

Register a Trusted Host in GUI or Console Mode

These instructions are for GUI and Console Mode registration. The steps for the two modes are the same, with the following exceptions for Console mode:

To register a host

  1. If necessary, start the Configuration Wizard as follows:
    1. Open a console window.
    2. Navigate to web_agent_home/install_config_info
    3. Enter one of the following commands:

      GUI Mode: ./ca-wa-config.bin

      Console Mode: ./ca-wa-config.bin -i console

    The Configuration Wizard starts.

  2. In the Host Registration dialog box:
    1. Select Yes to register a host now or No to register the host at a later time.
    2. If you are using PKCS11 cryptographic hardware in your SiteMinder environment, select the check box.
    3. Click Next.
  3. If you enabled cryptographic hardware, complete the fields. If not, skip to the next step.
    1. In the PKCS11 DLL field, enter the full path to the PKCS11 DLL, or click Choose to browse for the DLL.
    2. Optionally, enter the token label and passphrase in the Token Label and Token Passphrase fields, if applicable. Re-enter the passphrase in the Confirm token passphrase field, then click Next.
  4. Complete the following fields in the Admin Registration dialog box, then click Next:
  5. In the Trusted Host Name and Configuration Object dialog box, enter values for the two fields then click Next.
    1. In the Trusted Host Name field, enter a unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name, for example, mytrustedhost.

      Note: This name must be unique among trusted hosts and not match the name of any 4.x Web Agent. It can be the same name as a 5.0 Web Agent, but this is not recommended.

    2. In the Host Configuration Object field, enter the name of the Host Configuration Object specified in the Policy Server, then click Next.

      This object defines the connection between the trusted host and the Policy Server. To use the default, enter DefaultHostSettings. In most cases, you will use your own Host Configuration Object.

      Note: The entry you specify must match the Host Configuration Object entry set at the Policy Server.

  6. In the Policy Server IP Address dialog box:
    1. Enter the IP address, or host name, and the authentication port of the Policy Server where you are registering the host. The default port is 44442. If you do not provide a port, the default is used.

      You can specify a non-default port number, but if the Policy Server uses a non-default port and you omit it, SiteMinder displays the following error:

      Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1))

      Note also that if you specify a non-default port, that port is used for the Policy Server’s authentication, authorization, and accounting ports; however, the unified server responds to any Agent request on any port. The entry in the SmHost.conf file will resemble:

      policyserver="ip_address,5555,5555,5555"

    2. Click Add.

      You can add more than one Policy Server; however, for host registration, only the first server in the list is used. If you add multiple entries, separate them with a comma.

      If multiple Policy Servers are specified, the Agent uses them as bootstrap servers. When the Agent starts, it has several Policy Servers to which it can connect to retrieve its Host Configuration Object. After the Host Configuration Object is retrieved, the bootstrap Policy Server is no longer used by that server process. The Host Configuration Object can contain another set of servers, which may or may not include any of the bootstrap servers.

    3. Click Next.
  7. If you want to use FIPS encryption, choose one of the following options:
    FIPS Compatibility Mode (Default)

    Specifies non-FIPS mode, which lets the Policy Server and the Agents read and write information using the existing SiteMinder encryption algorithms. If your organization does not require the use of FIPS-compliant algorithms, the Policy Server and the Agents can operate in non-FIPS mode without further configuration.

    FIPS Migration Mode

    Specifies FIPS-migration mode, which is used when you are upgrading an earlier version of SiteMinder to full-FIPS mode. The Policy Server and the Agents continue to use the existing SiteMinder encryption algorithms as you migrate your environment to use only FIPS 140-2 approved algorithms.

    FIPS Only Mode

    Specifies full-FIPS mode, which requires that the Policy Server and Web Agents read and write information using only FIPS 140-2 algorithms.

    Important! A SiteMinder installation that is running in Full FIPS mode cannot interoperate with, or be backward compatible with, earlier versions of SiteMinder, including all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. You must re-link all such software with the corresponding versions of the respective SDKs to achieve the required support for Full FIPS mode.

    If you are not using FIPS encryption, use the default value.

  8. Click Next.
  9. Accept the default location of the host configuration file, SmHost.conf, or click Choose to select a different location. Click Next.

    If you select a non-default location then want to revert to the default directory, click Restore Default Folder.

    The host is registered and a host configuration file, SmHost.conf, is created in web_agent_home/config. You can modify this file.

  10. Configure your Web Agent.
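The following Python is an added example (not CA/SiteMinder code) that builds the policyserver value described in step 6 and checks the entries written to SmHost.conf in step 9: it applies the default port 44442 when none is given, repeats a non-default port for all three services, and flags entries whose port may have silently fallen back to the default. The regex and the sample file contents are assumptions constructed for the example.

```python
"""Build and check the policyserver entries that host registration writes to SmHost.conf.
Added example for this page, not CA/SiteMinder code. The line format
policyserver="ip_address,port,port,port" and the default port 44442 come from the page;
the sample file below is constructed for the example."""
import re

DEFAULT_PORT = 44442  # authentication port used when none is entered (from the page)

# Matches policyserver="host,authn,authz,acct"; hypothetical pattern, not a product definition
_LINE = re.compile(r'^\s*policyserver\s*=\s*"([^",]+),(\d+),(\d+),(\d+)"\s*$')


def build_policyserver_entry(host, port=None):
    """Return the value the wizard writes: one port repeated for authn, authz and acct."""
    p = DEFAULT_PORT if port is None else int(port)
    if not 1 <= p <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "%s,%d,%d,%d" % (host, p, p, p)


def parse_smhost_conf(text):
    """Return [(host, authn, authz, acct), ...] in file order; the first entry is the
    bootstrap server used for registration."""
    servers = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            servers.append((m.group(1),) + tuple(int(g) for g in m.group(2, 3, 4)))
    return servers


def check_policyserver_entries(servers):
    """Flag entries worth a second look: ports that differ across the three services,
    or a port equal to the default, which is what an omitted non-default port becomes."""
    findings = []
    for host, authn, authz, acct in servers:
        if not (authn == authz == acct):
            findings.append("%s: ports differ (%d,%d,%d)" % (host, authn, authz, acct))
        if authn == DEFAULT_PORT:
            findings.append("%s: port defaulted to %d; confirm the Policy Server listens there"
                            % (host, DEFAULT_PORT))
    return findings


# Constructed sample of the lines this page describes (not a real SmHost.conf)
SAMPLE = '''hostname="mytrustedhost"
hostconfigobject="DefaultHostSettings"
policyserver="192.0.2.10,5555,5555,5555"
policyserver="192.0.2.11,44442,44442,44442"
'''
```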