SungHoon_Kim

How to setup AD as Policy Store

Blog Post created by SungHoon_Kim Employee on May 6, 2016

Let's say the Policy Store was pointing to an AD and that AD has been decommissioned.

You will have to set up the Policy Store again on another AD.

The following steps will help you achieve that.

 

First, you need to know some details about the new AD instance that you want to use as the Policy Store.

You will need the following information.

RootDN: dc=sso,dc=lab

Administrator account: cn=Administrator,cn=Users,dc=sso,dc=lab

Administrator password: xxxxxxx

You do not strictly need the "cn=Administrator" account; any privileged account with permission to add/modify the schema and create entries will suffice.

IP: 192.168.201.101

 

At the Policy Server, run "smconsole" to load the Policy Server Management Console and go to the "Data" tab.

You might have some information entered there that is no longer valid.

In the above screenshot, it was not previously pointing to another AD, but let's say it was.

You need to update the information above with the new AD information.

You will also need to ensure the "Test LDAP Connection" button returns "Success", as above.

If the password is wrong, it will show something like this.

Click "Apply" to save the changes.

 

You will also need to check whether your Key Store needs to be updated.

Select "Key Store" from the Database dropdown menu.

In my sample, the Policy Store is also the Key Store, so no action is required for the Key Store.

Click "OK" to close smconsole.

 

You need to import the SiteMinder policy store schema into your AD.

Running "smldapsetup ldgen -f<filename> -v" generates the schema file for you.

In the following sample, I ran "smldapsetup ldgen -fschema.ldif -v" and it generated the "schema.ldif" file.

Next, import this into your AD.

The command is "smldapsetup ldmod -f<filename> -v".

Note the difference: ldgen vs ldmod.

You should get a success message as below.

If you already had the schema, you would get the following message instead, but the command still succeeds.

Note the "ENTRY_EXISTS".

 

There is one more schema to import.

Navigate to the "<PolicyServer>/xps/db" folder.

In my case it is "C:\Program Files (x86)\CA\siteminder\xps\db".

You will find the "ActiveDirectory.ldif" file.

Copy that file to "AD_Mod.ldif" and open it in Notepad.

You will find "<RootDN>", which needs to be replaced with your actual RootDN value, in this case "dc=sso,dc=lab".

The following is the result of the modification. Save the file.

Import the schema file as below.

"smldapsetup ldmod -fAD_Mod.ldif -v"
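The schema steps above (ldgen, ldmod, and the RootDN substitution in AD_Mod.ldif) can be scripted so the placeholder replacement is checked before anything is sent to the AD. This is an added example, not a script from the original post or from CA; it assumes the SiteMinder command-line tools are on PATH, that they return a non-zero exit code on failure, and that the install root and RootDN are the ones shown in the post.

```powershell
# Added example (not from the original post): generate and import the SiteMinder
# policy store schema, then prepare and import AD_Mod.ldif with the RootDN filled in.
# Assumes smldapsetup is on PATH and signals failure with a non-zero exit code.
$ErrorActionPreference = 'Stop'
$SmHome = 'C:\Program Files (x86)\CA\siteminder'   # install root shown in the post
$RootDN = 'dc=sso,dc=lab'                          # RootDN of the new AD from the post

function Invoke-SmTool {
    param([string]$Exe, [string[]]$Arguments)
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Generate the schema (ldgen) and import it (ldmod). ENTRY_EXISTS in the output
#    only means the schema was already there; the command still succeeds.
$schemaLdif = Join-Path $env:TEMP 'schema.ldif'
Invoke-SmTool 'smldapsetup' @('ldgen', "-f$schemaLdif", '-v')
Invoke-SmTool 'smldapsetup' @('ldmod', "-f$schemaLdif", '-v')

# 2. Copy ActiveDirectory.ldif to AD_Mod.ldif, replacing every <RootDN> placeholder.
$template = Join-Path $SmHome 'xps\db\ActiveDirectory.ldif'
$adMod    = Join-Path $SmHome 'xps\db\AD_Mod.ldif'
$raw      = Get-Content -Path $template -Raw
$hits     = ([regex]::Matches($raw, '<RootDN>')).Count
Write-Host "Replacing $hits occurrence(s) of <RootDN> with $RootDN"
Set-Content -Path $adMod -Value $raw.Replace('<RootDN>', $RootDN) -Encoding Ascii

# Guard: refuse to import if any placeholder survived (Select-String is case-insensitive,
# so an oddly cased token such as <rootdn> would also be caught).
$left = Select-String -Path $adMod -Pattern '<RootDN>' -SimpleMatch
if ($left) {
    throw "Unreplaced placeholder in $adMod at line(s): $($left.LineNumber -join ', ')"
}

# 3. Import the XPS schema extension.
Invoke-SmTool 'smldapsetup' @('ldmod', "-f$adMod", '-v')
```

Run it from an elevated PowerShell prompt on the Policy Server after smconsole already points at the new AD, since smldapsetup reads the LDAP connection details from the Policy Server configuration.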

 

You will need to confirm that the schema import was indeed successful.

Use the "ADSI Edit" tool to connect to your AD and select the "Schema" context.

If the import of schema.ldif was successful, you should find "CN=smXXXXX" entries.

If the import of AD_Mod.ldif was successful, you should find "CN=xpsXXXXX" entries.
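The same check can be done from the Policy Server without ADSI Edit, using the ActiveDirectory PowerShell module to count the "sm*" and "xps*" classes and attributes under the schema naming context. This is an added example, not part of the original post; the server address is the AD IP from the post, and the credential prompt is an assumption (any account that can read the schema partition will do).

```powershell
# Added example (not from the original post): verify that the SiteMinder (sm*) and
# XPS (xps*) schema entries exist in the AD schema partition. Requires RSAT's
# ActiveDirectory module on the machine running the check.
Import-Module ActiveDirectory

function Test-SiteMinderSchema {
    param(
        [string]$Server = '192.168.201.101',          # AD IP from the post
        [pscredential]$Credential = (Get-Credential -Message 'Account that can read the AD schema')
    )
    $schemaNc = (Get-ADRootDSE -Server $Server -Credential $Credential).schemaNamingContext

    # Schema classes and attributes created by schema.ldif are named CN=sm...
    $sm  = @(Get-ADObject -Server $Server -Credential $Credential -SearchBase $schemaNc `
                          -LDAPFilter '(cn=sm*)' -Properties name)
    # Entries created by AD_Mod.ldif are named CN=xps...
    $xps = @(Get-ADObject -Server $Server -Credential $Credential -SearchBase $schemaNc `
                          -LDAPFilter '(cn=xps*)' -Properties name)

    [pscustomobject]@{
        SchemaContext = $schemaNc
        SmEntries     = $sm.Count
        XpsEntries    = $xps.Count
        SchemaLdifOk  = $sm.Count  -gt 0   # schema.ldif was imported
        AdModLdifOk   = $xps.Count -gt 0   # AD_Mod.ldif was imported
    }
}

$result = Test-SiteMinderSchema
$result | Format-List
if (-not ($result.SchemaLdifOk -and $result.AdModLdifOk)) {
    Write-Warning 'One or both schema imports are missing; re-run the smldapsetup ldmod steps before continuing.'
}
```

A zero count for either group means the corresponding ldmod step did not take effect, which is worth catching here rather than at the XPSDDInstall step, where the error is less obvious.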

 

Next is easy: you just need to import the base objects.

At the Policy Server, navigate to "C:\Program Files (x86)\CA\siteminder\xps\dd".

You will find "SmMaster.xdd".

If you open it in Notepad, you will find that it actually references other xdd files.

==> If you do not find SmMaster.xdd, you might be running R12.0, which did not have SmMaster.xdd.

In that case, the order in which to import the xdd files is: 1) SmObjects.xdd, 2) FssSmObjects.xdd, 3) SOAObjects.xdd, 4) EPMObjects.xdd, 5) CDSObjects.xdd, 6) FedObjects.xdd, 7) SecCat.xdd, 8) SPSObjects.xdd, 9) CHSObjects.xdd.

 

However, SmMaster.xdd does not import every xdd file (for example, IdmSmObjects.xdd).

Those xdd files represent specific features and need to be imported only if you are using that feature.

Importing SmMaster.xdd is usually sufficient.

Run "XPSDDInstall SmMaster.xdd".

 

If you go to your AD, you will find that new entries have been created, as shown below.

Now import the next set of base objects.

Navigate to "C:\Program Files (x86)\CA\siteminder\db".

You will find "smpolicy.xml".

Run the following command to import it.

"XPSImport smpolicy.xml -npass"

Now your policy store is set up and you can start the Policy Server.

 

Although all the base objects are created, you do not have the "SiteMinder" administrator account yet.

You will need to run "smreg -su <password>" to create it and set its password at the same time.

"smreg.exe" is shipped with the installer package, so if you do not have it, download the matching version of the installer and extract the zip file to get smreg.exe.

As this tool allows anyone with local access to reset the "SiteMinder" administrator password, it is advisable to delete it from the machine after use.
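The base-object import (SmMaster.xdd or, on R12.0, the ordered xdd list), the smpolicy.xml import and the smreg step can be run as one sequence. This is an added example, not a script from the original post or from CA; it assumes XPSDDInstall, XPSImport and smreg are on PATH and return a non-zero exit code on failure, and it uses the install root from the post.

```powershell
# Added example (not from the original post): import the XPS data dictionaries and the
# base policy objects, then create the SiteMinder super-user and remove smreg.exe.
# Assumes the SiteMinder tools are on PATH and fail with a non-zero exit code.
$ErrorActionPreference = 'Stop'
$SmHome = 'C:\Program Files (x86)\CA\siteminder'   # install root from the post

# Import order from the post, used only when SmMaster.xdd is absent (R12.0).
$R12Order = 'SmObjects.xdd', 'FssSmObjects.xdd', 'SOAObjects.xdd', 'EPMObjects.xdd',
            'CDSObjects.xdd', 'FedObjects.xdd', 'SecCat.xdd', 'SPSObjects.xdd', 'CHSObjects.xdd'

function Invoke-SmTool {
    param([string]$Exe, [string[]]$Arguments)
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Data dictionaries: SmMaster.xdd pulls in the others, so one call is enough when it exists.
Push-Location (Join-Path $SmHome 'xps\dd')
try {
    if (Test-Path 'SmMaster.xdd') {
        Invoke-SmTool 'XPSDDInstall' @('SmMaster.xdd')
    } else {
        Write-Host 'SmMaster.xdd not found (R12.0?); importing the xdd files in order'
        foreach ($xdd in $R12Order) {
            if (-not (Test-Path $xdd)) { Write-Warning "$xdd not present, skipping"; continue }
            Invoke-SmTool 'XPSDDInstall' @($xdd)
        }
    }
} finally { Pop-Location }

# 2. Base policy objects.
Push-Location (Join-Path $SmHome 'db')
try { Invoke-SmTool 'XPSImport' @('smpolicy.xml', '-npass') } finally { Pop-Location }

# 3. Create the "SiteMinder" administrator. Prompting keeps the password out of the
#    script and the PowerShell history; smreg itself still takes it as an argument.
$cred = Get-Credential -UserName 'SiteMinder' -Message 'Password for the SiteMinder administrator'
Invoke-SmTool 'smreg' @('-su', $cred.GetNetworkCredential().Password)

# 4. smreg can reset that password for anyone who can run it, so remove it after use.
$smreg = Get-Command smreg -CommandType Application -ErrorAction SilentlyContinue
if ($smreg) { Remove-Item -Path $smreg.Path -Force; Write-Host "Removed $($smreg.Path)" }
```

Because XPSDDInstall and XPSImport write to the policy store over the LDAP connection configured in smconsole, the "Test LDAP Connection" step earlier in the post must already succeed before this script is run.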

 

Next would be to ensure that you have the AdminUI available to administer it.