Configuring OpenLDAP as a SiteMinder Policy Store

OverviewSiteMinder supports OpenLDAP for use as a Policy Store. OpenLDAP provides a freely available, replicated directory that can be used as a redundant store for SiteMinder's configuration information. Unfortunately, the SiteMinder documentation covering how to configure OpenLDAP is at best incomplete and at worst incorrect. This article breaks down the steps required to enable OpenLDAP to be a Policy Store and configure the Policy Server to leverage the directory. Keep in mind that SiteMinder currently only supports OpenLDAP 2.3.x. This means that only Master/Slave replication is supported. While this is sufficient to ensure the availability of the Policy Store, if the Master directory is down, no policy or key updates can be performed. This article also assumes that the Key Store is set to the default setting of using the Policy Store as the location to store key information. Switch the directory paths outlined below to use backslashes if these steps are being performed on Windows.

1. Download and Install OpenLDAP This article does not cover the specific details on how to build and install OpenLDAP. The details for this can be found on the OpenLDAP site. A quick start guide is located there as well.

2. Download the OpenLDAP Schema Files for SiteMinder OpenLDAP is considered a "Tier 2" directory for SiteMinder. As such, the ability to configure the directory as a Policy Store is not automated. In order to obtain the needed schema files for the Policy Store, the "CA SiteMinder Tier 2 Directories- ESD Only" package must be downloaded. To download this file (current as of 10/12/2011):

  1. Log in to the Technical Support Site
  2. Click "Download Center" in the lefthand navigation
  3. Type siteminder into the "Select a Product" field
  4. Select the listed SiteMinder product
  5. Select 12.0 in the "Select a Release" drop-down
  6. Select SP3 in the "Select a Gen level" drop-down
  7. Click the [GO] button
  8. Scroll down to the bottom of the list of returned downloads
  9. Download and unzip the "CA SiteMinder Tier 2 Directories- ESD Only" download to the Policy Server

3. Configure OpenLDAP To Support the SiteMinder Policy Store The OpenLDAP server requires manual configuration to support its use as a SiteMinder Policy Store. The following steps are required:

3a. Copy the Policy Store schema files into the OpenLDAP schema directory 3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration 3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store 3d. Create the base Policy Store structure 3e. Restart OpenLDAP

Note that these instructions assume that the install location for OpenLDAP is under the /usr/local path and the default directories are used. For this example, the root of the directory is "dc=company,dc=com" for the location of the Policy Store. These steps will need to be modified if a different path or directory structure is used.

3a. Copy the Policy Store schema files into the OpenLDAP schema directory The OpenLDAP schema needs to be extended to support the SiteMinder Policy Store objects. This is done by copying the schema files to the server and adding them into the slapd.conf configuration file. To copy the schema files:

  1. If not already done, unzip the Tier 2 directory support zip file to a known location (I used "/home/installers" for these steps)
  2. Copy the following files to the "/usr/local/etc/openldap/schema" directory by running the following commands:
cp /home/installers/Tier2DirSupport/openldap/openldap_attribute.schema /usr/local/etc/openldap/schema
cp /home/installers/Tier2DirSupport/openldap/openldap_object.schema /usr/local/etc/openldap/schema
cp /home/installers/Tier2DirSupport/xps/openldap/openldap_attribute_XPS.schema /usr/local/etc/openldap/schema
cp /home/installers/Tier2DirSupport/xps/openldap/openldap_object_XPS.schema /usr/local/etc/openldap/schema

The schema files now need to be added into the OpenLDAP configuration.

3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration Once the Policy Store schema files are copied into the correct location, they need to be added to the OpenLDAP configuration. This is done by adding them to the slapd.conf file. In this example, the slapd.conf file is located in the "/usr/local/etc/openldap" directory. To include the files:

  1. Edit the slapd.conf file with your favorite editor (e.g. vi slapd.conf)
  2. Add the following lines to the file under the "include /usr/local/etc/openldap/schema/core.schema" line and then save the configuration (note that other changes to this file will be made in later steps):
include         /usr/local/etc/openldap/schema/openldap_attribute.schema
include         /usr/local/etc/openldap/schema/openldap_object.schema
include         /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
include         /usr/local/etc/openldap/schema/openldap_object_XPS.schema

OpenLDAP can now reference the appropriate schema files for the Policy Store objects.

