Installation and Upgrade Guides › Policy Server Installation Guide › Installing the Policy Server on Windows Systems

Installing the Policy Server on Windows Systems

Installation Road Map

The following diagram illustrates a sample CA SiteMinder® installation and lists the order in which you install and configure each component. Consider the following items:

• Confirm that the Policy Server host system meets the minimum system requirements. We recommend doing so before installing the Policy Server.
• A dotted line surrounds the Policy Server. Install this component now.

  

More information:

Policy Server System Requirements

Policy Server

Before You Install the Policy Server

Consider the following items before installing the Policy Server:

• Administrator privileges—A Windows account with local administrator privileges is required to install the Policy Server.
• System path length—If the system path length exceeds 1024 characters, the Policy Server installation fails. The limitation applies to both included or excluded CA SiteMinder® added directories.

  Note: We recommend trimming the pre–CA SiteMinder® system path to approximately 700 characters for best results.

• (Windows 2008) Firewall settings–If you are installing a Policy Server on Windows 2008, update the Windows firewall settings to allow inbound connections on the following ports:
  • 44441
  • 44442
  • 44443

  These ports are the default Policy Server accounting, authentication, and authorization ports. If you change these ports after installing the Policy Server, be sure to allow inbound connections to the respective ports.

  Note: For more information, see the Microsoft documentation.

• Environment variables—The Policy Server installation modifies environment variables.

More information:

Modified Environment Variables

How to Install the Policy Server

To install the Policy Server complete the following procedures:

1. Review the Policy Server component considerations.
2. Review the policy store considerations.
3. Review the FIPS considerations.
4. Gather information for the Policy Server installer.
5. Run the Policy Server installer.
6. (Optional) If you configured SNMP, enable SNMP event trapping.
7. (Optional) If you do not use the Policy Server installer to configure a policy store, manually configure the policy store.

More information:

Reinstall the Policy Server

Policy Server Component Considerations

In addition to the Policy Server, the installer can install and configure the following components. Review the following items before installing the Policy Server:

• OneView Monitor

  The OneView Monitor enables the monitoring of CA SiteMinder® components.

  Note: A supported Java SDK and ServletExec/AS is required to configure the OneView Monitor.

• Policy store

  Note: The key store and the certificate data store are automatically configured and collocated with the policy store.

• SNMP

  Be sure that you have an SNMP Service (Master OS Agent) installed with your Windows operating system before installing the Policy Server.

  Note: For more information about installing the SNMP Service, see the Windows online help system.

• Audit Logs

  You can store audit logs in either a relational database or a text file. After you install the Policy Server, audit logging is set to a text file and not to ODBC by default.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

Certificate Data Store

Policy Store

Policy Store Considerations

Consider the following items before running the Policy Server installer or the Policy Server Configuration wizard:

• The Policy Server installer and the Policy Server Configuration wizard can automatically configure one of the following stores as a policy store:
  • Microsoft Active Directory Lightweight Directory Services (AD LDS)

    Note: Be sure that you have met the prerequisites for configuring AD LDS as a policy store.

  • Oracle^® Directory Enterprise Edition (formerly Sun Java^™ System Directory Server)

    Important! The Policy Server installer and the Policy Server Configuration wizard cannot automatically configure a policy store that is being connected to using an SSL connection.

  • Microsoft SQL Server^®
  • Oracle RDBMS
• (RDB policy store) The Policy Server installer or the Policy Server Configuration Wizard use specific database information to create the policy store data source. The Policy Server uses this data source to communicate with the policy store. Consider the following items:
  • The name of data source is CA CA SiteMinder® DSN.
  • The installer saves the data source to the Microsoft ODBC Data Source Administrator tool, under the System DSN tab.
• (RDB policy store) Verify that the database server that is to host the policy store is configured to store objects in UTF–8 form. This configuration avoids possible policy store corruption.
  • (Oracle) Be sure that the database is configured to store objects in UTF–8 form. Oracle supports unicode within many of their character sets. For more information about configuring your database to store objects in UTF–8 form, see your vendor–specific documentation.
  • (SQL Server) Be sure that the database is configured using the default collation (SQL_Latin1_General_CP1_CI_AS). Using a collation that is case–sensitive can result in unexpected behaviors. For more information about configuring your database to store objects using the default collation, see your vendor–specific documentation.
• The certificate data store is automatically collocated with the policy store.
• You manually configure any other supported directory server or relational database as a policy store after installing the Policy Server. Configuring a policy store manually is detailed in this document.

