Set Up Credential Collectors for Apache Web Servers

Web Agent Guides › Web Agent Configuration Guide › Authenticate Users with Forms › Use Credential Collectors for Authentication and Single Sign-On › Configure MIME Types for Each Credential Collector › Set Up Credential Collectors for Apache Web Servers

Set Up Credential Collectors for Apache Web Servers

For Apache web servers on Windows or UNIX, you have to modify the httpd.conf file after you install the Web Agent.

Specifically, you need to add entries to the Alias section that direct the web server to the installed location of the Web Agent and the Web Agent’s samples directory, where the forms templates reside. You also have to add entries to the AddHandler section for each MIME type.

Note: For more information, see the SiteMinder Web Agent Installation documentation.

Configure Credential Collectors in a Mixed Environment

From SiteMinder r6.x to SiteMinder r12.0 SP3, the credential collectors operate differently than the older 4.x type credential collectors do. 4.x type credential collectors placed a cookie in the browser of the user, and then redirected the user back to the original agent.

In the newer SiteMinder versions, the credential collector logs the user in to the Policy Server on behalf of the agent protecting the requested resource. Cookies are not used.

Note: We recommend using credential collectors to log users in directly rather than setting cookies. Using credential collectors to log users in better secures user credentials because these credentials are not being passed around the network in cookies.

A credential collector requires the following information to log a user in:

The name of the agent protecting the requested resource.
The credentials that are supplied by the user.

To learn the Agent name, a credential collector uses the following process:

Use the SMAGENTNAME query parameter that the original Agent adds to the query string of the URL as it redirects to the credential collector.
If no Agent name is appended to the URL, use the mappings defined in the AgentName configuration parameter that is associated with the credential collector.
Each mapping in the AgentName parameter specifies the name and IP address of a host using that collector for its protected resources.
If no Agent name mappings are configured, use the fully qualified host name of the target URL as the Agent name. This behavior is determined by enabling the AgentNamesAreFQHostNames configuration parameter.
This parameter is disabled by default, so the credential collector uses the value of the DefaultAgentName parameter as the agent name.

Consider the previous implications before configuring credential collectors in a mixed environment.

Use FCCs and NTCs in a Mixed Environment

To process requests, the FCC and NTC rely on the user credentials and the name of the Web Agent that is protecting the requested resource. However, 4.x agents and third-party agents posting to the FCC and NTC do not pass the Agent name on the URL they send.

The following configuration options help FCCs and NTCs to operate with 4.x Web Agents:

Use Compatibility Mode—to enable a r5.x, r6.x, or r12.0 SP3 FCC/NTC to serve up forms for resources that are protected by 4.x agents or third-party applications, then enable the FCCCompatMode parameter. Traditional Web Agents have the FCCCompatMode parameter is enabled by default. Framework Agents have the FCCCompatMode parameter is disabled by default.

Enabling this parameter makes a r5.x, r6.x, or r12.0 SP3 Agent handle forms and NTLM credential collection like a 4.x Agent. This setting which means that a form or NTLM credential cookie is written to the browser of the user is redirected back to the Agent before logging in. This configuration permits the agents to interoperate.

When the value of the FCCCompatMode parameter is set to no, compatibility with 4.x Agents is disabled. In an r12.0 SP3 environment, set the value of the parameter to no.

Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.

Specify Agent name mappings—FCC only: If you disable backward compatibility, map the AgentName parameter to the name and IP address of each host using that FCC for its protected resources. Set up these mappings in the configuration settings of the FCC.
Example mappings:

myagent, 123.1.12.1

myagent, www.sitea.com
Use Host Names as Agent Names—FCC only: If the first two options in the algorithm are not optimal, you can set the value of the AgentNamesAreFQHostNames parameter to yes. This setting instructs the FCC to use the fully qualified host name in the target URL as the Agent name. For example, if the URL string includes:
url?A=1&Target=http://www.nete.com/index.html

The www.nete.com portion of the Target string serves as the Agent name.

By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.

The following tables list guidelines for configuring r5.x, r6.x, or r12.0 SP3 and 4.x FCCs and NTCs, and describes how each behaves in a mixed environment:

Notes:

NTLM credential collectors can redirect users from non-IIS Web Servers to IIS Web Servers.
For framework Web Agents, refer only to the instructions where FCC compatibility mode is disabled.

