

How to Configure a CA Directory User Directory Connection

The following process lists the steps for creating a CA Directory user store connection to the Policy Server:

  1. Configure a CA Directory User Directory Connection.
  2. Enable User Store DSA Parameters.
  3. (Optional) Enable Caching for a CA Directory User Store.
  4. (Optional) Verify the CA Directory Cache Configuration.

Ping the User Store System

Before configuring the connection, ping the user store system to verify that a network connection exists between the Policy Server and the user directory or database.

Note: Some user store systems may require the Policy Server to present credentials.

Configure CA Directory User Directory Connections

You can configure a user directory connection that lets the Policy Server communicate with a CA Directory user store.

Follow these steps:

  1. Click Infrastructure, Directory.
  2. Select User Directories.
  3. Click Create User Directory.
  4. Complete the required connection information in the General and Directory Setup areas.
  5. Configure the LDAP search and LDAP user DN lookup settings in the LDAP Settings area.
  6. Select Require Credentials in the Administrator Credentials area.
  7. Enter the credentials of an administrator account. Use a dedicated account that has only the directory rights the Policy Server needs, rather than a shared directory administrator.
  8. (Optional) Specify the user directory profile attributes that are reserved in the User Attributes area.
  9. (Optional) Click Create in the Attribute Mapping List area to configure user attribute mapping.
  10. Click Submit.

    The user directory connection is created.

More information:

LDAP Load Balancing and Failover

Define an Attribute Mapping

Enable User Store DSA Parameters

The Policy Server connects to CA Directory by performing a bind request for each authentication request. Configure the user store DSA to handle these concurrent binds; otherwise CA Directory runs out of connections and authentication fails.

Follow these steps:

  1. Open the .dxi file for the user store DSA.
  2. Define the following entries at the bottom of the file:
    #SiteMinder
    set mimic-netscape-for-siteminder = true;
    set concurrent-bind-user = DN;
    set hold-ldap-connections = true;
    
  3. Save and close the .dxi file.

    The user store DSA parameters are enabled.

    Note: Replace DN with the DN of the account the Policy Server binds with (typically the administrator account entered for the user directory connection), written in X.500 format rather than LDAP format.

    Example: <o acme><cn smadmin>

Enable Caching for a CA Directory User Store

You can improve authentication and authorization performance for large user stores by enabling the CA Directory DXcache feature. A 5-MB user store is considered large.

Follow these steps:

  1. As the dsa user, add the DXcache entries (max-cache-size and cache-index) to the end of the DXI file (for example, <dxserver_install>\config\servers\eTrustDsa.dxi):

    Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and the overall size of the user store. In addition, set the cache-index fields to the attributes used to perform user searches in the user store. For example, if users are authenticated and authorized based on their common name (cn=*), make sure that commonName is included in the cache-index.

  2. As the dsa user, stop and restart the user DSA to allow the DXcache configuration changes to take effect:
    dxserver stop eTrustDsa
    dxserver start eTrustDsa
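
The script below is an added example and is not part of the CA documentation or of CA Directory itself. It checks a DSA .dxi file, before the stop/start above, for the SiteMinder bind parameters from "Enable User Store DSA Parameters" (mimic-netscape-for-siteminder, concurrent-bind-user in X.500 form, hold-ldap-connections) and for the DXcache entries described in this section. It assumes the file uses "set name = value;" statements with "#" comments, as the entries above do, and it assumes the DXcache entries are written as "set max-cache-size = <MB>;" and "set cache-index = <attr>, <attr>;" (an assumption; confirm the statement form against your CA Directory release). The sample .dxi it writes is constructed for the stand-alone run and is not a real deployment file.

```shell
#!/bin/sh
# Added example, not part of the CA documentation: sanity-check a DSA .dxi file
# for the SiteMinder bind parameters and the DXcache entries before restarting
# the DSA. Assumes "set name = value;" statements and "#" comments; the
# max-cache-size / cache-index statement form is an assumption.

# dxi_setting FILE NAME: print the value of the last uncommented
# "set NAME = value;" statement in FILE (empty if absent).
dxi_setting() {
    sed -e 's/#.*$//' "$1" |
    sed -n "s/^[[:space:]]*set[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p" |
    tail -n 1
}

# check_siteminder_dsa FILE: report every missing or malformed entry and
# return 1 if any was found, 0 if the file is ready for a DSA restart.
check_siteminder_dsa() {
    file=$1; rc=0

    # Boolean parameters SiteMinder needs for its per-authentication binds.
    for want in mimic-netscape-for-siteminder:true hold-ldap-connections:true; do
        name=${want%%:*}; expect=${want#*:}
        got=$(dxi_setting "$file" "$name")
        if [ "$got" != "$expect" ]; then
            echo "$file: expected 'set $name = $expect;', found '${got:-<missing>}'"; rc=1
        fi
    done

    # concurrent-bind-user must be the bind account DN in X.500 form,
    # e.g. <o acme><cn smadmin>, not an LDAP-style "cn=...,o=..." string.
    dn=$(dxi_setting "$file" concurrent-bind-user)
    case $dn in
        "")      echo "$file: concurrent-bind-user is not set"; rc=1 ;;
        "<"*">") ;;
        *)       echo "$file: concurrent-bind-user '$dn' is not in X.500 form"; rc=1 ;;
    esac

    # DXcache: max-cache-size is the total cache size in MB and must be a
    # positive integer; cache-index must include every attribute the
    # Policy Server searches on (commonName for cn= lookups).
    size=$(dxi_setting "$file" max-cache-size)
    case $size in
        "")         echo "$file: DXcache not configured (max-cache-size missing)"; rc=1 ;;
        *[!0-9]*|0) echo "$file: max-cache-size '$size' is not a positive integer"; rc=1 ;;
    esac
    idx=$(dxi_setting "$file" cache-index)
    case ",$(printf '%s' "$idx" | tr -d ' ')," in
        *,commonName,*) ;;
        *) echo "$file: cache-index '$idx' does not include commonName"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample DSA file for a stand-alone run (not a real deployment).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ... existing DSA settings ...
#SiteMinder
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <o acme><cn smadmin>;
set hold-ldap-connections = true;
# DXcache (statement form assumed; adjust to your CA Directory release)
set max-cache-size = 100;
set cache-index = commonName, uid;
EOF

check_siteminder_dsa "$SAMPLE" && echo "$SAMPLE: ready for dxserver stop/start"
```

Run it against the real DSA file (for example, check_siteminder_dsa <dxserver_install>/config/servers/eTrustDsa.dxi) as the dsa user before the restart; each reported problem names the statement to add or correct, and a clean exit means all six entries are present in the expected form.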
    
Verify the CA Directory Cache Configuration

After configuring the CA DXcache feature for the user store, you can verify that the cache is enabled using the DXmanager user interface.

Follow these steps:

  1. Using a Web browser, connect to the CA DXmanager web interface.

    For example:

    http://<CA_host>:8080/dxmanager/ManagerServlet?hostgroup=All

  2. Navigate to the DSA configuration page and verify that the DXcache Status field is set to Enabled for your user store DSA.