This section contains the following topics:
Agent Installation Compared to Agent Configuration
Set the JRE in the Path Variable
Apply the Unlimited Cryptography Patch to the JRE
Configure the JVM to Use the JSafeJCE Security Provider
How to Install and Configure a SiteMinder WSS Agent for Apache on a Windows System
The concepts of installation and configuration have specific meanings when used to describe CA SiteMinder® agents.
Installation means installing the CA SiteMinder® agent software on a computer system. For example, installing an agent creates directories and copies the CA SiteMinder® agent software and other settings to the computer.
Configuration occurs after installation and means the act of preparing the CA SiteMinder® agent software for a specific web server on a computer. This preparation includes registering the agent with CA SiteMinder® Policy Servers, and creating a runtime server instance for the web server that is installed on the computer.
Use the wizard-based installation and configuration programs to install and configure your agent on your first web server. The wizard-based programs create a .properties file.
Use the .properties file and the respective executable file to install or configure the agent silently on additional web servers.
Set the Java Runtime Environment (JRE) in the Windows path variable.
Follow these steps:
Patch the Java Runtime Environment (JRE) used by the Agent to support unlimited key strength in the Java Cryptography Extension (JCE) package. The patches for all supported platforms are available from the Oracle website.
The files that need to be patched are:
The local_policy.jar and US_export_policy.jar files can found be in the following locations:
jre_home\lib\security
jre_home/lib/security
Defines the location of your Java Runtime Environment installation.
The SiteMinder WSS Agent XML encryption function requires that the JVM is configured to use the JSafeJCE security provider.
Follow these steps:
Is the installed location of the JVM used by the application server.
In the following example, the JSafeJCE security provider entry has been added as the second security provider:
security.provider.1=sun.security.provider.Sun security.provider.2=com.rsa.jsafe.provider.JsafeJCE security.provider.3=sun.security.rsa.SunRsaSign security.provider.4=com.sun.net.ssl.internal.ssl.Provider security.provider.5=com.sun.crypto.provider.SunJCE security.provider.6=sun.security.jgss.SunProvider security.provider.7=com.sun.security.sasl.Provider
Note: If using the IBM JRE, always configure the JSafeJCE security provider immediately after (that is with a security provider number one higher than) the IBMJCE security provider (com.ibm.crypto.provider.IBMJCE)
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
Note: The initial FIPS mode does not affect the final FIPS mode you select for the SiteMinder WSS Agent.
Installing CA SiteMinder® agents on the Windows operating environment requires several separate procedures. To install and configure an SiteMinder WSS Agent on Windows, use the following process:
Gather the following information about your web server before running the installation program for the CA SiteMinder® agent:
Specifies the location of the CA SiteMinder® agent binary files on your web server. The web_agent_home variable is set to this location.
Limit: CA SiteMinder® requires the name "webagent" for the bottom directory in the path.
The following information must be supplied during Trusted Host registration:
The name of a Policy Server administrator allowed to register the host with the Policy Server.
This administrator should already be defined at the Policy Server and have the permission Register Trusted Hosts set. The default administrator is SiteMinder.
The Policy Server administrator account password.
Specifies a unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name, for example, mytrustedhost.
Note: This name must be unique among trusted hosts and not match the name of any other Agent.
The name of the Host Configuration Object in the Policy Server that defines the connection between the trusted host and the Policy Server. For example, to use the default, enter DefaultHostSettings. In most cases, you will have created your own Host Configuration Object.
Note: This value must match the Host Configuration Object entry preconfigured on the Policy Server.
The IP address, or host name, and authentication port of the Policy Server where you are registering the host. The default port is 44442. If you do not provide a port, the default is used.
You can specify a non-default port number, but if your Policy Server is configured to use a non-default port and you omit it when you register a trusted host, the following error is displayed:
Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)
Note also that if you specify a non-default port, that port is used for the Policy Server’s authentication, authorization, and accounting ports; however, the unified server responds to any Agent request on any port. The entry in the SmHost.conf file will look like:
policyserver="ip_address,5555,5555,5555"
Determines whether the Agent communicates with the Policy Server using certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries.
Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing CA SiteMinder® encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.
Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.
Important! A CA SiteMinder® installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of CA SiteMinder®, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.
Install the SiteMinder WSS Agent using the CA SiteMinder® Web Services Security installation media on the Technical Support site.
Follow these steps:
Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
The CA SiteMinder® Web Services Security installation wizard starts.
Important! If you are running this wizard on Windows Server 2008, run the executable file with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the CA SiteMinder® Web Services Security Release Notes.
Note: If the installation program detects that newer versions of certain system DLLs are installed on your system, it asks if you want to overwrite these newer files with older files. Select No To All if you see this message.
The SiteMinder WSS Agent files are copied to the specified location.
If the installation program detects that there are locked Agent files, it prompts you to restart your system instead of reconfiguring it. Select whether to restart the system automatically or later on your own.
If you selected the option to configure SiteMinder WSS Agents now, the installation program prepares the CA SiteMinder® Web Services Security Configuration Wizard and begins the trusted host registration and configuration process. Use the information that you gathered earlier to complete the wizard.
If you did not select the option to configure SiteMinder WSS Agents now, or if you are required to reboot the system after installation, run the configuration wizard manually later.
Installation Notes:
Specifies the path to where CA SiteMinder® Web Services Security is installed.
Default: C:\Program Files\CA\Web Services Security
Specifies the date and time that the SiteMinder WSS Agent was installed.
After gathering the information for your agent configuration, run the agent configuration program. This program creates an agent runtime instance for the web servers running on your computer.
This configuration program is wizard or console based, depending on the option you select. Running the configuration program in the wizard or console mode once creates a properties file. Use the properties file to run unattended configurations on other computers with same operating environment in the future.
Follow these steps:
WSS_Home\install_config_info
Specifies the path to where CA SiteMinder® Web Services Security is installed.
Default: C:\Program Files\CA\Web Services Security
ca-pep-config.exe -i console
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
The agent runtime instance is created for your web servers.
The unattended or silent installation option can help you automate the installation and configuration process. This method saves time if you have a large CA SiteMinder® Web Services Security environment that uses many agents with identical settings.
For example, suppose the Agents in your environment use the same web server version, installation directory, Agent Configuration Object and Policy Servers. Use the installation wizard or console-based installation program for your first installation. Afterwards, you could create your own script to run the installation program with the .properties file the wizard or console-based installation program created.
Follow these steps:
WSS_Home\install_config_info\ca-wss-installer.properties
Note: If the path contains spaces, surround it with quotes.
Specifies the path to where CA SiteMinder® Web Services Security is installed.
Default: C:\Program Files\CA\Web Services Security
Note: To automate this process, create your own customized script to execute these files on your systems. Use any scripting language that you want.
ca-sm-wss-12.52-cr-win32.exe -f properties_file -i silent.
Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the CA SiteMinder® Web Services Security Release Notes.
The SiteMinder WSS Agent is installed and configured on the subsequent server automatically.
Copyright © 2013 CA.
All rights reserved.
|
|