How to Configure the Policy Store

Installation and Upgrade Guides › Policy Server Installation Guide › Configuring LDAP Directory Servers as a Policy or Key Store › CA Directory as a Policy Store › How to Configure the Policy Store

How to Configure the Policy Store

To configure CA Directory as a policy store, complete the following procedures:

Create a DSA for the policy store.
Create the policy store schema.
Open the DSA.
Create the base tree structure for policy store data.
Create a super user administrator for the DSA.
Point the Policy Server to the policy store.
Set the SiteMinder super user password.
Verify the CA Directory cache configuration.
Import the default policy store objects.
Import the policy store data definitions.
Prepare for the Administrative UI registration.

Create a DSA for the Policy Store

Create the DSA by running the following command:

dxnewdsa DSA_Name port "o=DSA_Name,c=country_code"

DSA_Name

Specifies the name of the DSA.

port

Specifies the port on which the DSA is to listen.

o=DSA_Name,c=country_code

Specifies the DSA prefix.

Example: "o=psdsa,c=US"

The dxnewdsa utility starts the new DSA.

Note: If the DSA does not automatically start, run the following:

dxserver start DSA_Name

Create the Policy Store Schema

You create the policy store schema so the directory server can function as a policy store.

Important! By default, CA Directory configuration files are read–only. Any CA Directory files that you are instructed to modify, must be updated for write permission. Once the files are updated, you can revert the permission to read–only. Also, all default.xxx files provided by CA Directory are overwritten during a CA Directory upgrade. Use caution when modifying any read-only files.

To create the Policy Store schema

Copy the following files into the CA Directory DXHOME\config\schema directory:
- netegrity.dxc
- etrust.dxc
DXHOME

Specifies the Directory Server installation path.

Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with the Policy Server in siteminder_home\xps\db.
siteminder_home
Specifies the Policy Server installation path.
- Windows %DXHOME%
- Unix/Linux: $DXHOME
Create a SiteMinder schema file by copying the default.dxg schema file and renaming it.
Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.

Example: copy the default.dxg schema file and rename the copy to smdsa.dxg
Add the following lines to the bottom of the new SiteMinder schema file:
```
#CA Schema
```
```
source "netegrity.dxc";
```
```
source "etrust.dxc";
```
Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new SiteMinder schema file.

DSA_Name

Represents the name of the DSA you created for the policy store.

Note: The DXI file is located in DXHOME\config\servers.
Add the following lines to the end of the DXI file of the DSA:
- r12
```
# cache configuration
set max-cache-size = 100;
set cache-attrs = all-attributes;
set cache-load-all = true;
set ignore-name-bindings = true;
```
  Note: The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the policy store.
- r12 SP1 or later
```
# cache configuration
set ignore-name-bindings = true;
```
Copy the default limits DXC file of the DSA (default.dxc) to create a SiteMinder DXC file.
Example: Copy the default DXC file and rename the copy smdsa.dxc.

Note: The default DXC file is located in DXHOME\dxserver\config\limits.
Edit the settings in the new DXC file to match the following:
```
# size limits
set max-users = 1000;
set credits = 5;
set max-local-ops = 1000;
set max-op-size = 4000;
set multi-write-queue = 20000;
```
Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.

Important! The multi-write-queue setting is for text–based configurations only. If the DSA is set up with DXmanager, omit this setting.
Save the DXC file.
Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new SiteMinder limits file.
Example: change the limits configuration from default.dxc to smdsa.dxc.

DSA_Name

Represents the name of the DSA you created for the policy store.

Note: The DXI file of the DSA is located in DXHOME\config\servers.If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
As the DSA user, stop and restart the DSA using the following commands:
```
dxserver stop DSA_Name
dxserver start DSA_Name
```
DSA_Name

Specifies the name of the DSA.

The policy store schema is created.

Open the DSA

You create a view into the directory server to manage objects.

Follow these steps:

Be sure that the database is configured for an anonymous login.
Launch the JXplorer GUI.
Select the connect icon.
Connection settings appear.
Enter host_name_or_IP_address in the Host Name field.

host_name_or_IP_address

Specifies the host name or IP address of the system where CA Directory is running.
Enter port_number in the Port number field.

port_number

Specifies the port on which the DSA is listening.
Enter o=DSA_Name,c=country_code in the Base DN field.
Example: o=psdsa,c=US
Select Anonymous from the Level list and click Connect.
A view into DSA appears.

Create the Base Tree Structure for Policy Store Data

You create a base tree structure to hold policy store data. You use the JXplorer GUI to create the organizational units.

To create the base tree structure for policy store data

Select the root element of your DSA.
Create an organizational unit under the root element called:
Netegrity
Create an organizational unit (root element) under Netegrity called:
SiteMinder
Create an organizational unit (root element) under SiteMinder called:
PolicySvr4
Create an organizational unit (root element) under PolicySvr4 called:
XPS

The base tree structure is created.

Create a Superuser Administrator for the DSA

You only have to create a superuser administrator if you do not have an administrator account that SiteMinder can use to access the DSA. The Policy Server requires this information to connect to the policy store.

Follow these steps:

Use the JXplorer GUI to access the DSA.
Create an administrator that SiteMinder can use to connect to the policy store.
Note: Create the user with the following object type:
```
inetOrgPerson
```
Note the administrator DN and password. You use the credentials when pointing the Policy Server to the policy store.

Example:

dn:cn=admin,o=yourcompany,c=in

Point the Policy Server to the Policy Store

You point the Policy Server to the policy store so the Policy Server can access the policy store.

Follow these steps:

Open the Policy Server Management Console.
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.
Click the Data tab.
Select the following value from the Database list:
```
Policy Store
```
Select the following value from the Storage list:
```
LDAP
```
Configure the following settings in the LDAP Policy Store group box.
- LDAP IP Address
- Admin Username
- Password
- Confirm Password
- DN
Note: You can click Help for a description of fields, controls, and their respective requirements.
Click Apply.
Click Test LDAP Connection to verify that the Policy Server can access the policy store.
Select the following value from the Database list:
```
Key Store
```
Select the following value from the Storage list:
```
LDAP
```
Select the following option:
```
Use Policy Store database
```
Click OK.