This section contains the following topics:
Configure Data Storage Options Overview
Configure the Policy Store Database
Configure the Key Store or Audit Logs to Use the Policy Store Database
Configure a Separate Database for the Key Store
Configure a Separate Database for the Audit Logs
Configure LDAP Storage Options
Configure ODBC Storage Options
Configure Text File Storage Options
Audit Data Import Tool for ODBC
Specify a Netscape Certificate Database File
You configure storage locations for CA SiteMinder® data stores from the Policy Server Management Console Data tab.
Follow these steps:
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Note: For more information about the settings and controls on this tab, click Help, Management Console Help.
Note: The following table lists the data stores that you can configure and the respective storage options. The combination of these settings determines the settings displayed in the context-sensitive controls that become available.
The following table lists CA SiteMinder® data stores and the available storage options. For more information about these stores, see the CA SiteMinder® Implementation Guide.
Database | Available Storage
---|---
Policy Store | LDAP, ODBC
Key Store | LDAP, ODBC
Audit Logs | ODBC, Text file
Session Store | ODBC, CA Directory
The Policy Store is the database in which all Policy Server objects are stored.
To configure the policy store database
Note: If you have one or more Policy Servers communicating with an LDAP-enabled policy store, configure the same setting in the Management Console on each of those Policy Server systems.
After you configure the Policy Store, you can optionally configure the other data stores to use the Policy Store database. If the Policy Store storage type is compatible (that is, if the Policy Store is stored in a database type that is also a valid storage option for the other data store), you can configure the Policy Server to use the policy store database as one or more of the following:
Important! If you are using an LDAP database as your Policy Store, do not use the Policy Store database for audit logs. Audit logs cannot be written to an LDAP database. If you are using the CA SiteMinder® sample data source (SmSampleUsers) as your Policy Store, do not use the Policy Store database for audit logs. Audit logs are not supported by the sample policy store.
To store another data store in the Policy Store database, select the Use Policy Store Database option. This option appears between the Database drop-down list and the Storage Options area whenever a database other than Policy Store is selected in the Database drop-down list.
When the Use Policy Store Database option is selected, the Storage drop-down list and the context-sensitive Storage Options are grayed out.
The Key store is where the Policy Server stores keys used to encrypt cookies created by CA SiteMinder® Agents.
To configure a separate database for the key store
Note: The Policy Server supports mixed LDAP/ODBC policy and key stores. The policy store can exist in an ODBC database and the key store can reside in an LDAP Directory Server or vice versa. For a list of supported databases, refer to the CA SiteMinder® Platform Matrix on the Technical Support site.
The audit log database is where the Policy Server stores audit logs containing event information.
Storing audit logs in a database can add latency to your environment, because of the additional traffic between the Policy Server and the database. As the number of transactions increases, this database latency can affect Policy Server performance: when the database slows down, the Policy Server also slows down.
Consider logging to a text file and exporting those logs to a database as an alternative if the performance of your database is unacceptable.
Follow these steps:
When deciding whether to store the Policy Server audit logs in an ODBC database or text file, consider the following factors:
We recommend 60 seconds for heavy loads. The default is 30 seconds.
We recommend 30 seconds for heavy loads. The default is 15 seconds.
We recommend 30 seconds for heavy loads. The default is 15 seconds.
Note: The value of ConnectionHangwaitTime must always be at least double the value of QueryTimeout and LoginTimeout.
The session store is where the Policy Server stores persistent session data.
Follow these steps:
If you are going to use persistent sessions in one or more realms, enable the session store. Enabling the session store affects Policy Server performance.
Note: The following option is disabled:
Use Policy Store database
For performance reasons, the session store cannot be run on the same database as the policy store.
Under heavy load conditions, the long-running queries required for session store maintenance tasks, such as removing idled-out or expired sessions, can time out. Adjust the timeout for session store maintenance tasks (60 seconds by default) by increasing the value of the MaintenanceQueryTimeout registry setting. Increase the value enough that the maintenance thread can complete its tasks successfully.
The MaintenanceQueryTimeout registry setting can be found at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\SessionServer
Use the LDAP context-sensitive storage controls to point CA SiteMinder® to an LDAP directory server that is configured as:
Consider the following items:
To configure an LDAP database
Note: You can specify multiple servers in this field to allow for LDAP server failover.
Note: If you select this option, you must specify a certificate database in the Netscape Certificate Database File field.
If you have multiple LDAP directories, you can configure them for failover. To enable failover, enter the LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses. You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (the standard ports are 389 for non-SSL and 636 for SSL), append the port number to the server IP address using a ‘:’ as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:
123.123.12.11:511 123.123.12.22:512
If the LDAP server 123.123.12.11 on port 511 did not respond to a request, the request is automatically passed to 123.123.12.22 on port 512.
If all of your LDAP servers are running on the same port, you can append the port number to the last server in the sequence. For example, if all of your servers are running on port 511, you can enter the following:
123.123.12.11 123.123.12.22:511
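The following added example (not CA SiteMinder code) parses the LDAP Server field format just described into the failover sequence the Policy Server would try, and walks that sequence past servers that do not respond. It assumes, based on the text above, that a port appended only to the last server applies to every server in the list that has no port of its own.

```python
# Added example (not CA SiteMinder code): parse the LDAP Server field format
# described above into the failover sequence the Policy Server would try.
# Assumption: a port appended only to the last server applies to every server
# in the list that has no port of its own, as the text implies.
from __future__ import annotations

DEFAULT_PORT = {False: 389, True: 636}  # non-SSL and SSL defaults named on the page


def parse_ldap_server_field(field: str, ssl: bool = False) -> list[tuple[str, int]]:
    """Return (host, port) pairs in the order the Policy Server tries them.

    Rules applied:
      * entries are whitespace-separated and tried left to right;
      * 'host:port' gives that entry an explicit port;
      * a port on the last entry is shared by earlier entries without one;
      * anything still without a port gets the default for the connection type.
    """
    entries = field.split()
    if not entries:
        raise ValueError("LDAP Server field is empty")

    parsed: list[tuple[str, int | None]] = []
    for entry in entries:
        host, sep, port_text = entry.rpartition(":")
        if not sep:
            parsed.append((entry, None))
            continue
        if not host:
            raise ValueError(f"missing host in LDAP server entry {entry!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in LDAP server entry {entry!r}")
        parsed.append((host, int(port_text)))

    # The port appended to the last server (if any) is the shared port.
    shared_port = parsed[-1][1]
    if shared_port is None:
        shared_port = DEFAULT_PORT[ssl]
    return [(host, port if port is not None else shared_port) for host, port in parsed]


def first_responding_server(
    field: str, unreachable: set[str], ssl: bool = False
) -> tuple[str, int] | None:
    """Walk the failover sequence and return the first server whose host is not
    in `unreachable` (a constructed stand-in for a server that does not respond),
    or None when every server in the list is unreachable."""
    for host, port in parse_ldap_server_field(field, ssl):
        if host not in unreachable:
            return (host, port)
    return None
```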
Enhancements have been made to CA SiteMinder®’s LDAP referral handling to improve performance and redundancy. Previous versions of CA SiteMinder® supported automatic LDAP referral handling through the LDAP SDK layer. When an LDAP referral occurred, the LDAP SDK layer handled the execution of the request on the referred server without any interaction with the Policy Server.
CA SiteMinder® now includes support for non-automatic (enhanced) LDAP referral handling. With non-automatic referral handling, an LDAP referral is returned to the Policy Server rather than the LDAP SDK layer. The referral contains all of the information necessary to process the referral. The Policy Server can detect whether the LDAP directory specified in the referral is operational, and can terminate a request if the appropriate LDAP directory is not functioning. This feature addresses performance issues that arise when an LDAP referral to an offline system causes a constant increase in request latency. Such an increase can cause CA SiteMinder® to become saturated with requests.
To configure LDAP referral handling
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Mark this check box to allow the Policy Server to handle LDAP referrals itself (enhanced referral handling), rather than allowing the LDAP SDK layer to handle them.
Indicates the maximum number of consecutive referrals that will be allowed while attempting to resolve the original request. Since a referral can point to a location that requires additional referrals, this limit is helpful when replication is misconfigured, causing referral loops.
Large LDAP policy stores can cause Administrative UI performance issues.
To prevent these problems, you can modify the values of the following registry settings:
Specifies the Administrative UI buffer size (the maximum amount of data [bytes] that is passed from the Policy Server to the Administrative UI in one packet).
Configure this setting at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServ\
We recommend using caution when setting this value. Allocation of a larger buffer decreases overall performance.
Range: 256 KB to 2,097,000 KB
Default: 256 KB (also applies when this registry setting does not exist).
Specifies the search timeout, in seconds, for LDAP policy stores.
Configure this setting at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\SearchTimeout
Examples of factors which influence the appropriate value for this setting include (but are not limited to) the following items:
A large enough value prevents any LDAP timeouts when fetching large amounts of policy store data.
Limit: Use hexadecimal numbers.
Default: 0x14 (20 seconds). This value is also used when the registry setting does not exist.
Example: 0x78 (120 seconds)
Configuring an LDAP connection over SSL requires that you configure CA SiteMinder® to use your certificate database files.
Complete the following steps to configure a connection over SSL:
Consider the following SSL prerequisites:
Note: For more information, see vendor-specific documentation.
Important! Do not use Microsoft Internet Explorer to install certificates into your cert8.db database file.
The certificate database files must be in the Netscape database file format (cert8.db). Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to create the certificate database files.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
certutil -N -d certificate_database_directory
Creates the cert8.db, key3.db, and secmod.db certificate database files.
Specifies the directory in which the certutil tool is to create the certificate database files.
Note: If the file path contains spaces, bracket the path in quotes.
The utility prompts for a password to encrypt the database key.
NSS creates the required certificate database files:
Example: Create the Certificate Database Files
certutil -N -d C:\certdatabase
Add the root Certificate Authority (CA) to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the root CA.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
Adds a certificate to the certificate database.
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments.
p
Valid peer.
P
Trusted peer. This argument implies p.
c
Valid CA.
T
Trusted CA to issue client certificates. This argument implies c.
C
Trusted CA to issue server certificates (SSL only). This argument implies c.
Important! This is a required argument for the SSL trust category.
u
Certificate can be used for authentication or signing.
Specifies the path to the root CA file. Consider the following:
Note: If the file path contains spaces, bracket the path in quotes.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the root CA to the certificate database.
Example: Adding a Root CA to the Certificate Database
certutil -A -n "My Root CA" -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase
Add the server certificate to the certificate database to make it available for communication over SSL. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to add the server certificate.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
To add the server certificate to the certificate database
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
Adds a certificate to the certificate database.
Specifies an alias for the certificate.
Note: If the alias contains spaces, bracket the alias with quotes.
Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the certificate is trusted. In each category position, you may use zero or more of the following attribute arguments:
p
Valid peer.
P
Trusted peer. This argument implies p.
Important! This is a required argument for the SSL trust category.
Specifies the path to the server certificate. Consider the following:
Note: If the file path contains spaces, bracket the path in quotes.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the server certificate to the certificate database.
Example: Adding a Server Certificate to the Certificate Database
certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase
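The following added example (not part of the NSS or CA SiteMinder tools) parses a certutil -t trust-argument string into the three categories described in the root CA and server certificate procedures above, applies the implied flags, and checks that the SSL category carries the flag this page calls required: C for the root CA and P for the server certificate. The flag meanings are the ones listed on this page.

```python
# Added example (not part of NSS or CA SiteMinder): validate certutil -t
# trust-argument strings of the form "SSL,email,object signing" against the
# flag meanings and requirements listed on this page.
from __future__ import annotations

CATEGORIES = ("SSL", "email", "object signing")

TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates (implies c)",
    "C": "trusted CA to issue server certificates, SSL only (implies c)",
    "u": "certificate can be used for authentication or signing",
}
IMPLIED = {"P": "p", "T": "c", "C": "c"}

# Flag the page calls required in the SSL category for each kind of certificate.
REQUIRED_SSL_FLAG = {"root_ca": "C", "server": "P"}


def parse_trust_args(trust: str) -> dict[str, set[str]]:
    """Return the effective flags per category, including implied flags."""
    parts = trust.split(",")
    if len(parts) != len(CATEGORIES):
        raise ValueError(f"expected 3 comma-separated categories, got {trust!r}")
    effective: dict[str, set[str]] = {}
    for category, flags in zip(CATEGORIES, parts):
        granted: set[str] = set()
        for flag in flags.strip():
            if flag not in TRUST_FLAGS:
                raise ValueError(f"unknown trust flag {flag!r} in {category} category")
            granted.add(flag)
            if flag in IMPLIED:
                granted.add(IMPLIED[flag])
        effective[category] = granted
    return effective


def ssl_trust_problems(trust: str, kind: str) -> list[str]:
    """Return problems with `trust` for a 'root_ca' or 'server' certificate
    that is added for an SSL LDAP connection; an empty list means acceptable."""
    required = REQUIRED_SSL_FLAG[kind]
    categories = parse_trust_args(trust)
    problems: list[str] = []
    if required not in categories["SSL"]:
        problems.append(
            f"SSL category lacks {required!r} ({TRUST_FLAGS[required]}), "
            f"which the page requires for a {kind.replace('_', ' ')} certificate"
        )
    # The page describes C as an SSL-only attribute.
    for category in CATEGORIES[1:]:
        if "C" in categories[category]:
            problems.append(f"'C' given in the {category} category, but C applies to SSL only")
    return problems
```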
List the certificates to verify that they were added to the certificate database. Use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to list the certificates.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.
certutil -L -d certificate_database_directory
Lists all of the certificates in the certificate database.
Specifies the path to the directory that contains the certificate database.
Note: If the file path contains spaces, bracket the path in quotes.
NSS displays the root CA alias, the server certificate alias, and the trust attributes that you specified when adding the certificates to the certificate database.
Example: List the Certificates in the Certificate Database
certutil -L -d C:\certdatabase
Point the Policy Server to the certificate database to configure CA SiteMinder® to communicate with the user directory over SSL.
To point the Policy Server to the certificate database
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Example: C:\certdatabase\cert8.db
Note: The key3.db file must be in the same directory as the cert8.db file.
The Policy Server is configured to communicate with the user directory over SSL.
Use the ODBC context-sensitive storage controls to configure an ODBC data source for:
Note: For more information about configuring ODBC data sources, see the Policy Server Installation Guide.
To configure an ODBC data source
Indicates the name of the ODBC data source. You can enter multiple names in this field to enable failover.
Indicates the user name of the database account (if required) with full rights to access the database.
Contains the password of the database account.
Contains a duplicate of the database account password, for verification.
Indicates the maximum number of ODBC connections per database allowed at one time.
If you have multiple ODBC data sources and you want to configure failover, list the data source names in the Data Source Information field, separated by commas. For example, entering CA SiteMinder® Data Source1,CA SiteMinder® Data Source2 causes the Policy Server to look at CA SiteMinder® Data Source1 first. If CA SiteMinder® Data Source1 does not respond, the Policy Server automatically looks for CA SiteMinder® Data Source2.
Note: Using the method described above, you can configure failover for data sources used as policy stores, key stores, session stores, and audit logs.
SQL queries that return large numbers of records can cause the Policy Server to hang or crash. To manage this outcome, you can output a warning message to the SMPS logs when the number of records returned exceeds a maximum value that you specify.
To configure the maximum, add the registry key, MaxResults, and set its value to one or more. When the number of records returned by a query equals or exceeds the limit specified by MaxResults, the Policy Server outputs a warning to the SMPS logs. When MaxResults is set to zero or undefined, no warning messages are output.
Adding the registry key, MaxResults, does not change the number of records returned. Adding the key does warn you when the number of results exceeds a limit that you set. You can use this feedback to modify your SQL queries and fine-tune the number of records returned, as needed.
To configure a limit to the number of records returned by a SQL query
Windows
Add the registry key MaxResults to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider
Solaris
Add the following lines to the sm.registry file:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider=35921
MaxResults=0x1; REG_DWORD
The following parameters control the timeouts for the connection between an ODBC database and the Policy Server in various situations. On Windows and UNIX, the key is available at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Database
The time that is allowed to connect to the database.
Allows 30 seconds for the query to complete. When the query does not complete within this time, a cancel request is sent to the database. For an ODBC user directory, the query timeout is overridden with the user directory object Searchtimeout. You set this value using XPSExplorer.
The number of seconds before the Policy Server marks a connection as hung. This value must be larger than twice the value of QueryTimeout or SearchTimeout.
The maximum wait time on a connection. In cases where the query timeout or the log-in timeout apply, those values override the connection timeout.
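The following added example (not CA SiteMinder code) parses sm.registry-style fragments in the form this page shows (a key path line ending in "=<number>", followed by "<name>=<value>; REG_<type>" lines) and checks the rule stated both in the audit-log timeout note earlier on this page and in the hung-connection description above: ConnectionHangwaitTime must be at least double QueryTimeout and LoginTimeout. The file syntax is inferred from the fragments on this page, the sample fragment is constructed, and the key numbers in it are placeholders.

```python
# Added example (not CA SiteMinder code): parse sm.registry-style fragments as
# shown on this page and check the ConnectionHangwaitTime rule quoted above.
# The syntax is inferred from the page's fragments; the sample text below is
# constructed and its key numbers (35921, 35922) are placeholders.
from __future__ import annotations

import re

DATABASE_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Database"
)
ODBC_PROVIDER_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\ODBCProvider"
)

# Constructed fragment: 0x1e = 30 s query/login timeouts, but a 0x28 = 40 s
# hang-wait time, which is below the required 60 s.
SAMPLE_SM_REGISTRY = f"""
{ODBC_PROVIDER_KEY}=35921
MaxResults=0x1; REG_DWORD
{DATABASE_KEY}=35922
LoginTimeout=0x1e; REG_DWORD
QueryTimeout=0x1e; REG_DWORD
ConnectionHangwaitTime=0x28; REG_DWORD
"""

KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\[^=]+)=(\d+)$")
VALUE_LINE = re.compile(r'^"?([^"=]+?)"?\s*=\s*([^;]+?)\s*;\s*(REG_[A-Z_]+)$')


def parse_sm_registry(text: str) -> dict[str, dict[str, int | str]]:
    """Map each registry key path to its values; REG_DWORD values become ints."""
    keys: dict[str, dict[str, int | str]] = {}
    current: str | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_LINE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_LINE.match(line)
        if not value_match or current is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        name, value, vtype = value_match.groups()
        # sm.registry writes DWORDs in hex (0x...), as the page's examples show;
        # int(value, 0) accepts that prefix as well as plain decimal.
        keys[current][name] = int(value, 0) if vtype == "REG_DWORD" else value
    return keys


def timeout_findings(values: dict[str, int | str]) -> list[str]:
    """Apply the rule quoted above to a parsed Database key: the hang-wait time
    must be at least double each of QueryTimeout and LoginTimeout."""
    hang = values.get("ConnectionHangwaitTime")
    if not isinstance(hang, int):
        return ["ConnectionHangwaitTime is not set explicitly; rule cannot be verified"]
    findings: list[str] = []
    for name in ("QueryTimeout", "LoginTimeout"):
        value = values.get(name)
        if isinstance(value, int) and hang < 2 * value:
            findings.append(
                f"ConnectionHangwaitTime={hang}s is below 2 x {name}={value}s "
                f"(needs at least {2 * value}s)"
            )
    return findings
```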
Use the Text File storage options to configure a text file to store the Policy Store audit logs.
To specify a text file, type the full path of a file in the File name field or click the Browse button and browse to the required directory and click on or type the name of the desired file.
The Policy Server can store audit data in an ODBC database or output audit data to a text file. The smauditimport tool reads a CA SiteMinder® audit data text file and imports the data into an ODBC database that has been configured as an audit store using the 5.x or 6.x schema.
The smauditimport tool imports authentication, authorization, and admin data into the corresponding tables in the ODBC database. The tool logs the number of rows successfully imported into the ODBC database. For each row that cannot be imported into the ODBC database, the tool logs the row number.
The characters '[', ']', and '\' appearing in a field in the policy or user store must be preceded by the escape character '\' (backslash). These characters can appear in fields such as the user name and realm name.
Set the following registry key, to escape these characters automatically:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\LogConfig]
Value Type: DWORD VALUE
Value Name: EscapeAuditFields
Value Data: 1
When Value Data is set to 0, or if the key does not exist, there is no escaping, and the operation fails.
Note: In some CA SiteMinder® documentation, the terms audit and logging are used interchangeably.
By default, the Policy Server logs less audit data to a text file than to an ODBC database. You can log more audit data to a text file than the default and bring the amount of data in line with an ODBC database. To do so, manually add the following registry key and set its value to one: "Enable Enhance Tracing". To disable "Enable Enhance Tracing", set its value to zero (the default).
To log more audit data to a text file
Windows
Add the following key:
TYPE=DWORD \netegrity\SiteMinder\CurrentVersion\Reports\"Enable Enhance Tracing"
Solaris
Follow these steps:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Reports=25089
"Enable Enhance Tracing"=0x1; REG_DWORD
Note: The value of "Enable Enhance Tracing" does not affect logging of Entitlement Management Services (EMS) events.
Before you run the tool smauditimport, verify that the following prerequisites have been satisfied:
Note: For Solaris and Linux platforms, run nete_ps_env.ksh before running the smauditimport tool.
Note: For more information about how to configure an ODBC database as an audit (logging) store, see the Policy Server Installation Guide.
The tool smauditimport reads a CA SiteMinder® audit data text file and imports it into an ODBC database. The tool is located in the \bin directory under the Policy Server installation directory.
Important! Before you import audit data into an ODBC database, configure the database as an audit store with CA SiteMinder® 5.x or 6.x schema. For more information about how to configure an ODBC database with the CA SiteMinder® schema, see the Policy Server Installation Guide.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
Follow these steps:
Specifies the Policy Server installation path.
smauditimport audit_file dsn user_name user_password -f -v -bbulk_load_size -s5 | -s6 -anumber
Specifies the path and name of the text file containing the audit data.
Note: The smauditimport tool requires the full path name of the audit data text file.
Specifies the Data Source Name (DSN) of the ODBC database.
Specifies the name of the ODBC database administrator.
Specifies the password of the ODBC database administrator.
(Required) Specifies the value of the Enable Enhance Tracing registry setting on the Policy Server. This setting exists under HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\Currentversion\Reports. On Windows operating environments, this setting is in the Windows registry. On UNIX or Linux operating environments, this setting is in the sm.registry file. The value of the setting must match the value used with this option.
Example: -a2 (Indicates an Enable Enhance Tracing registry setting of 2).
(Optional) When an error occurs while importing audit data, smauditimport logs the row number and continues processing.
Default: Without the -f option, smauditimport logs the row number, but stops processing when an error occurs.
(Optional) Validates the number of fields in the text file, validates that the values in numeric fields fall within specified ranges, validates the connection to the database, and outputs errors.
Note: When the smauditimport tool is run in the validation mode, no data is imported into the database.
(Optional) Specifies the number of rows to read and import into the ODBC database.
Default: 100
Note: If using the smauditimport tool to import audit data into an Oracle database using the -b option, do not set the Enable bulk load option in the ODBC Oracle Wire Protocol Driver Setup dialog. If the ODBC Oracle Wire Protocol Driver Setup Enable bulk load option is set, unexpected behavior occurs during the bulk load.
(Optional) Supports an ODBC database that is configured as an audit store with either 5.x schema or 6.x schema.
Default: Supports an ODBC database that is configured as an audit store with 6.x schema.
If you are using an LDAP directory to store policies or user information over SSL, you must point the Policy Server to the directory that contains Netscape Certificate Database files. The directory must contain the cert8.db and key3.db files.
Before you install the Certificate Database file, make a copy of it. Use the certificate database copy instead of the original and do not use cert8.db if it is currently being used by Netscape Communicator.
Type the name of the Certificate database in the Netscape Certificate Database file field or browse the directory tree to locate and select the database. This field does not require a value for Active Directory user stores configured in the Administrative UI using the AD namespace. AD user stores use the native Windows certificate repository when establishing an SSL connection.
Copyright © 2013 CA.
All rights reserved.