

CA Directory as a Session Store

You can configure CA Directory as a session store.

Note: For more information about supported versions, see the 12.52 CA SiteMinder® Platform Support Matrix.

More information:

Locate the Platform Support Matrix

How to Configure the Session Store

Complete the following tasks to configure CA Directory as a session store:

  1. Obtain the session store schema files.
  2. Create a DSA for the session store.
  3. Add a session store administrative user and root DN.
  4. Create the session store schema.
  5. Point the Policy Server to the session store.
Obtain the Session Store Schema Files

All required session store schema files are installed with the Policy Server. Contact your CA SiteMinder® Administrator and request the following file:

netegrity.dxc

Creates the DSA session store schema. The schema lets the DSA store and retrieve the session information of CA SiteMinder® users.

The file resides in siteminder_home\eTrust.

siteminder_home

Specifies the Policy Server installation path.

Create a DSA for the Session Store

Create a DSA and dedicate its use to the session store only. A dedicated DSA helps to maximize session store performance.

Follow these steps:

  1. Log in to the CA Directory host system.
  2. Create a data DSA by running the following command:
    dxnewdsa dsa_name port prefix
    
    dsa_name

    Specifies the name of the session store DSA.

    port

    Specifies the port on which the session store must listen for requests.

    prefix

    Specifies the namespace prefix. Use LDAP syntax to specify the prefix.

Example: Create a data DSA for the session store.

dxnewdsa smsessionstore 1234 o=forwardinc,c=us

Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.

Add a Session Store Administrative User and Root DN

The Policy Server requires:

Follow these steps:

  1. Access the DSA using anonymous authentication with one of the following methods:
  2. Create a user that CA SiteMinder® can use to manage the session store.
  3. Disconnect from JXplorer.
  4. Start JXplorer.
  5. Log in to the DSA using the complete DN of the administrative user you created to verify that you can access the DSA.

    Example: cn=admin,o=forwardinc,c=us

  6. Manually create an organizational unit that serves as the root DN of the session store.

    Example: ou=sessionstore

  7. Disconnect from JXplorer.

Note: We recommend that you disable the anonymous authentication to prevent unauthorized access to the session store.

Command-line Procedure for CA Directory

Create the Session Store Schema

The DSA requires the schema to store and retrieve the session information of CA SiteMinder® users.

Follow these steps:

  1. Log in to the CA Directory host system.
  2. Stop the DSA using the following command:
    dxserver stop DSA_Name
    
  3. Add the CA SiteMinder® session store schema file (netegrity.dxc) into DXHOME\config\schema.
  4. Navigate to DXHOME\config\schema.
  5. Create the session store schema by copying the default schema file of the DSA (default.dxg), removing the read-only attribute, and renaming it.

    Example: Copy default.dxg and rename the copy to smsession.dxg.

  6. Edit the session store schema file:
    1. Add the following lines to the bottom of the file:
      #CA Schema
      source "netegrity.dxc";
      
    2. Save the file.
    3. Apply the read-only attribute.
  7. Navigate to DXHOME\dxserver\config\limits.
  8. Create a session store limits file by copying the default limits file (default.dxc), removing the read-only attribute, and renaming it.

    Example: Copy default.dxc and rename the copy smsession.dxc.

  9. Edit the session store default limits file:
    1. Edit the max-local-ops attribute to match the following value:
      set max-op-size = 1000;
      

      The attribute is in the size limits section and represents a high limit. The session store is not expected to return more than 1,000 objects per search query.

    2. Save the file.
    3. Apply the read-only attribute.
  10. Navigate to DXHOME\config\servers and open the session store initialization file (DSA_name.dxi).
    DSA_name

    Specifies the name of the session store DSA.

  11. Edit the session store initialization file:
    1. Edit the schema reference from default.dxg to the session store schema file.

      The reference is in the schema section.

      Example: Change default.dxg to smsession.dxg.

    2. Edit the service limits reference from default.dxc to the session store limits file.

      The reference is in the service limits section.

      Example: Change default.dxc to smsession.dxc.

    3. Edit the set cache-index attribute to match the following setting:
      set cache-index-all-except = smVariableValue,smsessionblob;
      

      Note: Be sure that the cache index all attribute is set before the following attribute:

      set lookup-cache = true;
      

      The attribute is in the grid configuration section.

    4. (Optional) Compress the following attribute to store more session objects in memory:

      smVariableValue

    5. (Optional) Disable transaction logging to improve performance.

      Important! Consider the effects disabling transaction logging has on data recovery. For more information, see the CA Directory documentation.

  12. Start the DSA using the following command:
    dxserver start DSA_Name
    

    The session store schema is created.
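The file edits in steps 5 through 11 above, scripted for a Unix CA Directory host as an added example (this is not CA's own tooling). It assumes the directory layout the page names under DXHOME (config/schema, config/limits, config/servers), that the DSA has already been stopped with dxserver stop, and uses a constructed stub of the default files so that it can be exercised offline.

```shell
# Added example, not CA's own tooling: applies the edits of steps 5-11 for a DSA.
# Assumes $DXHOME/config/{schema,limits,servers} as named on the page; default.dxg
# and default.dxc are left untouched, only smsession.* copies and the .dxi change.
set -eu

SCHEMA_LINE='source "netegrity.dxc";'
LIMIT_LINE='set max-op-size = 1000;'
CACHE_LINE='set cache-index-all-except = smVariableValue,smsessionblob;'

# Steps 5-6: copy default.dxg, source the session store schema, re-apply read-only.
make_schema() {  # $1 = DXHOME
  out="$1/config/schema/smsession.dxg"
  cp "$1/config/schema/default.dxg" "$out"
  printf '#CA Schema\n%s\n' "$SCHEMA_LINE" >> "$out"
  chmod a-w "$out"
}

# Steps 8-9: copy default.dxc with max-op-size forced to 1000 (appended if absent).
make_limits() {  # $1 = DXHOME
  out="$1/config/limits/smsession.dxc"
  awk -v l="$LIMIT_LINE" '/^set max-op-size/ {print l; seen=1; next} {print}
       END {if (!seen) print l}' "$1/config/limits/default.dxc" > "$out"
  chmod a-w "$out"
}

# Steps 10-11: repoint the .dxi at smsession.dxg/.dxc and place the cache-index
# line before "set lookup-cache = true;", dropping any earlier cache-index line.
edit_dxi() {  # $1 = DXHOME, $2 = DSA name
  f="$1/config/servers/$2.dxi"
  awk -v c="$CACHE_LINE" '/^set cache-index/ {next}
       /^set lookup-cache *= *true;/ {print c; done=1}
       {sub(/default\.dxg/, "smsession.dxg"); sub(/default\.dxc/, "smsession.dxc"); print}
       END {if (!done) print c}' "$f" > "$f.tmp" && mv -f "$f.tmp" "$f"
}

configure_session_store() {  # $1 = DXHOME, $2 = DSA name
  make_schema "$1"; make_limits "$1"; edit_dxi "$1" "$2"
}

# Constructed stand-in for a DXHOME tree so the functions can be run offline;
# real default.dxg/.dxc/.dxi files are longer than these stubs.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/config/schema" "$d/config/limits" "$d/config/servers"
  printf 'source "x500.dxc";\n' > "$d/config/schema/default.dxg"
  printf '# size limits\nset max-op-size = 4000;\n' > "$d/config/limits/default.dxc"
  printf 'source "../schema/default.dxg";\nsource "../limits/default.dxc";\nset cache-index = all;\nset lookup-cache = true;\n' > "$d/config/servers/smsessionstore.dxi"
  echo "$d"
}
```

On a real host run configure_session_store "$DXHOME" smsessionstore after dxserver stop, then dxserver start as in step 12.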

Point the Policy Server to the Session Store

Point the Policy Server to the session store DSA to let CA SiteMinder® manage the session store.

Follow these steps:

  1. Open the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Click the Data tab.
  3. Select Session Store from the Database list.
  4. Select CA Directory from the Storage list.
  5. Select the Session Store Enabled option.
  6. Under LDAP Session Store section:
    1. Enter the IP address and port of the session store DSA.
    2. Enter the root DN of the session store DSA.

      Example: ou=sessionstore,o=forwardinc,c=us

    3. Enter the complete DN of an administrative user in the DSA.

      Example: cn=admin,o=forwardinc,c=us

    4. Enter the password of the administrative user.
  7. Click Test LDAP Connection to verify the connection.
  8. Click OK.

    CA SiteMinder® is configured to manage the session store.