Policy Server Guides › Policy Server Configuration Guide › SiteMinder Administrators › How to Configure an External Administrator Store

How to Configure an External Administrator Store

Complete the following steps to configure a connection to an external administrator store.

1. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, configure an agent to function with a reverse proxy server.

   Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.

2. Review the external administrator store considerations.
3. Review the SSL considerations.
4. Depending on your store type, do the following:
   • (LDAP) Gather directory server connection information.
   • (RDB) Gather database connection information.
   • (RDB) Deploy a Java Database Connectivity (JDBC) data source to the application server.
     • If you installed the Administrative UI using the stand-alone option, use the smjdbcsetup utility to configure and deploy the data source.
     • If you installed the Administrative UI to an existing application server infrastructure, see your vendor-specific documentation for information about configuring and deploying a data source.

       Note: If you are deploying a data source to WebSphere, be sure that the JNDI name, under the datasource properties, is prefixed with the following:

       jdbc/

       Example: If the datasource name is abc, then the JNDI name is jdbc/abc.

5. Configure the connection to the external administrator store.
6. (Optional) Migrate Legacy Administrator Administrative UI permissions.

External Administrator Store Considerations

Before you configure an external administrator store connection, consider the following items:

• Important! Discontinuing the use of the policy store as the source of administrator identities is permanent. Configuring an external administrator store only affects the Administrative UI that is configured to use the external store. Any other Administrative UI not yet configured to use the external store continues to use the policy store to identify administrators.
• Legacy Administrators, including the default CA SiteMinder® super user account, can continue to perform the following actions:
  • Manage the Policy Management API
  • Function as a Trusted Host administrator
  • Use Policy Server tools
• Legacy Administrators, including the default CA SiteMinder® super user account, can no longer manage CA SiteMinder® objects in the Administrative UI.
• If you have Legacy Administrators who must continue using the Administrative UI, use your vendor-specific tools to add these users to the external store. Once the user identities are established in the external store, you can reinstate these privileges by mapping the existing user paths from the policy store to the external store.

  Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.

• A super user that you identify when configuring the connection to the external store replaces the default CA SiteMinder® super user account. The external user becomes the super user and has maximum permissions in the Administrative UI and access to all Policy Server tools.

  Use the external super user to delegate permissions to new Administrators.

• If multiple Administrative UI instances are to use the same administrator authentication store, be sure to configure each connection using the same network identifier. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.

  Example: If you configured the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configured the first connection with comp001@example.com, create subsequent connections with comp001@example.com.

SSL Considerations

If you are configuring the external administrator store connection over SSL, consider the following items:

• The directory server must be configured to communicate over SSL.

  Note: For more information about configuring the directory server for SSL, see your vendor–specific documentation.

• If you installed the Administrative UI using the stand–alone option, the Administrative UI is installed with an embedded certificate database.
• If you installed the Administrative UI to an existing application server infrastructure, implement a certificate database as required by your application server.

  Note: For more information about implementing a certificate database, see your vendor–specific documentation.

• Be sure to enter an SSL–enabled port when entering directory connection information. If you do not enter an SSL–enabled port, the Administrative Authentication wizard becomes unresponsive.

Gather Directory Server Information

If you are configuring a connection to a directory server, gather the following information:

• Host name—Identify the IP address or fully qualified domain name of the directory server host system.
• Port—Identify the port on which the directory server is listening.
• Directory server user credentials—Identify the user name and password of an account that has read/write permissions to the directory server.
• Search root—Identify the base DN of the directory server.
• SSL certificate—If the directory server is configured to communicate over an SSL connection, obtain the SSL certificate.

Gather Database Information

If you are configuring a connection to a database, gather the following information:

• Host name—Identify the name of the database host system.
• Port—Identify the port on which the database is listening.
• (Microsoft SQL Server) Database name—Identify the name of database.
• (Oracle) Service name—Identify the service name of the database.
• Database user credentials—Identify the credentials of a user account that has read/write permissions to the database.

  Important! If you are configuring a connection to Oracle, be sure to set the default schema for this user. The default schema must be the schema that is associated with the table that contains the administrative users. If you do not set the default schema for this user, the Administrative Authentication wizard cannot locate users in the database.

