Configure Oracle Unified Directory as a Policy Store

Contents
casso127
Contents
2
Oracle Unified Directory (OUD) can function as a policy store. A single directory server instance can function as a:
  • Policy store
  • Key store
Using a single directory server simplifies administration tasks. This scenario describes how to configure a single directory server instance to store policy data and encryption keys.
If your implementation requires, you can configure a separate key store.
Gather Directory Server Information
casso127
Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning.
  • Host information
    Specifies the fully-qualified host name or the IP Address of the directory server.
  • Port information
    (Optional) Specifies a non-standard port.
    Default values:
    636 (SSL) and 389 (non-SSL)
  • Administrative DN
    Specifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.
  • Administrative password
    Specifies the password for the Administrative DN.
  • Policy store root DN
    Specifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.
  • SSL client certificate
    Specifies the pathname of the directory where the SSL client certificate database file resides.
    Limit:
    SSL only
How to Configure the Oracle Unified Directory Instance
Oracle Unified Directory requires more configuration before you can use it as a policy store. The following process lists the configuration steps:
  1. Specify the
    CA Single Sign-On
    schema files on Windows or UNIX.
  2. Configure policy store indexing on Windows or UNIX.
Specify the
CA Single Sign-On
Schema Files on Windows
Specify the schema files.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Navigate to
    ps_home\
    db\tier2\OUD and copy the following file to the schema folder (
    oud_instance\
    config\schema) in the Oracle Unified Directory installation directory:
    oud_sm_schema.ldif
    • ps_home
      Specifies the Policy Server installation path.
    • oud_instance
      Specifies the name of the Oracle Unified Directory instance.
  3. Navigate to
    ps_home\
    xps\db\schema_extension\db\OUD and copy the following file to the schema folder (
    oud_instance\
    config\schema) in the Oracle Unified Directory installation directory:
    oud_XPS_schema.ldif
The
CA Single Sign-On
schema files are specified.
Specify the
CA Single Sign-On
Schema Files on UNIX
Specify the schema files.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Navigate to
    ps_home
    /db/tier2/OUD and copy the following file to the schema folder (
    oud_instance
    /config/schema) in the Oracle Unified Directory installation directory:
    oud_sm_schema.ldif
    • ps_home
      Specifies the Policy Server installation path.
    • oud_instance
      Specifies the name of the Oracle Unified Directory instance.
  3. Navigate to
    ps_home
    /xps/db/schema_extension/db/OUD and copy the following file to the schema folder (
    oud_instance
    /config/schema) in the Oracle Unified Directory installation directory:
    oud_XPS_schema.ldif
The
CA Single Sign-On
schema files are specified.
Configure Policy Store Indexing on Windows
Specify indexing in the Oracle Unified Directory instance config file (
oud_instance\
config\config.ldif) to use Oracle Unified Directory as a policy store.
Follow these steps:
  1. Stop the Oracle Unified Directory instance.
  2. Open the
    oud_instance\
    config\config.ldif file with a text editor.
    • oud_instance
      Specifies the name of the Oracle Unified Directory instance.
  3. Locate the following lines:
    dn: cn=Index,cn=userRoot,cn=Workflow Elements,cn=config
    objectClass: top
    objectClass: ds-cfg-branch
    cn: Index
  4. Insert a new line in the file, and then add the contents from the following files:
    • ps_home\
      db/tier2\OUD\oud_sm_indexes.ldif
    • ps_home\
      xps\db\ schema_extension\db\OUD\oud_xps_index.ldif.
  5. Save the file and close the text editor.
  6. To rebuild the indexes, navigate to
    oud_instance\
    bat and run the following command .
    rebuild-index.bat -b base_dn --rebuildAll -h hostname -p OUD_administration_port -D "cn=Directory Manager" -j <bindpasswordfile> -X -t 0 --completionNotify emailAddress
    • casso127
      base_dn
      Specifies the base DN of a back end that supports indexing. The index is rebuilt within the scope of the given base DN.
      hostname
      Specifies the fully qualified hostname or IP address of the directory server. If not provided, defaults to localhost.
      OUD_administration_port
      Specifies the administration port of the directory server. If not provided, the default administration port (44444) is used.
      bindpasswordfile
      Specifies the file that contains the bind password to use when authenticating to the directory server.
      completionNotify
      Specifies the email address of a recipient to be notified when the task completes. This option can be specified more than once in a single command.
  7. Restart the Oracle Unified Directory instance after the rebuild task is completed.
Policy store indexing for Oracle Unified Directory is specified.
