Install the Administrative UI on Windows (stand-alone)
The following diagram describes how to complete a stand-alone installation of Administrative UI on Windows:
[Diagram: CA SSO Administrative UI Installation on Windows]

Complete the following steps:
Prepare for the Administrative UI Installation
Complete the following tasks to prepare your system for installing Administrative UI.
Verify the Windows UI Host System Requirements
A Windows host system for a stand-alone Administrative UI installation must meet the following minimum system requirements. These recommendations accommodate only the UI. Size your hardware appropriately for all services running on the same system.
- Memory—1.5 GB of system RAM.
- Available disk space—1.5 GB
- Temp directory space—3 GB
- Screen resolution—1024 x 768 or higher resolution with 256 colors or better to view the Administrative UI properly
Use the Platform Support Matrix to verify that the operating environment and other required third-party components are supported.
Locate the Installation Media
To locate and download installation media, go to the CA Support site.
Enable 8dot3 Name Creation for the Windows File System
Before you run the Administrative UI prerequisite installer, enable 8dot3 name creation for the disk volume where you are installing the UI. The 8dot3 naming convention is required because the prerequisite installer runs the JBoss service script (service.bat). This script uses 8dot3 file names to create the Administrative UI Windows service, which starts and stops the JBoss application server.
Follow these steps:
- Check the current value of the 8dot3name setting by running the following fsutil 8dot3 command. This command manages the settings for the 8dot3 name behavior:
  fsutil 8dot3name query VolumePath
  where VolumePath is the disk volume where you are installing the Administrative UI. The following example shows the command and the response:
  C:\>fsutil 8dot3name query c:
  The volume state is: 0 (8dot3 name creation is enabled).
  The registry state is: 2 (Per volume setting - the default).
  Based on the returned settings, 8dot3 name creation is enabled on volume C.
- If the 8dot3 name creation is disabled, enable it by entering the following command:
  fsutil 8dot3name set VolumePath 0
  If you do not specify a volume path, 8dot3 name creation is enabled for all volumes on the system.
- Before you install the Administrative UI on a non-default drive (for example E:\), verify that the folder name conventions and file locations are correct. To do this, set the short file name using the following fsutil command:
  fsutil file setshortname <pathname> <shortname>
  Example:
  fsutil file setshortname "E:\Program Files" PROGRA~1
  If you do not set the short file name of the installation folder on the non-default drive, the installation proceeds but the Administrative UI fails to start with the following error message reported in the smadminui-stderr.<date>.log file:
  Error: Could not find or load main class Files\CA\siteminder\adminui\standalone\configuration\keyStore.jks
- After the prerequisite and the Administrative UI installations are finished, you can disable 8dot3 name creation by entering the following command:
  fsutil 8dot3name set VolumePath 1
  If you do not specify a volume path, 8dot3 name creation is disabled for all volumes on the system.
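The checks in the steps above can be scripted as a pre-flight test before running the prerequisite installer. This is an added example, not vendor code; the $InstallParent default is a hypothetical value, and the output parsing assumes an English-language Windows and an elevated prompt.

```powershell
# Added example: pre-flight check for the 8dot3 requirement (not vendor code).
# $InstallParent is a hypothetical value: the folder you will install under.
param([string]$InstallParent = 'E:\Program Files')

function Get-8dot3VolumeState {
    param([string]$Volume)   # for example 'E:'
    # Assumes English output of the form:
    #   "The volume state is: 0 (8dot3 name creation is enabled)."
    $out = & fsutil 8dot3name query $Volume 2>&1 | Out-String
    if ($out -match 'volume state is:\s*(\d)') { return [int]$Matches[1] }
    throw "Could not parse fsutil output: $out"
}

function Get-ShortPath {
    param([string]$Path)
    # Scripting.FileSystemObject exposes the 8dot3 alias as ShortPath.
    # When a folder has no alias, ShortPath is the long name, spaces included.
    $fso = New-Object -ComObject Scripting.FileSystemObject
    return $fso.GetFolder($Path).ShortPath
}

$volume = Split-Path -Qualifier $InstallParent
$state  = Get-8dot3VolumeState -Volume $volume
if ($state -ne 0) {
    Write-Warning "8dot3 name creation is disabled on $volume (state $state). Enable it with: fsutil 8dot3name set $volume 0"
}

if (Test-Path -LiteralPath $InstallParent) {
    $short = Get-ShortPath -Path $InstallParent
    if ($short -match '\s') {
        # This is the condition behind the "Could not find or load main class" startup error.
        Write-Warning "'$InstallParent' has no short name. Set one with: fsutil file setshortname `"$InstallParent`" <shortname>"
    } else {
        Write-Output "Short path OK: $short"
    }
} else {
    Write-Warning "'$InstallParent' does not exist yet; create it and re-run this check."
}
```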
Gather Information for the Installer
Gather the following information before installing and registering the Administrative UI:
- Installation location—Determine the Administrative UI installation path.
- Administrative UI system name—Identify the fully qualified name of the Administrative UI host system.
- Server port—Identify the port on which JBoss must listen for HTTP requests.
- SSL port—Accept the default or identify the port on which JBoss must listen for HTTPS requests.
- Messaging Port, Messaging Throughput Port, Multicast Port—Accept the default ports or identify the ports on which JBoss must listen for messaging requests. If any of these ports are in use by other applications, specify new port numbers. Messaging ports are only used for internal JBoss communication. To prevent remote access through these ports, configure your firewall to block access.
- Super user account password—Identify the password for the default user account (siteminder).
- Policy Server system name—Identify the following:
  - The Policy Server to which the Administrative UI will be registered.
  - The fully qualified name of the Policy Server host system.
- Policy Server authentication port—If you changed the default settings after installing the Policy Server, identify the Policy Server authentication port. The Settings tab in the Policy Server Management Console lists the access control ports.
Reset the Administrative UI Registration Window
Reset the Administrative UI registration window if you are installing the Administrative UI more than 24 hours after performing one of the following steps:
- Configured a policy store during the Policy Server installation.
- Used the XPSRegClient utility to submit the super user credentials to the Policy Server.
Follow these steps:
- Log in to the Policy Server host system.
- Run the following command:
  XPSRegClient siteminder_administrator[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
  siteminder_administrator
    Defines the administrator.
  passphrase
    Defines the password for the administrator account.
  -adminui-setup
    Specifies that the Administrative UI is being registered with a Policy Server for the first time.
  -t timeout
    (Optional) Defines the time period in minutes in which you must log in to the Administrative UI from the time you install and register it with Policy Server. Policy Server denies the registration request if the time period expires.
    Default: 1440 (24 hours)
    Minimum: 1
    Maximum: 1440 (24 hours)
  -r retries
    (Optional) Specifies how many failed attempts are allowed when you register the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
    Default: 1
    Maximum: 5
  -c comment
    (Optional) Inserts the specified comments into the registration log file for informational purposes. Surround comments with quotes.
  -cp
    (Optional) Specifies that the registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes. Surround comments with quotes.
  -l log_path
    (Optional) Specifies where the registration log file must be exported.
    Default: siteminder_home\log
  -e error_path
    (Optional) Sends exceptions to the specified path.
    Default: stderr
  -vT
    (Optional) Sets the verbosity level to TRACE.
  -vI
    (Optional) Sets the verbosity level to INFO.
  -vW
    (Optional) Sets the verbosity level to WARNING.
  -vE
    (Optional) Sets the verbosity level to ERROR.
  -vF
    (Optional) Sets the verbosity level to FATAL.
  XPSRegClient supplies the administrator credentials to Policy Server. Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.
Review the Installation Prerequisites
Consider the following items before you install the Administrative UI:
- Install the Administrative UI using the installation media on the Technical Support site. For a list of installation media names, see Platform Support and Installation Media.
- Run the installer from the Administrative UI host system. Do not run the installer from a mapped network share or UNC path.
- There is one installation zip for the prerequisite installer and one for the Administrative UI installer. Extract the executables from each zip to the same location.
- The Administrative UI installation zip contains a layout.properties file. If you move the installation executables, move the properties file to the same location or the installation fails.
- The Administrative UI can be installed on the same system as the Policy Server.
Install the Administrative UI
Run the prerequisite installer followed by the Administrative UI installer.
Follow these steps:
- Exit all applications that are running.
- Navigate to the prerequisite installation media.
- Ensure that you have the local administrator privileges to run the installer. Double-click prerequisite_installation_media.
  prerequisite_installation_media specifies the prerequisite installer executable for the Administrative UI.
  The installer starts.
- Click Install. The required components are installed.
- Click Done. The Administrative UI installer launches automatically.
- Follow the prompts and click Install. The Administrative UI is installed. After the installation is complete, the Administrative UI starts automatically and the login screen displays.
  If you are using an older browser and plan to register the UI over an HTTPS connection, the login screen might not display. In this situation, review the information about TLS protocols and the Administrative UI.
Continue by registering the Admin UI with the Policy Server.
Register the Administrative UI
The Administrative UI is registered with Policy Server when you log in to it for the first time with the default super user account (siteminder) credentials. This registration process establishes a trusted relationship between the Administrative UI and a Policy Server. Policy Server is managed using the Administrative UI according to the administrative privileges of the user.
The super user account credentials are stored in the policy store. If you configured one of the default policy stores during the Policy Server installation, the installer submits these credentials automatically. If you configured the policy store independent of the Policy Server installation, use the XPSRegClient utility to submit the credentials to Policy Server. Policy Server uses these credentials to verify that the registration request from the UI is valid and that the trust relationship can be created.
Review the following considerations before you start the Administrative UI for the first time:
- The first time that you launch an Administrative UI over SSL, the browser warns that a trusted company did not issue the security certificate. This warning relates to a self-signed certificate that is generated during SSL registration. Approve the certificate and proceed.
- The Administrative UI requires that you enable JavaScript in the browser. If you use IE 11 to access the Administrative UI, you might see a message that the website content is blocked. From this message, add the Administrative UI as a trusted site, where JavaScript is enabled by default. If you clear the check box associated with the message you can log in to the UI, but it does not render correctly unless you enable JavaScript. Enable JavaScript for the security zone that the UI is in or add the UI as a trusted site. To add a trusted site, begin at the IE menu and select Tools, Internet Options. From the Security tab, select Trusted Sites and add the UI.
- When using the task pane on the right, always save your changes before opening or closing the menu pane on the left or navigating elsewhere.
- Do not use the Refresh or Back buttons of the browser while using the Administrative UI. Using these buttons resubmits the form, and creates an invalid state.
Follow these steps:
- Open a web browser. If the Administrative UI is installed on a Windows system, you can start the Administrative UI on that system by clicking the SSO Administrative Console shortcut in the CA program group.
- Enter the location of the Administrative UI using the following guidelines:
  - If the Administrative UI was installed using the standalone option and the Administrative UI was registered over SSL, use the following URL format:
    https://host.domain:8443/iam/siteminder/adminui
  - If the Administrative UI was installed using the standalone option and the Administrative UI was not registered over SSL, use the following URL format:
    http://host.domain:8080/iam/siteminder/adminui
  Where:
    host specifies the name of the Administrative UI host system.
    domain specifies the fully qualified domain name of the Administrative UI host system.
    port specifies the port on which the application server listens for requests.
- In the login screen, type siteminder in the User Name field.
- Type the siteminder account password in the Password field. If your super user account password contains dollar sign ($) characters, replace each dollar sign with $DOLLAR$. For example, if the super user account password is $password, enter $DOLLAR$password in the Password field.
- Type the fully qualified Policy Server host name in the Server field. Consider the following points:
  - You can enter a valid IPv4 address or IPv6 address.
  - If you do not specify a port, the registration defaults to 44442, which is the default Policy Server authentication port.
The Administrative UI opens and is registered with the Policy Server.
Configure additional Policy Server connections for the Administrative UI, or proceed to install an agent.
If you encountered any installation issues, use the following log files to troubleshoot the issues:
- Administrative_UI_Prerequisite_Installer_InstallLog.log
  Default Location: administrative_ui_home\adminui\install_config_info
- CA_SiteMinder_Administrative_UI_InstallLog.log
  Default Location: administrative_ui_home\adminui\install_config_info
(Optional) Configure the Administrative UI to Use an SSL (HTTPS) Connection
By default, the Administrative UI is accessed using an unsecured (HTTP) connection. After you register the Administrative UI with the Policy Server, you can configure the Administrative UI to use an SSL (HTTPS) connection. To change the connection, modify the web.xml file of the embedded JBoss application server and enable secure cookies.
Follow these steps:
- Shut down the application server.
- Navigate to the following location: user_console.war\WEB-INF
- Open the web.xml file.
- Add the <secure> element to the cookie-config section and set it to true:
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
- Save and close the file.
- Restart the application server. The web.xml file is updated and secure cookies are enabled.
Note: When the Administrative UI is accessed over SSL, the connection is secured using a self-signed certificate by default. For better security, optionally replace the Administrative UI server self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA).
TLS Protocols Supported by the Administrative UI
Most current web browsers support the protocols TLSv1.2 and TLSv1.1 by default. The TLSv1.0 protocol is no longer considered secure, so applications that use it might be vulnerable to attacks such as the BEAST exploit (CVE-2011-3389).
If you try accessing the Administrative UI with an older browser that supports only TLSv1.0, the UI does not display and you cannot register the UI. You can enable TLSv1.0 so that the UI is accessible for older browsers; however, the UI can then be vulnerable to the BEAST attack.
To enable the TLSv1.0 protocol for the embedded JBoss application server:
- Navigate to admin_ui_installation_dir\standalone\configuration.
- Open the standalone.xml file.
- Add the TLSv1.0 protocol to the enabled-protocols list. This list is in the <https-listener/> element of the standalone-full.xml file. Example:
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.0,TLSv1.1,TLSv1.2"/>
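The secure-cookie setting in web.xml and the enabled-protocols list described above can be audited after any configuration change. The following script is an added example, not vendor code; both default paths are hypothetical placeholders, and treating TLSv1 as equivalent to TLSv1.0 is an assumption based on the JSSE protocol name.

```powershell
# Added example (not vendor code): audit the cookie flags and the TLS protocol list.
# Both default paths are placeholders; point them at your installation.
param(
    [string]$WebXml        = 'C:\path\to\user_console.war\WEB-INF\web.xml',
    [string]$StandaloneXml = 'C:\path\to\standalone\configuration\standalone.xml'
)

function Get-NodesByLocalName {
    param([xml]$Doc, [string]$Name)
    # local-name() avoids having to register the default XML namespaces
    # that web.xml and standalone.xml normally declare.
    $Doc.SelectNodes("//*[local-name()='$Name']")
}

function Test-SecureCookieConfig {
    param([string]$Path)
    $doc = [xml](Get-Content -LiteralPath $Path -Raw)
    $cfg = @(Get-NodesByLocalName $doc 'cookie-config')
    if ($cfg.Count -eq 0) { 'web.xml: no <cookie-config> element found'; return }
    foreach ($flag in 'secure', 'http-only') {
        $node = $cfg[0].SelectSingleNode("*[local-name()='$flag']")
        if ($null -eq $node -or $node.InnerText.Trim() -ne 'true') {
            "web.xml: <$flag> is not set to true"
        }
    }
}

function Test-HttpsListenerProtocols {
    param([string]$Path)
    $doc = [xml](Get-Content -LiteralPath $Path -Raw)
    foreach ($l in @(Get-NodesByLocalName $doc 'https-listener')) {
        $protocols = $l.GetAttribute('enabled-protocols') -split ',' |
            ForEach-Object { $_.Trim() }
        # TLSv1.0 is the spelling this page uses; TLSv1 is the JSSE name (assumption).
        $weak = @($protocols | Where-Object { $_ -in 'TLSv1.0', 'TLSv1' })
        if ($weak.Count -gt 0) {
            "standalone.xml: https-listener '$($l.GetAttribute('name'))' enables $($weak -join ', ')"
        }
    }
}

$findings = @()
if (Test-Path -LiteralPath $WebXml) { $findings += @(Test-SecureCookieConfig $WebXml) }
else { $findings += "not found: $WebXml" }
if (Test-Path -LiteralPath $StandaloneXml) { $findings += @(Test-HttpsListenerProtocols $StandaloneXml) }
else { $findings += "not found: $StandaloneXml" }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings: secure cookies are on and TLSv1.0 is not enabled.' }
```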
(Optional) Configure an External Administrator Store for UI Administrators
The policy store is the default repository for administrator identities. After you install and configure the Administrative UI, we recommend that you configure an external administrator store for UI administrators. You can use an LDAP directory server or a relational database as an external administrator store. For details, see Configuring an External Administrator Store.