Configure an IBM DB2 Policy Store

Contents
sm1252sp1
Contents
2
A single IBM DB2 database can function as a:
  • policy store
  • key store
  • logging database
Store session information in a separate database. Do not use the policy store to store session information.
Using a single database simplifies administrative tasks. The following sections provide instruction on how to configure a single database server to store
CA Single Sign-On
data.
Complete the following procedures to configure a single IBM DB2 database as a policy store, key store, and logging database.
Be sure that you have gathered the required database information before beginning. Some of the following procedures require this information.
Prerequisite Database Settings
Configure the following database instance settings:
  • If you are configuring only a policy store, set the table space page size (page_size) and the buffer pool page size settings to at least 16k. The default DB2 value for each setting is not sufficient for the policy store schema.
    To create an instance with 16k page size, run the following command from the DB2 admin command prompt:
    db2 create database <
    database
    > using codeset UTF-8 territory en PAGESIZE 16384
  • If you are configuring a policy store and an audit store, set the table space page size (page_size) and the buffer pool page size settings to at least 32k. The default DB2 value for each setting is not sufficient for the policy and audit store schemas.
Gather Database Information
Configuring a single IBM DB2 database to function as a policy store or any other type of
CA Single Sign-On
data store requires specific database information.
Consider the following items:
  • Information that is prefixed with a W represents a Windows requirement.
  • Information that is prefixed with a U represents a UNIX requirement.
Gather the following information before configuring the policy store or any other type of
CA Single Sign-On
data store. You can use the IBM DB2 Information Worksheet to record your values.
  • Database instance name
    —Determine the name of the database instance that is to function as the policy store or data store.
  • Administrative account
    —Determine the user name of an account with privileges to create, read, modify, and delete objects in the database.
  • Administrative password
    —Determine the password for the Administrative account.
  • IP address
    —Determine the IP address of the database host system.
  • Tcp port
    —Determine the port on which the database is listening.
  • (W)
    Data source name
    —Determine the name that is to identify the data source.
  • (U)
    Policy Server root
    —Determine the explicit path to where the Policy Server is installed.
  • (U)
    Package
    —Determine the name of the package that is to process dynamic SQL.
  • (U)
    Package owner
    —Determine the AuthID assigned to the package. The AuthID must have the authority to execute all SQLs in the package.
  • (U)
    Grant AuthID
    —If you want to restrict execute privileges for the package, determine the AuthID that is granted execute permissions for the package.
    Default wire protocol setting:
    Public
  • (U)
    Isolation level
    —Determine the method by which the system acquires and releases locks.
    Default wire protocol setting:
    CURSOR_STABILTY
  • (U)
    Dynamic sections
    —Determine the number of sections that the wire protocol driver package can prepare for a single user.
    Default wire protocol setting:
    100
Create the Schema
Follow these steps:
  1. Navigate to
    siteminder_home
    \db\tier2\DB2.
    siteminder_home
    specifies the Policy Server installation path.
  2. Open the
    sm_db2_ps.sql
    file in a text editor and copy the contents of the entire file:
    This file specifies the schema for a policy or key store in a DB2 database.
  3. Paste the file contents into a query and execute the query.
    The policy and key store schema is created in the DB2 database.
  4. (Optional) Repeat steps two and three to create the audit log or sample users schema in the DB2 database:
    • sm_db2_logs.sql
      Specifies the schema for an audit log store in a DB2 database. Edit this script before creating an audit store.
    • smsampleusers_db2.sql
      Specifies the schema for sample users in a DB2 database and populates the database with the sample users.
    The corresponding schema is created in the DB2 database.
    Using the policy store to store key, audit, and sample users is optional. You can use separate databases to function as these types of data stores individually.
  5. Copy the DB2.sql schema file from one of the following locations to the DB2 host system.
    Location:
    In case of a new installation, you can locate the schema file in the following directory:
    siteminder_home
    \xps\db\Tier2DirSupport.
    In case of an upgrade scenario, the schema file is located in the following directory:
    siteminder_home
    \xps\db\schema_extension\db\IBM DB2.
    siteminder_home specifies the Policy Server installation path.
  6. Open a command prompt and run the following command:
    db2 -td@ [-v] -f path\DB2.sql
    path s
    pecifies the path to the DB2 schema file.
  7. The policy store schema is created.
Configure an IBM DB2 Data Source for
CA Single Sign-On
If you are using ODBC, configure a data source to let
CA Single Sign-On
communicate with the
CA Single Sign-On
data store.
Create a DB2 Data Source on Windows Systems
When using ODBC, you can create a DB2 data source for the DB2 wire protocol driver.
Follow these steps:
  1. Complete one of the following steps:
    • If you are using a supported 32–bit Windows operating system, click Start and select Programs, Administrative Tools, ODBC Data Sources.
    • If you are using a supported 64–bit Windows operating system:
      1. Navigate to the
        install_home
        \Windows\SysWOW64.
