Configuration GuideCA SiteMinder Integration › Adding SiteMinder to an Existing CA Identity Manager Deployment

Previous Topic: Select Load Balancing or Fail Over

Next Topic: Removing SiteMinder from an Existing CA Identity Manager Deployment

Adding SiteMinder to an Existing CA Identity Manager Deployment

This section provides detailed instructions for adding CA SiteMinder to an existing CA Identity Manager environment (after CA Identity Manager has been installed). Before you begin, ensure that you have access to the following documents for reference:

Follow these steps:

Important! All existing password policy configurations will be lost. Password policies are not portable when moving from an environment without SiteMinder to an environment with SiteMinder.

  1. Verify that you have a Web Server.
  2. Install and configure a Web Server to the application server proxy forwarder.
  3. Install and configure a SiteMinder Policy Server and Web Agent for this Web Server.

    3a. Create a 4.x agent for uses as the IM-SM tunnel agent, which is in addition to the Web Agent created in the previous step. You manually create the 4.x agent using the SM Administrative UI. Specify the IP address of the Policy Server as the Trust server setting. Use only one 4.x agent for each application server cluster. You do not install any 4.1 agent on the IM server.

    Note: For more information, see the CA SiteMinder Policy Server Installation Guide and the CA SiteMinder Web Agent Installation Guide.

  4. Import the CA Identity Manager policy store schema to the policy store.
  5. Run the CA Identity Manager installer on the machine where the SiteMinder Policy Server is installed.

    Select only the Extensions for the SiteMinder option when you run the installer.

  6. In the Management Console, export the CA Identity Manager directories and environments.
  7. Delete all directories and environments after the export completes.
  8. Edit the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF, as follows:
    1. If you are supporting FIPS, set ValidateSMHeadersWithPS to true.
    2. Search for the Enabled config-property and then change the config-property-value to true.
    3. In the ConnectionURL property, fill in the IP or hostname of the SiteMinder Policy Server.
    4. In the UserName property, fill in the name of the SiteMinder administrator.
    5. Encrypt password of the SiteMinder administrator using the CA Identity Manager Password Tool and put it in the AdminSecret property. The Password Tool can be found in:

      admin_tools\PasswordTool\pwdtools.bat.

      admin_tools

      The installed location of the Administrative Tools, which are installed in one of the following locations:

      Windows: C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools

      UNIX: /opt/CA/IdentityManager/IAM_Suite/Identity_Manager/tools

    6. In the AgentName property, fill in the name of the 4.x Agent configured for the IM-SM tunnel.
    7. Encrypt password of the Agent using the CA Identity Manager Password Tool and put it in the AgentSecret property.

    Note: For more information on modifying the ra.xml file, see Enable the <stmdr> Policy Server Resource Adapter.

  9. Edit the web.xml file located in iam_im.ear\ user_console.war\WEB-INF and set the FrameworkAuthFilter property to Enabled = false.

    Note: For WebSphere, the web.xml is located in WebSphere_home/AppServer/profiles/Profile_Name/config/cells/Cell_name/applications/iIam_im.ear/deployments/IdentityMinder/user_console.war/WEB-INF

  10. (WebSphere Only) Update the policyServer object in the Administrative Console with same values as in the ra.xml file.
  11. Restart the application server.
  12. For an RDB user store only, do the following tasks:
    1. Configure a data source that SiteMinder uses to connect to the user directory.

      Note: For more information on configuring the data source, see the CA SiteMinder Policy Server Installation Guide.

    2. Add the SiteMinder data source information to the directory by editing the directory.xml file. In the directory.xml file, locate the line containing the <JDBC datasource="jdbc/userstore"/> tag and add the following line after it, with your user name and encrypted password: 
      <Credentials user="<your-user>">{PBES}:gSex2/BhDGzEKWvFmzca4w==</Credentials>
<DSN name="<name of the data source you created>"/>
  13. Enable the Web Agent by modifying the webagent.conf file in the Web Agent folder and setting it to Enabled = yes.

    In order to test the Web Agent configuration, go to the Management Console by using the Web Server port instead of the application server port.

  14. Import the directory.xml from Step 6 to create a CA Identity Manager directory.
  15. Repeat Step 14 for all directories.
  16. In the environment ZIP file created in Step 6, edit the environment.xml file and add the SiteMinder Web Agent, as follows: 
    agent="SiteMinder_agent_name"

    Note: Be sure to specify the Web Agent (Step 3), not the SM-IM tunnel agent (Step 3a).

  17. Import the ZIP file to recreate the CA Identity Manager environment.

    Note: Make sure that you establish all of your connection objects again, such as JDBC or reporting connections, after recreating the environment.

  18. Repeat Step 16 and Step 17 for all environments.
  19. Restart the application server.