This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.
WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT OF GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION THAT ALLOWS YOU TO RUN SUCH A CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.
The following components will be installed.
01. Install OS (Windows 2008 R2 - English)
02. Microsoft Loopback Adapter
03. Active Directory
06. Certificate Authority
07. MSSQL 2012
08. JDK 1.7.0_80 (32bit and 64bit)
09. NewAtlanta ServletExec 6.0
10. ASF Apache
11. CA Directory
12. Oracle Directory Server 11g
13. CA Single Sign-On Policy Server
14. CA Single Sign-On AdminUI
15. CA Single Sign-On Web Agent/Option Pack
16. CA Single Sign-On Secure Proxy Server
17. CABI 3.3
Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.
10. ASF Apache
First, download and install ASF Apache.
ASF Apache is only provided as a 32-bit build, so if you want to run 64-bit you will either have to compile it yourself or get a third-party compiled version. Because it is a third-party build, verify the published checksum or signature of the download before you run it.
For example, the following site is one of the places where you can get the win64 version.
!! From internal research, ASF Apache 2.4 compiled with VC10 is what has been tested by CA, so you MUST download the binaries from the following URL (VC10).
In this setup, I will be downloading the following file.
Extract the file and check "Apache24\logs\install.log"; it explains where it was installed to.
It is easier to keep the same folder, although you can move it elsewhere.
So I will be extracting the zip file at "C:\", and the ServerRoot will remain the same.
Built with Visual Studio® 2015 x64
- Be sure you have installed the Visual C++ Redistributable for Visual Studio 2015 x64.
Download and install it, if you do not have it already, from:
The Web Agent Configuration Wizard detects an existing Apache instance through the registry and files.
Because we are extracting a zip file rather than running an installer, no registry entries are created.
Open regedit, navigate to HKLM\SOFTWARE and create the following key.
"HKLM\SOFTWARE\Apache Software Foundation\Apache\2.4.17"
Under this key, create the following entries.
(String) ServerRoot = C:\Apache24\
(DWORD) Shared = 1
!! From internal research, from R12.52 onwards the Agent Configuration Wizard detects ASF Apache 2.4 from the Windows Service registry, because there is no Apache installer that generates the registry. This is different from how the Agent Configuration Wizard used to detect Apache from the registry under "Apache Software Foundation". So this step turns out to be unnecessary! However, it still applies to lower versions of Apache.
Some changes are needed, such as the IP address it should listen on and the port.
Install a Notepad++ type of tool and modify the httpd.conf file.
Before: Listen 80
After:  Listen 192.168.201.101:81
Register a default instance as below.
C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -k install
or, if you want to name the service, add the "-n" switch
C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k install
Now that this instance is registered with the service name "ASF Apache 2.4", you can start the service by running the following command.
net start "ASF Apache 2.4"
Accessing http://192.168.201.101:81 should display the "It works!" message.
You can also get the same result at http://www.sso.lab:81
This is just to confirm that ASF Apache works.
Now, since we want this instance to listen on its own IP address, add a "Microsoft Loopback Adapter" as instructed in "Part 1" and assign it IP 192.168.201.105.
And register a DNS Forward Lookup Zone as "cookie.lab" and add a Host entry as "www" and map it to 192.168.201.105.
Set the DNS not to update automatically. ("Do not allow dynamic updates")
All the other instructions remain the same.
Then modify httpd.conf as below.
Before: #ServerName www.example.com:80
After:  ServerName www.cookie.lab:80
The Listen directive has to follow as well: point it at the loopback adapter address and the port that ServerName advertises (192.168.201.105:80), otherwise a request to http://www.cookie.lab will not reach this instance.
Then uninstall the service registration as below.
C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k uninstall
Then re-register it under a different name.
I prefer to register the Apache service using its FQHN (fully qualified host name).
C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "www.cookie.lab" -k install
And start the service.
C:\Apache24\bin> net start www.cookie.lab
Check that http://www.cookie.lab displays the "It works!" message.
(The reason I am showing the above changes here is that there is more to come later on, which will make this single Apache binary installation act as multiple Apache instances by manipulating config files.)
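The Apache procedure above (derive an instance configuration, register the binary as a service named after the FQHN, start it, and check the "It works!" page) as one script. This is an added example, not part of the original post. It keeps each instance's configuration in its own file under C:\Apache24\conf and passes it with httpd's -f switch, which is how one binary serves several instances on Windows (the post edits httpd.conf in place; the separate file is this example's choice). It uses System.Net.WebClient rather than Invoke-WebRequest so it runs on the PowerShell 2.0 that ships with Windows 2008 R2. The path, IP, host name and port are the post's values and are parameters here.

```powershell
# Added example, not from the original post. Registers one extracted Apache 2.4 binary as a
# Windows service that runs its own configuration file, then verifies the listener.
# Assumptions (mine, not the post's): per-instance config at C:\Apache24\conf\<fqhn>.conf,
# derived from the stock httpd.conf; WebClient instead of Invoke-WebRequest (PowerShell 2.0).
param(
    [string]$ServerRoot = 'C:\Apache24',
    [string]$Fqhn       = 'www.cookie.lab',
    [string]$ListenIp   = '192.168.201.105',
    [int]   $Port       = 80
)

$httpd    = Join-Path $ServerRoot 'bin\httpd.exe'
$baseConf = Join-Path $ServerRoot 'conf\httpd.conf'
$instConf = Join-Path $ServerRoot ('conf\{0}.conf' -f $Fqhn)

# 1. Derive the instance config from httpd.conf: bind to this instance's address only
#    (the post's "Listen 80" -> "Listen ip:port" change) and set ServerName.
$conf = Get-Content $baseConf | ForEach-Object {
    if     ($_ -match '^\s*Listen\s')       { 'Listen {0}:{1}' -f $ListenIp, $Port }
    elseif ($_ -match '^\s*#?ServerName\s') { 'ServerName {0}:{1}' -f $Fqhn, $Port }
    else                                    { $_ }
}
Set-Content -Path $instConf -Value $conf -Encoding ASCII

# 2. Syntax-check the new file before touching the service manager.
& $httpd -d $ServerRoot -f $instConf -t
if ($LASTEXITCODE -ne 0) { throw "httpd -t rejected $instConf" }

# 3. Register under the FQHN; remove any stale service of that name first
#    (the post's "-k uninstall" followed by "-k install").
if (Get-Service -Name $Fqhn -ErrorAction SilentlyContinue) {
    Stop-Service -Name $Fqhn -ErrorAction SilentlyContinue
    & $httpd -d $ServerRoot -f $instConf -n $Fqhn -k uninstall
}
& $httpd -D SSL -d $ServerRoot -f $instConf -n $Fqhn -k install
if ($LASTEXITCODE -ne 0) { throw "service registration for $Fqhn failed" }

# 4. The post starts it with "net start"; also make it survive a reboot.
Set-Service -Name $Fqhn -StartupType Automatic
Start-Service -Name $Fqhn

# 5. Check that the socket is bound to the intended address only, not to 0.0.0.0.
$listen = netstat -ano | Select-String ('{0}:{1}\s' -f [regex]::Escape($ListenIp), $Port)
if (-not $listen) { throw ('nothing is listening on {0}:{1}' -f $ListenIp, $Port) }
$wild = netstat -ano | Select-String ('0\.0\.0\.0:{0}\s' -f $Port)
if ($wild) {
    $lines = ($wild | ForEach-Object { $_.Line.Trim() }) -join '; '
    Write-Warning "port $Port is also bound on all addresses: $lines"
}

# 6. Fetch the default page the way the post does in a browser.
$body = (New-Object System.Net.WebClient).DownloadString(('http://{0}:{1}/' -f $Fqhn, $Port))
if ($body -notmatch 'It works!') { throw "unexpected response from $Fqhn" }
'{0} is up on {1}:{2} as Windows service "{0}"' -f $Fqhn, $ListenIp, $Port
```

Run it from an elevated PowerShell prompt on the lab server; the service control manager refuses the install and uninstall steps otherwise. Because the service stores the -f and -d switches it was registered with, running the script again with a different FQHN and address creates a second, independent instance from the same C:\Apache24 binary.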
11. CA Directory
There are two ISO files.
In this setup I am using CA Directory 12.0 SP16.
DVD08104223E.iso <== 1,387,130KB This is the DX Server installation
DVD08104321E.iso <== 398,658KB This is AdminTools
Mount the DVD08104223E.iso file and select "dxsetup.exe" when the autorun screen pops up.
If you did not get the autorun window then you can manually execute the following.
CA Directory is now installed, but it does not create any DSA instances, so you need to create one manually.
C:\> dxnewdsa PRIMARY 1389 O=SM
This command creates a DSA instance named "PRIMARY" that listens on port 1389, with "O=SM" as the root DN.
However, this DSA instance will listen on all IP addresses, so we need to limit it to 192.168.201.102 and to IPv4 only.
Modify the "C:\Program Files\CA\Directory\dxserver\config\knowledge\PRIMARY.dxc" file as below.
NOTE: The address has to be double-quoted or the DSA will fail to start. You cannot use port 389 because AD is listening on ALL IP ADDRESSES.
Restart the DSA.
C:\> dxserver stop all <== This will stop all DSA instances
C:\> dxserver stop PRIMARY <== This will stop only the PRIMARY instance.
Run whichever is appropriate, then start the instance again with the matching dxserver start command.
If it fails to start, check the logs below.
They should give you a good clue as to the reason.
Usually it is a syntax error or a failure to bind to the address.
If that still does not provide a meaningful message, you can raise the log level in the following file.
You will find the "set trace = error;" line.
Before you can modify this file, you need to clear the read-only attribute on it.
In fact, it is not good practice to share the "default.dxc" file; it is better to have a separate logging configuration file, but we will not go any further on this topic here.
We will get to it later on when we use this DSA instance as policy store.
Accessing DSA Instance
Mount the other ISO, DVD08104321E.iso. Do not click on the AutoRun window.
I am only going to install JXPlorer.
Navigate to "D:\windows_x86_32\jxplorer\windows" folder and run "JXv3.2_install_windows.exe"
The installer hangs at the point where it is installing the "Uninstaller". This is a known issue.
In fact, all the files needed to run JXPlorer have already been copied, so you can kill the installer process.
C:> taskkill /IM "JXV*" /F
C:> taskkill /IM "jxp*" /F
C:> taskkill /IM "javaw*" /F
This will kill the installer and other related processes.
Navigate to "C:\Program Files\CA\Directory\JXPlorer\" and run the "jxplorer.bat" script.
Protocol: LDAP v3
Base DN: O=SM
Security Level: Anonymous
Then click the "Save" button to save the setting for future use.
You will see O=SM in the left pane.
Right-click it and create "OU=Admin" by selecting "New".
Click "Submit" to finish creating this object.
Now, right-click "OU=Admin" in the left pane and select "New" to create a user object; this one will be "CN=diradmin".
The attributes that must have a value are listed at the top, in bold.
For the "inetOrgPerson" objectclass, "sn" is mandatory, so you need to give it a value. I entered "Administrator".
And since this user will need a password to log in, enter the password in the "userPassword" attribute.
Click "Submit" to complete creating this user object.
Now, right-click "CN=diradmin" in the left pane and select "Copy DN".
Then click "Connect to DSA" (the socket icon at the upper left) to bring up the connection dialog and update it as above.
Security Level: User + Password <== This was Anonymous before.
User DN: CN=diradmin,OU=Admin,O=SM
Password: password that you entered when creating this admin user.
Click the "Save" button to save this change, then click "OK" to connect.
This time it connects to the DSA as the "CN=diradmin,OU=Admin,O=SM" user rather than anonymously.
When you create a DSA instance, it also creates a Windows service.
But the service is set to manual startup by default.
So it should be configured to start automatically.
Double-click the service named "CA Directory - PRIMARY", set the startup type to "Automatic" and click "Apply".
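The JXPlorer steps above (anonymous connection, create OU=Admin, create CN=diradmin with sn and userPassword, reconnect as that user) and the service startup change, scripted. This is an added example, not from the original post or from CA's tooling. It uses the System.DirectoryServices.Protocols classes that ship with .NET, so it runs on the PowerShell 2.0 of Windows 2008 R2 without JXPlorer; it assumes the DSA is reachable at 192.168.201.102:1389 as configured above, and takes the password as a parameter rather than hard-coding it. Two caveats a practitioner should keep in mind: the first half only works because, as the post's own steps show, a freshly created DSA accepts writes from an anonymous bind, and port 1389 is plain LDAP, so the password crosses the wire in clear text exactly as it does from JXPlorer.

```powershell
# Added example, not from the original post. Creates OU=Admin and CN=diradmin on the PRIMARY
# DSA anonymously (the DSA permits that at this stage, as the JXPlorer steps show), then proves
# the account works by binding as it. Host/port are assumed from the setup above (mine).
param(
    [string]$DsaHost = '192.168.201.102',
    [int]   $DsaPort = 1389,
    [string]$AdminDn = 'CN=diradmin,OU=Admin,O=SM',
    [Parameter(Mandatory=$true)][string]$AdminPwd
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

function New-DsaConnection {
    param([string]$BindDn, [string]$BindPwd)
    $id   = New-Object "$ns.LdapDirectoryIdentifier" ($DsaHost, $DsaPort)
    $conn = New-Object "$ns.LdapConnection" ($id)
    $conn.SessionOptions.ProtocolVersion = 3            # "Protocol: LDAP v3" in JXPlorer
    if ($BindDn) {
        # CA Directory is not AD: force a simple bind, never Negotiate/Kerberos.
        # Plain LDAP on 1389 sends this password in clear text, same as JXPlorer does.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = New-Object System.Net.NetworkCredential ($BindDn, $BindPwd)
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    }
    $conn.Bind()     # throws LdapException on failure (result code 49 = wrong password)
    return $conn
}

function Add-DsaEntry {
    param($Conn, [string]$Dn, [hashtable]$Attrs)
    $req = New-Object "$ns.AddRequest" ($Dn)
    foreach ($name in $Attrs.Keys) {
        $attr = New-Object "$ns.DirectoryAttribute"
        $attr.Name = $name
        foreach ($v in [string[]]@($Attrs[$name])) { [void]$attr.Add([string]$v) }
        [void]$req.Attributes.Add($attr)
    }
    [void]$Conn.SendRequest($req)
}

# 1. "Security Level: Anonymous", the post's first connection profile.
$anon = New-DsaConnection
Add-DsaEntry $anon 'OU=Admin,O=SM' @{ objectClass = 'organizationalUnit'; ou = 'Admin' }
Add-DsaEntry $anon $AdminDn @{
    objectClass  = @('top', 'person', 'organizationalPerson', 'inetOrgPerson')
    cn           = 'diradmin'
    sn           = 'Administrator'    # mandatory for inetOrgPerson, as the post notes
    userPassword = $AdminPwd
}
$anon.Dispose()

# 2. "Security Level: User + Password": re-bind as the new account and read its entry back.
$auth   = New-DsaConnection -BindDn $AdminDn -BindPwd $AdminPwd
$search = New-Object "$ns.SearchRequest"
$search.DistinguishedName = $AdminDn
$search.Filter            = '(objectClass=inetOrgPerson)'
$search.Scope             = [System.DirectoryServices.Protocols.SearchScope]::Base
[void]$search.Attributes.Add('cn')
[void]$search.Attributes.Add('sn')
$resp = $auth.SendRequest($search)
if ($resp.Entries.Count -ne 1) { throw "$AdminDn not found after authenticated bind" }
'Bound as {0}; sn={1}' -f $AdminDn, $resp.Entries[0].Attributes['sn'][0]
$auth.Dispose()

# 3. dxnewdsa registers the DSA's Windows service as Manual; make it Automatic.
Get-Service -DisplayName 'CA Directory - PRIMARY' | Set-Service -StartupType Automatic
```

Run it once; a second run fails at the first AddRequest with an entryAlreadyExists result, which is the expected signal that the objects are already there. If the authenticated bind in step 2 throws with result code 49, the userPassword value stored in step 1 does not match what was passed in, which is the same symptom as a typo in JXPlorer's Password field.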