

Administrative User Interface Management

The Policy Server is managed through a user interface that is generated dynamically based on the administrative privileges of the user.

Important! When working on the task pane on the right, always save your changes before opening or closing the menu pane on the left or navigating to another task.

Do not use the Refresh or Back buttons of the browser while using the CSP console. Using these buttons resubmits the form, repeats the action that was initiated by clicking a button in the form, and creates an invalid state.

Administrative UI Overview

The Policy Server is managed through a graphical user interface. The interface is generated dynamically based on the administrative privileges of the user. This chapter discusses how to log in to the CSP console and the common procedures that you use while configuring and managing Policy Server objects.

The Administrative UI contains two panes:

The menu of tasks on the left can be open or closed. If the menu is closed, you can open it by clicking the right-facing arrow. Likewise, if the menu is open, you can close it by clicking the left-facing arrow.


Start the Administrative UI

Follow these steps:

  1. Open a web browser:
  2. Enter the credentials of a CA SiteMinder® administrator.
  3. Click Login.

    The system displays the relevant tabs for your administrator privileges. The contents of this window differ based on the privileges of the administrator account you use to log in to the CSP console.

Manage Policy Server Objects

The CSP console lets you view, modify, and delete Policy Server objects. Although the details of each task differ by object, the general methods are similar. For example, the procedure for deleting an agent is similar to the procedure for deleting a response.

Copy Policy Server Objects

The easiest way to create a Policy Server object is to copy an existing object and modify its properties. You can use the properties of the existing object as a template, only changing the information that is different for the new object. The copy option is not available for all objects.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Navigate to the subcomponent type that contains the object you want to duplicate.

    Example: Click Infrastructure, Agent.

  2. Select the type of object you want to duplicate.

    Example: Agent

  3. Click Create.
  4. Select Create a copy of an object, specify search criteria, and click Search.
  5. Select an object from the list and click OK.
  6. Enter a new name and description.
  7. Modify the properties that are different for the new object and click Submit.

    The object is created.

View Policy Server Object Properties

You can view the properties of a Policy Server object.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Select the subcomponent of the object that you want to view.

    Example: Select Policies, Domain.

  2. Click the type of object.

    Example: Domain

  3. Specify search criteria and click Search.
  4. Click the name of the object that you want to view.

    The View screen appears with information about the object you selected.

Modify an Existing Policy Server Object

The CSP console lets you modify the properties of existing Policy Server objects.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Navigate to the subcomponent of the object that you want to modify.

    Example: Click Policies, Domain.

  2. Click the object that you want to modify.

    Example: Realms

  3. Specify search criteria and click Search.
  4. Click the name of the object that you want to modify.
  5. Scroll to the bottom of the page and click Modify.
  6. Make the required changes and click Submit.

    The object is modified.

Delete a Policy Server Object

You can delete a Policy Server object that is no longer needed.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Select the subcomponent of the object that you want to delete.

    Example: Click Infrastructure, Authentication.

  2. Click the type of object.

    Example: Authentication Schemes

  3. Specify search criteria and click Search.
  4. Select the object that you want to delete.
  5. Click Delete.
  6. Confirm that you want to delete the object.

    The Policy Server object is deleted.

Manage Task-persistence Database

Every CSP console task stays in the task-persistence database indefinitely or until removed by a CA SiteMinder® administrator. You can remove tasks from the database and free up disk space by scheduling cleanup tasks. Cleanup tasks allow you to manage the size of the task-persistence database and improve runtime performance.

Every task exists in the task-persistence database in one of the following states:

Cleanup tasks can remove tasks in the audit state and completed state from the task-persistence database. Cleanup tasks cannot remove submitted tasks that are still pending.

You can schedule, modify, and delete cleanup tasks through the following two options:

Clean Up Submitted Tasks

Use this option to schedule new cleanup tasks or modify existing ones.

Delete Recurring Tasks

Use this option to delete scheduled cleanup tasks.

Cleanup Submitted Tasks

You configure cleanup tasks to remove tasks in the completed state and the audit state from the database. You can also configure limits for the cleanup task itself.

Note: You can only run scheduled jobs for cleaning up the submitted tasks when you log in as the System Manager. The System Manager account is defined using the Configure Administrative Authentication option. This account is used during the initial registration of the CSP console and can be from an external administrator store. The cleanup submitted task functionality is not available to any other administrators, including administrator accounts with super user permissions.

Follow these steps:

  1. Click Administration, Admin UI, Clean Up Submitted Tasks.
  2. Select one of the following option buttons:
  3. Specify the name of the cleanup task in the Job Name field, the type of schedule, and the scheduling details on the scheduling sections. Click Next.
  4. Complete the following fields:
    Minimum Age

    Specifies the minimum age in Months, Weeks, Days, Hours, or Minutes of the completed tasks that must be removed.

    Note: Task age is measured from the time that tasks are completed.

    Audit Timeout

    (Optional) Specifies the maximum number of days to keep tasks in the audit state in the task-persistence database.

    Limits: one or greater

    Default: one

    Time Limit

    (Optional) Specifies a time limit in minutes for the cleanup task.

    Task Limit

    (Optional) Specifies a task limit for the cleanup task.

  5. Click Finish.

    The Cleanup task is submitted for processing.

Delete Recurring Tasks

You can delete scheduled cleanup tasks that are no longer needed.

Follow these steps:

  1. Click Administration, Admin UI, Delete Recurring Tasks.
  2. Select one or more of the scheduled cleanup tasks that must be deleted.
  3. Click Submit.

    The delete task is submitted for processing.

How the Web Agent and Policy Server Calculate Time

For each system that has a Policy Server or Web Agent installed, you must set the system clock for the time zone appropriate to that system’s geographical location. Policy Servers and Web Agents use the time zones to calculate time relative to Greenwich Mean Time (GMT).

The following figure shows how the Policy Server executes a policy relative to time. A resource is stored on a Web Server in Massachusetts and is protected by a Policy Server in California. The policy allows access to the resource between 9:00 a.m. and 5:00 p.m. However, the user in Massachusetts can still access the resource at 6:00 p.m. because the policy is based on the Policy Server’s time zone, Pacific Standard Time (PST), which is 3 hours behind the Web Agent’s time zone, Eastern Standard Time (EST).

Graphic showing how the Policy Server executes a policy relative to time

Note: For Windows systems, the time zone and the time of day that you set in the Date/Time control panel must agree. For example, to reset a system in the USA from Eastern Standard Time to Pacific Time, you must set the system’s clock back three hours and change the time zone to Pacific Standard Time. If these two settings do not match, single sign-on across multiple domains and agent key management will not work properly.
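
The scenario above as an added example (not part of the CA documentation): it evaluates the 9:00 a.m. to 5:00 p.m. window on the Policy Server's clock, and shows how far the derived GMT drifts when the zone setting disagrees with the wall clock, as in the Windows note. The fixed PST/EST offsets, the sample date, the end-exclusive window, and all function names are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# Fixed standard-time offsets for the two zones named in the text (assumption: no DST).
PST = timezone(timedelta(hours=-8), "PST")  # Policy Server in California
EST = timezone(timedelta(hours=-5), "EST")  # Web Agent and user in Massachusetts

# Policy window from the text; treating the end as exclusive is an assumption.
WINDOW_START = time(9, 0)
WINDOW_END = time(17, 0)
SAMPLE_DAY = date(2024, 1, 15)  # constructed sample date


def policy_allows(request_instant, policy_server_tz=PST):
    """Check the window against the Policy Server's wall clock, not the user's."""
    if request_instant.tzinfo is None:
        raise ValueError("request time must be timezone-aware")
    server_local = request_instant.astimezone(policy_server_tz).time()
    return WINDOW_START <= server_local < WINDOW_END


def window_as_seen_from(viewer_tz, policy_server_tz=PST, day=SAMPLE_DAY):
    """Express the policy window in the wall-clock time of another zone."""
    start = datetime.combine(day, WINDOW_START, policy_server_tz)
    end = datetime.combine(day, WINDOW_END, policy_server_tz)
    return start.astimezone(viewer_tz).time(), end.astimezone(viewer_tz).time()


def gmt_error_from_wrong_zone(wall_clock, configured_tz, actual_tz):
    """Wall clock is right for actual_tz but the host is labelled configured_tz:
    return how far the GMT the host derives is from the true GMT."""
    derived = wall_clock.replace(tzinfo=configured_tz).astimezone(timezone.utc)
    true = wall_clock.replace(tzinfo=actual_tz).astimezone(timezone.utc)
    return derived - true


if __name__ == "__main__":
    six_pm_est = datetime(2024, 1, 15, 18, 0, tzinfo=EST)
    ten_am_est = datetime(2024, 1, 15, 10, 0, tzinfo=EST)
    print("6:00 p.m. EST allowed:", policy_allows(six_pm_est))
    print("10:00 a.m. EST allowed:", policy_allows(ten_am_est))
    print("Window on the user's clock:", window_as_seen_from(EST))
    print("GMT error, zone changed but clock not moved:",
          gmt_error_from_wrong_zone(datetime(2024, 1, 15, 18, 0), PST, EST))
```

When reviewing time-restricted policies, convert the window into each agent's local time as done here, so that the hours users can actually reach the resource match what the policy owner intended.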