proxy Servers 56 Configure Auditing to Track User Activity 167 Configure Automatic Logon 164 Configure Credential Collectors in a Mixed Environment 98 Configure Custom Error Handling 241 Configure Domino-Specific Agent Functions 121 Configure FCC Password Services 112 Configure Form Cache 104 Configure Full Logoff 171 Configure Full Logoff for Single Sign-on 172 Configure IP Address Validation 229 Configure MIME Types for Each Credential Collector 95 Configure NT Challenge/Response Authentication (IIS Only) 162 Configure Password Services for a Web Agent 111
Configure Policies for Domino 131 Configure Response Attributes 214 Configure Reverse Proxy Solutions 61 Configure SecureID Authentication with FCC Password Services 112 Configure SecureURLs 69 Configure SecureUrls with Single Sign-on 70 Configure Security Zones 206 Configure Single Sign-On 179 Configure Support for SDK Third-Party Cookies 190 Configure the Challenge/Response Authentication Scheme 165 Configure the Domino Web Agent 120 Configure the FCC to Use a Single Resource Target 103 Configure the IIS Web Server 163 Configure the SiteMinder Reverse Proxy Solution 65 Configure the Trace Configuration File 144 Configure the Web Agent to Check For Cross Site-Scripting 85 Configure the Web Agent to set the REMOTE_USER Variable 218 Configured Attributes Are Not Reaching Web Application 244 ConformToRFC2047 parameter, setting 234 Contact Technical Support iii Control How HTTP Header Resources are Cached 230 Control Identity Cookies 184 Convert Notes Document Names 120 cookie credential collector. See CCC 92 Cookie Naming Conventions 207 cookie provider domain 176 cookies third-party support 190 Coordinate SiteMinder and Domino Authentication 127 Create Rules for Domino Server Resources 132 credential collector types 92 cryptographic hardware support 38 Custom Error Handling For Applications 238 Custom401ErrorFile parameter, setting 241 CustomIpHeader parameter, setting 229
D
Data Stored in the Form Cache 104 Decode Query Data 67 default HTTP headers description 223 disabling 223 Default User, identity for Domino server 124 Default WebAgentTrace.conf File 151 Define Agent Identities for Virtual Servers 52 Define HTTPS Ports 236 Define Valid Target Domains for CCC Processing 105 Delete Certificates from Stronghold (Apache Agent Only) 110 Disable Conformance to RFC 2047 234 Disable Default HTTP Header Variables 223 Disable Domino Session Authentication 127 DisableDotDotRule parameter, setting 80 Domino Agents Overview 117 Domino Aliases 119 Domino Application Server configuring policies 131 using Domino Directory 130 Domino URL Commands 118 Domino Web Agent authentication process 122 specifying a default user 124 specifying a super user 122 specifying a user 124 URL commands 119 Domino Web Agents 117 DominoDefaultUser parameter, setting 125 DominoSuperUser parameter, setting 125
E
Edit an Agent Configuration File 30 Enable a Domino Agent to Collect Credentials for Authentication 130 Enable and Disable Web Agents 38 Enable Anonymous User Access 161 Enable FCCs/SCCs to Use Agent Names as Fully Qualified Host Names 106 Enable Forms Cache to Improve Performance 103 Enable or Disable POST Preservation 107
Enable Passport Authentication to Protect IIS 6.0 Resources 107 Enable the IIS 6.0 Security Context to Work with the Agent 46 Enable the Web Agent for an IIS 6.0 Virtual Server Site 51 Encrypt Query String Parameters in Redirection URLs 68 Encrypt the Agent Name 40 Enforce Policies 39 Enforce Security with URL Monitoring 75 Enforce Timeouts Across Multiple Realms 187 Ensure Requests are Not Rejected Due to URL Normalization 128 Ensure that Agent Names Match 40 Error Codes for the Web Agent 251 Example Applications that Use SiteMinder Default HTTP Headers 223 Extract HTTP Headers Using a Shell Script 224 Extract HTTP Headers Using ASP 226 Extract HTTP Headers Using NSAPI 224 Extract HTTP Headers Using PERL 225
