Tech Tip – Enhanced Session Assurance with Device DNA

The Enhanced Session Assurance feature prevents session hijacking and replay. When a user logs in, a DeviceDNA™ check fingerprints the end-user device. By default the device is re-fingerprinted every five minutes and the new fingerprint is compared against the original fingerprint taken at login. If the fingerprints do not match, the user is prompted to log in again, which ensures that a session cannot continue from a different device.
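The following Python sketch, added here as an illustration and not code from CA Access Gateway or the Policy Server, models the check described above: a fingerprint is captured at login and bound to the session token, re-validated once the five-minute interval has elapsed, and the session is invalidated on mismatch so the user must log in again. The attribute names, the server key and the HMAC binding are assumptions for the example; the article does not describe how DeviceDNA collects or stores its fingerprint.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side key used to bind a fingerprint to a session token
# (constructed for this example; not a product setting).
SERVER_KEY = b"example-server-key-not-for-production"
# Default re-validation interval from the article: five minutes.
CHECK_INTERVAL_SECONDS = 300


def fingerprint(attrs: dict) -> str:
    """Derive a stable fingerprint from device attributes.

    Attributes are canonicalised by sorting keys so that collection order never
    changes the result (assumed normalisation for this example).
    """
    canonical = "\n".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def bind(token: str, fp: str) -> str:
    """Bind a fingerprint to one session token.

    Because the token is part of the MAC input, a fingerprint replayed together
    with a different (stolen) token does not validate.
    """
    return hmac.new(SERVER_KEY, f"{token}|{fp}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    token: str
    bound_fp: str      # bind(token, fingerprint) captured at login
    last_check: float  # time of the last successful fingerprint validation
    valid: bool = True


class SessionAssurance:
    def __init__(self, interval: int = CHECK_INTERVAL_SECONDS):
        self.interval = interval
        self.sessions: dict[str, Session] = {}

    def login(self, device_attrs: dict, now: float) -> str:
        """Issue a session token and record the device fingerprint taken at login."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, bind(token, fingerprint(device_attrs)), now)
        return token

    def validate(self, token: str, device_attrs: dict, now: float) -> str:
        """Return 'not_due', 'ok' or 'reauth_required' for a request on this session."""
        session = self.sessions.get(token)
        if session is None or not session.valid:
            return "reauth_required"
        if now - session.last_check < self.interval:
            return "not_due"  # interval not elapsed; no re-fingerprint yet
        if hmac.compare_digest(session.bound_fp, bind(token, fingerprint(device_attrs))):
            session.last_check = now
            return "ok"
        # Mismatch: invalidate the session so the user must log in again.
        session.valid = False
        return "reauth_required"


def demo() -> list:
    """Walk a session through the interval, a mismatch and the resulting lock-out."""
    sa = SessionAssurance()
    # Constructed device attributes; real DeviceDNA inputs are not listed in the article.
    laptop = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080", "tz": "UTC"}
    token = sa.login(laptop, now=0)
    results = [
        sa.validate(token, laptop, now=60),    # before interval: not_due
        sa.validate(token, laptop, now=300),   # interval elapsed, same device: ok
    ]
    other_device = dict(laptop, screen="1366x768")
    results.append(sa.validate(token, other_device, now=600))  # mismatch: reauth_required
    results.append(sa.validate(token, laptop, now=900))        # session already invalid
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is the last two steps of `demo()`: once a fingerprint mismatch is seen the session is marked invalid, so even a later request from the original device is refused until the user authenticates again, which is the behaviour the article describes for a failed fingerprint match.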

ENVIRONMENT

  • CA Access Gateway: 12.6 and above
  • Policy Server/Admin UI: 12.6 and above

Configuration:

CA Access Gateway
  • Install CA Access Gateway
  • Configure CA Access Gateway to use SSL for the front-end Apache
  • Ensure the Session Assurance application is enabled in server.conf:

    <Context name="SessionAssuarance Application">
        docBase="sessionassuranceapp"
        path="authapp"
        enable="yes"
    </Context>

  • Ensure the SACExt ACO parameter value is .sac
  • Ensure the IgnoreExt ACO parameter contains the .sac extension

CA SSO Policy Server
  • Install CA SSO Policy Server
  • Create a Session Assurance End Point
  • Enable the Session Store on the Policy Server

  • Add the Session Assurance End Point to the realm for which you want to enable session assurance. (Configuring the realm as persistent is optional.)

(Optional) Configure Log Files for Troubleshooting

1. Enable audit logs and Enhanced Tracing on the Policy Server.

Navigate to the following key in the registry editor:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports

Add the following DWORD value:

“Enable Enhance Tracing”=1

The audit logs contain the authentication and authorisation activity related to the Session Assurance flow.

2. Enable debug logging for the Session Assurance application on CA Access Gateway.

Navigate to CA\secure-proxy\Tomcat\webapps\sessionassuranceapp\WEB-INF\classes and set the log level to DEBUG in log4j.properties as below:

# Define the root logger with appender SAFileAppender
log4j.rootLogger = DEBUG, SAFileAppender
# Set the appender named SAFileAppender to be a File appender
log4j.appender.SAFileAppender=org.apache.log4j.FileAppender
log4j.appender.SAFileAppender.File=${catalina.base}/../proxy-engine/logs/SessionAssuranceApp.log
log4j.appender.SAFileAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.SAFileAppender.layout.conversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:- %m%n

Testing:

[Screenshot: test_fiddler_session_assurance (Fiddler capture of the session assurance test)]
