Enable the CA SSO Policy Server Resource Adapter

The identity administrator enables the CA SSO Policy Server Resource Adapter. The purpose of the adapter is to validate the SMSESSION cookie. After validation, CA SSO creates the user context.
Note: This procedure applies only to systems using WildFly or WebLogic. To learn the WebSphere-specific procedure, see Enable the CA SSO Policy Server Resource Adapter on WebSphere.
Follow these steps:
  1. Navigate to the /iam_im.ear/policysever.rar/META-INF folder on the application server.
    Note: In a Virtual Appliance environment, the ra.xml file is located at /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config.
  2. Open the ra.xml file in an editor.
  3. Search for the Enabled config-property, and then change the config-property-value to true as shown in the following code snippet:
    <config-property>
    <config-property-name>Enabled</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>true</config-property-value>
    </config-property>
  4. The ValidateSMHeadersWithPS property enforces validation of the SM header user (SM_USERDN) by CA SSO.
    The default config-property-value for the ValidateSMHeadersWithPS property is true. You can set this value to false if you trust the SM header user and want to skip the validation step.
    <config-property>
    <config-property-name>ValidateSMHeadersWithPS</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>true</config-property-value>
    </config-property>
  5. Search for the ConnectionURL property and provide the hostname of the CA SSO Policy Server. Use a fully qualified domain name (FQDN).
  6. Search for the UserName property and specify the account to use for communication with CA SSO. SiteMinder is the default value for this account.
  7. Search for the AgentSecret config-property, and then enter an encrypted password in the config-property-value as shown in the following code snippet:
    <config-property>
    <config-property-name>AgentSecret</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value><encrypted_password></config-property-value>
    </config-property>
    You can use the encrypted password from the directory.xml file that you exported. If you want to use a password different from the one in directory.xml, you can encrypt a new password using Password Tool.
  8. Search for the AgentName config-property, and then update the config-property-value with the 4.x agent name as shown in the following code snippet. This is the same agent that the policy administrator creates during the CA SSO configuration.
    <config-property>
    <config-property-name>AgentName</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>@AGENTNAME</config-property-value>
    </config-property>
  9. If you plan to integrate Identity Manager with CA Single Sign-On (with FIPS Mode enabled), ensure that you enable FIPS mode in the application servers that host Identity Manager:
    <config-property>
    <config-property-name>FIPSMode</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>true</config-property-value>
    </config-property>
    For more information about FIPS compliance, see FIPS Compliance (Optional).
  10. Save the ra.xml file.
The CA SSO Policy Server Resource Adapter is enabled.
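
After saving, the edited values can be checked before the application server is restarted. The following script is an added example, not part of the product or its documentation. It reads the config-property entries named in steps 3 through 8 and reports settings that weaken or break SMSESSION validation. It assumes ConnectionURL holds a bare hostname; the sample descriptor, its namespace, and all values in it are constructed for the demonstration.

```python
import ipaddress
import xml.etree.ElementTree as ET

def load_props(xml_text):
    """Return {config-property-name: value}, ignoring any XML namespace."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    props = {}
    for prop in ET.fromstring(xml_text).iter():
        if local(prop) != "config-property":
            continue
        kv = {local(c): (c.text or "").strip() for c in prop}
        if "config-property-name" in kv:
            props[kv["config-property-name"]] = kv.get("config-property-value", "")
    return props

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(xml_text):
    """Return a list of findings for the settings this procedure edits."""
    p, out = load_props(xml_text), []
    if p.get("Enabled", "").lower() != "true":
        out.append("Enabled is not true: adapter is off")
    # The page gives true as the default, so a missing property counts as true.
    if p.get("ValidateSMHeadersWithPS", "true").lower() != "true":
        out.append("ValidateSMHeadersWithPS is off: SM_USERDN is trusted unvalidated")
    host = p.get("ConnectionURL", "")  # assumption: value is a bare hostname
    if "." not in host or is_ip(host):
        out.append("ConnectionURL is not a fully qualified domain name")
    if not p.get("AgentSecret"):
        out.append("AgentSecret is empty")
    if p.get("AgentName", "") in ("", "@AGENTNAME"):
        out.append("AgentName still holds the template value")
    return out

def sample(**overrides):
    """Build a constructed descriptor; all values are made up for the demo."""
    vals = {"Enabled": "true", "ValidateSMHeadersWithPS": "true",
            "ConnectionURL": "ps01.example.com", "AgentSecret": "ENCRYPTED-PLACEHOLDER",
            "AgentName": "im-agent", **overrides}
    body = "".join(f"<config-property><config-property-name>{k}</config-property-name>"
                   f"<config-property-value>{v}</config-property-value></config-property>"
                   for k, v in vals.items())
    return f'<connector xmlns="urn:example:constructed"><resourceadapter>{body}</resourceadapter></connector>'

if __name__ == "__main__":
    for finding in audit(sample(ValidateSMHeadersWithPS="false", AgentName="@AGENTNAME")):
        print("FINDING:", finding)
```

To check a real file, pass its contents to audit(), for example audit(open("ra.xml").read()).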