Integrate CA SiteMinder

This scenario describes how a security administrator configures the Unified Management Portal (UMP) to be protected by SiteMinder. Using SiteMinder with UMP provides greater security for your organization. In addition, you can implement single sign-on access to UMP and other web applications.
Prerequisites
Do not attempt to perform the procedures in this scenario unless you are proficient with CA UIM Monitor, CA SiteMinder, and directory administration.
Ensure that the following prerequisites have been met before using the instructions in this scenario:
  • CA UIM Monitor (UIM and UMP) 7.5 or higher is installed and configured.
  • CA SiteMinder r12.51 or higher is installed with an operational Secure Proxy Server.
  • An LDAP directory exists for SiteMinder authentication and for linking to CA UIM Monitor. The following directory services are supported:
    • Novell® eDirectory™ 8.8 SP1 (20114.57) and a Novell® KDC (Key Distribution Center) server
    • SUN Java Directory Server v5.2
    • Windows 2008 and Windows 2012 Active Directory
Verify LDAP Mapping
The following table identifies the user and group attributes that must map between your directory and the UIM hub and UMP. The attributes designated with an asterisk (*) are the required mappings for UMP. It is recommended that you determine these attributes in your directory service before continuing.
Refer to this table as needed as you perform the steps in the following sections.
Description        | UIM Hub Mapping            | UMP Mapping                     | LDAP Example
-------------------|----------------------------|---------------------------------|--------------------------
Group identifier   | filter_group               | ldap.import.group.search.filter | objectClass=groupOfNames
Group name         | attr_grp_name              | groupName                       | cn
Group member       | attr_grp_member_name       | user                            | member
Group description  | attr_grp_description       | description                     | description
User identifier    | ---                        | ldap.import.user.search.filter  | objectClass=inetOrgPerson
*Username          | ---                        | screenName                      | cn
*User Password     | ---                        | password                        | userPassword
*User firstname    | attr_usr_firstname         | firstName                       | givenName
*User lastname     | attr_usr_lastname          | lastName                        | sn
*User email        | attr_usr_mail, filter_user | emailAddress                    | mail
Configure LDAP on the Hub Probe
Configure the hub probe to forward login requests to your LDAP server, and to access the container with user groups.
 
Follow these steps:
 
  1. Log into Infrastructure Manager and locate the hub probe.
  2. Press the <Ctrl> key as you right-click the hub probe, and then select Raw Configure.
  3. Expand the ldap section, and expand the templates section.
  4. Select the appropriate directory service, and edit the value of key filter_user to (&(<loginAttribute>=$loginname)).
  5. Depending on the directory service you are using, you may need to update the values of other keys to match your directory. Attributes that may be of particular importance are as follows:
    • filter_group
    • filter_user
    • attr_grp_name
    • attr_grp_member_name
    • attr_grp_description
    • attr_usr_firstname
    • attr_usr_lastname
    • attr_usr_mail
  6. Click OK to commit your changes.
    The hub probe restarts.
  7. In Infrastructure Manager, right-click on the hub probe and select Configure.
  8. In the lower right of the General tab, select Settings.
  9. In the LDAP tab, do the following:
    1. Select Direct LDAP.
    2. Select LDAP Authentication.
    3. In the Server Name field, enter the <IP_address:port> of the LDAP server.
    4. Select the appropriate directory service from the Server Type drop-down menu.
    5. Select LDAP > UIM from the Authentication Sequence drop-down menu.
    6. In the User field, enter the distinguished name (DN) of a directory user with administrative privileges.
    7. Provide a distinguished name (DN) in the Group Container (DN) and User Container (DN) fields as appropriate.
Link ACLs to LDAP Groups
Use the following steps to link ACLs to LDAP groups.
 
Follow these steps:
 
  1. In Infrastructure Manager, select Security > Manage Access Control List.
  2. Make a selection from the Access Control List, and click the Set LDAP Group button.
  3. Select an LDAP group from the list.
  4. Select or de-select permissions in the list if desired.
Modify the Portal Configuration to Enable SiteMinder
Use the following steps to edit the portal-ext.properties file to map your directory to UMP.
The steps in this section use the directory attribute mail as the <loginAttribute>. If <loginAttribute> is not mail, certain lines must be edited differently as indicated. In addition, line numbers in the portal-ext.properties file are provided, but may vary slightly from the line numbers in your portal-ext.properties file.
 
Follow these steps:
 
  1. In Infrastructure Manager, deactivate the wasp probe.
  2. On the UMP system, open the following file for editing:
    <UMP_installation>\probes\service\wasp\webapps\ROOT\WEB-INF\classes\portal-ext.properties
  3. Modify line 12 as follows:
    company.security.auth.type=emailAddress
    If <loginAttribute> is not mail, modify line 12 as follows:
    company.security.auth.type=screenName
  4. Comment out lines 16 and 17 as follows:
    #auth.pipeline.pre=com.firehunter.ump.auth.NmsAuth
    #auth.pipeline.enable.liferay.check=false
  5. Uncomment lines 188 through 191 as follows:
    ldap.base.provider.url.0=ldap://<server:port>
    ldap.base.dn.0=ou=example,o=com
    ldap.security.principal.0=<DN of directory user>
    ldap.security.credentials.0=<password>
  6. Uncomment lines 195 and 196 as follows:
    ldap.auth.search.filter.0=(mail=@email_address@)
    ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
    If <loginAttribute> is not mail, modify line 195 as follows (the @screen_name@ token is substituted with the login name when company.security.auth.type is screenName):
    ldap.auth.search.filter.0=(<loginAttribute>=@screen_name@)
  7. Uncomment line 199 as follows:
    ldap.import.method=user
  8. Uncomment lines 201 through 203, and modify the mapping as appropriate for your directory:
    ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\ngroup=ou
    ldap.import.group.search.filter.0=(objectClass=groupOfNames)
    ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=member
    If <loginAttribute> is not mail, modify the screenName mapping in line 201 as follows:
    screenName=<loginAttribute>
  9. Save the portal-ext.properties file, and reactivate the wasp probe.
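The following Python check is an added example, not part of the CA procedure: it parses a portal-ext.properties fragment and verifies that the attribute and token in ldap.auth.search.filter.0 agree with company.security.auth.type and with the screenName/emailAddress mappings (the caveat the "if <loginAttribute> is not mail" notes above describe), and that the asterisked mappings from the table are present. The @email_address@ and @screen_name@ token names are Liferay's filter substitution tokens, assumed here; the property samples are constructed.

```python
import re
# UMP's required user mappings: the asterisked rows of the LDAP mapping table above
REQUIRED_USER_MAPPINGS = {"screenName", "password", "firstName", "lastName", "emailAddress"}
# Per company.security.auth.type: the mapping whose LDAP attribute the auth filter
# must use, and the Liferay substitution token it must carry (assumed token names)
AUTH_TYPE_RULES = {"emailAddress": ("emailAddress", "@email_address@"),
                   "screenName": ("screenName", "@screen_name@")}
# Constructed sample: the mail-as-loginAttribute variant of steps 3, 6 and 8
GOOD_PROPS = r"""
company.security.auth.type=emailAddress
ldap.auth.search.filter.0=(mail=@email_address@)
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\ngroup=ou
"""
# Constructed sample: auth type switched to screenName but line 195 left unchanged
BAD_PROPS = GOOD_PROPS.replace("auth.type=emailAddress", "auth.type=screenName")

def parse_properties(text):
    """Java-style key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_mappings(value):
    """ldap.user.mappings.0 packs several pairs separated by a literal backslash-n."""
    return dict(pair.split("=", 1) for pair in value.split(r"\n") if "=" in pair)

def check_ldap_config(text):
    """Return findings for a portal-ext.properties fragment; [] means consistent."""
    props, findings = parse_properties(text), []
    auth_type = props.get("company.security.auth.type")
    if auth_type not in AUTH_TYPE_RULES:
        return [f"unsupported or missing company.security.auth.type: {auth_type!r}"]
    mapping_key, token = AUTH_TYPE_RULES[auth_type]
    mappings = parse_mappings(props.get("ldap.user.mappings.0", ""))
    missing = REQUIRED_USER_MAPPINGS - mappings.keys()
    if missing:
        findings.append("ldap.user.mappings.0 lacks: " + ", ".join(sorted(missing)))
    match = re.fullmatch(r"\((\w+)=(@\w+@)\)", props.get("ldap.auth.search.filter.0", ""))
    if not match:
        findings.append("ldap.auth.search.filter.0 is not of the form (attr=@token@)")
        return findings
    attr, used_token = match.groups()
    if used_token != token:
        findings.append(f"filter uses {used_token}; auth type {auth_type} needs {token}")
    if mappings.get(mapping_key) != attr:
        findings.append(f"filter attribute {attr!r} differs from {mapping_key}={mappings.get(mapping_key)!r}")
    return findings
```

Run check_ldap_config on the text of your edited file before reactivating the wasp probe; a mismatch between the filter attribute and the login mapping shows up here as a finding rather than as failed logins.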
Verify UMP Resources are Protected in SiteMinder Policy Server
Use the following steps to guide you in verifying that your UMP resources are protected.
 
Follow these steps:
 
  1. Log into the Policy Server Admin UI.
  2. Create a new agent for UMP, for example, <UIM_agent>.
  3. Create a new Agent Configuration Object (ACO) by copying the SPS ACO, and naming it <nimsoft_ACO>.
  4. Modify the default agent name key:
    DefaultAgentName: <nimsoft_agent>
  5. Optionally modify and enable the log and trace parameters.
  6. Define an Application or Domain Policy to protect the UMP resources, using the agent you just created (<UIM_agent>).
    1. The directory used for SiteMinder authentication is the same as that defined in the UIM Hub and in the portal.
    2. The specific URLs to protect are as follows:
      • /web*
      • /documents*
      • /user*
      • /group*
    3. Create a response of type WebAgent-HTTP-Header-Variable. Select User Attribute as the Attribute Kind. Use the Variable Name UMP_USER, and the Attribute Name <loginAttribute>.
       This response should be enabled for all resources.
Edit the Secure Proxy Server Configuration
Use the steps in this section to create a new web agent and define the virtual host for the UMP server.
Do not allow direct access to the UMP server. Access should be controlled by firewall rules or other means.
 
Follow these steps:
 
  1. Log into the Secure Proxy Server (SPS) host.
  2. Follow the steps in the section "Web Agent Settings for the Default Virtual Host" in the CA SiteMinder Secure Proxy Server Administration Guide to copy the existing agent configuration file.
  3. Issue the following commands:
    cd C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\
    copy WebAgent.conf NimsoftWebAgent.conf
  4. Modify the file NimsoftWebAgent.conf as follows:
    AgentConfigObject="<nimsoft_ACO>"
    ServerPath="ServerPath_nimsoft"
    AgentIdFile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\NimsoftWebAgentId.dat"
  5. Edit the SPS server.conf file in the directory C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\, and add a VirtualHost entry for UMP at the end of the file:
    # Nimsoft UMP Virtual Host
    <VirtualHost name="nimsoftump">
      # The hostname the user sees in their browser
      hostnames="user.visible.hostname.com"
      redirectrewritablehostnames="ALL"
      enableredirectrewrite="yes"
      enablerewritecookiedomain="yes"
      enableproxypreservehost="yes"
      <WebAgent>
        sminitfile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\NimsoftWebAgent.conf"
      </WebAgent>
    </VirtualHost>
  6. Edit the proxyrules.xml in the directory C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\, and add a rule to forward requests to the UMP server:
    <nete:proxyrules xmlns:nete="http://www.ca.com/">
      <nete:cond type="host">
        <nete:case value="user.visible.hostname.com:80">
          <nete:forward>http://nimsoft.ump.hostname.com$0</nete:forward>
        </nete:case>
        <nete:default>
          <nete:forward>http://some.other.host.com/404.html</nete:forward>
        </nete:default>
      </nete:cond>
    </nete:proxyrules>
  7. Restart the SiteMinder Proxy Engine Windows service.
  8. Verify that you can access UMP via the virtual host defined previously in this section.
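As an added example that is not from the CA guide, the following Python check loads a proxyrules.xml like the one in step 6 and confirms that it is well-formed (an unclosed nete:forward tag stops the proxy engine from loading the file), that every host case forwards with $0 so the request path is preserved, and that the default rule does not also land on the UMP backend. The hostnames are the placeholders used in the step; both rule sets are constructed.

```python
import xml.etree.ElementTree as ET

NETE = "{http://www.ca.com/}"  # the nete namespace declared in proxyrules.xml

# Constructed copy of the rule set from step 6; hostnames are the procedure's placeholders
GOOD_RULES = """<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <nete:cond type="host">
    <nete:case value="user.visible.hostname.com:80">
      <nete:forward>http://nimsoft.ump.hostname.com$0</nete:forward>
    </nete:case>
    <nete:default>
      <nete:forward>http://some.other.host.com/404.html</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>"""
# The same file with the forward's closing tag lost, a common hand-editing slip
BROKEN_RULES = GOOD_RULES.replace("$0</nete:forward>", "$0>")

def check_proxyrules(xml_text, ump_backend_host):
    """Return findings for a proxyrules.xml document; [] means it passed.
    A malformed file is reported as a finding because the proxy engine cannot load it."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"proxyrules.xml is not well-formed XML: {exc}"]
    cond = root.find(f"{NETE}cond")
    if cond is None or cond.get("type") != "host":
        return ['expected a top-level <nete:cond type="host">']
    findings = []
    for case in cond.findall(f"{NETE}case"):
        fwd = case.find(f"{NETE}forward")
        target = (fwd.text or "").strip() if fwd is not None else ""
        if not target:
            findings.append(f"case {case.get('value')!r} has no forward target")
        elif "$0" not in target:
            findings.append(f"case {case.get('value')!r} forwards without $0, so the request path is dropped")
    default = cond.find(f"{NETE}default")
    if default is None:
        findings.append("no <nete:default>: requests with an unexpected Host header are not handled")
    else:
        fwd = default.find(f"{NETE}forward")
        if fwd is not None and ump_backend_host in (fwd.text or ""):
            findings.append("default rule forwards to the UMP backend instead of a catch-all page")
    return findings
```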