Web Agent Guides › Web Agent Configuration Guide › Agents and Password Services

Agents and Password Services

This section contains the following topics:

How to Configure FCC Password Services

Password Services Implementations

How to Configure FCC Password Services

To configure password services, follow these steps:

Open the Administrative UI
Create password policies that are associated with a user directory in your CA SiteMinder® environment. Use the following path in the Redirection URL field:
```
/siteminderagent/forms/smpwservices.fcc
```

Note: For more information, see the Policy Server documentation.

More information:

Create Password Policies

Password Services Implementations

CA SiteMinder® uses forms credential collectors (FCCs) to support password services.

Password services help you do the following tasks:

Encrypt the query strings in password services URLs.
Support password services in multiple languages.
Redirect password services users to a fully qualified URL.
Support SecureID authentication with password services.
Allow users to change their own passwords. Use whichever of the following procedures applies to your situation:

FCC Password Services and URL Query Encryption

The FCC Password Services application enables query data on the URL to be encrypted, further securing Agent interactions. You can only encrypt query data with FCC Password Services. FCC Password Services files include:

smpwservices.fcc
This FCC is installed with the Web Agent and is located at:

web_agent_home/samples/forms

If Password Services is invoked and there is no password policy configured, the CA SiteMinder® Administrator at the Policy Server should set the environment variable NETE_PWSERVICES_REDIRECT to a relative path for smpwservices.fcc.

The path is:

/siteminderagent/forms/smpwservices.fcc

The new FCC displays the Password Services form based on the FCC directives authreason and username.
smpwservices.unauth
This file handles errors that occur during GET/POST actions of the Password Services forms.

This file is similar to other FCC unauthorized files that are invoked if there is a failure processing the request during the POST. This FCC handles error conditions, such as an empty TARGET variable. The error reporting is intended to be synchronized with the CGI-based Password Services and for handling any other unknown errors caused by an FCC POST.
smpwservicesUS-EN.properties
This properties file is used by smpwservices.fcc to display the user-friendly messages on the Password Services forms.

This properties file has the user-friendly messages, which an administrator can modify depending on what he wants to display on the Password Services forms. The format for the message is name=value.

How to Localize FCC-based Password Services Change Forms

To localize the user messages for FCC-based Password Services for another locale follow these steps:

Create an FCC folder on the web server for a new locale or use an existing folder if appropriate for your locale. The typical naming convention for the folder is formslocale.
Note: The directories and file names that are shown could be case-sensitive, depending on your operating environment and the type of web server in use.
Place a copy of the relevant Password Services files in the new folder.
Modify the files to accommodate the locale, such as changing the English messages to the language for your locale. Repeat this step with all the files for the locale.
In the Administrative UI, change the value of the Redirection URL field in the Password Policy.
For example, to use FCC Password Services for Japanese users, put a copy of the following files in the folder formsja, which is located in web_agent_home/samples:
- smpwservices.fcc, located in web_agent_home/samples/forms
- smpwservices.unauth, located in web_agent_home/samples/forms
- A new properties file, smpwservicesja.properties

Use a Fully Qualified URL for Password Services Redirects

When you use password services you can instruct a Web Agent to create a fully qualified domain name (FQDN) to where users are redirected. Use the following parameter:

ConstructFullPwsvcUrl

Instructs the agent to add the server name (FQDN) of the system that is hosing the password services before redirecting the user. You define this server name in the password policy on the Policy Server.

For example, suppose that the value of this parameter is yes, and your password policy points to siteminderagent/forms/smpwservices.fcc. the Web Agent redirects to the following URL:

HTTP://server_name.example.com/siteminderagent/forms/smpwservices.fcc

The Web Agent uses the value that is defined in your password policy when the value of this parameter is no. For example, if your password policy only points to a subdirectory, the Web Agent redirects users to that subdirectory.

Default: No.

Example: No (redirects to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).

Example: Yes (adds HTTP://server_name.example.com to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).

The default URL for password policies in the Administrative UI does not contain a server name. The Web Agent redirects users to whatever URL exists in the password policy when the value of the previous parameter is set to yes.

Follow these steps:

Use the examples in the following table as a guide for setting the ConstructFullPwsvcURl parameter:

To:	Add this URL to your password policy in the Administrative UI:	Set the value of the ConstructFullPwsvcURl to:
Host the password services on a specific server.	http://server_name.example.com:80/siteminderagent/forms/smpwservices.fcc	No
Host the password services on the same server as the Web Agent using a relative URL.	siteminderagent/forms/smpwservices.fcc	No
Host the password services on the same server as the Web Agent using an FQDN.	siteminderagent/forms/smpwservices.fcc	Yes

Configure SecureID Authentication with FCC Password Services

You must modify the SecureID HTML Form template using the Administrative UI if you are using SecureID as your authentication scheme and both of the following conditions exist in your environment:

The FCC Password Services feature is configured
The value of the SecureUrls parameter for the Web Agent is set to yes

SecureID is implemented using Password Services, which is why you must modify the authentication scheme's template.

