

Install, Upgrade, and Configure CA SiteMinder® SPS Manually

The CA SiteMinder for Secure Proxy Server is a stand-alone server that provides a proxy-based solution for access control. CA SiteMinder® SPS employs a proxy engine that provides a network gateway for the enterprise and supports multiple session schemes that do not rely on traditional cookie-based technology.

The following diagram describes how you can install and configure CA SiteMinder® SPS:

You can use the SPS installer to install a new instance of SPS, install multiple instances of SPS on the same computer (one instance each time you run it), and upgrade SPS. After installation, configure SPS and then protect the Administrative UI so that you can use it.

Prerequisites

Before you install or upgrade CA SiteMinder® SPS, verify the following prerequisites:

Installation Worksheet

The CA SiteMinder® SPS configuration wizard displays a series of prompts for registering a trusted host. A trusted host is a client computer where one or more SiteMinder Web Agents can be installed. To establish a connection between the trusted host and the Policy Server, register the host with the Policy Server. After registration is complete, the registration tool creates the SmHost.conf file. When this file is created, the client computer becomes a trusted host.

Before you install, upgrade, or configure CA SiteMinder® SPS, verify that you have gathered the following information, which is required for host registration, the embedded Apache web server, and the Tomcat server:

| Parameter | Description |
| --- | --- |
| SiteMinder administrator name | Name of the administrator that matches the name already defined at the Policy Server. This administrator must have the privileges to create a trusted host. |
| SiteMinder administrator password | Password of the SiteMinder administrator who has privileges to register a trusted host. Must match the password used at the Policy Server. |
| Trusted host name | Name of the trusted host assigned during the installation. |
| Host Configuration Object | Name of a host configuration object already defined in Administrative UI. |
| Agent Configuration Object | Name of an existing Agent Configuration Object defined in Administrative UI. |
| IP address of the Policy Server where the host is registered | Note: Include a port number when SiteMinder is behind a firewall. For example, 111.12.12.2:12. |
| Agent Name | Name of the default agent or an agent defined in the ACO. |
| Master Key | Identifies the master encryption key for the advanced authentication server. Enter the same value that you configured in the Policy Server. |
| Host Configuration File name and location | Identifies the SmHost.conf file, which Web Agents and custom Agents use to act on behalf of the trusted host. The wizard lists the default location. |
| Name and location of the Web Agent configuration file | The wizard lists the default location. |
| Email address of the Apache web server administrator | The email address for the administrator. Default: admin@company.com |
| Fully qualified host name of the server | A fully qualified name in the following format: computer_name.company.com. |
| Port number for Apache HTTP requests | The port listening for HTTP requests from Apache. Default: 80 |
| Port number for Apache SSL requests | The port listening for SSL requests from Apache. Default: 443 |
| Port number for Tomcat HTTP requests | The port listening for HTTP requests from Tomcat. Default: 8080 |
| Port number for Tomcat SSL requests | The port listening for SSL requests from Tomcat. Default: 543 |
| Port number for Tomcat shutdown requests | The port listening for shutdown requests from Tomcat. Default: 8005 |
| Port number of AJP | The port number of AJP. Default: 8009 |

Install CA SiteMinder® SPS

Before you install CA SiteMinder® SPS, verify that you have gathered the information required to install CA SiteMinder® SPS.

Install CA SiteMinder® SPS on Windows

Follow these steps:

  1. Copy the installation program from the download location on the CA Support site.
  2. Right-click the executable and select Run as administrator.
  3. Double-click ca-proxy-<version>-<operating_system>.exe.

    The installation program starts.

  4. Follow the instructions from the installation wizard.

    Note: By default, CA SiteMinder® SPS sets the instance name of the first installation as default. You cannot modify the default value and you cannot use the name for any other CA SiteMinder® SPS instance.

  5. Restart your system after the installation completes.

Install CA SiteMinder® SPS on Linux or Solaris

CA SiteMinder® SPS supports installations on Linux and Solaris.

Follow these steps:

  1. Copy one of the following programs from the download location on the CA Support site to a temporary directory:
    Solaris: ca-proxy-12.5-sol.bin
    
    Linux: ca-proxy-12.5-rhel30.bin
    
  2. Enter one of the following commands:
    sh ./ca-proxy-12.5-sol.bin
    
    sh ./ca-proxy-12.5-rhel30.bin
    
  3. Follow the screen prompts provided by the installation wizard.

Verify CA SiteMinder® SPS Installation

You can check the InstallLog file to verify that the CA SiteMinder® SPS installation was successful. By default, the InstallLog is installed in the following location on all platforms:

sps_home\install_config_info\CA_SiteMinder_Secure_Proxy_Server_InstallLog.log

Install Multiple Instances of CA SiteMinder® SPS

You can install multiple CA SiteMinder® SPS instances on the same computer. Each CA SiteMinder® SPS instance uses a unique instance name and ports for communication, and creates a separate directory structure.

Follow these steps:

  1. Double-click ca-proxy-<version>-<operating_system>.exe.

    The installation program starts.

  2. Select the option to install a new instance.
  3. Follow the instructions from the installation wizard.

    Note: Verify that you enter unique values for the instance name and the different ports that are used for communication.
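
As an added example (not part of the CA documentation or the installer), the following Python script checks a planned set of instances against the uniqueness requirement above and probes whether each port is already bound on the host. The role names, the second instance `sps2` and its port values are constructed for illustration.

```python
import socket

# Port roles from the installation worksheet on this page.
ROLES = ("apache_http", "apache_ssl", "tomcat_http",
         "tomcat_ssl", "tomcat_shutdown", "ajp")

def find_conflicts(plan):
    """Check a list of (instance_name, {role: port}) pairs; return problems."""
    problems, names, owners = [], set(), {}
    for name, ports in plan:
        if name in names:
            problems.append(f"{name}: instance name is not unique")
        names.add(name)
        for role in ROLES:
            port = ports.get(role)
            if type(port) is not int or not 1 <= port <= 65535:
                problems.append(f"{name}/{role}: port {port!r} is missing or out of range")
            elif port in owners:
                problems.append(f"{name}/{role}: port {port} already used by {owners[port]}")
            else:
                owners[port] = f"{name}/{role}"
    return problems

def port_state(port, host="0.0.0.0"):
    """Try to bind the TCP port locally: 'free', 'in use' or 'denied'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except PermissionError:   # e.g. ports below 1024 without privileges
            return "denied"
        except OSError:           # something is already bound to the port
            return "in use"
    return "free"

# Constructed plan: worksheet defaults plus a hypothetical second instance "sps2".
PLAN = [
    ("default", {"apache_http": 80, "apache_ssl": 443, "tomcat_http": 8080,
                 "tomcat_ssl": 543, "tomcat_shutdown": 8005, "ajp": 8009}),
    ("sps2", {"apache_http": 8081, "apache_ssl": 8443, "tomcat_http": 8082,
              "tomcat_ssl": 8543, "tomcat_shutdown": 8005, "ajp": 8010}),
]

if __name__ == "__main__":
    for problem in find_conflicts(PLAN):
        print("CONFLICT:", problem)
    for name, ports in PLAN:
        for role, port in ports.items():
            print(f"{name}/{role} {port}: {port_state(port)}")
```

Run it on the target computer before you start the installer for the additional instance; a "denied" result means the probe lacked the privileges to bind that port, not that the port is taken.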

Upgrade CA SiteMinder® SPS

You can run the installation program to upgrade from a previous version of CA SiteMinder® SPS to the current version.

Note: If you configured filters or customized session schemes, back up the lib directory from the Tomcat/ path before you upgrade.

Follow these steps:

  1. Double-click ca-proxy-<version>-<operating_system>.exe.

    The installation program starts.

  2. Select OK to upgrade CA SiteMinder® SPS version.
  3. Follow the instructions from the installation wizard.
  4. Restart your system after the installation completes.

Additional Tasks for Upgrades

At the end of the installation process, you can perform some additional steps to support the upgrade. Depending on the amount of customization in your CA SiteMinder® SPS deployment, you can perform one or more of the following tasks:

Customize JVM Parameters

You can customize Java Virtual Machine (JVM) parameters in the following files:

Configure CA SiteMinder® SPS

After you install CA SiteMinder® SPS, run the configuration wizard. The configuration wizard lets you register the trusted host for the embedded SiteMinder Web Agent and performs some administrative tasks for the embedded Apache web server.

Important! Before you run the wizard, verify that you have set up the required objects at the Policy Server where you want to register the host. If these objects are not configured, trusted host registration fails.

Follow these steps:

  1. Open a console window and navigate to the directory sps_home/secure-proxy.
  2. Enter one of the following commands:
    Windows: ca-sps-config.exe
    
    UNIX: ca-sps-config.sh
    

    The configuration wizard starts.

  3. Select the version of the Policy Server with which you want to configure CA SiteMinder® SPS.
  4. Select the option to perform host registration immediately.
  5. (Optional) Select the option to enable shared secret rollover.
  6. Perform the following steps to register the trusted host:
    1. Specify the name and password of the SiteMinder administrator.

      Note: The information you enter must already be defined at the Policy Server where the trusted host is registered.

    2. Specify the name of the Trusted Host and the Host Configuration Object.

      Note: The name you enter for the trusted host must be unique. The name for the Host Configuration Object must already be defined at the Policy Server where the trusted host is registered.

    3. Enter the IP address of the Policy Server where you want to register the trusted host.
    4. Select a FIPS mode.
    5. Specify the name and location of the host configuration file, SmHost.conf. The wizard lists the default location.
    6. Specify the name of the Agent Configuration Object.

      Note: The Agent Configuration Object that you enter must already be defined at the Policy Server where the trusted host is registered.

  7. Enter the following information for the Apache web server:
  8. Enter the following information for the Tomcat server:

    Note: Users installing on systems running Solaris or Linux see an additional screen that prompts for the name of the user under which Tomcat and Apache run. This user cannot be root. Create the user account manually; the installation program does not create it for you. The Tomcat user must have all privileges (rwa) for the log directories.

  9. Select Yes if you want to enable the Web Agent.
  10. Select Yes if you want CA SiteMinder® SPS to act as a Federation Gateway.
  11. Review the Configuration Summary.
  12. Click Install.

    CA SiteMinder® SPS is configured and the configuration files are installed.

  13. Click Done to exit the wizard.
  14. Start the SiteMinder Secure Proxy and SiteMinder proxy engine services.

Note: If you run the Configuration Wizard again, SSL must be reinitialized.

Additional Configuration on CA SiteMinder® SPS

After installing CA SiteMinder® SPS and running the configuration wizard, you can modify CA SiteMinder® SPS configuration to suit your environment. The following configuration files contain settings that affect CA SiteMinder® SPS:

httpd.conf

Contains the settings for the Apache web server.

server.conf

Contains the settings that determine CA SiteMinder® SPS behavior, including virtual hosts and session scheme mapping.

logger.properties

Contains the settings that determine CA SiteMinder® SPS logging behavior.

proxyrules.xml

Contains the rules that determine how CA SiteMinder® SPS handles incoming requests.

Manage Session Assurance

By default, CA SiteMinder® SPS enables Session Assurance. If you want to disable the feature, perform the following steps:

  1. Open the server.conf file.
  2. Navigate to the <Context name="AALoginService"> section and set the value of enable to no.
  3. Navigate to the <Context name="Advanced Auth Application"> section and set the value of enable to no.
  4. Navigate to the <Context name="UI Application"> section and set the value of enable to no.
  5. Save the changes.
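
A check for the edit described above, added here as an example and not taken from the product: it reads server.conf text and reports whether all three contexts carry the same enable value, so a missed section is caught before the services are restarted. The `enable="no"` line syntax, the `#` comment convention and the sample content are assumptions; adjust the patterns to match your file.

```python
import re

# Context names from the Session Assurance steps on this page.
SA_CONTEXTS = ("AALoginService", "Advanced Auth Application", "UI Application")

CONTEXT_RE = re.compile(r'<Context\s+name="([^"]+)"\s*>(.*?)</Context>', re.S)
ENABLE_RE = re.compile(r'^\s*enable\s*=\s*"?(\w+)"?\s*$', re.M | re.I)

def session_assurance_state(conf_text):
    """Return (status, {context: enable value or None}) for server.conf text."""
    # Assumption: lines starting with '#' are comments and must not be matched.
    text = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    found = {}
    for name, body in CONTEXT_RE.findall(text):
        match = ENABLE_RE.search(body)
        found[name] = match.group(1).lower() if match else None
    values = {name: found.get(name) for name in SA_CONTEXTS}
    if all(v == "no" for v in values.values()):
        status = "disabled"
    elif all(v == "yes" for v in values.values()):
        status = "enabled"
    else:
        status = "inconsistent"   # mixed values, or a context/setting is missing
    return status, values

# Constructed sample: the third context was missed during the edit.
SAMPLE = '''
<Context name="AALoginService">
    enable="no"
</Context>
<Context name="Advanced Auth Application">
    # enable="yes"
    enable="no"
</Context>
<Context name="UI Application">
    enable="yes"
</Context>
'''

if __name__ == "__main__":
    status, values = session_assurance_state(SAMPLE)
    print("Session Assurance:", status)
    for name, value in values.items():
        print(f"  {name}: enable={value}")
```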

Modify the Default Location of the SiteMinder Forms

Beginning with CA SiteMinder® SPS v6.0, the default location of the SiteMinder forms is no longer /siteminderagent/forms. To continue to use this location to serve forms, modify the CA SiteMinder® SPS forms location.

Follow these steps:

  1. Create the siteminderagent directory in the following location:

    sps_home/proxy-engine/examples/siteminderagent

  2. Copy the forms folder from the following directory

    sps_home/proxy-engine/examples

    to the following directory:

    sps_home/proxy-engine/examples/siteminderagent

    The forms are copied to sps_home/proxy-engine/examples/siteminderagent/forms.

    Note: If you customize the location of the forms folder, ensure that you update the httpd.conf file with the location of the forms images.

Protect the Administrative User Interface

By default, the installer creates a protection policy to protect the Administrative User Interface. The installer uses the defined Agent Name to create the protection policy with the following details:

The protection policy does not contain the user directory information. Perform the following steps to log in to the Administrative User Interface:

  1. Update DOMAIN-SPSPADMINUI with the user directory information.
  2. Update POLICY-SPSADMINUI with user information.

Launch the Administrative User Interface

You can launch the Administrative User Interface after you start the proxy engine services. To launch the Administrative User Interface, enter the following URL in a web browser:

http://fullyqualifiedhostname:Tomcat_port/proxyui/

CA SiteMinder® SPS is installed or upgraded, and is configured.

If you want to perform a silent installation and configuration after the first installation, see Silent Installation and Configuration. If you want to uninstall CA SiteMinder® SPS, see Uninstall CA SiteMinder® SPS. If you want to start CA SiteMinder® SPS in various modes, see Start CA SiteMinder® SPS in Single-Process or Multiple Process Mode. If you want to modify the default location of the SiteMinder forms, see Modify the Default Location of the SiteMinder Forms.