

Configure ServletExec to Work with Federation Web Services

For the Federation Web Services application to work with ServletExec, deploy Federation Web Services as a web application for ServletExec at the asserting and relying party.

Note: SiteMinder r12.0 SP3 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see ServletExec documentation, available at the New Atlanta Communication website.

Important! If ServletExec runs in the context of your web server, such as ServletExec ISAPI or NSAPI, install the option pack on the same system where the SiteMinder Web Agent is installed. If ServletExec does not run in the context of your web server, such as ServletExec AS, you can install the Web Agent Option Pack on a different system than the SiteMinder Web Agent.

The following illustration shows a SiteMinder and ServletExec sample configuration, where ServletExec, the Web Agent Option Pack, and the Web Agent are installed on the same server.

Graphic showing a FWS deployed in a network with ServletExec

Important! Apply the most current hot fixes for ServletExec. Without the hot fixes, Federation Web Services does not work with ServletExec. To obtain the hot fixes, go to the New Atlanta Communication website.

To set up ServletExec to work with FWS

  1. Open the ServletExec Administration Console.
  2. Under Web Applications, select manage.

    The Manage Web Applications dialog opens.

  3. Click Add a Web Application.
  4. Enter the following information:
    1. Application Name: affwebservices
    2. URL Context Path: /affwebservices/
    3. Location: affwebservices_home

      Example:

      C:\program files\ca\webagent\affwebservices

  5. Click Submit.
  6. Exit the ServletExec Console.

Source the Environment Script on a UNIX Operating Environment

After you install the Web Agent Option Pack on a UNIX system, the installation program creates an environment script (ca-wa-opack-env.sh).

Source the environment script so the library path of the application server points to the location of the Web Agent Option Pack /bin directory.

Source the script by entering the following command at the command line:

. ./ca-wa-opack-env.sh

Setting the correct library path lets the option pack and the web or application server work together.

After you source the script, the library path is set. The variable name for the library path differs depending on the operating system. Examples of library paths:

Solaris/Linux

LD_LIBRARY_PATH=/webagent_option_pack_home/bin

HP-UX

SHLIB_PATH=/webagent_option_pack_home/bin

AIX

LIBPATH=/webagent_option_pack_home/bin

Important! The application server startup script can reset the library path. Ensure that the path to the Web Agent Option Pack is the first entry in the path.
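
The check below is an added example, not part of the vendor documentation: it confirms that the Web Agent Option Pack bin directory is the first entry of the platform's library path variable, either in the current shell or, on Linux, in a running server's /proc/<pid>/environ. The function names and the script name are assumptions; /webagent_option_pack_home/bin is the placeholder path used above.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Map `uname -s` output to the library path variable named on this page.
libpath_var_for_os() {
    case "$1" in
        SunOS|Linux) echo LD_LIBRARY_PATH ;;
        HP-UX)       echo SHLIB_PATH ;;
        AIX)         echo LIBPATH ;;
        *)           return 1 ;;
    esac
}

# Succeed only when DIR ($2) is the first colon-separated entry of LIST ($1).
first_entry_is() {
    first=${1%%:*}; first=${first%/}   # ignore one trailing slash
    want=${2%/}
    [ -n "$first" ] && [ "$first" = "$want" ]   # empty first entry never matches
}

# Print VAR ($2) from a NUL-separated environment dump ($1), for example
# /proc/<pid>/environ on Linux, which shows what the running server really got.
value_from_environ() {
    tr '\0' '\n' < "$1" | sed -n "s|^$2=||p" | head -n 1
}

# check_opack_libpath OS LIST OPACK_BIN: 0 = first entry, 1 = not first, 2 = unknown OS
check_opack_libpath() {
    var=$(libpath_var_for_os "$1") || { echo "unknown OS: $1"; return 2; }
    if first_entry_is "$2" "$3"; then
        echo "OK: $var starts with $3"
    else
        echo "FAIL: first entry of $var is '${2%%:*}', expected $3"
        return 1
    fi
}

# Usage: sh check_libpath.sh /webagent_option_pack_home/bin [server_pid]
if [ $# -ge 1 ]; then
    os=$(uname -s); cur=
    if var=$(libpath_var_for_os "$os"); then
        if [ -r "/proc/${2:-none}/environ" ]; then
            cur=$(value_from_environ "/proc/$2/environ" "$var")
        else
            eval "cur=\${$var:-}"
        fi
    fi
    check_opack_libpath "$os" "$cur" "$1"
fi
```

Run it after the application server has started and pass the server's process ID, because a startup script that resets the library path changes the server's environment, not the shell's.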

The path to the Web Agent Option Pack environment script points to one of the following locations:

Modify the FWS Properties File for a ServletExec Deployment

The AffWebServices.properties file contains all the initialization parameters for Federation Web Services. For deploying FWS, set only the parameter that specifies the location of the WebAgent.conf file.

To configure the AffWebServices.properties file

  1. Navigate to the AffWebServices.properties file. For ServletExec, go to web_agent_home/affwebservices/WEB-INF/classes.
  2. Set the AgentConfigLocation parameter to the location of the WebAgent.conf file at each partner site.
  3. Repeat this procedure for each application server where the Web Agent Option Pack is installed.
  4. Accept the default values for the rest of the settings.

Enable ServletExec to Write to the IIS File System

The IIS server user account must have proper rights for IIS to allow a plug-in to write to its file system. For ServletExec to write to the federation log files, the anonymous user account that is associated with ServletExec must have permissions to write to the file system.

Follow these steps:

  1. Open the IIS Internet Information Services Manager on the system where ServletExec is installed.
  2. Navigate to Web Sites, Default Web Site.

    The set of applications is displayed in the right pane.

  3. Select ServletExec and right-click Properties.
  4. Select the Directory Security tab in the Properties dialog.
  5. Click Edit in the Authentication and access control section.

    The Authentication Methods dialog opens.

  6. Set the controls as follows.
    1. Select Enable Anonymous Access.

      For anonymous access, enter a name and password of a user account that has the permissions to write to the Windows file system. To grant this right to a user account, see Windows documentation. For example, you can use the IUSR Internet Guest account for anonymous access.

    2. Clear Basic authentication.
    3. Clear Integrated Windows authentication.
  7. If prompted, apply the security changes to all child components of the web server.
  8. Restart the web server.

The user account that is associated with ServletExec can now write to the IIS file system.

Follow these steps:

  1. Open Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.

    The Local Security Settings dialog displays.

  2. Double-click Act as part of the operating system.

    The Act as part of the operating system Properties dialog opens.

  3. Add the anonymous user account to the Local Security Setting dialog.
  4. Click OK.
  5. Exit from the control panel.

Although this step is optional, we strongly recommend that you review the Agent Configuration Object for the Web Agent protecting the IIS Web Server. In this object, verify that the SetRemoteUser parameter is set to yes to prevent any anonymous user from writing to the file system.

Ensure the IIS Default Web Site Exists

The Web Agent requires the IIS Web Server to have a Default Web Site for proper installation. The Default Web Site is automatically installed with the IIS Web Server. If this website does not exist, install the SiteMinder virtual directories to a different website on IIS. To install the SiteMinder virtual directories to a different website on IIS, edit the Metabase.

A technical note on the Technical Support site describes the changes that are needed. To find the note:

  1. Go to the main Support page.
  2. Select Literature, Tech Notes.
  3. Select the document titled METABASE -3 Error.

    The documents are listed in alphabetical order.