Relational Databases as a Policy or Key Store

Installation and Upgrade Guides › Policy Server Installation Guide › Configuring SiteMinder Data Stores in a Relational Database › Relational Databases as a Policy or Key Store

Relational Databases as a Policy or Key Store

The SiteMinder policy store is the repository for all policy–related information. All Policy Servers in a SiteMinder installation must share the policy store data, either directly or through replication. SiteMinder is installed with tools that let administrators move policy store data from one storage facility to another.

When you install the Policy Server, you can automatically configure one of the following relational databases as a policy store:

Microsoft SQL Server
Oracle RDBMS

Optionally, you can manually configure a policy store after installing the Policy Server. Affter you install the Policy Server, you can also use the Policy Server Management Console to point the Policy Server to an existing policy store.

Note: For a list of supported CA and third-party components, refer to the SiteMinder r12.5 Platform Support Matrix on the Technical Support site.

In addition to policy store support, you can use a relational database to store SiteMinder keys, audit logs, and session data.

More information:

Locate the Platform Support Matrix

Installation Road Map

The following diagram illustrates a sample SiteMinder installation and lists the order in which you install and configure each component.

A solid line surrounds the Policy Server, which is required before configuring a policy store. If a Policy Server is not part of your environment, install it before continuing.
The dotted line surrounds the policy store. Configure this component now.

The following figure depicts a single policy/key store instance. Although not illustrated, your environment can use separate instances for individual policy and key stores.

Graphic showing the installation roadmap for the policy store

Important Considerations

Consider the following issues before configuring a policy store:

Avoid possible policy store corruption. Be sure that the database server that is to host the policy store is configured to store objects in UTF-8 form:
- (Oracle) Be sure that the database is configured to store objects in UTF-8 form. Oracle supports unicode within many of their character sets.
- (SQL Server) Be sure that the database is configured using the default collation (SQL_Latin1_General_CP1_CI_AS). Using a collation that is case-sensitive can result in unexpected behaviors.
Do not use brackets around the IP address when using IPv6 ODBC data sources or the connection fails.
Example: Use fec0::9255:20c:29ff:fe47:8089 instead of [fec0::9255:20c:29ff:fe47:8089]

Default Policy Store Objects Consideration

When you configure a policy store, the following default policy store object files are available:

smpolicy.xml
smpolicy-secure.xml

Both files contain the default objects that the policy store requires.

If you use the Policy Server Configuration Wizard to configure the policy store automatically, the wizard only uses smpolicy.xml.
If you want to use smpolicy–secure.xml, configure the policy store manually.

Both files provide default security settings. These settings are available in the default Agent Configuration Object (ACO) templates that are available in the Administrative UI. The smpolicy-secure file provides more restrictive default security settings. Choosing smpolicy.xml does not limit you from using the more restrictive default security settings. You can modify the default ACO settings using the Administrative UI.

The following table summarizes the security settings for both files:

Parameter Name	smpolicy Values	smpolicy–secure Values
BadCssChars	No value	<, >, ', ;, ), (, &, +, %00
BadQueryChars	No value	<, >, ', ;, ), (, &, +, %00
BadUrlChars	//, ./, /., /, ., ~, \, %00-%1f, %7f-%ff, %25	smpolicy.smdif values plus: <, >, ', ;, ), (, &, +
EnableCookieProvider	Yes	No
IgnoreExt	.class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc	All smpolicy values.
LimitCookieProvider	No	Yes
ValidTargetDomain	This file does not include this parameter.	This parameter does not have a default value. Provide a valid redirection domain. Example: validtargetdomain=".example.com"

Schema Files for Relational Databases

SiteMinder provides schema files for configuring the following SiteMinder data stores:

policy store
key store
logging database
session store
sample users database

Note: The SiteMinder schema files are installed with the Policy Server. On a UNIX system, copy the schema files from siteminder_home/db/SQL directory to a temporary directory (C:\temp) on the Windows system where the database resides.

siteminder_home: Specifies the Policy Server installation path.