This section contains the following topics:
Central and Local Configuration Together
A central agent configuration manages one or more Web Agents from an Agent Configuration Object in the Policy Server. The Agent Configuration Object that resides in the Policy Server contains the parameters used by the Web Agents. One advantage of central configuration is that you can update the parameter settings of several agents at once. Most parameter changes occur dynamically, but some Framework parameters require a web server restart after they are changed.
You create and edit an Agent Configuration Object with the Administrative UI. Each Web Agent communicating with the Policy Server must be associated with an Agent Configuration Object, but many Web Agents can use a single Agent Configuration Object.
Note: For more information about creating an Agent Configuration Object, see the Policy Server documentation.
Central configuration is enabled by default. The agent uses the configuration settings from the existing Agent Configuration Object that you specified when you configured the agent with the configuration wizard. You can change the settings of the parameters to suit your needs at any time.
Follow these steps:
The Welcome screen appears.
A list of agent configuration objects appears.
The Modify Agent Configuration window appears.
The Modify Agent Configuration window closes, and a confirmation message appears.
A confirmation message appears. Central configuration is implemented. Most parameter changes occur dynamically, but some changes require a web server restart to take effect.
A local agent configuration manages a Web Agent using local files that are installed on the system hosting the web server. The parameter settings in the local file override any settings stored in an Agent Configuration Object on the Policy Server. The settings in the Agent Configuration Object do not change. Situations to consider local agent configuration include the following:
Framework Web Agents use the following files for local configuration:
Contains the core settings that the Framework Web Agent uses to start and connect to a Policy Server.
Contains the configuration settings for the Framework Web Agents.
Traditional Web Agents use the following file for local configuration:
Contains all of the configuration settings for traditional Web Agents.
The following table shows the locations of the WebAgent.conf file on various web servers:
Indicates the directory where the CA SiteMinder® Agent is installed.
Default (Windows 32-bit installations of CA SiteMinder® Web Agents only): C:\Program Files\CA\webagent
Default (Windows 64-bit installations [CA SiteMinder® Web Agents for IIS only]): C:\Program Files\CA\webagent\win64
Default (Windows 32-bit applications operating on 64-bit systems [Wow64 with CA SiteMinder® Web Agents for IIS only]): C:\Program Files (x86)\webagent\win32
Default (UNIX/Linux installations): /opt/ca/webagent
Web Server |
File Location |
---|---|
IIS |
web_agent_home\bin\IIS |
Oracle iPlanet (iPlanet/SunOne) |
Oracle_iPlanet_server_home/https-hostname/config where Oracle_iPlanet_home is the location in which theOracle iPlanet web server is installed and hostname is the name of the server. |
Apache, IBM HTTP Server Oracle HTTP Server |
web_server_home/conf where web_server_home is the installed location of the web server |
Domino |
Windows: c:\lotus\domino UNIX: $HOME/notesdata |
In addition to the AgentConfigObject, HostConfigFile, and EnableWebAgent parameters, the following parameters are also added to the WebAgent.conf file of Framework Agents:
Important! Do not modify any sections of the file that refer to other CA SiteMinder® products other than the Web Agent. However, you can change the values of the Web Agent parameters in the file.
Specifies the location of the LocalConfig.conf file, where most of Agent configuration settings reside.
Identifies the web server directory (of Apache 2.0 and Oracle iPlanet web servers) to the Agent.
Specifies which plug-ins are loaded for Framework Agents. The plug-ins support different types of Agent functions. The following plug-ins are available:
Specifies whether the Web Agent operates as an HTTP agent.
Default: Enabled
Allows communication between the Web Agent and a SAML Affiliate Agent (if you have purchased Federation Security Services).
Default: Disabled
Allows communication between the Web Agent and a 4.x Affiliate Agent.
Default: Disabled.
Limits: The SAML affiliate agent does not use this plug-in.
Lets the web agent use the OpenID authentication scheme (OIAS).
Default: Disabled
To enable the other LoadPlugin entries, remove the pound symbol (#) from the beginning of the line.
