Professional Documents
Culture Documents
18
CA Directory
Date: 04-May-2016
CA Directory - 12.0.18
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the Documentation) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright 2016 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
04-May-2016 3/923
Table of Contents
CA Directory 4
Cannot Create a Datastore Larger Than 1GB on AIX ................................................................ 45
Known Issues On Windows Only ........................................................................................................ 46
Cannot Install on a Network Drive .............................................................................................. 46
DXtools Do Not Support Files Larger Than 4GB on Windows 32Bit .......................................... 46
Upgrades on Windows May Impact Other CA Products ............................................................ 46
Adding a Host Address on Windows Server 2008 ..................................................................... 46
Published Fixes ......................................................................................................................................... 46
New and Changed Features in CA Directory 12.0.18 ............................................................................... 47
Support for CA Directory Installation with Debian Packages .............................................................. 47
Support for CA Directory Installation with RPM Packages .................................................................. 47
Log Rollover Based on Maximum Lines .............................................................................................. 47
Force Start Inconsistent DSA .............................................................................................................. 47
SSL Protocol Settings ......................................................................................................................... 48
Packet Corruption ............................................................................................................................... 48
Certifications ........................................................................................................................................ 48
CA Directory 5
Install CA Directory on UNIX with Commands ........................................................................... 70
Use Response File For Silent Installation .................................................................................. 72
Create a DSA Datastore and Populate It from an LDIF File ...................................................... 73
Allow CA Directory To Use Ports 1-1024 ................................................................................... 75
Install CA Directory on Linux Using Debian Packages .............................................................. 75
Install CA Directory on Linux Using RPM Packages .................................................................. 76
Upgrading DXmanager ........................................................................................................................ 77
Run dxagent Manually After Installing CA Directory ........................................................................... 78
Uninstalling ................................................................................................................................................ 79
Uninstall Directory Packages on Windows .......................................................................................... 79
Uninstall Directory Packages Using the Script dxuninst.sh on UNIX .................................................. 80
dxuninst Command .................................................................................................................... 80
Troubleshooting ......................................................................................................................................... 81
Troubleshooting on all platforms ......................................................................................................... 81
Problem Resolving Hostname When Installing CA Directory ..................................................... 81
Troubleshooting on UNIX .................................................................................................................... 81
DXadmind Times Out after Upgrading ....................................................................................... 82
Troubleshooting on Windows .............................................................................................................. 83
Install Failed with 'Error starting 'dxadmind'' .............................................................................. 83
Cannot Connect to CA Directory from Remote Computer ......................................................... 84
Diagnose a CA Directory Startup Problem ................................................................................. 85
Administrating ............................................................................................ 86
How CA Directory Works ........................................................................................................................... 86
DSAs ................................................................................................................................................... 86
Types of DSA ............................................................................................................................. 86
Example How a Query to an LDAP Server Works ..................................................................... 87
How to Create a Data DSA ........................................................................................................ 87
Configuration ....................................................................................................................................... 89
DSA Configuration Files ............................................................................................................. 90
How a DSA Uses Its Initialization File ........................................................................................ 91
DSA Knowledge ......................................................................................................................... 91
Schema Files ............................................................................................................................. 92
Script Files ................................................................................................................................. 92
Group Files ................................................................................................................................. 93
View the Configuration ............................................................................................................... 93
IP Requirements .................................................................................................................................. 94
Configuring Alternative Network Addresses ............................................................................... 94
Tools to Manage CA Directory .................................................................................................................. 95
DXmanager ......................................................................................................................................... 95
DSA Console ....................................................................................................................................... 96
CA Directory 6
How the DSA Console Works .................................................................................................... 96
Connect to a Local DSA Console ............................................................................................... 97
Connect to a Remote DSA Console ........................................................................................... 97
Configure a DSA Console Using DXmanager ............................................................................ 98
Specify Which Users Can Connect to a DSA Console .............................................................. 99
Secure the DSA Console with TLSclient .................................................................................. 100
JXweb ............................................................................................................................................... 102
Start JXweb .............................................................................................................................. 102
Connect to a DSA with JXweb ................................................................................................. 103
DXtools .............................................................................................................................................. 104
How to Use the DXtools ........................................................................................................... 104
Lists of DXtools by Function ..................................................................................................... 104
Exit Status Codes for the DXtools ............................................................................................ 105
csv2ldif Tool -- Create an LDIF File from a CSV File ............................................................... 106
DXcertgen Tool -- Generate and Work with Certificates .......................................................... 107
DXdelete Tool -- Delete Directory Entries ................................................................................ 112
DXdisp Tool -- Set the Update Time for Multiwrite-DISP Replications ..................................... 115
DXdumpdb Tool -- Export Data from a Datastore to an LDIF File ........................................... 115
DXemptydb Tool -- Delete All Data from a Datastore .............................................................. 117
DXextenddb Tool -- Increase the Size of a Datastore ............................................................. 117
DXinfo Tool -- Collect System Information ............................................................................... 117
DXloaddb Tool -- Load a Datastore from an LDIF File ............................................................ 120
DXmodify Tool -- Add New or Changed Information to a Directory ......................................... 122
DXnewdb Tool -- Create a New Datastore ............................................................................... 126
DXnewdsa Tool -- Create a New DSA ..................................................................................... 126
DXpassword Tool -- Hash a Password .................................................................................... 128
DXrename Tool -- Change the Name of a Directory Entry ...................................................... 129
DXschemaldif Tool -- Extract the Schema from an LDAP Directory ........................................ 132
DXsearch Tool -- Search a Directory ....................................................................................... 133
DXsnmp Sample Tool -- Monitor DSAs .................................................................................... 138
DXsyntax Tool -- Check the Configuration of DSAs ................................................................. 138
DXtrap Sample Tool -- Receive SNMP Traps .......................................................................... 139
ldif2dxc Tool -- Convert Schema from LDIF to CA Directory Format ....................................... 140
ldifdelta Tool -- Calculate the Difference Between LDIF Files .................................................. 142
ldifsort Tool -- Sort LDIF Records ............................................................................................ 145
Logs .................................................................................................................................................. 148
Traces ............................................................................................................................................... 148
Alarms ............................................................................................................................................... 148
Set Up Schemas ..................................................................................................................................... 149
Schemas ........................................................................................................................................... 149
Defining Schemas .................................................................................................................... 149
Display a Schema .................................................................................................................... 151
CA Directory 7
Commands for Working with Schema ...................................................................................... 151
Changing the Schema for Attributes in Use ............................................................................. 152
Attributes ........................................................................................................................................... 154
Attribute Names ....................................................................................................................... 154
Single Valued Attributes ........................................................................................................... 155
Attribute Syntaxes .................................................................................................................... 155
Attribute Checking .................................................................................................................... 156
How CA Directory Stores and Returns Attribute Values .......................................................... 156
Syntax Aliases for Unsupported Attribute Syntax .................................................................... 156
Attribute Sets ............................................................................................................................ 156
Object Classes and Object Class Identifiers ..................................................................................... 157
Object Class Kind ..................................................................................................................... 157
Object Class Checking ............................................................................................................. 158
Object Class Storage ............................................................................................................... 158
Check Structural Object Classes ............................................................................................. 160
Name Bindings .................................................................................................................................. 160
Name Binding Checks .............................................................................................................. 161
Name Bindings and Structural Object Classes ........................................................................ 161
Name Bindings and Aliases ..................................................................................................... 161
Considerations for Schemas That Do Not Support Name Binding .......................................... 162
Set Up Replication ................................................................................................................................... 162
Benefits of Replication ...................................................................................................................... 162
Distribution and Replication Are Different ......................................................................................... 162
Types of Replication Supported on CA Directory .............................................................................. 162
Multiwrite Replication ........................................................................................................................ 163
How Multiwrite Replication Works ............................................................................................ 163
Enable Multiwrite Replication ................................................................................................... 169
Prevent Multiwrite Queues Being Lost When the DSA Stops .................................................. 171
Change the Maximum Queue Size .......................................................................................... 172
Limit the Size of Queues Between Groups .............................................................................. 172
Set the Retry Interval ............................................................................................................... 172
Prevent Network Flooding ........................................................................................................ 173
Send an SNMP Trap When a Replicated Update Is Refused .................................................. 173
Configure Multiwrite Recovery ................................................................................................. 173
DISP Replication ............................................................................................................................... 176
Features of DISP Replication ................................................................................................... 177
Shared DISP Configuration ...................................................................................................... 177
DISP Agreements .................................................................................................................... 177
Set a DSA to Use DISP Replication ......................................................................................... 178
Example DISP Replication ....................................................................................................... 178
DISP Routing ........................................................................................................................... 179
Manually Perform a DISP Update of DISP ............................................................................... 179
CA Directory 8
Selective Shadowing ................................................................................................................ 179
Multiwrite Replication with DISP Recovery (Multiwrite-DISP) ........................................................... 180
How Recovery Works in Multiwrite-DISP ................................................................................. 181
Benefits of DISP Recovery in Multiwrite-DISP ......................................................................... 181
Enable Multiwrite-DISP ............................................................................................................ 182
Granularity of DISP Reconciliation ........................................................................................... 182
Add a DSA to a Multiwrite-DISP System .................................................................................. 182
Transaction Log and Data Recovery ........................................................................................ 183
Example: Set up Multiwrite-DISP Replication between DSAs ................................................. 185
Multiwrite Groups Hubs ..................................................................................................................... 190
Replication and Recovery Topology ........................................................................................ 190
Configuring a DSA as Hub using DXmanager ......................................................................... 191
Replication Performance Tuning .............................................................................................. 191
Sample Topology and Disaster Recovery ................................................................................ 192
Prerequisites for Successful Replication ........................................................................................... 197
Set Up Distribution and Routing .............................................................................................................. 198
How Distribution Works ..................................................................................................................... 198
Example A Distributed Directory .............................................................................................. 198
Distribution Features ................................................................................................................ 199
How Multi-Chaining Searches Work ........................................................................................ 199
Example A Distributed Directory .............................................................................................. 200
Distribution Features ................................................................................................................ 200
How Multi-Chaining Searches Work ........................................................................................ 201
How Routing or Chaining Works ....................................................................................................... 201
Example Routing an Update Request ...................................................................................... 202
Impact of Operational Limits on Distribution ............................................................................ 202
Remote Operations .................................................................................................................. 203
Caching Entries from Subordinate DSAs ................................................................................. 203
Transparent Routing ................................................................................................................ 204
Example Routing an Update Request ...................................................................................... 204
Impact of Operational Limits on Distribution ............................................................................ 205
Remote Operations .................................................................................................................. 206
Caching Entries from Subordinate DSAs ................................................................................. 206
Transparent Routing ................................................................................................................ 207
DSAs with the Same Prefix ............................................................................................................... 207
Load Sharing ............................................................................................................................ 208
Failover and Failback ............................................................................................................... 209
Load Sharing ............................................................................................................................ 214
Failover and Failback ............................................................................................................... 215
Security in Distribution ...................................................................................................................... 220
Remote Bindings ...................................................................................................................... 220
Mutual Authentication ............................................................................................................... 220
CA Directory 9
Trusting Distributed DSA Triggered Operations ....................................................................... 221
Connect to Other LDAP Servers ....................................................................................................... 221
LDAP Integration with CA Directory ......................................................................................... 222
Connect to an LDAP Server ..................................................................................................... 222
User Credentials on DXlink Binds ............................................................................................ 222
Prefix Mapping ......................................................................................................................... 224
LDAP Integration with CA Directory ......................................................................................... 225
Connect to an LDAP Server ..................................................................................................... 226
User Credentials on DXlink Binds ............................................................................................ 226
Prefix Mapping ......................................................................................................................... 228
Horizontal Partitioning ....................................................................................................................... 229
Limitations in Horizontal Partitioning ........................................................................................ 230
Specify Horizontal Partitioning ................................................................................................. 230
Loading Horizontally Partitioned Data ...................................................................................... 231
Limitations in Horizontal Partitioning ........................................................................................ 231
Specify Horizontal Partitioning ................................................................................................. 232
Loading Horizontally Partitioned Data ...................................................................................... 232
Set Up Authentication .............................................................................................................................. 233
Authentication Levels ........................................................................................................................ 233
Anonymous Authentication ...................................................................................................... 233
Clear-Password Authentication ................................................................................................ 233
SSL Authentication ................................................................................................................... 234
Anonymous Authentication ...................................................................................................... 236
Clear-Password Authentication ................................................................................................ 236
SSL Authentication ................................................................................................................... 237
Configure Distributed User Authentication ........................................................................................ 238
Bind Requests in a Distributed Environment ..................................................................................... 239
Example Forward a Password Check to Another DSA ............................................................ 239
Change the Allow check password Setting .............................................................................. 240
Example Forward a Password Check to Another DSA ............................................................ 241
Change the Allow check password Setting .............................................................................. 242
How User Authentication Is Conveyed between DSAs ..................................................................... 242
How the Authentication Link Is Conveyed between DSAs ................................................................ 243
Upgrade the Link Type ............................................................................................................. 244
Downgrade the Link Type ........................................................................................................ 245
Upgrade the Link Type ............................................................................................................. 245
Downgrade the Link Type ........................................................................................................ 246
DSP Authentication ........................................................................................................................... 246
DSP Simple Authentication ...................................................................................................... 247
DSP SSL Authentication .......................................................................................................... 247
DSP Simple Authentication ...................................................................................................... 248
DSP SSL Authentication .......................................................................................................... 248
CA Directory 10
Password Storage ............................................................................................................................. 249
Activate Secure Proxy ....................................................................................................................... 250
Set Up Access Controls .......................................................................................................................... 250
How Access Controls Work ............................................................................................................... 250
Access Control Policies ..................................................................................................................... 251
Access Control Rules ........................................................................................................................ 251
Rule Configuration ................................................................................................................... 251
Where Access Control Rules Should Be Stored ...................................................................... 251
Limitations on Using Access Control Rules ............................................................................. 252
Rule Configuration ................................................................................................................... 252
Where Access Control Rules Should Be Stored ...................................................................... 252
Limitations on Using Access Control Rules ............................................................................. 252
Access Levels ................................................................................................................................... 252
Example Access Levels with Multiple Rules ............................................................................ 253
Example Access Levels with Multiple Rules and Specific Permissions on Protected Items .... 254
Super User Access .................................................................................................................. 254
Administrative User Access ..................................................................................................... 255
Protected Items ........................................................................................................................ 255
Registered Users ..................................................................................................................... 256
Public Users ............................................................................................................................. 256
Example Access Levels with Multiple Rules ............................................................................ 256
Example Access Levels with Multiple Rules and Specific Permissions on Protected Items .... 257
Super User Access .................................................................................................................. 258
Administrative User Access ..................................................................................................... 258
Protected Items ........................................................................................................................ 258
Registered Users ..................................................................................................................... 259
Public Users ............................................................................................................................. 260
Example Access Control Policy ........................................................................................................ 260
Set Up the Example Access Control Policy ............................................................................. 260
Set Up the Example Access Control Policy ............................................................................. 262
How Role-Based Access Controls Work ........................................................................................... 263
Role-Based Access Controls in a Router System .................................................................... 264
Assign a Role to an Access Control Rule ................................................................................ 264
Example Configure Role-Based Access Control in a Router DSA ........................................... 264
Role-Based Access Controls in a Router System .................................................................... 265
Assign a Role to an Access Control Rule ................................................................................ 265
Example Configure Role-Based Access Control in a Router DSA ........................................... 266
How Secure Proxies Work with Access Controls .............................................................................. 267
Configure Access Controls ................................................................................................................ 267
Enable Access Controls ........................................................................................................... 268
Disable Access Controls .......................................................................................................... 268
Create Access Control Rules ................................................................................................... 268
CA Directory 11
Set Up Role-Based Access Controls in a Router DSA ............................................................ 269
Display Access Controls .......................................................................................................... 269
Clear Access Controls .............................................................................................................. 269
Check Whether Access Controls Are Enabled ......................................................................... 269
Enable Access Controls ........................................................................................................... 270
Disable Access Controls .......................................................................................................... 270
Create Access Control Rules ................................................................................................... 270
Set Up Role-Based Access Controls in a Router DSA ............................................................ 271
Display Access Controls .......................................................................................................... 271
Clear Access Controls .............................................................................................................. 271
Check Whether Access Controls Are Enabled ......................................................................... 271
Set Up Encryption ................................................................................................................................... 272
SSL ................................................................................................................................................... 272
SSL Transactions ..................................................................................................................... 272
How an SSL Encryption Connection Is Established ................................................................. 272
When to Use SSL Encryption ................................................................................................... 273
SSL Transactions ..................................................................................................................... 273
How an SSL Encryption Connection Is Established ................................................................. 273
When to Use SSL Encryption ................................................................................................... 274
Certificates and Keys ........................................................................................................................ 275
SSL Processing ................................................................................................................................. 275
How DXserver Uses Certificates .............................................................................................. 275
How DXserver Uses Certificates .............................................................................................. 276
DSA Certificates ................................................................................................................................ 276
How to Create a DSA Certificate .............................................................................................. 276
How to Store DSA Keys in an HSM ......................................................................................... 277
How to Create a DSA Certificate .............................................................................................. 277
How to Store DSA Keys in an HSM ......................................................................................... 278
About the DXcertgen Tool ................................................................................................................. 278
How DXcertgen Creates Certificates When There Is No Keystore .......................................... 279
How DXcertgen Creates Certificates When There Is a Keystore ............................................. 279
Enable DXcertgen to Use a Keystore ...................................................................................... 279
Specify a Keystore for DXcertgen ............................................................................................ 280
Report on Certificates .............................................................................................................. 280
Use DXcertgen to Request and Use a Third-party Certificate for a DSA Certificate ................ 281
Delete a CA Certificate ............................................................................................................. 281
How to Encrypt Communication between CA Directory Components .............................................. 282
How to Encrypt Communication to DSAs ................................................................................. 283
How to Encrypt Communications Between Your Browser and DXmanager or JXweb ............ 285
How to Encrypt Communications between JXweb and the Directory ...................................... 286
How to Encrypt Communication to DSAs ................................................................................. 286
How to Encrypt Communications Between Your Browser and DXmanager or JXweb ............ 288
CA Directory 12
How to Encrypt Communications between JXweb and the Directory ...................................... 289
Configure a DSA to Use SSL ............................................................................................................ 289
Configure the DXtools to Use SSL .................................................................................................... 292
Set Up Views ........................................................................................................................................... 292
About Views ...................................................................................................................................... 292
Example A View Used by a Pay TV Company ......................................................................... 293
Compare Views to Stored Procedures in a Database .............................................................. 294
Limitations of Views ................................................................................................................. 294
Ways to Use Views ........................................................................................................................... 295
Using Views for Data Normalization (Class of Service) ........................................................... 295
Using Views for User Preferences ........................................................................................... 295
Using Views to Restrict Access ................................................................................................ 296
Using Views to Overlay Another Directory ............................................................................... 296
How Views Work ............................................................................................................................... 296
Example Cell Phone Service Provider ..................................................................................... 296
How the DSA Processes Phases in a View ............................................................................. 298
How the DSA Compares Parameters in Views ........................................................................ 298
How a Phase Uses Multiple Results from an Earlier Phase .................................................... 299
How the EIS Works .................................................................................................................. 299
How the DSA Processes Phases in a View ............................................................................. 300
How the DSA Compares Parameters in Views ........................................................................ 300
How a Phase Uses Multiple Results from an Earlier Phase .................................................... 301
How the EIS Works .................................................................................................................. 302
How to Use Views ............................................................................................................................. 302
Design a View .......................................................................................................................... 303
Set Up a View .......................................................................................................................... 303
How to Invoke a View ............................................................................................................... 305
Design a View .......................................................................................................................... 307
Set Up a View .......................................................................................................................... 307
How to Invoke a View ............................................................................................................... 309
Set Up Groups and Roles ....................................................................................................................... 312
Groups and Roles ............................................................................................................................. 312
Types of Groups and Roles ..................................................................................................... 312
Comparison of Static and Dynamic Groups ............................................................................. 313
Types of Groups and Roles ..................................................................................................... 313
Comparison of Static and Dynamic Groups ............................................................................. 314
Static Groups and Roles ................................................................................................................... 314
Static Groups ........................................................................................................................... 315
How Static Groups Work .......................................................................................................... 315
How Static Roles Work ............................................................................................................ 316
Active Directory memberOf Attribute ........................................................................................ 317
Static Groups ........................................................................................................................... 320
CA Directory 13
How Static Groups Work .......................................................................................................... 320
How Static Roles Work ............................................................................................................ 321
Active Directory memberOf Attribute ........................................................................................ 321
Dynamic Groups and Roles .............................................................................................................. 325
Setting up Static and Dynamic Groups and Roles ............................................................................ 325
Setting Up Static Groups .......................................................................................................... 326
Setting Up Static Directory Roles ............................................................................................. 327
Setting Up Dynamic Groups ..................................................................................................... 328
Setting Up Dynamic Directory Roles ........................................................................................ 330
Setting Up Static Groups .......................................................................................................... 332
Setting Up Static Directory Roles ............................................................................................. 334
Setting Up Dynamic Groups ..................................................................................................... 335
Setting Up Dynamic Directory Roles ........................................................................................ 339
Role-Based Configuration ................................................................................................................. 341
Examples Static Groups and Roles in Democorp ............................................................................. 342
Example Enable Static Groups in Democorp ........................................................................... 342
Example Create a Static Group in Democorp .......................................................................... 343
Example Enable Static Roles in Democorp ............................................................................. 344
Example Enable Static Groups in Democorp ........................................................................... 344
Example Create a Static Group in Democorp .......................................................................... 345
Example Enable Static Roles in Democorp ............................................................................. 346
Examples Dynamic Groups and Roles in Democorp ........................................................................ 347
Example Create a Dynamic Group in Democorp ..................................................................... 347
Example Enable Dynamic Roles in Democorp ........................................................................ 348
Example Create a Dynamic Group in Democorp ..................................................................... 348
Example Enable Dynamic Roles in Democorp ........................................................................ 349
Monitor the Directory ............................................................................................................................... 350
Monitoring with Log Files .................................................................................................................. 350
Types of Logs ........................................................................................................................... 350
Recommended Logs ................................................................................................................ 351
Open a Log File ........................................................................................................................ 352
List Which Logs Are Open ....................................................................................................... 352
Monitoring Disk Space ............................................................................................................. 353
How the Historical Log Files Roll Over ..................................................................................... 353
How Trace Logs and Alarm Logs Roll Over ............................................................................. 353
How the DSA Keeps Time During Rollover .............................................................................. 354
Rollover Based on Maximum Lines .......................................................................................... 354
Monitoring with SNMP ....................................................................................................................... 355
Enable SNMP for Each DSA .................................................................................................... 356
Monitor Conditions with SNMP Traps ...................................................................................... 357
Deliver Alarms as SNMP Traps ............................................................................................... 358
Send Traps about Any Update Operations .............................................................................. 358
CA Directory 14
Sample Tools for SNMP Monitoring ......................................................................................... 359
Enable SNMP for Each DSA .................................................................................................... 359
Monitor Conditions with SNMP Traps ...................................................................................... 360
Deliver Alarms as SNMP Traps ............................................................................................... 361
Send Traps about Any Update Operations .............................................................................. 361
Sample Tools for SNMP Monitoring ......................................................................................... 362
Monitoring with the DSA Console ..................................................................................................... 362
Monitoring with Traces ...................................................................................................................... 363
Protocol Tracing ....................................................................................................................... 363
Statistics Tracing ...................................................................................................................... 363
Change the Trace Level Temporarily ....................................................................................... 364
Display Trace in a Log File ....................................................................................................... 364
Turn Tracing Off ....................................................................................................................... 365
Protocol Tracing ....................................................................................................................... 365
Statistics Tracing ...................................................................................................................... 365
Change the Trace Level Temporarily ....................................................................................... 366
Display Trace in a Log File ....................................................................................................... 366
Turn Tracing Off ....................................................................................................................... 367
Monitor the Directory Backbone Daily ............................................................................................... 367
Monitoring With DXmanager ............................................................................................................. 367
Dashboard Tab ........................................................................................................................ 368
Maps Tab ................................................................................................................................. 368
Charts Tab ............................................................................................................................... 371
Alerts Tab ................................................................................................................................. 371
Preferences Tab ....................................................................................................................... 372
External Monitoring API .................................................................................................................... 372
Configuring External Endpoints ................................................................................................ 373
Monitoring Output Format ........................................................................................................ 376
Manage DSAs ......................................................................................................................................... 388
How to Stop a DSA ........................................................................................................................... 388
Tools for Controlling DSAs ................................................................................................................ 388
Reinitializing a DSA ........................................................................................................................... 388
View DSA Current Statistics Using DX Consol ................................................................................. 389
Reset a DSA's Statistics Counts ....................................................................................................... 389
View Current Operational Values of a DSA ...................................................................................... 389
Control DSAs by Using DXmanager ................................................................................................. 389
Control DSAs by Using a Command Line ......................................................................................... 390
Start a DSA Using a Command Line ........................................................................................ 390
Stop a DSA Using a Command Line ........................................................................................ 391
Force a DSA to Stop Using Command Line ............................................................................. 391
Force an Inconsistent DSA to Start Using Command Line ...................................................... 391
Refresh a DSA Using a Command Line ................................................................................... 392
CA Directory 15
Check the Status of a DSA by Using a Command Line ........................................................... 392
Increase the Size of Your Datastore ........................................................................................ 393
Control DSAs by Using the DSA Console ......................................................................................... 393
Stop a DSA Using the DSA Console ....................................................................................... 393
Force a DSA to Stop Using the DSA Console ......................................................................... 394
Disconnect from a DSA by Using the DSA Console ................................................................ 394
Manage Directory Data ........................................................................................................................... 394
Change Every Entry in a Directory .................................................................................................... 394
Copy Data between DSAs ....................................................................................................... 395
Backing Up Data ............................................................................................................................... 395
Comparison of Backup Methods .............................................................................................. 395
Comparison of Backup Methods .............................................................................................. 398
Unique Attribute Values .................................................................................................................... 400
How Unique Attribute Values Work .......................................................................................... 400
Check for Attribute Value Uniqueness in a Subtree ................................................................. 401
List the Unique Attributes in a DSA .......................................................................................... 402
How Unique Attribute Values Work .......................................................................................... 402
Check for Attribute Value Uniqueness in a Subtree ................................................................. 402
List the Unique Attributes in a DSA .......................................................................................... 403
Operational Attributes ....................................................................................................................... 403
Consider Not Using Operational Attributes .............................................................................. 404
Prevent the Creation and Automatic Updating of Operational Attributes ................................. 405
Consider Not Using Operational Attributes .............................................................................. 405
Prevent the Creation and Automatic Updating of Operational Attributes ................................. 405
Sort an LDIF File ............................................................................................................................... 405
Convert Data from CSV Format to LDIF ........................................................................................... 406
Counting Entries ................................................................................................................................ 406
Example Count Entries in a Single DSA .................................................................................. 406
Example Count Entries in a Distributed Directory .................................................................... 407
Example Count Entries at a Single Level in a Single DSA ....................................................... 407
Example Count the Entries at the Base Level ......................................................................... 408
Example Count Entries in a Single DSA .................................................................................. 408
Example Count Entries in a Distributed Directory .................................................................... 409
Example Count Entries at a Single Level in a Single DSA ....................................................... 409
Example Count the Entries at the Base Level ......................................................................... 410
Pattern Matching ............................................................................................................................... 410
Searching Data Using Approximate Matching ......................................................................... 410
Searching Data Using Approximate Matching ......................................................................... 412
Referential Integrity ........................................................................................................................... 413
Create Referential Integrity Rules ............................................................................................ 414
Create Referential Integrity Rules ............................................................................................ 415
Manage Bindings ..................................................................................................................................... 415
CA Directory 16
Bindings ............................................................................................................................................ 415
Monitoring Bindings ........................................................................................................................... 415
View Bindings ........................................................................................................................... 416
View the Binding Configuration ................................................................................................ 416
View the DSP Configuration ..................................................................................................... 416
View Outgoing Bindings ........................................................................................................... 416
Control Tracing of Bindings ...................................................................................................... 417
View Bindings ........................................................................................................................... 417
View the Binding Configuration ................................................................................................ 418
View the DSP Configuration ..................................................................................................... 418
View Outgoing Bindings ........................................................................................................... 418
Control Tracing of Bindings ...................................................................................................... 418
Closing Bindings ............................................................................................................................... 419
Abort All Bindings ..................................................................................................................... 419
Abort One Binding .................................................................................................................... 420
Close Outgoing Bindings .......................................................................................................... 420
Disable New Bindings .............................................................................................................. 420
Abort All Bindings ..................................................................................................................... 421
Abort One Binding .................................................................................................................... 421
Close Outgoing Bindings .......................................................................................................... 421
Disable New Bindings .............................................................................................................. 422
Setting Binding Limits ........................................................................................................................ 422
Limit the Number of Bindings ................................................................................................... 422
Limit the Number of Operations per Binding ............................................................................ 423
Set a Maximum Idle Time for DSP Bindings ............................................................................ 423
Set the Maximum Guaranteed Idle Time ................................................................................. 424
Set the Maximum Binding Time ............................................................................................... 424
Process Concurrent Binds from CA SiteMinder ....................................................................... 425
Limit the Number of Bindings ................................................................................................... 425
Limit the Number of Operations per Binding ............................................................................ 425
Set a Maximum Idle Time for DSP Bindings ............................................................................ 426
Set the Maximum Guaranteed Idle Time ................................................................................. 426
Set the Maximum Binding Time ............................................................................................... 427
Process Concurrent Binds from CA SiteMinder ....................................................................... 427
Manage Operations ................................................................................................................................. 427
Types of Operations .......................................................................................................................... 427
Searches Are Faster Than Updates ......................................................................................... 428
Simple and Complex Searches ................................................................................................ 428
Searches Are Faster Than Updates ......................................................................................... 429
Simple and Complex Searches ................................................................................................ 429
DSA Handling of Multiple Concurrent Queries .................................................................................. 429
Abandon an Operation ...................................................................................................................... 430
CA Directory 17
Limit Operations ................................................................................................................................ 430
Methods for Setting Operation Limits ....................................................................................... 431
How the Methods for Setting Limits Interact ............................................................................ 432
DSA-Based Limits .................................................................................................................... 433
Role-Based Limits .................................................................................................................... 434
Operational Limits .................................................................................................................... 436
Methods for Setting Operation Limits ....................................................................................... 436
How the Methods for Setting Limits Interact ............................................................................ 437
DSA-Based Limits .................................................................................................................... 438
Role-Based Limits .................................................................................................................... 439
Operational Limits .................................................................................................................... 441
Search Profiles .................................................................................................................................. 442
Using Search Profiles ............................................................................................................... 443
Create Search Profiles ............................................................................................................. 443
Assign a Search Profile to a Role ............................................................................................ 444
Create a Default Search Profile ............................................................................................... 444
Example Restrict Searches for All Users Except Administrators ............................................. 444
Using Search Profiles ............................................................................................................... 445
Create Search Profiles ............................................................................................................. 446
Assign a Search Profile to a Role ............................................................................................ 446
Create a Default Search Profile ............................................................................................... 446
Example Restrict Searches for All Users Except Administrators ............................................. 447
Reject Operations .............................................................................................................................. 448
Shadow DSAs .......................................................................................................................... 448
Make a Namespace Read-only ................................................................................................ 448
Reject Some Types of Requests .............................................................................................. 449
How the Limit Search Setting Works ........................................................................................ 449
Shadow DSAs .......................................................................................................................... 450
Make a Namespace Read-only ................................................................................................ 450
Reject Some Types of Requests .............................................................................................. 451
How the Limit Search Setting Works ........................................................................................ 451
Manage User Accounts and Passwords ................................................................................................. 452
User Accounts ................................................................................................................................... 452
Password Policies ............................................................................................................................. 453
How to Set Up a Password Policy ..................................................................................................... 453
Plan a Password Policy ..................................................................................................................... 455
Write a Password Policy in Plain Language ............................................................................. 455
Convert the Written Policy into Commands for Each DSA ....................................................... 455
Write a Password Policy in Plain Language ............................................................................. 456
Convert the Written Policy into Commands for Each DSA ....................................................... 456
Create a Password Policy ................................................................................................................. 456
Enable Password Policies ........................................................................................................ 457
CA Directory 18
Create Multiple Password Policies for Each DSA .................................................................... 457
How to Configure Password Quality Rules .............................................................................. 458
How to Set Account Expiry Rules ............................................................................................ 463
How to Set Account Suspension Rules .................................................................................... 465
Example Password Policies ..................................................................................................... 467
Enable Password Policies ........................................................................................................ 469
Create Multiple Password Policies for Each DSA .................................................................... 469
How to Configure Password Quality Rules .............................................................................. 470
How to Set Account Expiry Rules ............................................................................................ 475
How to Set Account Suspension Rules .................................................................................... 478
Example Password Policies ..................................................................................................... 480
Test Your Password Policy ............................................................................................................... 482
Use Password Settings to Administer User Accounts ....................................................................... 484
Reactivate a Suspended or Expired Account ........................................................................... 485
Force Users to Change Passwords after Reactivation ............................................................ 486
Enforce Password Rules When Reactivating an Account ........................................................ 486
Lock a User Account ................................................................................................................ 486
Check Which Accounts Are Locked ......................................................................................... 487
Track Password Suspensions .................................................................................................. 487
Use a Password Proxy User .................................................................................................... 487
Operational Attributes for User Accounts ................................................................................. 488
Reactivate a Suspended or Expired Account ........................................................................... 488
Force Users to Change Passwords after Reactivation ............................................................ 489
Enforce Password Rules When Reactivating an Account ........................................................ 489
Lock a User Account ................................................................................................................ 490
Check Which Accounts Are Locked ......................................................................................... 490
Track Password Suspensions .................................................................................................. 490
Use a Password Proxy User .................................................................................................... 491
Operational Attributes for User Accounts ................................................................................. 491
Password Encryption ........................................................................................................................ 492
How Password Encryption Works ............................................................................................ 492
Choose an Encryption Method for Passwords Stored in a DSA .............................................. 493
Convert Passwords Already in a DSA to a New Encryption Method ....................................... 493
Hide Passwords in Knowledge Files ........................................................................................ 495
Password Commands Requiring an LDAP Client ............................................................................. 496
Connect to LDAP Clients ......................................................................................................................... 497
LDAP Clients ..................................................................................................................................... 497
Defining the LDAP Port ............................................................................................................ 497
Configuring LDAP Names ........................................................................................................ 497
Handling LDAP Strings ............................................................................................................ 498
Transparent Routing ................................................................................................................ 498
Defining the LDAP Port ............................................................................................................ 498
CA Directory 19
Configuring LDAP Names ........................................................................................................ 498
Handling LDAP Strings ............................................................................................................ 499
Transparent Routing 1 ............................................................................................................. 499
Schema Publishing ........................................................................................................................... 499
LDAP Controls .................................................................................................................................. 500
Supported LDAP Controls ........................................................................................................ 500
Routing LDAP Controls ............................................................................................................ 504
Page Sizes for the Server-Side Sorting and VLV Controls ...................................................... 504
Supported LDAP Controls ........................................................................................................ 505
Routing LDAP Controls ............................................................................................................ 508
Page Sizes for the Server-Side Sorting and VLV Controls ...................................................... 509
LDAP Root DSE ................................................................................................................................ 509
Display the Whole Root DSE ................................................................................................... 510
Display the LDAP Version ........................................................................................................ 510
Display the CA Directory Version ............................................................................................. 510
Display the Supported LDAP Controls ..................................................................................... 510
Display the Naming Context ..................................................................................................... 511
Display the Supported Schema ................................................................................................ 511
Display the Whole Root DSE ................................................................................................... 511
Display the LDAP Version ........................................................................................................ 512
Display the CA Directory Version ............................................................................................. 512
Display the Supported LDAP Controls ..................................................................................... 512
Display the Naming Context ..................................................................................................... 512
Display the Supported Schema ................................................................................................ 513
LDAP Programming in Perl ............................................................................................................... 513
Comments on LDAP Program .................................................................................................. 514
Using DXmanager ................................................................................................................................... 515
Auditing DXmanager Events ............................................................................................................. 516
The Backbone Concept ..................................................................................................................... 516
Network Topology in DXmanager ............................................................................................ 517
Namespace Partitions .............................................................................................................. 520
How DXmanager Uses the Topology to Configure the Backbone ........................................... 521
Assigning the Topology Components to the Namespace Partitions - Instantiation .................. 522
How DXmanager Works with Third-Party LDAP Servers ......................................................... 522
DXmanager Configuration File ................................................................................................. 522
Network Topology in DXmanager ............................................................................................ 522
Namespace Partitions .............................................................................................................. 525
How DXmanager Uses the Topology to Configure the Backbone ........................................... 526
Assigning the Topology Components to the Namespace Partitions - Instantiation .................. 527
How DXmanager Works with Third-Party LDAP Servers ......................................................... 527
DXmanager Configuration File ................................................................................................. 527
Overview of the Process to Create a New Directory Backbone ........................................................ 528
CA Directory 20
Gather Data about the Directory .............................................................................................. 529
Configure the Test Environment .............................................................................................. 531
Modifying CA Directory Configuration to Use DXmanager ...................................................... 532
Check the Test Environment .................................................................................................... 534
Export the New Configuration to an XML File .......................................................................... 535
Configure the Production Environment .................................................................................... 535
Gather Data about the Directory .............................................................................................. 535
Configure the Test Environment .............................................................................................. 538
Modifying CA Directory Configuration to Use DXmanager ...................................................... 538
Check the Test Environment .................................................................................................... 541
Export the New Configuration to an XML File .......................................................................... 541
Configure the Production Environment .................................................................................... 541
Logging in to DXmanager ................................................................................................................. 542
Methods for Setting Up Login Accounts ................................................................................... 542
Hashed Passwords for Login Accounts ................................................................................... 546
DXManager Roles .................................................................................................................... 547
Methods for Setting Up Login Accounts ................................................................................... 548
Hashed Passwords for Login Accounts ................................................................................... 552
DXManager Roles .................................................................................................................... 553
How to Use DXmanager to Manage the Configuration ..................................................................... 554
Start DXmanager ..................................................................................................................... 554
Configure a New Directory Backbone ...................................................................................... 555
Import the XML Configuration .................................................................................................. 556
Update the Host Addresses ..................................................................................................... 556
Deploy the Configuration .......................................................................................................... 556
Start DXmanager ..................................................................................................................... 557
Configure a New Directory Backbone ...................................................................................... 557
Import the XML Configuration .................................................................................................. 558
Update the Host Addresses ..................................................................................................... 558
Deploy the Configuration .......................................................................................................... 559
How to Modify the Backbone ............................................................................................................ 559
Define Default Values for the Whole Backbone ....................................................................... 559
Create a New Region, Site, or Host ......................................................................................... 560
Create a Namespace Partition ................................................................................................. 561
Create a DSA ........................................................................................................................... 562
Edit All DSAs on a Host ........................................................................................................... 564
View the Properties of Part of the Backbone ........................................................................... 564
Define Default Values for the Whole Backbone ....................................................................... 565
Create a New Region, Site, or Host ......................................................................................... 565
Create a Namespace Partition ................................................................................................. 566
Create a DSA ........................................................................................................................... 567
Edit All DSAs on a Host ........................................................................................................... 569
View the Properties of Part of the Backbone ........................................................................... 570
CA Directory 21
Authentication in DXmanager ........................................................................................................... 570
Set the Authentication Level .................................................................................................... 570
Set the Authentication Level .................................................................................................... 571
Troubleshooting DXmanager ............................................................................................................ 572
Cannot Create a DSA .............................................................................................................. 572
DXmanager is Showing Unexpected Behavior ........................................................................ 573
Reset the DXadmind Configuration .......................................................................................... 573
Check Whether DXadmind Is Running .................................................................................... 574
Check Whether DXadmind Trusts DXmanager ....................................................................... 575
Check Whether a Firewall Prevents Access to a Host ............................................................. 575
Check That DXmanager Knows the Host's Network Address ................................................. 575
Change DXwebserver's Port Numbers .................................................................................... 576
Diagnose a Problem with DXmanager ..................................................................................... 577
Managing Configuration Conflicts ............................................................................................ 577
DXmanager is Showing Unexpected Behavior ........................................................................ 578
Reset the DXadmind Configuration .......................................................................................... 578
Check Whether DXadmind Is Running .................................................................................... 579
Check Whether DXadmind Trusts DXmanager ....................................................................... 579
Check Whether a Firewall Prevents Access to a Host ............................................................. 580
Check That DXmanager Knows the Host's Network Address ................................................. 580
Change DXwebserver's Port Numbers .................................................................................... 580
Diagnose a Problem with DXmanager ..................................................................................... 581
Managing Configuration Conflicts ............................................................................................ 582
Changing Data Store Location ................................................................................................. 583
Maintaining the DXadmind Log File ......................................................................................... 583
Troubleshooting CA Directory ................................................................................................................. 583
Cannot Create a DSA ....................................................................................................................... 583
Cannot Start a DSA ........................................................................................................................... 584
Collect Diagnostic Information for CA Support .................................................................................. 585
Information Collected by the DXinfo Tool ................................................................................. 586
Collecting Data if a DSA Fails Internal Tests -- DXDUMPCORE Environment Variable .................. 587
DSA Rejects a Delete Request That Closely Follows a Modify or Create Request .......................... 587
Set Up the Sample Directories ................................................................................................................ 588
Scripts for the Sample Directories ..................................................................................................... 588
Two Ways to Set Up the Sample Directories .................................................................................... 589
Set Up the Sample DSAs for Text-Based Configuration ................................................................... 589
Set Up the Sample DSAs for DXmanager ........................................................................................ 590
Set Up the Democorp Namespace Partition ............................................................................ 591
Set Up the UNSPSC Namespace Partition .............................................................................. 593
Set Up the Root Namespace Partition ..................................................................................... 594
Add More Hosts to the Sample Directory Backbone ................................................................ 596
Create Democorp DSAs on the New Hosts ............................................................................. 597
CA Directory 22
Create UNSPSC DSAs on the New Hosts ............................................................................... 598
Create a Router DSA on Each Host ......................................................................................... 598
Deploy the Backbone Configuration to the Hosts .................................................................... 600
Source the UNSPSC Schema .................................................................................................. 600
Set Up the Sample Datastores on the Hosts ........................................................................... 601
Update the Configuration Files for the Sample DSAs ....................................................................... 602
Rarely-Used Features ............................................................................................................................. 603
Set Up Class-of-Service Templates .................................................................................................. 603
How Class-of-Service Templates Work ................................................................................... 603
Working with Class-of-Service Templates ............................................................................... 604
Example The Excellent ISP Company ..................................................................................... 606
Set Up Aliases .......................................................................................................................... 608
Set Up Dynamic Objects ................................................................................................................... 611
Risks of Dynamic Objects ........................................................................................................ 612
Extensible Objects ................................................................................................................... 613
Auto-Registered Attributes ....................................................................................................... 615
Use Both Auto-Registered Attributes and Extensible Attributes .............................................. 617
Replicate Password Policy Attributes to Another LDAP Directory .................................................... 617
Sample DSML Server ....................................................................................................................... 619
How the DSML Server Works .................................................................................................. 619
Connect to the DSML Server ................................................................................................... 620
Change the DSML Properties in the DSML Server .................................................................. 621
Sample Tools .................................................................................................................................... 621
Deploy the CA Directory SCIM Server .............................................................................................. 622
Prepare DSA ............................................................................................................................ 623
Configure SCIM Server ............................................................................................................ 623
Sending Requests to SCIM Server .......................................................................................... 624
CA Directory 23
Test the New Slot ..................................................................................................................... 630
Generate the Certificate Authority Key Pair ............................................................................. 631
Generate the DSA Certificates ................................................................................................. 632
Test the New Certificate ........................................................................................................... 632
Export the CA Certificate to a PEM File ................................................................................... 633
Export the DSA Certificates to PEM Files ................................................................................ 633
Change the DSA Configuration to Use the New Certificates ............................................................ 634
Test Whether SSL Is Working ........................................................................................................... 634
Connect To The Directory Using SSL ...................................................................................... 634
Trace Incoming and Outgoing Operations ............................................................................... 636
Integrate a Websphere Portal Server ...................................................................................................... 636
Install CA Directory ........................................................................................................................... 636
Create a CA Directory Backbone ...................................................................................................... 636
Populate CA Directory ....................................................................................................................... 636
Create an LDIF file Containing Users ...................................................................................... 637
Create an LDIF file Containing Groups .................................................................................... 638
Load the LDIF Files Into the DSA ............................................................................................ 639
Set Up Websphere Portal Server ...................................................................................................... 640
Install Websphere Portal Server .............................................................................................. 640
Configure Websphere Portal Server to Use CA Directory ....................................................... 641
Check that Required Entries Are Present ................................................................................ 642
Switch the User Repository ...................................................................................................... 642
Test the Integrated System ............................................................................................................... 642
Log In to the Portal ................................................................................................................... 643
Create a New User In The Portal ............................................................................................. 643
Integrate Entrust Security Manager ......................................................................................................... 643
Pre-requisites .................................................................................................................................... 644
Configure CA Directory ..................................................................................................................... 644
Create an Entrust DSA ............................................................................................................. 644
Configure the Entrust DSA ....................................................................................................... 644
Add Entries to the Entrust DSA ................................................................................................ 646
Install Entrust Security Manager ....................................................................................................... 646
Install the Informix Database .................................................................................................... 647
Install Entrust Security Manager 1 ........................................................................................... 647
Install Entrust Security Manager Administration ...................................................................... 650
CA Directory 24
echo Command ................................................................................................................................. 652
echo-off Command ............................................................................................................................ 652
echo-on Command ............................................................................................................................ 652
source Command .............................................................................................................................. 653
DSA Commands (DXserver Commands) ................................................................................................ 653
About the CA Directory Commands .................................................................................................. 653
Quotation Marks ....................................................................................................................... 653
Non-ASCII Characters ............................................................................................................. 654
Command History .................................................................................................................... 654
Commands Categorized by Function ................................................................................................ 654
Commands for Access Controls ............................................................................................... 655
Commands for Using DSA Memory ......................................................................................... 655
Commands for Logging ............................................................................................................ 655
Commands for Tracing ............................................................................................................. 656
Commands for Managing User Accounts ................................................................................ 656
Commands for Multiwrite Replication ....................................................................................... 657
Commands for Schemas .......................................................................................................... 658
Commands for SNMP .............................................................................................................. 658
Commands for SSL .................................................................................................................. 659
Commands Reference ............................................................................................................................ 659
abandon Command -- Cancel Operations ........................................................................................ 659
Outcome of the abandon Command ........................................................................................ 659
abort Command -- Close Bindings .................................................................................................... 660
clear access Command -- Remove All Static Access Controls ......................................................... 660
clear allow-search Command -- Remove all Search Profiles ............................................................ 661
clear dsas Command -- Remove Knowledge of all Remote DSA Definitions ................................... 661
clear dynamic-group Command ........................................................................................................ 661
clear multi-write-queue Command -- Remove Entries from Multi-Write Queue ................................ 661
clear referential-integrity Command -- Remove Referential Integrity Rules ...................................... 662
clear view Command -- Remove All View Definitions ....................................................................... 662
close log Command -- Stop Output Being Sent to a Log File ........................................................... 662
dump dxgrid-db Command -- Take a Consistent Snapshot Copy of a Datastore ............................. 663
dxserver Command -- Start, Stop, Install, or Initialize DSAs ............................................................. 664
force-shutdown Command -- Force a DSA to Shut Down ................................................................ 665
get access Command -- Display Access Control Settings ................................................................ 665
get agreement Command -- Display a DISP Agreement .................................................................. 666
get agreements Command -- Display All DISP Agreements ............................................................. 666
get allow-search Command -- Display a list of All Search Profiles ................................................... 666
get cache Command -- Display the Cache Configuration ................................................................. 667
get ciphers Command -- List All Supported Ciphers ......................................................................... 667
get class-of-service Command -- Display the CoS Templates in Use .............................................. 667
get dsa Command -- Display Information About the DSA ................................................................. 668
CA Directory 25
get dsas Command -- Display All Known Remote DSAs .................................................................. 668
get dsp Command -- Display the DSP Configuration Values ............................................................ 668
get dynamic-group Command -- Display Any Dynamic Groups ........................................................ 669
get help Command -- Display the DXserver Console Commands .................................................... 669
get history Command -- Show How Many Console Commands the history Command Will Display ......
669
get log Command -- List All Log Files and Settings .......................................................................... 669
get mib Command ............................................................................................................................. 670
get online-dsa Command -- Display the Configuration of a DSA ...................................................... 670
get online-dsas Command -- Display Current Connections to a DSA ............................................... 670
get opensslversion Command -- Display the OpenSSL Version ....................................................... 671
get oper Command -- Display Operational Settings .......................................................................... 671
get referential-integrity Command -- Display Referential Integrity Rules .......................................... 671
get schema Command -- Display the Schema .................................................................................. 672
get stack Command -- Display Communication Settings, Such as Port Numbers ............................ 672
get stats Command -- Display Operational Statistics ........................................................................ 673
get trace Command -- Display the Trace Settings ............................................................................ 673
get trace-level Command -- Display the Trace Level ........................................................................ 673
get user Command -- Display the DSA Configuration ....................................................................... 673
get user-threads Command -- Display Thread Settings .................................................................... 673
get users Command -- Display the Current Bindings ........................................................................ 674
get view Command -- Display View Definitions ................................................................................. 674
help Command -- Display Help on a Command ................................................................................ 674
history Command -- Display Previously Entered Console Commands ............................................. 675
logout Command -- Close the DSA Console ..................................................................................... 675
reset class-of-service Command ....................................................................................................... 676
reset stats Command ........................................................................................................................ 676
roll-logs Command Roll Over Logs With Max-Log-Lines Configuration ......................................... 676
set access-controls Command -- Set Access Controls ..................................................................... 676
set add-oc-parents Command ........................................................................................................... 676
set admin-user Command -- Configure Administrative User Access Level Rights ........................... 677
set agreement Command -- Create a DISP Agreement ................................................................... 679
set alias-integrity Command -- Set the DSA to Manage the Integrity of Aliases ............................... 682
set allow-binds Command -- Enable or Disable New Bindings on a DSA ......................................... 682
set allow-native-prefix-reauthentication Command -- Allow Router DSAs to Use a Prefix-mapped User
Name to Authenticate ........................................................................................................................ 682
set allow-search Command -- Create a Search Profile ..................................................................... 683
set allow-search-default Command -- Make One Search Profile the Default .................................... 685
set attr-set Command -- Define an Attribute Set ............................................................................... 685
set attribute Command -- Define an Attribute .................................................................................... 685
set auth-trap Command -- Set the DSA to Raise an SNMP Trap When Authentication Fails .......... 687
set busy-for-referral Command -- Send Busy in Place of LDAP Referrals ........................................ 687
set cache-index Command -- Specify Attributes to Be Indexed ........................................................ 687
CA Directory 26
set cache-index-all-except Command -- Specify Attributes Not to Index .......................................... 687
set cache-search-bias Command -- Improve search performance tuning ........................................ 688
set cache-reverse Command -- Specify Which Cached Attributes to Reverse-index ....................... 689
set check-structural-oc -- Prevent Entries with Multiple Unrelated Structural Object Classes from
Being Created ................................................................................................................................... 689
set class-of-service Command -- Create a Class-of-Service Template ............................................ 689
set concurrent-bind-user Command -- Allow the DSA to Process Concurrent Binds ....................... 690
set connect-log Command -- Record Each Connection in the Connect Log ..................................... 690
set credits Command -- Limit the Number of Operations per User ................................................... 691
set dereference-alias-on-bind Command -- Follow Alias on Bind Request ....................................... 691
set disable-client-binds Command -- Set the DSA to Refuse Client Binds ....................................... 691
set disable-transaction-log -- Disable or Enable the Transaction Log ............................................... 692
set disable-transaction-log-flush -- Disable or Enable Transaction Log Flushing ............................. 692
set dsa Command -- Define the Knowledge Settings of a DSA ........................................................ 692
set dsa prefix -- Define the Prefix of a DSA ...................................................................................... 698
set dxconsole-connect-alert Command -- Set Tracing for Console Connections .............................. 699
set dxconsole-users Command -- Specify Which Users Can Connect to the DSA Console ............ 699
set dxgrid-backup-location -- Define the Backup Location ................................................................ 700
set dxgrid-db-location Command -- Define the Path to the Datastore .............................................. 700
set dxgrid-db-size Command -- Define the Size of the Datastore ..................................................... 701
set dxgrid-queue Command -- Add a Queue in Front of Data Store ................................................. 701
set dxgrid-tx-location -- Define the Transactions File's Location ....................................................... 702
set dxgrid-write-behind Command -- Flush the Grid File .................................................................. 702
set dynamic-group Command ........................................................................................................... 702
set enable-nonstandard-behaviour--Change the default beahvior of the DSA ................................. 703
set excluded-controls Command -- Prevent LDAP Controls from Being Used ................................. 704
set extended-stats-tracing command -- Include Statistical Information in Stats Log ......................... 704
set force-encrypt-anon Command -- Force Users to Use SSL on Anonymous Binds ...................... 705
set force-encrypt-auth Command -- Force Users to Use SSL on Authenticated Binds .................... 705
set group Command -- Define an Access Control Group .................................................................. 706
set history Command -- Set the Number of Console Commands the history Command Will Display ....
706
set hold-ldap-connections Command ................................................................................................ 706
set ignore-name-bindings Command -- Allow the DSA to Operate Without Name Bindings ............ 707
set ignore-null-value-attrs Command ................................................................................................ 707
set interrupt-searches Command -- Interrupt a Search to Allow an Update to Proceed ................... 707
set keep-order-of-values Command -- Keep Order of Values for Attribute Types ............................ 708
set limit-search-exceptions Command -- Let Some Users Bypass Complex Search Limits ............. 708
set limit-search-exceptions-browse Command -- Let Some Users Bypass Browse Search Limits .. 709
set log Command .............................................................................................................................. 709
set lookup-cache Command -- Enable Memory-Mapped File ........................................................... 710
set max-bind-time Command ............................................................................................................ 710
set max-cache-index-size Command ................................................................................................ 711
CA Directory 27
set max-filter-norm-size Command -- Limit memory for filter processing .......................................... 711
set max-op-size Command ............................................................................................................... 711
set max-op-time Command ............................................................................................................... 711
set max-pdu-size Command ............................................................................................................. 712
set max-users Command .................................................................................................................. 712
set max-view-filter Command ............................................................................................................ 713
set mimic-netscape-for-siteminder Command .................................................................................. 713
set modify-on-add Command ............................................................................................................ 713
set multi-write-disp-recovery Command - Enable Multiwrite-DISP Recovery ................................... 714
set multi-write-dsp-idle-time Command ............................................................................................. 714
set multi-write-error-trap Command .................................................................................................. 714
set multi-write-group-credit Command .............................................................................................. 715
set multi-write-outstanding-ops Command ........................................................................................ 715
set multi-write-queue Command ....................................................................................................... 715
set multi-write-retry-time Command .................................................................................................. 715
set name-binding Command ............................................................................................................. 716
set object-class Command ................................................................................................................ 717
set oid-prefix Command .................................................................................................................... 718
set op-attrs Command ....................................................................................................................... 718
set op-error-trap Command ............................................................................................................... 718
set paging-threshold Command -- Set a Threshold for Handling Paging Requests ......................... 719
set password-age Command ............................................................................................................ 719
set password-age-warning-period Command ................................................................................... 719
set password-allow-ignore-expired Command .................................................................................. 720
set password-allow-ignore-suspended Command ............................................................................ 720
set password-allow-locking Command .............................................................................................. 721
set password-alpha Command ......................................................................................................... 721
set password-alpha-num Command ................................................................................................. 722
set password-enforce-quality-on-reset Command ............................................................................ 722
set password-force-change Command ............................................................................................. 722
set password-grace-logins Command ............................................................................................... 723
set password-history Command ........................................................................................................ 724
set password-last-use Command ...................................................................................................... 724
set password-lowercase Command .................................................................................................. 724
set password-max-length Command ................................................................................................ 725
set password-max-repetition Command ........................................................................................... 725
set password-max-substring-repetition Command ............................................................................ 725
set password-max-suspension Command ........................................................................................ 726
set password-mimic-netscape-response-controls Command ........................................................... 726
set password-netscape-legacy-mode Command ..................................................................... 727
set password-min-age Command ..................................................................................................... 727
set password-min-length Command ................................................................................................. 727
set password-min-length-repeated-substring Command .................................................................. 728
CA Directory 28
set password-netscape-op-attrs Command ...................................................................................... 728
set password-non-alpha Command .................................................................................................. 728
set password-non-alpha-num Command .......................................................................................... 729
trace Command ................................................................................................................................. 729
set password-numeric Command ..................................................................................................... 731
set password-policy Command ......................................................................................................... 731
set password-proxy-user Command ................................................................................................. 732
set password-retries Command ........................................................................................................ 732
set password-storage Command ...................................................................................................... 732
Supporting Commands for the PBKDF2 Hashing Method ....................................................... 733
set password-substring-attrs Command ........................................................................................... 734
set password-suspended-trap Command ......................................................................................... 734
set password-uppercase Command ................................................................................................. 735
set password-username-substring Command .................................................................................. 735
set persistent-search Command ....................................................................................................... 735
set precedence Command ................................................................................................................ 736
set protected-items Command -- Configure Protected Items Access Level Controls ....................... 736
set prune-oc-parents Command ....................................................................................................... 740
set public-user Command -- Configure Anonymous User Access Level Rights ............................... 740
set query-log-show-eis Command -- Show or Hide eis Information in Query log ............................. 742
set query-log-advanced -- Set Advanced Logging Options ............................................................... 742
set rdn-order Command -- Specify Attribute Order ........................................................................... 744
set referential-integrity Command ..................................................................................................... 744
set reg-user Command -- Configure Registered User Access Level Rights ..................................... 746
set relaxed-not-search Command ..................................................................................................... 749
set rename-threshold Command -- Allow Renames for Horizontal Partitions .......................... 749
set return-oc-parents Command ....................................................................................................... 749
set role-subtree Command ................................................................................................................ 750
set snmp-description Command -- Describe the DSA ............................................................. 750
set snmp-contact Command -- Specify the Contact Name or Email Address .......................... 750
set snmp-name Command -- Specify the DSA Name .............................................................. 750
set snmp-location Command -- Identify the location of the DSA ............................................. 750
set snmp-poll-community Command ................................................................................................. 751
set snmp-trap-community Command ................................................................................................ 751
set ssl Command -- Configure SSL ................................................................................................... 751
set ssl-auth-bypass-entry-check Command ...................................................................................... 752
set super-user Command -- Configure Super User Access Level Rights ......................................... 753
set syntax-alias Command ................................................................................................................ 754
set target-password-policy Command -- Create Multiple Password Policies .................................... 755
set tcp-buff-size -- Set TCP Buffer Sizes .......................................................................................... 755
set time-log-search-threshold Command -- Limit The Display of Compare and Search Operations in
the Time Log ..................................................................................................................................... 756
CA Directory 29
set time-log-update-threshold Command -- Limit the Display of Update Operations in the Time Log ....
756
set trace Command -- Define Trace Levels ...................................................................................... 757
set transparent-routing Command .................................................................................................... 758
set trap-on-update Command ........................................................................................................... 759
set trap-on-update-verbose Command ............................................................................................. 759
set trust-sasl-proxy Command .......................................................................................................... 759
set unique-attrs Command -- Enable Checks for Uniqueness of Attribute Values ............................ 759
set unique-attrs-subtree Command -- Enable Checks for Uniqueness Within a Subtree ................. 760
set update-log-show-all-values Command -- Include Binary Attributes in the Update Log ............... 760
set update-log-show-values Command ............................................................................................. 761
set use-dynamic-roles Command ..................................................................................................... 761
set use-roles Command .................................................................................................................... 762
set user-idle-time Command ............................................................................................................. 762
set user-threads Command -- Define the Number of Threads for Requests .................................... 762
set view Command -- Define a View ................................................................................................. 763
Views Parameters .................................................................................................................... 767
set wait-for-multiwrite Command ....................................................................................................... 770
set windows-high-resolution-time Command -- Change the time resolution for Windows ................ 770
set write-precedence Command ....................................................................................................... 771
shutdown Command ......................................................................................................................... 771
trace disable assoc Command .......................................................................................................... 771
trace enable assoc Command .......................................................................................................... 771
unbind Command .............................................................................................................................. 772
update agreement Command ........................................................................................................... 773
Other Commands .................................................................................................................................... 773
DXadmind Commands ...................................................................................................................... 773
dxadmind debug Command -- Display Debugging Information about DXadmind .................... 774
dxadmind help Command -- Check the DXadmind Configuration ........................................... 774
dxadmind start Command -- Start DXadmind .......................................................................... 775
dxadmind stop Command -- Stop DXadmind ........................................................................... 775
dxadmind setup Command -- Change the DXadmind Configuration ....................................... 775
DXwebserver Commands ................................................................................................................. 775
dxwebserver start Command ................................................................................................... 776
dxwebserver stop Command ................................................................................................... 776
dxwebserver status Command ................................................................................................. 776
Commands Used in DXmanager ............................................................................................................. 776
Knowledge ........................................................................................................................................ 776
Trust Flags in DXmanager ....................................................................................................... 778
DSA Limits Configuration .................................................................................................................. 779
Logging ............................................................................................................................................. 780
Password Policy ................................................................................................................................ 782
CA Directory 30
Settings ............................................................................................................................................. 783
SSL Configuration ............................................................................................................................. 786
Features Not Supported by DXmanager ........................................................................................... 787
System Messages for CA Directory ........................................................................................................ 788
DXserver Alarm Messages ................................................................................................................ 788
Error Messages ........................................................................................................................ 788
Warning Messages .................................................................................................................. 802
Information Messages .............................................................................................................. 812
Installation Error Messages on Windows .......................................................................................... 818
Error 267 or Error 1606 ............................................................................................................ 818
Error 1605 Could not retrieve Version String ........................................................................... 818
Error 1639 Invalid Command Line Argument ........................................................................... 818
File Structure and File Formats ............................................................................................................... 819
File Structure ..................................................................................................................................... 819
LDIF .................................................................................................................................................. 820
Format of Information in an LDIF File ...................................................................................... 821
Encryption, Special Characters, and Binary Data in LDIF ....................................................... 823
LDIF Template Files (LDT) ................................................................................................................ 824
The Format of LDT files ........................................................................................................... 824
Example LDIF Template File .................................................................................................... 825
CSV ................................................................................................................................................... 825
Example CSV Data File ........................................................................................................... 825
Limits ....................................................................................................................................................... 826
Limits That You Can Change ............................................................................................................ 826
Limit the Number of Index Entries ............................................................................................ 826
Service Limits ........................................................................................................................... 826
Operations Limits ..................................................................................................................... 827
Bindings Limits ......................................................................................................................... 827
Multiwrite Replication Limits ..................................................................................................... 827
User Account Limits ................................................................................................................. 827
Logging Limits .......................................................................................................................... 829
Other Limits .............................................................................................................................. 829
Limits That You Cannot Change ....................................................................................................... 829
Data Limits ............................................................................................................................... 830
Namespace Limits .................................................................................................................... 830
DSA Limits ............................................................................................................................... 830
Other Unchangeable Limits ...................................................................................................... 831
Supported Schemas and Syntaxes ......................................................................................................... 831
Schema Files Provided with CA Directory ......................................................................................... 831
Supported Attribute Syntaxes ........................................................................................................... 832
Supported Standards and Protocols ....................................................................................................... 833
Conformance with Standards ............................................................................................................ 833
CA Directory 31
X.500 Standards ...................................................................................................................... 833
LDAP Standards ...................................................................................................................... 835
Management Standards ........................................................................................................... 838
Security Standards ................................................................................................................... 840
Web Services Standards .......................................................................................................... 841
Hashing Formats ............................................................................................................................... 841
Hashing Formats for DXserver Passwords .............................................................................. 842
Hashing Formats for the DSA Console Password ................................................................... 842
Encryption Formats for SSL ..................................................................................................... 843
US Government Standards ............................................................................................................... 844
Accessibility (Section 508) ....................................................................................................... 844
Common Criteria Certification .................................................................................................. 844
FIPS Compliance ..................................................................................................................... 845
Link Protocols .................................................................................................................................... 845
Server - Server Links ............................................................................................................... 846
Client - Server Links ................................................................................................................. 846
Web Services Protocols ........................................................................................................... 846
IPv6 Support ............................................................................................................................ 846
Protocol Diagrams .................................................................................................................... 846
Port Numbers Used by CA Directory ....................................................................................................... 848
Port Number Range .......................................................................................................................... 848
NSAP, PSAP, and TSAP Port Numbers ........................................................................................... 848
Ports Used by CA Directory Components ......................................................................................... 849
The Directory User Agent (DUA) ............................................................................................................. 849
Example Script for a DUA ................................................................................................................. 850
DUA Commands ............................................................................................................................... 851
abandon-req Command -- Stop a Request .............................................................................. 851
add-entry-req Command -- Add an Entry ................................................................................. 851
bind-req Command -- Create a Binding ................................................................................... 853
Close a Binding ........................................................................................................................ 854
common-args -- Common Arguments Applicable to All DUA Requests .................................. 854
compare-req Command -- Compare Entries ............................................................................ 855
list-req Command -- List Entries ............................................................................................... 856
mod-dn-req Command -- Rename an Entry ............................................................................ 857
mod-entry-req Command -- Modify an Entry ........................................................................... 858
rem-entry-req Command -- Delete an Entry ............................................................................. 860
read-req Command -- Read an Entry ...................................................................................... 861
search-req Command -- Find Entries ....................................................................................... 862
modify-passwd-req Command--Modify the LDAP Password ................................................... 866
Glossary .................................................................................................................................................. 866
alarms ............................................................................................................................................... 866
alerts ................................................................................................................................................. 866
CA Directory 32
alias entries ....................................................................................................................................... 866
association ........................................................................................................................................ 867
attributes ........................................................................................................................................... 867
authentication levels .......................................................................................................................... 867
auto-registered attributes .................................................................................................................. 867
auxiliary object class ......................................................................................................................... 867
backbone ........................................................................................................................................... 867
base-object searches ........................................................................................................................ 867
binding ............................................................................................................................................... 868
class-of-service templates ................................................................................................................. 868
credentials ......................................................................................................................................... 868
data DSA ........................................................................................................................................... 868
datastore ........................................................................................................................................... 868
deploying ........................................................................................................................................... 868
dereferencing .................................................................................................................................... 868
DIB (directory information base) ........................................................................................................ 868
directory management server ............................................................................................................ 869
DISP .................................................................................................................................................. 869
distribution ......................................................................................................................................... 869
DIT (directory information tree) ......................................................................................................... 869
DN (distinguished name) ................................................................................................................... 869
DSA (directory system agent) ........................................................................................................... 869
DSA console ..................................................................................................................................... 869
DSML (Directory Services Markup Language) .................................................................................. 870
DSML Server ..................................................................................................................................... 870
DSP (Directory System Protocol) ...................................................................................................... 870
DUA (directory user agent) ................................................................................................................ 870
DXadmind ......................................................................................................................................... 870
DXmanager ....................................................................................................................................... 870
DXtools .............................................................................................................................................. 870
dynamic groups ................................................................................................................................. 871
EIS (entry information selection) ....................................................................................................... 871
entries ............................................................................................................................................... 871
extensible objects .............................................................................................................................. 871
failback .............................................................................................................................................. 871
failover ............................................................................................................................................... 871
health ................................................................................................................................................ 871
horizontal partitioning ........................................................................................................................ 871
hosts .................................................................................................................................................. 872
hub .................................................................................................................................................... 872
idle time ............................................................................................................................................. 872
instantiation ....................................................................................................................................... 872
JNDI (Java Naming and Directory Interface) .................................................................................... 872
CA Directory 33
JXweb ............................................................................................................................................... 872
latency ............................................................................................................................................... 872
LDAP (Lightweight Directory Access Protocol) ................................................................................. 873
LDIF (LDAP Data Interchange Format) ............................................................................................. 873
LDIF files ........................................................................................................................................... 873
LDT file .............................................................................................................................................. 873
leaf entries ......................................................................................................................................... 873
load ................................................................................................................................................... 873
load sharing ....................................................................................................................................... 873
logs .................................................................................................................................................... 873
MIB (management information base) ................................................................................................ 874
multiwrite group ................................................................................................................................. 874
multiwrite peers ................................................................................................................................. 874
multiwrite replication .......................................................................................................................... 874
multiwrite-DISP replication ................................................................................................................ 874
namespace ........................................................................................................................................ 874
namespace partition .......................................................................................................................... 874
naming attributes ............................................................................................................................... 874
network topology ............................................................................................................................... 875
OID (object identifier) ........................................................................................................................ 875
OID prefix .......................................................................................................................................... 875
operational attributes ......................................................................................................................... 875
operations ......................................................................................................................................... 875
performance ...................................................................................................................................... 875
personality certificates ....................................................................................................................... 875
phase ................................................................................................................................................ 876
public user ......................................................................................................................................... 876
RDN (relative distinguished name) ................................................................................................... 876
recovery ............................................................................................................................................ 876
recovery mode .................................................................................................................................. 876
recovery notification list ..................................................................................................................... 876
referential integrity ............................................................................................................................. 876
region ................................................................................................................................................ 877
response files .................................................................................................................................... 877
router DSA ........................................................................................................................................ 877
SAML (Security Assertion Markup Language) .................................................................................. 877
schema .............................................................................................................................................. 877
script files .......................................................................................................................................... 877
selective shadowing .......................................................................................................................... 877
sites ................................................................................................................................................... 877
SPML (Services Provisioning Markup Language) ............................................................................. 878
static groups ...................................................................................................................................... 878
TCP port ............................................................................................................................................ 878
CA Directory 34
text-based configuration files ............................................................................................................ 878
third-party LDAP server ..................................................................................................................... 878
third-party X.500 DSA ....................................................................................................................... 878
topology ............................................................................................................................................. 878
traces ................................................................................................................................................ 879
transparent routing ............................................................................................................................ 879
view ................................................................................................................................................... 879
X.500 ................................................................................................................................................. 879
CA Directory 35
CA Directory - 12.0.18
CA Directory
04-May-2016 36/923
CA Directory - 12.0.18
Release Overview
The content in this section provides release information for features, operating system support,
system requirements, known issues, and fixes. Use the Table of Contents to access the content.
