Install, Upgrade, and Configure CA SiteMinder® SPS Manually

Administration Guide › Installing CA SiteMinder® SPS › Install, Upgrade, and Configure CA SiteMinder® SPS Manually

Install, Upgrade, and Configure CA SiteMinder® SPS Manually

The CA SiteMinder for Secure Proxy Server is a stand-alone server that provides a proxy-based solution for access control. CA SiteMinder® SPS employs a proxy engine that provides a network gateway for the enterprise and supports multiple session schemes that do not rely on traditional cookie-based technology.

The following diagram describes how you can install and configure CA SiteMinder® SPS:

You can use the SPS installer to install a new instance of SPS, install multiple instances of SPS on same computer each time, and upgrade SPS. Configure SPS and then protect the Administrative UI to use it.

Prerequisites

Before you install or upgrade CA SiteMinder® SPS, verify the following prerequisites:

CA SiteMinder® SPS must not be installed on the computer where Policy Server is installed.
Ensure that Policy Server is running.
On Linux, ensure that you have write permission on the /opt/etc/CA directory.
On Linux, the folder where you install CA SiteMinder® SPS must have sufficient permissions (755). Do not install CA SiteMinder® SPS under the /root folder, because its default permissions (750) are insufficient.
On Solaris, CA SiteMinder® SPS runs as the "nobody" user. If you prefer not to run CA SiteMinder® SPS as this user, create an alternate user and assign the necessary permissions.
If you are installing CA SiteMinder® SPS on RHEL, verify that you installed the ncurses package.
If you are installing CA SiteMinder® SPS on an RHEL 5 or RHEL 6 64-bit computer, verify that you installed the following libraries on the computer:
- libstdc++.so.6
- libexpat.so.0
- libuuid.so.01
- libkeyutils.so.1
Note: These libraries must be 32-bit binaries rather than 64-bit binaries.
If you are installing CA SiteMinder® SPS on an RHEL 5.5 computer, verify that you installed the Legacy Software Development package on the computer.
If you are installing or upgrading CA SiteMinder® SPS on Linux, verify that you installed the keyutils-libs-1.4-4.el6.i686.rpm package.
JCE—The current Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction patches are required to use the Java cryptographic algorithms. To locate the JCE package for your operating platform, go to the Oracle website.
Apply the patches to the following files on your system:
- local_policy.jar
- US_export_policy.jar
These files are in the following directories:

Windows: jre_home\lib\security

UNIX: jre_home/lib/security

jre_home

This variable specifies the location of the Java Runtime Environment installation.
Open port number 7658 between CA SiteMinder® SPS and Policy Server.
Ensure that the CA RiskMinder service is running. To check the status, perform the following steps:
Windows
1. Open the Task Manager and verify that the arrfserver process is running.
2. Navigate to <PolicyServer_InstallationPath>\aas\logs.
3. Open the cariskminderstartup.log file and verify that the folllowing line exists at the end of the file:
```
CA RiskMinder Service READY
```
UNIX
1. Run the ps command and verify that the arrfserver and arrfwatchdog processes are running.
2. Navigate to <PolicyServer_InstallationPath>/aas/logs.
3. Open the cariskminderstartup.log file and verify that the folllowing line exists at the end of the file:
```
CA RiskMinder Service READY
```

Installation Worksheet

CA SiteMinder® SPS configuration wizard displays a series of prompts for registering a trusted host. A trusted host is a client computer where one or more SiteMinder Web Agents can be installed. To establish a connection between the trusted host and the Policy Server, register the host with the Policy Server. After registration is complete, the registration tool creates the SmHost.conf file. When this file is created, the client computer becomes a trusted host.

Before you install, upgrade, or configure CA SiteMinder® SPS, verify that you gathered the following information required for host registration, embedded Apache web server and Tomcat server:

Parameter	Description
SiteMinder administrator name	Name of the administrator that matches the name already defined at the Policy Server. This administrator must have the privileges to create a trusted host.
SiteMinder administrator password	Password of the SiteMinder administrator who has privileges to register a trusted host. Must match the password used at the Policy Server.
Trusted host name	Name of the trusted host assigned during the installation.
Host Configuration Object	Name of a host configuration object already defined in Administrative UI.
Agent Configuration Object	Name of an existing Agent Configuration Object defined in Administrative UI.
IP address of the Policy Server where the host is registered	Note: Include a port number when SiteMinder is behind a firewall. For example, 111.12.12.2:12.
Agent Name	Name of the default agent or an agent defined in the ACO.
Master Key	Identifies the master encryption key for the advanced authentication server. Enter the same value that you configured in the Policy Server.
Host Configuration File name and location	Identifies the SmHost.conf file, which Web Agents and custom Agents use to act on behalf of the trusted host. The wizard lists the default location.
Name and location of the Web Agent configuration file	The wizard lists the default location.
Email address of the Apache web server administrator	The email address for the administrator Default: admin@company.com.
Fully qualified host name of the server	A fully qualified name in the following format: computer_name.company.com.
Port number for Apache HTTP requests	The port listening for HTTP requests from Apache. Default: 80
Port number for Apache SSL requests	The port listening for SSL requests from Apache. Default: 443
Port number for Tomcat HTTP requests	The port listening for HTTP requests from Tomcat. Default: 8080
Port number for Tomcat SSL requests	The port listening for SSL requests from Tomcat. Default: 543
Port number for Tomcat shutdown requests	The port listening for shutdown requests from Tomcat. Default: 8005
Port number of AJP	The port number of AJP. Default: 8009

