Policy Server Guides › Policy Server Configuration Guide › SiteMinder Administrators › How to Configure an External Administrator Store

How to Configure an External Administrator Store

Configure a connection to an external administrator store.

1. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, configure an agent to function with a reverse proxy server.
2. Review the external administrator store guidelines.
3. Review the SSL guidelines.
4. Depending on your store type, do one of the following tasks:
   • (LDAP) Gather directory server connection information.
   • (RDB) Gather database connection information.
5. (RDB) Deploy a Java Database Connectivity (JDBC) data source to the application server.
6. Depending on your store type, do one of the following tasks:
   • Configure an LDAP administrator store connection.
   • Configure an RDB administrator store connection.
7. (Optional) Migrate Legacy Administrator Administrative UI permissions.

External Administrator Store Guidelines

Before you configure an external administrator store connection, consider the following items:

Important! Discontinuing the use of the policy store as the source of administrator identities is permanent. Configuring an external administrator store only affects the Administrative UI that is configured to use the external store. Any other Administrative UI not yet configured to use the external store continues to use the policy store to identify administrators.

• Legacy Administrators, including the default super user account, can continue to perform the following actions:
  • Manage the Policy Management API
  • Function as a Trusted Host administrator
  • Use Policy Server tools
• Legacy Administrators, including the default super user account, can no longer manage objects with the Administrative UI.
• For Legacy Administrators who must continue using the Administrative UI, add these users to the external store (with your vendor-specific tools). Once the users reside in the external store, map the existing user paths from the policy store to the external store to reinstate these privileges.

  Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, the Policy Management API, and Trusted Host privileges simultaneously. If a Legacy Administrator must continue functioning in these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.

• A super user that you identify when configuring the connection to the external store replaces the default super user account. The external user becomes the super user and has maximum permissions in the Administrative UI and access to all Policy Server tools.

  Delegate permissions to new Administrators with external super user.

• If multiple Administrative UI instances are to use the same administrator authentication store, be sure to configure each connection using the same network identifier. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.

  Example: If you configured the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configured the first connection with comp001@example.com, create subsequent connections with comp001@example.com.

SSL Guidelines

If you are configuring the external administrator store connection over SSL, consider the following items:

• The directory server must be configured to communicate over SSL.

  Note: For more information about configuring the directory server for SSL, see your vendor–specific documentation.

• If you installed the Administrative UI using the stand–alone option, the Administrative UI is installed with an embedded certificate database.
• If you installed the Administrative UI to an existing application server infrastructure, implement a certificate database as required by your application server.

  Note: For more information about implementing a certificate database, see your vendor–specific documentation.

• Enter an SSL–enabled port when entering directory connection information. If you do not enter an SSL–enabled port, the Administrative Authentication wizard becomes unresponsive.

Gather Directory Server Information

If you are configuring a connection to a directory server, gather the following information:

• Host name—Identify the IP address or fully qualified domain name of the directory server host system.
• Port—Identify the port on which the directory server is listening.
• Directory server user credentials—Identify the user name and password of an account that has read/write permissions to the directory server.
• Search root—Identify the base DN of the directory server.
• SSL certificate—If the directory server is configured to communicate over an SSL connection, obtain the SSL certificate.

Gather Database Information

If you are configuring a connection to a database, gather the following information:

• Host name—Identify the name of the database host system.
• Port—Identify the port on which the database is listening.
• (Microsoft SQL Server) Database name—Identify the name of database.
• (Oracle) Service name—Identify the service name of the database.
• Database user credentials—Identify the credentials of a user account that has read/write permissions to the database.

  Important! If you are configuring a connection to Oracle, be sure to set the default schema for this user. The default schema must be the schema that is associated with the table that contains the administrative users. If you do not set the default schema for this user, the Administrative Authentication wizard cannot locate users in the database.

Deploy a JDBC Data Source

If you are configuring a connection to a relational database, the Administrative UI requires a JDBC data source to communicate with the administrator store. A utility is required to create the data source. If you installed the Administrative UI using the stand-alone option, the smjdbcsetup utility is provided for you.

Note: If you installed the Administrative UI to an existing application server, see your vendor-specific documentation for information about deploying a JDBC data source. If you are deploying a data source to WebSphere, verify that the JNDI name (under the datasource properties) begins with the following characters:

jdbc/

Example: If the datasource name is abc, then the JNDI name is jdbc/abc.

Follow these steps:

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.
3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjdbcsetup.bat
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjdbcsetup.sh
     

   The utility prompts you for a unique identifier. The utility appends the identifier to the data source.

5. Type a value and press Enter.

   The utility prompts you for a database driver type. The driver types are prefixed with a number.

6. Type a number to select a driver type and press Enter.

   The utility prompts you for the name of the database host system.

7. Type the database host name and press Enter.

   The utility prompts you for the port on which the database is listening.

