Complete the following procedures to be sure that your environment only encrypts sensitive data using FIPs–compliant algorithms:
The process you follow to re–register an Administrative UI depends on how it is authenticating CA SiteMinder® administrators.
Note: Repeat this step until all Administrative UI connections are re–registered.
Note: Repeat this step until all Report Server connections are re–registered.
You set an Agent to FIPS-only mode to ensure that the Agent only accepts session keys, Agent Keys, and shared secrets that are encrypted using FIPS-compliant algorithms.
To set an Agent to FIPS-only mode
The following line appears in the file:
fipsmode="MIGRATE"
fipsmode="ONLY"
The agent is operating in FIPS-migration mode.
You may now set Policy Servers to operate in FIPS-only mode.
Setting the Policy Server to FIPS–only mode configures the Policy Server to read and write encrypted information using FIPS–compliant algorithms only.
Important! Password Services locks out users whose Password Blobs are not re-encrypted when the Policy Server is operating in FIPS-only mode. A user cannot regain access until you have deleted the Password Blob and cleared any disabled flags. Deleting the Password Blob results in the loss of the user's password history.
Note: For more information about identifying Password Blobs that are not re–encrypted, see Verify that Password Blobs are Re-encrypted.
Follow these steps:
setFIPSonly
ONLY appears in the command window.
Note: For more information about stopping and starting the Policy Server, see the Policy Server Administration Guide.
./ca_ps_env.ksh
Policy Server employing only FIPS-140 cryptographic algorithms.
The Policy Server is set to operate in FIPS-only mode.
You can now re–register each Administrative UI with its respective Policy Server.
Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.
Complete the following procedures to re–register an Administrative UI configured for internal authentication:
To stop the application server
Note: For more information about stopping the application server, see the Policy Server Installation Guide.
Delete the Administrative UI data directory to remove the existing trusted connection between the Administrative UI and the Policy Server.
To delete the Administrative UI data directory
data
administrative_ui_home
Specifies the Administrative UI installation path.
JBoss_home
Specifies the JBoss installation path.
The data folder contains the apacheds, derby, and siteminder folders.
data
WebLogic_domain_folder
Specifies the path to the WebLogic domain created for the Administrative UI.
data
WebSphere_home
Specifies the full path of the WebSphere installation.
profile
Specifies the name of the profile used for the Administrative UI.
The Administrative UI data dictionary is deleted.
Reset the registration window to submit the credentials of any super user in the policy store. The Policy Server uses these credentials to verify that the registration request is valid and that the relationship between the Administrative UI and the Policy Server can be trusted.
To reset the Administrative UI registration window
XPSRegClient siteminder_administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Specifies a CA SiteMinder® administrator with super user permissions.
Note: If a super user account is not available, use the smreg utility to create the default CA SiteMinder® account.
Specifies the password for the CA SiteMinder® administrator account.
Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm it.
Specifies that the Administrative UI is being re–registered with a Policy Server.
(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum limit: 1
Maximum limit: 1440 (24 hours)
(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI to complete the registration process.
Default: 1
Maximum limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI.
To start the application server
Note: For more information about starting the application server, see the Policy Server Installation Guide.
Register the Administrative UI to create a new shared secret that is encrypted using FIPS–compliant algorithms.
Note: For more information about registering the Administrative UI, see the Policy Server Installation Guide.
Existing CA SiteMinder® algorithms continue to encrypt the shared secret that the Administrative UI and the Policy Server use to establish an encrypted connection. Re–registering the Administrative UI creates a new shared secret that is encrypted using FIPS–compliant algorithms.
Complete the following procedures to re–register an Administrative UI configured for external authentication:
You delete the Administrative UI connection to the Policy Server so that you can re–register the connection.
To delete the Administrative UI connection to the Policy Server
A list of connection types appears.
The Delete Policy Server Connection pane appears.
Connections matching your criteria appear.
You are prompted to confirm the request.
The connection between the Administrative UI and the Policy Server is deleted.
You run the Administrative UI registration tool to create a client name and passphrase. A client name and passphrase pairing are values that the Policy Server uses to identify the Administrative UI you are registering. You submit the client and passphrase values from the Administrative UI to complete the registration process.
To run the registration tool
XPSRegClient client_name[:passphrase] -adminui -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Note: Inserting a space between client_name and [:passphrase] results in an error.
Identifies the Administrative UI being registered.
Limit: This value must be unique. For example, if you have previously used smui1 to register an Administrative UI, enter smui2.
Note: Record this value. This value is to complete the registration process from the Administrative UI.
Specifies the password required to complete the registration of the Administrative UI.
Limits:
Note: If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm one.
Important! Record the passphrase, so that you can refer to it later.
Specifies that an Administrative UI is being registered.
(Optional) Specifies how long you have to complete the registration process from the Administrative UI. The Policy Server denies the registration request when the timeout value is reached.
