Installation and Upgrade Guides › Policy Server Installation Guide › Configuring LDAP Directory Servers as a Policy or Key Store › Configure a Separate Key Store › Microsoft ADAM/AD LDS as a Key Store › Import the Policy Store Data Definitions › Key Store Prerequisites › Allow User Creation in the Configuration Partition

Allow User Creation in the Configuration Partition

Only an administrative user in the configuration partition can import the key store schema. This user must have administrative rights over the configuration partition and all application partitions, including the key store partition.

Note: The following procedure assumes that you are familiar with configuration, application, and schema partitions.

Follow these steps:

1. Open the ADSI Edit console.
2. Navigate to the following in the configuration partition:

   cn=directory service, cn=windows nt,

   cn=services, cn=configuration, cn={guid}

3. Locate the msDS-Other-Settings attribute.
4. Add the following new value to the msDS-Other-Settings attribute:

   ADAMAllowADAMSecurityPrincipalsInConfigPartition=1

5. In the configuration and policy store application partitions:
   1. Navigate to CN=Administrators, CN=Roles.
   2. Open the properties of CN=Administrators.
   3. Edit the member attribute.
   4. Do one of the following:
      • (ADAM 2000 and 2003) Click Add ADAM Account and paste the full DN of the user you created in the configuration partition.
      • (AD LDS) Click Add DN and paste the full DN of the user you created in the configuration partition.
   5. Go to the properties of the user you created and verify the value for the following object:

      msDS-UserAccountDisabled

      Be sure that the value is set false.

   The administrative user has rights over the configuration partition and all application partitions, including the key store partition.

Gather Directory Server Information

Specific information is required to configure a separate key store. Gather the following information:

Host

The fully qualified name or the IP address of the directory server host system.

Port

The port on which the directory server instance is listening. This value is only required if the instance is listening on a non–standard port.

Default values: 636 (SSL) and 389 (non-SSL)

• Administrator DN

  The full domain name, including the guid value, of the directory server administrator.

  Example: CN=user1,CN=People,CN=Configuration,CN,{guid}

  This user requires the following privileges:

  • create schema

    Note: This permission is only required to import the key store schema. After you deploy the key store, you can configure the Policy Server with a user that does not have the permission.

  • read
  • write
  • modify
  • delete

Administrator password

The password for the directory server administrator.

Root DN of the application partition

The root DN location of the application partition where the key store schema must be imported.

(Optional) SSL client certificate

If the directory connection is made over SSL, the path of the directory that contains the SSL client certificate database.

More information:

Policy and Data Store Worksheets

Microsoft ADAM/AD LDS Information Worksheet

Register the Key Store

Registering the key store configures a connection between the key store and the Policy Server. The Policy Server uses the credentials that you supply to manage the key store.

Important! Registration does not configure the Policy Server to use the separate key store. The settings do not take effect until the Policy Server is restarted. Do not restart the Policy Server until the key store is configured and you are ready to deploy it.

Follow these steps:

1. Log in to the Policy Server host system.
2. Run the following command to configure the connection:

   smldapsetup reg -hhost -pport -dadmin_user -wadmin_password -rroot -k1
   

   Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   Note: For more information about these modes and arguments, see the Policy Server Administration Guide.

   Example:

   smldapsetup reg -host172.16.0.0 -p389 -d"cn=directory manager" -wpassword -r"dc=test" -k1
   

3. Start the Policy Server Management Console and open the Data tab.
4. Complete one of the following procedures:
   • If the Policy Server is configured to use a data relational database:
     1. Select Keystore from the Database list.
     2. Select LDAP from the Storage list to display the connection settings and administrative credentials.
     3. Verify that the connection settings and administrative user setting appear.
     4. Click test LDAP Connection to verify that the Policy Server can communicate with the key store instance.
   • If the Policy Server is configured to use a directory server:

     a. Select Keystore from the Database list.

     b. Verify that the connection settings and the administrative user settings appear.

     c. Click test LDAP Connection to verify that the Policy Server can communicate with the key store instance.

   Note: The Use Policy Store database setting is cleared. The cleared setting is expected normal behavior. The Policy Server continues to use the key store that is collocated with the policy store.

5. Exit the Policy Server Management Console.

   The separate key is registered with the Policy Server.

Create the Key Store Schema

The key store instance requires the schema to store and retrieve SiteMinder web agent keys. Use the smldapsetup utility to create the key store schema file.

Follow these steps:

1. Log in to the Policy Server host system.
2. Run the following command to create the key store schema file:

   smldapsetup ldgen -ffile_name -k1
   

   Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   Note: For more information about these modes and arguments, see the Policy Server Administration Guide.

   Example: smldapsetup ldgen -fkeystoreschema -k1

   The key store schema file is created.

Import the Key Store Schema

The key store instance requires the schema to store and retrieve SiteMinder web agent keys. Use the smldapsetup utility to import the key store schema file.

Follow these steps:

1. Log in to the Policy Server host system.
2. Run the following command to import the key store schema:

   smldapsetup ldmod -ffile_name -k1
   

   Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

   Consider the following items:

   • For more information about these modes and arguments, see the Policy Server Administration Guide.
   • Standard out displays all policy store schema being imported. The behavior is normal and expected. The utility only imports the key–store specific schema.

   Example: smldapsetup ldmod -fkeystoreschema -k1

   The key store–specific schema is imported.

Restart the Policy Server

The Policy Server continues to use the collocated key store until you restart the Policy Server. Restart the Policy Server to begin using the separate key store.

Note: For more information, see the Policy Server Administration Guide.