Web Services Security Guides › CA SiteMinder® Web Services Security Agent Guide for Apache-based Web Servers › Install and Configure Apache-based Agents on Windows

Install and Configure Apache-based Agents on Windows

This section contains the following topics:

Agent Installation Compared to Agent Configuration

Set the JRE in the Path Variable

Apply the Unlimited Cryptography Patch to the JRE

Configure the JVM to Use the JSafeJCE Security Provider

How to Install and Configure a SiteMinder WSS Agent for Apache on a Windows System

Agent Installation Compared to Agent Configuration

The concepts of installation and configuration have specific meanings when used to describe CA SiteMinder® agents.

Installation means installing the CA SiteMinder® agent software on a computer system. For example, installing an agent creates directories and copies the CA SiteMinder® agent software and other settings to the computer.

Configuration occurs after installation and means the act of preparing the CA SiteMinder® agent software for a specific web server on a computer. This preparation includes registering the agent with CA SiteMinder® Policy Servers, and creating a runtime server instance for the web server that is installed on the computer.

Use the wizard-based installation and configuration programs to install and configure your agent on your first web server. The wizard-based programs create a .properties file.

Use the .properties file and the respective executable file to install or configure the agent silently on additional web servers.

Set the JRE in the Path Variable

Set the Java Runtime Environment (JRE) in the Windows path variable.

Follow these steps:

Open the Windows Control Panel.
Double-click System.
Add the location of the JRE to the Path system variable in the Environment Variables dialog.

Apply the Unlimited Cryptography Patch to the JRE

Patch the Java Runtime Environment (JRE) used by the Agent to support unlimited key strength in the Java Cryptography Extension (JCE) package. The patches for all supported platforms are available from the Oracle website.

The files that need to be patched are:

local_policy.jar
US_export_policy.jar

The local_policy.jar and US_export_policy.jar files can found be in the following locations:

Windows
jre_home\lib\security
UNIX
jre_home/lib/security

jre_home: Defines the location of your Java Runtime Environment installation.

Configure the JVM to Use the JSafeJCE Security Provider

The SiteMinder WSS Agent XML encryption function requires that the JVM is configured to use the JSafeJCE security provider.

Follow these steps:

Add a security provider entry for JSafeJCE (com.rsa.jsafe.provider.JsafeJCE) to the java.security file located in the following location:
- JVM_HOME\jre\lib\security (Windows)
- JVM_HOME/jre/lib/security (UNIX)
JVM_HOME

Is the installed location of the JVM used by the application server.

In the following example, the JSafeJCE security provider entry has been added as the second security provider:
```
security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
```
Note: If using the IBM JRE, always configure the JSafeJCE security provider immediately after (that is with a security provider number one higher than) the IBMJCE security provider (com.ibm.crypto.provider.IBMJCE)
Add the following line to JVM_HOME\jre\lib\security\java.security (Windows) or JVM_HOME/jre/lib/security/java.security (UNIX) to set the initial FIPS mode of the JsafeJCE security provider:
```
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
```
Note: The initial FIPS mode does not affect the final FIPS mode you select for the SiteMinder WSS Agent.

How to Install and Configure a SiteMinder WSS Agent for Apache on a Windows System

Installing CA SiteMinder® agents on the Windows operating environment requires several separate procedures. To install and configure an SiteMinder WSS Agent on Windows, use the following process:

Gather the Information for the Installation Program

Gather the following information about your web server before running the installation program for the CA SiteMinder® agent:

Installation Directory

Specifies the location of the CA SiteMinder® agent binary files on your web server. The web_agent_home variable is set to this location.

Limit: CA SiteMinder® requires the name "webagent" for the bottom directory in the path.

Gather Information Required for SiteMinder WSS Agent Configuration

The following information must be supplied during Trusted Host registration:

SM Admin User Name

The name of a Policy Server administrator allowed to register the host with the Policy Server.

This administrator should already be defined at the Policy Server and have the permission Register Trusted Hosts set. The default administrator is SiteMinder.

SM Admin Password

The Policy Server administrator account password.

Trusted Host Name

Specifies a unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name, for example, mytrustedhost.

Note: This name must be unique among trusted hosts and not match the name of any other Agent.

Host Configuration Object

The name of the Host Configuration Object in the Policy Server that defines the connection between the trusted host and the Policy Server. For example, to use the default, enter DefaultHostSettings. In most cases, you will have created your own Host Configuration Object.

Note: This value must match the Host Configuration Object entry preconfigured on the Policy Server.

Policy Server IP Address

The IP address, or host name, and authentication port of the Policy Server where you are registering the host. The default port is 44442. If you do not provide a port, the default is used.

You can specify a non-default port number, but if your Policy Server is configured to use a non-default port and you omit it when you register a trusted host, the following error is displayed:

Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)

Note also that if you specify a non-default port, that port is used for the Policy Server’s authentication, authorization, and accounting ports; however, the unified server responds to any Agent request on any port. The entry in the SmHost.conf file will look like:

policyserver="ip_address,5555,5555,5555"

FIPS Encryption Mode

Determines whether the Agent communicates with the Policy Server using certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries.

FIPS Compatibility Mode (Default)

Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing CA SiteMinder® encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.

FIPS Only Mode

Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.

Important! A CA SiteMinder® installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of CA SiteMinder®, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.

Run the Installer to Install a SiteMinder WSS Agent

Install the SiteMinder WSS Agent using the CA SiteMinder® Web Services Security installation media on the Technical Support site.

Follow these steps:

Exit all applications that are running.
Navigate to the installation material.
Double-click ca-sm-wss-12.52-cr-win32.exe.

cr

Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.

The CA SiteMinder® Web Services Security installation wizard starts.