Web Agent Protecting Resources	r5.x, r6.x, or r12.0 SP3 FCC in FCC Compatibility Mode	r5.x, r6.x, or r12.0 SP3 FCC - FCC Compatibility Mode Disabled
r5.x, r6.x, or r12.0 SP3	FCC issues a credential cookie. Certificate and Forms authentication are disabled. Certificate or Forms authentication are disabled.	FCC issues a session cookie Certificate and Forms authentication works. Certificate or Forms authentication works.
Web Agent Protecting Resources	4.x QMR 2/3/4 FCC
4.x QMR 5 or 4.x QMR 6	Agent issues a credential cookie Certificate and Forms authentication are disabled. Certificate or Forms authentication works
r5.x, r6.x, or r12.0 SP3	Agent issues a credential cookie Certificate and Forms authentication are disabled. Certificate or Forms authentication works

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.

Web Agent Protecting Resources	r5.x, r6.x, or r12.0 SP3 FCC in FCC Compatibility Mode	r5.x, r6.x, or r12.0 SP3 FCC - FCC Compatibility Mode Disabled
4.x QMR 5 or 4.x QMR 6	NTC issues a credential cookie.	NTC issues a session cookie
r5.x, r6.x, or r12.0 SP3	NTC issues a credential cookie.	NTC issues a session cookie

Web Agent Protecting Resources

r5.x, r6.x, or r12.0 SP3 FCC in FCC Compatibility Mode

r5.x, r6.x, or r12.0 SP3 FCC - FCC Compatibility Mode Disabled

4.x QMR 5 or

4.x QMR 6

NTC issues a credential cookie.

NTC issues a session cookie

r5.x, r6.x, or r12.0 SP3

NTC issues a credential cookie.

NTC issues a session cookie

Web Agent Protecting Resources	4.x QMR 2/3/4 NTC
4.x QMR 5, 4.x QMR 6	Agent issues a credential cookie
r5.x, r6.x, or r12.0 SP3	Agent issues a credential cookie

Use SCCs in a Mixed Environment

To enable 4.x type Web Agents and r5.x, r6.x, or r12.0 SP3 SCCs to interoperate, do one of the following tasks:

Specify Agent name mappings: Map the AgentName parameter to the host name and IP address of each host using that SCC for its protected resources. Create these mappings in the agent configuration parameters of the SCC.
Use Host Names as Agent Names: If you do not specify Agent name mappings, you can set the AgentNamesAreFQHostNames parameter to Yes. This setting instructs the SCC to use the fully qualified host name in the target URL as the Agent name.
For example, if the URL string is:
```
url?A=1&Target=http://www.nete.com/index.html
```
The www.nete.com portion of the Target string serves as the Agent name.

By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.

The following table shows how 4.x and r5.x, r6.x, or r12.0 SP3 Agents acting as SCCs operate in a mixed environment:

Web Agent Version	4.x QMR 2/3/4 SCC	r5.x, r6.x, or r12.0 SP3 SCC
4.x QMR 5 or 4.x QMR 6	Agent issues an SSL credential cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to server is over SSL.	Create mappings in the AgentName parameter or set AgentNamesAreFQHostNames to Yes. SCC issues a session cookie Certificates cannot be collected without redirecting requests, even if the original connection from the browser to server is over SSL.
r5.x, r6.x, or r12.0 SP3	Agent issues an SSL credential cookie. Certificates can be collected without redirecting requests.	SCC issues a session cookie Certificates can be collected without redirecting requests.

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.

Configure the FCC to Use a Single Resource Target

To configure the FCC to direct users to a single resource, hard-code the target in the login.fcc template file.

Follow these steps:

Open the login.fcc file, which is located in agent_home/Samples.
Add @target=target_resource to the FCC.
Add the following entry:
@smagentname=agent_name_protecting_resource

For example: @smagentname=mywebagent
Set the EncryptAgentName parameter to no. This parameter is required because no method exists to encrypt the agent name after you hard code it in the file.
Set the EncryptAgentName to no for any other agent using this FCC.

Note: For more information, see the Policy Server documentation.