

Oracle Directory Server Enterprise Edition as a Key Store

You can configure Oracle Directory Server Enterprise Edition as a separate key store.

How to Configure the Key Store

Complete the following tasks to create the key store:

  1. Create a directory server instance that is to function as the key store. Be sure to create a root suffix and root object to store the CA SiteMinder® keys.

    Note: For more information, see your vendor-specific documentation.

  2. Create an LDAP user with privileges to create the schema, and read, modify, and delete objects in the LDAP tree underneath the key store root object.

    Note: For more information, see your vendor-specific documentation.

  3. Review the key store considerations.
  4. Gather directory server information.
  5. Register the key store.
  6. Create the key store schema.
  7. Import the key store schema.
  8. Restart the Policy Server.

Key Store Considerations

The smldapsetup utility creates the sub suffix ou=Netegrity,root and the PolicySvr4 database, where root is defined as follows:

root

The directory root that you specify when registering the key store. This value must be an existing root suffix or sub suffix.

Example: If your root suffix is dc=netegrity,dc=com, then running smldapsetup produces the following entries in the directory server:

If you want to place the key store under ou=apps,dc=netegrity,dc=com, then ou=apps,dc=netegrity,dc=com must itself be either a root suffix or a sub suffix of the root suffix dc=netegrity,dc=com.

If it is a sub suffix, then running smldapsetup produces the following entries:

Note: For more information about root and sub suffixes, see your vendor-specific documentation.
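Before running smldapsetup reg, it is worth confirming that the root you plan to pass with -r really is a configured root or sub suffix, as the considerations above require, because a registration against a DN that is merely an ordinary entry fails. The following Python is an added example, not part of CA SiteMinder or of this page; the suffix list is constructed input that you would normally read from the directory server's configuration, and plan_key_store, parse_dn and is_under are hypothetical helper names.

```python
import re


def parse_dn(dn):
    """Split an RFC 4514 DN into normalized RDN strings (leaf first).

    Commas escaped with a backslash stay inside their value; attribute
    types and values are lowercased and trimmed so that
    "DC=Netegrity , DC=COM" compares equal to "dc=netegrity,dc=com".
    Simplification: values are compared case-insensitively, which is
    correct for the dc/ou/cn attributes used in these DNs."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it in the tree."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def plan_key_store(root, suffixes):
    """Check a proposed key store root against the instance's suffixes.

    `suffixes` lists every root and sub suffix configured on the directory
    instance (constructed input for this example). The root passed to
    `smldapsetup reg -r` must itself be one of those suffixes, because
    smldapsetup creates ou=Netegrity directly beneath it."""
    matches = [s for s in suffixes if parse_dn(s) == parse_dn(root)]
    if not matches:
        return {"ok": False,
                "reason": f"{root} is not a configured root or sub suffix"}
    # A sub suffix hangs off a root suffix; report the closest enclosing
    # suffix so the replication agreement later covers the right tree.
    parents = [s for s in suffixes
               if parse_dn(s) != parse_dn(root) and is_under(root, s)]
    return {
        "ok": True,
        "parent_suffix": max(parents, key=lambda s: len(parse_dn(s)),
                             default=None),
        # Sub suffix that smldapsetup will create under the chosen root.
        "netegrity_dn": f"ou=Netegrity,{matches[0]}",
    }
```

If the check returns ok=False, create the missing root or sub suffix on the directory instance first (step 1 of the task list) rather than pointing -r at a plain container entry.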

Gather Directory Server Information

Specific information is required to configure a separate key store. Gather the following information:

Host

The fully qualified name or the IP Address of the directory server host system.

Port

The port on which the directory server instance is listening. This value is only required if the instance is listening on a non-standard port.

Default values: 636 (SSL) and 389 (non-SSL)

Administrative DN

Specifies the LDAP user name of a user that has privileges to:

Note: This permission is only required to import the key store schema. After you deploy the key store, you can configure the Policy Server with a user that does not have the permission.

Administrative password

Specifies the password for the Administrative DN.

Key store root DN

Specifies the distinguished name of the node in the LDAP tree where the key store objects must be imported.

SSL client certificate

Specifies the pathname of the directory where the SSL client certificate database file resides.

Limit: SSL only

Register the Key Store

Registering the key store configures a connection between the key store and the Policy Server. The Policy Server uses the credentials that you supply to manage the key store.

Important! Registration does not configure the Policy Server to use the separate key store. The settings do not take effect until the Policy Server is restarted. Do not restart the Policy Server until the key store is configured and you are ready to deploy it.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command to configure the connection:
    smldapsetup reg -hhost -pport -dadmin_user -wadmin_password -rroot -k1
    

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

    Note: For more information about these modes and arguments, see the Policy Server Administration Guide.

    Example (the host is given with the -h argument, immediately followed by its value):

    smldapsetup reg -h172.16.0.0 -p389 -d"cn=directory manager" -wpassword -r"dc=test" -k1
    
  3. Start the Policy Server Management Console and open the Data tab.
  4. Complete one of the following procedures:

    Note: The Use Policy Store database setting is cleared. The cleared setting is expected behavior: until the restart, the Policy Server continues to use the key store that is collocated with the policy store.

  5. Exit the Policy Server Management Console.

    The separate key store is registered with the Policy Server.

Create the Key Store Schema

The key store instance requires the schema to store and retrieve CA SiteMinder® web agent keys. Use the smldapsetup utility to create the key store schema file.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command to create the key store schema file:
    smldapsetup ldgen -ffile_name -k1
    

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

    Note: For more information about these modes and arguments, see the Policy Server Administration Guide.

    Example: smldapsetup ldgen -fkeystoreschema -k1

    The key store schema file is created.

Import the Key Store Schema

The key store instance requires the schema to store and retrieve CA SiteMinder® web agent keys. Use the smldapsetup utility to import the key store schema file.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command to import the key store schema:
    smldapsetup ldmod -ffile_name -k1
    

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

    Consider the following items:

    Example: smldapsetup ldmod -fkeystoreschema -k1

    The key store-specific schema is imported.

Restart the Policy Server

The Policy Server continues to use the collocated key store until you restart the Policy Server. Restart the Policy Server to begin using the separate key store.

Note: For more information, see the Policy Server Administration Guide.

Replicate an Oracle Directory Server Key Store

CA SiteMinder® creates a UserRoot and a PolicySvr4 database. Suffix mappings point to the PolicySvr4 database. Replicating a key store requires that you set up a replication agreement for the PolicySvr4 database directory.

Follow these steps:

  1. Configure a replication agreement as detailed by your vendor-specific documentation.
  2. Log in to the Policy Server host system.
  3. Run the following command to generate the CA SiteMinder® indexes:
    smldapsetup ldgen -x -findexes.ldif
    

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

  4. Set up the indexes on a replica server:
    smldapsetup ldmod -x -findexes.ldif -hhost -preplicaport -dAdminDN -wAdminPW
    
    host

    Specifies the replica host.

    replicaport

    Specifies the replica port number.

    AdminDN

    Specifies the replica administrator DN.

    Example: cn=directory manager

    AdminPW

    Specifies the replica administrator password.

    The CA SiteMinder® indexes are replicated.

More Information:

smldapsetup