eTrust SiteMinder Agent r5.5 for BEA WebLogic 9.0
eTrust SiteMinder Agent for BEA WebLogic Guide


This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product") is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time.

This Product may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Product is proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the Software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Software are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the Software is limited to the period during which the license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Product have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS PRODUCT "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS PRODUCT, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of this Product and any product referenced in the Documentation is governed by the end user's applicable license agreement.

The manufacturer of this Product is CA.

This Product is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections , , and (c)(1) - (2) and DFARS Section (c)(1)(ii), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright June 15, 2006 CA. All rights reserved.

CA Product References

This document references the following CA products:
- CA eTrust SiteMinder

Preface

Documents Related to this Product

- CA eTrust SiteMinder Agent r5.5 for BEA WebLogic 9.0 Release Notes
- CA eTrust SiteMinder Policy Server SiteMinder Release Notes
- CA eTrust SiteMinder Policy Server SiteMinder Installation Guide
- CA eTrust SiteMinder Policy Server Management
- CA eTrust SiteMinder Policy Design
- CA eTrust SiteMinder Agent Guide
- CA eTrust SiteMinder Glossary

Documentation Conventions

| Object | Represented by | Example |
| Text, in a sentence, that you enter | bold | Enter 1207 in the Host Port field. |
| A complete line of text that you enter or a line of code | courier new | Navigate to c:\siteminder\bin |
| Variables | italic | Enter install_root/bin, where install_root is the location of SiteMinder. |
| Menu trail | selection, selection,... | Choose Start, Settings, and double-click Control Panel |

Training

For information about training, visit the Computer Associates web site at: /

Technical Support

You may contact SiteMinder Technical Support as follows:

Telephone
- Toll-free (U.S. and Canada only): (877) (877-SITEMINDER)
- Asia-Pacific
- International

Online

Please have the following information ready when you contact Technical Support:
- The product name(s) and version number(s)
- The installed components of the product(s)
- The type of computer platforms you are using and the version numbers of the operating systems
- A description of your problem
- Log files indicating the problem

Contents

Preface
  Documents Related to this Product
  Documentation Conventions
  Training
  Technical Support

Chapter 1: Overview
  Introduction
  Required Background Information
  WebLogic Security Overview
  Security Providers
  Java Authentication and Authorization Service (JAAS) Subject/Principals
  WebLogic Security Architecture
  Introducing the SiteMinder Agent
  SiteMinder Identity Asserter (IA)
  SiteMinder Authentication Provider
  SiteMinder Authorization Provider
  SiteMinder Adjudication Provider
  Which SiteMinder Security Providers Do I Need?
  Use Cases
  All SiteMinder Security Providers Use Case
  No Identity Asserter Use Case
  X.509 Identity Asserter Use Case
  Recommended Reading List

Chapter 2: Installing the SiteMinder Agent for WebLogic
  Introduction
  Software Requirement
  Notes About the Installation
  Installation Check Lists
  ASA_HOME Variable
  Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers
  Installing the SiteMinder Agent
  Installation Requirements
  Upgrading the SiteMinder Agent
  Installation Options
  Running the Installation in GUI Mode
  Running the Installation in Console Mode
  Post Installation Steps
  Setting the WebLogic Environment for the SiteMinder Agent
  Setting Up the Agent Configuration File (WebAgent.conf)
  Creating an Agent Configuration File for Each SiteMinder Agent Provider
  Uninstalling the Agent
  Uninstalling the SiteMinder Agent from Windows
  Uninstalling the SiteMinder Agent from UNIX

Chapter 3: Configuring the SiteMinder Identity Asserter
  Overview
  Configuring the SiteMinder Identity Asserter Validation Realm
  Configuring the SiteMinder Identity Asserter in WebLogic
  Configure the SiteMinder Identity Asserter in WebLogic
  Configure an Authentication Provider
  Enabling and Disabling the SiteMinder Identity Asserter
  Post-Configuration Notes
  Verifying that SiteMinder Identity Asserter is Configured Correctly
  Deploy the Sample Security Web Application
  Set Up the Test Scenario
  What to Do Next

Chapter 4: Configuring the SiteMinder Authentication Provider
  Overview
  Configuring the SiteMinder Authentication Provider Realm
  Configuring the SiteMinder Authentication Provider in WebLogic
  Configuring the SiteMinder Authentication Provider
  Determining How Users Are Authenticated
  Configuring the Agent to Return Group Membership to WebLogic Using Responses
  Example: Configuring Groups as Responses for the SiteMinder Agent
  Enabling and Disabling the Authentication Provider

Chapter 5: Configuring the SiteMinder Authorization Provider
  Overview
  Configuring the SiteMinder Authorization Provider Realm
  Configuring the SiteMinder Authorization Provider in WebLogic
  Enabling and Disabling the Authorization Provider

Chapter 6: Configuring the SiteMinder Adjudication Provider
  Overview
  Configuring the SiteMinder Adjudication Provider in WebLogic
  Enabling and Disabling the Adjudication Provider

Chapter 7: Configuring Policies
  Configuring Policies to Support Perimeter Authentication
  Configuring Policies for the SiteMinder Authorization Provider
  SiteMinder Resource Mapping for WebLogic Resources
  Configuring Rules for SiteMinder Authorization Provider
  Configuring Responses for SiteMinder Authentication and Authorization Providers
  Configuring Policies for SiteMinder Authorization Provider

Chapter 8: Logging
  Log File Summary
  SiteMinder Agent Provider Log
  SiteMinder Agent Connection Log
  Proxy Server Web Agent Log
  Configuring SiteMinder Agent Log Files
  Log File Options
  Recording Messages in a Log File
  Displaying SiteMinder Agent Log Messages in a Console
  Setting Log Levels
  Appending Log Messages to an Existing Log File
  Limiting the Log File Size
  Configuring a SiteMinder Agent Provider Log for Each SiteMinder Agent Provider

Chapter 9: Verifying the SiteMinder Agent Installation and Configuration
  Introduction
  Deploy the WebLogic Sample Security Application
  Set Up the Test Scenario
  Modify the Sample Security Web Application
  Set Up the Policy Server for the Security Application
  Enable the SiteMinder Agent Providers
  Configure Logging
  Configure the SiteMinder Adjudication Provider
  Verify that the SiteMinder Agent Providers Start Correctly
  Access the Security Web Application Resource in a Web Browser
  Check the SiteMinder Agent Provider Logs

Appendix A: SiteMinder Agent Installation and Configuration Files
  SiteMinder Agent Directory Structure
  Modifying Configuration Files
  Guidelines for Modifying Configuration Settings
  Agent Configuration
  Trusted Host Configuration

Appendix B: Troubleshooting
  Preparing to Troubleshoot the SiteMinder Agent
  Configuring the WebLogic Server Log
  Configuring the BEA Proxy Log
  Solving Installation Problems
  Solving Runtime Problems
  Solving Configuration Problems

Index


Chapter 1: Overview

Introduction

This chapter introduces the SiteMinder Agent r5.5 for BEA WebLogic Server 9.0 and describes how the SiteMinder Agent integrates with this platform.

Features of the Application Server Agent include:
- SiteMinder integration with the J2EE platform
- Fine-grained access control of the following J2EE resources:
  - Web Applications (including servlets, HTML pages, JSP, image files)
  - JNDI lookups
  - EJB components
  - JMS connection factories, topics, and queues
  - JDBC connection pools
- Support for SiteMinder single sign-on
- Support for WebLogic clustering

The Application Server Agent resides on a WebLogic Server in the middle tier of a multi-tier architecture, between the client and enterprise information systems (EIS) tiers as shown in the following figure.

[Figure: Client Tier (clients), Middle Tier (Application Server Agent on the WebLogic Server, protected resources) and EIS Tier (EIS: database, legacy app.), with the Policy Server (authorization, authentication, administration, accounting), responses, policy store, accounting logs and user directories.]

Required Background Information

This guide is not intended for users who are new to Java, J2EE standards, or application server technology. It assumes that you have the following technical knowledge:
- An understanding of J2EE application servers and multi-tier architecture.
- Familiarity with the WebLogic Security Framework for WebLogic Server.
- Knowledge of how to provide security constraints for J2EE components through deployment descriptors.
- Experience with managing the WebLogic Server, including tasks such as accessing the administrative console.
- Familiarity with SiteMinder concepts, terms, and Policy Server configuration tasks.

To learn more about the Java platform and Application Server technology, refer to the Recommended Reading List.

WebLogic Security Overview

Beginning with WebLogic Server release 7.0, the BEA WebLogic Security Framework provided a new extensible security architecture for the WebLogic Security Service. In the WebLogic Security Framework, access control services are provided by a set of security providers, which are modules implemented using a set of public Security Service Provider Interfaces (SSPIs).

The WebLogic Security Service provides standard security for the WebLogic Server using default security provider implementations. However, because the WebLogic SSPIs are public interfaces, WebLogic security can be extended by adding security providers developed by third-party security suppliers, such as CA, that can assist in making access decisions for protected WebLogic resources. For more information, see Security Providers.

In the WebLogic Security Framework, security in a WebLogic domain is managed in a security realm. Every WebLogic domain includes a security realm, which is a logical grouping of users, groups, roles, resources and security providers.

To gain access to a WebLogic resource, WebLogic requires clients to supply credentials using one of the following methods:

- Perimeter Authentication: The process of authenticating the identity of a remote user outside of the WebLogic domain. User credentials are collected by an authentication agent outside the boundary of the WebLogic container and passed to the WebLogic Server in the form of a token. An Identity Assertion provider (or Identity Asserter) within the WebLogic domain validates the token and obtains authenticated user information, enabling WebLogic to trust the requests and not prompt users for reauthentication.
- WebLogic J2EE Authentication: Client requests are challenged to supply username and password using Basic or Forms authentication. Also, clients can be challenged to supply client certificates.

Security Providers

WebLogic Server supports the following security providers:

- Identity Assertion provider (or Identity Asserter): Validates tokens acquired from an authentication agent outside the WebLogic container, effectively extending WebLogic's single sign-on capabilities to include third-party token types. Identity Asserters work with the authentication provider to validate that the identity of the token received through perimeter authentication maps to a user within the repository configured through WebLogic. Each Identity Asserter can support one or more token formats. Identity Asserters are only required within a security realm to support perimeter authentication.
- Authentication provider: Allows WebLogic Server to establish trust by authenticating and validating users against user directories. A WebLogic security realm must contain at least one authentication provider. Where multiple authentication providers exist within a security realm, their priority is determined by their order and JAAS Control Flag settings.
- Authorization providers: Control the interactions between users and WebLogic resources by providing access decisions, based on user identity, group or role membership, or other criteria. A WebLogic security realm must contain at least one authorization provider.
- Adjudication providers: Provide final access decisions based on decisions made by all authorization providers configured in a WebLogic domain. Where more than one Authorization provider exists, the adjudication provider resolves any authorization conflicts that occur by weighing the result of each Authorization provider's access decision. A WebLogic security realm must always contain a single adjudication provider.
- Audit providers: Record information about security requests.
- Credential mapper provider: Associates, or maps, a WebLogic Server user to the appropriate credentials to be used with a Resource Adapter to access an Enterprise Information System (EIS).

Java Authentication and Authorization Service (JAAS) Subject/Principals

WebLogic Server uses Java Authentication and Authorization Service (JAAS) for remote Java client authentication, and internally for authentication. This section introduces some basic JAAS terminology used in this document.

- Subject: JAAS representation of a user.
- Principal: An identity assigned to a user or group as a result of authentication. Each principal stored in the same subject represents a separate aspect of the same user's identity, much like cards in a person's wallet.

WebLogic Security Architecture

The following figure shows a simple view of the WebLogic security architecture, including perimeter authentication, security providers and WebLogic resources.

Introducing the SiteMinder Agent

The SiteMinder Agent provides a SiteMinder-based access control solution for WebLogic Server by implementing the following security provider modules:

- SiteMinder Identity Asserter (IA): Supports perimeter authentication by validating the following token types:
  - SiteMinder session (SMSESSION) cookies obtained from SiteMinder Web Agents on front-end proxy servers protected by SiteMinder.
  - X.509 certificates obtained from a Certificate Authority.
  See SiteMinder Identity Asserter (IA).
- SiteMinder Authentication Provider: Validates user credentials obtained from the SiteMinder Identity Asserter through perimeter authentication or WebLogic authentication against associated user directories configured in SiteMinder. The SiteMinder Authentication Provider cannot validate credentials obtained from other Identity Asserters. See SiteMinder Authentication Provider.
- SiteMinder Authorization Provider: Provides access decisions based on SiteMinder policy-based authorization support for WebLogic resources. See SiteMinder Authorization Provider.
- SiteMinder Adjudication Provider: Provides the final access decision based on decisions made by all authorization providers configured in a WebLogic domain. Resolves any authorization conflicts that occur if authorization providers are configured in addition to the SiteMinder Authorization Provider. See SiteMinder Adjudication Provider.

Together, the SiteMinder Agent security provider modules establish a comprehensive trust relationship between the WebLogic Server and SiteMinder.

SiteMinder Identity Asserter (IA)

In the Perimeter Authentication model specified in the WebLogic Security Framework, a user's identity is validated outside the boundary of the WebLogic server. In such an environment, the SiteMinder Identity Asserter allows the WebLogic Server to trust requests serviced by a SiteMinder-protected proxy server or associated with a recognized X.509 certificate so that these users are not rechallenged for credentials.

The SiteMinder Identity Asserter supports perimeter authentication by asserting identities obtained from the following token types:

- SiteMinder SMSESSION cookies obtained from a SiteMinder Web Agent on a proxy server configured to:
  - Intercept HTTP requests
  - Authenticate and authorize users through policies defined on the Policy Server
  - Forward requests together with users' credentials (in a session cookie) to the application server as shown in the following figure:

[Figure: a reverse proxy Web server (Web server with proxy plug-in, SiteMinder Web Agent) sends an SMSESSION cookie to the WebLogic Application Server (Web container with Web applications, EJB container with server-side applications, WebLogic Security Services, WebLogic SSPI, SiteMinder IA, other security providers); validation goes to the Policy Server (authorization, authentication, administration, accounting) and the user registry (store).]

- X.509 certificates obtained from a certificate authority and supplied with any HTTP or Java client request as shown in the following figure:

[Figure: an HTTP client (HTTP request with X.509 cert) or a Java client (Java request with X.509 cert) sends a request to the WebLogic Application Server (Web container with Web applications, EJB container with server-side applications, WebLogic Security Services, WebLogic SSPI, SiteMinder IA, other security providers); validation goes to the Policy Server (authorization, authentication, administration, accounting) and the user registry (store).]

When you configure the SiteMinder Identity Asserter as an identity assertion provider in a security realm (for either or both token types), the WebLogic Security Service passes any such tokens associated with a request for a resource within that realm to the SiteMinder Identity Asserter for validation. The SiteMinder Identity Asserter then:

1. Validates the token by calling the Policy Server to:
   - Check that its session is valid (SiteMinder session cookie).
   - Authenticate it against SiteMinder user directories (X.509 certificate).
2. Obtains the requester's userdn from the token and maps it to a username.
3. Passes the associated username and SiteMinder session information back to the WebLogic Security Service.

Note: If you only need to allow SiteMinder Single Sign-On (SSO) clients to access Web applications, you can use the SiteMinder Identity Asserter as a standalone component without any of the other SiteMinder Agent components.

SiteMinder Authentication Provider

The SiteMinder Authentication Provider module allows WebLogic to establish trust by validating user credentials against SiteMinder user directories.

The SiteMinder Authentication Provider can handle:
- Requests that originate from the SiteMinder Identity Asserter (which have already been authenticated by SiteMinder and include SiteMinder session information).
- Authentication requests from the WebLogic security layer when the user credentials are collected through HTTP (browser-based) client authentication and Java Client authentication.

The SiteMinder Authentication Provider validates that the username associated with a request maps to a user within the associated user directory configured in SiteMinder. If SiteMinder authentication is successful, the SiteMinder Authentication Provider populates a WebLogic subject with a SiteMinder principal that contains the username and SiteMinder session data required to prove that SiteMinder authentication has occurred (required by the SiteMinder Authorization Provider).

SiteMinder Authorization Provider

The SiteMinder Authorization Provider determines whether or not an authenticated user is allowed to access a protected WebLogic resource, based on associated SiteMinder policies configured using the Policy Server User Interface.

Note: The SiteMinder Authorization Provider only accepts subjects populated by the SiteMinder Authentication Provider that contain a principal containing SiteMinder session data (required to prove that SiteMinder authentication has occurred). The SiteMinder Authorization Provider provides an ABSTAIN authorization decision for any other subject passed to it.

Like all WebLogic authorization providers, the SiteMinder Authorization Provider provides PERMIT, DENY, or ABSTAIN authorization decisions based on the policies configured for a particular resource and a number of other contributing factors (as shown in the following table). In the table, "-N/A-" denotes either a YES or NO answer that does not affect the final outcome of the authorization decision.

| Was Subject Authenticated by SM Auth. Provider? | Is EnableWebAgent parameter set? | Exceptions (such as Agent connection problems)? | Was the SiteMinder authorization successful? | Authorization Decision |
| No | No | -N/A- | -N/A- | ABSTAIN |
| Yes | No | -N/A- | -N/A- | ABSTAIN |
| No | Yes | -N/A- | -N/A- | ABSTAIN |
| Yes | Yes | Yes | -N/A- | DENY |
| Yes | Yes | No | NO | DENY |
| Yes | Yes | No | YES | PERMIT |

The authorization decision table assumes that the resources in question are protected and that:

- The WebLogic Abstain if Not Protected flag is set to "N". With the flag set this way, the SiteMinder Authorization Provider will always provide a PERMIT decision for requests for unprotected resources. If the flag is set to "Y", the SiteMinder Authorization Provider will always provide an ABSTAIN decision for requests for unprotected resources.
- The WebLogic Abstain if Not Authenticated flag is set to "Y". With the flag set this way, the SiteMinder Authorization Provider will always provide an ABSTAIN decision for requests not authenticated by SiteMinder. If the flag is set to "N", the SiteMinder Authorization Provider will always provide a DENY decision for unauthenticated requests.

SiteMinder Adjudication Provider

The SiteMinder Adjudication Provider resolves any authorization conflicts that may occur when more than one authorization provider is configured in a security realm by weighing the result of each authorization provider's access decision. It does this by tallying different results returned by multiple Authorization providers' access decisions and providing a final decision on whether or not access should be granted to a WebLogic resource.

The SiteMinder Adjudication Provider can be configured to operate in two different modes:

- SiteMinder Precedence: In this mode, the SiteMinder Adjudication Provider assigns maximum weight to the result returned by a SiteMinder Authorization Provider.
- Equal Precedence: In this mode, the SiteMinder Adjudication Provider assigns equal weight to the results returned by all configured Authorization Providers in the security realm.

Note: Do not set EnableWebAgent="NO" for the SiteMinder Adjudication Provider; doing so will prevent the WebLogic Server from starting.

The following table indicates the behavior of these modes:

| SiteMinder Adjudication Mode | Result from SiteMinder Authorization Provider | Result from other Az Providers configured in the WebLogic Security realm | Authorization Decision |
| SiteMinder Precedence | ABSTAIN | PERMIT (all) | PERMIT |
| SiteMinder Precedence | ABSTAIN | DENY (one or more) | DENY |
| SiteMinder Precedence | PERMIT | -N/A- | PERMIT |
| SiteMinder Precedence | DENY | -N/A- | DENY |
| Equal Precedence | ABSTAIN | PERMIT (all) | PERMIT |
| Equal Precedence | ABSTAIN | DENY (one or more) | DENY |
| Equal Precedence | DENY | PERMIT (one or more) | DENY |
| Equal Precedence | PERMIT | DENY (one or more) | DENY |
| Equal Precedence | PERMIT | PERMIT (all) | PERMIT |

Which SiteMinder Security Providers Do I Need?

The SiteMinder security provider modules you require depend on your WebLogic access control needs. Select the security provider modules according to the functionality you require, being careful to ensure that the upstream and downstream requirements (that is, requirements from elements before and after in the flow of data in the security framework) of security providers match up as shown in the following table.

SiteMinder Identity Asserter (for SMSESSION Cookies)
- Upstream Requirements: A trusted issuer of SiteMinder session cookies.
- Downstream Requirements: None.

SiteMinder Identity Asserter (for X.509 Certificates)
- Upstream Requirements: A trusted issuer of X.509 certificate tokens.
- Downstream Requirements: Requires SiteMinder Authentication Provider to authenticate identities obtained from X.509 certificates.

SiteMinder Authentication Provider
- Upstream Requirements: Requires SiteMinder Identity Asserter to validate and obtain user identity and SiteMinder session information from SiteMinder session cookies and X.509 certificates. Does not accept users obtained from other Identity Asserters.
- Downstream Requirements: None.

SiteMinder Authorization Provider
- Upstream Requirements: Requires subject populated by SiteMinder Authentication provider (containing a SiteMinder principal). ABSTAINs from other authorization decisions.
- Downstream Requirements: Requires SiteMinder Adjudication Provider to resolve authorization disputes with other authorization providers.

SiteMinder Adjudication Provider
- Upstream Requirements: Requires SiteMinder Authorization Provider to be one of the configured authorization providers.
- Downstream Requirements: -N/A-

However, it is likely that most deployments will fall into one of two scenarios:

Problem: You need to establish a trust relationship between the SiteMinder and WebLogic Single Sign-On (SSO) environments so that HTTP clients authenticated by SiteMinder are not re-challenged by WebLogic when they access Web applications hosted by a WebLogic Server. You have existing WebLogic or application-based authorization policies that are sufficient for your needs.

Solution: Configure just the SiteMinder Identity Asserter in a perimeter authentication environment in which:
- HTTP requests to Web applications are intercepted by a proxy server protected by a SiteMinder Web Agent
- Users are authenticated through policies defined on the Policy Server
- Requests are forwarded together with a session cookie to the application server.

Problem: You need to implement SiteMinder authentication and authorization policies for all requests for Web and server-side applications.

Solution: Configure the complete SiteMinder Agent solution, comprising:
- SiteMinder Authentication Provider
- SiteMinder Authorization Provider
- SiteMinder Adjudication Provider
- SiteMinder Identity Asserter (optional, if perimeter authentication required)

Use Cases

The following use cases illustrate the use of different SiteMinder Agent components to solve different access control needs.

All SiteMinder Security Providers Use Case

In the perimeter authentication configuration illustrated in the following figure, users can be authenticated through advanced authentication schemes (such as RADIUS or NTLM) by the front-end Web Agent without the need to write custom authentication providers, which would otherwise be required.

[Figure: Web browser; proxy Web server with Web Agent; WebLogic Server with SiteMinder X.509 Identity Asserter, SiteMinder SMSESSION Identity Asserter, SiteMinder Authentication Provider, SiteMinder Authorization Provider, Default Authorization Provider, SiteMinder Adjudication Provider (SiteMinder Precedence), and Web and EJB application containers; decision labels Permit, Deny, Permit.]

No Identity Asserter Use Case

In the configuration illustrated in the following figure, requests from Web and Java clients are made directly to the container. WebLogic collects credentials which are then handled by the SiteMinder Authentication Provider.

[Figure: Java client and Web browser; WebLogic Server with SiteMinder X.509 Identity Asserter, SiteMinder SMSESSION Identity Asserter, SiteMinder Authentication Provider, SiteMinder Authorization Provider, Default Authorization Provider, SiteMinder Adjudication Provider (SiteMinder Precedence), and Web and EJB application containers; decision labels Permit, Permit, Deny.]

X.509 Identity Asserter Use Case

In the configuration illustrated in the following figure, the SiteMinder X.509 Identity Asserter obtains credentials from the certificates associated with a Web or Java client request and passes those on to the SiteMinder Authentication Provider for authentication.

[Figure: Java client and Web browser; WebLogic Server with SiteMinder X.509 Identity Asserter, SiteMinder SMSESSION Identity Asserter, SiteMinder Authentication Provider, SiteMinder Authorization Provider, Default Authorization Provider, SiteMinder Adjudication Provider (SiteMinder Precedence), and Web and EJB application containers; decision labels Permit, Deny, Permit.]
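The authorization decision table and the adjudication table earlier in this chapter, modelled together as an added example (not CA's code and not part of the original guide). The function names, the "siteminder"/"equal" mode strings, the order of the checks and the sample requests are assumptions; combinations the tables do not list raise an error instead of being guessed.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


P, D, A = Decision.PERMIT, Decision.DENY, Decision.ABSTAIN


def siteminder_authz_decision(authenticated_by_sm, enable_web_agent,
                              agent_exception, sm_authorized,
                              abstain_if_not_authenticated=True):
    """Authorization decision table for a protected resource.

    The guide fixes the outcomes; the order of the checks is an assumption.
    """
    if not enable_web_agent:
        return A                       # rows 1-2: EnableWebAgent not set
    if not authenticated_by_sm:
        # Row 3 applies with "Abstain if Not Authenticated" = "Y";
        # the guide states that "N" yields DENY instead.
        return A if abstain_if_not_authenticated else D
    if agent_exception:
        return D                       # row 4: e.g. Agent connection problems
    return P if sm_authorized else D   # rows 5-6


def adjudicate(mode, sm_result, other_results):
    """Adjudication table. mode is "siteminder" or "equal" (assumed names)."""
    if mode not in ("siteminder", "equal"):
        raise ValueError("unknown adjudication mode: %r" % (mode,))
    others = list(other_results)
    if A in others:
        raise ValueError("table does not cover ABSTAIN from other providers")
    # SiteMinder Precedence: a PERMIT or DENY from SiteMinder is final.
    if mode == "siteminder" and sm_result is not A:
        return sm_result
    # Equal Precedence, or SiteMinder abstained: any DENY wins, else PERMIT.
    verdicts = others + ([] if sm_result is A else [sm_result])
    if not verdicts:
        raise ValueError("no provider returned PERMIT or DENY")
    return D if D in verdicts else P


# Constructed sample requests (not taken from the guide).
SAMPLE_REQUESTS = {
    "sm_user_authorized": dict(authenticated_by_sm=True, enable_web_agent=True,
                               agent_exception=False, sm_authorized=True),
    "sm_user_policy_denies": dict(authenticated_by_sm=True, enable_web_agent=True,
                                  agent_exception=False, sm_authorized=False),
    "policy_server_unreachable": dict(authenticated_by_sm=True, enable_web_agent=True,
                                      agent_exception=True, sm_authorized=False),
    "not_sm_authenticated": dict(authenticated_by_sm=False, enable_web_agent=True,
                                 agent_exception=False, sm_authorized=False),
    "agent_disabled": dict(authenticated_by_sm=True, enable_web_agent=False,
                           agent_exception=False, sm_authorized=False),
}


def decision_matrix(other_results):
    """Per sample request: (SiteMinder result, SiteMinder Precedence, Equal Precedence)."""
    rows = {}
    for name, request in SAMPLE_REQUESTS.items():
        sm = siteminder_authz_decision(**request)
        rows[name] = (sm.value,
                      adjudicate("siteminder", sm, other_results).value,
                      adjudicate("equal", sm, other_results).value)
    return rows


if __name__ == "__main__":
    for label, others in (("other provider PERMITs", [P]),
                          ("other provider DENIES", [D])):
        print(label)
        for name, row in decision_matrix(others).items():
            print("  %-26s SM=%-7s precedence=%-6s equal=%s" % ((name,) + row))
```

In both modes an ABSTAIN from the SiteMinder Authorization Provider leaves the final decision to the other configured authorization providers, so the rows where SiteMinder abstains are the ones to review against those providers' policies.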

Recommended Reading List

To learn about Java and BEA's WebLogic Application Server, refer to the following resources:
- Sun Microsystems, Inc. online documentation, found at:
- J2EE Security is described in the following:
- An introduction to the various security provider interfaces offered by BEA WebLogic: realm_chap.html#ream_chap_06
- Detailed information about implementing an Identity Asserter Provider:
- Visit the SiteMinder support site for various documents about offerings and services:

25 Chapter 2: Installing the SiteMinder Agent for WebLogic Introduction Introduction Software Requirement Notes About the Installation Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers Installing the SiteMinder Agent Post Installation Steps Uninstalling the Agent This chapter describes how to install the SiteMinder Agent for WebLogic 9.0 Application Servers on Windows and UNIX platforms. The SiteMinder Agent installation includes the following security providers: Identity Asserter (IA) Authentication Provider Authorization Provider Adjudication Provider For information on the SiteMinder Agent security providers, see the Chapter 1, Overview on page 9. Although each of these providers is installed when you run the SiteMinder Agent installation, you need only configure the providers that you want to use. For information on which providers to configure for your environment, see Which SiteMinder Security Providers Do I Need? on page 19. For configuration instructions, see: Chapter 3, Configuring the SiteMinder Identity Asserter on page 47 Chapter 4, Configuring the SiteMinder Authentication Provider on page 57 Chapter 5, Configuring the SiteMinder Authorization Provider on page 65 Chapter 6, Configuring the SiteMinder Adjudication Provider on page 71 25

26 Software Requirement

Before installing the SiteMinder Agent, install the following software:

- BEA WebLogic Application Server 9.0
  For WebLogic 9.0 hardware and software requirements, see the WebLogic documentation at:
- SiteMinder Policy Server

Note the following:

- For the correct installation order, see Installation Check Lists on page 27.
- For a complete list of supported versions for required software, see the Platform Support Matrices on the SiteMinder Support site at:

To use the SiteMinder Identity Asserter to validate identities obtained from SiteMinder session cookies during perimeter authentication, install the following additional software:

- SiteMinder Web Agent
- A Web server proxy supported by SiteMinder and BEA
  For a list of supported proxies, see:
  - SiteMinder Support site at
    See Platform Support Matrices.
  - BEA's documentation site at: overview.html.
- User directory compatible with the SiteMinder Policy Server and WebLogic Application Server.

Figure 1 shows where each of these software components is installed in an environment that uses SiteMinder SSO-based perimeter authentication.

27 Notes About the Installation

Figure 1: A Sample Application Server Agent Deployment

[Figure labels: Supported Web Server, WebLogic Proxy Plug-in, SiteMinder Web Agent, WebLogic Application Server, SiteMinder Application Server Agent, SiteMinder Policy Server, User Directory]

Note: See Installation Check Lists on page 27 for the correct installation order.

Notes About the Installation

- Installation Check Lists
- ASA_HOME Variable

Installation Check Lists

Before you install the SiteMinder Agent on WebLogic, complete the steps in Figure 2. To ensure proper configuration, follow the steps in order. If you want to use the SiteMinder Identity Asserter (IA) for perimeter authentication, complete the additional steps in Figure 3.

Figure 2: SiteMinder Agent Installation Check List

1. Install and configure the SiteMinder Policy Server.
   Refer to: CA etrust Policy Server Installation Guide
2. Install the BEA WebLogic Application Server.
   Refer to: The BEA WebLogic Application Server documentation.

28 Notes About the Installation

Figure 2: SiteMinder Agent Installation Check List

3. Configure the Policy Server for the SiteMinder Agent.
   Refer to: Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29
4. Install the SiteMinder Agent on the WebLogic Application Server.
   Refer to: Installing the SiteMinder Agent on page 30
   Note: For WebLogic clusters, install the SiteMinder Agent on each node in the cluster.
5. Perform additional required configuration steps.
   Refer to: Post Installation Steps on page 36
6. Optionally, install and configure the requisite software for using the SiteMinder IA for perimeter authentication.
   Refer to: Figure 3. SiteMinder IA Installation Check List on page 28

Complete the steps in Figure 3 only if you want to use the SiteMinder IA to validate identities obtained from SiteMinder session cookies during perimeter authentication.

Figure 3: SiteMinder IA Installation Check List

7. Install a supported Web server on the proxy server system.
   Refer to: The installation documentation provided with the Web server.
8. Install and configure the WebLogic proxy plug-in on the proxy server.
   Refer to: For detailed proxy plug-in installation and configuration directions, see the BEA WebLogic 9.0 Application Server documentation at: docs90/plugins/overview.html.
9. If you want to use the Identity Asserter to validate SiteMinder session cookies obtained from a front-end proxy server protected by a SiteMinder Web Agent, install and configure the Web Agent on the proxy server.
   Refer to: CA etrust SiteMinder Web Agent Installation Guide and the CA etrust SiteMinder Agent Guide

29 Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers

Figure 3: SiteMinder IA Installation Check List

10. Restart the Web server on the proxy server.
    Refer to: The documentation for the Web server.

ASA_HOME Variable

In this guide, ASA_HOME refers to the system variable that points to the installed location of the SiteMinder Agent. For example:

    Windows: ASA_HOME=c:\smwlsasa
    UNIX: ASA_HOME=/opt/smwlsasa

Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers

Before you install the SiteMinder Agent, configure SiteMinder objects for the SiteMinder Agent in the Policy Server User Interface. The Agent objects used by the SiteMinder Agent fully conform to the SiteMinder central Agent management model. Configure the following 5.x Agent objects in a manner similar to a SiteMinder Web Agent. You need to configure:

- Host Configuration Object (one for each application server)
- Agent Configuration Object (one for the SiteMinder Agent providers)
- Agent identity (one for the SiteMinder Agent providers)

Note: If you are using SiteMinder SSO-based perimeter authentication to validate identities obtained from SiteMinder session cookies, you must configure separate Agents for the SiteMinder Agent and Web Agent on the proxy server.

For detailed information about how to configure Agent-related objects (Web Agent and other SiteMinder Agents), see CA etrust SiteMinder Policy Design and the CA etrust SiteMinder Web Agent Installation Guide.

The following procedure is an overview of the Agent configuration process. On the Policy Server:

1. Duplicate or create a Host Configuration Object, which holds initialization parameters for a Trusted Host. The Trusted Host is a server that hosts one or more Agents and handles their connection to the Policy Server.
2. As necessary, add or edit Trusted Host parameters in the Host Configuration Object that you just created.
3. Create an Agent identity for the Agent. You must select Web Agent as the Agent type for a SiteMinder Agent.

30 Installing the SiteMinder Agent

4. Duplicate or create an Agent Configuration Object, which holds Agent configuration parameters and can be used to centrally configure a group of Agents.
5. Add or edit Agent parameters in that Agent Configuration Object. The configuration object must include the DefaultAgentName parameter to specify the Agent identity from Step 3. In addition, the Agent accepts several optional configuration parameters, described in Figure 13 in Appendix A, SiteMinder Agent Installation and Configuration Files on page 103.

What To Do Next

After configuring the Policy Server for the SiteMinder Agent, install the SiteMinder Agent software as described in Installing the SiteMinder Agent on page 30. Then, complete the steps in Post Installation Steps on page 36.

Installing the SiteMinder Agent

- Installation Requirements
- Upgrading the SiteMinder Agent
- Installation Options
- Running the Installation in GUI Mode
- Running the Installation in Console Mode

Installation Requirements

Before you install the SiteMinder Agent:

- Uninstall any previously installed SiteMinder Agent versions.
- Configure the Policy Server for the SiteMinder Agent Providers if you have not already completed the steps in Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29.
- Ensure that a Java Virtual Machine (JVM) is installed and the path to the JVM is present in your environment. For example, on UNIX systems, if your Java Virtual Machine (JVM) is not in the PATH variable, run these commands:

      PATH=$PATH:JVM/bin
      export PATH

  where JVM is the location of your Java Virtual Machine; for example, /opt/jre1.5.0_06/bin
- Make sure you have the following information, as you will be prompted for it during the installation:
  - Installation location of the WebLogic Application Server
  - Policy Server IP Address
  - Information about the Trusted Host:

31 Installing the SiteMinder Agent

    To register a new Trusted Host, you need the name of the Trusted Host Configuration File that you created in Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29.
    Note: If you want to register a new Trusted Host, be sure that the Policy Server is running before you start the SiteMinder Agent installation.
    To use an existing Trusted Host on the physical machine where the SiteMinder Agent resides, you need the location of the SmHost.conf file.
  - Agent Configuration Object name for the Agent you created in Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29.

Upgrading the SiteMinder Agent

You cannot upgrade from any other previous versions of the SiteMinder Agent (previously known as SiteMinder Application Server Agent) for BEA WebLogic. You must uninstall any other previous versions and then install this version of the SiteMinder Agent on your WebLogic Application Server. Also, do not try to install the SiteMinder Agent for BEA WebLogic 9.0 solution with another version of WebLogic.

Installation Options

This section describes the options for installing the SiteMinder Agent. If you need to reinstall the SiteMinder Agent, you must uninstall it first. (See Uninstalling the Agent on page 42.)

Windows: Run the installation in the graphical user interface (GUI) mode to install the SiteMinder Agent. See Running the Installation in GUI Mode in the following section.

UNIX: Use either of these methods to install or upgrade the SiteMinder Agent:

- Use the graphical user interface (GUI) mode. See Running the Installation in GUI Mode in the following section.
- Use the console mode. See Running the Installation in Console Mode on page

32 Installing the SiteMinder Agent

Running the Installation in GUI Mode

The SiteMinder Agent installation program installs all the necessary files for running the SiteMinder Agent. See the SiteMinder Agent Directory Structure on page 103 for a list of installed files and directories.

1. Close all programs.
2. Download one of the following installation files to a temporary location:
   Windows: ca-asa-5.5-wls-win32.exe
   Solaris: ca-asa-5.5-wls-sol.bin
   HP-UX: ca-asa-5.5-wls-hpux.bin
   LINUX: ca-asa-5.5-wls-linux.bin
   Note: Depending on your UNIX system permissions, you might need to add executable permissions to the install file. For example:

       chmod +x ca-asa-5.5-wls-sol.bin

3. Navigate to the directory where you downloaded the file in Step 2, and enter:
   Windows:

       ca-asa-5.5-wls-win32.exe

   or, from Windows Explorer, double-click ca-asa-5.5-wls-win32.exe.
   UNIX:

       sh ./ca-asa-5.5-wls-UNIX_version.bin

   where UNIX_version is sol, hpux, or linux.
4. Read the License Agreement and select I accept the terms of the License Agreement and click Next if you accept the agreement.
5. In the Choose SiteMinder Agent for WebLogic Install Folder dialog box, specify the location for the SiteMinder Agent installation, then click Next. Enter the location in the text box or click Choose to browse for the location. CA recommends the following default location:
   Windows: drive:\smwlsasa
   UNIX: /opt/smwlsasa
   If you specify a directory that doesn't exist, the installer asks if you want to create the directory. Click Yes, Continue to create the directory or No, Go Back to specify a different directory.
6. In the Choose WebLogic Folder dialog box, specify the installation location of the WebLogic Application Server 9.0 and click Install. For example:
   Windows: drive:/bea/weblogic90
   UNIX: /opt/bea/weblogic90
   The installation program installs the required files and prepares to configure the SiteMinder Agent.

33 Installing the SiteMinder Agent

7. In the Host Registration dialog box, respond to the prompt by selecting:
   - Yes, create a trusted host
     The installation registers a trusted host. A trusted host is a client computer where one or more SiteMinder Agents can be installed. The term trusted host refers to the physical system. To establish a connection between the trusted host and the Policy Server, the installer registers the host with the Policy Server. The registration process creates the SmHost.conf file. After this file is created successfully, the client computer becomes a trusted host.
     Note: Before registering a trusted host, you must create a Host Configuration Object and specify the destination Policy Server(s) there. See Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29 for more information.
   - No, use existing file
     The installation uses an existing SmHost.conf file to establish the connection between the trusted host and the Policy Server. Select this option if you have already registered the system where you are installing the SiteMinder Agent as a trusted host.
8. Complete one of the following steps, then click Next:

   If you are creating a new trusted host, then specify the following information:
   - Policy Server IP Address: The IP address of the Policy Server where you are registering the host.
   - SM Admin Username: The name of the administrator allowed to register the host with the Policy Server.
   - SM Admin Password: The password for the SM Admin account.
   - Host Name: A unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name.
   - Host Config Object: The name of the Host Configuration Object specified in the Policy Server.

   If you are using an existing trusted host, then enter the location of the Host configuration file (SmHost.conf) in the text box, or click Choose to browse for the file. If you are using the SmHost.conf file from a previously installed Web Agent, the location of SmHost.conf is Web Agent installation\config

34 Installing the SiteMinder Agent

9. In the Agent Configuration dialog box, supply the name of the Agent Configuration Object that you created for the SiteMinder Agent and click Next.
10. In the Install Complete dialog box, click Done.
11. Restart the WebLogic Application Server for installation changes to take effect.

Running the Installation in Console Mode

The SiteMinder Agent installation script installs all the necessary files for running the SiteMinder Agent. See the SiteMinder Agent Directory Structure on page 103 for a list of installed files and directories.

1. Close all programs.
2. Connect to the system where WebLogic is installed as the user who installed WebLogic. For example, if you connected as root, connect as root to install the SiteMinder Agent.
3. Download one of the following files to a temporary directory:
   Solaris: ca-asa-5.5-wls-sol.bin
   HP-UX: ca-asa-5.5-wls-hpux.bin
   LINUX: ca-asa-5.5-wls-linux.bin
   Note: Depending on your permissions, you might need to add executable permissions to the install file. For example:

       chmod +x ca-asa-5.5-wls-sol.bin

4. In a UNIX shell, enter the following command to start the install:

       sh ./ca-asa-5.5-wls-UNIX_version.bin -i console

   where UNIX_version is sol, hpux, or linux. For example, the command for Solaris is:

       sh ./ca-asa-5.5-wls-sol.bin -i console

   Note: The -i console portion of the command is optional. It lets you run the installation from a console instead of a user interface.
   If your Java Virtual Machine (JVM) is not in the PATH variable, run these commands:

       PATH=$PATH:JDK/bin
       export PATH

   where JDK is the location of your Java Development Kit; for example, /opt/bea/jdk141_06
5. Read the License Agreement and enter Y, then press Enter if you accept the agreement.
6. In the Choose Install Folder section, specify the location for the SiteMinder Agent installation, then press Enter. CA recommends the following default location:

35 Installing the SiteMinder Agent

       /opt/smwlsasa

7. Enter 2, then press Enter to create or confirm the install location.
8. Specify the root of the WebLogic Application Server 9.0 installation. For example:

       /opt/bea/weblogic90

   The installation program installs the required files and prepares to configure the SiteMinder Agent.
9. Specify whether the installation program should create a new trusted host or use an existing trusted host file by entering:
   - 1: The installation registers a trusted host. A trusted host is a client computer where one or more SiteMinder Agents can be installed. The term trusted host refers to the physical system. To establish a connection between the trusted host and the Policy Server, the installer registers the host with the Policy Server. The registration process creates the SmHost.conf file. After this file is created successfully, the client computer becomes a trusted host.
     Note: Before registering a trusted host, you must create a Host Configuration Object in the Policy Server. See Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29 for more information.
   - 2: The installation uses an existing SmHost.conf file to establish the connection between the trusted host and the Policy Server. Select this option if you have already registered the system where you are installing the SiteMinder Agent as a trusted host.
10. Complete one of the following steps:

    If you entered 1 in Step 9 to create a new trusted host, then enter the following information:
    - Policy Server IP Address: The IP address of the Policy Server where you are registering the host.
    - SM Admin Username: The name of the administrator allowed to register the host with the Policy Server.
    - SM Admin Password: The password for the SM Admin account.
    - Host Name: A unique name that represents the trusted host to the Policy Server. This name does not have to be the same as the physical client system that you are registering; it can be any unique name.
    - Host Config Object: The name of the Host Configuration Object specified in the Policy Server.

36 Post Installation Steps

    If you entered 2 in Step 9 to use an existing trusted host configuration file, then enter the location of the host configuration file (SmHost.conf). If you are using the SmHost.conf file from a previously installed Web Agent, the location of SmHost.conf is Web_Agent_installation/config
    For example: /opt/siteminder/webagent/config

11. Supply the name of the Agent Configuration Object that you created for the SiteMinder Agent.
12. In response to the installation complete prompt, press ENTER to exit the install program. The installation of the SiteMinder Agent is now complete.
13. Restart the WebLogic Application Server for installation changes to take effect.

Post Installation Steps

Once you have installed the SiteMinder Agent, complete these steps:

1. Set up home, library path, and classpath environment variables. See Setting the WebLogic Environment for the SiteMinder Agent on page
2. Set up the Agent configuration file (WebAgent.conf). See Setting Up the Agent Configuration File (WebAgent.conf) on page
3. Configure the following SiteMinder Agent providers as needed:
   - To configure the Identity Asserter, see Configuring the SiteMinder Identity Asserter on page 47
   - To configure the SiteMinder Authentication Provider, see Configuring the SiteMinder Authentication Provider on page 57
   - To configure the SiteMinder Authorization Provider, see Configuring the SiteMinder Authorization Provider on page 65
   - To configure the SiteMinder Adjudication Provider, see Configuring the SiteMinder Adjudication Provider on page
4. Set up policies for the SiteMinder Agent with the SiteMinder Policy Server. For information on creating policies, see Netegrity Policy Design and Chapter 7, Configuring Policies on page

37 Post Installation Steps

Setting the WebLogic Environment for the SiteMinder Agent

Before the SiteMinder Agent can operate with the WebLogic Application Server, you must configure SiteMinder Agent-related environment settings in one of the following:

- The WebLogic start script for both managed and standalone servers (startweblogic.cmd on Windows; startweblogic.sh on UNIX)
  Note: The startweblogic.cmd (Windows) or startweblogic.sh (UNIX) script that contains the environment configuration is placed in the "bin" folder of a created domain.
- If using the Node Manager to control Managed Servers, the Server Start configuration page in the WebLogic Administration Console. For details regarding the "Server Start" configuration page, refer to WebLogic documentation found at: ConfigureStartupArgumentsForManagedServers.html

To do this, in the location appropriate for your environment:

- Define a Java environment variable smasa.home that refers to the directory where the SiteMinder Agent for WebLogic 9.0 is installed.
- Add the following SiteMinder Agent files and directories to the CLASSPATH variable:
  - ASA_HOME\conf
  - ASA_HOME\lib\smjavaagentapi.jar
  - ASA_HOME\lib\smjavasdk2.jar
  - ASA_HOME\lib\sm_jsafe.jar
  - ASA_HOME\lib\smclientclasses.jar
- Add ASA_HOME\bin to the java.library.path Java environment variable.

Where ASA_HOME is the location where the SiteMinder Agent for WebLogic 9.0 is installed.

Example: Standalone WebLogic Server (Windows)

1. Edit the startweblogic.cmd file. The startweblogic.cmd is located in wl_install\user_projects\domains\your_domain\bin where wl_install is the installed location of the WebLogic application server, and your_domain is the name of the WebLogic domain where the SiteMinder Agent is installed. For example:

       C:\bea\user_projects\domains\MyDomain\bin\startWebLogic.cmd

2. Define the SMASA_CLASSPATH as follows (enter the value on a single line):

       set SMASA_CLASSPATH=ASA_HOME\conf;ASA_HOME\lib\smjavaagentapi.jar;ASA_HOME\lib\smjavasdk2.jar;ASA_HOME\lib\sm_jsafe.jar;ASA_HOME\lib\smclientclasses.jar;

38 Post Installation Steps

   where ASA_HOME is the location where the SiteMinder Agent for WebLogic 9.0 is installed.
3. Add %SMASA_CLASSPATH% to the beginning of the CLASSPATH definition. The modified CLASSPATH variable should resemble the following:

       set CLASSPATH=%SMASA_CLASSPATH%;%CLASSPATH%

4. Define the SM_JAVA_OPTIONS variable as follows:

       set SM_JAVA_OPTIONS=-Djava.library.path="ASA_HOME\bin;%PATH%" -Dsmasa.home="ASA_HOME"

5. Add %SM_JAVA_OPTIONS% to the execution entry. The modified execution entry should resemble the following:

       %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %SM_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%

6. Save startweblogic.cmd.
7. Restart the WebLogic Application Server for changes to take effect.

Example: Standalone WebLogic Server (UNIX)

1. Edit the startweblogic.sh file. The startweblogic.sh is located in wl_install/user_projects/domains/your_domain/bin where wl_install is the installed location of the WebLogic application server, and your_domain is the name of the WebLogic domain where the SiteMinder Agent is installed. For example:

       /opt/bea/user_projects/domains/mydomain/bin/startweblogic.sh

2. Define the SMASA_CLASSPATH as follows (enter the value on a single line):

       SMASA_CLASSPATH=ASA_HOME/conf:ASA_HOME/lib/smjavaagentapi.jar:ASA_HOME/lib/smjavasdk2.jar:ASA_HOME/lib/sm_jsafe.jar:ASA_HOME/lib/smclientclasses.jar:

   where ASA_HOME is the location where the SiteMinder Agent for WebLogic 9.0 is installed.
3. Add ${SMASA_CLASSPATH} to the beginning of the CLASSPATH definition. The modified CLASSPATH variable should resemble the following:

       CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}

4. Define the SM_JAVA_OPTIONS variable as follows:

       SM_JAVA_OPTIONS="-Djava.library.path=ASA_HOME/bin:${PATH} -Dsmasa.home=ASA_HOME"

5. Add ${SM_JAVA_OPTIONS} to the execution entry. The modified execution entry should resemble the following:

39 Post Installation Steps

       ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${SM_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME}

6. Save startweblogic.sh.
7. Restart the WebLogic Application Server.

Setting Up the Agent Configuration File (WebAgent.conf)

The SiteMinder Agent installation creates an Agent configuration file (WebAgent.conf) that contains the following default configuration information:

- EnableWebAgent
- HostConfigFile
- AgentConfigObject

Note: For additional parameters that you can configure in the Agent configuration file, see Agent Configuration on page 104.

The Agent configuration file is located in the ASA_HOME\conf directory, where ASA_HOME is the location where you installed the SiteMinder Agent. For example:

    For Windows: C:\smwlsasa\conf
    For UNIX: /opt/smwlsasa/conf

You can use the default Agent configuration file for all of the SiteMinder Agent Providers, or you can create a separate configuration file for each Provider. The following table describes the benefits of both configurations:

40 Post Installation Steps

Configuration: All Providers share the same configuration
Benefits:
- Agent configuration is defined centrally in the Agent Configuration Object in the Policy Server and applies to all Providers. See Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29.
  Note: The settings in the Agent Configuration Object are dynamic. You do not have to restart the Application Server for a setting change to take effect.
- Information from all Providers is written to the same log.
- You can enable or disable all of the SiteMinder Agent Providers in a single location.

Configuration: You create a separate Agent configuration file for each provider
Benefits:
- Agent configuration can be defined locally in the WebAgent.conf file so you can have different settings for each Provider.
  Note: The AllowLocalConfig parameter in the Agent Configuration Object must be set to yes. See Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29.
- Provider-specific information can be written to a separate log file. For example, you can configure one log file for Identity Asserter messages and a different log file for Authentication Provider messages.
- You can enable or disable each Provider separately.
- You can configure different cache settings for each Provider.

41 Post Installation Steps

Creating an Agent Configuration File for Each SiteMinder Agent Provider

To create an Agent configuration file for each SiteMinder Agent Provider:

1. In the Policy Server User Interface:
   a. Open the Agent Configuration Object that you created for the SiteMinder Agent components.
   b. Set the AllowLocalConfig parameter to yes.
2. On the system where the SiteMinder Agent is installed:
   a. Create a configuration file by copying the WebAgent.conf file. The WebAgent.conf file is located in ASA_HOME\conf. Save the configuration file with a name that indicates the Provider to which the file applies. For example, name the configuration file for the Identity Asserter IAWebAgent.conf. Be sure that the agentname, HostConfigFile, and the AgentConfigObject parameters are configured correctly.
   b. Add parameters to the renamed WebAgent.conf file as described in Modifying Configuration Files on page 104.
   c. Repeat Step a and Step b for each SiteMinder Agent Provider.

To configure a SiteMinder Agent Provider to use the configuration file that you created, you specify the file when you configure the provider in the WebLogic Administrative Console:

- Configuring the SiteMinder Identity Asserter on page 47
- Configuring the SiteMinder Authentication Provider on page 57
- Configuring the SiteMinder Authorization Provider on page 65
- Configuring the SiteMinder Adjudication Provider on page 71
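The UNIX environment settings and the default WebAgent.conf parameters described in the post-installation steps above can be checked before the server is restarted. The following preflight script is an added example, not part of the CA guide: its function names and messages, the assumed name=value syntax of WebAgent.conf, the world-writable check, and the sample tree created by build_sample are assumptions of this example.

```shell
# Added example, not CA code. Function names and messages are assumptions.

# Entries the guide adds to CLASSPATH, relative to ASA_HOME.
SMASA_CP_ENTRIES="conf lib/smjavaagentapi.jar lib/smjavasdk2.jar lib/sm_jsafe.jar lib/smclientclasses.jar"

# Print SMASA_CLASSPATH for ASA_HOME=$1, joined with ':' and no trailing
# separator, so ${SMASA_CLASSPATH}:${CLASSPATH} contains no empty entry.
smasa_classpath() {
    path_list=""
    for entry in $SMASA_CP_ENTRIES; do
        path_list="${path_list:+$path_list:}$1/$entry"
    done
    printf '%s\n' "$path_list"
}

# Report classpath entries and the native library directory missing under $1.
check_asa_layout() {
    rc=0
    for entry in $SMASA_CP_ENTRIES bin; do
        [ -e "$1/$entry" ] || { echo "missing: $1/$entry"; rc=1; }
    done
    return "$rc"
}

# Report files under conf, lib and bin that any local user can modify; the
# server JVM loads them through CLASSPATH and java.library.path.
check_world_writable() {
    found=$(find "$1/conf" "$1/lib" "$1/bin" ! -type l -perm -0002 2>/dev/null)
    [ -z "$found" ] && return 0
    echo "$found" | sed 's/^/world-writable: /'
    return 1
}

# Print the value of parameter $2 in configuration file $1. Assumed syntax:
# name=value lines, optional double quotes, '#' starts a comment line.
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# Check that the three default WebAgent.conf parameters are set and that
# HostConfigFile names an existing file.
check_agent_conf() {
    rc=0
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    for name in EnableWebAgent HostConfigFile AgentConfigObject; do
        [ -n "$(conf_value "$1" "$name")" ] || { echo "unset: $name in $1"; rc=1; }
    done
    host_conf=$(conf_value "$1" HostConfigFile)
    [ -z "$host_conf" ] || [ -f "$host_conf" ] ||
        { echo "missing: HostConfigFile target $host_conf"; rc=1; }
    return "$rc"
}

# Check start script $1 against steps 2 to 5 of the UNIX example. Assumes the
# java command is written on a single line, as in the guide.
check_start_script() {
    rc=0
    for token in SMASA_CLASSPATH SM_JAVA_OPTIONS java.library.path smasa.home; do
        grep -Fq -- "$token" "$1" || { echo "not set in $1: $token"; rc=1; }
    done
    grep -Eq '^[[:space:]]*CLASSPATH="?\$\{SMASA_CLASSPATH\}:' "$1" ||
        { echo "CLASSPATH in $1 does not start with \${SMASA_CLASSPATH}"; rc=1; }
    grep -F 'bin/java' "$1" | grep -Fq 'SM_JAVA_OPTIONS' ||
        { echo "java command line in $1 does not pass SM_JAVA_OPTIONS"; rc=1; }
    return "$rc"
}

# Build a constructed sample install tree ($1) and start script ($2).
build_sample() {
    mkdir -p "$1/conf" "$1/lib" "$1/bin"
    for jar in smjavaagentapi smjavasdk2 sm_jsafe smclientclasses; do
        : > "$1/lib/$jar.jar"
    done
    : > "$1/conf/SmHost.conf"
    cat > "$1/conf/WebAgent.conf" <<EOF
# constructed sample values
EnableWebAgent="YES"
HostConfigFile="$1/conf/SmHost.conf"
AgentConfigObject="SampleAgentConfig"
EOF
    cat > "$2" <<EOF
SMASA_CLASSPATH=$(smasa_classpath "$1")
CLASSPATH=\${SMASA_CLASSPATH}:\${CLASSPATH}
SM_JAVA_OPTIONS="-Djava.library.path=$1/bin:\${PATH} -Dsmasa.home=$1"
\${JAVA_HOME}/bin/java \${JAVA_VM} \${MEM_ARGS} \${JAVA_OPTIONS} \${SM_JAVA_OPTIONS} -Dweblogic.Name=\${SERVER_NAME}
EOF
}

# Usage: sh preflight.sh ASA_HOME START_SCRIPT (exits 1 on any finding).
if [ "$#" -eq 2 ]; then
    status=0
    check_asa_layout "$1" || status=1
    check_world_writable "$1" || status=1
    check_agent_conf "$1/conf/WebAgent.conf" || status=1
    check_start_script "$2" || status=1
    exit "$status"
fi
```

When a provider uses its own copy of the configuration file, such as IAWebAgent.conf, check_agent_conf can be pointed at that copy instead.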

42 Uninstalling the Agent

Uninstalling the Agent

- Uninstalling the SiteMinder Agent from Windows
- Uninstalling the SiteMinder Agent from UNIX

Uninstalling the SiteMinder Agent from Windows

1. In the WebLogic Administration Console, remove the SiteMinder Agent Providers:

   To remove the SiteMinder Identity Asserter, Authentication Provider or Authorization Provider, complete these steps:
   1. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
   2. Click on the name of the realm you are configuring (for example, myrealm).
   3. Click the Providers tab.
   4. Click the tab for the type of provider that you are removing. For example, click the Authentication tab to remove the SiteMinder Identity Asserter.
   5. Click the Lock and Edit button.
   6. Select the SiteMinder provider from the list and click Delete.
   7. Click Yes to confirm the deletion.

   To remove the SiteMinder Adjudication Provider, complete these steps:
   1. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
   2. Click on the name of the realm you are configuring (for example, myrealm).
   3. Click the Providers tab.
   4. Click the Adjudication tab.
   5. Click the Lock and Edit button.
   6. Select the SiteMinder Adjudication provider from the list and click Replace.
   7. On the Create a New Adjudication Provider page:
      - Specify a name for the Adjudication Provider in the Name field. For example, SMAdjudicationProvider.
      - Select a replacement Adjudication Provider from the Type dropdown list.
   8. Click OK to save the new Adjudication Provider.

43 Uninstalling the Agent

   Warning: Make sure that there are other providers to assume the responsibility of the provider that you are removing before you restart the WebLogic Server.

5. Stop the WebLogic Server.
   Note: If you try to uninstall the SiteMinder Agent while WebLogic is still running, the SiteMinder Agent might not be completely uninstalled.
6. Go to the ca-asa-wls-uninstall directory in the folder where you installed the SiteMinder Agent. For example: ASA_HOME\asa-wls-uninstall
7. Double-click uninstall.exe and the Uninstall dialog box appears.
8. In the Uninstall dialog box, click Uninstall.
9. When the uninstall is complete, click Done.
10. If required, manually delete the ASA_HOME directory (for example, smwlsasa) that the install program created.

Uninstalling the SiteMinder Agent from UNIX

1. In the WebLogic Administration Console, remove the SiteMinder Agent Providers:

   To remove the SiteMinder Identity Asserter, Authentication Provider or Authorization Provider, complete these steps:
   1. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
   2. Click on the name of the realm you are configuring (for example, myrealm).
   3. Click the Providers tab.
   4. Click the tab for the type of provider that you are removing. For example, click the Authentication tab to remove the SiteMinder Identity Asserter.
   5. Click the Lock and Edit button.
   6. Select the SiteMinder provider from the list and click Delete.
   7. Click Yes to confirm the deletion.

44 Uninstalling the Agent

   To remove the SiteMinder Adjudication Provider, complete these steps:
   1. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
   2. Click on the name of the realm you are configuring (for example, myrealm).
   3. Click the Providers tab.
   4. Click the Adjudication tab.
   5. Click the Lock and Edit button.
   6. Select the SiteMinder Adjudication provider from the list and click Replace.
   7. On the Create a New Adjudication Provider page:
      - Specify a name for the Adjudication Provider in the Name field. For example, SMAdjudicationProvider.
      - Select a replacement Adjudication Provider from the Type dropdown list.
   8. Click OK to save the new Adjudication Provider.

   Warning: Make sure that there are other providers to assume the responsibility of the provider that you are removing before you restart the WebLogic Server.

5. Stop the WebLogic Server.
   Note: If you try to uninstall the SiteMinder Agent while WebLogic is still running, the SiteMinder Agent might not be completely uninstalled.
6. Open a UNIX shell and go to ASA_HOME/asa-wls-uninstall.
7. Enter the following command:

       sh ./uninstall.bin

   Note: Depending on your permissions, you might need to add executable permissions to the uninstall file. For example:

       chmod +x uninstall.bin

   The Uninstaller begins.
8. Press ENTER to start the uninstallation. The uninstallation program removes the SiteMinder Agent components from your system.

45 Uninstalling the Agent

9. If necessary, manually delete the ASA_HOME directory (for example, smwlsasa) that the installation created:
   a. Go to the directory one level above where the SiteMinder Agent is installed. For example: /opt
   b. Enter:

          rm -rf ASA_HOME


Chapter 3: Configuring the SiteMinder Identity Asserter

  Overview
  Configuring the SiteMinder Identity Asserter Validation Realm
  Configuring the SiteMinder Identity Asserter in WebLogic
  Enabling and Disabling the SiteMinder Identity Asserter
  Post-Configuration Notes
  Verifying that SiteMinder Identity Asserter is Configured Correctly
  What to Do Next

This chapter describes how to configure the SiteMinder Identity Asserter to operate with the WebLogic Application Server.

Overview

In environments that use perimeter authentication, the SiteMinder Identity Asserter (IA) validates the following token types:
- SiteMinder session (SMSESSION) cookies obtained from Web Agents on front-end proxy servers protected by SiteMinder.
- X.509 certificates obtained from a Certificate Authority.

After validating a token, the SiteMinder IA passes a valid user name and additional session information to an authentication provider for authentication within the WebLogic domain. For more information, see SiteMinder Identity Asserter (IA) on page 15.

Figure 4 lists the steps to configure the SiteMinder Identity Asserter.

Figure 4: SiteMinder Identity Asserter Configuration Check List

Completed | Step | Refer to
          | 1. Configure a SiteMinder validation realm. | Configuring the SiteMinder Identity Asserter Validation Realm on page 48
          | 2. Configure the SiteMinder Identity Asserter in WebLogic. | Configuring the SiteMinder Identity Asserter in WebLogic on page
          | 3. Enable the Identity Asserter. | Enabling and Disabling the SiteMinder Identity Asserter on page 51
          | 4. Verify that the SiteMinder Identity Asserter is configured correctly. | Verifying that SiteMinder Identity Asserter is Configured Correctly on page 52
          | 5. Optionally, configure the SiteMinder Authentication, Authorization, and Adjudication Providers. | Chapter 4, Configuring the SiteMinder Authentication Provider on page 57; Chapter 5, Configuring the SiteMinder Authorization Provider on page 65; Chapter 6, Configuring the SiteMinder Adjudication Provider on page 71
          | 6. Set up logs to record Identity Asserter activity. | Chapter 8, Logging on page 87

Configuring the SiteMinder Identity Asserter Validation Realm

The Identity Asserter requires that you create a validation realm using the Policy Server User Interface. This realm allows the Identity Asserter to validate users' credentials using session information received from the SMSESSION cookie set by the SiteMinder Web Agent, or to validate X.509 Client Certificates.

1. Start the SiteMinder Policy Server User Interface.
2. On the System tab, right-click Authentication Schemes and select Create Authentication Scheme to create an authentication scheme for the validation realm. Enter the following:
   - Name: Enter a unique name for the authentication scheme.
   - Authentication Scheme Type: Select an X509 Client Cert authentication scheme, such as X509 Client Cert Template, to enable the Identity Asserter to validate X.509 Client Certificates.
   - Server Name: Enter the name of the server where WebLogic is installed.
   - Target: Leave the default value unchanged.
   Note: This authentication scheme only passes credentials to the Policy Server for verification. It does not redirect requests to an SSL credential collector. Therefore, the Policy Server does not use the values specified in the Server Name and Target fields.
   See the Authentication Schemes chapter in the CA eTrust SiteMinder Policy Design guide for instructions on creating an authentication scheme.

3. Right-click Domains and select Create Domain to create a policy domain that you want to protect. Associate the domain with a user directory that contains the users who can access protected resources.
4. On the Domains tab, right-click the domain from Step 2 and select Create Realm.
5. In the SiteMinder Realm dialog, enter the following information:
   - Name: A unique name for the realm, for example, SiteMinder Identity Asserter Validation Realm
   - Description: An optional description for the realm
   - Agent: The name of the SiteMinder Agent identity that you created for the SiteMinder Agent. For details, see Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29. Enter the Agent name in the text box or click Lookup to select the Agent name from a list of configured Agent identities.
   - Resource Filter: /smiavalidationrealm
   - Authentication Scheme: Select the Authentication Scheme that you created in Step 2.
6. Click the Session tab and disable session timeouts. If the session timeouts are not disabled, the identity assertion process may fail and the native WebLogic security services may challenge the request.
7. Click OK.

You do not need to configure any rules for the Identity Asserter validation realm.

Configuring the SiteMinder Identity Asserter in WebLogic

  Configure the SiteMinder Identity Asserter in WebLogic
  Configure an Authentication Provider

Configure the SiteMinder Identity Asserter in WebLogic

Configure the Identity Asserter in the Security Realms Node in the WebLogic Administration console.

1. Start the WebLogic server and the WebLogic Server Administration Console.
2. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
3. Click on the name of the realm you are configuring (for example, myrealm).
4. Click the Providers tab.
5. If necessary, click the Authentication tab to display the Authentication Providers list.
6. Click the Lock and Edit button.
7. (Optional) Delete the DefaultIdentityAsserter provider, if it is one of the authentication providers listed.
8. Click New to create a new Authentication Provider.

9. On the Create a New Authentication Provider page:
   - Specify a name for the Identity Asserter in the Name field. For example, SMIdentityAsserter
   - Select SiteMinderIdentityAsserter from the Type dropdown list.
   Note: If SiteMinderIdentityAsserter is not listed in the Type dropdown list, check the SiteMinder Agent installation to determine if it was completely successful. Check Chapter 2, Installing the SiteMinder Agent for WebLogic on page 25 and Appendix B, Troubleshooting on page 111.
10. Click OK to save the new Identity Asserter Provider.
11. Click the entry for your SiteMinder Identity Asserter in the Authentication Providers list to open it for editing:
   a. On the Configuration tab, click the Provider Specific link.
   b. In the Config File field, enter the location of the configuration file for the SiteMinder Identity Asserter.
      If you are using the default Agent configuration file (WebAgent.conf), the location is ASA_HOME/conf/WebAgent.conf. If you created a new Agent configuration file for the Identity Asserter, be sure to enter the location and file name of the file you created. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)
      You can use an absolute or relative path. If you use a relative path, the configuration file will be relative to the smasa.home/conf or relative to your current WebLogic server's working directory, BEA_HOME/user_projects/yourdomain.
   c. In the Active Types Chooser, use the arrow key to move the SMSESSION and X.509 token types from the Available field to the Chosen field, as needed. Click Apply.
      Note: Each token type is handled by only one Identity Asserter. If you want the SiteMinder Identity Asserter to handle X.509 token types, be sure that no other Identity Asserter is configured to handle X.509 tokens.
   d. In the User Name Attribute Mapper String field, specify an attribute in a user DN that stores a user name to be used only when the SiteMinder session cookie does not contain a NAME attribute.
      When the Identity Asserter receives a token that does not contain a NAME attribute through perimeter authentication, it extracts the user name from the specified attribute in the user DN and maps it to a user in the WebLogic user directory. For example, if the user DN is uid=jsmith, ou=myorganization, o=mycompany.com, and you specify uid in the User Name Attribute Mapper String field, the user name jsmith is passed to WebLogic.
12. Click Save.
13. If you finished configuring SiteMinder Agent Providers, restart the WebLogic server for the changes to take effect. If you are configuring additional SiteMinder Agent Providers, you can restart the WebLogic server after all of the configuration steps are complete.
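The DN lookup described for the User Name Attribute Mapper String field can be previewed offline before you commit a mapping. The following is an added example, not the SiteMinder Agent's own code: it parses RFC 4514 string DNs, and picking the leftmost match when an attribute repeats is this example's assumption, as are all function names.

```python
"""Added example: preview the user name a DN attribute mapping would yield.

Not the SiteMinder Agent's code. Parsing follows RFC 4514 string DNs;
choosing the leftmost match is this example's assumption.
"""

HEX = set("0123456789abcdefABCDEF")


def _scan(dn):
    """Decode backslash escapes into (byte string, was_escaped) items."""
    items, i = [], 0
    while i < len(dn):
        if dn[i] != "\\":
            items.append((dn[i].encode("utf-8"), False))
            i += 1
            continue
        pair = dn[i + 1:i + 3]
        if len(pair) == 2 and set(pair) <= HEX:
            items.append((bytes([int(pair, 16)]), True))     # \xx hex pair
            i += 3
        elif i + 1 < len(dn):
            items.append((dn[i + 1].encode("utf-8"), True))  # \, \+ \= \\ ...
            i += 2
        else:
            raise ValueError("dangling backslash at end of DN")
    return items


def _split(items, sep):
    """Split on a separator byte that was not escaped."""
    parts, current = [], []
    for item in items:
        if item == (sep, False):
            parts.append(current)
            current = []
        else:
            current.append(item)
    parts.append(current)
    return parts


def _text(items):
    """Drop unescaped surrounding spaces and decode the rest as UTF-8."""
    start, end = 0, len(items)
    while start < end and items[start] == (b" ", False):
        start += 1
    while end > start and items[end - 1] == (b" ", False):
        end -= 1
    return b"".join(chunk for chunk, _ in items[start:end]).decode("utf-8")


def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (attribute, value)."""
    rdns = []
    for rdn in _split(_scan(dn), b","):
        pairs = []
        for ava in _split(rdn, b"+"):          # '+' joins a multi-valued RDN
            if (b"=", False) not in ava:
                raise ValueError("RDN component without '=': %r" % _text(ava))
            cut = ava.index((b"=", False))
            pairs.append((_text(ava[:cut]), _text(ava[cut + 1:])))
        rdns.append(pairs)
    return rdns


def map_user_name(dn, mapper_attr):
    """Return (user_name, warnings) for the attribute named in the mapper field."""
    wanted = mapper_attr.strip().lower()
    matches = [value for rdn in parse_dn(dn) for attr, value in rdn
               if attr.lower() == wanted]
    warnings = []
    if not matches:
        warnings.append("attribute %r not present in DN" % mapper_attr)
        return None, warnings
    if len(set(matches)) > 1:
        warnings.append("attribute %r occurs %d times; using the leftmost"
                        % (mapper_attr, len(matches)))
    if not matches[0]:
        warnings.append("attribute %r has an empty value" % mapper_attr)
    return matches[0], warnings


if __name__ == "__main__":
    # Constructed DNs; the first is the example from the guide.
    for dn, attr in [
        ("uid=jsmith, ou=myorganization, o=mycompany.com", "uid"),
        ("CN=Smith\\, John,OU=Staff,O=mycompany.com", "cn"),
        ("cn=John Smith+uid=jsmith,ou=Staff,o=mycompany.com", "uid"),
        ("ou=Contractors,ou=Staff,o=mycompany.com", "ou"),
        ("cn=admin,ou=Staff,o=mycompany.com", "uid"),
    ]:
        print(attr, "<-", dn, "=>", map_user_name(dn, attr))
```

A warning for a repeated or missing attribute is the cue to pick a different mapper attribute, because the name that reaches WebLogic decides which WebLogic user the request runs as.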

Configure an Authentication Provider

For the Identity Asserter to propagate the user identity, an authentication provider must be able to verify that the user exists in a user store.

You cannot use the Identity Asserter with the default authentication provider connected to the internal BEA LDAP; it is not supported. You must configure the SiteMinder Authentication Provider and/or an authentication provider for a directory supported by both CA and BEA. See Configuring the SiteMinder Authentication Provider on page 57. See BEA's documentation for information about configuring authentication providers other than the SiteMinder Authentication Provider. For a list of SiteMinder supported directories, see the matrix on the SiteMinder Support site, and see Platform Support Matrices.

Enabling and Disabling the SiteMinder Identity Asserter

After making all configuration changes, enable the Identity Asserter so that it can communicate with the Policy Server to gather management information. When you disable an Identity Asserter, it no longer validates the user and authentication defaults to WebLogic's native security mechanism.

You enable or disable the SiteMinder Identity Asserter in the Agent configuration file for the Agent. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)

1. Open the Agent configuration file in the ASA_HOME\conf directory.
2. Set the EnableWebAgent parameter as follows:
   - To enable the Identity Asserter, set EnableWebAgent to Yes as follows: EnableWebAgent="Yes"
   - To disable the Identity Asserter, set EnableWebAgent to No: EnableWebAgent="No"

Note: The EnableWebAgent parameter applies to all of the Providers that use the Agent configuration file. For example, if you configured all of the SiteMinder Agent Providers to use a single Agent configuration file, setting EnableWebAgent to Yes enables all of the Providers.

For more information, see Modifying Configuration Files on page

Post-Configuration Notes

To leverage an Identity Asserter, WebLogic requires that Web applications are configured to use the CLIENT-CERT authentication method. For each Web application, modify the web application deployment descriptor as follows:

    <auth-method>CLIENT-CERT</auth-method>

Then redeploy the web application onto WebLogic server.

To test your configuration and integration, see Verifying that SiteMinder Identity Asserter is Configured Correctly on page 52. If you need to troubleshoot the configuration, see Appendix B, Troubleshooting on page 111.

Verifying that SiteMinder Identity Asserter is Configured Correctly

  Deploy the Sample Security Web Application
  Set Up the Test Scenario

This section describes a test scenario you can use to confirm that your Web Agent, proxy plug-in, Identity Asserter, and WebLogic Application Server are integrated correctly. The test scenario uses a sample security web application, located at BEA_HOME/weblogic90/samples/server/examples/build/exampleswebapp.

To verify that the Identity Asserter is operating correctly:
1. Deploy the Sample Security Web Application.
2. Set Up the Test Scenario.
3. Modify the Sample Security Web Application.

Deploy the Sample Security Web Application

Add the following security constraint to the web application deployment descriptor:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>jws_webservice_jsp</web-resource-name>
        <url-pattern>/JWS_WebService.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>privilegeduser</role-name>
      </auth-constraint>
    </security-constraint>

Deploy the sample security web application and verify that it works properly with the authentication provider and other security settings you configured.

To verify that the sample is installed and protected correctly, use a web browser to access the following security web application resource:

JWS_WebService.jsp

where fully_qualified_domain_name is the name of the system where WebLogic is installed.

For example:

When you access this URL, WebLogic prompts you for credentials using a default realm. After the authentication and authorization process, you will be granted access to the target resource.

Set Up the Test Scenario

The goal of this test scenario is to create a SiteMinder realm and associate it with an HTML forms authentication scheme, so that the Web Agent does the following before forwarding the user's session and credential information to WebLogic:
- Intercepts the HTTP request for the security web application.
- Challenges the user for credentials.
- Authenticates the user.

The Identity Asserter's role is to verify the SiteMinder token created by the Web Agent, and assert the user identity to the WebLogic server.

Use the following security web application resource:

where
- fully_qualified_domain_name is the name of the Web server's machine
- port is the port number

For example:

To set up the test scenario:
1. Modify the Sample Security Web Application
2. Set up the Web Server Proxy for the WebLogic Server
3. Set up the SiteMinder Web Server Agent
4. Set up a SiteMinder Policy for the Web Server Agent
5. Access the Security Web Application Resource in a Web Browser

Modify the Sample Security Web Application

To leverage an Identity Asserter, WebLogic requires that the target web application be configured to use the CLIENT-CERT authentication method. Modify the sample security web application deployment descriptor, as follows:

    <auth-method>CLIENT-CERT</auth-method>

Redeploy the sample security web application onto WebLogic server.
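Both the Post-Configuration Notes and the sample application step depend on the deployment descriptor being right, which can be checked before redeploying. The following lint is an added example, not part of the SiteMinder Agent: the sample descriptor is constructed (the guide's constraint plus a login-config left at BASIC), and the finding codes are names chosen here.

```python
"""Added example: lint a web.xml for the settings the Identity Asserter needs.

Not part of the SiteMinder Agent. SAMPLE_WEB_XML is constructed, and the
finding codes are names chosen for this example.
"""
import xml.etree.ElementTree as ET

# Constructed descriptor: the guide's security constraint plus a login-config
# that still uses BASIC instead of CLIENT-CERT.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jws_webservice_jsp</web-resource-name>
      <url-pattern>/JWS_WebService.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>privilegeduser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the check works for any web-app version."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *path):
    """Return the elements reached by following child element names in path."""
    found = [elem]
    for name in path:
        found = [c for e in found for c in e if _local(c.tag) == name]
    return found


def _texts(elem, *path):
    """Return the stripped text of every element reached through path."""
    return [(e.text or "").strip() for e in _find(elem, *path)]


def check_descriptor(xml_text):
    """Return a list of (code, message) findings for one deployment descriptor."""
    root = ET.fromstring(xml_text)
    findings = []

    # Identity assertion is only used when the application asks for CLIENT-CERT.
    methods = _texts(root, "login-config", "auth-method")
    if not methods:
        findings.append(("AUTH_METHOD_MISSING",
                         "no <login-config>/<auth-method>; CLIENT-CERT is required"))
    elif methods[0].upper() != "CLIENT-CERT":
        findings.append(("AUTH_METHOD_WRONG",
                         "auth-method is %r; identity assertion needs CLIENT-CERT"
                         % methods[0]))

    constraints = _find(root, "security-constraint")
    if not constraints:
        findings.append(("NO_CONSTRAINT",
                         "no <security-constraint>; no resource requires a login"))
    for sc in constraints:
        patterns = _texts(sc, "web-resource-collection", "url-pattern")
        verbs = _texts(sc, "web-resource-collection", "http-method")
        label = ", ".join(patterns) or "(no url-pattern)"
        if not _find(sc, "auth-constraint"):
            findings.append(("NO_AUTH_CONSTRAINT",
                             "%s: no <auth-constraint>, so no login is required" % label))
        elif not _texts(sc, "auth-constraint", "role-name"):
            findings.append(("DENY_ALL",
                             "%s: empty <auth-constraint> denies every user" % label))
        if verbs:
            # A constraint that names methods applies to those methods only.
            findings.append(("PARTIAL_METHODS",
                             "%s: constraint covers only %s; other HTTP methods "
                             "are not constrained" % (label, "/".join(verbs))))
    return findings


if __name__ == "__main__":
    for code, message in check_descriptor(SAMPLE_WEB_XML):
        print(code, "-", message)
```

The PARTIAL_METHODS finding is informational: the guide's sample constraint lists GET and POST, so decide whether other methods should reach the JSP at all.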

Set up the Web Server Proxy for the WebLogic Server

The Identity Asserter requires that the WebLogic server run in proxy mode. Therefore, you need to set up a Web server proxy for your WebLogic server. See WebLogic documentation about Using Web Server Plug-Ins With WebLogic Server.

Set up the SiteMinder Web Server Agent

The Identity Asserter requires that a SiteMinder Web Agent run in the front-end Web server, which proxies the requests to the WebLogic server. For information about using the SiteMinder Web Agent, see the SiteMinder Agent Guide r5.x/6.x or the SiteMinder Agent Operations Guide v4.x.

Set up a SiteMinder Policy for the Web Server Agent

1. Start the SiteMinder Policy Server User Interface.
2. On the System tab, right-click User Directories and select Create User Directory to make a user directory configured to the same LDAP user store as the one used by WebLogic. For more information on creating user directories, see Policy Design r5.x/6.x.
3. Right-click Domains and select Create Domain to create a policy domain that you want to protect. Assign the user directory from Step 2 to this domain. For more information on creating domains, see the Netegrity Policy Design document.
4. On the Domains tab, right-click the domain from Step 3 and select Create Realm. In the SiteMinder Realm dialog box, enter the following:
   - Name: Security Web Application Realm
   - Description: Security Web Application Realm
   - Agent: The name of the SiteMinder Web Agent identity that you specified in the DefaultAgentName parameter in the Agent Configuration Object or WebAgent.conf file.
   - Resource Filter: /exampleswebapp
   - Authentication Scheme: Forms Auth Scheme
     For instructions on creating an HTML forms authentication scheme, see the Netegrity SiteMinder Policy Design document.
   - Default Resource Protection: Protected
5. Click OK.
6. Right-click the realm from Step 4 and select Create Rule Under Realm.
7. In the SiteMinder Rule dialog, create a Security Web Application Rule and include all the agent actions.
8. Click Apply and OK.
9. Create and assign a policy that uses the Security Web Application Realm from Step 4 and the Security Web Application Rule from Step 7.

Access the Security Web Application Resource in a Web Browser

After setting up a user directory, realm, rule, policy, and policy domain in the Policy Server User Interface, access the security web application resource.

1. Make sure that the Policy Server, Web server, and WebLogic are running.
2. Make sure that the Web Agent and the Identity Asserter are both enabled by setting EnableWebAgent="Yes" in both of their Agent configuration files. For more information about the Web Agent and the Identity Asserter Agent configuration files, see Modifying Configuration Files on page
3. In a browser, access the security web application resource through the Web server at the following URL:

   JWS_WebService.jsp

   where
   - fully_qualified_domain_name is the name of the machine where Web server is installed.
   - port is the port number.

   For example:

The Web Agent should challenge you for credentials using the HTML forms authentication scheme associated with the Security Web Application Realm. Once you are authorized by the Web Agent, the request is forwarded to the WebLogic server. At this time, the Identity Asserter verifies the authentication for the WebLogic server. The user identity is propagated for WebLogic authorization. Once authorized by the WebLogic server, you should be granted access to the security web application resource on the WebLogic server.

To double-check that everything is working as expected, check the Web Agent, Identity Asserter, and WebLogic log files. For details about logging, see Chapter 8, Logging on page 87.

If everything is working properly, you should find the following references in the SiteMinder Identity Asserter's log file:
- "The SiteMinder Identity Asserter has been successfully initialized."
- "The SiteMinder Identity Asserter is propagating the user identity: ID to the WebLogic server".

If you do not find these references, you will need to troubleshoot the configuration. See Appendix A, SiteMinder Agent Installation and Configuration Files on page
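The log check above can be scripted so that it also confirms which identity reached WebLogic, not only that some identity did. This is an added example, not part of the SiteMinder Agent: the two message texts are quoted from the guide, while the timestamp and level prefix in the sample lines and the function name are constructed.

```python
"""Added example: check an Identity Asserter log for the two success messages.

Not part of the SiteMinder Agent. The message texts are quoted from the guide;
the timestamp and level prefix in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter

INIT_MSG = "The SiteMinder Identity Asserter has been successfully initialized."
PROPAGATE_RE = re.compile(
    r"The SiteMinder Identity Asserter is propagating the user identity: "
    r"(?P<user>.+?) to the WebLogic server")

# Constructed log lines for the demonstration.
SAMPLE_LOG = """\
[2006-03-01 10:15:02][INFO] The SiteMinder Identity Asserter has been successfully initialized.
[2006-03-01 10:17:40][INFO] The SiteMinder Identity Asserter is propagating the user identity: jsmith to the WebLogic server
[2006-03-01 10:18:05][INFO] The SiteMinder Identity Asserter is propagating the user identity: jsmith to the WebLogic server
[2006-03-01 10:21:13][INFO] The SiteMinder Identity Asserter is propagating the user identity: mjones to the WebLogic server
"""


def check_asserter_log(lines, expected_user=None):
    """Summarise a log and list what is missing for a passing test run.

    expected_user is the account used at the Web Agent's login form; when
    given, the check fails unless that exact identity was propagated.
    """
    initializations = 0
    before_init = 0
    users = Counter()
    for line in lines:
        if INIT_MSG in line:
            initializations += 1          # more than one means a restart
            continue
        match = PROPAGATE_RE.search(line)
        if match:
            users[match.group("user").strip()] += 1
            if initializations == 0:
                before_init += 1

    problems = []
    if initializations == 0:
        hint = ""
        if before_init:
            hint = " (identities were propagated, so the start of the log may be in an older file)"
        problems.append("no initialization message" + hint)
    if not users:
        problems.append("no identity was propagated to WebLogic")
    elif expected_user is not None and expected_user not in users:
        problems.append("expected user %r was not propagated; saw %s"
                        % (expected_user, sorted(users)))
    return {
        "initializations": initializations,
        "users": dict(users),
        "problems": problems,
    }


if __name__ == "__main__":
    result = check_asserter_log(SAMPLE_LOG.splitlines(), expected_user="jsmith")
    print(result)
```

An identity in the log that differs from the account used at the login form points at the user directory or the User Name Attribute Mapper String rather than at the Web Agent.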

What to Do Next

To finish enabling the SiteMinder Agent solution to protect WebLogic resources, complete these steps in any order:

- Configure the SiteMinder Authentication, Authorization, and Adjudication Providers to implement the complete SiteMinder Agent solution (optional). See the following chapters:
  - Chapter 4, Configuring the SiteMinder Authentication Provider on page 57
  - Chapter 5, Configuring the SiteMinder Authorization Provider on page 65
  - Chapter 6, Configuring the SiteMinder Adjudication Provider on page 71
- If you configured the complete SiteMinder Agent solution, verify that the SiteMinder Authentication, Authorization, and Adjudication Providers are configured correctly. See Chapter 9, Verifying the SiteMinder Agent Installation and Configuration on page 95.
- Configure SiteMinder policies for the Web Agent on the proxy server. See the CA eTrust SiteMinder Policy Design guide.

Chapter 4: Configuring the SiteMinder Authentication Provider

  Overview
  Configuring the SiteMinder Authentication Provider Realm
  Configuring the SiteMinder Authentication Provider in WebLogic
  Configuring the Agent to Return Group Membership to WebLogic Using Responses
  Enabling and Disabling the Authentication Provider

Overview

The SiteMinder Authentication Provider authenticates a user within the WebLogic security realm by checking the user's credentials against a SiteMinder directory. After validating a user, the Authentication Provider adds the SiteMinder principal to the subject. The Authentication Provider can also obtain the groups that users belong to and populate the subject with a principal for each group.

For more information on how the SiteMinder Authentication provider works, see SiteMinder Authentication Provider on page 17. For more information on WebLogic principals and subjects, see BEA's documentation at:

Figure 5 lists the steps to configure the SiteMinder Authentication provider.

Figure 5: SiteMinder Authentication Provider Configuration Check List

Completed | Step | See
          | 1. Configure a SiteMinder realm for authentication. | Configuring the SiteMinder Authentication Provider Realm on page 58
          | 2. Configure the SiteMinder Authentication provider in WebLogic. | Configuring the SiteMinder Authentication Provider in WebLogic on page 59
          | 3. Configure the SiteMinder Agent to return group membership to the WebLogic Server. | Configuring the Agent to Return Group Membership to WebLogic Using Responses on page 62
          | 4. Enable the Authentication provider. | Enabling and Disabling the Authentication Provider on page 64

Configuring the SiteMinder Authentication Provider Realm

The SiteMinder Authentication Provider requires that you create an authentication realm using the Policy Server User Interface. This realm allows the Authentication Provider to validate user credentials against a SiteMinder user directory.

1. Start the SiteMinder Policy Server User Interface.
2. Right-click Domains and select Create Domain to create a policy domain that you want to protect. Add the user directories that SiteMinder will use to authenticate users to the domain.
3. On the Domains tab, right-click the domain from Step 2 and select Create Realm.
4. In the SiteMinder Realm dialog, enter the following information:
   - Name: A unique name for the realm, for example, SiteMinder Authentication Provider Validation Realm
   - Description: An optional description for the realm
   - Agent: The name of the SiteMinder Agent identity that you created for the SiteMinder Agent. For details, see Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29. Enter the Agent name in the text box or click Lookup to select the Agent name from a list of configured Agent identities.
   - Resource Filter: /smauthenticationrealm
   - Authentication Scheme: Select Basic.
5. Click the Session tab. Disable any session time-outs and make sure the No Persistent Session option is selected.
6. Click OK.

You do not need to configure any rules or policies for the Authentication provider validation realm.

Warning: After initial setup, do not attempt to reconfigure the SiteMinder Authentication validation realm while the WebLogic Application Server is running.

Configuring the SiteMinder Authentication Provider in WebLogic

  Configuring the SiteMinder Authentication Provider
  Determining How Users Are Authenticated

Configuring the SiteMinder Authentication Provider

Configure the Authentication Provider in the Security Realms Node in the WebLogic Administration console.

1. Start the WebLogic server and the WebLogic Server Administration Console.
2. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
3. Click on the name of the realm you are configuring (for example, myrealm).
4. Click the Providers tab.
5. If necessary, click the Authentication tab to display the Authentication Providers list.
6. Click the Lock and Edit button.
7. Click New to create a new Authentication Provider.
8. On the Create a New Authentication Provider page:
   - Specify a name for the Authentication Provider in the Name field. For example, SMAuthenticationProvider.
   - Select SiteMinderAuthenticationProvider from the Type dropdown list.
   Note: If SiteMinderAuthenticationProvider is not listed, check the SiteMinder Agent installation to determine if it was completely successful. Check Chapter 2, Installing the SiteMinder Agent for WebLogic on page 25 and Appendix B, Troubleshooting on page 111.
9. Click OK to save the new Authentication Provider.
10. Click the entry for your SiteMinder Authentication Provider in the Authentication Providers list to open it for editing.
11. In the SiteMinder Authentication Provider configuration page, complete the following:
   a. In the Control Flag field, select the priority that applies to the SiteMinder Authentication Provider. See Setting the Control Flag on page 61 for a description of the options in the Control Flag field.
      Note: If your environment includes other authentication providers, we recommend setting the Control Flag for the SiteMinder Authentication Provider to SUFFICIENT.
   b. Click the Provider Specific tab.
   c. In the SMAuth Provider Config File field, enter the location of the configuration file for the Authentication Provider.
      If you are using the default Agent configuration file, the location is ASA_HOME/conf/WebAgent.conf. If you created a new Agent configuration file for the Authentication Provider, be sure to enter the location and file name of the file you created. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)
      You can use an absolute or relative path. If you use a relative path, the configuration file will be relative to the directory smasa.home/conf or relative to your current WebLogic server's working directory, BEA_HOME/user_projects/yourdomain.
   d. Click Save.
12. If multiple authentication providers are configured for the security realm, specify the order in which WebLogic executes the authentication providers as described in Configuring the Execution Order on page
13. If the Default Authentication Provider is configured for the security realm, change the Control Flag setting for the Default Authentication Provider from REQUIRED to SUFFICIENT.
14. Enable the Authentication Provider. See Enabling and Disabling the Authentication Provider on page 64.
15. Enable SiteMinder logging. See Chapter 8, Logging on page 87.
16. Restart the WebLogic server and check SiteMinder logs to verify that the Authentication Provider is configured correctly. If you are configuring additional SiteMinder Agent Providers, you can restart the WebLogic server after all of the configuration steps are complete.

Determining How Users Are Authenticated

In a WebLogic security realm that includes multiple authentication providers, the process for authenticating users is determined by:
- The execution order of the configured authentication providers
- The Control Flag setting for each authentication provider

Configuring the Execution Order

You can list the order in which WebLogic executes authentication providers in the WebLogic Administration Console. When a user attempts to access a protected resource, WebLogic executes the first authentication provider in the list. After the first authentication attempt, WebLogic determines whether to execute the next authentication provider based on the following criteria:
- The outcome of the first authentication attempt
- The control flag setting for the authentication provider that performed the authentication. (See Setting the Control Flag on page 61 for more information.)

For example, if the SiteMinder Authentication Provider is configured first in the execution order with control flag setting SUFFICIENT and it fails to authenticate a user, the user's request is rejected immediately. WebLogic does not execute any other Authentication Providers (unless other providers are set to REQUIRED).

To configure the execution order:
1. Start the WebLogic server and the WebLogic Server Administration Console.
2. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
3. Click on the name of the realm you are configuring (for example, myrealm).
4. Click the Providers tab.
5. If necessary, click the Authentication tab to display the Authentication Providers list.
6. Click the Lock and Edit button.
7. Click Reorder.
8. In the Reorder Authentication Providers list box, select a configured provider and use the arrows to change its position in the list.
9. Click Apply.

Setting the Control Flag

When you configure an authentication provider in the WebLogic Administrative Console, you set the control flag on the General tab on the properties page for the provider. The Control Flag determines how much weight an authentication decision has in an environment that includes multiple Authentication Providers. You can select one of the following options for the control flag:

REQUIRED
   This Authentication provider is always called, and the user must always pass its authentication test. After this authentication provider attempts to authenticate the user, WebLogic executes the other configured authentication providers, regardless of whether or not the authentication attempt succeeded.

REQUISITE
   The authentication provider must authenticate the user. After the user is authenticated by the authentication provider, other authentication providers attempt to validate the user. The user can fail to authenticate through any other authentication provider, except providers that have the control flag set to REQUIRED.

SUFFICIENT
   If a user is authenticated by the authentication provider, no other authentication is required (unless another authentication provider has the control flag set to REQUIRED). REQUIRED modules listed after a module flagged SUFFICIENT do not run if it passes.

OPTIONAL
   The user may pass or fail the authentication provider authentication. If all of the authentication providers are set to OPTIONAL, the user must pass at least one authentication test.

See BEA's documentation for more information on the control flag: SetTheJAASControlFlag.html

Configuring the Agent to Return Group Membership to WebLogic Using Responses

During user authentication, the SiteMinder Agent can return physical or virtual group membership information to the WebLogic Server by using SiteMinder HTTP header responses from the Policy Server.

When the SiteMinder Agent receives responses containing the _SM_WLS_GROUP=group_name syntax (where group_name is a response attribute value from the Policy Server that could be a physical group name from the user store or a virtual group), the SiteMinder Agent converts the group_name value to a group principal and adds this principal to the subject after successful authentication. The SiteMinder Agent adds one group principal for each response it receives from the Policy Server.

Example: Configuring Groups as Responses for the SiteMinder Agent

Before following this example, retrieve the 5.5/6.0 CA eTrust SiteMinder Policy Design manual, as you will need it as a reference when performing these steps.

Step 1: Configuring a Rule in the SiteMinder Authentication Realm

1. Review Configuring the SiteMinder Authentication Provider Realm on page 58.
2. Use these sections as a reference:
   - "Configuring a Rule for Authentication Event Actions" on page 454 in the 6.0 CA eTrust SiteMinder Policy Design manual
   - "Configuring a Rule for Authentication Event Actions" on page 426 in the 5.5 SP2 CA eTrust SiteMinder Policy Design manual.
3. In the SiteMinder Authentication Realm, configure an OnAuthAccept rule named Group Authentication Rule with a * resource filter.

Step 2: Configuring Responses for the SiteMinder Authentication Realm

1. Use these sections as a reference:
   - "Configuring a Response" on page 488 in the 6.0 CA etrust SiteMinder Policy Design manual
   - "Configuring a Response" on page 456 in the 5.5 SP2 CA etrust SiteMinder Policy Design manual.
2. In the policy domain for the SiteMinder Authentication Realm, create SiteMinder responses with a static HTTP header attribute for the following sample WebLogic groups:

| Name | Attribute Kind | Variable Name | Variable Value |
| --- | --- | --- | --- |
| Group Administrators | Static HTTP Header | _SM_WLS_GROUP | Administrators |
| Group Deployers | Static HTTP Header | _SM_WLS_GROUP | Deployers |
| Group Monitors | Static HTTP Header | _SM_WLS_GROUP | Monitors |
| Group Operators | Static HTTP Header | _SM_WLS_GROUP | Operators |

Step 3: Configuring Policies in the SiteMinder Authentication Realm

1. Use these sections as a reference:
   - "Configuring a Policy" on page 560 in the 6.0 CA etrust SiteMinder Policy Design manual
   - "Configuring a Policy" on page 536 in the 5.5 SP2 CA etrust SiteMinder Policy Design manual.
2. In the policy domain for the SiteMinder Authentication Realm:
   a. Configure a policy named Group Administrator Policy.
   b. Attach the Administrator group, or users who belong to the Administrator group, to this policy.
   c. Attach the Group Authentication Rule from Step 1: Configuring a Rule in the SiteMinder Authentication Realm to this policy.
   d. Bind the Group Administrator response from Step 2: Configuring Responses for the SiteMinder Authentication Realm to this rule.
   e. Repeat this step and configure separate policies for the Deployers, Operators, and Monitors groups.
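The outcome of Steps 1 to 3 can be reviewed before deployment with a small model of the policy domain. The following is an added example, not code from the guide or from the SiteMinder Agent: it reproduces the described conversion (one group principal per `_SM_WLS_GROUP` response) so you can see which users end up in which WebLogic groups. The user names, the policy names other than Group Administrator Policy, and the function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

GROUP_VARIABLE = "_SM_WLS_GROUP"         # variable name from the Step 2 table
AUTH_RULE = "Group Authentication Rule"  # OnAuthAccept rule from Step 1


@dataclass(frozen=True)
class Response:
    name: str
    kind: str
    variable: str
    value: str


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset   # users attached directly or through their group
    rule: str
    response: Response


def static_group_response(group):
    """Build one row of the Step 2 table."""
    return Response(f"Group {group}", "Static HTTP Header", GROUP_VARIABLE, group)


def responses_on_auth_accept(user, policies):
    """Responses the Policy Server returns when `user` authenticates."""
    return [p.response for p in policies
            if p.rule == AUTH_RULE and user in p.users]


def group_principals(responses):
    """One group principal per _SM_WLS_GROUP response; other responses are ignored."""
    return [r.value for r in responses
            if r.variable == GROUP_VARIABLE and r.value]


def membership_report(policies):
    """Map every attached user to the WebLogic groups the policies hand out."""
    users = sorted(set().union(*(p.users for p in policies)))
    return {u: group_principals(responses_on_auth_accept(u, policies))
            for u in users}


# Constructed sample data: user names and three of the policy names are hypothetical.
POLICIES = [
    Policy("Group Administrator Policy", frozenset({"alice"}), AUTH_RULE,
           static_group_response("Administrators")),
    Policy("Group Deployers Policy", frozenset({"alice", "bob"}), AUTH_RULE,
           static_group_response("Deployers")),
    Policy("Group Monitors Policy", frozenset({"carol"}), AUTH_RULE,
           static_group_response("Monitors")),
    Policy("Group Operators Policy", frozenset({"bob"}), AUTH_RULE,
           static_group_response("Operators")),
]

if __name__ == "__main__":
    for user, groups in membership_report(POLICIES).items():
        print(f"{user}: {', '.join(groups)}")
```

A user attached to two policies receives two responses and therefore two group principals, which is the case to check when reviewing who is granted Administrators.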

Enabling and Disabling the Authentication Provider

After you set up the Authentication Provider realm and configure the Authentication Provider in the WebLogic administration console, enable the SiteMinder Authentication Provider so that it can authenticate users against SiteMinder user directories. When you disable a SiteMinder Authentication Provider, it no longer authenticates users and authentication defaults to other configured authentication providers.

You enable or disable the SiteMinder Authentication Provider in the Agent configuration file for the Agent. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)

Note: If you are using a single Agent configuration file for multiple SiteMinder Agent providers including the Authentication Provider and you have already enabled a Provider in that file, you do not need to complete this procedure. Continue the configuration process by completing the verification steps in Chapter 9, Verifying the SiteMinder Agent Installation and Configuration on page

1. Open the Agent configuration file in the ASA_HOME\conf directory.
2. Set the EnableWebAgent parameter as follows:
   - To enable the Authentication Provider, set EnableWebAgent to Yes as follows: EnableWebAgent="Yes"
   - To disable the Authentication Provider, set EnableWebAgent to No: EnableWebAgent="No"

Note: The EnableWebAgent parameter applies to all of the Providers that use the Agent configuration file. For example, if you configured all of the SiteMinder Agent Providers to use a single Agent configuration file, setting EnableWebAgent to yes enables all of the Providers.

For more information about the Agent configuration file, see Modifying Configuration Files on page

Chapter 5: Configuring the SiteMinder Authorization Provider

- Overview
- Configuring the SiteMinder Authorization Provider Realm
- Configuring the SiteMinder Authorization Provider in WebLogic
- Enabling and Disabling the Authorization Provider

Overview

After a user has been authenticated by the SiteMinder Authentication Provider, the SiteMinder Authorization Provider evaluates SiteMinder policies to determine whether or not the user can access a protected WebLogic resource. (See SiteMinder Authorization Provider on page 17 for more information.)

Note: The SiteMinder Authorization Provider only authorizes requests that have been authenticated by the SiteMinder Authentication Provider.

Figure 6 lists the steps to configure the SiteMinder Authorization Provider.

Figure 6: SiteMinder Authorization Provider Configuration Check List

| Completed | Step | Refer to |
| --- | --- | --- |
| | 1. Configure a SiteMinder realm for authorization. | Configuring the SiteMinder Authorization Provider Realm on page 66 |
| | 2. Configure the SiteMinder Authorization Provider in WebLogic. | Configuring the SiteMinder Authorization Provider in WebLogic on page 67 |
| | 3. Enable the Authorization provider. | Enabling and Disabling the Authorization Provider on page 68. |
| | 4. Configure SiteMinder policies. | Chapter 7, Configuring Policies on page 75 |
| | 5. Configure the SiteMinder Adjudication Provider. | Chapter 6, Configuring the SiteMinder Adjudication Provider on page 71 |
| | 6. Verify that the Authorization Provider is configured correctly. | Chapter 9, Verifying the SiteMinder Agent Installation and Configuration on page 95 |

Configuring the SiteMinder Authorization Provider Realm

To enable granular policy definition for WebLogic resources, the SiteMinder Authorization Provider requires that you create a realm in the Policy Server User Interface. This realm allows you to create rules and policies that determine whether or not a user is allowed to access a protected WebLogic resource.

1. Start the SiteMinder Policy Server User Interface.
2. Right-click Domains and select a domain such as the domain you created for the SiteMinder Authentication Provider realm. (See Configuring the SiteMinder Authentication Provider Realm on page 58.)
3. On the Domains tab, right-click the domain from Step 2 and select Create Realm.
4. In the SiteMinder Realm dialog, enter the following information:
   - Name: A unique name for the realm, for example, SiteMinder Authorization Provider Realm
   - Description: An optional description for the realm
   - Agent: The name of the SiteMinder Agent identity that you created for the SiteMinder Agent. For details, see Configuring the SiteMinder Policy Server for the SiteMinder Agent Providers on page 29. Enter the Agent name in the text box or click Lookup to select the Agent name from a list of configured Agent identities.
   - Resource Filter: /wlsspiaz
   - Authentication Scheme: Select Basic. If you are using the SiteMinder Authorization Provider in conjunction with the SiteMinder IA, the protection level for the authentication scheme for the Authorization Provider should be the same or lower than the protection level for realms that are protected by the front-end Web Agent. If the protection level is higher, the Authorization Provider will reject the user using the WebLogic native security services.
5. Click the Session tab. Disable any session time-outs and make sure the No Persistent Session option is selected.
6. Click OK.

Configuring the SiteMinder Authorization Provider in WebLogic

Configure the Authorization Provider in the Security Realms Node in the WebLogic Administration console.

1. Start the WebLogic server and start the WebLogic Server Administration Console.
2. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.
3. Click on the name of the realm you are configuring (for example, myrealm).
4. Click the Providers tab.
5. Click the Authorization tab to display the Authorization Providers list.
6. Click the Lock and Edit button.
7. Click New to create a new Authorization Provider.
8. On the Create a New Authentication Provider page:
   - Specify a name for the Authorization Provider in the Name field. For example, SMAuthorizationProvider.
   - Select SiteMinderAuthorizationProvider from the Type dropdown list.
   Note: If SiteMinderAuthorizationProvider is not listed, check the SiteMinder Agent installation to determine if it was completely successful. Check Chapter 2, Installing the SiteMinder Agent for WebLogic on page 25 and Appendix A, SiteMinder Agent Installation and Configuration Files on page
9. Click OK to save the new Authorization Provider.
10. Click the entry for your SiteMinder Authorization Provider in the Authentication Providers list to open it for editing:
   a. Click the Provider Specific tab.
   b. To determine what access decision the SiteMinder Authorization provider returns when the requested resource is not authenticated by SiteMinder, set the Abstain if Not Authenticated flag as follows:

      | If the Flag is... | The result from the SiteMinder Authorization Provider is... |
      | --- | --- |
      | Enabled | ABSTAIN |
      | Disabled | DENY |

      The effect that these access decisions have on a user's access to a WebLogic resource depends on how the Adjudication Provider is configured. For more information, see SiteMinder Adjudication Provider on page 18.
   c. To determine what access decision the SiteMinder Authorization provider returns when the requested resource is not protected by a SiteMinder policy, set the Abstain if Not Protected flag as follows:

      | If the Flag is... | The result from the SiteMinder Authorization Provider is... |
      | --- | --- |
      | Enabled | ABSTAIN |
      | Disabled | PERMIT |

   d. In the SMAz Provider Config File field, enter the location of the configuration file for Authorization Provider. If you are using the default Agent configuration file, the location is ASA_HOME/conf/WebAgent.conf. If you created a new Agent configuration file for the Authorization Provider, be sure to enter the location and file name of the file you created. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.) You can use an absolute or relative path. If you use a relative path, the configuration file will be relative to the directory smasa.home/conf or relative to your current WebLogic server's working directory, BEA_HOME/user_projects/yourdomain.
11. Click Save.
12. Enable the Authorization Provider. See Enabling and Disabling the Authorization Provider on page
13. Enable SiteMinder logging. See Chapter 8, Logging on page
14. If you finished configuring SiteMinder Agent Providers, restart the WebLogic server and check SiteMinder logs to verify that the Authorization Provider is configured correctly. If you are configuring additional SiteMinder Agent Providers, you can restart the WebLogic server after all of the configuration steps are complete.

Enabling and Disabling the Authorization Provider

After you set up the Authorization Provider realm and configure the Authorization Provider in the WebLogic administration console, enable the SiteMinder Authorization Provider so that it can authorize users against SiteMinder user directories. When you disable a SiteMinder Authorization Provider, it no longer authorizes users and authorization defaults to other configured authorization providers.

Warning: If the SiteMinder Authorization Provider is the only authorization provider configured for a security realm and you disable it, all authorization requests will be denied.
You enable or disable the SiteMinder Authorization Provider in the Agent configuration file for the Agent. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)

Note: If you are using a single Agent configuration file for multiple SiteMinder Agent providers including the Authorization Provider and you have already enabled a Provider in that file, you do not need to complete this procedure. Continue the configuration process by completing the verification steps on page

1. Open the Agent configuration file in the ASA_HOME/conf directory.
2. Set the EnableWebAgent parameter as follows:
   - To enable the Authorization Provider, set EnableWebAgent to Yes as follows: EnableWebAgent="Yes"
   - To disable the Authorization Provider, set EnableWebAgent to No: EnableWebAgent="No"

Note: The EnableWebAgent parameter applies to all of the Providers that use the Agent configuration file. For example, if you configured all of the SiteMinder Agent Providers to use a single Agent configuration file, setting EnableWebAgent to yes enables all of the Providers.

For more information about the WebAgent.conf file, see Modifying Configuration Files on page


Chapter 6: Configuring the SiteMinder Adjudication Provider

- Overview
- Configuring the SiteMinder Adjudication Provider in WebLogic
- Enabling and Disabling the Adjudication Provider

Overview

The SiteMinder Adjudication Provider makes a final access decision after a user has been authenticated and authorized for a protected resource. In an environment that uses more than one authorization provider, the SiteMinder Adjudication Provider resolves conflicts by weighing the result of each authorization provider's access decision. See SiteMinder Adjudication Provider on page 18 for more information.

Note: A WebLogic security domain can have only one Adjudication Provider.

Figure 7 lists the steps to configure the SiteMinder Adjudication Provider.

Figure 7: SiteMinder Adjudication Provider Configuration Check List

| Completed | Step | Refer to |
| --- | --- | --- |
| | 1. Configure the SiteMinder Adjudication Provider in WebLogic. | Configuring the SiteMinder Adjudication Provider in WebLogic on page |
| | 2. Enable the Adjudication. | Enabling and Disabling the Adjudication Provider on page |
| | 3. Validate that the Adjudication Provider is configured correctly. | Chapter 9, Verifying the SiteMinder Agent Installation and Configuration on page 95 |

Configuring the SiteMinder Adjudication Provider in WebLogic

Configure the SiteMinder Adjudication Provider in the Security Realms Node in the WebLogic Administration console.

1. Start the WebLogic server and the WebLogic Server Administration Console.
2. In the navigation frame on the left of the console, click the Security Realms node in the Domain Structure list.

3. Click on the name of the realm you are configuring (for example, myrealm).
4. Click the Providers tab.
5. Click the Adjudication tab to display the Adjudication Providers list.
6. Click the Lock and Edit button.
7. Click Replace to replace the default adjudication provider.
8. On the Create a New Adjudication Provider page:
   - Specify a name for the Adjudication Provider in the Name field. For example, SMAdjudicationProvider.
   - Select SiteMinderAdjudicationProvider from the Type dropdown list.
   Note: If SiteMinderAdjudicationProvider is not listed, check the SiteMinder Agent installation to determine if it was completely successful. Check Chapter 2, Installing the SiteMinder Agent for WebLogic on page 25 and Appendix A, SiteMinder Agent Installation and Configuration Files on page
9. Click OK to save the new Adjudication Provider.
10. Click the entry for your SiteMinder Adjudication Provider to open it for editing:
   a. Click the Provider Specific tab.
   b. In the SMAdjudication Provider Config File field, enter the location of the configuration file for the Adjudication Provider. If you are using the default Agent configuration file, the location is ASA_HOME/conf/WebAgent.conf. If you created a new Agent configuration file for the Adjudication Provider, be sure to enter the location and file name of the file you created. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.) You can use an absolute or relative path. If you use a relative path, the configuration file will be relative to the directory smasa.home/conf or relative to your current WebLogic server's working directory, BEA_HOME/user_projects/yourdomain.
   c. In the SiteMinder Permission Decision field, select one of the following options:
      - SiteMinder Precedence: The SiteMinder Adjudication Provider assigns maximum weight to the result returned by a SiteMinder Authorization Provider.
      - Equal Precedence: The SiteMinder Adjudication Provider assigns equal weight to the results returned by all configured Authorization Providers in the security realm.
      For information on how these settings affect access decisions, see SiteMinder Adjudication Provider on page
11. Click Save.
12. Enable the Adjudication Provider. See Enabling and Disabling the Adjudication Provider on page

13. Configure logging. See Chapter 8, Logging on page
14. Restart the WebLogic server and check SiteMinder logs to verify that the Adjudication Provider is configured correctly.

Enabling and Disabling the Adjudication Provider

After you configure the SiteMinder Adjudication Provider in the WebLogic administration console, enable the Adjudication Provider so that it can evaluate authorization decisions.

Warning: If the SiteMinder Adjudication Provider is disabled, it will always return DENY access to any resource, including the WebLogic administration functions; you will not be able to start the WebLogic server or access the WebLogic Administration Console.

You enable or disable the SiteMinder Adjudication Provider in the configuration file (WebAgent.conf) for the Agent. (See Setting Up the Agent Configuration File (WebAgent.conf) on page 39.)

Note: If you are using a single Agent configuration file for multiple SiteMinder Agent providers including the Adjudication Provider and you have already enabled a Provider in that file, you do not need to complete this procedure. Continue the configuration process by completing the verification steps in Chapter 9, Verifying the SiteMinder Agent Installation and Configuration on page

1. Open the Agent configuration file in the ASA_HOME/conf directory.
2. Set the EnableWebAgent parameter as follows:
   - To enable the Adjudication Provider, set EnableWebAgent to Yes as follows: EnableWebAgent="Yes"
   - To disable the Adjudication Provider, set EnableWebAgent to No: EnableWebAgent="No"

Note: The EnableWebAgent parameter applies to all of the Providers that use the Agent configuration file. For example, if you configured all of the SiteMinder Agent Providers to use a single Agent configuration file, setting EnableWebAgent to yes enables all of the Providers.

For more information about the WebAgent.conf file, see Modifying Configuration Files on page
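Because one EnableWebAgent setting can switch several providers at once, it is worth checking the effect of each Agent configuration file before restarting WebLogic. The following added example (not part of the guide or of the SiteMinder Agent) applies the consequences stated in the three "Enabling and Disabling" sections for the Authentication, Authorization and Adjudication Providers. The file name WebAgent-az.conf, the function names and the comment syntax handling are assumptions, and the file contents are constructed.

```python
import re

# Assignment form shown in the guide: EnableWebAgent="Yes"
ASSIGNMENT = re.compile(r'^\s*EnableWebAgent\s*=\s*"?([A-Za-z]+)"?\s*$')


def enable_web_agent(conf_text):
    """Return True or False for EnableWebAgent, or None when it is not set.

    Assumptions: lines starting with '#' are comments, the value is compared
    case-insensitively, and the last assignment in the file wins.
    """
    state = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match and match.group(1).lower() in ("yes", "no"):
            state = match.group(1).lower() == "yes"
    return state


def impact(kind, other_authz_providers):
    """Consequence of a disabled provider, as stated in the guide."""
    if kind == "adjudication":
        return ("CRITICAL", "returns DENY for every resource; the WebLogic server "
                "cannot start and the Administration Console is unreachable")
    if kind == "authorization":
        if other_authz_providers == 0:
            return ("CRITICAL", "only authorization provider in the realm: "
                    "all authorization requests will be denied")
        return ("WARN", "authorization defaults to the other configured "
                "authorization providers")
    return ("WARN", "authentication defaults to the other configured "
            "authentication providers")


def audit(provider_files, file_texts, other_authz_providers=0):
    """Return (severity, path, subject, message) findings.

    provider_files maps "authentication" / "authorization" / "adjudication" to
    the file named in that provider's Config File field; file_texts maps each
    path to its contents.
    """
    by_file = {}
    for kind, path in provider_files.items():
        by_file.setdefault(path, []).append(kind)

    findings = []
    for path in sorted(by_file):
        kinds = sorted(by_file[path])
        if len(kinds) > 1:
            findings.append(("INFO", path, "shared",
                             "EnableWebAgent applies to all of: " + ", ".join(kinds)))
        state = enable_web_agent(file_texts[path])
        if state is None:
            findings.append(("WARN", path, "unset", "EnableWebAgent is not set"))
        elif state is False:
            for kind in kinds:
                severity, message = impact(kind, other_authz_providers)
                findings.append((severity, path, kind, message))
    return findings


# Constructed sample: two providers share the default file, one has its own.
PROVIDER_FILES = {
    "authentication": "ASA_HOME/conf/WebAgent.conf",
    "adjudication": "ASA_HOME/conf/WebAgent.conf",
    "authorization": "ASA_HOME/conf/WebAgent-az.conf",  # hypothetical file name
}
FILE_TEXTS = {
    "ASA_HOME/conf/WebAgent.conf": '# constructed sample\nEnableWebAgent="No"\n',
    "ASA_HOME/conf/WebAgent-az.conf": 'EnableWebAgent="Yes"\n',
}

if __name__ == "__main__":
    for finding in audit(PROVIDER_FILES, FILE_TEXTS):
        print(" | ".join(finding))
```

In the sample, setting EnableWebAgent to No to turn off authentication also disables the Adjudication Provider that shares the file, which is the critical finding.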


Chapter 7: Configuring Policies

- Configuring Policies to Support Perimeter Authentication
- Configuring Policies for the SiteMinder Authorization Provider

Note: This chapter assumes that you have already configured each SiteMinder security provider component you intend to use according to the directions in chapters 3 through 6.

Configuring Policies to Support Perimeter Authentication

To configure the SiteMinder Agent for WebLogic to protect Web applications by perimeter authentication, you need to create policies that specify how the Web Agent on the proxy server should control access to the URL that represents the proxied WebLogic Web application resources.

For complete information about SiteMinder policy configuration for Web container resources, see the Policies chapter in Policy Design r5.x/6.x.

Configuring Policies for the SiteMinder Authorization Provider

- SiteMinder Resource Mapping for WebLogic Resources
- Configuring Rules for SiteMinder Authorization Provider
- Configuring Responses for SiteMinder Authentication and Authorization Providers
- Configuring Policies for SiteMinder Authorization Provider

To configure the SiteMinder Agent for WebLogic to protect WebLogic resources using the SiteMinder Authorization Provider, you need to create policies in a similar manner as you would to protect a Web resource with a Web Agent. The only differences are:

- All rules in your policies must be created within the SiteMinder Authorization Provider validation realm and use SiteMinder to WebLogic resource mapping conventions to specify the WebLogic resources that you wish to protect. See SiteMinder Resource Mapping for WebLogic Resources on page 76.
- Rules for non-URL resources must specify the Web Agent Get rule action. Rules for URL resources can specify Post and other HTTP-based actions. See Configuring Rules for SiteMinder Authorization Provider on page 82.
- Responses, variables and policy expressions are not supported. See Configuring Policies for SiteMinder Authorization Provider on page

For complete information about SiteMinder policy configuration, see the Policies chapter in Policy Design v5.x/6.x.

SiteMinder Resource Mapping for WebLogic Resources

The Resource field in a SiteMinder rule specifies the resource that is the subject of the rule. The complete resource specification (shown by the Effective Resource field on the Rule dialog box) is a concatenation of the values of the Resource Filter of the parent realm (or realms in a nested realm environment) and the Resource field of the rule itself.

Resources that are not accessed via a URL must be defined using special mapping conventions. This section describes the SiteMinder resource mapping for WebLogic resources. This mapping, which is summarized in Figure 8, provides a means of representing WebLogic resources in the realms and rules that make up your authorization policies.

Figure 8: SiteMinder Resource Mapping for WebLogic Resources

- /az_provider_resource_filter: Always /wlsspiaz, the resource filter for the SiteMinder Authorization Provider validation realm.
- /resource_type_filter: Depending on the protected resource type, one of: /adm, /ejb, /jdbc, /jms, /jndi, /svr, /url. (Each typically specified by the resource filter of a corresponding nested realm.)
- /resource_type-specific_mapping: One or more slash(/)-delimited resource type-specific parameters that identify the protected WebLogic resource to SiteMinder. For example, for an Administration resource: /UserLockout/myRealm/unlockuser

Configuring the az_provider_resource_filter Section

The first section of the mapping, az_provider_resource_filter, tells SiteMinder that the resource is a WebLogic resource protected by the SiteMinder Authorization Provider. Its value is static (/wlsspiaz) and is defined by the resource filter in the Authorization Provider validation realm.

Configuring the resource_type_filter Section

The second section of the mapping, resource_type_filter, tells SiteMinder what type of WebLogic resource is protected. Its value is determined by the type of resource, as shown in the following table.

| Resource Type | resource_type_filter value |
| --- | --- |
| Administration Resource | adm |
| EJB Resource | ejb |
| JDBC Resource | jdbc |
| JMS Resource | jms |
| JNDI Resource | jndi |
| Server Resource | svr |
| URL Resource | url |

Note: If the SiteMinder Resource Mapper obtains a resource from WebLogic that is not of the types shown in the above table, the default resource mapping will be a concatenation of the requested resource values obtained from the WebLogic resource type. Spaces within the resource values will be converted to a slash (/). You can use debug log messages from the SiteMinder Authorization Provider to obtain information on the requested WebLogic resource and the SiteMinder mapping of the WebLogic resource to a SiteMinder resource.

CA recommends that you configure a nested realm under the SiteMinder Authorization Provider validation realm for each WebLogic resource type, specifying the appropriate resource_type_filter as the resource filter as shown in the following table.

| Nested Realm Resource Filter | Nested Realm Type | Realm Contents |
| --- | --- | --- |
| /adm | Administration Resource realm | Rules for Administration Resources |
| /jdbc | JDBC resource realm | Rules for JDBC resources |
| /jms | JMS resource realm | Rules for JMS resources |
| /jndi | JNDI resource realm | Rules for JNDI resources |
| /svr | Server resource realm | Rules for Server resources |
| /url | URL resource realm | Rules for URL resources |

Note: If you choose to implement your security policies using nested realms, you must ensure that the Enable Nested Security setting is enabled on the SiteMinder Global Settings dialog box. You must also create a simple allow access rule in the SiteMinder Authorization Provider validation realm and include it in your authorization policy. For more information on nested realms, see the section titled "Understanding Nested Realms" in CA etrust SiteMinder Policy Design.

For example:

Alternatively, you can simply include the resource_type_filter value as part of the resource specification in the rule.

Configuring the resource_type-specific_mapping Section

The final section of the mapping, resource_type-specific_mapping, tells SiteMinder the specifics of the protected resource. Its value is one or more slash(/)-delimited parameters specific to the type of resource being protected (as defined in the resource_type_filter section). The parameters for each resource type are described in the following sections.

Administration Resources

To protect a WebLogic Administration resource, resource_type_filter must specify the following parameters (in the order shown):

/category/realm/action

Where:

| Parameter Name | Description | Field value example |
| --- | --- | --- |
| category | Category associated with the administration resource. | UserLockout |
| realm | Name of the WebLogic security realm. | MyRealm |
| action | Action associated with the resource. Optional; if not specified, defaults to "GET". | unlockuser |

For example, for an Administration Resource with the following properties:

category=userlockout, realm=myrealm, action=unlockuser

The complete resource mapping (effective resource) would be:

/wlsspiaz/adm/userlockout/myrealm/unlockuser
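The mapping above can be checked mechanically when you write rules or read the Authorization Provider's debug log. The following added example (not code from the guide or the Agent) builds the effective resource for an Administration resource, shows that the nested-realm layout and the single-realm layout produce the same string, and splits an effective resource back into its sections. The function names are hypothetical; rendering the default action as a trailing /GET segment is an assumption based on the parameter table, and values are used with the case you supply.

```python
AZ_FILTER = "/wlsspiaz"  # resource filter of the Authorization Provider validation realm

# resource_type_filter values from the table in this section
TYPE_FILTERS = {
    "adm": "Administration Resource",
    "ejb": "EJB Resource",
    "jdbc": "JDBC Resource",
    "jms": "JMS Resource",
    "jndi": "JNDI Resource",
    "svr": "Server Resource",
    "url": "URL Resource",
}


def effective_resource(realm_filters, rule_resource):
    """Concatenate realm resource filters (outermost first) and the rule's Resource field."""
    return "".join(realm_filters) + rule_resource


def admin_resource(category, realm, action="GET"):
    """Effective resource for an Administration resource: /category/realm/action."""
    for name, value in (("category", category), ("realm", realm), ("action", action)):
        if not value or "/" in value:
            raise ValueError(f"{name} must be a single non-empty path segment")
    return effective_resource([AZ_FILTER, "/adm"], f"/{category}/{realm}/{action}")


def parse_effective_resource(resource):
    """Split an effective resource into its filter, type and type-specific parameters."""
    segments = resource.split("/")  # "/wlsspiaz/adm/x" -> ["", "wlsspiaz", "adm", "x"]
    if len(segments) < 3 or segments[0] != "" or "/" + segments[1] != AZ_FILTER:
        raise ValueError("not under the Authorization Provider validation realm")
    type_filter, params = segments[2], segments[3:]
    if type_filter not in TYPE_FILTERS:
        raise ValueError(f"unknown resource_type_filter: {type_filter!r}")
    parsed = {"filter": type_filter, "type": TYPE_FILTERS[type_filter], "params": params}
    if type_filter == "adm":
        if len(params) not in (2, 3) or not all(params):
            raise ValueError("expected /category/realm[/action]")
        action = params[2] if len(params) == 3 else "GET"
        parsed["params"] = {"category": params[0], "realm": params[1], "action": action}
    return parsed


if __name__ == "__main__":
    # Nested realm /adm under /wlsspiaz, rule resource holds only the specific mapping.
    nested = effective_resource(["/wlsspiaz", "/adm"], "/userlockout/myrealm/unlockuser")
    # Single validation realm, rule resource includes the resource_type_filter.
    flat = effective_resource(["/wlsspiaz"], "/adm/userlockout/myrealm/unlockuser")
    print(nested, nested == flat)
    print(parse_effective_resource(nested))
```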


More information

PLEASE READ CAREFULLY BEFORE USING THE Qantas Cash App

PLEASE READ CAREFULLY BEFORE USING THE Qantas Cash App PLEASE READ CAREFULLY BEFORE USING THE Qantas Cash App This is a legal agreement ( Agreement ) between you (the person accessing, viewing, using, or installing the app, and later referred to as you ) and

More information

How To Set Up and Use the SAP ME Earned Standards Feature

How To Set Up and Use the SAP ME Earned Standards Feature SAP Manufacturing Execution How-To Guide How To Set Up and Use the SAP ME s Feature Applicable Release: ME 6.0 Version 1.0 June 4, 2012 Copyright 2012 SAP AG. All rights reserved. No part of this publication

More information

CA SiteMinder. Federation.NET SDK Guide 12.51

CA SiteMinder. Federation.NET SDK Guide 12.51 CA SiteMinder Federation.NET SDK Guide 12.51 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ), is for your

More information

Incorporates passenger management, fleet management and revenue/cost reporting

Incorporates passenger management, fleet management and revenue/cost reporting 1 Web based business system providing comprehensive functionality for domestic and international airline operations Incorporates passenger management, fleet management and revenue/cost reporting Comprehensive

More information

INTERNATIONAL CIVIL AVIATION ORGANIZATION AFI REGION AIM IMPLEMENTATION TASK FORCE. (Dakar, Senegal, 20 22nd July 2011)

INTERNATIONAL CIVIL AVIATION ORGANIZATION AFI REGION AIM IMPLEMENTATION TASK FORCE. (Dakar, Senegal, 20 22nd July 2011) IP-5 INTERNATIONAL CIVIL AVIATION ORGANIZATION AFI REGION AIM IMPLEMENTATION TASK FORCE (Dakar, Senegal, 20 22nd July 2011) Agenda item: Presented by: Implementation of a African Regional Centralised Aeronautical

More information

EMC Unisphere 360 for VMAX

EMC Unisphere 360 for VMAX EMC Unisphere 360 for VMAX Version 8.4.0 Online Help (PDF version) Copyright 2016-2017 EMC Corporation All rights reserved. Published May 2017 Dell believes the information in this publication is accurate

More information

Punt Policing and Monitoring

Punt Policing and Monitoring Punt Policing and Monitoring Punt policing protects the Route Processor (RP) from having to process noncritical traffic, which increases the CPU bandwidth available to critical traffic. Traffic is placed

More information

Last Updated: July 04 th, 2014.Changes from the previous version are in green. SITEMINDER ,29 PLATFORM SUPPORT 1. Policy Server 11,

Last Updated: July 04 th, 2014.Changes from the previous version are in green. SITEMINDER ,29 PLATFORM SUPPORT 1. Policy Server 11, Last Updated: July 04 th, 2014.Changes from the previous version are in green. SITEMINDER 6.0 22,29 PLATFORM SUPPORT 1. Policy Server 11, 28... 2 2. 31-bit/32-bit Web Agents11, 25... 2 3. SAML Affiliate

More information

HelpAndManual_unregistered_evaluation_copy AirLog Pilot Logbook V3

HelpAndManual_unregistered_evaluation_copy AirLog Pilot Logbook V3 HelpAndManual_unregistered_evaluation_copy AirLog Pilot Logbook V3 HelpAndManual_unregistered_evaluation_copy AirLog Pilot Logbook V3 Version 3 LLTSoftware.com AirLog pilot logbook for Windows provides

More information

Management System for Flight Information

Management System for Flight Information Management System for Flight Information COP 5611 Chantelle Erasmus Page 1 of 17 Project Phases Design Phase (100 percent complete)... 3 Initial Implementation and Testing Phase (90 percent complete)...

More information

CA SiteMinder Web Services Security

CA SiteMinder Web Services Security CA SiteMinder Web Services Security WSS Agent Guide for iplanet Web Servers 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred

More information

(i) Adopted or adapted airworthiness and environmental standards;

(i) Adopted or adapted airworthiness and environmental standards; TECHNICAL ARRANGEMENT FOR THE ACCEPTANCE OF AIRWORTHINESS AND ENVIRONMENTAL APPROVAL OF CIVIL AERONAUTICAL PRODUCTS BETWEEN THE CIVIL AVIATION BUREAU, MINISTRY OF LAND, INFRASTRUCTURE AND TRANSPORT, JAPAN

More information

Baggage Reconciliation System

Baggage Reconciliation System Product Description PD-TS-105 Issue 1.0 Date January 2015 The purpose of this product description is to enable the customer to satisfy himself as to whether or not the product or service would be suitable

More information

Bonita Workflow. Getting Started BONITA WORKFLOW

Bonita Workflow. Getting Started BONITA WORKFLOW Bonita Workflow Getting Started BONITA WORKFLOW Bonita Workflow Getting Started Bonita Workflow v3.0 Software January 2007 Copyright Bull SAS Table of Contents Chapter 1. New Features for Workflow...1

More information

FliteStar USER S GUIDE

FliteStar USER S GUIDE FliteStar USER S GUIDE 2003 Jeppesen Sanderson, Inc. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted,

More information

Wishlist Auto Registration Manual

Wishlist Auto Registration Manual Wishlist Auto Registration Manual Table of Contents Use the quick navigation links below to navigate through the manual: Introduction to Wishlist Auto Registration Complete Activation Process Summary in

More information

MyTraveler User s Manual

MyTraveler User s Manual MyTraveler User s Manual MyTraveler is the DataTraveler Elite tool that enables you to access and customize your DataTraveler Elite through the MyTraveler Console. Messages and prompts guide you through

More information

UM1868. The BlueNRG and BlueNRG-MS information register (IFR) User manual. Introduction

UM1868. The BlueNRG and BlueNRG-MS information register (IFR) User manual. Introduction User manual The BlueNRG and BlueNRG-MS information register (IFR) Introduction This user manual describes the information register (IFR) of the BlueNRG and BlueNRG-MS devices and provides related programming

More information

Subpart H. 2042/2003

Subpart H. 2042/2003 AIRWORTHINESS NOTICE Issue of Certificate of Airworthiness No 12 Issue 3 May 2014 1 Purpose and scope The Civil Aviation Directive CAD-AIRW/8(1)-1 incorporates the Annex Part 21 to the European Commission

More information

The implications of. Simon Willison Google Tech Talk, 25th June 2007

The implications of. Simon Willison Google Tech Talk, 25th June 2007 The implications of Simon Willison Google Tech Talk, 25th June 2007 Who here has used OpenID? Who uses it regularly? What is OpenID? OpenID is a decentralised mechanism for Single Sign On What problems

More information

CA SiteMinder Web Access Manager r12

CA SiteMinder Web Access Manager r12 Reference Code: TA001441SEC Publication Date: July 2008 Author: Aanchal Sabharwal, Angela Eager, and Somak Roy TECHNOLOGY AUDIT CA SiteMinder Web Access Manager r12 CA BUTLER GROUP VIEW ABSTRACT CA SiteMinder

More information

In-Service Data Program Helps Boeing Design, Build, and Support Airplanes

In-Service Data Program Helps Boeing Design, Build, and Support Airplanes In-Service Data Program Helps Boeing Design, Build, and Support Airplanes By John Kneuer Team Leader, In-Service Data Program The Boeing In-Service Data Program (ISDP) allows airlines and suppliers to

More information

Angel Flight Information Database System AFIDS

Angel Flight Information Database System AFIDS Pilot s Getting Started Guide Angel Flight Information Database System AFIDS Contents Login Instructions... 3 If you already have a username and password... 3 If you do not yet have a username and password...

More information

Concur Travel: Post Ticket Change Using Sabre Automated Exchanges

Concur Travel: Post Ticket Change Using Sabre Automated Exchanges Concur Travel: Post Ticket Change Using Sabre Automated Exchanges Travel Service Guide Applies to Concur Travel: Professional/Premium edition TMC Partners Direct Customers Standard edition TMC Partners

More information

Atennea Air. The most comprehensive ERP software for operating & financial management of your airline

Atennea Air. The most comprehensive ERP software for operating & financial management of your airline Atennea Air The most comprehensive ERP software for operating & financial management of your airline Atennea Air is an advanced and comprehensive software solution for airlines management, based on Microsoft

More information

Supports full integration with Apollo, Galileo and Worldspan GDS.

Supports full integration with Apollo, Galileo and Worldspan GDS. FEATURES GENERAL Web-based Solution ALL TRAVELPORT GDS Supports full integration with Apollo, Galileo and Worldspan GDS. GRAPHICAL INTUITIVE WEB EXPERIENCE Intuitive web experience for both GDS expert

More information

CruisePay Enhancements for 2005 Training Guide Version 1.0

CruisePay Enhancements for 2005 Training Guide Version 1.0 CruisePay Enhancements for 2005 Training Guide Version 1.0 Royal Caribbean Cruises Ltd. 2004 i 9/8/2005 Table of Content: 1 Overview 1 1.1 Purpose: 2 1.2 Assumptions: 2 1.3 Definitions: 2 2 Web Application

More information

S-Series Hotel App User Guide

S-Series Hotel App User Guide S-Series Hotel App User Guide Version 1.2 Date: April 10, 2017 Yeastar Information Technology Co. Ltd. 1 Contents Introduction... 3 About This Guide... 3 Installing and Activating Hotel App... 4 Installing

More information

User Guide for E-Rez

User Guide for E-Rez User Guide for E-Rez Table of Contents Section 1 Using E-Rez... 3 Security & Technical Requirements... 3 Logging on to E-Rez... 4 Verify Your Profile... 4 Section 2 Travel Center... 5 Familiarize yourself

More information

Precision and Basic RNAV (P-RNAV [RNP-1]/B-RNAV [RNP-5]) in Europe

Precision and Basic RNAV (P-RNAV [RNP-1]/B-RNAV [RNP-5]) in Europe King Schools Online Internet Learning Programs Precision and Basic RNAV (P-RNAV [RNP-1]/B-RNAV [RNP-5]) in Europe Pilot Certification Course SYLLABUS King Schools, Inc. 3840 Calle Fortunada San Diego,

More information

ELOQUA INTEGRATION GUIDE

ELOQUA INTEGRATION GUIDE ELOQUA INTEGRATION GUIDE VERSION 2.2 APRIL 2016 DOCUMENT PURPOSE This purpose of this document is to guide clients through the process of integrating Eloqua and the WorkCast Platform and to explain the

More information

SENIOR CERTIFICATE EXAMINATIONS

SENIOR CERTIFICATE EXAMINATIONS SENIOR CERTIFICATE EXAMINATIONS INFORMATION TECHNOLOGY P1 2017 MARKS: 150 TIME: 3 hours This question paper consists of 21 pages. Information Technology/P1 2 DBE/2017 INSTRUCTIONS AND INFORMATION 1. This

More information

My Fleet OPERATING MANUAL

My Fleet OPERATING MANUAL OPERATING MANUAL Contents 1 About My Fleet... 3 2 Creating My Kemppi ID and subscribing to My Fleet...4 3 Downloading manufacturer s validation certificate for X8 Power Source and X8 Wire Feeder...6 4

More information

InHotel. Installation Guide Release version 1.5.0

InHotel. Installation Guide Release version 1.5.0 InHotel Installation Guide Release version 1.5.0 Contents Contents... 2 Revision History... 4 Introduction... 5 Glossary of Terms... 6 Licensing... 7 Requirements... 8 Licensing the application... 8 60

More information

WHAT S NEW in 7.9 RELEASE NOTES

WHAT S NEW in 7.9 RELEASE NOTES 7.9 RELEASE NOTES January 2015 Table of Contents Session Usability...3 Smarter Bookmarks... 3 Multi-Tabbed Browsing... 3 Session Time Out Pop Up... 4 Batch No Show Processing...5 Selecting a Guarantee

More information

GENERAL ADVISORY CIRCULAR

GENERAL ADVISORY CIRCULAR GENERAL CIVIL AVIATION AUTHORITY OF BOTSWANA ADVISORY CIRCULAR CAAB Document GAC-002 ACCEPTABLE FLIGHT SAFETY DOCUMENTS SYSTEM GAC-002 Revision: Original August 2012 PAGE 1 Intentionally left blank GAC-002

More information

Request for Information No OHIO/INDIANA UAS CENTER AND TEST COMPLEX. COA and Range Management Web Application. WebUAS

Request for Information No OHIO/INDIANA UAS CENTER AND TEST COMPLEX. COA and Range Management Web Application. WebUAS OHIO/INDIANA UAS CENTER AND TEST COMPLEX COA and Range Management Web Application WebUAS Request for Information (RFI) Issuing Agency: Ohio Department of Transportation Issue Date: 12/10/2013 Respond by:

More information

Cisco CMX Cloud Proxy Configuration Guide

Cisco CMX Cloud Proxy Configuration Guide Cisco CMX Cloud Proxy Configuration Guide Overview Welcome to Cisco Connected Mobility Experiences (CMX) in the cloud. CMX Cloud is essentially running the CMX software in a Cisco supported and maintained

More information

Federal GIS Conference February 10 11, 2014 Washington DC. ArcGIS for Aviation. David Wickliffe

Federal GIS Conference February 10 11, 2014 Washington DC. ArcGIS for Aviation. David Wickliffe Federal GIS Conference 2014 February 10 11, 2014 Washington DC ArcGIS for Aviation David Wickliffe What is ArcGIS for Aviation? Part of a complete system for managing data, products, workflows, and quality

More information

Regional Seminar/Workshop on CMA and SAST

Regional Seminar/Workshop on CMA and SAST International Civil Aviation Organization Regional Seminar/Workshop on CMA and SAST September 2011 ICAO Electronic Safety Tools Module 7 1 Contents 7.1 Introduction 7.2 ICAO online safety framework 7.3

More information

RED ATLAS PRODUCT BROCHURE. From Nevalee Business Solutions

RED ATLAS PRODUCT BROCHURE. From Nevalee Business Solutions RED ATLAS PRODUCT BROCHURE From Nevalee Business Solutions CONTENTS OVERVIEW... 3 FUNCTIONS... 3 BACKGROUND... 3 ATC... 4 OPERATIONS... 5 ACCOUNTS... 6 REPORTING... 7 CONSULTING... 8 2 OVERVIEW Red Atlas

More information

2018 PSO Profile Highlights and Tips. December 18, :00 3:00 PM

2018 PSO Profile Highlights and Tips. December 18, :00 3:00 PM 2018 PSO Profile Highlights and Tips December 18, 2018 2:00 3:00 PM Call Logistics The PSOPPC will be presenting the 2018 PSO Profile Highlights and Tips. Please use the chat (Ask a Question) to submit

More information

SUMMARY REPORT ON THE SAFETY OVERSIGHT AUDIT FOLLOW-UP OF THE DIRECTORATE GENERAL OF CIVIL AVIATION OF KUWAIT

SUMMARY REPORT ON THE SAFETY OVERSIGHT AUDIT FOLLOW-UP OF THE DIRECTORATE GENERAL OF CIVIL AVIATION OF KUWAIT ICAO Universal Safety Oversight Audit Programme SUMMARY REPORT ON THE SAFETY OVERSIGHT AUDIT FOLLOW-UP OF THE DIRECTORATE GENERAL OF CIVIL AVIATION OF KUWAIT (Kuwait, 17 to 20 September 2003) International

More information

Higher National Unit Specification. General information for centres. Unit code: DR04 34

Higher National Unit Specification. General information for centres. Unit code: DR04 34 Higher National Unit Specification General information for centres Unit title: Aviation Legislation Unit code: DR04 34 Unit purpose: This Unit is designed to allow candidates to acquire a knowledge and

More information

Information security supplier rules. Information security supplier rules

Information security supplier rules. Information security supplier rules Information security supplier rules TABLE OF CONTENTS 1 SCOPE... 3 2 DEFINITIONS AND ACRONYMS... 3 3 RESPONSIBILITIES... 3 4 GENERAL RULES... 3 4.1 PURPOSE OF INFORMATION PROCESSING... 3 4.2 CONFIDENTIALITY

More information

Navitaire GoNow Day-of-departure services

Navitaire GoNow Day-of-departure services Navitaire GoNow: Day-of-Departure Made Smarter GoNow is Navitaire s advanced day-of-departure suite offering today s evolving airlines a comprehensive, scalable solution to support efficient, cost-effective

More information

CONSOLIDATED GROUP (NON-MEC GROUP) TSA USER AGREEMENT. Dated PERSON SPECIFIED IN THE ORDER FORM (OVERLEAF)

CONSOLIDATED GROUP (NON-MEC GROUP) TSA USER AGREEMENT. Dated PERSON SPECIFIED IN THE ORDER FORM (OVERLEAF) CONSOLIDATED GROUP (NON-MEC GROUP) TSA USER AGREEMENT Dated CORNWALL STODART LAWYERS PERSON SPECIFIED IN THE ORDER FORM (OVERLEAF) CORNWALL STODART Level 10 114 William Street DX 636 MELBOURNE VIC 3000

More information

9/16/ CHG 213 VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM

9/16/ CHG 213 VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM Section 1 Safety Assurance System: Evaluate the Operator s 14 CFR Parts 121, 121/135, 125, and 129 Aircraft Network

More information

GUERNSEY ADVISORY CIRCULARS. (GACs) EXTENDED DIVERSION TIME OPERATIONS GAC 121/135-3

GUERNSEY ADVISORY CIRCULARS. (GACs) EXTENDED DIVERSION TIME OPERATIONS GAC 121/135-3 GUERNSEY ADVISORY CIRCULARS (GACs) GAC 121/135-3 EXTENDED DIVERSION TIME OPERATIONS Published by the Director of Civil Aviation, Guernsey First Issue August 2018 Guernsey Advisory Circulars (GACs) are

More information

Monitoring & Control Tim Stevenson Yogesh Wadadekar

Monitoring & Control Tim Stevenson Yogesh Wadadekar Monitoring & Control Tim Stevenson Yogesh Wadadekar Monitoring & Control M&C is not recognised as an SPDO Domain However the volume of work carried out in 2011 justifies a Concept Design Review M&C is

More information

Concur Travel: View More Air Fares

Concur Travel: View More Air Fares Concur Travel: View More Air Fares Travel Service Guide Applies to Concur Travel: Professional/Premium edition TMC Partners Direct Customers Standard edition TMC Partners Direct Customers Contents View

More information

NOTICE OF PROPOSED RULE. Proof of Ownership and Entitlement to Unclaimed Property

NOTICE OF PROPOSED RULE. Proof of Ownership and Entitlement to Unclaimed Property DEPARTMENT OF FINANCIAL SERVICES Division of Accounting and Auditing NOTICE OF PROPOSED RULE RULE NO.: 69I-20.0021 69I-20.0022 69I-20.030 69I-20.034 69I-20.038 69I-20.040 69I-20.041 RULE TITLE: Procedures

More information

AERODROME METEOROLOGICAL OBSERVATION AND FORECAST STUDY GROUP (AMOFSG)

AERODROME METEOROLOGICAL OBSERVATION AND FORECAST STUDY GROUP (AMOFSG) AMOFSG/8-IP/6 23/12/09 AERODROME METEOROLOGICAL OBSERVATION AND FORECAST STUDY GROUP (AMOFSG) EIGHTH MEETING Melbourne, Australia, 15 to 18 February 2010 Agenda Item 5: Observing and forecasting at the

More information

SOUTH DAKOTA STATE UNIVERSITY Policy and Procedure Manual

SOUTH DAKOTA STATE UNIVERSITY Policy and Procedure Manual Office/Contact: Division of Research and Economic Development Source: Federal Aviation Administration (FAA) UAS Regulations and Policies; SDBOR Policy 1:30; FAA Modernization and Reform Act of 2012 (P.L.

More information

Homeport 2.0 User Guide for Public Users

Homeport 2.0 User Guide for Public Users Commanding Officer U.S. Coast Guard Operations Systems Center Kearneysville, WV 25430 Homeport 2.0 User Guide for Public Users Version 1.0 Draft October 17, 2017 Table of Contents 1. PREFACE...1 1.1 About

More information

SKYTRAK REAL GAME REAL RESULTS. Quick Start Guide

SKYTRAK REAL GAME REAL RESULTS. Quick Start Guide SKYTRAK REAL GAME REAL RESULTS Quick Start Guide IMPORTANT: Read carefully the SkyTrak Safety and Product Information Guide before setup or use of the SkyTrak TM system. Failure to read and follow the

More information

Shuttle Membership Agreement

Shuttle Membership Agreement Shuttle Membership Agreement Trend Aviation, LLC. FlyTrendAviation.com Membership with Trend Aviation, LLC. ("Trend Aviation") is subject to the terms and conditions contained in this Membership Agreement,

More information

ultimate traffic Live User Guide

ultimate traffic Live User Guide ultimate traffic Live User Guide Welcome to ultimate traffic Live This manual has been prepared to aid you in learning about utlive. ultimate traffic Live is an AI traffic generation and management program

More information

EMC Unisphere for VMAX

EMC Unisphere for VMAX EMC Unisphere for VMAX Version 8.4.0 Installation Guide REV 01 Copyright 2014-2017 EMC Corporation All rights reserved. Published May 2017 Dell believes the information in this publication is accurate

More information

Concur Travel User Guide

Concur Travel User Guide Concur Travel User Guide Table of Contents Updating Your Travel Profile... 3 Travel Arranger... 3 Access... 3 Book a Flight... 5 Step 1: Start the Search... 5 Step 2: Select a flight... 7 Step 3: Select

More information

Quick Reference Guide Version

Quick Reference Guide Version Quick Reference Guide Version 2013.1 400 Minuteman Road Andover, MA 01810 USA Tel 978.983.6300 Fax 978.983.6400 Edgbaston House (15 th Floor) 3 Duchess Place, Hagley Road Birmingham, B16 8HN United Kingdom

More information

Introduction & Admin. Online UAS Training Courses. Virtual Meet & Greet

Introduction & Admin. Online UAS Training Courses. Virtual Meet & Greet Introduction & Admin Online UAS Training Courses Virtual Meet & Greet Introduction Aim 1. Organise your thoughts - Overview of the Course Material - A framework for developing Expertise. 2. Get started

More information

Amadeus Selling Platform Timatic User Guide

Amadeus Selling Platform Timatic User Guide Amadeus Selling Platform Timatic User Guide amadeus.com YOUR USE OF THIS DOCUMENTATION IS SUBJECT TO THESE TERMS Use of this documentation You are authorised to view, copy, or print the documentation for

More information

Jeppesen Total Navigation Solution

Jeppesen Total Navigation Solution Jeppesen Total Navigation Solution Executive summary Do more with less. It s a challenge we all face, and it s the reality of military operations. Jeppesen s Total Navigation Solution (TNS) gives you enterprise,

More information

A New Way to Work in the ERCOT Market

A New Way to Work in the ERCOT Market Siemens Energy, Inc. Power Technology Issue 111 A New Way to Work in the ERCOT Market Joseph M. Smith Senior Staff Business Development Specialist joseph_smith@siemens.com In recent months The Electric

More information

Comfort Pro A Hotel. User Manual

Comfort Pro A Hotel. User Manual Comfort Pro A Hotel User Manual Contents ComfortPro A Hotel 5 Software Features............................................................6 Scope of Delivery.............................................................7

More information

USER GUIDE Cruises Section

USER GUIDE Cruises Section USER GUIDE Cruises Section CONTENTS 1. WELCOME.... CRUISE RESERVATION SYSTEM... 4.1 Quotes and availability searches... 4.1.1 Search Page... 5.1. Search Results Page and Cruise Selection... 6.1. Modifying

More information

FAA Technical Documentation Requirements

FAA Technical Documentation Requirements FAA Technical Documentation Requirements 1. A COMPLETED FAA Form 8130-6 or FAA Form 8130-1. The 8130-6 form is used to apply for a standard and special airworthiness certification, and the 8130-1 form

More information

MYOB EXO OnTheGo. Release Notes 1.2

MYOB EXO OnTheGo. Release Notes 1.2 MYOB EXO OnTheGo Release Notes 1.2 Contents Introduction 1 What s New in this Release?... 1 Installation 2 Pre-Install Requirements... 2 Installing the EXO API... 2 Installing EXO OnTheGo... 2 New Features

More information

MEMBERSHIP, ENTERING INTO AN AGREEMENT AND RESPONSIBILITIES OF THE COMPANY

MEMBERSHIP, ENTERING INTO AN AGREEMENT AND RESPONSIBILITIES OF THE COMPANY GENERAL These terms and conditions shall apply to the Finnair Corporate Programme (hereinafter Programme ). Apart from these terms and conditions, no other rules are applicable. The Programme is designed

More information

CLUB MARRIOTT MEMBERSHIP BENEFITS

CLUB MARRIOTT MEMBERSHIP BENEFITS CLUB MARRIOTT MEMBERSHIP BENEFITS BENEFITS AT PARTICIPATING MARRIOTT HOTELS IN ASIA PACIFIC The following benefits are available to Members on presentation of the Club Marriott Membership Card. Up to a

More information

Technical Arrangement on Aircraft Maintenance between the Transport Canada Civil Aviation Directorate and the Civil Aviation Authority of New Zealand

Technical Arrangement on Aircraft Maintenance between the Transport Canada Civil Aviation Directorate and the Civil Aviation Authority of New Zealand Technical Arrangement on Aircraft Maintenance between the Transport Canada Civil Aviation Directorate and the Civil Aviation Authority of New Zealand Preamble 1. Transport Canada, Civil Aviation Directorate

More information

ICTAP Program. Interoperable Communications Technical Assistance Program. Communication Assets Survey and Mapping (CASM) Tool Short Introduction

ICTAP Program. Interoperable Communications Technical Assistance Program. Communication Assets Survey and Mapping (CASM) Tool Short Introduction ICTAP Program Interoperable Communications Technical Assistance Program Communication Assets Survey and Mapping (CASM) Tool Short Introduction Outline Overview General Information Purpose Security Usage

More information

Privacy. Newcrest means Newcrest Mining Limited (ACN ) and each of its subsidiaries; and

Privacy. Newcrest means Newcrest Mining Limited (ACN ) and each of its subsidiaries; and Newcrest respects people's privacy. Newcrest is bound by the Australian Principles in the Act 1988 (Cth) (the Act), as well as other applicable laws protecting privacy. All personal information that Newcrest

More information

Inmarsat GADSS Solutions Global Aeronautical Distress and Safety System

Inmarsat GADSS Solutions Global Aeronautical Distress and Safety System Inmarsat GADSS Solutions Global Aeronautical Distress and Safety System 30 November 2016 While the information in this document has been prepared in good faith, no representation, warranty, assurance or

More information

Shared Rides Lightning Edition User Guide. Quick Start Framework. Version Name: Spring 2017 Version Number: 2.4 Date: 20/01/17

Shared Rides Lightning Edition User Guide. Quick Start Framework. Version Name: Spring 2017 Version Number: 2.4 Date: 20/01/17 Shared Rides Lightning Edition User Guide Version Name: Spring 2017 Version Number: 2.4 Date: 20/01/17 Shared Rides Lightning Edition User Guide.pdf 1 Table of Content Introduction... 3 Disclaimer... 3

More information

GROUND HANDLING COURSES Amadeus Customer Service

GROUND HANDLING COURSES Amadeus Customer Service GROUND HANDLING COURSES Amadeus Customer Service 30 April 2018 SUMMARY Altéa Administration for Ground Handlers... 3 Amadeus Altea document management for Altea Departure Control... 4 Amadeus Security

More information