You can download the installation package for each operating system from Technical Support at
http://ca.com/support (http://www.ca.com/support).
For complete information on operating systems support, see the CA Directory Compatibility Matrix (
http://www.ca.com/us/support/ca-support-online/product-content/status/compatibility-matrix/ca-directory-
compatibility-matrix.aspx).
System Requirements
For production systems with very large datastores, or where maximum performance or fault-
tolerance is required, consult CA at http://ca.com/support (http://www.ca.com/support) for advice on
choosing server and disk configurations before installing this product.
04-May-2016 37/923
CA Directory - 12.0.18
If you use Internet Explorer 9, run it in Internet Explorer 8 Browser Mode.
Note: For information about which computers require JRE, see Getting Started.
UNIX Requirements
You must have superuser (root) access to the system to install CA Directory.
Linux Requirements
To install CA Directory, you must have a superuser (root) access to the system to install CA Directory.
Alternatively, define a special user with DXserver Administrator comment field and provide necessary
privileges to access the CA Directory installation location.
Windows Requirements
You must have superuser (administrator) access to the system to install CA Directory.
Known Issues
This section discusses about known issues in CA Directory.
Known Issues Affecting All Operating Systems (see page 39)
Known Issues On All UNIX Operating Systems (see page 42)
Known Issues On Linux Only (see page 42)
Known Issues On Solaris Only (see page 43)
Known Issues On HP-UX Only (see page 44)
Known Issues On AIX Only (see page 45)
Known Issues On Windows Only (see page 46)
04-May-2016 38/923
CA Directory - 12.0.18
The configuration dialog box may flicker when moving the mouse or entering data, when
connected to DXmanager over a latent connection
There is currently no field validation performed against IP addresses. Care must be taken to
ensure these items are syntactically correct otherwise features relying on them will not function
as expected.
If an edit session times out, a user may be blocked from selecting nodes on the Map view to edit.
If this occurs, the current configuration can be edited by going into Configuration -> Edit version
and selecting the most recently saved version.
DXmanager
DXadmind
04-May-2016 39/923
CA Directory - 12.0.18
Note: For more information about the -i option, see DXdumpdb Tool -- Export Data from a
Datastore to an LDIF File
In addition, if you switch back and forth between different versions of DXmanager on the same
computer, you must clear the Java cache each time you go back to the older version. For more
information about how to clear the Java cache, see the Administration Guide.
To work around this issue, log out of DXmanager before you close the tab, or close the browser, not
just the tab.
This means that during installation, you should set the same values for these on each host.
After installation, when you are using DXmanager to set up the directory backbone, you will specify
the DXadmind port and password that you set during the installation.
To update the state of the DSA and correct the display, do the following:
04-May-2016 40/923
CA Directory - 12.0.18
2. If the Start DSA and Stop DSA options are available, click one of these.
This will change the DSA to the selected state, and the display will be correct.
DXmanager charts are not updated if none of the DSAs being charted are running.
DXmanager charts do not display correct information after you deploy a new configuration.
To work around this issue, re-request the chart. To do this, navigate to a configuration page and then
back to the main tabbed page for charts on the dashboard. Alternatively, clear then redefine a chart
request for the charts tab.
Error messages from the DSA (for example: why a DSA could not start, data files filling up, and so
on).
04-May-2016 41/923
CA Directory - 12.0.18
To work around this issue, search for your java processes using the ps -ef command, then manually
kill the appropriate process.
You can still read the PDFs, and you can still search for text within a particular PDF.
04-May-2016 42/923
CA Directory - 12.0.18
Nautilus Warnings
When logging in as the user dsa on Linux platforms, some applications may display errors due to the
environmental variable "POSIXLY_CORRECT" being set in the dsa user's environment. This flag is
required for the correct operation of the DXtools. If this flag is removed from the environment so the
other applications can work correctly it must be set again before calling any of the DXtools. This may
be accomplished by wrapping the tools in a shell script.
DSAs May Not Start Automatically After Reboot on SuSe 9.3 After Installing EEM
On SuSe 9.3, if you install CA EEM after installing CA Directory, EEM creates duplicate symbolic links
to /etc/init.d/dxserver. As a result the script is called twice, and fails.
To work around this issue, delete the duplicate symbolic links. The name of the symbolic link is called
S99dxserver. Delete that link from the following directories:
/etc/init.d/rc3.d
/etc/init/rc4.d
/etc/init/rc5.d
DXdumpdb and DXloaddb Fail When the "get cache " Command is Used
If you upgrade CA Directory from r8.1 to r12 SP1 and you have the "get cache;" command defined in
the configuration, DXdumpdb and DXloaddb will fail as their parser detects this and returns an error.
When this happens during an upgrade, the installation program prompts you to find out whether you
want to continue with the installation, causing data to be lost.
Installing on Solaris 9
If you are not running a standard Solaris 9 installation, ensure you have the following Sun packages
installed before you install CA Directory:
SUNWbcp
SUNWscpr
SUNWscpu
04-May-2016 43/923
CA Directory - 12.0.18
SUNWscpu
SUNWscpux
SUNWsra
SUNWsrh
SUNWipc
SUNWcsw
etrdir::100:
4. Add the dsa user with the primary group etrdir. Do this using SAM or by editing /etc/passwd
and /etc/shadow.
Ensure that the UIDs are unique.
If you use SAM, do not create the home directories (let DXsetup do this step).
For example:
dsa:x:1002:100:DXserver
Administrator:/opt/CA/eTrustDirectory/dxserver:/bin/csh
04-May-2016 44/923
CA Directory - 12.0.18
This message appears because CA Directory r12 SP1 uses the getaddrinfo() function call to provide
IPv6 functionality. However, the initial releases of HP-UX 11.11 did not include support for this
function. Install the HP-UX patch PHCO_31903 or higher before you run CA Directory.
If the command returns no rows, then install PHCO_31903 or higher before installing CA
Directory.
If you try to create a larger datastore using DXnewdsa or DXnewdb, you will see a message similar to
the following:
$ ulimit
04-May-2016 45/923
CA Directory - 12.0.18
2.
To work around this issue, upgrade Lic98 to version 1.8.01 or later. To do this, refer to the CA ALP
License Update for Windows (https://support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/common
/reglic/readme_standalone.html).
Published Fixes
All published fixes for this product can be found through Published Solutions on Technical Support at
http://ca.com/support (http://www.ca.com/support).
04-May-2016 46/923
CA Directory - 12.0.18
For more information, see Install CA Directory on Linux Using Debian Packages (see page 75).
For more information, see Install CA Directory on Linux Using RPM Packages (see page 76).
Also, the new roll-logs command causes all logs that are configured with a maximum lines threshold
to roll over immediately.
For more information, see Rollover Based on Maximum Lines (see page 354).
For more information, see Control DSAs by Using a Command Line (see page 390).
04-May-2016 47/923
CA Directory - 12.0.18
Packet Corruption
CA Directory 12.0.18 addresses two serious instances that could lead to response network packet
corruption. As a result of packet corruption, the LDAP client rejects the response as invalid.
Certifications
CA Directory is now supported on the following operating environments:
SUSE 12 SP1
04-May-2016 48/923
CA Directory - 12.0.18
Getting Started
CA Directory Documentation
The documentation for CA Directory is listed in the following table.
Documentation Conventions
The CA Directory documentation uses the following conventions:
Format Meaning
Code or program output
Mono-spaced
font
Italic Emphasis or a new term
Bold Text that you must type exactly as shown
A forward slash /
04-May-2016 49/923
CA Directory - 12.0.18
Format Meaning
Platform-independent directory separator used to describe UNIX and Windows
paths
The documentation also uses the following special conventions when explaining command syntax
and user input (in a mono-spaced font):
Format Meaning
Italic Information that you must supply
Between square Optional operands
brackets [ ]
Between braces { } Set of mandatory operands
Choices separated Separates alternative operands (choose one).
by pipe | For example, the following means either a user name or a group name:
{username|groupname}
... Indicates that the preceding item or group of items can be repeated
Underline Default values
A backslash at end Sometimes a command does not fit on a single line in this guide. In these cases, a
of line preceded by space followed by a backslash ( \) at the end of a line indicates that the
a space \ command continues on the following line.
Note: Avoid copying the backslash character and omit the line break. These are
not part of the actual command syntax.
The following code illustrates how command conventions are used in this guide:
In this example:
The command name (ruler) is shown in regular mono-spaced font as it must be typed as shown.
The className option is in italic as it is a placeholder for a class name (for example, USER).
You can run the command without the second part enclosed in square brackets, which signifies
optional operands.
When using the optional parameter (props), you can choose the keyword all or, specify one or more
property names separated by a comma.
04-May-2016 50/923
CA Directory - 12.0.18
Components of CA Directory
Fundamental Changes from r8.1
Current CA Directory versions are fundamentally different from r8.1. Before you upgrade CA
Directory from r8.1, you should be aware of the following:
In r8.1, CA Directory used an Ingres database to store data. CA Directory now uses a memory-
mapped file ("datastore") to provide persistent storage.
Apart from increasing performance, consider the following installation consequences:
Some of the DXtools commands from the previous release no longer exist and others have
changed, so you may need to modify script files.
You can no longer use cache-only DSAs. The installation process will not continue if it detects
a cache-only DSA.
In r8.1, one database can be used by many DSAs. However, now each datastore has only one DSA.
A DSA can multi-thread requests to its datastore.
If you have more than one DSA using a database, you need to remove all these DSAs except one
before upgrading. If there is more than one DSA associated with one database, the installer
produces an error message and exits.
Note: For more information about these changes, see the Release Summary.
Installation Components
Each CA Directory package contains several components. You can install, upgrade, or uninstall each
package separately from the others. The packages and their components are as follows:
Directory Package
DXserver
DXserver is the central component of CA Directory. Each DSA uses a DXserver process. You
can run many DSAs on one computer, but you need to install DXserver only once on each
computer.
Documentation
The documentation is delivered in HTML.
04-May-2016 51/923
CA Directory - 12.0.18
Directory Samples
The samples contain different DSA configurations and show different methods of populating a
directory. You can use these samples to explore the CA Directory features before setting up
your own directory. The files for the sample DSA are always installed when you install this
package, but you need to run a script to set them up.
DXmanager
DXmanager is a web application that lets you monitor, configure, and control DSAs. Using
Tomcat, you can give DXmanager users permission to monitor DSAs, to start and stop DSAs, or
to change the directory configuration.
JXweb
JXweb is a web-based LDAP browser and editor. You can use JXweb to browse, search,
configure, and update the directory data.
Documentation
This is the HTML version of the documentation. This includes information about
administration, installation, integration with other products, and reference information.
Web Samples
This component includes the DSML Server sample application. The DSML Server lets client
applications use DSML, rather than LDAP, to communicate with CA Directory.
JXplorer package
JXplorer is an open source, standards compliant, Java based, LDAP browser that lets you do the
following:
Note: For more information, see the JXplorer web site at JXplorer.org (http://jxplorer.org).
04-May-2016 52/923
CA Directory - 12.0.18
2. Ensure that the computer has a CD-ROM drive, or that you can access a CD-ROM drive on the
same network.
3. Log in as a user (on UNIX) or as a user with administration permissions (on Windows).
5. Back up the directory data, plus any schema files and configuration files that you have
customized.
6. Review our recommendations on the computers you should use for your directory backbone,
and determine which packages you want to install on each computer. (see page 53)
7. If you are upgrading from an earlier version of CA Directory, check and follow the
recommendations in Fundamental Changes from r8.1 (see page 51).
Note: For instructions about changing a CA Directory configuration to use DXmanager, see
the Administrating section.
04-May-2016 53/923
CA Directory - 12.0.18
Company A is a company with more than one hundred million customers. These customer details are
stored in a directory that is distributed across fifteen sites in four regions.
To maintain this directory backbone, each region has regional administrators and each site has site
administrators.
The administrator should install the following packages on the test computer, in this order:
1. JXplorer package
2. Directory package
04-May-2016 54/923
CA Directory - 12.0.18
Administrators computer
Each administrator and operator uses one of these computers to monitor and maintain the
directory.
Each administrator and operator connects to DXmanager and JXweb on the Directory
Management server. Computers that have DXmanager and JXweb installed also need JRE
installed.
The directory management server is the computer on which you have installed the Directory
Management package, which includes DXmanager.
The administrator and operators connect to this computer to run DXmanager, JXweb, and the
documentation, which are all included in the Directory Management package.
The Directory Management components use Tomcat, which is an open-source web server. The
Tomcat web server is installed as CA Directory Web Server. You must also install JRE on this
computer, because DXmanager requires JRE.
Note: Do not use this instance of Tomcat to host any other applications. It is customized to
work with DXmanager only.
Directory hosts
A host is a single computer with CA Directory installed on it. A single host may serve one or more
namespace partitions.
You install the Directory package on each of these computers. You can also install JXplorer (which
requires JRE).
c. (Optional) If you plan to access DXmanager using a web browser on another computer,
you must open one or both of the following TCP ports:
04-May-2016 55/923
CA Directory - 12.0.18
2.
In the following example of a typical Windows installation, the C and D drives are on separate
physical disks:
In the following example of a typical UNIX installation, the /local partition is on a separate physical
disk:
Note: For more information about disk configurations such as mirrored disks and RAID,
contact Technical Support at http://ca.com/support (http://www.ca.com/support).
Installation Methods
You can install CA Directory in the following ways:
04-May-2016 56/923
CA Directory - 12.0.18
Interactive installation
On Windows, the Installation Wizard lets you install each package using the installation wizard
(see page 59).
On UNIX, an interactive installation script (see page 69) lets you install each package.
If the installation is a new installation, the installation process does the following:
1. Prompts you for the location where you want to install the software.
1. Prompts you to make a system backup and the location of the backup.
2. Backs up the configuration. The installation process does not back up any configuration held
in XML files.
3. Backs up the data. Depending on the previous version that is installed, this backup is from
databases or datastores.
5. Removes the old version of software and installs the new version.
04-May-2016 57/923
CA Directory - 12.0.18
Installation Logging
All installations are logged.
The installation log is created in the temporary directory (/tmp on UNIX and %TEMP% on
Windows).
The file is copied to the ./DXHOME location when the installation or upgrade has completed
successfully.
The installation log is left in the temporary directory if the DXHOME environment variable is not
defined or the installation does not complete successfully.
Installing on Windows
The following sections describe how to install CA Directory and CA Directory Management on
Windows.
To customize these locations during installation, run a custom installation or use the dxsetup
command.
04-May-2016 58/923
CA Directory - 12.0.18
3. When prompted to choose an installation type, we recommend that you choose a custom
installation.
Typical installation -- The installation process installs all components and the default values are
used.
Custom installation -- You can select which components to install, and can change the values of
04-May-2016 59/923
CA Directory - 12.0.18
Custom installation -- You can select which components to install, and can change the values of
the items listed in the table.
We recommend that you choose a custom installation, using the values in the following table:
Complete installation -- The installation process installs all components and the default values
are used.
Custom installation -- You can select which components to install, and can change the values of
the items listed in the following table.
We recommend that you choose a custom installation, using the values in the following table:
04-May-2016 60/923
CA Directory - 12.0.18
If an error occurs during the installation process, it is recorded in the log file, and a message appears
on the screen.
CD-ROM\dxserver\windows
04-May-2016 61/923
CA Directory - 12.0.18
5. Run the dxsetup command with the options described in dxsetup Command -- Install the
Directory Package.
dxsetup
[ADDLOCAL=ALL | DXServer | ETRDocumentation]
[ETRDIR_DXADMIND_PORT=port-number]
[ETRDIR_DXADMIND_PASSWORD=password]
[ETRDIR_DXADMIND_DXMANAGER_HOST=hostname]
[ETRDIRBASEPATH=installation-path]
[ETRDIR_CONFIGURE_DXADMIND=0|1]
ALL
Installs DXserver and the documentation.
DXServer
Installs the DXserver component only.
ETRDocumentation
Installs the documentation only.
ETRDIR_DXADMIND_PORT=port-number
Sets the DXadmind port number. This standard LDAP port is used for communication between
DXadmind and DXmanager.
Default: 2123
ETRDIR_DXADMIND_PASSWORD=password
Sets the DXadmind user password. This is used in communication between DXmanager and
DXadmind. The password must have more than five characters.
ETRDIR_DXADMIND_DXMANAGER_HOST=hostname
Specifies the hostname of the computer that contains the DXmanager installation that you trust.
ETRDIRBASEPATH=installation-path
Specifies the installation path for the Directory package.
Default: C:\Program Files\CA\Directory
ETRDIR_CONFIGURE_DXADMIND=0|1
0: DXadmind is not set up during installation. This is useful if CA Directory is configured with text
configuration files rather then with DXmanager.
1: (Default) DXadmind is set up during the installation.
04-May-2016 62/923
CA Directory - 12.0.18
CD-ROM\webcomponents\windows
5. Run the dxwebsetup command, with the options described in dxwebsetup Command -- Install
the Directory Management Package .
All of the parameters are optional, and if you choose to not specify a parameter, its default is used.
dxwebsetup
[ADDLOCAL=ALL | DXmanager, JXweb, ETRDocumentation]
[DXMANAGER_SUPERUSER=user-name]
[DXMANAGER_PASSWORD=password]
[DXWEBSERVER_SECURE_PORT=port-number]
[DXWEBSERVER_SHUTDOWN_PORT=port-number]
[ETRDIRBASEPATH=installation-path]
ALL
Installs the entire Directory Management package.
DXmanager
Installs DXmanager.
JXweb
Installs JXweb.
ETRDocumentation
Installs the documentation.
DXMANAGER_SUPERUSER=user-name
Specifies the name of the DXmanager superuser. Ensure that you create this user in Embedded
Entitlements Manager.
Default: dxmanager
DXMANAGER_PASSWORD=password
Specifies the password for the DXmanager superuser.
DXWEBSERVER_SECURE_PORT=port-number
04-May-2016 63/923
CA Directory - 12.0.18
DXWEBSERVER_SECURE_PORT=port-number
Specifies the connection port on the CA Directory Web Server. This must be between 1024 and
65536.
Default: 8443
DXWEBSERVER_SHUTDOWN_PORT=port-number
Specifies the shutdown port on the CA Directory Web Server. This must be between 1024 and
65536.
Default: 8005
ETRDIRBASEPATH=installation-path
Specifies the installation path for the Directory Management package.
Default: C:\Program Files\CA\Directory
To avoid using a very long command, use the ETRDIRBASEPATH argument to set the location for the
entire installation, instead of setting the location of each component separately.
2. On the Review Settings dialog of the installation wizard, click Create Response File.
The Change Current Destination Folder dialog appears.
3. Select the folder where you want to save the response file, then click OK.
CDROM\dxserver\windows\
04-May-2016 64/923
3.
CA Directory - 12.0.18
RESPONSE_FILE=fileSpec
Specifies the response file, including the path name. If the file specification includes
spaces, then enclose it in quotation marks.
ETRDIR_DXADMIND_PASSWORD=password
Sets the DXadmind user password. This is used for communication between DXmanager
and DXadmind.
The following example installs the components based on the response file in C:\cadir.rsp:
Use a Response File to Install the Directory Management Package Silently on Windows
You can use a response file to install the Directory Management package silently.
CD-ROM\webcomponents\windows
RESPONSE_FILE=fileSpec
Specifies the response file, including the path name. If the file specification includes
spaces, then enclose it in quotation marks.
DXMANAGER_PASSWORD=password
Defines the password of the DXmanager superuser you defined in the response file.
Upgrade CA Directory
This procedure covers the case where you have an older release of CA Directory running on a
Windows computer, and you want to upgrade it to the latest version.
Note: Before you start, ensure each DSA in your system has only one database.
To upgrade Directory
04-May-2016 65/923
CA Directory - 12.0.18
4. Click Migrate.
The upgrade process backs up your data in the location you specified.
5. When prompted to choose an installation type, we recommend that you choose a custom
installation.
7. When prompted, confirm that you want to restore your configuration and databases.
The installation process restores the data that the installation process backed up in step 4.
The message Restoration is complete appears.
Use the following steps when migrating to the 64-bit version of CA Directory:
1. Stop all DSAs and backup directory data to LDIF using the dxdumpdb tool. Move to a
temporary location away from %DXHOME%.
4. After the 64-bit version is installed, the configuration can then be reinstated under %
DXHOME%\config.
5. If 64-bit version is installed on a different computer, update the set dsa commands in the
configuration files (usually under %DXHOME%\config\knowledge) with new host name or IP
address.
6. The data can be reloaded from LDIF using the dxloaddb tool for each data DSA.
7. Start all DSAs and if migrating to a separate 64-bit machine, redirect the applications.
04-May-2016 66/923
CA Directory - 12.0.18
3. Take backup/image of machine in case you encounter any issues during the upgrade.
8. Ensure that the CA Directory Webserver service is running. This step ensures that dxmanager.
war is unpacked.
12. Verify DXmanager is working as expected and that communication with DXadmind agents is
successful.
Software installation
This takes less than half an hour.
Note: The times to dump and load vary, depending on your hardware configuration.
04-May-2016 67/923
CA Directory - 12.0.18
Installing on UNIX
The following sections describe how to install CA Directory on UNIX.
To customize these locations during installation, run a custom installation or use the dxsetup
command.
04-May-2016 68/923
CA Directory - 12.0.18
2. Insert the CA Directory or CA Directory Management CD into your optical disk drive and
mount the drive.
./dxinstall.sh
If you are installing the Directory package, the script identifies the OS you are installing on and
starts the appropriate installation script.
If you are installing the Directory Management package, the following options appear:
4. When prompted, supply the requested information for the package you are installing:
Note: To install the Directory Management package, follow the procedure for installing
from a CD.
04-May-2016 69/923
CA Directory - 12.0.18
/pkg_path/dxserver/install
-nodocs
Installs the Directory package without installing the user documentation.
-r source_directory
Runs dxsetup from a location other than the current directory.
If an error occurs during the installation process, it is recorded in the log file, and a message appears
on the screen.
CD-ROM/dxserver/install
5. Run the dxsetup script, with the options described in dxsetup Command -- Install the
Directory Package.
04-May-2016 70/923
CA Directory - 12.0.18
-nodocs
Installs the Directory package without installing the user documentation.
-r source_directory
Runs dxsetup from a location other than the current directory.
-dxuser username
Specifies a username other than the default, which is dsa.
-dxadmindpass password
Specifies the DXadmind password. This removes the need to include the password in the
response file.
-write_responses response-file
Create a response file that can be used to install CA Directory silently.
This does not install CA Directory.
-silent
Installs CA Directory silently.
-responsefile response-file
Installs CA Directory using the options listed in the response file.
Warning! Do not use the dxuser and -dxadmindpass options when installing CA Directory
as a non-root user.
The following command installs CA Directory without the user documentation, and using an existing
account named dsaadmin:
CD-ROM/dxwebserver/install
5. Run the dxwebsetup command, with the options described in dxwebsetup Command -- Install
04-May-2016 71/923
CA Directory - 12.0.18
5. Run the dxwebsetup command, with the options described in dxwebsetup Command -- Install
the Directory Management Package.
-r source-directory
Run dxwebsetup from a location other than the current directory.
-dxuser username
Allows a username other than the default, which is dsa.
-silent
Installs the web components silently (no prompts are given to the user).
-nodocs
Installs the Directory package without installing the user documentation.
-r source_directory
Runs dxsetup from a location other than the current directory.
-write_responses filename
Creates a response file at the specified location.
04-May-2016 72/923
CA Directory - 12.0.18
-silent
Installs the package with no user interaction, using the defaults in the response file. If the
standard response file is used, the installation process still prompts you to accept the EULA. If a
previously generated response file is used, this means the user has previously accepted the EULA
and no user interaction is required.
-responsefile filename
Specifies the name of the response file used to install the package. The installation uses the
options listed in the specified response file.
Note: If the dsa users did not previously exist, this installation creates them without
passwords. You should assign passwords to these users.
-r source-directory
Specifies a directory to run dxwebsetup from. The default is the current directory.
-write_responses filename
Creates a response file at the specified location.
-silent
Installs the package with no user interaction, using the defaults in the response file. If the
standard response file is used, the installation process still prompts you to accept the EULA. If a
previously generated response file is used, this means the user has previously accepted the EULA
and no user interaction is required.
-responsefile filename
Specifies the name of the response file used to install the package. The installation uses the
options listed in the specified response file.
04-May-2016 73/923
CA Directory - 12.0.18
-n
Specifies that DXloaddb does not do any actions.
-s
Specifies that DXloaddb produces the following statistics concerning the datastore:
myDSAname
Defines the DSA whose datastore is to be loaded.
myLDIFfilename
Specifies the name of the LDIF file to load into the datastore.
The command displays the number of entries and size per entry you can use to estimate the
size of the datastore you will need to handle you LDIF.
myDSAname
Defines the name of the DSA. Maximum length is 31 characters.
Port
Specifies the port number of the DSA.
myDSAname
Defines the DSA whose datastore is to be loaded.
myLDIFfilename
04-May-2016 74/923
CA Directory - 12.0.18
myLDIFfilename
Specifies
For more information, see the Reference section for details of the dxloaddb and dxnewdsa
commands.
If you want DXserver and DXadmind to listen on these ports, the owner of the binaries must be root
and the setuid flag must be set. If you must allow DXserver and DXadmind to use the ports <= 1024,
change the SUID bit manually.
1. Log in as root.
2. Change to $DXHOME/bin.
3. Use the following commands to change the owner and SUID bit for the binary with ports <=
1024:
You are attempting to start a DSA with port 389 and the SUID bit is not set. An error message that the
port cannot start the DSA is displayed. The following message is written to the alarm log file:
Example:
04-May-2016 75/923
CA Directory - 12.0.18
cadirectory-samples_12.0.18-12066_amd64.deb
Example:
Use the following command to run the CA Directory 12.0.18 dxagent package:
dpkg -i cadirectory-dxagent_12.0.18-12066_amd64.deb
-r
This option removes only the package but not the configuration files.
-p
This option removes both the package and the configuration files.
For more information about the dpkg command, see dpkg man page using the following command:
man dpkg
Example:
cadirectory-samples-12.0.18-12066.x86_64.rpm
Example:
Use the following command to run the CA Directory 12.0.18 sample package:
rpm -i cadirectory-samples-12.0.18-12066.x86_64.rpm
04-May-2016 76/923
CA Directory - 12.0.18
rpm -i cadirectory-samples-12.0.18-12066.x86_64.rpm
For more information about the rpm command, see rpm man page using the following command:
man rpms
Upgrading DXmanager
DXmanager has been changed significantly since CA Directory r12 SP2.
To upgrade a component, run the installer again, using the instructions for Windows (see page 58)
or UNIX (see page 68).
(Windows) Open Control Panel, Java, Temporary Internet Files, Settings, then click Delete
Files.
4. Migrate customized command settings used by the pre-upgrade version that are now
supported by DXmanager:
a. Plan: Match your custom settings against the list in Commands Used in DXmanager.
04-May-2016 77/923
CA Directory - 12.0.18
Note: When a new model is deployed any customized settings placed in the
dxmanager.dxc files will not be detected as conflicts as they are now
ignored by DXmanager
c. Check the alert and warn logs for information about the conflicts.
d. Remove the settings from the text files, and update any DXmanager configuration,
then deploy the revised configuration.
The dxagent service provides a REST-based API for managing CA Directory. This API allows you to
perform a subset of management tasks that you could perform using the dxtools command-line
utilities. For a complete list of API methods that are provided by dxagent service, refer to the Swagger
UI.
This service runs as a Python WSGI (Web Server Gateway Interface) application that is hosted by
Gunicorn server. Internally, dxagent service uses the dxtools command-line utilities such as dxserver,
dxdumpdb to perform various tasks. Run this service as the designated dsa user. Doing so ensures
that all environment variables are set correctly and that the service has the right level of permissions
to manage DSAs. For complete information about Gunicorn, see the Gunicorn documentation (
http://docs.gunicorn.org/en/latest/).
Requirements:
Python 2.6 (newer versions of Python 2.x work, but it is not tested)
Python Bottle
Gunicorn server
1. Ensure that you are using Python version 2.6 and above on the system. Install python-pip,
which is required to install python virtualenv package on the system.
3.
04-May-2016 78/923
CA Directory - 12.0.18
3. Change directory to the $DXHOME/dxagent directory. This directory has two executable bash
scripts: install_dxagent.sh and start_dxagent.sh.
4. The install_dxagent.sh script sets up SSL certificates. This script also configures dxagent to
bind to the local machines fully qualified domain name on port 9443.
Note: The client name must not be the same as the server hostname on which the
DXagent is installed.
7. Users who use dxagent must copy the client certificate on their computers. This client
certificate allows the user to authenticate when they make a secure connection.
The client certificate can be found at $DXHOME/dxagent/openssl-ca/out/[client name].p12
8. Run the start_dxagent.sh script. This script installs virtualenv, bottle, and gunicorn (if
required), and starts dxagent.
This script also makes restarting dxagent easy. To restart, just run the start_dxagent.sh script
again.
9. To view the REST API documentation, import the dxagent client key or certificate into your
browser.
Use this URL: https://DXAGENT_HOST:DXAGENT_PORT/ca/api/dxagent/v0.1/doc/dxagent-api.
html (https://DXAGENT_HOSTDXAGENT_PORT)
When the dxserver is upgraded, all dxagent related files are replaced with new files except the
two configuration files that are created from sample files, the python virtual environment,
and the keys or certificates.
Uninstalling
Uninstall Directory Packages on Windows
On Windows, you can use the Installation Wizard to uninstall CA Directory packages. Each package
has a separate wizard. The uninstall process will not remove the data files.
Note: You can also use uninstall each CA Directory package by using Windows Control
Panel, Add/remove programs.
04-May-2016 79/923
CA Directory - 12.0.18
Note: If the Installation Wizard does not start, navigate to the CD drive and run the
dxsetup.exe or dxwebsetup.exe file to uninstall CA Directory or CA Directory
Management respectively.
4. Click Uninstall.
5. When prompted confirm whether you want to make a backup of your tailored schema and
configuration files.
The uninstall process removes the CA Directory or CA Directory Management package as
requested.
When the uninstall process backs up the data files, it removes the original files.
./dxuninst.sh
4. When prompted, enter the path to store a backup of the data files.
dxuninst Command
The uninstallation script has the following format:
-dxuser non-dsa-user
04-May-2016 80/923
CA Directory - 12.0.18
-dxuser non-dsa-user
(Optional) Defines a directory administrator to remove during uninstallation.
The script assumes that the DXserver administrator user ID is dsa. If you created a different user
ID during installation, you need to specify this user during the uninstallation. When the script
runs, if it fails to find the default DXserver administrator, it prompts you to specify the user ID.
-silent
(Optional) Specifies that the uninstallation runs in silent mode (no user prompts or feedback).
Troubleshooting
This chapter describes how to deal with problems that might occur during or after installing or
upgrading
Symptom:
When installing CA Directory, I get an error message saying it could not resolve the hostname.
Solution:
Troubleshooting on UNIX
This section describes how to deal with problems that might occur during or after installing or
upgrading CA Directory.
04-May-2016 81/923
CA Directory - 12.0.18
Symptom:
Solution:
In a standard upgrade for DXserver, the upgrade process stops and restarts DXadmind when the
upgrade is complete. However, if you cancel the installation for DXserver during the process,
DXadmind may not have stopped. As a result, it times out when it tries to restart.
dxadmind status
dxadmind stop
DXadmind stops.
dxadmind start
DXadmind restarts.
The command finds the Dxadmind process and a response which includes a line similar
to the following appears:
04-May-2016 82/923
CA Directory - 12.0.18
In this example, the process name is dxadmind, and the process number is 6204.
pkill dxadmind
kill 6204
DXadmind ends.
DXadmind restarts.
Troubleshooting on Windows
This section describes how to deal with problems that might occur during or after installing or
upgrading CA Directory.
Note: For descriptions of messages that can appear during installation, see Installation
Error Messages on Windows in the Reference Guide.
Symptom:
My installation of Directory failed and I got the error message Error Starting 'dxadmind'.
Solution:
This occurs if IPv6 has been disabled, but the tunnel from IPv6 to IPv4 has not been disabled.
04-May-2016 83/923
CA Directory - 12.0.18
e. Click OK.
services.msc
3. Install Directory.
Symptom:
Solution:
Disable the firewall. This means all ports are open and you do not need to configure any port
If you do not want to disable the firewall completely, use one of the following solutions:
5. Click OK.
6. On the Exceptions tab, select the check box next to dxserver.exe, and then click OK.
If you later decide that you do not want the program to be an exception, clear this check box.
04-May-2016 84/923
CA Directory - 12.0.18
Port Number
Specifies the number of the port you want to open.
Example: Port 2125 specifies DXadmind.
Name
Specifies the name of the port.
Example: DXadmind.
TCP
Specifies a TCP port.
To permit connections to a specific DSA only, add the port number for that specific DSA. For example,
add port number 19389 for access to the Democorp DSA only.
Symptom:
Solution:
The /etc/init.d/dxserver script starts and stops CA Directory at system boot and shutdown. This script
starts and stops DXadmind, and any DSAs marked for autostart.
The script writes a log called dxserver-rc.log, usually in the DXserver logs directory, DXHOME/logs (if
DXHOME is not defined, then look for this file in the /tmp directory). This log shows each of the
processes started or stopped.
04-May-2016 85/923
CA Directory - 12.0.18
Administrating
Types of DSA
Router DSA
A router DSA has no local data and no datastore. It can only route traffic to other DSAs.
Data DSA
A data DSA holds data, and queries are routed to it by router DSAs. A data DSA can perform local
operations, replicate updates, and route traffic to other DSAs.
A data DSA is always associated with a datastore, which stores the data even if the DSA is shut
down.
The datastore is a memory-mapped file. The DSA uses the in-memory copy of the namespace
partition, and relies on the operating system memory mapping functions to keep the file copy on
disk up to date.
04-May-2016 86/923
CA Directory - 12.0.18
2. The router DSA checks the Staff server's configuration to see whether there are any special
conditions for linking to that DSA. The configuration indicates that the Staff server requires
that any links use LDAP.
3. The router DSA uses acts as a client to make an LDAP search request of the Staff server.
4. The Staff server responds with the search result (also using LDAP).
04-May-2016 87/923
CA Directory - 12.0.18
Usually you index all attributes. Only restrict the list of indexed attributes if you want to save space.
To index attributes, add the following command to the initialization file after the schema definition:
To monitor the index usage, open the console and use the following command:
get cache;
CA Directory does not use a reverse index in preference to a regular forward index. It is only used in
substring lookups where you use specify final as an allowed filter.
To reverse-index an attribute, add the following command to the initialization file (.dxi):
This command sets the maximum number of entries (or distinct attribute values for each attribute
type) that a DSA can index.
04-May-2016 88/923
CA Directory - 12.0.18
If you leave this setting at its default value, a DSA can contain up to about 195 million entries. For
example, if each entry had two unique telephone numbers, then by default the cache could hold only
97.5 million entries. Attributes that are not indexed are not affected.
Use this command only if you are sure you need more than the default entries or distinct attribute
values. If you set this value higher than the default value, the DSA has bigger memory requirements,
and its performance is likely to degrade.
Ensure that this command appears after any other commands in the initialization file. The DSA loads
the memory-mapped file as soon as it reads the set lookup-cache command.
Configuration
You can configure CA Directory using commands in text files. The text files contain commands that
define how the DSA works. These commands are identical to the commands that can be entered
from a DSA console.
Note: If you have DXmanager installed, use it to define the knowledge. It stores the
knowledge in an XML file. Do not edit this file yourself: use DXmanager instead.
The different types of CA Directory configuration files are as follows. The file extensions for the text
files are a convention to help people recognize the file types, and they are not mandatory.
File Extension Location How What the File Contains How to Edit the File
Type Many?
DSA .dxi DXHOM One for Contains the source commands that initia In a text editor
Initializa E/config each lize a DSA (see page 91). These
tion /servers DSA commands to refer to .dxg and .dxc files
files / in other config subdirectories.
The name of the initialization file must
be the same as the DSA name. When a
DSA starts, it uses an initialization file
named dsaname.dxi.
DSA .dxc As Contain one or more commands that set In a text editor
configur many configuration parameters. The
ation as knowledge file is one type of configuratio
files require n file (see page 90).
d
.dxg In a text editor
04-May-2016 89/923
CA Directory - 12.0.18
File Extension Location How What the File Contains How to Edit the File
Type Many?
Group As Contain a series of source commands to
files many group one or more .dxc files in the
as current directory.
require
d
Script .dxs As Contain commands supported by a DSA In a text editor
files many console. You usually use script files for
as testing.
require
d
DXman .xml One for Contains the topology and namespace This file is created by
ager each partitions of the whole backbone, plus DXmanager. Never
configur director some configuration of each DSA. edit this file yourself:
ation y DXmanager uses this instead of use DXmanager
file backbo knowledge files. instead.
ne This information is shared by all DSAs
that are configured in DXmanager.
access
Contains access control commands (see page 250).
Usual location: DXHOME/config/access/
knowledge
Contains only the set dsa command. This command defines many settings, including the prefix,
address, and port of the DSA.
Note: If you use DXmanager, this file is replaced by an XML file. Do not edit this XML file
yourself. Instead, use DXmanager (see page 515).
limits
Contains commands that limit the behavior of the DSA.
Usual location: DXHOME/config/limits/
logging
Contains commands that define which logs are in use, and sets the level of information contained
in each type of log (see page 148).
Usual location: DXHOME/config/logging/
replication
Contains commands that define DISP replication (see page 176).
Usual location: DXHOME/config/replication/
04-May-2016 90/923
CA Directory - 12.0.18
schema
Contains commands that formally define the content and structure of the directory data (see
page 149)
Usual location: DXHOME/config/schema/
settings
Contains the remaining commands that define how the DSA operates.
Usual location: DXHOME/config/settings/
SSL certificates
Contains SSL certificates (see page 272).
Usual location: DXHOME/config/ssld/
1. The DSA looks for a file in DXHOME/config/servers that has the same name as the DSA and a .
dxi extension.
For example, a DSA named Democorp looks for the file Democorp.dxi.
2. The DSA reads the initialization file and executes the commands in the order they are read.
A source command causes the DSA to read the sourced file, and execute commands in that
file.
The order of commands and sourced files is important because some commands require certain
settings to be defined. For example, access control rules require that attributes are already defined,
so the schema file (which defines attributes) must be sourced before access control rules are defined.
If an error occurs while reading the configuration files, the DSA cannot start. You can find information
about this error in both the operating system error log and the DSA alarm and trace log files in the
DXHOME/dxserver/logs directory.
DSA Knowledge
The information a DSA needs about other DSAs (and non-DSA directories) is called knowledge. Each
DSA has its own knowledge, which includes:
The total knowledge of the system is used to form a backbone of directory servers to which each DSA
belongs.
It is important that all DSAs in a backbone have a consistent view of each other. We recommend that
all DSAs share the same knowledge.
04-May-2016 91/923
CA Directory - 12.0.18
set dsa command -- Every DSA in the backbone has a configuration file that contains a set dsa
command. This command defines the knowledge for only one DSA.
The knowledge file has the same name as the DSA and its initialization file. A DSA determines its
own identity by looking for its own name among all the set dsa definitions.
Note: The commands in the knowledge file must appear in the correct order. For
information about this order, see the text file DXHOME\config\knowledge\knowledge.
help.
DXmanager -- Use DXmanager to configure the DSAs. DXmanager is a web application that stores
all configuration for the entire backbone in a single XML file.
If you use DXmanager to configure a backbone, DSAs do not allow the set dsa command. If you
send a set dsa command to a DSA that is managed by DXmanager, the follow errors occur:
If you send the set dsa command from the console, the DSA returns a syntax error
Schema Files
The schema of the CA Directory server is in its schema directory (for example, DXHOME/config
/schema), and consists of individual schema configuration files (.dxc) and group files (.dxg).
The schema of a running directory is available to LDAP clients through the LDAP Version 3 mechanism
of schema publishing. LDIF is a convenient format in which to publish the schema.
To use new schema, it must be made available to the directory and the DXtools. This means a new or
updated .dxc file, and possibly an updated .dxg file.
Script Files
Script files store frequently used, or complex commands (such as a series of searches). You can
execute these files from a DSA console, or by using the source command, from other script files.
04-May-2016 92/923
CA Directory - 12.0.18
Group Files
A configuration directory for a component can contain a number of configuration (.dxc) files. For
complex configurations with many DSAs, you might need many configuration files, grouped in a
convenient manner using group (.dxg) files.
To enable a .dxi file to source a single configuration group (.dxg) file for one configuration
component (such as limits).
To manage ordering of the configuration files. This is especially important in schema where
definitions in one file depend on definitions in another file.
The Acme Company has a directory that uses a number of DSAs. Each DSA uses the same schema
files.
Instead of each DSA initialization file sourcing the schema files directly, the directory administrator
uses a group file named Acme.dxg, which sources the schema files. Each DSA initialization file sources
Acme.dxg, by including the following line:
source "../schema/Acme.dxg";
If the DSAs require additional schema, the administrator only needs to edit one file, Acme.dxg.
The following diagram shows the configuration files and the source statements:
04-May-2016 93/923
CA Directory - 12.0.18
You can also put the get cache command in the initialization file to print the configuration to the log
on startup. Ensure that the get cache command is after the lookup-cache command, as in this
example:
IP Requirements
CA Directory works across an IP network and has the following requirements:
127.0.0.1 host1
This causes the DSA to fail. Provide the global IP address of the host or use DNS to resolve the
host name.
If your firewall translates remote addresses, your DSA may not recognize the remote DSA because of
the changed address. You must configure alternative network addresses in the knowledge file of the
remote DSA by specifying the address of the remote DSA followed by the address of the firewall.
04-May-2016 94/923
CA Directory - 12.0.18
Note: To configure more than one network address for a DSA, use the Connections area in
DXmanager.
DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone.
The DSA console lets you connect to a DSA to give DXserver commands, receive trace information,
and act as a user agent.
JXweb is a general purpose LDAP-compliant directory browser and editor, which lets you access a
directory through the Web.
The DXtools are a set of command-line utilities that come with CA Directory. These tools help you
manage directory administration, work with LDIF data, load and unload data to and from a directory,
and to extract and convert schemas for use with CA Directory.
The logs contain output from a DSA, including its trace, diagnostics, warnings, and alarms.
A DSA's trace is its record of almost all operations going into and out of that DSA. You can view a
DSA's trace in the log files, and also by using the DSA console.
DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone.
04-May-2016 95/923
CA Directory - 12.0.18
DSA Console
The DSA console lets you connect to a DSA to give DXserver commands, receive trace information,
and act as a user agent.
However, when the DSA shuts down, the configuration changes you made through the console are
not saved.
We recommend that you define a console port for each DSA. The DSA can only have one console
connection open at a time to prevent attacks from remote telnet sessions. This scheme uses the local
host security. An administrator must have an account on the local computer to communicate with
the DSA through this port.
Specify the console port of a DSA to allow the DSA to accept local connections.
If you want to restrict access to the DSA through the console, you can also specify a console
password. You can use SSL to encrypt communications on the remote connection.
When the DSA console is configured in remote mode, DSAs can accept connections from remote
computers. If you have set up a remote console port and a password, you can use the console
remotely .
You can also use the remote console port to connect from localhost.
A DSA can accept only one console connection at a time, even if you have set up ports for both local
and remote connections. This means you can prevent other console connections to a DSA by keeping
a console connection open.
If you set this up, the following steps describe what happens when a user connects to the directory:
1. The user tries to connect to the directory, using the correct console port.
04-May-2016 96/923
CA Directory - 12.0.18
4. The DSA checks whether the user or their role is listed in the set dxconsole-users command.
If the user is listed, the user is now connected to the DSA console.
Note: We recommend using this feature through TLSClient to protect clear-text passwords.
local-port-number
Specifies the console port number of the DSA to which you want to connect.
host-name
Specifies the name of the host on which the DSA is running.
remote-port-number
Specifies the remote console port number of the remote DSA to which you want to
connect.
Important! If you do not want the password to be displayed when it is entered, turn local
echo OFF on the Telnet session.
04-May-2016 97/923
CA Directory - 12.0.18
The following command connects to the DSA that uses the remote console port 19392 on the host
eagle:
DXmanager lets you set the DSA console parameters for each DSA, and for all DSAs that serve a
namespace partition.
3. Click the Maps tab, and choose the place you want to set up the console.
To set up a console for a particular DSA, display the Topology map, and navigate to the
DSA.
To set up a console for all DSAs that serve a namespace partition, display the Namespace
map.
4. Right-click the item for which you want to set up a console, and select Edit properties.
5. Find the Console settings (in the Console area), and enter the values as follows:
Console port
Specifies the port on which the DSA accepts connections from the local computer only. If
this is not specified, there is no console for the DSA.
Console password
Specifies the password required for connection to this DSA. You must specify a password if
you want to connect to this DSA from a remote computer. This password is optional for
local connections.
6. Click OK or Finish.
04-May-2016 98/923
CA Directory - 12.0.18
8. (Optional) Click Configuration, Deploy to update the hosts with the new configuration.
1. Ensure that the DSA has a local or remote console port set up and working correctly.
3. (Optional) Create one or more roles, containing users you want to give access to.
users
Specifies the users who can connect to this DSA's console, as a comma-separated list of
DNs.
roles
Specifies the roles which can connect to this DSA's console, as a comma-separated list of
DNs.
Example: Set Up the Democorp DSA to Allow Directory Users to Connect through a console
This example shows how to allow users in the Democorp directory to connect to the DSA.
2. Use JXweb to add passwords to the following entries in the Democorp DSA:
cn=Nadia Kite,ou=Administration,ou=Corporate,o=Democorp,c=AU
cn=Craig Link,ou=Administration,ou=Corporate,o=Democorp,c=AU
cn=Roles,o=Democorp,c=AU
04-May-2016 99/923
3.
CA Directory - 12.0.18
cn=Nadia Kite,ou=Administration,ou=Corporate,o=Democorp,c=AU
4. Reinitialize the Democorp DSA by running the following command as user dsa:
5. Try to use the DSA console to connect to the Democorp DSA using the following credentials:
Password: Use the password you created for Craig Link in Step 2.
6. Try to use the DSA console to connect to the Democorp DSA using the following credentials:
Password: Use the password you created for Craig Link in Step 2.
7. Try to use the DSA console to connect to the Democorp DSA using the following credentials:
Password: password
2. Create the TLSclient configuration file and include the following line in the file:
inPort
The port on the client computer that is used for tunneling.
04-May-2016 100/923
CA Directory - 12.0.18
outPort
The remote-console-port on the server.
remoteAddress
The host name of the server running the console you want to connect to.
Here is an example for the sample Democorp DSA running on the server computer:
3. Save the new file on the client computer in this location: DXHOME/config/tlsclient/tlsclient.
cfg.
trace full;
04-May-2016 101/923
CA Directory - 12.0.18
JXweb
JXweb is a general-purpose LDAP-compliant directory browser and editor, which lets you access a
directory through the web.
View schemas
View certificates
Start JXweb
You can use JXweb to access a directory. This section describes how to start JXweb. After you start
JXweb, connect to a directory.
http://hostname:portnumber/jxweb
hostname
Use this field to specify the name of the computer on which JXweb is installed.
portnumber
Use this field to specify the port number of CA Directory Web Server on which JXweb runs.
Default: 8080
The JXweb Connect page opens in your browser. You can now connect to a directory using
LDAP or DSML.
Note: On Windows, you can start JXweb by clicking Start, Programs, CA, Directory, JXweb.
04-May-2016 102/923
CA Directory - 12.0.18
After you connect to a directory, you can view and update the directory data and structure.
To connect to a directory for the first time in this session, start JXweb (see page 102). The
Connect page appears.
To connect to a directory while you are browsing another directory, click Disconnect from
the menu bar. Your current connection is disconnected, and the Connect page appears.
Host
Use this field to specify the name of the computer on which the DSA resides.
Port
Use this field to specify the port number of the DSA.
Base DN
(Optional) Use this field to specify the base distinguished name of the DSA to which you
want to connect.
Example: o=DEMOCORP,c=au.
User DN
(Optional) Use this field to specify the DN of your user account. If you use this field, also
specify the password.
Password
(Optional) Use this field to specify the password of your user account. If you use this field,
also specify the user name.
Use SSL
(Optional) Use this field to specify an SSL connection between the directory and the web
server.
3. Click Connect.
JXweb is now connected to the directory.
04-May-2016 103/923
CA Directory - 12.0.18
DXtools
The DXtools simplify the management of directory data. Together, these tools let you easily load and
dump data for demonstration and prototyping. Each tool can be run on a command line or in a script
file.
Run the DXtools commands on the host, using the DSA console.
Run the DXtools commands on a remote host, using the DSA console over a TCP/IP network.
Some tools require that the DXHOME environment variable is set to the home path of DXserver. This
path is set automatically when CA Directory is installed.
Some tools expect the DSA configuration files to be located in the config folder under the path in
DXHOME.
These tools are slightly modified versions of the public domain LDAP tools (ldapdelete, ldapmodify,
ldaprename, and ldapsearch):
04-May-2016 104/923
CA Directory - 12.0.18
DXcertgen Tool
These tools simplify the extraction of schemas from LDAP directories, and the conversion of schemas
into a format appropriate for CA Directory and for use by other DXtools:
DXpassword Tool
Sample Tools
LDIF Tools
LDIF is a format suitable for describing directory information or changes to be made to directory
information.
LDIF files are text files that store directory information in LDIF. You can use LDIF files to transfer
directory information between LDAP directory servers or to describe a set of changes to be applied to
a directory.
These tools are useful to create, manipulate, and use LDIF data:
04-May-2016 105/923
CA Directory - 12.0.18
0
Success
Non-zero value
An error condition. The cause is explained by an error message.
csv2ldif directs its output to standard output. To create an LDIF file, redirect the output to a file
name.
options
Denotes one or more of the following options:
-b badfile
Specifies the output file name for CSV lines with bad format.
-d
Permits duplicate parent nodes to be generated.
-f branching factor
Specifies the number of branching factors. The default is 32.
Note: This is a low-level option. Do not use it unless you are told to by CA Technical
Support.
-i Numberoflines
Ignores the first NumberofLines lines of the CSV file.
-s sep
Defines a field separator (default is a comma)
numfields
Specifies the total number of fields defined in the input CSV file.
LDTfile
Specifies the name of the LDT file.
CSVfile
Specifies the name of the input CSV file.
The following command uses the csv2ldif utility to convert CSV data to LDIF:
04-May-2016 106/923
CA Directory - 12.0.18
The output is redirected to the acme.ldi file. The following is a portion of acme.ldi:
dxcertgen certs Command -- Create DSA and User Certificates (see page 107)
dxcertgen certreq Command -- Create a Certificate Signing Request (CSR) (see page 110)
dxcertgen certmerge Command -- Use a CSR Response to Create a Certificate (see page 111)
dxcertgen importca Command -- Import a Certificate (see page 111)
dxcertgen listca Command -- List Root Certificates (see page 111)
dxcertgen removeca Command -- Delete Root Certificates (see page 112)
dxcertgen report Command -- Report on Certificates (see page 112)
If DXcertgen can use a keystore, it stores the root certificate and the private key there. If it cannot
use keystore, it stores the root certificate (but not the private key) in a file.
If DXcertgen uses a keystore to hold the root certificate, it reuses that root certificate when it creates
DSA and user certificates.
If DXcertgen does not use a keystore, it creates a root certificate each time it creates DSA or user
certificates. DXcertgen invalidates all certificates it had previously created. DXcertgen also deletes the
private key of the root certificate it has just created. This precaution is to ensure that no more
certificates are created from that key and to maintain the integrity of the encryption.
Note: DXcertgen uses a keystore if (and only if) it finds keystore software in JAVA_HOME
04-May-2016 107/923
CA Directory - 12.0.18
Note: DXcertgen uses a keystore if (and only if) it finds keystore software in JAVA_HOME
/bin/keytool.
DXcertgen can only create DSA certificates for DSAs that already exist.
This command always stores DSA certificates in DXHOME/ssld/personalities. This command stores
user certificates in a keystore that is specified in the -c option, or in the path that is specified in the -p
option.
-a rootalias
Specifies the root key in the keystore. Only use this option if you use a root certificate keystore.
Default: dxcertgen
-c cert-ks-path -C cert-ks-password
cert-ks-path
Specifies the path to a keystore to use to store the created user certificates that are given by
the -u option.
Default: DXHOME/config/ssld/javakeystores
cert-ks-password
Specifies the existing password to access the user certificate keystore. You must have set this
password when you created the keystore.
-d days
Specifies the number of days for which the certificate will be valid.
Default: 365
-D dsaname
Specifies the DSA for which a new certificate will be created. If you do not use this option,
DXcertgen creates certificates for all DSAs.
Only use this if you use a root certificate keystore.
-i issuer
Specifies the name to use if you are creating a root certificate. DXcertgen generates a root
certificate with the name given here. Usually the issuer is your company name.
Default: "CN=DXCertGenCA,O=DXCertGenPKI,C=AU"
-k keylength
Defines the key length for the new certificate. DXcertgen can generate certificates with the
following key lengths:
1024
2048
3072
04-May-2016 108/923
CA Directory - 12.0.18
3072
4096
-p cert-file-path
Specifies the path to a file to use to store created user certificates.
Default: DXHOME/config/ssld/personalities
-P rootcert-pk-ks-password
Specifies a password to protect the private key in the root certificate keystore. You set this
password here.
rootcert-ks-path
Specifies the path to the root certificate keystore.
Default: DXHOME/config/ssld/javakeystores
rootcert-ks-password
Specifies the password to access the root certificate keystore. You must have set this
password when you created the keystore.
Default: changeit
-u users
Specifies an LDIF file that contains a list of users to create certificates for.
-Z algorithm
Specify which signature algorithm to use when generating the certificate:
SHA1
(Default) Signs the certificate using the SHA-1 algorithm.
SHA224
SHA256
SHA384
SHA512
dxcertgen certs
DXcertgen writes the certificates and associated private keys files for DSAs into the directory DXHOME
/ssld/personalities.
Each DSA certificate and private key is created in a file with a name based on the DSA name, as
follows:
dsa_name_in_lowercase.pem
04-May-2016 109/923
CA Directory - 12.0.18
The files are not password protected or encrypted in any way. They must be made secure as soon as
possible.
The private keys that are written out are not password protected or encrypted in any way. They must
be made secure as soon as possible.
The user certificates are generated from the same private key as the DSA certificates.
This command creates a CSR and a private key. You do not send the private key to the CA.
If the request is successful, the CA sends a certificate that is digitally signed with the CA's private key.
(You can then use this certificate by using the command dxcertgen certmerge.)
The command dxcertgen certreq stores the CSR in DXHOME/config/ssld/dsaname.csr, and stores the
private key in DXHOME/config/ssld/dsaname.key.
-D dsaname
Specifies the DSA for which a CSR is created. If you do not use this option, DXcertgen creates
requests for all DSAs.
-Z algorithm
Specify which signature algorithm to use when generating the certificate signing request:
SHA1
(Default) Creates the private key using the SHA-1 algorithm.
SHA224
SHA256
SHA384
SHA512
04-May-2016 110/923
CA Directory - 12.0.18
2. The command checks that the received certificate is a response to the CSR that you sent using
the dxcertgen certreq command.
3. The command merges the returned certificate and the original private key. Also, the
command stores the DSA certificate and associated private key in the file DXHOME/config/ssld
/personalities/dsaname.pem.
-D dsaname
Specifies the DSA for which a new merged certificate is created.
-n cert-file
Specifies the certificate file that was returned from the external CA in response to the CSR.
PKCS#12
-n cert-file
Specifies the certificate file that you want to add to the list of trusted certificates.
04-May-2016 111/923
CA Directory - 12.0.18
dxcertgen listca
Note: Certificate numbers change when adding and removing certificates in trusted.pem.
Be sure to perform a 'listca' befany coreertificate removal.
-r certnumber
Specifies the number corresponding to the certificate you want to delete.
The report summarizes all the certificates, including root certificates, DSA personality certificates, and
user certificates.
Validity dates
dxcertgen report
04-May-2016 112/923
CA Directory - 12.0.18
options
Denotes one or more of the following options:
-c
Runs in continuous mode. Errors are reported, but the process is not stopped.
level
Defines the level of debugging as follows:
-1 Enable all debugging
0 No debugging
1 Trace function
2 Debug packet handling
4 Heavy trace debugging
8 Connection management
16 Print out packages sent and received
32 Search filter processing
64 Configuration file processing
128 Access control list processing
256 Stats log connections/operations/results
512 Stats log entries sent
1024 Print communication with shell backends
2048 Print entry parsing debugging
You can add numbers together to specify multiple debug levels at the same time. For
example, a debug level of 6 specifies the debugging levels of both 2 and 4.
-D bindDN
Specifies the distinguished name of the user performing the bind.
-f filename
Specifies a file to read from, rather than standard input.
-H URI
Specifies the LDAP URI of the directory host. If you do not specify this, the tool uses localhost
instead.
You can use an IPv6 address, as in the following example:
-H ldap://[2001:db8:0:1:99a4:6159:198f:b309]
-h dap-host
Note: This option has been deprecated. Use the -H option instead. The -h option still
works in the current version of CA Directory.
Specifies the address or host name of the directory host. If you do not specify this, the tool uses
localhost instead.
You can include OSI addressing for transport, session, and presentation SAPs by fully expanding
dap-host:
04-May-2016 113/923
CA Directory - 12.0.18
hostname:port/tsel/ssel/psel
You can include binary and ASCII characters in the tsel, ssel, and psel selectors, using the %
followed by the two hexadecimal digits that represent the ASCII code for the character, for
example:
/ is expressed as %2F
% is expressed as %25
-M
Enables the Manage DSA IT control.
-MM
Enables the Manage DSA IT control, and makes it critical. For more information, see LDAP
Controls in the Administration Guide.
-P 2|3
Specifies the LDAP protocol. By default, this is set to 3.
-p dap-port
Specifies the port on directory host computer. If you do not specify this, the tool uses port 102,
the OSI port, by default
You can combine the -h and -p arguments into a single argument, and express them as a dotted IP
address or hostname. For example, you can replace the options on the first line with those on the
second:
-h 192.168.19.202 -p 19389
-h 192.168.19.202:19389
-r
Makes any delete operation recursive.
-v
Runs in verbose mode.
-W
Prompts the user for the bind password.
-w password
Specifies the bind password.
-y filename
Specifies a file that contains the bind password.
dn-list
Specifies distinguished names to be deleted. Separate DNs with spaces.
This example uses the Democorp sample directory supplied with CA Directory. You can repeat this
example as a training exercise.
04-May-2016 114/923
CA Directory - 12.0.18
To test that the entry was deleted, use the DXsearch tool.
This command reads the configuration file of every DSA on the current machine and updates the DISP
time for the specified DSA in the .dp file of each DSA.
Note: For a list of the status codes returned by all the DXtools commands, including this
command, see Exit Status Codes for the DXtools (see page 105).
dxdisp dsaname
dsaname
Identifies the DSA that is having its last update time changed.
Note: For a list of the status codes returned by all the DXtools commands, including this
command, see Exit Status Codes for the DXtools (see page 105).
options
Denotes one or more of the following options:
-f filename
Specifies the file to receive the exported data. If this option is not specified, the output goes to
standard output or the screen.
-i attribute-list
Includes the listed attributes in the dump file.
04-May-2016 115/923
CA Directory - 12.0.18
Note: The attributes specified with the -i option must include the naming attributes. If the
attributes are not specified, then the tool does not dump the entries. In addition, the must-
contain attributes must also be specified if the output is intended to be used with
DXloaddb again.
-vRuns in verbose mode. This option switches on error and status tracing. For the -v option to
work, you must also specify the -f option.
-x
Excludes the listed attributes from the dump file.
Note: You should not exclude attributes that form part of the DN.
-z
Specifies that DXdumpdb dumps from the copy of the datastore that is produced by the console
command dump dxgrid-db.
DSA
Defines the DSA. DXdumpdb looks in the configuration files of this DSA to find the datastore to
export to an LDIF file.
The following example prints the LDIF format data from the datastore of the democorp DSA to the
screen:
dxdumpdb democorp
This command works, but the output cannot be loaded back into democorp with DXloaddb because
the must-contain sn attribute is missing.
04-May-2016 116/923
CA Directory - 12.0.18
This command works and the generated output file can be loaded into democorp again because the
output file contains all the name attributes and must-contain attributes.
The following example prints the LDIF format data from the datastore of democorp, including only
entries containing the inetOrgPerson objectClass.
dxdumpdb j inetOrgPerson,top,person,organizationalPerson democorp
Note: The super classes of inetOrgPerson that are stored with the entry must be included.
Note: For a list of the status codes that are returned by all DXtools commands, see Exit
Status Codes for the DXtools (see page 105).
dxemptydb DSA
DSA
Specifies the name of the DSA. This command empties the datastore of the specified DSA.
The size of the datastore is set in the configuration file. If you want to change the size, change the
configuration file and then run the DXextenddb tool.
dxextenddb dsaname
dsaname
Specifies the DSA that you want to extend.
dxinfo [-f filename] [-t foldername] [-a foldername] [-d date] [-x options] [-v] [-h]
04-May-2016 117/923
CA Directory - 12.0.18
-f filename
Specify the file name for the system information. If you do not specify a file name, DXinfo stores
the information in etrdir_dxinfo.log.
-t foldername
Specify the folder in which the results will be stored. Include the trailing slash. If you leave out
this option, DXinfo saves the results in the running directory.
-a foldername
Specify an additional folder to be collected. This option lets you include DXmanager-related logs
and configuration files. Any files that you specify here are compressed into a separate archive file.
-d date
Specify the date for which the DXinfo tool will collect logs. If you use this option, the tool collects
files with the date included in the filename, plus any log files with no date in the name.
Use one of the following formats to specify the date:
yyyymmdd
-x options
Specifies the information that you want to exclude, where options is a comma-separated list of
one or more of the following:
-v
Runs in verbose mode.
