Troubleshooting areas for CA Identity Portal and CA SSO integration

Document ID:  TEC1980722
Last Modified Date:  08/03/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 CA SiteMinder
  • CA Single Sign-On:Release:12.52 SP2
  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.6
  • CA Single Sign-On:Release:12.6.1
  • CA Single Sign-On:Release:12.7

Components

  • SITEMINDER -POLICY SERVER:SMPLC
  • SITEMINDER SECURE PROXY SERVER:SMSPS
Introduction:

We are using the Identity Suite virtual appliance, SSO, and Access Gateway as a web agent replacement. We are trying to protect the Identity Portal with an SSO policy. When we try to access the Identity Portal over HTTPS, we get an "Unauthorized Access" error from the portal. What are some key areas to troubleshoot?

Environment:
This affects any version of Identity Suite and SSO.
Instructions:

Troubleshooting areas to check

Area 1: Make sure the Identity Manager Management Console is configured as follows:

Web Services Properties:

- Check Enable Execution
- Check Enable WSDL Generation
- Check Enable admin_id (allow impersonation)
- Set SiteMinder Authentication to "Other"
- Leave all other fields unchecked and blank.

[image001.png: Web Services Properties screen]

User Defined Properties:

- AuditViewTask = false
- CheckPxSecurity = true
- DefaultConsole = ui7
- EnableSMRBAC = true
- managerattribute = imManagerId

[image002.png: User Defined Properties screen]

Area 2: The following file must contain the CA SSO (AKA SiteMinder) web agent name that is used to protect the Identity Manager realms in SSO (NOTE: this is not the 4.x agent):

/opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/sm_web_agent_name

Area 3: Configure the AJP port in SPS (OPTIONAL - for AJP integration only):

The CA Access Gateway (AKA Secure Proxy Server) rule in the proxy rules XML file should look similar to the one below. Change the case value and host to fit your environment. Replace "dummyName" with any path prefix you like; it must match the prefix used in the RewriteRule below.

<nete:case value="/name/">
<nete:forward>http://abc123.mycompany.com/dummyName/$1</nete:forward>
</nete:case>

Add the following entries to the "httpd.conf" file, changing the RewriteRule to fit your environment (10.10.10.5 is the virtual appliance, 8010 its fixed AJP port and sigma the portal context). If a LoadModule line is already present in httpd.conf, do not add it a second time; Apache warns that the module is already loaded.

#The lines below forward requests for the portal to its AJP port.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteRule ^/dummyName/(.*) ajp://10.10.10.5:8010/sigma/$1 [P]

Area 4: Enable the HTTPS protocol by running the following commands on the virtual appliance where Identity Portal is configured (OPTIONAL - for HTTP/HTTPS integration, as opposed to AJP):

NOTE: the management port of wildfly-portal is 9991, not the default 9990.

NOTE: the keytool command below generates a self-signed certificate and uses the placeholder password "changeit", and the add-user.sh command creates a management user with the password "password". Use real passwords (passwords passed on the command line are also visible in the process list and in the shell history), and for anything beyond a test replace the self-signed certificate with one issued by your PKI whose CN or SAN matches the host name clients use to reach the portal, since browsers and the Access Gateway validate the certificate against that name.

#Generate a certificate valid for 20 years (7300 days).
/opt/CA/jdk1.8.0_71/bin/keytool -genkeypair -noprompt -alias caip-srv -keyalg RSA -keystore /opt/CA/VirtualAppliance/custom/IdentityPortal/server.keystore -storepass changeit -keypass changeit -validity 7300 -dname cn=caip-srv

#Add a management user.
/opt/CA/wildfly-portal/bin/add-user.sh jbossadmin password

#Take a snapshot of the current configuration (OPTIONAL).
/opt/CA/wildfly-portal/bin/jboss-cli.sh --connect controller=localhost:9991 --user=jbossadmin --password=password --commands=":take-snapshot"

#Add the security realm.
/opt/CA/wildfly-portal/bin/jboss-cli.sh --connect controller=localhost:9991 --user=jbossadmin --password=password --commands="/core-service=management/security-realm=WebSslRealm:add()"

#Add the keystore to the realm as its SSL server identity.
/opt/CA/wildfly-portal/bin/jboss-cli.sh --connect controller=localhost:9991 --user=jbossadmin --password=password --commands="/core-service=management/security-realm=WebSslRealm/server-identity=ssl:add(keystore-path=/opt/CA/VirtualAppliance/custom/IdentityPortal/server.keystore, keystore-password=changeit, key-password=changeit)"

#Add an HTTPS listener to the Undertow default server, bound to the https socket-binding and using WebSslRealm.
/opt/CA/wildfly-portal/bin/jboss-cli.sh --connect controller=localhost:9991 --user=jbossadmin --password=password --commands="/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=WebSslRealm)"

After executing the above commands, Identity Portal on the virtual appliance listens for HTTPS on port 8444.

Area 5: The virtual appliance works on fixed ports: 8081 for HTTP, 8444 for HTTPS, and 8010 for AJP. You cannot change these ports.

Area 6: If the corresponding CA SSO configuration was created with the out-of-the-box Perl script, access the sigma Identity Portal at the following URLs:

For HTTP: http://10.10.10.5:8081/sigma/app/
For HTTPS: https://10.10.10.5:8444/sigma/app/

NOTE: the URL has /app/ appended.

Area 7: To access Identity Portal links anonymously from any page or application, define a public domain in CA SSO with anonymous access (anonymous authentication scheme) and add all links and related resources that are to be reachable anonymously to that domain's realm. Keep that realm limited to the public resources (the /sigma/public/ paths below); the rest of the portal stays in the protected realm. For example:

Self-Registration Link: http://demo.sso.local/sigma/public/index#/registration
Forgotten Password Reset: http://demo.sso.local/sigma/public/index#/forgot-password
