SiteMinder/SOA Security Manager Connection

Overview

This topic explains how to create connections to CA SiteMinder and CA SOA Security Manager. Under the External Connections tree node in the Policy Studio, right-click the SiteMinder/SOA Security Manager Connection node, and select Add CA SiteMinder Connection or Add CA SOA Security Manager Connection.

You can specify how the API Gateway connects to CA SiteMinder using the SiteMinder Connection Details dialog. You can specify how the API Gateway connects to CA SOA Security Manager using the CA SOA Security Manager Connection Details dialog. In both cases, the API Gateway must have already been set up as an agent in the CA Policy Server.

The connection details to be configured for the API Gateway are the same for both SiteMinder and SOA Security Manager, with an additional setting for SOA Security Manager.

SiteMinder and SOA Security Manager Connection Details

This section describes details that are common to both SiteMinder and CA SOA Security Manager connections.

Agent Name:

Enter the name of the agent to connect to SiteMinder or SOA Security Manager in the Agent Name field. This name must correspond to the name of an agent previously configured in the CA Policy Server.

Agent Configuration Object:

The name entered must match the name of the Agent Configuration Object (ACO) configured in the CA Policy Server. The API Gateway currently does not support any features represented by the ACO parameters except for the PersistentIPCheck setting. For example, the API Gateway ignores the DefaultAgent parameter, and uses the agent value it collects separately during agent registration.

Setting the PersistentIPCheck ACO parameter to yes instructs the API Gateway to compare the IP address from the last request (stored in a persistent cookie) with the IP address in the current request. If the IP addresses do not match, the API Gateway rejects the request. If this parameter is set to no, this check is disabled.

SmHost.conf file created by smreghost:

The API Gateway host machine must be registered with SiteMinder or SOA Security Manager. To register the host machine, you must use the smreghost tool on the API Gateway machine. The smreghost tool creates a file called SmHost.conf. You must then use the Browse button to upload this file into the API Gateway configuration.

If you have already generated a suitable SmHost.conf file, and copied it to the machine on which you are running the Policy Studio, you can browse to the location of the file using the Browse button at the bottom right of the text area. You can select whether to use an SmHost.conf or SmHost.cnf file in the dialog. You can also enter the file name as an environment variable selector (for example, ${env.SMHOST}). After selecting the configuration file, the connection details are displayed in the text area. For more details on setting external environment variables for API Gateway instances, see the API Gateway Deployment and Promotion Guide.

If you do not have a suitable SmHost.conf file, you can generate one by running the smreghost command on the machine running the API Gateway. Complete the following steps:

  1. Run the smreghost command on the machine on which you have installed the API Gateway. The smreghost tool is found in the following location, depending on your target platform:

    Windows: /Win32/lib

    Linux: /Linux.i386/bin

    Solaris: /SunOS.sun4u-32/bin

    Open a command prompt at this directory, and run the smreghost command. You must pass the appropriate command-line arguments, depending on the hostname and hostconfigobject configured to represent the API Gateway in the CA Policy Server. Similarly, you must specify the hostname/IP and port of the CA Policy Server.

  2. The smreghost tool writes its output to an SmHost.conf file in the same directory. You must manually copy this file from the machine running the API Gateway to the machine running the Policy Studio.

  3. Browse to the location of this file using the Browse button on the connection details dialog.
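The following check can be run on the generated file before it is copied and uploaded. It is an added example, not part of the product or of the original documentation. It assumes the file consists of key="value" lines; the key names, the sample values and the function names are assumptions to adjust against your own generated file.

```shell
#!/bin/sh
# Added example: sanity-check an smreghost-generated host file before upload.
# Assumption: the file is key="value" lines with '#' comments; the key names
# below are assumed and should be compared with your own generated file.
REQUIRED_KEYS="hostname sharedsecret hostconfigobject policyserver"

# conf_value FILE KEY: print KEY's value with the surrounding quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# check_smhost_conf FILE [EXPECTED_HOSTNAME] [EXPECTED_HOSTCONFIGOBJECT]
# Returns 0 when every check passes; otherwise reports to stderr and returns 1.
check_smhost_conf() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # The file carries the host's shared secret, so only the owner should have access.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: group/other access ($mode)" >&2; rc=1; }
    for k in $REQUIRED_KEYS; do
        [ -n "$(conf_value "$f" "$k")" ] || { echo "$f: $k missing or empty" >&2; rc=1; }
    done
    # Compare with the names registered in the CA Policy Server, when supplied.
    if [ -n "${2:-}" ] && [ "$(conf_value "$f" hostname)" != "$2" ]; then
        echo "$f: hostname is not $2" >&2; rc=1
    fi
    if [ -n "${3:-}" ] && [ "$(conf_value "$f" hostconfigobject)" != "$3" ]; then
        echo "$f: hostconfigobject is not $3" >&2; rc=1
    fi
    return $rc
}

# Constructed sample content (not real smreghost output), written owner-only.
write_sample_conf() {
    ( umask 077
      printf '%s\n' '# constructed sample' 'hostname="apigw01"' \
          'sharedsecret="PLACEHOLDER-NOT-A-SECRET"' \
          'hostconfigobject="ExampleHostSettings"' \
          'policyserver="192.0.2.10,44441,44442,44443"' > "$1" )
}

tmp=$(mktemp -d)
write_sample_conf "$tmp/SmHost.conf"
check_smhost_conf "$tmp/SmHost.conf" apigw01 ExampleHostSettings && echo "SmHost.conf looks sane"
rm -rf "$tmp"
```

Keep the same owner-only permissions on the copy placed on the Policy Studio machine, and remove that copy once the file has been uploaded into the API Gateway configuration.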

SOA Security Manager Connection Details Only

This section describes details that are specific to CA SOA Security Manager connections only. In addition to the fields already described in the previous section, you must also configure the following field on the CA SOA Security Manager Connection Details dialog.

XMLSDKAcceptSMSessionCookie:

This setting controls whether the CA SOA Security Manager authentication filter accepts a single sign-on token for authentication purposes. The single sign-on token must reside in the HTTP header field named SMSESSION to authenticate using this mechanism. This token is created and updated when the CA SOA Security Manager authorization filter runs successfully.

When this checkbox is selected, the authentication filter allows authentication using a single sign-on token.

Note

If no single sign-on token is present in the message, the authentication filter authenticates fully by gathering credentials from the request in whatever manner has been configured in the CA SOA Security Manager. When this checkbox is unselected, the authentication filter authenticates fully (it never allows authentication using a single sign-on token).