Symantec Access Management

Expand all | Collapse all

CA Directory - Router DSA

Jump to Best Answer

PANKAJ NEGI07-13-2018 10:16 AM

  • 1.  CA Directory - Router DSA

    Posted 07-13-2018 06:02 AM

    Hello All,

     

    I am setting up CA Directory 14.0 as a Policy store.
    I would like to create a Router DSA which will route the Policy server requests to Data DSAs.
    1. How to configure data DSAs inside a router DSA using management console? i.e, How router DSA will understand that which DSAs will receive its requests.
    2. Can we configure router DSA to either Load balance or fail over the requests to data DSAs?
    3. While configuring the default Policy store objects, do we need to point each data DSA to the Policy server or only the router DSA?

    4. Does router DSA setup provide better performance than the data DSA setup? Any article/discussion link will be helpful

     

    Thanks,

    Pankaj



  • 2.  Re: CA Directory - Router DSA

     
    Posted 07-13-2018 09:37 AM

    1. How to configure data DSAs inside a router DSA using management console? i.e, How router DSA will understand that which DSAs will receive its requests.

     

    I can't answer the part about using the management console.  The router DSA will load the knowledge files of all the data DSAs along with its own.  This will tell the router what data DSAs are available.

     

    2. Can we configure router DSA to either Load balance or fail over the requests to data DSAs?

     

    Yes.  By default, the router will use fail over.  If you add the load-share flag in the data dsa knowledge files, the router will know to load balance across the data dsas.


    3. While configuring the default Policy store objects, do we need to point each data DSA to the Policy server or only the router DSA?

     

    You would first setup your data DSAs and ensure the multi-write is working before configuring the policy objects.  You would then setup the policy objects using one policy server pointed to one data dsa.  The multi-write will take care of synchronizing the data to the other data DSA.  Once that is working, then introduce the router and verify connectivity.

     

    4. Does router DSA setup provide better performance than the data DSA setup? Any article/discussion link will be helpful

     

    For the policy store, a router doesn't add a whole lot of benefit.  It doesn't harm anything either.  The policy server loads the policy store into memory on startup.  From that point forward, it is more memory reads, than directory reads and writes.  For a user store, since you often have other applications needing to connect to the directory, a router definitely provides a benefit by obscuring the data DSA setup from the applications.



  • 3.  Re: CA Directory - Router DSA

    Posted 07-13-2018 09:45 AM

    Thank you, David. This is really helpful.

     

    Regarding point#3 - When we point Policy server to router DSA, we need to provide a username and a password to establish the connection. However, we can not create a user under router DSA as it does not have any database.

    How do we handle this situation?

     

    Thanks,

    Pankaj



  • 4.  Re: CA Directory - Router DSA

     
    Posted 07-13-2018 09:51 AM

    The router isn't the same as a data DSA.  All it does it route the requests to the data DSA.  The username and password you provide must be in the data DSA.  The router will just forward the request to a data DSA for validation.



  • 5.  Re: CA Directory - Router DSA

    Posted 07-13-2018 09:58 AM

    Agreed.

    Let me rephrase my question -

    I have 1 Router DSA which is load balancing the requests to 2 Data DSAs. 

     

    While configuring the Policy store from smconsole, we need to provide Policy store IP along with the port, base DN, Admin user and its password.

    Here Policy store IP & port would be of Router DSA.

    What about Admin user and password?

     

    Regards,

    Pankaj



  • 6.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:02 AM


  • 7.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:08 AM

    Hi HubertDennis

    Yes, I have followed these steps to configure CA directory with data DSA as a Policy store and that worked perfectly.

     

    However, now I am stuck with the different Policy store set up where I have included Router DSA.

     

    I have 1 Router DSA which is load balancing the requests to 2 Data DSAs. 

     

    While configuring the Policy store from smconsole, we need to provide Policy store IP along with the port, base DN, Admin user and its password.

    Here Policy store IP & port would be of Router DSA.

    What about Admin user and password?



  • 8.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:11 AM

    Pankaj pn00455382

     

    Admin Username and Password is what you created within Data DSA in Step-6. There is no Data in Router DSA. All Data is only in Data DSA. Hence your Admin Username and Password is created within Data DSA. You'll use that Admin User Name and Password within Data DSA; but the IP and Port will be of Router DSA.

     

    Since you have 2 Data DSA, make sure your Data is replicated i.e. REPLICATION is working fine. Because once the Router DSA has knowledge of both Data DSA, it'd send the bind to one of the Data DSA. Thus the Admin User and Password has to be present in both Data DSA.

