Manually create the required Policy Store objects to protect the R12.52x Access Gateway ProxyUI with CA Single Sign On.

Document ID : KB000009962
Last Modified Date : 14/02/2018
Introduction:

The R12.52x Access Gateway (formerly known as SiteMinder Secure Proxy Server) provides a ProxyUI, hosted by the Access Gateway, for configuration and administration of the Access Gateway. During configuration of the Access Gateway with the Configuration Wizard, you can choose to have the ProxyUI protected with Single Sign On policies. The Configuration Wizard creates the required Policy Store objects (Domain, Realms, Rules, Policies, etc.) to allow the ProxyUI to be protected with CA Single Sign On.

Background:

If the SiteMinder Administrator defined during the install/config does not have sufficient rights to create Policy Store objects, this step will fail, requiring manual configuration of the Policy Store objects. Likewise, if the Policy Server defined during the install/config is at an earlier version than the R12.52x Access Gateway, automatic creation of the Policy Store objects will fail and the objects must be configured manually.

 

NOTE: In a CA Single Sign On environment, the Policy Server should be at a version equal to or higher than any Agent in the environment.

Environment:
R12.52x CA Access Gateway
Instructions:

The configuration of the R12.52x Access Gateway will attempt to create the following Policy Store objects. If any of the following objects are not created automatically by the Configuration Wizard, please log into the SiteMinder Administrative UI as an Administrator with Full rights and create the objects:

 

1.) An Authentication Scheme called "AUTHSCHEME-SPSADMINUI".

 

Name: AUTHSCHEME-SPSADMINUI

Description: "AuthScheme for protecting Proxy Server Admin UI"

Authentication Scheme Type: HTML Form Template

Protection Level: 5

Password Policies Apply: enabled

Use Relative Target: enabled

Target: /proxyui/siteminderagent/forms/login.fcc

Library: smauthhtml

 

2.) A Domain that is called "DOMAIN-SPSADMINUI-<AgentName>".

 

Name: DOMAIN-SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Description: "Domain for protecting proxyUI".

 

3.) A Realm under this Domain called "REALM-SPSADMINUI-<AgentName>".

 

Name: REALM-SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Agent: same as <AgentName>

Resource Filter: /proxyui

Default Resource Protection: Protected

Authentication Scheme: Scheme created in step #1 Above.

 

4.) A Rule under this Realm called "RULE-SPSADMINUI-<AgentName>"

 

Name: RULE-SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Description: "Rule for protecting Proxy UI"

Resource: /*

Effective Resource: <AgentName>/proxyui/*

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Allow Access: enabled

Web Agent Actions: Post,Get

 

5.) An "unprotected" Sub-Realm under this Realm called "REALM-GRPSYNC_SPSADMINUI-<AgentName>"

 

Name: REALM-GRPSYNC_SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Resource Filter: /GroupSyncServlet

Effective Resource: <AgentName>/proxyui/GroupSyncServlet

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Default Resource Protection: Unprotected

Authentication Scheme: AUTHSCHEME-SPSADMINUI

 

6.) A Policy under the Domain called "POLICY-SPSADMINUI-<AgentName>".

 

Name: POLICY-SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.

Description: "Policy for protecting Proxy UI"

Rules: RULE-SPSADMINUI-<AgentName>

Where "<AgentName>" is the name of the Agent provided to the Configuration Wizard.
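
One way to double-check the six objects after entering them by hand, as an added example that is not part of the original article or of CA's tooling. The dict layout (object name mapped to field/value strings transcribed from the Administrative UI) and the agent name "agent1" are assumptions.

```python
# Added example: audit hand-entered ProxyUI policy objects against steps 1-6.
# Assumption: each object is a dict of field -> string value copied from the Admin UI.
def expected_objects(agent):
    """Return the objects from steps 1-6 for the given Agent name (descriptions omitted)."""
    scheme = "AUTHSCHEME-SPSADMINUI"
    return {
        scheme: {"Authentication Scheme Type": "HTML Form Template", "Protection Level": "5",
                 "Password Policies Apply": "enabled", "Use Relative Target": "enabled",
                 "Target": "/proxyui/siteminderagent/forms/login.fcc", "Library": "smauthhtml"},
        f"DOMAIN-SPSADMINUI-{agent}": {},  # only existence is checked
        f"REALM-SPSADMINUI-{agent}": {"Agent": agent, "Resource Filter": "/proxyui",
                                      "Default Resource Protection": "Protected",
                                      "Authentication Scheme": scheme},
        f"RULE-SPSADMINUI-{agent}": {"Resource": "/*", "Allow Access": "enabled",
                                     "Web Agent Actions": "Post,Get"},
        f"REALM-GRPSYNC_SPSADMINUI-{agent}": {"Resource Filter": "/GroupSyncServlet",
                                              "Default Resource Protection": "Unprotected",
                                              "Authentication Scheme": scheme},
        f"POLICY-SPSADMINUI-{agent}": {"Rules": f"RULE-SPSADMINUI-{agent}"},
    }

def effective_resources(agent, objs):
    """Derive the Effective Resource strings of steps 4 and 5 from the entered filters."""
    realm = objs.get(f"REALM-SPSADMINUI-{agent}", {}).get("Resource Filter", "")
    rule = objs.get(f"RULE-SPSADMINUI-{agent}", {}).get("Resource", "")
    sub = objs.get(f"REALM-GRPSYNC_SPSADMINUI-{agent}", {}).get("Resource Filter", "")
    return {"rule": agent + realm + rule, "subrealm": agent + realm + sub}

def audit(agent, actual):
    """Return a list of findings; an empty list means the objects match the article."""
    findings = []
    for name, fields in expected_objects(agent).items():
        if name not in actual:
            findings.append(f"missing object: {name}")
            continue
        for key, want in fields.items():
            got = actual[name].get(key)
            if got != want:
                findings.append(f"{name}: {key} is {got!r}, expected {want!r}")
    eff = effective_resources(agent, actual)
    want_eff = {"rule": f"{agent}/proxyui/*", "subrealm": f"{agent}/proxyui/GroupSyncServlet"}
    for key, want in want_eff.items():
        if eff[key] != want:
            findings.append(f"effective {key} resource is {eff[key]!r}, expected {want!r}")
    return findings

if __name__ == "__main__":
    entered = expected_objects("agent1")  # constructed sample: start from correct values
    entered["REALM-SPSADMINUI-agent1"]["Default Resource Protection"] = "Unprotected"
    print(audit("agent1", entered))       # reports the parent realm left unprotected
```
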

Additional Information:

After creating these objects, you will need to ADD a User Directory to the Domain, and then Modify the "Users" for the Policy to include those users allowed to access the ProxyUI.

If you are not using an External Admin Directory as the User Directory for this Domain, then you will receive an Error when you log into the ProxyUI:

 

"Error: Exception User might not have required permissions to get group information"

 

This will prevent you from doing "Administration>Group Configuration". If you refresh this page, the error will go away and you can then navigate through the ProxyUI tabs and menus.

 

Please refer to the KB Article entitled "How to resolve the "Error: Exception User might not have required permissions to get group information" when logging into the R12.52 SP1 ProxyUI." located at the following link:

http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1304259.html