Service Integration - SiteMinder Integration

Overview

When enabled for external authentication, MOVEit Transfer can interface with the CA eTrust SiteMinder product to provide single sign-on to a MOVEit Transfer server operating in a SiteMinder environment. Users who are already authenticated to SiteMinder can sign on to MOVEit Transfer without entering their credentials again.

This topic describes how to configure MOVEit Transfer and SiteMinder to allow MOVEit Transfer to function properly in a SiteMinder-integrated environment. For more details about configuring the SiteMinder Policy Server and Web Agents, see the documentation for these products.

Note: The SiteMinder integration feature, and these instructions, were developed for SiteMinder version 6.0 SP5.

Installing the SiteMinder Web Agent

Follow the steps indicated by the SiteMinder Web Agent installation guide. Enter valid administrative credentials for accessing the SiteMinder Policy Server. Enter a Trusted Host Name and a valid Host Configuration Object name (the object must already be defined on the Policy Server). Enter the IP address of the Policy Server. When prompted to select a Virtual Site to be configured, choose the web site that MOVEit Transfer was installed to. Finally, enter a valid Agent Configuration Object name (this object must also already be defined on the Policy Server) and choose to enable the Web Agent.

Configuring MOVEit Transfer for SiteMinder

Configuring MOVEit Transfer to integrate with SiteMinder simply involves enabling the SiteMinder Integration option through the web interface. This option may be found by signing on to MOVEit Transfer as a SysAdmin, and then finding the SiteMinder settings page under Settings | System | User Authentication. For details about the setting, see System - User Authentication.

After enabling this setting, note the SiteMinder Shared Secret value. SiteMinder must be configured to return this value to MOVEit Transfer as part of a Response object before MOVEit Transfer will trust the SiteMinder HTTP headers that the Web Agent injects into an authenticated and authorized request. Treat this value as a credential: it is what distinguishes headers injected by the Web Agent from headers a client could supply on its own, so it should be stored only in the Policy Server Response object and not recorded anywhere else.

Configuring SiteMinder for MOVEit Transfer

Best practice: Because MOVEit Transfer requires several allowances to be made in SiteMinder, create a separate Agent Configuration Object and a separate Realm or Sub-Realm in the SiteMinder Policy Server to protect the MOVEit Transfer server. This allows the following necessary changes to be made without loosening protection on other servers.

Ignore Localhost Requests

Several of the MOVEit Transfer file transfer mechanisms involve making requests from the local server back to itself. To allow these to function correctly, the SiteMinder Web Agent must be configured to ignore requests to the local computer. Depending on how your server is configured, this is done in one of the following ways:

Note: If the alias URL method is used, be aware that the MOVEit Transfer Checker program will not work unless it is configured to test the alias URL. You can change the test settings for Checker by clicking Options | Configure....

Ignore MOVEitISAPI Requests

Neither the ActiveX nor the Java-based MOVEit Wizard client is able to access and submit the SiteMinder identification cookies required to operate against a SiteMinder-protected website. Therefore, the MOVEitISAPI module that both clients use for file transfer operations must be exempted from SiteMinder protection for browser-based file transfers with the MOVEit Wizard clients to work. Such file transfers cannot be performed without an established MOVEit Transfer session, so the exemption should not pose a security risk to the server; note, however, that once the module is exempted, MOVEit Transfer's own session check is the only access control on that path, so the exemption should be scoped to exactly the resource filter given below and no wider.

To exempt the MOVEitISAPI module from SiteMinder protection, a Sub-Realm needs to be created under the Realm that protects the MOVEit Transfer server. This sub-realm should have a resource filter of moveitisapi/moveitisapi.dll and should be marked as Unprotected.

Add a Response Object

In order for MOVEit Transfer to trust the HTTP headers provided by the SiteMinder Web Agent, a special static header must be included that contains the shared secret value automatically generated by MOVEit Transfer when its SiteMinder Integration setting is enabled. This header can be added by creating a new Response object under the policy Domain that protects the MOVEit Transfer server. The new Response object must include a static WebAgent-HTTP-Header-Variable attribute with a variable name of SM_MOVEITDMZ_SHAREDSECRET (so that the full HTTP header name ends up being HTTP_SM_MOVEITDMZ_SHAREDSECRET), and a variable value equal to the MOVEit Transfer shared secret string. Once the Response object has been created, it will need to be added as a Response to the Rule which covers the MOVEit Transfer server in the appropriate domain Policy object.
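The following is an added illustration of why the shared-secret header matters; it is not MOVEit Transfer's code and does not reproduce how the product performs the check. It models the server variables IIS hands to an application (a plain dictionary here) and contrasts accepting the SiteMinder user header on its own with accepting it only when HTTP_SM_MOVEITDMZ_SHAREDSECRET carries the configured value. The variable name HTTP_SM_MOVEITDMZ_SHAREDSECRET comes from this page; HTTP_SM_USER is assumed to be the Web Agent's standard user header, and the secret value and sample requests are constructed for the example.

```python
import hmac
from typing import Mapping, Optional

# Server-variable names as an IIS application would see them.
# SECRET_HEADER is taken from the Response object configuration described above.
# USER_HEADER is an assumption: the SiteMinder Web Agent's standard user header.
SECRET_HEADER = "HTTP_SM_MOVEITDMZ_SHAREDSECRET"
USER_HEADER = "HTTP_SM_USER"


def siteminder_user_unsafe(headers: Mapping[str, str]) -> Optional[str]:
    """Trust the agent's user header with no shared-secret check.

    Any request that reaches the application with an SM_USER header is taken
    at face value. If a request can reach the application without passing
    through the Web Agent, the caller picks its own identity.
    """
    user = headers.get(USER_HEADER, "").strip()
    return user or None


def siteminder_user(headers: Mapping[str, str], shared_secret: str) -> Optional[str]:
    """Return the SiteMinder-asserted username only when the shared-secret
    header is present and equals the value configured in MOVEit Transfer.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes of a guessed secret happen to be correct.
    """
    presented = headers.get(SECRET_HEADER, "")
    if not presented:
        return None
    if not hmac.compare_digest(presented.encode("utf-8"),
                               shared_secret.encode("utf-8")):
        return None
    user = headers.get(USER_HEADER, "").strip()
    return user or None


# Constructed sample data. The secret is a placeholder, not a generated value.
CONFIGURED_SECRET = "example-shared-secret-value"

# Request that passed through the Web Agent: the Response object added the secret.
REQUEST_VIA_AGENT = {
    "HTTP_SM_USER": "jsmith",
    "HTTP_SM_MOVEITDMZ_SHAREDSECRET": "example-shared-secret-value",
    "REMOTE_ADDR": "203.0.113.10",
}

# Request where the client supplied its own SM_USER header and no agent was involved.
REQUEST_SPOOFED = {
    "HTTP_SM_USER": "sysadmin",
    "REMOTE_ADDR": "203.0.113.10",
}

# Request where the client also guessed at the secret header.
REQUEST_WRONG_SECRET = {
    "HTTP_SM_USER": "sysadmin",
    "HTTP_SM_MOVEITDMZ_SHAREDSECRET": "guess",
    "REMOTE_ADDR": "203.0.113.10",
}


if __name__ == "__main__":
    samples = [("via agent", REQUEST_VIA_AGENT),
               ("spoofed", REQUEST_SPOOFED),
               ("wrong secret", REQUEST_WRONG_SECRET)]
    for name, req in samples:
        print(f"{name:13s} unsafe={siteminder_user_unsafe(req)!s:10s} "
              f"checked={siteminder_user(req, CONFIGURED_SECRET)}")
```

Run as a script, the spoofed request yields a username under the unchecked function and None under the checked one, which is the behaviour the Response object is there to enforce. In a real deployment the check only helps if every path into the application other than the deliberately exempted ones passes through the Web Agent, since that is where the header is added.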

Providing Alternate Credentials

When configured to use an installed and working SiteMinder Web Agent, MOVEit Transfer no longer prompts users for credentials when they arrive at the MOVEit Transfer web browser interface. The username of the logged-in SiteMinder user will be used as the username for the MOVEit Transfer account as well.

As such, there is no direct way to sign on to MOVEit Transfer with a username other than the one used to authenticate to SiteMinder. If this becomes necessary (for example, to sign on as an administrator account with a different username), sign on to MOVEit Transfer as usual through SiteMinder, then append the following query string to the URL in the web browser:

?transaction=signoff&arg12=signon

These query string parameters instruct MOVEit Transfer to log off the current user account, and return the signon screen to the browser. From the signon screen, a different username and password can be entered. MOVEit Transfer uses the provided username and password to authenticate the user instead of the current SiteMinder information.