Installation and Upgrade Guides › Policy Server Installation Guide › Configuring CA SiteMinder® Data Stores in a Relational Database › Configure a MySQL Policy Store

Configure a MySQL Policy Store

A MySQL policy store can also function as:

• A key store
• An audit logging database

  Note: CA SiteMinder® session information should be stored in a separate database. You should not use the policy store to store session information.

Using a single database simplifies administration tasks. The following sections provide instruction on how to configure a single database server to store CA SiteMinder® data.

Gather Database Information

Configuring a single MySQL Server database to function as a policy store or any other type of CA SiteMinder® data store requires specific database information.

Gather the following information before configuring the policy store or any other type of CA SiteMinder® data store.

• Database host—Identify the name of the database host system.
• Database name—Identify the name of the database instance that is to function as the policy store or data store.
• Database port—Identify the port on which the database is listening.
• Administrator account—Identify the login ID of an administrator account that has permission to create, read, modify, and delete objects in the database.
• Administrator password —Identify the password for the administrator account.

How to Configure the Policy Store

You can configure MySQL Server as a policy store.

Note: Gather the required database information before beginning the policy store setup.

Follow these steps:

1. Verify that MySQL is installed using the Latin1 or UTF8 character set. Use the UTF8 character set to support Unicode characters.

   Note: If MySQL is not installed using one of these character sets, reinstall MySQL with the appropriate character set before configuring the CA SiteMinder® data store.

2. Confirm that the MySQL database acting as the policy store is accessible from the Policy Server host system.
3. Create the database instance for the CA SiteMinder® data store, using the vendor–specific user interface.
   • To create a database instance for Unicode characters, use the character set and collation for UTF8.
   • To create a database instance for non-Unicode characters, use the character set and collation for Latin1.
4. Create the CA SiteMinder® schema.
5. Configure a MySQL data source for CA SiteMinder®.
   • (Windows) Create a MySQL data source.
   • (UNIX) Create a MySQL data source on UNIX systems.
   • (UNIX) Configure the MySQL wire protocol driver.
6. Point the Policy Server to the database.
7. Set the CA SiteMinder® superuser password.
8. Import the policy store data definitions.
9. Import the default policy store objects.
10. Restart the Policy Server.
11. Prepare for the Administrative UI registration.

Create the CA SiteMinder® Schema

You create the CA SiteMinder® schema so that the MySQL database can store the policy, key, and audit logging information.

Follow these steps:

1. Start the Query Browser and log in as the person who administers the Policy Server database.
2. Select the database instance from the database list.
3. Navigate to the following location:

   siteminder_home\db\tier2\MySQL.

   siteminder_home

   Specifies the Policy Server installation path.

4. Open one of the following files in a text editor:
   • To store Unicode characters in the policy store, open sm_mysql_ps.sql.unicode.
   • To store non-Unicode characters in the policy store, open sm_mysql_ps.sql.
5. Locate the following lines in the sm_mysql_ps file:

   DROP FUNCTION IF EXISTS `databaseName`.`getdate` $$
   CREATE FUNCTION `databaseName`.`getdate` () RETURNS DATE
   

6. Replace each instance of 'databaseName' with the name of the database functioning as the policy store.
7. After you replace the databaseName instances, copy the contents of the entire file.
8. Paste the file contents into a query and execute the query.

   The policy and key store schema are added to the database.

9. Navigate to the following location:

   siteminder_home\xps\db\Tier2DirSupport\MySQL

10. Open one of the following files in a text editor and copy the contents of the entire file:
    • To store Unicode characters in the policy store, open MySQL.sql.unicode.
    • To store non-Unicode characters in the policy store, open MySQL.sql.
11. Paste the schema from the appropriate MySQL file into a query and execute the query.

    The policy store schema is extended.

12. To use the policy store as an audit logging database, repeat steps three and four but use the following logging schema file:

    sm_mysql_logs.sql

    The database can store CA SiteMinder® data.

    Note: You are not required to configure the policy store to store more CA SiteMinder® data. You can configure individual databases to function as a separate audit log database, key store, and session store.

Configure a MySQL Data Source for CA SiteMinder®

You configure a data source to let the Policy Server communicate with the CA SiteMinder® data store.

Note: If you are using MySQL 5.1.x, ensure that you assign the TRIGGER permission to the user name that is used to create the DSN.

Create a MySQL Data Source on Windows

You create a MySQL data source for the MySQL wire protocol driver.

Follow these steps:

1. Log in to the Policy Server host system.
2. Do one of the following steps:
   • If you are using a supported 32–bit Windows operating system, click Start and select Programs, Administrative Tools, ODBC Data Sources.
   • If you are using a supported 64–bit Windows operating system:
     1. Navigate to the install_home\Windows\SysWOW64.
     2. Double–click odbcad32.exe.

   The ODBC Data Source Administrator appears.

3. Click System DSN.

   System Data Sources lists all available data sources.

