CA SSO : smldapsetup : support for different admins

Idea created by Hubert Dennis Employee on Oct 21, 2015
Status: Not planned
Score: 3
Voters:
• SamatBoA
• Hubert Dennis
• Huned Rangwala

ADLDS has 2 partitions, i.e. the Configuration partition and the Data/Application partition.

We create 2 users, i.e. one in the Configuration partition and another user in the Data/Application partition.

Configuration Partition User: CN=SM Admin,CN=Roles,CN=Configuration,CN={9C8DA8D9-7B7B-4287-8970-858F7E3B92AE}

Application Partition User: CN=SM Admin,OU=serviceids,O=company.com

This works fine if we use the Policy Server Configuration Wizard, because the Wizard has the option to define a different Admin for managing Store Objects.

If we were to configure the PStore and KStore separately, then we need to use the smldapsetup command to manually point the Policy Server to a different KeyStore.

Currently smldapsetup does not support this ability to define two different admins like the Wizard does.

I raised a support ticket "00225396: KStore and ADLDS" and was pointed in the direction of raising an ER to deliver this functionality. Hence I am raising the ER.

There is a workaround...

Run this command so that the schema gets imported into the Configuration partition:

• smldapsetup reg -hhost.ca.com -p9991 -d"CN=SM Admin,CN=Roles,CN=Configuration,CN={391A45BD-831B-495E-8298-45E0A1EBBE31}" -wPassword -rOU=kstore9991,O=company.com -k1 -v

• smldapsetup ldgen -ffilename -k1 -v
• smldapsetup ldmod -ffilename -k1 -v

Then manually go into smconsole and change the Admin User for the KeyStore to the Data Partition Admin User (CN=SM Admin,OU=serviceids,O=company.com).

Not the best of ways to do this, when all of this should be handled via smldapsetup (not all Customers have the luxury of running XWindows; it is cleared by TechOps / Security Teams). Hence we need a functional fix (in glorified words, an "Enhancement") in smldapsetup, and this needs to be for all LDAPs which the Wizard currently supports. We already have the capability in smldapsetup to define the Store Type using " -m[n] "; we just need to build upon that.

NOTE: The Documentation also needs updating.

Regards

Hubert
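The workaround above depends on binding smldapsetup as a Configuration-partition admin for the schema import and then handing the KeyStore to an Application-partition admin in smconsole. The following is an added example, not part of the post or of CA SSO, that tells the two cases apart from the DN alone (AD LDS places the configuration naming context under CN=Configuration,CN={instance GUID}); the two DNs are the ones quoted in the post and the regex, function names and the "schema partition hangs below Configuration" shortcut are the example's own assumptions.

```python
"""Classify AD LDS bind DNs by partition before running the smldapsetup workaround.

Added example, not code from the original post or from CA SSO.
"""
import re

# RDN separator: a comma that is not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")

# Configuration naming context of an AD LDS instance: CN=Configuration,CN={GUID}.
# The GUID is generated per instance, hence the two different values in the post.
_CONFIG_NC = re.compile(
    r"^CN=Configuration,CN=\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs while keeping escaped commas inside a value intact."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def partition_of(dn: str) -> str:
    """Return 'configuration' or 'application' for an AD LDS DN.

    A DN ending in CN=Configuration,CN={GUID} lives in the configuration partition
    (the schema partition hangs below it and is classified the same way); any other
    suffix is treated as a data/application partition.
    """
    rdns = split_rdns(dn)
    if len(rdns) >= 2 and _CONFIG_NC.match(",".join(rdns[-2:])):
        return "configuration"
    return "application"


def check_store_admins(schema_admin_dn: str, store_admin_dn: str) -> list[str]:
    """Return the problems found with the admin pair used in the workaround."""
    problems = []
    if partition_of(schema_admin_dn) != "configuration":
        problems.append("schema import admin (-d) is not in the configuration partition")
    if partition_of(store_admin_dn) != "application":
        problems.append("key store admin set in smconsole is not in the application partition")
    return problems


if __name__ == "__main__":
    # DNs quoted in the post; the GUID is specific to that AD LDS instance.
    config_admin = "CN=SM Admin,CN=Roles,CN=Configuration,CN={391A45BD-831B-495E-8298-45E0A1EBBE31}"
    app_admin = "CN=SM Admin,OU=serviceids,O=company.com"
    print(check_store_admins(config_admin, app_admin) or "admin pair matches the workaround")
```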