Siteminder Wa Install Enu

March 17, 2018 | Author: BuntyRay | Category: Apache Http Server, Ibm Notes, Internet Information Services, Web Server, Active Directory
Share
Report this link


Comments



Description

CA™ eTrust SiteMinder® Web Agent Installation Guide 6.x QMR 5 This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies. The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement. The manufacturer of this Documentation is CA. Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.2277014(b)(3), as applicable, or their successors. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright © 2006 CA. All rights reserved. CA Product References This document references the following CA products: eTrust® SiteMinder eTrust® TransactionMinder eTrust® Identity Manager Contact Technical Support For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support. . .......... 17 Required Linux Libraries...................................................................................... 21 Fix Display Errors on Sun Java System with Cryptographic Hardware ............................ 25 Modify the DMS Admin Password for Registration Services..................................... 11 Ensure the Policy Server is Installed and Configured.............................. 22 Repair ServletExec’s CLASSPATH for JSP Password Services (Windows) .............................. 17 Install IBM Hot Fixes for Domino Web Servers .............................................................. 14 Install an Apache Web Server on Windows as a Service for All Users ..................................... 21 Add a SiteMinder Agent User to nCipher UNIX Group (UNIX Only)...................................2 ...... 16 Required HP-UX Patches ................................................................................................................................................. 13 Install the Correct Agent for a Web Server. 15 Required AIX Patches .............................................................................. 21 Collect nCipher Information............. 20 Decide Whether to Implement Cryptographic Hardware.......................................conf File for Agents on IBM HTTP Servers ............................. 22 Prerequisites and Guidelines for Password Services ...................................................................0 httpd................................................................................................................................................................................................................................................................. 23 Prerequisites and Guidelines for Registration Services (Optional)............................................... 24 Install a Servlet Engine for Registration Services (Optional) ....................................0. 16 Required Linux Patches ................................ 26 Run Registration Services with ServletExecAS (UNIX only)....... 15 Install UNIX Patches ................................................................ 18 IBM Hot Fix Required for Domino 6....... 18 Set the DISPLAY For Web Agent Installations on UNIX ................5................... 20 Set Up DNS on AIX Platforms for Agent Operation .............................................................................. 14 Use the IIS Default Web Site .................... 24 Use Registration Services........... 21 Install nCipher on an Agent Web Server................................................................ 19 Add a Logs Subdirectory for Apache Web Agents ............................................................................2 CF1 and CF2.......................................... 20 Prepare for Cryptographic Hardware Support (Optional)................................................................................ 12 Gather information Needed to Complete the Agent Installation ....................... 19 Enable Write Permissions for IBM HTTP Server Logs ..........................conf File....................................................................................................................................................................................................................................................................................................... 22 Preserve Changes in the WebAgentTrace................................................................................................ 18 Modify the Apache 2......................................................................... 23 Password Services and Forms Directories .. 24 Use Active Directory for Registration Services (Windows Only) ......................................................................................Contents Chapter 1: Prepare for the Installation 11 Use a Supported Operating System ............................................................................................................................... 17 IBM Hot Fixes for Domino 6..................................................................................... 15 Required Solaris Patches...................................................... 27 Contents v ............ 19 Compile an Apache Web Server on a Linux System ..................................................................................... .................................................... 42 Register Multiple Trusted Hosts on One System (Windows) ...................................................... 39 SmHost............................................... 32 Reinstall the Web Agent on Windows ............................ 88 Configure an Apache Web Agent.................................................... 58 Reinstall a Web Agent on UNIX ............Conf File (Windows) .......................................................... 35 Register Your System as a Trusted Host on Windows........... 71 Chapter 4: Configure a Web Agent 73 Configure an IIS Web Agent ................................conf Settings That Should Not Be Modified (UNIX) .............................................................................................................. 84 Apply Changes to Sun Java System Web Server Files .......................................................................... 60 Review the Results of the Installation and Host Registration ...................................Conf File (UNIX) ...........0 Servers ................................... 46 Fix the ServletExec CLASSPATH for DMS ........................ 73 Configuration Notes for Web Agents on IIS 6.......................................................................................................................................................................................................................................................................................................................... 73 Prerequisites for Configuring the Web Agent on IIS 6....................... 50 Install the Web Agent on a UNIX System ................................................................................................................................................................ 51 Run a GUI Mode Installation on UNIX ........................................ 41 Re-register a Trusted Host Using the Registration Tool (Windows) ...0 ............................................................................................................................... 89 vi Web Agent Installation Guide .......................................... 55 Run the nete_wa_env................................................................................... 81 Configure Sun Java System Web Agents on UNIX Systems ...........................................................................................................................conf Settings That Should Not Be Modified (Windows) ...................................................................................................................... 59 Register a Trusted Host in GUI or Console Mode ......................................................................................Chapter 2: Install a Web Agent on a Windows System 29 Install the Web Agent on Windows Systems ...... 63 SmHost... 29 Run a GUI Mode Installation on Windows ............................................................................................. 63 Modify the SmHost........ 66 Re-register a Trusted Host Using the Registration Tool (UNIX) ........................................................ 70 Registration Services Installed Files (UNIX)............................................ 67 Register Multiple Trusted Hosts on One System (UNIX).................................... 30 Run an Unattended Installation on Windows ................... 75 Configure a Sun Java System Web Agent.................................................................................................................. 35 Review the Results of the Installation and Host Registration .................. 47 Chapter 3: Install a Web Agent on a UNIX System 49 Install the Web Agent Documentation on UNIX Systems ...............................sh Script After Installation ................. 52 Run a Console Mode Installation on UNIX ............. 38 Modify the SmHost.............................................................. 45 Registration Services Installed Files (Windows) ................................................................................... 59 Register Your System as a Trusted Host on UNIX..................... 54 Run an Unattended Installation on UNIX ... 80 Configure Sun Java System Web Agents on Windows Systems ....... ............105 Configure Any Web Agent in Unattended Mode ...........132 Upgrade a 4...................................................0......128 Ensure LD_PRELOAD Variable Does Not Conflict with Existing Agent........116 Chapter 5: Uninstall a Web Agent 121 Notes About Uninstalling Web Agents ............................................................................128 Cookie Provider Redirection Differences Between 4.............................................................................................................134 Contents vii .........128 Know the Results of Running the Configuration Wizard After Upgrades .............100 Modify the http.......127 Back Up Customized Files ............................................................................................109 Run an Unattended Configuration...................................................x Agents.................................................................................Configure an Apache Web Agent on Windows Systems ..........................................................................................................................................................................x and 6....................................................................................................................................................x Web Agent to 6....................conf File to Improve Server Performance..........127 Upgrade Tasks and Issues ...................................................................................................................................................................125 Uninstall Documentation from UNIX Systems ..................................111 Tune the Shared Memory Segments (Apache and Sun Java System) ........................129 Upgrade a 5...................................116 Set Up Your Environment for JSP Password Services ..................................2/9..........................123 Uninstall a Web Agent from a UNIX System .................115 Use SiteMinder Password Services ....................................................................................................................x on Windows Systems ...................108 Prepare an Unattended Configuration ......................124 Uninstall Documentation from a Windows System ............................................................................................................................................................x QMR x Japanese Web Agents Required ......102 Configure a Domino Web Agent on Windows Systems ..0.............x on Windows Systems .........102 Configure Domino Web Agents on UNIX Systems ..130 Upgrade a 6.....................conf File for Apache Reverse Proxy Server ..........................x QMR 5 127 Review the Upgrade Procedure......121 Set JRE in PATH Variable Before Uninstalling the Web Agent ........................................................................3 HTTP Server ........0/HP-UX 11 .....................128 Replace Existing Read-only Files ........127 Know Which Password Services and Forms Template are Upgraded............ 92 Add Entries to the httpd.....................................129 Manual Upgrade from 4............................ 96 Set the LD_ASSUME_KERNAL for ..................................................................................................................126 Chapter 6: Upgrade a Web Agent to 6.................................................. 98 Enabling SHLIB Path for an Agent on Apache 2..x QMR 5 on Windows Systems .....................122 Uninstall a Web Agent from a Windows System ....................x Web Agent to 6..........112 Set Up Additional Agent Components ............................................................................................................................................... 96 Set the LD_PRELOAD Variable for Apache Agent Operation ............................................................................................. 99 Configure Apache for Oracle 9...................110 Reconfigure a Web Agent ............................................................... 89 Configure an Apache Web Agent on UNIX Systems ...................101 Configure a Domino Web Agent...................................................................x Web Agent to 6............... .................................................................................150 Domino Web Agent Issues..................................................................................................................149 IIS Web Agent Issues .....................................................................................................................................................................................................................................................................................................................................................................................properties File 153 nete-wa-installer...........................149 Apache Web Agent Issues .....151 Appendix A: Set Up the nete-wa-installer....................................................................................................................143 Troubleshoot Agent Start-Up/ShutDown with LLAWP.........................................................................................158 Identify Policy Servers for Trusted Host Registration .....................................................................................................................types File on Windows Platforms .....x on UNIX Systems.......................147 Uninstallation Issues.................................x Web Agent to 6..........148 Online Documentation Issues...............................................................160 WEB_SERVER_INFO Variables ...............................................................168 Code Added to the obj............................47 ............................................................................................................................136 Upgrade a 5..........................................171 viii Web Agent Installation Guide ..........................Upgrade a 4...................................x Web Agent to 6.........................................................................................................................................154 Modify General Information ...conf File on Windows Platforms ...................................................................................159 Specify the Host Configuration File ............................................................................170 Check Agent Start-up with LLAWP ..159 Select a Web Server for Configuration ......................................................................x on UNIX Systems.................................................149 Sun Java System Web Agent Issues...........................157 Register a Trusted Host......................138 Upgrade a 6..........x QMR 5 on UNIX Systems.........................................168 Code Added to the magnus........................................................................................................conf File on Windows Platforms ................161 Configure the Web Server to Restart (Windows Only) ...............................164 Appendix B: Settings Added to the Sun Java System Server Configuration 167 Add Settings to the Sun Java System Server 6.........140 Chapter 7: Troubleshooting 143 Agent Start-Up/Shutdown Issues (Framework Agents Only) .............properties File ............................................................................0 .......................0.......x Web Agent to 6..................146 General Installation Issues ...............171 Modifications Made to Sun Java System/UNIX Platforms ...................................157 Enable Cryptographic Hardware Configuration .....144 Stop LLAWP When Stopping IBM HTTP Server 2......167 Modifications Made to Sun Java System/Windows Platforms .....................................................................143 Web Agent Start Up and Shut Down Issues (IBM HTTP Server) .............145 Connectivity and Trusted Host Registration Issues .........169 Code Added to the mime..........................................164 Name the Trusted Host Name and Host Configuration Object...........148 Upgrade Issues (Windows and UNIX) .............................................................................................147 Cryptographic Hardware Issues ................................................................................ Code Added to the magnus.conf File on UNIX Platforms .....................................................172 Code Added to the obj.conf File on UNIX Platforms ............................................................172 Code Added to the mime.types File on UNIX Platforms .......................................................173 Appendix C: Configuration Changes to Web Servers with Apache Web Agent175 Library Path for the Web Server is Set for UNIX Systems .........................................................175 Set Library Path and Path for Oracle 10g Web Server Running in Apache 2.x Mode ......................176 Changes to the httpd.conf File .............................................................................................177 Entries Added to DSO Support Section.............................................................................177 SmInitFile Entry Added..................................................................................................179 Alias Entries Added .......................................................................................................180 AddHandler Entries Added for Agents v5.x QMR 6..............................................................182 Certificate Authentication Entries Added...........................................................................183 Agent Parameter Added for SSL Connections Using Apache 1.x Based Servers ............................183 Appendix D: Environment Variables Added or Modified by the Web Agent Installation 185 Added or Modified Environment Variables ..............................................................................185 Index 187 Contents ix Chapter 1: Prepare for the Installation This section contains the following topics: Use a Supported Operating System (see page 11) Ensure the Policy Server is Installed and Configured (see page 12) Gather information Needed to Complete the Agent Installation (see page 13) Install the Correct Agent for a Web Server (see page 14) Use the IIS Default Web Site (see page 15) Install UNIX Patches (see page 15) Required Linux Libraries (see page 17) Install IBM Hot Fixes for Domino Web Servers (see page 17) Set the DISPLAY For Web Agent Installations on UNIX (see page 18) Modify the Apache 2.0 httpd.conf File for Agents on IBM HTTP Servers (see page 19) Enable Write Permissions for IBM HTTP Server Logs (see page 19) Add a Logs Subdirectory for Apache Web Agents (see page 19) Compile an Apache Web Server on a Linux System (see page 20) Set Up DNS on AIX Platforms for Agent Operation (see page 20) Prepare for Cryptographic Hardware Support (Optional) (see page 20) Preserve Changes in the WebAgentTrace.conf File (see page 22) Prerequisites and Guidelines for Password Services (see page 22) Prerequisites and Guidelines for Registration Services (Optional) (see page 24) Use a Supported Operating System Before you install a Web Agent, make sure you are using a supported operating system and Web server configuration. For a list of SiteMinder Web Agents and supported Web server platforms, go to Technical Support http://support.netegrity.com, and search for the SiteMinder 6.0 Platform Matrix. Note: After you install the Web Agent, you can configure multiple Web Agent instances for each Sun Java System and Apache Web server installed on your system. Prepare for the Installation 11 see the CA eTrust SiteMinder Web Agent Guide. Note: For instructions about configuring Agents at the Policy Server. A trusted host is a client computer where one or more SiteMinder Web Agents are installed. Note: To configure an administrator. The term trusted host refers to the physical system. Subsequent connections are governed by the Host Configuration Object. Note: To read more about this object. Agent identity An Agent identity establishes a mapping between the name and the IP address of the Web Server instance hosting a Web Agent.conf file enable the host to connect to a Policy Server for the first connection only. the Policy Server must be installed and be able to communicate with the system where you plan to install the Web Agent. To centrally manage Agents. Agent Configuration Object This object includes the parameters that define the Web Agent configuration. The settings in the SmHost. Note: To read more about this object. The term trusted host refers to the physical system. There are a few required parameters you must set for basic operation described below. see the CA eTrust Policy Design. You assign it a name and specify the Agent type as a Web Agent. There must be an administrator with the privilege to register trusted hosts. you must configure Policy Server with the following: A SiteMinder Administrator that has the right to register trusted hosts. Host Configuration Object This object defines the communication between the trusted host and the Policy Server after the initial connection between the two is made. see CA eTrust Policy Design. For Agent parameter descriptions. The name you assign for the Agent is the same name you specify in the DefaultAgentName parameter for the Agent Configuration Object that you must also define to centrally manage an Agent. SmHost. 12 Web Agent Installation Guide .conf. see CA eTrust Policy Design. You define an Agent identity from the Agents object in the Policy Server User interface. see CA eTrust Policy Design. A trusted host is a client computer where one or more SiteMinder Web Agents can be installed. which is installed at the trusted host after a successful host registration.Ensure the Policy Server is Installed and Configured Ensure the Policy Server is Installed and Configured Before you install the Web Agent. Do not confuse this object with the trusted host’s configuration file. The Web Agent must use this NT user account. A single Agent Configuration Object can be referenced by many Agents. This entry should match an entry you defined in the Agents object. Prepare for the Installation 13 . For Domino Web Agents—the Agent Configuration Object must include values for the following parameters: DominoDefaultUser—if the user is not in the Domino Directory. which contains the Agent configuration settings. they may not have the necessary server access privileges. When users want to access resources on an IIS Web server protected by SiteMinder. to act as a proxy user account for users granted access by SiteMinder. this is the name by which the Domino Web Agent identifies that user to the Domino server. This value can be encrypted. The DefaultAgentName identifies the Agent identity that the Web Agent uses when it detects an IP address on its Web server that does not have an Agent identity assigned to it. Gather information Needed to Complete the Agent Installation You must have the following information before installing the Web Agent: Name of the SiteMinder Administrator allowed to install Agents Name of the Host Configuration Object. This value can be encrypted. or enable the Windows User Security Context feature. Note: If you plan to use the NTLM authentication scheme. and they have been authenticated by SiteMinder against another user directory. DominoSuperUser—ensures that all users successfully logged into SiteMinder will be logged into Domino as the Domino SuperUser. The DefaultUserName and DefaultPassword identify an existing NT user account that has sufficient privileges to access resources on an IIS Web server protected by SiteMinder. do not specify values for these IIS Web Agent parameters. For IIS Web Agents—the Agent Configuration Object may need to include values for the DefaultUserName and DefaultPassword parameters. which is assigned by an NT administrator.Gather information Needed to Complete the Agent Installation For all Agents—the Agent Configuration Object must include a value for the DefaultAgentName. Name of the Agent Configuration Object. This defines the trusted host configuration. When you install an Apache Web server. however. and search for the SiteMinder Platform Matrix for 6. Covalent Enterprise Ready Server. available for all users " so during configuration. for current user only" allows the Web Agent to be installed.com. Install an Apache Web Server on Windows as a Service for All Users The Web Agent Configuration Wizard will not detect a valid Apache installation if the Apache Web server is installed for an individual user. Installing the Apache Web Server with the option "manual start. the SiteMinder Web Agent can detect the existing Web server on a user’s system.Install the Correct Agent for a Web Server Install the Correct Agent for a Web Server Install the following Web Agents with the corresponding Web servers: Web Agent IIS Domino Sun Java System Apache Web Server Microsoft IIS IBM Lotus Domino Sun Java System Apache.netegrity. For details on Web server and operating system versions. the Web Agent cannot be configured for the server. 14 Web Agent Installation Guide . IBM HTTP.0. because the Configuration Wizard cannot detect the Apache Web server. Stronghold Most of the information for the Apache Web server applies to these Web servers. select the option to "install as a service. HP-based Apache. Oracle HTTP Server. Covalent FastStart. go to Technical Support http://support. You cannot rename it without risk of the Metabase -3 Error. By default. this site exists when you install an IIS Web server. go to Sun Microsystems Solution Center http://sunsolve. Go to the main Support page.sun. Required Solaris Patches Before installing a Web Agent on a Solaris machine. Install UNIX Patches The following sections discuss installing UNIX patches.19. If you install the Web Agent on IIS and for some reason the default web site does not exist (check the Internet Services Manager).Use the IIS Default Web Site Use the IIS Default Web Site SiteMinder requires IIS to have a default Web site for proper installation. Search for the document titled METABASE -3 Error. or you wish to install the SiteMinder virtual directories on a different IIS web site.4 and 1. Note: The Default Web Site must be the original one that was installed with IIS. You can check on patch versions by logging in as root and executing the following command: 'showrev -p | grep <patchid>' To locate Solaris patches.3. you need to edit the Metabase. To find the note: 1. The documents are listed in alphabetical order. 2. you must install the patches listed in the table that follows. Solaris Release Solaris 8 Patch IBM HTTP Server patch IBM PQ 71734 for IBM HTTP Server 1. Go to Technical Support http://support.5 C++ runtime patch 108434-09 111721-04 (need this patch to avoid a runtime issue with Web Agent installation binaries) Prepare for the Installation 15 .3.netegrity.com.com and search for a technical note that describes the needed changes.19. HP-UX Release HP-UX 11i v1 HP-UX 11i v1 Patch PHCO_29029 is recommended for SiteMinder 6. You can check the patch list by logging in as root and executing the instfix -i command.0.3. be sure to apply IBM HTTP Server patch PQ87084.5 16 Web Agent Installation Guide .0. Required HP-UX Patches Before installing a Web Agent on an HP-UX 11i machine. PHSS_26560 ld and linker cumulative patch IBM HTTP Server patch IBM PQ 71734 for IBM HTTP Server 1.x Web Server/AIX system.4 and SiteMinder 6.4 and 1.19.4 and 1.19.5 111722-04 (need this patch to avoid a runtime issue with Web Agent installation binaries) Required AIX Patches Before installing a Web Agent on an AIX machine with an IBM HTTP server.3. you must install the patches listed in the table that follows. you must install the patches listed in the table that follows.3.1.5.50 Before installing a Web Agent on an Apache 1.1 Patch IBM libpthreads patch 5.19.1 Maintenance Level 4 installed or apply the file set needed to obtain libpthreads 5.3.19. You can check the patch list by logging in as root and executing the swlist command.3.19. You should have AIX 5.Install UNIX Patches Solaris Release Solaris 9 Patch IBM HTTP Server patch IBM PQ 71734 for IBM HTTP Server 1.50 IBM HTTP Server patch IBM PQ 71734 for IBM HTTP Server 1.3.0.1.5. AIX Release AIX 5.4 and 1.19.0. 4.0. use the "rhel30" kit (the kit built with GCC 3. On Red Hat Enterprise Linux 4.rpm Install IBM Hot Fixes for Domino Web Servers The following sections discuss installing IBM Hot Fixes for Domino Web Servers.1 Required Linux Libraries When installing a Red Hat Enterprise Linux version of a Web Agent.2. The following is required: compat-libstdc++-33-3. On Red Hat Enterprise Linux 3.1 Patch glibc-2. the following are required libraries: On Red Hat Enterprise Linux 2. Linux Release Linux 2.0.1. use the "rhel30" kit (the kit built with GCC 3.i386. and there are no libraries required that are not part of a basic installation.Required Linux Libraries Required Linux Patches The following Linux patch is required. if using the "linux" kit (the kit built with GCC 2.20 for Linux Application Server 2.2-32.3-<patch_version>. there are no libraries required that are not part of a basic installation.96).2).2). Prepare for the Installation 17 . 2 IBM hot fix SPR #NORK632KQA is required for a Web Agent to run on a Domino 6. if your machine is 111. PCHE5UQRPJ IBM Hot Fix Required for Domino 6.1. More Information Run a Console Mode Installation on UNIX (see page 54) 18 Web Agent Installation Guide .5.1.11. For example.0. and SSAA5T7MXB.11. KSPR5LDMLT.12:0. set the variable as follows: DISPLAY=111. This hotfix applies to Windows and UNIX platforms. and SSAA5T7MXB. be sure the DISPLAY variable is set for the local system.2 server. which does not require the X window display mode.0. PCHE5SBKGW. DMEA5MRKJH. such as a Telnet or Exceed terminal.Set the DISPLAY For Web Agent Installations on UNIX IBM Hot Fixes for Domino 6. PCHE5SBKGW.0 export DISPLAY Note: You can also install the Web Agent using the console mode installation. KGAI5RBKU6.2 CF1 or CF2: Windows: SPR# GFLY5NCKSM. PCHE5UQRPJ UNIX: SPR# GFLY5NCKSM.2 CF1 and CF2 The following are required for a Web Agent to run on Domino 6. DMEA5MRKJH.12. Set the DISPLAY For Web Agent Installations on UNIX If you are installing the Web Agent on a UNIX system from a remote terminal. KSPR5LDMLT.5. 0 Web Agent is installed on an IBM HTTP Server 2.0 httpd. this Web server gets installed as root and its subdirectories do not give all users in all groups Write permissions.conf File for Agents on IBM HTTP Servers Modify the Apache 2.0. Add a Logs Subdirectory for Apache Web Agents For Apache Web Agents.Modify the Apache 2.0 httpd. a logs subdirectory must exist under the Apache server’s root directory so that the Web Agent can operate properly.conf file: #LoadModule ibm_afpa_module modules/mod_afpa_cache.0. This subdirectory must have Read and Write permissions for the user identity under which the Apache child process will be running. the server does not load if the ibm_afpa_module is also loaded in the httpd. Note: This configuration requirement applies to any Apache-based server that writes log files outside the Apache root directory. comment out the following lines from the httpd.x. Ensure that you allow write permissions for this user. the user running the Web server needs permission to write to the Web server’s log directory. For the Low Level Agent Worker Process (LLAWP) to write Web Agent initialization messages to the Web server logs.47 on Windows.conf file. To avoid this problem.0/logs/afpalog" V-ECLF Enable Write Permissions for IBM HTTP Server Logs If you install the Web Agent on an IBM HTTP Server v2. If the logs subdirectory does not exist.so #AfpaEnable #AfpaCache on #AfpaPort 9080 #AfpaLogFile "D:/Program Files/IBM HTTP Server 2.conf File for Agents on IBM HTTP Servers If an Apache 2. Prepare for the Installation 19 . create it with the required permissions. configure Apache as usual by entering: configure --enable-module=so --prefix=<your install target dir> make make install Set Up DNS on AIX Platforms for Agent Operation You can use nCipher cryptographic hardware with the Web Agent to encrypt the shared secret. enter: LIBS=-lpthread export LIBS Then. which is an encryption key that secures traffic between the Agent and the Policy Server. To compile Apache on Linux for the Web Agent. by default. but then hangs and does not handle any requests. the Apache server starts up. which is an encryption key that secures traffic between the Agent and the Policy Server. If you do not compile with the lpthread option. Prepare for Cryptographic Hardware Support (Optional) You can use nCipher cryptographic hardware with the Web Agent to encrypt the shared secret. you have to compile the server. Compiling is required because the Agent code uses pthreads (a library of POSIX-compliant thread routines). The Apache server on Linux cannot initialize a module which uses pthreads due to issues with Linux's dynamic loader. but the Apache server on the Linux platform does not. 20 Web Agent Installation Guide .Compile an Apache Web Server on a Linux System Compile an Apache Web Server on a Linux System For the Web Agent to operate with an Apache Web server running Linux. be sure the nCipher cryptographic hardware module and runtime software. including the PKCS11 library. More Information Allow Unattended Failover for nCipher Cryptographic Modules (see page 120) Install nCipher on an Agent Web Server Prior to registering you system as a Trusted Host. Add a SiteMinder Agent User to nCipher UNIX Group (UNIX Only) Before it can access the nCipher hardware the operating system user account must be a member of the nCipher UNIX group (typically nfast). or reconfigure SiteMinder’s use of hardware encryption. is already installed on the same Web Server as the Agent. Collect nCipher Information Have the following information prior to installing the Web Agent: full path to the PKCS11 DLL token label. note the following: Once SiteMinder has been configured to use cryptographic hardware modules. See your nCipher documentation for more information on this UNIX group. Use of hardware cryptography in your SiteMinder environment prevents unattended system failover — a passphrase must be supplied by an operator each time a cryptographic hardware-enabled Policy Server or Agent restarts. Add the UNIX user account that you will use to install the Agent. disable. you cannot remove. if applicable token passphrase Prepare for the Installation 21 . Read the nCipher installation documentation before attempting to install it in the SiteMinder environment. to the nCipher UNIX group.Prepare for Cryptographic Hardware Support (Optional) Decide Whether to Implement Cryptographic Hardware Before using nCipher cryptographic hardware. conf File Fix Display Errors on Sun Java System with Cryptographic Hardware If you install a Web Agent with cryptographic hardware support on an Sun Java System Web server running Solaris or HP-UX.conf file before the installation. After the installation. the WebAgentTrace. Note: The httpd process on the target machine must be able to access the DISPLAY.conf file and you are installing a new Web Agent over an existing Web Agent. you can integrate your changes into the new file. If the httpd server is not started manually from a shell./start command. Prerequisites and Guidelines for Password Services The following sections discuss prerequisites and guidelines for password services. you should rename or back up the WebAgentTrace. This problem indicates that the DISPLAY environment variable is not set to direct the display to the desired machine.conf File If you have modified the WebAgentTrace. To fix this problem.Preserve Changes in the WebAgentTrace. If DISPLAY is set correctly. the prompt for the pass phrase should display properly./start command.conf file is overwritten. you may receive a display error when attempting to start the Web Server using the . then the DISPLAY variable must be added to the start script or to an appropriate configuration file. set and export DISPLAY in the shell before executing the . Therefore. Run xhost + as the logged in user on the target machine to ensure it can. 22 Web Agent Installation Guide . Preserve Changes in the WebAgentTrace. 