

Install the IdP Web Agent Option Pack

The Web Agent Option Pack installs the Federation Web Services (FWS) application. FWS is a required component for SiteMinder federation.

To set up the Web Agent Option Pack

  1. Install the Web Agent Option Pack on the same web server as the Web Agent. In this deployment, the server is an IIS Web Server.

    For instructions on installing the Web Agent Option Pack, see the Web Agent Option Pack Guide.

  2. Configure the Web Server with the Web Agent Option Pack.

Configure the Web Server with the Web Agent Option Pack

Configure the Federation Web Services (FWS) application for the sample deployment.

To set up FWS:

Install the JDK for Federation Web Services

The Web Agent Option Pack requires a JDK to run the Federation Web Services application.

For the correct JDK version, go to the Technical Support site and search for the SiteMinder Platform Support Matrix for the release.

Install and Configure ServletExec to work with FWS at the IdP

For FWS to operate, you can install ServletExec or any supported application server. This sample network uses ServletExec on an IIS 6.0 Web Server.

Note: SiteMinder r12.0 SP3 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see ServletExec documentation, available at the New Atlanta Communication website.

Be sure to apply the most current hot fixes for the supported version of ServletExec you are using. The hot fixes are necessary for Federation Web Services to work with ServletExec. To obtain hot fixes, go to the website for New Atlanta Communication.

To set up ServletExec

  1. Install ServletExec. For more information, see the New Atlanta documentation.
  2. Open the ServletExec Administration Console.
  3. Under Web Applications, select manage.

    The Manage Web Applications dialog opens.

  4. Click Add a Web Application.
  5. Enter the following information:
    Application Name

    affwebservices

    URL Context Path

    /affwebservices/

    Location

    C:\program files\ca\webagent\affwebservices

    Note: The location of affwebservices in your setup can be different. Enter the correct location.

  6. Click Submit.
  7. Exit the ServletExec Console.
  8. Modify the directory security settings for the IIS default user account.

Important! The IIS user account must have proper rights for IIS to allow any plug-in to write to a file system. Therefore, for Federation Web Services to work with ServletExec, modify the directory security settings for the IIS default user account.

More Information:

Enable ServletExec to Write to the IIS File System

Configure the FWS Properties File at the IdP

Enable ServletExec to Write to the IIS File System

The IIS server user account must have proper rights for IIS to allow a plug-in to write to its file system. For ServletExec to write to the federation log files, the anonymous user account that is associated with ServletExec must have permissions to write to the file system.

Follow these steps:

  1. Open the IIS Internet Information Services Manager on the system where ServletExec is installed.
  2. Navigate to Web Sites, Default Web Site.

    The set of applications is displayed in the right pane.

  3. Select ServletExec and right-click Properties.
  4. Select the Directory Security tab in the Properties dialog.
  5. Click Edit in the Authentication and access control section.

    The Authentication Methods dialog opens.

  6. Set the controls as follows.
    1. Select Enable Anonymous Access.

      For anonymous access, enter the name and password of a user account that has permission to write to the Windows file system. To grant this right to a user account, see the Windows documentation. For example, you can use the IUSR Internet Guest account for anonymous access.

    2. Clear Basic authentication.
    3. Clear Integrated Windows authentication.
  7. If prompted, apply the security changes to all child components of the web server.
  8. Restart the web server.

The user account that is associated with ServletExec can now write to the IIS file system.

Follow these steps:

  1. Open Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.

    The Local Security Settings dialog displays.

  2. Double-click Act as part of the operating system.

    The Act as part of the operating system Properties dialog opens.

  3. Add the anonymous user account to the Local Security Setting dialog.
  4. Click OK.
  5. Exit from the control panel.
  6. Optionally, we strongly recommend that you review the Agent Configuration Object for the Web Agent that protects the IIS Web Server and verify that the SetRemoteUser parameter is set to yes. This setting prevents any anonymous user from writing to the file system.

Configure the FWS Properties File at the IdP

The affwebservices.properties file contains all the initialization parameters for Federation Web Services. Modify at least one of the settings in this file.

To modify the affwebservices.properties file

  1. On the IdP system with the Web Agent Option Pack, go to the directory C:\Program Files\ca\webagent\affwebservices\WEB-INF\classes
  2. Set the AgentConfigLocation parameter to the location of the WebAgent.conf file. This parameter must have a value.

    For this deployment, an IIS web server hosts the FWS application. So, the path to the WebAgent.conf file is:

    C:\\Program Files\\ca\\webagent\\bin\\IIS\\WebAgent.conf

    Note: Federation Web Services is a Java component, so the Windows paths must contain double backslashes. This format applies only to Windows.

    Verify that this path is entered on one line.

  3. Save and close the file.
  4. Test Federation Web Services at the IdP.

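As an added example (not part of the SiteMinder documentation), the following Python script reads affwebservices.properties with the escaping rules that java.util.Properties applies and reports whether AgentConfigLocation has a value, sits on one line, and decodes to the intended WebAgent.conf path. The sample file contents are constructed; a single-backslash path is included to show why the double backslashes are required.

```python
import re
# Added example, not part of the SiteMinder documentation: a minimal
# java.util.Properties reader plus the checks the procedure calls for.
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(raw: str) -> str:
    # Java rules: '\\' -> '\', \uXXXX -> code point, any other '\x' -> 'x'.
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i]); i += 1
        elif raw[i + 1:i + 2] == "u":
            out.append(chr(int(raw[i + 2:i + 6], 16))); i += 6
        else:
            out.append(ESCAPES.get(raw[i + 1:i + 2], raw[i + 1:i + 2])); i += 2
    return "".join(out)

def parse_properties(text: str):
    """Return ({key: decoded value}, {keys whose value spanned several lines})."""
    props, spanned, buf, joined = {}, set(), "", False
    for line in text.splitlines():
        line = line.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank or comment line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf, joined = buf + line[:-1], True  # odd trailing '\': continues
            continue
        if m := re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", buf + line):
            props[unescape(m.group(1))] = unescape(m.group(2))
            if joined:
                spanned.add(unescape(m.group(1)))
        buf, joined = "", False
    return props, spanned

def check_agent_config_location(text: str) -> list:
    """Return the problems found; an empty list means the setting is usable."""
    props, spanned = parse_properties(text)
    key, problems = "AgentConfigLocation", []
    value = props.get(key, "")
    if not value:
        return [f"{key} is missing or empty; Federation Web Services requires it"]
    if key in spanned:
        problems.append(f"{key} spans several lines; enter the path on one line")
    if not re.fullmatch(r"[A-Za-z]:\\(?:[^\\]+\\)*WebAgent\.conf", value):
        problems.append(f"{key} decodes to {value!r}; use double backslashes")
    return problems

# Constructed samples: the documented double-backslash form, and the same
# path with single backslashes, which Java consumes as escape characters.
GOOD = r"AgentConfigLocation=C:\\Program Files\\ca\\webagent\\bin\\IIS\\WebAgent.conf"
BAD = r"AgentConfigLocation=C:\Program Files\ca\webagent\bin\IIS\WebAgent.conf"
```

Run `check_agent_config_location(open(path).read())` against the real file; the decoded value it reports is the path FWS will actually try to open.
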
Test Federation Web Services at the IdP

After you set up Federation Web Services, verify that the application is operating correctly.

Follow these steps:

  1. Open a web browser and enter the following link:

    http://<fqhn>:<port_number>/affwebservices/assertionretriever

    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Web Agent and Web Agent Option Pack are installed.

    For this deployment, enter:

    http://www.idp.demo:80/affwebservices/assertionretriever

    If Federation Web Services is operating correctly, the following message appears:

    Assertion Retrieval Service has been successfully initialized.
    The requested servlet accepts only HTTP POST requests.

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you get a message that the Assertion Retrieval Service has failed. If Assertion Retrieval Service fails, examine the Federation Web Services log.

  2. Enable Web Agent Option Pack Logging at the IdP.

Enable Web Agent Option Pack Logging at the IdP

At the IdP, enable logging for the system with the Web Agent Option Pack so that you can view the affwebservices.log and the FWS trace log.

Follow these steps:

  1. Configure the affwebservices.log by setting up the LoggerConfig.properties file.
  2. Configure FWS trace logging.
  3. Specify the User Store for the IdP Policy Server.

More Information:

Set up the LoggerConfig.properties File

Federation Security Services Trace Logging