Symantec Access Management

  • 1.  CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 11, 2016 10:55 AM

    Hi,

     

    I am trying to install the R12QMR3CR11 version of Siteminder on a Linux operating system (which has Apache version 2.2.15).

     

    Generally, I will perform the registration and configuration manually (without using ca-wa-config.sh script).

     

    For the first time, today I used the script for configuration but I am not getting the expected behavior.

     

    1) While configuring, I got the below section and I chose the value '6', but I am not sure about this. Is there any way to know the Apache Server type?

    2) If we configure the web instance with the help of script, what are the entries which will get updated and in which files it will get updated?

     

    3) Is there any way to unconfigure (without manual removal) after configuring the instance with the help of the script?

     

    4) Assume that my requirement is: Nobody should be able to access the URL http://server1@ca.com/

     

        I have completed all the necessary activities.  But, on launching the URL, I am getting 403 Forbidden from the server and nothing from the siteminder.

    • In the traces, I could see entries but not for [Resolved URL: '/'.] but with [Resolved URL: '/error/noindex.html'.]
    • While checking the redirections with the help of Http Watch, I am not able to find any Siteminder entry on launching the URL. Ideally, it should interrupt the request.
    • On disabling the siteminder, I am getting the default page without any error.

       

         Can anyone please explain the behavior and let me know what I have to do?

     

    Thanks in advance for your help!

     

    Regards,

    Dhilip



  • 2.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 11, 2016 06:06 PM

    Dhilip,

     

    What is your O/S specifically? Is it RedHat, OEL? OpenSUse etc? What version O/S and Bit level?

     

    Option 6 sounds right for this but please provide more info. Is the configuration script locating the server root?

     

    e.g

     

    /etc/httpd ?

     

    The script will write in the httpd.conf and the conf directory where httpd server root is.

     

    When you ran the script, did you do the host registration with the policy server? Was this successful and a trusted host object created in the policy store?

     

    Have you identified the resource to siteminder that the web agent is going to protect or not protect with either a Domain/Realm model or an Application administrative model on the SM WAMUI?

     

    Have you validated the user identified in the httpd.conf has proper permissions on the Siteminder config files in for example

    /opt/CA/webagent

    and /httpdserverrootdirectory/conf/WebAgent.conf and the other SiteMinder conf files here.

     

    I'd recommend setting the ACO parameters for this agent to write the Trace and Agent Log files so you can get a better understanding of what's going on.

     

    Thanks,

    Adam



  • 3.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 12, 2016 01:28 AM

    Hi,

     

    Thanks for your response.

    PFB my feedback for your questions.

     

    OS => Red Hat Enterprise Linux Server release 6.7 (64 bits)

     

    Web server path => /etc/httpd

     

    Host registration => Yes, host registration is successful and Trusted Host Object was created.    

     

    PS configuration => All the PS configurations are completed in WAMUI with Domain/Realm model. In fact, this is the second environment. All the changes are successfully tested in first environment (I performed manual WA configuration there).

     

    Permission => Yes, I confirm that the user has all the necessary permissions and there is no error in the apache error logs.

     

    Traces => I have already enabled the traces but on launching the URI ( / ), I could see entries with (/error/noindex.html) in the traces. But in the Http Watch, I am not getting any siteminder entry.

     

    Regards,

    Dhilip



  • 4.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Broadcom Employee
    Posted Feb 14, 2016 03:48 PM

    Dhilip,

     

    Can you please post the contents of the /etc/sysconfig/httpd file.

     

    I want to verify the proper env variables and library path statement is set.

    thanks,

    Adam



  • 5.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 15, 2016 06:00 AM

    Hi Adam,

     

    Thanks for your response.

     

    I have re-checked and confirm that the env variables and library path have been set correctly as per below.

     

    /etc/sysconfig/httpd       => { .(space)(path of ca_wa_env.sh) }

    httpd.conf file                => PassEnv LD_LIBRARY_PATH

     

    Regards,

    Dhilip



  • 6.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 15, 2016 12:11 AM

    Hi Dhilip,

     

    Here is some input on your questions:

     

    2) If we configure the web instance with the help of script, what are the entries which will get updated and in which files it will get updated?

    R: httpd.conf (contains entries for the Siteminder module), SmHost.conf (should be generated if trusted host registration succeeds), WebAgent.conf

     

    3) Is there any way to unconfigure (without manual removal) after configuring the instance with the help of the script?

    R: Rerun the configuration wizard and follow the same process as for configuring the web agent. The wizard should be able to detect if the agent is configured for the web server and give you an option to unconfigure.

     

    In your case, I think first you need to check the install_config_info folder to check if the installation/configuration logs return any errors. You might not need to unconfigure if everything is fine.

    The 403 error could be some configuration issue. What authentication scheme do you use to protect / ?

    If the web agent trace log was generated, I think the agent startup is fine. Maybe it is some configuration on the policy server. On the ACO, did you provide defaultagentname?

     

    Regards,

    Kar Meng



  • 7.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 15, 2016 05:54 AM

    Hi Kar Meng,

     

    Thanks for your response.

     

    I tried re-running the wizard, but I didn't get any option to unconfigure. So, I have performed the below actions.

     

    1) Took a backup of SmHost.conf.

    2) Commented the siteminder lines(siteminder module, webagent sourcing & library path statement) in the httpd.conf file.

    3) Uninstalled the web agent and deleted the complete Siteminder folder.

    4) Installed the webagent again, restored the SmHost.conf file and uncommented the siteminder lines in httpd.conf file.

     

    But, as expected it is of no use...

     

    As I have already removed the siteminder folder, unfortunately I cannot check the old logs now.

     

    Regarding agentname => yes, the defaultagentname is provided and from the logs I could see that the correct agent (agent for that corresponding application) is being used, but below is the behavior.

     

    • On launching the URI ( /abc ), I could see no entries in the logs. I am getting 403 from the server (the behavior is same even before my activity)

                   Note: 'abc' is a protected resource and the authentication scheme is WinSSO

    • On launching the URI ( / ), I could see entries with (/error/noindex.html) and getting 403 from the server (the behavior is not same as I was getting the default page before my activity)

                   Note:  '/' is a protected resource and the access is denied for everyone by means of global rule.

     

    I don't think this behavior is because of policy server configuration, as generally the changes are just pushed from one environment to the other and it is working fine in the first environment. Could you provide your opinion?

     

    Thanks in advance!

     

    Regards,

    Dhilip



  • 8.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 15, 2016 08:18 PM

    Hi Dhilip,

     

    Thanks for your update. 403 generally means forbidden error.

    At this stage, I assume the web agent has no problem starting up, with web agent logs generated and ACO parameters loaded. Disabling the web agent and accessing /abc returns the result as expected. Correct me if that's incorrect.

    Can you test with the Siteminder test tool (using the same SmHost.conf) to check if accessing resource /abc gives you the expected response? This can help us to isolate if there is any policy server configuration problem. If the Siteminder test tool provides the expected result (meaning isProtected, isAuthenticated, isAuthorized return positive results), then we can focus on the web agent side.

     

    The header trace log, Apache access log, error log, Siteminder web agent log, and web agent trace log will give some hints. As the configuration was working in one environment but not the other, you can compare the differences between the httpd.conf files.

     

    I'm not sure if WinSSO authentication scheme means Windows authentication scheme. If it is the Windows authentication scheme, I would suggest using the default form authentication scheme to simplify the components involved.

     

    Hope this helps.

     

    Regards,

    Kar Meng



  • 9.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 18, 2016 07:59 AM

    Hi Karmeng,

     

    Thanks for your response.

     

    Regarding disabling SM => Yes, we are getting the expected behavior on disabling the siteminder.

     

    Regarding testing with SM test Tool => Actually, policy server configurations will be performed by another team so I cannot test the same.

     

    I feel that the issue is because of some application configuration/permission as we are facing the same issue in the other server (even after performing the manual configuration).

     

    Also, some activity from application team is not yet completed. So, currently I am waiting for that to be completed to continue investigation.

     

    Thanks for your continuous support. Could you please provide your feedback for my first point in the initial mail?

     

    Regards,

    Dhilip



  • 10.  Re: CA Siteminder : WA configuration in Apache Webserver of Linux OS

    Posted Feb 19, 2016 02:06 AM

    Hi Dhilip,

     

    Your first point of initial mail:

     

    1) While configuring, I got the below section and I chose the value '6', but I am not sure about this. Is there any way to know the Apache Server type?

    R: Option 6 is referring to ASF Apache

     

    As for the issue on 403, if you have a working and a non-working environment, comparing the differences in httpd.conf could give you some hints.

     

    Regards,

    Kar Meng
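
The httpd.conf comparison suggested in replies 8 and 10, as an added example that is not part of the original thread or of any CA/Broadcom tooling. It compares only active directives, so a SiteMinder line left commented out after the re-install steps in reply 7 shows up as a difference; the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: diff the ACTIVE directives of two httpd.conf files.
LC_ALL=C; export LC_ALL   # identical collation for sort and comm

# normalize FILE: trim each line, drop comment and blank lines,
# collapse runs of whitespace, then sort so comm can compare.
normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^#/d' -e '/^$/d' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | sort -u
}

# conf_diff WORKING FAILING: print directives active on one side only.
conf_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/only-in-working: /'
    comm -13 "$a" "$b" | sed 's/^/only-in-failing: /'
    rm -f "$a" "$b"
}

# demo: run conf_diff on two constructed sample files (not taken from the thread).
demo() {
    d=$(mktemp -d)
    cat > "$d/working.conf" <<'EOF'
ServerRoot "/etc/httpd"
# library path for the web agent
PassEnv   LD_LIBRARY_PATH
SmInitFile "/etc/httpd/conf/WebAgent.conf"
DirectoryIndex index.html
EOF
    cat > "$d/failing.conf" <<'EOF'
ServerRoot "/etc/httpd"
#PassEnv LD_LIBRARY_PATH
  SmInitFile   "/etc/httpd/conf/WebAgent.conf"
DirectoryIndex index.php
EOF
    conf_diff "$d/working.conf" "$d/failing.conf"
    rm -rf "$d"
}

# With two file arguments compare those; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then conf_diff "$1" "$2"; else demo; fi
```

The script does not follow `Include` directives, so files under the server root's `conf.d` directory need to be compared separately in the same way.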