CA SiteMinder® SPS is configured through settings contained in the server.conf file. These settings in the file are groups of name/value pairs or directives that the CA SiteMinder® SPSCA SiteMinder® SPS reads at startup.
After CA SiteMinder® SPS is operating, it verifies the values in this file to determine if any changes have been made to the CA SiteMinder® SPS Web Agent log level settings. If changes are detected, the affected settings are reloaded so that CA SiteMinder® SPS can be dynamically updated without interrupting network traffic.
The server.conf file is located in the following directory:
sps_home/secure-proxy/proxy-engine/conf
The file contents are grouped into the following sections:
Each section is an XML-like element tag. The name of the section is the beginning tag of the XML element and the section ends with a corresponding ending tag. The directives contained in each section follow the format name=value.
Any lines beginning with the # symbol are comments, and are not read when CA SiteMinder® SPS loads configuration settings.
Note: Pathnames on Windows systems use double backslashes (\\), such as \\logs\\server.log
The settings for CA SiteMinder® SPS are maintained in the server.conf file located in the following directory:
sps_home/secure-proxy/proxy-engine/conf
To change the settings in the server.conf file
The settings are changed.
The <Server> section of the server.conf file contains parameters for server connectors, Federation, and SSL.These parameters are described in the sections that follow.
#Define the listeners between #HTTP listener and proxy engine.
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.reply_timeout=0
worker.ajp13.retries=2
Note: The values for the connector directives are not contained in quotes. Values for other types of directives are contained in quotes.
The name/value pairs are:
Specifies the port for the ajp13 connector.
Specifies the local ajp13 host as the local host.
Additional tuning parameters can be defined for the connection between the HTTP listener and the proxy engine, including:
Specified the maximum time in milliseconds that can elapse between any two packets received from the proxy engine after which the connection between HTTP listener and the proxy engine is dropped. A value of zero makes it wait indefinitely, until a response is received.
Default: 0
Specifies the maximum number of times that the worker sends a request to the proxy engine in a communication error.
Default: 2
A Tomcat server is embedded in the SPS. The Tomcat server provides a servlet container and servlet engine.
The following excerpt is from the Tomcat tuning section in the server.conf file:
#Define AJP13 tuning parameters #Number of request waiting in queue (queue length) #Number of threads created at initialization time #Maximum number of concurrent connections possible worker.ajp13.accept_count=10 worker.ajp13.min_spare_threads=10 worker.ajp13.max_threads=100 worker.apj13.connection_pool_timeout=0 worker.apj13.max_packet_size=8192
The Tomcat tuning directives are listed following.
Defines the number of requests waiting in the queue when all possible request processing threads are in use. Any requests received when the queue is filled are refused.
Default: 10
Defines the minimum number of idle threads at any time, waiting for new requests to arrive. min_spare_threads must be greater than 0.
Default: 10
Defines the maximum number of concurrent connections possible, the pool will not create more than this number of threads.
Default: 100
Defines the maximum time (in seconds) that the idle connections (between apache and tomcat over mod-jk) remain in the connection pool before timing out. The default is zero, which means that connections never timeout.
Default: 0
Defines the maximum packet size in Bytes. The maximum value is 65536
Default: 8192
Tomcat version 5.5 changed its behavior for handling cookies. Tomcat version 5.5 by default puts quotes around a cookie. Previous versions of Tomcat did not put quotes around a cookie. Tomcat sends the cookie back to the browser. CA SiteMinder® SPS r12.0 SP 3 uses Tomcat version 5.5. If your deployment requires visiting an earlier version of SPS, the cookie cannot be decoded. The earlier version of CA SiteMinder® SPS is using Tomcat version 5.0, which does not put quotes around the cookie.
To ensure that the cookie behavior is compatible between different versions of SPS, set the addquotestobrowsercookie parameter in the server.conf file to "no". The Tomcat org.apache.catalina.STRICT_SERVLET_COMPLIANCE variable is set to "TRUE". Tomcat parses the cookie according to the servlet specification, which means that no quotes are added. When the addquotestobrowsercookie parameter is set to "yes", CA SiteMinder® SPS enables the default Tomcat version 5.5 cookie behavior.
