This section contains the following topics:
Make the CA SiteMinder® Agent Java Class Accessible to Your Applications
Configure the WSS Agent JAX-RPC HTTP Handler to Protect Web Services in JBoss 6.x
Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over HTTP Transport
Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x
Restart the JBoss Application Server
To protect your applications with CA SiteMinder®, they must be able to access the CA SiteMinder® Agent Java classes in module com.ca.siteminder.jbossagent. To make the CA SiteMinder® Agent Java classes accessible to your applications, do one of the following procedures:
Configure the CA SiteMinder® Agent as a global module by adding a new subsystem definition in the standalone.xml file.
Follow these steps:
<subsystem xmlns="urn:jboss:domain:ee:1.1">
  <global-modules>
    <module name="com.ca.siteminder.jbossagent" slot="main"/>
  </global-modules>
  <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
  <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
</subsystem>
Notes:
There is a conflict between the default JBoss and CA SiteMinder® XML Security libraries. If you configure the SiteMinder Agent as a global module, remove the JBoss XML Security library (org.apache.santuario.xmlsec) from the module definitions in module.xml.
Follow these steps:
<!-- <module name="org.apache.santuario.xmlsec" export="true"/> -->
Note: For applications that depend on the default JBoss XML Security library, do one of the following procedures to enable them to access it:
If the CA SiteMinder® Agent is not defined as a global module, define it as a dependency in the jboss-deployment-structure.xml file of each application that you want to protect.
Follow these steps:
<module name="com.ca.siteminder.jbossagent" />
For example:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="com.ca.siteminder.jbossagent" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
Configure each JAX-RPC HTTP web service to invoke the WSS Agent JAX-RPC HTTP Handler.
Note: There is no global way to configure the WSS Agent JAX-RPC HTTP Handler to protect all JAX-RPC web services.
Follow these steps:
For example:
<webservices ...>
  <webservice-description>
    ...
    <port-component>
      ...
      <handler>
        <handler-name>SM XMLAgentJaxrpc Handler</handler-name>
        <handler-class>com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler</handler-class>
      </handler>
    </port-component>
  </webservice-description>
</webservices>
The JBoss WSS Agent JAX-RPC HTTP Handler is invoked only for this web service.
To configure the WSS Agent Security Interceptor to protect JAX-WS web services over HTTP transport, configure those services to invoke the WSS Agent JAX-WS HTTP Handler. You can configure global use of the JAX-WS Handler for all JAX-WS HTTP web services or configure it for individual web services, as required.
To configure the WSS Agent Security Interceptor to protect all JAX-WS HTTP web services, make the following changes to standalone.xml:
Follow these steps:
<pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
  <handler name="SoaJaxWsHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsHandler"/>
</pre-handler-chain>
Note: The default standalone-full.xml does not have a web services subsystem predefined. If no web services subsystem is present, add one that includes the previous pre-handler-chain element. For example:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
  <modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
  <endpoint-config name="Standard-Endpoint-Config">
    <pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
      <handler name="SoaJaxWsHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsHandler"/>
    </pre-handler-chain>
  </endpoint-config>
  <client-config name="Standard-Client-Config"/>
</subsystem>
The JBoss WSS Agent JAX-WS Handler is invoked for all JAX-WS HTTP web services.
Configure individual JAX-WS HTTP web services to invoke the WSS Agent JAX-WS Handler.
Follow these steps:
<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
      <handler-class>com.ca.soa.agent.jaxwsplugin.JaxWsHandler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>
@HandlerChain(file = "Services_handler.xml")
The JBoss WSS Agent JAX-WS Handler is invoked for the web service.
To configure the WSS Agent Web Interceptor to protect JAX-WS web services over JMS transport, configure those services to invoke the WSS Agent JAX-WS JMS Handler. You can configure global use of the JAX-WS JMS Handler for all JAX-WS JMS web services or configure it for individual web services, as required.
Important! Do not place the WSS Agent JAX-WS HTTP Handler and the WSS Agent JAX-WS JMS Handler in the same handler chain. If you configure either handler in the default handler chain for the container, verify that all JAX-WS web services in the container use the corresponding transport.
To configure the WSS Agent Security Interceptor to protect all JAX-WS JMS web services, make the following changes to standalone.xml:
Follow these steps:
<pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
  <handler name="SoaJaxWsJMSHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler"/>
</pre-handler-chain>
Note: The default standalone.xml does not have a web services subsystem predefined. If no web services subsystem is present, add one that includes the previous pre-handler-chain element. For example:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
  <modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
  <endpoint-config name="Standard-Endpoint-Config">
    <pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
      <handler name="SoaJaxWsJMSHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler"/>
    </pre-handler-chain>
  </endpoint-config>
  <client-config name="Standard-Client-Config"/>
</subsystem>
The JBoss WSS Agent JAX-WS Handler is invoked for all JAX-WS JMS web services.
You can configure individual JAX-WS JMS web services to invoke the WSS Agent JAX-WS JMS Handler.
Follow these steps:
<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
      <handler-class>com.ca.soa.agent.jmsplugin.JaxWsJMSHandler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>
@HandlerChain(file = "Services_handler.xml")
The JBoss WSS Agent JAX-WS Handler is invoked only for this web service.
Define a JBoss security domain named SiteMinderDomain that configures the SiteMinder Agent Login Module required to authenticate credentials obtained by SiteMinder Agent authenticators. Configure the SiteMinderDomain by adding a <security-domain-name> element to the standalone.xml file.
Follow these steps:
<security-domain name="SiteMinderDomain" cache-type="default">
  <authentication>
    <login-module code="com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</security-domain>
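The following check is an added example, not part of the CA documentation. It parses a standalone.xml document and reports three deviations from the configuration described in this section: the HTTP and JMS handlers sharing one pre-handler chain, a SiteMinderDomain login module that is missing or not flagged required, and the agent module not being defined as a global module. The SAMPLE document, the finding codes and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AGENT_MODULE = "com.ca.siteminder.jbossagent"
HTTP_HANDLER = "com.ca.soa.agent.jaxwsplugin.JaxWsHandler"
JMS_HANDLERS = {"com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler",
                "com.ca.soa.agent.jmsplugin.JaxWsJMSHandler"}
LOGIN_MODULE = "com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule"

# Constructed sample (not a real server file): both handlers share one chain
# and the login module flag is weakened to "optional".
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:ee:1.1"><global-modules>
  <module name="com.ca.siteminder.jbossagent" slot="main"/></global-modules></subsystem>
 <subsystem xmlns="urn:jboss:domain:webservices:1.2">
  <endpoint-config name="Standard-Endpoint-Config">
   <pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
    <handler name="SoaJaxWsHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsHandler"/>
    <handler name="SoaJaxWsJMSHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler"/>
   </pre-handler-chain></endpoint-config></subsystem>
 <security-domain name="SiteMinderDomain" cache-type="default"><authentication>
  <login-module code="com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule" flag="optional"/>
 </authentication></security-domain></server>"""

def _named(root, name):
    """All elements at or below root with this local name, ignoring namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return a list of finding codes for a standalone.xml document."""
    root, findings = ET.fromstring(xml_text), []
    globals_ = {m.get("name") for g in _named(root, "global-modules") for m in g}
    if AGENT_MODULE not in globals_:
        # Each protected app then needs it in jboss-deployment-structure.xml.
        findings.append("agent-not-global-module")
    for chain in _named(root, "pre-handler-chain"):
        classes = {h.get("class") for h in _named(chain, "handler")}
        if HTTP_HANDLER in classes and classes & JMS_HANDLERS:
            findings.append("http-and-jms-handler-in-same-chain")
    modules = [m for d in _named(root, "security-domain")
               if d.get("name") == "SiteMinderDomain"
               for m in _named(d, "login-module") if m.get("code") == LOGIN_MODULE]
    if not modules:
        findings.append("agent-login-module-missing")
    elif any(m.get("flag") != "required" for m in modules):
        findings.append("agent-login-module-not-required")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a copy of standalone.xml before restarting the server. An empty list means none of the three conditions was found.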
Restart the JBoss Application Server to commit configuration changes you made for the SiteMinder Agent.
To restart the JBoss Application Server
The JBoss Application Server restarts with the configuration changes you made for the SiteMinder Agent.
Copyright © 2014 CA.
All rights reserved.