CA Directory can function as a policy store. A single directory server instance can function as a:
Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.
Configuring a CA Directory as a policy store requires specific directory server information.
Note: Policy and data store worksheets are provided to help you gather and record information before configuring or upgrading a CA SiteMinder® data store. You can print the applicable worksheet and can use it to record required information before beginning.
Gather the following information before configuring the policy store. You can use the Policy Store Worksheets to record your values.
To configure CA Directory as a policy store, complete the following procedures:
Create the DSA by running the following command:
dxnewdsa DSA_Name port "o=DSA_Name,c=country_code"
Specifies the name of the DSA.
Specifies the port on which the DSA is to listen.
Specifies the DSA prefix.
Example: "o=psdsa,c=US"
The dxnewdsa utility starts the new DSA.
Note: If the DSA does not automatically start, run the following:
dxserver start DSA_Name
You create the policy store schema so the directory server can function as a policy store.
Important! By default, CA Directory configuration files are read–only. Any CA Directory files that you are instructed to modify, must be updated for write permission. Once the files are updated, you can revert the permission to read–only. Also, all default.xxx files provided by CA Directory are overwritten during a CA Directory upgrade. Use caution when modifying any read-only files.
To create the Policy Store schema
Specifies the Directory Server installation path.
Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with the Policy Server in siteminder_home\xps\db.
Specifies the Policy Server installation path.
Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.
Example: copy the default.dxg schema file and rename the copy to smdsa.dxg
#CA Schema
source "netegrity.dxc";
source "etrust.dxc";
Represents the name of the DSA you created for the policy store.
Note: The DXI file is located in DXHOME\config\servers.
# cache configuration set max-cache-size = 100; set cache-attrs = all-attributes; set cache-load-all = true; set ignore-name-bindings = true;
Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the policy store.
# cache configuration set ignore-name-bindings = true;
Example: Copy the default DXC file and rename the copy smdsa.dxc.
Note: The default DXC file is located in DXHOME\dxserver\config\limits.
# size limits set max-users = 1000; set credits = 5; set max-local-ops = 1000; set max-op-size = 4000; set multi-write-queue = 20000;
Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.
Important! The multi-write-queue setting is for text–based configurations only. If the DSA is set up with DXmanager, omit this setting.
Example: change the limits configuration from default.dxc to smdsa.dxc.
Represents the name of the DSA you created for the policy store.
Note: The DXI file of the DSA is located in DXHOME\config\servers.If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
dxserver stop DSA_Name dxserver start DSA_Name
Specifies the name of the DSA.
The policy store schema is created.
You create a view into the directory server to manage objects.
Follow these steps:
Connection settings appear.
Specifies the host name or IP address of the system where CA Directory is running.
Specifies the port on which the DSA is listening.
Example: o=psdsa,c=US
A view into DSA appears.
You create a base tree structure to hold policy store data. You use the JXplorer GUI to create the organizational units.
To create the base tree structure for policy store data
Netegrity
SiteMinder
PolicySvr4
XPS
The base tree structure is created.
You only have to create a superuser administrator if you do not have an administrator account that CA SiteMinder® can use to access the DSA. The Policy Server requires this information to connect to the policy store.
Follow these steps:
Note: Create the user with the following object type:
inetOrgPerson
Example:
dn:cn=admin,o=yourcompany,c=in
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Policy Store
LDAP
Note: You can click Help for a description of fields, controls, and their respective requirements.
Key Store
LDAP
Use Policy Store database
The default CA SiteMinder® administrator account is named:
siteminder
The account has maximum permissions.
We recommend that you do not use the default superuser for day–to–day operations. Use the default superuser to:
Follow these steps:
Specifies the Policy Server installation path.
Note: The utility is at the top level of the Policy Server installation kit.
smreg -su password
Specifies the password for the default CA SiteMinder® administrator.
Limits:
Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
The password for the default CA SiteMinder® administrator account is set.
You can verify that the DXcache settings are enabled using the DXconsole.
Note: By default, the DxConsole is only accessible from localhost. For more about using the set dsa command to let the DxConsole accept a connection from a remote system, see the Directory Configuration Guide.
Follow these steps:
telnet DSA_Host DXconsole_Port
Specifies the host name or IP address of the system hosting the DSA.
Note: If you are on the localhost, enter localhost. Entering a host name or IP Address results in a failed connection.
Specifies the port on which the DXconsole is listening. This value appears in the console-port parameter of the following file:
DXHOME\config\knowledge\DSA_Name.dxc
Default: The DXconsole port is set to the value of the DSA port +1.
Example: If the DSA is running on port 19389, the DXconsole port is 19390.
The DSA Management Console appears.
get cache;
The DSA Management Console displays the current DSA DXcache settings and specifies the directory caching status.
logout;
Closes the DXconsole and returns to the system prompt.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.
Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA SiteMinder®. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Enable the advanced authentication server as part of configuring your Policy Server.
Follow these steps:
The master key screen appears.
Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
The advanced authentication server is enabled.
You use the default CA SiteMinder® super user account (siteminder) to log into the Administrative UI for the first–time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following:
To prepare for the Administrative UI registration
XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
Specifies the password for the default CA SiteMinder® super user account (siteminder).
Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
Unit of measurement: minutes
Default: 240 (4 hours)
Minimum Limit: 15
Maximum Limit: 1440 (24 hours)
(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect CA SiteMinder® administrator credentials when logging into the Administrative UI for the first–time
Default: 1
Maximum Limit: 5
(Optional) Inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
Note: Surround comments with quotes.
(Optional) Specifies where the registration log file must be exported.
Default: siteminder_home\log
siteminder_home
Specifies the Policy Server installation path.
(Optional) Sends exceptions to the specified path.
Default: stderr
(Optional) Sets the verbosity level to TRACE.
(Optional) Sets the verbosity level to INFO.
(Optional) Sets the verbosity level to WARNING.
(Optional) Sets the verbosity level to ERROR.
(Optional) Sets the verbosity level to FATAL.
XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log into the Administrative UI for the first–time.
Copyright © 2013 CA.
All rights reserved.
|
|