Symantec Access Management

Tech Tip : CA Single Sign-On : CA SSO R12.8 Installation & Configuration queries


    Posted 10-18-2018 03:53 AM

    Question


    We're setting the Policy Server registry to connect to the LDAP Policy
    Store with a plain text password, and the Policy Server can still
    connect to the LDAP Policy Store.


    We'd like to know if this is as expected and the underlying reason for
    that behavior.


    In the Policy Server registry, we've modified the following:


    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=281504719 

    AdminDN= cn=Directory Manager; REG_SZ
    AdminPW= {RC2}88/212fUIqNTlL0iZDPAJ4WgRuR8+juL; REG_SZ


    to


    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=281504719
    AdminDN= cn=Directory Manager; REG_SZ
    AdminPW= password; REG_SZ

    and we can start the Policy Server, which still connects successfully to
    the LDAP Policy Store.

    smps.log


    [1539/140436049700672][Wed Oct 03 2018 16:22:57][SmObjProvider.cpp:243][INFO][sm-Server-02830] Initializing policy store provider 'LDAP:'
    [1539/140436049700672][Wed Oct 03 2018 16:22:57][SmObjProvider.cpp:282][INFO][sm-Server-02840] Loading of policy store provider extension DLL: 'smobjldapims' succeeded.
    [1539/140436049700672][Wed Oct 03 2018 16:22:57][SmLdapPs.cpp:253][INFO][sm-Ldap-02140] SSL client init will not be attempted - no certificate database defined
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][smldaputils.cpp:523][INFO][sm-Ldap-00540] Opening policy store connection to LDAP server: ' 127.0.0.1:389 '
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:174][CreateRoot][INFO][sm-xpsxps-01160] LDAP Provider Info String = Sun-Directory-Server/11.1.1.7.171017 B2017.1007.1406
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: supportedLDAPVersion = 2
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: supportedLDAPVersion = 3
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:236][CreateRoot][INFO][sm-xpsxps-01130] LDAP Provider Vendor: vendorName = Oracle Corporation
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: vendorVersion = Sun-Directory-Server/11.1.1.7.171017
    [1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: dataversion = 020181003142123020181003142123


    Answer:


    Indeed, if you put the password in plain text it will still be able to
    connect to the Policy Store. This is as expected. We recommend setting
    it using smconsole so that it is stored encrypted. You can also use
    the smldapsetup command line to set it encrypted. This facility is
    there to help make a connection to the Policy Store when only editing
    the sm.registry file is possible.
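    Since the Policy Server accepts both forms, an operator may want to audit an exported registry or sm.registry dump for any AdminPW value that does not carry the {RC2} tag. The script below is an added example, not CA/Broadcom code; it assumes the "Name= value; REG_TYPE" layout shown in the post above and uses constructed sample values (the ciphertext is a placeholder).

```python
import re
from dataclasses import dataclass

# Layout used in the post for sm.registry / regedit-style dumps: a key path line
# "HKEY_...\LdapPolicyStore=281504719" followed by "Name= value; REG_TYPE" entries.
KEY_RE = re.compile(r"^\s*(?P<path>HKEY_[^=]+?)\s*=\s*\d+\s*$")
VALUE_RE = re.compile(r"^\s*(?P<name>\w+)=\s*(?P<value>.*?);\s*(?P<type>REG_\w+)\s*$")
ENCRYPTED_PREFIX = "{RC2}"        # tag the Policy Server puts on encrypted values
CREDENTIAL_NAMES = {"AdminPW"}    # assumption: extend with other *PW names you store


@dataclass
class Finding:
    key_path: str
    name: str
    state: str  # "encrypted", "plaintext" or "empty"


def classify(value: str) -> str:
    if not value:
        return "empty"
    return "encrypted" if value.startswith(ENCRYPTED_PREFIX) else "plaintext"


def audit_registry_text(text: str) -> list[Finding]:
    """Classify every credential value in a registry dump, keyed by its path."""
    findings, current_key = [], "<no key>"
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("path")
            continue
        entry = VALUE_RE.match(line)
        if entry and entry.group("name") in CREDENTIAL_NAMES:
            findings.append(Finding(current_key, entry.group("name"),
                                    classify(entry.group("value"))))
    return findings


def plaintext_findings(text: str) -> list[Finding]:
    """Only the entries to act on: re-set them via smconsole or smldapsetup."""
    return [f for f in audit_registry_text(text) if f.state == "plaintext"]


# Constructed samples mirroring the "before" and "after" states from the post.
SAMPLE_ENCRYPTED = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=281504719
AdminDN= cn=Directory Manager; REG_SZ
AdminPW= {RC2}CONSTRUCTED_CIPHERTEXT_PLACEHOLDER; REG_SZ
"""
SAMPLE_PLAINTEXT = SAMPLE_ENCRYPTED.replace("{RC2}CONSTRUCTED_CIPHERTEXT_PLACEHOLDER", "password")
```

    The {RC2} form keeps the credential out of plain sight but remains reversible by the Policy Server, so access to the registry or sm.registry file must be restricted in either case.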


    KB : KB000117752