How to Configure a CA Directory Key Store

You can configure CA Directory to function as a key store.
Gather Directory Server Information
Gather the following information before configuring the key store:
  • Host information—Determine the fully qualified host name or the IP address of the system on which CA Directory is running.
  • DSA port number—Determine the port on which the DSA is to listen.
  • Base DN—Determine the distinguished name of the node in the LDAP tree in which key store objects are to be defined.
  • Administrative DN—Determine the LDAP user name of the account that CA Single Sign-On is to use to manage objects in the DSA.
  • Administrative password—Determine the password for the administrative user.
Create a DSA for the Key Store
Follow these steps:
  1. Create the DSA by running the following command:
     dxnewdsa DSA_Name port "o=DSA_Name,c=country_code"
     • DSA_Name
       Specifies the name of the DSA.
     • port
       Specifies the port on which the DSA is to listen.
     • o=DSA_Name,c=country_code
       Specifies the DSA prefix.
       Example: "o=psdsa,c=US"
     The dxnewdsa utility starts the new DSA. If the DSA does not start automatically, run the following command:
     dxserver start DSA_Name
Create the Key Store Schema
Create the key store schema so that the directory server can function as a key store.
By default, CA Directory configuration files are read-only. Any CA Directory file that you are instructed to modify must first be given write permission. Once the file is updated, you can revert the permission to read-only. Also, all the default.xxx files provided by CA Directory are overwritten during a CA Directory upgrade, so use caution when modifying any read-only files.
Follow these steps:
  1. Copy the following files into the CA Directory DXHOME\config\schema directory:
     • netegrity.dxc
     • etrust.dxc
     The netegrity.dxc file is installed with Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with Policy Server in siteminder_home\xps\db.
     • DXHOME
       Specifies the Directory Server installation path: %DXHOME% on Windows, $DXHOME on Unix/Linux.
     • siteminder_home
       Specifies the Policy Server installation path.
  2. Create a CA Single Sign-On schema file by copying the default.dxg schema file and renaming the copy.
     Note: The default.dxg schema file is located at DXHOME\config\schema\default.dxg.
     Example: Copy the default.dxg schema file and rename the copy to smdsa.dxg.
  3. Add the following lines to the bottom of the new CA Single Sign-On schema file:
     #CA Schema
     source "netegrity.dxc";
     source "etrust.dxc";
  4. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new CA Single Sign-On schema file.
     • DSA_Name
       Represents the name of the DSA you created for the key store.
     The DXI file is located in DXHOME\config\servers.
  5. Add the following lines to the end of the DXI file of the DSA:
    • Release 12
      # cache configuration
      set max-cache-size = 100;
      set cache-attrs = all-attributes;
      set cache-load-all = true;
      set ignore-name-bindings = true;
      The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and overall size of the key store.
    • Release 12 SP 1 or later
      # cache configuration
      set ignore-name-bindings = true;
  6. Copy the default limits DXC file of the DSA (default.dxc) to create a CA Single Sign-On DXC file.
     Example: Copy the default DXC file and rename the copy to smdsa.dxc.
     The default DXC file is located in DXHOME\dxserver\config\limits.
  7. Edit the settings in the new DXC file to match the following values:
     Warning: The multi-write-queue setting applies only to text-based configurations. If the DSA is set up with DXmanager, omit this setting.
    # size limits
    set max-users = 1000;
    set credits = 5;
    set max-local-ops = 1000;
    set max-op-size = 4000;
    set multi-write-queue = 20000;
    Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.
  8. Save the DXC file.
  9. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new CA Single Sign-On limits file.
     Example: Change the limits configuration from default.dxc to smdsa.dxc.
     • DSA_Name
       Represents the name of the DSA you created for the key store.
     The DXI file of the DSA is located in DXHOME\config\servers. If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
  10. As the DSA user, stop and restart the DSA using the following commands:
     dxserver stop DSA_Name
     dxserver start DSA_Name
     • DSA_Name
       Specifies the name of the DSA.
     The key store schema is created.
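The schema and limits edits in steps 1 to 9 above, as an added shell example that is not CA Directory or CA Single Sign-On tooling. It assumes the DXI refers to its schema and limits files by the names default.dxg and default.dxc, that the limits directory is DXHOME/config/limits, and that the DSA is Release 12 SP 1 or later (only the ignore-name-bindings cache setting is appended); the function name and its arguments are the example's own.

```shell
# Added example (not CA Directory or CA Single Sign-On tooling): applies steps
# 1-9 of "Create the Key Store Schema" to an existing DSA non-interactively.
# Assumed: the DXI names its schema/limits files default.dxg and default.dxc,
# and the limits directory is DXHOME/config/limits.
set -eu

# Usage: configure_keystore_dsa DXHOME SITEMINDER_HOME DSA_NAME
configure_keystore_dsa() {
  dxhome=$1 smhome=$2 dsa=$3
  schema="$dxhome/config/schema"
  limits="$dxhome/config/limits"
  dxi="$dxhome/config/servers/$dsa.dxi"

  # Step 1: copy the CA Single Sign-On schema fragments shipped with Policy Server.
  cp "$smhome/eTrust/netegrity.dxc" "$smhome/xps/db/etrust.dxc" "$schema/"

  # Steps 2-3: derive smdsa.dxg from the read-only default.dxg and source the fragments.
  cp "$schema/default.dxg" "$schema/smdsa.dxg"
  chmod u+w "$schema/smdsa.dxg"
  printf '%s\n' '#CA Schema' 'source "netegrity.dxc";' 'source "etrust.dxc";' \
    >> "$schema/smdsa.dxg"

  # Steps 4-5: make the DXI writable, switch it to the new schema, append cache config.
  chmod u+w "$dxi"
  sed -i.bak 's/default\.dxg/smdsa.dxg/' "$dxi"
  printf '%s\n' '# cache configuration' 'set ignore-name-bindings = true;' >> "$dxi"

  # Steps 6-8: derive smdsa.dxc and enforce the size limits. A limit already
  # present in default.dxc is rewritten in place; a missing one is appended.
  cp "$limits/default.dxc" "$limits/smdsa.dxc"
  chmod u+w "$limits/smdsa.dxc"
  for kv in max-users=1000 credits=5 max-local-ops=1000 max-op-size=4000 \
            multi-write-queue=20000; do
    k=${kv%%=*} v=${kv#*=}
    if grep -q "^set $k *=" "$limits/smdsa.dxc"; then
      sed -i.bak "s/^set $k *=.*/set $k = $v;/" "$limits/smdsa.dxc"
    else
      echo "set $k = $v;" >> "$limits/smdsa.dxc"
    fi
  done

  # Step 9: switch the DXI to the new limits file, drop the sed backups and
  # return the edited files to read-only as the documentation advises.
  sed -i.bak 's/default\.dxc/smdsa.dxc/' "$dxi"
  rm -f "$dxi.bak" "$limits/smdsa.dxc.bak"
  chmod u-w "$dxi" "$limits/smdsa.dxc" "$schema/smdsa.dxg"
}
```

Run it before step 10 (the DSA restart) and diff smdsa.dxc against default.dxc to confirm only the five size limits changed.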
Open the DSA
Create a view into the directory server to manage objects.
Follow these steps:
  1. Ensure that the database is configured for an anonymous login.
  2. Launch the JXplorer GUI.
  3. Select the connect icon.
  4. Enter host_name_or_IP_address in the Host Name field.
     • host_name_or_IP_address
       Specifies the host name or IP address of the system where CA Directory is running.
  5. Enter port_number in the Port number field.
     • port_number
       Specifies the port on which the DSA is listening.
  6. Enter o=DSA_Name,c=country_code in the Base DN field.
     Example: o=psdsa,c=US
  7. Select Anonymous from the Level list and click Connect.
Create the Base Tree Structure for Key Store Data
Create a base tree structure to hold key store data. Use the JXplorer GUI to create the organizational units.
Follow these steps:
  1. Select the root element of your DSA.
  2. Create an organizational unit named Netegrity under the root element.
  3. Create an organizational unit named SiteMinder under Netegrity.
  4. Create an organizational unit named PolicySvr4 under SiteMinder.
  5. Create an organizational unit named XPS under PolicySvr4.
Create a Superuser Administrator for the DSA
You have to create a superuser administrator only if you do not have an administrator account that CA Single Sign-On can use to access the DSA. Policy Server requires this information to connect to the key store.
Follow these steps:
  1. Use the JXplorer GUI to access the DSA.
  2. Create an administrator of the following object type that CA Single Sign-On can use to connect to the key store:
     inetOrgPerson
  3. Note the administrator DN and password. Use the credentials when pointing Policy Server to the key store.
     Example: dn:cn=admin,o=yourcompany,c=in
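The base tree structure and the superuser administrator from the two sections above, as an added shell example (not CA's own tooling) that emits the equivalent LDIF for any LDIF-capable client, so the four organizational units and the inetOrgPerson entry do not have to be clicked together in JXplorer. The function name, its arguments and the KEYSTORE_ADMIN_PASSWORD environment variable are the example's own; the password is read from the environment so it never sits in a script or shell history.

```shell
# Added example (not CA Directory or CA Single Sign-On tooling): prints LDIF for
# the key store base tree (Netegrity > SiteMinder > PolicySvr4 > XPS under the DSA
# prefix) followed by an inetOrgPerson administrator directly under the prefix.
# Assumed names: keystore_tree_ldif, its arguments and KEYSTORE_ADMIN_PASSWORD.
set -eu

# Usage: keystore_tree_ldif BASE_DN ADMIN_CN   (password from KEYSTORE_ADMIN_PASSWORD)
keystore_tree_ldif() {
  base=$1 admin=$2
  : "${KEYSTORE_ADMIN_PASSWORD:?set KEYSTORE_ADMIN_PASSWORD in the environment}"
  parent=$base
  # Nested organizational units, in the order the documentation creates them;
  # each one becomes the parent of the next.
  for ou in Netegrity SiteMinder PolicySvr4 XPS; do
    printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n\n' \
      "$ou" "$parent" "$ou"
    parent="ou=$ou,$parent"
  done
  # Administrator entry of object type inetOrgPerson (sn is mandatory for person).
  printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: person\n' "$admin" "$base"
  printf 'objectClass: organizationalPerson\nobjectClass: inetOrgPerson\n'
  printf 'cn: %s\nsn: %s\nuserPassword: %s\n' "$admin" "$admin" "$KEYSTORE_ADMIN_PASSWORD"
}
```

Pipe the output into your LDAP client bound as a user permitted to add entries under the DSA prefix; the resulting cn=ADMIN_CN,BASE_DN is the administrative DN entered in the Policy Server Management Console.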
Point the Policy Server to the Key Store
Point Policy Server to the key store so that Policy Server can access the key store.
Follow these steps:
  1. Open the Policy Server Management Console.
    If you are accessing this graphical user interface on Windows Server, open the shortcut with Administrator permissions. Use the Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On component.
  2. Click the Data tab.
  3. Select the following value from the Database list:
    Key Store
  4. Select the following value from the Storage list:
    LDAP
  5. Configure the following settings in the LDAP Key Store group box:
    • LDAP IP Address
    • Admin Username
    • Password
    • Confirm Password
    • Root DN
  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the key store.
  8. Click OK.
  9. Restart Policy Server.