AdminUI bound to more than one Policy Server

Article ID: 277973

Products

SITEMINDER

Issue/Introduction


When running the AdminUI, how can it be attached to more than one Policy Server?

Given a new Policy Server, can it be used with the existing AdminUI, which points to a different Policy Server on the same VDI?

Can the AdminUI be pointed to 2 different Policy Servers?

How can a single AdminUI be integrated with multiple Policy Servers?

 

Resolution


Yes, a single AdminUI can be attached to more than one Policy Server (1).

To do that, first set up an External Administrator Store (1):

"For the Administrative UI to connect to multiple Policy Servers, use an external administrator store. An external user store is a requirement for extra Policy Server connections. Create the administrator accounts for the administrator identities in the store. The accounts enable the Administrative UI to locate administrator records in the external store.

   [...omitted for brevity...]
   
Note: If the Administrative UI is using the policy store as its source of administrator identities, you cannot configure extra Policy Server connections."

That is why only the "Configure Administrative Authentication" menu is seen.

Bind the external store for the AdminUI by accessing the AdminUI through a Proxy Server, which can be CA Access Gateway (SPS) or a Web Agent on an Apache Reverse Proxy. Once the AdminUI is configured with the Proxy and a "Super Account" is configured to act as the SiteMinder one, the menu to add a Policy Server connection will be seen (2)(3).

Here are the generic step-by-step instructions to implement it, as a reference:

Protecting AdminUI with CA Access Gateway (SPS)
-----------------------------------------------

ps.example.com  : Policy Server and AdminUI
sps.example.com : CA Access Gateway (SPS)

On the AdminUI installation

# cp -p {/home_policy_server}/adminui/standalone/deployments/iam_siteminder.ear/policyserver.rar/META-INF/ra.xml {/home_policy_server}/adminui/standalone/deployments/iam_siteminder.ear/policyserver.rar/META-INF/ra.xml.orig

On the CA Access Gateway (SPS)

# nano -w {/home_sps}/proxy-engine/conf/proxyrules.xml

Add these lines:

    <nete:case value="/iam/siteminder/">
      <nete:forward>https://ps.example.com:8443$0</nete:forward>
    </nete:case>
    <nete:case value="/castylesr5.1.1/">
      <nete:forward>https://ps.example.com:8443$0</nete:forward>
    </nete:case>
    <nete:case value="/ca/">
      <nete:forward>https://ps.example.com:8443$0</nete:forward>
    </nete:case>
    
# cp -p {/home_sps}/proxy-engine/conf/server.conf {/home_sps}/proxy-engine/conf/server.conf.sav
# nano -w {/home_sps}/proxy-engine/conf/server.conf

Change:

# Default Virtual Host
<VirtualHost name="default">

requestblocksize="4"
responseblocksize="8"
hostnames="sps.example.com"
defaultsessionscheme="default"
enableredirectrewrite="no"
redirectrewritablehostnames=""
</VirtualHost>

to

# Default Virtual Host
<VirtualHost name="default">

requestblocksize="4"
responseblocksize="8"
hostnames="sps.example.com"
defaultsessionscheme="default"
enableredirectrewrite="yes"
redirectrewritablehostnames="ps.example.com"
</VirtualHost>

Open the AdminUI, and edit the CA Access Gateway (SPS) ACO:

 LogOffUri /iam/siteminder/SiteMinderLogout.jsp

Restart the CA Access Gateway (SPS);

Access the AdminUI through the CA Access Gateway (SPS):

c:\> start /B firefox https://sps.example.com/iam/siteminder/adminui

Log into AdminUI;

Click on Administration / Admin UI / Configure Administrative Authentication;
In "CA Single Sign-On agent" select the ACO of the CA Access Gateway (SPS);
Click "Next";
In "Directory Type", select "CA Directory";
Click "Next";
In "Host", write: <IP of the user store>
In "Port", write: <Port of the user store>
In "Username", write: <full DN of the account to access the user store>
In "Password", write the password of the above account;
Click "Next";
Click "Next"; 
In "Disabled State", select "carLicense";
Click "Next";
In "User Keyword", write the user you want to act as superuser, e.g. admin;
Click "Go";
Select one account;
Click "Next";
Click "Finish";

Wait for the AdminUI to restart completely.
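
A consistency check for the two SPS files edited in the steps above, added here as an example (it is not Broadcom's code): it confirms that every forward target in proxyrules.xml uses HTTPS and that its host is listed in redirectrewritablehostnames with enableredirectrewrite="yes". The function names are hypothetical, the sample inputs are constructed from the fragments in this article, and a comma-separated host list is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples mirroring the fragments shown in this article.
PROXYRULES = """
<nete:case value="/iam/siteminder/">
  <nete:forward>https://ps.example.com:8443$0</nete:forward>
</nete:case>
<nete:case value="/castylesr5.1.1/">
  <nete:forward>https://ps.example.com:8443$0</nete:forward>
</nete:case>
<nete:case value="/ca/">
  <nete:forward>https://ps.example.com:8443$0</nete:forward>
</nete:case>
"""
SERVER_CONF = """
<VirtualHost name="default">
hostnames="sps.example.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="ps.example.com"
</VirtualHost>
"""
# Captures (path prefix, forward URL) for each nete:case rule.
FORWARD_RE = re.compile(
    r'<nete:case\s+value="([^"]*)"\s*>\s*<nete:forward>\s*([^<\s]+)\s*</nete:forward>')

def virtualhost_settings(conf_text, name="default"):
    """Return the key="value" settings inside the named VirtualHost block."""
    block = re.search(r'<VirtualHost\s+name="%s"\s*>(.*?)</VirtualHost>' % re.escape(name),
                      conf_text, re.S)
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', block.group(1), re.M)) if block else {}

def check_proxy_config(xml_text, conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    vh = virtualhost_settings(conf_text)
    rewrite_on = vh.get("enableredirectrewrite", "").lower() == "yes"
    # Assumption: redirectrewritablehostnames holds a comma-separated host list.
    hosts = vh.get("redirectrewritablehostnames", "").split(",")
    rewritable = {h.strip().lower() for h in hosts if h.strip()}
    rules = FORWARD_RE.findall(xml_text)
    findings = [] if rules else ["no nete:forward rules found"]
    for prefix, url in rules:
        target = urlsplit(url.replace("$0", ""))  # $0 stands for the request URI
        if target.scheme != "https":
            findings.append(f"{prefix}: forward to {target.hostname} is not HTTPS")
        if not rewrite_on or (target.hostname or "") not in rewritable:
            findings.append(f"{prefix}: redirects from {target.hostname} are not rewritten")
    return findings

if __name__ == "__main__":
    print(check_proxy_config(PROXYRULES, SERVER_CONF) or "proxyrules.xml and server.conf agree")
```
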

 

Additional Information

 

  1. (Optional) Configure Additional Policy Server Connections for the Administrative UI
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-the-administrative-ui/optional-configure-additional-policy-server-connections-for-the-administrative-ui.html

  2. Protect the Administrative UI with SiteMinder
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html

  3. Configure an External Administrator Store
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/administrators/configure-an-external-administrator-store.html