Skip to content
CA Single Sign-On - 12.52 SP2
Documentation powered by DocOps

Configure a CA Directory Policy Store

Last update June 18, 2018

This content describes how to configure a single CA Directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store. Using a single directory server simplifies administration tasks.

Gather Directory Server Information

Configuring a CA Directory as a policy store requires specific directory server information. Gather the following information before configuring the policy store.

  • Host information—Determine the fully qualified host name or the IP address of the system on which CA Directory is running.
  • DSA port number—Determine the port on which the DSA is to listen.
  • Base DN—Determine the distinguished name of the node in the LDAP tree in which policy store objects are to be defined.
  • Administrative DN—Determine the LDAP user name of the account that CA Single Sign-On is to use manage objects in the DSA.
  • Administrative password—Determine the password for the administrative user.

Create a DSA for the Policy Store

Create the DSA by running the following command:

dxnewdsa DSA_Name port "o=DSA_Name,c=country_code"

  • DSA_Name
    Specifies the name of the DSA.
  • port
    Specifies the port on which the DSA is to listen.
  • o=DSA_Name,c=country_code
    Specifies the DSA prefix.
    Example: "o=psdsa,c=US"

The dxnewdsa utility starts the new DSA.

Note: If the DSA does not automatically start, run the following:

dxserver start DSA_Name

Create the Policy Store Schema

You create the policy store schema so the directory server can function as a policy store.

Important! By default, CA Directory configuration files are read–only. Any CA Directory files that you are instructed to modify, must be updated for write permission. Once the files are updated, you can revert the permission to read–only. Also, all default.xxx files provided by CA Directory are overwritten during a CA Directory upgrade. Use caution when modifying any read-only files.

Follow these steps:

  1. Copy the following files into the CA Directory DXHOME\config\schema directory:
    • netegrity.dxc
    • etrust.dxc
    • DXHOME
      Specifies the Directory Server installation path.
    Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with the Policy Server in siteminder_home\xps\db.
    • siteminder_home
      Specifies the Policy Server installation path.
      • Windows %DXHOME%
      • Unix/Linux: $DXHOME
  2. Create a CA Single Sign-On schema file by copying the default.dxg schema file and renaming it.
    Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.
    Example: copy the default.dxg schema file and rename the copy to smdsa.dxg
  3. Add the following lines to the bottom of the new CA Single Sign-On schema file:

    #CA Schema

    source "netegrity.dxc";

    source "etrust.dxc";

  4. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new CA Single Sign-On schema file.
    • DSA_Name
      Represents the name of the DSA you created for the policy store.
    Note: The DXI file is located in DXHOME\config\servers.
  5. Add the following lines to the end of the DXI file of the DSA:

    # cache configuration

    set ignore-name-bindings = true;

  6. Copy the default limits DXC file of the DSA (default.dxc) to create a CA Single Sign-On DXC file.
    Example: Copy the default DXC file and rename the copy smdsa.dxc.

    Note: The default DXC file is located in DXHOME\dxserver\config\limits.
  7. Edit the settings in the new DXC file to match the following:

    # size limits

    set max-users = 1000;

    set credits = 5;

    set max-local-ops = 1000;

    set max-op-size > 10000;

    set multi-write-queue = 20000;

    Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.
    Important! The multi-write-queue setting is for text–based configurations only. If the DSA is set up with DXmanager, omit this setting.
  8. Save the DXC file.
  9. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new CA Single Sign-On limits file.
    Example: change the limits configuration from default.dxc to smdsa.dxc.
    • DSA_Name
      Represents the name of the DSA you created for the policy store.

      Note: The DXI file of the DSA is located in DXHOME\config\servers.If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
  10. As the DSA user, stop and restart the DSA using the following commands:

    dxserver stop DSA_Name

    dxserver start DSA_Name

    • DSA_Name
      Specifies the name of the DSA.
    The policy store schema is created.

Open the DSA

You create a view into the directory server to manage objects.

Follow these steps:

  1. Be sure that the database is configured for an anonymous login.
  2. Launch the JXplorer GUI.
  3. Select the connect icon.
    Connection settings appear.
  4. Enter host_name_or_IP_address in the Host Name field.
    • host_name_or_IP_address
      Specifies the host name or IP address of the system where CA Directory is running.
  5. Enter port_number in the Port number field.
    • port_number
      Specifies the port on which the DSA is listening.
  6. Enter o=DSA_Name,c=country_code in the Base DN field.
    Example: o=psdsa,c=US
  7. Select Anonymous from the Level list and click Connect.
    A view into DSA appears.

