SiteMinder Installation and How To Integrate in CA SSO Cookbook

Document ID : KB000053813
Last Modified Date : 14/02/2018

Description:

SiteMinder is the recommended solution to migrate existing customers to, and to deploy for new customers, when Web-based resource protection is required.

Unlike CA SSO, SiteMinder does not provide a comprehensive setup routine for the repositories required to load and run the product.
The advantage of this approach is that SiteMinder allows various databases and directories, in different versions, to be integrated for its specific tasks, as long as they comply with the designated standards and interfaces.
However, the drawback is that a high level of knowledge and expertise is required to implement and operate the SiteMinder product.

This document should enable an experienced SSO Administrator to quickly implement SiteMinder and demonstrates how to integrate SiteMinder with CA SSO, by providing a step-by-step description of the setup of the respective components.

The guide focuses on components that are also typically used in an SSO Server environment and does not cover licensing, performance or optimisation.

It is strongly recommended to also review the relevant product documentation for CA SiteMinder, CA SSO, CA Directory and the third party products for background information on the individual components.

Solution:

Architectural Overview of the SiteMinder Infrastructure

Figure 1

Components, Platforms and Versions used

  • OS: Windows 2003
  • Web Server: MS Internet Information Server r6.0
  • Policy Store: CA Directory r8.1 (embedded in CA SSO Server r8.1)
  • Policy Server: SiteMinder r12 SP1
  • Application Server: jboss-4.0.5.GA
  • Object Store: MS SQL 2005
  • Administrator Store: MS Active Directory
  • User Directory: MS Active Directory

Account to install the components with

  • Log on as Domain\Administrator

Install Internet Information Server

  • Control Panel / Add Remove Programs / Windows Components
  • Application Server / IIS
  • Common Files / IIS Manager / WWW Service

Install Java Development Kit

  • download and install JDK 1.5.x (it also includes the JRE)

Create the Policy Store

  • on the SSO Server open a cmd and enter (DSA name, port and prefix; the DSA name must match the one used in the following steps)
    dxnewdsa SMPolicyStoreDSA 12380 o=SMPolicyStore
  • start the DSA in the cmd
    dxserver start SMPolicyStoreDSA
  • in the Services Control Panel set the service "eTrust Directory - SMPolicyStoreDSA" to start automatically

Prepare the Policy Store

  • connect anonymously with JXplorer to the newly created DSA (port 12380)
  • Create the Base Tree Structure for Policy Store Data
    ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=SMPolicyStore
  • Create the Directory Manager account
    cn=Directory Manager,o=SMPolicyStore
  • set the value for the userPassword attribute of the Directory Manager account

Install the Servlet Engine

  • open a cmd and cd into
    ..\ps-12.0-sp1-win32\thirdparty-tools\servlet-engine-5.0
  • execute ServletExec_ISAPI_50.exe and follow the wizard

Install the SiteMinder Policy Server

  • open a cmd and cd into
    ..\ps-12.0-sp1-win32
  • execute ca-ps-12.0-sp1-win32.exe and follow the wizard (keep the default settings)
  • point to the SMPolicyStoreDSA host for the Policy Store
    Port: 12380
    Root DN: o=SMPolicyStore
    Admin DN: cn=Directory Manager,o=SMPolicyStore
  • note the default SiteMinder user's password

Test Connectivity from SiteMinder Policy Server to Policy Store

  • open the SiteMinder Policy Server Management Console
  • Data tab / Test LDAP Connection
  • if unsuccessful verify LDAP Policy Store settings

Create the Policy Store Directory Schema

  • on the machine hosting the SMPolicyStoreDSA open a cmd and run the following commands
    copy "C:\Program Files\CA\siteminder\eTrust\netegrity.dxc" "%dxhome%\config\schema\"
    copy "C:\Program Files\CA\siteminder\xps\db\etrust.dxc" "%dxhome%\config\schema\"
    attrib -R "%dxhome%\config\schema\default.dxg"
    echo source "netegrity.dxc"; >> "%dxhome%\config\schema\default.dxg"
    echo source "etrust.dxc"; >> "%dxhome%\config\schema\default.dxg"
    dxschematxt default.dxg

Adjust Operational Settings for the Policy Store Directory

  • Add the following lines to the end of the DSA's DXI file (%DXHOME%\config\servers\SMPolicyStoreDSA.dxi):
    ...
    # cache configuration
    set max-cache-size = 100;
    set cache-index = all-attributes;
    set cache-attrs = all-attributes;
    set cache-load-all = true;
    set lookup-cache = true;
    set ignore-name-bindings=true;

    # Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the policy store.
  • edit %DXHOME%\config\limits\default.dxc (unset the file's read-only flag if necessary):
    # size limits
    set max-users = 1000;
    set credits = 5;
    set max-local-ops = 1000;
    set max-dsp-ops = 1000;
    set max-op-size = 2000;
    set multi-write-queue = 20000;

    # Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.
  • edit %DXHOME%\config\settings\default.dxc (unset the file's read-only flag if necessary):
    # security controls
    set min-auth = clear-password;

    # Note: This prevents anonymous binds to the SMPolicyStoreDSA; every client must bind with a DN and password.

Stop and Restart the SMPolicyStoreDSA

  • open a cmd and execute the following commands to make the modified settings effective:
    dxserver stop SMPolicyStoreDSA
    dxserver start SMPolicyStoreDSA
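
A scripted version of the LDAP connectivity test from the Policy Server Management Console, added here as an example (it is not part of the CA documentation or product): it performs two LDAPv3 simple binds against the policy store DSA using only the Python standard library, checking that the Directory Manager bind succeeds and that an anonymous bind is rejected once min-auth = clear-password is active. The host name and the admin password are placeholders; the port and DNs are the values used in this cookbook.

```python
import socket

def _ber_len(n):
    # BER length: short form below 128, long form (0x80 | count, then count bytes) above
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    body = _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_result(data):
    """Return the resultCode of a BindResponse (0 success, 49 invalidCredentials, ...)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)            # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:                          # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(resp, 0)          # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def ldap_bind_result(host, port, bind_dn, password, timeout=5):
    """Connect over plain LDAP (no TLS), bind once and return the resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_result(sock.recv(4096))

def check_policy_store(host, port, admin_dn, admin_pw):
    """(anonymous_rejected, admin_bind_ok): both must be True after the DXI changes above."""
    anon = ldap_bind_result(host, port, "", "")
    admin = ldap_bind_result(host, port, admin_dn, admin_pw)
    return anon != 0, admin == 0

if __name__ == "__main__":  # placeholder host and password; port and DNs are the cookbook's
    print(check_policy_store("sso-server.example.com", 12380,
                             "cn=Directory Manager,o=SMPolicyStore", "CHANGEME"))
```

Both binds are simple binds over plain LDAP, so the password crosses the wire in clear text; run the check on the SSO Server host itself rather than across the network.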

Set the SiteMinder Super User Password

  • copy the file smreg.exe from the installation archive to %NETE_PS_ROOT%\bin
  • ensure the SiteMinder Policy Server service is started up
  • from a cmd execute the command:
    smreg -su log69in

Import the Default Policy Store Objects

  • ensure the SiteMinder Policy Server service is started up
  • from a cmd execute the commands:
    smobjimport -i"C:\Program Files\CA\siteminder\db\smdif\smpolicy.smdif" -dSiteMinder -wlog69in -v
    smobjimport -i"C:\Program Files\CA\siteminder\db\smdif\ampolicy.smdif" -dSiteMinder -wlog69in -f -v -l -c
    XPSDDInstall "C:\Program Files\CA\siteminder\xps\dd\Smobjects.xdd"
    XPSDDInstall "C:\Program Files\CA\siteminder\xps\dd\EPMObjects.xdd"
    XPSDDInstall "C:\Program Files\CA\siteminder\xps\dd\SecCat.xdd"
    XPSDDInstall "C:\Program Files\CA\siteminder\xps\dd\FssSmObjects.xdd"

Create the Object Store

  • install MS SQL Server + Management Tools
  • Server Collation: case insensitive (default)
  • Security: Mixed Mode
  • log on to SQL Server Management Studio as user: sa
  • create a new database with name: SiteMinder (all settings can remain default)

Set up the WAM User Interface

  • download the jboss-4.0.5.GA archive and unzip it to C:\jboss-4.0.5.GA\
  • copy the original file \wamui-12.0-sp1-win32\DirectoryConfigurationSamples\ActiveDirectory\directory.xml to C:\
  • edit the copied file and modify the ##-prefixed attributes
    ...
    ... physicalname="telexNumber" displayname="Disabled State" ...
    ...
    ... physicalname="userPassword" displayname="Password Data" ...
    ...
  • open a cmd and cd into
    ..\wamui-12.0-sp1-win32
  • execute ca-wamui-12.0-sp1-win32.exe and follow the wizard (keep the default settings)
  • install only the UI with JBoss Application Server
  • use the FQDN for the App Server URL
  • select SQL 2005 as database
    Database Name: SiteMinder
    User Name: sa
  • Administrator Store is LDAP pointing to the hosting Windows Domain Controller
  • Directory Configuration File: C:\directory.xml
  • finish the installation
  • launch Start Task Engine from the IAM Suite program group
  • launch SiteMinder Administrative User Interface from the IAM Suite program group
  • log in to the WAM-UI as user Administrator (the Windows user who performed the WAM-UI setup)

Register the Administrative UI:

  • from a cmd execute the command:
    xpsregclient WAMUI1 -adminui -su
  • from the WAM-UI select:
    Register Administration UI Server
    Name: WAMUI1_ Hostname
    Policy Server Host: FQDN of the Policy Server box
    Policy Server Port: 44441
    Client Name: WAMUI1
    Passphrase: as set via xpsregclient

Create the Registration Credentials for the FSS Administrative UI

  • WAM-UI / Infrastructure/ Agents / Agent / Create Agent / create new object / OK
  • Agent Name: FSSUIAgent
  • Agent Type: 4.x agents
  • IP Address of the Policy Server
  • Shared Secret

Configure Java for the FSS

  • Control Panel / Java / Advanced tab
    <Applet> tag support: check Internet Explorer
  • modify the link file for the SiteMinder FSS Administrative UI in the SiteMinder program group
    change the URL to use the FQDN

Login to SiteMinder FSS Administrative UI

  • launch the SiteMinder FSS Administrative UI from the SiteMinder program group
    Username: SiteMinder
    Host Name: FSSUIAgent

Create Host Configuration Object

  • log in to the SiteMinder FSS Administrative UI
  • System / Host Conf Objects
  • right click DefaultHostSettings / Duplicate
  • Name: ACMESM12HostSettings
  • edit PolicyServer
    (remove #, enter FQDN of Policy Server box, leave all else default)

Create Web Agent Configuration Object

  • log in to the SiteMinder FSS Administrative UI
  • System / Agent Conf Objects
  • right click IISDefaultSettings / Duplicate
  • Name: ACMESM12IISWASettings
  • edit DefaultAgentName
    (remove #, enter FQDN of WebAgent box, leave all else default)
  • ForceIISProxyUser yes
  • DefaultUserName Administrator
  • DefaultPassword ******

Create Web Agent Object

  • log in to the SiteMinder FSS Administrative UI
  • System / Agents
  • right click Agents / Create Agent
  • Name: same value as DefaultAgentName in Web Agent Conf Object
    (i.e. FQDN of WebAgent box)

Install WebAgent

  • launch Internet Information Services (IIS) Manager
  • add each of the following modules as an IIS Web Service Extension and set its status to Allowed
    C:\Program Files\CA\webagent\bin\ISAPI6WebAgent.dll
    C:\Program Files\CA\webagent\pw\smpwservicescgi.exe
    C:\Program Files\CA\webagent\pw_default\smpwservicescgi.exe
  • run Web Agent Configuration Wizard (ca-wa-config.exe)
    • do Host Registration now
    • Admin User: SiteMinder
    • Trusted Host Name: FQDN of WebAgent box
    • Host Config Object: ACMESM12HostSettings
    • Policy Server IP: FQDN of Policy Server box
    • FIPS Compatibility
    • Host Configuration File: Restore Default
    • check Microsoft IIS
    • Agent Config Object: ACMESM12IISWASettings
    • No Self Registration
  • edit file C:\Program Files\CA\webagent\bin\IIS\WebAgent.conf
    ...
    EnableWebAgent="YES"
    ...
  • Reboot
  • open Browser to http://FQDN-of-WebAgent-Box
  • the default IIS page should load and no error should be displayed
  • in case of problems check IIS 6 configuration technote: https://support.ca.com/phpdocs/7/5262/auth2_IIS6-TechNote.pdf

Configure the WebAgent for logging and tracing

  • edit the IISDefaultSettings Agent Conf Object (create a copy of the original object first)
  • LogFileName: "C:\Program Files\CA\webagent\log\webagent.log"
  • TraceFile: yes
  • TraceFileName: "C:\Program Files\CA\webagent\log\webagent.trace"
  • TraceConfigFile: "C:\Program Files\CA\webagent\config\WebAgentTrace.conf"
  • edit C:\Program Files\CA\webagent\config\WebAgentTrace.conf
    (remove the # in front of these two lines)
    ...
    components: AgentFramework, HTTPAgent
    data: Date, Time, Pid, Tid, TransactionID, Function, Message
    ...

    (in any case, also check the Windows Event Log for messages and verify name resolution with nslookup for the hostname, the FQDN and the IP address)

To get more detailed information in the Browser

  • Advanced settings / Show friendly HTTP error messages / disable
  • Turn off Pop-Up Blocker

Define MS Active Directory as UserDirectory for SiteMinder Policies

  • log in to the SiteMinder FSS Administrative UI
  • System / User Directories
  • right click User Directories / Create User Directory
  • Name: ACMEdomAD
  • Directory Setup tab
    • NameSpace: AD
    • Server: ACMEdc.ACMEdom.com:389
    • LDAP Search:
      • Root: dc=ACMEdom,dc=com
    • LDAP User DN Lookup
      • Start: cn=
      • End: ,cn=users,dc=ACMEdom,dc=com
        (note the leading comma, verify the resulting DN in the displayed Example)
  • Credentials and Connection tab
    • Administrator Credentials
      • check Require Credentials
      • Username: ACMEdom\administrator
  • User Attributes tab
    • Universal ID: sAMAccountName
    • Disabled Flag: otherPager
    • Password Attribute: userPassword
    • Password Data: ImPwdHistory
    • Anonymous ID: otherIpPhone
    • Email: otherMailbox
    • Challenge/Response: otherTelephone
  • click Apply and then View Contents... to verify connectivity

Define a new SiteMinder Policy Domain

  • log in to the SiteMinder FSS Administrative UI
  • System / Domains
  • right click Domains / Create Domain
  • Name: ACMEdomain
  • User Directories tab
    • select ACMEdomAD and click <<Add

Define a new SiteMinder Policy Realm (Web Resources to protect)

  • log in to the SiteMinder FSS Administrative UI
  • Domains / ACMEdomain / Realms
  • right click Realms / Create Realm
  • Name: IIS-Root
  • Resource tab
    • Agent: click Lookup... to select ACMEsm12.ACMEdom.com
    • Resource Filter: /

Define a new Policy Rule (Events and Actions when accessing the protected resource)

  • log in to the SiteMinder FSS Administrative UI
  • Domains / ACMEdomain / Realms / IIS-Root
  • right click IIS-Root / Create Rule under Realm
  • Name: IIS-Files
  • Web Agent Actions: Get,Post

Define a new Policy (Authorise users to resources)

  • log in to the SiteMinder FSS Administrative UI
  • Domains / ACMEdomain / Policies
  • right click Policies / Create Policy
  • Name: IIS-Policy
  • Users Tab:
    • Add/Remove...
    • Manual Entry: (sAMAccountName=*)
    • Add to Current Members / OK
  • Rules Tab:
    • Add/Remove Rules...
    • put IIS-Files to Current Members / OK

      (Close the Browser, flush the SiteMinder resource cache using the SiteMinder UI, restart IIS and open its Homepage in a new Browser Session.
      Note the login dialog issued by the SiteMinder WebAgent.
      Enter Administrator and the corresponding password when prompted by the SM-WebAgent and verify successful page access.)

Allow Authenticated CA SSO Client User Access to SiteMinder Protected Resource

Figure 2

  • Ensure that the SiteMinder and CA SSO Policy Servers use the same user or authentication store.
  • Remove the comment (#) character from the following line in the WebAgent.conf file:
    #LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>
  • Configure the scope of the SSO Client generated Cookie (should be the same as the domain defined in SM) in the CA SSO Client.ini file by setting the following parameter:
    CookieURLs=http://ACMEsm12.ACMEdom.com/
  • log in to the SiteMinder FSS Administrative UI
  • System / Authentication Schemes
  • right click Authentication Scheme / Create Authentication Scheme
  • Name: caSSOauthScheme
  • Authentication Scheme Type: Custom Template
  • Scheme Setup tab:
    • Library: smauthetsso
    • Secret / Confirm Secret: <ps-admin password>
    • Parameter: <Mode> ; <CA SSO AdminID> ; <CA SSO Server>
      e.g.: cookieorbasic ; ps-admin ; ACMEsso81.ACMEdom.com
      (use cookie as the Mode to force users to authenticate to SSO first, before they can access protected web resources)
  • Domains / ACMEdomain / Realms / IIS-Root
  • right click IIS-Root / Properties of Realm
    • Resource Tab:
      • Authentication Scheme: caSSOauthScheme

(Close the Browser, flush its Cache, restart IIS.
Login to SSO Client and open the IIS Homepage in a new Browser Session and verify successful page access without having to reauthenticate to SiteMinder.)

File Attachments:
TEC479627.zip