Environment
Situation
If you use SiteMinder version 5.5 or higher to administer single sign-on authentication for multiple applications, Reflection for the Web can be integrated with your SiteMinder installation. This technical note describes the steps to install and configure SiteMinder and Reflection for the Web so that they will work together to provide user authentication.
Note: To integrate SiteMinder with Reflection for the Web 2011, see KB 7021600.
- Reflection for the Web versions 8.0 or higher support SiteMinder version 5.5.
- Reflection for the Web version 9.5 introduced support for SiteMinder version 6.0.
Resolution
Reflection for the Web and SiteMinder
When Reflection for the Web and SiteMinder are configured to work together, users are authenticated using the single sign-on capability of SiteMinder. If preferred, you can configure additional authorization in Reflection for the Web to restrict access to sessions.
To integrate Reflection for the Web and SiteMinder, follow the steps in each of these sections:
1. Install SiteMinder.
2. Install Reflection for the Web.
3. Set the path to the SiteMinder libraries.
4. Configure SiteMinder.
5. Configure authentication in Reflection for the Web.
6. Configure authorization in Reflection for the Web.
7. Define and publish sessions.
1. Install SiteMinder
Install SiteMinder, including the Policy Server and necessary web agents. Refer to the SiteMinder Installation Guides for detailed information about the policy server or the web agents.
2. Install Reflection for the Web
Install Reflection for the Web management server. Automated installers are available for Windows, Solaris, HP-UX, and Linux systems. Follow the steps in the Reflection for the Web Installation Guide, which is available from these locations:
- On the product CD: installguide.html at the root of the CD directory
- In the root directory of the downloaded Reflection for the Web package
- On the Attachmate support site (HTML):
Reflection for the Web: https://support.microfocus.com/manuals/wthdocs.html
Reflection for the Web 2008: https://support.microfocus.com/manuals/rweb2008.html
Your next step is dependent on the operating system on which you installed Reflection for the Web.
On Solaris, Linux, AIX, or HP-UX
If you used the automated installer for Solaris, Linux, or HP-UX or did a manual installation to any of these platforms or to AIX using tomcat.zip, continue with step 3. Set the Path to the SiteMinder Libraries.
On Windows
Follow these steps if you used the Windows automated installer or did a manual installation on Windows using tomcat.zip.
- Verify that the file, msvcp60.dll, is installed on your system.
- If you do not see this file in your C:\WINNT\system32 folder, download a copy from the Microsoft web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;259403.
- Continue with step 4. Configure SiteMinder.
3. Set the Path to the SiteMinder Libraries
You must set the path to the SiteMinder libraries if you performed a non-automated (manual) installation on Solaris, Linux, AIX, or HP-UX using tomcat.zip.
Follow the procedure for your operating system. Note: The examples use the default path to the jakarta folder.
The path to the SiteMinder libraries is set in the setenv.sh file, located in the <install path>/Reflection Server/jakarta-tomcat/bin directory.
On Solaris, Linux, AIX, or HP-UX
- Open <jakarta folder>/bin/setenv.sh and locate this section:
# Set environment variables for SiteMinder integration
- In the section specific to your operating system (Solaris, Linux, AIX, or HP-UX), uncomment both the library path statement and the export command.
- Save the setenv.sh file.
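To confirm the edit, the following check (an added example, not part of the original note and not vendor code) reads setenv.sh from the marker comment onward and reports whether a library path variable is both assigned and exported. The variable names LD_LIBRARY_PATH, LIBPATH and SHLIB_PATH and the sample paths are assumptions; this note does not show the file's contents.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the SiteMinder section of
# setenv.sh sets the platform loader path variable: LD_LIBRARY_PATH
# (Solaris/Linux), LIBPATH (AIX) or SHLIB_PATH (HP-UX).
MARKER='# Set environment variables for SiteMinder integration'

# check_siteminder_env FILE
# Returns 0 if a loader variable is both assigned and exported after the
# marker, 1 if not, 2 if the marker comment is missing from FILE.
check_siteminder_env() {
    awk -v marker="$MARKER" '
    BEGIN { n = split("LD_LIBRARY_PATH LIBPATH SHLIB_PATH", vars, " ") }
    index($0, marker) == 1 { found = 1; next }
    !found || /^[ \t]*#/   { next }   # outside the section, or still commented
    {
        line = $0 " "                 # sentinel so a bare name ends in a blank
        for (i = 1; i <= n; i++) {
            v = vars[i]
            if (line ~ ("^[ \t]*(export[ \t]+)?" v "=")) assigned[v] = 1
            if (line ~ ("^[ \t]*export[ \t]+" v "[ \t=;]") ||
                line ~ (";[ \t]*export[ \t]+" v "[ \t=;]")) exported[v] = 1
        }
    }
    END {
        if (!found) { print "marker comment not found"; exit 2 }
        rc = 1
        for (i = 1; i <= n; i++) {
            v = vars[i]
            if (assigned[v] && exported[v]) { print v ": set and exported"; rc = 0 }
            else if (assigned[v]) print v ": set but NOT exported"
            else if (exported[v]) print v ": exported but never set"
        }
        exit rc
    }' "$1"
}

# Constructed sample (not the product's file): the path line was
# uncommented but its export was left commented out.
sample_setenv() {
    cat <<'EOF'
# Set environment variables for SiteMinder integration
# Linux
LD_LIBRARY_PATH=/opt/example/siteminder/lib:$LD_LIBRARY_PATH
#export LD_LIBRARY_PATH
# AIX
#LIBPATH=/opt/example/siteminder/lib:$LIBPATH
#export LIBPATH
EOF
}

sample_setenv | check_siteminder_env - || echo "step 3 edits incomplete"
```

To check a real installation, call check_siteminder_env with the full path to setenv.sh and test its exit status.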
On Windows
The path is already set when you install Reflection for the Web to a Windows platform. Continue with step 4. Configure SiteMinder.
4. Configure SiteMinder
Once the products are installed and the path to the SiteMinder libraries is set, you are ready to configure SiteMinder.
A. Open the SiteMinder Administration console. (In Windows: Start > SiteMinder > Policy Server User Interface.)
B. Select Agents in the left pane under System Configuration (on the System tab) and note the Name of the web agent that you are configuring to work with Reflection.
C. In the Agents Properties dialog box, select the check box to Support 4.x agents, if required for your environment.
  - If you select the check box, enter and note the Shared secret. (You will enter the agent name and shared secret when you configure Reflection.)
  - If you do not select the check box, SiteMinder defaults to using 5.0 or higher agents.
D. Enter the IP address or host name of the Reflection for the Web server.
E. Save your settings.
If you have SiteMinder version 6.x, you must create a new security realm for Reflection for the Web content.
- Use the same name for the web agent that you specified in step 4B.
- Set the Resource filter to /rweb/.
- Under this realm, create a new security rule, setting the Resource parameter to *.
5. Configure Authentication in Reflection for the Web
Use the Administrative WebStation to configure authentication.
- Start the Reflection for the Web Administrative WebStation. For more information, see the Reflection for the Web Installation Guide.
- In the left navigation bar under Tools, click Access Control Setup.
- On the Access Control Setup - Current Settings page, click Configure.
- On the Choose Authentication Method page, select SiteMinder, and then click Next.
- On the Set Up Reflection for SiteMinder page, enter the following.
SiteMinder Agent Version: The configuration options differ according to the version you select, 4 or 5. Note: If you select 5, it applies to Agent versions 5 or higher.
Agent name: The name of the agent that is used by Reflection. This is the Name you noted in the SiteMinder Administration window under Agents in section 4. Configure SiteMinder.
Shared secret (Version 4 option): The secret used by the policy server to verify the agent. This is the shared secret you entered in the SiteMinder Administration window in section 4. Configure SiteMinder.
SiteMinder configuration file (Version 5 or higher option): Provide a full path to the SiteMinder host configuration file. This is typically SmHost.conf and resides in the installation directory of the standard SiteMinder web agent.
If no SiteMinder web agent is installed on the Reflection Management server, copy this from a machine running a standard web agent. Use the smreghost command from the SiteMinder Web Agent home's bin directory to do this:
smreghost.exe -i<Policy Server Address:[Port]> -u<Admin Name> -p<Admin Password> -hn<Reflection Management Server Address> -hc<Host Config Object> -f<Host Config Path>
Where:
- Policy Server Address: DNS name or IP address of the SiteMinder policy server
- Port: Optional port number of the policy server
- Admin Name: Name of the administrative account on the policy server
- Admin Password: Password of the administrative account on the policy server
- Reflection Management Server Address: DNS name or IP address of the Reflection Management server
- Host Config Object: Name of the preconfigured host configuration object on the policy server
- Host Config Path: Full path to the host configuration file to be created (typically SmHost.conf)
Policy server host: The IP address (preferred) or DNS name of the host on which the SiteMinder policy server is installed.
Authentication port: The default authentication port number for the policy server is 4442. If the default port was changed during the SiteMinder installation, check the port setting in the Policy Server Management Console and enter that port number here.
Note: To check the port number, open the Policy Server Management Console, click the Settings tab, and look for the Authentication port number under Agent Configuration. If other SiteMinder port numbers were changed from their defaults during setup, you must reset the corresponding port numbers in the Reflection for the Web PropertyDS.xml file, located in the ReflectionData folder.
After you enter the required information, click Next.
Troubleshooting
If you receive the error "Failed to initialize SiteMinder libraries" while configuring authentication, it may be due to a .dll version conflict. To resolve this issue, you must manually upgrade the smjavaagentapi.jar and smjavaagentapi.dll files. Locate these files in your SiteMinder installation, and copy them to the following Reflection locations:
<Tomcat installation home>/misc/siteminder/bin/<OS specific>/smjavaagentapi.dll
<RWeb webapp home>/WEB-INF/lib/smjavaagentapi.jar
Once the files have been copied, restart the Reflection for the Web Management Server.
6. Configure Authorization in Reflection for the Web
Once SiteMinder authentication is configured, you can choose to restrict Reflection access to specific users. Follow these steps to configure your authorization preferences.
A. On the Choose Authorization Method page (displays after you configure Authentication), select either method: Allow authenticated users to access published sessions or Use LDAP to restrict access to sessions.
The methods are described in the following sections.
Allow authenticated users to access published sessions. This method grants access to Reflection using SiteMinder alone, and no additional authorization is performed when users access sessions.
- If you provide access to specific sessions, users can log into SiteMinder and go directly to their sessions.
- If you provide access to the Reflection links list, all users authenticated by SiteMinder have access to all published sessions.
Use LDAP to restrict access to sessions. Because this method uses both SiteMinder authentication and LDAP authorization, you have an additional layer of control over session access. To use SiteMinder authentication with LDAP authorization, the LDAP server that you configure in Reflection must be the same LDAP server used by SiteMinder.
- If you provide access to specific published sessions, users log into SiteMinder and go to their sessions. If the user is not authorized, an error message appears.
- If you provide access to the Reflection links list, you can use the Access Mapper to assign sessions to specific users and groups. Users log into SiteMinder, go to their links list, and then click a link to any session they are authorized to access.
B. After you select an authorization method, click Next.
If you did not select LDAP authorization, skip to step C.
If you selected LDAP authorization, you will see the Configure Reflection for your LDAP Server page. The LDAP server configured here must be the same LDAP server used with SiteMinder. (For more information, click Help.)
When all of the information is entered, click Next.
C. Review your choices on the Confirm Access Control Setting page, and then click Save Settings.
7. Define and Publish Sessions
Use the tools in the Administrative WebStation to define and publish sessions.
- Click Session Manager in the left navigation bar. Click Add, and follow the steps in the Session Manager to configure sessions.
- Click Access Mapper in the left navigation bar. If you have chosen to use SiteMinder authentication only, publish the session by selecting the check box next to the session name, and then click Save Settings.
If you selected LDAP authorization, search for users or groups and map the session to them. Click the Save Settings button in the Access Mapper.
Note: Users must first authenticate using SiteMinder before they can access Reflection for the Web sessions. The SiteMinder web agent downloads a cookie to each user's browser memory, which authenticates them for that browser session only.