Idea Details

CA SSO : smldapsetup : support for different admins

Last activity 06-04-2019 12:06 PM
10-21-2015 09:46 AM

ADLDS has 2 partitions, i.e. the Configuration partition and the Data/Application partition.

We create 2 users, i.e. one in the Configuration partition and another user in the Data/Application partition.

Configuration Partition User : CN=SM Admin,CN=Roles,CN=Configuration,CN={9C8DA8D9-7B7B-4287-8970-858F7E3B92AE}

Application Partition User : CN=SM Admin,OU=serviceids,O=company.com

This works fine if we use the Policy Server Configuration Wizard, because the Wizard has the option to define a different Admin for managing Store Objects.

If we were to configure the PStore and KStore separately, then we need to use the smldapsetup command to manually point the Policy Server to a different KeyStore.

Currently smldapsetup does not support this ability to define two different admins like the Wizard does.

I raised a support ticket "00225396: KStore and ADLDS" and was pointed in the direction of raising an ER to deliver this functionality. Hence I am raising the ER.

There is a workaround:

Run this command so that the schema gets imported into the Configuration Partition.

  • smldapsetup reg -hhost.ca.com -p9991 -d"CN=SM Admin,CN=Roles,CN=Configuration,CN={391A45BD-831B-495E-8298-45E0A1EBBE31}" -wPassword -rOU=kstore9991,O=company.com -k1 -v

  • smldapsetup ldgen -ffilename -k1 -v
  • smldapsetup ldmod -ffilename -k1 -v

Then manually go into smconsole and change the Admin User for the KeyStore to the Data Partition Admin User (CN=SM Admin,OU=serviceids,O=company.com).

Not the best of ways to do this, when all of this should be handled via smldapsetup (not all Customers have the luxury of running X Windows - cleared by TechOps / Security Teams). Hence we need a functional fix (in glorified words, an "Enhancement") in smldapsetup, and this needs to be for all LDAPs which the Wizard currently supports. We already have the capability in smldapsetup to define the Store Type using "-m[n]"; we just need to build upon that.

NOTE : The Documentation also needs updating.

Regards

Hubert


Comments

03-01-2017 02:23 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your suggested enhancement. Based on current roadmap priorities and/or the limited amount of community support for this idea over the last year (please see this document describing how we are reviewing ideas: https://communities.ca.com/docs/DOC-231170123), we are not accepting this idea into the product backlog. Therefore, it is being moved to a “Not Planned” status.

06-27-2016 04:44 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.