Important! If you are running this wizard on Windows Server 2008, run the executable file with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the CA SiteMinder® Web Services Security Release Notes.
Use gathered system and component information to install the SiteMinder WSS Agent. Consider the following points when running the installer:
- When prompted to select which CA SiteMinder® Web Services Security Agents to install, select CA SiteMinder® Web Services Security Agent for Web Servers.
- When prompted to select the Java version, the installer lists all Java executables present on the system. Select a supported 32-bit Java Runtime Environment (refer to the Platform Support Matrix on the Technical Support site).
- If you enter path information in the wizard by cutting and pasting, enter (and delete, if necessary) at least one character to enable the Next button.
- If the installer detects the presence of an existing CA SiteMinder® Web Agent, it displays a warning dialog stating that the install will upgrade the Web Agent. Click Continue to upgrade the Web Agent to a SiteMinder WSS Agent. If you proceed, the software upgrade occurs in the installed location of the existing Web Agent.
Review the information that is presented on the Pre-Installation Summary page, then click Install.
Note: If the installation program detects that newer versions of certain system DLLs are installed on your system, it asks if you want to overwrite these newer files with older files. Select No To All if you see this message.

The SiteMinder WSS Agent files are copied to the specified location.
On the CA SiteMinder® Web Services Security Configuration screen, click one of the following options and click Next:
- Yes. I would like to configure CA SiteMinder® Web Services Security Agents now.
- No. I will configure CA SiteMinder® Web Services Security Agents later.
If the installation program detects that there are locked Agent files, it prompts you to restart your system instead of reconfiguring it. Select whether to restart the system automatically or later on your own.
Click Done.
If you selected the option to configure SiteMinder WSS Agents now, the installation program prepares the CA SiteMinder® Web Services Security Configuration Wizard and begins the trusted host registration and configuration process. Use the information that you gathered earlier to complete the wizard.

If you did not select the option to configure SiteMinder WSS Agents now, or if you are required to reboot the system after installation, run the configuration wizard manually later.

Installation Notes:

After installation, you can review the installation log file in WSS_HOME\install_config_info. The file name is: CA_SiteMinder_Web_Services_Security_Install_install-date-and-time.log

WSS_Home

Specifies the path to where CA SiteMinder® Web Services Security is installed.

Default: C:\Program Files\CA\Web Services Security

install-date-and-time

Specifies the date and time that the SiteMinder WSS Agent was installed.
The Agent cannot communicate properly with the Policy Server until the trusted host is registered.

More information:

Gather the Information for the Agent Installation Program for the Windows Operating Environment

Copy cryptojFIPS.jar to the WebSphere JRE

Gather the Information for the Agent Configuration Program for IIS Web Servers

Run the SiteMinder WSS Agent Configuration Program on Windows

After gathering the information for your agent configuration, run the agent configuration program. This program creates an agent runtime instance for the web servers running on your computer.

This configuration program is wizard or console based, depending on the option you select. Running the configuration program in the wizard or console mode once creates a properties file. Use the properties file to run unattended configurations on other computers with same operating environment in the future.

Follow these steps:

Open the following directory on your web server:
```
WSS_Home\install_config_info
```
WSS_Home

Specifies the path to where CA SiteMinder® Web Services Security is installed.

Default: C:\Program Files\CA\Web Services Security
Use one of the following configuration methods:
- For a GUI-based configuration, right-click ca-pep-config.exe, and then select Run as Administrator:
- For a console-based configuration, enter the following command from a Command Prompt window with Administrator privileges open to WSS_Home\install_config_info:
```
ca-pep-config.exe -i console
```
  Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Use the information you gathered earlier to complete the wizard.
The agent runtime instance is created for your web servers.

Run the Unattended or Silent Installation and Configuration Programs Subsequent SiteMinder WSS Agents on Windows

The unattended or silent installation option can help you automate the installation and configuration process. This method saves time if you have a large CA SiteMinder® Web Services Security environment that uses many agents with identical settings.

For example, suppose the Agents in your environment use the same web server version, installation directory, Agent Configuration Object and Policy Servers. Use the installation wizard or console-based installation program for your first installation. Afterwards, you could create your own script to run the installation program with the .properties file the wizard or console-based installation program created.

Follow these steps:

Run the following wizards on your first web server (in the order shown):
1. The CA SiteMinder® Web Services Security Installation wizard.
2. The CA SiteMinder® Web Services Security Configuration wizard.
Locate the following file on your first web server:
```
WSS_Home\install_config_info\ca-wss-installer.properties
```
Note: If the path contains spaces, surround it with quotes.

WSS_Home

Specifies the path to where CA SiteMinder® Web Services Security is installed.

Default: C:\Program Files\CA\Web Services Security
Perform each of the following steps on the other web servers in your environment:
Note: To automate this process, create your own customized script to execute these files on your systems. Use any scripting language that you want.
1. Create a temporary directory on the subsequent web server.
2. Copy the following files from your first web server (from Steps 1 and 2) to the temporary directory on your subsequent web server:
  - The SiteMinder WSS Agent Installation executable file.
  - The ca-pepconfig-installer.properties file.
3. Open a Command Prompt window with Administrative privileges in the temporary directory.
4. Run the following command:
```
ca-sm-wss-12.52-cr-win32.exe -f properties_file -i silent.
```
  cr
  
  Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
  
  Important! If you are running this wizard on Windows Server 2008, run the executable file with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the CA SiteMinder® Web Services Security Release Notes.
  
  The SiteMinder WSS Agent is installed and configured on the subsequent server automatically.
5. (Optional) Delete the temporary directory from your subsequent web server.
Repeat Step 3 for each additional web server in your CA SiteMinder® environment that uses the configuration that the settings in your ca-wss-installer.properties file specify.