Installation and Configuration Log Files
To check the results of the installation or review any specific problems during the installation or configuration of a SiteMinder WSS Agent, check the CA_SiteMinder_Web_Services_Security_Install_date-time_InstallLog.log file located in WSS_Home\install_config_info.
Specifies the date and time of the CA SiteMinder WSS installation.
Modify the SmHost.conf File
SiteMinder WSS Agents act as trusted hosts by using the information in the SmHost.conf file to locate and make initial connections to a Policy Server. Once the Agent connects to the Policy Server, the initial connections are closed. Any further communication between the Agent and the Policy Server is based on settings in the Host Configuration Object that is located on the Policy Server.
You can modify portions of the SmHost.conf file to change the initial Agent-to-Policy Server connection.
To modify the SmHost.conf file
Is the installed location of the SiteMinder WSS Agent.
Important! Change only the settings of the parameters listed here. Do not modify the settings of any other parameters in the SmHost.conf file.
Specifies the host configuration object that defines connectivity between the Agent that is acting as trusted host and the Policy Server. This name must match a name defined in the Administrative UI.
If you want to change the host configuration object an object so the SOA Agent uses it, you need to modify this setting.
Specifies the Policy Server to which the trusted host will try to connect. The proper syntax is as follows:
"IP_address, port,port,port"
The default ports are 44441,44442,44443, but you can specify non-default ports using the same number or different numbers for all three ports. The unified server responds to any Agent request on any port.
To specify additional bootstrap servers for the Agent, add multiple Policy Server entries to the file. Multiple entries provide the Agent with several Policy Servers to which it can connect to retrieve its Host Configuration Object. After the Host Configuration Object is retrieved, the bootstrap servers are no longer needed for that server process.
Multiple entries can be added during host registration or by modifying this parameter. If a Policy Server is removed from your CA SiteMinder® environment or is no longer in service, delete the entry.
Important: If an Agent is configured on a multi-process web server, specifying multiple Policy Server entries is recommended to ensure that any child process can establish a connection to the secondary Policy Server if the primary Policy Server fails. Each time a new child process is started, it will not be able to initialize the Agent if only one Policy Server is listed in the file and that Policy Server is unreachable.
Default: IP_address, 44441,44442,44443
Example (Syntax for a single entry): "IP_address, port,port,port"
Example (Syntax for multiple entries, place each Policy Server on a separate line):
policyserver="123.122.1.1, 44441,44442,44443"
policyserver="111.222.2.2, 44441,44442,44443"
policyserver="321.123.1.1, 44441,44442,44443"
Specifies an interval of seconds during which the Agent that is acting as a trusted host waits before deciding that a Policy Server is unavailable. You can increase the time-out value if the Policy Server is busy due to heavy traffic or a slow network connection.
Default: 60
Example: requesttimeout="60"
The changes to the SmHost.conf file are applied.
When you install a SiteMinder WSS Agent on a server for the first time, you are prompted to register that server as a trusted host. After the trusted host is registered, you do not have to re-register with subsequent agent installations. There are some situations where you may need to re-register a trusted host independently of installing an Agent, such as the following:
The registration tool, smreghost, re-registers a trusted host. This tool is installed in the agent_home/bin directory when you install a SiteMinder WSS Agent.
Is the installed location of the SiteMinder WSS Agent.
To re-register a trusted host using the registration tool
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:agent_home/bin
export LD_LIBRARY_PATH
For example, for a SiteMinder WSS Agent for WebLogic, enter the following two commands:
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/SOA Security Manager/wlsagent/bin
export LD_LIBRARY_PATH
smreghost -i policy_server_IP_address:[port] -u administrator_username -p Administrator_password -hn hostname_for_registration -hc host_configuration_ object
Note: Separate each command argument from its value with a space. Surround any values that contain spaces with double quotes (").
See the following example:
smreghost -i 123.123.1.1 -u SiteMinder -p mypw -hn "host computer A" -hc DefaultHostSettings
The following example contains the -o argument:
smreghost -i 123.123.1.1 -u SiteMinder -p mypw -hn "host computer A" -hc DefaultHostSettings -o
The following arguments are used with the smreghost command:
Indicates the IP address of the Policy Server where you are registering this host. Specify the port of the authentication server only if you are not using the default port.
If you specify a port number, which can be a non-default port, that port is used for all three Policy Server processes (authentication, authorization, accounting). The Policy Server responds to any Agent request on any port.
Use a colon between the IP address and non-default port number, as shown in the following examples.
Default: (ports) 44441,44442,44443
Example: (IPv4 non-default port of 55555) -i 127.0.0.1:55555
Example: (IPv4 default ports) -i 127.0.0.1
Example: (IPv6 non-default port of 55555) -i [2001:DB8::/32][:55555]
Example: (IPv6 default ports) -i [2001:DB8::/32]
Indicates the name of the CA SiteMinder® administrator with the rights to register a trusted host.
Indicates the password of the Administrator who is allowed to register a trusted host.
Indicates the name of the host to be registered. This can be any name that identifies the host, but it must be unique. After registration, this name is placed in the Trusted Host list in the Administrative UI.
Indicates the name of the Host Configuration Object configured at the Policy Server. This object must exist on the Policy Server before you can register a trusted host.
Specifies the shared secret for the agent, which is stored in the SmHost.conf file on the local web server. This argument changes the shared secret on only the local web server. The Policy Server is not contacted.
Specifies whether the shared secret will be updated (rolled over) automatically by the Policy server. This argument instructs the Policy Server to update the shared secret.
(Optional) Indicates the full path to the file that contains the registration data. The default file is SmHost.conf. If you do not specify a path, the file is installed in the location where you are running the smreghost tool.
If you use the same name as an existing host configuration file, the tool backs up the original and adds a .bk extension to the backup file name.
Specifies one of the following FIPS modes:
Important! A CA SiteMinder® installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of CA SiteMinder®, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.
If this switch is not used, or you use the switch without specifying a mode, the default setting is used.
Default: COMPAT
Note: More information on the FIPS Certified Module and the algorithms being used; the data that is being protected; and the CA SiteMinder® Cryptographic Boundary exists in the Policy Server Administration Guide.
Overwrites an existing trusted host. If you do not use this argument, you will have to delete the existing trusted host with the Administrative UI before using the smreghost command. We recommend using the smreghost command with this argument.
The trusted host is re-registered.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|