Configuring and Monitoring SiteMinder Policy Servers eg Enterprise v5.6
Restricted Rights Legend

The information contained in this document is confidential and subject to change without notice. No part of this document may be reproduced or disclosed to others without the prior permission of eg Innovations, Inc. eg Innovations, Inc. makes no warranty of any kind with regard to the software and documentation, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Trademarks

Microsoft Windows, Windows NT, Windows 2000, Windows 2003 and Windows 2008 are either registered trademarks or trademarks of Microsoft Corporation in United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Copyright 2012 eg Innovations, Inc. All rights reserved.
Table of Contents

CONFIGURING AND MONITORING SITEMINDER POLICY SERVERS
CONFIGURING AND MONITORING THE SITEMINDER POLICY SERVER MODEL
   1.1 CONFIGURING A SITEMINDER POLICY SERVER TO WORK WITH THE EG ENTERPRISE SUITE
   1.2 ADMINISTERING THE EG MANAGER TO WORK WITH THE SMPOLICYSERVER
   1.3 MONITORING THE SITEMINDER POLICY SERVER
CONFIGURING AND MONITORING THE SITEMINDER 1VIEW SERVER
   2.1 ADMINISTERING THE EG ENTERPRISE SUITE TO MONITOR THE SITEMINDER 1VIEW SERVER
   2.2 MONITORING THE SITEMINDER 1VIEW SERVER
CONCLUSION
Table of Figures

Figure 1.1: Opening the Siteminder Policy Server Management Console
Figure 1.2: Enabling audit logging
Figure 1.3: Selecting the Siteminder Policy server to be monitored
Figure 1.4: Managing the selected Siteminder Policy server
Figure 1.5: Configuring the SM Admin test
Figure 1.6: Configuring the SM Services test
Figure 1.7: Opening the Siteminder Policy Server Management Console
Figure 1.8: Viewing the service ports
Figure 2.1: Adding the Siteminder 1view server to be monitored
Figure 2.2: A list of unconfigured tests for the Siteminder 1view server
Figure 2.3: Configuring the SM Agent Authentication test
Configuring and Monitoring SiteMinder Policy Servers

SiteMinder is a platform for secure portal, extranet, and intranet management. It meets key authentication, authorization, and personalization requirements for building and managing secure Web sites.

A SiteMinder installation consists of two main components: the SiteMinder Policy Server and the SiteMinder Agent.

The Policy Server manages the access control policies established by an administrator. These policies define which resources are protected and which users or user groups are allowed access to resources. Using policies, administrators can set time constraints on resource availability and IP address constraints on the client attempting access. The Policy Server runs on an NT or UNIX system and performs key security and portal management operations.

To meet the security needs of each environment, the Policy Server supports a range of authentication methods and uses existing directory services to authenticate users. By supporting a wide range of authentication methods, the Policy Server provides flexibility and security for a diverse set of users.

A SiteMinder Agent integrates with a Web server, a Web application server, or a custom application to enforce access control based on pre-defined policies.

eg Enterprise provides different ways of monitoring the SiteMinder environment. For instance, eg agents can be deployed on each of the systems hosting a Web agent. Since every Web agent writes operational statistics to a local log file, the eg agent deployed on a Web agent host parses the log files and reads the desired performance data.

Alternatively, the eg agent can be deployed on the Policy server itself. In this case, the eg agent uses SNMP to draw meaningful performance metrics from a component named SiteMinder OneView Monitor, which is hosted by the Policy server. This component identifies performance bottlenecks and provides information about resource usage in a SiteMinder deployment by collecting operational data from the Policy server and the Web agent. Each machine that hosts a monitored component includes a OneView agent, which sends operational data to the OneView Monitor.

Depending upon the mode of monitoring that best suits their needs, users can adopt either one of the following monitoring models presented by the eg Enterprise suite:

   o the Siteminder Policy model, where monitoring is done by parsing log files, or
   o the Siteminder 1view model, where monitoring is done using the SiteMinder OneView monitor

This document discusses how to configure and monitor both the models.
Chapter 1
Configuring and Monitoring the Siteminder Policy Server Model

1.1 Configuring a Siteminder Policy Server to work with the eg Enterprise suite

To ensure that the eg Enterprise suite extracts the required performance metrics from the Siteminder Policy server model, the audit logging capability of the server needs to be enabled. To achieve this, do the following:

1. Open the "SiteMinder Policy Server Management Console" using the menu sequence depicted by Figure 1.1.

Figure 1.1: Opening the Siteminder Policy Server Management Console

2. Click on the Settings tab to open it.
Figure 1.2: Enabling audit logging

3. In the Audit Logging section present at the bottom of this tab (see Figure 1.2), click on the Audit User Activity and Audit Administrative Activity check boxes.
4. Then, select the Text File option, and specify the full path to the log file that is to be used for audit logging. Ensure that the same path is specified against the PATH parameter of the SmAdminTest, SmAuthTest, and SmAzTest, respectively.
5. Finally, click the Apply button and then the OK button to register the changes.

1.2 Administering the eg Manager to work with the SMPolicyServer

To achieve the above, do the following:

1. Log into the eg administrative interface.
2. If a Siteminder Policy server is already discovered, then directly proceed towards managing it using the COMPONENTS - MANAGE/UNMANAGE page (Infrastructure -> Components -> Manage/Unmanage). However, if it is yet to be discovered, then run discovery (Infrastructure -> Components -> Discover) to get it discovered or add the component manually using the ADD/MODIFY COMPONENTS page (Infrastructure -> Components -> Add/Modify). Remember that components manually added are managed automatically. Discovered components, however, are managed using the COMPONENTS - MANAGE/UNMANAGE page. Figure 1.3 and Figure 1.4 clearly illustrate the process of managing the Siteminder Policy server. For more details on managing components, refer to the Configuring and Monitoring Web Servers document.
Figure 1.3: Selecting the Siteminder Policy server to be monitored

Figure 1.4: Managing the selected Siteminder Policy server

6. Next, try to sign out of the eg administrative interface.
7. A LIST OF UNCONFIGURED TESTS listing the Siteminder tests requiring manual configuration will appear. Click on the SM Admin test to configure it. Doing so will reveal the SM Admin test configuration page (see Figure 1.5).

Figure 1.5: Configuring the SM Admin test

8. In this page, specify the following:
   a. TEST PERIOD - How often should the test be executed
   b. HOST - The host for which the test is to be configured
   c. PORT - The port number of the administration service in the SMPolicyServer
   d. LOGOPTION - The default value of the LOGOPTION parameter is "logfile". This is because the test collects measures by parsing the log files.
   e. PATH - The full path to the log file from which measures are collected. For example, "D:\Progra~1\Netegrity\SiteMinder\Log\smaccess.log". The path specified here should be the same as that specified in the Text File text box of Figure 1.2.
   f. AGENTNAMES - A list of agent names separated by a comma
   g. DETAILED DIAGNOSIS - To make diagnosis more efficient and accurate, the eg Enterprise system embeds an optional detailed diagnostic capability. With this capability, the eg agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular component, choose the On option against DETAILED DIAGNOSIS. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
      o The eg manager license should allow the detailed diagnosis capability
      o Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
9. Finally, click on the Update button of Figure 1.5.
10. Try to sign out of the administrative interface again, and this time, you will be prompted to configure the SM Services test. Clicking on the test name will open the corresponding test configuration page (see Figure 1.6).
Figure 1.6: Configuring the SM Services test

11. The SM Services test measures the availability of the Siteminder Policy server's services, and the time taken by the server for performing authentication and authorization checks. In the test configuration page that appears (see Figure 1.6), specify the following:
   a. TEST PERIOD - How often should the test be executed
   b. HOST - The host for which the test is to be configured.
   c. PORT - The port at which the server listens
   d. TIMEOUT - The duration (in seconds) for which the test should wait for a response from the SMPolicyServer services
   e. AUTHENTICATIONPORT - The port number of the Authentication Service of the SMPolicyServer
   f. AUTHORIZATIONPORT - The port number of the Authorization Service of the SMPolicyServer
   g. ACCOUNTINGPORT - The port number of the Accounting service of the SMPolicyServer
   h. ADMINPORT - The port number of the Administration service of the SMPolicyServer
   i. AGENTNAME - The name of the configured web agent in the policy server user interface
   j. SHAREDSECREAT - The shared secret assigned to the specified web agent
   k. RESOURCE - The resource, which is protected by the above configured web agent and requires username and password for authentication. Example: "/transpolar/inventory/3inventorysignon.htm". While specifying the resource value, ensure that it does not contain the IP address of the host machine. An example for a wrong resource value would be: "http://192.168.10.47/transpolar/inventory/3inventorysignon.htm"
   l. ACTION - The action that needs to be checked. Example: "GET"
   m. USERNAME - A valid USERNAME having permissions for the specified resource and configured action
   n. PASSWORD - The password for the above user
   o. JARFILEPATH - The full path to the directory in which the "smjavaagentapi.jar" file is present
   p. DETAILED DIAGNOSIS - To make diagnosis more efficient and accurate, the eg Enterprise system embeds an optional detailed diagnostic capability. With this capability, the eg agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular component, choose the On option against DETAILED DIAGNOSIS. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
      o The eg manager license should allow the detailed diagnosis capability
      o Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
12. Finally, click on the Update button in Figure 1.6 to register the changes.
13. Sign out of the eg administrative interface.

To know the Administration, Accounting, Authorization, and Authentication ports of the SMPolicyServer, do the following:

1. Open the SiteMinder Policy Server Management Console using the menu sequence depicted by Figure 1.7 below:
Figure 1.7: Opening the Siteminder Policy Server Management Console

2. Click on the Settings tab in the SiteMinder Policy Server Management Console to view the TCP ports of the SMPolicyServer services (see Figure 1.8).
Figure 1.8: Viewing the service ports (callouts in the figure: Admin Port, Authorization Port, Authentication Port, Accounting Port)

1.3 Monitoring the Siteminder Policy Server

To monitor the Siteminder Policy Server, do the following:

1. Log in as a monitor / supermonitor user.
2. Click on the Components option in the menu bar, and select the Servers option from the Components menu.
3. From the COMPONENT LIST, click on the Siteminder Policy Server being monitored.
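The log-parsing approach of section 1.2 (LOGOPTION "logfile", PATH, AGENTNAMES), sketched as an added example that is not eg Enterprise or SiteMinder code: it tallies audit events per agent and reports the reject share. The line layout, event names and sample lines are assumptions constructed for this example; the page does not show the audit file's format.

```python
import re
from collections import Counter, defaultdict

# ASSUMED layout (not taken from the page):
#   <Event> <server> [<timestamp>] "<client-ip> <user>" "<agent> <action> <resource>"
LINE_RE = re.compile(
    r'^(?P<event>[A-Za-z]+) (?P<server>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<client>\S+) (?P<user>[^"]*)" '
    r'"(?P<agent>\S+) (?P<action>\S+) (?P<resource>[^"]*)"'
)

# Constructed sample lines; the last one is deliberately truncated.
SAMPLE_LOG = """\
AuthAccept ps01 [10/Jan/2012:09:15:02 +0000] "192.0.2.10 uid=alice,ou=people" "webagent1 GET /transpolar/inventory/3inventorysignon.htm"
AzAccept ps01 [10/Jan/2012:09:15:02 +0000] "192.0.2.10 uid=alice,ou=people" "webagent1 GET /transpolar/inventory/3inventorysignon.htm"
AuthReject ps01 [10/Jan/2012:09:16:40 +0000] "192.0.2.11 uid=bob,ou=people" "webagent1 GET /transpolar/inventory/3inventorysignon.htm"
AuthReject ps01 [10/Jan/2012:09:16:44 +0000] "192.0.2.11 uid=bob,ou=people" "webagent1 GET /transpolar/inventory/3inventorysignon.htm"
AzReject ps01 [10/Jan/2012:09:17:10 +0000] "192.0.2.12 uid=carol,ou=people" "webagent2 GET /reports/q4.htm"
AuthAccept ps01 [10/Jan/2012:09:18:00 +0000] "192.0.2.13 uid=dave,ou=people" "otheragent GET /index.htm"
this line is truncated [10/Jan/2012
"""

def summarize(log_text, agentnames):
    """Count events per agent for the comma-separated AGENTNAMES value.

    Returns (counts, skipped): counts maps agent -> Counter of event names,
    skipped lists the numbers of lines that did not match the assumed layout.
    """
    wanted = {a.strip() for a in agentnames.split(",") if a.strip()}
    counts = defaultdict(Counter)
    skipped = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped.append(lineno)      # keep malformed lines visible, do not guess
            continue
        if m["agent"] in wanted:
            counts[m["agent"]][m["event"]] += 1
    return counts, skipped

def reject_ratio(counter, prefix):
    """Share of <prefix>Reject among <prefix>Accept + <prefix>Reject events."""
    rejects = counter[prefix + "Reject"]
    total = rejects + counter[prefix + "Accept"]
    return rejects / total if total else 0.0

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG, "webagent1, webagent2")
    for agent, events in sorted(counts.items()):
        print(agent, dict(events),
              "auth reject share: %.2f" % reject_ratio(events, "Auth"),
              "az reject share: %.2f" % reject_ratio(events, "Az"))
    print("unparsed lines:", skipped)
```

A rising reject share for one agent, or a growing count of unparsed lines, is worth alerting on separately: the first points at failed logins or denied access, the second at a log format the parser no longer understands.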
Chapter 2
Configuring and Monitoring the Siteminder 1view Server

2.1 Administering the eg Enterprise suite to Monitor the Siteminder 1view Server

To achieve the above, do the following:

1. Log into the eg administrative interface.
2. If a Siteminder 1view server is already discovered, then directly proceed towards managing it using the COMPONENTS - MANAGE/UNMANAGE page (Infrastructure -> Components -> Manage/Unmanage). However, if it is yet to be discovered, then run discovery (Infrastructure -> Components -> Discover) to get it discovered or add the component manually using the ADD/MODIFY COMPONENTS page (Infrastructure -> Components -> Add/Modify). Remember that components manually added are managed automatically. Discovered components, however, are managed using the COMPONENTS - MANAGE/UNMANAGE page. Figure 2.1 clearly illustrates the process of adding the Siteminder 1view server. For more details on managing components, refer to the Configuring and Monitoring Web Servers document.
Figure 2.1: Adding the Siteminder 1view server to be monitored

3. Next, try to sign out of the eg administrative interface.
4. A LIST OF UNCONFIGURED TESTS listing the SiteMinder tests requiring manual configuration will appear (see Figure 2.2).

Figure 2.2: A list of unconfigured tests for the Siteminder 1view server

5. Click on the SM Agent Authentication test to configure it. This test tracks every critical step in the request authorization cycle of a Web agent, beginning with the Web agent's attempt to log in to the Siteminder 1view server, through the request validation process, and finally, authorization. In the process, it indicates if any serious errors/failures have occurred at any stage.
6. Clicking on the test will reveal the test's configuration page (see Figure 2.3).

Figure 2.3: Configuring the SM Agent Authentication test
7. In this page, specify the following:
   TEST PERIOD - How often should the test be executed
   HOST - The host for which the test is to be configured
   PORT - The port number of the Siteminder 1view server
   SNMPPORT - The port number at which the Siteminder 1view exposes its SNMP MIB. The default is 161.
   SNMPVERSION - By default, the eg agent supports SNMP version 1. Accordingly, the default selection in the SNMPVERSION list is v1. However, if a different SNMP framework is in use in your environment, say SNMP v2 or v3, then select the corresponding option from this list.
   SNMPCOMMUNITY - The SNMP community name that the test uses to communicate with the target device. This parameter is specific to SNMP v1 and v2 only. Therefore, if the SNMPVERSION chosen is v3, then this parameter will not appear.
   USERNAME - This parameter appears only when v3 is selected as the SNMPVERSION. SNMP version 3 (SNMPv3) is an extensible SNMP Framework which supplements the SNMPv2 Framework, by additionally supporting message security, access control, and remote SNMP configuration capabilities. To extract performance statistics from the MIB using the highly secure SNMP v3 protocol, the eg agent has to be configured with the required access privileges; in other words, the eg agent should connect to the MIB using the credentials of a user with access permissions to the MIB. Therefore, specify the name of such a user against the USERNAME parameter.
   AUTHPASS - Specify the password that corresponds to the above-mentioned USERNAME. This parameter once again appears only if the SNMPVERSION selected is v3.
   CONFIRM PASSWORD - Confirm the AUTHPASS by retyping it here.
   AUTHTYPE - This parameter too appears only if v3 is selected as the SNMPVERSION. From the AUTHTYPE list box, choose the authentication algorithm using which SNMP v3 converts the specified USERNAME and PASSWORD into a 32-bit format to ensure security of SNMP transactions. You can choose between the following options:
      o MD5 - Message Digest Algorithm
      o SHA - Secure Hash Algorithm
   ENCRYPTFLAG - This flag appears only when v3 is selected as the SNMPVERSION. By default, the eg agent does not encrypt SNMP requests. Accordingly, the ENCRYPTFLAG is set to NO by default. To ensure that SNMP requests sent by the eg agent are encrypted, select the YES option.
   ENCRYPTTYPE - If the ENCRYPTFLAG is set to YES, then you will have to mention the encryption type by selecting an option from the ENCRYPTTYPE list. SNMP v3 supports the following encryption types:
      o DES - Data Encryption Standard
      o AES - Advanced Encryption Standard
   ENCRYPTPASSWORD - Specify the encryption password here.
   CONFIRM PASSWORD - Confirm the encryption password by retyping it here.
   SNMPCOMMUNITY - The community string of the Siteminder 1view server
   TIMEOUT - The duration (in seconds) for which this test will wait for a response from the Siteminder 1view server; beyond the stated period, the test will time out; the default period is 30 seconds.
8. Finally, click on the Update button of Figure 2.3.
9. Sign out of the eg administrative interface.

2.2 Monitoring the Siteminder 1view Server

To monitor the Siteminder 1view server, do the following:

1. Log in as a monitor / supermonitor user.
2. Click on the Components option in the menu bar, and select the Servers option from the Components menu.
3. From the COMPONENT LIST, click on the Siteminder 1view server being monitored.
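The SNMP choices of section 2.1 differ widely in what they protect, and the defaults (v1, ENCRYPTFLAG NO) are the weakest. The added example below, which is not part of eg Enterprise, reviews one set of SM Agent Authentication test parameters and lists the weak settings; parameter names are the page's, while the severities, the 8-character password floor (the minimum SNMPv3 implementations commonly enforce) and the sample values are this example's assumptions.

```python
# Added example: review the SNMP parameters of the SM Agent Authentication test.
# Parameter names are from the page; rules and severities are this example's own.

def audit_snmp_params(p):
    """Return a list of (severity, message) findings for one test configuration."""
    version = p.get("SNMPVERSION", "v1").lower()          # page: v1 is the default
    findings = []

    if version in ("v1", "v2", "v2c"):
        # v1/v2 carry the community string and all data unencrypted.
        findings.append(("high", "SNMP %s: community string and data are sent in cleartext" % version))
        if p.get("SNMPCOMMUNITY", "").lower() in ("public", "private"):
            findings.append(("high", "SNMPCOMMUNITY is a well-known default value"))
        return findings
    if version != "v3":
        return [("high", "unknown SNMPVERSION %r" % version)]

    auth_pass = p.get("AUTHPASS", "")
    if not p.get("USERNAME"):
        findings.append(("high", "v3 selected but USERNAME is empty"))
    if len(auth_pass) < 8:                                # assumed floor, see lead-in
        findings.append(("high", "AUTHPASS is shorter than 8 characters"))
    if p.get("AUTHTYPE", "").upper() == "MD5":
        findings.append(("medium", "AUTHTYPE is MD5; select SHA"))

    if p.get("ENCRYPTFLAG", "NO").upper() != "YES":       # page: NO is the default
        findings.append(("high", "ENCRYPTFLAG is NO: requests are authenticated but not encrypted"))
        return findings

    enc_pass = p.get("ENCRYPTPASSWORD", "")
    if p.get("ENCRYPTTYPE", "").upper() == "DES":
        findings.append(("medium", "ENCRYPTTYPE is DES; select AES"))
    if len(enc_pass) < 8:
        findings.append(("high", "ENCRYPTPASSWORD is shorter than 8 characters"))
    elif enc_pass == auth_pass:
        findings.append(("low", "ENCRYPTPASSWORD reuses AUTHPASS"))
    return findings

# Constructed sample configurations (all values are placeholders).
AS_SHIPPED = {"SNMPVERSION": "v1", "SNMPCOMMUNITY": "public"}
V3_NO_PRIVACY = {"SNMPVERSION": "v3", "USERNAME": "egmonitor",
                 "AUTHPASS": "placeholder-auth-pass", "AUTHTYPE": "MD5"}
HARDENED = {"SNMPVERSION": "v3", "USERNAME": "egmonitor",
            "AUTHPASS": "placeholder-auth-pass", "AUTHTYPE": "SHA",
            "ENCRYPTFLAG": "YES", "ENCRYPTTYPE": "AES",
            "ENCRYPTPASSWORD": "placeholder-priv-pass"}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED),
                      ("v3 without encryption", V3_NO_PRIVACY),
                      ("hardened", HARDENED)):
        print(name)
        for severity, message in audit_snmp_params(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```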
Chapter 3
Conclusion

This document has described in detail the steps for configuring and monitoring the Siteminder Policy Servers. For details of how to administer and use the eg Enterprise suite of products, refer to the user manuals.

We will be adding new measurement capabilities to future versions of the eg Enterprise suite. If you can identify new capabilities that you would like us to incorporate in the eg Enterprise suite of products, please contact support@eginnovations.com. We look forward to your support and cooperation. Any feedback regarding this manual or any other aspects of the eg Enterprise suite can be forwarded to feedback@eginnovations.com.