Complete the following steps to configure a connection to an external administrator store.
Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.
Before you configure an external administrator store connection, consider the following items:
Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.
Use the external super user to delegate permissions to new Administrators.
Important! If multiple Administrative UI instances use the same external administrator store, enter the same network identifier for every connection. Mixing network identifiers for multiple connections to the same store is not supported.
Example: If you configured the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configured the first connection with comp001@example.com, create subsequent connections with comp001@example.com.
If you are configuring the external administrator store connection over SSL, consider the following items:
Note: For more information about configuring the directory server for SSL, see your vendor–specific documentation.
Note: For more information about implementing a certificate database, see your vendor–specific documentation.
If you are configuring a connection to a directory server, gather the following information:
If you are configuring a connection to a database, gather the following information:
Important! If you are configuring a connection to Oracle, be sure to set the default schema for this user. The default schema must be the schema that is associated with the table that contains the administrative users. If you do not set the default schema for this user, the Administrative Authentication wizard cannot locate users in the database.
If you are configuring a connection to a relational database, the Administrative UI requires a JDBC data source to communicate with the administrator store. A utility is required to create the data source. If you installed the Administrative UI using the stand-alone option, the smjdbcsetup utility is provided for you.
Note: If you installed the Administrative UI to an existing application server, see your vendor-specific documentation for information about deploying a JDBC data source. If you are deploying a data source to WebSphere, verify that the JNDI name, under the datasource properties, is prefixed with the following text:
jdbc/
Example: If the datasource name is abc, then the JNDI name is jdbc/abc.
Follow these steps:
Note: For more information about stopping the service, see the Policy Server Installation Guide.
admin_ui_home
Specifies the Administrative UI installation path.
Windows: smjdbcsetup.bat
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
UNIX: smjdbcsetup.sh
The utility prompts you for a unique identifier. The utility appends the identifier to the data source.
The utility prompts you for a database driver type. The driver types are prefixed with a number.
The utility prompts you for the name of the database host system.
The utility prompts you for the port on which the database is listening.
The utility prompts you for the database user account name.
Note: This user account must have read/write permissions to the database.
The utility prompts you for the password of the database user.
The connection details appear.
The utility deploys the data source to admin_ui_home\CA\SiteMinder\adminui\server\default\deploy and prompts you to restart the CA SiteMinder® Administrative UI service.
admin_ui_home
Specifies the Administrative UI installation path.
Note: Restarting the CA SiteMinder® Administrative UI service is required before you can use the data source to create the connection.
The data source is configured and the utility exits.
Configure the connection to change the source of administrator identities from the policy store to an external directory server.
To configure the external directory server connection with CA SiteMinder® authentication
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Be sure to select an agent that is configured to function with a reverse proxy server.
The wizard prompts you for connection details.
Important! If multiple Administrative UI instances are to use the same administrator authentication store, take note of the network identifier you enter. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.
Example: If you configure the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configure the first connection with comp001@example.com, create subsequent connections with comp001@example.com.
Important! If you are configuring the connection over SSL, be sure to enter an SSL–enabled port. If you do not enter an SSL–enabled port, the Administrative Authentication wizard becomes unresponsive when you click Next.
Note: The directory server must be configured to communicate over SSL. For more information about configuring the directory server for SSL, see your vendor–specific documentation.
Note: This user must have read/write permissions to the directory server.
The wizard prompts you for object class information.
The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the attributes in your directory server that are likely to identify each attribute.
The wizard prompts you to search for a user.
Important! Do not map to an attribute that the directory server or any other application writes to. Otherwise, you might always be redirected to the /logout.jsp page and be unable to log in to the Administrative UI.
Users matching the search criteria appear.
Note: You can only select one user. The user you select becomes the superuser when the connection is configured.
A summary page appears.
The connection to the external store is configured.
Important! After you configure an external administrator store, restart the application server manually before you log in with the new administrator credentials.
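The following pre-flight check is an added example; it is not part of the CA SiteMinder® documentation or tools. Before you run the wizard, use it to confirm that the port you intend to enter actually completes a TLS handshake: a plaintext LDAP port that receives a TLS ClientHello usually waits for a BER message that never arrives and answers nothing, which is the unresponsive wizard described above. The probe assumes Python 3 on the host that runs the Administrative UI and checks only the protocol, not the server certificate. The start_fake_listener and closed_port helpers are constructed localhost stand-ins so the example runs without a directory server; point probe_tls_port at your real directory host and port to use it.

```python
import socket
import ssl
import threading


def probe_tls_port(host, port, timeout=5.0):
    """Classify what listens on host:port before the wizard is pointed at it.

    Returns one of:
      'tls <version>'  the peer completed a TLS handshake (an SSL-enabled port)
      'plaintext'      the peer answered or hung up without speaking TLS
      'closed'         the connection was refused (nothing listening)
      'timeout'        the peer accepted the connection but never answered the
                       ClientHello, which is how a plaintext LDAP port behaves
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "timeout"

    # Only the protocol is probed here. Certificate validation is disabled on
    # purpose for the probe and must stay enabled in any real client.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls " + tls.version()
    except socket.timeout:
        return "timeout"
    except OSError:  # ssl.SSLError, EOF and connection resets all land here
        return "plaintext"
    finally:
        raw.close()


def start_fake_listener(reply=None, hold_open=False):
    """Constructed localhost stand-in for a directory port (not a real LDAP server).

    reply      bytes sent back immediately, imitating a non-TLS service that talks first
    hold_open  accept, read the ClientHello and then stay silent, imitating a
               plaintext LDAP port that waits for a BER message it never gets
    Returns the port number the listener is bound to.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if hold_open:
                conn.recv(4096)  # swallow the ClientHello...
                conn.recv(4096)  # ...then block until the client gives up and closes
            elif reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve and release a localhost port so that nothing is listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Replace the constructed listeners with your directory host and SSL port.
    print(probe_tls_port("127.0.0.1", start_fake_listener(reply=b"not tls\r\n")))
    print(probe_tls_port("127.0.0.1", start_fake_listener(hold_open=True), timeout=2.0))
    print(probe_tls_port("127.0.0.1", closed_port()))
```

Only a result beginning with "tls" is a port you should enter in the wizard. A "timeout" result against a real directory host is the case the Important! note above warns about: the port is open but is not SSL-enabled.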
Configure the connection to change the source of administrator identities from the policy store to an external relational database.
To configure the external database connection with CA SiteMinder® authentication
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Be sure to select an agent that is configured to function with a reverse proxy server.
The wizard prompts you to select a data source.
Note: If data sources do not appear, click Cancel and deploy a JDBC data source to the application server. You cannot create the connection without a deployed data source.
The wizard prompts you to select the user table that contains the CA SiteMinder® administrators.
The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the column names in the database that are likely to identify each attribute.
The wizard prompts you for the SQL query that returns the display name of an administrator from the user ID.
Note: Leave the question mark (?) at the end of the query. It is the bind parameter that receives the user ID at run time; do not replace it with a literal or a concatenated value.
Example: select SmUser.FirstName + ' ' + SmUser.LastName from SmUser where SmUser.UserID = ?
Note: The + string concatenation in this example is SQL Server syntax. Oracle uses || instead.
The wizard prompts you to search for a user.
Users matching the search criteria appear in Search Results.
Note: The user you select becomes the super user when the connection is configured.
A summary page appears.
The connection to the external store is configured.
Important! After you configure an external administrator store, restart the application server manually before you log in with the new administrator credentials.
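The trailing ? in the wizard query is a JDBC bind parameter: the driver sends the user ID to the database separately from the SQL text, so a user ID can never be read as SQL. The following added example (not part of the CA SiteMinder® documentation or product) runs the same query shape against a constructed in-memory SQLite table named SmUser and contrasts keeping the placeholder with splicing the value into the string, which is the mistake the note warns against. SQLite spells string concatenation || rather than SQL Server's +; that is the only change to the query, and the rows are constructed sample data.

```python
import sqlite3

# Constructed rows standing in for the SmUser administrator table; the column
# names follow the page's example query.
SAMPLE_ADMINS = [
    ("alice", "Alice", "Andrews"),
    ("bob", "Bob", "Baker"),
]

# The page's lookup query with its trailing ? kept as the bind parameter.
# SQLite concatenates with || where SQL Server uses +; nothing else differs.
LOOKUP_QUERY = (
    "select SmUser.FirstName || ' ' || SmUser.LastName "
    "from SmUser where SmUser.UserID = ?"
)


def build_sample_db():
    """Create an in-memory SmUser table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SmUser (UserID TEXT PRIMARY KEY, FirstName TEXT, LastName TEXT)"
    )
    conn.executemany("INSERT INTO SmUser VALUES (?, ?, ?)", SAMPLE_ADMINS)
    conn.commit()
    return conn


def lookup_display_name(conn, user_id):
    """Look up an administrator the way the wizard query does: the user ID is
    bound to the ? and travels outside the SQL text, so it cannot alter the query."""
    rows = conn.execute(LOOKUP_QUERY, (user_id,)).fetchall()
    return sorted(r[0] for r in rows)


def lookup_display_name_spliced(conn, user_id):
    """The mistake the note warns against: the ? replaced by the value itself.
    Kept only to show why the placeholder matters; never do this in a real query."""
    spliced = LOOKUP_QUERY.replace("?", "'" + user_id + "'")
    rows = conn.execute(spliced).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_sample_db()
    hostile = "' OR '1'='1"
    print(lookup_display_name(db, "alice"))          # ['Alice Andrews']
    print(lookup_display_name(db, hostile))          # []
    print(lookup_display_name_spliced(db, hostile))  # ['Alice Andrews', 'Bob Baker']
```

With the placeholder kept, the hostile string is simply a user ID that matches nobody. With the value spliced into the text, the same string turns the WHERE clause into one that is true for every row, which is why the wizard insists that the ? stays at the end of the query.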
If a Legacy Administrator must continue using the Administrative UI or Policy Server tools after configuring a connection to an external administrator store, migrate the permissions.
Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, Policy Server tools, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in one or more of these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.
Follow these steps:
Note: Be sure that the administrator is present in the external store. Log in to the Administrative UI using the external super user.
The Administrators page appears.
Users matching the search criteria appear.
The View Administrator page appears. The user path points to the policy store.
The settings and controls become active.
The Select a User page appears.
Users matching the specified criteria appear.
The user path is updated to point to the external store.
The Administrative UI authenticates the administrator using the external store. The administrator has the same level of access to the Administrative UI as when the policy store was used to store administrator identities.
If the credentials that the Administrative UI uses to connect to the external administrator store change, submit the new credentials to the Administrative UI; otherwise, CA SiteMinder® administrator authentication fails.
If you installed the Administrative UI using the stand–alone option, two utilities are provided for you:
Note: To update the directory server host system name or port information, use the Administrative UI to re–create the connection to the external administrator store. The smjndisetup utility cannot update host or port information.
Note: To update the database host system name or port information, use the smjdbcsetup utility to re–deploy the JNDI data source.
If you installed the Administrative UI to an existing application server infrastructure, consider the following items:
Important! After you use the wizard to update the credentials, update the credentials on the directory server as soon as possible. Administrators cannot log in to the Administrative UI until the directory server credentials are updated to match the credentials you supplied using the wizard.
Use the smjndisetup utility to update directory manager credentials.
Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.
To update directory server credentials
Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.
admin_ui_home
Specifies the Administrative UI installation path.
Windows: smjndisetup.bat --reset-password
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
UNIX: smjndisetup.sh --reset-password
The utility prompts you for the user name.
The utility prompts you for the password of the user.
The utility verifies the credentials and prompts you to update the directory connection credentials.
Note: For more information about starting the Administrative UI service, see the Policy Server Installation Guide.
Use the smjdbcsetup utility to update database user credentials in the JNDI data source.
To update database credentials
Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.
admin_ui_home
Specifies the Administrative UI installation path.
Windows: smjdbcsetup.bat --reset-password
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
UNIX: smjdbcsetup.sh --reset-password
The utility prompts you to enter a unique identifier.
Note: If you do not know the data source name, you can locate all deployed data sources in administrative_ui_home\SiteMinder\adminui\server\default\deploy.
administrative_ui_home
Specifies the Administrative UI installation path.
The utility prompts you for the database user name.
The utility prompts you for the user password.
The utility prompts you to verify the new data source credentials and verify that they can be updated.
The utility updates the data source.
Note: For more information about starting the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.
Run the Administrative Authentication wizard again to change the external store to which the Administrative UI connects for administrator authentication.
Copyright © 2013 CA.
All rights reserved.