

Change the States of the Services on your Agent for SharePoint

You can change the states of the related services on your Agent for SharePoint.

Note: To start or stop your Agent for SharePoint, change the value of the EnableWebAgent parameter first.

Follow these steps:

  1. To change the states of the related services, select one of the following procedures:
  2. For Windows operating environments, do the following steps:
    1. From the Windows Start menu, navigate to Administrative Tools, Services.

      The Services dialog appears.

    2. Scroll down the list of services and select SiteMinder Agent for SharePoint.
    3. From the Action menu, select All Tasks and select the command that you want.
    4. Repeat Steps 2 and 3 for SiteMinder Agent for SharePoint Proxy Engine.

      The states of the services and Agent for SharePoint are changed.

  3. To start the Agent for SharePoint on UNIX operating environments, do the following steps:
    1. Log in as a root user.
    2. Navigate to the following directory:
      Agent-for-SharePoint_home/proxy-engine
      
    3. Run the following command:
      ./sps-ctl start
      

      The service and the Agent for SharePoint start. The Agent for SharePoint stops or starts according to the value you set in the EnableWebAgent parameter.

  4. To stop the Agent for SharePoint on a system running UNIX, do the following steps:
    1. Navigate to the following directory:
      Agent-for-SharePoint_home/proxy-engine
      
    2. Run the following command:
      ./sps-ctl stop
      

      The service and the Agent for SharePoint stop.

Modify the SSL Configuration File for Your Agent for SharePoint

This section describes configuring secure communications between your Agent for SharePoint reverse proxy and the Public URLs of your SharePoint web applications.

The first step in configuring the reverse proxy for secure communications is modifying the SSL configuration file.

Follow these steps:

  1. Log in to the server hosting your Agent for SharePoint.
  2. Open the following file with a text editor:
    Agent-for-SharePoint_home\httpd\conf\extra\httpd-ssl.conf
    
    Agent-for-SharePoint_Home

    Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

    Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
    Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

  3. Add the appropriate number of Listen directives for your environment, one for each HTTPS port.

    The example used in this section assumes that you already have three web applications listening for HTTP requests on ports 80, 81 and 82, and adds HTTPS ports 443, 481 and 482 respectively, so it needs a Listen directive for each of those three HTTPS ports.

  4. Add a section for each port-based virtual host, using the following examples as a guide:
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs"
    ServerName SMSPA2010.smtest.ca.com:443
    ServerAdmin Admin@smtest.ca.com
    # ErrorLog logs/error_log.log
    # TransferLog logs/access_log.log
    SSLEngine on
    SSLCertificateFile "C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer"
    SSLCertificateKeyFile "C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key"
    </VirtualHost>
    <VirtualHost *:481>
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs/481smspa2010"
    ServerName smspa2010.smtest.ca.com
    ServerAdmin Admin@smtest.ca.com
    ErrorLog logs/481smspa2010_error_log.log
    TransferLog logs/481smspa2010_access_log.log
    SSLEngine on
    SSLCertificateFile C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer
    SSLCertificateKeyFile C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key
    CustomLog logs/cipher_log_481smspa2010 \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    <VirtualHost *:482>
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs/482smspa2010"
    ServerName smspa2010.smtest.ca.com
    ServerAdmin Admin@smtest.ca.com
    ErrorLog logs/482smspa2010_error_log.log
    TransferLog logs/482smspa2010_access_log.log
    SSLEngine on
    SSLCertificateFile C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer
    SSLCertificateKeyFile C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key
    CustomLog logs/cipher_log_482smspa2010 \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    

    The previous example shows the virtual host entries that are created to match the Listen ports added in Step 3.

  5. Save the file and close the text editor.

    The SSL Configuration file is modified. Continue with the next step of generating certificates and keys for each unique server (FQDN) in your environment.
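As an added consistency check (example code written for this page, not part of the CA documentation or product), the following Python script parses an httpd-ssl.conf fragment and reports any Listen port without a matching SSL virtual host, and any virtual host that lacks SSLEngine on, a certificate file, or a key file. The sample configuration is constructed from the ports and paths used above, with the port 482 host deliberately missing its key file.

```python
import re

# Constructed sample in the style of the httpd-ssl.conf excerpt above; the
# 482 virtual host deliberately lacks a key file so the check reports it.
SAMPLE_CONF = """\
Listen 443
Listen 481
Listen 482
<VirtualHost _default_:443>
ServerName smspa2010.smtest.ca.com:443
SSLEngine on
SSLCertificateFile "C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer"
SSLCertificateKeyFile "C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key"
</VirtualHost>
<VirtualHost *:481>
ServerName smspa2010.smtest.ca.com
SSLEngine on
SSLCertificateFile C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer
SSLCertificateKeyFile C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key
</VirtualHost>
<VirtualHost *:482>
ServerName smspa2010.smtest.ca.com
SSLEngine on
SSLCertificateFile C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer
</VirtualHost>
"""

def parse_ssl_conf(text):
    """Return (set of Listen ports, {port: {directive: value}})."""
    listen, vhosts, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Listen\s+(?:\S+:)?(\d+)(?:\s+\S+)?$", line)
        if m:
            listen.add(int(m.group(1)))
        elif (m := re.match(r"<VirtualHost\s+\S+:(\d+)>", line)):
            current = int(m.group(1))          # port from _default_:443 or *:481
            vhosts[current] = {}
        elif line.startswith("</VirtualHost>"):
            current = None
        elif current is not None and len(parts := line.split(None, 1)) == 2:
            vhosts[current][parts[0]] = parts[1].strip('"')
    return listen, vhosts

def check_ssl_conf(text):
    """List inconsistencies between Listen ports and the SSL virtual hosts."""
    listen, vhosts = parse_ssl_conf(text)
    problems = []
    for port in sorted(listen):
        vh = vhosts.get(port)
        if vh is None:
            problems.append(f"port {port}: Listen without a VirtualHost")
            continue
        if vh.get("SSLEngine", "").lower() != "on":
            problems.append(f"port {port}: SSLEngine is not on")
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if directive not in vh:
                problems.append(f"port {port}: missing {directive}")
    for port in sorted(set(vhosts) - listen):
        problems.append(f"port {port}: VirtualHost without a Listen directive")
    return problems
```

Run check_ssl_conf on the text of your own httpd-ssl.conf; an empty list means every HTTPS port you listen on has a complete SSL virtual host.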

Generate a Private RSA Server Key for Each Virtual Site

The next step in configuring the reverse proxy for secure communications is to generate a private RSA key (server key) for each virtual site with a fully qualified domain name (FQDN). Do one of the following procedures:

Generate a Private Unencrypted RSA Server Key for Each Virtual Site

Generate a private key for each virtual site with a fully qualified domain name (FQDN). This procedure describes how to generate an unencrypted private key.

Follow these steps:

  1. Open a command-line window.
  2. Navigate to the following directory:
    Agent-for-SharePoint_home\SSL\bin
    
    Agent-for-SharePoint_Home

    Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

    Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
    Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

  3. Generate the keys by running the following commands:
    .\openssl genrsa -out ..\keys\server_FQDN.key
    

    The following example describes creating a key for a server named smspa2010:

    .\openssl genrsa -out ..\keys\smspa2010.example.com.key
    
  4. Repeat Step 3 for each virtual server.

    The private unencrypted server keys are created. Continue with the next step of generating a certificate signing request.

Generate a Private Encrypted RSA Key

Generate a private key for each virtual site with a fully qualified domain name (FQDN). This procedure describes how to generate an encrypted private key.

Follow these steps:

  1. Open a command-line window.
  2. Navigate to the following directory:
    Agent-for-SharePoint_home\SSL\bin
    
    Agent-for-SharePoint_Home

    Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

    Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
    Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

  3. Generate the keys by running the following commands:
    .\openssl genrsa -des3 -out ..\keys\server_FQDN.key
    

    The following example describes creating a key for a server named smspa2010:

    .\openssl genrsa -des3 -out ..\keys\smspa2010.example.com.key
    
  4. Repeat Step 3 for each virtual server.

    The private encrypted server keys are created and written to the specified key output file.

The key output file is in encrypted ASCII PEM ("Privacy Enhanced Mail") format.

Because the file is encrypted, you are prompted for a pass-phrase that protects it and is required to decrypt it later. If you do not want your key to be protected, omit the -des3 argument from the command line.

Important! Do not use the -des3 option if you are running on Windows. The Secure Proxy Server does not start if there is a prompt for a pass-phrase.

To view the details of this RSA key, enter the following command:

openssl rsa -noout -text -in server.key

Generate and Submit Certificate Signing Requests

The next step in configuring the reverse proxy for secure communications is generating the certificate signing requests for each of the virtual servers.

Follow these steps:

  1. Open a command-line window.
  2. Generate the certificate signing requests by running the following command:
    .\openssl req -config .\openssl.cnf -new -key ..\keys\server_FQDN.key -out ..\keys\server_FQDN.csr
    

    The following example describes creating a certificate request for a server named smspa2010 on the support.example.com domain:

    .\openssl req -config .\openssl.cnf -new -key ..\keys\smspa2010.support.example.com.key -out ..\keys\smspa2010.support.example.com.csr
    
  3. Create your certificate request by adding the information at each prompt, as shown in the following example:
    Country: Your_Country
    State: Your_State
    Locality: Your_Town
    Organization: Example
    Org. Unit: support
    CN: smspa2010.support.example.com
    E-Mail: admin@support.ca.com
    Challenge Pwd: firewall
    Optional name: blank
    

    Note: The value for the common name (CN) must match the fully qualified domain name (FQDN) of the web server.

    The system generates a certificate request with the certificate file name and a request number, as shown in the following example:

    smspa2010.support.example.com.csr 8
    
  4. Record the file name and certificate signing request for future reference.
  5. Repeat Steps 2 through 4 for the other virtual servers.
  6. Submit your certificate signing requests to the certificate authority that your organization uses.

    The certificate signing requests are generated and submitted. Continue with the next step of downloading your certificates from your certificate authority.

Download and Install the Certificates from your Certificate Authority

The next step in configuring the reverse proxy for secure communications is downloading the signed certificates from the certificate authority.

The virtual host sections in your SSL configuration file specify a certificate location for each virtual host. The SSLCertificateFile line in the following example specifies the location for the smspa2010.support.example.com server:

SSLCertificateFile "Agent-for-SharePoint_home/SSL/certs/smspa2010.support.example.com.cer"
Agent-for-SharePoint_Home

Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

Follow these steps:

  1. Log in to your Agent for SharePoint server from which you issued the certificate requests.
  2. Review the SSL configuration file for the SSLCertificateFile lines.
  3. Copy a certificate file to its respective location that is specified in the SSL Configuration file.
  4. Repeat Step 3 for each unique server running a virtual host.

    The certificates are downloaded. Continue with the next step of accommodating your SSL sites by modifying the proxy rules.

Accommodate Your SSL Sites by Modifying the Proxy Rules

The next step in configuring the reverse proxy for secure communication is modifying the proxy rules for the server on which your Agent for SharePoint runs.

Note: Even if you are using only SSL, the proxy rules files require rules for both HTTP and HTTPS protocols.

Follow these steps:

  1. Open the following file with a text editor:
    Agent-for-SharePoint_home\proxy-engine\conf\proxyrules.xml
    
    Agent-for-SharePoint_Home

    Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.

    Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint

    Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
    Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint

  2. Modify the proxyrules.xml file for the SSL sites by adding proxy rules that include the SSL port and the related web application. In the following example, the new rules are the cases for SSL ports 481 and 482:
    <nete:proxyrules xmlns:nete="http://smspa2010.smtest.ca.com/" debug="yes">
    <nete:cond type="host" criteria="endswith">
    <nete:case value="81">
    <nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
    </nete:case>
    <nete:case value="82">
    <nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
    </nete:case>
    <nete:case value="481">
    <nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
    </nete:case>
    <nete:case value="482">
    <nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
    </nete:case>
    <nete:default>
    <nete:forward>http://w2k8r2.smtest.ca.com:31567$0</nete:forward>
    </nete:default>
    </nete:cond>
    </nete:proxyrules>
    
  3. Save the file and close the text editor.

    The proxy rules are modified. Continue with the next step of enabling SSL on your Agent for SharePoint.
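Because the proxy rules must cover both HTTP and HTTPS, the following Python check (an added example, not CA's code) parses a proxyrules.xml fragment and verifies that each HTTPS port has a rule and forwards to the same backend as its HTTP counterpart. The sample rules are constructed from the example above; the HTTP-to-HTTPS port pairs (81 to 481, 82 to 482) are an assumption you supply for your own environment.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the proxyrules.xml excerpt above.
SAMPLE_RULES = """\
<nete:proxyrules xmlns:nete="http://smspa2010.smtest.ca.com/" debug="yes">
<nete:cond type="host" criteria="endswith">
<nete:case value="81">
<nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
</nete:case>
<nete:case value="82">
<nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
</nete:case>
<nete:case value="481">
<nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
</nete:case>
<nete:case value="482">
<nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
</nete:case>
<nete:default>
<nete:forward>http://w2k8r2.smtest.ca.com:31567$0</nete:forward>
</nete:default>
</nete:cond>
</nete:proxyrules>
"""

def forward_by_port(xml_text):
    """Map each nete:case value (port suffix) to its nete:forward target."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0]          # namespace URI from "{uri}proxyrules"
    q = lambda name: f"{{{ns}}}{name}"
    rules = {}
    for case in root.iter(q("case")):
        fwd = case.find(q("forward"))
        if fwd is not None and fwd.text:
            rules[case.get("value")] = fwd.text.strip()
    return rules

def check_ssl_pairs(xml_text, port_pairs):
    """port_pairs maps HTTP port -> HTTPS port, e.g. {"81": "481"}.

    Returns a list of problems; an empty list means every HTTP port and its
    HTTPS counterpart have explicit rules that forward to the same backend.
    The nete:default rule is intentionally not treated as covering a port.
    """
    rules = forward_by_port(xml_text)
    problems = []
    for http_port, https_port in port_pairs.items():
        if http_port not in rules:
            problems.append(f"no rule for HTTP port {http_port}")
        if https_port not in rules:
            problems.append(f"no rule for HTTPS port {https_port}")
        if http_port in rules and https_port in rules and rules[http_port] != rules[https_port]:
            problems.append(f"ports {http_port}/{https_port} forward to different backends")
    return problems
```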

Enable SSL on Your Agent for SharePoint

The next step in configuring the reverse proxy for secure communication is enabling SSL on the server that runs your Agent for SharePoint.

To enable SSL on your Agent for SharePoint, run the appropriate command for your operating environment:

Windows

Agent-for-SharePoint_home\httpd\bin\configssl.bat -enable

UNIX/Linux

Agent-for-SharePoint_home/proxy-engine/sps-ctl startssl

SSL is enabled on your Agent for SharePoint. Continue with the next step of running the connection wizard.

Run the Connection Wizard

The next steps in configuring the reverse proxy for secure communications involve two tasks: editing the existing connection with the Connection Wizard, and modifying the SignInUrl of the CA SiteMinder Trusted Identity Token Issuer.

Follow these steps:

  1. Edit the existing connection using the Connection Wizard with the following steps:
    1. Log in to the server that runs your Agent for SharePoint.
    2. Navigate to the following directory:
      Agent-for-SharePoint_home/sharepoint_connection_wizard
      
    3. Do the appropriate step for your operating environment:
      • Windows: Right-click the executable and then select Run as administrator.
      • Solaris: sh ./ca-spconnect-12.0-sp3-sol.bin
      • Linux: sh ./ca-spconnect-12.0-sp3-rhel30.bin

      The SharePoint Connection wizard starts.

    4. Click Next.

      The Login Details screen appears.

    5. Enter the following login for the Policy Server.
      Policy Server Name

      Specifies the Policy Server name or IP address.

      Username

      Specifies the Policy Server administrator username.

      Password

      Specifies the Policy Server administrator password.

      Agent Name

      Specifies the name of the 4.x agent. The connection with the Policy Server is established using the details that are given in the Agent Name.

      Shared Secret Key

      Specifies the shared secret key that is associated with the Agent.

    6. Click Next.

      The Select Action screen appears.

    7. Select Edit a SharePoint Connection option.
    8. Click Next.

      The SharePoint Connection Properties screen appears.

    9. Change the protocol of the Authentication URL to HTTPS in the SharePoint Connection Properties screen.
    10. Click Install in the Commit Details screen.

      The Save Complete screen appears.

    11. Click Done.

    The partnership details are saved, the SharePoint Connection is modified, and the wizard closes.

  2. Modify the SignInUrl of the CA SiteMinder Trusted Identity Token Issuer with the following steps:
    1. Log in to your SharePoint central administration server.
    2. Click Start, All Programs, Microsoft SharePoint 2010 Products, SharePoint 2010 Management Shell.
    3. Verify the following settings by running the Get-SPTrustedIdentityTokenIssuer command:
      • The name of the provider
        (such as LDAP-Claims)
      • The current SignInUrl
        (such as http://smspa2010.support.example.com/affwebservices/public/wsfeddispatcher).
    4. Run the Set-SPTrustedIdentityTokenIssuer command as shown in the following example:
      Set-SPTrustedIdentityTokenIssuer "LDAP-Claims" -SignInUrl https://smspa2010.support.example.com/affwebservices/public/wsfeddispatcher
      
    5. Run the Get-SPTrustedIdentityTokenIssuer command again to verify the change to the SignInUrl.

      Note: For more information about the Set-SPTrustedIdentityTokenIssuer command, see http://technet.microsoft.com/en-us/library/ff607792.aspx

    The protocol is changed. Continue with the next step of creating alternate access mappings for your port-based virtual sites.

Create Alternate Access Mappings for Your Port-Based Virtual Sites

The next step in configuring the reverse proxy for secure communication is creating alternate access mappings on your SharePoint server for the port-based virtual hosts on your Agent for SharePoint.

Port-based proxy rules require alternate access mappings on your SharePoint central administration server.

Follow these steps:

  1. Open your SharePoint central administration site.
  2. Click Application Management.
  3. Under Web Applications, click Configure Alternate Access Mappings.
  4. Use the examples in the following table as a guide to edit your public URLs and add internal URLs:

    Public URL                                       Internal URL
    (URL of your virtual site on your                (URL of the web application on your
    Agent for SharePoint)                            SharePoint server)
    -----------------------------------------------  ------------------------------------------
    https://support.example.com                      https://spa2010.support.example.com\443

The alternate access mappings are created. Continue with the next step of modifying the ConfigSSL.bat file.

Modify the ConfigSSL.bat File

The next step in configuring the reverse proxy for secure communication is modifying the ConfigSSL.bat file.

The ConfigSSL.bat file simplifies the configuration changes required to implement secure communication for your reverse proxy.

Follow these steps:

  1. Open the following file with a text editor:
    Agent-for-SharePoint_home\httpd\bin\configssl.bat
  2. Change all instances of "SiteMinder Secure Proxy" to "SiteMinderAgentforSharePoint".
  3. Save your changes to the file, and then close the text editor.
  4. Run the updated configssl.bat file.

    The SSL configuration settings are updated. Continue with the next step of modifying your authentication scheme.

Modify Your Authentication Scheme

The next step in configuring the reverse proxy for secure communication is modifying your CA SiteMinder authentication scheme to use SSL.

Authentication schemes use HTTP unless you specify HTTPS when creating the authentication scheme.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Authentication, Authentication Schemes.
  3. Click the link of the authentication scheme that you want.
  4. Click Modify.
  5. Select the Use SSL Connection check box.
  6. Click Submit.

    A confirmation screen appears.

  7. Click OK.

    The authentication scheme is modified. Continue with the next step of restarting your Agent for SharePoint.

Restart the Agent for SharePoint

Starting or stopping the Agent for SharePoint involves the following separate procedures:

  1. Changing the value of EnableWebAgent in the WebAgent.conf file.
  2. Changing the state of the related services on the computer running the Agent for SharePoint.