

Policy Database Configuration

User Directory Credentials

SmAPS, the Policy Server component of APS, requires that administrator credentials for every User Directory be stored in the Policy Server database. APS performs almost all of its directory operations over the connection that SiteMinder maintains to the User Directory, and it needs write access through that connection: it records information such as the date of the user's last login, and it must be able to disable user accounts.

To enter User Directory credentials, edit the properties of the User Directory, check the box marked "Require Credentials" and enter the "Administrator" and "Password" values. The account must be able to read the user entries and to write the attributes that APS maintains. After applying the changes, press the "View Contents" button to test the credentials; if nothing is displayed after pressing the button, the credentials are incorrect. Note that this test only proves that the account can bind and read the directory. It does not prove write access, so confirm separately that the updates APS makes (for example, the last-login date) actually succeed.

For iPlanet/Netscape LDAP directories, CA strongly recommends the use of cn=Directory Manager as the administrator account. This account is hard-coded within iPlanet LDAP servers to bypass all Access Control Instructions (ACIs). If any other account is used, it is possible that an ACI will prevent APS (or SiteMinder, for that matter) from reading or writing an attribute value.

There are implications to using the cn=Directory Manager account under iPlanet that you should be aware of. Not only does it bypass all internal access controls, but it has unrestricted time and size limits on its server-side process and is given priority by the Directory Server over all other user requests. APS' use of the Directory Server is highly optimized and very resource-economic, so the latter is rarely a problem in practice. Because the account is unconstrained, however, the policy store that holds its password and the Policy Server hosts that read it must be protected accordingly.

Change Password Page Configuration

At minimum, two Rules are required for changing passwords (one to GET the form, the other to POST the change), and the change-password pages must be protected in a separate Realm from all other pages on the site. The easiest way to create and maintain this is a dedicated "Change Password" Policy Domain.

This Realm must not have authentication and authorization events enabled. The APS event responses described under Event Handling redirect users to the change password page; if that page itself fired those events, the user would be redirected while being redirected, producing an infinite loop.

There should be two Rules defined within this realm, one to GET the form and the other to POST the change. Even if your site uses the default form produced by SmCPW (so that the GET and the POST are the same resource), and even though SiteMinder 3.6 and later allow multiple actions for a single resource, CA recommends that two separate Rules be created.

There should be a rule (within the Change Password Realm) for the form resource and an action of GET. If you are using the default form supplied with APS, this resource should be set to SmCPW*. If you are using your own form, be sure to append the wildcard to the resource definition so that various query strings can be passed to the page.

A second Rule for SmCPW* should be defined with an action of POST. Even if you are using a custom form, you will use SmCPW* for posting. Be sure to include the wildcard ("*") in the resource definition, so that the query string arguments can be passed.

A Response attribute may need to be passed when posting to SmCPW. This attribute explicitly identifies the user whose password is being changed. With a normal Web Agent configuration this response is not needed (versions of APS prior to version 4 required it). If SmCPW complains that it cannot identify the user, the response is required. If the response exists, SmCPW will use it, so it does no harm to set it up even when it is not needed.

See your SiteMinder documentation for how to set up Response Attributes. The active expression required is as follows:

<@ lib="smaps" func="SMCPW" param="" @>

This is set up as a standard HTTP-Variable type of attribute, though you do not specify an attribute name. Select "Active Expression" as the attribute type, then use the "Manual Entry" page to create this Active Response, since there is no variable name.

This attribute is only required on the POST rule for the SmCPW program. The GET rule does not need it.

Finally, a single Policy must be created. Both Rules should be defined for the Policy and the Response should be assigned only to the POST Rule. All users in all directories should be allowed to access this policy.

Forgotten Password Configuration

No special SiteMinder Policy configuration is required for FPS. However, all pages involved with the FPS process, including both custom pages and the Forgot CGI program itself, must be entirely unprotected by SiteMinder. If cascading style sheets or client-side includes are used, they must be unprotected as well.

Help Desk Interface Configuration

The Help Desk Interface (APSAdmin) is designed to be a highly flexible, very secure tool that can be used by your Help Desk personnel to reset passwords and enable/disable user accounts. It also has some more generic user view/update capabilities.

APSAdmin is not intended to replace a full CRM system. It is designed to augment an existing system or to provide a limited subset of that functionality.

APSAdmin requires the following Policy Server configuration.

Using the SiteMinder Policy Server User Interface (the Policy GUI), create a new Policy Domain called "APS Help Desk Interface".

Within the new Policy Domain, define a Realm named APSAdmin. Associate this realm with the Agent or Agent Group corresponding to the Web Server(s) on which the APSAdmin code was installed, not with the APSAdmin agent defined in the SmPortal.cfg file. The Resource Filter is /APSAdmin/. The Authentication Scheme is whatever is appropriate for your site.

Define a Rule within this Realm called Help Desk Interface. The Resource will be APSAdmin*. The Action is GET and POST.

Define a Response called Administrator Credentials. This response needs a single Attribute of type "WebAgent-HTTP-Header-Variable". Select "Static" as the Attribute Kind. The Variable Name field should be set to "APSAdmin". The Variable Value must contain a SiteMinder Administrator name, followed by a semicolon, followed by that administrator's password. Note that this is a SiteMinder Policy Server User Interface administrator (the credentials used to log into the SiteMinder Policy Server GUI, not into the Web Site). Because this response delivers that administrator's password to the web server as a request header on every APSAdmin request, use a dedicated SiteMinder administrator for this purpose rather than a shared one, and grant the policy below only to the Help Desk users who need it.

Create a Policy called Help Desk Administration. Select those users that should have access to this interface. Specify the "Help Desk Interface" rule defined above and tie the "Administrator Credentials" response to that rule.

Event Handling

The following configuration is required for the redirections supported by APS. Set it up regardless of which events are enabled for APS; if an event is later enabled in the configuration file, everything will work properly provided this setup was performed initially. None of this setup has any effect on email notification of events.

Realms

Every single Realm defined in the Policy Database must have Authentication and Authorization events enabled, except the Change Password realm.

Rules

There must be three Rules defined in every Realm, except the Change Password realm.

An OnAuthAccept rule to catch password expiration, password change warnings and other events that occur, even though the user properly authenticates.

An OnAuthReject rule to catch "three strikes you’re out" and other events that occur when SiteMinder accepts, but APS rejects, the user.

An OnAccessAccept rule to process forced password change requests.

Rule Groups

Three Rule Groups should be defined in each Policy Domain except the Change Password domain.

Each Rule Group should collect all of the rules within the Policy Domain that are alike. That is, all of the OnAuthAccept rules should be collected together into a single Rule Group, all of the OnAuthReject rules together into a single Rule Group and all of the OnAccessAccept rules into their own Rule Group.

Responses

Three Responses must be created in every Policy Domain except the Change Password domain.

The first response, for the OnAuthAccept events, should contain a single Active Attribute. This attribute must be of the type OnAccept-Redirect and invoke the following active attribute:

<@ lib="smaps" func="SmApsRedirect" param="" @>

The second response, for the OnAuthReject events, should contain a single Active Attribute. This attribute must be of the type OnReject-Redirect and invoke the following active attribute:

<@ lib="smaps" func="SmApsRedirect" param="" @>

The third response, for the OnAccessAccept events, should contain a single Active Attribute. This attribute must be of the type OnAccept-Redirect and invoke the following active attribute:

<@ lib="smaps" func="AZRedirect" param="" @>

For all three responses, you can access additional functionality by providing values for the param argument. See the section entitled Redirection for a complete discussion of these options.

Policies

Each Policy Domain, except the Change Password domain, needs one additional Policy (in addition to its own). This policy binds each of the three Rule Groups to the corresponding Response. The Policy should apply to all users.
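The requirements in the Change Password Page Configuration and Event Handling sections above are easy to get subtly wrong across many realms (events left on in the change-password realm, a missing OnAuthReject rule, AZRedirect swapped for SmApsRedirect). The following is an added example, not CA's code and not a SiteMinder API: it audits a simple model of the policy store against those requirements and parses the active-expression syntax shown on this page. The dict layout and all key names are this example's own assumptions, the policy-to-rule-to-response binding is flattened onto each rule, and the sample realms are constructed for illustration.

```python
"""Audit a SiteMinder policy-store model against the APS realm/rule/response rules above.

Added example, not CA's code. Policy store modelled as plain dicts (key names are this
example's convention); in practice they would be filled from a policy-store export.
"""
import re

# Active-expression syntax used on the page: <@ lib="..." func="..." param="..." @>
ACTIVE_EXPR = re.compile(
    r'^<@\s*lib="(?P<lib>[^"]*)"\s+func="(?P<func>[^"]*)"\s+param="(?P<param>[^"]*)"\s*@>$'
)

# Event rule action -> (required response attribute type, required smaps function)
EVENT_RESPONSES = {
    "OnAuthAccept": ("OnAccept-Redirect", "SmApsRedirect"),
    "OnAuthReject": ("OnReject-Redirect", "SmApsRedirect"),
    "OnAccessAccept": ("OnAccept-Redirect", "AZRedirect"),
}


def parse_active_expression(text):
    """Return {'lib', 'func', 'param'} or raise if the expression is malformed."""
    m = ACTIVE_EXPR.match(text.strip())
    if m is None:
        raise ValueError(f"malformed active expression: {text!r}")
    return m.groupdict()


def audit_change_password_realm(realm):
    """Change Password realm: no events, GET and POST rules on a wildcard resource,
    and the SMCPW response bound only to the POST rule."""
    name, findings = realm["name"], []
    if realm["auth_events"] or realm["az_events"]:
        findings.append(f"{name}: auth/az events must be disabled (redirect loop)")
    rules = {r["action"]: r for r in realm["rules"]}
    for action in ("GET", "POST"):
        rule = rules.get(action)
        if rule is None:
            findings.append(f"{name}: missing {action} rule")
        elif not rule["resource"].endswith("*"):
            findings.append(f"{name}: {action} resource lacks trailing wildcard")
    for rule in realm["rules"]:
        for resp in rule.get("responses", []):
            if parse_active_expression(resp["value"])["func"] == "SMCPW" and rule["action"] != "POST":
                findings.append(f"{name}: SMCPW response bound to {rule['action']} rule, POST only")
    return findings


def audit_event_realm(realm):
    """Every other realm: both events on, the three event rules, each bound to exactly
    one redirect response of the right type invoking the right smaps function."""
    name, findings = realm["name"], []
    if not (realm["auth_events"] and realm["az_events"]):
        findings.append(f"{name}: authentication and authorization events must be enabled")
    rules = {r["action"]: r for r in realm["rules"]}
    for action, (attr_type, func) in EVENT_RESPONSES.items():
        rule = rules.get(action)
        if rule is None:
            findings.append(f"{name}: missing {action} rule")
            continue
        responses = rule.get("responses", [])
        if len(responses) != 1:
            findings.append(f"{name}: {action} rule needs exactly one response, has {len(responses)}")
        for resp in responses:
            if resp["type"] != attr_type:
                findings.append(f"{name}: {action} response type {resp['type']}, expected {attr_type}")
            expr = parse_active_expression(resp["value"])
            if (expr["lib"], expr["func"]) != ("smaps", func):
                findings.append(f"{name}: {action} invokes {expr['lib']}/{expr['func']}, expected smaps/{func}")
    return findings


def audit_policy_store(realms):
    """Return all findings for a list of realm dicts; an empty list means compliant."""
    findings = []
    for realm in realms:
        audit = audit_change_password_realm if realm["change_password"] else audit_event_realm
        findings.extend(audit(realm))
    return findings


def _redirect(attr_type, func):
    """Build a redirect response dict in the shape this example's model expects."""
    return {"type": attr_type, "value": f'<@ lib="smaps" func="{func}" param="" @>'}


# Constructed sample: two compliant realms and one ("Extranet") with three faults.
SAMPLE_REALMS = [
    {"name": "Change Password", "change_password": True, "auth_events": False, "az_events": False,
     "rules": [
         {"action": "GET", "resource": "SmCPW*", "responses": []},
         {"action": "POST", "resource": "SmCPW*", "responses": [
             {"type": "WebAgent-HTTP-Header-Variable", "value": '<@ lib="smaps" func="SMCPW" param="" @>'}]},
     ]},
    {"name": "Intranet", "change_password": False, "auth_events": True, "az_events": True,
     "rules": [
         {"action": "OnAuthAccept", "resource": "*", "responses": [_redirect("OnAccept-Redirect", "SmApsRedirect")]},
         {"action": "OnAuthReject", "resource": "*", "responses": [_redirect("OnReject-Redirect", "SmApsRedirect")]},
         {"action": "OnAccessAccept", "resource": "*", "responses": [_redirect("OnAccept-Redirect", "AZRedirect")]},
     ]},
    {"name": "Extranet", "change_password": False, "auth_events": True, "az_events": False,  # fault 1: az off
     "rules": [
         {"action": "OnAuthAccept", "resource": "*", "responses": [_redirect("OnAccept-Redirect", "SmApsRedirect")]},
         # fault 2: no OnAuthReject rule; fault 3: OnAccessAccept invokes SmApsRedirect instead of AZRedirect
         {"action": "OnAccessAccept", "resource": "*", "responses": [_redirect("OnAccept-Redirect", "SmApsRedirect")]},
     ]},
]

if __name__ == "__main__":
    for finding in audit_policy_store(SAMPLE_REALMS):
        print(finding)
```

Running the block as a script prints three findings, all for the Extranet realm; the compliant realms produce none. Feeding it a real export means only writing the loader that maps the export into this dict shape, the checks themselves do not change.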

Authentication Scheme

You will need to install and configure the APS Authentication Scheme if you expect to use:

A complete description of the Authentication Scheme and how to configure it can be found in the chapter entitled Authentication Scheme.