How to Require Re-authentication for Sensitive Resources

Contents
casso10
Contents
2
CA Single Sign-On
defines sensitive resources as those resources for which you always want to require users to re-authenticate before they access. The transfer money section of an online banking website is one possible example of a sensitive resource. Normally, once a user logs in, they would not have to re-authenticate to transfer money.
By defining the transfer-money section as a sensitive resource, users must provide their credentials before accessing that section.
This sensitive resource protection prevents an unauthorized user from transferring money in case the user stepped away from their system without logging out first.
The sensitive resource protection prevents unauthorized users from accessing the transfer-money section without being challenged to confirm their identity.
The following graphic describes how to require re-authentication for sensitive resources:
How to require reauthenitcation for sensitive resources
How to require reauthenitcation for sensitive resources
The Policy Administrator and the Agent Owner Review the Prerequisites
The policy administrator and agent owner work together to require re-authentication for sensitive resources.
This scenario assumes that the following components exist in the environment:
  • A Policy Server that is installed and configured with the following components:
    • A policy domain with a user directory connection, realm, rule, and policy.
    • An .FCC authentication scheme.
  • An agent that is configured for an .FCC authentication scheme.
  • A session store that is fully configured and operating.
  • Disabling the FCCCompatMode parameter.
The agent owner has the following tasks:
  • Provide the policy administrator with the URLs corresponding to the sensitive resources. The policy administrator creates rules to protect the sensitive resources.
  • Create an .FCC file by which reauthenticates users requesting access to sensitive resources. The agent owner provides the name of this .FCC file to the policy administrator. The policy administrator uses the name of the .FCC file to create the response. This response re-directs users to the new .FCC file for re-authentication when they request sensitive resources.
The policy administrator has the following tasks:
  • Modify an existing policy by adding components to protect the sensitive resources.
  • Restart the Policy Server.
The Agent Owner Creates an .FCC File That Contains the Directive for Sensitive Resources
Authenticating the users who request access to sensitive applications requires extra .FCC file. One .FCC file handles the original login of the user. The second .FCC file collects the credentials of the user when they are challenged before accessing a sensitive resource.
Follow these steps:
  1. Log on to the web server on which the agent protecting the sensitive resources operates.
  2. Locate the .FCC file that you use for login. The .FCC files are located in the following directory:
    web_agent_home/samples/forms
     
    web_agent_home
    Indicates the directory where the 
    CA Single Sign-On
     Agent is installed.
    Default
     (Windows 32-bit installations of 
    CA Single Sign-On
     Web Agents only): C:\Program Files\CA\webagent
    Default
     (Windows 64-bit installations [
    CA Single Sign-On
     Web Agents for IIS only]): C:\Program Files\CA\webagent\win64
    Default
     (Windows 32-bit applications operating on 64-bit systems [Wow64 with 
    CA Single Sign-On
     Web Agents for IIS only]): C:\Program Files(x86)\webagent\win32
    Default
     (UNIX/Linux installations): [set the Installation Path variable]/webagent
    Duplicate the FCC file that you use for your login form. Save the duplicate with a unique file name. For example, if you use the login.fcc file for your login form, rename the duplicate file to sensitive_login.fcc.
  3. Open the duplicate file with a text editor.
  4. Locate the following section:
    <!-- SiteMinder Encoding=ISO-8859-1; --> @username=%USER% @smretries=0
  5. Add the following line (after the last line that begins with the @ symbol).
    @validateuser=1
  6. Save the file and close the text editor.
  7. Record the location of the file and inform the policy administrator.
    Repeat Steps 1 through 8 on each web server that protects the sensitive resource.
    Use the same file name and location for each web server.
The Policy Administrator Opens the Administrative UI to Change Policy Server Objects
Change the objects on your Policy Server by opening the Administrative UI.
Follow these steps:
  1. Open the following URL in a browser.
    https://
    host_name
    :8443/iam/siteminder/adminui
    • host_name
      Specifies the fully qualified Administrative UI host system name.
  2. Enter your  super user name in the User Name field.
  3. Enter the super user account password in the Password field.
    If your super user account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the super user account password is $password, enter
    $DOLLAR$password
    in the Password field.
  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Select Log In.
The Policy Administrator Disables the FCCCompatMode Parameter
Agents use an FCCCompatMode configuration parameter for backward compatibility with older versions of the product. For newer versions of the product (such as r12.5), this parameter must be disabled for better security when using certain features.
This procedure assumes you configure your agents centrally, using an agent configuration object on a Policy Server. If you use the local agent configuration method instead, disable the FCCCompatMode parameter in your LocalConfig.conf file.
Follow these steps:
  1. From the Administrative UI, click Infrastructure, Agent Configuration Objects.
  2. Click the edit icon next to the agent configuration object that you want.
  3. Locate the FCCCompatMode parameter.
  4. Verify that the value is set to no. If the value is yes, continue with the following steps:
    1. Click the edit icon to the left of the parameter.
      The Edit parameter dialog appears.
    2. Highlight the Value field, and then type no.
    3. Click OK.
      The Edit parameter dialog closes.
    4. Click Submit.
      The FCCCompatMode parameter is disabled and a confirmation message appears.
The Policy Administrator Modifies a Policy to Protect the Sensitive Resource
Modifying the policy is the first step that the policy administrator takes toward protecting sensitive resources. This modification designates some of the resources that the policy protects are considered sensitive.
