Protecting the Administrative UI with SiteMinder

Policy Server Guides › Policy Server Configuration Guide › Administrative User Interface Management › Protecting the Administrative UI with SiteMinder

Protecting the Administrative UI with SiteMinder

Protecting the Administrative UI with CA SiteMinder® requires that you configure an agent to function with a reverse proxy server and configure an external administrator store. Rather than accessing the Administrative UI directly on the application server, you access the Administrative UI through the reverse proxy server.

Consider the following:

If you have more than one Administrative UI to protect, we recommend protecting each instance with a separate agent functioning with a reverse proxy server.
If the Administrative UI is installed to WebSphere, the application server host system requires at least 500 MB of free memory to enable CA SiteMinder® authentication.

Using CA SiteMinder® SPS

You can use CA SiteMinder® SPS to protect the Administrative UI. Configuring CA SiteMinder® SPS with a CA SiteMinder® agent acts as a proxy server to protect the Administrative UI.

Prerequisites to Protect Administrative UI Using CA SiteMinder® SPS

Consider the following prerequisites:

A Policy Server and a policy store are configured.
The Administrative UI is configured successfully with the Policy Server.
Gateway (CA SiteMinder® SPS) is installed and configured with the Policy Server.
(Optional) To protect the Administrative UI that is configured for SSL, configure SSL on the host that is installed with CA SiteMinder® SPS.

Note:

Version of the Administrative UI and CA SiteMinder® SPS must be same.
Use https request to access the Administrative UI configured for SSL.

Configure CA SiteMinder® SPS

Configure CA SiteMinder® SPS to function as a proxy server for the Administrative UI.

Follow these steps:

Update the Proxy Rules.xml file that is available in the following location with the following proxy rules:

<CA SiteMinder® SPS install location>\proxy-engine\conf
<!-- Proxy Rules-->
<nete:proxyrules xmlns:nete="http://<Administrative UI hostname:port>/">	
<nete:cond criteria="beginswith" type="uri">
<nete:case value="/iam/siteminder/">
 <nete:forward>http(s)://<Administrative UI hostname:port>$0</nete:forward>
</nete:case>
<nete:case value="/castylesr5.1.1/">
 <nete:forward>http(s):// <Administrative UI hostname:port>$0</nete:forward>
</nete:case>
<nete:default>
<nete:forward>http://www.example.com$0</nete:forward>
</nete:default>
</nete:cond>
</nete:proxyrules>

Update the Default Virtual Host section of the server.conf file available in the following location with the following parameters:
```
<CA SiteMinder® SPS install location>\proxy-engine\conf
```
- enableredirectrewrite
- redirectrewritablehostnames
If the Administrative UI is running on an SSL port, then download the self-signed certificate of the server hosting the Administrative UI. Access the Administrative UI after deleting the temp files of the browser.
Place the self-signed certificate of the Administrative UI in the Certificate Authorities file of CA SiteMinder® SPS available in the following location:
```
<CA SiteMinder® SPS install location>/SSL/certs
```
Restart CA SiteMinder® SPS.

Enable Administrative UI Authentication

You can select CA SiteMinder® SPS as the agent to protect the Administrative UI while configuring administrative authentication to enable basic authentication.

Follow these steps:

Access the Administrative UI through the agent using reverse proxy.
Example:
```
http://hostname.example.com:port/iam/siteminder
```
Hostname

Specifies the name of the host that is installed with CA SiteMinder® SPS.

Port

Specifies the port on which CA SiteMinder® SPS is running.
Provide the default login credentials of the Administrative UI.
When you configure Administrative Authentication, select CA SiteMinder® SPS as the agent to protect the Administrative UI.
Note: For more information, see Configure an LDAP Administrator Store Connection and Configure an RDB Administrator Store Connection.

Selecting CA SiteMinder® SPS as the agent creates a domain that is named SiteMinderDomain with the corresponding realm and rule. The newly created domain protects the Administrative UI with a basic authentication instead of the default login page.

The application server restarts automatically to enforce CA SiteMinder® authentication.
Provide the username and password of a user that is available in the configured user directory.
Important! Use the credentials of the superuser that is created while configuring the user directory connection.

The Administrative UI home page is displayed successfully.

Note: The URL in address bar does not change and displays the URL of the proxy server.

