A malicious user can commit an XML signature wrapping attack by changing the content of a document without invalidating the signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can result in a signature verification failure.
Signature verification failures occur for the following reasons:
If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document is not conforming to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.
Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.
To disable the XML signature wrapping checks:
web_agent_option_pack_ home/affwebservices/web-INF/classes.
Note: If the web agent option pack is installed on the same system as the web agent, the file resides in the web_agent_home directory.
Note: The value of the DisableUniqueIDCheck setting must be the same for the Policy Server and the Web Agent Option Pack.
STAR issue: 21321479;1
|
Copyright © 2014 CA.
All rights reserved.
|
|