Create the Base Tree Structure for Policy Store Data

You create a base tree structure to hold policy store data. You use the JXplorer GUI to create the organizational units.

Follow these steps:

  1. Select the root element of your DSA.
  2. Create an organizational unit under the root element called:
    Netegrity
  3. Create an organizational unit (root element) under Netegrity called:
    SiteMinder
  4. Create an organizational unit (root element) under SiteMinder called:
    PolicySvr4
  5. Create an organizational unit (root element) under PolicySvr4 called:
    XPS
    The base tree structure is created.

Create a Superuser Administrator for the DSA

You only have to create a superuser administrator if you do not have an administrator account that CA Single Sign-On can use to access the DSA. The Policy Server requires this information to connect to the policy store.

Follow these steps:

  1. Use the JXplorer GUI to access the DSA.
  2. Create an administrator that CA Single Sign-On can use to connect to the policy store.

    Note: Create the user with the following object type:

    inetOrgPerson

  3. Note the administrator DN and password. You use the credentials when pointing the Policy Server to the policy store.

Example:

dn:cn=admin,o=yourcompany,c=in

Point the Policy Server to the Policy Store

You point the Policy Server to the policy store so the Policy Server can access the policy store.

Follow these steps:

  1. Open the Policy Server Management Console.
    Important! On Windows Server, if User Account Control (UAC) is enabled open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On component.
  2. Click the Data tab.
  3. Select the following value from the Database list:

    Policy Store

  4. Select the following value from the Storage list:

    LDAP

  5. Configure the following settings in the LDAP Policy Store group box.
    • LDAP IP Address
    • Admin Username
    • Password
    • Confirm Password
    • Root DN
    Note: You can click Help for a description of fields, controls, and their respective requirements.
  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
  8. Select the following value from the Database list:

    Key Store

  9. Select the following value from the Storage list:

    LDAP

  10. Select the following option:

    Use Policy Store database

  11. Click OK.

Set the CA Single Sign-On Super User Password

The default administrator account is named siteminder. The account has maximum permissions.

Do not use the default super user for day-to-day operations. Use the default super user to:

  • Access the Administrative UI for the first time.
  • Manage CA Single Sign-On utilities for the first time.
  • Create another administrator with super user permissions.

Follow these steps:

  1. Copy the smreg utility to siteminder_home\bin.
    • siteminder_home
      Specifies the Policy Server installation path.
    Note: The utility is at the top level of the Policy Server installation kit.
  2. Run the following command:

    smreg -su password

    • password
      Specifies the password for the default administrator.
    The password has the following requirements:
    • The password must contain at least six (6) characters and cannot exceed 24 characters.
    • The password cannot include an ampersand (&) or an asterisk (*).
    • If the password contains a space, enclose the passphrase with quotation marks.
    Note: If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
  3. Delete smreg from siteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.

The password for the default administrator account is set.

Verify the CA Directory Cache Configuration

You can verify that the DXcache settings are enabled using the DXconsole.

Note: By default, the DxConsole is only accessible from localhost. For more about using the set dsa command to let the DxConsole accept a connection from a remote system, see the Directory Configuration Guide.

Follow these steps:

  1. From a command prompt, enter the following command to Telnet to the DSA DXConsole port:

    telnet DSA_HostDXconsole_Port

    • DSA_Host
      Specifies the host name or IP address of the system hosting the DSA.

      Note: If you are on the localhost, enter localhost. Entering a host name or IP Address results in a failed connection.
    • DXConsole_Port
      Specifies the port on which the DXconsole is listening. This value appears in the console-port parameter of the following file:
      DXHOME\config\knowledge\DSA_Name.dxc

      Default: The DXconsole port is set to the value of the DSA port +1. Example: If the DSA is running on port 19389, the DXconsole port is 19390.
    The DSA Management Console appears.
  2. Enter the following command:

    get cache;

    The DSA Management Console displays the current DSA DXcache settings and specifies the directory caching status.

