Thursday, August 15, 2013

Key tool options deprecated in CA SiteMinder

The following options are deprecated in the latest SiteMinder version, r12.51:
createDB
This option is not being replaced and does not work with the accessLegacyKS argument. If a script uses this option:
– The option executes to maintain backwards compatibility, but does not create a smkeydatabase.
– A message states that the option is deprecated.

deleteDB
This option is deprecated. The removeAllCertificateData replaces this option.

changePassword
This option is not being replaced.

New features in Siteminder r12.51

The following are the new features in CA SiteMinder r12.51:
--> Internationalization
The Administrative UI can detect the locale that users have set in their web browser and present its pages in that language.

Support for user directories that contain users with non–English distinguished names.

Support for non–English operating systems, which includes installation on non–English paths.

Support for non–English characters in user names, policy, and configuration objects.

CA SiteMinder 12.51 Policy Server includes CA SiteMinder WSS extensions that were formerly only available in the CA SOA Security Manager Policy Server.


--> The Policy Server can now create open-format cookies.
--> An OAuth authentication scheme is now available from the Policy Server.
CA SiteMinder now provides web services for logging in a user and granting access to web resources.
--> The web services support the SOAP 1.2 protocol and an HTTP-based RESTful architecture.
--> Policy Server events can be recorded to the syslog.
--> For sensitive applications, users can be required to re-authenticate before access is granted.
--> Log files and command-line help are also available in other languages.
--> MS Passport authentication is no longer supported.
--> SMPS log data has been enhanced.
--> The NTLM authentication scheme is replaced by the Windows authentication scheme.

Wednesday, August 14, 2013

Siteminder Custom Login page

Below is the sample login code required to develop custom forms login pages:
 
@username=%USER%
@smretries=0

<html>

<head>
<title> Forms Login Page </title>
</head>

<body>

<form NAME="Login" METHOD="POST">

<b>Please Login</b>
      UserName: <input type="text" name="USER">
      Password: <input type="password" name="PASSWORD">

      <input type="hidden" name="target" value="$$target$$">
      <input type="hidden" name="smquerydata" value="$$smquerydata$$">
      <input type="hidden" name="smauthreason" value="$$smauthreason$$">
      <input type="hidden" name="smagentname" value="$$smagentname$$">
      <input type="hidden" name="postpreservationdata" value="$$postpreservationdata$$">
      <input type="submit" value="Login">
</form>

</body>
</html>
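As an added check (example code, not from the original post): the form above must POST the USER and PASSWORD inputs and the five hidden fields back to the FCC. This script parses an FCC template and reports any missing or mis-typed field, using a constructed copy of the form as its sample input.

```python
"""Lint a SiteMinder FCC login form: confirm it posts back every field the FCC expects.
Added example; REQUIRED_FIELDS are the names used by the sample form, SAMPLE_FORM is a constructed copy."""
from html.parser import HTMLParser

REQUIRED_FIELDS = {"USER", "PASSWORD", "target", "smquerydata",
                   "smauthreason", "smagentname", "postpreservationdata"}


class FormInputs(HTMLParser):
    """Record the form method and the (name -> type) of every named <input>."""

    def __init__(self):
        super().__init__()
        self.method = None
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # attribute names arrive lower-cased
        if tag == "form":
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = (a.get("type") or "text").lower()


def check_fcc_form(html):
    """Return a list of problems; an empty list means the form is complete."""
    p = FormInputs()
    p.feed(html)
    problems = []
    if p.method != "POST":
        problems.append("form must use METHOD=POST")
    problems += [f"missing input: {n}" for n in sorted(REQUIRED_FIELDS - p.inputs.keys())]
    if p.inputs.get("PASSWORD", "password") != "password":
        problems.append("PASSWORD input must be type=password")
    return problems


SAMPLE_FORM = """@username=%USER%
@smretries=0
<form NAME="Login" METHOD="POST">
  UserName: <input type="text" name="USER">
  Password: <input type="password" name="PASSWORD">
  <input type="hidden" name="target" value="$$target$$">
  <input type="hidden" name="smquerydata" value="$$smquerydata$$">
  <input type="hidden" name="smauthreason" value="$$smauthreason$$">
  <input type="hidden" name="smagentname" value="$$smagentname$$">
  <input type="hidden" name="postpreservationdata" value="$$postpreservationdata$$">
  <input type="submit" value="Login">
</form>"""
```

Run `check_fcc_form` over your own .fcc file contents; the FCC directive lines at the top are ignored by the HTML parser.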

Tuesday, August 13, 2013

Siteminder status flags used in password policies


Disable Flag = 0 (User profile is active)
             = 1 (Disabled by administrator)
             = 2 (Account locked out)
             = 4 (Expired due to inactivity)
             = 8 (Expired due to inactivity)
             = 16777216 (Force change password mode)
Flags combine additively: 16777216 + 2 = 16777218 (force change password mode + account locked out).

Securing Tomcat/JBoss web application using Siteminder


The Apache web server acts as a proxy for Tomcat and protects the Tomcat application.
The explanation is written for Tomcat, but it works for a JBoss server as well with little or no modification.

Download the Tomcat connector from http://tomcat.apache.org/connectors-doc/

Install the Tomcat connector.

Copy the downloaded connector DLL (or .so) file to your Apache modules folder.
Path: Apache2\modules

Create a mod_jk.conf file

In the Tomcat 6.0\conf folder create (or edit) a mod_jk.conf file.
Enter the following information into the file (Apache does not accept comments at the end of a directive line, so the log level is set on its own):
LoadModule jk_module <name of the tomcat connector with full path>
JkWorkersFile "<Root folder of tomcat installation>/conf/workers.properties"
JkLogFile "<Full path and name of the logfile you wish to use>"
# JkLogLevel: one of info, debug or error, as per requirement
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
Finally add the lines:
JkMount /[your application name] smworker
JkMount /[your application name]/* smworker
This forwards everything sent to the application path you specify to Tomcat. For example:
JkMount /example smworker
JkMount /example/* smworker
sends all requests that Apache receives for http://myserver.ca.com/example on to Tomcat.
Edit the webservers httpd.conf file.

On a Windows system this is commonly located in C:\Program Files\Apache Group\Apache2\conf.
At the end of this file add the line:
Include "[tomcat install folder]/conf/mod_jk.conf"
where [tomcat install folder] is the location of your Tomcat installation.
Create a workers.properties file in [Tomcat root folder]/conf (the path given to JkWorkersFile above).
Paste the following information into this file:
# Define 1 real worker named smworker
worker.list=smworker
# Set properties for the worker named smworker to use the ajp13 protocol
# and connect to Tomcat on port 8009. The property names must use the
# same worker name that appears in worker.list and in the JkMount lines.
worker.smworker.type=ajp13
worker.smworker.host=localhost
worker.smworker.port=8009
worker.smworker.lbfactor=50
worker.smworker.cachesize=10
worker.smworker.cache_timeout=600
worker.smworker.socket_keepalive=1
worker.smworker.socket_timeout=300
In the server.xml file (located in [Tomcat root folder]/conf) ensure the following line is present and uncommented:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Start Apache with the new module using these commands:
apache -k install
apache -k start
Finally, start the Tomcat server.
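An added consistency check, not part of the original post: the worker name in each JkMount line must appear in worker.list and have matching worker.<name>.* properties, otherwise mod_jk has no host or port to forward the mounted application to. This script parses both files (constructed samples below, including one whose worker properties use a different name than worker.list) and reports the gaps.

```python
"""Cross-check JkMount workers in mod_jk.conf against workers.properties (added example)."""
import re

# Constructed sample files matching the layout described above.
MOD_JK_CONF = """LoadModule jk_module modules/mod_jk.so
JkWorkersFile "C:/Tomcat 6.0/conf/workers.properties"
JkMount /example smworker
JkMount /example/* smworker
"""
# Easy mistake: worker.list names smworker but the properties use another name,
# so mod_jk has no host/port for the worker the application is mounted on.
WORKERS_BAD = """worker.list=smworker
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
"""
WORKERS_GOOD = WORKERS_BAD.replace("worker.ajp13.", "worker.smworker.")


def mounted_workers(conf):
    """Map each worker named in a JkMount directive to the paths mounted on it."""
    mounts = {}
    for path, worker in re.findall(r"^\s*JkMount\s+(\S+)\s+(\S+)", conf, re.M):
        mounts.setdefault(worker, []).append(path)
    return mounts


def parse_workers(props):
    """Return (names in worker.list, {worker: {property: value}})."""
    listed, defined = set(), {}
    for line in props.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"worker\.([^.]+)\.(\w+)", key)
        if key == "worker.list":
            listed.update(w.strip() for w in value.split(","))
        elif m:
            defined.setdefault(m.group(1), {})[m.group(2)] = value
    return listed, defined


def check_jk(conf, props):
    """Return problems: a worker that is mounted but unlisted, or used but never defined."""
    listed, defined = parse_workers(props)
    mounted = set(mounted_workers(conf))
    problems = [f"worker '{w}' is mounted but not in worker.list" for w in sorted(mounted - listed)]
    for w in sorted(mounted | listed):
        if w not in defined:
            problems.append(f"worker '{w}' is used but has no worker.{w}.* properties")
    return problems
```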

Install the Siteminder Apache Webagent.

Install the Siteminder Apache webagent using the installation wizard as you would normally.

Protect the application.

Using the SiteMinder administrative interface, create a realm with the appropriate resource filter to protect the application mounted with the JkMount directive earlier.

Then create rules, policies and responses to protect the application as you would normally.

Configure the Siteminder Apache Webagent.
Use the webagent configuration wizard to configure the Apache2 agent as you would normally.

Restart the Apache HTTP server.

Test the install.

The Tomcat application is now protected by the SiteMinder web agent running on the Apache web server.

You should be prompted by Siteminder to provide credentials when accessing the application.

Sunday, August 11, 2013

CA Security Moves to the Minder Brand!

CA Technologies is pleased to announce the renaming of its security portfolio to follow the well-known product family "Minder" name. This is an exciting change that will make it easier for our customers to identify CA Security products, highlight the cohesiveness of our security solutions, and improve the clarity of product focus and capabilities. The new product names now appear in our online support systems.

Saturday, August 10, 2013

Directory Server Enterprise Edition (DSEE) configuration/installation
Pre-Configure Directory Service Control Center (DSCC)
    1. Create the WAR file for DSCC using the command below:
        dsccsetup war-file-create
        This step creates the WAR file; note down the path of the WAR file.
        Ex: Created the WAR file at C:\Softwares\dsee7\var\dscc7.war
       
    2. Initialize the DSCC registry
        dsccsetup ads-create
        It prompts for the Directory Service Manager password, which is required to log in to the DSCC console.
       
    3. Note the port and the path assigned to the DSCC registry:
        dsccsetup status
        ***
        DSCC Agent is not registered in Cacao
        ***
        DSCC Registry has been created
        Path of DSCC registry is C:/Softwares/dsee7/var/dcc/ads
        Port of DSCC registry is 3998
        ***
        3998 is the default port of the DSCC registry.
    4. Deploy the WAR file in a supported application server.
   
To pre-configure the DSCC agent

    5. dsccsetup cacao-reg
        Cacao will listen on the DSCC agent port.
            21162 is the default port configured during my configuration; it may differ in some scenarios.
           
   
Log in to the DSCC console
    Copy the WAR file "dsee7\var\dscc7.war" into the webapps folder of the Tomcat server.
    Open http://localhost:port/dscc7/ in a browser.
    Enter the DSCC credentials to log in.