Monday, February 21, 2011

Sharing your Report Portal with SiteMinder, Identity Manager, and Access Control

Configuring Identity Manager 12.5 ,SiteMinder 12sp3, and Access Control 12.5sp3 with common Report Server 
[Draft 1] If you are using multiple CA Security products, it will be cost effective and convenient to use a single Report Server by Identity Manager and SiteMinder. Based on different  release cycles, you are limited to use the latest supported version of the Business Objects Report Server supported by all the products you want to integrate. As a result, you will have to use version 2.1 until SiteMinder supports 3.0. More information can be referenced at CA support by searching for the technical report TEC537893.
For this exercise, the Business Objects 2.1 Report Server will be used. The set up consists of Identity Manager 12.5sp5 and SiteMinder 12sp3 using MS SQL 2008 DB. The Report Server will be installed using the included mySQL DB. Based on feedback from peers with experience installing the report portal, it s highly recommended to install on Windows instead of Solaris. 
The order of the installation is important. As recommended by CA, install and configure the Report Portal with SiteMinder first. 
Installing the SiteMinder Report Server
Install the report server at media:\cabi\Disk1\InstData\VM\install.exe
Accept the license agreement and click next.
Select Typical for installation type.
Select the installation path and click next.
Enter the Business Objects Administrator password. 
Next is the Apache Tomcat port settings. Leave as default. Due to performance, you don’t want to run any additional applications on the Report Portal.
For the MySQL settings, enter the desired MySQL root password, an user name and password to be used for accessing the mysql instance and a Database name to be created. 
Next is the option to enable Auditing. Select ‘No’. 
The final screen is the Review Settings. Validate your settings and click on Install to proceed. 
Installation will last up to 2 hours, depending on the configuration of your hardware. 
A restart will be required to complete the install. 
After reboot you will need to install the report templates. The Report Server Configuration Wizard is located at media:\ca-rs-config-12.0-sp3-win32.exe.
Accept the License agreement and click next. 
At the Administration Credential section, enter the password entered at install for the Business Objects Administrator. 
At the CA SiteMinder Audit Database Type, select your DB. You will have to have configured an audit DB to be used by the SiteMinder Policy Server previously. 
Review your settings and click on Install to start process. Restart will be required to complete install.
Register the Report Portal on the SiteMinder Policy Server
Using the XPSRegClient tool, register the Report Portal server. Example: XPSRegClient -report -vT
You will be prompted for password. 
After a successful client registration, you now register the report server with the Policy Server. From the Report Server, navigate to \CA\SC\CommonReporting\external\scripts\. Open a command prompt at this location. 
Run the command:
regreportserver.bat -pshost -client -passphrase
Restart the Report Server. Navigate to All Programs->BusinessObjects XI Release 2->BusinessObjects Enterprise->Central Configuration Manager
Stop and start all running services. WinHTTP Web Proxy is not running and can be left stopped. 
Configuring the Report Server via the SiteMinder Administration UI
Next, login to the SiteMinder policy server using the administration UI. Click on the Administration Tab. Click on Report Connections and click on Create Report Server Connection.
Define the Report Server settings on the new window. You will need to give the connection a name, the hostname of the Report Server and the Business Objects Administrator password. 
Configure the SiteMinder Audit Database connection
If you have not done it already, you need to configure the SiteMinder Audit Database with the policy server. For details, refer to the SiteMinder R12sp3 Bookshelf documentation. 
While still at the Report Connections section, click on Create Audit Report Connection. Select your DB type. Give the connection a Connection Name. For the DSN, make sure you use the same DSN used to configure the Policy Server. Next enter the database server, port if not default, database name and the credentials required to access the database. Click submit to complete registration. 
At this point, SiteMinder configuration is complete and you can start to run reports. 
Configuring Identity Manager Report Portal
From the location of your Identity Manager Administration tools, copy the following file to the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\ReportServerTools\mergeconnections.reg
Double click the mergeconnections.reg file to import settings into report server. 
Next copy the appropriate jdbc jar file to the report server. From the location of your Identity Manager Administration tools, copy the following file to  the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\lib\jdbcdrivers\sqljdbc.jar (for ms sql) to \common\3.5\java\lib\
Next, modify the CRConfig.xml located in \common\3.5\java. Add the location of the sqljdbc.jar file to the class path.
Install the Identity Manager Reports
On the report server, make sure Java 1.5 JDK is installed and the JAVA_HOME variable is defined. 
From the location of your Identity Manager Administration tools, copy the following directory to the report server:
..\CA\Identity Manager\IAM Suite\Identity Manager\tools\ReportServerTools\biconfig2.1\biconfig
Open a command line on the report server to the location of the ..\biconfig2.1\biconfig\ folder.
Run the command: biconfig.bat -h “reportserver” -u “Administrator” -p “password” -f “ms-sql-biar.xml” 
Keep in mind the user and password are the Business Object Admin user/password created at Report Server install time. 
Check the BIConfig.log for any errors and to validate success. 
You can also validate reports were imported by logging into the Business Objects InfoView console. Expand the Public Folders and you will see all available reports. At this point you should be able to see SiteMinder and IM Reports.  
Configuring the Identity Manager Environment to use reporting
Configure the Business Objects Report Server with your environment.  Navigate to http://:8080/idmmanage
Click on Environment, select your environment and click on Advanced Settings. Click on Reports and populate the required fields. 
The Business Objects Report Folder is always “IM Reports”.
Save your configuration . 
Configuration on Environment
Login into your environment as a system admin and click on the Reports->Snapshot Tasks tab. Expand Manage Snapshot Database Connection and Click on Create Snapshot Database Connection. The windows will be pre-populated with DB information taken from your IDM JDBC resources. 
Validate the connection data and enter the password for your DB User ID. Click the Test Connection button to validate. Click Submit to save. 
Next expand the Manage Snapshot Definition and click on Create Snapshot Definition. Select Create a new object of type Snapshot Type. Complete all the definition fields, select a Snapshot Parameter XML File and click on Submit. 
To test, go to Reports->Snapshot Tasks->Capture Snapshot Data. Click on Execute now. Select the snapshot definition and Submit. 
Next you must associate a Snapshot definition with a Report Task. Go to Roles and Tasks, click on Admin Tasks and again on Modify Admin Task. In the where filed, drop down to Category and enter Reports in the value field. Click on Search and you will get results for only the Reports Admin Tasks. 
Select a report. Click on Tabs tab. Click on the edit button by the Associate Snapshot Definitions.

