Installation and Upgrade Guides › Policy Server Installation Guide › Installing the Administrative UI to an Existing Application Server

Installing the Administrative UI to an Existing Application Server

Administrative UI Installation Options

The Administrative UI requires an application server to run. As such, two installation options are available:

• Stand–alone installation—This option creates the required application server infrastructure through a prerequisite installer. The prerequisite installer installs an embedded application server (JBoss) and the required JDK. Verify that the Administrative UI host system meets the minimum system requirements before starting the installation.

  The prerequisite installer launches the Administrative UI installer after a successful installation. The Administrative UI installer uses the embedded application server infrastructure to complete the installation.

  Note: If you are installing to UNIX and running the prerequisite installation media in console–mode, you manually start the Administrative UI installer to complete the installation.

• Existing application server installation—This option lets you install the Administrative UI to an existing application server infrastructure. The Administrative UI installer prompts you for application server-specific information and the location of the required JDK. Verify that the Administrative UI host system meets all system and third–party component requirements before starting the installation.

The following sections detail how to install the Administrative UI to an existing application server. For more information about the stand-alone installation, see Installing the Administrative UI.

More information:

Installing the Administrative UI

Administrative UI Installation Requirements

The following sections detail the minimum system and application server requirements for installing the Administrative UI to an existing application server infrastructure.

Administrative UI System Requirements

The Administrative UI host must meet the following minimum system requirements.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

Verify Windows System Requirements

If you are installing the Administrative UI to an existing application server, verify that the Windows system meets the following minimum system requirements:

• CPU—x86 or x64, 1.2 GHz or better.
• Memory—1 GB of system RAM. We recommend 2 GB.

  Note: If you are running WebSphere, 2 GB of system RAM is required.

• Available disk space—540 MB.

  Note: If you are running WebSphere, 2 GB of available disk space is required.

• Temp directory space—3 GB.
• JDK—The required JDK version is installed on the system to which you are installing the Administrative UI.
• Screen resolution—1024 x 768 or higher resolution with 256 colors or better to view the Administrative UI properly.

More information:

Locate the Platform Support Matrix

Verify UNIX System Requirements

If you are installing the Administrative UI to an existing application server, the UNIX system must meet the following minimum system requirements:

• CPU
  • Solaris—UltraSparc, 440 MHz or better.
  • Red Hat Linux—x86 or x64, 700 MHz or better.

    Note:The Red Hat 6 operating system relies on entropy for performance. Increase entropy before installing the component. Without sufficient entropy, the installation can take an exceedingly long time to complete. We recommend that you use the following command to set a symbolic link:

    mv /dev/random /dev/random.org
    ln -s /dev/urandom /dev/random
    

• Memory—1 GB of system RAM. We recommend 2 GB.

  Note: If you are running WebSphere, 2 GB of system RAM is required.

• Available disk space—540 MB.

  Note: If you are running WebSphere, 2 GB of available disk space is required.

• Temp directory space—3 GB.
• JDK—The required JDK version is installed on the system to which you are installing the Administrative UI.

  Note: If your application server runs on a Red Hat Linux operating system, install unlimited cryptography jar files for an IBM JDK when installing the Administrative UI.

• Screen resolution—1024 x 768 or higher resolution with 256 colors or better to view the Administrative UI properly.

Application Server Requirements

The Administrative UI is a J2EE application and requires a supported application server. Be sure of the following:

• A supported version of JBoss, WebLogic, or WebSphere is installed on the system that is to host the Administrative UI.
• The Administrative UI is the only application deployed on the application server.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

JBoss

To prepare JBoss for Administrative UI installation, disable the HDScanner service.

Follow these steps:

1. Navigate to jboss_home/server/server_profile/deploy.

   jboss_home

   Specifies the JBoss installation path.

   server_profile

   Specifies the name of the server profile deployed in the application server.

   Example: default

2. Remove the following file to disable the service:

   hdscanner-jboss-beans.xml

WebLogic as an Application Server

The following sections provide basic instructions for using WebLogic as a CA SiteMinder® application server.

Install WebLogic

Install a version of a WebLogic server that is supported by CA SiteMinder®.

Note: More information on installing a WebLogic server exists in BEA's WebLogic server documentation.

