

Installing the Policy Server on UNIX Systems

Installation Road Map

The following diagram illustrates a sample CA SiteMinder® installation and lists the order in which you install and configure each component. Consider the following items:

More information:

Policy Server System Requirements

Policy Server

Solaris 10 Zone Support

A CA SiteMinder® Policy Server is supported in the following zones:

Consider the following scenarios when planning to run one or more Policy Servers in a Solaris 10 environment.

Global Zone Support

A global zone configuration limits the implementation to a single Policy Server instance across all zones. Specifically:

Example: Global zone support

Graphic showing example of Global zone support

Note: Web Agents, however, may run concurrently in any zone.

Sparse-root Zone Support

A sparse-root zone configuration supports multiple Policy Server instances running on multiple sparse-root zones. Specifically:

Example: Sparse-root zone support

Graphic showing an example of sparse-root and whole-root support

Note: Web Agents, however, may run concurrently in any zone.

Whole-root Zone Support

A whole-root zone configuration supports multiple Policy Server instances running on multiple whole-root zones. Specifically:

Example: Whole-root zone support

Graphic showing an example of sparse-root and whole-root support

Note: Web Agents, however, may run concurrently in any zone.

How to Prepare for the Policy Server Installation

Before you install the Policy Server on a UNIX system, complete the following steps, if applicable:

  1. Determine if the Policy Server host system meets the minimum operating system patch requirements. For more information, see the Policy Server Release Notes.
  2. (Red Hat Linux) The Red Hat operating system relies on entropy for performance. Increase entropy before installing the component. Without sufficient entropy, the installation can take an exceedingly long time to complete. We recommend that you use the following command to set a symbolic link:
    mv /dev/random /dev/random.org
    
    ln -s /dev/urandom /dev/random
    
  3. (Linux) Be sure that the required Linux libraries are installed to the Policy Server host system.
  4. Create a New UNIX Account.
  5. Modify the UNIX System Parameters.
  6. Unset the Localization Variables.
  7. Unset the LANG Environment Variable.

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError 

If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:

Red Hat 5.x:

compat-gcc-34-c++-3.4.6-patch_version.I386

libstdc++-4.x.x-x.el5.i686.rpm

Red Hat 6.x:

libstdc++-4.x.x-x.el6.i686.rpm

Additionally, for Red Hat 6.x (64-bit):

Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.

libXau-1.0.5-1.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

compat-db42-4.2.52-15.el6.i686.rpm

compat-db43-4.3.29-15.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libXrender-0.9.5-1.el6.i686.rpm

libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)

libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)

libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)

libICE-1.0.6-1.el6.i686.rpm

libuuid-2.17.2-12.7.el6.i686.rpm

libSM-1.1.0-7.1.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

compat-libstdc++-33-3.2.3-69.el6.i686.rpm

compat-db-4.6.21-15.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXft-2.1.13-4.1.el6.i686.rpm

libXt-1.0.7-1.el6.i686.rpm

libXp-1.0.0-15.1.el6.i686.rpm

Korn Shell (ksh) Package Required on Linux

The ksh Korn shell is required during Policy Server installation and upgrade on Linux platforms. Verify that the appropriate version for your Linux environment is installed.

Red Hat 5.x 32-bit

ksh-20100621-12.el5.i386.rpm

Red Hat 5.x 64-bit

ksh-20100621-12.el5.x86_64.rpm

Red Hat 6.x 32-bit

ksh-20100621-16.el6.i686.rpm

Red Hat 6.x 64-bit

ksh-20100621-16.el6.x86_64.rpm

Create a New UNIX Account

Create a UNIX account with the default shell as ksh. Name the account as follows:

smuser

Important! Do not use the installer to configure the OneView Monitor UI on the following web servers:

The installer modifies the configuration files of the web server. The new UNIX account does not have the required root privileges.

After you install the Policy Server, use the Policy Server Configuration Wizard as root to configure the OneView Monitor UI.

Modify the UNIX System Parameters

When the Policy Server is placed under load, it opens a large number of sockets and files. If the default limit parameters are not adequate for the load, a large number of sockets and files can become a problem. Modify the default limit parameters to avoid associated problems.

To view the default limit parameters, type the following command in a shell window:

ulimit -a

The system displays a message similar to the following example:

$ ulimit -a
time(seconds)         unlimited
file(blocks)          unlimited
data(kbytes)          2097148
stack(kbytes)         8192
coredump(blocks)      unlimited
nofiles(descriptors)  256
vmemory(kbytes)       unlimited

In the example, the nofiles parameter is set to 256. This parameter is the total number of files (sockets + file descriptors) allocated to this shell and its descendants. If this parameter is not set high enough, the Policy Server returns numerous socket errors. The most common socket error is 10024, or too many open files.

Increase the nofiles parameter value for proper Policy Server operation under load. You can change this value by running the following command:

ulimit -n

For example, to set the value to 1024, place the following command in the profile file of the smuser account:

ulimit -n 1024

The Policy Server is bound by the nofiles parameter in the smuser account ulimit for the number of connections to it.

Unset Localization Variables

The LC_* variables are sometimes set by default in the profile file of the smuser account. Use of the LC_* environment variables is not permitted. Unset them before installing the Policy Server.

To unset the LC_* environment variables, open the profile file of the smuser account and unset them.

Unset the LANG Environment Variable

The LANG environment variable is not permitted. Unset it before installing the Policy Server.

To unset the variable, add the unset LANG command to the profile file of the smuser account.
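
The preparation steps above can be verified from a shell before the installer is started. The following script is an added example, not part of the CA documentation; the function names are made up for illustration, and the 1024 threshold is this page's example value rather than a vendor minimum.

```shell
#!/bin/sh
# Added example: pre-install checks, run as the smuser account.
# MIN_NOFILES is the page's example value (1024), not a vendor minimum.
MIN_NOFILES=1024

# nofiles_ok LIMIT MIN: succeeds when LIMIT is "unlimited" or >= MIN.
nofiles_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: treat as failed
    esac
    [ "$1" -ge "$2" ]
}

# locale_vars_set: reads `env` output on stdin and prints the names of
# LANG and any LC_* variables that are set (one per line).
locale_vars_set() {
    sed -n -e 's/^\(LANG\)=.*/\1/p' -e 's/^\(LC_[A-Za-z_]*\)=.*/\1/p'
}

# shell_is_ksh PASSWD_LINE: succeeds when the login shell (7th field) is ksh.
shell_is_ksh() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        */ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# random_is_urandom [PATH]: succeeds when PATH (default /dev/random) is a
# symbolic link to /dev/urandom, i.e. the Red Hat step has been applied.
random_is_urandom() {
    p=${1:-/dev/random}
    [ -L "$p" ] && [ "$(readlink "$p")" = "/dev/urandom" ]
}

# run_preflight: performs the checks for the current user; returns 1 on failure.
run_preflight() {
    fail=0
    if ! nofiles_ok "$(ulimit -n)" "$MIN_NOFILES"; then
        echo "FAIL nofiles is $(ulimit -n); add 'ulimit -n $MIN_NOFILES' to the profile"
        fail=1
    fi
    set_vars=$(env | locale_vars_set)
    if [ -n "$set_vars" ]; then
        echo "FAIL unset before installing:" $set_vars
        fail=1
    fi
    if ! shell_is_ksh "$(getent passwd "$(id -un)")"; then
        echo "FAIL login shell of $(id -un) is not ksh"
        fail=1
    fi
    if random_is_urandom; then
        echo "INFO /dev/random is a symbolic link to /dev/urandom"
    else
        echo "INFO /dev/random is not linked to /dev/urandom"
    fi
    return "$fail"
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Save the script and run it with the --run argument from a login shell of the smuser account, so that the profile file has already been applied.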

Before You Install the Policy Server

Consider the following items before installing the Policy Server:

How to Install the Policy Server

To install the Policy Server, complete the following steps:

  1. Review the Policy Server component considerations.
  2. Review the policy store considerations.
  3. Review the FIPS considerations.
  4. Gather information for the Policy Server installer.
  5. Run the Policy Server installer.
  6. (Linux) If Security-Enhanced Linux is enabled, add CA SiteMinder®-specific exceptions.
  7. (Optional) If you configured SNMP, restart the SNMP daemon.
  8. (Optional) If you do not use the Policy Server installer to configure a policy store, manually configure the policy store.

Policy Server Component Considerations

In addition to the Policy Server, the installer can install and configure the following components. Review the following items before installing the Policy Server:

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

More information:

Locate the Platform Support Matrix

Certificate Data Store

Policy Store

Policy Store Considerations

Consider the following items before running the Policy Server installer or the Policy Server Configuration wizard:

More information:

Configuring CA SiteMinder® Data Stores in a Relational Database

FIPS Considerations

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses FIPS-compliant algorithms to encrypt sensitive data.

You can install the Policy Server in one of the following FIPS modes of operation.

Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.

Note: For more information about migrating an environment to use only FIPS-compliant algorithms, see the Upgrade Guide.

More information:

Locate the Platform Support Matrix

Gather Information for the Installer

The Policy Server installer requires specific information to install the Policy Server and any optional components.

Note: Installation worksheets are provided to help you gather and record information prior to installing or configuring Policy Server components using the Policy Server Installation Wizard or the Policy Server Configuration Wizard. You may want to print these worksheets and use them to record required information prior to running either wizard.

Required Information

Gather the following required information before running the Policy Server installer or the Configuration wizard.

Active Directory LDS Server Information

Gather the following required information to configure Microsoft Active Directory LDS as a policy store:

Oracle Directory Server Information

Gather the following required information to configure Oracle Directory Server to function as a policy store:

Microsoft SQL Server Information

To configure Microsoft SQL Server as a policy store, gather the following required information:

Database server name

Identify the IP address or name of the database host system.

Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.

Database name

Identify the named instance or the name of the database that is to function as the policy store.

Database port

Identify the port on which the database is listening.

Database administrator user name and password

Identify the name and password of an administrator account with permission to do the following operations:

Note: If the CA SiteMinder® schema is already present in the database, the wizard does not require the credentials of a database administrator with create permission. For more information, see Configure a SQL Server Policy Store.

CA SiteMinder® superuser password

The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

siteminder

Limits:

Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.

Oracle RDBMS Information

Gather the following required information to configure Oracle RDBMS as a policy store.

Database server name

Identify the IP address or the name of the database host system.

Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.

Database service name

Identify the service name of the database that is to function as the policy store.

Database port

Identify the port on which the database is listening.

Database administrator user name

Identify the name of an administrator account with permission to do the following operations:

Database administrator password

Identify the password of the administrator account.

CA SiteMinder® superuser password

The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:

siteminder

Limits:

Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.

OneView Monitor Information

You only have to gather OneView Monitor information if you plan on configuring the OneView Monitor.

Gather the following required information to configure the OneView Monitor. You can use the OneView Monitor Information Worksheet to record your values.

Install the Policy Server in GUI Mode

Install the Policy Server using the installation media on the Technical Support site. Consider the following items:

Follow these steps:

  1. Exit all foreground applications.
  2. Open a shell and navigate to the installation media.
  3. Enter the following command:
    ./ca-ps-12.5-cr-unix_version
    
    cr

    Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.

    unix_version

    Specifies the UNIX version: sol or linux.

    The installer starts.

    Note: For a list of installation media names, see the Policy Server Release Notes.

  4. Use the system and component information you have gathered to install the Policy Server.

    Consider the following items when running the installer:

  5. Review the installation settings and click Install.

    The Policy Server and all selected components are installed and configured.

    Note: The installation can take several minutes.

  6. Click Done.

    The installer closes.

  7. (Optional) If you did not use the installer to configure a policy store, manually configure the policy store.

Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.

siteminder_home

Specifies the Policy Server installation path.

More information:

Locate the Installation Media

Troubleshoot the Policy Server Installation

Installation Media Names

Install the Policy Server in Console Mode

Install the Policy Server using the installation media on the Technical Support site. Consider the following items:

Follow these steps:

  1. Exit all applications that are running.
  2. Open a shell and navigate to the installation media.
  3. Run the following command:
    ./ca-ps-12.5-cr-unix_version -i console
    
    cr

    Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.

    unix_version

    Specifies the UNIX version: sol or linux.

    The installer starts.

    Note: For a list of installation media names, see the Policy Server Release Notes.

  4. Use the system and component information you have gathered to install the Policy Server.

    Consider the following items when entering information:

  5. Review the installation settings and press Enter.

    The Policy Server and all selected components are installed and configured.

    Note: The installation can take several minutes.

  6. Press Enter.

    The installer closes.

  7. (Optional) If you did not use the installer to configure a policy store, manually configure the policy store.

Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.

siteminder_home

Specifies the Policy Server installation path.

More information:

Locate the Installation Media

Troubleshoot the Policy Server Installation

Installation Media Names

Add Exceptions to Security-Enhanced Linux

If Security-Enhanced Linux is enabled on the Policy Server host system, add CA SiteMinder®-specific exceptions to the environment. Adding the exceptions prevents Security-Enhanced Linux text relocation denials.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Open a shell and run the following command:
    chcon -t textrel_shlib_t /siteminder_home/lib/*
    
    siteminder_home

    Specifies the Policy Server installation path.

  3. Run the following command:
    chcon -t textrel_shlib_t /JDK_home/lib/i386/*
    
    JDK_home

    Specifies the required JDK installation path.

  4. Run the following command:
    chcon -t textrel_shlib_t /JDK_home/lib/i386/server/*
    
    JDK_home

    Specifies the required JDK installation path.

    CA SiteMinder®-specific exceptions have been added.

Troubleshoot the Policy Server Installation

Use the following files to troubleshoot the Policy Server installation:

Restart the SNMP Daemon

You only have to restart the SNMP daemon if you configured SNMP during the Policy Server installation.

To restart the SNMP daemon

  1. Enter S76snmpdx stop in /etc/rc3.d.

    The SNMP daemon stops.

  2. Enter S76snmpdx start in /etc/rc3.d.

    The SNMP daemon starts.

Configure a Policy Store

If you did not use the Policy Server installer to configure a policy store automatically, manually configure a supported LDAP directory server or relational database as a policy store.

Configure Auto Startup

You configure auto startup to ensure that the Policy Server restarts automatically when the UNIX system is rebooted.

Follow these steps:

  1. Modify the S98sm script by replacing every instance of the string “nete_ps_root” with an explicit path to the SiteMinder installation directory.

    Example: /export/ca/siteminder

  2. Change the directory to the SiteMinder installation directory.
  3. Enter su and press ENTER.

    Note: Do not use the suse command.

    You are prompted for a password.

  4. Enter the root password and press ENTER.
  5. Enter $ cp S98sm /etc/rc2.d and press ENTER.

    S98sm automatically calls the stop-all and start-all executables, which stop and start the Policy Server service when the UNIX system is rebooted.

Note: If you are using a local LDAP directory server as a policy store, you must configure the LDAP directory to start automatically before starting the Policy Server automatically.

Unattended Policy Server Installation

After the Policy Server is manually installed on one machine, you can reinstall it or install it on a separate machine using an unattended installation mode. An unattended installation lets you install or uninstall the Policy Server without any user interaction.

The installer provides a ca-ps-installer.properties template file that lets you define installation variables. The default parameters, passwords, and paths in this file reflect the information you entered during the initial Policy Server installation. In this file, you can store either encrypted or plain text passwords. If you are using encrypted passwords, for example, for a shared secret and the CA SiteMinder® Super User, you must use the same ones that you entered during the initial installation, because they are encrypted in the file and cannot be modified. However, you can use plain text passwords by modifying the file.

More information:

How to Run an Unattended Policy Server Install