The following diagram illustrates a sample CA SiteMinder® installation and lists the order in which you install and configure each component. Consider the following items:
A CA SiteMinder® Policy Server is supported in the following zones:
Consider the following scenarios when planning to run one or more Policy Servers in a Solaris 10 environment.
A global zone configuration limits the implementation to a single Policy Server instance across all zones. Specifically:
Example: Global zone support
Note: Web Agents, however, may run concurrently in any zone.
A sparse-root zone configuration supports multiple Policy Server instances running on multiple sparse-root zones. Specifically:
Example: Sparse-root zone support
Note: Web Agents, however, may run concurrently in any zone.
A whole-root zone configuration supports multiple Policy Server instances running on multiple whole-root zones. Specifically:
Example: Whole-root zone support
Note: Web Agents, however, may run concurrently in any zone.
Before you install the Policy Server on a UNIX system, complete the following steps, if applicable:
mv /dev/random /dev/random.org
ln -s /dev/urandom /dev/random
Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:
java.lang.UnsatisfiedLinkError
If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:
compat-gcc-34-c++-3.4.6-patch_version.I386
libstdc++-4.x.x-x.el5.i686.rpm
libstdc++-4.x.x-x.el6.i686.rpm
Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.
libXau-1.0.5-1.el6.i686.rpm
libxcb-1.5-1.el6.i686.rpm
compat-db42-4.2.52-15.el6.i686.rpm
compat-db43-4.3.29-15.el6.i686.rpm
libX11-1.3-2.el6.i686.rpm
libXrender-0.9.5-1.el6.i686.rpm
libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)
libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)
libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)
libICE-1.0.6-1.el6.i686.rpm
libuuid-2.17.2-12.7.el6.i686.rpm
libSM-1.1.0-7.1.el6.i686.rpm
libXext-1.1-3.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
compat-db-4.6.21-15.el6.i686.rpm
libXi-1.3-3.el6.i686.rpm
libXtst-1.0.99.2-3.el6.i686.rpm
libXft-2.1.13-4.1.el6.i686.rpm
libXt-1.0.7-1.el6.i686.rpm
libXp-1.0.0-15.1.el6.i686.rpm
The ksh Korn shell is required during Policy Server installation and upgrade on Linux platforms. Verify that the appropriate version for your Linux environment is installed.
Red Hat 5.x 32-bit
ksh-20100621-12.el5.i386.rpm
ksh-20100621-12.el5.x86_64.rpm
ksh-20100621-16.el6.i686.rpm
ksh-20100621-16.el6.x86_64.rpm
Create a UNIX account with the default shell as ksh. Name the account as follows:
smuser
Important! Do not use the installer to configure the OneView Monitor UI on the following web servers:
The installer modifies the configuration files of the web server. The new UNIX account does not have the required root privileges.
After you install the Policy Server, use the Policy Server Configuration Wizard as root to configure the OneView Monitor UI.
When the Policy Server is placed under load, it opens a large number of sockets and files. If the default limit parameters are not adequate for the load, the Policy Server can exhaust them. Modify the default limit parameters to avoid the associated problems.
To view the default limit parameters, type the following command in a shell window:
ulimit -a
The system displays a message similar to the following example:
$ ulimit -a
time(seconds)         unlimited
file(blocks)          unlimited
data(kbytes)          2097148
stack(kbytes)         8192
coredump(blocks)      unlimited
nofiles(descriptors)  256
vmemory(kbytes)       unlimited
In the example, the nofiles parameter is set to 256. The parameter is the total number of files (sockets + file descriptors) that this shell and its descendants have been allocated. If this parameter is not set high enough, the Policy Server returns numerous socket errors. The most common socket error is 10024, or too many open files.
Increase the nofiles parameter value for proper Policy Server operation under load. You can change this value by running the following command:
ulimit -n
For example, to set the value to 1024, place the following command in the profile file of the smuser account:
ulimit -n 1024
The Policy Server is bound by the nofiles parameter in the smuser account ulimit for the number of connections to it.
The LC_* variables are sometimes set by default in the profile file of the smuser account. Use of the LC_* environment variables is not permitted. Unset them before installing the Policy Server.
To unset the LC_* environment variables, open the profile file of the smuser account and unset them.
The LANG environment variable is not permitted. Unset it before installing the Policy Server.
To unset the variable, add the unset LANG command to the profile file of the smuser account.
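The ulimit and locale requirements above (nofiles raised in the smuser profile, LANG and LC_* unset) can be verified before installation with a script like the following. This is an added example, not part of the CA documentation; it assumes the profile path /home/smuser/.profile and the 1024 value used in the example above.

```shell
#!/bin/sh
# Added example, not from the CA SiteMinder documentation: checks the smuser
# shell environment against the two requirements above (nofiles high enough,
# no LANG or LC_* variables set) and prints the profile lines that satisfy them.
# Assumed: the profile is /home/smuser/.profile; 1024 is the example value above.

# nofiles_ok LIMIT [MIN]: succeeds if LIMIT (as printed by `ulimit -n`)
# is "unlimited" or a number >= MIN (default 1024).
nofiles_ok() {
    limit="$1"; min="${2:-1024}"
    [ "$limit" = "unlimited" ] && return 0
    [ "$limit" -ge "$min" ] 2>/dev/null
}

# forbidden_locale_vars ENV_DUMP: given `env`-style NAME=value lines, prints
# the names of LANG and LC_* variables that are set, one per line.
forbidden_locale_vars() {
    printf '%s\n' "$1" | awk -F= '$1 == "LANG" || $1 ~ /^LC_/ { print $1 }'
}

# profile_fragment [MIN]: the lines to append to smuser's profile.
profile_fragment() {
    min="${1:-1024}"
    printf 'ulimit -n %s\n' "$min"
    printf 'unset LANG LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME\n'
}

# check_env LIMIT ENV_DUMP: returns 0 when both requirements are met,
# otherwise reports what is wrong on stderr and returns 1.
check_env() {
    status=0
    if ! nofiles_ok "$1"; then
        echo "nofiles is $1; raise it to at least 1024 (socket error 10024 otherwise)" >&2
        status=1
    fi
    bad=$(forbidden_locale_vars "$2")
    if [ -n "$bad" ]; then
        echo "unset before installing: $(printf '%s' "$bad" | tr '\n' ' ')" >&2
        status=1
    fi
    return "$status"
}

# Check the shell this script runs in; on failure, show the profile lines to add.
check_env "$(ulimit -n)" "$(env)" || {
    echo "add these lines to /home/smuser/.profile:" >&2
    profile_fragment 1024 >&2
}
```

Run it as smuser (for example `su - smuser -c ./check_smuser_env.sh`) so that the profile being verified is the one the installer will inherit.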
Consider the following items before installing the Policy Server:
Note: For best results, we recommend that you install CA SiteMinder® to a location such that the installation path does not exceed 700 characters.
To install the Policy Server, complete the following steps:
In addition to the Policy Server, the installer can install and configure the following components. Review the following items before installing the Policy Server:
The OneView Monitor enables the monitoring of CA SiteMinder® components.
Note: To use the OneView Monitor, you must have the supported Java SDK and ServletExec/AS installed on the system.
You must have the following items to enable SNMP support:
Note: The key store and certificate data store are automatically configured and collocated with the policy.
You can store audit logs in either a relational database or a text file. After you install the Policy Server, audit logging is set to a text file and not to ODBC by default.
Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.
Consider the following items before running the Policy Server installer or the Policy Server Configuration wizard:
Note: Be sure that you have met the prerequisites for configuring AD LDS as a policy store.
Important! The Policy Server installer and the Policy Server Configuration wizard cannot automatically configure a policy store that is being connected to using an SSL connection.
Specifies the Policy Server installation path.
The Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS-compliant algorithms to encrypt sensitive data.
You can install the Policy Server in one of the following FIPS modes of operation.
Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.
In FIPS-migration mode, the 12.52 Policy Server continues to use existing CA SiteMinder® encryption algorithms as you migrate the 12.52 environment to use only FIPS-compliant algorithms.
Install the Policy Server in FIPS-migration mode if you are in the process of configuring the existing environment to use only FIPS-compliant algorithms.
Install the Policy Server in FIPS-only mode if the existing environment is upgraded to 12.52 and the existing environment is configured to use only FIPS-compliant algorithms.
Important! A 12.52 environment that is running in FIPS-only mode cannot operate with versions of CA SiteMinder® that do not also fully support FIPS (that is, versions before r12.0). This restriction applies to all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Relink all such software with the 12.52 versions of the respective SDKs to achieve the required FIPS support.
Note: For more information about migrating an environment to use only FIPS-compliant algorithms, see the Upgrade Guide.
The Policy Server installer requires specific information to install the Policy Server and any optional components.
Note: Installation worksheets are provided to help you gather and record information prior to installing or configuring Policy Server components using the Policy Server Installation Wizard or the Policy Server Configuration Wizard. You may want to print these worksheets and use them to record required information prior to running either wizard.
Gather the following required information before running the Policy Server installer or the Configuration wizard.
Limits: 6 to 24 characters.
Gather the following required information to configure Microsoft Active Directory LDS as a policy store:
Example: dc=ca,dc=com
Example: CN=user1,CN=people,CN=Configuration,CN=guid
Note: This user must have the necessary permissions to modify attributes and change passwords.
siteminder
Limits:
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
Gather the following required information to configure Oracle Directory Server to function as a policy store:
Default: 389
Example: o=yourorg.com
Example: cn=Directory Manager
Note: This user must have the necessary permissions to modify attributes and change passwords.
siteminder
Limits:
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
To configure Microsoft SQL Server as a policy store, gather the following required information:
Identify the IP address or name of the database host system.
Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.
Identify the named instance or the name of the database that is to function as the policy store.
Identify the port on which the database is listening.
Identify the name and password of an administrator account with permission to do the following operations:
Note: If the CA SiteMinder® schema is already present in the database, the wizard does not require the credentials of a database administrator with create permission. For more information, see Configure a SQL Server Policy Store.
The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
Gather the following required information to configure Oracle RDBMS as a policy store.
Identify the IP address or the name of the database host system.
Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.
Identify the service name of the database that is to function as the policy store.
Identify the port on which the database is listening.
Identify the name of an administrator account with permission to do the following operations:
Identify the password of the administrator account.
The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
You only have to gather OneView Monitor information if you plan on configuring the OneView Monitor.
Gather the following required information to configure the OneView Monitor. You can use the OneView Monitor Information Worksheet to record your values.
Example: /usr/local/NewAtlanta/ServletExecAS
Example: /sunjavasystem_home/location
Specifies the installed location of the Sun Java System.
Specifies the installed location of the Sun Java System Web servers.
Install the Policy Server using the installation media on the Technical Support site. Consider the following items:
chmod +x installation_media
Specifies the Policy Server installer executable.
Follow these steps:
./ca-ps-12.5-cr-unix_version
Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.
Specifies the UNIX version: sol or linux.
The installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Consider the following items when running the installer:
siteminder
Example:
[2001:db8::1428:57ab]
The Policy Server and all selected components are installed and configured.
Note: The installation can take several minutes.
The installer closes.
Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.
Specifies the Policy Server installation path.
Install the Policy Server using the installation media on the Technical Support site. Consider the following items:
chmod +x installation_media
Specifies the Policy Server installer executable.
Follow these steps:
./ca-ps-12.5-cr-unix_version -i console
Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.
Specifies the UNIX version: sol or linux.
The installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Consider the following items when entering information:
siteminder
Example:
[2001:db8::1428:57ab]
The Policy Server and all selected components are installed and configured.
Note: The installation can take several minutes.
The installer closes.
Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.
Specifies the Policy Server installation path.
If Security-Enhanced Linux is enabled on the Policy Server host system, add CA SiteMinder®-specific exceptions to the environment. Adding the exceptions prevents Security-Enhanced Linux text relocation denials.
Follow these steps:
chcon -t textrel_shlib_t /siteminder_home/lib/*
Specifies the Policy Server installation path.
chcon -t textrel_shlib_t /JDK_home/lib/i386/*
Specifies the required JDK installation path.
chcon -t textrel_shlib_t /JDK_home/lib/i386/server/*
Specifies the required JDK installation path.
CA SiteMinder®-specific exceptions have been added.
Use the following files to troubleshoot the Policy Server installation:
The installation log contains a summary section that lists the number of successes, warnings, non-fatal errors, and errors that occurred during the installation. Individual installation actions are listed with the respective status.
Specifies the Policy Server release.
Location: siteminder_home\siteminder\install_config_info
The policy store log details the policy store status.
Location: siteminder_home\siteminder\install_config_info
The smps.log is created when you start the Policy Server. This log contains the following line if the Policy Server installed successfully:
[Info] Journaling thread started, will delete commands older than 60 minutes.
Location: siteminder_home\siteminder\log
Specifies the Policy Server installation path.
You only have to restart the SNMP daemon if you configured SNMP during the Policy Server installation.
To restart the SNMP daemon
The SNMP daemon stops.
The SNMP daemon starts.
If you did not use the Policy Server installer to configure a policy store automatically, manually configure a supported LDAP directory server or relational database as a policy store.
You configure auto startup to ensure that the Policy Server restarts automatically when the UNIX system is rebooted.
Follow these steps:
Example: /export/ca/siteminder
Note: Do not use the suse command.
You are prompted for a password.
s98sm automatically calls the stop-all and start-all executables, which stop and start the Policy Server service when the UNIX system is rebooted.
Note: If you are using a local LDAP directory server as a policy store, you must configure the LDAP directory to start automatically before starting the Policy Server automatically.
After the Policy Server is manually installed on one machine, you can reinstall it or install it on a separate machine using an unattended installation mode. An unattended installation lets you install or uninstall the Policy Server without any user interaction.
The installer provides a ca-ps-installer.properties template file that lets you define installation variables. The default parameters, passwords, and paths in this file reflect the information you entered during the initial Policy Server installation. In this file, you can either store encrypted or plain text passwords. If you are using encrypted passwords, for example, a shared secret and CA SiteMinder® Super User, you must use the same ones that you entered during the initial installation since they are encrypted in the file and cannot be modified. However, you can use plain text passwords by modifying the file.
Copyright © 2013 CA.
All rights reserved.