How Single Sign-On Zones Affect Authorization 205 How the Agent Reads SiteMinder Cookies 19 How the IIS Web Agent Populates the REMOTE_USER Variable 219 How the SecureUrls Functionality Operates with Credential Collectors 69 How the Web Agent and Policy Server Calculate Time 18
I
Ignore File Extensions 76 Ignore Query Data 67 Ignore the Cookie Provider for POST Requests (framework agents only) 191 Ignore the Cookie Provider for Unprotected Resources 190 IgnoreCPForNotprotected parameter setting 190 IIS 6.0 Server Logs 143 IIS 6.0 Web Agent 404 Not Found Errors 61 LocalConfig.conf file 28 SharePoint Portal Server 55 Implement Cookie Domain Resolution 192 Implement Full Logoff Support for Domino Agents 134 Implement Single Sign-On Across Multiple Cookie Domains 176 Integrate an IIS 6.0 Agent with SharePoint Portal Server 2003 55 Introduce FCC Password Services 111 iPlanet WebServer Shows Blank Page When Using Basic over SSL 250
F
FCC configuration after upgrade 99 configuration, mixed network 99 description 92 See also credential collector 92 FCCExt parameter, setting 96 Filter Data Output to the Trace Log 149 Force an FCC to Establish Realm Context for Forms Authentication 104 Force Fully Qualified Domain Names 194 Force SiteMinder to Authenticate Users 123 Force the Cookie Domain 191 forms credential collector. See FCC 94
K
Key Stores 20
L
Limit Size of Post Data (IIS 5.0 Agents only) 73 Loading Plug-ins for 45 Local Agent Configuration Overview 24 Local Configuration File Samples 265 LocalConfig.conf File for Framework Web Agents 266 Localize CGI-based Password Services Change Forms 114
H
Handle Complex URIs 80 Handle Multiple AuthTrans Functions (Sun Java System only) 237 Handle User-Requested Actions on Lotus Notes Documents 129 How Credential Collectors Process Requests 94
Localize FCC-based Password Services Change Forms 113 Log Off Users from User Sessions Using Full Logoff 170 Log the Transaction ID in Web Server Logs 169 Log Web Agent Error and Trace Messages 137 LogAppend parameter, setting, error log 139 LogFileName parameter setting, error log 139 LogFileSize parameter setting, error log 139 logging enabling 137 overview 137 LogLocalTime setting, error log 139 LogLocalTime parameter, setting, trace log 141
New HTTP Header for SiteMinder Processing with Secure Proxy Server 62 Notes About Log Files 138 Notes for Custom 401 Pages 241 NT challenge/response configuring 162 NT, setting time zones 18 NTC See also credential collector 92 NTCExt parameter, setting 96
O
Other Considerations for Creating Policies 135 Other Cookies Affected by Single Sign-On Zones 205 Override Session Timeouts with Response Attributes 216 Override the Default CSS Character Set 85
M
Manage 404 Not Found Errors (IIS 6.0 Agent) 61 Manage Cookie Domains 191 Manage Web Agent and Policy Server Communication 46 Manage Web Agents with Multiple Web Server Instances 41 Map Agent Identities and Web Servers for Use By FCCs and SCCs 106 Map URLs for FCC Redirects 126 Map URLs for FCC Redirects with a Domino Web Agent 128 Modify Single Sign-On Settings 180 Modify the .fcc File for Forms POST Preservation 107 Modify the Cookie Domain 195 Modify the Domino Default User and the Domino Super User 125 Modify the LocalConfig.conf File (Framework Agents) 35 Modify the Session Grace Period 185 Modify the Session Update Period 185 Modify the Trace Configuration File 144 Modify the WebAgent.conf File (All Web Agents) 31
P
