
After you have finished installing all Precise components on a server, you may remove the user (used by the Precise services) from the Administrators group and assign it to either the Power Users group or the Users group. In both cases the user should be set to have Login as service authorization. If the user is set to the Users group, you also need to grant access permissions to authenticated users for each Precise service on the machine. To do this, use the SC.exe utility from the Microsoft Resource Kit.

For example:

"E:\Program Files\Resource Kit\sc.exe" sdset psin_sentry_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
"E:\Program Files\Resource Kit\sc.exe" sdset psin_i3fp_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
"E:\Program Files\Resource Kit\sc.exe" sdset psin_gui_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

This is only an example. Do not copy and paste it in your application. The commands may be different in different Windows versions. The general idea is to use sdshow to show the service permissions and then to use sdset to copy the Power User group permissions (represented as PU) to the Authenticated Users group permissions (represented as AU). For more details, see the sc.exe help file in the Microsoft Resource Kit.
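
The sdshow-then-sdset idea from the note above, as an added Python example that is not part of the Precise documentation: it parses a service's SDDL string, copies the allow ACE of PU to AU, and refuses when the copied rights would let AU reconfigure or take over the service. The function names and the BEFORE descriptor are constructed for illustration.

```python
import re

# SDDL access-right codes as they apply to Windows services.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read permissions", "WD": "write DACL",
    "WO": "write owner", "GA": "generic all", "GW": "generic write",
}
# Rights that let a holder reconfigure, delete or take over the service.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "GW"}
ACE = r"\([^();]*(?:;[^();]*){5}\)"  # one ACE: six ';'-separated fields

def split_sddl(sddl):
    """Return (dacl_header, [ace_fields, ...], sacl) from sdshow output."""
    sddl = "".join(sddl.split())  # sdshow output is often line-wrapped
    dacl, sep, sacl = sddl.partition("S:")
    m = re.fullmatch(rf"(D:[A-Z]*)((?:{ACE})+)", dacl)
    if not m:
        raise ValueError("not a service DACL in SDDL form")
    aces = [a[1:-1].split(";") for a in re.findall(ACE, m.group(2))]
    return m.group(1), aces, sep + sacl

def rights_of(ace):
    """Map an ACE's rights field to readable names; unknown forms are kept."""
    ok = re.fullmatch(r"(?:[A-Z]{2})+", ace[2])
    codes = re.findall("..", ace[2]) if ok else [ace[2]]
    return {c: SERVICE_RIGHTS.get(c, "unknown, review by hand") for c in codes}

def copy_rights(sddl, src="PU", dst="AU"):
    """Build the sdset argument that gives dst the rights src holds."""
    header, aces, sacl = split_sddl(sddl)
    src_ace = next((a for a in aces if a[0] == "A" and a[5] == src), None)
    if src_ace is None:
        raise LookupError(f"no allow ACE for {src} in this descriptor")
    risky = {c for c in rights_of(src_ace)
             if c in DANGEROUS or c not in SERVICE_RIGHTS}
    if risky:
        raise PermissionError(f"refusing to grant {sorted(risky)} to {dst}")
    aces = [a for a in aces if not (a[0] == "A" and a[5] == dst)]
    aces.insert(aces.index(src_ace), src_ace[:5] + [dst])
    return header + "".join("(" + ";".join(a) + ")" for a in aces) + sacl

# Constructed sdshow output: AU lacks start/stop/pause (RP, WP, DT).
BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
if __name__ == "__main__":
    print(copy_rights(BEFORE))
```

Run against the real sdshow output of each Precise service, the returned string is the argument to pass to sdset; a descriptor without a PU entry raises LookupError instead of producing a guess.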

Configuring the Single Sign On feature for Precise

Support of the Single Sign On feature means adding the capability to Precise to be an integrated part of an enterprise application. It also allows the enterprise application users to log in to their systems only once, remembering the credentials and authorization used by the user, and then removing the need to log in again to each of the enterprise systems.

The prerequisites, installation, and configuration of this feature are described in the following sections.

About prerequisites

Before you configure the Single Sign On feature it is best to define at least one user in Precise who also appears in the SiteMinder folder. This is important for security reasons.

To configure Precise and to enable it to operate using a Single Sign On feature, install and configure the following products:

  • Apache Web server version 2.2.3 or higher
  • SiteMinder Web agent version 6.00 Hotfix 05.03 or higher*

    Precise does not sell or provide CA SiteMinder®. This product should be acquired from Computer Associates.

  • Precise version 8.2 and up.

*At the moment of creation of this text, the Web agent for the following platforms could be downloaded:

  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the SPARC based Solaris 8/9/10 platforms.
  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the RHAS 3.0 platform.
  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the RHAS 4.0 platform.
  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the Windows 2000 SP4 platform.
  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the Windows 2003 SP1 and Windows 2003 R2 platforms.
  • Web-Agent 6QMR5 CR002 certified with ASF Apache 2.2.3 Web server on the AIX 5.2 and AIX 5.3 platforms.

Configuring the Apache Web server

The Precise Single Sign On feature works with Apache Web server v2.2.3 or higher. The Apache Web server should be configured to work as a reverse proxy server that is installed on the Tomcat port of Precise (the Precise GUI port).

To configure the Apache Web server for Windows
1.    Open the \conf\httpd.conf file in the Apache installation folder.
2.    Change the line with the Listen directive and port number to the GUI port of Precise (the port that the Precise Tomcat Web server listens to, in this example 20760). The line becomes:
Listen 20760
3.    Change the line with the ServerName and port number (in this example 20760) to the required server and GUI port:
ServerName GUI-TEST-INST.precise.com:20760
4.    Look for the following three lines with the proxy modules and remove the pound/hash mark (#) from them:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
5.    Point Apache at the new port of the Precise Tomcat Web server (in this example 20761; see the following steps about this port) by adding the following entries at the end of the file:
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://gui-test-inst.precise.com:20761/
ProxyPassReverse / http://gui-test-inst.precise.com:20761/
Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
6.    Open the <precise_root>/infra/setup.xml file and edit the <tomcat-port> tag.
7.    Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
8.    Restart first the Tomcat service and then the Apache service.
The restart order is important because the Tomcat server has to release the port that the Apache server is configured to listen to.

To configure the Apache Web server for Linux
1.    Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
Remember to make the change in the Precise setup.xml file.
2.    Enable the mod_proxy feature in the Apache Web server. For example, on a Debian server it is done by symlinking some files:
symsrv:/etc/apache2/mods-enabled# ls
cgid.conf cgid.load userdir.conf userdir.load
symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.* .
symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.* .
symsrv:/etc/apache2/mods-enabled# ls
cgid.conf cgid.load proxy.conf proxy.load proxy_http.conf proxy_http.load userdir.conf userdir.load
3.    Configure the mod_proxy feature by creating a configuration file snippet, conf.d/symi3, as described in the following code:
symsrv:/etc/apache2/mods-enabled# cd ../conf.d
symsrv:/etc/apache2/conf.d# cat > symi3
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://gui-test-inst.precise.com:20761/
ProxyPassReverse / http://gui-test-inst.precise.com:20761/
teacup:/etc/apache2/conf.d#

Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
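
An added consistency check for the Windows and Linux procedures above (example code, not part of the Precise documentation): it cross-checks httpd.conf against setup.xml so that Apache forwards to the port Tomcat actually uses, does not share that port, and does not act as a forward proxy. The function names and sample text are constructed, and it assumes the <tomcat-port> tag holds the bare port number.

```python
import re

def active_directives(conf_text):
    """Return [(name, args)] for uncommented, non-container directives."""
    found = []
    for line in map(str.strip, conf_text.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            found.append((name.lower(), args))
    return found

def port_of(value):
    """Port from '20760', '10.0.0.5:20760' or 'http://host:20761/'."""
    m = re.search(r"(?:^|:)(\d+)/?$", value)
    return int(m.group(1)) if m else None

def check_sso_proxy(httpd_conf, setup_xml):
    """Return findings; an empty list means the two files agree."""
    d = active_directives(httpd_conf)
    args = lambda name: [a for n, a in d if n == name and a]
    loaded = {a[0] for a in args("loadmodule")}
    findings = [f"{m} is not loaded" for m in
                sorted({"proxy_module", "proxy_http_module"} - loaded)]
    if [a[0].lower() for a in args("proxyrequests")] != ["off"]:
        findings.append("ProxyRequests is not Off (open forward proxy risk)")
    fwd = [a[1] for a in args("proxypass") if a[0] == "/" and len(a) > 1]
    rev = [a[1] for a in args("proxypassreverse") if a[0] == "/" and len(a) > 1]
    if len(fwd) != 1 or fwd != rev:
        return findings + ["ProxyPass / and ProxyPassReverse / must name "
                           "one identical backend URL, one directive per line"]
    backend = port_of(fwd[0])
    m = re.search(r"<tomcat-port>\s*(\d+)\s*</tomcat-port>", setup_xml)
    tomcat = int(m.group(1)) if m else None
    if tomcat != backend:
        findings.append(f"setup.xml says {tomcat}, Apache forwards to {backend}")
    if backend in [port_of(a[0]) for a in args("listen")]:
        findings.append(f"Apache listens on the Tomcat port {backend}")
    return findings

# Constructed samples; assumes <tomcat-port> holds the bare port number.
SAMPLE_CONF = """Listen 20760
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass / http://gui-test-inst.precise.com:20761/
ProxyPassReverse / http://gui-test-inst.precise.com:20761/
"""
SAMPLE_SETUP = "<tomcat-port>20761</tomcat-port>"
if __name__ == "__main__":
    print(check_sso_proxy(SAMPLE_CONF, SAMPLE_SETUP))
```

The check also flags directives that were pasted run together on one line, because Apache reads one directive per line.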

Installing the SiteMinder Web agent

To install the SiteMinder Web agent, you need to have SiteMinder installed on your application, and a user name and password for access to the SiteMinder support site, from which you download the SiteMinder Web agent.

To install the SiteMinder Web agent
1.    Before downloading and installing the SiteMinder Web agent, perform the steps described in the procedure To make changes on the System tab in the Configuring the SiteMinder Policy server section.
2.    Download and install the latest SiteMinder Web agent for Apache Web servers.
Verify that the version you download supports the Apache Web server version that we support (in this case, version 2.2.3), and that you download the file for the platform on which your Apache Web server is installed. Download the agent from https://support.netegrity.com: enter your user name and password, select Tools in the left pane, choose Download Manager, select SiteMinder Web Agent in the Download a product drop-down menu, choose SiteMinder 6.x QMR's, and choose the agent to be downloaded.
3.    After installing the SiteMinder Web agent, configure it according to the SiteMinder Web agent Installation and Configuration guide.
4.    Open the WebAgent.conf file in the \Program Files\Apache Software Foundation\Apache2.2\conf folder. Set EnableWebAgent="YES".
5.    Add the Apache Web server as a protected resource to SiteMinder's protected resources.
6.    Restart the machine after you have installed the Web Agent.

Configuring the SiteMinder Policy server

The SiteMinder Policy server management application is used to configure the Policy server to protect Precise.

To configure the Policy server
1.    Log in to the Policy server management application.
2.    Define the protection on the Precise application by performing steps on two of the three main tabs (System, Domains, Global Policies) on the main window of the Policy server management application, as described in separate procedures.

To make changes on the System tab
1.    Define a new Web agent under the Agents item.
2.    Define a new Host Configuration Object under the Host Conf Objects item.
3.    Duplicate the DefaultHostSettings object, give it a name, and replace the complete <IPAddress> with the Policy Server IP address.
4.    Define a new Agent Configuration Object under the Agent Conf Objects item.
5.    Duplicate the ApacheDefaultSettings configuration object, give it a name, and configure the following items so that they have the values described in the table:
Item    Value
PersistentCookies    Yes
IgnoreExt    Add the following extensions: .xml and .css
ForceFQHost    Yes
DefaultAgentName    Verify that this contains the name of the new Web agent defined in the Agents item.
AgentName    Verify that this contains the name of the new Web agent defined in the Agents item.
CookieDomain    Add the domain the agent is working in. For example: .precise.com

To make changes on the Domains tab
1.    On the Domains tab, add a domain and give it a name, for example: Precise.
2.    Add the user directories to the related Precise domain. See the SiteMinder documentation for further instructions.
3.    Under the Precise domain, add a realm and give it a name, for example: Precise-Realm. This realm will protect Precise.
4.    Configure the Precise-Realm (in the Realms subfolder).
5.    Under the Precise-Realm, create a rule and give it a name, for example: Precise-rule.
6.    Add a new response under the Precise/Responses entry.
7.    Add a new policy under the Precise/Policies entry.

To configure the Precise-Realm
1.    Open the Realms subfolder by clicking the + icon next to the Realms folder under the Precise domain.
2.    Double-click the Precise-Realm folder.
3.    On the Resource tab, verify that the following items have the following values:
Item    Value
Agent    Add the Web agent that is installed on the Precise Web server.
Resource filter    /i3/Login
Authentication scheme    Basic authentication
Default resource protection    Protected
4.    On the Session tab, verify that the following items have the following values:
Item    Value
Maximum Time Out Enabled    Check. 2 hours, 0 minutes.
Idle Time Out Enabled    Check. 2 hours, 0 minutes.
Persistent Session    Choose No Persistent Session.
Synchronous Auditing    Should be unchecked.
5.    On the Advanced tab, perform the following steps:
  • Configure the Directory Mapping to the location of the user folder.
  • Select the Process Authentication Events checkbox.
  • Select the Process Authorization Events checkbox.
6.    Click Apply and OK.

To create and name a rule under the Precise-Realm
1.    Right-click in the tree on the Precise-Realm and choose Create Rule under Realm.
2.    In the Rules Properties dialog box, provide a name for the rule, for example: Precise-rule.
3.    Clear the Perform Regular Expression checkbox.
4.    Under the Action group, select the Web Agent actions and Get and Post.
5.    Under the Allow/Deny and Enable/Disable group, select the Allow Access radio button.
6.    Under the Allow/Deny and Enable/Disable group, select the Enabled checkbox.

To add a new response under the Precise/Responses entry
1.    Give a name to the response, for example: Precise-response.
2.    Select SiteMinder's Web agent response type option.
3.    Click Create and create the response attribute.
4.    Select the User Attribute radio button.
5.    Create a cookie called Precise-SiteMinderUser that returns the FullName if it is the NT domain name. If working with a different folder, choose the property in the folder that holds the user name.
This user name should also be defined in the Precise application, in the Precise AdminPoint.
6.    Select the Recalculate value every xx seconds checkbox and give it a value of 15.

To add a new policy under the Precise/Policies entry
1.    Give a name to the policy, for example: Precise-policy.
2.    Verify that the policy is enabled.
3.    In the Rules tab, insert the Precise-rule and the Precise-response with the values you set in the previous procedures.
4.    In the Users tab, define the relevant users.

Changing the Precise configuration

The Precise configuration needs to be changed to connect it to SiteMinder and activate the Single Sign On feature.

To connect SiteMinder to Precise and activate the Single Sign On feature
1.    Edit the siteMinder.htm file located in:
<precise_root>\products\gui\website\webapps\i3\Login
2.    Set the bSiteMinderActive variable to true (bSiteMinderActive = true;).
3.    Save the file.
4.    Edit the products\i3fp\login\jaas.config file so that its content looks like:
StartPoint{com.precise.infra.login.SiteMinderLoginModule required;};
5.    Stop and then restart the Precise FocalPoint.

Disabling the Precise integration with SiteMinder

To disable the integration between SiteMinder and Precise, two procedures need to be performed: one to roll back the Precise configuration changes and one to roll back the Apache Web agent configuration changes.

To roll back the Precise configuration changes
1.    Edit the siteMinder.htm file located in:
<precise_root>\products\gui\website\webapps\i3\Login
2.    Set the bSiteMinderActive variable to false (bSiteMinderActive = false;).
3.    Edit the products\i3fp\login\jaas.config file so that its content looks like:
StartPoint{com.precise.infra.login.InfraDbLoginModule required;};
4.    Stop and then restart the Precise FocalPoint.

To roll back the SiteMinder configuration changes
1.    Shut down the Web Agent installed on the Precise Web server's machine. For more information on how to shut down the Web agent, see the SiteMinder documentation.
2.    In the Apache installation folder, open the WebAgent.conf file, which is located in:
Windows:
\Program Files\Apache Software Foundation\Apache2.2\conf
Linux:
web_server_home/conf
where web_server_home is the location of the installed Web server.
3.    Change EnableWebAgent to no (EnableWebAgent="NO").
4.    Restart the Apache service.
