Tuesday Tip by Robert Phillips, Senior Support Engineer, for 5-29-12
There are many online documents about setting up a certificate keystore. This note assumes that the SiteMinder administrator has already set up the keystore and successfully imported the required certificate(s). It covers only how to enable SSL on the JBoss deployment bundled with the AdminUI, and how to change the SSL port if the customer so desires.
Assumptions here are as follows:
* SiteMinder version in use: R12 SPX
* AdminUI installed using default directory: /opt/CA/siteminder/adminui
* AdminUI is already working on port : 8080
* SM Administrator has certificates imported to properly set up keyStore.
Enable SSL:
-------------
1) The SSL connector is disabled by default in the deployed server.xml file.
The default server.xml file is located in the following directory:
/opt/CA/siteminder/adminui/server/default/deploy/jboss-web.deployer/server.xml
There are two (2) Connector sections in this XML file; the second is commented out and looks like the following:
<!-- ENABLE SSL
<Connector
protocol="HTTP/1.1"
address="${jboss.bind.address}"
port="8443"
SSLEnabled="true"
scheme="https"
secure="true"
emptySessionPath="true"
enableLookups="true"
maxPostSize="0"
acceptCount="100"
connectionTimeout="20000"
minSpareThreads="5"
maxSpareThreads="75"
keystoreFile="${javax.net.ssl.keyStore}"
keystorePass="${javax.net.ssl.keyStorePassword}"
keystoreType="${javax.net.ssl.keyStoreType}"
truststoreFile="${javax.net.ssl.trustStore}"
truststoreType="${javax.net.ssl.trustStoreType}"
truststorePass="${javax.net.ssl.trustStorePassword}" />
ENABLE SSL -->
Note: The comment tags around this connector disable it. You must remove these tags to enable the SSL connector.
2) This SSL connector references variables that hold the values for the key store and trust store.
The customer may either hard-code the values here, or set them in the configuration file, from which they are passed to server.xml at startup. (Beware: in R12 SP2 a bug transposed the keyStoreType and keyStorePassword values when they were passed from the config file to server.xml; this was fixed in R12 SP3.)
If the customer chooses to hard-code the values here, you are done enabling SSL. After a restart you should be able to access https://hostname:8443/iam/siteminder/adminui
To configure the values in setup.sh so that they are passed to server.xml, edit:
/opt/CA/siteminder/adminui/bin/setup.sh and enter the keystore location, password, type, etc.
The above file is called by the run.sh script when you start the AdminUI.
Change SSL Port for AdminUI:
-----------------------------------------
1) Change the port that will be used for SSL (let's say we want to use 98443 as the new port).
The configuration file for this is located in the following directory:
/opt/CA/siteminder/adminui/conf/service-bindings.xml
The important line here:
<binding name="secureConnector" host="R12SP3WUx64" port="8443" />
You are interested in changing the "secureConnector" listening port; change it to the new value:
<binding name="secureConnector" host="R12SP3WUx64" port="98443" />
Once you change this, your AdminUI will listen for SSL connections at https://hostname:98443/iam/siteminder/adminui
Next, you must tell the server to use this port for SSL.
2) Update /opt/CA/siteminder/adminui/server/default/deploy/jboss-web.deployer/server.xml
Change the default ports in server.xml as follows:
In the first (original) Connector section, update the redirect port. The redirect port tells the Tomcat server which secure port to send a client to when a request that requires HTTPS arrives on the default HTTP port (8080); by default that is 8443. Update it to the new port, 98443:
redirectPort="8443"
update this to:
redirectPort="98443"
In the second SSL Connector section you will want to update the following port:
port="8443"
to the new port:
port="98443"
Restart the AdminUI. Load https://hostname:98443/iam/siteminder/adminui
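Because the procedure above touches the same port in three places (the SSL connector's port, the HTTP connector's redirectPort, and the secureConnector binding), a quick consistency check before restarting saves a failed startup. The following is an added example, not CA-supplied code: it parses constructed fragments of server.xml and service-bindings.xml (using 9443 as a sample new port) and reports an SSL connector still inside the ENABLE SSL comment, disagreeing ports, a port outside 1-65535, or a keystore password hard-coded in server.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the SSL connector is enabled and moved to
# 9443, but redirectPort on the HTTP connector was left at the old 8443.
SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8080" redirectPort="8443" />
  <Connector protocol="HTTP/1.1" port="9443" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="${javax.net.ssl.keyStore}"
             keystorePass="${javax.net.ssl.keyStorePassword}" />
</Service></Server>"""

# Constructed service-bindings.xml fragment already pointing at the new port.
BINDINGS_XML = """<service-bindings>
  <binding name="secureConnector" host="adminui-host" port="9443" />
</service-bindings>"""


def check_ssl_config(server_xml: str, bindings_xml: str) -> list:
    """Return human-readable findings; an empty list means the files agree."""
    findings = []
    # A connector wrapped in the ENABLE SSL comment is invisible to the XML
    # parser, so detect the comment marker in the raw text first.
    if re.search(r"<!--\s*ENABLE SSL", server_xml):
        findings.append("SSL connector is still inside the ENABLE SSL comment")
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled") == "true"]
    if not ssl:
        findings.append("no SSLEnabled connector found in server.xml")
        return findings
    ssl_port = ssl[0].get("port", "")
    if not (ssl_port.isdigit() and 1 <= int(ssl_port) <= 65535):
        findings.append(f"SSL port {ssl_port!r} is not a valid TCP port")
    # Every plain HTTP connector must redirect to the SSL connector's port.
    for c in connectors:
        if c.get("SSLEnabled") != "true" and c.get("redirectPort") != ssl_port:
            findings.append(f"redirectPort {c.get('redirectPort')} != SSL port {ssl_port}")
    binding = ET.fromstring(bindings_xml).find(".//binding[@name='secureConnector']")
    if binding is None or binding.get("port") != ssl_port:
        findings.append("secureConnector binding does not match the SSL connector port")
    # A literal password here means it was hard-coded instead of set in setup.sh.
    pw = ssl[0].get("keystorePass", "")
    if pw and not pw.startswith("${"):
        findings.append("keystorePass is hard-coded in server.xml")
    return findings


if __name__ == "__main__":
    for line in check_ssl_config(SERVER_XML, BINDINGS_XML) or ["OK: SSL settings agree"]:
        print(line)
```

Run it against the live files by reading them into the two arguments; an empty result means the three port settings agree and the connector is active.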