3.myorg. 5. Password Services and Forms Directories When you install a Web Agent for the first time. The "default" versions are backup directories for the original documents. Access the ServletExec Admin Web page by entering the following in a browser: http://myserver. This forces ServletExec to write the classpath.jsp. as follows: 1. If you are using Windows 2000. Under the Virtual Machine menu.). you may need to repair your classpath. if this procedure does not fix the classpath: 1. and samples directories are the working directories that include templates and forms that you customize. stop the IIS Admin services. Restart the Web server. 4.org/servlet/admin 2. verify that the ServletExec classpath is correct. Save the file.pref. select classpath to open the Classpath page. If your classpath is correct and you still get the error. On Windows 2000.pref file. Collapse all entries to one line separated by a semi-colon(.Prerequisites and Guidelines for Password Services Repair ServletExec’s CLASSPATH for JSP Password Services (Windows) If you install JSP-based Password Services on a Windows system and get an error message that a servlet is not found when you access an existing servlet or Password Services . pw.pref in a text editor. 4. the installation program creates the following folders in the Web Agent home directory: jpw_default and jpw (for Password Services) pw_default and pw (for Password Services) samples_default and samples (for DMS and standard forms) The jpw. 3. then start the World Wide Web Publishing service without manually starting the IIS Admin service. 2. Click Submit. Open the classpath. Prepare for the Installation 23 . Restart the Sun Java System Web server or IIS Admin services. com.01 Install a Servlet Engine for Registration Services (Optional) If you want the Agent to provide Registration Services. If. and search for the SiteMinder 6. you can continue running DMS 1 you can continue running DMS 2.0 Platform Matrix.01 You install v6..Prerequisites and Guidelines for Registration Services (Optional) Prerequisites and Guidelines for Registration Services (Optional) The following sections discuss prerequisites and guidelines for registration services..01 You install 6.x with SM 6.01 Hot Fix CR5 before you continue running DMS 2.x You have DMS 2. For a list of supported servlet engines. but you can use it without a DMS license.. Registration Services is a subset of the DMS product.netegrity. go to Technical Support http://support. see CA eTrust Policy Design.x with SM 6. Use Registration Services The SiteMinder Web Agent includes Registration Services. do not install Registration Services when you install the 6.x with SM 6.x.0 apply DMS 2.0 SP 4 Then. You have DMS 1 You install v6.. To continue using your existing DMS application with v6. you must install a supported servlet engine.x Web Agent. as shown in the following table.x You have DMS 2. Note: To learn about Registration Services. 24 Web Agent Installation Guide . com.Prerequisites and Guidelines for Registration Services (Optional) Use Active Directory for Registration Services (Windows Only) If you want to use Active Directory with Registration Services.01 Release Notes. and search for the DMS 2. go to Technical Support http://support. is operational Microsoft’s Certificate Server is configured for Active Directory Active Directory’s Root Certificate is accessible from a browser Note: For information about configuring Active Directory.netegrity. check that: Windows 2000. Prepare for the Installation 25 . see the DMS 2. To find this document. including Active Directory.01 Release Notes. Navigate to the bin directory where DMS is installed—for example: Windows: C:\Program Files\netegrity\webagent\bin UNIX: export/smuser/netegrity/webagent/bin 2. In the Password group box. 2.properties file. The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. double-click DMSAdmin.properties" password <new_password> where <DMS_home> is the installed location of DMS and <new_password> is the password that you want to specify. Execute the following command: Windows: dmsencryptkey -path "<DMS_home>\properties\dms. During the Web Agent installation. Select the System tab. 4. such as: Self-registration Calls against the SiteMinder policy store. then click Administrators. SiteMinder displays the Administrator Properties dialog box. This name and password must match the DMS Admin user name and password set at the Policy Server. such as searching for roles Establishing an Organization Administrator’s scope The DMS Administrator account includes a user name and an encrypted password. which are stored in the Web Agent’s dms. and also modify the DMS Admin properties in the Policy Server User Interface. you have to modify the dms. Access the Policy Server User Interface. At the Web Agent: 1. 3. 5. At the Policy Server: 1. In the right pane. To change the password. enter the new password in the User Password and Confirm Password fields.properties file. you are prompted for the DMS administrator’s password.properties" password <new_password> UNIX: dmsencryptkey -path "<DMS_home>/properties/dms.Prerequisites and Guidelines for Registration Services (Optional) Modify the DMS Admin Password for Registration Services The DMS Administrator is a SiteMinder administrator with Manage User privileges. 26 Web Agent Installation Guide . j ar:/export/smuser/netegrity/siteminder/webagent/java/smjavasdk2. Extend the CLASSPATH definition by adding the entries in boldface to the end of the CLASSPATH: Note: Your specific entries may vary from the ones shown in this procedure.Prerequisites and Guidelines for Registration Services (Optional) 6.jar:${NA_ROO T}/lib/jndi.jar:/export/smuser/netegrity/siteminder/webagent/ java/smjavaagentapi. It is located in /usr/local/NewAtlanta/ServletExecAs/se<instance_name>/StartServletExec 2.com with the actual server instance where ServletExec is installed /export/smuser/netegrity/siteminder/webagent/ with the actual SiteMinder Web Agent installation directory 3.jar:${NA_ROOT}/lib/jaxp.com/config In this CLASSPATH entry. The following table lists the variables.jar:${NA_ROOT}/lib/crimson.jar:${NA_RO OT}/lib/tools. Open StartServletExec in a text editor.jar:${NA_ROOT}/lib/servlet. CLASSPATH=${NA_ROOT}/lib/ServletExec41. export LD_LIBRARY_PATH The library path variable depends on the operating system.netegrity. Set the library path variable to point to <web_agent_home>/bin—for example: LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/export/smuser/netegrity/siteminder/webagent /bin.jar:/export/s muser/netegrity/siteminder/webagent/java/env. Run Registration Services with ServletExecAS (UNIX only) If you are using Registration Services with ServletExecAS requires modifications to the StartServletExec script.jar:${NA_ROOT}/se${SEINSTANCE}/classes:/export/smuser/netegrity/siteminder/webagent/java/dms. 4. Prepare for the Installation 27 .jar:/export/smuser/netegrity/sit eminder/webagent/java/jsafe. replace: /usr/iplanet/servers with the actual server installation directory myserver. Click OK.jar:/export/smuser/netegrity/siteminder/webagent/java:/ex port/smuser/netegrity/siteminder/webagent/samples:/export/smuser/netegrity/si teminder/webagent/samples/properties:/export/smuser/netegrity/siteminder/weba gent:/usr/iplanet/servers/myserver.netegrity. as follows: 1. Extend the document directories definition by adding the entry in bold: $SENAME $HOMEDIR $MIMEFILE $DOCROOTDIR es/dmspages"" -port $PORT $SEOPTS -addl "/siteminderagent/dmspages=/export/smuser/netegrity/siteminder/webagent/sampl Note: There are two double-quotes at the end of the definition. Replace /export/smuser/netegrity/siteminder/webagent with the actual Web Agent installation path. Prerequisites and Guidelines for Registration Services (Optional) Operating System Solaris HP-UX LINUX AIX Path Variable LD_LIBRARY_PATH SHLIB_PATH LD_LIBRARY_PATH LIBPATH 28 Web Agent Installation Guide . such as /opt/netegrity/webagent. Note: The Web Agent installation adds and modifies a few system environment variables. Note: In these procedures.Conf File (Windows) (see page 39) Re-register a Trusted Host Using the Registration Tool (Windows) (see page 42) Register Multiple Trusted Hosts on One System (Windows) (see page 45) Registration Services Installed Files (Windows) (see page 46) Fix the ServletExec CLASSPATH for DMS (see page 47) More Information Environment Variables Added or Modified by the Web Agent Installation (see page 185) Install the Web Agent on Windows Systems These procedures are for new installations on Web servers for Windows.Chapter 2: Install a Web Agent on a Windows System This section contains the following topics: Install the Web Agent on Windows Systems (see page 29) Reinstall the Web Agent on Windows (see page 35) Register Your System as a Trusted Host on Windows (see page 35) Review the Results of the Installation and Host Registration (see page 38) Modify the SmHost. Install a Web Agent on a Windows System 29 . <web_agent_home> refers to the installed location of the Web Agent. I would like to configure the Agent now. Select No To All if you see this message. Otherwise. you must be logged into the account where the Web server is installed. Click Next. Select whether to restart the system automatically or later on your own. In the Choose Install Folder dialog box. click Restore Default Folder. SiteMinder Web Agent. ensure the Create Icons for All Users check box is checked. Navigate to the win32 folder then double-click the executable file: nete-wa-6qmr5-win32. I will configure the Agent later.com. then click Next.netegrity. 30 Web Agent Installation Guide . You can also download the installation file from Technical Support http://support. Review the information in the Pre-Installation Summary dialog box.0 Agent 3. If the installation program detects that there are locked Agent files. 9. it will prompt you to restart your system instead of reconfiguring it.Install the Web Agent on Windows Systems Run a GUI Mode Installation on Windows To install an Agent. then click Next. Read the License Agreement then select the radio button to accept the agreement. Afterward. the installation terminates. It asks if you want to overwrite these newer files with older files. Review the information in the Introduction dialog box. accept the default location or use the Choose button to select a different location. deselect this option. the Web Agent Configuration dialog box is displayed. 4. 2. Insert the SiteMinder DVD into the DVD drive. Read the notes in the Important Information dialog box. 5. 7. If you select a non-default location then want to revert to the default directory. Choose one of the following options: Yes. Select the placement of the Agent Configuration Wizard shortcut in the Choose Shortcut Folder dialog box then click Next. No. If you do not accept the agreement. SiteMinder 6. then click Install. 8. 6. To allow all users access to the Configuration Wizard.exe The installation program prepares the files. Exit all applications that are running and stop the Web server. Note: The installation program may detect that newer versions of certain system dlls are installed on your system. 1. The Web Agent files are copied to the specified location. Select Product Downloads. Click Next. 10. but you must register the trusted host at some point. do not configure the Agent immediately after installation. 11. the Install Complete dialog box displays. If you selected the option to configure the Agent automatically. you can start the Wizard manually when you are ready to configure an Agent.0 servers. reboot your system after installation. the installation program prepares the Web Agent Configuration Wizard and begins the trusted host registration and configuration processes. If you choose not to configure the Agent. Installation Notes: After installation. 12. The file name is: CA_SiteMinder_Web_Agent_v6QMR5_InstallLog.log You may choose not to start the Web Agent Configuration Wizard immediately after installation—you may have to reboot your machine after installation. you can review the installation log file in <web_agent_home>\install_config_info.0 server.0 (see page 73) Install a Web Agent on a Windows System 31 . More Information Register Your System as a Trusted Host on UNIX (see page 59) Configure an IIS Web Agent (see page 73) Configure a Sun Java System Web Agent (see page 79) Configure an Apache Web Agent (see page 89) Configure a Domino Web Agent (see page 101) Prerequisites for Configuring the Web Agent on IIS 6. If so. it is not sufficient to restart the IIS service. You can do this before or after configuring an Agent.Install the Web Agent on Windows Systems For Web Agents installed on IIS 6. There are some tasks you need to do before configuring the Agent. Configure the Web Agent. Do the following: Register the trusted host. Click Done. Important! If you are configuring an Agent on an IIS 6. and prompts you to reboot the system. An unattended installation lets you install or uninstall the Web Agent without any user interaction. Save the file. For example. (Windows only) USER_REQUESTED_RESTART--Indicates whether the installation program should reboot a Windows machine if required. Prepare an Unattended Installation on Windows Unattended installation uses the nete-wa-installer. Set to YES to allow the reboot. The parameters are as follows: USER_INSTALL_DIR--Specifies the installed location of the Web Agent. USER_SHORTCUTS--Specifies where the Web Agent Configuration Wizard shortcut should be installed. Enter the full path to the installation directory. In this properties file.Install the Web Agent on Windows Systems Run an Unattended Installation on Windows After you have installed the Web Agent on one system. Open the nete-wa-installer. An unattended installation uses a properties file that is initially configured with values from the initial GUI mode Web Agent installation. you can automate installations on other web servers using the Agent’s unattended installation feature. then copy the file and the Web Agent executable file to any web server in your network to run an unattended installation. (Windows only) 3.properties file to propagate the Web Agent installation set up to all Agents in your network. then use the properties file to run an unattended installation on a UNIX system with an Apache Web server. More Information Set Up the nete-wa-installer. Enter the path to the desired location. 2. you cannot install an Agent on a Windows system with an Sun Java System Web server. Run an initial installation of the Web Agent. To prepare for an unattended installation: 1. you can only run an unattended installation on a system with the same platform and web server image as the system where you first installed the Web Agent. The nete-wa-installer. you define installation parameters. Therefore.properties file and modify the parameters in the file.properties File (see page 153) 32 Web Agent Installation Guide .properties file is installed in the following location: <web_agent_home>\install_config_info The default parameters and paths in the file reflect the information you entered during the initial Web Agent installation. Now. nete-wa-6qmr5-win32. Run the installation executable with the -f and . To run an unattended Web Agent installation: 1. From a system where the Web Agent is already installed. There are some setup procedures you need to perform before configuring the Agent. nete-wa-installer.properties file from <web_agent_home>\install_config_info Open a command window and navigate to the directory where you copied the two files. 4.i silent options.Install the Web Agent on Windows Systems More Information Prerequisites for Configuring the Web Agent on IIS 6. Install a Web Agent on a Windows System 33 . do not configure the Agent immediately after installation. enclose the entire path between quotation marks. as follows: <agent_executable> -f <properties_file> -i silent Assuming that you run the installation from the directory where the executable and properties file are located. Register the trusted host and configure the Web Agent. 2. you return to the command prompt. if necessary. copy the following files to a local directory: a.0 server.exe (Agent executable) from the SiteMinder DVD or from where it resides on your system. 3.log file. modified the nete-wa-installer. When the installation is complete. b. you can use the file to run subsequent Web Agent installations. Note: If you are configuring an Agent on an IIS 6.properties file.properties -i silent Note: If you are not at the directory where these files reside.exe -f nete-wa-installer. If there are spaces in the directory paths. the command would be: nete-wa-6qmr5-win32. you must specify the full path to each file. This log file contains the results of the installation.0 (see page 73) Configure Any Web Agent in Unattended Mode (see page 108) Run an Unattended Installation on Windows You should have completed an initial Web Agent installation and. located in the <web_agent_home>\install_config_info directory. Check to see if the installation completed successfully by looking in the CA_SiteMinder_Web_Agent _v6QMR5_InstallLog. 5. Install the Web Agent on Windows Systems Stop an Unattended Installation in Progress on Windows To manually stop the installation. use the Windows Task Manger and stop the nete-wa-6qmr5-win.exe and wa_install.exe processes. 34 Web Agent Installation Guide . After registration is complete. the registration tool creates the SmHost. SiteMinder. To register a host: 1. You can register a trusted host immediately after installing the Web Agent or at a later time. you need to register the host with the Policy Server. the host must be registered to communicate with the Policy Server. Programs.Reinstall the Web Agent on Windows More Information Run a GUI Mode Installation on Windows (see page 30) Reinstall the Web Agent on Windows Before you reinstall. SiteMinder automatically starts the Configuration Wizard. however. For this procedure. Web Agent Configuration Wizard. 2. Register Your System as a Trusted Host on Windows A trusted host is a client computer where one or more SiteMinder Web Agents can be installed. the client computer becomes a trusted host. the procedure will be different. Note: If you chose to configure the Web Agent immediately after the installation. The term trusted host refers to the physical system. The procedure for re-installing the Web Agent follows the GUI mode installation. start the Web Agent Configuration Wizard. To establish a connection between the trusted host and the Policy Server. Install a Web Agent on a Windows System 35 . simply reinstall over existing Agent files by repeating the installation procedure. If you have placed the Wizard shortcut in a nondefault location. Note: You only register the host once. The default method is to select Start. In the Host Registration dialog box: a. you do not uninstall the existing Web Agent. not each time you install and configure a Web Agent on your system.conf file. You can reinstall a Web Agent to restore missing application files. After this file is created successfully. Select Yes to register a host now or No to register the host at a later time. we recommend that you make copies of your registry settings and Web Agent configuration settings to have as a back up. If necessary. b. The default administrator is SiteMinder. Note: This name must be unique among trusted hosts and not match the name of any other Web Agent. In the PKCS11 DLL field. Confirm Admin Password—re-enter the password. enter the name of the Host Configuration Object specified in the Policy Server. you have to re-register the trusted host. 36 Web Agent Installation Guide . c. In the Trusted Host Name and Configuration Object dialog box. Click Next. Re-confirm the passphrase in the Confirm token passphrase field then click Next. Click on Choose to search for the DLL. This name does not have to be the same as the physical client system that you are registering. If not. This administrator should already be defined at the Policy Server and have the permission Register Trusted Hosts set. Admin Password—enter the administrator’s password. complete the following fields to identify an administrator with the rights to register a trusted host. In the Host Configuration Object field. select the checkbox. complete the fields. This DLL is installed with the nCipher software installed on same Web server as the Web Agent. If you are using PKCS11 cryptographic hardware in your SiteMinder environment. then click Next: Admin User Name—enter the name of the administrator allowed to register the host with the Policy Server. mytrustedhost. enter values for the two fields then click Next. enter the full path to the PKCS11 DLL. Key rollover must be enabled at the Policy Server for this feature to work. 4. b. 5. Optionally. In the Trusted Host Name field. it can be any unique name. then click Next. specify the token label in the Token Label and Token Passphrase. Enabled Shared Secret Rollover—check this box to periodically change the shared secret used to encrypt communication between the trusted host and the Policy Server. if applicable.Register Your System as a Trusted Host on Windows b. If you enabled cryptographic hardware. or use the Policy Management API in the C and Perl Scripting Interface to enable or disable shared secret rollover. 3. To disable shared secret rollover or enable it at a later time. for example. a. enter a unique name that represents the trusted host to the Policy Server. skip to the next step. a. In the Admin Registration dialog box. which may or may not include any of the bootstrap servers. however. Note: The entry you specify must match the Host Configuration Object entry set at the Policy Server. SiteMinder displays the following error: Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1) Note also that if you specify a non-default port. The default port is 44442. to use the default. After the Host Configuration Object is retrieved. authorization. you will have created your own Host Configuration Object.Register Your System as a Trusted Host on Windows This object defines the connection between the trusted host and the Policy Server. that port is used for the Policy Server’s authentication. Accept the default location of the host configuration file. If you select a non-default location then want to revert to the default directory. Click Next. the unified server responds to any Agent request on any port. enter DefaultHostSettings. The Host Configuration Object can contain another set of servers. is created in <web_agent_home>/config. SmHost.conf file will look like: policyserver="112. If you do not provide a port. only the first server in the list will be used. Click Add. You can specify a non-default port number. Enter the IP address. 7. the Agent uses them as bootstrap servers. Click Next. for host registration. 6. click Restore Default Folder.conf or click Choose to select a different location. For example. The host is registered and a host configuration file. If multiple Policy Servers are specified.55.conf. You can add more than one Policy Sever. but if you are using a nondefault port and you omit it.11.5555. 8.2. however. the Web Agent has several Policy Servers to which it can connect to retrieve its Host Configuration Object.5555" b. Click Continue. SmHost.5555. 9. the bootstrap Policy Server is no longer used by that server process. the default is used. In most cases. In the Policy Server IP Address dialog box: a. c. You can modify this file. and the authentication port of the Policy Server where you are registering the host. When the Agent starts up. Continue with the configuration by doing the following appropriate tasks: Configure an IIS Web Agent Install a Web Agent on a Windows System 37 . The entry in the SmHost. and accounting ports. or host name. nete-wa-details.log—provides specific details on any failures or problems that may have occurred. check the following log files. located in <web_agent_home>\install_config_info: 1.Review the Results of the Installation and Host Registration Configure a Sun Java System Web Agent Configure an Apache Web Agent Configure a Domino Web Agent More Information Configure an IIS Web Agent (see page 73) Configure a Sun Java System Web Agent (see page 79) Configure an Apache Web Agent (see page 89) Configure a Domino Web Agent (see page 101) Modify the SmHost. 2. 38 Web Agent Installation Guide .log—provides complete results of the installation. CA_SiteMinder_Web_Agent_v6QMR5_InstallLog. including the components that installed successfully and those that failed.Conf File (UNIX) (see page 63) Review the Results of the Installation and Host Registration To check the results of the installation or review any specific problems during the installation or configuration of the Web Agent. conf file: 1. When the trusted host first wants to make a connection to a Policy Server. The syntax for this parameter is: hostconfigobject="<host_configuration_object>" Install a Web Agent on a Windows System 39 . the initial connections are closed. This name must match a name defined in the Policy Server User Interface. If the trusted host where the Web Agent is installed has changed. Any further communication between the trusted host and the Policy Server are based on settings in the Host Configuration Object defined at the Policy Server. 2.conf Setting hostconfigobject Description and Configuration Specifies the host configuration object that defines connectivity between the trusted host and the Policy Server. This is the only purpose of the SmHost.conf file in a text editor.conf file to find a Policy Server and a Host Configuration Object.conf file. or you want to use an object with a different configuration. The following table lists the settings you may want to change. Enter new values for the settings you want to change.Conf File (Windows) Web Agents and custom Agents use the SmHost. Navigate to: <web_agent_home>\config Open the SmHost. To modify the SmHost. You can modify a subset of the SmHost. Using this file. 3.conf file to change the trusted host-toPolicy Server connection. SmHost. the host can find a Policy Server and establish a connection.conf file to act on behalf of the trusted host.Conf File (Windows) Modify the SmHost. it uses the settings in the SmHost.Modify the SmHost. you need to modify this setting. After the trusted host successfully connects to the Policy Server and the Agent is running. specifying multiple Policy Server entries is recommended to ensure that any child process can establish a connection to the secondary Policy Server if the primary Policy Server fails. delete the entry. Each time a new child process is started.Conf File (Windows) SmHost.1. For example: policyserver="123. 44441.44442. The proper syntax is: "<IP_address>. 44441. but you can specify non-default ports using the same number or different numbers for all three ports.44443" policyserver="321.44442.1.conf Setting policyserver Description and Configuration Specifies the Policy Server(s) to which the trusted host will try to connect.44443" policyserver="111. Multiple entries can be added during host registration or by modifying this parameter. To specify additional bootstrap servers for the Agent.44443" If a Policy Server is removed from your SiteMinder environment or is no longer in service.1.2. 44441. You may want to increase the timeout value if the Policy Server is busy due to heavy traffic or a slow network connection. The unified server responds to any Agent request on any port. You can modify this value.Modify the SmHost.CA Portal.44442. Place each server entry on its own line. requesttimeout Determines the number of seconds the trusted host waits before deciding that a Policy Server is unavailable.122.CA Portal" The default ports are 44441. For example.222.2. The default is 60 seconds.1.123. add multiple Policy Server entries to the file. CA Portal. the bootstrap servers are no longer needed for that server process. requesttimeout="60" 40 Web Agent Installation Guide . Important: If an Agent is configured on a multiprocess web server. Multiple entries provide the Agent with several Policy Servers to which it can connect to retrieve its Host Configuration Object.44442. After the Host Configuration Object is retrieved.44443. it will not be able to initialize the Web Agent if only one Policy Server is listed in the file and that Policy Server is unreachable. conf file: hostname—identifies the system serving as the trusted host.conf Settings That Should Not Be Modified (Windows) You should not modify the following settings directly in the SmHost.Conf File (Windows) SmHost. For security reasons. Install a Web Agent on a Windows System 41 . This setting is only valid if you enabled shared secret rollover during host registration. This value cannot be changed in the SmHost. sharedsecret—an encryption key used for encrypting traffic between the trusted host and the Policy Server. If the value is 0. smreghost. Host names must be unique in a given policy store and cannot have any spaces. cryptoprovider—defines the encryption method used for hardware encryption. The user provides this information during the registration of the trusted host or using the Agent Configuration Wizard. During registration of the host. the Policy Server automatically generates a shared secret. and then. it will show the last time the shared secret changed. sharedsecrettime—specifies when the shared secret key is rolled over.Modify the SmHost. the value for this parameter is masked and cannot be changed unless you re-register your host.conf file. It can only be changed by re-registering with the Registration Tool. it means that shared secret rollover was not enabled. 1 -u SiteMinder -p mypw -hn hostA -hc DefaultHostSettings Example with the -o argument: smreghost -i 123. Example: smreghost -i 123.Re-register a Trusted Host Using the Registration Tool (Windows) Re-register a Trusted Host Using the Registration Tool (Windows) When you install a Web Agent on a server for the first time. To change the shared secret that secures the connection between the trusted host and the Policy Server. To recreate the SmHost.123. use the Registration Tool. To register a trusted host if the trusted host policy objects have been deleted from the policy store or the policy store has been lost. which lets you overwrite an existing trusted host without having to delete it from the Policy Server. To overwrite an existing trusted host without deleting it first. such as: To rename the trusted host if there has been a change to your SiteMinder environment. To register a trusted host if the trusted host has been deleted in the Policy Server User Interface.1. To re-register a trusted host. you are prompted to register that server as a trusted host.1 -u SiteMinder -p mypw -hn hostA -hc DefaultHostSettings -o 42 Web Agent Installation Guide . you do not have to re-register with subsequent Agent installations. Once the trusted host is registered. Note: When you re-register a host using smreghost. -o.1. you must first remove the host from the Policy Server User Interface unless you use the smreghost command argument. 2. This tool is installed when you install an Agent on a trusted host. There may be situations when you want to re-register a trusted host independent of an Agent installation. Open a command prompt window.123.conf configuration file if it is lost. To run smreghost: 1. smreghost. and is located in the directory <web_agent_home>\bin. Enter the smreghost command using the following required arguments: smreghost -i <policy_server_IP_address:[port]> -u <administrator_username> -p <Administrator_password> -hn <hostname_for_registration> -hc <host_configuration_ object> Note: There should be a space between each command argument and its value. 5. Specify the port of the authentication server only if you are not using the default.conf file will be: "112. (required) p <administrator_password> hn <hostname_for_registration> hc <host_config_object> Install a Web Agent on a Windows System 43 . but it must be unique. the unified server responds to any Agent request on any port. see the following table. which can be a non-default port. (required) Password for the Administrator allowed to register a trusted host.2. however. Arguments i <policy_server_IP_ address:port> Value IP address of the Policy Server where you are registering this host.5555.5555. which is 44442. After registration. The policyserver entry in the SmHost.Re-register a Trusted Host Using the Registration Tool (Windows) For a list of all the smreghost command arguments. This can be any name that identifies the host.5555" u <administrator_username> Name of the SiteMinder administrator with the rights to register a trusted host. (required) If you specify a port number.11. this name is placed in the Trusted Host list in the Policy Server User Interface. accounting). that port is used for all three Policy Server servers (authentication. (required) Name of the host to be registered. authorization. (required) Name of the Host Configuration Object configured at the Policy Server. (required for PKCS11 encryption) Overwrites an existing trusted host without having to delete it first.bk extension to the backup file name. the file is installed in the location where you are running the smreghost tool. The proper syntax is -o. (optional) Full path to the PKCS11 DLL. If you do not specify a value. If you use the same name as an existing host configuration file. cd <crypto_provider_DLL_path> ct <crypto_provider_token_label> ck <crypto_provider_token_pin> o <overwrite_existing_trusted_host> 44 Web Agent Installation Guide . BSAFE is the default. The default file is SmHost. (required for PKCS11 encryption) Token label for the hardware token. (optional) On Windows systems.conf. This DLL is installed with the nCipher software installed on same Web server as the Web Agent. if you specify a file path with spaces.Re-register a Trusted Host Using the Registration Tool (Windows) Arguments f <path_to_host_config_file> Value Full path to the file that contains the registration data. If you do not specify a path. Only use this argument if there is a token label. (optional for PKCS11 encryption) Passphrase for the token. cp <cryptographic_provider> Name of the cryptographic provider you are using for encryption. the entire path must be enclosed in quote marks. the tool backups up the original and adds a . an application service provider may have many client computers with different applications installed. go through the registration process again. Using multiple trusted hosts ensures a unique shared secret and a secure connection for each client requiring communication with the Policy Server.conf file. it is an option for sites who require distinct. More Information Re-register a Trusted Host Using the Registration Tool (Windows) (see page 42) Install a Web Agent on a Windows System 45 . The Policy Server then issues unique shared secrets for each client connection. when prompted to specify a location for the SmHost. You can run this tool for each trusted host that you want to register." Registering with the smreghost command-line tool: Run the smreghost tool after you have completed the first Agent installation on a given computer. enter a unique path. However. For most installations this is not a recommended configuration. You may want a secure connection for each application. You can use the name SmHost. you can register multiple trusted hosts on one computer to create distinct connections for each SiteMinder client. you will see a warning message in the Host Registration dialog box. however. The message reads: "Warning: You have already registered this Agent with a Policy Server. To register multiple trusted hosts. For example.conf or give the file a new name. Do not register a new host and use an existing Web server’s SmHost. which you can achieve by registering multiple trusted hosts.conf file. However. use one of the following methods: Registering with the Configuration Wizard: To register additional servers as trusted hosts. Note: If you have registered a trusted host with a Policy Server and you run the Configuration Wizard to configure subsequent Agents without using a unique path for the SmHost.Register Multiple Trusted Hosts on One System (Windows) Register Multiple Trusted Hosts on One System (Windows) You typically register only one trusted host for each machine where Web servers and Web Agents are installed.conf file or that file will be overwritten. secure channels for each client or group of client applications protected by SiteMinder Agents. The following table describes each Registration Service Directory: Directory dmspages Description Contains JSPs and JavaScript used in Registration Services pages. You should not modify these files unless you are using Registration Services with DMS v1.fcc files.0. Contains the directories: Default—Contains properties files for configuring a hierarchical directory structure Default_attr-based—Contains properties files for configuring a flat directory structures Note: The forms. Physical Directories The Web Agent installation puts the Registration Services sub-directories in: <web_agent_home>\samples Contains files used by Registration Services that you can customize.Registration Services Installed Files (Windows) Registration Services Installed Files (Windows) The Web Agent installation installs a number of virtual and physical directories for Registration Services: Virtual Directories siteminderagent\dmspages siteminderagent\dmsforms You can view these directories using the Internet Services Manager and looking at the Default Web Site for your server. <web_agent_home>\samples_default Contains backup files for Registration Services.0. Do not modify these files. dmsforms properties Contains . 