This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.

 

 

14. CA Single Sign-On AdminUI

 

There are 2 components to install.


adminui-12.52-sp01-cr02-win32.zip

adminui-pre-req-12.52-sp01-cr02-win32.zip

 

You need to extract the archives and combine their contents in the same folder, so that you end up with the following 3 files together.

 

adminui-pre-req-12.52-sp01-cr02-win32.exe

ca-adminui-12.52-sp01-cr02-win32.exe

layout.properties

 

Execute "adminui-pre-req-12.52-sp01-cr02-win32.exe".

 

Server Host: TESTMC1.sso.lab <== This is fine.

Server Port: 18080 <== Default is 8080 and this will conflict with SPS Tomcat so changing it to 18080

 

 

That is all. When you click "Done" it will close this Pre-req installation and launch the AdminUI installer.

 

 

The installer automatically detects where to install.

 

Installation is complete.

 

IE will open and load https://testmc1.sso.lab:8443/iam/siteminder/adminui

 

 

Before you can log on, you need to prepare the registration.

Open a command line and run the following command. (To avoid confusion: XPSRegClient needs to be run on the Policy Server side.)

The syntax is "XPSRegClient <SiteMinder Administrator Name:Password> -adminui-setup".

 

C:\> xpsregclient siteminder:password -adminui-setup

 

This creates a "<AdministratorName>.XPSReg" file in the "<Policy Server>/bin" folder.

When you then try to log in to AdminUI with the same username and password, and you have specified a Policy Server host/IP, AdminUI contacts the Policy Server at that address and checks whether such a *.XPSReg file exists and whether it matches.

(If you do not specify a hostname/IP, localhost is assumed.)

 

If the file exists, the Policy Server generates a TrustedHost and the other objects needed to trust this AdminUI.

AdminUI also creates similar files at "<AdminUI>/server/default/data" folder.

 

 

 

You can now log out and log in again to see the difference.

The difference is that there is now a dropdown menu for the "Server" where there was just an input box before.

 

 

Once you successfully logon for the first time, the "siteminder.XPSReg" file is deleted.

 

 

And in the "<AdminUI>/server/default/data/siteminder" folder, you will find that a conf file has been created with the details of the policy server.

"policystorename" is what appears in the "Server" dropdown list.

 

If you are going to manage multiple Policy Servers, you will need to configure an External Administrator.

 

  • Configuring External Administrator

First, you need to know where the Administrators are.

In my case, I will have them in the Active Directory.

 

So, before we go and configure anything, we need to create some users in the AD.

 

I am creating "smuser" to Administer SiteMinder.

 

I am also setting the password to not expire nor allow changing.

 

Log on to the SiteMinder AdminUI and navigate to "Administration ==> Admin UI ==> Configure Administrative Authentication".

 

Select the Directory Type "Active Directory (AD)".

 

Enter the details. Then click on the "Show Certificates" button to import the ROOTCA.cer into AdminUI.

Enter the desired Alias and the file path to ROOTCA.cer (C:\Program Files (x86)\CA\siteminder\certs\ROOTCA.cer), then click "OK" and "Next".

 

You get to choose the objectclass for the Administrator.

If your Administrators are "inetorgperson" objects, you may need to choose that here.

But in my case they were created with the "User" objectclass, so I will just click "Next".

 

All the attributes are pre-populated except for the "Disabled State".

It has to be an attribute that can store a string; it does not need to be able to store binary.

So, instead of creating a new attribute, I simply chose "carLicense". I will need to make sure I am not updating carLicense for any other purpose.

It then has to be exclusive to SiteMinder so I don't cause confusion for the Policy Server.
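Since the attribute is going to be overwritten by SiteMinder, it is worth checking on the DC that nothing else already populates it, and that the administrator account carries the password flags set earlier. The following script is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available on the domain controller.

```powershell
# Added example (not from the original post). Run on the DC before handing
# "carLicense" to SiteMinder as the Disabled State attribute: it lists any
# account that already has a value there (a conflict, since SiteMinder will
# write its own string into it) and reports the password flags on the
# administrator account. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-CarLicenseUsers {
    # Every user with carLicense populated is a potential conflict.
    Get-ADUser -Filter 'carLicense -like "*"' -Properties carLicense |
        Select-Object SamAccountName, carLicense
}

function Test-SmAdminAccount([string]$SamAccountName = 'smuser') {
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordNeverExpires, CannotChangePassword
    New-Object PSObject -Property @{
        Account              = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires   # set in the post
        CannotChangePassword = $u.CannotChangePassword   # set in the post
    }
}

$inUse = @(Get-CarLicenseUsers)
if ($inUse.Count -gt 0) {
    Write-Warning "carLicense is already populated on $($inUse.Count) account(s); choose another attribute."
    $inUse | Format-Table -AutoSize
} else {
    Write-Host 'carLicense is unused; it can be dedicated to SiteMinder.'
}
Test-SmAdminAccount 'smuser' | Format-List
```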

 

As I created "smuser" to be registered as SiteMinder Administrator, I am searching "smuser".

 

"smuser" is found. Click "Next".

 

You will be shown some details about what you are configuring.

Click "Finish" to complete this.

 

This will re-configure AdminUI, so you will no longer be able to log on to AdminUI using the "siteminder" user that exists in the policy store.

AdminUI will be restarted automatically.

 

 

Once the AdminUI logon screen is displayed again, you can log on as "smuser".

Enter the credentials and click "SIGN IN".

 

You are now logged on as an external administrative user.

 

If you go back to "Administration ==> Admin UI ==> Configure Administrative Authentication" again, it will show you what is currently configured and provide an option to re-configure.

 

 

And if you go to "Administration ==> Administrator ==> Administrators" you will find the "smuser" that was registered.


 

If you go to the "<AdminUI>/server/default/data/siteminder" folder, you will find that a new folder called "directories" has been created, containing an "ActiveDirectory---xxxxxxxx.xml" file.

It holds the information that you configured for the External Administrator.

There are no objects created at this point, but we will create them as we go.

 

 

This concludes Part 7 of ALL IN ONE Image.


13. CA Single Sign-On Policy Server

 

Downloaded "ps-12.52-sp01-cr02-win32.zip".

In order to enable most of the available features of the Policy Server, I will be installing some additional Windows services.

 

Load "Server Manager" and go to "Features".

 

Click on "Add Features" and select "SNMP Services" and install.

 

This will install "SNMP Service".

Double click on the "SNMP Service" and configure the "Traps" and "Security" tab.

 

 

  • Install Policy Server

Extract the zip file and run "ca-ps-12.52-sp01-cr02-win32.exe".

 

Policy Store cannot be configured right now because I will be using CA Directory as Policy Store.

 

The Advanced Auth Service is being configured, but this is not a valid configuration because there is no policy store yet.

So, this needs to be configured again later.

 

Don't restart the machine yet.

 

Create a Policy Server user account.

Under "Managed Service Accounts" (actually it doesn't really matter where), create a "User".

Load the System Properties and check the Environment Variables for "System".

You will find "ARCOT_HOME=C:\Program Files (x86)\CA\aas".

This is from the RiskMinder component introduced to Policy Server.

Later when SPS is installed, it also needs to set this same ARCOT_HOME but with different value.

So, in order to prevent this conflict, I am moving this to "policyserver" user's local user environment.

 

But first, you need to remove this "ARCOT_HOME" from here.

And in order to log on to this Domain Controller as the "policyserver" user, I need to add this user to the "Domain Admins" group.

Now, Switch User (Start Menu ==> Log off ==> Switch user) to the policyserver user.

 

Now, set the ARCOT_HOME environment variable as a user variable, with the value noted above.

Next is to make the Policy Server run as the "policyserver" service account.

 

You will get a notification that the policyserver account has been granted the service logon right.

 

You should see on the service entry that "Log On As" is set to "policyserver".

 

You MUST do the same for the "CA RiskMinder Service" as well.

These 2 services must be started as the "policyserver" user.

After this, if the RiskMinder service starts up, you should be able to confirm it is functional by looking at its cariskminderstartup.log in the "C:\Program Files (x86)\CA\aas\logs" folder.

 

Now, log out the policyserver user and log on as "Administrator".

Because the Policy Server's environment variables are set at the System level, and only ARCOT_HOME was moved to a user variable, Administrator can run all the Policy Server commands.

 

  • smreg

The documentation explicitly says not to leave a copy of smreg.exe and XPSSecurity.exe on the Policy Server machine, but as this is a sandbox I am placing them in the "<policyserver>/bin" folder.

 

 

  • Preparing CA Directory as Policy Store

The Policy Server cannot automatically configure CA Directory as the Policy Store.

It has to be done manually.

 

 

Copy the following policy store schema files to the "C:\Program Files\CA\Directory\dxserver\config\schema\" folder.

     C:\Program Files (x86)\CA\siteminder\eTrust\netegrity.dxc

     C:\Program Files (x86)\CA\siteminder\xps\db\etrust.dxc

 

Copy "C:\Program Files\CA\Directory\dxserver\config\schema\default.dxg" to "SiteMinder.dxg".

Modify the "SiteMinder.dxg" file to add the policy store schema files as below, and save.

 

source "netegrity.dxc";

source "etrust.dxc";

 

Copy "C:\Program Files\CA\Directory\dxserver\config\limits\default.dxc" to "SiteMinder.dxc".

Remove the "Read-Only" attribute.

Update the tuning parameters as below.

 

# size limits

#set max-users = 255;

set max-op-size = 20000; #This determines max entries to be returned at a time. This value has to be high enough if you have a large policy store.

#set multi-write-queue = 20000;

# size limits

set max-users = 1000;

set credits = 5;

set max-local-ops = 1000;

# set max-op-size = 4000;

set multi-write-queue = 20000;

 

 

Update "C:\Program Files (x86)\CA\Directory\dxserver\config\servers\PRIMARY.dxi" so that it references the new schema and limits files, as below.

 

# schema

# source "../schema/default.dxg";

source "../schema/SiteMinder.dxg";

# service limits

# source "../limits/default.dxc";

source "../limits/SiteMinder.dxc";

 

Add the following tuning parameter for the Policy Store (CA Directory r12 SP1 or later).

 

set ignore-name-bindings = true;

 

 

Restart the DSA instance.

 

dxserver stop PRIMARY

dxserver start PRIMARY
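The steps above (schema copy, SiteMinder.dxg, SiteMinder.dxc, the PRIMARY.dxi references, the tuning parameter and the DSA restart) can be scripted. This is an added example, not CA's or the post's own tooling; $DxHome, $SmHome and $Dsa are assumptions taken from the paths used above, and the script places "set ignore-name-bindings = true;" in the .dxi file, which the text does not specify.

```powershell
# Added example (not from the original post): scripts the CA Directory policy
# store preparation steps above. $DxHome/$SmHome/$Dsa are assumptions taken
# from the paths the post uses; adjust them to your install.
param(
    [string]$DxHome = 'C:\Program Files\CA\Directory\dxserver',
    [string]$SmHome = 'C:\Program Files (x86)\CA\siteminder',
    [string]$Dsa    = 'PRIMARY'
)
$ErrorActionPreference = 'Stop'
$schemaDir = Join-Path $DxHome 'config\schema'
$limitsDir = Join-Path $DxHome 'config\limits'
$dxi       = Join-Path $DxHome "config\servers\$Dsa.dxi"

# Comments out any active 'set <name> = ...;' line and appends the new value.
function Set-DxParam([string]$File, [string]$Name, [string]$Value) {
    $text = [IO.File]::ReadAllText($File)
    $pattern = '(?m)^(\s*)(set\s+' + [regex]::Escape($Name) + '\s*=.*)$'
    $text = [regex]::Replace($text, $pattern, '$1# $2')
    [IO.File]::WriteAllText($File, $text.TrimEnd() + "`r`nset $Name = $Value;`r`n")
}
# Replaces a 'source' line with a commented copy followed by the new reference.
function Swap-DxSource([string]$Text, [string]$Old, [string]$New) {
    if (-not $Text.Contains($Old)) { throw "Expected '$Old' in $dxi" }
    return $Text.Replace($Old, "# $Old`r`n$New")
}

# 1. Copy the policy store schema files shipped with the Policy Server.
Copy-Item (Join-Path $SmHome 'eTrust\netegrity.dxc') $schemaDir -Force
Copy-Item (Join-Path $SmHome 'xps\db\etrust.dxc')   $schemaDir -Force

# 2. SiteMinder.dxg = default.dxg plus the two policy store schema sources.
$dxg = Join-Path $schemaDir 'SiteMinder.dxg'
Copy-Item (Join-Path $schemaDir 'default.dxg') $dxg -Force
$text = [IO.File]::ReadAllText($dxg).TrimEnd()
[IO.File]::WriteAllText($dxg, $text + "`r`nsource `"netegrity.dxc`";`r`nsource `"etrust.dxc`";`r`n")

# 3. SiteMinder.dxc = default.dxc, made writable, with the tuning values above.
$dxc = Join-Path $limitsDir 'SiteMinder.dxc'
Copy-Item (Join-Path $limitsDir 'default.dxc') $dxc -Force
Set-ItemProperty $dxc -Name IsReadOnly -Value $false
Set-DxParam $dxc 'max-users'         '1000'
Set-DxParam $dxc 'credits'           '5'
Set-DxParam $dxc 'max-local-ops'     '1000'
Set-DxParam $dxc 'max-op-size'       '20000'   # must cover the largest policy store read
Set-DxParam $dxc 'multi-write-queue' '20000'

# 4. Point the DSA at the new schema/limits files and add the tuning parameter.
$text = [IO.File]::ReadAllText($dxi)
$text = Swap-DxSource $text 'source "../schema/default.dxg";' 'source "../schema/SiteMinder.dxg";'
$text = Swap-DxSource $text 'source "../limits/default.dxc";' 'source "../limits/SiteMinder.dxc";'
[IO.File]::WriteAllText($dxi, $text)
Set-DxParam $dxi 'ignore-name-bindings' 'true'   # placed in the .dxi here (assumption)

# 5. Restart the DSA so it loads the new schema.
& dxserver stop  $Dsa
& dxserver start $Dsa
```

After the restart, the JXPlorer check described next (sm* and xps* objectclasses under the "Schema" tab) confirms the schema was picked up.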

 

 

Connect to the Policy Store instance using JXPlorer.

 

If everything went well, when you navigate to the "Schema" tab and look at the "objectclass" branch, you should see all the SiteMinder objectclasses.

Those named "sm*" are for the legacy store and "xps*" are for the XPS Policy Store.

 

The work is not complete yet; you will need to manually create the OU structure.

 

At the O=SM branch, right-click and select "New" to create "OU=Netegrity".

Repeat the steps to create the following.

 

OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,O=SM

 

 

Now this PRIMARY instance is ready to be set up as the policy store.

 

  • Configuring Policy Store

Load "smconsole" (aka the Policy Server Management Console), enter the PRIMARY DSA instance details and click "Test LDAP Connection" to confirm it connects successfully.

 

 

Also, configure the Key Store settings to point to the Policy Store. Click "Apply".

 

 

Open a command line and change directory to "C:\Program Files (x86)\ca\siteminder\xps\dd".

Run the command "XPSDDInstall SmMaster.xdd".

 

You will find objects are created under the OU=XPS.

 

Now change directory to "C:\Program Files (x86)\ca\siteminder\db".

There are several XML files, but all of them are incorporated into "smpolicy.xml".

So, you only need to import "smpolicy.xml":

 

xpsimport smpolicy.xml -npass

You will find objects are created under OU=PolicySvr4.

 

Now, you need to create the "SiteMinder" super user.

Run "smreg -su <password>" to create it and set the password.

 

Reboot the machine as it has not been done yet after the installation.

 

  • Reconfigure the RiskMinder component.

During the installation, the Policy Store was not configured by the Wizard, but the RiskMinder component was.

The RiskMinder component cannot be configured properly without the policy store, so this step needs to be run again.

 

Run the "Policy Server Configuration Wizard".

 

No need to choose any features to configure. Just click "Next".

 

You will be asked to enter the "Master Key". This only accepts alphanumeric characters!!!

This is not the Policy Store encryption key. This is a key used by the RiskMinder component.

You must keep a record of this key, as you will need it in the future.

 

It asks again to set a password for the "SiteMinder" super user.

You cannot skip this part without entering a value, so enter whatever password suits you. You will use it to administer the Policy Server.

 

Note: as the configuration wizard sets "ARCOT_HOME" in the system variables again, please remove it again.

 

Also, later when you have configured the SiteMinder AdminUI, you will see that a "Default_<PolicyServerMachineName>_AAS" HostConfigObject has been created, as below.

AdminUI is not installed yet, so you won't be able to see this there, but you can check with XPSExplorer.

If you have 2 Policy Servers, you should see 2 HCOs named "Default_<PolicyServerMachineName>_AAS".

If you don't have the matching number of HCO objects, check the Policy Server hostnames to determine which one needs to run the configuration wizard to register itself.

 

 

  • OneView Monitor

At this point, you will be able to access http://www.sso.lab/sitemindermonitor/ to view the OneView Monitor.

 

 

  • SSL communication to LDAP backends

It is common to communicate with backend LDAP servers over SSL.

 

Navigate to http://www.sso.lab/certsrv/ and download the "CA Certificate".

 

Create the "C:\Program Files (x86)\ca\siteminder\certs" folder.

Rename the newcer.cer to ROOTCA.cer and copy it to "C:\Program Files (x86)\ca\siteminder\certs".

 

Open a command line and change directory to "C:\Program Files (x86)\ca\siteminder\certs".

Run the following command to create the cert8.db file.

 

certutil -A -n "ALLINONE Root CA" -t "C,," -i ROOTCA.cer -d .

 

This command creates the cert8.db, key3.db and secmod.db files if they do not exist, and adds the certificate as a trusted Root CA certificate.

If you already have the cert8.db, key3.db and secmod.db files, it only adds the certificate.

 

Now, load smconsole and enter the configuration on the "Data" tab.

Select the "cert8.db" file and click "Apply".

 

 

Now, the Policy Server should be able to connect to any LDAP server over SSL, as long as its certificate was issued by the Root CA that was imported into cert8.db.

 

  • SNMP monitoring

 

Navigate to "C:\Program Files (x86)\CA\siteminder\bin" and run "SnmpWalkRun.bat".

Then in the "OID" field type "products" (or select an entry from the dropdown menu) and click on "Walk".

If it is configured correctly, you should see the following. (Ignore the popup message about "End of MIB".)

In this case, you can see that the port used was "161", which goes through the OS's master SNMP agent.

If you want to test the "Netegrity SNMP Agent" directly, change the port to "8001" and try again.

The configuration is in the "C:\Program Files (x86)\CA\siteminder\config\snmp.conf" file.

Update the file as below.

 

LOG_FILE=C:\Program Files (x86)\CA\siteminder\log\SNMP.log

TRAP_RECEIVER(Y/N)=Y

 

And for SNMP trap messages, modify the "C:\Program Files (x86)\CA\siteminder\config\snmptrap.conf" file as below.

 

 

  • Adding Event Handler

 

 

Execute the following commands on the Policy Server, in these steps:

  1. Open a command line on the Policy Server, and enter the following command: xpsconfig

     The tool starts and displays the name of the log file for this session, and a menu of choices opens.

  2. Enter the following: xps

     A list of options appears.

  3. Enter the following: 5(AuditSMHandlers)

     The settings for the event handler libraries appear.

  4. Type C, and then enter the path and file name of the event handler library ("C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"). The settings for the event handler libraries appear again, with the value you added shown at the bottom as a "pending value."

  5. Enter Q and [ENTER] three times to end your XPS session.

  6. Restart the Policy Server.

 

In smps.log, you should find the following entry.

 

     [5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"
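Since every library registered this way gets loaded into the Policy Server process, that log entry is also worth watching on an ongoing basis. The following script is an added example, not part of the original post: it parses smps.log lines in the format shown above and reports each loaded event handler, flagging any that is not on an expected list (the sample lines are constructed, the second one deliberately made up).

```powershell
# Added example (not from the original post): parses smps.log lines in the
# format shown above and reports every event handler library the Policy
# Server says it loaded, flagging any not on the expected list. The sample
# lines below are constructed; pass the real file with Get-Content smps.log.
function ConvertFrom-SmpsLogLine([string]$Line) {
    # Layout: [pid/tid][timestamp][source:line][function][level][msgid] message
    $m = [regex]::Match($Line,
        '^\s*\[(?<pid>\d+)/(?<tid>\d+)\]\[(?<time>[^\]]+)\]\[(?<src>[^\]]+)\]\[(?<func>[^\]]+)\]\[(?<level>[^\]]+)\]\[(?<id>[^\]]+)\]\s*(?<msg>.*)$')
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        Time    = $m.Groups['time'].Value
        Level   = $m.Groups['level'].Value
        MsgId   = $m.Groups['id'].Value
        Message = $m.Groups['msg'].Value
    }
}

function Get-LoadedEventHandlers([string[]]$Lines, [string[]]$Expected) {
    foreach ($line in $Lines) {
        $e = ConvertFrom-SmpsLogLine $line
        # sm-xpsxps-06860 is the message id the post shows for a loaded handler
        if ($e -eq $null -or $e.MsgId -ne 'sm-xpsxps-06860') { continue }
        if ($e.Message -match 'Event handler library loaded:\s*"([^"]+)"') {
            New-Object PSObject -Property @{
                Time     = $e.Time
                Library  = $Matches[1]
                Expected = ($Expected -contains $Matches[1])   # case-insensitive
            }
        }
    }
}

# Only the SNMP event handler configured above is expected on this box.
$expected = @('C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll')

# Constructed sample: the line from the post plus one made-up extra library.
$sample = @(
    '[5032/5036][Thu Nov 05 2015 15:47:20][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Program Files (x86)\CA\siteminder\bin\eventsnmp.dll"',
    '[5032/5036][Thu Nov 05 2015 15:47:21][SmEventWedge.cpp:321][LateInit][INFO][sm-xpsxps-06860] Event handler library loaded: "C:\Temp\extra.dll"'
)
Get-LoadedEventHandlers -Lines $sample -Expected $expected |
    Format-Table Time, Library, Expected -AutoSize
```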

 

 

 

This concludes Part 6 of ALL IN ONE Image.