How to Configure an External Administrator Store
Complete the following steps to configure a connection to an external administrator store.
- (Optional) If you want to protect the Administrative UI with SiteMinder, configure an agent to function with a reverse proxy server.
Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.
- Review the external administrator store considerations.
- Review the SSL considerations.
- Depending on your store type, do the following:
- (LDAP) Gather directory server connection information.
- (RDB) Gather database connection information.
- (RDB) Deploy a Java Database Connectivity (JDBC) data source to the application server.
- If you installed the Administrative UI using the stand-alone option, use the smjdbcsetup utility to configure and deploy the data source.
- If you installed the Administrative UI to an existing application server infrastructure, see your vendor-specific documentation for information about configuring and deploying a data source.
Note: If you are deploying a data source to WebSphere, be sure that the JNDI name, under the datasource properties, is prefixed with the following:
jdbc/
Example: If the datasource name is abc, then the JNDI name is jdbc/abc.
- Configure the connection to the external administrator store.
- (Optional) Migrate Legacy Administrator Administrative UI permissions.
External Administrator Store Considerations
Before you configure an external administrator store connection, consider the following items:
- Important! Discontinuing the use of the policy store as the source of administrator identities is permanent. Configuring an external administrator store only affects the Administrative UI that is configured to use the external store. Any other Administrative UI not yet configured to use the external store continues to use the policy store to identify administrators.
- Legacy Administrators, including the default SiteMinder super user account, can continue to perform the following actions:
- Manage the Policy Management API
- Function as a Trusted Host administrator
- Use Policy Server tools
- Legacy Administrators, including the default SiteMinder super user account, can no longer manage SiteMinder objects in the Administrative UI.
- If you have Legacy Administrators who must continue using the Administrative UI, use your vendor-specific tools to add these users to the external store. Once the user identities are established in the external store, you can reinstate these privileges by mapping the existing user paths from the policy store to the external store.
Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.
- A super user that you identify when configuring the connection to the external store replaces the default SiteMinder super user account. The external user becomes the super user and has maximum permissions in the Administrative UI and access to all Policy Server tools.
Use the external super user to delegate permissions to new Administrators.
- If multiple Administrative UI instances are to use the same administrator authentication store, be sure to configure each connection using the same network identifier. Mixing network identifiers for multiple Administrative UI connections to the same external administrator authentication store is not supported.
Example: If you configured the first connection with 172.16.0.0, create subsequent connections with 172.16.0.0. If you configured the first connection with comp001@example.com, create subsequent connections with comp001@example.com.
SSL Considerations
If you are configuring the external administrator store connection over SSL, consider the following items:
- The directory server must be configured to communicate over SSL.
Note: For more information about configuring the directory server for SSL, see your vendor-specific documentation.
- If you installed the Administrative UI using the stand-alone option, the Administrative UI is installed with an embedded certificate database.
- If you installed the Administrative UI to an existing application server infrastructure, implement a certificate database as required by your application server.
Note: For more information about implementing a certificate database, see your vendor-specific documentation.
- Be sure to enter an SSL-enabled port when entering directory connection information. If you do not enter an SSL-enabled port, the Administrative Authentication wizard becomes unresponsive.
Gather Directory Server Information
If you are configuring a connection to a directory server, gather the following information:
- Host name—Identify the IP address or fully qualified domain name of the directory server host system.
- Port—Identify the port on which the directory server is listening.
- Directory server user credentials—Identify the user name and password of an account that has read/write permissions to the directory server.
- Search root—Identify the base DN of the directory server.
- SSL certificate—If the directory server is configured to communicate over an SSL connection, obtain the SSL certificate.
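The following pre-flight checks are an added example, not part of the CA documentation or the product. They cover the items above before you run the Administrative Authentication wizard or smjdbcsetup: that a directory port really completes a TLS handshake (entering a non-SSL port hangs the wizard) and captures its certificate, that a WebSphere JNDI name carries the jdbc/ prefix, and that every Administrative UI connection to the same store uses one network identifier. Host names, ports and identifiers used in the test are placeholders.

```python
"""Pre-flight checks for an external administrator store connection (added example)."""
import socket
import ssl


def websphere_jndi_name(datasource_name: str) -> str:
    """Return the JNDI name WebSphere expects: the datasource name prefixed with jdbc/."""
    name = datasource_name.strip()
    if not name:
        raise ValueError("datasource name must not be empty")
    return name if name.startswith("jdbc/") else "jdbc/" + name


def consistent_network_identifier(identifiers) -> bool:
    """True when all Administrative UI connections to one store use the same identifier.

    Mixing an IP address and a host name (or a user identity) for the same
    external store across several Administrative UI instances is not supported.
    """
    normalized = {i.strip().lower() for i in identifiers if i and i.strip()}
    return len(normalized) == 1


def probe_ldaps_port(host: str, port: int, timeout: float = 5.0) -> dict:
    """Confirm that host:port completes a TLS handshake and return its certificate as PEM.

    Certificate verification is off because this probe only collects the certificate
    you must supply to the wizard; confirm its fingerprint with the directory owner
    out of band before trusting it.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        return {"ssl_enabled": True, "pem": ssl.DER_cert_to_PEM_cert(der)}
    except ssl.SSLError as exc:
        # The port answered but did not speak TLS: entering it in the wizard would hang it.
        return {"ssl_enabled": False, "pem": None, "error": str(exc)}
    except OSError as exc:
        # Unreachable host, closed port or timeout.
        return {"ssl_enabled": False, "pem": None, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder directory host and SSL port; replace with the values you gathered.
    print(probe_ldaps_port("ldap.example.com", 636))
```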
Gather Database Information
If you are configuring a connection to a database, gather the following information:
- Host name—Identify the name of the database host system.
- Port—Identify the port on which the database is listening.
- (Microsoft SQL Server) Database name—Identify the name of the database.
- (Oracle) Service name—Identify the service name of the database.
- Database user credentials—Identify the credentials of a user account that has read/write permissions to the database.
Important! If you are configuring a connection to Oracle, be sure to set the default schema for this user. The default schema must be the schema that is associated with the table that contains the administrative users. If you do not set the default schema for this user, the Administrative Authentication wizard cannot locate users in the database.
Deploy a JDBC Data Source
If you are configuring a connection to a relational database, the Administrative UI requires a JDBC data source to communicate with the administrator store. A utility is required to create the data source. If you installed the Administrative UI using the stand-alone option, the smjdbcsetup utility is provided for you.
Note: If you installed the Administrative UI to an existing application server, see your vendor-specific documentation for information about deploying a JDBC data source. If you are deploying a data source to WebSphere, verify that the JNDI name, under the datasource properties, is prefixed with the following text:
jdbc/
Example: If the datasource name is abc, then the JNDI name is jdbc/abc.
Follow these steps:
- Log in to the Administrative UI host system.
- (UNIX) Stop the SiteMinder Administrative UI service.
Note: For more information about stopping the service, see the Policy Server Installation Guide.
- Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.
administrative_ui_home
Specifies the Administrative UI installation path.
- Run one of the following commands:
- (Windows)
smjdbcsetup.bat
Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
- (UNIX)
smjdbcsetup.sh
The utility prompts you for a unique identifier. The utility appends the identifier to the data source.
- Type a value and press Enter.
The utility prompts you for a database driver type. The driver types are prefixed with a number.
- Type a number to select a driver type and press Enter.
The utility prompts you for the name of the database host system.
- Type the database host name and press Enter.
The utility prompts you for the port on which the database is listening.
- Type the database port and press Enter.
- If you are configuring a connection to Microsoft SQL Server, the utility prompts you for the database name.
- If you are configuring a connection to Oracle, the utility prompts you for the service name.
- Type the database name or the service name and press Enter.
The utility prompts you for the database user account name.
- Type the database user account name and press Enter.
Note: This user account must have read/write permissions to the database.
The utility prompts you for the password of the database user.
- Type the password and press Enter.
The connection details appear.
- Review the details and do one of the following steps:
- To configure and deploy the data source, type y and press Enter.
The utility deploys the data source to admin_ui_home\CA\SiteMinder\adminui\server\default\deploy and prompts you to restart the SiteMinder Administrative UI service.
admin_ui_home
Specifies the Administrative UI installation path.
Note: Restarting the SiteMinder Administrative UI service is required before you can use the data source to create the connection.
- To cancel the deployment, type n and press Enter.
- Do one of the following steps:
- To start the service automatically, do one of the following steps:
- (Windows) Type y and press Enter.
- (UNIX) You must manually start the service. For more information about starting the service, see the Policy Server Installation Guide.
- To start the service manually, type n and press Enter.
The data source is configured and the utility exits.
Copyright © 2012 CA.
All rights reserved.