-h
Displays usage information for this tool
04-May-2016 118/923
CA Directory - 12.0.18
The files are in the location in which you ran the DXinfo tool, unless you used the -t option to save the
files elsewhere.
04-May-2016 119/923
CA Directory - 12.0.18
Usage notes:
DXloaddb hashes any password entry in the LDIF file that is in clear text.
If a hash algorithm is specified in the DSA configuration, DXloadbdb uses that. Otherwise it uses
SHA-1.
By default, DXloaddb uses the DSA's configuration for operational attribute handling:
If op-attrs = true then any operational attributes in the LDIF file are loaded into the datastore.
Any entries in the LDIF file that do not have a createTimestamp, have a creatTimestamp
added to the datastore.
If op-attrs = false then operational attributes in the LDIF file are ignored and no operational
attributes are created by the DXloaddb.
options
Denotes one or more of the following options:
-n
Specifies that DXloaddb does not do any actions.
-O
Specifies that DXloaddb includes standard operational attributes, such as password policy (for
example, number of login attempts), and time stamp attributes. If this option is specified,
DXloaddb creates any operational attributes that are not defined in the LDIF file.
-s
Specifies that DXloaddb produces the following statistics concerning the datastore:
04-May-2016 120/923
CA Directory - 12.0.18
-v
Specifies verbose output.
ldif-file
The name of the LDIF file to load into the datastore.
DSA
Defines the DSA whose datastore is to be loaded.
dxnewdb
dxloaddb
The following example loads the data from democorp.ldif file to datastore democorp:
04-May-2016 121/923
CA Directory - 12.0.18
When you run the DXmodify tool, you can enter the new or changed information from standard input
or from an LDIF file.
action
Specifies the action the tool will take. The DXmodify tool follows any changetype directives in the
LDIF file. If the LDIF file contains entries and no changetype directives, then you can tell DXmodify
whether it should add these entries or replace existing entries. DXmodify replaces entries if either
of the following conditions are true:
The entry in the LDIF file is a modify operation and the modify type is specified for an
attribute in the LDIF file
-r is specified
-a
Adds the entries in the LDIF file to the directory.
-r
Replaces the entries or attributes in the directory with those in the LDIF file.
options
Denotes one or more of the following options:
-c
Runs in continuous mode. Errors are reported, but the process is not stopped.
level
Defines the level of debugging as follows:
-1 Enable all debugging
0 No debugging
1 Trace function
04-May-2016 122/923
CA Directory - 12.0.18
-D bindDN
Specifies the distinguished name of the user performing the bind.
-E search-extension
Specifies a search extension such as paged results. For example, to return results in pages of 10,
use this command:
-F
Forces all change records to be used.
-f filename
Specifies a source LDIF file. If you do not specify this option, or do not specify a file name, then
DXmodify waits for input from standard input.
-H URI
Specifies the LDAP URI of the directory host. If you do not specify this, the tool uses localhost
instead.
You can use an IPv6 address, as in the following example:
-H ldap://[2001:db8:0:1:99a4:6159:198f:b309]
-h dap-host
Note: This option has been deprecated. Use the -H option instead. The -h option still
works in the current version of CA Directory.
Specifies the address or host name of the directory host. If you do not specify this, the tool uses
localhost instead.
You can include OSI addressing for transport, session, and presentation SAPs by fully expanding
dap-host:
hostname:port/tsel/ssel/psel
04-May-2016 123/923
CA Directory - 12.0.18
You can include binary and ASCII characters in the tsel, ssel, and psel selectors, using the %
followed by the two hexadecimal digits that represent the ASCII code for the character, for
example:
/ is expressed as %2F
% is expressed as %25
-l timelimit
Specifies the time limit (in seconds) for each DAP operation.
-M
Enables the Manage DSA IT control.
-MM
Enables the Manage DSA IT control, and makes it critical. For more information, see LDAP
Controls in the Administration Guide.
-n
Shows what would be done, but does not actually do it. This can be useful for debugging
purposes, usually you use this with the -v option.
-P 2|3
Specifies the LDAP protocol. By default, this is set to 3.
-p dap-port
Specifies the port on directory host computer. If you do not specify this, the tool uses port 102,
the OSI port, by default
You can combine the -h and -p arguments into a single argument, and express them as a dotted IP
address or hostname. For example, you can replace the options on the first line with those on the
second:
-h 192.168.19.202 -p 19389
-h 192.168.19.202:19389
-q
Runs in quiet mode, in which successful operations are not reported.
-S file
Writes any skipped modifications into the specified file.
-s time
Specifies the time (in milliseconds) to sleep after each operation.
-v
Runs in verbose mode.
-W
Prompts the user for the bind password.
-w password
Specifies the bind password.
04-May-2016 124/923
CA Directory - 12.0.18
-y filename
Specifies a file that contains the bind password.
-Z [ssld_config_filename]
Specifies that the tool should start a TLS request, using the specified configuration file. If you omit
the filename, the tool uses DXHOME/config/ssld/dxldap.conf.
Use -ZZ to require a response from the DSA when a request is successful.
Note: For more information, see SSLD Configuration File (see page 147).
This example uses the Democorp sample directory supplied with CA Directory. You can repeat this
example as a training exercise.
You can make multiple changes, such as changing the title and postal address, adding a second
telephone number, and deleting the description of an entry.
This example shows that you can replace the values of multiple attributes using one replace
statement as long as the replace statement specifies the first attribute name in the series.
This shows how to add a JPEG file with a personnel record from staff.ldif.
For JPEG files, the object class is cosinePilotObject, the X.500 attribute name is cosineJpegPhoto, and
the LDAP attribute name is JpegPhoto.
This example uses the Democorp sample directory supplied with CA Directory. You can repeat this
example as a training exercise.
1. Decide on the directory schema object class and attribute to use to hold the binary data.
04-May-2016 125/923
CA Directory - 12.0.18
1. Decide on the directory schema object class and attribute to use to hold the binary data.
For this example, use the cosineJpegPhoto attribute within the cosinePilotObject object class.
attributeName:< FILE://path
If the DSA is running or if a datastore already exists for the DSA, DXnewdb will exit immediately.
Note: For a list of the status codes returned by all the DXtools commands, including this
command, see Exit Status Codes for the DXtools (see page 105).
dxnewdb DSA-name
DSA-name
Defines the DSA.
If a DSA with the same name already exists, the command exits.
04-May-2016 126/923
CA Directory - 12.0.18
If a DSA with the same name already exists, the command exits.
If the datastore exists, DXnewdsa uses it, without changing its size or contents. If the datastore does
not exist, DXnewdsa creates the datastore.
DXnewdsa creates configuration files for the new DSA. The configuration includes the following
commands:
#gxgrid configuration
set dxgrid-db-location = ...;
set dxgrid-db-size = ...;
set cache-index = all-attributes;
set lookup-cache = true;
Note: For a list of the status codes returned by all the DXtools commands, including this
command, see Exit Status Codes for the DXtools (see page 105).
options
Denotes one or more of the following options:
-t {data | router}
data
(default) Specifies that DXnewdsa should create a data DSA.
router
Specifies that DXnewdsa should create a router DSA.
-l location
(Optional) Defines the directory that holds the datastore. This is only valid for a data DSA.
The default directory is DXHOME/data.
If the location is provided as a relative location, DXnewdsa takes this as relative to the current
directory, to produce an absolute path. DXnewdsa uses the -l parameter to create a command in
the DSA configuration file, as follows:
-s size
(Optional) Defines the size of the datastore in MB. This is only valid for a data DSA. It is ignored if
the datastore already exists.
DXnewdsa writes the size as a dxgrid-db-size setting in the DSA configuration file.
The maximum is 60,000.
The default is 500 MB.
dsaname
Defines the name of the DSA. Maximum length is 31 characters.
04-May-2016 127/923
CA Directory - 12.0.18
port
Specifies the port number of the DSA.
prefix
(Optional) Defines the namespace prefix. To specify the prefix, use LDAP syntax; for example as
follows:
This command creates a data DSA1 and specifies port 1234 and a null prefix.
The configuration includes the prefix setting in the knowledge file in the following form:
-P algorithm
Hashes the password, where algorithm is one of the following:
SHA
Hashes the password using the SHA-1 algorithm
SSHA
Hashes the password using the Salted SHA-1 algorithm. This algorithm produces a different
hash even for the same clear text password, which is more secure.
SHA512
Hashes the password using the SHA-512 algorithm
SSHA512
(Default) Hashes the password using the Salted SHA-512 algorithm
04-May-2016 128/923
CA Directory - 12.0.18
MD5
Hashes the password using the Message Digest algorithm.
SMD5
Hashes the password using the Salted Message Digest algorithm
PBKDF2
Hashes the password using the PBKDF2 (Password-Based Key Derivation Function 2) method.
This option uses the default PBKDF2 values mentioned in Supporting Commands for the
PBKDF2 Hashing Method (see page 733) as it does not read DSA configuration.
CRYPT
Hashes the password using the UNIX crypt method.
CADIR
Hashes the password using a reversible obfuscation algorithm. Use this option to hash a
password before including it in a knowledge file in the dsa-password or ldap-dsa-password
configuration items. This protects the password from users with access to the computer
running the DSA.
-v
Runs in verbose mode.
password
Specifies the password to be hashed.
The following command hashes the password qwer123 using the MD5 algorithm:
{MD5}VT6DymlpOzPvc5WMBLejFQ==
The following command hashes the password qwer123 using the SSHA-512 algorithm, which is the
default:
dxpassword -v qwer123
04-May-2016 129/923
CA Directory - 12.0.18
the rename data for a single entry from the keyboard or for multiple entries from a file.
options
Denotes one or more of the following options:
-c
Runs in continuous mode. Errors are reported, but the process is not stopped.
level
Defines the level of debugging as follows:
-1 Enable all debugging
0 No debugging
1 Trace function
2 Debug packet handling
4 Heavy trace debugging
8 Connection management
16 Print out packages sent and received
32 Search filter processing
64 Configuration file processing
128 Access control list processing
256 Stats log connections/operations/results
512 Stats log entries sent
1024 Print communication with shell backends
2048 Print entry parsing debugging
You can add numbers together to specify multiple debug levels at the same time. For
example, a debug level of 6 specifies the debugging levels of both 2 and 4.
-D bindDN
Specifies the distinguished name of the user performing the bind.
-f filename
Specifies a file to read from, rather than standard input.
-H URI
Specifies the LDAP URI of the directory host. If you do not specify this, the tool uses localhost
instead.
You can use an IPv6 address, as in the following example:
-H ldap://[2001:db8:0:1:99a4:6159:198f:b309]
-h dap-host
Note: This option has been deprecated. Use the -H option instead. The -h option still
works in the current version of CA Directory.
Specifies the address or host name of the directory host. If you do not specify this, the tool uses
04-May-2016 130/923
CA Directory - 12.0.18
Specifies the address or host name of the directory host. If you do not specify this, the tool uses
localhost instead.
You can include OSI addressing for transport, session, and presentation SAPs by fully expanding
dap-host:
hostname:port/tsel/ssel/psel
You can include binary and ASCII characters in the tsel, ssel, and psel selectors, using the %
followed by the two hexadecimal digits that represent the ASCII code for the character, for
example:
/ is expressed as %2F
% is expressed as %25
-M
Enables the Manage DSA IT control.
-MM
Enables the Manage DSA IT control, and makes it critical. For more information, see LDAP
Controls in the Administration Guide.
-p dap-port
Specifies the port on directory host computer. If you do not specify this, the tool uses port 102,
the OSI port, by default
You can combine the -h and -p arguments into a single argument, and express them as a dotted IP
address or hostname. For example, you can replace the options on the first line with those on the
second:
-h 192.168.19.202 -p 19389
-h 192.168.19.202:19389
-r
Removes the old RDN.
-s superior-entry-DN
Moves the entry under a new parent.
-v
Runs in verbose mode.
-W
Prompts the user for the bind password.
-w password
Specifies the bind password.
-y filename
Specifies a file that contains the bind password.
dn
Specifies the distinguished name of the entry that is to be renamed.
04-May-2016 131/923
CA Directory - 12.0.18
newrdn
Specifies the new RDN.
This example uses the Democorp sample directory supplied with CA Directory. You can repeat this
example as a training exercise.
cn=Murray HORSFALL,ou=Repair,ou=Operations,o=Democorp,c=AU
cn=Murray J HORSFALL
options
Denotes one or more of the following options:
-D binddn
Specifies the bind DN. If you don't specify the bind DN, the tool will bind anonymously.
04-May-2016 132/923
CA Directory - 12.0.18
-v
Runs in verbose mode.
-w password
Specifies the password (for simple authentication only).
hostaddr:port
Specifies the host address and port of the LDAP server (such as DXserver).
> filename
Redirect the output from the screen to the named file.
Note: To get help on the tool, enter the command dxschemaldif with neither options nor
parameter.
To extract the schema from a Version 3 LDAP directory and redirect the output to the new_schema.
ldif file, enter the following command:
You can use the ldif2dxc tool to convert the LDIF schema into the CA Directory schema format.
options
Denotes one or more of the following options:
-A
Retrieves attribute names only (no values).
-b basedn
Specifies the base DN for the search.
-B
Prints non-ASCII values. Remove this option to suppress these values.
04-May-2016 133/923
CA Directory - 12.0.18
-c
Runs in continuous mode. Errors are reported, but the process is not stopped.
-C
Specifies that referrals will be chased, if necessary. This option is is not necessary if your directory
backbone contains only CA Directory DSAs. CA Directory DSAs handle referrals automatically, as
specified in the X.500 standard.
level
Defines the level of debugging as follows:
-1 Enable all debugging
0 No debugging
1 Trace function
2 Debug packet handling
4 Heavy trace debugging
8 Connection management
16 Print out packages sent and received
32 Search filter processing
64 Configuration file processing
128 Access control list processing
256 Stats log connections/operations/results
512 Stats log entries sent
1024 Print communication with shell backends
2048 Print entry parsing debugging
You can add numbers together to specify multiple debug levels at the same time. For
example, a debug level of 6 specifies the debugging levels of both 2 and 4.
-D bindDN
Specifies the distinguished name of the user performing the bind.
-E parameters
Specifies search extensions. Include the ! to make the parameter critical.
[!]domainScope
Domain scope
[!]mv=filter
Matched values filter
[!]pr=size[/prompt|noprompt]
Paged results/prompt
[!]subentries[=true|false]
Subentries
[!]sync=ro[/cookie]
LDAP Sync refreshOnly
04-May-2016 134/923
CA Directory - 12.0.18
rp[/cookie][/slimit]
LDAP Sync refreshAndPersist
-F prefix
Identifies the URL prefix to be used for files. If you do not specify this option, the default is used:
file:///tmp/.
-h host
Specifies the directory host. If you do not specify this, the tool uses localhost instead.
-H LDAP_URI
Specifies the LDAP URI of the directory host. If you do not specify this, the tool uses localhost
instead.
You can use an IPv6 address, as in the following example:
-H ldap://[2001:db8:0:1:99a4:6159:198f:b309]
-L
Prints entries in LDIF V1 format, with non-ASCII values.
-LL
Prints entries in LDIF format without comments and with non-ASCII values.
-LLL
Prints entries in LDIF format without comments, without version information, and with non-ASCII
values.
-M
Does not multicast; limits search to a single directory.
-P 2|3
Specifies the LDAP protocol. By default, this is set to 3.
-p dap-port
Specifies the port on directory host computer. If you do not specify this, the tool uses port 102,
the OSI port, by default
You can combine the -h and -p arguments into a single argument, and express them as a dotted IP
address or hostname. For example, you can replace the options on the first line with those on the
second:
-h 192.168.19.202 -p 19389
-h 192.168.19.202:19389
04-May-2016 135/923
CA Directory - 12.0.18
-S attribute
Sorts the results by the attribute.
-t dir
Writes values to files in the specified directory.
-T
Times the search (no search results printed).
-u
Includes user-friendly entry names in the output.
-v
Runs in verbose mode.
-W
Prompts the user for the bind password.
-w password
Specifies the bind password.
-y filename
Specifies a file that contains the bind password.
-z number-entries
Specifies the size limit (in entries) for search.
filter
An RFC2254-compliant LDAP search filter.
attributelist
Specifies a space-separated list of attributes to retrieve. If no attribute list is given, all attributes
are retrieved.
This example uses the Democorp sample directory supplied with CA Directory. You can repeat this
example as a training exercise.
04-May-2016 136/923
CA Directory - 12.0.18
sn: HORSFALL
title: Information Technology Manager
telephone: 797 8877
description: Replacements
mail: Murray.HORSFALL@Democorp.com
postalAddress: 173 Toorak Pde $ Berkeley NSW
postalCode: 2506
If you send the output to an LDIF file, you can edit the file contents and use the DXmodify tool to
implement the changes.
Example: Using the -f option to source a text file containing LDAP search filters
The file contains LDAP search filters. Ensure that each filter does not have enclosing brackets:
&(oc=inetOrgPerson)(cn=user1)
&(oc=inetOrgPerson)(cn=user2)
&(oc=inetOrgPerson)(cn=user3)
Example: Using the -f option to source a text file containing user names
The file contains text that the DXsearch tool substitutes for %s when used in a filter, as in this
example:
user1
user2
user3
The most commonly used LDAP extension in dxsearch is simple paged results. This extension allows
large results to be broken up into a number of pages of a user specified size. With this extension, a
search can bypass the administrative size limits set on the DSA. Also, this extemsion allows other
requests being processed at the time throughput.
The format of the simple paged results extension used by dxsearch is:
-E [<criticality>]pr=<number of entries per page>/[prompt|noprompt]
04-May-2016 137/923
CA Directory - 12.0.18
<number of entries per page>: This number indicates how many entries the server returns in
each page of results.
prompt (default): dxsearch displays a page of results and then waits for the user to hit enter (or
enter a different page size).
noprompt: dxsearch continues to the next page of results without prompting the user.
Example 1: Returning searches 5 entries at a time without prompting to move to the next page. The
simple paged result control must be handled by the server (critical).
dxsearch -h {hostname}:{port} -b c=AU -E !pr=5/noprompt (oc=*) commonName
Example 2: Returning searches 200 entries at a time prompting the user for the next 200 entries
dxsearch -h {hostname}:{port} -b c=AU -E pr=200 (oc=*) commonName
Note: Single quotes are required when using the critical exclamation mark ! and the wildcard *.
DXHOME\samples\snmp
-rn
Specifies the number of seconds between each refresh. If you omit the -r option, the tool uses the
default value of 5 seconds.
ipaddress
Identifies the computer on which the DSA is running.
port
Identifies the SNMP port of the DSA to be monitored.
04-May-2016 138/923
CA Directory - 12.0.18
dxsyntax [dsaname]
dsaname
Specifies the name of the DSA. This can be a file name pattern.
dxsyntax
To check all DSAs whose names start with rk, run the following command:
dxsyntax rk*.
If no errors are found, DXsyntax exits without a message, and with a return code of 0. This is handy
for use in routine test scripts. If one or more errors are found, DXsyntax exits with an error message
and a non-zero return code.
Note: The DXsyntax relies on the DXHOME environment variable. DXHOME must be set to
the home path of DXserver. This is done automatically when CA Directory is installed. The
DXsyntax tool expects the DSA configuration files to be located in the config folder under
the path in DXHOME.
DXHOME\samples\trap
dxtrap port
port
Specifies the SNMP trap port. If you omit this option, the tool uses the default port 162.
04-May-2016 139/923
CA Directory - 12.0.18
options
Denotes one or more of the following options:
-b badfile
Write bad schema records to the specified file.
-f file
Read input from the specified file.
-m map
Get OIDs from the specified map file.
-M oid_arc
Generate missing OIDs from 'oid_arc'. For example x.y.z. generates x.y.z.0, x.y.z.1, etc. x.y.z.34
generates x.y.z.34, x.y.z.35, etc.
-x dxcFile
Exclude schema that is defined in the specified .dxc file.
-Z schema
Append new schema definitions in DXtools schema file format to the specified file.
outfile
Specifies the name of the file into which the LDIF data will be saved.
You want to convert the schema in the new_schema.ldif file. In this case, you are not interested in
the entire external schema, but rather schema unique to the external source. The local directory also
typically sources a single DSA schema group file (for example, dxmanager.dxg).
To convert only the schema unique to the external source, you want to instruct the tool to exclude an
existing schema file. In addition, you want to instruct the tool not to redefine any internal DSA
schema definitions.
While converting the schema in the new_schema.ldif file, the tool stops with an error because of
04-May-2016 140/923
CA Directory - 12.0.18
While converting the schema in the new_schema.ldif file, the tool stops with an error because of
schema incompatibility with CA Directory and does not produce any output. The problem may be
caused by an unsupported syntax or matching rule, or an error in the published schema. In these
cases, you can instruct the tool to write any bad schema to a bad file but continue writing the good
schema to your output file. You can inspect the bad file and decide whether it is worthwhile to
correct any of the errors (for example, remove an obscure matching rule for substrings), and then
rerun the tool until you have what you need.
To run the tool with a bad file, enter the following command:
Some LDAP directories publish OIDs as labels rather than dotted decimal strings (for example,
xyConfig-oid). These object classes and attributes do not load into the directory. Instead, the tool
assigns them temporary OIDs off the CA Directory arc to enable you to load the new schema, but this
solution may not be suitable for all directory implementations.
If the dotted decimal form of these object class and attribute OIDs are available, you can create a
map file, and instruct the tool to look up these label OIDs in the file and substitute the labels by the
dotted decimal OIDs.
The map file is a three-column CSV file with the following format:
-------------------------------------
#
# format: objectClass, attributeType, oid
#
# objectClasses
xyConfig-oid,,1.2.3.4
xyAdmin-oid,,1.2.3.5
# attributeTypes
,abstract-oid,1.2.4.5
,aci-oid,1.2.4.6
-------------------------------------
You map a dotted decimal OID to either an object class or an attribute type, but not both.
To run the tool with a map file, enter the following command:
If there are a large number of "label" OIDs (e.g. xyConfig-oid) in the LDIF schema file it may take a
long time to add an entry for everyone in a map file. An alternative is to specify an OID arc that the
tool will use in place of any label OID, incrementing it for each label OID it finds.
If your arc is new, you can specify it with a trailing '.', and the tool will start incrementing it from 0. If
some OIDs have already been assigned against this OID arc, you can specify the next available OID,
and the tool will start incrementing from that one.
To replace the map file in Example 15 with a new OID arc of "1.22.333.444.", on a UNIX system,
04-May-2016 141/923
CA Directory - 12.0.18
To replace the map file in Example 15 with a new OID arc of "1.22.333.444.", on a UNIX system,
enter:
If the tool encountered the OID label xyConfig-oid in new_schema.ldif, it will assign it an OID of
1.22.333.444.0. If it then encountered the OID label abConfig-oid, it will assign it an OID of
1.22.333.444.1, etc.
If twenty OIDs from this arc were assigned, the next available OID would be 1.22.333.444.20. If you
were to perform another integration with schema from new_schema2.ldif, to avoid clashing with
existing OIDs in the directory, on a UNIX system, enter:
If the tool encountered the OID label cdConfig-oid in new_schema2.ldif, it will assign it an OID of
1.22.333.444.20. If it then encountered the OID label efConfig-oid, it will assign it an OID of
1.22.333.444.21, etc.
1. Get the two LDIF files you want to compare, oldfile and newfile.
To do this, use the DXsearch tool (with the -L option) or the DXdumpdb tool.
ldifdelta can produce an output file, which, is a file containing LDIF change records. You can use the
DXmodify tool to apply these LDIF change records to the sorted oldfile, and so update it to newfile.
It compares distinguished name in a case insensitive way, not by schema matching rules.
When comparing URL values, ldifdelta compares only the file names.
It does not attempt to interpret the nature or contents of the file that the URL references.
04-May-2016 142/923
CA Directory - 12.0.18
dsaType
createTimestamp
modifyTimestamp
creatorsName
modifiersName
subschemaSubentry
dxUpdatedByDisp
dxEntryCount
dxTotalEntryCount
dxProxyRole
dxProxyUser
dxDynamicAccess
dxDeleteTimestamp
dxServerVersion
dxPwdLoginTime
dxPwdLastChange
dxPwdHistory
dxPwdFailedAttempts
dxPwdFailedTime
dxPwdLocked
dxPwdGraceLogins
dxPwdIgnoreExpired
dxPwdMustChange
04-May-2016 143/923
CA Directory - 12.0.18
dxPwdIgnoreSuspended
dxPwdGraceUseTime
dxErrorReason
dxAttrOverlayReferenceSubordinate
dxAttrRdnValue
dxNewSuperior
-x
Ignores X.500 and DXserver operational attributes.
-v
Runs in verbose mode.
-S dsaname
Specifies the DSA server containing schema definitions.
Note: The DSA name is only used for schema checking. This does not imply that the LDIF
and DSA name used are linked in any way.
oldfile
Specifies the outdated file to produce the delta for.
newfile
Specifies the more recent file to compare against oldfile.
outfile
(Optional) Specifies the output file containing the differences between newfile and oldfile.
If you do not specify this file, ldifdelta produces its output to the standard output.
This example makes the old directory the same as the reference directory:
04-May-2016 144/923
CA Directory - 12.0.18
The tool can sort the LDIF record based on any attribute. By default, the ldifsort tool sorts LDIF
records based on their distinguished names. This ensures that each record is followed by its
immediate subordinates.
You may opt to sort in descending order. You can use this option, for example, when deleting the
entries in an LDIF file from the directory. This sorts the LDIF file on DN in descending order, thus
ordering subordinates before superior entries. The LDIF file can then be passed to dxmodify to delete
these entries.
Although the default sort is by DN, you may wish to use another attribute, for example, to sort
employee records in an LDIF file based on their employee numbers for administration, or based on
telephone numbers to allocate spare lines.
The ldifsort tool can cope with bad input records. See the -b option. A record is bad for one of the
following reasons:
options
Denotes one or more of the following options:
-a attr
Sorts entries based on the specified attribute. The default sort attribute is dn.
-b file
Writes bad input records to the specified file. Each bad input record is accompanied by the
reason it is considered bad.
If -b is not specified, bad records are silently discarded, except that the final summary report
gives the count of bad input records.
-d
Sorts in descending order. The default is to sort in ascending order.
04-May-2016 145/923
CA Directory - 12.0.18
-m count
Specifies the number of records that are put into each sorting bucket. The default is 200. For
the fastest sort time, set this option to the square root of the number of entries in the file (-m
count = square root number of entries in file).
-r block
Specifies the number of sorting buckets to allocate at a time. The default is 10,000.
-s bytes
Specifies the size of read buffer for each bucket. The default is 2,048 bytes.
-t dir
Specifies the directory to use for temporary files.
-u
(Default). Checks for duplicates. Duplicate records are considered bad input records.
-U
Does not check for duplicates, so duplicates are considered good input records.
-vRuns in verbose mode. In this mode, diagnostics are sent to standard error.
infile
Specifies the file to be sorted.
outfile
Specifies the file to which output is to be written. The default output is standard out.
This example makes the old directory the same as the reference directory:
The most common reason for the ldifsort tool created a BAD record is a duplicate entry.
A BAD record is written to the BAD file, if one is specified (-b option), alongside the reason it is
considered BAD, which can be one of the following:
Duplicate Entry
04-May-2016 146/923
CA Directory - 12.0.18
DXdelete
DXmodify
DXsearch
DXrename
By default, this file is named dxldap.conf. If your file has a different name, you can specify this in the -
Z option.
TLS_CACERT trusted_pem_file
Specifies the file that contains certificates for all of the Certificate Authorities the client will
recognize.
This must be an absolute reference to a full path, without environment variables. Do not enclose
the file path in quotation marks.
TLS_REQCERT {allow|demand|hard|never|try}
(Optional) Specifies the check to perform on server certificates in a TLS session, if any:
allow - The client requests a server certificate and if no certificate is provided, the session
proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds
normally.
demand - The client requests a server certificate and if no certificate is provided, or a bad
certificate is provided, the session is immediately terminated. This is the default setting.
never - The client does not request or check any server certificate.
try - The client requests a server certificate and if no certificate is provided, the session
proceeds normally. However, if a bad certificate is provided, the session immediately
terminates.
04-May-2016 147/923
CA Directory - 12.0.18
Example: dxldap.conf file on a UNIX System, Using the Default TLS_REQECRT Setting
In this example, the TLS_REQCERT setting is not specified, which means that the default value of
demand will be used:
TLS_CACERT /opt/CA/Directory/dxserver/config/ssld/trusted.pem
Logs
The logs contain the output from a DSA.
Diagnosing problems
Note: We recommend that you use only the logs that are actually required. Because a DSA
has to write to the log files, keeping too many log files open can reduce performance.
Traces
Tracing provides information that can help you to analyze the operations performed by the directory.
Tracing does not control what is logged to the summary, query, or stats logs.
In the DSA, the trace command controls the level of tracing that is sent to the DSA console, and to the
trace log file, if the trace log file is open.
Alarms
Alarms are reports of critical events that should be monitored. Some triggers of alarms are:
A configuration problem -- For example, a DSA fails to start because it has the same listen
address as one already running.
04-May-2016 148/923
CA Directory - 12.0.18
For a list of some alarm messages, see the System Messages chapter in the Reference Guide.
Alarm messages are always written to the alarm log (which cannot be closed).
When an SNMP log is open, an SNMP trap is raised for every alarm.
Set Up Schemas
Schemas
A schema is a formal definition of the contents and structure of the directory data. It governs where
each entry can be placed within the directory structure, how entries are to be named, and what
attributes each entry can contain.
When a DSA starts up, it reads the schema configuration files, which contain schema rules. The DSA
enforces these rules on the directory data.
The names of the various types of attributes that can exist in an entry
Which attributes in each object class (a defined group of attributes) are mandatory and which are
optional
How each directory entry is named (for example, a person is named by his or her common-name
attribute)
Where the directory entry can be created in the namespace (DIT). For example, an
OrganizationalUnit entry can only exist under an Organization entry.
The schema of a running directory is available to LDAP clients through the LDAP Version 3 mechanism
of schema publishing. For more information, see Schema Publishing (see page 499).
Defining Schemas
You can configure all aspects of the schema, down to the level of attribute syntaxes compiled in the
entry.
You should create the schema within configuration files (that is, in the DXHOME/config/schema
directory) rather than dynamically using the console interface, as the latter only remains in effect
while that DSA is running.
04-May-2016 149/923
CA Directory - 12.0.18
Registering an OID
Each object class or attribute type must be assigned a unique name and Object Identifier (OID).
Generally, one OID is sufficient to meet all of your schema needs by adding another level of hierarchy
to create new branches, or OID arcs. An OID arc is an OID that has been reserved for use as a
container for defining additional OIDs.
You can obtain an OID from the IANA home page at http://iana.org. Other organizations that issue
OIDs are ANSI (for US organizations), and BSI (for UK organizations).
Note: IANA's term for OIDs is enterprise numbers, as they are used primarily for Simple
Network Management Protocol (SNMP).
Schema Prefixes
All attribute, attribute set, object class, and name binding definitions have a unique object identifier
(for example, 2.5.4.6) that uniquely identifies that object.
When defining a schema, you can find many definitions on the same branch of the schema definition
tree. You can define a schema prefix that replaces the branch of the tree in all subsequent
definitions.
Given the previous definition, the prefix x500attr can replace any occurrence of the 2.5.4 portion of
an object identifier. Thus, an attribute with the object identifier of 2.5.4.6 can also be represented as
x500attr:6.
Schema prefixes improve readability and reduce the chance of errors in the definition, especially
when the object identifiers are long. For example, the object identifiers of each of the Quipu
attributes are of the form 0.9.2342.19200300.99.1.x, making a prefix desirable.
04-May-2016 150/923
CA Directory - 12.0.18
Schema Groups
You usually define schema in a single definition file. All schema definition files reside in the schema
configuration directory. When building your directory schema, you typically need definitions from
several schema definition files. You can group these schema definition files together in a single file
using the source command.
The initialization file (for instance, Democorp-Host2-democorp.dxi) sources this schema definition.
Display a Schema
To display a schema, use one of the following methods:
04-May-2016 151/923
CA Directory - 12.0.18
Changes to attribute syntax (note that some data cleansing may be required so that values are
valid for the new syntax)
Important! A single schema file may be used by many different DSAs. If you change a
schema file, check that it works correctly with all of the DSAs that use that file.
3. Use the DXdumpdb tool to dump the datastore to an LDIF file, using the following command:
5. Load the datastore from the sorted LDIF file with DXloaddb.
04-May-2016 152/923
CA Directory - 12.0.18
Local Schema
The X.500 standards enable the definition of local attributes, attribute sets, object classes, and name
bindings in the schema in much the same way as described in Name Bindings and Aliases (see page
161).
Before defining local schema, you should check the existing published schema to determine whether
the required attribute, object class, and name binding definitions already exist.
When you need to define additional schema, create an object identifier arc (1.3.6.1.4.1.3327.1 in the
following example) and add the new schema under this arc. Use the set commands described
previously to define the schema, and then include the newly created configuration file (.dxc) in the
schema group configuration file (.dxg), used by the DSA.
The following example describes a single object class that can contain three attributes. CA created
the object class so that you could add the additional attributes to an organizationalPerson object.
All the names in the following schema definition have the prefix ca. The use of an object identifier
prefix in the name helps simplify attribute references by replacing the common portion of a
complicated object identifier with a simple character string and helps identify related attributes.
Example: Local Attribute, Attribute Set, Object Class, and Name Binding Definitions
04-May-2016 153/923
CA Directory - 12.0.18
kind = structural
may-contain caAttributeSet
description = "CA Organizational Person Object Class" };
set name-binding caNbind:0 = {
name = caOrgPerson-org
caOrgPerson allowable-parent organization
named-by commonName };
Attributes
Contents
Attribute Names (see page 154)
Single Valued Attributes (see page 155)
Attribute Syntaxes (see page 155)
New Syntaxes (see page 155)
Changes to Attribute Syntax (see page 155)
Attribute Checking (see page 156)
How CA Directory Stores and Returns Attribute Values (see page 156)
Syntax Aliases for Unsupported Attribute Syntax (see page 156)
Attribute Sets (see page 156)
An attribute is the foundation of directory information. It consists of a type and one or more values.
For example, in one entry, the attribute commonName could have the values Rick and Richard.
You define an attribute in the configuration file with information about its object identifier (OID),
name, LDAP names, syntax, whether it is single-valued, whether its value can be modified, and a
description.
There is no limit to the number of attributes or rules that you can define for a DSA or on the size of
the attributes you can store in the DSA.
Attribute Names
Every attribute has a name.
You can also define one or more LDAP names for each attribute. The LDAP name defaults to the
attribute name, so typically you need to define only the LDAP name when it is different from the
attribute name.
For example, when you define an attribute using the following command, you can use
04-May-2016 154/923
CA Directory - 12.0.18
For example, when you define an attribute using the following command, you can use
organizationName or the shorter LDAP name o in other commands that need to reference the
attribute:
Note: The single valued attribute is a characteristic of an attribute within each entry. Do not confuse
this with the concept of unique attribute value, which is a run time check that compares the attribute
values between different entries, and is not part of the schema.
Attribute Syntaxes
Attribute syntaxes define the format of basic information types.
New Syntaxes
To support new attribute syntaxes on demand, CA Directory DSAs accepts unknown attribute
syntaxes and stores them in the directory. Intelligent matching rules are applied so you can search for
them.
Note: A DSA does not store the names of all possible attribute names and syntaxes.
If you try to change the syntax of an attribute when an instance of that attribute already exists, the
DSA does not allow this, and produces the following message:
** ALARM **: datastore attribute attribute has different syntax than schema
This approach maintains the integrity of the directory data when you change the configuration of the
DSA.
04-May-2016 155/923
CA Directory - 12.0.18
Attribute Checking
When you load attributes (by using the set attribute command), the DSA checks their syntax. If you
try to add attributes with values that do not comply with the attribute syntax, the DSA returns an
error containing the attribute and the associated problem. For example if the syntax specifies
numericString but the attribute value contains non-numeric characters, the DSA returns an error.
In the search service, the system ignores invalid attributes after the base object is found.
The DSA permits attributes of any size, so you do not have to define any attribute bound limits.
Attribute Sets
Attribute sets let you easily group attribute definitions under a label so you can use them later in
object class and other definitions.
Define attribute sets in the configuration file using the set attr-set command. The attribute set is
given an object identifier and a definition. The definition consists of a name and a list of attributes or
attribute sets that are contained in the attribute set being defined.
Attribute sets are a convenient way of grouping large numbers of attributes together for use in object
class definitions. Attribute sets can contain other previously defined attribute sets.
04-May-2016 156/923
CA Directory - 12.0.18
An object class is an attribute of an entry. It specifies which attributes the entry can have.
You define an object class by specifying its object identifier, a name, an alternate name, a subclass, an
object class kind, a list of must-contain and a list of may-contain attributes or attribute sets, and a
description.
Auxiliary classes
If you do not define the kind for an object class, if the object class inherits top, the DSA assumes it to
be structural class; otherwise the DSA assumes it to be auxiliary.
04-May-2016 157/923
CA Directory - 12.0.18
Abstract Classes
The abstract object class determines the structure of an LDAP directory. The object class top, for
example, is the root object class from which all structural object classes are derived. It contains one
mandatory attribute, objectClass, and because all entries inherit its attributes, it ensures that an
object class defines these entries.
An abstract object class cannot stand alone in an entry. The entry must also contain a structural
object class.
Structural Classes
Most of the object classes in a directory are structural, because they define what an entry is. They
also impose rules on the entries that are stored beneath them. For example, the object class
organization (o) may require that all objects stored beneath it belong to the object class
organizationalUnit (ou). Other examples of structural object classes are groupOfNames,
inetOrgPerson, and person.
Auxiliary Classes
An entry belongs to only one structural object class. However, an entry can also belong to one or
more auxiliary object classes. An auxiliary object class adds attributes to entries already defined by a
structural object class. An auxiliary object class cannot stand on its own in an entry. The entry must
contain a structural object class. Unlike structural object classes, auxiliary object classes place no
restrictions on storing an entry.
For example:
When adding an entry with the object class inetOrgPerson, the must-contain and may-contain
attribute lists are inherited from all superclasses including:
top
must-contain: objectClass
person (subclass of top)
must-contain: commonName, surname
may-contain: description, seeAlso, telephoneNumber, userPassword
organizationalPerson (subclass of person)
may-contain: localeAttributeSet, ou, postalAttributeSet, telecommunicationAttributeSet, title
Inheritance needs to be taken into account when creating custom object classes.
04-May-2016 158/923
CA Directory - 12.0.18
By default, the DSA adds the object classes to the entry exactly as specified in the LDAP or DAP add
request (for example, the object class attribute may have multiple OIDs). However, directory
performance improves slightly when the object class attribute contains only a single value (the OID of
the refined OC). However, this should not be the main influence over the object class design of
attributes.
Where entries contain a single inherited object class and explicitly list all its superiors (their OC OIDs),
the superiors can be removed, leaving the lowest-level object class in the hierarchy as a single OID
value. Similarly, when entries are returned, the object class attribute can be automatically modified
by the DSA to contain all the superior object classes.
This OC refinement information can be returned as OC OIDs because the directory maintains the
object class structure rules that have been configured in its internal schema management control
system.
For example, if a directory contains entries corresponding to people, then each entry can explicitly
contain the following object classes within the datastore:
inetOrgPerson
organizationalPerson
Person
top
The following boolean configuration settings control the pruning and replacing of object classes:
set prune-oc-parents
Removes redundant superior object classes when new entries are created.
set return-oc-parents
Replaces the superior object classes to entries returned to the client.
set add-oc-parents
Causes parent object classes to be added when entries are added. For example, consider adding a
Democorp entry with the following class:
inetOrgPerson
This control adds all the parent classes. As a result the entry holds the following classes:
04-May-2016 159/923
CA Directory - 12.0.18
top
person
organizationalPerson
inetOrgPerson
When prune-oc-parents or return-oc-parents is set, searching entries using an object class filter (for
example, oc=Person) does not return any entries, because the specified object class of Person is not
present in the data; it is added only to search results that contain the inetOrgPerson object class.
If you do not want entries with multiple unrelated structural object classes to be created, you can use
the set check-structural-oc command to enforce this.
If set check-structural-oc is set to true, it will not be possible to add an entry which has more than one
structural object class hierarchy.
Name Bindings
Contents
Name Binding Checks (see page 161)
Name Bindings and Structural Object Classes (see page 161)
Name Bindings and Aliases (see page 161)
Considerations for Schemas That Do Not Support Name Binding (see page 162)
Name bindings define where entries appear in the namespace. CA Directory requires a separate
name binding for each parent-child relationship in the directory.
You can use multiple attributes together to name an entry, in which case you separate the attributes
by commas. You can also specify additional optional naming attributes, using the keyword optional.
In this example, a new definition (arbitrarily named org-country) states that you can place an
organization entry under a country entry and that you must name it by the organizationName
attribute. The definition org-top states that you can also place an organization object under a top
object (that is, the root of the namespace) named by the organizationName attribute.
04-May-2016 160/923
CA Directory - 12.0.18
When you enable warnings (set trace = warn,;), the system sends a message describing the reason
for the name binding failure to the console.
There is one exception regarding name binding checks. When an object is added under the naming
context (or prefix) of a DSA, then no name bindings need exist. This facilitates the changing of the
directory's naming context without the need to change associated name binding definitions. In this
situation, CA Directory gives the following message:
The DSA permits modification of the structural object class only when a name binding satisfies the
parent-object relationship and the object is a leaf entry.
You do not need to define an object-alias name binding for every part of the DIT where you can place
an alias.
For example, when there is an org to orgUnit name binding, the DSA lets you place an alias under an
organization object when you name it using an organizationalUnitName attribute.
04-May-2016 161/923
CA Directory - 12.0.18
You can retrieve the state of this flag by using the get user command.
Set Up Replication
In a replicated directory, information that is stored in one part of the directory is also stored
elsewhere as one or more copies.
Replication involves copying data and ensuring that the copies are synchronized.
Benefits of Replication
Replication is deployed for one or both of the following reasons:
Improved availability
Replication can make a system more robust by enabling the directory on one server to failover to
an alternative server. Applications can continue working, because as there are alternate DSAs or
servers in the network that can serve the same parts of the namespace.
Improved performance
Replication can place frequently accessed information closer to where it is needed, which
improves response times and allows the load to be shared between DSAs.
In a replicated directory, each piece of data is held on more than one server. The entire namespace is
stored in more than one place.
You can use both replication and distribution in the same system. The namespace is partitioned over
many different servers, and at least some sections of the namespace are also copied and stored in
more than one place.
Multiwrite
04-May-2016 162/923
CA Directory - 12.0.18
Multiwrite
Multiwrite replication is a mechanism for replicating updates to a number of DSAs to ensure that
they are synchronized. When a DSA receives an update, it updates its own data and then sends
the update to its peers. If a peer DSA cannot be reached, the updates are queued and replayed
when the DSA becomes available.
DISP
DISP (Directory Information Shadowing Protocol) is defined in the 1993 X.525 standard. DISP lets
you replicate information in OSI-conformant directories, which permits copying of directory
information from one DSA to another using a standardized procedure and protocol.
Multiwrite Replication
Multiwrite replication is a good choice for a system that includes applications requiring real-time
replication. This section discusses the following topics:
To use multiwrite replication successfully, your network links, computers, and power supplies should
be reliable.
Warning! Treat system crashes and unreliable networks as disaster scenarios. Recovery
requires manual reconciliation between datastores.
04-May-2016 163/923
CA Directory - 12.0.18
2. DSA 1 sends the update request to its peers, DSA 2 and DSA 3.
3. DSA 2 and DSA 3 each apply the update to itself, and then send an update response to DSA 1.
4. After receiving an update response from both peers, DSA 1 sends an update confirmation to
the client.
Any client can now query any DSA and it gets the same response, because the update has
been made to all DSAs.
Recovery in Multiwrite
A multiwrite update can fail. Usually, this is because a DSA is down or otherwise offline. When the
DSA comes back online again, the system must be recovered.
With multiwrite replication, there are two ways you can recover the system: multiwrite recovery and
DISP recovery. If recovery is with multiwrite, the replication scheme is just called multiwrite. If
recovery is with DISP, the replication scheme is called Multiwrite-DISP (see page 180).
If you want to ensure that a region continues to service a namespace even if one DSA fails, you need
at least three DSAs in each region. This is because if one DSA fails, you may need to take a second
DSA offline to resynchronize the failed DSA.
Multiwrite Queues
While a peer DSA is offline, the sending DSA puts new updates for the peer in a queue, and
periodically tries to connect to the peer.
When the peer DSA comes back online, the queued requests are sent in the order that they were
processed locally.
04-May-2016 164/923
CA Directory - 12.0.18
While the peer DSA remains offline, the queue grows. The DSA raises an alarm, and writes to the
alarm log, at 60%, 70%, 80%, 90%, and 100% of queue capacity.
If the queue becomes full, the peer DSA ignores the unavailable DSA. It discards all the queued
requests for the unavailable DSA and temporarily drops it from the multiwrite set. To bring this DSA
back into service, you must resynchronize the DSA datastores manually, and restart the DSAs.
If a DSA has attempted a multiwrite operation, the get dsp console command returns one of the
following states:
Failed
Indicates that the multiwrite DSA is not responding to an update. Updates for that DSA are held in
the multiwrite queue until the DSA responds. The queue is retained until the multiwrite queue
size is exceeded.
Recovering
Indicates that the DSA has become available and still has old updates in its queue.
OK
This is the normal multiwrite DSA status.
After the DSA puts the update request in a queue, it sends a confirmation to the client. In effect,
multiwrite reverts to a write-behind scheme until the offline DSA becomes available.
Important! A queued update is stored in memory only, and is lost if the DSA holding the
queue is restarted.
The following diagrams show how a DSA in simple multiwrite system recovers.
04-May-2016 165/923
CA Directory - 12.0.18
While DSA 2 is down, the following happens when the client application makes an update
request:
b. DSA 1 makes the update to itself and queues the update for DSA 2.
DSA 2 is now out-of-date.
a. DSA 2 starts up in recovery mode, which means that it can receive binds only from its
peer, DSA 1.
b. DSA 1 sends updates from its queue, in the order that it queued them, to DSA 2, as
follows:
04-May-2016 166/923
CA Directory - 12.0.18
a. When the queue is empty, DSA 1 sends a notification to DSA 2 that the data is
synchronized. This switches DSA 2 out of recovery mode, returning it to service.
Multiwrite Groups
Multiwrite replication works well if all DSAs are connected with high-speed high-bandwidth links.
If some of your DSAs are connected by latent links, updates to the entire directory will be slower. This
is because multiwrite replication is synchronous by default. In synchronous replication, an update
operation is not confirmed until all the multiwrite peers have applied it, which provides for
loadsharing and failover.
If your backbone includes any slow network connections, you should set up multiwrite groups (or
regions if you use DXmanager). DSAs connected by slow links should be in different groups.
The following diagram shows a backbone with one namespace partition (Staff) across three regions:
04-May-2016 167/923
CA Directory - 12.0.18
Example showing the sequence of updates passed between three multiwrite groups
1. Write to self (synchronous): A client sends an update request to a DSA, which applies the
update to itself.
2. Write to peers in group: If the local update succeeds, the DSA sends the request to its peers
in the same group. If these updates succeed, the peers send confirmations back to the first
DSA.
3. Send response to client: When the first DSA has received confirmation from each peer in its
region, it sends the confirmation response to the client.
4. Write to hub DSAs in other groups (asynchronous): The first DSA sends the request to the
hub DSAs in each of the other groups.
5. Hub DSAs write to peers: Each hub DSA sends the request to the other DSAs in its group.
The following steps are not shown in the diagram.
6. Peer DSAs write to self: Each peer DSA makes the update.
7. Peer DSAs send confirmation to hubs: Each peer DSA sends confirmation of the update to the
hub DSA of their group.
8. Hub DSAs send confirmation to the first DSA: Each hub DSA sends the confirmation response
to the first DSA. This DSA has already sent confirmation back to the client, so the client is not
affected by the slow links.
This diagram shows the speed of the network connections between the sites:
04-May-2016 168/923
CA Directory - 12.0.18
Map showing which sites are connected by slow and fast links
Sites 1, 2, 3, 4, and 5 are linked by fast connections. Sites 6, 7, 8, and 9 are also linked by fast
connections.
However, these two groups of sites are connected by slow links. Also, Site 10 is only connected to
other sites by slow links.
04-May-2016 169/923
CA Directory - 12.0.18
To enable multiwrite replication using configuration files
1. Add the DSA flags multi-write and no-service-while-recovering to the shared knowledge, as
follows:
You can configure partial multi-write replication to a peer by setting 'multi-write-attrs' in the
knowledge of that peer DSA. The directive must occur after 'load-share-group' and before 'dsa-flags'.
Example:
set dsa "test" = { ...
multi-write-attrs = cn, surname, objectClass
dsa-flags = multi-write
};
Note:
If you do not use DXmanager and you want to enable replication, you need to use configuration files.
04-May-2016 170/923
1.
CA Directory - 12.0.18
multi-write-group = group-name
dsa-flags = ...
...
};
Any DSAs with the same value for group-name are in the same multi-write group.
Multiwrite queues
To display the multiwrite status of a DSA, enter the following command on a DSA console:
get dsp;
If this configuration item is set to True and you stop the DSA, the DSA stops processing but it does not
exit while it has multiwrite queues that contain data.
To prevent multiwrite queues being lost when the DSA stops, using commands
To prevent multiwrite queues being lost when the DSA stops, using DXmanager
2. Click the Maps tab, and choose the place where you want to set Wait for Multiwrite to True:
To set this value for a particular DSA or for the entire backbone, display the Topology map.
To set this value for all DSAs that serve a namespace partition, display the Namespace
map.
3. Right-click on the item for which you want to set Wait for Multiwrite to True, and click Edit
Properties.
04-May-2016 171/923
CA Directory - 12.0.18
4. Find the Replication area, and set Wait for Multiwrite to True.
5. Click OK or Finish.
As the queue builds up, it consumes more memory, which can cause machine memory limitations or
can exceed the multiwrite queue size. To avoid this problem, use the set multi-write-group-credit
command to set an acceptable number of updates for the multiwrite queue.
When the number of queued updates exceeds the limit you have set, the DSA switches to the
synchronous multiwrite. In this mode, the DSA sends confirmation to the client after its peers have
sent confirmation to it. This confirmation slows the rate at which updates are accepted, giving the
queue time to empty. When the queue is smaller than the limit you set, the DSA switches back to the
asynchronous multiwrite.
If the DSA is receiving the bulk updates from a client, then you cannot limit the size of the queue.
When a client sends batch updates, it does not wait for confirmation from the DSA. In this situation,
the set multi-write-group-credit command has no effect.
04-May-2016 172/923
CA Directory - 12.0.18
By default, a multiwrite DSA sends up to ten multiwrite operations without waiting for a response
from the replication peer DSA. If the DSA has not received any response to those ten operations, it
stops sending updates to that DSA. Further updates will be queued against the peer DSA and the
queue will drain as responses from the peer are received.
For most implementations the default of ten is sufficient. you should not change this value unless
there is a specific reason. The default multiwrite operation threshold should only be changed by
someone with advanced network knowledge and only if the speed of the replication is of concern.
In normal circumstances, changing this parameter will have little effect. However, if there is a
problem with multiwrite performance over latent links, changing this setting to a higher value may
improve the situation.
The trap will contain diagnostic information on why the update failed.
If the peer DSA is unreachable, no SNMP traps are sent for updates sent to it. However, when the
peer DSA is reachable but it refuses an update, the trap is sent.
1. Configure traps
Test Whether Two Datastores Are the Same (see page 175)
04-May-2016 173/923
CA Directory - 12.0.18
Test Whether Two Datastores Are the Same (see page 175)
To prevent a recovering DSA from sending out-of-date information to a client, use the No Service
While Recovering setting on all the DSAs in a multiwrite system. When the No Service While
Recovering setting is used, a recovering DSA accepts updates from peers only, and does not accept
other client operations. This prevents clients from accessing out-of-date data.
To prevent multiwrite queues being lost when the DSA stops, using DXmanager
2. Click the Maps tab, and choose the place where you want to set No Service While Recovering
to True:
To set this value for a particular DSA or for the entire backbone, display the Topology map.
To set this value for all DSAs that serve a namespace partition, display the Namespace
map.
3. Right-click on the item for which you want to set No Service While Recovering to True, and
click Edit Properties.
4. Find the Replication area, and set No Service While Recovering to True.
5. Click OK or Finish.
04-May-2016 174/923
CA Directory - 12.0.18
DSA 1. This DSA is up-to-date and keeps working as a directory server throughout the
resynchronize process.
DSA 2. This DSA was working fine and is up-to-date at the start of the synchronization process,
but we will take it off-line to use it as the source for loading DSA 3.
DSA 3. This one has been offline. We are going to load it with up-to-date information from DSA 2.
Note: When you are deciding which of the working DSAs to be the source for loading the
offline DSA, choose the DSA that does not have a multiwrite update queue for the other
DSA. This means you will not lose data when you take it offline.
3. Stop DSA 2.
When the DSA is stopped, its datastore is not updated while you extract the data from it.
Important! Any multiwrite queues in this DSA are deleted, so check these queues
before you stop it. You may need to use the command forcestop. If do this, you will
lose data.
5. Make sure that DSA 2 and DSA 3 each have the No Service While Recovering setting set to
true. By default, DXmanager sets this setting to true. You can also set this using the no-service-
while-recovering DSA flag in the knowledge file.
2. Use the DXdumpdb tool to dump the datastores to LDIF files, as follows:
04-May-2016 175/923
CA Directory - 12.0.18
2. Use the DXdumpdb tool to dump the datastores to LDIF files, as follows:
Note: If you do not intend to resynchronize the datastores using these snapshots,
then you can restart the DSAs now.
4. Use the ldifdelta tool to compare the two LDIF files, as follows:
DISP Replication
CA Directory implements the 1993 Directory Information Shadowing Protocol (DISP), which lets you
replicate information in OSI-conformant directories. This implementation supports the following:
DISP routing
Shared configuration
X.500 defines a master-slave replication scheme using DISP. In this scheme, any update that succeeds
locally is forwarded to other DSAs according to any controlling bilateral agreement with those other
DSAs.
04-May-2016 176/923
CA Directory - 12.0.18
DISP replication may cause large updates which make the DSAs appear to be unresponsive.
To help make updates between DSAs in a Multi-Write DISP configuration as fast as possible, the
system will assess the number of updates that need to be sent to a peer DSA and if that number is
greater 5% of the total number of entries on that DSA, it will send updates in smaller packets of data.
When two DSAs share a configuration that includes a DISP agreement, the system performs
automatic DISP updates as determined by that agreement.
Note: CA Directory supports the push DISP scenario and the pull DISP scenario.
DISP Agreements
A DISP agreement is a set of statements that defines the DISP replication between two DSAs. When
two DSAs share an agreement, one of the DSAs is the master and the other is the slave. A DSA can
have a number of agreements relating to one or more remote DSAs.
To view the details of all DISP agreements, use the following command:
get agreements;
04-May-2016 177/923
CA Directory - 12.0.18
2. In DXmanager, ensure that the DSA's configuration includes a DISP PSAP definition.
2. Ensure that the datastores of each DSA contain the same data.
3. Create the DISP agreement in the configuration file (agreement.dxc) in the replication
directory of both DSAs, using the following command:
4. Ensure that the configuration for the Slave (Consumer) DSA configuration includes a DISP
PSAP definition.
5. Edit the Democorp master DSA initialization file (.dxi) to source the replication agreement,
using the following command:
# replication agreement
source "../replication/agreement.dxc";
6. Edit the Democorp slave DSA initialization file (.dxi) to source the replication agreement
(agreement.dxc), using the following command:
# replication agreement
source "../replication/agreement.dxc";
Note: You can also consider setting the slave DSA to be a shadow.
04-May-2016 178/923
CA Directory - 12.0.18
DISP Routing
CA Directory supports the concept of a DISP routing that lets you route DISP through one or more
intermediate DSAs. This is especially useful for firewall applications, as shown in the following
diagram:
To include a DSA that does DISP routing in a DISP replication process, all three DSAs must have an
agreement that identifies the DSA that does the DISP routing. All three DSAs can share the same DISP
configuration.
The agreement can define an incremental or a full update. An incremental update refreshes all
entries that have changed since the last DISP update and since the DSA started.
Selective Shadowing
You can restrict the data that a shadow master replicates to a shadow slave. There are three ways to
achieve this:
04-May-2016 179/923
CA Directory - 12.0.18
If you use the subtree filter, you should base the restrictions on object class, not on attributes. If the
subtree filter contains anything other than comparisons of object class values, this can cause the
shadow DSA to have incorrect data. This happens if the entry is modified on the master DSA and so
no longer matches the search filter. In that case, subsequent DISP updates do not contain this entry,
and leave the shadow DSA with unmodified and incorrect data.
Potentially the subtree filter could cause problems when shadowing to other vendors' directories, if
for example, a full refresh is requested, or if an entry is shadowed but its parent entry does not exist
on the shadow slave. CA Directory overcomes this potential problem by automatically creating
Directory Specific Entries (DSE) that have a name but no attributes.
Each element of attrSelectionList is an attrSelection element, which specifies the attributes that the
shadow supplier is to select for shadowing. Specification of attributes for an object superclass also
applies its subclasses. If the class is omitted, the selection applies to all classes.
When using the exclude specification, any attributes contained in an entry that are not explicitly
excluded are implicitly included. Attributes are implicitly included where all-attributes is specified.
The attribute object class, all attributes that are described in the schema as must contain, and all
operational attributes, are replicated unless they are listed in an exclude list.
Where entries belong to more than one of the specified classes, the specifications are cumulative.
When there are conflicting specifications, include has priority over explicitly excluded attributes and
exclude has priority over implicitly included attributes.
A selective DISP update can include entries that do not satisfy the schema requirements of the
shadow consumer. For example, mandatory attributes need not be present in an entry contained in
the DISP update.
With CA Directory, such an update is allowed because the master DSA verifies the schema of the
complete entry and allows the partial replication to the shadow DSA. This may, however, cause
problems when replicating to other vendors' directories.
If you flag the DSA as a shadow (so that it is read-only for non-DISP operations), the fact that not all
attributes are present for a particular entry is of no consequence.
04-May-2016 180/923
CA Directory - 12.0.18
Note: For the purposes of explanation, we call the DSA that is always available DSA 1, call the DSA
that was unavailable and comes online, DSA 2.
2. DISP on DSA 1 performs the resynchronization by calculating and sending an update for the
period in which DSA 2 was offline. While this is occurring, DSA 1 queues any further updates
to DSA 2.
3. When the DISP update completes, the multiwrite queue on DSA 1 is replayed to DSA 2.
Note: There are no explicit DISP agreements; all resynchronization and reconciliation is automatic.
DISP recovery works with multiwrite replication by handling all recovery operations. In effect, fast
multiwrite is used during uptime and DISP is used only for recovery after a downtime.
State-based
Resynchronization uses state-based updates. When there are a large number of replays, this is
more efficient than replay-based recovery.
Reconciliation
DISP processing supports automatic conflict resolution using a last-write-wins rule. Managing
conflicts is often a problem for replay-based systems because the order of updates from different
masters can be critical.
04-May-2016 181/923
CA Directory - 12.0.18
Note: DISP recovery uses the highest authentication level that is available. Only specify the
use of SSL authentication level (ssl-auth in a knowledge file) if you have set up the
necessary SSL certificates for the DSAs in the region.
Enable Multiwrite-DISP
To turn on multiwrite with DISP recovery, use DXmanager, or add the following command to the DSA
settings file:
In a multimaster system, it is possible for some changes to clash. In practice this is exceedingly rare.
The window for discrepancy is small and all running master DSAs keep themselves synchronized using
multiwrite. However, CA Directory resolves such conflicts automatically, using a last-write-wins rule.
The granularity of reconciliation is an X.500 object.
If DSA 1 updates an object's surname attribute at time T, and DSA 2 updates an object's phoneNumber
attribute at time T+1, then the final object after resynchronization is the object contained in DSA 2.
This does not have the changes to the surname.
1. Create the new peer DSA, for example, by using the DXnewsdsa tool.
2. Configure the new DSA to enable multiwrite, for example, by following the instructions in
Enable Multiwrite Replication Using Configuration Files (see page 169).
3. Configure the new DSA to enable DISP recovery, for example by adding the following
command to the DSA configuration file:
4. Reset the times in the DISP files on each host for all peer DSAs (including the newly added
one) using the following command:
dxdisp newDS
This command updates the .dp file to prevent all other peer DSAs trying to replicate all their
data to the new one.
04-May-2016 182/923
CA Directory - 12.0.18
Note: For more information on these commands, see the Reference Guide.
Note: You could use the DXdumpdb tool instead, but the procedure for using
DXdumpdb is more involved than using this online dump method.
6. Rename and move the file that is produced from the online dump to form the datastore file
for the new DSA, as follows:
Rename the database file existingDSA.zdb to newDSA.db
CA Directory keeps a transaction log of the updates it makes to a datastore. You should configure the
transaction log based on your requirements for safety versus performance:
Disable transaction logging -- Provides the highest performance, but if the DSA exits abnormally,
or there is a power failure, you will have to perform disaster recovery to restore the datastore
from a backup.
Enable logging without flushing -- Provides a performance that almost parallels that of a disabled
log. If the DSA exits abnormally, you can simply restart it and recovery is not required. However, if
there is a power outage, recovery is necessary.
Enabled logging with flushing -- The safest setting as the DSA can be restarted after an abnormal
termination or power failure and recovery is not required. However, there will be around 100
updates per second, instead of around 10,000 per second if flushing was disabled.
Note: Just setting the transaction log to flush to disk may not be enough for safety. This is
because many operating systems, depending on configuration and disk systems, may
report that the data has been written to disk some time before the transfer actually takes
place. Refer to your OS documentation for more information about write behind settings.
04-May-2016 183/923
CA Directory - 12.0.18
You need to perform disaster recovery for a single server if any of the following occurs:
Loss of a server
A power failure or a critical error in the operating system and the transaction file is not being
flushed
A disk failure
Enable multiwrite-DISP
If a DSA terminates normally or abnormally, it may simply be restarted. The transaction file allows the
DSA to make the datastore consistent and multiwrite-DISP ensures that the DSA is synchronized with
its peers.
Note: For more information, see Multiwrite Replication with DISP Recovery (Multiwrite-
DISP) (see page 180).
The DSA has been down for a long time (or it is a new DSA)
04-May-2016 184/923
CA Directory - 12.0.18
3. Rename the backed up files by removing the prefix z from the filename extension. The file
should now be named server.db.
Note: The steps below assume that you have multiple peers and peer B was unavailable
for a long time. The procedure for adding a new peer is very similar.
server1: dsa1
server2: dsa2
04-May-2016 185/923
CA Directory - 12.0.18
dsa-password = "secret"
disp-psap = DISP
snmp-port = 20000
console-port = 20001
dsa-flags =
multi-write
trust-flags = allow-check-password
};
Example:
dsa-password = "secret"
disp-psap = DISP
snmp-port = 20000
console-port = 20001
dsa-flags =
multi-write
trust-flags = allow-check-password
04-May-2016 186/923
CA Directory - 12.0.18
trust-flags = allow-check-password
};
The prefix must be the same for dsa1 and dsa2 for replication to work.
Note: If a knowledge group file exists for dsa1 and dsa2, update this file to ensure that
both dsa1 and dsa2 are sourced.
\config\knowledge
04-May-2016 187/923
CA Directory - 12.0.18
\config\knowledge
Copy server1: %DXHOME%\config\knowledge\dsa2.dxc server2: %DXHOME%
\config\knowledge
Copy server1: %DXHOME%\config\knowledge\dsas.dxg server2: %DXHOME%
\config\knowledge
Update the knowledge on one server and then copy to the other. This step keeps the servers
consistent.
If the DSAs contain synchronized data (for example, loads from the same LDIF), checkpoint the DSAs
when enabling MW-DISP.
server1: dxdisp dsa2
server2: dxdisp dsa1
This step prevents the existing data from being superfluously replicated.
Check that the DSAs have contacted each other and the replication state is OK.
server1: logout;
...
...
04-May-2016 188/923
CA Directory - 12.0.18
multi-write-group-credit = 0
multi-write-outstanding-ops = 10
dsa2:
OK
, total 0, waiting remote 0, confirmed local 0
server2: logout;
...
...
multi-write-group-credit = 0
multi-write-outstanding-ops = 10
dsa1:
OK, total 0, waiting remote 0, confirmed local 0
For the output of get dsp; command, the replicating queue status must be OK. Any other status such
as DISP-FAILED indicates either a replication problem or a connectivity problem between the two
DSAs. The warn-log and alarm-log are good places to start when diagnosing these replication
problems.
Another sanity test is to connect to dsa1 through an LDAP browser (like JXplorer) and modify.
Connect to dsa2 and ensure that the update is replicated. A similar test for MW-DISP can be
performed by stopping dsa2 before updating dsa1. When dsa2 is started, it recovers updates from
dsa1 and the updates must be reflected.
Other Considerations
We recommend running one or more router DSAs with the replicas to allow for automatic failover
and failback.
$DXHOME/config/knowledge must be identical between machines. Doing so ensures that all DSAs
function in a consistent manner.
We recommend setting one of the replicas as a preferred master. Add the following line to the
router.dxi file:
set write-precedence = dsa1, dsa2;
This step prevents update conflicts (same entry getting updated simultaneously on dsa1 and
dsa2).
04-May-2016 189/923
CA Directory - 12.0.18
Automated recovery and disaster recovery is simplified when hubs are marked as preferred
masters (included at the start of the groups router write-precedence list). All updates flow
through hubs, making them the definitive source of data for recovery purposes (either single a
DSA recovery or an entire group).
If more than two groups exist, then each group will elect the same DSA as hub.
If it is known which DSA from a group is a hub, then urgent action can be taken if it becomes
unavailable.
If it is known which DSA from a group is a hub then care can be taken when shutting them down.
the DSA replicates or recovers all DSAs within its group only
the hub is then responsible for propagating the update or recovery to a hub from each other
group
04-May-2016 190/923
CA Directory - 12.0.18
MW-DISP is enabled.