Deploy a JDBC Data Source

If you are configuring a connection to a relational database, the Administrative UI requires a JDBC data source to communicate with the administrator store. A utility is required to create the data source. If you installed the Administrative UI using the stand-alone option, the smjdbcsetup utility is provided for you.

Note: If you installed the Administrative UI to an existing application server, see your vendor-specific documentation for information about deploying a JDBC data source. If you are deploying a data source to WebSphere, verify that the JNDI name, under the datasource properties, is prefixed with the following text:

jdbc/

Example: If the datasource name is abc, then the JNDI name is jdbc/abc.

Follow these steps:

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

   Note: For more information about stopping the service, see the Policy Server Installation Guide.

3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjdbcsetup.bat
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjdbcsetup.sh
     

   The utility prompts you for a unique identifier. The utility appends the identifier to the data source.

5. Type a value and press Enter.

   The utility prompts you for a database driver type. The driver types are prefixed with a number.

6. Type a number to select a driver type and press Enter.

   The utility prompts you for the name of the database host system.

7. Type the database host name and press Enter.

   The utility prompts you for the port on which the database is listening.

8. Type the database port and press Enter.
   • If you are configuring a connection to Microsoft SQL Server, the utility prompts you for the database name.
   • If you are configuring a connection to Oracle, the utility prompts you for the service name.
9. Type the database name or the service name and press Enter.

   The utility prompts you for the database user account name.

10. Type the database user account name and press Enter.

    Note: This user account must have read/write permissions to the database.

    The utility prompts you for the password of the database user.

11. Type the password and press Enter.

    The connection details appear.

12. Review the details and do one of the following steps:
    • To configure and deploy the data source, type y and press Enter.

      The utility deploys the data source to admin_ui_home\CA\SiteMinder\adminui\server\default\deploy and prompts you to restart the CA SiteMinder® Administrative UI service.

      admin_ui_home

      Specifies the Administrative UI installation path.

      Note: Restarting the CA SiteMinder® Administrative UI service is required before you can use the data source to create the connection.

    • To cancel the deployment, type n and press Enter.
13. Do one of the following steps:
    • To start the service automatically, do one of the following steps:
      • (Windows) Type y and press Enter.
      • (UNIX) You must manually start the service. For more information about starting the service, see the Policy Server Installation Guide.
    • To start the service manually, type n and press Enter.

    The data source is configured and the utility exits.

Configure an LDAP Administrator Store Connection

Configure the connection to change the source of administrator identities from the policy store to the external store.

To configure the external store connection with CA SiteMinder® authentication

1. Click Administration, Admin UI.
2. Click Configure Administrative Authentication.
   • If you are configuring an external administrator store for the first–time, the Configure Administrative Authentication wizard appears.
   • If the Administrative UI is configured with an external administrator store, the connection details appear. Click OK to start the Configure Administrative Authentication wizard.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

3. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, select an agent from the drop-down list and click Next.

   Be sure to select an agent that is configured to function with a reverse proxy server.

4. Select a directory server vendor from the Directory type list and click Next.

   The wizard prompts you for connection details.

5. Do the following:
   1. Type the IP address or the fully qualified domain name of the directory server host system in the Host field.

      Important! If multiple Administrative UI instances are to use the same administrator authentication store, take note of the network identifier you enter. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.

      Example: If you configure the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configure the first connection with comp001@example.com, create subsequent connections with comp001@example.com.

   2. Type the port on which the directory server is listening in the Port field.

      Important! If you are configuring the connection over SSL, be sure to enter an SSL–enabled port. If you do not enter an SSL–enabled port, the Administrative Authentication wizard becomes unresponsive when you click Next.

   3. (Optional) Select Use SSL and upload a Certificate Authority (CA) certificate to enable SSL communication between the Administrative UI and the administrator store.

      Note: The directory server must be configured to communicate over SSL. For more information about configuring the directory server for SSL, see your vendor–specific documentation.

   4. Type the common name and password of a directory server user in the respective fields.

      Note: This user must have read/write permissions to the directory server.

   5. Click Next.

   The wizard prompts you for object class information.