Click Add, and Search when you are at the Select Snapshot Definition. Select the Snapshot Definition(s) you want to associate with this Report Task. 
Click OK and click on the Search tab. Click on Browse. 

Select the Task Roles Report Search Screen and click on Edit. 

In the Configure Report Template Selection Screen, click on the drop-down arrow for Connection Object for the Report and select ‘rptParamConn’. Click OK, then Select, and Submit. 
After the task completes, go to Reports->Reporting Tasks. Expand Request a Report. Click on the report you have associated with a Snapshot Definition. If you have more than 1 Snapshot taken, select the snapshot based on the timeframe you want to run your report against. Click on Schedule Report. 
With the Run Report set to Now, click Submit.  Depending on report, your report might take some time to finish. 
To view status of your report, click on Reports->Reporting Tasks-> View My Reports. Click on Search to view all submitted reports and their status.
Click on your report to view. Configuration and validation is complete. 

Additional Integration Options: 
Configuring Access Control R12.5 using the shared Report Portal
Access Control 12.5sp3 is also compatible with the Business Objects 2.1 version of the Report Portal. 
Deploying the Access Control Reports to the Report Portal
Navigate to the CA Access Control Premium Edition Server Components DVD. Copy the folder \ReportPackages to the Report Portal Server. 
Extract the contents of the Next, copy the contents of either the MSSQL2005 or Oracle folder into the extracted biconfig folder.
For simplicity sake, rename the biar file to a shorter name. For Example:
Next edit the import_biar_config_mssql2005.xml file. 
Update the biar file location as well as your MS SQL connection information. 
Make sure for the datasource, you enter the DB created for use by Access Control Enterprise Manager and not the Report Portal DB. 
Example File:
MS SQL Server 2005
Next run biconfig.bat to import the reports. 
biconfig.bat -h -u administrator -p password(for BO administrator) -f import_biar_config_mssql2005.xml
Check the BIConfig.log to validate success or identify errors. 
Next you need to enable the management console on the Access Control Enterprise Manager server. First, shut down Jboss. Then navigate to \server\default\deploy\IdentityMinder.ear\management_console.war\WEB-INF. Edit the file web.xml
Change the param-value from False to True. Restart Jboss after making the change. 
Once jboss is up, navigate to http://:18080/idmmanage
Click on Environments->ac-env->Advanced Settings->Reports
Enter the Access Control Database info and Business Objects settings.
Business Objects Reports folder is “CA Access Control r12”.
Restart Jboss for changes to go into effect. Once Jboss is available, login to the Enterprise Manager at http://:18080/iam/ac
Go to the Reports->Tasks tab. Expand Manage Snapshot Definition and click on Create Snapshot Definition. Create a new object of type Snapshot Type and click OK. 
Give the Snapshot Definition a Name. By default the only Identifier is PPM_ALL.xml. Click on Submit to proceed. You can only have one enabled Definition at a time.
Next, while still in Reports->Tasks tab, click on Capture Snapshot Data. Select the Snapshot Definition and click on Submit. 
Configuration is complete and you can now run reports. 


  1. This strategy will inhibit applying maintenance to one or more of your deployed IAM products. Please contact support.

  2. Chris: Support has a similar doc covering this and Pre-sales pushes this as a benefit. Best practices might dictate this is not the best approach depending on your implementation but I have seen this requested by customers after being told it was an option.

    Thanks for your input. If folks will get themselves in trouble by doing this, definitely need to warn folks.

  3. I read through TEC537893, which simply indicates that it's possible to do the CABI 2.1 integration with specific versions of IM and SM NOT that it's been certified or that there's any interoperability certification of latest CABI version, for future releases of IM / SM. This technical document was published before IM r12.5 SP06 was released, which has now mandated the use of CABI 3.2 with IM up through the current SP8. There's no backwards compatibility for End of Service CABI version 2.1, which is no longer available for download. Please consider many functional snapshot filtering and reporting fixes have been released or are pending to be released in later IM service packs, which are critical for large scale deployments. However, please consider it's fully supported to unify reporting by simply deploying one Identity Manager Report server installation for all your Dev, QA, UAT and PROD IM environments, providing you ensure consistent and proactive maintenance routine throughout all your mutually exclusive IM deployments.