
CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 22nd June 2016

 

Issue:

The REMOTE_USER HTTP header value is null when a user accesses protected resources on the backend WebLogic server. The Web Agent is installed on the frontend SunOne web server.

The SiteMinder response is invoked as expected, but the header dump page shows the REMOTE_USER HTTP header with a null value.

 

Settings:

ACO parameters:

  • SetRemoteUser = Yes
  • RemoteUserVar = REMOTE_USER

 

The Web Agent response attribute is of type WebAgent-HTTP-Header-Variable and is associated with an OnAuthAccept rule.

 

Environment:

Webserver: SunOne 6.1 with Weblogic 9.2 SP2 plugin

Webagent: 6QMR5 HF21

 

Cause:

WebLogic returns "null" from the getRemoteUser() call to guard against identity spoofing through the REMOTE_USER header.

 

Workaround:

Start WebLogic with the following runtime argument:

-Dweblogic.http.enableRemoteUserHeader=true

 

Important Note: Be aware that enabling this setting makes the system vulnerable to spoofing of the REMOTE_USER HTTP header.

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 25th May 2016, for your reference:

 

Agent for SharePoint Connection Wizard does not list all my SiteMinder Domains.
I cannot locate my SiteMinder Domain in the Agent for SharePoint Connection Wizard when attempting to create a SharePoint Connection. The drop-down only lists a subset of the Domains in the Policy Store.
Last Update: 6/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1279708

Cannot load :/Program Files (x86)/CA/webagent/bin/ mod_sm22.dll into server:
Unable to login to Apache Server. Trying to restart and finding issue. Error: mod_sm22.dll
Last Update: 6/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1546324

User AZ Cache memory
Information on User AZ Cache registry setting
Last Update: 6/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC544401

Application URL - Partnership Federation
How to add the Application URL using XPSExplorer
Last Update: 6/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1018201

Error removing Fed Partnership using the AdminUI
federation
Last Update: 6/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1011118

In use of Partnership Federation, SP metadata is always output "false" in spite of setting Assertion Signed.
This is caused by a product issue.
Last Update: 6/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1845867

Unexpected access to a protected resource in the backend server Tomcat without authentication
This article explains a problem which is specific to Apache (proxy) + Tomcat configuration. The Tomcat functionality "Path Parameters" causes it.
Last Update: 6/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1255777

Oauth - Passing Authorization Header
Authorization: Basic, using client_id as username and secret as a password
Last Update: 6/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1488641

Web Agent Log Rollover
ACO parameters for rolling over logs
Last Update: 6/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1265505

REST calls in XML and JSON Format
Authentication and Authorization Web Services
Last Update: 6/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1545897

Is the password is stored in encrypted or hashed format in the policy store when creating an administrator in the fssui?
A SiteMinder administrator account is created in the FSS GUI and stored in the policy store. Please let us know whether the administrator's password is stored in encrypted or hashed form in the policy store.
Last Update: 6/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1017866

How to export global rules, policies, responses etc
XPSExplorer GlobalDomain object contains all the Global rules, policies, responses etc. Use XPSExport -xo to export the GlobalDomain XID
Last Update: 6/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1134591

Issue creating WSFED Partnership after upgrade
After upgrade from 12.52SP1CR02 to 12.52SP1CR04, not able to create new partnership with the AdminUI. Need to upgrade the Policy Store when upgrading in the same Service Pack.
Last Update: 6/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1989202

How can an OnAuthAttempt response be tied to a rule?
This article belongs to “HOW-TO” category and explains how to use the Authentication event OnAuthAttempt and the WebAgent-OnReject-Redirect Response.
Last Update: 6/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1251227

How does Java AgentAPI poll to Policy Servers?
This article belongs to QUESTION / ANSWER TEMPLATE and answers to a questions on custom Agent using Java Agent API: How does Java Agent API poll to Policy Servers?
Last Update: 6/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1440262

In Application model, how can an OnAuthAttempt response be tied to a resource?
This article belongs to “HOW-TO” category and explains how to use the Authentication event OnAuthAttempt and the WebAgent-OnReject-Redirect Response in Application model.
Last Update: 6/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129806

Certificate issue in Inbound (SP) SAML 2.0 Federation
Inbound SAML 2.0 POST fails for one certificate but works for another certificate. The failing certificate currently is working in production in SM 6 Federation.
Last Update: 6/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1114474

Installing CA Secure Proxy Server on Windows Server 2012
There are a wide variety of issues which can occur when attempting to implement CA Secure Proxy Server (SPS) on Windows Server 2012. This KB details considerations to be aware of when installing CA SPS on Windows Server 2012
Last Update: 6/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1643033

New Web Agent instance refuses to start
This technote discusses a problem with several instances of Web Agents and the ServerPath configuration
Last Update: 5/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1893211

ERP Agent for Siebel does not intercept the request.
This technote discusses a problem when running the latest version of Siebel Server.
Last Update: 5/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1193076

Exception when signing SAML Assertion
"Exception when signing SAML Assertion" error can occur due to IDP/SP assertion signing configuration error; or, smkeydatabase issues. One possible solution is provided.
Last Update: 5/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC499176

Search results different from the SSO Policy server and manual search from command line
When the query is sent from the Policy Server to ODSEE (the LDAP store), only 2 records are returned to the Policy Server, while running the same query manually against ODSEE returns 19287 items.
Last Update: 5/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1054419

Getting HTTP error 500 after logging at the portal
Getting HTTP error 500 after logging at the portal in the Federation Security Services (FSS) environment.
Last Update: 5/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC451434

Using same port for 2 ProxyUI instances in SPS
Is it possible to use same port for 2 ProxyUI instances on SPS server?
Last Update: 5/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1359416

How can the setup procedure be reset to start a new installation of the SharePoint Agent ?
How can the setup procedure be reset to start a new installation of the SharePoint Agent ?
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1444935

What's the meaning of Busy Thread in the Policy Server statistics ?
This technote discusses the meaning of the Busy Thread value in the Policy Server statistics.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1223963

What's the impact of Policy Server Thread pool set to 128 ?
This technote discusses the impact of setting the Thread Pool to 128.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1155006

SharePoint Office integration with CA Single Sign-On Web Agent as Reverse Proxy
This technote discusses the integration of Office document protection with the CA Single Sign-On Web Agent.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC537670

Multiple and Frequent initialization or Startup Stop Messages in Web agent Logs.
This technote discusses informative log lines that are seen in the Web Agent log.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC541462

Smkeydatabase : How to Rebuild the Smkeydatabase for Federation
This technote gives a sample on how to recreate the Federation SmKeyDatabase from scratch.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542090

Tips on how to troubleshoot the SAML "DSigSigner Initialization Failing" error
This technote gives tips on how to troubleshoot the DSigSigner Initialization Failing error in the Policy Server
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542084

SPS: http_connection_stalecheck=”true” is recommended.
This article belongs to BEST PRACTICES and explains the SPS recommended settings of http_connection_stalecheck.
Last Update: 5/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1871424

Unexpected behavior when using both Responses of HTTP-Header-Variable and OnAccept-Redirect
This article explains specifications of Response Attributes of [HTTP-Header-Variable] and [OnAccept-Redirect] as a result of a customer question.
Last Update: 5/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1255802

Policy Server not Writing to Log Files
Policy server is creating log files, but not writing to them.
Last Update: 5/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1581593

Can you install CA Access Gateway on the same server as a Web Server installation?
Implications of installing CA Access Gateway on the same server as a Web Server
Last Update: 5/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1994743

 

Please note that you can always access the full list going to the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have a question about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 22nd June 2016

 

Issue:

Administrative UI installation failed with following error:

The CA SiteMinder Administrative UI installation failed because a required component failed to install.  For more information, see the log files CA_IAM_Suite_InstallLog.log and caiamsuite.log under install directory


[Screenshot: adminui-error.PNG]

 

The same error is logged in CA_SiteMinder_Administrative_UI_Install_xx_xx_xxxx_xx_xx_xx.log.

 

Environment:

Applies to R12.x Administrative UI installation.

 

Cause:

Verbose logging is displayed when the CTRL key is held down as the installer initializes:

[Screenshot: latest_ctrl.PNG]

The verbose logging indicated that the Admin UI installation was aborted because it failed to run iamfw.exe. This executable is created under a ******.tmp folder when the installer is invoked:

[Screenshot: tmp.PNG]

 

The corresponding Event Viewer Application log indicated that the executable was locked by the McAfee AntiVirus program:

[Screenshot: EventViewer.PNG]

 

Resolution:

Disable McAfee AntiVirus with the mvadm command so that the Administrative UI installation can run to completion.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 10th June 2016

 

Description:

An exception is returned while executing the following smfedexport command:

 

smfedexport -type saml2idp -expiredays 0 -username ***** -password **** -sign -pubkey

 

Exception returned:

An exception occurred while signing metadata document.
com.netegrity.SAML2Security.DSigException: Caught an Exception calling signXMLDocument using IXMLSignature. null
java.lang.NullPointerException
    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:1016)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:254)
    at com.ca.SAML2METADATA.utils.SMFedUtilities.signMetadata(SMFedUtilities.java:166)
    at com.ca.smfedexport.tool.IDPMetadataProcessor.generateIdpDescriptor(IDPMetadataProcessor.java:209)
    at com.ca.smfedexport.tool.SMFedExport.main(SMFedExport.java:108)

 

There is no exception if the command is executed without the -sign option.

 

Upon inspecting the list of certificates in the SmKeyDatabase, the "defaultenterpriseprivatekey" entry is associated with the "CertificateEntry" type instead of "KeyEntry".

 

Solution:

  1. Delete the existing "defaultenterpriseprivatekey" from the Smkeydatabase.

  2. Then convert the private key from a PEM (text) file to DER (binary) format with the following command:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM private key file> -out <DER private key file>

  3. Ensure that the public certificate file is in PEM (text), Base64-encoded form.

  4. Add the cert/key pair with the following command:

    smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keyfile "c:\siteminder\certs\post-pkey.der" -certfile "c:\siteminder\certs\post-cert.crt" -password password

 

 

The -keyfile argument references the private key (in DER format), the -certfile argument references the public certificate, and -password is the password associated with the private key.
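Since the root cause above was a key/certificate pair loaded as the wrong entry type, it pays to confirm that the two files really are in the formats steps 2 and 3 call for before running step 4. The following Python pre-check is an added example, not CA's own tooling: it verifies that the key file is a single well-formed DER SEQUENCE with no PEM armour (what `openssl pkcs8 -outform DER` produces) and that the certificate file is a Base64 PEM block whose body decodes to DER, and only then builds the smkeytool argument list. The sample key and certificate bytes are constructed stand-ins, not real cryptographic material; the password is a placeholder.

```python
import base64
import re

# Captures the Base64 body of a PEM certificate block.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PEM_ARMOUR = b"-----BEGIN"          # any PEM armour means a text, not DER, file


def der_sequence_length(data: bytes):
    """Total encoded length of the outer DER SEQUENCE in data, or None if the
    bytes do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short-form length
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_blob(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (no armour, no trailing bytes)."""
    return der_sequence_length(data) == len(data)


def check_private_key(data: bytes):
    """Problems with a file that step 2 expects to be a DER (binary) PKCS#8 key."""
    if data.lstrip().startswith(PEM_ARMOUR):
        return ["key file is PEM text; convert it with 'openssl pkcs8 ... -outform DER'"]
    if not is_der_blob(data):
        return ["key file is not a single well-formed DER SEQUENCE (truncated or wrong format?)"]
    return []


def check_certificate(data: bytes):
    """Problems with a file that step 3 expects to be a Base64 PEM certificate."""
    m = PEM_CERT_RE.search(data)
    if not m:
        return ["certificate file has no '-----BEGIN CERTIFICATE-----' block"]
    body = re.sub(rb"\s+", b"", m.group(1))
    try:
        decoded = base64.b64decode(body, validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return ["certificate PEM body is not valid Base64"]
    if not is_der_blob(decoded):
        return ["certificate PEM body does not decode to a DER SEQUENCE"]
    return []


def smkeytool_add_privkey(alias, keyfile, certfile, key_bytes, cert_bytes):
    """Return (problems, argv); argv is built only when both inputs pass."""
    problems = check_private_key(key_bytes) + check_certificate(cert_bytes)
    if problems:
        return problems, None
    argv = ["smkeytool.bat", "-addPrivKey", "-alias", alias,
            "-keyfile", keyfile, "-certfile", certfile,
            "-password", "<private-key-password>"]   # placeholder: supply the real one
    return [], argv


# Constructed sample inputs (not real keys): a minimal DER SEQUENCE{INTEGER 0}
# standing in for a PKCS#8 key, and the same bytes PEM-wrapped as a "certificate".
SAMPLE_DER_KEY = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_DER_KEY)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, key in (("DER key", SAMPLE_DER_KEY), ("PEM key", SAMPLE_PEM_KEY)):
        problems, argv = smkeytool_add_privkey(
            "defaultenterpriseprivatekey", "post-pkey.der", "post-cert.crt", key, SAMPLE_PEM_CERT)
        print(name, "->", argv if argv else problems)
```

Running the script shows the DER input producing the step 4 command line and the PEM input being rejected with the hint to convert it, which is the mismatch that leads to a CertificateEntry where a KeyEntry is expected.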

Introduction:

The following guide explains the steps required to configure OHS 12c manually with the supported Single Sign-On Web Agent release.

 

Environment :

  • Oracle HTTP Server 12c
  • Single Sign-On Web Agent :  Certified Web Agent Version for OHS 12c
  • Operating System : Red Hat Linux

 

Instructions:

Step 1. Changes to httpd.conf file at <Instance Directory>\instance1\config\OHS\ohs1

1. Add LoadModule entry to the DSO Support Section

The following line is added to the Dynamic Shared Object (DSO) Support configuration section, which precedes the Main server configuration section of the file.

LoadModule sm_module "<web_agent_home>/bin/libmod_sm24.so"

e.g.

LoadModule sm_module "/home/siteminder/CA/webagent/bin/libmod_sm24.so"

Note: As OHS 12c is based on Apache 2.4, libmod_sm24.so must be loaded; the other agent library files will not work.

2. Add SmInitFile Entry

This entry is placed after the LoadModule entry added in (1). Use a full path, not a relative path.

SmInitFile  "<Path_To_The_Component_Directory>/OHS/<component_name>/WebAgent.conf"

e.g.

SmInitFile "/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/WebAgent.conf"

Note :

In the above example , ohs1 is the component/instance name.

3. Alias Entries Added

In the Aliases section of the file, the following entries are added to enable SiteMinder features.

Note:

The Alias /siteminderagent/ "<web_agent_home>/samples/" entry must come after all other aliases in the Aliases section.

Alias /siteminderagent/nocert/[0-9]+/(.*) "/<web_agent_home>/$1"
<Directory "/<web_agent_home>/$1">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pwcgi/ "/<web_agent_home>/pw/"
<Directory "/<web_agent_home>/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pw/ "/<web_agent_home>/pw/"
<Directory "/<web_agent_home>/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/ "/<web_agent_home>/samples/"
<Directory "/<web_agent_home>/samples/">
</Directory>

e.g.

Alias /siteminderagent/nocert/[0-9]+/(.*) "/home/siteminder/CA/webagent/$1"
<Directory "/home/siteminder/CA/webagent/$1">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pwcgi/ "/home/siteminder/CA/webagent/pw/"
<Directory "/home/siteminder/CA/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pw/ "/home/siteminder/CA/webagent/pw/"
<Directory "/home/siteminder/CA/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/ "/home/siteminder/CA/webagent/samples/"
<Directory "/home/siteminder/CA/webagent/samples/">
</Directory>

 

Step 2. Create a WebAgent.conf file with the following content and copy it into the "<Path_To_The_Component_Directory>/OHS/<component_name>" directory

e.g.  "/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/WebAgent.conf"

# WebAgent.conf - configuration file for SiteMinder Web Agent
# Web Agent Version = 12.52, Build = 2112, Update = 1.5

LOCALE=en-US

HostConfigFile="/<web_agent_home>/config/SmHost.conf"
AgentConfigObject="<name_of_aco>"
EnableWebAgent="Yes"
ServerPath="<Path_To_The_Component_Directory>/OHS/<component_name>"
LoadPlugin="/<web_agent_home>/bin/libHttpPlugin.so"
AgentIdFile="<Path_To_The_Component_Directory>/OHS/<component_name>/AgentId.dat"

e.g.

# WebAgent.conf - configuration file for SiteMinder Web Agent
# Web Agent Version = 12.52, Build = 2112, Update = 1.5

LOCALE=en-US

HostConfigFile="/home/siteminder/CA/webagent/config/SmHost.conf"
AgentConfigObject="aco_ohs"
EnableWebAgent="Yes"
ServerPath="/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1"
LoadPlugin="/home/siteminder/CA/webagent/bin/libHttpPlugin.so"
AgentIdFile="/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/AgentId.dat"

(Note: If SmHost.conf does not exist yet, you can create it by registering the agent with the Policy Server using the smreghost.sh script.)

 

Step 3. Create an AgentId.dat file with the following content and copy it into the <Path_To_The_Component_Directory>/OHS/<component_name> directory

e.g.  "/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/AgentId.dat"

GUID=000080fe0000000075939d10c0597d33-0bf0-5643dc86-0bf4-0339021c

(Specify a unique GUID value for each Agent instance.)

Step 4. Change ohs.plugins.nodemanager.properties file at <Path_To_The_Component_Directory>/OHS/<component_name> directory

e.g.  "/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/ohs.plugins.nodemanager.properties"

Add the following entries directly below the line that reads "#Environment variable configuration":

environment.NETE_WA_PATH = /<web_agent_home>/bin;
environment.NETE_WA_ROOT = /<web_agent_home>;
environment.append.1.PATH = $NETE_WA_PATH;
environment.append.1.LD_LIBRARY_PATH = $NETE_WA_PATH;
environment.CAPKIHOME = /<web_agent_home>/CAPKI;

e.g.

environment.NETE_WA_PATH = /home/siteminder/CA/webagent/bin;
environment.NETE_WA_ROOT = /home/siteminder/CA/webagent;
environment.append.1.PATH = $NETE_WA_PATH;
environment.append.1.LD_LIBRARY_PATH = $NETE_WA_PATH;
environment.CAPKIHOME = /home/siteminder/CA/webagent/CAPKI;
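Steps 1 and 2 above carry several rules that are easy to get wrong by hand: only libmod_sm24.so works on OHS 12c, SmInitFile must follow the LoadModule entry and use a full path, the Alias /siteminderagent/ entry must be the last alias, and every <...> template placeholder in WebAgent.conf must be replaced with an absolute path. The Python checker below is an added example (not part of the CA agent or OHS) that parses the SiteMinder-related httpd.conf lines and a WebAgent.conf and reports violations of those rules. The sample configurations are constructed from the page's examples; the deliberately broken ones are constructed to show each finding.

```python
import re
import shlex

REQUIRED_WEBAGENT_KEYS = ("HostConfigFile", "AgentConfigObject", "EnableWebAgent",
                          "ServerPath", "LoadPlugin", "AgentIdFile")
PATH_KEYS = ("HostConfigFile", "ServerPath", "LoadPlugin", "AgentIdFile")
PLACEHOLDER_RE = re.compile(r"<[^>]+>")        # <web_agent_home> etc. left unreplaced


def check_httpd_conf(text: str):
    """Return problems with the SiteMinder entries of an OHS 12c httpd.conf."""
    problems, values = [], []                   # values: (line_no, value) to scan
    loadmodule_at = sminit_at = None
    aliases = []                                # (line_no, url_path) in file order
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)           # honours the quoted filesystem paths
        except ValueError:
            problems.append(f"line {no}: unbalanced quotes")
            continue
        if parts[0] == "LoadModule" and len(parts) == 3 and parts[1] == "sm_module":
            loadmodule_at = no
            values.append((no, parts[2]))
            if not parts[2].endswith("libmod_sm24.so"):
                problems.append(f"line {no}: OHS 12c (Apache 2.4) needs libmod_sm24.so")
        elif parts[0] == "SmInitFile" and len(parts) == 2:
            sminit_at = no
            values.append((no, parts[1]))
            if not parts[1].startswith("/"):
                problems.append(f"line {no}: SmInitFile must be an absolute path")
        elif parts[0] == "Alias" and len(parts) == 3:
            aliases.append((no, parts[1]))
            values.append((no, parts[2]))
    problems += [f"line {no}: template placeholder not replaced in {v}"
                 for no, v in values if PLACEHOLDER_RE.search(v)]
    if loadmodule_at is None:
        problems.append("LoadModule sm_module entry missing")
    if sminit_at is None:
        problems.append("SmInitFile entry missing")
    elif loadmodule_at is not None and sminit_at < loadmodule_at:
        problems.append("SmInitFile must come after the LoadModule sm_module entry")
    catch_all = [no for no, path in aliases if path == "/siteminderagent/"]
    if not catch_all:
        problems.append("Alias /siteminderagent/ entry missing")
    elif catch_all[-1] != aliases[-1][0]:
        problems.append("Alias /siteminderagent/ must be the last Alias entry")
    return problems


def check_webagent_conf(text: str):
    """Return problems with a WebAgent.conf written for the OHS component."""
    problems, seen = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            seen[key.strip()] = value.strip().strip('"')
    problems += [f"{key} missing" for key in REQUIRED_WEBAGENT_KEYS if key not in seen]
    for key, value in seen.items():
        if PLACEHOLDER_RE.search(value):
            problems.append(f"{key}: template placeholder not replaced")
        elif key in PATH_KEYS and not value.startswith("/"):
            problems.append(f"{key}: must be an absolute path")
    if seen.get("EnableWebAgent", "").lower() != "yes":
        problems.append("EnableWebAgent is not set to Yes")
    return problems


# Constructed samples: GOOD_* follow the page's examples, BAD_* break the rules.
GOOD_HTTPD = """\
LoadModule sm_module "/home/siteminder/CA/webagent/bin/libmod_sm24.so"
SmInitFile "/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/WebAgent.conf"
Alias /siteminderagent/nocert/[0-9]+/(.*) "/home/siteminder/CA/webagent/$1"
<Directory "/home/siteminder/CA/webagent/$1">
Require all granted
</Directory>
Alias /siteminderagent/pwcgi/ "/home/siteminder/CA/webagent/pw/"
Alias /siteminderagent/pw/ "/home/siteminder/CA/webagent/pw/"
Alias /siteminderagent/ "/home/siteminder/CA/webagent/samples/"
"""
BAD_HTTPD = """\
SmInitFile "/u01/ohs1/WebAgent.conf"
LoadModule sm_module "/home/siteminder/CA/webagent/bin/libmod_sm22.so"
Alias /siteminderagent/ "/home/siteminder/CA/webagent/samples/"
Alias /siteminderagent/pw/ "/<web_agent_home>/pw/"
"""
GOOD_WEBAGENT = """\
# WebAgent.conf - configuration file for SiteMinder Web Agent
LOCALE=en-US
HostConfigFile="/home/siteminder/CA/webagent/config/SmHost.conf"
AgentConfigObject="aco_ohs"
EnableWebAgent="Yes"
ServerPath="/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1"
LoadPlugin="/home/siteminder/CA/webagent/bin/libHttpPlugin.so"
AgentIdFile="/home/siteminder/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/AgentId.dat"
"""
BAD_WEBAGENT = """\
HostConfigFile="/<web_agent_home>/config/SmHost.conf"
AgentConfigObject="aco_ohs"
EnableWebAgent="No"
ServerPath="OHS/ohs1"
LoadPlugin="/home/siteminder/CA/webagent/bin/libHttpPlugin.so"
"""

if __name__ == "__main__":
    for label, found in (("httpd.conf", check_httpd_conf(BAD_HTTPD)),
                         ("WebAgent.conf", check_webagent_conf(BAD_WEBAGENT))):
        print(label, "->", found or "ok")
```

Run it against the real files with `check_httpd_conf(open(path).read())` before restarting the OHS instance; an empty list means the entries satisfy the rules stated in the steps above.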

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 9th June 2016

 

INTRODUCTION:

When a user chooses to have credentials saved, the Policy Server instructs the Web Agent to create a persistent cookie with the user's credentials. The cookie remains in place for the duration specified in the SaveCredsTimeout configuration parameter for the Agent. The default is 30 days. The cookie allows Web Agents to authenticate a user based on the credentials saved in the cookie, rather than challenging the user to authenticate.

 

QUESTION:

How do you set up form authentication with the option to save credentials for future use, and how does this feature work?

 

ENVIRONMENT:

Applies to all R12.x Web Agents.

 

ANSWER:

Out of the box, the SiteMinder Web Agent installation includes a sample login form that incorporates the saved credentials feature: savecreds.fcc. To start, set up an HTML Form Authentication scheme that references savecreds.fcc with the "Allow this Scheme to Save Credentials" option checked. Protect resources with this authentication scheme and check the "Remember my Username and Password" option on the login form when logging in.

 

Once the user is authenticated by SiteMinder, the SMSESSION cookie (which can be a transient cookie depending on the ACO parameter) and the SMDATA cookie (a persistent cookie) are generated. The SaveCredsTimeout ACO parameter governs the SMDATA expiration, while the realm timeout settings (which can be overridden by a WebAgent Session Timeout response) govern the SMSESSION cookie expiration. The SMDATA cookie stores the user's credentials, while the SMSESSION cookie stores the user's session details. While the SMDATA cookie is valid, the Web Agent authenticates the user with the data stored in the cookie. After this interval expires, the SMDATA cookie is removed and the Web Agent challenges the user again.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 9th June 2016

 

INTRODUCTION:

The Search class, SmDmsSearch, represents a configuration object for the search operation. It holds the search base and the filter. The filter expects a string-based search expression for the object class.

 

The search class returns a list of distinguished names paired with the corresponding class identifier, and optionally, selected attribute information for the items retrieved in the search.

 

QUESTION:

A user search succeeds via User Directories >> View Contents, but fails via the SDK API. The Policy Server trace logged the following error for the search:

[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:425][CSmDsDir::Search][Advanced search, Root='o=ca.com',Filter='uid=Adm112233'][][Start of call Search.][][][]
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:446][CSmDsDir::Search][false][Return from call Search.][][][]
...
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse][1939][<session=siteminder@db7IP13Vp0P/Jkq7YEef93dLPyU=>
<command=search>
<status=E/0793/0/Search failure>
][][Processed EMS2 response.][][][]

 

The same search works with an R12.52 Policy Server but fails with an R12.52 SP1 CR2 Policy Server.

 

ENVIRONMENT:

Applies to all R12.52 SP1 Policy Servers.

 

ANSWER:

With the R12.52 SP1 Policy Server release, an additional condition is applied to the search call. The Policy Server checks whether the search root supplied in the SDK API call sits higher in the directory hierarchy (that is, is broader) than the root DN defined in the user directory setup. If so, the Policy Server does not allow the search.

 

For example, Policy Server returns the search failure if you have <searchroot=ou=support,o=ca.com> defined as root DN within the user directory setup while having <root=o=ca.com> defined as root DN within the SDK API call.

 

Hence, either match the root DN in the SDK call to the one in the user directory setup, or define the top level of the hierarchy as the search root within the user directory setup.
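The rule above is a DN suffix comparison: the SDK search root is accepted only if it equals the user directory's root DN or lies beneath it. The Python below is an added example, not Policy Server code, that implements that comparison with the usual DN normalisation (case-insensitive, whitespace around commas and equals signs ignored, backslash-escaped commas kept inside a value) and then applies it to Policy Server trace lines of the form shown in the question, pulling the Root and Filter out of each CSmDsDir::Search line so that rejected searches can be spotted in a trace. The trace sample is the page's own line; the directory root DN it is checked against is assumed to be ou=support,o=ca.com, as in the example above.

```python
import re

# Pulls the search root and filter out of a CSmDsDir::Search trace line.
TRACE_SEARCH_RE = re.compile(r"Root='([^']*)',Filter='([^']*)'")


def split_rdns(dn: str):
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed),
    honouring backslash-escaped commas inside attribute values."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def search_root_allowed(sdk_root: str, directory_root: str) -> bool:
    """R12.52 SP1 rule: the SDK search root must equal, or sit below, the root DN
    of the user directory. DNs are compared as RDN suffixes (right to left)."""
    sdk, base = split_rdns(sdk_root), split_rdns(directory_root)
    return len(sdk) >= len(base) and sdk[len(sdk) - len(base):] == base


def find_rejected_searches(trace_text: str, directory_root: str):
    """Scan Policy Server trace output and return (root, filter) pairs for searches
    whose root is broader than the user directory root DN."""
    rejected = []
    for line in trace_text.splitlines():
        m = TRACE_SEARCH_RE.search(line)
        if m and not search_root_allowed(m.group(1), directory_root):
            rejected.append((m.group(1), m.group(2)))
    return rejected


# Constructed sample: the trace line from the question; the user directory root DN
# is assumed to be ou=support,o=ca.com as in the example above.
SAMPLE_TRACE = """\
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:425][CSmDsDir::Search][Advanced search, Root='o=ca.com',Filter='uid=Adm112233'][][Start of call Search.][][][]
[01/17/2016][21:10:18.682][21:10:18][49335][4034558832][SmDsDir.cpp:446][CSmDsDir::Search][false][Return from call Search.][][][]
"""
DIRECTORY_ROOT = "ou=support,o=ca.com"

if __name__ == "__main__":
    for root, flt in find_rejected_searches(SAMPLE_TRACE, DIRECTORY_ROOT):
        print(f"search root {root!r} is above directory root {DIRECTORY_ROOT!r} (filter {flt})")
```

Feeding a real Policy Server trace file and the root DN from the user directory object into `find_rejected_searches` lists every SDK search the SP1 check would refuse, which is quicker than reading E/0793 responses one by one.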

Introduction

This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server's self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI.

 

Environment:

Product: CA Single Sign-On Administrative UI

Release: r12.0, r12.5, r12.51, r12.52 SP1, r12.52 SP2 (special instructions at the end)

OS: All supported operating systems

 

Instructions:

1.  Stop Administrative UI service.

2.  Backup existing Key Store

CA Single Sign-On Administrative UI stores its certificate in the keyStore.jks file located in the $AdminUI_Install_Directory$\server\default\conf folder.

Before proceeding with replacing the self-signed certificate with the trusted certificate, backup this keyStore.jks file.

3.  List current entries from the keystore

Start a command prompt as Administrator and go to the following folder:

$AdminUI_Install_Directory$\server\default\conf

Then execute the following command to list the current entries in the keystore:

keytool -list -keystore keyStore.jks -storepass changeit -v

Note:

  • The default keystore password is "changeit"
  • The alias for the default self-signed certificate and keypair is "tomcat"


4.  Delete current self-signed certificate and key pair from the keystore

Run the following command to delete the current self-signed certificate and key pair:

keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v


5.  Generate a Key Pair and a Self-Signed Certificate

Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore using the following keytool command.

keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v

Note:

  • We changed the alias for the new self-signed certificate to "JBoss_Key".
  • The key password (-keypass) must be the same as the keystore password (-storepass).
  • Ensure that the hostname (-dname) matches the FQDN of your Administrative UI server.


A key pair and a self-signed certificate are generated and stored in the keystore.

6.  Go to $AdminUI_Install_Directory$\server\default\default\deploy\jbossweb.sar and edit server.xml

Change

keyAlias="tomcat"

to

keyAlias="jboss_key" (all lower case)

7.  Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect.

Now, if you want to replace the self-signed certificate just created with a certificate signed by a trusted Certificate Authority, proceed with the steps below.

8.  Stop Administrative UI.

9.  Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a PKCS#10 Certificate Signing Request file using the following keytool command and submit it to a trusted CA. The CA uses the CSR file to issue a signed certificate for your server.

keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v


A CSR file "adminui_certreq.p10" is generated.

10. Submit the "adminui_certreq.p10" CSR file to a trusted CA for signing.

11. When you receive the signed certificate from the CA, run the following command to import it.

keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v

Note:

  • adminui_cert.p7b is the signed certificate returned by the CA in PKCS#7 format. A PKCS#7 file contains the server certificate, the intermediate certificate (if any) and the root certificate.
  • If only the server certificate is provided, you may need to import the intermediate and root certificates separately.
  • This overwrites the previously created self-signed certificate with the certificate provided by the CA.

12. Start the Administrative UI service and verify that the new trusted certificate is in effect.
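Two details in steps 5 and 6 are the usual causes of a failed restart: a -keypass that differs from -storepass, a CN that is not the server's FQDN, and a keyAlias in server.xml that is not written in lower case. The Python helper below is an added example, not part of the Administrative UI, that builds the step 5 keytool command only after enforcing the first two constraints and rewrites the keyAlias attribute in server.xml the way step 6 requires. The one-line server.xml fragment is constructed for the demonstration; the command's key size and signature algorithm default to the values used on this page.

```python
import re
import shlex


def keytool_genkeypair(alias, cn, server_fqdn, storepass, keypass,
                       keystore="keyStore.jks", keysize=1024, sigalg="SHA1withRSA",
                       validity_days=7300):
    """Build the step 5 keytool argv after enforcing the notes above:
    -keypass must equal -storepass, and the CN must be the Administrative UI FQDN.
    Defaults mirror the page's command."""
    if keypass != storepass:
        raise ValueError("-keypass must be the same as the keystore -storepass")
    if cn.lower() != server_fqdn.lower():
        raise ValueError(f"CN {cn!r} does not match the Administrative UI FQDN {server_fqdn!r}")
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", str(keysize), "-sigalg", sigalg, "-dname", f"CN={cn}",
            "-keypass", keypass, "-validity", str(validity_days),
            "-keystore", keystore, "-storepass", storepass, "-v"]


KEY_ALIAS_RE = re.compile(r'keyAlias="[^"]*"')


def set_key_alias(server_xml: str, alias: str) -> str:
    """Step 6: point server.xml at the new key pair. The step requires the value
    in lower case, so the alias is lower-cased regardless of how it was spelled
    for keytool. Exactly one keyAlias attribute is expected in the file."""
    new_xml, count = KEY_ALIAS_RE.subn(f'keyAlias="{alias.lower()}"', server_xml)
    if count != 1:
        raise ValueError(f"expected exactly one keyAlias attribute in server.xml, found {count}")
    return new_xml


# Constructed sample: a one-line stand-in for the Connector element in server.xml.
SAMPLE_SERVER_XML = '<Connector port="8443" keystoreFile="keyStore.jks" keyAlias="tomcat"/>'

if __name__ == "__main__":
    cmd = keytool_genkeypair("JBoss_Key", "vm1.ca.com", "vm1.ca.com", "changeit", "changeit")
    print(shlex.join(cmd))
    print(set_key_alias(SAMPLE_SERVER_XML, "JBoss_Key"))
```

When the key pair is going to be CA-signed (steps 9 to 11), pass keysize=2048 and sigalg="SHA256withRSA": public CAs have required RSA keys of at least 2048 bits and SHA-256 signatures for years and will reject a CSR generated with the 1024-bit, SHA-1 defaults shown on this page.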

 

Additional Note (for r12.52 SP2)

From r12.52 SP2 onward, the embedded JBoss server used by the Administrative UI has been upgraded to JBoss 8 (WildFly), and the folder layout has changed significantly as a result. Please consider the following if you are performing the above changes for r12.52 SP2 or later releases.

JBoss configuration folder is now moved to : $AdminUI_Install_Directory$\standalone\configuration.

You will find the keystore file keyStore.jks here.

The server.xml related configuration for the alias name is now moved to standalone-full.xml file which can be found at $AdminUI_Install_Directory$\standalone\configuration folder.
