| Back | Next | Contents | Cams Web Agent Guide |
Cams web agents are integrated into web and application servers to protect the resources that they provide. When a user's web browser makes a request to a web or application server, the Cams web agent asks a Cams policy server is access is granted or denied. The Cams web agent enforces the response, including prompting for user authentication if required.
This document provides instructions on how to install and configure the Cams IIS web agent. The Cams IIS web agent is a Microsoft Internet Information Server version 4.0, 5.0, and 6.0 ISAPI filter and extension for Windows NT 4.0, Windows 2000, and Windows 2003 systems. The instructions that follow apply to all supported versions of Windows except where specifically noted.
NOTE: For known issues with the Cams IIS web agent, see ReleaseNotes.html found in the root directory of the Cams IIS web agent distribution.
These instructions guide you through the installation of Cams IIS web agent on a Windows NT/2000 server with IIS already installed. If IIS is not yet installed, you must first do so. You must also download the Cams IIS web agent.
The Cams IIS web agent is packaged in a zip file that contains documentation and the Setup.exe installer. Unzip the distribution into a temporary directory of your choice and double click on the Setup.exe file to begin the installation. The distribution files will install by default into:
c:\cams-webagent-iis
The installer defaults to the drive Windows is installed on (typically c:). You can install to another directory, but you must preserve the Cams IIS web agent subdirectory structure. You will also be given the option to install convenience Windows Start menu items to view the Cams Web Agent Guide and to open the cams-webagent.conf file. The final installer screen provides options to complete the installation:
After installing, open the Windows explorer to the directory where your installed the Cams IIS web agent. You should see the files and subdirectories shown in Figure 1.
<!-- Cams IIS web agent documentation and license --> README.txt LICENSE.txt ReleaseNotes.html Setup.exe <!-- Cams IIS web agent scripts and dlls files --> cams\camsclient_mt_cams_1_0.dll |
| Figure 1 - Directory listing of the Cams IIS web agent files after installation |
NOTE: Setup.exe is provided for convenience in copying files, setting up Start menu options, and configuring the Cams IIS web agent. You can also unzip the distribution to a directory of your choice and browse to the the configuration file, open the documentation, and launch the Internet Services Manager.
The Cams IIS web agent is configured in the cams-webagent.conf file. In addition, you also need to use the Internet Services Manager to configure a filter and a cams virtual directory. This section describes the configuration requirements.
NOTE: To secure resources on your IIS server, you'll also need to configure a Cams security domain. See the Cams Policy Server Configuration section in this document for more information.
Open the c:\cams-webagent-iis\conf\cams-webagent.conf file in a text editor. The file contains comments to help you understand the property values that you may need to change, as shown in Table 1.
| Name | Description |
|---|---|
| cams.cluster.name |
The name of the Cams cluster to which this agent will delegate requests. This value is used to identify Cams session cookies originating from a Cams cluster installation. The default value is MyCamsCluster. NOTE: Every Cams policy server is a member of a cluster, even if the cluster contains only a single server. |
|
cams.server.url.<server-name> |
The URL of a Cams policy server to be used. The actual name of the configuration property will depend on the Cams policy server name. For example:
One property must exist for each Cams policy server in your cluster. For example, the following properties configure an agent for a two node Cams policy server cluster:
Each URL has the form cams://host:port, where host is a host name or an IP address. For example:
WARNING: If the Cams IIS web agent and Cams policy server communicate through a firewall, the firewall must be configured to allow general TCP/IP traffic on the configured Cams policy server port. |
| cams.heartbeat.interval | The interval (in seconds) the Cams Web Agent will send heartbeat messages to the Cams Policy Server to ensure it's availability. |
| cams.cluster.debug |
Toggle on/off clustering debug messages. WARNING: Turning on debug can have an adverse affect on Cams web agent performance. |
| cams.debug |
Toggle on/off debug messages. WARNING: Turning on debug can have an adverse affect on web agent performance and will cause the log file to grow rapidly. Use this flag only while debugging the Cams IIS web agent configuration. Disable debug messages for production use. |
| cams.error.url |
The relative or fully qualified URL to redirect to if an error occurs during authentication or when accessing a protected resource. WARNING: The access control policy must ensure that access to the error page is granted. |
| cams.denied.url |
The relative or fully qualified URL to redirect to if access to a protected resource is denied by the Cams policy server. WARNING: The access control policy must ensure that access to the denied page is granted. |
| cams.login.uri |
The Cams IIS web agent will interpret POST requests to this exact URI as a login (authentication) request. The login URI can be on a different system from the one making the request. Posted parameters (usually hidden fields) MUST include:
and will also usually include callback parameters used by Cams policy server login modules. For example:
The actual callback parameters posted must match those expected by the callback handler login module configured with the specified security domain login config entry. |
| cams.logout.uri |
The Cams IIS web agent will interpret any request to this exact URI as a logout request. The logout URI can be on a different system from the one making the request. Because a given user may be logged into multiple security domains simultaneously, the web page, servlet, JSP, or script referencing this URI must specify the security domain name associated with the logout request as a query parameter. For example, if a web agent hosted on web server www.mysite.com has: cams.logout.uri=/cams/logout then the following request will attempt to logout the user that is logged into security domain system: http://www.mysite.com/cams/logout?cams_security_domain=system |