8. Type the database port and press Enter.
   • If you are configuring a connection to Microsoft SQL Server, the utility prompts you for the database name.
   • If you are configuring a connection to Oracle, the utility prompts you for the service name.
9. Type the database name or the service name and press Enter.

   The utility prompts you for the database user account name.

10. Type the database user account name and press Enter.

    Note: This user account must have read/write permissions to the database.

    The utility prompts you for the password of the database user.

11. Type the password and press Enter.

    The connection details appear.

12. Review the details and do one of the following steps:
    • To configure and deploy the data source, type y and press Enter.

      The utility deploys the data source to admin_ui_home\CA\SiteMinder\adminui\server\default\deploy and prompts you to restart the CA SiteMinder® Administrative UI service.

      admin_ui_home

      Specifies the Administrative UI installation path.

      Note: Restarting the CA SiteMinder® Administrative UI service is required before you can use the data source to create the connection.

13. Start the service with one of the following steps:
    • (Windows) Type y and press Enter.
    • (UNIX) Type n and press Enter to start the service manually (automatic starts are not supported).

    The data source is configured and the utility exits.

Configure an LDAP Administrator Store Connection

Change the source of administrator identities from the policy store to the external store by configuring a connection.

Follow these steps:

1. Click Administration, Admin UI, Configure Administrative Authentication.
   • If you are configuring an external administrator store for the first–time, the Configure Administrative Authentication wizard appears.
   • If the Administrative UI is configured with an external administrator store, the connection details appear. Click OK to start the Configure Administrative Authentication wizard.
2. (Optional) To protect the Administrative UI with the product, pick an agent from the drop-down list and click Next.

   Be sure to select an agent that is configured with CA SiteMinder® SPS or an agent that is configured to function with a reverse proxy server.

3. Select a directory server vendor from the Directory type list and click Next.

   The wizard prompts you for connection details.

4. Do the following tasks:
   1. Type the IP address or the fully qualified domain name of the directory server host system in the Host field.

      Important! If multiple Administrative UI instances are to use the same administrator authentication store, take note of the network identifier you enter. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.

      Example: If you configure the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configure the first connection with comp001@example.com, create subsequent connections with comp001@example.com.

   2. Type the port on which the directory server is listening in the Port field.

      Important! If you are configuring the connection over SSL, enter an SSL–enabled port. If you do not, the Administrative Authentication wizard becomes unresponsive.

   3. (Optional) Select Use SSL and upload a Certificate Authority (CA) certificate to enable SSL communication between the Administrative UI and the administrator store.

      Note: The directory server must communicate over SSL. For more information about configuring the directory server for SSL, see your vendor–specific documentation.

   4. Type the common name and password of a directory server user in the respective fields.

      Note: This user must have read/write permissions to the directory server.

   5. Click Next.
5. Do the following tasks:
   1. Type the directory server search root in the Search Root field.
   2. Use the shuttle controls to add and remove the object classes that apply to the CA SiteMinder® administrators.
   3. Click Next.
6. Select the mnemonic attribute string that maps to each of the required attributes and click Next.

   The wizard prompts you to search for a user.

   Important! Do not point to any attribute that is used or written to by the LDAP or any other applications. If this situation happens, you are redirected to the /logout.jsp page and unable to log in to the Administrative UI.

7. Enter all or part of the user name in the Keywords field.
8. Select one user and click Next.

   Note: You can only select one user. This user becomes the superuser when the connection is configured.

9. Confirm the connection details and click Finish.

Important! Restart the application server manually before you log in with the new credentials of administrator.

Configure an RDB Administrator Store Connection

Change the source of administrator identities from the policy store to the external store by configuring the connection.

Follow these steps:

1. Click Administration, Admin UI, Configure Administrative Authentication.
   • If you are configuring an external administrator store for the first–time, the Configure Administrative Authentication wizard appears.
   • If the Administrative UI is configured with an external administrator store, the connection details appear. Click OK to start the Configure Administrative Authentication wizard.
2. (Optional) To protect the Administrative UI with the product, pick an agent from the drop-down list, and click Next.

   Pick an agent that is configured to function with a reverse proxy server.

3. Select one of the following items from the Directory type list:
   • If your user schema includes a column that identifies the full–name of users select the Relational Database (with full name column) template.
   • If the full–name of users must be calculated, select the Relational Database (without full name column) template.
4. Click Next.

   Note: If data sources do not appear, click Cancel and deploy a JDBC data source to the application server. You cannot create the connection without a deployed data source.

5. Select the data source and click Next.
6. Select the user table and click Next.
7. Do one of the following tasks:
   • If you selected the Relational Database (with full name column) template, pick the column name that maps to each of the required user attributes. Click Next.
   • If you selected the Relational database Database (no full name) template:
     1. Select the column name that maps to each of the required user attributes.
     2. Build the Get Full Name Query. Replace ##FIRST_NAME, ##LAST_NAME, and ##PRIMARY_KEY with the column name that maps to the respective user attribute.

