SPECTRUM SiteMinder Integration Guide Document 5183

Notice

This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product") is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time.

This Product may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Product is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the Software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Software are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the Software is limited to the period during which the license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Product have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS PRODUCT "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS PRODUCT, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of this Product and any product referenced in the Documentation is governed by the end user's applicable license agreement.

The manufacturer of this Product is CA.

This Product is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7013(c)(1)(ii), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2007 CA. All rights reserved.

Contents

Preface
    Audience
    Organization
    Text Conventions
    SPECTRUM Documentation
    Document Feedback
Chapter 1: Integration
    Overview
        How SPECTRUM OneClick Is Integrated with SiteMinder
        About SPECTRUM User Models
    Configure OneClick Web Server Parameters in Policy Server
        Access the SiteMinder Administration Window
        Create a SPECTRUM OneClick Host Configuration Object
        Create a SPECTRUM OneClick Custom Agent Type
        Create a SPECTRUM OneClick Custom Agent
        Create a SPECTRUM OneClick Realm
    Configure OneClick Web Server Host Registration Settings
        Register the OneClick Web Server with the SiteMinder Policy Server
        Configure OneClick Web Server Settings
        Test and Enable/Disable the Integration
Chapter 2: Troubleshooting
    Debugging Options
    If You Are Required to Disable the Integration in the web.xml File
    If You Must Re-Register the SPECTRUM OneClick Web Server
    Specific Problems and Solutions
        Host Registration Fails
        Authentication Server (Policy Server) Cannot Be Contacted
        Prompted for SPECTRUM Log On Credentials When Invoking OneClick Console
        Cannot Access the Disable Integration Option in Single Sign-On Configuration
        Application Web Agents Ignore OneClick Single Sign-On Tokens
Index

Preface

Content

• Audience

• Organization

• Text Conventions

• SPECTRUM Documentation

• Document Feedback

Audience

This manual is intended for administrators who want to integrate SPECTRUM OneClick with CA eTrust SiteMinder. Administrators should be familiar with SPECTRUM OneClick, SiteMinder single sign-on concepts and capabilities, and SiteMinder Policy Server configuration tasks.

Organization

This document is organized as follows:

• Chapter 1, “Integration,” on page 7 describes how to configure SPECTRUM OneClick web server parameters on the SiteMinder Policy Server and how to configure connection parameters for SiteMinder integration in OneClick.

• Chapter 2, “Troubleshooting,” on page 19 describes potential integration problems and solutions.

Text Conventions

The following text conventions are used in this document where applicable:

• Element: Variables (the user supplies a value for the variable)
  Convention used: Courier and Italic in angle brackets (<>)
  Example: Type the following: DISPLAY=<workstation name>:0.0 export display

• Element: The directory where you installed SPECTRUM or OneClick (the user supplies a value for the variable)
  Convention used: <$SPECROOT>
  Example: Navigate to: <$SPECROOT>/app-defaults

• Element: Linux, Solaris, and Windows directory paths
  Convention used: Unless otherwise noted, directory paths are common to all operating systems, with the exception that slashes (/) should be used in Linux and Solaris paths, and backslashes (\) should be used in Windows paths.
  Example: <$SPECROOT>/app-defaults on Linux and Solaris is equivalent to <$SPECROOT>\app-defaults on Windows.

• Element: On-screen text
  Convention used: Courier
  Example: The following line displays: path="/audit"

• Element: User-typed text
  Convention used: Courier Bold
  Example: Type the following path name: C:\ABC\lib\db

• Element: Cross-references
  Convention used: Underlined and hypertext-blue
  Example: See “Document Feedback”.

• Element: References to SPECTRUM documents (title and number)
  Convention used: Italic
  Example: OneClick Console User Guide (5130)

SPECTRUM Documentation

The SPECTRUM documentation set is available online at:

http://support.concord.com/support/secure/products/Spectrum_Doc/

Use this site to download the latest documentation updates and additions. To log on to the documentation site, you must supply your contract number and license number.

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

Chapter 1: Integration

Overview

The SPECTRUM SiteMinder integration enables SPECTRUM OneClick to use SiteMinder single sign-on security management capabilities to authenticate SPECTRUM users and users of applications (CA Portal and eHealth Reports, for example) that are integrated with SPECTRUM.

How SPECTRUM OneClick users experience single sign-on in the integrated application environment:

• Users are not prompted for log on credentials when they invoke OneClick Console from the SPECTRUM OneClick main web page.

• Users logged on to the CA Portal are able to invoke OneClick Console without having to explicitly log on to OneClick.

• Users can invoke eHealth Reports (Solaris version only) from OneClick if OneClick and eHealth have been integrated and the user is a valid eHealth user. See the eHealth SPECTRUM Integration User Guide (5177) for more information.

How SPECTRUM OneClick Is Integrated with SiteMinder

You complete the following procedures to integrate SPECTRUM OneClick with SiteMinder:

1. Configure required SPECTRUM OneClick web server parameters on the SiteMinder Policy Server. See “Configure OneClick Web Server Parameters in Policy Server” on page 8 for details.

2. Register the OneClick web server as a trusted host with Policy Server using the Administration Pages option from the OneClick home page. See “Configure OneClick Web Server Host Registration Settings” on page 12 for details.

About SPECTRUM User Models

Before users can access OneClick in a single sign-on environment, they must have user models created for them in SPECTRUM. If you require information on how to create user models, see the following SPECTRUM manuals:

• OneClick Administration Guide (5166)

• Security and User Maintenance (2602)

Configure OneClick Web Server Parameters in Policy Server

This section describes procedures for setting up the following SPECTRUM OneClick integration components in Policy Server:

• SPECTRUM OneClick host configuration object

• SPECTRUM OneClick custom agent type

• SPECTRUM OneClick custom agent

• SPECTRUM OneClick realm

Note: See SiteMinder Help if you require more information on Policy Server concepts and components referenced but not covered in detail in this section.

Access the SiteMinder Administration Window

The SiteMinder Administration window is the user interface to the SiteMinder Policy Server.

To access the SiteMinder Administration window

1. Access the Main Policy Server web page using the URL provided by SiteMinder administration personnel.

2. Click Administer Policy Server.

The SiteMinder Administration Login window opens.

3. Log on as a Policy Server administrator for the domain specified in the Main Policy Server web page address using credentials provided by SiteMinder administration personnel.

The SiteMinder Administration window opens.

Create a SPECTRUM OneClick Host Configuration Object

When you create a SPECTRUM OneClick web server host configuration object, you specify the parameters the SPECTRUM OneClick web server host uses when it connects to the SiteMinder Policy Server.

To create a SPECTRUM OneClick host configuration object

1. From the System tab, select Host Conf Objects.

2. Select the DefaultHostSettings object in the Host Conf Object list, and then select Edit, Duplicate Configuration Object.

The SiteMinder Host Configuration Object Dialog box opens.

3. Use the default object as a template for the new object. Specify the following configuration settings:

• Name — spectrum_oneclick_server

• EnableFailOver — YES

The configuration should look like the example in Figure 1-1.

Figure 1-1: Host Configuration Object Properties

4. Click Add to save the new object, and then click OK.

Create a SPECTRUM OneClick Custom Agent Type

The SPECTRUM OneClick custom agent type defines the actions that can be performed by the SPECTRUM OneClick custom agent.

Note: Make sure the View, Agent Types option is selected.

To create a SPECTRUM OneClick custom agent type

1. From the System tab, select Agent Types.

2. From the Edit menu, select Create Agent Type.

The SiteMinder Agent Type Dialog box opens.

3. Specify the following configuration settings:

• Name — SPECTRUM OneClick Custom agent

• Actions — Define an action as follows:

a. Under the Agent Type Definition tab, click Create (under the Actions box).

The New Agent Action box opens.

b. Enter “authenticate” and click OK.

The action name appears in the Actions list.

The configuration should look like the example in Figure 1-2.

Figure 1-2: Agent Type Properties

4. Click OK to save the new agent type.

Create a SPECTRUM OneClick Custom Agent

The SPECTRUM OneClick custom agent enforces the Policy Server actions on the SPECTRUM OneClick web server.

To create a SPECTRUM OneClick custom agent

1. From the System tab, select Agents.

2. From the Edit menu, select Create Agent.

The SiteMinder Agent Dialog box opens.

3. Specify the following configuration settings:

• Name — SPECTRUM OneClick Custom Agent

• Agent Type — SiteMinder selected, SPECTRUM OneClick Custom Agent selected from the drop-down list

• Support 4.x agents — Deselected

The configuration should look like the example in Figure 1-3.

Figure 1-3: Agent Properties

4. Click OK to save the new agent.

Create a SPECTRUM OneClick Realm

The SPECTRUM OneClick realm specifies the resources on the SPECTRUM OneClick web server that are protected and that require single sign-on authentication to be accessed.

When deploying single sign-on for SPECTRUM OneClick and applications with which it is integrated, the SPECTRUM OneClick realm and the other application realms should be included in the same domain object. Also, the domain object’s user store should include users who require access to SPECTRUM OneClick.

To create a SPECTRUM OneClick realm for a domain

1. From the Domain tab, expand the icon for domain for which you want to create the SPECTRUM OneClick realm.

2. Select Realms, and then select Edit, Create Realm.

The SiteMinder Realm Dialog box opens.

3. Specify the following configuration settings:

• Name — SPECTRUM OneClick

• Agent — SPECTRUM OneClick Custom Agent

• Resource Filter — /spectrum/

• Default Resource Protection — Protected

The configuration should look like the example in Figure 1-4.

Figure 1-4: Realm Properties

4. Click OK to save the new realm.

Configure OneClick Web Server Host Registration Settings

This section includes configuration procedures for setting up log on authentication by SiteMinder for users who access OneClick.

Register the OneClick Web Server with the SiteMinder Policy Server

This section describes how to register the SPECTRUM OneClick web server as a trusted host in the Policy Server. The term trusted host refers to the machine where the web server is located.

When you register the web server host, initialization parameters that enable the host to connect to the Policy Server are saved to a local configuration file, SmHost.conf. Once the host connects to the Policy Server, the host uses the settings specified in the host configuration object created for it in Policy Server.

To register OneClick web server host as a trusted host

1. Access the OneClick home page.

2. Click the Administration link.

The Administration Pages menu appears.

3. Select the Single Sign-On Configuration option.

The Single Sign-On Configuration form appears.

4. Select the SITEMINDER option.

The SITEMINDER Configuration form appears.

5. Specify the following registration settings in the OneClick Host Registration section:

• Policy Server IP Address — The IP address of the Policy Server where you configured the SPECTRUM OneClick host configuration object.

• Policy Server Port — The Policy Server port number. The default port number is 44441.

• Policy Server Admin Username — The username of the SiteMinder administrator with privileges in the domain.

• Policy Server Admin Password — The SiteMinder administrator password.

• Trusted Host Name — The fully qualified domain name of the SPECTRUM OneClick web server host.

• Host Configuration Object — The SPECTRUM OneClick web server host object configured on the Policy Server (spectrum_oneclick_server).

The configuration should look like the example in Figure 1-5.

Figure 1-5: OneClick Host Configuration

6. Click Register.

Initialization parameters specified in the registration are saved to the SmHost.conf file. A new form with the “Successfully registered with the Policy Server” message appears. The form includes five different configuration panels where you can specify additional OneClick registration settings for the Policy Server.

Configure OneClick Web Server Settings

After you have registered the OneClick web server host with Policy Server, you can set additional parameters:

• In the Policy Server Settings panel, you can specify backup Policy Servers that have been set up for failover and the maximum amount of time (in seconds) the SPECTRUM OneClick web server should wait before it drops a connection request from an unresponsive Policy Server.

• In the OneClick Agent Settings panel, you must specify the OneClick web server agent and cookie domain parameters. You can also specify that the web server agent check IP addresses in cookies so it can reject unauthorized web server requests if the IP address stored in a cookie does not match the IP address of the requestor.

• In the Authentication Logging panel, you can specify whether to log authentication information to the Tomcat log file or another log file. You can also disable logging.

• In the SPECTRUM Authentication Failover panel, you can specify whether to allow SPECTRUM OneClick authentication when single sign-on authentication fails because the Policy Server cannot be reached. This means that SPECTRUM users would be able to log on to OneClick as they normally would without single sign-on.

These settings do not go into effect until you enable the integration and save the settings as described in “Test and Enable/Disable the Integration” on page 17.

Policy Server Settings

In the Policy Server Settings panel (Figure 1-6), you can specify one or more backup Policy Servers that have been configured for failover. The OneClick web server attempts to connect to a backup Policy Server if it determines the primary Policy Server (specified in the Registration form) is down.

Figure 1-6: Policy Server Settings Panel

You can also specify the timeout interval for connection requests by the OneClick web server to the Policy Server in the Policy Server Settings form. The OneClick web server drops the request if the Policy Server does not respond within the interval. The default interval is 60 seconds. You may want to increase the interval if your connection requests result in frequent drops in high-data traffic or slow network environments.

Note: The OneClick web server does not attempt to connect to a backup server after a request drop because a connection failure alone does not necessarily indicate that the primary server is down.

To configure backup Policy Server settings

• To add a backup server, enter the backup’s IP address and the backup’s server port number if it differs from the default port, 44441, and then click Add.

The backup server and port number are added to the Policy Servers box.

• To remove a backup, select the server entry in the Policy Servers box, and then click Remove.

The backup entry is removed from the Policy Servers box.

• To modify the Request Timeout interval, enter a new interval value.

OneClick Agent Settings

In the OneClick Agent Settings panel (Figure 1-7), you must specify web agent configuration settings for this trusted host (the SPECTRUM OneClick web server).

Figure 1-7: Custom Agent Settings Panel

To specify custom agent settings:

Configure the following settings:

• Agent Name — Enter the name of the SPECTRUM OneClick custom agent that was created in Policy Server.

• Cookie Domain — Enter the cookie domain for the OneClick web server agent. The domain value must be formatted as follows:

.your_company.com

• Cookie Domain Scope — Enter a cookie domain scope value. The default value is 2. The scope determines the number of sections, separated by periods, that make up the domain name. For example:

Scope = 0, the most specific scope for a given host. (Not supported in this release.)

Scope = 2, .your_company.com

Scope = 3, your_division.your_company.com

(A scope value of 1 is not allowed by the HTTP specification.)

• Persistent IP Check — Enable (Yes) or disable (No) the agent to check whether a single sign-on session token originates from an IP address that differs from the IP address where it was created. If the agent detects a mismatch, it denies the session request.
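The Cookie Domain and Cookie Domain Scope settings only work if users reach the OneClick web server by a host name that falls inside the configured domain; a mismatch produces the missing single sign-on token described in the Troubleshooting chapter. The following check is an added example, not code from CA or OneClick: the function names and the access URLs are constructed for illustration, and the leading dot on every derived domain is an assumption based on the required ".your_company.com" format.

```python
import ipaddress
from urllib.parse import urlsplit


def labels(domain):
    """Split a domain into its period-separated sections, ignoring a leading dot."""
    return [part for part in domain.lower().strip(".").split(".") if part]


def cookie_domain_for(host, scope):
    """Derive the cookie domain that a given scope selects for a fully qualified host."""
    if scope == 0:
        raise ValueError("scope 0 (host-specific) is not supported in this release")
    if scope < 2:
        raise ValueError("a scope of 1 is not allowed by the HTTP specification")
    parts = labels(host)
    if len(parts) < scope:
        raise ValueError(f"{host!r} has fewer than {scope} sections")
    return "." + ".".join(parts[-scope:])


def is_ip_literal(host):
    """True when the host part of the URL is an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def browser_sends_cookie(host, cookie_domain):
    """Cookie domain matching: the host equals the domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = ".".join(labels(cookie_domain))
    if is_ip_literal(host):
        return False  # a domain cookie is never sent to a bare IP address
    return host == domain or host.endswith("." + domain)


def check_access(url, cookie_domain, scope):
    """Return a list of problem codes; an empty list means the cookie reaches OneClick."""
    problems = []
    host = urlsplit(url).hostname or ""
    if len(labels(cookie_domain)) != scope:
        problems.append("scope-mismatch")   # domain sections do not equal the scope
    if is_ip_literal(host):
        problems.append("ip-address")       # users browse to an IP address
    elif "." not in host:
        problems.append("short-name")       # users browse to an unqualified host name
    elif not browser_sends_cookie(host, cookie_domain):
        problems.append("outside-domain")   # host is not under the cookie domain
    return problems


if __name__ == "__main__":
    # Constructed access URLs checked against the ".ca.com" / scope 2 setting.
    for url in (
        "http://oneclick.ca.com/spectrum/",
        "http://oneclick/spectrum/",
        "http://192.0.2.10/spectrum/",
        "http://oneclick.example.net/spectrum/",
    ):
        print(url, check_access(url, ".ca.com", 2) or "ok")
```

A scope of 2 makes the browser send the session cookie to every host under the company domain, while a scope of 3 limits it to hosts in one division, so choose the narrowest scope that still covers all integrated applications.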

Authentication Logging

In the Authentication Logging panel (Figure 1-8), you can enable verbose logging of authentication and authorization activities for all authentication requests. By default, log files are written to the Tomcat log file (stdout.log on Windows, Catalina.out on Linux/Solaris), but you can specify another file and location. Log files include information that can help you troubleshoot authentication and authorization problems. For example, the log indicates whether a user was authenticated properly in the Policy Server and whether a user had the appropriate role associated with a SPECTRUM user model for the OneClick application.

Note: Because of the large amount of information that is written to the log file, verbose logging should be enabled only as required for troubleshooting purposes and should not be enabled for an extended period of time. See Chapter 2, “Troubleshooting,” on page 19 for more information on other debugging/logging options.

To enable or disable authentication logging

• To enable logging to the Tomcat log, select YES.

• To enable logging to a specific file (not the Tomcat log), select YES and enter the full log file path and the log file name in the Log Filename box.

• To disable logging, select NO (default).

Figure 1-8: Authentication Logging Panel

SPECTRUM Authentication Failover

In the SPECTRUM Authentication Failover panel (Figure 1-9), you can specify whether users are able to log on to SPECTRUM OneClick as they normally would (no single sign-on) if the SPECTRUM OneClick web server connection to the Policy Server fails. You should not enable failover if your organization prefers that personnel access SPECTRUM OneClick only through single sign-on.

Note: SPECTRUM user passwords may differ from those used by Policy Server to authenticate those users.

Figure 1-9: SPECTRUM Authentication Failover Panel

To enable or disable authentication failover

• To enable authentication failover, select Enable.

User log on requests are authenticated by SPECTRUM if single sign-on fails. Users who have logged on to OneClick through single sign-on are prompted to provide SPECTRUM log on credentials when authentication failover occurs. Conversely, when a connection to the Policy Server is established, those users are prompted for single sign-on log on credentials.

• To disable authentication failover, select Disable (default).

User log on requests are not authenticated by SPECTRUM if single sign-on fails.

Test and Enable/Disable the Integration

In the Enable this integration to activate Single Sign-On panel (Figure 1-10), you should execute the integration test after you have set integration parameters and before you enable the integration. The test determines whether you configured connection parameters correctly and the test username and test password match an entry in the domain. If the test fails, you can reconfigure parameters and re-test.

When you enable the integration, you activate single sign-on integration in SPECTRUM OneClick. When you disable the integration, users are authenticated by the integrated applications they access from OneClick.

Figure 1-10: Enable and Test Integration

To test the integration configuration

1. Enter a username and password from the Policy Server's domain user directory in the Test Username box and Test Password box, respectively. SiteMinder administration personnel manage the user directory and provide the password used for single sign-on authentication.

Note: The username in the Policy Server user directory must match the username created in the applications (SPECTRUM, eHealth) the user plans to access.

2. Click Test.

If the test is successful, the following message appears:

“Successfully established connection with the Policy Server”

To enable/disable the integration

1. Enable or disable the integration.

• Select Enable and then click Save.

• Select Disable and then click Save.

You are prompted to restart Tomcat.

2. Click OK to restart Tomcat to apply the configuration, or click CANCEL to return to the Single Sign-On Configuration page without applying the configuration.

Note: See Chapter 2, “Troubleshooting,” on page 19 for potential solutions to any problems you encounter testing, enabling, and implementing the integration.

Chapter 2: Troubleshooting

This section provides solutions to problems you may encounter with the integration. If you cannot find a solution in this section to your particular problem or you need additional assistance, contact Technical Support.

Debugging Options

OneClick provides multiple debugging options that can help you pinpoint problems with the integration.

• Users cannot log on to the OneClick main web page.

You can enable logging of authentication activities to the Tomcat log (stdout.log on Windows, catalina.out on Linux/Solaris) using the Authentication Logging option in Single Sign-On Configuration. Authentication logging indicates whether Policy Server is denying a user access to SPECTRUM OneClick or if the user role is not being retrieved from SPECTRUM. See “Authentication Logging” on page 16 for information on enabling/disabling logging.

• The OneClick web server cannot connect to Policy Server during single sign-on configuration.

You can enable logging of information about integration parameters to the Tomcat log (stdout.log on Windows, catalina.out on Linux/Solaris) by enabling the Web Server Debug Page (Runtime)/Single Sign-On Integration option available from the Debugging link on the Administration page.

• Particular users cannot access the OneClick Console from the OneClick main web page without being prompted for credentials.

You can enable the Debug Console for Single Sign-On in the OneClick Console. It provides information about single sign-on token recognition. You can also enable this option directly in the oneclick.jnlp file as described in “Prompted for SPECTRUM Log On Credentials When Invoking OneClick Console” on page 21.

If You Are Required to Disable the Integration in the web.xml File

In some troubleshooting scenarios where you cannot access Single Sign-On Configuration from the Administration link in the OneClick main web page and you want to disable the integration, you must disable the integration in the web.xml file.

To disable the integration in the web.xml file

1. Stop SPECTRUM OneClick Tomcat.

2. Open the <$SPECROOT>/tomcat/webapps/spectrum/WEB-INF/web.xml file with a text editor, and then find the following element:

<auth-method>EXTERNALSSO</auth-method>

3. Change the element content:

<auth-method>BASIC</auth-method>

4. Restart Tomcat.

The integration is disabled.
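Steps 2 and 3 can be scripted so that the edit is only made when the file is in the expected state, and the same helper can report which authentication method is currently in effect. This is an added example, not part of the CA documentation: the function names and the sample web.xml fragment are constructed, and Tomcat must still be stopped and restarted as in steps 1 and 4.

```python
import re
import shutil

# Matches an <auth-method> element and captures its value separately.
AUTH_METHOD = re.compile(r"(<auth-method>\s*)([^<]*?)(\s*</auth-method>)")
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed sample: a commented-out element plus the live one inside <login-config>.
SAMPLE_WEB_XML = """<web-app>
  <!-- <auth-method>FORM</auth-method> -->
  <login-config>
    <auth-method>EXTERNALSSO</auth-method>
  </login-config>
</web-app>
"""


def live_auth_methods(text):
    """Return the <auth-method> matches that are not inside an XML comment."""
    comment_spans = [m.span() for m in COMMENT.finditer(text)]
    return [
        m for m in AUTH_METHOD.finditer(text)
        if not any(start <= m.start() < end for start, end in comment_spans)
    ]


def current_auth_method(text):
    """Return the single active auth-method value, or raise if it is ambiguous."""
    matches = live_auth_methods(text)
    if len(matches) != 1:
        raise ValueError(f"expected one active <auth-method>, found {len(matches)}")
    return matches[0].group(2)


def set_auth_method(text, expected, new):
    """Replace the active auth-method value, but only if it currently equals `expected`."""
    current = current_auth_method(text)
    if current != expected:
        raise ValueError(f"auth-method is {current!r}, not {expected!r}; file left unchanged")
    start, end = live_auth_methods(text)[0].span(2)
    return text[:start] + new + text[end:]


def disable_integration(web_xml_path):
    """Back up web.xml, then switch EXTERNALSSO to BASIC as in steps 2 and 3."""
    with open(web_xml_path, encoding="utf-8") as handle:
        original = handle.read()
    updated = set_auth_method(original, "EXTERNALSSO", "BASIC")
    shutil.copy2(web_xml_path, web_xml_path + ".bak")  # keep the pre-change copy
    with open(web_xml_path, "w", encoding="utf-8") as handle:
        handle.write(updated)


if __name__ == "__main__":
    print("before:", current_auth_method(SAMPLE_WEB_XML))
    changed = set_auth_method(SAMPLE_WEB_XML, "EXTERNALSSO", "BASIC")
    print("after: ", current_auth_method(changed))
```

Running current_auth_method against the deployed file on a schedule also shows when the server has been switched away from EXTERNALSSO outside the Single Sign-On Configuration page.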

If You Must Re-Register the SPECTRUM OneClick Web Server

In some troubleshooting scenarios (for example, the current registration is invalid), you may have to remove the current registration and re-register the SPECTRUM OneClick web server with the SiteMinder Policy Server.

To re-register the web server

1. Stop SPECTRUM OneClick Tomcat.

2. Remove the Trusted Host Name for the server from the Policy Server. See Policy Server Help for more information.

3. Remove the <$SPECROOT>/custom/sso directory.

4. Specify SPECTRUM OneClick Authentication in the web.xml file. See “If You Are Required to Disable the Integration in the web.xml File” on page 19 for more information.

5. Restart Tomcat.

6. Register the web server as described in “Configure OneClick Web Server Host Registration Settings” on page 12.

Specific Problems and Solutions

This section describes specific problems with SPECTRUM SiteMinder integration and recommended procedures for solving the problems.

Host Registration Fails

Valid on Linux, Solaris, and Windows

Symptom:

• When you test the registration, an error message indicates that the SPECTRUM OneClick web server was unable to connect to the Policy Server.

• When you test the registration, an error message indicates that the SPECTRUM OneClick web server was able to connect to the Policy Server, but the login credentials were invalid.

Solution:

If you received an “invalid credentials” message, make sure the username and the password you specified in Single Sign-on Configuration are correctly configured in SiteMinder. Consult the SiteMinder/Policy Server administrator for assistance.

If you received an “unable to connect” message, make sure the Policy Server is up and running and then check settings in Single Sign-on Configuration and Policy Server.

Single Sign-on Configuration:

• Make sure Policy Server IP Address and Policy Server Port settings are correct.

• Make sure Policy Server Admin Username and Policy Server Admin Password settings are correct. Also make sure the credentials provide administrative privileges.

Policy Server:

• Make sure the SPECTRUM OneClick host configuration object has been correctly created on the Policy Server.

• Make sure the name you specified in Single Sign-on Configuration for the Trusted Host Name setting is not a duplicate of a name already included as a Trusted Host in the Policy Server. If it is a duplicate, use another name or delete the name in Policy Server and retry the registration.

Authentication Server (Policy Server) Cannot Be Contacted

Valid on Linux, Solaris, and Windows

Symptom:

An error message states that the authentication server cannot be contacted when a user attempts to invoke OneClick Console.

Solution:

• Make sure the Policy Server is up and running.

• If the message mentions that the user failed to authorize, do the following:

1. On the Single Sign-On Configuration page, set Log File to “YES” and Save.

2. Look at the Tomcat log after the user attempts to log on. The log indicates whether the Policy Server is denying the user or whether the user role is not being retrieved from SPECTRUM.

Prompted for SPECTRUM Log On Credentials When Invoking OneClick Console

Valid on Linux, Solaris, and Windows

Symptom:

Even though the integration is enabled, the user is prompted for a SPECTRUM user name and password when attempting to invoke the OneClick Console from the OneClick main web page.


Solution:

There is probably an error in the communication of Single Sign-On parameters to OneClick from the web server. To display how Single Sign-On information is being transferred, enable OneClick to display the java debug console.

To enable the java debug console in OneClick

1. Edit the JNLP file (located at $SPECROOT/tomcat/webapps/spectrum/oneclick.jnlp).

2. Find the following line:

<!--<argument>-debug Poller=on</argument> -->

3. Add the following line below it:

<argument>-debug SSOConsoleDebug=on</argument>

4. Launch into the OneClick console with the java debug console displayed.

If you detect that the -ssoToken parameter is not being passed or it does not have a value associated with it, there is a problem with how your Single Sign-On cookies are being written. Make sure your cookie settings (located in the OneClick Agent Settings area of the Single Sign-On Configuration administration page) coincide with how you are accessing your OneClick web server.

Here is an example of an incorrect cookie setting that would produce the authentication problem:

• In the OneClick Agent Settings page, the cookie domain is set to “.ca.com” and the cookie scope is set to “2”. This means that cookies will be written to .ca.com in the browser.

• You access your web server using http://someuser/spectrum in your URL. This violates the cookie settings because “someuser” is out of scope with the .ca.com domain. Instead, you should use http://someuser.ca.com/spectrum to access your web server.
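
The mismatch described above can be checked before launching the console. The following is an added example, not part of the guide or of CA's software: it applies the browser's cookie domain-match rule (RFC 6265) to the access URL and the configured cookie domain. The function names, and the reading of cookie scope as the number of labels in the cookie domain, are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url):
    """Return the lower-cased host from the URL used to reach OneClick."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: exact host, or a dot-separated suffix of it."""
    domain = cookie_domain.strip(".").lower()
    if host == domain:
        return True
    # Suffix matching never applies to IP address literals.
    return host.endswith("." + domain) and not is_ip_literal(host)


def check_access_url(url, cookie_domain, cookie_scope):
    """Return a list of problems; an empty list means the settings agree."""
    host = host_of(url)
    labels = [part for part in cookie_domain.split(".") if part]
    problems = []
    if len(labels) != cookie_scope:
        # Assumption: scope counts the labels in the cookie domain,
        # which is how the guide's ".ca.com" / "2" pairing reads.
        problems.append(f"{cookie_domain!r} has {len(labels)} labels, scope is {cookie_scope}")
    if not domain_matches(host, cookie_domain):
        problems.append(f"host {host!r} is outside cookie domain {cookie_domain!r}")
    return problems


if __name__ == "__main__":
    # URLs and settings taken from the example in the guide.
    for url in ("http://someuser/spectrum", "http://someuser.ca.com/spectrum"):
        print(url, "->", check_access_url(url, ".ca.com", 2) or "OK")
```

A host reached by IP address or by an unqualified name fails this check, which matches the symptom of a missing -ssoToken value in the debug console.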

Cannot Access the Disable Integration Option in Single Sign-On Configuration

Valid on Linux, Solaris, and Windows

Symptom:

You cannot access the Single Sign-On Configuration page and disable the integration.

Solution:

The OneClick access authorization method is specified in the web.xml file. You can disable the integration (and restore standard SPECTRUM OneClick login access) by editing the <auth-method> element in the file. See “If You Are Required to Disable the Integration in the web.xml File” on page 19 for more information.


Application Web Agents Ignore OneClick Single Sign-On Tokens

SPECTRUM OneClick's implementation of SiteMinder uses its own customized agent, rather than an installed web server agent, to communicate with the SiteMinder policy server. If you are sharing single sign-on tokens between SPECTRUM OneClick and installed web agents of other applications, you may need to modify the agent configuration of each installed web agent to recognize, or not ignore, OneClick agent tokens.

Set the following web agent parameter from NO to YES for the other applications:

AcceptTPCookie=YES
