Install the SiteMinder R12 Protected Resource Assertion
The gateway allows authentication requests to be sent to a CA Single Sign-On (SiteMinder) server, for the purposes of authentication and authorization. CA Single Sign-On FIPS-only mode is supported.
This assertion is deprecated. CA Technologies recommends using the Authenticate Against CA Single Sign-On Assertion, which does not require separate installation.
When configuration is complete, the Authenticate with SiteMinder R12 Protected Resource Assertion appears in the Policy Manager. This custom assertion supports:
- CA Single Sign-On 12.0 SP3 Policy Server integration
- Policy Server running in FIPS-only mode
- Usage of the CA Single Sign-On 5.x Agent API
Gateway Agent Settings
In the CA Single Sign-On Policy Server, an agent setup must exist for the CA API Gateway to use. The Gateway sends authentication requests to the CA Single Sign-On server using the specified agent. The security policies defined in the CA Single Sign-On Policy Server for that agent either permit or deny access to the Web service.
Requirement
Ensure that you have the custom assertion RPM installation file before you configure the Gateway. For example, this is the version for this Appliance Gateway:
ssg-sm12-<version>.x86_64.rpm
This file is located in the "CA API Gateway CustomAssertions" distribution archive.
Configure the Gateway
Two main steps are required to configure Gateway for the SiteMinder R12 Protected Resource assertion:
- Install the custom assertion onto the Gateway server.
- Configure the Gateway Agent properties.
Step 1: Install the Custom Assertion
To install the assertion in a cluster, repeat the following procedure for each Gateway node in the cluster.
To install the custom assertion on the Gateway:
- Log in as ssgconfig and open a privileged shell from the Gateway configuration menu.
- Stop the Gateway: # service ssg stop
- Navigate to the location of the custom assertion installation file.
- Install the custom assertion RPM: # rpm -Uvh ssg-sm12-<version>.x86_64.rpm where "<version>" is the version number of the Gateway, plus an archive number.
- Restart the Gateway: # service ssg start
Step 2: Register a Trusted Host
Next, use the Registration Tool to create the host configuration file that is required to configure the Gateway.
To register a trusted host:
- Make sure that the custom assertion is installed.
- Log in as user ssgconfig and open a privileged shell from the Gateway configuration menu.
- Navigate to the SiteMinder directory: # cd /opt/SecureSpan/siteminder/bin
- Run the SiteMinder Registration Tool with this command: # ./smreghost.sh -i policy_server_IP_address:port -u administrator_username -p administrator_password -hn hostname_for_registration -hc host_configuration_object -cf fips_mode
The hostname is placed in the trusted host list in the SiteMinder Administrative UI. The host configuration is saved to the file SmHost.conf. This file contains the registered hostname, IP address, and shared secret of the CA Single Sign-On (SiteMinder) Policy Server.
Step 3: Configure the Gateway Agent
Configure the siteminder12.agent.configuration cluster property with the following format:
# Agent configuration
# -----------------------------
# multiple agent definitions are supported
<agent_id>.name = name_of_the_agent
<agent_id>.secret = shared_secret
<agent_id>.address = 127.0.0.1
<agent_id>.ipcheck = false
<agent_id>.hostname = name_of_the_registered_hostname
<agent_id>.fipsmode = FIPS_mode
# for non-cluster, define fail over (true) or round-robin load balancing (false)
<agent_id>.noncluster_failover = false
# for clusters, define threshold percentage for failing over to the next cluster sequence
<agent_id>.cluster_threshold = 50
# Server Definitions
# --------------------------
# cluster_seq = 0 : non-cluster deployment, there shouldn't be any cluster sequence numbers other than 0
# cluster_seq >= 1 : cluster deployment, multiple cluster definitions supported
<agent_id>.server.<cluster_seq>.<server_number>.address = 123.101.1.222
<agent_id>.server.<cluster_seq>.<server_number>.authentication.port = 44442
<agent_id>.server.<cluster_seq>.<server_number>.authorization.port = 44443
<agent_id>.server.<cluster_seq>.<server_number>.accounting.port = 44441
<agent_id>.server.<cluster_seq>.<server_number>.connection.min = 1
<agent_id>.server.<cluster_seq>.<server_number>.connection.max = 3
<agent_id>.server.<cluster_seq>.<server_number>.connection.step = 1
<agent_id>.server.<cluster_seq>.<server_number>.timeout = 75
The following table describes the properties in the Agent configuration in more detail.
Property | Description
--- | ---
<agent_id>.name | The name that identifies the Agent to the CA Single Sign-On deployment. The name can include any character, including spaces. Note the following limitations: The "<agent_id>" prefix is entered using the Authenticate with SiteMinder R12 Protected Resource Assertion.
<agent_id>.secret | The negotiated shared secret for the trusted host in the CA Single Sign-On host registration process. This shared secret is obtained from the "sharedsecret" setting in the SmHost.conf file. This file is generated after the Registration Tool is run (see "Step 2: Register a Trusted Host"). IMPORTANT: Passwords are stored in the clear in the cluster property and also travel in the clear between the nodes and the database.
<agent_id>.address | The IP address to which the Agent is bound. The client also connects to this IP address to ask the CA Single Sign-On deployment for authorization to access a resource. This property is required.
<agent_id>.ipcheck | Indicates whether to provide the IP address of the client to the CA Single Sign-On deployment while requesting authorization. Value is a Boolean. Default is false if not specified.
<agent_id>.hostname | The registered hostname. This value is found in the trusted host list in the CA Single Sign-On Administrative UI or in the SmHost.conf file.
<agent_id>.fipsmode | The CA Single Sign-On installation FIPS mode: COMPAT, MIGRATE or ONLY.
<agent_id>.noncluster_failover | If the CA Single Sign-On deployment utilizes multiple servers in a non-cluster configuration, indicate the non-cluster strategy to be used. Value is a Boolean. The default is false if not specified.
<agent_id>.cluster_threshold | If the CA Single Sign-On deployment utilizes multiple servers in a cluster configuration, indicate the percentage of servers within a cluster that must be available before failing over to the next cluster. Defaults to 50 percent if not specified.
Server Definitions | An Agent configuration can have multiple server definitions, for both cluster and non-cluster deployments. Each of the servers defined for an Agent must be properly configured as part of the same CA Single Sign-On deployment. Complete the following set of properties for each server definition (the <agent_id>.server.<cluster_seq>.<server_number>.* lines shown in the format above):
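The format above carries rules that a mistyped cluster property breaks silently: a cluster_seq of 0 mixed with higher sequences, a fipsmode value outside COMPAT/MIGRATE/ONLY, or a server definition missing its ports. The following Python is an added example, not part of CA's documentation or product, that parses a value in this format and reports such violations before the value is pasted into the cluster property; the agent id gw, the placeholder secret, hostname and addresses are constructed.

```python
import re

# Constructed sample in the siteminder12.agent.configuration format described above;
# agent id "gw", the secret, hostname and 192.0.2.10 are placeholders, not real values.
SAMPLE = """
gw.name = Gateway Agent
gw.secret = PLACEHOLDER_SHARED_SECRET_FROM_SmHost.conf
gw.address = 127.0.0.1
gw.hostname = gw-node1
gw.fipsmode = ONLY
gw.server.0.1.address = 192.0.2.10
gw.server.0.1.authentication.port = 44442
gw.server.0.1.authorization.port = 44443
gw.server.0.1.accounting.port = 44441
"""
SERVER_KEY = re.compile(r"^([^.]+)\.server\.(\d+)\.(\d+)\.")
PORTS = ("authentication.port", "authorization.port", "accounting.port")

def parse(text):
    # 'key = value' lines into a dict; blank lines and '#' comments are skipped
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines()) if l and l[0] != "#")
    return {k.strip(): v.strip() for k, _, v in pairs}

def validate(text):
    """Return the rule violations found; an empty list means the property is acceptable."""
    props, problems = parse(text), []
    for a in sorted({k.split(".")[0] for k in props}):
        for req in ("name", "secret", "address", "hostname"):
            if not props.get(f"{a}.{req}"):
                problems.append(f"{a}: missing {req}")
        if props.get(f"{a}.fipsmode", "COMPAT") not in ("COMPAT", "MIGRATE", "ONLY"):
            problems.append(f"{a}: fipsmode must be COMPAT, MIGRATE or ONLY")
        # (cluster_seq, server_number) pairs that have at least one key defined
        servers = {(int(m.group(2)), m.group(3))
                   for m in map(SERVER_KEY.match, props) if m and m.group(1) == a}
        seqs = {seq for seq, _ in servers}
        if not seqs:
            problems.append(f"{a}: no server definitions")
        elif 0 in seqs and len(seqs) > 1:  # cluster_seq 0 = non-cluster: nothing else allowed
            problems.append(f"{a}: cluster_seq 0 cannot be mixed with cluster sequences")
        for seq, num in sorted(servers):
            for need in ("address",) + PORTS:
                v = props.get(f"{a}.server.{seq}.{num}.{need}")
                if not v:
                    problems.append(f"{a}.server.{seq}.{num}: missing {need}")
                elif need != "address" and not (v.isdigit() and 1 <= int(v) <= 65535):
                    problems.append(f"{a}.server.{seq}.{num}: {need} must be 1-65535")
    return problems
```

Run validate() on the text you intend to store; because the secret sits in the clear in this property, keep the checked text out of shell history and shared files.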