Start the Policy Manager

You can access the Policy Manager in the following two ways:
  • Desktop client
    : The standard desktop client provides maximum functionality and best performance, but it requires the Policy Manager application to be installed on the client computer.
  • Browser client
    : The browser-based client provides the greatest flexibility—you can run the Policy Manager from virtually any computer with an Internet connection and a compatible Web browser with a Java Runtime Environment (JRE) installed. However, not all features are available.
Start the Policy Manager from the Desktop Client
To start the Policy Manager as a desktop client, perform the following steps:
  • Linux:
    Navigate to the directory where the Policy Manager is installed and then either run ./Manager.sh or double-click the .sh icon.
  • Windows:
    Click Start, All Programs, Policy Manager, Policy Manager
After the Policy Manager is started, you can connect to the CA API Gateway.
Start the Policy Manager from the Browser Client
The Policy Manager can run within a supported browser using either of the following technologies:
  • Java Web Start:
    This is the preferred technology. It is used by all of the supported browsers.
  • Java applet:
    This is the older technology and is no longer recommended. It is supported only by the latest version of Internet Explorer. Use it only for legacy purposes.
To disable browser client access, use the Enable web-based administration option in the Listen Port Properties ([Endpoints] tab) for the SSL endpoint.
Prerequisites:
  • Verify that the proper Java version is installed for running the Policy Manager from a browser. For more information, see Requirements and Compatibility.
  • Verify that any JavaScript blockers are disabled in the browser.
  • Verify that the operator running the browser client has at least one assigned role in the Policy Manager.
  • Verify that the Policy Manager URL is added to the Java exceptions list. Add the Policy Manager web URL to the Java "Exception Site List" before the browser client can run. For more information, see: https://www.java.com/en/download/faq/exception_sitelist.xml
  • Verify that your browser is running the latest version of Java.
Run the Policy Manager Using Java Web Start Application
  1. Launch Policy Manager using this URL:
    https://<gatewayHostName>:8443/ssg/webstart/manager.jnlp
    : If port 8443 does not work, use port 9443 instead.
  2. Based on the type of browser, perform the following steps:
    For Internet Explorer:
    • Ignore all the security warnings, select the required certificate, and proceed to the login page.
    For Mozilla Firefox:
    • Allow all the Java plug-in pop-ups.
    • Ignore all the security warnings and proceed to the login page.
  3. Once the Policy Manager starts, you can connect to the Gateway.
Run the Policy Manager Using the Java Applet
Internet Explorer is the only browser that still supports the older Java applet technology for the Policy Manager. This section describes the special handling required to eliminate warning messages that appear if your SSL certificate is not signed by a certificate authority.
  1. Launch the Policy Manager using this URL:
    https://<gatewayHostName>:9443/ssg/webadmin
  2. When presented with security or authentication prompts, accept the certificates after verifying the certificate information and thumbprint in accordance with your organization's security policy.
  3. Perform the following steps to enable the Java applet on Internet Explorer:
    1. You see the message "There is a problem with this website's security certificate". Click Continue to this website.
    2. Log in to the Gateway.
    3. Click Certificate Error and then select View Certificates.
    4. Click Install Certificate. The browser's Certificate Import Wizard appears.
    5. Click Next to proceed to the Certificate Store step of the wizard.
    6. Select "Automatically select the certificate store based on the type of certificate" and then click Next. The successful completion screen should now appear.
    7. Click Finish. A confirmation dialog tells you that the SSL certificate was imported successfully into the browser.
    8. Click OK to dismiss the confirmation.
    9. Select the Certification Path tab on the Certificates dialog to import the CA root certificate.
    10. Select the root certificate on the tree of the Certificate Path and then click View Certificate.
    11. Click Install Certificate and run the Certificate Import Wizard. At the security warning, carefully verify the certificate according to your organization's security policies. Contact your network administrator if unsure.
    12. If the certificate is satisfactory, click Yes to proceed with the installation.
    13. Click OK to dismiss the Certificate dialog.
      The browser continues to display Certificate Error until it is restarted, at which point it becomes a padlock icon. To confirm that the certificates are correctly installed: click the error button, select View certificates, and then select the Certificate Path tab. The certificate status should show "This certificate is OK."
  4. Once the connection to the CA API Gateway is established, the Policy Manager checks your user permissions as defined by your role, and then enables the appropriate features within the system.
    If you encounter any problems relating to field focus in the browser client (in other words, you cannot get the cursor to enter a text field), disable any third-party tool bars that may be installed in your browser. Some browsers require a mouse click to switch focus to the browser applet first, before subsequent mouse clicks are interpreted by the Policy Manager.
  5. Connect to the Gateway. 
Connect to the Gateway
Whenever you start the Policy Manager, the Login dialog automatically appears. Use this dialog to connect to the Gateway by doing either of the following steps:
  • Connect to an existing Gateway or cluster by selecting its URL from the drop-down list on the Login dialog.
  • Connect to a new Gateway or cluster by typing its URL in the Login dialog.
You can also display the Login dialog from within the Policy Manager by doing either of the following steps:
  • Click Connect on the Main Tool Bar (if currently connected, you must first Disconnect before connecting to a different Gateway).
  • Select File, Connect from the Main Menu.
Once the connection to the Gateway is established, the Policy Manager verifies your user permissions as defined by your role, and then enables the appropriate features within the system.
CA Technologies recommends using separate accounts for administrative access (that is, connecting to the Gateway) and for message processing (that is, adding a user to a service policy). To simplify using separate user accounts, consider using different identity providers for administration and message traffic.
The following table describes the Login dialog options:
Option: User Name/Password
Description: This option specifies the login User Name and Password. Your account may be configured to remember your user name.
    For security, the administrative user account will be locked for 20 minutes after five unsuccessful login attempts. No further login attempts may be made during the lockout period. The settings can be changed using the Manage Administrative User Account Policy dialog.
Option: Client certificate
Description: This option allows you to log in using a client certificate. Select the certificate from the Certificate drop-down list. To add or remove certificates from the list, click Manage and select a task.
    Users with client certificates are required to use their certificates during login. The 'CN' value in the certificate must match the username.
Option: Gateway
Description: This option allows you to select the Gateway to connect to from the drop-down list. If the correct Gateway is not listed, type the URL in the Gateway field, in the format machinename.domain.com. The URL is saved to the list.
    Install the license file after connecting to a new Gateway.
    Connecting to a non-default port
    To connect to a port other than the default 8443, you must append the SSL Endpoint port number to the Gateway name. For example, mygateway.domain.com:8445.
    IPv6 Support
    The Gateway field supports IPv6 literals for the Gateway host. The following formats are supported:
      [2222::7]
      [2222::7]:8443
    The IPv6 literals must be enclosed within square brackets ("[ ]") to be interpreted correctly.
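An added example, not part of the original documentation: it parses a Gateway value in the formats listed above (default port 8443, bracketed IPv6 literals) and compares the thumbprint of the certificate the Gateway presents with a value obtained out of band, which is the check asked for at the certificate prompts in the applet procedure. The function names and the SHA-256 default are assumptions; use the digest algorithm your organization's policy records.

```python
import hashlib
import hmac
import ipaddress
import re
import ssl

DEFAULT_PORT = 8443  # default SSL endpoint port stated on this page

def parse_gateway_field(value):
    """Split a Gateway field value into (host, port)."""
    value = value.strip()
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", value)
    if m:
        # Bracketed IPv6 literal; ipaddress rejects malformed addresses.
        host = str(ipaddress.IPv6Address(m.group(1)))
    else:
        # Hostname or IPv4; an unbracketed IPv6 literal fails to match here.
        m = re.fullmatch(r"([A-Za-z0-9.-]+)(?::(\d+))?", value)
        if not m:
            raise ValueError(f"unsupported Gateway value: {value!r}")
        host = m.group(1)
    port = int(m.group(2)) if m.group(2) else DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port

def thumbprint(pem, algo="sha256"):
    """Hex digest of the DER-encoded certificate (assumed algorithm: SHA-256)."""
    return hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def matches_pin(pem, pinned, algo="sha256"):
    """Compare with a trusted thumbprint, ignoring case, colons and spaces."""
    want = re.sub(r"[^0-9a-fA-F]", "", pinned).lower()
    return hmac.compare_digest(thumbprint(pem, algo), want)

def check_gateway(field, pinned, algo="sha256"):
    """Fetch the presented certificate (no chain validation) and check the pin."""
    host, port = parse_gateway_field(field)
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(pem, pinned, algo)
```

Call `check_gateway("mygateway.domain.com:8445", pinned)` with the thumbprint supplied by the Gateway administrator; a `False` result means the presented certificate is not the expected one and should not be accepted or installed.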
To edit the list of client certificates:
To add a client certificate to the list, do this:
  1. Click Manage under the Client Certificate option. The Certificate Manager dialog appears.
  2. Click Import and then navigate to the PKCS#12 keystore to load.
  3. Enter the Keystore Password when prompted. The details of the selected certificate are displayed.
  4. Verify that the details are correct and then click OK. The imported certificate is added to the list.
To remove a client certificate from the list, do this:
  1. Click Manage under the Client Certificate option. The Certificate Manager dialog appears.
  2. Select the certificate to be deleted from the Certificate List. The details of the certificate are displayed.
  3. Click Delete and then click Yes to confirm. The certificate is removed from the Certificate List.
  4. Click [OK] to close the Certificate Manager and return to the Login dialog.
Connecting Through a Proxy
If you want to connect to the Gateway through a proxy server, make the following modifications. Follow these steps before using the connection instructions in the previous section.
The modifications that are shown here are required only for the desktop client.
To configure the Policy Manager to use a proxy (Windows):
  1. Locate the file CA API Gateway Policy Manager.ini and open it in a text editor. This file is located in the same directory as the CA API Gateway Policy Manager.exe file.
  2. Add the following string before the "-jar" section of the file. For example, if your .INI file ends with "-jar Manager.jar", then add the string before "-jar".
    -Dhttp.proxyHost=<Proxy_host> -Dhttp.proxyPort=<Proxy_port> -Dhttp.proxyUsername=<User_name> -Dhttp.proxyPassword=<User_password>
  3. Save and exit. The Policy Manager now uses the proxy when connecting to the Gateway.
To configure the Policy Manager to use a proxy (Linux):
  1. Locate the file Manager.ini and open it in a text editor. This file is located in the same directory as the Manager.exe and Manager.jar files.
  2. Add the following to the "extra" variable declaration.
    extra="... -Dhttp.proxyHost=<Proxy_host> -Dhttp.proxyPort=<Proxy_port> -Dhttp.proxyUsername=<User_name> -Dhttp.proxyPassword=<User_password>"
  3. Save and exit and then run Manager.sh. The Policy Manager now uses the proxy host when connecting to the Gateway.