4. Click Add.

   The Create New Data Source dialog appears.

5. Scroll down and select CA SiteMinder® MySQL Wire Protocol and click Finish.

   The ODBC MySQL Wire Protocol Driver Setup dialog appears.

6. Complete the following steps in the General tab:
   1. Enter a data source name in the Data Source Name field.

      Example:

      CA SiteMinder® MySQL Wire Data Source
      

   2. Enter the name of the MySQL database host system in the Host Name field.
   3. Enter the port on which the MySQL database is listening in the Port Number field.
   4. Enter the name of the MySQL database in the Database Name field.
7. Click Test Connect.

   The connection settings are tested. If the settings are valid, a prompt states that the connection is successful.

8. Click OK.

   The data source is created and appears in the System Data Sources list.

Note: You can now point the Policy Server to the CA SiteMinder® data store.

Create a MySQL Data Source on UNIX Systems

The CA SiteMinder® ODBC data sources are configured using a system_odbc.ini file, which you create by renaming mysqlwire.ini to system_odbc.ini. The mysqlwire.ini file is located in siteminder_home/db.

siteminder_home

Specifies the Policy Server installation path.

This system_odbc.ini file contains all of the names of the available ODBC data sources and the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add additional data sources to this file, such as defining additional ODBC user directories for CA SiteMinder®.

The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.

Note: If you modify of the first line of data source entry, which is [CA SiteMinder® Data Source], take note of the value. The value is required when you configure the database as a policy store.

Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver that is loaded when CA SiteMinder® uses this data source. The remaining attributes are specific to the driver.

Adding a MySQL Server Data source involves:

• Adding a new data source name in the [ODBC Data Sources] section of the file.
• Adding a section that describes the data source using the same name as the data source.

If you create a new service name or want to use a different driver, update the system_odbc.ini file. You should have entries for the MySQL driver under [CA SiteMinder® Data Source].

Again, to configure a MySQL Server data source, you create the system_odbc.ini file by renaming mysqlwire.ini to system_odbc.ini.

Create the MySQL Wire Protocol Driver

You configure the wire protocol driver to specify the settings CA SiteMinder® uses to connect to the database.

Note: This procedure only applies if the Policy Server is installed on a UNIX system. If you have not already done so, copy one of the following files and rename it system_odbc.ini. The file you rename depends on the database vendor you are configuring as a CA SiteMinder® data store.

• sqlserverwire.ini
• oraclewire.ini
• mysqlwire.ini

These files are located in siteminder_home/db

The system_odbc.ini file contains the following sections. The data source that you are configuring determine the section or sections that you edit:

[SiteMinder Data Source]

Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the policy store.

[SiteMinder Logs Data Source]

Specifies the settings CA SiteMinder® is to use to connect to the database functioning as the audit log database.

[SiteMinder Keys Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the key store.

[SiteMinder Session Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the session store.

[SmSampleUsers Data Source]

Specifies the settings CA SiteMinder® is to connect to the database functioning as the sample user data store.

Follow these steps:

1. Open the system_odbc.ini file.
2. Enter the following under [ODBC Data Sources]:

   SiteMinder Data Source=DataDirect 7.1 MySQL Wire Protocol
   

3. Depending on the data source you are configuring, edit the one or more of the data source sections with the following information:

   Driver=nete_ps_root/odbc/lib/NSmysql27.so
   Description=DataDirect 7.1 MySQL Wire Protocol
   Database=database_name
   HostName=host_name
   LogonID=root_user
   Password=root_user_password
   PortNumber=mysql_port
   

   Note: When editing data source information, do not use the pound sign (#). Entering a pound sign comments the information, which truncates the value. The truncated value can cause ODBC connections to fail.

   nete_ps_root

   Specifies the Policy Server installation path. Enter this value as an explicit path, rather than one with an environment variable.

   Example: /export/smuser/siteminder

   database_name

   Specifies the name of the MySQL database that is to function as the CA SiteMinder® data store.

   host_name

   Specifies the name of the MySQL database host system.

   root_user

   Specifies the login ID of the MySQL root user.

   root_user_password

   Specifies the password for the MySQL root user.

   mysql_port

   Specifies the port on which the MySQL database is listening.

4. Save the file.

   The wire protocol driver is configured.

Point the Policy Server to the Database

You point the Policy Server to the database so the Policy Server can access the CA SiteMinder® data in the policy store.

Follow these steps:

1. Open the Policy Server Management Console and click the Data tab.
2. Select the following value from the Storage list:

   ODBC
   

3. Select the following value from the Database list:

   Policy Store
   

4. Enter the name of the data source in the Data Source Information field.
   • (Windows) The entry must match the name that you entered in the Data Source Name field when you created the data source.
   • (UNIX) The entry must match the first line of the data source entry in the system_odbc.ini file. By default, the first line in the file is [CA SiteMinder® Data Sources]. If you modified the first entry, be sure to enter the correct value.
5. Enter and confirm the user name and password of the database account that has full access rights to the database instance in the respective fields.
6. Specify the maximum number of database connections that are allocated to CA SiteMinder®.