46 Web Agent Installation Guide . and formsja folders are used by Registration Services with DMS v1. which collect user credentials. This directory includes files that support Registration Services in hierarchical and flat user directory structures. formsfr. Restart the Web server. Under the Virtual Machine menu. If you are using Windows 2000. 3.). Save the file. Install a Web Agent on a Windows System 47 . as follows: 1. stop the IIS Admin services. Restart the Sun Java System Web server or IIS Admin services. select classpath to open the Classpath page.pref in a text editor. If your classpath is correct and you still get the error. Access the ServletExec Admin Web page by entering the following in a browser: http://myserver.myorg. Click Submit. Open the classpath. Collapse all entries to one line separated by a semi-colon(.org/servlet/admin 2. then start the World Wide Web Publishing service without manually starting the IIS Admin service. verify that the ServletExec classpath is correct. 4. On Windows 2000. you may need to repair your classpath. 3. This forces ServletExec to write the classpath.pref file.Fix the ServletExec CLASSPATH for DMS Fix the ServletExec CLASSPATH for DMS If you install DMS on a Windows system and get ‘servlet DMS not found’ errors when you access a DMS page. if this procedure does not fix the classpath: 1. 4. 5. 2.pref. . Conf File (UNIX) (see page 63) Re-register a Trusted Host Using the Registration Tool (UNIX) (see page 67) Register Multiple Trusted Hosts on One System (UNIX) (see page 70) Registration Services Installed Files (UNIX) (see page 71) Install a Web Agent on a UNIX System 49 .sh Script After Installation (see page 58) Reinstall a Web Agent on UNIX (see page 59) Register Your System as a Trusted Host on UNIX (see page 59) Register a Trusted Host in GUI or Console Mode (see page 60) Review the Results of the Installation and Host Registration (see page 63) Modify the SmHost.Chapter 3: Install a Web Agent on a UNIX System This section contains the following topics: Install the Web Agent Documentation on UNIX Systems (see page 50) Install the Web Agent on a UNIX System (see page 51) Run the nete_wa_env. netegrity.Install the Web Agent Documentation on UNIX Systems Install the Web Agent Documentation on UNIX Systems You install the Web Agent documentation independently from the Web Agent— it is not installed by default. solaris) on the SiteMinder DVD. and check the permissions on the binary file./nete-wa-doc-6qmr5-<operating_system>. the installation puts the Agent manuals in the same location as the Policy Server documents.bin 5. 2.bin Linux 2. linux. hpux.0: nete-wa-6qmr5-rhel30. The files are: Solaris: nete-wa-6qmr5-sol. From a console window. You may need to add execute to the installation file by running the chmod command. Note: If you plan to install the Web Agent documentation on the same system as existing Policy Server documentation.bin AIX: nete-wa-6qmr5-aix. Copy the appropriate installation file to a local directory then navigate to that directory./nete-wa-doc-6qmr5-<operating_system>.bin Suse-zLinux: nete-wa-6qmr5-SuSE-zLinux.bin HP-UX: nete-wa-6qmr5-hp.bin Linux 3. You will not be prompted to specify a location. Note: You can also download the installation programs from Technical Support http://support.com. for example. 3.bin HP-UX Itanium: nete-wa-6qmr5-hp-itan.bin 4. To install the documentation: 1.bin -i console 50 Web Agent Installation Guide . <policy_server_home>/netegrity_documents. run the documentation installation using one of the following commands: GUI mode: . for example: chmod +x nete-wa-6qmr5-sol.bin Console mode: . Open a console window. We recommend that you install the documentation before installing the Web Agent so you can specify the install location. Navigate to the directory for your operating system (aix. Insert the SiteMinder DVD into the drive.1: nete-wa-doc-6qmr5-linux. The file name is: CA_SiteMinder_Web_Agent_v6QMRn_InstallLog. You can ignore this warning. Install the Web Agent on a UNIX System There are three types of Web Agent installations on a UNIX system: Installing from a graphical user interface Installing from a console window responding to command-line prompts Installing installation file. SuSE-zLinux. aix. If you agree with the terms. Installation Notes When you install an Apache. unattended by an administrator and requiring no user interaction. or IBM HTTP Server Web Agent. Stronghold. or hp-itan The documentation installation starts. when the installation program prompts with a question. the default entry is displayed in brackets [].3 API. rhel30. this module might crash under EAPI—recompile it with DEAPI. 8. linux. 7. In console mode. Select the installation that best suits your environment. the following warning is displayed when you restart the Web server: Loaded DSO /export/smuser/netegrity/siteminder/webagent/bin/mod_sm. hp. In these procedures. enter Y to continue the installation. then click Next. you can find the installation log file in <web_agent_home>. This issue does not impact the functioning of the Web Agent. The installation program installs the 6.so uses plain Apache 1. After installation. Read the License Agreement. <web_agent_home> refers to the installed location of the SiteMinder Web Agent. pressing ENTER to page through the entire document.x Web Agent documentation in the directory you specified. Press ENTER to accept the default.Install the Web Agent on a UNIX System where <operating_system> is sol. Specify the installation directory. 6.log Install a Web Agent on a UNIX System 51 . Review the Important Instructions. 0 export DISPLAY If you try to run in GUI mode through a telnet window without an XWindows session. You can also download the installation file from Technical Support http://support. hpux.bin Linux 2. you need to set the DISPLAY variable to your terminal.bin 2. If you are installing the Web Agent via telnet or other terminal emulation software. you must be logged into the account where the Web server is installed. you must have an X-Windows session running in the background to run the GUI mode installation. 5. You can also run a command-line installation from a console window. Insert the SiteMinder DVD into the DVD drive.1: nete-wa-doc-6qmr5-linux.bin AIX: nete-wa-6qmr5-aix. 3. 4.com. linux. Exit all applications that are running. 7. This limitation has no affect on Web Agent installation and configuration. Copy the appropriate binary file to a local directory then navigate to that directory.12:0. solaris). Running a Web Agent GUI-mode installation or running the Configuration Wizard using the Exceed application may cause text in the dialog boxes to be truncated because of unavailable fonts. More Information Install UNIX Patches (see page 15) Environment Variables Added or Modified by the Web Agent Installation (see page 185) Run a GUI Mode Installation on UNIX To install an Agent. Solaris: nete-wa-6qmr5-sol. Additionally. as follows: DISPLAY=111. 6.Install the Web Agent on a UNIX System Note: The Web Agent installation adds and modifies a few system environment variables. the installer throws an Java exception and exits. Notes: 1.1.netegrity.11. Ensure that the /tmp directory has at least 300MB of disk space available. 52 Web Agent Installation Guide . Navigate to the directory for your operating system (aix. Click Next. If you select a non-default location then want to revert to the default directory.bin 9. Depending on your permissions. 11. Open a console window and from the local installation directory enter: . Read the notes in the Important Information dialog box. In the Install Complete dialog box. Read the License Agreement then select the radio button to accept the agreement.Install the Web Agent on a UNIX System Linux 3. 14. you may need to add executable permissions to the installation file by running the chmod command.bin where <operating_system> is sol.0: nete-wa-6qmr5-rhel30. 12.bin HP-UX: nete-wa-6qmr5-hp. SuSE-zLinux.bin 8./nete-wa-6qmr5-<operating_system>. run the Agent Configuration Wizard to register a trusted host and configure the Web Agent. More Information Run a Console Mode Installation on UNIX (see page 54) Register Your System as a Trusted Host on UNIX (see page 59) Configure a Web Agent (see page 73) Install a Web Agent on a UNIX System 53 . The Web Agent files are installed in the specified location. accept the default location or use the Choose button to select a different location. rhel30.bin Suse-zLinux: nete-wa-6qmr5-SuSE-zLinux. In the Choose Install Location dialog box. Click Next. click Restore Default Folder. In the Introduction dialog box. click Done. If you do not accept the agreement. then click Install. linux. the installation terminates.bin HP-UX Itanium: nete-wa-6qmr5-hp-itan. After installing the Agent. Review the information in the Pre-Installation Summary dialog box. read the information then click Next. or hp-itan The installation program prepares the files. 10. 16. then click Next. hp. aix. for example: chmod +x nete-wa-6qmr5-sol. 15. 13. linux. Insert the SiteMinder DVD into the DVD drive. pressing ENTER to read through the entire agreement. and check the permissions on the binary file. Review the Introduction and press ENTER to continue.bin 7.bin 6. aix. linux. Open a console window.netegrity./nete-wa-6qmr5-<operating_system>.bin AIX: nete-wa-6qmr5-aix. The installation prepares the License Agreement. rhel30. 2. The installation prepares the files. Enter Y to accept the agreement and continue with the installation. Solaris: nete-wa-6qmr5-sol. SuSE-zLinux.1: nete-wa-doc-6qmr5-linux./nete-wa-6qmr5-sol.com. 9. At the command prompt. 3. Exit all applications that are running and stop the Web server. solaris) on the SiteMinder DVD. Ensure that the /tmp directory has at least 300MB of disk space available.bin -i console The -i console command argument enables the installation to be run from the command line.bin -i console where <operating_system> is sol. Read the License Agreement. You may need to add execute permissions to the install file. 4. 8. Go to the folder for your operating system and download the installation file.bin HP-UX: nete-wa-6qmr5-hp.bin Suse-zLinux: nete-wa-6qmr5-SuSE-zLinux. 5. For example: chmod +x nete-wa-6qmr5-sol. Navigate to the directory for your operating system (aix. Copy the appropriate binary file to a local directory then navigate to that directory. 10.bin Linux 3.0: nete-wa-6qmr5-rhel30.bin Linux 2. start the console mode installation by entering: .Install the Web Agent on a UNIX System Run a Console Mode Installation on UNIX 1. hp. You can also download the installation programs from Technical Support http://support.bin HP-UX Itanium: nete-wa-6qmr5-hp-itan. 54 Web Agent Installation Guide . hpux. or hp-itan For example on Solaris the command is: . An unattended installation lets you install or uninstall the Web Agent without any user interaction. 16. Install a Web Agent on a UNIX System 55 . 12. press ENTER. you can automate installations on other web servers using the Agent’s unattended installation feature.Install the Web Agent on a UNIX System 11. Therefore. 14. if you specify export/netegrity/sm_webagent as the path. For example. Review the Important Information section for information about the installation and documentation. Press ENTER to exit the installer." If it does not. 15. For example. if you specify export/netegrity/wa. run the Agent Configuration Wizard to register a trusted host and configure the Web Agent. More Information Register Your System as a Trusted Host on Windows (see page 35) Configure a Web Agent (see page 73) Run an Unattended Installation on UNIX After you have installed the Web Agent on one system. specify the location where the installation should place the Agent files. The program begins installing files. However. then press ENTER to continue. When the installation is complete. 13. the installation program will accept this. you will receive a message along with instructions on locating the Configuration Wizard. you can only run an unattended installation on a system with the same platform and Web server image as the system where you first installed the Web Agent. To accept the default location. the installation program will create this folder and append it to the path. If you specify a path. then use the properties file to run an unattended installation on a Linux system with an Apache Web server. Review the information in the Pre-Installation Summary. After installing the Agent. An unattended installation uses a properties file that is initially configured with values from the initial GUI or console mode Web Agent installation. the path becomes export/netegrity/wa/webagent. In the Choose Install Location section. it must contain the word "webagent. Press ENTER to page through the notes and continue through the installation. you cannot install an Agent on a Solaris system with an Sun Java System Web server. Open the nete-wa-installer. then copy the file and the Web Agent executable file to any web server in your network to run an unattended installation. Save the file.properties file to propagate the Web Agent installation set up to all Agents in your network. The parameters are as follows: Parameter USER_SHORTCUTS Meaning Specifies where the Web Agent configuration shortcut should be installed.properties file and modify the parameters. To install the nete-wa-installer. In this properties file. Enter the full path to the installation directory. The nete-wa-installer. More Information Run a GUI Mode Installation on UNIX (see page 52) Set Up the nete-wa-installer.Install the Web Agent on a UNIX System Prepare an Unattended Installation on UNIX Unattended installation uses the nete-wa-installer. (Windows only) USER_INSTALL_DIR USER_REQUESTED_RESTART 3. 2. (Windows only) Specifies the installed location of the Web Agent.properties file is installed in the following location: <web_agent_home>/install_config_info The default parameters and paths in the file reflect the information you entered during the initial Web Agent installation. Enter the path to the desired location. Indicates whether the installation program should reboot a Windows machine if required.properties file: 1.properties File (see page 153) 56 Web Agent Installation Guide . Run an initial installation of the Web Agent. Set to YES to allow the reboot. you define installation parameters. b. located in the <web_agent_home>/install_config_info directory. To run an unattended Web Agent installation: 1. 5. Install a Web Agent on a UNIX System 57 . 4. Stop an Unattended Installation in Progress on UNIX To manually stop the installation. press Ctrl + C.bin (Agent executable) from the SiteMinder DVD or from where it resides on your system. Run the installation executable with the -f and . From a system where the Web Agent is already installed. Now. nete-wa-6qmr5-<operating_system>. you must specify the full path to each file./nete-wa-6qmr5-sol. you return to the command prompt.log file. copy the following files to a local directory: a. CA_SiteMinder_Web_Agent _v6QMR5_InstallLog. Copy the nete-wa-installer. This log file contains the results of the installation. modified the nete-wa-installer.properties -i silent When the installation is complete.Install the Web Agent on a UNIX System More Information Configure Any Web Agent in Unattended Mode (see page 108) Run an Unattended Installation on UNIX You should have completed an initial Web Agent installation and. you can use the file to run subsequent Web Agent installations.properties file from <web_agent_home>/install_config_info.bin -f nete-wa-installer.properties file. 2. the command for a Solaris system would be: .i silent options. Assuming that you run the installation from the directory where the executable and properties file are located. 3. if necessary. Open a console window and navigate to the directory where you copied the two files. Register the trusted host and configure the Web Agent. as follows: <agent_binary> -f <properties_file> -i silent Note: If you are not at the directory where these files reside. Note: You do not have to run this script for Sun Java System Web servers because this file as been added to the start script.sh script has been enhanced to set the following environment variables: NETE_WA_ROOT PATH NETE_WA_PATH LD_LIBRARY_PATH Note: The Web Agent requires that LD_LIBRARY_PATH include /usr/lib before any other directory containing older versions of libm.x QMR 1.sh Script After Installation Run the nete_wa_env.Run the nete_wa_env. The script sets environment variables required by the Web Agent. . Source this script after you install and configure the Web Agent. SHLIB_PATH LIBPATH Running the script for Web Agents installed on most UNIX platforms ensures that the Web Agent and Web server can work together.sh You can list the script in either the user ./nete_wa_env. You must source this script if you are upgrading a Web Agent from v6. as follows: .so.profile file or envvars file.sh Script After Installation The nete_wa_env. 58 Web Agent Installation Guide . The term trusted host refers to the physical system. To establish a connection between the trusted host and the Policy Server. you do not uninstall the existing Web Agent. simply reinstall over existing Agent files by repeating the installation procedure. After this file is successfully created. you must perform the registration at some point. you need to register the host with the Policy Server. After registration is complete. Note: You only register the host once. the client computer becomes a trusted host. You can register the trusted host immediately after installing the Web Agent or at a later time. the registration tool creates the SmHost. we recommend that you make copies of your Web Agent configuration settings to have as a back up. More Information Re-register a Trusted Host Using the Registration Tool (Windows) (see page 42) Configure Any Web Agent in Unattended Mode (see page 108) Install a Web Agent on a UNIX System 59 . For this procedure. however. You can run the Registration Tool independently from GUI or Console mode. Before you reinstall.Reinstall a Web Agent on UNIX Reinstall a Web Agent on UNIX To restore missing application files.conf file. More Information Run a GUI Mode Installation on UNIX (see page 52) Run a Console Mode Installation on UNIX (see page 54) Register Your System as a Trusted Host on UNIX A trusted host is a client computer where one or more SiteMinder Web Agents can be installed. but be aware that you will be prompted either with a Reinstall dialog box (GUI mode) or a Confirm Upgrade/Reinstall prompt (Console mode) to confirm the reinstallation or abort it. not each time you install and configure a Web Agent on your system. you can reinstall a Web Agent. The procedure for re-installing the Web Agent follows the GUI mode installation. /nete-wa-config. In the PKCS11 DLL field.Register a Trusted Host in GUI or Console Mode Register a Trusted Host in GUI or Console Mode These instructions are for GUI and Console Mode registration. The prompts should guide you through the process. Select Yes to register a host now or No to register the host at a later time. b. Navigate to <web_agent_home>/install_config_info Enter one of the following commands: GUI Mode: .bin -i console The Configuration Wizard starts. skip to the next step. This DLL is installed with the nCipher software installed on same Web server as the Web Agent. a. The steps for the two modes are the same. enter the full path to the PKCS11 DLL. 3. In the Host Registration dialog box: a. If you enabled cryptographic hardware. If necessary. To register a host: 1. b. To workaround this issue. select the checkbox. b. If you are using PKCS11 cryptographic hardware in your SiteMinder environment. Re-confirm the passphrase in the Confirm token passphrase field then click Next. then click Next: Admin User Name—enter the name of the administrator allowed to register the host with the Policy Server.bin Console Mode: . start the Configuration Wizard as follows: a. Complete the following fields in the Admin Registration dialog box. Optionally. complete the fields. You press ENTER after each step to proceed through the process. Open a console window. If not. 2. All passwords that you enter are displayed in clear text. specify the token label in the Token Label and Token Passphrase. Click on Choose to search for the DLL. c. run the installation in GUI or unattended mode. Click Next. if applicable. c. 4. with these exceptions for Console mode: You may be instructed to select an option by entering a corresponding number for that option. 60 Web Agent Installation Guide ./nete-wa-config. the person specified by the User directive needs write permission to the SmHost. enter DefaultHostSettings.conf file if User2 owns the server process. In most cases. Key rollover must be enabled at the Policy Server for this feature to work. Enter the IP address. and the authentication port of the Policy Server where you are registering the host. the default is used. Admin Password—enter the administrator’s password. enter values for the two fields then click Next. If this file cannot be modified by this user. To use the default. In the Policy Server IP Address dialog box: a. for Sun Java System and Apache Web servers.0 Web Agent. Note: The entry you specify must match the Host Configuration Object entry set at the Policy Server. SiteMinder displays the following error: Install a Web Agent on a UNIX System 61 .x Web Agent. Note: This name must be unique among trusted hosts and not match the name of any 4. you will use your own Host Configuration Object.conf file. enter a unique name that represents the trusted host to the Policy Server. then click Next. but if you are using a nondefault port and you omit it. but this is not recommended. In the Trusted Host Name field. then the shared secret rollover cannot be updated.conf file is owned by User1 and no other user has write permissions. enter the name of the Host Configuration Object specified in the Policy Server. This name does not have to be the same as the physical client system that you are registering. Confirm Admin Password—re-enter the password. The default port is 44442.Register a Trusted Host in GUI or Console Mode This administrator should already be defined at the Policy Server and have the permission Register Trusted Hosts set. The default administrator is SiteMinder. a. Enabled Shared Secret Rollover—check this box to periodically change the shared secret used to encrypt communication between the trusted host and the Policy Server. 5. or host name. If the SmHost. For example. b. the shared secret rollover is not written to the SmHost. the user who owns the Web server process must have permissions to write to the SmHost. You can specify a non-default port number. Important: If you enable shared secret rollover. for example. In the Host Configuration Object field. 6. If you do not provide a port. In the Trusted Host Name and Configuration Object dialog box. It can be the same name as a 5. mytrustedhost.conf file. it can be any unique name. This object defines the connection between the trusted host and the Policy Server. SmHost.11. Click Add.2.5555.conf. separate them by a comma. Accept the default location of the host configuration file. After the Host Configuration Object is retrieved.conf file will look like: policyserver="112. the unified server responds to any Agent request on any port.Register a Trusted Host in GUI or Console Mode Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)) Note also that if you specify a non-default port. the Web Agent has several Policy Servers to which it can connect to retrieve its Host Configuration Object. When the Agent starts up. that port is used for the Policy Server’s authentication. If multiple Policy Servers are specified.5555" b. You can modify this file. the Agent uses them as bootstrap servers. however.55. c.Conf File (UNIX) (see page 63) 62 Web Agent Installation Guide . however. the bootstrap Policy Server is no longer used by that server process. click Restore Default Folder. The host is registered and a host configuration file. SmHost. only the first server in the list will be used. 8. Configure your Web Agent. You can add more than one Policy Sever. If you select a non-default location then want to revert to the default directory. The entry in the SmHost.5555. and accounting ports. More Information Configure an IIS Web Agent (see page 73) Configure a Sun Java System Web Agent (see page 79) Configure an Apache Web Agent (see page 89) Modify the SmHost. for host registration. which may or may not include any of the bootstrap servers.conf or click Choose to select a different location. Click Next. is created in <web_agent_home>/config. Click Next. 7. The Host Configuration Object can contain another set of servers. If you add multiple entries. authorization. The following table lists the settings you may want to change. When the trusted host first wants to make a connection to a Policy Server. the host can find a Policy Server and establish a connection. 2. Using this file. You can modify a subset of the SmHost.log—provides complete results of the installation. Enter new values for the settings you want to change. Navigate to: <web_agent_home>/config Open the SmHost.Conf File (UNIX) Web Agents and custom Agents use the SmHost. 4.conf file: 1. CA_SiteMinder_Web_Agent_v6QMR5_InstallLog. located in <web_agent_home>/install_config_info: nete-wa-details.conf file to find a Policy Server and a Host Configuration Object.log—provides specific details on any failures or problems that may have occurred.Review the Results of the Installation and Host Registration Review the Results of the Installation and Host Registration To check the results of the installation or review any specific problems during the installation or configuration of the Web Agent. 3. Modify the SmHost.conf file in a text editor. including the components that installed successfully and those that failed. the initial connections are closed. it uses the settings in the SmHost.conf file to act on behalf of the trusted host. Install a Web Agent on a UNIX System 63 .conf file to change the trusted host-toPolicy Server connection. After the trusted host successfully connects to the Policy Server and the Agent is running. To modify the SmHost. check the following log files. This is the only purpose of the SmHost.conf file. Any further communication between the trusted host and the Policy Server are based on settings in the Host Configuration Object defined at the Policy Server. or you want to use an object with a different configuration. This name must match a name defined in the Policy Server User Interface.Conf File (UNIX) SmHost.conf Setting hostconfigobject Description and Configuration Specifies the host configuration object that defines connectivity between the trusted host and the Policy Server. you need to modify this setting. If the trusted host where the Web Agent is installed has changed. The syntax for this parameter is: hostconfigobject="<host_configuration_object>" 64 Web Agent Installation Guide .Modify the SmHost. the bootstrap servers are no longer needed for that server.44442.1.44442. but you can specify non-default ports using the same number or different numbers for all three ports.Conf File (UNIX) SmHost.conf Setting policyserver Description and Configuration Specifies the Policy Server(s) to which the trusted host will try to connect.44443" policyserver="111. 44441. Place each server entry on its own line.122. To specify additional bootstrap servers for the Web Agent. Important: If an Agent is configured on a multiprocess web server. Install a Web Agent on a UNIX System 65 . 44441. Each time a new child process is started.2.44443" policyserver="321. Multiple entries provide the Agent with several Policy Servers it can connect to and retrieve its Host Configuration Object. CA Portal. The unified server responds to any Agent request on any port.44442.222.CA Portal. For example: policyserver="123. Once the Host Configuration Object is retrieved. add multiple Policy Server entries to the file. The proper syntax is: "<IP_address>.2. 44441.Modify the SmHost.123.CA Portal" The default ports are 44441.1.44443.1.44442.44443" If a Policy Server is removed from your SiteMinder environment or is no longer in service. Multiple entries can be added during host registration or by modifying this parameter.1. the new process will not be able to initialize the Web Agent if only one Policy Server is listed in the file and that Policy Server is unreachable. specifying multiple Policy Server entries is recommended to ensure that any child process can establish a connection to the Policy Server if the primary Policy Server fails. delete the entry. Modify the SmHost.conf Settings That Should Not Be Modified (UNIX) You should not modify the following settings directly in the SmHost.conf file. requesttimeout="60" SmHost. sharedsecrettime—specifies when the shared secret key is rolled over. For example. it will show the last time the shared secret changed. The default is 60 seconds. It can only be changed by re-registering with the Registration Tool. sharedsecret—an encryption key used for encrypting traffic between the trusted host and the Policy Server.Conf File (UNIX) SmHost. During registration of the host. cryptoprovider—defines the encryption method used for hardware encryption. For security reasons. The user provides this information during the registration of the trusted host or using the Agent Configuration Wizard.conf file: hostname—identifies the system serving as the trusted host. This value cannot be changed in the SmHost. it means that shared secret rollover was not enabled. Host names must be unique in a given policy store and cannot have any spaces. 66 Web Agent Installation Guide . the Policy Server automatically generates a shared secret. the value for this parameter is masked and cannot be changed unless you re-register your host. You may want to increase the timeout value if the Policy Server is busy due to heavy traffic or a slow network connection. If the value is 0. This setting is only valid if you enabled shared secret rollover during host registration. smreghost.conf Setting requesttimeout Description and Configuration Determines the number of seconds the trusted host waits before deciding that a Policy Server is unavailable. and then. You can modify this value. for Solaris systems enter the following two commands: LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/netegrity/webagent/b in export LD_LIBRARY_PATH The table that follows shows the different variables for each operating system. This tool is installed when you install an Agent. Note: When you re-register a host using smreghost. 3. smreghost. you do not have to re-register with subsequent Agent installations. To overwrite an existing trusted host without deleting it first. Open a command prompt window. To run smreghost: 1. To register a trusted host if the trusted host policy objects have been deleted from the policy store or the policy store has been lost. To recreate the SmHost. There may be situations when you want to re-register a trusted host independent of an Agent installation. you must first remove the host from the Policy Server User Interface unless you use the smreghost command argument. Enter the following two commands: <library_path_variable>=${library_path_variable}:<web_agent_hom e>/bin export <library_path_variable> For example. which lets you overwrite an existing trusted host without having to delete it from the Policy Server. and is located in the directory <web_agent_home>/bin. you are prompted to register that server as a trusted host. such as: To rename the trusted host if there has been a change to your SiteMinder environment. -o. 2. use the Registration Tool. Ensure that the library path environment variable contains the path to the Web Agent’s bin directory.Re-register a Trusted Host Using the Registration Tool (UNIX) Re-register a Trusted Host Using the Registration Tool (UNIX) When you install a Web Agent on a server for the first time. Install a Web Agent on a UNIX System 67 .conf configuration file if it is lost. To register a trusted host if the trusted host has been deleted in the Policy Server User Interface. To re-register a trusted host. Once the trusted host is registered. To change the shared secret that secures the connection between the trusted host and the Policy Server. Operating System i <policy_server_IP_ address:port> Path Variable IP address of the Policy Server where you are registering this host. Example: smreghost -i 123. which can be a nondefault port.1. (required) 68 Web Agent Installation Guide . accounting).1 -u SiteMinder -p mypw -hn hostA -hc DefaultHostSettings Example with the -o argument: smreghost -i 123. (required) Password for the Administrator allowed to register a trusted host.Re-register a Trusted Host Using the Registration Tool (UNIX) Operating System Solaris HP-UX LINUX AIX 4. Path Variable LD_LIBRARY_PATH SHLIB_PATH LD_LIBRARY_PATH LIBPATH Enter the smreghost command using the following required arguments: smreghost -i <policy_server_IP_address:[port]> -u <administrator_username> -p <Administrator_password> -hn <hostname_for_registration> -hc <host_configuration_ object> Note: There should be a space between each command argument and its value.conf file will be: "112.5555.5. authorization. the unified server responds to any Agent request on any port. which is 44442.2. (required) If you specify a port number.123. Specify the port of the authentication server only if you are not using the default.1 -u SiteMinder -p mypw -hn hostA hc DefaultHostSettings -o The following table lists all the smreghost command arguments.5555" u <administrator_us ername> p <Administrator_pa ssword> Name of the SiteMinder administrator with the rights to register a trusted host.5555. The policyserver entry in the SmHost.123. that port is used for all three Policy Server servers (authentication. however.1.11. this name is placed in the Trusted Host list in the Policy Server User Interface. the file is installed in the location where you are running the smreghost tool. If you do not specify a path.conf. but it must be unique. This can be any name that identifies the host. (optional for PKCS11 encryption) ck <crypto_provider_ Passphrase for the token. (optional) cd <crypto_provider _DLL_path> Full path to the PKCS11 DLL. After registration. Only use this token_label> argument if there is a token label. The proper syntax is -o Install a Web Agent on a UNIX System 69 . (required) hc <host_config_obj ect> f <path_to_host_con Full path to the file that contains the registration fig_file> data. (required for PKCS11 encryption) ct <crypto_provider_ Token label for the hardware token. (optional) cp <cryptographic_pr Name of the cryptographic provider you are using ovider> for encryption.bk extension to the backup file name. (required for PKCS11 token_pin> encryption) o <overwrite_existin g_trusted_host> Overwrites an existing trusted host without having to delete it first. If you use the same name as an existing host configuration file. The default file is SmHost. If you do not specify a value. This DLL is installed with the nCipher software installed on same Web server as the Web Agent. (required) Name of the Host Configuration Object configured at the Policy Server. BSAFE is the default. the tool backups up the original and adds a .Re-register a Trusted Host Using the Registration Tool (UNIX) Operating System hn <hostname_for_r egistration> Path Variable Name of the host to be registered. conf file or that file will be overwritten. Do not register a new host and use an existing Web server’s SmHost. use one of the following methods: Registering with the Configuration Wizard: To register additional servers as trusted hosts. You can use the name SmHost. You can run this tool for each trusted host that you want to register. enter a unique path. You may want a secure connection for each application. However. it is an option for sites who require distinct.conf file. For example. Using multiple trusted hosts ensures a unique shared secret and a secure connection for each client requiring communication with the Policy Server.conf or give the file a new name. Note: If you have registered a trusted host with a Policy Server and you run the Configuration Wizard to configure subsequent Agents without using a unique path for the SmHost. you can register multiple trusted hosts on one computer to create distinct connections for each SiteMinder client. you will see a warning message in the Host Registration dialog box. The message reads: "Warning: You have already registered this Agent with a Policy Server. 