Create a WebLogic Application Server Instance

Before installing the Administrative UI, create a WebLogic domain using the Configuration Wizard that is part of the WebLogic installation and do the following:

• Note the name of the domain. You will need the domain name when installing the Administrative UI.
• Select the Basic WebLogic Server Domain template.
• Verify that the JAVA_HOME variable is set to the path for the required Java environment in the setDomainEnv.cmd/ .sh file. This file is located in web_logic_home\user_projects\domains\weblogic_domain\bin.

  web_logic_home

  Specifies the WebLogic server installation path.

  weblogic_domain

  Specifies the name of the WebLogic domain you created.

Verify the WebLogic Domain

Confirm the following:

• The WebLogic server is running.
• You can access the WebLogic console at http://server.domain.port/console

  Example: http://myserver.mycompany.com:7001/console

• In the WebLogic console, under Domain Configurations, select the domains link and verify that the WebLogic domain you created appears in the list of existing domains.

Note: Once you have completed the verification, shut down the application server to prepare for the Administrative UI installation.

WebSphere as an Application Server

The following sections provide basic instructions for using WebSphere as a CA SiteMinder® application server.

Install WebSphere

Use the IBM documentation to install WebSphere.

Consider the following items when installing WebSphere:

• Select the Server and Client option.
• Disable the Administrative Security option.
• (Solaris) Before you install the Embedded Messaging service:
  • Configure the following groups:
    • mqm
    • mqbrkrs
  • Configure the following users:
    • mqm
    • root

    Note: For more information, see the IBM documentation.

Verify WebSphere is Working

Use the snoop utility provided by IBM to verify that WebSphere is installed correctly before installing the Administrative UI.

To verify WebSphere is working

1. Enter http://<fqdn:port>/snoop to verify that WebSphere is installed correctly.

   Example: http:MyServer.MyCompany.com:9080/snoop.

   If WebSphere is installed correctly, Snoop Servlet—Request Client Information page is displayed in the browser.

2. Enter http://<fqdn>/snoop to verify that the WebSphere application server plug-in is installed correctly.

   Example: http://MyServer.MyCompany.com/snoop

   If WebSphere is installed correctly, the same Snoop Servlet—Request Client Information page is displayed in the browser.

   You have verified that WebSphere is working properly.

Note: Contact IBM Technical Support for additional assistance with WebSphere.

Trusted Relationship with a Policy Server

A trusted relationship between the Administrative UI and a Policy Server is required to begin managing your environment. You establish this relationship the first–time you log in using the default CA SiteMinder® super user account (siteminder) and password. These credentials are stored in the policy store.

When you configure the policy store, you use the XPSRegClient utility to submit the super user credentials to the Policy Server. The Policy Server uses these credentials to verify that the registration request is valid and that the relationship can be created.

Note: If you used the Policy Server installer to configure the policy store automatically, the installer used the XPSRegClient utility to submit the credentials.

The time from which the credentials are supplied to when the initial Administrative UI login can occur is limited to 24 hours. Therefore, the process for installing the Administrative UI is determined by when the policy store is configured and the Administrative UI is installed.

Administrative UI Installation Checklist

Complete the following before you install the Administrative UI:

• Be sure that you are using a supported operating system.
• Be sure that the Administrative UI host system meets the minimum system requirements.
• (Linux) Be sure that the required Linux libraries are installed to the Administrative UI host system.
• Be sure that a supported application server is installed on the Administrative UI host system.
• Be sure that the required JDK is installed to the Administrative UI host system.
• Determine when the policy store was configured.

  If the policy store was configured more than 24 hours ago, use the XPSRegClient utility to submit the default CA SiteMinder® super user account credentials to the Policy Server before installing the Administrative UI. The Policy Server requires these credentials to create a trusted relationship with the Administrative UI.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

Application Server Requirements

Administrative UI System Requirements

How to Install the Administrative UI

Complete the following procedures to install the Administrative UI:

1. Be sure that you have reviewed the installation checklist.
2. (Linux) Review the required Linux libraries requirement.
3. Gather application server information for the Administrative UI installer.
4. Install the Administrative UI.
5. Start the application server.

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError 

If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:

Red Hat 5.x

compat–gcc-34-c++-3.4.6-patch_version.I386

Red Hat 6.x (32-bit)

libstdc++-4.4.6-3.el6.i686.rpm

To have the appropriate 32-bit C run–time library for your operating environment, install the previous rpm.

Red Hat 6.x (64-bit)

libXau-1.0.5-1.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

libstdc++-4.4.6-4.el6.i686.rpm

compat-db42-4.2.52-15.el6.i686.rpm

compat-db43-4.3.29-15.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libXrender-0.9.5-1.el6.i686.rpm

libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)

libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)

libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)

libICE-1.0.6-1.el6.i686.rpm

libuuid-2.17.2-12.7.el6.i686.rpm

libSM-1.1.0-7.1.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

compat-libstdc++-33-3.2.3-69.el6.i686.rpm

compat-db-4.6.21-15.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXft-2.1.13-4.1.el6.i686.rpm

libXt-1.0.7-1.el6.i686.rpm

libXp-1.0.0-15.1.el6.i686.rpm

Gather Application Server Information

The Administrative UI installer requires specific information about the application server that is installed on the Administrative UI host system.

The following sections detail the required information depending on the type of application server.

Note: Worksheets are provided to help you gather and record required information before installing the Administrative UI.

JBoss Information

Gather the following information about JBoss before installing and registering the Administrative UI:

JBoss installation folder

The path to the folder where JBoss is installed.

JBoss URL

The fully qualified URL of the JBoss host system.

JDK

The installation location of the required JDK.

WebLogic Information

Gather the following information before installing and registering the Administrative UI:

WebLogic binary folder

The path to the WebLogic installation directory.

WebLogic domain folder

The path to the WebLogic domain you created for the Administrative UI.

WebLogic server name

The name of the WebLogic server on which the WebLogic domain is configured.

Application server URL and port

The fully qualified URL of the WebLogic host system.

JDK

The installation location of the required JDK.

WebSphere Information

Gather the following information about WebSphere before installing and registering the Administrative UI:

WebSphere installation folder

The full path to the folder in which WebSphere is installed.

WebSphere URL

The fully qualified URL of the WebSphere host system.

Server name

The name of the application server.

Profile name

The name of the profile being used for the Administrative UI.

Cell name

The name of the cell where the server is located.

Node name

The name of the node where the server is located.

JDK

The installation location of the required JDK.

Install the Administrative UI

The following sections detail how to install the Administrative UI to an existing application server infrastructure.

Before You Install

Consider the following items before you install the Administrative UI:

• You install the Administrative UI using the installation media on the Technical Support site.

  Note: For a list of installation media names, see the Policy Server Release Notes.

• If you are installing to an existing application server infrastructure, the following procedures apply. If you are using the stand-alone option to install, see Installing the Administrative UI.
• (Windows) Run the installer from the Administrative UI host system. Do not run the installer from a mapped network share or UNC path.
• The installation zip contains a layout.properties file at the same level as the installation media. If you moved the installation media after extracting the installation zip, move the properties file to the same location or the installation fails.
• (Red Hat Linux) The Red Hat 6 operating system relies on entropy for performance. Increase entropy before installing the component. Without sufficient entropy, the installation can take an exceedingly long time to complete. We recommend that you use the following command to set a symbolic link:

  mv /dev/random /dev/random.org
  ln -s /dev/urandom /dev/random
  

• (UNIX) Depending on your permissions, run the following command to add executable permissions to the directory that contains the installation media:

  chmod -R+x directory
  

  directory

  Specifies the directory that contains the installation media.

• (UNIX) The user installing the Administrative UI must have read/write permissions for the directory to which the application server is installed.
• (UNIX) If you execute the Administrative UI installer across different subnets, it can crash. Install the Administrative UI directly on the host system.

More information:

Installing the Administrative UI

Locate the Installation Media

How to Install the Administrative UI

Install the Administrative UI

Install the Administrative UI to your existing application server to provide a management console for all tasks that are related to access control, reporting, and policy analysis.

Follow these steps:

1. Exit all applications that are running.
2. Navigate to the installation media.
3. Double-click installation_media.

   installation_media

   Specifies the Administrative UI installation executable.

   The installer starts.

   Note: For a list of installation media names, see the Policy Server Release Notes.

4. Use your completed installation worksheet to enter the required values.
5. Review the installation settings and click Install.

   The Administrative UI is installed.

   Note: You cannot use the Administrative UI to manage your environment until you have registered it with a Policy Server.

More information:

How to Register the Administrative UI

Installation Media Names

Install the Administrative UI Using a GUI

Install the Administrative UI to your existing application server to provide a management console for all tasks that are related to access control, reporting, and policy analysis.

Follow these steps:

1. Exit all applications that are running in the foreground.
2. Open a shell and navigate to the installation media.
3. Enter the following command:

   ./installation_media gui
   

   installation_media

   Specifies the Administrative UI installation executable.

   The installer starts.

   Note: For a list of installation media names, see the Policy Server Release Notes.

4. Use your completed installation worksheet to enter the required values.
5. Review the installation settings and click Install.

   The Administrative UI is installed.

6. Click Done and reboot the system.

   The Administrative UI is installed.

   Note: You cannot use the Administrative UI to manage your environment until you have registered it with a Policy Server.

Install the Administrative UI Using a UNIX Console

Install the Administrative UI to your existing application server to provide a management console for all tasks that are related to access control, reporting, and policy analysis.

Follow these steps:

1. Exit all applications that are running in the foreground.
2. Open a shell and navigate to the installation media.
3. Enter the following command:

   ./installation_media -i console
   

   installation_media

   Specifies the Administrative UI installation executable.

   The installer starts.

   Note: For a list of installation media names, see the Policy Server Release Notes.

4. Use your completed installation worksheet to enter the required values.
5. Review the installation settings and press Enter.

   The Administrative UI is installed.

6. Press Enter.

   The installer closes.

7. Reboot the system.

   The Administrative UI is installed.

   Note: You cannot use the Administrative UI to manage your environment until you have registered it with a Policy Server.

How to Register the Administrative UI

Register the Administrative UI before you use it to manage your environment. Registering the Administrative UI creates a trusted connection between the Administrative UI and a Policy Server.

This process explains how to register an Administrative UI that you installed to an existing application server infrastructure. To register an Administrative UI you installed using the stand-alone option, see Installing the Administrative UI.

To register the Administrative UI, complete the following procedures:

1. Reset the registration window.
2. If necessary, create the FIPs environment variable.
3. Start the application server.
4. Register the Administrative UI.

More information:

Installing the Administrative UI

How to Register the Administrative UI

Reset the Administrative UI Registration Window

If either of the following actions occurred more than 24 hours ago, this step is required:

• You used the Policy Server installation wizard to configure a policy store automatically.
• You used the XPSRegClient utility to submit the CA SiteMinder® super user credentials to the Policy Server.

Note: (UNIX) Be sure that the CA SiteMinder® environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.

Follow these steps:

1. Log in to the Policy Server host system.
2. Run the following command:

   XPSRegClient siteminder_administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
   

   siteminder_administrator

   Specifies a CA SiteMinder® administrator. If you are installing the Administrative UI as part of:

   • A new 12.52 environment, specify the following default account:

     siteminder
     

   • An upgrade, specify any CA SiteMinder® administrator account with super user permissions in the policy store. If you do not have a super user account in the policy store, use the smreg utility to create the default account.

   passphrase

   Specifies the password for the CA SiteMinder® administrator account.

   -adminui-setup

   Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

   -t timeout

   (Optional) Specifies how long you have after you install the Administrative UI to log in for the time to complete the registration. The Policy Server denies the registration request when the timeout value is exceeded.

   Unit of measurement: minutes

   Default: 1440 (24 hours)

   Minimum limit: 1

   Maximum limit: 1440 (24 hours)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first–time.

   Default: 1

   Maximum limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -l log path

   (Optional) Specifies where the registration log file must be exported.

   Default: siteminder_home\log

   siteminder_home

   Specifies the Policy Server installation path.

   -e error path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

3. Press Enter.

   The utility supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.

Create the FIPS Environment Variable

If your environment meets both of the following criteria, creating the FIPs environment variable is required to register the Administrative UI for the first–time:

• The Policy Server to which you are registering is operating in FIPs–only mode.
• The Administrative UI is not installed on the Policy Server host system.

Follow these steps:

1. Complete one of the following steps:
   • (Windows) Log into the Administrative UI host system as an administrative user.
   • (UNIX) Log into the Administrative UI host system as the user that installed the Administrative UI.
2. Set the following environment variable:

   CA_SM_PS_FIPS140=ONLY

   Note: For more information about setting environment variables, see your OS–specific documentation.

