How to configure Open Format Cookie and consume it



Article ID: 46708

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign-On
  • CA Single Sign On Federation (SiteMinder)

Issue/Introduction

This article describes how to configure the Policy Server to send an Open Format Cookie (OFC) as a response header, and how to write a simple Java client program that consumes (decrypts) the OFC cookie the Policy Server sends.

This can be used for agentless single sign-on.

Environment

  • Policy Server: R12.8.8.01
  • OS: any

Resolution

On the Policy Server:

 

1. Create a Web Agent Response that generates an Open Format Cookie.

For detailed instructions refer to: How to Create a Web Agent Response That Generates an Open Format Cookie.

Note: from the response configuration screen, make a note of the following two settings, as they are needed on the client side:

    • Encryption Key
    • Encryption Algorithm

Treat the Encryption Key as a shared secret: anyone who obtains it can decrypt every OFC cookie issued by this response.


2. Add the OFC cookie response configured in step 1 to either an OnAuthAccept or an OnAccessAccept rule.

3. Add the rule to a Policy.

 

On the Client side

Modify the attached SampleOFCConsumer.java as follows:

1. Depending on which Encryption Algorithm was selected when configuring the OFC cookie response, edit the following variables accordingly:

If using the AES algorithm:

public static final String DEFAULT_TRANSFORMATION = AES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = AES_ALGORITHM;

 

If using the DES algorithm:

public static final String DEFAULT_TRANSFORMATION = DES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = TRIPLE_DES_ALGORITHM;


 

2. In the decrypt() method, update the KEY byte array to match the Encryption Key defined in the Admin UI.

Follow the steps below to convert the string-formatted Encryption Key into a byte array:

Step 1: Copy the value of the Encryption Key from Admin UI ==> OFC Cookie Response, e.g. B4578127007497EF8A655E4986D4F63C (see above screenshot). A 32-digit hex string is a 16-byte key.
Step 2: Add a space after every two characters:
B4 57 81 27 00 74 97 EF 8A 65 5E 49 86 D4 F6 3C
Step 3: Prefix every two-character pair with (byte)0x:
(byte)0xB4 (byte)0x57 (byte)0x81 (byte)0x27 (byte)0x00 (byte)0x74 (byte)0x97 (byte)0xEF (byte)0x8A (byte)0x65 (byte)0x5E (byte)0x49 (byte)0x86 (byte)0xD4 (byte)0xF6 (byte)0x3C
Step 4: Separate the pairs with commas:
(byte)0xB4,(byte)0x57,(byte)0x81,(byte)0x27,(byte)0x00,(byte)0x74,(byte)0x97,(byte)0xEF,(byte)0x8A,(byte)0x65,(byte)0x5E,(byte)0x49,(byte)0x86,(byte)0xD4,(byte)0xF6,(byte)0x3C


3. Compile the class. Note: the JRE's lib directory should be on the classpath.

4. Ensure that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files have been applied to the JRE being used. This is only required on older JREs; from JDK 8u161 and JDK 9 onward the unlimited policy is the default and no separate policy files are needed.
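The manual Steps 1 to 4 above are easy to get wrong (a dropped digit or a swapped pair yields a key that silently fails to decrypt). The following helper, added here and not part of the attached SampleOFCConsumer.java, performs the same conversion programmatically, checks that the result is a key length the selected algorithm accepts, and prints the (byte)0x... literal so it can be compared with the hand-written KEY array. The JCA algorithm names "AES" and "DESede" are assumed to be what the sample's AES_ALGORITHM and TRIPLE_DES_ALGORITHM constants resolve to; the key value is the article's example.

```java
import javax.crypto.spec.SecretKeySpec;

/**
 * Added helper (not from the attached sample): converts the Encryption Key
 * string shown in the Admin UI into the byte[] the sample's decrypt() method
 * expects, instead of hand-editing "(byte)0x.." literals.
 */
public final class OfcKeyHelper {

    // Assumed JCA names behind the sample's AES_ALGORITHM / TRIPLE_DES_ALGORITHM constants.
    public static final String AES_ALGORITHM = "AES";
    public static final String TRIPLE_DES_ALGORITHM = "DESede";

    /** Decode an even-length hex string (case-insensitive, spaces ignored) into bytes. */
    public static byte[] hexToBytes(String hex) {
        String clean = hex.replace(" ", "").trim();
        if (clean.length() % 2 != 0) {
            throw new IllegalArgumentException(
                "hex key must have an even number of digits, got " + clean.length());
        }
        byte[] out = new byte[clean.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(clean.charAt(2 * i), 16);
            int lo = Character.digit(clean.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character at position " + (2 * i));
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Render the bytes exactly as the article's manual Steps 3 and 4 do, for comparison. */
    public static String toJavaLiteral(byte[] key) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < key.length; i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(String.format("(byte)0x%02X", key[i] & 0xFF));
        }
        return sb.toString();
    }

    /**
     * Build the SecretKeySpec for the sample's Cipher, rejecting AES key lengths
     * that Cipher.init would refuse later with a less helpful InvalidKeyException.
     * For DESede the JCE provider expects 24 bytes; how the sample derives that
     * from the UI value is up to the sample's own DES code path, so it is not
     * checked here.
     */
    public static SecretKeySpec keySpec(byte[] key, String algorithm) {
        int len = key.length;
        if (AES_ALGORITHM.equals(algorithm) && len != 16 && len != 24 && len != 32) {
            throw new IllegalArgumentException("AES needs a 16, 24 or 32 byte key, got " + len);
        }
        return new SecretKeySpec(key, algorithm);
    }

    public static void main(String[] args) {
        // The article's example Encryption Key: 32 hex digits = 16 bytes = AES-128.
        String fromAdminUi = args.length > 0 ? args[0] : "B4578127007497EF8A655E4986D4F63C";
        byte[] key = hexToBytes(fromAdminUi);
        System.out.println("KEY literal  : " + toJavaLiteral(key));
        SecretKeySpec spec = keySpec(key, AES_ALGORITHM);
        System.out.println("Key algorithm: " + spec.getAlgorithm() + ", " + key.length + " bytes");
        // This is a one-off conversion aid; do not log key material in a deployed consumer.
    }
}
```

Run it as `java OfcKeyHelper <EncryptionKey>` and paste the printed literal into the sample's KEY array, or call hexToBytes() directly from the sample's decrypt() so the key is never retyped by hand.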

 

Testing:

1. Access the protected resource that is configured to return the OFC cookie response, and copy the returned cookie value using a script or browser tool that displays all the response headers:

 

2. Run the SampleOFCConsumer class and pass the OFC cookie value as the input parameter:

 

Attachment:

  1. ActiveResponseSample.java 
  2. ActiveResponseDecryptor.java

 

Additional Information

 

  • Additional sample programs can be found at:

      • Policyserver_installation_directory\siteminder\samples\SmOpenFormatCookie\Java (Java)

      • Policyserver_installation_directory\siteminder\samples\SmOpenFormatCookie\dotnet (.NET)

Attachments

1558534761290TEC1487052.zip