

Configure the Federation Agent for Windows Authentication

Information Required by the Configuration Wizard

After you install the Federation Agent, run the configuration wizard. On a Windows system, select the authentication protocol (Kerberos or NTLM). On a UNIX system, Kerberos is the only supported protocol.

Note: The configuration executable and folder names include the string iwa, which references support for Integrated Windows Authentication technology.

The following parameters are required for NTLM and for Kerberos configurations.

Important! The values for these parameters must match the values that are specified in the Deployment settings of the Administrative UI. Obtain the values of these settings from the CA SiteMinder® Federation Standalone administrator before you configure the Federation Agent.

Cookie zone

Specifies the single sign-on security zone name.

Default: FED

Value: An alphabetic string

Cookie name

Specifies the name of the open format cookie.

Default: ""

Value: An alphabetic string

Encryption password

Specifies the password that derives a key for encrypting the cookie.

Default: ""

Value: An alphanumeric string

Encryption Transformation type

Specifies the FIPS-compliant cryptographic transform.

Default: AES128/CBC/PKCS5Padding

Limits: AES128/CBC/PKCS5Padding, AES192/CBC/PKCS5Padding, AES256/CBC/PKCS5Padding, 3DES_EDE/CBC/PKCS5Padding

UseHMAC

Specifies whether to use a Hash Message Authentication Code (HMAC).

Default: false

Limits: true or false

Note: If you are on a system running Windows and you have selected the Kerberos authentication protocol, you can optionally select NTLM as the failover option.

When specifying the Kerberos protocol, provide values for the following parameters:

KDC address

Specifies the fully qualified domain name of the key distribution center (KDC).

KDC realm

Specifies the domain name of the system on which the KDC is located.

Keytab location

Specifies the path of the keytab file. This file is created on the KDC system and moved to the system where the Federation Agent is installed.

Principal

Specifies the service principal name (SPN), which uniquely identifies an instance of a service, for example, HTTP/host.abc.com, where HTTP is the name of the service and host.abc.com is the name of the host on which the service resides.

The Keytab location and Principal parameters are written to the login.conf file. The other parameters are written to the IWAConnectorConfig.conf file.

Note: If you review the login.conf file, do not change the value of the isInitiator parameter.
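A common misconfiguration is a keytab that was generated for a different SPN or realm than the Principal and KDC realm entered in the wizard, which only shows up as a failed Kerberos login later. The following added example (not part of the product or this page) parses an MIT-format keytab (version 0x0502) and checks that it carries the configured SPN in the configured realm; the keytab itself, the realm ABC.COM, the kvno, the enctype and the zero key bytes are constructed placeholders, and the check assumes the KDC realm value is the Kerberos realm name.

```python
import struct

# Constructed, illustrative keytab (MIT format 0x0502) assembled in memory so the check
# runs offline; the key bytes, timestamp and the realm ABC.COM are placeholders.
def _counted(b: bytes) -> bytes:          # keytab counted_octet_string: uint16 len + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one version-2 keytab entry, including its int32 size prefix."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    # name_type 1 (KRB5_NT_PRINCIPAL), timestamp (placeholder 0), 8-bit vno, then keyblock
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return principal/realm/kvno/enctype for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                      # negative size marks a deleted slot: skip the hole
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        pos += 8                          # skip name_type (4) and timestamp (4)
        vno8, enctype = struct.unpack_from(">BH", data, pos)
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": vno8, "enctype": enctype})
        pos = end                         # skip the key material and any trailing extension
    return entries

def keytab_has_principal(data: bytes, principal: str, realm: str) -> bool:
    """True if the keytab holds the wizard's Principal (SPN) in the configured KDC realm."""
    return any(e["principal"] == principal and e["realm"] == realm for e in parse_keytab(data))

SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry("HTTP/host.abc.com", "ABC.COM", 3, 18, b"\x00" * 32)
```

Against a real file, read the bytes of the Keytab location path and pass the wizard's Principal and KDC realm to keytab_has_principal; the parser deliberately never returns the key material.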

Run the Configuration Wizard on Windows

Run the configuration wizard for the Federation Agent after the installation. The wizard establishes values for parameters related to authentication protocol and cookie specifications.

Follow these steps:

  1. Exit all applications that are running.
  2. Navigate to where the configuration command file is located:

    federation_installation_dir\connectors\IWA.

  3. Double-click ca-fedmanager-iwa-config.cmd.

    The configuration wizard starts.

  4. Follow the prompts provided by the wizard.

The configuration is complete.

Run the Configuration Wizard on UNIX

The configuration wizard for the Federation Agent establishes values for parameters related to authentication protocol and cookie specifications.

Run the configuration wizard to complete the installation process.

Follow these steps:

  1. Exit all applications that are running.
  2. Navigate to where the configuration command file is located:

    federation_installation_dir/connectors/IWA

  3. Execute the script ca-fedmanager-iwa-config.sh.

    The configuration wizard starts.

  4. Follow the prompts provided by the wizard to complete the configuration.
  5. Source the following script so the Agent works properly:
    . /federation_install_dir/connectors/IWA/ca_fedmgr_iwa_env.ksh
    
  6. Restart the federation services:
    1. Open a command window.
    2. Run the following scripts:

      federation_install_dir/fedmanager.sh stop

      federation_install_dir/fedmanager.sh start

    Note: Do not stop and start the services as the root user. You must be a non-root user.

Unattended Configuration (Windows)

After you configure the Federation Agent one time using the wizard, you can configure it on the same system, or a different system, using unattended mode. An unattended mode configuration does not require user intervention. It uses a configuration properties file. You can modify the configuration properties to suit your requirements.

Follow these steps:

  1. Navigate to the directory where the configuration executable is located:

    federation_installation_dir\connectors\IWA\install_config_info

  2. Enter the following command at a command prompt:
    ca-fedmanager-iwa-config.bin -i silent -f ca-fedmanager-iwa-config.properties
    
    -f

    Specifies the name of the Federation Agent configuration properties file. If the properties file is not in the same directory as the executable file, specify the relative path to the properties file.

    -i

    Specifies the configuration mode. For unattended mode, the value is silent.

The unattended configuration is complete.

Unattended Configuration (UNIX)

After you configure the Federation Agent one time using the wizard, you can configure it on the same system, or a different system, using unattended mode. An unattended mode configuration does not require user intervention. It uses a configuration properties file. Modify the configuration properties file to suit your requirements.

Follow these steps:

  1. Navigate to the directory where the configuration executable is located:

    federation_installation_dir/connectors/IWA/install_config_info

  2. Enter the following command at a command prompt:
    ca-fedmanager-iwa-config.bin -i silent -f ca-fedmanager-iwa-config.properties
    
    -f

    Specifies the name of the Federation Agent configuration properties file. If the properties file is not in the same directory as the executable file, specify the relative path to the properties file.

    -i

    Specifies the configuration mode. For unattended mode, the value is silent.

The unattended configuration is complete.

Modifying the Configuration File for the Federation Agent (Optional)

After you have run the configuration wizard, the values you specified are written to the IWAConnectorConfig.conf file. You can rerun the wizard at any time to modify almost all the parameter values.

Several parameter values are not set in the configuration wizard. You can modify the file directly when you want to update the following values:

context_cleanup_interval

Specifies the interval after which the cleanup thread starts deleting the expired context. Decreasing this value leads to quicker cleanup and better memory availability.

Default: 30000 milliseconds

Value: A lower value is recommended when you expect many incomplete requests.

context_expiration_interval

Specifies the time after which a context is assumed to be expired. For NTLM, a context is valid for a maximum of 1 minute.

Default: 60000 milliseconds

Value: The value of this parameter cannot be set to less than 1 minute. A higher value can result in a stale context not being cleaned up promptly.

context_cleanup_thread_priority

Specifies the priority for the context clean-up thread.

Default: 5

Value: A higher priority is recommended when you expect many incomplete requests.
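The three context values interact: an abandoned handshake is reclaimed only after it has expired and the cleanup thread has run its next sweep, so the longest a stale context can occupy memory is context_expiration_interval plus context_cleanup_interval. The following added example (not part of the product or this page) validates a proposed set of values against the limits stated above and models that timing with an injected clock; the class and function names are constructed for the example, and the priority range 1..10 assumes a Java thread priority, which is an assumption.

```python
MIN_EXPIRATION_MS = 60000   # the documented floor: an NTLM context is valid for at most 1 minute

def validate_context_settings(cleanup_interval_ms: int, expiration_interval_ms: int,
                              thread_priority: int) -> list:
    """Return the problems with a proposed set of IWAConnectorConfig.conf context values."""
    problems = []
    if cleanup_interval_ms <= 0:
        problems.append("context_cleanup_interval must be a positive number of milliseconds")
    if expiration_interval_ms < MIN_EXPIRATION_MS:
        problems.append("context_expiration_interval cannot be set to less than 1 minute")
    if not 1 <= thread_priority <= 10:    # assumption: a Java thread priority (1..10, normal = 5)
        problems.append("context_cleanup_thread_priority must be between 1 and 10")
    return problems

class ContextStore:
    """Toy model of the Agent's in-flight authentication contexts and the cleanup thread's
    sweep. Time is an injected millisecond counter, so runs are deterministic."""
    def __init__(self, cleanup_interval_ms: int, expiration_interval_ms: int):
        self.cleanup_ms = cleanup_interval_ms
        self.expiry_ms = expiration_interval_ms
        self.contexts = {}                # context id -> creation time in ms
        self.last_sweep_ms = 0

    def begin(self, ctx_id: str, now_ms: int) -> None:
        self.contexts[ctx_id] = now_ms    # first leg of the handshake arrived

    def tick(self, now_ms: int) -> list:
        """Run the cleanup sweep if a full cleanup interval has elapsed; return reclaimed ids."""
        if now_ms - self.last_sweep_ms < self.cleanup_ms:
            return []
        self.last_sweep_ms = now_ms
        expired = [c for c, t in self.contexts.items() if now_ms - t >= self.expiry_ms]
        for c in expired:
            del self.contexts[c]
        return expired

def worst_case_residency_ms(cleanup_interval_ms: int, expiration_interval_ms: int) -> int:
    """Longest an abandoned context can stay in memory: it must expire and then wait for a sweep."""
    return expiration_interval_ms + cleanup_interval_ms

def removal_time_ms(cleanup_interval_ms: int, expiration_interval_ms: int, started_ms: int) -> int:
    """Simulate one abandoned NTLM handshake and return the sweep time at which it is reclaimed."""
    assert cleanup_interval_ms > 0
    store = ContextStore(cleanup_interval_ms, expiration_interval_ms)
    store.begin("ctx", started_ms)
    now = 0
    while "ctx" in store.contexts:
        now += cleanup_interval_ms
        store.tick(now)
    return now
```

With the defaults (30000 and 60000), a handshake abandoned at 1 s is reclaimed at the 90 s sweep; lowering context_cleanup_interval to 10000 moves that to 70 s, which is the memory effect the parameter description refers to.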