Use the HTML Forms Authentication Scheme

The basic authentication displays a pop-up window to specify the user credentials. If you want a login page to specify the user credentials, use the HTML forms authentication scheme.

Perform the following procedure after enabling authentication for the Administrative UI.

Follow these steps:

Copy the admin folder

From:

<Administrative UI install location>/siteminder/webagent-resource

To:

Webagent/samples

Create an HTML forms authentication scheme.
Note: For more information, see How to Configure HTML Forms Authentication.
In the Scheme Setup section, specify the location of the .fcc file available in the admin folder that you copied in step 1, in Target.
Example:
```
/siteminderagent/admin/login.fcc
```
Add the newly created HTML form authentication scheme to the SiteMinderDomain domain.
Refresh the cache.

Access the Administrative UI using a URL as follows:

http://hostname.example.com:port/iam/siteminder/adminui

Enter the username and password of the authorized user.
The Administrative UI home page appears. You can notice that the URL in the address bar is of the proxy server when you access the Administrative UI.

Using Apache as Reverse Proxy Server

In addition to CA SiteMinder® SPS, you can also use an Apache web server as a reverse proxy server to protect the Administrative UI with CA SiteMinder®.

Protect the Administrative UI with CA SiteMinder® Using Apache

You can protect the Administrative UI with CA SiteMinder® using an Apache web server as a reverse proxy server.

Follow these steps:

Configure an agent to operate with a reverse proxy server.
Certain types of web servers, such as Apache, that support CA SiteMinder® Web agents can also function as reverse proxy servers. See the support matrix for the supported servers.

Note: Update the configuration file of Apache web server to make the Apache web server function as a reverse proxy server. For more information about configuring a reverse proxy server and updating the configuration file, see the Web Agent configuration documentation.

Important! The URL used in the rules that are set for the proxy server must be the same URL used to register the Administrative UI initially.

Example:

If the Administrative UI was initially registered with the following URL, specify the same URL in the proxy server rules.

http://host_name:8080/iam/siteminder/adminui
In your agent configuration object (ACO), set the value of the LogOffUri parameter as shown in the following example:
```
/iam/siteminder/logout.jsp
```
Configure an external administrator store.
Note: The application server restarts automatically after you configure the external administrator store. The Administrative UI is protected with CA SiteMinder® only after the restart.

More information:

How to Configure an External Administrator Store

Change the Authentication Scheme

The default CA SiteMinder® authentication scheme used to protect the Administrative UI is basic user name and password. You can change the default authentication scheme to any CA SiteMinder® supported authentication scheme, except SAML and WS-Fed authentication.

Follow these steps:

Click Policies, Domain.
Click Realms.
Search for the following realm and click the name to open it:
SiteMinder_ims_realm

Note: This realm is associated with a domain named SiteMinderDomain.
Click Modify to enable the settings.
Select the authentication scheme you want from the Authentication Scheme list .
Enter additional settings, if required.
Click Submit.
The Administrative UI is protected using the selected authentication scheme.

More information:

Authentication Schemes

Disable SiteMinder Authentication for the Administrative UI

If you do not want to protect the Administrative UI with CA SiteMinder®, you can disable CA SiteMinder® authentication. You can access the Administrative UI through the reverse proxy server only even after you remove CA SiteMinder® protection for the Administrative UI.

To access the Administrative UI directly on an application server, delete the data directory and reregister the Administrative UI with the Policy Server.

Follow these steps:

Log in to the Administrative UI.
Run the Administrative Authentication wizard to specify that you no longer want to protect the Administrative UI using CA SiteMinder® authentication.
Note: Leave the existing directory server or database connection information to continue using the external administrator store.
Log in to the Administrative UI host system.
Delete the Administrative UI data directory. The type of application server to which you deployed the Administrative UI determines where the data directory is located:
- If you installed the Administrative UI using the stand-alone option, the data directory is located at the following location:
  install_dir/adminui/server/default/data
- If you installed the Administrative UI to an existing application server, the default location for the data directory is:
  - (JBoss): <JBOSS Install>/server/default/data
  - (WebSphere): <WebSphere>\AppServer\profiles\<your_profile>\data
  - (WebLogic): <welbogic install>\user_projects\domains\<user_domain>\data
Log in to the Policy Server host system and reset the Administrative UI registration window using the XPSRegClient utility.
Register the Administrative UI with the Policy Server.