Previous Topic: Novell eDirectory as a Policy StoreNext Topic: Oracle Directory Server as a Policy Store


OpenLDAP as a Policy Store

OpenLDAP can function as a policy store. A single directory server instance can function as a:

Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.

Gather Directory Server Information

Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning. You can use the Policy Store Worksheets to record your values.

Host information

Specifies the fully-qualified host name or the IP Address of the directory server.

Port information

(Optional) Specifies a non-standard port.

Default values: 636 (SSL) and 389 (non-SSL)

Administrative DN

Specifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.

Administrative password

Specifies the password for the Administrative DN.

Policy store root DN

Specifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.

SSL client certificate

Specifies the pathname of the directory where the SSL client certificate database file resides.

Limit: SSL only

How to Configure the Policy Store

Complete the following procedures to configure an OpenLDAP directory server as a policy store:

  1. Configure the sldap configuration file.
  2. Create the database.
  3. Point the Policy Server to the directory server.
  4. Set the CA SiteMinder® superuser password.
  5. Import the policy store data definitions.
  6. Import the default policy store objects.
  7. Prepare for the Administrative UI registration.
How to Configure the Slapd Configuration File

An OpenLDAP directory server requires additional configuration before you can use it as a policy store. The following process lists the configuration steps:

  1. Specify the CA SiteMinder® schema files.
  2. Specify policy store indexing.
  3. Enable user authentication.
  4. Specify database directives.
  5. Support Client-Side Sorting
  6. Test the configuration file.
  7. Restart the OpenLDAP server.

Specify the SiteMinder Schema Files

Specifying the schema files in the include section of the slapd configuration file (slapd.conf) configures the slapd process (the LDAP Directory Server daemon) to read the additional configuration information. The included files must follow the correct slapd configuration file format.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Navigate to siteminder_home/db/tier2/OpenLDAP and copy the following files to the schema folder in the OpenLDAP installation directory:
    siteminder_home

    Specifies the Policy Server installation path.

  3. Navigate to siteminder_home/xps/db and copy the following files to the schema folder in the OpenLDAP installation directory:
  4. Type the following entries in the include section of the slapd configuration file:
    ....
    .....
    include /usr/local/etc/openldap/schema/openldap_attribute.schema
    include /usr/local/etc/openldap/schema/openldap_object.schema
    include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
    include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
    

    Note: This procedure assumes that the OpenLDAP server is located in /usr/local/etc/openldap and that the schema files are located in the schema subdirectory.

    The CA SiteMinder® schema files are specified.

Specify Policy Store Indexing

Specify indexing in the slapd.conf file to use OpenLDAP as a policy store.

Follow these steps:

  1. Stop the slapd instance.
  2. Open the slapd.conf file with a text editor.
  3. Locate the following lines:
    # Indices to maintain
    index   objectClass     eq
    
