Install the Administrative UI on Linux (stand-alone)
The Administrative UI requires an application server to run. The following procedure describes a stand-alone installation. A stand-alone installation requires that you run a prerequisite installer followed by the Administrative UI installer. The prerequisite installer puts down an embedded JBoss application server and the required JDK. After a successful prerequisite installation, you run the Administrative UI installer.
Prepare for the Administrative UI Installation
Before you install the Administrative UI, complete the following prerequisite tasks.
Verify the Host System Requirements
A host system for a stand-alone Administrative UI installation must meet the following minimum system requirements. These recommendations accommodate only the UI. Size your hardware appropriately for all services running on the same system.
- Memory: 1.5 GB of system RAM
- Available disk space: 1.5 GB
- Temp directory space: 3 GB
- Screen resolution: 1024 x 768 or higher with 256 colors or better to view the Administrative UI properly
Use the Platform Support Matrix to verify that the operating environment and other required third-party components are supported.
By default, Red Hat Enterprise Linux gathers entropy from general computing activity (interrupt and I/O timing) and exposes the kernel random number generator through the /dev/random and /dev/urandom character devices. On the kernels this guide was written for, /dev/random stops supplying numbers when the kernel estimates that too little entropy has been collected, which is why it is treated as the more secure device; /dev/urandom draws on the same kernel pool but never blocks, so it provides an unlimited supply of pseudo-random numbers even when the entropy estimate is low. On Linux 5.6 and later, /dev/random blocks only until the pool has been seeded once after boot, so the workarounds below matter on older kernels such as the 3.10 kernel of Red Hat Enterprise Linux 7.
The Administrative UI installation and registration processes use /dev/random. Because /dev/random stops supplying numbers when entropy is insufficient, the installation can take a very long time and runtime performance can suffer.
To increase the source of randomness for the entropy pool, use one of the following options:
- (Most secure; FIPS compliant) Install a hardware entropy generator and configure the rngd daemon to use it to populate /dev/random. For example:
rngd -r /dev/device_name -o /dev/random -b
device_name is the character device in use. The device name varies depending on the hardware random number generator that you are using, for example, /dev/hwrng. For more information about the rngd daemon, see the Red Hat documentation.
- (Good security; not FIPS compliant) Configure the rngd daemon to populate /dev/random from /dev/urandom by entering the following command:
rngd -r /dev/urandom -o /dev/random -b
Third-party alternatives to the rngd entropy daemon are also available.
- (Least secure; not FIPS compliant) Replace /dev/random with a symbolic link to /dev/urandom by entering the following commands:
mv /dev/random /dev/random.org
ln -s /dev/urandom /dev/random
Because /dev is recreated at boot, this link does not survive a reboot on its own.
To monitor the entropy on the system, enter the following command:
watch -n 1 cat /proc/sys/kernel/random/entropy_avail
To ensure that sufficient entropy is available for the Policy Server after a system crash or reboot, add your chosen option to an appropriate startup or service script.
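The choice among these options can be scripted. The following is an added example and is not part of the CA documentation: it reads the kernel release and the bound hardware RNG (if any), picks the matching option from the list above, prints the rngd command for it, and warns when the pool is below 256 bits before you start the installer. The 5.6 cut-off reflects that from Linux 5.6 on, /dev/random no longer blocks once the pool has been seeded, so no rngd workaround is needed there; the /proc and /sys paths are the standard Linux ones.

```sh
#!/bin/sh
# Added example, not part of the CA documentation: work out which of the three
# entropy options above applies to this host and warn if the pool is low before
# the installer starts. Assumes a Linux /proc and /sys layout; 5.6 is the kernel
# release from which /dev/random stops blocking after it has been seeded once.

# kernel_random_blocks RELEASE -> succeeds (0) when the kernel in RELEASE
# (as printed by uname -r, e.g. 3.10.0-1160.el7.x86_64) is older than 5.6
kernel_random_blocks() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}
  [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }
}

# entropy_source RELEASE RNG_CURRENT -> hwrng | urandom | none
# RNG_CURRENT is the content of /sys/class/misc/hw_random/rng_current, which
# reads "none" (or is absent) when no hardware RNG is bound.
entropy_source() {
  if kernel_random_blocks "$1"; then
    case "$2" in
      ''|none) echo urandom ;;   # no hardware RNG: the "good security" option
      *)       echo hwrng ;;     # hardware RNG bound: the FIPS-compliant option
    esac
  else
    echo none                    # 5.6+: /dev/random no longer starves
  fi
}

# rngd_command SOURCE -> the rngd invocation from the text for SOURCE
rngd_command() {
  case "$1" in
    hwrng)   echo 'rngd -r /dev/hwrng -o /dev/random -b' ;;
    urandom) echo 'rngd -r /dev/urandom -o /dev/random -b' ;;
    none)    echo '# kernel 5.6 or later: no rngd workaround needed' ;;
    *)       echo "unknown source: $1" >&2; return 1 ;;
  esac
}

# entropy_low FILE MIN -> succeeds when the bit count in FILE is below MIN,
# fails with status 2 when FILE is missing, unreadable or not a number
entropy_low() {
  avail=$(cat "$1" 2>/dev/null || true)
  case "$avail" in ''|*[!0-9]*) return 2 ;; esac
  [ "$avail" -lt "$2" ]
}

main() {
  release=$(uname -r)
  rng=$(cat /sys/class/misc/hw_random/rng_current 2>/dev/null || true)
  src=$(entropy_source "$release" "$rng")
  echo "kernel $release, hw_random=${rng:-none} -> option: $src"
  rngd_command "$src"
  if entropy_low /proc/sys/kernel/random/entropy_avail 256; then
    echo "WARNING: entropy_avail is below 256 bits; start rngd before running the installer"
  fi
}

main
```

Run it once before the prerequisite installer and again after adding rngd to the startup script; on a host that reports the option none, the remaining entropy steps in this section can be skipped.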
Verify Required Linux Libraries
No additional library files are required to install the Administrative UI on a typical Red Hat Enterprise Linux installation.
Install Required Korn Shell (ksh) Package on Linux
The Korn shell (ksh) is required during Policy Server installation and upgrade on Linux platforms. Verify that the ksh package is installed before you continue.
Locate the Installation Media
To locate and download installation media, go to the CA Support site.
Gather Information for the Installer
Gather the following information before installing and registering the Administrative UI:
- Installation location—Determine the Administrative UI installation path.
- Administrative UI system name—Identify the fully qualified name of the Administrative UI host system.
- Server port—Identify the port on which JBoss must listen for HTTP requests.
- SSL port—Accept the default or identify the port on which JBoss must listen for HTTPS requests.
- Messaging Port, Messaging Throughput Port, Multicast Port—Accept the default ports or identify the ports on which JBoss must listen for messaging requests. If any of these ports are in use by other applications, specify new port numbers. Messaging ports are only used for internal JBoss communication. To prevent remote access through these ports, configure your firewall to block access.
- Super user account password—Identify the password for the default user account (siteminder).
- Policy Server system name—Identify the following:
- The Policy Server to which the Administrative UI will be registered.
- The fully qualified name of the Policy Server host system.
- Policy Server authentication port—If you changed the default settings after installing the Policy Server, identify the Policy Server authentication port. The Settings tab in the Policy Server Management Console lists the access control ports.
Reset the Administrative UI Registration Period
If you completed either of the following actions more than 24 hours before installing the Administrative UI, reset the UI registration period. Otherwise, continue with the installation.
- Configured one of the default policy stores during the Policy Server installation
- Submitted the super user credentials to the Policy Server using the XPSRegClient utility.
The Policy Server requires these credentials to create a trusted relationship with the Administrative UI. The time to create a trusted relationship with a Policy Server cannot exceed 24 hours.
Follow these steps:
- Verify that the Policy Server environment variables are set so that the XPSRegClient registration command can run. If they are not set, complete the following procedure:
- Log in to the Policy Server host system.
- Open a shell and navigate to siteminder_home. siteminder_home specifies the Policy Server installation path.
- Source the profile script so that its variables persist in the current shell:
. ./smprofile.ksh
- Log in to the Policy Server host system.
- Run the following command and press Enter:
XPSRegClient administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
administrator specifies a UI administrator. If you are installing the Administrative UI as part of a new environment, specify the default administrator account (siteminder). To install the UI as an upgrade, specify any administrator account with super user permissions in the policy store. To upgrade from r12.0 SP1 without a super user account in the policy store, create an account using the smreg utility. XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request at the first login to the UI. A passphrase given on the command line is visible in the process list and is saved in the shell history, so clear the history (or use a shell session without it) on a shared host.
The following describes the arguments that are used with the XPSRegClient command:
- passphrase: Specifies the password for the administrator account.
- -adminui-setup: Specifies that the Administrative UI is being registered with a Policy Server for the first time.
- -t timeout: (Optional) Specifies the allotted time, in minutes, from when you install the Administrative UI to the time you log in and register the UI with the Policy Server. The Policy Server denies the registration request when the timeout value is exceeded. Default: 1440 (24 hours). Maximum: 1440 (24 hours).
- -r retries: (Optional) Specifies how many failed attempts are allowed when you register the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
- -c comment: (Optional) Inserts the specified comments into the registration log file for informational purposes. Surround comments with quotes.
- -cp: (Optional) Specifies that the registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts them into the registration log file for informational purposes. Surround comments with quotes.
- -l log_path: (Optional) Specifies where the registration log file must be exported. siteminder_home specifies the Policy Server installation path.
- -e error_path: (Optional) Sends exceptions to the specified path.
- -vT: (Optional) Sets the verbosity level to TRACE.
- -vI: (Optional) Sets the verbosity level to INFO.
- -vW: (Optional) Sets the verbosity level to WARNING.
- -vE: (Optional) Sets the verbosity level to ERROR.
- -vF: (Optional) Sets the verbosity level to FATAL.
Configure Security-Enhanced Linux (SELinux) to Work with CA Single Sign-On
SELinux may have one of the following modes assigned to it according to your organization standards.
- enforcing: Specifies that the security policy is enforced
- permissive: Prints warnings instead of enforcing the policy
- disabled: Specifies that no SELinux policy is loaded
Check the current status of SELinux and set the mode to either permissive or disabled to configure it to work with CA Single Sign-On. Prefer permissive over disabled: in permissive mode every denial is still written to the audit log, which you can use to verify the exceptions in the next section and return the host to enforcing later.
Follow these steps:
- Open the /etc/selinux/config file.
- Run the following command to check the current status:
sestatus
- If SELinux is set to enforcing, change the mode in /etc/selinux/config to either permissive or disabled:
SELINUX=permissive
or
SELINUX=disabled
The change in the file takes effect at the next reboot. To switch to permissive immediately, for the current session only, run:
setenforce 0
setenforce works only while SELinux is enabled; if SELinux is disabled, a reboot is required to change the mode.
- Run the following command to verify the mode that SELinux is currently set to:
getenforce
(Optional) Add Exceptions to Security-Enhanced Linux (SELinux)
Adding exceptions is an additional step that is optional if you have already set SELinux to permissive or disabled; it is the step that lets you keep SELinux enforcing. If Security-Enhanced Linux is enabled on the Policy Server host system, add the CA Single Sign-On exceptions to the environment. The exceptions label the shared libraries as textrel_shlib_t and so prevent the SELinux text-relocation (execmod) denials that would otherwise stop them from loading.
Follow these steps:
- Log in to the Policy Server host system.
- Open a shell and run the following command:
chcon -t textrel_shlib_t /siteminder_home/lib/*
siteminder_home specifies the Policy Server installation path.
- Run the following command:
chcon -t textrel_shlib_t /JDK_home/lib/amd64/*
JDK_home specifies the required JDK installation path.
- Run the following command:
chcon -t textrel_shlib_t /JDK_home/lib/amd64/server/*
CA Single Sign-On-specific exceptions have been added.
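chcon changes only the label stored on the file, so a later restorecon, or a full relabel when SELinux is switched from disabled back to enforcing, silently reverts the three commands above and the denials return. The following is an added example and not part of the CA documentation: it records the same textrel_shlib_t rules with semanage fcontext first, so that restorecon applies the label instead of removing it. It assumes the JDK 8 layout from the text (lib/amd64) and falls back to lib/server, where JDK 9 and later keep the server library; siteminder_home and JDK_home are passed as arguments.

```sh
#!/bin/sh
# Added example, not part of the CA documentation: apply the textrel_shlib_t
# exceptions above in a way that survives a relabel. chcon changes only the
# label stored on the inode, so a later restorecon or a full autorelabel
# (for example after switching SELinux from disabled back to enforcing)
# silently reverts it and the execmod denials return. Recording the rule with
# semanage fcontext first makes restorecon apply the label instead.
# Assumptions: the JDK layout from the text (lib/amd64, JDK 8); for JDK 9 and
# later the server library sits in lib/server, which this script falls back to.

# textrel_dirs SITEMINDER_HOME JDK_HOME -> the directories to label, one per line
textrel_dirs() {
  echo "$1/lib"
  if [ -d "$2/lib/amd64" ]; then
    echo "$2/lib/amd64"
    echo "$2/lib/amd64/server"
  else
    echo "$2/lib"            # JDK 9+ layout (assumption, see above)
    echo "$2/lib/server"
  fi
}

# fcontext_pattern DIR -> the regular expression semanage fcontext expects
# for DIR and everything below it
fcontext_pattern() {
  printf '%s(/.*)?\n' "$1"
}

# label_plan SITEMINDER_HOME JDK_HOME -> the commands to run, one per line,
# so the plan can be reviewed (or compared with `semanage fcontext -l`) first
label_plan() {
  textrel_dirs "$1" "$2" | while IFS= read -r dir; do
    printf 'semanage fcontext -a -t textrel_shlib_t "%s"\n' "$(fcontext_pattern "$dir")"
  done
  printf 'restorecon -Rv "%s" "%s"\n' "$1/lib" "$2/lib"
}

# label_apply SITEMINDER_HOME JDK_HOME -> records the rules and relabels.
# Needs root and the semanage tool (package policycoreutils-python-utils on
# RHEL 8 and later, policycoreutils-python on RHEL 7).
label_apply() {
  command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
  textrel_dirs "$1" "$2" | while IFS= read -r dir; do
    pat=$(fcontext_pattern "$dir")
    # -a fails when the rule already exists; fall back to modifying it
    semanage fcontext -a -t textrel_shlib_t "$pat" 2>/dev/null \
      || semanage fcontext -m -t textrel_shlib_t "$pat" || exit 1
  done || return 1
  restorecon -Rv "$1/lib" "$2/lib"
}

# usage: sh selinux-textrel.sh --plan|--apply siteminder_home JDK_home
case "${1:-}" in
  --plan)  label_plan "${2:?siteminder_home}" "${3:?JDK_home}" ;;
  --apply) label_apply "${2:?siteminder_home}" "${3:?JDK_home}" ;;
esac
```

Run with --plan first and review the output; --apply records the rules and relabels both trees. Afterwards, a denial that still appears in the audit log while the host is permissive is a real gap in the labels rather than a relabel having undone chcon.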
Install and Register the Administrative UI on a Linux System
Complete the following procedures to perform a stand-alone installation of the Administrative UI:
- Review the installation prerequisites.
- Install the UI using one of the following methods:
- GUI mode
- Console mode
- Start the embedded application server.
- Log in to the Administrative UI to register it with the Policy Server.
Before you install the Administrative UI, be aware of the following information:
- The prerequisite installer has one installation zip file and the Administrative UI has another installation zip file. Extract the executables to the same location.
- The Administrative UI installation zip contains a layout.properties file. If you move the installation media after extracting the installation zip, move the properties file to the same location or the installation fails.
- Depending on your permissions, run the following command to add executable permissions to the directory that contains the installation media:
chmod -R +x directory
directory specifies the directory that contains the installation media.
- If you run the Administrative UI installer across different subnets, it can crash. Install the Administrative UI directly on the host system.
Install the Administrative UI on a Linux System
Install the Administrative UI and prerequisite components to provide a console for management. This procedure describes how to install the Administrative UI on Linux systems.
These instructions are for GUI and Console mode installations. The steps for the two modes are the same, with the following exceptions for Console mode:
- Console mode instructions include the command-line option -i console.
- Select an option by entering the corresponding number.
- Press ENTER after each step to proceed through the process.
- Type BACK to return to the previous step.
Follow these steps:
- Exit all applications that are running.
- Open a shell and navigate to the prerequisite installer media.
- Enter one of the following commands:
GUI mode:
./prerequisite_installation_media
Console mode:
./prerequisite_installation_media -i console
prerequisite_installation_media specifies the Administrative UI prerequisite installer executable. The installer starts.
- Click Install. The required components are installed. The prerequisite installer prompts you to run the Administrative UI installer.
- Enter one of the following commands:
GUI mode:
./installation_media
Console mode:
./installation_media -i console
installation_media specifies the Administrative UI installer executable. The Administrative UI installer starts.
- Follow the prompts and click Install. The Administrative UI is installed.
After a successful installation, start the application server and register the Administrative UI. You cannot use the Administrative UI until you register it with a Policy Server.
Start the Application Server (Linux) to Register the UI
For Linux systems, start the application server included with the stand-alone installation manually. After you start the server, register the Administrative UI with the Policy Server. Starting the application server allows administrators to access the Administrative UI; it does not open the Administrative UI directly.
Follow these steps:
- At the Administrative UI host system, navigate to install_home/CA/siteminder/adminui/bin. install_home specifies the Administrative UI installation path.
- Enter the following command:
./standalone.sh
The application server is started. standalone.sh runs the server in the foreground of that shell, so keep the shell open (or run the server under nohup or as a system service), and run it under the unprivileged account that owns the installation rather than as root.
Stop the Application Server
To stop the application server for any reason, go back to the directory where you started it and enter the following command:
./jboss-cli.sh -c --command=:shutdown
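Starting standalone.sh by hand means the server ends with your shell session and does not come back after a reboot. The following is an added example and not part of the CA documentation or its installer: a script that renders a systemd unit running the same start and stop commands as this section, as an unprivileged service account. It assumes install_home is /opt/CA/siteminder and a service account named siteminder (both overridable), and the ProtectSystem and ReadWritePaths lines are hardening assumptions that presume the server writes only below install_home; drop them if your deployment writes elsewhere.

```sh
#!/bin/sh
# Added example, not part of the CA documentation or its installer: render a
# systemd unit for the embedded JBoss so the Administrative UI is started and
# stopped with the commands from the text, survives reboots, and runs as an
# unprivileged account instead of from a root shell.
# Assumptions: INSTALL_HOME defaults to /opt/CA/siteminder and the service
# account to "siteminder"; the ProtectSystem/ReadWritePaths hardening presumes
# the server writes only below INSTALL_HOME.

# adminui_unit INSTALL_HOME USER -> prints the unit file to stdout
adminui_unit() {
  bin="$1/adminui/bin"
  cat <<EOF
[Unit]
Description=CA Single Sign-On Administrative UI (embedded JBoss)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$2
Group=$2
WorkingDirectory=$bin
# standalone.sh keeps the server in the foreground, which Type=simple expects
ExecStart=$bin/standalone.sh
# the same clean shutdown the text performs through the management CLI
ExecStop=$bin/jboss-cli.sh -c --command=:shutdown
TimeoutStopSec=120
Restart=on-failure
# least privilege: no privilege escalation, private /tmp, read-only system tree
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=$1

[Install]
WantedBy=multi-user.target
EOF
}

# install_adminui_unit INSTALL_HOME USER [DEST] -> checks that the two scripts
# exist, writes the unit and reloads systemd; DEST defaults to
# /etc/systemd/system/ca-adminui.service
install_adminui_unit() {
  dest=${3:-/etc/systemd/system/ca-adminui.service}
  for f in "$1/adminui/bin/standalone.sh" "$1/adminui/bin/jboss-cli.sh"; do
    [ -x "$f" ] || { echo "not executable: $f" >&2; return 1; }
  done
  adminui_unit "$1" "$2" > "$dest" || return 1
  chmod 0644 "$dest"
  command -v systemctl >/dev/null 2>&1 && systemctl daemon-reload
  echo "wrote $dest; enable with: systemctl enable --now $(basename "$dest")"
}

# usage: sh adminui-unit.sh [INSTALL_HOME] [USER]           (print the unit)
#        sh adminui-unit.sh --install [INSTALL_HOME] [USER]  (write and reload)
if [ "${1:-}" = --install ]; then
  install_adminui_unit "${2:-/opt/CA/siteminder}" "${3:-siteminder}"
else
  adminui_unit "${1:-/opt/CA/siteminder}" "${2:-siteminder}"
fi
```

Print the unit first and compare the paths with your installation; the install mode refuses to write a unit whose start or stop script does not exist. The ExecStop line keeps the shutdown identical to the manual procedure, so systemctl stop and the jboss-cli command behave the same.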
Register the Administrative UI
The first time you log in to the Administrative UI with the default super user account (siteminder) and password, the UI is registered with the Policy Server. This registration process establishes a trusted relationship between the Administrative UI and a Policy Server. This relationship is required to manage your environment.
The super user account credentials are stored in the policy store. If you configured one of the default policy stores during the Policy Server installation, the installer submits these credentials automatically. If you configure the policy store independent of the Policy Server installation, use the XPSRegClient utility to submit the credentials to the Policy Server. The Policy Server uses these credentials to verify that the registration request from the UI is valid and that the trust relationship can be created.
A 24-hour limit exists between the time the super user account credentials are submitted to the policy store and when the administrator logs in to the Administrative UI. If the credentials were set more than 24 hours before the initial log in to the Administrative UI, reset the credentials using the XPSRegClient utility.
Follow these steps:
- Complete one of the following steps:
- (Recommended) Open a web browser and go to the following location to register the Administrative UI over SSL:
https://host:8443/iam/siteminder/adminui
- Open a browser and go to the following location:
http://host:8080/iam/siteminder/adminui
host specifies the fully qualified Administrative UI host system name. If the host system does not have a web browser, you can access the login screen remotely. Over the HTTP URL the super user password crosses the network in clear text, so use the HTTPS URL unless the browser cannot negotiate TLS with the server.
- In the User Name field, enter siteminder.
- Type the super user account password in the Password field. If your super user account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the super user account password is $password, enter $DOLLAR$password in the Password field.
- Type the fully qualified Policy Server host name, or a valid IPv4 or IPv6 address, in the Server field. If you do not specify a port, the registration defaults to 44442, which is the default Policy Server authentication port.
If you use an older browser to register the Administrative UI over an HTTPS connection, the UI login screen might not display. In this situation, review the information about TLS protocols and the Administrative UI.
(Optional) Configure the Administrative UI to Use an SSL (HTTPS) Connection
By default, the Administrative UI can be reached over an unsecured (HTTP) connection as well as over HTTPS. After you register the Administrative UI with the Policy Server, you can configure the Administrative UI to use an SSL (HTTPS) connection. To change the connection, modify the web.xml file of the embedded JBoss application server and enable secure cookies. With the Secure flag set, the browser sends the session cookie only over HTTPS, so logins over the port 8080 URL stop working; that is the intent, and it is a good moment to block port 8080 at the firewall as well.
Follow these steps:
- Shut down the application server.
- Navigate to the WEB-INF directory of the deployed console: user_console.war/WEB-INF
- Open the web.xml file.
- Add the <secure> element to the cookie-config section and set it to true:
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
- Save and close the file.
- Restart the application server. The web.xml file is updated and secure cookies are enabled.
When the Administrative UI is accessed over SSL, the connection is secured using a self-signed certificate by default. For better security, optionally replace the Administrative UI server self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA). For more information, see (Optional) Obtain and Import a Trusted Certificate into the Administrative UI.
TLS Protocols Supported by the Administrative UI
Current web browsers negotiate TLS 1.2 (and TLS 1.3) by default. TLS 1.0 and TLS 1.1 are no longer considered secure and are formally deprecated (RFC 8996); applications that accept TLS 1.0 can be vulnerable to attacks such as BEAST (CVE-2011-3389).
If you try to access the Administrative UI with an older browser that supports only TLS 1.0, the UI does not display and you cannot proceed with registration. You can enable TLS 1.0 so that the UI is accessible to such browsers; however, the UI then becomes vulnerable to the BEAST attack. Treat this as a temporary measure: register from an up-to-date browser where you can, and remove TLSv1.0 from the list again once registration is done.
To enable the TLSv1.0 protocol for the embedded JBoss application server:
- Navigate to admin_ui_installation_dir/standalone/configuration.
- Open the standalone.xml file (standalone-full.xml if the server starts with that profile).
- Add the TLSv1.0 protocol to the enabled-protocols list in the <https-listener/> element. Example:
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.0,TLSv1.1,TLSv1.2"/>
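Both the secure-cookie change and the protocol list are easy to leave in the wrong state after registration. The following is an added example and not part of the CA documentation: a small audit that reads web.xml and standalone.xml as shown in the two sections above and reports a session cookie that is not HttpOnly and Secure, or an https-listener that still enables TLS 1.0 or 1.1. It assumes the fragments as they appear in the text; the file paths differ per installation and are passed in as arguments.

```sh
#!/bin/sh
# Added example, not part of the CA documentation: a quick audit of the two
# embedded-JBoss settings discussed above, run against the files themselves.
# Assumes the web.xml and standalone.xml fragments shown in the text; the
# file locations are passed in because they differ per installation.

# cookie_flags WEB_XML -> "ok" when the session cookie is both HttpOnly and
# Secure, otherwise "missing:" followed by the flags that are not set to true.
# Whitespace between tags is ignored so indentation does not matter.
cookie_flags() {
  flat=$(tr -d ' \t\r\n' < "$1")
  missing=""
  case "$flat" in *'<http-only>true</http-only>'*) ;; *) missing="$missing http-only" ;; esac
  case "$flat" in *'<secure>true</secure>'*)       ;; *) missing="$missing secure" ;; esac
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# https_protocols STANDALONE_XML -> the enabled-protocols list of the first
# <https-listener> element, "default" when the attribute is absent (the server
# then uses its built-in list), or "none" (status 1) when there is no listener
https_protocols() {
  listener=$(tr -d '\r\n' < "$1" | grep -o '<https-listener[^>]*' | head -n 1)
  [ -n "$listener" ] || { echo none; return 1; }
  protos=$(printf '%s\n' "$listener" | sed -n 's/.*enabled-protocols="\([^"]*\)".*/\1/p')
  echo "${protos:-default}"
}

# legacy_tls LIST -> succeeds when the comma-separated LIST enables a protocol
# deprecated by RFC 8996 (TLS 1.0 or 1.1; JSSE spells 1.0 as TLSv1) or SSLv3
legacy_tls() {
  case ",$1," in
    *,TLSv1.0,*|*,TLSv1,*|*,TLSv1.1,*|*,SSLv3,*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit WEB_XML STANDALONE_XML -> prints findings; exit status 1 when any
audit() {
  rc=0
  flags=$(cookie_flags "$1")
  [ "$flags" = ok ] || { echo "web.xml: session cookie $flags"; rc=1; }
  protos=$(https_protocols "$2" || true)
  if legacy_tls "$protos"; then
    echo "standalone.xml: legacy TLS enabled ($protos); drop TLSv1.0/TLSv1.1 once registration is done"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "audit: ok"
  return "$rc"
}

# usage: sh adminui-audit.sh path/to/web.xml path/to/standalone.xml
if [ $# -eq 2 ]; then
  audit "$1" "$2"
fi
```

The non-zero exit status makes the script usable as a post-change check in a deployment pipeline; a listener without an enabled-protocols attribute is reported as default, which means the server's own list applies and should be checked against the server documentation.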
Restart the SNMP Daemon
(Only for SNMP)
Restart the SNMP daemon if you configured SNMP during the Policy Server installation.
Follow these steps:
- Execute S76snmpdx stop in /etc/rc3.d. The SNMP daemon stops.
- Execute S76snmpdx start in /etc/rc3.d. The SNMP daemon starts.
S76snmpdx is the Solaris rc script name. On Red Hat Enterprise Linux the net-snmp daemon is managed as the snmpd service through systemctl (or the service command on older releases); restart that service instead.
Troubleshoot the Administrative UI Installation
Use the following files to troubleshoot the Administrative UI installation:
- Administrative_UI_Prerequisite_Installer_InstallLog.log: If you used the stand-alone installation option, this log lists the number of successes, warnings, non-fatal errors, and errors that occurred during the prerequisite installation. Individual installation actions are listed with the respective status. Location: administrative_ui_home/adminui/install_config_info. administrative_ui_home specifies the Administrative UI installation path, for example, C:\CA\siteminder or /opt/CA/siteminder.
- CA_SiteMinder_Administrative_UI_InstallLog.log: This log lists the number of successes, warnings, non-fatal errors, and errors that occurred during the Administrative UI installation. Individual installation actions are listed with the respective status. Location: administrative_ui_home/adminui/install_config_info. administrative_ui_home specifies the Administrative UI installation path, for example, C:\CA\siteminder or /opt/CA/siteminder.
Configure an External Administrator Store for UI Administrators (Optional)
The policy store is the default repository for administrator identities. After you install and configure the Administrative UI, we recommend that you configure an external administrator store for UI administrators. Use an LDAP directory server or a relational database as an external administrator store. For details, see Configuring an External Administrator Store.