Symantec Access Management


Enabling SSL for SiteMinder AdminUI-12.7

  • 1.  Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 09, 2017 06:59 PM

    Hello All,

     

    Can someone please let me know how to enable SSL for SiteMinder AdminUI 12.7?

     

    Here are the steps that I followed to enable SSL for SiteMinder AdminUI 12.52 SP1 CR06:

    1) Created a keystore named adminui.keystore and added our organizational certs to it.

    2) Copied adminui.keystore to the location /opt/SiteMinder/siteminder/adminui/server/default/conf.

    3) Modified the keystore location and password in run.conf under /opt/SiteMinder/siteminder/adminui/bin like this:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=$JBOSS_HOME/server/default/conf/adminui.keystore"

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=xxxxxxx"

    4) Modified parameters like keystoreFile, keystorePass, and port in server.xml under /opt/SiteMinder/siteminder/adminui/server/default/deploy/jbossweb.sar like this:

     

    <Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" connectionTimeout="20000" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="10240" maxPostSize="0" port="8443" protocol="HTTP/1.1" redirectPort="8443"/>

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="adminui" keystoreFile="/opt/SiteMinder/siteminder/adminui/server/default/conf/adminui.keystore" keystorePass="xxxx" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>

     

    Here is the documentation that has been shared by a CA Support Engineer for 12.52. Is there any documentation like this for 12.7? I ask because I see there are a lot of changes in the file naming and directory structures in 12.7.

     

    How to obtain and import a Trusted Certificate into the CA Single Sign-On Administrative UI 

     

    Thanks,

    Naveen



  • 2.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Broadcom Employee
    Posted Oct 09, 2017 10:25 PM

    Naveen,

     

    Follow the steps below to enable SSL on the 12.7 AdminUI and to import a trusted certificate (optional).

    Install the Administrative UI on Linux (stand-alone) - CA Single Sign-On - 12.7 - CA Technologies Documentation 

    1. Configure the Administrative UI to Use an SSL (HTTPS) Connection

    By default, the Administrative UI is accessed using an unsecured (HTTP) connection. After you register the Administrative UI with the Policy Server, you can configure the Administrative UI to use an SSL (HTTPS) connection. To change the connection, modify the web.xml file of the embedded JBoss application server and enable secure cookies.

    Follow these steps:

    1. Shut down the application server.
    2. Navigate to the following location: user_console.war\WEB-INF
    3. Open the web.xml file.
    4. Add the <secure> attribute to the cookie-config section and set it to true:

      <session-config>
        <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
        </cookie-config>
      </session-config>

    5. Save and close the file.
    6. Restart the application server.
      The web.xml file is updated and secure cookies are enabled.

    2. Obtain and Import a Trusted Certificate into the Administrative UI

     

    (Optional) Obtain and Import a Trusted Certificate into the Administrative UI - CA Single Sign-On - 12.7 - CA Technologi… 
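
A way to confirm the `cookie-config` change from the steps above before restarting the application server. This is an added example, not part of the thread or of CA's documentation; the function name and the sample `web.xml` text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("http-only", "secure")  # the two flags shown in the documented cookie-config

def local(tag):
    """Drop the XML namespace so a namespaced web.xml matches too."""
    return tag.rsplit("}", 1)[-1]

def cookie_flag_problems(web_xml_text):
    """Return a list of problems with <cookie-config>; an empty list means both flags are set."""
    root = ET.fromstring(web_xml_text)
    configs = [el for el in root.iter() if local(el.tag) == "cookie-config"]
    if not configs:
        return ["no <cookie-config> element found"]
    problems = []
    for cfg in configs:
        values = {local(c.tag): (c.text or "").strip().lower() for c in cfg}
        for flag in REQUIRED:
            if flag not in values:
                problems.append("<%s> is missing" % flag)
            elif values[flag] != "true":
                problems.append("<%s> is '%s', expected 'true'" % (flag, values[flag]))
    return problems

# Constructed samples: a web.xml before and after step 4 of the procedure.
BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""
AFTER = BEFORE.replace("</http-only>", "</http-only>\n      <secure>true</secure>")

if __name__ == "__main__":
    print("before:", cookie_flag_problems(BEFORE))
    print("after: ", cookie_flag_problems(AFTER))
```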



  • 3.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 11, 2017 07:12 PM

    Hi Naveen007

     

    Do you still need any help on this? Can you please confirm if the solution provided by Ashok resolved your issue?



  • 4.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 11:45 AM

    Ujwol,

     

    The issue we are facing right now is that even if we access AdminUI using https://adminuiserver.domain.com:8443/iam/siteminder/console/ it is, for some reason, redirecting back to http://adminuiserver.domain.com:8080/iam/siteminder/console/

    Not sure why AdminUI is redirecting us from 8443 to 8080. We thought that if we access it through 8443, it needs to invoke the self-signed cert that comes with the AdminUI installation. Can you please let me know why it is going to port 8080 by default?

     

    Thank you,

    Naveen



  • 5.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 01:00 PM

    Port 8080 is probably the port you used to access the WAM UI when you first accessed it after installation.  Once you do that, it always wants to go back to that port.  You need to access the WAM UI using 8443 for the very first access attempt and then when you access 8080 it will send you to 8443.  I haven't taken the time to find out where 8080 is getting written to cause this behavior.  I always access on 8443 to ensure the WAM UI uses SSL.



  • 6.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 03:27 PM

    David,

    I know that we accessed WAM UI through 8080 for the first time after the installation. But now we want to access it through port 8443 for security purposes. Based on your reply, I see that the only way to access WAM UI through 8443 is to access it through 8443 for the first time after the installation.

    In our scenario we have already registered 12 policy servers as trusted hosts, so we are not really looking into an option to re-install the WAM UI and access it through 8443 for the first time. Is there any way that we can access WAM UI through 8443 without a re-install?

     

    I really appreciate all your help on this thread.

     

    Thank you,

    Naveen 



  • 7.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 04:34 PM

    Naveen

     

    When we run the following commands what is the output?

     

    netstat -an | grep 8080

    netstat -an | grep 8443



  • 8.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 05:59 PM

    Dennis,

    These are the outputs that I am getting when I run the commands that you mentioned above.

     

    -sh-4.1$ netstat -an | grep 8080
    tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
    tcp 0 0 10.86.19.83:8080 10.75.32.175:62977 ESTABLISHED
    tcp 0 0 10.86.19.83:8080 10.75.32.175:62976 ESTABLISHED
    tcp 0 0 10.86.19.83:8080 10.75.32.175:62975 ESTABLISHED
    tcp 0 0 10.86.19.83:8080 10.75.32.175:62974 ESTABLISHED
    tcp 0 0 10.86.19.83:8080 10.75.32.175:62973 ESTABLISHED
    -sh-4.1$ netstat -an | grep 8443
    tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
    -sh-4.1$

     

    Thank you,

    Naveen



  • 9.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 12, 2017 06:25 PM

    OK this is good info. It seems like all your WAM UI requests are binding on 8080.

     

    In my setup which is running 8443, it is the reverse.

     

    [smuser@server adminui]$ netstat -an | grep 8080
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
    [smuser@server adminui]$ netstat -an | grep 8443
    tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
    tcp        0      0 10.100.204.706:8443      10.12.14.27:63597    ESTABLISHED
    tcp        0      0 10.100.204.706:8443      10.12.14.27:63595    ESTABLISHED
    [smuser@server adminui]$

     

    I am trying to see where this setting is. https://developer.jboss.org/thread/253008?_sscc=t 

     

    As David suggested, the first access is crucial. But in the past we have flipped it to SSL. With 12.7 it is JBoss WildFly, I believe. Need to grab the right settings.

     

    Must be in the standalone.xml,

    adminui/standalone/configuration/standalone-full.xml

    adminui/standalone/configuration/standalone.xml

     

    The moment JBoss starts binding on IP Address:8443, your WAMUI will start working solely on 8443. Currently the WAMUI is binding on IP Address:8080. Hence even if we access on 8443, it gets routed to 8080.

    Unsure if this would help. Here's what is in my standalone-full.xml. Could we compare this against yours?

     

                <server name="default-server">
                    <http-listener name="default" socket-binding="http"/>
                    <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
                    <host alias="localhost" name="default-host">
                        <location handler="welcome-content" name="/"/>
                        <filter-ref name="server-header"/>
                        <filter-ref name="x-powered-by-header"/>
                    </host>
                </server>
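
For anyone comparing their own `standalone-full.xml` against the listener block posted above, here is a small audit of the listener attributes. This is an added example, not part of the thread or of the product; the function names and the marker lists for weak suites and deprecated protocols are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Markers for suites no longer considered safe: RC4, DES/3DES, MD5 MACs, NULL/EXPORT/anon.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_MD5", "_NULL_", "_EXPORT", "_anon_")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def local(tag):
    """Drop the XML namespace so a full, namespaced config file matches too."""
    return tag.rsplit("}", 1)[-1]

def split_list(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def audit_listeners(xml_text):
    """Return (listener name, finding) tuples for every HTTP(S) listener found."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind, name = local(el.tag), el.get("name", "?")
        if kind == "http-listener":
            findings.append((name, "plain HTTP listener is still enabled"))
        elif kind == "https-listener":
            suites = split_list(el.get("enabled-cipher-suites"))
            if not suites:
                findings.append((name, "no explicit cipher list configured"))
            for suite in suites:
                if any(m in suite for m in WEAK_MARKERS):
                    findings.append((name, "weak cipher suite " + suite))
            for proto in split_list(el.get("enabled-protocols")):
                if proto in OLD_PROTOCOLS:
                    findings.append((name, "deprecated protocol " + proto))
    return findings

# Sample input: the two listener elements from the post above, re-indented.
SAMPLE = """<server name="default-server">
  <http-listener name="default" socket-binding="http"/>
  <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
</server>"""

if __name__ == "__main__":
    for name, finding in audit_listeners(SAMPLE):
        print("%-8s %s" % (name, finding))
```

On the posted block this reports the plain HTTP listener, five RC4/3DES suites and TLSv1.1; the AES suites and TLSv1.2 pass.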



  • 10.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 13, 2017 12:12 PM

    Hubert,

     

    Thanks for looking into this. Now I am able to access WAM UI via https through 8443 port. Thanks for looking into this.

     

    Thank you,

    Naveen



  • 11.  RE: Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Nov 13, 2019 01:28 PM
    Hello Ujwol,

    I've followed the Broadcom documentation for enabling SSL in AdminUI for an SPS version 12.8 SP2, and it worked fine.
    Since our client generates and signs its own certificate (we don't generate a CSR from the PS server), we have to change the password from the default 'changeit' to the one our client uses for the certificate. The issue I'm facing is that the file standalone-full.xml is where you update this password, and for security reasons the client does not allow writing a plain-text password.

    Is there a way to encrypt the password or file, so it gets secured?

    Thank you in advance.


  • 12.  Re: Enabling SSL for SiteMinder AdminUI-12.7
    Best Answer

    Posted Oct 12, 2017 10:01 PM

    Hi Naveen007,

     

    Could you please try this out:

     

    The specified item was not found. 

     

    Regards,

    Ujwol

    Ujwol's Single Sign-On Blog 



  • 13.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Posted Oct 13, 2017 12:10 PM

    Ujwol,

     

    I followed your documentation. Now I am able to access WAM UI via https through port 8443. Thanks for the help on this.

     

    Thank you,

    Naveen 



  • 14.  Re: Enabling SSL for SiteMinder AdminUI-12.7

    Broadcom Employee
    Posted Nov 08, 2017 11:18 PM

    Hi

     

    Just an extra note - for info.

     

    I've just been dealing with this issue at a client site: I noticed that if you re-register the AdminUI (delete the "data" directory and restart the JBoss server), at the point you bring up the /iam/siteminder/adminui page for the logon to complete the registration, you can now choose whether to bring this page up as HTTP or HTTPS, and that choice seems to determine the mode AdminUI runs in moving forward.

     

    Regards

    David