Saturday, April 10, 2010

CA Access Control R12.5 Quick Lab setup

If you are looking at upgrading your Access Control environment to take advantage of the Enterprise Management policy management, here is a quick guide doc to getting the management server installed and communicating with your Access Control endpoints. The install process is a lot easier than with previous versions. 

Follow this link to download the install guide. The text without screen shots is available here.

Quick Guide to CA Access Control R12.5 Enterprise Manager with Windows and Linux endpoints
Draft 1
This is a quick guide to getting a basic Access Manager R12.5 setup and configured. In this lab setup the following servers are used:

An Active Directory Environment for the AC R125 Enterprise Management Server to integrate with for console access.
An AD user that will be the Enterprise Manager Administrator
An SQL DB instance
It will be assumed that there is a basic understanding of Access Control and the new features that are available with R12.5. This guide will be focused on getting the basic setup up and running and the ability to manage a windows and linux endpoint. 
Part 1: Installing the Access Control Enterprise Management Server
Insert the 3rd party component DVD. This will have the pre-requisite installer which will setup java jdk 1.5.0-18 and jboss 4.2.3. 
Select the install location of Java and Jboss. Before Jboss is installed, you will have the option of selecting which ports you want jboss to use. By default, the installer will select 18080.
If you do not have any additional instance of jboss running on the host, select next and accept the defaults. If you need to change the ports, click on Advanced Configuration to have the option of changing all Jboss ports. 
After the Pre-installation Summary screen, click on Install. 
Once the installer is done, it will pause, giving you the opportunity to switch DVDs and insert the Enterprise Management DVD. Once you have inserted the DVD, click on Done and the EnterPrise Management installer will startup. 
Choose the location of the install and click on Next.
You will need to select a password that all components will use for communication. Enter the password and click Next. 
Specify the database you will be using. In this lab setup, it is a MS SQL 2005 instance. Select MS SQL and click Next. 

Enter the required information to connect to your DB instance and click Next.

Specify which user store you will use for controlling access to the Enterprise Management Server. For this lab environment, select Active Directory. 
Enter the required information to connect to your Active Directory environment. Click Next when complete.
Enter the AD user you have selected to be the system admin for the enterprise manager.  

Review your Pre-Installation summary and click Install. 
After Install, you will need to restart the server. Click Done to proceed. 
After the server reboot, all Access Control components will automatically startup. This includes the jboss application server. Don’t try and login to the Enterprise Manager application right away as it will fail since it will take a bit for the jboss application to load. 
Monitor the jboss server log at C:\jboss-4.2.3.GA\server\default\log\server.log to any errors or to validate the application is up and running. 
Validate the install
Open your browser and go to the url http://:18080/iam/ac
Enter the username / password for the AD user you selected as your system admin. 
Upon a successful login, you will be at  main screen. 
Click on the System tab. Expand the DMS section and click on View Connection. Do a search for any connections and you should have a default connection with the host. 
At this point, you have successfully installed the Enterprise Management UI. Next, validate that the Endpoint Management application was also successfully deployed. 
Go to the url http://:18080/acem
Enter the username of the ID you ran the installer under. If you installed it using a domain ID, make sure you use the domain\username. By default it will be the local Access Control admin ID. 

Upon a successful login you will be able to manage the local host via the Endpoint Management UI. 
At this point, you have validated the basic installation of the Access Control Enterprise Management and its supporting components. 
The next step is  to setup an endpoint to manage.
Part 2: Installing and managing an Access Control Endpoint on Windows 2003
Inset the Access Control for Windows DVD. Installer will auto startup. 

Expand the Components folder and select the Access Control appropriate for your OS. In this lab, using Windows 2003, select ‘CA Access Control for Windows (32-Bit)’. 
If not installed already, you will be prompted to install the MS Visual C++ 2005 Redistribution. You will need to install this. 
When it comes to selecting which components to install, the only additional component required for this lab, is to install is ‘Advanced Policy Management Client’. 

