This is something I like to do once in a while. It takes a long time to set everything up, but to me it is a hobby. It is like putting together jigsaw puzzles.
WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.
The following components will be installed.
01. Install OS (Windows 2008 R2 - English)
02. Microsoft Loopback Adapter
03. Active Directory
04. DNS
05. IIS
06. Certificate Authority
07. MSSQL 2012
08. JDK 1.7.0_80 (32bit and 64bit)
09. NewAtlanta ServletExec 6.0
10. ASF Apache
11. CA Directory
12. Oracle Directory Server 11g
13. CA Single Sign-On Policy Server
14. CA Single Sign-On AdminUI
15. CA Single Sign-On Web Agent/Option Pack
16. CA Single Sign-On Secure Proxy Server
17. CABI 3.3
Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.
15. CA Single Sign-On Web Agent/Option Pack
I have downloaded the following files.
smwa-12.52-sp01-cr03-win64-64.zip
smwaop-12.52-sp01-cr02-win64-64.zip
Extract both files and install the WebAgent first.
I will not be rebooting this machine just yet.
I will install WAOP now.
Choose the 64bit JDK.
Now, we can reboot this machine.
Next is to create the Agent, ACO, HCO, etc. to configure this as a functional Web Agent protecting resources.
a. Create Agent Identity
Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agents
Click on "Create Agent"
Select "Create a new object of type Agent" and click "OK"
Enter desired agent name and optionally its description.
In my case, I am used to using this format in the names.
<object type>.<name>
For example:
agent.iis
agent.apache2
or use the FQHN as the name.
agent.www.sso.lab
agent.www.partner.lab
and this also applies to other objects, for example:
aco.www.sso.lab
hco.www.sso.lab
hco.testmc1
rule.getpost
rule.onauthaccept
policy.testmc1
This is especially helpful when looking at the logs: you can immediately tell which site's agent it is and which resource it could be.
Back to creation of agent, click "Submit" button.
b. Create Agent Configuration Object
Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agent Configuration Objects
At the right pane, click "Create Agent Configuration"
Select "Create a copy of an object of type Agent Configuration"
Select "IISDefaultSettings"
Then click "OK"
Enter Name as "aco.www.sso.lab" and enter description "www.sso.lab".
Scroll down to find "#DefaultAgentName" and click on the edit button, which looks like a pen.
Note that there are 175 configuration entries and more are available on the next pages.
Next, find "#LogoffUri" and edit it as below.
Next, find "CookieDomain" and edit as below.
Next, find "Logfile" and set the value to "Yes"
Next, find "LogFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_wa.log"
Next, find "TraceConfigFile" and set the value to "C:\Program Files\CA\webagent\win64\config\WebAgentTrace.conf"
Next, find "TraceFile" and set the value to "Yes"
Next, find "TraceFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_watrace.log"
All set, now click on "Submit"
c. Create Host Configuration Object
Navigate to "AdminUI ==> Infrastructure ==> Hosts ==> Host Configuration Objects"
Click on "Create Host Configuration" button at the right pane.
Select "Create a copy of an object of type Host Configuration" and then "DefaultHostSettings".
Then click "OK"
Enter the name as "HCO"; this is going to be my generic HostConfigObject for most of the Web Agents.
Then enter the Policy Server IP (or hostname). I added 2 IPs just to add some fun to it.
Later, you can try adding a new IP and making it the primary, then disable that NIC while the Policy Server is running to see the agent fail over.
Back to HCO configuration, click "Submit"
Now you have created all the minimum requirements (Agent Identity, ACO, HCO) to configure a Web Agent.
d. Agent Configuration
Run "Web Agent Configuration Wizard"
Select "Yes, I would like to do Host Registration now."
Here is where many people get confused.
The account in "Admin Registration" is a SiteMinder Legacy Administrator who has the privilege to register "Trusted Hosts".
If you remember, when you were installing the SiteMinder Policy Server, you were also asked to enter a password for the SiteMinder Super User.
You need to enter that user if you have not created any Legacy Administrator who has the privilege to register trusted hosts.
(So, you cannot use the "smuser" Administrator User from the AD that you log in to the AdminUI with. I will add a screenshot later to show what will happen if you use a user who does not have the privilege, a non-existent user, or a wrong password.)
Next you add the Policy Server IP Addresses.
Select "FIPS Compatibility Mode".
The following is the screenshot you will see if you entered wrong SiteMinder Administrator information.
If you have entered valid Administrator information, you will not see this screen.
The following is the list of Web Servers the Agent Configuration Wizard has detected and can configure.
If you recall, we did not install Apache 2.4.17; we merely copied the binary
and had to manually create registry entries for it. Without those entries, this Apache would not appear here.
We only have ACO for IIS for now so select "Microsoft IIS 7.5" and click "Next".
You need to select a site and we only have 1 so choose "Default Web Site". Click "Next".
Enter the ACO name and click "Next".
Check "YES" and click on "Next".
Restart the IIS Web Server and then use IE to access http://www.sso.lab to see if the Web Agent log files are getting generated.
You can see from the above that there is an "HTTP_SM_TRANSACTIONID" server variable; this is proof that the Web Agent is enabled on this site.
Web Agent Log files are also generated.
If the Web Agent is working fine, your wa.log should look like the one below, listing all its configuration parameters.
e. Deploy WAOP Affwebservices.
In the general use case you may not need this, but my sample environment is going to do Federated SSO, so this is being deployed.
Logon to NewAtlanta ServletExec AdminUI to deploy the affwebservices.war file.
Navigate to "AdminUI ==> Web Applications ==> manage" and click "Add Web Application" button.
Application Name: any desired name
URL Context Path: /affwebservices
Location: C:\Program Files\CA\webagent\win64\affwebservices
Then "Submit".
It is now deployed.
You need to configure some files before it can work.
Open Windows Explorer and navigate to "C:\Program Files\CA\webagent\win64\affwebservices\WEB-INF\classes" folder.
Edit the "AffWebServices.properties" file as below.
From:
AgentConfigLocation=D:\\netscape\\server4\\https-webserv1\\config\\WebAgent.conf
To:
AgentConfigLocation=C:\\Program Files\\CA\\webagent\\win64\\bin\\IIS\\WebAgent.conf
What I am doing here is sharing the WebAgent.conf which was created for the IIS Web Agent.
WAOP does not recognize all the AgentConfigObject parameters, so it is okay to share it with the IIS one as long as the CookieDomain is the same.
And one more configuration change required for "LoggerConfig.properties" file.
From:
TracingOn=N
To:
TracingOn=Y
Other parameters should already have correct value.
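The two edits above are to Java .properties files, where a backslash is the escape character, which is why the Windows path has to be written with doubled backslashes. The script below is an added example, not CA's or New Atlanta's tooling: a small Java-properties editor that rewrites AgentConfigLocation and TracingOn in place, keeps comments and the other keys untouched, and escapes the path correctly. The file names and paths are the ones used in this walkthrough; the sample file contents are constructed.

```python
"""Apply the AffWebServices.properties and LoggerConfig.properties edits from the
walkthrough with a minimal java.util.Properties-style editor (added example)."""
import re
from pathlib import Path
from typing import Dict, Optional

# Paths from the walkthrough (WAOP installed under the 64-bit IIS Web Agent).
WIN64_HOME = r"C:\Program Files\CA\webagent\win64"
CLASSES_DIR = rf"{WIN64_HOME}\affwebservices\WEB-INF\classes"

# Logical (unescaped) values to set; escaping happens when the line is written.
EDITS: Dict[str, Dict[str, str]] = {
    "AffWebServices.properties": {"AgentConfigLocation": rf"{WIN64_HOME}\bin\IIS\WebAgent.conf"},
    "LoggerConfig.properties": {"TracingOn": "Y"},
}

# Constructed sample mirroring the shipped default shown above (not the real file).
SAMPLE_AFF = r"""# constructed sample of AffWebServices.properties
AgentConfigLocation=D:\\netscape\\server4\\https-webserv1\\config\\WebAgent.conf
SomeOtherKey=keep me
"""

# key, separator ('=', ':' or whitespace) and raw value; '#'/'!' lines are comments.
# Line continuations (trailing backslash) are not handled; neither file uses them.
_KEY_RE = re.compile(r"^(\s*)([^#!\s:=][^:=\s]*)(\s*[:=]\s*|\s+)(.*)$")


def escape_value(value: str) -> str:
    """Escape for java.util.Properties: each literal backslash becomes two."""
    return value.replace("\\", "\\\\")


def unescape_value(raw: str) -> str:
    """Undo the escapes a Windows path needs (\\\\ -> \\; \\t \\n \\r \\f kept as controls)."""
    controls = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    return re.sub(r"\\(.)", lambda m: controls.get(m.group(1), m.group(1)), raw)


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key set to value, rewriting the existing line in place and
    keeping its separator; comments and other keys are untouched; a missing key is appended."""
    out, replaced = [], False
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group(2) == key and not replaced:
            out.append(f"{m.group(1)}{key}{m.group(3)}{escape_value(value)}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{key}={escape_value(value)}")
    return "\n".join(out) + "\n"


def get_property(text: str, key: str) -> Optional[str]:
    """Read back the unescaped value of key, or None if absent."""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group(2) == key:
            return unescape_value(m.group(4).rstrip())
    return None


def apply_edits(classes_dir: str = CLASSES_DIR, edits: Dict[str, Dict[str, str]] = EDITS) -> Dict[str, str]:
    """Edit each file under classes_dir, keeping a .bak copy; returns the new contents."""
    results = {}
    for name, props in edits.items():
        path = Path(classes_dir) / name
        text = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1 by spec
        path.with_suffix(path.suffix + ".bak").write_text(text, encoding="latin-1")
        for key, value in props.items():
            text = set_property(text, key, value)
        path.write_text(text, encoding="latin-1")
        results[name] = text
    return results


if __name__ == "__main__":
    if Path(CLASSES_DIR).is_dir():
        for name, text in apply_edits().items():
            print(f"== {name} ==\n{text}")
    else:  # demo on the constructed sample when the WAOP tree is not present
        updated = set_property(SAMPLE_AFF, "AgentConfigLocation",
                               EDITS["AffWebServices.properties"]["AgentConfigLocation"])
        print(updated)
        print("reads back as:", get_property(updated, "AgentConfigLocation"))
```

Run it on the ServletExec host after the WAR is deployed; when the WEB-INF/classes directory is not present it only demonstrates the rewrite on the constructed sample. The read-back via get_property is the check worth keeping: it confirms the escaped line decodes to the exact WebAgent.conf path the IIS agent is using.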
Also, I would advise leaving "LogLocalTime=N" as is, because assertions are based on GMT time.
With "LogLocalTime=N", this agent will log time in GMT, so it is easier to match the FWSTrace.log with the Fiddler trace.
Restart "ServletExec-testmc1" service (ServletExec).
It is a known issue that the ServletExec service on Windows has some problem shutting down.
If services.msc is not able to shut it down, you can run the following script to do the same.
"C:\Program Files\New Atlanta\ServletExecAS\se-testmc1\StopServletExec.bat"
Then you can simply start the service.
If everything is configured correctly, you should see the affwebserv.log as below.