Wednesday, December 9, 2015

Siteminder: Authentication Scheme Processing

Definition: When a user attempts to access a protected network resource, the Policy Server uses the authentication scheme associated with the resource's realm to determine how to identify the user. The authentication scheme specifies the credentials that the user must supply for authentication, as well as the method used by the Policy Server to validate the user's identity.





In the example above, the user requests the protected resource sales.html from the /Sales/ realm. This realm requires Basic authentication. The Policy Server informs the Web Agent that the resource is protected and requests Basic credentials from the user via the Web Agent, which prompts the user for a user name and password. 


There are two types of Authentication scheme templates available in the Administrative UI:

■ Basic (HTTP Basic)
■ Basic over SSL
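The HTTP side of the exchange described above, from the Web Agent's point of view, as an added example that is not part of the original post: the agent answers an unauthenticated request with a 401 challenge naming the realm, and the browser replies with an Authorization header carrying base64(user:password). The decoder below shows that the credential is only encoded, not encrypted, which is the reason the second template (Basic over SSL) exists. The realm value, user name and password are constructed; `base64 -d` (GNU/busybox coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original post): HTTP Basic challenge and
# credential parsing as a Web Agent would see it.

# basic_challenge REALM -> the 401 response sent when no credentials arrived
basic_challenge() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="%s"\r\n' "$1"
}

# basic_user HEADER_VALUE -> prints the user name from "Basic <base64(user:password)>"
# Only the user name is echoed; the password part is never written out.
basic_user() {
    case "$1" in
        "Basic "*) ;;
        *) echo "not a Basic credential" >&2; return 1 ;;
    esac
    # strip the scheme word, decode the remainder (assumes GNU/busybox base64)
    decoded=$(printf '%s' "${1#Basic }" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        *:*) printf '%s\n' "${decoded%%:*}" ;;   # RFC 7617: user may not contain ':'
        *)   echo "malformed credential (no user:password separator)" >&2; return 1 ;;
    esac
}

# Demo with a constructed credential (jsmith / s3cret), not a real account
basic_challenge /Sales/
basic_user "Basic $(printf 'jsmith:s3cret' | base64)"
```

Because the decoder recovers the clear-text password from the header with one `base64 -d`, any hop between browser and Web Agent that is not TLS-protected exposes it; that is the property the Basic over SSL template closes.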

Wednesday, October 14, 2015

Jython: simple script to update RFH header in all the queues

# Jython (wsadmin) script: apply the same settings, including useRFH2, to every
# WebSphere MQ queue definition under node01.
nodeid = AdminConfig.getid("/Node:node01")
for qname in AdminTask.listWMQQueues(nodeid).split():
    # loop body must be indented; each queue is modified in turn
    AdminTask.modifyWMQQueue(qname, '[-persistence APP -priority APP -expiry APP -ccsid 1208 -useNativeEncoding true -integerEncoding Normal -decimalEncoding Normal -floatingPointEncoding IEEENormal -useRFH2 true -sendAsync QDEF -readAhead QDEF -readAheadClose DELIVERALL -messageBody UNSPECIFIED ]')
# persist the configuration once all queues have been updated
AdminConfig.save()

Wednesday, September 23, 2015

Stash password from a .sth file by using perl

#!/usr/bin/perl -w
# Recovers the password stored in a .sth stash file: the file holds the
# password XOR'ed with 0xF5 (obfuscation, not encryption), NUL-terminated.
use strict;
die "Usage: $0 <stash file>" if $#ARGV != 0;
my $file = $ARGV[0];
open(F, '<', $file) || die "Can't open $file: $!";
binmode F;                      # raw bytes, no newline translation
my $stash;
read F, $stash, 1024;
close F;
# undo the XOR on every byte
my @unstash = map { $_ ^ 0xf5 } unpack("C*", $stash);
foreach my $c (@unstash) {
    last if $c == 0;            # NUL terminates the password
    printf "%c", $c;
}

Sunday, September 20, 2015

Simple script to capture socket connection information on SM Policy server




#!/bin/ksh
# Written by Kishore Thotakoora to troubleshoot Q3-2015 login.fcc latency issues
# Appends a timestamped count of sockets on the Policy Server ports 1707, 1708
# and 44443 to a log file. Note that grep matches the port digits anywhere in
# the netstat line (other ports such as 17070 match too), so the counts are
# approximate.

LOG=/opt/siteminder/netegrity/log/NoOfConnections.log
host=`hostname`

count1707=`netstat -an | grep 1707 | wc -l`
echo "=======================================================================" >> $LOG
echo "`date` $host" >> $LOG
echo "=======================================================================" >> $LOG
echo "No of Sockets established to 1707 are: $count1707" >> $LOG
count1708=`netstat -an | grep 1708 | wc -l`
echo "No of Sockets established to 1708 are: $count1708" >> $LOG

# 44443: fully established sockets versus connection attempts still in SYN_SENT
count44443_ESTABLISHED=`netstat -an | grep 44443 | grep ESTABLISHED | wc -l`
echo "No of Sockets established to 44443 are: $count44443_ESTABLISHED" >> $LOG
count44443_SYN_SENT=`netstat -an | grep 44443 | grep SYN_SENT | wc -l`
echo "No of connections Attempts to establish a connection on 44443 are: $count44443_SYN_SENT" >> $LOG
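The script above counts lines that merely contain the port digits, so a socket on port 17070 or an ephemeral port such as 51707 is counted as a 1707 connection, and LISTEN and TIME_WAIT rows are lumped in with established ones. The following is an added example, not part of the original post, that counts sockets for a port by TCP state while matching the port as a whole field. The `netstat -an` sample is constructed, and the awk assumes the usual column layout (Local Address in column 4, Foreign Address in column 5, State last, i.e. no `-p` option).

```shell
#!/bin/sh
# Added example (not part of the original post): per-state socket counts
# for a port, with the naive grep|grep count shown beside it for comparison.

# Constructed sample of netstat -an output; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1707            0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:1707           10.1.2.50:51234         ESTABLISHED
tcp        0      0 10.1.2.3:1707           10.1.2.51:51235         ESTABLISHED
tcp        0      0 10.1.2.3:1707           10.1.2.52:51236         TIME_WAIT
tcp        0      0 10.1.2.3:17070          10.1.2.53:51237         ESTABLISHED
tcp        0      0 10.1.2.3:44443          10.1.2.60:40001         ESTABLISHED
tcp        0      0 10.1.2.3:40002          10.1.2.61:44443         SYN_SENT
tcp        0      0 10.1.2.3:51707          10.1.2.62:443           ESTABLISHED'

# naive_count PORT STATE: the grep|grep approach from the script above.
# Matches the digits anywhere on the line, so 17070 and 51707 both count as 1707.
naive_count() {
    grep "$1" | grep -c "$2"
}

# count_port_state PORT STATE: rows whose local OR foreign port is exactly PORT
# (Linux prints host:port, Solaris/AIX print host.port) and whose state is STATE.
count_port_state() {
    awk -v port="$1" -v state="$2" '
        $1 ~ /^tcp/ && $NF == state {
            n = split($4, l, "[.:]")      # local address; last piece is the port
            m = split($5, f, "[.:]")      # foreign address
            if (l[n] == port || f[m] == port) c++
        }
        END { print c + 0 }'
}

# port_summary PORT: one line per state, suitable for appending to a log.
port_summary() {
    data=$(cat)                           # stdin is read once and reused
    for st in LISTEN ESTABLISHED SYN_SENT TIME_WAIT; do
        printf '%s %s: %s\n' "$1" "$st" \
            "$(printf '%s\n' "$data" | count_port_state "$1" "$st")"
    done
}

# Demo on the constructed sample (on a real host: netstat -an | port_summary 1707)
printf '%s\n' "$SAMPLE_NETSTAT" | port_summary 1707
printf 'naive 1707 ESTABLISHED: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | naive_count 1707 ESTABLISHED)"
```

On the sample the naive count reports four established 1707 sockets while the field-exact count reports two, which is the kind of gap that makes a latency investigation chase the wrong port.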

Tuesday, September 1, 2015

Siteminder: webagent registration with policy server

The command below has to be run as user/root on the host where the Web Agent is installed.

Syntax
/ihs/SYSsiteminder/32bit/12.5.0.732/webagent/bin/smreghost -i <PolicyServer_hostname>:44441 -u siteminder -p <password> -hc CATHostSettings -hn `hostname` -f  <Path>/conf/SMHosts.conf



You will get the message below:

Host Registration written to <Path>/conf/SMHosts_CAT.conf

After the registration, you should see your host in the Policy Server's Trusted Host list.


Note: If the agent is already registered with the Policy Server, you may encounter the exception below. In that case you can use the previously generated file, if you still have it. Otherwise you can regenerate it by running the command above.


Registration failed (Unable to create trusted host).

Below is a snippet of the Policy Server console:

Tuesday, June 23, 2015

Siteminder: Domain import/export steps from Source to Target Policy Server


1. Use the XPSExplorer command to find the Domain_ID of the domain that needs to be imported into the target Policy Server.


The commands below are run on the source Policy Server to make a copy of the domain in a file (i.e. .xml).

$ pwd
/opt/siteminder/netegrity/bin

$ find XPS*
XPSConfig
XPSCounter
XPSDDInstall
XPSDictionary
XPSEvaluate
XPSExplorer
XPSExport
XPSImport
XPSLicense
XPSRegClient
XPSSweeper

$ ./XPSExplorer
[XPSExplorer - XPS Version 12.5.0000.732]
Log output: XPSExplorer.xxxxxx_073226.log

MAIN MENU *******************************************************************

   CA                          (Vendor) 65-    Agent*
     CDS                      (Product) 66-    Agent4x
 3-    Certificate*                     67-    AgentConfig*
 4-    CRLRevocationData*               68-    AgentGroup*
 5-    OCSPRevocationData*              69-    AgentInstance*
     EPM                      (Product) 70-    AgentType*
 7-    Application*                     71-    AgentTypeAttr
 8-    ApplicationGroup*                72-    AuthAzMap*
 9-    AttributeMapping                 73-    AuthScheme*
10-    CapabilityGroup                  74-    AuthValidateMap*
11-    LDAPUserDirectory                75-    AzIdentityMappingEntry
12-    ODBCQuery                        76-    CertMap*
13-    ODBCUserDirectory                77-    ConfigParameter*
14-    ResponseConstraint               78-    ConfigParametersWithRule*
15-    Role                             79-    Domain*
     FED                      (Product) 80-    GlobalDomain
17-    ArtResService*                   81-    GlobalPolicy
18-    AssConService*                   82-    GlobalPolicyLink
19-    AttributeMapping*                83-    GlobalRealm
20-    AttributeSource*                 84-    GlobalResponse
21-    AuthnContextMapping*             85-    GlobalResponseAttr
22-    AuthnContextTemplate*            86-    GlobalResponseGroup
23-    BackchannelConfig*               87-    GlobalRule
24-    Certificate*                     88-    GlobalRuleGroup
25-    ContactPerson*                   89-    GlobalUserPolicy
26-    EncryptionConfig*                90-    GlobalVariable
27-    Endpoint*                        91-    HostConfig*
28-    GlobalConfig*                    92-    IdentityMapping
29-    IdPBase*                         93-    IdentityMappingEntry
30-    IdPLocal                         94-    ODBCQuery*
31-    IdPPartnership                   95-    PasswordPolicy*
32-    IdPRemote                        96-    Policy
33-    NameIDConfig*                    97-    PolicyLink
34-    OpenCookieConfig*                98-    Realm
35-    Organization*                    99-    RegularExpr
36-    PartnershipBase*                 100-    ResourcePartnerUsers
37-    PhysicalAttributeMapping*        101-    Response
38-    SAML1xAssnConService*            102-    ResponseAttr
39-    SAML1xAssnRetrService*           103-    ResponseGroup
40-    SAML1xAttribute*                 104-    RootConfig*
41-    SAML1xConsToProdPartnership      105-    Rule
42-    SAML1xConsumerLocal              106-    RuleGroup
43-    SAML1xConsumerRemote             107-    SAMLAffiliation*
44-    SAML1xEntityBase*                108-    SAMLv1IdP
45-    SAML1xPartnershipBase*           109-    SAMLv1SP
46-    SAML1xProdToConsPartnership      110-    SAMLv2IdP
47-    SAML1xProducerLocal              111-    SAMLv2SP
48-    SAML1xProducerRemote             112-    SelfReg*
49-    SAML1xSSOService*                113-    ServiceProviderUsers
50-    SAML2Attribute*                  114-    SharedSecretPolicy*
51-    SiteMinderConnector*             115-    TrustedHost*
52-    SLOService*                      116-    UserDirectory*
53-    SPBase*                          117-    UserPolicy
54-    SPLocal                          118-    ValidateIdentityMappingEntry
55-    SPPartnership                    119-    Variable
56-    SPRemote                         120-    VariableType*
57-    SSOService*                      121-    WSFEDIdP
58-    StandaloneStoreVersion*          122-    WSFEDSP
59-    StatusRedirects*                      XPS                      (Product)
60-    UserMapping*                     124-    CounterValue*
     SM                       (Product) 125-    Expression*
62-    Admin*                           126-    ExtractManifest
63-    AffiliateDomain                  127-    ExtractManifestEntry
64-    AffiliateUsers

* indicates object types that can be granularly exported.

-------------------------------------------------------------------
F - Find by XID or RID
B - Begin Transaction
X - XCart Management (0 items)
P - Synchronize with Policy Server (if running)
Q - Quit
-------------------------------------------------------------------
Enter Option (#,F,B,X,P, or Q):  79


CLASS MENU *************************************************************** #11

Class: Domain [CA.SM::Domain]

        SiteMinder Type: 3
           Export Group: Policy
            Import Type: Replace
               Category: Dictionary (1)
          Data Category: Object Store (2)

-------------------------------------------------------------------
A    - List 7 Attributes
L    - List 7 Links
C    - List 10 child Classes
E    - List 3 extension Classes

N    - Create a New instance of this class
F    - Find an object by XID or RID
S    - Search objects

Q    - Quit
-------------------------------------------------------------------
Enter Option (ALCENFSQ): S

After choosing option "S", it lists the domains that exist on the source Policy Server, as below.

34-CA.SM::Domain@03-00016817-2434-1e83-84c7-33c2a7edff3b
       (I) Name                            : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
       (C) Desc                            : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 35-CA.SM::Domain@03-0007d915-f793-1ed5-8710-83d2a7edff3b
       (I) Name                            : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
       (C) Desc                            : "xxxxxxxxxxxxxxxxxxxxxxxxxn"
 36-CA.SM::Domain@03-00014282-f54a-1062-aeb4-833224c9ff3b
       (I) Name                            : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
       (C) Desc                            : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

So the highlighted blue line (the CA.SM::Domain@... identifier of the domain you want) becomes the Domain_ID.

2. Run the XPSExport command to export the domain to a file (e.g. .xml)

./XPSExport filename -xo-overlay Domain_ID -npass  (if the domain already exists on the target server)

./XPSExport filename -xo-add Domain_ID -npass  (if the domain does not exist on the target server)


Eg.  ./XPSExport Something_you_like.xml -xo-overlay CA.SM::Domain@03-00014282-f54a-1062-aeb4-833224a9ff3b -npass


3. Run the XPSImport command on the target server

Copy the file created in step 2 on the source Policy Server to /tmp on the target Policy Server.

Path: /opt/siteminder/netegrity/bin

./XPSImport filename -npass


Eg, ./XPSImport /tmp/Something_you_like.xml -npass

This completes the domain import from the source to the destination Policy Server.
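Steps 1 and 2 above are easy to get wrong by hand: the XID has to be copied from the XPSExplorer listing exactly, and the wrong mode (-xo-overlay versus -xo-add) is chosen when one is unsure whether the domain already exists on the target. The following is an added example, not part of the original post or a CA tool, that picks the Domain XID out of a saved copy of the "Search objects" listing by domain name, checks its shape, and builds the step 2 command line without running it. The listing, domain names and descriptions are constructed in the format shown above; the XID pattern (CA.SM::Domain@03- followed by 8-4-4-4-12 hex groups) is taken from the identifiers on this page and is an assumption about other installations.

```shell
#!/bin/sh
# Added example (not from the original post): XID lookup and XPSExport
# command construction for the domain export procedure.

# Constructed sample of the XPSExplorer "S" (Search objects) output from step 1.
SAMPLE_SEARCH=' 34-CA.SM::Domain@03-00016817-2434-1e83-84c7-33c2a7edff3b
       (I) Name                            : "HR-Portal"
       (C) Desc                            : "HR portal applications"
 35-CA.SM::Domain@03-0007d915-f793-1ed5-8710-83d2a7edff3b
       (I) Name                            : "Sales"
       (C) Desc                            : "Sales realm and policies"'

# find_domain_xid NAME: reads the search listing on stdin, prints the XID of
# the domain whose (I) Name equals NAME, or nothing if it is not listed.
find_domain_xid() {
    awk -v want="$1" '
        /CA\.SM::Domain@/ {               # object line: "<n>-CA.SM::Domain@03-..."
            xid = $0; sub(/^[ 0-9]*-/, "", xid)
        }
        /\(I\) Name/ {                    # attribute line: (I) Name : "..."
            name = $0
            sub(/^[^"]*"/, "", name); sub(/"[^"]*$/, "", name)
            if (name == want) { print xid; exit }
        }'
}

# validate_domain_xid XID: 0 if it matches the shape of the Domain XIDs on this page.
validate_domain_xid() {
    printf '%s\n' "$1" |
        grep -Eq '^CA\.SM::Domain@03-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# build_export_cmd FILE XID EXISTS_ON_TARGET(yes|no): prints the step 2 command.
# The command is printed, not executed, so it can be reviewed before use.
build_export_cmd() {
    validate_domain_xid "$2" || { echo "bad Domain XID: $2" >&2; return 1; }
    case "$3" in
        yes) mode=-xo-overlay ;;          # domain already present on the target
        no)  mode=-xo-add ;;              # domain not yet present on the target
        *)   echo "third argument must be yes or no" >&2; return 1 ;;
    esac
    printf './XPSExport %s %s %s -npass\n' "$1" "$mode" "$2"
}

# Demo on the constructed listing; on a real server, save the XPSExplorer
# output to a file and pipe that file into find_domain_xid instead.
xid=$(printf '%s\n' "$SAMPLE_SEARCH" | find_domain_xid Sales)
build_export_cmd Sales_domain.xml "$xid" no
```

Feeding the printed command to a shell is a separate, deliberate step; keeping the export and import commands reviewable matters because an -xo-overlay import replaces the domain object on the target.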

In the same way, the command below can be used to import policies.

./SiteminderPoliciesImport.sh filename


Please feel free to contact me if you need any help with this.