

Extend the Policy Store Schema

The existing r6.x policy store schema has not changed. The 12.51 migration requires that you extend the policy store schema to support the objects that 12.51 requires.

If you have deployed a smkeydatabase, extend the policy store schema before upgrading your first Policy Server. Extending the schema prepares the policy store for the smkeydatabase migration to the certificate data store during a Policy Server upgrade. Extending the schema does not affect compatibility mode. The policy store continues to function as it did in r6.x.

If you have not deployed a smkeydatabase, extend the schema as part of the policy store upgrade process.

Extend the Policy Store Schema for Your Active Directory Server

Follow these steps:

  1. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Active Directory
    
  3. Open the ActiveDirectory.ldif file and manually replace each instance of <RootDN> with the DN (distinguished name) that represents the policy store schema location. Do not use the policy store object location.

    Example: If the following root DN represents the policy store object:

    ou=policystore,dc=domain,dc=com
    

    Replace each instance of <RootDN> with the following DN:

    dc=domain,dc=com
    
  4. Save the file.
  5. Navigate to siteminder_home/bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  6. Run the following command:
    smldapsetup ldmod -fpath/ActiveDirectory.ldif
    
    path

    Specifies the path to the schema file.

    The policy store schema is extended.

Extend Policy Store Schema for Your Active Directory LDS Server

Follow these steps:

  1. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Active Directory LDS
    
  3. Open the ADLDS.ldif file and replace each instance of {guid} with the actual GUID value, enclosed in braces.

    Example: {CF151EA3-53A0-44A4-B4AC-DA0EBB1FF200}

  4. Save the file.
  5. Navigate to siteminder_home/bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  6. Run the following command:
    smldapsetup ldmod -fpath/ADLDS.ldif
    
    path

    Specifies the path to the schema file.

    The policy store schema is extended.

Extend Policy Store Schema for Your CA Directory Server

Follow these steps:

  1. Copy the following ZIP file to the CA Directory host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\CA Directory
    
  3. Copy the following file into the CA Directory DXHOME\config\schema directory:
    etrust.dxc
    
  4. Open the CA SiteMinder® schema file (.dxg), and add the following lines to the bottom of the file:
    #CA Schema
    source "netegrity.dxc"
    source "etrust.dxc"
    
  5. Edit the DXI file for the DSA by adding the following lines to the bottom of the file:
  6. Open the default DXC file (default.dxc) for the DSA and locate the following section:
    # size limits
    set max-users = 255;
    set credits = 5;
    set max-local-ops = 100;
    set max-dsp-ops = 100;
    set max-op-size = 200;
    set multi-write-queue = 20000;
    

    Note: The default DXC file is located in DXHOME\dxserver\config\limits.

  7. Edit the settings to match the following settings and save the DXC file:
    # size limits
    set max-users = 1000;
    set credits = 5;
    set max-local-ops = 1000;
    set max-dsp-ops = 1000;
    set max-op-size = 4000;
    set multi-write-queue = 20000;
    

    Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.

    Important! The multi-write-queue setting is for text-based configurations only. If the DSA is set up with DXmanager, omit this setting.

  8. Use JXplorer to access the policy store DSA.
  9. Locate the root element, and then locate the following base tree structure:

    Netegrity, SiteMinder, PolicySvr4

  10. Create an organizational unit (root element) under PolicySvr4 that is named:

    XPS

  11. Stop and restart the DSA (as the DSA user) with the following commands:
    dxserver stop DSA_Name
    
    dxserver start DSA_Name
    
    DSA_Name

    Specifies the name of the policy store DSA.

    The policy store schema is extended.
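The size-limit edit in steps 6 and 7 of the CA Directory procedure can be checked before the DSA is restarted. The following is an added example, not part of the CA documentation: the function names are hypothetical, the sample text is the default section shown in step 6, and it assumes the file uses only the `set name = value;` form shown on this page.

```python
import re

# Values from step 7 of the CA Directory procedure on this page.
REQUIRED = {
    "max-users": 1000,
    "credits": 5,
    "max-local-ops": 1000,
    "max-dsp-ops": 1000,
    "max-op-size": 4000,
    "multi-write-queue": 20000,
}

# Matches active "set name = value;" lines; lines starting with # are skipped.
SET_LINE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*(\d+)\s*;", re.MULTILINE)


def parse_limits(dxc_text):
    """Return {setting: int}; a later 'set' overrides an earlier one."""
    return {name: int(value) for name, value in SET_LINE.findall(dxc_text)}


def check_limits(dxc_text, dxmanager=False):
    """List deviations from the documented size limits (empty list = OK)."""
    found = parse_limits(dxc_text)
    problems = []
    for name, want in REQUIRED.items():
        if name == "multi-write-queue" and dxmanager:
            # Page: omit this setting when the DSA is set up with DXmanager.
            if name in found:
                problems.append(f"{name}: present, but DSA is DXmanager-managed")
            continue
        if name not in found:
            problems.append(f"{name}: missing (want {want})")
        elif found[name] != want:
            problems.append(f"{name}: {found[name]} (want {want})")
    return problems


# Sample input: the unedited section shown in step 6.
SAMPLE_DEFAULT = """\
# size limits
set max-users = 255;
set credits = 5;
set max-local-ops = 100;
set max-dsp-ops = 100;
set max-op-size = 200;
set multi-write-queue = 20000;
"""

if __name__ == "__main__":
    print("\n".join(check_limits(SAMPLE_DEFAULT)) or "size limits OK")
```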

Extend the Policy Store Schema for Your IBM DB2 Server

Follow these steps:

  1. Copy the following ZIP file to the IBM DB2 host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\IBM DB2
    
  3. Locate the following file:
    DB2.sql
    
  4. Open a command prompt and run the following command:
    db2 -td@ [-v] -f path\DB2.sql
    
    path

    Specifies the path to the DB2 schema file.

    The policy store schema is extended.

Extend the Policy Store Schema for Your IBM Tivoli Directory Server

Follow these steps:

  1. Use the IBM Tivoli Directory Server administration tool to update the policy store base tree structure. Create the following root node under ou=Netegrity,ou=SiteMinder,ou=PolicySvr4:
    ou=XPS
    
  2. Copy the following ZIP file to the IBM Directory Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  3. Navigate to the following directory:
    schema_extension\db\IBM Tivoli Directory Server
    
  4. Locate the following file:
    IBMDirectoryServer.ldif
    
  5. Use the IBM Directory Server Configuration Tool to add the following file to the Manage Schema Files section of the schema configuration:
    IBMDirectoryServer.ldif
    
  6. Restart the directory server.

    The policy store schema is extended.

Extend the Policy Store Schema for Your Novell eDirectory Server

Follow these steps:

  1. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Novell eDirectory
    
  3. Locate and open the following file:
    Novell.ldif
    
  4. Navigate to siteminder_home\bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  5. Run the following command:
    ldapsearch -hhost -pport -bcontainer -ssub -DAdminDN -wAdminPW
    objectclass=ncpServer dn
    

    Example:

    ldapsearch -h192.168.1.47 -p389 -bo=nwqa47container -ssub
    -Dcn=admin,o=nwqa47container -wpassword objectclass=ncpServer dn
    

    The Novell server DN opens.

  6. Edit the open schema file. Replace every <ncpserver> variable with the value of the Novell server DN (distinguished name).

    Example: If your Novell server DN value is cn=servername,o=servercontainer, replace all instances of <ncpserver> with the following value:

    cn=servername,o=servercontainer
    
  7. Save and close the schema file.
  8. Run the following command:
    smldapsetup ldmod -fpath\Novell.ldif
    
    -fpath

    Specifies the path to the schema file.

    The policy store schema is extended.
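The Active Directory, Active Directory LDS and Novell eDirectory procedures above each rely on a manual search-and-replace (<RootDN>, {guid}, <ncpserver>) before the LDIF file is passed to smldapsetup. The following is an added example, not part of the CA documentation, that performs the substitution and refuses to produce a file with a leftover placeholder. The function names are hypothetical, the sample LDIF is constructed and is not the content of the shipped file, and deriving the schema root by keeping only the trailing dc= components generalizes the single example on this page.

```python
import re

# Placeholders named on this page: <RootDN> (Active Directory),
# {guid} (Active Directory LDS), <ncpserver> (Novell eDirectory).
PLACEHOLDER = re.compile(r"<RootDN>|\{guid\}|<ncpserver>")


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def schema_root_from_object_dn(object_dn):
    """Keep only the trailing dc= components of the policy store object DN.

    Assumption: the schema location is the domain root, as in the page's
    example (ou=policystore,dc=domain,dc=com -> dc=domain,dc=com).
    """
    root = []
    for rdn in reversed(split_dn(object_dn)):
        if not rdn.lower().startswith("dc="):
            break
        root.insert(0, rdn)
    if not root:
        raise ValueError(f"no dc= components in {object_dn!r}")
    return ",".join(root)


def fill_ldif(template, values):
    """Substitute placeholders; raise if any placeholder is left behind."""
    text = PLACEHOLDER.sub(lambda m: values.get(m.group(0), m.group(0)), template)
    left = sorted({m.group(0) for m in PLACEHOLDER.finditer(text)})
    if left:
        raise ValueError(f"unreplaced placeholders: {left}")
    return text


# Constructed sample entry, not taken from ActiveDirectory.ldif.
SAMPLE_LDIF = """\
dn: CN=exampleAttribute,CN=Schema,CN=Configuration,<RootDN>
changetype: add
objectClass: attributeSchema
"""

if __name__ == "__main__":
    root = schema_root_from_object_dn("ou=policystore,dc=domain,dc=com")
    print(fill_ldif(SAMPLE_LDIF, {"<RootDN>": root}))
```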

Extend the Policy Store Schema for Your OpenLDAP Server

Follow these steps:

Note: This procedure assumes that the OpenLDAP server is at /usr/local/etc/openldap and that the schema files are located in the schema subdirectory.

  1. Update the policy store base tree structure. Create the following root node under ou=Netegrity,ou=SiteMinder,ou=PolicySvr4:
    ou=XPS
    
  2. Copy the following ZIP file to the OpenLDAP host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  3. Navigate to the following directory:
    schema_extension\db\OpenLDAP
    
  4. Locate the following schema files:
    openldap_attribute_XPS.schema
    openldap_object_XPS.schema
    
  5. Copy the schema files located in Step 4 to the schema folder in the OpenLDAP installation directory.
  6. Type the following entry in the include section of the slapd configuration file:
    ....
    .....
    include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
    include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
    

    The policy store schema is extended.

Extend the Policy Store Schema for Your Oracle Internet Directory Server

Follow these steps:

  1. Log in to the Oracle Internet Directory host system.
  2. Use the Oracle catalog command line tool to index the following attribute. Indexing the attribute prevents an error from occurring when you import the default policy store objects:
    modifyTimestamp
    

    Run the following command:

    oracle_home/ldap/bin/catalog connect=conn_str add=TRUE attribute=modifyTimestamp
    
    oracle_home

    Specifies the Oracle Internet Directory installation path.

    conn_str

    Specifies the directory database connect string. If you have configured a tnsnames.ora file, then enter the net service name specified in the file.

    Note: For more information about the catalog command line tool, see the Oracle documentation.

  3. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  4. Navigate to the following directory:
    schema_extension\db\Oracle Internet Directory
    
  5. Locate the following file:
    OID_10g.ldif
    
  6. Navigate to siteminder_home\bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  7. Run the following command:
    ldapmodify -hhost -pport -DAdminDN -wAdminPW
    -c -fpath\OID_10g.ldif
    -Z -Pcert
    
    -hhost

    Specifies the IP address of the LDAP directory server.

    Example: 123.123.12.12

    -pport

    Specifies the port number of the LDAP directory server.

    Example: 3500

    -DAdminDN

    Specifies the name of the LDAP user who has the privileges to create the LDAP schema.

    -wAdminPW

    Specifies the password of the administrator that the -D option specifies.

    -c

    Specifies continuous mode (do not stop on errors).

    -fpath

    Specifies the path to the extracted schema file.

    -Z

    Specifies a connection that is encrypted by SSL.

    -Pcert

    Specifies the path of the directory where the SSL client certificate database file (cert7.db) exists.

    Example:

    If cert7.db exists in app/siteminder/ssl, specify:

    -Papp/siteminder/ssl
    

    The policy store schema is extended.

Extend the Policy Store Schema for Your Red Hat Directory Server

Follow these steps:

  1. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Red Hat Directory Server
    
  3. Locate the following file:
    RedHat_7_1.ldif
    
  4. Navigate to siteminder_home/bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  5. Run the following command:
    smldapsetup ldmod -fpath/RedHat_7_1.ldif
    
    path

    Specifies the path to the extracted schema file.

    The policy store schema is extended.

Extend the Policy Store Schema for Your Siemens DirX Server

Follow these steps:

  1. Use the DirXmanage tool to update the policy store base tree structure. Under the existing root path:
    ou=Netegrity,ou=SiteMinder,ou=PolicySvr4
    

    Create the following root node:

    ou=XPS 
    
  2. Copy the ZIP file, policy_store_schema_ext.zip, to the Siemens DirX host system and extract it to a temporary location.
  3. Navigate to the following directory:
    schema_extension\db\Siemens DirX
    
  4. Locate the following extracted files and copy them to DirX_install_path\scripts\security\Netegrity\SiteMinder:
    DirX_install_path

    Specifies the DirX installation path.

    Example: C:\program files\siemens\dirx

  5. Locate the extracted file dirxabbr-ext.XPS and copy it to DirX_install_path\client\conf.
  6. Stop and restart the DirX service.
  7. Edit the GlobalVar.tcl file to update the global variables that the DirX scripts reference.

    Default values:

    Note: Correct the values so they apply to your existing setup.

  8. Navigate to DirX_install_path\scripts\security\CA\SiteMinder.
  9. Execute the following command:
    dirxadm schema_ext_for_XPS.adm
    
  10. Use the DirXmanage utility to rebind to the DSA.

    Note: Watch for errors.

    The policy store schema is extended.

Extend the Policy Store Schema for Your Sun Java System Directory Server

Follow these steps:

  1. Copy the following ZIP file to a Policy Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Sun Java System Directory Server
    
  3. Locate the following file:
    OracleDirectoryServer.ldif
    
  4. Navigate to siteminder_home\bin from a command window.
    siteminder_home

    Specifies the Policy Server installation path.

  5. Run the following command:
    smldapsetup ldmod -fpath\OracleDirectoryServer.ldif
    
    -fpath

    Specifies the path to the extracted schema file.

    The policy store schema is extended.

Extend the Policy Store Schema for Your Microsoft SQL Server

Follow these steps:

  1. Copy the following ZIP file to the SQL Server host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Microsoft SQL Server
    
  3. Locate the following file:
    SQLServer.sql
    
  4. Log in to SQL Server as the user who administers the policy store database.
  5. Start the Query Analyzer.
  6. Select the policy store database instance from the database list.
  7. Open the file in a text editor and copy the contents of the entire file.
  8. Paste the schema into the query and execute the query.

    The policy store schema is extended.

Extend the Policy Store Schema for Your MySQL Server

Follow these steps:

  1. Copy the following ZIP file to the MySQL host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\MySQL
    
  3. Locate the following file:
    MySQL.sql
    
  4. Open the file in a text editor and copy the contents of the entire file.
  5. Paste the file contents into a query.
  6. Use the MySQL command line tool to execute the query.

    The policy store schema is extended.

Extend the Policy Store Schema for Your Oracle Server

Follow these steps:

  1. Copy the following ZIP file to the Oracle host system and extract it to a temporary location:
    policy_store_schema_ext.zip
    
  2. Navigate to the following directory:
    schema_extension\db\Oracle
    
  3. Locate the following file:
    Oracle.sql
    
  4. Log in to the Oracle server with sqlplus or another Oracle utility as the user who administers the policy store database.

    Note: We recommend that you do not create the CA SiteMinder® schema with the SYS or SYSTEM users. If necessary, create an Oracle user, such as SMOWNER, and create the schema with that user.

  5. Import the file into the r6.x database instance.

    Note: If you are using sqlplus, run the schema using an @ sign.

    The policy store schema is extended.