Other Considerations
We recommend creating a local router to service each multiwrite group. Configure the router with
the set write-precedence = command to include the locally configured hub at the start of the list
to make the hub the groups preferred master, followed by the local multiwrite DSAs.
A bottleneck where the peer DSA (local group or remote hub) cannot keep up with the volume of
04-May-2016 191/923
CA Directory - 12.0.18
A bottleneck where the peer DSA (local group or remote hub) cannot keep up with the volume of
updates, or
Either issue can cause a serious problem for response times if they occur for local replication
(replication within a group).
For the first issue, if the multi-write-queue is set too large, then consider reducing the size and
letting MW-DISP handle the recovery. When the queue size is exceeded, MW-DISP recovery begins
and client or router updates will no longer be held up by all other queued updates. For example, a
queue contains 100,000 updates that are destined for a local MW peer DSA. A new update needs to
wait until all 100,000 updates complete before a response is sent back to the client. Switching to MW-
DISP by setting the queue size lower can result in better client experience.
For the second issue, setting multi-write-dsp-idle-time to a low setting causes the DSA to switch to
recovery mode (MW-DISP) sooner than relying on the operating system to notifyxthe DSA that the
link is no longer viable.
For replication between hubs, see the multi-write-group-credit section for details on preventing the
target hubs multiwrite queue growing too large during asynchronous replication.
Each group has a multiwrite hub that is configured (in red). An example of the write-precedence for
each router DSA is included.
04-May-2016 192/923
CA Directory - 12.0.18
Disaster Recovery
While MW-DISP recovery ensures that data remains consistent across all replicating peers during
outages, there are times when a DSA must be rebuilt. The DSA must be rebuilt if there is a hardware
or disk failure, or database corruption. In such cases, a disaster recovery procedure ensures that all
DSAs are up and running with consistent data. These situations typically arise when the DSA must be
rebuilt from backup or when the DSA does not start due to grid-related errors. Adding new multiwrite
groups or DSAs can follow a similar process to synchronize data between peers. You can consider
following a disaster recovery procedure after an extended outage. Using a recovery procedure is
more efficient than leaving it to MW-DISP to reconcile large changes.
As with any disaster recovery procedure, use it in a test environment first so that deployment-specific
steps can be documented.
When using multiwrite group hubs, there are two disaster recovery scenarios. The following steps
ensure that DSAs are still active during recovery.
The recovery steps use the Sample Topology as a reference and can be customized for a specific
deployment.
Disaster scenario:
04-May-2016 193/923
CA Directory - 12.0.18
DSA US2 fails to start with a grid-related error after the computer where it is running stops due to a
kernel panic.
Step 2: Set US2 to a time (now) before taking the data snapshot (online dump) from US1. This step
ensures that the DSAs replicating to US2 only send recovery updates from the time the data snapshot
was taken.
Host F: Run dxdisp US2 (This command sets the time US2 was last updated by US3)
Host D: Run dxdisp US2 (This command sets the time US2 was last updated by US1)
Step 3: When feasible, perform an online dump from the hub DSA (US1). The sooner the snapshot is
taken after running dxdisp, the smaller the number of updates that are reapplied to US2 during
recovery. Thus, the recovery is more efficient.
Host D: Telnet to the DSA console of US1 (hub) and run the dump dxgrid-db; command to begin
an online dump. Use the logout; command then to exit the DSA console.
Host D: Check the US1 warn-log to see when the dump has started, and more importantly
completed.
Host D: Once the dump has completed, a file named $DXHOME/data/US1.zdb is created. Copy
this file to Host E. For example, copy to Host E: /tmp/US1.zdb.
Note: Compress files before copying between machines as most grid files compress well.
Check that the timestamp is recent to ensure that the online backup command created the
file being copied.
Step 4: Prevent US2 from replaying updates back to hub and peers.
Step 5: Now a snapshot from the hub has been taken, this information can be copied.
Host E: Remove the old transaction log (if enabled) - remove $DXHOME/data/US2.tx
Host E: Copy (and uncompress) the backup grid file that is generated in Step 3, for example, copy
/tmp/US1.zdb $DXHOME/data/US2.db
Host E: After a short period, US2 is back in sync with US1. The progress of MW-DISP recovery can
be followed in the alarm-log for US2.
04-May-2016 194/923
CA Directory - 12.0.18
Note: US2 does not allow binds from routers or applications until recovery is complete.
Recovery time can take longer if there is a large volume of updates that occur in parallel.
Disaster scenario: DSA US1 fails to start with a grid-related error, after the computer where it is
running stops due to a kernel panic.
Step 2: Set US1 to a time (now) on each hub before taking the data snapshot (online dump) from one
of the other hubs. This step ensures that the DSAs replicating to US1 only send recovery updates
from the time the data snapshot was taken.
Ensure that replication between AU3 and UK1 has the status OK. This status can be checked by
issuing a get dsp; command on the console of hub AU3. This step ensures that when taking a
snapshot from UK1, the data contains updates from AU3. After dxdisp is performed, AU3 is
responsible for recovering these updates directly.
Host C: Run dxdisp US1 (this command sets the time US1 was last updated by *hub* AU3).
Host G: Run dxdisp US1 (this command sets the time US1 was last updated by *hub* UK1).
Host G: Telnet to the DSA console of UK1 (hub) and run the dump dxgrid-db; command to begin
an online dump. Use the logout; command then to exit the DSA console.
Host G: Check the UK1 warn log to see when the dump has started, and more importantly when it
is completed.
Host G: Once the dump has completed, a file named $DXHOME/data/UK1.zdb is created.
Host G: Copy this file to Host D. For example, copy to Host D: /tmp/UK1.zdb
Host G: Copy this file to Host E. For example, copy to Host E: /tmp/UK1.zdb
Host G: Copy this file to Host F. For example, copy to Host F: /tmp/UK1.zdb
04-May-2016 195/923
CA Directory - 12.0.18
Note: Compress files before copying between machines as most grid files compress well.
Check that the timestamp is recent to ensure that the online backup command created the
file being copied.
Step 4: Prevent US1 from replaying updates back to hubs. Also prevent US2 and US3 from replaying
updates back to hub US1.
Step 5: Instate the snapshot from UK1 on each DSA in the US multiwrite group.
Host D: Remove the old transaction log (if enabled) - remove $DXHOME/data/US1.tx
Host D: Copy (and uncompress) the backup grid file that is generated in Step 3. For example, copy
/tmp/UK1.zdb $DXHOME/data/US1.db.
Host E: Remove the old transaction log (if enabled) - remove $DXHOME/data/US2.tx
Host E: Copy (and uncompress) the backup grid file that is generated in Step 3. For example, copy
/tmp/UK1.zdb $DXHOME/data/US2.db.
Host F: Remove the old transaction log (if enabled) - remove $DXHOME/data/US3.tx
Host F: Copy (and uncompress) the backup grid file that is generated in Step 3. For example, copy
/tmp/UK1.zdb $DXHOME/data/US3.db.
Host D: After a period US1 is back in sync with AU3 and UK1. The progress of MW-DISP recovery
can be followed in the alarm-log US1. The resynchronization of US1 also includes US2, US3. The
recovery process can be monitored by using the get dsp; command on the consoles of AU3,
UK1, US1, US2 & US3 to ensure that replication is functioning as expected.
04-May-2016 196/923
CA Directory - 12.0.18
Note: US1, US2, and US3 do not allow binds from routers or applications until recovery is
complete. Recovery time can take longer if there is a large volume of updates that occur in
parallel.
Notes
For Windows, the path to the grid files is %DXHOME%\data
Do not copy or modify the .dp files are never copied or modified.
On UNIX, perform these steps as the DSA user, that is, dsa.
Do not copy the grid file before the dump is complete. Doing so can corrupt or incomplete. In
such a case, repeat the process.
Check the timestamp of the .zdb file to ensure that it was written recently and an older backup is
not accidentally used.
They must share knowledge. We recommend using a knowledge group file that sources each DSA
and shares this knowledge for each DSA between computers. Use a knowledge group file if you
are not using DXmanager.
If the DSAs use SSL, the DSAs must have personality certificates that are signed by the same root
CA. These certificates must be copied to each computer running the replicas.
Set the multi-write-disp-recovery setting to true on all replicating DSAs if you are using MW-DISP.
Note: While MW-DISP uses the DISP protocol for recovery, a DISP agreement is not
necessary. DISP is invoked automatically when DSAs reconnect after an outage.
04-May-2016 197/923
CA Directory - 12.0.18
In a distributed directory, many DSAs cooperate to form a single namespace. Parts of the namespace
are served by different DSAs. An application connected to any DSA can search the entire namespace.
From the client's point of view, the directory backbone is a single entity, because every request is
routed to the appropriate DSAs within the namespace.
The DSAs may be all on the same computer, or they may be on different computers.
A distributed directory is useful to organizations with offices in several locations, because each office
can maintain its own directory, and yet to a client it appears as just one directory. It is also useful for
large directories because you improve scalability and performance when you share the data across
different servers.
A distributed directory can incorporate LDAP servers. CA Directory fully complies with the LDAP
standards, which means that it can be used as a backbone, to unify directories that support LDAP.
04-May-2016 198/923
CA Directory - 12.0.18
When the client sends a query to the directory, the query is routed to the DSA that serves the
relevant part of the namespace. The client does not need to know that the directory is distributed.
Distribution Features
In a distributed directory, the DSAs use the X.500 Directory Systems Protocol (DSP) to cooperate to
resolve queries on any area of the namespace.
CA Directory fully supports the X.500 directory systems protocol, including the following distribution
features:
Routing or Chaining
Requests sent to a DSA are performed by another DSA. The routing decision is based on the base
DN of the request and the prefixes of DSAs in the backbone. A routed request is handled by a
single DSA, if the target DSA cannot be contacted then the request is refused with a referral error.
Multi-Chaining Search
A search that involves an entire subtree may be spread across multiple DSAs. If multi-chaining is
enabled, a multi-chained search follows a process across an entire subtree.
04-May-2016 199/923
CA Directory - 12.0.18
4. When all the searches are complete, the results are collated and returned to the client
If any DSAs in the scope of the search cannot be contacted, a partial outcome is included with the
search result indicating the unexplored area of the directory information tree.
When the client sends a query to the directory, the query is routed to the DSA that serves the
relevant part of the namespace. The client does not need to know that the directory is distributed.
Distribution Features
In a distributed directory, the DSAs use the X.500 Directory Systems Protocol (DSP) to cooperate to
resolve queries on any area of the namespace.
CA Directory fully supports the X.500 directory systems protocol, including the following distribution
features:
04-May-2016 200/923
CA Directory - 12.0.18
Routing or Chaining
Requests sent to a DSA are performed by another DSA. The routing decision is based on the base
DN of the request and the prefixes of DSAs in the backbone. A routed request is handled by a
single DSA, if the target DSA cannot be contacted then the request is refused with a referral error.
Multi-Chaining Search
A search that involves an entire subtree may be spread across multiple DSAs. If multi-chaining is
enabled, a multi-chained search follows a process across an entire subtree.
4. When all the searches are complete, the results are collated and returned to the client
If any DSAs in the scope of the search cannot be contacted, a partial outcome is included with the
search result indicating the unexplored area of the directory information tree.
When a DSA in a backbone receives a request, it may need to forward (or chain) the request to
another DSA to deal with the request.
A DSA receiving a request is able to forward that request directly to any other DSA within the domain
using the shortest path routing, as the entire directory backbone shares the same configuration
knowledge.
04-May-2016 201/923
CA Directory - 12.0.18
In the following diagram, DSA 1 is the superior of DSA 2 and DSA 3. DSA 4 and DSA 5 are subordinates
of DSA 3:
How chaining works in a backbone with five DSAs, each controlling a portion of the namespace
1. A client sends a request to DSA 2, to modify the phone number of the entry cn=Milio
GILMORE,ou=Legal,ou=Corporate,o=DEMOCORP,c=AU.
2. When DSA 2 cannot handle the request, it routes (forwards) the request to DSA 5 using the
shortest path routing.
3. DSA 5 modifies the phone number, and sends a confirmation response back to DSA 2.
Time Limit
When a request is received by a local DSA, a time limit can be applied (for example, max-op-time,
or service time limit). If the request is either chained or multi-chained to a remote DSA, the local
DSA still retains a reference to the request. This reference is impacted by the time limit even
though the request is now being serviced by one or more remote DSAs.
Example:
If max-op-time is set to 30 seconds and Democorp: <c AU><o Democorp> receives a request in
the scope of UNSPSC: <c AU><o UNSPSC> the request is chained. If Democorp does not receive a
response from UNSPSC for 30 seconds, a request refusal (adminLimitExceeded) is sent to the
client. Democorp also sends an abandon request to UNSPSC in an attempt to stop the request
from continuing.
04-May-2016 202/923
CA Directory - 12.0.18
Size Limit
When a search request is received by a local DSA, a size limit is imposed on the result (for
example, max-op-size, or service size limit). If the request is chained or multi-chained to another
DSA then the local DSA limit is not enforced. The size limit is only enforced by the data DSA
performing the search locally.
Example:
If max-op-size is set to 100 for all DSAs and Router: <c AU> receives a whole subtree search with
scope <c AU>, the search is multi-chained to both Democorp: <c AU><o Democorp> and UNSPSC:
<c AU><o UNSPSC>. Democorp and UNSPSCS both have the size limit applied and return 100
entries each with a partial outcome (adminLimitExceeded). The router collates the results (200
entries) and sends the result (including partial outcome) to the client. The router does not trim
the result set, as the size limit is unenforced by the router, but the DSA handles the chained
request.
Remote Operations
Each DSA has a context prefix that defines the base of the DIT controlled by that DSA.
When the DSA receives an incoming operation, it services the request locally when the request
occurs in its own section of the namespace. When the operation is not local, it chains the operation
to a remote DSA except in the following circumstances:
A link of the appropriate authentication level to the remote DSA cannot be established.
Depending on the circumstance, the remote operation returns one of the following options:
Result
Referral
Service error
Security error
See the X.500 standards for a complete specification of how distributed DSAs cooperate to resolve a
query.
These one-level searches become a problem when there are many subordinate DSAs because a one-
level search must be broadcast to each of the DSAs (whereas a LIST returns the names of the DSAs).
04-May-2016 203/923
CA Directory - 12.0.18
To stop the flooding effect that this creates, especially at first-level DSAs, the DSA caches the replies
to one-level-search queries and makes them available to subsequent similar requests.
Only one-level searches returning object class are cached. These are the searches commonly used to
browse the directory.
Transparent Routing
Transparent routing allows a router DSA to process LDAP requests and responses without requiring
the controlling schema. This is useful if the router DSA is being used to link LDAP clients to an LDAP
server, or the clients and server have schema that are not known by the router DSA. Transparent
routing works with LDAP clients only.
By default, transparent routing is set to false. Transparent routing can be set on a router, as shown in
the following diagram
In the following diagram, DSA 1 is the superior of DSA 2 and DSA 3. DSA 4 and DSA 5 are subordinates
of DSA 3:
04-May-2016 204/923
CA Directory - 12.0.18
How chaining works in a backbone with five DSAs, each controlling a portion of the namespace
1. A client sends a request to DSA 2, to modify the phone number of the entry cn=Milio
GILMORE,ou=Legal,ou=Corporate,o=DEMOCORP,c=AU.
2. When DSA 2 cannot handle the request, it routes (forwards) the request to DSA 5 using the
shortest path routing.
3. DSA 5 modifies the phone number, and sends a confirmation response back to DSA 2.
Time Limit
When a request is received by a local DSA, a time limit can be applied (for example, max-op-time,
or service time limit). If the request is either chained or multi-chained to a remote DSA, the local
DSA still retains a reference to the request. This reference is impacted by the time limit even
though the request is now being serviced by one or more remote DSAs.
Example:
If max-op-time is set to 30 seconds and Democorp: <c AU><o Democorp> receives a request in
the scope of UNSPSC: <c AU><o UNSPSC> the request is chained. If Democorp does not receive a
response from UNSPSC for 30 seconds, a request refusal (adminLimitExceeded) is sent to the
client. Democorp also sends an abandon request to UNSPSC in an attempt to stop the request
from continuing.
Size Limit
When a search request is received by a local DSA, a size limit is imposed on the result (for
example, max-op-size, or service size limit). If the request is chained or multi-chained to another
DSA then the local DSA limit is not enforced. The size limit is only enforced by the data DSA
performing the search locally.
Example:
If max-op-size is set to 100 for all DSAs and Router: <c AU> receives a whole subtree search with
scope <c AU>, the search is multi-chained to both Democorp: <c AU><o Democorp> and UNSPSC:
<c AU><o UNSPSC>. Democorp and UNSPSCS both have the size limit applied and return 100
entries each with a partial outcome (adminLimitExceeded). The router collates the results (200
04-May-2016 205/923
CA Directory - 12.0.18
<c AU><o UNSPSC>. Democorp and UNSPSCS both have the size limit applied and return 100
entries each with a partial outcome (adminLimitExceeded). The router collates the results (200
entries) and sends the result (including partial outcome) to the client. The router does not trim
the result set, as the size limit is unenforced by the router, but the DSA handles the chained
request.
Remote Operations
Each DSA has a context prefix that defines the base of the DIT controlled by that DSA.
When the DSA receives an incoming operation, it services the request locally when the request
occurs in its own section of the namespace. When the operation is not local, it chains the operation
to a remote DSA except in the following circumstances:
A link of the appropriate authentication level to the remote DSA cannot be established.
Depending on the circumstance, the remote operation returns one of the following options:
Result
Referral
Service error
Security error
See the X.500 standards for a complete specification of how distributed DSAs cooperate to resolve a
query.
These one-level searches become a problem when there are many subordinate DSAs because a one-
level search must be broadcast to each of the DSAs (whereas a LIST returns the names of the DSAs).
To stop the flooding effect that this creates, especially at first-level DSAs, the DSA caches the replies
to one-level-search queries and makes them available to subsequent similar requests.
Only one-level searches returning object class are cached. These are the searches commonly used to
browse the directory.
04-May-2016 206/923
CA Directory - 12.0.18
Transparent Routing
Transparent routing allows a router DSA to process LDAP requests and responses without requiring
the controlling schema. This is useful if the router DSA is being used to link LDAP clients to an LDAP
server, or the clients and server have schema that are not known by the router DSA. Transparent
routing works with LDAP clients only.
By default, transparent routing is set to false. Transparent routing can be set on a router, as shown in
the following diagram
Many DSAs can have the same prefix, and so serve the same namespace partition. A router DSA
selects one of these DSAs to receive queries.
04-May-2016 207/923
CA Directory - 12.0.18
Having multiple DSAs with the same prefix improves the performance and availability of the directory
service. These DSAs can be on the same computer, or on different computers.
You can use groups of DSAs with the same prefix and the same data, as follows:
Failover
To improve the availability of the service, when one DSA fails, another automatically takes over its
request load.
Load sharing
To improve performance, read requests are divided between two or more DSAs. This happens
automatically between DSAs in the same site.
Load Sharing
Load sharing lets a router DSA distribute incoming requests evenly among all DSAs in the same site
that serve the same namespace partition. This improves performance.
DXmanager automatically sets up load sharing between DSAs in the same site that serve the same
namespace partition.
If you do not use DXmanager you need to set the DSA knowledge to enable load-sharing. The DSA
flags you can set are as follows:
precedence -- This specifies the order in which DSAs are allocated work.
The router DSAs use a least-busy load-sharing algorithm, which uses an ordered list of DSAs serving
each namespace partition. The routers favor the DSAs highest in the list that are not busy.
Note: DXmanager requires that DSAs that serve the same namespace partition must be on
different hosts. Also, DXmanager only allows load-sharing between DSAs in the same
region as the router.
The following diagram shows a router DSA connected to three data DSAs within the same site:
04-May-2016 208/923
CA Directory - 12.0.18
Example directory system that has one router DSA and three data DSAs in the same site, two of which have the
same prefix
The two Customers DSAs have the same prefix, so the router shares the load for that prefix between
those two DSAs.
During normal operation, the standby DSA is kept synchronized with the primary data DSA in case it is
needed.
The following diagram shows a single router DSA that usually sends requests to the Customers DSAs
on its own host, and on the NY21 host.
If both of these data DSAs fail, the router DSA automatically sends all requests to the Customers DSA
on NY23. This change is invisible to the clients.
In this example, the Customers DSA on NY23 is a backup: it is used only if the other data DSAs fail.
04-May-2016 209/923
CA Directory - 12.0.18
If a local data DSA fails, each router directs queries to the remote data DSA. This maintains the
availability and reliability of the directory.
The following diagram shows an example directory backbone that is distributed across two sites, New
York and Montreal.
A replicated system that allows for DSA failover and improved performance
The New York router cannot load-share to the Customers DSAs in Montreal because they are in a
different site from the router.
04-May-2016 210/923
CA Directory - 12.0.18
However, if both of the New York Customers DSAs are unavailable, the router can failover to the
Customers DSA in Montreal. Although the performance is lower until the New York DSAs are running
again, the service is still available.
Note: Failover consistency is guaranteed within a region, but not between regions.
1. Run more than one router DSA on more than one computer.
2. Configure the client applications to failover from one router DSA to the other.
As in Failover Between Hosts (see page 209), the router DSAs can fail over to the second data DSA.
However, this system also shows that the client application can fail over between the two router
DSAs.
These two router DSAs are set up to use the data DSAs in exactly the same way, which means that
the service to the client application is not interrupted.
04-May-2016 211/923
CA Directory - 12.0.18
Simple example showing that the client application can use the second router DSA if the first one fails
The set precedence command defines the order of the DSAs that the router DSA fails over to.
The set write-precedence command defines the order in which DSAs are chosen to perform updates.
You can use it to direct the write requests from a failover computer to a preferred master. If the set
write-precedence command is not present, updates follow the normal precedence, which is defined
by the order of the DSAs in the configuration file, or the set precedence command.
The DSAs in these lists have precedence over those that are not listed, and DSAs earlier in the lists
have precedence over those later in the lists.
To maximize performance, in general you should give faster DSAs precedence over slower DSAs, and
local DSAs precedence over remote DSAs.
When these commands occur in a configuration file, source them after the knowledge.
These commands should appear once only in the configuration files sourced by any particular DSA.
04-May-2016 212/923
CA Directory - 12.0.18
These commands should appear once only in the configuration files sourced by any particular DSA.
The DSAs EAST, WEST, NORTH and SOUTH contain the same information. The following command
ensures that DSAs in the east fail over to EAST before WEST:
The DSAs NORTH and SOUTH are not listed, so if both EAST and WEST are unavailable, DSAs will fail
over to them in the order that they are listed in the configuration file.
If you use the set precedence command to list DSAs that are also in load-sharing groups, then a load-
sharing group has the precedence of the highest DSA in that group.
A load-sharing group that includes DSA1 and DSA4 has precedence over a group that includes DSA2
and DSA3.
Also, a load-sharing group that includes DSA4 has precedence over a group that includes no listed
DSAs.
Round-robin DNS
This solution is easy to implement, but each client must maintain affinity with a single router DSA
for the duration of its connection. Also the inherent delays in pushing out changes to the DNS
records might cause a problem.
IP failover
Another good solution is to provide an immediate IP failover mechanism between the computers
running router DSAs. There is some extra configuration required for a router DSA to bind to a new
IP address, but it can be done. Ensure that the method you choose is immediate, does not require
rebooting, and handles failback.
04-May-2016 213/923
CA Directory - 12.0.18
Failback
Failback is the restoration to normal service of a CA Directory DSA after failing over and recovering.
When a subordinate DSA becomes unavailable, the router redirects all the requests targeted for that
DSA to another DSA servicing the same prefix (failover). When the unavailable DSA becomes available
again, then CA Directory automatically sends the requests to the DSA (failback).
Load Sharing
Load sharing lets a router DSA distribute incoming requests evenly among all DSAs in the same site
that serve the same namespace partition. This improves performance.
DXmanager automatically sets up load sharing between DSAs in the same site that serve the same
namespace partition.
If you do not use DXmanager you need to set the DSA knowledge to enable load-sharing. The DSA
flags you can set are as follows:
precedence -- This specifies the order in which DSAs are allocated work.
The router DSAs use a least-busy load-sharing algorithm, which uses an ordered list of DSAs serving
each namespace partition. The routers favor the DSAs highest in the list that are not busy.
Note: DXmanager requires that DSAs that serve the same namespace partition must be on
different hosts. Also, DXmanager only allows load-sharing between DSAs in the same
region as the router.
The following diagram shows a router DSA connected to three data DSAs within the same site:
04-May-2016 214/923
CA Directory - 12.0.18
Example directory system that has one router DSA and three data DSAs in the same site, two of which have the
same prefix
The two Customers DSAs have the same prefix, so the router shares the load for that prefix between
those two DSAs.
Failover is the ability of a router DSA to continue to service queries even when a data DSA becomes
unavailable. If the router detects that a DSA has failed, it resends outstanding requests to another
DSA that serves the same partition, making the failure invisible to clients.
During normal operation, the standby DSA is kept synchronized with the primary data DSA in case it is
needed.
The following diagram shows a single router DSA that usually sends requests to the Customers DSAs
04-May-2016 215/923
CA Directory - 12.0.18
The following diagram shows a single router DSA that usually sends requests to the Customers DSAs
on its own host, and on the NY21 host.
If both of these data DSAs fail, the router DSA automatically sends all requests to the Customers DSA
on NY23. This change is invisible to the clients.
In this example, the Customers DSA on NY23 is a backup: it is used only if the other data DSAs fail.
If a local data DSA fails, each router directs queries to the remote data DSA. This maintains the
availability and reliability of the directory.
The following diagram shows an example directory backbone that is distributed across two sites, New
York and Montreal.
04-May-2016 216/923
CA Directory - 12.0.18
A replicated system that allows for DSA failover and improved performance
The New York router cannot load-share to the Customers DSAs in Montreal because they are in a
different site from the router.
However, if both of the New York Customers DSAs are unavailable, the router can failover to the
Customers DSA in Montreal. Although the performance is lower until the New York DSAs are running
again, the service is still available.
Note: Failover consistency is guaranteed within a region, but not between regions.
1. Run more than one router DSA on more than one computer.
2. Configure the client applications to failover from one router DSA to the other.
As in Failover Between Hosts (see page 215), the router DSAs can fail over to the second data DSA.
However, this system also shows that the client application can fail over between the two router
DSAs.
These two router DSAs are set up to use the data DSAs in exactly the same way, which means that
the service to the client application is not interrupted.
04-May-2016 217/923
CA Directory - 12.0.18
Simple example showing that the client application can use the second router DSA if the first one fails
The set precedence command defines the order of the DSAs that the router DSA fails over to.
The set write-precedence command defines the order in which DSAs are chosen to perform updates.
You can use it to direct the write requests from a failover computer to a preferred master. If the set
write-precedence command is not present, updates follow the normal precedence, which is defined
by the order of the DSAs in the configuration file, or the set precedence command.
The DSAs in these lists have precedence over those that are not listed, and DSAs earlier in the lists
have precedence over those later in the lists.
To maximize performance, in general you should give faster DSAs precedence over slower DSAs, and
local DSAs precedence over remote DSAs.
When these commands occur in a configuration file, source them after the knowledge.
These commands should appear once only in the configuration files sourced by any particular DSA.
04-May-2016 218/923
CA Directory - 12.0.18
The DSAs EAST, WEST, NORTH and SOUTH contain the same information. The following command
ensures that DSAs in the east fail over to EAST before WEST:
The DSAs NORTH and SOUTH are not listed, so if both EAST and WEST are unavailable, DSAs will fail
over to them in the order that they are listed in the configuration file.
If you use the set precedence command to list DSAs that are also in load-sharing groups, then a load-
sharing group has the precedence of the highest DSA in that group.
A load-sharing group that includes DSA1 and DSA4 has precedence over a group that includes DSA2
and DSA3.
Also, a load-sharing group that includes DSA4 has precedence over a group that includes no listed
DSAs.
Round-robin DNS
This solution is easy to implement, but each client must maintain affinity with a single router DSA
for the duration of its connection. Also the inherent delays in pushing out changes to the DNS
records might cause a problem.
IP failover
Another good solution is to provide an immediate IP failover mechanism between the computers
running router DSAs. There is some extra configuration required for a router DSA to bind to a new
IP address, but it can be done. Ensure that the method you choose is immediate, does not require
rebooting, and handles failback.
04-May-2016 219/923
CA Directory - 12.0.18
Failback
Failback is the restoration to normal service of a CA Directory DSA after failing over and recovering.
When a subordinate DSA becomes unavailable, the router redirects all the requests targeted for that
DSA to another DSA servicing the same prefix (failover). When the unavailable DSA becomes available
again, then CA Directory automatically sends the requests to the DSA (failback).
Security in Distribution
Contents
Remote Bindings (see page 220)
Mutual Authentication (see page 220)
Trusting Distributed DSA Triggered Operations (see page 221)
To set up a DSA in a distributed system, you should be aware of how security works in a distributed
system.
Remote Bindings
The DSA dynamically binds to and unbinds from remote DSAs. A DSA maintains at most one binding
per security level (set by the auth-levels list in the DSA definition) to a remote DSA. When a DSA has
an established DSP binding of the correct security level to a remote DSA, it uses this binding. A
second binding of the same security level is not set up.
The DSA definition supports trust flags that enable a DSA to upgrade or downgrade a link between
DSAs. For example, when a link between two DSAs supports only anonymous connections, a
credentialed user can access the link when the receiving DSA supports the allow-downgrading trust
flag. Conversely, when the only allowed DSP link is a clear-password link, an anonymous user can
access the link only when there is support for the allow-upgrading trust flag.
A DSP binding to a remote DSA unbinds after the dsp-idle-time is exceeded. Ensure that you set this
value higher on router DSAs than on data DSAs.
Mutual Authentication
When a link is created between two DSAs, the DSAs authenticate with each other through a DSP bind
request. This authentication is two-way (mutual). The authentication takes place in two parts.
04-May-2016 220/923
CA Directory - 12.0.18
When a triggered operation must be sent to a different DSA, this access control override is lost. The
trust-flags = trust-dsa-triggered-operations notifies the DSA receiving one of these operations that
the request was internally generated and to run these operations at an elevated access level.
If you use any of the features mentioned earlier in a distributed environment, then we recommend
setting trust-flags = trust-dsa-triggered-operations on the DSAs that trigger the operation. This is
typically routers for the first three requests and data DSAs for the last three requests. If in doubt, you
can use trust-dsa-triggered-operations for all DSAs.
CA Directory supports Lightweight Directory Access Protocol (LDAP), which allows any LDAP-
conformant client to access CA Directory.
04-May-2016 221/923
CA Directory - 12.0.18
LDAP is fully integrated with CA Directory and provides greater performance and efficiency than
gateway approaches. Another advantage of integrated LDAP is that it obeys the DSA schema. This
means that you configure a new schema only once, because both LDAP and DAP protocols share the
same configuration.
CA Directory also supports the integration of LDAP servers into a distributed directory backbone. CA
Directory can send requests to one or more LDAP servers and process the results returned from them
as if they were normal X.500 directory hosts. This enables LDAP servers to be integrated into a fully
distributed directory framework.
Although DXmanager cannot start, stop, or reconfigure LDAP servers, it can monitor them.
A complication arises with name and password security (simple credentials). In DSP, a single link
between DSAs can support any number of users, because user information is passed with each DSP
request. However, in LDAP, links cannot be shared, so the CA Directory DSA must set up separate
links for every LDAP user.
04-May-2016 222/923
CA Directory - 12.0.18
When the DSA is acting as a direct pass-through from a user to an LDAP server and the user's name is
on the LDAP server, the DSA sets up a separate link for that user and uses their credentials in that
link.
The user invoking the request is authenticated using a DN that is outside the LDAP server.
...
ldap-dsa-password = fredspassword
...
};
The LDAP DSA name must be a valid entry in the LDAP server because all requests from the backbone
use the permissions that are granted to this entry.
The DSA in the previous example expects credentials to be returned on the bind confirm sent by the
LDAP server. If no credentials are returned, then the bind is rejected.
The knowledge reference of the LDAP server can include the trust flag no-server-credentials, which
indicates to the DSA that the LDAP server will not return credentials on a bind.
When this flag is set, then the DSA accepts a bind confirm result returned from the LDAP server if it
does not include credentials, as in the following example:
You can include the dsp-ldap-proxy link flag in the DXlink knowledge to cause the last DSA in the
chain to use the authorization of the originating user to perform operations on the LDAP server.
04-May-2016 223/923
CA Directory - 12.0.18
Important! This may compromise security because the originating user is never
authenticated by the LDAP server.
Usually, the last DSA in the chain binds to the LDAP server using the credentials specified in the ldap-
dsa-name and ldap-dsa-password flags.
If the dsp-ldap-proxy flag is also set, then the DN of the user that made the initial bind is added to the
following subsequent requests:
search
compare
modify
add
delete
modify DN
The proxy user is conveyed by the DSA that chains the operation over DXlink by including the
originator DN of the user performing the operation in the LDAP proxy authorization control on the
request. The LDAP server must permit the configured ldap-dsa-name user, the authority to proxy all
users.
Note: The dsp-ldap-proxy link flag can only be used if the target LDAP server supports the
LDAP Proxy Authorization control.
Prefix Mapping
Prefix mapping lets LDAP servers, other DSAs, or agents map into a backbone namespace.
Prefix mapping is useful for collecting disjointed subtrees under a common node. Applications include
transient groupings (such as task forces) or logical groupings (such as libraries where individual
libraries are spread across an organization or location tree).
Prefix mapping is also useful for if you want to integrate an LDAP server into a backbone. Because
LDAP servers have no concept of distribution, their DITs usually contain the first- or second-level
nodes. This makes it hard to integrate them into a host DIT.
To enable prefix mapping, configure the DSA's native prefix, using the set dsa command or
DXmanager.
04-May-2016 224/923
CA Directory - 12.0.18
There is also an LDAP server, which controls the partition o=Acme, c=US. Originally this controlled
the North American part of Acme but must now be incorporated into the backbone. To do this, the
knowledge for the LDAP server must contain the following prefix and native-prefix definitions:
Prefix Mapping
2. It replaces the prefix it received with the LDAP server's native prefix:
"o=acme"
5. The backbone DSA replaces the LDAP server's native prefix with the original prefix and sends
the results back to the client.
04-May-2016 225/923
CA Directory - 12.0.18
Although DXmanager cannot start, stop, or reconfigure LDAP servers, it can monitor them.
LDAP servers expect connections only from LDAP users; therefore, DXlink must make the X.500
backbone look like an ordinary LDAP user.
A complication arises with name and password security (simple credentials). In DSP, a single link
between DSAs can support any number of users, because user information is passed with each DSP
request. However, in LDAP, links cannot be shared, so the CA Directory DSA must set up separate
links for every LDAP user.
When the DSA is acting as a direct pass-through from a user to an LDAP server and the user's name is
on the LDAP server, the DSA sets up a separate link for that user and uses their credentials in that
link.
The user invoking the request is authenticated using a DN that is outside the LDAP server.
04-May-2016 226/923
CA Directory - 12.0.18
...
ldap-dsa-password = fredspassword
...
};
The LDAP DSA name must be a valid entry in the LDAP server because all requests from the backbone
use the permissions that are granted to this entry.
The DSA in the previous example expects credentials to be returned on the bind confirm sent by the
LDAP server. If no credentials are returned, then the bind is rejected.
The knowledge reference of the LDAP server can include the trust flag no-server-credentials, which
indicates to the DSA that the LDAP server will not return credentials on a bind.
When this flag is set, then the DSA accepts a bind confirm result returned from the LDAP server if it
does not include credentials, as in the following example:
You can include the dsp-ldap-proxy link flag in the DXlink knowledge to cause the last DSA in the
chain to use the authorization of the originating user to perform operations on the LDAP server.
Important! This may compromise security because the originating user is never
authenticated by the LDAP server.
Usually, the last DSA in the chain binds to the LDAP server using the credentials specified in the ldap-
dsa-name and ldap-dsa-password flags.
If the dsp-ldap-proxy flag is also set, then the DN of the user that made the initial bind is added to the
following subsequent requests:
search
compare
modify
add
04-May-2016 227/923
CA Directory - 12.0.18
delete
modify DN
The proxy user is conveyed by the DSA that chains the operation over DXlink by including the
originator DN of the user performing the operation in the LDAP proxy authorization control on the
request. The LDAP server must permit the configured ldap-dsa-name user, the authority to proxy all
users.
Note: The dsp-ldap-proxy link flag can only be used if the target LDAP server supports the
LDAP Proxy Authorization control.
Prefix Mapping
Contents
Example Prefix Mapping (see page 228)
Prefix mapping lets LDAP servers, other DSAs, or agents map into a backbone namespace.
Prefix mapping is useful for collecting disjointed subtrees under a common node. Applications include
transient groupings (such as task forces) or logical groupings (such as libraries where individual
libraries are spread across an organization or location tree).
Prefix mapping is also useful for if you want to integrate an LDAP server into a backbone. Because
LDAP servers have no concept of distribution, their DITs usually contain the first- or second-level
nodes. This makes it hard to integrate them into a host DIT.
To enable prefix mapping, configure the DSA's native prefix, using the set dsa command or
DXmanager.
There is also an LDAP server, which controls the partition o=Acme, c=US. Originally this controlled
the North American part of Acme but must now be incorporated into the backbone. To do this, the
knowledge for the LDAP server must contain the following prefix and native-prefix definitions:
04-May-2016 228/923
CA Directory - 12.0.18
Prefix Mapping
2. It replaces the prefix it received with the LDAP server's native prefix:
"o=acme"
5. The backbone DSA replaces the LDAP server's native prefix with the original prefix and sends
the results back to the client.
Horizontal Partitioning
Contents
Limitations in Horizontal Partitioning (see page 230)
Specify Horizontal Partitioning (see page 230)
Loading Horizontally Partitioned Data (see page 231)
If you have a large flat namespace, you can improve the scalability and performance by partitioning
the namespace. Thus, different DSAs serve different parts of the same level of namespace. In CA
Directory, horizontal partitioning is a method of achieving this objective.
A horizontal partitioning setup consists of a router DSA and a number of data DSAs.
The router and its data DSAs serve the namespace. The clients do not know which data DSA stores
the data for each part of the namespace.
04-May-2016 229/923
CA Directory - 12.0.18
The namespace data is partitioned among the data DSAs by hashing the RDN of each entry. Each data
DSA has a distinguishing hash value that is assigned to the prefix. Apart from the hash value, the
prefix specification is identical for all the DSAs in the set.
In a horizontal partition, a multi chained search gives a separate dxEntryCount for each DSA which
returns a hit. To get a consolidated number, use the value in dxTotalEntryCount.
Note: You can rename horizontally partitioned entries in SP10 or later using the set
rename-threshold = <num>; command. However, in previous versions, horizontal
partitioning uses the hash of the RDN, so you cannot rename horizontally partitioned
entries. In these older versions, delete the old entry and create a new one to force a
recalculation of the hash.
1. Select the attribute whose value you use to partition the namespace.
If there are multiple attributes, specify the asterisk (*) character instead of an attribute, as in
the following example:
2. Select a horizontal portioning hash that has the most even distribution of data to prevent
unbalanced partitions. The following hashing algorithms are supported:
3. For each DSA in the partitioning, append the string that determines the partition hashing to
the prefix.
You specify the prefix in the knowledge, so use either DXmanager or the set dsa prefix
command.
04-May-2016 230/923
CA Directory - 12.0.18
From a client point of view, all entries appear in the namespace <c AU> <ou Users>.
When the router receives a request, the router applies the specified hash function (hash1) to the
specified attribute value (guid) in the request. If the result is zero, it routes the request to DSA_A. If
the result is one, it routes the request to DSA_B, and so on.
To help you migrate existing data into a set of horizontally partitioned DSAs, use the DXloaddb tool to
load a subset of data from a single LDIF (containing all data) into each DSA servicing the horizontally
partitioned namespace. For each DSA, DXloaddb loads only the entries that match the partitioning
criteria.
In a horizontal partition, a multi-chained search gives a separate dxEntryCount for each DSA which
returns a hit. To get a consolidated number, use the value in dxTotalEntryCount.
Note: You can rename horizontally partitioned entries in SP10 or later using the set
rename-threshold = <num>; command. However, in previous versions, horizontal
partitioning uses the hash of the RDN, so you cannot rename horizontally partitioned
entries. In these older versions, you should delete the old entry and create a new one to
force a recalculation of the hash.
04-May-2016 231/923
CA Directory - 12.0.18
1. Select the attribute whose value you will use to partition the namespace.
If there are multiple attributes, specify the asterisk (*) character instead of an attribute, as in
the following example:
2. Select a horizontal portioning hash that has the most even distribution of data to prevent
unbalanced partitions. The following hashing algorithms are supported:
3. For each DSA in the partitioning, append the string that determines the partition hashing to
the prefix.
You specify the prefix in the knowledge, so use either DXmanager or the set dsa prefix
command.
From a client point of view all entries appear in the namespace <c AU> <ou Users>.
When the router receives a request, the router applies the specified hash function (hash1) to the
specified attribute value (guid) in the request. If the result is zero, it routes the request to DSA_A. If
the result is one, it routes the request to DSA_B, and so on.
04-May-2016 232/923
CA Directory - 12.0.18
To help you migrate existing data into a set of horizontally partitioned DSAs, use the DXloaddb tool to
load a subset of data from a single LDIF (containing all data) into each DSA servicing the horizontally
partitioned namespace. For each DSA, DXloaddb loads only the entries that match the partitioning
criteria.
Set Up Authentication
Authentication Levels
Contents
Anonymous Authentication (see page 233)
Clear-Password Authentication (see page 233)
How a Connection Is Established with Clear-Password Authentication (see page 234)
SSL Authentication (see page 234)
How an SSL Connection Is Established (see page 235)
How a Directory Connection Is Established (see page 235)
Bypass the Entry Check (see page 236)
Authentication is the process of validating users. During authentication, the server asks itself, Is the
user who he or she says they are?
Each DSA has one or more authentication levels. The authentication levels assigned to a DSA define
what credentials a user must present to bind to and query that DSA.
Anonymous Authentication
Anonymous authentication lets users connect to a directory without providing credentials.
This is useful for public directory services, because user identification is usually not important.
Clear-Password Authentication
Clear-password authentication (sometimes called simple authentication) allows users to connect or
bind to a directory by providing a username and password.
04-May-2016 233/923
CA Directory - 12.0.18
The minimum authentication of all the DSAs must not include the value ssl-auth.
The entry named by the user name does not contain a password attribute.
The password provided does not match the password value of the attribute in the entry named
by the user name.
1. The client sends a bind request with its username and password.
2. The DSA checks the username and password against the relevant DN entry.
3. If the username exists and the password matches, the bind is authenticated and established.
If the username does not exist, or the password is incorrect, an BIND REFUSE message is
returned to the client.
Simple Bind
Note: Once a bind or connection is established, all further client operations or directory
requests are subject to access control rules.
SSL Authentication
Strong authentication uses SSL certificates to protect LDAP and X.500 access by encrypting data with
Secure Sockets Layer (SSL) security. When certificate-based authentication is used, all communication
on the binding set up by the bind use SSL encryption.
SSL certificate based authentication is typically used in environments where personal or company
data requires protection, for example, an online banking environment.
04-May-2016 234/923
CA Directory - 12.0.18
Simple SSL
Authenticated SSL
Simple SSL authenticates the server only, while Authenticated SSL authenticates both the client and
the server.
The following diagram illustrates the first part of the SSL certificate-based authentication process:
2. DSA validates the connection request by checking the validity dates and checking the issuer of
the certificate against the configured trusted roots.
3. If the certificate details are correct, the DSA establishes an SSL connection with the client
application.
In a distributed or X.500 environment, the bind external procedure is used. This tells the directory to
use the certificate from the link layer.
2. The DSA checks the directory entry named by the subject DN contained in the certificate.
3. If the DN named in the subject DN of the certificate match those in the directory, then the
DSA accepts the bind request.
Note: In a secure environment, you can choose to bypass the DSA check on the DN.
04-May-2016 235/923
CA Directory - 12.0.18
When this is set, while authenticating the client, the DSA does not check that an entry with a
distinguished name matching the subject field in the certificate of the client exists in the directory.
Anonymous Authentication
Anonymous authentication lets users connect to a directory without providing credentials.
This is useful for public directory services, because user identification is usually not important.
Clear-Password Authentication
Contents
How a Connection Is Established with Clear-Password Authentication (see page 236)
The minimum authentication of all the DSAs must not include the value ssl-auth.
The entry named by the user name does not contain a password attribute.
The password provided does not match the password value of the attribute in the entry named
by the user name.
1. The client sends a bind request with its username and password.
2. The DSA checks the username and password against the relevant DN entry.
04-May-2016 236/923
CA Directory - 12.0.18
3. If the username exists and the password matches, the bind is authenticated and established.
If the username does not exist, or the password is incorrect, an BIND REFUSE message is
returned to the client.
Simple Bind
Note: Once a bind or connection is established, all further client operations or directory
requests are subject to access control rules.
SSL Authentication
Contents
How an SSL Connection Is Established (see page 237)
How a Directory Connection Is Established (see page 238)
Bypass the Entry Check (see page 238)
Strong authentication uses SSL certificates to protect LDAP and X.500 access by encrypting data with
Secure Sockets Layer (SSL) security. When certificate-based authentication is used, all communication
on the binding set up by the bind use SSL encryption.
SSL certificate based authentication is typically used in environments where personal or company
data requires protection, for example, an online banking environment.
Simple SSL
Authenticated SSL
Simple SSL authenticates the server only, while Authenticated SSL authenticates both the client and
the server.
The following diagram illustrates the first part of the SSL certificate-based authentication process:
04-May-2016 237/923
CA Directory - 12.0.18
2. DSA validates the connection request by checking the validity dates and checking the issuer of
the certificate against the configured trusted roots.
3. If the certificate details are correct, the DSA establishes an SSL connection with the client
application.
In a distributed or X.500 environment, the bind external procedure is used. This tells the directory to
use the certificate from the link layer.
2. The DSA checks the directory entry named by the subject DN contained in the certificate.
3. If the DN named in the subject DN of the certificate match those in the directory, then the
DSA accepts the bind request.
Note: In a secure environment, you can choose to bypass the DSA check on the DN.
When this is set, while authenticating the client, the DSA does not check that an entry with a
distinguished name matching the subject field in the certificate of the client exists in the directory.
In a distributed system, the namespace is divided into many DSAs. This means that users could bind
to one DSA and request information on another. Users can also bind to one DSA, which then forwards
the user's credentials to a second DSA to confirm the bind.
How the networked system of DSAs responds to these requests depends on how they are configured.
04-May-2016 238/923
CA Directory - 12.0.18
How the networked system of DSAs responds to these requests depends on how they are configured.
1. Set appropriate authentication levels for each DSA (see page 570).
2. (Optional) Configure relevant DSAs to allow forwarding of password checks (see page 239).
3. (Optional) Configure all relevant DSAs to trust conveyed originators (see page 242).
4. Check the authentication link between all DSAs (see page 243).
CA Directory lets you define how much each DSA should trust another. By default, security is tight.
The settings let you selectively relax security between DSAs.
In a distributed network of DSAs, users can bind to one DSA when their entries are held on a second
DSA. When the initial bind is made, the DSA can forward the password compare check to a second
DSA if certain authentication parameters are set.
To allow users to bind to a local DSA when their details are held on a remote DSA, set allow check
password to true . This is set to true by default.
When a bind is requested, the local DSA forwards a Password Compare request to the remote DSA. If
this returns a Compare Confirm with the assertion true, the local DSA returns a Bind Confirm message
to the user.
The Customers DSA contains the entries for the customers, including the credentials required during
binds. The Allow check password setting for the Customers DSA is true.
The following diagram shows how the router DSA delegates a password check to the Customers DSA:
04-May-2016 239/923
CA Directory - 12.0.18
1. The router DSA receives a bind request from a user whose credentials are stored in the
Customers DSA. The router DSA cannot check the user's credentials, but it knows that the
Customers DSA can.
2. The router DSA checks the configuration of the Customers DSA to see whether it can trust the
Customers DSA to authenticate a user. The Allow check password setting indicates that this is
permissible.
3. The router DSA requests the Customers DSA to authenticate the user.
You can set the value for this configuration item at the following levels:
Namespace partition -- This affects all DSAs that serve that partition.
04-May-2016 240/923
4.
CA Directory - 12.0.18
a. Right-click on the partition you want this setting applied to, and then select Edit
properties.
7. Click OK.
The Customers DSA contains the entries for the customers, including the credentials required during
binds. The Allow check password setting for the Customers DSA is true.
The following diagram shows how the router DSA delegates a password check to the Customers DSA:
1. The router DSA receives a bind request from a user whose credentials are stored in the
Customers DSA. The router DSA cannot check the user's credentials, but it knows that the
Customers DSA can.
2. The router DSA checks the configuration of the Customers DSA to see whether it can trust the
Customers DSA to authenticate a user. The Allow check password setting indicates that this is
permissible.
3. The router DSA requests the Customers DSA to authenticate the user.
04-May-2016 241/923
CA Directory - 12.0.18
You can set the value for this configuration item at the following levels:
Namespace partition -- This affects all DSAs that serve that partition.
a. Right-click on the partition you want this setting applied to, and then select Edit
properties.
7. Click OK.
The following steps provide a high-level overview of how user authentication is conveyed between
DSAs:
1. A user binds to a DSA. The bind request includes the user's DN, and the user's credentials.
04-May-2016 242/923
CA Directory - 12.0.18
1. A user binds to a DSA. The bind request includes the user's DN, and the user's credentials.
3. The user makes another request that the current DSA cannot fulfill.
4. The DSA passes the request to another DSA that can fulfill the request. The request includes
the user's DN and authentication.
5. The receiving DSA must decide whether to trust the user's authentication. To do this, it looks
at the configuration of the first DSA for the Trust conveyed originator option.
6. If the receiving DSA finds the Trust conveyed originator option, it accepts the request. Even
though the user was authenticated on the first DSA, it is treated as if it had been
authenticated on the second.
7. The receiving DSA uses the DN of the originating user to determine what access controls to
apply to the request.
In this example, a client is connecting to one DSA and requesting information from a second DSA.
Rather than repeat user authentication, the UNSPSC DSA can be configured to trust all user
authentication being passed by the Democorp DSA.
To do this, the UNSPSC DSA's configuration includes the Trust conveyed originator option.
If the initial bind was made using a strong SSL certificate-based connection then communication
between DSAs occurs at the SSL security level. Alternatively, if the initial bind was made using no
authentication, then all communication would occur at the same level.
Strong security
SSL authentication is carried on an SSL bind
Simple security
Simple authentication is carried on a clear-password bind
No security
Anonymous authentication is carried on an anonymous bind
04-May-2016 243/923
CA Directory - 12.0.18
The three possible links between two DSAs: anonymous, simple, or SSL authenticated
A user may bind to one DSA using simple authentication, and then request information from a
second DSA that requires SSL authentication.
A user may connect to one DSA using SSL authentication but then is refused any distributed
operations because further DSAs do not support SSL. Both issues result in the following error
message:
To overcome these potential issues, you can either change the authentication levels so that
a compatible link can be established, or upgrade or downgrade the trust levels between
distributed DSAs.
A link is upgraded if a DSA uses a higher level of authentication to forward a clients request to
another DSA that is higher than the authentication level used by the client to bind to the DSA.
To upgrade the link type between DSAs, set the following command in the appropriate knowledge
configuration file:
trust-flags = allow-upgrading
Important! Allow upgrading presents a serious security risk. For example, you are allowing
an anonymous user to act as if they had presented a username and password.
A user is connecting to one DSA using anonymous authentication and then requesting information
from a second DSA that requires simple authentication (username and password). Unless the link is
upgraded, the user receives the error message No compatible link type.
To upgrade the link, the DemoCorp DSA knowledge file includes configuration commands as in the
following extract:
04-May-2016 244/923
CA Directory - 12.0.18
To downgrade the link type between DSAs, set the following command in the appropriate knowledge
configuration file:
trust-flags = allow-downgrading
Important! Use this command only to permit unauthenticated DSA links within the one
organization (or on the one host), or to grant access to a public server.
In this example, a user is connecting to one DSA using SSL authentication, and then requesting
information from a second DSA that requires simple authentication (username and password). Unless
the link is downgraded, the user receives the error message No compatible link type.
To downgrade the link, the Democorp DSA is configured with the trust flag allow-downgrading.
To upgrade the link type between DSAs, set the following command in the appropriate knowledge
configuration file:
trust-flags = allow-upgrading
Important! Allow upgrading presents a serious security risk. For example, you are allowing
an anonymous user to act as if they had presented a username and password.
A user is connecting to one DSA using anonymous authentication and then requesting information
from a second DSA that requires simple authentication (username and password). Unless the link is
upgraded, the user receives the error message No compatible link type.
04-May-2016 245/923
CA Directory - 12.0.18
To upgrade the link, the DemoCorp DSA knowledge file includes configuration commands as in the
following extract:
To downgrade the link type between DSAs, set the following command in the appropriate knowledge
configuration file:
trust-flags = allow-downgrading
Important! Use this command only to permit unauthenticated DSA links within the one
organization (or on the one host), or to grant access to a public server.
In this example, a user is connecting to one DSA using SSL authentication, and then requesting
information from a second DSA that requires simple authentication (username and password). Unless
the link is downgraded, the user receives the error message No compatible link type.
To downgrade the link, the Democorp DSA is configured with the trust flag allow-downgrading.
DSP Authentication
Contents
DSP Simple Authentication (see page 247)
Credentials Used during DSA Binds (see page 247)
DSP SSL Authentication (see page 247)
How DSP SSL Authentication Works (see page 247)
Directory system protocol (DSP) is an X.500 exchange protocol between DSAs. It supports
anonymous, simple and SSL authentication. The following sections summarize DSP simple and SSL
authentication.
04-May-2016 246/923
CA Directory - 12.0.18
Authenticated DSP binds use mutual authentication. During the bind process, each DSA supplies its
own credentials to the other DSA, and each DSA also checks the credentials supplied to it by the
other DSA.
The distinguished name of the credentials matches the remote DSA name.
The address of the binding DSA matches the address of the remote DSA.
We recommend that the DSAs in a DSP-meshed network share the same group knowledge
configuration file so that all the combinations of names and passwords are known to each DSA.
If you want only DSA-to-DSA connections to be encrypted, SSL authentication is unnecessary. Instead,
set the link-flags element in the DSA knowledge to ssl-encryption.
1. The DSA sending the bind request checks its own knowledge file to determine if it can use SSL.
2. The sending DSA then checks the knowledge file of the receiving DSA to see if it can accept an
SSL connection. If it cannot, the bind attempt is aborted. If it can, the DSA sends the SSL bind
request.
In this example, the Democorp DSA finds the ssl-auth flag in its copy of the UNSPSC knowledge file, so
it sends the SSL bind request as follows:
04-May-2016 247/923
CA Directory - 12.0.18
DSP binds are subject to the min-auth setting. This means that if the local DSA has enabled
authentication, an incoming DSP bind request must have valid bind credentials.
Authenticated DSP binds use mutual authentication. During the bind process, each DSA supplies its
own credentials to the other DSA, and each DSA also checks the credentials supplied to it by the
other DSA.
The distinguished name of the credentials matches the remote DSA name.
The address of the binding DSA matches the address of the remote DSA.
We recommend that the DSAs in a DSP-meshed network share the same group knowledge
configuration file so that all the combinations of names and passwords are known to each DSA.
To enable SSL authentication between DSAs, the auth-levels flag of the receiving DSA must include
the value ssl-auth.
If you want only DSA-to-DSA connections to be encrypted, SSL authentication is unnecessary. Instead,
set the link-flags element in the DSA knowledge to ssl-encryption.
04-May-2016 248/923
CA Directory - 12.0.18
1. The DSA sending the bind request checks its own knowledge file to determine if it can use SSL.
2. The sending DSA then checks the knowledge file of the receiving DSA to see if it can accept an
SSL connection. If it cannot, the bind attempt is aborted. If it can, the DSA sends the SSL bind
request.
In this example, the Democorp DSA finds the ssl-auth flag in its copy of the UNSPSC knowledge file, so
it sends the SSL bind request as follows:
Password Storage
To check a password, an application either requests a compare operation of the userPassword
attribute, or performs a bind operation using clear password authentication. The DSA then hashes
(encrypts) the candidate password and compares it with the value saved in the stored directory.
When a password is stored in a directory (add or modify of userPassword), the hashing algorithm that
is applied is configured using the set password-storage command. Default: Salted SHA-512
To assist with migration from Active Directory, you can load passwords that are hashed using the NT
/NTLM algorithms using dxloaddb. Prefix the userPassword values using the {NT} or {NTLM} labels,
respectively.
Example:
userPassword: {NTLM}Afxaa+e8aSmq07Q1tRQE7g==
userPassword: {NT}DLaUiAX3l78qgoB5c7iVNw==
This example supports operations and authentication without requiring all migrated users to change
their passwords. When a password is modified, the algorithm moves it from NT/NTLM to the
configured password-storage method.
04-May-2016 249/923
CA Directory - 12.0.18
In this command, dn is the distinguished name of a trusted proxy. The proxy must bind using SASL
/EXTERNAL over SSL.
CA Directory access controls are based on the 1993 X.500 standards. However, the 1993 X.500 access
controls are difficult to understand and work with. CA Directory provides access control rules that are
easier to work with, and maps these rules to the X.500 access controls.
Is this client permitted to perform this operation, on this data, in this subtree, at this time?
Where:
An operation is one of the usual directory services, including compare, list, search, read, add,
remove, modify, or modify-dn
The time is a particular minute of the day or a particular day of the week
When the answer to this question is yes, the operation can proceed. When the answer is no, the
operation is refused.
For information about how aliases work with access controls, see Access Controls and Aliases.
04-May-2016 250/923
CA Directory - 12.0.18
Although only one access control policy can be in place at any given time, the policy can have
different effects at different times. For example, a policy can contain one set of access controls for
business hours and another for after hours.
Each access control rule determines the operations that can be performed by a user or client. A set of
rules defines the complete access control policy.
For example, you can create rules that specify the following:
All access control rules contain parameters that specify who, where, and what the rule applies to.
Rules are also cumulative, which means you can define a very complex access control policy.
Rule Configuration
Access control rules are stored in one or more configuration files. To change a rule you need to edit
the file containing the rule. For the rule to take effect, the DSAs that source the access control file
must be restarted after the file has been edited.
You can also group access control files into a group configuration file (.dxg). This helps you share
policies among a number of DSAs.
Ensure that each DSA's initialization file sources the file that contains these commands. The DSA then
04-May-2016 251/923
CA Directory - 12.0.18
Ensure that each DSA's initialization file sources the file that contains these commands. The DSA then
activates these commands when it starts up or is reinitialized.
Access control rules are defined on named entries, subtrees or attributes. If you rename these
items, then the access control rule no longer protects those items.
If you deny access to a naming attribute and do not deny access to entries lower down in the
tree, then the naming attribute is still visible.
Access controls are effective only when you enable access controls.
Rule Configuration
Access control rules are stored in one or more configuration files. To change a rule you need to edit
the file containing the rule. For the rule to take effect, the DSAs that source the access control file
must be restarted after the file has been edited.
You can also group access control files into a group configuration file (.dxg). This helps you share
policies among a number of DSAs.
Ensure that each DSA's initialization file sources the file that contains these commands. The DSA then
activates these commands when it starts up or is reinitialized.
Access control rules are defined on named entries, subtrees or attributes. If you rename these
items, then the access control rule no longer protects those items.
If you deny access to a naming attribute and do not deny access to entries lower down in the
tree, then the naming attribute is still visible.
Access controls are effective only when you enable access controls.
Access Levels
Contents
Example Access Levels with Multiple Rules (see page 253)
Example Access Levels with Multiple Rules and Specific Permissions on Protected Items (see page
254)
04-May-2016 252/923
CA Directory - 12.0.18
Static access control rules have a hierarchy of precedence. When a DSA receives a request, the DSA
tests whether to accept the request by using the applicable access control rule with the highest
precedence, and ignores any other access control rules. The precedence levels are as follows:
For that item, within the scope of those rules, and for the users specified in those rules:
04-May-2016 253/923
CA Directory - 12.0.18
Since there is no super user access rule, there are no super users.
Example Access Levels with Multiple Rules and Specific Permissions on Protected
Items
Assume that access controls are set on, and that an item has the following access control rules (and
that no other rules are set):
For that item, within the scope of those rules, and for the users specified in those rules:
Since there is no super user access rule, there are no super users.
Entry level access control is specified. That is, no attributes are specified.
04-May-2016 254/923
CA Directory - 12.0.18
You can give a user Administrative access to only some attributes in a subtree. Users then cannot add
or remove entries; they can only work with the selected attributes.
Administrative user access has a higher precedence than protected items access level.
Protected Items
The set protected-items command totally or partially denies access by public and registered users to a
subtree, entry, or attributes in a subtree or entry.
For example, you might give registered users read access to the whole directory, and then specify
personnel records as protected items. This makes the personnel records invisible to registered and
public users.
Protected items access rules never grant an access. They specify what sorts of access are denied.
Protected items access rules take precedence over public users and registered users access level
rules.
Protect an entry
When you protect an entry, neither registered nor public users can read it. It can, however,
appear in a list result if the user can access the parent.
This occurs because the protected entry may have subordinates that are visible to the user.
Protect a subtree
If the same entry has protection as a subtree, a registered or public user cannot read it, and it
does not appear in a list result as a subordinate entry.
Protecting Passwords
Protecting a password makes the password attribute invisible to public and registered users.
Because authentication requires the name of an entry, and that entry must contain a password,
hiding the password makes login entries indistinguishable from other entries.
04-May-2016 255/923
CA Directory - 12.0.18
The specified entry is invisible to members of the employees role (unless a higher precedence access
control rule grants them some access).
Example Let a User Modify All Attributes in Their Own Entry Except "role"
In this example, the set reg-user rule gives the user modification rights to all attributes in their own
entry, and the protected-items rule takes away modification rights for just the role attribute. The
result is that users can modify all attributes in their own entries except "role", which they can read.
set reg-user = {
own-entry
subtree = <o Democorp>
perms = modify
};
set protected-items = {
own-entry
subtree = <o DemoCorp>
attrs = role
perms = modify
};
Without the perms = modify in the set protected-items rule, the user would be denied all access to
the role attribute (including read access).
Registered Users
Registered user access gives registered (authenticated) users access rights over specified scopes.
These scopes can be a subtree, entry, or designated attributes in an entry or subtree.
You can give a registered user access to only some attributes in a subtree. The user then cannot add
or remove entries: they can only work with the selected attributes.
Registered user access level rules are a lower precedence than protected items access level rules.
Public Users
Public user access gives all anonymous users access rights over specified scopes. These scopes can be
a subtree, entry, or designated attributes in an entry or subtree.
Any access right you give for public users is given to all users, unless the access is taken away by a
protected items access rule. Public user access level is the lowest precedence access level.
04-May-2016 256/923
CA Directory - 12.0.18
For that item, within the scope of those rules, and for the users specified in those rules:
Since there is no super user access rule, there are no super users.
Example Access Levels with Multiple Rules and Specific Permissions on Protected
Items
Assume that access controls are set on, and that an item has the following access control rules (and
that no other rules are set):
For that item, within the scope of those rules, and for the users specified in those rules:
Since there is no super user access rule, there are no super users.
04-May-2016 257/923
CA Directory - 12.0.18
Since there is no super user access rule, there are no super users.
Entry level access control is specified. That is, no attributes are specified.
You can give a user Administrative access to only some attributes in a subtree. Users then cannot add
or remove entries; they can only work with the selected attributes.
Administrative user access has a higher precedence than protected items access level.
Protected Items
Contents
Protecting Entries and Subtrees (see page 258)
Protecting Passwords (see page 259)
Example Protect an Entry (see page 259)
Example Let a User Modify All Attributes in Their Own Entry Except "role" (see page 259)
The set protected-items command totally or partially denies access by public and registered users to a
subtree, entry, or attributes in a subtree or entry.
For example, you might give registered users read access to the whole directory, and then specify
personnel records as protected items. This makes the personnel records invisible to registered and
public users.
Protected items access rules never grant an access. They specify what sorts of access are denied.
Protected items access rules take precedence over public users and registered users access level
rules.
Protect an entry
When you protect an entry, neither registered nor public users can read it. It can, however,
appear in a list result if the user can access the parent.
This occurs because the protected entry may have subordinates that are visible to the user.
04-May-2016 258/923
CA Directory - 12.0.18
Protect a subtree
If the same entry has protection as a subtree, a registered or public user cannot read it, and it
does not appear in a list result as a subordinate entry.
Protecting Passwords
Protecting a password makes the password attribute invisible to public and registered users.
Because authentication requires the name of an entry, and that entry must contain a password,
hiding the password makes login entries indistinguishable from other entries.
The specified entry is invisible to members of the employees role (unless a higher precedence access
control rule grants them some access).
Example Let a User Modify All Attributes in Their Own Entry Except "role"
In this example, the set reg-user rule gives the user modification rights to all attributes in their own
entry, and the protected-items rule takes away modification rights for just the role attribute. The
result is that users can modify all attributes in their own entries except "role", which they can read.
set reg-user = {
own-entry
subtree = <o Democorp>
perms = modify
};
set protected-items = {
own-entry
subtree = <o DemoCorp>
attrs = role
perms = modify
};
Without the perms = modify in the set protected-items rule, the user would be denied all access to
the role attribute (including read access).
Registered Users
Registered user access gives registered (authenticated) users access rights over specified scopes.
These scopes can be a subtree, entry, or designated attributes in an entry or subtree.
You can give a registered user access to only some attributes in a subtree. The user then cannot add
or remove entries: they can only work with the selected attributes.
04-May-2016 259/923
CA Directory - 12.0.18
Registered user access level rules are a lower precedence than protected items access level rules.
Public Users
Public user access gives all anonymous users access rights over specified scopes. These scopes can be
a subtree, entry, or designated attributes in an entry or subtree.
Any access right you give for public users is given to all users, unless the access is taken away by a
protected items access rule. Public user access level is the lowest precedence access level.
The directory architect has created the following plain-English access control policy:
Authenticated users (that is, all users except public users) can update their own entries.
