

Adding CA SiteMinder to an Existing CA Identity Manager Deployment

This section provides detailed instructions for adding CA SiteMinder to an existing CA Identity Manager environment (after CA Identity Manager has been installed). Before you begin, ensure that you have access to the following documents for reference:

Follow these steps:

Important! All existing password policy configurations will be lost. Password policies are not portable when moving from an environment without CA SiteMinder to an environment with CA SiteMinder.

  1. Verify that you have a Web Server.
  2. Install and configure a proxy forwarder on the Web Server that forwards requests to the application server.
  3. Install and configure a CA SiteMinder Policy Server and Web Agent for this Web Server.

    Create a 4.x agent for use as the CA Identity Manager-CA SiteMinder tunnel agent, in addition to the Web Agent created in the previous step. You create the 4.x agent manually using the SM Administrative UI. Specify the IP address of the Policy Server as the Trust server setting. Use only one 4.x agent for each application server cluster. You do not install any 4.1 agent on the CA Identity Manager server.

    Note: For more information, see the CA SiteMinder Policy Server Installation Guide and the CA SiteMinder Web Agent Installation Guide.

  4. Import the CA Identity Manager policy store schema to the policy store.
  5. Run the CA Identity Manager installer on the machine where the CA SiteMinder Policy Server is installed.

    Select only the Extensions for the CA SiteMinder option when you run the installer.

  6. In the Management Console, export the CA Identity Manager directories and environments.
  7. Delete all directories and environments after the export completes.
  8. Edit the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF, as follows:
    1. If you are supporting FIPS, set ValidateSMHeadersWithPS to true.
    2. Search for the Enabled config-property and then change the config-property-value to true.
    3. In the ConnectionURL property, fill in the IP or hostname of the CA SiteMinder Policy Server.
    4. In the UserName property, fill in the name of the CA SiteMinder administrator.
    5. Encrypt the password of the CA SiteMinder administrator using the CA Identity Manager Password Tool and put it in the AdminSecret property. The Password Tool is located at:

      admin_tools\PasswordTool\pwdtools.bat

      where admin_tools is the installed location of the Administrative Tools, which are installed in one of the following locations:

      Windows: C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools

      UNIX: /opt/CA/IdentityManager/IAM_Suite/Identity_Manager/tools

    6. In the AgentName property, fill in the name of the 4.x Agent configured for the CA Identity Manager-CA SiteMinder tunnel.
    7. Encrypt the password of the Agent using the CA Identity Manager Password Tool and put it in the AgentSecret property.

    Note: For more information on modifying the ra.xml file, see Enable the CA SiteMinder Policy Server Resource Adapter.

  9. Edit the web.xml file located in iam_im.ear\user_console.war\WEB-INF and set Enabled = false for the FrameworkAuthFilter.

    Note: For WebSphere, the web.xml is located in WebSphere_home/AppServer/profiles/Profile_Name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/user_console.war/WEB-INF

  10. (WebSphere Only) Update the policyServer object in the Administrative Console with the same values as in the ra.xml file.
  11. Restart the application server.
  12. For an RDB user store only, do the following tasks:
    1. Configure a data source that CA SiteMinder uses to connect to the user directory.

      Note: For more information on configuring the data source, see the CA SiteMinder Policy Server Installation Guide.

    2. Add the CA SiteMinder data source information to the directory by editing the directory.xml file. In the directory.xml file, locate the line containing the <JDBC datasource="jdbc/userstore"/> tag and add the following two lines after it, with your user name and encrypted password:

      <JDBC datasource="jdbc/userstore"/>
      <Credentials user="<your-user>">{PBES}:gSex2/BhDGzEKWvFmzca4w==</Credentials>
      <DSN name="<name of the data source you created>"/>

  13. Enable the Web Agent by modifying the webagent.conf file in the Web Agent folder and setting it to Enabled = yes.

    To test the Web Agent configuration, open the Management Console through the Web Server port instead of the application server port.

  14. Import the directory.xml from Step 6 to create a CA Identity Manager directory.
  15. Repeat Step 14 for all directories.
  16. In the environment ZIP file created in Step 6, edit the environment.xml file and add the CA SiteMinder Web Agent, as follows:
    agent="SiteMinder_agent_name"
    

    Note: Be sure to specify the Web Agent (Step 3), not the SM-IM tunnel agent (Step 3a).

  17. Import the ZIP file to recreate the CA Identity Manager environment.

    Note: Make sure that you establish all of your connection objects again, such as JDBC or reporting connections, after recreating the environment.

  18. Repeat Step 16 and Step 17 for all environments.
  19. Restart the application server.
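The ra.xml edits in Step 8 are the point where the CA SiteMinder administrator and agent credentials enter the deployment, so they are worth applying and checking mechanically rather than by hand. The following script is an added example, not CA's own tooling: it updates the config-property-value elements named in Step 8 (Enabled, ConnectionURL, UserName, AdminSecret, AgentName, AgentSecret and, for FIPS, ValidateSMHeadersWithPS) inside a constructed ra.xml fragment and then reports any secret that was left empty or not in encrypted form. The standard JCA descriptor layout (config-property / config-property-name / config-property-value) is assumed, the sample descriptor and all values are constructed placeholders, and the "{PBES}:" prefix used to recognise Password Tool output is an assumption taken from the encrypted credential shown in the directory.xml sample above.

```python
"""Apply and verify the Step 8 ra.xml settings for the policy server resource adapter.

Added example; the descriptor below is a constructed fragment, not a real ra.xml.
"""
import xml.etree.ElementTree as ET

# Assumption: the CA Identity Manager Password Tool emits secrets with this
# prefix (the directory.xml sample on this page shows "{PBES}:..." for an
# encrypted credential).
ENCRYPTED_PREFIX = "{PBES}:"
SECRET_PROPERTIES = ("AdminSecret", "AgentSecret")

# Constructed sample of the relevant part of policyserver.rar\META-INF\ra.xml.
# Only the properties this procedure edits are shown; values are placeholders.
SAMPLE_RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>Enabled</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>false</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>ValidateSMHeadersWithPS</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>false</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <config-property-name>UserName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AdminSecret</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AgentName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AgentSecret</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""


def _local(tag):
    """Strip any XML namespace so a namespaced ra.xml matches the same way."""
    return tag.rsplit("}", 1)[-1]


def _properties(root):
    """Yield (property name, config-property-value element) pairs."""
    for prop in root.iter():
        if _local(prop.tag) != "config-property":
            continue
        name = value_el = None
        for child in prop:
            if _local(child.tag) == "config-property-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "config-property-value":
                value_el = child
        if name is not None and value_el is not None:
            yield name, value_el


def apply_policy_server_settings(ra_xml, settings, fips=False):
    """Return ra_xml with the given property values set; Enabled is always
    forced to true, and ValidateSMHeadersWithPS to true when fips is set."""
    root = ET.fromstring(ra_xml)
    wanted = dict(settings)
    wanted["Enabled"] = "true"
    if fips:
        wanted["ValidateSMHeadersWithPS"] = "true"
    for name, value_el in _properties(root):
        if name in wanted:
            value_el.text = wanted.pop(name)
    if wanted:  # a property we were asked to set does not exist in this file
        raise KeyError("properties not found in ra.xml: " + ", ".join(sorted(wanted)))
    return ET.tostring(root, encoding="unicode")


def read_settings(ra_xml):
    """Return {property name: value} for every config-property in ra_xml."""
    root = ET.fromstring(ra_xml)
    return {name: (el.text or "") for name, el in _properties(root)}


def find_problems(ra_xml):
    """List anything that would leave the adapter disabled or a secret in the clear."""
    values = read_settings(ra_xml)
    problems = []
    if values.get("Enabled", "").lower() != "true":
        problems.append("Enabled is not true")
    if not values.get("ConnectionURL"):
        problems.append("ConnectionURL is empty")
    for key in SECRET_PROPERTIES:
        secret = values.get(key, "")
        if not secret:
            problems.append(key + " is empty")
        elif not secret.startswith(ENCRYPTED_PREFIX):
            problems.append(key + " is not in encrypted form")
    return problems
```

Run find_problems against the edited file before restarting the application server (Step 11): an empty list means the adapter is enabled and both secrets carry the encrypted prefix. A production ra.xml may declare the JCA namespace on its root element; the local-name matching above still finds the properties, but when writing the file back you would register that namespace with ElementTree first so the serialised output keeps the original prefixes.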