This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.
WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT OF GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH A CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.
The following components will be installed.
01. Install OS (Windows 2008 R2 - English)
02. Microsoft Loopback Adapter
03. Active Directory
06. Certificate Authority
07. MSSQL 2012
08. JDK 1.7.0_80 (32bit and 64bit)
09. NewAtlanta ServletExec 6.0
10. ASF Apache
11. CA Directory
12. Oracle Directory Server 11g
13. CA Single Sign-On Policy Server
14. CA Single Sign-On AdminUI
15. CA Single Sign-On Web Agent/Option Pack
16. CA Single Sign-On Secure Proxy Server
17. CABI 3.3
Some trivial steps are skipped, such as installing the OS and promoting the server to a Domain Controller.
14. CA Single Sign-On AdminUI
There are 2 components to install.
You need to extract the files and combine them in the same folder, so you will have the following 3 files in the same folder.
Server Host: TESTMC1.sso.lab <== This is fine.
Server Port: 18080 <== The default is 8080, which would conflict with the SPS Tomcat, so I am changing it to 18080.
That is all. When you click "Done", it closes this pre-req installation and launches the AdminUI installer.
The installer automatically detects where to install.
Installation is complete.
IE will open and load https://testmc1.sso.lab:8443/iam/siteminder/adminui
Before you can log on, you need to prepare the registration.
Open a command line and run the following command. (To avoid confusion: XPSRegClient needs to be run on the Policy Server side.)
The syntax is "XPSRegClient <SiteMinder Administrator Name:Password> -adminui-setup".
C:\> xpsregclient siteminder:password -adminui-setup
This creates a "<AdministratorName>.XPSReg" file in the "<Policy Server>/bin" folder.
When you try to log in to the AdminUI with the same username and password, if you have specified a Policy Server host/IP, the AdminUI contacts the Policy Server at that address and checks whether such a *.XPSReg file exists and matches.
(If you do not specify a hostname/IP, it assumes localhost.)
If the file exists, the Policy Server generates a TrustedHost and the other objects needed to trust this AdminUI.
The AdminUI also creates similar files in the "<AdminUI>/server/default/data" folder.
You can now log out and log in again to see the difference.
The difference now is that there is a dropdown menu for the "Server", where before it was just an input box.
Once you have successfully logged on for the first time, the "siteminder.XPSReg" file is deleted.
And in the "<AdminUI>/server/default/data/siteminder" folder, you will find a conf file has been created with the details about the Policy Server.
"policystorename" is what appears in the "Server" dropdown list.
If you are going to manage multiple Policy Servers, you will need to configure an External Administrator.
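The registration steps above, scripted so the password is not typed into the console history and the artifacts (the .XPSReg file before the first logon, the conf file after it) are actually checked. This is an added example and is not part of the original post or of the CA product. It assumes the Policy Server is installed under C:\Program Files (x86)\CA\siteminder (the path this post uses for its certs folder), that XPSRegClient.exe is in its bin folder, that the AdminUI install root is passed in by you, and that the conf file is key=value text; all of these are assumptions, not facts from the post.

```powershell
# Added example, not part of the original post: run the AdminUI registration
# on the Policy Server host and check the artifacts the post describes.
# Assumptions (adjust to your lab):
#   - Policy Server root is C:\Program Files (x86)\CA\siteminder
#     (the path the post uses for its certs folder);
#   - XPSRegClient.exe lives in <Policy Server>\bin;
#   - the AdminUI conf file written after the first logon is key=value text.

function Register-AdminUi {
    param(
        [string]$PolicyServerHome = 'C:\Program Files (x86)\CA\siteminder',
        [string]$AdminName        = 'siteminder'
    )
    $bin  = Join-Path $PolicyServerHome 'bin'
    $tool = Join-Path $bin 'XPSRegClient.exe'
    if (-not (Test-Path $tool)) {
        throw "XPSRegClient not found at '$tool'. Run this on the Policy Server, not the AdminUI host."
    }

    # Prompt for the password instead of typing it on the command line, so it
    # does not land in the console history. XPSRegClient still receives it as
    # an argument, so run this on the Policy Server console rather than over a
    # remote shell that logs command lines.
    $secure = Read-Host -AsSecureString "Password for SiteMinder administrator '$AdminName'"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $tool ("{0}:{1}" -f $AdminName, $plain) '-adminui-setup'
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    if ($LASTEXITCODE -ne 0) { throw "XPSRegClient exited with code $LASTEXITCODE" }

    # Success leaves <AdminName>.XPSReg in <Policy Server>\bin; it is consumed
    # (deleted) by the first successful AdminUI logon.
    $regFile = Join-Path $bin "$AdminName.XPSReg"
    if (-not (Test-Path $regFile)) { throw "Expected registration file '$regFile' was not created" }
    Get-Item $regFile
}

function Get-AdminUiRegistrationState {
    param(
        [Parameter(Mandatory)][string]$AdminUiHome,   # AdminUI install root (assumed; the post does not give it)
        [string]$PolicyServerHome = 'C:\Program Files (x86)\CA\siteminder',
        [string]$AdminName        = 'siteminder'
    )
    # A still-present .XPSReg means the registration was prepared but the first
    # logon has not happened yet; while it exists, an AdminUI presenting these
    # credentials to this Policy Server gets trusted, so do not leave it around.
    $pending = Test-Path (Join-Path $PolicyServerHome "bin\$AdminName.XPSReg")

    # After the first logon the post finds a conf file under
    # server\default\data\siteminder containing "policystorename"; the file
    # name is not given, so match on the key (assumed key=value layout).
    $dataDir = Join-Path $AdminUiHome 'server\default\data\siteminder'
    $hit = Get-ChildItem -Path $dataDir -Filter '*.conf' -ErrorAction SilentlyContinue |
           Select-String -Pattern 'policystorename' -List |
           Select-Object -First 1

    $confFile  = $null
    $storeName = $null
    if ($hit) {
        $confFile = $hit.Path
        $parts    = $hit.Line -split '[=:]', 2
        if ($parts.Count -ge 2) { $storeName = $parts[1].Trim() }
    }

    New-Object PSObject -Property @{
        RegistrationPending = $pending
        ConfFile            = $confFile
        PolicyStoreName     = $storeName    # what the "Server" dropdown shows
    }
}

# Usage on the Policy Server (AdminUI path below is an assumed example):
#   Register-AdminUi
#   # ... complete the first AdminUI logon in the browser ...
#   Get-AdminUiRegistrationState -AdminUiHome 'C:\Program Files\CA\siteminder\adminui'
```

Run Register-AdminUi, complete the first logon in the browser, then run Get-AdminUiRegistrationState: RegistrationPending should have flipped to False (the .XPSReg file was consumed) and PolicyStoreName should match the entry in the "Server" dropdown. If RegistrationPending is still True and you are not going to finish the registration, delete the .XPSReg file, since its presence is what lets the Policy Server create the TrustedHost for whichever AdminUI shows up with the matching credentials.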
Configuring External Administrator
First, you need to know where the Administrators are.
In my case, I will have them in Active Directory.
So, before we configure anything, we need to create some users in AD.
I am creating "smuser" to administer SiteMinder.
I am also setting the password to never expire and not allow the user to change it.
Log on to the SiteMinder AdminUI and navigate to "Administration ==> Admin UI ==> Configure Administrative Authentication".
Select "Active Directory (AD)" as the Directory Type.
Enter the details. Then click the "Show Certificates" button to import ROOTCA.cer into the AdminUI.
Enter the desired Alias and the file path to ROOTCA.cer (C:\Program Files (x86)\CA\siteminder\certs\ROOTCA.cer), then click "OK" and "Next".
You get to choose the objectclass for the Administrator.
If your Administrators are "inetorgperson" objects, you may need to choose that here.
But in my case they are created with the "User" objectclass, so I will just click "Next".
All the attributes are pre-populated except for the "Disabled State".
It has to be an attribute that can store a string. It does not need to be able to store binary.
So, instead of creating a new attribute, I simply chose "carLicense". I will need to make sure I am not updating carLicense for any other purpose.
It has to be exclusive to SiteMinder; otherwise anything else writing carLicense would change what the Policy Server sees as the administrator's disabled state.
As I created "smuser" to be registered as the SiteMinder Administrator, I search for "smuser".
"smuser" is found. Click "Next".
You will be shown some details about what you are configuring.
Click "Finish" to complete this.
This re-configures the AdminUI, so you will no longer be able to log on to the AdminUI using the "siteminder" user that exists in the policy store.
The AdminUI will be restarted automatically.
Once the AdminUI logon screen is displayed again, you can log on as "smuser".
Enter the credential and click "SIGN IN".
You are now logged on as an external administrative user.
If you go back to "Administration ==> Admin UI ==> Configure Administrative Authentication" again, it shows you what is currently configured and provides an option to re-configure.
And if you go to "Administration ==> Administrator ==> Administrators", you will find the "smuser" that was registered.
If you go to the "<AdminUI>/server/default/data/siteminder" folder, you will find a new folder called "directories" has been created, and in that folder there is an "ActiveDirectory---xxxxxxxx.xml" file.
It has the information that you configured for the External Administrator.
There are no objects created at this point, but we will create them as we go.
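The AD side of the External Administrator procedure above (creating "smuser" with a non-expiring, non-changeable password, and making sure the attribute repurposed for "Disabled State" is not already in use by anything else), done from PowerShell instead of the GUI. This is an added example, not the post's own steps or a CA tool. It assumes the domain sso.lab, the account name smuser and the attribute carLicense as chosen in this post, and that the ActiveDirectory module is available on the machine you run it from.

```powershell
# Added example, not part of the original post: the AD side of the External
# Administrator setup, done from PowerShell instead of the GUI. Requires the
# ActiveDirectory module (RSAT, or the AD DS tools on the domain controller).
# Assumptions: domain sso.lab, account smuser, "Disabled State" attribute
# carLicense, as chosen in this post.
Import-Module ActiveDirectory

function New-SiteMinderAdminUser {
    param(
        [string]$SamAccountName = 'smuser',
        [string]$Domain         = 'sso.lab',
        [string]$Path                       # target OU DN; omit for the default Users container
    )
    # Prompt rather than pass the password as a plain-text parameter.
    $password = Read-Host -AsSecureString "Password for $SamAccountName"

    $user = @{
        Name                 = $SamAccountName
        SamAccountName       = $SamAccountName
        UserPrincipalName    = "$SamAccountName@$Domain"
        AccountPassword      = $password
        Enabled              = $true
        PasswordNeverExpires = $true    # the post: password does not expire ...
        CannotChangePassword = $true    # ... and the user may not change it
    }
    if ($Path) { $user.Path = $Path }
    New-ADUser @user

    # Read back the two flags rather than trusting that the call did what was asked.
    Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, CannotChangePassword |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
}

function Test-DisabledStateAttributeUnused {
    param(
        [string]$Attribute = 'carLicense',
        [string[]]$Exempt  = @()         # accounts the Policy Server is expected to write
    )
    # The attribute chosen for "Disabled State" is written by the Policy Server
    # to record whether an administrator is disabled. Anything else that sets it
    # changes what the Policy Server sees, so list every user that already has a
    # value in it before committing to the attribute. Returns $true when clean.
    $inUse = Get-ADUser -LDAPFilter "($Attribute=*)" -Properties $Attribute |
        Where-Object { $Exempt -notcontains $_.SamAccountName }

    foreach ($u in $inUse) {
        # carLicense is multi-valued in the AD schema, hence the -join
        Write-Warning ("{0} already has {1}='{2}'" -f $u.SamAccountName, $Attribute, ($u.$Attribute -join ','))
    }
    return (@($inUse).Count -eq 0)
}

# Usage on the domain controller (TESTMC1 in this post):
#   Test-DisabledStateAttributeUnused -Attribute carLicense   # expect True before picking it in the wizard
#   New-SiteMinderAdminUser -SamAccountName smuser
```

Run the attribute check before choosing "carLicense" in the wizard; if it returns False, the warnings name the accounts that already carry a value, and either another attribute should be chosen or those accounts listed under -Exempt only if the Policy Server is meant to own them. After the wizard has run and "smuser" has logged on, run it again with -Exempt smuser to confirm nothing other than the registered administrator is using the attribute.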