CA Privileged Access Manager - 2.8.3

CA Single Sign-On Integration

Last update April 7, 2017

As a security administrator, you can integrate CA Privileged Access Manager with CA Single Sign-On. You can use CA Single Sign-On to protect resources on the product itself.

Important! CA Privileged Access Manager does not support integration with CA Single Sign-On for AWS instances in this version.

Prerequisites

  • The CA Single Sign-On Policy Server requires manual setup before you configure CA Privileged Access Manager. Depending on the resources that you want to protect, you configure several of the following objects on the Policy Server:
    Agent, Agent Configuration Object, Host Configuration Object, Directory Object, Authentication Scheme Object, and either an Application, Domain, or Realm Object.
  • A user store supported by CA Single Sign-On (such as Active Directory)

CA Single Sign-On Policy Server Configuration

Before you set up SSO on CA Privileged Access Manager, configure these objects in the SiteMinder Administrative UI.

  1. Create an Agent.
    1. On the Infrastructure menu, select Agent, then Agents on its submenu. Click the Create Agent button on the right. Click OK to accept the option "Create a new object of type Agent."
    2. For Name, enter the Fully Qualified Domain Name of the CA Privileged Access Manager host.
  2. Create an Agent Configuration Object.
    1. On the Agent menu, select Agent Configuration Objects. Click the Create Agent Configuration button.
    2. Select the option "Create a copy of an object of type Agent Configuration." The ApacheDefaultSettings object is selected by default. Click OK.
    3. Enter a Name for the agent configuration object.

      Note

      Use the value of the Name field in the CA Privileged Access Manager SSO configuration.

    4. Of the many Parameters displayed, only these parameters change:
      • AgentName: Enter the Name of the Agent object created in Step 1. Click OK.
      • DefaultAgentName: Enter the Name of the Agent object created in Step 1. Click OK.
      • HttpsPorts: Enter the CA Privileged Access Manager HTTPS port, such as 443.
      • GetPortFromHeaders: Enter yes.
      • LogoffUri: Enter the Logoff page, such as "/logoff.php".
    5. Click Submit.
  3. Create or modify an existing Host Configuration Object.
    1. Under the Hosts menu, select Host Configuration Objects.
    2. Click Create Host Configuration to create one, or edit one by clicking the pencil opposite its Name field. For example, use DefaultHostSettings.

      Note

      Use the value of the Name field in the CA Privileged Access Manager SSO configuration.

    3. Ensure that the Host address for the Policy Server field is the IP address of the Policy Server.
    4. Click Submit.
  4. Create a Directory Object.
    1. Under the Directory menu, select User Directories.
    2. Click the Create User Directory button on the right.
    3. Complete the following fields according to your environment.
      • In the Name field, enter a name for the user directory.
      • In the Server field, enter the IP address and port.
      • In the Administrator Credentials section, select Require Credentials.
      • In the Username field, enter the DN of a user who has at least read access to the user directory. For example: CN=test,OU=Administrators,OU=IT,CN=doejo01
      • Enter the password for this user in the Password and Confirm Password fields.
      • In the LDAP Settings section, enter a DN for the LDAP Search Root. For example: OU=Administrators,DC=company,DC=inc
      • Under LDAP User DN Lookup, for Start, enter "(sAMAccountName=".
      • In the End field, enter ")".
      • Under User Attributes, set the Universal ID field as "sAMAccountName".
      • In the Disabled Flag field, enter "carLicense".
      • In the Password field, enter "unicodePwd".
      • In the Password Data field, enter "audio".
    4. Click the Submit button.
  5. Create an Authentication Scheme Object.
    1. Under the Authentication menu, select Authentication Schemes. Click the Create Authentication Scheme button on the right.
    2. Select the option "Create a new object of type Authentication Scheme."
    3. Complete the following fields:
      • In the Name field, enter HTMLForm.
      • In Authentication Scheme Type, select HTML Form Template.
      • In the Scheme Setup section, select Use Relative Target.
      • For Target, enter /siteminderagent/forms/pamlogin.fcc.
      • Accept the default values for the remaining fields.
    4. Click Submit.
  6. Set up an Application, Domain, or Realm Object.
    Depending upon how you want to protect your resources, select Application, Domain, or Realm. In this example, we demonstrate setting up an Application Object. We show how to set up protection for the Global Settings page of CA Privileged Access Manager. You likely want to protect more than one web page. For more information about setting up these objects, see the CA Single Sign-On documentation.
    1. Under the Policies menu, select Application, then Applications. Click the Create Application button on the right.
    2. Complete the following fields:
      • In the Name field, enter CA Privileged Access Manager.
      • In the Component Name field, enter Global Settings for our example.
      • In the Resource Filter field, enter /entry.php for our example.
      • In the Default Resource Protection field, select Protected.
      • In the Authentication Scheme field, select HTMLForm.
      • Click Lookup Agent/Agent Group.
      • Select the Agent that you created in Step 1 (the Fully Qualified Domain Name of the CA Privileged Access Manager host). Click OK.
      • Click the Add/Remove button in the User Directories section.
      • Select the User Directory object that you created in Step 4. Click the arrow to move it to the Selected Members panel. Click OK.
      • Select the Resources tab, and click the Create button.
        • In the Name field, enter Global Settings for our example.
        • In the Resource field, enter *feat=config.
        • Select the box for Regular Expression.
        • In the Action field, select Get and Post.
        • Click OK.
      • Select the Roles tab, and click the Create button.
        • Select "Create a new object of type Role." Click OK.
        • In the Name field, enter All Users.
        • For "Role applies to", select All Users.
        • Click OK.
      • Click Submit to create the Application object.
      • In the Applications panel, edit CA Privileged Access Manager by clicking the pencil icon.
      • Select the Policies tab.
        • Select the box for All Users under the Roles column, in the Global Settings row.
    3. Click Submit.
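The User Directory object from Step 4 is what the Policy Server uses to turn a login name into a directory entry: the LDAP User DN Lookup Start and End strings wrap the name into a search filter, the LDAP Search Root is the base of the search, and the Universal ID and Disabled Flag fields name the attributes to read. The following Python is an added example, not CA Single Sign-On code, that assembles that search from the values in Step 4 and evaluates it against a small constructed in-memory directory; the RFC 4515 escaping of the login name and the "non-empty Disabled Flag means disabled" reading are assumptions of this example, not settings documented on this page.

```python
"""Added example (not CA Single Sign-On code): how the User Directory settings
from Step 4 combine into an LDAP user lookup for a login name."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values exactly as entered in Step 4 of the Policy Server configuration.
SEARCH_ROOT = "OU=Administrators,DC=company,DC=inc"  # LDAP Search Root (page example)
LOOKUP_START = "(sAMAccountName="                    # LDAP User DN Lookup, Start
LOOKUP_END = ")"                                     # LDAP User DN Lookup, End
UNIVERSAL_ID = "sAMAccountName"                      # User Attributes, Universal ID
DISABLED_FLAG = "carLicense"                         # User Attributes, Disabled Flag

# RFC 4515 section 3: characters that must be escaped inside an assertion value
# so the login name is matched literally (assumption: the real agent escapes too).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name for use between the Start and End strings."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class UserLookup:
    base: str            # LDAP Search Root
    filter: str          # Start + escaped login + End
    attributes: List[str]  # attributes the Policy Server needs back


def build_user_lookup(login: str) -> UserLookup:
    """Assemble the search performed for a login name, from the Step 4 values."""
    return UserLookup(
        base=SEARCH_ROOT,
        filter=LOOKUP_START + escape_filter_value(login) + LOOKUP_END,
        attributes=[UNIVERSAL_ID, DISABLED_FLAG],
    )


# Constructed stand-in for the entries below SEARCH_ROOT (not real accounts).
SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=doejo01,OU=Administrators,DC=company,DC=inc",
     "sAMAccountName": "doejo01", "carLicense": ""},
    {"dn": "CN=smithj02,OU=Administrators,DC=company,DC=inc",
     "sAMAccountName": "smithj02", "carLicense": "1"},
]

# A single equality filter of the form (attribute=value).
_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$")


def find_user(login: str, directory: List[Dict[str, str]] = SAMPLE_DIRECTORY) -> Optional[Dict[str, str]]:
    """Evaluate the assembled filter against the in-memory directory."""
    lookup = build_user_lookup(login)
    m = _EQUALITY.match(lookup.filter)
    if m is None:
        raise ValueError("Lookup Start/End do not form a single equality filter")
    attr, wanted = m.group("attr"), unescape_filter_value(m.group("value"))
    for entry in directory:
        if entry["dn"].endswith(lookup.base) and entry.get(attr) == wanted:
            return entry
    return None


def is_disabled(entry: Dict[str, str]) -> bool:
    """Assumption of this example: any non-empty Disabled Flag value disables the account."""
    return bool(entry.get(DISABLED_FLAG))


if __name__ == "__main__":
    for name in ("doejo01", "smithj02", "doe)01"):
        hit = find_user(name)
        print(name, "->", "not found" if hit is None else f"{hit['dn']} disabled={is_disabled(hit)}")
```

Because the Start string opens the filter and the End string closes it, anything between them is an assertion value; escaping keeps a login name such as doe)01 from being read as filter syntax, which is why the lookup for it returns no entry rather than a malformed search.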

CA Privileged Access Manager Configuration

Once the CA Single Sign-On Policy Server configuration steps are complete, follow these steps on CA Privileged Access Manager.

  1. On the Config menu, select CA Modules, and find the CA Single Sign-On Configuration section.
    • Policy Servers IP Address and Port – Use either an IPv4 or an IPv6 address. To specify a port, append it after a colon. For an IPv6 address with a port, enclose the address in square brackets.
    • Policy Server User Name
    • Policy Server Password
    • Host Configuration Object – the Name of the Host Configuration Object from the CA SSO setup (such as DefaultHostSettings)
    • Agent Configuration Object – the Name of the Agent Configuration Object from the CA SSO setup
      Note: If this setting is incorrect, it causes the resource that is protected by this integration to become inaccessible. See Use Console in Emergency for more information.
    • Trusted Host Name – The name that is used to register the CA SSO Policy Server with CA Privileged Access Manager.
    • FIPS_VALUE
      This setting corresponds to one of the three Federal Information Processing Standard (FIPS) modes in which CA Single Sign-On operates.
      • COMPAT
        FIPS-compatibility mode uses algorithms existing in previous versions of CA Single Sign-On to encrypt sensitive data to maintain compatibility.
      • MIGRATE
        FIPS-migration mode enables you to transition from FIPS-compatibility mode to FIPS-only mode.
      • ONLY
        FIPS-only mode ensures that the Agent only accepts session keys, Agent Keys, and shared secrets that are encrypted using FIPS-compliant algorithms.
    • Activate – turns on SSO, but does not take effect until the web server is restarted (with the Restart Apache button).
    • Disable – If CA Single Sign-On integration is "Currently enabled," this button disables it.
    • Reset button – returns the previous values of the fields on the CA Single Sign-On Configuration form.
    • Restart Apache – Once activated, the CA Privileged Access Manager Apache server requires a restart for the SSO integration to take effect.
    • Download Form – The standard CA Single Sign-On login form has been modified for use with the main CA Privileged Access Manager frame. Download this form (pamlogin_xx-XX.fcc), alter it if necessary, and copy it to the desired location. Change the Target field value to the new form name and location.
    • Download Log – Download the latest log file record of this instance of the CA Single Sign-On Web Agent. This file might be useful for troubleshooting if problems arise in the configuration of this CA module integration.
  2. Click the Activate button to save your configuration of the CA SiteMinder Web Agent and turn on Single Sign-On.
  3. For the changes to take effect, click the Restart Apache button to restart the web server.
  4. To test the SSO feature, log in to CA Privileged Access Manager. Attempt to access the resource you are protecting.
    The SSO login screen appears. If the SSO login screen does not appear, the SSO integration has failed.
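The Policy Servers IP Address and Port field has three rules: a colon separates the port, an IPv6 address with a port must be bracketed, and a bare IPv6 address needs no brackets. The Python below is an added example, not code from CA Privileged Access Manager, that applies those rules to a field value before it is saved; the sample addresses and the port 44441 are constructed values, not real Policy Servers, and the function returns no default port because this page states none.

```python
"""Added example (not CA Privileged Access Manager code): validate the value of
the Policy Servers IP Address and Port field using the rules stated in the text."""
import ipaddress
from typing import Optional, Tuple


def _parse_port(text: str) -> int:
    """Accept a decimal TCP port in 1..65535; anything else raises ValueError."""
    if not text.isdigit():
        raise ValueError(f"port is not a number: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_policy_server_address(value: str) -> Tuple[str, Optional[int]]:
    """Return (canonical IP, port or None) for a field value.

    Accepted shapes (constructed sample values, not real Policy Servers):
      10.0.0.5              IPv4 without a port
      10.0.0.5:44441        IPv4 with a port after a colon
      2001:db8::5           IPv6 without a port (no brackets needed)
      [2001:db8::5]:44441   IPv6 with a port: brackets are mandatory
    """
    value = value.strip()
    port: Optional[int] = None

    if value.startswith("["):
        # Bracketed form: the address ends at ']'; an optional ':port' follows.
        end = value.find("]")
        if end == -1:
            raise ValueError("missing ']' after IPv6 address")
        ip = ipaddress.ip_address(value[1:end])
        if ip.version != 6:
            raise ValueError("square brackets are only valid around an IPv6 address")
        rest = value[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("expected ':port' after ']'")
            port = _parse_port(rest[1:])
    elif value.count(":") == 1:
        # Exactly one colon: an IPv4 address followed by a port
        # (an IPv6 literal always contains at least two colons).
        host, _, port_text = value.partition(":")
        ip = ipaddress.ip_address(host)
        port = _parse_port(port_text)
    else:
        # No colon (IPv4) or several colons (bare IPv6): address only.
        ip = ipaddress.ip_address(value)

    return str(ip), port


def is_valid_policy_server_address(value: str) -> bool:
    """True when the field value follows the documented rules."""
    try:
        parse_policy_server_address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("10.0.0.5", "10.0.0.5:44441", "2001:db8::5",
                   "[2001:db8::5]:44441", "2001:db8::5:44441", "10.0.0.5:99999"):
        result = parse_policy_server_address(sample) if is_valid_policy_server_address(sample) else "rejected"
        print(f"{sample!r:24} -> {result}")
```

The bracket rule exists because an unbracketed IPv6 address followed by a colon and port is ambiguous: a value such as 2001:db8::5:4444 is itself a well-formed IPv6 address, so the trailing group would be silently read as part of the address rather than as a port. Validating the value before clicking Activate avoids a misconfiguration that only shows up after the Apache restart.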

Troubleshooting

Use Console in Emergency

If CA Privileged Access Manager is inaccessible, and you need to disable SSO, use the Utility Console. If you have a VM, use an admin app such as vSphere to access the console. On the Console Main Menu, there is a new menu item for SSO. Select Disable CA Single Sign-On.

Known Issues

Agent Configuration Object Internal Server Error

If an invalid Agent Configuration Object is specified, the web agent does not report an error. The user gets a success message and is prompted to restart. After the restart, they cannot get back into CA Privileged Access Manager and see this message:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, or support.ca.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server error was encountered while trying to use an ErrorDocument to handle the request.

To enter CA Privileged Access Manager in this situation, disable SSO with the Utility Console. If you have a VM, use an admin app such as vSphere to access the console. On the Console Main Menu, there is a new menu item for SSO. Select Disable CA Single Sign-On.

CA Privileged Access Manager Client Failure

When using the CA Privileged Access Manager Client to connect to your CA Privileged Access Manager instance, use the FQDN rather than the IP address. The Fully Qualified Domain Name succeeds, but the IP address fails without raising an error.