The Next screen has you add any additional Administrator and hosts you want to allow management from. The Administrators would allow admin level access over the this particular host. Defining additional hosts allow access to manage this host for machines other than the local host.  
Users and Group. Select Yes for ‘Support users and groups from primary stores’. Click Next. 
SSL Communication. For this lab setup, keep the default ‘No’ for using SSL communication. Click Next. 
Encryption settings. Unselect ‘Change the default encryption key’. CLick Next. 

Advanced Policy Management Client. Enter the Advanced Policy Management Server host name which in this lab is the Enterprise Management server. 

Review Settings and click Next and Install. 
After installation is complete, a reboot of the server is required. 
Validate you can access and manage the Access Control Endpoint from the Enterprise Management server. 
Open a browser and go to the CA Access Control Endpoint Management application. If, you added the Enterprise Management server which has the UI applications installed as one the hosts that has permissions to manage the endpoint, then you will be able to connect to your managed endpoint. If you had not done this, the permissions would not exist for external management of the end point. You can always add additional hosts using selang commands on the endpoint. 
Example selang commands will be included at end of document. 
Go to the URL http://:18080/acem

After successful login, you will be able to manage that remote end point. 
Validate you can access the endpoint via the Enterprise Management UI.
Go to the Enterprise Application URL at http://:18080/iam/ac
Login as the AD account you selected to be the Admin. 

For this lab it is ‘superadmin’. 

Once you successfully login, you will be at the home view of the Enterprise 
Management UI. 

Click on Policy Management->Host->View Host
Click on Search.
The management server and the new windows endpoint should show up. 
This concludes basic validation of communication from the Enterprise Management server and the new windows Access Control end point. 
Part 3: Installing and managing an Access Control Endpoint on a Linux Endpoint 
Insert the Access Control for Unix DVD. Mount the DVD if not automatically mounted. Navigate to /media/CA_AC_P_E_12_5_U/ using RedHat as an example. Copy the Unix directory to /tmp or some similar temporary space. Chmod -R the Unix directory 755. If you try to run the installer from the DVD, you will get permission errors. 
Navigate to /tmp/Unix/Access-Control. To start the install, run ./install_base
Enter the command required to install the software
Next choose the install path or hit enter to accept the default.
Enter the path for installing CA Access Control
Installing the following CA Access Control package(s):
  - Client package
  - Server package
For installation options, please use 'install_base -h'.
Select 'Y' to install, 'N' to exit the script:Y
Select Y to proceed. 
Unless you already have a local(nis-ldap) group defined, you can leave this as none. 
Specify the audit group name [none]:
Do not Import users or groups. 
Import users, groups and hosts now? [N/y]: N
PMDB model is legacy Access Control. It is being replaced by the Advanced Policy Management that comes with R12.x. For the lab, enter none for parent policy model.
Enter parent policy model name [none]
The case is the same for a password policy model. Enter none for this lab setup. The idea is that you would use something like IdM to better manage your users and passwords instead of replicating the data via a pmdb model. 
Enter passwords policy model name [none]
-------------------[ Set up security administrators ]-------------------
  You may define users as security administrators and auditors.
  Specify user IDs separated by space, other than root.
  If you do not want to define administrators now, hit ENTER.
Please enter administrator names [none]:
If you have additional local users defined, you can add them as administrators for Access Control on this end point. 
Yes, you would like to support OS users. 
Do you want CA Access Control to support OS users? [N/y]: Y
Defining DB Admins. You can add additional admins later. For now, using root will be fine. 
No need to change the encryption method.
Do you want to change the default encryption method  [N/y]: N
You can install the Baseline Security setting later on. As part of the install, skip adding them. 
Do you want to install Baseline Security Pack now? [N/y]: N
Starting Access Control remotely can be useful so accept the default of Yes.
Do you want to be able to start CA Access Control from a remote host? [Y/n]: Y
Do you want to install Report Agent? [N/y]: N
Do you want to install PUPM Agent? [N/y]: N
Do you want to configure this end point for advanced policy management  [N/y]:Y
Specify the advanced policy management server components DH full name list separated by space [none]:DH__@w2k3acmgr

