Register the Claims Search Service Endpoint on all WFE Servers

The next step in establishing the mutual trust relationship is registering the claims search service endpoint on all WFE servers in your SharePoint farm.

Registering a new end point for the claims search service associates the secure connection with the client authentication certificate. A PowerShell script that is installed with the claims provider automates the registration process. Register the new end point for all of the web front end (WFE) servers in your SharePoint environment.

Follow these steps:

  1. Remove any previously registered CA SiteMinder claims services from the WFE server by running the following script:
    SharePointClaimsProvider_directory\scripts\Remove-SMClaimSearchService.ps1 -WebApplication url_of_SharePoint_web_application
    

    The following example describes removing the registration of a previous claims search service endpoint for the following web applications:

  2. Repeat Step 1 for each SharePoint web application on the WFE server.
  3. Gather the following information:
    -WebApplication url_of_SharePoint_web_application

    Specifies the URL associated with a SharePoint web application.
    Example: http://SharePoint_webapplication.support.example.com:/ (runs on the default port).

    Example: http://SharePoint_webapplication.support.example.com:81/ (runs on port 81).

    Example: http://SharePoint_webapplication.support.example.com:82/ (runs on port 82).

    -ClaimSearchService claims_search_service_URL

    Specifies the URL of the claims search service.

    Limits: If the claim search service uses SSL, specify the https: protocol.

    Example: https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl

    -ClientCertificateName

    Specifies the value in the Issued To: field of your client authentication certificate. This client certificate protects the Claims WS (web service).

    Example: SiteminderClaimsProvider

  4. Open the SharePoint 2010 Management Shell.
  5. Navigate to the following directory:
    SharePointClaimsProvider_directory\scripts
    
  6. Enter the following command for your first web application:
    .\Add-SMClaimSearchService.ps1 -WebApplication url_of_web_application -ClaimSearchService https://claims_search_service_url -EnableSSLClientAuthentication -ClientCertificateName name_in_Issued-To:_field_of_Certificate
    

    The first end point is registered.

  7. Repeat Step 4 for each SharePoint web application on the WFE server. The following example describes registering a claims search service endpoint for the following web applications:
  8. Restart your WFE server.
  9. Repeat Steps 1 through 8 on all of the web front end (WFE) servers in your SharePoint environment.

    The claims search service endpoint is registered. Continue with the next step of creating a trusted store for the root certificate authority certificate.
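The following PowerShell script is an added example, not one of the claims provider's own scripts. It checks the values gathered in Step 3 on a WFE server before Add-SMClaimSearchService.ps1 is run: every -WebApplication value is an absolute http(s) URL, the -ClaimSearchService URL uses https, and a certificate whose Issued To name matches -ClientCertificateName exists in the Local Computer Personal store, is unexpired, has a private key and carries the Client Authentication usage. The sample URLs and certificate name are assumed values.

```powershell
# Added example; not part of the CA SiteMinder claims provider. Sample inputs are assumed values.
$WebApplications = @(
    'http://SharePoint_webapplication.support.example.com/',
    'http://SharePoint_webapplication.support.example.com:81/'
)
$ClaimSearchService    = 'https://claim_search_service.support.example.com:8002/ClaimsWS/services/WSSharePointClaimsServiceImpl'
$ClientCertificateName = 'SiteminderClaimsProvider'
$problems = @()

# Each -WebApplication value must be an absolute http or https URL.
foreach ($url in $WebApplications) {
    $uri = $null
    if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri) -or
        (@('http', 'https') -notcontains $uri.Scheme)) {
        $problems += "Web application URL is not an absolute http(s) URL: $url"
    }
}

# The claims search service is protected by SSL client authentication, so it must be https.
$svc = $null
if (-not [Uri]::TryCreate($ClaimSearchService, [UriKind]::Absolute, [ref]$svc) -or $svc.Scheme -ne 'https') {
    $problems += "-ClaimSearchService must use the https: protocol: $ClaimSearchService"
}

# The client certificate is found by its Issued To (subject CN) in Cert:\LocalMachine\My.
$pattern = "CN=$([regex]::Escape($ClientCertificateName))(,|$)"
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }
if (-not $certs) {
    $problems += "No certificate issued to '$ClientCertificateName' in Cert:\LocalMachine\My"
} else {
    foreach ($c in $certs) {
        if ($c.NotAfter -lt (Get-Date)) {
            $problems += "Certificate $($c.Thumbprint) expired on $($c.NotAfter)"
        }
        if (-not $c.HasPrivateKey) {
            $problems += "Certificate $($c.Thumbprint) has no private key; client authentication cannot use it"
        }
        # Extended Key Usage (OID 2.5.29.37) must include Client Authentication (1.3.6.1.5.5.7.3.2) when present.
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($usages -notcontains '1.3.6.1.5.5.7.3.2') {
                $problems += "Certificate $($c.Thumbprint) lacks the Client Authentication usage"
            }
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Inputs look valid; run .\Add-SMClaimSearchService.ps1 for each web application."
```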

Install the Client Authentication Certificate on Your Agent for SharePoint

The next step in creating a mutual trust relationship is to install the client authentication certificate on the server that runs your Agent for SharePoint.

The Agent for SharePoint needs the same client authentication certificate that you installed on your SharePoint central administration server and your web front-end (WFE) servers.

Follow these steps:

  1. Export the client authentication certificate from one of your WFE servers with the following steps:
    1. Log in to a WFE server that contains the client authentication certificate.
    2. Click Start, Run.

      The Run dialog appears.

    3. In the Open field, type mmc and then click OK.
    4. Expand Certificates — Local Computer.
    5. Expand Personal.

      The certificates folder appears.

    6. Right-click your client authentication certificate, and then select All Tasks, Export.

      The certificate export wizard opens.

    7. Export the certificate using the Base-64 encoded X.509 (.cer) option.

      The client authentication certificate is exported. Note the location of the exported certificate.

  2. Copy the exported client authentication certificate from your WFE server to the following directory on the server that runs your Agent for SharePoint:
    Agent_for_SharePoint_Home/SSL/keys
    
    Agent_for_SharePoint_Home

    Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

    Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint

    Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

  3. Run the following command:
    keytool -importcert -alias ClientAuthCert -file .\ClientAuthCert.cer -trustcacerts -keystore .\TrustStore.jceks -storepass keystore_password -storetype JCEKS
    

    A confirmation prompt appears.

  4. Enter yes.

    The client authentication certificate is installed on the server that runs your Agent for SharePoint. Continue with the next step of updating the SSL Configuration file.
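The following PowerShell script is an added example, not part of the Agent for SharePoint installation. It confirms two things the steps above rely on: that the exported .cer file really is Base-64 encoded (the export wizard also offers binary DER, which keytool reads differently), and that the alias keytool imported into the JCEKS trust store carries the same SHA-1 fingerprint as the file on disk. The file paths and alias are assumed values.

```powershell
# Added example; not part of the Agent for SharePoint. Paths and alias are assumed values.
$CerPath    = 'C:\CA\Agent-for-SharePoint\SSL\keys\ClientAuthCert.cer'
$TrustStore = 'C:\CA\Agent-for-SharePoint\SSL\keys\TrustStore.jceks'
$Alias      = 'ClientAuthCert'
$StorePass  = Read-Host -Prompt 'Trust store password'

# 1. The export wizard must have used the Base-64 encoded X.509 (.cer) option (PEM header on line 1).
$firstLine = Get-Content -Path $CerPath -TotalCount 1
if ($firstLine -ne '-----BEGIN CERTIFICATE-----') {
    throw "$CerPath is not Base-64 encoded; re-export it with the Base-64 encoded X.509 (.cer) option"
}

# 2. SHA-1 fingerprint of the file on disk, written the way keytool prints it (AA:BB:CC...).
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$fileSha1 = $cert.Thumbprint -replace '(..)(?!$)', '$1:'

# 3. Ask keytool for the entry stored under the alias and pull its SHA1 fingerprint line.
$out = & keytool -list -v -keystore $TrustStore -storetype JCEKS -storepass $StorePass -alias $Alias 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "keytool could not read alias '$Alias' from ${TrustStore}: $out"
}
$match = $out | Select-String -Pattern 'SHA1:\s*([0-9A-F:]+)'
if (-not $match) { throw "No SHA1 fingerprint found in keytool output for alias '$Alias'" }
$storeSha1 = $match.Matches[0].Groups[1].Value

# 4. The trust store entry must be the certificate that was exported from the WFE server.
if ($storeSha1 -ne $fileSha1) {
    throw "Alias '$Alias' (SHA1 $storeSha1) does not match $CerPath (SHA1 $fileSha1); re-run the import"
}
Write-Host "Alias '$Alias' matches $CerPath (SHA1 $fileSha1); certificate valid until $($cert.NotAfter)"
```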

Update the SSLConfig.properties File

The next step of the process of creating a mutual trust relationship is updating the SSLConfig.properties file.

The server that runs your Agent for SharePoint requires a password-protected location (trust store) for the client authentication certificate. Specify a password for the trust store when creating it.

Follow these steps:

  1. Run the following command on the server that runs your Agent for SharePoint:
    GenerateSSLConfig -keystorepass keystore_password -truststore Agent_for_SharePoint_Home\SSL\keys\TrustStore.jceks -truststorepass truststore_password
    

    A confirmation prompt for your trust store password appears.

  2. Re-enter your trust store password.

    A confirmation prompt for client authentication appears.

  3. Enter yes.

    The SSLConfig.properties file is updated. Continue with the next step of restarting your Agent for SharePoint.

Restart the Agent for SharePoint

Starting or stopping the Agent for SharePoint involves the following separate procedures:

  1. Changing the value of EnableWebAgent in the WebAgent.conf file.
  2. Changing the state of the related services on the computer running the Agent for SharePoint.