70 Web Agent Installation Guide . when prompted to specify a location for the SmHost.conf file. however. an application service provider may have many client computers with different applications installed." Registering with the smreghost command-line tool: Run the smreghost tool after you have completed the first Agent installation on a given computer. To register multiple trusted hosts. which you can achieve by registering multiple trusted hosts.Register Multiple Trusted Hosts on One System (UNIX) More Information Re-register a Trusted Host Using the Registration Tool (UNIX) (see page 67) Register Multiple Trusted Hosts on One System (UNIX) You typically register only one trusted host for each machine where Web servers and Web Agents are installed. secure channels for each client or group of client applications protected by SiteMinder Agents. For most installations this is not a recommended configuration. The Policy Server then issues unique shared secrets for each client connection. go through the registration process again. However. where web_agent_home is the installed location of the Web Agent.0. This directory includes files that support Registration Services in hierarchical and flat user directory structures. and formsja folders are used by Registration Services with DMS v1. Install a Web Agent on a UNIX System 71 .Registration Services Installed Files (UNIX) Registration Services Installed Files (UNIX) The Web Agent installation installs a number of virtual and physical directories for Registration Services: Virtual Directories siteminderagent/dmspages siteminderagent/dmsforms You can view these directories using the Internet Services Manager and looking at the Default Web Site for your server. You should not modify these files unless you are using Registration Services with DMS v1. Physical Directories The Web Agent installation puts the Registration Services sub-directories in: <web_agent_home>/samples Contains files used by Registration Services that you can customize. <web_agent_home>/samples_default Contains backup files for Registration Services. Do not modify these files. formsfr.fcc files. Directory dmspages Description Contains JSPs and JavaScript used in Registration Services pages. The following table describes each directory. Contains the directories: Default—Contains properties files for configuring a hierarchical directory structure Default_attr-based—Contains properties files for configuring a flat directory structures Important! The forms. dmsforms properties Contains . which collect user credentials.0. . 0.0 (see page 73) Configure an IIS Web Agent Before you configure the Web Agent on an IIS 6.0 The Web Agent can operate with an IIS 6.Chapter 4: Configure a Web Agent This section contains the following topics: Configure an IIS Web Agent (see page 73) Configure a Sun Java System Web Agent (see page 79) Configure an Apache Web Agent (see page 89) Configure a Domino Web Agent (see page 101) Configure Any Web Agent in Unattended Mode (see page 108) Reconfigure a Web Agent (see page 111) Tune the Shared Memory Segments (Apache and Sun Java System) (see page 112) Set Up Additional Agent Components (see page 115) Use SiteMinder Password Services (see page 116) More Information Prerequisites for Configuring the Web Agent on IIS 6. run the Configuration Wizard for an IIS Web Agent.0 Web server. After completing these prerequisites. <web_agent_home> refers to the installed location of the SiteMinder Web Agent. do the following: 1. Allow IIS to execute Web Agent ISAPI and CGI extensions. 2. 3.0 Web server on Windows Server 2003. Prerequisites for Configuring the Web Agent on IIS 6. Before you configure the Web Agent on IIS 6. Assign read permissions to samples and error files directories. In these procedures. you will need to complete some prerequisites. More Information Assign Read Permissions to Samples and Error Files Directories (see page 74) Allow IIS to Execute Web Agent ISAPI and CGI Extensions (see page 75) Run the Configuration Wizard for an IIS Web Agent (see page 77) Configure a Web Agent 73 . Open Windows Explorer and go to the appropriate directory: samples: <web_agent_home>/samples custom error file: the location or your custom error files. 1. In the Permissions for Network Service scroll-box. Select the Security tab. 2. Note: You have to perform the procedure for each directory. b. Click OK to finish. Accept the defaults for the Select this object type and From this Location fields. 4.Configure an IIS Web Agent Assign Read Permissions to Samples and Error Files Directories The Network Service account must have Read permissions to any directory where the Web Agent reads forms credential collector (FCC) files and to any directory where the Web Agent reads Web Agent custom error files. or Groups dialog box opens. You return to the Properties dialog box for the directory. Right-click the directory and select Sharing and Security. allow Read permissions. The Select Users. 7. In the Enter the object names to select field. Click Add. Do one of the following: a. 5. 74 Web Agent Installation Guide . Computers. There is no default location. 6. enter Network Service and click OK. 3. Double-click Web Service Extensions to open the extensions dialog box. in <web_agent_home>/pw Suggested extension name: Password Services CGI smpwservicescgi. Open the Internet Information Services (IIS) Manager.0 servers. The Add File dialog box opens. You return to the Web Service Extensions dialog box.exe.dll file in <web_agent_home>/bin. Repeat these steps for the following additional Web Agent files. c. navigate to the ISAPI6WebAgent. then click OK.exe. smpwservicescgi. Using the Browse button. Configure a Web Agent 75 .Configure an IIS Web Agent Allow IIS to Execute Web Agent ISAPI and CGI Extensions To permit the IIS 6.0 Servers The following sections contain configuration notes for Web Agents on IIS 6. 1. 4.0 Web server to execute Web Agent ISAPI and CGI scripts and other files. Select Add a new Web service extension. 3. The New Web Service Extension dialog box opens. add the appropriate extensions. the files are in different directories so you need to add an extension for each. then click Add. b. 2. enter ISAPI6WebAgentDLL. In the Extension name field. in <web_agent_home>/pw_default Suggested extension name: PW Default CGI Configuration Notes for Web Agents on IIS 6. For each ISAPI Web Agent: a. Though they are the same extension. and select the web server you are configuring for the Web Agent. following Microsoft IIS development guidelines. the ISAPI filters should be used for filtering requests and the ISAPI extensions should be used to process and/or redirect requests.0 processes ISAPI filters before calling ISAPI extensions.0 is unable to authenticate or authorize access to applications implemented as pure ISAPI filters.Configure an IIS Web Agent IIS 6. Therefore.0 Web server does not enforce how third-party filters and extensions behave. The Web Agent must be configured as the first wildcard application map if it is going to protect applications running as or spawned by an ISAPI extension.0 Web Agent consists of an ISAPI filter and an ISAPI extension. than the default of 2. Note: The IIS 6.0 Web Agent Operating with Third-Party Software on the Same Server The IIS 6.0 Web Server with other thirdparty software.5 MB will be used. 76 Web Agent Installation Guide . Create a new DWORD registry key in SOFTWARE\Netegrity\SiteMinder Web Agent\Microsoft IIS called MaxRequestAllowed. refer to Microsoft IIS 6.0 Web server has its own size limit. 2. Changing the Web Agent’s limit will not affect the IIS 6. The value of this key overrides the default limit.0 limit. Set this value to the desired file size limit. the SiteMinder Web Agent for IIS 6. including the Web Agent extension.5 MB for uploading files. These guidelines specify that for the IIS 6. if those offerings are implemented as ISAPI filters that process and/or redirect the request before ISAPI extensions are called. IIS 6. If the value of this key is less than or equal to 0. such as WebSphere or ServletExec.0 Web server. The IIS 6.0 Has Size Limit for Uploading Files The Web Agent installed on an IIS 6.0 Web server has a size limit of 2. This limitation impacts Web Agent integration with other third-party offerings for the IIS 6.0 Web server. Web Agent on IIS 6. To upload files that are larger than this limit: 1. When the Web Agent is installed on an IIS 6.0 documentation. the Agent has the following restrictions: The Web Agent filter and Web Agent extension must be configured to run before other third-party filters installed on the Web server.0 server’s limit. The majority of Web Agent processing occurs in the extension. If you want to change the IIS 6. enter the name of the Agent Configuration Object for this Web server instance. a. you may want to register the system where the Agent is installed as a trusted host. If necessary. If you want to configure Registration Services for DMS2.Configure an IIS Web Agent Run the Configuration Wizard for an IIS Web Agent Before you configure the Agent. In the Agent Configuration Object field. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. Important! If you uncheck a previously configured server. then click Next. This dialog box lists the Web servers that you have previously configured. select No. Click Next. If you have placed the Wizard shortcut in a nondefault location. enter IISDefaultSettings to use the default. SiteMinder automatically starts the wizard automatically. 5. the Web Agent will be removed from this server. If the Web Agent Configuration Wizard does not detect a servlet engine. The default method is to select Start. This name must match an Agent Configuration Object already defined at the Policy Server. For example. 3. Select the Web server instances that you want to configure with Web Agents. then click Next. SiteMinder. To configure an IIS Web Agent: 1. 2. Preserve—to preserve the Web servers configuration. If you have registered the trusted host. the Select Servlet Engine for Registration dialog box is not displayed. b. If not. Web Agent Configuration Wizard. If not. you can do this at a later time. Note: If you chose to configure the Web Agent immediately after the installation. A servlet engine is required to run Self Registration. the procedure will be different. 4. Programs. select No in the Host Registration dialog box to skip registration. Select one of the following: Overwrite—to overwrite the server instance configuration. start the Web Agent Configuration Wizard. the Wizard displays the Select One or More Instances to Overwrite dialog box. select Yes. If you selected Yes to configure Registration Services: Configure a Web Agent 77 . skip to the next step. however. Services and Applications. In the Web Server Configuration Summary dialog box.properties file on the Web Agent. Note: You need to reboot the machine once the Agent is configured to ensure proper logging of Agent and trace messages. select Other Advanced server. In the Self Registration Services Admin Account dialog box. d. then click Install. b. Computer Management. Double click the World Wide Web Publishing Service. Admin Password and Admin Confirm Password fields and click Next. you need to allow the associated Web-server service to interact with the desktop. c. Click OK. Enable the Web Agent: a. Exit the Control Panel. identify the the DMS Administrator by provide values for the Admin User Name. you access Services by selecting Administrative Tools. Select Allow Service to Interact with Desktop. 7. The user name and password that you enter here must match the DMS Admin values you set at the Policy Server. this checkbox is on the Log On tab for the World Wide Web Publishing Service. Set the EnableWebAgent parameter to Yes. On Windows 2000. On Windows 2000. 9. Save the file and restart the Web server. such as selfregistration. e. The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. Click Next. The user name and encrypted password for the account are stored in the dms. Open the Services control panel. confirm that the configuration settings are correct.conf file located in <web_agent_home>\bin\IIS Example: C:\Program Files\netegrity\webagent\bin\IIS b. To configure the service to interact with the desktop: a. This allows the service to prompt for the hardware’s associated passphrase. If you do not see your engine displayed. 78 Web Agent Installation Guide . Open the WebAgent. 8. Select a servlet engine to be configured for the web server. 6. The Web Agent files are installed. c. If you enabled cryptographic hardware on an Agent.Configure an IIS Web Agent a. b. The Service dialog box opens. Click Done when the installation is complete. Configure an IIS Web Agent More Information Register Your System as a Trusted Host on Windows (see page 35) Install a Web Agent on a Windows System (see page 29) Put the Agent Filter and Extension Before Other Third-Party Filters After you install and configure an IIS 6. the Agent’s filter is automatically placed at the top of the ISAPI filters list. b.0 Web server. c. To check the filter order: a. However. If it is not. Select the ISAPI Filters tab. if you install any other third-party plugins after installing the Web Agent. Configure a Web Agent 79 . those filters may take precedence. d. use the Move Up button to place it at the top of the list. Click OK. Open the IIS Manager. go to the application settings and display the Application Mappings list to see the list of extensions. f. Checking the ISAPI Extensions To ensure the ISAPI extension is listed first. e. Exit the IIS Manager. Select Web Sites then right-click and select Properties. Checking the ISAPI Filter When you install the Web Agent on an IIS 6. Check the list of filters and ensure that siteminderagent is the first entry in the list. In the Home Directory tab. open the IIS management console and access the properties for the Web server top level or for the server’s default Web site.0 Web Agent. This enables the Web Agent to process requests before a third-party. it is essential that the siteminderagent ISAPI filter and extension be listed before any third-party filter or extension. 80 Web Agent Installation Guide .Configure a Sun Java System Web Agent Configure a Sun Java System Web Agent The following sections discuss configuring a Sun Java System Web Agent. 3. Web Agent Configuration Wizard. Programs. 2. <web_agent_home> refers to the installed location of the SiteMinder Web Agent. skip to the next step. If you have placed the Wizard shortcut in a nondefault location. More Information Run the Configuration Wizard on Windows (see page 81) Configure Any Web Agent in Unattended Mode (see page 108) Register Your System as a Trusted Host on Windows (see page 35) Run the Configuration Wizard on Windows To configure the Web Agent on an Sun Java System Web server: 1. To register a trusted host. you can do this at a later time. a. the Wizard displays the Select One or More Instances to Overwrite dialog box. The default method is to select Start. SiteMinder. If necessary. start the Web Agent Configuration Wizard. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. This dialog box lists the Web servers that you have previously configured.Configure a Sun Java System Web Agent Configure Sun Java System Web Agents on Windows Systems There are two ways to configure a Web Agent on Windows: GUI mode Unattended mode Before you configure the Agent. Select one of the following: Overwrite—to overwrite the server instance configuration. If not. you may want to register the system where the Agent is installed as a trusted host. the procedure will be different. Note: In these procedures. then click Next. If you have already done host registration. go to the installation chapter for your platform. Configure a Web Agent 81 . Preserve—to preserve the Web servers configuration. Note: If you chose to configure the Web Agent immediately after the installation. SiteMinder automatically starts the wizard automatically. Select the Web server instances that you want to configure with Web Agents. select No in the Host Registration dialog box to skip registration. however. Configure a Sun Java System Web Agent Important! If you uncheck a previously configured server. X509 Client Cert or Form—The X.509 V3 client certificates. Click Next.509 Client Certificate and Basic authentication.509 Client Certificate and HTML Forms authentication scheme combines the use of X. Using this scheme. The user’s X.509 client certificate must be verified or the user must provide the credentials requested by an HTML form. X509 Client Cert and HTTP Basic—combines X. or he or she must provide a valid user name and password. 5. X509 Client Cert and Form—The X. The selections are: HTTP Basic over SSL—identifies a user based on a user name and password. the user’s X. If the Agent is not providing advanced authentication. For example. Click Next. set the Agent’s EnforcePolicies setting to No to improve performance. X509 Client Certificate—identifies a user based on X.509 client certificate must be verified. enter the name of the Agent Configuration Object for this Web server instance. this guide. Certificate authentication uses SSL communication.509 Client Certificate and Basic authentication. Digital certificates act as a signature for a user. X509 Client Cert or HTTP Basic—combines X. The user’s X.509 Client Certificates and the use of customized HTML forms to collect authentication information. refer to CA eTrust Policy Design or.509 Client Certificate or HTML Forms authentication scheme combines the use of X. If this Web Agent is installed on an SSL server to handle only credential collection requests for advanced authentication schemes. select No advanced authentication. refer to CA eTrust Policy Design. If applicable. b. Using this scheme. The credential delivery is always done over an encrypted Secure Sockets Layer (SSL) connection.509 client certificate must be verified and he or she must provide a valid user name and password. In the Agent Configuration Object field. select one of the advanced SSL authentication schemes listed in the SSL Authentication dialog box. then click Next. for local configuration. the user’s X. 82 Web Agent Installation Guide . To modify the Agent’s configuration.509 client certificate must be verified and the user must provide the credentials requested by an HTML form.509 Client Certificates and the use of customized HTML forms to collect authentication information. 4. This name must match an Agent Configuration Object already defined at the Policy Server. Note: For additional information about advanced authentication schemes. the Web Agent will be removed from this server. to use the default enter iPlanetDefaultSettings. identify the the DMS Administrator by provide values for the Admin User Name. Enable the Web Agent: a. 9. A servlet engine is required to run Self Registration. 10. Exit the Control Panel. Computer Management. select Yes. 8. select No. Confirm that the configuration settings are correct. the Select Servlet Engine for Registration dialog box is not displayed. The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. If the Web Agent Configuration Wizard does not detect a servlet engine.Configure a Sun Java System Web Agent 6. d. select Other Advanced server. The Web Agent files are installed and the Configuration Complete dialog box displays. If you do not see your engine displayed. Services and Applications. b. In the Self Registration Services Admin Account dialog box. 7. If you want to configure Self Registration for DMS2. Double click the appropriate iWS or Netscape server entry. In the Web Server Configuration Summary dialog box. e. b. you also need to allow the associated Web-server service to interact with the desktop. To configure the service to interact with the desktop: a. Click OK. If you enabled cryptographic hardware on an Agent. select Administrative Tools. then click Install. The user name and password that you enter here must match the DMS Admin values you set at the Policy Server. Click Next. If you selected Yes to configure Self Registration: a. Click Done to exit the Configuration Wizard. Open the Services control panel.properties file on the Web Agent. If not. The user name and encrypted password for the account are stored in the dms. Admin Password and Admin Confirm Password fields and click Next. Select a servlet engine to be set up for the web server. This allows the service to prompt for the hardware’s associated passphrase. The Service dialog box opens. Open the WebAgent.conf file. On Windows 2000. such as selfregistration. located in: <Sun_Java_System_server_home>\servers\httpshostname\config Configure a Web Agent 83 . Select Allow Service to Interact with Desktop. c. Configure a Sun Java System Web Agent b. Set the EnableWebAgent parameter to Yes. Note: In these procedures. you may want to register the system where the Agent is installed as a trusted host. 11. you can do this at a later time. <web_agent_home> refers to the installed location of the SiteMinder Web Agent. Configure Sun Java System Web Agents on UNIX Systems There are three modes you can use configure the Sun Java System Web Agent on UNIX: GUI mode Console mode Unattended mode Before you configure the Agent. More Information Configure Sun Java System Web Agents Using GUI or Console Mode (see page 85) Configure Any Web Agent in Unattended Mode (see page 108) Register Your System as a Trusted Host on Windows (see page 35) 84 Web Agent Installation Guide . however. Save the file. Apply changes to Sun Java System Web Server files. c. This is required for the Agent’s configuration to take effect. Specify the root path where the Sun Java System Web server is installed and click Next." as stated in the following procedure. c. Open a console window. 4. 5. b. 3. If necessary. If you have already done host registration. Otherwise. run the installation in GUI or unattended mode. which corresponds to this server. then click Next. /opt/iPlanet/servers./nete-wa-config. To configure the Web Agent on an Sun Java System Web Server: 1. select the option for the iPlanet or Sun ONE Web Server and click Next. select the option to skip host registration. go to the installation chapter for your platform.bin -i console 2. start the Configuration Wizard. Configure a Web Agent 85 .Configure a Sun Java System Web Agent More Information Apply Changes to Sun Java System Web Server Files (see page 88) Configure Sun Java System Web Agents Using GUI or Console Mode These instructions are for GUI and Console Mode configuration. you enter a 3. The prompts for each mode will help guide you through the process. You can click Choose to locate the root directory. The steps for the two modes are the same. For example. To register the trusted host.bin Console mode: ./nete-wa-config. Navigate to <web_agent_home>/install_config_info Enter one of the following commands: GUI mode: . Select the Web server instances that you want to configure with Web Agents. skip to the next step. with these exceptions for Console Mode: You may be instructed to select an option by entering a corresponding number. All passwords that you enter are displayed in clear text. In the Select Web Server(s) dialog box. To workaround this issue. to select the Sun Java System Web Server. Press ENTER after each step to proceed through the process instead of "clicking Next. a. For example. If applicable. the user’s X. or he or she must provide a valid user name and password.Configure a Sun Java System Web Agent If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. X509 Client Certificate—identifies a user based on X. Click Next following your choice. to use the default enter iPlanetDefaultSettings. The user’s X.509 Client Certificate and Basic authentication. select No advanced authentication.509 V3 client certificates.509 client certificate must be verified or the user must provide the credentials requested by an HTML form.509 Client Certificate or HTML Forms authentication scheme combines the use of X. This dialog box lists the Web servers that you have previously configured. The credential delivery is always done over an encrypted Secure Sockets Layer (SSL) connection. 7. a. the Wizard displays the Select One or More Instances to Overwrite dialog box. 86 Web Agent Installation Guide . For example.509 Client Certificates and the use of customized HTML forms to collect authentication information. Important! If you uncheck a previously configured server. X509 Client Cert or Form—The X. This name must match an Agent Configuration Object already defined at the Policy Server. Select one of the following: Overwrite—to overwrite the server instance configuration. X509 Client Cert or HTTP Basic—combines X.509 client certificate must be verified. If the Agent is not providing advanced authentication. The user’s X. 6. The selections are: HTTP Basic over SSL—identifies a user based on a user name and password. select one of the advanced SSL authentication schemes listed in the SSL Authentication dialog box. X509 Client Cert and HTTP Basic—combines X. the Web Agent will be removed from this server. enter the name of the Agent Configuration Object for this Web server instance. Using this scheme. Click Next. In the Agent Configuration Object field. Certificate authentication uses SSL communication.509 Client Certificate and Basic authentication.509 client certificate must be verified and he or she must provide a valid user name and password. Preserve—to preserve the Web servers configuration. Digital certificates act as a signature for a user. b. identify the the DMS Administrator by provide values for the Admin User Name.conf file. To modify the Agent’s configuration. If you do not see your engine displayed. the Select Servlet Engine for Registration dialog box is not displayed. The Web Agent files are installed and the Configuration Complete message is displayed.properties file on the Web Agent. Enable the Web Agent: a.Configure a Sun Java System Web Agent X509 Client Cert and Form—The X. select No. Note: For additional information about advanced authentication schemes. Admin Password and Admin Confirm Password fields and click Next. Open the WebAgent. the user’s X. set the Agent’s EnforcePolicies setting to No to improve performance. such as selfregistration. If not. b. In the Web Server Configuration Summary dialog box. refer to CA eTrust Policy Design or. If you selected Yes to configure Self Registration: a. refer to CA eTrust Policy Design. Using this scheme.509 client certificate must be verified and the user must provide the credentials requested by an HTML form. Click Done when the installation is complete. Set the EnableWebAgent parameter to Yes. this guide. 9. Click Next. In the Self Registration Services Admin Account dialog box. for local configuration. Select a servlet engine to be configured for the web server. If this Web Agent is installed on an SSL server to handle only credential collection requests for advanced authentication schemes. then click Install. A servlet engine is required to run Self Registration. If you want to configure Self Registration for DMS2. The user name and encrypted password for the account are stored in the dms. Confirm that the configuration settings are correct. select Yes. 8. The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. The user name and password that you enter here must match the DMS Admin values you set at the Policy Server. located in <Sun_Java_System_server>/servers/https-hostname/config b. If the Web Agent Configuration Wizard does not detect a servlet engine. 10.509 Client Certificates and the use of customized HTML forms to collect authentication information. select Other Advanced server. 11.509 Client Certificate and HTML Forms authentication scheme combines the use of X. Configure a Web Agent 87 . you must apply the changes to these files before making any modifications with the console or the Web Agent configuration may be lost. use the Configuration Wizard to reconfigure your Web Agent. Apply changes to the Sun Java System Web Server files.conf. 4. SiteMinder does not remove these settings later if the Agent is reconfigured to support a different advanced authentication scheme. Click Load Configuration Files.conf file when the Agent is configured to support an advanced authentication scheme. 5. Restart the Web server. More Information Settings Added to the Sun Java System Server Configuration (see page 167) Tune the Shared Memory Segments (Apache and Sun Java System) (see page 112) 88 Web Agent Installation Guide . To apply changes to the Sun Java System configuration files: 1. Note: The Web Agent adds settings to the Sun Java System’s obj. Apply Changes to Sun Java System Web Server Files The Web Agent Configuration Wizard makes changes to the Sun Java System server’s magnus. Restart the Web server. 6.conf. and mime. Administrators must edit the obj. 3. 2. obj. Exit the console. 7. d. select the Web server with the Web Agent installed and click Manage. If you plan to use the Sun Java System Administration console. If you lose your configuration. From the Servers tab. You will see a warning message about loading the modified configuration files. Optimize the Sun Java System Web Agent by tuning the shared memory segments. click Apply. You may be required reboot your machine once the Agent is configured.Configure a Sun Java System Web Agent c. 12. Log on to the Sun Java System Administration Server console. Save the file.conf file manually to remove the settings that are no longer relevant. This is required for the Agent’s configuration to take effect.types files. In the right corner of the dialog box. 0. however.Configure an Apache Web Agent Configure an Apache Web Agent The following sections explain how to configure an Apache Web Agent. If you have already done host registration. Programs. Select this option for an Apache Web server and re-enter the root path. If necessary. To register the trusted host. Web Agent Configuration Wizard. you can do this at a later time. HP Apache-based. then click Next. or Stronghold server. The default method is to select Start. Configure an Apache Web Agent on Windows Systems Before you configure the Agent. In this case. select the option to skip host registration. If you installed the Agent on an Apache-based server. Stronghold). If you’ve placed the Wizard shortcut in a non-default location. select the radio button for the Apache Web Server and click Next. IBM HTTP Server. I would like to enter a specific configuration path. specify the Apache Web server root. start the Web Agent Configuration Wizard. 4. such as Covalent server. go to the installation chapter for your platform. the Configuration Wizard displays the Apache Web Server Failure dialog box with the following options: I would like to re-enter the Apache Server Root. Otherwise. IBM HTTP. I don’t have an Apache Web server. the Web Agent may not recognize the path. To configure the Apache Web Agent: 1. Select this option if you are using an Apache-based Web server (Covalent. the procedure will be different. SiteMinder. skip to the next step. 3. Configure a Web Agent 89 . In these procedures. Oracle. you may want to register the system where the Agent is installed as a trusted host. In the Select Web Server(s) dialog box. Note: Apache Web Agents are only supported on Windows systems using Apache Web Server version 2. In the Apache Web Server Path dialog box. 2. You are prompted to enter the full configuration path to the Web server root. <web_agent_home> refers to the installed location of the SiteMinder Web Agent. identify the the DMS Administrator by provide values for the Admin User Name. In the Self Registration Services Admin Account dialog box. Click Next. the Wizard displays the Select One or More Instances to Overwrite dialog box. select No and go to Step . select Other Advanced server. 7. In the Agent Configuration Object field.0 6. 90 Web Agent Installation Guide . If you do not see your engine displayed. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. Click Next. b. b. to use the default enter ApacheDefaultSettings. If the Web Agent Configuration Wizard does not detect a servlet engine. This name must match an Agent Configuration Object already defined at the Policy Server. The user name and password that you enter here must match the DMS Admin values you set at the Policy Server. Select the Web server instances that you want to configure with Web Agents. Select from these two options: Apache version 1. Select one of the following: Overwrite—to overwrite the server instance configuration. Preserve—to preserve the Web servers configuration. the Select Servlet Engine for Registration dialog box is not displayed. a. specify the version of Apache you are using. A servlet engine is required to run Self Registration. Important! If you uncheck a previously configured server. select Yes. If not. Admin Password and Admin Confirm Password fields and click Next. 5. If you selected Yes to configure Self Registration: a. This dialog box lists the Web servers that you have previously configured. Following the server root path.Configure an Apache Web Agent Choose this option to skip Apache configuration and continue with the Agent configuration. enter the name of the Agent Configuration Object for this Web server instance.0 Apache version 2. If you want to configure Self Registration for DMS2. Click Next. For example. Select a servlet engine to be configured for the web server. the Web Agent will be removed from this server. 8. The Web Agent files are installed. 