Install CA SiteMinder® SPS

Before you install CA SiteMinder® SPS, verify that you have gathered the information required to install CA SiteMinder® SPS.

Install CA SiteMinder® SPS on Windows

Follow these steps:

Copy the installation program from the download location on the CA Support site.
Right-click the executable and select Run as administrator.
Double-click ca-proxy-<version>-<operating_system>.exe.
The installation program starts.
Follow the instructions from the installation wizard.
Note: By default, CA SiteMinder® SPS sets the instance name of the first installation as default. You cannot modify the default value and you cannot use the name for any other CA SiteMinder® SPS instance.
Restart your system after the installation completes.

Install CA SiteMinder® SPS on Linux or Solaris

CA SiteMinder® SPS supports installations on Linux and Solaris.

Follow these steps:

Copy one of the following programs from the download location on the CA Support site to a temporary directory:
```
Solaris: ca-proxy-12.5-sol.bin
```
```
Linux: ca-proxy-12.5-rhel30.bin
```

Enter one of the following commands:

sh ./ca-proxy-12.5-sol.bin

sh ./ca-proxy-12.5-rhel30.bin

Follow the screen prompts provided by the installation wizard.

Verify CA SiteMinder® SPS Installation

You can check the InstallLog file to verify that CA SiteMinder® SPS installation is successful. By default, the InstallLog is installed in the following location on all platforms:

sps_home\install_config_info\CA_SiteMinder_Secure_Proxy_Server_InstallLog.log

Install Multiple Instances of CA SiteMinder® SPS

You can install multiple CA SiteMinder® SPS instances on the same computer. Each CA SiteMinder® SPS instance uses a unique instance name and ports for communication, and creates a separate directory structure.

Follow these steps:

Double-click ca-proxy-<version>-<operating_system>.exe.
The installation program starts.
Select the option to install a new instance.
Follow the instructions from the installation wizard.
Note: Verify that you enter unique values for the instance name and the different ports that are used for communication.

Upgrade CA SiteMinder® SPS

You can run the installation program to upgrade from a previous version of CA SiteMinder® SPS to the current version.

Note: If you configured filters or customized session schemes, take a back up of the lib directory from the Tomcat/ path before you upgrade.

Follow these steps:

Double-click ca-proxy-<version>-<operating_system>.exe.
The installation program starts.
Select OK to upgrade CA SiteMinder® SPS version.
Follow the instructions from the installation wizard.
Restart your system after the installation completes.

Additional Tasks for Upgrades

At the end of the installation process, you can perform some additional steps to support the upgrade. Depending on the amount of customization in your CA SiteMinder® SPS deployment, you can perform one or more of the following tasks:

Verify that the SSL configuration paths inside the ssl.conf file and the server.conf file are correct for your environment. The automated portion of the upgrade assumes that all certificates are in the default location.
If you enabled SSL and upgraded the CA SiteMinder® SPS from a release earlier to CA SiteMinder® SPS 12.5 on Linux, execute the following command perform to start Apache in the SSL mode:
```
<install-path>/secure-proxy/proxy-engine/sps-ctl startssl
```
Verify that all certificates, Certificate Authorities, and keys have been correctly copied to their folders in the sps_home\secure-proxy\SSL.
Modify the path to the proxy rules DTD file in the proxyrules.xml file. The default path of the DTD file is sps_home\proxy-engine\conf\dtd\proxyrules.dtd.

Customize JVM Parameters

You can customize Java Virtual Machine (JVM) parameters in the following files:

On Windows, modify the SmSpsProxyEngine.properties file located in the directory sps_home\proxy-engine\conf.
On UNIX, modify the proxyserver.sh file located in the directory sps_home/proxy-engine.

Configure CA SiteMinder® SPS

After you install CA SiteMinder® SPS, run the configuration wizard. The configuration wizard lets you register the trusted host for the embedded SiteMinder Web Agent and performs some administrative tasks for the embedded Apache web server.

Important! Before you run the wizard, verify that you have set up the required objects at the Policy Server where you want to register the host. If these objects are not configured, trusted host registration fails.

