

Administrative User Interface Management

Administrative UI Overview

The Policy Server is managed through a graphical user interface. The interface is generated dynamically based on the administrative privileges of the user. This chapter discusses how to log in to the Administrative UI and the common procedures that you use while configuring and managing Policy Server objects.

The Administrative UI contains two panes:

The menu of tasks on the left can be open or closed. If the menu is closed, you can open it by clicking the right-facing arrow. Likewise, if the menu is open, you can close it by clicking the left-facing arrow.

Important! When working on the task pane on the right, always save your changes before opening or closing the menu pane on the left or navigating to another task.

Do not use the Refresh or Back buttons of the browser while using the Administrative UI. Using these buttons resubmits the form, repeats the action that was initiated by clicking a button in the form, and creates an invalid state.

Start the Administrative UI

Follow these steps:

  1. Open a web browser:
  2. Enter the credentials of a CA SiteMinder® administrator.
  3. Click Login.

    The system displays the relevant tabs for your administrator privileges. The contents of this window differ based on the privileges of the administrator account you use to log in to the Administrative UI.

Manage Policy Server Objects

The Administrative UI lets you view, modify, and delete Policy Server objects. Although the details of each task differ by object, the general methods are similar. For example, the procedure for deleting an agent is similar to the procedure for deleting a response.

The following sections describe the general tasks for viewing, modifying, and deleting Policy Server objects. Other chapters in this guide describe how to create the Policy Server objects necessary to manage and secure resources.

Duplicate Policy Server Objects

The easiest way to create a Policy Server object is to copy an existing object and modify its properties. You can use the properties of the existing object as a template, only changing the information that is different for the new object. The copy option is not available for all objects.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Navigate to the subcomponent type that contains the object you want to duplicate.

    Example: Click Infrastructure, Agent.

  2. Select the type of object you want to duplicate.

    Example: Agent

  3. Click the Create button.

    The Create siteminder_object screen opens.

  4. Select Create a copy of an object, specify search criteria, and click Search.

    A list of objects that match the search criteria opens.

  5. Select an object from the list and click OK.

    The Create siteminder_object: Copy of object_name screen appears.

    object_name

    Specifies the name of the object on which the new object is based.

  6. Type a new name and description in the fields on the General group box.
  7. Modify the properties that are different for the new object and click Submit.

    The Policy Server object is created.

View Policy Server Object Properties

You can view the properties of a Policy Server object.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Select the subcomponent of the object you want to view.

    Example: Select Policies, Domain.

  2. Click on the type of object.

    Example: Domain

    The siteminder_object screen appears.

  3. Specify search criteria and click Search.

    A list of objects that match the search criteria appears. The name of the object is a link.

  4. Click the name of the object that you want to view.

    The View screen appears with information about the object you selected.

Modify an Existing Policy Server Object

The Administrative UI lets you modify the properties of existing Policy Server objects.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Navigate to the subcomponent of the object you want to modify.

    Example: Click Policies, Domain.

  2. Click the type of object you want to modify.

    Example: Realms

    The siteminder_object screen appears.

  3. Specify search criteria and click Search.

    A list of objects that match the search criteria appears. The name of the object is a link.

  4. Click the name of the object that you want to modify.

    The View screen appears. All fields and controls are inactive.

  5. Scroll to the bottom of the page and click Modify.

    All fields and controls are active.

  6. Make the required changes and click Submit.

    The Policy Server object is modified.

Delete a Policy Server Object

You can delete a Policy Server object that is no longer needed.

Note: Your administrative privileges determine the objects you can access.

Follow these steps:

  1. Select the subcomponent of the object you want to delete.

    Example: Click Infrastructure, Authentication.

  2. Click the type of object.

    Example: Authentication Schemes

  3. Specify search criteria and click Search.

    A list of objects that match the search criteria appears.

  4. Select the object that you want to delete.
  5. Click Delete.

    A confirmation screen appears.

  6. Click Yes.

    The Policy Server object is deleted.

Manage Task-persistence Database

Every Administrative UI task stays in the task-persistence database indefinitely or until removed by a CA SiteMinder® administrator. You can remove tasks from the database and free up disk space by scheduling cleanup tasks. Cleanup tasks allow you to manage the size of the task-persistence database and improve runtime performance.

Every task exists in the task-persistence database in one of the following states:

Cleanup tasks can remove tasks in the audit state and completed state from the task-persistence database. Cleanup tasks cannot remove submitted tasks that are still pending.

You can schedule, modify, and delete cleanup tasks through the following two options:

Clean Up Submitted Tasks

Use this option to schedule new cleanup tasks or modify existing ones.

Delete Recurring Tasks

Use this option to delete scheduled cleanup tasks.

Cleanup Submitted Tasks

You can manage the size of the task-persistence database and can improve runtime performance by scheduling cleanup tasks. You can configure cleanup tasks to remove tasks in the completed state and the audit state from the database. You can also configure limits for the cleanup task itself.

Note: The Cleanup Submitted Tasks option appears in the Administrative UI (Administration, Admin UI), and you can run scheduled jobs for cleaning up submitted tasks, only when you log in as the CA SiteMinder® System Manager. The CA SiteMinder® System Manager account is defined using the Configure Administrative Authentication option. This account, which is used during the initial registration of the Administrative UI, can be from an external administrator store. The Cleanup Submitted Tasks option does not appear in the Administrative UI for other administrators, even those with superuser permissions, so they cannot schedule cleanup tasks.

To clean up submitted tasks

  1. Click Administration, Admin UI, Clean Up Submitted Tasks.

    The Recurrence pane opens.

  2. Select one of the following option buttons:
  3. Specify the name of the cleanup task in the Job Name field, the type of schedule, and the scheduling details on the scheduling sections, and click Next.

    The Clean Up Submitted Tasks pane opens.

  4. Complete the following fields on the Clean Up Submitted Tasks pane:
    Minimum Age

    Specifies the minimum age in Months, Weeks, Days, Hours, or Minutes of the completed tasks to remove from the task-persistence database.

    Note: Task age is measured from the time that tasks are completed.

    Audit Timeout

    (Optional) Specifies the maximum number of days to keep tasks in the audit state in the task-persistence database.

    Limits: one or greater

    Default: one

    Time Limit

    (Optional) Specifies a time limit in minutes for the cleanup task.

    Task Limit

    (Optional) Specifies a task limit for the cleanup task.

  5. Click Finish.

    The Cleanup task is submitted for processing.

Delete Recurring Tasks

You can delete scheduled cleanup tasks that are no longer needed.

To delete recurring tasks

  1. Click Administration, Admin UI, Delete Recurring Tasks.

    The Delete Recurring Tasks pane opens.

  2. Select one or more scheduled cleanup tasks to delete, and click Submit.

    The Delete task is submitted for processing.

How the Web Agent and Policy Server Calculate Time

For each system that has a Policy Server or Web Agent installed, you must set the system clock for the time zone appropriate to that system’s geographical location. Policy Servers and Web Agents use the time zones to calculate time relative to Greenwich Mean Time (GMT).

The following figure shows how the Policy Server executes a policy relative to time. A resource is stored on a Web Server in Massachusetts and is protected by a Policy Server in California. The policy allows access to the resource between 9:00 a.m. and 5:00 p.m. However, the user in Massachusetts can still access the resource at 6:00 p.m. because the policy is based on the Policy Server’s time zone, Pacific Standard Time (PST), which is 3 hours behind the Web Agent’s time zone, Eastern Standard Time (EST).

Graphic showing how the Policy Server executes a policy relative to time

Note: For Windows systems, the time zone and the time of day that you set in the Date/Time control panel must agree. For example, to reset a system in the USA from Eastern Standard Time to Pacific Time, you must set the system’s clock back three hours and change the time zone to Pacific Standard Time. If these two settings do not match, single sign-on across multiple domains and agent key management will not work properly.
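
The scenario above, worked through as an added example (not CA SiteMinder code): it evaluates the 9:00 a.m. to 5:00 p.m. window in the Policy Server's zone and in the user's zone, then shows the error a host introduces when its time zone is changed without resetting the clock. The function names, the sample date, and the fixed standard-time offsets (no daylight saving) are assumptions of this sketch.

```python
from datetime import datetime, time, timedelta, timezone

# Fixed standard-time offsets from the page's scenario (assumption: no DST).
PST = timezone(timedelta(hours=-8), "PST")  # Policy Server in California
EST = timezone(timedelta(hours=-5), "EST")  # Web Agent and user in Massachusetts

# Policy window from the page: 9:00 a.m. to 5:00 p.m.
# Treating the end as exclusive is an assumption of this sketch.
WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)

# Constructed sample request: 6:00 p.m. EST on an arbitrary date.
REQUEST = datetime(2024, 1, 15, 18, 0, tzinfo=EST)


def policy_allows(instant, evaluator_tz):
    """Check the window against the wall clock of the system that evaluates it."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(evaluator_tz).time()
    return WINDOW_START <= local < WINDOW_END


def derived_utc(wall_clock, configured_tz):
    """UTC instant a host derives from its displayed time plus configured zone."""
    return wall_clock.replace(tzinfo=configured_tz).astimezone(timezone.utc)


def clock_skew(wall_clock, configured_tz, true_instant):
    """Error in a host's idea of UTC; zero when clock and zone agree."""
    return derived_utc(wall_clock, configured_tz) - true_instant.astimezone(timezone.utc)


if __name__ == "__main__":
    print("Policy Server (PST) allows:", policy_allows(REQUEST, PST))
    print("User's local view (EST) allows:", policy_allows(REQUEST, EST))
    # Host moved from Eastern to Pacific: zone changed, clock not set back.
    stale = datetime(2024, 1, 15, 18, 0)
    fixed = datetime(2024, 1, 15, 15, 0)
    print("Zone changed only, skew:", clock_skew(stale, PST, REQUEST))
    print("Zone and clock changed, skew:", clock_skew(fixed, PST, REQUEST))
```

When auditing time-based policies, compare each host's derived UTC against a trusted reference rather than its displayed local time, since a correct-looking wall clock can hide a wrong zone setting.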