This document contains information on CA SiteMinder® Web Services Security features, operating system support, installation considerations, known issues, and fixes.
The following requirements must be met or exceeded for CA SiteMinder® Web Services Security to install and run correctly.
Before you install any CA SiteMinder® Web Services Security components, verify that you are using a supported operating system and third-party software.
For a complete list of supported web servers, application servers, databases, directories, web browsers, and CA interoperability requirements, see the CA SiteMinder® Web Services Security 12.52 Platform Support Matrix.
Note: CA SiteMinder® Web Services Security extensions that were formerly only available in the CA SOA Security Manager Policy Server are now integrated into the CA SiteMinder® Policy Server. Therefore, refer to the CA SiteMinder® 12.52 Platform Support Matrix for platform support information relating to the Policy Server.
The following minimum system requirements must be met for SiteMinder WSS Agents to install and run correctly.
Note: For additional non-system requirements, see the corresponding SiteMinder WSS Agent Guide.
For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:
Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.
To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The wizard starts.
To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The Policy Server Management Console opens.
To run CA SiteMinder® command-line tools or utilities on a Windows Server 2008 system
Cmd
The User Account Control dialog appears and prompts you for permission.
A command window with elevated privileges appears. The title bar text begins with Administrator:
To ensure interoperability if you use multiple products, such as SiteMinder, Identity Manager, and Federation Manager, check the Platform Support Matrices for the required releases of each product.
To install and configure a CA SiteMinder® component in a non-English directory, set the system locale to match the directory. Also, make sure that the required language packages are installed so that the system can display, and users can type, localized characters in the installer screens.
For details on how to set the locale and install the required language packages, refer to the documentation for your operating system.
Linux does not support connections to link-scoped IPv6 addresses unless the name of the interface on which to do the networking is also supplied. As a result, registering a Linux system as a trusted host during SiteMinder WSS Agent configuration fails with the following error when the IP address of the Policy Server is link-scoped:
Registration failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)).
Workaround
Use global or site-scoped IPv6 addresses.
r12.0 SOA Agents encrypt and decrypt SAML Session Tickets using the RC2 algorithm, whereas 12.52 SiteMinder WSS Agents encrypt and decrypt SAML Session Tickets using the Advanced Encryption Standard (AES) algorithm by default. As a result, r12.1 SOA Agents and 12.52 SiteMinder WSS Agents cannot consume SAML Session Tickets produced by the other agent version.
To configure a 12.52 SiteMinder WSS Agent to use the RC2 encryption algorithm to exchange SAML Session Tickets with r12.0 SOA Agents, set the BackwardEncryption parameter in the XmlToolkit.properties file for that agent.
Follow these steps:
Note: The paths that are provided are for Windows platforms. Substitute forward slashes (/) for backslashes on UNIX platforms.
backwardencryption=yes
The following considerations apply to supported Windows operating environments:
If you are deploying CA SiteMinder® components on Windows 2008 SP2, we recommend installing and managing the components with the same user account. For example, if you use a domain account to install a component, use the same domain account to manage it. Failure to use the same user account to install and manage a CA SiteMinder® component can result in unexpected behavior.
The following considerations apply to Solaris.
The following table lists required and recommended patches by version:
Version | Required | Recommended
Solaris 9 | | none
You can find patches and their respective installation instructions at SunSolve (http://sunsolve.sun.com).
The following considerations apply to Red Hat Enterprise Linux AS and ES.
To use Apache 2.0 Web Server and ServletExec 5.0 on Red Hat AS
The ServletExec AS Java instance is created.
mod_servletexec2.c
Note: The directives are also present in the httpd.conf file of your Apache 1.3.x installation if you allowed the ServletExec installer to update httpd.conf during installation. For more information on editing the httpd.conf file, refer to the New Atlanta Communications ServletExec documentation.
/servlet/TestServlet
The following topics describe general known issues.
CA SiteMinder® Web Services Security fails to create an encrypted WS-Security token when a response is configured to use the RSA-OAEP algorithm to encrypt the symmetric encryption key, generating the following error in tmxmltoolkit.log:
008-05-22 14:53:10,531 [INFO] handler.response.WSSecurityUsernameResponseHandler 8A2ADA6E-3D9B-57FB-35E3-9CC05471E849 - Cannot do encryption: unsupported key algorithm provided: rsa_oaep
Workaround
Configure the WS-Security header generating response to use the default rsa-1_5 algorithm to encrypt the symmetric encryption key.
If configured to generate signed SAML Session Tickets in the SOAP envelope, CA SiteMinder® Web Services Security produces the SAML Session Ticket and places it in the SOAP envelope as expected, but the message is not signed.
Signing works correctly for SAML Session Tickets placed in HTTP headers or HTTP cookies.
When creating an application policy from a WSDL file, operation-level policy changes in the Define Web Service Protection Policy table are lost if you return to the top level by clicking the All Web Services link and then immediately click the Next button to proceed.
Workaround
After you have specified operation-level policy changes for a particular port, if you click the All Web Services link to return to the top level of the Define Web Service Protection Policy table, click any other button or link (for example, the link for that port again) before clicking Next to ensure that the operation-level changes are committed.
Clicking the Back button on the Secure Web Services from WSDL: Define Policies pane of the Secure Web Services from WSDL Wizard sometimes results in an "Array Index out of range error -1". This error is non-fatal and can be ignored.
The following topics describe known issues related to product installation and uninstallation.
The option to go back to reenter incorrectly supplied information is not supported during console mode installation on UNIX.
Attempting to uninstall any CA SiteMinder® Web Services Security component without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:
Workaround
Make sure the JRE is in the PATH variable.
The following topics describe SiteMinder WSS Agent for Web Servers issues.
If configured for failover and the primary Policy Server fails, the SiteMinder WSS Agent for Web Servers can take up to one minute to failover to the secondary Policy Server.
Unattended configuration sometimes fails when attempting to configure the SiteMinder WSS Agent for Web Servers to work with IIS 7.x on Windows Server 2008. In this case, the following message is written to the log:
“Unable to write to applicationHost.conf file. Please Restart the IIS Webserver and redo the configuration.”
This issue occurs when the configuration wizard cannot stop IIS before it attempts to modify the IIS applicationHost file; because the file is still in use, the wizard cannot edit it.
Workaround
Stop IIS 7.x before attempting unattended configuration of the SiteMinder WSS Agent.
The following topics describe known issues in the SiteMinder WSS Agent for IBM WebSphere.
The SiteMinder WSS Agent for IBM WebSphere has the following limitations:
The following use case for coexistence of SiteMinder WSS Agent for IBM WebSphere and SiteMinder Agent for IBM WebSphere is not supported:
If you do configure such an environment, the SiteMinder TAI Module will intercept web service requests that should be handled by the SiteMinder WSS Agent.
The SiteMinder WSS Agent for IBM WebSphere does not support generation of WS-Security mustUnderstand attributes.
Therefore, do not assign responses that generate mustUnderstand attributes to policies associated with resources protected by the SiteMinder WSS Agent for IBM WebSphere.
For resources protected by the SiteMinder WSS Agent for IBM WebSphere, XML Digital Signature authentication fails for certain XML payloads.
The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebSphere as it does for the SiteMinder WSS Agent for Web Servers.
Workaround
To unconfigure a SiteMinder WSS Agent for WebSphere (that is, to stop it from protecting web service resources in the WebSphere container), perform the following steps:
The following topics describe known issues in the SiteMinder WSS Agent for Oracle WebLogic.
The SiteMinder WSS Agent for Oracle WebLogic has the following limitations:
The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebLogic as it does for the SiteMinder WSS Agent for Web Servers.
Workaround
To unconfigure a SiteMinder WSS Agent for WebLogic (that is, to stop it from protecting web service resources in the WebLogic container), perform the following steps:
The following topics describe known issues in the CA SiteMinder® Agent for JBoss.
Attempting to uninstall the SiteMinder Agent for JBoss without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:
Workaround
Make sure the JVM is in the system PATH variable.
Symptom:
Due to an issue in JBoss, request messages with digitally signed envelopes or headers fail to authenticate on JBoss 6.x. This issue occurs for requests to web services protected by the WS-Security and XML Digital Signature authentication schemes.
An issue (support case 00997994) is open with JBoss to investigate.
For resources protected by the SiteMinder WSS Agent for JBoss, XML Digital Signature authentication fails for SOAP requests where the entire document is signed. This failure occurs because the JBoss container does not preserve whitespace between SOAP message elements, so the document the agent verifies no longer matches the document the client signed.
Workaround
Program the web service client to remove all whitespace between SOAP message elements in the request message to match the space removal that JBoss performs upon receiving the message.
When the SiteMinder Agent for JBoss installer prompts for the JVM location, it displays an "Unable to install the Java Virtual Machine included with this installer" error message even when a valid path is entered.
Workaround
The error message is spurious; the installer continues with the installation regardless of the message.
The following topics describe known issues in the CA SiteMinder® Web Services Security SDK.
When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a PEM format X.509 file argument, it fails with an "Uninitialized keystore" error.
When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a DER format X.509 file argument, it throws an exception indicating it cannot parse the certificate.
When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a SOAP document with a DER format X.509 file argument, the method produces a signature that cannot be validated by a SiteMinder WSS Agent. The SOAP Body element is identified with the following syntactically correct attribute:
ID="Body"
However, SiteMinder WSS Agents can only resolve references to "Id", not "ID" attributes (note the case: Id as opposed to ID).
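Both XML Digital Signature failures described on this page (the JBoss whitespace issue above and the ID/Id attribute case here) come down to how a verifier resolves a same-document reference and digests the canonicalized target. The following added Python example is not CA's code; the SOAP message, the element lookup and the digest routine are constructed for illustration. It shows that removing inter-element whitespace changes the C14N digest of the signed element, and that a verifier that matches only an Id attribute cannot resolve a reference to an element carrying ID="Body".

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample SOAP envelope, serialized with whitespace between
# elements as a client typically does before signing.
SOAP_PRETTY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body Id="Body">
    <GetBalance xmlns="urn:example:bank">
      <Account>12345</Account>
    </GetBalance>
  </soap:Body>
</soap:Envelope>
"""


def strip_inter_element_whitespace(xml_text: str) -> str:
    """Mimic a container that drops whitespace-only text between elements."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.text is not None and not elem.text.strip():
            elem.text = None
        if elem.tail is not None and not elem.tail.strip():
            elem.tail = None
    return ET.tostring(root, encoding="unicode")


def resolve_reference(xml_text: str, uri: str, attr: str = "Id"):
    """Resolve a same-document reference such as '#Body'.

    Only an attribute literally named `attr` (default 'Id') matches, which is
    the behaviour the release notes describe for the agent; 'ID' is not seen.
    """
    target = uri.lstrip("#")
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.get(attr) == target:
            return elem
    return None


def reference_digest(xml_text: str, uri: str) -> str:
    """Canonicalize (C14N 2.0) the referenced element and return its SHA-256 hex digest."""
    elem = resolve_reference(xml_text, uri)
    if elem is None:
        raise LookupError(f"no element with Id matching {uri!r}")
    # Serialize only the target subtree; drop any tail text that follows it.
    subtree = copy.deepcopy(elem)
    subtree.tail = None
    c14n = ET.canonicalize(ET.tostring(subtree, encoding="unicode"), strip_text=False)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stripped = strip_inter_element_whitespace(SOAP_PRETTY)
    print("digest as signed:  ", reference_digest(SOAP_PRETTY, "#Body"))
    print("digest as received:", reference_digest(stripped, "#Body"))
    print("ID=\"Body\" resolves:", resolve_reference(SOAP_PRETTY.replace('Id="Body"', 'ID="Body"'), "#Body") is not None)
```

A signature is only as stable as the bytes the verifier recomputes: if the container rewrites the message or the reference cannot be resolved, a perfectly valid signature fails verification.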
When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a non-SOAP XML document with a null publicKeyFile argument and a valid X.509 file argument, the method throws a NullPointerException.
The CA SiteMinder® Web Services Security r12.1 SP3 release contains the following fixes.
Attempts by all SOA Agent types to connect to a Red Hat Policy Server to authenticate an encrypted request fail intermittently.
Generation of signed SAML Session Tickets using the public key obtained from a digital signature by the XML Digital Signature authentication scheme results in the generation of an unsigned rather than signed SAML Session Ticket.
That is, if a web service is protected by the XML Digital Signature authentication scheme and a SAML Session Ticket response is configured to extract the client's public key from the certificate and use it to sign the SAML assertion, the generated SAML Session Ticket is not signed as expected.
Workaround
Configure the policy to obtain the public key from a source other than the document with the digital certificate. For example, configure the response to obtain the public key from a client certificate sent over an SSL connection or from the user store.
SOA Security Manager does not accept a WS-Security SAML 1.1 holder-of-key assertion token more than once; SAML 1.1 holder-of-key tokens therefore cannot be used in use cases where replay is required.
Workaround
SAML 2.0 holder-of-key tokens work as expected and can be used to implement use cases in which replay is required.
If you choose to create the application object that defines your security policy from within the Secure Web Services from WSDL wizard, any Responses created from the Responses tab of the Create Application nested task are not displayed or available for assignment in the Define web service protection policy table.
Workaround
If you need to bind responses to web service ports and operations on the Define Policies page of the Secure Web Services from WSDL wizard, you must create the application and the required responses prior to running the wizard.
Because of a memory leak in com/ibm/ws/security/auth/AuthCache, the SOA Agent for IBM WebSphere fails under load.
An IBM support ticket (PMR 30393,756,000) is open for this issue.
When you install the CA SiteMinder® Web Services Security Administrative UI in console mode on a WebLogic Application Server, a non-fatal error “ERROR - Command failed: Installing Workflow Store Data” is written to the install log. You can ignore this error.
This CA SiteMinder® Web Services Security r12.1 release contains the following fixes.
Symptom:
Variables created in the CA SiteMinder® Web Services Security Administrative UI whose names contain expression keywords (or, and, and so on) as substrings are resolved incorrectly by the expression editor. For example, a variable named "RandomVariableName" is incorrectly converted to the name "R&omVariableName", causing the expression to be evaluated incorrectly.
Solution:
This is no longer an issue.
Symptom:
The SOA Agent configuration wizard is not making required configuration changes in the httpd.conf file or creating the required webagent.conf file, preventing the SOA Agent from starting.
Solution:
This is no longer an issue.
Symptom:
In the SOA installer property file created during install (SOA_HOME\install_config_info\ca-soasmr12-installer.properties), required double backslashes in pathnames in entries related to the SOA Admin UI are not present. For example, rather than the following expected entry:
DEFAULT_NETE_JAVA_HOME = E:\\ProgramFiles\\Java\\jdk1.5.0_01
The following incorrect entry is written in the file:
DEFAULT_NETE_JAVA_HOME has value E:ProgramFilesJavajdk1.5.0_01
Solution:
This is no longer an issue.
Symptom:
When uninstalling the SOA Agent for IBM WebSphere, the CA SiteMinder® Web Services Security uninstaller incorrectly deletes the WS_HOME/java/jre/lib/ext and WS_HOME/lib/ext directories, preventing the IBM WebSphere Application Server from running.
Solution:
This is no longer an issue.
Symptom:
The SOA Security Manager r12.1 uninstaller does not remove the soa_home\siteminder\ETPKI folder.
Solution:
This is no longer an issue.
Symptom:
The CA SiteMinder® Web Services Security does not uninstall files associated with the CA SiteMinder® Web Services Security SDK.
Solution:
This is no longer an issue.
Symptom:
The SOA Agent for Web Servers does not failover to a secondary Policy Server in a clustered environment when the primary Policy Server fails.
Solution:
This is no longer an issue.
Symptom:
The CA SiteMinder® Web Services Security r12.1 documentation install leaves all existing r12.0 documentation files in place when upgrading to r12.1.
Solution:
This is no longer an issue.
An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats. CA SiteMinder® Web Services Security is an internationalized product.
A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product user interface, online help and other documentation, and local language default settings for date, time, currency, and number formats. CA SiteMinder® Web Services Security is not a translated product.
Use the Platform Support Matrix to verify that the operating environment and other required third-party components are supported.
Follow these steps:
The CA SiteMinder® product page appears.
Note: You can download the latest JDK and JRE versions at the Oracle Developer Network.
Copyright © 2013 CA.
All rights reserved.