Installation and Upgrade Guides › Policy Server Installation Guide › Configuring LDAP Directory Servers to Store CA SiteMinder® Data › Oracle Directory Server as a Policy Store

Oracle Directory Server as a Policy Store

Oracle Directory Server (formerly Sun Java System Directory Server) can function as a policy store. A single directory server instance can function as a:

• Policy store
• Key store

Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.

Note: You can use the Policy Server Configuration wizard to configure this type of LDAP directory server as a policy store automatically.

Gather Directory Server Information

Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning. You can use the Policy Store Worksheets to record your values.

Host information

Specifies the fully-qualified host name or the IP Address of the directory server.

Port information

(Optional) Specifies a non-standard port.

Default values: 636 (SSL) and 389 (non-SSL)

Administrative DN

Specifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.

Administrative password

Specifies the password for the Administrative DN.

Policy store root DN

Specifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.

SSL client certificate

Specifies the pathname of the directory where the SSL client certificate database file resides.

Limit: SSL only

How to Configure the Policy Store

To configure Oracle Directory Sever Enterprise Edition (formerly Sun Directory Server Enterprise Edition) as a policy store, complete the following procedures:

1. (Optional) If applicable, use the vendor–specific software to create an LDAP directory server instance.
2. (Optional) If applicable, use the vendor–specific software to create an administrative user with the following privileges:
   • create
   • read
   • modify
   • delete

   Create this user in the LDAP tree underneath the policy store root object.

3. Review the Oracle Directory Server considerations.
4. Point the Policy Server to the directory server.
5. Create the policy store schema.
6. Set the CA SiteMinder® superuser password.
7. Import the policy store data definitions.
8. Import the default CA SiteMinder® objects.
9. Restart the Policy Server.
10. Prepare for the Administrative UI registration.

Oracle Directory Server Enterprise Edition Considerations

If you are using Oracle Directory Server Enterprise Edition as a policy store, consider the following.

smldapsetup and Oracle Directory Enterprise Edition

The smldapsetup utility creates the ou=Netegrity, root sub suffix and PolicySvr4 database.

root

The directory root you specified in the Root DN field on the Data tab of the Policy Server Management Console. This variable has to be either an existing root suffix or sub suffix.

Example: If your root suffix is dc=netegrity,dc=com then running smldapsetup produces the following in the directory server:

• A root suffix, dc=netegrity,dc=com, with the corresponding userRoot database.
• A sub suffix, ou=Netegrity,dc=netegrity,dc=com, with the corresponding PolicySvr4 database.

Example: If you want to place the policy store under ou=apps,dc=netegrity,dc=com, then ou=apps,dc=netegrity,dc=com has to be either a root or sub suffix of the root suffix dc=netegrity,dc=com.

If it is a sub suffix, then running smldapsetup produces the following:

• A root suffix, dc=netegrity,dc=com, with the corresponding userRoot database.
• A sub suffix, ou=apps,dc=netegrity,dc=com, with the corresponding Apps database.
• A sub suffix, ou=Netegrity,ou=apps,dc=netegrity,dc=com, with the corresponding PolicySvr4 database.

Note: For more information about root and sub suffixes, see the Oracle documentation.

Replicate an Oracle Directory Server Enterprise Edition Policy Store

CA SiteMinder® 12.51 creates a UserRoot and a PolicySvr4 database. The PolicySvr4 database has suffix mappings pointing to it. To replicate this policy store, set up a replication agreement for the PolicySvr4 database directory.

Note: More information about a replication agreement, see the Oracle documentation.

After you create the replication agreement, replicate the CA SiteMinder® indexes.

Follow these steps:

1. Generate the CA SiteMinder® indexes:

   smldapsetup ldgen -x -findexes.ldif
   

   Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

2. Set up the indexes on a replica server:

   smldapsetup ldmod -x -findexes.ldif -hhost -preplicaport 
   -dAdminDN -wAdminPW
   

   host

   Specifies the replica host.

   replicaport

   Specifies the replica port number.

   AdminDN

   Specifies the replica administrator DN.

   Example: cn=directory manager

   AdminPW

   Specifies the replica administrator password.

   The CA SiteMinder® indexes are replicated.

More Information:

smldapsetup

Point the Policy Server to the Policy Store

You point the Policy Server to the policy store so the Policy Server can access the policy store.

Follow these steps:

1. Open the Policy Server Management Console.

   Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

2. Click the Data tab.
3. Select the following value from the Database list:

   Policy Store
   

4. Select the following value from the Storage list:

   LDAP
   

5. Configure the following settings in the LDAP Policy Store group box.
   • LDAP IP Address
   • Admin Username
   • Password
   • Confirm Password
   • Root DN

   Note: You can click Help for a description of fields, controls, and their respective requirements.

6. Click Apply.
7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
8. Select the following value from the Database list:

   Key Store
   

9. Select the following value from the Storage list:

   LDAP
   

10. Select the following option:

    Use Policy Store database
    

11. Click OK.

Create the Policy Store Schema

You create the policy store schema so the directory server can function as a policy store and store CA SiteMinder® objects. Use this procedure for the following directory server products:

• Oracle 10g, 11g (32-bit)
• Sun Java System 6.1, 7.0

Perform the following prerequisites:

• Create an LDAP instance.
• Open the SiteMinder Management console, click the Data tab, and then enter the policy store and key store information for your LDAP instance.