Tomcat 5.5 and later adds an equals (=) sign to the cookie. CA SiteMinder® SPS allows this practice and parses cookie values that contain an equal sign. The default value for the allowequalsincookievalue parameter in the server.conf file is "yes".
Set the allowequalsincookievalue parameter to "no" if you want parsing of the cookie value to terminate when the parser encounters an equal sign.
The federation settings in the server.conf file enable CA SiteMinder® SPS to act as a federation gateway within a SiteMinder federation network.
The code excerpt that follows is the <federation> section on the server.conf file:
# Provide the values for the Federation related parameters here # # enablefederationgateway - "yes" or "no" - Enable or Disable SPS Federation Gateway # fedrootcontext - Name of the Federation root context ("affwebservices" by default) # authurlcontext - Path of the Authentication URL (without the jsp file name) (siteminderagent/redirectjsp by default) # protectedbackchannelservices - Names of protected Backchannel services
<federation>
enablefederationgateway="yes" fedrootcontext="affwebservices" authurlcontext="siteminderagent/redirectjsp" protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution, saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
</federation>
The federation parameters are as follows:
Enables CA SiteMinder® SPS to act as a federation gateway proxy server.
Limits: yes or no
This parameter is set during the installation.
Specifies the root context of the federation web services application. Do not change this parameter.
Default: affwebservices
Specifies the alias to the redirect.jsp file. When a user requests a protected federation resource and they do not have a SiteMinder session at the site that produces assertions, the user is sent to this URL which points to a redirect.jsp file. The user is redirected to the Web Agent at the producing site where they are presented with an authentication challenge and upon successfully logging in, establish a session.
Default: siteminderagent/redirectjsp.
Lists the services that require a secure back channel for communication.
You can enable HttpLogging by setting the httpclientlog parameter to "yes". This parameter in located in the <Server> section of the server.conf file. By default, this parameter is set to "no".
We recommend that you enable HttpClient logging only for debugging. In a production environment, enabling logging can cause performance degradation.
You can configure various aspects of HttpClient logging by setting values to parameters in the httpclientlogging.properties file. This file is located in the sps_home\Tomcat\properties directory.
Important! Because of potential performance degradation, do not enable HttpClient logging in a production environment.
The httpclientlogging.properties file has the following configurable parameters:
Description: Specifies the name of the formatter class
Limits:
java.util.logging.SimpleFormatter — writes brief summaries of log records
java.util.logging.XMLFormatter — writes detailed descriptions in XML format
Default: java.util.logging.SimpleFormatter
Description: Specifies the name of the HttpClient log file.
Limits:
sps_home\proxy-engine\logs\httpclient%g.log
%g represents the generation number of the rotated log file.
Description: Specifies the number of output files in a cycle
Default: 10
Description: Specifies an approximate maximum number of bytes to write to any on log file.
Limits: If set to zero, there is no limit.
Default: 5,000,000
The <sslparams> section in the server.conf file contains the settings that are required to enable Secure Sockets Layer (SSL) communications between CA SiteMinder® SPS and destination servers.
The SSL configuration section is listed following.
<sslparams>
# Set the SSL protocol version to support:SSLv3, TLSv1 # NOTE: SSL version 2 is no longer supported versions="SSLv3"
ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA" fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"
# Covalent SSL CA certificate bundle and certs path to be converted # The bundle and/or certs located at defined location will be converted # to binary (DER) format and loaded as SSLParams. # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent # certificate directory. cacertpath="<install-dir>\SSL\certs" cacertfilename="<install-dir>\SSL\certs\ca-bundle.cert"
# This certificate configured below is used as SPS client certificate for the backend servers when # SSL client authentication is enabled. # Location of the Key file : <install-dir>\SSL\clientcert\key\ # Location of public certs : <install-dir>\SSL\clientcert\certs\ # NOTE: Only put DER encoded, password encrypted pkcs8 keyfile. # Client pass phrase should be encrypted using EncryptUtil tool. #ClientKeyFile= #ClientPassPhrase=
</sslparams>
The SSL parameters include:
Determines the SSL versions supported by the SPS. The entry can be one or more of the following.
