Installation and Upgrade Guides › Policy Server Installation Guide › Installing the Policy Server on Windows Systems › Before You Install the Policy Server › Policy Store Considerations

Policy Store Considerations

Consider the following before running the Policy Server installer or the Policy Server Configuration wizard:

• The Policy Server installer and the Policy Server Configuration wizard can automatically configure one of the following as a policy store:
  • Microsoft^® Active Directory^® in Application Mode (ADAM)
  • Microsoft Active Directory Lightweight Directory Services (AD LDS)

    Note: Be sure that you have met the prerequisites for configuring ADAM or AD LDS as a policy store.

  • Oracle^® Directory Server Enterprise Edition (formerly Sun Directory Server Enterprise Edition)
  • Microsoft SQL Server^® (SQL Server)
  • Oracle RDBMS

  Important! The Policy Server installer and the Policy Server Configuration wizard cannot automatically configure a policy store that is being connected to using an SSL connection.

• (RDB policy store) The Policy Server installer or the Policy Server Configuration Wizard use specific database information to create the policy store data source. The Policy Server uses this data source to communicate with the policy store. Consider the following:
  • The name of data source is CA SiteMinder DSN.
  • (Windows) The installer saves the data source to the Microsoft ODBC Data Source Administrator tool, under the System DSN tab.
  • (UNIX) The installer saves the data source to the system_odbc.ini file, which is located at siteminder_home/db.

    siteminder_home

    Specifies the Policy Server installation path.

• (RDB policy store) Be sure that the database server that is to host the policy store is configured to store objects in UTF–8 form. This configuration avoids possible policy store corruption.
  • (Oracle) Be sure that the database is configured to store objects in UTF–8 form. Oracle supports unicode within many of their character sets. For more information about configuring your database to store objects in UTF–8 form, see your vendor–specific documentation.
  • (SQL Server) Be sure that the database is configured using the default collation (SQL_Latin1_General_CP1_CI_AS). Using a collation that is case sensitive can result in unexpected behaviors. For more information about configuring your database to store objects using the default collation, see your vendor–specific documentation.
• You manually configure any other supported directory server or relational database as a policy store after installing the Policy Server. Configuring a policy store manually is detailed in this guide.

More information:

ADAM/AD LDS Prerequisites

Configuring LDAP Directory Servers as a Policy or Key Store

Configuring SiteMinder Data Stores in a Relational Database

FIPS Considerations

The Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a SiteMinder environment only uses FIPS-compliant algorithms to encrypt sensitive data.

You can install the Policy Server in one of the following FIPS modes of operation.

Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the SiteMinder r12.0 SP3 Platform Support Matrix on the Technical Support site.

• FIPS-compatibility mode—The default FIPS mode of operation during the installation is FIPS-compatibility mode. In FIPS-compatibility mode, the environment uses existing SiteMinder algorithms to encrypt sensitive data and is compatible with previous versions SiteMinder:
  • The use of FIPS-compliant algorithms in your environment is optional.
  • If your organization does not require the use of FIPS-compliant algorithms, install the Policy Server in FIPS-compatibility mode. No further configuration is required.
• FIPS-migration mode—FIPS-migration mode lets you transition an r12.0 SP3 environment running in FIPS-compatibility mode to FIPS-only mode.

  In FIPS-migration mode, the r12.0 SP3 Policy Server continues to use existing SiteMinder encryption algorithms as you migrate the r12.0 SP3 environment to use only FIPS-compliant algorithms.

  Install the Policy Server in FIPS-migration mode if you are in the process of configuring the existing environment to use only FIPS-compliant algorithms.

• FIPS-only mode—In FIPS-only mode, the environment only uses FIPS-compliant algorithms to encrypt sensitive data.

  Install the Policy Server in FIPS-only mode if the existing environment is upgraded to r12.0 SP3 and the existing environment is configured to use only FIPS-compliant algorithms.

  Important! A r12.0 SP3 environment that is running in FIPS-only mode cannot operate with versions of SiteMinder that do not also fully support FIPS (that is, versions before r12.0). This restriction applies to all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Relink all such software with the r12.0 SP3 versions of the respective SDKs to achieve the required FIPS support.

Note: For more information about migrating an environment to use only FIPS-compliant algorithms, see the Upgrade Guide.

More information:

Locate the Platform Support Matrix

Gather Information for the Installer

The Policy Server installer requires specific information to install the Policy Server and any optional components.

Note: Installation worksheets are provided to help you gather and record information prior to installing or configuring Policy Server components using the Policy Server Installation Wizard or the Policy Server Configuration Wizard. You may want to print these worksheets and use them to record required information prior to running either wizard.

Required Information

Gather the following required information before running the Policy Server installer or the Configuration wizard. You can use the Required Information Worksheet to record your values.

• Java version ‑ Identify the supported Java Runtime Environment version for the Policy Server to use. On UNIX, verify that the JAVA_HOME system variable is set to the location of the JRE; the installer cannot locate the JRE if the JAVA_HOME system variable is incorrectly set.
• Policy Server installation location ‑ Determine where the installer is to install the Policy Server.

  Default: C:\Program Files\CA

• Encryption key value ‑ Determine the encryption key value. An encryption key is a case–sensitive, alphanumeric key that secures the data sent between the Policy Server and the policy store. All Policy Servers that share a policy store are required to use the same encryption key. For stronger protection, define a long encryption key.

  Limits: 6 to 24 characters.

More information:

Required Information Worksheet