      2. Double–click odbcad32.exe
    The ODBC Data Source Administrator appears.
  2. Click the System DSN tab and click Add.
  3. Scroll down and select
    CA Single Sign-On
    DB2 Wire Protocol and click Finish.
  4. In the ODBC DB2 Wire Protocol Driver Setup dialog, under the General tab, complete the following steps:
    1. In the Data Source Name field, enter any name.
      Example
      :
      SiteMinder DB2 Wire Data Source
    2. (Optional) In the Description field, enter a description of the DB2 wire protocol data source.
    3. In the IP Address field, enter the IP Address where the DB2 database is installed.
    4. In the Tcp Port field, enter the port number where DB2 is listening on the system.
    5. Click Test Connect.
      The connection is tested.
  5. Click OK.
    The ODBC DB2 Wire Protocol Driver Setup dialog closes, the selections are saved, and the DB2 data source is created on a Windows System.
You can now configure
CA Single Sign-On
to use the data source that you created.
Create a DB2 Data Source on UNIX Systems
The
CA Single Sign-On
ODBC data sources are configured using a system_odbc.ini file, which you can create by renaming db2wire.ini, located in policy_server_home/db, to system_odbc.ini. This system_odbc.ini file contains all of the names of the available ODBC data sources as well as the attributes that are associated with these data sources. This file must be customized to work for each site. Also, you can add additional data sources to this file, such as defining additional ODBC user directories for
CA Single Sign-On
.
The first section of the system_odbc.ini file, [ODBC Data Sources], contains a list of all of the currently available data sources. The name before the “=” refers to a subsequent section of the file describing each individual data source. After the “=” is a comment field.
Each data source has a section in the system_odbc.ini file describing its attributes. The first attribute is the ODBC driver to be loaded when this data source is used by
CA Single Sign-On
. The remaining attributes are specific to the driver.
Adding a DB2 Data source involves adding a new data source name in the [ODBC Data Sources] section of the file, and adding a section that describes the data source using the same name as the data source. You need to change the system_odbc.ini file if you create a new service name or want to use a different driver. You should have entries for the DB2 driver under [
CA Single Sign-On
Data Source].
Again, to configure a DB2 data source, you must first create a system_odbc.ini file in thepolicy_server_home/db directory. To do this, you need to rename db2wire.ini, located inpolicy_server_home/db, to system_odbc.ini.
policy_server_home specifies the Policy Server installation path.
Configure the DB2 Wire Protocol Driver
The following table contains configuration parameters for DB2 data sources. You can edit these parameters to configure data sources for separate key, audit log, session, and sample users databases.
Parameter
Description
How to Edit
Data Source Name
Name of the data source.
Enter the data source name inside the square brackets.
Driver
Full path to the
CA Single Sign-On
DB2 Wire Protocol driver.
Replace “nete_ps_root” with the
CA Single Sign-On
installation directory.
Description
Description of the data source.
Enter any desired description.
Database
Name of the DB2 UDB database.
Replace “nete_database” with the name of the database configured on the DB2 UDB server.
LogonID
Username required for accessing the database.
Replace “uid” with the username of the DB2 UDB administrator.
Password
Password required for accessing the database.
Replace “pwd” with the password of the DB2 UDB administrator.
IPAddress
IP address or hostname of the DB2 UDB server.
Replace “nete_server_ip” with the IP address or the hostname of the DB2 UDB server.
TcpPort
TCP port number of the DB2 UDB server.
Replace the default value of 50000 with the actual TCP port number of the DB2 UDB server.
Package
The name of the package to process dynamic SQL.
Replace “nete_package” with the name of the package you want to create.
PackageOwner
(Optional) The AuthID assigned to the package.
Empty by default. This DB2 AuthID must have authority to execute all SQLs in the package.
GrantAuthid
The AuthID granted execute privileges for the package.
“PUBLIC” by default. Specify the desired AuthID if you wish to restrict the execute privileges for the package.
GrantExecute
Specifies whether to grant execute privileges to the AuthID listed in GrantAuthid.
Can be either 1 or 0. Set to 0 by default.
IsolationLevel
The method by which locks are acquired and released by the system.
CURSOR_STABILITY by default.
DynamicSections
The number of statements that the DB2 Wire Protocol driver package can prepare for a single user.
100 by default. Enter the desired number of statements.
Point the Policy Server to the Database
You point the Policy Server to the database so the Policy Server can access the
CA Single Sign-On
data in the policy store.
Follow these steps:
  1. Open the Policy Server Management Console and click the Data tab.
  2. Select the following value from the Storage list:
    ODBC
  3. Select the following value from the Database list:
    Policy Store
  4. Enter the name of the data source in the Data Source Information field.
    • (Windows) The entry must match the name that you entered in the Data Source Name field when you created the data source.
    • (UNIX) The entry must match the first line of the data source entry in the system_odbc.ini file. By default, the first line in the file is [
      CA Single Sign-On
      Data Sources]. If you modified the first entry, be sure to enter the correct value.