| cams.after.logout.url | The URL to which a user is directed AFTER successful logout. This might be a web site or portal home page. |
| cams.loginconfig.entry | The login-config-entry to use to authenticate clients. This value corresponds to a login-config-entry that is defined in the corresponding security domain's login-config.xml file, which defines the login modules, callback handler, and any login parameters. Typically, the type value http is used for web resources. |
| cams.access.check.cache | Enable/disable the access control check cache. Caching improves performance by enabling the web agent to remember a previous access control check Cams policy server response for a specified period of time. The Cams IIS web agent currently caches ONLY responses associated with unconditionally granted resources. This enables general resources like GIF and JPEG image files, javascript, style sheets, to avoid unnecessary access control checks. Access to a resource protected by a Cams access control policy is unconditionally granted if the permission matching the resource directly references the Cams intrinsic access control rule. |
| cams.access.check.cache.size | The maximum number of access control responses that can be cached at a given time. Once the cache is full, newly cached responses will eject the least recently used cached response. |
| cams.access.check.cache.refreshTime | The amount of time, in minutes, that is allowed before an access control request is sent to the Cams policy server to check if the cache should be cleared. This ensures that agents can detect changes to a Cams access control policy within this period, forcing the cache to be flushed if necessary. |
| cams.session.cache | Enable/disable session caching. Session caching enables the servlet API and cgi-bin applications to access Cams session attributes as HTTP Request header values. |
| cams.session.hijacking.protection.enable |
Enable/disable Cams session hijacking protection. Use true
to enable and false to disable
hijacking protection. An extra hash value is appended to the base session
identifer and validated each time a Cams session id cookie value is received.
Unless the request is received from an HTTP browser with the same HTTP
request headers (Accept-Language and User-Agent) the session is considered |
| cams.session.hijacking.protection.algorithm |
The message digest algorithm used to compute a unique hash value for hijacking protection. The following algorithms are supported:
|
| cams.session.hijacking.protection.salt |
A unique site value combined as an ingredient with all other session and HTTP request header parameters to ensure that the message digest hash value is unique for a given deployment environment. The default value is epsom. NOTE: Choose a value unique to your site for maximum protection. |
| cams.http.headers | Enable/disable setting of Cams HTTP request headers. If enabled web pages, servlets, JSPs, ASPs, and cgi-bin scripts will have access to HTTP request headers. See the Cams Programmer's Guide - Webapp Programming for a full list of the HTTP request header names and site-specific user attribute values that can be made available to web applications. Disabling Cams request headers when not used improves performance. |
| cams.http.headers.accept.proxied | Enable the agent to accept CAMS HTTP Headers that have been proxied to this web agent via another Cams web agent. The default value is false. |
| connection.authentication.type |
The type of authentication the Cams IIS web agent will use to authenticate connections that it establishes with the Cams policy server. Currently supported types include:
NOTE: this is NOT the authentication type used to authenticate users, it is the type used to authenticate the agent. |
| connection.authentication.principal | The principal (or username) a Cams IIS web agent will use to authenticate connections it establishes with a Cams policy server. |
| connection.authentication.credential | The credential (or password) a Cams IIS web agent will use to authenticate connections it establishes with a Cams policy server. |
| connection.start.timeout |
The number of seconds an agent will wait for a connection to a Cams policy server to start before aborting the attempt. |
| connection.authentication.timeout | The maximum time (in seconds) that a Cams IIS web agent will wait for a response from a Cams policy server. |
| connection.checkAccess.timeout |
The number of seconds an agent will wait for a response from a Cams policy server when attempting to authenticate itself before timing out. |
| cams.skey.algorithm |
The algorithm to be used when encrypting and decrypting selected values sent to/received from the Cams server. Valid values include: None, Blowfish, DES, and DESede (triple DES). If None, then selective encryption is disabled. Blowfish uses a 16 byte encryption key, DES uses an 8 byte key, and DESede uses a 24 byte key. For more information, see: Cams Administrator's Guide - Securing Cams Communications using Secret Keys. |
| cams.skey.key | The secret encryption/decryption key in hexidecimal format. The actual number of bytes used depends on the algorithm, although it is legal to supply more key bytes than needed. |
|
cams.skey.iv |
The encryption/decryption initialization vector in hexidecimal format. This should be an 8 byte (16 hex digit) value. |
| logger.file.append |
(OPTIONAL) If set to true all log messages will be appended to the end of the existing log file. If false the current log file will be overwritten. The default value is false. WARNING: Turning on debug will cause the log file to grow rapidly. |
Table 1 - Import configuration values that you may need to change in cams-webagent.conf
The other properties in this file configure debug and the Cams message protocol. You should not change the message protocol values unless instructed to do so by Cafésoft support.
