How to configure APS (Advanced Password Services) Help Desk Interface (APSAdmin)

Article ID: 36068

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign-On SITEMINDER

Issue/Introduction

Introduction:

The Help Desk Interface (APSAdmin) is designed to be a highly flexible, very secure tool that can be used by your Help Desk personnel to reset passwords and enable/disable user accounts. It also has some more generic user view/update capabilities.

The following steps guide you through configuring the APS Help Desk Interface, starting with SiteMinder release r12.5 and higher.

Prerequisites:

  • APS is enabled on the Policy Server.
  • APS schema is created for all the user entries.
  • The virtual directory for Change Password (SmCPW) & Forgot Password (FPS) is already configured.
  • SmPortal.cfg is already configured (if not, steps for doing this are provided below).

Instructions:

1. Policy Database Configuration

    • Using the CA SiteMinder® Administrative UI (the Policy GUI), create a new Policy Domain called "APS Help Desk Interface".

    • Within the new Policy Domain, define a Realm named APSAdmin. This realm should be associated with the Agent or Agent Group corresponding to the Web Server(s) upon which this code was installed. Be sure to use this agent/agent group for this realm. The Resource Filter is /APSAdmin/. The Authentication Scheme is whatever is appropriate for your site.

      • Define a Rule within this Realm called "Help Desk Interface". The Resource will be APSAdmin*. The Action is GET and POST.

      • Define a Response called "Administrator Credentials". This response needs a single Attribute. This attribute needs to have a type of "WebAgent-HTTP-Header-Variable". Select "Static" as the Attribute Kind. The Variable Name field should be set to "APSAdmin". The Variable Value must contain a CA SiteMinder® Administrator name, followed by a semicolon, followed by that administrator's password. Note that this is a CA SiteMinder® Administrative UI administrator (the credentials used to log into the CA SiteMinder® Policy Server GUI, not into the Web Site). This administrator must be defined to CA SiteMinder® with "Manage Users" and "Manage System and Domain Objects" rights.

      • Create a Policy called "Help Desk Administration". Select those users that should have access to this interface. The "Help Desk Interface" rule defined above should be specified. The "Administrator Credentials" response should be tied to the rule.

2. Web Server Configuration (for illustration purposes, we will use an IIS 7.5 web server)

Define a virtual CGI directory for the directory that contains the APSAdmin CGI program.

      • Open IIS Manager (type "inetmgr.exe" in the Run window and press Enter).
      • Right-click the Default Web Site and select the Add Virtual Directory option. The virtual directory wizard opens.

        Specify the following:

        Alias : APSAdmin

        Physical path : <Web_Agent_Installation_Directory>\win32\bin\Web\APSAdmin

      • Click OK

 

Add ISAPI and CGI Restrictions for APSAdmin CGI    

      • Open IIS Manager and navigate to the server level.
      • Double Click on ISAPI and CGI Restrictions
      • From the Action menu click "Add" to add new restrictions

        Specify the following:

        ISAPI or CGI path : <Web_Agent_Installation_Directory>\win32\bin\Web\APSAdmin\APSAdmin.exe

        Description : APSAdmin

      • Click OK

 

Edit Feature Permissions for the Handler Mappings Feature for APSAdmin Virtual Directory

      • Open IIS Manager and navigate to the APSAdmin virtual directory level.
      • In the Features View, double-click Handler Mappings.
      • In the Actions pane, click Edit Feature Permissions.
      • In the Edit Feature Permissions dialog box, do the following:

        Select Read

        Select Scripts

        Select Execute

      • Click OK

 

Modify the default SmPortal.cfg file installed.

Note:

    • If you have already configured the Change Password (SMCPW) & Forgot Password (FPS) interfaces, the following steps have probably already been done.
    • The Help Desk Interface does not actually depend on the SmPortal.cfg configuration, but due to a bug in the APS code, the following settings must be configured before you can access the Help Desk Interface.
    • In a future release, these steps may no longer be necessary.

 

      • Edit the SmPortal.cfg file located in the <Web_Agent_Installation_Directory>\win32\bin folder.

Specify the following:

MyServer.ip = <Your Policy Server IP address>

By default, FPS is configured with a 4x agent named "FPS" with shared secret "secret".

Change Password is configured with a 4x agent named "SMCPW" with shared secret "secret".

Log in to the Administrative UI and create the matching 4x agents as below:

FPS Agent.png

SMCPW Agent.png

      • The final SmPortal.cfg should look like the following:

SmPortal.cfg.png

Smportal2.png

      • Validate the SmPortal.cfg configuration using the SmPortalVfy.exe tool located in the <Web_Agent_Installation_Directory>\win32\bin folder. It should report that the verification was successful, as below:

SmportalVerify.png

 

Testing & Verification:

 

1. Access Help Desk Interface UI

    e.g. http://<server.domain.com>/APSAdmin/APSAdmin.exe

2. Provide valid user credentials

3. Once the access to the interface is authorized, you will be prompted to enter the USER DN of the user which you want to manage.

    Enter the full user DN.

   

4. The next screen should show the User Information screen for the user.

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:
