

IM_12.8--Configure the Apache Proxy Plug-in

Configuring the Apache Proxy Plug-in requires editing the http.conf file.

Follow these steps:

  1. Stop the Apache web server after installing a Web Agent on Solaris and copy the mod_wl_20.so file from the following location:

    weblogic_home/server/lib/solaris

    to

    apache_home/modules

  2. Edit the http.conf file (located in apache_home/conf) and make the following changes:
    1. Under the load module section, add the following code:
      LoadModule weblogic_module     modules/mod_wl_20.so
      
    2. Edit the server name with the name of the Apache server system.
    3. Add an IfModule block at the end of the file as follows:
      <IfModule mod_weblogic.c>
        WebLogicHost weblogic_server.com
        WebLogicPort 7001
        MatchExpression /iam
        MatchExpression /castylesr5.1.1
        MatchExpression /ca/Odata
      </IfModule>
      
  3. Save the http.conf file.
  4. Restart the Apache web server.

Associate the CA SiteMinder® Agent with a CA Identity Manager Domain

The policy administrator performs this task after completing the CA Identity Manager tasks. While you load your environments into CA Identity Manager, reference the 4.X agent. CA SiteMinder® uses that agent when creating the Domain/Realm on the CA SiteMinder® Policy Server. This agent validates SMSESSION cookies. Update the Domain/Realm and reference the fully functioning agent that is on the web server used to access CA Identity Manager. This web server acts as the access point to CA Identity Manager and creates SMSESSION cookies.

Follow these steps:

  1. Log in to the CA SiteMinder® Administrative UI.
  2. Navigate to Policies, Domains.
  3. Modify the domain for your environment.
  4. On the Realms tab, edit the first listed realm: XXX_ims_realm.
  5. Search and select the agent on your proxy.

    Note: If you do not have a proxy agent (web server agent), create one. Verify that you have a web server and proxy in place to front CA Identity Manager.

  6. Click OK twice and then repeat this process for the Public realm XXX_pub_realm.
  7. After you update both realms, click Submit.
  8. Wait for the agent to refresh, or restart the web server where the proxy agent is located.

Configure CA SiteMinder® LogoffUri Parameter

After you add CA SiteMinder® to the environment, the logoff in CA Identity Manager does not really do anything. To reenable this functionality, update the Agent Configuration Object (ACO) for the agent on the proxy.

Follow these steps:

  1. Log in to the CA SiteMinder® Administrative UI. Click the Infrastructure tab, Agents, expand Agent Configuration, and then click Modify Agent Configuration.
  2. Locate your ACO. Locate the #LogoffUri parameter. Click the play button (arrow pointing to the right) to the left of that parameter.
  3. Remove the pound sign (#) from the name in the Value field and enter /idm/logout.jsp.
  4. Click OK and then Submit to update the agent configuration object.

    The next time that the agent retrieves its configuration from the policy server, the new setting is propagated.

Troubleshooting

The following topics describe common errors that can occur. Where at all possible, a resolution has been paired with the error to assist you with your integration.

Missing Windows DLL

Symptom:

Missing Windows DLL (MSVCP71.dll)

We observed that after the CA SiteMinder® connection was enabled, JBoss threw a Java error complaining about a missing DLL (MSVCP71.dll).

Note: This error may not appear if JBoss is running as a service. If at all possible, test your configuration without running JBoss as a service.

Solution:

Follow these steps:

  1. Locate MSVCP71.dll on the CA SiteMinder® Policy Server, if it is running on Windows.
  2. Copy this DLL (MSVCP71.dll) into the \Windows\system32 folder.
  3. After you place this file in the correct location, register it with the OS.
  4. From a command window, run the regsvr32 command. As long as the file is loaded you should be ok.
  5. Restart the application server.

Incorrect CA SiteMinder® Policy Server Location

Symptom:

Incorrect CA SiteMinder® Policy Server Location.

Solution:

When an incorrect location is referenced in ra.xml, the error "Cannot connect to policy server: xxx" appears.

Follow these steps:

  1. Verify the hostname provided in ra.xml.

  2. In the ConnectionURL property, specify your CA SiteMinder® Policy Server hostname. Use a FQN (Fully Qualified Name).

Incorrect Admin Name

Symptom:

Incorrect Admin Name

Solution:

When an incorrect admin is referenced in ra.xml, the error "Unknown administrator" appears.

Follow these steps:

  1. Check the UserName property in ra.xml.

  2. In the UserName property, specify the account used to communicate with CA SiteMinder®. For example, use the CA SiteMinder® account (default value).

Incorrect Admin Secret

Symptom:

Incorrect Admin Secret

Solution:

When an incorrect admin secret is used in ra.xml, the error "Cannot connect to the policy server: Invalid credentials" appears.

Follow these steps:

  1. Check the AdminSecret property in ra.xml.

  2. In the AdminSecret property, specify the encrypted password for the username referenced in the UserName property.

More information:

Modify a SiteMinder Password or Shared Secret

Incorrect Agent Name

Symptom:

Incorrect Agent Name

Solution:

When an incorrect agent name is used in ra.xml, the error "Cannot connect to the policy server: Failed to init Agent API: -1" appears.

Follow these steps:

  1. Check the AgentName property in ra.xml.

  2. Specify the 4.X agent name that you created during the 3rd step of the CA SiteMinder® configurations.

Incorrect Agent Secret

Symptom:

Incorrect Agent Secret

Solution:

When an incorrect agent secret is used in ra.xml, the error "Cannot connect to the policy server: Failed to init Agent API: -1" appears with a preceding crypto handler error.

Follow these steps:

  1. Check the AgentSecret property in ra.xml.

  2. Specify the encrypted password that was used when creating that agent.

More information:

Modify a SiteMinder Password or Shared Secret

No User Context in CA Identity Manager

Symptom:

No User Context in CA Identity Manager.

If a user tries to access CA Identity Manager without a SMSESSION cookie, CA Identity Manager cannot authenticate the user. In this case, you can expect to see an empty CA Identity Manager UI.

If you have Workflow enabled for your environment, expect to see a failure much like this.

Solution:

A few things can cause this, but it is usually one of the following:

The first two causes are pretty straightforward. Make sure that you route through the web server with the fully functional web agent enabled. If, however, you are going through the web server and the agent is enabled, then you need to modify the Domain.

Follow these steps:

  1. Log in to the CA SiteMinder® Administrative UI.
  2. Locate your CA Identity Manager Domain and click through the layers to modify it. Click the Realm Tab and then the first realm in the list.
  3. The default location of the forward slash is under the realm. Delete it.
  4. Click into the Rule under this Realm.

    The default effective resource for the rule is an asterisk "*".

  5. Add the forward slash "/" in front of the asterisk.

    You have moved the forward slash from the realm to the rule. The protection is the same, but CA SiteMinder® treats it differently.

    You can successfully log in to CA Identity Manager through CA SiteMinder®. To validate proper protection, review your CA SiteMinder® agent logs.

Error Loading Environments

Symptom:

When importing an environment back into CA Identity Manager after integrating with CA SiteMinder®, an error appears about attribute "requireadminpassword" and the element "WebService".

Note: This issue can also occur when CA SiteMinder® is not part of the deployment.

Solution:

This error allows partial deployment of the environment. The partial deployment can create empty elements in the CA Identity Manager object store. Correct one of the environment XMLs and reimport.

Follow these steps:

  1. Locate the archived ZIP file, and explore it.
  2. Create a copy of the XXX_environment_settings.xml.
  3. Edit this file and locate the "WebService" element.
  4. Delete the tag requireadminpassword="false".

    Note: Remove the tag and the value. Do not remove only the value.

  5. Save your changes and place the file back into the ZIP file.
  6. Reimport the archived environment zip file.

    You do not have to delete the environment that was created from the failed attempt. Reimporting a corrected file fixes the errors from the failed attempt.
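
The steps above can be scripted so that the attribute is removed consistently and the rest of the archive is left untouched. The following is an added example, not code from CA or from the original page; it assumes the settings file is UTF-8 encoded, and the sample archive contents (the Settings root element, the enabled attribute, and other.xml) are constructed for illustration.

```python
import io
import re
import zipfile

# Opening <WebService ...> tag; element and attribute names come from the steps above.
WEBSERVICE_TAG = re.compile(r"<WebService\b[^>]*>")
# The whole attribute (leading whitespace, name, '=', quoted value), not only the value.
ATTR = re.compile(r"""\s+requireadminpassword\s*=\s*(?:"[^"]*"|'[^']*')""")


def strip_attribute(xml_text):
    """Remove requireadminpassword (name and value) from every WebService tag."""
    removed = 0

    def fix_tag(match):
        nonlocal removed
        tag, n = ATTR.subn("", match.group(0))
        removed += n
        return tag

    return WEBSERVICE_TAG.sub(fix_tag, xml_text), removed


def fix_environment_zip(src_bytes):
    """Return (new_zip_bytes, removed_count); other archive members are copied as-is."""
    out, total = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.endswith("_environment_settings.xml"):
                # Assumption: the settings file is UTF-8 encoded.
                text, n = strip_attribute(data.decode("utf-8"))
                data, total = text.encode("utf-8"), total + n
            dst.writestr(info, data)
    return out.getvalue(), total


def build_sample_zip():
    """Constructed sample archive (not a real export) for a dry run."""
    xml = '<Settings>\n  <WebService enabled="true" requireadminpassword="false"/>\n</Settings>\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("XXX_environment_settings.xml", xml)
        z.writestr("other.xml", "<Other/>")
    return buf.getvalue()


if __name__ == "__main__":
    fixed, count = fix_environment_zip(build_sample_zip())
    print(f"removed {count} requireadminpassword attribute(s)")
```

For a real export, read the archived ZIP file as bytes, pass it to fix_environment_zip, and write the result to a new file so that the original archive stays available for comparison.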