SiteMinder integration configuration

CA SiteMinder is a third-party application that controls user access to secured applications and provides a Single Sign-On (SSO) portal. A SSO portal is a Web gateway or proxy that enables users to access multiple secured Web applications using a single user name and password they provide once at the start of the user session.

SecureTransport can be integrated into a SiteMinder SSO environment and use SiteMinder to SSO authenticate and authorize resource access using only HTTP or HTTPS.

Note Before configuring SiteMinder settings, be sure to read SiteMinder integration.

Before using SecureTransport with SiteMinder, you must configure the SiteMinder settings using the SecureTransport Administration Tool.

Note If SecureTransport is deployed in a secure perimeter network (DMZ) configuration, configure the SiteMinder settings on SecureTransport Server as described in this topic. The SiteMinder Settings page is not available on SecureTransport Edge.
  1. Select Authentication > SiteMinder Settings.
  2. The CA SiteMinder Setting page is displayed.
  3. Provide the information described in the following table. Each entry gives the field name, whether it is required or optional, and its description.

     IP Address (Required)
       The network address of the SiteMinder Policy Server.

     Administrator Username (Optional)
       The user name used to connect to the SiteMinder database.

     Administrator Password (Optional)
       If a password is required, select Use Password and enter it in the field provided.
       Note Exported configuration from SecureTransport 4.x.y systems does not include the SiteMinder administrator password.

     Authorization Port (Required)
       The authorization port for the SiteMinder Policy Server.

     Authentication Port (Required)
       The authentication port for the SiteMinder Policy Server.

     Accounting Port (Required)
       The accounting port for the SiteMinder Policy Server.

     LDAP User Directory (Optional)
       The name of the SiteMinder user directory used to retrieve the home folder, user ID, and group ID.

     Agent Name (Required)
       The name of the SiteMinder agent that SecureTransport uses when connecting to the SiteMinder Policy Server.

     Agent Type (Required)
       For SiteMinder protocol version 4, the shared secret used to communicate with the SiteMinder Policy Server. For version 5, the path to SmHost.conf.

     Shared Secret (Required)
       The password for the SiteMinder agent that SecureTransport uses to connect to the Policy Server.

     Maximum Connections (Required)
       The maximum number of SiteMinder connections that SecureTransport can have open simultaneously. This does not limit the number of users who can log in to the SecureTransport Server through the SiteMinder SSO portal.

     Connection Timeout (Required)
       The amount of time (in seconds) that a SiteMinder connection can be idle before it is closed. The default is 30 seconds. This is independent of the user session timeout.

     File Storage Root Path (Required)
       The segment of the absolute URI that is removed before the URI is submitted to the SiteMinder Policy Server for authorization. If the entire absolute URI is to be submitted for authorization, type / in this field.

     SiteMinder Path Prefix (Optional)
       After the File Storage Root Path is removed, but before SiteMinder authorization, this entry is prefixed to the absolute URI. For example, if the absolute URI is /mnt/ab/user1, the File Storage Root Path is /mnt/ab, and the SiteMinder Path Prefix is /root, then /root/user1 is sent to SiteMinder for authorization. If this box is left blank, no prefix is applied to the URI before authorization.
       Note When SiteMinder is enabled, all SecureTransport users must have GET access to the path specified in the SiteMinder Path Prefix to log in successfully. If this setting is left blank, users must have GET access to /. The SiteMinder administrator must set up the SiteMinder Policy Server accordingly.

     Default Home Folder (Required)
       The absolute URI of the default home folder of the local user. The default home folder is used when a home folder is not supplied by the SiteMinder Policy Server.
       Requirements:
       • The folder must be created manually on the machine.
       • On Windows, the folder should not use shared storage.
       • On Linux, the permissions of the folder must be set to "777" on all nodes in the cluster.

     Default Local User ID (Required)
       The numeric user ID (UID) of a user that has full read/write access to the directory specified as the File Storage Root Path and its subdirectories. This default is used only if a UID is not supplied by SiteMinder.
       Note On Windows, type the name of the respective virtual user. Windows does not support UIDs.

     Default Local Group ID (Required)
       The numeric group ID (GID) of a user that has full read/write access to the directory specified as the File Storage Root Path and its subdirectories. If no UID or GID is supplied by SiteMinder, these defaults are used for all file operations (including ownership of new files) that SecureTransport performs for users authenticated by SiteMinder.

     Explicitly uses SiteMinder Attributes (Optional)
       When selected, SecureTransport uses the values specified in the User Attribute Names section.
       If not selected:
       • if the user is assigned to an account template, the User ID, Group ID, and Home Folder are determined from the template;
       • if the user is not assigned to an account template, the default home folder, local user ID, and local group ID are used.
       The state of the checkbox has no effect on SiteMinder users mapped as virtual users.

     Home Folder Attribute (Optional)
       SiteMinder returns information about the user as name=value pairs. The attribute settings supply the name part of the pair and must be entered manually. In Home Folder Attribute, enter the name of the SiteMinder attribute whose value is the absolute URI of the user's home folder.
       Requirements:
       • The folder must be created manually on the machine.
       • On Windows, the folder should not use shared storage.
       • On Linux, the permissions of the folder must be set to "777" on all nodes in the cluster.
       Note After changing Home Folder Attribute, restart the Transaction Manager for the change to take effect.
       Note If Home Folder Attribute, Group ID Attribute, and User ID Attribute are left blank, so that the attributes are not defined, the default Home Folder, Local User ID, and Local Group ID are used.

     User ID Attribute (Optional)

     Group ID Attribute (Optional)

  4. Click Update SiteMinder Settings.
  5. To use one or two more SiteMinder servers for failover, specify server configuration parameters that correspond to the fields described above. The names of the parameters for the second server start with Siteminder.PolicyServers.Second.PolicyServer. The names for the third server start with Siteminder.PolicyServers.Third.PolicyServer. The final parts of the names are given in the following table:
Field                       Server configuration parameter
Enable SiteMinder Module    enable
IP Address                  host
Administrator Username      adminUsername
Administrator Password      adminPassword
Authorization Port          authorizationPort
Authentication Port         authenticationPort
LDAP User Directory         ldapUserDirectory
Maximum Connections         maxConnections
Connection Timeout          timeout
Note If more than one SiteMinder server is configured in a server that is upgraded from SecureTransport 4.x.y or in configuration that is imported from a SecureTransport 4.x.y server, set the Siteminder.PolicyServers.Second.PolicyServer.enable and the Siteminder.PolicyServers.Third.PolicyServer.enable system configuration parameters to true as required.

There are also minConnections and connectionsStep parameters, which cannot be set from the CA SiteMinder Setting page.
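The two rules in the settings table that are easiest to get wrong are the path rewrite (File Storage Root Path stripped, then SiteMinder Path Prefix prepended) and the fallback order for home folder, UID and GID (SiteMinder attributes, then account template, then the configured defaults). The example below, added here and not SecureTransport's own code, models both rules on constructed sample values so an administrator can check what a given configuration will send to the Policy Server and which identity a user will end up with.

```python
from typing import Optional

# Added example, not SecureTransport code. All settings and attribute
# values passed in are constructed samples, not values read from a server.

def authorization_path(absolute_uri: str, file_storage_root: str, path_prefix: str) -> str:
    """Return the URI submitted to the Policy Server for authorization.

    The File Storage Root Path is removed from the front of the absolute URI
    ("/" means the whole URI is submitted), then the SiteMinder Path Prefix
    is prepended (blank means no prefix is applied).
    """
    root = file_storage_root.rstrip("/")            # "/" becomes "", so nothing is stripped
    if root:
        if absolute_uri != root and not absolute_uri.startswith(root + "/"):
            raise ValueError(f"{absolute_uri!r} is not under {file_storage_root!r}")
        remainder = absolute_uri[len(root):] or "/"   # the root itself maps to "/"
    else:
        remainder = absolute_uri
    prefix = path_prefix.rstrip("/")                # blank (or "/") means no prefix
    return prefix + remainder if prefix else remainder


def resolve_identity(sm_attributes: dict, use_sm_attributes: bool,
                     attribute_names: dict, template: Optional[dict],
                     defaults: dict) -> dict:
    """Pick home folder, UID and GID for a SiteMinder-authenticated user.

    sm_attributes    name=value pairs SiteMinder returned for the user
    use_sm_attributes state of "Explicitly uses SiteMinder Attributes"
    attribute_names  Home Folder / User ID / Group ID Attribute settings,
                     keys "home", "uid", "gid"; a blank name is "not defined"
    template         account template values, or None if the user has none
    defaults         Default Home Folder / Local User ID / Local Group ID
    """
    if use_sm_attributes:
        chosen = {}
        for key in ("home", "uid", "gid"):
            name = attribute_names.get(key)
            # an undefined attribute, or one SiteMinder did not return, uses the default
            chosen[key] = sm_attributes.get(name, defaults[key]) if name else defaults[key]
        return chosen
    if template:
        return {key: template[key] for key in ("home", "uid", "gid")}
    return dict(defaults)
```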
