Configure CA Directory as a Policy Store

Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with Administrator permissions. Open the command line window this way, even if your account has Administrator privileges. For more information, see the release notes for your SiteMinder component.

To configure CA Directory as a policy store

  1. Copy the netegrity.dxc file into the CA Directory DXHOME\config\schema directory.

    Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust.

    siteminder_home

    Specifies the Policy Server installation path.

  2. Create a SiteMinder schema file by copying the default.dxg schema file and renaming it.

    Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.

    Example: Copy the default.dxg schema file and rename the copy to smdsa.dxg

  3. Add the following lines to the bottom of the new SiteMinder schema file:
    # Netegrity Schema
    source "netegrity.dxc";
    
  4. Edit the DXI file of the DSA (DSA_name.dxi) by changing the schema from default.dxg to the new SiteMinder schema file.
    DSA_name

    Represents the name of the DSA you created for the policy store.

    Note: The DXI file is located in DXHOME\config\servers.

  5. Add the following lines to the end of the DXI file of the DSA:
  6. Copy the default limits DXC file of the DSA (default.dxc) to create a SiteMinder DXC file.

    Example: Copy the default DXC file and rename the copy smdsa.dxc.

    Note: The default DXC file is located in DXHOME\dxserver\config\limits.

  7. Edit the settings in the new DXC file to match the following:
    # size limits
    set max-users = 1000;
    set credits = 5;
    set max-local-ops = 1000;
    set max-op-size = 4000;
    set multi-write-queue = 20000;
    

    Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.

    Important! The multi-write-queue setting is for text-based configurations only. If the DSA is set up with DXmanager, omit this setting.

  8. Save the DXC file.
  9. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new SiteMinder limits file.

    Example: change the limits configuration from default.dxc to smdsa.dxc.

    DSA_Name

    Represents the name of the DSA you created for the policy store.

    Note: The DXI file of the DSA is located in DXHOME\config\servers. If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.

  10. As the DSA user, restart the DSA using the following commands:
    dxserver stop DSA_name
    dxserver start DSA_name
    
    DSA_name

    Specifies the name of the DSA.

    The policy store schema is created.

  11. Do the following to create a view into the DSA:
    1. Launch the JXplorer GUI.
    2. Select the connect icon.

      Connection settings appear.

    3. Enter host_name_or_IP_address in the Host Name field.
      host_name_or_IP_address

      Specifies the host name or IP address of the CA Directory host system.

    4. Enter port_number in the Port number field.
      port_number

      Specifies the port on which the DSA is listening.

    5. Enter o=DSA_name,c=country_code in the Base DN field.

      Example: o=psdsa,c=US

    6. Select Anonymous from the Level list and click Connect.

      A view into the DSA appears.

  12. Create the base tree structure to hold the policy store data. Use the JXplorer GUI to create the following organizational units:
    1. Select the root element of your DSA.
    2. Under the root element, create an organizational unit named:

      Netegrity

    3. Under Netegrity, create an organizational unit (root element) named:

      SiteMinder

    4. Under SiteMinder, create an organizational unit (root element) named:

      PolicySvr4

      The base tree structure is created.

  13. Use JXplorer to create an administrator that has the rights to create, delete, and modify objects in the DSA.

    Consider the following:

    Example: dn: cn=admin,o=yourcompany,c=in

  14. From the Policy Server host system, open the Policy Server Management Console and click the Data tab.

    Database settings appear.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the release notes for your SiteMinder component.

  15. Do the following to point the Policy Server at the CA Directory policy store:
    1. Select Policy Store from the Database list.
    2. Select LDAP from the Storage list.
    3. Configure the following settings in the LDAP Policy Store section:
      • LDAP IP Address
      • Root DN
      • Admin Username
      • Password
      • Confirm Password
    4. Click Apply.

      The policy store settings are saved.

    5. Click Test LDAP Connection to test the connection.

    If the connection is successful, SiteMinder returns a confirmation. If the connection is not successful, SiteMinder returns an error message. If you receive an error message, verify that the values you entered are correct and that the directory is running.

  16. Do the following to set the SiteMinder superuser password:
    1. Copy the smreg utility from the top level of the Policy Server installation kit to siteminder_home\bin.
      siteminder_home

      Specifies the Policy Server installation path.

    2. Run the following command:
      smreg -su super_user_password
      
      super_user_password

      Specifies the password for the SiteMinder superuser account.

      Note: Be sure that there is a space between -su and the superuser password.

    3. Delete smreg.exe.

      Deleting smreg.exe prevents anyone from changing the superuser password without knowing the previous one.

  17. Import the default policy store objects by running the following command:
    smobjimport -isiteminder_home\db\smdif\smpolicy.smdif -dsuper_user_administrator -wsuper_user_password -v
    
    siteminder_home

    Specifies the Policy Server installation path.

    Note: When manually configuring a policy store on Windows, you can import one of the following:

    The file named smpolicy-secure provides additional security through enhanced default Web Agent configuration parameters.

    super_user_administrator

    Specifies the name of a SiteMinder account with superuser privileges.

    super_user_password

    Specifies the password for the SiteMinder superuser.

    Note: If an argument contains spaces, use double quotes around the entire argument.

    Windows example: smobjimport -i"C:\Program Files\Netegrity\siteminder\db\smdif\smpolicy.smdif" -d"SM Admin" -wPassword -v

    UNIX example: smobjimport -i$NETE_PS_ROOT/db/smdif/smpolicy.smdif -d"SM Admin" -wPassword -v

    -v

    Outputs error, warning, and comment messages in verbose format so you can monitor the status of the import.

    The policy store is configured and you can now log in to the Policy Server User Interface.
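The file edits in steps 1 to 10, as an added example that is not part of the CA documentation: a POSIX shell script for a text-based (non-DXmanager) DSA that applies the schema and limits changes and then checks that the DXI no longer references the default files. It assumes the DXHOME layout named in the steps and that the DXI refers to the schema and limits files by the names default.dxg and default.dxc; the path to netegrity.dxc is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the CA Directory or SiteMinder documentation: applies
# steps 1 to 10 to a text-based (non-DXmanager) DSA and checks the result.
# Assumptions: DXHOME uses the layout the steps name (config/schema,
# config/servers, dxserver/config/limits) and the DXI refers to the schema and
# limits files by the names default.dxg and default.dxc.

configure_dsa_files() {   # usage: configure_dsa_files DXHOME DSA_name /path/to/netegrity.dxc
  dxhome=$1; dsa=$2; netegrity_dxc=$3
  schema_dir="$dxhome/config/schema"
  limits_dir="$dxhome/dxserver/config/limits"
  dxi="$dxhome/config/servers/$dsa.dxi"
  # Step 1: install the SiteMinder schema definition next to the other schema files.
  cp "$netegrity_dxc" "$schema_dir/netegrity.dxc" || return 1
  # Steps 2 and 3: copy default.dxg to smdsa.dxg and source netegrity.dxc from it.
  cp "$schema_dir/default.dxg" "$schema_dir/smdsa.dxg" || return 1
  printf '\n# Netegrity Schema\nsource "netegrity.dxc";\n' >> "$schema_dir/smdsa.dxg"
  # Steps 6 to 8: copy default.dxc to smdsa.dxc, dropping any existing values for
  # the five size limits so each is set exactly once, then append the required values.
  sed -E '/^[[:space:]]*set[[:space:]]+(max-users|credits|max-local-ops|max-op-size|multi-write-queue)[[:space:]]*=/d' \
    "$limits_dir/default.dxc" > "$limits_dir/smdsa.dxc" || return 1
  cat >> "$limits_dir/smdsa.dxc" <<'EOF'
# size limits
set max-users = 1000;
set credits = 5;
set max-local-ops = 1000;
set max-op-size = 4000;
set multi-write-queue = 20000;
EOF
  # Steps 4 and 9: point the DXI at the new schema and limits files.
  sed -e 's/default\.dxg/smdsa.dxg/' -e 's/default\.dxc/smdsa.dxc/' "$dxi" > "$dxi.tmp" &&
    mv "$dxi.tmp" "$dxi"
}

# Returns 0 only when every reference the steps require is present and the DXI
# no longer points at the default schema or limits file.
verify_dsa_files() {   # usage: verify_dsa_files DXHOME DSA_name
  dxhome=$1; dsa=$2
  dxi="$dxhome/config/servers/$dsa.dxi"
  limits="$dxhome/dxserver/config/limits/smdsa.dxc"
  grep -q 'source "netegrity.dxc";' "$dxhome/config/schema/smdsa.dxg" &&
  grep -q 'smdsa\.dxg' "$dxi" && grep -q 'smdsa\.dxc' "$dxi" &&
  ! grep -q -E 'default\.dx[gc]' "$dxi" &&
  [ "$(grep -c -E '^set (max-users|credits|max-local-ops|max-op-size|multi-write-queue) ' "$limits")" -eq 5 ]
}

# Step 10: restart the DSA so the new schema and limits take effect (run as the DSA user).
restart_dsa() { dxserver stop "$1" && dxserver start "$1"; }
```

Run verify_dsa_files before restart_dsa; a DSA restarted with a DXI that still sources default.dxg starts without the SiteMinder schema and the policy store import in step 17 fails.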

More Information:

Policy Store Schema Considerations