Install Policy Server on Windows
The following flowchart describes how to install Policy Server on Windows:
Policy Server Installation on Windows in Release 12.6

Perform the following steps to install Policy Server:
Review the Considerations
Review the following considerations before you install Policy Server:
- Administrator privileges—A Windows account with local administrator privileges is required to install Policy Server.
- CPU—x64.
- Memory—2 GB of system RAM. Tip: Use 2 GB of RAM for Policy Server processing, and make available at least 4 GB of RAM to the Policy Server host system.
- Available disk space:
  - 4 GB of free disk space in the install location.
  - 3 GB of free space in the temporary file location of the system.
  These requirements are based on a medium size policy database of approximately 1,000 policies.
- JRE—Verify that a supported JRE is installed on the Policy Server host system. Verify the supported Java version on the Platform Support Matrix.
- (Oracle JDK) JCE—Verify that JRE supports unlimited key strength in the Java Cryptography Extension (JCE) package. For JDK 1.8_161 and later, no additional steps are required. For JDK 1.8_151 to 1.8_160, perform the following steps:
  - Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
  - Uncomment the following line: crypto.policy=unlimited
  - Save the file.
  For the other previous versions of JDK, perform the following steps:
  - Locate the JCE package for your operating system from the Oracle website.
  - Download the unlimited JCE package for the Java version that is supported by CA Single Sign-on.
  - Navigate to the jdk_home\jre\lib\security directory on your system and apply the patch to the following files:
    - local_policy.jar
    - US_export_policy.jar
  jdk_home specifies the location of the Java installation.
- LDAP directory server or relational database—Verify that you are using a supported LDAP directory server or relational database as a policy store.
- Windows Firewall—We recommend that you disable Stealth Mode as it increases the time that it takes for agents to make new connections to the Policy Server. These delays can adversely affect functionality such as failover.
- Firewall settings—Update the Windows firewall settings to allow inbound connections on the following ports:
  - 44441
  - 44442
  - 44443
  These ports are the default Policy Server accounting, authentication, and authorization ports. If you change these ports after installing Policy Server, allow inbound connections to the respective ports. For more information, see the Microsoft documentation.
- Environment variables—The Policy Server installation modifies environment variables.
For a list of supported CA and third-party components, see the CA Single Sign-on Platform Support Matrix.
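
Several of the considerations above can be checked from an elevated PowerShell session before the installer is launched. The script below is an added example, not vendor code; the install path, the use of JAVA_HOME, the agent subnet, the rule name, and the choice of TCP for the firewall rule are assumptions.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# $InstallPath, $JdkHome and $AgentSubnet are assumptions; adjust for your host.
$InstallPath = 'C:\PolicyServer'          # hypothetical install location
$JdkHome     = $env:JAVA_HOME             # assumes JAVA_HOME points at the JDK
$AgentSubnet = '10.0.0.0/24'              # constructed sample agent network
$Ports       = 44441, 44442, 44443        # default ports from the list above

function Get-FreeGB([string]$Path) {
    # Free space on the volume that holds $Path
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Path))
    [math]::Round($drive.AvailableFreeSpace / 1GB, 1)
}

function Get-MaxAesKeyLength([string]$Jdk) {
    # Ask the JVM itself; 128 means the limited JCE policy is still active.
    # Assumes jrunscript.exe is present, as it is in JDK 8.
    $tool = Join-Path $Jdk 'bin\jrunscript.exe'
    if (-not (Test-Path $tool)) { return $null }
    [long](& $tool -e "print(javax.crypto.Cipher.getMaxAllowedKeyLength('AES'))")
}

$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
$maxAes  = if ($JdkHome) { Get-MaxAesKeyLength $JdkHome }

[pscustomobject]@{
    LocalAdmin      = $isAdmin
    InstallFreeGB   = Get-FreeGB $InstallPath   # 4 GB required
    TempFreeGB      = Get-FreeGB $env:TEMP      # 3 GB required
    MaxAesKeyLength = $maxAes
    JceUnlimited    = ($maxAes -gt 128)
} | Format-List

# Allow the three ports inbound, limited to the agent network rather than any source.
# TCP is an assumption; the page does not name the protocol.
$ruleName = 'Policy Server agent ports'
if ($isAdmin -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Ports -RemoteAddress $AgentSubnet | Out-Null
}
```

If the Policy Server ports are changed after installation, update `$Ports` and the rule to match.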
Enable 8dot3 Name Creation for the Windows File System
Enable 8dot3 name creation for the disk volume if you want to install Policy Server and Administrative UI on the same machine and in the same non-default drive.
Follow these steps:
- Check the current value of 8dot3name setting by running the following fsutil 8dot3 command. This command manages the settings for the 8dot3 name behavior:
  fsutil 8dot3name query VolumePath
  where VolumePath is the disk volume where you want to install Policy Server. The following example shows the command and the response:
  C:\>fsutil 8dot3name query c:
  The volume state is: 0 (8dot3 name creation is enabled).
  The registry state is: 2 (Per volume setting - the default).
  Based on the returned settings, 8dot3 name creation is enabled on volume C.
- If the 8dot3 name creation is disabled, enable it by entering the following command:
  fsutil 8dot3name set VolumePath 0
  If you do not specify a volume path, 8dot3 name creation is enabled for all volumes on the system.
- Before you install Policy Server on a non-default drive (for example E:\), verify that the folder name conventions and file locations are correct. To do this, set the short file name using the following fsutil command:
  fsutil file setshortname <pathname> <shortname>
  Example:
  fsutil file setshortname "E:\Program Files" PROGRA~1
- After the installation is complete, you can disable 8dot3 name creation by executing the following command:
  fsutil 8dot3name set VolumePath 1
  If you do not specify a volume path, 8dot3 name creation is disabled for all volumes on the system.
Gather Information for the Installer
The Policy Server installer requires the following information:
- FIPS mode
- Features to be installed and their related configuration information
- JRE location
- Policy Server installation location
- Encryption key value to secure communication between Policy Server and policy store
Complete the following steps to gather the required information to run the installer:
Determine the FIPS Mode
Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS is a US government computer security standard that is used to accredit cryptographic modules that meet the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a CA Single Sign-on environment uses only FIPS-compliant algorithms to encrypt sensitive data.
You can install Policy Server in one of the following FIPS modes of operation.
Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the Platform Support Matrix.
- FIPS-compatibility mode—The default FIPS mode of operation during the installation is FIPS-compatibility mode. In FIPS-compatibility mode, the environment uses existing algorithms to encrypt sensitive data and is compatible with previous versions of CA Single Sign-on.
  Note:
  - The use of FIPS-compliant algorithms in your environment is optional.
  - If your organization does not require the use of FIPS-compliant algorithms, install Policy Server in FIPS-compatibility mode. No further configuration is required.
- FIPS-migration mode—FIPS-migration mode lets you transition an environment running in FIPS-compatibility mode to FIPS-only mode. In this mode, Policy Server continues to use existing encryption algorithms as you migrate the environment to use only FIPS-compliant algorithms. Use this mode if you are in the process of configuring the existing environment to use only FIPS-compliant algorithms.
- FIPS-only mode—In FIPS-only mode, the environment only uses FIPS-compliant algorithms to encrypt sensitive data. Use this mode if the existing environment is upgraded to a new version and the existing environment is configured to use only FIPS-compliant algorithms.
An environment that is running in FIPS-only mode cannot operate with versions of CA Single Sign-on that do not also fully support FIPS (that is, versions before r12.0). This restriction applies to all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Relink all such software with the versions of the respective SDKs to achieve the required FIPS support.
Determine the Features to be Installed and Configured
In addition to Policy Server, the installer lets you install and configure the following components:
- OneView Monitor: Enables monitoring the CA Single Sign-on components. To use the OneView Monitor, you must have the supported Java SDK and Apache Tomcat server installed on the system. Gather the following information:
  - JDK path: Defines the path to the required JDK version.
  - Apache Tomcat installation directory: Defines the path to the Apache Tomcat installation directory. If you have multiple Tomcat instances, determine the instance to which you want to configure the OneView Monitor GUI.
  - Tomcat container port number: Defines the port number for the Tomcat instance. If installing OneView Monitor on the same system as the Administrative UI, change the Tomcat port number from its default 8080 to any other value to avoid a conflict.
  - Sun Java System administrator directory: Defines the installation location of the Sun Java System and Sun Java System Web servers.
  Do not configure OneView Monitor if you are installing Policy Server for the first time on this system. The installer modifies the configuration files of the web server that is to host the UI. The smuser account does not have the required root privileges. Use the Policy Server Configuration Wizard as the root user to configure OneView Monitor UI after you install Policy Server on the system.
- SNMP: Enables many operational aspects of the environment to be monitored by SNMP-compliant network management applications. You must have the following items to enable SNMP support:
  - The password of the root user
  - A native SunSolstice Master Agent
- Policy store: The installer can automatically configure one of the following stores as a policy store:
  - Relational Database
  - ADAM/Microsoft Active Directory Lightweight Directory Services (AD LDS)
  - Oracle® Directory Server
  Policy Server includes the binaries required by the SessionLinker. You do not need to install SessionLinker separately.
- CA Identity Manager Integration: Enables the integration of CA Identity Manager with CA Single Sign-on. When you select this feature, the installer automatically creates the required registry in 64-bit location which enables the integration of Identity Manager with CA Single Sign-on. Also, selecting this option eliminates the requirement of copying the Identity Manager installer on to the CA Single Sign-on machine.
Determine the Policy Store Type
You can configure a policy store using the installer during the Policy Server installation or manually after the Policy Server installation. The installer can automatically configure one of the following stores as a policy store:
- Relational Database
  - Microsoft SQL
  - Oracle
  - PostgreSQL
- ADAM/Microsoft Active Directory Lightweight Directory Services (AD LDS)
- Oracle® Directory Server
Important! For AD LDS and Oracle Directory Server, the installer cannot automatically configure a policy store that is being connected to using an SSL connection.
Review the following considerations:
- (Relational Database) The installer uses specific database information to create the policy store data source with the name CA SiteMinder DSN. Policy Server uses the data source to communicate with the policy store. The installer saves the data source to the system_odbc.ini file that is located in siteminder_home/db.
- (Relational Database) Verify that the database server that is to host the policy store is configured to store objects in UTF-8 form. This configuration avoids possible policy store corruption.
- (Oracle) Oracle supports Unicode within many of their character sets. For information about configuring your database to store objects in UTF-8 form, see your vendor-specific documentation.
- (SQL Server) Ensure that the database is configured using the default collation (SQL_Latin1_General_CP1_CI_AS). Using a collation that is case-sensitive can result in unexpected behaviors. For information about configuring your database to store objects using the default collation, see your vendor-specific documentation.
- The key store and certificate data store are automatically configured and collocated with the policy.
The installer prompts for information depending on the database that you select. For information that is required for each database, see the Gather Database Information section of the following topics:
Gather the JRE Location
Gather the location where the supported JRE that is shipped with the JDK is installed. You can use AdoptOpenJDK HotSpot JVM or a licensed Oracle JDK version.
Determine the Install Location
Determine where the installer must install Policy Server.
Important! We recommend that you do not exceed 700 characters. The installation fails if the system path length exceeds 1024 characters. The limitation applies to both included or excluded CA Single Sign-on added directories.
Determine the Encryption Key Value
Determine the encryption key value that secures the data communicated between Policy Server and the policy store. All Policy Servers that share a policy store are required to use the same encryption key. For stronger protection, define a long encryption key. The encryption key is case-sensitive and can contain alphanumeric characters.
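
One way to produce a long key within the limits stated in this section, as an added example that is not vendor code. The function names are hypothetical, and the validator reads "only one '$'" as "at most one".

```powershell
# Added example, not vendor code. Function names are hypothetical.
function New-PolicyStoreKey {
    # Random alphanumeric key from the OS CSPRNG; 24 is the documented maximum length.
    param([ValidateRange(6, 24)][int]$Length = 24)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # Reject bytes >= 248 so every one of the 62 characters is equally likely.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    return $sb.ToString()
}

function Test-PolicyStoreKey {
    # Checks a candidate key: 6 to 24 characters, alphanumeric, at most one '$'.
    param([string]$Key)
    $dollars = [regex]::Matches($Key, '\$').Count
    return ($Key -cmatch '^[A-Za-z0-9$]{6,24}$') -and ($dollars -le 1)
}

$key = New-PolicyStoreKey -Length 24
if (-not (Test-PolicyStoreKey $key)) {
    throw 'Generated key violates the documented limits.'
}
```

Every Policy Server that shares the policy store needs the same value, so record `$key` in a secrets vault rather than in a script or shell history.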
Value: 6 to 24 characters. You can include only one '$' character.
Run the Installer
Install Policy Server using the installation media. For a list of installation media names, see the Release Notes.
Follow these steps:
- Exit all applications that are running.
- Ensure that you have the local administrator privileges to run the installer.
- Double-click installation_media to start the installation. Note: installation_media specifies the name of the Policy Server installation executable.
- Accept the license agreement.
- Use the information that you gathered in the Gather Information for the Installer section to continue working with the installer. Consider the following items when you specify the inputs:
  - You can use AdoptOpenJDK or a licensed Oracle JDK version.
  - You can configure a policy store now or after the Policy Server installation.
  - If you configured a policy store now and are initializing a policy store, you are prompted to enter a password for the default user account. The default account name is siteminder. Initialize the policy store only when you configure a new policy store instance.
  - You are prompted to install the default certificate authority certificates to the certificate data store. You can add additional certificates and private keys to the certificate data store after the installation.
  - If you are using IPv6 addresses, surround entries with brackets. Example: [2001:db8::1428:57ab]
- Review the installation summary and click Install. The installation can take several minutes. Policy Server and the selected features, if any, are installed and configured.
- Exit the installer.
If you experience problems during the installation, you can locate the installation log file and the policy store details file at siteminder_home/siteminder/install_config_info.
If you did not use the installer to configure a policy store, run the Policy Server Configuration Wizard to manually configure a policy store. If you configured a policy store, proceed to install Administrative User Interface.
Enable SNMP Event Trapping
(Only for SNMP)
Follow these steps:
- Ensure that you have an SNMP Service installed on the Windows systems.
- Use the XPSConfig utility to set the event handler library, eventsnmp.dll, to the XPSAudit list. Default location of eventsnmp.dll: policy_server_home\bin.
- Configure the snmptrap.conf file. For information about the necessary SNMP prerequisites and procedures, see SNMP Support.
(Optional) Reinstall the Policy Server
You can reinstall Policy Server over an existing Policy Server of the same version to restore lost application files or restore the Policy Server default installation settings.
Follow these steps:
- Stop Policy Server using the Policy Server Management Console.
- Close the Policy Server Management Console.
- Install Policy Server.
- Start the Policy Server using the Policy Server Management Console.