Installation and Upgrade Guides › Policy Server Installation Guide › Configuring LDAP Directory Servers to Store CA SiteMinder® Data › CA Directory as a Session Store
CA Directory as a Session Store
You can configure CA Directory as a session store.
Note: For more information about supported versions, see the 12.52 CA SiteMinder® Platform Support Matrix.
More information:
Locate the Platform Support Matrix
How to Configure the Session Store
Complete the following tasks to configure CA Directory as a session store:
- Obtain the session store schema files.
- Create a DSA for the session store.
- Add a session store administrative user and root DN.
- Create the session store schema.
- Point the Policy Server to the session store.
Obtain the Session Store Schema Files
All required session store schema files are installed with the Policy Server. Contact your CA SiteMinder® Administrator and request the following file:
- netegrity.dxc
-
Creates the DSA session store schema. The schema lets the DSA store and retrieve the session information of CA SiteMinder® users.
The files reside in siteminder_home\eTrust.
- siteminder_home
-
Specifies the Policy Server installation path.
Create a DSA for the Session Store
Create a DSA and dedicate its use to the session store only. A dedicated DSA helps to maximize session store performance.
Follow these steps:
- Log in to the CA Directory host system.
- Create a data DSA by running the following command:
dxnewdsa dsa_name port prefix
- dsa_name
-
Specifies the name of the session store DSA.
- port
-
Specifies the port on which the session store must listen for requests.
- prefix
-
Specifies the namespace prefix. Use LDAP syntax to specify the prefix.
Example: Create a data DSA for the session store.
dxnewdsa smsessionstore 1234 o=forwardinc,c=us
Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.
Add a Session Store Administrative User and Root DN
The Policy Server requires:
- The complete distinguished name (DN) and password of a user in the DSA. The Policy Server uses these credentials to manage the session store.
- A root DN to which session information can be written.
Follow these steps:
- Access the DSA using anonymous authentication with one of the following methods:
- Create a user that CA SiteMinder® can use to manage the session store.
- Be sure to create the user with only the following OBJECT CLASS:
inetOrgPerson
- Note the credentials. The credentials are required to point the Policy Server to the session store DSA.
- Disconnect from JXplorer.
- Start JXplorer.
- Log in to the DSA using the complete DN of the administrative user you created to verify that you can access the DSA.
Example: cn=admin,o=forwardinc,c=us
- Manually create an organizational unit that serves as the root DN of the session store.
Example: ou=sessionstore
- Disconnect from JXplorer.
Note: We recommend that you disable the anonymous authentication to prevent unauthorized access to the session store.
Command-line Procedure for CA Directory
Create the Session Store Schema
The DSA requires the schema to store and retrieve the session information of CA SiteMinder® users.
Follow these steps:
- Log in to the CA Directory host system.
- Stop the DSA using the following command:
dxserver stop DSA_Name
- Add the CA SiteMinder® session store schema file (netegrity.dxc) in to DXHOME\config\schema.
- Navigate to DXHOME\config\schema.
- Create the session store schema by copying the default schema file of the DSA (default.dxg), removing the read–only attribute, and renaming it.
Example: Copy default.dxg and rename the copy to smsession.dxg.
- Edit the session store schema file:
- Add the following lines to the bottom of the file:
#CA Schema
source "netegrity.dxc";
- Save the file.
- Apply the read–only attribute.
- Navigate to DXHOME\dxserver\config\limits.
- Create a session store limits file by copying the default limits file (default.dxc), removing the read–only attribute, and renaming it.
Example: Copy default.dxc and rename the copy smsession.dxc.
- Edit the session store default limits file:
- Edit the max–local–ops attribute to match the following value:
set max-op-size = 1000;
The attribute is in the size limits section and represents a high limit. The session store is not expected to return more than 1,000 objects per search query.
- Save the file.
- Apply the read–only attribute.
- Navigate to DXHOME\config\servers and open the session store initialization file (DSA_name.dxi).
- DSA_name
-
Specifies the name of the session store DSA.
- Edit the session store initialization file:
- Edit the schema reference from default.dxg to the session store schema file.
The reference is in the schema section.
Example: Change default.dxg to smsession.dxg.
- Edit the service limits reference from default.dxc to the session store limits file.
The reference is in the service limits section.
Example: Change default.dxc to smsession.dxc.
- Edit the set–cache index attribute to match the following setting:
set cache-index-all-except = smVariableValue,smsessionblob;
Note: Be sure that the cache index all attribute is set before the following attribute:
set lookup-cache = true;
The attribute is in the grid configuration section.
- (Optional) Compress the following attribute to store more session objects in memory:
smVariableValue
- (Optional) Disable transaction logging to improve performance.
Important! Consider the effects disabling transaction logging has on data recovery. For more information, see the CA Directory documentation.
- Start the DSA using the following command:
dxserver start DSA_Name
The session store schema is created.
Point the Policy Server to the Session Store
Point the Policy Server to the session store DSA to let CA SiteMinder® manage the session store.
Follow these steps:
- Open the Policy Server Management Console.
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
- Click the Data tab.
- Select Session Store from the Database list.
- Select CA Directory from the Storage list.
- Select the Session Store Enabled option.
- Under LDAP Session Store section:
- Enter the IP address and port of the session store DSA.
- Enter the root DN of the session store DSA.
Example: ou=sessionstore,o=fowardinc,c=us
- Enter the complete DN of an administrative user in the DSA.
Example: cn=admin,o=forwardinc,c=us
- Enter the password of the administrative user.
- Click Test LDAP Connection to verify the connection.
- Click OK.
CA SiteMinder® is configured to manage the session store.
Copyright © 2013 CA.
All rights reserved.
|
|