  3. Enter the following command:

    logout;

    Closes the DXconsole and returns to the system prompt.

Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\xps\dd.
    • siteminder_home
      Specifies the Policy Server installation path.
  2. Run the following command:

    XPSDDInstall SmMaster.xdd

    • XPSDDInstall
      Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

  • Be sure that you have write access to siteminder_home\bin. The import utility requires this permission to import the policy store objects.
    • siteminder_home
      Specifies the Policy Server installation path.
  • If Windows User Account Control (UAC) is enabled, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for your CA Single Sign-On component.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\db.
  2. Import one of the following files:
    • To import smpolicy.xml, run the following command:

      XPSImport smpolicy.xml -npass

    • To import smpolicy–secure.xml, run the following command:

      XPSImport smpolicy-secure.xml -npass

      • npass
        Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
      Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects and Schema Files.
    • To import Option Pack functionality, run the following command:

      XPSImport ampolicy.xml -npass

    • To import federation functionality, run the following command:

      XPSImport fedpolicy-12.5.xml -npass

    The policy store objects are imported.
Note: Importing ampolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA Single Sign-On. If you intend on using the latter functionality, contact your CA account representative for licensing information.

Enable the Advanced Authentication Server

Enable the Advanced Authentication Server as part of configuring your Policy Server.

Follow these steps:

  1. Start the Policy Server configuration wizard.
  2. Perform one of the following steps:

    On Windows:
    Leave all the check boxes in the first screen of the wizard
    cleared and click Next.

    On Linux:
    Type 5 and press Enter.
  3. Create the master encryption key for the Advanced Authentication Server.

    Note: If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
  4. Complete the rest of the Policy Server configuration wizard.
    The Advanced Authentication Server is enabled.

Prepare for the Administrative UI Registration

You use the default super user account to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.

You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.

Consider the following items:

  • The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
  • (UNIX) Be sure that the CA Single Sign-On environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command:

    XPSRegClient super_user_account_name[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF

    • passphrase
      Specifies the password for the default super user account.

      Note: If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
    • -adminui–setup
      Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
    • -t timeout
      (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
      Unit of measurement: minutes
      Default: 240 (4 hours)
      Minimum: 15
      Maximum: 1440 (24 hours)
    • -r retries
      (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
      Default: 1
      Maximum: 5
    • -c comment
      (Optional) Inserts the specified comments into the registration log file for informational purposes.

      Note: Surround comments with quotes.
    • -cp
      (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.

      Note: Surround comments with quotes.
    • -l log_path
      (Optional) Specifies where the registration log file must be exported.
      Default:siteminder_home\log
      siteminder_home
      Specifies the Policy Server installation path.
    • -e error_path
      (Optional) Sends exceptions to the specified path.
      Default: stderr
    • -vT
      (Optional) Sets the verbosity level to TRACE.
    • -vI
      (Optional) Sets the verbosity level to INFO.
    • -vW
      (Optional) Sets the verbosity level to WARNING.
    • -vE
      (Optional) Sets the verbosity level to ERROR.
    • -vF
      (Optional) Sets the verbosity level to FATAL.
  3. Press Enter.
    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.
Was this helpful?

Please log in to post comments.

  1. SARAVANAN RAMALINGAM
    2016-04-08 09:39

    The following note needs to be changed/verified:

    Note: Importing smpolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from CA Single Sign-On. If you intend on using the latter functionality, contact your CA account representative for licensing information.

    I think this note should reference ampolicy.xml and not the smpolicy.xml

    1. Rapley, Timothy
      2016-04-08 02:42

      Good catch, Saravanan. I have made the change in source and it will be available here as soon as we republish this space.

  2. Murthy Ravi
    2016-07-22 07:02

    If you are configuring Policy Store for ipv6, Please follow ipv4 Vs ipv6 section of this link, before starting adminui(JBoss) server:

    https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports

  3. Murthy Ravi
    2016-07-22 07:02

    If you are configuring Policy Store for ipv6, Please follow ipv4 Vs ipv6 section of this link, before starting adminui(JBoss) server:

    https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports

    1. Rapley, Timothy
      2016-07-22 03:05

      Hi Ravi,

      Thanks for your comment. Can you please explain to me how JBoss Wildfly configuration changes for IPv6 pertain to CA Directory as a Policy Store?

      --Tim