To configure SecureID Authentication with FCC password services, add the path to the smpwservices.fcc file in the Target field of the SecureID template, as shown in the following example:

/siteminderagent/forms/smpwservices.fcc

How to Enable User-Initiated Password Changes with FCCs

You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords whenever they want.

Note: Use the following process only if your CA SiteMinder® Web Agent configuration also has the value of the SecureURLs parameter that is set to no.

To enable user-initiated password changes with FCCs, use the following process:

Confirm that your user directory contains attributes that support Password Policies.
Use the Administrative UI to do the following tasks:
1. Create an FCC-based password policy and protect the resources that you want.
2. Configure the password policy to allow authorized users to change their passwords.
Create a password change URL that includes the following parts:
- The FQDN of the logon server (example: http:logonserver.example.com).
- The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
- The name of the CA SiteMinder® Web Agent (SMAGENTNAME)
- One of the following target URLs:
- For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
```
<a href="http:logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=
```
```
34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
```
- For password-change URLs not embedded in FCC pages, hard-code the name of your CA SiteMinder® Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
```
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
```
Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
Test the password change function with the following steps:
1. Display a web page that has the password change link you created in Step 3.
2. Click the password change link.
  The password change form appears.
3. Fill out the password change form and submit it.
  If the password change is successful, a confirmation page appears with a link to the protected target resource.
4. Click the link and verify that the resource appears.
5. Close and reopen your browser. Try to access the protected resource using your new password.
  If you can access the resource with your new password, the password change is successful.

How to Enable User-Initiated Password Changes with FCCs (SecureURLs=Yes)

You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords whenever they want.

Note: Use the following process only if your CA SiteMinder® Web Agent configuration also has the value of the SecureURLs parameter that is set to yes.

To enable user-initiated password changes with FCCs, use the following process:

Confirm that your user directory contains attributes that support Password Policies.
Use the Administrative UI to do the following tasks:
1. Create an FCC-based password policy and protect the resources that you want.
2. Configure the password policy to allow authorized users to change their passwords.
3. Set the value of the ValidTargetDomain parameter to the domain of the target resource you want to protect.
Create a password change URL that includes the following parts:
- The FQDN of the logon server (example: http:logonserver.example.com).
- The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
- The name of the CA SiteMinder® Web Agent (SMAGENTNAME)
- One of the following target URLs:
- For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
```
<a href="http:logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=
```
```
34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
```
- For password-change URLs not embedded in FCC pages, hard-code the name of your CA SiteMinder® Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
```
<a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
```
Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
Open the following file on your web server:
```
web_agent_home/samples/forms/smpwservices.fcc
```
1. Locate the following line:
```
@smpwselfchange=0
```
2. Change the 0 (zero) at the end of the previous line to 1 (one), as shown in the following example:
```
@smpwselfchange=1
```
3. Save and close the smpwservices.fcc file.
Embed the URL you created in Step 3 as a link in one or more unprotected web pages.
Test the password change function with the following steps:
1. Display a web page that has the password change link you created in Step 3.
2. Click the password change link.
  The password change form appears.
3. Fill out the password change form and submit it.
  If the password change is successful, a confirmation page appears with a link to the protected target resource.
4. Click the link and verify that the resource appears.
5. Close and reopen your browser. Try to access the protected resource using your new password.
  If you can access the resource with your new password, the password change is successful.

How to Enable User-Initiated Password Changes when using the CA SiteMinder® X.509 Certificate and Basic Authentication Scheme

You can configure the FCC Password services features of CA SiteMinder® to allow users to change their own passwords. The CA SiteMinder® X.509 Certificate and Basic authentication scheme requires a password-change URL that starts with the HTTPS protocol.

Follow these steps:

Confirm that your user directory contains attributes that support Password Policies.
Use the Administrative UI to do the following tasks:
1. Create an FCC-based password policy and protect the resources that you want.
2. Configure the password policy to allow authorized users to change their passwords.
Create a password change URL that includes the following parts:
- The HTTPS scheme (protocol).
- The FQDN of the logon server (example: http:logonserver.example.com).
- The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
- The name of the CA SiteMinder® Web Agent (SMAGENTNAME).
- One of the following target URLs:
- For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
```
<a href="https:logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=
```
```
34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
```
- For password-change URLs not embedded in FCC pages, hard-code the name of your CA SiteMinder® Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
```
<a href="https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
```
Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
Test the password change function with the following steps:
1. Display a web page that has the password change link you created in Step 3.
2. Click the password change link.
  The password change form appears.
3. Fill out the password change form and submit it.
  A confirmation page appears with a link to the protected target resource.
4. Click the link and verify that the resource appears.
5. Close and reopen your browser. Try to access the protected resource using your new password.
  If you can access the resource with your new password, the password change is successful.