
I wrote this article 2 years ago and I am moving it here from Integration - SM + SOI + EEM

 

 

ReadMe1st

 

 

SOI 3.0 Installer shows the following components to install.

Install them in the listed order. Connectors are optional.

Platform   Product
Windows    Java runtime (required by EEM installation): JRE 1.6.0_05 (32bit)
Windows    CA Embedded Entitlements Manager (EEM)
Windows    CA Service Operations Insight
Windows    CA Service Operations Insight - Integration Services
Windows    CA Service Operations Insight - Sample Connector
Windows    CA Service Operations Insight - Domain Connector


Components

1. JRE 1.6.0_05 : 32bit, C:\Program Files (x86)\Java\jre1.6.0_05
   Installed from the SOI 3.0 installation

2. EEM : 32bit, C:\Program Files (x86)\SC\
   Installs CA Directory (32bit, C:\Program Files (x86)\CA\Directory)
   EiamAdmin/password
   C:\Program Files (x86)\CA\SharedComponents\Embedded IAM

   Integrated with SM. (Follow the EEM documentation for SM integration.)
   Can view the SM user directory list if the correct values are entered.

   Check the following log for errors if it does not connect to SM:
   C:\Program Files (x86)\CA\SharedComponents\iTechnology\eiamsm.log
   Or try restarting the dxserver and iGateway services.

 

3. SOI 3.0 : 32bit, C:\Program Files (x86)\CA\SOI
   Service Assurance Administrator Credential:
   samuser/Siteminder1

   As EEM is now integrated with SM, you need to configure EEM.
   Log on to the SOI application SSA-SOI as Eiam/password.
   Go to "Manage Identities" and click the "Go" button.
   Click on the user (in my case it is "Sung Hoon Kim"), then click "Add Application User Details".
   Make sure the user is in an adequate group and save.
   You can log out and log in to SOI using the SM users.
   The console will also show your username.

 

 

 

DB Admin Credential
   sa/Siteminder1
   Database Name: SAMStore

4. MSSQL 2008 R2
   sa/Siteminder1

5. Adobe Flash Player

6. Apache 2.2.17 installed as reverse proxy

 

#============ Added for SOI Integration ==============#

ProxyRequests off
ProxyPreserveHost on

<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>

<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>

With this in place, http://soi.kim.net.my/sam/ui gives you access to the backend SOI.

Some additional proxy entries are set up for troubleshooting:
http://soi.kim.net.my/sam/admin
http://soi.kim.net.my/sam/debug

 

7. SiteMinder Web Agent
   As the web server is 32bit, I installed the R12.51CR1 Web Agent.
   The Agent Configuration Wizard detects the Apache web server successfully.
   Configured to protect /sam/ui/ (normal agent) and /iamt.html (4.x agent).
   Authenticates and authorizes users from "CA Directory", which is selected in the
   EEM side configuration.
   Please follow the EEM document for the SM side configuration.

   /sam/ui/ is protected by the HTML Authentication Scheme to make it easier to
   differentiate whether the login challenge is from SiteMinder or from SOI.

VERY IMPORTANT: The Apache proxy should proxy "/sam" to the backend SOI,
but the Web Agent must not protect "/sam"; it should protect only "/sam/ui/".
Otherwise, you will get multiple unexpected challenges and an exception when accessing the "console".

 

Screenshots (in this sample, I used Basic Auth for easier viewing): 1st challenge, 2nd challenge, 3rd challenge, and finally the exception.

 

 

 

 

 

==========================================

Applied SOI 3.1

The SOI 3.1 console requires JRE 1.6.0_25+, so the existing JRE 1.6.0_05 will not work.
The workaround is to log in from a client that has 1.6.0_25+.
Or, if you need to log in from the SOI machine, you can install 1.6.0_25+ on the SOI machine.
Note: DO NOT UNINSTALL the existing JRE 1.6.0_05, because EEM will then not display the SM integration and will fail to connect to the SiteMinder Policy Server.

VERY IMPORTANT: You MUST have at least SOI 3.1 to SSO with SiteMinder. 3.0 does not recognize the SMSESSION cookie, so SSO will not work.

 

Steps to upgrade

1. Shut down all SOI services.
   C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd stop

2. Run the SOI 3.1 installer (RO56291.exe).
   Select "Do not start services"; this can be done manually after the upgrade.

3. Install JRE 1.6.0_25+ (32bit).
   I installed 1.6.0_45 (32bit).
   Do not uninstall the previous JRE 1.6.0_05 (32bit) from this machine, as it is
   required by EEM. SM integration will break if you uninstall JRE 1.6.0_05.
   In case you did, you must update the "C:\Program Files (x86)\CA\SharedComponents\iTechnology\igateway.conf" file: locate <JVMSettings>.

   If your JRE is not 1.6.0_25+, the SOI console will fail to load and throw an exception.
   If you will not log on to SOI from this machine, you can skip this step.
   You can also install 1.7.x (32bit) on the client machine that you will be logging on to SOI from; I tested it and it worked. But it is always best practice to match the major version required.

4. Start up the SOI services.
   C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd start

5. Test logging on to SOI using a SiteMinder user.
   If this fails, the upgrade is not successful.
   If the upgrade is deemed a failure, you can uninstall 3.1.

6. Uninstall 3.1 if the upgrade failed.
   cd "C:\Program Files (x86)\CA\SOI\Patches"
   You will find an "Uninstall_<Patch Name>" folder.
   cd "Uninstall_SOIPatch_RO56291"
   run "Uninstall_RO56291.exe"

 

===========================================

After posting this to the communities, yuhung asked if IWA can be used for authentication.
SiteMinder picks up the username as "Domain\UserID", thus no matching user will be found in SOI.

One option is to use a Solution Module called "SmOverrideAuth", which will use "UserID" and strip off the Domain from the IWA name.
Or, the customer can develop a custom authentication module to do the same.

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

Following configuration will be setup.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Basic Concepts

 

This is continuing from Part 1 where we were creating basic objects to protect a resource.

 

Next is creating a Domain.
Navigate to "AdminUI ==> Policies ==> Domain ==> Domains" and click on "Create Domain".
Enter the required fields.

Name: "www.sso.lab"
This is just a name; it does not need to reflect the FQHN of your web server.
You can name it "Test1" as well.
But to me it is easier to use the FQHN.

 

Now, you can see that the first thing you do with this Domain is to link a User Directory.

That is the reason why you must have a User Directory configured first.

 

Click on "Add/Remove" under User Directories.

Select "SSO LAB Domain Users" from the left pane and move it to the right pane by clicking on the "arrow" button and click "OK".

 

Then click on the "Realms" tab and click on the "Create Realm" button.
Enter the required fields.
Name: Basic Realm
Agent: agent.iis
Resource Filter: /basic/
Authentication Scheme: Basic
Scroll down and click "Create" for Rules.
Enter the required fields.
Name: Access Basic
Resource: *
Scroll down and select Action: Get and Post
Then click "OK".
Click on the "Policies" tab and click "Create".

 

Enter the required fields.

 

Name: Basic Policy

 

Then click on the "Users" tab.
In general, if you click on "Add Members" it will present you with a list to choose from.
But if it does not give you the desired list, then you can enter it manually by clicking on "Add Entry".

 

I chose "Validate DN" because I just want to check whether the user is found within this DN.
Click "OK" and click on the "Rules" tab.
As the Rule is already created, click on "Add Rule".
You will be presented with a list to choose from.
Check "Basic Realm" and click "OK".
Click "OK" and you will be back at "Policies". Click "Submit".
This is how you protect a resource using the "Domain" type.

What you configured is:

 

You created a User Directory that contains the users you want to grant access to.
Then you created an Authentication Scheme: how the users will submit their credentials to prove their identity.
Then you created a Domain and linked the User Directory.
You created a Realm for the "/basic/" URI to protect it.
Then you linked the Authentication Scheme to the Realm, so when users access /basic/ they will be prompted with Basic Authentication.
In the same Realm, you created Rules for the "GET" and "POST" Method/Action.
This means requests that are submitted to the /basic/ Realm are evaluated for authorization only for GET and POST requests. Other requests are all rejected.
You created a Policy to link those Rules and added "CN=Users,DC=SSO,DC=LAB" for authorization.
What this means is that, if the user is found to be located within "CN=Users,DC=SSO,DC=LAB", they will be authorized. Others will be rejected.

 

So, in simple terms, you are creating all these objects to "Authorize" the user for resources.
Now, if you access "http://www.sso.lab/basic/" you will get challenged as below.
From the Basic prompt, you can see it says "The server reports that it is from Basic Realm".
This shows the challenge is from SiteMinder and not from the web server, because the reported realm is "Basic Realm", which is the Realm Name we entered.

 

Let's login as "smuser"

 

You can see above that "smuser" is logged on as the "USERNAME" shows "smuser".

You can also find "SMSESSION" cookie.

If you scroll down, you can also see the user is accessing "Basic Realm".

The User Directory is "SSO LAB Domain Users".

UserDN is "CN=smuser,CN=Users,DC=sso,DC=lab".

 

Now, access "http://www.sso.lab/logout/", which in the previous configuration we defined as the "LogoffURI".

You can see "USERNAME" no longer shows "smuser" and the SMSESSION cookie has value of "LOGGEDOFF".

You have successfully logged out.

If you go to "http://www.sso.lab/basic/" you will be prompted to enter user credential again.

 

Now, I am going to delete all the configuration and show you how to create the same using "Application" type.

To delete all the configuration, goto "AdminUI ==> Policies ==> Domain ==> Domains".

Select "www.sso.lab" and click on the "X" button at the right end.

This will delete everything but not the "User Directory" and "Authentication Scheme" because they are stand-alone objects and not a child object belonging to a domain. They are only referenced objects.

 

Now, let's perform the same thing using "Application".

Goto "AdminUI ==> Policies ==> Application ==> Applications" and click "Create Application"

 

You should be familiar with all the information displayed here.

Enter the required fields.

 

Name: www.sso.lab

Component Name: Basic Realm

Agent: agent.iis

Resource Filter: /basic/

Authentication Scheme: Basic

User Directory: SSO LAB Domain Users.

 

Then navigate to "Resources" tab and click "Create".

Enter required fields.

Name: Access Basic

Action: Get and Post

Then navigate to "Roles" tab and click "Create Role".

 

Scroll down to "Advanced ==> User Expression" and enter the following.

     (AT("CN=Users,DC=sso,DC=lab",SM_USERDN))

 

In general, SiteMinder will list all the groups, OUs and Os for you to choose from.
But this "CN=Users" is a unique use case, because it is a user container that is not an OU.

So, that is the reason why it was not listed when you were trying to create a Policy in the Domain.
You are faced with the same problem here as well.

For this specific use case, or any similar special condition, you can enter the expression manually as above.

 

What that expression means is: if the user is "AT" "CN=Users,DC=sso,DC=lab" based on the UserDN, then the user matches this role.
This "AT" condition means the user must be exactly at "CN=Users", not further below.
If the UserDN is "CN=User1,OU=ABC,CN=Users,DC=sso,DC=lab" then the user does not match this role. <== You must remember this!
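To make the AT semantics concrete, here is an added example (my own code, not from the post and not SiteMinder's implementation) that parses DNs and evaluates AT the way the post describes, next to a subtree check for contrast; it goes a little beyond the post by also handling an escaped comma inside a CN, which a naive split on "," would break on. It assumes attribute types and values compare case-insensitively, as the post's own mixed-case DNs (DC=SSO,DC=LAB vs DC=sso,DC=lab) suggest.

```python
"""Evaluate a SiteMinder-style AT(container, SM_USERDN) role expression on LDAP DNs.

Added example, not the post's or SiteMinder's own code. Assumptions:
  - DNs are in RFC 4514 string form; backslash escapes are honoured so a comma
    inside a value (CN=Kim\\, Sung Hoon) is not treated as an RDN separator
  - attribute types and values compare case-insensitively (the post writes the
    same container as DC=SSO,DC=LAB and DC=sso,DC=lab)
  - hex escapes (\\2C) and multi-valued RDNs (a=b+c=d) are out of scope
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leaf first, honouring backslash escapes."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair verbatim; both sides of a comparison keep it the same way.
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def at(container: str, user_dn: str) -> bool:
    """AT(): true only when the entry's immediate parent is exactly `container`.

    This is the post's rule: CN=User1,OU=ABC,CN=Users,DC=sso,DC=lab is NOT at CN=Users.
    """
    return parse_dn(user_dn)[1:] == parse_dn(container)


def within(container: str, user_dn: str) -> bool:
    """Subtree membership for contrast: the entry is anywhere below `container`."""
    c, u = parse_dn(container), parse_dn(user_dn)
    return len(u) > len(c) and u[-len(c):] == c


def role_members(container: str, user_dns: List[str]) -> List[str]:
    """Return the DNs that would match the role expression (AT("<container>",SM_USERDN))."""
    return [dn for dn in user_dns if at(container, dn)]


if __name__ == "__main__":
    # Constructed sample user DNs following the post's SSO LAB directory layout.
    users = [
        "CN=smuser,CN=Users,DC=sso,DC=lab",
        "CN=User1,OU=ABC,CN=Users,DC=sso,DC=lab",
        "CN=Kim\\, Sung Hoon,CN=Users,DC=SSO,DC=LAB",
    ]
    container = "CN=Users,DC=sso,DC=lab"
    for dn in users:
        print(f"{dn:50} AT={str(at(container, dn)):5} within={within(container, dn)}")
    print("role members:", role_members(container, users))
```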

 

Click on the "Validate" button to ensure there is no typo.
Navigate to the "Policies" tab. Check the "Basic Role" for the "Access Basic" Resource and then click "Submit".

 

Now you have protected /basic/ using Application mode.

Goto "http://www.sso.lab/basic/" and logon as smuser.

You can see all the information is the same as when you protected this resource using the Domain type.

 

I hope this gave you a good comparison of both.
They are the same, with just a slight difference as the Role is introduced.

I will not delete this Application. I will be adding more Components (Realms) to this Application.

Next article will be creating Authentication Schemes.

 

Stay tuned!!!

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 2"


This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 


01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

 

The All-In-One image has too many services to start up at boot time.
This puts all the services in competition for resources and results in slower startup or failures.

To work around this, I set those services' startup mode to "Manual".
Then I use a batch file to start up the services in serial order.

First, you need a list of the services to manage, and you need to put them in order.

 

Service startup sequence should be as below.

1. LDAP/DB (backend services)

2. Policy Server

3. RiskMinder (and other Policy Server related services)

4. AdminUI

5. Web Servers/SPS

6. Application Servers (NewAtlanta ServletExec)

7. Report Server (optional)

 

The shutdown sequence will be the opposite.

 

Following are the actual service names in the startup sequence.

Service Name                Description
MSSQLSERVER                 MS SQL Server (exclude this from the list; this one can be running all the time)
DXserver_PRIMARY            CA Directory (Policy Store)
Dsccagent11g-1              DSCC Agent for Oracle Directory Server
DirectoryServer7-2          Oracle Directory Primary Instance
DirectoryServer7-1          Oracle Directory ADS service
smpolicysrv                 SiteMinder Policy Server
SmServMon                   SiteMinder Health Monitor Service
CARiskMinder                SiteMinder Policy Server RiskMinder Service
SMADMINUI                   SiteMinder AdminUI
"Agent Service"             SiteMinder SNMP Agent
W3SVC                       IIS Web Server
www.cookie.lab              Apache Web Server
"SiteMinderSecureProxy"     Secure Proxy Server - Apache
"SiteMinder Proxy Engine"   Secure Proxy Server - Tomcat
ServletExec-testmc1         NewAtlanta ServletExec for IIS (for shutdown, use "C:\Program Files\New Atlanta\ServletExec AS\se-testmc1\StopServletExec.bat")
BOE120SIATESTMC1            SIA Service for Report Server
SQLANYs_BOE120SQLAW         DB Service for Report Server
BOE120Tomcat                Tomcat Service for Report Server

Now load "services.msc" and set the "Startup type" of all the above services to "Manual", except for "MSSQLSERVER".

 

     - Startup/Shutdown scripts

 

Next is to create scripts to start up and shut down the services.

The Startup script would simply list the above services, but it is also important to delete the log files before starting up.
Also, some services need time to initialize, so the batch file needs to monitor some log files to determine whether the service started up fine, or retry if the service failed to initialize.

The Shutdown script is easy, as it just needs to shut down all the services; there is no need to check whether the services went down successfully.

Lastly, the Restart script is the one that will be used most, so I will not create a separate Startup script.
It is a combination of the "Shutdown" script + the "Startup" script.
In this case, if certain services do not go down quickly, the Restart script needs to kill those processes to move on to the next services.
Logs also need to be cleared, and it must ensure all services are shut down before starting up again.

For convenience, I will create separate start and stop scripts for the Report Server, because it will not be started up that frequently.

 

Stop-SM.bat

@echo off

:BEGINSCRIPT
REM Shutdown order is the reverse of the startup order: web tier first, backend directories last.
echo [%DATE%][%TIME%] Stopping Web Server
net stop w3svc >nul
net stop www.cookie.lab >nul
net stop SiteMinderSecureProxy >nul
net stop "SiteMinder Proxy Engine" >nul
net stop ServletExec-testmc1 >nul
net stop "Agent Service" >nul
REM ServletExec does not stop reliably via service control; kill the java processes, then run its stop script.
taskkill /IM javaw.exe /F >nul
cd C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\
call C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\StopServletExec.bat >nul

echo [%DATE%][%TIME%] Stopping WAMUI
net stop SMADMINUI >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Monitor
net stop smservmon >nul

echo [%DATE%][%TIME%] Stopping Risk Minder
net stop CARiskMinder >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Policy Server
net stop smpolicysrv >nul

echo [%DATE%][%TIME%] Stopping CA Directory (PolicyStore)
dxserver stop all >nul

echo [%DATE%][%TIME%] Stopping Oracle Directory Server (UserStore)
net stop DirectoryServer7-2 >nul
net stop DirectoryServer7-1 >nul
net stop Dsccagent11g-1 >nul


Above is the Stop-SM.bat script.
I don't really need to shut down the SQL server each time. It can stay up.
CA Directory can be shut down using "dxserver stop all", so I use that command.
"Agent Service" is actually a java process.
AdminUI is also a java process.
ServletExec-testmc1 is also a java process.
ServletExec is known to have problems shutting down via service control on Windows 2008 and above.
So, I am actually calling "StopServletExec.bat", but even before that I kill all javaw.exe processes to clean up all the java processes.

 

Restart-SM.bat

@echo off

:BEGINSCRIPT
REM Retry counter for the Policy Server log cleanup; after 10 passes smpolicysrv.exe is killed.
set /A smcount=1
echo [%DATE%][%TIME%] Stopping Web Server
net stop w3svc >nul
net stop www.cookie.lab >nul
net stop SiteMinderSecureProxy >nul
net stop "SiteMinder Proxy Engine" >nul
net stop ServletExec-testmc1 >nul
net stop "Agent Service" >nul
taskkill /IM javaw.exe /F >nul
cd C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\
call C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\StopServletExec.bat >nul

echo [%DATE%][%TIME%] Stopping WAMUI
net stop SMADMINUI >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Monitor
net stop smservmon >nul

echo [%DATE%][%TIME%] Stopping Risk Minder
net stop CARiskMinder >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Policy Server
net stop smpolicysrv >nul

echo [%DATE%][%TIME%] Stopping CA Directory (PolicyStore)
dxserver stop all >nul

echo [%DATE%][%TIME%] Stopping Oracle Directory Server (UserStore)
net stop DirectoryServer7-2 >nul
net stop DirectoryServer7-1 >nul
net stop Dsccagent11g-1 >nul

REM Each WAITCLRFILES block deletes a log folder, pauses about a second (ping -n 2),
REM and loops until a known log file is gone, i.e. until the process locking it has exited.
:WAITCLRFILES
echo [%DATE%][%TIME%] Deleting IIS Web Agent Log files... This may take time until all processes locking the log files are shutdown.
taskkill /F /IM LLAWP.exe >nul
del /q "%NETE_WA_ROOT%\log\*.*" >nul
del /q C:\inetpub\logs\LogFiles\W3SVC1\*.* >nul
del /q C:\inetpub\logs\LogFiles\W3SVC2\*.* >nul
del /q C:\inetpub\logs\FailedReqLogFiles\W3SVC1\*.* >nul
del /q C:\inetpub\logs\FailedReqLogFiles\W3SVC2\*.* >nul
del /q C:\inetpub\temp\appPools\*.tmp >nul
ping -n 2 127.0.0.1 >nul
if not exist "%NETE_WA_ROOT%\log\wa.log" GOTO WAITCLRFILES2
GOTO WAITCLRFILES

:WAITCLRFILES2
echo [%DATE%][%TIME%] Deleting www.cookie.lab Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\Apache24\logs\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Apache24\logs\*.log GOTO WAITCLRFILES3
GOTO WAITCLRFILES2

:WAITCLRFILES3
echo [%DATE%][%TIME%] Deleting SPS Server Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\Progra~2\CA\secure-proxy\proxy-engine\logs\*.* >nul
del /q C:\Progra~2\CA\secure-proxy\proxy-engine\*.log >nul
del /q C:\Progra~2\CA\secure-proxy\proxy-engine\*.mdmp >nul
del /q C:\Progra~2\CA\secure-proxy\arcot\logs\*.* >nul
del /q C:\Progra~2\CA\secure-proxy\arcot\logs\backup\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\secure-proxy\proxy-engine\logs\*.log GOTO WAITCLRFILES4
GOTO WAITCLRFILES3

:WAITCLRFILES4
echo [%DATE%][%TIME%] Deleting Policy Server Log files... This may take time until all processes locking the log files are shutdown.
echo [%DATE%][%TIME%] Deleting Policy Server Logs retry count: %smcount%
REM If the Policy Server has not released its log after 10 passes, force it down.
if %smcount% GTR 10 (
    taskkill /F /IM smpolicysrv.exe
)
del /q C:\Progra~2\CA\siteminder\log\*.* >nul
del /q C:\Progra~2\CA\aas\logs\*.* >nul
del /q C:\*.log >nul
ping -n 2 127.0.0.1 >nul
set /A smcount+=1
if not exist C:\Progra~2\CA\siteminder\log\smps.log GOTO WAITCLRFILES5
GOTO WAITCLRFILES4

:WAITCLRFILES5
echo [%DATE%][%TIME%] Deleting Audit Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\Progra~2\CA\siteminder\audit\xps*.* >nul
del /q C:\Progra~2\CA\siteminder\audit\harvest.log >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit\xps*.* GOTO WAITCLRFILES6
GOTO WAITCLRFILES5

:WAITCLRFILES6
echo [%DATE%][%TIME%] Deleting Temporary Audit Log files... This may take time until all processes locking the log files are shutdown.
rd /s /q C:\Progra~2\CA\siteminder\audit_R6tmp >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit_R6tmp GOTO WAITCLRFILES7
GOTO WAITCLRFILES6

:WAITCLRFILES7
echo [%DATE%][%TIME%] Deleting Archived Audit Log files... This may take time until all processes locking the log files are shutdown.
rd /s /q C:\Progra~2\CA\siteminder\audit_archive >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit_archive GOTO WAITCLRFILES8
GOTO WAITCLRFILES7

:WAITCLRFILES8
echo [%DATE%][%TIME%] Deleting WAMUI Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\Progra~2\CA\siteminder\adminui\server\default\log\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\adminui\server\default\log\server.log GOTO WAITCLRFILES9
GOTO WAITCLRFILES8

:WAITCLRFILES9
echo [%DATE%][%TIME%] Deleting CADIR Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\Progra~1\CA\Directory\dxserver\logs\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~1\CA\Directory\dxserver\logs\PRIMARY_alarm.log GOTO WAITCLRFILESA
GOTO WAITCLRFILES9

:WAITCLRFILESA
echo [%DATE%][%TIME%] Deleting Oracle Directory Server Log files... This may take time until all processes locking the log files are shutdown.
del /q C:\dsee7\ldapinstances\slapd-primary\logs\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\dsee7\ldapinstances\slapd-primary\logs\errors.rotationinfo GOTO WAITCLRFILESB
GOTO WAITCLRFILESA

:WAITCLRFILESB
echo [%DATE%][%TIME%] Deleting Report Server logs.
REM BOEInstall_0.log and boe_upgrade.xsl in this folder are set Read-Only, so this del leaves them in place.
del /q "C:\Program Files (x86)\CA\SC\CommonReporting3\BusinessObjects Enterprise 12.0\logging\*.*"

:WAITCLRFILESC
echo [%DATE%][%TIME%] Clearing Windows Event logs...
wevtutil cl Application
wevtutil cl System
wevtutil cl Security
wevtutil cl Setup
wevtutil cl "DNS Server"
wevtutil cl "Active Directory Web Services"
wevtutil cl "DFS Replication"
wevtutil cl "Directory Service"

:WAITCLRFILESD
echo [%DATE%][%TIME%] Clearing Crashdump files...
REM The WER queue folder is removed whole and re-created empty.
rmdir /S /Q C:\ProgramData\Microsoft\Windows\WER\ReportQueue
ping -n 2 127.0.0.1 >nul
mkdir C:\ProgramData\Microsoft\Windows\WER\ReportQueue

GOTO STARTODIR

:STARTODIR
echo [%DATE%][%TIME%] Starting Oracle Directory Server
net start Dsccagent11g-1
net start DirectoryServer7-1
net start DirectoryServer7-2
GOTO STARTCADIR

:STARTCADIR
echo [%DATE%][%TIME%] Starting CA Directory (Policy Store)
dxserver start all
GOTO STARTSMPS

:STARTSMPS
echo [%DATE%][%TIME%] Starting Policy Server
net start "Agent Service"
net start "SNMP"
net start smpolicysrv
net start SmServMon
net start CARiskMinder
GOTO CHECKSMPS

:CHECKSMPS
REM Poll smps.log until the Policy Server reports ready before starting anything that depends on it.
echo [%DATE%][%TIME%] Waiting for SiteMinder Policy Server to fully initialize... This may take some time...
ping -n 2 127.0.0.1 >nul
find "SiteMinder Policy Server is ready" C:\Progra~2\CA\siteminder\log\smps.log >nul
if errorlevel 1 GOTO CHECKSMPS
GOTO STARTWAMUI

:STARTWAMUI
echo [%DATE%][%TIME%] Starting Administrative UI
net start SMADMINUI
GOTO STARTIIS

:STARTIIS
echo [%DATE%][%TIME%] Starting Web Servers
net start w3svc
net start www.cookie.lab
net start SiteMinderSecureProxy
net start "SiteMinder Proxy Engine"
REM ServletExec service name as listed in the service table above and as stopped at the top of this script.
net start ServletExec-testmc1

:END
echo [%DATE%][%TIME%] Everything is started up successfully.
ping -n 5 127.0.0.1 >nul


What you need to note here is that I am also clearing out the event logs.
At times there are too many historical event records, which makes things confusing, so clearing the events and looking only at the new records related to the test is a good thing.
Another thing is that in the report server logs folder, there were 2 files that I did not want to delete, so I made them Read-Only.
Those 2 files are "BOEInstall_0.log" and "boe_upgrade.xsl".
So, when this script deletes everything in that folder, those 2 files will remain.
In the case of the WER report files from Windows, I am actually deleting the whole folder and re-creating it.

 

Next is the Stop-Report.bat

Stop-Report.bat

@echo off

echo [%DATE%][%TIME%] Stopping Server Intelligence Agent
net stop BOE120SIATESTMC1 >nul

echo [%DATE%][%TIME%] Stopping Report Server Tomcat
net stop BOE120Tomcat >nul

echo [%DATE%][%TIME%] Stopping Other Report Server Services
net stop SQLANYs_BOE120SQLAW >nul

 

And the Restart-Report.bat

Restart-Report.bat

@echo off

echo [%DATE%][%TIME%] Stopping Server Intelligence Agent
net stop BOE120SIATESTMC1 >nul

echo [%DATE%][%TIME%] Stopping Report Server Tomcat
net stop BOE120Tomcat >nul

echo [%DATE%][%TIME%] Stopping Other Report Server Services
net stop SQLANYs_BOE120SQLAW >nul

REM Give the report server services about 30 seconds to release their files before starting again.
ping -n 30 127.0.0.1 >nul

echo [%DATE%][%TIME%] Starting Other Report Server Services
net start SQLANYs_BOE120SQLAW >nul

echo [%DATE%][%TIME%] Starting Report Server Tomcat
net start BOE120Tomcat >nul

echo [%DATE%][%TIME%] Starting Server Intelligence Agent
net start BOE120SIATESTMC1 >nul

 

     - Logging

 

The challenge with log collection is that the logs are scattered in different folders, and it takes time to collect a full set of logs and keep them in a single zip file for each iteration of a test.

To work around this problem, here is what I do.
You need a tool called "junction" from SysInternals. It creates a junction (a directory link, similar to a symbolic link).
And you need 7zip to compress the files.

First, create a folder "C:\Logs".
Download and extract junction.exe to "C:\Windows" or any folder that is within the PATH variable.
Install 7zip.

Open a command line and go to the "C:\Logs" folder.

 

junction IISLog1 "C:\inetpub\logs\LogFiles\W3SVC1"

junction IISLog2 "C:\inetpub\logs\LogFiles\W3SVC2"

junction IISWALogs "C:\Progra~1\CA\webagent\win64\log"

junction IISFRLog1 "C:\inetpub\logs\FailedReqLogFiles\W3SVC1"

junction IISFRLog2 "C:\inetpub\logs\FailedReqLogFiles\W3SVC2"

junction ApacheLog "C:\Apache24\logs"

junction SPSLogs "C:\Progra~2\CA\secure-proxy\proxy-engine\logs"

junction ArcotLogs "C:\Progra~2\CA\secure-proxy\arcot\logs"

junction PSLOGS "C:\Program Files (x86)\CA\siteminder\log"

junction PSAudit "C:\Program Files (x86)\CA\siteminder\audit"

junction RISKMLogs "C:\Program Files (x86)\CA\aas\logs"

junction AdminUILogs "C:\Progra~2\CA\siteminder\adminui\server\default\log"

junction CADIRLogs "C:\Progra~1\CA\Directory\dxserver\logs"

junction ORADIRLogs "C:\dsee7\ldapinstances\slapd-primary\logs"

junction WER "C:\ProgramData\Microsoft\Windows\WER\ReportQueue"

 

There is no need to create a junction for the Report Server logs folder.

After this, "dir C:\Logs" should list each of these as a <JUNCTION> entry pointing at its target folder.

 

Now you need to create a LogCollection.bat script to create a zip file that includes all the log folders.

 

LogCollection.bat

@echo off

 

rem Registry exports are written into the log folders so they land in the bundle as well.
rem /y overwrites the previous export instead of prompting, which would otherwise hang a scheduled run.

reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity "%NETE_PS_ROOT%\log\policyserver.reg" /y

reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ODBC "%NETE_PS_ROOT%\log\ODBC.reg" /y

reg export HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity "%NETE_WA_ROOT%\log\webagent.reg" /y

 

 

rem Before 10:00 %TIME% starts with a space (" 9:05:07"), so FILENAME2 pads the hour with a 0
if %time:~0,2% LSS 10 GOTO FILENAME2

 

 

:FILENAME1

rem Assumes %DATE% looks like "Thu 11/12/2015" (en-US); other locales shift these offsets
set filename=Logs_ALLINONE2_%date:~-4,4%%date:~4,2%%date:~-7,2%-%time:~0,2%%time:~3,2%%time:~6,2%.zip

GOTO MAIN

 

 

:FILENAME2

set filename=Logs_ALLINONE2_%date:~-4,4%%date:~4,2%%date:~-7,2%-0%time:~1,1%%time:~3,2%%time:~6,2%.zip

GOTO MAIN

 

 

 

:MAIN

echo %filename%

 

set CONTAINER=C:\Logs

rem /d also switches drive in case the script is started from another drive
cd /d %CONTAINER%

 

rem -ssw also archives files that are currently open for writing (live logs); -x!*.zip keeps earlier bundles out of the new one
C:\Progra~2\7-Zip\7z a -x!*.zip -ssw %filename%

 

I created a "Scripts" folder on the Administrator's Desktop and saved all the above batch files there.

Then I dragged those scripts to the "Start" menu so I have easier access to them.
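For comparison, here is the same collection job written in Python instead of batch, as an added example that is not part of the original scripts. It walks a dictionary of named log folders (the names and paths are taken from the junction list above and are assumptions for your own machine), zips them into one locale-independent timestamped bundle, skips earlier *.zip files and unreadable (locked or missing) entries instead of aborting, and records a SHA-256 of the bundle so whoever receives it can confirm it is unaltered. It assumes Python 3 is available on the box; the registry exports are left to the batch file.

```python
"""Added example: bundle scattered log folders into one timestamped zip, the job the
junction + 7-Zip batch above does, without junctions and without parsing %DATE%/%TIME%.
Constructed example, not the article's script; LOG_SOURCES paths are assumptions."""
import hashlib
import zipfile
from datetime import datetime
from pathlib import Path

# Friendly name -> folder, mirroring the junction list above (assumed paths).
LOG_SOURCES = {
    "PSLOGS": r"C:\Program Files (x86)\CA\siteminder\log",
    "PSAudit": r"C:\Program Files (x86)\CA\siteminder\audit",
    "IISLog1": r"C:\inetpub\logs\LogFiles\W3SVC1",
    "SPSLogs": r"C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs",
}


def bundle_name(prefix="Logs_ALLINONE2", when=None):
    """yyyyMMdd-HHmmss name that does not depend on the %DATE% layout of the locale."""
    when = when or datetime.now()
    return f"{prefix}_{when:%Y%m%d-%H%M%S}.zip"


def collect_logs(sources, out_dir, prefix="Logs_ALLINONE2", when=None):
    """Zip every file under each source folder (recursively) as <name>/<relative path>.
    Skips *.zip (earlier bundles) and files that cannot be read (locked or missing),
    reporting them instead of aborting. Returns (zip_path, archived_names, skipped)."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    zip_path = out_dir / bundle_name(prefix, when)
    archived, skipped = [], []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, folder in sources.items():
            root = Path(folder)
            if not root.is_dir():
                skipped.append((name, "missing folder"))
                continue
            for path in sorted(p for p in root.rglob("*") if p.is_file()):
                if path.suffix.lower() == ".zip":
                    continue  # never nest the previous bundle inside the new one
                arcname = f"{name}/{path.relative_to(root).as_posix()}"
                try:
                    zf.write(path, arcname)  # a file locked against reading is skipped, not fatal
                    archived.append(arcname)
                except OSError as exc:
                    skipped.append((arcname, str(exc)))
    return zip_path, archived, skipped


def sha256_file(path):
    """Digest to record next to the bundle before it leaves the box; it holds audit data
    and registry exports, so the recipient should be able to prove it arrived unaltered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    zpath, names, missed = collect_logs(LOG_SOURCES, r"C:\Logs")
    print(zpath, sha256_file(zpath), f"{len(names)} files archived, {len(missed)} skipped")
```

Run it from a scheduled task or by hand after each test iteration; the returned `skipped` list is worth printing, because a missing folder usually means a component was not installed or a path changed rather than that it produced no logs.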

 

 

And for the Policy Server, we need a profiler setting that is good for most use cases but does not generate too many log entries.

 

I have the following template that I use for general purpose.

simple_support_trace.template

components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, AgentFunc/GetConfig, AgentFunc/DoManagement, AgentFunc/GetSingleUseCookie, AgentFunc/SetSingleUseCookie, AgentFunc/DelSingleUseCookie, IsProtected, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Password_Service, Login_Logout/Certificates, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, LDAP/Connection_Management, LDAP/Performance_Measurement, LDAP/Ldap_Error_Messages, Fed_Client/General_Info, Fed_Client/Single_Sign_On, Fed_Client/Single_Logout, Fed_Client/Configuration, Fed_Server/Assertion_Generator, Fed_Server/Auth_Scheme, Fed_Server/Configuration, Fed_Server/Single_Logout, Fed_Server/Saml_Requester

data: Date, Time, User, Message, Data, AgentName, Resource, AuthStatus, AuthReason, CertDistPt, Query, CallDetail, Pid, Tid

It is actually 2 lines (3 lines including an empty line at the bottom).

The first line is "components" and the second is "data".

Depending on the components and data you choose, you will get a different log output.

If you are unsure what to add, or the issue needs real analysis, add all components and data so that nothing is missed. Keep in mind that a full trace grows quickly and contains user identifiers, resource URLs and directory query details, so treat the trace files as sensitive.

 

Save this file in the "C:\Program Files (x86)\CA\siteminder\config\profiler_templates\" folder.

Load "smconsole" (aka the Policy Server Management Console) and go to the "Profiler" tab to load this template.

Check the "Enable Profiling" option.

Then click on the "Configure Settings" button.

At the "Template" drop-down menu, select "simple_support_trace.template".

Click the "Load Template" button.

Click "OK" and click "OK" again to close smconsole.

 

You can also configure a scheduled task to run the "smpolicysrv -stats" command to get Policy Server statistics.

 

Open "Task Scheduler" and click "Create Basic Task...".

 

Click "OK" to save.

Since the task is not running at the moment, select it and click the "Run" button in the right pane.

Now, if you look at smps.log, you will find the "Statistics" information.

 

Once you reboot the machine, from then on this task runs every 2 minutes.

If you started the SiteMinder services (Restart-SM.bat), you will find a statistics block in smps.log every 2 minutes.

 

     - Basic Concepts

 

Before you jump into the SiteMinder world, you need to have some basics.

I will not go into too much detail here because you will pick up most of it from subsequent articles, but here are the real basics.

 

SiteMinder has 4 main components.

1. Web Agent

2. Policy Server

3. Policy Store

4. User Store

 

There are 2 main reasons why you would be interested in SiteMinder.

1. Protect Web Resources

2. Achieve Single Sign-On

 

So the resource we are going to talk about is a Web Server resource, for example:

http://www.sso.lab/protected/index.html

 

The first part ("http") is the protocol you are using to access the website.

http is not encrypted, so if people can tap into your network they may capture the traffic and pick up your userID and password (and, later, your session cookie).

https is encrypted.

 

The second part ("www.sso.lab") is the Fully Qualified Hostname, which is constructed from 2 sections:

Server Name + Domain

The first part before the dot (.) is the hostname and the rest is the domain (cookie domain).

In this case, "www" is the hostname and ".sso.lab" is the domain.

 

SiteMinder uses (encrypted) cookies to store user session information, so the domain value is used to set the cookies in the browser.

If the browser visits any website whose hostname matches the cookie domain, the cookie will be submitted by the browser.

For example, if the browser has a SiteMinder session cookie (called the SMSESSION cookie) that was set for the .sso.lab cookie domain by the www.sso.lab web site, and the browser then visits hello.sso.lab, the SMSESSION cookie will be submitted because the cookie domain matches. A host outside .sso.lab never receives it.

 

SiteMinder protects a web site by installing a Web Agent.

The Web Agent is a plugin to the Web Server, which gives it the ability to intercept requests coming into the web server.

As the Web Agent can intercept requests, it can perform the following whenever there is a request for a resource.

 

The Web Agent makes the following calls to the Policy Server:

* Is the requested resource protected? (aka IsProtected)

* Does the requesting browser have an SMSESSION cookie representing a user identity? (aka IsAuthenticated)

* Is the user identity allowed to access this resource? (aka IsAuthorized)

 

The last part of the URL ("/protected/index.html") is the resource, and that is what the Web Agent asks the Policy Server about: whether it is protected or not.

If the request did not carry an SMSESSION cookie, the Web Agent redirects the browser to a login page so the user can submit a userID and password.

This login is what we call "Authentication", because by submitting the userID and a valid password, a unique user in the user store is identified as you.

 

When Web Agent asks Policy Server if a resource is protected, it asks by submitting the following information.

 

1. Agent Identity

2. URI (This is the resource part above)

 

For example, the Web Agent submits "agent1" and "/protected/index.html" to the Policy Server.

The Policy Server will say it is protected if it finds the "agent1" Agent Identity and a "Realm" with a matching "Resource Filter" such as "/protected/".

 

This "Realm" is what you will be creating in the Policy Server to protect resources.

Realm has following additional properties.

 

1. Authentication Scheme (login method)

2. Resource Filter (The URI for the protected resource)

 

That is how Policy Server determines whether the resource is protected.

 

To determine whether you are who you claim to be, SiteMinder redirects the browser to a login page for the user to submit a userID and password.

In general, the userID that you submit is searched for in the user store.

 

If a matching user is found, then the submitted password is compared with the password stored for that user.

If they match, the Policy Server tells the Web Agent that the user is Authenticated.

 

The Web Agent then sets the SMSESSION cookie with the user information.

Once the SMSESSION cookie is available, the user does not need to submit userID/password again as long as the session remains valid (realms carry idle and maximum session timeouts) and they remain authorized for the resources.

 

SiteMinder determines whether you are Authorized to access a certain resource by reviewing a Policy.

A Policy is where SiteMinder links Users and Resources.

If the Policy is configured to allow users from a certain group to access resource X, and you belong to that group, then you are Authorized.

If you are not, then you will be redirected to the login page again.
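To make the three questions concrete, here is a small Python model of the flow described above. It is an added example, not SiteMinder code: realm matching by Agent Identity and Resource Filter (longest matching filter wins in this model), authentication against a toy user store, an HMAC-protected stand-in for the SMSESSION cookie (the real one is encrypted with the Agent key), RFC 6265 cookie-domain matching, and group-based policy evaluation. The agent name, realm, users and groups are constructed lab data.

```python
"""Toy model of the Web Agent <-> Policy Server decisions described above.
Constructed example, not SiteMinder code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

SESSION_KEY = os.urandom(32)  # stand-in for the Agent key that protects SMSESSION


@dataclass(frozen=True)
class Realm:
    agent: str            # Agent Identity, e.g. "agent1"
    resource_filter: str  # URI prefix, e.g. "/protected/"
    auth_scheme: str      # login method, e.g. "Basic"


@dataclass(frozen=True)
class Policy:
    resource_filter: str  # realm this policy applies to
    allowed_groups: frozenset


class UserStore:
    """Stands in for the AD/LDAP user store: salted password hashes plus group membership."""
    def __init__(self):
        self._users = {}

    def add(self, uid, password, groups):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._users[uid.lower()] = (salt, digest, frozenset(groups))

    def authenticate(self, uid, password):
        rec = self._users.get(uid.lower())
        if rec is None:
            return False  # no matching user in the store
        salt, digest, _ = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(cand, digest)

    def groups(self, uid):
        rec = self._users.get(uid.lower())
        return rec[2] if rec else frozenset()


def cookie_domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or ends with it on a label boundary.
    'hello.sso.lab' matches '.sso.lab'; 'evilsso.lab' and 'www.sso.lab.example' do not."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def issue_session(uid):
    """SMSESSION stand-in: uid plus an HMAC so the agent can reject tampered cookies."""
    tag = hmac.new(SESSION_KEY, uid.encode(), "sha256").hexdigest()
    return f"{uid}|{tag}"


def read_session(cookie):
    """Returns the uid only if the tag verifies; a forged or altered cookie is no session at all."""
    uid, _, tag = cookie.partition("|")
    good = hmac.new(SESSION_KEY, uid.encode(), "sha256").hexdigest()
    return uid if hmac.compare_digest(good, tag) else None


class PolicyServer:
    def __init__(self, realms, policies, users):
        self.realms, self.policies, self.users = realms, policies, users

    def is_protected(self, agent, uri):
        """IsProtected: the longest Resource Filter for this Agent Identity that prefixes the URI."""
        hits = [r for r in self.realms if r.agent == agent and uri.startswith(r.resource_filter)]
        return max(hits, key=lambda r: len(r.resource_filter), default=None)

    def is_authorized(self, realm, uid):
        """IsAuthorized: some Policy on the realm names a group the user belongs to."""
        member_of = self.users.groups(uid)
        return any(p.resource_filter == realm.resource_filter and member_of & p.allowed_groups
                   for p in self.policies)


def handle_request(ps, agent, uri, cookie=None, credentials=None):
    """What the Web Agent does per request; returns the action it would take."""
    realm = ps.is_protected(agent, uri)
    if realm is None:
        return "serve"                      # unprotected: nothing more to ask
    uid = read_session(cookie) if cookie else None
    if uid is None:                         # IsAuthenticated failed: no or invalid SMSESSION
        if not credentials or not ps.users.authenticate(*credentials):
            return f"redirect_to_login({realm.auth_scheme})"
        uid = credentials[0]                # login succeeded; agent would now set SMSESSION
    if not ps.is_authorized(realm, uid):
        return "access_denied"
    return "serve"


# Constructed lab data mirroring the text: agent1, /protected/, one allowed group.
USERS = UserStore()
USERS.add("alice", "Siteminder1", {"SSO Users"})
USERS.add("bob", "Siteminder1", {"Contractors"})
PS = PolicyServer(
    realms=[Realm("agent1", "/protected/", "Basic")],
    policies=[Policy("/protected/", frozenset({"SSO Users"}))],
    users=USERS,
)
```

Two details the model makes visible that the prose only implies: an Agent Identity with no realm covering the URI gets "serve" because IsProtected is answered before anything else, and a cookie whose tag does not verify is treated as no session at all, so the user is sent to login rather than being authorized on a forged identity. An authenticated user outside the policy's group ends in "access_denied"; what the agent shows for that is agent configuration.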

 

I hope you are liking my articles.

If you have attended "SiteMinder 200" training then you should be good here.

 

 

Now, let's configure SiteMinder to protect a resource on the IIS web server.

There are 2 ways to protect a resource. At the lower level they are essentially the same, but one is called "Domain" and the other is called "Application".

"Domain" is what has been there from the beginning of SiteMinder; "Application" is newer, intended to make the configuration easier and to introduce role-based authorization.

 

I will demonstrate how to protect a resource using "Domain" and "Application" so that you can spot the differences and the commonalities.

 

The sequence of objects to create in the SiteMinder AdminUI is as below.

 

Domain                 | Application
-----------------------|-----------------------
User Directory         | User Directory
Authentication Scheme  | Authentication Scheme
Domain                 | Application
Realm                  | Component
Rule                   | Resources
N/A                    | Role
Policy                 | Policy

 

 

Let's create a User Directory.

Logon to "AdminUI ==> Infrastructure ==> Directory ==> User Directories" and click "Create User Directory"

The steps are documented previously in the following article while trying to protect the ProxyUI.

Creating an ALL-IN-ONE VM Image - Part 9

 

That actually demonstrates how to create a "Domain" to protect /proxyui/.

We will use the same AD user directory made from the previous step.

SSO LAB Domain Users

Enter the following information.

Name : SSO LAB Domain Users

Namespace: LDAP:

Server: 192.168.201.101 192.168.201.102

Require Credentials: <check this box>

Username: CN=Administrator,CN=Users,DC=SSO,DC=LAB

Password: <Administrator password>

Root: DC=SSO,DC=LAB

Start: (samaccountname=

End: )

 

Then click "Submit"

 

However, this AD connection is not using SSL, and we need to configure SSL communication to this AD.

AD does not allow changing a user's password unless the connection is encrypted (LDAPS on port 636 here).

 

When you promote a server to become a domain controller, AD is installed on that server.

And if you have a Microsoft Certificate Authority (AD CS enterprise CA) configured, it will automatically issue a certificate for that domain controller by default (there is an auto-enroll policy).

That means your AD already listens on LDAPS. If you run "netstat -an|findstr LISTEN|findstr 636" you will find "0.0.0.0:636".

 

All you need to do now is import that Root CA certificate into a cert8.db file and let the Policy Server reference it, so that it can verify the domain controller's certificate.

 

Download ROOT CA Certificate from http://www.sso.lab/certsrv

Click on "Download a CA certificate, certificate chain, or CRL"

Click on "Download CA certificate".

It will be downloaded to your "Downloads" folder as "certnew.cer". Rename it to "ROOTCA.cer".

The CA certificate is a SHA-2 certificate.

This was already performed in the previous article.

Creating an ALL-IN-ONE VM Image - Part 6

 

Creating cert8.db

Create "C:\Program Files (x86)\ca\siteminder\certs" folder.

Rename certnew.cer to ROOTCA.cer (if not done already) and copy it to "C:\Program Files (x86)\ca\siteminder\certs".

 

Open a command-line and change directory to "C:\Program Files (x86)\ca\siteminder\certs"

Run the following command to create cert8.db file.

 

certutil -A -n "ALLINONE Root CA" -t "C,," -i ROOTCA.cer -d .

 

This is the NSS certutil installed with the Policy Server (look in "C:\Program Files (x86)\CA\siteminder\bin"), not the Windows certutil.exe in System32, which has a completely different syntax; if the command complains about the -A option, run it with its full path.

This command will create the cert8.db, key3.db and secmod.db files if they do not exist, and add the certificate as a trusted Root CA certificate (the "C" trust flag means trusted CA for SSL/TLS server certificates).

If you already have cert8.db, key3.db and secmod.db, then it will only add the certificate.

 

Now, load smconsole and enter the configuration at the "Data" tab.

Point the certificate database setting at the "cert8.db" file you just created and click "Apply".

 

Once this step is completed, then you can configure the "SSO LAB Domain Users" user directory to connect using secure channel.

 

From AdminUI, modify the "SSO LAB Domain Users" user directory (click on the "Modify" button).

Check "Secure Connection".

If you entered "Server" as IP and port, then you also need to change the port to 636.

In the above case, I only used the IP because I was using the default ports (389 for non-secure and 636 for secure), so checking "Secure Connection" is enough to make the Policy Server connect to 636.

 

Then at "User Attributes", enter "unicodePwd" at "Password (RW)" and Submit.

With this change, users or the Administrator can reset passwords via SiteMinder.

!! This does not mean you can authenticate a user using the attribute you define here. It does not replace the password attribute with whatever you specify. What it does is tell the Policy Server which attribute to update when there is a password change request, because (as you can see above) the password attribute can have a different name in different directories. AD only accepts a unicodePwd change over an encrypted connection, which is why the Secure Connection step comes first.

 

Next is creating Authentication Scheme.

But there is a default "Basic" authentication scheme out of the box, and we will use it for now.

We did create "AUTHSCHEME-SPSADMINUI" before for protecting SPS "/proxyui".

In the up coming articles, we will go into Authentication Schemes more.

 

In the next article, we will be setting up both Domain and Application and see what are the differences.

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 1"

2011 Q1 Kantara Initiative SAML 2.0 Full-Matrix Interoperability Testing - Approval Programs - Kantara Initiative

 

This site shows which products were tested and certified for which features.

 

CA has participated with "CA Federation Manager" and passed certification for "IDP Lite", "SP Lite" and "eGov 1.5".

Full report can be downloaded from here.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-ti…

Snippet from above link.

Enforcement details

 

Certificate Type | Windows Behavior | Microsoft Policy

TLS certificates | Certificates signed with SHA-1 will be Blocked after 1/1/2017 | CAs must move all new certs to SHA-2 after 1/1/2016

Code signing certificates | On Win 7 and above, blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files. | CAs should issue new code signing certs with SHA-1 after 1/1/2016 only for developers targeting Vista/2008, otherwise, move all new certs to SHA2

S/MIME certificates | No OS specific policies. Application policies. | CAs are recommended to move to SHA-2

Time-stamping certificates | No changes until SHA-1 preimage is possible | CAs must issue new TS certs with SHA-1 after 1/1/2016 only for developers targeting Vista/2008, otherwise, move all new certs to SHA2

OCSP signing and CRL signing certificates | No changes until SHA-1 preimage is possible | No changes until SHA-1 preimage is possible

OCSP signatures | On Windows 10 and above for certificates with the Must Staple extension, SHA-1 signatures will not be accepted after 1/1/2016. On Windows 10 and above, SHA-1 signatures will not be accepted for any TLS certificate after 1/1/2017 | CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 TLS certificates. CAs should prepare to move to SHA-2 for all TLS certificates by 1/1/2017

CRL signatures | No changes until SHA-1 preimage is possible | No changes until SHA-1 preimage is possible

Code signing signatures | No changes until SHA-1 preimage is possible | No changes until SHA-1 preimage is possible

Time-stamp signatures | On Win 10 and above, blocked on 1/1/2017 for Mark of the Web files. | CAs should move to using SHA-2 starting 1/1/2016

 

Schedule

 

Periods: Now -> 12/31/2015 | 1/1/2016 -> | 1/1/2017 ->   (each period has a "CAs" column and a "Windows" column)

TLS Certificates
  Now -> 12/31/2015 | CAs: CAs can issue SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: CAs must issue SHA-2 only | Windows: No change
  1/1/2017 ->       | CAs: No change | Windows: Windows trusts SHA-2 only

Code Signing Certificates
  Now -> 12/31/2015 | CAs: CAs can issue SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: CAs SHOULD issue SHA-2 only, unless developer is targeting Vista and Server 2008 (for them, CAs MAY issue SHA-1) | Windows: Windows trusts SHA1 (if timestamped prior to 1/1/2016) and SHA-2 (any timestamp) for Mark of the Web files. (Note: no kernel mode enforcement)
  1/1/2017 ->       | CAs: No change | Windows: No change

Timestamp Certificates
  Now -> 12/31/2015 | CAs: CAs can issue SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: CAs SHOULD issue SHA-2 only, unless developer is targeting Vista and Server 2008 (for them, CAs MAY issue SHA-1) | Windows: No change
  1/1/2017 ->       | CAs: No change | Windows: No change

S/MIME Certificates
  Now -> 12/31/2015 | CAs: CAs can issue SHA-1 and SHA-2, although Microsoft recommends SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: No change | Windows: No change
  1/1/2017 ->       | CAs: No change | Windows: No change

OCSP and CRL Signing Certificates
  Now -> 12/31/2015 | CAs: CAs can issue SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: No change | Windows: No change
  1/1/2017 ->       | CAs: No change | Windows: No change

OCSP Signatures
  Now -> 12/31/2015 | CAs: CAs can sign OCSP responses with SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: CAs SHOULD sign OCSP responses with SHA-2 only | Windows: Windows no longer trusts OCSP signatures made with SHA-1 for certificates with the Must Staple extension
  1/1/2017 ->       | CAs: No change | Windows: Windows no longer trusts OCSP signatures made with SHA-1 for any TLS certificate

CRL Signatures
  Now -> 12/31/2015 | CAs: CAs can sign CRLs with SHA-1 and SHA-2 | Windows: SHA-1 and SHA-2 are supported
  1/1/2016 ->       | CAs: No change | Windows: No change
  1/1/2017 ->       | CAs: No change | Windows: No change

 

 

 

Also, another source.

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

 

 

And there is this article explaining how to upgrade your corporate Microsoft Certificate Authority from SHA1 to SHA2.

How to Prepare Your Microsoft PKI Infrastructure for the Deprecation of the SHA1 Hash Algorithm | The Gotham Blog

 

Time flies, I am already celebrating 11 years at CA.

This is something I like to do once in a while. It takes a long time to set up everything but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

Following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.

 

17. CABI 3.3

 

This is a continuation from

Creating an ALL-IN-ONE VM Image - Part 10-1

 

This is where SiteMinder (CA Single Sign-On) integrates to Report Server(CABI).

 

But before you do anything, you need to set up an Audit DB for SiteMinder.

Load "Microsoft SQL Server Management Studio" and log on as the "sa" user.

If you cannot log on, double check that the SQL Server service is started and running.

Right click on the "Databases" branch and select "New Database..."

Enter the desired DB name ("smauditdb" here) and click "OK".

Right click on the new "smauditdb" database and select "New Query".

Paste the content of the "C:\Program Files (x86)\CA\siteminder\db\SQL\sm_mssql_logs.sql" file into the query window.

Then click on the "Execute" button at the top.

You should now find the "dbo.smaccesslog4" and "dbo.smobjlog4" tables on the left hand side.

 

Now the DB is ready but you still need to configure Policy Server side for the connection. (This must be configured at the Policy Server machine)

 

Open a command-line and run the following command.

C:\Windows\SysWOW64\odbcad32.exe (Advisable to create a taskbar shortcut as you will run this again later)

This is the 32-bit ODBC Data Source Administrator; the Policy Server is a 32-bit process, so its DSNs must be created here.

At the "System DSN" tab you should find many entries.

If you do not find any, you are running the 64-bit odbcad32.exe (from System32). Make sure you run the correct executable.

 

Click "Add..." button to create a new DSN.

Select "SiteMinder SQL Server Wire Protocol".

 

Enter the following:

 

Data Source Name: SiteMinder Logs Data Source

     (The reason why I use this name is because it is the default one from SiteMinder)

Host Name: TESTMC1

Port Number: 1433

Database: smauditdb

 

 

Then click on the "Test Connect" button at the bottom, enter the "sa" user and password and click "OK" to test the connectivity.

You must get the "Connection established!" message; otherwise check the configuration again.

The "sa" login is fine for this lab, but anywhere else create a dedicated SQL login that has rights only on smauditdb and use that for the Policy Server and Report Server connections.

 

Load "smconsole" and navigate to "Data" tab and select "Audit Logs" and Storage as "ODBC".

Then enter the required information as below and click "Apply".

Click on "Test Connection" and you must get "Success" message as below or check the configuration again.

 

 

Now load the odbcad32.exe again and goto "System DSN" again. (This must be run from the Report Server machine)

Click "Add..." button to create a new DSN.

What you created before was the ODBC connection from the Policy Server to the AuditDB.

 

What you are creating now is the ODBC connection from the Report Server to the AuditDB.

Select "SQL Server" driver for this connection.

Click on "Test Data Source..."

You must get SUCCESS message or check the configuration again.

 

 

Now we can start the integration.

 

I have downloaded smrs-12.52-sp01-cr02-win32.zip. <== This must be done at the Report Server machine.

Extract it and execute "ca-rs-config-12.52-sp01-cr02-win32.exe".

Just for clarification, this executable must run on the Report Server machine.

It installs the files required to register the trusted host and also a "biar" file which contains the sample report templates.

 

 

Enter the same Administrator password that you set during Report Server installation.

There will be a quick screen testing CMS connection.

At this point, if you have a supported Report Server instance then it will not throw any error message.

But if you have version 4 CABI, then the installer may throw an error message at this point and will not be able to continue.

 

You can shutdown the VM and take a snapshot here.

 

If you logon to Report Server CMC and goto "Folders", you should find the "SiteMinder" folder as below.

 

Now, logon to SiteMinder AdminUI.

Navigate to "AdminUI ==> Administration ==> Admin UI ==> Audit Report Connections"

This is the information that AdminUI will be sending to the Report Server, telling it to use this DSN for the audit records.

Report Server does not keep the auditstore information although it will have DSN configured at the OS level.

AdminUI sending this DSN information allows the Report Server to connect and fetch audit records.

That being said, the DSN name that you define here MUST MATCH the DSN that was created at the Report Server.

Click on "Create Audit Report Connection".

 

Next is to create a "Report Server Connections".

Navigate to "AdminUI ==> Administration ==> Admin UI ==> Report Server Connections"

Click on "Create Report Server Connections"

Enter the information.

Note the port is 38080 as defined during the installation.

You must note the "Connection Name" value as well.

 

Open a command-line and run the following command. <== This must be run at the Policy Server machine.

xpsregclient reportserver:password -report

 

 

Navigate to "C:\Program Files (x86)\CA\SC\CommonReporting3\external\scripts" and run the following command. <== This must be run at the Report Server machine.

regreportserver.bat -pshost 192.168.201.101 -client reportserver -passphrase password

The client name and passphrase given to regreportserver.bat must be the same ones registered with xpsregclient above ("reportserver" and "password" in this lab), and -pshost must point at the Policy Server where xpsregclient was run.

 

 

Now that the report server is configured and integrated, you can generate and view reports.

 

1) If you navigate to "AdminUI ==> Reports ==> Audit", no report can be generated yet as there are no audit records.

2) If you navigate to "AdminUI ==> Reports ==> Store Operations", no reports can be generated either, as XPS audit records are written to text files and you need to import them manually before they can be viewed here.

3) If you navigate to "AdminUI ==> Reports ==> Analysis", you can run reports right now, although they will come back empty (because you have not protected any resources yet). Still, it is a good indication that reporting works.

 

Navigate to "AdminUI ==> Reports ==> Analysis ==> Resource Based ==> Applications"

Click on "Submit" to generate the report now.

Click "OK".

 

Navigate to "AdminUI ==> Reports ==> General ==> View SiteMinder Reports".

You will find the report that you just generated.

Select the report and click on "Select" to view it.

If you see this "Please wait while the document is being processed" message, it confirms it is working.

 

This concludes all the "Installation" part of ALL-IN-ONE.

There will be more installations after this but this basically covers the essential part of ALL-IN-ONE setup.

 

Next, I will be going through the configuration part that makes this ALL-IN-ONE image real value.

Stay tuned!!!


 

17. CABI 3.3

 

I have downloaded "DVD02155537E_CA Business Intelligence r3.3 for Windows DVD.iso"

 

"CA Business Intelligence Setup" is just a wrapper for the actual report server installer.

The options that you chose before this are what it runs after the actual report server installation is complete.

You have an option here whether to "Install SQL Anywhere Database Server" or "Use an existing database server".

If you choose "Use an existing database server", it limits what database server your SiteMinder Audit DB can be, and vice versa.

If you choose an existing SQL Server, then your SiteMinder AuditDB must be SQL Server.

If you choose an existing Oracle DB, then your SiteMinder AuditDB must be Oracle DB as well.

If you choose "Install SQL Anywhere Database Server", then the SiteMinder AuditDB can be either SQL Server or Oracle.

Don't touch the CMS port, leave it as 6400. This port must be opened in your firewall.

The Administrator password only supports alphanumeric characters, so you cannot use special characters.

 

Leave the Port as is. This port must be opened from your firewall.

Leave the settings as is, only enter the desired password for the administrator accounts.

Here again you have an option whether to install an application server(tomcat) for report server or use existing one.

I will let it install a tomcat instance.

 

It also gives you the option to configure an IIS server.

What it does is configure a proxy on IIS to forward requests to its Tomcat, but we already have the proxy module for NewAtlanta ServletExec, so we don't want to make it more complicated by installing another proxy module.

So, I have unchecked the "IIS Web Application Server" option.

The default ports it suggests are 8080, 8005 and 8443, but I will use different ports.

Run netstat to check which ports are already occupied and use the next available one.

I am going to use 38080, 38005 and 38443. <== 38080 and 38443 ports need to be opened from firewall.

Installation is complete! That was easy!

 

Once you click "Finish" the handle goes back to the previous installer and will continue to perform some additional tasks.

Don't restart yet.

Try to logon to the CMC as Administrator with the password you entered during installation.

This is sufficient to confirm the Report Server is working.

 

At the dropdown menu showing "CMC Home", select "Servers".

Locate "<ServerName>.InputFileRepository" service and check its service port.

You can see the PID is "7872"

 

Download "Process Explorer", install and run it.

Right click on the PID "7872", select "Properties" and then select the "TCP/IP" tab.

You can see that this service is listening on TCP Port "54736".

You should set this to a static port in the service configuration and have this port open in the firewall.

If you do not open this port, you will get errors while trying to access the generated reports.

 

 

You must do the same for the "<Server Name>.OutputFileRepository" service as well.

 

You can see the PID is "6688"

Right click on the PID and select Properties and select "TCP/IP".

 

It is listening on Port "54726".

You should set this to a static port in the service configuration and have this port open in the firewall.

If you do not open this port, you will get errors while trying to access the generated reports.

 

So, now we have a list of ports to open at the Report Server side.

6400, 6410, 38080, 38443, 54736 and 54726

 

Load "Windows Firewall with Advanced Security" and select "Inbound Rules" and click "New Rule"

Select "Port" and click "Next"

 

 

Next will be integrating SiteMinder and Report server.

 

This concludes Part 10-1 of ALL IN ONE Image.


 

16. CA Single Sign-On Secure Proxy Server

 

I have downloaded the following file.

 

     ca-proxy-12.52-sp01-cr02-win32.zip

 

Extract the zip file and execute the "ca-proxy-12.52-sp01-cr02-win32.exe" file.

 

Select the 32bit JDK.

 

 

This is actually the end of the installation. Easy!

Shut down and take a VM snapshot, because things can get a bit tricky after this.

 

Before configuring the SPS Agent, we need to do some clean up.

Windows "System" ==> Advanced system settings ==> Advanced ==> Environment Variables

Copy the "Path" variable's value into Notepad.

 

Current System Environment Variables

1st section : Web Agent Environment Variables (with duplicates)

2nd section : Policy Server

3rd section : The rest

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files\CA\webagent\win32\bin;

C:\Program Files\CA\webagent\win64\bin;

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files (x86)\Java\jdk1.7.0_80\jre\bin;

C:\Program Files (x86)\CA\siteminder\bin;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty;

C:\Program Files (x86)\CA\siteminder\lib;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty\axis2c\lib;

%SystemRoot%\system32;

%SystemRoot%;

%SystemRoot%\System32\Wbem;

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;

C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\ManagementStudio\;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files\CA\Directory\dxserver\bin

 

Clean up the above to the following.

 

New System Environment Variables after clean up and re-ordering

1st section : Policy Server Environment Variables

2nd section : Web Agent Environment Variables

3rd section : The rest

C:\Program Files (x86)\Java\jdk1.7.0_80\jre\bin;

C:\Program Files (x86)\CA\siteminder\bin;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty;

C:\Program Files (x86)\CA\siteminder\lib;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty\axis2c\lib;

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files\CA\webagent\win32\bin;

%SystemRoot%\system32;

%SystemRoot%;

%SystemRoot%\System32\Wbem;

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;

C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\ManagementStudio\;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files\CA\Directory\dxserver\bin

 

Reboot the machine and verify all the services are up and running fine.

Taking a look at the Windows system/application event logs and the service log files would be a good way to confirm.
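The same PATH cleanup done as a script, added here as an example that is not from the original post: it reads the unexpanded value from the registry so %NETE_WA_PATH% and %SystemRoot% stay literal, drops duplicate entries, and orders Policy Server entries before Web Agent entries, leaving the rest in place. It assumes the install folders used in this image and an elevated prompt; it only de-duplicates and reorders, so anything you want gone (the list above also drops webagent\win64\bin) still has to be removed by hand.

```powershell
# Added example (not from the original post): rebuild the machine PATH that the post
# cleans up by hand. Dry run unless -Apply is given; run from an elevated prompt.
# The *-like patterns assume the folders used in this image.
param([switch]$Apply)

function Get-CleanPath {
    param([string]$RawPath)

    # Split on ';', trim, drop empties and keep only the first copy of each entry
    # (-notcontains compares case-insensitively).
    $entries = @()
    foreach ($e in ($RawPath -split ';')) {
        $t = $e.Trim()
        if ($t -and ($entries -notcontains $t)) { $entries += $t }
    }

    # Group by product. Entries keep their original relative order within each group.
    $policyServer = @($entries | Where-Object {
        $_ -like '*\CA\siteminder\*' -or $_ -like '*\Java\jdk1.7.0_80\jre\bin' })
    $webAgent     = @($entries | Where-Object {
        $_ -like '*\CA\webagent\*' -or $_ -eq '%NETE_WA_PATH%' })
    $rest         = @($entries | Where-Object {
        ($policyServer -notcontains $_) -and ($webAgent -notcontains $_) })

    return ($policyServer + $webAgent + $rest) -join ';'
}

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
# DoNotExpandEnvironmentNames returns the REG_EXPAND_SZ value exactly as stored.
$raw   = (Get-Item $regKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
$clean = Get-CleanPath -RawPath $raw

'--- Current ---'; $raw   -split ';'
'--- Cleaned ---'; $clean -split ';'

if ($Apply) {
    # Save the old value first, then write back as REG_EXPAND_SZ so the %...%
    # references still expand at logon and service start.
    $backup = Join-Path $env:TEMP 'MachinePath.backup.txt'
    Set-Content -Path $backup -Value $raw
    Set-ItemProperty -Path $regKey -Name 'Path' -Value $clean -Type ExpandString
    "Machine PATH written (previous value saved to $backup). Reboot so services pick it up."
} else {
    'Dry run only; re-run with -Apply to write the cleaned PATH.'
}
```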

 

 

Next is to configure the SPS Agent.

But before we go there, we need to create necessary Agent Identity, ACO and HCO.

I will not use the existing HCO because I want all the *.partner.lab traffic to go to the 192.168.201.104 Policy Server only.

 

Steps to create SPS Agent Identity and ACO are the same as the previous steps demonstrated for IIS.

 

Create "agent.sps" as Agent Identity.

Description is "www.partner.lab".

 

 

When creating the ACO, create a copy of "ApacheDefaultSettings".

 

Name is "aco.www.partner.lab".

Description is "www.partner.lab".

 

The following ACO parameters need to be modified.

 

#DefaultAgentName

to (Name = Value)

DefaultAgentName = agent.sps

 

 

#LogoffUri

to (Name = Value)

LogoffUri = /logout/

 

CookieDomain

to (Name = Value)

CookieDomain = .partner.lab

 

LogFileName

to (Name = Value)

LogFileName = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs\sps_wa.log

 

TraceConfigFile

to (Name = Value)

TraceConfigFile = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf

 

 

 

 

TraceFile = no

to (Name = Value)

TraceFile = yes

 

TraceFileName

to (Name = Value)

TraceFileName = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs\sps_watrace.log

 

 

 

 

 

And click "Submit".

 

 

 

Create HCO for SPS.

Create a copy of "DefaultHostConfiguration" and name it "HCO.SPS".

Enter the IP "192.168.201.104" and click "Submit"

 

Run "Secure Proxy Configuration Wizard".

 

Since our Policy Server is 12.52SP1CR2, select "12.5x.x".

This is to tell SPS which affwebservices.war to deploy, to match the policy server version.

 

To make it look like this SPS is running on a separate machine, I will be registering a Trusted Host for SPS.

So, SPS will use its own exclusive TrustedHostname and shared secret to communicate with the Policy Server.

 

Again, this Administrator is a legacy SiteMinder Administrator.

 

I am using only 192.168.201.104 as this IP was reserved for www.partner.lab so it will be easier to identify the communication based on the IP.

 

 

The Policy Server is running in "FIPS Compatibility Mode", so this has to be matched.

 

SmHost.conf file will be stored at "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent" folder.

The moment you click "Next" here, it will register a trusted host for SPS (Tomcat) as well as for the Arcot component (Session Assurance).

So, if you click "Back" and "Next" after this, you will get a message saying "A trusted host with the same name already exists".

However, it does not generate the SmHost.conf file just yet. It will, however, leave an "SmHost.conf_YYY-MM-DD_HHMMSS.bk" file which would have the same content.

If you do get the following message, you should delete the following before going any further.

     1. Delete TrustedHostObject(trust.sps)

     2. Delete TrustedHostObject(trust.sps_sa01)

     3. Delete WebAgent.conf (You would notice "HostConfigFile" value is empty)

     4. Delete AgentIdentity.dat

 

 

 

 

WebAgent.conf file will be stored at "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent" folder as well.

 

This is for protecting "http://<SPS>/proxyui" to administer the SPS.

You can create a dedicated agent identity for that purpose but I am just going to use "agent.sps".

However, I was not able to avoid the following error.

We will continue for now. Click on "Continue". (I will provide the steps to configure manually. The ProxyUI app is actually deployed successfully but is not protected.)

Enter the Server Name as "www.partner.lab"

HTTP Port as "80"

SSL Port as "443"

This will actually listen on ALL IP addresses.

So, it will need to be modified manually to listen on the specific IP (192.168.201.104). <== We will get to this after the installation.

 

 

Change the HTTP Port from "8080" to "28080"

Change the SSL Port from "543" to "2543"

 

 

Change Shutdown Port from "8005" to "28005"

Change AJP Port from "8009" to "28009"

 

Select "Enable WebAgent" and "Enable Federation Gateway".

 

 

Enter the RiskMinder Master Key (which you entered while configuring the Policy Server).

This key does not support special characters.

It only supports alphanumeric characters, and you must enter the value matching the one you entered at the Policy Server side.

 

 

 

Navigate to "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs" and you will find all the logs there.

 

affwebserv.log

chsLogin.log

nohup.out20151119_160758.log

proxyui.log

server.log

sps_wa.log

sps_watrace.log

 

What you are missing here is the FWSTrace.log.

So, update the "C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties" file.

 

     // TracingOn can be Y, N

     TracingOn=N

 

to

 

     // TracingOn can be Y, N

     TracingOn=Y

 

 

Now, to make SPS listen on a specific IP address and not 0.0.0.0, you need to modify httpd.conf.

Navigate to "C:\Program Files (x86)\CA\secure-proxy\httpd\conf" and edit httpd.conf file as below.

 

Restart "SiteMinder Proxy Engine" and "SiteMinder Secure Proxy" services and verify FWSTrace.log is created and SPS is listening on 192.168.201.104:80.

Below is a screenshot of "Before" and "After" the port configuration.

You can see from the first netstat that there is a service listening on "0.0.0.0:80" and in the latter netstat you don't see it.

Instead, you will see "192.168.201.104:80"

IF YOU RUN SPS CONFIGURATION WIZARD AGAIN OR CONFIGURE SSL, YOU MUST VERIFY THIS PORT SETTING AGAIN!!!
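The verification above as a repeatable PowerShell check, added as an example that is not from the original post, meant to be re-run whenever the SPS wizard or SSL configuration is repeated: it parses netstat -ano for port 80 listeners, flags a wildcard 0.0.0.0 binding, confirms the expected IP is bound, and confirms FWSTrace.log exists. The IP, port and log path default to the values used in this image; the $before lines are a constructed sample, not real output from this machine.

```powershell
# Added example (not from the original post): check that SPS listens only on the
# intended IP and that FWSTrace.log exists. Defaults are this image's values.
function Get-PortListeners {
    param([int]$Port, [string[]]$NetstatLines = (netstat -ano))

    # LISTENING rows of `netstat -ano` look like:
    #   TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    1612
    $found = @()
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and [int]$matches[2] -eq $Port) {
            $found += New-Object PSObject -Property @{
                Address = $matches[1]; Port = [int]$matches[2]; Pid = [int]$matches[3]
            }
        }
    }
    return ,$found
}

function Test-SpsBinding {
    param(
        [string]$ExpectedIp = '192.168.201.104',
        [int]$Port = 80,
        [string]$TraceLog = 'C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs\FWSTrace.log',
        [string[]]$NetstatLines = (netstat -ano)
    )
    $listeners = Get-PortListeners -Port $Port -NetstatLines $NetstatLines
    $wildcard  = @($listeners | Where-Object { $_.Address -eq '0.0.0.0' })
    $expected  = @($listeners | Where-Object { $_.Address -eq $ExpectedIp })

    $ok = $true
    if ($wildcard.Count -gt 0) {
        # A wildcard bind means the proxy is reachable on every interface, not just the one reserved for it.
        Write-Warning "Port $Port is still bound to 0.0.0.0 (PID $($wildcard[0].Pid)); re-check httpd.conf."
        $ok = $false
    }
    if ($expected.Count -eq 0) {
        Write-Warning "Nothing is listening on ${ExpectedIp}:${Port}."
        $ok = $false
    }
    if (-not (Test-Path -LiteralPath $TraceLog)) {
        Write-Warning "$TraceLog is missing; check TracingOn=Y in LoggerConfig.properties and restart the proxy engine."
        $ok = $false
    }
    return $ok
}

# Constructed sample of the 'Before' state: port 80 still on the wildcard address.
$before = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1612',
    '  TCP    192.168.201.104:28080  0.0.0.0:0              LISTENING       2044'
)
Test-SpsBinding -NetstatLines $before   # warns and returns False

# Live check on this machine after the httpd.conf change and service restart:
Test-SpsBinding
```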

 

Now, if you access http://www.partner.lab and get to see the CA website content, then your SPS is working correctly.

 

Now, we don't want to see ca.com site contents in our ALL-IN-ONE image.

SPS needs to have a backend server to host the content so I am going to create another IIS site instance and configure SPS to forward the request to that site instead.

This will allow us to have an isolated environment.

 

Firstly, go to "C:\inetpub\" folder and create "www.partner.lab" folder.

Place some documents in that folder to be hosted by the new web instance.

(In my case, I have asp pages that dump headers so I will be using that. To make it look different from the www.sso.lab site contents, I will use different colour theme)

 

Load the "Internet Information Services (IIS) Manager".

At "Sites" level, there is "Add Web Site" option at the right pane under Actions.

 

 

SiteName: www.partner.lab

Physical Path: C:\inetpub\www.partner.lab

Binding Type: http

Binding IP address: 192.168.201.101

Binding Port: 81

Binding Host Name: <null>

 

Click OK and your web instance is ready.

(Don't forget to check the "Default Document" if you have a specific page that needs to be served)

 

 

Test the site by accessing "http://192.168.201.101:81"

Next is to configure SPS to forward the request to this site instead of "http://www.ca.com"

 

Modify the "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\proxyrule.xml"

 

Before edit

     <nete:proxyrules xmlns:nete="http://www.ca.com/">

          <nete:forward>http://www.ca.com$0</nete:forward>

     </nete:proxyrules>

 

After edit

     <nete:proxyrules xmlns:nete="http://www.ca.com/">

          <nete:forward>http://192.168.201.101:81$0</nete:forward>

     </nete:proxyrules>

 

Restart "SiteMinder Proxy Engine" services and access "http://www.partner.lab" and see if the content has changed.

(Note the "Welcome to 192.168.201.101:81" at the title bar as well as the "HTTP_HOST:192.168.201.101:81" in the "ALL_HTTP" section.)

 

It looks good.

Don't worry about the HTTP_HOST header being "192.168.201.101:81", because it won't be disclosed unless you intentionally reveal it, as I am doing here.

You can also choose to forward the HTTP_HOST header value to the backend.

Modify the "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\server.conf" file.

 

Before edit

<VirtualHostDefaults>

# default session scheme

defaultsessionscheme="default"

enablerewritecookiepath="no"

enablerewritecookiedomain="no"

enableproxypreservehost="no"

filteroverridepreservehost="no"

 

After edit

<VirtualHostDefaults>

# default session scheme

defaultsessionscheme="default"

enablerewritecookiepath="no"

enablerewritecookiedomain="no"

enableproxypreservehost="Yes"

filteroverridepreservehost="no"

 

Restart "SiteMinder Proxy Engine" service and access "http://www.partner.lab" and see if the HTTP_HOST value now reflects the correct name.

 

Now, going back to the SPS ProxyUI.

As mentioned before, the proxyui app is deployed successfully.

Test by accessing "http://www.partner.lab:28080/proxyui"

 

As the application reports, it is not protected but the application is running fine.

So, following steps need to be performed to configure the protection.

(If you are not familiar with creating objects right now, you can skip this step and come back when you are, because we will not be using it much at this point. It's okay to do this later.)

 

Create the following: (The names do not exactly have to match but what I am listing below is what the configuration wizard would have created)

 

User Directories = SSOLAB DOMAIN USERS

Logon to AdminUI, navigate to "AdminUI ==> Infrastructure ==> Directory ==> User Directories" and click on "Create User Directory"

Enter the following information.

Name : SSO LAB Domain Users

Namespace: LDAP:

Server: 192.168.201.101 192.168.201.102

Require Credentials: <check this box>

Username: CN=Administrator,CN=Users,DC=SSO,DC=LAB

Password: <Administrator password>

Root: DC=SSO,DC=LAB

Start: (samaccountname=

End: )

 

Then click "Submit"

 

 

Authentication Scheme = AUTHSCHEME-SPSADMINUI

Navigate to "AdminUI ==> Authentication ==> Authentication Schemes" and click on "Create Authentication Scheme"

Select "Create a new object of type Authentication Scheme" and click "OK"

Enter the following information.

Name: AUTHSCHEME-SPSADMINUI

Authentication Scheme Type: HTML Form Template

Protection Level: 5

Password Policies enabled for this Authentication Scheme: <leave it as is, default is checked>

Use Relative Target: <check this box, default is not checked>

Target: /proxyui/siteminderagent/forms/login.fcc

 

Then click "Submit"

 

 

DOMAIN = DOMAIN-SPSADMINUI-agent.sps

Navigate to "AdminUI ==> Policies ==> Domain" and click "Create Domain"

At the "General" tab, enter the following.

Name: DOMAIN-SPSADMINUI-agent.sps

User Directories: <Click "Add/Remove" and select "SSO LAB Domain Users" and click Right Arrow Button(only One Arrow) to move it to "Selected Members" and click "OK">

 

At the "Realms" tab, click on "Create Realm" and enter the following.

Name: REALM-SPSADMINUI-agent.sps

Agent: <Click "Lookup Agent/Agent Group" and select "agent.sps" and click "OK">

Resource Filter: /proxyui

Default Resource Protection: Protected

Authentication Scheme: <Select "AUTHSCHEME-SPSADMINUI" from dropdown menu>

Rules: <Click "Create" and follow instruction below>

Name: RULE-SPSADMINUI-agent.sps

Description: Rule for protecting Proxy UI

Resource: * (leave it as is, default is *)

Allow/Deny: Allow Access (leave it as is, default is Allow Access)

Action: Web Agent actions (leave it as is, default is Web Agent actions)

Action: <select "Get" and "Post", need to press CTRL button to make multiple selection>

Then click "OK"

Back at the "Realm" setting, select "Create" at "Sub-Realms"

Name: REALM-GRPSYNC-SPSADMINUI-agent.sps

Resource Filter: /GroupSyncServlet

Default Resource Protection: Unprotected

Then click "OK"

Back at the "Realm" setting, select "OK" to return to the Domain menu.

 

At the "Policy" tab, click "Create".

At the "General" tab enter the following.

Name: POLICY-SPSADMINUI-agent.sps

 

At the "Users" tab enter the following.

You will find "SSO LAB Domain Users" user directory appears.

Click on the "Add All" button. This basically allows any user to administer the SPS.

We can change this later but will leave it as simple as possible.

 

At the "Rules" tab enter the following.

Click on "Add Rule"

Select "REALM-SPSADMINUI-agent.sps" rule and click "OK".

Back at Policy menu, click "OK".

Back at the "Domain" menu, click "Submit"

 

SPS ProxyUI is now protected.

Open IE and access "http://www.partner.lab:28080/proxyui" and you will see a login page this time.

Try to logon as "smuser"

You can ignore the "Error: Exception User might not have required permissions to get group information" message.

 

Now, you have successfully configured the basic components of SiteMinder on this machine.

You need to create some resources to protect and add some features to take advantage of this environment but that will come after setting up the report server.

 

The SQL Server installed on this environment is mainly because of the report server.

SiteMinder only supports ODBC as the audit store, and without that it cannot generate reports.

If you are not going to use reports, then I would not recommend installing SQL Server in this ALL-IN-ONE image as it degrades the overall performance.

One piece of good news is that CA Directory is supported as a session store, so SQL Server is not really needed if you don't use the report server.

 

 

This concludes Part 9 of ALL IN ONE Image.


 


15. CA Single Sign-On Web Agent/Option Pack

 

I have downloaded the following files.

 

smwa-12.52-sp01-cr03-win64-64.zip

smwaop-12.52-sp01-cr02-win64-64.zip

 

Extract both files and install the WebAgent first.

 

I will not be rebooting this machine just yet.

I will install WAOP now.

 

Choose the 64bit JDK.

 

Now, we can reboot this machine.

 

Next is to create the agent, ACO, HCO, etc. to configure this as a functional Web Agent protecting resources.

 

a. Create Agent Identity

Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agents

Click on "Create Agent"

Select "Create a new object of type Agent" and click "OK"

Enter desired agent name and optionally its description.

In my case, I am used to using this format in the names.

<object type>.<name>

For example:

agent.iis

agent.apache2

or, use the FQHN as the name.

agent.www.sso.lab

agent.www.partner.lab

 

and this also applies to other objects, for example:

aco.www.sso.lab

hco.www.sso.lab

hco.testmc1

rule.getpost

rule.onauthaccept

policy.testmc1

 

This is especially helpful when looking at the logs: you can immediately tell which site's agent it is and which resource it could be.

Back to creation of agent, click "Submit" button.

 

b. Create Agent Configuration Object

 

Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agent Configuration Objects

At the right pane, click "Create Agent Configuration"

 

Select "Create a copy of an object of type Agent Configuration"

Select "IISDefaultSettings"

Then click "OK"

 

 

Enter Name as "aco.www.sso.lab" and enter description "www.sso.lab".

Scroll down to find "#DefaultAgentName" and click on the edit button which looks like a pen.

Note that there are 175 configuration objects and more are available at next pages.

 

 

Next, find "#LogoffUri" and edit it as below.

 

 

Next, find "CookieDomain" and edit as below.

 

Next, find "Logfile" and set the value to "Yes"

Next, find "LogFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_wa.log"

Next, find "TraceConfigFile" and set the value to "C:\Program Files\CA\webagent\win64\config\WebAgentTrace.conf"

Next, find "TraceFile" and set the value to "Yes"

Next, find "TraceFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_watrace.log"

All set, now click on "Submit"

 

 

c. Create Host Configuration Object

Navigate to "AdminUI ==> Infrastructure ==> Hosts ==> Host Configuration Objects"

Click on "Create Host Configuration" button at the right pane.

 

Select "Create a copy of an object of type Host Configuration" and then "DefaultHostSettings".

Then click "OK"

 

Enter the name as "HCO", this is going to be my generic HostConfigObject for most of the Web Agents.

Then enter the Policy Server IP (or hostname). I added 2 IPs just to add some fun to it.

Later, you can try adding a new IP and make it as primary. Then disable that NIC while Policy Server is running to see the agent failover.

 

Back to HCO configuration, click "Submit"

 

 

Now, you have created all the minimum requirements(AgentIdentity, ACO, HCO) to configure a Web Agent.

 

d. Agent Configuration

 

Run "Web Agent Configuration Wizard"

 

Select "Yes, I would like to do Host Registration now."

 

Here is where many people get confused.

The "Admin Registration" expects a SiteMinder Legacy Administrator who has the privilege to register "Trusted Hosts".

If you remember, when you were installing SiteMinder Policy Server, you were also asked to enter a password for the SiteMinder Super User.

You need to enter that user if you have not created any Legacy Administrator who has privilege to register trusted host.

(So, you cannot use the "smuser" Administrator user from the AD that you log in to AdminUI with. I will add a screenshot later to show what will happen if you use a user who does not have the privilege, a non-existent user, or a wrong password.)

 

Next you add the Policy Server IP Addresses.

Select "FIPS Compatibility Mode".

 

Following is a screenshot in case you entered the wrong SiteMinder Administrator information.

But if you have entered valid Administrator information you will not see this screen.

 

 

 

Following is the list of Web Servers this Agent Configuration Wizard has detected and can be configured.

If you recall, we did not install Apache 2.4.17; we merely copied the binary.

We had to manually create registry entries for it, and without them this Apache would not appear here.

We only have an ACO for IIS for now, so select "Microsoft IIS 7.5" and click "Next".

 

You need to select a site and we only have 1 so choose "Default Web Site". Click "Next".

Enter the ACO name and click "Next".

 

Check "YES" and click on "Next".

 

 

 

Restart the IIS Web Server and then use IE to access http://www.sso.lab to see if the Web Agent log files are getting generated.

 

 

 

You can see from above that there is "HTTP_SM_TRANSACTIONID"; this is proof that the Web Agent is enabled on this site.

 

Web Agent Log files are also generated.

If webagent is working fine, your wa.log should look like below listing all its configuration parameters.

 

e. Deploy WAOP Affwebservices.

 

In the general use case you may not need this, but my sample environment is going to do Federated SSO so this is being deployed.

Logon to NewAtlanta ServletExec AdminUI to deploy the affwebservices.war file.

 

Navigate to "AdminUI ==> Web Applications ==> manage" and click "Add Web Application" button.

 

 

Application Name: any desired name

URL Context Path: /affwebservices

Location: C:\Program Files\CA\webagent\win64\affwebservices

 

Then "Submit".

 

 

It is now deployed.

You need to configure some files before it can work.

 

Open Windows Explorer and navigate to "C:\Program Files\CA\webagent\win64\affwebservices\WEB-INF\classes" folder.

Edit the "AffWebServices.properties" file as below.

 

From:

     AgentConfigLocation=D:\\netscape\\server4\\https-webserv1\\config\\WebAgent.conf

 

To:

     AgentConfigLocation=C:\\Program Files\\CA\\webagent\\win64\\bin\\IIS\\WebAgent.conf

 

What I am doing here is sharing the WebAgent.conf which was created for IIS Web Agent.

WAOP does not recognize all the AgentConfigObject parameters, so it is okay to share it with the IIS one as long as the CookieDomain is the same.

 

And one more configuration change required for "LoggerConfig.properties" file.

 

From:

     TracingOn=N

 

To:

     TracingOn=Y

 

 

Other parameters should already have correct value.

Also, I would advise leaving "LogLocalTime=N" as is because assertions are based on GMT time.

With "LogLocalTime=N" this agent will log time in GMT so it is easier to match the FWSTrace.log with the fiddler trace.

 

Restart "ServletExec-testmc1" service (ServletExec).

It is a known issue that the ServletExec service on Windows has some problem shutting down.

If the services.msc is not able to shut it down, you can run the script to do the same.

 

"C:\Program Files\New Atlanta\ServletExecAS\se-testmc1\StopServletExec.bat"

 

Then you can simply start the service.

 

If everything is configured correctly, you should see the affwebserv.log as below.

 

 

 

This concludes Part 8 of ALL IN ONE Image.

This article is actually from Ujwol.

 

This use case is about installing an OHS instance in a non-default folder (outside the ORACLE_HOME), where the Web Agent Configuration Wizard fails to detect the existence of this instance.

 

Use case:

 

OS : Windows 2012

Web Server : OHS 11g(2.2) 64bit

Web Agent version : R12.52 sp1 cr002

 

--- [REPRODUCTION STEPS]----

1. Install and configure OHS 11g R1 on Windows 2012 Std.

2. Configure Oracle Home as : C:\Middleware\Oracle_WT1 (Note, the default is : C:\Middleware\Oracle_WT1)

3. Configure Oracle Instance as : C:\otherplace\instance1 (Note, the default is : C:\Middleware\Oracle_WT1\instances\instance1)

4. Install and configure web agent

5. Note , Web Agent Configuration Wizard won't be able to recognize this OHS instance.

 

 

Solution:

 

Not available at the moment.

Workaround is the solution for now.

 

 

Workaround:

 

The following steps need to be followed.

 

 

Step 1. Changes to httpd.conf file at <Instance Directory>\instance1\config\OHS\ohs1

 

A. Add LoadModule entry to the DSO Support Section

The following line(s) are added to the Dynamic Shared Object (DSO) Support configuration section, which precedes the Main server configuration section of the file.

LoadModule sm_module "<web_agent_home>/win64/bin/mod_sm22.dll"

 

     Note:

          The SiteMinder Agent requires one of the following modules in order to load:

     Apache 2.0

LoadModule sm_module web_agent_home/bin/libmod_sm20.so

     Apache 2.0 running on Windows

LoadModule sm_module web_agent_home/bin/mod_sm20.dll

     Apache 2.2 running on Windows

LoadModule sm_module web_agent_home/bin/mod_sm22.dll

 

B. Add SmInitFile Entry

This entry is placed after the LoadModule entry that you added in (A). A full path is used, not a relative path.

SmInitFile "<Instance Directory>/instance1/config/OHS/ohs1/WebAgent.conf"

 

C. Alias Entries Added

In the Aliases section of the file, the following entries are added to enable SiteMinder features.

 

     Note:

          The Alias /siteminderagent/ "<web_agent_home>/samples/" entry must come after all other aliases in the Aliases section.

          AliasMatch URI list must be in reverse alphabetical order.

          Also, the Alias URI list must be in reverse alphabetical order. (for example, /siteminderagent/pwcgi/ first and /siteminderagent/ last)

          <web_agent_home> needs to be replaced with your actual %NETE_WA_ROOT% value.

 

     AliasMatch /siteminderagent/nocert/[0-9]+/(.*) "<web_agent_home>/win64/$1"

     <Directory "<web_agent_home>/win64/$1">

     Options Indexes MultiViews

     AllowOverride None

     Order allow,deny

     Allow from all

     </Directory>

     Alias /siteminderagent/pwcgi/ "<web_agent_home>/win64/pw/"

     <Directory "<web_agent_home>/win64/pw/">

     Options Indexes MultiViews ExecCGI

     AllowOverride None

     Order allow,deny

     Allow from all

     </Directory>

     Alias /siteminderagent/pw/ "<web_agent_home>/win64/pw/"

     <Directory "<web_agent_home>/win64/pw/">

     Options Indexes MultiViews ExecCGI

     AllowOverride None

     Order allow,deny

     Allow from all

     </Directory>

     Alias /siteminderagent/ "<web_agent_home>/win64/samples/"

     <Directory "<web_agent_home>/win64/samples/">

     Options Indexes MultiViews

     AllowOverride None

     Order allow,deny

     Allow from all

     </Directory>
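A lint for the Aliases block above, added as an example that is not part of the original article: it parses the Alias and AliasMatch lines and reports any that break the two ordering rules in the note (each list in reverse alphabetical order, and Alias /siteminderagent/ last). The order matters because mod_alias uses the first prefix that matches, so a general alias listed ahead of a more specific one would shadow it; the sample block is the one above with <web_agent_home> kept as a placeholder.

```powershell
# Added example (not from the original article): verify SiteMinder alias ordering
# in an OHS/Apache httpd.conf before restarting the server.
function Test-SmAliasOrder {
    param([string[]]$ConfLines)

    # Collect the URI part of every AliasMatch and Alias directive, in file order.
    $aliasMatches = @()
    $aliases      = @()
    foreach ($line in $ConfLines) {
        if     ($line -match '^\s*AliasMatch\s+(\S+)') { $aliasMatches += $matches[1] }
        elseif ($line -match '^\s*Alias\s+(\S+)')      { $aliases      += $matches[1] }
    }

    $problems = @()
    # Reverse alphabetical: a URI must not sort before the one that follows it.
    for ($i = 0; $i -lt $aliasMatches.Count - 1; $i++) {
        if ([string]::CompareOrdinal($aliasMatches[$i], $aliasMatches[$i + 1]) -lt 0) {
            $problems += "AliasMatch '$($aliasMatches[$i])' should come after '$($aliasMatches[$i + 1])'"
        }
    }
    for ($i = 0; $i -lt $aliases.Count - 1; $i++) {
        if ([string]::CompareOrdinal($aliases[$i], $aliases[$i + 1]) -lt 0) {
            $problems += "Alias '$($aliases[$i])' should come after '$($aliases[$i + 1])'"
        }
    }
    # The catch-all /siteminderagent/ alias must be the last Alias in the block.
    if ($aliases.Count -gt 0 -and $aliases[-1] -ne '/siteminderagent/') {
        $problems += "Alias /siteminderagent/ must be last; found '$($aliases[-1])' last instead"
    }
    return ,$problems
}

# Constructed sample: the Aliases block from Step 1 C with the placeholder kept.
$sample = @'
AliasMatch /siteminderagent/nocert/[0-9]+/(.*) "<web_agent_home>/win64/$1"
Alias /siteminderagent/pwcgi/ "<web_agent_home>/win64/pw/"
Alias /siteminderagent/pw/ "<web_agent_home>/win64/pw/"
Alias /siteminderagent/ "<web_agent_home>/win64/samples/"
'@ -split "`r?`n"

$problems = Test-SmAliasOrder -ConfLines $sample
if ($problems.Count -eq 0) { 'Alias order OK' } else { $problems }

# Misordered variant (general prefix first) to show what the check reports.
Test-SmAliasOrder -ConfLines @($sample[3], $sample[1], $sample[2])

# Against the live file (replace <Instance Directory> with the OHS instance folder):
# Test-SmAliasOrder -ConfLines (Get-Content '<Instance Directory>\instance1\config\OHS\ohs1\httpd.conf')
```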

 

Step 2. Create WebAgent.conf file with the following content and copy it in <Instance Directory>\instance1\config\OHS\ohs1

 

     Note: Replace <web_agent_home> with actual Web Agent Root(%NETE_WA_ROOT% value) folder

               Replace <Instance Directory> with the OHS instance folder

 

# WebAgent.conf - configuration file for SiteMinder Web Agent

# Web Agent Version = 12.51, Build = 1402, Update = 07

 

LOCALE=en-US

 

#agentname="<AgentName>, <IPAddress>"

HostConfigFile="<web_agent_home>\win64\config\SmHost.conf"

AgentConfigObject="<aco_name>"

EnableWebAgent="YES"

ServerPath=""

#localconfigfile="<Instance Directory>\instance1\config\OHS\ohs1\LocalConfig.conf"

LoadPlugin="<web_agent_home>\win64\bin\HttpPlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\Affiliate10Plugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\SAMLAffiliatePlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\eTSSOPlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\IntroscopePlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\SAMLDataPlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\OpenIDPlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\DisambiguatePlugin.dll"

#LoadPlugin="<web_agent_home>\win64\bin\OAuthPlugin.dll"

AgentIdFile="<Instance Directory>\instance1\config\OHS\ohs1\AgentId.dat"

 

 

Step 3. Create AgentId.dat file with the following content and copy it in <Instance Directory>\instance1\config\OHS\ohs1

 

     Note: (This value is supposed to be unique but as it is not generated you will have to copy one from another agent and change the value to make it unique. In this sample, I copied one and modified the last character 'b' to 'c')

GUID=000080fe0000000075939d10c0597d33-0bf0-5643dc86-0bf4-0339021c

 

 

Step 4. Change opmn.xml file at <Instance Directory>\instance1\config\OPMN\opmn

=======================================================================

Add the following lines after the

<ias-instance id="instance1" name="instance1">

<environment>

opening tags:

 

<variable id="NETE_WA_PATH" value="<web_agent_home>/win64/bin"/>

<variable id="NETE_WA_ROOT" value="<web_agent_home>/win64" />

<variable id="PATH" value="$NETE_WA_PATH;$PATH"/>

Note:

     a. All the sections within <> need to be replaced with the actual path

     b. After making all these changes the OS needs to be restarted.

          (In fact, I haven't figured out which process loads this configuration file. If you know how to get this recognized without rebooting the machine, please let me know)

 

For your reference, please take a look at the sample attachment files.

 

And thanks to Ujwol for preparing and sharing this content.


 

 

14. CA Single Sign-On AdminUI

 

There are 2 components to install.


adminui-12.52-sp01-cr02-win32.zip

adminui-pre-req-12.52-sp01-cr02-win32.zip

 

You need to extract the files and combine them in the same folder so you will have the following 3 files in the same folder.

 

adminui-pre-req-12.52-sp01-cr02-win32.exe

ca-adminui-12.52-sp01-cr02-win32.exe

layout.properties

 

Execute "adminui-pre-req-12.52-sp01-cr02-win32.exe".

 

Server Host: TESTMC1.sso.lab <== This is fine.

Server Port: 18080 <== Default is 8080 and this will conflict with SPS Tomcat so changing it to 18080

 

 

That is all. When you click "Done" it will close this Pre-req installation and launch the AdminUI installer.

 

 

Installer automatically detects where to install.

 

Installation is complete.

 

IE will open and load https://testmc1.sso.lab:8443/iam/siteminder/adminui

 

 

Before you can logon, you need to prepare registration.

 

Open a command line and run the following command. (To avoid confusion, XPSRegClient needs to be run at the Policy Server side)

"XPSRegClient <SiteMinder Administrator Name:Password> -adminui-setup" is the syntax.

 

C:\> xpsregclient siteminder:password -adminui-setup

 

This creates a "<AdministratorName>.XPSReg" file in the "<Policy Server>/bin" folder.

When you log in to AdminUI with the same username and password, AdminUI contacts the Policy Server at the HOST/IP you specified and checks whether a matching *.XPSReg file exists there.

(If you do not specify a hostname/IP, it assumes localhost.)

 

If the file exists, the Policy Server generates a TrustedHost and the other objects needed to trust this AdminUI.

AdminUI also creates similar files in the "<AdminUI>/server/default/data" folder.

 

 

 

You can now logout and try login again to see the differences.

The difference now is that there is a dropdown menu for the "Server" where it was just an input box before.

 

 

Once you successfully logon for the first time, the "siteminder.XPSReg" file is deleted.

 

 

And at the "<AdminUI>/server/default/data/siteminder" folder, you will find a conf file is created with the details about the policy server.

"policystorename" is what appears in the "Server" drop down list.

 

If you are going to manage multiple Policy Servers, you will need to configure an External Administrator.

 

  • Configuring External Administrator

First, you need to know where the Administrators are.

In my case, I will have them in the Active Directory.

 

So, before we go and configure anything, we need to create some users in the AD.

 

I am creating "smuser" to Administer SiteMinder.

 

I am also setting the password to not expire nor allow changing.

 

Logon to SiteMinder AdminUI and navigate to "Administration ==> Admin UI ==> Configure Administrative Authentication"

 

Select Directory Type to be "Active Directory (AD)"

 

Enter the details. Then click on "Show Certificates" button to import the ROOTCA.cer to AdminUI.

Enter the desired Alias and the file path to ROOTCA.cer (C:\Program Files (x86)\CA\siteminder\certs\ROOTCA.cer), then click "OK" and "Next".

 

You get to choose the objectclass for the Administrator.

If your Administrators are created with the "inetorgperson" objectclass, you may need to choose that here.

In my case they are created with the "User" objectclass, so I will just click "Next".

 

All the attributes are pre-populated except for the "Disabled State".

It has to be an attribute that can store a string; it does not need to store binary values.

So, instead of creating a new attribute, I simply chose "carLicense". I will need to make sure I am not updating carLicense for any other purpose.

It has to be exclusive to SiteMinder so I don't confuse the Policy Server.

 

As I created "smuser" to be registered as SiteMinder Administrator, I am searching "smuser".

 

"smuser" is found. Click "Next".

 

You will be shown some details about what you are configuring.

Click "Finish" to complete this.

 

This will re-configure AdminUI so you will not be able to logon to AdminUI using "siteminder" user which exists in the policy store.

AdminUI will be restarted automatically.

 

 

Once the AdminUI logon screen is displayed again, you can now logon as "smuser".

Enter the credential and click "SIGN IN".

 

You are now logged on as external administrative user.

 

If you go back to "Administration ==> Admin UI ==> Configure Administrative Authentication" again, it will show you what is currently configured and provide an option to re-configure.

 

 

And if you go to "Administration ==> Administrator ==> Administrators" you will find the "smuser" that was registered.


 

If you go to the "<AdminUI>/server/default/data/siteminder" folder, you will find a new folder called "directories", and in that folder an "ActiveDirectory---xxxxxxxx.xml" file.

It holds the information that you configured for the External Administrator.

 

There are no objects created at this point, but we will create them as we go.

 

 

This concludes Part 7 of ALL IN ONE Image.


 

 

13. CA Single Sign-On Policy Server

 

Downloaded "ps-12.52-sp01-cr02-win32.zip"

In order to enable most available features of Policy Server, I will be installing some additional Windows services.

 

Load "Server Manager" and go to "Features".

 

Click on "Add Features" and select "SNMP Services" and install.

 

This will install "SNMP Service".

Double click on the "SNMP Service" and configure the "Traps" and "Security" tab.

 

 

  • Install Policy Server

Extract the zip file and run the "ca-ps-12.52-sp01-cr02-win32.exe"

 

Policy Store cannot be configured right now because I will be using CA Directory as Policy Store.

 

The Advanced Auth Service is being configured, but this is not a valid configuration because there is no policy store yet.

So, this needs to be configured again later.

 

Don't restart the machine yet.

 

Create a Policy Server user account.

Under "Managed Service Accounts" (actually it doesn't really matter where), create a "User".

Load the System Properties and check the Environment Variables for "System".

You will find "ARCOT_HOME=C:\Program Files (x86)\CA\aas".

This is from the RiskMinder component introduced to Policy Server.

Later when SPS is installed, it also needs to set this same ARCOT_HOME but with different value.

So, in order to prevent this conflict, I am moving this to "policyserver" user's local user environment.

 

But first, you need to remove this "ARCOT_HOME" from here.

And in order to logon to this Domain Controller as "policyserver" user, I need to add this user to "Domain Admins" group.

Now, Switch User (Start Menu ==> Log off ==> Switch user) to policyserver user.

 

Now, set the ARCOT_HOME environment variable as user variable as above.

Next is to make the Policy Server run as "policyserver" service account.

 

You will get a notification that policyserver account is granted service rights.

 

You should see on the service entry that "Log On As" is set to "policyserver".

 

You MUST do the same for the "CA RiskMinder Service" as well.

These 2 services must be started as "policyserver" user.

After this, if the RiskMinder service starts up, you should be able to confirm it is functional by looking at its cariskminderstartup.log located in "C:\Program Files (x86)\CA\aas\logs" folder.

 

Now, logout policy server user and logon as "Administrator".

Because the Policy Server's environment variables are set at System Level, and only ARCOT_HOME was transferred to user variable, Administrator can run all the Policy Server commands.

 

  • smreg

The documentation officially says not to leave a copy of smreg.exe and XPSSecurity.exe on the policy server machine, but as this is a sandbox I am placing them in the "<policyserver>/bin" folder.

 

 

  • Preparing CA Directory as Policy Store

Policy Server cannot automatically configure CA Directory as Policy Store.

It has to be performed manually.

 

 

Copy the following policy store schema files over to "C:\Program Files\CA\Directory\dxserver\config\schema\" folder.

     C:\Program Files (x86)\CA\siteminder\eTrust\netegrity.dxc

     C:\Program Files (x86)\CA\siteminder\xps\db\etrust.dxc

 

Copy "C:\Program Files\CA\Directory\dxserver\config\schema\default.dxg" to "SiteMinder.dxg"

Modify "SiteMinder.dxg" file to add the policy store schema files as below and save.

 

source "netegrity.dxc";

source "etrust.dxc";

 

Copy "C:\Program Files\CA\Directory\dxserver\config\limits\default.dxc" to "SiteMinder.dxc"

Remove the "Read-Only" attribute.

Update the tuning parameters as below.

 

# size limits

#set max-users = 255;

set max-op-size = 20000; #This determines max entries to be returned at a time. This value has to be high enough if you have a large policy store.

#set multi-write-queue = 20000;

# size limits

set max-users = 1000;

set credits = 5;

set max-local-ops = 1000;

# set max-op-size = 4000;

set multi-write-queue = 20000;

 

 

Update "C:\Program Files (x86)\CA\Directory\dxserver\config\servers\PRIMARY.dxi" for schema dxc

Update references

 

# schema

# source "../schema/default.dxg";

source "../schema/SiteMinder.dxg";

# service limits

# source "../limits/default.dxc";

source "../limits/SiteMinder.dxc";

 

Update Tuning parameter for Policy Store (CADir r12 SP1 or later).

 

set ignore-name-bindings = true;
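As an added check (not part of the original post or of CA's tooling), the following Python script parses the "source" and "set" statements of the .dxi/.dxg/.dxc files edited above and reports anything still pointing at the defaults; the file contents it embeds are constructed to mirror the edits above, and the 20000 minimum for max-op-size is the value used above.

```python
"""Check that a CA Directory DSA is wired up as a SiteMinder policy store.

Added example, not from the original post or from CA. It parses the
"source" and "set" statements of the .dxi/.dxg/.dxc files and reports
anything still pointing at the defaults. The file contents below are
constructed to mirror the post's edits.
"""
import re
from typing import Dict, List

SOURCE_RE = re.compile(r'^\s*source\s+"([^"]+)"\s*;')
SET_RE = re.compile(r'^\s*set\s+([\w-]+)\s*=\s*([^;]+);')


def parse_dx(text: str) -> Dict[str, object]:
    """Return {'sources': [...], 'settings': {name: value}} for one file.
    Lines starting with '#' are comments, as in the CA Directory files."""
    sources, settings = [], {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if m:
            sources.append(m.group(1))
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return {"sources": sources, "settings": settings}


def check_policy_store_config(dxi: str, dxg: str, limits: str,
                              min_op_size: int = 20000) -> List[str]:
    """Return a list of findings; an empty list means the DSA matches
    the policy-store configuration described in the post."""
    findings = []
    d = parse_dx(dxi)
    if "../schema/SiteMinder.dxg" not in d["sources"]:
        findings.append("PRIMARY.dxi does not source ../schema/SiteMinder.dxg")
    if "../limits/SiteMinder.dxc" not in d["sources"]:
        findings.append("PRIMARY.dxi does not source ../limits/SiteMinder.dxc")
    for s in d["sources"]:
        if s.endswith("/default.dxg") or s.endswith("/default.dxc"):
            findings.append("PRIMARY.dxi still sources " + s)

    g = parse_dx(dxg)
    for schema in ("netegrity.dxc", "etrust.dxc"):
        if schema not in g["sources"]:
            findings.append("SiteMinder.dxg does not source " + schema)

    # The tuning settings may live in the .dxi or in the limits file;
    # a value in the .dxi wins over the limits file here.
    effective = {**parse_dx(limits)["settings"], **d["settings"]}
    op = effective.get("max-op-size")
    if op is None or not op.isdigit() or int(op) < min_op_size:
        findings.append(f"max-op-size is {op!r}, expected >= {min_op_size}")
    if effective.get("ignore-name-bindings") != "true":
        findings.append("ignore-name-bindings is not set to true")
    return findings


# Constructed file contents mirroring the post's edits.
GOOD_DXI = """\
# schema
# source "../schema/default.dxg";
source "../schema/SiteMinder.dxg";
# service limits
# source "../limits/default.dxc";
source "../limits/SiteMinder.dxc";
set ignore-name-bindings = true;
"""
GOOD_DXG = """\
source "netegrity.dxc";
source "etrust.dxc";
"""
GOOD_LIMITS = """\
# size limits
set max-users = 1000;
set credits = 5;
set max-local-ops = 1000;
# set max-op-size = 4000;
set max-op-size = 20000;
set multi-write-queue = 20000;
"""
# An untouched .dxi, as dxnewdsa generates it (constructed).
DEFAULT_DXI = """\
# schema
source "../schema/default.dxg";
# service limits
source "../limits/default.dxc";
"""

if __name__ == "__main__":
    for finding in check_policy_store_config(DEFAULT_DXI, GOOD_DXG, GOOD_LIMITS):
        print("finding:", finding)
```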

 

 

Restart DSA instance

 

dxserver stop PRIMARY

dxserver start PRIMARY

 

 

Connect to Policy Store instance using JXPlorer

 

If everything went well, when you navigate to the "Schema" tab and look at the "objectclass" branch, you should see all the SiteMinder objectclasses.

Those with "sm*" are for the legacy and "xps*" are for the XPS Policy Store.

 

The work is not complete yet; you will need to manually create the OU structure.

 

At the O=SM branch, right click and select "New" to create "OU=Netegrity".

Repeat the steps to create the following:

 

OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,O=SM
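Instead of right-clicking through JXPlorer four times, the OU chain can be generated as LDIF and imported with any LDIF-capable tool (assumed available); this is an added example, not from the original post or from CA, and the only input it uses is the DN above.

```python
"""Generate LDIF for the policy store OU chain, parent first.

Added example, not from the original post or from CA. Only the DN
and base from the post are used; the records are plain
organizationalUnit entries that any LDIF import tool can load.
"""
from typing import List, Tuple

TARGET_DN = "OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,O=SM"
BASE_DN = "O=SM"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs; commas escaped with a backslash stay inside."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            cur += ch
            esc = True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return rdns


def ou_chain(target_dn: str, base_dn: str) -> List[Tuple[str, str]]:
    """Return [(dn, ou_value), ...] for every OU between base_dn and
    target_dn, ordered so each parent precedes its child."""
    rdns = split_dn(target_dn)
    base = split_dn(base_dn)
    if rdns[-len(base):] != base:
        raise ValueError(f"{target_dn} is not under {base_dn}")
    chain = []
    suffix = base_dn
    for rdn in reversed(rdns[: len(rdns) - len(base)]):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "ou":
            raise ValueError(f"unexpected RDN {rdn!r}; only OU= is handled")
        dn = f"{rdn},{suffix}"
        chain.append((dn, value.strip()))
        suffix = dn
    return chain


def ou_chain_ldif(target_dn: str, base_dn: str) -> str:
    """Render the chain as LDIF add records (organizationalUnit entries)."""
    records = []
    for dn, ou in ou_chain(target_dn, base_dn):
        records.append(
            f"dn: {dn}\nchangetype: add\nobjectClass: top\n"
            f"objectClass: organizationalUnit\nou: {ou}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    print(ou_chain_ldif(TARGET_DN, BASE_DN))
```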

 

 

Now this PRIMARY instance is ready to be setup as policy store.

 

  • Configuring Policy Store

Load "smconsole" (aka, Policy Server Management Console) and enter the PRIMARY DSA instance details and click "Test LDAP Connection" to confirm it is connected successfully.

 

 

Also, configure the Key Store settings to point to the Policy Store. Click "Apply"

 

 

Open a command-line and change directory to "C:\Program Files (x86)\ca\siteminder\xps\dd"

Run the command "XPSDDInstall SmMaster.xdd"

 

You will find objects are created under the OU=XPS.

 

Now change directory to "C:\Program Files (x86)\ca\siteminder\db".

There are several "xml" files but all xml files are incorporated into the "smpolicy.xml".

So, you only need to import the "smpolicy.xml"

 

xpsimport smpolicy.xml -npass

You will find objects are created under OU=PolicySvr4.

 

Now, you need to create the "SiteMinder" super user.

Run "smreg -su <password>" to create and set the password.

 

Reboot the machine as it has not been done yet after the installation.

 

  • Reconfigure the RiskMinder component.

During the installation, the Policy Store was not configured by the Wizard, but the RiskMinder component was.

The RiskMinder component cannot be configured properly without the policy store, so this needs to be run again.

 

Run the "Policy Server Configuration Wizard".

 

No need to choose any features to configure. Just click "Next".

 

You will be asked to enter the "Master Key".  This only accepts alphanumeric!!!

This is not Policy Store encryption Key. This is a key used by RiskMinder component.

You must keep a record of this key as you will need it in the future.

 

It asks again to set a password for the "SiteMinder" super user.

You cannot skip this part without entering a value so enter whatever password suits you. You will use that to administer the policy server.

 

Note: As the configuration wizard will set the "ARCOT_HOME" in the system variables, please remove it again.

 

Also, later when you have configured SiteMinder AdminUI, you will see that a "Default_<PolicyServerMachineName>_AAS" HostConfigObject has been created as below.

AdminUI is not installed yet so you won't be able to see this there, but you can check from XPSExplorer.

 

If you have 2 Policy Servers, then you should see 2 HCOs named "Default_<PolicyServerMachineName>_AAS".

If you don't have the matching number of HCO objects, check the Policy Server hostnames to determine which one needs to run the configuration wizard to register itself.

 

 

  • OneView Monitor

At this point, you will be able to access http://www.sso.lab/sitemindermonitor/ to view the OneView Monitor.

 

 

  • SSL communication to LDAP backends

It is common to communicate with backend LDAP servers over SSL.

 

Navigate to http://www.sso.lab/certsrv/ and download the "CA Certificate".

 

Create "C:\Program Files (x86)\ca\siteminder\certs" folder.

Rename the newcer.cer to ROOTCA.cer and copy it to "C:\Program Files (x86)\ca\siteminder\certs"

 

Open a command-line and change directory to "C:\Program Files (x86)\ca\siteminder\certs"

Run the following command to create the cert8.db file.

 

certutil -A -n "ALLINONE Root CA" -t "C,," -i ROOTCA.cer -d .

 

This command creates the cert8.db, key3.db and secmod.db files if they do not exist, and adds the certificate as a trusted Root CA certificate.

If you already have the cert8.db, key3.db and secmod.db files, it only adds the certificate.

 

Now, load the smconsole and enter the configuration at the "Data" tab.

Select "cert8.db" file and click "Apply"

 

 

Now, the Policy Server should be able to connect to any LDAP server over SSL as long as its certificate was issued by the Root CA that was imported into cert8.db.

 

  • SNMP monitoring

 

Navigate to "C:\Program Files (x86)\CA\siteminder\bin" and run "SnmpWalkRun.bat".

Then in the "OID" type "products" (or select an entry from dropdown menu) and click on "Walk".

If it is configured correctly, you should see the following. (Ignore the popup message about "End of MIB")

In this case, you can see that the port used was "161" which is going through the OS's master SNMP agent.

If you want to test the "Netegrity SNMP Agent" directly, change the port to "8001" and try.

Configuration is in "C:\Program Files (x86)\CA\siteminder\config\snmp.conf" file.

Update the file as below.

 

LOG_FILE=C:\Program Files (x86)\CA\siteminder\log\SNMP.log

TRAP_RECEIVER(Y/N)=Y

 

And for snmp trap messages, modify "C:\Program Files (x86)\CA\siteminder\config\snmptrap.conf" file as below.

 

 

  • Adding Event Handler

 

 

Follow these steps:

  1. Open a command line on the Policy Server, and enter the following command: xpsconfig

    The tool starts and displays the name of the log file for this session, and a menu of choices opens.

  2. Enter the following: xps

    A list of options appears.

  3. Enter the following: 5 (AuditSMHandlers)

    The settings for the event handler libraries appear.

  4. Type C, and then enter the path and file name of the event handler library ("C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"). The settings for the event handler libraries appear. The value you added is shown at the bottom of the settings as a "pending value."

  5. Enter Q and [ENTER] three times to end your XPS session.

  6. The Policy Server needs to be restarted.

 

In the smps.log, you should find the following entry.

 

     [5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"
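To check this from a script rather than by eye, the following added example (not part of the original post) parses smps.log lines in the bracketed format shown above and reports whether the event handler DLL was loaded; the extra sample line it embeds is constructed, and treating an ERROR line from SmEventWedge as a load failure is an assumption.

```python
"""Verify from smps.log that the SNMP event handler library was loaded.

Added example, not part of the original post. The log format is the
one shown in the post. The first sample line is the post's own; the
second is constructed. Treating an ERROR-level SmEventWedge line that
names the DLL as a load failure is an assumption about the log.
"""
import re
from typing import Iterable, Optional

# [pid/tid][timestamp][source:line][function][level][message-id] text
SMPS_LINE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]"
    r"\[(?P<ts>[^\]]+)\]"
    r"\[(?P<src>[^\]]+)\]"
    r"\[(?P<func>[^\]]+)\]"
    r"\[(?P<level>[^\]]+)\]"
    r"\[(?P<msgid>[^\]]+)\]\s*(?P<text>.*)$"
)

LOADED_RE = re.compile(r'Event handler library loaded:\s*"(?P<path>[^"]+)"')


def parse_smps_line(line: str) -> Optional[dict]:
    """Split one smps.log line into its bracketed fields, or return None
    if the line does not match the format."""
    m = SMPS_LINE.match(line.strip())
    return m.groupdict() if m else None


def event_handler_status(lines: Iterable[str], dll_path: str) -> str:
    """Return 'loaded', 'error' or 'missing' for the given handler DLL.

    Windows paths are compared case-insensitively. Only lines emitted
    from SmEventWedge are considered.
    """
    want = dll_path.lower()
    for raw in lines:
        rec = parse_smps_line(raw)
        if rec is None or not rec["src"].startswith("SmEventWedge"):
            continue
        if rec["level"] == "ERROR" and want in rec["text"].lower():
            return "error"
        m = LOADED_RE.search(rec["text"])
        if m and m.group("path").lower() == want:
            return "loaded"
    return "missing"


# Sample log: first line is the one from the post, second is constructed.
SAMPLE_LOG = [
    '[5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO]'
    '[sm-xpsxps-06860] Event handler library loaded: '
    '"C:\\Program Files (x86)\\CA\\siteminder\\bin\\eventsnmp.dll"',
    '[5032/5036][Thu Nov 05 2015 15:47:21][SmServer.cpp:100][Init][INFO]'
    '[sm-Server-00000] Policy Server started (constructed line)',
]

EVENTSNMP = r"C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"

if __name__ == "__main__":
    print(event_handler_status(SAMPLE_LOG, EVENTSNMP))
```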

 

 

 

This concludes Part 6 of ALL IN ONE Image.


 

 

12. Oracle Directory Server 11g

 

Oracle Directory Server uses a web application to administer the server.

So you need an existing application server to deploy the application on.

We already have New Atlanta ServletExec, so we will be using that.

Otherwise, I usually use GlassFish.

 

 

  • Installation

Downloaded ofm_odsee_win_11.1.1.7.0_disk1_1of1.zip

If you extract the file, there is "ODSEE_ZIP_Distribution" folder.

In that folder, there is "sun-dsee7.zip", which needs to be extracted.

After extraction, you will find "dsee7" folder. This is the folder that has everything.

I am moving this to C:\ so the path will be "C:\dsee7".

 

 

  • Configuration

Open a command prompt and navigate to "C:\dsee7\bin" folder.

 

C:\dsee7\bin> dsccsetup ads-create

 

You are asked to enter the password for Directory Service Manager. You will need to remember this for later use.

 

C:\dsee7\bin> dsccsetup war-file-create

This creates dscc7.war file that can be deployed.

 

C:\dsee7\bin> dsccagent create

Note the "DSCC agent" port number, 3997.

Also, note the Agent instance path "C:/dsee7/var/dcc/agent"

C:\dsee7\bin> dsccreg add-agent C:/dsee7/var/dcc/agent

 

Start up the DSCC Agent and ADS.

C:\dsee7\bin> dsccagent start

C:\dsee7\bin> dsadm start C:/dsee7/var/dcc/ads

 

Next time if you reboot the machine, you will need to ensure the following command is run to startup the required services.

 

C:\dsee7\bin> dsccagent start

C:\dsee7\bin> dsadm start C:/dsee7/var/dcc/ads

 

But this is going to be forgotten and cause frustration later.

So, it is better to register them as a service.

 

First, you must stop the dscc agent.

 

C:\dsee7\bin> dsccagent stop

 

Then register a service


C:\dsee7\bin> dsccreg add-agent C:/dsee7/var/dcc/agent

 

Then you will find this in the service list as below.

 

 

You can now start it from service. Start it up now.

 

Then register the ADS instance as service as well.

 

C:\dsee7\bin> dsadm enable-service C:/dsee7/var/dcc/ads

Startup the service now.

 

Now, all services will startup automatically.

Remember to do the same for the LDAP instances that you create.

 

 

  • Application Deployment

This section will be skipped at the moment.

It is because there is no compatible web application server installed on this machine yet.

NewAtlanta ServletExec 6 is not compatible based on my testing, so it will not be used.

 

At the moment, we will have to use command-line to setup instance and configure.

 

Later on, when Secure Proxy Server is installed, I will try and see if this can be deployed on the tomcat.

 

 

  • Setup an Instance

 

C:\dsee7\bin> dsadm create -p 2389 -P 2636 C:/dsee7/ldapinstances/slapd-primary

C:\dsee7\bin> dsadm start C:/dsee7/ldapinstances/slapd-primary

C:\dsee7\bin> dsconf create-suffix --unsecured -p 2389 dc=sso,dc=lab

 

Start the service now.

You can also start it from command-line as below.

C:\dsee7\bin> dsadm start C:/dsee7/ldapinstances/slapd-primary

 

You will find that it is listening on all IP addresses.

 

C:\dsee7\bin> dsconf create-suffix --unsecured -p 2389 dc=sso,dc=lab

 

Use JXPlorer to connect to this LDAP instance.

 

Host: cadir.sso.lab

Port: 2389

Base DN: dc=sso,dc=lab

Security Level : User + Password

User DN: cn=Directory Manager

Password: xxxxxxxx

 

Oracle LDAP instance is ready for use.

 

 

  • Create sample objects

Right click on the baseDN and select "New"

Create "OU=People" under "dc=sso,dc=lab"

 

Create "user1" using "inetOrgPerson" objectclass and place under OU=People.

Detailed steps skipped as it has been demonstrated during CA Directory setup.

 

This concludes Part 5 of ALL IN ONE Image.


 

10. ASF Apache

 

  • Binary

First, download and install ASF Apache.

ASF only provides 32-bit Windows binaries, so if you want to run 64-bit you will either have to compile it yourself or get a third-party compiled version.

For example, the following site is one of the places where you can get the win64 version.

!! From internal research, ASF Apache 2.4 compiled with VC10 is what had been tested by CA, so you MUST download the binaries from the following URL (VC10).

 

https://www.apachelounge.com/download/VC10/

 

In this setup, I will be downloading the following file.

https://www.apachelounge.com/download/VC10/binaries/httpd-2.4.17-win64.zip

 

Extract the file and check "Apache24\logs\install.log"; it explains where it was installed to.

ServerRoot= c:/Apache24

 

It is easier to keep the same folder, although you can move it to other folders.

So, I will be extracting the zip file at "C:\" so that the ServerRoot remains the same.

 

  • Prerequisite

Built with Visual Studio® 2015 x64

--------------------------------------------------

- Be sure you have installed the Visual C++ Redistributable for Visual Studio 2015 x64.

  Download and install, if you not have it already, from:

 

Download Microsoft Visual C++ 2010 SP1 Redistributable Package (x64) from Official Microsoft Download Center

for vcredist.x64.exe

 

Download Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) from Official Microsoft Download Center

for vcredist_x86.exe

 

  • Registry

The Web Agent Configuration Wizard detects existing Apache instances via the registry and files.

As we are extracting a zip file, there is no registry entry.

Open regedit, navigate to HKLM\SOFTWARE and create the following key.

"HKLM\SOFTWARE\Apache Source Foundation\Apache\2.4.17"

Under this key, create the following entries.

(String) ServerRoot = C:\Apache24\

(DWORD) Shared = 1

!! From internal research, from R12.52 onwards the Agent Configuration Wizard detects ASF Apache 2.4 from the Windows Service registry, as there is no Apache installer that generates the registry key. This is different from how the Agent Configuration Wizard used to detect Apache from the registry under "Apache Source Foundation". So this step turns out to be unnecessary! However, it still applies to lower versions of Apache.

 

 

  • httpd.conf

Need to make some changes such as the IP that it should listen on and the port.

Install a NotePad++ type of tools and modify the httpd.conf file.

 

Before:
Listen 80

After:
Listen 192.168.201.101:81

 

  • Service

Register a default instance as below.

C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -k install

or if you want to name the service then add "-n" switch

C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k install

Now that this instance is registered as "ASF Apache 2.4" service name, you can start up the service by running the following command.

net start "ASF Apache 2.4"

 

And accessing http://192.168.201.101:81 should display "It works!" message.

You can also get same result http://www.sso.lab:81

 

This is just to make the ASF Apache work.

 

Now that we want this to be listening on its own IP address, add "Microsoft Loopback Adapter" as instructed in the "Part 1" and assign IP 192.168.201.105.

And register a DNS Forward Lookup Zone as "cookie.lab" and add a Host entry as "www" and map it to 192.168.201.105.

Set the DNS not to update automatically. ("Do not allow dynamic updates")

All the instructions remain the same.

 

Then modify the httpd.conf as below.

Before:
Listen 192.168.201.101:81
#ServerName www.example.com:80

After:
Listen 192.168.201.105:80
ServerName www.cookie.lab:80

 

Then uninstall the service configuration as below.

 

C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k uninstall

 

Then re-register using different name.

I would prefer to register the apache service using their FQHN.

 

C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "www.cookie.lab" -k install

 

And startup the service.

 

C:\Apache24\bin> net start www.cookie.lab

 

Check the http://www.cookie.lab displays "It works!" message.

(The reason I am showing the above changes here is because there will be more to come later on. Which will make this single apache binary installation to act as multiple apache instances by manipulating config files.)

 

 

11. CA Directory

 

  • Installation

There are 2 ISO files.

In this setup I am using CA Directory 12.0 SP16.

DVD08104223E.iso  <== 1,387,130KB This is the DX Server installation

DVD08104321E.iso  <==    398,658KB This is AdminTools

 

Mount the DVD08104223E.iso file and select "dxsetup.exe" when the autorun screen pops up.

If you did not get the autorun window then you can manually execute the following.

<DVD/ISO>/windows_x86_64/dxserver/windows/dxsetup.exe

 

 

 

 

  • Configuration

CA Directory is installed but it does not create any DSA instances so you need to manually create one.

C:\> dxnewdsa PRIMARY 1389 O=SM

This command creates a DSA instance named "PRIMARY" that listens on port "1389" and creates the root DN "O=SM".

However, this DSA instance will listen on all IP addresses, so we need to limit it to listen only on 192.168.201.102, and on IPv4 only.

 

Modify the "C:\Program Files\CA\Directory\dxserver\config\knowledge\PRIMARY.dxc" file above as below.

NOTE : The address has to be double quoted or it will fail to startup. You cannot use port 389 because AD is listening on ALL IP ADDRESSES.

 

Restart the DSA.

C:\> dxserver stop all   <== This will stop all DSA instances

C:\> dxserver stop PRIMARY <== This will stop only the PRIMARY instance.

Just run whichever is appropriate.

 

If it fails to start up, check the logs below.

"C:\Program Files\CA\Directory\dxserver\logs\<InstanceName>_alarm.log"

"C:\Program Files\CA\Directory\dxserver\logs\<InstanceName>_trace.log"

 

It should give you some good clue on what the reason is.

Usually it is a syntax error or failing to register to address.

 

If that still does not provide meaningful message, you can raise the log level in the following file.

"C:\Program Files\CA\Directory\dxserver\config\logging\default.dxc"

You will find the "set trace = error;" line.

Before you can modify this file, you will need to remove the read-only bit on the file.

In fact, it is not good to share the "default.dxc" file; it is better to have a separate logging configuration file, but we will not go any further on this topic here.

We will get to it later on when we use this DSA instance as policy store.

 

 

  • Accessing DSA Instance

Mount the other DVD08104321E.iso file. Do not click on AutoRun window.

I am only going to install JXPlorer.

Navigate to "D:\windows_x86_32\jxplorer\windows" folder and run "JXv3.2_install_windows.exe"

 

 

 

The installer will hang at this point, while it is installing the "Uninstaller". It is a known issue.

In fact, all the necessary files to run JXPlorer are already copied, so you can kill the installer process.

C:> taskkill /IM "JXV*" /F

C:> taskkill /IM "jxp*" /F

C:> taskkill /IM "javaw*" /F

 

This will kill the installer and other related processes.

 

Navigate to "C:\Program Files\CA\Directory\JXPlorer\" and run the "jxplorer.bat" script.

Click on the socket icon above at the upper left corner and enter the details of the "PRIMARY" DSA instance information.

Host: 192.168.201.102

Port: 1389

Protocol: LDAP v3

Base DN: O=SM

Security Level: Anonymous

 

Then click on the "Save" button to save the setting for future use.

You can see the O=SM at the left pane.

Right click on it and create an "OU=Admin" by selecting "New".

Click "Submit" to finish creating this object.

Now, right click on "OU=Admin" from left pane and select "New" to create a user object.

Those attributes that are mandatory to have a value are at the top and in bold letters.

For "inetorgperson" objectclass, "sn" is mandatory so you need to have a value. I entered "Administrator".

And as this user will need to have a password to login, enter the password at the "userPassword" attribute.

Click "Submit" to complete creating this user object.

Now, right click on the "CN=diradmin" at the left pane and select "Copy DN".

Then click on the "Connect to DSA", the socket icon at the upper left to bring up the connection and update as above.

Security Level: User + Password <== This was Anonymous before.

User DN: CN=diradmin,OU=Admin,O=SM

Password: password that you entered when creating this admin user.

 

Click on the "Save" button to save this change. Then click "OK" to connect.

This time it is connecting to this DSA as "CN=diradmin,OU=Admin,O=SM" user and not Anonymous.

 

 

  • Service startup

When you create DSA instance, it also creates a Windows Service.

But the service is set to start manually by default.

So, this should be configured to startup automatically.

 

 

Double click on the service named "CA Directory - PRIMARY" and configure the startup to "Automatic" and click "Apply"

 

This concludes Part 4 of ALL IN ONE Image.