
Configuring an ALL-IN-ONE VM Image - Part 1

Blog Post created by SungHoon_Kim Employee on Nov 26, 2015

This is something I like to do once in a while. It takes a long time to set everything up, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

 

The All-In-One image has too many services to start at boot time.

This puts all the services in competition for resources and results in slower startup, or in services failing to start.

 

To work around this, I set the startup mode of those services to "Manual".

Then I use a batch file to start the services in serial order.

 

First, you need a list of the services that have to be managed, and you need to put them in order.

 

Service startup sequence should be as below.

1. LDAP/DB (backend services)

2. Policy Server

3. RiskMinder (and other Policy Server related services)

4. AdminUI

5. Web Servers/SPS

6. Application Servers (NewAtlanta ServletExec)

7. Report Server (optional)

 

The shutdown sequence will be the opposite.

 

Following are the actual service names in the startup sequence.

 

Service Name                 Description
MSSQLSERVER                  MS SQL Server (exclude this from the list; it can stay running all the time)
DXserver_PRIMARY             CA Directory (Policy Store)
Dsccagent11g-1               DSCC Agent for Oracle Directory Server
DirectoryServer7-2           Oracle Directory Primary Instance
DirectoryServer7-1           Oracle Directory ADS service
smpolicysrv                  SiteMinder Policy Server
SmServMon                    SiteMinder Health Monitor Service
CARiskMinder                 SiteMinder Policy Server RiskMinder Service
SMADMINUI                    SiteMinder AdminUI
"Agent Service"              SiteMinder SNMP Agent
W3SVC                        IIS Web Server
www.cookie.lab               Apache Web Server
"SiteMinderSecureProxy"      Secure Proxy Server - Apache
"SiteMinder Proxy Engine"    Secure Proxy Server - Tomcat
ServletExec-testmc1          NewAtlanta ServletExec for IIS
                             (for shutdown, use "C:\Program Files\New Atlanta\ServletExec AS\se-testmc1\StopServletExec.bat")
BOE120SIATESTMC1             SIA Service for Report Server
SQLANYs_BOE120SQLAW          DB Service for Report Server
BOE120Tomcat                 Tomcat Service for Report Server

 

Now load "services.msc" and set the "Startup type" of all the above services to "Manual", except for "MSSQLSERVER".

 

     - Startup/Shutdown scripts

 

Next is to create scripts to start up and shut down the services.

 

The startup script would simply list the above services in order, but it is also important to delete the log files before starting up.

Also, some services need time to initialize, so the batch file needs to monitor certain log files to determine whether a service started up fine, or retry if it failed to initialize.

 

The shutdown script is easy, as it just needs to shut down all the services; there is no need to check whether they went down successfully.

 

Lastly, the restart script is the one that will be used most, so I will not create a separate startup script.

It is a combination of the "Shutdown" script and the "Startup" script.

In this case, if certain services do not go down quickly, the restart script needs to kill those processes to move on to the next services.

Logs also need to be cleared, and the script must make sure all services are shut down before starting up again.

 

And for convenience, I will create separate start and stop scripts for the Report Server, because it will not be started that frequently.

 

Stop-SM.bat

@echo off
:BEGINSCRIPT
REM Web tier first: nothing should be accepting requests while the
REM Policy Server and the stores behind it go down.
echo [%DATE%][%TIME%] Stopping Web Server
net stop w3svc >nul
net stop www.cookie.lab >nul
net stop SiteMinderSecureProxy >nul
net stop "SiteMinder Proxy Engine" >nul
net stop ServletExec-testmc1 >nul
net stop "Agent Service" >nul
REM "Agent Service", AdminUI and ServletExec are all javaw.exe processes; kill
REM whatever is left before running the ServletExec stop script.
taskkill /IM javaw.exe /F >nul
cd C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\
call C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\StopServletExec.bat >nul

echo [%DATE%][%TIME%] Stopping WAMUI
net stop SMADMINUI >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Monitor
net stop smservmon >nul

echo [%DATE%][%TIME%] Stopping Risk Minder
net stop CARiskMinder >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Policy Server
net stop smpolicysrv >nul

REM CA Directory has its own control command, so no "net stop" here.
echo [%DATE%][%TIME%] Stopping CA Directory (PolicyStore)
dxserver stop all >nul

echo [%DATE%][%TIME%] Stopping Oracle Directory Server (UserStore)
net stop DirectoryServer7-2 >nul
net stop DirectoryServer7-1 >nul
net stop Dsccagent11g-1 >nul

Above is the Stop-SM.bat script.

I don't really need to shut down the SQL Server each time. It can stay up.

CA Directory can be shut down using "dxserver stop all", so I am using that command.

"Agent Service" is actually a Java process.

AdminUI is also a Java process.

ServletExec-testmc1 is also a Java process.

ServletExec is known to have problems shutting down via Service Control on Windows 2008 and above.

So, I am actually calling "StopServletExec.bat", but even before that I kill all javaw.exe processes to clean up all the Java processes.

 

Restart-SM.bat

@echo off

:BEGINSCRIPT
REM Retry counter for the Policy Server log cleanup loop (see WAITCLRFILES4).
@set /A smcount=1
echo [%DATE%][%TIME%] Stopping Web Server
net stop w3svc >nul
net stop www.cookie.lab >nul
net stop SiteMinderSecureProxy >nul
net stop "SiteMinder Proxy Engine" >nul
net stop ServletExec-testmc1 >nul
net stop "Agent Service" >nul
REM "Agent Service", AdminUI and ServletExec are all javaw.exe processes; kill
REM whatever is left before running the ServletExec stop script.
taskkill /IM javaw.exe /F >nul
cd C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\
call C:\Progra~1\NewAtl~1\Servle~1\se-testmc1\StopServletExec.bat >nul

echo [%DATE%][%TIME%] Stopping WAMUI
net stop SMADMINUI >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Monitor
net stop smservmon >nul

echo [%DATE%][%TIME%] Stopping Risk Minder
net stop CARiskMinder >nul

echo [%DATE%][%TIME%] Stopping SiteMinder Policy Server
net stop smpolicysrv >nul

echo [%DATE%][%TIME%] Stopping CA Directory (PolicyStore)
dxserver stop all >nul

echo [%DATE%][%TIME%] Stopping Oracle Directory Server (UserStore)
net stop DirectoryServer7-2 >nul
net stop DirectoryServer7-1 >nul
net stop Dsccagent11g-1 >nul

REM Each WAITCLRFILES* block deletes one set of log files and loops, with a
REM one-second "ping" delay, until the marker file is really gone, i.e. until
REM the process that still held it open has exited.
:WAITCLRFILES
echo [%DATE%][%TIME%] Deleting IIS Web Agent Log files... This may take time until all processes locking the log files are shutdown.
REM LLAWP.exe is the Web Agent worker process that keeps the agent logs open.
@taskkill /F /IM LLAWP.exe >nul
@del /q "%NETE_WA_ROOT%"\log\*.* >nul
@del /q C:\inetpub\logs\LogFiles\W3SVC1\*.* >nul
@del /q C:\inetpub\logs\LogFiles\W3SVC2\*.* >nul
@del /q C:\inetpub\logs\FailedReqLogFiles\W3SVC1\*.* >nul
@del /q C:\inetpub\logs\FailedReqLogFiles\W3SVC2\*.* >nul
@del /q C:\inetpub\temp\appPools\*.tmp >nul
@ping -n 2 127.0.0.1 >nul
if not exist "%NETE_WA_ROOT%"\log\wa.log GOTO WAITCLRFILES2
if exist "%NETE_WA_ROOT%"\log\wa.log GOTO WAITCLRFILES

:WAITCLRFILES2
echo [%DATE%][%TIME%] Deleting www.cookie.lab Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\Apache24\logs\*.* >nul
@ping -n 2 127.0.0.1 >nul
if not exist C:\Apache24\logs\*.log GOTO WAITCLRFILES3
if exist C:\Apache24\logs\*.log GOTO WAITCLRFILES2

:WAITCLRFILES3
echo [%DATE%][%TIME%] Deleting SPS Server Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\Progra~2\CA\secure-proxy\proxy-engine\logs\*.* >nul
@del /q C:\Progra~2\CA\secure-proxy\proxy-engine\*.log >nul
@del /q C:\Progra~2\CA\secure-proxy\proxy-engine\*.mdmp >nul
@del /q C:\Progra~2\CA\secure-proxy\arcot\logs\*.* >nul
@del /q C:\Progra~2\CA\secure-proxy\arcot\logs\backup\*.* >nul
@ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\secure-proxy\proxy-engine\logs\*.log GOTO WAITCLRFILES4
if exist C:\Progra~2\CA\secure-proxy\proxy-engine\logs\*.log GOTO WAITCLRFILES3

:WAITCLRFILES4
echo [%DATE%][%TIME%] Deleting Policy Server Log files... This may take time until all processes locking the log files are shutdown.
echo [%DATE%][%TIME%] Deleting Policy Server Logs retry count: %smcount%
REM After 10 rounds (about 10 seconds) the Policy Server is assumed to be stuck
REM and is killed so the restart can continue.
if %smcount% GTR 10 (
    @taskkill /F /IM smpolicysrv.exe
    )

@del /q C:\Progra~2\CA\siteminder\log\*.* >nul
@del /q C:\Progra~2\CA\aas\logs\*.* >nul
@del /q C:\*.log >nul
@ping -n 2 127.0.0.1 >nul
@set /A smcount+=1
if not exist C:\Progra~2\CA\siteminder\log\smps.log GOTO WAITCLRFILES5
if exist C:\Progra~2\CA\siteminder\log\smps.log GOTO WAITCLRFILES4

:WAITCLRFILES5
echo [%DATE%][%TIME%] Deleting Audit Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\Progra~2\CA\siteminder\audit\xps*.* >nul
@del /q C:\Progra~2\CA\siteminder\audit\harvest.log >nul

@ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit\xps*.* GOTO WAITCLRFILES6
if exist C:\Progra~2\CA\siteminder\audit\xps*.* GOTO WAITCLRFILES5

:WAITCLRFILES6
echo [%DATE%][%TIME%] Deleting Temporary Audit Log files... This may take time until all processes locking the log files are shutdown.
@rd /s /q C:\Progra~2\CA\siteminder\audit_R6tmp >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit_R6tmp GOTO WAITCLRFILES7
if exist C:\Progra~2\CA\siteminder\audit_R6tmp GOTO WAITCLRFILES6

:WAITCLRFILES7
echo [%DATE%][%TIME%] Deleting Archived Audit Log files... This may take time until all processes locking the log files are shutdown.
@rd /s /q C:\Progra~2\CA\siteminder\audit_archive >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\audit_archive GOTO WAITCLRFILES8
if exist C:\Progra~2\CA\siteminder\audit_archive GOTO WAITCLRFILES7

:WAITCLRFILES8
echo [%DATE%][%TIME%] Deleting WAMUI Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\Progra~2\CA\siteminder\adminui\server\default\log\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~2\CA\siteminder\adminui\server\default\log\server.log GOTO WAITCLRFILES9
if exist C:\Progra~2\CA\siteminder\adminui\server\default\log\server.log GOTO WAITCLRFILES8

:WAITCLRFILES9
echo [%DATE%][%TIME%] Deleting CADIR Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\Progra~1\CA\Directory\dxserver\logs\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\Progra~1\CA\Directory\dxserver\logs\PRIMARY_alarm.log GOTO WAITCLRFILESA
if exist C:\Progra~1\CA\Directory\dxserver\logs\PRIMARY_alarm.log GOTO WAITCLRFILES9

:WAITCLRFILESA
echo [%DATE%][%TIME%] Deleting Oracle Directory Server Log files... This may take time until all processes locking the log files are shutdown.
@del /q C:\dsee7\ldapinstances\slapd-primary\logs\*.* >nul
ping -n 2 127.0.0.1 >nul
if not exist C:\dsee7\ldapinstances\slapd-primary\logs\errors.rotationinfo GOTO WAITCLRFILESB
if exist C:\dsee7\ldapinstances\slapd-primary\logs\errors.rotationinfo GOTO WAITCLRFILESA

:WAITCLRFILESB
echo [%DATE%][%TIME%] Deleting Report Server logs.
REM BOEInstall_0.log and boe_upgrade.xsl in this folder are read-only, so they survive this.
@del /q "C:\Program Files (x86)\CA\SC\CommonReporting3\BusinessObjects Enterprise 12.0\logging\"*.*

:WAITCLRFILESC
echo [%DATE%][%TIME%] Clearing Windows Event logs...
wevtutil cl Application
wevtutil cl System
wevtutil cl Security
wevtutil cl Setup
wevtutil cl "DNS Server"
wevtutil cl "Active Directory Web Services"
wevtutil cl "DFS Replication"
wevtutil cl "Directory Service"

:WAITCLRFILESD
echo [%DATE%][%TIME%] Clearing Crashdump files...
REM Simpler to drop and re-create the WER queue folder than to delete its contents.
rmdir /S /Q C:\ProgramData\Microsoft\Windows\WER\ReportQueue
ping -n 2 127.0.0.1 >nul
mkdir C:\ProgramData\Microsoft\Windows\WER\ReportQueue

GOTO STARTODIR

REM Startup, in dependency order: user store, policy store, Policy Server,
REM AdminUI, then the web tier.
:STARTODIR
echo [%DATE%][%TIME%] Starting Oracle Directory Server
net start Dsccagent11g-1
net start DirectoryServer7-1
net start DirectoryServer7-2
GOTO STARTCADIR

:STARTCADIR
echo [%DATE%][%TIME%] Starting CA Directory (Policy Store)
@dxserver start all
GOTO STARTSMPS

:STARTSMPS
echo [%DATE%][%TIME%] Starting Policy Server
@net start "Agent Service"
@net start "SNMP"
@net start smpolicysrv
@net start SmServMon
@net start CARiskMinder
GOTO CHECKSMPS

:CHECKSMPS
echo [%DATE%][%TIME%] Waiting for SiteMinder Policy Server to fully initialize... This may take some time...
ping -n 2 127.0.0.1 >nul
REM find returns errorlevel 1 until the ready line shows up in smps.log.
@find "SiteMinder Policy Server is ready" C:\Progra~2\CA\siteminder\log\smps.log >nul
if errorlevel 1 GOTO CHECKSMPS
if errorlevel 0 GOTO STARTWAMUI

:STARTWAMUI
echo [%DATE%][%TIME%] Starting Administrative UI
@net start SMADMINUI
GOTO STARTIIS

:STARTIIS
echo [%DATE%][%TIME%] Starting Web Servers
@net start w3svc
@net start www.cookie.lab
@net start SiteMinderSecureProxy
@net start "SiteMinder Proxy Engine"
@net start ServletExec-testmc1

:END
echo [%DATE%][%TIME%] Everything is started up successfully.
ping -n 5 127.0.0.1 >nul

What you need to note here is that I am also clearing out the event logs.

At times there are too many historical event records, which makes things confusing, so clearing the events and looking only at the new records related to the test is a good thing.

Another thing is that in the Report Server logs folder there were 2 files I did not want to delete, so I made them Read-Only.

Those 2 files are "BOEInstall_0.log" and "boe_upgrade.xsl".

So, when this script deletes everything in that folder, those 2 files will remain.

In the case of the Windows WER report files, I delete the whole folder and re-create it.

 

Next is the Stop-Report.bat

Stop-Report.bat

@echo off

echo [%DATE%][%TIME%] Stopping Server Intelligence Agent
net stop BOE120SIATESTMC1 >nul

echo [%DATE%][%TIME%] Stopping Report Server Tomcat
net stop BOE120Tomcat >nul

echo [%DATE%][%TIME%] Stopping Other Report Server Services
net stop SQLANYs_BOE120SQLAW >nul

 

And the Restart-Report.bat

Restart-Report.bat

@echo off

echo [%DATE%][%TIME%] Stopping Server Intelligence Agent
net stop BOE120SIATESTMC1 >nul

echo [%DATE%][%TIME%] Stopping Report Server Tomcat
net stop BOE120Tomcat >nul

echo [%DATE%][%TIME%] Stopping Other Report Server Services
net stop SQLANYs_BOE120SQLAW >nul

REM Give the Report Server processes about 30 seconds to exit before starting again.
ping -n 30 127.0.0.1 >nul

echo [%DATE%][%TIME%] Starting Other Report Server Services
net start SQLANYs_BOE120SQLAW >nul

echo [%DATE%][%TIME%] Starting Report Server Tomcat
net start BOE120Tomcat >nul

echo [%DATE%][%TIME%] Starting Server Intelligence Agent
net start BOE120SIATESTMC1 >nul
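As an added example (not part of the original post, and not CA's own tooling), here is the same start/stop idea written in PowerShell as a data-driven sequence. Services start in the order of a single list and stop in the reverse order; a service that has a readiness marker must write it to its log within a timeout before its dependants are started, and a service that ignores the stop request is killed by process name after a grace period instead of the script hanging on it. The service names, the smps.log path and the "SiteMinder Policy Server is ready" marker are the ones the post uses; the timeouts and the KillProcess mapping are my assumptions for this lab image.

```powershell
# Added example, not the post's own script. Service names, smps.log path and the
# ready marker come from the post; timeouts and the process names used for forced
# kills are assumptions for this lab image.
$SmpsLog = 'C:\Program Files (x86)\CA\siteminder\log\smps.log'

# Start order; shutdown walks the list backwards.
$Sequence = @(
    @{ Name = 'Dsccagent11g-1' },
    @{ Name = 'DirectoryServer7-1' },
    @{ Name = 'DirectoryServer7-2' },
    @{ Name = 'DXserver_PRIMARY' },
    @{ Name = 'Agent Service';            KillProcess = 'javaw' },
    @{ Name = 'smpolicysrv';              KillProcess = 'smpolicysrv'
       ReadyLog = $SmpsLog; ReadyMarker = 'SiteMinder Policy Server is ready'; TimeoutSec = 300 },
    @{ Name = 'SmServMon' },
    @{ Name = 'CARiskMinder' },
    @{ Name = 'SMADMINUI';                KillProcess = 'javaw' },
    @{ Name = 'W3SVC';                    KillProcess = 'LLAWP' },
    @{ Name = 'www.cookie.lab' },
    @{ Name = 'SiteMinderSecureProxy' },
    @{ Name = 'SiteMinder Proxy Engine' },
    @{ Name = 'ServletExec-testmc1';      KillProcess = 'javaw' }
)

function Write-Step([string]$Message) {
    Write-Host ('[{0}] {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message)
}

function Wait-LogMarker {
    param([string]$Path, [string]$Marker, [int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        # The log may not exist yet right after the log cleanup, hence the Test-Path.
        if ((Test-Path -LiteralPath $Path) -and
            (Select-String -LiteralPath $Path -SimpleMatch -Pattern $Marker -Quiet)) {
            return $true
        }
        Start-Sleep -Seconds 2
    }
    return $false
}

function Stop-Sequence {
    for ($i = $Sequence.Count - 1; $i -ge 0; $i--) {
        $entry = $Sequence[$i]
        $svc = Get-Service -Name $entry.Name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -eq 'Stopped') { continue }
        Write-Step "Stopping $($entry.Name)"
        Stop-Service -Name $entry.Name -Force -ErrorAction SilentlyContinue
        try {
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        } catch {
            # The stop timed out: as the post does for ServletExec and a wedged
            # Policy Server, kill the process so the rest of the sequence can proceed.
            if ($entry.KillProcess) {
                Write-Warning "$($entry.Name) still running after 60s, killing $($entry.KillProcess).exe"
                Stop-Process -Name $entry.KillProcess -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

function Start-Sequence {
    foreach ($entry in $Sequence) {
        $svc = Get-Service -Name $entry.Name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$($entry.Name) is not installed, skipping"; continue }
        if ($svc.Status -ne 'Running') {
            Write-Step "Starting $($entry.Name)"
            Start-Service -Name $entry.Name
        }
        if ($entry.ReadyMarker) {
            Write-Step "Waiting for '$($entry.ReadyMarker)' in $($entry.ReadyLog)"
            if (-not (Wait-LogMarker -Path $entry.ReadyLog -Marker $entry.ReadyMarker -TimeoutSec $entry.TimeoutSec)) {
                # Stop here rather than start AdminUI and the agents against a half-initialised Policy Server.
                throw "$($entry.Name) did not become ready within $($entry.TimeoutSec)s"
            }
        }
    }
}

Stop-Sequence
# The post clears the log folders at this point; Remove-Item calls on the same paths belong here.
Start-Sequence
Write-Step 'Everything is started up successfully.'
```

The difference from the batch version worth noting is that a service which never reports ready ends the run with an error instead of looping forever, so a scheduled restart cannot leave the web tier pointed at a Policy Server that is still initialising.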

 

     - Logging

 

The challenge with log collection is that the logs are scattered across different folders, and it takes time to collect a full set of logs and keep them in a single zip file for each iteration of a test.

 

To work around this problem, here is what I do.

You need a tool called "junction" from SysInternals. It creates a directory junction (an NTFS reparse point that behaves like a symbolic link to a folder).

And you need 7zip to compress the files.

 

First, create a folder "C:\Logs".

Download and extract junction.exe to "C:\Windows" or any folder that is on the PATH variable.

Install 7zip.

 

Open a command line and go to the "C:\Logs" folder.

 

junction IISLog1 "C:\inetpub\logs\LogFiles\W3SVC1"

junction IISLog2 "C:\inetpub\logs\LogFiles\W3SVC2"

junction IISWALogs C:\Progra~1\CA\webagent\win64\log

junction IISFRLog1 "C:\inetpub\logs\FailedReqLogFiles\W3SVC1"

junction IISFRLog2 "C:\inetpub\logs\FailedReqLogFiles\W3SVC2"

junction ApacheLog C:\Apache24\logs

junction SPSLogs "C:\Progra~2\CA\secure-proxy\proxy-engine\logs"

junction ArcotLogs "C:\Progra~2\CA\secure-proxy\arcot\logs"

junction PSLOGS "C:\Program Files (x86)\CA\siteminder\log"

junction PSAudit "C:\Program Files (x86)\CA\siteminder\audit"

junction RISKMLogs "C:\Program Files (x86)\CA\aas\logs"

junction AdminUILogs C:\Progra~2\CA\siteminder\adminui\server\default\log

junction CADIRLogs C:\Progra~1\CA\Directory\dxserver\logs

junction ORADIRLogs C:\dsee7\ldapinstances\slapd-primary\logs

junction WER C:\ProgramData\Microsoft\Windows\WER\ReportQueue

 

There is no need to create a junction for the Report Server logs folder.

After this, you should have the junctions created as shown below.

 

Now you need to create a LogCollection.bat script to create a zip file that includes all the log folders.

 

LogCollection.bat

@echo off

REM Export the Policy Server, ODBC and Web Agent registry keys into the log
REM folders so they end up in the archive as well.
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity "%NETE_PS_ROOT%\log\policyserver.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ODBC "%NETE_PS_ROOT%\log\ODBC.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity "%NETE_WA_ROOT%\log\webagent.reg"

REM Before 10:00 %TIME% starts with a space (" 9:05:00.00"), so the hour has to
REM be zero-padded by hand; FILENAME2 handles that case.
if %time:~0,2% LSS 10 GOTO FILENAME2

:FILENAME1
set filename=Logs_ALLINONE2_%date:~-4,4%%date:~4,2%%date:~-7,2%-%time:~0,2%%time:~3,2%%time:~6,2%.zip
GOTO MAIN

:FILENAME2
set filename=Logs_ALLINONE2_%date:~-4,4%%date:~4,2%%date:~-7,2%-0%time:~1,1%%time:~3,2%%time:~6,2%.zip
GOTO MAIN

:MAIN
echo %filename%

set CONTAINER=C:\Logs
cd %CONTAINER%

REM -x!*.zip keeps the earlier archives out of this one; -ssw also compresses
REM files that a running service still has open for writing.
C:\Progra~2\7-Zip\7z a -x!*.zip -ssw %filename%

 

I created a "Scripts" folder on the Administrator's Desktop and saved all the above batch files there.

Then I dragged those scripts to the "Start" menu so I will have easier access to those scripts.
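As an added example (not the post's own script), here is a PowerShell version of LogCollection.bat. It keeps the post's layout (C:\Logs with the junctions above, the three registry exports, 7-Zip with -x!*.zip and -ssw) but builds the timestamp with Get-Date, which does not depend on the regional date format the way the %date%/%time% slicing does, warns about junctions whose target folder has disappeared, and writes a SHA-256 beside the archive. NETE_PS_ROOT and NETE_WA_ROOT are assumed to be set by the Policy Server and Web Agent installers, as the batch file assumes too.

```powershell
# Added example, not the post's own script. C:\Logs, the junction layout, the
# registry keys and the 7-Zip location are the post's; NETE_PS_ROOT and
# NETE_WA_ROOT are assumed to be set by the Policy Server / Web Agent installers.
$Container = 'C:\Logs'
$SevenZip  = 'C:\Program Files (x86)\7-Zip\7z.exe'

function Export-SmRegistry {
    if (-not $env:NETE_PS_ROOT -or -not $env:NETE_WA_ROOT) {
        throw 'NETE_PS_ROOT / NETE_WA_ROOT are not set; run from a shell that has the installer environment'
    }
    # Same three exports as the batch file; /y overwrites a previous export.
    $exports = @(
        @{ Key = 'HKLM\SOFTWARE\Wow6432Node\Netegrity'; File = Join-Path $env:NETE_PS_ROOT 'log\policyserver.reg' },
        @{ Key = 'HKLM\SOFTWARE\Wow6432Node\ODBC';      File = Join-Path $env:NETE_PS_ROOT 'log\ODBC.reg' },
        @{ Key = 'HKLM\SOFTWARE\Netegrity';             File = Join-Path $env:NETE_WA_ROOT 'log\webagent.reg' }
    )
    foreach ($e in $exports) {
        reg.exe export $e.Key $e.File /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg export of $($e.Key) failed" }
    }
}

function New-ArchiveName([string]$Prefix = 'Logs_ALLINONE2') {
    # Get-Date -Format replaces the %date%/%time% substring slicing, which depends
    # on the regional date format and needed the FILENAME2 branch for hours < 10.
    '{0}_{1}.zip' -f $Prefix, (Get-Date -Format 'yyyyMMdd-HHmmss')
}

function Test-Junctions {
    # A junction whose target was removed (e.g. by a product reinstall) would make
    # the archive silently lack that log set, so report it.
    Get-ChildItem -LiteralPath $Container -Directory |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $target = [string]$_.Target
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                Write-Warning "$($_.Name) -> $target is dangling"
            }
        }
}

function Invoke-LogCollection {
    if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }
    Export-SmRegistry
    Test-Junctions
    $zip = New-ArchiveName
    Push-Location -LiteralPath $Container
    try {
        # -x!*.zip keeps earlier archives out of this one; -ssw also grabs files
        # that a running service still has open for writing.
        & $SevenZip a '-x!*.zip' -ssw $zip | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "7z exited with code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
    $file = Get-Item -LiteralPath (Join-Path $Container $zip)
    # Record the hash next to the archive so a set handed to someone else can be
    # checked for corruption or tampering before anyone reads it.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Set-Content -LiteralPath "$($file.FullName).sha256" -Value "$hash  $($file.Name)" -Encoding Ascii
    [PSCustomObject]@{ Archive = $file.FullName; SizeMB = [math]::Round($file.Length / 1MB, 1); SHA256 = $hash }
}

Invoke-LogCollection
```

Run it from an elevated PowerShell after a test iteration; it returns the archive path, size and hash, which is also what you would paste into the case notes when the zip is sent to support.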

 

 

And for the Policy Server, we need a profiler setting that is good for most use cases but does not generate too many log entries.

 

I have the following template that I use for general purpose.

simple_support_trace.template

components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, AgentFunc/GetConfig, AgentFunc/DoManagement, AgentFunc/GetSingleUseCookie, AgentFunc/SetSingleUseCookie, AgentFunc/DelSingleUseCookie, IsProtected, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Password_Service, Login_Logout/Certificates, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, LDAP/Connection_Management, LDAP/Performance_Measurement, LDAP/Ldap_Error_Messages, Fed_Client/General_Info, Fed_Client/Single_Sign_On, Fed_Client/Single_Logout, Fed_Client/Configuration, Fed_Server/Assertion_Generator, Fed_Server/Auth_Scheme, Fed_Server/Configuration, Fed_Server/Single_Logout, Fed_Server/Saml_Requester

data: Date, Time, User, Message, Data, AgentName, Resource, AuthStatus, AuthReason, CertDistPt, Query, CallDetail, Pid, Tid

It is actually 2 lines (3 lines including an empty line at the bottom).

The first line is "components" and the second is "data".

Depending on the components and data you choose, you will get different log output.

If you are unsure what to add, and the problem needs real analysis effort, add all components and data to make sure you do not miss anything.

 

Save this file at "C:\Program Files (x86)\CA\siteminder\config\profiler_templates\" folder.

Load "smconsole" (aka Policy Server Management Console) and go to the "Profiler" tab to load this template.

Check the "Enable Profiling" option.

Then click on the "Configure Settings" button.

At the "Template" drop down menu, select "simple_support_trace.template".

Click "Load Template" button.

Click "OK" and click "OK" to close smconsole.

 

And you can configure a scheduler to run "smpolicysrv -stats" command to get the policy server statistics.

 

Open "Task Scheduler" and click "Create Basic Task..."

 

Click "OK" to save.

Since the task is not running yet, select it and click the "Run" button in the right pane.

Now, if you look at smps.log, you will find the "Statistics" information.

 

Once you reboot the machine, you will find this task running every 2 minutes from then on.

If you started the SiteMinder services (Restart-SM.bat), then you will find the following statistics in smps.log every 2 minutes.
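As an added example (not from the post), the same 2-minute "smpolicysrv -stats" task can be created with schtasks.exe instead of the Create Basic Task wizard, which also makes it easy to recreate on a rebuilt image. The bin folder under the 8.3 install root is an assumption that matches the paths the post uses elsewhere; the short path also avoids nested quotes in /TR.

```powershell
# Added example, not from the post: the 2-minute "smpolicysrv -stats" task via
# schtasks.exe. The bin path is an assumption matching the post's install root.
$taskName = 'SiteMinder Policy Server Stats'
$smps     = 'C:\Progra~2\CA\siteminder\bin\smpolicysrv.exe'
if (-not (Test-Path -LiteralPath $smps)) { throw "smpolicysrv.exe not found at $smps" }

# /SC MINUTE /MO 2: every 2 minutes. /RU SYSTEM: runs whether or not anyone is
# logged on. /F: replace the task if it already exists.
schtasks.exe /Create /F /TN $taskName /SC MINUTE /MO 2 /RU SYSTEM /TR "$smps -stats"

# The post runs the task once by hand the first time; same thing here.
schtasks.exe /Run /TN $taskName
schtasks.exe /Query /TN $taskName /V /FO LIST | Select-String 'Status|Last Run|Task To Run'

# The statistics land in smps.log, as the post says; show the latest entries.
Select-String -Path 'C:\Progra~2\CA\siteminder\log\smps.log' -SimpleMatch 'Statistics' |
    Select-Object -Last 3
```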

 

     - Basic Concepts

 

Before you jump into SiteMinder world, you need to have some basics.

I will not go into too much detail here, because you will pick up most of it from the subsequent articles, but here are the real basics.

 

SiteMinder has 4 main components.

1. Web Agent

2. Policy Server

3. Policy Store

4. User Store

 

There are 2 main reasons why you would be interested in SiteMinder.

1. Protect Web Resources

2. Achieve Single Sign-On

 

So the resources we will be talking about are web server resources, for example:

http://www.sso.lab/protected/index.html

 

The first part, "http", is the protocol you are using to access the website.

http is not encrypted, so if people can tap into your network they may be able to capture the traffic and pick up your userID and Password.

https is encrypted.

 

The next part, "www.sso.lab", is the Fully Qualified Hostname, which is made up of 2 sections:

Server Name + Domain

The part before the first dot (.) is the hostname and the rest is the domain (cookie domain).

In this case, "www" is the hostname and ".sso.lab" is the domain.

 

SiteMinder uses (encrypted) cookies to store user session information, so the domain value is used to set the cookies in the browser.

If the browser visits any website that has a matching cookie domain, the cookie will be submitted by the browser.

For example, if the browser holds a SiteMinder session cookie (called the SMSESSION cookie) that was set for the .sso.lab cookie domain by the www.sso.lab website, and the browser then visits hello.sso.lab, the SMSESSION cookie will be submitted by the browser because the cookie domain matches.

 

SiteMinder protects a web site by installing a Web Agent.

The Web Agent is a plugin to the web server, which gives it the ability to intercept requests coming into the web server.

Since the Web Agent can intercept requests, it can perform the following checks whenever a resource is requested.

 

The Web Agent makes the following calls to the Policy Server.

* Is the requested resource protected? (aka IsProtected)

* Does the requesting browser have an SMSESSION cookie representing a user identity? (aka IsAuthenticated)

* Is the user identity allowed to access this resource? (aka IsAuthorized)

 

The last part, "/protected/index.html", is the resource, and that is what the Web Agent asks the Policy Server about: whether it is protected or not.

If the request did not have an SMSESSION, then the Web Agent will redirect the browser to a login page so user can submit userID and Password to login.

This login is what we call "Authenticated" because by submitting the userID and a valid Password, a unique user in the user store is identified to be you.

 

When Web Agent asks Policy Server if a resource is protected, it asks by submitting the following information.

 

1. Agent Identity

2. URI (This is the resource part above)

 

For example, Web Agent submits "agent1" and "/protected/index.html" to Policy Server.

The Policy Server will say it is protected if it finds the "agent1" Agent Identity and a "Realm" with a matching "Resource Filter" such as "/protected/".

 

This "Realm" is what you will be creating in the Policy Server to protect resources.

Realm has following additional properties.

 

1. Authentication Scheme (login method)

2. Resource Filter (The URI for the protected resource)

 

That is how Policy Server determines whether the resource is protected.

 

To determine whether you are who you claim to be, SiteMinder redirects the browser to a login page for the user to submit userID and Password.

In general, the UserID that you submit will be searched in the userstore.

 

If a matching user is found, then the submitted password will be compared with the password stored for that matching user.

If they match, then Policy Server tells Web Agent that the user is Authenticated.

 

WebAgent will then set SMSESSION cookie with the user information.

Once the SMSESSION cookie is available, the user does not need to submit userID/Password anymore, as long as they remain authorized to access the resources.

 

SiteMinder determines whether you are Authorized to access certain resources by reviewing a Policy.

A Policy is where SiteMinder links Users and Resources.

If the Policy is configured to allow users from a certain group to access resource X, and you belong to that group, then you will be Authorized.

If you are not, then you will be redirected to the login page again.
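To make the three questions above concrete, here is an added example (not from the post, and not SiteMinder's implementation) that models IsProtected, IsAuthenticated and IsAuthorized in PowerShell using the post's sample URL, agent name and realm filter. The matching rules are deliberately simplified for teaching: the longest matching Resource Filter wins, Policies tie groups to realms, and a cookie domain only matches a host as a whole dot-separated suffix, which is why the SMSESSION cookie set for .sso.lab reaches hello.sso.lab but not a host that merely ends in the same letters.

```powershell
# Added example, not from the post and not SiteMinder's own logic: a teaching model
# of the Web Agent's three questions. Agent name, URL and realm filter are the post's.
$Realms = @(
    @{ Agent = 'agent1'; Filter = '/protected/';       AuthScheme = 'Basic' },
    @{ Agent = 'agent1'; Filter = '/protected/admin/'; AuthScheme = 'Basic' }
)
# Policies link users (here: their groups) to realms.
$Policies = @(
    @{ Filter = '/protected/';       Groups = @('staff', 'admins') },
    @{ Filter = '/protected/admin/'; Groups = @('admins') }
)

function Get-MatchingRealm([string]$Agent, [string]$Uri) {
    # Longest Resource Filter prefix wins, so /protected/admin/ beats /protected/.
    $Realms |
        Where-Object { $_.Agent -eq $Agent -and $Uri.StartsWith($_.Filter, [StringComparison]::Ordinal) } |
        Sort-Object { $_.Filter.Length } -Descending |
        Select-Object -First 1
}

function Test-CookieDomainMatch([string]$CookieDomain, [string]$HostName) {
    # ".sso.lab" matches sso.lab and every host below it, but neither "evilsso.lab"
    # nor "sso.lab.example.com": the match has to land on a label boundary.
    $d = $CookieDomain.TrimStart('.')
    return ($HostName -eq $d) -or $HostName.EndsWith('.' + $d, [StringComparison]::OrdinalIgnoreCase)
}

function Invoke-AgentDecision {
    param([string]$Agent, [string]$Url, [hashtable]$BrowserCookies = @{})
    $u = [Uri]$Url
    # IsProtected
    $realm = Get-MatchingRealm -Agent $Agent -Uri $u.AbsolutePath
    if (-not $realm) { return "Unprotected: $($u.AbsolutePath) is served without any check" }

    # IsAuthenticated: the browser only sends SMSESSION cookies whose domain covers this host.
    $session = $BrowserCookies.GetEnumerator() |
        Where-Object { Test-CookieDomainMatch -CookieDomain $_.Key -HostName $u.Host } |
        Select-Object -First 1 -ExpandProperty Value
    if (-not $session) { return "Redirect to login ($($realm.AuthScheme)) for $($u.AbsolutePath)" }

    # IsAuthorized: a policy on this realm must name one of the user's groups.
    $policy  = $Policies | Where-Object { $_.Filter -eq $realm.Filter } | Select-Object -First 1
    $allowed = $policy -and (@($session.Groups | Where-Object { $policy.Groups -contains $_ }).Count -gt 0)
    if ($allowed) { return "Authorized: $($session.User) may access $($u.AbsolutePath)" }
    return "Not authorized: $($session.User) is redirected to the login page again"
}

# Constructed sample: alice holds an SMSESSION cookie that www.sso.lab set for .sso.lab.
$cookies = @{ '.sso.lab' = @{ User = 'alice'; Groups = @('staff') } }
Invoke-AgentDecision -Agent 'agent1' -Url 'http://www.sso.lab/public/index.html'          -BrowserCookies $cookies
Invoke-AgentDecision -Agent 'agent1' -Url 'http://www.sso.lab/protected/index.html'       -BrowserCookies $cookies
Invoke-AgentDecision -Agent 'agent1' -Url 'http://hello.sso.lab/protected/index.html'     -BrowserCookies $cookies   # SSO: same cookie domain
Invoke-AgentDecision -Agent 'agent1' -Url 'http://www.sso.lab/protected/admin/index.html' -BrowserCookies $cookies   # alice is not in admins
Invoke-AgentDecision -Agent 'agent1' -Url 'http://www.other.lab/protected/index.html'                                # no cookie for this domain
```

The five calls return, in order, "Unprotected", "Authorized", "Authorized" (the SSO case), "Not authorized" and "Redirect to login (Basic)", which is the sequence of outcomes the paragraphs above describe.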

 

I hope you are liking my articles.

If you have attended "SiteMinder 200" training then you should be good here.

 

 

Now, let's configure SiteMinder to protect a resource on the IIS web server.

There are 2 ways to protect a resource. At the lower level they are essentially the same, but one is called "Domain" and the other is called "Application".

"Domain" is what has been there from the beginning of SiteMinder; "Application" is newer, and was meant to make the configuration easier and introduce role-based authorization.

 

I will demonstrate how to protect a resource using "Domain" and "Application" so that you can spot the differences and the commonalities.

 

The sequence of objects to create in the SiteMinder AdminUI is as below.

 

Domain                  Application
User Directory          User Directory
Authentication Scheme   Authentication Scheme
Domain                  Application
Realm                   Component
Rule                    Resources
N/A                     Role
Policy                  Policy

 

 

Let's create a User Directory.

Logon to "AdminUI ==> Infrastructure ==> Directory ==> User Directories" and click "Create User Directory"

The steps are documented previously in the following article while trying to protect the ProxyUI.

Creating an ALL-IN-ONE VM Image - Part 9

 

That actually demonstrates how to create a "Domain" to protect /proxyui/.

We will use the same AD user directory made from the previous step.

SSO LAB Domain Users

Enter the following information.

Name : SSO LAB Domain Users

Namespace: LDAP:

Server: 192.168.201.101 192.168.201.102

Require Credentials: <check this box>

Username: CN=Administrator,CN=Users,DC=SSO,DC=LAB

Password: <Administrator password>

Root: DC=SSO,DC=LAB

Start: (samaccountname=

End: )

 

Then click "Submit"

 

However, this AD is not using SSL connection and we need to configure SSL communication to this AD.

AD does not allow changing user password if the connection is not secure.

 

When you promote a server to a domain controller, AD is installed on that server.

And if you have a Microsoft Certificate Services CA configured, it will automatically issue a certificate to that domain controller by default (there is an auto-enrollment policy).

That means your AD is already secured for LDAPS: if you run "netstat -an|findstr LISTEN|findstr 636" you will find "0.0.0.0:636".
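The netstat check only proves that something is listening on 636. As an added example (not from the post), the function below opens a TLS session to the port, reports the certificate the domain controller presents, and compares the root of its chain with the ROOTCA.cer you are about to import, so a wrong or self-signed DC certificate is caught before the Policy Server's LDAPS connection fails with an unhelpful error. The DC hostname and the ROOTCA.cer location are assumptions matching the post's lab naming.

```powershell
# Added example, not from the post: confirm the domain controller really speaks
# LDAPS and that its certificate chains to the lab root CA before pointing the
# Policy Server at port 636. DC name and ROOTCA.cer path are assumptions.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [string]$RootCaFile   # e.g. the ROOTCA.cer downloaded from certsrv
    )
    $state = @{ Errors = $null }
    # The callback only records .NET's verdict; the decision is made below so a
    # broken chain still produces a report instead of an exception.
    $onCert = {
        param($s, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $onCert)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA; its CRL may not be reachable
        $chainOk = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        $rootMatches = $null
        if ($RootCaFile) {
            $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)
            $rootMatches = ($root.Thumbprint -eq $expected.Thumbprint)
        }
        [PSCustomObject]@{
            Server          = "${Server}:$Port"
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SignatureAlg    = $cert.SignatureAlgorithm.FriendlyName
            NameAndChain    = $state.Errors     # None = hostname and chain both fine
            ChainBuilt      = $chainOk
            RootThumbprint  = $root.Thumbprint
            RootMatchesFile = $rootMatches
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (assumed names). Use the DC's DNS name rather than 192.168.201.101: the
# certificate is issued to the name, so an IP target reports RemoteCertificateNameMismatch.
Test-LdapsEndpoint -Server 'dc1.sso.lab' -RootCaFile 'C:\Program Files (x86)\ca\siteminder\certs\ROOTCA.cer'
```

What to look for: NameAndChain should be None, RootMatchesFile should be True, and SignatureAlg confirms the SHA2 certificate the post mentions; a False in RootMatchesFile means the DC was enrolled from a different CA than the one whose certificate you downloaded.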

 

All you need to do now is to import that RootCA certificate and store it in cert8.db file and let Policy Server reference it.

 

Download ROOT CA Certificate from http://www.sso.lab/certsrv

Click on "Download a CA certificate, certificate chain, or CRL"

Click on "Download CA certificate".

It will be downloaded to your "Downloads" folder as "certnew.cer". Rename it to "ROOTCA.cer".

Following is a screenshot of the CA certificate for reference. It is a SHA2 certificate.

This was already performed in the previous article.

Creating an ALL-IN-ONE VM Image - Part 6

 

Creating cert8.db

Create "C:\Program Files (x86)\ca\siteminder\certs" folder.

Rename certnew.cer to ROOTCA.cer and copy it to "C:\Program Files (x86)\ca\siteminder\certs".

 

Open a command-line and change directory to "C:\Program Files (x86)\ca\siteminder\certs"

Run the following command to create the cert8.db file. This is the NSS certutil that comes with the Policy Server, not the Windows built-in certutil.exe, which has a different option syntax.

 

certutil -A -n "ALLINONE Root CA" -t "C,," -i ROOTCA.cer -d .

 

This command creates the cert8.db, key3.db and secmod.db files if they do not exist, and adds the certificate as a trusted Root CA certificate.

If you already have the cert8.db, key3.db and secmod.db files, it will only add the certificate.

 

Now, load the smconsole and enter the configuration at the "Data" tab.

Select "cert8.db" file and click "Apply"

 

Once this step is completed, then you can configure the "SSO LAB Domain Users" user directory to connect using secure channel.

 

From AdminUI, modify the "SSO LAB Domain Users" (click on "Modify" button).

Check on the "Secure Connection".

If you entered the IP and port in "Server", then you will need to update the port.

In the above case, I only used IP because I was using default ports (389 for non-secure and 636 for secure).

And since we will be connecting to 636

 

Then at the "User Attributes", enter "unicodePWD" at "Password (RW)" then Submit.

With this change, the users or the Administrator can reset the password via SiteMinder.

!! This does not mean you can authenticate a user using the attribute you define here. This does not replace a password attribute to something you specify here. What it does is, telling the policy server to update this attribute when there is password change request. It is because the password attribute as you can see above, can have different attribute name.

 

Next is creating Authentication Scheme.

But there is a default "Basic" authentication scheme out of the box, and we will use that one for now.

We did create "AUTHSCHEME-SPSADMINUI" before for protecting SPS "/proxyui".

In the upcoming articles, we will go into Authentication Schemes in more detail.

 

In the next article, we will be setting up both Domain and Application and see what are the differences.

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 1"
