Configure LDAP Directory Server Policy, Session, and Key Stores

The content in this section describes how to configure LDAP data stores, which include:
Policy Store
The CA Single Sign-On policy store is the repository for all policy-related information. All Policy Servers in a CA Single Sign-On installation must share policy store data, either directly or through replication. The Policy Server is installed with tools that let administrators move policy store data from one storage facility to another.
When you install the Policy Server, you can automatically configure one of the following directory servers as a policy store:
  • Microsoft Active Directory Lightweight Directory Services (AD LDS)
  • Oracle Directory Server (formerly Sun Java System Directory Server)
If you do not use the Policy Server to configure a policy store automatically, manually configure a policy store after installing the Policy Server. After you install the Policy Server, use the Policy Server Management Console to point the Policy Server to an existing policy store.
For a list of supported CA and third-party components, refer to the Platform Support Matrix on the Technical Support site.
To avoid policy store corruption, configure the server where the policy store resides to store objects in UTF-8 form. For more information about storing objects in UTF-8 form, see the documentation for that server.
Default Policy Store Objects Consideration
When you configure a policy store, the following default policy store object files are available:
  • smpolicy.xml
  • smpolicy-secure.xml
Both files contain the default objects that the policy store requires. If you use the Policy Server Configuration Wizard to configure the policy store automatically, the wizard only uses smpolicy.xml. If you want to use smpolicy-secure.xml, configure the policy store manually.
Both files provide default security settings. These settings are available in the default Agent Configuration Object (ACO) templates that are available in the Administrative UI. The smpolicy-secure file provides more restrictive default security settings. Choosing smpolicy.xml does not limit you from using the more restrictive default security settings. You can modify the default ACO settings using the Administrative UI.
The following table summarizes the security settings for both files:
Parameter Name | smpolicy Values | smpolicy-secure Values
(parameter name not preserved) | No value | <, >, ', ;, ), (, &, +, %00
(parameter name not preserved) | No value | <, >, ', ;, ), (, &, +, %00
(parameter name not preserved) | //, ./, /., /*, *., ~, \, %00-%1f, %7f-%ff, %25 | smpolicy.smdif values plus: <, >, ', ;, ), (, &, +
(parameter name not preserved) | .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc | All smpolicy values.
(parameter name not preserved) | This file does not include this parameter. | This parameter does not have a default value. Provide a valid redirection domain. Example: validtargetdomain=""
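To make the difference between the two value lists concrete, the following added Python example (not part of the CA Single Sign-On documentation or product) parses lists written in the table's notation and reports which entries a request URL contains. It assumes simplified semantics: a %xx entry denotes the byte it encodes, %xx-%yy is an inclusive byte range, and the URL is percent-decoded once before checking; the Web Agent's own matching rules may differ.

```python
"""Check request URLs against blocked-sequence lists in the table's notation."""
import re
from urllib.parse import unquote

# Value lists copied from the table above (the third row).
SMPOLICY_BAD_URL = "//, ./, /., /*, *., ~, \\, %00-%1f, %7f-%ff, %25"
SMPOLICY_SECURE_BAD_URL = SMPOLICY_BAD_URL + ", <, >, ', ;, ), (, &, +"

_HEX = r"%([0-9a-fA-F]{2})"


def parse_bad_chars(spec):
    """Split a comma-separated list into (token, literal) pairs and (token, lo, hi) ranges.

    Assumption (not from the docs): %xx means the single byte 0xxx, and
    %xx-%yy means every byte in that inclusive range.
    """
    literals, ranges = [], []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        rng = re.fullmatch(_HEX + "-" + _HEX, token)
        if rng:
            ranges.append((token, int(rng.group(1), 16), int(rng.group(2), 16)))
        elif re.fullmatch(_HEX, token):
            literals.append((token, chr(int(token[1:], 16))))
        else:
            literals.append((token, token))
    return literals, ranges


def find_bad_sequences(url, spec):
    """Return the spec tokens found in url after one round of %-decoding.

    latin-1 decoding keeps each %xx as one character, so %7f-%ff is a
    plain byte range rather than a UTF-8 sequence.
    """
    literals, ranges = parse_bad_chars(spec)
    decoded = unquote(url, encoding="latin-1")
    hits = [token for token, lit in literals if lit in decoded]
    for token, lo, hi in ranges:
        if any(lo <= ord(c) <= hi for c in decoded):
            hits.append(token)
    return hits
```

A URL such as /app/%2541 still contains a literal % after one decoding pass, so the %25 entry flags the double-encoded request; /app/search?q=<b> passes the smpolicy list but not the smpolicy-secure list.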
Session Store
The session store is where the Policy Server stores persistent session data. A persistent session is one in which a cookie is maintained in the session store, in the memory of the web browser, and optionally the hard disk. CA Directory is the only LDAP directory server that the Policy Server supports as a session store. 
Before you implement persistent sessions, consider the following information:
  • Persistent sessions are configured on a per realm basis.
  • Use persistent sessions only when necessary. Using session services to maintain sessions has an impact on system performance.
If you plan to use persistent sessions in one or more realms, enable the session store using the Policy Server Management Console.
Key Store
The key store holds the Web Agent keys and the session ticket key, which are distributed to Agents at run time.
Web Agents use an agent key to encrypt cookies before passing the cookies to a browser. When a Web Agent receives a CA Single Sign-On cookie, the agent key enables the Agent to decrypt the contents of the cookie. Keys must be set to the same value for all Web Agents communicating with a Policy Server.
The Policy Server and Agents use encryption keys to encrypt and decrypt sensitive data that is passed between Policy Servers and Agents.
  • The Agent uses agent keys to encrypt CA Single Sign-On cookies that are read and shared by all agents in a single sign-on environment. The agent key also decrypts cookies encrypted by the other agents. The Policy Server manages agent keys and distributes the keys to agents periodically.
  • The session ticket key is used by the Policy Server to encrypt session tickets. Session tickets contain credentials and other information that is related to a session (including user credentials). Agents embed session tickets in CA Single Sign-On cookies, but do not have access to the session ticket key, which never leaves the Policy Server.
Both types of keys are kept in the Policy Server key store and distributed to Agents at runtime. By default, the key store is part of the Policy Store, but if necessary, you can create a separate key store database.