Chat Transcript: Office Hours for CA Single Sign-On [Aug 20 2015]

Document created by Chris Stallone (Employee) on Aug 20, 2015. Last modified by kristen.palazzolo on Dec 17, 2016. Version 2.

Kristen Malzone (CA) :

 

Alright - let's get started!

 

Kristen Malzone (CA) :

If you have a question about CA Single Sign-On (formerly CA SiteMinder), enter it here in the chat window.

 

Kristen Malzone (CA) :

Product experts are standing by to answer your questions LIVE!

 

Kristen Malzone (CA) :

@Karen - Thanks for joining us today!

 

sanjay :

I have a question about CA Federation Manager.

 

sanjay :

Is it in scope for the session?

 

Kristen Malzone (CA) :

@Sanjay - Ok - what's your question?

 

sanjay :

I have created a partnership and I would like to migrate it to an upper environment.

 

sanjay :

Is XPSExplorer a good option for that?

 

sanjay :

And if I select Partnerships, will it migrate Entities also?

 

Karen :

My question is regarding the keystore: when I do a list certs command, does the keystore know the difference between the cert authority and the actual public/private keys?

 

Rob Lindberg (CA) :

@Sanjay - XPSExplorer should not be used as the tool for moving policies. You would use XPSExport/XPSImport to create the XML for the partnerships/entities to move between environments.

 

Prakhar CA :

@Sanjay the link below should help:

 

Prakhar CA :

https://support.ca.com/cadocs/0/CA%20Federation%20Manager%2012%205-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?2059537.html

 

Stephen McQuiggan (CA) :

@Karen are you referring to the cert8.db used by the policy server for SSL to LDAP?

 

Stephen McQuiggan (CA) :

@Karen or the fed keystore?

 

Karen :

@Stephen fed keystore

 

Karen :

Also, my second question is: will SHA1 still work for SAML2 configurations? I have several keys that are SHA1 that do not expire for a few more years.

 

Prakhar CA :

@Karen when using -alias alias

(Optional) Lists the metadata details of the certificate and key that are associated with the alias specified.

 

Prakhar CA :

https://support.ca.com/cadocs/0/CA%20Federation%20Manager%2012%205-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1808824.html

 

Vivek :

Does CA recommend using LTM for user directories instead of individual servers? We currently have individual LDAP IPs defined in failover and load balancing; how can that be achieved with a single LTM IP?

 

Karen :

@Prakhar thank you for that!

 

Prakhar CA :

@Karen You're welcome!

 

Jim L :

When will support for SiteMinder R12.5x on Windows 2012 be added to the roadmap?

 

Dave :

The smpolicysrv -stats command normally shows up during policy server boot-up. If we schedule this command to run every hour, will it cause any performance issues on the environment? Especially since running this command spawns a new process every time.

 

Vivek :

Dave, we run it every 10 minutes; haven't seen any issues with running it.

 

Steven Bankowitz (CA) :

@Dave: The -stats argument to smpolicysrv has very little impact on a production server. It really just sends a signal to the main process, and the main process will log to smps.log. If anything, I always recommend having stats go off every 5 minutes. There is a nice tool on the communities page that can read in the smps.log and print out a nice PDF.

 

Prakhar CA :

@Vivek You may check the link below for the configuration of LTM with SiteMinder:

 

Prakhar CA :

https://www.f5.com/pdf/deployment-guides/ca-siteminder-dg.pdf

 

Stephen McQuiggan (CA) :

@Vivek - we support it but do not recommend it; it becomes difficult to troubleshoot PS-to-LDAP issues. PS creates 4 independent connections per LDAP bank; in a load balancer (F5) configuration these connections can be spread across multiple LDAP servers. There is an open idea for adding connection pooling to the LDAP; this would allow an easier F5 model: https://communities.ca.com/ideas/235718429

 

Apoorva Choudhary :

@Jim We are currently in customer validation (beta) phase for 12.52 SP2. This release adds support for Windows Server 2012 R2 for Policy Server. We have just a few slots left in the beta program. If you are interested, let me know. I can follow up with you offline and get you signed up.

 

Dave :

@Steven Bankowitz (CA): "There is a nice tool on the communities page that can read in the smps.log and print out a nice PDF." Do you have a link to the community page?

