Symantec Access Management


CA Directory - Router DSA

PANKAJ NEGI, Jul 13, 2018 10:16 AM

  • 1.  CA Directory - Router DSA

    Posted Jul 13, 2018 06:02 AM

    Hello All,

     

    I am setting up CA Directory 14.0 as a Policy store.
    I would like to create a Router DSA which will route the Policy server requests to Data DSAs.
    1. How to configure data DSAs inside a router DSA using the management console? i.e., how does the router DSA know which DSAs should receive its requests?
    2. Can we configure router DSA to either Load balance or fail over the requests to data DSAs?
    3. While configuring the default Policy store objects, do we need to point each data DSA to the Policy server or only the router DSA?

    4. Does router DSA setup provide better performance than the data DSA setup? Any article/discussion link will be helpful

     

    Thanks,

    Pankaj



  • 2.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 09:37 AM

    1. How to configure data DSAs inside a router DSA using the management console? i.e., how does the router DSA know which DSAs should receive its requests?

     

    I can't answer the part about using the management console.  The router DSA will load the knowledge files of all the data DSAs along with its own.  This will tell the router what data DSAs are available.

     

    2. Can we configure router DSA to either Load balance or fail over the requests to data DSAs?

     

    Yes.  By default, the router will use failover.  If you add the load-share flag in the data DSA knowledge files, the router will know to load balance across the data DSAs.


    3. While configuring the default Policy store objects, do we need to point each data DSA to the Policy server or only the router DSA?

     

    You would first set up your data DSAs and ensure the multi-write is working before configuring the policy objects.  You would then set up the policy objects using one policy server pointed to one data DSA.  The multi-write will take care of synchronizing the data to the other data DSA.  Once that is working, then introduce the router and verify connectivity.

     

    4. Does router DSA setup provide better performance than the data DSA setup? Any article/discussion link will be helpful

     

    For the policy store, a router doesn't add a whole lot of benefit.  It doesn't harm anything either.  The policy server loads the policy store into memory on startup.  From that point forward, it is more memory reads than directory reads and writes.  For a user store, since you often have other applications needing to connect to the directory, a router definitely provides a benefit by obscuring the data DSA setup from the applications.



  • 3.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 09:45 AM

    Thank you, David. This is really helpful.

     

    Regarding point #3 - When we point the Policy server to the router DSA, we need to provide a username and a password to establish the connection. However, we cannot create a user under the router DSA as it does not have any database.

    How do we handle this situation?

     

    Thanks,

    Pankaj



  • 4.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 09:51 AM

    The router isn't the same as a data DSA.  All it does is route the requests to the data DSA.  The username and password you provide must be in the data DSA.  The router will just forward the request to a data DSA for validation.



  • 5.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 09:58 AM

    Agreed.

    Let me rephrase my question -

    I have 1 Router DSA which is load balancing the requests to 2 Data DSAs. 

     

    While configuring the Policy store from smconsole, we need to provide Policy store IP along with the port, base DN, Admin user and its password.

    Here Policy store IP & port would be of Router DSA.

    What about Admin user and password?

     

    Regards,

    Pankaj



  • 6.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:02 AM


  • 7.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:08 AM

    Hi HubertDennis

    Yes, I have followed these steps to configure CA Directory with a data DSA as a Policy store and that worked perfectly.

     

    However, now I am stuck with the different Policy store setup where I have included a Router DSA.

     

    I have 1 Router DSA which is load balancing the requests to 2 Data DSAs. 

     

    While configuring the Policy store from smconsole, we need to provide Policy store IP along with the port, base DN, Admin user and its password.

    Here Policy store IP & port would be of Router DSA.

    What about Admin user and password?



  • 8.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:11 AM

    Pankaj pn00455382

     

    The Admin Username and Password are what you created within the Data DSA in Step-6. There is no Data in the Router DSA. All Data is only in the Data DSA. Hence your Admin Username and Password are created within the Data DSA. You'll use that Admin User Name and Password from the Data DSA; but the IP and Port will be those of the Router DSA.

     

    Since you have 2 Data DSAs, make sure your Data is replicated, i.e. REPLICATION is working fine. Because once the Router DSA has knowledge of both Data DSAs, it'd send the bind to one of the Data DSAs. Thus the Admin User and Password have to be present in both Data DSAs.

     

    The way I'd do this is:

    A. Create Router DSA.

    B. Create DataDSA-1.

    C. Create DataDSA-2.

    D. Create Replication.

    E. Create Structure (Step-5 in SSO Documentation to setup CA Dir as PStore) in DataDSA-1.

    F. Make sure replication is working by checking in Data-DSA2.

    G. Create a Superuser Administrator for the DSA (Step-6 in SSO Documentation to setup CA Dir as PStore) in DataDSA-1.

    H. Make sure replication is working by checking in Data-DSA2.

     

    Now use this Admin User created in the DataDSA (Step-G) in smconsole; but, as I mentioned, use the IP and port of the Router DSA.



  • 9.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:16 AM

    Great. Thanks.

    Let me try this.



  • 10.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:31 AM

    Hi HubertDennis

    I tried this but got an error -

     

    --------------- Verifying LDAP settings --------------------------------------------------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <ServerIP>:<routerDSAPort>
    ------------------------Failure-----------------------------------------------------------------------

     

    The Data DSA is added in the Knowledge group of the Router DSA and the base DN is the same for the Router and Data DSA.

    All the DSAs are up and running.



  • 11.  Re: CA Directory - Router DSA

    Posted Jul 13, 2018 10:58 AM

    Pankaj pn00455382

     

     

     

    In the Router DSA knowledge file add:

    dsp-idle-time = 30
    dsa-flags = multi-write
    trust-flags = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations

     

    In the Data DSA knowledge file add:

    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password

     

    Restart all DSAs and test.

     

     

    I am not seeing your configuration, but if you have just allowed Clear-Password and disabled Anonymous, then we would also need to change the below in the settings for your DSA.

     

    set min-auth = none;
    to
    set min-auth = clear-password;



  • 12.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 03:16 PM

    Hi HubertDennis

     

    I tried this configuration but the Policy server is still not able to connect to the router DSA.

     

    I have the following configuration -

    1. Data DSAs are added in the Knowledge group of Router DSA

    2. Both data DSAs are added in the knowledge group of each other for replication

    3. Admin user is created in the Data DSA (replicated to other data DSA)

    4. All DSAs (Router + Data) have the same Base DN

    5. In the smconsole, router DSA IP: port is configured as Policy store.

    6. Admin user and password are those of the Data DSA for the Policy server connection with the Router DSA.

     

    I am still not convinced how Policy server will connect to the Router DSA using Admin user of the Data DSA!!

     

    ===========================================================================

    When the Policy server connects to the Data DSA:

    [user@server bin]$ ./smldapsetup status -vE

     

    --------------- Verifying LDAP settings ---------------

    Directory Server: 'CA Directory' (14)

    ------------------------Success------------------------

    =============================================================================

     

    ============================================================================

    When the Policy server connects to the Router DSA:

    [user@server bin]$ ./smldapsetup status -vE

     

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <IP>:<Router DSA Port>
    ------------------------Failure------------------------

    ===============================================================================



  • 13.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 03:54 PM

    Pankaj pn00455382

     

    Can you paste your RouterDSA knowledge file and DataDSA knowledge file (after removing IP Addresses / Ports etc.)?

     

    RouterDSA will not work with ADMIN CREDS OOB. DataDSA will work with ADMIN CREDS OOB.

     

    You have to configure this correctly for ADMIN CREDS to work via Router.

     

    Bind Requests in a Distributed Environment - CA Directory - 14.0 - CA Technologies Documentation 

     

    How User Authentication Is Conveyed between DSAs - CA Directory - 14.0 - CA Technologies Documentation 



  • 14.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 05:49 PM

    Hi HubertDennis

     

    1. RouterDSA knowledge:

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Router>
    dsa-password = "oDc5Nyfz"
    address = tcp "hostname" port 33088
    disp-psap = DISP
    snmp-port = 33088
    console-port = 33089
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

     

    =================================================================

    2. DataDSA1 knowledge:

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

    ======================================================================

    3. DataDSA3 knowledge

    # knowledge
    clear dsas;
    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data1>
    dsa-password = "k4BKunLl"
    address = tcp "hostname" port 33096
    disp-psap = DISP
    snmp-port = 33096
    console-port = 33096
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };
    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Data2>
    dsa-password = "f1JnmhjH"
    address = tcp "hostname" port 33092
    disp-psap = DISP
    snmp-port = 33092
    console-port = 33093
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write-async, no-service-while-recovering
    trust-flags = allow-check-password
    };

     

    ==============================================================



  • 15.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 05:58 PM

    Pankaj pn00455382

     

    In the Router DSA add the below. Restart your Router DSA. Then test and let me know.

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>
    dsa-name = <c gb><o ab><ou sm><ou polstr><cn DSA-PolicyStore-Router>
    dsa-password = "oDc5Nyfz"
    address = tcp "hostname" port 33088
    disp-psap = DISP
    snmp-port = 33088
    console-port = 33089
    remote-console-port = 0
    remote-console-ssl = false
    auth-levels = anonymous, clear-password
    dsp-idle-time = 600
    credits = 1000000
    dsa-flags = multi-write
    trust-flags = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
    };



  • 16.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 06:08 PM

    HubertDennis Still same. Probably, some other important setting is getting missed.

    Do you have any case where Router DSA is working with CA Directory 14.0?



  • 17.  Re: CA Directory - Router DSA

    Posted Jul 16, 2018 07:14 PM

    Pankaj pn00455382

     

    One problem I do see is your PREFIX.

     

    The PREFIX for ROUTERDSA has to be one level higher than DATADSA.

     

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    Could you change the ROUTERDSA to be higher, e.g.:

     

     

    set dsa "DSA-PolicyStore-Router" =
    {
    prefix = <c gb><o ab><ou sm>

     

     

    set dsa "DSA-PolicyStore-Data1" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>

     

     

    set dsa "DSA-PolicyStore-Data2" =
    {
    prefix = <c gb><o ab><ou sm><ou polstr>



  • 18.  Re: CA Directory - Router DSA

    Posted Jul 17, 2018 03:45 AM

    Hi HubertDennis

    Changed the BaseDN of the RouterDSA 1 level higher and tried the connection again but it's the same.

    I raised CA support case 01140290 last week and am awaiting a response.

     

    [user@hostname bin]$ ./smldapsetup status -vE

    mode: status

    host: hostname
    port: 33088
    root: ou=sm,o=ab,c=gb
    admindn: cn=admin,ou=polstr,ou=sm,o=ab,c=gb
    adminpw: {RC2}eVhPY2CFUJu3y0+pKCLCIQ== (encrypted)
    ldif:
    tool:
    ssl: 0
    certdb:

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for <serverIP>:<RouterPort33088>
    ------------------------Failure------------------------



  • 19.  Re: CA Directory - Router DSA

    Posted Jul 17, 2018 06:49 AM

    Pankaj pn00455382

     

    Pretty sure you may have missed the DSA-NAME for ROUTER-DSA.

     

    Here is a working one but mine has SSL enabled as well. Ignore the SSL bit for now. Focus your attention on the highlighted lines.

     

    One more thing, when you are using the connection parameters in smconsole OR JXplorer; your RootDN will always be "ou=polstr,ou=sm,o=ab,c=gb". Because that is where your data structure is.

     

     



  • 20.  Re: CA Directory - Router DSA

    Posted Jul 17, 2018 07:27 AM

    Hi HubertDennis

    This is strange as I have similar settings and it's not working for me.

    I hope your configurations are from CA Directory 14.0.

    I did entire configuration from management console.

     

    I tried providing the base DN of the data as well as the router DSA in smconsole to test, but it always ends up with the error:

    --------------- Verifying LDAP settings ---------------

    LDAPError: 52. LDAP error 52. DSA is unavailable.
    LDAP settings do not appear to be valid for server:routerPort
    ------------------------Failure------------------------

     

    I can share my configurations in the CA case. As of now, I am waiting for a response from them since last week.



  • 21.  Re: CA Directory - Router DSA
    Best Answer

    Posted Jul 18, 2018 06:46 PM

    Hi HubertDennis

     

    Finally, I managed to configure Policy store with CA Directory Router DSA setup.
    What did we miss in our discussion?

    - We also need to add Router DSA in the Knowledge group of Data DSAs.

     

    Thank you for the inputs and your time on this query 

     

    Steps to setup CA Directory as a Policy store with Router DSA setup:

    1. Create Router DSA.
    2. Create Data DSA 1.
    3. Create Data DSA 2.
    4. Ensure that Base DN of Router DSA is 1 level higher than that of Data DSA.
    5. Enable "allow-check-password" trust flag in all DSAs.
    6. Add Data DSAs in the Knowledge group of each other to enable replication.
    7. Add Router DSA in the Knowledge group of Data DSAs. Else, Data DSAs will not bind the admin user on behalf of Router DSA and you will get the following error in Data DSA log -
    "Bind: Unknown DSA".
    8. Add Policy server schema files netegrity.dxc and etrust.dxc in all the DSAs (Router and Data)
    9. Create an Administrator and Policy store Structure (Step-5 in SSO Documentation to setup CA Dir as PStore) in Data DSA 1.
    The same will be replicated to Data DSA 2.
    10. Import default Policy store objects (https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-policy-store/configure-a-ca-directory-policy-store)
    11. Restart Policy server.
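    As an added illustration (not CA Directory's own tooling, and not code from anyone in this thread), a small Python check that applies steps 4 to 7 above to a set of knowledge files. The sample files are constructed from the DSA names and prefixes posted in the thread, trimmed to the prefix and trust-flags keys, with Data1's file lacking the router entry as it did before the fix.

```python
import re

# Added example, not CA Directory tooling: a consistency check over DSA knowledge
# files applying the accepted answer's steps (router prefix one level higher,
# allow-check-password on every DSA, every DSA known to every other DSA).
DSA_RE = re.compile(r'set\s+dsa\s+"([^"]+)"\s*=\s*\{(.*?)\};', re.S)
RDN_RE = re.compile(r"<([^>]+)>")

def parse_knowledge(text):
    """Map each 'set dsa' block to its prefix (list of RDNs) and trust flags."""
    dsas = {}
    for name, body in DSA_RE.findall(text):
        entry = {"prefix": [], "trust-flags": set()}
        for line in body.splitlines():
            key, _, value = line.strip().partition("=")
            if key.strip() == "prefix":
                entry["prefix"] = RDN_RE.findall(value)
            elif key.strip() == "trust-flags":
                entry["trust-flags"] = {f.strip() for f in value.split(",")}
        dsas[name] = entry
    return dsas

def check_knowledge(router, files):
    """files maps every DSA name to the text of that DSA's own knowledge file.
    Returns a list of findings; an empty list means the layout is consistent."""
    findings = []
    parsed = {name: parse_knowledge(text) for name, text in files.items()}
    router_prefix = parsed[router].get(router, {}).get("prefix")
    for name, entries in parsed.items():
        if name not in entries:
            findings.append(f"{name}: knowledge file does not declare itself")
            continue
        # Steps 6 and 7: every DSA must know every other DSA, router included;
        # a data DSA without the router entry logs "Bind: Unknown DSA".
        for other in files:
            if other != name and other not in entries:
                findings.append(f"{name}: no knowledge of {other}")
        # Step 5: the password-check trust flag on every DSA.
        if "allow-check-password" not in entries[name]["trust-flags"]:
            findings.append(f"{name}: trust-flags lacks allow-check-password")
        # Step 4: a data DSA prefix sits exactly one RDN below the router prefix.
        if name != router and entries[name]["prefix"][:-1] != router_prefix:
            findings.append(f"{name}: prefix is not one level below {router}")
    return findings

def block(name, prefix, flags):
    """Build a minimal 'set dsa' stanza in knowledge-file syntax (constructed)."""
    return f'set dsa "{name}" =\n{{\nprefix = {prefix}\ntrust-flags = {flags}\n}};\n'

ROUTER = "DSA-PolicyStore-Router"
DATA1, DATA2 = "DSA-PolicyStore-Data1", "DSA-PolicyStore-Data2"
STORE = "<c gb><o ab><ou sm><ou polstr>"
R = block(ROUTER, "<c gb><o ab><ou sm>", "allow-check-password, trust-conveyed-originator")
D1 = block(DATA1, STORE, "allow-check-password")
D2 = block(DATA2, STORE, "allow-check-password")
# Before: Data1's file lists only the data DSAs (the omission found in the thread).
BEFORE = {ROUTER: R + D1 + D2, DATA1: D1 + D2, DATA2: R + D1 + D2}
AFTER = {ROUTER: R + D1 + D2, DATA1: R + D1 + D2, DATA2: R + D1 + D2}
```

    `check_knowledge(ROUTER, BEFORE)` reports the one finding "DSA-PolicyStore-Data1: no knowledge of DSA-PolicyStore-Router", while `check_knowledge(ROUTER, AFTER)` returns an empty list.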



  • 22.  Re: CA Directory - Router DSA

    Posted Jul 19, 2018 11:21 AM

    Thank You Pankaj pn00455382

     

    That is correct. All DSAs (router / data) *MUST* have knowledge of each other for bind and replication to work.

     

    I see that there are other tuning parameters that you'd need to consider e.g. disabling Anonymous Access.