Previous Topic: Directory Attributes OverviewNext Topic: How to Configure a CA LDAP Server for z/OS User Directory Connection


How to Configure a CA Directory User Directory Connection

You can use a CA Directory user directory as a user store. The following process lists the steps for creating the user store connection to the Policy Server:

  1. Ping the User Store System
  2. Configure a CA Directory User Directory Connection
  3. (Optional) Enable Caching for a CA Directory User Store
  4. (Optional) Verify the CA Directory Cache Configuration
Ping the User Store System

Pinging the user store system verifies that a network connection exists between the Policy Server and the user directory or database.

Note: Some user store systems may require the Policy Server to present credentials.

Configure CA Directory User Directory Connections

You can configure a user directory connection that lets the Policy Server communicate with a CA Directory user store.

Follow these steps:

  1. Click Infrastructure, Directory.

    Objects related to user directories appear on the left.

  2. Click User Directories.

    The User Directories screen appears.

  3. Click Create User Directory.

    The Create User Directory screen appears and displays the required settings to configure an LDAP connection.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Complete the required connection information in the General and Directory Setup areas.

    Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.

  5. Configure the LDAP search and LDAP user DN lookup settings in the LDAP Settings area.
  6. Do the following in the Administrator Credentials area:
    1. Select Require Credentials.
    2. Enter the credentials of an administrator account.
  7. (Optional) Specify the user directory profile attributes that are reserved for CA SiteMinder® in the User Attributes area.
  8. (Optional) Click Create in the Attribute Mapping List area to configure user attribute mapping.
  9. Click Submit.

    The user directory connection is created.

More information:

LDAP Load Balancing and Failover

Define an Attribute Mapping

Enable User Store DSA Parameters

CA SiteMinder® uses the Sun Java System LDAP SDK, which lets clients open one managed connection to the directory server and perform user binds under that connection. If you are using CA Directory as a user store, the Policy Server connects to CA Directory by performing a bind request for each authentication request. Configure CA Directory to handle these requests, or CA Directory runs out of connections and authentication fails.

Follow these steps:

  1. Open the .dxi file for the user store DSA.
  2. Define the following entries at the bottom of the file:
    #SiteMinder
    set mimic-netscape-for-siteminder = true;
    set concurrent-bind-user = DN;
    set hold-ldap-connections = true;
    
  3. Save and close the .dxi file.

    The user store DSA parameters are enabled.

    Note: The DN is in x500 format.

    Example: <o acme><cn smadmin>

Enable Caching for a CA Directory User Store

You can improve CA SiteMinder® authentication and authorization performance for large user stores by enabling the CA Directory DXcache feature. A 5 MB user store is considered large.

To enable caching

  1. As the dsa user, edit the user store DSA’s DXI file (for example, <dxserver_install>\config\servers\eTrustDsa.dxi) and add the following lines to the end of the file:
    # cache configuration
    set max-cache-size = 100;
    set cache-index = commonName, surname, objectClass;
    set cache-attrs = all-attributes;
    set cache-load-all = true;
    set lookup-cache = true;
    

    Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the user store. In addition, set the cache-index fields to those fields used by CA SiteMinder® to perform a user search in the user store. For example, if users are authenticated and authorized based on their common name (cn=*), make sure that the commonName is set in the cache-index.

  2. As the dsa user, stop and restart the user DSA to allow the DXcache configuration changes to take effect:
    dxserver stop eTrustDsa
    dxserver start eTrustDsa
    
Verify the CA Directory Cache Configuration

After configuring the CA DXcache feature for the user store, you can verify that the cache is enabled using the DXmanager user interface.

To verify the cache

  1. Using a Web browser, connect to the CA DXmanager Web interface.

    For example:

    http://<CA_host>:8080/dxmanager/ManagerServlet?hostgroup=All

  2. Navigate to the DSA configuration page and verify that the DXcache Status field is set to Enabled for your policy store DSA.