How to manage Arcot Endpoint on IM Provisioning Manager

Document ID : KB000046475
Last Modified Date : 14/02/2018

Introduction:

We would like to use CA Identity Manager to manage credentials in CA AuthMinder.

Question:

We have some general questions:

  • Are there any limitations if we use the IM Arcot Connector to manage Arcot endpoints?
  • How do we acquire the Arcot endpoint on IM Provisioning Manager?
  • How do we do the basic configuration?
  • How do we create the credentials on IM Provisioning Manager?
  • Where do we collect the logs for troubleshooting?

Environment:

  • IM r12.6

Answer:

Known Arcot Connector limitations on IM r12.6 (up to SP8)

Known enhancement idea

Where to download the connector

The Arcot (a.k.a. CA Strong Authentication or CA Advanced Authentication) Connector has been an out-of-the-box (OOTB) component of the JCS connector installation package since IM r12.6 SP1. If you need the individual copy of the connector, please find it here

Acquire an Arcot endpoint on IM Provisioning Manager

  1. Confirm the AuthMinder server version and adjust the value in the 'WebFort Server Version' field.
  2. 9744 is the AuthMinder transaction service port; it has to be configured and opened on the Arcot Administration Console.
  3. If AuthMinder transaction service port 9744 is working in TCP mode, 'WebFort Server URL' is an HTTP URL.
  4. If AuthMinder transaction service port 9744 is working in SSL mode, 'WebFort Server URL' is an HTTPS URL.
    In that case, the root certificate of the issuer that signed the AuthMinder server certificate has to be uploaded to the JCS trusted certificate store.
    This can be done on the JCS Console.
  5. If 'UDS Server URL' is an HTTPS URL, the root certificate of the issuer that signed the Arcot Application server certificate has to be uploaded to the JCS trusted certificate store as well.
  6. If AuthMinder or the Arcot Application server enforces two-way SSL, the JCS root certificate has to be imported on the AuthMinder side.

Logs for troubleshooting during Endpoint Acquisition

  1. On the JCS machine, turn on the verbose log:
    • cd <IM>\Connector Server\etc
    • rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.original
    • rename org.ops4j.pax.logging.cfg.verbose to org.ops4j.pax.logging.cfg
  2. Restart the JCS service via the Windows Service Control Panel.
  3. On IdentityMinder Provisioning Manager:
    • try to acquire the Arcot endpoint
    • on the Endpoint tab, supply all required info; take a screenshot
    • on the Logging tab, enable all Message severity checkboxes on Text file direction
    • click OK to acquire the endpoint and reproduce the issue
  4. Collect the following info:
    • the test time and duration
    • the collected screenshots
    • etatrans log
      Location: <IM>\Provisioning Server\logs\etatransyyyymmdd-hhmm.log
    • JCS log
      Location: <IM>\Connector Server\jcs\logs\jcs_daily.log.yyyymmdd
    • Endpoint log
      Location: <IM>\Connector Server\jcs\logs\Arcot\jcs_conn_*.*
  5. Upload the collected info to support.ca.com.
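
The collection procedure above as a PowerShell script. This is an added example, not CA tooling or part of the original article. `$ImRoot` (the `<IM>` install directory) and `$JcsService` (the Windows service name of the JCS) are install-specific values you must supply, and the final restore step is an addition that the steps above do not list.

```powershell
param(
    [Parameter(Mandatory)][string]$ImRoot,      # the <IM> directory; install-specific
    [Parameter(Mandatory)][string]$JcsService,  # JCS Windows service name; install-specific
    [string]$OutDir = "$env:TEMP\arcot-acquire-logs"
)
$ErrorActionPreference = 'Stop'
$etc  = Join-Path $ImRoot 'Connector Server\etc'
$name = 'org.ops4j.pax.logging.cfg'

function Enable-VerboseJcsLog {
    # Step 1: keep the active config as .original, then activate the .verbose copy.
    if (-not (Test-Path (Join-Path $etc "$name.verbose"))) { throw "Missing $name.verbose in $etc" }
    if (Test-Path (Join-Path $etc "$name.original")) { throw "$name.original exists; verbose logging may already be on" }
    Rename-Item (Join-Path $etc $name) "$name.original"
    Rename-Item (Join-Path $etc "$name.verbose") $name
    Restart-Service -Name $JcsService           # step 2
}

function Restore-JcsLog {
    # Addition (not in the steps above): put the original config back after the test.
    Rename-Item (Join-Path $etc $name) "$name.verbose"
    Rename-Item (Join-Path $etc "$name.original") $name
    Restart-Service -Name $JcsService
}

function Save-AcquireLogs([datetime]$Start) {
    # Step 4: copy only the log files written since the test started.
    $patterns = @(
        'Provisioning Server\logs\etatrans*.log',
        'Connector Server\jcs\logs\jcs_daily.log*',
        'Connector Server\jcs\logs\Arcot\jcs_conn_*.*'
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    foreach ($p in $patterns) {
        Get-ChildItem -Path (Join-Path $ImRoot $p) -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Start } |
            Copy-Item -Destination $OutDir
    }
    # Record the test time and duration alongside the logs.
    "Test start: $Start  end: $(Get-Date)" | Set-Content (Join-Path $OutDir 'test-window.txt')
    Compress-Archive -Path "$OutDir\*" -DestinationPath "$OutDir.zip" -Force
    return "$OutDir.zip"
}

$start = Get-Date
Enable-VerboseJcsLog
Read-Host 'Reproduce the endpoint acquisition in Provisioning Manager (step 3), then press Enter'
$zip = Save-AcquireLogs -Start $start
Restore-JcsLog
"Collected logs: $zip"
```

Screenshots from step 3 still have to be added to the archive by hand before uploading.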

Create an Arcot User



Create ArcotID credential

  1. Select Generate ArcotID Action: Create
    Default ArcotID Profile Name: BasicArcotIDProfile
  2. Supply Reset ArcotID Validity End Date Time Option: Specific End Date
  3. Supply ArcotID Validity End Date time
  4. Supply ArcotID password

Typical Account Template

On an Arcot Account Template, the Default Profile Names have to be supplied, for example


Additional Information:

N/A