Configure OpenLDAP as a Policy Store
Contents
sm1252sp1
Contents
2
OpenLDAP can function as a policy store. A single directory server instance can function as a:
- Policy store
- Key store
Using a single directory server simplifies administration tasks. The following sections provide instruction on how to configure a single directory server instance to store policy data and encryption keys. If your implementation requires, you can configure a separate key store.
Gather Directory Server Information
sm1252sp1
Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning.
- Host informationSpecifies the fully-qualified host name or the IP Address of the directory server.
- Port information(Optional) Specifies a non-standard port.Default values:636 (SSL) and 389 (non-SSL)
- Administrative DNSpecifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.
- Administrative passwordSpecifies the password for the Administrative DN.
- Policy store root DNSpecifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.
- SSL client certificateSpecifies the pathname of the directory where the SSL client certificate database file resides.Limit:SSL only
Configure the Slapd Configuration File
An OpenLDAP directory server requires additional configuration before you can use it as a policy store. The following process lists the configuration steps:
- Specify theCA Single Sign-Onschema files.
- Specify policy store indexing.
- Enable user authentication.
- Specify database directives.
- Support Client-Side Sorting
- Test the configuration file.
- Restart the OpenLDAP server.
Specify the
CA Single Sign-On
Schema FilesSpecifying the schema files in the include section of the slapd configuration file (slapd.conf) configures the slapd process (the LDAP Directory Server daemon) to read the additional configuration information. The included files must follow the correct slapd configuration file format.
Follow these steps:
- Log in to the Policy Server host system.
- Navigate tositeminder_home/db/tier2/OpenLDAP and copy the following files to the schema folder in the OpenLDAP installation directory:
- openldap_attribute.schema
- openldap_object.schema
- siteminder_homeSpecifies the Policy Server installation path.
- Navigate tositeminder_home/xps/db and copy the following files to the schema folder in the OpenLDAP installation directory:
- openldap_attribute_XPS.schema
- openldap_object_XPS.schema
- Type the following entries in the include section of the slapd configuration file:.........include /usr/local/etc/openldap/schema/openldap_attribute.schemainclude /usr/local/etc/openldap/schema/openldap_object.schemainclude /usr/local/etc/openldap/schema/openldap_attribute_XPS.schemainclude /usr/local/etc/openldap/schema/openldap_object_XPS.schemaThis procedure assumes that the OpenLDAP server is located in /usr/local/etc/openldap and that the schema files are located in the schema subdirectory.TheCA Single Sign-Onschema files are specified.
Specify Policy Store Indexing
Specify indexing in the slapd.conf file to use OpenLDAP as a policy store.
Follow these steps:
- Stop the slapd instance.
- Open the slapd.conf file with a text editor.
- Locate the following lines:# Indices to maintainindex objectClass eq
- Insert a new line in the file, and then add the following lines:index smAdminOID4 pres,eqindex smAuthDirOID4 pres,eqindex smAzDirOID4 pres,eqindex smcertmapOID4 pres,eqindex smIsRadius4 pres,eqindex smIsAffiliate4 pres,eqindex smParentRealmOID4 pres,eqindex smPasswordPolicyOID4 pres,eqindex smAgentGroupOID4 pres,eqindex smKeyManagementOID4 pres,eqindex smAgentOID4 pres,eqindex smAgentKeyOID4 pres,eqindex smRootConfigOID4 pres,eqindex smAGAgents4 pres,eqindex smDomainAdminOIDs4 pres,eqindex smDomainOID4 pres,eqindex smvariableoid5 pres,eqindex smNestedVariableOIDs5 pres,eqindex smvariabletypeoid5 pres,eqindex smActiveExprOID5 pres,eqindex smDomainUDs4 pres,eqindex smVariableOIDs5 pres,eqindex smusractiveexproid5 pres,eqindex smPropertyOID5 pres,eqindex smPropertySectionOID5 pres,eqindex smPropertyCollectionOID5 pres,eqindex smFilterClass4 pres,eqindex smTaggedStringOID5 pres,eqindex smNoMatch5 pres,eqindex smTrustedHostOID5 pres,eqindex smIs4xTrustedHost5 pres,eqindex smDomainMode5 pres,eq# index smImsEnvironmentOIDs5 pres,eqindex smSecretRolloverEnabled6 pres,eqindex smSecretGenTime6 pres,eqindex smSecretUsedTime6 pres,eqindex smSharedSecretPolicyOID6 pres,eqindex smFilterPath4 pres,eqindex smPolicyLinkOID4 pres,eqindex smIPAddress4 pres,eqindex smRealmOID4 pres,eqindex smSelfRegOID4 pres,eqindex smAzUserDirOID4 pres,eqindex smResourceType4 pres,eqindex smResponseAttrOID4 pres,eqindex smResponseGroupOID4 pres,eqindex smResponseOID4 pres,eqindex smRGResponses4 pres,eqindex smRGRules4 pres,eqindex smRuleGroupOID4 pres,eqindex smRuleOID4 pres,eqindex smSchemeOID4 pres,eqindex smisTemplate4 pres,eqindex smisUsedbyAdmin4 pres,eqindex smSchemeType4 pres,eqindex smUserDirectoryOID4 pres,eqindex smODBCQueryOID4 pres,eqindex smUserPolicyOID4 pres,eqindex smAgentTypeAttrOID4 pres,eqindex smAgentTypeOID4 pres,eqindex smAgentTyperfcid4 pres,eqindex smAgentTypeType4 pres,eqindex smAgentCommandOID4 pres,eqindex smTimeStamp4 pres,eqindex smServerCommandOID4 pres,eqindex smAuthAzMapOID4 pres,eqindex xpsParameter pres,eqindex xpsValue pres,eqindex xpsNumber pres,eqindex xpsCategory pres,eqindex xpsGUID pres,eqindex xpsSortKey pres,eqindex xpsIndexedObject pres,eq
- Save the file and close the text editor.
