
Web Access Manager Details


fordon

Presentation Transcript


  1. Web Access Manager Details

  2. Agenda • Overview • Agent / WAM server interaction • Agent configuration • Expressing access policies • Other notes

  3. WAM Overview • Agents: Application Web server plug-in; Intercepts URL; Decides when to ask for policy decisions; Finds available WAM policy server; Applies treatments • Server: Holds policies and makes decisions; Handles SSL-based authentications; Reads/writes cookies; Returns treatments

  4. Agent / WAM Server Interaction • A presented URL is passed to the WAM Server for access policy evaluation • The WAM server returns a treatment to the agent • The agent executes the treatment

  5. Agent-WAM-User Flow

  6. Agent Configuration • Exempted URLs • Logging • WAM server selection

  7. Agent Configuration • Exempted URLs • Those URLs which are outside WAM governance (e.g. public) • A presented URL is first compared to the list of exempted URLs • If the URL is exempted, then the agent allows the access itself • Condition can be inverted to describe only those URLs which are under WAM control

  8. Agent Configuration • Access Logs • No logging for exempted URLs • Agent can log either only denied or both denied and allowed access • Higher logging levels are for debugging purposes

  9. WAM Agent Access Logs • Allow/deny comments • Session ID • Date & time

  10. Agent Configuration • WAM server selection • Agent-WAM connections must be persistent and cannot be load-balanced • Agent is configured with a list of WAM servers to use in fail-over order • At Northwestern, we will have a recommended configuration for each campus

  11. Agent Failover

  12. Expressing Policies • Default treatment is to deny access (no applicable policy) • Default access authentication method is NetID & password (level 0) • General URL protection logic: • Deny for a given level (c1) or below • Allow for a higher level (c2) and above • Generally, c2 = c1 + 1

  13. Policy Rules Example

  14. Policy Rules • Agent exemption for /zeta, /tau, /tau/open • Zeta/pwd/tok – deny =< 0; allow >= 1 • Tau/pwd/tok – deny =< 0; allow >= 1 • By default, all other URLs require level zero authentication.

  15. Other Notes • WAM server-side logs are strictly for debugging – they do not record deny/allow by user • All connections are encrypted via SSL • Agents have credentials for authenticating to the WAM server

  16. Q & A
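
The decision flow from slides 7, 8, 12 and 14, as an added example that is not part of the original presentation or of the WAM product: the agent checks its exemption list first, otherwise asks the server, which applies the c1/c2 level thresholds and denies when nothing applies. Assumptions: exemptions match exact paths, policy rules match by longest path prefix, level -1 stands for an unauthenticated user, paths are canonicalized before matching, and treatments are reduced to the strings "allow" and "deny".

```python
import posixpath
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    prefix: str      # URL path the rule protects (prefix matching is an assumption)
    deny_max: int    # c1: deny this authentication level and below
    allow_min: int   # c2: allow this authentication level and above

# Constructed values modelled on the "Policy Rules" slide.
EXEMPT = {"/zeta", "/tau", "/tau/open"}        # agent-side exemptions, exact match assumed
RULES = [
    Rule("/zeta/pwd/tok", deny_max=0, allow_min=1),
    Rule("/tau/pwd/tok", deny_max=0, allow_min=1),
    Rule("/", deny_max=-1, allow_min=0),       # all other URLs need level 0; -1 = unauthenticated (assumed)
]

def normalize(path: str) -> str:
    """Collapse repeated slashes and dot segments so matching sees one canonical path."""
    return posixpath.normpath(re.sub(r"/+", "/", path))

def server_decide(path: str, level: int, rules=RULES) -> str:
    """Server side: return the treatment for a canonical path and authentication level."""
    matches = [r for r in rules
               if path == r.prefix or path.startswith(r.prefix.rstrip("/") + "/")]
    if not matches:
        return "deny"                          # no applicable policy: default deny
    rule = max(matches, key=lambda r: len(r.prefix))   # most specific rule wins (assumption)
    if level <= rule.deny_max:
        return "deny"                          # checked first, so a misordered rule fails closed
    if level >= rule.allow_min:
        return "allow"
    return "deny"                              # gap between c1 and c2: nothing applies

def agent_handle(path: str, level: int, log: list, log_allowed: bool = False) -> str:
    """Agent side: exemption check, then ask the server and apply its treatment."""
    path = normalize(path)
    if path in EXEMPT:
        return "allow"                         # decided locally; exempted URLs are not logged
    treatment = server_decide(path, level)
    if treatment == "deny" or log_allowed:     # log denied only, or denied and allowed
        log.append((path, level, treatment))
    return treatment
```

Because the exemption is checked before any policy, the exemption list and the policy rules have to be compared against the same canonical form of the path.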