More information:

Configuring CA SiteMinder® Data Stores in a Relational Database

FIPS Considerations

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS-compliant algorithms to encrypt sensitive data.

You can install the Policy Server in one of the following FIPS modes of operation.

Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

• FIPS-compatibility mode—The default FIPS mode of operation during the installation is FIPS-compatibility mode. In FIPS-compatibility mode, the environment uses existing CA SiteMinder® algorithms to encrypt sensitive data and is compatible with previous versions CA SiteMinder®:
  • The use of FIPS-compliant algorithms in your environment is optional.
  • If your organization does not require the use of FIPS-compliant algorithms, install the Policy Server in FIPS-compatibility mode. No further configuration is required.
• FIPS-migration mode—FIPS-migration mode lets you transition an 12.52 environment running in FIPS-compatibility mode to FIPS-only mode.

  In FIPS-migration mode, the 12.52 Policy Server continues to use existing CA SiteMinder® encryption algorithms as you migrate the 12.52 environment to use only FIPS-compliant algorithms.

  Install the Policy Server in FIPS-migration mode if you are in the process of configuring the existing environment to use only FIPS-compliant algorithms.

• FIPS-only mode—In FIPS-only mode, the environment only uses FIPS-compliant algorithms to encrypt sensitive data.

  Install the Policy Server in FIPS-only mode if the existing environment is upgraded to 12.52 and the existing environment is configured to use only FIPS-compliant algorithms.

  Important! A 12.52 environment that is running in FIPS-only mode cannot operate with versions of CA SiteMinder® that do not also fully support FIPS (that is, versions before r12.0). This restriction applies to all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Relink all such software with the 12.52 versions of the respective SDKs to achieve the required FIPS support.

Note: For more information about migrating an environment to use only FIPS-compliant algorithms, see the Upgrade Guide.

More information:

Locate the Platform Support Matrix

Gather Information for the Installer

The Policy Server installer requires specific information to install the Policy Server and any optional components.

Note: Installation worksheets are provided to help you gather and record information prior to installing or configuring Policy Server components using the Policy Server Installation Wizard or the Policy Server Configuration Wizard. You may want to print these worksheets and use them to record required information prior to running either wizard.

Required Information

Gather the following required information before running the Policy Server installer or the Configuration wizard. You can use the Required Information Worksheet to record your values.

• Java version ‑ Identify the supported Java Runtime Environment version for the Policy Server to use. On UNIX, verify that the JAVA_HOME system variable is set to the location of the JRE. If the JAVA_HOME system variable is incorrectly set, the installer cannot locate the JRE.
• Policy Server installation location ‑ Determine where the installer is to install the Policy Server.

  Default: C:\Program Files\CA

• CA SiteMinder® Encryption key value ‑ Determine the encryption key value. An encryption key is a case–sensitive, alphanumeric key that secures the data that is sent between the Policy Server and the policy store. All Policy Servers that share a policy store are required to use the same encryption key. For stronger protection, define a long encryption key.

  Limits: 6 to 24 characters.

• Advanced Authentication Server Encryption key value ‑ Determine the encryption key value. Use a case–sensitive, alphanumeric value. This key secures the data that is sent between the Policy Server and the advanced authentication server (running on the CA SiteMinder® SPS). The CA SiteMinder® SPS and all Policy Servers require the same key. For stronger protection, define a long encryption key.
  Limits: 6 to 24 characters.

Active Directory LDS Server Information

Gather the following required information to configure Microsoft Active Directory LDS as a policy store:

• System IP address—Identify the IP address of the directory server host system.
• Port number—Identify the port number on which the directory server is listening.
• Root DN of the application partition—Identify the root DN location of the application partition in the directory server where the policy store schema data must be installed.

  Example: dc=ca,dc=com

• Administrator domain name—Identify the full domain name, including the guid value, of the directory administrator.

  Example: CN=user1,CN=people,CN=Configuration,CN=guid

• Administrator password—Identify the password of the directory administrator.
• Alternate user account—By default, CA SiteMinder® uses the administrator account to communicate with the directory server. However, you can use a different user account to administer the policy store. Identify the complete administrator DN and password to configure CA SiteMinder® to use an alternative user account to administer the policy store.