parameter descriptions 257 Pass on Localized Settings to Protected Resources 115 Pass on Localized Settings to Unprotected Resources 116 Perform Central Agent Configuration 26 Perform Local Agent Configuration 27 PERL, using to extract HTTP headers 225 personalization, using response attributes 211 POST preservation limiting data size 73 Preserve Data Posted to a Form 107 Preserve HTTP Headers 230 Previous Web Agent Releases 230 Process Inbound URLs 66 Protect IIS 6.0 Web Server Resources with Passport Authentication 110 Protect Resources Without Extensions 78 Protect Web Sites Against Cross-Site Scripting 84 protection levels for single sign-on 177 ProxyAgent parameter, setting 65 ProxyDefinition parameter, setting 229 ProxyTimeout parameter, setting 65 ProxyTrust parameter, setting 65
N
nCipher cryptographic modules 38
R
Receive WriteLine Failed Error 247 Redirect a User After a Session Timeout 188 RemoteUserVar parameter, setting 218 Request Processing with Multiple User Sessions 204 Require Cookies 181 require cookies errors, description 238 RequireCookieErrorFile parameter, setting 238 Resolve Agent Identity by IP Address 54 Resolve Cookie Domains Automatically 193 resource cache emptying 87 response attributes configuring 214 for personalization 16, 211
S
SafeWord Server authentication schemes 108 Sample Use of AgentFunctions.conf Template 150 Sample WebAgentTrace.conf File and Resulting Trace Log 156 SCC description 92 See also credential collector 92 SCCExt parameter, setting 96 Secure a Users Security Context in a Page File (IIS 5.0 Only) 159 Secure Applications 79 Secure the Ignore Extensions Feature 77 Security Considerations 60 Security Issues Related to Caching HTTP Header Resources 231 Security Zone Basic Use Case 200 Security Zone Definitions 197 Security Zones Benefits 199 Security Zones Overview 198 Session Cookie Creation and Updates 182 Session Cookie Validation Periods and Expired Cookie URLs 189 Set a Maximum URL Size 72 Set a Timeout for Saved Credentials 186 Set Legacy Variables 236 Set Persistent Cookies 183 Set Secure Cookies 183
Set the Agent Name and Default Agent Name Identities 39 Set the HTTP Header Encoding Spec 233 Set the Maximum Resource Cache Size 89 Set the Maximum User Session Cache Size 90 Set the Polling Frequency to the Policy Server 46 Set the REMOTE_USER Environment Variable 217 Set the Resource Cache Timeout 88 Set the ServerPath Parameter for UNIX Systems 43 Set the ServerPath Parameter for Windows Systems 42 Set Up and Enable Error Logging 139 Set Up and Enable Trace Logging 141 Set Up Credential Collectors for Apache Web Servers 97 Set Up Credential Collectors for IIS and Domino Web Servers 96 Set Up Credential Collectors for Sun Java System Web Servers 96 Set Up Error Handling 242 Set Up Virtual Server Support 50 Set Web Agent Cache 87 SFCC description 92 See also credential collector 92 SFCCExt parameter, setting 96 SharePoint Portal Server 55 single sign-on agent key management 178 configuring full logoff 172 configuring, overview 179 cookie provider, description 92 multiple domains 175 protection levels 177 single domain 174 Single Sign-on 173 Single Sign-On Security Zones for Strong Authentication 197 SiteMinder and Web Applications 209 SiteMinder Mechanisms for Developing Web Applications 210 SiteMinder Secure Proxy Server 62 SiteMinder Web Agents 14
SMSESSION cookie support for third party cookies 190 Solaris/Sun Java System Web Agent Not Communicating with Policy Server 247 Solaris/Sun Java System Web Agent Not Loading or Web Server Not Starting 246 Solve Problems 243 Specify an NTLM Credential Collector 166 Specify Bad Form Characters 83 Specify Bad Query Characters 84 Specify Bad URL Characters 81 Specify Components and Subcomponents in the Trace Log 145 Specify Data Fields to Include in the Trace Messages 148 Specify the Cookie Domain 181 Specify the Cookie Provider 180 Specify User Directories for Domino 130 Specify Virtual Servers to be Ignored by the Web Agent 53 SSL forms credential collector 92 SSL-based credential collector. See SCC 92 Steps to Use a Template 150 Sun Java System reverse proxy httpsports, setting 65 ProxyAgent, setting 65 Sun Java System Web Agent on Solaris Not Loading 249 Super User, identity for Domino server 122
