Configuring Siteminder 12.8.x and later with EEM 12.6


Article ID: 200895


Products

CA Process Automation Base SITEMINDER

Issue/Introduction

This document describes how to set up SiteMinder with Embedded Entitlements Manager (EEM) to enable the SiteMinder integration with EEM.

Environment

Used in this example integration:

  • Windows 2016
  • SiteMinder 12.8.x
  • EEM 12.6

Resolution

Pre-requisite info:

This document assumes you have the following installed:

  • EEM server 12.6
  • SiteMinder Policy Server and AdminUI 12.8.x
  • SiteMinder Access Gateway 12.8.x
  • A supported JDK for SiteMinder and EEM, per the Support Matrix of each product

This document assumes that you already have a SiteMinder environment up and running, with access to the AdminUI to create the objects.

In this document, CA Directory has been used as the user store and tested successfully. The same should work with any supported user directory within the SiteMinder Support Matrix.

Items on the agenda:

  • Configure the agent and host infrastructure
  • Configure the Access Gateway
  • Configure LDAP data mapping attributes in SiteMinder for user authentication
  • Configure the authentication scheme
  • Configure a policy for forms-based authentication
  • Configure the EEM server (for SSO)

From the SiteMinder AdminUI, configure a new agent, Agent Configuration Object and Host Configuration Object to be used to register the Access Gateway with the Policy Server.

Log in to the AdminUI and start by creating an agent. Note the agent name that is keyed in; in our example, 128agenteem has been used:

Next, create an Agent Configuration Object using the default “SPSDefaultSettings” template, enable the DefaultAgentName ACO parameter and set its value to the agent name created in the previous step. Keep all other parameters at their defaults. Note that you can enable the agent log and trace for troubleshooting purposes (refer to the SiteMinder documentation on how to enable agent log and trace):

Create the Host Configuration Object (HCO) to be used for the Access Gateway registration. Make sure you set the host to the Policy Server IP or FQDN:

After installing your Access Gateway on a supported platform, run the configuration wizard to register the Access Gateway with the Policy Server using the HCO, ACO and agent created in the previous steps.

Launch the installer and choose the option below to perform a host registration:

Enter the SiteMinder super user administrator name and password:

Enter the HCO you created in the AdminUI and provide a trusted host name for the registration:

Provide the IP of the Policy Server in the next steps.
Choose the FIPS mode corresponding to your Policy Server (FIPS compatibility is the default).
Provide the ACO created in the AdminUI, fill in the Apache listening ports as well as the Tomcat application server and AJP connector ports as shown below, and make sure you enable the agent when prompted:

Finally, review the summary of the entered details and click Install to complete the installation.
You may want to copy the configuration information from the last screen before clicking Install.

Open SPSinstallpath\server.conf for editing:

Add these three settings to the VirtualHostDefaults section of server.conf:

    enableproxypreservehost="yes"
    enableredirectrewrite="yes"
    redirectrewritablehostnames="ALL"

Save server.conf

Edit the proxyrules.xml file and add a case to forward requests to the EEM backend server.

To ensure the Access Gateway redirects correctly, open the proxyrules.xml file for editing.
In this example, the Access Gateway takes requests on host “eem.myapp.com”, which will be used from here on to access EEM once the integration is complete.

The case below triggers for any request arriving on “eem.myapp.com” over HTTPS and forwards it to the EEM backend server together with the resource and query data:

    <nete:case value="eem.myapp.com:443">
        <nete:forward>http://<EEM_host_here>$0</nete:forward>
    </nete:case>
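As an added check before restarting the gateway (this script is not part of the article or of the product's own tooling), the Python below parses a constructed server.conf VirtualHostDefaults block and a constructed proxyrules.xml and reports whether the three settings above are present with the expected values and whether the eem.myapp.com:443 case forwards with $0 appended, so the original resource path and query string actually reach EEM. The block layout of server.conf, the nete namespace URI http://www.ca.com/ and the backend host eem-backend.internal:5250 are assumptions and placeholders; replace the embedded samples with the real files to check a live gateway.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the VirtualHostDefaults block in server.conf after the
# three settings from the steps above have been added (block layout is assumed).
SERVER_CONF_OK = """\
<VirtualHostDefaults>
    enableproxypreservehost="yes"
    enableredirectrewrite="yes"
    redirectrewritablehostnames="ALL"
</VirtualHostDefaults>
"""

# Constructed sample with one setting wrong and one missing.
SERVER_CONF_BAD = """\
<VirtualHostDefaults>
    enableproxypreservehost="no"
    redirectrewritablehostnames="ALL"
</VirtualHostDefaults>
"""

# Constructed proxyrules.xml with the case from the steps above;
# eem-backend.internal:5250 is a placeholder for the real EEM host.
PROXYRULES_OK = """\
<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <nete:cond type="host">
    <nete:case value="eem.myapp.com:443">
      <nete:forward>http://eem-backend.internal:5250$0</nete:forward>
    </nete:case>
  </nete:cond>
</nete:proxyrules>
"""

# Constructed: case keyed on the bare host (no :443) and a forward without $0.
PROXYRULES_BAD = """\
<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <nete:cond type="host">
    <nete:case value="eem.myapp.com">
      <nete:forward>http://eem-backend.internal:5250</nete:forward>
    </nete:case>
  </nete:cond>
</nete:proxyrules>
"""

REQUIRED_VHOST_SETTINGS = {
    "enableproxypreservehost": "yes",
    "enableredirectrewrite": "yes",
    "redirectrewritablehostnames": "ALL",
}
NETE = "{http://www.ca.com/}"  # namespace of the nete:* elements (assumed URI)


def vhost_defaults(conf_text):
    """Return key -> value for the key="value" lines inside <VirtualHostDefaults>."""
    block = re.search(r"<VirtualHostDefaults>(.*?)</VirtualHostDefaults>", conf_text, re.S)
    settings = {}
    if block is None:
        return settings
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if kv:
            settings[kv.group(1).lower()] = kv.group(2)
    return settings


def check_server_conf(conf_text):
    """List required settings that are absent or do not carry the expected value."""
    found = vhost_defaults(conf_text)
    findings = []
    for key, expected in REQUIRED_VHOST_SETTINGS.items():
        actual = found.get(key)
        if actual is None:
            findings.append(f"{key} missing")
        elif actual.lower() != expected.lower():
            findings.append(f'{key}="{actual}", expected "{expected}"')
    return findings


def check_proxyrules(xml_text, eem_host="eem.myapp.com:443"):
    """Check that a case for eem_host exists and that its forward keeps $0."""
    root = ET.fromstring(xml_text)
    for case in root.iter(NETE + "case"):
        if case.get("value") != eem_host:
            continue
        fwd = case.find(NETE + "forward")
        target = (fwd.text or "").strip() if fwd is not None else ""
        if not target:
            return [f"case {eem_host} has no nete:forward"]
        if not target.endswith("$0"):
            return [f"forward {target} lacks $0, resource and query would be dropped"]
        return []
    return [f"no nete:case with value {eem_host}"]


if __name__ == "__main__":
    print("server.conf:", check_server_conf(SERVER_CONF_OK) or "OK")
    print("proxyrules.xml:", check_proxyrules(PROXYRULES_OK) or "OK")
```

The case value is matched on host and port together, so a case keyed on the bare host name would never fire for the HTTPS listener the article configures; the $0 check matters because without it the gateway forwards only the host, not the resource and query data the text says must reach EEM.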


Configure ldap data mapping attributes in Siteminder for user authentication

Open the SiteMinder AdminUI and modify the user directory previously created as per the prerequisites.
Add the UID and Password attributes as defined below. The CA Directory user store is used in this example; set these to the attributes corresponding to the directory type you are using:

Under the Attributes mapping list, create the object attributes EEM needs in order to work with SiteMinder.
Create a new attribute for each of the following:

This should be the end result:

Submit all changes.

Configure authentication scheme

While still in the Infrastructure tab of the SiteMinder AdminUI (WAM UI), create a new authentication scheme as shown below:

Create a Domain to protect the EEM Resource access (Domain, Realm, Rule, Policy)

Go to Policies -> Domains and create a Domain.
Attach the directory in question to your domain as shown below:

Next, create a realm as shown below, attach it to your Access Gateway agent protecting the / resource, and link the created authentication scheme to it:

Create a rule under the realm with the actions Get, Post, Put and Connect.
Click OK, then OK again until you have returned to the Create Domain screen:

Create a policy that allows all users and attach the rule to it as shown below:

Click OK, then Submit all changes for this policy.

At this point access to the website is protected from the root level ‘/’, so SiteMinder forms-based authentication steps in and shows the default forms authentication FCC. After a test user logs in, the Access Gateway redirects to the EEM application in the backend.

Configure EEM server for SSO

On the Infrastructure tab in the SiteMinder AdminUI, create a new Host Configuration Object to be used by the EEM SDK agent when communicating with SiteMinder, as shown below.
Create a copy of DefaultHostSettings once again:

Submit all changes.

Navigate to the EEM server’s %EIAM_HOME%\bin folder and note the new smreghost.bat file. Open a command prompt on the EEM server and change to this same location.
Run the smreghost utility to see its usage:

Run the command as shown. The -i argument is the Policy Server (not the EEM server):

Make sure that the Windows Firewall is disabled for the domain, or that rules are in place on every node involved; otherwise you will get the error “Failed to register any clusters”.

Once this succeeds, you will see a new SmHost.conf file in the %EIAM_HOME%\bin folder.
This file needs to be copied to the EEM home directory; otherwise you will need to modify its resource path to include the /bin folder.

Next, open the EEM Admin UI, navigate to Configure > EEM Server > SSO Server and enable the SSO server:

You should see a connection confirmation if the Policy Server is running.
The old integration, “Reference from CA Siteminder” or “Reference from an external LDAP directory”, is not required for the SSO integration to work, although the old method is still supported. Note that in this configuration EEM will not be able to view users under Manage Identities.

At this point the main implementation is complete. proxyrules.xml will still need to be modified with the specific embedding product’s URL links beyond the root. Editing proxyrules.xml and the cookie handling for specific applications are not covered in this document.

Below is a general picture of the deployment model:


Additional Information

Although this document states that the Access Gateway is required, a regular web server with a Web Agent and a proxy module of your choice can also be used to proxy the request to the backend EEM application. That setup is outside the scope of this document, however, and configuring the proxy and forward rules is vendor-specific.

Using the Access Gateway simplifies the configuration: its proxy engine ships out of the box along with the agent, so no additional third-party components are required.