Post Encrypted Password to login.fcc
Article ID: 129988
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We have a requirement to log in to our SiteMinder protected application through a Python script that posts the credentials to login.fcc. Can the password be sent encrypted to login.fcc; or, are there any other secure mechanisms?
We have a requirement to login to our SiteMinder protected application through a Python script that posts the credentials to login.fcc. For now, the user name & password are stored in this script in clear text.
Our requirement is not to store the user password in clear text in this script. Kindly let us know how can this be achieved please - can the password be sent encrypted to login.fcc; or, are there any other secure mechanisms?
We have a requirement to login to our SiteMinder protected application through a Python script that posts the credentials to login.fcc. For now, the user name & password are stored in this script in clear text.
Our requirement is not to store the user password in clear text in this script. Kindly let us know how can this be achieved please - can the password be sent encrypted to login.fcc; or, are there any other secure mechanisms?
Environment
R12.7 SiteMinder
Resolution
Possible answers are outside the scope of SiteMindaer OOB.
Since the user's browser is the HTTP client doing the POST of the credentials, a Web agent ACO parameter cannot really directly work with the POST as credentials are sent from the browser. So, consider to use SSL/TLS; and, that will encrypt entire HTTP communication, -- as a mitigation step.
So, take this example realistic scenario. A site could have SSL being terminated at the Load Balancer (LB) and there's a central credential collector or login page. SSL/TLS would be the way to go about ensuring that the central login page and communication to and from it is protected with SSL/TLS level encryption, even with traffic that involves more than one hop.
One other possible way is more on the custom code side and the feasibility is to be determined by the implementer of a Java Script to manipulate and encrypt the Form POST variables and then again custom FCC with Java Script to extract the credentials in the original (unencrypted) form before processing them.
Since the user's browser is the HTTP client doing the POST of the credentials, a Web agent ACO parameter cannot really directly work with the POST as credentials are sent from the browser. So, consider to use SSL/TLS; and, that will encrypt entire HTTP communication, -- as a mitigation step.
So, take this example realistic scenario. A site could have SSL being terminated at the Load Balancer (LB) and there's a central credential collector or login page. SSL/TLS would be the way to go about ensuring that the central login page and communication to and from it is protected with SSL/TLS level encryption, even with traffic that involves more than one hop.
One other possible way is more on the custom code side and the feasibility is to be determined by the implementer of a Java Script to manipulate and encrypt the Form POST variables and then again custom FCC with Java Script to extract the credentials in the original (unencrypted) form before processing them.
Feedback
Yes
No
Powered by
