Previous Topic: IBM Tivoli Directory Server as a Policy StoreNext Topic: Novell eDirectory as a Policy Store


Microsoft Active Directory LDS as a Policy Store

Microsoft Active Directory LDS can function as a policy store. A single directory server instance can function as a:

Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.

Note: You can use the Policy Server Configuration wizard to configure this type of LDAP directory server as a policy store automatically.

Active Directory LDS Prerequisite

Only an administrative user in the configuration partition can import the policy store schema. This user must have administrative rights over the configuration partition and all application partitions, including the policy store partition.

Follow these steps:

  1. Open the ADSI Edit console.
  2. Navigate to the following in the configuration partition:
    cn=directory service, cn=windows nt,
    cn=services, cn=configuration, cn={guid}
    
  3. Locate the msDS-Other-Settings attribute.
  4. Add the following new value to the msDS-Other-Settings attribute:
    ADAMAllowADAMSecurityPrincipalsInConfigPartition=1
    
  5. In the configuration and policy store application partitions:
    1. Navigate to CN=Administrators, CN=Roles.
    2. Open the properties of CN=Administrators.
    3. Edit the member attribute.
    4. Click Add DN and paste the full DN of the user you created in the configuration partition.
    5. Go to the properties of the user you created and verify the value for the following object:
      msDS-UserAccountDisabled
      

      Be sure that the value is set false.

    The administrative user has rights over the configuration partition and all application partitions, including the policy store partition.

Gather Directory Server Information

Configuring Active Directory LDS as a policy store requires specific directory server information. Gather the following information before configuring the policy store.

How to Configure the Policy Store

To configure Active Directory LDS as a policy store, complete the following procedures:

  1. Be sure that you have met the Active Directory LDS prerequisite.
  2. Be sure that you have gathered the required information.
  3. Point the Policy Server to the directory server.
  4. Create the policy store schema.
  5. Set the CA SiteMinder® superuser password.
  6. Import the policy store data definitions.
  7. Import the default CA SiteMinder® objects.
  8. Restart the Policy Server.
  9. Prepare for the Administrative UI registration.
Point the Policy Server to the Policy Store

You point the Policy Server to the policy store so the Policy Server can access the policy store.

Note: The Policy Server can bind to an AD LDS policy store using a proxy object. A proxy object is created on AD LDS and is associated with an Active Directory account through the Security Identifier of the account. For more information about binding to an AD LDS instance using a proxy object, see the Microsoft documentation. If you configure a Policy Server connection using a proxy object and plan on using password policies, configure AD LDS for SSL.

Follow these steps:

  1. Open the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Click the Data tab.
  3. Select the following value from the Database list:
    Policy Store
    
  4. Select the following value from the Storage list:
    LDAP
    
  5. Configure the following settings in the LDAP Policy Store group box.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
  8. Select the following value from the Database list:
    Key Store
    
  9. Select the following option:
    Use Policy Store database
    
  10. Click OK.
Create the Policy Store Schema

You create the policy store schema so the directory server can function as a policy store and store CA SiteMinder® objects.

Follow these steps:

  1. Run the following command:
    smldapsetup ldgen -ffile_name
    
    file_name

    Specifies the name of the LDIF file you are creating.

    An LDIF file with the CA SiteMinder® schema is created.

  2. Run the following command:
    smldapsetup ldmod -ffile_name
    
    file_name

    Specifies the name of the LDIF you created.

    smldapsetup imports the policy store schema.

  3. Navigate to siteminder_home\xps\db and open the following file:
    ADLDS.ldif
    
    siteminder_home

    Specifies the Policy Server installation path.

  4. Replace each instance of {guid} with the actual value of guid in braces and save the file.

    Example: {CF151EA3-53A0-44A4-B4AC-DA0EBB1FF200}

  5. Run the following command:
    smldapsetup ldmod -fsiteminder_home\xps\db\ADLDS.ldif
    

    The policy store schema is extended. You have created the policy store schema.

Set the CA SiteMinder® Super User Password

The default CA SiteMinder® administrator account is named:

siteminder

The account has maximum permissions.

We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:

Follow these steps:

  1. Copy the smreg utility to siteminder_home\bin.
    siteminder_home

    Specifies the Policy Server installation path.

    Note: The utility is at the top level of the Policy Server installation kit.

  2. Run the following command:
    smreg -su password
    
    password

    Specifies the password for the default CA SiteMinder® administrator.

    Limits:

    Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.

  3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

    The password for the default CA SiteMinder® administrator account is set.

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\xps\dd.
    siteminder_home

    Specifies the Policy Server installation path.

  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    
    XPSDDInstall

    Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

Follow these steps:

  1. Open a command window and navigate to siteminder_home\db.
  2. Import one of the following files:

    The policy store objects are imported.

Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Enable the Advanced Authentication Server

Enable the advanced authentication server as part of configuring your Policy Server.

Follow these steps:

  1. Start the Policy Server configuration wizard.
  2. Leave all the check boxes in the first screen of the wizard cleared.
  3. Click Next.
  4. Create the master encryption key for the advanced authentication server.

    Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.

  5. Complete the rest of the Policy Server configuration wizard.

    The advanced authentication server is enabled.

Restart the Policy Server

You restart the Policy Server for certain settings to take effect.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Click the Status tab, and click Stop in the Policy Server group box.

    The Policy Server stops as indicated by the red stoplight.

  3. Click Start.

    The Policy Server starts as indicated by the green stoplight.

    Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.

Prepare for the Administrative UI Registration

You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following items:

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command:
    XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
    
    passphrase

    Specifies the password for the default CA SiteMinder® super user account (siteminder).

    Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.

    -adminui–setup

    Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

    -t timeout

    (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

    Unit of measurement: minutes

    Default: 240 (4 hours)

    Minimum Limit: 15

    Maximum Limit: 1440 (24 hours)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging in to the Administrative UI for the first time.

    Default: 1

    Maximum Limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log path

    (Optional) Specifies where the registration log file must be exported.

    Default: siteminder_home\log

    siteminder_home

    Specifies the Policy Server installation path.

    -e error_path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

  3. Press Enter.

    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first–time.