3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store Since OpenLDAP does not support server-side sorting SiteMinder must instead handle sorting on the client side. To accomplish this, all XPS objects are retrieved at start-up using server-side paging.

To support client-side sorting, OpenLDAP must be configure with the following settings in the slapd.conf file:

  • Allow SiteMinder to read the Root DSE so that it can determine the directory is of type OpenLDAP
  • Set the maximum number of entries returned in a search operation to at least 500 so that the XPS objects are retrieved in increments of 500 or more objects
  • Allow v2 LDAP binds so that the SiteMinder Admin Console (smconsole) to test the LDAP connection to the Policy Store

To allow SiteMinder to read the Root DSE, uncomment the following 2 lines in the slapd.conf file:

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

By default the sizelimit setting for OpenLDAP is 500. Ensure that this is the minimum value in the slapd.conf file. If the value is less than 500, increase it to 500 by adding the following line above the "BDB database definitions" section in the slapd.conf file:

sizelimit 500

To allow v2 binds, add the following line above the "BDB database definitions" section in the slapd.conf file:

allow bind_v2

SiteMinder should now be able to correctly identify the Policy Store as an OpenLDAP server and validate that it can connect to the server.

3d. Create the base Policy Store structure In order to import the Policy Store base objects, the proper directory structure must be in place prior to running the administration tools. This is done by creating an LDIF file with the correct DIT structure and importing it into the OpenLDAP server.

An LDIF file is a text file which represents the objects in an LDAP directory. In my example where my base DN is "dc=company,dc=com" I created the following LDIF file and saved it in the /home/installers directory. This LDIF file creates the base structure for SiteMinder to store its policy objects and also the Manager account which SiteMinder will use to bind (authenticate) to the directory:

# company.com
dn: dc=company,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: company

# Manager, company.com
dn: cn=Manager,dc=company,dc=com
objectclass: organizationalRole
cn: Manager

# Netegrity, company.com
dn: ou=Netegrity,dc=company,dc=com
ou: Netegrity
objectClass: organizationalUnit
objectClass: top

# SiteMinder, Netegrity, company.com
dn: ou=SiteMinder,ou=Netegrity,dc=company,dc=com
ou: SiteMinder
objectClass: organizationalUnit
objectClass: top

# PolicySvr4, SiteMinder, Netegrity, company.com
dn: ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=company,dc=com
ou: PolicySvr4
objectClass: organizationalUnit
objectClass: top
# XPS, policysvr4, siteminder, netegrity, company.com
dn: ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=company,dc=com
ou: XPS
objectClass: organizationalUnit
objectClass: top

Once this file is created, you can import it using the following command (I called the file base.ldif):

/usr/local/bin/ldapadd -x -D "cn=Manager,dc=company,dc=com" -W -f /home/installers/base.ldif

3e. Restart OpenLDAP To pick up the slapd.conf file changes, the OpenLDAP server must be restarted. Use the following command to stop OpenLDAP:

kill -INT `cat /usr/local/var/run/slapd.pid`

Use the following command to start OpenLDAP:

/usr/local/libexec/slapd

The OpenLDAP server should now be set to go for the next set of steps to load SiteMinder base policy objects.

4. Configure SiteMinder to Use OpenLDAP as the Policy Store Once OpenLDAP is set up with the proper schema and other settings from section 3, the next step is to point SiteMinder at the OpenLDAP directory and create the base objects used by the policy server. The following steps are required:

4a. Point SiteMinder at the OpenLDAP instance 4b. Load the base objects into the Policy Store

These instructions assume that you have already installed the Policy Server binaries. For details on how to do this follow the instructions in the SiteMinder documentation. You do not need to configure the Policy Store during the installation of the Policy Server (that's what we are doing here).

