September 14, 2014

Single Sign On Integration with SDL Tridion and CA Siteminder


In today’s world most products, be it a financial product like a credit card, a media title or an electronics item, do not come from just one vendor but from collaboration between different partner companies. All partners play a unique role in marketing such a product and need access to the related data.

Practically, it is not possible to give all the partners access to the Active Directory or LDAP, and this is where SSO comes to the rescue: it enables all the partners to authenticate against a common policy server.
SDL Tridion can be easily integrated with SSO servers like CA Siteminder and IBM Tivoli.

The following figure describes the SSO flow up to authentication.
Fig: Flow Chart of SSO Request

Installation & Configuration: Setting up SSO requires a lot of configuration. The first step in configuring SSO for Tridion is installing the Siteminder agent on the CM server; it intercepts every request coming to the Tridion CMS and authorizes the user.
The web agent interacts with the Policy Server to authorize the user based on the credentials the user provided. Once authenticated, a unique user id is set in a header variable of each request, which Tridion then uses to identify the user if SSO is configured.
Authorization can be done at the Tridion CMS security level, where, based on business requirements, different access rights and permissions can be given to users on CMS items like publications.

Installing CA Siteminder agent on CMS server
  1. Execute ca-wa-12.5-cr02-win64.exe.
  2. Follow the instructions of the installation wizard.
  3. In the Host Registration dialog box, select ‘Yes’ to register a host and click Next.
  4. Complete the following fields in the Admin Registration dialog box (provide the required admin credentials), then click Next:
     • Admin User Name
     • Admin Password
     • Confirm Admin Password
     • Enable Shared Secret Rollover – unchecked
  5. In the Trusted Host Name and Configuration Object dialog box, enter the web server name as the trusted host name.
  6. In the Policy Server IP Address dialog box, enter the IP of the policy server or the policy server VIP.
  7. Choose FIPS Compatibility Mode (Default) and click Next.
  8. Accept the default location of the host configuration file, SmHost.conf, or click Choose to select a different location. Click Next.
  9. In the Select Web server(s) dialog box, select the option for Microsoft IIS 7.5 and click Next.
  10. Select the virtual sites (SDL Tridion 2011) that need to be configured with this web agent and click Next.
  11. Enter the ACO name <webserver>_agent_config and click Next.
  12. In the WebAgent Enable Option, check the YES box and click Next.
  13. In the Web Server Configuration Summary dialog box, confirm that the configuration settings are correct, then click Install.
  14. Click Done when the installation is complete. The system restarts.
Granting a user permission to modify encrypted configuration sections
  1. Open a command prompt and go to where PSTools is located.
  2. Run:    psexec -i -s cmd.exe
  3. This should open another new command prompt window.
  4. In the new command prompt window, navigate to where aspnet_regiis is (it should be in c:\Windows\Microsoft.Net\Framework64\v4.0.30319).
  5. Run:   aspnet_regiis -pa "TridionRsaKeyContainer" "Domain\UserName"
     Note: here domain and username are those of the user who is executing the CMR.
  6. Follow the same steps for the user NT AUTHORITY\IUSR.
Configuration Console:

Fig: SSO Configuration in CMS
Set the header name that will be used to retrieve the user name after authentication.

Some Useful links:

  • http://docs.sdl.com/LiveContent/content/en-US/SDL%20Tridion%202011%20SP1%20full%20documentation-v1/GUID-407B4F89-B8D0-4799-A16B-147D89B044F6
  • https://support.ca.com/cadocs/0/CA%20SiteMinder%20r6%200%20SP6-ENU/Bookshelf_Files/PDF/siteminder_wa_config_enu.pdf
Issues and Troubleshooting

In my previous experience with SSO, the unique user GUID that is set by Siteminder in the header of the response was not getting persisted and hence SSO was not working fine with Tridion. To resolve this issue one can try putting a custom HTTP module in the request pipeline and checking whether the GUID is getting persisted; in case it is not, you will have to explicitly set the header variable.
NOTE: One important point to take care of (especially if you are making entries manually in web.config): make sure that the web.config HTTP module entry for your custom HTTP module comes after the entry for CA Siteminder.

<add name="CASiteMinderWebagentModule" preCondition="integratedMode,bitness64" />
<add name="customhttpmodule" type="<>, Version=1.1.0.0, Culture=neutral, PublicKeyToken=<>" />
Another point worth noting is that we were not able to run the Tridion client applications like Template Builder and Content Porter using SSO, and hence they were explicitly set to Windows authentication.
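As an added example (not code from the original post), this is the kind of custom HTTP module the troubleshooting note describes, written to fail closed: it runs after the CA web agent and rejects any request whose SSO header is missing or does not carry a GUID, so a header that was not persisted shows up as a logged 401 instead of a silent identity problem. The header name SM_USER, the class name and the assumption that every request to the CMS site must carry the header are mine, not the post's.

```csharp
// Added example, not part of the original post. Assumed header name: SM_USER
// (use the name configured in the Tridion SSO Configuration Console instead).
using System;
using System.Diagnostics;
using System.Net;
using System.Web;

public class SsoHeaderCheckModule : IHttpModule
{
    // Assumption: the agent writes the user id into this request header.
    private const string HeaderName = "SM_USER";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after the agent module has run, provided
        // this module is registered after CASiteMinderWebagentModule in web.config.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string value = app.Request.Headers[HeaderName];

        if (!IsValidUserHeader(value))
        {
            // The GUID was not persisted: refuse the request rather than let
            // Tridion fall through to an anonymous or mismatched identity.
            Trace.TraceWarning("SSO header '{0}' missing or malformed for {1}",
                               HeaderName, app.Request.RawUrl);
            app.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            app.CompleteRequest();
        }
    }

    // Accepts only a well-formed GUID, the form the post says Siteminder sets.
    public static bool IsValidUserHeader(string value)
    {
        Guid parsed;
        return !string.IsNullOrWhiteSpace(value) && Guid.TryParse(value, out parsed);
    }

    public void Dispose() { }
}
```

Register it under system.webServer/modules after the CASiteMinderWebagentModule entry, as the note above requires; in IIS integrated mode, modules subscribed to the same pipeline event run in registration order.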

July 09, 2014

Content Porter - How it works

Content Porter (CP) is an integral part of SDL Tridion development, used to transfer content between DTAP environments. I have used it in various releases: 5.3 SP1, 2009, 2011 etc. It has been improved a lot in each of the releases. 2013 SP1 claims to be the fastest CP ever.

In the next few lines I will explain some internals of Content Porter.

The following tools/services are behind the import/export of a Content Porter package.
  • Content Porter Client
  • Import Export Service
  • Core Service
 1) Content Porter Client - this tool is generally downloaded to the client machine from the CM GUI interface.
It acts as a thin client for the user: it sends the user's selections/settings to the server and shows the progress of the import/export.

 2) Import Export Service - it is installed by running the Content Porter server setup. This is where the import/export happens. It basically groups and wraps different methods of the Core Service.

If you open http://CMSURL/ImportExportService/ImportExportService.asmx you will see some endpoints, and from their names you can figure out their use.

Another URL, http://CMSURL/ImportExportService/UploadPackage.aspx, is used to upload a package from the client to the server side.

 3) Core Service - it is installed as part of the Tridion CM installation. It is used by the Import/Export Service APIs to facilitate the import/export of content.

Export Process:

  1. The user selects the content to be exported.
  2. Those selections are sent to the Import/Export Service.
  3. The Import/Export Service calls Core Service APIs and the complete package is generated on the server file system.
  4. The progress is shown to the user in the CP client.
  5. Finally the exported package is sent back to the user's machine via the CP client.
Fig-1: Export Process

Import Process

  1. The user selects the package to be imported.
  2. The package is uploaded to the server with the help of the client and the Import/Export Service.
  3. The service extracts the package to a temp folder.
  4. The service reads the package.
  5. Then the items are updated in the CM DB using the Core Service.

Fig-2: Import Process

So in both cases (export/import) most of the work is performed on the server side, so it does not matter much from where you actually trigger Content Porter.

April 25, 2014

Deployer Extension Secrets in SDL Tridion

While migrating from 5.3 to 2011, I found an issue in a Deployer extension. My particular extension module was on top of the "deploy" action processor in Tridion 5.3, but the same did not work in 2011.

In 2011 the Deployer works in transactions, so whatever I was updating initially got updated in the DB, but it was not considered part of the transaction and on the final commit it was getting removed from the database.

I got to know about an optional attribute "Phase" on the Processor node, so I performed the following steps to configure my extension.

1) Copy and paste the existing Processor node with action Deploy/Undeploy depending upon your requirement.

2) <Processor Action="Deploy" Class="com.tridion.deployer.Processor" Phase="post-transaction">
        <!-- A Module is triggered by a Processor to process incoming instructions.
             The 'Type' attribute needs to be unique within a Processor and serves
             as a symbolic identifier. The 'Class' attribute defines the
             implementation used for any type of Module. Replace or add modules to
             implement custom Deployer behavior. -->
        <Module Type="CustomDeploy" Class="com.tridion.portal.Deploy">
        </Module>
   </Processor>
3) It is activated only after the transaction has committed its results.

4) Now there would be 3 processors in the cd_deployer.config file.

Possible values of Phase (I did not find a cd_deployer.schema to validate against):
  • pre-processing
  • processing
  • post-processing
  • pre-transaction
  • post-transaction


January 26, 2014

Recycle app pool on specific date time command line

Recycle/Reset an application pool (aka App pool) at a specific date and time from the command line

I have not found a direct solution for resetting an app pool at a specific date and time; you can use the following command to achieve it.

%windir%\system32\inetsrv\appcmd recycle apppool /apppool.name:rajMittal

You can put the above command in a batch file and schedule it using the Windows Task Scheduler.


Copyright 2010 All Rights Reserved