Symantec Access Management

  • 1.  DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Sep 21, 2016 06:19 PM

    Team,

    I created this deck a few months back to demonstrate how to use a solution's silent response process to drive automated installs, using either CLI (Command Line Interface) installs or integration with a DevOps solution, e.g. CA Release Automation or Chef.

    I used a minimal install ISO of CentOS7 to validate which libraries were needed for CA Identity Manager and CA SSO.

    Please review and let me know if you find this of value.

    To assist with discovering which properties files to update AFTER an install, I used the open source tool WinMerge and the CentOS tool strace (strace(1) - Linux manual page).

    Edit:

    Subtitle:  Using WinMerge or BeyondCompare as a tool for "Reverse Engineering GUI Wizard Installers to build your dev-ops scripts"

    Edit:  10/13/17 - Sharing examples of using CA Directory as the policy store for CA SSO, per request.

    Cheers,

    A.



  • 2.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Oct 28, 2017 09:50 AM

    Hey Alan,

    Thanks for starting this thread. Can you please let me know how to address the cert db setup and CA Directory setup in CA SSO SiteMinder automation? I am looking to script the smconsole so that the manual work can be eliminated.

    -Gokul



  • 3.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Oct 30, 2017 01:18 AM

    Hi Gokulnathb,

    Take a look at this (page 6 of the PDF): Enable SSL for IME's IMCD/IMPS with Siteminder

    or the tech note: TEC538848 - CA SSO Implementation Document Index - CA Technologies

    See if this helps.

    Cheers,

    A.

    #### Example Script below ####

    #!/bin/bash
    ##################################################
    #
    # Add IMCD SSL CERT to SiteMinder to enable TLS
    #
    # Only need CA Public Cert
    #
    # No need to copy the Server Certs (personalities)
    #
    # SM will use userid/password for authentication
    #
    ##################################################
    IMCD_HOSTNAME=sandbox01
    IMCD_PORT=41389
    SMHOME=/opt/CA/siteminder
    LDAP_TLS=$SMHOME/ldap_tls
    DXHOME=/opt/CA/Directory/dxserver/config/ssld
    PATH=$SMHOME/bin:$PATH
    PASSWORD=Password01
    USER=smuser
    GROUP=smuser
    # Bind DN and base DN used by the dxsearch validation steps at the end
    DIRADMIN_DN='cn=diradmin,ou=serviceaccount,ou=cam,o=ca'
    BASE_DN='ou=cam,o=ca'

    echo ""
    echo "Step00:  Clean up Prior NSS DB files under $LDAP_TLS"
    mkdir -p "$LDAP_TLS"
    cd "$LDAP_TLS" || exit 1   # abort rather than run the rm below in the wrong directory
    rm -rf ./*.db
    rm -rf trusted-root-ca-public-for-imcd.*
    # Note:  pem format may include cer (public format) + ascii + optional (private key)

    echo ""
    echo "# Step01: Check if the CA Public Cert exists AND that SSLv3 protocol is available"
    echo "# Siteminder uses SSLv3 protocol for non-FIPS encryption & TLS for FIPS encryption"
    echo ""
    echo "The CA Public Cert should display as the 2nd cert in this list with -showcerts"
    echo "openssl s_client  -connect $IMCD_HOSTNAME:$IMCD_PORT -showcerts"
    echo "The communication will report failure, if SSLv3 protocol is not enabled."
    echo "openssl s_client  -connect $IMCD_HOSTNAME:$IMCD_PORT -ssl3"
    echo "Run the above lines as a prestep, they are commented out to avoid impacting readability of the other lines"
    #openssl s_client  -connect $IMCD_HOSTNAME:$IMCD_PORT -showcerts
    #openssl s_client  -connect $IMCD_HOSTNAME:$IMCD_PORT -ssl3
    echo ""

    echo ""
    echo "# Step02: Copy IMCD CA Public Cert Only [Not DSA Server Certs (Personalities)]"
    echo "# Ensure that the user of this script has access to the CA Directory SSLD folder"
    cd "$LDAP_TLS" || exit 1
    echo "cp -r -p $DXHOME/trusted.pem $LDAP_TLS/trusted.pem"
    cp -r -p "$DXHOME/trusted.pem" "$LDAP_TLS/trusted.pem"
    echo "Strip any extra commentary from CA Directory PEM Format.  Keep BEGIN CERTIFICATE / END CERTIFICATE markers"
    echo ""
    echo "openssl x509 -outform der -in trusted.pem -out trusted-root-ca-public-for-imcd.der"
    openssl x509 -outform der -in trusted.pem -out trusted-root-ca-public-for-imcd.der
    echo "Convert the DER copy back to a clean PEM (.cer) that carries only the BEGIN / END markers"
    echo "openssl x509 -inform der -in trusted-root-ca-public-for-imcd.der -out trusted-root-ca-public-for-imcd.cer"
    openssl x509 -inform der -in trusted-root-ca-public-for-imcd.der -out trusted-root-ca-public-for-imcd.cer

    echo ""
    echo "# Step03: Create a NSS keystore for Siteminder with CertUtil  (cert8.db, key3.db, secmod.db)"
    echo " NSS = Netscape Network Security Services & ensure SM version of certutil is being used in the path"
    echo ""
    echo "( echo \$PASSWORD ) > $LDAP_TLS/pwdfile.txt"
    ( echo "$PASSWORD" ) > "$LDAP_TLS/pwdfile.txt"
    chmod 600 "$LDAP_TLS/pwdfile.txt"   # the NSS DB password file must not be world-readable
    echo "( echo \$PASSWORD; echo \$PASSWORD ) | $SMHOME/bin/certutil -N -d $LDAP_TLS  -f $LDAP_TLS/pwdfile.txt"
    ( echo "$PASSWORD"; echo "$PASSWORD" ) | "$SMHOME/bin/certutil" -N -d "$LDAP_TLS" -f "$LDAP_TLS/pwdfile.txt"

    echo ""
    echo "# Step04: Store the IMCD ROOT CA Certificate from CA Directory 'clean version' of IMCD trusted-root-ca-public-for-imcd.pem"
    echo "$SMHOME/bin/certutil -A -n IMCD_TRUSTED_CA_PUBLIC_CERT -t C,, -i $LDAP_TLS/trusted-root-ca-public-for-imcd.cer -d $LDAP_TLS"
    "$SMHOME/bin/certutil" -A -n "IMCD_TRUSTED_CA_PUBLIC_CERT" -t "C,," -i "$LDAP_TLS/trusted-root-ca-public-for-imcd.cer" -d "$LDAP_TLS"

    echo ""
    echo "# Step05: Store IMCD DSA Server Public Cert from IMCD personalities IMCD_DSA_HOSTNAME.pem"
    echo "$SMHOME/bin/certutil -A -n IMCD_DSA_HOSTNAME_PUBLIC_CERT -t P,, -i $LDAP_TLS/$IMCD_HOSTNAME-imcd-public.cer -d $LDAP_TLS"
    echo "### Confirmed this step from bookshelf is NOT required for standard userid/password authentication over SSL/TLS"
    echo ""

    echo ""
    echo "# Step06: List all CA and Server Public Certs in NSS Keystore"
    echo "$SMHOME/bin/certutil -L -d $LDAP_TLS"
    "$SMHOME/bin/certutil" -L -d "$LDAP_TLS"

    echo ""
    echo "# Step06b: Update ownership of the DB files of $LDAP_TLS/cert8.db"
    chown -R "$USER:$GROUP" "$LDAP_TLS"
    chmod -R 640 "$LDAP_TLS"/*.db

    echo ""
    echo "# Step07: Use XPSConfig to update the  SM:LdapObjCertDbPath  to $LDAP_TLS/cert8.db"
    echo "# su - smuser ;  XPSConfig   ;  Select SM  ; Select # for LdapObjCertDbPath  Likely #83"
    echo ""
    echo "# Alternatives:  Use SMCONSOLE on the Data Tab for Netscape certificate file or"
    echo "# edit the SMHOME/registry/smregistry.xml file & update CertDbPath under "
    echo "# HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore"
    echo ""

    echo ""
    echo "# Step08: Start / Stop SM Policy Server"
    echo "# Shown below for manual step AFTER the above update is done"
    echo "$SMHOME/stop-ps"
    echo "$SMHOME/start-ps"

    echo ""
    echo "#################################################"
    echo ""
    echo "Validate NON-SSL/TLS to directory"
    echo " if running this script as root, it will have access to run dxsearch as dsa"
    echo " if running this script as smuser, you will need to type the password for dsa account"
    echo ""
    echo "dxsearch -L -H ldap://$IMCD_HOSTNAME:$IMCD_PORT -c -D '$DIRADMIN_DN' -w \$PASSWORD -b '$BASE_DN' 'uid=diradmin' sn uid"
    echo ""
    su - dsa -c "dxsearch -L -H ldap://$IMCD_HOSTNAME:$IMCD_PORT -c -D '$DIRADMIN_DN' -w $PASSWORD -b '$BASE_DN' 'uid=diradmin' sn uid"

    echo ""
    echo "Validate SSL/TLS to directory"
    echo "Update /etc/hosts to have alias where DSA_NAME = HOSTNAME"
    echo "Example:  192.168.92.129  sandbox01 sandbox01.im.dom sandbox01-imcd"
    echo "Note:  CA Directory CLI commands use DXHOME\config\ssld\dxldap.conf file"
    echo ""
    echo " if running this script as root, it will have access to run dxsearch as dsa"
    echo " if running this script as smuser, you will need to type the password for dsa account"
    echo ""
    echo "dxsearch -Z -L -H ldaps://${IMCD_HOSTNAME}-imcd:$IMCD_PORT -c -D '$DIRADMIN_DN' -w \$PASSWORD -b '$BASE_DN' 'uid=diradmin' sn uid"
    echo ""
    # Same search with dxsearch debug output (-d 1) if the TLS handshake needs to be inspected:
    #su - dsa -c "dxsearch -d 1 -Z -L -H ldaps://${IMCD_HOSTNAME}-imcd:$IMCD_PORT -c -D '$DIRADMIN_DN' -w $PASSWORD -b '$BASE_DN' 'uid=diradmin' sn uid"
    su - dsa -c "dxsearch -Z -L -H ldaps://${IMCD_HOSTNAME}-imcd:$IMCD_PORT -c -D '$DIRADMIN_DN' -w $PASSWORD -b '$BASE_DN' 'uid=diradmin' sn uid"

    # Ignore ERROR MESSAGE:  ldap_start_tls: Operations error (1)
    # This message occurs when using both the -Z switch & -H ldaps://hostname:port  URI
    # This script uses both to confirm that SSL/TLS is being used; and can be seen visually without the need of debug switches.

    # Note:  If the error returned is:
    #dxsearch -Z -H ldaps://sandbox01:41389 -c -x -D 'cn=diradmin,ou=serviceaccount,ou=cam,o=ca' -w Password01 -b 'ou=cam,o=ca'
    #ldap_start_tls: Can't contact LDAP server (-1)
    #        additional info: TLS: hostname does not match CN in peer certificate
    #
    # Add the DSA_HOSTNAME as an alias to the local host file to ensure the CN matches the HOSTNAME=DSA_NAME
    #dxsearch -Z -H ldaps://sandbox01-imcd:41389 -c -x -D 'cn=diradmin,ou=serviceaccount,ou=cam,o=ca' -w Password01 -b 'ou=cam,o=ca'

    echo ""
    echo "# View certs in cert8.db file for CA PUBLIC CERT"
    echo ""
    echo "$SMHOME/bin/certutil -L -a -n IMCD_TRUSTED_CA_PUBLIC_CERT -d $LDAP_TLS"
    echo ""
    "$SMHOME/bin/certutil" -L -a -n IMCD_TRUSTED_CA_PUBLIC_CERT -d "$LDAP_TLS"
    echo ""

    # As a test to ensure the CA cert was added correctly
    #$SMHOME/bin/certutil -L -a -n IMCD_TRUSTED_CA_PUBLIC_CERT -d $LDAP_TLS > test_ca.cer
    # diff test_ca.cer  trusted-root-ca-public-for-imcd.cer

    ###### Script above ####



  • 4.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Dec 11, 2017 12:15 PM

    Hi Alan, great to see that many of these products can be installed in silent mode. Could you please share the CA IDM silent install properties on JBoss for cluster mode? I could find only the single-node installation type on docops.

    Would like to see all, if specific to each node.

    Thanks.



  • 5.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Dec 13, 2017 12:42 AM

    Hi Shashidhar,

    For both the cluster and standalone installation the silent installation file is the same, but we need to provide the values for the below properties if it is a cluster installation. Depending on the cluster type [Unicast, Multicast] these values will change.

    Node 1 Properties

    DEFAULT_JBOSS_PROFILE=all
    DEFAULT_JBOSS_SERVER_ID=1
    DEFAULT_JBOSS_CLUSTER_INSTALL=1
    DEFAULT_JBOSS_CLUSTER_UNICAST=false
    DEFAULT_JBOSS_CLUSTER_REPLICATION=true
    DEFAULT_JBOSS_CLUSTER_UNICAST_HOSTNAMES=

    Node 2 Properties

    DEFAULT_JBOSS_FOLDER=C:\\wildfly-8.2.0.Final
    DEFAULT_JBOSS_PROFILE=default
    DEFAULT_JBOSS_SERVER_ID=2
    DEFAULT_JBOSS_CLUSTER_INSTALL=1
    DEFAULT_JBOSS_CLUSTER_UNICAST=false
    DEFAULT_JBOSS_CLUSTER_REPLICATION=true
    DEFAULT_JBOSS_CLUSTER_UNICAST_HOSTNAMES=

    Regards,

    Venkat Atluri



  • 6.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Dec 13, 2017 01:43 PM

    Recommend using Beyond Compare or WinMerge to assist with tracking the changes between the two (2) or more property files:

    Dev-ops example, where replacement strings are defined so they are easier to identify and replace:

    - Example : DEFAULT_JBOSS_CLUSTER_UNICAST_HOSTNAMES=_HOSTNAME01_[7600],_HOSTNAME02_[7700]

    The hostname(s) would be updated in these fields.

    Cheers,

    A.
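    An added example (not code from the thread or from CA) of the replacement-string convention above: a per-node properties file is rendered from a template that uses _HOSTNAME01_/_HOSTNAME02_ tokens, and the script refuses to emit a file in which any token survived. The template text and the _SERVER_ID_ token are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: render a per-node silent-install properties
# file from a template that uses the _HOSTNAME01_[7600],_HOSTNAME02_[7700]
# replacement-string convention, and refuse to emit a file in which a placeholder
# survived. The template below (and the _SERVER_ID_ token) is constructed here.
TEMPLATE='DEFAULT_JBOSS_CLUSTER_INSTALL=1
DEFAULT_JBOSS_CLUSTER_UNICAST=true
DEFAULT_JBOSS_CLUSTER_REPLICATION=true
DEFAULT_JBOSS_CLUSTER_UNICAST_HOSTNAMES=_HOSTNAME01_[7600],_HOSTNAME02_[7700]
DEFAULT_JBOSS_SERVER_ID=_SERVER_ID_'

# render_node <server_id> <host01> <host02>
# Prints the rendered properties; returns 1 (printing nothing) if a _TOKEN_ is
# still present in any value, i.e. a required replacement was not supplied.
render_node() {
    rendered=$(printf '%s\n' "$TEMPLATE" \
        | sed -e "s/_HOSTNAME01_/$2/g" \
              -e "s/_HOSTNAME02_/$3/g" \
              -e "s/_SERVER_ID_/$1/g")
    # Inspect only the value side of key=value: key names legitimately contain _JBOSS_.
    if printf '%s\n' "$rendered" | sed 's/^[^=]*=//' | grep -Eq '_[A-Z0-9]+_'; then
        echo "render_node: unreplaced placeholder for server id $1" >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# prop_value <server_id> <host01> <host02> <key>: one value out of the rendered file
prop_value() {
    render_node "$1" "$2" "$3" | sed -n "s/^$4=//p"
}

# Typical use: one file per node, same host list, different server id
# render_node 1 sandbox01 sandbox02 > node1.properties
# render_node 2 sandbox01 sandbox02 > node2.properties
```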



  • 7.  Re: DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7

    Posted Dec 12, 2017 11:01 AM

    Hi Shashidhar,

    Since the solutions are likely updated with additional properties in new versions, I usually validate the configuration settings with two (2) sample installations.

    1) Install the solution in standalone mode.  Zip up the folder.  Uninstall (or keep for cluster).

    2) Install the solution in cluster mode.  Zip up the folder.  Uninstall.

    3) Move both zip files to my workstation.

    4) Review the deltas (ignore logs/temp files) within the various configuration files.

    5) Compare with the recorded configuration in the Uninstall folders.

    Here is the process I use for Health Checks and building DevOps properties input files: Quickly Identify Incorrect Configurations For ANY Solution

    See if this works for you.

    Cheers,

    A.
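    An added example (not code from the thread or from CA) of step 4 above: a key-level comparison of the properties files recorded from a standalone and a cluster installation, which is the delta review done by hand in WinMerge or Beyond Compare. The two sample files are constructed here; only the property names come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a key-level diff of two silent-install
# properties files (standalone vs. cluster). Comments and blank lines are
# ignored, so line-by-line noise does not hide the real configuration deltas.

# prop_diff <file_a> <file_b>
# One sorted line per key that differs or exists in only one file; no output when equal.
prop_diff() {
    awk -F= -v A="$1" -v B="$2" '
        /^[ \t]*$/     { next }                 # blank line
        /^[ \t]*[#!]/  { next }                 # properties-file comment
        !/=/           { next }                 # no key=value, nothing to compare
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1)   # keep any "=" inside the value
            seen[key] = 1
            if (FILENAME == A) a[key] = val; else b[key] = val
        }
        END {
            for (k in seen) {
                if (!(k in a))         printf "%s: only in %s\n", k, B
                else if (!(k in b))    printf "%s: only in %s\n", k, A
                else if (a[k] != b[k]) printf "%s: %s -> %s\n", k, a[k], b[k]
            }
        }' "$1" "$2" | sort
}

# Constructed sample files: property names from the thread, values invented here.
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/propdiff.XXXXXX")
STANDALONE="$SAMPLE_DIR/standalone.properties"
CLUSTER="$SAMPLE_DIR/cluster.properties"
cat > "$STANDALONE" <<'EOF'
# standalone install (constructed sample)
DEFAULT_JBOSS_PROFILE=default
DEFAULT_JBOSS_SERVER_ID=1
DEFAULT_JBOSS_CLUSTER_INSTALL=0
EOF
cat > "$CLUSTER" <<'EOF'
# cluster install (constructed sample)
DEFAULT_JBOSS_PROFILE=all
DEFAULT_JBOSS_SERVER_ID=1
DEFAULT_JBOSS_CLUSTER_INSTALL=1
DEFAULT_JBOSS_CLUSTER_REPLICATION=true
EOF

# count_deltas: number of keys that differ between the two sample files (3 here)
count_deltas() { prop_diff "$STANDALONE" "$CLUSTER" | wc -l | tr -d ' '; }
```

    Pointing prop_diff at the properties files unzipped from the two installations gives the list of keys that the cluster install adds or changes, which is exactly the set to parameterise in the DevOps input file.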