Once install has completed, cd to /opt/CA/AccessControl/bin
Start Access Control by running ./seload
[root@rh52acep bin]# ./seload
CA Access Control seload v12.50.00.1861 - Loader Utility        
Copyright (c) 2009 CA. All rights reserved.
08 Apr 2010 23:25:37> WAKE_UP : Server going up
08 Apr 2010 23:25:37> INFO    : Filter mask: 'WATCHDOG*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : Setting PV*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : DB*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*seosd.trace*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 15604.
Checking database ...
Starting seagent. PID = 15607
seagent: Loading database image...
seagent: Initialization phase completed
Starting seoswd. PID = 15611
[root@rh52acep bin]# 
Authorizing remote management of the host. 
With Access Control Running, the next step will be to start the selang command line interface to setup permissions to allow remote administration from the Enterprise Management server. While you can manage this host locally using the command line tools, by authorizing the management server, you are allowing the ability to manage policies using the End Point management UI application. 
This is not a tutorial on the selang command tool. Again, it is assumed you have some knowledge of Access Control. 
start selang utility
[root@rh52acep bin]# ./selang
CA Access Control selang v12.50.00.1861 - CA Access Control command line interpreter
Copyright (c) 2009 CA. All rights reserved.
Create a terminal resource
AC> nr TERMINAL defacc(none) ow(nobody)
Successfully created TERMINAL
Now create a rule to authorize access to that terminal
AC> nr TERMINAL defacc(none) ow(nobody)
Successfully created TERMINAL
AC> auth TERMINAL uid(*) acc(r,w)
Successfully added * to's ACL
Repeat the validation tests you ran prior for the windows Access Control endpoint via the Enterprise management server. 

Tuesday, April 6, 2010

Installing CA Identity Manager 12.5 on Solaris 10

This is a supplement to the "Quick Guide to getting CA SiteMinder 12 integrated with Identity Manager 12.5" post. This document contains the steps to install Identity Manager on JBoss on Solaris as well as  integrate with a SiteMinder Policy Server.

For searching purposes, here is the text of the document:

