How to configure CA LDAP Server R15 for z/OS (RACF) as User Store with SiteMinder Policy Server R12 SP3.
Article ID: 50621
Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
This document describes the settings that need to be done in order to configure CA LDAP Server R15 for z/OS (RACF) as User Store with SiteMinder Policy Server R12 SP3.
Policy Server Registry Changes
The CA LDAP Server R15 for z/OS (RACF) uses a different set of object classes from other LDAP servers. Before configuring a user directory connection for this server, the following Policy Server registry entries need to be modified. The entries and their updated values are listed below:
Add eTRACUserid and eTRACAdminGrp to this registry entry:
Name           Type       Data
eTRACUserid    REG_DWORD  0x00000001 (1)
eTRACAdminGrp  REG_DWORD  0x00000002 (2)
There is another registry entry, specific to UNIX platforms, which needs to be added under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug:
LDAPPingTimeout= 300; REG_DWORD
The value of this registry key can be adjusted according to the response time of the CA LDAP Server R15 for z/OS (RACF).
Configure Directory Connection
To configure a CA LDAP Server R15 for z/OS (RACF) directory connection:
Open the User Directory Dialog.
In the Directory Setup tab, select LDAP from the namespace dropdown list.
In the Directory Setup tab, enter connection information for your LDAP directory as described in "User Directory Dialog - LDAP Namespace Directory Setup Tab" in the CA eTrust SiteMinder Policy Design Reference Guide.
Failover is not supported for this server.
In the LDAP Search box, in the Max Time field, specify a value of 300 seconds. A larger timeout value is needed because the Policy Server is known to take longer to retrieve results from the CA LDAP Server R15 for z/OS (RACF).
In the Credentials and Connection tab, specify administrator credentials that the Policy Server will use to connect to the CA LDAP Server R15 for z/OS (RACF). Specifying administrator credentials is mandatory as anonymous binds to the user store are not allowed with CA LDAP Server R15 for z/OS (RACF).
Unsupported features
Password services are not supported with this server.
Anonymous binds to the CA LDAP Server R15 for z/OS (RACF) are not allowed. Therefore, in the "Credentials and Connection" tab of the User Directory Dialog, make sure to provide the administrator credentials.
The following characters are not valid in a logon ID for CA LDAP Server R15 for z/OS (RACF):
'(', ')', ',', the single quote ('), '\' and the space character.
Adding a user group to a policy and then trying to authorize a user who is a member of that group does not work.
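The logon ID restriction above is worth enforcing before a user name ever reaches an LDAP search, and any value that does reach a filter should be escaped so that it cannot alter the filter's structure. The following Python is an added example and is not code from the CA article or from the SiteMinder product: it rejects logon IDs containing the characters the article lists as invalid, then builds an RFC 4515-escaped search filter for the user lookup. The object class eTRACUserid comes from the article's registry table; the attribute name holding the logon ID (racfid) is an assumption used as a placeholder and must be replaced with the attribute from the real server schema. The candidate IDs in the usage section are constructed.

```python
"""Added example (not from the CA article): validate a logon ID against the
characters the article lists as invalid for CA LDAP Server R15 for z/OS (RACF),
then build an RFC 4515-escaped LDAP search filter for the user lookup."""

# Characters the article lists as invalid in a RACF logon ID:
# '(', ')', ',', single quote, backslash and space.
INVALID_LOGON_ID_CHARS = frozenset("(),'\\ ")

# Object class named in the article's registry table.
USER_OBJECT_CLASS = "eTRACUserid"

# ASSUMPTION: placeholder attribute holding the logon ID; take the real
# attribute name from the schema of the actual CA LDAP Server.
LOGON_ID_ATTR = "racfid"


def invalid_chars_in_logon_id(logon_id: str) -> set:
    """Return the set of disallowed characters present in logon_id."""
    return {c for c in logon_id if c in INVALID_LOGON_ID_CHARS}


def is_valid_logon_id(logon_id: str) -> bool:
    """True when the logon ID is non-empty and contains no disallowed character."""
    return bool(logon_id) and not invalid_chars_in_logon_id(logon_id)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so a value
    supplied by a user cannot change the structure of the filter or turn
    an equality match into a wildcard match."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(logon_id: str, id_attr: str = LOGON_ID_ATTR) -> str:
    """Build the search filter for one user.

    IDs containing characters the RACF server does not accept are rejected
    up front; the value is escaped regardless, so characters the server does
    allow (such as '*') still cannot act as filter metacharacters."""
    bad = invalid_chars_in_logon_id(logon_id)
    if bad:
        raise ValueError(
            "logon ID contains characters invalid for RACF: %r" % sorted(bad))
    return "(&(objectClass=%s)(%s=%s))" % (
        USER_OBJECT_CLASS, id_attr, escape_filter_value(logon_id))


if __name__ == "__main__":
    # Constructed sample IDs: one valid, two with invalid characters,
    # one that RACF accepts but that would be a wildcard if left unescaped.
    for candidate in ["JSMITH", "J SMITH", "J(SMITH)", "ADMIN*"]:
        try:
            print(candidate, "->", build_user_filter(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Running the block shows "JSMITH" producing a plain equality filter, "J SMITH" and "J(SMITH)" being rejected before any directory call, and "ADMIN*" passing the RACF character check but being escaped to ADMIN\2a so that it matches only that literal value rather than every ID beginning with ADMIN.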