Integrating Host Access Management and Security Server with SiteMinder or CA Single Sign-On

  • 7021600
  • 01-Nov-2011
  • 02-Mar-2018

Environment

Host Access Management and Security Server version 12.2 or higher
Reflection for the Web (All Editions) 12.2

Situation

If you use SiteMinder version 4.0 or higher to administer single sign-on authentication for multiple applications, you can integrate Host Access Management and Security Server, Reflection for the Web 2014, or Reflection Security Gateway 2014 with your SiteMinder installation. This technical note describes the steps to install and configure SiteMinder and these products so that they work together to provide user authentication.

For integration with Reflection ZFE 2.0, see KB 7021344.

Resolution

Reflection for the Web or Reflection Security Gateway and SiteMinder

When you integrate SiteMinder with your Host Access Management and Security Server (MSS), Reflection for the Web 2014, or Reflection Security Gateway 2014 products, you can leverage SiteMinder’s single sign-on capabilities to authenticate your users. You can also configure additional authorization in MSS to restrict access to sessions.

Complete these steps to integrate MSS and SiteMinder:

1. Install or Enable IIS v6 or Higher

Refer to your Windows help documentation for instructions on how to install or enable IIS. IIS must be installed on the same machine where MSS is installed.

2. Install a SiteMinder Web Agent

Install a SiteMinder Web Agent on the same machine as the MSS server. The Web Agent can be configured to provide security for IIS. Refer to the SiteMinder documentation for detailed information about Web Agent installation and configuration.

3. Install MSS and Integrate with IIS

Install the MSS server. Follow the steps in the Reflection Installation Guide, which is available from these locations:

  • In the root directory of the downloaded MSS package (PDF)
  • On the Attachmate support site:

The automated installer for Reflection detects if IIS is installed on your machine and offers to integrate IIS with Reflection. Select the option to integrate Reflection with IIS. If you used the archive file to install Reflection, run the Reflection IIS Integration Utility before configuring access control for SiteMinder.

4. Add SiteMinder Libraries to MSS

SiteMinder provides two different Agent libraries that are compatible with Reflection. Add one of the following in your Reflection installation:

  • Java JNI Agent. This option is composed of a JAR file and several native modules, which are available on a Web Agent installation. Copy the following file from the SiteMinder Web Agent installation to the Reflection Server installation, as follows:

Copy: <Web Agent dir>\java\smjavaagentapi.jar

To: <Reflection dir>\apache-tomcat\webapps\rweb\WEB-INF\lib

Also, ensure that the SiteMinder Web Agent “bin” directory is included in the operating system's PATH variable.

  • Pure Java Agent. This option is composed only of JAR files, which are available on the SiteMinder SDK. Copy the following JAR files from the SiteMinder SDK to the MSS Server installation, as follows:

Copy these files:

<SDK dir>\java[64]\smagentapi.jar
<SDK dir>\java\crypto.jar

To (depending on your product and version):

MSS 12.3: server\web\webapps\mss\WEB-INF\lib

MSS 12.2: apache-tomcat\webapps\mss\WEB-INF\lib

Prior versions: apache-tomcat\webapps\rweb\WEB-INF\lib

Paths are relative to the root of the product’s installation directory.

After adding one of the agent libraries, restart the servlet runner for the MSS Server.

5. Configure SiteMinder

You must create a new security realm for MSS content. Add or edit a rule for the realm so that the effective resource is accessible to clients:

MSS: <agent name>/mss*

Prior versions: <agent name>/rweb

SiteMinder users must be authorized for GET and POST actions against the resource.

6. Configure a path to SiteMinder libraries in MSS

By default, the path value in MSS for the native SiteMinder Web Agent libraries resolves to: C:\Program Files\CA\webagent\win64\bin

If the path value for the SiteMinder libraries is different for your system, then update this value in the property named wrapper.java.library.path.2 in the file container.conf, found in the MSS\server\conf directory. When updating this value, note that the path separator character is a forward slash. After the value is modified, you need to restart the MSS server for the changes to take effect.
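A preflight check for steps 4 and 6, as an added example (not part of the original technical note or any vendor tooling). The `$MssRoot` default is an assumed installation root; the directory names, JAR names and property name are the ones given in this note.

```powershell
# Added example: verifies the library placement (step 4) and library path (step 6).
# $MssRoot is an assumed install root; set it and $Version for your system.
param(
    [string]$MssRoot     = 'C:\Program Files\MSS',                    # assumption
    [string]$WebAgentBin = 'C:\Program Files\CA\webagent\win64\bin',  # default from step 6
    [ValidateSet('12.4','12.3','12.2','prior')][string]$Version = '12.3'
)

# Library directories listed in this note, relative to the installation root.
# The 12.4 entry is the one the Troubleshooting section gives for smjavaagentapi.jar.
$libDirs = @{
    '12.4'  = 'server\services\shared\lib'
    '12.3'  = 'server\web\webapps\mss\WEB-INF\lib'
    '12.2'  = 'apache-tomcat\webapps\mss\WEB-INF\lib'
    'prior' = 'apache-tomcat\webapps\rweb\WEB-INF\lib'
}
$lib = Join-Path $MssRoot $libDirs[$Version]

# Step 4: either the JNI agent JAR or both Pure Java agent JARs should be present.
$jni  = Test-Path (Join-Path $lib 'smjavaagentapi.jar')
$pure = (Test-Path (Join-Path $lib 'smagentapi.jar')) -and (Test-Path (Join-Path $lib 'crypto.jar'))
if ($jni -and $pure) { Write-Warning "Both agent libraries found in $lib; the note says to add one." }
elseif (-not ($jni -or $pure)) { Write-Warning "No SiteMinder agent library found in $lib." }

# Step 4 (JNI agent only): the Web Agent bin directory must be on PATH.
$entries = $env:PATH -split ';' | ForEach-Object { $_.Trim().TrimEnd('\') }
if ($jni -and ($entries -notcontains $WebAgentBin.TrimEnd('\'))) {
    Write-Warning "$WebAgentBin is not on PATH."
}

# Step 6: wrapper.java.library.path.2 should use forward slashes and point to a real directory.
# This check assumes the value is a literal path with no variables in it.
$conf = Join-Path $MssRoot 'server\conf\container.conf'
$hit  = Select-String -Path $conf -Pattern '^\s*wrapper\.java\.library\.path\.2\s*=\s*(.+)$' `
            -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $hit) { Write-Warning "wrapper.java.library.path.2 not found in $conf." }
else {
    $value = $hit.Matches[0].Groups[1].Value.Trim()
    if ($value -match '\\') { Write-Warning "Use forward slashes in wrapper.java.library.path.2: $value" }
    if (-not (Test-Path ($value -replace '/', '\'))) { Write-Warning "Path does not exist: $value" }
}
```

No warnings means the files and path are where this note expects them; the MSS server still needs a restart after any change.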

7. Configure Authentication in MSS

Authentication is configured in the Administrative WebStation.

  1. Using a web browser, open the MSS Administrative WebStation. Example URL: http://msshost/mss/AdminStart.html
  2. In the left navigation bar under Activities, click Access Control Setup and then click Configure.
  3. On the Choose Authentication Method page, select SiteMinder and then click Next.

Note: If the SiteMinder option is disabled and its label includes the message “See Help to enable”, then the SiteMinder Java Agent library has not been detected in the classpath for the MSS Server. To resolve this, review the directions in Step 4: Add SiteMinder Libraries to MSS.

  4. On the Setup MSS for SiteMinder page, complete the options. Click Help in the Administrative WebStation for a description of the various options.
  5. Review and confirm your selections on the Confirm Access Control Setup page and click Save Settings.

Troubleshooting

Error: Failed to initialize SiteMinder libraries

If you receive the error "Failed to initialize SiteMinder libraries" while configuring authentication, it may be due to a version conflict between SiteMinder binaries.

To resolve this issue, locate the file smjavaagentapi.jar in your SiteMinder Web Agent installation, and copy it to the web application’s “lib” directory. The location can vary based on product and version. Paths below are relative to the root of the product’s installation directory.

MSS 12.4: server\services\shared\lib

MSS 12.3: server\web\webapps\mss\WEB-INF\lib

MSS 12.2: apache-tomcat\webapps\mss\WEB-INF\lib

Prior versions: apache-tomcat\webapps\rweb\WEB-INF\lib

Once the file has been copied, restart the MSS Server.

Note: Users must first authenticate using SiteMinder before they can access Reflection for the Web sessions. The SiteMinder web agent downloads a cookie to each user's browser memory, which authenticates them for that browser session only.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2591.