Quick Guide to Integrating CA SiteMinder 12sp2 with Identity Manager 12.5 on Solaris
Draft - supplement to “Quick Guide to getting CA SiteMinder 12sp2 integrated with Identity Manager 12.5” available here.
Setup requirements
A working SiteMinder R12sp2 environment
A MS SQL instance
Solaris 10 Server for Identity Manager install
On the Solaris 10 box, install apache2.2 and jboss 4.2.3.GA
Pre-configuring the environment for IdM install and integration with SiteMinder. 
Check support matrix first
SiteMinder: filePath=0/5262/5262_docindex.html#PSM
Identity Manager: filePath=0/5655/5655_docindex.html#PSM
Need help on installing SiteMinder r12sp2? Refer to coreblox’s excellent how to guide:
Pre-requisites before installing Identity Manager
Preparing the SiteMinder Policy Server
On SiteMinder Policy Server, install Identity Manager components and extend schema. 
Launch the Identity Manager software. Start ca-im-r12.5-win32.exe
In the “Choose Components” window, select “Identity Manager Administrative Tools” and “Extensions for SiteMinder”.
By installing the “Identity Manager Administrative Tools” you will have access to all the extras you will need. These tools can be used regardless of the platform they are installed on. 
While the policy server is still down, extend the schema of the Policy Store. The schema file is located within the tools you just installed. In my environment I am using Sun LDAP, so the schema file is located at: “C:\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\SunJavaSystemDirectoryServer\sundirectory_im8.ldif”
Startup the policy server and check the smps.log for any errors.
Configuring the Apache2.2 web server
Install and register the apache2.2 instance on the solaris server. Enable the webagent and restart apache to make sure it is working. 
Seting up apache2.2 proxy plugin for jboss
download the tomcat connector for apache on sparc.
rename to mod_jk and copy to ../apache2.2/modules
copy the example file from the Administrative Tools you installed on the Policy Server to ../apache2.2/conf/
 C:\CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\ConnectorConfiguration\solaris\Apache_JBoss\
Ignore the included readme.txt. It has a few errors. 
The file should work as is assuming you are running jboss on default ports. If you are running jboss on something different, modify the file accordingly. 
      worker.jboss.port=8009 (Default AJP jboss port)
Next update the httpd.conf file to include the following lines:
LoadModule jk_module modules/
JkWorkersFile /wam/apache2.2/conf/
JKLogFile /wam/apache2.2/logs/jk2_mod.log
JkLogLevel DEBUG
JkShmFile /wam/apache2.2/logs/jk-runtime-status
and also
        JkMount /idm/* jboss
        JkMount /idmmanage/* jboss
        JkMount /castylesr5.1.1/* jboss
        JkMount /jkstatus/* jboss
After these changes, restart the web server. Check the logs for any startup errors. 
Installing Identity Manager on Solaris
# ./ca-im-r12.5-sol.bin -i console
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
Hit enter 197 times.
Choose Components
  ->1- Identity Manager Server
    2- Connect to Existing SiteMinder Policy Server
  ->3- Identity Manager Administrative Tools
  ->4- Identity Manager Provisioning Server
  ->5- Identity Manager Provisioning Directory
  ->6- Extensions for SiteMinder (if SiteMinder is installed locally)
Please select the components you would like to install.  Enter a 
   comma-separated list of numbers for your selection.
   The Identity Manager Administrative Tools option includes Workflow Designer,
   Provisioning Manager, and code samples.: 1,2,3
Next, set your install Path and make your FIPS selection. 
Application Server Information
Choose the type of application server that will host CA Identity Manager
For the latest supported application server versions, see the CA Identity Manager support site (
  ->1- JBoss 4.2.3
    2- WebLogic 9.2.1
    3- WebLogic 10.3
    4- WebSphere 6.1.x
   : 1
JBoss Application Server Information
Please enter information for the application server.
Note: In the Application Server URL field, enter the fully-qualified URL including port number.
JBoss Folder (no spaces) (DEFAULT: /jboss-4.2.3): /wam/jboss-4.2.3.GA
App Server URL and port (DEFAULT: http://:8080)
Select your Java install
Select Database Type
Select the type of database that CA Identity Manager will use to store task persistence and archive, workflow, auditing, and reporting information, and required objects. Select an existing database type.
    1- Oracle 10/11g
    2- SQL 2005/2008
Database Connection Information
Please enter the connection information for the database [Object store,Task Persistence and archive store, Audit store, Report store and Workflow store]
Host Name (DEFAULT: ): w2k3db
Port Number (DEFAULT: 1433): 
Database Name (DEFAULT: ): IDMGRDB
Username (DEFAULT: ): sa
Login Information
Please provide a username and password for all CA components that are embedded within CA Identity Manager.
This user will be created to connect to the embedded CA components. 
Username (DEFAULT: ): IdMMgr
This will be the common Id/password used for all components. Will also be the name of the auto agent created on the policy server.
Setup Policy Server Connection info
SiteMinder Policy Server Information
Please enter information for the SiteMinder administrator account that CA Identity Manager will use to communicate with the SiteMinder Policy Server.
Policy Server Host Name (DEFAULT: localhost): w2k3smps
Review Pre-Install Summary. Before you start install, make sure the Policy Server is running. Install.
Install Complete
Congratulations. CA_Identity_Manager has been successfully installed.
Start jboss and check for any errors
2010-04-06 17:15:30,500 WARN  [ims.default] * Startup Step 26 : Attempting to recover events and runtime status details
2010-04-06 17:15:30,502 WARN  [ims.default] ---- CA IAM FW Startup Sequence Complete. ----
Go to the jboss URL directly to verify the application is running.

Next verify you can also reach the Identity Manager application via the apache web-server proxy. 