 

Kristen Malzone (CA) :

@Dave Here's a link to the community page: https://communities.ca.com/community/ca-security

 

Kristen Malzone (CA) :

@Dave An easier to remember link is ca.com/talksecurity

 

Vivek :

Thanks @Steve McQuiggan

 

Prakhar CA :

@Karen yes, SHA1 is supported with SAML2.

 

Kristen Malzone (CA) :

Here's a link to the SSO Policy Trace Analysis Tool: https://communities.ca.com/thread/97563057

 

Dave :

@Apoorva: Is there any date for GA of the SP2 release?

 

Dave :

Are there any Green Book publications planned for the CA SSO r12.5x release?

 

Jim L :

@Apoorva Choudhary: When is the expected end date of the beta program? Will a GA for this version be released this year?

 

Dave :

Is the smpolicysrv -stats command output available by any chance via Wily Monitoring for SiteMinder?

 

Steven Bankowitz (CA) :

@Dave: Concerning green books, do you have any that you are particularly looking for?

 

Steven Bankowitz (CA) :

@Dave: Concerning -stats, the content that comes from the stats is available via Wily (APM).

 

Dave :

@Steven Bankowitz: regarding green books - looking for best-practice guidelines for optimizing the components.

 

Apoorva Choudhary :

@Jim The validation program is currently underway. We are looking to get all the feedback by early Sep and no later than 9/15.

 

Steven Bankowitz (CA) :

@Dave: (Green Books) We will need to search here behind the scenes as we do not have representation from the folks that handle this.

 

Steven Bankowitz (CA) :

@Dave: Kristen just put up an image that shows the Wily SiteMinder component that has some of the stats metrics.

 

Steven Bankowitz (CA) :

(sorry for the blurriness, the Wily component is maintained by a different team here at CA.)

 

Dave :

@Steven Bankowitz (CA): Is this information available in any CA documents?

 

Dave :

@Steven Bankowitz (CA): I see the image from Kristen, but the stats command gives a lot of information (connections, max queue depth, etc.) which is missing here in the Wily metrics.

 

Kristen Malzone (CA) :

15 minutes left!!! Get your final questions in now...

 

Dave :

@Steven Bankowitz (CA): It looks to me that the Wily metrics are not complete; we still need to run the stats command besides Wily to get additional metrics.

 

Apoorva Choudhary :

@Dave @Jim Regarding the release date, as you know this is our next release and it has reached the customer validation (beta) stage. The exact release date will depend on the feedback from the beta program.

 

Ravi Kanukollu (CA) :

@Dave: we would follow up on this to answer your queries.

 

Steven Bankowitz (CA) :

@Dave: As Ravi mentioned, we will have a separate conversation on the gaps between Wily and the stats output. It would be interesting to know what you would need. (I am a big fan of knowing the current queue depth personally.)

 

Dave :

same here

 

Dave :

@Steven Bankowitz (CA): Primarily want to see current queue depth, max threads, current connections, max limit, exceeded limit.

 

Steven Bankowitz (CA) :

@Dave: thanks Dave. This is useful information when we chat with the Wily folks.

 

Dave :

@Steven Bankowitz : are there APM office hours coming up this week or so?

 

Kristen Malzone (CA) :

@Dave They happened this week already. Next APM Office Hours are in September. RSVP here: https://communities.ca.com/events/2175

 

Dave:

We normally need to access the SM Management Console on our Prod SSO policy servers via a jump host; it's hard to copy the X11 authority files all the time. Does CA have any plans to completely get rid of the SM Management Console and incorporate it into the Admin UI?

 

Kristen Malzone (CA):

@Dave Here's the transcript from this week's APM Office Hours: https://communities.ca.com/docs/DOC-231159593

 

Rob Lindberg (CA):

@Dave - there are no current plans to remove the Management Console at this time, but please suggest a community idea to discuss your concerns and request so we can all vote on it.

 

Kristen Malzone (CA):

That's all the time we have for today!

 

Kristen Malzone (CA):

We'll post the transcript from today's session to the CA Security Community shortly... https://communities.ca.com/community/ca-security
