Required Servers
Server 1: Windows 2003 SP2, Java, JBoss, CA SiteMinder R12 SP1 Policy Server, CA SiteMinder R12 SP1 UI, Sun LDAP 5.2, MS SQL 2005
Server 2: Solaris 10 SPARC, Java, WebSphere 6.1.0.13+, JCE patch, IBM HTTP Server 6.1
Prerequisites:
LDAP
LDAP instance to be used by WebSphere and SiteMinder as the user repository.
Required LDAP entries:
uid=wsadmin,ou=people,dc=ca,dc=com
To be used as the WebSphere admin
uid=tester,ou=people,dc=ca,dc=com
To be used as an application test user
cn=WASaccess,ou=groups,dc=ca,dc=com
Group that grants access to the snoop application
Add tester as a member of this group.
WebSphere 6.1.0.13 or higher
Standard or Deployment Manager
SM WebSphere ASA 6.0 plus CR 6 or higher
smasa-6.0-was-unix.zip
smasa-6.0-cr006-was.zip
Pre-Agent Setup
WebSphere Configurations
Setup WebSphere global security using the same LDAP repository to be used by SiteMinder.
Log in to the WebSphere Admin console using the admin ID created at the time of install. http://
Configure Global security using the LDAP user store.
Expand Security and click on Secure administration, applications, and infrastructure. Click on Security Configuration Wizard.
Select Enable application security
Select Use Java 2 security to restrict application access to local resources
Click Next
Select Standalone LDAP registry, click on Next.
Enter the required info to connect to your LDAP repository. Click Next to continue.
Make note of the Primary administrative user name. You will need it later.
The final screen will be a summary screen. Click on Finish to save changes.
Click Save to implement the updates.
Log out of console to restart WebSphere. You will need to shut down the WebSphere server. Shut down using the following command:
example:
/opt/WebSphere/AppServer/bin/stopServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/WebSphere/AppServer/profiles/AppSrv01/logs/server1/stopServer.log
ADMU0128I: Starting tool with the AppSrv01 profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.
Before you restart the WebSphere environment, it is important to update the security property file to update the admin user and password with the WebSphere Primary administrative user name you used previously. This will allow the start, stop, and communication of WebSphere components without being prompted for the username and password.
On the WebSphere server,
example:
/opt/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props
modify the following lines:
#------------------------------------------------------------------------------
# SOAP Client Security Enablement
#
# - security enabled status ( false[default], true )
#------------------------------------------------------------------------------
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wsadmin
com.ibm.SOAP.loginPassword=password
There is a way to encrypt the password and this can be done by the WebSphere admin if required.
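The soap.client.props edit above is a two-line change, but the file then holds the WebSphere admin password in clear text, so the file mode matters as much as the values. The script below is an added example, not from the original post: it sets the three properties idempotently (rewriting an existing line, even a commented-out one, rather than appending duplicates) and restricts the file to its owner. The function names, the temporary copy and the sample values are illustrative.

```bash
#!/bin/sh
# Added example, not part of the original post: set the three SOAP client
# properties in soap.client.props idempotently and restrict the file mode,
# since the file now carries the WebSphere admin password in the clear.
# File paths and the sample values are illustrative.

set -eu

# set_prop FILE KEY VALUE: rewrite an existing "KEY=..." line (also one that
# is commented out with a leading '#') or append the line if KEY is absent.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}${key}=" "$file"; then
        # escape '/' and '&' so the value is safe inside the sed replacement
        esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
        sed "s/^#\{0,1\}${key}=.*/${key}=${esc}/" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the current value of KEY (empty if unset)
get_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_soap_client FILE USER PASSWORD: apply the settings the post shows,
# then make the file readable by its owner only.
configure_soap_client() {
    set_prop "$1" com.ibm.SOAP.securityEnabled true
    set_prop "$1" com.ibm.SOAP.loginUserid "$2"
    set_prop "$1" com.ibm.SOAP.loginPassword "$3"
    chmod 600 "$1"
}

# Stand-alone demo on a constructed copy of the relevant part of the file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#------------------------------------------------------------------------------
# SOAP Client Security Enablement
#
# - security enabled status ( false[default], true )
#------------------------------------------------------------------------------
com.ibm.SOAP.securityEnabled=false
com.ibm.SOAP.loginUserid=
com.ibm.SOAP.loginPassword=
EOF
    configure_soap_client "$tmp" wsadmin 'CHANGE-ME'
    echo "securityEnabled=$(get_prop "$tmp" com.ibm.SOAP.securityEnabled) loginUserid=$(get_prop "$tmp" com.ibm.SOAP.loginUserid)"
    rm -f "$tmp"
}
demo
```

Run it against the real file with `configure_soap_client /opt/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props wsadmin 'PASSWORD'`. The encoding the post alludes to is WebSphere's own PropFilePasswordEncoder script in the AppServer bin directory, which replaces the value with an XOR-encoded form; that is obfuscation rather than encryption, so the owner-only file mode is still the control that counts.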
Start WebSphere. Start up using the following command:
example:
/opt/WebSphere/AppServer/bin/startServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/WebSphere/AppServer/profiles/AppSrv01/logs/server1/startServer.log
ADMU0128I: Starting tool with the AppSrv01 profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 1827
Log back into the WebSphere Console. A few more changes to the LDAP filters are required.
Expand Security. Click on Secure Administration, application, and infrastructure. Under Available realm definitions, click on Configure.
Next, click under Advanced Lightweight Directory Access protocol (LDAP) user registry settings.
Under General Properties, change the following filters
(This is specific for Sun LDAP using groups)
Group Filter
(&(cn=%v)(objectclass=ldapsubentry)) to
(&(cn=%v)(objectclass=groupofuniquenames))
Group member ID map
nsRole:nsRole to
groupofuniquenames:uniquemember
Click on Apply when completed.
Click on Save to apply changes.
You will need to restart the WebSphere environment again.
./stopServer.sh server1
./startServer.sh server1
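The filter change above only works when the group entry in the directory actually carries the objectclass and member attribute the filter and member ID map name; a mismatch shows up later as a user who authenticates but is never seen as a member of WASaccess. The following is an added example, not from the original post: it writes the Prerequisites entries as LDIF (the post's DNs, with constructed placeholder passwords) and checks that the group entry agrees with the Sun LDAP filter settings just configured. The function names are my own.

```bash
#!/bin/sh
# Added example, not part of the original post: write the prerequisite LDAP
# entries as LDIF and confirm the group entry agrees with the WebSphere group
# filter and member ID map. The DNs are the post's; the userPassword values
# are constructed placeholders to replace before loading.

set -eu

# write_ldif FILE: two users plus the WASaccess group, with tester as a member.
write_ldif() {
    cat > "$1" <<'EOF'
dn: uid=wsadmin,ou=people,dc=ca,dc=com
objectClass: inetOrgPerson
uid: wsadmin
cn: wsadmin
sn: admin
userPassword: CHANGE-ME-wsadmin

dn: uid=tester,ou=people,dc=ca,dc=com
objectClass: inetOrgPerson
uid: tester
cn: tester
sn: tester
userPassword: CHANGE-ME-tester

dn: cn=WASaccess,ou=groups,dc=ca,dc=com
objectClass: groupOfUniqueNames
cn: WASaccess
uniqueMember: uid=tester,ou=people,dc=ca,dc=com
EOF
}

# filter_objectclass FILTER: print the objectclass named in a WebSphere group
# filter such as "(&(cn=%v)(objectclass=groupofuniquenames))", lowercased.
filter_objectclass() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*(objectclass=\([^)]*\)).*/\1/p'
}

# group_matches_filter LDIF GROUP_DN FILTER MEMBER_MAP: 0 when the group entry
# carries the filter's objectclass and the attribute named after the colon in
# the member ID map ("groupofuniquenames:uniquemember"); 1 otherwise.
group_matches_filter() {
    ldif=$1; dn=$2; filter=$3; map=$4
    oc=$(filter_objectclass "$filter")
    attr=$(printf '%s' "${map#*:}" | tr 'A-Z' 'a-z')
    # isolate the entry: from its dn line up to the next blank line
    entry=$(awk -v dn="dn: $dn" '$0 == dn { p = 1 } p && /^$/ { exit } p' "$ldif" | tr 'A-Z' 'a-z')
    printf '%s\n' "$entry" | grep -q "^objectclass: $oc\$" || return 1
    printf '%s\n' "$entry" | grep -q "^$attr: " || return 1
}

# Stand-alone demo: the new Sun LDAP filter settings against the LDIF above.
demo() {
    f=$(mktemp)
    write_ldif "$f"
    if group_matches_filter "$f" 'cn=WASaccess,ou=groups,dc=ca,dc=com' \
        '(&(cn=%v)(objectclass=groupofuniquenames))' 'groupofuniquenames:uniquemember'
    then echo "group entry matches the group filter and member ID map"
    else echo "MISMATCH: fix the filter settings or the group entry"; fi
    rm -f "$f"
}
demo
```

Running the same check with the WebSphere defaults from above (`(&(cn=%v)(objectclass=ldapsubentry))` and `nsRole:nsRole`) fails, which is exactly why those two settings have to be changed for a groupOfUniqueNames group. Load the LDIF with the directory's own client (for Sun DS, `ldapmodify -a` with a bind DN and the file as input) after replacing the placeholder passwords.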
Next, the snoop servlet will have security added
Log into WebSphere Admin console. http://
Expand Applications, select Enterprise Applications. Click on DefaultApplication.
Under Detail Properties, click on Security role to user/group mapping.
By default, snoop has an application role defined named All Role. With the current mapping to Everyone, there are no requirements for access.
You want to change the setting to only allow users who are members of the cn=WASaccess group. Uncheck the Everyone? box. Click on Select and then click on Look up groups.
Under Search String, enter the fully qualified name of the group we will use to control access to snoop: cn=WASaccess,ou=groups,dc=cg,dc=com
Once it is found, it will show up under Available:
Select the group and using the arrow keys, move it to the Selected: box.
Click on OK when done.
Once you are returned to Security role to user/group mapping, the Mapped groups column should display the selected group. Click on OK.
Click on Save to apply the new settings.
Restart the DefaultApplication by clicking on Stop, and upon completion, Start.
You can now test the WebSphere security by trying to access the snoop servlet.
On a default WebSphere Application, the URL is:
http://
example: http://slpux01.cg.com:9080/snoop
A basic pop-up login window will appear. Enter your test ID and password.
Upon successful authentication, you will see the snoop servlet.
You have now concluded protecting snoop servlet using WebSphere Security.
SiteMinder Configurations
The next phase is to configure the SiteMinder Policy Server to create the required objects for the WebSphere Application Server Agent and to create a realm to protect the snoop servlet.
Agent
Create an agent. Example:
WebSphere Agent ACO
Using ApacheDefaultSettings as a template, create a new ACO
Example:
At a minimum, modify or add the following parameters:
challengeforCredentials=NO
By using ‘NO’, only basic auth pop-up will be used if you login directly to the WebSphere application. You can still establish an SMSESSION ahead of time and you will not get a basic auth pop-up when you reach the snoop servlet.
ChallengeforCredentials=YES
By selecting YES, you are able to use forms-based login based on your auth scheme attached to your realms policy.
DefaultAgentName=(same as agent previously created)
FCCCompatMode=NO
LogAppend=YES
Logfile=YES
LogFileName=/opt/smwasasa/logs/ASA.log (or any other appropriate location)
User Directory
Setup the LDAP user directory to be the same as the one being used by WebSphere Security.
You will also need to create some Attribute Mappings to be used by the policies you will create later.
Securing the snoop servlet using EPM. Create an Application protecting /snoop and using the LDAP Directory you defined previously as the shared user store.
Create Application Resource protecting * and assigning GET, POST as the actions.
Create Role based on the Directory mapping you completed earlier. WASaccess with an expression value of TRUE. This will define a role for any users that are members of the WASAccess role which is mapped to the cn=WASaccess group in the user directory.
Create a policy to map the WASAccess role to the snoop Resource.
You have configured the minimum to have a working integration of WebSphere and SiteMinder.
Solaris Configurations
Patch WebSphere's Java with the JCE policy files.
Download and install the Java JCE jar files.
http://www.ibm.com/developerworks/java/jdk/security/50/
2 jar files are included in the JCE download.
US_export_policy.jar
local_policy.jar
copy these 2 files to
example:
/opt/WebSphere/AppServer/java/jre/lib/security/
Set PATH to use WebSphere JAVA
Example:
# echo $PATH
/usr/sbin:/usr/bin
# PATH=/opt/WebSphere/AppServer/java/jre/bin:$PATH
# echo $PATH
/opt/WebSphere/AppServer/java/jre/bin:/usr/sbin:/usr/bin
# which java
/opt/WebSphere/AppServer/java/jre/bin/java
#
Install the WebSphere Application Server Agent
# ./ca-asa-6.0-was-unix.bin -i console
===============================================================================
Choose Install Folder
---------------------
Please choose the folder where the product will be installed.
Where would you like to install?
Default Install Folder: /opt/smwasasa
ENTER AN ABSOLUTE PATH, OR PRESS
: /opt/smwasasa
INSTALL FOLDER IS: /opt/smwasasa
IS THIS CORRECT? (Y/N): Y
Create Install Directory?
-------------------------
The directory /opt/smwasasa does not exist. Create it?
->1- No, go back
2- Yes, continue
ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS
DEFAULT: 2
===============================================================================
Choose WebSphere Folder
-----------------------
Please enter the folder where WebSphere 6.0 is installed.
Full path (DEFAULT: /opt/WebSphere/AppServer):
Host Registration
-----------------
Would you like to create a trusted host?
1- Yes, create trusted host.
->2- No, use existing file.
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS
: 1
===============================================================================
Host Registration
-----------------
Please enter configuration data.
Policy Server IP Address: (DEFAULT: ): smr12.cg.com
SM Admin Username: (DEFAULT: siteminder):
SM Admin Password: (DEFAULT: ): password
Host Name: (DEFAULT: localhost): slpux01-WAS
Host Config Object: (DEFAULT: ): Development
Agent Configuration
-------------------
Please enter the agent configuration object name.
Agent configuration object name: (DEFAULT: ): slpux01-WAS
Installation Complete
---------------------
Congratulations. CA eTrust SiteMinder Agent v6.0 for WebSphere has been
successfully installed to:
/opt/smwasasa
Install the WebSphere ASA CR
Extract the latest cr available for the WebSphere ASA. For this example:
smasa-6.0-cr006-was.zip is used.
The CR6 contains the following jars:
nete_asa.jar
smagentapi.jar
smwebsphereasa.jar
Java64/sm_jsafe.jar
Java64/sm_jsafeJCE.jar
Copy nete_asa.jar, smagentapi.jar, smwebsphereasa.jar to
example:
/opt/WebSphere/AppServer/lib/ext
Copy sm_jsafe.jar, sm_jsafeJCE.jar to
example:
/opt/WebSphere/AppServer/java/jre/lib/ext
Post Install Configurations
Configure the agent modules you need. This example only implements the TAI, so the login module and JACC provider need to be turned off.
Go to
Example:
/opt/smwasasa/conf
Modify the AsaAgent-az.conf file to turn off the WebAgent.
EnableWebAgent="NO"
HostConfigFile="/opt/smwasasa/conf/SmHost.conf"
AgentConfigObject="slpux01-WAS"
Repeat the process for the AsaAgent-auth.conf
EnableWebAgent="NO"
HostConfigFile="/opt/smwasasa/conf/SmHost.conf"
AgentConfigObject="slpux01-WAS"
Only the AsaAgent-assertion.conf should be enabled.
EnableWebAgent="YES"
HostConfigFile="/opt/smwasasa/conf/SmHost.conf"
AgentConfigObject="slpux01-WAS"
Modify the smagent.properties
Change logappend to YES; this makes tailing the log easier.
logfilename="/opt/smwasasa/log/SmWasAsaDefault.log"
loglevel="4"
logappend="YES"
logfile="YES"
logconsole="NO"
smazconf="/opt/smwasasa/conf/AsaAgent-az.conf"
smauthconf="/opt/smwasasa/conf/AsaAgent-auth.conf"
smassertionconf="/opt/smwasasa/conf/AsaAgent-assertion.conf"
Copy the smagent.properties file to
example:
/opt/WebSphere/AppServer/profiles/AppSrv01/properties
Grant J2SE permissions for jars under
This file is located at
Example:
/opt/WebSphere/AppServer/profiles/AppSrv01/properties
Add the following lines to the bottom of the server.policy file.
grant codeBase "file:/ASA_HOME/lib/-" {
permission java.security.AllPermission;
};
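The post-install steps above (three AsaAgent-*.conf files, smagent.properties, the copy into the profile, and the server.policy grant) are easy to get half right: a stray EnableWebAgent="YES" in the auth or az conf turns on a module this setup does not use, and the grant is appended again on every pass. The script below is an added example, not from the original post or the ASA product: it applies the settings with the post's example paths (overridable through ASA_HOME and PROFILE), expands the ASA_HOME placeholder in the grant to the real path since server.policy does not resolve variables, appends the grant only once, and verifies that exactly the assertion agent is enabled. Function names are my own.

```bash
#!/bin/sh
# Added example, not part of the original post: apply and verify the
# post-install settings for a TAI-only setup (assertion agent enabled,
# auth/az agents disabled, server.policy grant). Paths default to the post's
# example locations; override with ASA_HOME and PROFILE.

set -eu

ASA_HOME=${ASA_HOME:-/opt/smwasasa}
PROFILE=${PROFILE:-/opt/WebSphere/AppServer/profiles/AppSrv01}

# write_agent_conf FILE ENABLED ACO: one AsaAgent-*.conf with the three
# settings the post shows.
write_agent_conf() {
    cat > "$1" <<EOF
EnableWebAgent="$2"
HostConfigFile="$ASA_HOME/conf/SmHost.conf"
AgentConfigObject="$3"
EOF
}

# write_smagent_properties FILE: smagent.properties pointing at the three conf files
write_smagent_properties() {
    cat > "$1" <<EOF
logfilename="$ASA_HOME/log/SmWasAsaDefault.log"
loglevel="4"
logappend="YES"
logfile="YES"
logconsole="NO"
smazconf="$ASA_HOME/conf/AsaAgent-az.conf"
smauthconf="$ASA_HOME/conf/AsaAgent-auth.conf"
smassertionconf="$ASA_HOME/conf/AsaAgent-assertion.conf"
EOF
}

# add_policy_grant SERVER_POLICY: append the grant block once, with the
# ASA_HOME placeholder replaced by the real install path.
add_policy_grant() {
    if ! grep -q "codeBase \"file:$ASA_HOME/lib/-\"" "$1"; then
        cat >> "$1" <<EOF
grant codeBase "file:$ASA_HOME/lib/-" {
  permission java.security.AllPermission;
};
EOF
    fi
}

# enabled_value CONF: print the EnableWebAgent value from a conf file
enabled_value() {
    sed -n 's/^EnableWebAgent="\([^"]*\)"/\1/p' "$1"
}

# verify_tai_only CONF_DIR: 0 only if the assertion agent alone is enabled
verify_tai_only() {
    [ "$(enabled_value "$1/AsaAgent-assertion.conf")" = YES ] || return 1
    [ "$(enabled_value "$1/AsaAgent-auth.conf")" = NO ] || return 1
    [ "$(enabled_value "$1/AsaAgent-az.conf")" = NO ] || return 1
}

# configure ACO_NAME: run the whole post-install step and verify it
configure() {
    aco=$1
    write_agent_conf "$ASA_HOME/conf/AsaAgent-az.conf" NO "$aco"
    write_agent_conf "$ASA_HOME/conf/AsaAgent-auth.conf" NO "$aco"
    write_agent_conf "$ASA_HOME/conf/AsaAgent-assertion.conf" YES "$aco"
    write_smagent_properties "$ASA_HOME/conf/smagent.properties"
    cp "$ASA_HOME/conf/smagent.properties" "$PROFILE/properties/smagent.properties"
    add_policy_grant "$PROFILE/properties/server.policy"
    verify_tai_only "$ASA_HOME/conf"
}

# usage: sh this.sh slpux01-WAS   (the ACO name entered during installation)
if [ -n "${1:-}" ]; then
    configure "$1" && echo "TAI-only agent configuration applied and verified"
fi
```

AllPermission for the agent jars is what the post prescribes and what the agent needs under Java 2 security; keeping the codeBase limited to the ASA lib directory (rather than a broader grant) is the part worth preserving when adapting the block.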
Configure Agent settings on WebSphere Console
Login to WebSphere console. Default URL is
https://
Configure the SiteMinder Agent class loader
Expand the Server tab, click on Application servers.
Click on server1. Under Server Infrastructure, click on Process Definition.
Under Additional Properties, click on Java Virtual Machine.
Under Additional Properties, click on Custom Properties.
Create 2 new variables.
smasa.home=/opt/smwasasa
log4j.ignoreTCL=true
Click on Apply and then Save to apply the changes.
Enable the SiteMinder TAI
Expand Security. Under Authentication, expand Web Security. Click on Trust Association.
Under General Properties, click on Enable trust association. Click on Apply and Save changes.
Return to same screen. Under Additional Properties, click on Interceptors.
Click on New. Enter new Interceptor class name:
com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor
Click on Apply and Save.
You now need to restart the WebSphere Environment. Shut down the WebSphere environment.
/opt/WebSphere/AppServer/bin/stopServer.sh server1
Once the server is completely shut down, clean out any existing WebSphere and ASA logs.
WebSphere logs are located at:
example:
/opt/WebSphere/AppServer/profiles/AppSrv01/logs/server1
delete all *.log files
ASA logs are located at:
example:
/opt/smwasasa/log
delete any *.log files.
Start the WebSphere environment
/opt/WebSphere/AppServer/bin/startServer.sh server1
As soon as the WebSphere SystemOut.log is created, start to tail it.
tail -f SystemOut.log
Look for the following message in the SystemOut.log
SMINFO: SiteMinder TAI agent conf file not specified in configuration properties - checking environment
SMINFO: SiteMinder ASA Home 'smasa.home' resolved to: /opt/smwasasa
SMINFO: Configuring SiteMinder TAI with agent conf file = /opt/smwasasa/conf/AsaAgent-assertion.conf
SMINFO: Configuring SiteMinder TAI with processed agent conf file = /opt/smwasasa/conf/AsaAgent-assertion.conf
SMINFO: SiteMinder TAI successfully initialized
Once you get the message:
WSVR0001I: Server server1 open for e-business
The server is up and operational.
Testing the WebSphere SiteMinder Integration.
Open a browser and go to the snoop servlet:
http:
If you selected challengeforcredentials=NO, a basic auth popup will appear. Log in with your test credentials. The snoop servlet page will load; look under Client cookies to validate that an SMSESSION has been established.
If you configured challengeforcredentials=YES, you will be redirected to your login form's web server as defined in your Authentication Scheme.
Once you are authenticated, validate that an SMSESSION is created.
Validate IDs that are not members of the WASAccess group are not allowed to access the snoop servlet.
You should fail to login. Besides a browser error, you should also get an error in the WebSphere SystemOut.log
SECJ0129E: Authorization failed for wsadmin while invoking GET on default_host://snoop, Authorization failed, Not granted any of the required roles: All Role
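The three things the test phase asks you to confirm (TAI initialized in SystemOut.log, an SMSESSION cookie for the member user, a SECJ0129E denial for the non-member) can be checked from a saved log and a saved response-header dump rather than by eye. The script below is an added example, not from the original post; its sample log lines are constructed around the messages quoted above, the SMSESSION value is a placeholder and not a real token, and the function names are my own.

```bash
#!/bin/sh
# Added example, not part of the original post: checks for the test phase,
# run against a saved SystemOut.log and a saved response-header dump.
# All sample log lines and headers are constructed for the demo; the
# SMSESSION value is a placeholder, not a real session token.

set -eu

# tai_initialized LOG: 0 if the SMINFO initialization message is present
tai_initialized() {
    grep -q 'SiteMinder TAI successfully initialized' "$1"
}

# authz_failures LOG: count of SECJ0129E lines (expected for the negative test
# with a user outside the WASaccess group; 0 is expected for tester)
authz_failures() {
    grep -c 'SECJ0129E' "$1" || true
}

# denied_user LOG: the user named in the first SECJ0129E line, if any
denied_user() {
    sed -n 's/.*SECJ0129E: Authorization failed for \([^ ]*\) while invoking.*/\1/p' "$1" | head -n 1
}

# session_state HEADERS: "session" when an SMSESSION cookie was set,
# "challenge" when the agent only issued SMCHALLENGE=YES (credentials not
# accepted, so no session yet), "none" otherwise. Works on CRLF dumps.
session_state() {
    if grep -qi '^Set-Cookie: *SMSESSION=' "$1"; then
        echo session
    elif grep -qi '^Set-Cookie: *SMCHALLENGE=YES' "$1"; then
        echo challenge
    else
        echo none
    fi
}

# Constructed sample data (not real captures).
sample_log() {
    cat > "$1" <<'EOF'
[7/3/12 13:34:07:118 BST] 0000000a SmTrustAssoci I   SMINFO: SiteMinder TAI successfully initialized
[7/3/12 13:34:08:220 BST] 0000000a WsServerImpl  A   WSVR0001I: Server server1 open for e-business
[7/3/12 13:40:01:001 BST] 00000012 RoleBasedAuth A   SECJ0129E: Authorization failed for wsadmin while invoking GET on default_host://snoop, Authorization failed, Not granted any of the required roles: All Role
EOF
}
sample_session_headers() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: SMSESSION=PLACEHOLDER-TOKEN; Path=/; Domain=.cg.com\r\n' > "$1"
}
sample_challenge_headers() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Snoop"\r\nSet-Cookie: SMCHALLENGE=YES; Path=/; Domain=.cg.com\r\n' > "$1"
}

# Stand-alone demo on the constructed samples.
demo() {
    log=$(mktemp); hdr=$(mktemp)
    sample_log "$log"
    tai_initialized "$log" && echo "TAI initialized: yes"
    echo "authorization failures: $(authz_failures "$log") (first denied user: $(denied_user "$log"))"
    sample_session_headers "$hdr";   echo "member user:    $(session_state "$hdr")"
    sample_challenge_headers "$hdr"; echo "challenge only: $(session_state "$hdr")"
    rm -f "$log" "$hdr"
}
demo
```

To produce a real header dump for session_state, `curl -s -o /dev/null -D headers.txt -u tester http://host:9080/snoop` writes the response headers to headers.txt and prompts for the password instead of taking it on the command line. A "challenge" result means the agent saw the request and demanded credentials but never issued a session, which is the state to investigate before looking at role mapping.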
DONE
Hi Carlos,
I know this is a really old post but I was just wondering if you still monitor all these threads and could help me with this one please? I have tried following these instructions closely but I cannot seem to establish the SMSESSION cookie. Did you just use WebSphere or did you have a web server in front of it as well? Also can you please list your full ACO settings (just wondering why you chose the ApacheDefaultSettings as the template as opposed to the WAS one?)
Regards
Rod
Yeah, this information is 4+ years old. It was with the WebSphere ASA agent v6 with SiteMinder 6.5. What versions of WAS and SiteMinder are you using? I used the ApacheDefaultSettings as this was before the WAS one was available. I think one of my guys is doing a R12 agent ASA. I'll ask him for details on how he gets it working. Won't be soon, but will try and post details.
Thanks for replying. I am using WebSphere Application Server 6.1.0.37 with SiteMinder 12.0 SP3 Policy Server and 12.0 SP2 WAS Agent. Basic LDAP in WAS is working, I am getting prompted by SiteMinder as I can see the resource name as 'Snoop' but it's rejecting my LDAP credentials after 3 attempts. I am wondering if I need to configure something else such as JACC (I don't have a web server in front of WebSphere - do I need one?).
Here are my request and response headers (can't see SMSESSION in there at all?):
GET http://192.168.108.231:9080/snoop HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: JSESSIONID=0000tykUJZxbViZ39q9v5XywnYn:-1
Authorization: Basic dGVzdGVyOnBhc3N3b3Jk
Host: 192.168.108.231:9080
HTTP/1.1 401 Unauthorized
Content-Type: text/html;charset=ISO-8859-1
WWW-Authenticate: Basic realm="Snoop [13:34:8:118] "
$WSEP:
Content-Language: en-US
Content-Length: 742
Set-Cookie: SMCHALLENGE=YES; Path=/; Domain=.168.108.231
Set-Cookie: SMONDENIEDREDIR=NO; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Domain=.168.108.231
Date: Tue, 03 Jul 2012 12:34:07 GMT
Server: WebSphere Application Server/6.1
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Cheers
Rod
For my older version of the ASA, I do have IHS configured with the agent as well. I believe it does require additional configuration to get it to work without a front-end web server. I have not tried that. But, if you do use a web server such as IHS with a web agent, you only need to configure the TAI and not the JACC.