How to Configure DSA Replication for Symantec SiteMinder Policy Store Using Symantec Directory in UNIX/Linux

Article By: Tiffany Kongpachith

Symantec Directory is a proven next-generation virtual directory server that provides a standards-based distribution model, replication model, and overall higher performance. Multiwrite-DISP replication is the recommended method of replication with Symantec Directory because it combines the efficiency of multiwrite when DSAs are online, with the strength of DISP to allow the DSAs to recover after being offline. Symantec Directory is used to support the Symantec SiteMinder Policy Store as a directory service for storing policy objects, SiteMinder objects, and Identity Management Suite objects.

Prerequisites

  • Assumption that Symantec Directory is fully installed on the server.
  • Assumption that DSA has been configured to support the SiteMinder Policy Store.
  • Assumption that the Policy Store DSA schema has been configured.
  • Assumption that there are multiple DSAs / Policy Stores to be configured for replication.
  • The user knows based on their implementation where the $DXHOME directory is located.
  • The user knows based on their implementation where the $PSHOME or $siteminder_home/ directory is located.
  • The user has access to a secure file transfer client or secure file transfer method.

Step 1 – Configure the Policy Store Schema for Replication

1. Log in to the server containing the SiteMinder Policy Store with the associated Symantec Directory service account for the environment.

2. Upon login with the service account, the user should be logged in under the $DXHOME directory.

3. First, verify the Policy Store DSA status by executing the command:
dxserver status [dsaname]
Result – (output shown as a screenshot in the original article)

4. Stop ALL the Policy Stores associated with replication by executing the command:
dxserver stop [dsaname]
Result – (output shown as a screenshot in the original article)

5. Navigate to the $DXHOME/config/knowledge directory.

6. Locate and edit the Policy Store knowledge file by executing the command:
vi [dsaname].dxc

For example: smpolicystore.dxc

7. Locate the sections for dsa-flags and trust-flags in the file and make the following changes:

8. Save the Policy Store knowledge file.

Step 2 – Copy and Transfer the Policy Store Knowledge Files To Failover Policy Stores

1. Copy each Policy Store knowledge (.dxc) file to each server hosting the Policy Store DSAs required for replication.

For example:

If logged in to the primary server hosting the Policy Store, locate the knowledge file: it needs to be copied to the secondary Policy Store.

If logged in to the secondary server hosting the Policy Store, locate the knowledge file: it needs to be copied to the primary Policy Store.

Each Policy Store should contain BOTH knowledge files in the directory $DXHOME/config/knowledge.

Step 3 – Create a Group Knowledge File for the Policy Store Knowledge Files for Sourcing

1. Once both Policy Store knowledge files are present on each server, create a knowledge group file (.dxg).

For example:

The group knowledge file could be named “policystores.dxg”

2. In the group knowledge file, add the following contents to source both Policy Store knowledge files:

For example:
source "smpolicystore1.dxc";
source "smpolicystore2.dxc";

3. Save the group knowledge file.

4. Navigate to the $DXHOME/servers directory.

5. Edit the Policy Store’s server file (.dxi) to source the new knowledge group file and to include the multi-write directive. Execute the following command to edit it:
vi [dsaname].dxi

For example: smpolicystore1.dxi

6. Locate the #knowledge section in the Policy Store’s server file (.dxi) and add the following changes:

7. Locate the #multiwrite DISP recovery section in the Policy Store’s server file (.dxi) and change the following from false to “true”:

8. Save the Policy Store’s server (.dxi) file.

9. On all Policy Servers affected by replication, navigate to the $PSHOME or $siteminder_home/ directory.

10. Stop ALL Policy Servers by executing the following command:
./stop-all

Result – (output shown as a screenshot in the original article)

Step 4 – Create a Backup Directory for the Policy Store Data Files

1. Open a new SSH session as the service account for Symantec Directory on the other Policy Stores for high availability.

2. Navigate to the $DXHOME directory.

3. While under the $DXHOME directory, make a backup directory to store the ORIGINAL Policy Store/DSA data files with the following command:
mkdir backup

4. Navigate back to the $DXHOME/data directory.

5. Make the data files executable and move the original Policy Store data files (.db) and (.tx) to the backup directory by executing the commands:

chmod 775 [dsaname].db
chmod 775 [dsaname].tx
mv [dsaname].db ../backup
mv [dsaname].tx ../backup

For example:

chmod 775 smpolicystore1.db
chmod 775 smpolicystore1.tx
mv smpolicystore1.db ../backup
mv smpolicystore1.tx ../backup

6. On the “primary” Policy Store, secure file transfer or copy the “primary” Policy Store’s data files (.db) and (.tx) to each server hosting a Policy Store required for replication.

For example:

On the “primary” Policy Store Server 1 (“smpolicystore1”):

  1. Go to the $DXHOME/data directory.
  2. List the contents of the directory with the “ls” command.
  3. Secure file transfer the primary files, [dsaname]1.db and [dsaname]1.tx, to the $DXHOME/data directory on the “secondary” Policy Store Server 2 (“smpolicystore2”) with the “scp” command (or the “cp” command).

7. Rename the transferred “primary” Policy Store data files to the name of the Policy Store on this server. Execute the commands:

mv [primary_dsaname].db [dsaname].db
mv [primary_dsaname].tx [dsaname].tx

For example:

On Policy Store Server 2, where the Policy Store 1 data files have been copied over, rename the files so that the primary’s data files become the current Policy Store (on Policy Store Server 2) data files:
mv smpolicystore1.db smpolicystore2.db
mv smpolicystore1.tx smpolicystore2.tx

Note: Policy Store 1’s data files are applied as Policy Store 2’s data files so that the stores match for replication; the original Policy Store 2 data files were moved to the backup directory earlier.
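As an added example that is not part of the original article, the following POSIX shell helpers carry out Step 3 (building the group knowledge file from the .dxc files) and Step 4 (backing up a secondary Policy Store’s data files and installing the primary’s copies under the secondary’s name). They assume the layout used in this article ($DXHOME/config/knowledge and $DXHOME/data) and that the DSAs have already been stopped; the function names and the pre-checks are my own, not part of Symantec Directory.

```shell
# Added example, not from the original article: shell helpers for Step 3
# (the knowledge group file) and Step 4 (seeding a secondary Policy Store).
# Assumptions: $DXHOME is the Symantec Directory home, knowledge files live in
# $DXHOME/config/knowledge, data files in $DXHOME/data as <dsaname>.db and
# <dsaname>.tx, and every DSA involved is already stopped (dxserver stop);
# these functions only move files and never start or stop a DSA.

# make_knowledge_group <dxhome> <groupname> <dsaname>...
# Writes <groupname>.dxg with one source line per DSA. Refuses if any .dxc is
# missing locally, since Step 2 requires every server to hold every store's
# knowledge file before the group file is sourced.
make_knowledge_group() {
    kdir="$1/config/knowledge"; group="$2"; shift 2
    for dsa in "$@"; do
        [ -f "$kdir/$dsa.dxc" ] || { echo "missing $kdir/$dsa.dxc" >&2; return 1; }
    done
    : > "$kdir/$group.dxg"
    for dsa in "$@"; do
        printf 'source "%s.dxc";\n' "$dsa" >> "$kdir/$group.dxg"
    done
}

# seed_secondary_from_primary <dxhome> <primary_dsa> <secondary_dsa>
# Expects the primary's .db/.tx to be in <dxhome>/data already (scp'd there).
# Moves the secondary's own .db/.tx to <dxhome>/backup so they can be restored,
# then renames the primary's files to the secondary's name (the Step 4 mv).
# All checks run before any file moves, so a failure leaves nothing half-done.
seed_secondary_from_primary() {
    data="$1/data"; backup="$1/backup"; primary="$2"; secondary="$3"
    for ext in db tx; do
        [ -f "$data/$primary.$ext" ] || { echo "missing $data/$primary.$ext" >&2; return 1; }
        if [ -e "$backup/$secondary.$ext" ]; then
            echo "refusing to overwrite $backup/$secondary.$ext" >&2; return 1
        fi
    done
    mkdir -p "$backup"
    for ext in db tx; do
        if [ -f "$data/$secondary.$ext" ]; then
            mv "$data/$secondary.$ext" "$backup/$secondary.$ext"
        fi
        mv "$data/$primary.$ext" "$data/$secondary.$ext"
    done
}
```

Run both functions on the secondary server after the scp in Step 4.6; the backup directory is never overwritten, so a second run stops rather than destroying the original files.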

Step 5 – Start the SiteMinder Policy Stores and Policy Servers

1. Start ALL the DSAs/Policy Stores by executing the following command:
dxserver start [dsaname]

For example:
dxserver start smpolicystore1

Result – (output shown as a screenshot in the original article)

2. Validate the Policy Stores were started by executing the command:
dxserver status

Result – (output shown as a screenshot in the original article)

3. Change directory to the $PSHOME or $siteminder_home/ directory.

4. From the $PSHOME or $siteminder_home/ directory, execute the following command to start the Policy Server:
./start-all

Result – (output shown as a screenshot in the original article)

Step 6 – Configure Agent Key Generation in the SiteMinder Policy Server Management Console

1. Once Policy Store replication is set up, log in to the SiteMinder Policy Servers that are NOT the primary Policy Servers for the environment (secondary, third, etc.).

2. Change directory to the $PSHOME or $siteminder_home/ directory.

3. Navigate to the $siteminder_home/bin directory.

4. Open the SiteMinder Policy Server Management Console by executing the command:
./smconsole

Note: X11 forwarding must be set up and enabled on the server first for the SiteMinder Policy Server Management Console to appear.

Result – (screenshot of the console shown in the original article)

5. Navigate to the Keys tab.

6. Locate the Enable Agent Key Generation checkbox and clear it to disable agent key generation.

Note: Every Policy Server other than the primary Policy Store server handling the replication needs Agent Key Generation disabled, so that the Policy Servers do not generate duplicate Agent Keys while the Policy Stores are replicating.

7. Exit the Policy Server Management Console by clicking Apply then click OK to save and apply changes.

Summary of Configuring DSA Replication With Symantec Directory

Setting up replication for the SiteMinder Policy Store with Symantec Directory provides real-time updates through multiwrite and recovery through DISP. Multiwrite replication and DISP propagate updates to the other DSAs (Policy Stores), and are fast and secure for small differences, so any change made on one Policy Store is carried over to the next Policy Store for consistency.

Looking for additional help with the configuration of DSA replication with Symantec Directory? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Directory services. Take your interoperability to the next level, and contact an ISX consultant today.
