CA SiteMinder® SPS
Legal Notices
CA Technologies Product References
Contact CA Technologies
Documentation Changes
Administration Guide
Introduction to the CA SiteMinder® SPS Architecture
Proxy Server Architecture
Traditional Reverse Proxy Server Architecture
SPS Architecture
Components
Product Features
Product Limitations
CA SiteMinder® SPS in an Enterprise
CA SiteMinder® SPS as a Centralized Access Control Filter
CA SiteMinder® SPS Support for Cookieless Sessions
Cookieless Session Scheme in a Federation Environment
CA SiteMinder® SPS Support for Extranet Access Control
Installing CA SiteMinder® SPS
Install, Upgrade, and Configure CA SiteMinder® SPS Manually
Prerequisites
Installation Worksheet
Install CA SiteMinder® SPS
Install CA SiteMinder® SPS on Windows
Install CA SiteMinder® SPS on Linux or Solaris
Verify CA SiteMinder® SPS Installation
Install Multiple Instances of CA SiteMinder® SPS
Upgrade CA SiteMinder® SPS
Additional Tasks for Upgrades
Customize JVM Parameters
Configure CA SiteMinder® SPS
Additional Configuration on CA SiteMinder® SPS
Manage Session Assurance
Modify the Default Location of the SiteMinder Forms
Protect the Administrative User Interface
Launch the Administrative User Interface
Install and Configure CA SiteMinder® SPS Silently
Uninstall CA SiteMinder® SPS
Administrating CA SiteMinder® SPS
Configuration Methods of CA SiteMinder® SPS
Configure the Apache Settings
Configure the Federation Settings
Configure the Custom Error Messages Settings
Modify the Default Custom Error Pages
Modify the Default CA SiteMinder® SPS Error Pages
Modify the Web Server Error Pages
Configure the Proxy Service Settings
Configure the Session Scheme Settings
Uses for Each Session Scheme
Configure the Default Session Scheme
Configure the SSL ID Session Scheme
Configure the IP Address Session Scheme
Configure the Mini-cookies Session Scheme
Configure the Simple URL Rewriting Session Scheme
Enable Cookieless Federation for Rewriteable Session Schemes
Rewrite FWS Redirects for Simple URL Session Schemes
Configure the Wireless Device ID Session Scheme
Configure the Session Store Settings
Configure the Tomcat Settings
Configure the User Agents Settings
Configure the Virtual Host Settings
Default Virtual Host Values
Handling Redirects by Destination Servers
Default Virtual Host
Create Virtual Host
Configure Log Settings
Configure CA SiteMinder® SPS Logs
Configure HttpClient Logging
Configure Proxy Rules
Planning Routes for Incoming Requests
Proxy Rules Terminology
Proxy Rules DTD
nete:proxyrules
Debug Attribute
nete:description
nete:case
Forward and Redirect Syntax
nete:cond
nete:default
nete:forward
Filter Attribute
nete:redirect
nete:local
nete:xprcond
nete:xpr and nete:xpr-default
nete:rule and nete:result
Response Handling
How nete:xprcond Elements Work
Regular Expression Syntax
Regular Expression Examples in nete:rule and nete:result
Map Single Rule to Many Destination Servers
Regular Expressions to Redirect Users
Header Values in Forwards, Redirects, and Results Filters
Dynamic Header Value in a nete:forward
Dynamic Header Value in a nete:redirect
Dynamic Header Value in a nete:result
Response Handling
Modify Proxy Rules Manually
Manage Proxy Rules Using Administrative UI
Add Filters
Validate the Proxy Rules
Test the Proxy Rules
Export the Proxy Rules
Sample Proxy Rules Configuration Files
Proxy Rules Example—Routing Requests by Virtual Host
Proxy Rules Example—Routing Requests by Header Value
Proxy Rules Example—Routing Requests by Device Type
Proxy Rules Example—Routing Requests with URIs
Proxy Rules Example—Routing Requests by File Extension
Proxy Rules Example—Routing Requests with Nested Conditions
Proxy Rules Example—Using Regular Expression in Proxy Rules
Proxy Rules Example—Routing Requests by Cookie Existence
Proxy Rules Example—Routing Requests by Cookie Value
Configure CA SiteMinder® SPS to Use FIPS
Migration to FIPS MIGRATE Mode
Configuration Process for FIPS ONLY Mode