Public (anonymous) users can view, but not change, the name, email address, and telephone
number of any staff member, and can also view, but not change, anything in the public subtree.
This denies all users any access. This provides a clear basis on which to apply layers of
permissions.
clear access;
Give DSA administrators all privileges (assuming a role called DSA-administrators has been
defined):
04-May-2016 260/923
CA Directory - 12.0.18
defined):
role=DSA-Administrators
};
own-subtree
perms=modify
};
Let PABX operators update all telephone numbers (assuming a role called pabx-operators has
been defined):
role=pabx-operators
subtree=<o ACME>
attrs=telephoneNumber
perms=modify
};
Let public users view (but not change) the name, e-mail address, and telephone number of staff:
attrs=commonName,eMailAddress,telephoneNumber
};
Let public users view (but not change) anything in the public subtree:
};
Make passwords invisible to everyone except DSA administrators (this requires that only DSA
administrators have the necessary access controls)
subtree=<o ACME>
attrs = userPassword
};
Make users administrators of their own passwords so they have update rights:
04-May-2016 261/923
CA Directory - 12.0.18
set admin-user = {
own-entry
attrs = userPassword
};
This denies all users any access. This provides a clear basis on which to apply layers of
permissions.
clear access;
Give DSA administrators all privileges (assuming a role called DSA-administrators has been
defined):
role=DSA-Administrators
};
own-subtree
perms=modify
};
Let PABX operators update all telephone numbers (assuming a role called pabx-operators has
been defined):
role=pabx-operators
subtree=<o ACME>
attrs=telephoneNumber
04-May-2016 262/923
CA Directory - 12.0.18
perms=modify
};
Let public users view (but not change) the name, e-mail address, and telephone number of staff:
attrs=commonName,eMailAddress,telephoneNumber
};
Let public users view (but not change) anything in the public subtree:
};
Make passwords invisible to everyone except DSA administrators (this requires that only DSA
administrators have the necessary access controls)
subtree=<o ACME>
attrs = userPassword
};
Make users administrators of their own passwords so they have update rights:
set admin-user = {
own-entry
attrs = userPassword
};
If you have set up a role, then you can assign that role to one or more access control rules. All
members of that role then inherit those access control rules. This works for both static and dynamic
roles.
04-May-2016 263/923
CA Directory - 12.0.18
2. The DSA searches all roles in the Role subtree, looking for the user's DN in the member and
uniqueMember attributes of any entry with the groupOfNames or groupofUniqueNames
object classes.
3. The DSA uses the names returned by this search as the roles for that user for the duration of
this binding, and uses them in access control decisions.
Note: Before you can use role-based access controls, you must set up roles in the directory.
The roles DSA must contain an access control rule that gives the router DSA access to the role
subtree. This means that when a user connects to a local DSA and the password is confirmed, the DSA
looks up the user's roles without bypassing access controls.
Because you assign a role to an access control by creating an access control rule, you need to restart
the DSA for the assignment to take effect.
3. Create an access control rule that specifies that the role is a user of the access control rule.
A router DSA
Both the Router and Roles DSAs are configured with the following commands:
04-May-2016 264/923
CA Directory - 12.0.18
clear access;
set access-controls = true;
set role-subtree = <c AU><o Roles>;
set use-roles = true;
set reg-user = {
user = <c AU><cn DXserver>
subtree = <c AU><o Roles>
};
The roles DSA must contain an access control rule that gives the router DSA access to the role
subtree. This means that when a user connects to a local DSA and the password is confirmed, the DSA
looks up the user's roles without bypassing access controls.
Because you assign a role to an access control by creating an access control rule, you need to restart
the DSA for the assignment to take effect.
04-May-2016 265/923
CA Directory - 12.0.18
3. Create an access control rule that specifies that the role is a user of the access control rule.
A router DSA
Both the Router and Roles DSAs are configured with the following commands:
clear access;
set access-controls = true;
set role-subtree = <c AU><o Roles>;
set use-roles = true;
set reg-user = {
user = <c AU><cn DXserver>
subtree = <c AU><o Roles>
};
04-May-2016 266/923
CA Directory - 12.0.18
The proxy binds to a DSA using certificate-based authentication. Those users permitted to proxy
(impersonate someone else) are identified to a DSA as a list of distinguished names held in the trust-
sasl-proxy list.
When using a proxy, impersonating usera can never obtain more power than they already have. In
other words, in assuming the identity of another user, they may not obtain all the privileges of that
user.
Once bound to a DSA, the proxy may change identity by changing the value of dxProxyUser in the
entry cn=roles to the distinguished name of the new identity. This has the effect of evaluating the
roles for the new identity. An exception is where the proxy also changes the value of dxProxyRole in
cn=roles. In this case, roles are taken directly from the attribute value, not by accessing role entries in
the directory.
The entry cn=roles is an operational entry, which means that it does not appear in the directory
information tree, and it is never returned in any query results.
To permit the proxy to impersonate users not in the directory (external users), the proxy replaces the
value of the dxProxyUser attribute in the operational entry with the distinguished name of the new
identity, and at the same time replaces the value of the dxProxyRole attribute with the roles of the
new identity. In this instance, the roles provided in the replace operation are used directly, if the
following command is set:
For more information on each command type and available parameters, see DXserver Commands.
04-May-2016 267/923
CA Directory - 12.0.18
When you disable access controls, all users have complete access to the directory.
Note: You can not enter control rules directly in the CA Directory console.
2. Set up access control rules for one or more of the following access levels:
Super users
Super users have unrestricted read and update access to all parts of the DSA.
To set access controls for super users, use the command set super-user.
Administrative users
Administrative users typically have read and update privileges over a specified directory
subtree.
To set access controls for administrative users, use the command set admin-user.
Protected items
Protected items take away privileges from registered users and public users.
To set access controls for protected items, use the command set protected-items.
Registered users
Registered users typically have read access to a specified subtree.
To set access controls for registered users, use the command set reg-user.
04-May-2016 268/923
CA Directory - 12.0.18
Public users
Public (anonymous) users typically have read-only access to a specified subtree.
To set access controls for public users, use the command set public-user.
To use role-based access controls in a distributed environment, you can configure a router
DSA to compare passwords and look up roles using its own credentials. Do this in
DXmanager, by setting the flag Trust DSA_triggered operations.
get access;
clear access;
get oper;
If the output from this command includes the following line, access controls are enabled:
04-May-2016 269/923
2.
CA Directory - 12.0.18
access-controls = TRUE
When you disable access controls, all users have complete access to the directory.
Note: You can not enter control rules directly in the CA Directory console.
2. Set up access control rules for one or more of the following access levels:
Super users
Super users have unrestricted read and update access to all parts of the DSA.
To set access controls for super users, use the command set super-user.
Administrative users
Administrative users typically have read and update privileges over a specified directory
subtree.
To set access controls for administrative users, use the command set admin-user.
Protected items
Protected items take away privileges from registered users and public users.
To set access controls for protected items, use the command set protected-items.
04-May-2016 270/923
CA Directory - 12.0.18
Registered users
Registered users typically have read access to a specified subtree.
To set access controls for registered users, use the command set reg-user.
Public users
Public (anonymous) users typically have read-only access to a specified subtree.
To set access controls for public users, use the command set public-user.
To use role-based access controls in a distributed environment, you can configure a router
DSA to compare passwords and look up roles using its own credentials. Do this in
DXmanager, by setting the flag Trust DSA_triggered operations.
get access;
clear access;
04-May-2016 271/923
CA Directory - 12.0.18
get oper;
If the output from this command includes the following line, access controls are enabled:
access-controls = TRUE
Set Up Encryption
SSL
Contents
SSL Transactions (see page 272)
How an SSL Encryption Connection Is Established (see page 272)
When to Use SSL Encryption (see page 273)
SSL is a protocol for providing secure communications over TCP/IP. With its successor Transport Layer
Security (TLS), SSL has become the industry standard for confidentiality and integrity services.
For more information about SSL, see the SSL 3.0 Specification (http://wp.netscape.com/eng
/ssl3).
CA Directory supports SSL methods for encryption and authentication. These are known as SSL
encryption and SSL authentication. SSL authentication always uses SSL encryption.
You can use SSL encryption to protect any link connections to or from CA Directory DSAs and web
applications.
SSL supports X.509 certificates. You can manage these certificates by using DXcertgen, a certification
authority, or other appropriate software.
SSL Transactions
An SSL transaction is between a server and a client. An example is when an LDAP client has a
transaction with a DSA. The DSA is a server in the SSL transaction.
04-May-2016 272/923
2. CA Directory - 12.0.18
3. If the certificate is valid and the client trusts the Certification Authority, the client has now
verified the server's identity, and the connection is made.
However, you should use SSL to protect connections between clients and DSAs on different
computers.
The following diagram shows an application and directory backbone that are spread across three
computers.
In this backbone, SSL encryption is used for all links between computers, but not for the link between
the DSAs on SF03:
SSL Transactions
An SSL transaction is between a server and a client. An example is when an LDAP client has a
transaction with a DSA. The DSA is a server in the SSL transaction.
04-May-2016 273/923
CA Directory - 12.0.18
3. If the certificate is valid and the client trusts the Certification Authority, the client has now
verified the server's identity, and the connection is made.
However, you should use SSL to protect connections between clients and DSAs on different
computers.
The following diagram shows an application and directory backbone that are spread across three
computers.
In this backbone, SSL encryption is used for all links between computers, but not for the link between
the DSAs on SF03:
04-May-2016 274/923
CA Directory - 12.0.18
A certificate is a digital document that contains text encrypted with a private key. If you change the
certificate without knowing the private key, you invalidate the certificate. If the certificate is valid,
anybody can use the public key to decrypt the certificate information. If the public key does not work
then somebody has corrupted the certificate and it cannot be trusted.
You cannot use a certificate that is valid for one DSA on another DSA.
You can only create a valid certificate by using appropriate software, for example the CA Directory
tool DXcertgen or OPENSSL.
SSL Processing
Contents
How DXserver Uses Certificates (see page 275)
CA Directory handles DAP, LDAP, DSP and DISP protocols over an SSL connection. Each DSA will
process SSL connections internally.
SSL processing is a based on OpenSSL. The OpenSSL library has been modified to limit the cipher
suites to those that comply with U.S. export controls and the terms of the CA Directory encryption
export license, and to include HSM support. Symmetric keys are limited to 256 bits or less, and
asymmetric keys, used in key exchange, are limited to 2048 bits.
CA Directory supports SSLv3 and TLSv1 protocols. Though CA Directory does not support SSLv2
protocol, it still supports SSLv2 client hello for compatibility, but negotiates using the SSLv3 or TLSv1
protocol only. If you configure SSL in FIPS mode, then only the TLSv1 protocol is supported.
DSA certificates
There is one certificate for each DSA, and each one contains a private key.
Root CA certificates
These are one or more certificates of trusted Certification Authorities.
User certificates
These certificates are used by users (clients), for example, JXplorer.
04-May-2016 275/923
CA Directory - 12.0.18
DSA certificates
There is one certificate for each DSA, and each one contains a private key.
Root CA certificates
These are one or more certificates of trusted Certification Authorities.
User certificates
These certificates are used by users (clients), for example, JXplorer.
DSA Certificates
Contents
How to Create a DSA Certificate (see page 276)
How to Store DSA Keys in an HSM (see page 277)
To take part in SSL as a server, a DSA needs to have a certificate and the corresponding private key.
CA Directory always stores the DSA certificate in a PEM file.
CA Directory can store the private key with the certificate, or you can specify that it stores the private
key in a Hardware Security Module (HSM).
If private key is stored in a PEM file, DXserver uses the DSA name to determine the name of the PEM
file to access and use the certificate.
If the private key is stored in an HSM, then the PEM file holds a certificate but not the private key.
DXserver uses the DSA name to determine the name of the PEM file and uses the HSM to access and
apply the private key when this is required.
In either case the PEM file is named dsaname.pem (the DSA name is converted to lowercase).
1. Use a certificate authority that you trust to create a certificate and the associated key pair.
You can use the following tools:
DXcertgen
Certificate Authority software such as OpenSSL, which is available from the OpenSSL site (
http://www.openssl.org/).
04-May-2016 276/923
CA Directory - 12.0.18
2. Check the created certificate to ensure that the DSA name in the subject field of the
certificate matches the DSA name.
3. Add the root certificate of the Certificate Authority that you used to create the DSA certificate
to the end of the file trusted.pem.
CA Directory is designed to support any HSM that supports PKCS#11. It has been tested on the
Eracom ProtectServer Orange External.
To store keys in an HSM that has an onboard CA engine to create private keys and export the signed
certificates, use the supporting tools from the HSM manufacturer as follows:
2. Get the HSM to sign a certificate request. The subject in the certificate must be the DSA name.
4. Name the PEM file to the DSA name, converted to lowercase, with the added extension .pem
6. Export the root CA certificate from the HSM and store it in the file trusted.pem.
When an SSL session occurs, DXserver uses the certificate subject and the HSM pin number to access
the HSM.
1. Use a certificate authority that you trust to create a certificate and the associated key pair.
You can use the following tools:
DXcertgen
Certificate Authority software such as OpenSSL, which is available from the OpenSSL site (
http://www.openssl.org/).
2. Check the created certificate to ensure that the DSA name in the subject field of the
certificate matches the DSA name.
3. Add the root certificate of the Certificate Authority that you used to create the DSA certificate
to the end of the file trusted.pem.
04-May-2016 277/923
CA Directory - 12.0.18
CA Directory is designed to support any HSM that supports PKCS#11. It has been tested on the
Eracom ProtectServer Orange External.
To store keys in an HSM that has an onboard CA engine to create private keys and export the signed
certificates, use the supporting tools from the HSM manufacturer as follows:
2. Get the HSM to sign a certificate request. The subject in the certificate must be the DSA name.
4. Name the PEM file to the DSA name, converted to lowercase, with the added extension .pem
6. Export the root CA certificate from the HSM and store it in the file trusted.pem.
When an SSL session occurs, DXserver uses the certificate subject and the HSM pin number to access
the HSM.
CA Directory includes the DXcertgen tool for generating and working with certificates and their
associated keys. You can use DXcertgen to do the following:
Generate new certificates and key pairs for DSAs and users
04-May-2016 278/923
CA Directory - 12.0.18
1. Creates a new key pair and root certificate, and stores these in memory.
2. Generates the user and DSA certificates, and signs them with the private key.
For DSA certificates, the DSA name is used as the subject of the certificate.
3. Destroys the private key and appends the root certificate to the end of the following file:
DXHOME/config/ssld/trusted.pem
Every time that DXcertgen creates a certificate, and does not use a keystore, it creates a new key pair
and root certificate, and reissues all the user and DSA certificates based on the new key pair. This can
be inconvenient, because you need to distribute the certificates to the client applications.
1. If DXcertgen cannot find the root certificate or the key pair in the keystore, it creates a new
root certificate and key pair, and stores these in the keystore.
2. When DXcertgen finds the root certificate and key pair in the keystore, it uses the root
certificate and the private key to sign the certificates.
By default, DXcertgen looks for the keystore in the default CA Directory ssld config folder, which is as
follows:
DXHOME/config/ssld/javakeystores
However, when you invoke DXcertgen, you can use options in the dxcertgen command to specify a
different location.
2. Set the environment variable JAVA_HOME to the JRE path, for example:
C:\Program Files\Java\jre1.6.0_16
3. Ensure that the environment variable PATH includes the Java bin folder, for example:
04-May-2016 279/923
CA Directory - 12.0.18
3.
C:\Program Files\Java\jre1.6.0_16\bin
keytool
Note: The keytool utility is a Java utility and is documented on the java keytool web page
on the Java web site .
2. When you run DXcertgen, specify the path to the keystore and the root alias of the certificate
you created.
The following command then causes DXcertgen to use that certificate to create certificates and
private keys for all configured DSAs:
Report on Certificates
DXcertgen can report on the status of the directory's certificates.
The report shows who the subject of the certificate is, the Certificate Authority who issued it, validity
dates, and whether the certificate is currently valid.
To Report on Certificates
dxcertgen report
04-May-2016 280/923
CA Directory - 12.0.18
Use DXcertgen to Request and Use a Third-party Certificate for a DSA Certificate
By default, Dxcertgen creates a certificate and associated private key for each DSA and user.
However, you can use Dxcertgen to request another Certificate Authority (CA) to create a certificate.
You can then use DXcertgen to merge the DXcertgen private key with the CA-created certificate to
create a DSA certificate and associated private key.
Note: For the CA to sign the CSR, they might need additional information such as
validity timeframes.
2. When the CA responds with a certificate, use the following command to merge this certificate
with the private key that was used to create the CSR:
3. Add the certificate to the file trusted.pem. CA Directory trusts the certificate that you have
created. You can use the following command to do this:
Delete a CA Certificate
The CA certificates are stored in the file trusted.pem.
04-May-2016 281/923
CA Directory - 12.0.18
Where there are multiple certificates in a file, they are numbered in the order they are found. When
you add and remove certificates in trusted.pem, the numbering changes. Ensure that you list the
certificates immediately before you delete a certificate.
1. List the certificates that are stored in the file trusted.pem, by using the following command:
dxcertgen listca
2. Find the certificate that you want to delete, and note the number of this certificate.
You should use SSL to protect connections between components on different computers.
04-May-2016 282/923
CA Directory - 12.0.18
The location of the DSA and user certificates, and public and private keys
Note: If you are using an HSM you must also provide the HSM specific information.
To force SSL encryption on anonymous bindings, include the following command in the settings
configuration file of the DSA:
When this setting is on, if a user tries to create an anonymous binding without SSL, the DSA disallows
it and returns an "Inappropriate authentication" error.
To force SSL encryption on authenticated bindings, include the following command in the settings
configuration file of the DSA:
04-May-2016 283/923
CA Directory - 12.0.18
When this setting is on, if a user tries to create an authenticated binding without SSL, the DSA
disallows it and returns an "Inappropriate authentication" error.
The set force-encrypt-auth setting does not prevent the credentials from being sent unencrypted
over the network. However it refuses any unencrypted binding request.
Note: When using link encryption between DSAs that reside on the same computer, you
cannot use the trust-flags = ssl-encryption-remote setting with these commands. Instead,
use trust-flags = ssl-encryption. Else, DSAs connecting to each other locally fail at the clear-
password authentication level as the link is not encrypted. Alternatively, you can force SSL
encryption on the router DSAs only and can prevent clients connecting directly to data
DSAs. Use the set disable-client-binds = true; command to prevent clients connecting
directly to data DSAs. This setting allows the trust-flags = ssl-encryption-remote setting to
be used.
CA Directory DSAs operate as SSL clients when they act as LDAP clients to communicate with LDAP
servers. This means that the LDAP servers do not need copies of the CA Directory DSA's root or DSA
certificates.
You can secure the connection using SSL encryption by using the following steps:
2. Using your Certificate Authority, produce server certificates for both the LDAP server and the
DSA, and sign them with the Certificate Authority's root certificate.
3. Configure CA Directory and the LDAP server to trust the Certificate Authority by importing the
root certificate.
4. Configure CA Directory and the LDAP server to use the server certificate signed by the
Certificate Authority for SSL operations.
c. Verify that SSL is being used using the following command on a DSA console:
trace x500;
04-May-2016 284/923
CA Directory - 12.0.18
To secure these communications, use SSL between your browser and DXwebserver, as shown in the
following diagram:
2. Create a Certificate Signing Request (CSR) using the command dxcertgen certreq
4. (Optional - Windows only) Update any shortcuts to DXwebserver with the SSL connection
details.
1. Ensure you have the Java bin directory set in your path.
04-May-2016 285/923
3.
CA Directory - 12.0.18
For information about more command options, visit the keytool page on the Java site (http://java.sun.
com).
2. Start JXweb.
The location of the DSA and user certificates, and public and private keys
Note: If you are using an HSM you must also provide the HSM specific information.
To force SSL encryption on anonymous bindings, include the following command in the settings
configuration file of the DSA:
04-May-2016 286/923
CA Directory - 12.0.18
When this setting is on, if a user tries to create an anonymous binding without SSL, the DSA disallows
it and returns an "Inappropriate authentication" error.
To force SSL encryption on authenticated bindings, include the following command in the settings
configuration file of the DSA:
When this setting is on, if a user tries to create an authenticated binding without SSL, the DSA
disallows it and returns an "Inappropriate authentication" error.
The set force-encrypt-auth setting does not prevent the credentials from being sent unencrypted
over the network. However it refuses any unencrypted binding request.
Note: When using link encryption between DSAs that reside on the same computer, you
cannot use the trust-flags = ssl-encryption-remote setting with these commands. Instead,
use trust-flags = ssl-encryption. Else, DSAs connecting to each other locally fail at the clear-
password authentication level as the link is not encrypted. Alternatively, you can force SSL
encryption on the router DSAs only and can prevent clients connecting directly to data
DSAs. Use the set disable-client-binds = true; command to prevent clients connecting
directly to data DSAs. This setting allows the trust-flags = ssl-encryption-remote setting to
be used.
CA Directory DSAs operate as SSL clients when they act as LDAP clients to communicate with LDAP
servers. This means that the LDAP servers do not need copies of the CA Directory DSA's root or DSA
certificates.
You can secure the connection using SSL encryption by using the following steps:
2. Using your Certificate Authority, produce server certificates for both the LDAP server and the
DSA, and sign them with the Certificate Authority's root certificate.
3. Configure CA Directory and the LDAP server to trust the Certificate Authority by importing the
root certificate.
4. Configure CA Directory and the LDAP server to use the server certificate signed by the
Certificate Authority for SSL operations.
04-May-2016 287/923
6. CA Directory - 12.0.18
c. Verify that SSL is being used using the following command on a DSA console:
trace x500;
You should encrypt communications between your browser and DXmanager or JXweb, because these
communications might include sensitive information, including port numbers, DSA passwords, and
DSA console passwords.
To secure these communications, use SSL between your browser and DXwebserver, as shown in the
following diagram:
2. Create a Certificate Signing Request (CSR) using the command dxcertgen certreq
4. (Optional - Windows only) Update any shortcuts to DXwebserver with the SSL connection
details.
04-May-2016 288/923
CA Directory - 12.0.18
1. Ensure you have the Java bin directory set in your path.
For information about more command options, visit the keytool page on the Java site (http://java.sun.
com).
2. Start JXweb.
The SSL functionality that used to provide certificate authentication in the SSLD external to the DSA,
has been incorporated into each DSA. To automatically migrate the old SSL configuration to the new
configuration settings, upgrade CA Directory to the latest version.You can migrate your SSL
configuration without upgrading the entire product. These steps describe how to do this.
2. Create a new configuration file to hold the new set ssl command. We recommend that you
04-May-2016 289/923
CA Directory - 12.0.18
2. Create a new configuration file to hold the new set ssl command. We recommend that you
save the file as dsaname.dxc and store it in DXHOME/config/ssld
3. Use the existing settings to write a new set ssl command in the new configuration file:
set ssl = {
cert-dir = CertificationDirectory
ca-file = CertificateAuthorityFile
};
Note: The port, debug, and threads commands are no longer needed.Note: You can
find the default SSL settings in DXHOME/config/ssld/default.dxc.
If you do not set a cipher, the DSA uses the default ciphers. You can check the available
ciphers using the console command get ciphers. For a list of ciphers currently supported, see
the section Encryption Formats for SSL. For more information about ciphers, see the OpenSSL
site (http://www.openssl.org/).
4. Make the new SSL configuration known to the appropriate DSA by sourcing ssld/ dsaname.dxc
in the dsaname.dxi file, as follows:
source "../ssld/dsaname.dxc";
Example: Compare old-style SSLD settings and the new set ssl command
The following example compares the two ways of configuring SSL functionality.
port 2112
certfiles /opt/CA/Directory/dxserver/samples/ssl/certs
ca /opt/CA/Directory/dxserver/samples/ssl/certs/gary_michael.pem
debug 3
threads 0
protocol TLS
cipher ALL:!EXPORT40:!ADH
FIPS 140-2 enabled
hsm_pin 2345
hsm_lib /opt/CA/Directory/dxserver/bin/tlsclient
hsm_slot 1
set ssl = {
cert-dir = "/opt/CA/Directory/dxserver/samples/ssl/certs"
04-May-2016 290/923
CA Directory - 12.0.18
ca-file = "/opt/CA/Directory/dxserver/samples/ssl/certs/gary_michael.pem"
cipher = "ALL:!EXPORT40:!ADH"
protocol = tls
fips = true
pin = 2345
lib = "/opt/CA/Directory/dxserver/bin/tlsclient"
slot = 1
};
Note: The port, debug, and threads command are no longer needed.
This example shows how to set up SSL for the sample Democorp DSA
2. Create a PEM certificate and add the trusted root CA in the relevant files and folders.
To automatically create a PEM certificate for each DSA present on the system and add the
root CA signing certificate into the trusted.pem file, use the following command:
dxcertgen certs
3. Create a new text file and add the following command to it:
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/trusted.pem"
};
# access controls
clear access;
source "../access/default.dxc";
# ssl
source "../ssld/Democorp.dxc";
# replication agreements (rarely used)
# source "../replication/";
stop democorp
...
start democorp
...
You can now bind to your Democorp DSA using an SSL connection.
04-May-2016 291/923
CA Directory - 12.0.18
You can now bind to your Democorp DSA using an SSL connection.
DXsearch
DXmodify
DXrename
DXdelete
None of these tools can see the DSA's trusted.pem file and therefore are unable to trust the self-
signed certificate.
1. Create a new text file with the following name and location:
DXHOME/config/ssld/dxldap.conf
2. Open the file in a text editor, and add the following text:
4. Set an environment variable named LDAPCONF that points to the file you have just created.
You should now be able to connect to the directory through SSL using the tools listed.
Set Up Views
About Views
Contents
Example A View Used by a Pay TV Company (see page 293)
Compare Views to Stored Procedures in a Database (see page 294)
Limitations of Views (see page 294)
A view lets you make a series of searches on a directory, and have the results returned together. Each
phase of the search can use the results from previous phases as its inputs.
04-May-2016 292/923
CA Directory - 12.0.18
A view provides a virtual abstraction of directory data. This enables LDAP applications to view the
data in a way that matches the needs of the application, similar to the way that database views are
used in RDBMS systems. You define a view to the DSA process and can then invoke it multiple times.
Sometimes you need the results from one search to use as input to another one, and you may also
need to include the results of multiple searches to get the result you need. A view helps in such
situations because it gives you a way to define a single complex search that combines a number of
ordinary LDAP searches. The searches can be performed across multiple DSAs, and a search can use
the results of earlier searches in the view.
A view is a complex command, which can be stored in a configuration file. When you need to use a
view, you search the directory, invoking the view in the search command. The directory carries out
the search, including the phases defined in the view. When the searches are all complete, it return
the results in a single response.
Views allow simpler applications, and let you keep the same application even if the underlying
data changes.
Views let you normalize directory information, which reduces DIT size, and still lets you reference
the data with a single, view-based, search.
Views increase performance because the DSA keeps intermediate results for reuse in a view,
rather than sending them back to the user.
The DIT in this example includes information held in four different locations of the tree
The structure of this directory makes it simple for staff to navigate, but it is not easy to find
information about the services associated with a particular device.
The following diagram shows the series of searches required to find out the channels being served to
a particular device:
04-May-2016 293/923
CA Directory - 12.0.18
A view includes phases, and the result from each phase can be used in the next phase
You can define a view so that a search for a device's MAC address can return the channels available
on the device.
Example view, showing the results from each phase being used as inputs for the next phase
Limitations of Views
Views have the following limitations:
Access controls - All phases of the view searches are performed with the credentials of the user
invoking the view.
Views may require specialized applications for performing view searches and interpreting results
04-May-2016 294/923
CA Directory - 12.0.18
Views may require specialized applications for performing view searches and interpreting results
Unexpected results may occur when the linking attributes are not unique for a given subtree (this
can be enforced by using 'unique-attrs')
Mapping - the attributes used to link objects don't require the same type but need to be the same
(normalized) value
Views support authentication where the entry returned in phase 1 contains authentication
information (userPassword). Authentication is limited to CA Directory DSAs. If the phase 1 entry is
stored in a DXlink DSA, for example, Active Directory, then authentication fails.
This section goes through a number of real-world examples and explains how views can be harnessed
to meet these requirements.
1. Create a separate subtree to hold office information including a unique office identifier in
each entry.
2. Replace the repetitive office information with the related office identifier in each user entry.
3. Create a view so that an entry being returned will also perform a lookup of the office details
and include them in the user entry.
The result of this search (base-object of entry returned) can then be used to perform a one-level
/subtree search to return the entry's subordinates.
04-May-2016 295/923
CA Directory - 12.0.18
/subtree search to return the entry's subordinates.
For example, a pay TV customer that has subscribed to a package that includes adult content, wishes
to have adult content disallowed as they have small children.
A view can be created to retrieve the services for a particular package a user has subscribed to.
The next phase of the view can retrieve restricted items that can then be pruned from the values
/objects retrieved above.
Views can be used to achieve this by storing entries in another directory instance that share unique
values with the other directory. A view can be created to retrieve the two linked entries and merge
the result into a single entry.
04-May-2016 296/923
CA Directory - 12.0.18
(cn="John Smith")
The DSA uses this value to replace $cn term. Therefore, phase 1 performs a
search with the following filter:
(cn="John Smith")
Because the phase does not include any other options, the phase returns all the
information for the entries in the subtree that match the filter.
This is the second phase of the view, so it must be labeled 2.
(phase = 2 This phase searches the following subtree:
subtree =
"ou=cellphones, "ou=cellphones,ou=Accounts,o=ACME"
ou=Accounts,
o=ACME" The DSA replaces $1:cellphone with the value of the cellphone attribute
filter = returned by phase 1, for example, 01001001001
"(account=$1: The eis option means that the only attribute value that the phase returns is simC
cellphone)" ardnumber.
eis = If the customer has two phones, then the filter is an OR of the phone numbers
simCardNumber returned, as in the following example:
options =
result-required (|(account=01001001001)(account=01001001002)
)
}; Two simCardNumber values are returned in this case.
Because this phase specifies result-required, the DSA checks that the link
between the attributes in each subtree is valid. If the link is not valid, then it
raises an alarm.
Given the view defined in the preceding table, you could use the following search to find a customer's
SIM card numbers:
04-May-2016 297/923
CA Directory - 12.0.18
You can specify that the DSA should use the output of one phase as input in another phase. You do
this using the views parameters, which you include in the view definition in place of attribute values.
The DSA replaces parameters with values as soon as the results are available, either from the values
given in the invoking search command, or from the result of a phase.
The DSA runs a phase as soon as all the parameters it needs have been replaced by values, and it runs
phases in parallel if possible.
The order of the phases is important because the DSA runs each phase only once per view invocation,
and the DSA can only replace a phase's parameters with the results from earlier (lower numbered)
phases. That is, a phase's parameters cannot refer to later phases.
All attribute values have associated matching rules. One commonly used rule is the caseIgnoreMatch
rule, which says that you can ignore letter case when comparing strings for equality.
When a views parameter is compared to a phase result and the matching rules are not identical, the
transformation that the DSA has performed can produce unexpected results. For example, spaces are
not important for telephone numbers, so if an attribute is defined with telephoneNumberMatching
matching rules, the following entries are equivalent:
+61 3 1300-1001
+61313001001
Similarly, you can invoke a view with the following search command:
In this case, if ph is defined with telephone number syntax, the DSA stores $ph as follows:
+61313001001
If an account number is stored as a numericString, then the DSA transforms the following result:
ac="+613 1300-1001"
04-May-2016 298/923
CA Directory - 12.0.18
61313001001
Because comparisons are performed after the strings are converted, the following comparison fails:
($ac=$ph)
Subtree DN
A phase always has a subtree specification, which is the DN that defines the root of phase search.
If this DN is defined by the result of a previous phase, then the DSA runs a separate phase search
for each different result. For example, if phase one returns four DNs, and phase two specifies its
subtree DN as the result of phase one, then the DSA runs a phase two search four times, once
with each different value of DN.
Filter
If a phase specifies a filter as part of its search, then the DSA ORs all the specified values of all the
returned entries. For example, consider a view in which phase one returns two entries with
attribute Attr, the first of which has two values Val1 and Val2, and the second of which has value
Val3. A filter in a subsequent phase can use the returned values of Attr from phase one by
including the fragment:
filter = $1:attr
filter = (|(attr=val1)(attr=val2)(attr=val3))
eis
Every return value is used. This is equivalent to specifying multiple attribute names in the eis
option.
If an EIS is passed in on the view search then all phase searches will include this and include any
linking attributes not present. This overrides the EIS specified for each phase.
If no EIS is passed in on the view search then the phase search will include any phase EIS attributes
plus any linking attributes not present.
04-May-2016 299/923
CA Directory - 12.0.18
If a phase search returns multiple entries with the same linking attribute or a linking attribute with
multiple values, then the searches will branch off. This occurs when the relationship between objects
is one-to-many or many-to-many. When this occurs the next phase search's filter will contain an OR
of the filter defined. For example, 2 entries are returned and 'attr' is the linking attribute. Entry 1 has
attr = 1, attr = 2 and entry 2 has attr = 3. If the next phase search filter is (attr=$attr) then the search
performed will have filter (|(attr=1)(attr=2)(attr=3)).
Delimiting - '$3:restriction[|:1]' would retrieve field one from the value of restriction returned by
the phase 3 search delimited by '|'. For example, the value "service|01012007|didn't pay bill"
would translate to "service".
Truncation - '3:restriction[5]' would retrieve the first 5 characters from the value of restriction.
In a view search, if the EIS is dxEntryCount then the views will returned a single entry with a
dxEntryCount attribute. The value of this attribute is the number of entries that would be returned by
the view for this search.
You can specify that the DSA should use the output of one phase as input in another phase. You do
this using the views parameters, which you include in the view definition in place of attribute values.
The DSA replaces parameters with values as soon as the results are available, either from the values
given in the invoking search command, or from the result of a phase.
The DSA runs a phase as soon as all the parameters it needs have been replaced by values, and it runs
phases in parallel if possible.
The order of the phases is important because the DSA runs each phase only once per view invocation,
and the DSA can only replace a phase's parameters with the results from earlier (lower numbered)
phases. That is, a phase's parameters cannot refer to later phases.
All attribute values have associated matching rules. One commonly used rule is the caseIgnoreMatch
rule, which says that you can ignore letter case when comparing strings for equality.
When a views parameter is compared to a phase result and the matching rules are not identical, the
transformation that the DSA has performed can produce unexpected results. For example, spaces are
not important for telephone numbers, so if an attribute is defined with telephoneNumberMatching
matching rules, the following entries are equivalent:
04-May-2016 300/923
CA Directory - 12.0.18
+61 3 1300-1001
+61313001001
Similarly, you can invoke a view with the following search command:
In this case, if ph is defined with telephone number syntax, the DSA stores $ph as follows:
+61313001001
If an account number is stored as a numericString, then the DSA transforms the following result:
ac="+613 1300-1001"
61313001001
Because comparisons are performed after the strings are converted, the following comparison fails:
($ac=$ph)
Subtree DN
A phase always has a subtree specification, which is the DN that defines the root of phase search.
If this DN is defined by the result of a previous phase, then the DSA runs a separate phase search
for each different result. For example, if phase one returns four DNs, and phase two specifies its
subtree DN as the result of phase one, then the DSA runs a phase two search four times, once
with each different value of DN.
Filter
If a phase specifies a filter as part of its search, then the DSA ORs all the specified values of all the
returned entries. For example, consider a view in which phase one returns two entries with
attribute Attr, the first of which has two values Val1 and Val2, and the second of which has value
Val3. A filter in a subsequent phase can use the returned values of Attr from phase one by
including the fragment:
filter = $1:attr
filter = (|(attr=val1)(attr=val2)(attr=val3))
eis
04-May-2016 301/923
CA Directory - 12.0.18
eis
Every return value is used. This is equivalent to specifying multiple attribute names in the eis
option.
If an EIS is passed in on the view search then all phase searches will include this and include any
linking attributes not present. This overrides the EIS specified for each phase.
If no EIS is passed in on the view search then the phase search will include any phase EIS attributes
plus any linking attributes not present.
If a phase search returns multiple entries with the same linking attribute or a linking attribute with
multiple values, then the searches will branch off. This occurs when the relationship between objects
is one-to-many or many-to-many. When this occurs the next phase search's filter will contain an OR
of the filter defined. For example, 2 entries are returned and 'attr' is the linking attribute. Entry 1 has
attr = 1, attr = 2 and entry 2 has attr = 3. If the next phase search filter is (attr=$attr) then the search
performed will have filter (|(attr=1)(attr=2)(attr=3)).
Delimiting - '$3:restriction[|:1]' would retrieve field one from the value of restriction returned by
the phase 3 search delimited by '|'. For example, the value "service|01012007|didn't pay bill"
would translate to "service".
Truncation - '3:restriction[5]' would retrieve the first 5 characters from the value of restriction.
In a view search, if the EIS is dxEntryCount then the views will returned a single entry with a
dxEntryCount attribute. The value of this attribute is the number of entries that would be returned by
the view for this search.
04-May-2016 302/923
CA Directory - 12.0.18
You invoke a view by providing the view's DN as the base object in an LDAP request to the DSA.
Search requests are restricted in scope to the base object and filtered subtree searches. Bind,
compare, and modify requests are restricted to using only attributes contained in the entry defined in
phase 1.
Design a View
Before views are configured the implementer needs to be aware of what objects are going to be
stored and how they are related (data models). At this point use cases can be developed to solve
particular application requirements.
Each object requires a separate search (phase). When each phase completes, then subsequent
phases can be performed that rely on values returned. In the above example the phase search 1 will
retrieve the 'DevGuid'. When this completes, the phase 2 search can retrieve Packages using the
'DevGuid' returned, and so on.
Set Up a View
You define a view to the DSA process by using the set view command.
You might find it useful to create a file settings/views.dxc to contain your view definitions. This file
should include a clear view command before the set view commands. See set view Command.
A view command has a header and a body. The header identifies the view and contains the view
name, DN, and post-processing options. The view body consists of a list of searches, called phases.
Each phase has a DN and a filter (and some ancillary information).
clear view;
set view "Channel list" = {
description = "Display list of channels for a given MACAddress"
entry = <c AU><o Views><cn "Channel list">
( phase = 1
subtree = "o=Devices,c=AU"
filter = "(MACAddress=$MACAddress)"
options = ignore-from-result ),
( phase = 2
subtree = "o=Subscribers,c=AU"
filter = "(DevGuids=$1:DevGuid)"
eis = Package
options = result-required, ignore-from-result ),
( phase = 3
subtree = "o=Packages,c=AU"
04-May-2016 303/923
CA Directory - 12.0.18
filter = "(PackageName=$2:Package)" ),
( phase = 4
subtree = "o=Services,c=AU"
filter = "(ServiceName=$3:Services)"
eis = Channel )
};
For example, you could add a prefix to search results from a particular source, to help you distinguish
these results from results from other sources.
You can add prefixes and suffixes to attributes with string syntaxes only (such as caseIgnore and
caseExact).
2. In the eis section of one of the phases in the set view command, add a prefix or suffix as
follows:
eis = [prefix]attributeName[suffix]
3. For example, you could use this eis to add the prefix SAP to all results from this phase:
Search phases that have all required information to proceed will be performed in parallel.
View phase searches that are marked ignore-from-result are temporary results. These results are
not returned to the client, so the EIS for those searches contains only the linking attributes.
View phase searches that are marked prune-from-results are removed from the final result, so
entries are returned, but attributes are not.
04-May-2016 304/923
CA Directory - 12.0.18
clear view;
You invoke the view by requesting a search that includes the DN of the view.
The invoking search request also specifies a filter and the scope. Both of these are passed to the
view.
The DSA uses the filter only to supply values to parameters in the phases of the search.
The scope can be base-object search or a subtree search. The view does not directly use this scope
specification, because the scope of each search (phase) in a view is separately defined in the view
definition. Instead, the view uses the scope to determine what filter to use in its first phase of the
view.
Subtree Searches
When the scope is a subtree search, the filter is not used directly and the DSA uses the filter in the
search request to pass parameters to phase one of the view.
This search returns the following result if the collapse-result option is enabled:
This invokes the SIM View view. Phase one of the view should have a filter that includes the term $cn.
The DSA replaces any occurrence of $cn in the view with John Smith, and then runs phase one. See
also Example: Cell Phone Service Provider (see page 296).
Base-object searches can be used to perform simple queries like (Channel=1) or (!(Channel=2)) which
04-May-2016 305/923
CA Directory - 12.0.18
Base-object searches can be used to perform simple queries like (Channel=1) or (!(Channel=2)) which
are applied after the view has been resolved.
This search returns the following result if the 'collapse-result' option is enabled:
This invokes the SIM View view. The phase one filter is (baseObject=*).
Binds
Many applications perform a subtree search for a specific user. The user is then authenticated via a
bind using the distinguished name of the entry returned.
If a subtree search of a view entry "cn=SMUsers,o=Views,c=AU" returns the view subordinate entry
"guid=1234,cn=SMUsers,o=Views,c=AU", a bind for this user can be performed. The directory
processes the bind in this manner::
4. The password compare is applied to this entry and if the userPassword matches, the
authentication is successful.
Modifies
When a user is authenticated by the view some applications update lastLogin information for that
user. When a modify request is received for a view subordinate entry the following processing will
take place:
04-May-2016 306/923
CA Directory - 12.0.18
Note: Updates are only applied to the entry returned by the phase 1 search.
Compares
When a compare request is received for a view subordinate entry the following processing will take
place:
Note: Compares are only applied to the entry returned by the phase 1 search.
Design a View
Before views are configured the implementer needs to be aware of what objects are going to be
stored and how they are related (data models). At this point use cases can be developed to solve
particular application requirements.
Each object requires a separate search (phase). When each phase completes, then subsequent
phases can be performed that rely on values returned. In the above example the phase search 1 will
retrieve the 'DevGuid'. When this completes, the phase 2 search can retrieve Packages using the
'DevGuid' returned, and so on.
Set Up a View
Contents
Example set view Command (see page 308)
Add a Prefix or Suffix to a Search Result (see page 308)
Improve the Performance of a View (see page 309)
Remove View Definitions (see page 309)
You define a view to the DSA process by using the set view command.
You might find it useful to create a file settings/views.dxc to contain your view definitions. This file
should include a clear view command before the set view commands. See set view Command.
04-May-2016 307/923
CA Directory - 12.0.18
A view command has a header and a body. The header identifies the view and contains the view
name, DN, and post-processing options. The view body consists of a list of searches, called phases.
Each phase has a DN and a filter (and some ancillary information).
clear view;
set view "Channel list" = {
description = "Display list of channels for a given MACAddress"
entry = <c AU><o Views><cn "Channel list">
( phase = 1
subtree = "o=Devices,c=AU"
filter = "(MACAddress=$MACAddress)"
options = ignore-from-result ),
( phase = 2
subtree = "o=Subscribers,c=AU"
filter = "(DevGuids=$1:DevGuid)"
eis = Package
options = result-required, ignore-from-result ),
( phase = 3
subtree = "o=Packages,c=AU"
filter = "(PackageName=$2:Package)" ),
( phase = 4
subtree = "o=Services,c=AU"
filter = "(ServiceName=$3:Services)"
eis = Channel )
};
For example, you could add a prefix to search results from a particular source, to help you distinguish
these results from results from other sources.
You can add prefixes and suffixes to attributes with string syntaxes only (such as caseIgnore and
caseExact).
2. In the eis section of one of the phases in the set view command, add a prefix or suffix as
follows:
eis = [prefix]attributeName[suffix]
3. For example, you could use this eis to add the prefix SAP to all results from this phase:
04-May-2016 308/923
CA Directory - 12.0.18
3.
Search phases that have all required information to proceed will be performed in parallel.
View phase searches that are marked ignore-from-result are temporary results. These results are
not returned to the client, so the EIS for those searches contains only the linking attributes.
View phase searches that are marked prune-from-results are removed from the final result, so
entries are returned, but attributes are not.
clear view;
You invoke the view by requesting a search that includes the DN of the view.
The invoking search request also specifies a filter and the scope. Both of these are passed to the
view.
The DSA uses the filter only to supply values to parameters in the phases of the search.
The scope can be base-object search or a subtree search. The view does not directly use this scope
specification, because the scope of each search (phase) in a view is separately defined in the view
definition. Instead, the view uses the scope to determine what filter to use in its first phase of the
view.
04-May-2016 309/923
CA Directory - 12.0.18
Subtree Searches
When the scope is a subtree search, the filter is not used directly and the DSA uses the filter in the
search request to pass parameters to phase one of the view.
This search returns the following result if the collapse-result option is enabled:
This invokes the SIM View view. Phase one of the view should have a filter that includes the term $cn.
The DSA replaces any occurrence of $cn in the view with John Smith, and then runs phase one. See
also Example: Cell Phone Service Provider (see page 296).
Base-object searches can be used to perform simple queries like (Channel=1) or (!(Channel=2)) which
are applied after the view has been resolved.
This search returns the following result if the 'collapse-result' option is enabled:
04-May-2016 310/923
CA Directory - 12.0.18
This invokes the SIM View view. The phase one filter is (baseObject=*).
Binds
Many applications perform a subtree search for a specific user. The user is then authenticated via a
bind using the distinguished name of the entry returned.
If a subtree search of a view entry "cn=SMUsers,o=Views,c=AU" returns the view subordinate entry
"guid=1234,cn=SMUsers,o=Views,c=AU", a bind for this user can be performed. The directory
processes the bind in this manner::
4. The password compare is applied to this entry and if the userPassword matches, the
authentication is successful.
Modifies
When a user is authenticated by the view some applications update lastLogin information for that
user. When a modify request is received for a view subordinate entry the following processing will
take place:
Note: Updates are only applied to the entry returned by the phase 1 search.
Compares
When a compare request is received for a view subordinate entry the following processing will take
place:
04-May-2016 311/923
CA Directory - 12.0.18
Note: Compares are only applied to the entry returned by the phase 1 search.
CA Directory lets you set up groups in a directory. You can use groups to allow applications to
customize the user experience based on which groups they are a member of.
If you set up static or dynamic groups, you can also use these groups as roles. The directory can use
role membership to determine a user's access permissions and configuration items within the
directory itself. For more information, see Role-Based Configuration (see page 341).
A static group is an entry in the directory with a member attribute, which stores a list of the DNs of
the entries that are members of this group.
If you set up static groups, you can then use static roles, to which you can assign access controls.
A dynamic group is an entry in the directory with its membership defined by an LDAP filter. All entries
that satisfy this filter are members of the dynamic group.
If you set up dynamic groups, you can set up dynamic roles to which you can assign access controls.
04-May-2016 312/923
CA Directory - 12.0.18
If you already use access control groups, you can keep using them. However, we recommend that for
new groups, you use static or dynamic groups instead, because they are more flexible and powerful,
for the following reasons:
Access control groups are less flexible -- To add, delete, or change members in a static or
dynamic group, you need to edit only the group's entry in the directory. You do not need to
restart the DSA as you do with changes to access control groups.
Access control groups are less powerful -- Applications can use static and dynamic groups
because they are directory entries. You can also extend these groups to form roles, which the
directory itself can use for access controls and role-specific configuration.
A static group is an entry in the directory with a member attribute, which stores a list of the DNs of
the entries that are members of this group.
If you set up static groups, you can then use static roles, to which you can assign access controls.
A dynamic group is an entry in the directory with its membership defined by an LDAP filter. All entries
that satisfy this filter are members of the dynamic group.
04-May-2016 313/923
CA Directory - 12.0.18
If you set up dynamic groups, you can set up dynamic roles to which you can assign access controls.
If you already use access control groups, you can keep using them. However, we recommend that for
new groups, you use static or dynamic groups instead, because they are more flexible and powerful,
for the following reasons:
Access control groups are less flexible -- To add, delete, or change members in a static or
dynamic group, you need to edit only the group's entry in the directory. You do not need to
restart the DSA as you do with changes to access control groups.
Access control groups are less powerful -- Applications can use static and dynamic groups
because they are directory entries. You can also extend these groups to form roles, which the
directory itself can use for access controls and role-specific configuration.
04-May-2016 314/923
CA Directory - 12.0.18
You can group users and other entries in the directory using a static group entry.
A static group entry contains a list of the group members. After you set up a static group, applications
that query the directory can check if an entry is in a group, and use that information to set
permissions for that entry.
If you want to set permissions and other configuration on an entry's access to the directory itself, you
can extend the group to work as a role. You can then set permissions and limits for the role, and
these apply to all of the role's members.
Static Groups
A static group is an entry in the directory that stores a list of the members of the group.
A static group entry usually has one of the object classes listed in the following table:
If a user is removed from the directory, then the user must also be removed from any static groups
that the user belonged to. To do this, you remove the user's member DN from each group that the
user was a member of. This means that static groups are useful for directories in which the group
memberships do not change frequently.
If a static group contains a large number of members, it can take a long time to update the entry.
Dynamic groups (see page 325) do not have this disadvantage.
An application can query the directory to check if a DN is contained in a particular group. The
application can then use that information to grant or deny access to the user, or other changes.
04-May-2016 315/923
CA Directory - 12.0.18
Company A has hundreds of thousands of employees, all of whom are listed in the staff directory. The
subtrees in this directory are divided by geography, and then by business unit.
The directory is used by many different applications, and each application needs to know which users
should be allowed to administer that application. For example, the Payroll application gives extra
privileges to users who are in the Payroll Administrators group.
2. The application connects to the directory and searches for the user.
3. The application takes the DN of the user entry and searches the groups subtree for any groups
in which this user is a member.
In this example, the user is not in the Payroll Administrators group.
4. The application gives users the access only allowed to general employees. This might include
permission to update their own address and view their salary, tax, and leave details.
5. If this user were in the Payroll Administrators group, the application would have given greater
privileges, such as the ability to view and change the details of other employees.
To use static roles, you first need to set up static groups and then configure the roles.
When a user logs in to a directory with static roles, the following happens:
3. The DSA searches all of the groups in the specified subtree for the user's DN.
4. If it finds any group that contains the user's DN in the member or uniqueMember attributes, it
uses those groups as the user's roles for this connection.
These roles are used in decisions about access controls and other role-specific configuration
items.
If an access control or other configuration item is set for the whole DSA and for a user's role, the
more generous setting applies to that user.
If you change the value of a role-based configuration item, the new value does not apply to users that
are currently logged in. After they have logged out and back in again, the new settings apply.
04-May-2016 316/923
CA Directory - 12.0.18
CA Directory updates the memberOf attribute of an entry every time the entry DN is included or
removed from a group.
The following example returns the groups that jsmith01 is a member of. If an entry is in the
administrator and backup operator groups, then returning the entry cn=jsmith01 includes the group
that jsmith01 is a member of:
dn: cn=Administrators,ou=Groups,o=CA,c=AU
member: cn=jsmith01,ou=Users,o=CA,c=AU
member: ...
dn: cn=jsmith01,ou=Users,o=CA,c=AU
memberOf: cn=Administrators,ou=Groups,o=CA,c=AU
memberOf: cn=Backup Operators,ou=Groups,o=CA,c=AU
Referential integrity cannot be guaranteed. If a group is added at the same time as a group is
removed, the user can be left in a group that no longer exists. To prevent users being left in a group
that does not exist, handle group updates with a single application.
We recommend that you rename groups by performing a delete and an add operation, otherwise,
the changed name is not reflected in the memberOf attribute. If this error occurs, a cautionary alarm
is issued.
2. Add one or more DNs under the memberOf group and user containers. Enter the following
settings:
04-May-2016 317/923
2.
CA Directory - 12.0.18
Important! Both items must be set, otherwise, the DSA produces a critical alarm
and shutdown.
Note: The memberOf attribute schema is required but you do not need to include it in the
entry objectClass. Mark this attribute no-user-modification in the schema as direct
updates of memberOf can cause data integrity problems. For more information, see
DXHOME/config/schema/sunone.dxc.
Access Controls
The group update is performed with the credentials of the binding user. The DSA triggers the
memberOf update and therefore bypasses access controls and also schema checking.
If a separate DSA services the user subtree, the DSA handling the group update requires the 'trust-
dsa-triggered-operations' trust flag.
1. Execute the following command to help ensure that entries do not contain memberOf
attribute.
Entries that contain memberOf attribute are returned. Remove memberOf from any entries
that are returned.
04-May-2016 318/923
CA Directory - 12.0.18
4.
cat groups.ldif | grep "dn: " | awk '{print $2}' | dxdelete -h{host} -p{port}
6. Add groups.
Example: Migration
This example migration shows how you can export group and user containers:
The following are the types of updates that can trigger a memberOf update:
Modify removing one or more DNs from member attribute of group entry
1. CA Directory inspects its contents to determine whether all the following conditions are true:
The baseObject exists for a modify or delete request, and the baseObject does not exist
for an add request.
The user performing the update has the appropriate AC to perform the operation.
2. For each member attribute that is subordinate to a DN from the list of configured 'memberof-
user-containers':
a. The request is performed on the user entry, and the group DN is added to or removed
from memberOf, and a rollback modify is created.
b. If the request is successful then a a rollback modify is inserted into rollback list. If an
error occurs, a rollback is performed.
04-May-2016 319/923
CA Directory - 12.0.18
3. If memberOf attributes have been updated for all user entries the following occurs:
Multi-write Replication
Updates of group membership received by multi-write do not trigger memberOf updates. The DSA
performing the memberOf population handles replication.
Static Groups
A static group is an entry in the directory that stores a list of the members of the group.
A static group entry usually has one of the object classes listed in the following table:
If a user is removed from the directory, then the user must also be removed from any static groups
that the user belonged to. To do this, you remove the user's member DN from each group that the
user was a member of. This means that static groups are useful for directories in which the group
memberships do not change frequently.
If a static group contains a large number of members, it can take a long time to update the entry.
Dynamic groups (see page 325) do not have this disadvantage.
Static groups are entries in the directory that contain lists of the DNs of other entries.
An application can query the directory to check if a DN is contained in a particular group. The
application can then use that information to grant or deny access to the user, or other changes.
Company A has hundreds of thousands of employees, all of whom are listed in the staff directory. The
subtrees in this directory are divided by geography, and then by business unit.
The directory is used by many different applications, and each application needs to know which users
should be allowed to administer that application. For example, the Payroll application gives extra
privileges to users who are in the Payroll Administrators group.
04-May-2016 320/923
CA Directory - 12.0.18
2. The application connects to the directory and searches for the user.
3. The application takes the DN of the user entry and searches the groups subtree for any groups
in which this user is a member.
In this example, the user is not in the Payroll Administrators group.
4. The application gives users the access only allowed to general employees. This might include
permission to update their own address and view their salary, tax, and leave details.
5. If this user were in the Payroll Administrators group, the application would have given greater
privileges, such as the ability to view and change the details of other employees.
To use static roles, you first need to set up static groups and then configure the roles.
When a user logs in to a directory with static roles, the following happens:
3. The DSA searches all of the groups in the specified subtree for the user's DN.
4. If it finds any group that contains the user's DN in the member or uniqueMember attributes, it
uses those groups as the user's roles for this connection.
These roles are used in decisions about access controls and other role-specific configuration
items.
If an access control or other configuration item is set for the whole DSA and for a user's role, the
more generous setting applies to that user.
If you change the value of a role-based configuration item, the new value does not apply to users that
are currently logged in. After they have logged out and back in again, the new settings apply.
CA Directory emulates the ability of Active Directory to auto populate the memberOf attribute when
04-May-2016 321/923
CA Directory - 12.0.18
CA Directory emulates the ability of Active Directory to auto populate the memberOf attribute when
it returns or looks up user entries. The memberOf attribute contains all the group distinguished
names (DNs) of which the entry is a member.
CA Directory updates the memberOf attribute of an entry every time the entry DN is included or
removed from a group.
The following example returns the groups that jsmith01 is a member of. If an entry is in the
administrator and backup operator groups, then returning the entry cn=jsmith01 includes the group
that jsmith01 is a member of:
dn: cn=Administrators,ou=Groups,o=CA,c=AU
member: cn=jsmith01,ou=Users,o=CA,c=AU
member: ...
dn: cn=jsmith01,ou=Users,o=CA,c=AU
memberOf: cn=Administrators,ou=Groups,o=CA,c=AU
memberOf: cn=Backup Operators,ou=Groups,o=CA,c=AU
Referential integrity cannot be guaranteed. If a group is added at the same time as a group is
removed, the user can be left in a group that no longer exists. To prevent users being left in a group
that does not exist, handle group updates with a single application.
We recommend that you rename groups by performing a delete and an add operation, otherwise,
the changed name is not reflected in the memberOf attribute. If this error occurs, a cautionary alarm
is issued.
2. Add one or more DNs under the memberOf group and user containers. Enter the following
settings:
Important! Both items must be set, otherwise, the DSA produces a critical alarm
04-May-2016 322/923
CA Directory - 12.0.18
Important! Both items must be set, otherwise, the DSA produces a critical alarm
and shutdown.
Note: The memberOf attribute schema is required but you do not need to include it in the
entry objectClass. Mark this attribute no-user-modification in the schema as direct
updates of memberOf can cause data integrity problems. For more information, see
DXHOME/config/schema/sunone.dxc.
Access Controls
The group update is performed with the credentials of the binding user. The DSA triggers the
memberOf update and therefore bypasses access controls and also schema checking.
If a separate DSA services the user subtree, the DSA handling the group update requires the 'trust-
dsa-triggered-operations' trust flag.
1. Execute the following command to help ensure that entries do not contain memberOf
attribute.
Entries that contain memberOf attribute are returned. Remove memberOf from any entries
that are returned.
cat groups.ldif | grep "dn: " | awk '{print $2}' | dxdelete -h{host} -p{port}
04-May-2016 323/923
CA Directory - 12.0.18
6. Add groups.
Example: Migration
This example migration shows how you can export group and user containers:
The following are the types of updates that can trigger a memberOf update:
Modify removing one or more DNs from member attribute of group entry
1. CA Directory inspects its contents to determine whether all the following conditions are true:
The baseObject exists for a modify or delete request, and the baseObject does not exist
for an add request.
The user performing the update has the appropriate AC to perform the operation.
2. For each member attribute that is subordinate to a DN from the list of configured 'memberof-
user-containers':
a. The request is performed on the user entry, and the group DN is added to or removed
from memberOf, and a rollback modify is created.
b. If the request is successful then a a rollback modify is inserted into rollback list. If an
error occurs, a rollback is performed.
3. If memberOf attributes have been updated for all user entries the following occurs:
04-May-2016 324/923
CA Directory - 12.0.18
3. If memberOf attributes have been updated for all user entries the following occurs:
Multi-write Replication
Updates of group membership received by multi-write do not trigger memberOf updates. The DSA
performing the memberOf population handles replication.
Each dynamic group entry includes an LDAP search request that is executed when a base-object
search is performed on the dynamic group entry. This search finds all the directory entries that satisfy
the search filter. These entries are members of the group.
You cannot make the same entry work as both a static and a dynamic role.
Dynamic groups are useful when you know that you often need to change the membership of a
group, because there is no overhead involved in maintaining the group data.
If a user is removed from the directory, then that user's entry is not found by the LDAP search when it
is next evaluated, so the user is automatically removed from the dynamic group.
Dynamic roles are based on the dxMemberURL attribute of the following object classes:
dxDynamicGroupOfNames
dxDynamicGroupOfUniqueNames.
04-May-2016 325/923
CA Directory - 12.0.18
This section describes how to set up static and dynamic groups and roles.
2. Make the DSA sources the x500.dxc schema file supplied with CA Directory. This provides the
required object classes.
To do this, add the following command to the schema file sourced by the DSA:
source "x500.dxc";
4. Ensure that the DIT contains a subtree in which you can store the group entries.
You should create a special subtree for group entries. This helps you implement roles later.
04-May-2016 326/923
CA Directory - 12.0.18
1. (Optional) Create a new subtree for group entries, if none exists yet.
2. Create an entry in the groups subtree with the object class groupOfNames or
groupOfUniqueNames.
If the group has the object class groupOfNames or groupOfUniqueNames, the members are stored in
the attribute member or uniqueMember.
These are multi-valued attributes, and there is no limit to the number of members a static group can
have. However, a group with too many entries is very slow to update. We recommend that you use
dynamic groups for very large groups.
To add a user to a group, add the user's DN to the member or uniqueMember attribute.
add-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Roles">
<commonName "AdminFinance">
contents = {
(objectClass groupOfNames )
(member <c au><o Democorp><ou Clerical><cn "Noelene Correa">,<c au><o
Democorp><ou Finance><ou Budgets><cn "Linda Deacon"> )
};
04-May-2016 327/923
CA Directory - 12.0.18
A static group becomes a static role when the set use-roles = true command is used.
2. Specify the subtree that stores the group entries by including the following commands in the
DSA's configuration:
In this command, dn is the distinguished name of the subtree used to store the group entries.
dxDynamicGroupOfNames
dxDynamicGroupOfUniqueNames
You can add these attributes to a groupOfNames or groupOfUniqueNames object class respectively
so that dxMemberURL can be included.
04-May-2016 328/923
CA Directory - 12.0.18
clear dynamic-group;
set dynamic-group [tag] = {
objectclass = object-class
url-attr = attribute
member-attr = attribute
};
For example:
4. Ensure that the DIT contains a subtree in which you can store the roles entries.
Note: Using the [subtree = DN] parameter, you can also specify the dynamic-group-
subtree to inspect for the specified baseObject, narrowing the search to only this
sub-tree. This supports dynamic group membership search and compare requests
without requiring set use-dynamic-roles = true;.
For instance, the examples use the following subtree (see page 342):
c=AU,o=Democorp,ou=Groups
You should create a special subtree for group entries. This helps you implement roles later.
1. (Optional) Create a new subtree for group entries, if none exists yet.
04-May-2016 329/923
CA Directory - 12.0.18
You have created a dynamic group that uses the following filter:
ldap://o=user,c=AU??sub?(position=manager)
The next time that the manager group is evaluated, this user is a member of the group.
get dynamic-groups;
04-May-2016 330/923
3.
CA Directory - 12.0.18
2. Add the following commands to the DSA's settings configuration file, in DXHOME/config
/settings:
dxDynamicGroupOfNames
This object class contains an attribute groupOfNames, which you can use to store the DN.
dxDynamicGroupOfUniqueNames
This object class contains an attribute groupOfUniqueNames.
1. Add a value to the dxMemberURL attribute of a dynamic group containing a search filter in
LDAP URL form:
ldap:///base-dn??scope?filter
(|(group=teachers)(group=students))
base-dn
Specifies the base object for the filter search.
scope
(Optional) One of the following:
sub
Specifies that the filter searches the entire subtree below the base DN.
base
04-May-2016 331/923
CA Directory - 12.0.18
base
(Default) Specifies that the filter returns just the DN.
one
Specifies that the filter searches one level below the base DN.
filter
(Optional) Defines the LDAP search filter, for example:
dn: cn=Manager,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
objectClass: top
cn: Manager
dxMemberURL:: bGRhcDovLy9jPVFVSz9zdWI/AHNuPOR1bWVsZWXvssUpIA=0
The DN in the dxMemberURL attribute is encoded, because of the attribute's syntax. The unencoded
value is as follows:
ldap:///o=Democorp,c=AU??sub?(position=manager)
In this URL, the search's base object and scope are ignored.
3.
04-May-2016 332/923
CA Directory - 12.0.18
2. Make the DSA sources the x500.dxc schema file supplied with CA Directory. This provides the
required object classes.
To do this, add the following command to the schema file sourced by the DSA:
source "x500.dxc";
4. Ensure that the DIT contains a subtree in which you can store the group entries.
You should create a special subtree for group entries. This helps you implement roles later.
1. (Optional) Create a new subtree for group entries, if none exists yet.
2. Create an entry in the groups subtree with the object class groupOfNames or
groupOfUniqueNames.
If the group has the object class groupOfNames or groupOfUniqueNames, the members are stored in
the attribute member or uniqueMember.
These are multi-valued attributes, and there is no limit to the number of members a static group can
have. However, a group with too many entries is very slow to update. We recommend that you use
dynamic groups for very large groups.
To add a user to a group, add the user's DN to the member or uniqueMember attribute.
04-May-2016 333/923
CA Directory - 12.0.18
add-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Roles">
<commonName "AdminFinance">
contents = {
(objectClass groupOfNames )
(member <c au><o Democorp><ou Clerical><cn "Noelene Correa">,<c au><o
Democorp><ou Finance><ou Budgets><cn "Linda Deacon"> )
};
A static group becomes a static role when the set use-roles = true command is used.
2. Specify the subtree that stores the group entries by including the following commands in the
DSA's configuration:
04-May-2016 334/923
2.
CA Directory - 12.0.18
In this command, dn is the distinguished name of the subtree used to store the group entries.
You can also exclude a member from a dynamic group (see page 337).
dxDynamicGroupOfNames
dxDynamicGroupOfUniqueNames
You can add these attributes to a groupOfNames or groupOfUniqueNames object class respectively
so that dxMemberURL can be included.
04-May-2016 335/923
CA Directory - 12.0.18
clear dynamic-group;
set dynamic-group [tag] = {
subtree = DN
object-class = objectClass
url-attr = attribute
member-attr = attribute
};
For example:
4. Ensure that the DIT contains a subtree in which you can store the group entries.
Note: Using the [subtree = DN] parameter, you can also specify the dynamic-group
subtree to inspect for the baseObject of each request that is received by the DSA.
By using this parameter, you can narrow the search to only this subtree. This
parameter supports dynamic group membership search and compare requests
without requiring the set use-dynamic-roles = true; command.
For instance, the examples use the following subtree (see page 342):
ou=Groups,o=Democorp,c=AU
Create a special subtree for group entries. This step helps you implement access controls and roles
later.
1. (Optional) If a subtree does not exist, create a subtree for group entries.
04-May-2016 336/923
CA Directory - 12.0.18
2.