If you specify more than one version, separate the values by commas.
Specifies the list of ciphers that can be enabled or disabled. If a cipher is enabled, it is preceded by a + symbol. If a cipher is disabled, it is preceded by a - symbol. If you specify more than one cipher, separate each entry by commas.
Specifies the path of the directory that contains the trusted certificate authority information. This path is relative to the install path of the SPS. This value is configured when you run the configuration wizard during the CA SiteMinder® SPS installation; do not change it.
Specifies the fully qualified path name of the file that contains the Certificate Authority bundle of certificates. This file must have a file extension of .cer or .cert, and must be PEM encoded. It must also include the full path to the Certificate Authority (CA) bundle. This value is configured when you run the configuration wizard during the CA SiteMinder® SPS installation.
Specifies the file name of the CA SiteMinder® SPS client certificate key in DER-encoded and password-encrypted pkcs8 format. Verify that the file is located in the following location:
<CA SiteMinder® SPS Installation Path>/SSL/clientcert/key
Specifies the passphrase that extracts the key from the CA SiteMinder® SPS client certificate key file using the EncryptUtil tool.
Specifies the duration, in milliseconds, that the SSL session ID is cached for re-use by the CA SiteMinder® SPS HTTPS client. When a user requests a file via an HTTPS connection, an SSL handshake occurs and an SSL session ID is created. This SSL session ID is used by CA SiteMinder® SPS and the backend server to identify a user session. When the HTTPS connection is terminated for the user, CA SiteMinder® SPS caches the SSL session ID for the maximum duration specified by this parameter.
When the same user requests a new HTTPS connection to the backend server, the user can send the SSL session ID that is cached for a faster response. In this case, the SSL session ID provided by the user is compared with the cached SSL session ID. If the SSL session ID is available in cache, the new HTTPS connection is established faster.
Default: 120000 milliseconds
Note: Before you enable SSL communication, verify that you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in the JDK location that was used to install the SPS.
You can also establish a client certificate authentication for a secured SSL connection between CA SiteMinder® SPS and a web server. If you enable the client certificate authentication, CA SiteMinder® SPS uses a client certificate to authenticate itself when requesting a resource from a web server.
Before you configure CA SiteMinder® SPS to enable client certificate authentication, verify that the following tasks are complete:
Configure CA SiteMinder® SPS to enable the client certificate authentication.
Follow these steps:
Windows
EncryptUtil.bat <SPSCertificatePrivateKey_Password>
UNIX
EncryptUtil.sh <SPSCertificatePrivateKey_Password>
The encrypted password is displayed.
The client certificate authentication is configured in the server.conf file.
Client certificate authentication is enabled between CA SiteMinder® SPS and the web server.
The server.conf file includes a parameter, addquotestocookie, for preserving CA SiteMinder® SPS practice of enclosing the cookie parameter value in double quotes when the value is not zero. You can change the value of addquotestocookie to "no" when you do not want CA SiteMinder® SPS to add double quotes around the cookie value before sending it to the backend.
The entry in the server.conf file appears as follows:
<Server> . . <sslparams> . . </sslparams> #This parameter is applicable to the cookie added by backend. #"yes"--- Default Value. Quotes will be added to the cookie parameter value #which contains special characters if the cookie version is other than "0" #"no" --- Quotes will not be added to the cookie. addquotestocookie="yes" </Server>
You can specify the character set for the appropriate locale by setting the value of the requestheadercharset parameter. The HttpClient application reads this value to determine how to encode the headers to send to the backend server. Possible values are:
The default is requestheadercharset="US-ASCII".
The following two parameters are included in the server.conf to enable POST data caching and to set the size of cached data:
Description: Specifies whether CA SiteMinder® SPS caches POST data.
Limits: Yes, No
Default: No
Description: Specifies the size (in KB) of the POST data to cache.
Limits: None
Default: 1024 KB
You can configure CA SiteMinder® SPS to ignore benign SSL exceptions when the backend web server returns the disconnect notification to CA SiteMinder® SPS. To ignore benign SSL exceptions, set the ignoresslbackendexception parameter to yes.
Copyright © 2013 CA.
All rights reserved.
|
|