Question:
How can I configure 2 Policy Stores on CA Directory in failover and in SSL?
Environment:
Siteminder 12.52 SP1
Answer:
Mainly, this setting has 3 steps:
1.Set replication among the Policy Stores (https://communities.ca.com/message/241815367#241815367) or you can reference the below KB:
SiteMinder with CA Directory as policy store/session store high availability
Document ID: TEC577451
2. Set up Failover among the Policy Stores in the Policy Server configuration without SSL (Please see "Configure LDAP Failover" on the Policy Server Administration Guide)
3. Set up SSL communication between Policy Server and Policy Stores:
- On all CA Directory host part of this Policy Server DSAs doing MW replication, backup existing DXHOME/config/ssld folder.
- Pick one server and at the system prompt run “dxcertgen certs” to generate self-signed certificates.
Note:
‘dxcertgen certs’ used as is, defaults to ONE year certificate validity. If you want to extended validity, you can use –d (number of days) switch.
e.g. if you want 10 years validity, the command would be ‘dxcertgen –d 3650 certs’
- Next is to copy this entire DXHOME/config/ssld folder from this server where self-signed certs are generated to *all other* CA Directory hosts that are part of this Provisioning setup which is configured for MW replication.
- Next is to restart *ALL* Policy Store DSAs on *ALL* hosts so the new certs can be read in.
- Then copy CA root cert and server certs to policy server machine.
Policy Server side configuration:
1.Use certutil in PS bin directory to create the Certificate Database Files:
Example: certutil -N -d C: \certdatabase
-N(Creates the cert8.db, key3.db, and secmod.db certificate database files)
-d (Specifies the directory in which the certutil tool is to create the certificate database files.)
2. Add the Root CA and the server certificates to the certificate database:
- C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "MyRootCA" -t "P,," -i C:\certdatabase\trusted.pem -d "C:\Program Files (x86)\CA\SiteMinder\bin"
- C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "My Client01 Certificate" -t "P,," -i "C:\certdatabase\server01.pem" -d "C:\Program Files (x86)\CA\SiteMinder\bin"
- C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "My Client02 Certificate" -t "P,," -i "C:\certdatabase\server02.pem" -d "C:\Program Files (x86)\CA\SiteMinder\bin"
- After running the above command , you can locate the cert8.db file in "siteminder\bin" folder. To test the policy store connectivity through the “smconsole”, in data tab give the above location of cert8.db and check the SSL tab and give the SSL port numner and verify the connection.
(For more information, please review PS guide on configuring an ssl connection to an LDAP data store)
Note:
- trusted.pm (which holds the root CA certificate)
- server01.pem (client certificate for sserver01 DSA)
- server02.pem (client certificate for server02 DSA)
- The above certificates were copied to the following path on the Policy Server:
- Example to C:\certdatabase
- trusted.pem was copied from the following location on one of the policy store DSAs:C:\Program Files\CA\Directory\dxserver\config\ssld
- server01.pem and server02.pem were copied from the following location on one of the policy store DSAs: C:\Program Files\CA\Directory\dxserver\config\ssld\personalities
- Restart the Policy server and close the management console, and then try to reconnect to the Policy stores checking the SSL option.
- Finally, you can also use following command to check cert validity by running at the system prompt.
- dxcertgen report
- The above will list out information on all (trusted root CA and personalities) certificates.
Additional Information:
https://docops.ca.com/ca-single-sign-on/12-6/EN/administrating/configuring-policy-server-data-storage-options/configure-an-ssl-connection-to-an-ldap-data-store
KB : TEC1852061#