
Cannot use ECDSA algorithm for JWT validation and creation


Article ID: 134038


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

We'd like to know how to make CA SiteMinder use the ECDSA algorithm to sign JWT tokens, as the CA API Gateway only uses this ECDSA algorithm for signatures. Is it possible?


Environment

Release : 12.8

Component : SITEMINDER - POLICY SERVER

Resolution

At first glance, in our latest version, SiteMinder 12.8, ECDSA is not implemented for cookie and token encryption:

  Encryption and Decryption Algorithms

  https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/partnership-federation/encryption-and-decryption-algorithms

and the JWT signature algorithm should be one of these. Per the documentation, JWTs can accept the following RSA-based algorithms for certificate validation:

  Configure JWT Authentication Scheme

    RS256 - RSA signature with SHA-256
    RS384 - RSA signature with SHA-384
    RS512 - RSA signature with SHA-512

  https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme

And our Product Roadmap has no mention of such an implementation:

  CA Single Sign-On Certification Backlog

  https://casupport.broadcom.com/phpdocs/7/5262/5262_PlatformSupportRoadmap.pdf

Further, as a prerequisite for JWT, you should ensure that the JWT is RSA encryption based:

  Ensure that the JWT authentication scheme imports the User Public Certificate into the Policy Server Certificate Database (CDS) to validate a JWT successfully for RSA-based algorithms.
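As an added illustration of the constraint described above (example code, not SiteMinder's own), the following Python pre-check accepts only the documented RS256/RS384/RS512 algorithms and rejects an ECDSA-signed (or unsigned) token before any certificate lookup is attempted. The tokens and signature bytes are constructed for the demo; verifying the returned signing input against the certificate held in the CDS is left to the caller.

```python
import base64
import json

# Algorithms the SiteMinder 12.8 JWT authentication scheme documents as
# supported (from the article). Anything else, including ES256, HS256 and
# "none", must be rejected before a signature check is even attempted.
ALLOWED_ALGS = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWT compact form."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def precheck_jwt(token: str) -> dict:
    """Parse a compact JWT and enforce the RSA-only algorithm allowlist.

    Returns the header algorithm, the hash it implies, the key id, the
    claims, and the exact bytes a verifier must check (signing input and
    raw signature). Raises ValueError for malformed or disallowed tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("JWT header must be a JSON object")
    alg = header.get("alg")
    # Exact, case-sensitive match: "rs256", "ES256" and "none" all fail here.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} not allowed; expected {sorted(ALLOWED_ALGS)}")
    return {
        "alg": alg,
        "hash": ALLOWED_ALGS[alg],
        "kid": header.get("kid"),
        "claims": json.loads(_b64url_decode(payload_b64)),
        "signing_input": f"{header_b64}.{payload_b64}".encode("ascii"),
        "signature": _b64url_decode(sig_b64),
    }


def make_demo_token(header: dict, claims: dict) -> str:
    """Build a token with a constructed (non-verifying) signature for testing the pre-check."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.{_b64url_encode(b'constructed-signature')}"
```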