I have a single-use-case PHP application that correlates and pulls policy objects directly from the Oracle SM policy store using SQL. We migrated it to CA Directory with SiteMinder 12.7. We are evaluating porting the application from Oracle RDBMS to CA Directory.
The use case is:
- I type a web agent name. It will pull out related policies, realms, auth scheme, rules, user directories etc.
- Same use case for other objects: domain, rules, user etc.
My Questions are:
If I want to port the application:
Please find my answers below:
Eric: "I type a web agent name. It will pull out related policies, realms, auth scheme, rules, user directories etc.
- Same use case for other objects: domain, rules, user etc."
Ujwol => I am not aware of any API to pull the linked references for the child objects. What we have is an API to pull/export the linked objects for a root object, e.g. Domain, Application etc.
You can utilize the Perl API for this. But I would recommend using the Policy Migration REST API as there is not much development happening on the Perl API anymore. The focus is now on the REST API as it offers much more flexibility.
You will need a minimum of PS 12.7 to access the Policy migration REST APIs.
From the doco:
Policy Object REST APIs - CA Single Sign-On - 12.8 - CA Technologies Documentation
Use the Policy Migration API to do the following tasks with the data in your policy store:
Note: All calls to the Policy Migration API require a valid token that is obtained from the Administrative Token API.
Use this call to export a subset of policy data by specifying one or more root objects. Only those objects that do not have a parent class can be exported. For example, to export a realm object, you specify the parent domain for the realm.
Example URL: https://adminui.example.com:8443/api/sso/services/policy/v1/deployment/export
Eric: "Are there tools doing a similar use case available (proprietary or open source)?"
Ujwol => Not a PHP tool, and not open source. But I know CoreBlox does have a CA SSO policy migration tool box. Refer: CoreBlox CA SiteMinder ToolBox — CoreBlox
Coming back to your questions related to the Perl API:
Eric: "Use the Perl SM policy API (or other SM policy API) or directly query from the LDAP policy store (why)?"
Ujwol => The Perl API does NOT allow direct access to the policy store.
Eric: "If I use the Perl API, does the SDK have to be on the Policy Server? How can a remote PHP application call the Perl API?"
From the doco "The Policy Management API must be installed on the machine where the target Policy Server is located. The Policy Management API cannot access a remote Policy Server. However, the policy store can be on a remote machine as long as Policy Server is configured to point to the remote policy store."
So no, you cannot access the Perl API remotely.
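A small Python client for the two-step flow the answer describes (get an administrative token, then POST root objects to the export URL), added here as an illustration; it is not code from the thread and not CA/Broadcom code. Only the export URL and the "token required" rule come from the thread. The token endpoint path, the JSON field names (`sessionkey`, `exportRootObjects`, `type`, `name`) and the root-object type names are assumptions to be checked against the REST API documentation for your release. The transport is injectable, so the request building and the token handling can be exercised offline against a stub.

```python
"""Added example: minimal Policy Migration export client (assumed request shapes)."""
import base64
import json
from urllib import request as urllib_request

ADMINUI_BASE = "https://adminui.example.com:8443"                      # host from the thread's example URL
EXPORT_PATH = "/api/sso/services/policy/v1/deployment/export"          # path from the thread
TOKEN_PATH = "/api/sso/services/login/create"                          # ASSUMPTION: Administrative Token API path
# ASSUMPTION: parentless classes the export accepts as roots; the thread names Domain and Application.
ROOT_OBJECT_TYPES = {"Domain", "Application"}


def http_send(method, url, headers, body):
    """Default transport: HTTPS via urllib. Certificate verification stays on (urllib default)."""
    req = urllib_request.Request(url, data=body, headers=headers, method=method)
    with urllib_request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def build_token_request(base_url, username, password):
    """Request for the Administrative Token API. ASSUMPTION: HTTP Basic credentials, JSON response."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + cred, "Accept": "application/json"}
    return "POST", base_url + TOKEN_PATH, headers, None


def build_export_request(base_url, token, root_objects):
    """Request for the export call. root_objects is a list of (type, name) pairs.

    Rejects anything that is not a root class up front: a Realm must be exported
    through its parent Domain, as the thread's quoted documentation says.
    """
    if not root_objects:
        raise ValueError("at least one root object is required")
    for obj_type, _ in root_objects:
        if obj_type not in ROOT_OBJECT_TYPES:
            raise ValueError(f"{obj_type} has a parent class; export its parent instead")
    # ASSUMPTION: field names in the export body.
    body = json.dumps(
        {"exportRootObjects": [{"type": t, "name": n} for t, n in root_objects]}
    ).encode()
    headers = {
        "Authorization": "Bearer " + token,   # ASSUMPTION: bearer-style token header
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return "POST", base_url + EXPORT_PATH, headers, body


def export_policy(base_url, username, password, root_objects, send=http_send):
    """Obtain a token, then export the given root objects. Returns the parsed export response.

    The token is held only in a local and never logged; error paths report the
    status code only, so response bodies cannot leak into logs.
    """
    status, raw = send(*build_token_request(base_url, username, password))
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(raw)["sessionkey"]   # ASSUMPTION: token field name
    status, raw = send(*build_export_request(base_url, token, root_objects))
    if status != 200:
        raise RuntimeError(f"export failed with HTTP {status}")
    return json.loads(raw)


if __name__ == "__main__":
    # Offline demonstration with a constructed stub transport (no network access).
    def stub_send(method, url, headers, body):
        if url.endswith(TOKEN_PATH):
            return 200, b'{"sessionkey": "constructed-token"}'
        return 200, b'{"exported": ["ExampleDomain"]}'

    print(export_policy(ADMINUI_BASE, "admin-placeholder", "password-placeholder",
                        [("Domain", "ExampleDomain")], send=stub_send))
```

Running it with the default `send` talks to the real Administrative UI host; keep the admin credentials out of the source and pass them in from a secret store, and leave the urllib certificate check in place rather than disabling it for a self-signed AdminUI certificate (add the CA to the trust store instead).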