NOTE: The other two files in the Cams IIS web agent
conf directory (access-control.properties
and webagent.properties) externalize
messages used by the Cams IIS web agent to report errors, warnings, etc. The
contents of these files can be replaced with custom, language-specific messages.
Support is not provided for the presentation of locale-specific values based
upon a browser's international settings.
The Cams IIS web agent filter is an ISAPI extension responsible for enforcing authentication and access control decisions made by a Cams policy server.
If you have not already done so, launch the Internet Services Manager and expand the tree menu.
After you restart the IIS server, you should check the Cams IIS web agent filter to ensure it is correctly initialized by right clicking on the web site and selecting Properties. When you click the ISAPI Filters tab, you should see a green arrow by the Cams IIS Web Agent filter as shown in Figure 1.
Figure 1 - Cams IIS web agent filter after successful installation
NOTE: If you are running multiple web sites on your IIS server then you must add the Cams IIS web agent filter to each web site you want to protect. Alternatively, you can install the Cams IIS web agent filter at the IIS server-level in which case it will protect all server web sites. To do so, right click on the IIS server and select Properties. In the dialog, select the Edit button and add the Cams IIS web agent filter in the ISAPI filters tab as described above.
The order in which ISAPI DLLs execute depends on the priority of the filter as well as the order in which it appears in the ISAPI filters property page in Internet Services Manager. A filter's priority can be either high, medium or low. Filters with a higher priority will execute first, while filters with the same priority setting will capture notifications in the order in which they appear in the ISAPI property page. The Cams IIS web agent filter is set to high priority. If the Cams IIS web agent filter is not at the top of a list a filters, select it and use the arrow buttons on the left to move it to the top of the list.
The Cams IIS web agent virtual directory provides login, denied, and error page resources as well as an ISAPI DLL Cams uses for redirects and authentication services.
If you have not already done so, launch the Internet Services Manager and expand the tree menu.
You should see the cams virtual directory in the Internet Services Manager tree. Right click the cams virtual directory and select Properties. You should see a window similar to the one shown in Figure 2.
Figure 2 - Cams virtual directory configuration
Provided you have already configured a Cams security domain, you should now be ready to test this Cams IIS web agent installation. An self-documented test page is provided in the cams virtual directory that you can use for testing.
WARNING: To avoid security policy conflict, you should remove native IIS security from resources protected by Cams.
NOTE: The instructions in this section apply to Windows 2003®/IIS 6.0 only.
With Windows Server 2003/IIS 6.0, Microsoft has taken a more proactive stance against malicious users and attackers. By default, IIS serves only static content -- meaning the Cams IIS Web Agent and features like ASP, ASP.NET, Server-Side Includes, WebDAV publishing, and FrontPage® Server Extensions do not work unless enabled.
WARNING: If you do not enable the Cams IIS Web Agent as a Web Service Extension, IIS will return a 404 error when the Cams IIS web agent attempts to authenticate a user.
In addition, the standard Cams IIS web agent login, error, and access denied pages are Active Server Pages (.asp), which require use of the ASP.DLL Web Service Extension.
WARNING: If you plan to use the Cams-provided login.asp, error.asp, and denied.asp pages, you'll need to enable the associated ASP Web Service Extension. If your site already makes use of ASPs, then this extension is already enabled.
You can configure these web service extensions, by manipulating the web service extensions node in IIS Manager to allow and prohibit web service extensions. Add new web service extensions. Allow the web service extensions that a specified application can call. Prohibit all web service extensions from running on the local computer. You can enable or disable web service extensions individually if they are registered in the web service extensions node in IIS Manager.
You must be a member of the Administrators group on the local computer to perform the following procedure, or you must have been delegated the appropriate authority.
To enable the Cams IIS Web Agent as an IIS web service extension:
Figure 3 shows the settings used to enable a Cams IIS web agent installed in the default location.
