Configure the CA SSO Policy Store

A policy administrator uses the Identity Manager Administrative Tools to access the Microsoft SQL scripts or LDAP schema text that add the IMS schema to the policy store. The identity administrator installs these tools in the Admin Tools folder.
Set Up the Policy Store
Follow one of the following procedures to configure the policy store:
Relational Database
You can use your relational database as the CA SSO policy store.
Follow these steps:
  1. Configure the database as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Run the appropriate script for your database:
    • Microsoft SQL Server:
      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftSQLServer\ims8_mssql_ps.sql
    • Oracle:
      /opt/CA/IdentityManager/IAM_Suite/Identity_Manager/tools/policystore-schemas/OracleRDBMS/ims8_oracle_ps.sql
    The preceding paths are default installation locations. The location for your installation may be different.
Sun Java Systems Directory Server or IBM Directory Server
To configure a Sun Java Systems Directory Server or IBM Directory Server policy store, you apply the appropriate LDIF schema file.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Add the appropriate LDIF schema file to the directory. Following is the default Windows location for the LDIF files:
    C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas
    Add the following schema files to your directory:
    • IBM Directory Server:
      IBMDirectoryServer\V3.identityminder8
    • Sun Java Systems Directory Server (iPlanet):
      SunJavaSystemDirectoryServer\sundirectory_ims8.ldif
Microsoft Active Directory
To configure a Microsoft Active Directory policy store, you apply the activedirectory_ims8.ldif script.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in the CA Single Sign-On documentation.
  2. Modify the activedirectory_ims8.ldif schema file as follows:
    1. In a text editor, open the activedirectory_ims8.ldif file. The default Windows location is:
      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory
    2. Replace all instances of {root} with the root organization for the directory.
      The root organization must match the root organization that you specified when you configured the policy store in the Policy Server Management Console.
      For example, if the root is dc=myorg,dc=com, replace
      dn: CN=imdomainid6,CN=Schema,CN=Configuration,{root}
      with
      dn: CN=imdomainid6,CN=Schema,CN=Configuration,dc=myorg,dc=com
    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.
Microsoft ADAM
To configure a Microsoft ADAM policy store, you apply the adam_ims8.ldif script.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in CA Single Sign-On documentation.
  2. Modify the adam_ims8.ldif schema file as follows:
    1. Open the adam_ims8.ldif file in a text editor. The default Windows location is:
      C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\MicrosoftActiveDirectory
    2. Replace every cn={guid} reference with the string you found when you configured the CA SSO policy store in Step 1 of this procedure.
      For example, if the guid string is CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}, then replace every cn={guid} reference with CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}.
    3. Save the file.
  3. Add the schema file as described in the documentation for your directory.
CA Directory Server
To configure a CA Directory server, you create a custom schema file.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in CA Single Sign-On documentation.
  2. Copy etrust_ims8.dxc to dxserver_home\config\schema, where dxserver_home is the directory in which CA Directory is installed. Following is the default source location for this file on Windows:
    C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\eTrustDirectory
  3. Create a custom schema configuration file as follows:
    1. Copy dxserver_home\config\schema\default.dxg to dxserver_home\config\schema\company_name-schema.dxg.
    2. Edit the dxserver_home\config\schema\company_name-schema.dxg file by adding the following lines to the bottom of the file:
      # Identity Manager Schema
      source "etrust_ims8.dxc";
  4. Create a custom limits configuration file as follows:
    1. Copy dxserver_home\config\limits\default.dxc to dxserver_home\config\limits\company_name-limits.dxc.
    2. Increase the default size limit to 5000 in the dxserver_home\config\limits\company_name-limits.dxc file as follows:
      set max-op-size=5000;
      Note:
      Upgrading CA Directory overwrites the limits.dxc file. Therefore, ensure that you reset max-op-size to 5000 after the upgrade is completed.
  5. Edit the dxserver_home\config\servers\dsa_name.dxi file so that it sources the customized schema and limits files, as follows:
    # schema
    source "company_name-schema.dxg";
    # service limits
    source "company_name-limits.dxc";
    where dsa_name is the name of the DSA that uses the customized configuration files.
  6. Run the dxsyntax utility to check the edited configuration files for syntax errors before you restart the DSA.
  7. Stop and restart the DSA as the dsa user to make the schema changes take effect, as follows:
    dxserver stop dsa_name
    dxserver start dsa_name
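The following Python script is an added example (not a CA-supplied tool) that performs steps 3 through 5 above in one pass that is safe to rerun, and exposes a check for the failure mode in the step 4 Note (an upgrade resetting max-op-size). It does not run dxsyntax or restart the DSA. It assumes the layout this page names: dxserver_home\config\schema, \limits and \servers; a dsa_name.dxi that already contains a "# schema" comment and a "# service limits" comment, each followed by a source line; and etrust_ims8.dxc already copied into config\schema. The function names, the company and DSA names, and the stand-in dxserver_home that demo() builds in a temporary directory are the example's own.

```python
"""Build the custom CA Directory schema/limits files and point a DSA at them.

Added example, not a CA script. Assumes dxserver_home/config/{schema,limits,servers},
a <dsa_name>.dxi with "# schema" and "# service limits" comments each followed by a
source line, and etrust_ims8.dxc already copied into config/schema (step 2).
"""
import re
import tempfile
from pathlib import Path

REQUIRED_MAX_OP_SIZE = 5000
MAX_OP_RE = re.compile(r"^[ \t]*set[ \t]+max-op-size[ \t]*=[ \t]*(\d+)[ \t]*;", re.MULTILINE)
IMS_SCHEMA_LINES = '# Identity Manager Schema\nsource "etrust_ims8.dxc";\n'


def _sep(text: str) -> str:
    """Newline to put before appended lines so we never glue onto a partial line."""
    return "" if not text or text.endswith("\n") else "\n"


def with_ims_schema(text: str) -> str:
    """Step 3b: append the IMS schema source lines once (no duplicates on rerun)."""
    if 'source "etrust_ims8.dxc";' in text:
        return text
    return text + _sep(text) + IMS_SCHEMA_LINES


def parse_max_op_size(text: str):
    """Return the max-op-size set in a limits file, or None if the directive is absent."""
    m = MAX_OP_RE.search(text)
    return int(m.group(1)) if m else None


def with_max_op_size(text: str, size: int = REQUIRED_MAX_OP_SIZE) -> str:
    """Step 4b: set max-op-size, replacing an existing directive or appending one."""
    if MAX_OP_RE.search(text):
        return MAX_OP_RE.sub(f"set max-op-size={size};", text)
    return f"{text}{_sep(text)}set max-op-size={size};\n"


def with_source(text: str, comment: str, new_file: str) -> str:
    """Step 5: point the source line under '# <comment>' at new_file.

    Keeps any directory prefix already on that line (e.g. ../schema/); if the
    section is missing, appends a fresh comment and source pair instead."""
    pat = re.compile(
        rf'^(#[ \t]*{re.escape(comment)}[ \t]*\n[ \t]*source[ \t]+")([^"]*?)([^"/\\]*)("[ \t]*;)',
        re.MULTILINE)
    new, n = pat.subn(lambda m: m.group(1) + m.group(2) + new_file + m.group(4), text, count=1)
    if n == 0:
        new = f'{text}{_sep(text)}# {comment}\nsource "{new_file}";\n'
    return new


def configure(dxhome, company: str, dsa_name: str) -> dict:
    """Steps 3-5; existing company files are updated in place, so reruns are harmless."""
    cfg = Path(dxhome) / "config"
    schema_dir, limits_dir, servers_dir = cfg / "schema", cfg / "limits", cfg / "servers"
    if not (schema_dir / "etrust_ims8.dxc").is_file():
        raise FileNotFoundError("copy etrust_ims8.dxc into config/schema first (step 2)")
    dxg = schema_dir / f"{company}-schema.dxg"
    base = dxg if dxg.exists() else schema_dir / "default.dxg"
    dxg.write_text(with_ims_schema(base.read_text(encoding="utf-8")), encoding="utf-8")
    dxc = limits_dir / f"{company}-limits.dxc"
    base = dxc if dxc.exists() else limits_dir / "default.dxc"
    dxc.write_text(with_max_op_size(base.read_text(encoding="utf-8")), encoding="utf-8")
    dxi = servers_dir / f"{dsa_name}.dxi"
    text = with_source(dxi.read_text(encoding="utf-8"), "schema", dxg.name)
    text = with_source(text, "service limits", dxc.name)
    dxi.write_text(text, encoding="utf-8")
    return {"schema": dxg, "limits": dxc, "dsa": dxi}


def limits_ok(limits_file) -> bool:
    """Rerun after a CA Directory upgrade: an overwritten limits file fails this check."""
    return parse_max_op_size(Path(limits_file).read_text(encoding="utf-8")) == REQUIRED_MAX_OP_SIZE


def demo() -> dict:
    """Run configure() twice against a constructed stand-in for dxserver_home."""
    root = Path(tempfile.mkdtemp(prefix="dxhome-"))
    for sub in ("schema", "limits", "servers"):
        (root / "config" / sub).mkdir(parents=True)
    (root / "config" / "schema" / "default.dxg").write_text('source "x500.dxc";\n', encoding="utf-8")
    (root / "config" / "schema" / "etrust_ims8.dxc").write_text("# stand-in for the IMS schema\n", encoding="utf-8")
    (root / "config" / "limits" / "default.dxc").write_text("set max-op-size=1000;\n", encoding="utf-8")
    (root / "config" / "servers" / "mydsa.dxi").write_text(
        '# schema\nsource "../schema/default.dxg";\n\n# service limits\nsource "../limits/default.dxc";\n',
        encoding="utf-8")
    paths = configure(root, "acme", "mydsa")
    configure(root, "acme", "mydsa")  # second run must not duplicate any line
    out = {k: p.read_text(encoding="utf-8") for k, p in paths.items()}
    out["limits_ok"] = limits_ok(paths["limits"])
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"--- {name}\n{value}")
```

Against a real installation, call configure(r"C:\Program Files\CA\Directory\dxserver", "company_name", "dsa_name") and then run dxsyntax and the dxserver stop/start commands from steps 6 and 7 yourself; limits_ok() is the check to rerun after each CA Directory upgrade.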
Novell eDirectory Server
To configure a Novell eDirectory Server policy store, you apply the novell_ims8.ldif script.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in CA Single Sign-On documentation.
  2. Find the Distinguished Name (DN) of the NCPServer object for your Novell eDirectory Server by entering the following command at a command prompt on the system where the Policy Server is installed:
    ldapsearch -h hostname -p port -b container -s sub -D admin_login -w password objectClass=ncpServer dn
    For example:
    ldapsearch -h 192.168.1.47 -p 389 -b "o=nwqa47container" -s sub -D "cn=admin,o=nwqa47container" -w password objectclass=ncpServer dn
    Note:
    Passing the administrator password with -w puts it on the command line, where it is visible in the process list and in the shell history. If your ldapsearch supports it, use -W to be prompted for the password instead, and bind over an LDAPS or TLS-protected port rather than plain port 389 so the password does not cross the network in clear text.
  3. Open the novell_ims8.ldif file in a text editor. The default location for novell_ims8.ldif on Windows is:
    C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\policystore-schemas\NovelleDirectory
  4. Replace every NCPServer variable with the value you found in Step 2.
    For example, if the DN value is cn=servername,o=servercontainer, replace every instance of NCPServer with cn=servername,o=servercontainer.
  5. Update the eDirectory Server with the novell_ims8.ldif file.
    See the Novell eDirectory documentation for instructions.
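The Active Directory, ADAM and Novell eDirectory procedures above all amount to the same edit: substitute one placeholder in a shipped LDIF file with a value you looked up, and make sure nothing is left unfilled before you load the file. The following Python script is an added example (not CA tooling) that does that for the three placeholders the page names: {root} in activedirectory_ims8.ldif, cn={guid} in adam_ims8.ldif and NCPServer in novell_ims8.ldif. It validates the value you pass in (a DN, or a GUID in braces), leaves the objectClass value ncpServer untouched because the placeholder match is case-sensitive, and refuses to write a file that still contains a placeholder. The sample fragments, attribute names and function names are this example's own; the file contents are assumed to carry the placeholders exactly as shown on this page.

```python
"""Fill the placeholders in the Identity Manager policy-store LDIF files.

Added example; not a CA-supplied tool. Assumes the placeholders this page names:
{root} in activedirectory_ims8.ldif, cn={guid} in adam_ims8.ldif and NCPServer in
novell_ims8.ldif. The SAMPLE_* fragments are constructed stand-ins for those files.
"""
import re
from pathlib import Path

# Placeholder patterns (assumed to match the shipped files exactly).
ROOT_RE = re.compile(r"\{root\}")
GUID_PLACEHOLDER_RE = re.compile(r"cn=\{guid\}", re.IGNORECASE)
NCP_PLACEHOLDER_RE = re.compile(r"\bNCPServer\b")  # case-sensitive: "objectClass: ncpServer" must survive
# Input validation: a bare DN (rdn=value,rdn=value,...) and an AD-style GUID in braces.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def is_dn(value: str) -> bool:
    return bool(DN_RE.match(value.strip()))


def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value.strip()))


def fill_ad_root(ldif: str, root: str) -> str:
    """activedirectory_ims8.ldif: {root} -> the policy store's root organization."""
    if not is_dn(root):
        raise ValueError(f"root must be a DN such as dc=myorg,dc=com, got {root!r}")
    return ROOT_RE.sub(lambda _: root.strip(), ldif)   # lambda: DN escapes are not regex escapes


def fill_adam_guid(ldif: str, guid: str) -> str:
    """adam_ims8.ldif: every cn={guid} -> CN={<guid recorded when the store was configured>}."""
    g = guid.strip()
    if g[:3].upper() == "CN=":          # accept the value with or without its CN= prefix
        g = g[3:]
    if not is_guid(g):
        raise ValueError(f"expected a GUID in braces such as {{39BC711D-...}}, got {guid!r}")
    return GUID_PLACEHOLDER_RE.sub(lambda _: "CN=" + g, ldif)


def fill_novell_ncpserver(ldif: str, ncp_dn: str) -> str:
    """novell_ims8.ldif: NCPServer -> the DN returned by the ldapsearch in Step 2."""
    if not is_dn(ncp_dn):
        raise ValueError(f"NCPServer value must be a DN, got {ncp_dn!r}")
    return NCP_PLACEHOLDER_RE.sub(lambda _: ncp_dn.strip(), ldif)


def leftover_placeholders(ldif: str) -> list:
    """Placeholders still present after substitution; an empty list means the file is ready."""
    found = {m.group(0) for m in re.finditer(r"\{root\}|cn=\{guid\}", ldif, re.IGNORECASE)}
    found.update(m.group(0) for m in NCP_PLACEHOLDER_RE.finditer(ldif))
    return sorted(found)


def fill_file(src, dst, filler, value: str) -> Path:
    """Read src, apply filler(text, value) and write dst; refuse to write if anything is unfilled."""
    filled = filler(Path(src).read_text(encoding="utf-8"), value)
    left = leftover_placeholders(filled)
    if left:
        raise ValueError(f"unfilled placeholders in {Path(src).name}: {left}")
    Path(dst).write_text(filled, encoding="utf-8")
    return Path(dst)


# Constructed fragments (not the shipped files); the Novell attribute name is made up.
SAMPLE_AD = "dn: CN=imdomainid6,CN=Schema,CN=Configuration,{root}\nchangetype: add\n"
SAMPLE_ADAM = "dn: CN=imdomainid6,CN=Schema,CN=Configuration,cn={guid}\nchangetype: add\n"
SAMPLE_NOVELL = "dn: cn=example,o=constructed\nobjectClass: ncpServer\nserverRef: NCPServer\n"

if __name__ == "__main__":
    print(fill_ad_root(SAMPLE_AD, "dc=myorg,dc=com"))
    print(fill_adam_guid(SAMPLE_ADAM, "CN={39BC711D-7F27-4311-B6C0-68FDEE2917B8}"))
    print(fill_novell_ncpserver(SAMPLE_NOVELL, "cn=servername,o=servercontainer"))
    print("still unfilled:", leftover_placeholders(SAMPLE_AD + SAMPLE_ADAM + SAMPLE_NOVELL))
```

For a real run, call for example fill_file(r"...\MicrosoftActiveDirectory\activedirectory_ims8.ldif", "activedirectory_ims8.filled.ldif", fill_ad_root, "dc=myorg,dc=com") and load the filled copy with your directory's LDIF import tool, keeping the shipped file unmodified as the template.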
Oracle Internet Directory (OID)
To configure an Oracle Internet Directory policy store, you apply the oracleoid_ims8.ldif file.
Follow these steps:
  1. Configure the directory as the supported CA SSO policy store.
    Note:
    For configuration instructions, see the Policy Server Installation section in CA Single Sign-On documentation.
  2. Update the Oracle Internet Directory Server with the oracleoid_ims8.ldif file. The default installation location for this file on Windows is:
    install_path\policystore-schemas\OracleOID\
    See the Oracle Internet Directory documentation for instructions.
Verify the Policy Store
To verify the policy store, confirm the following points:
  • Your Policy Server log does not contain a section of warnings that begins with the following code:
    *** IMS NO SCHEMA BEGIN
    This warning appears only if you have installed the Extensions for the CA SSO Policy Server, but you have not extended the policy store schema.
  • The Identity Manager objects exist in the policy store database or directory. The Identity Manager objects begin with an ims prefix.
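The first check above is easy to miss by eye in a large Policy Server log, and it must be repeated after every restart. The following Python script is an added example (not CA tooling) that scans log text for the IMS NO SCHEMA block, reports each occurrence and keeps a block that was cut off by log rotation before it closed. The page names only the opening marker; the closing marker, the sample log lines and the object names are constructed for this example and are assumptions.

```python
"""Check a Policy Server log for the IMS "no schema" warning block.

Added example, not CA tooling. The page gives only the opening marker
('*** IMS NO SCHEMA BEGIN'); the closing marker and the sample log are assumed.
"""
BEGIN_MARKER = "*** IMS NO SCHEMA BEGIN"
END_MARKER = "*** IMS NO SCHEMA END"  # assumed; the page names only BEGIN

# Constructed log excerpt: a restart whose policy store had not been extended.
SAMPLE_LOG = """\
[INFO] Policy Server started (constructed line)
[INFO] Policy Server restart (constructed line)
[WARNING] *** IMS NO SCHEMA BEGIN
[WARNING] Identity Manager extensions loaded but policy store schema not extended (constructed)
[WARNING] *** IMS NO SCHEMA END
"""


def ims_no_schema_blocks(log_text: str) -> list:
    """Return every warning block as a list of its inner lines, oldest first.

    A BEGIN with no END (log rotated or truncated mid-block) is still reported,
    containing whatever lines followed the BEGIN marker."""
    blocks, current = [], None
    for line in log_text.splitlines():
        if BEGIN_MARKER in line:
            current = []                      # start (or restart) collecting
        elif END_MARKER in line and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            current.append(line.rstrip())
    if current is not None:                   # unterminated block at end of file
        blocks.append(current)
    return blocks


def schema_missing(log_text: str) -> bool:
    """True if any Policy Server start reported an unextended policy store."""
    return bool(ims_no_schema_blocks(log_text))


def ims_objects(names) -> list:
    """Second check: keep only Identity Manager objects (ims prefix, any case) from a list of names."""
    return sorted(n for n in names if n.lower().startswith("ims"))


if __name__ == "__main__":
    for i, block in enumerate(ims_no_schema_blocks(SAMPLE_LOG), 1):
        print(f"block {i}: {len(block)} warning line(s)")
    print("schema missing:", schema_missing(SAMPLE_LOG))
```

Feed ims_no_schema_blocks() the contents of the Policy Server log after a restart; an empty result is the pass condition. Pass the object names you list from the policy store (table names for a relational store, cn values for a directory) to ims_objects() to confirm the Identity Manager objects are present.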