Previous Topic: Configure a MySQL Policy StoreNext Topic: Configure an Oracle Policy Store


Configure a SQL Server Policy Store

A single SQL Server database can function as a:

Using a single database simplifies administration tasks. The following sections provide instruction on how to configure a single database server to store CA SiteMinder® data.

Consider the following items:

Gather Database Information

Configuring a single SQL Server database to function as a policy store or any other type of CA SiteMinder® data store requires specific database information.

Note: Information prefixed with (W) indicates that the information is only required if the Policy Server is installed on a Windows system; (U) indicates that the information is only required if the Policy Server is installed on a UNIX system. Different information is required when configuring the SQL Server data source.

Gather the following information before configuring the policy store or any other type of CA SiteMinder® data store. You can use the SQL Server Information Worksheet to record your values.

Note: Policy and data store worksheets are provided to help you gather and record information before configuring or upgrading a CA SiteMinder® data store. You can print the applicable worksheet and can use it to record required information before beginning.

Database instance name

Determine the name of the database instance that is to function as the policy store or data store.

Administrative account name and password

Determine the user name and password of an account with privileges to create, read, modify, and delete objects in the database.

(W) Data source name

Determine the name you will use to identify the data source.

Example: SM SQL Server Wire DS.

(W) SQL Server name

Determine the name of the SQL Server database that contains the instance that is to function as the policy store.

(U) Policy Server root

Determine the explicit path to where the Policy Server is installed.

(U) IP Address

Determine the IP Address of the SQL Server database.

How to Configure the Policy Store

Complete the following procedures to configure a SQL Server database as a policy store.

Note: Be sure that you have gathered the required database information before beginning. Some of the following procedures require this information.

  1. Be sure that the SQL Server database instance that is to contain the CA SiteMinder® data is accessible from the Policy Server system.
  2. Using the SQL Server Enterprise Manager, create the database instance for the CA SiteMinder® data store.

    Example:

    smdatastore
    
  3. Create the CA SiteMinder® Schema.
  4. Configure a SQL Server data source for CA SiteMinder®.
  5. Point the Policy Server to the database.
  6. Set the CA SiteMinder® superuser password.
  7. Import the policy store data definitions.
  8. Import the default CA SiteMinder® objects.
  9. Restart the Policy Server.
  10. Prepare for the Administrative UI registration.
Create the CA SiteMinder® Schema

You create the CA SiteMinder® schema so that SQL Server database can store policy, key, and audit logging information.

The following warnings are displayed when running the policy store and audit logging schema files. The warnings do not affect the policy store configuration:

Follow these steps:

  1. Start the Query Analyzer and log in as the person who administers the Policy Server database.
  2. Select the database instance from the database list.
  3. Open sm_mssql_ps.sql in a text editor and copy the contents of the entire file.
  4. Paste the schema from sm_mssql_ps.sql into the query and execute the query.

    The policy and key store schema is added to the database.

  5. Open SQLServer.sql in a text editor and copy the contents of the entire file.
  6. Paste the schema from SQLServer.sql into the query, and execute the query.

    The policy store schema is extended.

  7. Repeat steps three and four to use the policy store as an audit logging database. Use the following schema file:

    sm_mssql_logs.sql

    Note: You are not required to configure the policy store to store additional CA SiteMinder® data. You can configure individual databases to function as a separate audit log database, key store, and session store.

    The database can store CA SiteMinder® data.

Configure a SQL Server Data Source for CA SiteMinder®

If you are using ODBC, you need to configure a data source to let CA SiteMinder® communicate with the CA SiteMinder® data store.

More information:

SQL Server Authentication Mode Considerations

SQL Server Authentication Mode Considerations

CA SiteMinder® data sources do not support Windows authentication. Configure the CA SiteMinder® data source with the credentials of a user that is stored in the database.

Note: For more information about SQL Server authentication modes, see the vendor−specific documentation.

Create a SQL Server Data Source on Windows

ODBC requires that you configure a data source for the SQL Server wire protocol.

Note: This procedure only applies if the Policy Server is installed on a Windows System.

Follow these steps:

  1. Complete one of the following steps:

    The ODBC Data Source Administrator appears.