Follow these steps:

1. Run the following command from the Policy Server host system:

   smldapsetup ldgen -ffile_name
   

   file_name

   Specifies the name of the LDIF file you are creating.

   An LDIF file with the CA SiteMinder® schema is created.

2. Run the following command:

   smldapsetup ldmod -ffile_name
   

   file_name

   Specifies the name of the LDIF you created.

3. Run the following command:

   smldapsetup ldmod -fpolicy_server_home\xps\db\OracleDirectoryServer.ldif
   

   policy_server_home

   Specifies the Policy Server Installation path.

4. Have the administrator of your directory server run the following command:

   dsconf reindex -h localhost -p port_number -e "ou=Netegrity,root_dn"
   

5. Edit the following ldif file:

   policy_server_home/xps/db/OracleDirectoryServerBrowse.ldif 
   

6. Confirm the LDAP Directory contains the following path before proceeding.(replace the Root DN below with your own root DN):

   ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,<Root DN>\
   

7. Edit the following LDIF file by putting the <root dn> value from the previous step into the two places where the file has the value of <root dn>:
8. Policy_server_home/xps/db/OracleDirectoryServerBrowser.ldifRun the following command:

   smldapsetup ldmod -fOracleDirectoryServerBrowse.ldif -v
   

9. Stop the database and re‑index the vlv indexes with the following commands:

   dsadm stop Instance_Path
   

   dsadm reindex -bl -t "Sort xpsSortKey" Instance_Path policysvr4
   dsadm reindex -bl -t "Sort modifyTimestamp" Instance_Path policysvr4
   dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone instance_path policysvr4
   

10. Start the database with the following command:

    dsadm start Instance_Path
    

    The policy store schema is extended. You have created the policy store schema.

Set the CA SiteMinder® Super User Password

The default CA SiteMinder® administrator account is named:

siteminder

The account has maximum permissions.

We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:

• Access the Administrative UI for the first–time.
• Manage CA SiteMinder® utilities for the first–time.
• Create another administrator with superuser permissions.

Follow these steps:

1. Copy the smreg utility to siteminder_home\bin.

   siteminder_home

   Specifies the Policy Server installation path.

   Note: The utility is at the top level of the Policy Server installation kit.

2. Run the following command:

   smreg -su password
   

   password

   Specifies the password for the default CA SiteMinder® administrator.

   Limits:

   • The password must contain at least six (6) characters and cannot exceed 24 characters.
   • The password cannot include an ampersand (&) or an asterisk (*).
   • If the password contains a space, enclose the passphrase with quotation marks.

   Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.

3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

   The password for the default CA SiteMinder® administrator account is set.

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

1. Open a command window and navigate to siteminder_home\xps\dd.

   siteminder_home

   Specifies the Policy Server installation path.

2. Run the following command:

   XPSDDInstall SmMaster.xdd
   

   XPSDDInstall

   Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

• Be sure that you have write access to siteminder_home\bin. The import utility requires this permission to import the policy store objects.

  siteminder_home

  Specifies the Policy Server installation path.

• Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for your CA SiteMinder® component.

Follow these steps:

1. Open a command window and navigate to siteminder_home\db.
2. Import one of the following files:
   • To import smpolicy.xml, run the following command:

     XPSImport smpolicy.xml -npass
     

   • To import smpolicy–secure.xml, run the following command:

     XPSImport smpolicy-secure.xml -npass
     

     npass

     Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.

     Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.

   • To import Option Pack functionality, run the following command:

     XPSImport ampolicy.xml -npass
     

   • To import federation functionality, run the following command:

     XPSImport fedpolicy-12.51.xml -npass
     

   The policy store objects are imported.

Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Restart the Policy Server

You restart the Policy Server for certain settings to take effect.

Follow these steps:

1. Open the Policy Server Management Console.
2. Click the Status tab, and click Stop in the Policy Server group box.

   The Policy Server stops as indicated by the red stoplight.

3. Click Start.

   The Policy Server starts as indicated by the green stoplight.

   Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.

Prepare for the Administrative UI Registration

You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following items:

• The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
• (UNIX) Be sure that the CA SiteMinder® environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.

Follow these steps:

1. Log in to the Policy Server host system.
2. Run the following command:

   XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
   

   passphrase

   Specifies the password for the default CA SiteMinder® super user account (siteminder).

   Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.

   -adminui–setup

   Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

   -t timeout

   (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

   Unit of measurement: minutes

   Default: 240 (4 hours)

   Minimum Limit: 15

   Maximum Limit: 1440 (24 hours)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first time.

   Default: 1

   Maximum Limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -l log path

   (Optional) Specifies where the registration log file must be exported.

   Default: siteminder_home\log

   siteminder_home

   Specifies the Policy Server installation path.

   -e error_path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

3. Press Enter.

   XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.