SungHoon_Kim

How to Integrate SiteMinder + SOI + EEM

Blog Post created by SungHoon_Kim Employee on Nov 27, 2015

I wrote this article 2 years ago and I am moving it here from Integration - SM + SOI + EEM

 

 

ReadMe1st

 

 

SOI 3.0 Installer shows the following components to install.

Install them in the listed order. Connectors are optional.

| Platform | Product |
|----------|---------|
| Windows | Java runtime (required by EEM installation): JRE 1.6.0_05 (32bit) |
| Windows | CA Embedded Entitlements Manager (EEM) |
| Windows | CA Service Operations Insight |
| Windows | CA Service Operations Insight - Integration Services |
| Windows | CA Service Operations Insight - Sample Connector |
| Windows | CA Service Operations Insight - Domain Connector |

 

 

 

Components

1. JRE 1.6.0_05: 32bit, C:\Program Files (x86)\Java\jre1.6.0_05

   Installed from the SOI 3.0 installation.

2. EEM: 32bit, C:\Program Files (x86)\SC\

   Installs CA Directory (32bit, C:\Program Files (x86)\CA\Directory)

   EiamAdmin/password

   C:\Program Files (x86)\CA\SharedComponents\Embedded IAM

   Integrated with SM. (Follow the EEM documentation on SM integration.)

   Can view the SM user directory list if correct values are entered.

   If this does not connect to SM, check the following log for errors:

   C:\Program Files (x86)\CA\SharedComponents\iTechnology\eiamsm.log

   Or try restarting the dxserver and iGateway services.

 

3. SOI 3.0: 32bit, C:\Program Files (x86)\CA\SOI

   Service Assurance Administrator Credential:

   samuser/Siteminder1

   As EEM is now integrated with SM, you need to configure EEM.

   Log on to the SOI application SSA-SOI as Eiam/password.

   Go to "Manage Identities" and click the "Go" button.

   Click on the user (in my case it is "Sung Hoon Kim"), then click "Add Application User Details"!!!

   Make sure the user is in an adequate group and save.

   You can now log out and log in to SOI using the SM users.

   The console will also show your username.

   DB Admin Credential

   sa/Siteminder1

   Database Name: SAMStore

 

4. MSSQL 2008 R2

                sa/Siteminder1

 

5. Adobe Flash Player

 

6. Apache 2.2.17 installed as reverse proxy

 

    #============ Added for SOI Integration ==============#

    # Reverse proxy only: do not act as a forward proxy
    ProxyRequests off
    # Pass the client's Host header through to the backend
    ProxyPreserveHost on

    # SOI application (backend port 7070)
    <Location /sam>
        ProxyPass http://soi.kim.net.my:7070/sam
        ProxyPassReverse http://soi.kim.net.my:7070/sam
    </Location>

    # Troubleshooting pages (backend port 7090)
    <Location /sam/admin>
        ProxyPass http://soi.kim.net.my:7090/sam/admin
        ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
    </Location>

    <Location /sam/debug>
        ProxyPass http://soi.kim.net.my:7090/sam/debug
        ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
    </Location>

 

   Browse to http://soi.kim.net.my/sam/ui and you get access to the backend SOI.

   Some additional proxies are set up for troubleshooting:

   http://soi.kim.net.my/sam/admin

   http://soi.kim.net.my/sam/debug

 

7. SiteMinder Web Agent

   As the web server is 32bit, I installed R12.51CR1 Web Agent.

   The Agent Configuration Wizard detects the Apache web server successfully.

   Configured to protect /sam/ui/ (normal agent) and /iamt.html (4.x agent).

   Authenticates and authorizes users from "CA Directory", which is selected in the EEM side configuration.

   Please follow the EEM document for the SM side configuration.

   /sam/ui/ is protected by the HTML Authentication Scheme to make it easier to differentiate whether the login challenge is from SiteMinder or SOI.

 

 

VERY IMPORTANT: The Apache proxy should proxy "/sam" to the backend SOI, but the Web Agent must not protect "/sam"; it should protect "/sam/ui/".

Otherwise, you will get multiple unexpected challenges and an exception when accessing the "console":

1st challenge (in this sample, I used Basic Auth for easier view)

2nd challenge

3rd challenge

Exception

 

 

 

 

 

==========================================

Applied SOI 3.1

The SOI 3.1 console requires JRE 1.6.0_25+, so the existing JRE 1.6.0_05 will not work.

The workaround is to log in from a client that has 1.6.0_25+.

Or, if you need to log in from the SOI machine, you can install 1.6.0_25+ on the SOI machine.

Note: DO NOT UNINSTALL the existing JRE 1.6.0_05; otherwise EEM will not display the SM integration and will fail to connect to the SiteMinder Policy Server.

VERY IMPORTANT: You MUST have at least SOI 3.1 to SSO with SiteMinder. 3.0 does not recognize the SMSESSION cookie, so SSO will not work.

 

Steps to upgrade

1. Shut down all SOI services.

   C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd stop

2. Run the SOI 3.1 installer.

   RO56291.exe

   Select "Do not start services"; this can be done manually after the upgrade.

3. Install JRE 1.6.0_25+ (32bit).

   I installed 1.6.0_45 (32bit).

   Do not uninstall the previous JRE 1.6.0_05 (32bit) from this machine, as it is required by EEM. SM integration will break if you uninstall JRE 1.6.0_05. If you did, you must update the "C:\Program Files (x86)\CA\SharedComponents\iTechnology\igateway.conf" file; locate <JVMSettings>.

   If your JRE is not 1.6.0_25+, the SOI console will fail to load and throw an exception.

   If you will not log on to SOI from this machine, you can skip this step.

   You can also install 1.7.x (32bit) on the client machine that you will be logging on to SOI from; I tested it and it worked. But it is always a best practice to match the major version required.

4. Start up SOI services.

   C:\Program Files (x86)\CA\SOI\jsw\bin> SAM_Services.cmd start

5. Test logging on to SOI using a SiteMinder user.

   If this fails, the upgrade is not successful. If the upgrade is deemed a failure, you can uninstall 3.1.

6. Uninstall 3.1 if the upgrade failed.

   cd "C:\Program Files (x86)\CA\SOI\Patches"

   You will find an "Uninstall_<Patch Name>" folder.

   cd "Uninstall_SOIPatch_RO56291"

   Run "Uninstall_RO56291.exe".

 

===========================================

After posting this to the communities, yuhung asked if IWA can be used for authentication.

With IWA, SiteMinder picks up the username as "Domain\UserID", so no matching user will be found in SOI.

One option is to use a Solution Module called "SmOverrideAuth", which will use "UserID" and strip off the Domain from IWA.

Or, the customer can develop a custom authentication module to do the same.
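The domain stripping described above, as an added Python example (not from the original post and not SmOverrideAuth's code). The function names, the KIMNET domain, the sample directory and the domain allowlist are assumptions for illustration.

```python
# Added example (not from the original post or from SmOverrideAuth).
# DIRECTORY and the domain name KIMNET are constructed sample values.

class UsernameError(ValueError):
    """Raised when an IWA login name cannot be mapped safely to a UserID."""

# Constructed stand-in for the user store SOI/EEM searches: bare UserIDs only.
DIRECTORY = {"jdoe": "Jane Doe", "asmith": "Alan Smith"}

# Characters that should never appear in a UserID passed to a directory lookup.
FORBIDDEN = set('\\/@*()=,\x00')

def strip_iwa_domain(login, allowed_domains):
    """Turn 'Domain\\UserID' into 'UserID', accepting only allowlisted domains.

    Dropping the domain merges DOMAIN_A\\jdoe and DOMAIN_B\\jdoe into one
    identity, so only the domain(s) that back the directory are accepted.
    """
    if login.count("\\") != 1:
        raise UsernameError("expected exactly one 'Domain\\UserID' separator")
    domain, user_id = login.split("\\")
    if domain.upper() not in {d.upper() for d in allowed_domains}:
        raise UsernameError("domain %r is not allowlisted" % domain)
    if not user_id or user_id != user_id.strip() or FORBIDDEN & set(user_id):
        raise UsernameError("malformed UserID")
    return user_id

def find_user(login, allowed_domains, directory=DIRECTORY):
    """Look up the display name for an IWA login; None if no such UserID."""
    user_id = strip_iwa_domain(login, allowed_domains)
    # Assumption: the directory matches UserIDs case-insensitively.
    return directory.get(user_id.lower())

if __name__ == "__main__":
    print(DIRECTORY.get("KIMNET\\jdoe"))            # raw IWA name: no match
    print(find_user("KIMNET\\jdoe", ["KIMNET"]))    # normalised: match
```
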
