Migrate Legacy Administrator Permissions

Policy Server Guides › Policy Server Configuration Guide › Administrative User Interface Management › SiteMinder Administrators › How to Configure an External Administrator Store › Migrate Legacy Administrator Permissions

Migrate Legacy Administrator Permissions

If a Legacy Administrator must continue using the Administrative UI or Policy Server tools after configuring a connection to an external administrator store, migrate the permissions.

Important! External administrator authentication does not let a single Legacy Administrator account retain rights to the Administrative UI, Policy Server tools, the FSS Administrative UI, the Policy Management API, and Trusted Host privileges at the same time. If a Legacy Administrator must continue functioning in one or more of these roles, leave the Legacy Administrator unchanged. Be sure that the user is present in the external store and separately configure a new Administrator using the external user identity.

To migrate permissions

Be sure that the administrator is present in the external store.
Log into the Administrative UI using the external super user.
Click Administration, Administrators, Administrator, Modify Administrator.
The Search dialog opens.
Specify search criteria using the full name of the user and click Search.
Users matching the search criteria appear.
Select the Legacy Administrator you want and click Select.
The user path points to the policy store.
Click Lookup in the Details group box.
The Select a User dialog appears.
Specify search criteria and click Search.
Users matching the specified criteria appear.
Select the user you want and click Select.
The user path is updated to point to the external store.
Click Submit.
The Administrative UI authenticates the administrator using the external store. The administrator has the same level of access to the Administrative UI when the policy store was being used to store administrator identities.

Update External Administrator Store Credentials

If the credentials that the Administrative UI uses to connect to the external administrator store change, submit the new credentials to the Administrative UI or SiteMinder administrator authentication fails.

If you installed the Administrative UI using the stand–alone option, two utilities are provided for you:

(LDAP) Use the smjndisetup utility to update the directory server user account credentials.
Note: To update the directory server host system name or port information, use the Administrative UI to re–create the connection to the external administrator store. The smjndisetup utility cannot update host or port information.
(RDB) Use the smjdbcsetup utility to update the database user account credentials.
Note: To update the database host system name or port information, use the smjdbcsetup utility to re–deploy the JNDI data source.

If you installed the Administrative UI to an existing application server infrastructure, consider the following items:

(LDAP) Use the Administrative Authentication Wizard to update the credentials that the Administrative UI is to use to access the directory server.
Important! After you use the wizard to update the credentials, update the credentials on the directory server as soon as possible. Administrators cannot log in to the Administrative UI until the directory server credentials are updated to match the credentials you supplied using the wizard.
(RDB) Use the database–specific tool to update the data source.

More information:

Deploy a JDBC Data Source

Update Directory Server Credentials

Use the smjndisetup utility to update directory manager credentials.

Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.

To update directory server credentials

Log in to the Administrative UI host system.
(UNIX) Stop the SiteMinder Administrative UI service.
Note: For more information about stopping the SiteMinder Administrative UI service, see the Policy Server Installation Guide.
Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

administrative_ui_home

Specifies the Administrative UI installation path.
Run one of the following commands:
- (Windows)
```
smjndisetup.bat --reset-password
```
  Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
- (UNIX)
```
smjndisetup.sh --reset-password
```
  The utility prompts you for the user name.
Do one of the following operations:
- Type the new directory user and press Enter.
- Press Enter to accept the default user name.
  The utility prompts you for the password of the user.
Type the new password and press Enter.
The utility verifies the credentials and prompts you to update the directory connection credentials.
Type y and press Enter.
- If you ran the utility on Windows, the utility restarts the SiteMinder Administrative UI service. The utility also updates the new directory connection details.
- If you ran the utility on UNIX, start the Administrative UI service to update the new directory connection details.
  Note: For more information about starting the Administrative UI service, see the Policy Server Installation Guide.

Update Database Credentials

Use the smjdbcsetup utility to update database user credentials in the JNDI data source.

To update database credentials

Log in to the Administrative UI host system.
(UNIX) Stop the SiteMinder Administrative UI service.
Note: For more information about stopping the SiteMinder Administrative UI service, see the Policy Server Installation Guide.
Navigate to administrative_ui_home\CA\SiteMinder\adminui\bin.

administrative_ui_home

Specifies the Administrative UI installation path.
Run one of the following commands:
- (Windows)
```
smjdbcsetup.bat --reset-password
```
  Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
- (UNIX)
```
smjdbcsetup.sh --reset-password
```
The utility prompts you to enter a unique identifier.
Enter the name of the deployed data source.
Note: If you do not know the data source name, you can locate all deployed data sources in administrative_ui_home\SiteMinder\adminui\server\default\deploy.

administrative_ui_home

Specifies the Administrative UI installation path.

The utility prompts you for the database user name.
Enter the user name and press Enter.
The utility prompts you for the user password.
Enter the password and press Enter.
The utility prompts you to verify the new data source credentials and verify that they can be updated.
Type y and press Enter to confirm the new data source credentials.
The utility updates the data source.
- (Windows) The utility prompts you to restart the SiteMinder Administrative UI service.
- (UNIX) A message appears stating that the SiteMinder Administrative UI service must be manually started.
Do one of the following tasks:
- (Windows) Type y and press Enter to use the utility to restart the SiteMinder Administrative UI service and deploy the updated data source.
- (Windows) Type n and press Enter to start the SiteMinder Administrative UI service manually. The data source is deployed when the service is started.
- (UNIX) Manually start the SiteMinder Administrative UI service to deploy the data source.
Note: For more information about starting the SiteMinder Administrative UI service, see the Policy Server Installation Guide.

Modify the External Administrator Store Connection

Run the Administrative Authentication wizard again to change the external store to which the Administrative UI connects for administrator authentication.

More information:

How to Configure an External Administrator Store