Thursday, October 4, 2012

Deploying SiteMinder 12.5 Federation Services on WebSphere 7

One of the new features of SiteMinder 12.5 is that most of the federation management capabilities are finally integrated into the AdminUI. There are various options for deploying the federation services. In this example, I will go over how to deploy the federation service on a WebSphere 7 clustered environment. Compared to earlier versions of the product, deploying SiteMinder 12.5 Federation Services was extremely easy this time around.

Prerequisites
SiteMinder 12.5 Policy Server
WebSphere 7 clustered environment
IHS configured with plugin to the WebSphere Application Servers
SiteMinder 12.5 WebAgent on the IHS configured with Policy Server


Installing the Option Pack
On the WebSphere Application Server, install the SiteMinder Web Agent Option Pack. For example, on Linux with 64-bit WebSphere, the installer is ca-wa-opack-12.5-linux-x86-64.bin.

./ca-wa-opack-12.5-linux-x86-64.bin -i console
Hit ENTER 55 times to make it through the license agreement and Y once to accept it.

The next step is to select the correct Java. Make sure you use the WebSphere Java and not an OS install.
The location of the WebSphere JRE is:
.../WebSphere/Common/java/jre/bin/java

Next, enter the path of an existing SiteMinder Web Agent if you have a local IHS instance on the Application Server. Even if you do happen to have a local IHS with the SiteMinder Agent installed, we have always installed the option pack in its own location. CA Pro Services recommended this method as a clean way to keep the web agent and option pack installs separate and independent of each other. It also avoids any issues with a 32-bit web agent for IHS and a 64-bit option pack for WebSphere.
So, enter a new path for the option pack and proceed with the install.
../CA/webagent_optionpack

Source the Web Agent Option Pack and WebSphere App Server variables
Source the web agent option pack environment variables
. ./CA/webagent_optionpack/ca-wa-opack-env.sh
Source the WebSphere paths. We, for example, keep these in a .profile_WAS file that we maintain. Furthermore, WebSphere needs the option pack variables any time it is restarted, so we add the option pack variables to our WebSphere profile.


Register the Web Agent OptionPack
If you have a local IHS on the WebSphere server with a web agent configured, you can skip this step because you will already have an existing SmHost.conf and WebAgent.conf file. If not, you will need to register the web agent option pack and create a WebAgent.conf file. Start by creating an ACO for the web agent option pack.

.../CA/webagent_optionpack/bin/smreghost -i"policyserver" -u"siteminder" -p"password" -hn"trustedHostName" -hc"HCO"

Once the SmHost.conf is created, move the file to:
.../CA/webagent_optionpack/config/

Also, within the config directory, create the WebAgent.conf file. The basic parameters required are:
HostConfigFile="../CA/webagent_optionpack/config/SmHost.conf"
AgentConfigObject=""
EnableWebAgent="YES"


Configuring the Federation Service
Navigate to ../CA/webagent_optionpack/affwebservices/WEB-INF/classes
Modify the affwebservices.properties file.
AgentConfigLocation=

Next, modify the LoggerConfig.properties file.
Update the logging options to enable basic logging and/or trace-level logging. Update the path of the log location.

Copy Web Agent Option Pack libraries to WebSphere
Copy the following files to your WebSphere Application Server profile:
from ../CA/webagent_optionpack/bin/
to ../WebSphere/Common/profiles//bin/
libsmcommonutil.so
libsmerrlog.so
libsmfedclientcomponent.so
libsmjavaagentapi.so
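
A pre-flight check for the registration, WebAgent.conf and library-copy steps above, written as an added example that is not part of the original post or of the CA tooling. The function names, the sample ACO name used when testing it, and the owner-only permission check on SmHost.conf (which holds the trusted host's shared secret) are assumptions of this example; it expects quoted values in WebAgent.conf and an absolute HostConfigFile path.

```shell
#!/bin/sh
# Added example: pre-flight check before building affwebservices.war.
# Usage: check_opack CONFIG_DIR PROFILE_BIN_DIR
# Prints one line per problem; the return status is the number of problems.

# Print the value of KEY="value" from FILE (last match wins, comments ignored).
conf_value() {
    sed -n "s/^ *$1 *= *\"\\(.*\\)\" *\$/\\1/p" "$2" | tail -n 1
}

check_opack() {
    conf_dir=$1; bin_dir=$2; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    host="$conf_dir/SmHost.conf"; wa="$conf_dir/WebAgent.conf"

    # SmHost.conf holds the trusted host's shared secret: owner-only access
    # (assumes the file is owned by the account WebSphere runs as).
    if [ ! -f "$host" ]; then
        fail "$host missing (run smreghost, then move the file here)"
    elif [ "$(ls -ld "$host" | cut -c5-10)" != "------" ]; then
        fail "$host is accessible to group/other (chmod 600)"
    fi

    if [ ! -f "$wa" ]; then
        fail "$wa missing"
    else
        hcf=$(conf_value HostConfigFile "$wa")
        [ -n "$hcf" ] && [ -f "$hcf" ] ||
            fail "HostConfigFile does not name an existing file: '$hcf'"
        [ -n "$(conf_value AgentConfigObject "$wa")" ] ||
            fail "AgentConfigObject is empty (set it to the option pack ACO)"
        [ "$(conf_value EnableWebAgent "$wa")" = "YES" ] ||
            fail "EnableWebAgent is not \"YES\""
    fi

    # Native libraries copied from the option pack bin/ directory.
    for lib in libsmcommonutil.so libsmerrlog.so \
               libsmfedclientcomponent.so libsmjavaagentapi.so; do
        [ -f "$bin_dir/$lib" ] || fail "$lib not found in $bin_dir"
    done
    return "$problems"
}
```

Call it with the option pack config directory and the WebSphere profile bin directory; a return status of 0 means every check passed.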

Create the Federation Services WAR file
Navigate to ../CA/webagent_optionpack/affwebservices
Run the jar command (if you don't have the WebSphere PATH sourced, the jar command will fail):
jar -cvf affwebservices.war .

Deploy the affwebservices.war
Log in to the WebSphere Deployment Manager.

Deploy the Enterprise Application and navigate to the location of the war file.

For Deployment options, select Detailed

 
 
On Application Security Warnings, click Continue.
Step 1, Select installation options: choose the defaults.
Step 2, Map modules to servers: make sure you select the appropriate cluster and your web server as well.
Steps 3, 4, 5, 6 and 7 can be left at their defaults.
Step 8, Map context roots for Web modules: change the context root to /affwebservices/

 

Finish Deployment and Save

Post Deploy Configurations
In WebSphere Console, navigate to Applications, Enterprise Applications and select affwebservices_war.

Select Class Loader and update the WAR class loader policy to:
Single class loader for application.

By default, Class loader order should already be correct, but if not, set to:
Classes loaded with parent class loader first

Save changes.
 
Update the Global Plugin and make sure it is pushed out to the local and/or remote IHS instance.

Bounce WebSphere
Make sure the option pack is being sourced by the same profile WebSphere uses. Restart your WebSphere environment and monitor the SystemOut.log for any errors.

Test the deployment by going to the federation web service which is located at:
http://fqdn_host:port/affwebservices/assertionretriever

You should get a message back:
Assertion Retrieval Service has been successfully initialized.