Configuring reverse-proxy access to EAServer

To support Netegrity single sign-on in your application, you must configure a compatible reverse-proxy server. EAServer has been tested with the Apache Web server running as a reverse-proxy with the Netegrity Web Agent installed. See the Netegrity SiteMinder Web Agent Installation Guide and Web Agent Guide for instructions on configuring Apache to run with the Netegrity Web Agent installed.

Reverse-proxy access requires the additional Policy Server settings described below.

Policy Server configuration for reverse-proxy server access

Use the Netegrity Policy Server User Interface Console to perform the following steps. For detailed instructions on each step, see the Netegrity documentation.

  1. Create a new Web agent to represent the proxy server, for example, ApacheAgent.

  2. Create an Agent Conf object for the proxy server agent. Highlight the ApacheDefaultSettings object, then create a new object from it. Set the DefaultAgentName parameter to match the name of the Web agent created in step 1, for example, “ApacheAgent”.

  3. Create a Host Conf object for the proxy server. Highlight the DefaultHostSettings object, then create a new object from it. Configure the Policy Server IP address and listener ports to match your installation.

  4. Configure authentication schemes to match your Netegrity configuration scenario. For user name/password access, configure a scheme that uses BASIC or FORM authentication. For client certificate authentication, configure a scheme that uses X.509 template authentication. For FORM and X.509 schemes, configure the proxy server itself as the Server name setting.

  5. Create a new realm for the Web agent that represents the proxy server with these settings:

    1. For Agent, select the name of the Web agent, for example, “ApacheAgent”.

    2. Add “/” to the resource filter.

    3. For Default Resource Protection, select Unprotected.

    4. Select an appropriate authentication scheme.

  6. Create a rule named “All” in the realm with these settings:

    1. Set the resource to “*”.

    2. Select “Get, Post, Put” for the Web agent actions.

    3. Select Allow Access.

    4. Select Enabled.

  7. In the policy configuration, set up mappings for the All rule to include the client user names and certificate common names that are used in your application.

  8. To ensure the changes you have made take effect, flush the Policy Server cache.