Create a dynamic group subtree and a dynamic group entry for users in a Manager role.
dn: ou=Groups,o=Democorp,c=AU
objectClass: organizationalUnit
dn: cn=Managers,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames # structural objectClass that contains
member
objectClass: dxDynamicGroupOfNames # auxiliary objectClass that contains
dxMemberURL
dxMemberURL:ldap://ou=Users,o=Democorp,c=AU??sub?(position=Manager)
You have created a dynamic group that uses the following filter:
ldap://ou=Users,o=Democorp,c=AU??sub?(position=Manager)
The next time that the Manager group is evaluated, this user will be a member of the group.
dn: cn=Craig Link,ou=Users,o=Democorp,c=AU
objectClass: inetOrgPerson
surname: Linkposition: Manager
Example: Exclude The User Joe Bloggs From The Administrators Group
Consider a user that is an administrator outside of directory (title=Administrator). This attribute also
has directory roles for which the user should not have administrator privileges.
04-May-2016 337/923
CA Directory - 12.0.18
objectClass: dxDynamicGroupOfNames
dxMemberURL:ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)
The group has the following user that satisfies the dxMemberURL:
dn: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
objectClass: inetOrgPerson
surname: Bloggs
title: Administrator
You can exclude the user from the dynamic group, but can retain the title attribute value by making
the following change to the dynamic group:
dn: cn=administrators,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
dxMemberURL:ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)
dxExcludeMember: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
Excluding a member from a dynamic group membership impacts the following operations involving a
dynamic group:
Membership Lookups: If you exclude a member, searching the dynamic group subtree with filter
containing member=<DN> will not return any results.
Role Lookups: If the member is explicitly excluded, l oading roles when a user binds to a DSA is
affected. The roles the member is excluded from are no longer loaded. (requires set use-dynamic-
roles = true;)
Dynamic group expansion: Returning a dynamic group using a base-object-only search that
returns all attributes does not include the excluded member in the member attributes value list.
Notes:
If you add a large number of values (> 100) to dxExcludeMember, then you might need
to rework the dynamic group entry configuration. This feature is meant for the
exceptions, not the rule.
For hybrid groups (containing both static and dynamic members), a static member is
excluded if used with dxExcludeMember. Ideally, the static member value should be
explicitly removed.
For static groups, dxExcludeMember is not used. If the static member value is no longer
required, it can simply be removed.
04-May-2016 338/923
CA Directory - 12.0.18
get dynamic-groups;
2.
04-May-2016 339/923
CA Directory - 12.0.18
2. Add the following commands to the DSA's settings configuration file, in DXHOME/config
/settings:
dxDynamicGroupOfNames
This object class contains an attribute groupOfNames, which you can use to store the DN.
dxDynamicGroupOfUniqueNames
This object class contains an attribute groupOfUniqueNames.
1. Add a value to the dxMemberURL attribute of a dynamic group containing a search filter in
LDAP URL form:
ldap:///base-dn??scope?filter
(|(group=teachers)(group=students))
base-dn
Specifies the base object for the filter search.
scope
(Optional) One of the following:
sub
Specifies that the filter searches the entire subtree below the base DN.
base
(Default) Specifies that the filter returns just the DN.
one
Specifies that the filter searches one level below the base DN.
filter
(Optional) Defines the LDAP search filter, for example:
04-May-2016 340/923
CA Directory - 12.0.18
dn: cn=Manager,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
objectClass: top
cn: Manager
dxMemberURL:: bGRhcDovLy9jPVFVSz9zdWI/AHNuPOR1bWVsZWXvssUpIA=0
The DN in the dxMemberURL attribute is encoded, because of the attribute's syntax. The unencoded
value is as follows:
ldap:///o=Democorp,c=AU??sub?(position=manager)
In this URL, the search's base object and scope are ignored.
Role-Based Configuration
After you have set up a group, you can add some specified attributes that restrict the searches for
group members. A group that is used to provide restrictions in this way is named a role.
This configuration works for both static and dynamic directory groups. You can use role-based
configuration in both local and distributed directories.
For a group to hold these attributes, it needs to have the dxRoleBasedConfig auxiliary object class.
dxRoleBasedConfig lets the group entry contain attributes that define the following types of
restrictions:
Operational limits
You can add the following attributes to a role:
dxSizeLimit -- This attribute specifies the maximum number of entries that a search can
return.
For more information about operation limits, see Limit Operations (see page 430).
Search profiles
You can add the attribute dxAllowSearch to a role. This attribute specifies the name of a search
profile. The set allow-search command defines the search profiles (see page 442).
You can also use a group to provide role-based access controls. For more information, see Set Up
04-May-2016 341/923
CA Directory - 12.0.18
You can also use a group to provide role-based access controls. For more information, see Set Up
Access Controls (see page 250).
The following examples show how to set up static groups and roles in Democorp, one of the sample
directories provided with CA Directory. You can use these examples as training exercises.
The Democorp directory does not contain any groups. Use these instructions to prepare the directory
for static groups.
1. Stop the Democorp DSA by entering the following command at a command prompt:
a. Look in the DXHOME/config/servers directory for the democorp.dxi file, and open it in
a text editor.
This is the Democorp DSA's initialization file.
source "../schema/samples.dxg";
source "x500.dxc";
This means that when the Democorp DSA starts, it sources the schema files listed in samples.
dxg.
4. Open samples.dxg in a text editor, and add this line to the file:
5. Make the DSA sources the x500.dxc schema file supplied with CA Directory. This provides the
required object classes.
To do this, add the following command to the schema file sourced by the DSA:
source "x500.dxc";
04-May-2016 342/923
CA Directory - 12.0.18
6. Start the Democorp DSA by entering the following command at a command prompt:
b. Select the DEMOCORP entry in the tree on the left, and then click New.
c. Enter ou=Groups in the RDN for New Entry field, click Submit twice, and then click OK.
This group lists the first aid officers in Democorp. It is already populated with two group members.
version: 1
2. Open a command prompt and change to the directory in which you saved the LDIF file.
3. Load the entry into the Democorp directory, using the following command in the command
prompt:
-h hostname
Specifies the name of the computer on which the DSA is running.
-p portnumber
Specifies the port number of the DSA. By default, the Democorp sample DSA uses port
19389.
The new entry First Aid Officers can now be used as a static group. You can now add or delete
members from this group.
04-May-2016 343/923
CA Directory - 12.0.18
source "../settings/dxmanager.dxc";
This means that when the Democorp DSA starts, it uses the settings in settings/dxmanager.dxc
. You need to add the role commands to this file.
3. Add the commands to enable static roles to the Democorp settings file. To do this:
a. Ensure that the settings file is writable, and then open it in a text editor.
#roles
set role-subtree = <c AU><o Democorp><ou Groups>;
set use-roles = true;
The Democorp directory does not contain any groups. Use these instructions to prepare the directory
for static groups.
1. Stop the Democorp DSA by entering the following command at a command prompt:
a. Look in the DXHOME/config/servers directory for the democorp.dxi file, and open it in
04-May-2016 344/923
2. CA Directory - 12.0.18
a. Look in the DXHOME/config/servers directory for the democorp.dxi file, and open it in
a text editor.
This is the Democorp DSA's initialization file.
source "../schema/samples.dxg";
source "x500.dxc";
This means that when the Democorp DSA starts, it sources the schema files listed in samples.
dxg.
4. Open samples.dxg in a text editor, and add this line to the file:
5. Make the DSA sources the x500.dxc schema file supplied with CA Directory. This provides the
required object classes.
To do this, add the following command to the schema file sourced by the DSA:
source "x500.dxc";
6. Start the Democorp DSA by entering the following command at a command prompt:
b. Select the DEMOCORP entry in the tree on the left, and then click New.
c. Enter ou=Groups in the RDN for New Entry field, click Submit twice, and then click OK.
This group lists the first aid officers in Democorp. It is already populated with two group members.
version: 1
04-May-2016 345/923
1.
CA Directory - 12.0.18
objectClass: top
cn: First Aid Officers
uniqueMember: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU
uniqueMember: cn=Vivienne LEVER,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU
2. Open a command prompt and change to the directory in which you saved the LDIF file.
3. Load the entry into the Democorp directory, using the following command in the command
prompt:
-h hostname
Specifies the name of the computer on which the DSA is running.
-p portnumber
Specifies the port number of the DSA. By default, the Democorp sample DSA uses port
19389.
The new entry First Aid Officers can now be used as a static group. You can now add or delete
members from this group.
source "../settings/dxmanager.dxc";
This means that when the Democorp DSA starts, it uses the settings in settings/dxmanager.dxc
. You need to add the role commands to this file.
3. Add the commands to enable static roles to the Democorp settings file. To do this:
a. Ensure that the settings file is writable, and then open it in a text editor.
#roles
set role-subtree = <c AU><o Democorp><ou Groups>;
set use-roles = true;
04-May-2016 346/923
CA Directory - 12.0.18
The following examples show how to set up dynamic groups and roles in Democorp, one of the
sample directories that comes with CA Directory. You can use these examples as training exercises.
This dynamic group includes entries in Democorp that have the word engineer in the description
attribute.
4. Click Submit.
The new entry is created. You now need to add the LDAP filter to the dxMemberURL attribute.
5. Display the attributes without values by clicking the arrow beside List of attributes without
values.
6. Click the Edit icon next to the description attribute, enter the following filter, and then
click Modify:
ldap:///o=Democorp,c=AU??sub?(description=*engineer*)
04-May-2016 347/923
CA Directory - 12.0.18
source "../settings/dxmanager.dxc";
This means that when the Democorp DSA starts, it uses the settings in settings/dxmanager.dxc
. You need to add the role commands to this file.
3. Add the commands to enable dynamic roles to the Democorp settings file. To do this:
a. Ensure that the settings file is writable, and then open it in a text editor.
#roles
set role-subtree = <c AU><o Democorp><ou Groups>;
set use-dynamic-roles = true;
If this file already includes the set use-dynamic-roles = true command, you can leave it there.
A DSA can contain both static and dynamic roles.
This dynamic group includes entries in Democorp that have the word engineer in the description
attribute.
04-May-2016 348/923
CA Directory - 12.0.18
4. Click Submit.
The new entry is created. You now need to add the LDAP filter to the dxMemberURL attribute.
5. Display the attributes without values by clicking the arrow beside List of attributes without
values.
6. Click the Edit icon next to the description attribute, enter the following filter, and then
click Modify:
ldap:///o=Democorp,c=AU??sub?(description=*engineer*)
source "../settings/dxmanager.dxc";
This means that when the Democorp DSA starts, it uses the settings in settings/dxmanager.dxc
. You need to add the role commands to this file.
3. Add the commands to enable dynamic roles to the Democorp settings file. To do this:
a. Ensure that the settings file is writable, and then open it in a text editor.
#roles
set role-subtree = <c AU><o Democorp><ou Groups>;
set use-dynamic-roles = true;
04-May-2016 349/923
CA Directory - 12.0.18
If this file already includes the set use-dynamic-roles = true command, you can leave it there.
A DSA can contain both static and dynamic roles.
Types of Logs
CA Directory lets you set up the following types of log for each DSA:
Alarm log
The alarm log contains all alarms. Alarms are reports of critical events that should be monitored.
This is not dependent on the tracing level or whether the DSA console is open.
This is the only log that cannot be closed. It is always open when a DSA is running.
This log has a default name of dsa-name_alarm.log.
Alert log
An alert log contains all authentication errors and account suspensions. It can be used to show
attempts at unauthorized access to the DSA. This is not dependent on the tracing level.
Certificate log
A certificate log contains a summary of operations that involve certificates or CRLs. This includes
all add and modify operations that include a userCertificate, caCertificate, or
certificateRevocationList attribute. In addition, any read request, search request, or search filter
that returns one of these attributes is recorded.
This is not dependent on the tracing level.
Connection log
04-May-2016 350/923
CA Directory - 12.0.18
Connection log
A connection log contains a line for each successful connection made, and each released
connection. This is not dependent on the tracing level.
The connection log is time-stamped and date-stamped, and a new one is written daily.
Diagnostic log
A diagnostic log contains a list of operations that the DSA has rejected, for whatever reason. This
includes the operation, the DN of the affected entry, and a diagnostic message. Use this file to
debug applications.
If diagnostic tracing has been enabled, this output is also sent to the trace log.
Query log
A query log contains detailed information about every operation, including a time and date
stamp. This is not dependent on the tracing level.
You can use the set query-log-advanced commandto provide even more detail for operations in
the query log.
SNMP log
An SNMP log contains all events that are sent to SNMP traps.
Statistics log
A statistics log contains a summary of operational statistics for every minute that the DSA is
active. When the DSA is not active, no information is written to the log, which prevents the log
file from growing during inactivity. This is not dependent on the tracing level. You can use the set
extended-stats-tracing command to log low-level statistic information.
Summary log
A summary log contains a summary of every operation. This is not dependent on the tracing level
or whether the DSA console is open.
Time log
A time log contains the time taken for each successful operation.
You can use the set time-log-search-threshold command and the set time-log-update-threshold
command to log only those operations that exceed thresholds.
If tracing or parsing is turned on, use the get log command to display the configuration of the
time log.
Trace log
A trace log contains tracing information for all successful operations. The level of tracing written
to a trace log is dependent on the level of tracing set on the DSA.
Update log
An update log contains detailed information for all add, modify, rename, and delete operations.
This is not dependent on the tracing level. You can use the set update-log-show-values command
to include attribute values in the update log.
Warning log
A warning log contains all errors and warnings, which are useful for diagnosing problems. This is
not dependent on the tracing level. For descriptions of error messages, see System Messages.
Recommended Logs
You can use the following logs for DSAs in production environments:
04-May-2016 351/923
CA Directory - 12.0.18
Alarm
Diagnostic
Statistics
Summary
Only use this for router DSAs. This file becomes very large for data DSAs.
Trace
When the trace level is set to none, this log acts like a console log. For test environments, set the
trace level to error.
Warn
Note: We recommend that you use only the logs that are actually required. Because a DSA
has to write to the log files, keeping too many log files open can reduce performance.
If a log file does not exist when opened, it is created. If it already exists, the DSA appends new output
to the existing output in the file.
When you close a log file, the DSA stops sending output to the log file. When the DSA shuts down, it
automatically closes any open log file.
If the log file name contains the string $s, then the system substitutes the name of the DSA.
For example, to open the query log, enter the following command:
set query-log = "logs/$s.log";
You can configure the logs using the commands listed in Commands for Logging in the Reference.
04-May-2016 352/923
CA Directory - 12.0.18
For example, the following command produces a log file in the logs directory of the form
dsaname_yyyymmdd.log for each day there is activity on the DSA:
set summary-log = "logs/$s.log";
You can use these history files to inspect auditing, accounting, billing, and statistical information.
This is exactly the same way that the other logs rotate (summary, query etc), except for one
difference: the current day's trace and alarm logs will always be known as " dsaName_trace.log" and "
dsaName_alarm.log".
When the system clock ticks over to one past mightnight (00:01), the DSA acknowledges that more
than 24 hours has elapsed and does the following:
3. The DSAs renames the current trace or alarm log to "dsaName_trace_ccyymmdd.log" & "
dsaName_alarm_ccyymmdd.log".
This method allows the alarm and trace logs to retain their current log file names, as well as enabling
the rollover effect.
04-May-2016 353/923
CA Directory - 12.0.18
The logs will roll when: 'hour' * 60 + 'minute' + delta in seconds since the last roll / 60 > 1440.
For example:
Start DSA at 23:50
Hours = 23 Minutes = 50
roll check at 23.59 1380 + 50 + 9 = 1439 - no roll
roll check at 0.00 1380 + 50 + 10 = 1440 - no roll
roll check at 0.01 1380 + 50 + 11 = 1441 - roll
The roll check occurs only when any log message is being written after 1 minute past midnight.
The set rollover-trace-log command needs to be set after the set trace-log command, and same for
alarm (if set). Otherwise, the rollover settings will be set back to their default state of off.
To enable rollover based on maximum lines, use the following commands to configure maximum line
limit for each log.
set alarm-log-max-lines=$NUMBER
set summary-log-max-lines=$NUMBER
set trace-log-max-lines=$NUMBER
set stats-log-max-lines=$NUMBER
set query-log-max-lines=$NUMBER
set update-log-max-lines=$NUMBER
set alert-log-max-lines=$NUMBER
set connect-log-max-lines=$NUMBER
set warn-log-max-lines=$NUMBER
set diag-log-max-lines=$NUMBER
set time-log-max-lines=$NUMBER
To ensure that a log does not roll over before one second, a minimum of 1000 lines must be logged.
Setting the max-lines value to zero indicates that rollover based on maximum lines is disabled.
The DSA checks each log to verify if the log-max-lines functionality is enabled. When max-lines are set
for logs, the DSA creates new log files with the YYYYMMDD_HHMMSS suffix for all logs except trace
and alarm logs. For instance, when the maximum line threshold is reached, the DSA creates these
logs, router_summary_20150914_120413.log and router_warn_20150914_120413.log.
For the trace and alarm logs, when the maximum line limit has reached, the following actions occur:
1. The DSAs flushes the trace or alarm log and then closes the log.
3. The DSAs opens the trace or alarm log dsaName_trace.log and dsaName_alarm.log
When max-lines are set, the trace and alarm log do not trigger a rollover in the midnight even if
04-May-2016 354/923
CA Directory - 12.0.18
When max-lines are set, the trace and alarm log do not trigger a rollover in the midnight even if
rollover-trace-log or rollover-alarm-log is set to true.
Example:
For all logs except alarm and trace logs:
router_summary_20150914_000000.log (A new log is started at midnight)
router_summary_20150914_120413.log (When the maximum lines threshold is exceeded, a
new log is started with the timestamp appended.)
router_summary_20150914_180212.log(When the maximum lines threshold is exceeded, a
new log is started with the timestamp appended.)
router_summary_20150915_000000.log (A new log is started after 24 hours.)
CA Directory comes with an SNMP agent, which enables the following monitoring information:
SNMP traps -- The SNMP agent sends a trap when a particular condition is met. You can send
traps to an SNMP manager or a log file.
You can use any SNMP manager that supports the RFC1567 MIB.
The CA Directory Management Information Base (MIB) defines what can be monitored with SNMP.
This MIB conforms to RFC1567 Directory Monitoring Management Information Base (MIB).
dsaOpsTable -- Provides summary statistics on the directory accesses, operations, and errors
dsaEntriesTable -- Provides summary statistics on the entries held by the DSA and on cache
performance
dsaIntTable -- Provides useful information about the interaction of the monitored DSA with peer
DSAs
04-May-2016 355/923
CA Directory - 12.0.18
In addition, the SNMP agent can also monitor the following information that is specific to CA
Directory:
Multiwrite replication
DSA statistics
DXcache
Thread utilization
DXHOME\samples\snmp
This is the only UDP port that the DSA uses. It does not interfere with TCP port numbers, so you can
use any number.
set snmp-description
set snmp-contact
set snmp-name
set snmp-location
set snmp-poll-community
set snmp-trap-community
04-May-2016 356/923
CA Directory - 12.0.18
This example shows how to enable SNMP monitoring for a DSA with text-based configuration.
2. Include information to identify the DSA to the person who is managing the SNMP monitoring:
set auth-trap
Send a trap whenever an authentication failure occurs.
set multi-write-error-trap
Send a trap whenever an update is refused by a peer. This can indicate a problem with data
synchronization.
set op-error-trap
Send a trap whenever an update error occurs.
set password-suspended-trap
Send a trap whenever a binding user exceeds the configured password retry count occurs. If
password suspension is configured to be ignored for the user, the DSA still sends a trap, because
of the risk of a dictionary attack.
set trap-on-update
set trap-on-update-verbose
Send a trap whenever an update occurs.
If you update the user record of Craig Link, the following output appears in the DXtrap window or in
the log:
04-May-2016 357/923
CA Directory - 12.0.18
- Update -
sysName kookaburra:389:DEMOCORP
sysDescr CA Directory DSA
sysLocation MOD cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU
You can set this in the DSA logging configuration file (.dxc) in the logging directory.
Trap 0 -- Unclassified DSA alarms & assertion failures. See Traps 6, 7, and 8 for classified alarms.
close snmp-log;
04-May-2016 358/923
CA Directory - 12.0.18
You can set this in the DSA settings configuration file (.dxc) in the settings directory.
DXsnmp
DXtrap
These are both sample tools, which means that although they might be useful, they are not officially
supported. Do not rely on sample tools for consistent results, because they may change without
notice.
This is the only UDP port that the DSA uses. It does not interfere with TCP port numbers, so you can
use any number.
set snmp-description
set snmp-contact
set snmp-name
set snmp-location
set snmp-poll-community
set snmp-trap-community
This example shows how to enable SNMP monitoring for a DSA with text-based configuration.
04-May-2016 359/923
CA Directory - 12.0.18
2. Include information to identify the DSA to the person who is managing the SNMP monitoring:
set auth-trap
Send a trap whenever an authentication failure occurs.
set multi-write-error-trap
Send a trap whenever an update is refused by a peer. This can indicate a problem with data
synchronization.
set op-error-trap
Send a trap whenever an update error occurs.
set password-suspended-trap
Send a trap whenever a binding user exceeds the configured password retry count occurs. If
password suspension is configured to be ignored for the user, the DSA still sends a trap, because
of the risk of a dictionary attack.
set trap-on-update
set trap-on-update-verbose
Send a trap whenever an update occurs.
If you update the user record of Craig Link, the following output appears in the DXtrap window or in
the log:
04-May-2016 360/923
CA Directory - 12.0.18
You can set this in the DSA logging configuration file (.dxc) in the logging directory.
Trap 0 -- Unclassified DSA alarms & assertion failures. See Traps 6, 7, and 8 for classified alarms.
close snmp-log;
You can set this in the DSA settings configuration file (.dxc) in the settings directory.
04-May-2016 361/923
CA Directory - 12.0.18
You can set this in the DSA settings configuration file (.dxc) in the settings directory.
DXsnmp
DXtrap
These are both sample tools, which means that although they might be useful, they are not officially
supported. Do not rely on sample tools for consistent results, because they may change without
notice.
get stats;
get stack;
get online-dsas;
get users;
get log;
get dsp;
04-May-2016 362/923
CA Directory - 12.0.18
A DSA's trace is its record of almost all operations going into and out of that DSA. You can view a
DSA's trace in the log files, and also by using the DSA console.
You can set the trace levels for each DSA. Each trace level records only a certain type of information
about the DSA's operations.
Because the trace can be written to log files, you should not leave the trace set to a high level if it is
not required. This can fill up log files and waste disk space.
We recommend that you set the trace level in the configuration files of all DSAs to a low level, such as
error.
You can change the tracing level temporarily using the DSA console. When the DSA is next restarted,
the tracing returns to the level set in the configuration file.
For a list of the possible trace levels, see set trace Command in the Reference.
Protocol Tracing
Low-level protocol can be traced. The protocol trace is written to the trace log, if open. This tracing is
only for debugging purposes.
Statistics Tracing
The stats trace option enables you to retrieve the following minute-by-minute statistical information
about a DSA:
Assocs
Displays the number of bindings at the time that the statistics were collected.
NilCredit
Displays the number of times during the statistics period that the credit limit reached zero.
Queue
Displays the following numbers:
The number of operations that have been received but are not yet processed
04-May-2016 363/923
CA Directory - 12.0.18
Together, these figures give the number of operations that this DSA is currently looking after.
For a router or a DSA performing chaining, this figure counts local requests plus all requests sent
to remote DSAs to perform a local request.
MWQ
Displays the following numbers:
The number of queued multiwrite operations that have not been sent to peer DSAs
There is a discrepancy between these two numbers when multiwrite recovery in progress.
Ops
Displays the number of operations that the DSA processed in the last minute.
Entries
Displays the number of entries returned in search operations in the last minute
For example, to set the trace level to x500, use the following command:
Note: Tracing uses CPU; therefore, the DSA's response time is slower if you have set a high
tracing level.
04-May-2016 364/923
CA Directory - 12.0.18
dsaname_trace.log
To turn tracing off, enter the following command from the DSA console or a configuration file:
Protocol Tracing
Low-level protocol can be traced. The protocol trace is written to the trace log, if open. This tracing is
only for debugging purposes.
Statistics Tracing
The stats trace option enables you to retrieve the following minute-by-minute statistical information
about a DSA:
Assocs
Displays the number of bindings at the time that the statistics were collected.
NilCredit
Displays the number of times during the statistics period that the credit limit reached zero.
Queue
Displays the following numbers:
The number of operations that have been received but are not yet processed
Together, these figures give the number of operations that this DSA is currently looking after.
For a router or a DSA performing chaining, this figure counts local requests plus all requests sent
to remote DSAs to perform a local request.
04-May-2016 365/923
CA Directory - 12.0.18
MWQ
Displays the following numbers:
The number of queued multiwrite operations that have not been sent to peer DSAs
There is a discrepancy between these two numbers when multiwrite recovery in progress.
Ops
Displays the number of operations that the DSA processed in the last minute.
Entries
Displays the number of entries returned in search operations in the last minute
For example, to set the trace level to x500, use the following command:
Note: Tracing uses CPU; therefore, the DSA's response time is slower if you have set a high
tracing level.
04-May-2016 366/923
CA Directory - 12.0.18
dsaname_trace.log
To turn tracing off, enter the following command from the DSA console or a configuration file:
2. Check the log files for each DSA. If a log file has a non-zero size, view the log and determine
the cause of the error.
3. Check the disk space to ensure that there is enough free space to perform a backup of the
datastores used by the DSAs.
5. (Optional) If using Windows, check the application event log for errors.
6. (Optional) If you want to monitor the load changes on a DSA, enable DSA stats tracing and
check the stats log. This provides a summary of the number of operations performed each
minute, and can be used to determine usage. For more information, see Using DSA Tracing
(see page 364).
Health -- A directory's health is a measure of whether the directory is running smoothly. This
04-May-2016 367/923
CA Directory - 12.0.18
Health -- A directory's health is a measure of whether the directory is running smoothly. This
includes whether all DSAs are running, and whether any are logging warning, error, or alarm
messages.
Load -- A directory's load is a measure of the amount and type of operations being sent to that
directory.
Dashboard Tab
The Dashboard tab in DXmanager shows a high-level summary of the health and load of the directory
backbone.
The top of the Dashboard area shows the following messages areas:
Alerts
Notifies you of any new alerts. Look at the Alerts tabs to read the messages.
Configuration
Shows whether another user is editing the configuration. Only one user can edit the configuration
at a time.
Below the messages areas, the Dashboard area includes the following graphs:
Status graph
Shows the overall status of each region. The possible statuses are running, stopped, partially
running, and unknown.
Maps Tab
DXmanager helps you monitor the health of your directory. You can easily see the current health of
every part of the entire backbone, and you can also look at historical data to identify events and
patterns.
DXmanager helps you locate the source of any health problems, and work out their severity. You can
then quickly take action to solve the problems.
04-May-2016 368/923
CA Directory - 12.0.18
When the lowest load occurs, such that maintenance outages can be scheduled
In each of these maps, each part of the directory is shown as an icon. For example, a site is shown
with the following icon:
Every icon also has a small status indicator, as shown in the following table, in order of increasing
severity:
Stopped
DXmanager icon - stopped
Unknown
DXmanager icon - unknown
For DSAs, the status indicator shows whether the DSA is running, stopped, or cannot be contacted.
For example, a data DSA that is running is shown with the following icon:
For all other parts of the backbone, the status indicator shows a roll-up of the statuses of the DSAs
under it. For example, if a site includes some DSAs that are running and some that are stopped, the
site is shown with the following icon:
04-May-2016 369/923
CA Directory - 12.0.18
If any DSA has the status unknown, all higher sections also show the status unknown.
Links between icons can be shown as dashed or solid lines. Dashed lines mean there is no current
connection between the icon and its higher-level host, site, region or backbone. A solid line means at
least one DSA is running.
The connections between these nodes are shown as thin lines when there is no load of operations
flowing between them.
When a DSA is under load, the connections between topology units swell to show the load, as shown
in the following screenshot:
You can hover the cursor over a link to show the percentage of the total load on that link.
The icons show the status of each DSA, and the blue lines show the load on each DSA. Thicker lines
show greater load.
The status of the entire backbone is derived using the following steps:
04-May-2016 370/923
CA Directory - 12.0.18
On Host1, all DSAs are running. The host icon also shows the green icon, because all of its DSAs
are running.
On Host2, two DSAs are running, but the status of the third is unknown. The host shows the worst
status, which is unknown.
On Host3, two DSAs are running and one is stopped. The host icon shows the blue-and-white
status icon, to show that some of its DSAs are running and some are stopped.
The site icon shows the worst status of the hosts in that site, which is unknown.
The region has only one site, and the backbone has only one region, so those icons also show the
gray icon.
In this way, the Topology map reveals that this directory backbone is in poor health. The DSA with the
status of unknown must be fixed.
Charts Tab
The Charts tab lets you look at historical data to identify events and patterns.
Note: There is a two to six minute delay for updated data to appear in the charts.
The default chart shows line graphs of operations over time over the last hour.
You can export the data into a CSV file for later processing.
Alerts Tab
Alerts are any events that the user should be made aware of. In this version of DXmanager, the alerts
are harvested from the alarm logs.
Alerts tab
All alerts are displayed on the Alerts tab in DXmanager.
Email messages
You can also configure DXmanager to send email notifications containing alerts as they are
detected. You can filter which types of alerts are sent to each address.
04-May-2016 371/923
CA Directory - 12.0.18
Preferences Tab
The Preferences tab is used to configure users to receive email notifications when events are
detected by DXmanager. This tab enables you to set the following details:
System Preferences: Configure a SMTP mail server to relay DXmanager mail messages. This is a
mandatory requirement.
Mail server: Specify the address of a SMTP mail server that forwards the messages to the
configured recipients.
Note: Encryption and authentication are not supported.
Reply Address: Specify the email address that appears in the From field when receiving an
email notification.
Alert Filter
This filter is used to only send alerts of a particular type. When using Detail, then wildcard * can be
used.
Item Value
Severity Error, Warning, Information, Diagnostic
Type DXmanager, DXadmind, DXserver
Source n/a
Detail Message text
Email Recipients
The email recipients could either be a current DXmanager user (User preferences) or a list of non-
DXmanager users (system preferences).
Address(es): Enter comma separated list of email addresses that will receive notifications.
Send informational alerts: When not using an alert filter, the DXmanager sends only those
messages where Severity = Information.
04-May-2016 372/923
CA Directory - 12.0.18
These current monitoring mechanisms available for CA Directory require machine access to monitor
information:
SNMP monitoring
SNMP traps
Log files
External CA Directory monitoring unifies this information for easy integration with third-party
monitoring product. Monitoring information is sent using JSON formatted monitoring objects through
HTTP.
The following configuration options are used when using the external monitoring:
clear external-monitor;
get external-monitor;
set external-monitor <label> = { <monEndPointDef> <monEventDef>
<monVersionDef> <monCredDef> <monOptionsDef>
<monFormatDef> <monPushInterval> };
<label> ::= <string>
<monEendPointDef> ::= endpoint = <string>
<monEventDef> ::= monitor-events = <event-list>
<monCredDef> ::= credentials = username <string> password <string> | NULL
<monOptionsDef> ::= options = no-http-header | NULL
<monPushInterval> ::= push-interval = <num> | NULL
<event-list> ::= <event> | <event> , <event-list>
<event> ::= alarm-log-all | alarm-log-information | alarm-log-
critical |
alarm-log-caution | update-log | query-log |
auth-failures | account-susp | op-error | mw-error |
multiwrite | cache | stats | dsastats
clear external-monitor;
This option clears the current list of external monitoring endpoints. This action is required when the
configuration is reloaded over a dxserver init.
get external-monitor;
This option displays a list of configured end points through DXconsole.
set external-monitor
label (mandatory)
endpoint (mandatory)
04-May-2016 373/923
CA Directory - 12.0.18
When https is specified, the DSA well transmits monitoring messages over an SSL encrypted link. This
requires the following additional DSA configuration:
$DXHOME/config/ssld/trusted.pem must include the public root CA certificate from the server
receiving monitoring information. This certificate is verified by the DSA during the SSL handshake.
The optional uri component is prepended to the dxmonitor/v1 uri where the monitoring object is put.
Note: All DSAs configured for external monitoring require access (route) to the hostname
of the configured endpoint.
monitor-events (mandatory)
The following table describes the various events, triggers, and the monitoring object.
04-May-2016 374/923
CA Directory - 12.0.18
Warning: Be careful when using the query-log and update-log options in high volume
environments. The volume of traffic generated may severely impact performance and
memory utilization. If log consolidation is necessary, a background tool acting on the query-
log and update-log files directly is a better option.
credentials (optional)
When configured, the username and password are included in the HTTP Authorization header (basic).
This protects an endpoint from unnecessary events being posted.
A password can be encoded using dxpassword -P CADIR password command and included.
Example:
% dxpassword -P CADIR password
{CADIR}2RqNRjmDUKw=
.
credentials = username monitorUser password {CADIR}2RqNRjmDUKw=
.
options (optional)
no-http-header
This option sends only the PUT line of the HTTP request and the request body. This action can assist
some endpoints with processing the events being received.
push-interval (optional)
This option defines the number of seconds timer triggered events are sent. To prevent excess
monitoring traffic, the value must be greater or equal to 5 seconds.
04-May-2016 375/923
CA Directory - 12.0.18
Note: When using monitoring-event = dsastats, you cannot configure this option as it
shares the existing internal statistics calculations that are reset between snapshots every
60 seconds.
Configuration Example
clear external-monitor;
set external-monitor STATS = {
endpoint = "http://hostname.com:8080/rest"
monitor-events = stats, cache, multiwrite
credentials = username "dxmonitor" password "{CADIR}2RqNRjmDUKw="
push-interval = 120
};
# dsastats must occur every 60 seconds
set external-monitor DSASTATS = {
endpoint = "http://hostname.com:8080/rest"
monitor-events = dsastats
credentials = username "dxmonitor" password "{CADIR}2RqNRjmDUKw="
};
set external-monitor EVENTS = {
endpoint = "http://hostname.com:8080/rest"
monitor-events = auth-failures, account-susp, op-error, mw-error
credentials = username "dxmonitor" password "{CADIR}2RqNRjmDUKw="
};
# protect confidential information
set external-monitor ENCRYPTED = {
endpoint = "https://hostname.com:8443/rest"
monitor-events = alarm-log-all, update-log, query-log
options = no-http-header
credentials = username "dxmonitor" password "{CADIR}2RqNRjmDUKw="
};
HTTP Message
The monitoring message is in JSON formatted object sent over HTTP/s to the configured monitoring
address. The HTTP header consists of the following information and header fields:
PUT /{uri}/dxmonitor/v1/{event} HTTP/1.1<CR><LF>
Host: {hostname}<CR><LF>
User-Agent: CA Directory<CR><LF>
Authorization: Basic {credentials}<CR><LF>
Accept: application/json<CR><LF>
Content-Type: application/json; charset=UTF-8<CR><LF>
Content-Length: {length}<CR><LF>
Connection: keep-alive<CR><LF>
Pragma: no-cache<CR><LF>
Cache-Control: no-cache<CR><LF>
<CR><LF>
{JSON message}
Where
04-May-2016 376/923
CA Directory - 12.0.18
uri
The uri is taken from configured monitoring URL, for example, http://host:20000/uri.
event
The events currently supported are: log, alarm, event, cache, stats, dsastats, multiwrite.
hostname
The hostname refers to the full qualified name of the host that is sending information.
credentials
Base64 encoded credentials, if configured.
length
Length of attached JSON message.
JSON message
Object containing monitoring information in JSON format.
Monitoring Information
Every monitoring push contains the information as shown in the following table:
Alarm Information
Alarm information is sent each time an alarm message is written to the alarm log depending on the
configured type. The alarm log captures a large number of critical events in the lifecycle of a DSA.
04-May-2016 377/923
CA Directory - 12.0.18
The alarm message contains the following information as shown in this table:
critical
caution
information
message String Text describing the alarm event that occurred
This example is an informational alarm message sent when you stop the DSA.
{ "dxserver-monitor": {
"host-name": "hostname.com",
"dsa-name": "data1",
"time": "20141205.165412.212",
"alarm": {
"id": "DSA_I1240",
"type": "information",
"message": "DSA shutting down"
}
}
}
Event Information
While the DSA is running, a number of key events can be detected. These events are useful from an
auditing perspective or to detect problems that require immediate attention.
The event message contains the following information as shown in this table:
auth-failure
account-susp
op-error
04-May-2016 378/923
CA Directory - 12.0.18
mw-error
message String Text describing the event that occurred
This example is when a bind to the DSA occurs with invalid credentials. If this occurs frequently, it
may indicate a dictionary-based attack.
{ "dxserver-monitor": {
"host-name": "hostname.com",
"dsa-name": "data1",
"time": "20141205.165412.212",
"event" : {
"type": "auth-failure",
"message": "cn=justin,ou=users,o=ca,c=au 123.123.123.123"
}
}
}
Logs Information
While the DSA is running, a number of logs are written to the file system. These logs can be directory
to the monitoring address.
The logs message contains the following information as shown in this table:
query-log
update-log
message String Text describing the log event that occurred
04-May-2016 379/923
CA Directory - 12.0.18
"log" : {
"type": "query-log",
"message": "20150223.171428.225 0.11 RESULT success 1 entries 16 msecs"
}
}
}
Statistics Information
The DSA keeps running counts of various operations received and other information as shown in the
following table. This information is reset when a DSA is restarted. This count keeps increasing until
the values wrap back to zero when unsigned MAX_INT (32-bit) is reached.
If periodic snapshots are taken, then this information provides a reasonable measure of how the DSA
is performing over time. The delta of snapshots indicates the amount of work a DSA has performed in
that period.
Trigger: If push-interval is configured, this object is used, else, a message is sent every 60 seconds.
04-May-2016 380/923
CA Directory - 12.0.18
whole-subtree- Numbe >=0 Total number of whole subtree search operations processed
searches r
security-errors Numbe >=0 Total number of security errors that have occurred
r
operation-errors Numbe >=0 Total number of failed operations
r
Cache Information
The DSA uses a high speed cache to optimize performance. Since r12, all information is now cached
(DXgrid) and this event provides a snapshot of the current state of the DXgrid DSA cache.
Note: If set on router DSAs, all counters are set to zero and the status is disabled. For this
reason, it is more efficient to set this option on data DSAs only.
Trigger: If push-interval is configured, this object is used, else, a message is sent every 60 seconds.
The cache message contains the following information as shown in this table:
04-May-2016 381/923
CA Directory - 12.0.18
insane
size Num >=0 Memory used (to the nearest MB) to cache the entries and build indexes
ber
search- Num >=0 How many searches the cache has serviced
hits ber
sequenti Num >=0 How many searches caused the cache to sequentially scan all entries. These
al-scans ber searches are inefficient and should be monitored.
entries Num >=0 Number of entries serviced by the cache
ber
file-size Num >=0 The configured size of the DXgrid db file
ber
used- Num >=0 Number of bytes used to store data in the DXgrid db file. The file utilization
bytes ber percentage can be calculated using this formula: used-bytes / file-size * 100.
reclaima Num >=0 Number of bytes from deleted entries or values that may be reclaimed by
ble- ber subsequent updates
bytes
Multiwrite Information
When a DSA is part of a replicating set of DSAs, the multiwrite event keeps track of each multiwrite
peer DSA it is servicing. A DSA may have one or more peers and the multiwrite event provides a
separate status line for each peer.
04-May-2016 382/923
CA Directory - 12.0.18
Note: No events are sent if a DSA is not replicating. If there are many multiwrite DSAs, then
each DSA sends a multiwrite event for each peer in its replicating set. This may trigger to a
large amount of traffic. For this reason, increase the push interval to reduce monitoring
traffic.
Trigger: If push-interval is configured, this object is used, else, a message is sent every 60 seconds.
04-May-2016 383/923
CA Directory - 12.0.18
confirm Num >=0 Count of updates in queue that clients are not waiting for confirmation on.
ed- ber The updates have either been confirmed or are replicating asynchronously.
local
DSA mw1 has 2 multiwrite peer DSAs (mw2 & mw3), therefore, two messages are sent.
{ "dxserver-monitor": {
"host-name": "hostname.com",
"dsa-name": "mw1",
"time": "20150223.214700.014",
"multiwrite" : {
"dsa-name": "mw2",
"queue-length": 0,
"status": "ok",
"pending-remote": 10,
"confirmed-local": 10
}
}
}
{ "dxserver-monitor": {
"host-name": "hostname.com",
"dsa-name": "mw1",
"time": "20150223.214700.014",
"multiwrite" : {
"dsa-name": "mw3",
"queue-length": 1000,
"status": "failed",
"pending-remote": 0,
"confirmed-local": 0
}
}
}
Some information is reset when a DSA is restarted and keeps increasing until the values wrap back to
zero when unsigned MAX_INT (32 bit) is reached. Other information is reset after each snapshot. For
this reason the push-interval is not supported for this monitoring event.
Nam Va F Description
e lue o
Ty r
pe m
a
t
assoc > Number of active connections to the DSA
iation =
s 0
04-May-2016 384/923
CA Directory - 12.0.18
Nu
m
be
r
nil- Nu > Number of times since the last message when an operation processing got delayed as
credit m = the credit limit was reached. This value is reset every 60 seconds.
be 0
r
queu Nu > Number of operations the DSA is processing
ed- m =
ops be 0
r
queu Nu > Number of operations that have been sent to other DSAs for processing
ed- m =
remo be 0
te- r
ops
ops- Nu > Number of operations that have been processed since the last message. This value is
proce m = reset every 60 seconds.
ssed be 0
r
entri Nu > Number of entries returned by the DSA since the last message. This value is reset every
es- m = 60 seconds.
retur be 0
ned r
mw- Nu > The total number of queued updates in all multiwrite queues
queu m =
e be 0
r
mw- Nu > The total number of updates that are pending a response from remote peer DSAs
replic m =
ating be 0
r
activ Nu > Approximately the percentage of active threads over the last minute. This value is reset
e m = every 60 seconds.
be 0
r
mem Nu > The number of internal memory blocks in use
ory- m =
trees be 0
r
mem Nu > Total amount of memory DSA has requested from the operating system
ory- m =
usage be 0
r
mallo >
cs =
0
04-May-2016 385/923
CA Directory - 12.0.18
Nu The number of times malloc was called since the last message. The DSA reuses memory
m so over time the number of malloc calls should reduce. If these calls do not reduce, the
be DSA is not performing at full efficiency as requesting memory from the OS incurs a
r performance cost.
04-May-2016 386/923
CA Directory - 12.0.18
"thread-count": 8,
"thread-mean": 0
}
}
}
Response Format
When the DSA sends a request through REST, a response from the server must be sent back to the
DSA. The DSA does not enforce it, but can be used to indicate an issue with processing the response
and aids in diagnosing server side monitoring issues. It may be more efficient for the endpoint to not
send responses.
The DSA currently expects the following HTTP responses and the body of the response are ignored.
Response Messages
Performance Impact
The goal of any monitoring is to reduce performance degradation of normal functioning. Therefore,
monitoring messages are sent asynchronously.
Note: If a monitoring endpoint cannot keep up with the traffic that is being sent by DSAs,
then the DSA memory consumption increases.
Diagnostics (Debugging)
To assist with diagnosing monitoring issues, additional diagnostic messages are displayed. The trace
stack; level is enhanced to display HTTP request and response contents. This information assists users
in diagnosing issues while sending to and integrating with the external monitoring address.
04-May-2016 387/923
CA Directory - 12.0.18
Manage DSAs
How to Stop a DSA
You can stop a DSA using DXmanager or a DSA console.
However, if a DSA has a multiwrite queue and Wait for Multiwrite is set to True for that DSA, the DSA
does not stop. This is to prevent the queue being lost. If Wait for Multiwrite is True, the DSA does not
stop until the queue has been flushed (that is, the target DSA has accepted all of the queued
updates).
To ensure a DSA stops, we recommend that you stop processes in this order:
We recommend that you do not forcibly stop a DSA with queues, because this causes the queues to
be permanently lost.
DXmanager
DXconsole
A command line
Note: On Windows, you can use the Service Manager to start and stop DSA services.
Reinitializing a DSA
If you have changed a DSA's configuration files, the DSA does not change until you restart the DSA.
This is because a DSA checks its configuration only when it is starting up. When it is running, it does
not refer to its configuration.
However, you can reinitialize a DSA to make it check its configuration. This lets you change a DSA's
04-May-2016 388/923
CA Directory - 12.0.18
However, you can reinitialize a DSA to make it check its configuration. This lets you change a DSA's
behavior without stopping and restarting it.
get stats;
1. Use Telnet to connect to the DSA whose statistics you want to reset.
reset stats;
get oper;
DXmanager lets you use a single click to control any of these groups of DSAs:
A single DSA
All DSAs that serve a namespace partition (these DSAs all have the same prefix)
04-May-2016 389/923
CA Directory - 12.0.18
All DSAs that serve a namespace partition (these DSAs all have the same prefix)
2. Click the Maps tab, then choose the level at which you want to control the DSAs:
To control all DSAs that serve a namespace partition, display the Namespace map.
To control a single DSA or all DSAs on a host, in a site, or in a region, display the Topology
map.
Any of the commands that you can use in a command line can also be used in a script.
Start a DSA Using a Command Line (see page 390)
Stop a DSA Using a Command Line (see page 391)
Force a DSA to Stop Using Command Line (see page 391)
Force an Inconsistent DSA to Start Using Command Line (see page 391)
Refresh a DSA Using a Command Line (see page 392)
Check the Status of a DSA by Using a Command Line (see page 392)
Increase the Size of Your Datastore (see page 393)
dsaname
This attribute starts the named DSA only.
04-May-2016 390/923
2.
CA Directory - 12.0.18
all
This attribute starts all DSAs on this computer.
dsaname
This attribute stops the named DSA only.
all
This attribute stops all DSAs on this computer.
Note: We strongly recommend that you do not use a force stop in a production environment.
(Windows only) Stop the service using the Windows Service Manager.
Power outage
04-May-2016 391/923
CA Directory - 12.0.18
In these cases, a data DSA could be performing updates that might not be complete. The grid DB file
might be corrupt or is missing the most recent changes. When starting a DSA after an abnormal
termination, it might not start with the following message:
{dsaname} inconsistent
To start a DSA, which is in inconsistent state, use the dxserver forcestart command.
Note: To prevent data loss, we recommend running a transaction log (with flushing enabled).
However, in high volume update environments, this setting might be disabled. If the transaction log is
disabled, we recommend performing a full disaster recovery from a replicating peer DSA before using
the force start command.
dsaname
This attribute initializes the named DSA only.
all
This attribute initializes all DSAs on this computer.
04-May-2016 392/923
CA Directory - 12.0.18
3. Modify the dxgrid-db-size setting to define the new increased size you want for the datastore.
shutdown;
04-May-2016 393/923
CA Directory - 12.0.18
Note: We strongly recommend that you do not use a force stop in a production environment.
force-shutdown;
dsa> logout;
You can also close the DSA console from the local Telnet session:
<control-]>
telnet> quit
The Telnet session closes automatically when the DSA shuts down.
If you perform this procedure on a regular basis, you may want to set up replication between the
DSAs.
dxnewdb dsaname
In this command dsaname is the name of the datastore that you want to empty.
04-May-2016 394/923
CA Directory - 12.0.18
In this command ldif-file is the name of the LDIF file that contains the new data and dsaname
is the name of the DSA to which you want to load the data. The options include the following:
-O rows
Specifies that DXloaddb loads operational attributes.
dxnewdb Democorp
2. Load the new data from the file newdemocorp.ldi using the following command:
Backing Up Data
Contents
Comparison of Backup Methods (see page 395)
File System Backup (see page 396)
Example of File System Backup Plan (see page 396)
Using an LDIF file to Back Up and Load Data (see page 397)
Back Up a Directory to an LDIF File (see page 397)
How to Load Directory Data from an LDIF File (see page 397)
Online Datastore Dump (see page 397)
There are two ways to back up CA Directory data. The fastest and safest way is to back up the file
system. You can also export the data to an LDIF file.
04-May-2016 395/923
CA Directory - 12.0.18
Environment (DXHOME)
Their directory contains hundreds of millions of user entries and uses eight Solaris computers. Each
computer has four data DSAs and several layers of router DSAs on it. Company A runs a 24-hours-a-
day, 7-days-a-week operation with strict SLAs relating to availability, and a small weekly maintenance
window.
The IT team automatically backs up the file system once a day at 4 a.m.
04-May-2016 396/923
CA Directory - 12.0.18
CA Directory comes with the DXdumpdb tool, which lets you unload data from a datastore into an
LDIF file. You can then later load the data from the LDIF file into a datastore to recover the directory
content.
1. Log in as the user dsa (on UNIX) or the DXserver administrator (on Windows).
2. Use the following command to back up the datastore to the LDIF file:
-f filename
Specifies the file path and name where the data is dumped.
-z
Specifies that DXdumpdb dumps from the copy of the datastore that is produced by the
console command dump dxgrid-db.
dsaname
Specifies the name of the DSA.
Load an entire datastore from an LDIF file, using the DXloaddb tool. For more information, see
dxloaddb in the Reference Guide.
Load some data into an existing datastore, using the DXmodify tool. For more information, see
dxmodify in the Reference Guide.
The datastore file is copied to a file with extension starting .z, so the database file is dxgrid-db.zdb
Note: Each dump overwrites the previous backup file. If you want to save the backup file,
copy it to another location before the next dump.
04-May-2016 397/923
CA Directory - 12.0.18
04-May-2016 398/923
CA Directory - 12.0.18
Environment (DXHOME)
Their directory contains hundreds of millions of user entries and uses eight Solaris computers. Each
computer has four data DSAs and several layers of router DSAs on it. Company A runs a 24-hours-a-
day, 7-days-a-week operation with strict SLAs relating to availability, and a small weekly maintenance
window.
The IT team automatically backs up the file system once a day at 4 a.m.
CA Directory comes with the DXdumpdb tool, which lets you unload data from a datastore into an
LDIF file. You can then later load the data from the LDIF file into a datastore to recover the directory
content.
1. Log in as the user dsa (on UNIX) or the DXserver administrator (on Windows).
2. Use the following command to back up the datastore to the LDIF file:
-f filename
Specifies the file path and name where the data is dumped.
-z
Specifies that DXdumpdb dumps from the copy of the datastore that is produced by the
console command dump dxgrid-db.
dsaname
Specifies the name of the DSA.
04-May-2016 399/923
CA Directory - 12.0.18
Load an entire datastore from an LDIF file, using the DXloaddb tool. For more information, see
dxloaddb in the Reference Guide.
Load some data into an existing datastore, using the DXmodify tool. For more information, see
dxmodify in the Reference Guide.
The datastore file is copied to a file with extension starting .z, so the database file is dxgrid-db.zdb
Note: Each dump overwrites the previous backup file. If you want to save the backup file,
copy it to another location before the next dump.
Sometimes you need the attribute value in an entry to be unique. For example, for email to work
each user needs a unique email ID.
You can specify which attributes must have unique values, and you can also specify a subtree within
which the specified attribute must have unique values. You can specify different subtrees for
different attributes.
If you implement unique attributes, ensure the client applications can handle refusals when they add
or modify attribute values that already exist.
If the value is used, an error message is sent back to the client application; otherwise the client
request is confirmed.
04-May-2016 400/923
CA Directory - 12.0.18
When a DSA searches entries to determine if an attribute value is unique, the search bypasses access
controls. This means that a user could write a client application to determine the unique values. If
these are sensitive information, this may be a security issue.
If the scope of the subtree covers more than one DSA, the first DSA (DSA-A) sends the search to
another DSA (DSA-B). DSA-B obeys access controls unless DSA-A has set the trust flag trust-DSA-
triggered-operations. To allow DSA-B to bypass access controls, set this flag in the DSA-A knowledge
and ensure that DSA-B shares DSA-A's knowledge.
There is no DSA mechanism to find duplicates in existing directory data. Before you enable unique
attributes on a running directory, you should check for duplicate attribute values.
If you load data using the DXloaddb tool, uniqueness is not enforced.
Checks for uniqueness apply to any number of DSAs in a backbone as long as they are under the
specified uniqueness subtree.
1. (Optional) Define the subtree within which the attributes must be unique using the following
command:
This command lets you specify which subtree each attribute should be unique within, but this
is optional.
If you do not set these subtrees here or in the set unique-attrs-subtree command, attributes
are unique within the local prefix.
3. (Optional) Set the trust flag Trust-DSA-triggered operations in the knowledge of the DSA.
Then, if the search extends to another DSA, this other DSA bypasses access controls when it
performs uniqueness checking.
04-May-2016 401/923
CA Directory - 12.0.18
1. Use Telnet to connect to the DSA that contains the unique attributes.
get user;
The output lists the DSA's configuration, including any unique attributes.
When a client application tries to update an attribute that is set to be unique, CA Directory checks
that the attribute value is not already used.
If the value is used, an error message is sent back to the client application; otherwise the client
request is confirmed.
When a DSA searches entries to determine if an attribute value is unique, the search bypasses access
controls. This means that a user could write a client application to determine the unique values. If
these are sensitive information, this may be a security issue.
If the scope of the subtree covers more than one DSA, the first DSA (DSA-A) sends the search to
another DSA (DSA-B). DSA-B obeys access controls unless DSA-A has set the trust flag trust-DSA-
triggered-operations. To allow DSA-B to bypass access controls, set this flag in the DSA-A knowledge
and ensure that DSA-B shares DSA-A's knowledge.
There is no DSA mechanism to find duplicates in existing directory data. Before you enable unique
attributes on a running directory, you should check for duplicate attribute values.
If you load data using the DXloaddb tool, uniqueness is not enforced.
04-May-2016 402/923
CA Directory - 12.0.18
Checks for uniqueness apply to any number of DSAs in a backbone as long as they are under the
specified uniqueness subtree.
1. (Optional) Define the subtree within which the attributes must be unique using the following
command:
This command lets you specify which subtree each attribute should be unique within, but this
is optional.
If you do not set these subtrees here or in the set unique-attrs-subtree command, attributes
are unique within the local prefix.
3. (Optional) Set the trust flag Trust-DSA-triggered operations in the knowledge of the DSA.
Then, if the search extends to another DSA, this other DSA bypasses access controls when it
performs uniqueness checking.
1. Use Telnet to connect to the DSA that contains the unique attributes.
get user;
The output lists the DSA's configuration, including any unique attributes.
Operational Attributes
Contents
Consider Not Using Operational Attributes (see page 404)
Prevent the Creation and Automatic Updating of Operational Attributes (see page 405)
An operational attribute represents information used to control the operation of the directory (such
as access control information), or used by the directory to represent some aspects of its operation.
If you use the all-extra-attrs or extra-attrs options, search requests include operational attributes in
the reply.
04-May-2016 403/923
CA Directory - 12.0.18
read-req
entry = <c "AU"><o "Democorp">
all-extra-attrs;
The command returns all attributes of the entry, including all operational attributes, for example:
Entry:
<countryName "AU">
<organizationName "Democorp">
Contents:
(objectClass organization)
(organizationName "Democorp")
(telephoneNumber "(03) 9727 8900")
(creatorsName <countryName "AU"> <organizationName "Democorp"> <commonName "DSA
Administrator">
)
(createTimestamp 19980712035245Z)
(modifiersName <countryName "AU"> <organizationName "Democorp">
<organizationalUnitName "Services"> <commonName "John Smith">
)
(modifyTimestamp 19980718062137Z)
(dseType (any)3,2,16)
read-req
entry = <c "AU"><o "Democorp"><ou "Corporate">
extra-attrs = modifyTimestamp;
The command returns attributes and values of the entry, plus the requested operational attributes:
Entry:
<countryname "AU">
<organizationName "Democorp">
<organizationalUnitName "Corporate">
Contents:
(objectClass organizationalUnit)
(organizationalUnitName "Corporate")
(facsimileTelephoneNumber "(03) 9727 9722")
(telephoneNumber "(03) 9727 9942")
(modifyTimestamp 19980718062137Z)
04-May-2016 404/923
CA Directory - 12.0.18
This setting prevents the DSA from automatically creating operational attributes. However,
some operational attributes will be created by the DSA if either DISP or multiwrite DISP
recovery is configured.
This setting prevents the DSA from automatically creating operational attributes. However,
some operational attributes will be created by the DSA if either DISP or multiwrite DISP
recovery is configured.
04-May-2016 405/923
CA Directory - 12.0.18
-b bad-file
Writes duplicate or bad input records to the specified file.
infile
Specifies the file to be sorted.
outfile
Specifies the file to which output is to be written. If you do not use this option, the output is
written to the screen or STDOUT.
For example, you could use the csv2ldif tool to convert a spreadsheet of the names and addresses of
twenty new employees into LDIF, and then use the DXloaddb tool to add twenty new entries into the
directory.
Counting Entries
Contents
Example Count Entries in a Single DSA (see page 406)
Example Count Entries in a Distributed Directory (see page 407)
Example Count Entries at a Single Level in a Single DSA (see page 407)
Example Count the Entries at the Base Level (see page 408)
To count the number of entries in a directory, you can search for all of the entries in the directory,
and then count the number of entries returned.
However, this is not feasible in an automated system or in a system where the search returns large
numbers of entries.
Instead, CA Directory provides a special entry information selector dxEntryCount to provide this
information. This is far more efficient when result sets are large. This selector lets you count the
entries within a single DSA.
CA Directory also provides the entry information selector dxTotalEntryCount, which counts the
entries in a directory that is distributed across more than one DSA.
This is a subtree search, which means that the filter is applied to the base object and all entries in the
tree below the base object.
To count how many entries in the Democorp DSA have a surname starting with the letter C
04-May-2016 406/923
CA Directory - 12.0.18
In this search, computer-name is the computer that contains the Democorp DSA.
This search returns a single entry with a dxEntryCount attribute, which is set to the number of
entries that satisfy the search filter.
o=DEMOCORP,c=AU
dxEntryCount=98
This search result indicates that there are 98 entries with a surname beginning with C in the
Democorp DSA.
This is also a subtree search, which means that the filter is applied to the base object and all entries
in the tree below the base object.
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxTotalEntryCount=1380
This search result indicates that there are 1380 entries in the Democorp DSA.
To count how many top-level department names in the Democorp DSA include the letter C
04-May-2016 407/923
1.
CA Directory - 12.0.18
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxEntryCount=6
This search result indicates that 6 of the top-level department names contain the letter c.
The following example shows how to check whether the organization attribute of the Democorp base
entry includes the letter "c".
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxEntryCount=1
This search result indicates that the organization attribute for the Democorp base object does
include the letter c.
This is a subtree search, which means that the filter is applied to the base object and all entries in the
tree below the base object.
To count how many entries in the Democorp DSA have a surname starting with the letter C
In this search, computer-name is the computer that contains the Democorp DSA.
This search returns a single entry with a dxEntryCount attribute, which is set to the number of
entries that satisfy the search filter.
04-May-2016 408/923
CA Directory - 12.0.18
o=DEMOCORP,c=AU
dxEntryCount=98
This search result indicates that there are 98 entries with a surname beginning with C in the
Democorp DSA.
This is also a subtree search, which means that the filter is applied to the base object and all entries
in the tree below the base object.
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxTotalEntryCount=1380
This search result indicates that there are 1380 entries in the Democorp DSA.
To count how many top-level department names in the Democorp DSA include the letter C
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxEntryCount=6
This search result indicates that 6 of the top-level department names contain the letter c.
04-May-2016 409/923
CA Directory - 12.0.18
The following example shows how to check whether the organization attribute of the Democorp base
entry includes the letter "c".
In this search, computer-name is the computer that contains the Democorp DSA.
o=DEMOCORP,c=AU
dxEntryCount=1
This search result indicates that the organization attribute for the Democorp base object does
include the letter c.
Pattern Matching
Contents
Searching Data Using Approximate Matching (see page 410)
Phonetic Matching (see page 411)
Relaxed Syllable Matching (see page 411)
Word Completion (see page 411)
Benefits of Using Both Phonetic and Pattern Matching (see page 411)
Example Compare CA Directory with Soundex (see page 411)
The pattern matching mode is triggered when a filter contains the asterisk (*) or question mark (?)
wildcards. In this mode, DXserver applies the pattern to find matching entries. For example, the filter,
cn~=T?M J*N, would match Tim Junn, Tom Jamerson, and Tam Jinaran. This is a very precise form of
matching. Use this mode if you want a lot of control over the entries that are returned.
Some other directories implement approximate match (~=) exclusively as Soundex. This can be very
limiting, so DXserver supports a more general approximate matching capability that has two modes --
pattern matching and phonetic matching.
04-May-2016 410/923
CA Directory - 12.0.18
Phonetic Matching
Phonetic matching is the default mode. It is used when a filter contains no wildcards. It uses a
Soundex-style algorithm that looks for similar sounding matches, but also permits more relaxed
syllable matching and word completion.
This is a lenient form of matching. Use this mode if you prefer to get extra results rather than miss
some results.
For example, the filter (sn ~= Stone) matches Stein, Stratton, and Stevenson, because the match
involves st and n.
Word Completion
The word completion mode permits arbitrary suffixes. For example, the filter (cn ~= Pat) matches Pat,
Patrick, Patrice, and Patricia.
This is also useful for searching by initials. For example, the filter (cn ~= a b) matches Anne Buckley,
Andrew Bradley, Andrea Bingham, Andy Brennan, Annette Bolt, and Anna Bromley.
For example, the filter (sn ~= ma*l) finds only surnames that begin with Ma and end in l,
including Maxwell, Marshal, and Mantel.
04-May-2016 411/923
CA Directory - 12.0.18
Some other directories implement approximate match (~=) exclusively as Soundex. This can be very
limiting, so DXserver supports a more general approximate matching capability that has two modes --
pattern matching and phonetic matching.
Phonetic Matching
Phonetic matching is the default mode. It is used when a filter contains no wildcards. It uses a
Soundex-style algorithm that looks for similar sounding matches, but also permits more relaxed
syllable matching and word completion.
This is a lenient form of matching. Use this mode if you prefer to get extra results rather than miss
some results.
For example, the filter (sn ~= Stone) matches Stein, Stratton, and Stevenson, because the match
involves st and n.
Word Completion
The word completion mode permits arbitrary suffixes. For example, the filter (cn ~= Pat) matches Pat,
Patrick, Patrice, and Patricia.
This is also useful for searching by initials. For example, the filter (cn ~= a b) matches Anne Buckley,
Andrew Bradley, Andrea Bingham, Andy Brennan, Annette Bolt, and Anna Bromley.
04-May-2016 412/923
CA Directory - 12.0.18
For example, the filter (sn ~= ma*l) finds only surnames that begin with Ma and end in l,
including Maxwell, Marshal, and Mantel.
Referential Integrity
Contents
Create Referential Integrity Rules (see page 414)
A directory entry has referential integrity if all DNs in the entry are valid, that is, point to other,
existing, entries.
CA Directory provides a way to help enforce referential integrity. You can ensure that when an entry
is deleted, all existing references to that entry are also deleted. This method is called direct
referential integrity, and is equivalent to the cascade delete rule for databases. It helps keep the
directory clear of dangling references, that is, references that point nowhere.
You can also ensure that when an entry is deleted, attributes in other entries that use a common
value (rather than a DN) to identify the deleted entry are also deleted. This is called indirect
referential integrity, and is useful if the directory uses non-DN attribute values to link different
entries.
You enable referential integrity by creating one or more referential integrity rules in a DSA. A
referential integrity rule specifies:
04-May-2016 413/923
CA Directory - 12.0.18
The subtree of entries in which the DSA searches for attributes that have references (direct or
indirect) to the deleted entry
The names of the attributes in which the DSA searches for references (direct or indirect) to the
deleted entry
The referential integrity search begins only after the DSA has deleted the specified entry, so after an
entry is deleted, there is a short time during which an entry containing a dangling reference is
available to a user. Therefore, the CA Directory implementation does not guarantee referential
integrity.
There are no checks for referential integrity when an entry is created or changed.
The DSA searches only those attribute names that are specified in the referential integrity rule,
and furthermore, searches only within the subtree that is specified in the rule, so dangling
references can still exist in other attributes or other subtrees.
Assume a directory contains an entry (for example, Sales) that has a Member attribute, where
Member contains user DNs.
A direct referential integrity rule can ensure that when a user entry is deleted, the DSA automatically
deletes that user's DN from the value of the Member attribute in Sales.
Assume that each user contains an attribute UserID, and also that Sales has a UserID attribute, where
UserID contains userIDs. This is similar to the previous example, with the difference that here, UserID
contains userIDs instead of user DNs.
An indirect referential integrity rule can ensure that when a user entry is deleted, the DSA
automatically deletes that user's ID from the value of the UserID attribute in Sales.
Define all the referential integrity rules in one place in one configuration file.
1. In a configuration file, enter the command to clear referential integrity rules, clear referential-
integrity, followed by one or more instances of the command to create integrity rules, set
referential-integrity, as follows:
clear referential-integrity;
set referential-integrity integrity_rule_name {
...
04-May-2016 414/923
CA Directory - 12.0.18
Define all the referential integrity rules in one place in one configuration file.
1. In a configuration file, enter the command to clear referential integrity rules, clear referential-
integrity, followed by one or more instances of the command to create integrity rules, set
referential-integrity, as follows:
clear referential-integrity;
set referential-integrity integrity_rule_name {
...
}
Manage Bindings
Bindings
When a DSA, an LDAP client, or a DUA successfully binds to a DSA, the resulting relationship is called
a binding. Because each binding corresponds to a user, the term user can be used to mean a binding.
A DSA numbers its bindings when it creates them, starting at zero and incrementing by one.
You should monitor the type, number, and duration of bindings to DSAs. If a DSA's performance is
suffering because it has too many bindings, or because the bindings have too many operations,
consider configuring the DSA to limit the type, number, and duration of bindings.
Monitoring Bindings
Contents
View Bindings (see page 416)
View the Binding Configuration (see page 416)
04-May-2016 415/923
CA Directory - 12.0.18
You can view the information that a DSA keeps about its bindings -- their current state and their
configuration parameters. You can also enable or disable tracing on binding activity.
Monitoring bindings lets you check the health of a DSA, and to diagnose performance issues.
View Bindings
You can view the current bindings information held by a DSA. You may want to do this to check the
performance of a DSA.
