CA PIM Tech Tip by Andreas Müller, Principal Support Engineer, July 07, 2015
If you have configured ENTM to integrate with CA Single Sign-On / SiteMinder to authenticate user logon requests to the ENTM console, it may be desirable to configure the CA Privileged Identity Manager Enterprise Manager to fail over to redundant SiteMinder Policy Servers. To do so, follow these steps:
[root@rh56sm]# cat /etc/httpd/conf/WebAgent.conf
# WebAgent.conf - configuration file for SiteMinder Web Agent
# Web Agent Version = 12.52, Build = 142, Update = 0.0
LOCALE=en-US
#agentname="<AgentName>, <IPAddress>"
HostConfigFile="/opt/CA/webagent/config/SmHost.conf"
AgentConfigObject="webservernode-ACO"
EnableWebAgent="YES"
ServerPath="/etc/httpd/conf"
#localconfigfile="/etc/httpd/conf/LocalConfig.conf"
LoadPlugin="/opt/CA/webagent/bin/libHttpPlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libAffiliate10Plugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libSAMLAffiliatePlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libeTSSOPlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libIntroscopePlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libSAMLDataPlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libOpenIDPlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libDisambiguatePlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libOAuthPlugin.so"
#LoadPlugin="/opt/CA/webagent/bin/libCertSessionLinkerPlugin.so"
AgentIdFile="/etc/httpd/conf/AgentId.dat"
[root@rh56sm conf]# cat "/opt/CA/webagent/config/SmHost.conf"
#NOTE: PKCS11 crypto provider is deprecated. Please use ETPKI instead. (/opt/CA/webagent/config/SmHost.conf)
#This file contains bootstrap information required by the SiteMinder Agent API to connect to Policy Servers at startup.
#Be sure the IP addresses and ports below identify valid listening Policy Servers.
#Please do not edit the encrypted SharedSecret entry.
hostname="rh56sm.mulan04dom.ca.com"
sharedsecret="{RC2}lNlLVATuU5RH86F6v6pcsJrI9iLqS8d1u0u0lxX0Ccik4cBy+IxOfO6LKi87cUfmTkskbDqUIgfV4BgQOf9qONxjkn3/XrF0vT0nQmf9BZQ3oH8FOp8bKKcpf46ohb87TdJiERSs2SoOTPQX8D/0tnNsQZEStNVZbppMfw5urWFaHZoFqGT5VkLZuIj54++U"
sharedsecrettime="0"
enabledynamichco="NO"
hostconfigobject="webservernode-HCO"
#Add additional bootstrap policy servers here for fault tolerance.
policyserver="rh56sm.mydom.ca.com,44441,44442,44443"
policyserver="rh56sm2.mydom.ca.com,44441,44442,44443"
policyserver="rh56sm3.mydom.ca.com,44441,44442,44443"
requesttimeout="60"
cryptoprovider="ETPKI"
fipsmode="COMPAT"
# <EOF>
Host Configuration Objects › View Host Configuration: webservernode-HCO
Configuration Values
Policy Server

| Host | Accounting Port | Authentication Port | Authorization Port |
|---|---|---|---|
| rh56sm.mydom.ca.com | 44441 | 44442 | 44443 |
| rh56sm2.mydom.ca.com | 44441 | 44442 | 44443 |
| rh56sm3.mydom.ca.com | 44441 | 44442 | 44443 |

Enable Failover: [x]
...
<config-property-name>ConnectionURL</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>rh56sm.mydom.ca.com,44441,44442,44443</config-property-value>
<config-property-name>FailoverServers</config-property-name>
<config-property-value>rh56sm2.mydom.ca.com,44441,44442,44443;rh56sm3.mydom.ca.com,44441,44442,44443</config-property-value>
</config-property>
<config-property>
<config-property-name>FailOver</config-property-name>
<config-property-value>true</config-property-value>
If you run into issues, please confirm the following:
# cd /opt/CA/siteminder/
# . ./ca_ps_env.ksh
# ./ca-ps-config.sh
4- Policy Store
1- Relational Database
2- Oracle 11g
To replace the existing DSN entry, choose NO.
Database Server Name: (DEFAULT: ): rh56sm.mydom.ca.com
Database Service Name: (DEFAULT: ): XE
Database Port: (DEFAULT: 1521):
Database Administrator User Name: (DEFAULT: ): system
2- Basic Password Services
# /etc/init.d/jboss stop
# cd /opt/jboss-4.2.3.GA/server/default/
# rm -rf tmp/ log/ data/ work/