     

    The way I'd do this is

    A. Create Router DSA.

    B. Create DataDSA-1.

    C. Create DataDSA-2.

    D. Create Replication.

    E. Create Structure (Step-5 in SSO Documentation to setup CA Dir as PStore) in DataDSA-1.

    F. Make sure replication is working by checking in Data-DSA2.

    G. Create a Superuser Administrator for the DSA (Step-6 in SSO Documentation to setup CA Dir as PStore) in DataDSA-1.

    H. Make sure replication is working by checking in Data-DSA2.

     

    Now use this Admin User created in DataDSA (Step-G) in smconsole; but as I mentioned would use IP and port of Router DSA.



  • 9.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:16 AM

    Great. Thanks.

    Let me try this.



  • 10.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:31 AM

    Hi HubertDennis

    I tried this but got an error -

     

    --------------- Verifying LDAP settings --------------------------------------------------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <ServerIP>:<routerDSAPort>
    ------------------------Failure-----------------------------------------------------------------------

     

    Data DSA is added in the Knowledge group of Router DSA and base DN is same for Router and Data DSA.

    All the DSAs are up and running.



  • 11.  Re: CA Directory - Router DSA

    Posted 07-13-2018 10:58 AM

    Pankaj pn00455382

     

     

     

    In the Router DSA Knowledge file add.

    dsp-idle-time = 30
    dsa-flags = multi-write
    trust-flags = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations

     

    In Data DSA knowledge file add.

    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password

     

    Restart all DSA's and test.

     

     

    I am not seeing your configuration, but if you just have allowed Clear-Password and disabled Anonymous, then we would also need to set the below in settings for your DSA.

     

    set min-auth = none;
    To
    set min-auth = clear-password;



  • 12.  Re: CA Directory - Router DSA

    Posted 07-16-2018 03:16 PM

    Hi HubertDennis

     

    I tried this configuration but still, Policy server is not able to connect to the router DSA.

     

    I have following configurations -

    1. Data DSAs are added in the Knowledge group of Router DSA

    2. Both data DSAs are added in the knowledge group of each other for replication

    3. Admin user is created in the Data DSA (replicated to other data DSA)

    4. All DSAs(Router+Data) have same Base DN

    5. In the smconsole, router DSA IP: port is configured as Policy store.

    6. Admin user and password is of the Data DSA for Policy server connection with the Router DSA. 

     

    I am still not convinced how Policy server will connect to the Router DSA using Admin user of the Data DSA!!

     

    ===========================================================================

    When the Policy server connects to the Data DSA:

    [ser@serverbin]$ ./smldapsetup status -vE

     

    --------------- Verifying LDAP settings ---------------

    Directory Server: 'CA Directory' (14)

    ------------------------Success------------------------

    =============================================================================

     

    ============================================================================

    When the Policy server connects to the Router DSA:

    [user@server bin]$ ./smldapsetup status -vE

     

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <IP>:<Router DSA Port>
    ------------------------Failure------------------------

    ===============================================================================



  • 13.  Re: CA Directory - Router DSA

    Posted 07-16-2018 03:54 PM

    Pankaj pn00455382

     

    Can you paste your RouterDSA knowledge file and DataDSA knowledge file (after removing IP Addresses / Ports etc).

     

    RouterDSA will not work with ADMIN CREDS OOB. DataDSA will work with ADMIN CREDS OOB.

     

    You have to configure this correctly for ADMIN CREDS to work via Router.

     

    Bind Requests in a Distributed Environment - CA Directory - 14.0 - CA Technologies Documentation 

     

    How User Authentication Is Conveyed between DSAs - CA Directory - 14.0 - CA Technologies Documentation 



  • 14.  Re: CA Directory - Router DSA

    Posted 07-16-2018 05:49 PM

    Hi HubertDennis

     

    1. RouterDSA knowledge:

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Router>
    dsa-password = "oDc5Nyfz"
    address = tcp "hostname" port 33088
    disp-psap = DISP
    snmp-port = 33088
    console-port = 33089
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

     

    =================================================================

    2. DataDSA1 knowledge:

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

    ======================================================================

    3. DataDSA3 knowledge

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

     

    ==============================================================



  • 15.  Re: CA Directory - Router DSA

    Posted 07-16-2018 05:58 PM

    Pankaj pn00455382

     

    In the Router DSA add the below. Restart your Router DSA. Then test and let know.

