Tech Tip - CA PIM: How to configure ENTM to failover to redundant SiteMinder Policy Servers

Document created by mulan04 (Employee) on Jun 30, 2015. Last modified by kristen.palazzolo on Dec 17, 2016. Version 3.

CA PIM Tech Tip by Andreas Müller, Principal Support Engineer, July 07, 2015


If you have configured ENTM to integrate with CA Single Sign-On / SiteMinder for authentication of user logon requests to the ENTM console, it may be desirable to configure the CA Privileged Identity Manager Enterprise Manager (ENTM) to fail over to redundant SiteMinder Policy Servers. To do so, follow these steps:


  • Configure the SiteMinder Web Agent for redundant SiteMinder Policy Servers by putting the list of all available Policy Servers that share the same SiteMinder Policy Store into the host configuration file (SmHost.conf, referenced from WebAgent.conf via HostConfigFile)
    (in this example the Apache Web Agent on Linux is used)

    [root@rh56sm]# cat /etc/httpd/conf/WebAgent.conf
    # WebAgent.conf - configuration file for SiteMinder Web Agent
    # Web Agent Version = 12.52, Build = 142, Update = 0.0

    LOCALE=en-US

    #agentname="<AgentName>, <IPAddress>"
    HostConfigFile="/opt/CA/webagent/config/SmHost.conf"
    AgentConfigObject="webservernode-ACO"
    EnableWebAgent="YES"
    ServerPath="/etc/httpd/conf"
    #localconfigfile="/etc/httpd/conf/LocalConfig.conf"
    LoadPlugin="/opt/CA/webagent/bin/libHttpPlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libAffiliate10Plugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libSAMLAffiliatePlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libeTSSOPlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libIntroscopePlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libSAMLDataPlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libOpenIDPlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libDisambiguatePlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libOAuthPlugin.so"
    #LoadPlugin="/opt/CA/webagent/bin/libCertSessionLinkerPlugin.so"
    AgentIdFile="/etc/httpd/conf/AgentId.dat"
    [root@rh56sm conf]# cat "/opt/CA/webagent/config/SmHost.conf"
    #NOTE: PKCS11 crypto provider is deprecated. Please use ETPKI instead. (/opt/CA/webagent/config/SmHost.conf)
    #This file contains bootstrap information required by the SiteMinder Agent API to connect to Policy Servers at startup.
    #Be sure the IP addresses and ports below identify valid listening Policy Servers.
    #Please do not edit the encrypted SharedSecret entry.
    hostname="rh56sm.mulan04dom.ca.com"
    sharedsecret="{RC2}lNlLVATuU5RH86F6v6pcsJrI9iLqS8d1u0u0lxX0Ccik4cBy+IxOfO6LKi87cUfmTkskbDqUIgfV4BgQOf9qONxjkn3/XrF0vT0nQmf9BZQ3oH8FOp8bKKcpf46ohb87TdJiERSs2SoOTPQX8D/0tnNsQZEStNVZbppMfw5urWFaHZoFqGT5VkLZuIj54++U"
    sharedsecrettime="0"
    enabledynamichco="NO"
    hostconfigobject="webservernode-HCO"
    #Add additional bootstrap policy servers here for fault tolerance.
    policyserver="rh56sm.mydom.ca.com,44441,44442,44443"
    policyserver="rh56sm2.mydom.ca.com,44441,44442,44443"
    policyserver="rh56sm3.mydom.ca.com,44441,44442,44443"
    requesttimeout="60"
    cryptoprovider="ETPKI"
    fipsmode="COMPAT"

    # <EOF>

  • In the SiteMinder Administrative UI add all SiteMinder Policy Servers to the failover-enabled list under
    Host Configuration Objects  ›  View Host Configuration: webservernode-HCO
    (use the host configuration object matching the hostconfigobject value in the Web Agent configuration)

    Configuration Values

    Policy Server          Accounting Port  Authentication Port  Authorization Port
    rh56sm.mydom.ca.com    44441            44442                44443
    rh56sm2.mydom.ca.com   44441            44442                44443
    rh56sm3.mydom.ca.com   44441            44442                44443

    Enable Failover: [x] (checked)
  • On the ENTM server configure redundancy to the SiteMinder Policy Servers by editing the Policy Server connector descriptor
    <jboss-4.2.3.GA>/server/default/deploy/IdentityMinder.ear/policyserver.rar/META-INF/ra.xml
    (ConnectionURL holds the primary server, FailoverServers holds the additional servers separated by ';', and FailOver must be set to true)
    ...
                <config-property-name>ConnectionURL</config-property-name>
                <config-property-type>java.lang.String</config-property-type>
                <config-property-value>rh56sm.mydom.ca.com,44441,44442,44443</config-property-value>
    ...
                <config-property-name>FailoverServers</config-property-name>
                <config-property-type>java.lang.String</config-property-type>
                <config-property-value>rh56sm2.mydom.ca.com,44441,44442,44443;rh56sm3.mydom.ca.com,44441,44442,44443</config-property-value>
            </config-property>
            <config-property>
                <config-property-name>FailOver</config-property-name>
                <config-property-type>java.lang.String</config-property-type>
                <config-property-value>true</config-property-value>
    ...
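As an added example (not part of this tech tip and not CA tooling), the following Python script cross-checks the two places where the Policy Server list is maintained: the policyserver lines in SmHost.conf and the ConnectionURL / FailoverServers / FailOver properties in ra.xml. It reports servers present on one side but missing on the other and whether FailOver is true; the file contents are constructed inline from the values above, and in practice you would read the real files from the paths given in the steps.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the bootstrap lines in SmHost.conf (Web Agent side).
SMHOST_CONF = """\
policyserver="rh56sm.mydom.ca.com,44441,44442,44443"
policyserver="rh56sm2.mydom.ca.com,44441,44442,44443"
policyserver="rh56sm3.mydom.ca.com,44441,44442,44443"
"""

# Constructed minimal ra.xml (ENTM side); <config-property-type> lines omitted.
RA_XML = """<connector>
  <config-property>
    <config-property-name>ConnectionURL</config-property-name>
    <config-property-value>rh56sm.mydom.ca.com,44441,44442,44443</config-property-value>
  </config-property>
  <config-property>
    <config-property-name>FailoverServers</config-property-name>
    <config-property-value>rh56sm2.mydom.ca.com,44441,44442,44443;rh56sm3.mydom.ca.com,44441,44442,44443</config-property-value>
  </config-property>
  <config-property>
    <config-property-name>FailOver</config-property-name>
    <config-property-value>true</config-property-value>
  </config-property>
</connector>
"""

def smhost_servers(text):
    """Set of policyserver entries ('host,acct,authn,authz') in SmHost.conf."""
    return set(re.findall(r'^\s*policyserver="([^"]+)"', text, re.M))

def ra_properties(text):
    """Map config-property-name -> config-property-value from ra.xml."""
    props = {}
    for cp in ET.fromstring(text).iter("config-property"):
        name = (cp.findtext("config-property-name") or "").strip()
        props[name] = (cp.findtext("config-property-value") or "").strip()
    return props

def check_failover(smhost_text, ra_text):
    """Return (failover_enabled, only_in_smhost, only_in_ra) for the two files."""
    props = ra_properties(ra_text)
    # ENTM side: primary server (ConnectionURL) plus ';'-separated FailoverServers.
    entm = {props.get("ConnectionURL", "")} | set(props.get("FailoverServers", "").split(";"))
    entm.discard("")
    agent = smhost_servers(smhost_text)
    enabled = props.get("FailOver", "").lower() == "true"
    return enabled, sorted(agent - entm), sorted(entm - agent)
```

A non-empty list on either side means a Policy Server the Web Agent can reach but ENTM will never fail over to, or vice versa; both lists should be empty and the flag true before testing failover.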

In case of issues, please confirm the following:

  • time is in sync on all participating hosts
  • the SiteMinder policy store has been reconfigured on all Policy Servers
    (this will not recreate the store but will rewrite the current configuration values;
    in this case the SM-PS runs on Linux with Oracle, hence the commands to issue are)
      # cd /opt/CA/siteminder/
      # . ./ca_ps_env.ksh
      # ./ca-ps-config.sh
      ...
      4- Policy Store
      ...
      1- Relational Database
      2- Oracle 11g
      To replace the existing DSN entry, choose NO.
      Database Server Name: (DEFAULT: ): rh56sm.mydom.ca.com
      Database Service Name: (DEFAULT: ): XE
      Database Port: (DEFAULT: 1521):
      Database Administrator User Name: (DEFAULT: ): system
      2- Basic Password Services
  • on the ENTM server stop JBoss and clear its cache directories
      # /etc/init.d/jboss stop
      # cd /opt/jboss-4.2.3.GA/server/default/
      # rm -rf tmp/ log/ data/ work/
  • On the user workstation running the web browser used to access the SiteMinder-protected ENTM application, clear the browser cache and cookies and restart the browser
