SiteMinder/SOA Security Manager Connection

Overview

This topic explains how to create connections to CA SiteMinder and CA SOA Security Manager. Under the External Connections tree node in the Policy Studio, right-click the SiteMinder/SOA Security Manager Connection node, and select Add CA SiteMinder Connection or Add CA SOA Security Manager Connection.

You can specify how the API Gateway connects to CA SiteMinder using the SiteMinder Connection Details dialog. You can specify how the API Gateway connects to CA SOA Security Manager using the CA SOA Security Manager Connection Details dialog. In both cases, the API Gateway must have already been set up as an agent in the CA Policy Server.

The connection details to be configured for the API Gateway are the same for both SiteMinder and SOA Security Manager, with an additional setting for SOA Security Manager.

Prerequisites

Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

Integration with CA SOA Security Manager requires CA TransactionMinder SDK version 6.0 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

For details on obtaining the required third-party binaries, see your CA product documentation.

API Gateway

To add third-party binaries to the API Gateway, you must perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart the API Gateway.

Policy Studio

To add third-party binaries to Policy Studio, you must perform the following steps:

  1. Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.

SiteMinder and SOA Security Manager Connection Details

This section describes details that are common to both SiteMinder and CA SOA Security Manager connections.

Agent Name:

Enter the name of the agent to connect to SiteMinder or SOA Security Manager in the Agent Name field. This name must correspond to the name of an agent previously configured in the CA Policy Server.

Agent Configuration Object:

The name entered must match the name of the Agent Configuration Object (ACO) configured in the CA Policy Server. The API Gateway currently does not support any features represented by the ACO parameters except for the PersistentIPCheck setting. For example, the API Gateway ignores the DefaultAgent parameter, and uses the agent value it collects separately during agent registration.

When the PersistentIPCheck ACO parameter is set to yes, this instructs the API Gateway to compare the IP address from the last request (stored in a persistent cookie) with the IP address in the current request to see if they match. If the IP addresses do not match, the API Gateway rejects the request. If this parameter is set to no, this check is disabled.
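The following sketch models the PersistentIPCheck decision described above so that its effect on individual requests can be seen. It is an added illustration, not API Gateway or CA code. The function names, the sample requests, the address normalization (IPv4-mapped IPv6 folded to IPv4) and the fail-closed handling of unparsable addresses are assumptions.

```python
import ipaddress


def _canonical(ip_text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.

    Normalization is an assumption of this sketch, added so that two
    spellings of the same address are not treated as a mismatch.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def persistent_ip_check(aco_value, cookie_ip, request_ip):
    """Return True if the request passes the check, False if it is rejected."""
    if aco_value.strip().lower() != "yes":
        return True  # parameter set to no: the check is disabled
    try:
        return _canonical(cookie_ip) == _canonical(request_ip)
    except ValueError:
        return False  # unparsable address: reject (assumption: fail closed)


# Constructed sample data:
# (IP stored in the persistent cookie, IP of the current request)
SAMPLE_REQUESTS = [
    ("192.0.2.10", "192.0.2.10"),            # same client address
    ("192.0.2.10", "198.51.100.7"),          # address changed since last request
    ("::ffff:192.0.2.10", "192.0.2.10"),     # same host, IPv4-mapped form
    ("2001:db8::1", "2001:DB8:0:0:0:0:0:1"), # same IPv6 address, other spelling
    ("not-an-ip", "192.0.2.10"),             # corrupted cookie value
]


def evaluate(aco_value, requests=SAMPLE_REQUESTS):
    """Return the verdict for each (cookie_ip, request_ip) pair."""
    return [
        "accept" if persistent_ip_check(aco_value, cookie_ip, request_ip) else "reject"
        for cookie_ip, request_ip in requests
    ]


if __name__ == "__main__":
    for setting in ("yes", "no"):
        print(f"PersistentIPCheck={setting}: {evaluate(setting)}")
```

With the parameter set to yes, any request whose source address differs from the one recorded in the cookie is rejected, which includes clients whose address legitimately changes between requests.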

SmHost.conf file created by smreghost:

The API Gateway host machine must be registered with SiteMinder or SOA Security Manager. To register the host, you must use the smreghost tool on the API Gateway machine. The tool creates a file called SmHost.conf, which you can then upload into the API Gateway configuration using Policy Studio.

To generate a SmHost.conf file, perform the following steps:

  1. Install the smreghost command on the machine on which the API Gateway is installed. For details on installing smreghost, see your CA product documentation.

  2. Open a command prompt in the directory where you installed smreghost, and run the smreghost command. You must pass the appropriate command-line arguments, depending on the hostname and hostconfigobject configured to represent the API Gateway in the CA Policy Server. Similarly, you must specify the hostname or IP address and port of the CA Policy Server.

  3. The smreghost tool writes its output to a SmHost.conf file in the same directory.

When you have generated a SmHost.conf file, perform the following steps:

  1. Copy the SmHost.conf file to the machine on which you are running Policy Studio.

  2. Specify the file location using the browse button at the bottom right of the text area.

  3. You can select whether to use an SmHost.conf or SmHost.cnf file in the dialog. You can also enter the file name as an environment variable selector (for example, ${env.SMHOST}). For more details, see the API Gateway Deployment and Promotion Guide.

After selecting the SmHost.conf configuration file, the connection details are displayed in the text area.

SOA Security Manager Connection Details Only

This section describes details that are specific to CA SOA Security Manager connections only. In addition to the fields already described in the previous section, you must also configure the following field on the CA SOA Security Manager Connection Details dialog.

XMLSDKAcceptSMSessionCookie:

This setting controls whether the CA SOA Security Manager authentication filter accepts a single sign-on token for authentication purposes. The single sign-on token must reside in the HTTP header field named SMSESSION to authenticate using this mechanism. This token is created and updated when the CA SOA Security Manager authorization filter runs successfully.

When this checkbox is selected, the authentication filter allows authentication using a single sign-on token.

Note

If no single sign-on token is present in the message, the authentication filter authenticates fully by gathering credentials from the request in whatever manner has been configured in the CA SOA Security Manager. When this checkbox is unselected, the authentication filter authenticates fully (it never allows authentication using a single sign-on token).