Installation and Upgrade Guides › Web Agent Installation Guide › Install a Web Agent on a Windows System › Register Your System as a Trusted Host on Windows › Re-register a Trusted Host Using the Registration Tool (Windows)

Re-register a Trusted Host Using the Registration Tool (Windows)

When you install a Web Agent on a server for the first time, you are prompted to register that server as a trusted host. After the trusted host is registered, you do not have to re-register with subsequent Agent installations. There are some situations where you may need to re-register a trusted host independently of installing an Agent, such as the following:

• To rename the trusted host if there has been a change to your SiteMinder environment.
• To register a trusted host if the trusted host has been deleted in the Administrative UI.
• To register a trusted host if the trusted host policy objects have been deleted from the policy store or the policy store has been lost.
• To change the shared secret that secures the connection between the trusted host and the Policy Server.
• To recreate the SmHost.conf configuration file if it is lost.
• To overwrite an existing trusted host without deleting it first.

The registration tool, smreghost, re-registers a trusted host. This tool is installed in the web_agent_home\bin directory when you install a Web Agent.

web_agent_home

Indicates the directory where the SiteMinder Agent is installed.

Default (Windows 32-bit installations of SiteMinder Web Agents only): C:\Program Files\CA\webagent

Default (Windows 64-bit installations [SiteMinder Web Agents for IIS only]): C:\Program Files\CA\webagent\win64

Default (Windows 32-bit applications operating on 64-bit systems [Wow64 with SiteMinder Web Agents for IIS only]): C:\Program Files (x86)\webagent\win32

Default (UNIX/Linux installations): /opt/ca/webagent

Follow these steps:

1. Open a command prompt window.
2. Enter the smreghost command using the following required arguments:

   smreghost -i policy_server_IP_address:[port]
   -u administrator_username -p Administrator_password
   -hn hostname_for_registration -hc host_configuration_ object
   

   Note: Separate each command argument from its value with a space. Surround any values that contain spaces with double quotes ("). See the following

   examples:

   smreghost -i 192.168.2.1:44441,44442,44443 -u SiteMinder -p mypw -hn "host computer A" 
   -hc DefaultHostSettings
   

   The following example contains the -o argument:

   smreghost -i 192.168.2.1:44441,44442,44443 -u SiteMinder -p mypw -hn "host computer A"
   -hc DefaultHostSettings -o
   

   The following arguments are used with the smreghost command:

   -i policy_server_IP_ address:port

   Indicates the IP address of the Policy Server where you are registering this host. Specify the port of the authentication server only if you are not using the default port.

   If you specify a port number, which can be a non-default port, that port is used for all three Policy Server processes (authentication, authorization, accounting). The Policy Server responds to any Agent request on any port.

   Use a colon between the IP address and non-default port number, as shown in the following examples.

   Default: (ports) 44441,44442,44443

   Example: (IPv4 non-default port of 55555) -i 127.0.0.1:55555

   Example: (IPv4 default ports) -i 127.0.0.1

   Example: (IPv6 non-default port of 55555) -i [2001:DB8::/32][:55555]

   -u administrator_username

   Indicates the name of the SiteMinder administrator with the rights to register a trusted host.

   -p Administrator_password

   Indicates the password of the Administrator who is allowed to register a trusted host.

   -hn hostname_for_registration

   Indicates the name of the host to be registered. This can be any name that identifies the host, but it must be unique. After registration, this name is placed in the Trusted Host list in the Administrative UI.

   -hc host_config_object

   Indicates the name of the Host Configuration Object configured at the Policy Server. This object must exist on the Policy Server before you can register a trusted host.

   -sh shared_secret

   Specifies the shared secret for the agent, which is stored in the SmHost.conf file on the local web server. This argument changes the shared secret on only the local web server. The Policy Server is not contacted.

   -rs

   Specifies whether the shared secret will be updated (rolled over) automatically by the Policy server. This argument instructs the Policy Server to update the shared secret.

   -f path_to_host_config_file

   (Optional) Indicates the full path to the file that contains the registration data. The default file is SmHost.conf. If you do not specify a path, the file is installed in the location where you are running the smreghost tool.

   If you use the same name as an existing host configuration file, the tool backs up the original and adds a .bk extension to the backup file name.

   -cf FIPS mode

   Specifies one of the following FIPS modes:

   • COMPAT--Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing SiteMinder encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.
   • MIGRATE--Specifies FIPS-migration mode, which is used when you are upgrading an earlier version of SiteMinder to full-FIPS mode. The Policy Server and the Agents continue to use the existing SiteMinder encryption algorithms as you migrate your environment to use only FIPS 140-2 approved algorithms.
   • ONLY--Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.

   Important! A SiteMinder installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of SiteMinder, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.

   If this switch is not used, or you use the switch without specifying a mode, the default setting is used.

   Default: COMPAT

   Note: More information on the FIPS Certified Module and the algorithms being used; the data that is being protected; and the SiteMinder Cryptographic Boundary exists in the Policy Server Administration Guide.

   -o

   Overwrites an existing trusted host. If you do not use this argument, you will have to delete the existing trusted host with the Administrative UI before using the smreghost command. We recommend using the smreghost command with this argument.

   The trusted host is re-registered.

Register Multiple Trusted Hosts on One System (Windows)

You typically register only one trusted host for each machine where web servers and Agents are installed. However, you can register multiple trusted hosts on one computer to create distinct connections for each SiteMinder client. Using multiple trusted hosts ensures a unique shared secret and a secure connection for each client requiring communication with the Policy Server.

For most installations this is not a recommended configuration. However, it is an option for sites who require distinct, secure channels for each client or group of client applications protected by SiteMinder Agents. For example, an application service provider may have many client computers with different applications installed. You may want a secure connection for each application, which you can achieve by registering multiple trusted hosts. The Policy Server then issues unique shared secrets for each client connection.

To register multiple trusted hosts, use one of the following methods:

• Registering with the Configuration Wizard: To register additional servers as trusted hosts, go through the registration process again; however, when prompted to specify a location for the SmHost.conf file, enter a unique path. Do not register a new host and use an existing web server’s SmHost.conf file or that file will be overwritten. You can use the name SmHost.conf or give the file a new name.

  Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your SiteMinder component.

  Note: If you have registered a trusted host with a Policy Server and you run the Configuration Wizard to configure subsequent Agents without using a unique path for the SmHost.conf file, you will see a warning message in the Host Registration dialog box. The message reads:

  "Warning: You have already registered this Agent with a Policy Server."

• Registering with the smreghost command-line tool: Run the smreghost tool after you have completed the first Agent installation on a given computer. You can run this tool for each trusted host that you want to register.

  Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.