Migration to FIPS ONLY Mode
Using CA SiteMinder® SPS with Federation Security Services
CA SiteMinder® SPS Use Cases in a SiteMinder Federated Environment
Use Case 1: Single Sign-on Based on Account Linking
Use Case 2: Single Sign-on Based on User Attribute Profiles
Use Case 3: Single Sign-on with No Local User Account
Use Case 4: Extended Networks
CA SiteMinder® SPS Roles in a SiteMinder Federated Environment
Solutions for CA SiteMinder® SPS Use Cases
Solution 1: SSO Based on Account Linking
Using SAML 1.x Artifact Authentication for Solution 1
Solution 2: SSO Using User Attribute Profiles
Solution 3: SSO with No Local User Account
Solution 4: SSO in an Extended Network
Using CA SiteMinder® SPS in Cookieless Federation
Enable Cookieless Federation at the Consuming Side
Using CA SiteMinder® SPS as a Web Agent Replacement
Prerequisites for Using CA SiteMinder® SPS as a Web Agent Replacement
Configuring CA SiteMinder® SPS as a Web Agent Replacement for Federation
Using CA SiteMinder® SPS as a Federation Gateway
Prerequisites for Using the Federation Gateway
Configuring the CA SiteMinder® SPS Federation Gateway
Limitations of the CA SiteMinder® SPS Federation Gateway
Configuring CA SiteMinder® SPS
CA SiteMinder® SPS in an Enterprise
Sticky-Bit Load Balancing
Proxying to Trusted Sites vs. Non-Trusted Sites
Configuring Virtual Hosts
Edit the Apache Configuration File To Handle Multiple Virtual Hosts
Implementing Session Scheme Mappings for Multiple Virtual Hosts
Configuring the Authentication and Authorization Web Services
How to Work with the Authentication and Authorization Web Services
Overview of the Authentication and Authorization Web Services
Configure the Web Services
Create an ACO for the Web Services
Protect the Web Services
Enable the Web Services
Configure the Web Services Logs
Create the Client Program
Authentication SOAP Interface
Authentication REST Interface
Authorization SOAP Service
Authorization REST Interface
Configure the Security Token Service
Deploy Multiple CA SiteMinder® SPS Instances
Configuring CA SiteMinder® SPS to Support the SessionLinker
How the SessionLinker Works
What the SessionLinker Does Not Support
Enable the SessionLinker
Create the NPS_Session_Linker ACO
Create the NPS_Session_Linker ACO Using webagent.conf
Create the NPS_Session_Linker ACO Using WAMUI
Working with Cookies
Single Session Cookie Enforcement
Enable Wildcard Cookie Names
Determine Cookie Settings
COOKIE Setting
COOKIEDOMAIN Setting
COOKIEPATH Setting
Maintain Links to Multiple Cookies
SessionLinker Troubleshooting
Configuring SSL for CA SiteMinder® SPS
Review the Considerations
Generate a Private Key
Generate a Private Encrypted RSA Server Key
Generate a Private Unencrypted RSA Server Key
Generate and Submit a Certificate Signing Request
Generate and Submit a Certificate Signing Request to a Certificate Authority
Generate a Self-signed Certificate
Download and Install the Certificates from the Certificate Authority
Enable SSL
Enable SSL for an Unencrypted Private Key on Windows
Enable SSL for an Unencrypted Private Key on UNIX
Enable SSL for an Encrypted Private Key
Enable SSL for Virtual Hosts
Configure CA SiteMinder® SPS to Support Integrated Windows Authentication
Windows Authentication Schemes
Configure Windows Authentication
Verify the Prerequisites
Configure a Windows Authentication Scheme
Enable Windows Authentication Scheme
Configure Web Browser to Support Automatic Login
Kerberos Authentication Schemes
Configure Kerberos Authentication
Configure Kerberos Key Distribution Center
Configure Policy Server
Configure Web Server
Configure Windows Workstation
Configure a Kerberos Authentication Scheme
Configure a Kerberos External Realm on Windows
Kerberos Configuration Examples
KDC Configuration on Windows 2008 Example
KDC Configuration on UNIX Example
Kerberos Configuration at the Policy Server on UNIX Example
Kerberos Configuration at the Policy Server on Windows Example
