Previous Topic: How to Configure the FCC to Allow Windows AuthenticationNext Topic: Tune the Performance of the FCC

Web Agent GuidesWeb Agent Configuration GuideForms AuthenticationHow to Configure a CA SiteMinder® Agent to Support HTML Forms AuthenticationConfigure Advanced FCC SettingsHow to Allow the NTC to Encode URLs During Redirects to Protected Resources

How to Allow the NTC to Encode URLs During Redirects to Protected Resources

CA SiteMinder® can protect resources using Windows credential collectors (NTCs). Users submit their credentials to the NTC, then the NTC logs the user in to the IIS web server. The IIS web server authenticates the user. The NTC redirects the user to the protected (TARGET) resource after authentication.

The NTC normally encodes the characters in the TARGET portion of the URL during the request, but not during the redirect after authentication. You can change your agent configuration so that the TARGET portion of the URL is encoded during the redirect. The following illustration describes this behavior:

This flowchart describes how the NTC encodes the URL for the TARGET (protected) resource during requests before authentication but not in redirects after authentication

The following illustration shows the process of allowing the NTC to encode URLs during requests for protected resources:

Graphic showing how to Allow NTCs to Encode TARGET URLs During Redirects

To allow the NTC to encode URLs during re–directs to protected resources, follow these steps:

  1. Choose the procedure that matches your agent configuration method from the following list:
  2. For agents using local configuration, repeat Step 1c for each web server.

    The NTC uses encoded URLs during redirects to protected resources.

Change the Policy Server Objects

Change the objects on your Policy Server by opening the Administrative UI.

Follow these steps:

  1. Open the following URL in a browser. 
    https://host_name:8443/iam/siteminder/adminui
    host_name

    Specifies the fully qualified Administrative UI host system name.

  2. Enter your CA SiteMinder® superuser name in the User Name field.
  3. Enter the CA SiteMinder® superuser account password in the Password field.

    Note: If your superuser account password contains dollar‑sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the CA SiteMinder® superuser account password is $password, enter $DOLLAR$password in the Password field.

  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Select Log In.

Change the Value of the DisableI18N parameter in your Agent Configuration Object

You can configure Windows credential collectors to process HTTP encoded characters in target URLs for centrally configured web agents. Centrally–configured web agents use parameter settings stored in an Agent Configuration object on the Policy Server.

Follow these steps:

  1. Click the Infrastructure, Agent Configuration Objects.

    A list of Agent Configuration objects appears.

    Click the edit icon in the line Agent Configuration Object you want.

    The Modify Agent Configuration dialog appears.

  2. Click the edit icon to the left of the following parameter:
    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

    Default: No.

    The Edit Parameter dialog appears.

  3. Change the text in the Value field to yes.
  4. Click OK.

    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.

  5. Click the edit icon to the left of the following parameter:
    BadUrlChars

    Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.

    You can specify the following characters:

    • a backward slash (\)
    • Two forward slashes (//)
    • Period and a forward slash (./)
    • Forward slash and a period (/.)
    • Forward slash and an asterisk (/*)
    • An asterisk and a period (*.)
    • A tilde (~)
    • %2d
    • %20
    • %00-%1f
    • %7f-%ff
    • %25

    Separate multiple characters with commas. Do not use spaces.

    You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.

    Default: Disabled (all characters are allowed).

    Limits:

    • The default hexadecimal numbers apply to English characters. For other languages, remove any hexadecimal values that correspond to the characters of the language that you want to allow. Examples of such languages include (but are not limited to), Brazilian Portuguese, French, Japanese, and Chinese.
    • You can specify characters literally. You can also enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
    • You can specify a maximum number of 4096 characters (including commas that are used for separating characters).
    • You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
    • Specify any quotation marks (") with the URL-encoded equivalent of %22. Do not use ASCII.

    The Edit Parameter dialog appears.

  6. Remove the following text from the Value field: 
    ,%25
  7. Click OK.

    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.

  8. Click Submit.

    The Modify Agent Configuration dialog closes, and a confirmation message appears.

  9. (Optional) Enter any remarks about the change in the Comment field for future reference.
  10. Click Yes.

    Your changes will be applied the next time the Web Agent polls the Policy Server.

Change the Value of the DisableI18N parameter in your LocalConfig.conf File

You can configure Windows credential collectors to process HTTP encoded characters in target URLs. Locally–configured web agents use parameter settings stored in a configuration file on each web server.

Follow these steps:

Locate the LocalConfig.conf file on your web server. Use the examples in the following list to locate the file on your type of web server:

IIS web server

web_agent_home\bin\IIS

Oracle iPlanet web server

Oracle_iPlanet_home/https-hostname/config

Apache web server

Apache_home/conf

  1. Open your LocalConfig.conf file with a text editor, and then locate the following parameter:
    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

    Default: No.

  2. Change the value of the DisableI18n parameter to yes.
  3. Locate the following parameter:
    BadUrlChars

    Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.

    You can specify the following characters:

    • a backward slash (\)
    • Two forward slashes (//)
    • Period and a forward slash (./)
    • Forward slash and a period (/.)
    • Forward slash and an asterisk (/*)
    • An asterisk and a period (*.)
    • A tilde (~)
    • %2d
    • %20
    • %00-%1f
    • %7f-%ff
    • %25

    Separate multiple characters with commas. Do not use spaces.

    You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.

    Default: Disabled (all characters are allowed).

    Limits:

    • The default hexadecimal numbers apply to English characters. For other languages, remove any hexadecimal values that correspond to the characters of the language that you want to allow. Examples of such languages include (but are not limited to), Brazilian Portuguese, French, Japanese, and Chinese.
    • You can specify characters literally. You can also enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
    • You can specify a maximum number of 4096 characters (including commas that are used for separating characters).
    • You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.

    Specify any quotation marks (") with the URL-encoded equivalent of %22. Do not use ASCII.

  4. Remove the following values from the BadURLChars list: 
    ,%25
  5. Save the changes to your LocalConfig.conf file, and then close the text editor.
  6. Repeat Steps 1 through 5 on all web servers which you want to change.

    Windows credential collectors are allowed to process HTTP encoded characters in TARGET URLs.