SungHoon_Kim

Creating an ALL-IN-ONE VM Image - Part 9

Blog Post created by SungHoon_Kim Employee on Nov 19, 2015

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.

 

16. CA Single Sign-On Secure Proxy Server

 

I have downloaded the following file.

 

     ca-proxy-12.52-sp01-cr02-win32.zip

 

Extract the zip file and execute the "ca-proxy-12.52-sp01-cr02-win32.exe" file.

 

Select the 32-bit JDK.


That is actually the end of the installation. Easy!

Shut down and take a VM snapshot, because things can get a bit tricky after this.

 

Before configuring the SPS Agent, we need to do some clean-up.

Windows "System" ==> Advanced system settings ==> Advanced ==> Environment Variables

Copy the "Path" variable's value into notepad.

 

Current System Environment Variables

1st section : Web Agent Environment Variables (with duplicates)

2nd section : Policy Server

3rd section : The rest

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files\CA\webagent\win32\bin;

C:\Program Files\CA\webagent\win64\bin;

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files (x86)\Java\jdk1.7.0_80\jre\bin;

C:\Program Files (x86)\CA\siteminder\bin;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty;

C:\Program Files (x86)\CA\siteminder\lib;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty\axis2c\lib;

%SystemRoot%\system32;

%SystemRoot%;

%SystemRoot%\System32\Wbem;

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;

C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\ManagementStudio\;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files\CA\Directory\dxserver\bin

 

Clean up the above to the following.

 

New System Environment Variables after clean up and re-ordering

1st section : Policy Server Environment Variables

2nd section : Web Agent Environment Variables

3rd section : The rest

C:\Program Files (x86)\Java\jdk1.7.0_80\jre\bin;

C:\Program Files (x86)\CA\siteminder\bin;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty;

C:\Program Files (x86)\CA\siteminder\lib;

C:\Program Files (x86)\CA\siteminder\bin\thirdparty\axis2c\lib;

C:\Program Files\CA\webagent\win64\install_config_info\lib;

%NETE_WA_PATH%;

C:\Program Files\CA\webagent\win32\bin;

%SystemRoot%\system32;

%SystemRoot%;

%SystemRoot%\System32\Wbem;

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;

C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\Tools\Binn;

C:\Program Files\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn\ManagementStudio\;

C:\Program Files (x86)\Microsoft SQL Server\110\DTS\Binn;

C:\Program Files\CA\Directory\dxserver\bin

 

Reboot the machine and verify that all the services are up and running fine.

Taking a look at the Windows system/application event logs and the service log files is a good way to confirm this.
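As an added example (not from the original post), here is a small Python pass that does the same de-duplication and re-ordering over a PATH value: duplicates are matched case-insensitively, and entries are ranked Policy Server first, Web Agent second, then the rest. The section markers are this example's own assumption; note that the post also drops the "webagent\win64\bin" entry by hand, which the script keeps because it is not a duplicate.

```python
# Added example, not from the original post: a dedupe-and-reorder pass over a
# Windows PATH value that mirrors the manual clean-up above. The section
# classification is this example's own assumption, not anything SPS does.

# rank 0 = Policy Server entries, 1 = Web Agent entries, 2 = everything else
SECTION_MARKERS = (
    (0, ("\\ca\\siteminder\\", "\\jdk1.7.0_80\\")),
    (1, ("\\ca\\webagent\\", "%nete_wa_path%")),
)

def section_of(entry):
    low = entry.lower()
    for rank, markers in SECTION_MARKERS:
        if any(m in low for m in markers):
            return rank
    return 2

def clean_path(path_value):
    """Return (cleaned_entries, duplicates_removed). Duplicates are matched on
    the lower-cased entry (Windows resolves PATH case-insensitively) and the
    first occurrence wins; list.sort() is stable, so entries within a section
    keep their original relative order."""
    seen, kept, dupes = set(), [], []
    for raw in path_value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        key = entry.lower().rstrip("\\")
        if key in seen:
            dupes.append(entry)
            continue
        seen.add(key)
        kept.append(entry)
    kept.sort(key=section_of)
    return kept, dupes

# Constructed sample: the "before" PATH from the post, with the SQL Server
# entries left out for brevity (they are part of "the rest" and keep their order).
BEFORE_PATH = ";".join([
    r"C:\Program Files\CA\webagent\win64\install_config_info\lib",
    "%NETE_WA_PATH%",
    r"C:\Program Files\CA\webagent\win32\bin",
    r"C:\Program Files\CA\webagent\win64\bin",
    r"C:\Program Files\CA\webagent\win64\install_config_info\lib",
    "%NETE_WA_PATH%",
    r"C:\Program Files (x86)\Java\jdk1.7.0_80\jre\bin",
    r"C:\Program Files (x86)\CA\siteminder\bin",
    r"C:\Program Files (x86)\CA\siteminder\bin\thirdparty",
    r"C:\Program Files (x86)\CA\siteminder\lib",
    r"C:\Program Files (x86)\CA\siteminder\bin\thirdparty\axis2c\lib",
    r"%SystemRoot%\system32",
    "%SYSTEMROOT%\\System32\\WindowsPowerShell\\v1.0\\",
    r"C:\Program Files\CA\Directory\dxserver\bin",
])
```

Calling clean_path(BEFORE_PATH) returns the reordered list plus the two duplicates it removed, so the same check can be re-run after any later installer appends to PATH again.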


Next is to configure the SPS Agent.

But before we go there, we need to create the necessary Agent Identity, ACO and HCO.

I will not use the existing HCO because I want all the ***.partner.lab traffic to go to the 192.168.201.104 Policy Server only.

 

Steps to create SPS Agent Identity and ACO are the same as the previous steps demonstrated for IIS.

 

Create "agent.sps" as Agent Identity.

Description is "www.partner.lab".


When creating the ACO, create a copy of "ApacheDefaultSettings".

 

Name is "aco.www.partner.lab".

Description is "www.partner.lab".

 

The following ACO parameters need to be modified.

 

#DefaultAgentName
to (Name = Value)
DefaultAgentName = agent.sps

#LogoffUri
to (Name = Value)
LogoffUri = /logout/

CookieDomain
to (Name = Value)
CookieDomain = .partner.lab

LogFileName
to (Name = Value)
LogFileName = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs\sps_wa.log

TraceConfigFile
to (Name = Value)
TraceConfigFile = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SecureProxyTrace.conf

TraceFile = no
to (Name = Value)
TraceFile = yes

TraceFileName
to (Name = Value)
TraceFileName = C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs\sps_watrace.log


And click "Submit".


Create HCO for SPS.

Create a copy of "DefaultHostConfiguration" and name it "HCO.SPS".

Enter the IP "192.168.201.104" and click "Submit".

 

Run "Secure Proxy Configuration Wizard".

 

Since our Policy Server is 12.52SP1CR2, select "12.5x.x".

This is to tell SPS which affwebservices.war to deploy, to match the policy server version.

 

To make it look like this SPS is running on a separate machine, I will be registering a Trusted Host for SPS.

So, SPS will use its own exclusive Trusted Host name and shared secret to communicate with the Policy Server.

 

Again, this Administrator is a legacy SiteMinder Administrator.

 

I am using only 192.168.201.104 as this IP was reserved for www.partner.lab so it will be easier to identify the communication based on the IP.


Policy Server is running on "FIPS Compatibility Mode" so this has to be matched.

 

The SmHost.conf file will be stored in the "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent" folder.

The moment you click "Next" here, it registers the trusted host for SPS (Tomcat) as well as for the Arcot component (Session Assurance).

So, if you click "Back" and then "Next" again after this, you will get a message saying "A trusted host with the same name already exists".

However, it does not generate the SmHost.conf file just yet. It does leave a "SmHost.conf_YYYY-MM-DD_HHMMSS.bk" file, which has the same content.

If you do get that message, delete the following before going any further.

     1. Delete TrustedHostObject(trust.sps)

     2. Delete TrustedHostObject(trust.sps_sa01)

     3. Delete WebAgent.conf (You would notice "HostConfigFile" value is empty)

     4. Delete AgentIdentity.dat


WebAgent.conf file will be stored at "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent" folder as well.

 

This is for protecting "http://<SPS>/proxyui", which is used to administer the SPS.

You can create a dedicated agent identity for that purpose, but I am just going to use "agent.sps".

However, I was not able to avoid the following error.

We will continue for now. Click on "Continue". (I will provide the steps to configure it manually. The ProxyUI app is actually deployed successfully but is not protected.)

Enter the Server Name as "www.partner.lab"

HTTP Port as "80"

SSL Port as "443"

This will actually listen on ALL IP addresses.

So, it will need to be modified manually to listen on the specific IP (192.168.201.104). <== We will get to this after the installation.


Change the HTTP Port from "8080" to "28080"

Change the SSL Port from "543" to "2543"


Change Shutdown Port from "8005" to "28005"

Change AJP Port from "8009" to "28009"

 

Select "Enable WebAgent" and "Enable Federation Gateway".


Enter the RiskMinder Master Key (which you entered while configuring the Policy Server).

This key does not support special characters.

It only supports alphanumeric characters, and you must enter the matching value you entered at the Policy Server side.


Navigate to "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\logs" and you will find all the logs there.

 

affwebserv.log

chsLogin.log

nohup.out20151119_160758.log

proxyui.log

server.log

sps_wa.log

sps_watrace.log

 

What you are missing here is the FWSTrace.log.

So, update the "C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties" file from

     // TracingOn can be Y, N
     TracingOn=N

to

     // TracingOn can be Y, N
     TracingOn=Y


Now, to make SPS listen on a specific IP address and not 0.0.0.0, you need to modify httpd.conf.

Navigate to "C:\Program Files (x86)\CA\secure-proxy\httpd\conf" and edit the httpd.conf file as below.

 

Restart "SiteMinder Proxy Engine" and "SiteMinder Secure Proxy" services and verify FWSTrace.log is created and SPS is listening on 192.168.201.104:80.

Below is a screenshot of "Before" and "After" the port configuration.

You can see from the first netstat that there is a service listening on "0.0.0.0:80", and in the latter netstat you don't see it.

Instead, you will see "192.168.201.104:80".

IF YOU RUN SPS CONFIGURATION WIZARD AGAIN OR CONFIGURE SSL, YOU MUST VERIFY THIS PORT SETTING AGAIN!!!
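To make that "before" and "after" netstat comparison repeatable, here is an added Python example (not part of the original post) that parses netstat -ano output and reports either a wildcard 0.0.0.0 binding or a missing listener on the reserved address. The netstat lines and PIDs are constructed to mirror the two states described above.

```python
# Added example, not from the original post: parse `netstat -ano` output and
# confirm that the SPS port is bound to the reserved address rather than to
# 0.0.0.0. The netstat lines below are constructed to mirror the "before" and
# "after" states described above; they are not a capture from the author's VM.
import re

# One LISTENING row of Windows `netstat -ano`: Proto, Local, Foreign, State, PID
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

def listeners(netstat_output):
    """Map (local_ip, port) -> pid for every TCP LISTENING row."""
    found = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found[(m.group("ip"), int(m.group("port")))] = int(m.group("pid"))
    return found

def check_binding(netstat_output, expected_ip, ports=(80,)):
    """Return a list of problems; an empty list means the binding is as intended.
    A 0.0.0.0 listener is reported even if the specific-IP listener also exists,
    because the wildcard socket still exposes the service on every interface."""
    found = listeners(netstat_output)
    problems = []
    for port in ports:
        if ("0.0.0.0", port) in found:
            problems.append("port %d is bound to 0.0.0.0 (all addresses)" % port)
        if (expected_ip, port) not in found:
            problems.append("no listener on %s:%d" % (expected_ip, port))
    return problems

# Constructed samples (PIDs are made up), one per state described in the post.
NETSTAT_BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
"""
NETSTAT_AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.201.104:80     0.0.0.0:0              LISTENING       1234
  TCP    192.168.201.104:443    0.0.0.0:0              LISTENING       1234
"""
```

Pass ports=(80, 443) once SSL is configured, since the post warns that re-running the wizard or enabling SSL can put the wildcard binding back.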

 

Now, if you access http://www.partner.lab and if you get to see the CA website content, then your SPS is working correctly.

 

Now, we don't want to see ca.com site contents in our ALL-IN-ONE image.

SPS needs to have a backend server to host the content so I am going to create another IIS site instance and configure SPS to forward the request to that site instead.

This will allow us to have an isolated environment.

 

Firstly, go to "C:\inetpub\" folder and create "www.partner.lab" folder.

Place some documents in that folder to be hosted by the new web instance.

(In my case, I have asp pages that dump headers so I will be using that. To make it look different from the www.sso.lab site contents, I will use different colour theme)

 

Load the "Internet Information Services (IIS) Manager".

At "Sites" level, there is "Add Web Site" option at the right pane under Actions.


SiteName: www.partner.lab

Physical Path: C:\inetpub\www.partner.lab

Binding Type: http

Binding IP address: 192.168.201.101

Binding Port: 81

Binding Host Name: <null>

 

Click OK and your web instance is ready.

(Don't forget to check the "Default Document" if you have a specific page that needs to be served.)


Test the site by accessing "http://192.168.201.101:81"

Next is to configure SPS to forward the request to this site instead of "http://www.ca.com"

 

Modify the "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\proxyrule.xml"

 

Before edit

     <nete:proxyrules xmlns:nete="http://www.ca.com/">

          <nete:forward>http://www.ca.com$0</nete:forward>

     </nete:proxyrules>

 

After edit

     <nete:proxyrules xmlns:nete="http://www.ca.com/">

          <nete:forward>http://192.168.201.101:81$0</nete:forward>

     </nete:proxyrules>

 

Restart "SiteMinder Proxy Engine" services and access "http://www.partner.lab" and see if the content has changed.

(Note the "Welcome to 192.168.201.101:81" at the title bar as well as the "HTTP_HOST:192.168.201.101:81" in the "ALL_HTTP" section.)

 

It looks good.

Don't worry about the HTTP_HOST header being "192.168.201.101:81", because it won't be disclosed unless you intentionally reveal it, as I am doing here.

You can also choose to forward the HTTP_HOST header value to the backend as well.

Modify the "C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\server.conf" file.

 

Before edit

     <VirtualHostDefaults>
     # default session scheme
     defaultsessionscheme="default"
     enablerewritecookiepath="no"
     enablerewritecookiedomain="no"
     enableproxypreservehost="no"
     filteroverridepreservehost="no"

After edit

     <VirtualHostDefaults>
     # default session scheme
     defaultsessionscheme="default"
     enablerewritecookiepath="no"
     enablerewritecookiedomain="no"
     enableproxypreservehost="Yes"
     filteroverridepreservehost="no"

 

Restart "SiteMinder Proxy Engine" service and access "http://www.partner.lab" and see if the HTTP_HOST value now reflects the correct name.

 

Now, going back to the SPS ProxyUI.

As mentioned before, the proxyui app is deployed successfully.

Test by accessing "http://www.partner.lab:28080/proxyui"

 

As the application reports, it is not protected, but the application is running fine.

So, the following steps need to be performed to configure the protection.

(If you are not familiar with creating objects right now, you can skip this step and come back to it when you are, because there is not much we will be using it for at this point. It's okay to do this later.)

 

Create the following: (The names do not exactly have to match but what I am listing below is what the configuration wizard would have created)

 

User Directories = SSOLAB DOMAIN USERS

Logon to AdminUI, navigate to "AdminUI ==> Infrastructure ==> Directory ==> User Directories" and click on "Create User Directory"

Enter the following information.

Name : SSO LAB Domain Users

Namespace: LDAP:

Server: 192.168.201.101 192.168.201.102

Require Credentials: <check this box>

Username: CN=Administrator,CN=Users,DC=SSO,DC=LAB

Password: <Administrator password>

Root: DC=SSO,DC=LAB

Start: (samaccountname=

End: )

 

Then click "Submit"


Authentication Scheme = AUTHSCHEME-SPSADMINUI

Navigate to "AdminUI ==> Authentication ==> Authentication Schemes" and click on "Create Authentication Scheme"

Select "Create a new object of type Authentication Scheme" and click "OK"

Enter the following information.

Name: AUTHSCHEME-SPSADMINUI

Authentication Scheme Type: HTML Form Template

Protection Level: 5

Password Policies enabled for this Authentication Scheme: <leave it as is, default is checked>

Use Relative Target: <check this box, default is not checked>

Target: /proxyui/siteminderagent/forms/login.fcc

 

Then click "Submit"


DOMAIN = DOMAIN-SPSADMINUI-agent.sps

Navigate to "AdminUI ==> Policies ==> Domain" and click "Create Domain"

At the "General" tab, enter the following.

Name: DOMAIN-SPSADMINUI-agent.sps

User Directories: <Click "Add/Remove" and select "SSO LAB Domain Users" and click Right Arrow Button(only One Arrow) to move it to "Selected Members" and click "OK">

 

At the "Realms" tab, click on "Create Realm" and enter the following.

Name: REALM-SPSADMINUI-agent.sps

Agent: <Click "Lookup Agent/Agent Group" and select "agent.sps" and click "OK">

Resource Filter: /proxyui

Default Resource Protection: Protected

Authentication Scheme: <Select "AUTHSCHEME-SPSADMINUI" from dropdown menu>

Rules: <Click "Create" and follow instruction below>

Name: RULE-SPSADMINUI-agent.sps

Description: Rule for protecting Proxy UI

Resource: * (leave it as is, default is *)

Allow/Deny: Allow Access (leave it as is, default is Allow Access)

Action: Web Agent actions (leave it as is, default is Web Agent actions)

Action: <select "Get" and "Post", need to press CTRL button to make multiple selection>

Then click "OK"

Back at the "Realm" setting, select "Create" at "Sub-Realms"

Name: REALM-GRPSYNC-SPSADMINUI-agent.sps

Resource Filter: /GroupSyncServlet

Default Resource Protection: Unprotected

Then click "OK"

Back at the "Realm" setting, select "OK" to return to the Domain menu.

 

At the "Policy" tab, click "Create".

At the "General" tab enter the following.

Name: POLICY-SPSADMINUI-agent.sps

 

At the "Users" tab enter the following.

You will find "SSO LAB Domain Users" user directory appears.

Click on the "Add All" button. This basically allows any user to administer the SPS.

We can change this later, but will leave it as simple as possible for now.

 

At the "Rules" tab enter the following.

Click on "Add Rule"

Select "REALM-SPSADMINUI-agent.sps" rule and click "OK".

Back at Policy menu, click "OK".

Back at the "Domain" menu, click "Submit"

 

SPS ProxyUI is now protected.

Open IE and access "http://www.partner.lab:28080/proxyui" and you will see a login page this time.

Try to logon as "smuser"

You can ignore the "Error: Exception User might not have required permissions to get group information" message.

 

Now, you have successfully configured the basic components of SiteMinder on this machine.

You need to create some resources to protect and add some features to take advantage of this environment but that will come after setting up the report server.

 

The SQL Server installed in this environment is mainly there for the report server.

SiteMinder only supports ODBC as the audit store, and without one it cannot generate reports.

If you are not going to use reports, then I would not recommend installing SQL Server in this ALL-IN-ONE image, as it degrades the overall performance.

One piece of good news is that CA Directory is supported as the session store, so SQL Server is not really needed if you don't use the report server.


This concludes Part 9 of ALL IN ONE Image.
