Chapter 4: Configuring the Enterprise Management Server for SUN ONE and CA Directory
This scenario describes how you configure the Enterprise Management Server for SUN ONE or CA Directory. If you are using SUN ONE or CA Directory as the user store, you configure the user store settings after you install CA ControlMinder Enterprise Management. You use the CA IdentityMinder Management Console to configure the directory and environment settings.
Important! To use SUN ONE Directory or CA Directory as the user store, select the Other User Store option in the Select User Store screen of the CA ControlMinder Enterprise Management installation wizard.
The target audience for this scenario is:
■ System Administrators
■ Database Administrators
■ CA ControlMinder Administrators
The following diagram illustrates the steps you complete to configure the Enterprise Management Server for SUN ONE or CA Directory user stores:
How to Install the Enterprise Management Server Components
76 Implementation Guide
Follow these steps:
1. Install the user store directory.
Note: For SUN ONE, verify that you install the SUN ONE Directory Suite and Administration Services. For more information about CA Directory, refer to the CA Directory Installation Guide.
2. Create a public user and a system manager account.
You specify the user credentials when you create the environment.
3. Install the Enterprise Management Server.
Note: Do not specify a user store during the installation. For more information about the Enterprise Management Server installation, refer to the Implementation Guide.
4. Create a directory and define the connection settings:
■ SUN ONE (see page 76)
■ CA Directory (see page 80)
5. Create an environment and define the environment settings:
■ SUN ONE (see page 77)
■ CA Directory
Note: You use the CA IdentityMinder Management Console to configure and define the settings for the directory and the environment.
Create a Directory for the SUN ONE User Store
A directory provides information about a user directory that the Enterprise Management Server manages. You configure the SUN ONE directory settings after you install the Enterprise Management Server.
Follow these steps:
1. Navigate to the following directory, where JBOSS_HOME indicates the directory where you installed JBoss:
JBOSS_HOME/server/default/deploy/IdentityMinder.ear/user_console.war/META-INF/
2. Locate the SAM_iPlanet_directory.xml file and copy the file to a temporary directory.
3. Open the CA IdentityMinder Management Console as follows: http://enterprise_host:port/idmmanage
4. Select Directories, New.
The new directory window opens.
6. Enter the following information:
– Name—defines the directory logical name
– Description—(optional) specifies a description for the directory
– Object Connection Name—specifies the name of the user store
– Host—defines the directory host name or IP address
– Port—defines the directory port number
Example: 389
– Search root—defines the organization search root. The directory search starts from the root level.
– User DN—defines a user account with privileges to log in to the directory
Example: cn=Username, ou=Administration, ou=Corporate, o=Democorp, c=AU
– Password—defines the user account password
– Confirm password—enter the user account password to confirm the password
– Secure connection—indicates that the connection to the directory is secured
7. Click Next and Finish.
The new directory is created. You now need to create an environment.
Create an Environment for the SUN ONE User Store
Valid for Windows
After you create and configure the directory settings for the SUN ONE directory, you create an environment. An environment is a view of the user store. In an environment you manage users, groups, organizations, tasks and roles.
Note: The JBoss application server service automatically starts during Windows startup and if an environment does not exist, one is created. We recommend that you disable the automatic service startup. If the environment exists, delete it before you create the environment for the SUN ONE user store.
Before you create the environment, you must define the system manager account in the Sun ONE user directory.
Important! Do not define the system manager account directly under the search root; define it under an Organization Unit (OU) that is located under the search root. For example, if the search root you defined is dc=company,dc=com, create the system manager account under the Users OU as follows: uid=Sysmanager,ou=Users,dc=company,dc=com
Follow these steps:
1. Navigate to the following directory, where JBOSS_HOME indicates the directory where you installed JBoss:
JBOSS_HOME/server/default/deploy/IdentityMinder.ear/user_console.war/META-INF/
a. Locate the following files and copy them to a temporary directory:
ac-RoleDefinitions_Iplanet_EN.xml
ac-environmentSettings.xml
b. Delete the ac-environment.properties file, if it exists.
2. Open the CA IdentityMinder Management Console, select Environments, then select New.
The new environment screen appears.
3. Enter ac-env as the name of the environment, provide a description and enter ac as the public URL alias, then click Next.
A screen appears displaying a list of available directories.
4. Select the SUN ONE directory you have defined to associate with this environment, then click Next.
a. (Optional) Select the directory to use as the provisioning directory for this environment, then click Next.
b. (Optional) Specify the user account to authenticate anonymous connections with, then select Validate.
CA IdentityMinder Management Console validates the user account.
5. Click Next to continue.
6. Select Import Roles from File and use Browse to locate the file ac-RoleDefinitions_iPlanet_EN.xml, click Next.
7. Specify the user manager account, select Add and then select Next.
A summary screen opens.
Important! Verify that the user manager account exists in the directory.
8. Review the summary and click Finish.
CA IdentityMinder Management Console creates the environment.
9. Select Environments, ac-env, Advanced Settings, then click Import.
The Import Settings window opens.
a. Browse to the directory where you saved the ac-environmentSettings.xml file, select it, then click Finish.
10. Select Continue, then select Start.
The environment starts up.
11. Select Environments, ac-env, Advanced Settings, Workflow.
The Workflow Properties window opens.
a. Check the box next to the Enabled property to enable workflow, then click Save.
CA IdentityMinder Management Console applies the changes to the environment.
12. Select Environments, ac-env, System Manager.
The System Manager window opens.
a. Specify the system manager user account, then select Validate.
CA IdentityMinder Management Console displays the system manager account properties.
b. Select Next, Finish.
CA IdentityMinder Management Console displays the system manager configuration output and specifies errors, if identified.
c. Select Continue.
13. In the Status field, select Restart.
CA IdentityMinder Management Console restarts the environment.
14. Restart the JBoss application server.
15. Open a Command Prompt window and navigate to the bin directory.
16. Run the following command to execute ComponentRegistration:
ComponentRegistration -comp jcs -register -userDN cn=root,dc=etasa -serverDN dc=im,dc=etasa -pwd <communication_password> -port 20411 -ssl yes -file C:\temp\output.txt -verbose
For example:
ComponentRegistration -comp jcs -register -userDN cn=root,dc=etasa -serverDN dc=im,dc=etasa -pwd password -port 20411 -ssl yes -file C:\temp\output.txt -verbose
You have defined the SUN ONE directory as the user store for CA ControlMinder Enterprise Management. You can now log in to CA ControlMinder Enterprise Management.
Create a Directory for CA Directory
A directory provides information about a user directory that CA ControlMinder Enterprise Management manages. You configure the CA Directory settings after you install CA ControlMinder Enterprise Management.
Important! If the UID attribute in the directory does not contain a value, you must edit the SAM_CA_Directory.xml file before you create the directory. For example:
<ImsManagedObjectAttr physicalname="uid" displayname="User ID" description="User ID" valuetype="String" required="true" multivalued="false" wellknown="%USER_ID%" maxlength="0" permission="WRITEONCE"/>
Note: The UID attribute must contain unique, user-defined data. Each CA Directory attribute is mapped once to a CA ControlMinder Enterprise Management attribute in the CA Directory XML file.
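The two rules above (the uid mapping must be present and required, and each CA Directory attribute is mapped only once) are easy to get wrong while hand-editing the XML. The following added example, which is not code from the Implementation Guide or from CA, checks a mapping fragment for both rules before you create the directory. Only the ImsManagedObjectAttr element and its attribute names come from the guide; the enclosing ImsManagedObject element and both sample fragments are constructed for the example and are not the real SAM_CA_Directory.xml.

```python
"""Sanity-check a CA Directory attribute-mapping fragment before creating the directory.

Added example, not part of the Implementation Guide. The <ImsManagedObject> wrapper and the
sample fragments are constructed; <ImsManagedObjectAttr> and its attributes follow the guide.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List

# Constructed sample with two defects: uid is not required, and cn is mapped twice.
BROKEN_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="uid" displayname="User ID" description="User ID"
      valuetype="String" required="false" multivalued="false"
      wellknown="%USER_ID%" maxlength="0" permission="WRITEONCE"/>
  <ImsManagedObjectAttr physicalname="cn" displayname="Full Name" description="Full Name"
      valuetype="String" required="true" multivalued="false"
      wellknown="" maxlength="0" permission="WRITEONCE"/>
  <ImsManagedObjectAttr physicalname="cn" displayname="Common Name" description="Duplicate"
      valuetype="String" required="false" multivalued="false"
      wellknown="" maxlength="0" permission="WRITEONCE"/>
</ImsManagedObject>
"""

# Constructed sample whose uid mapping matches the element shown in the guide.
GOOD_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="uid" displayname="User ID" description="User ID"
      valuetype="String" required="true" multivalued="false"
      wellknown="%USER_ID%" maxlength="0" permission="WRITEONCE"/>
  <ImsManagedObjectAttr physicalname="cn" displayname="Full Name" description="Full Name"
      valuetype="String" required="true" multivalued="false"
      wellknown="" maxlength="0" permission="WRITEONCE"/>
</ImsManagedObject>
"""


def check_attribute_mapping(xml_text: str) -> List[str]:
    """Return the problems found in the mapping; an empty list means both rules pass."""
    root = ET.fromstring(xml_text)
    attrs = root.findall(".//ImsManagedObjectAttr")
    problems: List[str] = []

    # Rule 1: each CA Directory attribute is mapped once (LDAP attribute names are
    # case-insensitive, so compare them lower-cased).
    counts = Counter(a.get("physicalname", "").lower() for a in attrs)
    for name, n in sorted(counts.items()):
        if n > 1:
            problems.append(f"attribute '{name}' is mapped {n} times")

    # Rule 2: the uid mapping exists, is required, and carries the %USER_ID%
    # well-known name exactly as the guide's example element does.
    uid = [a for a in attrs if a.get("physicalname", "").lower() == "uid"]
    if not uid:
        problems.append("no mapping for 'uid'")
    else:
        if uid[0].get("required", "").lower() != "true":
            problems.append("'uid' mapping is not required=\"true\"")
        if uid[0].get("wellknown") != "%USER_ID%":
            problems.append("'uid' mapping does not carry wellknown=\"%USER_ID%\"")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_XML), ("good", GOOD_XML)):
        print(label + ":", check_attribute_mapping(text) or "OK")
```

To check the real file, read it with `open(...).read()` and pass the text to `check_attribute_mapping`; the function only relies on the ImsManagedObjectAttr elements, wherever they sit in the document tree.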
Follow these steps:
1. Navigate to the following directory, where JBoss_HOME indicates the directory where you installed JBoss:
JBoss_HOME/server/default/deploy/IdentityMinder.ear/user_console.war/META-INF/
2. Copy the following files to a temporary directory:
a. SAM_CA_Directory.xml
b. ac-RoleDefinitions_CADir_EN.xml
c. ac-environmentSettings.xml
3. Delete the ac-environment.properties file, if it exists.
4. Start the JBoss application server.
5. Open the CA IdentityMinder Management Console as follows: http://enterprise_host:port/idmmanage
The CA IdentityMinder Management Console opens.
6. Select Directories, New.
The new directory window opens.
7. Select Browse and locate the SAM_CA_Directory.xml file. Click Next.
8. Enter the following details:
– Name—defines the directory logical name
– Description—(optional) specifies a description for the directory
– Object Connection Name—specifies the name of the user store
– Host—defines the directory host name or IP address
– Port—defines the directory port number
Example: 389
– Search root—defines the organization search root. The directory search starts from the root level.
Note: Leave this field blank if you work with multiple domains.
– User DN—defines a user account with privileges to log in to the directory
Example: cn=Username, ou=Administration, ou=Corporate, o=Democorp, c=AU
– Password—defines the user account password
– Confirm password—enter the user account password to confirm the password
– Secure connection—indicates that the connection to the directory is secured
9. Click Next and Finish.
The new directory is created. You now need to create an environment.
Create an Environment for CA Directory
Valid on Windows
After you create and configure the directory settings for CA Directory, you create an environment. An environment is a view of the user store. In an environment you manage users, groups, organizations, tasks and roles.
Note: The JBoss application server service automatically starts during Windows startup and if an environment does not exist, one is created. We recommend that you disable the automatic service startup. If the environment exists, delete it before you create the environment for CA Directory.
Before you create the environment, define the system manager account in CA Directory.
Important! Do not define the system manager account directly under the search root; define it under an Organization Unit (OU) that is located under the search root. For example, if the search root you defined is dc=company,dc=com, create the system manager account under the Users OU as follows: uid=Sysmanager,ou=Users,dc=company,dc=com
Note: For multiple domains support, define the user full DN.
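The placement rule for the system manager account is the same for the SUN ONE and the CA Directory user stores, and a wrong placement only shows up later when the environment's System Manager validation fails. The following added example, which is not code from the Implementation Guide or from CA, checks a DN against that rule for both sections: the account must lie under an OU that is itself below the search root, never directly under the search root. The DN parser is a simplified RFC 4514 splitter (no escaped commas, no multi-valued RDNs), which covers the DNs used in this chapter; how a blank search root (multiple domains) is treated is this example's own assumption: a full DN whose immediate parent is an OU is then accepted.

```python
"""Check that a system manager DN sits inside an OU below the search root.

Added example, not part of the Implementation Guide. Applies to both the SUN ONE and the
CA Directory user stores. DN parsing is simplified (no escaped commas or multi-valued RDNs);
the blank-search-root behaviour is an assumption made for multi-domain setups.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'uid=Sysmanager,ou=Users,dc=company,dc=com' into normalised (type, value)
    RDNs, most specific first. Types and values are lower-cased for comparison."""
    rdns: List[Tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn lies strictly below base, i.e. base's RDNs are a proper suffix of dn's."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def check_system_manager_dn(sysmgr_dn: str, search_root: str) -> str:
    """Return 'ok', or the reason the placement breaks the guide's rule."""
    rdns = parse_dn(sysmgr_dn)
    if not rdns:
        return "empty DN"
    if search_root.strip():
        if not is_under(sysmgr_dn, search_root):
            return "system manager DN is not under the search root"
        # RDNs between the account's own RDN and the search root, nearest parent first.
        parents = rdns[1:len(rdns) - len(parse_dn(search_root))]
    else:
        # Blank search root (multi-domain setup, assumption): the full DN must still
        # name an OU as the account's immediate parent.
        parents = rdns[1:]
    if not parents:
        return "system manager account sits directly under the search root"
    if parents[0][0] != "ou":
        return "system manager account is not directly inside an Organization Unit (OU)"
    return "ok"


if __name__ == "__main__":
    root = "dc=company,dc=com"
    for dn in ("uid=Sysmanager,ou=Users,dc=company,dc=com",
               "uid=Sysmanager,dc=company,dc=com",
               "uid=Sysmanager,ou=Users,dc=other,dc=com"):
        print(dn, "->", check_system_manager_dn(dn, root))
```

Run the same check on the user manager account you specify when importing roles; the guide requires that account to exist in the directory, and the same OU placement keeps it inside the environment's search scope.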
Follow these steps:
1. Open the CA IdentityMinder Management Console, select Environments, then select New.
2. Enter ac-env as the name of the environment, provide a description and enter ac as the public URL alias, then click Next.
A screen appears displaying a list of available directories.
3. Select CA Directory to associate with this environment, then click Next.
a. (Optional) Select the directory to use as the provisioning directory for this environment, then click Next.
b. (Optional) Specify the user account to authenticate anonymous connections with, then select Validate.
CA IdentityMinder Management Console validates the user account.
4. Click Next to continue.
5. Select Import Roles from File and use Browse to locate the file ac-RoleDefinitions_CADir_EN.xml, click Next.
6. Specify the user manager account, select Add and then select Next.
Note: For multiple domains support, specify the user full DN.
A summary screen opens.
Important! Verify that the user manager account exists in the directory.
7. Review the summary and click Finish.
CA IdentityMinder Management Console creates the environment.
8. Select Environments, ac-env, Advanced Settings, then click Import.
The Import Settings window opens.
a. Browse to the directory where you saved the ac-environmentSettings.xml file, select it, then click Finish.
CA IdentityMinder Management Console creates the environment.
9. Select Continue, then select Start.
The environment starts up.
10. Select Environments, ac-env, Advanced Settings, Workflow.
The Workflow Properties window opens.
a. Check the box next to the Enabled property to enable workflow, then click Save.
CA IdentityMinder Management Console applies the changes to the environment.
11. Select Environments, ac-env, System Manager.
The System Manager window opens.
a. Specify the system manager user account, then select Validate.
CA IdentityMinder Management Console displays the system manager account properties.
b. Select Next, Finish.
CA IdentityMinder Management Console displays the system manager configuration output and specifies errors, if identified.
c. Select Continue.
12. In the Status field, select Restart.
CA IdentityMinder Management Console restarts the environment.
13. Restart the JBoss application server.
14. Open a Command Prompt window and navigate to the bin directory.
15. Run the following command to execute ComponentRegistration:
ComponentRegistration -comp jcs -register -userDN cn=root,dc=etasa -serverDN dc=im,dc=etasa -pwd <communication_password> -port 20411 -ssl yes -file C:\temp\output.txt -verbose
For example:
ComponentRegistration -comp jcs -register -userDN cn=root,dc=etasa -serverDN dc=im,dc=etasa -pwd password -port 20411 -ssl yes -file C:\temp\output.txt -verbose
You have defined CA ControlMinder Enterprise Management to use CA Directory. You can now log in to CA ControlMinder Enterprise Management.
Start CA ControlMinder Enterprise Management
After you install CA ControlMinder Enterprise Management you need to start CA ControlMinder and the web application server.
Follow these steps:
1. Verify that CA ControlMinder services are started.
CA ControlMinder Enterprise Management requires that CA ControlMinder is running.
2. Verify that the JBoss Application Server service is started. If the JBoss Application Server service is not started, do one of the following:
■ (Windows) Click Start, Programs, CA, ControlMinder, Start Task Engine.
Note: The Task Engine may take some time to load the first time you start it.
■ (Windows) Start the JBoss Application Server service from the Services panel.
■ (Linux) Enter ./JBOSS_HOME/bin/run.sh -b 0.0.0.0
When the JBoss Application Server completes loading, you can log in to the CA ControlMinder Enterprise Management web-based interface.
Open CA ControlMinder Enterprise Management
Once you install and start CA ControlMinder Enterprise Management you can start the web-based interface from a remote computer using the URL for CA ControlMinder Enterprise Management.
To open CA ControlMinder Enterprise Management
1. Open a web browser and enter one of the following URLs for your host:
■ To use a non-SSL connection, enter the following URL:
http://enterprise_host:port/iam/ac
■ To use an SSL connection, enter the following URL:
https://enterprise_host:HTTPSport/iam/ac
2. Use your credentials to log in.
The CA ControlMinder Enterprise Management home page appears.
Note: You can also open CA ControlMinder Enterprise Management from a Windows computer where you installed it by clicking Start, Programs, CA, Access Control, Enterprise Management.
Example: Open CA ControlMinder Enterprise Management
Enter the following URL into your web browser to open CA ControlMinder Enterprise Management from any computer on the network:
http://appserver123:18080/iam/ac
The URL suggests that CA ControlMinder Enterprise Management is installed on a host named appserver123 and uses the default CA ControlMinder Enterprise Management port 18080.
Example: Open CA ControlMinder Enterprise Management Using SSL
Enter the following URL into your web browser to open CA ControlMinder Enterprise Management using SSL from any computer on the network:
https://appserver123:18443/iam/ac
The URL suggests that CA ControlMinder Enterprise Management is installed on a host named appserver123 and uses the default CA ControlMinder Enterprise Management SSL port 18443.
Enterprise Management Server SSL Communication
Starting from 12.7, the Enterprise Management Server components use SSL for communication. You can modify the SSL communication setting for the following components:
■ JBoss Application Server
By default, JBoss is not installed with SSL support.
■ Message Queue
You can modify the Message Queue default SSL ports to prevent unauthorized access to well-known ports.
■ CA ControlMinder Enterprise Management
■ (Optional) Java Connector Server
Import a new SSL certificate after you upgrade to CA ControlMinder r12.5 SP3 only if you used the default certificate.
SSL Communication for JBoss
Starting from 12.7, the JBoss application server is installed with SSL support. You can modify the JBoss SSL communication settings.
Note: For more information about how to configure SSL for JBoss, refer to the JBoss product documentation.
Example: Modify JBoss for SSL Communication on Windows
This example shows you how to configure the JBoss application server to use SSL for secure communication.
Important! This procedure describes how to configure JBoss to use SSL for secure communication using JBoss version 4.2.3 and JDK version 1.5.0.
Follow these steps:
1. Stop JBoss if it is running.
2. Open a command-prompt window and navigate to the following directory:
JBoss_HOME\server\default\deploy\IdentityMinder.ear\custom\ppm\truststore
3. Enter the following command to change the default ssl.keystore password:
keytool -storepasswd -new <password> -keystore ssl.keystore -storepass secret
-storepasswd
Specifies to change the keystore password. The password must be at least six (6) characters long.
-new
Defines the new keystore password.
-keystore
Specifies the keystore name.
-storepass
Defines the current password that protects the keystore.
4. Enter the following command to create a key for the Enterprise Management Server:
keytool -genkey -alias entm -keystore ssl.keystore -keyalg RSA
-genkey
Specifies that the command generates a key pair (public and private keys).
-alias
Defines the alias to add an entry to the keystore.
-keyalg
Specifies the algorithm to generate the key pair. The keytool utility starts.
5. Enter the password secret.
6. Complete the prompts as required and press enter to verify the parameters that you entered.
The certificate is added to the keystore.
Note: The keystore and key alias must use identical passwords.
7. Enter the following command to encrypt the keystore password to a file:
java -cp C:/jboss-4.2.3.GA/server/default/lib/jbosssx.jar