Configure Security Zones on CA SiteMinder® SPS
Security Zones Benefits
Security Zone Basic Use Case
Parameters for Security Zones
Configure CA SiteMinder® SPS Security Zones
Using CA SiteMinder® SPS APIs
Session Scheme API
Overview of Session Scheme API Processing
Session Scheme API Class Files
Constructor for Session Scheme API
Session Scheme API Methods
Implement a Custom Session Scheme
Configure Custom Session Scheme in the server.conf File
Configure Rewritable Session Schemes
Implement the Rewritable Interface
Use an IP Address Session Scheme
Session Storage API
Filter API Overview
How CA SiteMinder® SPS Processes Custom Filters
Associate Custom Filters to Proxy Rules
Filter API Class File
ProxyFilter Interface
BaseProxyFilter Abstract Implementation
ProxyFilterConfig Interface
ProxyResponse Interface
ProxyFilterException Class
ProxyRequest Interface
Implement a Filter
Filter API Example
Using a Filter to Rewrite Absolute Links in a Requested Page
Troubleshooting
A Pop-up Window Appears in the Browser after SSL Configuration
Unable to Start Apache on UNIX systems
Non-English Input Characters Contain Junk Characters
Unable to Log Federation Web Services Errors
DNS is Cached for Every Request
Resource Request Fails
Configure spsagent Logs
Configure SPSAgentTrace Logs
Configure the mod_jk.log File
Configure the httpclient.log File
The Installation Program Displays Warnings
Cannot Start the CA SiteMinder® SPS Server
Cannot Access the CA SiteMinder® SPS with a Browser
Issues Configuring Virtual Hosts
Virtual Hosts Configuration Fails
CA SiteMinder® SPS Not Forwarding Requests
Error in Accessing a SharePoint Page
Release Notes
Secure Proxy Server Release Notes
Operating System Support
Installation and Upgrade Notes
Java JDK Installation Requirement
Documentation
Technical Support
New Features
New Feature for r12.52 SP1
Changed Features
Upgrade of OpenSSL
Defects Fixed in 12.52 SP1
STS Failure (183516)
Resolution of RFI: MBCS URL Support (181151)
User Was Unable to Configure Or Remove CAAdvancedAuthDSN (181778)
The http_connection_timeout Parameter Was Not Working (181742)
SPS 12.51 Exhibited Different Behavior in Different Browsers (178748)
SPS Returned Wrong HTTP Response Value (177085)
The Support of STS Web Service is Unclear (70462)
Unable to Install CA SiteMinder® SPS as a Non-root User (63021, 55654)
The Example Value of xmlns:nete is Incorrect (55916)
The Logout Request URI of Authentication Rest Interface is Incorrect (55904)
The Supported OpenSSL Version is Vulnerable (55897)
http_connection_timeout Fails to Work (55594, 55865)
The SPSTrace Log File Does Not Contain Detailed Logs (55857)
The Path to the Lib Directory is Incorrect (55780)
Unable to Mask Host Headers in Filters (55713)
The Default Values of server.conf File Must be Updated (55630)
Unable to Upload File to an Application (54141)
WebAppClientResponse Parameter Value Changes Automatically (54375)
Defects Fixed in 12.52
Server 500 Error while Accessing the SPS User Interface (178615)
Updates to SPS Documentation (178610)
The Secure Proxy Server Failed to Mask the Destination URL (177119)
SAMLDataPlugin Was Missing in SPS Install (174197)
Administrative User Interface URL Not Clear
Protect the Administrative User Interface Documentation (173062)
Extra Space in Closing TAG (172764)
Extra Space in TAG Name (172760)
Mismatched TAGS in Web Services Document (172758)
SPS Displays Destination Application URL (172522)
HTTP Headers Redirect Mode Was Not Working for SPS (172422)
SPS Start-up Problem
Product Limitations
SAML 2.0 Features that Cannot Be Used with the Simple URL Session Scheme
POST Preservation Issue with Transfer-Encoding Header
Large File Handling Limitation
Filter and Group Filter Name Restrictions
SPS Federation and Security Zones
Limitation for SAML 1.1 Transactions
Documentation
Known Issues
Changes to the Administration Guide
Third-Party Software Acknowledgments
Accessibility Features
Product Enhancements