Configure the CA SSO Policy Store

A policy administrator uses the Identity Manager Administrative Tools to access the Microsoft SQL scripts or LDAP schema text that add the IMS schema to the policy store. The identity administrator installs these tools in the Admin Tools folder.
Set Up the Policy Store
Follow one of the following procedures to configure the policy store:
Relational Database
You can use your relational database as the CA SSO policy store.
 
Follow these steps:
 
  1. Configure the database as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Run the appropriate script for your database:
     • SQL:
       C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftSQLServer\ims8_mssql_ps.sql
     • Oracle:
       /opt/CA/IdentityManager/IAM_Suite/Identity_Manager/tools/policystore-schemas/OracleRDBMS/ims8_oracle_ps.sql
     The preceding paths are the default installation locations; the location for your installation may be different.
Sun Java Systems Directory Server or IBM Directory Server
To configure a Sun Java Systems Directory Server or IBM Directory Server policy store, you apply the appropriate LDIF schema file.
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Add the appropriate LDIF schema file to the directory. The default Windows location for the LDIF files is:
     C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas
     Add the following schema file to your directory:
     • IBM Directory Server:
       IBMDirectoryServer\V3.identityminder8
     • Sun Java Systems Directory Server (iPlanet):
       SunJavaSystemDirectoryServer\sundirectory_ims8.ldif
Microsoft Active Directory
To configure a Microsoft Active Directory policy store, you apply the activedirectory_ims8.ldif script.
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Modify the activedirectory_ims8.ldif schema file as follows:
    1. In a text editor, open the activedirectory_ims8.ldif file. The default Windows location is:
      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory
    2. Replace all instances of {root} with the root organization for the directory.
      The root organization must match the root organization that you specified when you configured the policy store in the Policy Server Management Console.
      For example, if the root is dc=myorg,dc=com, replace
        dn: CN=imdomainid6,CN=Schema,CN=Configuration,{root}
      with
        dn: CN=imdomainid6,CN=Schema,CN=Configuration,dc=myorg,dc=com
    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.
Microsoft ADAM
To configure a Microsoft ADAM policy store, you apply the adam_ims8.ldif script.
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Modify the adam_ims8.ldif schema file as follows:
    1. Open the adam_ims8.ldif file in a text editor. The default Windows location is:
      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory
    2. Replace every cn={guid} reference with the string you found when you configured the CA SSO policy store in Step 1 of this procedure.
      For example, if the guid string is CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}, then replace every cn={guid} reference with CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}.
    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.
CA Directory Server
To configure a CA Directory server, you create a custom schema file. 
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Copy etrust_ims8.dxc to dxserver_home\config\schema, where dxserver_home is the directory where CA Directory is installed. The default source location for this file on Windows is:
     C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\eTrustDirectory
  3. Create a custom schema configuration file as follows:
     1. Copy dxserver_home\config\schema\default.dxg to dxserver_home\config\schema\company_name-schema.dxg.
     2. Edit the dxserver_home\config\schema\company_name-schema.dxg file by adding the following lines to the bottom of the file:
        # Identity Manager Schema
        source "etrust_ims8.dxc";
  4. Create a custom limits configuration file as follows:
     1. Copy dxserver_home\config\limits\default.dxc to dxserver_home\config\limits\company_name-limits.dxc.
     2. Increase the default size limit to 5000 in the dxserver_home\config\limits\company_name-limits.dxc file as follows:
        set max-op-size=5000
        Note: Upgrading CA Directory overwrites the limits.dxc file. Therefore, ensure that you reset max-op-size to 5000 after the upgrade is completed.
  5. Edit dxserver_home\config\servers\dsa_name.dxi as follows:
     # schema
     source "company_name-schema.dxg";
     # service limits
     source "company_name-limits.dxc";
     where dsa_name is the name of the DSA using the customized configuration files.
  6. Run the dxsyntax utility.
  7. Stop and restart the DSA as the dsa user to make the schema changes take effect, as follows:
     dxserver stop dsa_name
     dxserver start dsa_name
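Steps 2 through 5 of the CA Directory procedure are plain edits to text files under dxserver_home, and the note in step 4 warns that an upgrade silently undoes one of them. The following Python script is an added example, not CA Directory's own tooling: it builds the custom schema and limits files from the defaults, points the DSA's .dxi at them, and then checks all four artifacts so the same check can be re-run after an upgrade. The default.dxg, default.dxc and imdsa.dxi contents are constructed stand-ins (only the statements the procedure touches are modelled), the company name acme and DSA name imdsa are invented, and the trailing semicolon on the max-op-size statement is an assumption, consistent with the source line shown in step 3.

```python
import os
import re
import tempfile

MAX_OP_SIZE = 5000  # the value the procedure requires in company_name-limits.dxc

# Constructed, minimal stand-ins for default.dxg, default.dxc and dsa_name.dxi;
# the real files are longer, only the statements the procedure touches are here.
DEFAULT_DXG = 'source "base.dxc";\n'
DEFAULT_DXC = "set max-op-size = 4000;\n"
DSA_DXI = '# schema\nsource "../schema/default.dxg";\n# service limits\nsource "../limits/default.dxc";\n'

LIMIT_RE = re.compile(r"^(\s*set\s+max-op-size\s*=\s*)(\d+)(\s*;?)", re.MULTILINE)

def _read(path):
    with open(path, encoding="utf-8") as f:
        return f.read()

def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)

def create_custom_schema(dxserver_home, company_name):
    """Step 3: copy default.dxg to company_name-schema.dxg, appending the source line for etrust_ims8.dxc."""
    schema_dir = os.path.join(dxserver_home, "config", "schema")
    text = _read(os.path.join(schema_dir, "default.dxg"))
    if not text.endswith("\n"):
        text += "\n"
    dst = os.path.join(schema_dir, f"{company_name}-schema.dxg")
    _write(dst, text + '# Identity Manager Schema\nsource "etrust_ims8.dxc";\n')
    return dst

def create_custom_limits(dxserver_home, company_name):
    """Step 4: copy default.dxc to company_name-limits.dxc with max-op-size set to 5000
    (the statement is appended if the default file lacks it; ';' terminator assumed)."""
    limits_dir = os.path.join(dxserver_home, "config", "limits")
    text = _read(os.path.join(limits_dir, "default.dxc"))
    text, n = LIMIT_RE.subn(lambda m: f"{m.group(1)}{MAX_OP_SIZE}{m.group(3)}", text)
    if n == 0:
        text = text.rstrip("\n") + f"\nset max-op-size = {MAX_OP_SIZE};\n"
    dst = os.path.join(limits_dir, f"{company_name}-limits.dxc")
    _write(dst, text)
    return dst

def point_dsa_at_custom_files(dxserver_home, dsa_name, company_name):
    """Step 5: make dsa_name.dxi source the custom files in place of the defaults
    (the source lines are appended if the .dxi has none)."""
    dxi = os.path.join(dxserver_home, "config", "servers", f"{dsa_name}.dxi")
    text = _read(dxi)
    text, n_schema = re.subn(r'(source\s+"[^"]*?)default\.dxg(";)', lambda m: f"{m.group(1)}{company_name}-schema.dxg{m.group(2)}", text)
    text, n_limits = re.subn(r'(source\s+"[^"]*?)default\.dxc(";)', lambda m: f"{m.group(1)}{company_name}-limits.dxc{m.group(2)}", text)
    if n_schema == 0:
        text += f'# schema\nsource "{company_name}-schema.dxg";\n'
    if n_limits == 0:
        text += f'# service limits\nsource "{company_name}-limits.dxc";\n'
    _write(dxi, text)
    return dxi

def check_dsa_config(dxserver_home, dsa_name, company_name):
    """List what steps 2-5 left undone; [] means the DSA will load the IMS schema.
    Re-run after a CA Directory upgrade, which the note above says overwrites the limits file."""
    cfg = os.path.join(dxserver_home, "config")
    problems = []
    if not os.path.exists(os.path.join(cfg, "schema", "etrust_ims8.dxc")):
        problems.append("etrust_ims8.dxc is not in config/schema")
    schema = os.path.join(cfg, "schema", f"{company_name}-schema.dxg")
    if not os.path.exists(schema) or 'source "etrust_ims8.dxc";' not in _read(schema):
        problems.append(f"{company_name}-schema.dxg does not source etrust_ims8.dxc")
    limits = os.path.join(cfg, "limits", f"{company_name}-limits.dxc")
    m = LIMIT_RE.search(_read(limits)) if os.path.exists(limits) else None
    if m is None or int(m.group(2)) != MAX_OP_SIZE:
        problems.append(f"{company_name}-limits.dxc does not set max-op-size={MAX_OP_SIZE}")
    dxi = os.path.join(cfg, "servers", f"{dsa_name}.dxi")
    text = _read(dxi) if os.path.exists(dxi) else ""
    for needed in (f"{company_name}-schema.dxg", f"{company_name}-limits.dxc"):
        if needed not in text:
            problems.append(f"{dsa_name}.dxi does not source {needed}")
    return problems

def demo():
    """Build a throwaway dxserver_home from the constructed files, apply steps 2-5,
    check it, then overwrite the custom limits file the way an upgrade would."""
    home = tempfile.mkdtemp()
    for sub in ("schema", "limits", "servers"):
        os.makedirs(os.path.join(home, "config", sub))
    _write(os.path.join(home, "config", "schema", "default.dxg"), DEFAULT_DXG)
    _write(os.path.join(home, "config", "schema", "etrust_ims8.dxc"), "# constructed stand-in\n")
    _write(os.path.join(home, "config", "limits", "default.dxc"), DEFAULT_DXC)
    _write(os.path.join(home, "config", "servers", "imdsa.dxi"), DSA_DXI)
    create_custom_schema(home, "acme")
    limits = create_custom_limits(home, "acme")
    dxi = point_dsa_at_custom_files(home, "imdsa", "acme")
    report = {"limits": _read(limits), "dxi": _read(dxi), "before": check_dsa_config(home, "imdsa", "acme")}
    _write(limits, DEFAULT_DXC)  # simulated upgrade: limits reverted to the stock value
    report["after_upgrade"] = check_dsa_config(home, "imdsa", "acme")
    return report

if __name__ == "__main__":
    print(demo())
```

Running check_dsa_config against a real dxserver_home (after dxsyntax and a DSA restart) gives an empty list when the customized files are in place; the demo's second report shows the single finding that the upgrade note is about, which is the reason to keep the check in a post-upgrade runbook.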
Novell eDirectory Server
To configure a Novell eDirectory Server policy store, you apply the novell_ims8.ldif script.
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Find the Distinguished Name (DN) of the NCPServer for your Novell eDirectory Server by entering the following information in a command prompt on the system where the Policy Server is installed:
    ldapsearch -h hostname -p port -b container -s sub -D admin_login -w password objectClass=ncpServer dn
    For example:
    ldapsearch -h 192.168.1.47 -p 389 -b "o=nwqa47container" -s sub -D "cn=admin,o=nwqa47container" -w password objectclass=ncpServer dn
  3. Open the novell_ims8.ldif file. The default location for novell_ims8.ldif on Windows is:
     C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\NovelleDirectory
  4. Replace every NCPServer variable with the value you found in Step 2.
     For example, if the DN value is cn=servername,o=servercontainer, replace every instance of NCPServer with cn=servername,o=servercontainer.
  5. Update the eDirectory Server with the novell_ims8.ldif file.
    See the Novell eDirectory documentation for instructions.
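The Active Directory, ADAM and Novell eDirectory procedures above all come down to the same edit: replace a placeholder ({root}, cn={guid} or NCPServer) in a schema LDIF file with a value taken from the configured policy store, and make sure no placeholder survives, since a leftover token ends up in the DN of every schema entry the file adds. The following Python is an added example, not part of CA's tools: it performs the three substitutions, sanity-checks the replacement value first, and parses the NCPServer DN out of the step 2 ldapsearch output. The LDIF fragments and the ldapsearch output are constructed stand-ins (only the placeholders match the real files), and the DN and GUID patterns are assumptions about what an acceptable value looks like, not rules from the product.

```python
import re

# Constructed LDIF fragments standing in for activedirectory_ims8.ldif,
# adam_ims8.ldif and novell_ims8.ldif. They are not the real files; they only
# carry the placeholders those files use ({root}, cn={guid} and NCPServer).
AD_SAMPLE = (
    "dn: CN=imdomainid6,CN=Schema,CN=Configuration,{root}\n"
    "changetype: add\n"
)
ADAM_SAMPLE = (
    "dn: CN=imdomainid6,CN=Schema,cn={guid}\n"
    "changetype: add\n"
)
NOVELL_SAMPLE = (
    "dn: cn=imsobject,NCPServer\n"
    "changetype: add\n"
)
# Constructed output of the ldapsearch in step 2 of the Novell procedure; the
# parser relies only on the "dn: " lines that asking for the dn attribute returns.
LDAPSEARCH_OUTPUT = "dn: cn=servername,o=servercontainer\n\n"

# Assumed shape of acceptable values: a comma-separated list of attr=value pairs
# for a DN, and CN={8-4-4-4-12 hex} for the ADAM instance GUID.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
GUID_RE = re.compile(r"^CN=\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def render_ldif(template, placeholder, value, ignore_case=False):
    """Replace every occurrence of placeholder with value, then refuse to hand
    back text that still contains the placeholder: a half-edited schema file
    either fails to load or adds entries under a wrong DN."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(re.escape(placeholder), flags)
    rendered = pattern.sub(lambda _m: value, template)  # lambda: value is taken literally
    if pattern.search(rendered):
        raise ValueError(f"placeholder {placeholder!r} still present after substitution")
    return rendered


def render_active_directory(template, root_dn):
    """activedirectory_ims8.ldif: {root} -> the policy store root organization."""
    if not DN_RE.match(root_dn):
        raise ValueError(f"{root_dn!r} is not a DN such as dc=myorg,dc=com")
    return render_ldif(template, "{root}", root_dn)


def render_adam(template, guid_cn):
    """adam_ims8.ldif: every cn={guid}, in any letter case, -> the CN={...}
    string recorded when the ADAM policy store was configured."""
    if not GUID_RE.match(guid_cn):
        raise ValueError(f"{guid_cn!r} is not of the form CN={{GUID}}")
    return render_ldif(template, "cn={guid}", guid_cn, ignore_case=True)


def parse_ncpserver_dn(ldapsearch_output):
    """The DN from the objectClass=ncpServer search; exactly one entry is expected."""
    dns = [line[4:].strip() for line in ldapsearch_output.splitlines() if line.startswith("dn: ")]
    if len(dns) != 1:
        raise ValueError(f"expected one ncpServer entry, got {len(dns)}: {dns}")
    return dns[0]


def render_novell(template, ncpserver_dn):
    """novell_ims8.ldif: every NCPServer token -> the DN found in step 2."""
    if not DN_RE.match(ncpserver_dn):
        raise ValueError(f"{ncpserver_dn!r} is not a DN such as cn=servername,o=servercontainer")
    return render_ldif(template, "NCPServer", ncpserver_dn)


if __name__ == "__main__":
    print(render_active_directory(AD_SAMPLE, "dc=myorg,dc=com"))
    print(render_adam(ADAM_SAMPLE, "CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}"))
    print(render_novell(NOVELL_SAMPLE, parse_ncpserver_dn(LDAPSEARCH_OUTPUT)))
```

To use it on the real files, read the .ldif from the policystore-schemas folder into the template argument and write the returned text to a new file; the ADAM replacement is case-insensitive because the procedure says to replace every cn={guid} reference, and the Novell parser rejects anything other than exactly one ncpServer entry so that a multi-server tree is resolved by hand rather than by picking the first hit.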
Oracle Internet Directory (OID)
To configure an Oracle Internet Directory policy store, you apply the oracleoid_ims8.ldif file.
 
Follow these steps:
 
  1. Configure the directory as the supported CA SSO policy store.
     Note: For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Update the Oracle Internet Directory Server with the oracleoid_ims8.ldif file. The default installation location for this file on Windows is:
     install_path\policystore-schemas\OracleOID\
     See the Oracle Internet Directory documentation for instructions.
Verify the Policy Store
To verify the policy store, confirm the following points:
  • Your Policy Server log does not contain a section of warnings that begins with the following code:
    *** IMS NO SCHEMA BEGIN
    This warning appears only if you have installed the Extensions for the CA SSO Policy Server, but you have not extended the policy store schema.
  • The Identity Manager objects exist in the policy store database or directory. The Identity Manager objects begin with an ims prefix.
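Both verification points can be checked mechanically rather than by eye, which matters when the policy store is rebuilt or the Extensions are reinstalled and nobody reopens the log. The following Python is an added example, not part of the product: one function scans Policy Server log text for the *** IMS NO SCHEMA BEGIN marker, another filters a list of policy store object names down to those with the ims prefix, and a third turns both into a list of problems. The log excerpts and object-name lists are constructed; obtaining the real object names (a search of the directory, or a query against the policy store tables) is outside the block.

```python
NO_SCHEMA_MARKER = "*** IMS NO SCHEMA BEGIN"

# Constructed Policy Server log excerpts (not real output); the marker line is
# the only text taken from the page.
LOG_HEALTHY = "[Info] Policy Server started\n[Info] Policy Server ready\n"
LOG_SCHEMA_MISSING = (
    "[Info] Policy Server started\n"
    "[Warning] *** IMS NO SCHEMA BEGIN\n"
    "[Warning] (constructed stand-in for the warning lines that follow the marker)\n"
    "[Info] Policy Server ready\n"
)
# Constructed object-name lists, as a directory search or a SQL query over the
# policy store (done outside this block) would return them.
EXTENDED_STORE = ["OtherPolicyObject", "imsExampleTwo", "imsExampleOne"]
UNEXTENDED_STORE = ["OtherPolicyObject"]


def find_no_schema_sections(log_text):
    """1-based line numbers of every line carrying the *** IMS NO SCHEMA BEGIN marker."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if NO_SCHEMA_MARKER in line]


def ims_objects(object_names):
    """Policy store object names that carry the ims prefix (compared case-insensitively), sorted."""
    return sorted(name for name in object_names if name.lower().startswith("ims"))


def verify_policy_store(log_text, object_names):
    """Both checks from the page; an empty list means the schema extension is in place."""
    problems = []
    sections = find_no_schema_sections(log_text)
    if sections:
        problems.append(f"{len(sections)} '{NO_SCHEMA_MARKER}' section(s) in the Policy Server log, "
                        f"first at line {sections[0]}: Extensions installed but schema not extended")
    if not ims_objects(object_names):
        problems.append("no ims-prefixed objects in the policy store: schema not extended")
    return problems


if __name__ == "__main__":
    print(verify_policy_store(LOG_HEALTHY, EXTENDED_STORE))           # []
    print(verify_policy_store(LOG_SCHEMA_MISSING, UNEXTENDED_STORE))  # two findings
```

Feed verify_policy_store the text of the current Policy Server log and the object names from your store; the line number it reports is where to start reading the warning section, and the two findings together distinguish "Extensions installed, schema not applied" from "schema applied to the wrong store".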