A MySQL policy store can also function as:
Note: Session information is stored in a separate database. Do not use the policy store to store session information.
Using a single database simplifies administration tasks. The following sections provide instruction on how to configure a single database server.
Gather the following information before configuring the policy store or any other type of CA SiteMinder® data store:
Be sure that you have gathered the required database information before beginning the policy store setup.
Follow these steps:
You create the CA SiteMinder® schema so that the MySQL database can store the policy, key, and audit logging information.
Follow these steps:
siteminder_home\db\tier2\MySQL.
Specifies the Policy Server installation path.
DROP FUNCTION IF EXISTS `databaseName`.`getdate` $$ CREATE FUNCTION `databaseName`.`getdate` () RETURNS DATE
The policy and key store schema are added to the database.
siteminder_home\xps\db\Tier2DirSupport\MySQL
The policy store schema is extended.
sm_mysql_logs.sql
The database can store CA SiteMinder® data.
Note: You are not required to configure the policy store to store more CA SiteMinder® data. You can configure individual databases to function as a separate audit log database, key store, and session store.
You configure a data source to let the Policy Server communicate with the CA SiteMinder® data store.
Note: If you are using MySQL 5.1.x, ensure that you assign the TRIGGER permission to the user name that is used to create the DSN.
Create a MySQL Data Source on Windows
You create a MySQL data source for the MySQL wire protocol driver.
Follow these steps:
The ODBC Data Source Administrator appears.
Example:
CA SiteMinder® MySQL Wire Data Source
The data source is created and appears in the System Data Sources list.
Note: You can now point the Policy Server to the CA SiteMinder® data store.
Create a MySQL Data Source on UNIX Systems
The CA SiteMinder® ODBC data sources are configured using a system_odbc.ini file, which you create by renaming mysqlwire.ini to system_odbc.ini. The mysqlwire.ini file is located in siteminder_home/db.
Specifies the Policy Server installation path.
This system_odbc.ini file contains all of the names of the available ODBC data sources and the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add other data sources to this file, such as defining other ODBC user directories for CA SiteMinder®.
The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.
Note: The value of the first line of data source entry is required when you configure the database as a policy store.
Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver that is loaded when CA SiteMinder® uses this data source. The remaining attributes are specific to the driver.
Adding a MySQL Server Data source includes:
Update the system_odbc.ini file when creating a new service name. You have entries for the MySQL driver under [CA SiteMinder® Data Source].
Again, to configure a MySQL Server data source, you create the system_odbc.ini file by renaming mysqlwire.ini to system_odbc.ini.
Create the MySQL Wire Protocol Driver
You configure the wire protocol driver to specify the settings CA SiteMinder® uses to connect to the database.
Note: This procedure only applies if the Policy Server is installed on a UNIX system. If you have not already done so, copy one of the following files and rename it system_odbc.ini. The file you rename depends on the database vendor you are configuring as a CA SiteMinder® data store.
These files are located in siteminder_home/db
The system_odbc.ini file contains the following sections. The data source that you are configuring determine the section or sections that you edit:
Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the policy store.
Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the audit log database.
Specifies the settings CA SiteMinder® is to connect to the database functioning as the key store.
Specifies the settings CA SiteMinder® is to connect to the database functioning as the session store.
Specifies the settings CA SiteMinder® is to connect to the database functioning as the sample user data store.
Follow these steps:
SiteMinder Data Source=DataDirect 7.1 MySQL Wire Protocol
Driver=nete_ps_root/odbc/lib/NSmysql27.so Description=DataDirect 7.1 MySQL Wire Protocol Database=database_name HostName=host_name LogonID=root_user Password=root_user_password PortNumber=mysql_port
Note: When editing data source information, do not use the pound sign (#). Entering a pound sign comments the information, which truncates the value. The truncated value can cause ODBC connections to fail.
Specifies the Policy Server installation path. Enter this value as an explicit path, rather than one with an environment variable.
Example: /export/smuser/siteminder
Specifies the name of the MySQL database that is to function as the CA SiteMinder® data store.
Specifies the name of the MySQL database host system.
Specifies the login ID of the MySQL root user.
Specifies the password for the MySQL root user.
Specifies the port on which the MySQL database is listening.
The wire protocol driver is configured.
You point the Policy Server to the database so the Policy Server can access the CA SiteMinder® data in the policy store.
Follow these steps:
ODBC
Policy Store
Note: We recommend retaining the 25 connection default for best performance.
Key Store
ODBC
Use the Policy Store database
Audit Logs
ODBC
Use the Policy Store database
The Policy Server is configured to use the database as a policy store, key store, and logging database.
The default CA SiteMinder® administrator account is named:
siteminder
The account has maximum permissions.
We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:
Follow these steps:
Specifies the Policy Server installation path.
Note: The utility is at the top level of the Policy Server installation kit.
smreg -su password
Specifies the password for the default CA SiteMinder® administrator.
Limits:
Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
The password for the default CA SiteMinder® administrator account is set.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.
XPSImport ampolicy.xml -npass
XPSImport fedpolicy-12.52 SP1.xml -npass
The policy store objects are imported.
Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Enable the advanced authentication server as part of configuring your Policy Server.
Follow these steps:
Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
The advanced authentication server is enabled.
You restart the Policy Server for certain settings to take effect.
Follow these steps:
The Policy Server stops as indicated by the red stoplight.
The Policy Server starts as indicated by the green stoplight.
Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.
You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
Follow these steps:
XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Specifies the password for the default CA SiteMinder® super user account (siteminder).
Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum Limit: 15
Maximum Limit: 1440 (24 hours)
(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first time.
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.
Copyright © 2014 CA.
All rights reserved.
|
|