How to secure the ADMINUI with SSL communication?

Document ID : KB000049887
Last Modified Date : 14/02/2018

Description:

For security purposes, you may need to configure access to the SiteMinder ADMIN UI (embedded JBOSS) over SSL.

The steps are described below.

Solution:

  1. The SSL connector is disabled by default in the deployed server.xml file.
    The default server.xml file is located in the following directory:

    /<siteminder>/adminui/server/default/deploy/jboss-web.deployer/server.xml

    There are two (2) Connector sections in this XML file. The second is commented out and looks like the following:

    <!-- ENABLE SSL
    <Connector
    protocol="HTTP/1.1"
    address="${jboss.bind.address}"
    port="8443"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    emptySessionPath="true"
    enableLookups="true"
    maxPostSize="0"
    acceptCount="100"
    connectionTimeout="20000"
    minSpareThreads="5"
    maxSpareThreads="75"
    keystoreFile="${javax.net.ssl.keyStore}"
    keystorePass="${javax.net.ssl.keyStorePassword}"
    keystoreType="${javax.net.ssl.keyStoreType}"
    truststoreFile="${javax.net.ssl.trustStore}"
    truststoreType="${javax.net.ssl.trustStoreType}"
    truststorePass="${javax.net.ssl.trustStorePassword}" />
    ENABLE SSL -->

    The <!-- ENABLE SSL and ENABLE SSL --> tags around this connector disable it by turning it into a comment. You must remove these tags to enable the SSL connector.

  2. Note that this SSL connector uses variables that hold the values for the key store and trust store.
    You may either hardcode the values here, or set them in the config file, from which they are passed to this server.xml file at startup.

    If you hardcode the values here, then you are done enabling SSL. Once you restart, you should be able to access
    https://hostname:8443/iam/siteminder/adminui

    To configure the values in the setup.sh file that are passed to server.xml,
    edit /opt/CA/siteminder/adminui/bin/setup.sh and enter the keyStore directory,
    password, type, etc.

    The above file is called by the run.sh script when you start the ADMINUI.


****************************************************************************
CHANGE SSL PORT FOR WAMUI:

  1. Change the port that will be used for SSL. (Let's say we want to use 98443 as the new port.)
    The config file for this is located in the following directory:
    /<siteminder>/adminui/conf/service-bindings.xml

    The important line here:
    <binding name="secureConnector" host="R12SP3 CA SiteMinderWUx64"
    port="8443" />
    Change the secureConnector listening port:
    <binding name="secureConnector" host="R12SP3 CA SiteMinderWUx64"
    port="98443" />

    Once you change this, your WAMUI will listen at https://hostname:98443/iam/siteminder/adminui for SSL connections. YOU ARE NOT DONE. You must tell the server to use this port for SSL.

  2. Update
    /opt/CA/siteminder/adminui/server/default/deploy/jboss-web.deployer/server.xml

    You want to change the default ports in the server.xml file as below:

    In the first original Connector section you will want to update your redirect port.

    The redirect port tells the Tomcat server that, when it receives an https call on the default http port (8080), it should redirect it to the secure port (default 8443). You want to update this to the new port: 98443

    redirectPort="8443"
    update this to:
    redirectPort="98443"

    In the second SSL Connector section you will want to update the following port:
    port="8443"
    to the new port:
    port="98443"

    Restart the WAMUI. Load https://hostname:98443/iam/siteminder/adminui

    You will need to provide the certificate information for server.xml, or import it into the certificate database.
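
The procedure above touches three settings that must agree: the SSL connector being uncommented, the redirectPort on the plain connector, and the secureConnector binding. The following consistency check is an added example, not part of the original article or the product's tooling; the function names, the `<bindings>` wrapper element, the host value and the trimmed XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit(server_xml, bindings_xml):
    """Return findings; an empty list means the SSL port settings agree."""
    findings = []
    # ElementTree drops XML comments, so a connector still wrapped in
    # <!-- ENABLE SSL ... ENABLE SSL --> never appears in the parsed tree.
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        state = "still commented out" if "<!-- ENABLE SSL" in server_xml else "absent"
        return [f"SSL connector is {state}"]
    ssl_port = ssl[0].get("port")
    # Every non-SSL connector that declares a redirectPort must point at the SSL port.
    for c in connectors:
        redirect = c.get("redirectPort")
        if c not in ssl and redirect is not None and redirect != ssl_port:
            findings.append(f"redirectPort {redirect} on port {c.get('port')} "
                            f"connector != SSL connector port {ssl_port}")
    # The secureConnector binding in service-bindings.xml must match as well.
    for b in ET.fromstring(bindings_xml).iter("binding"):
        if b.get("name") == "secureConnector" and b.get("port") != ssl_port:
            findings.append(f"secureConnector binding port {b.get('port')} "
                            f"!= SSL connector port {ssl_port}")
    return findings

# Constructed samples, trimmed to the attributes the check reads.
PLAIN = '<Connector protocol="HTTP/1.1" port="8080" redirectPort="%s" />'
SSL = '<Connector protocol="HTTP/1.1" port="%s" SSLEnabled="true" scheme="https" secure="true" />'

def server_xml(redirect, ssl_port, enabled=True):
    """Build a minimal server.xml; enabled=False keeps the ENABLE SSL comment tags."""
    ssl = SSL % ssl_port
    if not enabled:
        ssl = "<!-- ENABLE SSL\n%s\nENABLE SSL -->" % ssl
    return "<Server><Service>\n%s\n%s\n</Service></Server>" % (PLAIN % redirect, ssl)

def bindings_xml(port):
    """Build a minimal service-bindings.xml holding only the secureConnector binding."""
    return ('<bindings><binding name="secureConnector" host="adminui-host" '
            'port="%s" /></bindings>' % port)

if __name__ == "__main__":
    print(audit(server_xml("8443", "8443", enabled=False), bindings_xml("8443")))
    print(audit(server_xml("8443", "98443"), bindings_xml("98443")))
    print(audit(server_xml("98443", "98443"), bindings_xml("98443")))
```

To run it against a real installation, pass the contents of server.xml and service-bindings.xml to `audit()` instead of the constructed samples.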