10. Enable the Web Agent: a. To configure the service to interact with the desktop: a. The user name and encrypted password for the account are stored in the dms. More Information Register Your System as a Trusted Host on Windows (see page 35) Configuration Changes to Web Servers with Apache Web Agent (see page 175) Configure an Apache Web Agent (see page 89) Configure a Web Agent 91 . Restart the Web server. Click Done when the installation is complete. On Windows 2000.conf changes to take effect. Services and Applications. Open the WebAgent. then click Install. Save and close the file. This allows the service to prompt for the hardware’s associated passphrase. If you enabled cryptographic hardware on an Agent. 11. When you run the Configuration Wizard for the Apache Web Agent. Select Allow Service to Interact with Desktop.conf file. from the control panel select Administrative Tools.conf file and to the library path. Exit the Control Panel. In the Web Server Configuration Summary dialog box. you need to allow the associated Web-server service to interact with the desktop. c. located as follows: <Apache_home>\conf where Apache_home is the installed location of the Apache Web server. it makes changes to the Web Server’s httpd. c. you need to restart the web server. b. Computer Management. For httpd. Click OK.Configure an Apache Web Agent The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. 9. The Service dialog box opens. Set the EnableWebAgent parameter to Yes. Confirm that the configuration settings are correct. such as selfregistration. 13.properties file on the Web Agent. b. e. Open the Services Control Panel. 12. Double click the appropriate Apache server entry. d. 0.0. Covalent FastStart.3 HTTP Server (see page 100) 92 Web Agent Installation Guide . Before you configure the Agent.3 HTTP Servers. and Oracle HTTP Web server. you may want to register the system as a trusted host. All the information for the Apache Web server applies to those Web servers also.2/9.Configure an Apache Web Agent Configure an Apache Web Agent on UNIX Systems There are three modes you can use configure the Apache Web Agent on UNIX: GUI mode Console mode Unattended mode Notes: For Stronghold. Covalent Enterprise Ready Server. More Information Configure an Apache Web Agent Using GUI or Console Mode (see page 93) Configure Any Web Agent in Unattended Mode (see page 108) Register Your System as a Trusted Host on Windows (see page 35) Configure Apache for Oracle 9. you can do this at a later time.0. IBM HTTP Web server. you need to follow other configuration instructions. however. the Apache Web Agent is the Agent you should have installed. HP Apache-based Web server. For Apache Web Agents installed on Oracle 9. In this case. select the option for the Apache Web Sever and click Next. Click Next. Oracle. The steps for the two modes are the same. If you have already done host registration. HP Apache-based." as stated in the following procedure. Configure a Web Agent 93 . 4.Configure an Apache Web Agent Configure an Apache Web Agent Using GUI or Console Mode These instructions are for GUI and Console Mode configuration. select the option to skip host registration. Open a console window. c.bin Console mode: . In the Select Web server(s) dialog box. To configure the Apache Web Agent: 1. skip to the next step. Otherwise. or Stronghold server. Stronghold). If you installed the Agent on an Apache-based server. /opt/apache2. Press ENTER after each step to proceed through the process instead of "clicking Next. run the installation in GUI or unattended mode. then click Next. a. The prompts for each mode will help guide you through the process. To register the trusted host. start the Configuration Wizard. All passwords that you enter are displayed in clear text. You are prompted to enter the full configuration path to the Web server root.bin -i console 2. with these exceptions for Console Mode: You may be instructed to select an option by entering a corresponding number. which corresponds to this server./nete-wa-config. Select this option for an Apache Web server and re-enter the root path. b. For example. for example. To workaround this issue. If necessary./nete-wa-config. to select the Apache Web Server. IBM HTTP Server. I would like to enter a specific configuration path. Select this option if you are using an Apache-based Web server (Covalent. 3. such as Covalent server. the Configuration Wizard displays the Apache Web Server Failure dialog box with the following options: I would like to re-enter the Apache Server Root. In the Apache Web Server Path dialog box. IBM HTTP. you enter a 1. go to the installation chapter for your platform. Navigate to <web_agent_home>/install_config_info Enter one of the following commands: GUI mode: . the Web Agent may not recognize the path. specify the Apache Web Server root. 7. b. Important! If you uncheck a previously configured server. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. the Select Servlet Engine for Registration dialog box is not displayed. select Yes. Select one of the following: Overwrite—to overwrite the server instance configuration. If you want to configure Self Registration for DMS2. select No. Preserve—to preserve the Web servers configuration. the Wizard displays the Select One or More Instances to Overwrite dialog box. If you do not see your engine displayed. Click Next. Select the Web server instances that you want to configure with Web Agents. This name must match an Agent Configuration Object already defined at the Policy Server. Following the server root path. 8. b. If not.0 Apache version 2.Configure an Apache Web Agent I don’t have an Apache Web server. enter the name of the Agent Configuration Object for this Web server instance. identify the the DMS Administrator by provide values for the Admin User Name.0 6. If you selected Yes to configure Self Registration: a. a. Click Next. A servlet engine is required to run Self Registration. If the Web Agent Configuration Wizard does not detect a servlet engine. to use the default enter ApacheDefaultSettings. specify the version of Apache you are using. the Web Agent will be removed from this server. 94 Web Agent Installation Guide . This dialog box lists the Web servers that you have previously configured. 5. In the Self Registration Services Admin Account dialog box. Select from these two options: Apache version 1. Select a servlet engine to be configured for the web server. Admin Password and Admin Confirm Password fields and click Next. Choose this option to skip Apache configuration and continue with the Agent configuration. select Other Advanced server. Click Next. In the Agent Configuration Object field. For example. c. then click Install.conf file and to the library path. Enable the Web Agent: a. located as follows: <Apache_home>/conf b. Set the EnableWebAgent parameter to yes. More Information Configuration Changes to Web Servers with Apache Web Agent (see page 175) Configure an Apache Web Agent (see page 89) Tune the Shared Memory Segments (Apache and Sun Java System) (see page 112) Configure a Web Agent 95 . Restart the Web server. For httpd. The user name and encrypted password for the account are stored in the dms. 11. For Apache on UNIX systems. Confirm that the configuration settings are correct. 9.conf file. Click Done when the installation is complete. optimize the Apache Web Agent by tuning the shared memory segments. Open the WebAgent. The Web Agent files are installed. 13. In the Web Server Configuration Summary dialog box.Configure an Apache Web Agent The user name and password that you enter here must match the DMS Admin values you set at the Policy Server. When you run the Configuration Wizard for the Apache Web Agent. you need to restart the web server.conf changes to take effect. such as selfregistration. 12. 10.properties file on the Web Agent. The DMS Administrator account secures DMS requests that are performed outside of the scope of a DMS administrator. it makes changes to the Web Server’s httpd. Save and close the file. however. you can improve server performance by modifying the default configuration settings. Set the LD_PRELOAD Variable for Apache Agent Operation The LD_PRELOAD variable needs to be defined for the Apache Web Agent to operate on different platforms. these changes are not required: For low-traffic Web sites. More Information Set the LD_PRELOAD Variable for an Oracle 10G Web Server on Linux (see page 97) Set the LD_PRELOAD Variable for Apache Web Server on SUSE Linux 98 (see page 97) Set the LD_PRELOAD Variable for SSL Configuration on an IBM HTTP Server 2.0. Apache20WebAgent.conf File to Improve Server Performance Optionally. define the following directives: Set MaxRequestsPerChild>3000 or Set MaxRequestsPerChild=0 MinSpareServers >10 MaxSpareServers>15 StartServers=MinSpareServers>10 Note: For all Web sites (low and high traffic).0 System (see page 98) 96 Web Agent Installation Guide .dll must be assigned a higher priority level than other auth or access modules installed on your Apache and Sun Java System configuration.Configure an Apache Web Agent Add Entries to the httpd. define the following directives: Set MaxRequestsPerChild>1000 or Set MaxRequestsPerChild=0 MinSpareServers >5 MaxSpareServers>10 StartServers=MinSpareServers>5 For high-traffic Web sites.47/Linux AS 3. so. a load change may spawn multiple processes that eventually consume 100% of the CPU cycles.so.x on an Oracle 10G Web server running on a Linux platform. Open the apachectl file. Add the LD_PRELOAD entry as follows: LD_PRELOAD=<web_agent_home>/bin/libbtunicode. If the LD_PRELOAD variable is not included in the apachectl script. When a SAML Affiliate Agent is running on an Apache Web Server.so Without this setting. only set this variable when starting or stopping a Web server that loads the SiteMinder Web Agent. Therefore. 2. Configure a Web Agent 97 .so export LD_PRELOAD 3. 1.x on an Apache Web server running on SUSE 9. set this variable only when starting or stopping a Web server that loads the SiteMinder Web Agent. Run the script to start the Apache server. you must set the LD_PRELOAD environment variable in the apachectl script. two problems may occur: The Apache web server may dump core upon shutdown. Note: Setting this environment variable causes any application executed from that environment to bind with libbtunicode.Configure an Apache Web Agent Set the LD_PRELOAD Variable for Apache Web Server on SUSE Linux 98 After you install the Web Agent v6. you must set the LD_PRELOAD environment variable as follows: LD_PRELOAD=<web_agent_home>/bin/libbtunicode. Set the LD_PRELOAD Variable for an Oracle 10G Web Server on Linux After you install the Web Agent v6. Note: Setting this environment variable causes any application executed from that environment to bind with libbtunicode. Therefore. the Oracle 10G Web server may dump core upon shutdown and fail to restart. the key database file. 98 Web Agent Installation Guide .kdb.2-2.3 Set the LD_ASSUME_KERNAL for After you install the Web Agent on an Apache Web server running on SuSE Linux 9 for zSeries.21 export LD_ASSUME_KERNAL Note: 2.1 running SUSE8.4. To resolve this issue. key. Set LD_PRELOAD for Using X.3 After setting this variable.0.2-2.21 represents the kernel release that the SuSE z-Linux is using.4.47/Linux AS 3.47. set the following environment variable before starting the Domino Web Server: export LD_PRELOAD=/usr/lib/libstdc++-libc6.590-based Authentication Schemes on Domino 6. the graphical user interface for the IBM key management utility. set the following environment variable: export LD_PRELOAD=/usr/lib/libstdc++-libc6.0 System When configuring SSL on an IBM HTTP Server 2.5. To resolve this issue.3/SuSe8 Linux System When accessing resource protected with any X.509-based Auth Schemes with Domino 6. set the LD_ASSUME_KERNAL environment variable as follows: LD_ASSUME_KERNEL=2.0. crashes when it is used to create a key database. Without this setting.so. ikeyman.so. is created successfully.3/SuSe8 Linux.5. the following problems occur: The Apache Web server will not start properly. Host registration dumps core. the Domino Server Crashes and generates an NSD.Configure an Apache Web Agent Set the LD_PRELOAD Variable for SSL Configuration on an IBM HTTP Server 2. be sure the SHLIB_PATH is enabled in the Apache executable. If it is not enable. Notice that SHLIB_PATH is disabled. enter chatr +s enable httpd.0 web server running HP-UX 11. A partial sample of the output is shown below. A partial sample of the output is shown below. 1. Check if the SHLIB PATH is already enabled by executing the command chatr httpd. . shared library dynamic path search: SHLIB_PATH enabled second embedded path enabled first /home/userx/apache2043hp/lib: home/userx/apache2043hp//lib shared library list: Configure a Web Agent 99 . First the current values are shown followed by the new values.Configure an Apache Web Agent Enabling SHLIB Path for an Agent on Apache 2. httpd: current values: shared executable shared library dynamic path search: SHLIB_PATH disabled second embedded path enabled first /home/userx/apache2043hp/lib:/ home/userx/apache2043hp//lib .0/HP-UX 11 For the Web Agent to operate on an Apache 2. httpd: shared executable shared library dynamic path search: SHLIB_PATH disabled second embedded path enabled first /home/userx/apache2043hp/lib: home/userx/apache2043hp//lib 2. . you must install a server certificate using the Oracle Wallet Manager application.3 on a system running Solaris 8. For SSLenabled Oracle HTTP Servers. For more information.03. Prerequisites: Before you configure the Apache Agent for OHS. you must: 1. Solaris 9. or HP-UX 11i. Configure the Apache Web Agent for the Oracle Server Restart the Web Server as follows: a. see the documentation supplied with your Oracle HTTP Server. Optionally. 3. you should have already installed the Oracle Server 9.0.0. the Configuration Wizard makes changes to the server’s httpd.0.30 or later before installing the Oracle server. Install a Server Certificate (Required for SSL Only).0.Configure an Apache Web Agent Configure Apache for Oracle 9. 100 Web Agent Installation Guide .2/9.3 HTTP Server Oracle HTTP Server (OHS) is based on the Apache Web Server and is protected using the Apache Web Agent. More Information Configuration Changes to Web Servers with Apache Web Agent (see page 175) Configure an Apache Web Agent (see page 89) 2. Restart the Web Server by executing the command: dcmctl start –ct ohs –v Note: When you configure an Apache Web Agent on an Oracle HTTP Server. To configure the Apache Web Agent for Oracle HTTP Server.conf file. install patch a C++ runtime A.2/9. Stop the Web server from <OHS_home>/dcm/bin by executing the command: dcmctl stop b. For HP-UX 11i systems. org/realma/ Note: For information about implementing a reverse proxy solution on Apache. and the <URL> is a partial URL for the remote server. To successfully implement a reverse proxy solution. When a request for a resource is received by a reverse proxy server. This directive takes the following form: ProxyPassReverse <path> <URL> The <path> is the name of the local virtual path. The local server essentially mirrors the specified remote server.myorg.conf file by adding ProxyPass and ProxyPassReverse directives. as opposed to redirecting the request to a remote server over the Internet. For example: ProxyPass /realma/ http://server. Configure a Web Agent 101 .myorg. The ProxyPass directive takes the following form: ProxyPass <path> <URL> The <path> is the name of the local virtual path. For example: ProxyPassReverse /realma/ http://server. refer to the CA eTrust SiteMinder Web Agent Guide. the request is directed to a server behind the firewall.Configure an Apache Web Agent Modify the http.conf File for Apache Reverse Proxy Server A reverse proxy server acts on behalf of incoming requests to a company’s internal network as opposed to outgoing requests from a private network to the Internet. modify the http. and the <URL> is a partial URL for the remote server.org/realma/ The ProxyPassReverse directive allows Apache to adjust the Location header on the HTTP redirect responses. The ProxyPass directive allows remote servers to be mapped to the space of the local server. In the Select the Web server(s) dialog box. 4. select the radio button for the Domino Web Sever and click Next. the Wizard displays the Select One or More Instances to Overwrite dialog box. start the Web Agent Configuration Wizard. select the option to skip host registration. 2. such as C:\Lotus\Domino\notesdata. Web Agent Configuration Wizard. Preserve—to preserve the Web servers configuration. then click Next. To configure a Domino Web Agent: 1.ini file. then click Next. Note: In these instructions. Otherwise. Select one of the following: Overwrite—to overwrite the server instance configuration. SiteMinder. the procedure will be different. If you have already done host registration.Configure a Domino Web Agent Configure a Domino Web Agent The following sections explain how to configure a Domino Web Agent. however. In the Domino Web Server Path dialog box. To register the trusted host. go to the installation chapter for your platform.conf in the notes. 3. <web_agent_home> refers to the installed location of the Web Agent. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. Select the Web server instances that you want to configure with Web Agents. skip to the next step. If necessary. you may want to register the system where the Agent is installed as a trusted host. 102 Web Agent Installation Guide . The default method is to select Start. If you’ve placed the Wizard shortcut in a non-default location. you can do this at a later time. Programs. This dialog box lists the Web servers that you have previously configured. specify the location of the notes.ini file. Configure a Domino Web Agent on Windows Systems Before you configure the Agent. Note: The installation automatically writes the path to the WebAgent. a. 5. located in where you installed the Domino Web server root directory. For example. This name must match an Agent Configuration Object already defined at the Policy Server. to use the default enter DominoDefaultSettings. Save the file. 9. In the Agent Configuration Object field. In the Web Server Configuration Summary dialog box. 6. Open the WebAgent. confirm that the configuration settings are correct. enter the name of the Agent Configuration Object for this Web server instance. then click Next. c. 7. Click Done when the installation is complete. the Web Agent will be removed from this server. then click Install. b. Enable the Web Agent: a. b. 8. Click Next. More Information Register Your System as a Trusted Host on UNIX (see page 59) Configure a Web Agent 103 . The Web Agent files are installed.conf file. Set the EnableWebAgent parameter to YES.Configure a Domino Web Agent Important! If you uncheck a previously configured server. 6.nsf displayed. for example: C:\Program Files\netegrity\webagent\bin\ DOMINOWebAgent. Click Save and Close.dll file to the filter DLLs. In the Server field. 10. In the Database scroll box. Database. Restart the Web server. Select your server and click Edit Server. Open Lotus Notes. 104 Web Agent Installation Guide . In the left pane. 4. The server’s address book opens. Select the Internet Protocols tab. select the server’s address book. 2. 3. You may be required to reboot your machine after the Agent is configured. find the DSAPI filter file names field and enter the full path to the Domino Web Agent DLL. 7. Click Open. 9. In the DSAPI section of the window. Select File. To add the Domino Web Agent DLL: 1. The Web Agent DLL must be the first DLL in the list. 8. select the Domino Server where you installed the Web Agent. Open.dll Note: This entry should be the first in the list of filters. The Domino server’s administration console opens. 5. you must add the DOMINOWebAgent. 11. expand the Server folder and double-click on the All Server Documents icon. In the Filename field you should see names.Configure a Domino Web Agent Add the Domino Web Agent DLL (Windows) To make the Domino Web Agent operate properly. /nete-wa-config. All passwords that you enter are displayed in clear text. Press ENTER after each step to proceed through the process instead of "clicking Next. More Information Configure Domino Web Agents in GUI or Console Mode (see page 105) Configure Any Web Agent in Unattended Mode (see page 108) Register Your System as a Trusted Host on UNIX (see page 59) Configure Domino Web Agents in GUI or Console Mode These instructions are for GUI and Console Mode configuration. run the installation in GUI or unattended mode. SiteMinder automatically starts the Configuration Wizard. To register the trusted host. Open a console window. If you have already done host registration. to select the Apache Web Server./nete-wa-config. then click Next. c. a.Configure a Domino Web Agent Configure Domino Web Agents on UNIX Systems There are two ways you can use to configure a Domino Web Agent on UNIX: GUI mode Console mode Unattended mode Before you configure the Agent. Configure a Web Agent 105 . The steps for the two modes are the same. If necessary. go to the installation chapter for your platform. skip to the next step. which corresponds to this server." as stated in the following procedure. For example. you may want to register the system where the Agent is installed as a trusted host. b. you enter a 1. you can do this at a later time. however. The prompts for each mode will help guide you through the process.bin -i console Note: If you chose to configure the Web Agent immediately after the installation. with these exceptions for Console Mode: You may be instructed to select an option by entering a corresponding number. Otherwise. Navigate to <web_agent_home>/install_config_info Enter one of the following commands: GUI mode: . 1. To workaround this issue. 2. select the option to skip host registration.bin Console mode: . start the Configuration Wizard. For example. Click Next. 9. Important! If you uncheck a previously configured server. 8. If you have already configured a server with a Web Agent and you are running the Configuration Wizard to configure additional Web servers instances. 7. then click Next.ini file. 4.conf file. then click Install. In the Select the Web server(s) dialog box. such as /local/notesdata. b. a. c. Click Done when the installation is complete. to use the default enter DominoDefaultSettings. Open the WebAgent. b. the Wizard displays the Select One or More Instances to Overwrite dialog box. Confirm that the configuration settings are correct. Preserve—to preserve the Web servers configuration.conf in the notes.ini file. In the Agent Configuration Object field. In the Domino Web Server Path dialog box. the Web Agent will be removed from this server. 5. 6. In the Web Server Configuration Summary dialog box.Configure a Domino Web Agent 3. Note: The installation automatically writes the path to the WebAgent. The Web Agent files are installed. This name must match an Agent Configuration Object already defined at the Policy Server. Select one of the following: Overwrite—to overwrite the server instance configuration. Set the EnableWebAgent parameter to Yes. enter the name of the Agent Configuration Object for this Web server instance. located in the Domino Web server root directory. Select the Web server instances that you want to configure with Web Agents. specify the location of the notes. This dialog box lists the Web servers that you have previously configured. Save the file. select the radio button for the Domino Web Sever and click Next. 106 Web Agent Installation Guide . Enable the Web Agent: a. add the following and click submit: Servlet Name: PSWDChangeServlet Servlet Class: PSWDChangeServlet ServletExec should verify that the PSWDChangeServlet has been added successfully. Select Servlets. 5. Under Manage Web Applications. Select Web Applications. Under Manage Web Applications. Go back to the main ServletExec Administration page.xml link. 12. click Add Servlet. Under servletexec: Manage Servlets. Start the ServletExec Administration page by entering the following in a browser: http://localhost/servletexec/admin 2.0 for JSP-based Password Services: 1. Select Web Applications. 7. select the next web. 8. Configure a Web Agent 107 .Configure a Domino Web Agent Configure ServletExec 5. 6.0 for JSP Password Services for an IIS Web Server To properly configure ServletExec 5. Classpath and enter the following: <Web_Agent_installation>\jpw\jpw. and then ServletExec is properly configured. Manage. select the top web. Manage. Manage. 11. Repeat steps 5 to 8. and add the following: URL pattern: /siteminderagent/pwservlet/PSWDChangeServlet Servlet Name: PSWDChangeServlet 9. select Servlets. Under servletexec: Add Servlet.jar <Web_Agent_installation>\java\jsafe. Mapping. On the servletexec: Set Display Options screen. 4. 10.xml link.jar 3. Select Virtual Machine. 7. for example: <web_agent_home>/bin/dominowebagent. Select the Internet Protocols tab.nsf displayed. Configure Any Web Agent in Unattended Mode After you have installed the Web Agent on one system. 8. In the Database scroll box. you must add the dominowebagent. In the DSAPI section of the window. 9. This library must be first in the list. Open. 1. Restart the Web server. The Domino server’s administration console opens. In the Server field.so Note: This entry should be the first in the list of filters. Click Open. 3. Select your server and click Edit Server. Select File. 10.so library to the filter DLLs. select the Domino Server where you installed the Web Agent.Configure Any Web Agent in Unattended Mode Add the Domino Web Agent DLL (UNIX) For the Domino Web Agent to operate properly. find the DSAPI filter file names field and enter the full path to the Domino Web Agent file. The server’s address book opens. Click Save and Close. An unattended configuration lets you configure the Web Agent without any user interaction. 2. you can automate the Web Agent configuration on other web servers using the Agent’s unattended configuration feature. In the Filename field you should see names. 108 Web Agent Installation Guide . Database. 5. In the left pane. select the server’s address book. 6. 4. expand the Server folder and double-click on the All Server Documents icon. 11. Open Lotus Notes. properties File (see page 153) Install a Web Agent on a UNIX System (see page 49) Install a Web Agent on a Windows System (see page 29) Configure a Web Agent 109 . 3. 2. Save the file. if necessary. then copy the file to any web server in your network to run an unattended configuration. When you perform an initial Web Agent installation and configuration. To make the nete-wa-installer.properties file is installed in the following location: <web_agent_home>/install_config_info The default parameters and paths in the file reflect the information you entered during the initial Web Agent installation and configuration. you define configuration parameters in the properties file. Run an initial installation of the Web Agent.Configure Any Web Agent in Unattended Mode Prepare an Unattended Configuration Unattended configuration uses the nete-wa-installer. Open the nete-wa-installer. For configuration.properties file available on your system: 1.properties file and. More Information Set Up the nete-wa-installer.properties file to propagate the Web Agent configuration set up across all Agents in your network. the nete-wa-installer. modify the configuration parameters. Configure Any Web Agent in Unattended Mode Run an Unattended Configuration You should have completed: an initial (attended) Web Agent installation an initial (attended) Web Agent configuration modification of the nete-wa-installer. located in the <web_agent_home>/install_config_info directory. Run the following command: <agent_config_executable> -f <properties_file> -i silent For example.properties -i silent UNIX: nete-wa-config. Check to see if the configuration completed successfully by looking in the CA_SiteMinder_Web_Agent_v6QMR5_InstallLog.exe -f nete-wa-installer. you return to the command prompt. 2. 4. This installation makes the configuration executable available. To run an unattended Web Agent configuration: 1. This log file contains the results of the configuration. 3. enclose the entire path between quotation marks.log file. From a system where the Web Agent is already installed.properties file from <web_agent_home>/install_config_info to a local directory on the system where you want to run an unattended configuration. if you copied the properties file to the install_config_info directory. copy the netewa-installer.properties file You use this file to run subsequent unattended Web Agent configurations an installation (attended or unattended) on the system where you want to run the unattended configuration.bin -f nete-wa-installer. specify the full path to this file in the command. If there are spaces in the directory path. When the configuration is complete. 110 Web Agent Installation Guide . the command would be: Windows: nete-wa-config. Note: You must run the unattended configuration from the install_config_info directory because the configuration executable file must remain in this directory. Open a console window and navigate to <web_agent_home>/install_config_info.properties -i silent If you do not copy the properties file to the install_config_info directory. If this file cannot be modified by this user.conf file. then the shared secret rollover cannot be updated.conf file. re-run the Configuration Wizard.conf file is owned by User1 and no other user has write permissions.conf File Permissions for Shared Secret Rollover If you enable shared secret rollover. Reconfigure a Web Agent Reconfigure a Web Agent for the following reasons: You have upgraded the Web Agent and now you need to update the configuration You need to change the configuration settings previously defined for a Web Agent You need to remove the configuration settings from the Web Agent without uninstalling the entire Web Agent (you would need to configure the Web Agent again at a later time) You want to configure the Web Agent for a different Web Server installed on the same system as the configured server.Reconfigure a Web Agent Check SmHost. the user who owns the Web server process must have permissions to write to the SmHost. the person specified by the User directive needs write permission to the SmHost. the shared secret rollover cannot be updated if User2 owns the server process. If the SmHost. More Information Configure Configure Configure Configure an IIS Web Agent (see page 73) a Sun Java System Web Agent (see page 79) an Apache Web Agent (see page 89) a Domino Web Agent (see page 101) Configure a Web Agent 111 . To reconfigure a Web Agent in any mode. For example. for Sun Java System and Apache Web servers. There are no additional steps or prompts for reconfiguring an Agent. allocate maximum 4KB/entry in each cache. you must tune the operating system’s shared memory settings for the Web Agent to function correctly. 1 mb 112 Web Agent Installation Guide . Note: To estimate the Controls the amount of memory segments required. or size of the view cache usage statistics Agent resource and in the OneView Monitor. segment size. as shown in the following table: Note: No tuning is necessary for Apache or Sun Java System servers on Linux and AIX platforms. you improve the performance of the Web Agent. session cache. Maximum Adjust the shared setting memory accordingly. Controls the minimum size of the Agent resource and session cache. segment size. Name shmsys:shminfo_shmmax Description Required Change Web Server 33554432 (32 mb) for busy sites that need large cache capacity. By increasing the operating system’s shared memory segments.Tune the Shared Memory Segments (Apache and Sun Java System) Tune the Shared Memory Segments (Apache and Sun Java System) If you install an Apache or Sun Java System Web Agent on Solaris or HP-UX systems. The variables that control shared memory segments are defined in the operating system’s specification file. shmsys:shminfo_shmmin Minimum Adjust the shared setting memory accordingly. See the CA eTrust SiteMinder Web Agent Guide to learn how to configure the Web Agent to use the OneView Monitor. For optimal performance. 24 semsys:seminfo_semmni 10 for every instance of the Agent that you run on the system. 100 semsys:seminfo_semmns Number of 10 for every semaphores instance of the in the system. Agent that you run on the system Number of processes using the undo facility. 6 shmsys:shminfo_shmseg Note: This parameter is no longer required for Solaris 9. 100 semsys:seminfo_semmnu 200 or greater than the maxclients (Apache) or maxprocs (Sun Java System) setting. Configure a Web Agent 113 . shared memory segments that can exist simultaneousl y.Tune the Shared Memory Segments (Apache and Sun Java System) Name shmsys:shminfo_shmmni Description Required Change Web Server 200 The maximum Adjust the setting number of accordingly. Maximum number of shared memory segments per process Number of semaphore identifiers. systemwide. semmnu should be greater than the number of Apache child processes or Sun Java System processes running on the system at any one time. x/Solaris 9 33554432 N/A N/A 24 33554432 1 200 24 shmsys:shminfo_shmmax shmsys:shminfo_shmmin shmsys:shminfo_shmmni shmsys:shminfo_shmseg Note: This parameter is no longer required for Solaris 9. Verify your changes by entering the command: $ sysdef -i 114 Web Agent Installation Guide .x/Solaris 9 1. SAM displays a set of variables. using the editor of your choice. Modify the shared memory variables: Solaris: Add the variables listed below and configure them using the recommended settings. HP-UX: Start the System Administration Manager (SAM) utility 2. 100 100 200 200 400 400 Save your changes then exit the file or the utility. Variable Name Recommended Recommended Setting—Apache Setting— excluding Apache 1. semsys:seminfo_semmni semsys:seminfo_semmns semsys:seminfo_semmnu 3. Reboot the system. Highlight and modify each one listed below using the recommended settings. Use the following syntax: set shmsys:shminfo_shmmax=33554432 HP-UX: Using the SAM utility.Tune the Shared Memory Segments (Apache and Sun Java System) To increase shared memory segments: 1. 4. select Kernel Configuration. 5. Follow the procedure for your operating system: Solaris: Open the /etc/system file. Configurable Parameters. act as forms credential collectors (FCC) and/or an SSL credential collectors (SCC). some of these functions. you configure all other Agents in the single sign-on environment to point to the cookie provider by entering that Agent’s URL. there are other Agent components that you can configure without the wizard. The cookie provider URL setting in the Agent’s configuration dictates which Web Agent is the cookie provider. All Web Agents have the ability to be the cookie provider. Note: To read about advanced authentication schemes. All SiteMinder Web Agents can protect resources. such as the cookie provider require additional configuration. Configuring an Agent as an SSL credential collector You specify whether the Agent performs SSL credential collection during the initial Agent configuration with the Configuration Wizard. and serve as a cookie provider for single sign-on. You can set up additional features as follows: Configuring an Agent as a forms credential collector The libraries and files for forms credential collection are set up automatically during installation. The Web Agent can serve in one or more of these roles simultaneously. which uses the FCC. After you determine which Agent is the cookie provider. but you must configure only one Web Agent in this role. However. see the CA eTrust Policy Design. are set up automatically. At installation. Note: To configure forms authentication. other capabilities. Configure a Web Agent 115 .Set Up Additional Agent Components Set Up Additional Agent Components The Web Agent Configuration Wizard guides you through basic Agent configuration. Note: For information about single sign-on. such as acting as the forms credential collector. refer to the chapter on authentication schemes in CA eTrust Policy Design. Configuring the Agent as a cookie provider for multiple cookie domain single sign-on A cookie provider lets the Agent implement single sign-on in a multiple cookie domain environment. however. refer to the CA eTrust SiteMinder Agent Guide. More Information Add Password Services JAR files to the Servlet Engine Classpath (see page 117) Modify the File to Invoke JSP Password Services Servlet (see page 117) Configure ServletExec for JSP Password Services for a UNIX Sun Java System Web Server (see page 118) Configure ServletExec 5. Modify a servlet engine file to invoke the JSP Password Services servlet. More Information Set Up Your Environment for JSP Password Services (see page 116) Set Up Your Environment for JSP Password Services To use Password Services with JSP forms. Password Services CGI with customizable HTML forms—the default mechanism.0 for JSP Password Services for an IIS Web Server (see page 107) 116 Web Agent Installation Guide .Use SiteMinder Password Services Use SiteMinder Password Services SiteMinder Password Services lets you manage user passwords in LDAP user directories or ODBC databases. you have to make some modifications to your Web server and servlet engine. Password Services servlet with customizable JSP forms—uses standard JSP forms for site-specific customizations. Configure ServletExec for JSP Password Services. you have to make the following modifications to your Web server and servlet engine: Add Password Services JAR files to the servlet engine classpath. supports previously customized password services . SiteMinder Password Services provides three mechanisms for implementing password management: FCC-based Password Services—uses SiteMinder forms to implement password services functionality.template forms. see the CA eTrust SiteMinder Agent Guide. To use Password Services with JSP forms. Note: For more information on FCC-based password services. Modify the File to Invoke JSP Password Services Servlet To invoke the servlet for the JSP Password Services. To modify the rules. In the file that invokes servlets.jar Note: These JAR files are added automatically for ServletExec. These directory paths must specify the physical location of the JAR file for Password Services: <web_agent_home>\jpw\jpw. the rules. modify the appropriate servlet engine file that defines how servlets are invoked. Save the file. Stop the web server. Go to <ServletExec_home>\ServletExec Data\default where ServletExec_home is the installed location of ServletExec 3. See your servlet engine documentation for instructions on invoking servlets. 