

Agents and Password Services

This section contains the following topics:

How to Configure FCC Password Services

Password Services Implementations

How to Configure FCC Password Services

To configure password services, follow these steps:

  1. Open the Administrative UI
  2. Create password policies that are associated with a user directory in your CA SiteMinder® environment. Use the following path in the Redirection URL field:
    /siteminderagent/forms/smpwservices.fcc
    

Note: For more information, see the Policy Server documentation.

More information:

Create Password Policies

Password Services Implementations

CA SiteMinder® uses forms credential collectors (FCCs) to support password services.

Password services help you do the following tasks:

FCC Password Services and URL Query Encryption

The FCC Password Services application enables query data on the URL to be encrypted, further securing Agent interactions. You can only encrypt query data with FCC Password Services. FCC Password Services files include:

How to Localize FCC-based Password Services Change Forms

To localize the user messages for FCC-based Password Services for another locale, follow these steps:

  1. Create an FCC folder on the web server for a new locale or use an existing folder if appropriate for your locale. The typical naming convention for the folder is forms followed by the locale (formslocale), for example formsja for Japanese.

    Note: The directories and file names that are shown could be case-sensitive, depending on your operating environment and the type of web server in use.

  2. Place a copy of the relevant Password Services files in the new folder.
  3. Modify the files to accommodate the locale, such as changing the English messages to the language for your locale. Repeat this step with all the files for the locale.
  4. In the Administrative UI, change the value of the Redirection URL field in the Password Policy.

    For example, to use FCC Password Services for Japanese users, put a copy of the following files in the folder formsja, which is located in web_agent_home/samples:

Use a Fully Qualified URL for Password Services Redirects

When you use password services, you can instruct a Web Agent to construct a fully qualified URL, including the fully qualified domain name (FQDN) of the server, to which users are redirected. Use the following parameter:

ConstructFullPwsvcUrl

Instructs the agent to add the server name (FQDN) of the system that is hosting the password services before redirecting the user. You define this server name in the password policy on the Policy Server.

For example, suppose that the value of this parameter is yes, and your password policy points to siteminderagent/forms/smpwservices.fcc. The Web Agent redirects to the following URL:

HTTP://server_name.example.com/siteminderagent/forms/smpwservices.fcc

The Web Agent uses the value that is defined in your password policy when the value of this parameter is no. For example, if your password policy only points to a subdirectory, the Web Agent redirects users to that subdirectory.

Default: No.

Example: No (redirects to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).

Example: Yes (adds HTTP://server_name.example.com to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).

The default URL for password policies in the Administrative UI does not contain a server name. The Web Agent redirects users to whatever URL exists in the password policy when the value of the previous parameter is set to yes.

Follow these steps:

  1. Use the examples in the following table as a guide for setting the ConstructFullPwsvcUrl parameter:

| To: | Add this URL to your password policy in the Administrative UI: | Set the value of ConstructFullPwsvcUrl to: |
| --- | --- | --- |
| Host the password services on a specific server. | http://server_name.example.com:80/siteminderagent/forms/smpwservices.fcc | No |
| Host the password services on the same server as the Web Agent using a relative URL. | siteminderagent/forms/smpwservices.fcc | No |
| Host the password services on the same server as the Web Agent using an FQDN. | siteminderagent/forms/smpwservices.fcc | Yes |

Configure SecurID Authentication with FCC Password Services

You must modify the SecurID HTML Form template using the Administrative UI if you are using SecurID as your authentication scheme and both of the following conditions exist in your environment:

SecurID is implemented using Password Services, which is why you must modify the authentication scheme's template.

To configure SecurID Authentication with FCC password services, add the path to the smpwservices.fcc file in the Target field of the SecurID template, as shown in the following example:

    /siteminderagent/forms/smpwservices.fcc

How to Enable User-Initiated Password Changes with FCCs

You can configure the FCC Password Services features of CA SiteMinder® to allow users to change their own passwords whenever they want.

Note: Use the following process only if the SecureURLs parameter in your CA SiteMinder® Web Agent configuration is set to no.

To enable user-initiated password changes with FCCs, use the following process:

  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
  3. Create a password change URL that includes the following parts:
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.

      The password change form appears.

    3. Fill out the password change form and submit it.

      If the password change is successful, a confirmation page appears with a link to the protected target resource.

    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.

      If you can access the resource with your new password, the password change is successful.

How to Enable User-Initiated Password Changes with FCCs (SecureURLs=Yes)

You can configure the FCC Password Services features of CA SiteMinder® to allow users to change their own passwords whenever they want.

Note: Use the following process only if the SecureURLs parameter in your CA SiteMinder® Web Agent configuration is set to yes.

To enable user-initiated password changes with FCCs, use the following process:

  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
    3. Set the value of the ValidTargetDomain parameter to the domain of the target resource you want to protect.
  3. Create a password change URL that includes the following parts:
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Open the following file on your web server:
    web_agent_home/samples/forms/smpwservices.fcc
    
    1. Locate the following line:
      @smpwselfchange=0
      
    2. Change the 0 (zero) at the end of the previous line to 1 (one), as shown in the following example:
      @smpwselfchange=1
      
    3. Save and close the smpwservices.fcc file.
  6. Embed the URL you created in Step 3 as a link in one or more unprotected web pages.
  7. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.

      The password change form appears.

    3. Fill out the password change form and submit it.

      If the password change is successful, a confirmation page appears with a link to the protected target resource.

    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.

      If you can access the resource with your new password, the password change is successful.
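
The directive edit in step 5, combined with the localized copies of smpwservices.fcc described earlier, means the setting can differ from one FCC folder to another. This added example (not CA's code; the function names and the forms* folder layout under a samples directory are assumptions) reports the @smpwselfchange value in each copy and changes it after saving a backup:

```shell
#!/bin/sh
# Added example: audit and set @smpwselfchange across smpwservices.fcc copies.
# Assumption: the directive sits on its own line as "@smpwselfchange=0" or "=1".

# Print the directive's value in one file, or "missing" when it is absent.
selfchange_value() {
    v=$(sed -n 's/^[[:space:]]*@smpwselfchange=\([01]\)[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${v:-missing}"
}

# List "<value> <path>" for each forms*/smpwservices.fcc under a samples dir.
audit_selfchange() {
    for f in "$1"/forms*/smpwservices.fcc; do
        [ -f "$f" ] || continue
        echo "$(selfchange_value "$f") $f"
    done
}

# Set the directive to 0 or 1 in one file after saving a .bak copy.
# Returns 2 for an invalid value and 1 when the directive is not present.
set_selfchange() {
    case "$2" in 0|1) ;; *) return 2 ;; esac
    [ "$(selfchange_value "$1")" != missing ] || return 1
    cp -p "$1" "$1.bak" || return 1
    sed "s/^\([[:space:]]*\)@smpwselfchange=[01]/\1@smpwselfchange=$2/" "$1.bak" > "$1"
}

# Count the copies whose value differs from the one expected (drift check).
count_drift() {
    audit_selfchange "$1" | awk -v want="$2" '$1 != want { n++ } END { print n + 0 }'
}

# Constructed demo tree standing in for web_agent_home/samples.
demo=$(mktemp -d)
mkdir -p "$demo/forms" "$demo/formsja"
printf '@smpwselfchange=1\n<!-- constructed -->\n' > "$demo/forms/smpwservices.fcc"
printf '@smpwselfchange=0\n<!-- constructed -->\n' > "$demo/formsja/smpwservices.fcc"
audit_selfchange "$demo"
echo "copies not set to 1: $(count_drift "$demo" 1)"
set_selfchange "$demo/formsja/smpwservices.fcc" 1
echo "after fix: $(count_drift "$demo" 1)"
rm -rf "$demo"
```

Run the audit after each localization change so that a folder copied from an older template does not keep a different self-change setting than the one you tested.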

How to Enable User-Initiated Password Changes when using the CA SiteMinder® X.509 Certificate and Basic Authentication Scheme

You can configure the FCC Password Services features of CA SiteMinder® to allow users to change their own passwords. The CA SiteMinder® X.509 Certificate and Basic authentication scheme requires a password-change URL that starts with the HTTPS protocol.

Follow these steps:

  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
  3. Create a password change URL that includes the following parts:
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.

      The password change form appears.

    3. Fill out the password change form and submit it.

      A confirmation page appears with a link to the protected target resource.

    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.

      If you can access the resource with your new password, the password change is successful.