Figure 3 - Populating the new web service extension dialog box (Windows 2003/IIS 6.0)
Figure 4 shows the web service extensions pane after the Cams IIS web agent has been added and allowed as a web service extension.
Figure 4 - The web service extensions pane after adding the Cams IIS web agent extension (Windows 2003/IIS 6.0)
WARNING: The Microsoft documentation indicates (in some places) that All Unknown ISAPI Extensions may be allowed (see Figure 4). Although this would enable the Cams IIS web agent extension to execute within Windows 2003/IIS 6.0, it may also enable unknown and untrusted extensions to execute. Consequently, it is not recommended to allow All Unknown ISAP Extensions.
If you have not done so already, you should secure important IIS configuration and log directories. They may contain IIS SSL certificates, configuration files containing passwords or secret keys, and log files containing sensitive information.
Typically, IIS is started as a Windows service. The general strategy for securing Cams-related configuration files and directories is to:
In the instructions that follow, it is assumed that the IIS server is started by Administrator on your Windows NT/2000/2003 system. This example assumes that you are logged in as Administrator to your Windows NT/2000/2003 server.
This is done using the Windows NT/2000/2003 graphical user interface.
From the same Security tab used in Step 1:
The cams virtual directory includes four sample Active Server Pages (Asps) written in Microsoft Jscript:
You should browse to cams-webagent-test.asp to understand how to configure and use it for testing. The page is posted to the URI specified by the cams.login.uri property in cams-webagent.conf along with the following form name/value pairs:
When you click the submit button, the Cams IIS web agent intercepts the POST to the cams.login.uri and sends the request to the Cams server. The request includes the security domain and a login-config-entry, which the Cams servers will use to attempt login. If you successfully authenticate and are authorized (depending upon how you configure the security domain), the browser is redirected to the cams_orginal_url and user specific information is displayed by cams-webagent-test.asp.
When you request a protected resource that requires authentication and Cams doesn't know your user identity, the Cams IIS web agent displays a login page as specified in the corresponding security domain's login-config.xml file. Instead of hard coding the security domain, login configuration, and original URL, Cams dynamically provides these values to the login page as shown Example 1.
WARNING: You must correctly configure the login-parameters in the security domain's login-config.xml file or the login page will not be displayed. See the Cams Administrator's Guide - Login Configuration for more information on configuring login-parameters in login-config.xml.
<!-- Populate hidden fields from their request parameters -->
<input type="hidden" name="cams_security_domain"
value="<%= Request.QueryString("cams_security_domain") %>">
<input type="hidden" name="cams_login_config"
value="<%= Request.QueryString("cams_login_config") %>">
|
| Example 1 - login.asp example login page |
The difference between cams-webagent-test.asp and login.asp are that you arrive at the former lazy authentication login page after requesting a resource for which your identity is unknown to the Cams policy server. Because of the resource request, Cams knows the security domain and login-config-entry to which the resource belongs (and, of course, the original URL).
If you are denied access to a resource by Cams, the page specified by the cams.denied.url property in cams-webagent.conf is displayed. Example 2 shows a script that displays dynamic messages.
<!-- Display any dynamic access denied messages --> |
| Example 2 - denied.asp displays any dynamic access denied messages |
If an error occurs, Cams displays the page specified by the cams.error.url property in cams-webagent.conf. Example 3 shows a script that displays dynamic messages.
<!-- Display any dynamic error messages -->
<%
var message = null;
message = Request.QueryString("message");
if (message != null)
{
%>
<p class="error"><%= message %></p>
<%
}
%>
|
| Example 3 - error.asp displays any dynamic error messages |
NOTE: In order to ensure that the browser does not cache these pages, it is important that you use the following HTML Meta tags in the HEAD section of each page:
<meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Cache-Control" content="no-cache"> <meta http-equiv="Expires" content="-1">
The Cams IIS web agent installs with default configuration properties. However, you may find it beneficial to configure your installation to more adequately meet the requirements of your environment. See Cams Web Agent Optimizations to learn more about Cams IIS web agent optimizations.
Before you start the IIS server with a Cams IIS web agent, you'll need to ensure that the Cams policy server knows about it. See Web Agent-specific Cams Policy Server Configuration to learn more about Cams policy server configuration requirements.
That's it, you should now be able to start IIS to test your Cams IIS web agent configuration. After you've started both IIS with the Cams IIS web agent and the Cams policy server, test the configuration using:
http://[hostname:port]/cams/cams-webagent-test.asp
Login to an account in the security domain that you've established. See the test page for more configuration and testing information.
© Copyright 1996-2004 Cafésoft LLC. All rights reserved.