

Web Services Security Installation and Upgrade Considerations

Compatibility with Other Products

To ensure interoperability when you use multiple products, such as SiteMinder, Identity Manager, and Federation Manager, check the Platform Support Matrices for the required releases of each product.

More information:

Locate the Platform Support Matrix

System Locale Must Match the Language of Installation and Configuration Directories

To install and configure a CA SiteMinder® component to a non-English directory, set the system to the same locale as the directory. Also, make sure that you installed the required language packages so the system can display and users can type localized characters in the installer screens.

For details on how to set the locale and install the required language packages, refer to the documentation for your operating system.

Host Registration Fails When Policy Server Has a Link-Scoped IPv6 Address When Configuring SOA Agent on Linux (136734)

Linux does not support connections to link-scoped IPv6 addresses unless the name of the network interface to use is also supplied. As a result, registering a Linux system as a trusted host during SiteMinder WSS Agent configuration fails with the following error when the IP address of the Policy Server is link-scoped:

Registration failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)).

Workaround

Use global or site-scoped IPv6 addresses.
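
The following pre-registration check is an added example, not part of the product or its documentation. It classifies a Policy Server address given in the ipAddress[:port] form and flags link-scoped IPv6 values. The function names, sample addresses and port number are constructed for illustration.

```python
import ipaddress

def split_host_port(spec):
    """Split 'addr', '[v6addr]:port' or 'v4addr:port' into (addr, port)."""
    spec = spec.strip()
    if spec.startswith("["):                  # bracketed IPv6, optional port
        addr, _, rest = spec[1:].partition("]")
        return addr, (rest[1:] if rest.startswith(":") else None)
    if spec.count(":") == 1:                  # IPv4 or host name with port
        addr, port = spec.split(":")
        return addr, port
    return spec, None                         # bare literal or host name

def classify(spec):
    """Return the scope class of a Policy Server address string."""
    addr, _port = split_host_port(spec)
    addr, _, _zone = addr.partition("%")      # drop any zone id such as %eth0
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"                     # resolve it and check the result
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:                      # fe80::/10
        return "ipv6-link-scoped"
    if ip.is_site_local:                      # fec0::/10
        return "ipv6-site-scoped"
    return "ipv6-other"

def link_scoped(specs):
    """Addresses to replace before registration, per the workaround above.
    Flagged even when a zone id is present, since the workaround is to
    avoid link-scoped addresses altogether."""
    return [s for s in specs if classify(s) == "ipv6-link-scoped"]

# Constructed sample values, not taken from any real deployment.
SAMPLES = ["fe80::20c:29ff:fe12:3456", "[fe80::1%eth0]:44442",
           "[2001:db8::10]:44442", "fec0::5", "192.0.2.10:44442"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:32} {classify(s)}")
    print("change before registering:", link_scoped(SAMPLES))
```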

r12.1 SOA Agents and 12.51 SiteMinder WSS Agents Cannot Consume SAML Session Tickets Produced by the Other Agent Version (147478)

r12.0 SOA Agents encrypt and decrypt SAML Session Tickets using the RC2 algorithm. However, 12.51 SiteMinder WSS Agents encrypt and decrypt SAML Session Tickets using the Advanced Encryption Standard (AES) algorithm by default. As a result, r12.1 SOA Agents and 12.51 SiteMinder WSS Agents cannot consume SAML Session Tickets produced by the other agent version.

To configure a 12.51 SiteMinder WSS Agent to use the RC2 encryption algorithm to exchange SAML Session Tickets with r12.0 SOA Agents, set the BackwardEncryption parameter in the XmlToolkit.properties file for that agent.

Follow these steps:

  1. Navigate to one of the following locations:

    Note: The addresses that are provided are for Windows platforms. Substitute forward slashes (/) on UNIX platforms.

  2. Open XmlToolkit.properties in a text editor.
  3. Uncomment and modify the backwardencryption parameter line as follows:
    backwardencryption=yes
    
  4. Save and close the XmlToolkit.properties file.
  5. Restart the SiteMinder WSS Agent.
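
Because this setting moves an agent from AES back to the older RC2 algorithm, it is worth tracking which agents have it enabled. The following audit is an added example, not product code. It reads the text of each agent's XmlToolkit.properties and reports the ticket cipher in effect, and whether the agents disagree. The agent names and file contents are constructed, and the parser handles only simple key=value lines.

```python
def effective_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Assumption: key compared case-insensitively, because the page
            # spells it both BackwardEncryption and backwardencryption.
            props[key.strip().lower()] = value.strip()
    return props

def ticket_cipher(text):
    """'RC2' if backwardencryption=yes is active, else 'AES' (the default)."""
    value = effective_properties(text).get("backwardencryption", "")
    # Conservative assumption: any letter case of "yes" counts as enabled.
    return "RC2" if value.lower() == "yes" else "AES"

def audit(configs):
    """Map agent name -> cipher and report whether the fleet is mixed."""
    ciphers = {name: ticket_cipher(text) for name, text in configs.items()}
    return ciphers, len(set(ciphers.values())) > 1

# Constructed file contents for three hypothetical agents.
CONFIGS = {
    "wss-agent-a": "# backwardencryption=yes\n",   # still commented: AES
    "wss-agent-b": "backwardencryption=yes\n",      # downgraded to RC2
    "wss-agent-c": "!note\nBackwardEncryption = yes\n",
}

if __name__ == "__main__":
    ciphers, mixed = audit(CONFIGS)
    for name, cipher in sorted(ciphers.items()):
        print(name, cipher)
    if mixed:
        print("agents disagree on the SAML Session Ticket cipher")
```

In practice, pass the contents of each agent's real XmlToolkit.properties file in place of the constructed strings.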

Windows Considerations

The following considerations apply to supported Windows operating environments:

Windows Server 2008 System Considerations

For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:

Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.

To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system

  1. Right-click the executable and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The wizard starts.

To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system

  1. Right-click the shortcut and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The Policy Server Management Console opens.

To run CA SiteMinder® command-line tools or utilities on a Windows Server 2008 system

  1. Open your Control Panel.
  2. Verify that your task bar and Start Menu Properties are set to Start menu and not Classic Start menu.
  3. Click Start and type the following in the Start Search field:
    Cmd
    
  4. Press Ctrl+Shift+Enter.

    The User Account Control dialog appears and prompts you for permission.

  5. Click Continue.

    A command window with elevated privileges appears. The title bar text begins with Administrator:

  6. Run the CA SiteMinder® command.

More information:

Contact CA Technologies

Deploying CA SiteMinder® Components

If you are deploying CA SiteMinder® components on Windows 2008 SP2, we recommend installing and managing the components with the same user account. For example, if you use a domain account to install a component, use the same domain account to manage it. Failure to use the same user account to install and manage a CA SiteMinder® component can result in unexpected behavior.

Solaris Considerations

The following considerations apply to Solaris.

Required Operating System Patches on Solaris (24317, 28691)

The following table lists required and recommended patches by version:

| Version | Required | Recommended |
|---|---|---|
| Solaris 9 | 111722-04 or any superseding patch; 111711-15 or any superseding patch | none |

You can find patches and their respective installation instructions at SunSolve (http://sunsolve.sun.com).

Red Hat Enterprise Linux AS and ES Considerations

The following considerations apply to Red Hat Enterprise Linux AS and ES.

Apache 2.0 Web Server and ServletExec 5.0 on Red Hat Enterprise Linux AS (28447, 29518)

To use Apache 2.0 Web Server and ServletExec 5.0 on Red Hat AS

  1. Run the ServletExec 5.0 AS installer against Apache 1.3.x.

    The ServletExec AS Java instance is created.

  2. Run ServletExec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.
  3. Shut down Apache 1.3.x, but leave ServletExec running.
  4. Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches and download the latest zip.
  5. Extract the following from the zip:
    mod_servletexec2.c
    
  6. Edit the httpd.conf file of your HP-Apache 2.x so that it contains the necessary ServletExec-specific directives.

    Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. For more information on editing the httpd.conf file, refer to the New Atlanta Communication ServletExec documentation.

  7. Start Apache 2.x.
  8. Test the Web Server with ServletExec by accessing:
    /servlet/TestServlet