|Applies To||RSA Access Manager 4.8 Agent|
|Issue||AxM - What is the purpose of the RSA 4.8 Agent parameter "cleartrust.agent.trusted_domains_list"|
This is a new feature introduced in RSA Agent version 4.8. It did not exist in previous versions, so those versions could be exposed to a man-in-the-middle attack.
|Resolution||The cleartrust.agent.trusted_domains_list feature is to prevent someone from doing a man in the middle attack by substituting the CT_ORIG_URL with some bogus site and having CT redirect them there without them knowing.|
This could occur if the ct_logon page's POST to itself with the ct_orig_url is intercepted and the form data is modified.
Although it can be enabled on a per-virtual-host basis, it really should be used globally (if you want to guard against this type of attack). If you enable it only for a particular virtual host, not all web sites on the server will benefit from this protection.
The agent takes any incoming URL, extracts the domain name from it and compares that against the domain list provided. If there is no match, CT_ORIG_URL is not set, so redirection to the bogus URL cannot take place; the user in that case ends up at the ct_home page.
|Notes||# Specifies a list of domain names that can be trusted by the agent. Do not|
# specify fully qualified domain names (FQDN).
# 1. Agents participating in ISSO environment should include respective master
# or slave domain names in this parameter.
# 2. Mandatory to add domain name of this host, if this parameter is not
# Allowed Values:
# Comma-separated list of valid domain names (do not prepend with a period).
# cleartrust.agent.trusted_domains_list=rsact.com, rsa.com
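The following is an added illustration of the check described in the Resolution, written for this article and not the agent's own code. It parses a trusted_domains_list value in the format shown in the notes (sample value rsact.com, rsa.com), extracts the host from a CT_ORIG_URL with urllib, and falls back to a home page whose URL is a hypothetical placeholder; the decision to let same-host relative paths through is my assumption.

```python
from urllib.parse import urlsplit

# Constructed sample value in the same format as the agent parameter above:
# registrable domain names, comma separated, no leading period, no FQDNs.
TRUSTED_DOMAINS_LIST = "rsact.com, rsa.com"
CT_HOME_PAGE = "https://portal.example/ct_home"  # hypothetical ct_home page


def parse_trusted_domains(value: str) -> set[str]:
    """Split the comma-separated parameter into normalised domain labels."""
    return {d.strip().lower().lstrip(".") for d in value.split(",") if d.strip()}


def host_is_trusted(host: str, trusted: set[str]) -> bool:
    """Label-wise suffix match: 'www.rsa.com' matches 'rsa.com'.

    A plain endswith() would also accept 'evilrsa.com', so require either an
    exact match or a '.' boundary before the trusted domain.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def resolve_redirect(ct_orig_url: str, trusted: set[str], home: str) -> str:
    """Return the post-logon target: the original URL only if its host is trusted.

    Anything else (untrusted host, userinfo trick, scheme-relative '//host',
    non-http scheme, malformed absolute URL) sends the user to the home page,
    mirroring the behaviour described for the 4.8 agent.
    """
    parts = urlsplit(ct_orig_url)
    host = parts.hostname  # drops userinfo and port; None for relative paths
    if host is None:
        # Absolute URL with no parseable host (e.g. "https:\\evil") is rejected;
        # a plain relative path stays on the current virtual host (assumption).
        return home if parts.scheme else ct_orig_url
    if parts.scheme not in ("", "http", "https"):
        return home
    return ct_orig_url if host_is_trusted(host, trusted) else home


if __name__ == "__main__":
    trusted = parse_trusted_domains(TRUSTED_DOMAINS_LIST)
    for url in ("https://www.rsa.com/app", "https://rsa.com@evil.example/",
                "https://evilrsa.com/", "//evil.example/x", "/portal/home"):
        print(f"{url:40} -> {resolve_redirect(url, trusted, CT_HOME_PAGE)}")
```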
|Legacy Article ID||a41502|