To view bindings
get users;
To view the binding configuration issue the following command from the DSA console:
get user;
To view the DSP configuration, issue the following command from the DSA console:
get dsp;
To view outgoing bindings, issue the following command from the DSA console:
get online-dsas;
04-May-2016 416/923
CA Directory - 12.0.18
3. Use the following command to determine the number of the binding that you want to trace:
get users;
5. When you are finished, use the following command to stop tracing the binding:
This example shows you how to show the error messages that are produced from an binding.
get users;
View Bindings
You can view the current bindings information held by a DSA. You may want to do this to check the
performance of a DSA.
To view bindings
04-May-2016 417/923
2. CA Directory - 12.0.18
get users;
To view the binding configuration issue the following command from the DSA console:
get user;
To view the DSP configuration, issue the following command from the DSA console:
get dsp;
To view outgoing bindings, issue the following command from the DSA console:
get online-dsas;
3. Use the following command to determine the number of the binding that you want to trace:
get users;
5. When you are finished, use the following command to stop tracing the binding:
04-May-2016 418/923
5. CA Directory - 12.0.18
This example shows you how to show the error messages that are produced from an binding.
get users;
Closing Bindings
Contents
Abort All Bindings (see page 419)
Abort One Binding (see page 420)
Close Outgoing Bindings (see page 420)
Disable New Bindings (see page 420)
You can close a binding by closing the TCP link to a DSA. You can also explicitly close bindings by using
the abort command.
You can also close outgoing bindings from a DSA to one or all other DSAs by using the unbind
command.
Whichever of these methods is used, the DSA closes the binding immediately, discarding any current
operations on the binding.
1. Use Telnet to connect to the DSA on which you want to abort all bindings.
abort all-users;
04-May-2016 419/923
CA Directory - 12.0.18
1. Use Telnet to connect to the DSA on which you want to abort the binding.
get users;
number
Specifies the binding that you want to abort.
1. Use Telnet to connect to the DSA on which you want to abort the bindings.
2. (Optional) On a DSA console, find the number of remote DSAs by using the following
command:
get dsas;
dsa-num
Specifies the remote DSA. The command aborts all outgoing bindings from the local DSA
to the DSA that is specified by dsa-num.
1. Use Telnet to connect to the DSA for which you want to prevent additional bindings.
04-May-2016 420/923
CA Directory - 12.0.18
2.
set allow-binds=false;
Note: If a user tries to bind to the DSA after you have issued this command, it refuses and
returns an error message.
3. (Optional). You can re-enable new bindings with the following command:
set allow-binds=true;
1. Use Telnet to connect to the DSA on which you want to abort all bindings.
abort all-users;
1. Use Telnet to connect to the DSA on which you want to abort the binding.
get users;
number
Specifies the binding that you want to abort.
1. Use Telnet to connect to the DSA on which you want to abort the bindings.
2.
04-May-2016 421/923
CA Directory - 12.0.18
2. (Optional) On a DSA console, find the number of remote DSAs by using the following
command:
get dsas;
dsa-num
Specifies the remote DSA. The command aborts all outgoing bindings from the local DSA
to the DSA that is specified by dsa-num.
1. Use Telnet to connect to the DSA for which you want to prevent additional bindings.
set allow-binds=false;
Note: If a user tries to bind to the DSA after you have issued this command, it refuses and
returns an error message.
3. (Optional). You can re-enable new bindings with the following command:
set allow-binds=true;
To ensure the good performance of a DSA you should set limits on the bindings.
If a DSA receives a request for a new binding when it has already reached the maximum number of
04-May-2016 422/923
CA Directory - 12.0.18
If a DSA receives a request for a new binding when it has already reached the maximum number of
bindings, then it looks for a binding that it can abort to make room for the new request. It aborts an
existing binding if the binding has reached its maximum bind time or its maximum guaranteed idle
time. If there are no such bindings then the DSA rejects the request for a new binding.
max-bindings
Defines the maximum number of concurrent bindings.
The following command removes any DSA limit to the number of bindings. However, the operating
system sets an upper limit to the number of bindings per DSA, which is based on the maximum
number of file descriptors per process.
set max-users = 0;
You can also limit the total number of concurrent operations for a DSA. To do that, see Limit the
Number of Concurrent Operations.
To limit the number of operations per binding, use the following command from a DSA console:
max-operations
Specifies the maximum number of concurrent operations the DSA allows for each binding.
You can set the maximum DSP idle time in the following places:
Backbone
If you set the value here then it applies as a default value for the whole directory backbone.
04-May-2016 423/923
CA Directory - 12.0.18
3. Click the Maps tab, and then choose the place you want to set the maximum DSP idle time.
To set the value for a namespace partition, display the Namespace map.
4. Right-click on the item that you want to change, and then select Edit properties.
5. Find the maximum DSP idle time setting (in the bindings area), and then enter the value.
6. Click OK or Finish.
To set the maximum guaranteed idle time, issue the following command from a DSA console:
num-secs
Defines the number of seconds that a binding can be idle without risking being closed.
To set the maximum binding time, use the following command from a DSA console:
num-secs
Defines the maximum duration for any binding in seconds.
Note: If num-secs is zero, the DSA does not set any maximum binding time.
04-May-2016 424/923
CA Directory - 12.0.18
To let CA SiteMinder process authentications asynchronously, the DSA must do both of the following:
If a DSA receives a request for a new binding when it has already reached the maximum number of
bindings, then it looks for a binding that it can abort to make room for the new request. It aborts an
existing binding if the binding has reached its maximum bind time or its maximum guaranteed idle
time. If there are no such bindings then the DSA rejects the request for a new binding.
max-bindings
Defines the maximum number of concurrent bindings.
The following command removes any DSA limit to the number of bindings. However, the operating
system sets an upper limit to the number of bindings per DSA, which is based on the maximum
number of file descriptors per process.
set max-users = 0;
You can also limit the total number of concurrent operations for a DSA. To do that, see Limit the
Number of Concurrent Operations.
To limit the number of operations per binding, use the following command from a DSA console:
04-May-2016 425/923
CA Directory - 12.0.18
To limit the number of operations per binding, use the following command from a DSA console:
max-operations
Specifies the maximum number of concurrent operations the DSA allows for each binding.
You can set the maximum DSP idle time in the following places:
Backbone
If you set the value here then it applies as a default value for the whole directory backbone.
3. Click the Maps tab, and then choose the place you want to set the maximum DSP idle time.
To set the value for a namespace partition, display the Namespace map.
4. Right-click on the item that you want to change, and then select Edit properties.
5. Find the maximum DSP idle time setting (in the bindings area), and then enter the value.
6. Click OK or Finish.
To set the maximum guaranteed idle time, issue the following command from a DSA console:
num-secs
Defines the number of seconds that a binding can be idle without risking being closed.
04-May-2016 426/923
CA Directory - 12.0.18
To set the maximum binding time, use the following command from a DSA console:
num-secs
Defines the maximum duration for any binding in seconds.
Note: If num-secs is zero, the DSA does not set any maximum binding time.
To let CA SiteMinder process authentications asynchronously, the DSA must do both of the following:
Manage Operations
Types of Operations
Contents
Searches Are Faster Than Updates (see page 428)
Simple and Complex Searches (see page 428)
CA Directory is an X.500 directory that also uses LDAP. This means that CA Directory can deal with
any LDAP or X.500 query which is also called a query.
04-May-2016 427/923
CA Directory - 12.0.18
The following table lists the types of searches that are complex:
04-May-2016 428/923
CA Directory - 12.0.18
The following table lists the types of searches that are complex:
04-May-2016 429/923
CA Directory - 12.0.18
CA Directory enforces limits on the number of queries that the DSA concurrently processes. Use the
set user-threads command to specify the number of concurrent user threads per DSA. The
performance of a user thread does not vary significantly for different types of query.
Abandon an Operation
The result returned by an abandoned operation depends on how far the operation progressed before
being abandoned. The display shows either partial results (with the partial outcome qualifier set to
the appropriate problem) or the following error message:
To abandon an operation
1. Use Telnet to connect to the DSA whose operation you want to abandon.
get users;
3. Identify the binding number of the operation that you want to abandon.
Limit Operations
Contents
Methods for Setting Operation Limits (see page 431)
How the Methods for Setting Limits Interact (see page 432)
DSA-Based Limits (see page 433)
Limit the Time for Operations (see page 433)
Limit the Number of Entries Returned (see page 433)
Role-Based Limits (see page 434)
How Role-Based Limits Work (see page 434)
Apply Operational Limits to a Role (see page 434)
Example Add Limits to an Existing Role (see page 435)
Operational Limits (see page 436)
Example Send a Limited Search to a DSA with Limits in Its Configuration (see page 436)
04-May-2016 430/923
CA Directory - 12.0.18
Size
Limits the number of entries that the operation can return.
You can set a size limit on any search or list operation.
Time
Limits the time that the operation can run.
You can set a time limit on any inquire operation (search, compare, read, list, and abandon).
If an operation reaches one of these limits, the operation is not abandoned. Instead, the following
happens:
04-May-2016 431/923
CA Directory - 12.0.18
An operational limit that is less restrictive than a DSA-based limit takes precedence over that DSA-
based limit.
An operational limit that is less restrictive than a role-based limit takes precedence over that role-
based limit.
If the user has a role and limits defined in the operation are larger than the limits configured for
the role, then the role's limits are enforced.
The example directory system shown in the diagram below has limits set in three places:
Example showing a system that has limits set on a role, in operations, and on the DSA
The following table shows the actual limits that apply for each operation run by this user:
Operation Limits
Operation 1 Time: 20 sec
Size: 150 entries
Operation 2 Time: 20 sec
Size: 100 entries
Operation 3 Time: 5 sec
Size: 150 entries
If another user, who is not a member of any roles, runs these operations, the following limits apply:
04-May-2016 432/923
CA Directory - 12.0.18
Operation Limits
Operation 1 Time: 10 sec
Size: 200 entries
Operation 2 Time: 10 sec
Size: 100 entries
Operation 3 Time: 5 sec
Size: 200 entries
DSA-Based Limits
You can limit the time and size of queries for an entire DSA.
If you also set limits for a request or a role, the largest setting applies.
3. Save the file, and then stop and start the DSA.
3. Save the file, and then stop and start the DSA.
04-May-2016 433/923
CA Directory - 12.0.18
Role-Based Limits
If roles are set up, you can apply operational limits to a role. All members of that role inherit the
limits you have set. This works for both static and dynamic roles.
Role-based limits are applied to each connection, which means that any changes to these limits do
not take effect until the users reconnect.
Because role-based configuration is set using attributes, you do not need to restart the DSA for the
change to take effect.
2. During the bind, the DSA checks whether the user is a member of a role.
3. If the user is a member of a role that has limits, these limits are stored against the active
connection.
If a user has multiple roles, each with limits, then the largest values are used.
If no role-based limits apply to a user, then the limits in the DSA apply.
Add the attribute dxSizeLimit to the role entry and change the value to the maximum
number of entries that can be returned by a search.
Add the attribute dxTimeLimit to the role entry and change the value to the time (in
seconds) before the operation is canceled.
04-May-2016 434/923
CA Directory - 12.0.18
This example assumes that the dynamic role Engineer is already set up.
4. Scroll down the Available list to find the dxRoleBasedConfig object class.
5. Select this class and then use the arrow to add it to the entry.
7. Display the attributes without values by clicking the arrow beside List of attributes without
values, as shown in the following screenshot:
Screenshot of JXweb, showing how to display the attributes that have no values
Click the Edit icon next to the dxSizeLimit attribute, enter the number of entries, and
then click Modify.
Click the Edit icon next to the dxTimeLimit attribute, enter a time in seconds, and then
click Modify.
04-May-2016 435/923
CA Directory - 12.0.18
Operational Limits
When you submit a search or list request to the directory, you can specify a maximum time limit and
maximum number of entries to be returned.
If the limits defined in the operation are larger than the limits configured in the DSA, then the DSA's
limits are enforced.
If the user has a role and limits defined in the operation are larger than the limits configured for the
role, then the role's limits are enforced.
You want to search this DSA for all entries below a base DN that have the sn attribute populated. You
want to limit the search to 1000 seconds and a maximum of 10,000 entries to be returned.
1. Use the DXsearch tool to submit the following request to the DSA, specifying size and time
limits:
If you try this yourself, ensure that you replace the values for the -b, -h, and -p options.
3. When 100 entries have been found, the DSA stops the operations, and returns the following
error to the LDAP client application:
04-May-2016 436/923
CA Directory - 12.0.18
An operational limit that is less restrictive than a DSA-based limit takes precedence over that DSA-
based limit.
An operational limit that is less restrictive than a role-based limit takes precedence over that role-
based limit.
If the user has a role and limits defined in the operation are larger than the limits configured for
the role, then the role's limits are enforced.
The example directory system shown in the diagram below has limits set in three places:
04-May-2016 437/923
CA Directory - 12.0.18
Example showing a system that has limits set on a role, in operations, and on the DSA
The following table shows the actual limits that apply for each operation run by this user:
Operation Limits
Operation 1 Time: 20 sec
Size: 150 entries
Operation 2 Time: 20 sec
Size: 100 entries
Operation 3 Time: 5 sec
Size: 150 entries
If another user, who is not a member of any roles, runs these operations, the following limits apply:
Operation Limits
Operation 1 Time: 10 sec
Size: 200 entries
Operation 2 Time: 10 sec
Size: 100 entries
Operation 3 Time: 5 sec
Size: 200 entries
DSA-Based Limits
Contents
Limit the Time for Operations (see page 438)
Limit the Number of Entries Returned (see page 439)
You can limit the time and size of queries for an entire DSA.
If you also set limits for a request or a role, the largest setting applies.
04-May-2016 438/923
CA Directory - 12.0.18
3. Save the file, and then stop and start the DSA.
3. Save the file, and then stop and start the DSA.
Role-Based Limits
Contents
How Role-Based Limits Work (see page 439)
Apply Operational Limits to a Role (see page 440)
Example Add Limits to an Existing Role (see page 440)
If roles are set up, you can apply operational limits to a role. All members of that role inherit the
limits you have set. This works for both static and dynamic roles.
Role-based limits are applied to each connection, which means that any changes to these limits do
not take effect until the users reconnect.
Because role-based configuration is set using attributes, you do not need to restart the DSA for the
change to take effect.
2. During the bind, the DSA checks whether the user is a member of a role.
3.
04-May-2016 439/923
CA Directory - 12.0.18
3. If the user is a member of a role that has limits, these limits are stored against the active
connection.
If a user has multiple roles, each with limits, then the largest values are used.
If no role-based limits apply to a user, then the limits in the DSA apply.
Add the attribute dxSizeLimit to the role entry and change the value to the maximum
number of entries that can be returned by a search.
Add the attribute dxTimeLimit to the role entry and change the value to the time (in
seconds) before the operation is canceled.
This example assumes that the dynamic role Engineer is already set up.
4. Scroll down the Available list to find the dxRoleBasedConfig object class.
5. Select this class and then use the arrow to add it to the entry.
6.
04-May-2016 440/923
CA Directory - 12.0.18
7. Display the attributes without values by clicking the arrow beside List of attributes without
values, as shown in the following screenshot:
Screenshot of JXweb, showing how to display the attributes that have no values
Click the Edit icon next to the dxSizeLimit attribute, enter the number of entries, and
then click Modify.
Click the Edit icon next to the dxTimeLimit attribute, enter a time in seconds, and then
click Modify.
Operational Limits
Contents
Example Send a Limited Search to a DSA with Limits in Its Configuration (see page 441)
When you submit a search or list request to the directory, you can specify a maximum time limit and
maximum number of entries to be returned.
If the limits defined in the operation are larger than the limits configured in the DSA, then the DSA's
limits are enforced.
If the user has a role and limits defined in the operation are larger than the limits configured for the
role, then the role's limits are enforced.
04-May-2016 441/923
CA Directory - 12.0.18
You want to search this DSA for all entries below a base DN that have the sn attribute populated. You
want to limit the search to 1000 seconds and a maximum of 10,000 entries to be returned.
1. Use the DXsearch tool to submit the following request to the DSA, specifying size and time
limits:
If you try this yourself, ensure that you replace the values for the -b, -h, and -p options.
3. When 100 entries have been found, the DSA stops the operations, and returns the following
error to the LDAP client application:
Search Profiles
Contents
Using Search Profiles (see page 443)
Create Search Profiles (see page 443)
Assign a Search Profile to a Role (see page 444)
Create a Default Search Profile (see page 444)
Example Restrict Searches for All Users Except Administrators (see page 444)
Search profiles give an administrator a way to restrict the searches that specified users can perform.
This is useful, for example, if you want to ensure that some users do not perform potentially
performance-affecting searches.
A search profile specifies a category of searches. It defines the category in terms of the scope and the
filter of the search. For more information on how to specify a search profile, see the set allow-search
command.
When a user requests a search, the DSA checks the search request against the user's search profiles
and only accepts the request if the search matches one of the profiles.
A simple example is a search profile that only allows searches that have a base-object scope and an
equality match filter. If a user is restricted to such a search profile, then neither of the following LDAP
searches would be allowed:
04-May-2016 442/923
CA Directory - 12.0.18
You can specify a search profile that allows any search. If this profile is assigned to a role, then any
user with that role can perform any search, even if the user's other roles have more restricted search
profiles. This is useful if you want to create a group of unrestricted users, while still restricting the
searches of users who are not in the group.
If you make a search profile the default profile, then it applies to all users who do not have a role
with a search profile.
If you assign the search profile to a role, then when a user is assigned to that role, the user is
restricted to searches allowed by that profile. If a user is assigned to multiple roles, and so has
multiple search profiles, then that user can perform a search if any of the search profiles allows the
search.
Each role can have at most one search profile. If a role does not specify a search profile, then the role
plays no part in allowing or restricting searches by search profiles.
If a user request has been allowed after being tested against a search profile, then the DSA ignores
the DXmanager configuration items for limit list and limit search when processing that request.
Define all the search profiles in one place in one configuration file.
1. In a configuration file, enter the command to clear search profiles, clear allow-search,
followed by one or more instances of the command to create search profiles, set allow-
search, as follows:
clear allow-search;
set allow-search profile_name ={
...
04-May-2016 443/923
CA Directory - 12.0.18
If a role has the attribute dxAllowSearch and the attribute value equals a defined search profile name,
and then any user in that role is now restricted to the searches allowed in the search profile.
2. Add the attribute dxAllowSearch to the role, and for the attribute value give a search profile
name.
Any user assigned to that role is now restricted to searches allowed by that search profile
unless the search is allowed by another search profile that also applies to that user.
2. Make the search profile the default one by using the set allow-search-default command.
clear allow-search;
set allow-search userDefault = {
(scope = read),
(scope = browse filter = none),
(scope = subtree filter = and, or, equality)
};
set allow-search-default = userDefault;
Note: To browse using an LDAP browser (for example JXplorer), set the filter scope
04-May-2016 444/923
CA Directory - 12.0.18
Note: To browse using an LDAP browser (for example JXplorer), set the filter scope
to none.
Note: When you update the role-based configuration, users must rebind for the
updated search profile to apply to subsequent search operations.
dn: cn=Administrators,ou=groups,o=CA,c=AU
objectClass: groupOfNames
objectClass: dxRoleBasedConfig
member: cn=John Smith,ou=users,c=CA,c=AU
dxAllowSearch: admin
If you make a search profile the default profile, then it applies to all users who do not have a role
with a search profile.
If you assign the search profile to a role, then when a user is assigned to that role, the user is
restricted to searches allowed by that profile. If a user is assigned to multiple roles, and so has
multiple search profiles, then that user can perform a search if any of the search profiles allows the
search.
Each role can have at most one search profile. If a role does not specify a search profile, then the role
plays no part in allowing or restricting searches by search profiles.
04-May-2016 445/923
CA Directory - 12.0.18
If a user request has been allowed after being tested against a search profile, then the DSA ignores
the DXmanager configuration items for limit list and limit search when processing that request.
Define all the search profiles in one place in one configuration file.
1. In a configuration file, enter the command to clear search profiles, clear allow-search,
followed by one or more instances of the command to create search profiles, set allow-
search, as follows:
clear allow-search;
set allow-search profile_name ={
...
If a role has the attribute dxAllowSearch and the attribute value equals a defined search profile name,
and then any user in that role is now restricted to the searches allowed in the search profile.
2. Add the attribute dxAllowSearch to the role, and for the attribute value give a search profile
name.
Any user assigned to that role is now restricted to searches allowed by that search profile
unless the search is allowed by another search profile that also applies to that user.
2. Make the search profile the default one by using the set allow-search-default command.
04-May-2016 446/923
CA Directory - 12.0.18
clear allow-search;
set allow-search userDefault = {
(scope = read),
(scope = browse filter = none),
(scope = subtree filter = and, or, equality)
};
set allow-search-default = userDefault;
Note: To browse using an LDAP browser (for example JXplorer), set the filter scope
to none.
Note: When you update the role-based configuration, users must rebind for the
updated search profile to apply to subsequent search operations.
04-May-2016 447/923
4.
CA Directory - 12.0.18
dn: cn=Administrators,ou=groups,o=CA,c=AU
objectClass: groupOfNames
objectClass: dxRoleBasedConfig
member: cn=John Smith,ou=users,c=CA,c=AU
dxAllowSearch: admin
Reject Operations
Contents
Shadow DSAs (see page 448)
Make a Namespace Read-only (see page 448)
Reject Some Types of Requests (see page 449)
How the Limit Search Setting Works (see page 449)
Update requests
List requests
Shadow DSAs
A router does not direct update requests to DSAs that are marked Read-only or Shadow.
The Read-only setting prevents all updates to the directory data, including DISP and multiwrite
updates.
The Shadow setting prevents all updates to the directory data, except through DISP or multiwrite.
Clients can query, but cannot update, the DSA using DAP or LDAP.
4. Right-click the namespace partition that you want to make read-only, and then select Edit
properties.
5. In the Namespace partition area, select the Read only check box, and then click OK.
04-May-2016 448/923
CA Directory - 12.0.18
5. In the Namespace partition area, select the Read only check box, and then click OK.
The configuration for this namespace partition has been updated.
6. To apply the changes to the DSAs that serve this namespace partition, deploy the new
configuration.
List requests
This is useful if the DIT has a very flat structure and there are thousands of entries under one
node. In this case, the list operation is not useful.
4. Navigate to the DSA that you want to change, right-click on it, and then select Edit properties.
5. In the Performance area, select the types of request that the DSA should not accept, and then
click OK.
The configuration for this namespace partition has been updated.
6. To apply the changes to the DSAs that serve this namespace partition, deploy the new
configuration.
Note: If you want to prevent different types of requests depending on the user sending the
request, use search profiles. Search profiles let you allow or disallow different requests for
different users. For more information, see Search Profiles (see page 442).
Because the configuration is shared, any DSA that needs to route a query to another DSA can first
check whether that query would be rejected.
The following diagram shows how the configuration for a Limit Search DSA works:
04-May-2016 449/923
CA Directory - 12.0.18
1. The router DSA receives a complex search request from a client application. The router DSA
cannot fulfill the search request, but it knows that the Customer's DSA can.
2. The router DSA checks the configuration for the Customer's DSA to see whether there are any
conditions for searching the Customer's DSA. The Limit Search item indicates that the
Customer's DSA rejects any complex searches.
Shadow DSAs
A router does not direct update requests to DSAs that are marked Read-only or Shadow.
The Read-only setting prevents all updates to the directory data, including DISP and multiwrite
updates.
The Shadow setting prevents all updates to the directory data, except through DISP or multiwrite.
Clients can query, but cannot update, the DSA using DAP or LDAP.
4. Right-click the namespace partition that you want to make read-only, and then select Edit
properties.
5. In the Namespace partition area, select the Read only check box, and then click OK.
The configuration for this namespace partition has been updated.
6.
04-May-2016 450/923
CA Directory - 12.0.18
6. To apply the changes to the DSAs that serve this namespace partition, deploy the new
configuration.
List requests
This is useful if the DIT has a very flat structure and there are thousands of entries under one
node. In this case, the list operation is not useful.
4. Navigate to the DSA that you want to change, right-click on it, and then select Edit properties.
5. In the Performance area, select the types of request that the DSA should not accept, and then
click OK.
The configuration for this namespace partition has been updated.
6. To apply the changes to the DSAs that serve this namespace partition, deploy the new
configuration.
Note: If you want to prevent different types of requests depending on the user sending the
request, use search profiles. Search profiles let you allow or disallow different requests for
different users. For more information, see Search Profiles (see page 442).
Because the configuration is shared, any DSA that needs to route a query to another DSA can first
check whether that query would be rejected.
The following diagram shows how the configuration for a Limit Search DSA works:
04-May-2016 451/923
CA Directory - 12.0.18
1. The router DSA receives a complex search request from a client application. The router DSA
cannot fulfill the search request, but it knows that the Customer's DSA can.
2. The router DSA checks the configuration for the Customer's DSA to see whether there are any
conditions for searching the Customer's DSA. The Limit Search item indicates that the
Customer's DSA rejects any complex searches.
You can use CA Directory to manage these user accounts, including locking and unlocking user
accounts, setting up password quality rules, and assigning account suspension rules.
You can also create groups and roles in the directory. While roles are usually only useful for managing
user entries, you can use groups to manage other kinds of entries as well.
Active
The user can log in.
Expired
The user cannot log in because they have not changed their password recently.
Suspended
The user cannot log in because they have tried to log in with invalid credentials too many times,
or they have not logged in recently.
Locked
The user cannot log in because an administrator has locked the account.
04-May-2016 452/923
CA Directory - 12.0.18
Password Policies
A policy is a set of rules that defines behavior.
You can use CA Directory to set up password policies to manage your user accounts. A password
policy applies to the userPassword attribute, which contains the password that users enter when
binding to a DSA using simple authentication.
Authentication
Password strength
In previous releases, you could define only one password policy for each DSA. From CA Directory r12
SP12, you can apply many password policies to each DSA (see page 457).
You can define password policies in the directory and in an application. However, we recommend
that you do not set up a password policy within CA Directory if another application also handles
password policies.
04-May-2016 453/923
CA Directory - 12.0.18
1. To design the password policy, the directory designer follows these steps:
b. Convert the written policy into commands for each DSA (see page 455).
2. To test the password policy, the directory administrator does the following steps:
a. Set up a test directory that contains some typical user account entries.
b. Create the password rules to implement the policy (see page 456).
3. When the administrator is sure that the password policy works correctly, repeat the previous
steps to implement the policy in the enterprise directory:
a. Create the password rules to implement the policy (see page 456).
04-May-2016 454/923
3.
CA Directory - 12.0.18
a. Create the password rules to implement the policy (see page 456).
Before you start setting up password rules, plan your global password policy:
2. Convert the written policy into commands for each DSA (see page 455).
3. (Optional) Create multiple password policies for each DSA (see page 457).
We recommend that you use the following principles while you are developing your password policy:
Keep it simple
Each policy rule is actually a command that you should include in a .dxc file in the DXHOME/config
/settings folder.
Use the information in Create a Password Policy (see page 456) to learn about these commands.
04-May-2016 455/923
CA Directory - 12.0.18
We recommend that you use the following principles while you are developing your password policy:
Keep it simple
Each policy rule is actually a command that you should include in a .dxc file in the DXHOME/config
/settings folder.
Use the information in Create a Password Policy (see page 456) to learn about these commands.
04-May-2016 456/923
CA Directory - 12.0.18
After you have planned your password policy, you need to configure the appropriate settings.
Each policy rule is actually a command that you should include in a .dxc file in the DXHOME/config
/settings folder.
From CA Directory r12 SP12 onwards, you can apply multiple password policies to each DSA. You can
then assign a particular password policy to a user.
The set target-password-policy command defines a password policy. All password commands after
this command apply to that policy.
If you do not use set target-password-policy command, the DSA has a single password policy named
Default.
04-May-2016 457/923
CA Directory - 12.0.18
Any password commands before this setting apply to the Default policy.
Any password commands after this setting apply to the named policy. The named policy
inherits settings from the Default policy.
2. (Optional) Create more password policies by adding more instances of the set target-
password-policy command with a unique policy name.
3. To apply a password policy, add the dxPwdPolicy attribute containing the password policy-
name to the user's entry.
Users without a dxPwdPolicy attribute have the Default policy. Users whose dxPwdPolicy
attribute value does not match any defined policy also have the Default policy.
set password-force-change
set password-allow-locking
set password-allow-ignore-expired
set password-allow-ignore-suspended
If you have set rules about password quality, these rules are applied when users try to change their
own passwords. If the new password does not pass the tests, the users have to try again with another
new password.
When an administrator changes a password for a user, the password policy rules are not usually
applied. The rules are applied the next time that the user changes his or her password. However, you
can force the password quality rules to be applied all of the time, even when an administrator resets
a user's password. For more information, see Force Users to Change Passwords after Reactivation
(see page 486).
04-May-2016 458/923
CA Directory - 12.0.18
To set the minimum number of particular types or characters, use one or more of these commands:
In this example, you want to force users to create passwords that include the following characters:
abcd12#
This password contains no uppercase characters.
ABCD!@#$
This password contains no lowercase characters and no numeric characters.
Abcd12#
ABCd1234!@#$
04-May-2016 459/923
CA Directory - 12.0.18
This lets you set the number of times a character can be repeated within a password.
You have set up the following password policy in the Democorp DSA:
helllo
lillly
hello
llily
1. Set the minimum length of the substring that you want to check for, using the following
command:
Set the number of times a substring can be repeated, using the following command:
04-May-2016 460/923
CA Directory - 12.0.18
moomoo
mooomooo
momo
mooomouu
The password cannot be a substring of the user's name and the user's name cannot be a substring of
the password.
You have set up the following password policy in the Democorp DSA:
04-May-2016 461/923
CA Directory - 12.0.18
The user with the DN <c AU><o DEMOCORP><ou Corporate><ou Administration><cn "Craig LINK">
has the name Craig LINK.
craig
link
clink
23craig4
This lists the attributes that contain details about the user that you do not want to be used in new
passwords. The password cannot be a substring of the substring attrs and the substring attrs cannot
be a substring of the password.
The user's details are taken from the values of the attributes in their own entry.
We recommend that you include only attributes that have string syntaxes. Values of other syntaxes
may not be picked up by the password substring check.
You have set up the following password policy in the Democorp DSA:
The entry for Craig Link includes the following attributes and values:
Attribute Value
cn Craig LINK
description Railways
title Communications Engineer
Craig Link cannot create the following passwords because they are substrings of the title attribute
value:
engineer
Communications Eng
04-May-2016 462/923
CA Directory - 12.0.18
railways
This is acceptable because the description attribute is not listed in the set password-substring-attr
command.
CommunicationsEngineer
The space is missing, so this is not a substring of Communications Engineer.
An account expires when the password has not been modified for the configured period.
If the number of grace logins is exceeded, the account behaves as if it were expired.
The number of grace logins remaining is sent back to the binding client in the presence of the
password policy request control.
If you use this command with an LDAP client that is aware of the Behera password policy request
control, the client is informed of the number of logins remaining. Otherwise, the command works,
but the client is not notified of the number of logins remaining.
Note: To check which user passwords are set to never expire, search for all user accounts
with the attribute dxPwdIgnoreExpired = true.
04-May-2016 463/923
CA Directory - 12.0.18
To set the number of days for which a password is valid, use the following command:
You want to make users who work with sensitive information change their passwords before they are
four days old.
To set the minimum life span of passwords, use the following command:
You want to make users change their passwords at least every two weeks, and you want to prevent
users from reusing any of their last 20 passwords.
However, you also want to prevent them from changing their password more than once a day to
"flush" their password history.
To include LDAP response controls about password expiry to bind and compare responses, use the
following command:
04-May-2016 464/923
CA Directory - 12.0.18
To set the number of days for which warnings about the password expiring are added to bind and
compare responses, use the following command:
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
During normal operation these commands cause bind and compare responses from a DSA to append
a LDAP control containing the number of seconds before an account expires.
During the warning period, the password expiry notification control is appended to bind and compare
responses.
If you use this command, each user must log in successfully at least as frequently as you set. If this
does not occur, the account is suspended.
To set the number of days a password remains valid if it is not used, use the following command:
In this example, you want to users to log in at least once every 60 days, and to change their password
at least every 90 days.
In this example, you want to allow people to keep using the same password, as long as they log in at
least every 10 days.
04-May-2016 465/923
CA Directory - 12.0.18
To make passwords valid indefinitely except when they are not used for 10 days, use these
commands:
You do not need to use the set password-age option because you are using its default value of 0 (off).
If you do not set this command, the default value of three retries is used.
In this example, you want to allow users only two unsuccessful login attempts before suspending
their account.
The following happens when a user tries to log in with an incorrect password:
Set the Time after Which Users Can Attempt to Log In Again
If you use the set password-retries command to define how many times a user can attempt to log in
before their account is suspended, you can also set a time after which the user can try again.
This means that after the period you set, the suspended account becomes active again.
If you do not use this option, an administrator must reset the user's password to unlock the account.
To let users try to log in again after a certain amount of time has passed, use the following command:
Example: Allow Users 5 Login Attempts, and a Delay of 30 Minutes before Trying Again
In this example, you want to allow users five unsuccessful login attempts before suspending their
account. You then want to let the user try again after half an hour.
04-May-2016 466/923
CA Directory - 12.0.18
The following happens when a user tries to log in with an incorrect password:
3. After 30 minutes, Craig Link's account is active again, and he can try to log in again.
You can use this to protect critical accounts that need to be immune to password lockout attacks.
Note: To check which user passwords are set to never expire, search for all user accounts
with the attribute dxPwdIgnoreSuspended = true.
Passwords can be reused. You do not want to keep a history of old passwords.
A password must be at least eight characters long with at least one numeral.
04-May-2016 467/923
CA Directory - 12.0.18
If a user's password is ever reset, you want the user to change the password immediately after
the first login.
If a password is not used for sixty days, you want the account to be suspended.
Passwords must contain at least seven characters, at least three of which must be alphabetical,
and at least three of which must be numeric.
Passwords must be at least one day old before they are changed, to prevent users from changing
their password many times to fill up the password history.
After a password has expired, users may still log in twice, to give them a chance to change the
password.
After three incorrect attempts at logging in, the account is suspended for 30 minutes, after which
the user may try to log in again.
The Default policy contains settings that are common to both policies. However some of these are
overridden.
04-May-2016 468/923
CA Directory - 12.0.18
overridden.
Administrator passwords must contain at least two numbers and at least one uppercase letter.
After creating the password policies, assign the policies to the relevant users:
dn: cn=admin,ou=Administrators,c=au
objectClass: inetOrgperson
dxPwdPolicy: Admin
From CA Directory r12 SP12 onwards, you can apply multiple password policies to each DSA. You can
04-May-2016 469/923
CA Directory - 12.0.18
From CA Directory r12 SP12 onwards, you can apply multiple password policies to each DSA. You can
then assign a particular password policy to a user.
The set target-password-policy command defines a password policy. All password commands after
this command apply to that policy.
If you do not use set target-password-policy command, the DSA has a single password policy named
Default.
Any password commands before this setting apply to the Default policy.
Any password commands after this setting apply to the named policy. The named policy
inherits settings from the Default policy.
2. (Optional) Create more password policies by adding more instances of the set target-
password-policy command with a unique policy name.
3. To apply a password policy, add the dxPwdPolicy attribute containing the password policy-
name to the user's entry.
Users without a dxPwdPolicy attribute have the Default policy. Users whose dxPwdPolicy
attribute value does not match any defined policy also have the Default policy.
set password-force-change
set password-allow-locking
set password-allow-ignore-expired
set password-allow-ignore-suspended
You can set up rules to ensure that users choose only strong passwords.
04-May-2016 470/923
CA Directory - 12.0.18
If you have set rules about password quality, these rules are applied when users try to change their
own passwords. If the new password does not pass the tests, the users have to try again with another
new password.
Note: When applying password policy rules, the DSA treats UTF-8 (multi-byte) characters
as a single character.
When an administrator changes a password for a user, the password policy rules are not usually
applied. The rules are applied the next time that the user changes his or her password. However, you
can force the password quality rules to be applied all of the time, even when an administrator resets
a user's password. For more information, see Force Users to Change Passwords after Reactivation
(see page 489).
To set the minimum number of particular types or characters, use one or more of these commands:
In this example, you want to force users to create passwords that include the following characters:
04-May-2016 471/923
CA Directory - 12.0.18
abcd12#
This password contains no uppercase characters.
ABCD!@#$
This password contains no lowercase characters and no numeric characters.
Abcd12#
ABCd1234!@#$
This lets you set the number of times a character can be repeated within a password.
You have set up the following password policy in the Democorp DSA:
helllo
lillly
04-May-2016 472/923
CA Directory - 12.0.18
hello
llily
1. Set the minimum length of the substring that you want to check for, using the following
command:
Set the number of times a substring can be repeated, using the following command:
moomoo
mooomooo
04-May-2016 473/923
CA Directory - 12.0.18
momo
mooomouu
The password cannot be a substring of the user's name and the user's name cannot be a substring of
the password.
You have set up the following password policy in the Democorp DSA:
The user with the DN <c AU><o DEMOCORP><ou Corporate><ou Administration><cn "Craig LINK">
has the name Craig LINK.
craig
link
clink
23craig4
04-May-2016 474/923
CA Directory - 12.0.18
This lists the attributes that contain details about the user that you do not want to be used in new
passwords. The password cannot be a substring of the substring attrs and the substring attrs cannot
be a substring of the password.
The user's details are taken from the values of the attributes in their own entry.
We recommend that you include only attributes that have string syntaxes. Values of other syntaxes
may not be picked up by the password substring check.
You have set up the following password policy in the Democorp DSA:
The entry for Craig Link includes the following attributes and values:
Attribute Value
cn Craig LINK
description Railways
title Communications Engineer
Craig Link cannot create the following passwords because they are substrings of the title attribute
value:
engineer
Communications Eng
railways
This is acceptable because the description attribute is not listed in the set password-substring-attr
command.
CommunicationsEngineer
The space is missing, so this is not a substring of Communications Engineer.
Use password policy settings to control when user accounts move from active to expired.
04-May-2016 475/923
CA Directory - 12.0.18
An account expires when the password has not been modified for the configured period.
If the number of grace logins is exceeded, the account behaves as if it were expired.
The number of grace logins remaining is sent back to the binding client in the presence of the
password policy request control.
If you use this command with an LDAP client that is aware of the Behera password policy request
control, the client is informed of the number of logins remaining. Otherwise, the command works,
but the client is not notified of the number of logins remaining.
Note: To check which user passwords are set to never expire, search for all user accounts
with the attribute dxPwdIgnoreExpired = true.
To set the number of days for which a password is valid, use the following command:
You want to make users who work with sensitive information change their passwords before they are
04-May-2016 476/923
CA Directory - 12.0.18
You want to make users who work with sensitive information change their passwords before they are
four days old.
To set the minimum life span of passwords, use the following command:
You want to make users change their passwords at least every two weeks, and you want to prevent
users from reusing any of their last 20 passwords.
However, you also want to prevent them from changing their password more than once a day to
"flush" their password history.
To include LDAP response controls about password expiry to bind and compare responses, use the
following command:
To set the number of days for which warnings about the password expiring are added to bind and
compare responses, use the following command:
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
During normal operation these commands cause bind and compare responses from a DSA to append
04-May-2016 477/923
CA Directory - 12.0.18
During normal operation these commands cause bind and compare responses from a DSA to append
a LDAP control containing the number of seconds before an account expires.
During the warning period, the password expiry notification control is appended to bind and compare
responses.
You can set a user account to be suspended if someone has made too many unsuccessful attempts to
log in, or that user has not logged in recently.
If you use this command, each user must log in successfully at least as frequently as you set. If this
does not occur, the account is suspended.
To set the number of days a password remains valid if it is not used, use the following command:
In this example, you want to users to log in at least once every 60 days, and to change their password
at least every 90 days.
In this example, you want to allow people to keep using the same password, as long as they log in at
least every 10 days.
To make passwords valid indefinitely except when they are not used for 10 days, use these
commands:
04-May-2016 478/923
CA Directory - 12.0.18
You do not need to use the set password-age option because you are using its default value of 0 (off).
If you do not set this command, the default value of three retries is used.
In this example, you want to allow users only two unsuccessful login attempts before suspending
their account.
The following happens when a user tries to log in with an incorrect password:
Set the Time after Which Users Can Attempt to Log In Again
If you use the set password-retries command to define how many times a user can attempt to log in
before their account is suspended, you can also set a time after which the user can try again.
This means that after the period you set, the suspended account becomes active again.
If you do not use this option, an administrator must reset the user's password to unlock the account.
To let users try to log in again after a certain amount of time has passed, use the following command:
Example: Allow Users 5 Login Attempts, and a Delay of 30 Minutes before Trying Again
In this example, you want to allow users five unsuccessful login attempts before suspending their
account. You then want to let the user try again after half an hour.
The following happens when a user tries to log in with an incorrect password:
04-May-2016 479/923
CA Directory - 12.0.18
3. After 30 minutes, Craig Link's account is active again, and he can try to log in again.
You can use this to protect critical accounts that need to be immune to password lockout attacks.
Note: To check which user passwords are set to never expire, search for all user accounts
with the attribute dxPwdIgnoreSuspended = true.
Passwords can be reused. You do not want to keep a history of old passwords.
A password must be at least eight characters long with at least one numeral.
If a user's password is ever reset, you want the user to change the password immediately after
04-May-2016 480/923
CA Directory - 12.0.18
If a user's password is ever reset, you want the user to change the password immediately after
the first login.
If a password is not used for sixty days, you want the account to be suspended.
Passwords must contain at least seven characters, at least three of which must be alphabetical,
and at least three of which must be numeric.
Passwords must be at least one day old before they are changed, to prevent users from changing
their password many times to fill up the password history.
After a password has expired, users may still log in twice, to give them a chance to change the
password.
After three incorrect attempts at logging in, the account is suspended for 30 minutes, after which
the user may try to log in again.
The Default policy contains settings that are common to both policies. However some of these are
overridden.
04-May-2016 481/923
CA Directory - 12.0.18
Administrator passwords must contain at least two numbers and at least one uppercase letter.
After creating the password policies, assign the policies to the relevant users:
dn: cn=admin,ou=Administrators,c=au
objectClass: inetOrgperson
dxPwdPolicy: Admin
You can use this example to show that the CA Directory password policy is functioning correctly.
Client applications using this feature need to be able to parse the password policy response control.
In test 1 and 2, the password policy response control is empty (no information to report).
04-May-2016 482/923
CA Directory - 12.0.18
3. Use the LDUA to ensure that the DSA supports the password policy control:
ldua> bind-req
----> remote-addr = {
----> nsap = ip "hostname" port 19389
----> }
ldua> unbind-req;
ldua> search-req
----> base-object = <>
----> attrs = supportedControl;
ldua>
<- LDAP SEARCH-CONFIRM
invoke-id = 2 credit = 24
Entry: <>
Contents:
(supportedControl "1.3.6.1.4.1.42.2.27.8.5.1")
ldua>
ldua> bind-req
----> user = <c au>
----> <o Democorp>
----> <ou Corporate>
----> <ou Administration>
----> <cn "Craig link">
----> password = "wrong"
----> remote-addr = {
----> nsap = ip "hostname" port 19389
----> }
----> controls = { password-policy };
ldua>
04-May-2016 483/923
CA Directory - 12.0.18
You can use password settings to lock and suspend user accounts.
Account locking
Use account locking when you need to manually lock and unlock an account.
04-May-2016 484/923
CA Directory - 12.0.18
Account suspension
A user account is suspended when the user tries to log in with the wrong password multiple times
or does not change a password before it expires.
If an indefinite password suspension is required, then do not set password-max-suspension or set
it to zero (re-init friendly).
Password management rules help you manage user accounts. The rules include the following:
Forcing a user to change the password after the administrator has reset it
Setting the time after which users can try to log in again after locking due to unsuccessful login
attempts
Nominating a user account to act as a single proxy user to handle all account administration
The user has tried to log in with an incorrect password too many times.
Regardless of the reason that the account is inactive, an administrator can reactivate it by changing
the password.
This works because most password rules are only applied when operations are being performed by
the user who owns the password.
This means that whenever an administrator updates a user password, the password policy attributes
for that entry are reset. These attributes include the following:
1. Log in as an administrator.
04-May-2016 485/923
CA Directory - 12.0.18
When a user logs in with a newly reset password, the only operation the user can perform is to
change passwords. After the user has changed his or her password, normal operations are restored.
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
Do not use this feature if you have an application that performs a single bind to the directory for
authentication. For these applications users would never be required to change their passwords.
When set password-force-change is set to true, DAP binds are refused because they cannot carry
LDAP control information.
However, you can choose to enforce the password quality rules for all new passwords, including
passwords set when an administrator reactivates a user's account.
This command means that all of the rules discussed in How to Configure Password Quality Rules (see
page 458) and How to Set Account Expiry Rules (see page 463) apply to all password changes.
Note: If a user uses an LDAP client that is aware of LDAP password policy controls (for
example, LDUA or a PAM-LDAP client), then the account-locked password policy control is
returned in a bind refuse of a locked account.
04-May-2016 486/923
CA Directory - 12.0.18
2. Lock a user's account by adding the attribute dxPwdLocked with the value true to the user's
entry.
To unlock a user account, remove the attribute dxPwdLocked from the user's entry, or set the value
to false.
The only way to find out if entries have this attribute is to search for the dxPwdLocked attribute
explicitly. To actually return the dxPwdLocked attribute the attribute must be explicitly included in
the entry information selection component of a search request.
This means that if someone binds as a different user for account administration reasons, password
checks and changes to password policy are ignored.
04-May-2016 487/923
CA Directory - 12.0.18
2. Use the following command to identify this account as the password proxy user:
When an application binds as this password proxy user, the password policy is applied to password
compares and modifications.
You can use these operational attributes to diagnose problems with user accounts.
The user has tried to log in with an incorrect password too many times.
Regardless of the reason that the account is inactive, an administrator can reactivate it by changing
the password.
This works because most password rules are only applied when operations are being performed by
the user who owns the password.
04-May-2016 488/923
CA Directory - 12.0.18
This means that whenever an administrator updates a user password, the password policy attributes
for that entry are reset. These attributes include the following:
1. Log in as an administrator.
When a user logs in with a newly reset password, the only operation the user can perform is to
change passwords. After the user has changed his or her password, normal operations are restored.
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
Do not use this feature if you have an application that performs a single bind to the directory for
authentication. For these applications users would never be required to change their passwords.
When set password-force-change is set to true, DAP binds are refused because they cannot carry
LDAP control information.
However, you can choose to enforce the password quality rules for all new passwords, including
passwords set when an administrator reactivates a user's account.
This command means that all of the rules discussed in How to Configure Password Quality Rules (see
04-May-2016 489/923
CA Directory - 12.0.18
This command means that all of the rules discussed in How to Configure Password Quality Rules (see
page 470) and How to Set Account Expiry Rules (see page 475) apply to all password changes.
Note: If a user uses an LDAP client that is aware of LDAP password policy controls (for
example, LDUA or a PAM-LDAP client), then the account-locked password policy control is
returned in a bind refuse of a locked account.
2. Lock a user's account by adding the attribute dxPwdLocked with the value true to the user's
entry.
To unlock a user account, remove the attribute dxPwdLocked from the user's entry, or set the value
to false.
The only way to find out if entries have this attribute is to search for the dxPwdLocked attribute
explicitly. To actually return the dxPwdLocked attribute the attribute must be explicitly included in
the entry information selection component of a search request.
04-May-2016 490/923
CA Directory - 12.0.18
This means that if someone binds as a different user for account administration reasons, password
checks and changes to password policy are ignored.
2. Use the following command to identify this account as the password proxy user:
When an application binds as this password proxy user, the password policy is applied to password
compares and modifications.
You can use these operational attributes to diagnose problems with user accounts.
04-May-2016 491/923
CA Directory - 12.0.18
The following operational attribute values contain time information (syntax = generalizedTime) in the
CCYYMMDDhhmmssZ format.
dxPwdLastChange
dxPwdGraceUseTime
dxPwdLoginTime
dxPwdFailedTime
If you use these attributes for other purposes or debugging, note that this time may vary from the
local time. For example, if you perform password policy testing on a machine in Eastern Time (ET),
the operational attribute values will be 4 hours (+4) in the future (GMT).
Password Encryption
Contents
How Password Encryption Works (see page 492)
Choose an Encryption Method for Passwords Stored in a DSA (see page 493)
Convert Passwords Already in a DSA to a New Encryption Method (see page 493)
Hide Passwords in Knowledge Files (see page 495)
CA Directory provides the tools to let you change the attributes of passwords, for example, minimum
password length, and to change the password encryption.
Passwords are encrypted before they are stored in the directory. This prevents the possibility of
interrogating the directory directly for the value of any passwords.
Passwords are always single-valued. This means that an administrator cannot add a secret value and
use this as an unpublished entry point into the DSA.
Password logins are secure only if each person can change only his or her own password. Ensure that
you set access controls so that each user can update only their own password. Also, ensure that
administrators are allowed to update any user password.
3.
04-May-2016 492/923
CA Directory - 12.0.18
3. The DSA encrypts the password, and then stores the encrypted password in the userPassword
attribute.
The encrypted password includes the name of the encryption scheme.
By default, DSAs use salted SHA-512 to encrypt passwords, but you can change to a different scheme
if you prefer.
Note: Before CA Directory r12 SP11, DSAs used SHA-1 by default. From CA Directory r12 SP12
onwards, all new and updated passwords are encrypted with salted SHA-512.
By default, the passwords stored in the userPassword attribute are encrypted using salted SHA-512
(SSHA512).
However, you can use a different encryption scheme to encrypt these passwords. To do this, you
need to create a password rule that specifies the encryption scheme. Each password is encrypted
with the new scheme when it is next updated.
1. Choose an encryption method for passwords stored in a DSA (see page 493).
2. Search the DSA for all passwords encrypted using the old encryption method, and write the
results to an LDIF file.
3. Open the LDIF file in a text editor and make the following changes:
04-May-2016 493/923
3.
CA Directory - 12.0.18
changetype: modify
replace: userPassword
userPassword: new-password
Replace new-password with the actual new password for each entry.
5. Load the LDIF file into the DSA using the DXmodify tool.
6. Use the DXsearch tool to confirm that no passwords are encrypted using the old method, and
also that passwords are now encrypted using the new method.
This example shows how to convert the passwords in the Democorp DSA from SHA-1 to SSHA-1.
Name and password of the user who is authorized to change passwords: AdminUser,
adminpassword
2. Search the DSA for all passwords encrypted using SHA-1, using the following command:
This returns the entries in which the password is currently encrypted using SHA-1, and writes
the results to the file sha-1.ldif.
04-May-2016 494/923
CA Directory - 12.0.18
changetype: modify
replace: userPassword
userPassword: new-password
Replace new-password with the actual new password for each entry.
9. Load the file into the DSA using the following command:
10. Confirm that the passwords have changed by performing another search for SHA-1 hashed
passwords, using the following command:
The search result should show that no passwords are now encrypted with SHA-1.
11. Confirm that the passwords are encrypted with SSHA-1 by repeating the search for SSHA-1
passwords:
The DXpassword tool can produce obfuscated passwords, by specifying the encryption method
CADIR. This helps shield passwords in configuration files from users with access to the computer
running the DSA.
2. Use the DXpassword tool to encrypt the password using the CADIR option:
04-May-2016 495/923
2.
CA Directory - 12.0.18
3. Copy the entire output into the knowledge file, replacing the clear-text password.
In this example, the password for the LDAP server is HelloThere. The DSA knowledge file currently
contains the following line:
ldap-dsa-password = "HelloThere"
1. Use the DXpassword tool to encrypt the password using the CADIR option:
{CADIR}4YuDX1xmndSL7A==
ldap-dsa-password = "{CADIR}4YuDX1xmndSL7A=="
4. Save the knowledge file and stop and start the DSA.
CA Directory uses the following command to mimic the nonstandard functionality of some other
directories:
This section of the CA Directory password policy is specified in an Internet Draft on the IETF home
page (http://www.ietf.org). The specification of its operation can change over time. Also, the name of
the draft document changes as revisions are made. At the time of writing, the document name is
draft-behera-ldap-password-policy-09.txt.
04-May-2016 496/923
CA Directory - 12.0.18
CA Directory DSAs can be accessed from LDAP clients, such as web browsers, address books, and
Lightweight Directory User Agents (LDUAs).
This address definition is mandatory; it automatically enables LDAP as the DSA listens for different
protocols on the same port.
For a list of all ports in a default installation of CA Directory, see Port Numbers Used by CA Directory.
04-May-2016 497/923
CA Directory - 12.0.18
LDAP is a string-handling protocol only; therefore, the following restrictions are implicit:
Developers of directory clients must ensure the DSA receives an appropriately formatted LDAP
message because the LDAP syntax is highly dependent on appropriate punctuation, white space,
and so forth.
Developers of LDAP directory clients must define locally customized attributes and objects
through the DSA schema definition process.
Developers should remember that LDAP names are not necessarily unique. For example, two
organizations can define the string mail but have different syntaxes and uses for it.
Transparent Routing
When using a router DSA to route client requests to external LDAP directories using DXlink, it may not
be feasible or convenient to include all third-party schema.
This address definition is mandatory; it automatically enables LDAP as the DSA listens for different
protocols on the same port.
For a list of all ports in a default installation of CA Directory, see Port Numbers Used by CA Directory.
04-May-2016 498/923
CA Directory - 12.0.18
LDAP is a string-handling protocol only; therefore, the following restrictions are implicit:
Developers of directory clients must ensure the DSA receives an appropriately formatted LDAP
message because the LDAP syntax is highly dependent on appropriate punctuation, white space,
and so forth.
Developers of LDAP directory clients must define locally customized attributes and objects
through the DSA schema definition process.
Developers should remember that LDAP names are not necessarily unique. For example, two
organizations can define the string mail but have different syntaxes and uses for it.
Transparent Routing 1
When using a router DSA to route client requests to external LDAP directories using DXlink, it may not
be feasible or convenient to include all third-party schema.
Schema Publishing
CA Directory supports schema publishing through LDAP Version 3. This enables LDAP directory clients
to read the directory schema dynamically from the DXserver using LDAP Version 3. For further
information, see section 4.2 Subschema Subentries in RFC 4512.
The following information is published through the cn=schema subschema subentry using LDAP
Version 3:
Attributes
Object Classes
Attribute Types
Syntaxes
Name Forms
Structure Rules
04-May-2016 499/923
CA Directory - 12.0.18
Structure Rules
This schema information can be retrieved by performing a base-object search of the cn=schema
subentry with a search filter of objectClass present.
LDAP Controls
Contents
Supported LDAP Controls (see page 500)
Server-Side Sorting Control (see page 501)
Simple Paged Results Control (see page 501)
Password Policy Control (see page 501)
Proxied Authorization Control (see page 501)
Netscape Password Policy Controls (see page 502)
Persistent Search Control (see page 502)
Limitations on Persistent Searching (see page 502)
Tree Delete Control (see page 502)
Virtual List View (VLV) Control (see page 503)
Routing LDAP Controls (see page 504)
Page Sizes for the Server-Side Sorting and VLV Controls (see page 504)
LDAP controls are a mechanism for extending or changing the way a server handles a particular
operation. Controls may be attached to LDAP operations and generally change the semantics for that
specific operation. Controls that are not recognized are ignored if they are not marked critical. If a
control is marked critical and is not recognized, the error unsupported critical extension is returned
and the operation is not performed.
Because CA Directory supports distribution, it is possible that a control is not honored even though it
is recognized. For example, if server-side sorting is requested but the request has to be multi-chained
to complete the operation, the server-side sorting control is not honored. If the control is marked
critical, an error is returned to the client; otherwise, the control is ignored.
Controls recognized by CA Directory are published through the root DSE according to RFC 4512.
04-May-2016 500/923
CA Directory - 12.0.18
Note: You can use the set excluded-controls command to prevent this control from being
used.
This control is specified in an Internet Draft on the IETF home page (http://www.ietf.org). The
specification of its operation can change over time. Also, the name of the draft document changes as
revisions are made. At the time of writing, the document name is draft-behera-ldap-password-policy-
08.txt.
If the link flag dsa-ldap-proxy is used with DXlink, the proxied authorization control is added to
operations chained to third-party LDAP servers containing the entry of the request's originator. The
root DSE of the third-party LDAP server should be queried to check that it supports this control.
This control is specified in an Internet Draft on the IETF home page (http://www.ietf.org). The
specification of its operation can change over time. Also, the name of the draft document changes as
revisions are made. At the time of writing, the document name is draft-weltmann-ldapv3-proxy-13.txt
.
04-May-2016 501/923
CA Directory - 12.0.18
These controls are described in an Internet Draft that has expired. They are not subject to IETF
standardization.
This control can be used only if the scope it specifies is mastered by the DSA it is sent to. This is
because the DSA does not coordinate with other directories (including CA Directory DSAs) holding the
same or other parts of the DIT.
The control is specified in an Internet Draft that has expired. It is not subject to IETF standardization.
For more information, see draft-ietf-ldapext-psearch-03.txt on the IETF home page (http://www.ietf.org
).
For example, persistent searching does not work in the following situations:
If you have update and search DSAs, then the persistent search is not likely to work unless it is
done in the router.
If there are multiple routers, then persistent search in the router does not work. Instead, it must
be done on the update DSA.
If there is query streaming and persistent search is done in the update DSA, the search is never
sent to the update DSA, so it does not work in this situation either.
Without this control, an LDAP directory cannot delete an entire subtree; only a leaf entry may be
deleted. In a situation where CA Directory needs to delete many entries, this LDAP limitation can
cause problems.
04-May-2016 502/923
CA Directory - 12.0.18
Note: You can use the set excluded-controls command to prevent this control from being
used.
When you use the VLV control, also use the server-side sorting control.
This control is useful for a directory that contains entries for millions of entries.
before
Defines the number of entries before the target entry that the client requests the server to send.
after
Defines the number of entries after the target entry that the client requests the server to send.
offset
Defines the target entry.
content-count
Defines the number of entries in the result set.
greater-or-equal
Defines the target entry by comparing it to the values of the attribute specified.
Note: You can use the set excluded-controls command to prevent this control from being
used.
The client provides a greater-than-or-equal to match-value defining a position in the desired page.
In this example, the server returns the page starting with an entry where the attribute, such as
myattr1 has a value greater than or equal to 499.
04-May-2016 503/923
CA Directory - 12.0.18
wait;
The server returns the page defined by an ordinal offset, when there is no matching value.
In this example, the server returns the page that starts with entry 2000.The request can only be
handled by assembling the entire result set, sorting it, and moving to the 2000th entry.
Controls on responses are also passed back to the client even when not recognized, if the result is not
an error.
The DSA uses the relative sizes of the page size in the request and the paging threshold to decide how
to handle the request.
If the page size in the request is greater than the paging threshold, the DSA sorts the results and then
returns the first page to the client.
If the page size in the request is less than the paging threshold, the DSA can collect the page on the
fly. If this happens, the entire result is not sorted.
By default, the paging threshold is 100 entries. If you want to change this threshold, use the
command set paging-threshold.
A client sends a request to the DSA, asking for all users whose surname begins with A. In this
example, there are 120 such users.
The client asks that the results be paged, with only 20 results included in each page. This means that
the DSA sends the first 20 results, and then the next 20 results, and so on until it has sent all of the
results.
However, in this example, the client wants the request to be both paged and sorted.
04-May-2016 504/923
CA Directory - 12.0.18
The page size of 20 is smaller than the paging threshold (by default this is 100). This means that the
DSA sorts the entire list of all surnames beginning with A, and it returns the first 20 entries to the
client.
Note: You can use the set excluded-controls command to prevent this control from being
used.
04-May-2016 505/923
CA Directory - 12.0.18
This control is specified in an Internet Draft on the IETF home page (http://www.ietf.org). The
specification of its operation can change over time. Also, the name of the draft document changes as
revisions are made. At the time of writing, the document name is draft-behera-ldap-password-policy-
08.txt.
If the link flag dsa-ldap-proxy is used with DXlink, the proxied authorization control is added to
operations chained to third-party LDAP servers containing the entry of the request's originator. The
root DSE of the third-party LDAP server should be queried to check that it supports this control.
This control is specified in an Internet Draft on the IETF home page (http://www.ietf.org). The
specification of its operation can change over time. Also, the name of the draft document changes as
revisions are made. At the time of writing, the document name is draft-weltmann-ldapv3-proxy-13.txt
.
These controls are described in an Internet Draft that has expired. They are not subject to IETF
standardization.
This control can be used only if the scope it specifies is mastered by the DSA it is sent to. This is
because the DSA does not coordinate with other directories (including CA Directory DSAs) holding the
same or other parts of the DIT.
The control is specified in an Internet Draft that has expired. It is not subject to IETF standardization.
04-May-2016 506/923
CA Directory - 12.0.18
The control is specified in an Internet Draft that has expired. It is not subject to IETF standardization.
For more information, see draft-ietf-ldapext-psearch-03.txt on the IETF home page (http://www.ietf.org
).
For example, persistent searching does not work in the following situations:
If you have update and search DSAs, then the persistent search is not likely to work unless it is
done in the router.
If there are multiple routers, then persistent search in the router does not work. Instead, it must
be done on the update DSA.
If there is query streaming and persistent search is done in the update DSA, the search is never
sent to the update DSA, so it does not work in this situation either.
Without this control, an LDAP directory cannot delete an entire subtree; only a leaf entry may be
deleted. In a situation where CA Directory needs to delete many entries, this LDAP limitation can
cause problems.
Note: You can use the set excluded-controls command to prevent this control from being
used.
When you use the VLV control, also use the server-side sorting control.
This control is useful for a directory that contains entries for millions of entries.
before
Defines the number of entries before the target entry that the client requests the server to send.
04-May-2016 507/923
CA Directory - 12.0.18
after
Defines the number of entries after the target entry that the client requests the server to send.
offset
Defines the target entry.
content-count
Defines the number of entries in the result set.
greater-or-equal
Defines the target entry by comparing it to the values of the attribute specified.
Note: You can use the set excluded-controls command to prevent this control from being
used.
The client provides a greater-than-or-equal to match-value defining a position in the desired page.
In this example, the server returns the page starting with an entry where the attribute, such as
myattr1 has a value greater than or equal to 499.
The server returns the page defined by an ordinal offset, when there is no matching value.
In this example, the server returns the page that starts with entry 2000.The request can only be
handled by assembling the entire result set, sorting it, and moving to the 2000th entry.
Controls on responses are also passed back to the client even when not recognized, if the result is not
an error.
04-May-2016 508/923
CA Directory - 12.0.18
The DSA uses the relative sizes of the page size in the request and the paging threshold to decide how
to handle the request.
If the page size in the request is greater than the paging threshold, the DSA sorts the results and then
returns the first page to the client.
If the page size in the request is less than the paging threshold, the DSA can collect the page on the
fly. If this happens, the entire result is not sorted.
By default, the paging threshold is 100 entries. If you want to change this threshold, use the
command set paging-threshold.
A client sends a request to the DSA, asking for all users whose surname begins with A. In this
example, there are 120 such users.
The client asks that the results be paged, with only 20 results included in each page. This means that
the DSA sends the first 20 results, and then the next 20 results, and so on until it has sent all of the
results.
However, in this example, the client wants the request to be both paged and sorted.
The page size of 20 is smaller than the paging threshold (by default this is 100). This means that the
DSA sorts the entire list of all surnames beginning with A, and it returns the first 20 entries to the
client.
The top of the directory information tree (DIT) on each DSA is the root of the tree.
The root contains a special entry called the root DSA-specific entry (DSE). This is specified in the LDAP
[RFC4512] and therefore can only be read using the LDAP protocol.
04-May-2016 509/923
CA Directory - 12.0.18
The information provided by reading the root DSE is useful for application developers in determining
information, features, and schema specific to the LDAP directory.
The following examples to retrieve root DSE information use the ldapsearch utility available on most
operating systems.
supportedLdapVersion=3
The presence of this attribute indicates to clients that this is a CA Directory DSA. The value of the
attribute contains version information.
The following table describes some LDAP controls supported by CA Directory DSAs:
04-May-2016 510/923
CA Directory - 12.0.18
The information retrieved is the subentry that contains the schema information, for example:
subschemaSubentry=cn=schema
2. Perform another search from this base to retrieve the schema, for example:
objectClasses
attributeTypes
dITStructureRules
nameforms
ldapSyntaxes
04-May-2016 511/923
CA Directory - 12.0.18
supportedLdapVersion=3
The presence of this attribute indicates to clients that this is a CA Directory DSA. The value of the
attribute contains version information.
The following table describes some LDAP controls supported by CA Directory DSAs:
04-May-2016 512/923
CA Directory - 12.0.18
The information retrieved is the subentry that contains the schema information, for example:
subschemaSubentry=cn=schema
2. Perform another search from this base to retrieve the schema, for example:
objectClasses
attributeTypes
dITStructureRules
nameforms
ldapSyntaxes
This section illustrates how to access LDAP data using the Net::LDAP module, which is available from
any Perl CPAN archive.
This section assumes that you are familiar with Perl; it does not cover the installation of Perl or the
Net::LDAP module. This example is provided without any implied or explicit warranties. CA does not
provide support for either the Perl language or the Net::LDAP Perl module.
Note: The line numbers reference the comments (they are not part of the program).
04-May-2016 513/923
CA Directory - 12.0.18
This program extracts entries with the job title Secretary from the Democorp directory, and prints
their name and telephone number:
#!/usr/local/bin/perl -w
2
# This is a demonstration of accessing the Democorp directory using the
# Net::LDAP Perl modules
5 use strict;
7 use warnings;
8 use Net::LDAP;
10
11 my($ldap, $mesg, $entry);
12
13 $ldap = Net::LDAP->new('yourhost.com:19389') or die "Can't connect: $@";
14
15 # anonymous bind
16 $mesg = $ldap->bind;
17 if($mesg->is_error){
18 die "Bind error: ".$mesg->error;
19 }
20
21 # search for job title = "Secretary"
22 $mesg = $ldap->search(base => "o=Democorp,c=AU",
23 filter => "(title=Secretary)"
24 );
25 if($mesg->is_error){
26 die "Search error: ".$mesg->error;
27 }
28
29 foreach $entry ($mesg->entries) {
30
31 # report entry's common name (cn) and telephone number
32 print $entry->get_value('cn'), "\t",
33 $entry->get_value('telephoneNumber'), "\n";
34
35 }
36
37 print "Finished\n";
38
39 $ldap->unbind;
Replace yourhost.com with the name of the machine on which the Democorp directory is installed
and running.
