Integrating CA Identity Manager with CA Single Sign-On using Virtual Appliance

You can integrate CA Identity Manager with CA Single Sign-On using the standard procedure, which is detailed at Integrate CA Identity Manager with CA Single Sign-On.
Several Virtual Appliance specific steps (for example, the use of aliases, performing a Virtual Appliance step, or placing files in locations specific to the Virtual Appliance) that are outlined below do not replace the standard CA Single Sign-On integration procedure but rather complement it:
Add Schema Objects to the Identity Manager Policy Store
Add schema objects to the Identity Manager Policy Store by following the procedure documented at Configure the CA SSO Policy Store.
Verify the ImsVersion Registry Key on the Policy Server
  1. For Policy Servers running on Unix/Linux platforms:
    1. Verify that the following entry exists in the sm.registry file:
      ImsInstalled=8.0; REG_SZ
  2. For Policy Servers running on Windows platforms:
    1. Run the following command to edit the registry:
      regedt32
    2. Navigate to the following path:
      1. For a 32-bit Policy Server (version 12.52 and below) running on a 64-bit Windows platform:
        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion
      2. For a 32-bit Policy Server (version 12.52 and below) running on a 32-bit Windows platform, or for a 64-bit Policy Server (version 12.6 and above):
        HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion
    3. Verify that a string (REG_SZ) key is defined as follows. Create the key if it is not present.
      "ImsInstalled"="8.0"
Import IMS XPS Objects to the Policy Store
  1. Run the following command to import IMS XPS objects to the Policy Store (replace "C:\CA\siteminder" with the directory where the CA Single Sign-On Policy Server is installed):
    C:\CA\siteminder\bin\XPSDDInstall.exe C:\CA\siteminder\xps\dd\IdmSmObjects.xdd
    Note: If the IdmSmObjects.xdd file does not exist, run the CA Identity Manager installer on the Policy Server and select "Install CA SSO extensions".
  2. Run the following command to view the XPS objects deployed (replace "C:\CA\siteminder" with the directory where the CA Single Sign-On Policy Server is installed):
    C:\CA\siteminder\bin\XPSExplorer.exe
  3. Ensure that objects starting with an "IMS" prefix are shown, for example:
    127- IMSAdditionalProperties
    128- IMSAdditionalPropertiesSet
    129- IMSBLTH
    130- IMSDirectory
    131- IMSEnvironment
    132- IMSIdentityPolicy
    133- IMSIdentityPolicySet
    134- IMSManagedObject
    135- IMSManagedObjectAttr
    136- IMSRole
    137- IMSRoleAdminPolicy
    138- IMSRoleChangePolicy
    139- IMSRoleMemberPolicy
    140- IMSRoleOwnerPolicy
    141- IMSRoleRule
    142- IMSRoleScopeRule
    143- IMSScreen
    144- IMSScreenDefinition
    145- IMSScreenField
    146- IMSTab
    147- IMSTabDefinition
    148- IMSTask
    149- IMSValidationRule
    150- IMSValidationRuleSet
  4. Restart the Policy Server.
Update the Hosts File on the Policy Server
When the ra.xml file has the CA Single Sign-On integration set to "enabled" and an Environment, User Store or Provisioning Directory is created, CA Identity Manager automatically creates objects (directory, domain, realms...) in the Policy Server.
During the automatic object creation, the Policy Server attempts to configure a User Directory.
As the Virtual Appliance uses a common hostname for the User Store connection that is named caim-srv, a host record must be added manually to the hosts file on the Policy Servers to allow connections to the User Store.
Perform the following steps on each CA Single Sign-On Policy Server:
  1. Edit the hosts file on the Policy Server:
    For a Policy Server running on Windows platforms, edit the file C:\Windows\System32\drivers\etc\hosts
    For a Policy Server running on UNIX platforms, edit the file /etc/hosts
  2. Add a host record that is named caim-srv pointing to any Virtual Appliance based CA Identity Manager server in the deployment. This allows the Policy Server to connect to the User Store router DSA hosted on each CA Identity Manager node.
    The line to be added has the format that is listed below (replace "10.10.10.10" with the IP address of the CA Identity Manager server).
  3. Add host records that are named ca-prov-srv-primary, ca-prov-srv, and ca-prov-srv-01 pointing to any Virtual Appliance based Provisioning Server in the deployment.
    Example:
    10.10.10.10 caim-srv
    10.10.10.12 ca-prov-srv-primary ca-prov-srv ca-prov-srv-01
Edit the ra.xml File
Perform the following steps on each CA Identity Manager Server:
  1. Log in to the server through the command-line interface or SSH using the "config" user.
  2. Run the Password tool to encrypt the AgentSecret and AdminSecret passwords:
    cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool
    ./pwdtools.sh -JSAFE -p 'CLEAR-TEXT-PASSWORD'
    Note: The supplied password must be enclosed in single quotes as shown above.
    The supplied password (for example, CLEAR-TEXT-PASSWORD) is encrypted and displayed with the prefix "Encrypted value:". See the following output for reference:
    --------------------------------------------------
    Your JAVA_HOME is currently set to /opt/CA/jdk1.8.0_71/
    --------------------------------------------------
    Encrypting your password ...
    ******************************************
    Plain Text: CLEAR-TEXT-PASSWORD
    Encrypted value: {PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J
    ******************************************
  3. Run the following command to edit the ra.xml file:
    vim /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/ra.xml
  4. Change the following parameters as required:
    • Enabled: enabled flag
    • ConnectionURL: CA Single Sign-On Policy Server address
    • UserName: CA Single Sign-On Policy Server admin user
    • AdminSecret: CA Single Sign-On Policy Server admin password. Encrypt the password using pwdtools -JSAFE -p <pwd>
    • AgentName: Virtual Appliance 4.x web-agent name. CA Identity Manager uses this agent to communicate with the Policy Server. This agent is not used for the protection of the domain.
    • AgentSecret: Virtual Appliance 4.x web-agent password. Encrypt the password using pwdtools -JSAFE -p <pwd>
  5. To save the file and exit the vim editor: press "Esc", then press ":", then type "x", then press <ENTER>.
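As an added check for the hosts-file records and the ra.xml secrets described above (helper script written for this page, not part of the CA documentation or product): it verifies that each required hostname has exactly one record and that AdminSecret and AgentSecret carry the {PBES}: prefix that pwdtools.sh emits, which catches a clear-text password left in ra.xml before restart_im picks it up. The sample hosts file and ra.xml fragment are constructed inline, and the JCA config-property-name/config-property-value layout assumed for ra.xml is an assumption.

```shell
# Added verification helpers, not part of the CA documentation. The hosts file
# layout follows the page; the ra.xml layout is ASSUMED to use JCA
# <config-property-name>/<config-property-value> pairs for the page's parameters.

# Constructed sample hosts file carrying the records the procedure adds.
HOSTS_SAMPLE=$(mktemp)
cat >"$HOSTS_SAMPLE" <<'EOF'
127.0.0.1   localhost
10.10.10.10 caim-srv
10.10.10.12 ca-prov-srv-primary ca-prov-srv ca-prov-srv-01
EOF
# Constructed sample ra.xml fragment: AdminSecret was run through
# pwdtools.sh -JSAFE, AgentSecret was pasted in clear text by mistake.
RA_SAMPLE=$(mktemp)
cat >"$RA_SAMPLE" <<'EOF'
<config-property>
  <config-property-name>AdminSecret</config-property-name>
  <config-property-value>{PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J</config-property-value>
</config-property>
<config-property>
  <config-property-name>AgentSecret</config-property-name>
  <config-property-value>CLEAR-TEXT-PASSWORD</config-property-value>
</config-property>
EOF
trap 'rm -f "$HOSTS_SAMPLE" "$RA_SAMPLE"' EXIT

# check_hosts FILE NAME...: succeed only if every NAME appears on exactly one
# non-comment line of FILE (none breaks the User Store connection, two is ambiguous).
check_hosts() {
  file=$1; shift
  for name in "$@"; do
    n=$(awk -v h="$name" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == h) c++ }
                          END { print c + 0 }' "$file")
    [ "$n" -eq 1 ] || { echo "hosts: $name has $n record(s)" >&2; return 1; }
  done
  return 0
}

# check_secrets FILE: succeed only if AdminSecret and AgentSecret both carry
# the {PBES}: prefix that pwdtools.sh -JSAFE emits; names the offenders on stderr.
check_secrets() {
  bad=$(awk '
    /<config-property-name>/ {
      gsub(/.*<config-property-name>|<\/config-property-name>.*/, ""); name = $0; next }
    /<config-property-value>/ && (name == "AdminSecret" || name == "AgentSecret") {
      gsub(/.*<config-property-value>|<\/config-property-value>.*/, "")
      if ($0 !~ /^[{]PBES[}]:/) print name }' "$1")
  [ -z "$bad" ] || { echo "ra.xml: clear-text secret(s): $bad" >&2; return 1; }
}

check_hosts "$HOSTS_SAMPLE" caim-srv ca-prov-srv-primary ca-prov-srv ca-prov-srv-01 && echo "hosts: ok"
check_secrets "$RA_SAMPLE" || echo "ra.xml: encrypt the secret(s) above before running restart_im"
```

On a real node, point check_hosts at the Policy Server's hosts file and check_secrets at /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/ra.xml.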
Configure CA Single Sign-On Web Agent Name
To configure the CA Single Sign-On Web agent name, perform the following steps on each CA Identity Manager Server:
  1. Run the following command to edit the configuration file for the CA Single Sign-On Web Agent name:
    vim /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/sm_web_agent_name
  2. Insert a line below the comment line (which begins with a "#") containing the name of the web agent protecting CA Identity Manager, for example:
    # This file should hold the name of the CA Single Sign-On (also known as SiteMinder) web-agent name to be used to protect the Identity Manager realms in SiteMinder
    sso-proxy01
  3. To save the file and exit the vim editor: press "Esc", then press ":", then type "x", then press <ENTER>.
Disable the Native Authentication Filter
Perform the following step on each CA Identity Manager Server:
Run the following alias from the command-line interface to disable the Native Authentication Filter:
DisableIdmAuthFilterSecurity
Note: You can roll back this action by running the following alias:
EnableIdmAuthFilterSecurity
Restart CA Identity Manager
Perform the following steps on each CA Identity Manager Server:
  1. Run the following alias to restart the CA Identity Manager server:
    restart_im
  2. Run the following command to monitor the IDM server log file:
    tail_im_log
  3. Inspect the log to ensure that the environment starts with no errors; the following lines indicate a successful startup:
    [ims.Main] (MSC service thread 1-6) CA IAM Framework Server
    [ims.Main] (MSC service thread 1-6) Copyright 2000 - 2013 CA. All Rights Reserved
    [ims.Main] (MSC service thread 1-6) ################################################
    [ims.Main] (MSC service thread 1-6) # IAM Framework 400.0.0.0.634
    [ims.Main] (MSC service thread 1-6) ################################################
    [ims.Main] (MSC service thread 1-6) ################################################
    [ims.Main] (MSC service thread 1-6) # CA Identity Manager 14.0.0.0.222
    [ims.Main] (MSC service thread 1-6) ################################################
    [ims.Main] (MSC service thread 1-6) ---- CA IAM FW Startup Sequence Initiated. ----
    [ims.Main] (MSC service thread 1-6) * Startup Step 1 : Attempting to start ServiceLocator.
    [ims.Main] (MSC service thread 1-6) * Startup Step 2 : Attempting to start PolicyServerService
    [ims.Main] (MSC service thread 1-6) * Startup Step 3 : Attempting to start ServerCommandService
    [ims.Main] (MSC service thread 1-6) * Startup Step 4 : Attempting to start EnvironmentService
    [ims.Main] (MSC service thread 1-6) * Startup Step 5 : Attempting to start SecretKeyStore
    [ims.Main] (MSC service thread 1-6) * Startup Step 6 : Attempting to start CacheManagerService
    [ims.Main] (MSC service thread 1-6) * Startup Step 7 : Attempting to load global plugins.
    [ims.Main] (MSC service thread 1-6) * Startup Step 8 : Attempting to start AdaptersConfigService
    [ims.Main] (MSC service thread 1-6) * Startup Step 9 : Attempting to start EmailProviderService
    [ims.Main] (MSC service thread 1-6) * Startup Step 10 : Attempting to start AuditProviderService
    [ims.Main] (MSC service thread 1-6) * Startup Step 11 : Attempting to start RuntimeStatusDetailService
    [ims.Main] (MSC service thread 1-6) * Startup Step 12 : Attempting to start PasswordService
    [ims.Main] (MSC service thread 1-6) * Startup Step 13 : Attempting to start LogicalAttributeService
    [ims.Main] (MSC service thread 1-6) * Startup Step 14 : Attempting to start BLTHService
    [ims.Main] (MSC service thread 1-6) * Startup Step 15 : Attempting to start ParticipantResolverService
    [ims.Main] (MSC service thread 1-6) * Startup Step 16 : Attempting to start NotificationRuleService
    [ims.Main] (MSC service thread 1-6) * Startup Step 17 : Attempting to start EventAdapterService
    [ims.Main] (MSC service thread 1-6) * Startup Step 18 : Attempting to start TaskService
    [ims.Main] (MSC service thread 1-6) * Startup Step 19 : Attempting to start WorkflowCallbackService
    [ims.Main] (MSC service thread 1-6) * Startup Step 20 : Attempting to start WorkflowService
    [ims.Main] (MSC service thread 1-6) * Startup Step 21 : Attempting to start TaskStatusNotifyService
    [ims.Main] (MSC service thread 1-6) * Startup Step 22 : Attempting to start EventService
    [ims.Main] (MSC service thread 1-6) * Startup Step 23 : Attempting to start AdminService
    [ims.Main] (MSC service thread 1-6) * Startup Step 24 : Attempting to start GeneralMonitorAdmin
    [ims.Main] (MSC service thread 1-6) * Startup Step 25 : Attempting to start StatusNotificationService
    [ims.Main] (MSC service thread 1-6) * Startup Step 26 : Attempting to start GlobalInitializer plug-ins
    [ims.Main] (MSC service thread 1-8) * Deploying Directory : UserStore
    [ims.Main] (MSC service thread 1-8) * Deploying Directory : ProvStore
    [ims.Main] (MSC service thread 1-8) * Deploying Environment : identityEnv
    [ims.Main] (MSC service thread 1-6) * Startup Step 27 : Attempting to start SchedulerService
    [ims.Main] (MSC service thread 1-6) * Startup Step 28 : Attempting to start NIMSMIntegrationService
    [ims.Main] (MSC service thread 1-6) * Startup Step 29 : Attempting to start environments
    [ims.Main] (MSC service thread 1-6) * Starting environment: identityEnv
    [com.workpoint.client.ClientContext] (Thread-159) Loaded client properties from URL: vfs:/opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/config/workpoint-client.properties
    [com.workpoint.client.ClientContext] (Thread-159) Connected to server at: localhost
    [ims.llsdk.etrustadmindirectory] (MSC service thread 1-6) Not setting tenant key for environment identityEnv
    [com.workpoint.server.ServerProperties] (Thread-159) Loaded server properties from /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/config/workpoint-server.properties
    [com.workpoint.server.ServerProperties] (Thread-159) PRODUCT = Workpoint; VERSION = 3.5.2; BUILD = 20140214.P004; BUILD DATE = June 20, 2015
    [com.workpoint.server.ServerProperties] (Thread-159) No event configuration File specified in the server properties, so no event subscribers will be configured.
    [com.workpoint.server.ServerProperties] (Timer-3) ServerProperties.setProperty() invoked for property= calculated.db.offset.millis, value=0
    [com.workpoint.server.DbVerifier] (Timer-3) SQL Driver Information for DSN=WPDS: JDBC Driver = Oracle JDBC driver, Driver Version = 11.1.0.7.0-Production, Database = Oracle, Database Version = Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production, Database default transaction isolation = TRANSACTION_READ_COMMITTED
    [com.workpoint.server.DbVerifier] (Timer-3) Workpoint DSN 'WPDS' using database version '3.5.2'.
    [ims.Main] (MSC service thread 1-6) * Started environment: identityEnv
    [ims.Main] (MSC service thread 1-6) ** FIPS mode enabled : false
    [ims.Main] (MSC service thread 1-6) * Startup Step 30 : Attempting to start ApplicationContextInitializer plug-ins
    [ims.Main] (MSC service thread 1-6) ---- CA IAM FW Startup Sequence Complete. ----
Install the Proxy Plugin for WildFly
For information about installing the proxy plugin for WildFly, see Install the Proxy Plug-In for WildFly.
By default, the Virtual Appliance enables the AJP listener. To disable the AJP Listener, you must apply the hotfix HF-AJPCONFIG_20200320_001 on each node. After applying the hotfix, the AJP Listener is disabled by default.
After applying the hotfix, you can also Toggle AJP Listener ON/OFF.
We recommend using the HTTP listener instead of the AJP listener for integration.
Switch the CA Single Sign-On Authentication Scheme Type to HTML Form Template
The out-of-the-box integration between CA Identity Manager and CA Single Sign-On creates the domain and realms in CA Single Sign-On to protect CA Identity Manager.
The integration also creates a default authentication scheme in CA Single Sign-On named "identityEnv__idm_default_auth" and links this scheme to the CA Identity Manager protected realm.
This "identityEnv__idm_default_auth" authentication scheme type is set to "Basic Template" by default.
Before authenticating to the CA Single Sign-On Domain protecting CA Identity Manager, ensure that you modify this authentication scheme type from "Basic Template" to "HTML Form Template".
Ensure that you clear the CA Single Sign-On server cache and restart your web agent for the changes to take effect.