Installation and Upgrade Guides › Policy Server Installation Guide › Configuring the Policy Server for an International Environment

Configuring the Policy Server for an International Environment

This section contains the following topics:

Policy Servers in an International Environment

Planning Considerations Before Installing the Policy Server

Configure CA SiteMinder® Data Stores Supporting International Characters

Policy Servers in an International Environment

The Policy Server supports CA SiteMinder® data stores residing in an Oracle or SQL Server database, and LDAP servers for an international environment.

Planning Considerations Before Installing the Policy Server

Consider the following items before you install the Policy Server:

• Use supported operating system and third–party software.
• Create supported databases:
  • Before creating databases for storing policy or session data, be sure that they are formatted with UTF–8 encoding.
  • User store databases are not limited to UTF–8 encoding. You can create user databases in the local character set encoding.

    Note: The Active Directory namespace does not support multi–byte characters. Regardless of the code page you are using, CA SiteMinder® treats characters as they are defined in Unicode. Although your code page can reference a special character as single-byte, CA SiteMinder® treats it as a multi–byte character if Unicode defines it as such.

• All Administrative UI fields support multi–byte characters.
• Some Policy Server components support multi–byte and ASCII characters in an internationalized environment.
• CA SiteMinder® supports multi–byte character (MBCS) URLs.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.51 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

Policy Server Components Supporting Multi-byte Characters

The following Policy Server components support multi–byte and ASCII characters in an internationalized environment:

• Administrative UI
• Policy Server Management Console
• Authentication Schemes
  • HTML Forms
  • X.509 Client Certificate
  • X.509 Client Certificate and HTML Forms
  • X.509 Client Certificate or HTML Forms
  • RADIUS CHAP/PAP
  • SecurID Authentication
  • Anonymous Authentication
  • Custom Authentication
  • Impersonation Authentication
• Password Services

  Note: Password Services are limited to ASCII characters, but can support a multi–byte character URL as a redirection URL.

• Responses
• Post Preservation
• CA SiteMinder® Test Tool
• Audit logging to text files
• Audit logging to ODBC databases
• smobjimport
• XPSExport and XPSImport
• Java Agent API

Support for Multi-Byte Character URLs

CA SiteMinder® supports URLs that contain multi-byte characters (MBCS). MBCS URL support includes support for:

• Internationalized domain names ‑ An internationalized domain name (IDN) is an Internet domain name that can contain non-ASCII characters, including letters with diacritics and characters from non‑Latin scripts, such as Arabic and Chinese.
• Internationalized resource identifiers ‑ An internationalized resource identifier (IRI) is the international equivalent of a uniform resource identifier (URI). An IRI can contain ASCII characters and characters from a MBCS set; a URI is limited to a subset of ASCII characters.

MBCS URL support lets:

• CA SiteMinder® protect resources that are accessed through MBCS URLs.
• You configure specific authentication schemes using an IDN and an IRI.

How to Enable MBCS URL Support

Support for MBCS URLs in a CA SiteMinder® environment requires that:

• The Web browsers used to access the protected resources meet specific requirements.
• The Web server implementation in your environment meets specific requirements.
• Specific default bad characters are removed from the Web Agent Configuration Object.

To enable support for MBCS URLs:

1. Ensure that the Web browsers meet the requirements for MBCS URLs.
2. Ensure that the Web servers meet the requirements for MBCS URLs.
3. Configure the Web Agent Configuration Object.

Web Browser Requirements for MBCS URLs

Web browsers must be able to send requests to Web servers that serve resources in UTF-8 format and whose domain names contain non-ASCII characters.

The Web browsers used to access the protected resources must be able to:

• Support Internationalized Domain Names (IDNs).
• Support Internationalized Resource Identifiers (IRIs).
• Send requests in UTF-8 format.

Web Server Requirements for MBCS URLs

A Web server can support MBCS URLs if it meets at least one of the following requirements:

• The Web server can convert UTF-8 requests to the local character set encoding.

  or

• The Web server can store files in UTF-8 format. This lets the Web server serve the file when it receives the IRI request from the Web browser in UTF-8 format.

Enable Multi-byte Character Support

MBCS support requires that you remove specific high‑bit ASCII character values from the Web Agent Configuration Object.

Note: Removing the high‑bit ASCII characters prevents the Web Agent from blocking the specific characters.

To enable MBCS support

1. Open the Administrative UI
2. Click Infrastructure, Agents.
3. Click Agent Configuration, Modify Agent Configuration.

   The Modify Agent Configuration pane appears.

4. Enter search criteria and click Search.

   Agent configuration objects matching the search criteria appear.

5. Select the Agent configuration object you want and click Select.

   Agent Configuration parameters are listed in the Parameters group box.

6. Click the Edit icon for BadURLChars.

   The Edit Parameter pane appears.

7. Remove the following from the Values field:
   • %00-%1f
   • %7f-%ff
8. Click OK.

   The edited values appear in the BadURLChars field.

9. Click Submit.

   The Web Agent Configuration Object is configured to support MBCS URLs.

Protect a Resource with MBCS URLs

Support for MBCS URLs lets CA SiteMinder® protect resources that are accessed through URLs that contain non-ASCII characters.

When creating a realm and the associated rule or rules to protect the resource, you can enter a MBCS URL in the Resource field. Users can access the protected resource using a browser that supports IDNs and IRIs.

