This topic explains how to create connections to CA SiteMinder and CA SOA Security Manager. Under the External Connections tree node in the Policy Studio, right-click the SiteMinder/SOA Security Manager Connection node, and select Add CA SiteMinder Connection or Add CA SOA Security Manager Connection.
You can specify how the API Gateway connects to CA SiteMinder using the SiteMinder Connection Details dialog. You can specify how the API Gateway connects to CA SOA Security Manager using the CA SOA Security Manager Connection Details dialog. In both cases, the API Gateway must have already been set up as an agent in the CA Policy Server.
The connection details to be configured for the API Gateway are the same for both SiteMinder and SOA Security Manager, with an additional setting for SOA Security Manager.
This section describes details that are common to both SiteMinder and CA SOA Security Manager connections.
Agent Name:
Enter the name of the agent to connect to SiteMinder or SOA Security Manager in the Agent Name field. This name must correspond to the name of an agent previously configured in the CA Policy Server.
Agent Configuration Object:
The name entered must match the name of the Agent Configuration Object (ACO) configured in the CA Policy Server. The API Gateway currently does not support any features represented by the ACO parameters except for the PersistentIPCheck setting. For example, the API Gateway ignores the DefaultAgent parameter, and uses the agent value it collects separately during agent registration.
When the PersistentIPCheck ACO parameter is set to yes, this instructs the API Gateway to compare the IP address from the last request (stored in a persistent cookie) with the IP address in the current request to see if they match. If the IP addresses do not match, the API Gateway rejects the request. If this parameter is set to no, this check is disabled.
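The comparison described above, sketched as an added example (not API Gateway or CA code). The HMAC-signed cookie layout, COOKIE_KEY and the function names are assumptions standing in for the product's own persistent cookie; only the IP comparison is modelled.

```python
import hashlib
import hmac
import ipaddress

# Constructed key standing in for whatever protects the real persistent cookie.
COOKIE_KEY = b"constructed-demo-key"


def _tag(ip_text: str) -> bytes:
    return hmac.new(COOKIE_KEY, ip_text.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(client_ip: str) -> str:
    """Record the client's IP in a tamper-evident cookie value (assumed layout)."""
    ip_text = str(ipaddress.ip_address(client_ip))  # canonical form
    return f"{ip_text}|{_tag(ip_text).decode()}"


def recorded_ip(cookie: str):
    """Return the IP stored in the cookie, or None if the value was altered."""
    ip_text, sep, tag = cookie.partition("|")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(ip_text)):
        return None
    return ipaddress.ip_address(ip_text)


def check_request(aco: dict, cookie: str, request_ip: str) -> bool:
    """Model only the PersistentIPCheck comparison: True accepts, False rejects."""
    if aco["PersistentIPCheck"].lower() != "yes":
        return True  # "no": the IP comparison is skipped
    last_ip = recorded_ip(cookie)
    try:
        current_ip = ipaddress.ip_address(request_ip)
    except ValueError:
        return False  # unparseable source address cannot match
    return last_ip is not None and last_ip == current_ip
```

With the parameter set to yes, a legitimate client whose source address changes between requests is rejected in the same way as a cookie presented from another host.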
SmHost.conf file created by smreghost:
The API Gateway host machine must be registered with SiteMinder or SOA Security Manager. To register the host machine, you must use the smreghost tool on the API Gateway machine. The smreghost tool creates a file called SmHost.conf. You must then use the Browse button to upload this file into the API Gateway configuration.
If you have already generated a suitable SmHost.conf file, and copied it to the machine on which you are running the Policy Studio, you can browse to the location of the file using the Browse button at the bottom right of the text area. You can select whether to use an SmHost.conf or SmHost.cnf file in the dialog. You can also enter the file name as an environment variable selector (for example, ${env.SMHOST}). After selecting the configuration file, the connection details are displayed in the text area. For more details on setting external environment variables for API Gateway instances, see the API Gateway Deployment and Promotion Guide.
If you do not have a suitable SmHost.conf file, you can generate one by running the smreghost command on the machine running the API Gateway.
Complete the following steps:
- You need to run the smreghost command on the machine on which you have installed the API Gateway. The smreghost tool is found in the following location, depending on your target platform:
  Windows: /Win32/lib
  Linux: /Linux.i386/bin
  Solaris: /SunOS.sun4u-32/bin
  Open a command prompt at this directory, and run the smreghost command. You must pass the appropriate command-line arguments, depending on the hostname and hostconfigobject configured to represent the API Gateway in the CA Policy Server. Similarly, you must specify the hostname/IP and port of the CA Policy Server.
- The smreghost tool writes its output to an SmHost.conf file in the same directory. You must manually copy this file from the machine running the API Gateway to the machine running the Policy Studio.
- Browse to the location of this file using the Browse button on the connection details dialog.
This section describes details that are specific to CA SOA Security Manager connections only. In addition to the fields already described in the previous section, you must also configure the following field on the CA SOA Security Manager Connection Details dialog.
XMLSDKAcceptSMSessionCookie:
This setting controls whether the CA SOA Security Manager authentication filter accepts a single sign-on token for authentication purposes. The single sign-on token must reside in the HTTP header field named SMSESSION to authenticate using this mechanism. This token is created and updated when the CA SOA Security Manager authorization filter runs successfully.
When this checkbox is selected, the authentication filter allows authentication using a single sign-on token.
Note:
If no single sign-on token is present in the message, the authentication filter authenticates fully by gathering credentials from the request in whatever manner has been configured in the CA SOA Security Manager. When this checkbox is unselected, the authentication filter authenticates fully (it never allows authentication using a single sign-on token).