Novell eDirectory can function as a policy store. A single directory server instance can function as a:
Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.
Be sure that you have the following installed before beginning:
Consider the following items when working with Policy Store objects in a Novell eDirectory:
A Novell eDirectory DN cannot exceed 256 characters. Some CA SiteMinder® objects can reach 241 characters. If your root DN is longer than 15 characters, some objects can exceed the 256–byte limit.
Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning. You can use the Policy Store Worksheets to record your values.
Specifies the fully-qualified host name or the IP Address of the directory server.
(Optional) Specifies a non-standard port.
Default values: 636 (SSL) and 389 (non-SSL)
Specifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.
Specifies the password for the Administrative DN.
Specifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.
Specifies the pathname of the directory where the SSL client certificate database file resides.
Limit: SSL only
To configure Novell eDirectory as a policy store, complete the following procedures:
Note: You do not have to complete this procedure if you already have a CA SiteMinder® super user password.
Edit the Novell policy store schema file to be sure that it contains your Novell server DN information. You edit the Novell policy store schema file from the Novell Client.
Follow these steps:
Specifies the Policy Server installation path.
ldapsearch -hhost -pport -bbasedn -ssub -Dadmin_DN -wAdminPWd objectclass=ncpServer dn
Specifies the fully qualified host name or the IP Address of the directory server.
Specifies the port on which the LDAP directory server is listening.
Specifies the base DN for the search.
Specifies the DN of the administrator account that can bind to the directory server.
Specifies the password for the administrator account.
Example:
ldapsearch -h192.168.1.47 -p389 -bo=nwqa47container -ssub -dcn=admin,o=nwqa47container -wpassword objectclass=ncpServer dn
The Novell server DN opens.
Example: If your Novell server DN value is cn=servername,o=servercontainer, replace every instance of <ncpserver> with cn=servername,o=servercontainer.
Novell.ldif
Example: If your Novell server DN value is cn=servername,o=servercontainer, replace every instance of <ncpserver> with cn=servername,o=servercontainer.
The Novell policy store schema files contain your Novell server DN information.
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Policy Store
LDAP
Note: You can click Help for a description of fields, controls, and their respective requirements.
Key Store
LDAP
Use Policy Store database
You create the policy store schema so the directory server can function as a policy store and store CA SiteMinder® objects. You use the smldapsetup tool to add the policy store schema.
Follow these steps:
smldapsetup ldmod -v
-fpolicy_server_home\novell\Novell_Add_release.ldif
Specifies the Policy Server installation path.
Turns on tracing and outputs error, warning, and comment messages.
Specifies the CA SiteMinder® release.
smldapsetup ldmod -v -fpolicy_server_home\xps\db\Novell.ldif
The policy store schema is created.
The default CA SiteMinder® administrator account is named:
siteminder
The account has maximum permissions.
We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:
Follow these steps:
Specifies the Policy Server installation path.
Note: The utility is at the top level of the Policy Server installation kit.
smreg -su password
Specifies the password for the default CA SiteMinder® administrator.
Limits:
Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
The password for the default CA SiteMinder® administrator account is set.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.
XPSImport ampolicy.xml -npass
XPSImport fedpolicy-12.52 SP1.xml -npass
The policy store objects are imported.
Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.
You refresh the LDAP server to help ensure that the changes take effect on Novell eDirectory. You use the Novell Client to refresh the LDAP server.
Follow these steps:
The LDAP server is refreshed.
Enable the advanced authentication server as part of configuring your Policy Server.
Follow these steps:
Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
The advanced authentication server is enabled.
You restart the Policy Server for certain settings to take effect.
Follow these steps:
The Policy Server stops as indicated by the red stoplight.
The Policy Server starts as indicated by the green stoplight.
Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.
You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
Follow these steps:
XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Specifies the password for the default CA SiteMinder® super user account (siteminder).
Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum Limit: 15
Maximum Limit: 1440 (24 hours)
(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first time.
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.
Copyright © 2014 CA.
All rights reserved.
|
|