

Query String Encryption of Redirect URLs

When a Web Agent communicates with credential collectors, such as the FCC and SCC, the Password Services application (CGI or JSP), or a Cookie Provider, it uses protocol parameters that are shown in clear text in the redirection URL.

The Web Agent can now encrypt all SiteMinder query parameters in a redirect URL, further securing Agent interactions. The Web Agent encrypts only data sent between SiteMinder components; redirects to non-SiteMinder applications are not encrypted.

When query string encryption is enabled, the Web Agent encrypts query data when it returns a 302 redirect response to the browser. The 302 response redirects the user to another SiteMinder resource.

All the query parameters are grouped into a single query parameter called smquerydata. When the SecureUrls parameter is enabled, SiteMinder denies access to any request that does not have an encrypted smquerydata parameter, where required.

The SecureUrls feature is not supported when any of the following parameters are enabled:

FCCCompatMode

Enables an FCC/NTC to serve forms for resources that are protected by 4.x Web Agents or by third-party applications.

Note: SMUSRMSG is supported for the custom authentication scheme only when FCCCompatMode is set to yes.
Limits: yes, no

Default: (traditional agents) Yes

Default: (framework agents) No

Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.

LegacyEncoding

Forces the Web Agent to replace any dollar sign ($) characters in legacy URLs with a hyphen (-). This also ensures backward compatibility with MSR, Password Services, and DMS. When this parameter is set to no, a Web Agent converts the string $SM$ to -SM-. When this parameter is set to yes, the Web Agent does not convert the dollar sign ($) character.

Default: (Framework Agents) No

Default: (Traditional Agents) Yes

If the SecureUrls parameter is set to yes, the Web Agent ignores the values of the previous parameters, even if they are set to yes. When this happens, these parameters have a value of no in the Agent logs, regardless of their settings in the configuration object or configuration file, as shown in the following example:

[12/Jul/2005:05:23:57-975-1-0] SecureUrls: 'YES'
[12/Jul/2005:05:23:57-975-1-0] FccCompatMode: 'NO'
[12/Jul/2005:05:23:57-975-1-0] LegacyEncoding: 'NO'

FCC Directive for Encoding Query Strings of Redirect URLs

You can encrypt the query strings of redirect URLs for credential collectors. The credential collectors provide the keys that are used to encrypt the query data.

For forms authentication schemes, the query string directive, smquerydata, is part of the FCC template. The agent serving the FCC uses this directive to send the encrypted query data to the target agent when the FCC is posted.

The following directive is used:

<INPUT type='hidden' name='smquerydata' value='$$smquerydata$$'>

Note: If you are using custom FCCs, add the smquerydata directive, together with the other FCC directives such as TARGET, to the custom FCC.
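Two checks an administrator can run when rolling out SecureUrls, covering the redirect behaviour described above and the custom-FCC directive: the first flags 302 Location URLs to a credential collector that still carry clear-text SiteMinder parameters or lack smquerydata, the second confirms that an FCC template contains the smquerydata hidden-input directive. This is an added example, not CA code; it assumes that collector resources are recognised by their file extension, and the sample URLs and template are constructed.

```python
"""Audit helpers for a SecureUrls rollout (constructed sample data)."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: credential-collector resources are identified by these extensions.
COLLECTOR_EXTENSIONS = (".fcc", ".scc", ".ntc", ".ccc")

# The directive every FCC template must carry when SecureUrls is enabled:
#   <INPUT type='hidden' name='smquerydata' value='$$smquerydata$$'>
DIRECTIVE_RE = re.compile(
    r"<input[^>]*\bname=['\"]smquerydata['\"][^>]*"
    r"\bvalue=['\"]\$\$smquerydata\$\$['\"][^>]*>",
    re.IGNORECASE,
)


def audit_redirect(location):
    """Return a list of findings for one 302 Location URL (empty = clean).

    With SecureUrls enabled, a redirect to a credential collector should
    carry its SiteMinder parameters only inside the single smquerydata
    parameter; anything else is still in clear text in the URL.
    """
    parts = urlsplit(location)
    if not parts.path.lower().endswith(COLLECTOR_EXTENSIONS):
        return []  # not a collector: SecureUrls does not apply to this redirect
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if not any(k.lower() == "smquerydata" for k in params):
        findings.append("missing smquerydata (denied when SecureUrls is enabled)")
    clear = sorted(k for k in params if k.lower() != "smquerydata")
    if clear:
        findings.append("clear-text parameters: " + ", ".join(clear))
    return findings


def fcc_has_directive(template):
    """True if the FCC template contains the smquerydata hidden-input directive."""
    return DIRECTIVE_RE.search(template) is not None


# Constructed sample inputs: an encrypted redirect, a clear-text one, and a
# redirect to an ordinary application resource that SecureUrls does not cover.
SAMPLE_REDIRECTS = [
    "https://sso.example.com/siteminderagent/forms/login.fcc?smquerydata=AbC123xyz",
    "https://sso.example.com/siteminderagent/forms/login.fcc?TARGET=https://app.example.com/",
    "https://app.example.com/home",
]


def audit_samples():
    """Map each sample URL to its findings; run this to see the checks in action."""
    return {url: audit_redirect(url) for url in SAMPLE_REDIRECTS}
```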

SiteMinder r12.0 SP3 agents with the SecureUrls parameter enabled can operate only with credential collectors served from other agents that support this functionality.