000014982 - How to force the RSA Cookie to be created only for HTTP requests

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014982
Applies To: RSA Authentication Agent 5.3 for Web
            Windows Server 2003
            IIS 6.0
            RSA Cookie
Issue: The RSA Cookie works for both HTTP and HTTPS requests.
       The RSA Cookie is created after a successful authentication regardless of whether the request used HTTP or HTTPS.
Resolution: The RSA Authentication Agent for Web has no option to protect only the non-SSL or only the SSL connections of a site. SecurID protection is applied per "virtual host" (Apache terminology; a "Web Site" in IIS terminology), so if a virtual host has SecurID protection enabled, every listening port defined on that virtual host is protected. The cookie is created only after a successful SecurID authentication, regardless of the protocol the request used.

As a workaround, to protect a web site exclusively on one port, for example 80 (HTTP) but not 443 (HTTPS), create a second virtual host that listens only on port 80 and enable SecurID protection on that virtual host alone.
 
So, using an IIS example:

 
WebSites --> DefaultWebSiteSecurID : listening on port 80, no SSL configured, pointing to folder "C:\Inetpub\wwwroot", RSA protected.
WebSites --> DefaultWebSite : listening on port 443, SSL configured and required, pointing to folder "C:\Inetpub\wwwroot", not RSA protected.

That way, only non-SSL connections are SecurID protected. The same arrangement works in reverse: protect only the web site bound to port 443 and leave the port 80 site unprotected, so that the cookie is only ever issued over SSL and never crosses a cleartext connection.
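The following script is an added example and is not part of the RSA article. It sets up the two-site layout above on IIS 6.0 using the administration scripts that ship with Windows Server 2003 (adsutil.vbs and iisweb.vbs). It assumes the existing Default Web Site is metabase node W3SVC/1 and that the new site is created as W3SVC/2; iisweb.vbs prints the actual identifier, so adjust the paths if yours differ. The SSL certificate assignment and the SecurID protection toggle are performed in IIS Manager and are noted as comments rather than scripted.

```batch
@echo off
REM Added example (not from the RSA article): build the two IIS 6.0 web sites the
REM workaround describes. Run from a cmd prompt as an administrator on the IIS host.
REM Assumptions: Default Web Site = W3SVC/1, new site = W3SVC/2 (check iisweb.vbs output).

set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set IISWEB=cscript //nologo %SystemRoot%\System32\iisweb.vbs
set CONTENT=C:\Inetpub\wwwroot

REM 1. Default Web Site (W3SVC/1): SSL only. First remove its port 80 binding in
REM    IIS Manager (Default Web Site > Properties > Web Site > Advanced), otherwise the
REM    new site's :80 binding conflicts and the new site will not start. Then bind 443
REM    and require SSL for the whole site. The certificate itself is assigned via
REM    Properties > Directory Security > Server Certificate.
%ADSUTIL% set W3SVC/1/SecureBindings ":443:"
%ADSUTIL% set W3SVC/1/root/AccessSSL true

REM 2. DefaultWebSiteSecurID: new site on port 80, no SSL, same content folder.
%IISWEB% /create %CONTENT% "DefaultWebSiteSecurID" /b 80

REM 3. Verify the bindings of both sites before touching the RSA agent settings.
%ADSUTIL% get W3SVC/1/SecureBindings
%ADSUTIL% get W3SVC/2/ServerBindings

REM 4. In IIS Manager, open the properties of DefaultWebSiteSecurID only and enable
REM    SecurID protection on the tab the RSA Authentication Agent for Web adds.
REM    Leave Default Web Site unprotected. Because protection is per web site, every
REM    binding of DefaultWebSiteSecurID (here only :80) is now protected, and a cookie
REM    is issued only after a successful SecurID authentication on that site.
```

To reverse the arrangement (protect only HTTPS), enable SecurID protection on the W3SVC/1 site instead and leave the port 80 site unprotected; no other step changes.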
Notes: Installing the RSA Agent relies on permissions the web server already requires; the RSA Agent does not add or remove permissions on any web server, and the functionality of the web server is not altered by installing it. The RSA Agent behaves like a plugin on the web server.
Legacy Article ID: a45540
