Web Services Security Guides › CA SiteMinder WSS Agent Guide for IIS Web Servers › Install an Agent for IIS on Windows Operating Environments › How to Configure Certain Settings for the SiteMinder WSS Agent for IIS Manually

How to Configure Certain Settings for the SiteMinder WSS Agent for IIS Manually

In some situations, the SiteMinder WSS Agent configuration programs cannot add the proper settings to all the IIS web server directories which need them.

Configure the SiteMinder WSS Agent for IIS settings manually in any of the following situations:

• Your CA SiteMinder® Agent for IIS log files are not stored in the following default directory:

  WSS_agent_home\log
  

  agent_home

  Indicates the directory where the SiteMinder WSS Agent is installed on your web server.

  Default (Windows 32-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent

  Default (Windows 64-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent\win64

  Default (Windows 32-bit SiteMinder WSS Agent installations operating on 64-bit systems: C:\Program Files (x86)\CA\Web Services Security\webagent\win32

  For example, suppose that you store your log files in the C:\My Logs\SiteMinder directory. Grant this directory permissions.

• You use a CA SiteMinder WSS authentication scheme which requests or requires client certificates.

Set Permissions Manually for Non-Default Log Locations

If you decide to store your agent log files in a non default directory, grant your application pools permissions to the directory. For example, if you want to store your log files in a directory named C:\MyLogFiles, grant permissions for all your application pool identities to C:\MyLogFiles.

Microsoft provides a command line utility, icacls.exe you can use to set the appropriate permissions. This procedure provides one possible example of a way to set permissions using tools or utilities provided by third-party vendors.

Important! CA provides this information only as an example of one possible method of configuring CA SiteMinder® without using the programs and utilities tested and approved by CA. Microsoft provides the icacls.exe command as part of the Windows operating environment. You may choose to use the following examples as a guide to grant file permissions for the agent for IIS. This command and the syntax shown are subject to change by Microsoft at any time and without notice. For more information, go to the Microsoft Support website, and search for "icacls"

Follow these steps:

1. Open a Command Prompt Window on your IIS web server.

   Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

2. Run the icacls command. Use the following example as a guide:

   icacls log_directory /grant IIS AppPool\application_pool_identity
   

   log_directory

   Specifies the non default log directory to which you must grant permissions.

   application_pool_identity

   Specifies the identity of the application pool associated with the application protected by CA SiteMinder® on your IIS web server.

3. Repeat Step 2 for each application pool identity on your IIS web server. For example, if you have two application pools, grant permissions to both.
4. If you have an IIS server farm using Shared Configuration, repeat Steps 1 through 3 for each IIS web server in the farm.

   The permissions are set.

Change IIS Settings Manually for CA SiteMinder WSS Authentication Schemes Requiring Certificates

If you use CA SiteMinder WSS authentication schemes that request or require certificates, change the settings for the following virtual directories:

• cert
• certoptional

Follow these steps:

1. Open IIS manager.
2. Expand your web server.
3. The Application pools icon and Sites folder appear.
4. Expand Sites.

   A list of web sites appears.

5. Expand the website that is associated with your authentication scheme that requires certificates.

   The siteminderagent virtual folder appears.

6. Expand the siteminderagent virtual folder.

   A list of subfolders appears.

7. Click the cert folder.

   The settings icons appear.

8. Double-click SSL Settings.

   The SSL Settings page appears.

9. Select the Require SSL check box, and then click the Require option button.
10. Under Actions, click Apply.

    The changes are applied.

11. Click the certoptional folder.

    The settings icons appear.

12. Double-click SSL Settings.

    The SSL Settings page appears.

13. Click the Accept option button.
14. Under Actions, click Apply.

    The changes are applied.

15. Repeat Steps 3 through 14 for other websites on your IIS web server that require certificates.
16. For IIS server farms using Shared Configuration, repeat Steps 1 through 15 on each IIS web server in your farm.

    The settings are changed.