Follow these steps:
  1. From the Administrative UI, click Policies, Domain, Domains.
  2. Click the edit icon that corresponds to the domain containing the sensitive resources.
  3. Click the Policy tab.
    The Modify Policy: screen appears with the General tab selected.
  4. Click the Validate Identity check box.
  5. Click OK.
  6. Click Submit.
    A confirmation message appears.
  7. Continue with the next stop of creating a GET/POST rule in the policy.
The Policy Administrator Protects the URL of the Sensitive Resource with a GET POST Rule
Protecting the URL (of the sensitive resource) with a GET/POST rule is the next step that the policy administrator takes toward protecting sensitive resources. This rule designates that the URL protected by the policy is considered sensitive.
Follow these steps:
  1. From the Administrative UI, click Policies, Domain, Domain Policies.
  2. Click the edit icon that corresponds to the policy containing the URL of sensitive resource.
  3. Click the Rules tab.
  4. Click Add Rule.
    The Available Rules dialog appears.
  5. Click Create.
  6. Click the option button for the realm under which you want to create the rule, and then click Next.
  7. Create the GET/POST rule with the following steps:
    1. Enter a name and an optional description.
    2. Click the Resource field and enter the URL of the sensitive resource. The following example defines an HTML page named transfer_funds as the sensitive resource:
      transfer_funds.html
    3. Verify that the Web Agent actions option button is selected.
    4. Click the following items under the Action list:
      • Get
      • Post
    5. (Optional) define any time restrictions that you want.
  8. Click Finish.
    The Available rules dialog appears. The new GET/POST rule appears in the list.
  9. Click OK.
  10. Click Submit.
    The rule is added to the policy, and a confirmation message appears.
  11. Continue with the next stop of creating an OnValidateReject rule in the policy.
The Policy Administrator Creates an OnAccessValidateIdentity Rule for the Sensitive Resource
Creating an OnAccessValidateIdentity rule in the policy is the next step that the policy administrator takes toward protecting sensitive resources. This rule rejects the current credentials of the user which started the session. This rejection forces the user to re-authenticate before accessing the sensitive resource.
Follow these steps:
  1. From the Administrative UI, click Policies, Domain, Domain Policies.
  2. Click the edit icon that corresponds to the policy containing the URL of sensitive resource.
  3. Click the Rules tab.
  4. Click Add Rule.
    The Available Rules dialog appears.
  5. Click Create.
  6. Click the option button for the realm under which you want to create the rule, and then click Next.
  7. Create the OnAccessValidateIdentity rule with the following steps:
    1. Enter a name and an optional description.
    2. Click the Resource field and enter the URL of the sensitive resource. The following example defines an HTML page named transfer_funds as the sensitive resource:
      transfer_funds.html
    3. Click the Authorization events option button.
    4. Click the following item under the Action list:
      OnAccessValidateIdentity
    5. (Optional) define any time restrictions that you want.
  8. Click Finish.
    The Available rules dialog appears. The new OnAccessValidateIdentity rule appears in the list.
  9. Click OK.
  10. Click Submit.
    The rule is added to the policy, and a confirmation message appears.
  11. Continue with the next stop of creating a redirect response to the .FCC file.
The Policy Administrator Creates a Response That Redirects to the .FCC File
Creating a response is the next step that a policy administrator takes to require re-authentication for sensitive resources. The OnAccessValidateIdentity rule rejects the credentials that the user provided originally. The response re-directs the user to the new FCC form. Users requesting sensitive resources re-authenticate using the new FCC form.
Follow these steps:
  1. From the Administrative UI, click Policies, Domain, Domain Policies.
  2. Click the edit icon that corresponds to the policy containing the URL of sensitive resource.
  3. Click the Rules tab.
  4. Locate the OnAccessValidateIdentity rule, and click the Add Response button next to it.
  5. Click Create.
    The Create Response screen appears.
  6. Create a response with the following steps:
    1. Type a name and an optional description.
    2. Verify that the following items appear:
      • The
        CA Single Sign-On
        option button selected.
      • That Web Agent appears in the Agent Type drop-down list.
    3. Click Create Response Attribute.
    4. Click the Attribute drop-down list and select the following item:
      • WebAgent-OnValidate-Redirect
    5. Click the Variable Value field, and then enter the URI for the .FCC file that contains the directive for sensitive resources. Obtain this URI from the agent owner. The following example shows a URI for a file named sensitive_login.fcc:
      /samples/forms/sensitive_login.fcc
    6. Click OK.
    The Create Response screen appears with the response attribute from Step 6c in the list.
  7. Click OK.
  8. Click Submit.
    The response and response attribute are added to the rule, and a confirmation message appears.
  9. Continue with the next step of restarting the Policy Server.
The Policy Administrator Restarts the Policy Server
You restart the Policy Server for certain settings to take effect.
Follow these steps:
  1. Open the Policy Server Management Console.
  2. Click the Status tab, and click Stop in the Policy Server group box.
    The Policy Server stops as indicated by the red stoplight.
  3. Click Start.
    The Policy Server starts as indicated by the green stoplight.
    Note
    : On UNIX, execute the stop-ps and start-ps commands to restart Policy Server. To restart Policy Server and CA Risk Authentication, execute the stop-all and start-all commands.