How to prevent access to external websites from Cube browser embedded in the IM GINA and Vista Credential Provider

Article ID: 48967


Issue/Introduction

Description:

This Techdoc provides information on how to stop the Cube from accessing external websites, which may lead to exposure to various vulnerabilities.

Solution:

The Cube browser that is embedded in the GINA and Vista Credential Provider is primarily used for accessing IM Self-Service Tasks, such as performing a password reset. Within the IM web interface, it is possible for a user to click on links that eventually lead to an external web site such as www.ca.com/support. This is intentional from the IM web interface, as the user may be accessing the IM Help page, which contains an external link to the CA Support website. However, this presents a risk when an external website is accessed from an unauthenticated Windows session while Cube is running prior to Windows logon.

To stop Cube from accessing any web site outside of IM:

  1. Run ginaconfig.exe (for GINA) or CAIMCredProvConfig.exe (for Vista Credential Provider) as Administrator.

  2. Enter the IM base URL as a regular expression in the Allow text field. If your hostname is myhostname.domain.com and the port number is 8080, use the regular expression "(^http://myhostname\.domain\.com:8080|^C:\\Program Files\\CA\\Identity Manager\\Provisioning GINA\\404\.html|^C:\\Program Files\\CA\\Identity Manager\\Provisioning GINA\\unreachable\.html)" (without quotes). Note that literal dot characters must be escaped. This tells Cube that links matching http://myhostname.domain.com:8080 and the local HTML files (404.html and unreachable.html) are explicitly allowed. This example assumes that IM GINA was installed in the default location; if you chose a different path, adjust the values accordingly.

  3. Enter the regular expression ".*" (without quotes) in the Deny text field. This tells Cube to deny access to everything else.

  4. Reboot the machine.

An alternative, less restrictive setting is to allow access to all links and deny access only to ClickOnce applications. ClickOnce is a Microsoft technology that lets users install applications through the browser. To block ClickOnce applications specifically, clear the Allow text field and enter ".*\.application" (without quotes) in the Deny text field.
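As an added illustration (not part of the original Techdoc or the product), the following Python script models how the Allow and Deny expressions from the two configurations above sort a handful of constructed links, and shows why the unescaped-dot mistake widens the Allow list. The precedence it assumes (Allow consulted before Deny, a link matching neither list allowed) and all sample URLs are assumptions, not documented Cube behaviour.

```python
import re

# Allow/Deny patterns from the Techdoc (default IM GINA install path).
ALLOW = (
    r"(^http://myhostname\.domain\.com:8080"
    r"|^C:\\Program Files\\CA\\Identity Manager\\Provisioning GINA\\404\.html"
    r"|^C:\\Program Files\\CA\\Identity Manager\\Provisioning GINA\\unreachable\.html)"
)
DENY_ALL = r".*"

# Less restrictive alternative from the Techdoc: empty Allow, deny only ClickOnce manifests.
ALLOW_NONE = ""
DENY_CLICKONCE = r".*\.application"

# The mistake the Techdoc warns about: an unescaped dot matches any character.
UNESCAPED_ALLOW = r"^http://myhostname.domain.com:8080"


def is_allowed(url: str, allow: str, deny: str) -> bool:
    """Model of the Cube Allow/Deny check (assumption: the Techdoc does not
    spell out the precedence). A non-empty Allow pattern that matches wins,
    Deny is consulted next, and a link matching neither list is allowed.
    Step 3 of the Techdoc (Deny ".*") only makes sense if Allow is checked first."""
    if allow and re.search(allow, url):
        return True
    if deny and re.search(deny, url):
        return False
    return True


def evaluate(urls, allow, deny):
    """Return {url: allowed?} for each sample link under one configuration."""
    return {u: is_allowed(u, allow, deny) for u in urls}


# Constructed sample links; myhostnameXdomain.com stands in for an unrelated host.
SAMPLE_URLS = [
    "http://myhostname.domain.com:8080/iam/im/",
    "http://www.ca.com/support",
    r"C:\Program Files\CA\Identity Manager\Provisioning GINA\404.html",
    "http://myhostnameXdomain.com:8080/iam/im/",
    "http://myhostname.domain.com:8080/tools/setup.application",
]

if __name__ == "__main__":
    for label, allow, deny in [("strict", ALLOW, DENY_ALL),
                               ("unescaped", UNESCAPED_ALLOW, DENY_ALL),
                               ("clickonce-only", ALLOW_NONE, DENY_CLICKONCE)]:
        for url, ok in evaluate(SAMPLE_URLS, allow, deny).items():
            print(f"{label:15} {'ALLOW' if ok else 'DENY ':5} {url}")
```

Note that under the strict configuration a ClickOnce manifest served from the IM host itself still passes, because the Allow prefix matches it; only the alternative configuration blocks it.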

Environment

Release: CAPUEL99000-12.5-Identity Manager-Blended upgrade to Identity &-Access Mgmt Ente
Component: