This section contains the following topics:
How to Configure FCC Password Services
Password Services Implementations
To configure password services, follow these steps:
/siteminderagent/forms/smpwservices.fcc
Note: For more information, see the Policy Server documentation.
CA SiteMinder® uses forms credential collectors (FCCs) to support password services.
Password services help you do the following tasks:
The FCC Password Services application enables query data on the URL to be encrypted, further securing Agent interactions. You can only encrypt query data with FCC Password Services. FCC Password Services files include:
This FCC is installed with the Web Agent and is located at:
web_agent_home/samples/forms
If Password Services is invoked and there is no password policy configured, the CA SiteMinder® Administrator at the Policy Server should set the environment variable NETE_PWSERVICES_REDIRECT to a relative path for smpwservices.fcc.
The path is:
/siteminderagent/forms/smpwservices.fcc
The new FCC displays the Password Services form based on the FCC directives authreason and username.
This file handles errors that occur during GET/POST actions of the Password Services forms.
This file is similar to other FCC unauthorized files that are invoked if there is a failure processing the request during the POST. This FCC handles error conditions, such as an empty TARGET variable. The error reporting is intended to be synchronized with the CGI-based Password Services and for handling any other unknown errors caused by an FCC POST.
This properties file is used by smpwservices.fcc to display the user-friendly messages on the Password Services forms.
This properties file contains the user-friendly messages, which an administrator can modify to control what appears on the Password Services forms. The format for each message is name=value.
To localize the user messages for FCC-based Password Services for another locale, follow these steps:
Note: The directories and file names that are shown could be case-sensitive, depending on your operating environment and the type of web server in use.
For example, to use FCC Password Services for Japanese users, put a copy of the following files in the folder formsja, which is located in web_agent_home/samples:
When you use password services, you can instruct a Web Agent to build the URL to which users are redirected with a fully qualified domain name (FQDN). Use the following parameter:
Instructs the agent to add the server name (FQDN) of the system that is hosting the password services before redirecting the user. You define this server name in the password policy on the Policy Server.
For example, suppose that the value of this parameter is yes, and your password policy points to siteminderagent/forms/smpwservices.fcc. The Web Agent redirects to the following URL:
HTTP://server_name.example.com/siteminderagent/forms/smpwservices.fcc
The Web Agent uses the value that is defined in your password policy when the value of this parameter is no. For example, if your password policy only points to a subdirectory, the Web Agent redirects users to that subdirectory.
Default: No.
Example: No (redirects to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).
Example: Yes (adds HTTP://server_name.example.com to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).
The default URL for password policies in the Administrative UI does not contain a server name. The Web Agent redirects users to whatever URL exists in the password policy when the value of the previous parameter is set to yes.
Follow these steps:
| To: | Add this URL to your password policy in the Administrative UI: | Set the value of the ConstructFullPwsvcURl to: |
|---|---|---|
| Host the password services on a specific server. | http://server_name.example.com:80/siteminderagent/forms/smpwservices.fcc | No |
| Host the password services on the same server as the Web Agent using a relative URL. | siteminderagent/forms/smpwservices.fcc | No |
| Host the password services on the same server as the Web Agent using an FQDN. | siteminderagent/forms/smpwservices.fcc | Yes |
You must modify the SecureID HTML Form template using the Administrative UI if you are using SecureID as your authentication scheme and both of the following conditions exist in your environment:
SecureID is implemented using Password Services, which is why you must modify the authentication scheme's template.
To configure SecureID Authentication with FCC password services, add the path to the smpwservices.fcc file in the Target field of the SecureID template, as shown in the following example:
/siteminderagent/forms/smpwservices.fcc
You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords whenever they want.
Note: Use the following process only if the SecureURLs parameter in your CA SiteMinder® Web Agent configuration is set to no.
To enable user-initiated password changes with FCCs, use the following process:
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
The password change form appears.
If the password change is successful, a confirmation page appears with a link to the protected target resource.
If you can access the resource with your new password, the password change is successful.
You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords whenever they want.
Note: Use the following process only if the SecureURLs parameter in your CA SiteMinder® Web Agent configuration is set to yes.
To enable user-initiated password changes with FCCs, use the following process:
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
web_agent_home/samples/forms/smpwservices.fcc
@smpwselfchange=0
@smpwselfchange=1
The password change form appears.
If the password change is successful, a confirmation page appears with a link to the protected target resource.
If you can access the resource with your new password, the password change is successful.
You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords. The CA SiteMinder® X.509 Certificate and Basic authentication scheme requires a password-change URL that starts with the HTTPS protocol.
Follow these steps:
<a href="https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
<a href="https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
The password change form appears.
A confirmation page appears with a link to the protected target resource.
If you can access the resource with your new password, the password change is successful.
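The following link audit is an added example, not code from CA or from the original page. It checks the change-password links described in the three procedures above against what this page states: a well-formed scheme and host, SMAUTHREASON=34, a non-empty SMAGENTNAME and TARGET (an empty TARGET is one of the error conditions the unauthorized FCC handles), and HTTPS when the X.509 Certificate and Basic scheme is in use. The names `check_link` and `audit` are hypothetical, and the sample links are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class _FccLinks(HTMLParser):
    """Collect href values of <a> tags that point at smpwservices.fcc."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and "smpwservices.fcc" in href:
            self.hrefs.append(href)

def check_link(href, require_https=False):
    """Return the list of problems found in one change-password link."""
    problems = []
    url = urlsplit(href)
    # "http:host/..." parses with an empty netloc, so the missing "//" is caught here.
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("malformed URL: expected scheme://host")
    elif require_https and url.scheme != "https":
        problems.append("HTTPS required for X.509 Certificate and Basic")
    query = parse_qs(url.query, keep_blank_values=True)
    if query.get("SMAUTHREASON") != ["34"]:  # value used by the links on this page
        problems.append("SMAUTHREASON must be 34")
    for name in ("SMAGENTNAME", "TARGET"):
        if not query.get(name, [""])[0]:
            problems.append(name + " is missing or empty")
    return problems

def audit(html, require_https=False):
    """Map every smpwservices.fcc link in an HTML page to its problems."""
    parser = _FccLinks()
    parser.feed(html)
    return {href: check_link(href, require_https) for href in parser.hrefs}

# Constructed sample links: BAD lacks "//" after the scheme and has an empty TARGET.
BAD = ("http:logonserver.example.com/siteminderagent/forms/smpwservices.fcc"
       "?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=")
GOOD = ("https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc"
        "?SMAUTHREASON=34&SMAGENTNAME=Agent1"
        "&TARGET=https://logonserver.example.com/protected/myprotectedpage.html")
SAMPLE = '<a href="%s">Change Password</a>\n<a href="%s">Change Password</a>' % (BAD, GOOD)

if __name__ == "__main__":
    for href, problems in audit(SAMPLE, require_https=True).items():
        print(href[:40], "->", problems or "ok")
```

Template placeholders such as `$$smencode(target)$$` count as non-empty values, so the same check can be run over unrendered login templates.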
Copyright © 2013 CA.
All rights reserved.