How to Configure a CA Directory Key Store
You can configure CA Directory to function as a key store.
Gather Directory Server Information
Gather the following information before configuring the key store:
- Host information—Determine the fully qualified host name or the IP address of the system on which CA Directory is running.
- DSA port number—Determine the port on which the DSA is to listen.
- Base DN—Determine the distinguished name of the node in the LDAP tree in which key store objects are to be defined.
- Administrative DN—Determine the LDAP user name (distinguished name) of the account that CA Single Sign-On is to use to manage objects in the DSA.
- Administrative password—Determine the password for the administrative user.
Create a DSA for the Key Store
Follow these steps:
- Create the DSA by running the following command:
dxnewdsa DSA_Name port "o=DSA_Name,c=country_code"
- DSA_Name: Specifies the name of the DSA.
- port: Specifies the port on which the DSA is to listen.
- o=DSA_Name,c=country_code: Specifies the DSA prefix. Example: "o=psdsa,c=US"
The dxnewdsa utility starts the new DSA.
If the DSA does not automatically start, run the following command:
dxserver start DSA_Name
Create the Key Store Schema
Create the key store schema so that the directory server can function as a key store.
By default, CA Directory configuration files are read-only. Any CA Directory file that you are instructed to modify must first be given write permission. Once the file is updated, you can revert the permission to read-only. Also, all the default.xxx files provided by CA Directory are overwritten during a CA Directory upgrade; the steps below therefore copy default.dxg and default.dxc under new names instead of editing the originals. Use caution when modifying any read-only files.
Follow these steps:
- Copy the following files into the CA Directory DXHOME\config\schema directory:
- netegrity.dxc
- etrust.dxc
- DXHOME: Specifies the Directory Server installation path.
- Windows: %DXHOME%
- Unix/Linux: $DXHOME
The netegrity.dxc file is installed with Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with Policy Server in siteminder_home\xps\db.
- siteminder_home: Specifies the Policy Server installation path.
- Create a CA Single Sign-On schema file by copying the default.dxg schema file and renaming it. Note: The default.dxg schema file is located at DXHOME\config\schema\default.dxg. Example: Copy the default.dxg schema file and rename the copy to smdsa.dxg.
- Add the following lines to the bottom of the new CA Single Sign-On schema file:
# CA Schema
source "netegrity.dxc";
source "etrust.dxc";
- Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new CA Single Sign-On schema file.
- DSA_Name: Represents the name of the DSA you created for the key store.
The DXI file is located in DXHOME\config\servers.
- Add the following lines to the end of the DXI file of the DSA:
- Release 12:
# cache configuration
set max-cache-size = 100;
set cache-attrs = all-attributes;
set cache-load-all = true;
set ignore-name-bindings = true;
The max-cache-size entry is the total cache size in MB. Adjust this value based on the total memory available on the CA Directory server and the overall size of the key store.
- Release 12 SP1 or later:
# cache configuration
set ignore-name-bindings = true;
- Copy the default limits DXC file of the DSA (default.dxc) to create a CA Single Sign-On DXC file. Example: Copy the default DXC file and rename the copy smdsa.dxc. The default DXC file is located in DXHOME\dxserver\config\limits.
- Edit the settings in the new DXC file to match the following values. Warning: The multi-write-queue setting is for text-based configurations only. If the DSA is set up with DXmanager, omit this setting.
# size limits
set max-users = 1000;
set credits = 5;
set max-local-ops = 1000;
set max-op-size = 4000;
set multi-write-queue = 20000;
Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files.
- Save the DXC file.
- Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new CA Single Sign-On limits file. Example: Change the limits configuration from default.dxc to smdsa.dxc.
- DSA_Name: Represents the name of the DSA you created for the key store. The DXI file of the DSA is located in DXHOME\config\servers. If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
- As the DSA user, stop and restart the DSA using the following commands:
dxserver stop DSA_Name
dxserver start DSA_Name
- DSA_Name: Specifies the name of the DSA.
The key store schema is created.
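The schema and limits steps above, scripted as an added example. This is not CA-supplied tooling and is not from the original page. It assumes a DSA created with a text configuration (not DXmanager) on Release 12 SP1 or later, that the limits files live in $DXHOME/config/limits (the page gives DXHOME\dxserver\config\limits; check your install), that netegrity.dxc and etrust.dxc are under siteminder_home/eTrust and siteminder_home/xps/db as stated above, and that the DSA .dxi sources "../schema/default.dxg" and "../limits/default.dxc". The copies inherit the read-only bit from the default files, so each function grants write permission before appending, and the .dxi is replaced through a temporary file rather than edited in place.

```sh
#!/bin/sh
# Added example, not CA-supplied tooling: scripts the "Create the Key Store
# Schema" steps for one DSA. Assumptions: text-based DSA configuration,
# CA Directory 12 SP1 or later, limits files in $DXHOME/config/limits, and
# netegrity.dxc / etrust.dxc under siteminder_home/eTrust and siteminder_home/xps/db.
set -eu

# Copy the two CA SSO schema files from the Policy Server install.
# Usage: copy_ca_schema SITEMINDER_HOME DXHOME
copy_ca_schema() {
    cp "$1/eTrust/netegrity.dxc" "$1/xps/db/etrust.dxc" "$2/config/schema/"
}

# Copy default.dxg to a new schema group file and source the CA schema files
# at its end. The copy inherits the read-only bit, so grant write first.
# Usage: make_schema DXHOME smdsa.dxg
make_schema() {
    dir=$1/config/schema
    cp "$dir/default.dxg" "$dir/$2"
    chmod u+w "$dir/$2"
    printf '\n# CA Schema\nsource "netegrity.dxc";\nsource "etrust.dxc";\n' >> "$dir/$2"
}

# Copy default.dxc to a new limits file and force the size limits from the
# procedure: existing "set key = ...;" lines are rewritten, missing ones appended.
# Usage: make_limits DXHOME smdsa.dxc
make_limits() {
    dir=$1/config/limits
    cp "$dir/default.dxc" "$dir/$2"
    chmod u+w "$dir/$2"
    for kv in max-users=1000 credits=5 max-local-ops=1000 \
              max-op-size=4000 multi-write-queue=20000; do
        key=${kv%%=*}
        val=${kv#*=}
        if grep -q "^set $key *=" "$dir/$2"; then
            sed "s/^set $key *=.*/set $key = $val;/" "$dir/$2" > "$dir/$2.tmp"
            mv -f "$dir/$2.tmp" "$dir/$2"
        else
            printf 'set %s = %s;\n' "$key" "$val" >> "$dir/$2"
        fi
    done
}

# Point the DSA .dxi at the new schema and limits files and append the
# 12 SP1+ cache setting. Goes through a temp file so a read-only .dxi is
# replaced rather than edited in place.
# Usage: patch_dxi DXHOME DSA_Name smdsa.dxg smdsa.dxc
patch_dxi() {
    dxi=$1/config/servers/$2.dxi
    sed -e "s/default\\.dxg/$3/" -e "s/default\\.dxc/$4/" "$dxi" > "$dxi.tmp"
    mv -f "$dxi.tmp" "$dxi"
    printf '\n# cache configuration\nset ignore-name-bindings = true;\n' >> "$dxi"
}

# Run all steps for one DSA. Afterwards restart it as the DSA user:
#   dxserver stop DSA_Name; dxserver start DSA_Name
# Usage: configure_keystore_dsa SITEMINDER_HOME DXHOME DSA_Name
configure_keystore_dsa() {
    copy_ca_schema "$1" "$2"
    make_schema "$2" smdsa.dxg
    make_limits "$2" smdsa.dxc
    patch_dxi "$2" "$3" smdsa.dxg smdsa.dxc
}
```

Run it as the DSA user after dxnewdsa has created the DSA, then stop and start the DSA as in the last step. For a Release 12 DSA, add the max-cache-size, cache-attrs and cache-load-all lines to patch_dxi as listed above; for a DXmanager-managed DSA, drop multi-write-queue from make_limits and edit dxmanager.dxc instead of default.dxc.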
Open the DSA
Create a view into the directory server to manage objects.
Follow these steps:
- Ensure that the database is configured for an anonymous login.
- Launch the JXplorer GUI.
- Select the connect icon.
- Enter host_name_or_IP_address in the Host Name field.
- host_name_or_IP_address: Specifies the host name or IP address of the system where CA Directory is running.
- Enter port_number in the Port Number field.
- port_number: Specifies the port on which the DSA is listening.
- Enter o=DSA_Name,c=country_code in the Base DN field. Example: o=psdsa,c=US
- Select Anonymous from the Level list and click Connect.
Create the Base Tree Structure for Key Store Data
Create a base tree structure to hold key store data. Use the JXplorer GUI to create the organizational units.
Follow these steps:
- Select the root element of your DSA.
- Create an organizational unit named Netegrity under the root element.
- Create an organizational unit named SiteMinder under Netegrity.
- Create an organizational unit named PolicySvr4 under SiteMinder.
- Create an organizational unit named XPS under PolicySvr4.
Create a Superuser Administrator for the DSA
You have to create a superuser administrator only if you do not have an administrator account that CA Single Sign-On can use to access the DSA. Policy Server requires this information to connect to the key store.
Follow these steps:
- Use the JXplorer GUI to access the DSA.
- Create an administrator of the following object type that CA Single Sign-On can use to connect to the key store: inetOrgPerson
- Note the administrator DN and password. Use these credentials when pointing Policy Server to the key store.
Example:
dn: cn=admin,o=yourcompany,c=in
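The base tree structure and the superuser administrator from the two sections above, expressed as LDIF so they can be loaded with a command-line LDAP client instead of clicked through in JXplorer. This is an added example, not from the original page or CA. It assumes the DSA prefix is the Base DN (o=psdsa,c=US in the page's example), that the administrator entry is created directly under that prefix, and that the password is supplied through the KEYSTORE_ADMIN_PW environment variable (a name chosen here) so it never appears on a command line.

```sh
#!/bin/sh
# Added example, not CA-supplied tooling: generate the LDIF for the key store
# base tree (Netegrity > SiteMinder > PolicySvr4 > XPS) and the inetOrgPerson
# administrator. Assumes the Base DN is the DSA prefix and that the password
# arrives via the KEYSTORE_ADMIN_PW environment variable (assumed name).
set -eu

# Print the four organizational units, parent before child, so one ldapadd
# run succeeds in a single pass. Usage: keystore_tree_ldif BASE_DN
keystore_tree_ldif() {
    parent=$1
    for ou in Netegrity SiteMinder PolicySvr4 XPS; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$parent" "$ou"
        parent="ou=$ou,$parent"
    done
}

# Print the administrator entry CA Single Sign-On will bind with.
# inetOrgPerson requires cn and sn, so both are set from the CN.
# Usage: keystore_admin_ldif BASE_DN ADMIN_CN PASSWORD
keystore_admin_ldif() {
    printf 'dn: cn=%s,%s\nobjectClass: inetOrgPerson\ncn: %s\nsn: %s\nuserPassword: %s\n\n' \
        "$2" "$1" "$2" "$2" "$3"
}

# Complete LDIF for one key store: tree first, then the administrator.
# Usage (anonymous bind, matching the procedure's JXplorer connection):
#   KEYSTORE_ADMIN_PW='...' keystore_ldif "o=psdsa,c=US" admin \
#       | ldapadd -x -H ldap://dirhost:port
keystore_ldif() {
    keystore_tree_ldif "$1"
    keystore_admin_ldif "$1" "$2" "${KEYSTORE_ADMIN_PW:?set KEYSTORE_ADMIN_PW}"
}
```

The ldapadd flags shown are OpenLDAP's; CA Directory ships its own LDAP client tools that accept the same LDIF. The resulting DN (cn=admin,o=psdsa,c=US) and the password are what you enter as Admin Username and Password when pointing the Policy Server to the key store. Because the key store holds key material, treat the anonymous login required for this bootstrap as temporary: once the Policy Server connects with the administrator DN, restrict anonymous access to the subtree.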
Point the Policy Server to the Key Store
Point Policy Server to the key store so that Policy Server can access the key store.
Follow these steps:
- Open the Policy Server Management Console. If you are accessing this graphical user interface on Windows Server, open the shortcut with Administrator permissions. Use the Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On component.
- Click the Data tab.
- Select the following value from the Database list:Key Store
- Select the following value from the Storage list:LDAP
- Configure the following settings in the LDAP Key Store group box:
- LDAP IP Address
- Admin Username
- Password
- Confirm Password
- Root DN
- Click Apply.
- Click Test LDAP Connection to verify that the Policy Server can access the key store.
- Click OK.
- Restart Policy Server.