6. Do the following:
   1. Type the directory server search root in the Search Root field.
   2. Use the shuttle controls to add and remove the object classes that apply to the CA SiteMinder® administrators.
   3. Click Next.

   The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the attributes in your directory server that are likely to identify each attribute.

7. Select the mnemonic attribute string that maps to each of the required attributes and click Next.

   The wizard prompts you to search for a user.

   Important! Do not point to any attribute that is used or written to by the LDAP or any other applications otherwise you may always be redirected to the /logout.jsp page and unable to log in to the Administrative UI.

8. Enter all or part of the user name in the Keywords field.

   Users matching the search criteria appear.

9. Select a user and click Next.

   Note: You can only select one user. The user you select becomes the superuser when the connection is configured.

   A summary page appears.

10. Confirm the connection details and click Finish.

    The connection to the external store is configured.

Important! After you configure an external administrator store, restart the application server manually before you log in with the new credentials of administrator.

Configure an RDB Administrator Store Connection

Configure the connection to change the source of administrator identities from the policy store to the external store.

To configure the external store connection with CA SiteMinder® authentication

1. Click Administration, Admin UI.
2. Click Configure Administrative Authentication.
   • If you are configuring an external administrator store for the first–time, the Configure Administrative Authentication wizard appears.
   • If the Administrative UI is configured with an external administrator store, the connection details appear. Click OK to start the Configure Administrative Authentication wizard.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

3. (Optional) If you want to protect the Administrative UI with CA SiteMinder®, select an agent from the drop-down list and click Next.

   Be sure to select an agent that is configured to function with a reverse proxy server.

4. Select one of the following from the Directory type list:
   • If your user schema includes a column that identifies the full–name of users, select the Relational Database (with full name column) template.
   • If the full–name of users must be calculated, select the Relational Database (without full name column) template.
5. Click Next.

   The wizard prompts you to select a data source.

   Note: If data sources do not appear, click Cancel and deploy a JDBC data source to the application server. You cannot create the connection without a deployed data source.

6. Select the data source and click Next.

   The wizard prompts you to select the user table that contains the CA SiteMinder® administrators.

7. Select the user table and click Next.

   The wizard prompts you to specify the individual attributes required to map to your administrative users. The lists populate with the column names in the database that are likely to identify each attribute.

8. Do one of the following:
   • If you selected the Relational Database template, select the column name that maps to each of the required user attributes and click Next.

     The wizard prompts you to search for a user.

   • If you selected the Relation Database (no full name) template:
     1. Select the column name that maps to each of the required user attributes.
     2. Build the Get Full Name Query by replacing ##FIRST_NAME, ##LAST_NAME, and ##PRIMARY_KEY with the column name that maps to the respective user attribute.

        Note: Leave the question mark (?) at the end of the query.

        Example: select SmUser.FirstName + ' ' + SmUser.LastName from SmUser where SmUser.UserID = ?

     3. Click Next

     The wizard prompts you to search for a user.

9. Enter all or part of the user name in the User Keywords field.

   Users matching the search criteria appear in Search Results.

10. Select a user and click Next.

    Note: The user you select becomes the super user when the connection is configured.

    A summary page appears.

11. Confirm the connection details and click Finish.

    The connection to the external store is configured.

Important! After you configure an external administrator store, restart the application server manually before you log in with the new credentials of administrator.

Migrate Legacy Administrator Permissions

If a Legacy Administrator must continue using the Administrative UI or Policy Server tools after configuring a connection to an external administrator store, migrate the permissions.

Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, Policy Server tools, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in one or more of these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.

Follow these steps:

Note: Be sure that the administrator is present in the external store. Log in to the Administrative UI using the external super user.

1. Click Administration, Administrator.
2. Click Administrators.

   The Administrators page appears.

3. Specify search criteria using the full name of the user and click Search.

   Users matching the search criteria appear.

4. Click the name of the Administrator you want to modify.

   The View Administrator page appears. The user path points to the policy store.

5. Click Modify.

   The settings and controls become active.

6. Click Lookup in General.

   The Select a User page appears.

7. Specify search criteria and click Search.

   Users matching the specified criteria appear.

8. Select the user that you want and click Select.

   The user path is updated to point to the external store.

