Symantec Access Management

  • 1.  Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 11:22 AM
    Hi all,

    I've been googling like mad but not getting anywhere with my "issue" and I wondered if anyone could point me in the right direction.

    I am running a pair of websites under Apache 2.2.22 (let's say domain1.com and domain2.com) on a single server, under a single IP/port. I'm using virtual hosts on the domain name to separate the traffic as required.

    Both sites are protected using SiteMinder, with all urls under /secure/ protected (that's the same for both web sites) and all other content public.

    We have set up separate policies in SiteMinder for each URL (partly because to start with these sites were on independent servers but now have to reside on the one box), and are running a single web agent on the Apache server. We also have a desktop SSO config running too.

    I'm stuck as to how to configure Apache to make this work.

    I'm set up as follows:
    httpd.conf - no modules being loaded there, but this includes two additional conf files - one for vhosts and one for the SM web agent config (smwa.conf).
    The smwa.conf file loads the Apache modules in and also contains an SmInitFile directive that points at a default WebAgent.conf file.
    The default WebAgent.conf file contains the AgentConfigObject directive that points at one of my two policies (aco-domain1.com) as a default. I am not using the agentname directive.
    The vhosts conf contains additional SmInitFile directives for each vhost that point to their own copy of WebAgent.conf (e.g. WebAgent.conf.domain1), which are copies of the main WebAgent.conf file but with their matching ACOs.

    The issue I am getting is an inconsistency in which policy kicks in for each site. They both point to independent login pages, but I find that domain1.com sometimes points to its own login page and other times it points to the domain2.com login page. There doesn't seem to be any pattern to this either.

    I've tried things like
    - not including the SmInitFile in smwa.conf or not having the default ACO in the default WebAgent config file, but the result is that the first one to load (based on what site I hit first) becomes the one all sites use
    - not having the default WebAgent file, but Apache and the web agent will not start
    - not defining the ACO in the default WebAgent file,

    Has anyone done anything similar and can advise or can anyone point me in the direction of any example configs online?

    Thanks!


  • 2.  RE: Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 11:32 AM
    So I'm assuming you have two different agent objects, one for each site.

    In the single ACO that is being used by that Apache server you need to add the AgentName parameter as a multivalued parameter and set it:

    Agent1, domain1.com
    Agent2, domain2.com

    Then your policies should map so that agent1 is protecting the resources for domain1 and agent2 is protecting the resources for domain2.

    By using Agent Identities you are telling the agent that when a request comes in for domain1.com it is for Agent1, etc.

    You may also want to search for Agent Identities in the documentation; it gives a full explanation, rather than my quick and dirty.


  • 3.  RE: Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 12:05 PM
    Hi,

    That's a quick reply!

    Yes I have two agent config objects, one for each domain. So your recommendation is to use a single ACO, apply that to the WebAgent (dropping all the vhost-specific messing about) but define it to use the two agents from my policies. Correct?

    I'll read up on Agent identities for sure.

    Thanks again!


  • 4.  RE: Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 12:11 PM
    Almost Ben,

    You will still need the vhosts for Apache to map to the two different servers, but a single Apache instance will share the single agent configuration object, so don't worry about specifying agent info relative to the vhosts. The agent is at the Apache level, not the vhost level.

    That is where the agent identities come into play. Just like Apache maps the vhosts based on the incoming domain, the agent will do the same thing.

    So in the end you have Apache with two vhosts using a single Agent Config Object. That single agent config object references two agent identities, one for each vhost, using the AgentName parameter. Those Agent identities refer to individual Agent Objects.

    J


  • 5.  RE: Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 12:32 PM
    Got it... I'm hassling my SM team now and seeing what we can do.. I'll update once I get somewhere.

    Once again - many thanks,


  • 6.  RE: Configuring SiteMinder, Apache and VirtualHosts

    Posted May 29, 2013 03:42 PM
    Hi Ben,

    There are a few different ways to accomplish this, but here is a good start:


    1.) Typically you have something like this in your httpd.conf for the virtual instance:

    NameVirtualHost 192.168.1.203:81
    <VirtualHost 192.168.1.203:81>
    DocumentRoot /www/docs/sample.newDomain.com
    ServerName sample.newDomain.com
    </VirtualHost>


    ...IPv6 addresses must be specified in square brackets because the optional port number could not be determined otherwise. An IPv6 example is shown below:
    <VirtualHost [2001:db8::a00:20ff:fea7:ccea]:81>


    2.) The WebAgent.conf for the Apache server needs to be edited. This file needs to be edited in order to create another agent identity for the virtual server to be protected by SiteMinder.

    agentname="apache2,192.168.1.203"

    In your ACO (Agent Configuration Object) on the Policy Server, you can have “apache” defined for the “defaultagentname”.

    3.) In the SiteMinder Policy Server User Interface, create a new Agent for the new agent identity “apache2”. The IP addresses and Agent Name must be identical to what is specified in the WebAgent.conf and httpd.conf.

    4.) For the virtual server that needs to be protected by SiteMinder, a new realm should be created.

    5.) Restart the web server for the changes to take effect.

    Regards,
    Peter
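
The agent-identity mapping described in replies 2, 4 and 6 can be checked against the Apache vhost file before a restart. The script below is an added example, not code from any poster or from the product: it assumes a simplified model in which a request host with no exact AgentName entry is handled under DefaultAgentName, and the vhost file, AgentName values and default name are constructed samples.

```python
import re

# Constructed sample inputs modelled on the thread, not a real deployment.
VHOSTS_CONF = """
<VirtualHost *:80>
    ServerName domain1.com
    ServerAlias www.domain1.com
</VirtualHost>
<VirtualHost *:80>
    ServerName domain2.com:80
</VirtualHost>
"""
ACO_AGENTNAME = ["Agent1,domain1.com", "Agent2,domain2.com"]  # "agent,host" values
DEFAULT_AGENT = "apache"  # assumed DefaultAgentName value


def vhost_names(conf):
    """Every ServerName/ServerAlias host, lower-cased, with any :port removed."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", conf, re.M | re.I):
        names += [re.sub(r":\d+$", "", h.lower()) for h in m.group(1).split()]
    return names


def identity_map(entries):
    """Parse "agent,host" entries into {host: agent}, rejecting bad entries."""
    mapping = {}
    for entry in entries:
        agent, sep, host = (p.strip() for p in entry.partition(","))
        host = host.lower()
        if not (agent and sep and host):
            raise ValueError(f"malformed AgentName entry: {entry!r}")
        if mapping.setdefault(host, agent) != agent:
            raise ValueError(f"{host} is mapped to two different agents")
    return mapping


def audit(conf, entries, default_agent):
    """Return {host: (agent, explicitly_mapped)} for every vhost name."""
    mapping = identity_map(entries)
    return {h: (mapping.get(h, default_agent), h in mapping)
            for h in vhost_names(conf)}


def unmapped(conf, entries, default_agent):
    """Hosts that would be handled under the default agent identity."""
    return sorted(h for h, (_, ok) in audit(conf, entries, default_agent).items()
                  if not ok)


if __name__ == "__main__":
    for host, (agent, ok) in audit(VHOSTS_CONF, ACO_AGENTNAME, DEFAULT_AGENT).items():
        print(f"{host:20} -> {agent}{'' if ok else '  (default agent, no entry)'}")
```

In the sample, the `www.domain1.com` alias has no AgentName entry, so under this model it would be evaluated against the default agent's policies rather than Agent1's.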