Configure Oracle Virtual Directory as a Policy Store
Contents
casso127
Contents
2
Oracle Virtual Directory (OVD) can function as a policy store. A single directory server instance can function as a:
- Policy store
- Key store
Using a single directory server simplifies administration tasks. This scenario describes how to configure a single directory server instance to store policy data and encryption keys.
If your implementation requires, you can configure a separate key store.
Gather Directory Server Information
casso127
Configuring an LDAP directory server as a policy store or upgrading an existing policy store requires specific directory server information. Gather the following information before beginning.
- Host informationSpecifies the fully-qualified host name or the IP Address of the directory server.
- Port information(Optional) Specifies a non-standard port.Default values:636 (SSL) and 389 (non-SSL)
- Administrative DNSpecifies the LDAP user name of a user who has privileges to create, read, modify, and delete objects in the LDAP tree underneath the policy store root object.
- Administrative passwordSpecifies the password for the Administrative DN.
- Policy store root DNSpecifies the distinguished name of the node in the LDAP tree where policy store objects are to be defined.
- SSL client certificateSpecifies the pathname of the directory where the SSL client certificate database file resides.Limit:SSL only
Extend the OVD Local Schema With the
CA Single Sign-On
Schema FilesExtend the Oracle Virtual Directory with the following
CA Single Sign-On
schema files:- ovd_sm_schema.ldif
- ovd_xps_schema.ldif
Follow these steps:
- Log in to the Policy Server host system.
- Navigate tositeminder_home/db/tier2/Oracle Virtual Directory and copy the following file to the OVD host system:ovd_sm_schema.ldif
- Navigate tositeminder_home/xps/db/schema_extension/db/Oracle Virtual Directory and copy the following file to the OVD host system.ovd_xps_schema.ldif
- Log in to the Oracle Virtual Directory system.
- Have the administrator of your directory server run the following commands to extend the local schema with theCA Single Sign-Onschema files:ldapmodify -h OVD_Host -p OVD_Port -D cn=Admin -w Admin_Password -v -a -f ovd_sm_schema.ldifldapmodify -h OVD_Host -p OVD_Port -D cn=Admin -w Admin_Password -v -a -f ovd_xps_schema.ldifdsconf reindex -h localhost -p OVD_Port -e "ou=Netegrity,root_database"
- OVD_HostSpecifies the OVD system IP Address or fully qualified domain name.
- OVD_PortSpecifies the port on which the OVD instance is running.
- cn=AdminSpecifies the OVD server admin with rights to modify the schema.
- Admin_PasswordSpecifies the server admin password.
Create an Oracle Virtual Directory Adapter to Connect to Existing Policy Store
To create an Oracle Virtual Directory LDAP adapter to connect to your existing policy store, use the Oracle Directory Services Manager.
Follow these steps:
- Log in to Oracle Directory Services Manager.
- Select Adapter from the task selection bar. The Adapter navigation tree appears.
- Click the Create Adapter button. The New Adapter Wizard appears.
- Specify the following values on the Type screen:
- Adapter TypeSelect LDAP.
- Adapter NameEnter a unique name for the LDAP adapter.
- Adapter TemplateSelect an adapter template that corresponds to the directory type of the existing policy store.
- Click Next.
- Enter the following values on the Connection screen (accept the defaults for all other settings):
- Use DNS for Auto DiscoverySelect No.
- HostEnter the hostname or IP address of the remote host.
- PortEnter the port at which the remote host instance is running.
- Server proxy Bind DNEnter the credentials of a directory user who has permission to modify directory contents.
- Proxy PasswordPassword for the user that is specified in theSecure proxy Bind DNfield.
- Click Next.
- On the Connection Test screen, click Next if the connection status is OK. Otherwise, click Back and troubleshoot your connection settings.
- Enter the following values on the Namespace screen (accept the defaults for all other settings):
- Remote Base:Click Browse and select the DN at which the policy data is stored.
- Mapped NamespaceEnter a local DN at which to map the policy data.
- Review the Summary page and click Finish.
