Agent on IIS
Review the support matrix from CA for the release you install.
Check compatibility for the SiteMinder release you would like to install on IIS.
Before beginning the installation and configuration, it is advisable to do the necessary configuration in WAMUI.
It is highly recommended to follow the documentation first.
Installation
1. Copy your binary (the .exe file for the agent) from your local machine to the server (technically, stage the binaries on the server).
2. Right-click it and select “Run as Administrator”.
3. The installation process will begin.
4. Click Next to continue.
5. Scroll down and click agree.
6. Change the install directory (depending on the client's default installation location).
7. Review and finish the installation.
8. Restart your web server.
Navigate to CA_SiteMinder_Web_Agent_Install.log under install_config_info to confirm that there were no errors or warnings during the installation.
Assign full permissions to the log files so that the logs can be written when a user tries to access the application after configuration.
Right-click – Properties – Security – click the user name or group and give full control.
Configuration
Make sure you have these ready before you start the configuration:
1. Name of the trusted host we would like to register with the Policy Server
2. Admin username and password (account of the administrator who has the right to register the trusted host with the Policy Server)
3. HCO (Host Configuration Object)
4. IP addresses of the Policy Servers
5. ACO (Agent Configuration Object)
Once you have gathered all your requirements, you can start the configuration of the agent.
1. Locate the Web Agent Configuration Wizard from the Start menu (it appears only after the server is restarted)
Or
Navigate to ca-wa-config.exe
Generally WebagentHome\win64\install_config_info\ca-wa-config.exe
Use win64 or win32 depending on the system type (whether it is a 32-bit or a 64-bit operating system).
2. Right-click and run as administrator.
3. You can do the host registration now or later (but it must be done, because the agent needs to talk to the Policy Server).
4. Now give the credentials of the admin who has the rights to register trusted hosts.
5. Specify any name as the Trusted Host Name (you will see this under trusted hosts in WAMUI after configuration).
Specify the HCO as created in WAMUI.
6. Specify the IP addresses of the Policy Servers.
7. Select the FIPS mode setting. In general we prefer FIPS Compatibility Mode.
8. Specify the path and file name to store the host configuration information. By default the file name is SmHost.conf.
The trusted host is thus registered with the Policy Server. Since we registered our host as a trusted host, the agent can talk to the Policy Server.
There are some common errors when registering a trusted host.
You might get the error: Registration failed
Probable reasons:
You might have entered wrong information (check your admin user name and password and the Policy Server IP address).
If you enter a host name that already exists in the Policy Server, an error message is returned saying that a trusted host with this name already exists.
If everything you entered is correct, telnet to the Policy Server on any of the ports 44441, 44442, 44443 from the host server.
If that doesn’t work, there might be a firewall issue that does not allow the host to communicate with the Policy Server. Open a firewall request to fix this issue.
Eg: telnet hostname 44441 (from command prompt)
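The telnet check above can be run against every Policy Server and all three ports in one pass. The script below is an added example, not part of the original write-up or of the SiteMinder tooling; it assumes PowerShell 5.1 or later on the agent host, and the IP addresses and function names are placeholders.

```powershell
# Added example. Addresses are placeholders from the documentation range;
# replace them with the Policy Server IPs you give the configuration wizard.
$PolicyServers = @('192.0.2.10', '192.0.2.11')
$Ports         = 44441, 44442, 44443

function Test-PolicyServerPort {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connect attempt failed
        if ($client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) { 'Open' } else { 'TimedOut' }
    } catch {
        $cause = $_.Exception.GetBaseException()
        if ($cause -is [System.Net.Sockets.SocketException]) { [string]$cause.SocketErrorCode }
        else { $cause.Message }
    } finally {
        $client.Close()
    }
}

function Get-PolicyServerReachability {
    param([string[]] $Servers, [int[]] $Ports)
    foreach ($server in $Servers) {
        foreach ($port in $Ports) {
            [pscustomobject]@{
                PolicyServer = $server
                Port         = $port
                Status       = Test-PolicyServerPort -Server $server -Port $port
            }
        }
    }
}

$results = @(Get-PolicyServerReachability -Servers $PolicyServers -Ports $Ports)
$results | Format-Table -AutoSize

# TimedOut usually means packets are dropped on the path (firewall request needed);
# ConnectionRefused means the host answered but nothing is listening on that port.
$failed = @($results | Where-Object { $_.Status -ne 'Open' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} policy server ports are not reachable from {2}" -f $failed.Count, $results.Count, $env:COMPUTERNAME)
}
```

Attaching the resulting table to the firewall request shows exactly which server and port pairs fail from this host.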
You can also register the trusted host manually.
Eg: smreghost -i POLICYSERVERIPADDRESS:44441,44442,44443 -u USERNAME -p PASSWORD -hn TRUSTEDHOSTNAME -hc HCO
Navigate to the directory where you need the .conf file (SmHost.conf) and run the smreghost tool as shown above to register the host manually. Or else you can specify the name and path manually.
Now that you are done registering the trusted host, continue the configuration to configure the sites.
1. Select the sites to be configured.
2. Enter the ACO name (the one that you already configured in the Policy Server).
3. Review the configuration summary and click Install.
4. Check the box if you would like to enable the agent. (In general, leave it unchecked.)
5. Finish the configuration.
Navigate to CA_SiteMinder_Web_Agent_ConfigLog.log to confirm the information you provided and make sure there are no errors or warnings.
Make sure to specify the paths to your log files and trace files in the ACO before configuring.
Enable the Web Agent, restart IIS and try to access the protected site.
Since the log file directory has full control, the log files will be updated and can be seen in the log file directory (the path specified in the ACO). If the log files are not in the specified path, check the settings.
Web Agent (enable/disable):
1. Path: generally under Webagenthome\win64\bin\IIS\WebAgent.conf
a. Open WebAgent.conf with Notepad and set EnableWebAgent="YES" if you want to enable the agent.
b. Open WebAgent.conf with Notepad and set EnableWebAgent="NO" if you want to disable the agent.
2. WebAgent.conf contains the version of the agent installed, the location of the host configuration file and the ACO name you gave at the time of configuration, in addition to the option to enable or disable the agent.
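Because an agent left at EnableWebAgent="NO" is not enforcing policy on that server, it is worth checking the file rather than relying on memory. The script below is an added example, not part of the original write-up or of the SiteMinder tooling: it parses a constructed sample WebAgent.conf, and the key names HostConfigFile and AgentConfigObject, the ACO name and the function names are assumptions; only EnableWebAgent is taken from this page.

```powershell
# Constructed sample written to a temp file so the example runs anywhere.
# EnableWebAgent is the setting described above; HostConfigFile and
# AgentConfigObject are assumed key names for the SmHost.conf path and the ACO.
$sample = @'
# WebAgent.conf (constructed sample)
HostConfigFile="C:\Program Files\CA\webagent\win64\config\SmHost.conf"
AgentConfigObject="IIS_ACO_Example"
EnableWebAgent="NO"
'@
$confPath = Join-Path ([System.IO.Path]::GetTempPath()) 'WebAgent.sample.conf'
Set-Content -Path $confPath -Value $sample -Encoding ASCII

function Read-WebAgentConf {
    param([Parameter(Mandatory)] [string] $Path)
    $settings = [ordered]@{}
    foreach ($line in Get-Content -Path $Path) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # skip blanks and comments
        # key="value" pairs; the surrounding quotes are optional and stripped
        if ($text -match '^(?<key>[^=\s]+)\s*=\s*"?(?<value>[^"]*)"?\s*$') {
            $settings[$Matches['key']] = $Matches['value']
        }
    }
    $settings
}

function Get-WebAgentState {
    param([Parameter(Mandatory)] [string] $Path)
    $conf     = Read-WebAgentConf -Path $Path
    $hostConf = $conf['HostConfigFile']
    [pscustomobject]@{
        ConfFile          = $Path
        Enabled           = ($conf['EnableWebAgent'] -eq 'YES')
        AgentConfigObject = $conf['AgentConfigObject']
        HostConfigFile    = $hostConf
        HostConfigExists  = [bool]($hostConf -and (Test-Path -LiteralPath $hostConf))
    }
}

$state = Get-WebAgentState -Path $confPath
$state | Format-List
if (-not $state.Enabled) {
    Write-Warning "Web Agent is disabled in $confPath; requests to this site are not checked by the agent."
}
```

Point `Get-WebAgentState` at the real WebAgent.conf on each IIS server to confirm the agent is enabled and that the host configuration file it references exists.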
Host Configuration File:
1. Contains the information related to the registration of the trusted host.
2. Generally the path will be Webagenthome\win64\config\SmHost.conf
3. You can check the information related to the Policy Servers and the HCO.
Log Files:
webagent.log: can be named according to the naming convention you follow. Contains the configuration values you set in the ACO.
webagenttrace.log: logs the flow of events/requests when a protected resource is accessed.
Logs to check for troubleshooting
Policy Server logs:
1. Smaccess.log
2. Smps.log
3. Smtracedefault.log
Web Agent logs:
Webagenttrace.log