Specifies the path of the AgentId file which stores the unique ID string of the agent. The agent automatically generates the AgentId file, which must not be modified. Both on Windows and UNIX, the agent must have write permission to update the AgentId file. On Windows, the Web Agent configuration wizard grants the write permission automatically.
Default name: Agentid.dat
Path: WebAgent.conf directory/AgentId.dat
When you install a Framework Web Agent, the CA SiteMinder® installation program creates a LocalConfig.conf file in the following directory:
web _agent_home\config
web _agent_home/config
Important! This file contains all of the default settings. Do not modify this file. We recommend creating a backup copy of this file for future reference or for recovery purposes.
When you configure the Web Agent, the configuration wizard copies the LocalConfig.conf file to the following directory:
web_agent_home\bin\IIS
Oracle_iPlanet_home/https-hostname/config
Apache_home/conf
The Web Agent retrieves its configuration settings from this copy of the LocalConfig.conf file.
For central Agent configurations, most of the parameters in the local configuration file are also in an Agent Configuration Object. The following parameters are used in the local configuration file only and are not found in Agent Configuration Objects:
Defines the name of an Agent Configuration Object (stored on a policy server) in a local agent configuration file. This parameter is not used in Agent Configuration Objects.
Default: no default
Activates a Web Agent and allows it to communicate with the Policy server. Set this parameter to yes only after you have finished changing all of the configuration parameters.
Default: No
Specifies the path to the SMHost.conf file (in an IIS 6.0 or Apache agent) that is created after a trusted host computer has been successfully registered with a Policy server. All Web Agents on a computer share the SMHost.conf file.
Default: No default
You can control whether local configuration is allowed with the following parameter:
Instructs the Agent Configuration Object on the Policy Server to read the local configuration file to obtain configuration parameters for the agent. This parameter is used only in Agent Configuration Objects.
Add multiple values for this parameter in the Agent Configuration Object to control which parameters can be changed in a local configuration file. When multiple values are set for this parameter, they are processed in the following order:
Default: No (local configuration prohibited).
Example: No, EnableAuditing, EnableMonitoring (all local configuration prohibited).
Example: No, Yes (all local configuration prohibited).
Example: EnableAuditing, EnableMonitoring (allows local control of the only the two previous parameters).
Follow these steps:
The Modify Agent Configuration dialog appears.
The Edit Parameter dialog appears.
The Edit Parameter dialog closes.
Local configuration is enabled.
Local configuration is enabled and any updated parameters are changed.
The agent configuration file controls the settings of a locally configured Web Agent. To change those settings, use the following process:
All local configuration changes are effective. If you make more changes after an Agent has been enabled, restart your web server to apply those changes.
With central agent configuration, you can restrict the configuration parameters which local web server administrators modify. We recommend this method when the CA SiteMinder® administrator and the web server administrator are different people.
Follow these steps:
The Welcome screen appears.
A list of Agent Configuration objects appears.
Click the edit icon in the line Agent Configuration Object you want.
The Modify Agent Configuration dialog appears.
The Edit Parameter dialog appears.
An empty field appears.
Example: The following example shows how to allow only the EnableAuditing and EnableMonitoring parameters to be set on the local web server:
AllowLocalConfig=EnableAuditing,EnableMonitoring
The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.
The Modify Agent Configuration dialog closes, and a confirmation message appears.
Your changes will be applied the next time the Web Agent polls the Policy Server.
If you have a large number of Web Agents that you want to configure centrally, but the settings of a few of those Web Agents need to be different than the others, you can use a combination of central and local configuration together.
For example, if you need to configure multiple cookie domain single sign-on across a CA SiteMinder® network without configuring the Agents individually, you can use a central configuration for all of the agents, and local configuration settings for the smaller group that needs the different settings.
In the previous example, suppose the CookieDomain parameter in the Agent Configuration Object is set to example.com. However, for one Web Agent in your network, you want to set the CookieDomain parameter to .example.net, while still using all the other parameter values set in the Agent Configuration Object.
To implement the example configuration
The value for the CookieDomain parameter in the lone Agent's local configuration file overrides the value in the Agent Configuration Object, while the Agent Configuration Object determines the settings for all the other parameters.
Copyright © 2014 CA.
All rights reserved.
|
|