Need Evidence of Encrypted Communication Between the API Gateway and Siteminder Policy Server

Document ID : KB000118819
Last Modified Date : 01/11/2018
Question:
We have an auditing requirement to provide evidence (a screenshot, or CA documentation) of encrypted communications between the API Gateway and Siteminder Policy servers. Can you please explain how this communications channel works? The gateway policy manager does not seem to have any TLS configuration options for this in the Single Sign-On wizard. 

 
Answer:
The communication between the APIM Gateway and the SSO Policy Server is handled by the Single Sign-On (SSO) SDK, acting as a custom agent. The SDK is invoked each time one of the Single Sign-On assertions communicates with the Policy Server:

• CA Single Sign-On Check Protected Resource
• Authenticate Against CA Single Sign-On
• Authorized via CA Single Sign-On
• Change CA Single Sign-On User Password (new)

The encryption is the same as for any standard SSO Agent, or any custom agent built with the SDK, when it talks to the Policy Server:

NON-FIPS (classic mode): The Policy Server/Agent encrypted data channel uses the RC4 stream cipher with SHA-1 for message integrity. The shared secret is used to mutually authenticate the Agent and the Policy Server.
The “TLI Handshake” establishing the above channel uses the RC2 block cipher and the MD5 digest algorithm.

FIPS: The Policy Server/Agent encrypted data channel uses the AES block cipher in OFB mode with HMAC-SHA256 for message integrity.
The “TLI Handshake” establishing the above channel uses the AES Key Wrap algorithm and the SHA-256 digest algorithm.

The modes are defined in the "CA Single Sign-On Configuration properties" under the FIPS Mode setting:
• COMPAT (classic mode)
• MIGRATE (mixed mode)
• ONLY (FIPS only)