SungHoon_Kim

Creating an ALL-IN-ONE VM Image - Part 8

Blog Post created by SungHoon_Kim Employee on Nov 13, 2015

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps, such as installing the OS and promoting it to a Domain Controller, are skipped.

 


15. CA Single Sign-On Web Agent/Option Pack

 

I have downloaded the following files.

 

smwa-12.52-sp01-cr03-win64-64.zip

smwaop-12.52-sp01-cr02-win64-64.zip

 

Extract both files and install the WebAgent first.

 

I will not be rebooting this machine just yet.

I will install WAOP now.

 

Choose the 64-bit JDK.

Now we can reboot this machine.

Next, create the Agent identity, ACO, HCO, etc. to configure this as a functional Web Agent protecting resources.

 

a. Create Agent Identity

Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agents

Click on "Create Agent"

Select "Create a new object of type Agent" and click "OK"

Enter the desired agent name and optionally its description.

In my case, I am used to using this format for the names:

<object type>.<name>

For example:

agent.iis

agent.apache2

or use the FQHN (fully qualified host name) as the name:

agent.www.sso.lab

agent.www.partner.lab

This also applies to other objects, for example:

aco.www.sso.lab

hco.www.sso.lab

hco.testmc1

rule.getpost

rule.onauthaccept

policy.testmc1

This is especially helpful when looking at the logs: you can immediately tell which site's agent it is and which resource it could be.

Back to the creation of the agent: click the "Submit" button.

 

b. Create Agent Configuration Object

 

Navigate to AdminUI ==> Infrastructure ==> Agent ==> Agent Configuration Objects

At the right pane, click "Create Agent Configuration"

 

Select "Create a copy of an object of type Agent Configuration"

Select "IISDefaultSettings"

Then click "OK"

 

 

Enter the Name as "aco.www.sso.lab" and the description as "www.sso.lab".

Scroll down to find "#DefaultAgentName" and click the edit button, which looks like a pen.

Note that the list has 175 configuration parameters, and more are available on the next pages.

 

 

Next, find "#LogoffUri" and edit it as below.

 

 

Next, find "CookieDomain" and edit as below.

 

Next, find "Logfile" and set the value to "Yes"

Next, find "LogFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_wa.log"

Next, find "TraceConfigFile" and set the value to "C:\Program Files\CA\webagent\win64\config\WebAgentTrace.conf"

Next, find "TraceFile" and set the value to "Yes"

Next, find "TraceFileName" and set the value to "C:\Program Files\CA\webagent\win64\log\iis_watrace.log"

All set, now click on "Submit"

 

 

c. Create Host Configuration Object

Navigate to "AdminUI ==> Infrastructure ==> Hosts ==> Host Configuration Objects"

Click on "Create Host Configuration" button at the right pane.

 

Select "Create a copy of an object of type Host Configuration" and then "DefaultHostSettings".

Then click "OK"

 

Enter the name as "HCO"; this is going to be my generic Host Configuration Object for most of the Web Agents.

Then enter the Policy Server IP (or hostname). I added 2 IPs just to add some fun to it.

Later, you can try adding a new IP and making it primary, then disable that NIC while the Policy Server is running to watch the agent fail over.

Back to the HCO configuration, click "Submit".

Now you have created all the minimum requirements (Agent Identity, ACO, HCO) to configure a Web Agent.

 

d. Agent Configuration

 

Run "Web Agent Configuration Wizard"

 

Select "Yes, I would like to do Host Registration now."

 

Here is where many people get confused.

The "Admin Registration" step asks for a SiteMinder Legacy Administrator who has the privilege to register Trusted Hosts.

If you remember, when you were installing the SiteMinder Policy Server you were also asked to enter a password for the SiteMinder Super User.

You need to enter that user if you have not created any Legacy Administrator who has the privilege to register trusted hosts.

(So you cannot use the "smuser" Administrator user from AD that you log in to AdminUI with. I will add a screenshot later to show what happens if you use a user who does not have the privilege, a non-existent user, or a wrong password.)

 

Next you add the Policy Server IP Addresses.

Select "FIPS Compatibility Mode".

 

The following is a screenshot in case you entered wrong SiteMinder Administrator information.

If you entered valid Administrator information, you will not see this screen.

 

 

 

The following is the list of Web Servers this Agent Configuration Wizard has detected and can configure.

If you recall, we did not install Apache 2.4.17; we merely copied the binary and had to manually create registry entries for it, without which this Apache would not appear here.

We only have an ACO for IIS for now, so select "Microsoft IIS 7.5" and click "Next".

You need to select a site, and we only have one, so choose "Default Web Site". Click "Next".

Enter the ACO name and click "Next".

 

Check "YES" and click on "Next".

 

 

 

Restart the IIS Web Server and then use IE to access http://www.sso.lab to see if the Web Agent log files are getting generated.

You can see from the above that there is "HTTP_SM_TRANSACTIONID"; this is proof that the Web Agent is enabled on this site.

Web Agent log files are also generated.

If the Web Agent is working fine, your wa.log should look like the one below, listing all its configuration parameters.

 

e. Deploy WAOP Affwebservices.

 

In the general use case you may not need this, but my sample environment is going to do Federated SSO, so this is being deployed.

Log on to the NewAtlanta ServletExec AdminUI to deploy the affwebservices.war file.

 

Navigate to "AdminUI ==> Web Applications ==> manage" and click "Add Web Application" button.

 

 

Application Name: any desired name

URL Context Path: /affwebservices

Location: C:\Program Files\CA\webagent\win64\affwebservices

 

Then "Submit".

 

 

It is now deployed.

You need to configure some files before it can work.

 

Open Windows Explorer and navigate to "C:\Program Files\CA\webagent\win64\affwebservices\WEB-INF\classes" folder.

Edit the "AffWebServices.properties" file as below.

 

From:

     AgentConfigLocation=D:\\netscape\\server4\\https-webserv1\\config\\WebAgent.conf

 

To:

     AgentConfigLocation=C:\\Program Files\\CA\\webagent\\win64\\bin\\IIS\\WebAgent.conf

 

What I am doing here is sharing the WebAgent.conf that was created for the IIS Web Agent.

WAOP does not recognize all the Agent Configuration Object parameters, so it is okay to share the IIS one as long as the CookieDomain is the same.

One more configuration change is required in the "LoggerConfig.properties" file.

 

From:

     TracingOn=N

 

To:

     TracingOn=Y

 

 

Other parameters should already have the correct values.

Also, I would advise leaving "LogLocalTime=N" as is, because assertions are based on GMT time.

With "LogLocalTime=N" this agent will log times in GMT, so it is easier to match the FWSTrace.log with the Fiddler trace.
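As an added example (not part of the original post, and not CA's code), the following Python script applies the two edits above to AffWebServices.properties and LoggerConfig.properties. It doubles the backslashes the way Java's .properties format requires (the reason the post's lines show "\\") and refuses to proceed if LogLocalTime is anything other than N. The key names, file names and the WebAgent.conf path are the ones shown in this post; the sample file contents inside the script are constructed, and the function names are my own.

```python
"""Apply the Web Agent Option Pack edits from this post to the two Java
.properties files under WEB-INF\\classes, with the escaping Java expects.
Added example; file names, keys and the WebAgent.conf path come from the post,
the sample contents below are constructed (not the shipped files)."""
import re
import shutil
from pathlib import Path

# The IIS Web Agent's WebAgent.conf that the post shares with WAOP.
NEW_AGENT_CONF = r"C:\Program Files\CA\webagent\win64\bin\IIS\WebAgent.conf"

# Constructed samples mirroring the lines the post quotes; not the shipped files.
AFFWEBSERVICES_SAMPLE = r"""# AffWebServices.properties (constructed sample)
AgentConfigLocation=D:\\netscape\\server4\\https-webserv1\\config\\WebAgent.conf
"""
LOGGER_SAMPLE = r"""# LoggerConfig.properties (constructed sample)
LogLocalTime=N
TracingOn=N
"""


def _escape(value: str) -> str:
    # In a .properties file a backslash is an escape character, so a Windows
    # path must be written with doubled backslashes or Java swallows them.
    return value.replace("\\", "\\\\")


def _unescape(raw: str) -> str:
    """Undo the common .properties escapes the way java.util.Properties does."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "t": "\t", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _key_pattern(key: str):
    # Matches "key = value" lines; lines commented out with # or ! do not match.
    return re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*)$",
                      re.MULTILINE)


def get_property(text: str, key: str):
    """Return the decoded value of key as Java would read it, or None if unset."""
    m = _key_pattern(key).search(text)
    return _unescape(m.group(1).rstrip()) if m else None


def set_property(text: str, key: str, value: str) -> str:
    """Replace the first 'key=...' line (or append one) with an escaped value."""
    escaped = _escape(value)
    pat = _key_pattern(key)
    if pat.search(text):
        # A callable replacement stops re.sub re-interpreting the backslashes.
        return pat.sub(lambda _m: f"{key}={escaped}", text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{key}={escaped}\n"


def configure_waop(aff_text: str, logger_text: str):
    """Apply the post's two edits and refuse to touch the GMT logging setting."""
    aff_text = set_property(aff_text, "AgentConfigLocation", NEW_AGENT_CONF)
    logger_text = set_property(logger_text, "TracingOn", "Y")
    if get_property(logger_text, "LogLocalTime") not in (None, "N"):
        raise ValueError("LogLocalTime must stay N so FWSTrace.log is in GMT")
    return aff_text, logger_text


def configure_files(classes_dir: Path) -> None:
    """Edit the real files in place, keeping a .bak copy of each first."""
    aff = classes_dir / "AffWebServices.properties"
    log = classes_dir / "LoggerConfig.properties"
    for p in (aff, log):
        shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    # java.util.Properties reads these files as ISO-8859-1.
    new_aff, new_log = configure_waop(aff.read_text(encoding="latin-1"),
                                      log.read_text(encoding="latin-1"))
    aff.write_text(new_aff, encoding="latin-1")
    log.write_text(new_log, encoding="latin-1")


if __name__ == "__main__":
    new_aff, new_log = configure_waop(AFFWEBSERVICES_SAMPLE, LOGGER_SAMPLE)
    print(new_aff)
    print(new_log)
    print("path as Java reads it:", get_property(new_aff, "AgentConfigLocation"))
```

Running the script as-is rewrites the constructed samples and prints the AgentConfigLocation value the way Java will decode it; to edit the real files call configure_files(Path(r"C:\Program Files\CA\webagent\win64\affwebservices\WEB-INF\classes")) from an elevated prompt. The get_property check is the useful part: if you ever write the path with single backslashes, Java strips them and WAOP ends up looking for a file that does not exist, which is exactly the failure the doubled backslashes in the post avoid.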

 

Restart the "ServletExec-testmc1" service (ServletExec).

It is a known issue that the ServletExec service on Windows has some problems shutting down.

If services.msc is not able to shut it down, you can run the script below to do the same.

 

"C:\Program Files\New Atlanta\ServletExecAS\se-testmc1\StopServletExec.bat"

 

Then you can simply start the service.

 

If everything is configured correctly, you should see the affwebserv.log as below.

 

 

 

This concludes Part 8 of ALL IN ONE Image.