  2. Click the System DSN tab.

    System data source settings appear.

  3. Click Add.

    The Create New Data Source dialog appears.

  4. Select CA SiteMinder® SQL Server Wire Protocol and click Finish.

    The ODBC SQL Server Wire Protocol Driver Setup dialog appears.

  5. Enter the data source name in the Data Source Name field.

    Example: CA SiteMinder® Data Source.

    Note: Take note of your data source name. This information is required as you configure your database as a policy store.

  6. Enter the name of the SQL Server host system in the Server field.
  7. Enter the database name in the Database Name field.
  8. Click Test.

    The connection settings are tested and a prompt appears specifying that the connection is successful.

  9. Click OK.

    The SQL Server data source is configured and appears in the System Data Sources list.

Create a SQL Server Data Sources on UNIX Systems

The CA SiteMinder® ODBC data sources are configured using a system_odbc.ini file, which you create by renaming sqlserverwire.ini, located in policy_server_installation/db, to system_odbc.ini. This system_odbc.ini file contains all of the names of the available ODBC data sources as well as the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add additional data sources to this file, such as defining additional ODBC user directories for CA SiteMinder®.

The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.

Note: If you modify of the first line of data source entry, which is [CA SiteMinder® Data Source], take note of the change because you will need this value when configure your ODBC database as a policy store.

Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver to be loaded when this data source is used by CA SiteMinder®. The remaining attributes are specific to the driver.

Adding a MS SQL Server Data source involves adding a new data source name in the [ODBC Data Sources] section of the file, and adding a section that describes the data source using the same name as the data source. You need to change the system_odbc.ini file if you create a new service name or want to use a different driver. You should have entries for the Oracle or SQL drivers under [CA SiteMinder® Data Source].

Again, to configure a MS SQL Server data source, you must first create a system_odbc.ini file in the policy_server_installation/db directory. To do this, you need to rename sqlserverwire.ini, located in policy_server_installation/db, to system_odbc.ini.

Configure the SQL Server Wire Protocol Driver

You configure the wire protocol driver to specify the settings CA SiteMinder® uses to connect to the database.

Note: This procedure only applies if the Policy Server is installed on a UNIX system. If you have not already done so, copy one of the following files and rename it system_odbc.ini. The file you rename depends on the database vendor you are configuring as a CA SiteMinder® data store.

These files are located in siteminder_home/db

The system_odbc.ini file contains the following sections. The data source that you are configuring determine the section or sections that you edit:

[SiteMinder Data Source]

Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the policy store.

[SiteMinder Logs Data Source]

Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the audit log database.

[SiteMinder Keys Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the key store.

[SiteMinder Session Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the session store.

[SmSampleUsers Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the sample user data store.

Follow these steps:

  1. Open the system_odbc.ini file.
  2. Enter the following under [ODBC Data Sources]:
    SiteMinder Data Source=DataDirect 7.1 SQL Server Wire Protocol
    
  3. Depending on the data source you are configuring, edit one or more of the data source sections with the following information:
    Driver=nete_ps_root/odbc/lib/NSsqls27.so
    Description=DataDirect 7.1 SQL Server Wire Protocol
    Database=SiteMinder Data
    Address=myhost, 1433
    QuotedId=No
    AnsiNPW=No
    

    Note: When editing data source information, do not use the pound sign (#). Entering a pound sign comments the information, which truncates the value. The truncated value can cause ODBC connections to fail.

    nete_ps_root

    Specifies the explicit path of the Policy Server installation, rather than a path with an environment variable.

    Example: export/smuser/siteminder

    CA SiteMinder® Data

    Specifies the SQL Server database instance name.

    myhost

    Specifies the IP Address of the SQL Server database.

    1433

    Represents the default listening port for SQL Server.

  4. If you are using Microsoft SQL Server 2008 to function as any CA SiteMinder® store, edit the [ODBC] section as follows:
    TraceFile=nete_ps_root/db/odbctrace.out
    TraceDll=nete_ps_root/odbc/lib/NStrc27.so
    InstallDir=nete_ps_root/odbc
    
    nete_ps_root

    Specifies the explicit path to the Policy Server installation directory. This path cannot contain an environment variable.