3. Verify that Windows or the UNIX shells that runs the Administrative UI correctly recognizes the CA_SM_PS_FIPS140 variable.

Start the Application Server

If you installed the Administrative UI to an existing application server infrastructure, the following procedure applies. If you installed the Administrative UI using the stand-alone option, see Installing the Administrative UI.

Follow these steps:

1. Complete one of the following steps:
   • JBoss—From a command prompt, navigate to jboss_home\bin.

     jboss_home

     Specifies the JBoss installation path.

   • WebLogic—From a command prompt, navigate to domains\bin.

     domains

     Specifies the path of the WebLogic domain you created for the Administrative UI.

     Example: C:\bea\user_projects\domains\mydomain

   • WebSphere—From a command prompt, navigate to profile\bin.

     profile

     Specifies the path of the WebSphere profile name you created for the Administrative UI.

     Example: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSvr01\bin

2. Complete one of the following steps:

   Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   • JBoss
     • Windows: Type the following command and press Enter:

       run.bat

     • UNIX: Type the following command and press Enter:

       run.sh

   • WebLogic
     • Windows: Type the following command and press Enter:

       startWebLogic.cmd

     • UNIX: Type the following command and press Enter:

       startWebLogic.sh

   • WebSphere
     • Windows: Type the following command and press Enter:

       startServer.bat identifier

     • UNIX: Type the following command and press Enter:

       startServer.sh identifier

     identifier

     Specifies the identifier for the WebSphere installation.

     Example: startServer.bat Server1

   The application server is started.

More information:

Installing the Administrative UI

Start the Application Server

Register the Administrative UI

You register the Administrative UI with a Policy Server to begin managing your environment.

Follow these steps:

1. Complete one of the following steps:
   • (Windows) Use the Administrative UI shortcut to open the Administrative UI.
   • (UNIX) Open a web browser and go to the following location:

     host:port/iam/siteminder/adminui
     

     Note: If the host system does not have a web browser, you can remotely access the login screen.

     host

     Specifies the fully qualified Administrative UI host system name.

     port

     Specifies the port on which JBoss listens for HTTP requests.

     The CA SiteMinder® Administrative UI login screen appears.

2. Enter the following value in the User Name field:

   siteminder
   

3. Type the CA SiteMinder® superuser account password in the Password field.

   Note: If your superuser account password contains dollar‑sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the CA SiteMinder® superuser account password is $password, enter $DOLLAR$password in the Password field.

4. Type the fully qualified Policy Server host name in the Server field.

   Consider the following items:

   • You can enter a valid IPv4 address or IPv6 address.
   • If you do not specify a port, the registration defaults to 44442, which is the default Policy Server authentication port.

   The Administrative UI opens and is registered with the Policy Server.

More information:

Registration Not on File Error Appears

Stop the Application Server

If you installed the Administrative UI to an existing application server infrastructure, the following procedure applies. If you installed the Administrative UI using the stand-alone option, see Installing the Administrative UI.

To stop the application server

1. Do one of the following:
   • JBoss—From the Administrative UI host system, open the Start Task Engine Command prompt.
   • WebLogic—From the Administrative UI host system, open the Start Task Engine Command prompt.
   • WebSphere—From a command prompt, navigate to profile\bin

     profile

     Specifies the path of the WebSphere profile name you created for the Administrative UI

     Example: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSvr01\bin

2. Do one of the following:
   • JBoss—Enter the following keyboard combination:

     Ctrl+c.
     

   • WebLogic—Enter the following keyboard combination:

     Ctrl+c.
     

   • WebSphere
     • Windows: Type stopServer.bat identifier and press Enter.

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

     • UNIX: Type stopServer.sh identifier and press Enter.

     identifier

     Specifies the identifier for the WebSphere installation.

     Example: stopServer.bat Server1

   The application server is stopped.

More information:

Installing the Administrative UI

Stop the Application Server

Administrator Credentials

By default, the Administrative UI uses the policy store as its source for CA SiteMinder® administrator credentials. You can configure the Administrative UI to use an external store, for example, a corporate directory.

Note: For more information about configuring an external administrator user store, see the Policy Server Configuration Guide.

More information:

How to Configure an External Administrator Store