How to Integrate SiteMinder + SOI + EEM

Blog Post created by SungHoon_Kim Employee on Nov 27, 2015

I wrote this article 2 years ago and I am moving it here from Integration - SM + SOI + EEM






SOI 3.0 Installer shows the following components to install

Install them in the listed order. Connectors are optional.






Java runtime (required by EEM installation): JRE 1.6.0_05 (32bit)



CA Embedded Entitlements Manager (EEM)



CA Service Operations Insight



CA Service Operations Insight - Integration Services



CA Service Operations Insight - Sample Connector



CA Service Operations Insight - Domain Connector





1. JRE 1.6.0_05: 32bit, C:\Program Files (x86)\Java\jre1.6.0_05

                Installed from SOI 3.0 installation

2. EEM: 32bit, C:\Program Files (x86)\SC\

                Installs CA Directory (32bit, C:\Program Files (x86)\CA\Directory)

                C:\Program Files (x86)\CA\SharedComponents\Embedded IAM

                Integrated with SM. (Follow the EEM documentation for SM integration.)

                You can view the SM user directory list if correct values are entered.

                If this does not connect to SM, check the following log for errors:

                C:\Program Files (x86)\CA\SharedComponents\iTechnology\eiamsm.log

                Or try restarting the dxserver and iGateway services.


3. SOI 3.0: 32bit, C:\Program Files (x86)\CA\SOI

                Service Assurance Administrator Credential:



                As EEM is now integrated with SM, you need to configure EEM.

                Log on to SOI application SSA-SOI as Eiam/password.


Go to "Manage Identities" and click the "Go" button.



Click on the user (in my case it is "Sung Hoon Kim"), then click "Add Application User Details"!!!

Make sure the user is in an adequate group and save.


You can now log out and log in to SOI using the SM users.


The console will also show your username.





DB Admin Credential


                Database Name: SAMStore


4. MSSQL 2008 R2



5. Adobe Flash Player


6. Apache 2.2.17 installed as reverse proxy


#============ Added for SOI Integration ==============#


ProxyRequests off

ProxyPreserveHost on



<Location /sam>






<Location /sam/admin>





<Location /sam/debug>






                and you get access to the backend SOI


                Some additional proxies are set up for troubleshooting.




7. SiteMinder Web Agent

                As the web server is 32bit, I installed the R12.51CR1 Web Agent.

                The Agent Configuration Wizard detects the Apache web server successfully.

                Configured to protect /sam/ui/ (normal agent) and /iamt.html (4.x agent).

                Authenticates and authorizes users from "CA Directory", which is selected in the EEM side configuration.

                Please follow the EEM document for the SM side configuration.


                /sam/ui/ is protected by the HTML Authentication Scheme to make it easier to differentiate whether the login challenge is from SiteMinder or SOI.



VERY IMPORTANT: The Apache proxy should proxy "/sam" to the backend SOI.

But the Web Agent must not protect "/sam"; it should protect "/sam/ui/".

Otherwise, you will get multiple unexpected challenges and an exception when accessing the "console".


1st challenge (in this sample, I used Basic Auth for easier viewing)


2nd challenge


3rd challenge
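
The reverse proxy from step 6 and the "/sam" versus "/sam/ui/" rule from step 7, written out as an added example (it is not the configuration from the original post). SOI_HOST:SOI_PORT is a placeholder for the backend SOI server, 192.0.2.10 is a constructed address, and limiting /sam/debug by source address is an assumption added here, not something the post configured.

```apache
#============ Added for SOI Integration ==============#
# Requires mod_proxy and mod_proxy_http to be loaded.

# Reverse proxy only: never act as a forward (open) proxy.
ProxyRequests Off
# Pass the client's Host header through to the backend.
ProxyPreserveHost On

# Proxy the whole /sam tree to the backend SOI server.
# SOI_HOST:SOI_PORT is a placeholder; replace it with your SOI server.
<Location /sam>
    ProxyPass        http://SOI_HOST:SOI_PORT/sam
    ProxyPassReverse http://SOI_HOST:SOI_PORT/sam
</Location>

# Assumption (not from the original post): the troubleshooting path is
# reachable through the /sam block above, so limit who can request it.
# Apache 2.2 syntax (mod_authz_host); 192.0.2.10 is a constructed address.
<Location /sam/debug>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Location>

# Nothing in this file puts /sam under SiteMinder protection. The Web
# Agent protects only /sam/ui/, and that scope is set by the realm's
# resource filter on the Policy Server, not in httpd.conf.
```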










Applied SOI 3.1

The SOI 3.1 console requires JRE 1.6.0_25+, so the existing JRE 1.6.0_05 will not work.

The workaround is to log in from a client that has 1.6.0_25+.

Or, if you need to log in from the SOI machine, you can install 1.6.0_25+ on the SOI machine.

Note: DO NOT UNINSTALL the existing JRE 1.6.0_05; otherwise EEM will not display the SM integration and will fail to connect to the SiteMinder Policy Server.


VERY IMPORTANT: You MUST have at least SOI 3.1 for SSO with SiteMinder. 3.0 does not recognize the SMSESSION cookie, so SSO will not work.


Steps to upgrade

  1. Shut down all SOI services.

C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd stop


  2. Run the SOI 3.1 installer.


                Select "Do not start services"; starting them can be done manually after the upgrade.


  3. Install JRE 1.6.0_25+ (32bit).

I installed 1.6.0_45 (32bit).

                Do not uninstall the previous JRE 1.6.0_05 (32bit) from this machine, as it is required by EEM. SM integration will break if you uninstall JRE 1.6.0_05.

                If you did, you must update the "C:\Program Files (x86)\CA\SharedComponents\iTechnology\igateway.conf" file: locate <JVMSettings>.


If your JRE is not 1.6.0_25+, the SOI console will fail to load and throw an exception.

If you will not log on to SOI from this machine, you can skip this step.

You can also install 1.7.x (32bit) on the client machine that you will be logging on to SOI from; I tested this and it worked. But it is always best practice to match the major version required.



  4. Start up the SOI services.

C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd start


  5. Test logging on to SOI using a SiteMinder user.

If this fails, the upgrade is not successful.

                If the upgrade is deemed a failure, you can uninstall 3.1.


  6. Uninstall 3.1 if the upgrade failed.

cd "C:\Program Files (x86)\CA\SOI\Patches"

You will find an "Uninstall_<Patch Name>" folder.

cd "Uninstall_SOIPatch_RO56291"

Run "Uninstall_RO56291.exe".



After posting this to the communities, yuhung asked if IWA can be used for authentication.

SiteMinder picks up the username as "Domain\UserID", so no matching user will be found in SOI.


One option is to use a Solution Module called "SmOverrideAuth", which will use "UserID" and strip off the Domain from IWA.

Or the customer can develop a custom authentication module to do the same.