        Note: Leave the question mark (?) at the end of the query.

        Example: select SmUser.FirstName + ' ' + SmUser.LastName from SmUser where SmUser.UserID = ?

     3. Click Next
8. Enter all or part of the user name in the User Keywords field.
9. Select a user and click Next.

   Note: This user becomes the super user.

10. Confirm the connection details and click Finish.

Important! After you configure an external administrator store, restart the application server manually before you log in with the new credentials of administrator.

Migrate Legacy Administrator Permissions

If a Legacy Administrator must continue using the Administrative UI or Policy Server tools after configuring a connection to an external administrator store, migrate the permissions.

Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the following items simultaneously:

• The Administrative UI
• The Policy Server tools, the Policy Management API
• The Trusted Host privileges

If a Legacy Administrator must continue functioning in one or more of these roles, leave the Legacy Administrator unchanged. Verify that the user is present in the external store and separately configure a new Administrator using the external user identity.

Follow these steps:

Note: Verify that the administrator is present in the external store. Log in to the Administrative UI using the external super user.

1. Click Administration, Administrator.
2. Click Administrators.
3. Specify search criteria using the full name of the user and click Search.
4. Click the name of the Administrator you want to modify.
5. Click Modify.
6. Click Lookup in General.
7. Specify search criteria and click Search.
8. Select the user that you want and click Select.
9. Click Submit.

   The Administrative UI authenticates the administrator using the external store. The administrator has the same level of access to the Administrative UI when the policy store was being used to store administrator identities.

Update External Administrator Store Credentials

When the credentials that the Administrative UI uses to connect to the external administrator store change, submit the new credentials to the Administrative UI. Otherwise the administrators lose access.

If you installed the Administrative UI using the stand–alone option, the following utilities are available:

• (LDAP) Use the smjndisetup utility to update the directory server user account credentials.

  Note: To update the directory server host system name or port information, use the Administrative UI to re–create the connection to the external administrator store. The smjndisetup utility cannot update host or port information.

• (RDB) Use the smjdbcsetup utility to update the database user account credentials.

  Note: To update the database host system name or port information, use the smjdbcsetup utility to re–deploy the JNDI data source.

If you installed the Administrative UI to an existing application server infrastructure, reveiw the following items:

• (LDAP) Use the Administrative Authentication Wizard to update the credentials that the Administrative UI is to use to access the directory server.

  Important! After you use the wizard to update the credentials, update the credentials on the directory server as soon as possible. Administrators cannot log in to the Administrative UI until the directory server credentials are updated to match the credentials you supplied using the wizard.

• (RDB) Use the database–specific tool to update the data source.

More information:

Deploy a JDBC Data Source

Update Directory Server Credentials

Update directory manager credentials with the smjndisetup utility.

Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.

Follow these steps:

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.
3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjndisetup.bat --reset-password
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjndisetup.sh --reset-password
     

5. Do one of the following tasks:
   • Type the new directory user and press Enter.
   • Press Enter to accept the default user name.
6. Type the new password and press Enter.
7. Type y and press Enter.
   • If you ran the utility on Windows, the utility restarts the CA SiteMinder® Administrative UI service. The utility also updates the new directory connection details.
   • If you ran the utility on UNIX, start the Administrative UI service to update the new directory connection details.

Update Database Credentials

Use the smjdbcsetup utility to update database user credentials in the JNDI data source.

To update database credentials

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.
3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjdbcsetup.bat --reset-password
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjdbcsetup.sh --reset-password
     

   The utility prompts you to enter a unique identifier.

5. Enter the name of the deployed data source.

   Note: If you do not know the data source name, you can locate all deployed data sources in administrative_ui_home\SiteMinder\adminui\server\default\deploy.

   administrative_ui_home

   Specifies the Administrative UI installation path.

   The utility prompts you for the database user name.

6. Enter the user name and press Enter.

   The utility prompts you for the user password.

7. Enter the password and press Enter.

   The utility prompts you to verify the new data source credentials and verify that they can be updated.

8. Type y and press Enter to confirm the new data source credentials.

   The utility updates the data source.

   • (Windows) The utility prompts you to restart the CA SiteMinder® Administrative UI service.
   • (UNIX) A message appears stating that the CA SiteMinder® Administrative UI service must be manually started.
9. Do one of the following tasks:
   • (Windows) Type y and press Enter to use the utility to restart the CA SiteMinder® Administrative UI service and deploy the updated data source.
   • (Windows) Type n and press Enter to start the CA SiteMinder® Administrative UI service manually. The data source is deployed when the service is started.
   • (UNIX) Manually start the CA SiteMinder® Administrative UI service to deploy the data source.

   Note: For more information about starting the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

Modify the External Administrator Store Connection

Run the Administrative Authentication wizard again to change the external store to which the Administrative UI connects for administrator authentication.

More information:

How to Configure an External Administrator Store