How do you implement the "Simple URL Rewriting Session Scheme" in CA
Access Gateway (SPS)?
CA Access Gateway (SPS) 12.8SP5 on RedHat 8
Start with the documented steps, which are reproduced in (1) below.
There are two ways to configure the simple_url scheme for session
management: through the ProxyUI, or manually. When using the ProxyUI,
follow the steps in (1), and also define the "Default Session Scheme"
and the "User Agent-Session Scheme Mappings" in the virtual host where
the scheme will be used.
For the manual method, edit the CA Access Gateway (SPS) server.conf
file.
In server.conf, make sure this section is not commented out:
<SessionScheme name="simple_url">
    class="com.netegrity.proxy.session.SimpleURLSessionScheme"
    accepts_smsession_cookies="false"
    session_key_name="SMID"
</SessionScheme>
After the <SessionScheme> section, define a UserAgent:
<UserAgent name="user_agent_name">
    sm_useragent="user123"
</UserAgent>
Then define the "defaultsessionscheme" property and the
SessionSchemeMappings for the virtual host where the scheme should be
used:
<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="simple_url"
    <SessionSchemeMappings>
        user_agent_name=simple_url
    </SessionSchemeMappings>
When testing, send the header sm_useragent=user123 with the request so
that CA Access Gateway (SPS) applies the session scheme, as in this
test using curl:
# curl -H "sm_useragent=user123" -b "SMCHALLENGE=YES;" -c cookie-jar.txt -v -u jsmith:password http://sps.training.com/backend/allheaders.php
# Trying 192.168.1.108...
# TCP_NODELAY set
# Connected to sps.training.com (192.168.1.108) port 80 (#0)
# Server auth using Basic with user 'jsmith'
> GET /backend/allheaders.php HTTP/1.1
> Host: sps.training.com
> Authorization: Basic anNtaXRoOnBhc3N3b3Jk
> User-Agent: curl/7.55.1
> Accept: */*
> Cookie: SMCHALLENGE=YES;
>
< HTTP/1.1 302 302
< Date: Wed, 13 Oct 2021 11:24:11 GMT
< Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2x-fips mod_jk/1.2.48
< Location: http://sps.training.com/SMID=17c796541d7a4ce3edf0bc0a4c0/backend/allheaders.php
< Content-Length: 0
<
# Connection #0 to host sps.training.com left intact
The CA Access Gateway (SPS) agent reports the following in
sps.training.com.trace:
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[ProxyValve::invoke][Using session scheme: simple_url]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[ProxyValve::invoke][Using default user agent]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[ProxyValve::resolveSession][Session scheme simple_url could not find an SESSION cookie.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[ProxyValve::resolveSession][Session scheme simple_url found a valid session scheme.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[ProxyValve::resolveSession][Session scheme simple_url found a session key.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[CSmHttpPlugin::ProcessResource][Resolved URL: '/backend/allheaders.php'.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[Tomcat5SerializedAgentData.addCookie][Not Using default scheme and cookie name
[SMCHALLENGE] not SMSESSION, ignoring the cookie.]
[10/13/2021][13:30:01][22182][140065915770624][14c6d67a-e9d70270-b7950a17-40940ef3-703ffdb6-d23c]
[doNewSessionProcessing]
[Adding session id 06a567610a8a957cfc5205d61774704d14a97467c5f13f53bb11957e3bcb02183a63c3e381597b
180ebd0f3b979feee30978fe7fe05a2abe84844e6ce7f68e69 to session store.]
In the sample above, notice that CA Access Gateway (SPS) adds a key to
the URL in the Location (redirect) header:
http://sps.training.com/SMID=17c796541d7a4ce3edf0bc0a4c0/backend/allheaders.php
"sm_useragent=user123" is a header and its value. The browser sends it
as a header, and SPS maps it using the following configuration in the
virtual host:
<SessionSchemeMappings>
    user_agent_name=simple_url
</SessionSchemeMappings>
This mapping is not bound to an agent name or to any other
configuration in the AdminUI.
user_agent_name can be whatever you want, and so can sm_useragent and
its value.
The only requirement is that user_agent_name is the same in both
configuration parts:
<UserAgent name="user_agent_name">
    sm_useragent="user123"
</UserAgent>
<SessionSchemeMappings>
    user_agent_name=simple_url
</SessionSchemeMappings>
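The following Python check is an added example, not taken from the article or from the product. It reads a server.conf excerpt (the sample text is constructed from the fragments above, and check_session_config is a hypothetical helper name) and reports a defaultsessionscheme or SessionSchemeMappings entry that points at a <UserAgent> or <SessionScheme> that is missing or commented out.

```python
import re

# Constructed sample: the article's server.conf fragments joined into one excerpt.
GOOD_CONF = '''
<SessionScheme name="simple_url">
    class="com.netegrity.proxy.session.SimpleURLSessionScheme"
    accepts_smsession_cookies="false"
    session_key_name="SMID"
</SessionScheme>
<UserAgent name="user_agent_name">
    sm_useragent="user123"
</UserAgent>
<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="simple_url"
    <SessionSchemeMappings>
        user_agent_name=simple_url
    </SessionSchemeMappings>
</VirtualHostDefaults>
'''
# Constructed broken variant: scheme opening tag commented out, UserAgent renamed.
BAD_CONF = (GOOD_CONF.replace('<SessionScheme name', '#<SessionScheme name')
            .replace('<UserAgent name="user_agent_name">', '<UserAgent name="mobile">'))

SECTION = re.compile(r'<(SessionScheme|UserAgent)\s+name="([^"]+)"\s*>')
MAPPINGS = re.compile(r'<SessionSchemeMappings>(.*?)</SessionSchemeMappings>', re.S)
DEFAULT = re.compile(r'^\s*defaultsessionscheme\s*=\s*"?([^"\s]+)"?', re.M)

def check_session_config(conf_text):
    """Return a list of problems; empty when the three parts agree."""
    # Drop '#' comment lines so a commented-out section does not count as defined.
    active = "\n".join(l for l in conf_text.splitlines()
                       if not l.lstrip().startswith("#"))
    schemes = {n for k, n in SECTION.findall(active) if k == "SessionScheme"}
    agents = {n for k, n in SECTION.findall(active) if k == "UserAgent"}
    problems = []
    default = DEFAULT.search(active)
    if default and default.group(1) not in schemes:
        problems.append(f"defaultsessionscheme {default.group(1)!r}: no active <SessionScheme>")
    for body in MAPPINGS.findall(active):
        for line in (l for l in body.splitlines() if "=" in l):
            agent, scheme = (p.strip().strip('"') for p in line.split("=", 1))
            if agent not in agents:
                problems.append(f"mapping {agent!r}: no <UserAgent name={agent!r}>")
            if scheme not in schemes:
                problems.append(f"mapping {agent!r}: scheme {scheme!r} not active")
    return problems

if __name__ == "__main__":
    print(check_session_config(BAD_CONF) or "consistent")
```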
(1)
Configure the Simple URL Rewriting Session Scheme
Follow these steps:
1. Navigate to Virtual Hosts, Sessions Schemes.
2. Click Actions, Edit against the simple_url session scheme in the Available Session Schemes list.
3. Configure the following parameters:
   Class
      Specifies the Java class that handles the session scheme. If
      you want to use the cookieless rewriting session scheme, do
      not modify the value.
      Default: com.netegrity.proxy.session.SimpleURLSessionScheme
   Accepts SMsession Cookies
      Specifies if SMSESSION cookies are accepted.
   session_key_name
      Specifies the SiteMinder ID (SMID) session identifier.
4. Click OK and Save.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/access-gateway-administrative-ui/session-scheme-settings-configuration.html