- Run the following command:slapindex -f slapd.conf
- Restart the slapd instance.The policy store indexing for OpenLDAP is specified.
Enable User Authentication
Enabling user authentication ensures that you can protect resources with a supported authentication scheme.
To enable user authentication, add the following to the slapd configuration file:
access to attrs=userpasswordby self writeby anonymous authby * none
Specify Database Directives
The slapd configuration file requires values for additional database directives.
To specify the directives, edit the following:
- databaseSpecify any supported backend type.Example: bdb
- suffixSpecify the database suffix.Example: dc=example,dc=com
- rootdnSpecify the DN of root.Example: cn=Manager,dc=example,dc=com
- rootpwSpecify the password to root.
- directorySpecify the path of the database directory.Example: /usr/local/var/openldap-dataThe database directory must exist prior to running slapd and should only be accessible to the slapd process.
Support Client-Side Sorting
OpenLDAP is the only supported LDAP directory that does not support server-side sorting. Instead, OpenLDAP requires that all sorting be performed on the client side. To accomplish this, all XPS objects are retrieved at start-up using server-side paging.
To support client-side sorting, the OpenLDAP directory administrator must configure the following settings in the slapd.conf file:
- Enable reading of the Root DSE.This setting allows the XPS client to read the OpenLDAP directory's type and capabilities.
- Set the maximum number of entries that can be returned from a search operation >= 500.This setting accommodates XPS objects which are retrieved in increments of 500 by server-side paging.
- Allow a simple V2 bind.This setting allows smconsole to test the LDAP connection using a simple V2 bind.
Follow these steps:
- Add the following lines to the slapd.conf file:access to * by users read by anonymous readOraccess to dn.base="ou=<Root_DN>" by users read
- Root_DNSpecifies the distinguished name of the node in the LDAP tree where policy store objects must be defined.
Note:For more information on how to specify the ACL, see http://www.openldap.org/doc/admin24/access-control.html. - Verify that the value specified by the sizelimit directive in the slapd.conf file >= 500:sizelimit 500Note:The default sizelimit value is 500. For more information, see http://www.openldap.org/doc/admin24/slapdconfig.html.
- Add the following line to the slapd.conf file:allow bind_v2
The slapd.conf file is configured to support client-side sorting.
Test the Configuration File
Testing the configuration file ensures that it is correctly formatted.
Follow these steps:
- Change the directory to the OpenLDAP server directory.
- Run the following command:./slapdUnless you specified a debugging level, including level 0, slapd automatically forks, detaches itself from its controlling terminal, and runs in the background.
- Run the following command:./slapd -TtThe slapd configuration file is tested.
Restart the OpenLDAP Server
Restarting the OpenLDAP directory server loads the
CA Single Sign-On
schema. The Policy Server requires that the CA Single Sign-On
schema is loaded before you can use the directory server as a policy store.Follow these steps:
- Stop the directory server using the following command:kill -INT 'cat path_of_var/run_directory/slapd.pid`
- path_of_var/run_directorySpecifies the path of the database directory.Example: kill -INT `cat /usr/local/var/run/slapd.pid`
- Start the directory server using the following command:./slapd
Create the Database
The following process lists the steps for creating the directory server database for the policy store:
- Create the base tree structure.
- Add entries.
Create the Base Tree Structure
You can create a base tree structure to store policy store objects.
Specify the following entry under the root DN:
ou=Netegrity,ou=SiteMinder,ou=PolicySvr4,ou=XPS
The base tree structure is created.
Add Entries
Add entries to the directory server so that
CA Single Sign-On
has the necessary organization and organizational role information.Follow these steps:
- Create an LDIF file.Example: The following example contains an organization entry and an organizational role entry for the entries.ldif.# Netegrity, example.comdn: ou=Netegrity,dc= example,dc=comou: NetegrityobjectClass: organizationalUnitobjectClass: top# SiteMinder, Netegrity, example.comdn: ou=SiteMinder,ou=Netegrity,dc= example,dc=comou: SiteMinderobjectClass: organizationalUnitobjectClass: top# PolicySvr4, SiteMinder, CA, example.comdn: ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc= example,dc=comou: PolicySvr4objectClass: organizationalUnitobjectClass: top# XPS, PolicySvr4, SiteMinder, Netegrity, example.comdn: ou=XPS,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc= example,dc=comou: XPSobjectClass: organizationalUnitobjectClass: top
- Use the following command to add the entries.ldapadd -f <file_name.ldif> -D "cn=Manager,dc=example,dc=com"-w<password>
Point the Policy Server to the Policy Store
sm1252sp1
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
- Open the Policy Server Management Console.sm1252sp1On Windows Server, if User Account Control (UAC) is enabled open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for yourCA Single Sign-Oncomponent.
