Multiple Virtual Hosts with different ACO setting.

Document ID : KB000015395
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

We are looking to establish the following: 

Apache -- 2 vhosts -- both pointing to their own ACO setting with their own agent and Policies as well. 

NOTE: We need separate ACO and not just AgentName with 1 ACO. We have 2 separate entry channels (domain1.com and Domain2.com) and they need to have different ACO settings. 

Environment:
Policy Server: 12.51; Update: 00.05; Build: 1232; CR: 05 Policy Server OS: Windows Server 2008 r2 SiteMinder APACHE 2.2 WebAgent, Version 12.5, Update HF-01, Label 813. Agent OS: RHEL6
Answer:

It is dependent on how the web server is configured if it's a single Web Server instances e.g. Apache Instance (single httpd.conf) you could only have one ACO configured.

 

Apache we can create multiple instances of Apache using a single install of Apache. Thus, there is an httpd.conf per instance of Apache. 

We could now map a unique WebAgent.conf (with a unique ACO in each) to each httpd.conf. Each httpd.conf could be an independent WebSite (e.g. abc.com or xyz.com).

NOTE:

- A virtual host will not support different ACO but Apache instance will.

- The server Path within each WebAgent.conf has to be Unique so the Shared memory and Semaphore do not overlap.

- Running Vhost configuration with separate ACO can cause anomalies.

Additional Information:

To SSO between the two domain you will need to configure Security zones or Cookie provider:

 

All Web Agents can act as a CookieProvider. It is only a matter of designating one to act as the Cookie Provider. Pointing all other Web Agent to that CookieProvider.

 

For more info:

Using a Cookie Provider for Cross Domain SSO - CA Technologies

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec456839.aspx

 

For more info:

Security Zones for Single Sign-on

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/security-zones-for-single-sign-on