The next step in establishing the mutual trust relationship is registering the claims search service endpoint on all WFE servers in your SharePoint farm.
Registering a new end point for the claims search service associates the secure connection with the client authentication certificate. A PowerShell script that is installed with the claims provider automates the registration process. Register the new end point for all of the web front end (WFE) servers in your SharePoint environment.
Follow these steps:
SharePointClaimsProvider_directory\scripts\Remove-SMClaimSearchService.ps1 -WebApplication url_of_SharePoint_web_application
The following example describes removing the registration of a previous claims search service endpoint for the following web applications:
.\Add-SMClaimSearchService.ps1 -WebApplication http://SharePoint_webapplication.support.example.com:8189/ -ClaimSearchService https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl -EnableSSLClientAuthentication -ClientCertificateName SiteminderClaimsProvider
.\Add-SMClaimSearchService.ps1 -WebApplication http://SharePoint_webapplication.support.example.com:8286/ -ClaimSearchService https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl -EnableSSLClientAuthentication -ClientCertificateName SiteminderClaimsProvider
-WebApplication
Specifies the URL associated with a SharePoint web application.
Example: http://SharePoint_webapplication.support.example.com:/ (runs on the default port).
Example: http://SharePoint_webapplication.support.example.com:81/ (runs on port 81).
Example: http://SharePoint_webapplication.support.example.com:82/ (runs on port 82).
-ClaimSearchService
Specifies the URL of the claims search service.
Limits: If the claim search service uses SSL, specify the https: protocol.
Example: https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl
-ClientCertificateName
Specifies the value in the Issued To: field of your client authentication certificate. This client certificate protects the Claims WS (web service).
Example: SiteminderClaimsProvider
SharePointClaimsProvider_directory\scripts
.\Add-SMClaimSearchService.ps1 -WebApplication url_of_web_application -ClaimSearchService https://claims_search_service_url -EnableSSLClientAuthentication -ClientCertificateName name_in_Issued-To:_field_of_Certificate
The first end point is registered.
.\Add-SMClaimSearchService.ps1 -WebApplication http://SharePoint_webapplication.support.example.com:81/ -ClaimSearchService https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl -EnableSSLClientAuthentication -ClientCertificateName SiteminderClaimsProvider
.\Add-SMClaimSearchService.ps1 -WebApplication http://SharePoint_webapplication.support.example.com:82/ -ClaimSearchService https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl -EnableSSLClientAuthentication -ClientCertificateName SiteminderClaimsProvider
The claims search service endpoint is registered. Continue with the next step of creating a trusted store for the root certificate authority certificate.
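The following PowerShell script is an added example and is not part of the CA documentation or the claims provider's own scripts. It registers the endpoint for several web applications on one WFE by calling the documented Add-SMClaimSearchService.ps1, after checking the two conditions the parameter reference implies: the claims search service URL uses https when client authentication is enabled, and a certificate whose Issued To (subject CN) matches -ClientCertificateName is present with its private key. It assumes the certificate was imported into the Cert:\LocalMachine\My store (the page does not say which store) and that the script is run from SharePointClaimsProvider_directory\scripts; the web application URLs are constructed placeholders.

```powershell
# Added example, not CA's script. Registers the claims search service endpoint
# for each web application on this WFE after validating the inputs.
# Assumption: the client authentication certificate lives in Cert:\LocalMachine\My.

$ClaimSearchService    = 'https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl'
$ClientCertificateName = 'SiteminderClaimsProvider'
$WebApplications = @(                        # constructed placeholder URLs
    'http://SharePoint_webapplication.support.example.com:81/',
    'http://SharePoint_webapplication.support.example.com:82/'
)

# Limit from the parameter reference: the service URL must be https when
# -EnableSSLClientAuthentication is used.
$serviceUri = [System.Uri]$ClaimSearchService
if ($serviceUri.Scheme -ne 'https') {
    throw "ClaimSearchService must use https when SSL client authentication is enabled: $ClaimSearchService"
}

# The script binds the connection to the certificate by its Issued To name, so
# confirm exactly such a certificate exists and that it carries a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ClientCertificateName))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate issued to '$ClientCertificateName' found in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; client authentication would fail"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# Register one endpoint per web application using the documented parameters.
foreach ($webApp in $WebApplications) {
    Write-Host "Registering claims search service endpoint for $webApp"
    .\Add-SMClaimSearchService.ps1 -WebApplication $webApp `
        -ClaimSearchService $ClaimSearchService `
        -EnableSSLClientAuthentication `
        -ClientCertificateName $ClientCertificateName
    # $? is $false if the script reported an error for this web application.
    if (-not $?) { throw "Registration failed for $webApp" }
}
```

Run the script once on every WFE server in the farm; the certificate check is per machine, which is why it is repeated rather than done once centrally.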
The next step in creating a mutual trust relationship is to install the client authentication certificate on the server that runs your Agent for SharePoint.
The Agent for SharePoint needs the same client authentication certificate that you installed on your SharePoint central administration server and your web front-end (WFE) servers.
Follow these steps:
The Run dialog appears.
The certificates folder appears.
The certificate export wizard opens.
The client authentication certificate is exported. Note the location of the exported certificate.
Agent_for_SharePoint_Home/SSL/keys
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
keytool -importcert -alias ClientAuthCert -file .\ClientAuthCert.cer -trustcerts -keystore .\TrustStore.jceks -storepass keystore_password -storetype JCEKS
A confirmation prompt appears.
The client authentication certificate is installed on the server that runs your Agent for SharePoint. Continue with the next step of updating the SSL Configuration file.
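The following check is an added example, not part of the CA documentation. After the keytool import it confirms that the entry stored under the ClientAuthCert alias is the certificate that was actually exported, by comparing the SHA-1 fingerprint keytool prints with the thumbprint of the .cer file, and warns if the entry is not a trusted-certificate entry. It assumes the alias, file name and JCEKS store type from the documented keytool command, that it is run in Agent_for_SharePoint_Home\SSL\keys, and that keytool is on the PATH; the trust store password is read interactively instead of being embedded in the script.

```powershell
# Added example, not CA's tooling. Verifies the keytool import by fingerprint.
# Assumptions: alias, file and store type as in the documented keytool command.

$Alias      = 'ClientAuthCert'
$CertFile   = '.\ClientAuthCert.cer'
$TrustStore = '.\TrustStore.jceks'

# Ask for the keystore password rather than hard-coding it.
$storePass = Read-Host -Prompt 'Trust store password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($storePass))

# Thumbprint of the exported certificate; the constructor accepts DER or Base64 .cer.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertFile).Path
$expected = $exported.Thumbprint -replace '(..)(?!$)', '$1:'   # AA:BB:CC:... form

# Verbose listing prints a "SHA1: ..." fingerprint line for the entry.
$listing = & keytool -list -v -keystore $TrustStore -storetype JCEKS -storepass $plain -alias $Alias 2>&1
if ($LASTEXITCODE -ne 0) { throw "keytool could not read alias '$Alias': $listing" }

$match = $listing | Select-String -Pattern 'SHA1:\s*([0-9A-F:]+)' | Select-Object -First 1
if (-not $match) { throw "No SHA1 fingerprint found in keytool output for alias '$Alias'" }
$actual = $match.Matches[0].Groups[1].Value

if ($actual -ne $expected) {
    throw "Trust store entry '$Alias' fingerprint $actual does not match $CertFile ($expected)"
}
if (($listing -join "`n") -notmatch 'trustedCertEntry') {
    Write-Warning "Entry '$Alias' is not a trustedCertEntry; the trust store should hold only the certificate"
}
Write-Host "Trust store entry '$Alias' matches $CertFile (SHA1 $expected)"
```

A fingerprint mismatch usually means an older certificate with the same alias was left in the store or the wrong .cer was copied from the SharePoint server; repeat the export and import before updating SSLConfig.properties.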
The next step of the process of creating a mutual trust relationship is updating the SSLConfig.properties file.
The server that runs your Agent for SharePoint requires a password-protected location (trust store) for the client authentication certificate. Specify a password for the trust store when creating it.
Follow these steps:
GenerateSSLConfig -keystorepass keystore_password -truststore Agent_for_SharePoint_Home\SSL\keys\TrustStore.jceks -truststorepass truststore_password
A confirmation prompt for your trust store password appears.
A confirmation prompt for client authentication appears.
The SSLConfig.properties file is updated. Continue with the next step of restarting your Agent for SharePoint.
Starting or stopping the Agent for SharePoint involves the following separate procedures:
Copyright © 2013 CA.
All rights reserved.