
Monday, February 21, 2011

Sharing your Report Portal with SiteMinder, Identity Manager, and Access Control

Configuring Identity Manager 12.5, SiteMinder 12sp3, and Access Control 12.5sp3 with a common Report Server 
[Draft 1] If you are using multiple CA Security products, it is cost effective and convenient to have Identity Manager and SiteMinder share a single Report Server. Because the products have different release cycles, you are limited to the latest version of the Business Objects Report Server that all the products you want to integrate support. As a result, you will have to use version 2.1 until SiteMinder supports 3.0. More information can be found at CA support by searching for the technical report TEC537893.
For this exercise, the Business Objects 2.1 Report Server will be used. The setup consists of Identity Manager 12.5sp5 and SiteMinder 12sp3 using a MS SQL 2008 DB. The Report Server will be installed using the included MySQL DB. Based on feedback from peers with experience installing the report portal, it is highly recommended to install on Windows instead of Solaris. 
The order of the installation is important. As recommended by CA, install and configure the Report Portal with SiteMinder first. 
Installing the SiteMinder Report Server
Install the report server at media:\cabi\Disk1\InstData\VM\install.exe
Accept the license agreement and click next.
Select Typical for installation type.
Select the installation path and click next.
Enter the Business Objects Administrator password. 
Next are the Apache Tomcat port settings. Leave them as default. For performance reasons, you don't want to run any additional applications on the Report Portal.
For the MySQL settings, enter the desired MySQL root password, a user name and password to be used for accessing the MySQL instance, and a database name to be created. 
Next is the option to enable Auditing. Select ‘No’. 
The final screen is the Review Settings. Validate your settings and click on Install to proceed. 
Installation will last up to 2 hours, depending on the configuration of your hardware. 
A restart will be required to complete the install. 
After reboot you will need to install the report templates. The Report Server Configuration Wizard is located at media:\ca-rs-config-12.0-sp3-win32.exe.
Accept the License agreement and click next. 
At the Administration Credential section, enter the password entered at install for the Business Objects Administrator. 
At the CA SiteMinder Audit Database Type, select your DB. You will have to have configured an audit DB to be used by the SiteMinder Policy Server previously. 
Review your settings and click on Install to start process. Restart will be required to complete install.
Register the Report Portal on the SiteMinder Policy Server
Using the XPSRegClient tool, register the Report Portal server. Example: XPSRegClient -report -vT
You will be prompted for password. 
After a successful client registration, you now register the report server with the Policy Server. From the Report Server, navigate to \CA\SC\CommonReporting\external\scripts\. Open a command prompt at this location. 
Run the command:
regreportserver.bat -pshost -client -passphrase
Restart the Report Server. Navigate to All Programs->BusinessObjects XI Release 2->BusinessObjects Enterprise->Central Configuration Manager
Stop and start all running services. WinHTTP Web Proxy is not running and can be left stopped. 
Configuring the Report Server via the SiteMinder Administration UI
Next, login to the SiteMinder policy server using the administration UI. Click on the Administration Tab. Click on Report Connections and click on Create Report Server Connection.
Define the Report Server settings on the new window. You will need to give the connection a name, the hostname of the Report Server and the Business Objects Administrator password. 
Configure the SiteMinder Audit Database connection
If you have not done it already, you need to configure the SiteMinder Audit Database with the policy server. For details, refer to the SiteMinder R12sp3 Bookshelf documentation. 
While still at the Report Connections section, click on Create Audit Report Connection. Select your DB type. Give the connection a Connection Name. For the DSN, make sure you use the same DSN used to configure the Policy Server. Next enter the database server, port if not default, database name and the credentials required to access the database. Click submit to complete registration. 
At this point, SiteMinder configuration is complete and you can start to run reports. 
Configuring Identity Manager Report Portal
From the location of your Identity Manager Administration tools, copy the following file to the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\ReportServerTools\mergeconnections.reg
Double click the mergeconnections.reg file to import settings into report server. 
Next copy the appropriate jdbc jar file to the report server. From the location of your Identity Manager Administration tools, copy the following file to  the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\lib\jdbcdrivers\sqljdbc.jar (for ms sql) to \common\3.5\java\lib\
Next, modify the CRConfig.xml located in \common\3.5\java. Add the location of the sqljdbc.jar file to the class path.
Install the Identity Manager Reports
On the report server, make sure Java 1.5 JDK is installed and the JAVA_HOME variable is defined. 
From the location of your Identity Manager Administration tools, copy the following directory to the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\ReportServerTools\biconfig2.1\biconfig
Open a command line on the report server to the location of the ..\biconfig2.1\biconfig\ folder.
Run the command: biconfig.bat -h "reportserver" -u "Administrator" -p "password" -f "ms-sql-biar.xml" 
Keep in mind the user and password are the Business Objects Administrator user/password created at Report Server install time. 
Check the BIConfig.log for any errors and to validate success. 
You can also validate reports were imported by logging into the Business Objects InfoView console. Expand the Public Folders and you will see all available reports. At this point you should be able to see SiteMinder and IM Reports.  
Configuring the Identity Manager Environment to use reporting
Configure the Business Objects Report Server with your environment. Navigate to http://:8080/idmmanage
Click on Environment, select your environment and click on Advanced Settings. Click on Reports and populate the required fields. 
The Business Objects Report Folder is always "IM Reports".
Save your configuration. 
Configuration on Environment
Log in to your environment as a system admin and click on the Reports->Snapshot Tasks tab. Expand Manage Snapshot Database Connection and click on Create Snapshot Database Connection. The window will be pre-populated with DB information taken from your IDM JDBC resources. 
Validate the connection data and enter the password for your DB User ID. Click the Test Connection button to validate. Click Submit to save. 
Next expand the Manage Snapshot Definition and click on Create Snapshot Definition. Select Create a new object of type Snapshot Type. Complete all the definition fields, select a Snapshot Parameter XML File and click on Submit. 
To test, go to Reports->Snapshot Tasks->Capture Snapshot Data. Click on Execute now. Select the snapshot definition and Submit. 
Next you must associate a Snapshot Definition with a Report Task. Go to Roles and Tasks, click on Admin Tasks and then on Modify Admin Task. In the Where field, select Category from the drop-down and enter Reports in the value field. Click on Search and you will get results for only the Reports Admin Tasks. 
Select a report. Click on Tabs tab. Click on the edit button by the Associate Snapshot Definitions.

Click Add, and Search when you are at the Select Snapshot Definition. Select the Snapshot Definition(s) you want to associate with this Report Task. 
Click OK and click on the Search tab. Click on Browse. 

Select the Task Roles Report Search Screen and click on Edit. 

In the Configure Report Template Selection Screen, click on the drop-down arrow for Connection Object for the Report and select 'rptParamConn'. Click OK, then Select, and Submit. 
After the task completes, go to Reports->Reporting Tasks. Expand Request a Report. Click on the report you have associated with a Snapshot Definition. If you have more than one snapshot taken, select the snapshot based on the timeframe you want to run your report against. Click on Schedule Report. 
With the Run Report set to Now, click Submit. Depending on the report, it might take some time to finish. 
To view status of your report, click on Reports->Reporting Tasks-> View My Reports. Click on Search to view all submitted reports and their status.
Click on your report to view. Configuration and validation is complete. 

Additional Integration Options: 
Configuring Access Control R12.5 using the shared Report Portal
Access Control 12.5sp3 is also compatible with the Business Objects 2.1 version of the Report Portal. 
Deploying the Access Control Reports to the Report Portal
Navigate to the CA Access Control Premium Edition Server Components DVD. Copy the folder \ReportPackages to the Report Portal Server. 
Extract the contents of the biconfig.zip. Next, copy the contents of either the MSSQL2005 or Oracle folder into the extracted biconfig folder.
For simplicity's sake, rename the biar file to a shorter name. For example:
C:\ReportPackages\biconfig\AccessControl_R12.5.biar
Next edit the import_biar_config_mssql2005.xml file. 
Update the biar file location as well as your MS SQL connection information. 
Make sure for the datasource, you enter the DB created for use by Access Control Enterprise Manager and not the Report Portal DB. 
Example values from the file:
OLE DB
MS SQL Server 2005
sa
P@ssword01
ac
dbserver.idmlabs.com
Next run biconfig.bat to import the reports. 
biconfig.bat -h -u administrator -p password (the Business Objects administrator password) -f import_biar_config_mssql2005.xml
Check the BIConfig.log to validate success or identify errors. 
Next you need to enable the management console on the Access Control Enterprise Manager server. First, shut down JBoss. Then navigate to \server\default\deploy\IdentityMinder.ear\management_console.war\WEB-INF. Edit the file web.xml:
    <filter>
       <filter-name>AccessFilter</filter-name>
       <filter-class>com.netegrity.ims.manage.filter.AccessFilter</filter-class>
       <init-param>
          <param-name>Enable</param-name>
          <param-value>true</param-value>
       </init-param>
    </filter>
Change the param-value from False to True. Restart JBoss after making the change. 
Once JBoss is up, navigate to http://:18080/idmmanage
Click on Environments->ac-env->Advanced Settings->Reports
Enter the Access Control Database info and Business Objects settings.
The Business Objects Reports folder is "CA Access Control r12".
Restart JBoss for the changes to take effect. Once JBoss is available, log in to the Enterprise Manager at http://:18080/iam/ac
Go to the Reports->Tasks tab. Expand Manage Snapshot Definition and click on Create Snapshot Definition. Create a new object of type Snapshot Type and click OK. 
Give the Snapshot Definition a Name. By default the only Identifier is PPM_ALL.xml. Click on Submit to proceed. You can only have one enabled Definition at a time.
Next, while still in Reports->Tasks tab, click on Capture Snapshot Data. Select the Snapshot Definition and click on Submit. 
Configuration is complete and you can now run reports. 

Sunday, February 20, 2011

How to Deploy CA Identity Manager R12.5 on WebSphere 6.1 on AIX 6.1

UPDATE: March 1, 2011. Identity Manager 12.5 SP6 has been released and officially supports WebSphere 6.1 64bit on AIX 6.1


Additional Update: JDBC Resource configuration section has been updated with connection pool requirements.  JMS Queue Connection Factories section has been updated with connection pool requirements.



Unofficial / Unsupported Guide to deploying Identity Manager R12sp5 on a WebSphere 6.1 Cluster (64 bit) on AIX 6.1
Scenario:
OS: AIX 6.1
APP: WebSphere 6.1 64bit Deployment Manager (Cluster)
This document is broken into 3 sections. Part one covers modifications required to the ear file. Part two covers all the WebSphere configurations required. Part three covers deployment and post deployment configurations.
If you are only deploying Identity Manager standalone, that is to say without any SiteMinder integration, then you can deploy on the CA supported WebSphere 6.1 32bit. However, if you are attempting to deploy Identity Manager and integrate with SiteMinder, there is a bug which requires that you use WebSphere 6.1 64 bit. Additional information on this bug can be found on CA support TEC #537795. You can still use this doc to do a manual deployment on the 32 bit WebSphere. Furthermore, the WebSphere configuration steps would be applicable to WebSphere on any platform.
Part One: Required ear file modifications
Extract Ear
Extract WAS_IMr12.ear to working directory /
jar -xvf WAS_IMr12.ear

Create folders:
policyserver
Move policyserver.rar into /policyserver folder

user_console
Move user_console.war into /user_console folder

workflow
Move workflow.rar into /workflow folder
Update SiteMinder agent libraries
Optional - You only need to do this if you are going to integrate with SiteMinder and if you are using AIX 6.1 or AIX 5.3 64 bit. You will need to download the Web Agent SDK and obtain the 64 bit version of the required files: 
libsmagentapi.so, libsmcommonutil.so, libsmerrlog.so, libsmjavaagentapi.so
Under the /library folder, replace the existing *.so agent files with the 64 bit versions.

Update Workpoint ports
Under /config folder
Update the following file and value to match the WebSphere application server BOOTSTRAP ADDRESS:
workpoint-client.properties
java.naming.provider.url=iiop://localhost:9810

Update the following file and value to match the web server port:
workpoint-server.properties
# This URL tells the WorkPoint Server where the WorkPoint Gateway is located.
workpoint.gateway.url=http://localhost:8080/wpGateway/

Update SiteMinder Policy Server Configurations
CD into the policyserver/ folder
Explode the policyserver.rar
jar -xvf policyserver.rar
CD into /policyserver/META-INF folder
Update the ra.xml file with the correct SiteMinder environment information.
You will need all policy servers listed, the admin ID, the agent name, and the password hashes.
ValidateSMHeadersWithPS:true  
enabled:false
FIPSMode:false
ConnectionURL: policyserver1,44443,44442,44441
UserName: siteminder
AdminSecret: password encrypted*
AgentName: 4.x agent created for use by IdM
AgentSecret: 4.x agent password encrypted*
ConnectionMin:8
ConnectionMax:128
ConnectionStep:8
ConnectionTimeout:1000
FailoverServers: policyserver1,44443,44442,44441;policyserver2,44443,44442,44441
Failover: true

* Get the encrypted password values for the Agent password as well as the SiteMinder (or other) admin password.
Navigate to the password tool directory on the IdM server:
.../CA/IdentityManager/IAM_Suite/Identity_Manager/tools/PasswordTool

./pwdtools.sh -JSAFE -p P@ssword01
--------------------------------------------------
Your JAVA_HOME is currently set to .../WebSphere/Common/java
--------------------------------------------------
Encrypting your password ...
******************************************
Plain Text: P@ssword01
Encrypted value: {PBES}:xfx8/9xxmHDOB3Raw9VZJA==
******************************************

Repackage policyserver.rar
Move up one level to /policyserver
Delete existing policyserver.rar
jar -cvf policyserver.rar *
Move new policyserver.rar up one level to /
Delete the folder /policyserver/

Update User Console Config
CD into /user_console
Explode the user_console.war
jar -xvf user_console.war
CD into /user_console/WEB-INF
Update web.xml with the following change:
    <filter>
        <filter-name>FrameworkAuthFilter</filter-name>
        <filter-class>com.netegrity.webapp.authentication.FrameworkLoginFilter</filter-class>
        <init-param>
            <param-name>Enable</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>


Repackage user_console.war
Move up one level to /user_console
Delete existing user_console.war
jar -cvf user_console.war *
Move new user_console.war up one level to /
Delete the folder /user_console/

Update Workflow Config
CD into /workflow
Explode the workflow.rar
jar -xvf workflow.rar
CD into /workflow/META-INF
Edit ra.xml:

        <config-property>
            <config-property-name>UserName</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>IDM</config-property-value>
        </config-property>
        <config-property>
            <config-property-name>Password</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>P@ssword01</config-property-value>
        </config-property>

This IDM user must exist and be referenced by WebSphere at runtime. Also, do NOT encrypt the password: it is encrypted by WebSphere at deployment time. The location of this ID will depend on your WebSphere Global Security configuration. 

Repackage workflow.rar
Move up one level to /workflow
Delete existing workflow.rar
jar -cvf workflow.rar *
Move new workflow.rar up one level to /
Delete the folder /workflow/

Repackage Ear
After all modifications are made, repackage the ear for the particular environment being deployed to.
From the working directory, delete the existing WAS_IMr12.ear.
Package the new ear with the following naming format:
WAS_IMr12(major version)sp(Service pack version)_environment.ear
jar -cvf WAS_IMr125sp5_Dev.ear *

Ear file is ready to be deployed.
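Part One is a sequence of jar -xvf / edit / jar -cvf round trips. As an added example (not from the original post or from CA), the following Python script does the policyserver.rar leg of that procedure with the standard zipfile module: it rewrites named config-property values in META-INF/ra.xml inside the nested archive and refuses to write an AdminSecret or AgentSecret that is not in the {PBES}: form pwdtools prints, so a plain-text secret cannot slip into the ear. The sample ear, the function names and the archive layout are assumptions constructed for the example.

```python
import io
import re
import zipfile

SECRET_KEYS = {"AdminSecret", "AgentSecret"}
# Shape of the value pwdtools prints ("{PBES}:" then base64); assumed from the post's sample output.
PBES_RE = re.compile(r"^\{PBES\}:[A-Za-z0-9+/]+=*$")


def set_config_properties(ra_xml, updates):
    """Rewrite <config-property-value> for each named <config-property> in ra.xml text."""
    out = ra_xml
    for name, value in updates.items():
        if name in SECRET_KEYS and not PBES_RE.match(value):
            raise ValueError(name + " must be the {PBES}: value from pwdtools, not plain text")
        pattern = re.compile(
            r"(<config-property-name>\s*" + re.escape(name) + r"\s*</config-property-name>"
            r".*?<config-property-value>)(.*?)(</config-property-value>)", re.DOTALL)
        out, n = pattern.subn(lambda m: m.group(1) + value + m.group(3), out, count=1)
        if n != 1:
            raise KeyError("config-property " + name + " not found in ra.xml")
    return out


def rewrite_member(archive, member, transform):
    """Return a copy of a zip/jar archive with one member's bytes passed through transform."""
    found = False
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == member:
                data, found = transform(data), True
            dst.writestr(info, data)  # untouched members are copied as-is
    if not found:
        raise KeyError(member + " not found in archive")
    return buf.getvalue()


def patch_ear(ear, updates):
    """Apply updates to META-INF/ra.xml inside policyserver.rar inside the ear (nested zip)."""
    def patch_rar(rar):
        return rewrite_member(rar, "META-INF/ra.xml",
                              lambda xml: set_config_properties(xml.decode("utf-8"), updates).encode("utf-8"))
    return rewrite_member(ear, "policyserver.rar", patch_rar)


def read_ra_xml(ear):
    """Read back ra.xml text from policyserver.rar inside the ear, for verification."""
    with zipfile.ZipFile(io.BytesIO(ear)) as e, zipfile.ZipFile(io.BytesIO(e.read("policyserver.rar"))) as r:
        return r.read("META-INF/ra.xml").decode("utf-8")


def build_sample_ear():
    """Constructed stand-in for WAS_IMr12.ear: a rar with a minimal ra.xml plus one other member."""
    props = [("ConnectionURL", "localhost,44443,44442,44441"),
             ("UserName", "siteminder"), ("AdminSecret", "CHANGEME")]
    body = "".join("<config-property><config-property-name>%s</config-property-name>"
                   "<config-property-type>java.lang.String</config-property-type>"
                   "<config-property-value>%s</config-property-value></config-property>\n" % p
                   for p in props)
    rar, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(rar, "w") as z:
        z.writestr("META-INF/ra.xml", "<connector>\n" + body + "</connector>\n")
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("policyserver.rar", rar.getvalue())
        z.writestr("user_console.war", b"placeholder")
    return ear.getvalue()


if __name__ == "__main__":
    patched = patch_ear(build_sample_ear(), {
        "ConnectionURL": "policyserver1,44443,44442,44441",
        "AdminSecret": "{PBES}:xfx8/9xxmHDOB3Raw9VZJA=="})  # encrypted value from the post's pwdtools sample
    print(read_ra_xml(patched))
```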
Part Two: Manual Configuration of WebSphere Resources
Creating JDBC Resources
JDBC Provider:
Create the appropriate Provider

Required JDBC Sources

Name                                   JNDI name
Audit Data Source                      auditDbDataSource
Object Store Data Source               jdbc/objectstore
Report Snapshot Data Source            jdbc/reportsnapshot
Task Persistence Archive Data Source   jdbc/archive
Task Persistence Data Source           jdbc/idm
Workflow Data Source                   jdbc/WPDS

IMSBUS Configuration
Create Bus
Service Integration->Buses->New
Name it IMSBus (no security). If using clusters, name them IMSBUS# with one IMSBus per cluster, each with a unique name.

Select newly created IMSBus
Topology->Bus members->Add
Select Application Server
Select DB (*settings are unique for each member):

Data Source JNDI Name   jdbc/ibmwssib1
Schema Name             Idm_sib1

Buses->IMSBus->Destinations
Create a new queue for each of the following identifiers:
IMSEvents
wpUtilQueue
wpServAutoActQueue
RuntimeStatusDetailQueue
wpEventQueue

Create a new topic space using the following identifier:
ServerCommand

JMS Resources Configuration

Queue Connection Factories
Always use Default Messaging Provider

Name                  JNDI name                          Bus name
neteQCF               javax.jms.QueueConnectionFactory   IMSBus
wpConnectionFactory   jms/wpConnectionFactory            IMSBus

Topic Connection Factories
Always use Default Messaging Provider

Name               JNDI name                            Bus name
neteTCF            javax.jms.TopicConnectionFactory     IMSBus
GeneralMonitorCF   com/netegrity/idm/GeneralMonitorCF   IMSBus


Queues
Always use Default Messaging Provider

Name                       JNDI name                        Bus name   Queue name
IMSEvents                  com.netegrity.ims.msg.queue      IMSBus     IMSEvents
wpServAutoActQueue         queue/wpServAutoActQueue         IMSBus     wpServerAutoActQueue
wpUtilQueue                queue/wpUtilQueue                IMSBus     wpUtilQueue
RuntimeStatusDetailQueue   queue/RuntimeStatusDetailQueue   IMSBus     RuntimeStatusDetailQueue
wpEventQueue               queue/wpEventQueue               IMSBus     wpEventQueue
  
Topics
Always use Default Messaging Provider

Name            JNDI name                  Bus name   Topic name
ServerCommand   topic/ServerCommandTopic   IMSBus     ServerCommand
  
Activation Specifications
Always use Default Messaging Provider

Name                       JNDI name                      Destination type   Destination JNDI name            Bus name
Act                        ACT                            queue              com.netegrity.ims.msg.queue      IMSBus
wpServAutoActActSpec       jms/wpServAutoActActSpec       queue              queue/wpServAutoActQueue         IMSBus
wpUtilActSpec              jms/wpUtilActSpec              queue              queue/wpUtilQueue                IMSBus
ServerCommand              ServerCommand                  topic              topic/ServerCommandTopic         IMSBus
RuntimeStatusDetailQueue   jms/RuntimeStatusDetailQueue   queue              queue/RuntimeStatusDetailQueue   IMSBus
wpEventActSpec             jms/wpEventActSpec             queue              queue/wpEventQueue               IMSBus

Mail Resources

Mail->Mail Sessions->New

Name       JNDI name
mailMail   mail/Mail
  
Core Groups Configuration
Servers->Core groups -> Core group settings->DefaultCoreGroup->Policies
Create new policy for each node that will be a part of the cluster.
New policy->Select  "One of N policy"
Name: (Create a unique name) Node1GP
Is alive timer =120
Click OK to enable Match criteria link
Additional Properties->Match criteria->New
Name=type Value=WSAF_SIB
Name=WSAF_SIB_MESSAGING_ENGINE Value=(IMSBus Bus member value)

Core groups->DefaultCoreGroup->Policies->Node1GP->Preferred servers (One per cluster/node)

Add Node(s)
With multiple nodes, one policy lists the primary and secondary servers in one order, while the second policy lists them in the reverse order.


Web Container Configuration

In the administrative console click Servers > Application Servers > server_name > Web Container settings > Web Container
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two value pairs.
com.ibm.ws.jsp.jdkSourceLevel  = 15
com.ibm.ws.webcontainer.invokefilterscompatibility = true
Bounce WebSphere Environment

Part Three: IDM ear File Deployment and Post Deploy Configurations
Deploy Identity Manager ear files.
Deploy CA_Styles_R5.1.1
Deploy to web server and cluster. Accept Defaults for deployment

Deploy WAS_R125sp5.ear
Select Precompile JavaServer Pages Files.
Deploy to web server and cluster.
The rest are left as default.

Do not start new applications.

Post Deployment Configuration

Message Driven Bean Listener
Enterprise Applications > IdentityMinder > Message Driven Bean listener bindings

You only need to update the first 3 modules as the remaining 3 are properly configured.

EJB                             Bindings - Activation Specification Target Resource JNDI Name
SubscriberMessageEJB            ACT
ServerCommandsEJB               ServerCommand
RuntimeStatusDetailEJB          jms/RuntimeStatusDetailQueue
ServerAutomatedActivityMDBean   jms/wpServAutoActActSpec
EventMDBean                     jms/wpEventActSpec
UtilityMDBean                   jms/wpUtilActSpec



PolicyServer J2C Connection Factory Configuration
Enterprise Applications > IdentityMinder > Manage Modules > policyserverRA > Resource Adapter> J2C connection factories > PolicyServerRA >New

Name                     JNDI name
PolicyServerConnection   nete/rar/PolicyServerConnection
Set all Container-managed authentication alias to "None"
Delete default connection factory: com.netegrity.ra.policyserver.IPolicyServerConnectionFactory

Optional: Validate settings are appropriate for SiteMinder environment
Enterprise Applications > IdentityMinder > Manage Modules > policyserver.rar > IdentityMinder.PolicyServerRA > J2C connection factories > PolicyServerConnection > Custom properties
Validate correct SiteMinder settings

Workflow J2C Connection Factory Configuration
Now select the following from the actions menu Enterprise Applications > IdentityMinder > Manage Modules > WorkflowRA > Resource Adapter > J2C connection factories > WorkflowRA>New

Name       JNDI name
Workflow   Workflow
Set all Container-managed authentication alias to "None"
Do not delete existing connection factory

User Console Class Loader Configuration
Now select the following from the actions menu Enterprise Applications > IdentityMinder > Manage Modules >IMS-UI
Change Class loader order to use:
Classes loaded with application class loader first

Application Server LIBPATH Configuration
Navigate to Application Servers-> server->process definition ->Environment Entries->New

Name      Value*
LIBPATH   .../WebSphere/Common/profile/AppServer/installedApps/.../IdentityMinder.ear/library
*The path will be unique for each application server.

Starting Identity Manager
Make sure nodes are in sync and restart WebSphere Environment
Check SystemOut.log for any errors.

Check IdentityManager console for validation
http://host:port/idmmanage/homepage.do