4a. Point SiteMinder at the OpenLDAP instance You can point the Policy Server at the OpenLDAP directory either in the Policy Server Management Console (smconsole) or through the command line. The following section contains the command line based steps:

1. Run the following command to validate that the Policy Server can communicate with the OpenLDAP directory:

smldapsetup status -hhost -pport -dAdminDN -wAdminPW -rroot -ssl1/0 -ccert

Where:

-hhost Specifies the IP Address of the LDAP server host system.-pport Specifies the port on which the LDAP server is listening -dAdminDN Specifies the name of an LDAP user with privileges to create LDAP schema in the LDAP directory server -wAdminPW Specifies the password for an LDAP user with privileges to create LDAP schema in the LDAP directory server -rroot Specifies the DN location of the SiteMinder data in the LDAP directory -ssl1|0 Specifies an SSL connection. Limits: 0=no | 1=yes Default: 0 -ccert (Only required if the ssl value is 1) Specifies the path to the directory where the SSL client certificate database file, cert7.db, exists

Since I have OpenLDAP installed locally, the following command was used:

smldapsetup status -h127.0.0.1 -p389 -d"cn=Manager,dc=company,dc=com" -wpassword -r"dc=company,dc=com" -ssl0

2. Run the following command to configure the Policy Server to use the OpenLDAP Policy Store:

smldapsetup reg -hhost -pport -dAdminDN -wAdminPW -rroot -ssl1/0 -ccert

Where:

-hhost Specifies the IP Address of the LDAP server host system.-pport Specifies the port on which the LDAP server is listening -dAdminDN Specifies the name of an LDAP user with privileges to create LDAP schema in the LDAP directory server -wAdminPW Specifies the password for an LDAP user with privileges to create LDAP schema in the LDAP directory server -rroot Specifies the DN location of the SiteMinder data in the LDAP directory -ssl1|0 Specifies an SSL connection. Limits: 0=no | 1=yes Default: 0 -ccert (Only required if the ssl value is 1) Specifies the path to the directory where the SSL client certificate database file, cert7.db, exists

So, for this install the following command was used:

smldapsetup reg -h127.0.0.1 -p389 -d"cn=Manager,dc=company,dc=com" -wpassw0rd -r"dc=company,dc=com" -ssl0

4b. Load the base objects into the Policy Store The next step is to load the base objects into the Policy Store. To load the Policy Store objects the following steps are required:

  • Register the SiteMinder admin user
  • Load the base policy objects
  • Load the base federation objects
  • Import the XPS data definitions

To register the SiteMinder admin account, smreg is required. You may need to copy smreg from the SiteMinder Policy Server installation media to the <Policy Server Home>/bin directory where <Policy Server Home> is the installation path for the Policy Server.

1. Run the following command in the terminal to register the SiteMinder administrator account (switch to the <Policy Server Home>/bin directory is necessary):

smreg -su adminPW

Where:

adminPW is the administrator password for the "SiteMinder" account

2. Run the following command to import the base policy store objects:

smobjimport -i<Policy Server Home>/db/smdif/smpolicy.smdif -dsiteminder_super_user_name -wsiteminder_super_user_password -f -v -c

Where:

<Policy Server Home> is the installation path for the Policy Server -i<Policy Server Home>/db/smdif/smpolicy.smdif Specifies the path and name of the import file -dsiteminder_super_user_name Specifies the name of the SiteMinder administrator account -wsiteminder_super_user_password Specifies the password for the SiteMinder administrator account -f Overrides duplicate objects -v Turns on tracing and outputs error, warning, and comment messages in verbose format so that you can monitor the status of the import -c Indicates that the smdif input file contains unencrypted data

So, for this install the following command was used:

smobjimport -i/home/smuser/CA/siteminder/db/smdif/smpolicy.smdif -dsiteminder -wpassword -f -v -c

3. Run the following command to import the base federation objects:

smobjimport -i<Policy Server Home>/db/smdif/ampolicy.smdif -dsiteminder_super_user_name -wsiteminder_super_user_password -f -v -c

