You can change the states of the related services on your Agent for SharePoint.
Note: To start or stop your Agent for SharePoint, change the value of the EnableWebAgent parameter first.
Follow these steps:
The Services dialog appears.
The states of the services and Agent for SharePoint are changed.
Agent-for-SharePoint_home/proxy-engine
./sps-ctl start
The service and the Agent for SharePoint start. The Agent for SharePoint stops or starts according to the value you set in the EnableWebAgent parameter.
Agent-for-SharePoint_home/proxy-engine
./sps-ctl stop
The service and the Agent for SharePoint stop.
This section describes configuring secure communications between your Agent for SharePoint reverse proxy and the Public URLs of your SharePoint web applications.
The first step in configuring the reverse proxy for secure communications is modifying the SSL configuration file.
The SSL configuration file requires the following modifications:
Follow these steps:
Agent-for-SharePoint_home\httpd\conf\extra\httpd-ssl.conf
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
The previous example assumes that you already have three web applications listening for HTTP requests on ports 80, 81, and 82, and shows how to add the corresponding HTTPS ports 443, 481, and 482.
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs"
    ServerName SMSPA2010.smtest.ca.com:443
    ServerAdmin Admin@smtest.ca.com
    # ErrorLog logs/error_log.log
    # TransferLog logs/access_log.log
    SSLEngine on
    SSLCertificateFile "C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer"
    SSLCertificateKeyFile "C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key"
</VirtualHost>

<VirtualHost *:481>
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs/481smspa2010"
    ServerName smspa2010.smtest.ca.com
    ServerAdmin Admin@smtest.ca.com
    ErrorLog logs/481smspa2010_error_log.log
    TransferLog logs/481smspa2010_access_log.log
    SSLEngine on
    SSLCertificateFile "C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer"
    SSLCertificateKeyFile "C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key"
    CustomLog logs/cipher_log_481smspa2010 \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:482>
    DocumentRoot "C:/CA/Agent-for-SharePoint/httpd/htdocs/482smspa2010"
    ServerName smspa2010.smtest.ca.com
    ServerAdmin Admin@smtest.ca.com
    ErrorLog logs/482smspa2010_error_log.log
    TransferLog logs/482smspa2010_access_log.log
    SSLEngine on
    SSLCertificateFile "C:/CA/Agent-for-SharePoint/SSL/certs/smspa2010.smtest.ca.com.cer"
    SSLCertificateKeyFile "C:/CA/Agent-for-SharePoint/SSL/keys/smspa2010.smtest.ca.com.key"
    CustomLog logs/cipher_log_482smspa2010 \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The previous example describes the virtual host entries that are created to match the port settings in Step 2.
The SSL configuration file is modified. Because SSLCertificateKeyFile points to an unencrypted private key, restrict the permissions on that key file to the account that runs the proxy. Continue with the next step of generating certificates and keys for each unique server (FQDN) in your environment.
The next step in configuring the reverse proxy for secure communications is to generate a private RSA key (server key) for each virtual site with a fully qualified domain name (FQDN). Do one of the following procedures:
Generate a private key for each virtual site with a fully qualified domain name (FQDN). This procedure describes how to generate an unencrypted private key. When no key size is given, openssl genrsa uses a default that depends on the OpenSSL version; to be explicit, append the size in bits (for example, 2048) as the last argument of the command.
Follow these steps:
Agent-for-Sharepoint_home\SSL\bin
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
.\openssl genrsa -out ..\keys\server_FQDN.key
The following example describes creating a key for a server named smspa2010:
.\openssl genrsa -out ..\keys\smspa2010.example.com.key
The private unencrypted server keys are created. Continue with the next step of generating a certificate signing request.
Generate a private key for each virtual site with a fully qualified domain name (FQDN). This procedure describes how to generate an encrypted private key.
Follow these steps:
Agent-for-Sharepoint_home\SSL\bin
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
.\openssl genrsa -des3 -out ..\keys\server_FQDN.key
The following example describes creating a key for a server named smspa2010:
.\openssl genrsa -des3 -out ..\keys\smspa2010.example.com.key
The private encrypted server keys are created and written to the specified key output file.
The key output file will be in encrypted ASCII PEM (from “Privacy Enhanced Mail") format.
Because the file is encrypted, you are prompted for a pass-phrase that protects the key and that is required to decrypt it later. If you do not want your key to be protected, do not use the -des3 argument in the command line.
Important! Do not use the -des3 option if you are running on Windows. The Secure Proxy Server does not start if there is a prompt for a pass-phrase.
To view the details of this RSA key, enter the following command:
openssl rsa -noout -text -in server.key
The next step in configuring the reverse proxy for secure communications is generating the certificate signing requests for each of the virtual servers.
Follow these steps:
.\openssl req -config .\openssl.cnf -new -key ..\keys\server_FQDN.key -out ..\keys\server_FQDN.csr
The following example describes creating a certificate request for a server named smspa2010 on the support.example.com domain:
.\openssl req -config .\openssl.cnf -new -key ..\keys\smspa2010.support.example.com.key -out ..\keys\smspa2010.support.example.com.csr
Country: Your_Country
State: Your_State
Locality: Your_Town
Organization: Example
Org. Unit: support
CN: smspa2010.support.example.com
E-Mail: admin@support.ca.com
Challenge Pwd: firewall
Optional name: blank
Note: The value for the common name (CN) must match the fully qualified domain name (FQDN) of the web server.
The system generates a certificate request with the certificate file name and a request number, as shown in the following example:
smspa2010.support.example.com.csr 8
The certificate signing requests are generated and submitted. Continue with the next step of downloading your certificates from your certificate authority.
The next step in configuring the reverse proxy for secure communications is downloading the signed certificates from the certificate authority.
The virtual host sections in your SSL configuration file specify a certificate location for each virtual host. The SSLCertificateFile line in the following example specifies the location for the smspa2010.support.example.com server:
SSLCertificateFile "Agent-for-SharePoint_home/SSL/certs/smspa2010.support.example.com.cer"
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
Follow these steps:
The certificates are downloaded. Continue with the next step of accommodating your SSL sites by modifying the proxy rules.
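The following script is an added example and is not part of the CA documentation. It carries out the key, certificate-signing-request and certificate steps above for a list of FQDNs with the UNIX openssl binary (the page shows the Windows .\openssl form of the same commands) and then verifies the three properties the page depends on: the key is not pass-phrase protected, the CN in the request equals the FQDN, and the certificate that comes back belongs to the key the virtual host references. It assumes openssl is on PATH, a scratch directory stands in for Agent-for-SharePoint_home/SSL/keys, the system default openssl.cnf is used instead of the agent's openssl.cnf, a self-signed certificate stands in for the one your certificate authority returns, and the hostnames are constructed samples.

```shell
#!/bin/sh
# Added example, not CA's code. KEYDIR stands in for
# Agent-for-SharePoint_home/SSL/keys; hostnames are constructed samples.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

# Same as ".\openssl genrsa -out ..\keys\server_FQDN.key", but with the key
# size stated explicitly and without -des3, so no pass-phrase prompt can stop
# the proxy from starting.
gen_key() {
    openssl genrsa -out "$KEYDIR/$1.key" 2048 2>/dev/null
}

# The page's -des3 variant; -passout only avoids the interactive prompt here
# so that the check below can be demonstrated.
gen_encrypted_key() {
    openssl genrsa -des3 -passout pass:demo-only -out "$KEYDIR/$1.key" 2048 2>/dev/null
}

# CSR whose CN is the FQDN. -subj answers the prompts shown on the page
# non-interactively (the system default openssl.cnf is used).
gen_csr() {
    openssl req -new -key "$KEYDIR/$1.key" \
        -subj "/C=US/ST=Your_State/L=Your_Town/O=Example/OU=support/CN=$1" \
        -out "$KEYDIR/$1.csr"
}

# Stand-in for the certificate authority: self-sign the CSR into the .cer
# file that the SSLCertificateFile line of the virtual host expects.
self_sign() {
    openssl x509 -req -days 1 -in "$KEYDIR/$1.csr" -signkey "$KEYDIR/$1.key" \
        -out "$KEYDIR/$1.cer" 2>/dev/null
}

# Check 1: an encrypted key carries an ENCRYPTED marker in its PEM header
# (Proc-Type line in traditional PEM, "ENCRYPTED PRIVATE KEY" in PKCS#8).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$KEYDIR/$1.key"
}

# Check 2: the CN recorded in the CSR. Handles both the "CN = x" and the
# "/CN=x" subject formats printed by different OpenSSL versions.
csr_cn() {
    openssl req -noout -subject -in "$KEYDIR/$1.csr" \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Check 3: the certificate must belong to the key the virtual host references;
# comparing RSA moduli catches a certificate issued for a different request.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$KEYDIR/$1.cer")" = \
      "$(openssl rsa  -noout -modulus -in "$KEYDIR/$1.key")" ]
}

# Whole procedure for one FQDN; returns non-zero at the first failed step.
provision_site() {
    gen_key "$1" && gen_csr "$1" && self_sign "$1" \
        && key_is_unencrypted "$1" \
        && [ "$(csr_cn "$1")" = "$1" ] \
        && cert_matches_key "$1"
}

# Sample hostnames (constructed). chmod 600 limits the unencrypted key file to
# the account that runs the proxy.
for fqdn in smspa2010.support.example.com smspa2011.support.example.com; do
    if provision_site "$fqdn"; then
        chmod 600 "$KEYDIR/$fqdn.key"
        echo "OK   $fqdn  key=$KEYDIR/$fqdn.key cer=$KEYDIR/$fqdn.cer"
    else
        echo "FAIL $fqdn"
    fi
done

# Negative case: a -des3 key is flagged, which is why the page says not to use
# it on Windows (the proxy would block on the pass-phrase prompt).
gen_encrypted_key locked.example.com
key_is_unencrypted locked.example.com && echo "unexpected: key not encrypted" \
    || echo "SKIP locked.example.com  key is pass-phrase protected"
```

Run it before copying the .key and .csr files into Agent-for-SharePoint_home/SSL/keys; re-run cert_matches_key against the real certificate once the certificate authority returns it.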
The next step in configuring the reverse proxy for secure communication is modifying the proxy rules for the server on which your Agent for SharePoint runs.
Note: Even if you are using only SSL, the proxy rules files require rules for both HTTP and HTTPS protocols.
Follow these steps:
Agent-for-SharePoint_home\proxy-engine\conf\proxyrules.xml
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
<nete:proxyrules xmlns:nete="http://smspa2010.smtest.ca.com/" debug="yes">
    <nete:cond type="host" criteria="endswith">
        <nete:case value="81">
            <nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
        </nete:case>
        <nete:case value="82">
            <nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
        </nete:case>
        <nete:case value="481">
            <nete:forward>http://w2k8r2.smtest.ca.com:14056$0</nete:forward>
        </nete:case>
        <nete:case value="482">
            <nete:forward>http://w2k8r2.smtest.ca.com:31415$0</nete:forward>
        </nete:case>
        <nete:default>
            <nete:forward>http://w2k8r2.smtest.ca.com:31567$0</nete:forward>
        </nete:default>
    </nete:cond>
</nete:proxyrules>
The proxy rules are modified. Note that the host condition in this example is a suffix match (criteria="endswith"), so the values 81 and 82 also match hosts that end in 481 and 482; the overlap is harmless here because each pair forwards to the same backend, but keep it in mind if the HTTPS ports must forward elsewhere. The forward targets are http:// URLs, so SSL terminates at the proxy and the hop to the SharePoint web applications is in clear text. Leave debug="yes" set only while you verify the rules. Continue with the next step of enabling SSL on your Agent for SharePoint.
The next step in configuring the reverse proxy for secure communication is enabling SSL on the server that runs your Agent for SharePoint.
To enable SSL on your Agent for SharePoint, run the appropriate command for your operating environment:
Agent-for-SharePoint_home\httpd\bin\configssl.bat -enable
Agent-for-SharePoint_home/proxy-engine/sps-ctl startssl
SSL is enabled on your Agent for SharePoint. Continue with the next step of running the connection wizard.
The next steps in configuring the reverse proxy for secure communications involve the following tasks:
Follow these steps:
Agent-for-SharePoint_home/sharepoint_connection_wizard
The SharePoint Connection wizard starts.
The Login Details screen appears.
Specifies the Policy Server name or IP address.
Specifies the Policy Server administrator username.
Specifies the Policy Server administrator password.
Specifies the name of the 4.x agent. The connection with the Policy Server is established using the details given for this Agent Name.
Specifies the shared secret key that is associated with the Agent.
The Select Action screen appears.
The SharePoint Connection Properties screen appears.
The Save Complete screen appears.
The partnership details are saved, the SharePoint Connection is modified, and the wizard closes.
Set-SPTrustedIdentityTokenIssuer "LDAP-Claims" -SignInUrl https://smspa2010.support.example.com/affwebservices/public/wsfeddispatcher
Note: For more information about the Set-SPTrustedIdentityTokenIssuer command, see http://technet.microsoft.com/en-us/library/ff607792.aspx
The protocol is changed. Continue with the next step of creating alternate access mappings for your port-based virtual sites.
The next step in configuring the reverse proxy for secure communication is creating alternate access mappings on your SharePoint server for the port-based virtual hosts on your Agent for SharePoint.
Port-based proxy rules require the following alternate access mappings on your SharePoint central administration server:
Follow these steps:
Public URL                  | Internal URL
https://support.example.com | https://spa2010.support.example.com:443
The alternate access mappings are created. Continue with the next step of modifying the ConfigSSL.bat file.
The next step in configuring the reverse proxy for secure communication is modifying the ConfigSSL.bat file.
The ConfigSSL.bat file simplifies the configuration changes required to implement secure communication for your reverse proxy.
Follow these steps:
The SSL configuration settings are updated. Continue with the next step of modifying your authentication scheme.
The next step in configuring the reverse proxy for secure communication is modifying your CA SiteMinder authentication scheme to use SSL.
Authentication schemes use HTTP unless you specify HTTPS when creating the authentication scheme.
Follow these steps:
A confirmation screen appears.
The authentication scheme is modified. Continue with the next step of restarting your Agent for SharePoint.
Starting or stopping the Agent for SharePoint involves the following separate procedures:
Copyright © 2013 CA.
All rights reserved.