Tuesday, February 16, 2010

Configuring SiteMinder FSS Client without the new AdminUI

SiteMinder R12 introduced the new Administrative UI which brings a great wealth of features and usability. However, there can be situations where you might not be interested in the overhead of the new UI requirements (app server, db), or simply not like it and prefer to keep using the classic SiteMinder Administrative UI. Now renamed SiteMinder FSS Administrative UI, it has been changed where you can no longer start it up and login using your SiteMinder ID. 

As SiteMinder R12 documentation states: " must install and configure the Administrative UI before registering the FSS Administrative UI."The challenge then is that it seems you can't get around just using the FSS Admin UI without installing the new administrative framework. 

In essence, what the FSS UI needs to work is a 4x-compatible agent. Therefore, instead of requiring the Admin UI to create a 4.x compatible agent, you can simply run a perl script to create the agent required to allow your FSS to login. 

Many  thanks to my co-worker, V G, who gave me this script. I am not sure of its origins other than it was written by Netegrity at some point. 

Click here to download a copy of the perl script. Be sure to modify to your needs. 

You don't need to install PERL. It is already installed as part of the policy server install. First, lets look at the script. 

#                                                                              #
#   Copyright (C) 1997-2004, Netegrity, Inc. All rights reserved               #
#                                                                              #
#   Netegrity, Inc. makes no representations concerning either the             #
#   merchantability of this software or the suitability of this software       #
#   for any particular purpose. It is provided "as is" without express         #
#   or implied warranty of any kind.                                           #
#                                                                              #

use Netegrity::AgentAPI;
use Netegrity::PolicyMgtAPI;

#                                                                              #
# Begin site-specific configuration                                            #
# The follwing information should be changed before running this sample.       #
#                                                                              #

$adminName          = 'SiteMinder';
$adminPwd           = 'P@ssword01';
$agentIP            = '';
$agentSecret        = 'P@ssword01';

#                                                                              #
# End site-specific configuration                                              #
#                                                                              #

$policymgtapi = Netegrity::PolicyMgtAPI->New();
$session = $policymgtapi->CreateSession($adminName, $adminPwd);

die "\nFATAL: Cannot create session. Please check admin credentials\n"
    unless ($session != undef);


sub showmenu {

    print "\n\n*********** SiteMinder (SM) Scripting Interface Demo  ***********\n";
    print "\n";
    print "\n";
    print "\tPlease make a selection from the following:\n";
    print "\n";
    print "\t[1] Setup Policy Store.\n";
    print "\n";
    print "\t[9] Exit\t\t\t\t\t\t\n";
    print "\n";
    print "\tChoice: ";

    chomp($choice = );
    if($choice == 1) {
    } elsif ($choice == 9) {
    } else {
        print "Invalid Choice. Please make another selection.\n";

sub setup_ps_store {

    # Create an agent. Agent will be a 4x Agent

    print "\n\tCreating Agent \'FSS-Agent\'…";
    $agent = $session->CreateAgent( "FSS-Agent",
                                    $session->GetAgentType("Web Agent"),

    if(!defined $agent) {
        die "\nFATAL: Unable to create Agent \'web-agent\'\n";


Key things to change:

$adminName          = 'SiteMinder';
$adminPwd           = 'P@ssword01';
$agentIP            = '';
$agentSecret        = 'P@ssword01';

Update the admin connection information for the script to be able to connect to your policy server.

    print "\n\tCreating Agent \'FSS-Agent\'…";
    $agent = $session->CreateAgent( "FSS-Agent",
                                    $session->GetAgentType("Web Agent"),

You can change 'FSS-Agent' to be whatever name you want the agent to have.

Running the script

If you download the script, make sure you rename the file to a .pl extension.

To simplify things, copy the script to ..\CA\siteminder\CLI\bin

Use the PERL executable that is located within the ...\CA\siteminder\CLI\bin location. 


*********** SiteMinder (SM) Scripting Interface Demo  ***********

        Please make a selection from the following:

        [1] Setup Policy Store.

        [9] Exit

        Choice: 1

        Creating Agent 'FSS-Agent'...

After running the script, you are all done. Start the FSS UI and use the agent and password you just created as the 'Host Name' and 'Passphrase' of the FSS UI.