CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 19th April 2017
The scope of this document is to provide the steps needed to configure CA Single Sign-On R12.52 SP1 to protect the CA PAM ‘Global Settings’ page, using CA Directory as the user store.
Step 1 - CA Single Sign-On: Administrative UI >> Infrastructure >> Agents >> Agent
Create an Agent object.
Step 2 - CA Single Sign-On: Administrative UI >> Infrastructure >> Agents >> Agent Configuration Objects
Create an Agent Configuration Object as a copy of ‘ApacheDefaultSettings’, updating the DefaultAgentName, HttpsPorts, GetPortFromHeaders and LogoffUri parameters.
Step 3 - CA Single Sign-On: Administrative UI >> Infrastructure >> Authentication >> Authentication Schemes
Create an HTML Form authentication scheme referencing pamlogin.fcc.
Step 4 - CA Single Sign-On: Administrative UI >> Infrastructure >> Directory >> User Directories
Create a User Directory object referencing the CA Directory instance.
Step 5 - CA Single Sign-On: Administrative UI >> Infrastructure >> Hosts >> Host Configuration Objects
Create a Host Configuration Object referencing the Policy Server.
Step 6 - CA Single Sign-On: Administrative UI >> Policies >> Applications
Create an Application and associate the User Directory created in Step 4 with the Application.
Create a Component to protect the ‘Global Settings’ page and associate the authentication scheme created in Step 3 with the Component.
Create Resources with the GET and POST actions.
Create Roles that include all the users who are allowed to access the protected resources.
Create Policies to associate the Roles with the Resources.
Step 7 - CA PAM: Config >> CA Modules
Define the CA Single Sign-On configuration.
Step 8 - Save the configuration and restart Apache.
Troubleshooting
To disable CA Single Sign-On, you can disable it from the Utility Console (VMware OVA appliance)
OR disable it from CA PAM: Config >> CA Modules.
If you get a blank page after the CA Single Sign-On login, or the CA Single Sign-On login page does not respond, ensure that you logged in to CA PAM using the CA PAM server’s FQDN.
Error:
Registration failed. Host config object not found.
Resolution:
Ensure that the Host Configuration Object value defined in CA PAM matches the Host Configuration Object name defined in CA Single Sign-On and the object still exists in CA Single Sign-On.
Error:
‘Login failed: unknown reason’ (from CA PAM Client) OR ‘Internal Server Error’ (from web browser UI) after Apache restart for CA Single Sign-On integration.
Resolution:
Ensure that the Agent Configuration Object value defined in CA PAM matches the Agent Configuration Object name defined in Step 2 and the object still exists in CA Single Sign-On.
Error:
‘Checking for update failed. Reason: Server returned HTTP response code: 500 for URL: https://<PAM_FQDN>/client/structure.php?os=win’ (from CA PAM Client) OR ‘Internal Server Error’ (from web browser UI) when users attempt to access CA PAM with CA Single Sign-On integration enabled.
Resolution:
Ensure that CA Single Sign-On Policy Server is up and running.
Error:
Registration failed. A trusted host with the same name already exists.
Resolution:
This usually happens when you have disabled CA Single Sign-On and then attempt to re-enable it (with the same settings as before) from CA PAM.
Define a different Trusted Host Name
OR delete the existing Trusted Host from CA Single Sign-On: Administrative UI >> Infrastructure >> Trusted Hosts before saving the CA Single Sign-On configuration.