Specify Policy Store Indexing on UNIX
Specify indexing in the Oracle Unified Directory instance config file (
oud_instance/
config/config.ldif) to use Oracle Unified Directory as a policy store.
Follow these steps:
  1. Stop the Oracle Unified Directory instance.
  2. Open the
    oud_instance
    /config/config.ldif file with a text editor.
    • oud_instance
      Specifies the name of the Oracle Unified Directory instance.
  3. Locate the following lines:
    dn: cn=Index,cn=userRoot,cn=Workflow Elements,cn=config
    objectClass: top
    objectClass: ds-cfg-branch
    cn: Index
  4. Insert a new line in the file, and then add the contents from the following files:
    • ps_home
      /db/tier2/OUD/oud_sm_indexes.ldif
    • ps_home
      /xps/db/ schema_extension/db/OUD/oud_xps_index.ldif.
    • ps_home
      Specifies the Policy Server installation path.
  5. Save the file and close the text editor.
  6. Navigate to
    oud_instance/
    bin and run the following command to rebuild the indexes.
    rebuild-index -b base_dn --rebuildAll -h hostname -p OUD_administration_port -D "cn=Directory Manager" -j bindpasswordfile -X -t 0 --completionNotify emailAddress
    • casso127
      base_dn
      Specifies the base DN of a back end that supports indexing. The index is rebuilt within the scope of the given base DN.
      hostname
      Specifies the fully qualified hostname or IP address of the directory server. If not provided, defaults to localhost.
      OUD_administration_port
      Specifies the administration port of the directory server. If not provided, the default administration port (44444) is used.
      bindpasswordfile
      Specifies the file that contains the bind password to use when authenticating to the directory server.
      completionNotify
      Specifies the email address of a recipient to be notified when the task completes. This option can be specified more than once in a single command.
  7. Restart the Oracle Unified Directory instance after the rebuild task is completed.
The policy store indexing for Oracle Unified Directory is specified.
How to Create the Database
The following process lists the steps for creating the directory server database for the policy store:
  1. Create the base tree structure.
  2. Add entries.
Create the Base Tree Structure
To create a base tree structure to store policy store objects, specify the following entry under the root DN:
ou=Netegrity,ou=SiteMinder,ou=PolicySvr4
Add Entries to the Database
Add entries to the directory server so that
CA Single Sign-On
has the necessary organization and organizational role information.
Follow these steps:
  1. Create an LDIF file.
    Example
    : The following example contains an organization entry and an organizational role entry for the entries.ldif.
    # CA, example.com
    dn: ou=Netegrity,dc= example,dc=com
    ou: CA
    objectClass: organizationalUnit
    objectClass: top
     
    # SiteMinder, CA, example.com
    dn: ou=SiteMinder,ou=CA,dc= example,dc=com
    ou: SiteMinder
    objectClass: organizationalUnit
    objectClass: top
     
    # PolicySvr4, SiteMinder, CA, example.com
    dn: ou=PolicySvr4,ou=SiteMinder,ou=CA,dc= example,dc=com
    ou: PolicySvr4
    objectClass: organizationalUnit
    objectClass: top
  2. Run the following command to add the entries.
    ldapmodify -h hostname -p port -D bindDN -j pwd_file -a -f LDIF_file_name
    • hostname
      Specifies the fully qualified hostname or IP address of the directory server.
      Default
      : localhost.
    • port
      Specifies the port on which to contact the directory server.
      Default
      : 389
    • BindDN
      Specifies the bind DN to authenticate to the directory server.
      Default
      : cn=Directory Manager
    • pwd_file
      Specifies the file that contains the bind password for authenticating to the directory server.
    • LDIF_file_name
      Specifies the LDIF file that you created in Step 1.
Point the Policy Server to the Policy Store
casso127
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
  1. Open the Policy Server Management Console.
    casso127
    On Windows Server, if User Account Control (UAC) is enabled open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your
    CA Single Sign-On
    component.
  2. Click the Data tab.
  3. Select the following value from the Database list:
    Policy Store
  4. Select the following value from the Storage list:
    LDAP
  5. Configure the following settings in the LDAP Policy Store group box.
    • LDAP IP Address
    • Admin Username
    • Password
    • Confirm Password
    • Root DN
    You can click Help for a description of fields, controls, and their respective requirements.
