We would like to use CA Identity Manager to manage credentials in CA AuthMinder.
We have some general questions:
- Any limitations if we use IM Arcot Connector to manage Arcot Endpoints?
- How to acquire the Arcot Endpoint on IM Provisioning Manager?
- How to do the basic configuration?
- How to create the credentials on IM Provisioning Manager?
- Where to collect the logs for troubleshooting?
Known Arcot Connector limitations on IM r12.6 (up to SP8)
Known enhancement idea
Where to download the connector
The Arcot (a.k.a. CA Strong Authentication or CA Advanced Authentication) Connector has been an OOTB component of the JCS connector installation package since IM r12.6 SP1. If you need an individual copy of the connector, please find it here
Acquire an Arcot endpoint on IM Provisioning Manager
- Confirm the AuthMinder server version and set the 'WebFort Server Version' field accordingly.
- 9744 is the AuthMinder transaction service port; it has to be configured and opened in the Arcot Administration Console.
- If the AuthMinder transaction service port 9744 is running in TCP mode, 'WebFort Server URL' is an HTTP URL.
- If the AuthMinder transaction service port 9744 is running in SSL mode, 'WebFort Server URL' is an HTTPS URL.
  In that case, the root certificate of the issuer that signed the AuthMinder server certificate has to be uploaded to the JCS trusted certificate store.
  This can be done in the JCS Console.
- If 'UDS Server URL' is an HTTPS URL, the root certificate of the issuer that signed the Arcot Application server certificate has to be uploaded to the JCS trusted certificate store as well.
- If AuthMinder or the Arcot Application server enforces two-way SSL, the JCS root certificate has to be imported on the AuthMinder side.
Logs for troubleshooting during endpoint acquisition
- On the JCS machine, turn on the verbose log:
  - cd <IM>\Connector Server\etc
  - rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.original
  - rename org.ops4j.pax.logging.cfg.verbose to org.ops4j.pax.logging.cfg
  - restart the JCS service via the Windows Service Control Panel
- On IdentityMinder Provisioning Manager, try to acquire the Arcot endpoint:
  - on the Endpoint tab, supply all required info and take a screenshot
  - on the Logging tab, enable all Message severity checkboxes for the Text file direction
  - click OK to acquire the endpoint and reproduce the issue
- Collect the following info:
  - the test time and duration
  - the collected screenshots
  - etatrans log
    Location: <IM>\Provisioning Server\logs\etatransyyyymmdd-hhmm.log
  - jcs log
    Location: <IM>\Connector Server\jcs\logs\jcs_daily.log.yyyymmdd
  - Endpoint log
    Location: <IM>\Connector Server\jcs\logs\Arcot\jcs_conn_*.*
- Upload the collected info to support.ca.com
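The verbose-log switch and the log collection above can be scripted. The PowerShell below is an added example, not part of the original article or of CA's tooling. It assumes $ImRoot is the <IM> install directory; the function names, the $OutDir default and the test-window.txt file are hypothetical.

```powershell
# Added example, not vendor code. $ImRoot stands for the <IM> install directory.
function Enable-JcsVerboseLog {
    param([Parameter(Mandatory)][string]$ImRoot)
    $etc      = Join-Path $ImRoot 'Connector Server\etc'
    $active   = Join-Path $etc 'org.ops4j.pax.logging.cfg'
    $verbose  = "$active.verbose"
    $original = "$active.original"
    # .original already present means the swap was done before; do not repeat it.
    if (Test-Path $original) { Write-Warning 'Verbose config is already active.'; return }
    if (-not (Test-Path $verbose)) { throw "Missing $verbose" }
    Rename-Item -Path $active  -NewName 'org.ops4j.pax.logging.cfg.original' -ErrorAction Stop
    Rename-Item -Path $verbose -NewName 'org.ops4j.pax.logging.cfg' -ErrorAction Stop
    Write-Host 'Restart the JCS service from the Windows Service Control Panel.'
}

function Export-ArcotSupportLog {
    param(
        [Parameter(Mandatory)][string]$ImRoot,
        [Parameter(Mandatory)][datetime]$TestStart,
        [Parameter(Mandatory)][datetime]$TestEnd,
        [string]$OutDir = (Join-Path $env:TEMP 'arcot-support')   # hypothetical default
    )
    $sources = @(
        @{ Name = 'etatrans'; Dir = 'Provisioning Server\logs';        Filter = 'etatrans*.log' },
        @{ Name = 'jcs';      Dir = 'Connector Server\jcs\logs';       Filter = 'jcs_daily.log*' },
        @{ Name = 'endpoint'; Dir = 'Connector Server\jcs\logs\Arcot'; Filter = 'jcs_conn_*.*' }
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    # Record the test time and duration alongside the logs.
    "start=$($TestStart.ToString('s')) end=$($TestEnd.ToString('s')) duration=$($TestEnd - $TestStart)" |
        Set-Content -Path (Join-Path $OutDir 'test-window.txt')
    foreach ($s in $sources) {
        $dir = Join-Path $ImRoot $s.Dir
        if (-not (Test-Path $dir)) { Write-Warning "Not found: $dir"; continue }
        $dest = Join-Path $OutDir $s.Name
        New-Item -ItemType Directory -Force -Path $dest | Out-Null
        # Keep only files written at or after the test started. Copy first:
        # live logs are held open by the services, and the copy is what gets zipped.
        Get-ChildItem -Path $dir -Filter $s.Filter -File |
            Where-Object { $_.LastWriteTime -ge $TestStart } |
            Copy-Item -Destination $dest
    }
    $zip = "$OutDir.zip"
    Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force
    return $zip
}
```

The screenshots still have to be added to the bundle by hand before uploading.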
Create an Arcot User
Create ArcotID credential
- Select Generate ArcotID Action: Create
Default ArcotID Profile Name: BasicArcotIDProfile
- Supply Reset ArcotID Validity End Date Time Option: Specific End Date
- Supply ArcotID Validity End Date time
- Supply ArcotID password
Typical Account Template
On an Arcot Account Template, the Default Profile Names have to be supplied, for example