Saturday, February 13, 2010

CA Identity Manager 12.5 and SiteMinder 12 sp2 integration: A quick guide.

This is a quick guide to doing a very basic integration of SiteMinder and Identity Manager.  A PDF of the guide with screenshots is available here. This is a first draft, and as the solution is implemented in our actual infrastructure I will update the documentation. In the meantime, for searching purposes, here is the text of the file:

Quick Guide to getting CA SiteMinder 12 integrated with Identity Manager 12.5
Draft 1
Server pre-requisites as used by this exercise:
3 Windows2003 Servers
Server 1: Sun DSEE LDAP and MS SQL2005
Server 2: CA Identity Manager Server
Server 3: CA SiteMinder Policy Manager Server
Software prerequisites as used by this POC environment (refer to CA’s support matrix for component options and compatibilities):
Identity Manager:
Server 1: dsee7
LDAP instance for SiteMinder Policy Store
LDAP instance for User Repository
SQL DB Instance for SiteMinder UI object store
SMOBJSTORE port 1433
SQL DB Instance for Identity Manager object store
Server 2: idmr125
Java 1_5_0_16 JDK
Jboss 4.2.3GA
IIS 6.0
jboss proxy plugin for IIS ( isapi_redirect-1.2.28.dll )
CA Identity Manager R12.5
Server 3: smr12sp2ps
SiteMinder Policy Server R12sp2
For a quick guide on how to set up an R12 environment, refer to Coreblox’s excellent guide. In my case, I used a Sun LDAP instead of AD for the Policy Store.
Foundational work
Ensure you have a working LDAP user repository. 
example: suffix: dc=b2c,dc=com port: 1389

Required users: 
superadmin: default admin user for Identity Management environment
selfreguser: entry used to manage self-service tasks.
Ensure you have a working SiteMinder Environment. 
Install and configure an agent for the IIS web server instance running on the Identity Manager Server. Refer to the SiteMinder documentation “Web Agent Installation Guide: Install a Web Agent on a Windows System and Configure an IIS Web Agent”.
There is no need to create a realm or user directory at this time for the Identity Manager server. What is required is a basic setup that includes a trusted host. 
Setting up Jboss and the IIS JBoss connector.
Install the Java 1.5.0.x JDK on the Identity Manager server.
example: jdk-1_5_0_16-windows-i586-p.exe
After installation, set the environment variable:
JAVA_HOME="C:\Program Files\Java\jdk1.5.0_16"
Unzip the JBoss package at C:\
Update the run.conf located at C:\jboss-4.2.3.GA\bin\
Change the entry #JAVA_HOME= to the location of your Java install:
JAVA_HOME="C:\Program Files\Java\jdk1.5.0_16"
Open a command line and start up JBoss:
C:\jboss-4.2.3.GA\bin\run.bat -b
Once JBoss has started, verify by going to the JBoss URL (the default port is 8080).

IIS JBoss connector: Chicken-Egg Problem.
A few steps that must be delayed:
Extend SiteMinder Policy Schema with Identity Manager extensions.
Properly configure the IIS Jboss ISAPI connector
In order to have the necessary files to configure the Policy Store and IIS-Jboss connector, you must unfortunately first install the Identity Manager software. After installing, you will have access to the necessary files required. 
Installing the Identity Manager software
Shut down JBoss if it is running.
Start ca-im-r12.5-win32.exe
Choose Components:
Only select Identity Manager Server, Connect to Existing SiteMinder Policy Server, and Identity Manager Administrative Tools. 

For this exercise, we are only using web-edition to manage external user ldaps, and not setting up the provisioning components. 
Click Next and continue. Select jboss 4.2.3 for Application Server Information. Make sure you enter the correct jboss location and a fully-qualified app server URL.

Choose the JDK you previously installed. 

Select your Database Type. In this exercise, SQL 2005 was used. 

Enter your SQL connection information.

Login information refers to a username and password for all components that are embedded within the Identity Manager environment. This Username will also result in the agent name created in the Policy Server. 

Next, enter Policy Server connection information.

Validate all settings at Pre-Install Summary and when ready click Install.
After installation, validate by starting up JBoss, this time using the supplied startup script:
C:\jboss-4.2.3.GA\bin\run_idm.bat -b
Validate Identity Manager is running by going to the URL:

Installing and configuring the IIS-JBoss Connector
Installing the ISAPI connector
Now that the Identity Manager has been installed, additional tool components are now available to finish the IIS-JBoss connector as well as the SiteMinder Policy Store schema extensions. 
Download the isapi_redirect-.dll. Create a directory C:\ISAPI and place the .dll there. Next you need to copy some configuration property files to use with the ISAPI module. Go to “C:\CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\ConnectorConfiguration\windows\IIS_JBoss\” and copy the two property files to C:\ISAPI.
Edit the jakarta.reg file.
Make sure extension_uri contains the correct isapi_redirect.dll module name. It should match the file you downloaded.
The “log_file”, “worker_file”, and “worker_mount_file” should all point to the location where you copied the property files, in our example at “C:\ISAPI”.
Double-click the jakarta.reg file to add the settings to the registry.
Configuring IIS
Start the Internet Information Services (IIS) Manager. Right-click the Default Web Site and select New>Virtual Directory. The Virtual Directory Creation Wizard opens.
Click Next to begin using the Virtual Directory Creation Wizard. In the Alias field, enter "jakarta". Click Next. In the Directory field, enter the full path to the directory where the configuration files are located. For example: C:\ISAPI.
Click Next to display the Access Permissions screen. Select the following permissions, and click Next: Read, Run scripts (optional), Execute. Click Finish.

Next add the Jakarta filter to the ISAPI filters. Right-click Default Web Site and select Properties. Select the ISAPI Filters tab. Click Add. The Filter Properties dialog box opens. In the Filter Name field, enter "jakarta". In the Executable field, enter the full directory path and filename of the isapi_redirect.dll file that you downloaded. Click OK.

Next, allow the jakarta extension: Right-click "Web Service Extensions" and select "Add a new Web Service Extension..." In the Extension Name field, enter "jakarta". Click Add. The Add File dialog box opens. Enter the full directory path and file of the isapi_redirect.dll file that you downloaded. Click OK. Check Set Extension Status to Allowed. Click OK.
Restart the IIS Admin Service, including the World Wide Web Publishing Service.

Note: The AJP connector uses port 8009 by default. To change the port number, modify it in the following location:
Verify the IIS-JBoss connector is working
Validate Identity Manager is accessible via the proxy by going to the URL:
http:///idmmanage (without needing port 8080)
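The two ways this step usually goes wrong are registry values that do not match what is on disk (an extension_uri naming a different dll, or property-file paths outside the directory you copied them to), and JBoss’s own administrative contexts being forwarded through IIS along with the Identity Manager ones. The following Python script checks both before you restart IIS. It is an added example, not part of this guide or of CA’s or the Apache JK project’s tooling; the jakarta.reg and uriworkermap.properties contents in it are constructed samples, and the dll name and C:\ISAPI directory are the ones used above.

```python
"""Configuration sanity check for the IIS-JBoss ISAPI redirector.

Added example for the guide, not CA's or the Apache JK project's code. It parses
a jakarta.reg export and a uriworkermap.properties file and reports:

  1. registry values disagreeing with what is on disk (an extension_uri that does
     not name the dll you downloaded, or property-file paths outside the config
     directory), which leaves IIS answering 404 for /idmmanage while the filter
     appears loaded;
  2. JBoss administrative contexts (jmx-console, web-console, invoker) forwarded
     through the public web server, when only the Identity Manager contexts
     should be reachable from outside.

The .reg and .properties contents below are constructed samples.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample of the jakarta.reg template, edited so every path points at
# C:\ISAPI as the guide instructs. .reg files escape backslashes as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect-1.2.28.dll"
"log_file"="C:\\ISAPI\\isapi_redirect.log"
"log_level"="info"
"worker_file"="C:\\ISAPI\\workers.properties"
"worker_mount_file"="C:\\ISAPI\\uriworkermap.properties"
'''

# Constructed sample uriworkermap.properties. The /jmx-console mapping mirrors
# the one visible in the jakarta log quoted in the comments on this post.
SAMPLE_MOUNTS = '''# URI context = worker name from workers.properties
/castylesr5.1.1/*=jboss
/jmx-console/*=jboss
/idm/*=jboss
/idmmanage/*=jboss
'''

# JBoss 4.x contexts that belong on the internal-only port, never behind IIS.
ADMIN_CONTEXTS = ("/jmx-console", "/web-console", "/invoker")

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {name: value} for the string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def parse_mounts(text):
    """Return [(context, worker)] pairs from uriworkermap.properties."""
    mounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        context, _, worker = line.partition("=")
        mounts.append((context.strip(), worker.strip()))
    return mounts


def check_reg(values, dll_name, config_dir):
    """Return a list of problems with the registry values.

    dll_name   - file name of the redirector you downloaded
    config_dir - directory holding the dll and both .properties files
    """
    problems = []
    uri = values.get("extension_uri", "")
    if PurePosixPath(uri).name != dll_name:
        problems.append(f"extension_uri names {uri!r}, expected .../{dll_name}")
    want = str(PureWindowsPath(config_dir)).lower()
    for key in ("log_file", "worker_file", "worker_mount_file"):
        if key not in values:
            problems.append(f"{key} is missing")
            continue
        parent = str(PureWindowsPath(values[key]).parent).lower()
        if parent != want:
            problems.append(f"{key} points at {values[key]!r}, not under {config_dir}")
    return problems


def exposed_admin_contexts(mounts):
    """Return the mapped contexts that would forward JBoss admin consoles."""
    return [ctx for ctx, _ in mounts
            if any(ctx.startswith(admin) for admin in ADMIN_CONTEXTS)]


def audit(reg_text, mounts_text, dll_name, config_dir):
    """Combine both checks into one list of findings (empty means clean)."""
    findings = check_reg(parse_reg(reg_text), dll_name, config_dir)
    for ctx in exposed_admin_contexts(parse_mounts(mounts_text)):
        findings.append(f"{ctx} is forwarded to JBoss through IIS; remove the mapping")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_MOUNTS,
                         "isapi_redirect-1.2.28.dll", r"C:\ISAPI") or ["OK"]:
        print(finding)
```

To use it against a real installation, read the exported jakarta.reg and C:\ISAPI\uriworkermap.properties into the two text arguments instead of the samples. Anything mapped under /jmx-console or /web-console is reachable by whoever can reach IIS, so keep the mapping list to the Identity Manager contexts (/idm, /idmmanage, and the castyles resources) and leave the consoles on JBoss’s own port.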

Finishing up SiteMinder Policy Server configuration
Extend Policy Store LDAP schema
The schema file is located at “C:\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\SunJavaSystemDirectoryServer\sundirectory_im8.ldif”
This is the file to use with Sun LDAP. Additional schema files are available for the other LDAP and DB products commonly used as a policy store.

Validate your policy store schema has been extended. 
Installing the Extensions for SiteMinder Policy Server
Re-launch the Identity Manager installer: start ca-im-r12.5-win32.exe
In the “Choose Components” window, select only “Extensions for SiteMinder”.

Continue the install and restart the policy server when completed. 
Configuring a Directory and Environment within Identity Manager
Having installed and configured all the components of Identity Manager and SiteMinder, your next step is to configure a connected directory and environment, which in turn automatically creates a user directory and domain on your SiteMinder Policy Server.
To configure a directory, you can upload a pre-configured directory.xml file that defines the directory structure and attributes, or you can configure your directory using the wizard, which walks you through the directory structure and attributes. Either way, you need to start with a base directory.xml file. These are supplied in the ..\tools\directoryTemplates location. There are base directory.xml files for many LDAP and DB vendors. In addition, you need to choose your directory.xml based on whether your LDAP structure is flat or contains hierarchy. For this exercise, the LDAP structure created is flat: all users are within the ou=people organizational unit.
There are 3 key areas within the directory.xml that are most relevant. The first section defines user objects and attributes, the second defines groups, and the third defines organizations. If you are NOT using organizations, it is important to remove the organization section and any references to configuring organizations within the directory.xml.
Refer to the Identity Manager documentation to get an understanding of how Identity Manager uses organizations to manage a hierarchical structure. It’s important to have a clear understanding of when you would want to use organizations. In the flat LDAP being used for this example, organizations are not required.
Schema extensions to support IdM functions
While you can use any existing attributes as part of the inetorgperson, I have created an auxiliary class object that contains some custom attributes to be used by Identity Manager and our fictional web application. 
The following attributes were added to my ldap instance:
objectclass b2cPerson, with parent object class inetOrgPerson
b2cPerson contains these additional attributes used by Identity Manager:
sm-disabledFlag: The user's status 
sm-passwordData: The user's password information for SiteMinder password policies
sm-questionAnswer: The user's self service security questions and answers 
sm-adminRole: The list of admin roles the user is a member or administrator of 
sm-certStatus: The user's certification status
sm-lastCertDate: The date the user's roles were last certified 
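Before loading the extension into the user store, the LDIF that defines this class can be checked against the attribute list above, so a dropped attribute is caught before the directory wizard fails to map it. The following Python script is an added example and not part of this guide or of CA’s schema files; the LDIF inside it is constructed to mirror the definition above (b2cPerson, parent inetOrgPerson, auxiliary), uses a placeholder OID, and assumes the sm-* attribute types are already defined by the CA-supplied Sun Directory schema.

```python
"""Pre-flight check for the user-store schema extension.

Added example for this guide, not part of CA's schema files. It unfolds an
LDIF file, parses the RFC 4512 objectClasses definition of the auxiliary
class described above and confirms the class exposes every sm-* attribute
Identity Manager relies on. Assumptions: the sm-* attribute types are already
defined by CA's Sun Directory user-store schema, and the OID is a PLACEHOLDER.
"""
import re

# Constructed LDIF mirroring the guide's definition: b2cPerson, parent
# inetOrgPerson, auxiliary. Replace the placeholder OID with one from your own arc.
SAMPLE_LDIF = """dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.1.2.1 NAME 'b2cPerson'
  DESC 'B2C portal user with SiteMinder and Identity Manager attributes'
  SUP inetOrgPerson AUXILIARY
  MAY ( sm-disabledFlag $ sm-passwordData $ sm-questionAnswer $
        sm-adminRole $ sm-certStatus $ sm-lastCertDate ) )
"""

# Attributes the guide lists as used by Identity Manager.
REQUIRED_ATTRS = (
    "sm-disabledFlag", "sm-passwordData", "sm-questionAnswer",
    "sm-adminRole", "sm-certStatus", "sm-lastCertDate",
)


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _attr_list(keyword, body):
    """Extract the attribute names following MUST or MAY, in either syntax form."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([A-Za-z0-9-]+))", body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def parse_object_class(value):
    """Parse one objectClasses value into its OID, name, parent, kind, MUST and MAY."""
    body = value.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("objectClasses value must be parenthesised")
    body = body[1:-1].strip()
    oid, _, rest = body.partition(" ")
    rest = re.sub(r"DESC\s+'[^']*'", "", rest)  # a DESC string may contain keywords
    name = re.search(r"\bNAME\s+'([^']+)'", rest)
    sup = re.search(r"\bSUP\s+'?([A-Za-z0-9-]+)'?", rest)
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", rest)
    return {
        "oid": oid,
        "name": name.group(1) if name else None,
        "sup": sup.group(1) if sup else "top",
        "kind": kind.group(1) if kind else "STRUCTURAL",
        "must": _attr_list("MUST", rest),
        "may": _attr_list("MAY", rest),
    }


def find_object_class(ldif_text, name):
    """Return the parsed class called `name` (case-insensitive), or None."""
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("objectclasses:"):
            oc = parse_object_class(line.split(":", 1)[1])
            if (oc["name"] or "").lower() == name.lower():
                return oc
    return None


def missing_idm_attributes(ldif_text, name="b2cPerson"):
    """List required sm-* attributes the class does not expose (empty means OK)."""
    oc = find_object_class(ldif_text, name)
    if oc is None:
        return list(REQUIRED_ATTRS)
    exposed = {a.lower() for a in oc["must"] + oc["may"]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in exposed]


if __name__ == "__main__":
    print(find_object_class(SAMPLE_LDIF, "b2cPerson"))
    print("missing:", missing_idm_attributes(SAMPLE_LDIF))
```

Point `missing_idm_attributes` at the contents of your own schema LDIF before running ldapmodify; an empty list means every attribute the wizard will later ask you to map is present on the class.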

Configuring a User Directory
Go to the URL http:///idmmanage

Click on Directories
If you have a pre-configured directory.xml, you can just import those definitions, or you can start with a template and use the wizard to walk you through all the attribute mappings. 
For this exercise, I will select the wizard and select the modified directory.xml file I updated removing any references to organizations. 

The first screen will have you enter the basic LDAP connection information.

The next screen will show you all configurable options. In this modified directory.xml, there are only a user object and a group object.

This next section, Select User Attributes, will map out the objectclass and attributes to be used by Identity Manager.
If you are using an auxiliary objectclass, change the structural class to reference your custom one. This will expose all the custom attributes. 
Verify your Container properly defines the location of your users in the ldap structure and finally select all the attributes you want the Identity Manager to be aware of. 
Click next to continue.

In the next section, you will map the attributes to the Identity Manager’s attribute names.
Click next when done with the mapping. 
The next section allows you to add descriptions to any attributes as displayed by the Identity Manager system. Click Next after making any changes.
Finally for users, there is the User Attribute Details screen, where you can add any conditions around the availability and use of the attribute within the IdM system. You can set attributes to be required or set minimum values for a given attribute.

Click Next and you will be returned to the Configure Managed Objects screen. You will repeat the same steps, this time for configuring the Group Objects. 
As you go through the screens, make any changes as necessary. For the most part, these can stay as they are. For this exercise, no additional changes have to be made. 

Continue clicking Next until you return to the Configure Managed Objects screen. The Show summary and deploy directory option should be selected by default. Click Save to make a new copy of your modified directory.xml. Click Next to review the configuration and Finish to implement the directory.

After the directory is created successfully, you should see a confirmation message.

Login to your SiteMinder AdminUI and verify that the new Directory instance you just created on the Identity Manager server has now created a Directory instance on the SiteMinder policy server. 

Creating a Managed Environment
You will need to know the following info before you create your new managed environment:
The LDAP entry for your overall admin user
The LDAP entry for a self-service system user
the URL alias you will use for this managed environment ‘b2c’
the URL alias you will use for the self-service public section of this managed environment ‘b2cpub’
Go to the URL http:///idmmanage. This time click on Environments. Next click on New.
On the first screen, enter your managed environment’s name and the alias which will be added to the JBoss URL. Click Next.
On the next screen, select the directory server you will manage. In this exercise, there should only be one entry, the b2c LDAP. Click Next.
The next screen will give you the option to select a provisioning directory. Since this exercise is not covering provisioning, no options will appear. Click Next to continue.

The next screen will configure the public URL and self-service components. Enter the URL which will be used for public access and enter the self-service ldap entry. 

Click Next.

In the next screen you can select which roles you want imported into the managed environment. For this exercise, only select Create default roles (recommended).

Click Next.

There is an optional Role Definitions section. There is no need to select any additional role definitions, so just click Next.
The next section has you select your system admin. Enter the name of the LDAP entry that will be the superadmin and click Add.

Click Next.

The next screen has to do with SiteMinder integration. You can select which Agent will be used to protect the Identity Manager b2c managed environment. As you will see, Identity Manager automatically creates its own agent. Select this agent for use. 

Click Next.
The final screen will contain a summary of the new environment about to be created. 

Click Finish after reviewing your settings. 

You should have no errors when the environment is built. 
Click on Continue

You will be returned to the Environments screen. The final step is to update the IIS webagent.conf file, restart IIS, start up the b2c environment and validate that a corresponding SiteMinder domain and realm were created.

Update the IIS webagent.conf to reference the agent configuration object that was created by the environment build. Restart your IIS server after updating.
Next, to start the environment, click on b2c. Scroll to the bottom and look for the Status setting. It will be set to Stopped. Click Start.

Make note of the SiteMinder Policy Domain name. This was created as part of the environment build.
Log into your SiteMinder AdminUI and go to view your Domains. You should see the b2c domain created. 

View the b2cDomain and you will notice that the user directory will be configured as well as the default realms required by Identity Manager. 
Final Step - Validate you can log into the b2c managed environment as the superuser. 
Go to the URL http:///idm/b2c
A pop-up should occur requesting login credentials. Log in as superadmin.

After a successful login, you should see all the following tabs displayed. 

Validating functionality - Create a user.
As Superadmin, click on the User tab -> Create User. 

When the new screen appears, select Create a new user and click OK.
Enter required information to create the user. Click Submit when done. 

When the task completes, you will get a Confirmation message. 

Validate the user has been created by checking your LDAP server to ensure the entry exists.

Similarly, you can create a new group and validate it has been created under ou=groups. 
This concludes the basic information to have a functional integration with CA Identity Manager 12.5 and SiteMinder 12.1. 


  1. Excellent work and great docs! You are truly great!!

  2. Thanks for the compliment. I work with a great team, I certainly don't know everything. But I like to share what I learn. I'm working on documenting additional work I've done and hope it continues to be useful. Thanks!

  3. I am attempting to perform the same task as you have described here. I cannot get beyond the isapi-redirect verification.

    I have installed the dll from the link you provided. I registered the dll and followed the IIS6 configuration as documented. However when I attempt to browse to the /idmmanage URL, I receive a 404 error page.

    The jakarta.log is telling me that it is forwarding to JBoss, however I still am getting the 404.

    Here is the jakarta log:

    Jakarta/ISAPI/isapi_redirector/1.2.28 initialized
    jk_isapi_plugin.c (1841): Filter started
    jk_uri_worker_map.c (1036): Attempting to map URI '/' from 9 maps
    Attempting to map context URI '/castylesr5.1.1/*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/castylesr5.1.1/=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/jmx-console/*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/idm/*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/idm/=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/castylesr5.1.1*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/jmx-console*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (850): Attempting to map context URI '/idm*=jboss' source 'uriworkermap'
    jk_uri_worker_map.c (863): Found a wildchar match '/idm*=jboss'
    jk_isapi_plugin.c (1922): check if [/idmmanage/] points to the web-inf directory
    jk_isapi_plugin.c (1938): [/idmmanage/] is a servlet url - should redirect to jboss
    jk_isapi_plugin.c (1978): fowarding escaped URI [/idmmanage/]

  4. Let me try and configure a new jboss environment and see if I missed a step.

  5. This comment has been removed by the author.

  6. This comment has been removed by the author.

  7. My integration was a bit trickier - having to include provisioning components. Got it done.. thanks for the tips..

  8. Glad you resolved your issue. Was it due to using organizations in your directory source? I would get empty tasks when my organizations were not properly defined. But yes, setting it up as a provisioning server is more complex than what I did.

  9. I have created a new user in Identity Manager but I am not able to log in with the given password?