CA Single Sign-On Configuration Properties

When creating or editing a CA Single Sign-On configuration, the CA Single Sign-On Configuration Properties dialog is displayed. This dialog is used to manage the CA Single Sign-On Agent configuration settings, to enable the Layer7 API Gateway to communicate with a CA Single Sign-On Policy Server.
CA Single Sign-On is not supported in the SaaS version of the Layer7 API Gateway.
Caching
To minimize the number of calls to the Policy Server, the Gateway has several built-in caches for improved performance. The following caches can be configured in the "Cluster Settings" section of the configuration properties:
  • Resource cache: set resourceCache.size and resourceCache.maxAge.
  • Authentication cache: set authenticationCache.size and authenticationCache.maxAge.
  • Authorization cache: set authorizationCache.size and authorizationCache.maxAge.
Notes:
(1) Caching is enabled by default. The cache default settings are stored in the cluster properties under WS Management API do not support these caching properties.
(3) If your environment has previous CA SiteMinder caching hotfixes applied, they will be superseded by the new caching mechanism.
FIPS Mode
If you are using FIPSONLY mode to communicate with the CA SSO Policy Server, make the following configuration changes so that FIPSONLY mode is used and the Gateway validates SSO tokens on all nodes of a cluster.
  1. Add the following line before the line "CAPKIHOME=${CAROOT}/CAPKI" in the /opt/SecureSpan/Gateway/runtime/etc/profile.d/siteminder-env.sh file:
    CA_SM_PS_FIPS140=ONLY
  2. Modify the following line to export the CA_SM_PS_FIPS140 environment variable:
    export CAROOT LD_LIBRARY_PATH CAPKIHOME CA_SM_PS_FIPS140
  3. Restart the Gateway process:
    service ssg restart
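The three steps above are easy to get half-right on one node of a cluster (the variable defined but not exported, or exported on some nodes only), which is exactly the case the procedure warns about. The script below is an added example, not part of the Layer7 documentation or product: it applies steps 1 and 2 to siteminder-env.sh idempotently, backs the file up first, and verifies that CA_SM_PS_FIPS140=ONLY is defined before it is exported, so the same script can be run on every node and its exit status checked. It assumes the file contains a line starting with "CAPKIHOME=" and an export line that lists CAPKIHOME, as the procedure states; the sample file contents and the CAROOT path in it are constructed. Restarting the Gateway (step 3) is still done separately.

```python
"""Added example: apply the FIPSONLY change to siteminder-env.sh and verify it.

Not part of the Layer7 documentation. Assumes the file has a line starting
with "CAPKIHOME=" and an export line that includes CAPKIHOME.
"""
import shutil
import sys

VAR = "CA_SM_PS_FIPS140"
DEFINITION = f"{VAR}=ONLY"
CAPKIHOME_PREFIX = "CAPKIHOME="

# Constructed sample of the profile script (CAROOT is a placeholder path).
SAMPLE_ENV = """\
CAROOT=/opt/CA/example
LD_LIBRARY_PATH=${CAROOT}/lib:${LD_LIBRARY_PATH}
CAPKIHOME=${CAROOT}/CAPKI
export CAROOT LD_LIBRARY_PATH CAPKIHOME
"""


def enable_fips_only(text: str) -> str:
    """Return the script text with steps 1 and 2 applied; a no-op if already applied."""
    lines = text.splitlines()
    out = []
    defined = any(line.startswith(f"{VAR}=") for line in lines)
    for line in lines:
        if line.startswith(f"{VAR}="):
            line = DEFINITION              # normalise an existing definition to ONLY
        elif line.startswith(CAPKIHOME_PREFIX) and not defined:
            out.append(DEFINITION)         # step 1: define it just before CAPKIHOME
            defined = True
        elif line.startswith("export ") and "CAPKIHOME" in line.split() and VAR not in line.split():
            line = f"{line} {VAR}"         # step 2: export it with the other CA variables
        out.append(line)
    return "\n".join(out) + "\n"


def check_fips_only(text: str) -> bool:
    """True when CA_SM_PS_FIPS140=ONLY is defined and exported, definition first."""
    def_line = exp_line = None
    for n, line in enumerate(text.splitlines()):
        if line.strip() == DEFINITION:
            def_line = n
        elif line.startswith("export ") and VAR in line.split():
            exp_line = n
    return def_line is not None and exp_line is not None and def_line < exp_line


def apply_to_file(path: str) -> bool:
    """Back the file up, apply the edits in place, and report whether they verify."""
    shutil.copy2(path, path + ".bak")      # keep a copy for rollback
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = enable_fips_only(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return check_fips_only(updated)


if __name__ == "__main__":
    # Usage: python fips_only.py /opt/SecureSpan/Gateway/runtime/etc/profile.d/siteminder-env.sh
    # With no argument, show the edit applied to the constructed sample.
    if len(sys.argv) < 2:
        print(enable_fips_only(SAMPLE_ENV))
    else:
        ok = apply_to_file(sys.argv[1])
        print("verified" if ok else "NOT verified; inspect the file before restarting the Gateway")
        sys.exit(0 if ok else 1)
```

The check is deliberately stricter than "the variable appears somewhere": a definition placed after the export line would be exported empty, which the Policy Server connection would not flag as a FIPS misconfiguration.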
Manage CA SSO Configuration Properties
To access the properties for a CA Single Sign-On configuration:
  1. Add or edit a CA Single Sign-On configuration. The CA Single Sign-On Configuration Properties appear.
  2. When adding a new CA Single Sign-On configuration, it is recommended that you click [Register] and complete the parameters in the CA Single Sign-On Registration Properties.
    Registration populates most of the Agent Configuration fields for you. If you do not use the Register button, you can manually enter the Agent Configuration, including the shared secret.
    When editing an existing CA Single Sign-On configuration, using [Register] will re-register the CA Single Sign-On Agent with the Policy Server. This may invalidate previous registrations, so use this option carefully. A safe alternative is to manually edit the fields in the CA Single Sign-On Configuration Properties.
    Complete the fields in the dialog box as shown below. All fields are required.
    Setting: Description
    Address: Enter the address of the CA Single Sign-On Policy Service, either as an IP address or hostname.
    Host Name: Enter the name of the registered host. This can be the Layer7 API Gateway name or any other symbolic name used to distinguish the host.
    Host Configuration: Enter the CA Single Sign-On Policy Server host configuration used by the agent.
    FIPS Mode: Choose the FIPS mode supported by the CA Single Sign-On Policy Server. The available values are COMPAT (default), MIGRATE and ONLY.
    User Name: Enter the user name of the CA Single Sign-On administrator.
    Password: Choose the stored password to use from the drop-down list.
      Only stored passwords may be specified here; you cannot type in a password. To define a stored password, click [Manage Passwords]. For more information, see Manage Stored Passwords.
  3. Click [OK] to register the trusted host once all the required fields are filled. Upon successful registration, the agent configuration and server settings are populated in the CA Single Sign-On Configuration Properties dialog.
  4. Enter or modify the remaining CA Single Sign-On properties as follows:
    Setting: Description
    Configuration Name: Specify the CA Single Sign-On configuration name. This name is used in the Check Protected Resource Against CA Single Sign-On assertion. This field is required.
    Register: Click this button to enter or update the CA Single Sign-On registration parameters.
    Agent Configuration
    Secret: This is the CA Single Sign-On shared secret used by the agent to establish communication with the Policy Server. This secret can be generated by clicking [Register], or you can paste it from another source. This field is required.
      The shared secret cannot be copied, and it is neither exported during a policy export nor imported during a policy import.
    Address: Enter the IP address of the CA Single Sign-On agent. This field is required if the Check IP check box is selected; otherwise it may be left blank.
      This address is used only when the client application does not supply the IP address.
    Check IP: Select this check box to have the CA Single Sign-On Policy Server compare the client IP against the address stored in the CA Single Sign-On SSO Token. If they do not match, an error is recorded and the assertion(s) are considered "falsified."
      The CA Single Sign-On Policy Server may be configured to restrict certain IP addresses. This is enforced if Check IP is enabled.
      Clear this check box to skip checking the client IP address against the SSO Token. Requests from a different IP address (but with a valid SSO Token) then result in successful authentication/authorization.
    Host Name: Enter the name of the host registered with the CA Single Sign-On Policy Server (for example, the name of the Layer7 API Gateway). This field is required.
    FIPS Mode: Choose the FIPS mode supported by the CA Single Sign-On Policy Server. The available values are COMPAT (default), MIGRATE and ONLY.
      If the Policy Server does not support FIPS mode (for example, CA Single Sign-On Policy Server version 6), choose COMPAT.
      This field is required.
    Cluster Threshold: Specify the percentage of servers within a cluster that must be available for Policy Server requests. When the number of available servers in a cluster falls below this percentage, failover to the next cluster occurs. This field is required.
      Example: If the failover percentage is "60" and a cluster has five servers, failover occurs when the number of available servers in the cluster falls below three.
    Enable Failover: Select this check box to enable failover. In this mode, CA Single Sign-On continually uses one server until it becomes unavailable, at which time it switches to another server.
      Clear this check box to enable round-robin. In this mode, CA Single Sign-On dynamically distributes requests across all the servers based on the performance capabilities of each server.
      This setting is meaningful only if the Policy Server has more than one node.
    Update SSO Token: Select this check box to update the SSO Token after successful authentication/authorization (provided that the "Use SSO Token from Context Variable" option was selected in the assertions).
      Clear this check box to leave the SSO Token unchanged after authentication/authorization.
    Cluster Settings: In this section, you define the additional settings required to connect a client application to the Policy Server. You need to define at least one set of properties.
      The following cluster settings are available.
      Note: The "<prefix>" is "server.x.y", where "x" is the cluster sequence (since there can be more than one cluster) and "y" is the server sequence within the cluster.
      • <prefix>.accounting.port: Server accounting port
      • <prefix>.address: Server IP address; required
      • <prefix>.authentication.port: Server authentication port
      • <prefix>.authorization.port: Server authorization port (Tip: Ports 44441 - 44443 are accepted, even when the actual authorization port number is 44443); required
      • <prefix>.connection.max: Maximum number of connections
      • <prefix>.connection.min: Number of initial connections
      • <prefix>.connection.step: Number of connections to allocate when out of connections
      • <prefix>.timeout: Connection timeout (in seconds)
      • authenticationCache.maxAge: Maximum age of entries in the Authentication Cache; default is 3600000 (milliseconds).
      • authenticationCache.size: Number of entries to cache in the Authentication Cache; default is 10, while 0 (zero) indicates no caching.
      • authorizationCache.maxAge: Maximum age of entries in the Authorization Cache; default is 3600000 (milliseconds).
      • authorizationCache.size: Number of entries to cache in the Authorization Cache; default is 10, while 0 (zero) indicates no caching.
      • resourceCache.maxAge: Maximum age of entries in the Resource Cache; default is 300000 (milliseconds).
      • resourceCache.size: Number of entries to cache in the Resource Cache; default is 10, while 0 (zero) indicates no caching.
      • siteminder.cache.acoCache.maxAge: Maximum age of entries in the ACO cache; default is 30000 (milliseconds).
      • siteminder.cache.acoCache.size: Number of entries to cache in the ACO cache; default is 10, while 0 (zero) indicates no caching.
      You can modify the defaults for the caches through the CA Single Sign-On Cluster Properties.
      To add a cluster setting:
      1. Click [Add].
      2. Enter the Name and Value of the setting.
      3. Click [OK].
      To modify a cluster setting:
      1. Select the setting to edit.
      2. Click [Edit].
      3. Modify the Name or Value as necessary.
      4. Click [OK].
      To remove a cluster setting:
      1. Select the setting.
      2. Click [Remove].
      3. Click [Remove] to confirm.
    Disable: Select this check box to disable the CA Single Sign-On configuration. This will make the configuration unavailable for use, while preserving all settings.
      Clear this check box to re-enable the configuration.
    Security Zone: Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone".
      For more information about security zones, see Understanding Security Zones.
      This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
    Test: Click this button to test the CA Single Sign-On configuration. You will see a "Validation passed" message if the configuration is correct.
  5. Click [OK] when done.
    The caches are flushed each time you click [OK] to close the properties dialog, regardless of whether there are any changes to save. If you wish to close the dialog box without flushing the caches, click [Cancel] instead.
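The Cluster Settings are entered one name/value pair at a time, and the dialog's [Test] button only tells you whether the resulting connection works, not which entry was mistyped. The script below is an added example, not part of the Layer7 documentation or product: it checks a set of cluster settings against the naming and required-key rules given above (the "server.x.y.<key>" prefix, the required address and authorization.port, the cache properties and their documented defaults, with a size of 0 disabling a cache) and works out the failover point that a Cluster Threshold percentage implies, reproducing the five-server, 60% example from the Cluster Threshold description. The TCP port range check and the connection.min versus connection.max check are this example's own sanity rules, not rules stated on the page; the sample settings are constructed values using documentation addresses.

```python
"""Added example: sanity-check CA Single Sign-On cluster settings and compute
the failover point for a Cluster Threshold. Not part of the Layer7 product.
"""
import math
import re
from collections import defaultdict

SERVER_KEY = re.compile(r"^server\.(\d+)\.(\d+)\.(.+)$")

# Keys documented under <prefix>; address and authorization.port are required.
SERVER_KEYS = {
    "accounting.port", "address", "authentication.port", "authorization.port",
    "connection.max", "connection.min", "connection.step", "timeout",
}
REQUIRED_SERVER_KEYS = {"address", "authorization.port"}
PORT_KEYS = {"accounting.port", "authentication.port", "authorization.port"}
COUNT_KEYS = ("connection.min", "connection.max", "connection.step", "timeout")

# Cache properties with their documented defaults (sizes are entry counts,
# maxAge values are milliseconds; a size of 0 disables that cache).
CACHE_DEFAULTS = {
    "authenticationCache.maxAge": 3600000, "authenticationCache.size": 10,
    "authorizationCache.maxAge": 3600000, "authorizationCache.size": 10,
    "resourceCache.maxAge": 300000, "resourceCache.size": 10,
    "siteminder.cache.acoCache.maxAge": 30000, "siteminder.cache.acoCache.size": 10,
}

# Constructed sample (documentation addresses, not a real deployment).
SAMPLE_SETTINGS = {
    "server.1.1.address": "192.0.2.10",
    "server.1.1.accounting.port": "44441",
    "server.1.1.authentication.port": "44442",
    "server.1.1.authorization.port": "44443",
    "server.1.1.connection.min": "2",
    "server.1.1.connection.max": "20",
    "server.1.1.connection.step": "2",
    "server.1.1.timeout": "60",
    "server.1.2.address": "192.0.2.11",
    "server.1.2.authorization.port": "44443",
    "authenticationCache.size": "0",   # 0 turns the authentication cache off
}


def parse_settings(settings):
    """Group server.x.y.* entries as clusters[x][y][key]; collect naming problems."""
    clusters = defaultdict(lambda: defaultdict(dict))
    problems = []
    for name, value in settings.items():
        m = SERVER_KEY.match(name)
        if m:
            cluster, server, key = int(m.group(1)), int(m.group(2)), m.group(3)
            if key not in SERVER_KEYS:
                problems.append(f"{name}: unknown server key '{key}'")
            else:
                clusters[cluster][server][key] = str(value)
        elif name not in CACHE_DEFAULTS:
            problems.append(f"{name}: unrecognised setting name")
    return clusters, problems


def validate(settings):
    """Return a list of problems; an empty list means the settings are consistent."""
    clusters, problems = parse_settings(settings)
    if not clusters:
        problems.append("at least one server.x.y.* set of properties is required")
    for c, servers in sorted(clusters.items()):
        for s, props in sorted(servers.items()):
            prefix = f"server.{c}.{s}"
            for key in sorted(REQUIRED_SERVER_KEYS - set(props)):
                problems.append(f"{prefix}.{key}: required but missing")
            for key in sorted(PORT_KEYS & set(props)):
                if not (props[key].isdigit() and 1 <= int(props[key]) <= 65535):
                    problems.append(f"{prefix}.{key}: not a valid TCP port")
            for key in COUNT_KEYS:
                if key in props and not props[key].isdigit():
                    problems.append(f"{prefix}.{key}: must be a non-negative integer")
            lo, hi = props.get("connection.min"), props.get("connection.max")
            if lo and hi and lo.isdigit() and hi.isdigit() and int(lo) > int(hi):
                problems.append(f"{prefix}.connection.min exceeds connection.max")
    for name in sorted(set(CACHE_DEFAULTS) & set(settings)):
        if not str(settings[name]).isdigit():
            problems.append(f"{name}: must be a non-negative integer")
    return problems


def effective_cache_settings(settings):
    """Merge the documented cache defaults with any overrides; values as integers."""
    merged = dict(CACHE_DEFAULTS)
    for name in CACHE_DEFAULTS:
        if name in settings:
            merged[name] = int(settings[name])
    return merged


def failover_point(threshold_percent, servers_in_cluster):
    """Smallest number of available servers that still satisfies the threshold.

    Failover to the next cluster occurs when fewer than this many servers are
    available: 60% of a five-server cluster gives 3, the page's own example.
    """
    return math.ceil(servers_in_cluster * threshold_percent / 100)


if __name__ == "__main__":
    for problem in validate(SAMPLE_SETTINGS) or ["no problems found"]:
        print(problem)
    print("failover below", failover_point(60, 5), "available servers")
```

Running the validator on the exported name/value pairs before entering them, and again after the dialog's [Test], separates "the name is wrong" from "the Policy Server is unreachable"; the effective_cache_settings view is also a quick way to confirm that a cache you meant to disable really has size 0.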