Unit of measurement: minutes
Default: 240 (four hours)
Minimum Limit: 1
Maximum Limit: 1440 (one day)
(Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Administrative UI. A failed attempt can result from an incorrect client name or passphrase submitted to the Policy Server during the registration process.
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where to export the registration log file.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
The registration tool lists the name of the registration log file and prompts for a passphrase.
The registration tool creates the client name and passphrase pairing.
You can now register the Administrative UI with a Policy Server. You complete the registration process from the Administrative UI.
The Administrative UI requires specific information from the registration process so that you can register it with the Policy Server.
Gather the following information before logging in to the Administrative UI:
Default: 44442
You configure the Administrative UI and Policy Server connection so CA SiteMinder® administrators can use the Administrative UI to manage policy information through the Policy Server. You configure the connection from the Administrative UI.
To configure the Administrative UI and Policy Server connection
http://host.domain/iam/siteminder/adminui
The Administrative UI login screen appears.
The Register Policy Server Connection pane opens.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: This value must match the value in the Authentication port (TCP) field on the Settings tab in the Policy Server Management Console. The default authentication port is 44442.
The connection between the Administrative UI and Policy Server is configured. The shared secret the Administrative UI and Policy Server use to establish an encrypted connection is encrypted using FIPS-approved algorithms.
You have completed the process for re–registering the Administrative UI.
Re–registering the Administrative UI with a Policy Server creates a new trusted host. You delete the previous trusted host as it is no longer needed.
To delete the trusted host connection
The Delete Trusted Host pane appears.
Note: A trusted host that is created as a result of the Administrative UI registration process has the following description: Generated by XPSRegClient.
The Administrative UI prompts you to verify the selection.
Important! Be sure that you delete the trusted host that was created the last time you registered the Administrative UI and not the new trusted host.
The trusted host connection is deleted.
Re-registering the Report Server ensures that the connection between the Report Server and the Policy server is encrypted using FIPS-approved algorithms.
Complete the following steps to re-register a report server:
You run the XPSRegClient utility to create a client name and passphrase. A client name and passphrase are:
To run the registration tool
Specifies the Policy Server installation path.
XPSRegClient client_name[:passphrase] -report -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Identifies the name of Report Server you are registering.
Limit: The value must be unique. For example, if you have previously used reportserver1, enter reportserver2.
Note: Record this value. This value is required to complete registration process from the Report Server host system.
Specifies the password required to complete the Report Server registration.
Limits: The passphrase
If you do not specify the passphrase in this step, XPSRegClient prompts you to enter and confirm it.
Note: Record this value. This value is required to complete registration process from the Report Server host system.
Specifies that a Report Server is being registered.
(Optional) Specifies how long you have to complete the registration process from the Report Server host system. The Policy Server denies the registration request when the timeout value is reached.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum Limit: 1
Maximum Limit: 1440 (one day)
(Optional) Specifies how many failed attempts are allowed when you complete the registration process from the Report Server host system. A failed attempt can result from submitting an incorrect passphrase to the Policy Server during the registration.
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The registration tool prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comment with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log, where siteminder_home is where the Policy Server is installed.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
The utility lists the name of the registration log file. If you did not provide a passphrase, the utility prompts for one.
The registration tool creates the client name and passphrase.
You can now register the Report Server with the Policy Server. You complete the registration process from the Report Server host system.
Completing the registration process between the Report Server and the Policy Server requires specific information. Gather the following information before running the XPSRegClient utility from the Report Server host system.
You register the Report Server with the Policy Server to create a trusted relationship between both components. You configure the connection from the Report Server host system using the Report Server registration tool.
To configure the connection to the Policy Server
Specifies the Report Server installation location.
Default: (Windows) C:\Program Files\CA\SC\CommonReporting3
Default: (UNIX) /opt/CA/SharedComponents/CommonReporting3
regreportserver.bat -pshost host_name -client client_name -passphrase passphrase -psport portnum -fipsmode 0|1
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
regreportserver.sh -pshost host_name -client client_name -passphrase passphrase -psport portnum -fipsmode 0|1
Specifies the IP address or name of the Policy Server host system to which you are registering the Report Server.
Specifies the client name. The client name identifies the Report Server that you are registering.
Note: This value must match the client name that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.
Example: If you specified "reportserver1" when using the XPSRegClient utility, enter "reportserver1".
Specifies the passphrase that is paired with the client name. The client name identifies the Report Server that you are registering.
Note: This value must match the passphrase that you specified using the XPSRegClient utility when you registered the Report Server on the Policy Server host system.
Example: If you specified CA SiteMinder® when using the XPSRegClient utility, enter CA SiteMinder®.
(optional) Specifies the port on which the Policy Server is listening for the registration request.
Specifies how the communication between the Report Server and the Policy Server is encrypted.
Default: 0
You receive a message stating that the registration is successful. You have completed re–registering the Report Server with the Policy Server. The connection between the Report Server and the Policy Server is encrypted using FIPS-compliant algorithms.
Copyright © 2014 CA.
All rights reserved.
|
|