Protecting the Administrative UI with CA SiteMinder® requires that you configure an agent to function with a reverse proxy server and configure an external administrator store. Rather than accessing the Administrative UI directly on the application server, you access the Administrative UI through the reverse proxy server.
Consider the following:
You can use CA SiteMinder® SPS to protect the Administrative UI. Configuring CA SiteMinder® SPS with a CA SiteMinder® agent acts as a proxy server to protect the Administrative UI.
Consider the following prerequisites:
Note:
Configure CA SiteMinder® SPS to function as a proxy server for the Administrative UI.
Follow these steps:
<CA SiteMinder® SPS install location>\proxy-engine\conf <!-- Proxy Rules--> <nete:proxyrules xmlns:nete="http://<Administrative UI hostname:port>/"> <nete:cond criteria="beginswith" type="uri"> <nete:case value="/iam/siteminder/"> <nete:forward>http(s)://<Administrative UI hostname:port>$0</nete:forward> </nete:case> <nete:case value="/castylesr5.1.1/"> <nete:forward>http(s):// <Administrative UI hostname:port>$0</nete:forward> </nete:case> <nete:default> <nete:forward>http://www.example.com$0</nete:forward> </nete:default> </nete:cond> </nete:proxyrules>
<CA SiteMinder® SPS install location>\proxy-engine\conf
<CA SiteMinder® SPS install location>/SSL/certs
You can select CA SiteMinder® SPS as the agent to protect the Administrative UI while configuring administrative authentication to enable basic authentication.
Follow these steps:
Example:
http://hostname.example.com:port/iam/siteminder
Specifies the name of the host that is installed with CA SiteMinder® SPS.
Specifies the port on which CA SiteMinder® SPS is running.
Note: For more information, see Configure an LDAP Administrator Store Connection and Configure an RDB Administrator Store Connection.
Selecting CA SiteMinder® SPS as the agent creates a domain that is named SiteMinderDomain with the corresponding realm and rule. The newly created domain protects the Administrative UI with a basic authentication instead of the default login page.
The application server restarts automatically to enforce CA SiteMinder® authentication.
Important! Use the credentials of the superuser that is created while configuring the user directory connection.
The Administrative UI home page is displayed successfully.
Note: The URL in address bar does not change and displays the URL of the proxy server.
The basic authentication displays a pop-up window to specify the user credentials. If you want a login page to specify the user credentials, use the HTML forms authentication scheme.
Perform the following procedure after enabling authentication for the Administrative UI.
Follow these steps:
From:
<Administrative UI install location>/siteminder/webagent-resource
To:
Webagent/samples
Note: For more information, see How to Configure HTML Forms Authentication.
Example:
/siteminderagent/admin/login.fcc
http://hostname.example.com:port/iam/siteminder/adminui
The Administrative UI home page appears. You can notice that the URL in the address bar is of the proxy server when you access the Administrative UI.
In addition to CA SiteMinder® SPS, you can also use an Apache web server as a reverse proxy server to protect the Administrative UI with CA SiteMinder®.
You can protect the Administrative UI with CA SiteMinder® using an Apache web server as a reverse proxy server.
Follow these steps:
Certain types of web servers, such as Apache, that support CA SiteMinder® Web agents can also function as reverse proxy servers. See the support matrix for the supported servers.
Note: Update the configuration file of Apache web server to make the Apache web server function as a reverse proxy server. For more information about configuring a reverse proxy server and updating the configuration file, see the Web Agent configuration documentation.
Important! The URL used in the rules that are set for the proxy server must be the same URL used to register the Administrative UI initially.
Example:
If the Administrative UI was initially registered with the following URL, specify the same URL in the proxy server rules.
http://host_name:8080/iam/siteminder/adminui
/iam/siteminder/logout.jsp
Note: The application server restarts automatically after you configure the external administrator store. The Administrative UI is protected with CA SiteMinder® only after the restart.
The default CA SiteMinder® authentication scheme used to protect the Administrative UI is basic user name and password. You can change the default authentication scheme to any CA SiteMinder® supported authentication scheme, except SAML and WS-Fed authentication.
Follow these steps:
SiteMinder_ims_realm
Note: This realm is associated with a domain named SiteMinderDomain.
The Administrative UI is protected using the selected authentication scheme.
If you do not want to protect the Administrative UI with CA SiteMinder®, you can disable CA SiteMinder® authentication. You can access the Administrative UI through the reverse proxy server only even after you remove CA SiteMinder® protection for the Administrative UI.
To access the Administrative UI directly on an application server, delete the data directory and reregister the Administrative UI with the Policy Server.
Follow these steps:
Note: Leave the existing directory server or database connection information to continue using the external administrator store.
install_dir/adminui/server/default/data
Copyright © 2014 CA.
All rights reserved.
|
|