Point the Policy Server to the Policy Store
You point the Policy Server to the policy store so the Policy Server can access the policy store.
Follow these steps:
- Open the Policy Server Management Console.casso127On Windows Server, if User Account Control (UAC) is enabled open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for yourCA Single Sign-Oncomponent.
- Click the Data tab.
- Select the following value from the Database list:Policy Store
- Select the following value from the Storage list:LDAP
- Configure the following settings in the LDAP Policy Store group box.
- LDAP IP Address
- Admin Username
- Password
- Confirm Password
- DN
You can click Help for a description of fields, controls, and their respective requirements. - Click Apply.
- Click Test LDAP Connection to verify that the Policy Server can access the policy store.
- Click OK.
Set the
CA Single Sign-On
Super User Passwordcasso127
The default administrator account is named
siteminder
. The account has maximum permissions.Do not use the default super user for day-to-day operations. Use the default super user to:
- Access the Administrative UI for the first time.
- ManageCA Single Sign-Onutilities for the first time.
- Create another administrator with super user permissions.
Follow these steps:
- Copy the smreg utility tositeminder_home\bin.
- siteminder_homeSpecifies the Policy Server installation path.
The utility is at the top level of the Policy Server installation kit. - Run the following command:smreg -supassword
- passwordSpecifies the password for the default administrator.
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
If you are configuring an Oracle policy store, the password is case–sensitive. The password is not case–sensitive for all other policy stores. - Delete smreg fromsiteminder_home\bin. Deleting smreg prevents someone from changing the password without knowing the previous one.
The password for the default administrator account is set.
Restart the Policy Server
casso127
You restart the Policy Server for certain settings to take effect.
Follow these steps:
- Open the Policy Server Management Console.
- Click the Status tab, and click Stop in the Policy Server group box.The Policy Server stops as indicated by the red stoplight.
- Click Start.The Policy Server starts as indicated by the green stoplight.Note: To restart the Policy Server on UNIX, execute either thestop-psandstart-pscommands orstop-allandstart-allcommands.
Prepare for the Administrative UI Registration
casso127
You use the default super user account to log into the Administrative UI for the first time. The initial login requires that you to register the Administrative UI with a Policy Server, which creates a trusted relationship between both components.
You prepare for the registration by using the XPSRegClient utility to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established.
Consider the following items:
- The time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following steps before installing the Administrative UI.
- (UNIX) Be sure that theCA Single Sign-Onenvironment variables are set before you use XPSRegClient. If the environment variables are not set, set them manually.
Follow these steps:
- Log in to the Policy Server host system.
- Run the following command:XPSRegClient super_user_account_name[:passphrase] -adminui-setup -ttimeout-rretries-ccomment-cp -llog_path-eerror_path-vT -vI -vW -vE -vF
- passphraseSpecifies the password for the default super user account.If you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one.
- -adminui–setupSpecifies that the Administrative UI is being registered with a Policy Server for the first–time.
- -ttimeout(Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.Unit of measurement:minutesDefault:240 (4 hours)Minimum:15Maximum:1440 (24 hours)
- -rretries(Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect administrator credentials when logging in to the Administrative UI for the first time.Default:1Maximum:5
- -ccomment(Optional) Inserts the specified comments into the registration log file for informational purposes.Surround comments with quotes.
- -cp(Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes.Surround comments with quotes.
- -llog_path(Optional) Specifies where the registration log file must be exported.Default:siteminder_home\logsiteminder_homeSpecifies the Policy Server installation path.
- -eerror_path(Optional) Sends exceptions to the specified path.Default:stderr
- -vT(Optional) Sets the verbosity level to TRACE.
- -vI(Optional) Sets the verbosity level to INFO.
- -vW(Optional) Sets the verbosity level to WARNING.
- -vE(Optional) Sets the verbosity level to ERROR.
- -vF(Optional) Sets the verbosity level to FATAL.
- Press Enter.XPSRegClient supplies the Policy Server with the administrator credentials. The Policy Server uses these credentials to verify the registration request when you log in to the Administrative UI for the first time.