Where:

<Policy Server Home> is the installation path for the Policy Server -i<Policy Server Home>/db/smdif/smpolicy.smdif Specifies the path and name of the import file -dsiteminder_super_user_name Specifies the name of the SiteMinder administrator account -wsiteminder_super_user_password Specifies the password for the SiteMinder administrator account -f Overrides duplicate objects -v Turns on tracing and outputs error, warning, and comment messages in verbose format so that you can monitor the status of the import -c Indicates that the smdif input file contains unencrypted data

So, for this install the following command was used:

smobjimport -i/home/smuser/CA/siteminder/db/smdif/ampolicy.smdif -dsiteminder -wpassword -f -v -c

4. Importing the policy store data definitions is required to use the policy store with the Administrative UI. The base definitions describe the policy store data. Run the following commands to import the XPS data definitions (note that these commands must be run in the order below or the imports fail):

  1. Switch to the <Policy Server Home>/xps/dd directory where <Policy Server Home> is the installation path for the Policy Server
  2. Run the following command: XPSDDInstall SmObjects.xdd
  3. Run the following command: XPSDDInstall EPMObjects.xdd
  4. Run the following command: XPSDDInstall SecCat.xdd
  5. Run the following command: XPSDDInstall FssSmObjects.xdd

The Policy Server is now fully configured to use OpenLDAP for the Policy Store.

5. Prepare the Policy Store for registration of the Administrative UI The default SiteMinder super user account (siteminder) is used to log into the Administrative UI for the first time in order to register the Administrative UI. This creates a trusted relationship between both components. The XPSRegClient utility is used to supply the super user account name and password. The Policy Server uses these credentials to verify that the registration request is valid and that the trusted relationship can be established. Keep in mind that the time from which you supply the credentials to when the initial Administrative UI login occurs is limited to 24 hours. If you do not plan on installing the Administrative UI within one day, complete the following before installing the Administrative UI.

Run the following command to prepare the Policy Server for the Administrative UI registration:

XPSRegClient siteminder[:passphrase] -adminui-setup -t timeout -r retries -c comment -cp -l log_path -e error_path -vT -vI -vW -vE -vF

Where:

passphrase Specifies the password for the default SiteMinder super user account (if you do not specify the passphrase, XPSRegClient prompts you to enter and confirm one). -adminui–setup Specifies that the Administrative UI is being registered with a Policy Server for the first–time. -t timeout (Optional) Specifies the allotted time from when you to install the Administrative UI to the time you log in and create a trusted relationship with a Policy Server. The Policy Server denies the registration request when the timeout value is exceeded.

Unit of measurement: minutes Default: 240 (4 hours) Minimum Limit: 1 Maximum Limit: 1440 (24 hours)

-r retries (Optional) Specifies how many failed attempts are allowed when you are registering the Administrative UI. A failed attempt can result from submitting incorrect SiteMinder administrator credentials when logging into the Administrative UI for the first–time

Default: 1 Maximum Limit: 5

-c comment (Optional) Inserts the specified comments into the registration log file for informational purposes. Surround the comments with quotes. -cp (Optional) Specifies that registration log file can contain multiple lines of comments. The utility prompts for multiple lines of comments and inserts the specified comments into the registration log file for informational purposes. Surround the comments with quotes. -l log path (Optional) Specifies where the registration log file must be exported.

Default: <Policy Server Home>/log where <Policy Server Home> is the installation path for the Policy Server.

-e error_path (Optional) Sends exceptions to the specified path.

Default: stderr

-vT (Optional) Sets the verbosity level to TRACE. -vI (Optional) Sets the verbosity level to INFO. -vW (Optional) Sets the verbosity level to WARNING. -vE (Optional) Sets the verbosity level to ERROR. -vF (Optional) Sets the verbosity level to FATAL.

XPSRegClient supplies the Policy Server with the administrator credentials the Policy Server uses to verify the registration request when you log into the Administrative UI for the first–time.