Security

Quick Tip: Encrypted Pass Through Authentication (EPTA) Initialization Vectors

When setting up Encrypted PTA, configuring the correct Initialization Vector in the PTA_ENCRYPTION_IV configuration setting can be confusing. I find the setting documentation misleading unless you really understand what it is asking for.

Per the field documentation:

Security Vulnerabilities in Customer Portal pagesets

If your Customer Portal site has a "mobile" or "basic" directory and associated pages in your "views/pages" directory, your site might be at risk, especially if you don't use these pages! For nearly all sites created since the release of CP2, this will be the case unless you've taken manual steps to remove them.

SAML Knowledge Roundup


RightNow + SAML is a pain: impossible to debug, but possible to do. The following is a running collection of tips and knowledge around implementing SAML in RightNow.

Verify Peer setting with RightNow cURL

When making an HTTPS connection with cURL, it is essential to validate the certificate of the host you are connecting to. While it is possible to turn off this verification using the CURLOPT_SSL_VERIFYPEER cURL option, doing so leaves your code vulnerable to man-in-the-middle attacks.

Other developers I know (myself included) tend to turn off PEER verification while doing initial development because dealing with certs is often a PITA. I always tell myself, I'll just deal with that later; I have much more important business logic to write.

Agent SSO Lessons Learned: SAML and Security Zones

Configuring SAML SSO for the CX Agent Console is always a painful process. Online documentation is vague and mostly lacking. Additionally, there is absolutely no way to debug a problem when your initial configuration fails: there are no available logs, and the visible error message gives no indication of what specifically failed. There is some ability to have tracing enabled, but RightNow Customer Care will not do so willingly.

Catching Requests Rejected by the F5 Security Module

The F5 is a security layer that filters all incoming and outgoing traffic to any site hosted on the PS pod. Yes, all traffic. If it sees anything it doesn't like, based on some secure, cryptic string parsing rules, it will reject the entire request, kick back a 503 error (for some reason), and puke out an ugly HTML page with a long support ID.