   Note: We recommend retaining the 25 connection default for best performance.

7. Click Apply to save the settings.
8. Select the following value from the Database list:

   Key Store
   

9. Select the following value from the Storage list:

   ODBC
   

10. Select the following option:

    Use the Policy Store database
    

11. Select the following value from the Database list:

    Audit Logs
    

12. Select the following value from the Storage list:

    ODBC
    

13. Select the following option:

    Use the Policy Store database
    

14. Click Apply to save the settings.
15. Click Test Connection to verify that the Policy Server can access the policy store.
16. Click OK.

    The Policy Server is configured to use the database as a policy store, key store, and logging database.

Set the CA SiteMinder® Super User Password

The default CA SiteMinder® administrator account is named:

siteminder

The account has maximum permissions.

We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:

• Access the Administrative UI for the first–time.
• Manage CA SiteMinder® utilities for the first–time.
• Create another administrator with superuser permissions.

Follow these steps:

1. Copy the smreg utility to siteminder_home\bin.

   siteminder_home

   Specifies the Policy Server installation path.

   Note: The utility is at the top level of the Policy Server installation kit.

2. Run the following command:

   smreg -su password
   

   password

   Specifies the password for the default CA SiteMinder® administrator.

   Limits:

   • The password must contain at least six (6) characters and cannot exceed 24 characters.
   • The password cannot include an ampersand (&) or an asterisk (*).
   • If the password contains a space, enclose the passphrase with quotation marks.

   Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.

3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

   The password for the default CA SiteMinder® administrator account is set.

More information:

Locate the Installation Media

Installation Media Names

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

1. Open a command window and navigate to siteminder_home\xps\dd.

   siteminder_home

   Specifies the Policy Server installation path.

2. Run the following command:

   XPSDDInstall SmMaster.xdd
   

   XPSDDInstall

   Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

• Be sure that you have write access to siteminer_home\bin. The import utility requires this permission to import the policy store objects.

  siteminder_home

  Specifies the Policy Server installation path.

• Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges. For more information, see the release notes for your CA SiteMinder® component.

Follow these steps:

1. Open a command window and navigate to siteminder_home\db.
2. Import one of the following files:
   • To import smpolicy.xml, run the following command:

     XPSImport smpolicy.xml -npass
     

   • To import smpolicy–secure.xml, run the following command:

     XPSImport smpolicy-secure.xml -npass
     

     npass

     Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.

     Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.

Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Enable the Advanced Authentication Server

Enable the advanced authentication server as part of configuring your Policy Server.

Follow these steps:

1. Start the Policy Server configuration wizard.
2. Leave all the check boxes in the first screen of the wizard cleared.
3. Click Next.

   The master key screen appears.

4. Create the master encryption key for the advanced authentication server.

   Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.

5. Complete the rest of the Policy Server configuration wizard.

   The advanced authentication server is enabled.

Restart the Policy Server

You restart the Policy Server for certain settings to take effect.

Follow these steps:

1. Open the Policy Server Management Console.
2. Click the Status tab, and click Stop in the Policy Server group box.

   The Policy Server stops as indicated by the red stoplight.

3. Click Start.

   The Policy Server starts as indicated by the green stoplight.

   Note: On UNIX or Linux operating environments, you can also execute the stop-all command followed by the start-all command to restart the Policy Server. These commands provide an alternative to the Policy Server Management Console.

Prepare for the Administrative UI Registration

You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following:

• The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following before installing the Administrative UI.
• (UNIX) Be sure that the CA SiteMinder® environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.

To prepare for the Administrative UI registration

1. Log into the Policy Server host system.
2. Run the following command:

   XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
   

   passphrase

   Specifies the password for the default CA SiteMinder® super user account (siteminder).

   Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.

   -adminui–setup

   Specifies that the Administrative UI is being registered with a Policy Server for the first–time.

   -t timeout

   (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

   Unit of measurement: minutes

   Default: 240 (4 hours)

   Minimum Limit: 15

   Maximum Limit: 1440 (24 hours)

   -r retries

   (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI for the first–time

   Default: 1

   Maximum Limit: 5

   -c comment

   (Optional) Inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -cp

   (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

   Note: Surround comments with quotes.

   -l log path

   (Optional) Specifies where the registration log file must be exported.

   Default: siteminder_home\log

   siteminder_home

   Specifies the Policy Server installation path.

   -e error_path

   (Optional) Sends exceptions to the specified path.

   Default: stderr

   -vT

   (Optional) Sets the verbosity level to TRACE.

   -vI

   (Optional) Sets the verbosity level to INFO.

   -vW

   (Optional) Sets the verbosity level to WARNING.

   -vE

   (Optional) Sets the verbosity level to ERROR.

   -vF

   (Optional) Sets the verbosity level to FATAL.

3. Press Enter.

   XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI for the first–time.