  Note: This user must have the necessary permissions to modify attributes and change passwords.

• CA SiteMinder® superuser password—The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

  siteminder
  

  Limits:

  • The password must contain at least six (6) characters and cannot exceed 24 characters.
  • The password cannot include an ampersand (&) or an asterisk (*).
  • If the password contains a space, enclose the passphrase with quotation marks.

  Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first–time and then create an administrator with superuser permissions.

Oracle Directory Server Information

Gather the following required information to configure Oracle Directory Server to function as a policy store:

• System IP address—Determine the IP address of the Oracle Directory Server host system.
• Directory instance port number—Determine the port number for the Oracle Directory Server instance.

  Default: 389

• Root DN—Identify the root DN of the Oracle Directory Server.

  Example: o=yourorg.com

• Administrator account—Identify the user name (Bind DN) for the LDAP administrator account.

  Example: cn=Directory Manager

• Administrator password—Identify the password for the Oracle Directory Server administrator.
• Alternate LDAP administrator—By default, CA SiteMinder® uses the LDAP administrator account to communicate with the LDAP server. However, you can use a different LDAP user account to administer the policy store. Identify the complete administrator DN and password to configure CA SiteMinder® in this way.

  Note: This user must have the necessary permissions to modify attributes and change passwords.

• CA SiteMinder® superuser password—The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

  siteminder
  

  Limits:

  • The password must contain at least six (6) characters and cannot exceed 24 characters.
  • The password cannot include an ampersand (&) or an asterisk (*).
  • If the password contains a space, enclose the passphrase with quotation marks.

  Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first–time and then create an administrator with superuser permissions.

Microsoft SQL Server Information

To configure Microsoft SQL Server as a policy store, gather the following required information:

Database server name

Identify the IP address or name of the database host system.

Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.

Database name

Identify the named instance or the name of the database that is to function as the policy store.

Database port

Identify the port on which the database is listening.

Database administrator user name and password

Identify the name and password of an administrator account with permission to do the following operations:

• Create schema
• Create, read, modify, and delete objects.

Note: If the CA SiteMinder® schema is already present in the database, the wizard does not require the credentials of a database administrator with create permission. For more information, see Configure a SQL Server Policy Store.

CA SiteMinder® superuser password

The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

siteminder

Limits:

• The password must contain at least six (6) characters and cannot exceed 24 characters.
• The password cannot include an ampersand (&) or an asterisk (*).
• If the password contains a space, enclose the passphrase with quotation marks.

Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first–time and then create an administrator with superuser permissions.

Oracle RDBMS Information

Gather the following required information to configure Oracle RDBMS as a policy store.

Database server name

Identify the IP address or the name of the database host system.

Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.

Database service name

Identify the service name of the database that is to function as the policy store.

Database port

Identify the port on which the database is listening.

Database administrator user name

Identify the name of an administrator account with permission to do the following operations:

• Create schema
• Create, read, modify, and delete objects.

Database administrator password

Identify the password of the administrator account.

CA SiteMinder® superuser password

The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

siteminder

Limits:

• The password must contain at least six (6) characters and cannot exceed 24 characters.
• The password cannot include an ampersand (&) or an asterisk (*).
• If the password contains a space, enclose the passphrase with quotation marks.

Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first–time and then create an administrator with superuser permissions.

OneView Monitor Information

You only have to gather OneView Monitor information if you plan on configuring the OneView Monitor.

Gather the following required information to configure the OneView Monitor. You can use the OneView Monitor Information Worksheet to record your values.

• JDK path—Identify the path to the required JDK version.
• ServletExec installation directory—Identify ServletExec installation directory.

  Example: /usr/local/NewAtlanta/ServletExecAS

• ServletExec port number—Determine the port number for the ServletExec instance.
• Sun Java System administrator directory—Determine the following information:
  • The installed location of the Sun Java System.
  • The installed location of the Sun Java System Web servers.

  Example: /sunjavasystem_home/location

  sunjavasystem home

  Specifies the installed location of the Sun Java System.

  location

  Specifies the installed location of the Sun Java System Web servers.

