

How to Configure an External Administrator Store

Complete the following steps to configure a connection to an external administrator store.

  1. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, configure an agent to function with a reverse proxy server.

    Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.

  2. Review the external administrator store considerations.
  3. Review the SSL considerations.
  4. Depending on your store type, do the following:
  5. Configure the connection to the external administrator store.
  6. (Optional) Migrate Legacy Administrator Administrative UI permissions.

External Administrator Store Considerations

Before you configure an external administrator store connection, consider the following items:

SSL Considerations

If you are configuring the external administrator store connection over SSL, consider the following items:

Gather Directory Server Information

If you are configuring a connection to a directory server, gather the following information:

Gather Database Information

If you are configuring a connection to a database, gather the following information:

Deploy a JDBC Data Source

If you are configuring a connection to a relational database, the Administrative UI requires a JDBC data source to communicate with the administrator store. A utility is required to create the data source. If you installed the Administrative UI using the stand-alone option, the smjdbcsetup utility is provided for you.

Note: If you installed the Administrative UI to an existing application server, see your vendor-specific documentation for information about deploying a JDBC data source. If you are deploying a data source to WebSphere, verify that the JNDI name, under the datasource properties, is prefixed with the following text:

jdbc/

Example: If the datasource name is abc, then the JNDI name is jdbc/abc.

Follow these steps:

  1. Log in to the Administrative UI host system.
  2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

    Note: For more information about stopping the service, see the Policy Server Installation Guide.

  3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.
    administrative_ui_home

    Specifies the Administrative UI installation path.

  4. Run one of the following commands:

    The utility prompts you for a unique identifier. The utility appends the identifier to the data source.

  5. Type a value and press Enter.

    The utility prompts you for a database driver type. The driver types are prefixed with a number.

  6. Type a number to select a driver type and press Enter.

    The utility prompts you for the name of the database host system.

  7. Type the database host name and press Enter.

    The utility prompts you for the port on which the database is listening.

  8. Type the database port and press Enter.
  9. Type the database name or the service name and press Enter.

    The utility prompts you for the database user account name.

  10. Type the database user account name and press Enter.

    Note: This user account must have read/write permissions to the database.

    The utility prompts you for the password of the database user.

  11. Type the password and press Enter.

    The connection details appear.

  12. Review the details and do one of the following steps:
  13. Do one of the following steps:

    The data source is configured and the utility exits.

Configure an LDAP Administrator Store Connection

Configure the connection to change the source of administrator identities from the policy store to the external store.

To configure the external store connection with CA SiteMinder® authentication

  1. Click Administration, Admin UI.
  2. Click Configure Administrative Authentication.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, select an agent from the drop-down list and click Next.

    Be sure to select an agent that is configured to function with a reverse proxy server.

  4. Select a directory server vendor from the Directory type list and click Next.

    The wizard prompts you for connection details.

  5. Do the following:
    1. Type the IP address or the fully qualified domain name of the directory server host system in the Host field.

      Important! If multiple Administrative UI instances are to use the same administrator authentication store, take note of the network identifier you enter. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.

      Example: If you configure the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configure the first connection with comp001@example.com, create subsequent connections with comp001@example.com.

    2. Type the port on which the directory server is listening in the Port field.

      Important! If you are configuring the connection over SSL, be sure to enter an SSL-enabled port. If you do not enter an SSL-enabled port, the Administrative Authentication wizard becomes unresponsive when you click Next.

    3. (Optional) Select Use SSL and upload a Certificate Authority (CA) certificate to enable SSL communication between the Administrative UI and the administrator store.

      Note: The directory server must be configured to communicate over SSL. For more information about configuring the directory server for SSL, see your vendor-specific documentation.

    4. Type the common name and password of a directory server user in the respective fields.

      Note: This user must have read/write permissions to the directory server.

    5. Click Next.

    The wizard prompts you for object class information.

  6. Do the following:
    1. Type the directory server search root in the Search Root field.
    2. Use the shuttle controls to add and remove the object classes that apply to the CA SiteMinder® administrators.
    3. Click Next.

    The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the attributes in your directory server that are likely to identify each attribute.

  7. Select the mnemonic attribute string that maps to each of the required attributes and click Next.

    The wizard prompts you to search for a user.

    Important! Do not point to any attribute that is used or written to by the LDAP or any other applications. Otherwise, you may always be redirected to the /logout.jsp page and be unable to log in to the Administrative UI.

  8. Enter all or part of the user name in the Keywords field.

    Users matching the search criteria appear.

  9. Select a user and click Next.

    Note: You can only select one user. The user you select becomes the superuser when the connection is configured.

    A summary page appears.

  10. Confirm the connection details and click Finish.

    The connection to the external store is configured.

Important! After you configure an external administrator store, restart the application server manually before you log in with the new administrator credentials.
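
The following pre-check is an added example, not part of the CA SiteMinder® documentation or tooling. It tests whether the port you plan to type in the Port field is SSL-enabled and whether the CA certificate you plan to upload validates the directory server, before you run the wizard. The function name check_ldaps_port and the host, port, and file names in the usage lines are assumptions.

```python
import socket
import ssl


def check_ldaps_port(host, port, ca_file=None, timeout=5.0):
    """Classify host:port before entering it in the wizard's Host/Port fields.

    Returns "unreachable", "not-ssl", "untrusted", or "ok".
    ca_file is the CA certificate intended for the Use SSL upload step;
    when it is None the system trust store is used instead.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"      # nothing listening, filtered, or bad name

    # Default context: certificate chain and host name are both verified.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return "ok"           # handshake completed and peer verified
    except ssl.SSLCertVerificationError:
        # The port speaks SSL/TLS, but ca_file does not vouch for the
        # server certificate (wrong CA, expired, or host name mismatch).
        return "untrusted"
    except (ssl.SSLError, OSError):
        # A non-SSL listener answers the ClientHello with a non-TLS reply,
        # a reset, or silence until the timeout expires.
        return "not-ssl"


if __name__ == "__main__":
    # Constructed values: replace with your directory host, port and CA file.
    result = check_ldaps_port("ldap.example.com", 636, ca_file="directory-ca.pem")
    print("ldap.example.com:636 ->", result)
```

Only a result of "ok" means that the port and CA certificate are suitable for the SSL settings in step 5. Pass the same network identifier that you intend to type in the Host field, because the certificate is checked against that name.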

Configure an RDB Administrator Store Connection

Configure the connection to change the source of administrator identities from the policy store to the external store.

To configure the external store connection with CA SiteMinder® authentication

  1. Click Administration, Admin UI.
  2. Click Configure Administrative Authentication.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, select an agent from the drop-down list and click Next.

    Be sure to select an agent that is configured to function with a reverse proxy server.

  4. Select one of the following from the Directory type list:
  5. Click Next.

    The wizard prompts you to select a data source.

    Note: If data sources do not appear, click Cancel and deploy a JDBC data source to the application server. You cannot create the connection without a deployed data source.

  6. Select the data source and click Next.

    The wizard prompts you to select the user table that contains the CA SiteMinder® administrators.

  7. Select the user table and click Next.

    The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the column names in the database that are likely to identify each attribute.

  8. Do one of the following:
  9. Enter all or part of the user name in the User Keywords field.

    Users matching the search criteria appear in Search Results.

  10. Select a user and click Next.

    Note: The user you select becomes the super user when the connection is configured.

    A summary page appears.

  11. Confirm the connection details and click Finish.

    The connection to the external store is configured.

Important! After you configure an external administrator store, restart the application server manually before you log in with the new administrator credentials.

Migrate Legacy Administrator Permissions

If a Legacy Administrator must continue using the Administrative UI or Policy Server tools after configuring a connection to an external administrator store, migrate the permissions.

Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, Policy Server tools, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in one or more of these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.

Follow these steps:

Note: Be sure that the administrator is present in the external store. Log in to the Administrative UI using the external super user.

  1. Click Administration, Administrator.
  2. Click Administrators.

    The Administrators page appears.

  3. Specify search criteria using the full name of the user and click Search.

    Users matching the search criteria appear.

  4. Click the name of the Administrator you want to modify.

    The View Administrator page appears. The user path points to the policy store.

  5. Click Modify.

    The settings and controls become active.

  6. Click Lookup in General.

    The Select a User page appears.

  7. Specify search criteria and click Search.

    Users matching the specified criteria appear.

  8. Select the user that you want and click Select.

    The user path is updated to point to the external store.

  9. Click Submit.

    The Administrative UI authenticates the administrator using the external store. The administrator has the same level of access to the Administrative UI as when the policy store was being used to store administrator identities.

Update External Administrator Store Credentials

If the credentials that the Administrative UI uses to connect to the external administrator store change, submit the new credentials to the Administrative UI. Otherwise, CA SiteMinder® administrator authentication fails.

If you installed the Administrative UI using the stand-alone option, two utilities are provided for you:

If you installed the Administrative UI to an existing application server infrastructure, consider the following items:

More information:

Deploy a JDBC Data Source

Update Directory Server Credentials

Use the smjndisetup utility to update directory manager credentials.

Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.

To update directory server credentials

  1. Log in to the Administrative UI host system.
  2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

    Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

  3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.
    administrative_ui_home

    Specifies the Administrative UI installation path.

  4. Run one of the following commands:
  5. Do one of the following operations:
  6. Type the new password and press Enter.

    The utility verifies the credentials and prompts you to update the directory connection credentials.

  7. Type y and press Enter.

Update Database Credentials

Use the smjdbcsetup utility to update database user credentials in the JNDI data source.

To update database credentials

  1. Log in to the Administrative UI host system.
  2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

    Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

  3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.
    administrative_ui_home

    Specifies the Administrative UI installation path.

  4. Run one of the following commands:

    The utility prompts you to enter a unique identifier.

  5. Enter the name of the deployed data source.

    Note: If you do not know the data source name, you can locate all deployed data sources in administrative_ui_home\SiteMinder\adminui\server\default\deploy.

    administrative_ui_home

    Specifies the Administrative UI installation path.

    The utility prompts you for the database user name.

  6. Enter the user name and press Enter.

    The utility prompts you for the user password.

  7. Enter the password and press Enter.

    The utility prompts you to verify the new data source credentials and verify that they can be updated.

  8. Type y and press Enter to confirm the new data source credentials.

    The utility updates the data source.

  9. Do one of the following tasks:

    Note: For more information about starting the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

Modify the External Administrator Store Connection

Run the Administrative Authentication wizard again to change the external store to which the Administrative UI connects for administrator authentication.

More information:

How to Configure an External Administrator Store