9. Click Submit.

   The Administrative UI authenticates the administrator using the external store. The administrator has the same level of access to the Administrative UI when the policy store was being used to store administrator identities.

Update External Administrator Store Credentials

If the credentials that the Administrative UI uses to connect to the external administrator store change, submit the new credentials to the Administrative UI or CA SiteMinder® administrator authentication fails.

If you installed the Administrative UI using the stand–alone option, two utilities are provided for you:

• (LDAP) Use the smjndisetup utility to update the directory server user account credentials.

  Note: To update the directory server host system name or port information, use the Administrative UI to re–create the connection to the external administrator store. The smjndisetup utility cannot update host or port information.

• (RDB) Use the smjdbcsetup utility to update the database user account credentials.

  Note: To update the database host system name or port information, use the smjdbcsetup utility to re–deploy the JNDI data source.

If you installed the Administrative UI to an existing application server infrastructure, consider the following items:

• (LDAP) Use the Administrative Authentication Wizard to update the credentials that the Administrative UI is to use to access the directory server.

  Important! After you use the wizard to update the credentials, update the credentials on the directory server as soon as possible. Administrators cannot log in to the Administrative UI until the directory server credentials are updated to match the credentials you supplied using the wizard.

• (RDB) Use the database–specific tool to update the data source.

More information:

Deploy a JDBC Data Source

Update Directory Server Credentials

Use the smjndisetup utility to update directory manager credentials.

Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.

To update directory server credentials

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

   Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjndisetup.bat --reset-password
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjndisetup.sh --reset-password
     

     The utility prompts you for the user name.

5. Do one of the following operations:
   • Type the new directory user and press Enter.
   • Press Enter to accept the default user name.

     The utility prompts you for the password of the user.

6. Type the new password and press Enter.

   The utility verifies the credentials and prompts you to update the directory connection credentials.

7. Type y and press Enter.
   • If you ran the utility on Windows, the utility restarts the CA SiteMinder® Administrative UI service. The utility also updates the new directory connection details.
   • If you ran the utility on UNIX, start the Administrative UI service to update the new directory connection details.

     Note: For more information about starting the Administrative UI service, see the Policy Server Installation Guide.

Update Database Credentials

Use the smjdbcsetup utility to update database user credentials in the JNDI data source.

To update database credentials

1. Log in to the Administrative UI host system.
2. (UNIX) Stop the CA SiteMinder® Administrative UI service.

   Note: For more information about stopping the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

3. Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

   administrative_ui_home

   Specifies the Administrative UI installation path.

4. Run one of the following commands:
   • (Windows)

     smjdbcsetup.bat --reset-password
     

     Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   • (UNIX)

     smjdbcsetup.sh --reset-password
     

   The utility prompts you to enter a unique identifier.

5. Enter the name of the deployed data source.

   Note: If you do not know the data source name, you can locate all deployed data sources in administrative_ui_home\SiteMinder\adminui\server\default\deploy.

   administrative_ui_home

   Specifies the Administrative UI installation path.

   The utility prompts you for the database user name.

6. Enter the user name and press Enter.

   The utility prompts you for the user password.

7. Enter the password and press Enter.

   The utility prompts you to verify the new data source credentials and verify that they can be updated.

8. Type y and press Enter to confirm the new data source credentials.

   The utility updates the data source.

   • (Windows) The utility prompts you to restart the CA SiteMinder® Administrative UI service.
   • (UNIX) A message appears stating that the CA SiteMinder® Administrative UI service must be manually started.
9. Do one of the following tasks:
   • (Windows) Type y and press Enter to use the utility to restart the CA SiteMinder® Administrative UI service and deploy the updated data source.
   • (Windows) Type n and press Enter to start the CA SiteMinder® Administrative UI service manually. The data source is deployed when the service is started.
   • (UNIX) Manually start the CA SiteMinder® Administrative UI service to deploy the data source.

   Note: For more information about starting the CA SiteMinder® Administrative UI service, see the Policy Server Installation Guide.

Modify the External Administrator Store Connection

Run the Administrative Authentication wizard again to change the external store to which the Administrative UI connects for administrator authentication.

More information:

How to Configure an External Administrator Store