Store Key Information in IBM DB2

sm1252sp1
Gather Database Information
Configuring a single IBM DB2 database to function as a policy store or any other type of CA Single Sign-On data store requires specific database information.
Consider the following items:
  • Information that is prefixed with a W represents a Windows requirement.
  • Information that is prefixed with a U represents a UNIX requirement.
Gather the following information before configuring the policy store or any other type of CA Single Sign-On data store. You can use the IBM DB2 Information Worksheet to record your values.
  • Database instance name
    —Determine the name of the database instance that is to function as the policy store or data store.
  • Administrative account
    —Determine the user name of an account with privileges to create, read, modify, and delete objects in the database.
  • Administrative password
    —Determine the password for the administrative account.
  • IP address
    —Determine the IP address of the database host system.
  • Tcp port
    —Determine the port on which the database is listening.
  • (W) Data source name
    —Determine the name that is to identify the data source.
  • (U) Policy Server root
    —Determine the explicit path to where the Policy Server is installed.
  • (U) Package
    —Determine the name of the package that is to process dynamic SQL.
  • (U) Package owner
    —Determine the AuthID assigned to the package. The AuthID must have the authority to execute all SQL statements in the package.
  • (U) Grant AuthID
    —If you want to restrict execute privileges for the package, determine the AuthID that is granted execute permissions for the package.
    Default wire protocol setting: PUBLIC
  • (U) Isolation level
    —Determine the method by which the system acquires and releases locks.
    Default wire protocol setting: CURSOR_STABILITY
  • (U) Dynamic sections
    —Determine the number of sections that the wire protocol driver package can prepare for a single user.
    Default wire protocol setting: 100
Create the Key Store Schema
You create the CA Single Sign-On schema so that an IBM DB2 database can store key information.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Navigate to siteminder_home\db\tier2\DB2.
     siteminder_home specifies the Policy Server installation path.
  3. Open the following file and copy the contents to a text editor:
     sm_db2_ps.sql
  4. Paste the contents into a query and execute the query. For more information about executing a query, see the IBM documentation.
     The key store schema is added to the database.
Configure an IBM DB2 Data Source for CA Single Sign-On
If you are using ODBC, configure a data source to let CA Single Sign-On communicate with the CA Single Sign-On data store.
Create a DB2 Data Source on Windows Systems
When using ODBC, you can create a DB2 data source for the DB2 wire protocol driver.
Follow these steps:
  1. Complete one of the following steps:
    • If you are using a supported 32-bit Windows operating system, click Start and select Programs, Administrative Tools, ODBC Data Sources.
    • If you are using a supported 64-bit Windows operating system:
      1. Navigate to install_home\Windows\SysWOW64.
      2. Double-click odbcad32.exe.
    The ODBC Data Source Administrator appears.
  2. Click the System DSN tab and click Add.
  3. Scroll down and select CA Single Sign-On DB2 Wire Protocol and click Finish.
  4. In the ODBC DB2 Wire Protocol Driver Setup dialog, under the General tab, complete the following steps:
    1. In the Data Source Name field, enter any name.
       Example: SiteMinder DB2 Wire Data Source
    2. (Optional) In the Description field, enter a description of the DB2 wire protocol data source.
    3. In the IP Address field, enter the IP address of the system where the DB2 database is installed.
    4. In the Tcp Port field, enter the port number on which DB2 is listening on that system.
    5. Click Test Connect.
       The connection is tested.
  5. Click OK.
    The ODBC DB2 Wire Protocol Driver Setup dialog closes, the selections are saved, and the DB2 data source is created on the Windows system.
You can now configure CA Single Sign-On to use the data source that you created.
Create a DB2 Data Source on UNIX Systems
The CA Single Sign-On ODBC data sources are configured using a system_odbc.ini file, which you create by renaming db2wire.ini, located in policy_server_home/db, to system_odbc.ini. This system_odbc.ini file contains the names of all of the available ODBC data sources as well as the attributes that are associated with these data sources. This file must be customized for each site. You can also add data sources to this file, for example to define additional ODBC user directories for CA Single Sign-On.
The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing that individual data source. After the “=” is a comment field.
Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver to be loaded when this data source is used by CA Single Sign-On. The remaining attributes are specific to the driver.
Adding a DB2 data source involves adding a new data source name in the [ODBC Data Sources] section of the file, and adding a section that describes the data source using the same name as the data source. You need to change the system_odbc.ini file if you create a new service name or want to use a different driver. You should have entries for the DB2 driver under [CA Single Sign-On Data Source].
To configure a DB2 data source, you must first create a system_odbc.ini file in the policy_server_home/db directory. To do this, rename db2wire.ini, located in policy_server_home/db, to system_odbc.ini.
policy_server_home specifies the Policy Server installation path.
Configure the DB2 Wire Protocol Driver
The following table contains configuration parameters for DB2 data sources. You can edit these parameters to configure data sources for separate key, audit log, session, and sample users databases. Each entry lists the parameter, its description, and how to edit it.
Data Source Name
  Description: Name of the data source.
  How to Edit: Enter the data source name inside the square brackets.
Driver
  Description: Full path to the CA Single Sign-On DB2 Wire Protocol driver.
  How to Edit: Replace “nete_ps_root” with the CA Single Sign-On installation directory.
Description
  Description: Description of the data source.
  How to Edit: Enter any desired description.
Database
  Description: Name of the DB2 UDB database.
  How to Edit: Replace “nete_database” with the name of the database configured on the DB2 UDB server.
LogonID
  Description: Username required for accessing the database.
  How to Edit: Replace “uid” with the username of the DB2 UDB administrator.
Password
  Description: Password required for accessing the database.
  How to Edit: Replace “pwd” with the password of the DB2 UDB administrator.
IPAddress
  Description: IP address or hostname of the DB2 UDB server.
  How to Edit: Replace “nete_server_ip” with the IP address or the hostname of the DB2 UDB server.
TcpPort
  Description: TCP port number of the DB2 UDB server.
  How to Edit: Replace the default value of 50000 with the actual TCP port number of the DB2 UDB server.
Package
  Description: The name of the package to process dynamic SQL.
  How to Edit: Replace “nete_package” with the name of the package you want to create.
PackageOwner
  Description: (Optional) The AuthID assigned to the package.
  How to Edit: Empty by default. This DB2 AuthID must have authority to execute all SQL statements in the package.
GrantAuthid
  Description: The AuthID granted execute privileges for the package.
  How to Edit: “PUBLIC” by default. Specify the desired AuthID if you wish to restrict the execute privileges for the package.
GrantExecute
  Description: Specifies whether to grant execute privileges to the AuthID listed in GrantAuthid.
  How to Edit: Can be either 1 or 0. Set to 0 by default.
IsolationLevel
  Description: The method by which locks are acquired and released by the system.
  How to Edit: CURSOR_STABILITY by default.
DynamicSections
  Description: The number of statements that the DB2 Wire Protocol driver package can prepare for a single user.
  How to Edit: 100 by default. Enter the desired number of statements.
Point the Policy Server to the Database
You point the Policy Server to the database so that the Policy Server can read and store key information.
To point the Policy Server to the data store:
  1. Open the Policy Server Management Console, and click the Data tab.
    Database settings appear.
  2. Select ODBC from the Storage list.
    ODBC settings appear.
  3. Select Key Store from the Database list and clear the Use Policy Store database check box.
    Data source settings become active.
  4. Enter the name of the data source in the Data Source Information field.
    • (Windows) This entry must match the name you entered in the Data Source Name field when you created the data source.
    • (UNIX) This entry must match the first line of the data source entry in the system_odbc.ini file. By default, the first line in the file is [CA Single Sign-On Data Sources]. If you modified the first entry, be sure that you enter the correct value.
  5. Enter and confirm the user name and password of the database account that has full access rights to the database instance in the respective fields.
  6. Specify the maximum number of database connections allocated to CA Single Sign-On.
    We recommend retaining the default for best performance.
  7. Click Apply.
    The settings are saved.
  8. Click Test Connection.
    CA Single Sign-On returns a confirmation that the Policy Server can access the data store.
  9. Click OK.
    The Policy Server is configured to use the database as a key store.
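The following Python script is an added example, not CA's own tooling: it checks a UNIX system_odbc.ini body against the DB2 wire protocol parameters listed in the table above and against the step 4 rule that the Data Source Information value must match a section name. The sample file, its data source name, its driver file name, and the validator itself are all constructed here; the driver path is a placeholder, not the product's real library name.

```python
import configparser
from typing import List

# Template values shipped in db2wire.ini; the parameter table says each must be replaced.
PLACEHOLDERS = {"nete_ps_root", "nete_database", "uid", "pwd", "nete_server_ip", "nete_package"}
REQUIRED = ("driver", "database", "logonid", "password", "ipaddress", "tcpport", "package")

# Constructed sample. The driver file name is a placeholder, not CA's real library name.
SAMPLE_INI = """\
[ODBC Data Sources]
CA Single Sign-On Key Store=DB2 Wire Protocol key store

[CA Single Sign-On Key Store]
Driver=/opt/CA/siteminder/odbc/lib/DB2_WIRE_DRIVER_PLACEHOLDER.so
Database=SMKEYS
LogonID=smadmin
Password=pwd
IPAddress=db2.example.internal
TcpPort=50000
Package=SMPKG
GrantAuthid=PUBLIC
GrantExecute=1
IsolationLevel=CURSOR_STABILITY
"""

def validate_system_odbc_ini(text: str, policy_server_dsn: str) -> List[str]:
    """Return the problems found; policy_server_dsn is the Data Source Information value."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep the case of names listed in [ODBC Data Sources]
    cfg.read_string(text)
    problems: List[str] = []
    if "ODBC Data Sources" not in cfg:
        return ["missing [ODBC Data Sources] section"]
    names = list(cfg["ODBC Data Sources"])
    if policy_server_dsn not in names or policy_server_dsn not in cfg:
        problems.append(f"Policy Server points at undefined data source '{policy_server_dsn}'")
    for name in names:
        if name not in cfg:
            problems.append(f"'{name}' is listed but has no [{name}] section")
            continue
        attrs = {k.lower(): v.strip() for k, v in cfg[name].items()}  # keys compared case-insensitively
        problems += [f"[{name}] {k} is missing or empty" for k in REQUIRED if not attrs.get(k)]
        problems += [f"[{name}] {k} still holds template placeholder '{v}'"
                     for k, v in attrs.items() if v in PLACEHOLDERS or "nete_" in v]
        port = attrs.get("tcpport", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"[{name}] TcpPort '{port}' is not a valid TCP port")
        # GrantExecute=1 with the default GrantAuthid hands package execute rights to PUBLIC.
        if attrs.get("grantexecute") == "1" and attrs.get("grantauthid", "PUBLIC").upper() == "PUBLIC":
            problems.append(f"[{name}] package execute privilege is granted to PUBLIC")
    return problems
```

Run against SAMPLE_INI with the data source name "CA Single Sign-On Key Store", the validator reports the unreplaced "pwd" password and the PUBLIC execute grant; a mismatched Data Source Information value adds a third finding.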
Restart the Policy Server
You restart the Policy Server for certain settings to take effect.
Follow these steps:
  1. Open the Policy Server Management Console.
  2. Click the Status tab, and click Stop in the Policy Server group box.
    The Policy Server stops, as indicated by the red stoplight.
  3. Click Start.
    The Policy Server starts, as indicated by the green stoplight.
    Note: On UNIX, execute the stop-ps and start-ps commands to restart the Policy Server. To restart the Policy Server and CA Risk Authentication, execute the stop-all and start-all commands.