CA Access Gateway (SPS) session schemes configuration and sample

Article ID: 228845

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

How do you implement the "Simple URL Rewriting Session Scheme"
functionality when running CA Access Gateway (SPS)?

 

Environment

 

CA Access Gateway (SPS) 12.8SP5 on RedHat 8

 

Resolution

 

First, follow the steps described in the documentation (1).

There are two ways to configure the simple_url scheme for session
management: through the ProxyUI, or manually. When using the ProxyUI,
follow the steps in (1), and also define the "Default Session Scheme"
and the "User Agent-Session Scheme Mappings" in the virtual host where
the scheme will be used.

The manual settings are as follows.

Edit the CA Access Gateway (SPS) server.conf by hand.

To illustrate:

server.conf

Make sure this configuration is not commented out:

  <SessionScheme name="simple_url">
          class="com.netegrity.proxy.session.SimpleURLSessionScheme"
          accepts_smsession_cookies="false"
          session_key_name="SMID"
  </SessionScheme>

After the <SessionScheme> section, define a UserAgent:

  <UserAgent name="user_agent_name">
             sm_useragent="user123" 
  </UserAgent>

Then define the "defaultsessionscheme" property and the
SessionSchemeMappings for the virtual host where you want the scheme
to be in use:

  <VirtualHostDefaults>

    # default session scheme
    defaultsessionscheme="simple_url"
    <SessionSchemeMappings>
        user_agent_name=simple_url
    </SessionSchemeMappings>

When testing, send the header sm_useragent=user123 with the request
so that CA Access Gateway (SPS) applies the session scheme, as in
this test using curl:

  # curl -H "sm_useragent=user123" -b "SMCHALLENGE=YES;" -c cookie-jar.txt -v -u jsmith:password http://sps.training.com/backend/allheaders.php
  #   Trying 192.168.1.108...
  # TCP_NODELAY set
  # Connected to sps.training.com (192.168.1.108) port 80 (#0)
  # Server auth using Basic with user 'jsmith'
  > GET /backend/allheaders.php HTTP/1.1
  > Host: sps.training.com
  > Authorization: Basic anNtaXRoOnBhc3N3b3Jk
  > User-Agent: curl/7.55.1
  > Accept: */*
  > Cookie: SMCHALLENGE=YES;
  >
  < HTTP/1.1 302 302
  < Date: Wed, 13 Oct 2021 11:24:11 GMT
  < Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2x-fips mod_jk/1.2.48
  < Location: http://sps.training.com/SMID=17c796541d7a4ce3edf0bc0a4c0/backend/allheaders.php
  < Content-Length: 0
  <
  # Connection #0 to host sps.training.com left intact

The CA Access Gateway (SPS) agent trace reports:

sps.training.com.trace:

  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [ProxyValve::invoke][Using session scheme: simple_url]

  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [ProxyValve::invoke][Using default user agent]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [ProxyValve::resolveSession][Session scheme simple_url could not find an SESSION cookie.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [ProxyValve::resolveSession][Session scheme simple_url found a valid session scheme.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [ProxyValve::resolveSession][Session scheme simple_url found a session key.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [CSmHttpPlugin::ProcessResource][Resolved URL: '/backend/allheaders.php'.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [Tomcat5SerializedAgentData.addCookie][Not Using default scheme and cookie name
  [SMCHALLENGE] not SMSESSION, ignoring the cookie.]
  
  [10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
  [doNewSessionProcessing]
  [Adding session id 06a567610a8a957cfc5205d61774704d14a97467c5f13f53bb11957e3bcb02183a63c3e381597b
  180ebd0f3b979feee30978fe7fe05a2abe84844e6ce7f68e69 to session store.]
  


In the sample above, notice that CA Access Gateway (SPS) adds a key
to the URL in the Location header of the redirect:

  http://sps.training.com/SMID=17c796541d7a4ce3edf0bc0a4c0/backend/allheaders.php

"sm_useragent=user123" is a header and its value. The browser sends
it as a request header, and SPS maps it using the following
configuration in the virtual host:

    <SessionSchemeMappings>
        user_agent_name=simple_url
    </SessionSchemeMappings>

This is not bound to an Agentname or other configuration in the
AdminUI.

user_agent_name can be whatever you want, as can sm_useragent and
its value.

The only requirement is that user_agent_name is the same in both
parts of the configuration:

    <UserAgent name="user_agent_name">
             sm_useragent="user123" 
    </UserAgent>

    <SessionSchemeMappings>
        user_agent_name=simple_url
    </SessionSchemeMappings>
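
A consistency check for the name matching described above, as an added example that is not part of the original article or of the product's tooling. The helper name check_session_config and the mobile_agent entry are hypothetical, and the sample text is constructed from the fragments on this page with one deliberate mismatch.

```python
import re

# Constructed sample built from the server.conf fragments on this page, plus
# one deliberate mismatch: "mobile_agent" (hypothetical) has no <UserAgent>.
SAMPLE_CONF = """
<SessionScheme name="simple_url">
    class="com.netegrity.proxy.session.SimpleURLSessionScheme"
    accepts_smsession_cookies="false"
    session_key_name="SMID"
</SessionScheme>
<UserAgent name="user_agent_name">
    sm_useragent="user123"
</UserAgent>
<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="simple_url"
    <SessionSchemeMappings>
        user_agent_name=simple_url
        mobile_agent=simple_url
    </SessionSchemeMappings>
</VirtualHostDefaults>
"""

def check_session_config(conf):
    """Return a list of problems in the session scheme wiring (hypothetical helper)."""
    # Ignore commented lines, so a commented-out block counts as undefined.
    text = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    schemes = set(re.findall(r'<SessionScheme\s+name="([^"]+)"', text))
    agents = set(re.findall(r'<UserAgent\s+name="([^"]+)"', text))
    problems = []
    for default in re.findall(r'^\s*defaultsessionscheme\s*=\s*"([^"]+)"', text, re.M):
        if default not in schemes:
            problems.append(f"defaultsessionscheme {default!r} is not a defined SessionScheme")
    mappings = re.findall(r"<SessionSchemeMappings>(.*?)</SessionSchemeMappings>", text, re.S)
    for block in mappings:
        for line in block.splitlines():
            if "=" not in line:
                continue
            agent, scheme = (part.strip().strip('"') for part in line.split("=", 1))
            if agent not in agents:
                problems.append(f"mapping uses user agent {agent!r} with no <UserAgent> block")
            if scheme not in schemes:
                problems.append(f"mapping uses scheme {scheme!r} with no <SessionScheme> block")
    return problems

if __name__ == "__main__":
    for problem in check_session_config(SAMPLE_CONF):
        print("PROBLEM:", problem)
```

Run against a copy of server.conf, an empty result means every mapped user agent and scheme, and the default scheme, resolve to an uncommented definition.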

 

Additional Information

 

(1)

    Configure the Simple URL Rewriting Session Scheme

       Follow these steps: 
       1. Navigate to Virtual Hosts, Sessions Schemes.
       2. Click Actions, Edit against the simple_url session scheme in the Available Session Schemes list.
       3. Configure the following parameters:

          Class
            Specifies the Java class that handles the session scheme. If
            you want to use the cookieless rewriting session scheme, do
            not modify the value.

            Default: com.netegrity.proxy.session.SimpleURLSessionScheme

          Accepts SMsession Cookies
            Specifies if SMSESSION cookies are accepted.

          session_key_name
            Specifies the SiteMinder ID (SMID) session identifier.

       4. Click OK and Save.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/access-gateway-administrative-ui/session-scheme-settings-configuration.html