This article describes how you can perform a CA SiteMinder basic setup and configuration to provide CA Wily APM authentication before deploying CA EEM for.

This example describes these tasks:
Configure SiteMinder policy
Configure EEM to connect to SiteMinder

This example setup uses 4 machines. You'll install the required components on each machine as follows:
Machine 1: SiteMinder Policy Store, Admin UI, and SunOne LDAP user directory
Machine 2: SiteMinder Web Agent, Introscope EM
Machine 3: CA EEM
Machine 4: SiteMinder UI (called SiteMinder WAM UI)

This diagram shows what the CA EEM/SiteMinder integrated environment looks like when the setup is complete.

Install SiteMinder

Verify that SiteMinder is installed and working correctly.

Start the SiteMinder UI

Go to the WAMUI machine and start the task engine.
Start > Programs > CA > IAMSuite > siteminderWAM > Start Task Engine
Go to Start > Programs > CA > IAM Suite > siteminderwam > SiteMinder Administrative User Interface
Or http://<wamui ServerNAME>:8080/iam/siteminder
Log in using credentials from your LDAP install that SiteMinder is configured to use.
The SiteMinder WAM Administrative UI appears.

Register the SiteMinder UI with the SiteMinder Policy server

Note: Before you can add the UI, you must register it first with the SiteMinder Policy server.

Run the command below on the SiteMinder machine. In this example, smui2 is the client name. Your client name must be a unique value that was not previously used on this server.

    xpsregclient smui2:123getout adminui su t 1440

The second value is the passphrase that will be used. (In this example the passphrase is 123Getout.) This passphrase is needed when you register a Policy server with the WAM UI.

Add the SiteMinder UI.
In the SiteMinder WAM UI screen, click on the Administration tab > UI > Register Administration UI Server.
Enter the server information and the client registration information that you entered when you ran the xpsregclient command to register the SiteMinder UI with the Policy Server.

Go to the Infrastructure tab.
Click Agent > Create Agent.
Select Create a new object of type Agent.
Select Support 4.x agents.
Enter the IP address of the Web Agent machine.
Enter a Shared Secret.
Click Submit.

Go to Agent Configuration.
Click on Create Agent Configuration.
Create a copy of an object of type Agent Configuration.
Select IISDefaultSettings.
Click OK.
Enter the Name.
Click on the icon to edit the Parameter for the DefaultAgentName.
Remove the # from the Parameter name.
Set the value to the agent name that you created earlier (i.e. smagent).
Click OK.
Edit the AllowLocalConfig parameter. Change the value to Yes. (This parameter might be on the second page.)
Click OK.

Go to Infrastructure > Authentication.
Click Authentication Scheme > Create Authentication Scheme.
Click OK.
Enter a Name.
Select the Authentication Scheme Type: HTML Form Template.
Enter the Web Server Name and Port.
Click Submit.

Create the User Directory

Go to Infrastructure > Directory.
Click User Directory > Create User Directory.
Enter the Name for the user Directory.
Enter the Server and Port for the LDAP Server (the SunOne default port is 389).
Enter the Administrator Credentials.
Enter the LDAP Settings and the User Attributes for your LDAP server.

Create a Host Configuration

Go to Infrastructure > Hosts.
Click Host Configuration > Create Host Configuration.
Enter the Host Config Name.
Enter the Policy Server IP Address.
Click Submit.

Create a Domain

Go to Policies > Domains.
Click Domains > Create Domain.
Click Add/Remove under the User Directories.
Select the user directory that you created.
Click OK.
Click Submit.

Create a Realm

Go to Policies > Domains.
Click Realm > Create Realm.
Select the domain you created.
Click Next.
Enter the Realm Name.
Use the Browse button to select the Agent you created.
Set the Authentication Scheme to the Scheme you created.
Click Finish.

Create a Rule

Go to Policies > Domains.
Click Rule > Create Rule.
Select the Domain.
Select the Realm you created and click Next.
Enter the Rule Name.
Select both Get and Post in the Action section.
Click Finish.

Create a Policy

Go to Policies > Domains.
Click Policy > Create Policy.
Select your Domain and click Next.
Enter the Policy Name, then click Next.
Click Add All in the User Directories section.
Click Next.
Click Add Rule.
Select the Rule you created.
Click OK.
Click Next.
Click Finish.

Enable the Policy you created

Go to Policies > Domains.
Click Policies > Modify Policy.
Select the Policy you created.
Select the box to Enable the Policy.
Click Submit.

Configure the WebAgent.conf and SmHost.conf

You can manually edit the conf files, or run ca-wa-config.cmd.

WebAgent.conf
C:\CA\webagent\bin\IIS\WebAgent.conf
Open the file in Notepad.
Enter the AgentConfigObject (the Agent Config you created).
Enable the Web Agent.

    AgentConfigObject="MyAgentConfig"
    EnableWebAgent="YES"

SmHost.conf
C:\CA\webagent\config\SmHost.conf
Enter the Host Config Object (the Host Config you created).

    hostconfigobject="myhostconfig"

Carry out final steps and confirmations

Restart IIS on the Web Agent machine. You can run the command iisreset on the Web Agent machine to restart IIS.
To check your SiteMinder configuration, connect to a default IIS page.
http://<webagentmachine>.ca.com/iisstart.htm
At the Please Login page, you will be prompted for the SiteMinder Authentication. Enter the login credentials from your LDAP.
You will then be able to view the IIS page.

Connect to your CA EEM server.
http://localhost:5250/spin/eiam/eiam.csp
Select the Configure tab.
Go to EEM Server > Global users / Global Groups.
Select Reference from CA SiteMinder.
Host: <SiteMinder Server Machine>
Admin Name: <SiteMinder Admin user>
Admin password: <SiteMinder Password>
Agent name: smagent (agent you created in SiteMinder)
Agent Secret: (enter the agent secret that you used when you created the agent)
Authorization Store Type: Sun ONE Directory
Authorization Store Name: wilyuserdir (Directory name that you created)
Authentication Store Name: wilyuserdir (Directory name that you created)
Click Save. The status should change to succeeded and loaded.

You now need to configure CA EEM and LDAP with the Access Policy and Groups needed for CA Wily APM. For more information, see the CA Wily APM Security Guide or KB article 2450: CA Wily APM security example: Setting up CA Wily APM users, groups, and resources in CA EEM.
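
A check for the WebAgent.conf and SmHost.conf edits described earlier, to run before restarting IIS. This is an added example, not part of the original article or of CA's tooling. The function names are hypothetical, the sample file contents are constructed, and it assumes both files hold key="value" lines with # marking a comment.

```powershell
# Added example (not CA tooling). Assumes key="value" lines; '#' starts a comment.
function Read-SmConf {
    param([string[]]$Lines)
    $settings = @{}   # hashtable keys are case-insensitive in PowerShell
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        if ($text -match '^([A-Za-z0-9_]+)\s*=\s*"?([^"]*)"?\s*$') {
            $settings[$Matches[1]] = $Matches[2].Trim()   # last assignment wins
        }
    }
    return $settings
}

function Test-WebAgentSetup {
    param([string[]]$WebAgentConf, [string[]]$SmHostConf,
          [string]$AgentConfig, [string]$HostConfig)
    $wa = Read-SmConf -Lines $WebAgentConf
    $sh = Read-SmConf -Lines $SmHostConf
    $problems = @()
    if ($wa['AgentConfigObject'] -ne $AgentConfig) {
        $problems += "WebAgent.conf: AgentConfigObject is '$($wa['AgentConfigObject'])', expected '$AgentConfig'"
    }
    if ($wa['EnableWebAgent'] -ne 'YES') {
        $problems += "WebAgent.conf: EnableWebAgent is '$($wa['EnableWebAgent'])', expected 'YES'"
    }
    if ($sh['hostconfigobject'] -ne $HostConfig) {
        $problems += "SmHost.conf: hostconfigobject is '$($sh['hostconfigobject'])', expected '$HostConfig'"
    }
    return $problems
}

# Constructed sample contents: the YES line is still commented out.
$webAgentSample = @(
    'AgentConfigObject="MyAgentConfig"',
    '#EnableWebAgent="YES"',
    'EnableWebAgent="NO"'
)
$smHostSample = @('hostconfigobject="myhostconfig"')

$found = @(Test-WebAgentSetup -WebAgentConf $webAgentSample -SmHostConf $smHostSample `
                              -AgentConfig 'MyAgentConfig' -HostConfig 'myhostconfig')
$found | ForEach-Object { Write-Warning $_ }
if ($found.Count -eq 0) { 'Both files match; IIS can be restarted with iisreset.' }

# Against the files from this article:
#   Test-WebAgentSetup -WebAgentConf (Get-Content 'C:\CA\webagent\bin\IIS\WebAgent.conf') `
#       -SmHostConf (Get-Content 'C:\CA\webagent\config\SmHost.conf') `
#       -AgentConfig 'MyAgentConfig' -HostConfig 'myhostconfig'
```

The comparison is case-insensitive, so it flags a wrong or missing object name but not a difference in letter case.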