  4. Insert a new line in the file, and then add the following lines:
    index smAdminOID4 pres,eq
    index smAuthDirOID4 pres,eq
    index smAzDirOID4 pres,eq
    index smcertmapOID4 pres,eq
    index smIsRadius4 pres,eq
    index smIsAffiliate4 pres,eq
    index smParentRealmOID4 pres,eq
    index smPasswordPolicyOID4 pres,eq
    index smAgentGroupOID4 pres,eq
    index smKeyManagementOID4 pres,eq
    index smAgentOID4 pres,eq
    index smAgentKeyOID4 pres,eq
    index smRootConfigOID4 pres,eq
    index smAGAgents4 pres,eq
    index smDomainAdminOIDs4 pres,eq
    index smDomainOID4 pres,eq
    index smvariableoid5 pres,eq
    index smNestedVariableOIDs5 pres,eq
    index smvariabletypeoid5 pres,eq
    index smActiveExprOID5 pres,eq
    index smDomainUDs4 pres,eq
    index smVariableOIDs5 pres,eq
    index smusractiveexproid5 pres,eq
    index smPropertyOID5 pres,eq
    index smPropertySectionOID5 pres,eq
    index smPropertyCollectionOID5 pres,eq
    index smFilterClass4 pres,eq
    index smTaggedStringOID5 pres,eq
    index smNoMatch5 pres,eq
    index smTrustedHostOID5 pres,eq
    index smIs4xTrustedHost5 pres,eq
    index smDomainMode5 pres,eq
    # index smImsEnvironmentOIDs5 pres,eq
    index smSecretRolloverEnabled6 pres,eq
    index smSecretGenTime6 pres,eq
    index smSecretUsedTime6 pres,eq
    index smSharedSecretPolicyOID6 pres,eq
    index smFilterPath4 pres,eq
    index smPolicyLinkOID4 pres,eq
    index smIPAddress4 pres,eq
    index smRealmOID4 pres,eq
    index smSelfRegOID4 pres,eq
    index smAzUserDirOID4 pres,eq
    index smResourceType4  pres,eq
    index smResponseAttrOID4 pres,eq
    index smResponseGroupOID4  pres,eq
    index smResponseOID4     pres,eq
    index smRGResponses4 pres,eq
    index smRGRules4     pres,eq
    index smRuleGroupOID4 pres,eq
    index smRuleOID4   pres,eq
    index smSchemeOID4 pres,eq
    index smisTemplate4  pres,eq
    index smisUsedbyAdmin4 pres,eq
    index smSchemeType4   pres,eq
    index smUserDirectoryOID4 pres,eq
    index smODBCQueryOID4 pres,eq
    index smUserPolicyOID4 pres,eq
    index smAgentTypeAttrOID4 pres,eq
    index smAgentTypeOID4 pres,eq
    index smAgentTyperfcid4 pres,eq
    index smAgentTypeType4 pres,eq
    index smAgentCommandOID4 pres,eq
    index smTimeStamp4     pres,eq
    index smServerCommandOID4 pres,eq
    index smAuthAzMapOID4 pres,eq
    index xpsParameter pres,eq
    index xpsValue  pres,eq
    index xpsNumber pres,eq
    index xpsCategory pres,eq
    index xpsGUID pres,eq
    index xpsSortKey pres,eq
    index xpsIndexedObject pres,eq
    
  5. Save the file and close the text editor.
  6. Run the following command:
    slapindex -f slapd.conf
    
  7. Restart the slapd instance.

    The policy store indexing for OpenLDAP is specified.

Enable User Authentication

Enabling user authentication ensures that you can protect resources with a supported authentication scheme.

To enable user authentication, add the following to the slapd configuration file:

access to attrs=userpassword
by self write
by anonymous auth
by * none

Specify Database Directives

The slapd configuration file requires values for additional database directives.

To specify the directives, edit the following:

database

Specify any supported backend type.

Example: bdb

suffix

Specify the database suffix.

Example: dc=example,dc=com

rootdn

Specify the DN of root.

Example: cn=Manager,dc=example,dc=com

rootpw

Specify the password to root.

directory

Specify the path of the database directory.

Example: /usr/local/var/openldap-data

Note: The database directory must exist prior to running slapd and should only be accessible to the slapd process.

Support Client-Side Sorting

OpenLDAP is the only supported LDAP directory that does not support server-side sorting. Instead, OpenLDAP requires that all sorting be performed on the client side. To accomplish this, all XPS objects are retrieved at start-up using server-side paging.

To support client-side sorting, the OpenLDAP directory administrator must configure the following settings in the slapd.conf file:

Follow these steps:

  1. Add the following lines to the slapd.conf file:
    access to *
    by users read
    by anonymous read
    access to dn.base=ACL by users read
    
    ACL

    Specifies an access control list or list of permissions.

    Note: For more information on how to specify the ACL, see http://www.openldap.org/doc/admin24/access-control.html.

  2. Verify that the value specified by the sizelimit directive in the slapd.conf file >= 500:
    sizelimit 500
    

    Note: The default sizelimit value is 500. For more information, see http://www.openldap.org/doc/admin24/slapdconfig.html.

  3. Add the following line to the slapd.conf file:
    allow bind_v2
    

The slapd.conf file is configured to support client-side sorting.

Test the Configuration File

Testing the configuration file ensures that it is correctly formatted.

Follow these steps:

  1. Change the directory to the OpenLDAP server directory.
  2. Run the following command:
    ./slapd
    

    Note: Unless you specified a debugging level, including level 0, slapd automatically forks, detaches itself from its controlling terminal, and runs in the background.

  3. Run the following command:
     ./slapd -Tt
    

    The slapd configuration file is tested.

Restart the OpenLDAP Server

Restarting the OpenLDAP directory server loads the SiteMinder schema. The Policy Server requires that the SiteMinder schema is loaded before you can use the directory server as a policy store.

