
May 02 2015

[Tutorial] IAM: Protecting an Apache Application with Siteminder

Hello everyone,

In this tutorial we will see how to protect a web application running on Apache.

In my previous article we saw how to protect an application or website running on IIS.

On the Siteminder side, the procedure is exactly the same:

  • Create the agent
  • Create the ACO
  • Create the Domain / Realm

The only thing that differs is the installation and configuration of the agent on Linux.

In this tutorial I will therefore use an Apache (HTTPD) server on CentOS 6.


For this tutorial I already have a web server in place, as with IIS, with an unsecured page at this address:

http://apache-server.smdomain.local/

and a secured page at this address: http://apache-server.smdomain.local/secure/

I will not explain how to configure Apache here; there are millions of tutorials on the subject online.

The Siteminder WebAgent is installed in two steps:

  • Installation
  • Configuration

Installing the agent

Download the agent from the CA site; for this tutorial I downloaded this one:

CA SiteMinder Web Agent r12.52 SP1-for Linux-x86-64-ESD Only

Upload the installation file (a .bin file) to your server.

Then launch the installation like this:

[root@apache-server ~]# chmod +x ca-wa-12.52-sp01-linux-x86-64.bin
[root@apache-server ~]# ./ca-wa-12.52-sp01-linux-x86-64.bin

The installation starts:

Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...

Launching installer...

Graphical installers are not supported by the VM. The console mode will be used instead...

===============================================================================
CA SiteMinder Web Agent                          (created with InstallAnywhere)
-------------------------------------------------------------------------------

Preparing CONSOLE Mode Installation...

===============================================================================
Introduction
------------

InstallAnywhere will guide you through the installation of CA SiteMinder Web
Agent.

It is strongly recommended that you quit all programs before continuing with
this installation.

Respond to each prompt to proceed to the next step in the installation.  If you
want to change something on a previous step, type 'back'.

You may cancel this installation at any time by typing 'quit'.

PRESS <ENTER> TO CONTINUE:

===============================================================================
License Agreement
-----------------

Installation and use of CA SiteMinder Web Agent requires acceptance of the
following License Agreement:
............

............
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): Y

Accept the license and continue the installation:

===============================================================================
Choose Install Location
-----------------------

Specify a location for the Web Agent.  If the path does not contains the word
"webagent," the installation program will create a folder called "webagent" and
appends it to the end of your path.

Where would you like to install?

  Default Install Folder: /root/CA/webagent

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
      : /opt/CA/webagent

INSTALL FOLDER IS: /opt/CA/webagent
   IS THIS CORRECT? (Y/N): y

===============================================================================
Pre-Installation Summary
------------------------

Please Review the Following Before Continuing:

Product Name:
    CA SiteMinder Web Agent

Install Folder:
    /opt/CA/webagent

Disk Space Information (for Installation Target):
    Required:  305,109,719 Bytes
    Available: 26,258,534,400 Bytes

PRESS <ENTER> TO CONTINUE:

===============================================================================
Installing...
-------------

 [==================|==================|==================|==================]
 [------------------|------------------|------------------|------------------]

===============================================================================
Install Complete
----------------

Congratulations. CA SiteMinder Web Agent has been successfully installed to:

/opt/CA/webagent

To configure the web agent, run the command
/opt/CA/webagent/install_config_info/ca-wa-config.bin

PRESS <ENTER> TO EXIT THE INSTALLER:

Configuring the agent

Once the installation is complete, you need to configure the agent. To launch the configuration, run the following commands:

[root@apache-server]# . /opt/CA/webagent/ca_wa_env.sh
[root@apache-server]# /opt/CA/webagent/ca-wa-config.sh

The configuration utility starts:

Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...

Launching installer...

Graphical installers are not supported by the VM. The console mode will be used instead...

===============================================================================
CA SiteMinder Web Agent Configuration            (created with InstallAnywhere)
-------------------------------------------------------------------------------

Preparing CONSOLE Mode Installation...

===============================================================================
Host Registration
-----------------

Select '1' to register this Agent with the Policy Server.

Select '2' to register later.

Note:  You cannot select choice 1 and 2 at the same time.

  ->1- Yes, I would like to do Host Registration now.
    2- No, I would like to do Host Registration later.

ENTER A COMMA-SEPARATED LIST OF NUMBERS REPRESENTING THE DESIRED CHOICES, OR
   PRESS <ENTER> TO ACCEPT THE DEFAULT: 1

===============================================================================
Admin Registration
------------------

Enter the name of an administrator who has the right to register trusted hosts
with the Policy Server.

This entry must match the name of an administrator defined in the Policy
Server.

Admin User Name (DEFAULT: ): siteminder

Enable Shared Secret Rollover (y/n) (DEFAULT: n): n

===============================================================================
Admin Registration
------------------

Enter the password of an administrator who has the right to register trusted
   hosts with the Policy Server. This entry must match the name of an
   administrator defined in the Policy Server.:

===============================================================================

Confirm Admin Password:

===============================================================================
Trusted Host Name and Configuration Object
------------------------------------------

Specify the name of the host you want to register with the Policy Server.

Enter the name of the host configuration object.  The name must match a host
configuration object name already defined on the Policy Server.

Trusted Host Name (DEFAULT: ): apache-server

Host Configuration Object (DEFAULT: ): MasterHost

===============================================================================
Policy Server IP Address
------------------------

Enter the IP Address of the Policy Server where you are registering this host.

  Multiple IP addresses must seperate by comma.  The IP address should be in
the form <server_address:port>, where the port represents a Policy Server
behind the firewall.

For example:

(IPv4)
111.12.12.2:1234 or myserver:1234

(IPv6)
[2001:db8::1428:57ab]:1234 or [2001:db8::1428:57ab] or 2001:db8::1428:57ab

NOTE:  Include the port number in the IP address only if your Policy Server is
behind a firewall.

Policy Server IP Address (DEFAULT: ): 192.168.2.71

===============================================================================
FIPS Mode Setting
-----------------

The use of FIPS-compliant algorithms is optional.If your organization does not
require the use of FIPS-compliant algorithms, leave FIPS Compatibility Mode
selected.If they are required, select either FIPS Migration Mode or FIPS Only
Mode. For more information about selecting the appropriate mode, see the Web
Agent Installation Guide.

  ->1- FIPS Compatibility Mode
    2- FIPS Migration Mode
    3- FIPS Only Mode

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

===============================================================================
Host Configuration file location
--------------------------------

Enter a file name and location to store Host Configuration information or
accept the default location /opt/CA/webagent/config and filename SmHost.conf.

Enter file name (DEFAULT: SmHost.conf):

Enter location (DEFAULT: /opt/CA/webagent/config):

===============================================================================
Select Web Server(s)
--------------------

Select which Web Server(s) you want to configure as a Web Agent.

You will have to enter a path for each selected web server.

Note:   If you have an Apache-based Web server, please select the Apache Web
Server option.

    1- Apache Web Server
    2- Domino Web Server
  ->3- iPlanet or Sun ONE Web Server

ENTER A COMMA-SEPARATED LIST OF NUMBERS REPRESENTING THE DESIRED CHOICES, OR
   PRESS <ENTER> TO ACCEPT THE DEFAULT: 1

===============================================================================
Apache Web Server path
----------------------

Enter the root path of where Apache Web server installed.

Please enter path (DEFAULT: ): /etc/httpd

===============================================================================
Apache Version
--------------

Please select a choice for the Apache version.

    1- Apache version 1.x
    2- Apache version 2.x
    3- Apache version 2.2.x
    4- Apache version 2.4.x

ENTER THE NUMBER OF THE DESIRED CHOICE: 3

===============================================================================
Apache Server Type
------------------

Please select one of the following appropriately match your previous selection

  ->1- Oracle HTTP Server
    2- IBM HTTP Server
    3- HP Apache
    4- ASF/RedHat Apache

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 4

===============================================================================
Select Web Server(s)
--------------------

    1- [] Apache 2.2.15

Select the web server(s) you wish to preserve or configure/reconfigure as
   Web Agent(s). Enter a comma-separated list of numbers representing the
   desired choices. Already configured web servers are marked as [x] in the
   above list, you can un-configure or skip these web servers in next steps by
   not listing them in comma-separated list here.: 1

===============================================================================
Agent Configuration Object
--------------------------

Enter the name of an Agent Configuration Object that defines the configuration
parameters which the Web Agent will use for Apache 2.2.15.

Agent Configuration Object (DEFAULT: AgentObj): apache_agent_aco

===============================================================================
SSL Authentication
------------------

The following SSL configurations are available for this web server.  If the Web
Agent will be providing advanced authentication, select which configuration it
will use to configure Apache 2.2.15.

  ->1- HTTP Basic over SSL
    2- X509 Client Certificate
    3- X509 Client Certificate and HTTP Basic
    4- X509 Client Certificate or HTTP Basic
    5- X509 Client Certificate or Form
    6- X509 Client Certificate and Form
    7- No advanced authentication

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 7

===============================================================================
Webagent Enable option
----------------------

Please select Yes to Enable the WebAgent

    1- Yes
  ->2- No

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

===============================================================================
Web Server Configuration Summary
--------------------------------

Please confirm the configuration selection.  Accept the configuration and press
'Enter' to continue.  To change one or more settings, select 'Previous'.
Select 'Cancel' will exit the configuration.

Configure the following webserver(s):
Apache Server:
Apache 2.2.15
Agent Configuration Object: apache_agent_aco
SSL Authentication type: No advanced authentication

IS WebAgent Enabled:  YES

Please enter a choice.

  ->1- Continue
    2- Previous
    3- Cancel

ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS <ENTER> TO ACCEPT THE
   DEFAULT: 1

===============================================================================
Installing...
-------------

 [==================|==================|==================|==================]
 [------------------|------------------|------------------|------------------]

===============================================================================
Configuration Complete
----------------------

Congratulations! CA SiteMinder Web Agent Configuration has been successfully
configured.

PRESS <ENTER> TO EXIT THE INSTALLER:

Once the agent is installed, edit the file /etc/init.d/httpd as follows:

# Source function library.
. /etc/rc.d/init.d/functions
# Add this line
. /opt/CA/webagent/ca_wa_env.sh

Finally, restart Apache with the command:

/etc/init.d/httpd restart

You can now access your protected resource through your Apache server.
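
The last steps above (sourcing ca_wa_env.sh from the init script, then checking that /secure/ is really protected) can be scripted. The following is an added example, not part of the original tutorial or of CA's tooling: the function names are hypothetical, and the status-code mapping assumes the agent answers an anonymous request with 401, 302 or 403 depending on the realm's authentication scheme.

```shell
#!/bin/bash
# Added example (hypothetical function names; paths/URLs from this page).
ENV_LINE='. /opt/CA/webagent/ca_wa_env.sh'
ANCHOR='. /etc/rc.d/init.d/functions'

# Add ENV_LINE right after the functions include, once only (idempotent).
patch_init_script() {
    local f="$1"
    grep -qxF -- "$ENV_LINE" "$f" && return 0      # already patched
    grep -qxF -- "$ANCHOR" "$f" || return 2        # anchor line not found
    cp -p "$f" "$f.bak" || return 1                # keep a backup
    awk -v a="$ANCHOR" -v add="$ENV_LINE" '{ print } $0 == a { print add }' \
        "$f.bak" > "$f"
}

# SmHost.conf holds the host registration data: fail if "other" users
# have any access to it (last octal digit of the mode is not 0).
check_conf_perms() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Verdict for the HTTP status of an anonymous request.
# Assumption: the agent challenges (401), redirects to a login page (302)
# or denies (403), depending on the realm's authentication scheme.
classify_status() {
    case "$1" in
        200)         echo OPEN ;;
        401|302|403) echo ENFORCED ;;
        *)           echo CHECK ;;
    esac
}

check_url() {
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || code=000
    classify_status "$code"
}

if [ "${1:-}" = "--run" ]; then
    patch_init_script /etc/init.d/httpd || echo "init script not patched"
    check_conf_perms /opt/CA/webagent/config/SmHost.conf || echo "SmHost.conf open to others"
    echo "public page (expect OPEN):     $(check_url http://apache-server.smdomain.local/)"
    echo "secure page (expect ENFORCED): $(check_url http://apache-server.smdomain.local/secure/)"
fi
```

Run it as root with `--run` on the Apache server; a verdict of OPEN for /secure/ means the page is being served without the agent enforcing the realm.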
