Web Access Manager Details
Post on 21-Dec-2015
Agenda
• Overview
• Agent / WAM server interaction
• Agent configuration
• Expressing access policies
• Other notes
WAM Overview
Agents
• Application Web server plug-in
• Intercepts URL
• Decides when to ask for policy decisions
• Finds available WAM policy server
• Applies treatments
Server
• Holds policies and makes decisions
• Handles SSL-based authentications
• Reads/writes cookies
• Returns treatments
Agent / WAM Server Interaction
• A presented URL is passed to the WAM Server for access policy evaluation
• The WAM server returns a treatment to the agent
• The agent executes the treatment
[Diagram: Agent-WAM-User Flow. Participants: Browser, Agent (in the Web Server), WAM Policy Server, LDAP Registry, OTP Service. Messages shown: URL, Request, Policy referral, Challenge/Response, Confirm Credentials & Authorization, Confirm Credentials, Write cookie, Treatment Result.]
Agent Configuration
• Exempted URLs
– Those URLs which are outside WAM governance (e.g. public)
– A presented URL is first compared to the list of exempted URLs
– If the URL is exempted, then the agent allows the access itself
– Condition can be inverted to describe only those URLs which are under WAM control
Agent Configuration
• Access Logs
– No logging for exempted URLs
– Agent can log either only denied or both denied and allowed access
– Higher logging levels are for debugging purposes
WAM Agent Access Logs
Columns: Date & time | Session ID | Allow/deny comments
8/4/2006 9:12:26 28029:26e038 User tboard was allowed access to http://wamqa3.itcs.northwestern.edu:80/portal/index.html.
8/4/2006 9:12:45 28029:26e038 User tboard was denied access to http://wamqa3.itcs.northwestern.edu:80/zeta/pwd/tok/index.html.
Agent Configuration
• WAM server selection
– Agent-WAM connections must be persistent and cannot be load-balanced
– Agent is configured with a list of WAM servers to use in fail-over order
– At Northwestern, we will have a recommended configuration for each campus
[Diagram: Agent Failover. Two campuses (Campus A and Campus B), each with an agent in its web server receiving URLs, and four WAM servers (WAM 1, WAM 2, WAM 3, WAM 4). One campus's agent is configured with the fail-over order 1. WAM 3, 2. WAM 4, 3. WAM 1, 4. WAM 2; the other's with the order 1. WAM 1, 2. WAM 2, 3. WAM 3, 4. WAM 4.]
Expressing Policies
• Default treatment is to deny access (no applicable policy)
• Default access authentication method is NetID & password (level 0)
• General URL protection logic:
– Deny for a given level (c1) or below
– Allow for a higher level (c2) and above
– Generally, c2 = c1 + 1
Policy Rules Example
[Diagram: Authentication Testbed URL tree]
/public
/portal
/tau
  /tau/open
  /tau/pwd
    /tau/pwd/tok
    /tau/pwd/q
    /tau/pwd/p
/zeta
  /zeta/pwd
    /zeta/pwd/tok
Policy Rules
• Agent exemption for /zeta, /tau, /tau/open
• /zeta/pwd/tok – deny <= 0; allow >= 1
• /tau/pwd/tok – deny <= 0; allow >= 1
• By default, all other URLs require level zero authentication.
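The protection logic of the Expressing Policies slide and the Authentication Testbed rules above, modelled as an added example (not the WAM product's code). It assumes an unauthenticated user has level -1, that the exemption list is matched against the exact URL path (the testbed exempts /tau and /zeta yet still protects /tau/pwd/tok and /zeta/pwd/tok), and that protected URLs are matched by longest path prefix; the host name and user tboard come from the log sample on the slide.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed encoding (not on the slides): an unauthenticated user has level -1;
# level 0 is NetID & password, the slides' default authentication method.
UNAUTHENTICATED = -1

@dataclass(frozen=True)
class Rule:
    prefix: str  # URL path governed by this rule
    c1: int      # deny at this authentication level or below
    c2: int      # allow at this level or above (generally c2 = c1 + 1)

DEFAULT_RULE = Rule("/", UNAUTHENTICATED, 0)  # all other URLs require level zero authentication

def is_exempt(exempt, path, inverted=False):
    """Agent-side check made before any policy referral. Assumption: exact-path match,
    since the testbed exempts /tau and /zeta yet still protects /tau/pwd/tok and
    /zeta/pwd/tok. With inverted=True the list instead names the URLs under WAM control."""
    listed = path in exempt
    return not listed if inverted else listed

def evaluate(rules, path, level):
    """Server side: the most specific (longest-prefix) applicable rule decides."""
    hits = [r for r in rules if path == r.prefix or path.startswith(r.prefix.rstrip("/") + "/")]
    if not hits:
        return "deny"  # default treatment: no applicable policy
    rule = max(hits, key=lambda r: len(r.prefix))
    # Allow at c2 or above; deny at c1 or below and, failing closed, in any gap between.
    return "allow" if level >= rule.c2 else "deny"

def decide(exempt, rules, url, user, level, log):
    """Agent flow: exempted URLs are allowed locally and never logged; all others
    are referred to the server and the treatment is logged in the slides' format
    (date, time and session id omitted)."""
    path = urlsplit(url).path
    if is_exempt(exempt, path):
        return "allow"
    treatment = evaluate(rules, path, level)
    log.append(f"User {user} was {'allowed' if treatment == 'allow' else 'denied'} access to {url}.")
    return treatment

# Authentication Testbed policy from the slides.
TESTBED_EXEMPT = {"/zeta", "/tau", "/tau/open"}
TESTBED_RULES = [DEFAULT_RULE, Rule("/zeta/pwd/tok", 0, 1), Rule("/tau/pwd/tok", 0, 1)]

def testbed_run(host="http://wamqa3.itcs.northwestern.edu:80"):
    log, cases = [], [("/portal/index.html", 0), ("/zeta/pwd/tok/index.html", 0),
                      ("/zeta/pwd/tok/index.html", 1), ("/tau/open", 0), ("/portal/index.html", UNAUTHENTICATED)]
    return [decide(TESTBED_EXEMPT, TESTBED_RULES, host + p, "tboard", lvl, log) for p, lvl in cases], log
```

The two logged lines for user tboard reproduce the allow and deny entries shown on the WAM Agent Access Logs slide, while the /tau/open request produces no log entry at all.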
Other Notes
• WAM server-side logs are strictly for debugging – they do not record deny/allow by user
• All connections are encrypted via SSL
• Agents have credentials for authenticating to the WAM server