  5. Enter and confirm the user name and password of the database account that has full access rights to the database instance in the respective fields.
  6. Specify the maximum number of database connections that are allocated to
    CA Single Sign-On
    .
    We recommend retaining the 25 connection default for best performance.
  7. Click Apply to save the settings.
  8. Select the following value from the Database list:
    Key Store
  9. Select the following value from the Storage list:
    ODBC
  10. Select the following option:
    Use the Policy Store database
  11. Select the following value from the Database list:
    Audit Logs
  12. Select the following value from the Storage list:
    ODBC
  13. Select the following option:
    Use the Policy Store database
  14. Click Apply to save the settings.
  15. Click Test Connection to verify that the Policy Server can access the policy store.
  16. Click OK.
    The Policy Server is configured to use the database as a policy store, key store, and logging database.
Set the
CA Single Sign-On
Super User Password
The default
CA Single Sign-On
administrator account is named
S
iteMinder
. The account has maximum permissions.
Do not use the default super user for day-to-day operations. Use the default super user to:
  • Access the Administrative UI for the first time.
  • Manage
    CA Single Sign-On
    utilities for the first time.
  • Create another administrator with super user permissions.
Follow these steps:
  1. Copy the smreg utility to
    siteminder_home
    \bin.
    • siteminder_home
      Specifies the Policy Server installation path.
    The utility is at the top level of the Policy Server installation kit.
  2. Run the following command:
    smreg -su
    password
    • password
      Specifies the password for the default administrator.
    The password has the following requirements:
    • The password must contain at least six (6) characters and cannot exceed 24 characters.
    • The password cannot include an ampersand (&) or an asterisk (*).
    • If the password contains a space, enclose the passphrase with quotation marks.
    If you are configuring an Oracle policy store, the password is case-sensitive. The password is not case-sensitive for all other policy stores.
  3. Delete smreg from
    siteminder_home
    \bin. Deleting smreg prevents someone from changing the password without knowing the previous one.
The password for the default administrator account is set.
Import the Policy Store Data Definitions
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \xps\dd.
    • siteminder_home
      Specifies the Policy Server installation path.
  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    • XPSDDInstall
      Imports the required data definitions.
Import the Default Policy Store Objects
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
  • Be sure that you have write access to
    siteminder_home
    \bin. The import utility requires this permission to import the policy store objects.
    • siteminder_home
      Specifies the Policy Server installation path.
  • Before running a
    CA Single Sign-On
    utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for your
    CA Single Sign-On
    component.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \db.
  2. Import one of the following files:
    • To import smpolicy.xml, run the following command:
      XPSImport smpolicy.xml -npass
    • To import smpolicy–secure.xml, run the following command:
      XPSImport smpolicy-secure.xml -npass
      • npass
        Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
      Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects Consideration.
    • To import Option Pack functionality, run the following command:
      XPSImport ampolicy.xml -npass
    • To import federation functionality, run the following command:
      XPSImport fedpolicy-12.5.xml -npass
    The policy store objects are imported.
Importing ampolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from
CA Single Sign-On
. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Enable the Advanced Authentication Server
Enable the Advanced Authentication Server as part of configuring your Policy Server.
Follow these steps:
  1. Start the Policy Server configuration wizard.
  2. Perform one of the following steps:
    On Windows:
    Leave all the check boxes in the first screen of the wizard
    cleared
    and click Next.
    On Linux:
    Type 5 and press Enter.
  3. Create the master encryption key for the Advanced Authentication Server.
    If you are installing another (nth) Policy Server, use the same encryption key for the Advanced Authentication server that you used previously.
  4. Complete the rest of the Policy Server configuration wizard.
    The Advanced Authentication Server is enabled.
Prepare for the Administrative UI Registration
You use the default super user account (siteminder) to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
  • The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
  • (UNIX) Be sure that the
    CA Single Sign-On
    environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Run the following command:
    XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF
    • passphrase
      Specifies the password for the default super user account (siteminder).
      If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
    • -adminui–setup
      Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
    • -t timeout
      (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
      Unit of measurement:
      minutes
      Default:
      240 (4 hours)
      Minimum:
      15
      Maximum:
      1440 (24 hours)
    • -r retries
      (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
      Default:
      1
      Maximum:
      5
    • -c comment
      (Optional) Inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -cp
      (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -l log path
      (Optional) Specifies where the registration log file must be exported.
      Default:
      siteminder_home
      \log
      siteminder_home
      Specifies the Policy Server installation path.
    • -e error_path
      (Optional) Sends exceptions to the specified path.
      Default:
      stderr
    • -vT
      (Optional) Sets the verbosity level to TRACE.
    • -vI
      (Optional) Sets the verbosity level to INFO.
    • -vW
      (Optional) Sets the verbosity level to WARNING.
    • -vE
      (Optional) Sets the verbosity level to ERROR.
    • -vF
      (Optional) Sets the verbosity level to FATAL.
  3. Press Enter.
    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.