Follow these steps:

  1. Stop the directory server using the following command:
    kill -INT 'cat path_of_var/run_directory/slapd.pid`
    
    path_of_var/run_directory

    Specifies the path of the database directory.

    Example: kill -INT `cat /usr/local/var/run/slapd.pid`

  2. Start the directory server using the following command:
    ./slapd
    
How to Create the Database

The following process lists the steps for creating the directory server database for the policy store:

  1. Create the base tree structure.
  2. Add entries.

Create the Base Tree Structure

You can create a base tree structure to store policy store objects.

Specify the following entry under the root DN:

ou=Netegrity,ou=SiteMinder,ou=PolicySvr4,ou=XPS

The base tree structure is created.

Add Entries

Add entries to the directory server so that CA SiteMinder® has the necessary organization and organizational role information.

Follow these steps:

  1. Create an LDIF file.

    Example: The following example contains an organization entry and an organizational role entry for the entries.ldif.

    # CA, example.com
    dn: ou=Netegrity,dc= example,dc=com
    ou: CA
    objectClass: organizationalUnit
    objectClass: top
    
    
    # SiteMinder, CA, example.com
    dn: ou=SiteMinder,ou=CA,dc= example,dc=com
    ou: SiteMinder
    objectClass: organizationalUnit
    objectClass: top
    
    
    # PolicySvr4, SiteMinder, CA, example.com
    dn: ou=PolicySvr4,ou=SiteMinder,ou=CA,dc= example,dc=com
    ou: PolicySvr4
    objectClass: organizationalUnit
    objectClass: top
    
    
    # XPS, policysvr4, siteminder, ca, example.com
    dn: ou=XPS,ou=policysvr4,ou=siteminder,ou=ca,dc= example,dc=com
    ou: XPS
    objectClass: organizationalUnit
    objectClass: top
    
  2. Use the following command to add the entries.
    ldapadd -f <file_name.ldif> -D "cn=Manager,dc=example,dc=com"
    
    -w<password>
    
Point the Policy Server to the Policy Store

You point the Policy Server to the policy store so the Policy Server can access the policy store.

Follow these steps:

  1. Open the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Click the Data tab.
  3. Select the following value from the Database list:
    Policy Store
    
  4. Select the following value from the Storage list:
    LDAP
    
  5. Configure the following settings in the LDAP Policy Store group box.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
  8. Select the following value from the Database list:
    Key Store
    
  9. Select the following value from the Storage list:
    LDAP
    
  10. Select the following option:
    Use Policy Store database
    
  11. Click OK.
Set the CA SiteMinder® Super User Password

The default CA SiteMinder® administrator account is named:

siteminder

The account has maximum permissions.

We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:

Follow these steps:

  1. Copy the smreg utility to siteminder_home\bin.
    siteminder_home

    Specifies the Policy Server installation path.

    Note: The utility is at the top level of the Policy Server installation kit.

  2. Run the following command:
    smreg -su password
    
    password

    Specifies the password for the default CA SiteMinder® administrator.

    Limits:

    Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.

  3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

    The password for the default CA SiteMinder® administrator account is set.

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\xps\dd.
    siteminder_home

    Specifies the Policy Server installation path.

  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    
    XPSDDInstall

    Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

Follow these steps:

  1. Open a command window and navigate to siteminder_home\db.
  2. Import one of the following files:

    The policy store objects are imported.

Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Enable the Advanced Authentication Server

Enable the advanced authentication server as part of configuring your Policy Server.

Follow these steps:

  1. Start the Policy Server configuration wizard.
  2. Leave all the check boxes in the first screen of the wizard cleared.
  3. Click Next.
  4. Create the master encryption key for the advanced authentication server.

    Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.

  5. Complete the rest of the Policy Server configuration wizard.

    The advanced authentication server is enabled.

Prepare for the Administrative UI Registration

You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following items:

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command:
    XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
    
    passphrase

    Specifies the password for the default CA SiteMinder® super user account (siteminder).

    Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.

    -adminui–setup

    Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

    -t timeout

    (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

    Unit of measurement: minutes

    Default: 240 (4 hours)

    Minimum Limit: 15

    Maximum Limit: 1440 (24 hours)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first time.

    Default: 1

    Maximum Limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log path

    (Optional) Specifies where the registration log file must be exported.

    Default: siteminder_home\log

    siteminder_home

    Specifies the Policy Server installation path.

    -e error_path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

  3. Press Enter.

    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.