Configure Microsoft Active Directory LDS as a Policy Store

Microsoft Active Directory LDS can function as a policy store. The Policy Server configuration wizard can set up this directory automatically as a policy store. However, if you did not use the wizard for set up, follow these instructions to set up the policy store up manually.
casso126
Microsoft Active Directory LDS can function as a policy store. The Policy Server configuration wizard can set up this directory automatically as a policy store. However, if you did not use the wizard for set up, follow these instructions to set up the policy store up manually.
You can use this single directory instance as a policy store and key store. Using a single directory server simplifies administration tasks. This topic includes a procedure to use the policy store as a key store. If your implementation requires, you can configure a separate key store.
This topic includes the following procedures:
Active Directory LDS Prerequisite
Only an administrative user in the configuration partition can import the policy store schema. This user must have administrative rights over the configuration partition and all application partitions, including the policy store partition.
Follow these steps:
  1. Create an administrative user in the configuration partition
  2. Open the ADSI Edit console.
  3. Navigate to the following in the configuration partition:
    cn=directory service, cn=windows nt,
    cn=services, cn=configuration, cn={guid}
  4. Locate the msDS-Other-Settings attribute.
  5. Add the following new value to the msDS-Other-Settings attribute:
    ADAMAllowADAMSecurityPrincipalsInConfigPartition=1
  6. In the configuration and policy store application partitions:
    1. Navigate to CN=Administrators, CN=Roles.
    2. Open the properties of CN=Administrators.
    3. Edit the member attribute.
    4. Click Add DN and paste the full DN of the user you created in the configuration partition in Step 1.
    5. Go to the properties of the user you created and verify the value for the following object:
      msDS-UserAccountDisabled
      Be sure that the value is set false.
    The administrative user has rights over the configuration partition and all application partitions, including the policy store partition.
Gather Directory Server Information
Configuring Active Directory LDS as a policy store requires specific directory server information. Gather the following information before configuring the policy store.
  • Host information
    —Determine the fully qualified name or the IP address of the directory server host system.
  • Port information
    —Determine if the directory server is listening on a non–standard port. If you do not provide port information, the
    CA Single Sign-On
    utilities you use to configure the policy store default to port 389 (non-SSL) and 636 (SSL).
  • Administrator DN
    —Determine the full domain name, including the guid value, of the directory server administrative user.
    Example
    : CN=user1,CN=People,CN=Configuration,CN,{guid}
  • Administrator password
    —Determine the password for the directory server administrative user.
  • Root DN of the application partition
    —Identify the root DN location of the application partition in the directory server where the policy store schema data must be installed.
  • (Optional)
    SSL client certificate
    —If the directory connection is made over SSL, determine the path of the directory that contains the SSL client certificate database.
Point the Policy Server to the Policy Store
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Note:
The Policy Server can bind to an AD LDS policy store using a proxy object. A proxy object is created on AD LDS and is associated with an Active Directory account through the Security Identifier of the account. For more information about binding to an AD LDS instance using a proxy object, see the Microsoft documentation. If you configure a Policy Server connection using a proxy object and plan on using password policies, configure AD LDS for SSL.
Follow these steps:
  1. Open the Policy Server Management Console.
    casso126
    On Windows Server, if User Account Control (UAC) is enabled open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your
    CA Single Sign-On
    component.
  2. Click the Data tab.
  3. Select the following value from the Database list:
    Policy Store
  4. Select the following value from the Storage list:
    LDAP
  5. Configure the following settings in the LDAP Policy Store group box.
    • LDAP IP Address
    • Admin Username
      Specify the full domain name, including the guid value, of the directory server administrator.
    • Password
    • Confirm Password
    • Root DN
      Specifies the existing root DN location of the application partition in the AD LDS server. The existing root DN location is where the policy store schema is imported.
    You can click Help for a description of fields, controls, and their respective requirements.
  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
  8. To use the policy store database as a key store, select the following value from the Database list:
    Key Store
  9. Select the following option:
    Use Policy Store database
  10. Click OK.
Create the Policy Store Schema
You create the policy store schema so the directory server can function as a policy store and store
CA Single Sign-On
objects.
Follow these steps:
  1. Run the following command:
    smldapsetup ldgen -f
    file_name
    • file_name
      Specifies the name of the LDIF file you are creating.
    An LDIF file with the
    CA Single Sign-On
    schema is created.
  2. Run the following command:
    smldapsetup ldmod -f
    file_name
    • file_name
      Specifies the name of the LDIF you created.
    smldapsetup imports the policy store schema.
  3. Navigate to
    siteminder_home\
    xps\db and open the following file:
    ADLDS.ldif
    • siteminder_home
      Specifies the Policy Server installation path.
  4. Replace each instance of {guid} with the actual value of guid in braces and save the file.
    Example:
    {CF151EA3-53A0-44A4-B4AC-DA0EBB1FF200}
  5. Run the following command:
    smldapsetup ldmod -f
    siteminder_home
    \xps\db\ADLDS.ldif
    The policy store schema is extended. You have created the policy store schema.
Set the Super User Password
The default
CA Single Sign-On
administrator account is named
siteminder
. The account has maximum permissions.
Do not use the default super user for day-to-day operations. Use the default super user to:
  • Access the Administrative UI for the first time.
  • Manage
    CA Single Sign-On
    utilities for the first time.
  • Create another administrator with super user permissions.
Follow these steps:
  1. Copy the smreg utility to
    siteminder_home
    \bin.
    • siteminder_home
      Specifies the Administrative Policy Server installation path.
    The utility is at the top level of the Administrative Policy Server installation kit.
  2. Run the following command:
    smreg -su
    password
    • password
      Specifies the password for the default administrator.
    The password has the following requirements:
    • The password must contain at least six (6) characters and cannot exceed 24 characters.
    • The password cannot include an ampersand (&) or an asterisk (*).
    • If the password contains a space, enclose the passphrase with quotation marks.
    If you are configuring an Oracle policy store, the password is case-sensitive. The password is not case-sensitive for all other policy stores.
  3. Delete smreg from
    siteminder_home
    \bin. Deleting smreg prevents someone from changing the password without knowing the previous one.
The password for the default administrator account is set.
Import the Policy Store Data Definitions
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \xps\dd.
    • siteminder_home
      Specifies the Administrative Policy Server installation path.
  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    • XPSDDInstall
      Imports the required data definitions.
Import the Default Policy Store Objects
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Administrative Policy Server.
Consider the following items:
  • Be sure that you have write access to
    siteminder_home
    \bin. The import utility requires this permission to import the policy store objects.
    • siteminder_home
      Specifies the Administrative Policy Server installation path.
  • If Windows User Account Control (UAC) is enabled, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for your
    CA Single Sign-On
    component.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \db.
  2. Import one of the following files:
    • To import smpolicy.xml, run the following command:
      XPSImport smpolicy.xml -npass
    • To import smpolicy–secure.xml, run the following command:
      XPSImport smpolicy-secure.xml -npass
      • npass
        Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
      Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects and Schema Files.
    • To import Option Pack functionality, run the following command:
      XPSImport ampolicy.xml -npass
    • To import federation functionality, run the following command:
      XPSImport fedpolicy-12.5.xml -npass
    • To use OAuth or OpenID Connect, run the following command to import the default OAuth entities and default claims and scopes objects for OpenID Connect:
      XPSImport default-fedobjects-config.xml -npass
      -npass
      specifies that no passphrase is required.
    The policy store objects are imported.
Importing ampolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from
CA Single Sign-On
. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Restart the Policy Server
casso126
You restart the Policy Server for certain settings to take effect.
 
