{"id":56,"date":"2011-11-25T02:10:26","date_gmt":"2011-11-25T07:10:26","guid":{"rendered":"http:\/\/wichitasao.wordpress.com\/?p=56"},"modified":"2022-03-09T00:40:34","modified_gmt":"2022-03-09T05:40:34","slug":"siteminder-agent-for-sharepoint-2010","status":"publish","type":"post","link":"https:\/\/www.shiftedthought.com\/?p=56","title":{"rendered":"Siteminder Agent for SharePoint 2010"},"content":{"rendered":"<p>A relatively new offering from CA is the SiteMinder Agent for SharePoint 2010.\u00a0 I&#8217;ve had the &#8220;privilege&#8221; of working with this product and while I&#8217;m impressed with its integration and what it does, be warned, you will need some patience and to be well versed in working on multiple web platforms.<\/p>\n<p>I say this because the installation and configuration is a mashup of vanilla Apache, Tomcat, multiple different SSL tools, some proprietary CA configurations (that are not yet well documented), and all of the usual SharePoint tools (IIS\/PowerShell\/Claims Based authentication).<\/p>\n<p>From my own experience with SiteMinder, it is very much a Unix-targeted product.\u00a0 As such it is not surprising that it relies on Unix&#8217;s web server heavy hitters, Apache and Tomcat.\u00a0 Tomcat is capable of running as an independent web server, or can have traffic routed to it from another web server such as Apache.\u00a0 In the case of the SiteMinder Agent, it is doing double duty as it uses both modes.<\/p>\n<p>For this reason, if you are a SharePoint administrator seeking to implement the SiteMinder agent, it&#8217;s time to get very familiar with these technologies as well.\u00a0 Important things to pay attention to if you are a straight IIS admin:<\/p>\n<p>1) Configuration files are case sensitive.\u00a0 If in doubt, copy and paste your paths.<br \/>\n2) Paths may either require forward slashes where backslashes are usually used in Windows, or they may need to be escaped backslashes.\u00a0 This depends on which configuration file 
you&#8217;re editing, so pay attention.<br \/>\n3) Get comfortable with a command prompt and Notepad (I highly suggest choosing PowerShell over the vanilla command prompt for autocomplete goodness)<\/p>\n<p>We decided to implement SSL, which doubled our complexity.\u00a0 Additional skills needed here:<\/p>\n<p>1) Familiarity with openssl command line tools.\u00a0 These will handle your certificates for the SiteMinder Apache httpd server<br \/>\n2) Familiarity with Java&#8217;s keytool.\u00a0 This will handle your certificates for the Tomcat server.<br \/>\n3) Windows certificates, and SharePoint&#8217;s Trust store.<br \/>\n4) A good understanding of SSL\/TLS, the handshake and client authentication for troubleshooting.<\/p>\n<p>Quick note about #3: any SSL service that SharePoint is going to connect to must have the destination&#8217;s SSL certificate (or its CA) added to the SharePoint trust store.\u00a0 It does not use the Windows certificate store to trust remote servers.\u00a0 But, you&#8217;ll still need to be comfortable with working with the Windows certificate store in order to install and grant your IIS apps access to SSL certificates.\u00a0 This is to identify your servers to remote machines.\u00a0 Why they moved the trust store within SharePoint while still requiring knowledge of the Windows Certificate store for its own identification is beyond me.<\/p>\n<p>Quick note about #4: out of the box, one of the services that comes with the Agent for SharePoint requires client SSL authentication.\u00a0 That is, any server (WFE) attempting to connect to the agent must submit its own SSL certificate and the agent must trust and handshake with it.\u00a0 You can turn this off on the agent side, but it is an added level of security to prevent unauthorized access to your directory of users.<\/p>\n<p>At the end of the day, the CA SiteMinder Agent for SharePoint 2010 is not a small undertaking, so be sure you are familiar with the tools that will 
need to be used.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A relatively new offering from CA is the SiteMinder Agent for SharePoint 2010.\u00a0 I&#8217;ve had the &#8220;privilege&#8221; of working with this product and while I&#8217;m impressed with its integration and what it does, be warned, you will need some patience and to be well versed in working on multiple web platforms. I say this because &hellip; <a href=\"https:\/\/www.shiftedthought.com\/?p=56\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Siteminder Agent for SharePoint 2010<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[20,3],"tags":[],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-archive","category-sharepoint"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p28JZm-U","_links":{"self":[{"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":1,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\
/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":529,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/529"}],"wp:attachment":[{"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shiftedthought.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}