• Multiple ServletExec instances—If you have multiple ServletExec instances, determine the instance to which you want to configure the OneView Monitor GUI.

Run the Policy Server Installer

You install the Policy Server using the installation media on the Technical Support site.

Note: For a list of installation media names, see the Policy Server Release Notes.

Follow these steps:

1. Be sure that the system meets the windows requirements.
2. Exit all applications that are running.
3. Do the step appropriate for your version of Windows:
   • Windows 2008 and Windows 7: Right-click installation_media and select Run as administrator.
   • Other Windows versions: Double–click installation_media.

     installation_media

     Specifies the name of the Policy Server installation executable.

   The installer starts.

4. Use the gathered system and component information to install the Policy Server and configure Policy Server components. Considering the following items when running the installer:
   • You are prompted to select a FIPS mode of operation. For more information about which FIPS mode to select, see FIPS Considerations.
   • When the installer prompts you to select components, clear the Policy Store check box if you are not configuring a policy store automatically. For more information about which stores can be automatically configured as a policy store, see Policy Store Considerations.
   • If you are initializing a policy store, you are prompted to enter a password for the default CA SiteMinder® user account. The default account name is

     siteminder
     

   • You are prompted to install the default certificate authority certificates to the certificate data store. You can add additional certificates and private keys to the certificate data store after installation.
   • If you are using IPv6 addresses, surround entries with brackets.

     Example: [2001:db8::1428:57ab]

   • Create an encryption key for the Advanced Authentication server. Use the same key on all Policy Servers in your environment.
5. Review the installation settings and click Install.

   The Policy Server and all selected components are installed and configured.

6. (Optional) If you did not use the installer to configure a policy store, manually configure the policy store.

Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home\siteminder\install_config_info.

siteminder_home

Specifies the Policy Server installation path.

More information:

Locate the Installation Media

Installation Media Names

Troubleshoot the Policy Server Installation

Use the following files to troubleshoot the Policy Server installation:

• CA_SiteMinder_Policy_Server_release_InstallLog.log

  The installation log contains a summary section that lists the number of successes, warnings, non–fatal errors, and errors that occurred during the installation. Individual installation actions are listed with the respective status.

  release

  Specifies the Policy Server release.

  Location: siteminder_home\siteminder\install_config_info

• ca-ps-details.log

  The policy store log details the policy store status.

  Location: siteminder_home\siteminder\install_config_info

• smps.log

  The smps.log is created when you start the Policy Server. This log contains the following line if the Policy Server installed successfully:

  [Info] Journaling thread started, will delete commands older than 60 minutes.
  

  Location: siteminder_home\siteminder\log

  siteminder_home

  Specifies the Policy Server installation path.

Enable SNMP Event Trapping

This is an optional step. You only have to enable SNMP trapping if you configured this feature when installing the Policy Server.

Note: Before completing this procedure, ensure you have an SNMP Service installed on the Windows systems.

To enable SNMP event trapping, use the XPSConfig utility to set the event handler library (eventsnmp.dll) to the XPSAudit list. The default location of eventsnmp.dll is policy_server_home\bin.

policy_server_home

Specifies the Policy Server installation location.

Note: More information on using the XPSConfig utility to set event handler libraries exists in the Policy Server Administration Guide.

To finish configuring SNMP event trapping, configure the snmptrap.conf file. The necessary SNMP prerequisites and procedures are detailed in SNMP Support.

More information:

SNMP Support Overview

Configure a Policy Store

If you did not use the Policy Server installer to configure a policy store automatically, manually configure a supported LDAP directory server or relational database as a policy store.

Unattended Policy Server Installation

After the Policy Server is manually installed on one machine, you can reinstall it or install it on a separate machine using an unattended installation mode. An unattended installation lets you install or uninstall the Policy Server without any user interaction.

The installer provides a ca-ps-installer.properties template file that lets you define installation variables. The default parameters, passwords, and paths in this file reflect the information you entered during the initial Policy Server installation. In this file, you can either store encrypted or plain text passwords. If you are using encrypted passwords, for example, a shared secret and CA SiteMinder® Super User, you must use the same ones that you entered during the initial installation since they are encrypted in the file and cannot be modified. However, you can use plain text passwords by modifying the file.

More information:

How to Run an Unattended Policy Server Install