This topic explains how to create connections to CA SiteMinder and CA SOA Security Manager. Under the External Connections tree node in the Policy Studio, right-click the SiteMinder/SOA Security Manager Connection node, and select Add CA SiteMinder Connection or Add CA SOA Security Manager Connection.
You can specify how the API Gateway connects to CA SiteMinder using the SiteMinder Connection Details dialog. You can specify how the API Gateway connects to CA SOA Security Manager using the CA SOA Security Manager Connection Details dialog. In both cases, the API Gateway must have already been set up as an agent in the CA Policy Server.
The connection details to be configured for the API Gateway are the same for both SiteMinder and SOA Security Manager, with an additional setting for SOA Security Manager.
Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.
Integration with CA SOA Security Manager requires CA TransactionMinder SDK version 6.0 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.
For details on obtaining the required third-party binaries, see your CA product documentation.
API Gateway
To add third-party binaries to the API Gateway, you must perform the following steps:
- Add the binary files as follows:
  - Add .jar files to the install-dir/apigateway/ext/lib directory.
  - Add .dll files to the install-dir\apigateway\Win32\lib directory.
  - Add .so files to the install-dir/apigateway/platform/lib directory.
- Restart the API Gateway.
Policy Studio
To add third-party binaries to Policy Studio, you must perform the following steps:
- Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.
- Click Add to select a JAR file to add to the list of dependencies.
- Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.
- Click OK.
- Restart Policy Studio.
This section describes details that are common to both SiteMinder and CA SOA Security Manager connections.
Agent Name:
Enter the name of the agent to connect to SiteMinder or SOA Security Manager in the Agent Name field. This name must correspond to the name of an agent previously configured in the CA Policy Server.
Agent Configuration Object:
The name entered must match the name of the Agent Configuration Object (ACO) configured in the CA Policy Server. The API Gateway currently does not support any features represented by the ACO parameters except for the PersistentIPCheck setting. For example, the API Gateway ignores the DefaultAgent parameter, and uses the agent value it collects separately during agent registration.
When the PersistentIPCheck ACO parameter is set to yes, this instructs the API Gateway to compare the IP address from the last request (stored in a persistent cookie) with the IP address in the current request to see if they match. If the IP addresses do not match, the API Gateway rejects the request. If this parameter is set to no, this check is disabled.
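The PersistentIPCheck comparison described above, modelled as an added example (this is not API Gateway or CA code). The function names, the dict standing in for the ACO, defaulting to no when the parameter is absent, passing a request that has no recorded address, failing closed on an unparseable address, and folding IPv4-mapped IPv6 addresses onto IPv4 are all assumptions of this sketch.

```python
import ipaddress


def _canonical(addr):
    """Parse addr; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) onto plain IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def persistent_ip_check(aco, cookie_ip, request_ip):
    """Model of the check: return (allowed, reason) for one request.

    aco        -- ACO parameters as a dict (only PersistentIPCheck is read)
    cookie_ip  -- address stored in the persistent cookie by the last request
    request_ip -- source address of the current request
    """
    if aco.get("PersistentIPCheck", "no").strip().lower() != "yes":
        return True, "check disabled"
    if cookie_ip is None:
        # Assumption: nothing recorded yet, so there is nothing to compare.
        return True, "no previous address"
    try:
        previous, current = _canonical(cookie_ip), _canonical(request_ip)
    except ValueError:
        # Assumption: fail closed when either address cannot be parsed.
        return False, "unparseable address"
    if previous == current:
        return True, "address matches"
    return False, "address changed"


# Constructed sample requests (documentation address ranges, not real traffic).
SAMPLES = [
    ("yes", "192.0.2.10", "192.0.2.10"),
    ("yes", "192.0.2.10", "198.51.100.7"),
    ("yes", "192.0.2.10", "::ffff:192.0.2.10"),
    ("no", "192.0.2.10", "198.51.100.7"),
]

if __name__ == "__main__":
    for setting, last_ip, now_ip in SAMPLES:
        verdict = persistent_ip_check({"PersistentIPCheck": setting}, last_ip, now_ip)
        print(setting, last_ip, now_ip, verdict)
```

With the parameter set to yes, a client whose source address changes between requests is rejected in the same way as a cookie presented from another host, so the two cases look identical in the model's result.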
SmHost.conf file created by smreghost:
The API Gateway host machine must be registered with SiteMinder or SOA Security Manager. To register the host, you must use the smreghost tool on the API Gateway machine. The tool creates a file called SmHost.conf, which you can then upload into the API Gateway configuration using Policy Studio.
To generate a SmHost.conf file, perform the following steps:
- Install the smreghost command on the machine on which the API Gateway is installed. For details on installing smreghost, see your CA product documentation.
- Open a command prompt in the directory where you installed smreghost, and run the smreghost command. You must pass the appropriate command-line arguments, depending on the hostname and hostconfigobject configured to represent the API Gateway in the CA Policy Server. Similarly, you must specify the hostname or IP address and port of the CA Policy Server.
- The smreghost tool writes its output to a SmHost.conf file in the same directory.
When you have generated a SmHost.conf file, perform the following steps:
- Copy the SmHost.conf file to the machine on which you are running Policy Studio.
- Specify the file location using the browse button at the bottom right of the text area.
- You can select whether to use an SmHost.conf or SmHost.cnf file in the dialog. You can also enter the file name as an environment variable selector (for example, ${env.SMHOST}). For more details, see the API Gateway Deployment and Promotion Guide.
After selecting the SmHost.conf configuration file, the connection details are displayed in the text area.
This section describes details that are specific to CA SOA Security Manager connections only. In addition to the fields already described in the previous section, you must also configure the following field on the CA SOA Security Manager Connection Details dialog.
XMLSDKAcceptSMSessionCookie:
This setting controls whether the CA SOA Security Manager authentication filter accepts a single sign-on token for authentication purposes. The single sign-on token must reside in the HTTP header field named SMSESSION to authenticate using this mechanism. This token is created and updated when the CA SOA Security Manager authorization filter runs successfully.
When this checkbox is selected, the authentication filter allows authentication using a single sign-on token.
Note: If no single sign-on token is present in the message, the authentication filter authenticates fully by gathering credentials from the request in whatever manner has been configured in the CA SOA Security Manager. When this checkbox is unselected, the authentication filter authenticates fully (it never allows authentication using a single sign-on token).