SiteMInder Policy Server : Policy Stores Failover with CA Directory over SSL
search cancel

SiteMInder Policy Server : Policy Stores Failover with CA Directory over SSL


Article ID: 32148


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER


How can be configured 2 Policy Stores on CA Directory in failover and SSL?





Mainly, this setting has 3 steps:

1. Set replication among the Policy Stores (1);
2. Set up Failover among the Policy Stores in the Policy Server configuration without SSL (2);
3. Set up SSL communication between Policy Server and Policy Stores:

  1. On all CA Directory host part of this Policy Server DSAs doing MW replication, backup existing DXHOME/config/ssld folder;
  2. Pick one server and at the system prompt run “dxcertgen certs” to generate self-signed certificates;
  3. Note:
    "dxcertgen certs" used as is, defaults to ONE-year certificate validity. If extended validity is needed, use (number of days) switch. E.g. if 10 years validity is required, the command would be "dxcertgen –d 3650 certs".
  4. Next is to copy this entire DXHOME/config/ssld folder from this server where self-signed certs are generated to *all other* CA Directory hosts that are part of this Provisioning setup which is configured for MW replication;
  5. Next is to restart *ALL* Policy Store DSAs on *ALL* hosts so the new certs can be read in;

Then copy CA root cert and server certs to Policy Server machine; 

Policy Server configuration:

  1. Use certutil in the Policy Server bin directory to create the Certificate Database Files (3):

    Example: certutil -N -d C:\certdatabase

    -N (Creates the cert8.db, key3.db, and secmod.db certificate database files)
    -d (Specifies the directory in which the certutil tool is to create the certificate database files.)

  2. Add the Root CA and the server certificates to the Certificate database:

    <SiteMInder Home>\siteminder\bin>certutil -A -n "MyRootCA" -t "P,," -i <Path of certificate>\trusted.pem -d "<SiteMinder Home>SiteMinder\bin"
    <SiteMInder Home>\siteminder\bin>certutil -A -n "My Client01 Certificate" -t "P,," -i "<Path of certificate>example.pem" -d "<SiteMInder Home>\SiteMinder\bin"
    <SiteMInder Home>\siteminder\bin>certutil -A -n "My Client02 Certificate" -t "P,," -i "<Path of certificate>example.pem" -d "<SiteMInder Home>\SiteMinder\bin"
    After running the above command, locate the cert8.db file in "siteminder\bin" folder. To test the Policy Store connectivity through the "smconsole", in the data tab give the above location of cert8.db and check the SSL tab and give the SSL port number and verify the connection;


    - (which holds the root CA certificate);
    - server01.pem (client certificate for example01 DSA);
    - server02.pem (client certificate for example02 DSA);
    - The above certificates were copied to the following path on the Policy Server:
    - Example to C:\certdatabase
    - trusted.pem was copied from the following location on one of the policy store DSAs: \dxserver\config\ssld;
    - example01.pem and example01.pem were copied from the following location on one of the policy store DSAs: Directory\dxserver\config\ssld\personalities;
  3. Restart the Policy Server and in the management console, try to reconnect to the Policy Stores by checking the SSL option;
  4. Finally, use the following command to check cert validity by running at the system prompt:
  • dxcertgen report
  • The above will list out information on all (trusted root CA and personalities) certificates.

Additional Information