Follow these steps:
 
  1. Open the Policy Server Management Console.
  2. Click the Status tab, and click Stop in the Policy Server group box.
    The Policy Server stops as indicated by the red stoplight.
  3. Click Start.
    The Policy Server starts as indicated by the green stoplight.
     
    Note
    : To restart the Policy Server on UNIX, execute either the 
    stop-ps
     and 
    start-ps
     commands or
     stop-all
     and 
    start-all
     commands.
Prepare for the Administrative UI Registration
You use the default super user account to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with Administrative Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Administrative Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
  • The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
  • (UNIX) Be sure that the
    CA Single Sign-On
    environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.
Follow these steps:
  1. Log in to the Administrative Policy Server host system.
  2. Run the following command:
    XPSRegClient super_user_account_name[:
    passphrase
    ] -adminui-setup -t
    timeout
    -r
    retries
    -c
    comment
    -cp -l
    log_path
    -e
    error_path
    -vT -vI -vW -vE -vF
    • passphrase
      Specifies the password for the default super user account.
      If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
    • -adminui–setup
      Specifies that the Administrative UI is being registered with Administrative Policy Server for the first–time.
    • -t
      timeout
      (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with Administrative Policy Server. The Administrative Policy Server denies the registration request when the timeout value is exceeded.
      Unit of measurement:
      minutes
      Default:
      240 (4 hours)
      Minimum:
      15
      Maximum:
      1440 (24 hours)
    • -r
      retries
      (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
      Default:
      1
      Maximum:
      5
    • -c
      comment
      (Optional) Inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -cp
      (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -l
      log_path
      (Optional) Specifies where the registration log file must be exported.
      Default:
      siteminder_home
      \log
      siteminder_home
      Specifies the Administrative Policy Server installation path.
    • -e
      error_path
      (Optional) Sends exceptions to the specified path.
      Default:
      stderr
    • -vT
      (Optional) Sets the verbosity level to TRACE.
    • -vI
      (Optional) Sets the verbosity level to INFO.
    • -vW
      (Optional) Sets the verbosity level to WARNING.
    • -vE
      (Optional) Sets the verbosity level to ERROR.
    • -vF
      (Optional) Sets the verbosity level to FATAL.
  3. Press Enter.
    XPSRegClient supplies the Administrative Policy Server with the administrator credentials. The Administrative Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.