4. Configure a Web Agent 117 . This file is different for each servlet engine.properties file and add the following lines to the end of the file. in the order shown: /siteminderagent/pwservlet/PSWDChangeServlet=PSWDChangeServlet *.properties file: 1.properties file lists the mappings to invoke servlets. 5.jsp=JSP10Servlet Note: The JSP10Servlet entry must always follow the PSWDChangeServlet entry.Use SiteMinder Password Services Add Password Services JAR files to the Servlet Engine Classpath Add the following JAR files to the servlet engine’s classpath. Open the rules.jar <web_agent_home>\Java\jsafe.jar <web_agent_home>\Java\servlet. Restart the Web server. add the following line: /siteminderagent/pwservlet/PSWDChangeServlet=PSWDChangeServlet For ServletExec. See your servlet engine documentation for instructions on modifying the classpath. 2. Configure Servlet Attributes. Configure Servlet Virtual Path Translation. 118 Web Agent Installation Guide . Make the following modifications: a. Extend the CLASSPATH definition by adding the following entries to the end of the CLASSPATH: <web_agent_home>/jpw/jpw. Select Legacy Servlets. and uncheck the two check boxes to disable the Sun Java System servlet engine. and change the port of communication with Web server to any free port (for example. Select Java. Install ServletExec ASAPI.jar 3. In the StartServletExec file. 1. and add the following: Servlet Name: PSWDChangeServlet Servlet Code: PSWDChangeServletServlet Classpath: <web_agent_home>/jpw/jpw. 5.jar c. Enable/Disable Servlets/JSP. Consult your Web Server documentation for how to configure servlets on other Web Servers. To properly configure ServletExec for JSP-based Password Services: Note: In this procedure. Extend the document directories definition by adding the directory entries after the following line: $SENAME $HOMEDIR $MIMEFILE $DOCROOTDIR -port $PORT $SEOPTS -addl "/siteminderagent/jpw=<web_agent_home>/jpw"" b. PORT="7777"). Open the Web Server administration console and open the particular instance on which the Web Agent is configured. find PORT="8888". 2. 6.Use SiteMinder Password Services Configure ServletExec for JSP Password Services for a UNIX Sun Java System Web Server The following procedure assumes an Sun Java System 6. and add the Virtual Path: /siteminderagent/pwservlet/PSWDChangeServlet and Servlet Name: PSWDChangeServlet 4. <web_agent_home> refers to the installed location of the SiteMinder Web Agent.x Web Server installed on a UNIX system. Select Legacy Servlets. In a text editor. open the file: <ServletExec_home>/se-<instance_name>/StartServletExec where ServletExec_home is the installed location of ServletExec 7.jar <web_agent_home>/java/jsafe. 8. Aliases. Manage. Navigate to the config folder.conf file and add the following entry: NameTrans fn="assign-name" from="/siteminderagent/pwservlet/PSWDChangeServlet" name="<instance_name>" Insert the entry into the following block: <Object name="default"> AuthTrans fn="SiteMinderAgent" NameTrans fn="assign-name" from="/servlet/*" name="<instance_name>" NameTrans fn="assign-name" from="/siteminderagent/pwservlet/PSWDChangeServlet" name="<instance_name>" --------</Object> 13. Configure a Web Agent 119 .conf file. For example: http://<web_agent_instance:port>/servlet/admin 9. and add the alias: /siteminderagent/pwservlet/PSWDChangeServlet Servlet Name: PSWDChangeServlet 11. change the IP address and port number to match the address for the Agent system that you already defined: Init fn="ServletExecInit" <instance_name>. located in <Sun_Java_System_home>/<https-hostname>/config and open the magnus. For the following line. Restart the Sun Java System Web server and start ServletExec.Use SiteMinder Password Services Note: There are two quotation marks at the end of the entry. Select Servlets. Select Servlets. and add the following: Servlet Name: PSWDChangeServlet Servlet Class: PSWDChangeServlet 10. Start ServletExec by running the script StartServletExec and open the ASAPI admin console by giving the URL.instances="<IP_address>:7777" 12. Open the Sun Java System obj. if the passphrase supplied in NETE_CMN_PINFO is wrong. where passphrase is the token passphrase in the environment in which the Agent processes run.Use SiteMinder Password Services Allow Unattended Failover for nCipher Cryptographic Modules You can configure Agents equipped with an nCipher cryptographic module to allow unattended failover. Configuring unattended failover may therefore reduce the level of additional security otherwise provided by the addition of a cryptographic module. Important! The values of environment variables are not encrypted in memory. the SiteMinder processes that require access to the cryptographic token use passphrase without prompting the console operator. Once NETE_CMN_PINFO is set. set the NETE_CMN_PINFO environment variable to the value rpw:passphrase. Additionally. To do this. the SiteMinder process that tried to use it to access the token attempts to obtain a correct passphrase by prompting for the console operator to supply it. However. 120 Web Agent Installation Guide . the environment variable must typically be read from an unencrypted command file at runtime. (pw_default. the non-default copies of these directories (pw. see the SiteMinder Platform Matrix for 6. jpw_default.netegrity. samples) are not removed because these directories may contain customized files. However. For a supported version. samples_default) will be removed. jpw.Chapter 5: Uninstall a Web Agent The following sections explain how to uninstall a Web Agent.com. The Password Services and Forms directories.0 at Technical Support http://support. This section contains the following topics: Notes About Uninstalling Web Agents (see page 121) Uninstall a Web Agent from a Windows System (see page 123) Uninstall a Web Agent from a UNIX System (see page 124) Uninstall Documentation from a Windows System (see page 125) Uninstall Documentation from UNIX Systems (see page 126) Notes About Uninstalling Web Agents Be aware of the following: All Web Agents for all installed Web servers will be uninstalled. Make sure that the JRE is installed on the Web Agent system. Uninstall a Web Agent 121 . as it is needed for uninstallation. 5. C:\j2sdk1.0_01\jre\bin On Solaris Run these two commands: a. c.5." To set the JRE in the PATH variable: On Windows a. export PATH 122 Web Agent Installation Guide . add the location of the JRE to the PATH system variable.” "No Java virtual machine could be found from your PATH environment variable. /usr/bin/j2sdk1. For example. You must install a VM prior to running this program.0_01/jre b. Go to the Control Panel. In the Environment Variables dialog. when you are uninstalling the Web Agent. For example.Notes About Uninstalling Web Agents Set JRE in PATH Variable Before Uninstalling the Web Agent On Windows and UNIX systems. Double-click System. make sure the JRE is in the PATH variable or the uninstallation program stops and issues one of the following error messages: “Could not find a valid Java virtual machine to load. b. PATH=$PATH:<JRE>/bin where <JRE> is the location of your JRE. You need to reinstall a supported Java virtual machine. Review the information in the Uninstall SiteMInder Web Agent dialog box. choose whether to reboot your system now or later then click Done. 2. 3. the dialog box displays. Restart your Web server. Scroll through the program list and select CA SiteMinder Web Agent v6QMR5. you may want to make copies of your registry settings and Web Agent configuration settings to have as a back up. 6. 4. Uninstall a Web Agent 123 . then click Uninstall. Click Change/Remove. Stop the Web server. Open the Add/Remove Programs control panel. When the uninstallation is finished. 7. 1. 5.Uninstall a Web Agent from a Windows System Uninstall a Web Agent from a Windows System Before you uninstall. /uninstall -i console The uninstallation program starts. then click Uninstall.Uninstall a Web Agent from a UNIX System Uninstall a Web Agent from a UNIX System These instructions are for GUI and Console Mode uninstallation.conf file that the Configuration Wizard added. with these exceptions for Console Mode: You may be instructed to select an option by entering a corresponding number. 8. From a console window. Click Done to exit the uninstallation program. add the JRE to the PATH variable as follows: PATH=/<jre_home>/bin:${PATH} export PATH <jre_home> is the location of the JRE 4. Optionally. 3. 10. Press ENTER after each step to proceed through the process instead of "clicking Next. Navigate to the directory where the Web Agent is installed: <web_agent_home>/install_config_info/nete-wa-uninstall If necessary. Change to your home directory (the current directory has been deleted). remove the lines from the httpd. If you receive an error message that the Java virtual machine could not be found. 5." as stated in the following procedure. you may want to make copies of your Web Agent configuration settings to have as a back up. The Web Agent is removed from the system. 9. Log into the UNIX system. ensure you have execute permissions on the uninstallation program by entering chmod +x uninstall./uninstall Console mode: . The prompts for each mode will help guide you through the process. if you are uninstalling an Apache Web Agent. 11. 1. The steps for the two modes are the same. Read the information in the dialog box to confirm the removal of the Web Agent. Note: Before you uninstall. enter one of the following commands: GUI mode: . 2. Stop the Web server. Restart the Web server(s). 6. Specify the JRE in the PATH environment variable to uninstall the Web Agent. 7. 124 Web Agent Installation Guide . the obj. 7.Uninstall Documentation from a Windows System Note: For Sun Java System Web servers. Stop the web server. To uninstall all the documentation: 1.0 for Web Agent. 3. Scroll through the program list and select CA SiteMinder Documentation v6. 2. Click Uninstall. Uninstall a Web Agent 125 . The documents are removed. Select Add/Remove Programs. Open the Control Panel.conf. 5. 8. magnus. 6. 4. and mime. Uninstall Documentation from a Windows System Running the documentation uninstallation program removes the manuals for all products from the netegrity_documents directory.types files are restored to its original settings prior to the Web Agent installation. Review the information in the dialog box to confirm the uninstallation. Click Change/Remove. Click Done to exit the installer.conf. The steps for the two modes are the same. To uninstall documentation from UNIX systems: 1. Press ENTER after each step to proceed through the process instead of "clicking Next. 4.Uninstall Documentation from UNIX Systems Uninstall Documentation from UNIX Systems These instructions are for GUI and Console Mode uninstallation. To reinstall the documentation. 3. The documentation is removed./uninstall -i console The uninstallation program begins and displays a dialog box to confirm the uinstallation. Click Done to exit the installer. Click Uninstall. with these exceptions for Console Mode: You may be instructed to select an option by entering a corresponding number. The prompts for each mode help guide you through the process. Enter one of the following commands: GUI mode: . Navigate to the following directory: <documentation_home>/install_config_info/netegrity-wa-doc-uninstall 2." as stated in the following procedure. run the appropriate documentation program for the product./uninstall Console mode: . 126 Web Agent Installation Guide . x QMR 5 on Windows Systems (see page 132) Upgrade a 4. Back up configured files. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation.x on UNIX Systems (see page 138) Upgrade a 6. Upgrade a Web Agent to 6.x QMR 5 This section contains the following topics: Review the Upgrade Procedure (see page 127) Upgrade Tasks and Issues (see page 127) Manual Upgrade from 4.x Web Agent to 6.Chapter 6: Upgrade a Web Agent to 6.x QMR 5 127 . you should have reviewed the upgrade process in the CA eTrust SiteMinder Upgrade Guide.x Web Agent to 6.x Web Agent to 6.x Web Agent to 6.x QMR 5 on UNIX Systems (see page 140) Review the Upgrade Procedure Before upgrading a Web Agent.x Web Agent to 6.x QMR x Japanese Web Agents Required (see page 129) Upgrade a 5. Upgrade Tasks and Issues The following sections discuss upgrade tasks and issues. Note: If you have upgraded the Web server itself since you last installed the Web Agent. Back Up Customized Files Customized files may be overwritten by the upgrade.x on Windows Systems (see page 134) Upgrade a 4.x on Windows Systems (see page 130) Upgrade a 6.x Web Agent to 6. the Agent upgrade may not work. This guide contains important overview information as well as critical tasks that you should complete prior to upgrading a Web Agent.x on UNIX Systems (see page 136) Upgrade a 5. such as Agent and Host configuration files before upgrading. conf). Select Yes to all. you may see messages asking whether you want to replace read-only files. Ensure LD_PRELOAD Variable Does Not Conflict with Existing Agent If you are upgrading or reinstalling a Web Agent on a Linux system. and samples). 128 Web Agent Installation Guide . which may contain customized files.conf).Upgrade Tasks and Issues Know Which Password Services and Forms Template are Upgraded For Password Services and forms templates. Know the Results of Running the Configuration Wizard After Upgrades When you run the Web Agent Configuration Wizard after upgrading the Web Agent. SiteMinder moves the IgnoreExt and BadURLCharacters lines into the new WebAgent. pw. the following occurs: SiteMinder saves a copy of the current Web Agent configuration file (WebAgent. For example. from the shell. will not be modified in any way. so that you can easily add your custom elements.conf file as commented lines. Note: SiteMinder does not save a copy of the Trusted Host configuration file (SmHost. set the LD_PRELOAD variable so that it points to a different location from any existing Web Agent installation directory. pw_default.so Before you reinstall or upgrade. However the non-default versions of these directories (jpw. the jpw_default. if an existing LD_PRELOAD entry is set to: LD_PRELOAD=<web_agent_home>/bin/libbtunicode. and samples_default directories are upgraded. set the variable to: export LD_PRELOAD= This entry sets the variable to a blank value. Replace Existing Read-only Files When you upgrade a Web Agent. see CA eTrust SiteMinder Web Agent Configuration.x and 6. except framework agents.x QMR 5 version. Note: For more information on framework agents.Manual Upgrade from 4.x Web Agents redirect to the cookie provider only on GET actions.x Web Agents.x QMR 5.x Agents 6. Upgrade a Web Agent to 6.x QMR x Japanese Web Agents Required Cookie Provider Redirection Differences Between 4. You are required to perform manual upgrades by uninstalling earlier versions of the product and then installing the 6.x QMR x Japanese Web Agents Required 6. New and rearchitected framework agents continue to redirect to the cookie provider for GET and POST actions so Web Agents can support POST preservation when a cookie provider is enabled.x QMR x Japanese Web Agents to 6. have been modified to redirect to the cookie provider only for GET actions. Clients using Web services should consider moving these applications to servers separate from their other applications that require multi-cookie domain single sign-on.x Web Agents redirect to the cookie provider on GET and POST actions.x QMR 5 does not include automated upgrades for 4. Manual Upgrade from 4. This functional difference causes upgrade issues when applications that require cookie provider support for GET actions and Web services responding to POST actions are installed on IIS virtual servers. Web service applications or any custom application that cannot interpret 302 redirects should be configured separately from applications requiring multicookie domain single sign-on.x QMR 5 129 . All 6. whereas 4. Select whether to restart the system immediately or later. 2. it prompts you to restart your system instead of reconfiguring it.Upgrade a 5.x QMR 8 If you have upgraded the Web server itself since you last installed the Web Agent. 130 Web Agent Installation Guide .exe service is unable to locate the smconapi. If the system with the 5. Read the License Agreement select the radio button to accept the agreement then click Next.netegrity.x QMR 6 5. 5. 1. Insert the SiteMinder DVD or download the installation program from https://support. read the information then click Next.x Web Agent being upgraded has not previously been registered as a trusted host. reboot your system before launching the Web Agent Configuration Wizard. Navigate to the win32 folder and double-click nete-wa-6qmr5-win32.x QMR 7 5. If you are installing an Agent on an Sun Java System Web server.exe. Read the notes in the Important Information dialog box.x QMR 5 5. To upgrade Web Agents on Windows: Exit all applications that are running and stop the Web server. In the Introduction dialog box.x on Windows Systems Upgrade a 5. You can upgrade if you have applied a hotfix to any of these releases. Be aware of the following: If the installation program detects any locked Agent files.x on Windows Systems The SiteMinder Web Agent v6. then click Next. If this message appears.x Web Agent to 6.x Web Agent to 6.x QMR 4 5. you will be prompted to register at this time. 3. It will upgrade the following Web Agents to 6. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation. the Agent upgrade may not work. The program prepares the files.x DVD contains a single executable. you may see an error message stating that the httpd.com.dll. 4. provided the Web server version has not changed since the last installation of the Web Agent: 5.x QMR 5. ensure the Create Icons for All Users check box is checked. In the Install Complete dialog box. 8. deselect this option. Select No To All if you see this message. confirm that the installation settings are correct.Upgrade a 5. Abort the upgrade—exits the upgrade procedure without upgrading the Web Agent. It asks if you want to overwrite these newer files with older files. In the Pre-installation Summary dialog box.x.x on Windows Systems 6. 9. More Information Register Your System as a Trusted Host on UNIX (see page 59) Upgrade a Web Agent to 6. The upgrade program locates the existing Web Agent and displays the Confirm Upgrade dialog box.x Web Agent to 6. and then click Install. choose whether to restart your system immediately or later. Otherwise. and then click Done. select one of the following then click Next: Continue with the upgrade—upgrades the Web Agent to 6. Note: The installation program may detect that newer versions of certain system dlls are installed on your system. Select the placement of the Agent Configuration Wizard shortcut in the Choose Shortcut Folder dialog box then click Next. The new Web Agent files are copied to the specified location. Note: To allow all users access to the Configuration Wizard via the shortcut. 7. In the Confirm Upgrade dialog box.x QMR 5 131 . If this message appears. provided the Web server version has not changed since the last installation of the Web Agent: 6.x QMR 3 6. then click Next. 3. 2.x QMR 5 on Windows Systems Upgrade a 6. you may see an error message stating that the httpd. Be aware of the following: If the installation program detects any locked Agent files.com. It will upgrade the following Web Agents to 6. If you are installing an Agent on an Sun Java System Web server. reboot your system before launching the Web Agent Configuration Wizard.x Web Agent to 6. 7.exe service is unable to locate the smconapi. 5. Read the notes in the Important Information dialog box. 6.x QMR 1 6. read the information then click Next.x QMR 4 If you have upgraded the Web server itself since you last installed the Web Agent. 4. Read the License Agreement select the radio button to accept the agreement then click Next.x QMR 5. Exit all applications that are running and stop the Web server. Navigate to the win32 folder and double-click nete-wa-6qmr5-win32. Select the placement of the Agent Configuration Wizard shortcut in the Choose Shortcut Folder dialog box then click Next. 132 Web Agent Installation Guide .0 6.x DVD contains a single executable. it prompts you to restart your system instead of reconfiguring it.exe. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation.netegrity.x QMR 5 on Windows Systems The SiteMinder Web Agent v6. You can upgrade if you have applied a hotfix to any of these releases.x Web Agent to 6.x QMR 2 6. In the Introduction dialog box.Upgrade a 6. To upgrade Web Agents on Windows: 1.dll. Insert the SiteMinder DVD or download the installation program from https://support. The program prepares the files. the Agent upgrade may not work. Select whether to restart the system immediately or later. Otherwise. confirm that the installation settings are correct. deselect this option. Select No To All. Abort the upgrade—exits the upgrade procedure without upgrading the Web Agent. and then click Next: Continue with the upgrade—upgrades the Web Agent to 6. Then click Done.x. if you see this message. 9. In the Pre-installation Summary dialog box. select one of the following options. 8. The new Web Agent files are copied to the specified location.x QMR 5 on Windows Systems To allow all users access to the Configuration Wizard via the shortcut. The upgrade program locates the existing Web Agent and displays the Confirm Upgrade dialog box. ensure the Create Icons for All Users check box is checked.x QMR 5 133 .Upgrade a 6. In the Confirm Upgrade dialog box. In the Install Complete dialog box.x Web Agent to 6. Note: The installation program may detect that newer versions of certain system . Upgrade a Web Agent to 6. It asks if you want to overwrite these newer files with older files. choose whether to restart your system immediately or later. then click Install.dlls are installed on your system. 10. It will upgrade the following Web Agents to 6.x Web Agent to 6. Insert the SiteMinder DVD or download the installation program from Technical Support http://support.x on Windows Systems The SiteMinder Web Agent v6. 5.x QMR 5. the Agent upgrade may not work. Select the placement of the Agent Configuration Wizard shortcut in the Choose Shortcut Folder dialog box then click Next. 3. Note: When upgrade from a 4. 9. 134 Web Agent Installation Guide .x WebAgent.x DVD contains a single executable. read the information then click Next. 6.x Web Agent and displays the Confirm Upgrade dialog box.Upgrade a 4. ensure the Create Icons for All Users check box is checked. Read the License Agreement select the radio button to accept the agreement then click Next. Read the notes in the Important Information dialog box. Otherwise. select one of the following then click Next: Continue with the upgrade—Upgrades the Web Agent to 6. To upgrade Web Agents on Windows: 1.x on Windows Systems Upgrade a 4. this requires that you migrate the configuration settings in the 4. provided the Web server version has not changed since the last installation of the Web Agent: 4. 8. Exit all applications that are running and stop the Web server. You can upgrade if you have applied a hotfix to any of these releases. 2. To allow all users access to the Configuration Wizard via the shortcut.x. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation. Navigate to the win32 folder and double-click nete-wa-6qmr5-win32. Abort the installation—Exits the upgrade procedure without upgrading the Web Agent.x Web Agent you can implement central agent configuration.x Web Agent to a 6. 4.x QMR 6 If you have upgraded the Web server itself since you last installed the Web Agent. The upgrade program locates the existing 4.com.exe. However. then click Next. In the Introduction dialog box. See the CA eTrust SiteMinder Upgrade Guide for further instructions.netegrity. 7.conf file to an Agent Configuration Object on the Policy Server.x QMR 5 4. In the Confirm Upgrade dialog box.x Web Agent to 6. deselect this option. x on Windows Systems 10. then click Done. In the Install Complete dialog box. Note: The installation program may detect that newer versions of certain system dlls are installed on your system. then click Install. In the Pre-installation Summary dialog box. confirm the installation settings.x Web Agent to 6. click Done.Upgrade a 4.dll. More Information Register Your System as a Trusted Host on UNIX (see page 59) Configure an IIS Web Agent (see page 73) Configure a Sun Java System Web Agent (see page 79) Configure an Apache Web Agent (see page 89) Configure a Domino Web Agent (see page 101) Upgrade a Web Agent to 6. The new Web Agent files are copied to the specified location. reboot your system before launching the Web Agent Configuration Wizard. If this message appears. then click Next: Yes. No. Note: If you are installing an Agent on an Sun Java System Web server. Choose one of the following options. It asks if you want to overwrite these newer files with older files. choose whether to reboot your system immediately or later.x QMR 5 135 . I would like to configure the Agent now. When the Configuration Complete dialog box is displayed. If you select Yes to configure the Agent. the Wizard prompts you to register.exe service is unable to locate the smconapi. 11. Select No To All if you see this message. the Wizard prompts you to configure the Web Agent. the Web Agent Configuration dialog box is displayed. you may see an error message stating that the httpd. I will configure the Agent later. 12. 13. Afterward. the Web Agent Configuration Wizard starts up and does one of the following: If you have not registered your system as a trusted host. If your system is already registered as a trusted host. x DVD contains a single executable.x Web Agent to 6.bin HP-UX: nete-wa-6qmr5-hp.x WebAgent. this requires that you migrate the configuration settings in the 4. Insert the SiteMinder DVD into the drive or download the . To upgrade a Web Agent on UNIX systems: 1.com. Solaris: nete-wa-6qmr5-sol. You can upgrade if you have applied a hotfix to any of these releases. 2.x on UNIX Systems The SiteMinder Web Agent v6.x Web Agent to a 6.x Web Agent. See the CA eTrust SiteMinder Upgrade Guide for further instructions. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation.Upgrade a 4.bin Linux 2. you can upgrade using console mode by executing the Web Agent binary file (nete-wa-6qmr5-<operating_system>. However. Note: When upgrading from a 4. solaris) on the SiteMinder DVD.bin) with the -i console command argument.x QMR 5. provided the Web server version has not changed since the last installation of the Web Agent: 4.x on UNIX Systems Upgrade a 4.x Web Agent to 6. you may need to add executable permissions to the installation file by running the chmod command. 4. you can implement central agent configuration. hpux.bin HP-UX Itanium: nete-wa-6qmr5-hp-itan. for example: 136 Web Agent Installation Guide . Exit all applications that are running and stop the Web server. The upgrade instructions that follow reflect the GUI mode procedures.1: nete-wa-doc-6qmr5-linux.x QMR 6 If you have upgraded the Web server itself since you last installed the Web Agent.bin 5. Copy the appropriate binary file to a local directory then navigate to that directory. Navigate to the directory for your operating system (aix. For UNIX systems.bin file from https://support.conf file to an Agent Configuration Object on the Policy Server. linux.bin AIX: nete-wa-6qmr5-aix.x QMR 5 4. The command-line upgrade prompts will be similar to GUI mode prompts. Depending on your permissions. It will upgrade the following Web Agents to 6. the Agent upgrade may not work.netegrity. 3. In the Install Complete dialog box. linux. 7. confirm that the installation settings are correct. Specify the installation directory in the Choose Install Folder dialog box.x. Then click Next. Then click Next. hp. Click Next. The new Web Agent files are copied to the specified location. 10. read the information. click Done. then click Install. 14. In the Confirm Upgrade dialog box.Upgrade a 4. Abort the installation—Exits the upgrade procedure without upgrading the Web Agent.x QMR 5 137 . 9. In the Pre-installation Summary dialog box. and then click Next. Open a console window and from the location of the installation program enter: .bin. Read the License Agreement.x on UNIX Systems chmod +x nete-wa-6qmr5-sol. 12./nete-wa-6qmr5-<operating_system>. 11. More Information Configure a Web Agent (see page 73) Register Your System as a Trusted Host on UNIX (see page 59) Upgrade a Web Agent to 6. Read the notes in the Important Information dialog box. where <operating_system> is sol. Then select the radio button to accept the agreement. select one of the following then click Next: Continue with the upgrade—Upgrades the Web Agent to 6. 8.bin 6. After installing the Agent. run the Agent Configuration Wizard to register a trusted host and configure the Web Agent. In the Introduction dialog box. 13. aix.x Web Agent to 6. or hp-itan The installation program prepares the files. The Confirm Upgrade dialog box displays. bin HP-UX Itanium: nete-wa-6qmr5-hp-itan. Copy the appropriate binary file to a local directory then navigate to that directory.1: nete-wa-doc-6qmr5-linux.x Web Agent to 6.x QMR 6 5.bin 5.Upgrade a 5.bin Suse-zLinux: nete-wa-6qmr5-SuSE-zLinux. Insert the SiteMinder DVD into the drive or download the installation program from https://support.bin 6.x on UNIX Systems The SiteMinder Web Agent v6. provided the Web server version has not changed since the last installation of the Web Agent: 5. To upgrade a Web Agent on UNIX systems: 1. Exit all applications that are running and stop the Web server.x on UNIX Systems Upgrade a 5.netegrity.x QMR 5 5. solaris). for example: chmod +x nete-wa-6qmr5-sol. you may need to add executable permissions to the installation file by running the chmod command.x QMR 8 If you have upgraded the Web server itself since you last installed the Web Agent. Navigate to the directory for your operating system (aix. Solaris: nete-wa-6qmr5-sol.bin AIX: nete-wa-6qmr5-aix. linux.com.0: nete-wa-6qmr5-rhel30. You can upgrade if you have applied a hotfix to any of these releases. 4. 2. Open a console window and from the location of the installation program enter: 138 Web Agent Installation Guide .x QMR 7 5.x QMR 5.x DVD contains a single executable.x QMR 4 5. Depending on your permissions.bin Linux 3. hpux. 3. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation. the Agent upgrade may not work.x Web Agent to 6. It will upgrade the following Web Agents to 6.bin Linux 2.bin HP-UX: nete-wa-6qmr5-hp. or hp-itan 7./nete-wa-6qmr5-<operating_system>. SuSE-zLinux. select one of the following.bin where <operating_system> is sol. In the Confirm Upgrade dialog box. The Confirm Upgrade dialog box is displayed. 10. The new Web Agent files are copied to the specified location.x. read the information. Then click Next.x Web Agent being upgraded has not previously been registered as a trusted host. In the Pre-installation Summary dialog box.x QMR 5 139 . 9. Abort the installation—exits the upgrade procedure without upgrading the Web Agent. More Information Register Your System as a Trusted Host on UNIX (see page 59) Upgrade a Web Agent to 6. linux. aix. Then click Next. Read the License Agreement then select the radio button to accept the agreement. rhel30. and then click Next: Continue with the upgrade—upgrades the Web Agent to 6. 8. Click Next.x on UNIX Systems . Read the notes in the Important Information dialog box. click Done. In the Install Complete dialog box.x Web Agent to 6. If the system with the 5. confirm that the installation settings are correct. 11. In the Introduction dialog box. 12. hp.Upgrade a 5. you need to register at the system at some point. then click Install. Depending on your permissions.x Web Agent to 6.bin 6.bin Linux 2. 2.x Web Agent to 6. linux.1: nete-wa-doc-6qmr5-linux. Copy the appropriate binary file to a local directory then navigate to that directory. You can upgrade if you have applied a hotfix to any of these releases. Exit all applications that are running and stop the Web server. Navigate to the directory for your operating system (aix. you may need to add executable permissions to the installation file by running the chmod command. Insert the SiteMinder DVD into the drive or download the installation program from https://support.bin Suse-zLinux: nete-wa-6qmr5-SuSE-zLinux. The upgrade is ensured only if the Web server version has remained the same since the last Web Agent installation.x QMR 2 6. the Agent upgrade may not work. Open a console window and from the location of the installation program enter: . Solaris: nete-wa-6qmr5-sol.bin HP-UX Itanium: nete-wa-6qmr5-hp-itan. for example: chmod +x nete-wa-6qmr5-sol.com.x QMR 1 6. solaris).0: nete-wa-6qmr5-rhel30. It will upgrade the following Web Agents to 6.x QMR 3 6.x QMR 5.bin 5.x QMR 5 on UNIX Systems The SiteMinder Web Agent v6. 4. hpux.x QMR 4 If you have upgraded the Web server itself since you last installed the Web Agent.bin Linux 3.x DVD contains a single executable.x QMR 5 on UNIX Systems Upgrade a 6.bin HP-UX: nete-wa-6qmr5-hp. provided the Web server version has not changed since the last installation of the Web Agent: 6. 3.bin AIX: nete-wa-6qmr5-aix.netegrity./nete-wa-6qmr5-<operating_system>.Upgrade a 6.bin 140 Web Agent Installation Guide . To upgrade a Web Agent on UNIX systems: 1. x Web Agent to 6. In the Introduction dialog box.x Web Agent being upgraded has not previously been registered as a trusted host. you need to register at the system at some point. select one of the following. Read the notes in the Important Information dialog box. linux.x QMR 5 141 . The Confirm Upgrade dialog box is displayed. rhel30. Abort the installation—exits the upgrade procedure without upgrading the Web Agent. Click Next. hp. In the Install Complete dialog box. 12.x. 11. 8. Read the License Agreement then select the radio button to accept the agreement. 