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Router>
    dsa-password = "oDc5Nyfz"
    address = tcp "hostname" port 33088
    disp-psap = DISP
    snmp-port = 33088
    console-port = 33089
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write
    trust-flags = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
    };



  • 16.  Re: CA Directory - Router DSA

    Posted 07-16-2018 06:08 PM

    HubertDennis Still same. Probably, some other important setting is getting missed.

    Do you have any case where Router DSA is working with CA Directory 14.0?



  • 17.  Re: CA Directory - Router DSA

    Posted 07-16-2018 07:14 PM

    Pankaj pn00455382

     

    One problem I do see is your PREFIX.

     

    The PREFIX for ROUTERDSA has to be one level higher than DATADSA.

     

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    Could you change the ROUTERDSA to be higher e.g. 

     

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm>

     

     

    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>



  • 18.  Re: CA Directory - Router DSA

    Posted 07-17-2018 03:45 AM

    Hi HubertDennis

    Changed BaseDN of RouterDSA 1 level higher and tried connection again but it's same.

    I raised a CA support case 01140290 last week and awaiting a response. 

     

    [user@hostname bin]$ ./smldapsetup status -vE

    mode: status

    host: hostname
    port: 33088
    root: ou=sm,o=ab,c=gb
    admindn: cn=admin,ou=polstr,ou=sm,o=ab,c=gb
    adminpw: {RC2}eVhPY2CFUJu3y0+pKCLCIQ== (encrypted)
    ldif:
    tool:
    ssl: 0
    certdb:

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <serverIP>:<RouterPort33088>
    ------------------------Failure------------------------



  • 19.  Re: CA Directory - Router DSA

    Posted 07-17-2018 06:49 AM

    Pankaj pn00455382

     

    Pretty sure you may have missed the DSA-NAME for ROUTER-DSA.

     

    Here is a working one but mine has SSL enabled as well. Ignore the SSL bit for now. Focus your attention on the highlighted lines.

     

    One more thing, when you are using the connection parameters in smconsole OR JXplorer; your RootDN will always be "ou=polstr,ou=sm,o=ab,c=gb". Because that is where your data structure is.

     

     



  • 20.  Re: CA Directory - Router DSA

    Posted 07-17-2018 07:27 AM

    Hi HubertDennis

    This is strange as I have similar settings and it's not working for me.

    I hope your configurations are from CA Directory 14.0.

    I did entire configuration from management console.

     

    I tried providing base DN of data as well router in smconsole to test but it always ends up with the error:

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for server:routerPort
    ------------------------Failure------------------------

     

    I can share my configurations in the CA case. As of now, I am waiting for a response from them since last week.



  • 21.  Re: CA Directory - Router DSA
    Best Answer

    Posted 07-18-2018 06:46 PM

    Hi HubertDennis

     

    Finally, I managed to configure Policy store with CA Directory Router DSA setup.
    What we missed in our discussion??

    - We also need to add Router DSA in the Knowledge group of Data DSAs.

     

    Thank you for the inputs and your time on this query 

     

    Steps to setup CA Directory as a Policy store with Router DSA setup:

    1. Create Router DSA.
    2. Create Data DSA 1.
    3. Create Data DSA 2.
    4. Ensure that Base DN of Router DSA is 1 level higher than that of Data DSA.
    5. Enable "allow-check-password" trust flag in all DSAs.
    6. Add Data DSAs in the Knowledge group of each other to enable replication.
    7. Add Router DSA in the Knowledge group of Data DSAs. Else, Data DSAs will not bind the admin user on behalf of Router DSA and you will get the following error in Data DSA log -
    "Bind: Unknown DSA".
    8. Add Policy server schema files netegrity.dxc and etrust.dxc in all the DSAs (Router and Data)
    9. Create an Administrator and Policy store Structure (Step-5 in SSO Documentation to setup CA Dir as PStore) in Data DSA 1.
    The same will be replicated to Data DSA 2.
    10. Import default Policy store objects (https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-policy-store/configure-a-ca-directory-policy-store)
    11. Restart Policy server.



  • 22.  Re: CA Directory - Router DSA

    Posted 07-19-2018 11:21 AM

    Thank You Pankaj pn00455382

     

    That is correct. All DSA (router / data) *MUST* have knowledge of each other for bind and replication to work.

     

    I see that there are other tuning parameters that you'd need to consider e.g. disabling Anonymous Access.