You can use a CA Directory user directory as a user store. The following process lists the steps for creating the user store connection to the Policy Server:
Pinging the user store system verifies that a network connection exists between the Policy Server and the user directory or database.
Note: Some user store systems may require the Policy Server to present credentials.
You can configure a user directory connection that lets the Policy Server communicate with a CA Directory user store.
Follow these steps:
Objects related to user directories appear on the left.
The User Directories screen appears.
The Create User Directory screen appears and displays the required settings to configure an LDAP connection.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.
The user directory connection is created.
CA SiteMinder® uses the Sun Java System LDAP SDK, which lets clients open one managed connection to the directory server and perform user binds under that connection. If you are using CA Directory as a user store, the Policy Server connects to CA Directory by performing a bind request for each authentication request. Configure CA Directory to handle these requests, or CA Directory runs out of connections and authentication fails.
Follow these steps:
#SiteMinder
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = DN;
set hold-ldap-connections = true;
The user store DSA parameters are enabled.
Note: The DN is in x500 format.
Example: <o acme><cn smadmin>
You can improve CA SiteMinder® authentication and authorization performance for large user stores by enabling the CA Directory DXcache feature. A 5 MB user store is considered large.
To enable caching
# cache configuration
set max-cache-size = 100;
set cache-index = commonName, surname, objectClass;
set cache-attrs = all-attributes;
set cache-load-all = true;
set lookup-cache = true;
Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the user store. In addition, set the cache-index fields to those fields used by CA SiteMinder® to perform a user search in the user store. For example, if users are authenticated and authorized based on their common name (cn=*), make sure that the commonName is set in the cache-index.
dxserver stop eTrustDsa
dxserver start eTrustDsa
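The two DSA settings blocks above (the SiteMinder bind settings and the DXcache settings) are easy to get subtly wrong, for example by leaving hold-ldap-connections off or by indexing attributes other than the one CA SiteMinder® searches on. The following script is an added example, not a CA tool: it parses the "set name = value;" lines of a DSA configuration fragment and reports the settings this page requires. The sample configuration text and the assumption that commonName is the search attribute are constructed for the example.

```python
import re

# Constructed sample of a DSA configuration fragment in the layout this
# page shows; the real file name and surrounding content vary per deployment.
SAMPLE_DSA_CONFIG = """
#SiteMinder
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <o acme><cn smadmin>;
set hold-ldap-connections = true;

# cache configuration
set max-cache-size = 100;
set cache-index = commonName, surname, objectClass;
set cache-attrs = all-attributes;
set cache-load-all = true;
set lookup-cache = true;
"""

# Matches one "set <name> = <value>;" statement; the value may contain
# spaces and angle brackets (x500 DNs such as <o acme><cn smadmin>).
SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*(.*?)\s*;\s*$")


def parse_settings(text):
    """Return {name: value} for every set statement, skipping # comment lines."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_siteminder_settings(settings, search_attr="commonName"):
    """Return a list of problems; an empty list means the DSA matches this page."""
    problems = []
    if settings.get("mimic-netscape-for-siteminder") != "true":
        problems.append("mimic-netscape-for-siteminder must be true")
    if not settings.get("concurrent-bind-user"):
        problems.append("concurrent-bind-user must name the bind DN in x500 format")
    if settings.get("hold-ldap-connections") != "true":
        problems.append("hold-ldap-connections must be true or the DSA runs out of connections")
    # DXcache only helps if the attribute SiteMinder searches on is indexed.
    index = [a.strip() for a in settings.get("cache-index", "").split(",") if a.strip()]
    if "lookup-cache" in settings and search_attr not in index:
        problems.append("cache-index does not include %s, the user search attribute" % search_attr)
    return problems
```

Run the checker against the DSA configuration before restarting the DSA, and again after a restart to confirm the running file is the one you edited.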
After configuring the CA DXcache feature for the user store, you can verify that the cache is enabled using the DXmanager user interface.
To verify the cache
For example:
http://<CA_host>:8080/dxmanager/ManagerServlet?hostgroup=All
Copyright © 2013 CA.
All rights reserved.