9. confirm that the installation settings are correct. aix. The new Web Agent files are copied to the specified location.x QMR 5 on UNIX Systems where <operating_system> is sol. or hp-itan 7. In the Pre-installation Summary dialog box. click Done. In the Confirm Upgrade dialog box. then click Install. If the system with the 5. More Information Register Your System as a Trusted Host on UNIX (see page 59) Upgrade a Web Agent to 6.Upgrade a 6. SuSE-zLinux. and then click Next. 10. and then click Next: Continue with the upgrade—upgrades the Web Agent to 6. read the information then click Next. . The LLAWP handles inter-process Agent management. check the Event Viewer’s Application Log. errors are written to the Web server error log. For Apache 2. Troubleshoot Agent Start-Up/ShutDown with LLAWP If the Agent is not starting or shutting down properly.0. which isolates Web Agent issues. check the following error logs: On Windows.0.0. On UNIX. For IIS 6. messages are processed by the server’s standard error handling. By running LLAWP from the command line. LLAWP starts up after the Web Agent receives the first request. For the Apache 2. Error messages are written to the Event log for Windows or to the console on UNIX systems. Troubleshooting 143 . On Windows or UNIX. you eliminate the Web server from the diagnostic process. the LLAWP process automatically starts when the Apache Web server starts. run the Low Level Agent Worker Process (LLAWP) to isolate the problem. you can run the Low Level Agent Worker Process (LLAWP) from the command line.Chapter 7: Troubleshooting This section contains the following topics: Agent Start-Up/Shutdown Issues (Framework Agents Only) (see page 143) Web Agent Start Up and Shut Down Issues (IBM HTTP Server) (see page 144) Connectivity and Trusted Host Registration Issues (see page 146) General Installation Issues (see page 147) Cryptographic Hardware Issues (see page 147) Uninstallation Issues (see page 148) Online Documentation Issues (see page 148) Upgrade Issues (Windows and UNIX) (see page 149) IIS Web Agent Issues (see page 149) Sun Java System Web Agent Issues (see page 149) Apache Web Agent Issues (see page 150) Domino Web Agent Issues (see page 151) Agent Start-Up/Shutdown Issues (Framework Agents Only) If the Web Agent does not start after installation or you cannot shut it down. use the command with this syntax: LLAWP <path_to_WebAgent. check the Event Viewer’s Application Log. Web Agent Start Up and Shut Down Issues (IBM HTTP Server) If the Web Agent does not start after installation or you cannot shut it down.conf> -<web_server_type> -shutdown For example: LLAWP /usr/apache/conf/WebAgent." The LLAWP process will take a few seconds to shut down. so that the process cleans up shared system resources used by the Web Agent.Web Agent Start Up and Shut Down Issues (IBM HTTP Server) Shut Down LLAWP If the LLAWP process does not shut down properly when shutting down the Web server.conf -APACHE20 -shutdown Note: Configuration file names and version strings that contain spaces should be surrounded by quotes. This shuts down the running worker process associated with a WebAgent. 144 Web Agent Installation Guide . such as "value with spaces. Use the command line to shut the LLAWP down instead of the kill -9 command. shut down the LLAWP from the command line. On UNIX. messages are processed by the server’s standard error handling. To shut down the LLAWP.conf file. check the following error logs: On Windows. 47 starts properly.exe child process crashes with an access violation in LIBAPR.47 The IBM HTTP Server 2.c> # AfpaEnable # AfpaCache on # AfpaPort 8082 # AfpaLogFile "C:/Program Files/IBM HTTP Server 2.0/logs/afpalog" V-ECLF #</IfModule> #<IfModule !mod_afpa_cache. If the ibm_afpa_module is loaded and a module registering an init function does not exit that function quickly. Troubleshooting 145 .0.conf file associated with LoadModule ibm_afpa_module.0. the apache.c> line in the httpd.0.dll.0.x. comment out the following lines: #LoadModule ibm_afpa_module modules/mod_afpa_cache.47 on Windows 2000 and 2003 crashes if the ibm_afpa_module and the Web Agent are enabled. Note: More information about the IBM HTTP Server limitation may be found by reading the document titled "Hang or crash of Microsoft Windows when Running AFPA and When Antivirus Software is Active" on the IBM Support site.c> # Listen @@Port@@ #</IfModule> By disabling the AFPA module. if there is an <IfModule mod_afpa_cache. the IBM HTTP Server 2.Web Agent Start Up and Shut Down Issues (IBM HTTP Server) Stop LLAWP When Stopping IBM HTTP Server 2.so #<IfModule mod_afpa_cache. To solve this issue for versions of IBM HTTP Server v2. Re-register using a unique name for the trusted host. Make sure the Agent Configuration Object has a DefaultAgentName specified. depending on the Web Server. Check that EnableWebAgent is set to yes in the WebAgent. Trusted host cannot make a connection to the Policy Server Check for the SmHost. that the IP address for the server is correct..Connectivity and Trusted Host Registration Issues Connectivity and Trusted Host Registration Issues If. More Information Install the Web Agent on a UNIX System (see page 51) 146 Web Agent Installation Guide .conf file has been deleted. Host is registered but the SmHost..conf file in <web_agent_home>/config. Check the SiteMinder administrator name and password and make sure these are correct. Make sure that the Policy Server is installed and configured on the target server. Also. Re-register the host using the smreghost tool. Then.conf file. Make sure that the Host Configuration Object and Agent Configuration Object specified during the Agent installation and configuration are defined at the Policy Server. and that the Policy Server is running.. You may be using a name for the trusted host that is already in use by an existing trusted host. In the Policy Server User Interface. The presence of this file indicates a successful registration of the trusted host.. ensure that the minimum required parameters are configured. remove the Trusted Host Object corresponding to the host name for which the file was deleted. Trusted host registration fails. Ensure that the host where the Agent is installed has been registered as a trusted host. Make sure the Policy Server is running. com.xml or /var/.registry. then retry the installation. Check the ServletExec CLASSPATH and modify it if necessary. More Information Add a SiteMinder Agent User to nCipher UNIX Group (UNIX Only) (see page 21) Troubleshooting 147 .. you receive a servlet DMS not found error when you access a DMS page.xml The registry file is locked while an installation is taking place. More Information Fix the ServletExec CLASSPATH for DMS (see page 47) Cryptographic Hardware Issues If. The registry file is in the following locations: Windows: C:\Program Files\ZeroG Registry\com. This error message is displayed: Setting encryption key configuration failed (error code 1). so if multiple installations are running at the same time.log file. See the nete-wa-details.com..General Installation Issues General Installation Issues If.. Rename the ZeroG registry file. causing the installation to hang. Ensure that the UNIX user for the Agent belongs to the nCipher UNIX group.registry.. Try one of the following in the order listed: Reboot the system and try the installation again. they cannot write to this file. You are running multiple installations on the same system at the same time and an installation hangs.zerog..xml UNIX: $HOME/. Please re-enter parameters carefully.zerog. located in <web_agent_home>/install_config_info.zerog. Then.. Then..registry.. You want to see what failed during installation On Windows systems. Applications. Netscape automatically launches Acrobat Reader each time you request to view a . select Navigator. Open the registry editor.. select Portable Document Format and click Edit. Open a DOS window and paste the UninstallString into the window at a DOS prompt.Uninstallation Issues Uninstallation Issues If.. In the Netscape Applications dialog. 2. 148 Web Agent Installation Guide . Remove the Agent as follows: 1. The Agent is uninstalled..pdf file in the /tmp directory. set Acrobat Reader as a helper application in Netscape Navigator.. 5. if you installed Acrobat Reader in the default location. Highlight the entire UninstallString entry and copy it. In Navigator.pdf file. Specify helper applications for different file types.htm page. go to Edit. 5. You cannot uninstall the Web Agent from the Add/Remove Programs list control panel because the SiteMinder Web Agent is not listed. 2. set this value to: /usr/local/Acrobat4/bin/acroread %s. If a . 4. In the Netscape Preferences dialog. To set Acrobat Reader as a helper application: 1. Navigator launches Acrobat Reader and opens the . When you set this option. select Applications and set it to: <Acrobat_Reader_home>/bin/acroread %s For example. Under Applications.pdf file does not open after you click a link on the doc_index. Online Documentation Issues If. Preferences. PDF Files Do Not Open from the Online Manuals Index HTML page on a UNIX system using a Netscape browser Then. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SiteMinder\WebAgent 3. Press ENTER. Click OK to close these dialogs. Then. 3.... After you set this option. 4.. IIS Web Agent Issues If. 3. Close the Management Console. Make recommended adjustments to the shared memory segments... stop the Policy Server. stop the server using the Policy Server Management Console.... you see the message: shmget failed. set EnableWebAgent to yes. 1. Start the Policy Server Management Console. 2.... You receive the following error during an upgrade: ComponentMoveData Error -115 Then.Upgrade Issues (Windows and UNIX) If.. The IIS Web Agent is not enabled even though the Web server has started. In the WebAgent.conf file. Adobe Acrobat Reader will not install on a Windows System Then. You may be trying to make a cache that is too large Then. Run the upgrade or again and this error message should no longer appear...conf file. 5. The Sun Java System Web Agent is not enabled even though the Web server has started... Upgrade Issues (Windows and UNIX) If. From the console. Sun Java System Web Agent Issues If. set EnableWebAgent to yes. 4.. In the WebAgent. Troubleshooting 149 . then the installation program should start... If the Acrobat Reader installation program hangs while the Policy Server is running. Click OK to exit the error message. When starting the Web Server. Then. Apache Web Agent Issues If... Web Agent configuration changes are not in the obj.conf file. The Web Agent cannot operate. Sun Java System Web server is failing at run time. Then... You used the Sun Java System Administration console to make server modifications before you applied the changes made by the Agent configuration to the obj.conf. Re-configure the Web Agent. Increase the StackSize setting in the Sun Java System server’s magnus.conf file to a value of 256 KB. The magnus.conf file is located in: <Sun_Java_System_home>/<web_server_instance> / config More Information Tune the Shared Memory Segments (Apache and Sun Java System) (see page 112) Apache Web Agent Issues If... The Apache Agent is not enabled even though the Web server has started Then... In the WebAgent.conf file, set EnableWebAgent to yes. You did not compile the Apache Web server to include the Apache module mod_so. You did not modify the httpd.conf file to load the SiteMinder Agent Module mod_sm. You did not modify the httpd.conf file to add the SiteMinder Agent Module mod-hpaCCso.c for Apache Agents on HP-UX systems only. You did not modify the httpd.conf file to initialize the Agent, using the SmInitFile entry. When starting the web server, you see: shmget failed. You may be trying to make a cache that is too large or be doing apachectl restart Apache Web Agent is not operating Tune the Apache operating system shared memory. Make recommended adjustments to the shared memory segments. 150 Web Agent Installation Guide Domino Web Agent Issues If... Then... More Information Tune the Shared Memory Segments (Apache and Sun Java System) (see page 112) Domino Web Agent Issues If... The Domino Web Agent is not enabled even though the Web server has started. Then... In the WebAgent.conf file, set EnableWebAgent to yes. Ensure that the DOMINOWebAgent.dll file has been added to the filter DLLs. The Web Agent DLL must be the first DLL in the list. Check that the full path to the WebAgent.conf file is added to the notes.ini file. Domino Agent cannot initialize in local configuration mode More Information Add the Domino Web Agent DLL (Windows) (see page 104) Troubleshooting 151 Appendix A: Set Up the nete-wainstaller.properties file.properties File 153 .properties File The following sections discuss setting up the nete-wa-installer. Set Up the nete-wa-installer. nete-wa-installer.properties File nete-wa-installer.properties File The nete-wa-installer.properties file is generated during a Web Agent installation and configuration. It contains all of the parameters, paths, and passwords entered during the installation and configuration. During an unattended installation and configuration, this properties file provides the settings that would be entered by an end-user in a GUI or Console mode installation. Be default, the nete-wa-installer.properties file contains the settings from the initial installation. You can use the default properties file to run installations with the same settings or use the file as a template that you modify to suite your environment. An unattended installation uses a properties file that is initially configured with values from the initial GUI or console mode Web Agent installation. Therefore, you can only run an unattended installation on a system with the same platform and web server image as the system where you first installed the Web Agent. For example, you cannot install an Agent on a Solaris system with an Sun Java System Web server, then use the properties file to run an unattended installation on a Linux system with an Apache Web server. The following is a sample of the nete-wa-installer.properties file. ################################################################## ## nete-wa-installer.properties ## Properties file for the SiteMinder Web Agent ## unattended installation and configuration ## ## This file is generated by an initial Web Agent installation ## and configuration performed in GUI or Console mode. ## ## ## ## ## ## ## Use this file for unattended installation and configuration. ## ################################################################## ################################################################ # General Information ################################################################ # Specifies the information used for the unattended installation. USER_INSTALL_DIR=C:\\Program Files\\Netegrity\\webagent USER_SHORTCUTS=C:\\Documents and Settings\\jdoe\\Start Menu\\Programs ################################################################ # 1. Trusted Host Registration ################################################################ # A trusted host is a client computer where one or more Agents # can be installed. To establish a connection between the # trusted host and the Policy Server, register the host with # the Policy Server. 154 Web Agent Installation Guide nete-wa-installer.properties File # Register the trusted host only once, not each time you install # and configure a Web Agent. # Set to 1 to register this host as a trusted host. HOST_REGISTRATION_YES=1 ################################################################ # 1.1 Administrator For Trusted Host Registration ################################################################ # Enter the name and password of an administrator who has the # right to register a trusted host with the Policy Server. # This entry must match the name of an administrator defined # at the Policy Server. ADMIN_REG_NAME=siteminder ADMIN_REG_PASSWORD=ENC:nGDaSDy1H7qZqcdbkJKPEQ== # Set to 1 to enable shared secret rollover SHARED_SECRET_ROLLOVER_YES=0 ################################################################ # 1.2 Cryptographic Hardware Configuration (optional) ################################################################ # This section only applies if you registered a trusted host. # # NOTE: These are only used if CRYPTO_CONFIG_YES = 1. # # # Select a path and file name of PKCS11, then enter the token label and pass phrase. The token label can be blank. The passphrase cannot be blank. # Set to 1 to enable PKCS11 Cryptographic Hardware. CRYPTO_CONFIG_YES=$CRYPTO_CONFIG_YES$ # The location and file name of the PKCS11 library. PKCS11_FILENAME= # The token label for PKCS11 TOKEN_LABEL= # The token passphrase TOKEN_PASS_PHRASE= ################################################################ # 1.3 Trusted Host Name and Host Configuration Object ################################################################ # Specify the name of the host you want to register with the # Policy Server. Set Up the nete-wa-installer.properties File 155 nete-wa-installer.properties File # Enter the name of the host configuration object. # The name must match a host configuration object name # already defined at the Policy Server. TRUSTED_HOST_NAME=mytrustedhost CONFIG_OBJ=MyHostSettings ################################################################ # 1.4 List of Policy Servers IP Addresses ################################################################ # Enter the IP Address of the Policy Server where you are # registering this host. # # Specify the IP address in the form of <IP_address:port> # To list multiple addresses, enter <IP_address:port>, # <IP_address:port> # For example: 111.112.1.45, 122.113.1.47:45 IP_ADDRESS_STRING=111.11.1.111 ################################################################ # 1.5 Host Configuration File Location ################################################################ # Enter a name and location for the Host Configuration File, # SmHost.conf. SM_HOST_FILENAME=SmHost.conf SM_HOST_DIR=C:\\Program Files\\Netegrity\\webagent\\config ############################################################### # 2. Web Server Selection ############################################################### #The following entries are for UNIX systems only: APACHE_SELECTED= APACHE_WEBSERVER_ROOT= DOMINO_SELECTED= DOMINO_WEBSERVER_ROOT= IPLANET_SELECTED= IPLANET_WEBSERVER_ROOT= # NOTE: Do not edit the following WEB_SERVER_INFO entry. To modify # # it, re-run the Web Agent configuration to regenerate this string with the appropriate values. 156 Web Agent Installation Guide 1.6.httpshost1 (Netscape ES 6.https-host1. ENC:6f1I5TLVEpuSBHpf4GrASg==. if required.1. you can modify the settings in the following table: Parameter Description and Sample Value HOST_REGISTRATION_Y Indicates whether the installation will go through ES the trusted host registration process. For example: C:\\Program Files\\netegrity\\webagent USER_SHORTCUTS The location where the installation places a shortcut to the Configuration Wizard. USER_REQUESTED_RESTART= Modify General Information In the General Information section of the properties file. For example.iplanet. No advanced authentication.Windows. Restart Web Server Option (Windows only) ################################################################ # Set to YES to allow the installation program to reboot the # Windows machine. HOST_REGISTRATION_YES=1 Set Up the nete-wa-installer.undefined.1.0.0.0.properties File 157 .https-host1. For example: C:\\Documents and Settings\\jdoe\\Start Menu\\Programs Register a Trusted Host In the Trusted Host Registration section of the properties file.0). ################################################################ # 3.0.Modify General Information WEB_SERVER_INFO=.C:\\iPlanet\\Servers\\https-host1\\config. you can modify the settings in the following table: Parameter USER_INSTALL_DIR Description and Sample Value The location where the unattended installation will place the Web Agent.C:\\iPlanet\\Servers\\httpshost1.1.+EMPTYSTR+.iPlanetDefaultSettings. The default is 0. For example: TOKEN_LABEL=cardset1 158 Web Agent Installation Guide . you can either reconfigure the Agent or modify this parameter by entering a new password in clear text. For example: PKCS11_FILENAME=/opt/nfast/swspro/lib/libcknfas t. SHARED_SECRET_ROLLOVER_YES=1 Enable Cryptographic Hardware Configuration In the Cryptographic Hardware Configuration section of the properties file. Set to 1 to enable. ADMIN_REG_NAME=siteminder ADMIN_REG_PASSWOR D Password for the administrator with the rights to register a trusted host. This value is encrypted by the installation program. For example: CRYPTO_CONFIG_YES=1 PKCS11_FILENAME Full path. The default is 0. This DLL is installed with the nCipher software on the server where the Web Agent is installed. you can modify the settings in the following table: Parameter CRYPTO_CONFIG_YES Description and Sample Value Indicates whether cryptographic hardware will be configured. SHARED_SECRET_ROLL OVER_YES Enables shared secret rollover. Set this parameter to 1 to enable shared secret rollover. For example. to the PKCS11 DLL.so TOKEN_LABEL Specifies the token label. For example. ADMIN_REG_PASSWORD=ENC:nGDaSDy1H7qZqcd bkJKPEQ To change the password.Enable Cryptographic Hardware Configuration Parameter ADMIN_REG_NAME Description and Sample Value Name of the administrator with the rights to register a trusted host. which periodically changes the secret that encrypts communication between the trusted host and the Policy Server. For example. including the file name. 122. you can specify multiple addresses. SM_HOST_FILENAME=SmHost.conf file is installed. For example: TOKEN_PASS_PHRASE=cardpassword Identify Policy Servers for Trusted Host Registration In the section to list Policy Servers for trusted host registration.11.Identify Policy Servers for Trusted Host Registration Parameter TOKEN_PASS_PHRASE Description and Sample Value Specifies the passphrase for the token. you can modify the setting in the following table: Parameter IP_ADDRESS_STRING Description and Sample Value Specifies the IP address of the Policy Server where you are registering the trusted host. For example. separated by a comma.2. For example. SM_HOST_DIR=C:\\Program Files\\Netegrity\\webagent\\config Set Up the nete-wa-installer.conf.34 Specify the Host Configuration File In the Host Configuration File Location section you can modify the settings in the following table: Parameter SM_HOST_FILENAME Description and Sample Value Names the Host Configuration File. IP_ADDRESS_STRING=111. To have multiple bootstrap servers for failover. The default For example.11.conf SM_HOST_DIR Identifies the directory where the SmHost.1. SmHost.properties File 159 .123. for UNIX Systems: DOMINO_SELECTED=1 DOMINO_WEBSERVER_ROOT=/usr/lotus 160 Web Agent Installation Guide . For example. For APACHE_WEBSERVER_ROOT example. Indicates which Apache Web server you are configuring and that server’s root directory. for UNIX Systems: APACHE_SELECTED=0 APACHE_WEBSERVER_ROOT=/export/apache IPLANET_SELECTED For UNIX Systems. you can modify the settings in the following table: Parameter APACHE_SELECTED Description and Sample Value Indicates which Apache Web server you are configuring and that server’s root directory. Indicates which Sun Java System Web server you are configuring and that server’s root IPLANET_WEBSERVER_ROOT directory. for UNIX Systems: IPLANET_SELECTED=0 IPLANET_WEBSERVER_ROOT=C:\\iPlanet\\ servers DOMINO_SELECTED DOMINO_WEBSERVER_ROO T For UNIX Systems. For example.Select a Web Server for Configuration Select a Web Server for Configuration In the Trusted Host Registration section of the properties file. <existing_server_config>.<web_server_version>.<server_instance>.<preser ve_web_server>. Important! The WEB_SERVER_INFO setting can be modified from one Web server to another. but modify the setting at your own risk. Each web server consists of comma-separated values.<web_ server_path>.<agent_config_obj>.<adv anced_auth_scheme>. even for the same machine.<self_regi stration>.Select a Web Server for Configuration Parameter WEB_SERVER_INFO Description and Sample Value The WEB_SERVER_INFO setting contains information about the Web servers configured with a SiteMinder Web Agent.properties File 161 .<service_name >.<OneView_ Monitor_config>. The WEB_SERVER_INFO entry consists of a set of Web servers.<sele cted_web_server>. Making a mistake when changing a value could cause the Agent installer to fail or the Agent to be configured with inappropriate data.<empty_string>. You can either edit this setting in the file or re-run the Web Agent configuration to regenerate this string with the appropriate values. separated by a semicolon.<web_server_listing>.<document_selection>. The WEB_SERVER_INFO setting is as follows: WEB_SERVER_INFO=.<web_server_type>.<DMS_admin_username>.<DMS_admin_pa ssword> More Information WEB_SERVER_INFO Variables (see page 161) WEB_SERVER_INFO Variables The values of each variable are listed in the table in the following table: Variable <server_instance> Meaning Web server instance Example: https-server1 Set Up the nete-wa-installer.<web_serv er_config_dir>.<confirm_web_server_config>.<empty_string>. iplanet.Select a Web Server for Configuration Variable Meaning <web_server_config_dir Path to the Web server’s config directory.0) <service_name> Web server service name Example: https-server1 <web_server_type> Type can be: apache. domino. Example: +EMPTYSTR+ <empty_string> Empty string for future use. sunone Note: For the Sun Java System web server. use iplanet or sunone. Example: +EMPTYSTR+ <selected_web_server> Indicates whether the selected Web server should be configured with an Agent. this entry reflects how the Web server is shown in the list of available Web servers to configure. Enter: 1=yes or 0=no <existing_server_config > Previous Web server configuration states whether there is an existing Agent configuration Enter: 1=yes 0=no <preserve_web_server> Indicates whether the specified Web server’s configuration with a Web Agent should be overwritten with a new configuration or preserved.0 <web_server_path> Path to the web_server_instance root Example: /usr/iplanet/servers/https-server1 <empty_string> Empty string for future use. Example: sunone <web_server_version> Web server version Example: 6. Example: https-server1 (Sun Java System 6. Enter: 1=preserve 0=overwrite 162 Web Agent Installation Guide . IIS. > Example: /usr/iplanet/servers/https-server1/config <web_server_listing> During the Agent configuration. Select a Web Server for Configuration Variable <document_selection> Meaning For Policy Server only. Entry is ignored by Web Agent. Accept the default. Valid entry: 1=yes or 0=no <OneView_Monitor_conf For Policy Server only. Entry is ignored by the Web ig> Agent. Accept the default. Valid entry: 1=yes or 0=no <confirm_web_server_c onfig> Confirm that the selected Web server should be configured with an Agent. Enter: 1=yes or 0=no <advanced_auth_schem Specifies the advanced authentication scheme, if e> any, being used. Choose one of the following options: HTTP Basic over SSL X509 Client Certificate X509 Client Certificate and HTTP Basic X509 Client Certificate or HTTP Basic X509 Client Certificate or Form X509 Client Certificate and Form No advanced authentication <agent_config_object> Indicates which Agent Configuration Object to use. Example: iplanetdefaultsettings <self_registration> Enables self Registration. Enter: 1=yes or 0=no <DMS_admin_name> DMS Administrator’s name. Example: Admin1 <DMS_admin_password > DMS Administrator’s password. Example: ENC:6f1I5TLVEpuSBHpf4GrASg Set Up the nete-wa-installer.properties File 163 Configure the Web Server to Restart (Windows Only) Any of these values can be changed except for DMS Admin password. Password can be reused by copying the value from one properties file to another. The only way to change the DMS Admin password is to re-run the Agent configuration. The encryption and decryption will always encrypt and decrypt in the same manner. Sample Entry: WEB_SERVER_INFO=;https-server1,/usr/iplanet/servers/https-server1/config,httpsserver1 (iPlanet 6.0),https-server1,iplanet,6.0,/usr/iplanet/servers/httpshost,+EMPTYSTR+,+EMPTYSTR+,1,0,1,0,0,1,HTTP Basic over SSL,agent1,0,undefined,ENC:6f1I5TLVEpuSBHpf4GrASg==,;httpshost2,/usr/iplanet/servers/https-host2/config,https-host2 (Netscape ES 6.0),https-host2,iplanet,6.0,/usr/iplanet/servers/httpsiplanetdefaultsettings,+EMPTYSTR+,+EMPTYSTR+,1,0,0,0,1,No advanced authentication,host2,0,undefined,ENC:6f1I5TLVEpuSBHpf4GrASg== Configure the Web Server to Restart (Windows Only) In the section to list Policy Servers for trusted host registration, you can modify the setting in the following table: Parameter Description and Sample Value USER_REQUESTED_RESTA Allows the installation program to reboot the RT Windows machine, if required after the configuration process. Set to Yes to allow a reboot. Otherwise, set to No. Name the Trusted Host Name and Host Configuration Object In the section for naming the Trusted Host and Host Configuration Object, you can modify the settings in the following table: Parameter TRUSTED_HOST_NAME Description and Sample Value Names the trusted host. This name must be unique. For example: TRUSTED_HOST_NAME=mytrustedhost 164 Web Agent Installation Guide Name the Trusted Host Name and Host Configuration Object Parameter CONFIG_OBJ Description and Sample Value Identifies the Host Configuration Object, which defines communication between the trusted host and Policy Server. For example: CONFIG_OBJ=MyHostSettings Set Up the nete-wa-installer.properties File 165 . the obj.types file. The Web Agent adds settings to the Sun Java System’s obj.conf file. depending on the version of the Sun Java System Web Server.Appendix B: Settings Added to the Sun Java System Server Configuration The following sections discuss settings added to the Sun Java System Server configuration.conf file when the Agent is configured to support an advanced authentication scheme. These files are loaded automatically when the Web server is started.0. When the Web Agent installation program adds information to the Web server’s configuration. This information is only for reference. it divides this information differently. and the mime. configuration settings are added to the magnus. Settings Added to the Sun Java System Server Configuration 167 . These added settings are used to initialize the Web Agent. Add Settings to the Sun Java System Server 6. Administrators must edit the obj. SiteMinder does not remove these settings later if the Agent is reconfigured to support a different advanced authentication scheme.0 When you install the Web Agent on an Sun Java System Web server 6.conf file manually to remove the settings that are no longer relevant.conf file. Note: You do not need to make the modifications documented in the following sections. SiteMinderAgent.SmLoginFcc. Also.conf file: Init fn="load-modules" shlib="C:/Program Files/Netegrity/webagent/bin/NSAPIWebAgent.SmMakeCooki e. The lines of code in plain text are added to the Sun Java System server’s configuration by the Web Agent installation program.conf.SmSSLLoginFcc" Init fn=SmInitAgent config="C:/iPlanet/Servers/httpsserver1/config/WebAgent.dll" funcs="SmInitAgent. magnus. Note: Some of the entries may differ slightly from your files. Code Added to the magnus. In these sample lines of code.SmGetCred. "servletengine" represents the servlet engine instance. These lines added by the servlet engine must come before the NameTrans fn functions added by the SiteMinder Web Agent.SiteMinderAgent.conf" These lines instruct the Web server to load the SiteMinder Web Agent with three NSAPI functions: SmInitAgent. and SmRequireAuth.Modifications Made to Sun Java System/Windows Platforms Modifications Made to Sun Java System/Windows Platforms The obj. 168 Web Agent Installation Guide .conf and mime. smhome in the directory paths represents the installed location of SiteMinder on your system.conf File on Windows Platforms The following lines are added to the magnus.SmRequireAuth.types files are located as follows: <Sun_Java_System_install_location>\servers\https-hostname\config\ where Sun_Java_System_install_location is the location where the Sun Java System server is installed on your system and hostname is the name of the server. The two lines of code in bold are added by the servlet engine that you configure for SiteMinder’s JSP version of Password Services. for the Web server. Most of the lines that begin NameTrans fn="pfx2dir" add virtual directories and mappings for the Agent to support SiteMinder’s Password Services (CGI and JSP versions).jsp*" name="myservletengine" NameTrans fn="assign-name" from="/servlet/*" name="myservletengine" NameTrans fn="assign-name" from="/siteminderagent/pwservlet/*" name="servletengine" NameTrans fn="pfx2dir" from="/siteminderagent/pwcgi" dir="/smhome/siteminder/webagent/pw" name="cgi" NameTrans fn="pfx2dir" from="/siteminderagent/pw" dir="/smhome/siteminder/webagent/pw" NameTrans fn="pfx2dir" from="/siteminderagent/certoptional" dir="/smhome/siteminder/webagent/samples" NameTrans fn="pfx2dir" from="/siteminderagent/jpw" dir="/smhome/siteminder/webagent/jpw" NameTrans fn="pfx2dir" from="/siteminderagent" dir="/smhome/siteminder/webagent/samples" PathCheck fn="SmRequireAuth" PathCheck fn="get-client-cert" dorequest="1" PathCheck fn="get-client-cert" require="0" dorequest="1" Service method="(GET|HEAD)" type="magnus-internal/scc" fn="smGetCred" Service method="(GET|POST|HEAD)" type="magnus-internal/fcc" fn="SmLoginFcc" Service method="(GET|POST|HEAD)" type="magnus-internal/sfcc" fn="SmSSLLoginFcc" Service fn="send-cgi" type="magnus-internal/cgi" Service method="(GET|HEAD)" type="magnus-internal/ccc" fn="smMakeCookie" The following provides more information about each line: The line that reads AuthTrans fn="SiteMinderAgent" is added to the default object (<Object name="default">). It sets up the SiteMinder Web Agent as the Authorization method.conf File on Windows Platforms AuthTrans fn="SiteMinderAgent" NameTrans fn="assign-name" from="*.jsp*" name="myservletengine" and NameTrans fn="assign-name" from="/servlet/*" name="myservletengine"create mappings for the Agent to support SiteMinder’s Password Services. Settings Added to the Sun Java System Server Configuration 169 . The lines that read NameTrans fn="assign-name" from="*. The line that begins NameTrans fn="pfx2dir" from="/siteminderagent/certoptional" is added if you chose to configure a certificate based authentication scheme. The line that reads NameTrans fn="assign-name" from= "/siteminderagent/pwservlet/*" name="myservletengine" is a filter added by the Web Agent that maps the JSP Password Services servlet to the instance of the servlet engine so that engine can process it. or AuthTrans function.Modifications Made to Sun Java System/Windows Platforms Code Added to the obj. during configuration.types file by the setup program: type=magnus-internal/sfcc exts=sfcc type=magnus-internal/fcc exts=fcc type=magnus-internal/scc exts=scc type=magnus-internal/ccc exts=ccc These lines set up the mime types to support advanced SiteMinder features. Note: Both PathCheck lines for advanced authentication should be commented out for "Basic Auth over SSL. you indicated that the Web Agent would support advanced authentication schemes. and certificate and forms authentication schemes.types File on Windows Platforms The following lines are added to the mime.Modifications Made to Sun Java System/Windows Platforms The lines that read PathCheck fn="SmRequireAuth" is added to any existing PathCheck lines in the default object. The line that reads PathCheck fn="get-client-cert" dorequest="1" is added if. It supports the use of certificate. It supports the use of certificate or basic and certificate or forms authentication schemes. The line that reads PathCheck fn="get-client-cert" require="0" dorequest="1" is added if. Code Added to the mime." The lines that begin Service method are added to instruct the Web server what to do with the MIME types. certificate plus basic. It verifies that the user is authorized to perform the requested action on the requested resource. during configuration. you indicated that the Web Agent would support advanced authentication schemes. 