Policy Server Guides › Policy Server Configuration Guide › Administrative User Interface Management › Protecting the Administrative UI with SiteMinder

Protecting the Administrative UI with SiteMinder

Protecting the Administrative UI with CA SiteMinder® requires that you configure an agent to function with a reverse proxy server and configure an external administrator store. Rather than accessing the Administrative UI directly on the application server, you access the Administrative UI through the reverse proxy server.

Consider the following:

• If you have more than one Administrative UI to protect, we recommend protecting each instance with a separate agent functioning with a reverse proxy server.
• If the Administrative UI is installed to WebSphere, the application server host system requires at least 500 MB of free memory to enable CA SiteMinder® authentication.

How to Protect the Administrative UI with SiteMinder

You can protect the Administrative UI with CA SiteMinder®:

Follow these steps:

1. Configure an agent to operate with a reverse proxy server.

   Certain types of web servers, such as Apache, that support CA SiteMinder® Web agents can also function as reverse proxy servers. See the support matrix for the supported servers.

   Note: Update the configuration file of Apache web server to make the Apache web server function as a reverse proxy server. For more information about configuring a reverse proxy server and updating the configuration file, see the Web Agent Configuration Guide.

   Important! The URL used in the rules that are set for the proxy server must be the same URL used to register the Administrative UI initially.

   Example:

   If the Administrative UI was initially registered with the following URL, specify the same URL in the proxy server rules.

   http://host_name:8080/iam/siteminder/adminui

2. In your agent configuration object (ACO), set the value of the LogOffUri parameter as shown in the following example:

   /iam/siteminder/logout.jsp
   

   Note: For more information about setting the LogOffUri parameter, see the Web Agent Configuration Guide.

3. Configure an external administrator store.

   Note: The application server restarts automatically after you configure the external administrator store. The Administrative UI is protected with CA SiteMinder® only after the restart.

More information:

How to Configure an External Administrator Store

Change the Authentication Scheme

The default CA SiteMinder® authentication scheme used to protect the Administrative UI is basic user name and password. You can change the default authentication scheme to any CA SiteMinder® supported authentication scheme, except SAML and WS-Fed authentication.

Follow these steps:

1. Click Policies, Domain.
2. Click Realms.
3. Search for the following realm and click the name to open it:

   SiteMinder_ims_realm

   Note: This realm is associated with a domain named SiteMinderDomain.

4. Click Modify to enable the settings.
5. Select the authentication scheme you want from the Authentication Scheme list .
6. Enter additional settings, if required.
7. Click Submit.

   The Administrative UI is protected using the selected authentication scheme.

More information:

Authentication Schemes

Disable SiteMinder Authentication for the Administrative UI

If you do not want to protect the Administrative UI with CA SiteMinder®, you can disable CA SiteMinder® authentication. You can access the Administrative UI through the reverse proxy server only even after you remove CA SiteMinder® protection for the Administrative UI.

To access the Administrative UI directly on an application server, delete the data directory and reregister the Administrative UI with the Policy Server.

Follow these steps:

1. Log in to the Administrative UI.
2. Run the Administrative Authentication wizard to specify that you no longer want to protect the Administrative UI using CA SiteMinder® authentication.

   Note: Leave the existing directory server or database connection information to continue using the external administrator store.

3. Log in to the Administrative UI host system.
4. Delete the Administrative UI data directory. The type of application server to which you deployed the Administrative UI determines where the data directory is located:
   • If you installed the Administrative UI using the stand-alone option, the data directory is located at the following location:

     install_dir/adminui/server/default/data

   • If you installed the Administrative UI to an existing application server, the default location for the data directory is:
     • (JBoss): <JBOSS Install>/server/default/data
     • (WebSphere): <WebSphere>\AppServer\profiles\<your_profile>\data
     • (WebLogic): <welbogic install>\user_projects\domains\<user_domain>\data
5. Log in to the Policy Server host system and reset the Administrative UI registration window using the XPSRegClient utility.
6. Register the Administrative UI with the Policy Server.

   Note: For more information about resetting the registration window and register the Administrative UI, see the Policy Server Installation Guide.