for auditing 168 Transitive Relationships Across Zones 204 troubleshooting 243 Troubleshooting 243 Trusted Zone Order 201 Two Configuration Methods 21 Types of Log Files 139 Types of Messages the Web Agent Logs 138
U
Understand How DMS2 (Registration Services) Handles Localization 115 Unsupported Parameters for Framework Web Agents 29 URIs, handling complex URIs 80 URL Monitoring Overview 75 Usage Notes 60 Use a Custom Header to Validate IP Addresses 228 Use a Domino Agent with a WebSphere Application Server 135 Use a Fully Qualified URL for Password Services Redirects 115 Use a Header Variable to Validate End-User IP Addresses 227 Use a Relative Target for Credential Collector Redirects 105 Use a SiteMinder Header for Authentication 127 Use a Special Forms Template for Passport Authentication 109 Use Agent Key Management and Single SignOn 178 Use an Agent Configuration File 28 Use an IIS Proxy User Account (IIS Only) 160 Use Authentication Scheme Protection Levels 177 Use Central and Local Configuration Together 25 Use Configurable Response Attributes 211 Use Credential Collectors for Authentication and Single Sign-On 92 Use Encryptkey to Set the Domino Default or Super User 126 Use FCCs and NTCs in a Mixed Environment 99 Use IgnoreURL 71
T
The Default Single Sign-On Zone and Trusted Zone List 203 The Order of Trust and Failover 208 time zones, setting (NT) 18 Trace the Agent Connection Manager and Agent API Calls 149 TraceAppend parameter, setting 141 TraceDelim parameter, setting 141 TraceFileSize parameter, setting 141 TraceFormat parameter, setting 141 Track User Identity Across Anonymous Realms 178 transaction IDs adding to server logs (Apache) 169 adding to server logs (IIS) 168 adding to server logs (Sun Java System) 169
Use Lower Case HTTP in Headers (for Sun Java System, Apache, Domino) 232 Use SCCs in a Mixed Environment 102 Use SecureUrls with FCC-based Password Services 70 Use Single Sign-On 173 Use Single Sign-On Across Multiple Domains 175 Use Single Sign-On in a Single Domain 174 Use SiteMinder Default HTTP Headers 220 Use SM_AGENT_ATTR_USRMSG Response for a Forms Challenge 235 Use the HTTP Header and Cookie-Variables 215 Use the HTTP HOST Request for the Port Number 72 Use the IIS Default User Name and Password 160 Use the NetBIOS Name or UPN for IIS Authentication 161 Use the safeword.fcc File for SafeWord Forms Authentication 108 Use the SiteMinder Reverse Proxy Solution 63 Use Transaction IDs 168 Use Web Agent Accounting 46 Use Web Agent Monitoring 38 User Access Management and Activity Tracking 159 user session variables disabling 223 User Sessions Across Security Zones 200 UseServerRequestIp parameter setting 54
Web Agent Error Codes 251 Web Agent Logging 137 Web Agent Overview 13 Web Agent Performance Tuning 87 Web Agent Tasks 15 Web Agents and the Policy Server 16 Web Server and Web Agent Interaction 49 Web Server Authentication Fails 244 Web Server Does Not Prompt for Username or Password 244 Web servers configuring logs (Apache) 169 configuring logs (IIS) 168 configuring logs (Sun Java System) 169 supported platforms 15 WebAgent.conf File (All Agents except IIS 6.0 and Apache 2.0) 34 WebAgent.conf File (Apache 2.0 Agents) 33 WebAgent.conf File (IIS 6.0 Agents) 33 WebAgent.conf.sample for Traditional Web Agents 265
V
virtual servers ignored by a web agent 53 using IP addresses to find agents 54
W
Web Agent FCC operation 99 logging 137 purpose 15 SCC operation 102 Web servers supported 15 Web Agent Configuration Methods 21 Web Agent Configuration Parameters 257