Follow these steps:

Open a console window and navigate to the directory sps_home/secure-proxy.
Enter one of the following commands:
```
Windows: ca-sps-config.exe
```
```
UNIX: ca-sps-config.sh
```
The configuration wizard starts.
Select the version of the Policy Server with which you want to configure CA SiteMinder® SPS.
Select the option to perform host registration immediately.
(Optional) Select the option to enable shared secret rollover.
Perform the following steps to register the trusted host registration:
1. Specify the name and password of the SiteMinder administrator.
  Note: The information you enter must already be defined at the Policy Server where the trusted host is registered.
2. Specify the name of the Trusted Host and the Host Configuration Object.
  Note: The name you enter for the trusted host must be unique. The name for the Host Configuration Object must already be defined at the Policy Server where the trusted host is registered.
3. Enter the IP address of the Policy Server where you want to register the trusted host.
4. Select a FIPS mode.
5. Specify the name and location of the host configuration file, SmHost.conf. The wizard lists the default location.
6. Specify the name of the Agent Configuration Object.
  Note: The Agent Configuration Object that you enter must already be defined at the Policy Server where the trusted host is registered.
Enter the following information for the Apache web server:
- Server name
- Web server administrator email address
- HTTP port number
- SSL port number
Enter the following information for the Tomcat server:
- HTTP port number
- SSL port
- Shutdown port number
- AJP port number
Note: Users installing on systems running Solaris or Linux see an additional screen that prompts for the name of the user under which Tomcat and Apache runs. This user cannot be root. Create the user account manually; the installation program does not create it for you. The Tomcat user must have all privileges (rwa) for the log directories.
Select Yes if you want to enable the Web Agent.
Select Yes if you want CA SiteMinder® SPS to act as a Federation Gateway.
Review the Configuration Summary
Click Install.
CA SiteMinder® SPS is configured and the configuration files are installed.
Click Done to exit the wizard.
Start the SiteMinder Secure Proxy and SiteMinder proxy engine services.

Note: If you run the Configuration Wizard again, SSL must be reinitialized.

Additional Configuration on CA SiteMinder® SPS

After installing CA SiteMinder® SPS and running the configuration wizard, you can modify CA SiteMinder® SPS configuration to suit your environment. The following configuration files contain settings that affect CA SiteMinder® SPS:

httpd.conf: Contains the settings for the Apache web server.
server.conf: Contains the settings that determine CA SiteMinder® SPS behavior, including virtual hosts, and session scheme mapping.
logger.properties: Contains the settings that determine CA SiteMinder® SPS logging behavior.
proxyrules.xml: Contains the rules that determine how CA SiteMinder® SPS handles incoming requests.

Manage Session Assurance

By default, CA SiteMinder® SPS enables Session Assurance. If you want to disable the feature, perform the following steps:

Open the server.conf file.
Navigate to the <Context name="AALoginService"> section and set the value of enable to no.
Navigate to the <Context name="Advanced Auth Application"> section and set the value of enable to no.
Navigate to the <Context name="UI Application"> section and set the value of enable to no.
Save the changes.

Modify the Default Location of the SiteMinder Forms

Beginning with CA SiteMinder® SPS v6.0, the default location of the SiteMinder forms is no longer /siteminderagent/forms. To continue to use this location to serve forms, modify the CA SiteMinder® SPS forms location.

Follow these steps:

Create the siteminderagent directory in the following location:
sps_home/proxy-engine/examples/siteminderagent
Copy the forms folder from the following directory
sps_home/proxy-engine/examples

to the following directory:

sps_home/proxy-engine/examples/siteminderagent

The forms are copied to sps_home/proxy-engine/examples/siteminderagent/forms.

Note: If you customize the location of the forms folder, ensure that you update the httpd.conf file with the location of the forms images.

Protect the Administrative User Interface

By default, the installer creates a protection policy to protect the Administrative User Interface. The installer uses the defined Agent Name to create the protection policy with the following details:

Domain: DOMAIN-SPSPADMINUI
Policy: POLICY-SPSADMINUI

The protection policy does not contain the user directory information. Perform the following steps to log in to the Administrative User Interface:

Update DOMAIN-SPSPADMINUI with the user directory information.
Update POLICY-SPSADMINUI with user information.

Launch the Administrative User Interface

You can launch the Administrative User Interface after you start the proxy engine services. To launch the URL, enter the following URL in a web browser:

http://fullyqualifiedhostname:Tomcat_port/proxyui/

CA SiteMinder® SPS is installed or upgraded, and is configured.

If you want to perform a silent installation and configuration after the first installation, see Silent Installation and Configuration. If you want to uninstall CA SiteMinder® SPS, see Uninstall CA SiteMinder® SPS. If you want to start CA SiteMinder® SPS in various modes, see Start CA SiteMinder® SPS in Single-Process or Multiple Process Mode. If you want to modify the default location of the SiteMinder forms, see Modify the Default Location of the SiteMinder Forms.