- Click the Data tab.
- Select the following value from the Database list:Policy Store
- Select the following value from the Storage list:LDAP
- Configure the following settings in the LDAP Policy Store group box.
- LDAP IP Address
- Admin Username
- Password
- Confirm Password
- Root DN
You can click Help for a description of fields, controls, and their respective requirements. - Click Apply.
- Click Test LDAP Connection to verify that the Policy Server can access the policy store.
- Select the following value from the Database list:Key Store
- Select the following value from the Storage list:LDAP
- Select the following option:Use Policy Store database
- Click OK.
Set the
CA Single Sign-On
Super User Passwordsm1252sp1
The default
CA Single Sign-On
administrator account is named siteminder
. The account has maximum permissions.Do not use the default super user for day-to-day operations. Use the default super user to:
- Access the Administrative UI for the first time.
- ManageCA Single Sign-Onutilities for the first time.
- Create another administrator with super user permissions.
Follow these steps:
- Copy the smreg utility tositeminder_home\bin.
- siteminder_homeSpecifies the Policy Server installation path.
The utility is at the top level of the Policy Server installation kit. - Run the following command:smreg -supassword
- passwordSpecifies the password for the default administrator.
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
If you are configuring an Oracle policy store, the password is case-sensitive. The password is not case-sensitive for all other policy stores. - Delete smreg fromsiteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.
The password for the default administrator account is set.
Import the Policy Store Data Definitions
sm1252sp1
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
- Open a command window and navigate tositeminder_home\xps\dd.
- siteminder_homeSpecifies the Policy Server installation path.
- Run the following command:XPSDDInstall SmMaster.xdd
- XPSDDInstallImports the required data definitions.
Import the Default Policy Store Objects
sm1252sp1
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
- Be sure that you have write access tositeminder_home\bin. The import utility requires this permission to import the policy store objects.
- siteminder_homeSpecifies the Policy Server installation path.
- Before running aCA Single Sign-Onutility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for yourCA Single Sign-Oncomponent.
Follow these steps:
- Open a command window and navigate tositeminder_home\db.
- Import one of the following files:
- To import smpolicy.xml, run the following command:XPSImport smpolicy.xml -npass
- To import smpolicy–secure.xml, run the following command:XPSImport smpolicy-secure.xml -npass
- npassSpecifies that no passphrase is required. The default policy store objects do not contain encrypted data.
- To import Option Pack functionality, run the following command:XPSImport ampolicy.xml -npass
- To import federation functionality, run the following command:XPSImport fedpolicy-12.5.xml -npass
Importing ampolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from
CA Single Sign-On
. If you intend on using the latter functionality, contact your CA account representative for licensing information.Enable the Advanced Authentication Server
sm1252sp1
Enable the Advanced Authentication Server as part of configuring your Policy Server.
Follow these steps:
- Start the Policy Server configuration wizard.
- Perform one of the following steps:On Windows:Leave all the check boxes in the first screen of the wizardclearedand click Next.On Linux:Type 5 and press Enter.
- Create the master encryption key for the Advanced Authentication Server.sm1252sp1If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
- Complete the rest of the Policy Server configuration wizard.The Advanced Authentication Server is enabled.
Prepare for the Administrative UI Registration
sm1252sp1
You use the default super user account (siteminder) to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
- The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
- (UNIX) Be sure that theCA Single Sign-Onenvironment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.
Follow these steps:
- Log in to the Policy Server host system.
- Run the following command:XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
- passphraseSpecifies the password for the default super user account (siteminder).If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
- -adminui–setupSpecifies that the Administrative UI is being registered with a Policy Server for the first–time.
- -t timeout(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.Unit of measurement:minutesDefault:240 (4 hours)Minimum:15Maximum:1440 (24 hours)
- -r retries(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.Default:1Maximum:5
- -c comment(Optional) Inserts the specified comments into the registration log file for informational purposes.Surround comments with quotes.
- -cp(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.Surround comments with quotes.
- -l log path(Optional) Specifies where the registration log file must be exported.Default:siteminder_home\logsiteminder_homeSpecifies the Policy Server installation path.
- -e error_path(Optional) Sends exceptions to the specified path.Default:stderr
- -vT(Optional) Sets the verbosity level to TRACE.
- -vI(Optional) Sets the verbosity level to INFO.
- -vW(Optional) Sets the verbosity level to WARNING.
- -vE(Optional) Sets the verbosity level to ERROR.
- -vF(Optional) Sets the verbosity level to FATAL.
- Press Enter.XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.