Hello everyone,
In this tutorial we will see how to protect a web application running on Apache.
In my previous article we saw how to protect a web application / site under IIS.
On the SiteMinder side the procedure is exactly the same:
- Create the agent
- Create the ACO
- Create the Domain / Realm
The only thing that differs is the installation and configuration of the agent on Linux.
Important!
For everything related to creating the agent, the ACO, and the domain / realm or application, see my previous article: HERE
In this tutorial I will therefore use an Apache (HTTPD) server on CentOS 6.
Warning!
CAUTION: CentOS is not officially supported by the SiteMinder Web Agent; not having a Red Hat machine at hand, I went with CentOS.
In this tutorial I already have a web server in place, as with IIS, with an unsecured page at this address:
http://apache-server.smdomain.local/
and a secured page at this address: http://apache-server.smdomain.local/secure/
I will not explain how to configure Apache here; there are millions of tutorials on the subject on the net.
Installing the SiteMinder Web Agent is done in two steps:
- Installation
- Configuration
Installing the agent
Download the agent from the CA site; for this tutorial I downloaded this one:
CA SiteMinder Web Agent r12.52 SP1-for Linux-x86-64-ESD Only
Upload the installation file (.bin file) to your server
And launch the installation like this:
[root@apache-server ~]# chmod +x ca-wa-12.52-sp01-linux-x86-64.bin
[root@apache-server ~]# ./ca-wa-12.52-sp01-linux-x86-64.bin
The installation starts
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
Graphical installers are not supported by the VM. The console mode will be used instead...
===============================================================================
CA SiteMinder Web Agent (created with InstallAnywhere)
-------------------------------------------------------------------------------
Preparing CONSOLE Mode Installation...
===============================================================================
Introduction
------------
InstallAnywhere will guide you through the installation of CA SiteMinder Web Agent.
It is strongly recommended that you quit all programs before continuing with this installation.
Respond to each prompt to proceed to the next step in the installation. If you want to change something on a previous step, type 'back'.
You may cancel this installation at any time by typing 'quit'.
PRESS <ENTER> TO CONTINUE:
===============================================================================
License Agreement
-----------------
Installation and use of CA SiteMinder Web Agent requires acceptance of the following License Agreement:
............
............
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): Y
Accept the license and continue the installation
===============================================================================
Choose Install Location
-----------------------
Specify a location for the Web Agent. If the path does not contains the word "webagent," the installation program will create a folder called "webagent" and appends it to the end of your path.
Where would you like to install?
Default Install Folder: /root/CA/webagent
ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT : /opt/CA/webagent
INSTALL FOLDER IS: /opt/CA/webagent
IS THIS CORRECT? (Y/N): y
===============================================================================
Pre-Installation Summary
------------------------
Please Review the Following Before Continuing:
Product Name: CA SiteMinder Web Agent
Install Folder: /opt/CA/webagent
Disk Space Information (for Installation Target):
Required: 305,109,719 Bytes
Available: 26,258,534,400 Bytes
PRESS <ENTER> TO CONTINUE:
===============================================================================
Installing...
-------------
[==================|==================|==================|==================]
[------------------|------------------|------------------|------------------]
===============================================================================
Install Complete
----------------
Congratulations. CA SiteMinder Web Agent has been successfully installed to:
/opt/CA/webagent
To configure the web agent, run the command /opt/CA/webagent/install_config_info/ca-wa-config.bin
PRESS <ENTER> TO EXIT THE INSTALLER:
Configuring the agent
Once the installation is finished you need to configure the agent; to launch the configuration, type the following commands:
[root@apache-server]# . /opt/CA/webagent/ca_wa_env.sh
[root@apache-server]# /opt/CA/webagent/ca-wa-config.sh
The configuration utility starts
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
Graphical installers are not supported by the VM. The console mode will be used instead...
===============================================================================
CA SiteMinder Web Agent Configuration (created with InstallAnywhere)
-------------------------------------------------------------------------------
Preparing CONSOLE Mode Installation...
===============================================================================
Host Registration
-----------------
Select '1' to register this Agent with the Policy Server. Select '2' to register later.
Note: You cannot select choice 1 and 2 at the same time.
->1- Yes, I would like to do Host Registration now.
2- No, I would like to do Host Registration later.
ENTER A COMMA-SEPARATED LIST OF NUMBERS REPRESENTING THE DESIRED CHOICES, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1
===============================================================================
Admin Registration
------------------
Enter the name of an administrator who has the right to register trusted hosts with the Policy Server. This entry must match the name of an administrator defined in the Policy Server.
Admin User Name (DEFAULT: ): siteminder
Enable Shared Secret Rollover (y/n) (DEFAULT: n): n
===============================================================================
Admin Registration
------------------
Enter the password of an administrator who has the right to register trusted hosts with the Policy Server.
This entry must match the name of an administrator defined in the Policy Server.:
===============================================================================
Confirm Admin Password:
===============================================================================
Trusted Host Name and Configuration Object
------------------------------------------
Specify the name of the host you want to register with the Policy Server. Enter the name of the host configuration object. The name must match a host configuration object name already defined on the Policy Server.
Trusted Host Name (DEFAULT: ): apache-server
Host Configuration Object (DEFAULT: ): MasterHost
===============================================================================
Policy Server IP Address
------------------------
Enter the IP Address of the Policy Server where you are registering this host. Multiple IP addresses must seperate by comma. The IP address should be in the form <server_address:port>, where the port represents a Policy Server behind the firewall.
For example:
(IPv4) 111.12.12.2:1234 or myserver:1234
(IPv6) [2001:db8::1428:57ab]:1234 or [2001:db8::1428:57ab] or 2001:db8::1428:57ab
NOTE: Include the port number in the IP address only if your Policy Server is behind a firewall.
Policy Server IP Address (DEFAULT: ): 192.168.2.71
===============================================================================
FIPS Mode Setting
-----------------
The use of FIPS-compliant algorithms is optional.If your organization does not require the use of FIPS-compliant algorithms, leave FIPS Compatibility Mode selected.If they are required, select either FIPS Migration Mode or FIPS Only Mode. For more information about selecting the appropriate mode, see the Web Agent Installation Guide.
->1- FIPS Compatibility Mode
2- FIPS Migration Mode
3- FIPS Only Mode
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1
===============================================================================
Host Configuration file location
--------------------------------
Enter a file name and location to store Host Configuration information or accept the default location /opt/CA/webagent/config and filename SmHost.conf.
Enter file name (DEFAULT: SmHost.conf):
Enter location (DEFAULT: /opt/CA/webagent/config):
===============================================================================
Select Web Server(s)
--------------------
Select which Web Server(s) you want to configure as a Web Agent. You will have to enter a path for each selected web server.
Note: If you have an Apache-based Web server, please select the Apache Web Server option.
1- Apache Web Server
2- Domino Web Server
->3- iPlanet or Sun ONE Web Server
ENTER A COMMA-SEPARATED LIST OF NUMBERS REPRESENTING THE DESIRED CHOICES, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1
===============================================================================
Apache Web Server path
----------------------
Enter the root path of where Apache Web server installed.
Please enter path (DEFAULT: ): /etc/httpd
===============================================================================
Apache Version
--------------
Please select a choice for the Apache version.
1- Apache version 1.x
2- Apache version 2.x
3- Apache version 2.2.x
4- Apache version 2.4.x
ENTER THE NUMBER OF THE DESIRED CHOICE: 3
===============================================================================
Apache Server Type
------------------
Please select one of the following appropriately match your previous selection
->1- Oracle HTTP Server
2- IBM HTTP Server
3- HP Apache
4- ASF/RedHat Apache
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 4
===============================================================================
Select Web Server(s)
--------------------
1- [] Apache 2.2.15
Select the web server(s) you wish to preserve or configure/reconfigure as Web Agent(s). Enter a comma-separated list of numbers representing the desired choices. Already configured web servers are marked as [x] in the above list, you can un-configure or skip these web servers in next steps by not listing them in comma-separated list here.: 1
===============================================================================
Agent Configuration Object
--------------------------
Enter the name of an Agent Configuration Object that defines the configuration parameters which the Web Agent will use for Apache 2.2.15.
Agent Configuration Object (DEFAULT: AgentObj): apache_agent_aco
===============================================================================
SSL Authentication
------------------
The following SSL configurations are available for this web server. If the Web Agent will be providing advanced authentication, select which configuration it will use to configure Apache 2.2.15.
->1- HTTP Basic over SSL
2- X509 Client Certificate
3- X509 Client Certificate and HTTP Basic
4- X509 Client Certificate or HTTP Basic
5- X509 Client Certificate or Form
6- X509 Client Certificate and Form
7- No advanced authentication
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 7
===============================================================================
Webagent Enable option
----------------------
Please select Yes to Enable the WebAgent
1- Yes
->2- No
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1
===============================================================================
Web Server Configuration Summary
--------------------------------
Please confirm the configuration selection. Accept the configuration and press 'Enter' to continue. To change one or more settings, select 'Previous'. Select 'Cancel' will exit the configuration.
Configure the following webserver(s):
Apache Server: Apache 2.2.15
Agent Configuration Object: apache_agent_aco
SSL Authentication type: No advanced authentication
IS WebAgent Enabled: YES
Please enter a choice.
->1- Continue
2- Previous
3- Cancel
ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1
===============================================================================
Installing...
-------------
[==================|==================|==================|==================]
[------------------|------------------|------------------|------------------]
===============================================================================
Configuration Complete
----------------------
Congratulations! CA SiteMinder Web Agent Configuration has been successfully configured.
PRESS <ENTER> TO EXIT THE INSTALLER:
Once the agent is installed, edit the file /etc/init.d/httpd like this:
# Source function library.
. /etc/rc.d/init.d/functions
# Add this line
. /opt/CA/webagent/ca_wa_env.sh
Finally, restart Apache with the command:
/etc/init.d/httpd restart
You can now access your protected resource through your Apache server.
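A post-install check for the steps above, as an added example that is not part of the original tutorial: it verifies that the init script sources ca_wa_env.sh, that SmHost.conf grants nothing to other users, and that /secure/ is not served to an anonymous request. The paths and URL are the ones used in this tutorial; the function names, the permission policy and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Paths and URL are the ones
# used above; function names and the permission policy are assumptions.
ENV_SCRIPT=/opt/CA/webagent/ca_wa_env.sh
INIT_SCRIPT=/etc/init.d/httpd
SMHOST=/opt/CA/webagent/config/SmHost.conf
SECURE_URL=http://apache-server.smdomain.local/secure/

# 0 if init script $1 sources env script $2 on an uncommented line.
init_sources_env() {
    awk -v p="$2" '($1 == "." || $1 == "source") && $2 == p { found = 1 }
                   END { exit !found }' "$1"
}

# 0 if file $1 exists and grants no permission bits to "other".
no_other_access() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c8-10)
    [ "$perms" = "---" ]
}

# 0 if an unauthenticated GET of $1 is not answered with HTTP 200
# (needs curl and network access to the web server).
denies_anonymous() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1") || return 2
    [ "$code" != "200" ]
}

# Run all three checks and report each failure; returns 0 only if all pass.
run_checks() {
    rc=0
    init_sources_env "$INIT_SCRIPT" "$ENV_SCRIPT" \
        || { echo "FAIL: $INIT_SCRIPT does not source $ENV_SCRIPT"; rc=1; }
    no_other_access "$SMHOST" \
        || { echo "FAIL: $SMHOST is missing or accessible to other users"; rc=1; }
    denies_anonymous "$SECURE_URL" \
        || { echo "FAIL: $SECURE_URL answered anonymously or is unreachable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: agent wiring looks consistent"
    return "$rc"
}

# Checks run only when requested, e.g.: sh check_agent.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it as root on the web server after the restart; a redirect or a 401 from /secure/ counts as protected, a plain 200 does not.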