MyTechReference - Technical Notes


by IDAMGroup

CA Siteminder Protecting Web Application Part 1

Protecting a simple web application using CA Siteminder r12.51

In this post I will take you through the steps required to protect your web application using CA Siteminder r12.51.

Product Versions

  • Policy Server      : CA Siteminder r12.51
  • Webagent          : ca-wa-12.51-linux.bin
  • Webserver         : Apache/2.4.7
  • UserStore          : CA Directory

 

Webserver Details

Hostname: WebOne

WebServer Root: /usr/local/apache2

Virtual host entry in the httpd.conf

<VirtualHost 10.10.103.89:82>
DocumentRoot /usr/local/apache2/htdocs/myecorp/
ServerName WebOne.mysitea.com
</VirtualHost>

 

Below is the simple static page on my webserver that I am going to protect: http://webone.mysitea.com:82

For the Siteminder installation there is a cool video on YouTube: http://www.youtube.com/watch?v=lOd35Iyc_h0

Webagent installation on Suse Enterprise Linux SP11.

  • Execute the Webagent binary #ca-wa-12.51-linux.bin

  • Click Next, scroll down, accept the agreement, and click Next

  • Specify the Siteminder Webagent installation path and Click Next

  • Click Install to start the Webagent installation.

  • You have now successfully completed the installation and are ready to configure the Webagent.

After installing the Webagent, execute ca_wa_env.sh under /opt/siteminder/webagent/ to set the Webagent environment variables.

  • Before you start configuring the Webagent, you need to create the 2 things below in the Siteminder Policy Server.
    • Create ACO (Agent Configuration Object)
    • Create HCO (Host Configuration Object)

Host Configuration Object

Agent Configuration Object

Let's configure the Webagent by executing the following file on the webserver: WebOne:/opt/siteminder/webagent #ca-wa-config.sh

  • Since we are configuring the Webagent for the first time on this webserver, click Yes to do host registration.

 

  • Provide the Siteminder Administrative credentials

 

  • Provide the name of the host to be registered in the Policy Server
  • Then provide the HCO value as “WebOne_HCO” which we have created already.

    • After the web agent configuration is completed, this host name will be registered in the Trusted Host section of the policy server.

  • Provide the policy server IP address. You can add multiple Policy Server addresses to provide high availability.

  • Select the FIPS Compatibility Mode and click Next

  • Accept the default location to store the Host Configuration file or provide your custom location.

 

  • The next 5 steps select your webserver type. I am using the Apache web server

  • Root path of my web server

  • Version 2.4.7

  • Apache software foundation

  • By this point the installer has read my version as 2.4.7

  • Now provide the ACO name “WebOne_ACO”, which we created at the beginning.

  • Next, choose the type of SSL we will be configuring for this Apache webserver. I am not doing SSL for this scenario, so I selected “No advance authentication”

  • Enable the Webagent by selecting “Yes”

  • Confirm and click Install to get started.

  • Here you go: we have now configured the Webagent successfully on the “WebOne” host

  • The Webagent updates the httpd.conf file by adding the required Siteminder modules and directives, as below:
LoadModule sm_module "/opt/siteminder/webagent/bin/libmod_sm24.so"
SmInitFile "/usr/local/apache2/conf/WebAgent.conf"
Alias /siteminderagent/pwcgi/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/pw/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/ "/opt/siteminder/webagent/samples/"
<Directory "/opt/siteminder/webagent/samples/">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>
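
A check worth running on the generated httpd.conf (an added example, not part of the original post or of CA's tooling): it reports whether the two agent directives are present and which agent directories carry Options Indexes, which lets Apache generate a directory listing when no index file exists. The function name is hypothetical and the sample configuration is a shortened copy of the directives above.

```shell
#!/bin/sh
# Added example, not CA tooling. SAMPLE_CONF is a shortened copy of the
# directives shown above; the function name is hypothetical.
SAMPLE_CONF='LoadModule sm_module "/opt/siteminder/webagent/bin/libmod_sm24.so"
SmInitFile "/usr/local/apache2/conf/WebAgent.conf"
Alias /siteminderagent/pw/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /siteminderagent/ "/opt/siteminder/webagent/samples/"
<Directory "/opt/siteminder/webagent/samples/">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>'

# Reads an httpd.conf on stdin and prints one finding per line:
#   LISTING <directory>  - Options Indexes is set on an agent directory
#   MISSING <directive>  - a directive the agent needs is absent
audit_sm_httpd_conf() {
  awk '
    /^[ \t]*#/ { next }                                    # ignore comments
    /^[ \t]*LoadModule[ \t]+sm_module[ \t]/ { module = 1 }
    /^[ \t]*SmInitFile[ \t]/                { initfile = 1 }
    /^[ \t]*<Directory[ \t]/  { dir = $2; gsub(/[">]/, "", dir) }
    /^[ \t]*<\/Directory>/    { dir = "" }
    # Only directories under the agent install path used on this page.
    /^[ \t]*Options[ \t]/ && dir ~ /^\/opt\/siteminder\/webagent\// {
      for (i = 2; i <= NF; i++)
        if (($i == "Indexes" || $i == "+Indexes") && !seen[dir]++)
          print "LISTING " dir
    }
    END {
      if (!module)   print "MISSING LoadModule sm_module"
      if (!initfile) print "MISSING SmInitFile"
    }
  '
}

printf '%s\n' "$SAMPLE_CONF" | audit_sm_httpd_conf
```

To audit the real file, redirect it into the function: audit_sm_httpd_conf < /usr/local/apache2/conf/httpd.conf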

Now let's start the webserver and make sure the Webagent starts without any errors.

Edit the /usr/local/apache2/bin/apachectl file and add the Webagent environment settings so that they are loaded every time you restart the webserver.

if test -f /usr/local/apache2/bin/envvars; then
  . /usr/local/apache2/bin/envvars
  # Added line: load the Webagent environment on every start/restart
  . /opt/siteminder/webagent/ca_wa_env.sh
fi

Start the webserver

/usr/local/apache2/bin/apachectl start 

Check the webserver logs to make sure the Siteminder Webagent started without any errors

 [07/Feb/2014:22:14:03] [Info] [CA WebAgent LLAWP] [11936] [LLAWP Monitor: LLAWP has been started.]
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
 [07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Created semaphore 622593 using key 0x6b087048
 [07/Feb/2014:22:25:50] [Info] [CA WebAgent IPC] [11954] [CSmSharedSegment::smalloc] Attached to shared memory segment 16810005 using key 0x69087048
 [07/Feb/2014:22:25:50] [Information] SiteMinder Agent
 SiteMinder agent is running.
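
One way to automate this log check (an added example, not from the original post): the function below confirms the two startup messages seen above and flags any entry whose level is not Info or Information. The function name, the constructed sample lines and that flagging rule are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed from the log format shown above;
# the function name and the rule "flag anything that is not Info" are assumptions.
SAMPLE_LOG='[07/Feb/2014:22:14:03] [Info] [CA WebAgent LLAWP] [11936] [LLAWP Monitor: LLAWP has been started.]
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Created semaphore 622593 using key 0x6b087048
[07/Feb/2014:22:25:50] [Information] SiteMinder Agent
SiteMinder agent is running.'

# Reads an agent log on stdin, prints a one-line summary on stdout and the
# flagged entries on stderr. Exit status is 0 only when LLAWP started, the
# agent reported running, and no entry had a level other than Info/Information.
check_agent_startup() {
  awk '
    /LLAWP has been started/      { started = 1 }
    /SiteMinder agent is running/ { running = 1 }
    /^[ \t]*\[/ {
      # Entry layout: [timestamp] [Level] ...; continuation lines have no "[".
      n = split($0, field, /\][ \t]*\[/)
      if (n < 2) next
      level = field[2]
      sub(/\].*/, "", level)
      if (level != "Info" && level != "Information") {
        flagged++
        print "flagged: " $0 > "/dev/stderr"
      }
    }
    END {
      printf "llawp_started=%d agent_running=%d flagged=%d\n", started, running, flagged
      exit !(started && running && flagged == 0)
    }
  '
}

printf '%s\n' "$SAMPLE_LOG" | check_agent_startup
```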

In the following post, http://mytechreference.com/ca-siteminder-protecting-web-application-part-2, I will be configuring objects on the policy server to protect this URL/application: http://webone.mysitea.com:82

 

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.