
Configuring CA LDAP Server and CA DSI Server 81

Chapter 5: Configuring CA LDAP Server and CA DSI Server

CA LDAP Server and CA DSI Server Configuration

CA LDAP Server and CA DSI Server provide an interface to perform security administration against CA ACF2 and CA Top Secret databases and provide the following functions:

■ The capability to route security database requests to remote systems by communicating with a remote CA LDAP Server or CA DSI Server. This includes the following:

– Modify and delete user requests through the Investigator

– Read and write access through the Security Administration in Quick Links

■ Access to manage policy that is written through the CA Chorus CA Compliance Manager interface.

■ Access to simulation

■ Access to Security Command Manager

■ The ability to query the CA Compliance Manager repository for summary reports with regards to compliance management

■ CIA Real-Time update process

CA DSI Server provides a CA LDAP Server the capability of running security administration requests remotely on other LPARs. DSI also provides a mechanism that lets CA ACF2 or CA Top Secret running on local and remote computers communicate with a single CIA repository.

Note: Detailed instructions are provided in the CA LDAP Server Installation Guide and CA DSI Server Installation Guide.

Sample CA DSI Server Configuration with CIA Real-Time

When the CIA real-time feature is enabled, the security product sends updates to CA DSI Server. CA DSI Server invokes the CA DSI Server plugin to send the update to the CIA repository. The result is that the CIA repository is updated and synchronized with the security product database. The CA DSI Server that is used for this process (spawned or standalone) must have the plugin configured. In this example, the CA DSI Server plugin is configured in the standalone CA DSI Server.


82 Site Preparation Guide

The following diagram shows a sample configuration with real-time CIA updates using standalone CA DSI Servers:

This diagram shows a sample configuration for CIA real-time processing with the CA Chorus UI running on LPAR B. The CA Chorus UI gets data from the CIA repository, which communicates with the CA DSI Server. CA DSI Server receives real-time CIA updates from your external security manager (CA ACF2 or CA Top Secret).

■ (A) CA Chorus Application Server spawns a CA DSI Server to perform authentication and resource checks on LPAR B.

■ (B) LPAR A and C include a standalone CA DSI Server. The CA DSI Server plugin is not required for the CA DSI Servers on LPAR A and C.


When a user wants to execute a native command from CA Chorus, they launch the Security Command Manager and type in a command. CA Chorus sends the command to the CA DSI Server for execution and results. For this CA DSI Server to Security Command Manager interaction, the CA DSI Server is defined in data set member E1MI0015 in your_chorussec_hlq.CE1MJCL. See the CA Chorus Installation Guide.

■ (C) CIA real-time updates from the security products on LPAR A and C are sent to the CA DSI Server running on LPAR B. The CA DSI Server feeding the CIA repository on LPAR B requires the CA DSI Server plugin. The CA DSI Server plugin is invoked to write updates to the CIA repository.

Note: The Real-Time CIA updates are a sub-task of the external security manager, not a stand-alone STC.

■ (D) Security Command Manager and simulation are executed from the CA Chorus interface on LPAR B and point to the local system.

Obtain LDAP Configuration Values

The following CA LDAP Server values are required for the CA Compliance Manager interface installation procedure.

LPAR name or IP Address

Defines the name or IP address of the system running the CA LDAP Server.

Port number

Specifies the TCP/IP port that CA LDAP Server is using.

Example: 389

LDAP suffix

Specifies the values that let CA LDAP Server and CA Chorus for Security and Compliance Management communicate; these values identify the back-end.

Example: o=ca,c=us

Important! These values should have been obtained during installation of CA LDAP Server. If not, use the following procedure to obtain these values.


Follow these steps:

1. Obtain LDAP status values by issuing the following command from a z/OS console:

F LDAPRnn,STATUS

CA LDAP Server displays the LDAP port and its status.

2. Obtain LDAP back-end values by issuing the following command from a z/OS console:

F LDAPRnn,BACKEND

CA LDAP Server displays the LDAP suffix and current back-end values.

3. Use the output to identify and record the values that you need for the installation.


Example: Sample Output from the STATUS Command

The following is an example of output from the STATUS command. This command shows the LDAP port.

Note: You need the field in bold to complete the installation.

ETLDP05I CA LDAP Server status: 928 slapd 15.2012.0229


Example: Sample Output from the BACKEND Command

The following is an example of output from the BACKEND command. This command shows you the LDAP suffix values that you need for the installation.

Note: You need the fields in bold to complete the installation.

ETLDP05I CA LDAP Server status: 935

Status for cmgr_utf backend:


Status for cmdc_utf backend:

    suffix          o=cmdc,c=us
    DB DSN          DATACOM
    DB User         DCOMUSER
    Tbl Qualifier   CMGRD1
    Policy DD       MAPDB
    Permit class    CIEM
    Permit entity   CIEM
    DB Discovered   Yes
    Adm Account     ADMACCOUNT
    Sec Control     SECCONTROL
    Adm Policy      ADMPOLICY
    Adm Misc        ADMMISC
    Obj Access      OBJACCESS
    Sys Access      SYSACCESS
    USS User        USSUSER
    USS File        USSFILE
    Header Delta    HDRDELTA
    Delta Count     13
    PDS Delta       PDSDELTA
    PDS Count       13
    List Delta      LSTDELTA
    List Count      26
    Single Delta    SNGDELTA
    Single Count    9
    Multi Delta     MULDELTA
    Multi Count     4
    Chg Approval    CHGAPPROVED
    Chg App Count   10
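As an added example, not part of the CA documentation, the following Python parses the text of the BACKEND command output and collects, for each back end, the suffix and the other fields that step 3 asks you to record. The sample input is constructed from the values shown above; the one-key-value-pair-per-line layout is an assumption made for this example, since the console output is columnar.

```python
import re
from typing import Dict, Optional

# Constructed sample input, modelled on the BACKEND output shown above.
# The one-pair-per-line layout is an assumption made for this example;
# the real console output lays the fields out in columns.
SAMPLE_BACKEND_OUTPUT = """\
ETLDP05I CA LDAP Server status: 935
Status for cmgr_utf backend:
  suffix          o=ca,c=us
  DB DSN          DATACOM
  DB Discovered   Yes
Status for cmdc_utf backend:
  suffix          o=cmdc,c=us
  DB DSN          DATACOM
  DB User         DCOMUSER
  Tbl Qualifier   CMGRD1
  Delta Count     13
"""

SECTION_RE = re.compile(r"^Status for (\S+) backend:$")
# Key and value are separated by a run of two or more blanks.
PAIR_RE = re.compile(r"^(.+?)\s{2,}(\S.*)$")

def parse_backend_output(text: str) -> Dict[str, Dict[str, str]]:
    """Return {backend_name: {field: value}} for every backend section."""
    backends: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            current = backends.setdefault(section.group(1), {})
            continue
        if current is None:
            continue  # message lines such as ETLDP05I precede any section
        pair = PAIR_RE.match(line)
        if pair:
            current[pair.group(1).strip()] = pair.group(2).strip()
    return backends

def ldap_suffixes(text: str) -> Dict[str, str]:
    """Map each back end to its LDAP suffix, the value step 3 asks you to record."""
    return {name: fields["suffix"]
            for name, fields in parse_backend_output(text).items()
            if "suffix" in fields}
```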