170 Web Agent Installation Guide . Check Agent Start-up with LLAWP Check Agent Start-up with LLAWP To start the LLAWP process: 1. magnus.conf. you must also shut it down from the command line. 2.conf" -ISAPI60 UNIX: LLAWP /usr/apache/conf/WebAgent. "servletengine" represents the servlet engine instance. and mime. Note: Some of the entries may differ slightly from your files.conf. Also.conf -APACHE20 Note: If you start the LLAWP from the command line. In these sample lines of code. Settings Added to the Sun Java System Server Configuration 171 . These lines added by the servlet engine must come before the NameTrans fn functions added by the SiteMinder Web Agent. Ensure you have configured the Web Agent with the Configuration Wizard. Open a console window and enter the following command: LLAWP <path_to_WebAgent.conf> -<web_server_type> web_server_type can be ISAPI60 or APACHE20 path_to_WebAgent. smhome in the directory paths represents the installed location of SiteMinder on your system. Modifications Made to Sun Java System/UNIX Platforms The obj.types files are located as follows: /usr/<Sun_Java_System_install_location>/servers/https-hostname/config/ where Sun_Java_System_install_location is the location in which the Sun Java System server is installed on your system and hostname is the name of the server.conf can be a full path or a relative path from the location where you are running LLAWP. The two lines of code in bold are added by the servlet engine that you configure for SiteMinder’s JSP version of Password Services. For example: Windows: LLAWP "C:\Program Files\Netegrity\Siteminder Web Agent\Bin\IIS\WebAgent. The lines of code in plain text are added to the Sun Java System Web server’s configuration by the Web Agent installation program. so" funcs="SmInitAgent.SmRequireAuth.SmGetCred . Code Added to the obj.conf File on UNIX Platforms AuthTrans fn="SiteMinderAgent" NameTrans fn="assign-name" from="*.SmLoginFcc.conf" Init fn="SmInitChild" LateInit=”yes” These lines instruct the Web server to load the SiteMinder Web Agent with four NSAPI functions: SmInitAgent.conf file: Init fn="load-modules" shlib="/usr/netegrity/siteminder/agents/bin/NSAPIWebAgent.SmMakeCookie.SmInitChild. SmInitChild.SmSSLLoginFcc" Init fn=SmInitAgent config="/usr/iPlanet/servers/httpsyourserver/config/WebAgent.SiteMinderAgent. SiteMinderAgent. and SmRequireAuth.Modifications Made to Sun Java System/UNIX Platforms Code Added to the magnus.conf File on UNIX Platforms The following lines are added to the magnus.jsp*" name="myservletengine" NameTrans fn="assign-name" from="/servlet/*" name="myservletengine" NameTrans fn="assign-name" from="/siteminderagent/pwservlet/*" name="servletengine" NameTrans fn="pfx2dir" from="/siteminderagent/pwcgi" dir="/smhome/siteminder/webagent/pw" name="cgi" NameTrans fn="pfx2dir" from="/siteminderagent/pw" dir="/smhome/siteminder/webagent/pw" NameTrans fn="pfx2dir" from="/siteminderagent/certoptional" dir="/smhome/siteminder/webagent/samples" NameTrans fn="pfx2dir" from="/siteminderagent/jpw" dir="/smhome/siteminder/webagent/jpw" NameTrans fn="pfx2dir" from="/siteminderagent" dir="/smhome/siteminder/webagent/samples" PathCheck fn="SmRequireAuth" #SMSSL The line below should be uncommented for "cert" and "cert plus basic" schemes PathCheck fn="get-client-cert" dorequest="1" #SMSSL The line below should be uncommented for "cert or basic" or "cert or form" schemes PathCheck fn="get-client-cert" require="0" dorequest="1" #SMSSL Both of the above PathCheck lines should be commented out for "Basic Auth over SSL" Service method="(GET|HEAD)" type="magnus-internal/scc" fn="smGetCred" Service method="(GET|POST|HEAD)" type="magnus-internal/fcc" fn="SmLoginFcc" Service method="(GET|POST|HEAD)" type="magnus-internal/sfcc" fn="SmSSLLoginFcc" Service method="(GET|HEAD)" type="magnus-internal/ccc" fn="smMakeCookie" 172 Web Agent Installation Guide . during configuration you indicated during installation that the Web Agent would support advanced authentication schemes. Settings Added to the Sun Java System Server Configuration 173 . during configuration. The line that begins NameTrans fn="pfx2dir" from="/siteminderagent/certoptional" is added if you chose to configure a certificate based authentication scheme.Modifications Made to Sun Java System/UNIX Platforms The following provides more information about each line: The line that reads AuthTrans fn="SiteMinderAgent" is added to the default object (<Object name="default">). It verifies that the user is authorized to perform the requested action on the requested resource. The line that reads NameTrans fn="assign-name" from= "/siteminderagent/pwservlet/*" name="myservletengine" is a filter added by the Web Agent that maps the JSP Password Services servlet to the instance of the servlet engine so that engine can process it. It supports the use of certificate. The line that reads PathCheck fn="get-client-cert" dorequest="1" is added if.types file by the setup program: type=magnus-internal/sfcc exts=sfcc type=magnus-internal/fcc exts=fcc type=magnus-internal/scc exts=scc type=magnus-internal/ccc exts=ccc These lines set up the mime types to support advanced SiteMinder features. The line that reads PathCheck fn="SmRequireAuth" is added to any existing PathCheck lines in the default object. Code Added to the mime. It sets up the SiteMinder Web Agent as the Authorization method.types File on UNIX Platforms The following lines are added to the mime. Note: Both PathCheck lines for advanced authentication should be commented out for "Basic Auth over SSL. Most of the lines that begin NameTrans fn="pfx2dir" add virtual directories and mappings for the Agent to support SiteMinder’s Password Services (CGI and JSP versions). certificate plus basic. you indicated that the Web Agent would support advanced authentication schemes. The line that reads PathCheck fn="get-client-cert" require="0" dorequest="1" is added if." The lines that begin Service method are added to instruct the Web server what to do with the MIME types. for the Web server. and certificate and forms authentication schemes. or AuthTrans function. It supports the use of certificate or basic or the certificate or forms authentication schemes. . 0. Oracle 10G.x. Covalent Enterprise Web Server. Stronghold. For example: export LD_LIBRARY_PATH <web_agent_home>/bin The library path variable depends on the operating system—it should always point to <web_agent_home>/bin.Appendix C: Configuration Changes to Web Servers with Apache Web Agent This appendix lists changes made automatically by running the Web Agent Configuration Wizard to configure an Apache Web Agent. IBM HTTP Server. including Apache 1. These changes apply to all Web servers that support the Apache Web Agent. Library Path for the Web Server is Set for UNIX Systems The library path for the Apache Web server is required because it enables the Apache server to load libraries correctly on a UNIX system. and HP Apache. Apache 2. The following table lists the variables. Operating System Solaris HP-UX LINUX AIX Path Variable LD_LIBRARY_PATH SHLIB_PATH LD_LIBRARY_PATH LIBPATH Configuration Changes to Web Servers with Apache Web Agent 175 . export SHLIB_PATH Set Library Path and Path for Oracle 10g Web Server Running in Apache 2.0. export LD_LIBRARY_PATH Oracle HTTP Server 9.0.2 on Solaris and Linux: if [ -z "$LD_LIBRARY_PATH" ] then LD_LIBRARY_PATH=<OHS_home>/libexec:<web_agent_home>/bin. LD_LIBRARY_PATH is automatically added to the apachectl script. both the LD_LIBRARY_PATH and PATH variables need to be set in the apachectl script.x mode.x Mode For an Oracle 10g Web server running in Apache 2.x Mode The entries are as follows: Oracle HTTP Server 9. export LD_LIBRARY_PATH else LD_LIBRARY_PATH=<OHS_home>/libexec:${LD_LIBRARY_PATH}. export SHLIB_PATH else SHLIB_PATH=<OHS_home>/libexec:${SHLIB_PATH}.2 on HP-UX: if [ -z "$SHLIB_PATH" ] then SHLIB_PATH=/<OHS_home>/libexec:<web_agent_home>/bin. Add the following entry for PATH in the apachectl script: PATH=<Path of webagent install>/bin:${PATH} .Set Library Path and Path for Oracle 10g Web Server Running in Apache 2. export PATH 176 Web Agent Installation Guide . which is located in the directory <OHS_home>/Apache/Apache/bin/. 2/9.0. The <web_agent_home> variable represents the installed location of the Web Agent. which precedes the Main server configuration section of the file. the httpd.conf configuration file to enable the Web server to operate with the Apache Web Agent. this file is located in the conf directory: <Apache_home>/conf For the Oracle 9. Entries Added to DSO Support Section The following line(s) are added to the Dynamic Shared Object (DSO) Support configuration section.conf file is located in: <OHS_home>/Apache/Apache/conf where <OHS_home> is the server root for Oracle HTTP Server. Configuration Changes to Web Servers with Apache Web Agent 177 .conf File The Configuration Wizard modifies the httpd. such as: UNIX: /opt/netegrity/webagent Windows: C:\Program Files\netegrity\webagent For most Apache-based Web servers. Notes: The examples in this procedure are for UNIX platforms.conf File Changes to the httpd. however the same changes are made to Windows platforms using the appropriate Windows syntax.3 HTTP Server (OHS).Changes to the httpd.0. sl For Apache 1.so 178 Web Agent Installation Guide .so For Apache 1. mod_ibm_ssl.so.conf File LoadModule Entries Added One of these modules is required to load the SiteMinder Agent. the IBM HTTP Server 2. Therefore.so For Apache 2.0.sl For Apache 2.sl HPaCCLoadModule sm_module <web_agent_home>/bin/mod_sm.Changes to the httpd. For Oracle HTTP Server (excluding servers running HP-UX 11i).0 running Windows: LoadModule sm_module <web_agent_home>/bin/mod_sm20.dll For Apache 2. the following line is added to the DSO configuration section: LoadModule sm_certenv <web_agent_home>/bin/mod_smcertenv.x running HP-UX 11i: LoadModule hpaCCso_module <web_agent_home>/bin/mod_hpaCCso. for UNIX systems.0. to enable certificate-based authentication.0 (excluding servers running HP-UX 11i): LoadModule sm_module <web_agent_home>/bin/libmod_sm20. add: LoadModule sm_module <web_agent_home>/bin/mod_sm.dll For IBM HTTP Server 2.0 running HP-UX 11i: LoadModule sm_module <web_agent_home>/bin/libmod_sm20.47 running HP-UX 11i: LoadModule ibm_ssl_module modules/mod_ibm_ssl.47 on HP-UX 11i requires that the IBM SSL module be last in the list of LoadModule directives.so For Oracle HTTP Server running HP-UX 11i: LoadModule hpaCCso_module <web_agent_home>/bin/mod_hpaCCso.sl HPaCCLoadModule sm_module <web_agent_home>/bin/mod_sm.x (servers except HP-UX 11i): LoadModule sm_module <web_agent_home>/bin/mod_sm.x running Windows: LoadModule sm_module <web_agent_home>/bin/Apache20WebAgent.sl Optionally. For Apache 1. the Web Agent and all other Apache LoadModule directives are placed above the IBM SSL library.so Note: If you are communicating across an SSL connection. x Web server.27 Web servers.c #Siteminder AddModule mod_sm. such as Stronghold. IBM HTTP Server.c . If the operating system for the Web Agent is HP-UX.conf Configuration Changes to Web Servers with Apache Web Agent 179 .0.sl extension is used.conf" For Oracle 9. mod_sm. Note: HP-UX uses the extension .3 HTTP Server. AddModule mod_servletexec.c entry is placed at the end of the AddModule section of the file. .conf File mod_smcertenv enables certificate-based authentication to work with Apache Web servers without requests being redirected to the SSL credential collector.c Entry Added to ClearModuleList If the directive ClearModuleList exists in the DSO configuration section.Changes to the httpd. Note: This module is only for Apache 1. The entry to load mod_smcertenv must come after the entry to load mod_sm. or Oracle HTTP Server. .0.3.c SmInitFile Entry Added In the Main server section of the file. the . not a relative path.sl to refer to a shared library. the SmInitFile entry is added: SmInitFile <Apache_home>/conf/WebAgent. as shown in bold: ClearModuleList AddModule mod_env. the entry is: SmInitFile <OHS_home>/Apache/Apache/conf/WebAgent.3. For example: SmInitFile "/export/Apache2/conf/WebAgent. the mod_sm.2/9.conf This entry is placed after the LoadModule entry. A full path is used. It is not supported for proprietary versions of the Apache 1. Each alias entry appears on its own line.conf File Alias Entries Added In the Aliases section of the file.deny Allow from all </Directory> Basic over SSL authentication AliasMatch /siteminderagent/nocert/[0-9]+/(. To obtain this module.*) "<web_agent_home>/$1" <Directory "<web_agent_home>/$1"> Options Indexes MultiViews AllowOverride None Order allow.deny Allow from all </Directory> Alias /siteminderagent/pw/ “<web_agent_home>/pw/” <Directory "/export/webagent/pw/"> Options Indexes MultiViews ExecCGI AllowOverride None Order allow.modssl. SSL must be enabled by compiling the Apache server to include the mod_ssl module. see www.*) "<web_agent_home>/$1" <Directory "<web_agent_home>/$1"> Options Indexes 180 Web Agent Installation Guide . Note the following: The Alias /siteminderagent/ “<web_agent_home>/samples/” entry must come after all other aliases in the Aliases section. For SiteMinder to use Basic over SSL or X.Changes to the httpd. entries are added to enable SiteMinder features.deny Allow from all </Directory> X509 Client Cert or X509 Client Cert and Basic authentication AliasMatch /siteminderagent/cert/[0-9]+/(.org.509 certificate-based authentication schemes with an Apache Web Agent. Password Services Alias /siteminderagent/pwcgi/ “<web_agent_home>/pw/” <Directory "/export/webagent/pw/"> Options Indexes MultiViews ExecCGI AllowOverride None Order allow. conf File AllowOverride None Order allow.Changes to the httpd. Configuration Changes to Web Servers with Apache Web Agent 181 .deny Allow from all </Directory> X509 Client Cert or Basic authentication AliasMatch /siteminderagent/certoptional/[0-9]+/(.deny Allow from all </Directory> X509 Certificate or Form or X509 Client Cert and Form authentication Alias /siteminderagent/certoptional/"<web_agent_home>/ samples/" <Directory "<web_agent_home>/samples/" Options Indexes AllowOverride None Order allow.deny Allow from all </Directory> Note: This is the alias that should be placed at the end of the section.*) "<web_agent_home>/$1" <Directory "<web_agent_home>/$1" Options Indexes AllowOverride None Order allow.deny Allow from all </Directory> Forms authentication or Agent is cookie provider for single sign-on Alias /siteminderagent/ “<web_agent_home>/samples/” <Directory "/export/webagent/samples/"> Options Indexes MultiViews AllowOverride None Order allow. fcc AddHandler smsslformsauth-handler .sfcc AddHandler smadvancedauth-handler . SiteMinder Feature Password Services Forms authentication Certificate and Forms authentication Certificate or forms authentication SSL authentication.exe AddHandler smformsauth-handler .scc AddHandler smcookieprovider-handler .x QMR 6 For Web Agents prior to 5. including: Basic over SSL Certificate Certificate or basic Certificate and basic Cookie provider for single sign-on AddHandler Entry AddHandler cgi-script .scc AddHandler smcookieprovider-handler .x QMR 6.conf File AddHandler Entries Added for Agents v5.sfcc AddHandler smadvancedauth-handler . entries are added to the AddHandler section of the file for SiteMinder features.0 Web servers.x Web servers.exe AddHandler smformsauth-handler .ccc The modified section would appear as follows: AddHandler cgi-script .fcc AddHandler smsslformsauth-handler .ccc 182 Web Agent Installation Guide . such as Agents installed on Apache 2. Note: These entries do not apply to Web Agents after v5.Changes to the httpd.x QMR 6. such as Agents installed on Apache 1. Configuration Changes to Web Servers with Apache Web Agent 183 .wlt SSLWalletPassword <your_wallet_password> Agent Parameter Added for SSL Connections Using Apache 1.x based server. which converts HTTPS to HTTP.02/9. the SSL Client Authentication type is set it to optional: SSLVerifyClient optional For Oracle 9. Note: If a server is behind an HTTPS accelerator. the following SSL Engine Options entry in the Virtual Hosts section is uncommented for the appropriate virtual host (if multiple hosts are defined): SSLOptions +ExportCertData +StdEnvVars Note: If there is an existing SSL option in the Virtual Hosts section. If you are using X509 Client Cert or Forms authentication. For example.conf file or the Agent Configuration Object configured at the Policy Server. or X509 Client Cert or Basic authentication.Agent Parameter Added for SSL Connections Using Apache 1.03 HTTP Server. X509 Client Cert and Basic. the httpsports parameter is added to the WebAgent. all requests are treated as SSL connections by your browser. The entries should look similar to the following: SSLWallet file:<OHS_home>/Apache/Apache/conf/ssl. This parameter specifies one or more (comma-separated) HTTPS port numbers the Web server is listening on. the SSLWallet and SSLWalletPassword entries are added to the Virtual Hosts section. if SSL has been configured.x Based Servers Certificate Authentication Entries Added If you are using X509 Client Cert. the following SSL Engine Options entry in the Virtual Hosts section is uncomment for the appropriate virtual host (if multiple hosts are defined): SSLOptions +StdEnvVars +CompatEnvVars In the Virtual Hosts section of the file. set httpsports to 80. then that existing entry is commented out and the new SSL entry is added.x Based Servers If you are using SSL connections (HTTPS) to an Apache 1. . Appendix D: Environment Variables Added or Modified by the Web Agent Installation This section contains the following topics: Added or Modified Environment Variables (see page 185) Added or Modified Environment Variables The following environment variables are added or modified by the Web Agent installation: NETE_WA_ROOT = $INSTALL_PATH$ NETE_WA_PATH = $INSTALL_PATH$$/$bin Environment Variables Added or Modified by the Web Agent Installation 185 . . 77.types File on Windows Platforms • 170 Code Added to the obj. 85 using forms authentication • 115 X. configuring • 81. 93 configuring.conf. 85 X509 Client Certificate • 81. console mode • 93 configuring.conf File Permissions for Shared Secret Rollover • 111 Code Added to the magnus.conf File on UNIX Platforms • 172 Code Added to the magnus.509 client certificate and basic • 81. 60.conf File • 177 Check Agent Start-up with LLAWP • 171 Check SmHost.conf File on Windows Platforms • 168 Code Added to the mime. 63 C CA Product References • iii Certificate Authentication Entries Added • 183 Changes to the httpd. 85 X. GUI mode • 93 for IBM HTTP Web server • 92 for Stronghold server • 92 http. setting • 97 modifying httpd. modifying • 101 increasing shared memory • 112 installing • 51 LD_PRELOAD.conf File on UNIX Platforms • 172 Index 187 . configuring • 35. caution • 14 Apply Changes to Sun Java System Web Server Files • 88 Assign Read Permissions to Samples and Error Files Directories • 74 authentication schemes HTTP Basic over SSL • 81. 105 configuring • 89.conf File to Improve Server Performance • 96 Add Password Services JAR files to the Servlet Engine Classpath • 117 Add Settings to the Sun Java System Server 6. 85 X. accessing • 35. 89.509 client certificate or basic • 81.509 client certificate or HTML Forms • 81. UNIX • 124 Apache Web Agent Issues • 150 Apache Web server installing as service • 14 installing on windows. 85 B Back Up Customized Files • 127 boostrap servers.Index A Add a Logs Subdirectory for Apache Web Agents • 19 Add a SiteMinder Agent User to nCipher UNIX Group (UNIX Only) • 21 Add Entries to the httpd. 85 SSL.x QMR 6 • 182 Agent Configuration Object definition • 12 Domino requirements • 12 IIS requirements • 12 installation requirement • 12 Agent Parameter Added for SSL Connections Using Apache 1.509 client certificate and HTML Forms • 81.x Based Servers • 183 Agent Start-Up/Shutdown Issues (Framework Agents Only) • 143 Alias Entries Added • 180 Allow IIS to Execute Web Agent ISAPI and CGI Extensions • 75 Allow Unattended Failover for nCipher Cryptographic Modules • 120 Apache Web Agent as reverse proxy server • 101 Configuration Wizard.0 • 167 Add the Domino Web Agent DLL (UNIX) • 108 Add the Domino Web Agent DLL (Windows) • 104 Added or Modified Environment Variables • 185 AddHandler Entries Added for Agents v5. 81. 39.conf • 177 reinstalling • 59 supported platforms • 11 tuning shared memory • 112 uninstalling.types File on UNIX Platforms • 173 Code Added to the mime. 85 X. UNIX • 124 upgrading 4.0 for JSP Password Services for an IIS Web Server • 107 Configure ServletExec for JSP Password Services for a UNIX Sun Java System Web Server • 118 Configure Sun Java System Web Agents on UNIX Systems • 84 Configure Sun Java System Web Agents on Windows Systems • 81 Configure Sun Java System Web Agents Using GUI or Console Mode • 85 Configure the Web Server to Restart (Windows Only) • 164 Connectivity and Trusted Host Registration Issues • 146 console mode configuring Domino • 105 Contact Technical Support • iii Cookie Provider Redirection Differences Between 4. UNIX • 50 uninstalling UNIX • 126 uninstalling on a UNIX system • 126 uninstalling on a Windows system • 125 Domino Web Agent configuring/Windows • 102 Domino Web Agent adding DLLs • 104 Configuration Wizard.x Agents.x Agents. UNIX • 136 upgrading 4.x Agents • 129 cryptographic hardware settings. Windows • 108 Configuration Changes to Web Servers with Apache Web Agent • 175 Configuration Notes for Web Agents on IIS 6.x Agents. Windows • 134 upgrading 5.0 Servers • 75 Configure a Domino Web Agent • 102 Configure a Domino Web Agent on Windows Systems • 102 Configure a Sun Java System Web Agent • 80 Configure a Web Agent • 73 Configure an Apache Web Agent • 89 Configure an Apache Web Agent on UNIX Systems • 92 Configure an Apache Web Agent on Windows Systems • 89 Configure an Apache Web Agent Using GUI or Console Mode • 93 Configure an IIS Web Agent • 73 Configure Any Web Agent in Unattended Mode • 108 Configure Apache for Oracle 9.x and 6. Windows • 111 reinstalling. accessing • 102 configuring.Code Added to the obj. UNIX • 138 upgrading 5. Windows • 132 Domino Web Agent Issues • 151 E Enable Cryptographic Hardware Configuration • 158 Enable Write Permissions for IBM HTTP Server Logs • 19 Enabling SHLIB Path for an Agent on Apache 2. UNIX • 59 uninstalling.conf File on Windows Platforms • 169 Collect nCipher Information • 21 Compile an Apache Web Server on a Linux System • 20 configuration unattended mode. Windows • 130 upgrading 6.0. UNIX • 105 installing.0.0/HP-UX 11 • 99 188 Web Agent Installation Guide . modifying password • 26 dms.properties • 26 dmsencrytpkey modifying DMSAdmin password • 26 documentation installing.x Agents. UNIX • 140 upgrading 6.2/9. UNIX • 51 reconfiguring. Domino Web Agent • 104 DMS Admin account.3 HTTP Server • 100 Configure Domino Web Agents in GUI or Console Mode • 105 Configure Domino Web Agents on UNIX Systems • 105 Configure ServletExec 5.x Agents. unattended installation • 158 unattended failover • 120 Cryptographic Hardware Issues • 147 D Decide Whether to Implement Cryptographic Hardware • 21 DLLs adding.x Agents. UNIX • 52 IIS • 29 on UNIX • 51 Sun Java System/UNIX • 51 Sun Java System/Windows • 29 J JSP Password Services adding JAR files.2 CF1 and CF2 • 18 IBM HTTP Server Agent configuration • 92 installing Agent • 14. UNIX • 138 upgrading 5.properties. 51 upgrading 4. Windows • 130 upgrading 6.x Agents.0. description • 32.2 • 18 IBM Hot Fixes for Domino 6. Windows • 134 upgrading 5. 85 httpd. 63 settings. 109 installing documentation. UNIX • 140 Identify Policy Servers for Trusted Host Registration • 159 IIS 6. unattended installation • 157 General Installation Issues • 147 GUI mode installation • 52 H hardware encryption using. Windows • 117 invoking password services servlet • 117 Index 189 .x Agents. UNIX • 50 installing Web Agents Apache • 51 Domino/UNIX • 51 Domino/Windows • 29 GUI mode. Windows • 39.x Agents.Ensure LD_PRELOAD Variable Does Not Conflict with Existing Agent • 128 Ensure the Policy Server is Installed and Configured • 12 Entries Added to DSO Support Section • 177 Environment Variables Added or Modified by the Web Agent Installation • 185 F Fix Display Errors on Sun Java System with Cryptographic Hardware • 22 Fix the ServletExec CLASSPATH for DMS • 47 forms authentication scheme credential collection • 115 G Gather information Needed to Complete the Agent Installation • 13 general information settings.properties file description • 56 installer. UNIX • 136 upgrading 4.0.conf modifying for Apache • 177 I IBM Hot Fix Required for Domino 6. Windows • 20 Host Configuration File modifying. Windows • 132 upgrading Agents.x Agents. 63 purpose • 39.5. 59.x Agents. Sun Java System Web Agent • 124 HTTP Basic over SSL authentication scheme • 81. prerequisites • 73 reconfiguring • 111 reinstalling • 35 IIS Web Agent Issues • 149 Install a Servlet Engine for Registration Services (Optional) • 24 Install a Web Agent on a UNIX System • 49 Install a Web Agent on a Windows System • 29 Install an Apache Web Server on Windows as a Service for All Users • 14 Install IBM Hot Fixes for Domino Web Servers • 17 Install nCipher on an Agent Web Server • 21 Install the Correct Agent for a Web Server • 14 Install the Web Agent Documentation on UNIX Systems • 50 Install the Web Agent on a UNIX System • 51 Install the Web Agent on Windows Systems • 29 Install UNIX Patches • 15 installer.0 Web Agent Operating with Third-Party Software on the Same Server • 76 IIS Web Agent configuring • 77 IIS 6. unattended installation • 159 Host Configuration Object definition • 12 installation requirement • 12 HP-UX uninstalling. Windows • 116 JSP servlet. Windows • 35 settings. Apache/Linux • 97 Library Path for the Web Server is Set for UNIX Systems • 175 Linux compiling Apache server • 20 LoadModule Entries Added • 178 P Password Services configuring JSP version.conf. UNIX • 11 Preserve Changes in the WebAgentTrace. configuring • 35. 81. Windows • 116 O obj. See Windows • 102 190 Web Agent Installation Guide .Conf File (Windows) • 39 multiple bootstap servers. Windows • 20 Policy Server checking configuration • 12 initial connection to Agent • 35 initial connection with Agent • 59 registering a trusted host.required modifications.conf File • 22 properties files dms.conf modifications made by Agent • 167 Online Documentation Issues • 148 Oracle 9. 60.x HTTP Server configuring • 100 Oracle HTTP Server httpd. 89 Notes About Uninstalling Web Agents • 121 NT.Conf File (UNIX) • 63 Modify the SmHost. 39. 63 N Name the Trusted Host Name and Host Configuration Object • 164 nete-wa-installer. modifying • 117 JSP version • 116 JSP-based JARs • 117 Password Services and Forms Directories • 23 PKCS11 cryptographic hardware using.c Entry Added to ClearModuleList • 179 Modifications Made to Sun Java System/UNIX Platforms • 171 Modifications Made to Sun Java System/Windows Platforms • 168 Modify General Information • 157 Modify the Apache 2.x QMR x Japanese Web Agents Required • 129 mod_sm.conf File for Agents on IBM HTTP Servers • 19 Modify the DMS Admin Password for Registration Services • 26 Modify the File to Invoke JSP Password Services Servlet • 117 Modify the http.properties • 26 Put the Agent Filter and Extension Before Other Third-Party Filters • 79 M Manual Upgrade from 4. modifying • 100 K Know the Results of Running the Configuration Wizard After Upgrades • 128 Know Which Password Services and Forms Template are Upgraded • 128 L LD_PRELOAD setting.0 • 73 prerequisites for installation Web Agents.0 httpd. unattended installation • 159 Prepare an Unattended Configuration • 109 Prepare an Unattended Installation on UNIX • 56 Prepare an Unattended Installation on Windows • 32 Prepare for Cryptographic Hardware Support (Optional) • 20 Prepare for the Installation • 11 Prerequisites and Guidelines for Password Services • 22 Prerequisites and Guidelines for Registration Services (Optional) • 24 Prerequisites for Configuring the Web Agent on IIS 6.conf File for Apache Reverse Proxy Server • 101 Modify the SmHost. See iPlanet Web Server • 77. UNIX • 59 registering a trusted host.properties File • 154 Netscape. 67 using smreghost. UNIX • 67 using smreghost.3/SuSe8 Linux System • 98 Set Library Path and Path for Oracle 10g Web Server Running in Apache 2.5. 63 Review the Upgrade Procedure • 127 Run a Console Mode Installation on UNIX • 54 Run a GUI Mode Installation on UNIX • 52 Run a GUI Mode Installation on Windows • 30 Run an Unattended Configuration • 110 Run an Unattended Installation on UNIX • 55. 70 Registration Services installed files • 46 prerequisites • 24 requirements for Web Agent • 24 Registration Services Installed Files (UNIX) • 71 Registration Services Installed Files (Windows) • 46 Registration Tool reregisring trusted hosts. 47 with registration services • 27 Set JRE in PATH Variable Before Uninstalling the Web Agent • 122 Set LD_PRELOAD for Using X.509-based Auth Schemes with Domino 6. 57 Run an Unattended Installation on Windows • 32. 67 reverse proxy server modifying http. 33 Run Registration Services with ServletExecAS (UNIX only) • 27 Run the Configuration Wizard for an IIS Web Agent • 77 Run the Configuration Wizard on Windows • 81 Run the nete_wa_env. Registration Services • 24 ServletExec invoking PWS servlet • 117 repairing classpath.x Mode • 176 Set the DISPLAY For Web Agent Installations on UNIX • 18 Set the LD_ASSUME_KERNAL for • 98 Set the LD_PRELOAD Variable for an Oracle 10G Web Server on Linux • 97 Index 191 . Windows • 42. UNIX • 59 Web Agents. Windows • 42. UNIX • 67 using. Windows • 111 Register a Trusted Host • 157 Register a Trusted Host in GUI or Console Mode • 60 Register Multiple Trusted Hosts on One System (UNIX) • 70 Register Multiple Trusted Hosts on One System (Windows) • 45 Register Your System as a Trusted Host on UNIX • 59 Register Your System as a Trusted Host on Windows • 35 registering a trusted host on UNIX platform • 59 on Widows platform • 35 registering trusted hosts administrator rights • 12 registering multiple hosts • 45. UNIX • 67 using.conf • 101 Review the Results of the Installation and Host Registration • 38.sh Script After Installation • 58 S Select a Web Server for Configuration • 160 servlet engine required. Windows • 42 reregistering trusted hosts • 42 using.R Reconfigure a Web Agent • 111 reconfiguring Web Agent. DMS • 23. 67 Reinstall a Web Agent on UNIX • 59 Reinstall the Web Agent on Windows • 35 re-installing Web Agents. Windows • 35 Repair ServletExec’s CLASSPATH for JSP Password Services (Windows) • 23 Replace Existing Read-only Files • 128 Required AIX Patches • 16 Required HP-UX Patches • 16 Required Linux Libraries • 17 Required Linux Patches • 17 Required Solaris Patches • 15 Re-register a Trusted Host Using the Registration Tool (UNIX) • 67 Re-register a Trusted Host Using the Registration Tool (Windows) • 42 reregistering trusted hosts • 42. 47 • 145 Stronghold Web server Apache Web Agent.47/Linux AS 3. 35. Windows • 134 upgrading 5. 56. accessing • 81 configuring. Windows • 39. description • 56 installer. UNIX • 140 upgrading 6.properties File • 153 Set Up Your Environment for JSP Password Services • 116 Settings Added to the Sun Java System Server Configuration • 167 shared memory segments.x Agents.conf creating. UNIX • 59 creating.conf Settings That Should Not Be Modified (UNIX) • 66 SmHost.0 System • 98 Set Up Additional Agent Components • 115 Set Up DNS on AIX Platforms for Agent Operation • 20 Set Up the nete-wa-installer. Windows • 132 Sun Java System Web Agent Issues • 149 Sun Java System Web server changes to obj. configuring • 81. 63 purpose • 35. UNIX • 57 running. Windows • 134 upgrading 5. 67 settings. 67 Specify the Host Configuration File • 159 SSL authentication schemes. 63 modifying.conf • 167 supported platforms UNIX • 11 T Troubleshoot Agent Start-Up/ShutDown with LLAWP • 143 Troubleshooting • 143 trusted host definition • 12. UNIX • 59 reinstalling. Windows • 33. 85 Stop an Unattended Installation in Progress on UNIX • 57 Stop an Unattended Installation in Progress on Windows • 34 Stop LLAWP When Stopping IBM HTTP Server 2. nCipher modules • 120 unattended installation installer. 110 UNIX • 55 Windows • 32 Uninstall a Web Agent • 121 192 Web Agent Installation Guide . 70 registering. Windows • 42.properties. UNIX • 59 registering. 109 preparing • 32.x Agents.Set the LD_PRELOAD Variable for Apache Agent Operation • 96 Set the LD_PRELOAD Variable for Apache Web Server on SUSE Linux 98 • 97 Set the LD_PRELOAD Variable for SSL Configuration on an IBM HTTP Server 2. 51 upgrading 4. UNIX • 67 using.x Agents.x Agents.x Agents. 164 Tune the Shared Memory Segments (Apache and Sun Java System) • 112 U unattended configuration Windows • 108 unattended failover. upgrading UNIX • 136 installing an Agent • 14. Windows • 35 reregistering • 42. 109 running. Windows • 130 using Apache Agent • 92 Sun Java System Web Agent Configuration Wizard. 59 SmHost. Windows • 111 reinstalling. tuning • 112 Shut Down LLAWP • 144 SiteMinder Administrator for registering hosts • 12 SmHost. unattended installation • 157.conf Settings That Should Not Be Modified (Windows) • 41 SmInitFile Entry Added • 179 smreghost Registration Tool • 42.0. Windows • 35 description • 39. UNIX • 124 upgrading 4.x Agents. UNIX • 138 upgrading 5.x Agents. 67 using. UNIX • 136 upgrading 4. 59 registering multiple hosts • 45. Windows • 130 upgrading 6.0.properties file. description • 32. Windows • 35 tuning shared memory • 112 uninstalling. Windows • 81 increasing shared memory • 112 reconfiguring.x Agents. 93 Apache.x Web Agent to 6.x QMR 5 on Windows Systems • 132 Upgrade a Web Agent to 6. configuring • 92 IIS.x Web Agent to 6. upgrading • 134 4. Apache Web Server • 35.Uninstall a Web Agent from a UNIX System • 124 Uninstall a Web Agent from a Windows System • 123 Uninstall Documentation from a Windows System • 125 Uninstall Documentation from UNIX Systems • 126 Uninstallation Issues • 148 uninstalling documentation UNIX • 126 uninstalling Web Agent documentation UNIX • 126 Windows • 125 UNIX platforms Agent. 81. Sun Java System Web Agent • 51 reinstalling a Web Agent • 59 Upgrade a 4.x. UNIX platforms • 51 modifying httpd.x.x Web Agents. configuring. Domino Web Agent • 51 installing.x on Windows Systems • 130 Upgrade a 6. configuring • 81 supported UNIX platforms • 11 uninstalling documentation. UNIX • 105 Domino. 140 Apache. upgrading • 130 5. upgrading.x.x Web Agents.x Web Agents. UNIX • 138 5. configuring • 102 IBM HTTP server. UNIX • 59 reinstalling. configuring GUI Mode. 105 accessing. 140 back up custom files • 127 cookie provider redirection differences • 129 forms templates • 128 general procedure • 127 password services templates • 128 pre-upgrade issues • 127 replacing read-only files • 128 running Configuration Wizard. Windows • 130 6.x.x QMR 5 • 127 Upgrade Issues (Windows and UNIX) • 149 Upgrade Tasks and Issues • 127 upgrading 4.x on UNIX Systems • 136 Upgrade a 4.x. configuring • 89. configuring Console Mode. upgrading.conf. Domino Web Server • 102 accessing. results • 128 setting LD_PRELOAD • 128 Use a Supported Operating System • 11 Use Active Directory for Registration Services (Windows Only) • 25 Use Registration Services • 24 Use SiteMinder Password Services • 116 Use the IIS Default Web Site • 15 W Web Agent 4. configuring • 134 Web Agent Configuration Wizard accessing. 89. Apache • 177 reconfiguring. UNIX • 136 5. configuring. upgrading • 132.x Web Agents.x Web Agents. upgrading • 130 5. Windows • 132.x QMR 5 on UNIX Systems • 140 Upgrade a 6.x on UNIX Systems • 138 Upgrade a 5. Stronghold server • 92 configuring an Apache Web Agent • 93 data needed to install Agent • 13 GUI mode installation • 52 installation prerequisites • 11 installing an Agent • 51 installing.x Web Agent to 6. Windows • 35 Sun Java System/Windows. configuring • 77 installing.x on Windows Systems • 134 Upgrade a 5.x QMR x Japanese Agents • 129 4. Windows • 111 reinstalling.x.x Web Agent to 6. GUI mode • 93 Domino. Windows • 125 uninstalling. UNIX • 124 Windows systems. UNIX • 105 Domino/Windows. 77.x Web Agent to 6.x Web Agent to 6. Sun Java System Web • 81 Index 193 . console mode • 93 Apache. UNIX • 138 6. Windows • 134 5. UNIX • 136 4. unattended instal • 164 settings.Web Agent on IIS 6. Sun Java System Web Agent • 29 reinstalling a Web Agent • 35 Sun Java System Web Agent Configuration Wizard.509 client certificate and HTML Forms authentication schemes • 81. configuring • 102 installing.0 Has Size Limit for Uploading Files • 76 Web Agent Start Up and Shut Down Issues (IBM HTTP Server) • 144 web server configuration restarting Windows.509 client certificate or basic authentication schemes • 81. 85 X. 85 194 Web Agent Installation Guide . IIS Web Agent • 29 installing.509 client certificate or HTML Forms authentication schemes • 81. 85 X.509 client certificate and basic authentication schemes • 81. 85 X. 85 X509 Client Certificate authentication scheme • 81. unattended installation • 160 WEB_SERVER_INFO Variables • 161 Windows configuring an IIS Web Agent • 77 Domino Web Agent. acc • 81 uninstalling documentation • 125 Windows platforms configuring an Apache Web Agent • 89 X X. Domino Web Agent • 29 installing.
Copyright © 2024 DOKUMEN.SITE Inc.