I wrote this article 2 years ago and I am moving it here from Integration - SM + SOI + EEM
ReadMe1st
SOI 3.0 Installer shows the following components to install
Install them in the listed order. Connectors are optional.
Platform | Product
Windows | Java runtime (required by EEM installation): JRE 1.6.0_05 (32bit)
Windows | CA Embedded Entitlements Manager (EEM)
Windows | CA Service Operations Insight
Windows | CA Service Operations Insight - Integration Services
Windows | CA Service Operations Insight - Sample Connector
Windows | CA Service Operations Insight - Domain Connector
Components
1. JRE 1.6.0_05 : 32bit, C:\Program Files (x86)\Java\jre1.6.0_05
Installed from SOI 3.0 installation
2. EEM : 32bit, C:\Program Files (x86)\SC\
Installs CA Directory (32bit, C:\Program Files (x86)\CA\Directory)
EiamAdmin/password
C:\Program Files (x86)\CA\SharedComponents\Embedded IAM
Integrated with SM. (Follow EEM documentation of SM integration)
Can view SM user directory list if correct values are entered.
Check the following log for any error if this does not connect to SM.
C:\Program Files (x86)\CA\SharedComponents\iTechnology\eiamsm.log
Or try restarting dxserver and iGateway service.
3. SOI 3.0 : 32bit, C:\Program Files (x86)\CA\SOI
Service Assurance Administrator Credential:
samuser/Siteminder1
As EEM is now integrated with SM, you need to configure EEM.
Log on to SOI application SSA-SOI as Eiam/password.
Go to "Manage Identities" and click the "Go" button.
Click on the user (in my case it is "Sung Hoon Kim"), then click "Add Application User Details"!!!
Make sure the user is in an adequate group and save.
You can then log out and log in to SOI using the SM users.
The console will also show your username.
DB Admin Credential
sa/Siteminder1
Database Name: SAMStore
4. MSSQL 2008 R2
sa/Siteminder1
5. Adobe Flash Player
6. Apache 2.2.17 installed as reverse proxy
#============ Added for SOI Integration ==============#
ProxyRequests off
ProxyPreserveHost on
<Location /sam>
ProxyPass http://soi.kim.net.my:7070/sam
ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>
<Location /sam/admin>
ProxyPass http://soi.kim.net.my:7090/sam/admin
ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>
<Location /sam/debug>
ProxyPass http://soi.kim.net.my:7090/sam/debug
ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
With this in place, you get access to the backend SOI through the proxy.
Some additional proxies are set up for troubleshooting:
http://soi.kim.net.my/sam/admin
http://soi.kim.net.my/sam/debug
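An added example, not part of the original setup: the Web Agent in step 7 protects only /sam/ui/ and /iamt.html, so the two troubleshooting locations are reachable through the proxy without a SiteMinder challenge. One way to limit them in Apache 2.2 syntax, assuming mod_authz_host is loaded and that only the proxy machine itself (127.0.0.1, an assumed value) needs them:

```apache
# Added example, not from the original article.
# Use these in place of the two troubleshooting <Location> blocks above.
# Apache 2.2 access control (mod_authz_host): with "Order deny,allow" the
# Deny rules are evaluated first and a matching Allow then overrides them,
# so every client except the listed address receives 403 Forbidden.
# 127.0.0.1 is an assumed admin address; replace it with your own.

<Location /sam/admin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
```

The access check runs before the request is handed to the proxy, so a denied client never reaches port 7090 through this web server.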
7. SiteMinder Web Agent
As the web server is 32bit, I installed R12.51CR1 Web Agent.
Agent Configuration Wizard detects the apache web server successfully.
Configured to protect /sam/ui/(normal agent) and /iamt.html(4.x agent)
Authenticates and authorizes users from "CA Directory", which is selected in the
EEM side configuration
Please follow the EEM document for SM side configuration.
/sam/ui/ is protected by HTML Authentication Scheme to make it easier to
differentiate whether the login challenge is from SiteMinder or SOI.
VERY IMPORTANT: Apache Proxy should proxy "/sam" to the backend SOI.
But the Web Agent must not protect "/sam"; it should protect "/sam/ui/".
Otherwise, you will get multiple unexpected challenges and get an exception when accessing "console".
1st challenge (in this sample, I used Basic Auth for easier view)
2nd challenge
3rd challenge
Exception
==========================================
Applied SOI 3.1
The SOI 3.1 console requires JRE 1.6.0_25+, so the existing JRE 1.6.0_05 will not work.
The workaround is to log in from a client that has 1.6.0_25+.
Or, if you need to log in from the SOI machine, you can install 1.6.0_25+ on the SOI machine.
Note: DO NOT UNINSTALL existing JRE 1.6.0_05 because EEM will not display the SM integration and will fail to connect to SiteMinder Policy Server.
VERY IMPORTANT: You MUST have at least SOI 3.1 to SSO with SiteMinder. 3.0 does not recognize SMSESSION cookie so the SSO will not work.
Steps to upgrade
- 1. Shutdown all SOI services.
C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd stop
- 2. Run the SOI 3.1 installer
RO56291.exe
Select "Do not start services", this can be done manually after upgrade.
- 3. Install JRE 1.6.0_25+ (32bit)
I installed 1.6.0_45 (32bit).
Do not uninstall the previous JRE 1.6.0_05 (32bit) from this machine as it is
required by the EEM. SM integration will break if you uninstall JRE 1.6.0_05.
If you did uninstall it, you must update the "C:\Program Files (x86)\CA\SharedComponents\iTechnology\igateway.conf" file; locate <JVMSettings>.
If your JRE is not 1.6.0_25+, the SOI console will fail to load and throw an exception.
If you will not log on to SOI from this machine, you can skip this step.
You can also install 1.7.x (32bit) on the client machine that you will be logging on to SOI from; I tested it and it worked. But it is always a best practice to match the major version required.
- 4. Startup SOI services.
C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd start
- 5. Test logging on to SOI using SiteMinder user
If this fails, the upgrade is not successful.
If the upgrade is deemed a failure, you can uninstall 3.1.
- 6. Uninstall 3.1 if the upgrade failed.
cd "C:\Program Files (x86)\CA\SOI\Patches"
You will find "Uninstall_<Patch Name>" folder
cd "Uninstall_SOIPatch_RO56291"
run "Uninstall_RO56291.exe"
===========================================
After posting this to the communities, yuhung asked if IWA can be used for authentication.
SiteMinder picks up the username as "Domain\UserID", thus no matching user will be found from SOI.
One option is to use a Solution Module called "SmOverrideAuth", which will use "UserID" and strip off the Domain from IWA.
Or, the customer can develop a custom authentication module to do the same.