  5. Save the file.

    The wire protocol driver is configured.

Point the Policy Server to the Database

You point the Policy Server to the database so the Policy Server can access the CA SiteMinder® data in the policy store.

Follow these steps:

  1. Open the Policy Server Management Console and click the Data tab.
  2. Select the following value from the Storage list:
    ODBC
    
  3. Select the following value from the Database list:
    Policy Store
    
  4. Enter the name of the data source in the Data Source Information field.
  5. Enter and confirm the user name and password of the database account that has full access rights to the database instance in the respective fields.
  6. Specify the maximum number of database connections that are allocated to CA SiteMinder®.

    Note: We recommend retaining the 25 connection default for best performance.

  7. Click Apply to save the settings.
  8. Select the following value from the Database list:
    Key Store
    
  9. Select the following value from the Storage list:
    ODBC
    
  10. Select the following option:
    Use the Policy Store database
    
  11. Select the following value from the Database list:
    Audit Logs
    
  12. Select the following value from the Storage list:
    ODBC
    
  13. Select the following option:
    Use the Policy Store database
    
  14. Click Apply to save the settings.
  15. Click Test Connection to verify that the Policy Server can access the policy store.
  16. Click OK.

    The Policy Server is configured to use the database as a policy store, key store, and logging database.

Set the CA SiteMinder® Super User Password

The default CA SiteMinder® administrator account is named:

siteminder

The account has maximum permissions.

We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:

Follow these steps:

  1. Copy the smreg utility to siteminder_home\bin.
    siteminder_home

    Specifies the Policy Server installation path.

    Note: The utility is at the top level of the Policy Server installation kit.

  2. Run the following command:
    smreg -su password
    
    password

    Specifies the password for the default CA SiteMinder® administrator.

    Limits:

    Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.

  3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

    The password for the default CA SiteMinder® administrator account is set.

More information:

Locate the Installation Media

Installation Media Names

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\xps\dd.
    siteminder_home

    Specifies the Policy Server installation path.

  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    
    XPSDDInstall

    Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

Follow these steps:

  1. Open a command window and navigate to siteminder_home\db.
  2. Import one of the following files:



Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Enable the Advanced Authentication Server

Enable the advanced authentication server as part of configuring your Policy Server.

Follow these steps:

  1. Start the Policy Server configuration wizard.
  2. Leave all the check boxes in the first screen of the wizard cleared.
  3. Click Next.

    The master key screen appears.

  4. Create the master encryption key for the advanced authentication server.

    Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.

  5. Complete the rest of the Policy Server configuration wizard.

    The advanced authentication server is enabled.

Restart the Policy Server

You restart the Policy Server for certain settings to take effect.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Click the Status tab, and click Stop in the Policy Server group box.

    The Policy Server stops as indicated by the red stoplight.

  3. Click Start.

    The Policy Server starts as indicated by the green stoplight.

    Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.

Prepare for the Administrative UI Registration

You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following:

To prepare for the Administrative UI registration

  1. Log into the Policy Server host system.
  2. Run the following command:
    XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
    
    passphrase

    Specifies the password for the default CA SiteMinder® super user account (siteminder).

    Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.

    -adminui–setup

    Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

    -t timeout

    (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

    Unit of measurement: minutes

    Default: 240 (4 hours)

    Minimum Limit: 15

    Maximum Limit: 1440 (24 hours)

    -r retries

    (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI for the first–time

    Default: 1

    Maximum Limit: 5

    -c comment

    (Optional) Inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -cp

    (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

    Note: Surround comments with quotes.

    -l log path

    (Optional) Specifies where the registration log file must be exported.

    Default: siteminder_home\log

    siteminder_home

    Specifies the Policy Server installation path.

    -e error_path

    (Optional) Sends exceptions to the specified path.

    Default: stderr

    -vT

    (Optional) Sets the verbosity level to TRACE.

    -vI

    (Optional) Sets the verbosity level to INFO.

    -vW

    (Optional) Sets the verbosity level to WARNING.

    -vE

    (Optional) Sets the verbosity level to ERROR.

    -vF

    (Optional) Sets the verbosity level to FATAL.

  3. Press Enter.

    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI for the first–time.