  6. Click Apply.
  7. Click Test LDAP Connection to verify that the Policy Server can access the policy store.
  8. Select the following value from the Database list:
    Key Store
  9. Select the following value from the Storage list:
    LDAP
  10. Select the following option:
    Use Policy Store database
  11. Click OK.
Set the
CA Single Sign-On
Super User Password
casso127
The default administrator account is named
siteminder
. The account has maximum permissions.
Do not use the default super user for day-to-day operations. Use the default super user to:
  • Access the Administrative UI for the first time.
  • Manage
    CA Single Sign-On
    utilities for the first time.
  • Create another administrator with super user permissions.
Follow these steps:
  1. Copy the smreg utility to
    siteminder_home
    \bin.
    • siteminder_home
      Specifies the Policy Server installation path.
    The utility is at the top level of the Policy Server installation kit.
  2. Run the following command:
    smreg -su 
    password
    • password
      Specifies the password for the default administrator.
    The password has the following requirements:
    • The password must contain at least six (6) characters and cannot exceed 24 characters.
    • The password cannot include an ampersand (&) or an asterisk (*).
    • If the password contains a space, enclose the passphrase with quotation marks.
    If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores.
  3. Delete smreg from
    siteminder_home
    \bin. Deleting smreg prevents someone from changing the password without knowing the previous one.
The password for the default administrator account is set.
Import the Policy Store Data Definitions
casso127
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \xps\dd.
    • siteminder_home
      Specifies the Policy Server installation path.
  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    • XPSDDInstall
      Imports the required data definitions.
Import the Default Policy Store Objects
casso127
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
  • Be sure that you have write access to
    siteminder_home
    \bin. The import utility requires this permission to import the policy store objects.
    • siteminder_home
      Specifies the Policy Server installation path.
  • If Windows User Account Control (UAC) is enabled, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges. For more information, see the release notes for your
    CA Single Sign-On
    component.
Follow these steps:
  1. Open a command window and navigate to
    siteminder_home
    \db.
  2. Import one of the following files:
    • To import smpolicy.xml, run the following command:
      XPSImport smpolicy.xml -npass
    • To import smpolicy–secure.xml, run the following command:
      XPSImport smpolicy-secure.xml -npass
      • npass
        Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
      Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The smpolicy–secure file provides more restrictive security settings. For more information, see Default Policy Store Objects and Schema Files.
    • To import Option Pack functionality, run the following command:
      XPSImport ampolicy.xml -npass
    • To import federation functionality, run the following command:
      XPSImport fedpolicy-12.5.xml -npass
    • To use OAuth or OpenID Connect, run the following command to import the default OAuth entities and default claims and scopes objects for OpenID Connect:
      XPSImport default-fedobjects-config.xml -npass
      -npass
      specifies that no passphrase is required.
    The policy store objects are imported.
Importing ampolicy.xml makes available legacy federation and Web Service Variables functionality that is separately licensed from
CA Single Sign-On
. If you intend on using the latter functionality, contact your CA account representative for licensing information.
Prepare for the Administrative UI Registration
casso127
You use the default super user account to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
  • The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
  • (UNIX) Be sure that the
    CA Single Sign-On
    environment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Run the following command:
    XPSRegClient super_user_account_name[:
    passphrase
    ] -adminui-setup -t 
    timeout 
    -r 
    retries 
    -c 
    comment 
    -cp -l 
    log_path 
    -e 
    error_path 
    -vT -vI -vW -vE -vF
    • passphrase
      Specifies the password for the default super user account.
      If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
    • -adminui–setup
      Specifies that the Administrative UI is being registered with a Policy Server for the first–time.
    • -t
      timeout
      (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.
      Unit of measurement:
      minutes
      Default:
      240 (4 hours)
      Minimum:
      15
      Maximum:
      1440 (24 hours)
    • -r
      retries
      (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.
      Default:
      1
      Maximum:
      5
    • -c
      comment
      (Optional) Inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -cp
      (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.
      Surround comments with quotes.
    • -l
      log_path
      (Optional) Specifies where the registration log file must be exported.
      Default:
      siteminder_home
      \log
      siteminder_home
      Specifies the Policy Server installation path.
    • -e
      error_path
      (Optional) Sends exceptions to the specified path.
      Default:
      stderr
    • -vT
      (Optional) Sets the verbosity level to TRACE.
    • -vI
      (Optional) Sets the verbosity level to INFO.
    • -vW
      (Optional) Sets the verbosity level to WARNING.
    • -vE
      (Optional) Sets the verbosity level to ERROR.
    • -vF
      (Optional) Sets the verbosity level to FATAL.
  3. Press Enter.
    XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.