by IDAMGroup
CA Siteminder Protecting Web Application Part 1
Protecting a simple web application using CA Siteminder r12.51
In this blog I will take you through the steps required to protect your web application using CA Siteminder r12.51.
Product Versions
- Policy Server : CA Siteminder r12.51
- Webagent : ca-wa-12.51-linux.bin
- Webserver : Apache/2.4.7
- UserStore : CA Directory
Webserver Details
Hostname: WebOne
WebServer Root: /usr/local/apache2
Virtual host entry in the httpd.conf
<VirtualHost 10.10.103.89:82>
    DocumentRoot /usr/local/apache2/htdocs/myecorp/
    ServerName WebOne.mysitea.com
</VirtualHost>
The simple static page I am going to protect is served at http://webone.mysitea.com:82
For Siteminder installation there is a cool video on YouTube: http://www.youtube.com/watch?v=lOd35Iyc_h0
Webagent installation on Suse Enterprise Linux SP11.
- Execute the Webagent binary #ca-wa-12.51-linux.bin
- Click Next and scroll down and accept the agreement and click Next
- Specify the Siteminder Webagent installation path and Click Next
- Click Install to start the Webagent installation.
- Now you have successfully completed the installation and are ready to configure the Webagent.
After installation of Webagent execute the ca_wa_env.sh under #/opt/siteminder/webagent/ to set the webagent environment variable.
- Now, before you start configuring the Webagent, you need to create the below 2 things in the Siteminder Policy Server.
- Create ACO ( Agent Configuration Object)
- Create HCO (Host Configuration Object)
Host Configuration Object
Agent Configuration Object
Let's go and configure the Webagent by executing the following on the webserver: WebOne:/opt/siteminder/webagent #ca-wa-config.sh
- Since we are configuring webagent for the first time in this webserver, click yes to do Host registration.
- Provide the Siteminder Administrative credentials
- Provide the name of the host to be registered in the Policy Server
- Then provide the HCO value as “WebOne_HCO” which we have created already.
- This host name will be registered in the Trusted Host section of the Policy Server as below after the Webagent configuration is completed.
- Provide the Policy Server IP address. You can add multiple Policy Server addresses to provide High Availability.
- Select the FIPS Compatibility Mode and click Next
- Accept the default location to store the Host Configuration file or provide your custom location.
- The next 5 steps select your webserver type. I am using the Apache web server
- Root path of my web server
- Version 2.4.7
- Apache software foundation
- By this time it read my version as 2.4.7
- Now provide the ACO name “WebOne_ACO”, which we created at the beginning.
- Next, choose the type of SSL to configure for this Apache webserver. I am not doing SSL for this scenario, so I selected “No advanced authentication”
- Enable the Webagent by selecting “Yes”
- Confirm and click install to get started.
- Here you go: we have now configured the Webagent successfully on the “WebOne” host
- Webagent updates the httpd.conf file by adding the required Siteminder Modules and Directives as below
LoadModule sm_module "/opt/siteminder/webagent/bin/libmod_sm24.so"
SmInitFile "/usr/local/apache2/conf/WebAgent.conf"

Alias /siteminderagent/pwcgi/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
    Options Indexes MultiViews ExecCGI
    AllowOverride None
    Require all granted
</Directory>

Alias /siteminderagent/pw/ "/opt/siteminder/webagent/pw/"
<Directory "/opt/siteminder/webagent/pw/">
    Options Indexes MultiViews ExecCGI
    AllowOverride None
    Require all granted
</Directory>

Alias /siteminderagent/ "/opt/siteminder/webagent/samples/"
<Directory "/opt/siteminder/webagent/samples/">
    Options Indexes MultiViews
    AllowOverride None
    Require all granted
</Directory>
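To review what these additions change, the following added example (not from the original post or from CA) checks that the module and SmInitFile paths exist and lists each <Directory> block that Apache's own access control opens to all clients, together with its Options. The function names are hypothetical and the sample conf is copied from the directives above.

```sh
#!/bin/sh
# Added example, not from the original post: review the agent's httpd.conf
# additions. The conf path is passed as $1; function names are hypothetical.

# Print every file named by "LoadModule sm_module" or "SmInitFile" that is
# missing on disk.
sm_missing_files() {
    awk '$1 == "LoadModule" && $2 == "sm_module" { print $3 }
         $1 == "SmInitFile"                      { print $2 }' "$1" |
    tr -d '"' |
    while read -r f; do
        [ -e "$f" ] || echo "$f"
    done
}

# Print "<path> options=<Options>" for each <Directory> block that Apache's
# own access control opens to all clients ("Require all granted").
sm_open_dirs() {
    awk '
        /^[ \t]*<Directory /         { dir = $2; gsub(/[">]/, "", dir); opts = ""; granted = 0 }
        /^[ \t]*Options /            { opts = $0; sub(/^[ \t]*Options[ \t]+/, "", opts) }
        /^[ \t]*Require all granted/ { granted = 1 }
        /^[ \t]*<\/Directory>/       { if (granted) print dir " options=" opts }
    ' "$1"
}

# Sample copied from the directives shown above (one alias block only).
sm_write_conf() {
    cat > "$1" <<'EOF'
LoadModule sm_module "/opt/siteminder/webagent/bin/libmod_sm24.so"
SmInitFile "/usr/local/apache2/conf/WebAgent.conf"
Alias /siteminderagent/ "/opt/siteminder/webagent/samples/"
<Directory "/opt/siteminder/webagent/samples/">
    Options Indexes MultiViews
    AllowOverride None
    Require all granted
</Directory>
EOF
}

tmp=$(mktemp)
sm_write_conf "$tmp"
sm_open_dirs "$tmp"       # the samples directory, with Indexes enabled
sm_missing_files "$tmp"   # lists any referenced path absent on this host
rm -f "$tmp"
```

On the webserver itself, pass /usr/local/apache2/conf/httpd.conf (or wherever your httpd.conf lives) instead of the sample file.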
Now let's start the webserver and make sure the Webagent starts without any error.
Edit the /usr/local/apache2/bin/apachectl file and add the Webagent environment script so that it is loaded every time you restart the webserver.
if test -f /usr/local/apache2/bin/envvars; then
. /usr/local/apache2/bin/envvars
. /opt/siteminder/webagent/ca_wa_env.sh
fi
Start the webserver
/usr/local/apache2/bin/apachectl start
Check the webserver logs to make sure the Siteminder Webagent started without any errors
[07/Feb/2014:22:14:03] [Info] [CA WebAgent LLAWP] [11936] [LLAWP Monitor: LLAWP has been started.]
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Created semaphore 622593 using key 0x6b087048
07/Feb/2014:22:25:50] [Info] [CA WebAgent IPC] [11954] [CSmSharedSegment::smalloc] Attached to shared memory segment 16810005 using key 0x69087048
[07/Feb/2014:22:25:50] [Information] SiteMinder Agent SiteMinder agent is running.
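A startup check over this log, as an added example that is not part of the original post: it confirms the "agent is running" entry, counts error-level entries, and reports any semaphore key that was logged as non-existent but never created afterwards. The log path argument, the function names and the Error/Fatal/Critical level names are assumptions; the sample lines are constructed from the format shown above.

```sh
#!/bin/sh
# Added example, not from the original post: triage a Web Agent startup log.
# Assumptions: log path is passed as $1; the Error/Fatal/Critical level names
# are hypothetical (only [Info] and [Information] appear on the page).

# Prints "running=N errors=N unresolved_sem=N" and returns
#   0 = agent reported running and nothing to review
#   1 = no "agent is running" entry
#   2 = error-level entries, or a semaphore key that was never created
#   3 = log file not readable
sm_agent_status() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 3; }

    running=$(grep -c 'SiteMinder agent is running' "$log" || true)
    # The level is the second bracketed field: [timestamp] [Level] ...
    errors=$(grep -Ec '^\[?[^]]+\] \[(Error|Fatal|Critical)\]' "$log" || true)
    # In the page's log each "non-existent semaphore" key is later "Created";
    # count keys for which that follow-up never appears.
    unresolved=$(awk '
        /Attempted to attach to non-existent semaphore with key/ { pend[$NF] = 1 }
        /Created semaphore .* using key/ { delete pend[$NF] }
        END { n = 0; for (k in pend) n++; print n }' "$log")

    echo "running=$running errors=$errors unresolved_sem=$unresolved"
    [ "$running" -gt 0 ] || return 1
    [ "$errors" -eq 0 ] && [ "$unresolved" -eq 0 ] || return 2
    return 0
}

# Constructed sample: three entries in the format shown in the log above.
sm_write_sample() {
    cat > "$1" <<'EOF'
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Attempted to attach to non-existent semaphore with key 0x6b087048
[07/Feb/2014:22:14:04] [Info] [CA WebAgent IPC] [11937] [CSmSem::getSem] Created semaphore 622593 using key 0x6b087048
[07/Feb/2014:22:25:50] [Information] SiteMinder Agent SiteMinder agent is running.
EOF
}

tmp=$(mktemp)
sm_write_sample "$tmp"
sm_agent_status "$tmp"   # running=1 errors=0 unresolved_sem=0
rm -f "$tmp"
```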
In the following post, http://mytechreference.com/ca-siteminder-protecting-web-application-part-2, I will be configuring objects on the Policy Server to protect this URL/application: http://webone.mysitea.com:82
---------------------------------------------------------------------------------------------------------------------------------------------
Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.