Installation and Upgrade Guides › Web Agent Installation Guide › Install a Web Agent on a Windows System › Register Your System as a Trusted Host on Windows

Register Your System as a Trusted Host on Windows

A trusted host is a client computer where one or more SiteMinder Web Agents can be installed.

To establish a connection between the Web Agent and the Policy Server, you need to register the web server by creating a trusted host object on the Policy Server. The web server requires a corresponding trusted host object on the Policy Server before the Web Agent can operate.

Note: You only register the host once, not each time you install and configure a Web Agent on your system.

To register a trusted host

1. If necessary, start the Web Agent Configuration Wizard.

   The default method is to select Start, Programs, SiteMinder, Web Agent Configuration Wizard. If you have placed the Wizard shortcut in a non-default location, the procedure will be different.

   Note: If you chose to configure the Web Agent immediately after the installation, SiteMinder automatically starts the Configuration Wizard.

2. In the Host Registration dialog box:
   1. Select Yes to register a host now or No to register the host at a later time.
   2. Click Next.
3. In the Admin Registration dialog box, complete the following fields to identify an administrator with the rights to register a trusted host, then click Next:
   • Admin User Name—enter the name of the administrator allowed to register the host with the Policy Server.

     This administrator should already be defined at the Policy Server and have the permission Register Trusted Hosts set. The default administrator is SiteMinder.

   • Admin Password—enter the administrator’s password.
   • Confirm Admin Password—re-enter the password.
   • Enabled Shared Secret Rollover—check this box to periodically change the shared secret used to encrypt communication between the trusted host and the Policy Server. Key rollover must be enabled at the Policy Server for this feature to work.

     To disable shared secret rollover or enable it at a later time, you have to re-register the trusted host, or use the Policy Management API in the C and Perl Scripting Interface to enable or disable shared secret rollover.

4. In the Trusted Host Name and Configuration Object dialog box, enter values for the two fields then click Next.
   1. In the Trusted Host Name field, enter a unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name, for example, mytrustedhost.

      Note: This name must be unique among trusted hosts and not match the name of any other Web Agent.

   2. In the Host Configuration Object field, enter the name of the Host Configuration Object specified in the Policy Server, then click Next.

      This object defines the connection between the trusted host and the Policy Server. For example, to use the default, enter DefaultHostSettings. In most cases, you will have created your own Host Configuration Object.

      Note: The entry you specify must match the Host Configuration Object entry set at the Policy Server.

5. In the Policy Server IP Address dialog box:
   1. Enter the IP address, or host name, and the authentication port of the Policy Server where you are registering the host. The default port is 44442. If you do not provide a port, the default is used.

      You can specify a non-default port number, but if your Policy Server is configured to use a non-default port and you omit it when you register a trusted host, SiteMinder displays the following error:

      Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)

      Note also that if you specify a non-default port, that port is used for the Policy Server’s authentication, authorization, and accounting ports; however, the unified server responds to any Agent request on any port. The entry in the SmHost.conf file will look like:

      policyserver="ip_address,5555,5555,5555"

   2. Click Add.

      You can add more than one Policy Sever; however, for host registration, only the first server in the list will be used.

      If multiple Policy Servers are specified, the Agent uses them as bootstrap servers. When the Agent starts up, the Web Agent has several Policy Servers to which it can connect to retrieve its Host Configuration Object. After the Host Configuration Object is retrieved, the bootstrap Policy Server is no longer used by that server process. The Host Configuration Object can contain another set of servers, which may or may not include any of the bootstrap servers.

   3. Click Next.
6. If you want to use FIPS encryption, choose one of the following options:

   FIPS Compatibility Mode (Default)

   Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing SiteMinder encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.

   FIPS Migration Mode

   Specifies FIPS-migration mode, which is used when you are upgrading an earlier version of SiteMinder to full-FIPS mode. The Policy Server and the Agents continue to use the existing SiteMinder encryption algorithms as you migrate your environment to use only FIPS 140-2 approved algorithms.

   FIPS Only Mode

   Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.

   Important! A SiteMinder installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible to, earlier versions of SiteMinder, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.

   If you do not want to use FIPS encryption, accept the default.

7. Click Next.
8. Accept the default location of the host configuration file, SmHost.conf or click Choose to select a different location. Click Next.

   If you select a non-default location then want to revert to the default directory, click Restore Default Folder.

   The host is registered and a host configuration file, SmHost.conf, is created in web_agent_home/config. You can modify this file.

   web_agent_home

   Indicates the directory where the SiteMinder Agent is installed.

   Default (Windows 32-bit installations of SiteMinder Web Agents only): C:\Program Files\CA\webagent

   Default (Windows 64-bit installations [SiteMinder Web Agents for IIS only]): C:\Program Files\CA\webagent\win64

   Default (Windows 32-bit applications operating on 64-bit systems [Wow64 with SiteMinder Web Agents for IIS only]): C:\Program Files (x86)\webagent\win32

   Default (UNIX/Linux installations): /opt/ca/webagent

9. Click Continue.

   The Trusted Host is registered.: