Protecting a simple web application using CA Siteminder  r12.51

In this blog i will take you through the steps required to protect your web application using CA Siteminder r12.51

Product Versions

• Policy Server      : CA Siteminder r12.51
• Webagent          : ca-wa-12.51-linux.bin
• Webserver         : Apache/2.4.7
• UserStore          : CA Directory

Webserver Details

Hostname: WebOne

WebServer Root: /usr/local/apache2

Virtual host entry in the httpd.conf

<VirtualHost 10.10.103.89:82>
DocumentRoot /usr/local/apache2/htdocs/myecorp/
ServerName WebOne.mysitea.com
</VirtualHost>

Below is my simple webserver static page i am going to protect  http://webone.mysitea.com:82

For Siteminder installation there is a cool video on you tube http://www.youtube.com/watch?v=lOd35Iyc_h0

Webagent installation on Suse Enterprise Linux SP11.

• Execute the Webagent binary #ca-wa-12.51-linux.bin

•  Click Next and scroll down and accept the agreement and click Next

• Specify the Siteminder Webagent installation path and Click Next

• Click Install to start the Webagent installation.

•  Now you have successfully completed the installation and ready to configure the Webagent.

After installation of Webagent execute the ca_wa_env.sh under #/opt/siteminder/webagent/ to set the webagent environment variable.

• Now before you start configuring the Webagent  you need to create blow 2 things in Siteminder Policy server.
  • Create ACO ( Agent Configuration Object)
  • Create HCO (Host Configuration Object)

Host Configuration Object

Agent Configuration Object

Lets go and configure the webagent by executing the file on the Webserver WebOne:/opt/siteminder/webagent #ca-wa-config.sh

• Since we are configuring webagent for the first time in this webserver, click yes to do Host registration.

• Provide the Siteminder Administrative credentials

• Provide the name of the host to be registered in the Policy Server
• Then provide the HCO value as “WebOne_HCO” which we have created already.

• This host name will be registered in the Trusted host section of the policy server as below after the web agent configuration completed.

• Provide the policy server IP Address. You can add multiple Policy Server address to provide the High Availability functionality.

• Select the FIPS Compability Mode and click Next

• Accept the default location to store the Host Configuration file or provide your custom location.

• Next 5 steps would be selecting your webserver type. I am using Apache web server

• Root path of my web server

• Version 2.4.7

• Apache software foundation

• By this time it read my version as 2.4.7

• Now provide the ACO as “WebOne_ACO” name which we created at the beginning.

• Next choosing type of  SSL we will be configuring for this Apache webserver. I am not doing SSL for this scenario so selected “No advance authentication”

• Enable the Webagent by selecting the “Yes”

• Confirm and click install to get started.

• Here you go now we have configured the Webagent successfully on “WebOne” host

• Webagent updates the httpd.conf file by adding the required Siteminder Modules and Directives as below

LoadModule sm_module "/opt/siteminder/webagent/bin/libmod_sm24.so"
SmInitFile "/usr/local/apache2/conf/WebAgent.conf"

Alias /siteminderagent/pwcgi/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pw/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/ "/opt/siteminder/webagent/samples/"
<Directory "/opt/siteminder/webagent/samples/">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>

Now lets start the Webserver and make sure the webagent starts without any error.

Edit the /usr/local/apache2/bin/apachectl  file and add the webagent environment variable to load it ever time when you restart the webserver.

if test -f /usr/local/apache2/bin/envvars; then
. /usr/local/apache2/bin/envvars
. /opt/siteminder/webagent/ca_wa_env.sh
fi

Start the webserver

/usr/local/apache2/bin/apachectl start 

Check the webserver logs to make sure the Siteminder Webagent started without any errors

 [07/Feb/2014:22:14:03] [Info] [CA WebAgent LLAWP] [11936] [LLAWP Monitor: LLAWP has been started.]
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Created semaphore 622593 using key 0x6b087048
 07/Feb/2014:22:25:50] [Info] [CA WebAgent IPC] [11954] [CSmSharedSegment::smalloc] Attached to shared memory segment 16810005 using key 0x69087048
 [07/Feb/2014:22:25:50] [Information] SiteMinder Agent
 SiteMinder agent is running.

 In the following post http://mytechreference.com/ca-siteminder-protecting-web-application-part-2 i will be configuring objects on the policy server to protect this URL/application http://webone.mysitea.com:82  

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.