Web Access Manager Details
Agenda • Overview • Agent / WAM server interaction • Agent configuration • Expressing access policies • Other notes
WAM Overview • Agents: application web server plug-in; intercepts the URL; decides when to ask for policy decisions; finds an available WAM policy server; applies treatments • Server: holds policies and makes decisions; handles SSL-based authentications; reads/writes cookies; returns treatments
Agent / WAM Server Interaction • A presented URL is passed to the WAM Server for access policy evaluation • The WAM server returns a treatment to the agent • The agent executes the treatment
Agent Configuration • Exempted URLs • Logging • WAM server selection
Agent Configuration • Exempted URLs • Those URLs which are outside WAM governance (e.g. public) • A presented URL is first compared to the list of exempted URLs • If the URL is exempted, then the agent allows the access itself • Condition can be inverted to describe only those URLs which are under WAM control
Agent Configuration • Access Logs • No logging for exempted URLs • Agent can log either only denied or both denied and allowed access • Higher logging levels are for debugging purposes
WAM Agent Access Logs (sample log screenshot; fields shown: allow/deny comments, session ID, date & time)
Agent Configuration • WAM server selection • Agent-WAM connections must be persistent and cannot be load-balanced • Agent is configured with a list of WAM servers to use in fail-over order • At Northwestern, we will have a recommended configuration for each campus
Expressing Policies • Default treatment is to deny access (no applicable policy) • Default access authentication method is NetID & password (level 0) • General URL protection logic: • Deny for a given level (c1) or below • Allow for a higher level (c2) and above • Generally, c2 = c1 + 1
Policy Rules • Agent exemption for /zeta, /tau, /tau/open • Zeta/pwd/tok – deny =< 0; allow >= 1 • Tau/pwd/tok – deny =< 0; allow >= 1 • By default, all other URLs require level zero authentication.
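The exemption check and the c1/c2 policy logic from the Agent Configuration, Expressing Policies and Policy Rules slides, as an added illustration (not Northwestern's WAM code). It assumes exemptions are exact path matches (the slide lists /tau and /tau/open separately), policies match by longest URL prefix, a level of None means unauthenticated, and rules use the slide's "deny =< c1; allow >= c2" syntax.

```python
"""Toy evaluator of the WAM decision logic described in the slides.
Added example; assumptions: exact-match exemptions, longest-prefix
policy matching, level None = unauthenticated."""
import re
from typing import Optional, Tuple

# Constructed configuration mirroring the "Policy Rules" slide.
EXEMPTED = {"/zeta", "/tau", "/tau/open"}
POLICIES = {
    "/zeta/pwd/tok": "deny =< 0; allow >= 1",
    "/tau/pwd/tok": "deny =< 0; allow >= 1",
}
# "All other URLs require level zero authentication" (level 0 = NetID & password).
DEFAULT_RULE = "deny =< -1; allow >= 0"

RULE_RE = re.compile(r"deny\s*=<\s*(-?\d+)\s*;\s*allow\s*>=\s*(-?\d+)")


def parse_rule(text: str) -> Tuple[int, int]:
    """Return (c1, c2) from a rule string; rejects overlapping thresholds."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    c1, c2 = int(m.group(1)), int(m.group(2))
    if c2 <= c1:
        raise ValueError("allow threshold must be above deny threshold")
    return c1, c2


def _under(url: str, prefix: str) -> bool:
    return url == prefix or url.startswith(prefix.rstrip("/") + "/")


def treatment(url: str, level: Optional[int]) -> str:
    """Treatment the agent would apply for url at the given auth level."""
    # Exempted URLs are allowed by the agent itself: no server round trip, no log.
    if url in EXEMPTED:
        return "allow:exempt"
    # Unauthenticated requests get the default method, NetID & password.
    if level is None:
        return "authenticate:netid-password"
    matches = [p for p in POLICIES if _under(url, p)]
    rule = POLICIES[max(matches, key=len)] if matches else DEFAULT_RULE
    c1, c2 = parse_rule(rule)
    if level >= c2:
        return "allow"
    # Level c1 or below is an explicit deny; a gap between c1 and c2 has
    # no applicable policy, and the default treatment is deny.
    return "deny"
```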
Other Notes • WAM server-side logs are strictly for debugging – they do not record deny/allow by user • All connections are encrypted via SSL • Agents have credentials for authenticating to the WAM server
Q & A