Layer 7 Access Management


SM Policy Script / Application to LDAP Policy Store

  • 1.  SM Policy Script / Application to LDAP Policy Store

    Posted 05-17-2018 04:21 PM

    I have a single-use-case PHP application that correlates and pulls policy objects directly from the Oracle SM policy store using SQL. We migrated it to CA Directory with Siteminder 12.7. We are evaluating porting the application to connect to CA Directory instead of Oracle RDBMS.

    The use case is

    - I type a web agent name. It will pull out related policies, realms, auth scheme, rules, user directories etc.

    - Same use case for other objects: domain, rules, user etc.

    My Questions are:

    •  Has a similar use case been implemented in the latest SM Siteminder WAM?
    •  Are there tools available that do a similar use case (proprietary or open source)?

    If I want to port the application:

    •  Use the Perl SM policy API (or another SM policy API) or directly query the LDAP policy store (why)?
    •  If I use the Perl API, does the SDK have to be on the policy server? How can a remote PHP application call the Perl API?
    •  If I directly query the LDAP policy store, are there any support libraries, examples, or a directory database layout/schema?


  • 2.  Re: SM Policy Script / Application to LDAP Policy Store
    Best Answer

    Posted 05-21-2018 12:45 AM

    Hi Eric,

    Please find my answers below:

    Eric: "I type a web agent name. It will pull out related policies, realms, auth scheme, rules, user directories etc.

    - Same use case for other objects: domain, rules, user etc."

    Ujwol => I am not aware of any API to pull the linked references for the child objects. What we have is an API to pull/export the linked objects for a root object, e.g. Domain, Application etc.

    You can utilize the Perl API for this. But I would recommend using the Policy Migration REST API, as there is not much development happening on the Perl API anymore. The focus is now on the REST API as it offers much more flexibility.

    You will need a minimum of PS 12.7 to access the Policy Migration REST APIs.

    From the doco:

    Policy Object REST APIs - CA Single Sign-On - 12.8 - CA Technologies Documentation 

    Policy Migration API Overview

    Use the Policy Migration API to do the following tasks with the data in your policy store:

    • Perform a granular export of a specified subset of your policy data
    • Import previously exported policy data

    Note: All calls to the Policy Migration API require a valid token that is obtained from the Administrative Token API.

    Export a Portion of Your Policy Data

    POST

    /ca/api/sso/services/policy/v1/deployment/export

    Use this call to export a subset of policy data by specifying one or more root objects. Only those objects that do not have a parent class can be exported. For example, to export a realm object, you specify the parent domain for the realm.

    Example URL: https://adminui.example.com:8443/api/sso/services/policy/v1/deployment/export

    Eric: "Are there tools available that do a similar use case (proprietary or open source)?"

    Ujwol => Not a PHP tool, and not open source. But I know CoreBlox does have a CA SSO policy migration toolbox. Refer: CoreBlox CA SiteMinder ToolBox — CoreBlox

    Coming back to your questions related to the Perl API:

    Eric: "Use the Perl SM policy API (or another SM policy API) or directly query the LDAP policy store (why)?"

    Ujwol => The Perl API does NOT allow direct access to the policy store.

    Eric: "If I use the Perl API, does the SDK have to be on the policy server? How can a remote PHP application call the Perl API?"

    Ujwol =>

    From the doco: "The Policy Management API must be installed on the machine where the target Policy Server is located. The Policy Management API cannot access a remote Policy Server. However, the policy store can be on a remote machine as long as Policy Server is configured to point to the remote policy store."

    So no, you cannot access the Perl API remotely.

    Regards,

    Ujwol Shrestha
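As an added illustration of the export call described in the best answer (this is not code from the thread, from CA, or from CoreBlox): a small Python client that builds the POST to the Policy Migration export endpoint quoted above and sends it with a token already obtained from the Administrative Token API. The endpoint path is the one quoted in the answer; everything else is an assumption and is marked as such in the code: the `Authorization: Bearer` header form, the JSON body layout, the root-object names (only Domain and Application are named in the thread), and the hostname, which is the example host from the answer. The client refuses to export a child object such as a Realm up front, mirroring the doc note that only objects without a parent class can be exported.

```python
"""Assumed client for the CA SSO Policy Migration export call.

Only EXPORT_PATH comes from the thread. The header form, the body layout
and the list of root classes are placeholders the reader must confirm
against the product documentation before use.
"""
import json
import urllib.request

# Quoted in the thread as the export endpoint.
EXPORT_PATH = "/ca/api/sso/services/policy/v1/deployment/export"

# ASSUMPTION: root classes named in the thread; extend from the docs.
ROOT_CLASSES = {"Domain", "Application"}


def build_export_request(base_url, admin_token, root_objects):
    """Return (url, headers, body_dict) for one export call.

    root_objects: list of {"type": <class>, "name": <object name>} dicts.
    Raises ValueError when the token is missing or an object is not a
    root class, since the export API only accepts parentless objects.
    """
    if not admin_token:
        raise ValueError("a token from the Administrative Token API is required")
    for obj in root_objects:
        if obj.get("type") not in ROOT_CLASSES:
            raise ValueError(
                "%r is not a root object; export its parent (e.g. the Domain "
                "that owns a Realm) instead" % obj.get("type"))
    url = base_url.rstrip("/") + EXPORT_PATH
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # ASSUMPTION: bearer-token header form.
        "Authorization": "Bearer " + admin_token,
    }
    # ASSUMPTION: body layout is a placeholder, not the documented schema.
    body = {"export": {"objects": list(root_objects)}}
    return url, headers, body


def export_policy(base_url, admin_token, root_objects, opener=None):
    """POST the export request and return the parsed JSON response.

    `opener` may be any object with an open(request) method returning a
    file-like context manager; it defaults to urllib's HTTPS opener and
    is injectable so the call can be exercised offline.
    """
    url, headers, body = build_export_request(base_url, admin_token, root_objects)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST")
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hostname is the example host from the answer; token is a placeholder.
    url, headers, body = build_export_request(
        "https://adminui.example.com:8443", "<token-from-admin-token-api>",
        [{"type": "Domain", "name": "ExampleDomain"}])
    print("POST", url)
    print(json.dumps(body, indent=2))
```

Because the Perl Policy Management API must sit on the Policy Server host (as the answer notes), a remote PHP or Python caller only ever sees the REST surface; the opener parameter above exists so the request construction can be checked without network access.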