CA Adapter
Installation and Configuration Guide for Windows
r2.2.9
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to
as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without
the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed
by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing
your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and
CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may
print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your
employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced
copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2013 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the
information that you need for your Home Office, Small Business, and Enterprise CA
Technologies products. At http://ca.com/support, you can access the following
resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you
can send a message to techpubs@ca.com.
To provide feedback about CA Technologies product documentation, complete our
short customer survey which is available on the CA Support website at
http://ca.com/docs.
Contents
Chapter 1: Introduction to CA Adapter 9
  Adapter Integration Options 11
    Adapter for SAML 11
    Adapter for SiteMinder 11
    Adapter for VPN 12
  Adapter Architecture 12
    Authentication Flow Manager 14
    State Manager 17
    User Data Service 17
    Authentication Shim 18
    Form Credential Collector (FCC) Pages 18
    CA VPN Client 18
    Other CA Products Used with Adapter 18
  Adapter Workflows 19
    End User Login Workflow in SAML 20
    End User Authentication Workflow in SiteMinder 21
    End User Authentication Workflow in IPSec VPN 21
    End User Authentication Workflow in SSL VPN 22
  Adapter Features 22
Chapter 2: Planning the Deployment 23
  Deployment Architecture 23
  Deployment Overview 24
Chapter 3: Preparing for Installation 29
  Software Requirements for State Manager 29
    Minimum Software Requirements 29
    Configuring the Application Server 31
  Software Requirements for Authentication Flow Manager 31
  Software Requirements for Authentication Shim 33
  Software Requirements for FCC Pages 33
  Checklist for Integration 34
Chapter 4: Installing Adapter 37
  Installing in a Distributed Environment 37
    For SiteMinder Integration 38
    For SAML Integration 41
    For VPN Integration 42
  Installing on a Single System 44
  Verifying the Installation 44
Chapter 5: Performing Adapter Configuration Using the Wizard 45
  Understanding the AFM Profile 46
  Deploying the Wizard 47
  Configuring Adapter by Using the Wizard 48
  Copying the Adapter Configuration Files 62
    For SiteMinder Integration 62
    For SAML Integration 63
    For VPN Integration 63
Chapter 6: Deploying and Configuring State Manager 65
  Running Database Scripts 65
  Copying the JDBC Drivers 66
    Apache Tomcat 67
    JBoss 67
    (For Microsoft SQL Server) Oracle WebLogic 68
  Creating a JNDI Connection 68
    Apache Tomcat 69
    IBM WebSphere 71
    JBoss 74
    Oracle WebLogic 75
  Deploying State Manager 76
Chapter 7: Deploying and Configuring Authentication Flow Manager 79
  Deploying Authentication Flow Manager 80
  Next Steps 83
Chapter 8: Configuring Authentication Shim and FCC Pages 85
  Deploying the FCC Pages 85
    Verifying the FCC Pages Deployment 85
  Deploying Authentication Shim 86
Chapter 9: Configuring CA SiteMinder Policy Server 87
Chapter 10: Deploying and Configuring SAML Sample Applications 89
  Deploying the Sample Application WAR Files 90
  Verifying the Sample Application Deployment 93
  Configuring Sample Application 93
    Performing Basic AFM Configurations Using Sample Application 94
    (Optional) Configuring Custom Certificates in Sample Application 95
Chapter 11: Configuring the Service Provider’s Application 97
Chapter 12: Verifying Adapter Integration 99
  Verifying the State Manager Configuration 99
  Verifying the AFM Configuration 100
  Verifying the Authentication Shim Configuration 100
  Verifying SiteMinder Integration 101
  Verifying SAML Integration 101
Chapter 13: Uninstalling Adapter 103
  Dropping the Adapter Schema 103
  Uninstalling Adapter 104
  Post-Uninstallation Steps 105
Appendix A: Adapter File System Structure 107
Appendix B: Configuration Files and Options 113
  State Manager Properties File 113
  State Manager Log File 118
  AFM Properties File 118
  AFM Log File 137
  SAML Properties File 138
  Authentication Shim Properties File 140
    Configuring Global Information 143
    Configuring the Log Information 145
Appendix C: Deploying and Configuring the Custom Application 149
  Custom Application Deployment Architecture 149
  Deploying the Custom Application WAR Files 150
  Verifying the Custom Application Deployment 151
  Configuring the Custom Application 152
    Testing the Custom Application 153
Appendix D: Additional Configurations to Support LDAP Repository in AuthMinder 155
  Creating Organization in LDAP Repository 156
  Resolving Credential Types for LDAP Organization 162
  Verifying the LDAP Configuration in AuthMinder 162
Appendix E: Configuring SSL and Redirection in Apache Tomcat 163
  Configuring SSL 164
  Verifying the SSL Configuration in Tomcat 165
  Configuring IIS Server to Tomcat Redirection 165
    Configuring Properties and DLL Files 166
    Creating Registry Entries 167
    Configuring IIS Management Console 169
    Verifying the IIS Server to Tomcat Redirection Configuration 170
Chapter 1: Introduction to CA Adapter
Organizations use various authentication methods to secure access to the resources
available in their private networks. Basic authentication methods, such as user name
and password, give only weak assurance of who is actually logging in and expose
organizations to the risk of identity fraud. Authentication methods that rely on hardware
devices, such as One-Time Password (OTP) tokens, are expensive to deploy and manage.
The problem of identity management is compounded by the increasing number of
applications in a network: each application requires a separate user name and password
that the end user must remember, and each application needs dedicated resources to
store and manage those credentials. Single Sign-On (SSO) and multi-factor
authentication services are therefore pivotal for organizations that must provide secure
access to protected resources.
Adapter provides SSO and multi-factor authentication services for multiple Web
applications. It enables organizations to upgrade from standard user name and
password authentication without changing their users' login experience or their critical
business processes.
Adapter combines a flexible, software-based strong authentication solution with a
risk-based adaptive authentication solution to provide a robust and secure solution for
accessing Web applications, such as:
■ SAML-based Web portals
■ Web Access Management solutions, such as SiteMinder
■ Internet Protocol Security (IPSec) or SSL-based Virtual Private Network (VPN) appliances
This guide provides information for installing and configuring CA Adapter 2.2.9 on
Windows with supported applications, such as CA SiteMinder, Security Assertion
Markup Language (SAML) based Web portals, or Virtual Private Network (VPN)
applications. This guide describes the following:
■ The high-level architecture of the integration process
■ Components of Adapter
■ Requirements for installing Adapter
■ Installing and configuring Adapter to work with the supported applications
■ Uninstalling Adapter
This chapter introduces you to the basic concepts of Adapter and covers the following
topics:
■ Adapter Integration Options (see page 11)
■ Adapter Architecture (see page 12)
■ Adapter Workflows (see page 19)
■ Adapter Features (see page 22)
Note: CA Adapter still contains the terms Arcot, WebFort and RiskFort in some of its
code objects and other artifacts. Therefore, you will find occurrences of Arcot, WebFort
and RiskFort in all CA Adapter documentation. In addition, some of the topics in this
guide do not follow the standard formatting guidelines. These inconsistencies will be
fixed in a future release.
Adapter Integration Options
Adapter can integrate with the following types of applications:
■ SAML-based Web portals
■ SiteMinder
■ IPSec or SSL-based VPNs
The following subsections describe these integration options.
Adapter for SAML
By integrating Adapter with your business applications and resources, you enable a
solution that provides secure Single Sign-On access for all your Web applications using
Security Assertion Markup Language 2.0 (SAML 2.0). As a result, users log in once and
gain access to all applications without having to log in to each of them individually.
When users are enrolled in Adapter, they are provided an AuthMinder credential that is
subsequently used as the authentication credential in one or more applications. As you
add subsequent applications and "link" them, you can use the same credential that you
set up for the first application. Any time a user changes the password or other
authentication credentials within one application, the change is automatically applied to
all of the linked applications.
Adapter for SiteMinder
CA SiteMinder provides centralized security management capability that enables
customers, partners, and end users to securely access and deliver applications and data
on the Web. Integrating SiteMinder with Adapter allows you to protect your resources
with multi-factor and risk-based adaptive authentication.
Adapter for VPN
Organizations provide their employees, contractors, and business partners with secure
remote access by using VPN over existing internet connections. However, a VPN that
authenticates users with only a user name and password does not strongly defend
against unauthorized access to the organization's electronic assets. Security experts
recommend strong, two-factor authentication to protect remote access. Adapter can be
integrated with VPNs to combine flexible, software-based strong authentication with a
full-featured IPSec or SSL-based VPN system, without changing the user's login
experience. The SSL VPN integration can use all the authentication mechanisms
supported by AuthMinder. The IPSec VPN integration supports only ArcotID PKI, which is
CA's software-based credential.
Adapter Architecture
The following diagram illustrates how Adapter components integrate with the
supported applications.
As illustrated in the preceding diagram, Adapter includes the following common
components:
■ Authentication Flow Manager (see page 14)
■ State Manager (see page 17)
■ User Data Service (see page 17)
The following components are used for the SiteMinder integration:
■ Authentication Shim (see page 18)
■ Form Credential Collector (FCC) Pages (see page 18)
Adapter also uses CA VPN Client (see page 18) for the IPsec VPN integration. In addition,
Adapter uses other Advanced Authentication products, which are explained in the
section "Other CA Products Used with Adapter" (see page 18).
Authentication Flow Manager
Authentication Flow Manager (AFM) functions as the interface between users and the
other components of Adapter. For SAML-based portals, AFM can be deployed as an
Identity Provider (IdP) that provides SSO-based federated identity services using SAML
2.0. AFM also acts as a state machine that guides the end user through the
authentication workflows.
AFM lets you create common, ready-to-use authentication configurations, known as
AFM profiles. For more information about AFM profiles, see Understanding the AFM
Profile (see page 46).
You can use AFM to configure the following out-of-the-box workflows:
Important! All workflows are capable of enrolling users who do not possess an
AuthMinder credential.
■ Risk Evaluation and ArcotID Authentication: This authentication workflow is a combination of the risk evaluation and ArcotID PKI authentication workflows. This workflow can also be configured to use QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
■ ArcotID Authentication: This workflow includes ArcotID PKI authentication using AuthMinder. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations. However, the IPsec VPN integration uses only QnA for secondary authentication.
■ LDAP and ArcotID Authentication: This workflow combines the LDAP or basic SiteMinder authentication scheme and ArcotID PKI authentication. In this workflow, the LDAP or basic authentication is performed before ArcotID PKI authentication. This workflow can be configured to present QnA, OTP by email, OTP by SMS, or ArcotID OTP on mobile phones for secondary authentication on a SiteMinder integration.
■ Risk Evaluation and LDAP Authentication: This authentication workflow is a combination of the risk evaluation workflow and the LDAP or basic SiteMinder authentication scheme. In this workflow, the risk evaluation is performed before the LDAP or basic authentication. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
■ LDAP Authentication and Risk Evaluation: This authentication workflow combines the LDAP or basic SiteMinder authentication scheme and the risk evaluation workflow. In this workflow, the LDAP or basic authentication is performed before the risk evaluation. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
■ OATH-Based Authentication: This workflow includes authentication using OATH-based hardware token credentials. You can configure this as a primary authentication mechanism for any supported application on SAML, SiteMinder, and SSL VPN integrations.
■ ArcotOTP-Based Authentication for Mobiles and Other Devices: This workflow includes authentication using ArcotID OTP. The OTP that is used for authentication is generated on your device, which can be a mobile device or the computer where the ArcotID OTP application is installed. You can configure this as a primary authentication mechanism for any supported application. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
■ Risk Evaluation and ArcotOTP-Based Authentication for Browsers: This workflow combines risk evaluation and ArcotID OTP authentication for browsers. In this workflow, risk evaluation is performed before the ArcotID OTP authentication. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
■ ArcotOTP-Based Authentication for Browsers: This workflow includes authentication using ArcotID OTP for browsers. You can configure this as a primary authentication mechanism for any supported application. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
Typically, these authentication workflows are rendered as JavaServer Pages (JSPs) that
collect user information required for authentication. All authentication workflows
support user migration. For example, if a user is not enrolled for ArcotID PKI
authentication, then the user is taken through the enrollment workflow to complete the
authentication process.
The following JSP file can be used to directly enroll a user for AuthMinder
authentication:
■ masterEnrollment.jsp: The workflow defined in this JSP enrolls the user for the configured AuthMinder credentials. This is done after authenticating the user with LDAP, OTP, or both, depending on the configuration. If a profile has been configured in the AFM wizard, then to enroll the user for the credentials configured in the profile, a request parameter must be sent to the masterEnrollment.jsp file in the following format:
arcotafm/masterEnrollment.jsp?profile=profile-name
Note: This enrollment workflow is available at the following location:
application_server_home\webapps\arcotafm\
The following JSP file can be used to update the user’s details:
■ settings.jsp: This JSP enables end users to update their credentials. The workflow defined in this JSP updates the credentials of the user. When you integrate this JSP in your application, display a link to it only after the user has authenticated successfully. Use the following format for the URL that leads to this JSP:
/arcotafm/settings.jsp?profile=profile_name
Hiding the link is not by itself an access control: the URL must also be protected on the server side, because a user can request it directly. In the case of a SiteMinder integration, protect this URL with the same authentication scheme that is configured for the resource that the user is trying to access.
AFM also maintains the state data of the user workflow, conducts AuthMinder
authentication, and reads or writes RiskMinder Device ID information required by
RiskMinder. In addition to using the authentication workflows shipped with AFM, you
can customize an authentication workflow as per your organization’s requirements.
Important! All users enrolled for authentication through any of the authentication
workflows are assigned some Custom Attributes, which are accessible through
AuthMinder Administration Console. While fetching the user details in the
Administration Console, you might see any of the following Custom Attributes:
– AOTPXML
– PAM_IMAGE
– OATH_SYNCHRONIZED
If you find any of the above-mentioned Custom Attributes in the user details, you must
not edit or delete them. Doing so would cause the user authentication or enrollment
workflow to fail.
For information about supported authentication mechanisms for the different
integration types, see the "Performing Adapter Configuration Using the Wizard (see
page 45)" section.
State Manager
State Manager is responsible for creating, maintaining, and tracking the tokens that are
used to associate the authentication and risk status of a logon session across multiple
Adapter components, and your application. The tokens, which contain information
about the user and the session state, enable other Adapter components to remain
stateless.
State Manager also provides a token validation mechanism to securely communicate
the authentication result, the risk result (if configured), and the subsequent action to be
performed by the IdP or Authentication Shim.
In the case of a SiteMinder integration, State Manager also acts as a proxy to
RiskMinder by providing risk evaluation services to other components. State Manager
receives the risk evaluation input parameters from the calling application and passes
them to RiskMinder. After the risk evaluation is complete, State Manager inserts the risk
evaluation result into the token for further examination or processing by other
components. Based on the implemented workflow, risk evaluation can be performed
before or after user authentication. If the risk evaluation takes place after user
authentication, the result of the user authentication is stored in the token and then the
risk evaluation is performed.
In the case of a SAML integration, State Manager maintains session information of the
authenticated user in a token.
In the case of an SSL VPN integration, State Manager is required when the primary
authentication mechanism is ArcotID OTP for browsers. If the ArcotID OTP is used on
multiple devices, State Manager is required to keep the ArcotID OTP data consistent
with the data stored on the server.
Adapter provides database failover support for State Manager. If the primary database
server is unavailable, State Manager can switch over to the secondary database server.
To use this feature, you need to configure the secondary database server and
synchronize it with the primary database. This keeps the users’ session information
available at all times. To enable the failover support, a new set of parameters has
been introduced in the State Manager properties file that you need to configure.
For details on the parameters that you need to configure to enable the database
failover, see the Database Connectivity Parameters table in the appendix.
User Data Service
The abstraction layer that provides access to user- and organization-related data from
different types of user repositories, such as relational databases (RDBMSs) and directory
servers (LDAPs).
Authentication Shim
Authentication Shim, which integrates with SiteMinder, acts as an interface between
SiteMinder and other Adapter components (State Manager and AFM), and AuthMinder
and RiskMinder.
The Authentication Shim is an instance of a shared library and resides in the SiteMinder
Policy Server instance. The Authentication Shim implements the SiteMinder
Authentication API.
Form Credential Collector (FCC) Pages
FCC pages are static HTML pages used by Authentication Shim (see page 18) to collect
user inputs during enrollment or basic authentication and to display error messages, if
any. These pages are deployed on the same Web server where the SiteMinder Web
Agent resides.
CA VPN Client
For IPSec VPN integration, Adapter uses the CA VPN Client application. This application
is installed on the end-user’s system. The VPN Client works with AFM and AuthMinder
Server to authenticate the end users before allowing them access to the resources
available on the enterprise network. In case of IPSec VPN integration, VPN Client is the
only component of Adapter that the end users interact with directly.
When a user specifies the ArcotID PKI credentials (user name and password), VPN Client
interacts with Authentication Flow Manager (see page 14) for the ArcotID PKI
authentication through AuthMinder. After successful authentication, AFM returns a
One-Time-Token (OTT) to the VPN Client which, in turn, invokes the client application of
the VPN appliance and passes the user name along with the OTT for further processing.
Other CA Products Used with Adapter
This section provides a brief introduction to the following CA products that are used
with Adapter 2.2.9:
■ AuthMinder (see page 19)
■ RiskMinder (see page 19)
CA AuthMinder
CA AuthMinder protects users from identity theft and fraud by providing strong,
two-factor authentication, without changing their familiar user name/password-based
sign-on experience. As a result, it significantly enhances the varied authentication
management capabilities (including step-up authentication) of any access manager by
adding a transparent layer of strong multi-factor authentication.
Note: For information on installing and configuring CA AuthMinder, refer to the
documentation shipped with that product.
CA RiskMinder
CA RiskMinder provides real-time protection against frauds in online transactions. It
gathers data during the login process to track suspicious activities and formulates a Risk
Score and Advice based on the organization’s business rules and security protocols. The
Risk Advice then determines if the transaction is to be allowed or denied, whether a
greater degree of authentication is required, or if the customer service or network
security personnel need to be notified.
Note: For information on installing and configuring RiskMinder, refer to the
documentation shipped with that product.
Adapter Workflows
This section explains the end-user workflows, as experienced by the end users after they
start using the integrated solution. This section describes the following workflows:
■ End User Login Workflow in SAML (see page 20)
■ End User Authentication Workflow in SiteMinder (see page 21)
■ End User Authentication Workflow in IPSec VPN (see page 21)
■ End User Authentication Workflow in SSL VPN (see page 22)
End User Login Workflow in SAML
The following steps explain the user authentication procedure when Adapter is
integrated with any SAML-based Web portal:
1. The user accesses a Web portal containing links to various resources or
   applications.
2. The user clicks a link to access an application (for example, a banking application),
   which is hosted on the Service Provider's (SP) secure network.
3. The SP issues a SAML authentication request message, which is sent through the
   user’s browser to the intended IdP using the HTTP Redirect method.
4. The IdP parses the SAML request and proceeds with user authentication, which
   could be configured to be authentication only or a combination of AuthMinder
   authentication and risk evaluation.
5. On successful authentication, AFM sends a request to State Manager for token
   creation. State Manager saves the user’s state as a token and securely
   communicates the token information to the IdP.
6. The IdP securely communicates the authenticated SAML response through the
   user’s browser (using HTTP POST) to the SP.
7. The SP validates the SAML response by using an appropriate certificate.
8. The SP grants access to the requested resource.
The user can now access any other application on the Web portal without logging in
again.
End User Authentication Workflow in SiteMinder
The following steps explain the user authentication and risk assessment procedure
when Adapter is integrated with SiteMinder and risk assessment is enabled:
1. The user accesses a resource that is protected by SiteMinder.
2. SiteMinder disambiguates the user.
3. If the authentication has to be performed by CA components, then Authentication
   Shim (see page 18) redirects the user to Authentication Flow Manager (see
   page 14).
   Note: If the user is not enrolled for AuthMinder authentication, AFM can be
   configured to take the user through the enrollment process.
4. AFM guides the user through the authentication and risk evaluation process, if risk
   assessment is configured.
5. Depending on the authentication and risk evaluation results, State Manager (see
   page 17) saves the user’s state in a token and securely communicates the user's
   state along with the authentication and risk result to Authentication Shim.
6. Authentication Shim evaluates and forwards the authentication result to
   SiteMinder.
If the user is authenticated successfully, the risk result is positive, and the user is
authorized to access the protected resource, then the user is granted access to the
protected resource.
End User Authentication Workflow in IPSec VPN
A generic user authentication workflow after integrating Adapter with the Cisco IPSec
VPN appliance is as follows:
1. The user invokes AVC to connect to your enterprise network.
2. In the AVC user interface, the user specifies their ArcotID PKI credentials and clicks
   the Login button to connect.
3. AFM performs ArcotID PKI authentication and returns an OTT to AVC.
4. AVC invokes the Cisco VPN client application, which, in turn, connects to the Cisco
   VPN server with the user’s information and the OTT.
5. The Cisco VPN server validates the OTT with AuthMinder, which is set up as the
   RADIUS server.
6. On successful authentication, the user is logged in to your enterprise network.
End User Authentication Workflow in SSL VPN
A generic user authentication workflow after integrating Adapter with Juniper SSL VPN
appliance is as follows:
1. The user accesses the VPN login URL.
2. The user request is intercepted by the Juniper SSL VPN appliance, which, in turn,
   redirects the user request to AFM for authentication.
3. AFM, along with the AuthMinder authentication server, completes the authentication.
   Note: The ArcotID PKI and the ArcotID PKI PIN that are a part of ArcotID PKI
   authentication are used to extract the private key of the user. This private key is
   then used to sign the challenge. Refer to the CA AuthMinder Installation and
   Deployment Guide for more information on ArcotID PKI authentication.
4. AFM redirects the generated Authentication OTT to the Juniper SSL VPN appliance.
5. The Juniper SSL VPN appliance validates the OTT with AuthMinder, which is set up
   as the RADIUS server.
6. After successful user authentication, the Juniper SSL VPN appliance provides access
   to the network.
Adapter Features
The key features and enhancements in the Adapter 2.2.9 release have been discussed in
detail in the section, "What’s New in this Release" in CA Adapter Release Notes.
Chapter 2: Planning the Deployment
This chapter discusses the various deployment options for Adapter and helps you plan
the deployment.
The following topics are covered in this chapter:
■ Deployment Architecture (see page 23)
■ Deployment Overview (see page 24)
Deployment Architecture
The following diagram depicts a possible deployment option for prerequisite software
and Adapter components.
Install and deploy Adapter components as depicted in the preceding diagram. Also, CA
recommends using a secured communication channel between all Adapter components.
For more information about configuring SSL communication, see appendix, "Configuring
SSL and Redirection in Apache Tomcat" (see page 163).
Important! As the systems involved in the deployment process must be accessed using
their Fully Qualified Domain Name (FQDN) only, make the following changes:
– Ensure that you have added the Service Provider's IP address and Web server's IP
address in the Windows hosts file of the end-user's system.
– Ensure that you have added the AFM application server's IP address in the Windows
hosts file of the Service Provider's system.
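The hosts-file changes above are easy to get wrong by hand (duplicate entries, a name that still resolves to the wrong address). The following PowerShell script, added here as an example and not part of the CA Adapter guide or product, adds the required FQDN-to-address mappings idempotently and then checks that each name resolves as intended on the system where it runs. The host names and IP addresses are constructed placeholders; replace them with the FQDNs and addresses of your own Service Provider, Web server, and AFM application server. Run it from an elevated PowerShell session, because the hosts file is writable by administrators only.

```powershell
# Added example (not from the CA Adapter guide): maintain FQDN entries in the
# Windows hosts file and verify that they resolve to the intended addresses.
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed sample entries (placeholders). 192.0.2.0/24 is a documentation
# range; substitute the real FQDNs and IP addresses of your deployment.
$Entries = @{
    'sp.example.com'       = '192.0.2.10'   # Service Provider
    'webagent.example.com' = '192.0.2.20'   # Web server hosting the Web Agent
}

function Add-HostsEntry {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $Path = $HostsFile
    )
    # Skip comment and blank lines, then look for a line that already maps this name.
    $existing = Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
        Where-Object { ($_.Trim() -split '\s+') -contains $Fqdn }

    if ($existing) {
        # Do not append a duplicate; an operator must resolve a conflicting mapping.
        Write-Host "Already present: $existing"
        return
    }
    Add-Content -Path $Path -Value "$IPAddress`t$Fqdn" -Encoding Ascii
    Write-Host "Added: $IPAddress $Fqdn"
}

foreach ($name in $Entries.Keys) {
    Add-HostsEntry -Fqdn $name -IPAddress $Entries[$name]
}

# Verification: each FQDN must resolve (via the hosts file) to the expected address.
foreach ($name in $Entries.Keys) {
    $resolved = [System.Net.Dns]::GetHostAddresses($name) |
        ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $Entries[$name]) {
        Write-Host "OK: $name -> $($Entries[$name])"
    } else {
        Write-Warning "$name resolves to '$($resolved -join ', ')', expected $($Entries[$name])"
    }
}
```

Because the script refuses to add a second line for a name that is already mapped, a stale entry pointing at an old address is reported by the verification loop rather than silently shadowed by a new one; fix such conflicts in the hosts file before testing the integration.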
Deployment Overview
The following table serves as a checklist for installing Adapter for different types of
integrations:
Integrating Adapter With: SiteMinder
Steps to Complete:
1. Ensure that all the prerequisite software is installed and the
database is set up, as described in chapter, "Preparing for
Installation" (see page 29).
2. Install Adapter, as described in chapter, "Installing Adapter"
(see page 37).
3. Deploy the Adapter Wizard application, as described in the
section, Deploying the Wizard (see page 47).
4. Configure AFM by using the wizard, as described in the
section, Configuring Adapter by Using the Wizard (see
page 48).
5. Copy the Adapter configuration files, as described in the
section, Copying the Adapter Configuration Files (see page 62).
6. (Optional) Configure SSL for Apache Tomcat, as described in
appendix, "Configuring SSL and Redirection in Apache Tomcat"
(see page 163).
7. Deploy State Manager and configure the database
connection pooling, as described in chapter, "Deploying and
Configuring State Manager" (see page 65).
8. Deploy Authentication Flow Manager, as described in
chapter, "Deploying and Configuring Authentication Flow
Manager" (see page 79).
9. Deploy FCC pages and Authentication Shim, as described in
chapter, "Configuring Authentication Shim and FCC Pages" (see
page 85).
10. Configure CA SiteMinder Policy Server and Web Agent, as
described in section, Configuring CA SiteMinder Policy Server
(see page 87).
11. Verify the State Manager configuration, as described in the
section, Verifying the State Manager Configuration (see
page 99).
12. Verify the AFM configuration, as described in the section,
Verifying the AFM Configuration (see page 100).
13. Verify the Authentication Shim configuration, as described
in the section, Verifying the Authentication Shim Configuration
(see page 100).
14. Verify the SiteMinder integration, as described in the
section Verifying SiteMinder Integration (see page 101).
Integrating Adapter With: SAML
Steps to Complete:
1. Ensure that all the prerequisite software is installed and the
database is set up, as described in chapter, "Preparing for
Installation" (see page 29).
2. Install Adapter, as described in chapter, "Installing Adapter"
(see page 37).
3. Deploy the Adapter Wizard application, as described in the
section, Deploying the Wizard (see page 47).
4. Configure AFM by using the wizard, as described in the
section, Configuring Adapter by Using the Wizard (see
page 48).
5. Copy the Adapter configuration files, as described in the
section, Copying the Adapter Configuration Files (see page 62).
6. Configure SSL for Apache Tomcat, as described in appendix,
"Configuring SSL and Redirection in Apache Tomcat" (see
page 163).
7. Deploy State Manager and configure the database
connection pooling, as described in chapter, "Deploying and
Configuring State Manager" (see page 65).
8. Deploy Authentication Flow Manager, as described in
chapter, "Deploying and Configuring Authentication Flow
Manager" (see page 79).
9. Deploy the SAML sample application, as described in the
section, Deploying the Sample Application WAR Files (see
page 90).
10. Verify the SAML sample application deployment, as
described in the section, Verifying the Sample Application
Deployment (see page 93).
11. Configure the SAML sample application, as described in the
section, Configuring Sample Application (see page 93).
12. Verify the State Manager configuration, as described in the
section, Verifying the State Manager Configuration (see
page 99).
13. Verify the AFM configuration, as described in the section,
Verifying the AFM Configuration (see page 100).
14. Verify SAML integration, as described in the section,
Verifying SAML Integration (see page 101).
Integrating Adapter With: Juniper SSL VPN
Steps to Complete:
1. Ensure that all the prerequisite software is installed and the
database is set up, as described in chapter, "Preparing for
Installation" (see page 29).
2. Install Adapter, as described in chapter, "Installing Adapter"
(see page 37).
3. Deploy the Adapter Wizard application, as described in the
section, Deploying the Wizard (see page 47).
4. Configure AFM by using the wizard, as described in the
section, Configuring Adapter by Using the Wizard (see
page 48).
5. Copy the Adapter configuration files, as described in the
section, Copying the Adapter Configuration Files (see page 62).
6. Configure SSL for Apache Tomcat, as described in appendix,
"Configuring SSL and Redirection in Apache Tomcat" (see
page 163).
7. (If ArcotOTP on Browser is the authentication mechanism)
Deploy State Manager and configure the database connection
pooling, as described in chapter, "Deploying and Configuring
State Manager" (see page 65).
8. Deploy Authentication Flow Manager, as described in
chapter, "Deploying and Configuring Authentication Flow
Manager" (see page 79).
9. Perform the post-installation configuration and verification
tasks described in the CA Adapter for Juniper SSL VPN
Configuration Guide.
Integrating Adapter With: Cisco IPSec VPN
Steps to Complete:
1. Ensure that all the prerequisite software is installed and the
database is set up, as described in chapter, "Preparing for
Installation" (see page 29).
2. Install Adapter, as described in chapter, "Installing Adapter"
(see page 37).
3. Deploy the Adapter Wizard application, as described in the
section, Deploying the Wizard (see page 47).
4. Configure AFM by using the wizard, as described in the
section, Configuring Adapter by Using the Wizard (see
page 48).
5. Copy the Adapter configuration files, as described in the
section, Copying the Adapter Configuration Files (see page 62).
6. Configure SSL in Apache Tomcat, as described in appendix,
"Configuring SSL and Redirection in Apache Tomcat" (see
page 163).
7. Deploy Authentication Flow Manager, as described in
chapter, "Deploying and Configuring Authentication Flow
Manager" (see page 79).
8. Perform the post-installation configuration and verification
tasks described in the CA Adapter for Cisco IPSec VPN
Configuration Guide.
Chapter 3: Preparing for Installation
This chapter lists the software requirements for installing Adapter and discusses other
prerequisites for SAML, SiteMinder, and VPN appliances. The following topics are
covered in this chapter:
■ Software Requirements for State Manager (see page 29)
■ Software Requirements for Authentication Flow Manager (see page 31)
■ Software Requirements for Authentication Shim (see page 33)
■ Software Requirements for FCC Pages (see page 33)
■ Checklist for Integration (see page 34)
Software Requirements for State Manager
Note: State Manager is required when Adapter is integrated with SAML-based Web
portal, SiteMinder, or SSL VPN appliances (if the primary authentication mechanism is
ArcotOTP on Browser). You do not need to perform the instructions in this section if you
are integrating Adapter with IPSec VPN appliances.
This section lists the prerequisites for installing State Manager. This section includes the
following topics:
■ Minimum Software Requirements (see page 29)
■ Configuring the Application Server (see page 31)
Minimum Software Requirements
The following table lists the operating system requirements for State Manager.
Supported Operating System | Service Pack
Windows Server 2003 Enterprise Edition (32-bit) | SP2
Windows Server 2008 Enterprise Edition (32-bit) |
Windows Server 2008 Enterprise Edition (64-bit) |
Windows Server 2008 Standard Edition (32-bit) |
Windows Server 2008 Standard Edition (64-bit) |
Windows Server 2008 Release 2 (64-bit) | SP1
If you want to enable risk evaluation, then before you deploy and configure State
Manager, ensure that a supported version of the software listed in the following table is
installed and configured.
Software | Supported Version | Supported Operating System
CA RiskMinder | 3.1 | Microsoft Windows 2003; Microsoft Windows 2008 (32-bit and 64-bit).
For more information, see the CA Advanced Authentication Compatibility Matrix.
Database Requirements
The following table lists the database requirements for State Manager.
Database Server
■ Microsoft SQL Server 2005
■ Microsoft SQL Server 2008
■ MySQL Enterprise Edition 5.1
■ Oracle 10g
■ Oracle 11g
JDK and Application Server Requirements
The following table lists the JDK and the application server requirements for State
Manager. Both 32-bit and 64-bit versions of the application servers are supported.
Application Server | JDK
Apache Tomcat 5.5.31 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
Apache Tomcat 6.0.33 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
Apache Tomcat 7.0.25 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
IBM WebSphere Application Server 6.1.0.41 | IBM JDK 1.5.x
IBM WebSphere Application Server 7.0.x | IBM JDK 1.6.0
Oracle WebLogic 10.1.x | Oracle JRockIt 1.5.x
Oracle WebLogic 11gR1 or 10.3.3 | Oracle JRockIt 1.6.x
JBoss Application Server 5.1.x | Oracle JDK 5.0
Configuring the Application Server
State Manager is a Web application that requires a Servlet container for its deployment.
Because State Manager uses JNDI to connect to the database, you must create a JNDI
connection. For more information, see "Creating a JNDI Connection" (see page 68).
CA recommends that State Manager communicate with other components using SSL
mode. To configure State Manager for SSL, enable the application server on which State
Manager is deployed for SSL communication.
Adapter provides sample Keystore and Truststore, which you can use for testing SSL
communication between the Adapter Components.
Software Requirements for Authentication Flow Manager
The following table lists the operating system requirements for AFM.
Supported Operating System | Service Pack
Windows Server 2003 Enterprise Edition (32-bit) | SP2
Windows Server 2008 Enterprise Edition (32-bit) |
Windows Server 2008 Enterprise Edition (64-bit) |
Windows Server 2008 Standard Edition (32-bit) |
Windows Server 2008 Standard Edition (64-bit) |
Windows Server 2008 Release 2 (64-bit) | SP1
Before deploying and configuring AFM, ensure that a supported version of the software
listed in the following table is installed and configured.
Software | Supported Version | Supported Operating System
CA AuthMinder | 7.1 | Microsoft Windows 2003; Microsoft Windows 2008 (32-bit and 64-bit).
For more information, see the CA Advanced Authentication Compatibility Matrix.
For more information about installing CA AuthMinder, see the CA AuthMinder
Installation and Deployment Guide.
JDK and Application Server Requirements
The following table lists the JDK and the application server requirements for AFM.
Application Server | JDK
Apache Tomcat 5.5.31 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
Apache Tomcat 6.0.33 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
Apache Tomcat 7.0.25 | Compatible versions of Oracle JDK. For more information, see the Apache Tomcat documentation.
IBM WebSphere Application Server 6.1.0.41 | IBM JDK 1.5.x
IBM WebSphere Application Server 7.0.x | IBM JDK 1.6.0
Oracle WebLogic 10.1.x | Oracle JRockIt 1.5.x
Oracle WebLogic 11gR1 or 10.3.3 | Oracle JRockIt 1.6.x
JBoss Application Server 5.1.x | Oracle JDK 5.0
Software Requirements for Authentication Shim
Note: The software requirements specified in this section are applicable only for
SiteMinder integration.
Before proceeding with the Authentication Shim installation, ensure that a supported
version of the software listed in the following table is installed and configured.
Software | Supported Version | Supported Operating System
CA SiteMinder Policy Server | r6.0 SP6; r12.0 SP3; r12.5 | Microsoft Windows Server 2008; Microsoft Windows Server 2003.
For more information, see the SiteMinder Platform Support Matrix.
Software Requirements for FCC Pages
Note: The software requirements specified in this section are applicable only for
SiteMinder integration.
Before configuring the FCC pages, ensure that a supported version of the software listed
in the following table is installed and configured.
Software | Supported Version | Supported Operating System
CA SiteMinder Web Agent | Refer to the CA SiteMinder documentation for more information on the compatible Web Agent version. | For more information about the supported operating systems, see the SiteMinder Platform Support Matrix.
Checklist for Integration
The following requirements must be met before proceeding with the integration:
■ The following CA products are installed:
  ■ CA AuthMinder 7.1 is installed on the required operating system.
    Book: For installing AuthMinder, see the CA AuthMinder Installation and
    Deployment Guide.
  ■ If risk evaluation support is needed, then CA RiskMinder 3.1 is installed on the
    required operating system.
    Book: For installing RiskMinder, see the CA RiskMinder Installation and
    Deployment Guide.
■ The application server(s) where you intend to deploy Adapter components are
  independently operational.
■ The Web browser that you intend to use is configured to allow file download, active
  scripting, and scripting of Java applet functions.
■ The required number of database instances are ready with applicable schemas for
  storing the information required by Adapter.
■ The required number of IPSec or SSL VPN appliances have been installed and
  configured.
The following additional requirements are needed for integrating Adapter with
SiteMinder:
■ A SiteMinder Policy Server and a SiteMinder Web Agent are installed and
  configured.
  Refer to the appropriate SiteMinder documentation for installation details.
■ Create a virtual directory, for example, arcotlogin, on the Web server where you
  plan to install the FCC pages.
  Note: Note down the virtual directory name, as you need this information at the
  time of configuring the FCC virtual directory path in the Arcot Adapter
  Configuration wizard.
■ Create at least one object of each of the following types by using the SiteMinder
  Policy Server User Interface (r6.x) or Administrative User Interface (r12.x), as
  applicable. Refer to the appropriate SiteMinder documentation for more information
  on creating these objects:
  ■ Agents
  ■ Domains
  ■ Administrators
  ■ Realms
  ■ Users
  ■ User directories
  ■ Rules for the realms
■ The redistributable package of Microsoft Visual C++ 2005 (x86), vcredist_x86.exe, is
  installed on the system(s) where SiteMinder components are available.
  If not already installed, then you can install this redistributable package from the
  Adapter package, or download it from the following site:
  http://www.microsoft.com/downloads/en/details.aspx?familyid=766a6af7-ec73-40ff-b072-9112bab119c2&displaylang=en
Chapter 4: Installing Adapter
This chapter walks you through the process of installing Adapter on Windows, so that
you can use credentials based on any AFM profile with SAML, SiteMinder, or VPN
appliance. Adapter can also be configured to provide risk evaluation feature for SAML
and SiteMinder integrations.
Important!
– It is assumed that you are installing Adapter and its components on a fresh system.
The system where you plan to deploy Adapter must not have any previous installation of
Adapter or any of its components.
– If you are installing Adapter and other CA products (AuthMinder or RiskMinder) on the
same system in the same location, then you must install the other CA products before
installing Adapter.
Use the Arcot Adapter 2.2.9 installation wizard to install Adapter and its components.
This Wizard supports Complete and Custom installation types. After performing the
installation, you can check whether the installation has been performed successfully.
This chapter covers the following topics:
■ Installing in a Distributed Environment (see page 37)
■ Installing on a Single System (see page 44)
■ Verifying the Installation (see page 44)
Note: This chapter does not cover the installation procedure for prerequisite software
that are depicted in the deployment architecture diagram.
Installing in a Distributed Environment
To install and configure Adapter in a distributed environment, you must use the Custom
option when you run the installer. This section describes the steps that you must follow
to install Adapter components for the following integration types:
■ For SiteMinder Integration (see page 38)
■ For SAML Integration (see page 41)
■ For VPN Integration (see page 42)
Note: Before proceeding with the installation, ensure that all the prerequisite software
is installed and the database is set up, as described in chapter, "Preparing for
Installation" (see page 29).
For SiteMinder Integration
Before proceeding with the installation, refer to the deployment architecture. This
diagram illustrates the components that are required for each integration type, and also
helps you decide how you want to distribute the components. For SiteMinder
Integration, you must install the components listed in the following table.
Components | Description
Authentication Flow Manager and Related Components (See "Installing Common Adapter Components" (see page 39))
Note: You can install Authentication Flow Manager (AFM), AFM Wizard, and State
Manager components on a fresh system that hosts your application server.
Authentication Flow Manager | Navigates the user through the authentication process, risk evaluation process, or both.
AFM Wizard | A Web-based application that helps perform basic configurations of other Adapter components.
State Manager | Generates, maintains, and tracks the tokens that are used to associate the authentication and risk status of users’ sessions across Adapter and the integrated solution’s components.
Components on SiteMinder Policy Server System (See "Installing on SiteMinder Policy Server System" (see page 40))
Authentication Shim | This is the core component of the integrated solution. It enables interaction between components, SiteMinder, and other authentication schemes.
Components on SiteMinder Web Agent System (See "Installing on SiteMinder Web Agent System" (see page 40))
Form Credential Collector Pages | Collects authentication input from the user and sends it for authentication and risk evaluation.
Installing Common Adapter Components
To install the Authentication Flow Manager (AFM), AFM Wizard, and State Manager components:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
The Welcome screen opens.
2. Click Next to continue.
The License Agreement screen opens.
3. Read the license agreement carefully, select the I accept the terms of the License Agreement option, and click the Next button to accept the agreement.
The installer now checks whether any other CA product is installed on the computer.
If it does not find an existing CA product installation, then you are prompted for an installation directory. In this case, the Installation Location screen opens.
By default, the installer creates the Arcot Systems directory in System_Drive\Program Files\ and installs in this new folder.
If the installer detects an existing CA installation, then you are not prompted for an installation directory.
4. If you are prompted for the installation location, you can either accept the default directory specified by the installer, or click Choose to navigate to and specify a different installation directory.
5. Click Next to install in the specified directory.
The Choose Install Type screen opens.
6. Select the Custom option to install only the selected components.
7. Click Next to continue.
The Choose Product Features screen opens.
8. Select the following components to install:
■ AFM Wizard
■ Authentication Flow Manager
■ State Manager
By default, all components are selected for installation. Deselect the components that are not required.
9. Click Next to continue.
The Pre-Installation Summary screen opens.
Review the information on this screen, and if you need to change a previous selection, click Previous to do so. After making the required changes, click Next to return to the Pre-Installation Summary screen.
10. Click Install to begin the installation process.
The Installing Arcot Adapter 2.2.9 screen opens. The installation process might take
some time to complete.
On successful installation, the Installation Complete screen opens.
11. Click Done to complete the installation.
Installing on SiteMinder Policy Server System
To install Adapter components on the system where SiteMinder Policy Server is installed:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
2. Follow the installer instructions from Step 2 to Step 7, as discussed in the For SiteMinder Integration (see page 38) section, to reach the Choose Product Features screen.
3. Select the Authentication Shim component.
By default, all components are selected for installation. Deselect the components that are not required.
The installer creates a folder called Arcot Systems in the installation location, and places the Adapter files in this folder.
4. Perform the tasks in Step 9 to Step 11, as discussed in the For SiteMinder Integration (see page 38) section, to complete the installation.
Installing on SiteMinder Web Agent System
To install Adapter components on the system where SiteMinder Web Agent is installed:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
2. Follow the installer instructions from Step 2 to Step 7, as discussed in the For SiteMinder Integration (see page 38) section, to reach the Choose Product Features screen.
3. Select the Form Credential Collector Pages component.
By default, all components are selected for installation. Deselect the components that are not required.
The installer creates a folder called Arcot Systems in the installation location, and places the Adapter files in this folder.
4. Perform the tasks from Step 9 to Step 11, as discussed in the For SiteMinder Integration (see page 38) section, to complete the installation.
For SAML Integration
Before proceeding with the installation, refer to the deployment architecture. This
diagram illustrates the components that are required for each integration type, and also
helps you decide how you want to distribute the components.
For SAML Integration, you must install the components listed in the following table.
Component: Description

Authentication Flow Manager and Related Components (see "Installing Common Adapter Components" (see page 41))
Note: You can install the Authentication Flow Manager (AFM), AFM Wizard, and State Manager components on a fresh system that hosts your application server.
Authentication Flow Manager: Navigates the user through the authentication process, the risk evaluation process, or both.
AFM Wizard: A Web-based application that helps perform basic configuration of the other Adapter components.
State Manager: Generates, maintains, and tracks the tokens that are used to associate the authentication and risk status of users’ sessions across Adapter and the integrated solution’s components.

Components on Service Provider’s System (see "Installing on Service Provider’s System" (see page 42))
Sample Applications: A set of three sample applications that you can use to test the SAML integration.
Installing Common Adapter Components
The instructions for installing AFM, AFM Wizard, and State Manager are the same as those discussed in Installing Common Adapter Components (see page 39) under For SiteMinder Integration (see page 38).
Installing on Service Provider’s System
To install the SAML sample applications on the Service Provider’s system:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
2. Follow the installer instructions from Step 2 to Step 7, as discussed in Installing Common Adapter Components (see page 39) under For SiteMinder Integration (see page 38), to reach the Choose Product Features screen.
3. Select the Sample Applications component.
By default, all components are selected for installation. Deselect the components that are not required.
The installer creates a folder called Arcot Systems in the installation location, and places the Adapter files in this folder.
4. Perform the tasks in Step 9 to Step 11, as discussed in Installing Common Adapter Components (see page 39) under For SiteMinder Integration (see page 38), to complete the installation.
For VPN Integration
Before proceeding with the installation, refer to the Deployment Architecture (see
page 23) section for the architecture diagram. This diagram illustrates the components
that are required for each integration type, and also helps you decide how you want to
distribute the components.
For VPN Integration, you must install the components listed in the following table.
Component: Description

Authentication Flow Manager and Related Components (see "Installing Common Adapter Components" (see page 43))
Note: You can install the Authentication Flow Manager (AFM), AFM Wizard, and State Manager components on a fresh system that hosts your application server.
AFM Wizard: A Web-based application that helps perform basic configuration of the other Adapter components.
Authentication Flow Manager: Navigates the user through the authentication process, the risk evaluation process, or both.
Important! State Manager is required only when you are integrating Adapter with an SSL VPN solution that you plan to use with the ArcotOTP on Browser authentication mechanism. You do not need to configure State Manager for IPsec VPN integration.
State Manager: Generates, maintains, and tracks the tokens that are used to associate the authentication and risk status of users’ sessions across Adapter and the integrated solution’s components.
Installing Common Adapter Components
To install AFM, AFM Wizard, and State Manager:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
2. Follow the installer instructions from Step 2 to Step 7, as discussed in Installing Common Adapter Components (see page 39) under For SiteMinder Integration (see page 38), to reach the Choose Product Features screen.
3. Select the following components for installation:
■ AFM Wizard
■ Authentication Flow Manager
■ (Optional) State Manager
By default, all components are selected for installation. Deselect the components that are not required.
The installer creates a folder called Arcot Systems in the installation location, and places the Adapter files in this folder.
4. Perform the tasks in Step 9 to Step 11, as discussed in Installing Common Adapter Components (see page 39) under For SiteMinder Integration (see page 38), to complete the installation.
Installing on a Single System
To install Adapter and its components on a single system, use the Complete installation
type.
Note: The Complete installation type is applicable only for SiteMinder integration. Do
not use this option for other integration types.
To install Adapter on a single system:
1. Navigate to the directory where the Arcot-Adapter-2.2.9-Windows-Installer.exe file is located and double-click the file to run the installation wizard.
2. Follow the installer instructions from Step 2 to Step 5 to reach the Choose Install Type screen.
3. Select Complete as the installation type, and click Next.
4. Perform the tasks in Step 9 to Step 11 to complete the installation.
Note: Adapter also includes a Custom Application that can be used to test the
authentication workflows without the need to integrate Adapter with any application.
For more information about deploying and testing the workflows using the Custom
Application, see appendix, "Deploying and Configuring the Custom Application" (see
page 149).
Verifying the Installation
After installation, you can access the installation log file,
Arcot_Adapter_2.2.9_InstallLog.log, from the following directory:
installation_dir\logs\
Note: installation_dir is the directory where the Adapter is installed. By default, it is
installed in the System_Drive\Program Files\Arcot Systems directory.
If, for some reason, the installation failed, an error log is available in the same location from which you ran the installer.
Also, verify that the files listed in appendix, "Adapter File System Structure" (see
page 107) are available on the system where you have installed Adapter.
Chapter 5: Performing Adapter Configuration Using the Wizard
Arcot Adapter Configuration wizard is a Web-based application used to configure
authentication and enrollment workflows. By using the Arcot Adapter Configuration
wizard, you can generate the configuration (.properties and .ini) files, which are used in
the integrated solution.
The configurations in the wizard are grouped into two parts. In the first part, you create a profile, which controls the user’s authentication and enrollment flows. The second part, referred to as Configure Global Settings, enables you to configure the parameters specific to the integration type that you selected and to the authentication mechanism configured for the profile.
The following table lists the sections available in the second part of the configuration
wizard. The sections that you can access and configure in this part depend on the
selected integration type and primary authentication mechanism.
Integration Type: Configurable Sections

SAML
■ Arcot WebFort and Arcot RiskFort Configuration
■ Arcot UDS Configuration
■ Arcot State Manager Configuration
■ SAML Configuration

SiteMinder
■ Arcot WebFort and Arcot RiskFort Configuration
■ Arcot UDS Configuration
■ Arcot State Manager Configuration
■ SiteMinder Shim Configuration

VPN
■ Arcot WebFort and Arcot RiskFort Configuration
Note: Only for the SSL VPN integration type, and only if Perform Risk Assessment is selected, do you need to configure the RiskMinder Server-related parameters in the Arcot WebFort/Arcot RiskFort Configuration section. The Perform Risk Assessment option is not available for the IPSec VPN integration type.
■ Arcot UDS Configuration
■ Arcot State Manager Configuration. This section is available only for SSL VPN, and only if AOTP on Browser is selected as the primary authentication mechanism.

All
■ Arcot WebFort and Arcot RiskFort Configuration
■ Arcot UDS Configuration
■ Arcot State Manager Configuration
■ SiteMinder Shim Configuration
■ SAML Configuration
This chapter covers the following topics:
■ Understanding the AFM Profile (see page 46)
■ Deploying the Wizard (see page 47)
■ Configuring Adapter by Using the Wizard (see page 48)
■ Copying the Adapter Configuration Files (see page 62)
Understanding the AFM Profile
Each end user in AFM is associated with at least one credential (such as ArcotID PKI,
QnA, Password, or OTP) that they must use to log in to the application. Every time they
log in using their credential, their authentication is controlled by a corresponding
profile.
The AFM wizard gives you the flexibility to create common, ready-to-use authentication configurations, known as AFM profiles, that can be shared among multiple organizations and thereby applied to multiple users. AFM profiles specify authentication configuration properties and credential attributes, such as the primary and secondary authentication mechanisms, the validity period of the chosen credential, and how to enroll a new user.
You can create multiple profiles, each with a unique name. You can then assign one or
more profiles to an organization, one of which can also be set as default. AFM makes
use of these configured profiles at the time of authenticating or enrolling users.
Deploying the Wizard
To use the wizard, you first need to deploy the WAR file containing the wizard application. To deploy the WAR file:
Important! It is assumed that you will be deploying the Adapter components as depicted in "Arcot Adapter Deployment Diagram".
1. If you have not already done so, restart your application server before you proceed with the next steps.
2. Navigate to the directory where the ArcotAFMWizard.war file is located. By default, this WAR file is available at the following location:
afm_wizard_installation_dir\AFMWizard
3. Install ArcotAFMWizard.war on the system where you plan to deploy the AFM application.
For example, on Apache Tomcat, the location to install the WAR file is:
application_server_home\webapps
Apache Tomcat automatically deploys the WAR file and creates a folder named ArcotAFMWizard under the webapps folder.
Note: Refer to the vendor documentation for instructions on how to deploy on other supported application servers.
4. Access the following URL from the end-user’s system:
http[s]://host_name:port_number/ArcotAFMWizard/
Replace host_name and port_number with the host name and port of the system where you have deployed the Adapter Wizard application. You should see the Arcot Adapter Configuration Wizard page.
You can now use the wizard to create profiles, configure various components, and
generate the configuration files. The following section guides you through the process of
configuring the Adapter components by using the wizard.
Configuring Adapter by Using the Wizard
Perform the following steps to configure the Adapter components:
1. From the end-user's system, access the following URL:
http[s]://host_name:port_number/ArcotAFMWizard/index.html
The AFM Profiles page opens.
2. Click the Create new Profile link.
The AFM Profile Configuration page opens.
3. Configure the parameters on the AFM Profile Configuration page.
The following table describes the fields available on the AFM Profile Configuration page.
Section: AFM Profile Configuration
AFM Profile Name: Specify a name for the AFM profile.
Note: You can enter a maximum of 16 alphanumeric characters in this field. Ensure that there are no special characters or blank spaces in your profile name.
Integration Type: Select the type of integration that this profile should handle. The possible options are:
■ SiteMinder
■ SAML
■ SSL VPN
■ IPSec VPN
Note: You can select multiple integration types by pressing the Ctrl key and selecting the required integration types.

Section: Primary Authentication Configuration
Primary Authentication: Select a primary authentication mechanism to use with this profile. The primary authentication mechanism you can configure depends on the integration type you selected in the Integration Type field.
■ SiteMinder supports the following types of primary authentication mechanisms:
– ArcotID
– LDAP
– ArcotOTP on Browser
– ArcotOTP on Mobile Device
– OATH
– LDAP + ArcotID
■ SAML and SSL VPN support the following types of primary authentication mechanisms:
– ArcotID
– LDAP
– ArcotOTP on Browser
– ArcotOTP on Mobile Device
– OATH
■ IPSec VPN supports only ArcotID as the primary authentication mechanism.
Note: If you have selected all integration types, then ArcotID becomes the default primary authentication mechanism.

Section: WebFort Organization Name
WebFort Organization Name: Specify the AuthMinder organization name. If the specified organization does not exist in AuthMinder, then you must create it before testing the integrated solution.
Select the "This organization is mapped to enterprise LDAP" option if the AuthMinder organization you specified is configured to use the LDAP repository. See appendix, "Additional Configurations to Support LDAP Repository in AuthMinder" (see page 155) for information about the additional configurations needed to support an LDAP repository in AuthMinder.
1. Click Next.
Note: If you have not specified any organization name in the Organization Name field, then AuthMinder’s default organization is used with this profile. A prompt opens asking whether the default organization is mapped to LDAP; if it is, you must cancel the prompt and select the "This organization is mapped to enterprise LDAP" option before proceeding.
Depending on the Primary Authentication mechanism you selected in Step 3, the wizard shows you the configurable parameters applicable to that authentication mechanism. These parameters are grouped under various sections.
The following table lists the configuration sections that you will see, depending on the type of authentication mechanism you selected.
Primary Authentication: Configurable Sections

ArcotID
■ Risk Assessment Configuration
■ General Configuration
■ ArcotID Configuration
■ Secondary Authentication Mechanism
■ Issuance Profile Configuration
■ Authentication Policy Configuration

LDAP
■ Risk Assessment Configuration
■ General Configuration
■ Secondary Authentication Mechanism
■ Issuance Profile Configuration
■ Authentication Policy Configuration

ArcotOTP on Browser
■ Risk Assessment Configuration
■ General Configuration
■ ArcotOTP Configuration
■ Secondary Authentication Mechanism
■ Issuance Profile Configuration
■ Authentication Policy Configuration

ArcotOTP on Mobile Device
■ General Configuration
■ ArcotOTP Configuration
■ Secondary Authentication Mechanism
■ Issuance Profile Configuration
■ Authentication Policy Configuration

OATH
■ General Configuration
■ Issuance Profile Configuration
■ Authentication Policy Configuration

LDAP + ArcotID (SiteMinder only)
■ General Configuration
■ ArcotID Configuration
■ Secondary Authentication Mechanism
■ Issuance Profile Configuration
■ Authentication Policy Configuration
The following table describes the field available in the Risk Assessment Configuration section.
Field: Description
Perform Risk Assessment: Select this option to perform the risk assessment along with the selected primary authentication mechanism.
If selected, then the following two options are made available:
■ Pre-Authentication: If this option is selected, the risk assessment is performed before the primary authentication.
■ Post-Authentication: If this option is selected, the risk assessment is performed after the primary authentication.
Note: If ArcotID is selected as the primary authentication mechanism, then by default the risk assessment is performed before ArcotID authentication.
The following table describes the fields available in the General Configuration section.
Field: Description
Perform enrollment using an activation code: This option specifies the mechanism for sending the activation code to the user during enrollment. AFM performs enrollment on successful authentication of the activation code.
This option is selected by default; you can select the mode of communication, which is email or SMS.
This configuration is optional if the LDAP organization is selected as the AuthMinder organization.
Note: If you choose to send the activation code through email, then you must configure the parameters in the "Email Server Configuration" section.
Log user into the system after successful enrollment: If selected, AFM considers the enrollment as authenticated and no explicit user authentication is required. If this option is not selected, users must authenticate themselves after enrollment.
Collect first name, middle name and last name details during enrollment: If selected, users must enter their first, middle, and last names during enrollment.
This configuration is not applicable if the configured organization is an LDAP organization.
Support for user-defined questions: Select this option to allow the user to add their own question that is not available in the existing list of out-of-the-box questions.
Enable email notification: If selected, AFM sends a notification email for different scenarios, such as successful enrollment, roaming download of ArcotID PKI, password change, ArcotOTP on Mobile, ArcotOTP on Browser, and updates to security questions, user details, and ArcotID PKI password.
Note: If you choose to send the notification email, then you must configure the parameters in the "Email Server Configuration" section.
Prompt user to accept cookies: Select this option to ask the user for permission to store cookies on their system.
Prompt user to enter his personal assurance message: Select this option to enable the user to enter a personal assurance message during enrollment. This message is presented to the user to assure them that they are interacting with the correct and legitimate server.
Prompt user to select personal assurance image: Select this option to enable the user to select an image during enrollment. This image is presented to the user to assure them that they are interacting with the correct and legitimate server.
The following table describes the fields available in the ArcotID Configuration section.
Field: Description
Allow users to be able to renew their ArcotID on expiry: Select this option to allow users to renew their ArcotID PKI when it is about to expire.
Generate new ArcotID while renewal: Select this option if a new ArcotID PKI should be generated instead of renewing the existing ArcotID PKI.
ArcotID Renewal time period (in months): Specify the time period for which the issued ArcotID PKI will be valid.
Note: You cannot configure this field if the Generate new ArcotID while renewal option is selected.
ArcotID Client Type and Preference: Select the ArcotID PKI Client type to be used for authentication. If you select more than one option, then you can specify the order of preference for the ArcotID PKI Client to be used. For example, if Flash is the first option in the list followed by JavaScript, then AFM checks for the availability of Flash in the user's browser. If AFM cannot detect Flash, it uses JavaScript as the client type for authentication.
Possible options are:
■ JavaScript
■ Flash
■ Native
Note: If you want to select Native as the preferred client type, then you must select Native in the list and click Up to move Native to the top of the list.
1. Click Next.
Depending on the type of primary authentication mechanism you selected, you might see any or all of the following configuration sections.
The following table describes the field available in the Secondary Authentication Mechanism section.
Section Name: Description
Secondary Authentication Mechanism: Select one or more of the secondary authentication mechanisms, such as Security Question, OTP by Email, OTP by SMS, and ArcotOTP on Mobile, for different scenarios, such as RiskFort Advice Increase Auth, Forgot Your Password, ArcotID Expiry, and ArcotID Roaming.
The default secondary authentication method is Security Questions. Secondary authentication is performed during roaming download, forgot password, and increase authentication scenarios.
AFM allows you to select multiple secondary authentication mechanisms.
Note: If you select the OTP by Email mechanism for secondary authentication, then you must configure the parameters in the "Email Server Configuration" section.
If you select the OTP by SMS mechanism for secondary authentication, then you must configure the parameters in the "Clickatell SMS Service Configuration" section.
The following table describes the fields available in the Issuance Profile Configuration section.
Field: Description
ArcotID Profile Name: The name of the ArcotID PKI profile created in AuthMinder that should be used at the time of creating or updating the user credential.
Security Questions Profile Name: The name of the Security Question and Answer profile created in AuthMinder that should be used at the time of creating or updating the user credential.
OTP Profile Name for Secondary Authentication: The name of the OTP profile created in AuthMinder that should be used at the time of creating or updating the user credential.
ArcotOTP Profile Name: The name of the ArcotID OTP profile created in AuthMinder that should be used at the time of creating or updating the user credential.
OTP Profile Name for Enrollment Activation Code: The name of the OTP profile created in AuthMinder that should be used at the time of creating or updating the user credential.
The following table describes the fields available in the Authentication Policy Configuration section.
Field: Description
ArcotID Policy Name: The name of the ArcotID PKI policy created in AuthMinder that should be used during authentication.
Security Questions Policy Name: The name of the Security Question and Answer policy created in AuthMinder that should be used during authentication.
OTP Policy Name for Secondary Authentication: The name of the OTP policy created in AuthMinder that should be used during authentication.
ArcotOTP Policy Name: The name of the ArcotID OTP policy created in AuthMinder that should be used during authentication.
OTP Policy Name for Enrollment Activation Code: The name of the OTP policy created in AuthMinder that should be used during authentication.
The following table describes the fields available in the ArcotOTP Configuration section.
Field: Description
Allow users to be able to renew their ArcotOTP on expiry: Select this option to allow users to renew their ArcotID OTP when it is about to expire.
Generate new ArcotOTP while renewal: Select this option if a new ArcotID OTP should be generated instead of renewing the existing ArcotID OTP.
ArcotOTP Renewal time period (in months): Specify the time period for which the issued ArcotID OTP will be valid.
2. Click Create.
The new profile is saved, and its name is listed on the AFM Profiles page.
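As an added example (not CA's code), the following Python checker applies the profile rules stated above before a profile is created: the 16-character alphanumeric name limit, the primary mechanisms each integration type accepts, the IPSec VPN restriction on Perform Risk Assessment, the renewal-period rule from the ArcotID Configuration table, and which Configure Global Settings sections the profile then obliges you to complete (from the integration-type table at the start of this chapter and the Email Server and Clickatell notes). The AfmProfile class, its field names, and the sample profile are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Integration types offered in the Integration Type field.
INTEGRATION_TYPES = ("SiteMinder", "SAML", "SSL VPN", "IPSec VPN")

# Primary authentication mechanisms each integration type accepts, as
# listed under the Primary Authentication field.
PRIMARY_BY_INTEGRATION = {
    "SiteMinder": {"ArcotID", "LDAP", "ArcotOTP on Browser",
                   "ArcotOTP on Mobile Device", "OATH", "LDAP + ArcotID"},
    "SAML": {"ArcotID", "LDAP", "ArcotOTP on Browser",
             "ArcotOTP on Mobile Device", "OATH"},
    "SSL VPN": {"ArcotID", "LDAP", "ArcotOTP on Browser",
                "ArcotOTP on Mobile Device", "OATH"},
    "IPSec VPN": {"ArcotID"},
}

# Secondary mechanisms that force a global-settings section to be filled in.
SECONDARY_REQUIRES = {
    "OTP by Email": "Email Server Configuration",
    "OTP by SMS": "Clickatell SMS Service Configuration",
}


@dataclass
class AfmProfile:
    """Hypothetical in-memory view of one AFM profile (field names assumed)."""
    name: str
    integration_types: List[str]
    primary_auth: str
    secondary_auth: List[str] = field(default_factory=list)
    perform_risk_assessment: bool = False
    enroll_with_activation_code: bool = True      # selected by default
    activation_code_channel: str = "email"        # "email" or "SMS"
    enable_email_notification: bool = False
    generate_new_arcotid_on_renewal: bool = False
    arcotid_renewal_months: Optional[int] = None


def validate_profile(p: AfmProfile) -> List[str]:
    """Return the rules this profile violates; an empty list means it is consistent."""
    problems = []
    # Profile name: at most 16 alphanumeric characters, no specials, no spaces.
    if not (0 < len(p.name) <= 16 and p.name.isascii() and p.name.isalnum()):
        problems.append("profile name must be 1 to 16 alphanumeric characters")
    unknown = [t for t in p.integration_types if t not in INTEGRATION_TYPES]
    if unknown or not p.integration_types:
        problems.append(f"unknown or missing integration type(s): {unknown}")
    # The primary mechanism must be accepted by every selected integration
    # type; with all four selected only ArcotID passes, which matches the
    # wizard's note that ArcotID then becomes the default.
    for t in p.integration_types:
        if p.primary_auth not in PRIMARY_BY_INTEGRATION.get(t, set()):
            problems.append(f"{p.primary_auth!r} is not a primary mechanism for {t}")
    # Perform Risk Assessment is not offered for IPSec VPN.
    if p.perform_risk_assessment and "IPSec VPN" in p.integration_types:
        problems.append("Perform Risk Assessment is not available for IPSec VPN")
    # ArcotID Renewal time period cannot be set when a new ArcotID is generated.
    if p.generate_new_arcotid_on_renewal and p.arcotid_renewal_months is not None:
        problems.append("renewal period cannot be set with Generate new ArcotID while renewal")
    return problems


def required_global_sections(p: AfmProfile) -> Set[str]:
    """Configure Global Settings sections this profile obliges you to complete."""
    sections = {"Arcot WebFort and Arcot RiskFort Configuration",
                "Arcot UDS Configuration"}
    if "SiteMinder" in p.integration_types:
        sections.add("SiteMinder Shim Configuration")
    if "SAML" in p.integration_types:
        sections.add("SAML Configuration")
    # State Manager: always for SiteMinder and SAML; for VPN only when an
    # SSL VPN profile uses ArcotOTP (AOTP) on Browser as its primary mechanism.
    if ({"SiteMinder", "SAML"} & set(p.integration_types)
            or ("SSL VPN" in p.integration_types
                and p.primary_auth == "ArcotOTP on Browser")):
        sections.add("Arcot State Manager Configuration")
    for mech in p.secondary_auth:
        if mech in SECONDARY_REQUIRES:
            sections.add(SECONDARY_REQUIRES[mech])
    # Activation codes sent by email and notification emails both need SMTP.
    if ((p.enroll_with_activation_code and p.activation_code_channel == "email")
            or p.enable_email_notification):
        sections.add("Email Server Configuration")
    return sections


if __name__ == "__main__":
    # Constructed sample profile, not a profile shipped with the product.
    demo = AfmProfile(name="CorpSSO", integration_types=["SiteMinder"],
                      primary_auth="LDAP + ArcotID", secondary_auth=["OTP by SMS"])
    print("problems:", validate_profile(demo))
    for section in sorted(required_global_sections(demo)):
        print("configure:", section)
```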
3. Click Configure Global Settings.
The WebFort and RiskFort Configuration page opens.
Note: The RiskFort configuration section is displayed only if you enabled risk assessment when configuring the AFM profile.
The following table describes the fields available on the WebFort and RiskFort Configuration page.
Section: WebFort Server Configuration
Authentication Host Name: Specify the Fully Qualified Domain Name (FQDN) of AuthMinder Server.
Authentication Port: Specify the port at which AuthMinder Server is available.
Default value: 9742
Issuance Host Name: Specify the FQDN of the server hosting the AuthMinder Issuance service.
Issuance Port: Specify the port at which the server hosting the AuthMinder Issuance service is available.
Default value: 9744

Section: RiskFort Server Configuration
DeviceID Storage Type: Select a mode to store the user’s device ID information. The available options are:
■ HTTP Cookie
■ Flash Cookie
Host Name: Specify the FQDN of RiskMinder Server.
Port: Specify the port at which RiskMinder Server is available.
Default value: 7680
Note: If you are using secondary AuthMinder and RiskMinder servers, then specify the secondary servers’ details in the corresponding fields.
1. Click Next.
The Arcot UDS Configuration page opens.
The following table describes the fields available on the Arcot UDS Configuration page.
Section: Arcot UDS Configurations
Protocol: Specify the protocol for connecting to UDS. The available options are:
■ HTTP
■ HTTPS
Host Name: Specify the IP address or the FQDN of UDS.
Port: Specify the port at which UDS is available.
User Management Service URL pattern: Specify the URL pattern for UDS.
Default value: arcotuds/services/ArcotUserRegistrySvc

Section: Email Server Configuration
SMTP Host Name: Specify the FQDN or IP address of the server hosting the SMTP email service.
SMTP Username: Specify the user name to access the SMTP email service.
SMTP Password/Confirm SMTP Password: Specify the password to access the SMTP email service.

Section: Clickatell SMS Service Configuration
Clickatell Service URL: Specify the URL where the Clickatell SMS service is available.
Default value: http://api.clickatell.com/http/sendmsg?
Clickatell API ID: Specify the unique identifier of the API that handles the SMS request.
Clickatell Username: Specify the user name to access the Clickatell SMS service.
Clickatell Password/Confirm Clickatell Password: Specify the password to access the Clickatell SMS service.
1. Click Next.
The Arcot State Manager Configuration page opens.
The following table describes the fields available on the Arcot State Manager Configuration page.
Section: Arcot State Manager Configuration
Protocol: Select the protocol for State Manager Server.
Note: If you select HTTPS, then you must configure your application server for SSL communication. For more information about configuring SSL in Apache Tomcat, see appendix, "Configuring SSL and Redirection in Apache Tomcat" (see page 163).
Host Name: Specify the FQDN of State Manager Server.
Port: Specify the port at which the application server hosting State Manager is available.
Database Type: Specify the type of database to use with State Manager. Possible options are:
■ MS SQL Server
■ MySQL
■ Oracle
Application Server: Select the application server on which State Manager is deployed. Possible options are:
■ Apache Tomcat
■ Oracle WebLogic
■ IBM WebSphere
■ JBoss
Primary JNDI Name: Specify the JNDI name given to the primary database connection pool set up for the State Manager database.
Secondary JNDI Name: Specify the JNDI name given to the secondary database connection pool set up for the State Manager database.
1. Click Next.
The SiteMinder Shim Configuration page opens.
The following table describes the fields available in the SiteMinder Shim
Configuration page.
Section: SiteMinder Web Agent Configuration

Protocol
    Select the protocol for the Web server hosting SiteMinder Web Agent.
Host Name
    Specify the FQDN of the Web server where you have deployed the FCC pages.
Port
    Specify the port at which the Web server hosting SiteMinder Web Agent is
    available.
FCC Virtual Directory
    Specify the virtual directory name (for example, arcotlogin) created for
    deploying the FCC pages.

Section: Application Server Configuration for AFM

Protocol
    Select the protocol for the application server hosting the Arcot AFM
    application.
Host Name
    Specify the FQDN of the application server hosting the Arcot AFM
    application.
Port
    Specify the port at which the application server hosting the Arcot AFM
    application is available.

2. Click Next.
The SAML Configuration page opens.
The following table describes the fields available in the SAML Configuration page.
Note: In the SAML Request Verification Configuration section, you can either
configure the Certificate or the Truststore details.
Section: SAML Request Verification Configuration

Certificate Location
    Specify the absolute path of the X.509 certificate of the Service Provider.
    This is used to verify the signed SAML requests from the Service Provider.
    The corresponding key store must be used by the SAML sample application for
    signing the SAML request.
    Note: The certificate must be in .DER format.
Truststore Location
    Specify the absolute path of the trust store file of the Service Provider.
    This file has a certificate that is used to verify the signed SAML requests
    from the Service Provider. The corresponding key store must be used by the
    SAML sample application for signing the SAML request.
Truststore Alias
    Specify the alias with which the certificate is stored in the truststore of
    the Service Provider.
Truststore Password
    Specify the password for the truststore of the Service Provider.

Section: SAML Response Signing Configuration

Keystore Location
    Specify the absolute or relative path of the Identity Provider's keystore
    file on the file system. This file has both the private key and certificate
    that are used for signing the SAML response.
    Note: Ensure that the public-private key pair is generated using "RSA" as
    the key algorithm and "SHA1withRSA" as the signing algorithm.
Keystore Alias
    Specify an alias of the private key and certificate stored in the Identity
    Provider's keystore.
Keystore Password
    Specify the password for the keystore of the Identity Provider.
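A pre-flight check for the Certificate Location and Keystore settings above, added here as an example and not part of this guide or of CA's product: it accepts a Service Provider certificate in either PEM or DER form and returns the DER bytes the wizard requires, and it scans DER bytes for the OIDs of sha1WithRSAEncryption and rsaEncryption to confirm the algorithms the Note calls for. The byte strings below are constructed ASN.1 fragments, not real certificates, and the OID scan is a heuristic rather than a full X.509 parse.

```python
"""Pre-flight checks for the SAML Configuration page: DER input and the
RSA / SHA1withRSA algorithm requirement.

Added example; not CA's code. CONSTRUCTED_DER is a hand-built ASN.1 SEQUENCE
holding two OIDs, not a real certificate; the algorithm check is a byte scan
for those OIDs, not an X.509 parse.
"""
import base64
import re

# DER encodings (tag 0x06, length, value) of the two algorithm identifiers.
SHA1_WITH_RSA_OID = bytes.fromhex("06092a864886f70d010105")   # 1.2.840.113549.1.1.5
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

PEM_BLOCK = re.compile(rb"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose length field matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for PEM or DER input; raise ValueError for anything else."""
    m = PEM_BLOCK.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    if not looks_like_der_sequence(data):
        raise ValueError("input is neither a PEM block nor a DER SEQUENCE")
    return data


def uses_rsa_sha1(der: bytes) -> bool:
    """Heuristic: both rsaEncryption and sha1WithRSAEncryption OIDs occur in the DER."""
    return RSA_ENCRYPTION_OID in der and SHA1_WITH_RSA_OID in der


# Constructed sample: SEQUENCE { OID sha1WithRSAEncryption, OID rsaEncryption }
CONSTRUCTED_DER = bytes.fromhex("3016") + SHA1_WITH_RSA_OID + RSA_ENCRYPTION_OID
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER)
                   + b"-----END CERTIFICATE-----\n")
# Same structure, but with sha256WithRSAEncryption (1.2.840.113549.1.1.11) instead
CONSTRUCTED_DER_SHA256 = (bytes.fromhex("3016")
                          + bytes.fromhex("06092a864886f70d01010b")
                          + RSA_ENCRYPTION_OID)

if __name__ == "__main__":
    der = to_der(CONSTRUCTED_PEM)
    print("DER bytes:", der.hex())
    print("RSA + SHA1withRSA:", uses_rsa_sha1(der))
```

A key pair that satisfies the Note can be generated with `keytool -genkeypair -keyalg RSA -sigalg SHA1withRSA`; the check only reports what this wizard version requires, and since SHA-1 signatures are deprecated in current guidance, agree the algorithm with the Service Provider before relying on it long term.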
3. Click Next.
The Verify Input page opens.
Review the information on this screen, and if you need to change a previous
selection, then click Previous to do so. After making the required changes, click
Next to come back to the Verify Input page.
4. Click Save.
The wizard saves your settings and creates the configuration files at the following
location:
AFM_HOME\conf\afm
Note: AFM_HOME is the environment variable that stores the Adapter install
location. By default, Adapter is installed in the System_Drive\Program Files\Arcot
Systems directory.
Integration Type: SAML
Properties Files Generated:
■ arcotafm.properties
    Contains the AFM configurations.
■ saml_config.properties
    Contains configurations for the SAML integration.
■ samlsampleapp.properties
    Contains the SAML sample application's configurations.
■ arcotsm.properties
    Contains the State Manager configurations.

Integration Type: SiteMinder
Properties Files Generated:
■ arcotafm.properties
    Contains the AFM configurations.
■ adaptershim.ini
    Contains the Authentication Shim-related configurations.
■ arcotsm.properties
    Contains the State Manager configurations.

Integration Type: VPN
Properties Files Generated:
■ arcotafm.properties
    Contains the AFM configurations.
In addition to the above file, the following file will be created when AOTP on
Browser is selected as the primary authentication mechanism:
■ arcotsm.properties
    Contains the State Manager configurations.

Integration Type: All
Properties Files Generated:
■ arcotafm.properties
    Contains the AFM configurations.
■ saml_config.properties
    Contains configurations for the SAML integration.
■ samlsampleapp.properties
    Contains the SAML sample application configurations and the custom
    application configurations.
■ adaptershim.ini
    Contains the Authentication Shim-related configurations.
■ arcotsm.properties
    Contains the State Manager configurations.
■ customapp.properties
    Contains the custom application-related configurations.
Copying the Adapter Configuration Files
This section describes how to deploy the Adapter properties files for the following
integration types:
■ For SiteMinder Integration (see page 62)
■ For SAML Integration (see page 63)
■ For VPN Integration (see page 63)
For SiteMinder Integration
To deploy the properties files for SiteMinder integration:
1. Copy adaptershim.ini from the AFM_HOME\conf\afm folder to the following
   location on the system where SiteMinder Policy Server is hosted:
   AFM_HOME\conf
   Note: AFM_HOME is the environment variable that stores the Adapter install
   location. By default, Adapter is installed in the System_Drive\Program
   Files\Arcot Systems directory.
2. Restart the SiteMinder Policy Server.
For SAML Integration
To deploy the properties files for SAML integration:
1. If you plan to install the SAML sample application on the system where AFM
   is hosted, then skip this step. Else, copy the saml_config.properties,
   samlsampleapp.properties, and sampleapps-log4j.properties from the
   AFM_HOME\conf\afm folder to AFM_HOME\conf\afm on the system where you plan
   to deploy the SAML sample applications.
   For information about deploying the SAML sample application, see section
   "Deploying the Sample Application WAR Files" (see page 90).
2. After deploying the SAML sample applications, restart the application server.
For VPN Integration
If the AFM wizard and AFM are deployed on separate systems, then you must copy the
arcotafm.properties file to the AFM_HOME\conf\afm location on the system where
AFM is deployed.
Chapter 6: Deploying and Configuring State Manager
This chapter walks you through the process of deploying and configuring the State
Manager. It covers the following topics:
■ Running Database Scripts (see page 65)
■ Copying the JDBC Drivers (see page 66)
■ Creating a JNDI Connection (see page 68)
■ Deploying State Manager (see page 76)
Important! State Manager is required when you are integrating Adapter with any of the
following:
– SAML-based Web portal
– SiteMinder
– SSL VPN that is configured to use the ArcotOTP on Browser authentication mechanism
You do not need to configure State Manager for IPsec VPN integration.
Running Database Scripts
Adapter is shipped with scripts that are required to create necessary tables in the
database. To create the required database tables:
1. Navigate to the following location:
   For MS SQL Server:
   <state_manager_installation_dir>\dbscripts\mssql
   For MySQL:
   <state_manager_installation_dir>\dbscripts\mysql
   For Oracle:
   <state_manager_installation_dir>\dbscripts\oracle
2. Run the arcot-db-config-for-adapter-statemanager-2.2.9.sql file on the
   database.
   This command creates the ARTSTOKENS table in your database. This table
   contains the token information, such as the token ID, the time when the
   token was issued and last used, and the timestamp of communication with
   the RiskMinder Server.
Copying the JDBC Drivers
State Manager uses Java Database Connectivity (JDBC) to connect to the database. The
Adapter installation package is shipped with the JDBC drivers required by State
Manager. If you are deploying State Manager on Oracle WebLogic Server, use the JDBC
driver that is shipped with the application server. For any other application servers, use
the JDBC driver that is shipped with the installation package. To successfully deploy
State Manager, you need to copy these drivers to the application server installation
directory and create the JNDI connection between the database and State Manager.
Following are the JDBC JAR files that you will need to copy to your application server:
■ For MS SQL Server 2005 and 2008:
    ■ If the JDK version of the Application Server is 1.5: sqljdbc.jar
    ■ If the JDK version of the Application Server is 1.6: sqljdbc4.jar
■ For MySQL: mysql-connector-java-5.1.22-bin.jar
    Note: You can download the JAR file for MySQL from the Internet.
■ For Oracle: ojdbc14.jar
The following sub-sections walk you through the steps for copying the JDBC JAR
required for your database to one of the following application servers:
■ Apache Tomcat (see page 67)
■ JBoss (see page 67)
■ (For Microsoft SQL Server) Oracle WebLogic (see page 68)
Apache Tomcat
Perform the following steps to copy the JDBC drivers:
1. Navigate to the following directory:
   For MS SQL Server:
   <state_manager_installation_dir>\adapterStateManager\mssql
   For MySQL:
   <state_manager_installation_dir>\adapterStateManager\mysql
   For Oracle:
   <state_manager_installation_dir>\adapterStateManager\oracle
2. Copy the JAR file corresponding to the database that you are using to the
   following application server installation directory.
   For Apache Tomcat 5.5.x:
   <Tomcat_root>\common\lib
   For Apache Tomcat 6.x and 7.x:
   <Tomcat_root>\lib
   Note: <Tomcat_root> refers to the Apache Tomcat installation directory.
3. Restart Apache Tomcat.
JBoss
Perform the following steps to copy the JDBC JAR file to JBoss:
1. Copy the JDBC JAR file to the following location in the JBoss installation
   directory:
   <JBOSS_HOME>\server\default\lib
2. Restart the application server.
(For Microsoft SQL Server) Oracle WebLogic
If you are using Microsoft SQL Server, perform the following steps to copy the JDBC JAR
file to Oracle WebLogic:
Note: If you are using Oracle database, do not perform the configurations mentioned in
this section, because WebLogic supports Oracle database by default. Therefore, you can
directly proceed with the database connection pooling configurations for Oracle
WebLogic, as discussed in "Creating a JNDI Connection" (see page 68).
1. Copy the <Database_JAR> file to the following directory:
   <JAVA_HOME used by Oracle WebLogic instance>\jre\lib\ext
2. Log in to WebLogic Administration Console.
3. Navigate to Deployments.
4. Enable the Lock and Edit option.
5. Click Install and navigate to the directory that contains the <Database_JAR>
   file.
6. Click Next.
   The Application Installation Assistant screen opens.
7. Click Next.
   The Summary page opens.
8. Click Finish.
9. Activate the changes.
10. Restart the Oracle WebLogic server.
Creating a JNDI Connection
This section describes how to create the JNDI connection on the following application
servers that are supported by State Manager:
■ Apache Tomcat (see page 69)
■ IBM WebSphere (see page 71)
■ JBoss (see page 74)
■ Oracle WebLogic (see page 75)
Note: Perform steps in this section to create JNDI connections for the primary database
server. If database failover support is needed, then you must also specify the data
sources with JNDI names for the secondary database server.
Apache Tomcat
To create a JNDI connection in Apache Tomcat:
1. Collect the following database-specific information:
   ■ JNDI Name
      The JNDI name used by the Arcot components.
      Note: The value you enter in the JNDI Name field must exactly match the
      "Primary JNDI Name" that you have configured in the AFM wizard.
   ■ User ID
      The database user ID.
   ■ Password
      The database password.
   ■ JDBC Driver Class
      The JDBC driver class name. Depending on the database you are using, this
      value would be one of the following:
      For MS SQL Server: com.microsoft.sqlserver.jdbc.SQLServerDriver
      For MySQL: com.mysql.jdbc.Driver
      For Oracle: oracle.jdbc.driver.OracleDriver
   ■ JDBC URL
      The JDBC URL for the database server. Depending on the database you are
      using, this URL would be one of the following:
      For MS SQL Server:
      jdbc:sqlserver://server:port_number;databaseName=database_name;selectMethod=cursor
      For MySQL:
      jdbc:mysql://host_name:port_number/database_name
      For Oracle:
      jdbc:oracle:thin:@server:port_number:sid
2. Take a backup of the server.xml file present in the TOMCAT_HOME\conf
   directory.
3. Open the server.xml file present in the TOMCAT_HOME\conf directory.
4. Use the information that you collected in Step 1 to add an entry in the
   following format for defining the data source within the
   <GlobalNamingResources> tag:
   <Resource name="data source_name" auth="Container" type="javax.sql.DataSource"
   username="user_id" password="password" driverClassName="JDBC_driver_class"
   url="jdbc_url" maxWait="30000" maxActive="32" maxIdle="4" initialSize="4"
   timeBetweenEvictionRunsMillis="600000" minEvictableIdleTimeMillis="600000"/>
5. Save and close the server.xml file.
6. Take a backup of the context.xml file present in the TOMCAT_HOME\conf
   directory.
7. Open the context.xml file present in the TOMCAT_HOME\conf directory.
8. Use the information that you entered in Step 4 to add an entry in the
   following format for defining the data source within the <Context> tag. The
   data source name that you specify in this step must be the same as the data
   source name that you specify in Step 4.
   <ResourceLink global="data source_name" name="data source_name"
   type="javax.sql.DataSource"/>
9. Save and close the context.xml file.
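A consistency check for the entries from Steps 4 and 8, added here as an example and not part of this guide or of CA's product: it parses a server.xml and a context.xml, confirms that the <ResourceLink> in context.xml refers to a <Resource> defined under <GlobalNamingResources>, that the name matches the wizard's Primary JNDI Name exactly (the comparison is case-sensitive, as JNDI lookups are), and that the driverClassName belongs to the JDBC URL scheme, using the three driver/URL pairs listed in Step 1. The XML fragments, the JNDI name jdbc/arcotsm, the credentials and the host name are constructed sample values.

```python
"""Consistency check for the Tomcat data-source wiring described in this section.

Added example; not CA's code. The XML below is constructed sample input in the
format shown in Steps 4 and 8; jdbc/arcotsm, the credentials and the host name
are made-up values.
"""
import xml.etree.ElementTree as ET

# Driver class that belongs to each JDBC URL scheme (the pairs listed in Step 1).
DRIVER_FOR_SCHEME = {
    "jdbc:sqlserver:": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "jdbc:mysql:": "com.mysql.jdbc.Driver",
    "jdbc:oracle:": "oracle.jdbc.driver.OracleDriver",
}


def check_jndi_wiring(server_xml: str, context_xml: str, primary_jndi: str) -> list:
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []

    # Step 4: the <Resource> must sit under <GlobalNamingResources> in server.xml.
    gnr = ET.fromstring(server_xml).find("GlobalNamingResources")
    if gnr is None:
        return ["server.xml has no <GlobalNamingResources> element"]
    resources = {r.get("name"): r for r in gnr.findall("Resource")}

    # The name must match the wizard's Primary JNDI Name exactly (case-sensitive).
    res = resources.get(primary_jndi)
    if res is None:
        problems.append(f"no <Resource name={primary_jndi!r}> under <GlobalNamingResources>")
    else:
        if res.get("type") != "javax.sql.DataSource":
            problems.append("Resource type must be javax.sql.DataSource")
        url = res.get("url", "")
        driver = res.get("driverClassName", "")
        expected = next((d for s, d in DRIVER_FOR_SCHEME.items() if url.startswith(s)), None)
        if expected is None:
            problems.append(f"unrecognised JDBC URL scheme in {url!r}")
        elif driver != expected:
            problems.append(f"driverClassName {driver!r} does not match URL {url!r}; expected {expected!r}")

    # Step 8: context.xml must link the same global name under the same local name.
    links = [l for l in ET.fromstring(context_xml).findall("ResourceLink")
             if l.get("global") == primary_jndi]
    if not links:
        problems.append(f"no <ResourceLink global={primary_jndi!r}> in context.xml")
    for link in links:
        if link.get("name") != primary_jndi:
            problems.append(f"ResourceLink name {link.get('name')!r} differs from global {primary_jndi!r}")
        if link.get("type") != "javax.sql.DataSource":
            problems.append("ResourceLink type must be javax.sql.DataSource")
    return problems


# Constructed sample server.xml in the Step 4 format (values are made up).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/arcotsm" auth="Container" type="javax.sql.DataSource"
              username="sm_user" password="sm_password"
              driverClassName="oracle.jdbc.driver.OracleDriver"
              url="jdbc:oracle:thin:@db.example.test:1521:ORCL"
              maxWait="30000" maxActive="32" maxIdle="4" initialSize="4"
              timeBetweenEvictionRunsMillis="600000"
              minEvictableIdleTimeMillis="600000"/>
  </GlobalNamingResources>
</Server>
"""
# Same Resource, but the MySQL driver class paired with an Oracle URL.
MISMATCHED_SERVER_XML = SERVER_XML.replace(
    "oracle.jdbc.driver.OracleDriver", "com.mysql.jdbc.Driver")

# Constructed sample context.xml in the Step 8 format.
CONTEXT_XML = """<Context>
  <ResourceLink global="jdbc/arcotsm" name="jdbc/arcotsm"
                type="javax.sql.DataSource"/>
</Context>
"""

if __name__ == "__main__":
    for label, sx, jndi in [("good", SERVER_XML, "jdbc/arcotsm"),
                            ("bad driver", MISMATCHED_SERVER_XML, "jdbc/arcotsm"),
                            ("wrong case", SERVER_XML, "jdbc/ArcotSM")]:
        print(label, check_jndi_wiring(sx, CONTEXT_XML, jndi) or "OK")
```

Because the <Resource> entry carries the database password in clear text, restrict read access on TOMCAT_HOME\conf\server.xml (and on the backup taken in Step 2) to the account that runs Tomcat.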
IBM WebSphere
To create a JNDI connection in IBM WebSphere:
1. Log in to WebSphere Administration Console.
2. Click Resources and expand the JDBC node.
3. Click JDBC Providers.
   The JDBC Providers page opens.
4. In the Preferences section, click New.
   The Create a new JDBC Provider page opens.
5. Perform the following steps to create a JDBC provider:
   Note: Refer to
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.iseries.doc/info/iseries/ae/tdat_ccrtprov.html
   for more information on JDBC providers.
   a. If you are using MS SQL Server or Oracle, perform the following steps:
      ■ Specify the Database Type and Provider Type.
      ■ Select Connection pool data source from the Implementation Type
        drop-down list.
   b. If you are using MySQL, perform the following steps:
      ■ Specify User-Defined as the Database Type.
      ■ Specify the following as the Implementation Class Name:
        com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource
   c. Enter a Name for the JDBC provider. You can also enter a Description for
      the JDBC provider.
   d. Click Next.
      The Enter database class path information screen opens.
   e. Enter the absolute path for the JAR file.
   f. Click Next.
      The Summary screen opens.
   g. After reviewing the summary of the information that you have entered,
      click Finish.
6. Set the CLASSPATH for the JDBC provider that you created in Step 5.
   a. Click Resources and expand the JDBC node.
   b. Click JDBC Providers.
      The JDBC Providers page opens.
   c. Click the JDBC provider that you created in Step 5.
   d. Set the Class Path for the JDBC JAR.
   e. Click Apply to save the changes.
7. Create a Data Source, as follows:
   a. Go to Resources, and then click JDBC.
   b. Under JDBC, open Data Sources and click New. Perform the following steps
      to create a data source:
   c. Specify the Data source name.
   d. Specify the JNDI name.
      Note: The value you enter in the JNDI name field must exactly match the
      "Primary JNDI Name" that you have configured in the AFM wizard.
   e. Click Next.
   f. Select an existing JDBC provider created in Step 3.
   g. Click Next.
      The Enter database specific properties for the data source screen opens.
   h. Depending on the database, enter the following information:
      ■ For MS SQL Server:
        Specify the Database name, Port number, and Server name.
      ■ For Oracle:
        Specify the Value for JDBC URL. This URL would be of the following
        type: jdbc:oracle:thin:@server:port_number:sid
   i. Select the Data store helper class name. For MySQL, ensure that the data
      store helper class name is
      com.ibm.websphere.rsadapter.GenericDataStoreHelper.
   j. Click Next.
      The Setup Security aliases screen opens.
   k. Click Next to view the Summary screen, and then click Finish.
8. Click the data source created in Step 7.
9. If you are using MS SQL Server or Oracle, perform the following steps:
   a. In the Related Items section, click JAAS - J2C authentication data.
   b. Click New to create a new credential.
   c. Enter the login credentials that are used to connect to the database and
      save the credential.
   d. Click Apply, and then click OK to save the changes made.
   e. Click Data Sources and select the data source that you created in Step 7.
   f. Under Security Settings -> Component-managed authentication alias, select
      the JAAS credential that you created earlier, click Apply, and then click
      OK.
10. If you are using MySQL, perform the following steps:
   a. Click the Custom Properties link.
      A screen showing the existing custom properties opens.
   b. Click New, and enter values for the following properties:
      ■ databaseName
        Enter a value in the dbname?autoReconnect=true format.
      ■ user
      ■ password
      ■ port
        Enter 3306 for MySQL.
      ■ serverName
   c. Log in again to WebSphere Administration Console.
   d. Go to Resources, and then click JDBC.
11. Click Data Sources and select the check box for the data source you created
   in Step 7.
12. Click Test connection to verify that you have specified the connection
   correctly.
Note: This test only checks the connection to the database server, not
necessarily the correct definition of the data source. On MySQL, if you find
that the connection test fails even though you have specified the correct
connection parameters, restart the application server and then retry the
connection test.
JBoss
To create a JNDI connection in JBoss:
1. Access the JBoss AS Administration Console.
2. In the left pane, click Resources, Datasources, Local Tx Datasource.
   The Local Tx Datasource page opens.
3. Click the Add a new resource button.
4. In the Select Resource Template field, select default (Local Tx Datasource).
5. Click Continue.
   The Add New datasource page opens.
6. Enter the following information to create a new data source:
   ■ JNDI Name
      The JNDI name used by the Arcot components.
      Note: The value you enter in the JNDI Name field must exactly match the
      "Primary JNDI Name" that you have configured in the AFM wizard.
   ■ Username
      The database user name.
   ■ Password
      The database password.
   ■ JDBC Driver Class
      The JDBC driver class name. For example, oracle.jdbc.driver.OracleDriver.
   ■ Connection URL
      The connection URL for the database server. For example, if you are
      using the Oracle driver, then the URL would be:
      jdbc:oracle:thin:@server:port_number:sid
7. Click Save.
Oracle WebLogic
This section provides the steps to enable Oracle WebLogic for JNDI-based database
operations.
Perform the following steps to create a data source in Oracle WebLogic:
1. Log in to WebLogic Administration Console.
2. Click the Lock & Edit button, if you have not already done so.
3. Go to Resources, and then click JDBC.
4. Under JDBC, open Data Sources, and click New to create a new data source.
   In case of Oracle WebLogic 11g, navigate to Services, then JDBC, and finally
   to Data Sources.
5. Set the following JNDI and database information:
   a. Specify the name of the data source in the Name field.
   b. Specify the JNDI name in the JNDI Name field.
      Note: The value you enter in the JNDI Name field must exactly match the
      "Primary JNDI Name" that you have configured in the AFM wizard.
   c. Choose a suitable Database Type, for example Oracle.
   d. Select a suitable Database Driver, for example Oracle Thin Driver.
6. Click Next, retain the default values, and then click Next again.
7. In the Connection Properties page, set the database details. The values
   mentioned here are for the Oracle database:
   ■ Database: SID or service name of the DB server
   ■ Hostname: The IP address or host name of the DB server
   ■ Port: 1521, or any other port on which the DB server is running
   ■ Database User Name
   ■ Database Password / Confirm Password
8. Click Test Configuration to verify that you have specified the correct
   database parameters.
9. Click Next and set the data source target to the preferred WebLogic server
   instance.
10. Click Finish to return to the data source list page.
11. Click Activate to enable the data source settings.
Deploying State Manager
Important! If you are integrating Adapter with SAML or SiteMinder, and you have opted
to use RiskMinder for risk evaluation, then ensure that the RiskMinder Server is started
and running.
You need the arcotsm.war file to deploy State Manager. This file is available at the
following location:
■ If you are using MS SQL database with State Manager:
  state_manager_installation_dir\adapterStateManager\mssql
■ If you are using MySQL with State Manager:
  state_manager_installation_dir\adapterStateManager\mysql
■ If you are using Oracle database with State Manager:
  state_manager_installation_dir\adapterStateManager\oracle
To deploy State Manager, depending on the database you are using, install the
arcotsm.war file from one of the preceding locations on your application server. For
example, on Apache Tomcat, the location to install the WAR file is:
application_server_home\webapps
Apache Tomcat extracts the WAR file and creates a folder named arcotsm under the
webapps folder.
Note: Refer to the vendor documentation for instructions on how to deploy on other
supported application servers. Also, CA recommends using a secured communication
channel between all Adapter components. For more information about configuring SSL
communication, see appendix, "Configuring SSL and Redirection in Apache Tomcat" (see
page 163).
The following subsections list the additional steps required to deploy State Manager on
IBM WebSphere application server.
Applicable Only for IBM WebSphere 6.1
Perform the following steps to deploy WAR file on WebSphere 6.1:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Install New Application.
3. Based on the location of the WAR file, select either Local file system or
   Remote file system.
4. In the Full path field, enter the absolute path of the WAR file or click
   Browse to select the WAR file location.
5. Specify arcotsm as the context root.
6. In the How do you want to install the application section, select the Show
   me all installation options and parameters option.
7. Click Next.
8. Click Next on the Preparing for the application installation screen.
9. Click Continue on the Application Security Warnings screen.
10. In the Step 1: Select install options screen, select the Precompile
   JavaServer Pages files option.
11. Click Next.
12. Click Next on the Step 2: Map modules to servers screen.
13. In the Step 3: Provide options to compile JSPs screen, enter the value 15
   in the JDK Source level column.
14. Follow the onscreen instructions and complete the deployment.
Perform the following steps after you deploy the WAR file:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Enterprise Applications -> WebSphere enterprise
   applications.
3. Click the WAR file link.
4. Click the Class loading and update detection link.
5. In the Class loader order section, select the Classes loaded with local
   class loader first option.
6. In the WAR class loader policy section, select the Single class loader for
   application option.
Applicable Only for IBM WebSphere 7.1
Perform the following steps after you deploy the WAR file:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Application Types -> WebSphere enterprise
   applications.
3. Click the WAR file link.
4. Click the Class loading and update detection link.
5. In the Class loader order section, select the Classes loaded with local
   class loader first (parent last) option.
6. In the WAR class loader policy section, select the Single class loader for
   application option.
Chapter 7: Deploying and Configuring Authentication Flow Manager
This chapter lists the tasks that you must perform to deploy and configure
Authentication Flow Manager (AFM). It covers the following topics:
■ Deploying Authentication Flow Manager (see page 80)
■ Next Steps (see page 83)
Important! Before deploying and configuring AFM, ensure that AuthMinder is installed,
configured, and running.
Deploying Authentication Flow Manager
You need the arcotafm.war file to deploy AFM. This file is available at the following
location:
afm_installation_dir\adapterAFM\
To deploy the AFM application, install the arcotafm.war file on your application server.
For example, on Apache Tomcat, the location to install the WAR file is:
application_server_home\webapps
Apache Tomcat extracts the WAR file and creates a folder named arcotafm under the
webapps folder.
Note: Refer to the vendor documentation for deployment instructions on other
supported application servers.
Depending on the application server that you are using, perform the additional steps
described in one of the following sections:
■ Applicable Only for JDK 1.5 on Apache Tomcat
■ Applicable Only for IBM WebSphere 6.1
■ Applicable Only for IBM WebSphere 7.1
■ Applicable Only for Oracle WebLogic
■ Applicable Only for JBoss 5.1
Applicable Only for JDK 1.5 on Apache Tomcat
Important! The additional configurations given in this section are required only when
you are integrating Adapter with SAML-based web portal.
Perform the following steps to deploy the JAR files on an Apache Tomcat installation
that is using JDK 1.5:
1. Browse to the location where the Adapter installer file is unzipped.
2. Copy the JAR files from the endorsed folder to the location configured for
   the -Djava.endorsed.dirs system property.
3. Restart the application server for the changes to take effect.
Applicable Only for IBM WebSphere 6.1
Perform the following steps to deploy the WAR file on WebSphere 6.1:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Install New Application.
3. Based on the location of the WAR file, select either Local file system or
   Remote file system.
4. In the Full path field, enter the absolute path of the WAR file or click
   Browse to select the WAR file location.
5. Specify arcotsm as the context root.
6. In the How do you want to install the application section, select the Show
   me all installation options and parameters option.
7. Click Next.
8. Click Next on the Preparing for the application installation screen.
9. Click Continue on the Application Security Warnings screen.
10. In the Step 1: Select install options screen, select the Precompile
   JavaServer Pages files option.
11. Click Next.
12. Click Next on the Step 2: Map modules to servers screen.
13. In the Step 3: Provide options to compile JSPs screen, enter the value 15
   in the JDK Source level column.
14. Follow the onscreen instructions and complete the deployment.
Perform the following steps after you deploy the WAR file:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Enterprise Applications -> WebSphere enterprise
   applications.
3. Click the WAR file link.
4. Click the Class loading and update detection link.
5. In the Class loader order section, select the Classes loaded with local
   class loader first option.
6. In the WAR class loader policy section, select the Single class loader for
   application option.
7. Use the admin console of the application server to start AFM and then State
   Manager.
Applicable Only for IBM WebSphere 7.1
Perform the following steps after you deploy the WAR file:
1. Log in to the IBM WebSphere administration console.
2. Navigate to Applications -> Application Types -> WebSphere enterprise
   applications.
3. Click the WAR file link.
4. Click the Class loading and update detection link.
5. In the Class loader order section, select the Classes loaded with local
   class loader first (parent last) option.
6. In the WAR class loader policy section, select the Single class loader for
   application option.
7. Use the admin console of the application server to start AFM and then State
   Manager.
Applicable Only for Oracle WebLogic
Important! The additional configurations given in this section are required only when
you are integrating Adapter with SAML-based web portal.
Perform the following steps:
1. Stop the WebLogic Server.
2. Create a directory named endorsed, if it does not already exist, in the
   <JAVA_HOME>\jre\lib directory.
3. If there is an existing <JAVA_HOME>\jre\lib\endorsed directory, take a backup
   of the following JAR files and then delete them from the
   <JAVA_HOME>\jre\lib\endorsed directory:
   ■ resolver
   ■ serializer
   ■ xalan
   ■ xercesImpl
   ■ xml-apis
4. Copy the JAR files that are available in the endorsed directory of the
   Adapter package to the <JAVA_HOME>\jre\lib\endorsed directory.
5. Start the WebLogic server.
Applicable Only for JBoss 5.1
Important! The additional configurations given in this section are required only when
you are integrating Adapter with SAML-based web portal.
Perform the following steps:
1. Stop the JBoss application server.
2. Navigate to the following location:
   <JBOSS_Install_Home>\lib\endorsed
3. If the following files are present in the <JBOSS_HOME>\lib\endorsed
   directory, take a backup of the files and then delete them from
   <JBOSS_HOME>\lib\endorsed:
   ■ resolver
   ■ serializer
   ■ xalan
   ■ xercesImpl
   ■ xml-apis
4. Copy the JAR files available in the endorsed directory of the Adapter
   package to the following location:
   <JBOSS_HOME>\lib\endorsed
5. Start the JBoss application server.
Next Steps
Based on your integration type, proceed with the configuration steps that are discussed
in this section.
■ For SiteMinder Integration
  a. Complete the Authentication Shim, FCC pages, and SiteMinder
     configurations, as discussed in the chapters, "Configuring Authentication
     Shim and FCC Pages" and "Configuring CA SiteMinder Policy Server".
  b. Verify the integration as discussed in the section, "Verifying SiteMinder
     Integration" (see page 101).
■ For SAML Integration
  a. Deploy and configure the SAML sample applications, as discussed in
     chapter, "Deploying and Configuring SAML Sample Applications" (see page
     89).
  b. Verify the integration, as discussed in the section, "Verifying SAML
     Integration" (see page 101).
■ For Cisco IPSec VPN Integration
  Perform the post-installation configuration tasks described in the CA
  Adapter for Cisco IPSec VPN Configuration Guide.
■ For Juniper SSL VPN Integration
  Perform the post-installation configuration tasks described in the CA
  Adapter for Juniper SSL VPN Configuration Guide.
Chapter 8: Configuring Authentication Shim and FCC Pages
This chapter describes how to configure the Form Credential Collector (FCC) pages and Authentication Shim. It covers the following topics:
■ Deploying the FCC Pages (see page 85)
■ Deploying Authentication Shim (see page 86)
Deploying the FCC Pages
You need to create a virtual directory in IIS Web Server to deploy the FCC pages. To create a virtual directory in IIS 7.0 Web Server and deploy the FCC pages, perform the following steps on the system where SiteMinder Web Agent is deployed:
1. Launch the Internet Information Services (IIS) Manager application.
2. In the Connections pane, expand the Sites node.
3. Select the Web site and then click Add Virtual Directory.
   The Add Virtual Directory dialog box opens.
4. Enter arcotlogin in the Alias field.
5. Click the Browse button corresponding to the Physical path field to select the path of the FCC pages folder.
   By default, the FCC pages are available in the following folder:
   <fcc_pages__installation_dir>\adapterSiteMinder\fcc
6. Click OK.
   A virtual directory named arcotlogin is created under the Sites -> Web Site node.
Verifying the FCC Pages Deployment
To verify the virtual directory and FCC pages deployment, perform the following steps:
1. In the IIS Manager, select the arcotlogin virtual directory.
2. Switch over to the Content View mode.
   The arcotlogin directory content is displayed.
   You will notice the FCC pages listed in the right pane of the IIS Manager window.
You can also verify the properties you configured for the virtual directory in the arcotlogin Properties window.
Deploying Authentication Shim
The files required to deploy Authentication Shim are available at the following location on the SiteMinder Policy Server system:
<auth_shim_installation_dir>\adapterSiteMinder\lib\
To deploy the Authentication Shim:
1. Ensure that the Authentication Shim library and the log library files are available in the PATH system variable by doing one of the following:
   ■ Copying the ArcotSiteMinderAdapter.dll and ArcotLog2FileSC.dll files, available at:
     <auth_shim_installation_dir>\adapterSiteMinder\lib
     to the bin directory of the SiteMinder Policy Server.
   or
   ■ Including the <auth_shim_installation_dir>\adapterSiteMinder\lib directory in the PATH variable.
2. Ensure that the Microsoft VC++ 2005 SP1 Redistributable package (vcredist_x86.exe) is installed.
   If not, install it from the following location:
   <auth_shim_installation_dir>\adapterSiteMinder\lib\
3. Restart the SiteMinder Policy Server.
Chapter 9: Configuring CA SiteMinder Policy Server
To configure SiteMinder Policy Server to integrate with Adapter, perform the following steps (on the system hosting SiteMinder Policy Server). The steps documented here are for SiteMinder Policy Server version 12. If you are using a different version of the SiteMinder Policy Server, refer to the relevant SiteMinder Policy Server documentation.
1. Create a new Authentication Scheme in the SiteMinder Policy Server administrative interface, as follows:
   a. Open SiteMinder Policy Server Administrative User Interface, click the Infrastructure tab, click Authentication, and then click Authentication Scheme.
   b. Click Create Authentication Scheme.
   c. In the Create Authentication Scheme screen, select Create a new object of type Authentication Scheme, and click OK.
   d. In the General section of the Create Authentication Scheme screen, do the following:
      ■ Specify a name and description for the new authentication scheme in the Name and Description fields respectively.
      ■ Select Custom Template from the Authentication Scheme Type drop-down list.
      ■ Specify a protection level. The protection level is enforced during single sign-on when the user tries to access resources protected by different authentication schemes.
      ■ Some authentication scheme types support Password Policies, while others do not. Select the Password Policies enabled for this Authentication Scheme check box, if you want the authentication scheme to support password policies.
   e. In the Scheme Setup section of the Create Authentication Scheme screen, do the following:
      ■ Enter the Adapter library file name as ArcotSiteMinderAdapter in the Library field.
      ■ Enter the name of the configured workflow in the Parameter field.
      Important! The value you enter in the Parameter field is case-sensitive and it must exactly match the "AFM Profile Name" that you have configured in the AFM wizard.
   f. Click Submit to create the authentication scheme.
2. Any realm that you wish to protect with CA authentication must be configured to use the new Authentication Scheme that you created in Step 1. Use SiteMinder Realm Dialog to perform this operation.
3. For SiteMinder Policy Server to work with Adapter, set the parameters from the following table in the SiteMinder Agent Configuration Object Dialog screen.
   Parameter          Value
   CssChecking        Yes
   FCCCompatMode      Yes
   AgentName          Name of the agent.
   LogFileName        Name of the Web Agent log file. This is not a mandatory setting, but can be used for debugging.
   DefaultAgentName   Name of the default Web Agent.
   DefaultPassword    Web Agent password.
   LogFileSize        Size of the Web Agent log file.
   Logfile            Yes
   RequireCookies     Yes
   TraceConfigFile    Name of the trace configuration file. This is not a mandatory setting, but can be used for debugging.
   TraceFile          Yes
   TraceFileName      Name of the trace file.
   TraceFileSize      Size of the trace file.
Chapter 10: Deploying and Configuring SAML Sample Applications
SAML sample applications can be used to verify if Adapter was successfully installed and configured for SAML integration. In addition, they demonstrate:
■ The typical authentication workflows supported by Adapter
■ Integration of your application with Adapter
Important! Sample application must not be used in production deployments. The sample application is provided to demonstrate the AFM SAML workflows.
This chapter covers the following topics:
■ Deploying the Sample Application WAR Files (see page 90)
■ Verifying the Sample Application Deployment (see page 93)
■ Configuring Sample Application (see page 93)
Deploying the Sample Application WAR Files
The Adapter installation package includes the following SAML sample applications:
■ samlsampleapp.war: The main sample application.
■ bankapp.war: The sample bank application.
■ insuranceapp.war: The sample insurance application.
Using these modules, you can test the authentication workflows available in the SAML integration. To deploy sample application:
1. Navigate to the following location:
   saml_sample_app_installation_dir\sampleApplications
2. Copy the samlsampleapp.war, bankapp.war, and insuranceapp.war files to your application server. For example, on Apache Tomcat, the location to copy the WAR files is:
   application_server_home\webapps
   Apache Tomcat automatically deploys the WAR files and creates the following folders under the webapps folder:
   ■ samlsampleapp
   ■ bankapp
   ■ insuranceapp
   Note: Refer to the vendor documentation for deployment instructions on other supported application servers.
3. (Applicable Only for JDK 1.5 on Apache Tomcat) Perform the following steps to deploy the JAR files on an Apache Tomcat installation that is using JDK 1.5:
   a. Browse to the location where the Adapter installer file is unzipped.
   b. Copy the JAR files from the endorsed folder to the location configured for the -Djava.endorsed.dirs system property.
   c. Restart the application server for the changes to take effect.
4. (Applicable Only for IBM WebSphere 6.1) Perform the following steps to deploy the WAR file on WebSphere 6.1:
   a. Log in to the IBM WebSphere administration console.
   b. Navigate to Applications -> Install New Application.
   c. In the How do you want to install the application section, select the Show me all installation options and parameters option.
   d. Click Next.
   e. Click Next on the Preparing for the application installation screen.
   f. Click Continue on the Application Security Warnings screen.
   g. In the Step 1: Select install options screen, select the Precompile JavaServer Pages files option.
   h. Click Next.
   i. Click Next on the Step 2: Map modules to servers screen.
   j. In the Step 3: Provide options to compile JSPs screen, enter the value 15 in the JDK Source level column.
   k. Follow the on-screen instructions and complete the deployment.
5. (Applicable Only for IBM WebSphere 6.1) Perform the following steps after you deploy the WAR file:
   a. Log in to the IBM WebSphere administration console.
   b. Navigate to Applications -> Enterprise Applications -> WebSphere enterprise applications.
   c. Click the WAR file link.
   d. Click the Class loading and update detection link.
   e. In the Class loader order section, select the Classes loaded with local class loader first option.
   f. In the WAR class loader policy section, select the Single class loader for application option.
   g. Restart IBM WebSphere.
6. (Applicable Only for IBM WebSphere 7.0) Perform the following steps after you deploy the WAR file:
   a. Log in to the IBM WebSphere administration console.
   b. Navigate to Applications -> Enterprise Applications -> WebSphere enterprise applications.
   c. Click the WAR file link.
   d. Click the Class loading and update detection link.
   e. In the Class loader order section, select the Classes loaded with local class loader first (parent last) option.
   f. In the WAR class loader policy section, select the Single class loader for application option.
   g. Restart IBM WebSphere.
7. (Applicable only for Oracle WebLogic) Perform the following steps:
   a. Stop the WebLogic Server.
   b. Create a directory named endorsed, if it does not already exist, in the <JAVA_HOME>\jre\lib directory.
   c. If there is an existing <JAVA_HOME>\jre\lib\endorsed directory, take a backup of the following JAR files and then delete them from the <JAVA_HOME>\jre\lib\endorsed directory:
      ■ resolver
      ■ serializer
      ■ xalan
      ■ xercesImpl
      ■ xml-apis
   d. Copy the JAR files that are available in the endorsed directory of the Adapter package to the <JAVA_HOME>\jre\lib\endorsed directory.
   e. Start the WebLogic server.
8. (Applicable Only for JBoss 5.1) Perform the following steps:
   a. Stop the JBoss application server.
   b. Navigate to the following location:
      <JBOSS_Install_Home>\lib\endorsed
   c. If the following files are present in the <JBOSS_HOME>\lib\endorsed directory, take a backup of the files and then delete them from <JBOSS_HOME>\lib\endorsed:
      ■ resolver
      ■ serializer
      ■ xalan
      ■ xercesImpl
      ■ xml-apis
   d. Copy the JAR files available in the endorsed directory of the Adapter package to the following location:
      <JBOSS_HOME>\lib\endorsed
   e. Start the JBoss application server.
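The WebLogic and JBoss procedures above (and the identical ones in the Authentication Flow Manager chapter) both come down to the same three file operations on an endorsed directory: back up the listed XML JARs, delete them, and copy the Adapter package's JARs in. The following Python script is an added example that automates that sequence; it is not part of the CA Adapter package. It assumes that the installed copies of the listed JARs may carry version suffixes (for example xalan-2.7.1.jar), so it matches on the base name the guide gives, and it defaults to a dry run so you can review what would be moved before stopping the server and running it for real.

```python
"""Back up and replace the endorsed XML JARs for Adapter (added example).

Works for either <JAVA_HOME>\\jre\\lib\\endorsed (WebLogic) or
<JBOSS_HOME>\\lib\\endorsed (JBoss): pass the endorsed directory and the
unzipped Adapter package directory. Stop the server first, run with
dry_run=False, then start the server again.
"""
from __future__ import annotations

import shutil
from datetime import datetime
from pathlib import Path

# Base names of the JARs the guide says to back up and delete.
ENDORSED_JARS = ("resolver", "serializer", "xalan", "xercesImpl", "xml-apis")


def jar_matches(filename: str, base: str) -> bool:
    """True for <base>.jar or <base>-<version>.jar, compared case-insensitively.
    Assumption: installed copies may carry a version suffix such as xalan-2.7.1.jar."""
    name, base = filename.lower(), base.lower()
    if not name.endswith(".jar"):
        return False
    stem = name[: -len(".jar")]
    return stem == base or stem.startswith(base + "-")


def select_jars_to_replace(existing: list[str], bases=ENDORSED_JARS) -> list[str]:
    """From the names present in the endorsed directory, pick those to back up and delete."""
    return sorted(f for f in existing if any(jar_matches(f, b) for b in bases))


def install_endorsed_jars(endorsed_dir, adapter_package_dir, dry_run: bool = True) -> dict[str, list[str]]:
    """Steps b-d of the procedure for one server.

    Returns which files were (or, with dry_run, would be) moved to a backup
    folder and which were copied in from the package's endorsed folder.
    """
    endorsed = Path(endorsed_dir)
    source = Path(adapter_package_dir) / "endorsed"
    existing = [p.name for p in endorsed.iterdir()] if endorsed.is_dir() else []
    report = {
        "backed_up": select_jars_to_replace(existing),
        "copied": sorted(p.name for p in source.glob("*.jar")),
    }
    if dry_run:
        return report
    # Keep the backup beside, not inside, the endorsed directory so the JVM
    # does not pick the old JARs up again.
    backup = endorsed.parent / ("endorsed.bak-" + datetime.now().strftime("%Y%m%d%H%M%S"))
    endorsed.mkdir(parents=True, exist_ok=True)
    backup.mkdir(exist_ok=True)
    for name in report["backed_up"]:
        shutil.move(str(endorsed / name), str(backup / name))  # backup and delete in one move
    for name in report["copied"]:
        shutil.copy2(source / name, endorsed / name)
    return report


if __name__ == "__main__":
    # Dry run against placeholder paths; substitute your real <JAVA_HOME> or <JBOSS_HOME>.
    print(install_endorsed_jars(r"C:\JAVA_HOME_PLACEHOLDER\jre\lib\endorsed",
                                r"C:\ADAPTER_PACKAGE_PLACEHOLDER"))
```

Run it once with the default dry run and compare the "backed_up" list with what is actually in the directory; anything the guide lists that is not reported (for example a JAR renamed by a previous upgrade) has to be handled by hand before the real run.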
Verifying the Sample Application Deployment
The webapps folder must now contain the following folders:
■ samlsampleapp
■ bankapp
■ insuranceapp
You can access the following URL from the end-user's system:
http[s]://host_name:port_number/samlsampleapp/
Replace host_name and port_number with the host name and port of the system where you have deployed sample application. The main page of sample application opens.
If you see the welcome page of sample application, it indicates that you have successfully deployed SAML sample application.
Configuring Sample Application
Important! Ensure that the system time of the system hosting SAML sample application and of the system where AFM is deployed are in sync. If the time is not in sync, then SAML sample application will throw an authentication failure error.
After deploying sample application, you need to configure it before you can test it. To configure sample application, perform the following tasks:
■ Performing Basic AFM Configurations Using Sample Application (see page 94)
■ (Optional) Configuring Custom Certificates in Sample Application (see page 95)
Performing Basic AFM Configurations Using Sample Application
Perform the following steps to configure SAML sample application:
1. From the end-user's system, access sample application in a Web browser window. The default URL for sample application is:
   http[s]://host_name:port_number/samlsampleapp/
   The main page of sample application opens.
2. Click Setup.
   The AFM setup page opens.
3. On the AFM setup page, provide the following information:
   a. Arcot AFM Protocol: Select a protocol for establishing the communication channel with the application server hosting AFM.
      Note: If you are using ArcotID PKI Flash client, then you must select the https protocol. For more information about ArcotID PKI Flash client, see the CA ArcotID PKI Client Reference Guide available with the CA AuthMinder documentation.
   b. Arcot AFM Host: Specify the FQDN or IP address of the application server hosting AFM.
   c. Arcot AFM Port: Specify the port at which the application server hosting AFM is available.
   d. Flow type: Select an AFM profile from the list of available profiles that is displayed in the drop-down list. These profiles would have been created at the time of configuring Adapter. For information about creating AFM profiles, see "Performing Adapter Configuration Using the Wizard" (see page 45).
4. Click Submit.
   The "Setup Successful" message appears.
(Optional) Configuring Custom Certificates in Sample Application
SAML sample application can be configured to use a different set of certificates instead of the bundled sample certificates. To configure sample application to use different certificates:
1. Navigate to the location where you have deployed SAML sample application. For example, navigate to the following location:
   AFM_HOME\conf\afm
2. Open the samlsampleapp.properties file in a text editor.
3. Configure the properties, as described in the following table.
   Property                    Description
   SamlSigningCertPath         Specify the complete path of the X.509 certificate that will be used to verify the SAML response. The corresponding key store must be used in AFM for signing the SAML response.
                               Note: The certificate must be in .DER format.
   SamlSigningPrivateKeyPath   Specify the complete path of the key store file that is used to sign the SAML request.
                               Note: Ensure that the public-private key-pair is generated using "RSA" as key algorithm and "SHA1withRSA" as the signing algorithm.
   SamlSigningKeyStoreAlias    Specify an alias of the private key and certificate stored in the key store.
   SamlSigningJKSPassword      Specify the password for the key store.
4. Save and close the samlsampleapp.properties file.
5. Restart the application server.
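Two of the requirements in this table are easy to get wrong silently: a key that is left commented out counts as not configured at all, and a PEM file in SamlSigningCertPath does not satisfy the .DER requirement, so SAML response verification fails only at test time. The following Python checker is an added example, not part of the CA Adapter package, that reads the four properties with a minimal Java .properties parser and reports such problems before the application server is restarted. It assumes the file uses standard key=value syntax with '#' or '!' comments, and detects DER by the leading ASN.1 SEQUENCE tag (0x30); the sample file content, paths and password are constructed for the demonstration.

```python
"""Pre-restart check for samlsampleapp.properties (added example).

Reports keys that are missing, empty or still commented out, a certificate
that is not DER-encoded, and key store or certificate paths that cannot be read.
"""
from __future__ import annotations

from pathlib import Path
from typing import Callable, Optional

# The four properties this section describes; all must be present and uncommented.
REQUIRED_KEYS = (
    "SamlSigningCertPath",
    "SamlSigningPrivateKeyPath",
    "SamlSigningKeyStoreAlias",
    "SamlSigningJKSPassword",
)

# Constructed sample content, not shipped with the product: one key is still
# commented out and the password is empty, both of which the checker reports.
SAMPLE_PROPERTIES = """\
# samlsampleapp.properties (constructed sample)
SamlSigningCertPath=C:/arcot/certs/afm-signing.der
#SamlSigningPrivateKeyPath=C:/arcot/certs/sp-keystore.jks
SamlSigningKeyStoreAlias = samlsp
SamlSigningJKSPassword=
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: skips blank lines and '#'/'!' comments and
    splits each entry at the first '=' or ':'. A commented-out key is simply absent,
    which is the rule the guide states (uncomment what you want to configure).
    Values are taken literally; backslash escapes are not processed."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def looks_like_der(head: bytes) -> bool:
    """A DER-encoded X.509 certificate begins with the ASN.1 SEQUENCE tag 0x30;
    a PEM file begins with '-----BEGIN', so the first byte tells them apart."""
    return len(head) > 0 and head[0] == 0x30


ReadHead = Callable[[str], Optional[bytes]]  # path -> first bytes, or None if unreadable


def check_saml_signing_config(props: dict[str, str], read_head: Optional[ReadHead] = None) -> list[str]:
    """Return the list of problems found (an empty list means the configuration passes)."""
    problems: list[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing, empty, or still commented out")
    if read_head is None:           # no file access requested: syntax-level checks only
        return problems
    cert = props.get("SamlSigningCertPath")
    if cert:
        head = read_head(cert)
        if head is None:
            problems.append(f"SamlSigningCertPath cannot be read: {cert}")
        elif not looks_like_der(head):
            problems.append("SamlSigningCertPath is not DER-encoded; the guide requires .DER format")
    keystore = props.get("SamlSigningPrivateKeyPath")
    if keystore and read_head(keystore) is None:
        problems.append(f"SamlSigningPrivateKeyPath cannot be read: {keystore}")
    return problems


def read_file_head(path: str, n: int = 16) -> Optional[bytes]:
    """Real file reader: first n bytes, or None if the file cannot be opened."""
    try:
        with open(path, "rb") as fh:
            return fh.read(n)
    except OSError:
        return None


def fake_reader(files: dict[str, bytes]) -> ReadHead:
    """In-memory reader so the checks can be exercised without real files."""
    return lambda path: files.get(path)


def check_properties_file(path: str) -> list[str]:
    """Check a samlsampleapp.properties file on disk."""
    text = Path(path).read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    return check_saml_signing_config(parse_properties(text), read_file_head)


if __name__ == "__main__":
    for problem in check_saml_signing_config(parse_properties(SAMPLE_PROPERTIES)):
        print("PROBLEM:", problem)
```

One caveat the checker does not cover: Java's Properties loader treats a backslash as an escape character, so Windows paths in the file normally need doubled backslashes or forward slashes; the parser above reads values literally, so compare what it reports against what the application actually loads if a path looks right but the file is still not found.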
Chapter 11: Configuring the Service Provider’s Application
This chapter provides an overview of how to integrate your SAML enabled applications with AFM. The JSPs explained in this chapter are available in the application_server_home\webapps\arcotafm\ directory.
■ master.jsp: This JSP provides pointers to the JSPs for the individual workflows that are configured in the JSPs listed in the "Authentication Flow Manager" (see page 14) section.
  To integrate your application with AFM, you need to configure your application to send authentication or user migration request to the master.jsp file. You can configure your application to send a request in any one of the following ways:
  a. Service Provider Initiated Workflow: In this approach, the Service Provider’s application sends the authentication request to AFM. In this approach, the parameters described in the following table must be passed in the request.
     Parameter     Description
     SigAlg        The algorithm used by your application for signing the request.
     Signature     The signature of the parameters as explained in the SAML Protocol.
     SAMLRequest   Base64 encoded SAML request.
     RelayState    This is an opaque reference to the state on the Service Provider’s side. This is an optional parameter.
     Profile       This is the AFM profile created from Wizard. This defines the primary and secondary authentication mechanisms and other related configurations.
     Processreq    This is used by AFM.
  b. Identity Provider Initiated Workflow: In this workflow the user can either directly hit the AFM URL or the Service Provider can redirect the user’s authentication request to AFM with the parameters described in the following table.
     Parameter     Description
     Profile       This is the AFM profile created from Wizard. This defines the primary and secondary authentication mechanism and other related configurations.
     Processreq    This is used by AFM.
  If you are using the second approach (Step ), then you need to configure the AssertionConsumerServiceURL property in the saml_config.properties file. This property specifies the URL where the SAML response (generated after authentication) has to be posted back.
  After the user’s authentication request is processed, AFM generates a SAML response and sends it back to the Service Provider’s application. The Service Provider’s application needs to verify this response. You may need to configure the following properties based on your SAML Service Provider implementation:
  ■ SignSamlAssertionOnly: Specify whether the complete SAML response or only the assertion part of the response needs to be signed.
  ■ CanonicalizationMethod: Specify the canonicalization method that is applied to the SAML response before signing it.
■ settings.jsp: This JSP is used to enable end users to update their credentials. The workflow defined in this JSP updates the credentials of the user. When you integrate this JSP in your application, ensure that a link to this JSP is displayed to the end user only after successful authentication. Use the following format for the URL that leads to this JSP:
  /arcotafm/settings.jsp?profile=<profile-name>
  This URL must also include a signed SAML request in the query parameter.
■ masterEnrollment.jsp: The workflow defined in this JSP enrolls the user for the configured AuthMinder credentials. This is done after authenticating the user with LDAP, OTP, or both, depending on the configuration. If a profile has been configured in the AFM wizard, then to enroll the user for the credentials configured in the profile, ensure that a request parameter is sent from your application to this JSP in the following format:
  arcotafm/masterEnrollment.jsp?profile=<profile-name>
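The Service Provider Initiated table above names the SigAlg, Signature, SAMLRequest and RelayState parameters but leaves their construction to "the SAML Protocol". The following Python block is an added example, not code from the CA Adapter package or the AFM JSPs, showing both sides of that exchange as the SAML 2.0 HTTP-Redirect binding defines it: the SP DEFLATE-compresses and base64-encodes the AuthnRequest, signs the URL-encoded string "SAMLRequest=...&RelayState=...&SigAlg=..." in exactly that order, and the receiver rebuilds that string from the raw query as sent (never re-encoding it) and refuses SigAlg values it does not allow before checking the signature. The AuthnRequest, profile name and endpoint URL are constructed; Profile and Processreq are appended as ordinary unsigned parameters, which is an assumption since the page does not say how AFM treats them; and because the standard library has no RSA, the signing primitive is passed in as a callable, with a keyed digest standing in for it in the demo.

```python
"""SP-initiated request for master.jsp over the SAML HTTP-Redirect binding (added example)."""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import zlib
from typing import Callable
from urllib.parse import quote, unquote, urlencode

Signer = Callable[[bytes], bytes]           # data -> raw signature bytes
Verifier = Callable[[bytes, bytes], bool]   # (data, raw signature) -> valid?

# SigAlg URIs defined by XML-DSig for the two common RSA choices.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed AuthnRequest; the SP URL is a placeholder, not a real endpoint.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>'
)


def encode_saml_request(xml: str) -> str:
    """SAMLRequest value for the Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_string(saml_request: str, relay_state: str | None, sig_alg: str) -> str:
    """The octets the Signature covers: URL-encoded values in the fixed order
    SAMLRequest, RelayState (only if present), SigAlg."""
    parts = ["SAMLRequest=" + quote(saml_request, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts)


def build_redirect_query(xml: str, relay_state: str | None, extra_params: dict[str, str],
                         sig_alg: str, sign: Signer) -> str:
    """Service Provider side: the query string to send to master.jsp."""
    to_sign = signed_string(encode_saml_request(xml), relay_state, sig_alg)
    signature = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    # Signature and the AFM-specific parameters (Profile; Processreq, whose value
    # the page does not give, is left to the caller) follow the signed part. Assumption.
    tail = urlencode({"Signature": signature, **extra_params}, quote_via=quote)
    return to_sign + "&" + tail


def extract_signed_string(raw_query: str) -> tuple[str, str, str]:
    """Receiver side: rebuild the signed string from the query exactly as sent.
    Values stay URL-encoded as received; re-encoding could change the bytes
    ('+' vs '%20', upper- vs lower-case hex) and break a valid signature."""
    raw: dict[str, str] = {}
    for pair in raw_query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value
    for required in ("SAMLRequest", "SigAlg", "Signature"):
        if required not in raw:
            raise ValueError(f"missing {required}")
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    return "&".join(parts), unquote(raw["SigAlg"]), unquote(raw["Signature"])


def verify_redirect_query(raw_query: str, verify: Verifier,
                          allowed_algs: tuple[str, ...] = (RSA_SHA256,)) -> bool:
    """Reject malformed input and disallowed SigAlg values before trusting the signature."""
    try:
        to_verify, sig_alg, signature_b64 = extract_signed_string(raw_query)
        data = to_verify.encode("ascii")
        raw_sig = base64.b64decode(signature_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    if sig_alg not in allowed_algs:
        return False
    return verify(data, raw_sig)


# Demo stand-in for the RSA signature (no RSA in the standard library): a keyed
# digest with a constructed key. Production code signs with the SP's RSA private
# key and verifies with the certificate configured on the AFM side.
_DEMO_KEY = b"constructed-demo-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)


if __name__ == "__main__":
    query = build_redirect_query(SAMPLE_AUTHN_REQUEST, "opaque-state-123",
                                 {"Profile": "ConstructedProfile"}, RSA_SHA256, demo_sign)
    print(query[:80] + "...")
    print("verified:", verify_redirect_query(query, demo_verify))
```

The default allow-list accepts only RSA-SHA256; the sample application in the previous chapter is documented as using SHA1withRSA, so pass allowed_algs=(RSA_SHA1,) explicitly when you must interoperate with it, and keep the list as short as your Service Providers require.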
Chapter 12: Verifying Adapter Integration
This chapter covers the following topics:
■ Verifying the State Manager Configuration (see page 99)
■ Verifying the AFM Configuration (see page 100)
■ Verifying the Authentication Shim Configuration (see page 100)
■ Verifying SiteMinder Integration (see page 101)
■ Verifying SAML Integration (see page 101)
Verifying the State Manager Configuration
To test the State Manager configuration:
1. Restart the application server where State Manager is installed.
2. Access State Manager by using the following URL:
   http[s]://host_name:port_number/arcotsm/index.jsp
   Replace host_name and port_number with the host name and port of the system where you have deployed State Manager. The State Manager Operations page opens.
3. Click Create token.
   A sample token is created.
4. Open the arcotsm.log file, which is available on the system where State Manager is hosted. The default location of this log file is:
   AFM_HOME\logs
5. Search for the following lines in the log file, which indicate that State Manager is configured successfully:
   Servlet com.arcot.integrations.toksvr.server.TokenCreator starting up
   ...
   Servlet com.arcot.integrations.toksvr.server.TokenRemover starting up
   ...
   Servlet com.arcot.integrations.toksvr.server.TokenReader starting up
Verifying the AFM Configuration
To test the AFM configuration:
Note: If AFM and State Manager are deployed on the same application server and if State Manager is started after AFM, then an error message might get recorded in the log. You can ignore this error because it does not affect the functioning of AFM or State Manager.
1. Open the arcotafm.log file, which is available on the system hosting the AFM application. The default location of this log file is:
   AFM_HOME\logs
2. Search for the following lines in the log file, which indicate that AFM is configured successfully:
   WebFort 7.1 Authentication SDK initialized successfully.
   WebFort 7.1 Issuance SDK initialized successfully.
Verifying the Authentication Shim Configuration
To test the Authentication Shim configuration:
1. Open the arcotadaptershim.log log file available in the <auth_shim_installation_dir>\logs directory.
   Note: By default, the installer does not create this file. It is generated when the Authentication Shim receives the first authentication request.
2. Search for the following entry in the log file, which indicates that Authentication Shim is configured successfully:
   Logger initialized
   STARTING [Authentication Shim 2.2.9.0 ]
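The three verification sections above each reduce to "search the log for these lines". The following Python checker is an added example, not part of the CA Adapter package, that scans arcotsm.log, arcotafm.log and arcotadaptershim.log for exactly the markers the sections quote, reports which are missing, and lists error-level lines for review (the AFM section says one ordering-related error is ignorable, but gives no text for it, so the checker flags rather than filters). It also handles the case the Authentication Shim note describes, where the log file does not exist until the first authentication request. The sample log lines are constructed, not real product output.

```python
"""Check Adapter component logs for the start-up markers the guide lists (added example)."""
from __future__ import annotations

import re
from pathlib import Path

# Markers quoted in the "Verifying ..." sections of this chapter. The shim line
# ends in a build number, so it is matched as a pattern rather than a literal.
SHIM_START_PATTERN = r"STARTING \[Authentication Shim 2\.2\.9\.\d+\s*\]"
EXPECTED_MARKERS = {
    "arcotsm.log": [
        "Servlet com.arcot.integrations.toksvr.server.TokenCreator starting up",
        "Servlet com.arcot.integrations.toksvr.server.TokenRemover starting up",
        "Servlet com.arcot.integrations.toksvr.server.TokenReader starting up",
    ],
    "arcotafm.log": [
        "WebFort 7.1 Authentication SDK initialized successfully.",
        "WebFort 7.1 Issuance SDK initialized successfully.",
    ],
    "arcotadaptershim.log": [
        "Logger initialized",
        re.compile(SHIM_START_PATTERN),
    ],
}
ERROR_RE = re.compile(r"\b(ERROR|FATAL|SEVERE)\b|Exception")

# Constructed sample log lines (timestamps and the error line are invented).
SAMPLE_SM_LOG = """\
2024-01-01 10:00:01 INFO  Servlet com.arcot.integrations.toksvr.server.TokenCreator starting up
2024-01-01 10:00:01 INFO  Servlet com.arcot.integrations.toksvr.server.TokenRemover starting up
2024-01-01 10:00:02 INFO  Servlet com.arcot.integrations.toksvr.server.TokenReader starting up
""".splitlines()
SAMPLE_AFM_LOG = """\
2024-01-01 10:00:05 INFO  WebFort 7.1 Authentication SDK initialized successfully.
2024-01-01 10:00:05 ERROR Connection to State Manager refused (constructed line)
""".splitlines()
SAMPLE_SHIM_LOG = ["Logger initialized", "STARTING [Authentication Shim 2.2.9.0 ]"]


def _matches(marker, line: str) -> bool:
    return marker.search(line) is not None if isinstance(marker, re.Pattern) else marker in line


def check_log(log_name: str, lines: list[str]) -> dict[str, list[str]]:
    """Return {'missing': markers not seen, 'error_lines': lines worth a look}."""
    markers = EXPECTED_MARKERS[log_name]
    seen = [False] * len(markers)
    error_lines: list[str] = []
    for line in lines:
        for i, marker in enumerate(markers):
            if not seen[i] and _matches(marker, line):
                seen[i] = True
        if ERROR_RE.search(line):
            error_lines.append(line.rstrip())
    missing = [m.pattern if isinstance(m, re.Pattern) else m
               for m, ok in zip(markers, seen) if not ok]
    return {"missing": missing, "error_lines": error_lines}


def component_ok(log_name: str, lines: list[str]) -> bool:
    """True when every marker the guide lists for this log was found."""
    return not check_log(log_name, lines)["missing"]


def check_log_file(log_name: str, logs_dir: str) -> dict[str, list[str]]:
    """Read <logs_dir>\\<log_name>, e.g. AFM_HOME\\logs or <auth_shim_installation_dir>\\logs."""
    path = Path(logs_dir) / log_name
    if not path.is_file():
        # arcotadaptershim.log is only created on the first authentication request.
        return {"missing": ["log file not found: " + str(path)], "error_lines": []}
    return check_log(log_name, path.read_text(errors="replace").splitlines())


if __name__ == "__main__":
    for name, sample in (("arcotsm.log", SAMPLE_SM_LOG), ("arcotafm.log", SAMPLE_AFM_LOG),
                         ("arcotadaptershim.log", SAMPLE_SHIM_LOG)):
        result = check_log(name, sample)
        print(name, "OK" if not result["missing"] else "MISSING " + str(result["missing"]))
        for line in result["error_lines"]:
            print("  review:", line)
```

Run check_log_file for each component on the host that owns that log; a "missing" entry for arcotafm.log combined with an error line that mentions State Manager is the situation the note above describes, and the thing to check first is the start order of the two applications.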
Verifying SiteMinder Integration
To test the SiteMinder integration:
Note: For testing purposes, the protected resource in SiteMinder is configured to use the ArcotID workflow. If you have configured the protected resource for any other authentication mechanism, then you will not see the same FCC pages described in this section.
1. Restart the application server where AFM is installed.
2. Restart SiteMinder Policy Server and Web Agent services.
3. From the end-user's system, access the protected resource that you configured in SiteMinder.
   The FCC page opens.
4. Enter the user name existing in the User Directory configured in SiteMinder.
5. Click Continue.
   If the user is not enrolled for ArcotID PKI authentication, then the AFM User Enrollment page opens.
If you see the AFM page, it indicates that you have successfully configured Adapter with SiteMinder.
Verifying SAML Integration
To test the SAML integration by using SAML sample application:
1. From the end-user's system, launch a new instance of the Web browser and access the main page of sample application by using the following URL:
   http[s]://host_name:port_number/samlsampleapp/
   Replace host_name and port_number with the host name and port of the system where you have deployed sample application.
   The main page of sample application opens.
2. Click the Banking Account link.
   The Arcot Authentication page that opens depends on the authentication workflow that you have configured.
If you see the AFM page, it indicates that you have successfully configured Adapter with SAML sample application.
Chapter 13: Uninstalling Adapter
Before you uninstall Adapter, you should remove its database schema and then proceed with the uninstallation process. After you complete the uninstallation, you must perform the post-uninstallation tasks to clean up the residual WAR files.
This chapter guides you through the steps for uninstalling Adapter and its components.
This chapter covers the following topics:
■ Dropping the Adapter Schema (see page 103)
■ Uninstalling Adapter (see page 104)
■ Post-Uninstallation Steps (see page 105)
Dropping the Adapter Schema
Note: If for some reason, you need to retain the database, then do not proceed with the instructions in this section. You can start with the uninstallation instructions in the section, Uninstalling Adapter (see page 104).
Perform the following tasks to uninstall the Adapter database schema:
1. Based on the database that you are using, navigate to one of the following subdirectories:
   For MS SQL Server: <state_manager_installation_dir>\dbscripts\mssql\
   For MySQL: <state_manager_installation_dir>\dbscripts\mysql\
   For Oracle: <state_manager_installation_dir>\dbscripts\oracle\
2. Run the drop-adapter-statemanager-2.2.9.sql script.
Uninstalling Adapter
To uninstall Adapter, you must remove the components installed during the installation process. Perform the following steps on the systems where you have installed Adapter components:
1. Navigate to the following directory:
   Installation_dir\Uninstall Arcot Adapter 2.2.9
2. Double-click the Uninstall Arcot Adapter 2.2.9.exe file.
   The Uninstall Options screen opens.
3. On the Uninstall Options screen, do one of the following:
   ■ If you would like to uninstall all components of Adapter from the current system:
     1. Select Complete Uninstall.
     2. Click Next to continue and proceed with Step 6.
   ■ If you would like to uninstall only the selected components of Adapter from the current system:
     1. Select Uninstall Specific Features.
     2. Click Next to continue.
        The Choose Product Features screen is displayed. Go to Step 4.
4. The Choose Product Features screen displays the Adapter components that are installed on the current system.
   Check the components you wish to uninstall.
5. Click Next to proceed.
6. In the Backup Location screen, click Choose to select the location where you want to back up the configuration and log files.
7. Click Uninstall to begin the uninstallation process.
   After the software is uninstalled successfully, the Uninstallation Complete screen opens with a success message.
8. Click Done to exit the wizard.
Post-Uninstallation Steps
You need to perform the following post-uninstallation steps to ensure that all Adapter components are removed:
1. If the installation directory (<installation_dir>) exists, delete it.
   Note: If multiple CA products are installed on this system, then delete this directory only if Adapter is the last product to be uninstalled.
2. Uninstall the following WAR files from the appropriate subdirectory in the application server installation directory. Refer to the application server vendor documentation for detailed information on uninstalling the WAR files.
   ■ arcotafm.war: Authentication Flow Manager
   ■ arcotsm.war: State Manager
   ■ ArcotAFMWizard.war: Arcot Configuration Wizard application
   ■ Sample application WAR files:
     ■ samlsampleapp.war: The main sample application.
     ■ bankapp.war: The sample bank application.
     ■ insuranceapp.war: The sample insurance application.
   Note: You have to locate these files on the system where you have deployed the particular component.
Appendix A: Adapter File System Structure
Adapter installs the directories and files listed in the following table.
Important! In addition to the directories and files discussed in the following table, you will also see the adapterkey and arcotkey files in the Arcot Systems directory. These files are used by the installer to detect any previously installed CA product. If these files are deleted, the installer will not be able to detect if any CA product was previously installed. As a result, it will allow new installations to be performed in any location and will not be able to ensure the same destination directory for multiple CA products. In such cases, the products might not work as expected. However, these files have no impact on patches and upgrade.
Component: Authentication Flow Manager
  Location: <installation_dir>\adapterAFM
  Files: Contains the WAR files and the following subdirectory:
    ■ certs: Stores the keystore and truststore files that AFM requires.
      Note: These key store and trust store files are bundled with the package for testing purposes only. You can use these files to enable two-way SSL communication between AFM and State Manager.
  Location: <installation_dir>\docs
  Files: Contains the AFM Java documents.
Component: State Manager
  Location: <installation_dir>\adapterStateManager
  Files: Contains the following subdirectories:
    ■ certs: Stores the keystore and truststore files that State Manager requires.
      Note: These key store and trust store files are bundled with the package for testing purposes only. You can use these files to enable two-way SSL communication between State Manager, Authentication Shim, and AFM.
    ■ mssql: Stores the State Manager’s WAR file and the JDBC drivers for MS SQL Server.
    ■ mysql: Stores the State Manager’s WAR file.
    ■ oracle: Stores the State Manager’s WAR file and the JDBC driver for the Oracle Database server.
  Location: <installation_dir>\dbscripts
  Files: Contains the SQL scripts required to create the State Manager schema in the supported database. Contains the following subdirectories:
    ■ mssql: Stores the SQL scripts for creating and dropping database schema in MS SQL Server.
    ■ mysql: Stores the SQL scripts for creating and dropping database schema in MySQL.
    ■ oracle: Stores the SQL scripts for creating and dropping database schema in the Oracle Database server.
Component: AFM Wizard
  Location: <installation_dir>\AFMWizard
  Files: Contains the ArcotAFMWizard.war file that AFM Wizard requires.
Component: Authentication Shim (applicable for SiteMinder integration)
  Location: <installation_dir>\adapterSiteMinder\certs
  Files: Contains the default root CA certificate, client certificate, and client key files in .PEM format.
    Note: These certificates are bundled with the package for testing purposes only. You can use these files to enable two-way SSL communication between Authentication Shim and State Manager.
  Location: <installation_dir>\adapterSiteMinder\lib
  Files: Contains the following files:
    ■ ArcotLog2FileSC.dll: Log library file
    ■ ArcotSiteMinderAdapter.dll: Authentication Shim library file
    ■ vcredist_x86.exe: Microsoft re-distributable package
  Location: <installation_dir>\conf
  Files: Contains adaptershim.ini that specifies the Authentication Shim configuration parameters.
Component: FCC Pages (applicable for SiteMinder integration)
  Location: <installation_dir>\adapterSiteMinder\fcc
  Files: Contains the FCC pages and the following subdirectories:
    ■ css: Stores a style sheet file called arcot-enrollment.css.
    ■ fonts: Stores the fonts used by the FCC pages.
    ■ images: Stores the logo and other image files used by the FCC pages.
    ■ js: Stores a JavaScript file called ArcotAdapterIntegration.js.
    The fcc directory contains the following files:
    ■ shim.fcc: This page accepts the username and LDAP password as input for authenticating the user. This FCC page is used in One-Page login scenarios.
    ■ shim2.fcc: This page accepts the username, which is used for further processing. This FCC page is used in Two-Page login scenarios. In these scenarios, the LDAP password is collected by the shimfinal2.fcc page. In addition, this page collects the username when authentication, risk evaluation, or both are performed by Authentication Shim.
    ■ shimerror.fcc: This page is displayed if an error occurs during authentication.
    ■ shimfinal.fcc: This page is used by AFM to redirect the user back to the Policy Server after authentication, risk evaluation, or both based on the authentication workflow.
    ■ shimfinal2.fcc: This page collects the LDAP password of the user for authentication. It is used in the Two-Page login scenarios, where the SiteMinder authentication is performed after the risk evaluation.
    ■ shimunknownuser.fcc: This page is displayed if you access the FCC pages directly and not as a result of redirection.
    ■ shimerror.unauth.html: This page is displayed if the user enters incorrect credentials and exceeds the maximum number of login attempts that SiteMinder allows.
Component: Sample Applications
  Location: <installation_dir>\sampleApplications
  Files: Contains the following sample application WAR files:
    ■ bankapp.war
    ■ insuranceapp.war
    ■ samlsampleapp.war
    ■ customapp.war
Component: Common Files and Directories
  Location: <installation_dir>\ext-license
  Files: Contains the third-party software licenses used by Adapter.
  Location: <installation_dir>\logs
  Files: Contains the log files. It also contains the following subdirectory:
    ■ backup: Stores the rolled over log files of Authentication Shim.
  Location: <installation_dir>\Uninstall Arcot Adapter 2.2.9
  Files: Contains the files required for uninstalling Adapter.
Appendix B: Configuration Files and Options
This appendix discusses the configuration files that Adapter uses and the parameters that you can configure in these files. The following configuration files are available in Adapter:
■ State Manager Properties File (see page 113)
■ AFM Properties File (see page 118)
■ SAML Properties File (see page 138)
■ Authentication Shim Properties File (see page 140)
Note: When updating any of the configuration files, ensure that you uncomment the
parameters that you want to configure.
State Manager Properties File
To manually configure the State Manager properties, perform the following steps:
1. Navigate to the following directory on the system where you have installed State Manager:
AFM_HOME\conf\afm\
2. Open the arcotsm.properties file in a text editor.
The properties file contains the RiskMinder parameters, as described in the following table.
Parameter: RiskFortHOST.1, RiskFortHOST.2
Required/Optional: RiskFortHOST.1 is Required; RiskFortHOST.2 is Optional
Used By: SiteMinder
Description: Specify the IP address or the Fully Qualified Distinguished Name (FQDN) of RiskMinder Server.

Parameter: RiskFortPORT.1, RiskFortPORT.2
Required/Optional: RiskFortPORT.1 is Required; RiskFortPORT.2 is Optional
Used By: SiteMinder
Description: Specify the port where RiskMinder Server is listening to the incoming requests.
Default value: 7680

Parameter: RiskFortTRANSPORT_TYPE
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the protocol for RiskMinder Server.
Note: CA recommends that the communication between State Manager and RiskMinder must be over SSL. Refer to the CA RiskMinder Installation and Deployment Guide for more information on how to configure RiskMinder for SSL.
Default value: TCP

Parameter: RiskFortCA_CERT_FILE
Required/Optional: Optional, Required only if RiskFortTRANSPORT_TYPE=SSL
Used By: SiteMinder
Description: Specify the complete path of the certification authority (CA) certificate file for RiskMinder Server. The file must be in .PEM format.

Parameter: RiskFortCLIENT_P12_FILE
Required/Optional: Optional, Required only if RiskFortTRANSPORT_TYPE=SSL
Used By: SiteMinder
Description: Specify the path of the PKCS 12 file that contains the key and certificate of the client that communicates with RiskMinder Server. This establishes two-way SSL between the RiskMinder client and server.

Parameter: RiskFortCLIENT_P12_PASSWORD
Required/Optional: Optional, Required only if RiskFortTRANSPORT_TYPE=SSL
Used By: SiteMinder
Description: Specify the password for the PKCS 12 file specified in the RiskFortCLIENT_P12_FILE parameter.

Parameter: RiskFortCONNECTION_TIMEOUT
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the time (in milliseconds) before RiskMinder Server is considered unreachable.
Default value: 30000 (30 seconds)

Parameter: RiskFortREAD_TIMEOUT
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the maximum time (in milliseconds) allowed for a response from RiskMinder Server.
Default value: 30000 (30 seconds)

Parameter: RiskFortCONNECTION_RETRIES
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the maximum number of retries allowed to connect to the RiskMinder Server.
Default value: 3

Parameter: RiskFortUSE_CONNECTION_POOLING
Required/Optional: Optional
Used By: SiteMinder
Description: Specify whether the connection pooling with RiskMinder Server is enabled or disabled.
Possible values are:
■ 1: Enabled
■ 0: Disabled
Default value: 1

Parameter: RiskFortMAX_ACTIVE
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the maximum number of connections that can exist between State Manager and RiskMinder Server. The number of connections should not exceed this value.
Default value: 32

Parameter: RiskFortTIME_BETWEEN_CONNECTION_EVICTION
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the time (in milliseconds) after which the connection eviction thread is executed to check and delete any idle RiskMinder Server connection.
Default value: 900000 (90 seconds)

Parameter: RiskFortIDLE_TIME_OF_CONNECTION
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the time (in milliseconds) after which an idle RiskMinder Server connection is closed.
Default value: 1800000 (3 minutes)

Parameter: RiskFortWHEN_EXHAUSTED_ACTION
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the behavior when the maximum number of supported connections has been exhausted.
Default value: BLOCK
The following table describes the token-related parameters.

Parameter: TokenMaxInactivitySeconds
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the time (in seconds) for which the token can be idle after an operation is performed on it. If there is no action on the token within this period, the token becomes unusable.
Default value: 900 (15 minutes)

Parameter: TokenMaxLifetimeSeconds
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the maximum amount of time (in seconds) for which the token is accessible after it is generated.
Default value: 900 (15 minutes)

Parameter: TokenCleanupIntervalSeconds
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the frequency (in seconds) at which the expired tokens are checked and deleted from the database.
Default value: 30

Parameter: TSMClass
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the class implementing the type of storage mechanism to be used for State Manager. By default, State Manager uses a JDBC database.
Default value: com.arcot.integrations.toksvr.server.tsmimpl.iBatisTSMImpl
The following table describes the database connectivity parameters.
Parameter: DbType
Required/Optional: Required
Used By: SAML, SiteMinder
Description: Specify the type of database applicable to all database connections. Set the value of this parameter to mssqlserver, mysql, or oracle.

Parameter: AutoRevert
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify whether or not the system attempts to reconnect to the primary database after a failover occurs. Set AutoRevert=1 if you have a backup database configured and if you want the server to reconnect to the primary database after it has switched to the backup database.
Default value: 1

Parameter: AppServerConnectionPoolName.n
Required/Optional: Required
Used By: SAML, SiteMinder
Description: If the database connection pooling of the application server is used, then specify the JNDI name used to look up the connection pool object. A pool by this JNDI name must be created in the containing application server, and sufficient privileges must be given to State Manager for it to use the connection pool.
For example, configure this property in Apache Tomcat, as shown:
AppServerConnectionPoolName.1=java:comp/env/jdbc/ArcotStateManagerDataSource1
For other application servers, specify only the JNDI name. For example:
AppServerConnectionPoolName.1=jdbc/ArcotStateManagerDataSource1
If the application server connection pool is not required, then leave this configuration empty.

3. To enforce secure communication between State Manager and other components, ensure that the parameter RequireSecureConnection is set to true, which is also the default value.
State Manager Log File
To configure the log file for State Manager, perform the following steps:
1. Navigate to the following directory on the system where you have installed State Manager:
AFM_HOME\conf\afm\
2. Open the arcotsm-log4j.properties file in a text editor, and set the log information as described in the following table.

Parameter: log4j.appender.smlog.File
Description: Specify the log file name and the location where the State Manager log files must be created. By default, on Apache Tomcat, the State Manager log file name is arcotsm.log and it is created in the AFM_HOME\logs directory.
AFM Properties File
To manually configure the AFM properties, perform the following steps:
1. Navigate to the following directory on the system where you have installed AFM:
AFM_HOME\conf\afm\
2. Open the arcotafm.properties file in a text editor.
The following table describes the State Manager configuration parameters in this properties file:

Most Used State Manager Parameters

Parameter: ArcotSMHostname
Required/Optional: Required
Used By: SAML, SiteMinder
Description: Specify the Fully Qualified Distinguished Name (FQDN) or IP address of State Manager.

Parameter: ArcotSMPort
Required/Optional: Required
Used By: SAML, SiteMinder
Description: Specify the port of the application server where State Manager is deployed.

Parameter: ArcotSMBaseURL
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the URL where State Manager is available.
Default value: arcotsm/servlet
Parameter: ArcotSMSecureConnection
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify whether AFM communicates with State Manager in a secure mode over SSL.
Possible values are:
■ true
■ false
Default value: true

Parameter: ArcotSMTrustStore
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the path where the root SSL certificate of State Manager is present. This parameter is valid if ArcotSMSecureConnection is set to true.
Default value: /certs/tsclient.truststore
Note: This setting is ignored if the JRE parameters javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are set.

Parameter: ArcotSMTrustStorePassword
Required/Optional: Optional (Required, if ArcotSMTrustStore is provided.)
Used By: SAML, SiteMinder
Description: Specify the password of the truststore. This parameter is valid if the SMTrustStore path is provided.
Default value: 123456

Parameter: ArcotSMKeyStore
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the path of the client SSL keystore.
Default value: /certs/tsclient.keystore
Note: This setting is ignored if the JRE parameters javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword are set.

Parameter: ArcotSMKeyStorePassword
Required/Optional: Optional (Required, if ArcotSMKeyStore is provided.)
Used By: SAML, SiteMinder
Description: Specify the password of the keystore.
Default value: 123456

Least Used State Manager Parameters

Parameter: ArcotAFMLandingURL
Required/Optional: Optional
Used By: SiteMinder
Description: This parameter is used by Authentication Shim or other components that redirect the user’s authentication request to AFM to verify whether or not the user’s request was processed with the redirected URL. Specify this parameter only if the application server does not map the URL to the same value that Authentication Shim uses for redirection.
Default value: URL of the Controller JSP that receives HTTPRequest.

Parameter: ArcotSMConnTimeoutMS
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the time (in milliseconds) before State Manager is considered unreachable and the attempt is aborted.
Default value: 15000 (15 seconds)

Parameter: ArcotSMReadTimeoutMS
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the maximum time (in milliseconds) for which AFM must wait for a response from State Manager.
Note: Do not set this parameter to 0, as the client will then wait for a response indefinitely.
Default value: 30000 (30 seconds)

Parameter: ArcotSMMaxRetries
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the maximum number of retries allowed to connect to State Manager.
Default value: 0 (no retries)

Parameter: ArcotSMTestConnAtStartup
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify whether a test token must be created when the Web application starts.
Note: If you are using JRE 1.4.2.x and AFM starts before State Manager, then AFM cannot time out the connection, and cannot start up.
Possible values are:
■ true
■ false
Set this to false if AFM and State Manager are deployed on the same application server, because the application server may hang if the test is run before State Manager is initialized.
Default value: true
The following table describes the AuthMinder Server’s authentication and issuance-related parameters:

Most Used AuthMinder Server Authentication Parameters

Parameter: WebFortauthentication.host.1, WebFortauthentication.host.2
Required/Optional: Optional, Required only if CA AuthMinder is used.
Used By: SAML, SiteMinder, VPN
Description: Specify the FQDN or IP address of AuthMinder Server.

Parameter: WebFortauthentication.port.1, WebFortauthentication.port.2
Required/Optional: Optional, Required only if CA AuthMinder is used.
Used By: SAML, SiteMinder, VPN
Description: Specify the port at which AuthMinder Server is available.
Default value: 9742

Parameter: WebFortauthentication.transport.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the protocol for AuthMinder Server.
Note: CA recommends that the communication between AFM and AuthMinder must be over SSL. Refer to the CA AuthMinder Installation and Deployment Guide for more information on how to configure AuthMinder for SSL.
Possible values are:
■ TCP
■ SSL
Default value: TCP

Parameter: WebFortauthentication.serverCACertPEMPath.1
Required/Optional: Optional, Required only if WebFortauthentication.transport.1=SSL and AuthMinder Server is configured for two-way SSL.
Used By: SAML, SiteMinder, VPN
Description: Specify the complete path of the certification authority (CA) certificate file for AuthMinder Server. The file must be in .PEM format.

Parameter: WebFortauthentication.clientCertKeyP12Path.1
Required/Optional: Optional, Required only if WebFortauthentication.transport.1=SSL and AuthMinder Server is configured for two-way SSL.
Used By: SAML, SiteMinder, VPN
Description: Specify the path of the p12 file that contains the key and certificate of the client communicating with AuthMinder Server. This establishes two-way SSL between the AuthMinder client and server.

Parameter: WebFortauthentication.clientCertKeyPassword.1
Required/Optional: Optional, Required only if WebFortauthentication.transport.1=SSL and AuthMinder Server is configured for two-way SSL.
Used By: SAML, SiteMinder, VPN
Description: Specify the client key pair password to open the p12 file specified in the WebFortauthentication.clientCertKeyP12Path.1 parameter.

Parameter: WebFortpool.lifo
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Determines whether or not the pool returns idle objects in last-in-first-out (LIFO) order.
Possible values are:
■ true: Idle objects are returned in LIFO order
■ false: Idle objects are not returned in LIFO order
Default: false

Parameter: WebFortpool.numPreCreate
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the number of connections to be created during pool initialization.
Default: 0

Parameter: WebFortpool.numConnectFailuresToTriggerFailover
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the number of consecutive connection failures required to fall back to another pool.
Default: 1

Least Used AuthMinder Server Authentication Parameters

Parameter: WebFortpool.maxactive
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum number of connections that can exist between AFM and AuthMinder Server. The number of connections should not exceed this value.
Default value: 32

Parameter: WebFortpool.maxIdle
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum number of idle connections that can be established between SDK and AuthMinder Server.
Default value: 16

Parameter: WebFortpool.maxWaitTimeMillis
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum amount of time (in milliseconds) that a request waits to establish the connection. The default value of -1 indicates that the thread will wait indefinitely.
Default value: -1

Parameter: WebFortpool.minEvictableIdleTimeMillis
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the minimum amount of time a connection might be idle in the pool before it is evicted by the idle connection evictor, if any. The default value of -1 indicates that the idle connection would not be evicted.
Default value: -1

Parameter: WebFortpool.timeBetweenEvictionRunsMillis
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: The amount of time (in milliseconds) to sleep before checking the pool to evict the idle connections. The default value of -1 indicates that there would not be any connection eviction.
Default value: -1

Parameter: WebFortauthentication.connectionTimeout.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the time (in milliseconds) before AuthMinder Server is considered unreachable.
Default value: 10000 (10 seconds)

Parameter: WebFortauthentication.readTimeout.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum time (in milliseconds) allowed for a response from AuthMinder Server.
Default value: 30000 (30 seconds)
Note: A value of 0 results in the request waiting for a connection indefinitely.
Most Used AuthMinder Server Issuance Parameters

Parameter: WebFortissuance.host.1, WebFortissuance.host.2
Required/Optional: Optional, Required only if CA AuthMinder is used.
Used By: SAML, SiteMinder, VPN
Description: Specify the FQDN or IP address of the server hosting the AuthMinder Issuance service.

Parameter: WebFortissuance.port.1, WebFortissuance.port.2
Required/Optional: Optional, Required only if CA AuthMinder is used.
Used By: SAML, SiteMinder, VPN
Description: Specify the port at which the server hosting the AuthMinder Issuance service is available.
Default value: 9742

Parameter: WebFortissuance.transport.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the protocol for the AuthMinder Issuance service.
Note: CA recommends that the communication between AFM and AuthMinder must be over SSL. Refer to the CA AuthMinder Installation and Deployment Guide for more information on how to configure AuthMinder for SSL.
Possible values are:
■ TCP
■ SSL
Default value: TCP

Parameter: WebFortissuance.serverCACertPEMPath.1
Required/Optional: Optional, Required only if WebFortissuance.transport.1=SSL
Used By: SAML, SiteMinder, VPN
Description: Specify the complete path of the CA certificate file for AuthMinder Server. The file must be in .PEM format.

Parameter: WebFortissuance.clientCertKeyP12Path.1
Required/Optional: Optional, Required only if WebFortissuance.transport.1=SSL and AuthMinder Server is configured for two-way SSL.
Used By: SAML, SiteMinder, VPN
Description: Specify the path of the p12 file that contains the key and certificate of the client communicating with AuthMinder Server. This would establish two-way SSL between the AuthMinder client and server.

Parameter: WebFortissuance.clientCertKeyPassword.1
Required/Optional: Optional, Required only if WebFortissuance.transport.1=SSL and AuthMinder Server is configured for two-way SSL.
Used By: SAML, SiteMinder, VPN
Description: Specify the client key pair password for the p12 file specified in the WebFortissuance.clientCertKeyP12Path.1 parameter.

Least Used AuthMinder Server Issuance Parameters

Parameter: WebFortissaunce.connectionTimeout.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the time (in milliseconds) before AuthMinder Server is considered unreachable.
Default value: 10000 (10 seconds)

Parameter: WebFortissuance.readTimeout.1
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum time (in milliseconds) allowed for a response from AuthMinder.
Default value: 30000 (30 seconds)
The following table describes the User Data Service (UDS) parameters. These settings control how AFM communicates with UDS.

Parameter: uds.connection.pool.count
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum number of connections maintained by AFM with the UDS Web service at any given time.
Default value: 20

Parameter: uds.ssl.keystore.path
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the absolute path to the two-way SSL keystore for UDS.

Parameter: uds.ssl.keystore.password
Required/Optional: Optional, Required only if the uds.ssl.keystore.path parameter is set.
Used By: SAML, SiteMinder, VPN
Description: Specify the password for the UDS keystore.

Parameter: uds.ssl.truststore.path
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the absolute path to the two-way SSL truststore for UDS.

Parameter: uds.ssl.truststore.password
Required/Optional: Optional, Required only if the uds.ssl.truststore.path parameter is set.
Used By: SAML, SiteMinder, VPN
Description: Specify the password for the UDS truststore.

UDS Web Services Parameters

Parameter: uds.user.management.webservice.protocol
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the protocol for connecting to UDS.

Parameter: uds.user.management.webservice.host
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the IP address or the FQDN of UDS.

Parameter: uds.user.management.webservice.port
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the port at which UDS is available.

Parameter: uds.user.management.webservice.urlpattern
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the URL pattern for UDS.
The following table describes the SSL VPN parameters. These settings control how AFM communicates with an SSL-enabled VPN.

Parameter: ssl.vpn.username.form.name
Required/Optional: Required
Used By: VPN
Description: Specify the form parameter name in which the username parameter (collected by AFM) must be passed to the VPN gateway.
Default value: username

Parameter: ssl.vpn.password.form.name
Required/Optional: Required
Used By: VPN
Description: Specify the form parameter name in which the password parameter (collected by AFM) must be passed to the VPN gateway.
Default value: password

Parameter: ssl.vpn.mandatory.form.names
Required/Optional: Optional
Used By: VPN
Description: Specify the form parameter name(s) in which the mandatory (or required) request parameters collected from the SSL VPN must be posted back by AFM to the VPN gateway.
Note: Multiple form parameters can be specified with a comma as the delimiter. For example, if you specify the value as realm,type, then AFM collects both realm and type from the VPN request.
Default value: realm

Parameter: ssl.vpn.posturl.form.name
Required/Optional: Optional (Required, if ssl.vpn.form.post.url is specified.)
Used By: VPN
Description: Specify the form parameter name in which the posturl parameter must be passed to the VPN gateway.
Note: The posturl parameter refers to the URL to which AFM posts the authentication response.
Default value: posturl

Parameter: ssl.vpn.form.post.url
Required/Optional: Optional (Required, if ssl.vpn.posturl.form.name is specified.)
Used By: VPN
Description: Specify the URL to which the authentication response should be posted back.

Parameter: ssl.vpn.errormessage.form.name
Required/Optional: Optional
Used By: VPN
Description: Specify the parameter name from which AFM determines that an error occurred at the VPN end after successful authentication by AFM. In this case, the request is sent back to AFM.
Default value: errormessage
The following table describes the RiskMinder Server-related parameters:

Most Used RiskMinder Parameters

Parameter: RiskFortHOST.1, RiskFortHOST.2
Required/Optional: Optional, Required only if RiskMinder is used in the integrated solution
Used By: SAML
Description: Specify the IP address or the FQDN of RiskMinder Server.

Parameter: RiskFortPORT.1, RiskFortPORT.2
Required/Optional: Optional, Required only if RiskMinder is used in the integrated solution
Used By: SAML
Description: Specify the port at which RiskMinder Server is available.
Default value: 7680

Parameter: RiskFortTRANSPORT_TYPE
Required/Optional: Optional
Used By: SAML
Description: Specify the protocol to connect to RiskMinder Server.
Note: CA recommends that the communication between State Manager and RiskMinder must be over SSL. Refer to the CA RiskMinder Installation and Deployment Guide for more information on how to configure RiskMinder for SSL.
Possible values are:
■ TCP
■ TLS
Default value: TCP

Parameter: RiskFortCA_CERT_FILE
Required/Optional: Optional, Required only if RiskFortTRANSPORT_TYPE=TLS
Used By: SAML
Description: Specify the complete path of the CA certificate file for RiskMinder Server. The file must be in .PEM format.

Parameter: RiskFortAuthAdditionalInputs_<key>
Required/Optional: Optional
Used By: SAML
Description: Specify additional inputs to RiskMinder for risk evaluation. <key> should be replaced with the key name. Only alphanumeric characters can be passed as keys and values for the additional input.
Note: For ISO 8859 character set support, use the addRfAuthAdditionalInputs method of the AbstractStateData class.

Least Used RiskMinder Parameters

Parameter: RiskFortCONNECTION_TIMEOUT
Required/Optional: Optional
Used By: SAML
Description: Specify the time (in milliseconds) before RiskMinder Server is considered unreachable.
Default value: 30000 (30 seconds)

Parameter: RiskFortREAD_TIMEOUT
Required/Optional: Optional
Used By: SAML
Description: Specify the maximum time (in milliseconds) allowed for a response from RiskMinder Server.
Default value: 30000 (30 seconds)

Parameter: RiskFortCONNECTION_RETRIES
Required/Optional: Optional
Used By: SAML
Description: Specify the maximum number of retries allowed to connect to RiskMinder Server.
Default value: 3

Parameter: RiskFortUSE_CONNECTION_POOLING
Required/Optional: Optional
Used By: SAML
Description: Specify whether the connection pooling with RiskMinder Server is enabled or disabled.
Possible values are:
■ 1: Enabled
■ 0: Disabled
Default value: 1

Parameter: RiskFortMAX_ACTIVE
Required/Optional: Optional
Used By: SAML
Description: Specify the maximum number of connections that can exist between State Manager and RiskMinder Server. The number of connections should not exceed this value.
Default value: 32

Parameter: RiskFortTIME_BETWEEN_CONNECTION_EVICTION
Required/Optional: Optional
Used By: SAML
Description: Specify the time (in milliseconds) after which the connection eviction thread is executed to check and delete any idle RiskMinder Server connection.
Default value: 900000 (90 seconds)

Parameter: RiskFortIDLE_TIME_OF_CONNECTION
Required/Optional: Optional
Used By: SAML
Description: Specify the time (in milliseconds) after which an idle RiskMinder Server connection is closed.
Default value: 1800000 (3 minutes)
Note: Ensure that the value of RiskFortTIME_BETWEEN_CONNECTION_EVICTION + RiskFortIDLE_TIME_OF_CONNECTION is less than the firewall connection timeout value.

Parameter: RiskFortWHEN_EXHAUSTED_ACTION
Required/Optional: Optional
Used By: SAML
Description: Specify the behavior when the maximum number of supported connections has been exhausted.
Default value: BLOCK
The following table describes the AFM parameters:

Most Used AFM Parameters

User Browser Resources

Parameter: DeviceIDType
Required/Optional: Optional
Used By: SAML, SiteMinder
Description: Specify the type of cookie that must be stored on the end-user’s system. RiskMinder uses Device ID to register and identify the device that is used by the user during a transaction. The Device ID needs to be set as a cookie on the user’s computer. This cookie can either be an HTTP cookie or a Flash cookie.
Possible values are:
■ httpcookie
■ flashcookie
Default value: httpcookie

User Credential Settings

Parameter: ArcotUserIDType
Required/Optional: Optional
Used By: SiteMinder
Description: Specify the user ID to use for the ArcotID PKI authentication and risk evaluation.
Possible values are:
■ LoginID: Indicates that the user ID entered in the authentication page is used for risk evaluation and ArcotID PKI authentication.
■ FullDN: Indicates that the disambiguated user ID is used for risk evaluation and ArcotID PKI authentication.
Default value: LoginID

Lifecycle Settings

Parameter: MigrationMessageDisplayTimeLimit
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the time limit in milliseconds for displaying the migration success message to the user before it proceeds further.
Default value: 6000

Parameter: EnrollSuccessDisplayTimeLimit
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the time limit in milliseconds for displaying the enrollment success message to the user before it proceeds further.
Default value: 6000

Parameter: FailureMessageDisplayTimeLimit
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the time limit in milliseconds for displaying the failure message to the user (in case of any credential expiry, locked, or disabled credential) before redirecting back to the caller.
Default value: 6000

Parameter: ProvisionAOTPPageURL
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the URL to issue ArcotID OTP through a mobile device.
Default value: /arcotafm/controller_aotp.jsp

Parameter: EnrollSuccessPageURL
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the path of the page that must be displayed after successful user enrollment. This parameter is valid only when the returnurl parameter is not present in the request. It is useful when a user is going through the registration workflow and not the migration workflow. You must specify this parameter for SiteMinder direct enrollment.
Default value: /arcotafm/success.jsp

Notification Settings

Parameter: sms.service.impl
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the implementation class for the SMS Service Provider. This class should implement the com.arcot.integrations.frontend.SMSService interface.
Important! By default, this parameter is set to use the ClickATell SMS Service, which is provided for testing purposes only. CA recommends that you do not use the default settings for production deployments.

Parameter: email.service.impl
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the implementation class for the email Service Provider. This class should implement the com.arcot.integrations.frontend.EmailService interface.
Important! By default, this parameter is set to use the ClickATell SMS Service, which is provided for testing purposes only. CA recommends that you do not use the default settings for production deployments.

Parameter: email.from.address
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the sender’s email ID.
Default value: Do_Not_Reply@arcot.com

Parameter: email.from.name
Required/Optional: Required
Used By: SAML, SiteMinder, VPN
Description: Specify the sender’s name.
Default value: Authentication Flow Manager

Parameter: email.smtp.host.name
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the FQDN or IP address of the server hosting the SMTP email service.

Parameter: email.smtp.user.name
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the user name to access the SMTP email service.

Parameter: email.smtp.user.password
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the password to access the SMTP email service.

Parameter: email.smtp.isauth
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify whether or not user authentication is required to send email notification.

The following table describes the Utility parameters:

Parameter: StopActionMode
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: This option enables you to stop the automatic posting or redirecting of the AFM pages. The pages then include a button that you must click to proceed to the next page.
Possible values are:
■ true
■ false
Default value: false

Parameter: MaxStateMachineLoopCount
Required/Optional: Optional
Used By: SAML, SiteMinder, VPN
Description: Specify the maximum number of loops allowed in the state machine before an error is thrown to indicate an infinite loop condition.
Default value: 100
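The following script is an added example and is not part of this guide or of the Adapter product: it reads an arcotsm.properties and an arcotafm.properties file and reports the conditions this appendix describes (required parameters, parameters that become required once a transport is SSL/TLS, the shipped default truststore and keystore password, the test-only ClickATell notification service, a read timeout of 0, and the eviction-plus-idle-time versus firewall timeout note). The sample property text, the host names, the firewall timeout of 30 minutes, and the assumption that the ClickATell class name contains "ClickATell" are all constructed for the example.

```python
"""Added example (not part of the CA Adapter guide): a pre-deployment check of
arcotsm.properties (State Manager) and arcotafm.properties (AFM) against the rules
in Appendix B: required keys, keys that become required once a transport is
SSL/TLS, shipped default passwords, test-only notification providers, and the
eviction-plus-idle-time versus firewall timeout note. Samples are constructed."""
import re

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")  # key, '='/':' separator, value


def parse_properties(text):
    """Return {key: value}; '#' and '!' lines are comments, so a commented-out
    parameter is absent (hence the guide's 'uncomment the parameters' note)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_riskminder(props, firewall_timeout_ms):
    """RiskFort* keys are shared by both files (State Manager says SSL, AFM says TLS)."""
    findings = []
    if props.get("RiskFortTRANSPORT_TYPE", "TCP").upper() not in ("SSL", "TLS"):
        findings.append("RiskFortTRANSPORT_TYPE is TCP: RiskMinder traffic is unencrypted")
    else:
        if not props.get("RiskFortCA_CERT_FILE"):
            findings.append("RiskFortCA_CERT_FILE is required for an SSL/TLS transport")
        if props.get("RiskFortCLIENT_P12_FILE") and not props.get("RiskFortCLIENT_P12_PASSWORD"):
            findings.append("RiskFortCLIENT_P12_PASSWORD is required with RiskFortCLIENT_P12_FILE")
    # Guide defaults: eviction run every 900000 ms, idle connection closed after 1800000 ms.
    eviction = int(props.get("RiskFortTIME_BETWEEN_CONNECTION_EVICTION", "900000"))
    idle = int(props.get("RiskFortIDLE_TIME_OF_CONNECTION", "1800000"))
    if eviction + idle >= firewall_timeout_ms:
        findings.append("eviction interval + idle time is not below the firewall timeout")
    return findings


def check_state_manager(props, firewall_timeout_ms):
    """Findings for arcotsm.properties; an empty list means nothing was flagged."""
    findings = [f"{k} is required" for k in ("RiskFortHOST.1", "RiskFortPORT.1", "DbType")
                if not props.get(k)]
    if props.get("DbType", "oracle") not in ("mssqlserver", "mysql", "oracle"):
        findings.append("DbType must be mssqlserver, mysql, or oracle")
    if props.get("RequireSecureConnection", "true").lower() != "true":  # default true
        findings.append("RequireSecureConnection is not true")
    return findings + check_riskminder(props, firewall_timeout_ms)


def check_afm(props, firewall_timeout_ms):
    """Findings for arcotafm.properties; an empty list means nothing was flagged."""
    findings = [f"{k} is required" for k in ("ArcotSMHostname", "ArcotSMPort")
                if not props.get(k)]
    if props.get("ArcotSMSecureConnection", "true").lower() != "true":
        findings.append("ArcotSMSecureConnection is false: AFM to State Manager is not over SSL")
    for key in ("ArcotSMTrustStorePassword", "ArcotSMKeyStorePassword"):
        if props.get(key) == "123456":  # the documented shipped default
            findings.append(f"{key} is the shipped default 123456")
    if props.get("ArcotSMReadTimeoutMS") == "0":
        findings.append("ArcotSMReadTimeoutMS=0 makes AFM wait for State Manager indefinitely")
    for svc in ("WebFortauthentication", "WebFortissuance"):
        if not props.get(f"{svc}.host.1"):
            continue  # that AuthMinder service is not configured in this file
        if props.get(f"{svc}.transport.1", "TCP").upper() != "SSL":
            findings.append(f"{svc}.transport.1 is TCP: AuthMinder traffic is unencrypted")
        elif not props.get(f"{svc}.serverCACertPEMPath.1"):
            findings.append(f"{svc}.serverCACertPEMPath.1 is required for SSL")
    for key in ("sms.service.impl", "email.service.impl"):
        if "clickatell" in props.get(key, "").lower():  # assumption: class name says so
            findings.append(f"{key} still points at the test-only ClickATell service")
    if props.get("RiskFortHOST.1"):  # RiskMinder is optional in this file
        findings += check_riskminder(props, firewall_timeout_ms)
    return findings


# Constructed samples; hosts and paths are placeholders, not values from the guide.
SAMPLE_SM = """
RiskFortHOST.1=riskminder.example.internal
RiskFortPORT.1=7680
RiskFortTRANSPORT_TYPE=SSL
#RiskFortCA_CERT_FILE=/certs/riskminder-ca.pem
RequireSecureConnection=false
DbType=postgres
"""
SAMPLE_AFM = """
ArcotSMHostname=sm.example.internal
ArcotSMPort=8443
ArcotSMTrustStorePassword=123456
ArcotSMReadTimeoutMS=0
WebFortauthentication.host.1=authminder.example.internal
WebFortauthentication.transport.1=TCP
sms.service.impl=com.example.ClickATellSmsSample
"""

if __name__ == "__main__":  # a 30-minute firewall idle timeout is assumed
    print(check_state_manager(parse_properties(SAMPLE_SM), 1800000))
    print(check_afm(parse_properties(SAMPLE_AFM), 1800000))
```

Run it against real files by reading AFM_HOME\conf\afm\arcotsm.properties and arcotafm.properties instead of the samples, and pass the idle timeout of the firewall that sits between AFM or State Manager and RiskMinder Server.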
AFM Log File
To configure the log file for AFM, perform the following steps:
1. Navigate to the following directory on the system where you have installed AFM:
AFM_HOME\conf\afm\
2. Open the arcotafm-log4j.properties file in a text editor, and set the log information, as described in the following table:

Parameter: log4j.appender.afmout.File
Description: Specify the log file name and the location where the AFM log files must be created. By default, on Apache Tomcat, the AFM log file name is arcotafm.log and it is created in the AFM_HOME\logs directory.
SAML Properties File
To manually configure the SAML properties, perform the following steps:
1. Navigate to the following directory on the system where you have installed AFM:
AFM_HOME\conf\afm\
2. Open the saml_config.properties file in a text editor.
3. Make changes in the properties file by setting the parameters, as described in the following table.

SamlIssuer (Required)
Specify an identifier for the Issuer of the SAML response that is making the claim(s) in the assertion. This property sets the SAML <ISSUER> tag. For example, ArcotCSSO.

SamlStartLag (Optional)
Specify the time (in milliseconds) used to calculate the NotBefore time of an assertion. This is used in the condition when a valid assertion gets rejected because of skew between the clocks of the IdP and the SP.
Default value: 0

SamlResponseValidity (Optional)
Specify the time (in milliseconds) for which the SAML response issued by AFM is valid.
Default value: 300000 (5 minutes)

SignSamlAssertionOnly (Optional)
Specify whether the complete SAML response or only the assertion part of the response needs to be signed. If the complete response needs to be signed, set this property to false.
Default value: true (only the SAML assertion is signed)

CanonicalizationMethod (Optional)
Specify the canonicalization method that is applied to the SAML response before signing it.
Default value: ALGO_ID_C14N_EXCL_WITH_COMMENTS

SignatureMethod (Optional)
Specify the signing algorithm used to sign the SAML response.
Default value: ALGO_ID_SIGNATURE_RSA_SHA1

Audience (Optional)
Specify the comma-separated (,) list of identifiers that can use the SAML response for taking any access decisions. If not specified, then only the issuer is added to the audience in the SAML response.

AssertionConsumerServiceURL (Optional)
Specify the URL to which the SAML response (generated after authentication) is redirected. If the Service Provider does not send this in the SAML request, then this property must be configured. If the incoming SAML request has a value for AssertionConsumerServiceURL, then that takes precedence over the configured value.

LogoutResponseRedirectURL (Optional)
Specify the URL where the SAML logout response is sent after completing the logout procedure. This is not required if the logout request is processed through the Web service.

SamlIDPKeyStore (Required)
Specify the absolute or relative path of the Identity Provider's key store file on the file system. This file has both the private key and certificate that are used to sign the SAML response.
The syntax to specify the relative path is:
/samlcerts/IDP.keystore

SamlIDPKeyStoreAlias (Required)
Specify an alias of the private key and certificate stored in the Identity Provider's keystore.
Default value: arcotadapter

SamlIDPKeyStorePassword (Required)
Specify the password for the keystore of the Identity Provider.
Default value: 123456

SamlSPTrustStore (Optional; required if SamlSPSignVerifyCert is configured)
Specify the absolute or relative path of the trust store file of the Service Provider. This file has a certificate that is used to verify the signed SAML requests from the Service Provider.
The syntax to specify the relative path is:
/samlcerts/SP.truststore

SamlSPTrustStoreAlias (Optional; required only if SamlSPTrustStore is configured)
Specify the alias with which the certificate is stored in the truststore of the Service Provider.
Default value: arcotadapter

SamlSPTrustStorePassword (Optional; required only if SamlSPTrustStore is configured)
Specify the password for the truststore of the Service Provider.
Default value: 123456

SamlSPSignVerifyCert (Optional; required if SamlSPTrustStore is configured)
Specify the absolute or relative path of the X.509 certificate of the Service Provider. This is used to verify the signed SAML requests from the Service Provider.
The syntax to specify the relative path is:
/samlcerts/spcert.cer
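The following script is an added example and is not part of the CA Adapter distribution. It reads a saml_config.properties file with the parameter names from the table above, works out the NotBefore/NotOnOrAfter window that SamlStartLag and SamlResponseValidity produce for an assertion, and lists the settings a reviewer would want changed before go-live (the documented default keystore password 123456, the RSA-SHA1 signature method, an assertion-only signature, an empty Audience, and a trust store configured without its certificate or vice versa). The sample properties, the epoch-millisecond issue instant and the audit rules are this example's own; the page only documents the parameters and their defaults.

```python
"""Audit an AFM saml_config.properties file and work out the assertion time window.

Added example, not CA's code. Parameter names and defaults come from the SAML
Properties File table; the checks and the window arithmetic are this example's
own reading of those parameters.
"""

# Constructed sample: the documented defaults as shipped, so the audit has
# something to report. Not taken from any real deployment.
SAMPLE_PROPERTIES = """\
# saml_config.properties (constructed sample)
SamlIssuer=ArcotCSSO
SamlStartLag=0
SamlResponseValidity=300000
SignSamlAssertionOnly=true
CanonicalizationMethod=ALGO_ID_C14N_EXCL_WITH_COMMENTS
SignatureMethod=ALGO_ID_SIGNATURE_RSA_SHA1
SamlIDPKeyStore=/samlcerts/IDP.keystore
SamlIDPKeyStoreAlias=arcotadapter
SamlIDPKeyStorePassword=123456
SamlSPTrustStore=/samlcerts/SP.truststore
SamlSPTrustStoreAlias=arcotadapter
SamlSPTrustStorePassword=123456
SamlSPSignVerifyCert=/samlcerts/spcert.cer
"""

DOCUMENTED_DEFAULT_PASSWORD = "123456"   # the default the table lists for both keystores


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            props[line] = ""
            continue
        sep = min(cuts)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def validity_window(props, issue_ms):
    """NotBefore and NotOnOrAfter (epoch milliseconds) for an assertion issued at
    issue_ms. SamlStartLag is subtracted from the issue time, so an SP whose clock
    runs slightly behind the IdP still sees the assertion as already valid;
    SamlResponseValidity is added to give the expiry."""
    start_lag = int(props.get("SamlStartLag", "0"))
    validity = int(props.get("SamlResponseValidity", "300000"))
    return issue_ms - start_lag, issue_ms + validity


def sp_accepts(props, issue_ms, sp_clock_ms):
    """Would an SP whose clock reads sp_clock_ms accept the time conditions?"""
    not_before, not_on_or_after = validity_window(props, issue_ms)
    return not_before <= sp_clock_ms < not_on_or_after


def audit(props):
    """Findings a reviewer would raise before the file goes to production."""
    findings = []
    for key in ("SamlIDPKeyStorePassword", "SamlSPTrustStorePassword"):
        if props.get(key) == DOCUMENTED_DEFAULT_PASSWORD:
            findings.append(f"{key} is still the documented default; set a unique password")
    if props.get("SignatureMethod", "ALGO_ID_SIGNATURE_RSA_SHA1").endswith("RSA_SHA1"):
        findings.append("SignatureMethod is RSA-SHA1; prefer a SHA-256 method if this "
                        "adapter version and the SP support it")
    if props.get("SignSamlAssertionOnly", "true").lower() == "true":
        findings.append("SignSamlAssertionOnly=true leaves the Response element unsigned; "
                        "set it to false if the SP checks the response signature")
    if not props.get("Audience"):
        findings.append("Audience is empty, so only the issuer is placed in the audience restriction")
    # The table makes each of these two conditional on the other, so they go together.
    has_store, has_cert = bool(props.get("SamlSPTrustStore")), bool(props.get("SamlSPSignVerifyCert"))
    if has_store != has_cert:
        findings.append("SamlSPTrustStore and SamlSPSignVerifyCert must be configured together")
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit(cfg):
        print("-", finding)
    issued = 1_700_000_000_000                    # constructed issue instant, epoch ms
    print("accepted by an SP 30 s behind the IdP:", sp_accepts(cfg, issued, issued - 30_000))
```

With the defaults, an SP whose clock is 30 seconds behind the IdP rejects the assertion because its NotBefore equals the issue instant; setting SamlStartLag to 60000 moves NotBefore a minute earlier and the same SP accepts it, which is the skew case the table describes.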
Authentication Shim Properties File
The Authentication Shim configurations are performed in the adaptershim.ini file. This
file defines the configuration parameters that must be set for Adapter and SiteMinder
to communicate with each other. The file is available at the following location on the
system where you have installed Authentication Shim:
<installation_dir>\conf
The section [arcot/integrations/smadapter/Default] contains the parameters that you
need to set according to the authentication workflow that you want to use. The
following table explains the parameters of this section.
PasswdSvcUserAtt (Optional)
Specify a valid LDAP attribute of string type which has read-write access. This attribute must not be used by any other application.
Note: This parameter is required only for authentication workflows using LDAP and when the password services are enabled in SiteMinder.

DisambigSchemeLib (Optional)
Specify the DLL library name of an authentication scheme to use for user disambiguation.
Note: This parameter does not support the refresh option. This means that if you switch to use Adapter authentication, then you must restart the SiteMinder Policy Server.

DisambigSchemeParam (Optional)
Specify the parameter string to pass to the disambiguation authentication scheme. This must be structured the same way that the SiteMinder Policy Server would build the string from the configuration parameters for the scheme.

AuthSchemeLib (Optional)
Specify the library name of an authentication scheme to use as a backing scheme for primary authentication.
Note:
– This parameter does not support the refresh option. This means that if you switch to use Adapter authentication, then you must restart the SiteMinder Policy Server.
– This parameter is not used for the delegated authentication scenario.

AuthSchemeParam (Optional)
If you have configured a backing authentication scheme, this parameter is passed as the configuration string to the backing authentication scheme. This parameter must be set to have the same content that the SiteMinder Policy Server would set from the scheme configuration dialog. You can determine this by examining the scheme setup dialog boxes in the SiteMinder Policy Server administration interface. As you change parameters, the dialog box shows the parameter that the SiteMinder Policy Server would send.
Note: This parameter is not used for the delegated authentication scenario.

ArcotSMBaseURL (Required)
Specify the URL where State Manager is available. The syntax to specify the State Manager URL is:
https://host_name:port_number/arcotsm/servlet/

ArcotSMRetries (Optional)
Specify the maximum number of retries allowed to connect to State Manager. If this value is 0, it signifies that only one connection attempt is allowed.
Default value: 0

ArcotSMResponseWait (Required)
Specify the time period (in seconds) for which Authentication Shim will wait for State Manager to respond before logging an error.
Default value: 5

ArcotSMTrustedRootPEM (Required, if HTTPS is enabled)
Specify the location of the certificate of the trusted root certificate authority, if State Manager is enabled for HTTPS. The file must be in .PEM format.

ArcotSMClientSSLCert (Required, if HTTPS is enabled)
Specify the location of the client-side SSL certificate, if State Manager is enabled for HTTPS. The file must be in .PEM format.

ArcotSMClientPrivateKey (Required, if HTTPS is enabled)
Specify the private key of the client in .PEM format, if State Manager is enabled for HTTPS. The file must be in .PEM format.

ArcotAFMLandingURL (Required)
The controller JSP URL of AFM.
Note: Although you can use multiple sample flows, you can configure only one ArcotAFMLandingURL per section.

UseCustomizationEngineAuth (Optional)
Specify whether AFM is used to perform authentication.
Default value: false

InitialPhasePrimaryAuth (Optional)
Specify whether to perform LDAP authentication before risk evaluation or after. This parameter is applicable if UseCustomizationEngineAuth is set to false.
Default value: true (LDAP authentication is performed before risk evaluation.)

ErrorPageURL (Required)
Specify the URL of the error FCC page. This page is displayed to the user in case of an error.

InitialFCCURL (Required)
Specify the URL of the initial FCC page served to the user. Authentication Shim reports this URL to SiteMinder during initialization. When the user attempts to access a protected resource and authentication is required, SiteMinder directs the user to this page. Depending on the authentication workflow, the page can collect information, such as the username or username and password.

FinalFCCURL (Required)
Specify the URL that is used by AFM to forward the control back to Authentication Shim. AFM retrieves this URL from the token.
Configuring Global Information
The global Authentication Shim configuration parameters are available in the GLOBAL
SETUP section of the adaptershim.ini file. The following table describes the parameters
of the [arcot/integrations/smadapter] section.
WatchInterval (Required)
Specify the polling interval (in seconds) for Authentication Shim to use for monitoring the configuration file. Authentication Shim allows configuration changes without restarting SiteMinder Policy Server. It monitors the configuration file at this interval and if the file has changed, it reloads the configuration.
Default value: 300

ShimIdentifierString (Optional)
Specify a unique identifier for the Authentication Shim instance. The value that you specify is appended with the section name to create an identifier.

LogSupported (Required)
Specify whether to enable logging for Authentication Shim. Set this to 1 if you want to enable logging, or set this value to 0 to disable logging.

MultipleUserDirectoriesSupported (Optional)
Specify whether to enable multiple user directory support. If this parameter is set to 1, then multiple user directory support is enabled.
Default value: 0 (disabled)

UserStatusFlag (Optional)
Specify the user attribute in the directory server used by SiteMinder to store the user's status.
Note: This parameter is required to enable detailed logging of user status in SiteMinder audit logs and Authentication Shim logs. The value of this parameter must match the value specified for the Disabled Flag(RW) attribute under the User Attributes tab in the SiteMinder User Directory Dialog.

SmApiVersion (Optional)
Specify the supported version of the SiteMinder API. Supported versions are:
■ 300
■ 400
■ 401
Default value: 400
Note: If you change this value, restart the Policy Server for the changes to take effect.

SMPSLogEnabled (Optional)
Specify whether to enable logging to the SiteMinder Policy Server log. Set the value to 1 to enable logging to the SiteMinder Policy Server log, or to 0 to disable it.
Default value: 0 (disabled)

SMTraceLogEnabled (Optional)
Specify whether to enable logging to the SiteMinder trace log. Set the value to 1 to enable logging to the SiteMinder trace log, or to 0 to disable it.
Default value: 0 (disabled)
Configuring the Log Information
Authentication Shim generates log messages as a part of its operation to support error
reporting, auditing, and debugging. The level of details logged by Authentication Shim
can be configured.
All Authentication Shim log messages, except trace messages, are written to the
SiteMinder Policy Server log file (smps.log). All trace messages are logged in the files
that are configured in SiteMinder Policy Server.
All entries that are logged in the smps.log file are also logged in the Adapter log file
(arcotadaptershim.log). However, the level of message details in the Adapter log file is
determined by the HandleLevel parameter.
The log-related parameters are in the LOGGING SETUP section of the adaptershim.ini
file. The log-related topics are described in the following subsection.
Setting Up Log Parameters
The following table describes the log parameters defined in the
[arcot/integrations/smadapter/LogLibraryn] section.
DLLName (Optional)
Specify the name of the library file that performs the logging.
Note: Do not specify the suffix of the file name, because it is automatically added during run time.
Default value: ArcotLog2FileSC

HandleLevel (Optional)
Specify the log level, which defines the details that must be included in the log messages. Messages with the specified severity level and higher levels are logged. For example, if the value is set to 2, then the messages of severity level 2 to 7 are logged.
Supported values are:
■ 1=low
■ 2=info
■ 3=notice
■ 4=warning
■ 5=error
■ 6=alert
■ 7=fatal
Default value: 3

EntryPoint (Optional)
Specify the function within the library that must be called to get a handle to the logging object.
Note: This is fixed for a given log handler DLL.
Default value: CreateFileLogHandler

ParamSupported (Optional)
Specify the number of parameters to pass to the logging object.
Default value: 4

Param1=LOG_FILE_NAME (Optional)
Specify the name and location of the log file.
Default value: <installation_dir>\logs\arcotadaptershim.log

Param2=LOG_FILE_ROLLOVER_INTERVAL (Optional)
Specify how often you want to roll over the log file to a backup file.
Supported values are:
■ HOURLY
■ DAILY
■ WEEKLY
■ MONTHLY
Note: The LOG_FILE_ROLLOVER_INTERVAL parameter and the MAX_LOG_FILE_SIZE parameter (described in the next row) are mutually exclusive. If you set one of these parameters, then you must comment the other one. The LOG_FILE_ROLLOVER_INTERVAL parameter is commented by default.

Param2=MAX_LOG_FILE_SIZE (Optional)
Specify the maximum size of the log file. This is an alternative way to indicate rollover, if the rollover interval is not set. The size is expressed in bytes.
For example:
Param3=MAX_LOG_FILE_SIZE=10000000
The above value indicates that the size of the log file is approximately 10 MB.
Note: If this parameter is set to 0, the log file will continue to grow indefinitely. In addition, the MAX_LOG_FILE_SIZE parameter and the LOG_FILE_ROLLOVER_INTERVAL parameter (described in the previous row) are mutually exclusive. If you set one of these parameters, then you must comment the other one. The MAX_LOG_FILE_SIZE parameter is enabled by default.

Param3=BACKUP_LOG_FILE_LOCATION (Optional)
Specify the complete path where the backup log file is stored. The path provided must be valid.
Default value: <installation_dir>\logs\backup

Param4=LOG_LINE_FORMAT (Optional)
Specify the format of the logging string. This indicates the attributes that will be logged on each line of the file.
Note: If this parameter is not set, the legacy format will be used.
Supported values are:
■ LTZ=System Timezone, Date, and Time
■ SEV=Severity
■ PID=ProcessID
■ TID=ThreadID
■ MID=MessageIDNumber
■ MSG=Log Message Text
■ LID=LoggingID
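The following script is an added example and is not part of the CA Adapter distribution. It reads an adaptershim.ini and applies, before the Policy Server reloads the file, the rules the three adaptershim.ini tables above state for the [arcot/integrations/smadapter/Default] section, the GLOBAL SETUP section and the LogLibraryn section: the required keys, the three .PEM files that become required once ArcotSMBaseURL uses HTTPS, the 0/1 flags and SmApiVersion values, the HandleLevel range, and the rule that LOG_FILE_ROLLOVER_INTERVAL and MAX_LOG_FILE_SIZE must not both be active. The sample file, its host names, paths and placeholder page names are constructed; CA ships no such checker.

```python
"""Sanity-check an adaptershim.ini before the Policy Server reloads it.

Added example, not CA's code. Section and parameter names come from the three
adaptershim.ini tables; the rules (required keys, HTTPS dependencies, value
ranges, the rollover/size exclusion) are this example's reading of them.
Hosts and paths in the sample are constructed placeholders.
"""
import re

DEFAULT_SECTION = "arcot/integrations/smadapter/Default"
GLOBAL_SECTION = "arcot/integrations/smadapter"
LOGLIB_RE = re.compile(r"^arcot/integrations/smadapter/LogLibrary\d+$")
REQUIRED_DEFAULT = ("ArcotSMBaseURL", "ArcotSMResponseWait", "ArcotAFMLandingURL",
                    "ErrorPageURL", "InitialFCCURL", "FinalFCCURL")
REQUIRED_HTTPS = ("ArcotSMTrustedRootPEM", "ArcotSMClientSSLCert", "ArcotSMClientPrivateKey")
FLAGS = ("LogSupported", "MultipleUserDirectoriesSupported", "SMPSLogEnabled", "SMTraceLogEnabled")

# Constructed sample with two deliberate mistakes: State Manager is reached over
# HTTPS but ArcotSMClientSSLCert is missing, and both rollover controls are active.
SAMPLE_INI = """\
[arcot/integrations/smadapter]
WatchInterval=300
LogSupported=1
SmApiVersion=400

[arcot/integrations/smadapter/Default]
ArcotSMBaseURL=https://sm.example.test:8443/arcotsm/servlet/
ArcotSMResponseWait=5
ArcotSMTrustedRootPEM=C:\\Arcot\\conf\\trusted-root.pem
ArcotSMClientPrivateKey=C:\\Arcot\\conf\\client-key.pem
ArcotAFMLandingURL=https://afm.example.test:8443/arcotafm/CONTROLLER_JSP_PLACEHOLDER
ErrorPageURL=/siteminderagent/forms/ERROR_FCC_PLACEHOLDER
InitialFCCURL=/siteminderagent/forms/INITIAL_FCC_PLACEHOLDER
FinalFCCURL=/siteminderagent/forms/FINAL_FCC_PLACEHOLDER

[arcot/integrations/smadapter/LogLibrary1]
HandleLevel=3
Param1=LOG_FILE_NAME=C:\\Arcot\\logs\\arcotadaptershim.log
Param2=LOG_FILE_ROLLOVER_INTERVAL=DAILY
Param2=MAX_LOG_FILE_SIZE=10000000
"""


def parse_ini(text):
    """{section: [(key, value), ...]}; duplicates are kept in order because the
    log section reuses Param2 for two alternatives. ';' or '#' comments a line out."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def log_params(pairs):
    """Expand ParamN=NAME=value entries into {NAME: value}."""
    out = {}
    for key, value in pairs:
        if key.startswith("Param") and key[5:].isdigit() and "=" in value:
            name, val = value.split("=", 1)
            out[name.strip()] = val.strip()
    return out


def check_log_section(name, pairs):
    findings, params = [], log_params(pairs)
    level = dict(pairs).get("HandleLevel", "3")
    if not (level.isdigit() and 1 <= int(level) <= 7):
        findings.append(f"{name}: HandleLevel must be between 1 and 7")
    if "LOG_FILE_ROLLOVER_INTERVAL" in params and "MAX_LOG_FILE_SIZE" in params:
        findings.append(f"{name}: LOG_FILE_ROLLOVER_INTERVAL and MAX_LOG_FILE_SIZE "
                        "are mutually exclusive; comment one of them out")
    interval = params.get("LOG_FILE_ROLLOVER_INTERVAL")
    if interval is not None and interval not in ("HOURLY", "DAILY", "WEEKLY", "MONTHLY"):
        findings.append(f"{name}: LOG_FILE_ROLLOVER_INTERVAL must be HOURLY, DAILY, WEEKLY or MONTHLY")
    if params.get("MAX_LOG_FILE_SIZE") == "0":
        findings.append(f"{name}: MAX_LOG_FILE_SIZE=0 lets the log grow without bound")
    return findings


def check_shim_config(text):
    """Run every check; an empty list means the file passed."""
    sections = parse_ini(text)
    default = dict(sections.get(DEFAULT_SECTION, []))
    glob = dict(sections.get(GLOBAL_SECTION, []))
    findings = [f"Default: {k} is required" for k in REQUIRED_DEFAULT if k not in default]
    if default.get("ArcotSMBaseURL", "").lower().startswith("https://"):
        findings += [f"Default: {k} is required when State Manager uses HTTPS"
                     for k in REQUIRED_HTTPS if k not in default]
    findings += [f"Global: {k} is required" for k in ("WatchInterval", "LogSupported") if k not in glob]
    findings += [f"Global: {k} must be 0 or 1" for k in FLAGS if k in glob and glob[k] not in ("0", "1")]
    if glob.get("SmApiVersion", "400") not in ("300", "400", "401"):
        findings.append("Global: SmApiVersion must be 300, 400 or 401")
    for name, pairs in sections.items():
        if LOGLIB_RE.match(name):
            findings += check_log_section(name, pairs)
    return findings


if __name__ == "__main__":
    for finding in check_shim_config(SAMPLE_INI):
        print("-", finding)
```

Duplicate keys are kept as a list rather than folded into a dict on purpose: folding would silently keep only the last Param2 line and hide exactly the misconfiguration the guide warns about. Run it against a copy of the real file (with the WatchInterval polling in mind, before the Policy Server picks the change up) and fix every finding before restarting.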
Appendix C: Deploying and Configuring the
Custom Application
Adapter is also shipped with a Custom Application, which can be used to verify the user
enrollment and authentication workflows. The Custom Application is a standalone
application and does not require you to integrate it with any other non-adapter
components.
Important! Custom Application must not be used in production deployments. The
Custom Application is provided to demonstrate the AFM workflows.
This appendix covers the following topics:
■ Custom Application Deployment Architecture (see page 149)
■ Deploying the Custom Application WAR Files (see page 150)
■ Verifying the Custom Application Deployment (see page 151)
■ Configuring the Custom Application (see page 152)
Custom Application Deployment Architecture
The following diagram depicts a possible deployment option for the Custom Application and the required Adapter components:
Install and deploy Custom Application and Adapter components as depicted in the preceding diagram.
Deploying the Custom Application WAR Files
To deploy Custom Application:
1. Navigate to the following location:
sample_app_installation_dir\sampleApplications
2. Copy the customapp.war file to your application server. For example, on Apache Tomcat, the location to copy the WAR file is:
application_server_home\webapps
Restart Apache Tomcat to extract the WAR file and to create a folder named customapp under the webapps folder.
Note: Refer to the vendor documentation for instructions on how to deploy on other supported application servers.
3. Copy the customapp.properties file from the place where you ran the AFM Wizard to the following location:
AFM_HOME\conf\afm
4. (Applicable Only for IBM WebSphere 6.1) Perform the following steps to deploy the WAR file on WebSphere 6.1:
a. Log in to the IBM WebSphere administration console.
b. Navigate to Applications -> Install New Application.
c. In the How do you want to install the application section, select the Show me all installation options and parameters option.
d. Click Next.
e. Click Next on the Preparing for the application installation screen.
f. Click Continue on the Application Security Warnings screen.
g. In the Step 1: Select install options screen, select the Precompile JavaServer Pages files option.
h. Click Next.
i. Click Next on the Step 2: Map modules to servers screen.
j. In the Step 3: Provide options to compile JSPs screen, enter the value 15 in the JDK Source level column.
k. Follow the on-screen instructions and complete the deployment.
5. (Applicable Only for IBM WebSphere 6.1) Perform the following steps after you deploy the WAR file:
a. Log in to the IBM WebSphere administration console.
b. Navigate to Applications -> Enterprise Applications -> WebSphere enterprise applications.
c. Click the WAR file link.
d. Click the Class loading and update detection link.
e. In the Class loader order section, select the Classes loaded with local class loader first option.
f. In the WAR class loader policy section, select the Single class loader for application option.
g. Restart IBM WebSphere.
6. (Applicable Only for IBM WebSphere 7.0) Perform the following steps after you deploy the WAR file:
a. Log in to the IBM WebSphere administration console.
b. Navigate to Applications -> Application Types -> WebSphere enterprise applications.
c. Click the WAR file link.
d. Click the Class loading and update detection link.
e. In the Class loader order section, select the Classes loaded with local class loader first (parent last) option.
f. In the WAR class loader policy section, select the Single class loader for application option.
g. Restart IBM WebSphere.
Verifying the Custom Application Deployment
Access the following URL from the end-user's system:
http[s]://host_name:port_number/customapp/
Replace host_name and port_number with the host name and port of the system where you have deployed Custom Application. The main page of Custom Application opens.
If you see the welcome page of Custom Application, it indicates that you have
successfully deployed Custom Application.
Configuring the Custom Application
After deploying Custom Application, you need to configure it before you can test it. To configure Custom Application, perform the following steps:
1. From the end-user's system, access Custom Application in a Web browser window. The default URL for Custom Application is:
http[s]://host_name:port_number/customapp/
The main page of Custom Application opens.
2. Click Setup.
The Custom Application setup page opens.
3. On the setup page, provide the following information:
a. Arcot AFM Protocol: Select a protocol for establishing the communication channel with the application server hosting the AFM.
Note: If you are using ArcotID PKI Flash client, then you must select the https protocol. For more information about ArcotID PKI Flash client, see the CA ArcotID PKI Client Reference Guide available with the CA AuthMinder documentation.
b. Arcot AFM Host: Specify the FQDN or IP address of the application server hosting the AFM.
c. Arcot AFM Port: Specify the port at which the application server hosting the AFM is available.
d. Flow type: Select an AFM profile from the list of available profiles that is displayed in the drop-down list. These profiles would have been created at the time of configuring Adapter. For information about creating AFM profiles, see chapter, "Performing Adapter Configuration Using the Wizard" (see page 45).
4. Click Submit.
The "Setup Successful" message appears.
Testing the Custom Application
To test the Custom Application:
1. From the end-user's system, launch a new instance of the Web browser and access the main page of Custom Application by using the following URL:
http[s]://host_name:port_number/customapp/
Replace host_name and port_number with the host name and port of the system where you have deployed Custom Application.
The main page of Custom Application opens.
2. Click the Custom Application link.
Depending on the Flow Type you selected, you will be redirected to the AFM page for authentication. If you see the AFM page, it indicates that you have successfully configured the Custom Application.
Appendix D: Additional Configurations to
Support LDAP Repository in AuthMinder
This appendix covers the following topics:
■ Creating Organization in LDAP Repository (see page 156)
■ Resolving Credential Types for LDAP Organization (see page 162)
■ Verifying the LDAP Configuration in AuthMinder (see page 162)
Creating Organization in LDAP Repository
You must use CA Administration Console to support LDAP user directories. You must do this after you have successfully configured AuthMinder Server and Administration Console for AuthMinder.
1. Log in to Administration Console as Master Administrator by using the following URL:
http[s]://host_name:port_number/arcotadmin/masteradminlogin.htm
In the preceding URL, host_name indicates the host name or the IP address of the application server where you configured the Administration Console and port_number indicates the port at which the server listens to incoming requests.
2. Create a Global Administrator account and assign only the DEFAULTORG to this administrator.
3. Log out of Administration Console.
4. Access AuthMinder Administration Console for the Global Administrator by using the following URL:
http[s]://host_name:port_number/arcotadmin/adminlogin.htm
5. Provide the organization name as DEFAULTORG and the username and password assigned to the global user account that you created in Step 2.
You will be prompted to reset your password and log in again to the Administration Console.
6. Click the Organizations tab.
7. Under the Manage Organizations section, click the Create Organization link to display the Create Organization page.
8. Enter the details of the organization, as described in the following table.

Organization Information
Organization Name: Enter a unique ID for the organization that you want to create. Ensure that you specify this organization name in the Name (Mapped to LDAP) field described in the "Configuring Adapter by Using the Wizard (see page 48)" section.
Note: You can use Administration Console to log in to this organization, by specifying this value, not the Display Name of the organization.
Display Name: Enter a descriptive name for the organization.
Note: This name appears on all other Administration Console pages and reports.
Description: Provide a description for the administrators who will manage this organization.
Note: You can provide additional details for later reference for the organization by using this field.
Administrator Authentication Mechanism: Select the Basic User Password mechanism to authenticate administrators belonging to this organization.

User Data Location
Repository Type: Select Enterprise LDAP. By specifying this option, the user and administrator details for the new organization will be stored in the LDAP repository that you will specify on the next page.

9. Click Next.
The Create Organization page to collect the LDAP repository details opens.
10. Enter the details, listed in the following table, to connect to the LDAP repository.

Host Name: Enter the host name of the system where the LDAP repository is available.
Port Number: Enter the port number on which the LDAP repository service is listening.
Schema Name: Specify the LDAP schema used by the LDAP repository. This schema specifies the types of objects that an LDAP repository can contain, and specifies the mandatory and optional attributes of each object type.
Typically, the schema name for Active Directory is user and for SunOne Directory server it is inetorgperson.
Base Distinguished Name: Enter the base Distinguished Name of the LDAP repository. This value indicates the starting node in the LDAP hierarchy to search in the LDAP repository. For example, for SunOne Directory server to search or retrieve a user with a DN of cn=rob laurie,dc=Test,dc=Pvt, you must specify the Base Distinguished Name as:
dc=Test,dc=Pvt
Note: Typically, this field is case sensitive and searches all sub-nodes under the provided base DN.
Redirect Schema Name: Specify the name of the schema that provides the definition of the "member" attribute.
You can search for users in the LDAP repository using the Base DN defined for an organization. But this search only returns users belonging to the specific Organization Unit (OU). An LDAP administrator might want to create a group of users belonging to different Organization Units for controlling access to an entire group, and might want to search for users from different groups. When the administrator creates groups, user node DNs are stored in a "member" attribute within the group node. By default, UDS does not allow search and DN resolution based on attribute values. Redirection enables you to search for users belonging to different groups within LDAP, based on specific attribute values for a particular node.
Typically, the redirect schema name for Active Directory is group and for SunOne directory it is groupofuniquenames.
Connection Type: Select the type of connection that you want to use between Administration Console and the LDAP repository. Supported types are:
■ TCP
■ One-way SSL
■ Two-way SSL
Login Name: Enter the complete distinguished name of the LDAP repository user who has the privilege to log into the repository server and manage the Base Distinguished Name. The following example shows how to specify the Login Name for SunOne Directory server:
cn=Directory Manager
Login Password: Enter the password of the user provided in the Login Name.
Server Trusted Root Certificate: Enter the path of the trusted root certificate of the authority that issued the SSL certificate to the LDAP server, by using the Browse button, if the required SSL option is selected.
Client Key Store Path: Enter the path for the key store that contains the client certificate and the corresponding key by using the Browse button, if the required SSL option is selected.
Note: You must upload either PKCS#12 or JKS key store type.
Client Key Store Password: Enter the password for the client key store, if the required SSL option is selected.
1. Click Next to proceed.
The page to map the repository attributes opens.
2. On this page:
a. Select an attribute from the Arcot Database Attributes list, then select the appropriate attribute from the Enterprise LDAP Attributes list that needs to be mapped with the Arcot attribute, and click Map.
Important! Mapping of the USERNAME, EMAILADDR, and TELEPHONENUMBER attributes is compulsory. If you are using SunOne Directory, then map USERNAME to uid, EMAILADDR to mail, and TELEPHONENUMBER to telephoneNumber.
b. Repeat the process to map multiple attributes, until you finish mapping all the required attributes.
Note: You do not need to map all the attributes in the Arcot Database Attributes list. You only need to map the attributes that you will use.
The attributes that you have mapped will be moved to the Mapped Attributes list.
If required, you can unmap the attributes. If you want to unmap a single attribute at a time, then select the attribute and click Unmap. However, if you want to clear the Mapped Attribute list, then click Reset to unmap all the mapped attributes.
3. Click Next to proceed.
The Select Attribute(s) for Encryption page opens.
4. Select the attributes that you want to encrypt, and click Next.
The Add Administrators page opens.
Note: This page is not displayed, if all the administrators currently present in the system have scope to manage all organizations.
5. From the Available Administrators list, select the administrators who will manage the organization and click the > button to add the administrator to the Managing Administrators list.
Note: Assigning organization to administrators can be done at any time by updating the scope of existing administrators or by creating new administrators to manage the organization.
The Available Administrators list displays all the administrators who can manage the new organization.
Note: If some administrators have scope to manage all organizations in the system, then you will not see the corresponding entries for those administrators in this list.
6. The Managing Administrators list displays the administrators that you have selected to manage this organization.
7. Click Next to proceed.
The Activate Organization page opens.
Note: The username attribute cannot be changed or updated after the organization is activated.
8. Click Enable to activate the new organization.
A message box opens prompting whether you want to activate the selected organization.
9. Click OK to complete the process.
10. Refresh the AuthMinder cache for changes to take effect.
Now if you perform a search for organizations, in the search result, you will see the LDAP-based organization you created.
11. Create a user in this organization.
12. Search for the user created in the preceding step and promote that user to Global Administrator (GA).
Book: Refer to the Promoting Users to Administrators section in Chapter 9, "Managing Users and Their Credentials" of CA AuthMinder Administration Guide for more information.
You will need the details of this GA to resolve the credential types for the LDAP-based organization. See "Resolving Credential Types for LDAP Organization" (see page 162) for more information.
13. Log out of the Administration Console.
Resolving Credential Types for LDAP Organization
The authentication requests that are presented to the AuthMinder Server must specify
the type of credential that is to be used to process the request. If a request arrives with
an unknown credential type, AuthMinder resolves it to a password-based mechanism that
it supports. The Credential Type Resolution configuration described here determines
which one, so that plain password requests for the LDAP-based organization are
verified as LDAP passwords.
To resolve the credential types for the LDAP-based organization created in the "Creating
Organization in LDAP Repository" (see page 156) section:
1. Ensure that you are logged in as the Global Administrator (GA) created in the
"Creating Organization in LDAP Repository" (see page 156) section.
2. Activate the Services and Server Configurations tab on the main menu.
3. Ensure that the WebFort tab in the submenu is active.
4. Under the Miscellaneous Configurations section, click the Credential Type
Resolution link to display the Credential Type Resolution Configuration page.
5. In this page:
■ Create a new configuration with a name of your choice, for example, LDAPResolution.
■ In the Resolve Plain to field, select LDAP Password.
6. Save the configuration.
7. Apply this configuration using the Assign Default Configurations page.
Book: Refer to the Assigning Default Configurations section in chapter, "Managing
Global AuthMinder Configurations" of CA AuthMinder Administration Guide for
more information.
Verifying the LDAP Configuration in AuthMinder
To verify the LDAP organization and user configuration:
1. Log in to the AuthMinder Sample Application by using the following URL:
http[s]://host_name:port_number/webfort-7.1-sample-application/
2. In the left pane, click Password -> Authentication -> Complete Password to open
the Password Authentication page.
3. Enter the LDAP user name, organization, and password.
4. Click Authenticate.
The Authentication Response Details page opens.
If you see the details of the LDAP user, it indicates that you have successfully
configured LDAP support in AuthMinder.
Appendix E: Configuring SSL and
Redirection in Apache Tomcat
For security purposes, CA recommends that you enable SSL between different Adapter
components. To do this, you must enable the application server where Adapter
components are deployed for SSL communication.
For testing purposes, you can use the default certificates shipped with the Adapter
package to enable SSL communication between the Adapter components. These
certificates are available in the certs folder of the installation directory. They are for
testing only: the same certificates ship with every copy of the package and their
keystore password is printed in this guide, so replace them with certificates issued by
your own CA before production use.
This appendix walks you through the following topics:
■ Configuring SSL (see page 164)
■ Verifying the SSL Configuration in Tomcat (see page 165)
■ Configuring IIS Server to Tomcat Redirection (see page 165)
Configuring SSL
Authentication Flow Manager (AFM) and State Manager components are installed on
the application server. Therefore, to enable SSL for these components, you have to
configure the application server where these components are deployed for SSL.
To enable Authentication Shim to communicate over SSL, you must set the following
configuration parameters in the adaptershim.ini file:
■ ArcotSMTrustedRootPEM
■ ArcotSMClientSSLCert
■ ArcotSMClientPrivateKey
To enable Apache Tomcat for SSL
Important! If you are integrating Adapter with the SAML-based Web portal, then you
must also perform this task on the Service Provider's system.
1. Browse to the following location on the system where you have installed State
Manager:
state_manager_installation_dir\adapterStateManager\certs
2. Copy the server.keystore file to the system where AFM is installed. For example,
copy this file into a temporary folder called system_drive\Arcot Adapter\certificate.
3. Navigate to the following location on the system where AFM is installed:
Tomcat_root\conf
Note: Tomcat_root refers to the Apache Tomcat installation directory. Refer to the
vendor documentation for instructions on how to deploy on other supported
application servers.
4. Open the server.xml file in a text editor.
5. Search for the following code:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Replace the code with:
<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="system_drive/Arcot Adapter/certificate/server.keystore"
keystorePass="123456" maxThreads="150" port="8443" protocol="HTTP/1.1"
scheme="https" secure="true" sslProtocol="TLS"/>
Note: 123456 is the password of the test keystore shipped with the Adapter package.
If you use your own keystore, which you should in production, set keystoreFile and
keystorePass to its location and password. The password is stored in server.xml in
clear text, so restrict read access to that file to the Tomcat service account and
administrators.
6. (Only for Apache Tomcat 7.x) If you are configuring SSL on Apache Tomcat 7.x, you
might see an error with the default configuration. The cause is the APR (native)
connector: when tcnative-1.dll loads, the connector expects OpenSSL-style certificate
attributes and ignores keystoreFile and keystorePass. In this case, you must:
a. Delete the bin\tcnative-1.dll file.
b. In server.xml, search for and remove the following line:
<Listener
className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
7. Save and close server.xml.
8. Restart Apache Tomcat.
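The following PowerShell script is an added example and is not part of the CA Adapter guide or the Adapter package. It performs steps 3 to 7 of this procedure non-interactively on the AFM system, including the Tomcat 7.x fix in step 6, and leaves the restart in step 8 to the operator. The parameter names ($TomcatRoot, $KeystoreFile, $KeystorePassword, $Port, $Ciphers) are the script's own; it assumes you pass Tomcat_root, the keystore location and a keystore password of your own rather than the shipped 123456, that the Tomcat 7.x JSSE connector attributes sslEnabledProtocols and ciphers are available, and that the default cipher list runs on a Java 8 or later JRE (adjust it to yours). It goes one step beyond the guide on purpose: sslProtocol="TLS" alone enables whatever the JRE enables by default, TLS 1.0 included, so the script also pins the connector to TLS 1.2 and an explicit cipher list.

```powershell
# Added example, not part of the CA Adapter guide or package: performs
# steps 3 to 7 of "To enable Apache Tomcat for SSL" against
# Tomcat_root\conf\server.xml, including the Tomcat 7.x fix in step 6.
# Assumed by this script (not stated by the guide): the caller supplies
# Tomcat_root, the keystore path and a keystore password of their own;
# the Tomcat 7.x JSSE connector attributes sslEnabledProtocols and ciphers
# are available; the default cipher list needs a Java 8 or later JRE.
param(
    [Parameter(Mandatory)] [string] $TomcatRoot,        # e.g. C:\apache-tomcat-7.0.x
    [Parameter(Mandatory)] [string] $KeystoreFile,      # e.g. C:\Arcot Adapter\certificate\server.keystore
    [Parameter(Mandatory)] [string] $KeystorePassword,  # your own password, not the shipped 123456
    [int]    $Port    = 8443,
    [string] $Ciphers = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)

$serverXml = Join-Path $TomcatRoot 'conf\server.xml'
if (-not (Test-Path $serverXml)) { throw "server.xml not found at $serverXml" }

# Keep a copy of the original so the change can be reverted.
Copy-Item -Path $serverXml -Destination "$serverXml.bak" -Force
[xml]$xml = [System.IO.File]::ReadAllText($serverXml)

# Step 6 (Tomcat 7.x only): without tcnative-1.dll and the APR listener,
# Tomcat uses the JSSE connector that understands keystoreFile/keystorePass.
$tcnative = Join-Path $TomcatRoot 'bin\tcnative-1.dll'
if (Test-Path $tcnative) { Remove-Item -Path $tcnative -Force }
$apr = $xml.SelectSingleNode("//Listener[@className='org.apache.catalina.core.AprLifecycleListener']")
if ($apr) { [void]$apr.ParentNode.RemoveChild($apr) }

# Step 5: the shipped HTTPS connector sits inside an XML comment, so a live
# Connector element is created (or an existing one on $Port is reused).
$service = $xml.SelectSingleNode("/Server/Service[@name='Catalina']")
if (-not $service) { throw 'No <Service name="Catalina"> element in server.xml' }
$connector = $service.SelectSingleNode("Connector[@port='$Port']")
if (-not $connector) {
    $connector = $xml.CreateElement('Connector')
    [void]$service.AppendChild($connector)
}

$attributes = [ordered]@{
    port         = "$Port"
    protocol     = 'HTTP/1.1'
    SSLEnabled   = 'true'
    scheme       = 'https'
    secure       = 'true'
    clientAuth   = 'false'
    maxThreads   = '150'
    keystoreFile = ($KeystoreFile -replace '\\', '/')   # Tomcat accepts forward slashes on Windows
    keystorePass = $KeystorePassword
    sslProtocol  = 'TLS'
    # Hardening beyond the guide: sslProtocol="TLS" alone enables whatever the
    # JRE enables by default (TLS 1.0 included), so pin the protocol and ciphers.
    sslEnabledProtocols = 'TLSv1.2'
    ciphers             = $Ciphers
}
foreach ($name in $attributes.Keys) { $connector.SetAttribute($name, [string]$attributes[$name]) }

# Step 7: save. Step 8 (restart Tomcat) is left to the operator.
$xml.Save($serverXml)
Write-Host "Updated $serverXml (backup in $serverXml.bak). Restart Apache Tomcat, then verify https://<host>:$Port/"
```

Run it once per Tomcat instance that hosts AFM (and on the Service Provider's system if you integrate with a SAML-based portal). Because the keystore password ends up in server.xml in clear text, the script does not log it, and server.xml should be readable only by the Tomcat service account and administrators.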
Verifying the SSL Configuration in Tomcat
From the end-user's system, access the following URL:
http[s]://host_name:port_number/
Replace host_name and port_number with the host name and the SSL port that you
configured on the system where you have installed Apache Tomcat (on the system
hosting AFM and if configured on Service Provider’s system). You should see the Apache
Tomcat home page.
Note: Because the certificates shipped with the Adapter package are for testing purposes
only, the browser reports a Certificate Error when you access this page. You can ignore
this error in a test environment. In production, replace the test certificate with one
issued by your CA and treat a certificate error as a configuration problem (wrong
certificate, host name mismatch, or missing CA chain) rather than something to click
through.
Configuring IIS Server to Tomcat Redirection
This section walks you through the process of configuring IIS 7.0 Web Server to
communicate with Apache Tomcat. By enabling this communication channel between
IIS and Tomcat, all JSP requests coming to IIS would be redirected to and processed by
the configured Apache Tomcat application server. To configure redirection in IIS 7.0
Web Server, you must perform the following tasks on the system hosting the SiteMinder
Web Agent:
1. Configuring Properties and DLL Files (see page 166)
2. Creating Registry Entries (see page 167)
3. Configuring IIS Management Console (see page 169)
4. Verifying the IIS Server to Tomcat Redirection Configuration (see page 170)
Important! The instructions given in this section are applicable only for IIS 7.0 Web
Server. If you are using any other version of IIS, then the instructions in this section
might not work as expected.
Configuring Properties and DLL Files
1. Open Notepad and add the following code:
worker.list = worker1
worker.worker1.host=<app_server_IP>
worker.worker1.port=8009
worker.worker1.type=ajp13
2. In the preceding code, provide values for the following parameter:
■ worker.worker1.host: Replace <app_server_IP> with the IP address of the
system where AFM is available.
Note: If JRE is not installed on the Web Agent system, then download and install it
from the following URL:
http://www.java.com/en/download/index.jsp
3. Save the file as workers.properties.
4. Close the workers.properties file.
5. Open Notepad and add the following code:
/arcotafm/*=worker1
/examples/*=worker1
6. Save the file as uriworkermap.properties.
Note: The /examples/* mapping forwards Tomcat's examples web application through
IIS. It is used only by the verification step at the end of this section; remove the line
(and the examples web application from Tomcat) before production use, so that only
/arcotafm/* reaches the application server from IIS.
7. Close the uriworkermap.properties file.
8. Download the tomcat-connectors-1.2.32-windows-x86_64-iis.zip file from the
following URL:
http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/
9. Extract the contents of the zip file.
10. Navigate to the location where you have extracted the contents of the zip file and
copy the isapi_redirect.dll file to a directory. For example, save it in the C:\tomcat
directory.
11. Copy the workers.properties and uriworkermap.properties files to the C:\tomcat
directory.
12. Right-click the tomcat directory and select Properties.
The tomcat properties dialog opens.
13. Click the Security tab.
14. Click Add.
The Select Users or Groups dialog box opens.
15. Enter Network Service in the Enter the object names to select text box.
16. Click Check Names.
17. Click OK.
The Network Service group is added in the Group or user names list.
18. Select the Network Service group in the Group or user names list.
19. In the Permissions for Network Service list, select Full Control.
20. Click OK.
21. Repeat Step 12 to Step 20 to add a new group named IIS_IUSRS with Full Control on
the win32 folder.
Note: Full Control is more than the redirector needs. It only reads isapi_redirect.dll
and the two .properties files and appends to the log file, so for least privilege grant
Read & execute on the directory and Modify on the log file only. A directory that the
application pool identity can write to lets anyone who gains code execution in that
pool replace the filter DLL that IIS loads.
Creating Registry Entries
To create registry entries:
1. Click Start, and select Run.
2. Enter regedit in the Run prompt.
The Registry Editor window opens.
3. Create the following registry key under HKEY_LOCAL_MACHINE\SOFTWARE\:
Apache Software Foundation\Jakarta Isapi Redirector\1.0
4. In the right pane of the Registry Editor window, right-click, point to New, and select
String Value.
5. Name the new String Value as @.
6. In the right pane of the Registry Editor window, right-click, point to New, and select
String Value.
7. Name the new String Value as extension_uri.
8. Double-click extension_uri.
The Edit String dialog box opens.
9. In the Value data field, enter /jakarta/isapi_redirect.dll.
10. Perform the tasks in Step 6 to Step 9 to add the new String Values listed in the
following table.
String Value Name    Value Data
log_file             C:\tomcat\isapi.log
                     Note: Specify the log file location.
log_level            debug
                     Note: Specify the level of logging to perform.
                     Possible values are: debug, info, error, and emerg.
                     Use debug only while you set up the redirection; it records every
                     request, so change it to info or error afterwards.
worker_file          C:\tomcat\workers.properties
                     Note: Specify the complete path to the workers.properties file.
worker_mount_file    C:\tomcat\uriworkermap.properties
                     Note: Specify the complete path to the uriworkermap.properties file.
11. Close the Registry Editor window.
Configuring IIS Management Console
To configure the IIS Server:
1. Launch the Internet Information Services (IIS) Manager application.
2. In the Connections pane, select the server where you have configured the
SiteMinder Web Agent.
3. Switch to the Features View and double-click ISAPI and CGI Restrictions.
4. In the Actions pane, click Add.
The Add ISAPI or CGI Restriction dialog box opens.
5. Provide the following information in the Add ISAPI or CGI Restriction dialog
box:
■ In the ISAPI or CGI path field, browse to the location where the
isapi_redirect.dll file is available.
■ In the Description field, provide a description of the restriction. For example,
enter "tomcat redirector".
■ Select Allow extension path to execute; otherwise IIS will not load the DLL.
6. Click OK.
The new restriction is displayed in the ISAPI and CGI Restrictions workspace.
7. In the Connections pane, select the Default Web Site container.
8. Switch to the Features View and click ISAPI Filters.
9. In the Actions pane, click Add.
The Add ISAPI Filter dialog box opens.
10. Provide the following information in the Add ISAPI Filter dialog box:
■ Filter name: Enter a unique name for the filter, for example, jakarta.
■ Executable: Browse to the location where the isapi_redirect.dll file is stored.
11. Click OK.
The new filter is displayed in the ISAPI Filters workspace.
12. Create a new virtual directory with the following parameters:
Note: Refer to the section, Deploying the FCC Pages (see page 85) for information
about creating a virtual directory in IIS 7.0.
■ Alias: jakarta
■ Physical Path: Browse to the location where the isapi_redirect.dll file is stored
(C:\tomcat).
13. Click OK.
14. In the left pane, click the jakarta folder.
15. Switch to the Features View and click Handler Mappings.
16. In the Extension name field, enter a unique name to identify this Web service. For
example, tomcat.
17. Select the ISAPI-dll and click the Edit Feature Permissions in the Actions pane.
The Edit Feature Permissions dialog box opens.
18. Select the Read, Script, and Execute permissions.
19. Restart IIS.
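The following PowerShell script is an added example and is not from the CA Adapter guide or the Apache Tomcat Connectors distribution. It reproduces what the three preceding subsections (Configuring Properties and DLL Files, Creating Registry Entries, and Configuring IIS Management Console) set up by hand, using the same file names, registry key and value names, and it uses appcmd.exe for the IIS Manager steps. Run it from an elevated PowerShell prompt on the Web Agent system after extracting isapi_redirect.dll into the target directory. The parameter names ($AfmHost, $JkDir, $Site, $LogLevel) are the script's own; it assumes the site's application pool runs as Network Service, which is the IIS 7.0 default and the identity the guide grants permissions to. It departs from the guide in two places on purpose: it grants Read & execute on the directory and Modify on the log file instead of Full Control, and it defaults log_level to info rather than debug.

```powershell
# Added example, not part of the CA Adapter guide or the Tomcat Connectors
# distribution: reproduces "Configuring Properties and DLL Files",
# "Creating Registry Entries" and "Configuring IIS Management Console"
# for IIS 7.0 from an elevated PowerShell prompt on the Web Agent system.
# Assumed (not stated by the guide): isapi_redirect.dll has already been
# extracted into $JkDir, and the site's application pool runs as
# Network Service, the IIS 7.0 default and the identity the guide grants.
param(
    [Parameter(Mandatory)] [string] $AfmHost,   # IP address of the system where AFM runs
    [string] $JkDir = 'C:\tomcat',
    [string] $Site  = 'Default Web Site',
    [ValidateSet('debug', 'info', 'error', 'emerg')] [string] $LogLevel = 'info'
)

$dll = Join-Path $JkDir 'isapi_redirect.dll'
$log = Join-Path $JkDir 'isapi.log'
if (-not (Test-Path $dll)) { throw "isapi_redirect.dll not found in $JkDir" }

# workers.properties: one AJP13 worker pointing at the AFM Tomcat (port 8009).
@"
worker.list=worker1
worker.worker1.host=$AfmHost
worker.worker1.port=8009
worker.worker1.type=ajp13
"@ | Set-Content -Path (Join-Path $JkDir 'workers.properties') -Encoding Ascii

# uriworkermap.properties: /examples/* exists only for the verification
# step that follows; drop it (and Tomcat's examples webapp) for production.
@"
/arcotafm/*=worker1
/examples/*=worker1
"@ | Set-Content -Path (Join-Path $JkDir 'uriworkermap.properties') -Encoding Ascii

# The registry values the redirector reads (same names as the guide's table).
$key = 'HKLM:\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0'
New-Item -Path $key -Force | Out-Null
$values = @{
    extension_uri     = '/jakarta/isapi_redirect.dll'
    log_file          = $log
    log_level         = $LogLevel
    worker_file       = (Join-Path $JkDir 'workers.properties')
    worker_mount_file = (Join-Path $JkDir 'uriworkermap.properties')
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
}

# Least privilege instead of the guide's Full Control: the worker identity
# only reads the DLL and .properties files and appends to the log. A DLL
# directory writable by the application pool would let anyone who gets code
# execution in that pool replace the filter IIS loads.
if (-not (Test-Path $log)) { New-Item -ItemType File -Path $log | Out-Null }
foreach ($identity in 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\IIS_IUSRS') {
    & icacls $JkDir /grant "${identity}:(OI)(CI)RX" | Out-Null
    & icacls $log   /grant "${identity}:M"          | Out-Null
}

# IIS 7.0: the same objects the IIS Manager steps create, through appcmd.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config /section:system.webServer/security/isapiCgiRestriction `
    /+"[path='$dll',allowed='True',description='tomcat redirector']"
& $appcmd set config $Site /section:system.webServer/isapiFilters `
    /+"[name='jakarta',path='$dll']"
& $appcmd add vdir /app.name:"$Site/" /path:/jakarta /physicalPath:$JkDir
& $appcmd set config "$Site/jakarta" /section:system.webServer/handlers `
    /accessPolicy:Read,Script,Execute
& iisreset
```

After it runs, the verification step that follows applies unchanged. If your application pool runs under a different identity, replace NT AUTHORITY\NETWORK SERVICE in the ACL loop with that account; the IIS_IUSRS entry covers the anonymous and authenticated request identities IIS uses.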
Verifying the IIS Server to Tomcat Redirection Configuration
To verify the IIS Server to Tomcat redirection configuration, access the following URL
from the end-user's system:
http[s]://<Web_Agent_hostname>/examples/jsp
Replace <Web_Agent_hostname> with the host name or IP address of the system where
the Web Agent is available. You should see the JSP Samples page.