
How Resources are Protected

Advanced authentication requires you to use a SiteMinder Policy Server in your implementation. The application server hosting the CA IdentityMinder Server is on a different operating environment from the Web Server. To provide forwarding services, the Web Server requires:

The Web Agent controls the access of users who request CA IdentityMinder resources. Once the users are authenticated and authorized, the Web Agent allows the Web Server to process the requests.

When the Web Server receives the request, the application server plug-in forwards it to the application server hosting the CA IdentityMinder Server.

The Web Agent protects CA IdentityMinder resources that are exposed to users and administrators.

Overview of SiteMinder and CA IdentityMinder Integration

When the policy administrator and the identity administrator work together to integrate SiteMinder into an existing CA IdentityMinder installation, the CA IdentityMinder architecture expands to include the following components:

SiteMinder Web Agent

Protects the CA IdentityMinder Server. The Web Agent is installed on the system with the CA IdentityMinder Server.

SiteMinder Policy Server

Provides advanced authentication and authorization for CA IdentityMinder.

The following figure is an example of a CA IdentityMinder installation with a SiteMinder Policy Server and Web Agent:


Note: The components are installed on different platforms as examples. However, you can choose other platforms. The CA IdentityMinder databases are on Microsoft SQL Server and the user store is on the IBM Directory Server. The SiteMinder Policy Store is on AD LDS on Windows.

Completing this process requires two roles: the CA IdentityMinder identity administrator and the SiteMinder policy administrator. In some organizations, one person fills both roles. When two people are involved, close collaboration is required to complete the procedures in this scenario. The policy administrator begins and ends this process; the identity administrator does all the steps in the middle.

Important! For CA IdentityMinder installations starting with Release 12.5 SP7, the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files (JCE libraries) are required. Download these libraries from the Oracle Web site. Load them into the following folder: <Java_path>\<jdk_version>\jre\lib\security\.

The following diagram illustrates the complete process of integrating SiteMinder into CA IdentityMinder:


Follow these steps:

  1. Configure the SiteMinder Policy Store for CA IdentityMinder.
  2. Import the CA IdentityMinder Schema into the Policy Store.
  3. Create a SiteMinder 4.x agent object.
  4. Export the CA IdentityMinder directories and environments.
  5. Delete all directory and environment definitions.
  6. Enable the SiteMinder Policy Server Resource Adapter.
  7. Disable the native CA IdentityMinder Framework Authentication Filter.
  8. Restart the application server.
  9. Configure a data source for SiteMinder.
  10. Import the directory definitions.
  11. Update and import environment definitions.
  12. Restart the application server.
  13. Install the web proxy server plug-in.
  14. Associate the SiteMinder Agent with a CA IdentityMinder domain.
  15. Configure SiteMinder LogOffUrl Parameter.

Configure the SiteMinder Policy Store for CA IdentityMinder

As a policy administrator, you use the CA IdentityMinder Administrative Tools to access the SQL scripts or LDAP schema text that add the IMS schema to the policy store. The identity administrator will have installed these tools in the Admin Tools folder. Follow the procedure that matches your policy store:

Configure a Relational Database

Configure Sun Java Systems Directory Server or IBM Directory Server

Configure Microsoft Active Directory

Configure Microsoft ADAM

Configure CA Directory Server

Configure Novell eDirectory Server

Configure Oracle Internet Directory (OID)

Configure a Relational Database

After configuration, you can use your relational database as a SiteMinder policy store.

Follow these steps:

  1. Configure the database as a supported SiteMinder policy store.

    Note: For configuration instructions, see the SiteMinder Policy Server Installation Guide.

  2. Run the appropriate script for your database:

    The preceding paths are default installation locations. The location for your installation may be different.

Configure Sun Java Systems Directory Server or IBM Directory Server

To configure a Sun Java System Directory Server or IBM Directory Server, you apply the appropriate schema file.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

  2. Add the appropriate LDIF schema file to the directory. The default Windows location for the LDIF files is C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas.

    Add the following schema file for your directory:

Configure Microsoft Active Directory

To configure a Microsoft Active Directory policy store, you apply the activedirectory_ims8.ldif script.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

  2. Modify the activedirectory_ims8.ldif schema file as follows:
    1. In a text editor, open the activedirectory_ims8.ldif file. The default Windows location is:

      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory

    2. Replace all instances of {root} with the root organization for the directory.

      The root organization must match the root organization that you specified when you configured the policy store in the Policy Server Management Console.

      For example, if the root is dc=myorg,dc=com, replace
      dn: CN=imdomainid6,CN=Schema,CN=Configuration,{root} with dn: CN=imdomainid6,CN=Schema,CN=Configuration,dc=myorg,dc=com

    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.

Configure Microsoft ADAM

To configure a Microsoft ADAM policy store, you apply the adam_ims8.ldif script.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

    Make note of the CN value (the guid).

  2. Modify the adam_ims8.ldif schema file as follows:
    1. Open the adam_ims8.ldif file in a text editor. The default Windows location is:

      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory

    2. Replace every cn={guid} reference with the string you found when you configured the SiteMinder policy store in Step 1 of this procedure.

      For example, if the guid string is CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}, then replace every cn={guid} reference with CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}.

    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.

Configure CA Directory Server

To configure a CA Directory server, you create a custom schema file. In the steps that follow, dxserver_home is the directory where CA Directory is installed. The default source location for the etrust_ims8.dxc file on Windows is C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\eTrustDirectory.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

  2. Copy etrust_ims8.dxc to dxserver_home\config\schema.
  3. Create a custom schema configuration file as follows:
    1. Copy the dxserver_home\config\schema\default.dxg to dxserver_home\config\schema\company_name-schema.dxg.
    2. Edit the dxserver_home\config\schema\company_name-schema.dxg file by adding the following lines to the bottom of the file:
      # Identity Manager Schema
      source "etrust_ims8.dxc";
      
  4. Edit the dxserver_home\bin\schema.txt file by adding the contents of etrust_ims_schema.txt to the end of the file. The default source location for this file on Windows is C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\eTrustDirectory.
  5. Create a custom limits configuration file as follows:
    1. Copy the dxserver_home\config\limits\default.dxc to dxserver_home\config\limits\company_name-limits.dxc.
    2. Increase the default size limit to 5000 in the dxserver_home\config\limits\company_name-limits.dxc file as follows:
      set max-op-size=5000
      

      Note: Upgrading CA Directory overwrites the limits.dxc file. Therefore, make sure that you reset max-op-size to 5000 after the upgrade is completed.

  6. Edit the dxserver_home\config\servers\dsa_name.dxi as follows:
    # schema
    source "company_name-schema.dxg";
    
    #service limits
    source "company_name-limits.dxc";
    

    where dsa_name is the name of the DSA using the customized configuration files.

  7. Run the dxsyntax utility.
  8. Stop and restart the DSA as the dsa user to make the schema changes take effect, as follows:
    dxserver stop dsa_name
    dxserver start dsa_name
    

Configure Novell eDirectory Server

To configure a Novell eDirectory Server policy store, you apply the novell_ims8.ldif script.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

  2. Find the Distinguished Name (DN) of the NCPServer for your Novell eDirectory Server by entering the following information in a command window on the system where the Policy Server is installed:
    ldapsearch -h hostname -p port -b container -s sub 
    -D admin_login -w password objectClass=ncpServer dn
    

    For example:

    ldapsearch -h 192.168.1.47 -p 389 -b "o=nwqa47container" -s sub -D "cn=admin,o=nwqa47container" -w password objectclass=ncpServer dn
    
  3. Open the novell_ims8.ldif file.
  4. Replace every NCPServer variable with the value you found in Step 2.

    The default location for novell_ims8.ldif on Windows is:

    C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\NovelleDirectory

    For example, if the DN value is cn=servername,o=servercontainer, you would replace every instance of NCPServer with cn=servername,o=servercontainer.

  5. Update the eDirectory Server with the novell_ims8.ldif file.

    See the Novell eDirectory documentation for instructions.

Configure Oracle Internet Directory (OID)

To configure an Oracle Internet Directory policy store, you apply the oracleoid_ims8.ldif file.

Follow these steps:

  1. Configure the directory as a supported SiteMinder policy store.

    Note: For configuration instructions, see the CA SiteMinder Policy Server Installation Guide.

  2. Update the Oracle Internet Directory Server with the oracleoid_ims8.ldif file. The default installation location for this file on Windows is:

    install_path\policystore-schemas\OracleOID\

    See the Oracle Internet Directory documentation for instructions.

Verify the Policy Store

To verify the policy store, confirm the following points:

Import the CA IdentityMinder Schema into the Policy Store

The policy administrator imports the CA IdentityMinder schema into the policy store. This task lets CA IdentityMinder create, update, and delete policy objects. Examples include directory objects, domains, realms, rules, policies, and the policy objects that enable access roles and tasks.

Follow these steps:

  1. On the SiteMinder Policy Server, shut down the Policy Server service.
  2. Run the CA IdentityMinder installer for the version that you are using.
  3. When asked which components to install, select the Extensions for SiteMinder (if SiteMinder is installed locally).
  4. Verify that the Policy Server service is restarted before continuing.

Create a SiteMinder 4.x Agent Object

The policy administrator creates a SiteMinder 4.x Web Agent. This task enables communication between SiteMinder and CA IdentityMinder. The identity administrator references this agent during the CA IdentityMinder configuration.

Follow these steps:

  1. Log on to the SiteMinder Administrative UI.

    The relevant tabs for your administrator privileges appear.

  2. Click Infrastructure, Agents, Agent, Create Agent.

    The Create Agent dialog appears.

  3. Select Create a new object of type Agent, and then click OK.

    The Create Agent dialog appears.

  4. Enter a name and an optional description.

    Note: Use a name that you can easily associate with the corresponding SharePoint Connection Wizard.

  5. Select SiteMinder.
  6. Select Web Agent from the drop-down list.
  7. Enable 4.x functionality with the following steps:
    1. Select the Supports 4.x agents check box.

      The trust settings fields appear.

    2. Add the trust settings by completing the following fields:

      IP Address

      Specifies the IP Address of the Policy Server.

      Shared Secret

      Specifies a password that is associated with the 4.x Agent object. The SharePoint Connection Wizard also requires this password.

      Confirm Secret

      Confirms a password that is associated with the 4.x Agent object. The SharePoint Connection Wizard also requires confirmation of this password.

  8. Click Submit.

    The Create Agent Object task is submitted for processing and the confirmation message appears.

Export the CA IdentityMinder Directories and Environments

The integration process removes all of the current environment and directory definitions. To help ensure that this information is preserved, the identity administrator exports the directories and environments using the CA IdentityMinder Management Console. After you complete the integration, you use these exported definitions to restore the directories and environments.

Follow these steps:

  1. Open the CA IdentityMinder Management Console.
  2. Click Directories.
  3. Click the first directory in the list and click Export.
  4. Save and archive the directory xml file.
  5. Repeat this process for the remaining directories.
  6. Click Home, and then click Environments.
  7. Select the first environment.
  8. Click Export.
  9. Repeat this process for the remaining environments.

    Note: This process can take a few minutes for each environment.

Delete All Directory and Environment Definitions

To prepare for SiteMinder to protect CA IdentityMinder, the identity administrator deletes the directory and environment definitions using the CA IdentityMinder Management Console.

Follow these steps:

  1. Open the CA IdentityMinder Management Console.
  2. Click Environments.
  3. Select the first environment.
  4. Click Delete.
  5. Repeat this process for each of your remaining environments.

    Note: Delete your environments before deleting your directories because the environments reference the directories.

  6. Navigate back to the Directories section.
  7. Select all of the directories listed.
  8. Click Delete.

Enable the SiteMinder Policy Server Resource Adapter

The identity administrator enables the SiteMinder Policy Server Resource Adapter. The purpose of the adapter is to validate the SMSESSION cookie. After validation, SiteMinder creates the user context.

Follow these steps:

  1. Navigate to the \policyserver.rar\META-INF folder located within the iam_im.ear on the application server that is running CA IdentityMinder.
  2. Open the ra.xml file in an editor.
  3. Search for the Enabled config-property, and then change the config-property-value to true as shown in the following example:

  4. Locate the ConnectionURL property and provide the hostname of the SiteMinder Policy Server. Use a fully qualified domain name (FQDN).
  5. Locate the UserName property and specify the account to use for communication with SiteMinder. SiteMinder is the default value for this account.
  6. Locate the AdminSecret property. Provide the encrypted password. Copy the password from the directory.xml file that you exported and paste it into ra.xml. If you are not sure that you have a common password, encrypt your password using the CA IdentityMinder Password Tool.
  7. Paste the encrypted password into the ra.xml file.
  8. Specify the 4.x agent name that the policy administrator created during the SiteMinder configuration.
  9. Specify the encrypted password. Use the Password Tool to encrypt the password if necessary.
  10. Save the changes to the ra.xml file.

The SiteMinder Policy Server Resource Adapter is enabled.
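
A quick check of the ra.xml edits made above, written for this page as an added example (not CA's code or tooling). It assumes only the standard JCA ra.xml layout of config-property elements; the sample document, the host name and the AdminSecret placeholder are constructed, and the check does not know the Password Tool's encrypted format, so it only confirms the secret is not blank.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ra.xml fragment in the standard JCA layout (the real file has
# more properties); namespace-qualified tags are handled below.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee">
  <resourceadapter>
    <config-property>
      <config-property-name>Enabled</config-property-name>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-value>policyserver.example.com</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>UserName</config-property-name>
      <config-property-value>SiteMinder</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AdminSecret</config-property-name>
      <config-property-value>ENCRYPTED_VALUE_PLACEHOLDER</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

def _local(tag):
    """Strip a {namespace} prefix from an element tag."""
    return tag.split("}")[-1]

def load_properties(xml_text):
    """Return {config-property-name: config-property-value}, wherever nested."""
    props = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "config-property":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("config-property-name"):
            props[fields["config-property-name"]] = fields.get("config-property-value", "")
    return props

# Host name with at least two RFC 1123 labels; a bare host name fails here
# and an all-numeric name (an IP address) is rejected in check_adapter.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                     r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def check_adapter(props):
    """Return findings for the four properties the procedure edits;
    an empty list means they look correct."""
    findings = []
    if props.get("Enabled", "").lower() != "true":
        findings.append("Enabled is not true: the adapter stays disabled")
    url = props.get("ConnectionURL", "")
    if not FQDN_RE.match(url) or url.replace(".", "").isdigit():
        findings.append("ConnectionURL %r is not a fully qualified domain name" % url)
    if not props.get("UserName"):
        findings.append("UserName is empty (the default account name is SiteMinder)")
    if not props.get("AdminSecret"):
        findings.append("AdminSecret is empty: paste the encrypted password")
    return findings

def check_ra_xml(xml_text):
    return check_adapter(load_properties(xml_text))
```

Run check_ra_xml on the real ra.xml text before restarting the application server; an IP address or short host name in ConnectionURL is reported because the procedure calls for an FQDN.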

More information:

Modify a SiteMinder Password or Shared Secret

Disable the Native CA IdentityMinder Framework Authentication Filter

With the SiteMinder adapter in place, the Framework Authentication Filter is no longer needed. The identity administrator can disable the filter.

Follow these steps:

  1. Locate and edit the web.xml file in the \user_console.war\WEB-INF folder under the iam_im.ear.
  2. Locate the FrameworkAuthFilter and switch the value of the Enable init-param to false.

    If you are using CA IdentityMinder r12.5 SP7 or later, verify that the Java Cryptographic Extension Unlimited Strength Jurisdiction Policy Files (JCE) are downloaded into \<Java_path>\<jdk_version>\jre\lib\security in the CA IdentityMinder environment. These files enable CA IdentityMinder to connect to SiteMinder.

    If the JCE libraries are installed, you see the following messages during CA IdentityMinder application startup:

    2012-07-06 11:23:56,079 WARN  [ims.default] (main) * Startup Step 2 : Attempting to start PolicyServerService
    2012-07-06 11:23:56,081 WARN  [ims.default] (main) Unlimited Strength Java Crypto Extensions enabled: TRUE
    

    Otherwise, the value is false for the "Unlimited Strength Java Crypto Extensions enabled" entry. CA IdentityMinder fails to connect to the Policy Server.
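
An added example, not part of the original page, that scans server.log startup lines for the JCE entry described above. It assumes the line layout shown on the page (timestamp, level, logger in brackets, thread in parentheses, message); the sample lines are constructed, with the two from the page reproduced as-is.

```python
import re

# Constructed server.log excerpt in the layout the page shows:
# "<timestamp> <level> [<logger>] (<thread>) <message>".
SAMPLE_LOG = """\
2012-07-06 11:23:56,079 WARN  [ims.default] (main) * Startup Step 2 : Attempting to start PolicyServerService
2012-07-06 11:23:56,081 WARN  [ims.default] (main) Unlimited Strength Java Crypto Extensions enabled: TRUE
2012-07-06 11:23:57,002 INFO  [ims.default] (main) constructed filler line
this line does not follow the layout and is counted as unparsed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
JCE_RE = re.compile(
    r"Unlimited Strength Java Crypto Extensions enabled:\s*(TRUE|FALSE)", re.I)

def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def jce_report(log_text):
    """Summarise the startup messages the procedure tells you to look for.
    jce_enabled is True/False from the log entry, or None if it never appears."""
    report = {"policy_server_start_seen": False, "jce_enabled": None, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            report["unparsed"] += 1
            continue
        if "Attempting to start PolicyServerService" in fields["msg"]:
            report["policy_server_start_seen"] = True
        m = JCE_RE.search(fields["msg"])
        if m:
            report["jce_enabled"] = m.group(1).upper() == "TRUE"
    return report

def verdict(report):
    """Map the report to the outcome the page describes for each case."""
    if report["jce_enabled"] is True:
        return "ok: JCE unlimited strength policy files are in place"
    if report["jce_enabled"] is False:
        return "fail: JCE entry is FALSE, CA IdentityMinder cannot connect to the Policy Server"
    return "unknown: JCE entry not found; check that startup reached Step 2"
```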

Restart the Application Server

The restart refreshes the application server with the changes. The identity administrator validates that the switch was successful and that a proper connection to the SiteMinder Policy Server exists.

Follow these steps:

  1. Use the services panel to restart CA IdentityMinder when your application server is running as a service.
  2. Refer to the server.log to validate the connection.

Configure a Data Source for SiteMinder

If your CA IdentityMinder environment uses a relational database for its identity store, the identity administrator is required to complete an additional process on the SiteMinder Policy Server. SiteMinder requires a local data source to communicate with the database.

Follow these steps:

  1. For Windows servers, open the ODBC Data Source Administrator console that is found under Administrative Tools.
  2. Click the System DSN tab.
  3. Click Add and select the corresponding SiteMinder driver for your database.
  4. Provide the needed information to reference the relational database user store.
  5. Test the connectivity before you continue.

Import the Directory Definitions

To prepare for importing the environments, the identity administrator imports the directories that the environments reference. Importing the directory definition in CA IdentityMinder also adds the directory information to the SiteMinder policy store.

Follow these steps:

  1. Ensure that CA IdentityMinder is running and connected to SiteMinder.
  2. Navigate to the CA IdentityMinder Management Console.
  3. Click Directories and then click Create or Update from XML.
  4. Select your directory configuration file (directory.xml). This file is the one that you exported in Export the CA IdentityMinder Directories and Environments.
  5. Click Next.
  6. Click Finish and review the load output. Verify that the directory is present in CA IdentityMinder and SiteMinder.
  7. Repeat these steps for the Provisioning Store and any remaining directories.
  8. Log in to the SiteMinder Administrative UI to validate the creation of the user directories.

Update and Import Environment Definitions

The identity administrator imports the updated environments back into CA IdentityMinder.

Follow these steps:

  1. Unlike the directory exports, the environment export is in the form of a zip file. Drag a copy of the name.xml file out of the zip file.
  2. Copy the name.xml file. Insert a reference to the protecting agent (not the SM 4.x agent) at the end of the ImsEnvironment element, before the enclosing /> bracket: agent="idmadmin"
  3. Save and paste the file back into the zip file.
  4. Open the CA IdentityMinder Management Console and click Environments and then Import.
  5. Enter the name of the updated environment zip file.
  6. Click Finish and review the import output.
  7. Repeat this process for all your remaining environments.
  8. Restart the Application Server.
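
The edit in steps 1 through 3 above, done programmatically, as an added example that is not part of the original page or CA's tooling: it adds agent="idmadmin" to the ImsEnvironment element of each XML member in an exported environment zip and leaves other members untouched. The sample zip and its minimal name.xml are constructed; a real export contains more content, so review the rewritten XML before importing it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

AGENT = "idmadmin"   # the protecting agent named in step 2 of the procedure

def _local(tag):
    """Strip a {namespace} prefix from an element tag."""
    return tag.split("}")[-1]

def _find_env(root):
    return next((e for e in root.iter() if _local(e.tag) == "ImsEnvironment"), None)

def add_agent_attribute(xml_bytes, agent=AGENT):
    """Set agent="<agent>" on the ImsEnvironment element. Returns (bytes, changed);
    changed is False when the attribute is already set or no element was found."""
    root = ET.fromstring(xml_bytes)
    env = _find_env(root)
    if env is None or env.get("agent") == agent:
        return xml_bytes, False
    env.set("agent", agent)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), True

def update_environment_zip(zip_bytes, agent=AGENT):
    """Rewrite the export zip: each .xml member gets the agent attribute,
    every other member is copied unchanged. Returns (zip_bytes, changed_names)."""
    changed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith(".xml"):
                data, did = add_agent_attribute(data, agent)
                if did:
                    changed.append(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue(), changed

def env_agent(zip_bytes, member="name.xml"):
    """Read back the agent attribute of ImsEnvironment from one zip member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        env = _find_env(ET.fromstring(z.read(member)))
    return None if env is None else env.get("agent")

# Constructed stand-in for an exported environment zip: a minimal self-closing
# ImsEnvironment element plus a non-XML member that must pass through as-is.
SAMPLE_XML = b'<ImsEnvironment name="constructed-env"/>'

def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("name.xml", SAMPLE_XML)
        z.writestr("notes.txt", "constructed non-xml member")
    return buf.getvalue()
```

ElementTree re-serialises the document, so comments and original formatting in name.xml are not preserved; running the function twice is safe because an already-tagged environment is reported as unchanged.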

Install the Web Proxy Server Plug-in

Based on which application server is installed, the identity administrator installs one of the following plug-ins that the web server uses to forward requests to the application server: