Post Encrypted Password to login.fcc

Article ID: 129988

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We have a requirement to log in to our SiteMinder protected application through a Python script that posts the credentials to login.fcc. Can the password be sent encrypted to login.fcc, or are there any other secure mechanisms?

We have a requirement to log in to our SiteMinder protected application through a Python script that posts the credentials to login.fcc. For now, the user name and password are stored in this script in clear text.

Our requirement is not to store the user password in clear text in this script. Kindly let us know how this can be achieved: can the password be sent encrypted to login.fcc, or are there any other secure mechanisms?

Environment

R12.7 SiteMinder

Resolution

Possible answers are outside the scope of SiteMinder out of the box (OOB).

Since the HTTP client (the user's browser, or the script in this case) is the one doing the POST of the credentials, a Web Agent ACO parameter cannot act on the POST body; the credentials are already sent by the client before the agent sees them. As a mitigation step, use SSL/TLS, which encrypts the entire HTTP exchange, credentials included.

Take a realistic scenario: a site terminates SSL at the load balancer (LB) and has a central credential collector or login page. SSL/TLS is the way to ensure that the central login page, and the communication to and from it, is protected with TLS-level encryption, including when the traffic involves more than one hop, such as the leg between the LB and the server behind it.

Another possible way is on the custom-code side, and its feasibility is for the implementer to determine: JavaScript on the login page to manipulate and encrypt the form POST variables, paired with a custom FCC (again using JavaScript) that recovers the credentials in their original, unencrypted form before processing them.
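As an added example (not code from the article or from CA/Broadcom), here is the shape of a Python script like the one in the question that follows the resolution above: the credentials come from the environment at run time rather than clear text in the script, the POST to login.fcc is refused unless the URL is HTTPS, and the server certificate is verified. The host name, the environment variable names, and the USER/PASSWORD/TARGET form field names are assumptions; check the field names against your own FCC.

```python
"""Post credentials to a SiteMinder login.fcc without storing them in clear text.

Added example (not from the KB article). Assumptions: the FCC uses the
conventional USER / PASSWORD / TARGET form field names and sets an SMSESSION
cookie on success; the host name and environment variable names are placeholders.
"""
import os
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

FCC_URL = "https://sso.example.com/siteminderagent/forms/login.fcc"  # placeholder


def load_credentials(env=os.environ):
    """Read the user name and password from the environment (populated from a
    secret store at run time) instead of hard-coding them in the script."""
    user = env.get("SM_USER")
    password = env.get("SM_PASSWORD")
    if not user or not password:
        raise RuntimeError("SM_USER and SM_PASSWORD must be set")
    return user, password


def build_login_request(fcc_url, target, user, password):
    """Return (url, form_body) for the login.fcc POST. Plain HTTP is refused so
    the password is only ever sent inside a TLS-protected connection."""
    if urllib.parse.urlsplit(fcc_url).scheme != "https":
        raise ValueError("login.fcc must be posted over HTTPS: %s" % fcc_url)
    body = urllib.parse.urlencode({"USER": user, "PASSWORD": password, "TARGET": target})
    return fcc_url, body.encode("ascii")


def post_login(fcc_url, target, user, password):
    """POST the form and report (HTTP status, whether an SMSESSION cookie was set).
    urllib verifies the server certificate by default, so an untrusted
    certificate on the path aborts the connection before the password is sent."""
    url, body = build_login_request(fcc_url, target, user, password)
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener.open(req, timeout=30) as resp:
        status = resp.status
    return status, any(c.name == "SMSESSION" for c in jar)


if __name__ == "__main__":
    user, password = load_credentials()
    print(post_login(FCC_URL, "/protected/", user, password))
```

Run it with SM_USER and SM_PASSWORD exported from your secret store; the script itself never contains the password.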