Configuring the Policy Server for an International Environment

This section contains the following topics:
Policy Servers in an International Environment
The Policy Server supports CA Single Sign-On data stores residing in an Oracle or SQL Server database, and LDAP servers, for an international environment.
Planning Considerations Before Installing the Policy Server
Consider the following items before you install the Policy Server:
  • Use supported operating system and third–party software.
  • Create supported databases:
    • Before creating databases for storing policy or session data, be sure that they are formatted with UTF–8 encoding.
    • User store databases are not limited to UTF–8 encoding. You can create user databases in the local character set encoding.
      The Active Directory namespace does not support multi-byte characters. Regardless of the code page you are using, CA Single Sign-On treats characters as they are defined in Unicode. Although your code page can reference a special character as single-byte, CA Single Sign-On treats it as a multi-byte character if Unicode defines it as such.
  • All Administrative UI fields support multi–byte characters.
  • Some Policy Server components support multi–byte and ASCII characters in an internationalized environment.
  • CA Single Sign-On supports multi-byte character (MBCS) URLs.
For a list of supported CA and third-party components, see the CA Single Sign-On Platform Support Matrix.
Policy Server Components Supporting Multi-byte Characters
The following Policy Server components support multi–byte and ASCII characters in an internationalized environment:
  • Administrative UI
  • Policy Server Management Console
  • Authentication Schemes
    • HTML Forms
    • X.509 Client Certificate
    • X.509 Client Certificate and HTML Forms
    • X.509 Client Certificate or HTML Forms
    • RADIUS CHAP/PAP
    • SecurID Authentication
    • Anonymous Authentication
    • Custom Authentication
    • Impersonation Authentication
  • Password Services
    Password Services are limited to ASCII characters, but can support a multi–byte character URL as a redirection URL.
  • Responses
  • Post Preservation
  • CA Single Sign-On Test Tool
  • Audit logging to text files
  • Audit logging to ODBC databases
  • smobjimport
  • XPSExport and XPSImport
  • Java Agent API
Support for Multi-Byte Character URLs
CA Single Sign-On supports URLs that contain multi-byte characters (MBCS). MBCS URL support includes support for:
  • Internationalized domain names - An internationalized domain name (IDN) is an Internet domain name that can contain non-ASCII characters, including letters with diacritics and characters from non-Latin scripts, such as Arabic and Chinese.
  • Internationalized resource identifiers - An internationalized resource identifier (IRI) is the international equivalent of a uniform resource identifier (URI). An IRI can contain ASCII characters and characters from an MBCS set; a URI is limited to a subset of ASCII characters.
MBCS URL support lets:
  • CA Single Sign-On protect resources that are accessed through MBCS URLs.
  • You configure specific authentication schemes using an IDN and an IRI.
How to Enable MBCS URL Support
Support for MBCS URLs in a CA Single Sign-On environment requires that:
  • The Web browsers used to access the protected resources meet specific requirements.
  • The Web server implementation in your environment meets specific requirements.
  • Specific default bad characters are removed from the Web Agent Configuration Object.
To enable support for MBCS URLs:
  1. Ensure that the Web browsers meet the requirements for MBCS URLs.
  2. Ensure that the Web servers meet the requirements for MBCS URLs.
  3. Configure the Web Agent Configuration Object.
Web Browser Requirements for MBCS URLs
Web browsers must be able to send requests to Web servers that serve resources in UTF-8 format and whose domain names contain non-ASCII characters.
The Web browsers used to access the protected resources must be able to:
  • Support Internationalized Domain Names (IDNs).
  • Support Internationalized Resource Identifiers (IRIs).
  • Send requests in UTF-8 format.
Web Server Requirements for MBCS URLs
A Web server can support MBCS URLs if it meets at least one of the following requirements:
  • The Web server can convert UTF-8 requests to the local character set encoding.
  • The Web server can store files in UTF-8 format. This lets the Web server serve the file when it receives the IRI request from the Web browser in UTF-8 format.
Enable Multi-byte Character Support
MBCS support requires that you remove specific high-bit ASCII character values from the Web Agent Configuration Object.
Removing the high-bit ASCII characters prevents the Web Agent from blocking the specific characters.
To enable MBCS support
  1. Open the Administrative UI.
  2. Click Infrastructure, Agents.
  3. Click Agent Configuration, Modify Agent Configuration.
    The Modify Agent Configuration pane appears.
  4. Enter search criteria and click Search.
    Agent configuration objects matching the search criteria appear.
  5. Select the Agent configuration object you want and click Select.
    Agent Configuration parameters are listed in the Parameters group box.
  6. Click the Edit icon for BadURLChars.
    The Edit Parameter pane appears.
  7. Remove the following from the Values field:
    • %00-%1f
    • %7f-%ff
  8. Click OK.
    The edited values appear in the BadURLChars field.
  9. Click Submit.
    The Web Agent Configuration Object is configured to support MBCS URLs.
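To see what the edit in step 7 changes, here is an added example (not CA Single Sign-On code) that models a BadURLChars check in Python; the sample lists, the token syntax and the matching rules are assumptions made for the illustration.

```python
# Added example (not CA Single Sign-On code): a simplified model of a Web Agent
# BadURLChars check, to show what removing %00-%1f and %7f-%ff changes.
# The sample lists, the token syntax and the matching rules are assumptions.
from urllib.parse import unquote_to_bytes

# Constructed sample values: a few literal sequences plus the two byte ranges
# that the procedure above removes. Not the product's real default.
DEFAULT_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff"
MBCS_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\"


def parse_bad_url_chars(value):
    """Split a BadURLChars value into literal byte strings and byte ranges."""
    literals, ranges = [], []
    for token in value.split(","):
        token = token.strip()
        if token.startswith("%") and token.count("-") == 1:
            lo, hi = token.split("-")          # "%7f-%ff" -> (0x7f, 0xff)
            ranges.append((int(lo[1:], 16), int(hi[1:], 16)))
        elif token:
            literals.append(token.encode("utf-8"))
    return literals, ranges


def find_bad_sequence(path, bad_url_chars):
    """Return the first offending sequence in a URL path, or None if clean.

    Both the raw path and its percent-decoded bytes are checked, so an
    encoded byte such as %e6 is judged the same as the raw byte 0xe6.
    """
    literals, ranges = parse_bad_url_chars(bad_url_chars)
    for candidate in (path.encode("utf-8"), unquote_to_bytes(path)):
        for lit in literals:
            if lit in candidate:
                return lit.decode("utf-8")
        for byte in candidate:
            if any(lo <= byte <= hi for lo, hi in ranges):
                return "%%%02x" % byte
    return None


if __name__ == "__main__":
    japanese_page = "/docs/%E6%97%A5%E6%9C%AC.html"   # percent-encoded IRI path
    print(find_bad_sequence(japanese_page, DEFAULT_BAD_URL_CHARS))  # %e6: blocked
    print(find_bad_sequence(japanese_page, MBCS_BAD_URL_CHARS))     # None: allowed
```

With the two ranges gone, an encoded control byte such as %00 is no longer rejected by the agent either, so that validation has to happen at the Web server or the application; the literal sequences (for example ./) still apply.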
Protect a Resource with MBCS URLs
Support for MBCS URLs lets CA Single Sign-On protect resources that are accessed through URLs that contain non-ASCII characters.
When creating a realm and the associated rule or rules to protect the resource, you can enter a MBCS URL in the Resource field. Users can access the protected resource using a browser that supports IDNs and IRIs.
Authentication Schemes Supporting MBCS URLs
You can configure the following authentication schemes with an IDN in the Server Name field and an IRI in the Target field:
  • Basic over SSL
  • HTML Form Template
  • HTML Form Template over SSL
  • X509 Client Cert
  • X509 Client Cert and Forms
Netscape and Firefox do not accept redirections to URLs that contain an IDN. Entering an IDN for a forms-related authentication scheme results in a failure unless is used.
Configure CA Single Sign-On Data Stores Supporting International Characters
You can configure CA Single Sign-On data stores in SQL Server or Oracle databases. When configuring these data stores, be aware that the Policy Server only supports UTF-8 encoding and, as a result, you must use databases that support this encoding type.
This section applies to configuring CA Single Sign-On data stores in relational databases. More information on configuring these stores in LDAP servers exists in LDAP Directory Servers as a Policy Store or Key Store.
Configure an International CA Single Sign-On Data Store in SQL Server
To create policy, keys, session, or key stores, configure a CA Single Sign-On data store in the SQL Server database.
By default, SQL Server supports UTF-8 character encoding.
Configure an International CA Single Sign-On Data Store in Oracle
To configure an international CA Single Sign-On data store in Oracle
  1. On the machine where Oracle is installed, create a custom Oracle database that supports UTF-8 character encoding.
    For more information and instructions, see Oracle’s documentation.
    To verify that an existing Oracle database supports UTF-8 character encoding, run the following query:
    select * from nls_database_parameters where parameter = 'NLS_CHARACTERSET';
    -- a UTF-8 database reports AL32UTF8 (or the older UTF8) as the value
  2. Create policy, keys, session, or key stores for the Policy Server, by configuring a CA Single Sign-On data store in the Oracle database.
Solaris and Red Hat Linux Policy Server Logging UTF-8 Characters to an Oracle Database
A Solaris or Red Hat Linux Policy Server can log UTF-8 characters to an Oracle audit log database. To enable this configuration, you need to set the following environment variables:
For a simplified Chinese operating system
  • LANG=zh_CN.utf8
For a Japanese operating system
  • LANG=ja_JP.UTF-8
You can set the LANG variable system-wide or just for the Policy Server process.
To avoid impacting any other applications, make sure that you set this variable for the Policy Server process only.
Database Driver Variable
  • IANAAppCodePage=utf-8
You set this variable in the appropriate data source definition section of the system_odbc.ini file, installed in <policy_server_installation>/db.
Oracle Client Settings
Since the Policy Server uses the Oracle wire protocol driver, an Oracle client is not necessary. However, if you need an Oracle SQL*Plus client in your environment to read data from the audit log database, you may have to set one or both of the following environment variables to correctly display multi-byte characters:
For a simplified Chinese operating system
  • LANG=zh_CN.utf8
For a Japanese operating system
  • LANG=ja_JP.UTF-8
For the Oracle SQL*Plus client
  • NLS_LANG (for example, NLS_LANG=Japanese_Japan.UTF8)
For more information, see the operating system and database client configuration manual.
Configure a User Store that Supports Unicode in SQL Server
Using the smsampleusers_sqlserver.sql file installed with the Policy Server, you can configure a user store in a SQL Server database. This file is installed in the <siteminder_installation>\db\SQL directory.
User stores are not limited to UTF-8 format. You can create a user store in the local character set encoding.
Follow these steps:
  1. Edit the smsampleusers_sqlserver.sql file, by doing the following:
    1. Replace every varchar instance with nvarchar.
    2. Place an N before every international string literal in an insert statement.
      Japanese example:
      insert into SmUser ( UserID, Name, Password, LastName, FirstName, ...)
      values (12, N'<Japanese name>', 'siteminder', 'guest', 'guest', '[email protected]mycompany.com', ...)
  2. Import the smsampleusers_sqlserver.sql file.
    More information on importing the smsampleusers_sqlserver.sql file exists in Sample User Directories.
  3. Open the Administrative UI's CA Single Sign-On ODBC Query Scheme dialog and modify the policy store's SQL query scheme by placing an N before every %s reference in any = %s statement.
    Example:
    The following sample query scheme statements:
    select Name, 'User' from SmUser where Name = '%s' Union select Name, 'Group' from SmGroup where Name = '%s'
    should become:
    select Name, 'User' from SmUser where Name = N'%s' Union select Name, 'Group' from SmGroup where Name = N'%s'
  4. Stop and restart the Policy Server.
    The user store configuration is complete and now supports multi-byte characters.
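The script and query scheme edits from steps 1 and 3, carried out by an added Python example (not CA Single Sign-On code); the sample script excerpt and query are constructed for this illustration, not taken from smsampleusers_sqlserver.sql.

```python
# Added example (not CA Single Sign-On code): applies the edits from steps 1
# and 3 above to a SQL Server user store script and a query scheme.
# The sample script and query are constructed for this illustration.
import re

# Constructed excerpt in the style of smsampleusers_sqlserver.sql.
SAMPLE_SCRIPT = """\
create table SmUser ( UserID int, Name varchar(64), Password varchar(64) )
insert into SmUser ( UserID, Name, Password ) values (12, '日本語', 'siteminder')
insert into SmUser ( UserID, Name, Password ) values (13, 'guest', 'siteminder')
"""

SAMPLE_QUERY_SCHEME = (
    "select Name, 'User' from SmUser where Name = '%s' "
    "Union select Name, 'Group' from SmGroup where Name = '%s'"
)

# A single-quoted literal ('' is an escaped quote), optionally already N-prefixed.
_LITERAL = re.compile(r"(?:\bN)?'(?:[^']|'')*'")


def _prefix_if_international(match):
    """Add the N prefix only to literals that contain non-ASCII characters."""
    literal = match.group(0)
    if literal.startswith("N") or all(ord(c) < 128 for c in literal):
        return literal
    return "N" + literal


def convert_user_store_script(script):
    """Step 1: varchar -> nvarchar and N'...' for international strings."""
    # \b stops an existing nvarchar from becoming nnvarchar, so this is idempotent.
    script = re.sub(r"\bvarchar\b", "nvarchar", script, flags=re.IGNORECASE)
    return _LITERAL.sub(_prefix_if_international, script)


def convert_query_scheme(query):
    """Step 3: every = '%s' placeholder becomes = N'%s'."""
    return re.sub(r"=\s*'%s'", "= N'%s'", query)


if __name__ == "__main__":
    print(convert_user_store_script(SAMPLE_SCRIPT))
    print(convert_query_scheme(SAMPLE_QUERY_SCHEME))
```

Running either function twice leaves the output unchanged, so a script that was already partly converted by hand is not damaged.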
Configure a Japanese User Store in Oracle
Using the smsampleusers_oracle.sql file installed with the Policy Server, you can configure a user store in an Oracle database. This file is installed in the <siteminder_installation>\db\SQL directory.
Note: User stores are not limited to UTF-8 format. You can create a user store in the local character set encoding.
To configure a Japanese user store in Oracle
  1. Create a database for the user data that supports Oracle’s UTF-8 NLS_CHARACTERSET encoding.
  2. Using Oracle’s SQL-Plus, import the smsampleusers_oracle.sql file.
    More information on importing the smsampleusers_oracle.sql file exists in Sample User Directories. Be aware that if you are inserting Japanese characters, import the file from a Japanese operating system.
    The user store configuration is complete.