

Post-Installation Configuration of Servers

This section contains the following topics:

Post-Installation Configuration for Policy Server

Post-Installation Configuration for Web Server

Post-Installation Configuration for Siebel Server

Additional Options

Post-Installation Configuration for Policy Server

Create the Authentication Scheme

You can create the authentication scheme using the CA SSO Administrative UI.

Perform the following procedure to install the authentication scheme.

Follow these steps:

  1. Navigate to the following location to access the Authentication Scheme library, SiebelSSOAuth:
    <Siebel Agent Installation Directory>/siebel/bin
    
  2. Copy the library to the bin or lib directory of the Policy Server.
  3. Open the Administrative UI and log in as an administrator.
  4. Click Infrastructure, Authentication, Authentication Schemes.
  5. In the Authentication Schemes page, click Create Authentication Scheme.
  6. Specify the following values.
    Description

    Siebel SSO Agent Authentication Scheme

    (When you have completed the installation, you may optionally disable password acceptance by this Authentication Scheme.)

    Authentication Scheme Type

    Custom Template

    Protection Level

    5

    In general, this value should be NO HIGHER than the value for any other HTML-based authentication scheme supporting username and password authentication.

    Password Policies

    Checkmark—if Password Services is in use

    Library

    SiebelSSOAuth

    The Solaris and HP-UX platforms are case sensitive.

    Secret

    Enter a secret known only by the CA SSO administrator.

    Confirm Secret

    Re-enter the secret to confirm.

    Parameter

    A configuration string constructed from the following parameters separated by a semicolon:

    • FCC=<URL for a login form>

      The FCC is the HTML page that collects credentials. This might be the URL that is used in another HTML-based authentication scheme. If you are unsure of the location of an appropriate FCC file on your system, set the value for the FCC to:

      /siteminderagent/forms/login.fcc

      This displays the default CA SSO login form.

    • ATTR=<User attribute>

      <User attribute> is the username that Siebel uses.

      Default: UID

    • PERIOD=<Ticket Acceptance Period>

      The value, in seconds, for the maximum amount of time between the moment the SSO ticket is created and the moment a user might present a ticket. In general, this will be a very short period of approximately 10 to 20 seconds. The default is 60.

    The order of the individual components in the parameter string is not important.

More information:

Disabling Password Acceptance

Create CA SSO Policies

CA SSO policies protect your Siebel applications and provide the framework for single sign-on (SSO). To create CA SSO policies to protect your Siebel resources, use the following process:

Follow these steps:

  1. Open the Administrative UI.
  2. Create a Policy Domain to contain all your Siebel applications, and do the following steps:
    1. Within the Policy Domain, create one realm for each Siebel application to be integrated. For example, create a /sales/ realm and a /purchase/ realm.
    2. In each realm create two rules:
      • A rule with the actions Get and Post for the * resource
      • A rule with the Authentication event OnAuthAccept
    3. For each of the realms, make sure to select the Authentication Scheme that you created earlier.
    4. Create a response for SessionLinker. Siebel uses _sn as the name of the cookie. Thus, the correct configuration string for the SessionLinker is:
      “COOKIE=_sn”
      
    5. Create a policy with the following:
      • Add appropriate users.
      • Add both rules in each realm.
      • Link the SessionLinker response to the OnAuthAccept rule.
  3. Create a Realm within the same Policy Domain for the startup URL (/SiebelConnector/).
    1. Make sure to select the Authentication Scheme you created earlier.
    2. In the CA SSO Agent Startup realm, create two rules:
      • One rule with the actions Get and Post for the * resource
      • One rule with the Authentication event OnAuthAccept
    3. Create a response (for example, Siebel connector response).
    4. In the CA SSO Response Attribute Editor, create two responses for the WebAgent-HTTP-Header-Variable attribute:
      • A response for the username. Specify the following values:

Attribute Kind

User Attribute

Variable Name

SIEBELUSER

Attribute Name

uid

This value should be the attribute used by the directory to locate users (whatever user attribute contains the Siebel username, typically uid). To determine the correct value, examine the user directory configuration and the DN lookup start and end.

Attribute Kind

Active Response

Variable Name

Leave this blank

Library Name

SiebelSSOAuth

Function Name

GetSSOTicket

In some environments, the function name should be GETSSOTicketWithDN. See Upgrade and Enable the New Encryption Ticket.

Parameters

Enter a string constructed from the following values:

  • ATTR=<User attribute>

    <User attribute> is the username that Siebel uses. This is the value you entered in the Authentication Scheme’s configuration string.
  • SECRET=<Secret String>

    This value should be the same as the value entered in the Secret field of the Authentication Scheme. This parameter is mandatory. If you want to encrypt the secret, use the NPSEncrypt tool. See NPSEncrypt Tool.

Parameters can be in any order, separated by semicolons.

Attribute Caching

Recalculate the value to a number that is less than the PERIOD setting in the Authentication Scheme, typically 60 seconds or less.

  1. Click the Advanced tab and remove the equal sign (=), which, if it exists, is found before the less than (<) sign.
  2. Create a Policy binding the OnAuthAccept rule with the response for all users that should have access to Siebel.
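
The following check is an added example, not part of the product or its documentation. It parses the Authentication Scheme parameter string and the active response parameter string described above and reports where ATTR, SECRET, PERIOD and the attribute caching value disagree. The function names, the sample values and the parsing rules (exact key spelling, no semicolons inside values, exact ATTR comparison) are assumptions.

```python
# Added example, not product code. Key names and defaults are from this page;
# parsing rules (exact key spelling, no ';' inside values) are assumptions.
SCHEME_KEYS = {"FCC", "ATTR", "PERIOD"}
RESPONSE_KEYS = {"ATTR", "SECRET"}
SCHEME_DEFAULTS = {"ATTR": "UID", "PERIOD": "60"}

# Constructed sample values; the secret is a placeholder.
SAMPLE_SCHEME = "PERIOD=20;FCC=/siteminderagent/forms/login.fcc;ATTR=uid"
SAMPLE_RESPONSE = "SECRET=<placeholder-secret>;ATTR=uid"


def parse_params(text, allowed):
    """Split 'KEY=value;KEY=value' into a dict; order does not matter."""
    params = {}
    for item in filter(None, (part.strip() for part in text.split(";"))):
        key, sep, value = item.partition("=")
        key = key.strip()
        if not sep or key not in allowed:
            # Report only the key so a misplaced SECRET value is never echoed.
            raise ValueError(f"unexpected parameter: {key!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value.strip()
    return params


def check_config(scheme_text, response_text, cache_seconds):
    """Return a list of findings; an empty list means the values agree."""
    scheme = {**SCHEME_DEFAULTS, **parse_params(scheme_text, SCHEME_KEYS)}
    response = parse_params(response_text, RESPONSE_KEYS)
    if not scheme["PERIOD"].isdecimal() or int(scheme["PERIOD"]) == 0:
        return ["PERIOD must be a positive number of seconds"]
    period = int(scheme["PERIOD"])
    findings = []
    if period > 60:
        findings.append(f"PERIOD={period} is longer than the 60 second default")
    if cache_seconds >= period:
        findings.append(f"attribute caching {cache_seconds}s is not below PERIOD {period}s")
    if not response.get("SECRET"):
        findings.append("SECRET is mandatory in the response parameters")
    # Exact comparison is a conservative assumption about attribute matching.
    if "ATTR" in response and response["ATTR"] != scheme["ATTR"]:
        findings.append("ATTR differs between scheme and response")
    return findings


if __name__ == "__main__":
    print(check_config(SAMPLE_SCHEME, SAMPLE_RESPONSE, 15))
```

A shorter PERIOD narrows the window in which an SSO ticket can be presented, and a caching value at or above PERIOD is reported because the page requires it to be less than PERIOD.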