Note: More information on creating realms and rules exists in the Policy Server Configuration Guide.

Authentication Schemes Supporting MBCS URLs

You can configure the following authentication schemes with an IDN in the Server Name field and an IRI in the Target field:

• Basic over SSL
• HTML Form Template
• HTML Form Template over SSL
• X509 Client Cert
• X509 Client Cert and Forms

Note: Netscape and Firefox do not accept redirections to URLs that contain an IDN. Entering an IDN for a forms-related authentication scheme results in a failure unless Punycode is used. More information about configuring authentication schemes exists in the Policy Server Configuration Guide.

Configure CA SiteMinder® Data Stores Supporting International Characters

You can configure CA SiteMinder® data stores in SQL Server or Oracle databases. When configuring these data stores, be aware that the Policy Server only supports UTF-8 encoding and, as a result, you must use databases that support this encoding type.

Note: This section applies to configuring CA SiteMinder® data stores in relational databases. More information on configuring these stores in LDAP servers exists in LDAP Directory Servers as a Policy Store or Key Store.

Configure an International CA SiteMinder® Data Store in SQL Server

To create policy, keys, session, or key stores, configure a CA SiteMinder® data store in the SQL Server database.

Note: By default, SQL Server supports UTF-8 character encoding.

Configure an International CA SiteMinder® Data Store in Oracle

To configure an international CA SiteMinder® data store in Oracle

1. On the machine where Oracle is installed, create a custom Oracle database that supports UTF-8 character encoding.

   Note: For more information and instructions, see Oracle’s documentation.

   To verify if an existing Oracle database supports UTF-8 character encoding, run the following query:

   Select * from nls_database_parameters where parameter = ‘NLS_CHARACTERSET’

2. Create policy, keys, session, or key stores for the Policy Server, by configuring a CA SiteMinder® data store in the Oracle database.

Solaris/LINUX Red Hat Policy Server Logging UTF-8 Characters to an Oracle Database

A Solaris/LINUX Red Hat Policy Server can log UTF-8 characters to an Oracle audit log database. To enable this configuration, you need to set the following environment variables:

For a simplified Chinese operating system

• LANG=zh_CN.utf8

For a Japanese operating system

• LANG=jp_JP.UTF-8

You set the LANG variable system-wide or just for the Policy server process.

Note: To avoid impacting any other applications, make sure that you set this variable for the Policy Server process only.

Database Driver Variable

• IANAAppCodePage=utf-8

You set this variable in the appropriate data source definition section of the system_odbc.ini file, installed in <policy_server_installation>/db.

Oracle Client Settings

Since the Policy Server uses the Oracle wire protocol driver, an Oracle client is not necessary. However, if you need an Oracle SQLPLUS client in your environment to read data from the audit log database, you may have to set one or both of the following environment variables to correctly display the multi-bytes characters:

For a simplified Chinese operating system

• LANG=zh_CN.utf8

For a Japanese operating system

• LANG=jp_JP.UTF-8

For the Oracle SQLPlus Client

• NLS_LANG (For example, NLS_LANG=Japanese_Japan.UTF8)

Note: For more information, see the operating system and database client configuration manual.

Configure a User Store that Supports Unicode in SQL Server

Using the smsampleusers_sqlserver.sql file installed with the Policy Server, you can configure a user store in a SQL Server database. This file is installed in the siteminder_installation\db\SQL directory.

Note: User stores are not limited to UTF-8 format. You can create a user store in the local character set encoding.

Follow these steps:

1. Edit the smsampleusers_sqlserver.sql file, by doing the following:
   1. Replace every varchar instance with nvarchar.
   2. Place an N before any insert statement with international strings.

Japanese example:

insert into SmUser ( UserID , Name, Password,
LastName, FirstName, ...)

values (12, N'',
'siteminder','guest','guest','guest@mycompany.com...)

1. Import the smsampleusers_sqlserver.sql file.

   Note: More information on importing the smsampleusers_sqlserver.sql file exists in Sample User Directories.

2. Open the Policy Server User Interface’s SiteMinder ODBC Query Scheme dialog and modify the policy store’s SQL query scheme by placing an N before every %s reference in any = %s statement.

Example:

The following sample query scheme statements:

select Name, 'User' from SmUser where Name = '%s' Union select Name, 'Group' from SmGroup where Name = '%s'

should become:

select Name, 'User' from SmUser where Name = N'%s' Union select Name, 'Group' from SmGroup where Name = N'%s'

1. Stop and restart the Policy Server.

   The user store configuration is complete and now supports multi-byte characters.

Configure a Japanese User Store in Oracle

Using the smsampleusers_oracle.sql file installed with the Policy Server, you can configure a user store in an Oracle database. This file is installed in the <siteminder_installation>\db\SQL directory.

Note: User stores are not limited to UTF-8 format. You can create a user store in the local character set encoding.

To configure a Japanese user store in Oracle

1. Create a database for the user data that supports Oracle’s UTF-8 NLS_CHARACTERSET encoding.
2. Using Oracle’s SQL-Plus, import the smsampleusers_oracle.sql file.

   Note: More information on importing the smssampleusers_oracle.sql file exists in Sample User Directories. Be aware that if you are inserting Japanese characters, import the file from a Japanese operating system.

   The user store configuration is complete.