Line 16
Line 17
04-May-2016 514/923
CA Directory - 12.0.18
Line 17
Line 22
Line 29
This loop executes for each entry found by the search. No errors are possible at this point.
Line 32 and 33
Print out the entries found. This usually produces the following output:
Finished
Line 39
Using DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone.
For information about the main components managed by DXmanager, see the following:
04-May-2016 515/923
CA Directory - 12.0.18
For information about using DXmanager to monitor your directory backbone, see the following:
Windows: %DXWEBHOME%\webapps\dxmanager\WEB-INF\data\dxmanager-audit.
log
UNIX: $DXWEBHOME/webapps/dxmanager/WEB-INF/data/dxmanager-audit.log
04-May-2016 516/923
CA Directory - 12.0.18
The backbone is the term used in DXmanager to refer to the directory installation as a whole. It
includes all the DSAs and their configuration data.
All the DSAs in a backbone combine together to service one namespace. Because the namespace is a
hierarchical tree it can be divided into partitions. A DSA manages one namespace partition. On small
installations a DSA might manage a whole namespace.
When you use DXmanager you set properties in the backbone by editing the properties of one of the
following:
The namespace
The network hardware and software that together runs the directory.
DXmanager applies the relevant properties of the namespace and of the network to the DSAs that it
manages.
Hosts (computers)
When you configure a setting for an item, it becomes the default for all the items contained within it.
For example, a setting defined for a region becomes the default setting for all the sites in that region
(and therefore for all hosts in those sites).
DXmanager lets you define the network topology of the systems in which the directory runs.
04-May-2016 517/923
CA Directory - 12.0.18
Hosts
A host is a single computer with CA Directory installed on it. A single host may serve one or more
namespace partitions.
Note: The directory management server is the computer on which you have installed the
Directory Management package, which includes DXmanager. Do not define the directory
management server as a host to DXmanager unless it also serves a namespace partition.
Sites
A site is a DXmanager term for collection of hosts that are connected by a reliable, fast and low
latency network, such as a LAN. hosts A site corresponds to a load sharing group.
If a number of hosts within a site manage the same namespace then DXmanager shares the load
between the hosts.
A router does not send read queries to a different site if there is a DSA in the same site that can
handle the query.
If there is no DSA on the same site that can handle a read query, the router sends the query to
another site in the same region, and if there is no DSA available there, it sends the query to another
region.
The router sends updates to only one DSA in each region. It uses the first DSA in its list of DSAs.
Regions
A region is a collection of sites. Multiwrite replication between DSAs in the same region is
synchronous.
You should define multiple regions to separate sites that have poor-quality connections. Doing this
helps minimize the performance cost of replicating updates across these links. However, use just one
region to cover for hosts that are connected by a fast network.
04-May-2016 518/923
CA Directory - 12.0.18
Each region is placed into a multiwrite group. Multiwrite replication is synchronous within a group,
and asynchronous between groups. This means that the poor quality of the connections does not
unduly slow directory performance.
Similarly, because regions are connected by slow links, CA Directory prevents load-sharing
between regions unless load-sharing within a region is not possible.
1. Backbone -- (broadest level) Works as a default value for the whole directory.
2. Namespace partition -- This affects all DSAs that serve that partition.
Using DXmanager, you can create configuration values at any of these levels A value at a more
specific level overrrides a value at a broader level. So, for example, a value specified at DSA level
overrides a value specified at Namespace partition level.
When you change a configuration value, all inherited instances of that configuration item change as
well.
DXmanager displays which configuration values are inherited and where they are inherited from.
Not all configuration items can be set at all levels. In particular, you cannot set values in the network
topology levels for configuration items that are applicable to namespaces.
We recommend that you set configuration values at the broadest level possible. This makes it easier
for you to make changes across the backbone, also means that you do not need to specify so much
new information when you add a new item.
04-May-2016 519/923
CA Directory - 12.0.18
To set this up, you could define this port number at the host level. However, this would mean that
you would have to set this for every host. Instead, we recommend that you set the SSL port number
at the backbone level. This then works as a default value for the entire directory backbone.
If the port number you choose is already in use on a particular host, you can set a different value for
that host, which overrides the value you set for the entire backbone.
Namespace Partitions
A namespace is the tree of all data in the directory, synonymous with directory information tree. It is
defined by the DN of the top node in the tree.
A namespace partition is a sub-section of the directory information tree. (The partition might cover
the whole namespace.)
Each DSA serves a namespace partition. When a namespace is partitioned to be served by more than
one DSA, the directory is said to be distributed. A well distributed directory provides good scalability
and performance.
You can control each namespace partition separately. Each partition can have different security and
can be located on a different set of hosts than other namespace partitions.
If more than one DSA serves the same namespace partition, the partition is said to be replicated.
Replicated namespace:
Unreplicated namespace:
The size (memory usage) of a namespace is too big for one DSA
Partitioning the namespace amongst DSAs is the only effective way to deal with this problem.
One subtree has a much higher number of operations than other subtrees
Placing the subtree in its own partition means DSAs can be dedicated to serving just the busy
subtree, and queries for other areas of the namespace are served by other DSAs. This usually
improves performance
04-May-2016 520/923
CA Directory - 12.0.18
Note: DSAs in different regions might be briefly inconsistent with each other.
DXmanager automatically sets up load sharing between DSAs in the same site that serve the same
namespace partition. If you do not use DXmanager you need to set the DSA knowledge to enable
load sharing.
If no DSAs within the router DSA's site are reachable, the router DSA sends queries to a DSA in
another site in the same region.
If a router cannot find a suitable DSA in any site in the same region, then it sends the query to
another region. If this happens, the performance is probably significantly lower, but the service is
maintained.
Note: Failover is managed by a router, but it requires that the DSAs in the group maintain
their synchronicity, which they do by using replication.
04-May-2016 521/923
CA Directory - 12.0.18
At the end of this process, each namespace partition has one or more DSAs assigned to it.
DXmanager does not do everything required to create a DSA. You still have to provide any DSA
specific properties. You also need to do the following tasks:
Set up any non-DXmanager configuration; that is, all the non-knowledge configuration. There is
also some knowledge configuration that is not yet set up by DXmanager
The file contains the topology and namespace partitions of the whole backbone, plus some
configuration of each DSA.
All DSAs that are configured in DXmanager use this XML configuration file.
DXmanager creates and edits the configuration file. Never edit this file yourself: use DXmanager
instead.
Hosts (computers)
04-May-2016 522/923
CA Directory - 12.0.18
When you configure a setting for an item, it becomes the default for all the items contained within it.
For example, a setting defined for a region becomes the default setting for all the sites in that region
(and therefore for all hosts in those sites).
DXmanager lets you define the network topology of the systems in which the directory runs.
Hosts
A host is a single computer with CA Directory installed on it. A single host may serve one or more
namespace partitions.
Note: The directory management server is the computer on which you have installed the
Directory Management package, which includes DXmanager. Do not define the directory
management server as a host to DXmanager unless it also serves a namespace partition.
Sites
A site is a DXmanager term for collection of hosts that are connected by a reliable, fast and low
latency network, such as a LAN. hosts A site corresponds to a load sharing group.
If a number of hosts within a site manage the same namespace then DXmanager shares the load
between the hosts.
A router does not send read queries to a different site if there is a DSA in the same site that can
handle the query.
If there is no DSA on the same site that can handle a read query, the router sends the query to
another site in the same region, and if there is no DSA available there, it sends the query to another
region.
The router sends updates to only one DSA in each region. It uses the first DSA in its list of DSAs.
04-May-2016 523/923
CA Directory - 12.0.18
Regions
A region is a collection of sites. Multiwrite replication between DSAs in the same region is
synchronous.
You should define multiple regions to separate sites that have poor-quality connections. Doing this
helps minimize the performance cost of replicating updates across these links. However, use just one
region to cover for hosts that are connected by a fast network.
Each region is placed into a multiwrite group. Multiwrite replication is synchronous within a group,
and asynchronous between groups. This means that the poor quality of the connections does not
unduly slow directory performance.
Similarly, because regions are connected by slow links, CA Directory prevents load-sharing
between regions unless load-sharing within a region is not possible.
1. Backbone -- (broadest level) Works as a default value for the whole directory.
2. Namespace partition -- This affects all DSAs that serve that partition.
Using DXmanager, you can create configuration values at any of these levels A value at a more
specific level overrrides a value at a broader level. So, for example, a value specified at DSA level
overrides a value specified at Namespace partition level.
When you change a configuration value, all inherited instances of that configuration item change as
well.
DXmanager displays which configuration values are inherited and where they are inherited from.
04-May-2016 524/923
CA Directory - 12.0.18
Not all configuration items can be set at all levels. In particular, you cannot set values in the network
topology levels for configuration items that are applicable to namespaces.
We recommend that you set configuration values at the broadest level possible. This makes it easier
for you to make changes across the backbone, also means that you do not need to specify so much
new information when you add a new item.
To set this up, you could define this port number at the host level. However, this would mean that
you would have to set this for every host. Instead, we recommend that you set the SSL port number
at the backbone level. This then works as a default value for the entire directory backbone.
If the port number you choose is already in use on a particular host, you can set a different value for
that host, which overrides the value you set for the entire backbone.
Namespace Partitions
Contents
Reasons to Partition a Namespace (see page 525)
A namespace is the tree of all data in the directory, synonymous with directory information tree. It is
defined by the DN of the top node in the tree.
A namespace partition is a sub-section of the directory information tree. (The partition might cover
the whole namespace.)
Each DSA serves a namespace partition. When a namespace is partitioned to be served by more than
one DSA, the directory is said to be distributed. A well distributed directory provides good scalability
and performance.
You can control each namespace partition separately. Each partition can have different security and
can be located on a different set of hosts than other namespace partitions.
If more than one DSA serves the same namespace partition, the partition is said to be replicated.
Replicated namespace:
Unreplicated namespace:
04-May-2016 525/923
CA Directory - 12.0.18
The size (memory usage) of a namespace is too big for one DSA
Partitioning the namespace amongst DSAs is the only effective way to deal with this problem.
One subtree has a much higher number of operations than other subtrees
Placing the subtree in its own partition means DSAs can be dedicated to serving just the busy
subtree, and queries for other areas of the namespace are served by other DSAs. This usually
improves performance
When you define the network topology, DXmanager automatically uses this information to set up
replication, failover, and load-sharing.
Note: DSAs in different regions might be briefly inconsistent with each other.
DXmanager automatically sets up load sharing between DSAs in the same site that serve the same
namespace partition. If you do not use DXmanager you need to set the DSA knowledge to enable
load sharing.
04-May-2016 526/923
CA Directory - 12.0.18
If no DSAs within the router DSA's site are reachable, the router DSA sends queries to a DSA in
another site in the same region.
If a router cannot find a suitable DSA in any site in the same region, then it sends the query to
another region. If this happens, the performance is probably significantly lower, but the service is
maintained.
Note: Failover is managed by a router, but it requires that the DSAs in the group maintain
their synchronicity, which they do by using replication.
At the end of this process, each namespace partition has one or more DSAs assigned to it.
DXmanager does not do everything required to create a DSA. You still have to provide any DSA
specific properties. You also need to do the following tasks:
Set up any non-DXmanager configuration; that is, all the non-knowledge configuration. There is
also some knowledge configuration that is not yet set up by DXmanager
The file contains the topology and namespace partitions of the whole backbone, plus some
configuration of each DSA.
All DSAs that are configured in DXmanager use this XML configuration file.
04-May-2016 527/923
CA Directory - 12.0.18
DXmanager creates and edits the configuration file. Never edit this file yourself: use DXmanager
instead.
The following flowchart shows the steps to create a new directory backbone. Each step is described
fully in the following sections.
04-May-2016 528/923
CA Directory - 12.0.18
Review any design notes or documentation on the current configuration so that you are aware of any
special requirements implemented by the design.
Was a specific schema required for any applications (for example, CA SiteMinder)?
04-May-2016 529/923
CA Directory - 12.0.18
The level of performance you require is defined by the applications that use the directory. If the
applications have a service level agreement (SLA), you can use that as a start.
The performance of a directory is measured in the number of searches and updates performed per
second.
An online banking application uses a directory as a repository for user authentication data. The
application has an SLA (service level agreement) of 100 authentications (user logins) per second, as
shown in the following diagram:
This SLA is helpful for working out the performance requirement for the directory, but it is not
enough to base a directory design on.
In this example, for each authentication, this application actually performs five operations on the
directory, including a search to see if the user entry is present and an update to the last login time
value.
This means that the performance requirement for the directory is actually 500 operations per second,
as shown in the following diagram:
The application receives 100 authentication requests per second which results in 500 directory requests per
second
04-May-2016 530/923
CA Directory - 12.0.18
If you work out the requirement for an individual application only, the directory may not perform as
required.
The following diagram shows a single authentication directory that is currently used by two
applications (online banking and car insurance).
In this example, the third application (share trading) is new, and the directory designer is currently
checking the performance of the directory with this new application.
A directory that serves three applications, receiveing a total of 1600 operations per second
Even though the new application only requires the directory to respond to 100 operations per
second, the directory is also servicing requests from the other applications.
This directory must be stress-tested under the full load of 1600 operations per second.
The test environment should mimic the production environment as closely as possible. This includes
hardware, software, and data.
04-May-2016 531/923
CA Directory - 12.0.18
We recommend that you use short descriptive names for namespace partitions, regions, sites, and
hosts. DXmanager uses these names to label each part of your directory backbone. The DXmanager
maps have limited space, so we recommend that you use short names to make the maps as clear as
possible.
You can then copy the new configuration file to the production environment.
You can test the upgrade procedure without affecting your production environment.
You can learn about the new configuration system without affecting the production environment.
You can take the time to design a simpler configuration than you have today.
This should result in minimal disruption and greater confidence when you upgrade your production
environment.
Complex Configurations
Your directory may use a complex configuration. Complex configurations rely on obsolete features of
the old-style knowledge files.
04-May-2016 532/923
CA Directory - 12.0.18
If you are using a complex configuration, you must resolve it before you can upgrade CA Directory.
You may need help in translating your configuration.
Knowledge Hiding
Knowledge hiding is sometimes used to deliberately give some DSAs no knowledge of other DSAs. A
DSA cannot route a query to a DSA that it has no knowledge of.
The disadvantage of knowledge hiding is seen during failover: router DSAs need to know all DSAs that
serve each namespace partition.
Knowledge hiding is not required if you use DXmanager, as is explained in the following table:
a. Record the business reasons for the directory (see page 529).
c. Copy the configuration files from the production environment (see page 534).
04-May-2016 533/923
CA Directory - 12.0.18
7. Test the production environment to determine that CA Directory is functioning as you expect
and that the upgrade is complete.
If there is a problem, you can roll back the production environment to the previous
configuration and resolve the problem using the test environment.
1. Create a folder on the directory management server to store the old configuration files.
3. Copy the entire DXHOME/config directory from each computer in the production
environment into the corresponding folder.
You should now have a single folder that contains one subfolder for each host, each of which
contains the old configuration files from that host.
Load some test data into the directory, and then set up the test applications.
04-May-2016 534/923
CA Directory - 12.0.18
Load some test data into the directory, and then set up the test applications.
Perform some application tasks to verify that they run correctly with the new directory backbone
you have set up.
This creates an XML file that contains the new configuration. You can later import this file using
DXmanager in the production environment.
7. Test the production environment to determine that CA Directory is functioning as you expect
and that the upgrade is complete.
If there is a problem, roll back the production environment to the previous configuration and
executables. You should then resolve the problem using the test environment.
Before you start creating the directory configuration in the test environment, you should gather
information about the requirements for the directory.
Review any design notes or documentation on the current configuration so that you are aware of any
04-May-2016 535/923
CA Directory - 12.0.18
Review any design notes or documentation on the current configuration so that you are aware of any
special requirements implemented by the design.
Was a specific schema required for any applications (for example, CA SiteMinder)?
The level of performance you require is defined by the applications that use the directory. If the
applications have a service level agreement (SLA), you can use that as a start.
The performance of a directory is measured in the number of searches and updates performed per
second.
An online banking application uses a directory as a repository for user authentication data. The
application has an SLA (service level agreement) of 100 authentications (user logins) per second, as
shown in the following diagram:
This SLA is helpful for working out the performance requirement for the directory, but it is not
enough to base a directory design on.
In this example, for each authentication, this application actually performs five operations on the
directory, including a search to see if the user entry is present and an update to the last login time
value.
This means that the performance requirement for the directory is actually 500 operations per second,
04-May-2016 536/923
CA Directory - 12.0.18
This means that the performance requirement for the directory is actually 500 operations per second,
as shown in the following diagram:
The application receives 100 authentication requests per second which results in 500 directory requests per
second
If you work out the requirement for an individual application only, the directory may not perform as
required.
The following diagram shows a single authentication directory that is currently used by two
applications (online banking and car insurance).
In this example, the third application (share trading) is new, and the directory designer is currently
checking the performance of the directory with this new application.
A directory that serves three applications, receiveing a total of 1600 operations per second
Even though the new application only requires the directory to respond to 100 operations per
second, the directory is also servicing requests from the other applications.
This directory must be stress-tested under the full load of 1600 operations per second.
04-May-2016 537/923
CA Directory - 12.0.18
The test environment should mimic the production environment as closely as possible. This includes
hardware, software, and data.
We recommend that you use short descriptive names for namespace partitions, regions, sites, and
hosts. DXmanager uses these names to label each part of your directory backbone. The DXmanager
maps have limited space, so we recommend that you use short names to make the maps as clear as
possible.
CA Directory lets you use DXmanager to manage the configuration of the entire backbone.
04-May-2016 538/923
CA Directory - 12.0.18
You can then copy the new configuration file to the production environment.
You can test the upgrade procedure without affecting your production environment.
You can learn about the new configuration system without affecting the production environment.
You can take the time to design a simpler configuration than you have today.
This should result in minimal disruption and greater confidence when you upgrade your production
environment.
Complex Configurations
Your directory may use a complex configuration. Complex configurations rely on obsolete features of
the old-style knowledge files.
If you are using a complex configuration, you must resolve it before you can upgrade CA Directory.
You may need help in translating your configuration.
Knowledge Hiding
Knowledge hiding is sometimes used to deliberately give some DSAs no knowledge of other DSAs. A
DSA cannot route a query to a DSA that it has no knowledge of.
The disadvantage of knowledge hiding is seen during failover: router DSAs need to know all DSAs that
serve each namespace partition.
Knowledge hiding is not required if you use DXmanager, as is explained in the following table:
04-May-2016 539/923
CA Directory - 12.0.18
a. Record the business reasons for the directory (see page 535).
c. Copy the configuration files from the production environment (see page 541).
7. Test the production environment to determine that CA Directory is functioning as you expect
and that the upgrade is complete.
If there is a problem, you can roll back the production environment to the previous
configuration and resolve the problem using the test environment.
04-May-2016 540/923
CA Directory - 12.0.18
1. Create a folder on the directory management server to store the old configuration files.
3. Copy the entire DXHOME/config directory from each computer in the production
environment into the corresponding folder.
You should now have a single folder that contains one subfolder for each host, each of which
contains the old configuration files from that host.
Load some test data into the directory, and then set up the test applications.
Perform some application tasks to verify that they run correctly with the new directory backbone
you have set up.
This creates an XML file that contains the new configuration. You can later import this file using
DXmanager in the production environment.
04-May-2016 541/923
CA Directory - 12.0.18
7. Test the production environment to determine that CA Directory is functioning as you expect
and that the upgrade is complete.
If there is a problem, roll back the production environment to the previous configuration and
executables. You should then resolve the problem using the test environment.
Logging in to DXmanager
Contents
Methods for Setting Up Login Accounts (see page 542)
Authentication Using Existing Accounts (see page 543)
Configure Authentication to a Directory or Database (see page 543)
How to Set Up Login Accounts in Tomcat (see page 545)
Add a New Login Account in Tomcat (see page 545)
Hashed Passwords for Login Accounts (see page 546)
Enable Hashed Passwords in Tomcat (see page 547)
DXManager Roles (see page 547)
To use DXmanager, users must log in. You need to create a login account for every user who needs to
use the product, including the following:
DXmanager controllers
DXmanager monitors
Note: When you install DXmanager, the installation creates some sample accounts. You
should customize these accounts to reflect your own user accounts.
Note: Do not use this instance of Tomcat to host any other applications. It is customized to
work with DXmanager only.
04-May-2016 542/923
CA Directory - 12.0.18
Important! Using this method, you need to restart the Directory Management Server
once, after you set up the connection to the directory or database.
If you use a database, it must contain at least two tables, including the following:
A table containing one record for every role that is assigned to the accounts.
This table must contain a column of account names (the same values as in the previous table) and
one of roles.
If you use a directory, each required login account must have in the directory a unique entry that
corresponds to an element in the initial DirContext defined by the connectionURL attribute.
Note: For more information about the structure of the directory, check the Tomcat realms
on the Apache site (http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html).
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
04-May-2016 543/923
CA Directory - 12.0.18
1. (Optional) If your directory or database includes hashed passwords, enable hashed passwords
in Tomcat (see page 547).
2. Download the JDBC or JNDI driver for your database or directory, and put it in the following
location:
DXHOME/../dxwebserver/lib
3. Create a new user account for the directory or database, or identify a suitable existing
account.
This account must have at least read-only access to the user and role data. Tomcat connects
to the directory or database using this account.
4. Identify the structure of the user and role data in the directory or database, using the
instructions in Tomcat realms on the Apache site (http://tomcat.apache.org/tomcat-5.5-doc/realm-
howto.html).
DXHOME/../dxwebserver/conf/server.xml
This disables the default realm, which uses accounts in a local XML file for authentication.
7. Define a realm element for the type of directory or database that you plan to use.
Some realm elements are already included in the XML file, enclosed with commenting marks.
If a suitable realm is already defined, do the following:
a. Identify the commented-out realm element that applies to the type of directory or
database you plan to use, and then delete the commenting marks.
b. Update the attributes in the new realm element with the details of your directory or
database, using the instructions in Tomcat realms on the Apache site (http://tomcat.
apache.org/tomcat-5.5-doc/realm-howto.html).
If a suitable realm is not yet defined in the file, create a new realm element for your directory
or database using the instructions in Tomcat realms on the Apache site (http://tomcat.apache.
org/tomcat-5.5-doc/realm-howto.html).
04-May-2016 544/923
CA Directory - 12.0.18
Note: CA recommends that you use this method for a test or demonstration system only.
For a production system, use an existing directory or database for authentication.
To set up login accounts in Tomcat using the local XML file, follow this process:
2. Create new login accounts for the users (see page 545).
Note: CA recommends that you use this method for a test or demonstration system only. For a
production system, use an existing directory or database for authentication.
Every login account in tomcat-users.xml must correspond to a user in the warehouse. The User ID
must match the user name that you specify in the XML file.
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
DXHOME/../dxwebserver/conf/tomcat-users.xml
username
Specifies the name that the user enters when they log in to DXmanager. Make sure that
this value corresponds to the User ID of a user in the warehouse.
password
Specifies the password for this user. If you have enabled hashed passwords, include the
hashed value here.
roles
04-May-2016 545/923
CA Directory - 12.0.18
roles
Specifies the roles for this user. This is a comma-separated list, so you can specify more
than one role.
The following snippet of tomcat-users.xml shows the details for two users:
<tomcat-users>
<user name="Jenny Watts"
password="5460cdf0d7c4370224eb2be031b7c7eb724fa583"
roles="dxmanagerMonitor" />
<user name="Terry Morrow"
password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
roles="dxmanagerSuperUser" />
</tomcat-users>
In this example, Jenny Watts has the Monitor role, and Terry Morrow has the Superuser role. This
means that Jenny can only monitor DSAs and customize monitoring functionality. Terry can perform
all DXmanager tasks as he has Superuser access.
Note: The passwords in this example are hashed, which means that hashed passwords
must be enabled in Tomcat.
If Tomcat uses an existing directory or database of accounts, then by default Tomcat expects to
receive clear-text passwords. If your existing account repository already stores passwords as hashes,
you should set Tomcat to accept hashed passwords.
If Tomcat uses a local XML file containing account details, then by default this file contains clear-text
passwords, which can be read by anyone with access to the file. If you store the login accounts in the
XML file, we strongly recommend that you configure Tomcat to use hashed passwords instead. This
means that the passwords of any login account details that are stored in the local Tomcat file can be
stored as a hash rather than in clear text.
To use hashed passwords in either the local XML file or in an existing database or directory, you must
configure Tomcat to accept hashed passwords.
04-May-2016 546/923
CA Directory - 12.0.18
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
DXHOME/../dxwebserver/conf/server.xml
2. Find the <realm> section, then add the digest and digestEncoding elements. For each of these,
choose from SHA, MD2, and MD5. For example:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA"
digestEncoding=""/>
Note: When you do not specify the digestEncoding element, Tomcat uses the
platform default. If your directory or database uses a different encoding to the
platform default, see the information about Tomcat realms on the Apache site (
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) for instructions.
DXManager Roles
A role defines what screens a user can see in DXmanager, which limits the tasks they can do. Every
DXmanager login account has one or more roles.
You can assign each user to one or more of the following roles in ascending order of access:
dxmanagerMonitor
Users with the Monitor role can only monitor DSAs and customize monitoring functionality.
dxmanagerControl
Users with the Control role can start, stop, and initialize DSAs.
04-May-2016 547/923
CA Directory - 12.0.18
dxmanagerChange
Users with the Configure role can change the configuration of the backbone, and deploy the new
configuration to the hosts.
dxmanagerSuperUser
Users with the Superuser role can set system properties. When you installed CA Directory, you
created a password for a DXmanager user with the Superuser role.
Roles are hierarchical, so if an account has the superuser role, then it also has the abilities of all lesser
roles.
Note: Users with more than one role assigned to them are granted the privileges of the
role with the highest level of access.
The following table summarizes the privileges associated with these roles:
DXmanager uses a Tomcat web server, also known as CA Directory Web Server for realm based
authentication and authorization. You need to configure Tomcat with authentication details for the
login accounts you require.
Note: Do not use this instance of Tomcat to host any other applications. It is customized to
work with DXmanager only.
04-May-2016 548/923
CA Directory - 12.0.18
Important! Using this method, you need to restart the Directory Management Server
once, after you set up the connection to the directory or database.
If you use a database, it must contain at least two tables, including the following:
A table containing one record for every role that is assigned to the accounts.
This table must contain a column of account names (the same values as in the previous table) and
one of roles.
If you use a directory, each required login account must have in the directory a unique entry that
corresponds to an element in the initial DirContext defined by the connectionURL attribute.
Note: For more information about the structure of the directory, check the Tomcat realms
on the Apache site (http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html).
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
04-May-2016 549/923
CA Directory - 12.0.18
1. (Optional) If your directory or database includes hashed passwords, enable hashed passwords
in Tomcat (see page 553).
2. Download the JDBC or JNDI driver for your database or directory, and put it in the following
location:
DXHOME/../dxwebserver/lib
3. Create a new user account for the directory or database, or identify a suitable existing
account.
This account must have at least read-only access to the user and role data. Tomcat connects
to the directory or database using this account.
4. Identify the structure of the user and role data in the directory or database, using the
instructions in Tomcat realms on the Apache site (http://tomcat.apache.org/tomcat-5.5-doc/realm-
howto.html).
DXHOME/../dxwebserver/conf/server.xml
This disables the default realm, which uses accounts in a local XML file for authentication.
7. Define a realm element for the type of directory or database that you plan to use.
Some realm elements are already included in the XML file, enclosed with commenting marks.
If a suitable realm is already defined, do the following:
a. Identify the commented-out realm element that applies to the type of directory or
database you plan to use, and then delete the commenting marks.
b. Update the attributes in the new realm element with the details of your directory or
database, using the instructions in Tomcat realms on the Apache site (http://tomcat.
apache.org/tomcat-5.5-doc/realm-howto.html).
If a suitable realm is not yet defined in the file, create a new realm element for your directory
or database using the instructions in Tomcat realms on the Apache site (http://tomcat.apache.
org/tomcat-5.5-doc/realm-howto.html).
04-May-2016 550/923
CA Directory - 12.0.18
Note: CA recommends that you use this method for a test or demonstration system only.
For a production system, use an existing directory or database for authentication.
To set up login accounts in Tomcat using the local XML file, follow this process:
2. Create new login accounts for the users (see page 551).
Note: CA recommends that you use this method for a test or demonstration system only. For a
production system, use an existing directory or database for authentication.
Every login account in tomcat-users.xml must correspond to a user in the warehouse. The User ID
must match the user name that you specify in the XML file.
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
DXHOME/../dxwebserver/conf/tomcat-users.xml
username
Specifies the name that the user enters when they log in to DXmanager. Make sure that
this value corresponds to the User ID of a user in the warehouse.
password
Specifies the password for this user. If you have enabled hashed passwords, include the
hashed value here.
roles
04-May-2016 551/923
CA Directory - 12.0.18
roles
Specifies the roles for this user. This is a comma-separated list, so you can specify more
than one role.
The following snippet of tomcat-users.xml shows the details for two users:
<tomcat-users>
<user name="Jenny Watts"
password="5460cdf0d7c4370224eb2be031b7c7eb724fa583"
roles="dxmanagerMonitor" />
<user name="Terry Morrow"
password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
roles="dxmanagerSuperUser" />
</tomcat-users>
In this example, Jenny Watts has the Monitor role, and Terry Morrow has the Superuser role. This
means that Jenny can only monitor DSAs and customize monitoring functionality. Terry can perform
all DXmanager tasks as he has Superuser access.
Note: The passwords in this example are hashed, which means that hashed passwords
must be enabled in Tomcat.
By default, the Tomcat web server deals with clear-text passwords, regardless of the method you use
for setting up login accounts.
If Tomcat uses an existing directory or database of accounts, then by default Tomcat expects to
receive clear-text passwords. If your existing account repository already stores passwords as hashes,
you should set Tomcat to accept hashed passwords.
If Tomcat uses a local XML file containing account details, then by default this file contains clear-text
passwords, which can be read by anyone with access to the file. If you store the login accounts in the
XML file, we strongly recommend that you configure Tomcat to use hashed passwords instead. This
means that the passwords of any login account details that are stored in the local Tomcat file can be
stored as a hash rather than in clear text.
04-May-2016 552/923
CA Directory - 12.0.18
To use hashed passwords in either the local XML file or in an existing database or directory, you must
configure Tomcat to accept hashed passwords.
Note: Before you begin, stop the Tomcat service: CA Directory Webserver. This disconnects
any currently open sessions.
DXHOME/../dxwebserver/conf/server.xml
2. Find the <realm> section, then add the digest and digestEncoding elements. For each of these,
choose from SHA, MD2, and MD5. For example:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA"
digestEncoding=""/>
Note: When you do not specify the digestEncoding element, Tomcat uses the
platform default. If your directory or database uses a different encoding to the
platform default, see the information about Tomcat realms on the Apache site (
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) for instructions.
DXManager Roles
A role defines what screens a user can see in DXmanager, which limits the tasks they can do. Every
DXmanager login account has one or more roles.
You can assign each user to one or more of the following roles in ascending order of access:
dxmanagerMonitor
Users with the Monitor role can only monitor DSAs and customize monitoring functionality.
dxmanagerControl
Users with the Control role can start, stop, and initialize DSAs.
04-May-2016 553/923
CA Directory - 12.0.18
dxmanagerChange
Users with the Configure role can change the configuration of the backbone, and deploy the new
configuration to the hosts.
dxmanagerSuperUser
Users with the Superuser role can set system properties. When you installed CA Directory, you
created a password for a DXmanager user with the Superuser role.
Roles are hierarchical, so if an account has the superuser role, then it also has the abilities of all lesser
roles.
Note: Users with more than one role assigned to them are granted the privileges of the
role with the highest level of access.
The following table summarizes the privileges associated with these roles:
Start DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone. You can connect to DXmanager from any computer that has a web browser and a
connection to the computer on which DXmanager is installed.
To use DXmanager, you need to log in. A superuser account is created during installation. You can use
this account to log in and create more user accounts.
To start DXmanager
04-May-2016 554/923
CA Directory - 12.0.18
https://hostname:portnumber/dxmanager
hostname
portnumber
a. Specifies the port number of CA Directory Web Server on which DXmanager runs.
b. Default: 8443
The DXmanager wizards include some default values. We recommend that you use these default
values unless you are sure that your backbone requires a different value.
1. Log in to DXmanager as a user with the Change or Superuser role. These roles give you
permission to change the directory backbone's configuration.
DXmanager opens, showing a page that links to the following items:
Advanced
Opens DXmanager in Edit mode, so you can create the configuration without the wizard.
3. In the first page, define default values for the whole backbone (see page 559).
04-May-2016 555/923
CA Directory - 12.0.18
3. In the first page, define default values for the whole backbone (see page 559).
Click Configuration, Deploy to update the hosts with the new configuration.
This is useful if you have set up a test environment to develop the configuration. You can later import
the configuration into the production environment.
3. Change the network address for each host from the address of the test environment to the
network address for the production environment.
Ensure that you change every host.
Click Configuration, Deploy to update the hosts with the new configuration.
04-May-2016 556/923
CA Directory - 12.0.18
Click Configuration, Deploy to update the hosts with the new configuration.
The updated configuration file is sent to all hosts. Any new DSAs are created automatically. Any
existing DSAs are reinitialized.
Start DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone. You can connect to DXmanager from any computer that has a web browser and a
connection to the computer on which DXmanager is installed.
To use DXmanager, you need to log in. A superuser account is created during installation. You can use
this account to log in and create more user accounts.
To start DXmanager
https://hostname:portnumber/dxmanager
hostname
portnumber
a. Specifies the port number of CA Directory Web Server on which DXmanager runs.
b. Default: 8443
The DXmanager wizards include some default values. We recommend that you use these default
values unless you are sure that your backbone requires a different value.
04-May-2016 557/923
CA Directory - 12.0.18
1. Log in to DXmanager as a user with the Change or Superuser role. These roles give you
permission to change the directory backbone's configuration.
DXmanager opens, showing a page that links to the following items:
Advanced
Opens DXmanager in Edit mode, so you can create the configuration without the wizard.
3. In the first page, define default values for the whole backbone (see page 565).
Click Configuration, Deploy to update the hosts with the new configuration.
This is useful if you have set up a test environment to develop the configuration. You can later import
the configuration into the production environment.
3. Change the network address for each host from the address of the test environment to the
04-May-2016 558/923
CA Directory - 12.0.18
3. Change the network address for each host from the address of the test environment to the
network address for the production environment.
Ensure that you change every host.
Click Configuration, Deploy to update the hosts with the new configuration.
The updated configuration file is sent to all hosts. Any new DSAs are created automatically. Any
existing DSAs are reinitialized.
You can modify any aspect of a directory backbone. When you use DXmanager to change the
configuration, the XML file on the DXmanager server is updated. You can then deploy the new
configuration to the hosts in the backbone.
4. Right-click on the Backbone icon, and then select Edit Properties, as shown in the following
example:
04-May-2016 559/923
4. CA Directory - 12.0.18
5. In the Edit Backbone Default dialog, specify the configuration values for the entire backbone
as defaults.
Click Configuration, Deploy to update the hosts with the new configuration.
Note: If this is the first time you have run DXmanager and you are using the Create a
Backbone wizard, enter these default values in the first page of the wizard, and then click
OK and deploy the configuration.
When you want to add another computer to the directory backbone, you should add a new host in
the directory configuration. Similarly, you can add new sites or regions if your company has acquired
data centers.
We recommend that you give each host, region, and site a short descriptive name.
4. Right-click the level above the item you want to create, and then select the option to add a
new item.
The following example shows the option for creating a new host by right-clicking on a site:
04-May-2016 560/923
CA Directory - 12.0.18
5. Enter the information about the new region, site, or host in the dialog, and click OK when you
are done.
The Topology map now displays the new region, site, or host.
Click Configuration, Deploy to update the hosts with the new configuration.
You need to create a namespace partition before you can create a DSA that serves the partition.
Note: Decide if this namespace partition is to be served by a router DSA or a data DSA. One
namespace partition cannot be served by both types of DSA.
Partition name
Specifies the name of the namespace partition that you are creating. This name is used in
DXmanager displays.
Prefix
If this namespace partition is to be served by a data DSA, then this specifies the context
prefix of the DIT that the DSA publishes that it serves. If Native prefix is also set, then this
becomes the logical prefix rather than the physical prefix and prefix mapping is done in
the server.
If you plan to use a router DSA to serve this namespace partition, then leave this blank.
SNMP port
04-May-2016 561/923
CA Directory - 12.0.18
SNMP port
Specifies the SNMP port for this partition. This is the port the DSA will use to send SNMP
traps. This is needed by the DXmanager to be able to monitor DSAs.
Port
Specifies the port associated with this namespace partition. The DSAs created when you
deploy this namespace partition to a host uses this port as their listen address.
Console port
Specifies the port on which the DSA accepts connections from the local computer only. If
this is not specified, there is no console for the DSA.
This is automatically populated when you enter the Port value.
Datastore size
Specifies the datastore size in MB.
b. Enter a comment that describes the current state of the configuration, and then click
OK.
Create a DSA
To create a new DSA, you tell DXmanager the host, the namespace that the DSA will serve, and the
type of DSA you want DXmanager to create.
4. Right-click the host that will hold the new DSA, then select Instantiate a new partition to this
host.
Note: You can also create a new DSA by right-clicking on a partition in the
Namespace map.
04-May-2016 562/923
CA Directory - 12.0.18
As a Router DSA
As a Data DSA
a. Select the namespace partition that the new DSA will serve, and then click Next.
Note: A namespace cannot be served by both a data DSA and a router DSA,
so if it is already served by one of these sorts of DSA, the other option is
unavailable.
b. Choose the network address for this DSA. If the host has a single address, you can
leave this unchanged.
Click Configuration, Deploy to update the hosts with the new configuration.
Note: If you edit and deploy the configuration again, the initialization files
are not overwritten. This means that you do not need to change the
initialization files again - your customizations remain in the files.
c. Load or synchronize each DSA with other DSAs that serve the same namespace
partition.
04-May-2016 563/923
CA Directory - 12.0.18
namespace-host
For example, a data DSA on the host named Server15 that serves the namespace partition of Staff is
given the following name:
Staff-Server15
Note: When you create a DSA outside of DXmanager, avoid the DXmanager naming
convention. Using a different naming convention allows DXmanager and non-DXmanager
DSAs to exist side by side without confusion.
4. Enter the new configuration information, and click OK when you are done.
Click Configuration, Deploy to update the hosts with the new configuration.
04-May-2016 564/923
CA Directory - 12.0.18
1. Log in to DXmanager.
2. Click the Maps tab, and then display either the Namespace or Topology map.
3. Right-click any item in the map, and then select View Properties
The dialog that appears lists the properties of the item you selected.
4. Right-click on the Backbone icon, and then select Edit Properties, as shown in the following
example:
5. In the Edit Backbone Default dialog, specify the configuration values for the entire backbone
as defaults.
Click Configuration, Deploy to update the hosts with the new configuration.
Note: If this is the first time you have run DXmanager and you are using the Create a
Backbone wizard, enter these default values in the first page of the wizard, and then click
OK and deploy the configuration.
When you want to add another computer to the directory backbone, you should add a new host in
04-May-2016 565/923
CA Directory - 12.0.18
When you want to add another computer to the directory backbone, you should add a new host in
the directory configuration. Similarly, you can add new sites or regions if your company has acquired
data centers.
We recommend that you give each host, region, and site a short descriptive name.
4. Right-click the level above the item you want to create, and then select the option to add a
new item.
The following example shows the option for creating a new host by right-clicking on a site:
5. Enter the information about the new region, site, or host in the dialog, and click OK when you
are done.
The Topology map now displays the new region, site, or host.
Click Configuration, Deploy to update the hosts with the new configuration.
You need to create a namespace partition before you can create a DSA that serves the partition.
Note: Decide if this namespace partition is to be served by a router DSA or a data DSA. One
namespace partition cannot be served by both types of DSA.
04-May-2016 566/923
CA Directory - 12.0.18
Partition name
Specifies the name of the namespace partition that you are creating. This name is used in
DXmanager displays.
Prefix
If this namespace partition is to be served by a data DSA, then this specifies the context
prefix of the DIT that the DSA publishes that it serves. If Native prefix is also set, then this
becomes the logical prefix rather than the physical prefix and prefix mapping is done in
the server.
If you plan to use a router DSA to serve this namespace partition, then leave this blank.
SNMP port
Specifies the SNMP port for this partition. This is the port the DSA will use to send SNMP
traps. This is needed by the DXmanager to be able to monitor DSAs.
Port
Specifies the port associated with this namespace partition. The DSAs created when you
deploy this namespace partition to a host uses this port as their listen address.
Console port
Specifies the port on which the DSA accepts connections from the local computer only. If
this is not specified, there is no console for the DSA.
This is automatically populated when you enter the Port value.
Datastore size
Specifies the datastore size in MB.
b. Enter a comment that describes the current state of the configuration, and then click
OK.
Create a DSA
Contents
How DXmanager Names DSAs (see page 569)
To create a new DSA, you tell DXmanager the host, the namespace that the DSA will serve, and the
04-May-2016 567/923
CA Directory - 12.0.18
To create a new DSA, you tell DXmanager the host, the namespace that the DSA will serve, and the
type of DSA you want DXmanager to create.
4. Right-click the host that will hold the new DSA, then select Instantiate a new partition to this
host.
Note: You can also create a new DSA by right-clicking on a partition in the
Namespace map.
As a Router DSA
As a Data DSA
a. Select the namespace partition that the new DSA will serve, and then click Next.
Note: A namespace cannot be served by both a data DSA and a router DSA,
so if it is already served by one of these sorts of DSA, the other option is
unavailable.
b. Choose the network address for this DSA. If the host has a single address, you can
leave this unchanged.
Click Configuration, Deploy to update the hosts with the new configuration.
04-May-2016 568/923
1.
CA Directory - 12.0.18
Note: If you edit and deploy the configuration again, the initialization files
are not overwritten. This means that you do not need to change the
initialization files again - your customizations remain in the files.
c. Load or synchronize each DSA with other DSAs that serve the same namespace
partition.
namespace-host
For example, a data DSA on the host named Server15 that serves the namespace partition of Staff is
given the following name:
Staff-Server15
Note: When you create a DSA outside of DXmanager, avoid the DXmanager naming
convention. Using a different naming convention allows DXmanager and non-DXmanager
DSAs to exist side by side without confusion.
04-May-2016 569/923
3. CA Directory - 12.0.18
4. Enter the new configuration information, and click OK when you are done.
Click Configuration, Deploy to update the hosts with the new configuration.
1. Log in to DXmanager.
2. Click the Maps tab, and then display either the Namespace or Topology map.
3. Right-click any item in the map, and then select View Properties
The dialog that appears lists the properties of the item you selected.
Authentication in DXmanager
Contents
Set the Authentication Level (see page 570)
Namespace partition -- This affects all DSAs that serve that partition.
04-May-2016 570/923
CA Directory - 12.0.18
b. In the Security section, check or uncheck one or more of the Authentication levels
boxes, and then click OK.
a. Right-click on the partition you want this setting applied to, and then select Edit
properties.
The inherited authentication levels are displayed in the Security section.
If you want to change the value, click Override, and check or uncheck one or more of
the Authentication levels boxes.
If you want to inherit the value from the backbone, click Inherit.
b. Click OK.
Note: You do not need to set the level of authentication for an incoming request to a DSA,
because the DSA does this automatically.
Namespace partition -- This affects all DSAs that serve that partition.
b. In the Security section, check or uncheck one or more of the Authentication levels
boxes, and then click OK.
a. Right-click on the partition you want this setting applied to, and then select Edit
04-May-2016 571/923
6. CA Directory - 12.0.18
a. Right-click on the partition you want this setting applied to, and then select Edit
properties.
The inherited authentication levels are displayed in the Security section.
If you want to change the value, click Override, and check or uncheck one or more of
the Authentication levels boxes.
If you want to inherit the value from the backbone, click Inherit.
b. Click OK.
Note: You do not need to set the level of authentication for an incoming request to a DSA,
because the DSA does this automatically.
Troubleshooting DXmanager
Contents
Cannot Create a DSA (see page 572)
DXmanager is Showing Unexpected Behavior (see page 573)
Reset the DXadmind Configuration (see page 573)
Check Whether DXadmind Is Running (see page 574)
Check Whether DXadmind Trusts DXmanager (see page 575)
Check Whether a Firewall Prevents Access to a Host (see page 575)
Check That DXmanager Knows the Host's Network Address (see page 575)
Change DXwebserver's Port Numbers (see page 576)
Diagnose a Problem with DXmanager (see page 577)
Managing Configuration Conflicts (see page 577)
If DXmanager cannot connect to the DXadmind on a host, then no information can be returned. This
causes the following problems:
To work out the cause of the problem, look for messages in the Alerts tab.
Solution:
04-May-2016 572/923
CA Directory - 12.0.18
If you cannot create a DSA from the Namespace Map, you may need to clear the Java Applet Cache.
4. On the General tab, click the Settings button under Temporary Internet Files.
7. Click OK.
The cache is now cleared and the DXmanager browser can be opened again.
Solution:
If the DXmanager is behaving unexpectedly, you may need to log out and log back in to DXmanager.
If there is a problem with the DXadmind configuration, you can use the dxadmind setup command to
reset it.
In particular, DXadmind must be configured to trust the computer on which DXmanager is installed.
dxadmind stop
4. Delete the initialization files of any DSAs that were previously configured on this host. These
04-May-2016 573/923
CA Directory - 12.0.18
4. Delete the initialization files of any DSAs that were previously configured on this host. These
files are in DXHOME/config/servers.
trustedhost
Specifies the trusted management server. This is a computer that runs DXmanager.
Note: You can specify the trustedhost using an IP address or using a host name. If
you use the name format, then you must have reverse (ip-address to hostname)
lookups enabled on the DNS.
port
Specifies the port that DXmanager uses to access DXadmind. This must be the same as the
DXadmind port specified in DXmanager.
password
(Optional) Specifies the password that DXmanager uses to access DXadmind. This must be
the same as the DXadmind password specified in DXmanager. You can either specify the
password directly via the command line, or you can answer the password prompt.
dxadmind start
dxadmind status
dxadmind is running
04-May-2016 574/923
CA Directory - 12.0.18
dxadmind help
To fix this problem, configure the firewall to allow bidirectional access for the DXadmind port. (By
default this port is 2123.)
There was a typing error when you set up the backbone configuration in DXmanager.
Check that the host's address is correct and that DXadmind is running on the host.
If DXadmind is running and the DXadmind password and host details are correct in the DXmanager
deployed configuration, then the problem is probably that DXadmind cannot establish the host name
of the incoming connection. If you specified the DXmanager address to DXadmind as a host name
(rather than as an IP address), then you need to have reverse DNS enabled. To solve this problem,
enable the DNS to have reverse DNS (reverse lookup).
04-May-2016 575/923
CA Directory - 12.0.18
a. Change the standard port 8080, on which DXwebserver listens for non-SSL
connections.
b. Change the secure port 8443, on which DXwebserver listens for SSL connections. This
is also used for the Coyote/JK2 1.3 connector port.
You need to change the value 8443 in two locations in server.xml, as follows:
Note: If you change the port number, the DSML sample server will not work.
c. Change the shutdown port 8005, on which DXwebserver listens for the shutdown
command, in the following section of server.xml:
dxwebserver stop
dxwebserver start
On Windows, use the Control Panel to open the Services window, and restart the CA
Directory - DXwebserver service.
04-May-2016 576/923
CA Directory - 12.0.18
Windows: %DXWEBHOME%\webapps\dxmanager\WEB-INF\web.xml
UNIX: $DXWEBHOME/webapps/dxmanager/WEB-INF/web.xml
2. To log all events, set the DXmanagerDebug parameter to 255. To disable logging, set the
parameter to 0.
<servlet>
<servlet-name>DXmanagerServlet</servlet-name>
<servlet-class>com.ca.directory.dxmanager.server.DXmanagerServlet</servlet-
class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>DXmanagerDebug</param-name>
<param-value>255</param-value>
</init-param>
</servlet>
3. Restart dxwebserver.
Windows: %DXWEBHOME%\log\catalina.out
UNIX: $DXWEBHOME/log/catalina.out
DXmanager has been changed significantly between CA Directory r12 SP2 and r12 SP9. In particular,
many configuration items are now supported by DXmanager, and no longer need to be set in
configuration text files.
If your dxmanager.dxc files contain any of these configuration items, it will not appear to cause any
conflicts even though these values are overridden by the DXmanager configuration. This is because
the dxmanager.dxc files are ignored if they conflict with settings in DXmanager.
If any of these settings exists in a custom configuration file, it may cause conflicts. When CA Directory
encounters a configuration conflict while loading or re-initializing the configuration, the following
alarm is logged:
04-May-2016 577/923
CA Directory - 12.0.18
The warn-log shows which commands are being redefined by DXmanager. You should remove these
items from the text configuration files and set them using DXmanager. Use the list of configuration
items in Commands Used in DXmanager to find out where to set these items in DXmanager.
Note: We recommend that you use a pre-production test environment, to help you isolate any
migration issues and configuration conflicts.
Solution:
If the DXmanager is behaving unexpectedly, you may need to log out and log back in to DXmanager.
If there is a problem with the DXadmind configuration, you can use the dxadmind setup command to
reset it.
In particular, DXadmind must be configured to trust the computer on which DXmanager is installed.
dxadmind stop
4. Delete the initialization files of any DSAs that were previously configured on this host. These
files are in DXHOME/config/servers.
trustedhost
Specifies the trusted management server. This is a computer that runs DXmanager.
Note: You can specify the trustedhost using an IP address or using a host name. If
04-May-2016 578/923
CA Directory - 12.0.18
Note: You can specify the trustedhost using an IP address or using a host name. If
you use the name format, then you must have reverse (ip-address to hostname)
lookups enabled on the DNS.
port
Specifies the port that DXmanager uses to access DXadmind. This must be the same as the
DXadmind port specified in DXmanager.
password
(Optional) Specifies the password that DXmanager uses to access DXadmind. This must be
the same as the DXadmind password specified in DXmanager. You can either specify the
password directly via the command line, or you can answer the password prompt.
dxadmind start
dxadmind status
dxadmind is running
04-May-2016 579/923
2. CA Directory - 12.0.18
dxadmind help
To fix this problem, configure the firewall to allow bidirectional access for the DXadmind port. (By
default this port is 2123.)
There was a typing error when you set up the backbone configuration in DXmanager.
Check that the host's address is correct and that DXadmind is running on the host.
If DXadmind is running and the DXadmind password and host details are correct in the DXmanager
deployed configuration, then the problem is probably that DXadmind cannot establish the host name
of the incoming connection. If you specified the DXmanager address to DXadmind as a host name
(rather than as an IP address), then you need to have reverse DNS enabled. To solve this problem,
enable the DNS to have reverse DNS (reverse lookup).
04-May-2016 580/923
CA Directory - 12.0.18
3.
a. Change the standard port 8080, on which DXwebserver listens for non-SSL
connections.
b. Change the secure port 8443, on which DXwebserver listens for SSL connections. This
is also used for the Coyote/JK2 1.3 connector port.
You need to change the value 8443 in two locations in server.xml, as follows:
Note: If you change the port number, the DSML sample server will not work.
c. Change the shutdown port 8005, on which DXwebserver listens for the shutdown
command, in the following section of server.xml:
dxwebserver stop
dxwebserver start
On Windows, use the Control Panel to open the Services window, and restart the CA
Directory - DXwebserver service.
Windows: %DXWEBHOME%\webapps\dxmanager\WEB-INF\web.xml
UNIX: $DXWEBHOME/webapps/dxmanager/WEB-INF/web.xml
04-May-2016 581/923
CA Directory - 12.0.18
2. To log all events, set the DXmanagerDebug parameter to 255. To disable logging, set the
parameter to 0.
<servlet>
<servlet-name>DXmanagerServlet</servlet-name>
<servlet-class>com.ca.directory.dxmanager.server.DXmanagerServlet</servlet-
class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>DXmanagerDebug</param-name>
<param-value>255</param-value>
</init-param>
</servlet>
3. Restart dxwebserver.
Windows: %DXWEBHOME%\log\catalina.out
UNIX: $DXWEBHOME/log/catalina.out
DXmanager has been changed significantly between CA Directory r12 SP2 and r12 SP9. In particular,
many configuration items are now supported by DXmanager, and no longer need to be set in
configuration text files.
If your dxmanager.dxc files contain any of these configuration items, it will not appear to cause any
conflicts even though these values are overridden by the DXmanager configuration. This is because
the dxmanager.dxc files are ignored if they conflict with settings in DXmanager.
If any of these settings exists in a custom configuration file, it may cause conflicts. When CA Directory
encounters a configuration conflict while loading or re-initializing the configuration, the following
alarm is logged:
The warn-log shows which commands are being redefined by DXmanager. You should remove these
items from the text configuration files and set them using DXmanager. Use the list of configuration
items in Commands Used in DXmanager to find out where to set these items in DXmanager.
Note: We recommend that you use a pre-production test environment, to help you isolate any
migration issues and configuration conflicts.
04-May-2016 582/923
CA Directory - 12.0.18
2. Extract the data to LDIF format or take a copy of the existing .db files.
4. Add the DSA to DXmanager and ensure to update the Data Store Location.
5. Reload the data (and resynchronize the DSAs if using Multiwrite or Multiwrite Replication with
DISP Recovery). If you had taken a copy of the .db files, copy these files to the new location.
The DXadmind background process logs diagnostic information to the following location:
%DXHOME%\logs\dxadmind.log
During normal operations, the DXadmind log file is small in size. However, when there are
connectivity issues with DXmanager or the DXadmind debug level is raised above the default value,
the DXadmind log file can grow in size over time.
When the DXadmind log exceeds 4 GB, DXadmind may not function as expected. You must then
manually reset the DXadmind log file.
Troubleshooting CA Directory
Cannot Create a DSA
Symptom:
04-May-2016 583/923
CA Directory - 12.0.18
Solution:
If you cannot create a DSA from the Namespace Map, you may need to clear the Java Applet Cache.
4. On the General tab, click the Settings button under Temporary Internet Files.
7. Click OK.
The cache is now cleared and the DXmanager browser can be opened again.
Solution:
If a DSA fails to start, work through the following steps to diagnose the problem:
Check the error messages. For more information, see System Messages.
Check the following server logs:
DXHOME/logs/dsa-name_alarm.log
DXHOME/logs/dsa-name_trace.log
04-May-2016 584/923
CA Directory - 12.0.18
When you log a support issue for CA Directory, you may be asked to supply information about your
directory. CA Directory includes DXinfo, which is a tool that compiles this information for you.
If your issue involves distribution, replication, or remote operations, send information from all
directory hosts to CA Support. This information helps our Support staff develop a complete picture of
your directory backbone.
a. Back up the CA Directory logs to a safe location, and then remove the original log files.
The log files are in DXHOME/logs.
b. Use Telnet to connect to the DSA. For example, to connect to the Democorp DSA on
the local computer, use the following command:
a. Check the levels of trace that is being logged, using the following command on the DSA
console:
b. Set the trace level to capture all events. To do this, use the following command on the
DSA console:
3. Collate the information needed by CA Support, by following these steps on each directory
host:
b. Use the following command to run the DXinfo tool to capture the required
information:
dxinfo
Note: See DXinfo Tool -- Collect System Information for the syntax for this
command.
04-May-2016 585/923
CA Directory - 12.0.18
The DXinfo tool creates a series of files in the current working directory.
c. (Optional) Edit the files to remove any sensitive information that you do not want to
send to CA Technologies.
Note: If you want to exclude some information from the files, use the -x
option with the dxinfo command.
d. If DXDUMPCORE is defined, get the latest core dump file from DXHOME.
The core dump file is named core (core.processID on Linux systems).
4. Send the files created by the DXinfo tool, and the core dump file if there is one, to Technical
Support for analysis.
The files are in the location in which you ran the DXinfo tool, unless you used the -t option to save the
files elsewhere.
04-May-2016 586/923
CA Directory - 12.0.18
Specify which information you do not want collated, using the -x option
Edit the files after they have been collated, to remove sensitive information
If one of these internal tests fails, it means that the DSA is in an unexpected state, and this should not
happen. However, it does happen, though rarely.
Normally if an internal test fails, the DSA logs this and continues to run. This behavior ensures that
the DSA does not stop, which is what you want when the DSA is used in a production environment.
However the log entry might not contain enough information to fully analyze the problem that
caused the test to fail.
To collect more information, and so enable a full analysis of the problem, define the environment
variable DXDUMPCORE on the DSA host. If DXDUMPCORE is defined and an internal test fails, the
DSA writes the contents of the program to a file (sometimes this is called a core dump) and then
stops. The file that contains the core dump is in DXHOME and is called:
Important! Only define DXDUMPCORE if you are prepared for the DSA to stop if it fails an
internal test. Make sure DXDUMPCORE is not defined in production environments, because
if it is defined, the DSA is vulnerable to Denial of Service attacks.
If DXDUMPCORE is defined and the DSA fails an internal test, you can send the core dump file (with
the DXinfo output) to CA Support for a full analysis of the problem.
When a modify request is followed by a delete request on the same entry, the two operations may
04-May-2016 587/923
CA Directory - 12.0.18
When a modify request is followed by a delete request on the same entry, the two operations may
have the same timestamp. In this case a multiwrite-DISP DSA will reject the delete request with the
following message:
unwillingToPerform
To avoid this problem, use the following command to change the system-wide time resolution from
15.6 milliseconds to 1 millisecond:
Reduces the chance of a multiwrite-DISP conflict where an entry is updated twice at the same
time.
When you install the Directory package, the files for the sample directories are automatically
installed but the directories are not set up. You can run scripts to create and configure the sample
directories.
UNSPSC -- The UNSPSC sample directory includes all of the products and services in the Universal
Standard Products and Services Classification (UNSPSC). This directory contains more than 10,000
entries.
1. Use the csv2ldif tool to convert the data from CSV format into LDIF.
2. Use the DXloaddb tool to load the LDIF entries into the datastore.
You can also examine the scripts that set up the samples, which illustrate how you can load data into
your own directory.
04-May-2016 588/923
CA Directory - 12.0.18
2. Open a command prompt and navigate to the setup files for the Democorp directory:
DXHOME/samples/democorp
UNIX:
setup.sh
Windows :
setup.bat
This script creates the democorp datastore and populates it with sample data, then creates
the democorp DSA.
DXHOME/samples/unspsc
UNIX:
setup.sh
Windows:
04-May-2016 589/923
CA Directory - 12.0.18
setup.bat
This script creates the unspsc datastore and populates it with sample data, then creates the
unspsc DSA.
DXHOME/samples/router
UNIX:
setup.sh
Windows:
setup.bat
This script creates the router DSA which can communicate with the UNSPSC and Democorp
DSA.s.
You can now update the configuration files for the sample DSAs (see page 602).
4. Add more hosts to the sample directory backbone (see page 596)
10. Set up the sample datastores on the hosts (see page 601)
04-May-2016 590/923
CA Directory - 12.0.18
Note: This description assumes that you use DXmanager the first time you set up a
namespace otherwise the wizard will not appear.
3. Use the wizard to enter the following default values for the backbone:
Console password
Specifies the password required for connection to this DSA on a DSA console. You must
specify a password if you want to connect to this DSA from a remote computer. This
password is optional for local connections.
Password
Specifies the password that DXmanager uses when contacting DXadmind on the host. This
password is used for communication between DXadmind and DXmanager.
Ensure that you enter same password that was specified when CA Directory was installed
on each host.
Partition name
Specifies the name of the namespace partition that you are creating. This name is used on
the DXmanager maps.
Enter: Democorp
Prefix
Specifies the context prefix of the DIT that the DSA publishes that it serves. If Native prefix
is also set, then this becomes the logical prefix rather than the physical prefix and prefix
mapping is done in the server.
Enter: o=Democorp,c=au
Port
Specifies the port for this namespace partition. The DSAs created when you deploy this
namespace partition to a host use this port as their listen address.
Enter: 19389
SNMP port
Specifies the SNMP port for this partition. This is the port the DSA will use to send SNMP
traps. This is needed by the DXmanager to be able to monitor DSAs.
Enter: 19389 (automatically populated when you enter the Port).
04-May-2016 591/923
CA Directory - 12.0.18
5. Create the topology. This wizard lets you create a single-host topology only, which means that
you can create only one region, one site, and one host. You can add more later. Enter the
following details:
Region
Specifies the name of the region.
Enter: Australia
Site
Specifies the name of the site.
Enter: Melbourne
Host name
Specifies the name of the host.
Enter: Your host name
Network Address
Identifies the host on the network, in one of the following formats: IP address or network
address.
You can also look at the new Topology map, which should appear similar to the following:
04-May-2016 592/923
CA Directory - 12.0.18
These maps have been created from the details you just entered.
b. Enter a comment that describes the current state of the configuration, and then click
OK.
Name
Specifies the name of the namespace partition that you are creating. This name is used in
DXmanager displays.
Enter: UNSPSC
Prefix
Specifies the context prefix of the DIT that the DSA publishes that it serves. If Native prefix
is also set, then this becomes the logical prefix rather than the physical prefix and prefix
mapping is done in the server.
Enter: o=UNSPSC,c=au
Port
Specifies the port for this namespace partition. The DSAs created when you deploy this
namespace partition to a host uses this port as their listen address.
Enter: 19489
04-May-2016 593/923
5.
CA Directory - 12.0.18
Console port
Specifies the port on which the DSA accepts connections from the local computer only. If
this is not specified, there is no console for the DSA.
Enter: 19490 (automatically populated when you enter the Port).
SNMP Port
Specifies the SNMP port for this partition. This is the port the DSA will use to send SNMP
traps. This is needed by the DXmanager to be able to monitor DSAs.
Enter: 19489
b. Enter a comment that describes the current state of the configuration, and then click
OK.
2. Right-click the c=au node (middle of the tree) and select Add new partition.
04-May-2016 594/923
CA Directory - 12.0.18
3.
Partition name
Specifies the name of the namespace partition that you are creating. This name is used in
DXmanager displays.
Enter: router
Prefix
Specifies the context prefix of the DIT that the DSA publishes that it serves.
Enter: c=au (automatically populated)
Port
Specify the port for this namespace partition. The DSAs created when you deploy this
namespace partition to a host uses this port as their listen address.
Enter: 19289
Console port
Specifies the port on which the DSA accepts connections from the local computer only. If
this is not specified, there is no console for the DSA.
Enter: 19290 (automatically populated when you enter the Port).
SNMP port
Specifies the SNMP port for this partition. This is the port the DSA will use to send SNMP
traps. This is needed by the DXmanager to be able to monitor DSAs.
Enter: 19289
DIR--Router Namespace--OTH
04-May-2016 595/923
5.
CA Directory - 12.0.18
b. Enter a comment that describes the current state of the configuration, and then click
OK.
3. Right-click the Site icon, and select Add a new host to the site.
Host name
Specifies the name of the new host.
Network Address
Identifies the host on the network, in one of the following formats: IP address or network
address.
5. Click Finish.
You have now created the configuration for a new host.
04-May-2016 596/923
CA Directory - 12.0.18
b. Enter a comment that describes the current state of the configuration, and then click
OK.
4. Click Next, and then review the list of network addresses for this host. If the list is correct,
click Finish.
04-May-2016 597/923
CA Directory - 12.0.18
b. Enter a comment that describes the current state of the configuration, and then click
OK.
2. Right-click a host, select the select Instantiate a new partition to this host, and then select As
a Data DSA.
The New Relationship dialog opens.
4. Click Next, and then review the list of network addresses for this host. If the list is correct,
click Finish.
b. Enter a comment that describes the current state of the configuration, and then click
OK.
You have now created configuration for all three DSAs in this backbone.
2. Right-click a host, select Instantiate a new partition to this host, and then select As a Router
DSA.
04-May-2016 598/923
CA Directory - 12.0.18
5. Click Next, and then review the list of network addresses for this host. If the list is correct,
click Finish.
b. Enter a comment that describes the current state of the configuration, and then click
OK.
You have now created configuration for three router DSAs in this backbone. The Topology map
should now appear similar to the following diagram.
04-May-2016 599/923
CA Directory - 12.0.18
You now need to deploy the configuration to the hosts. This process sends a copy of the
configuration file to each host and creates any required DSAs.
1. Find the Configuration button at the top right of the DXmanager window.
DXmanager sends the configuration file to each host, and each host creates the required
DSAs.
3. Right-click the backbone icon, and then select Start all DSAs.
All of the DSAs in the backbone start. Their icons change to show the green Started symbol.
However, the data in the UNSPSC DSA requires the UNSPSC schema, which is supplied with CA
Directory.
1. Find the initialization file for the UNSPSC DSA in the following folder:
DXHOME/config/servers
The files each have the same name as the DSA, as in the filename UNSPSC-Host1.dxi.
2.
04-May-2016 600/923
CA Directory - 12.0.18
2. Open the initialization file in a text editor and find the statement that sources a schema group
file. For example:
source "../schema/dxmanager.dxg";
source "unspsc.dxc";
2. Determine the names of the DSAs that DXmanager created. To do this, open a command
prompt and run the following command:
dxserver status
The output from this command lists the names of the DSAs on this host. The DSA names will
look similar to the following:
Democorp-hostname
UNSPSC-hostname
3. In the command prompt, navigate to the setup files for the Democorp directory:
DXHOME/samples/democorp
4. Run the setup script, specifying the Democorp DSA name that you discovered in Step 2. This
script creates the datastore and populates it with the sample Democorp data.
For example, if the DSA name is Democorp-server23 on a UNIX computer, run the following
command:
setup.sh Democorp-server23
04-May-2016 601/923
5. CA Directory - 12.0.18
DXHOME/samples/unspsc
Run the setup script, specifying the UNSPSC DSA name that you discovered in Step 2. This
script creates the unspsc datastore and populates it with the sample UNSPSC data.
For example, if the DSA name is UNSPSC-mycomputer on a Windows computer, run the
following command:
setup.bat Democorp-mycomputer
The datastores are ready for use. You can now update the configuration files for the sample DSAs
(see page 602).
If you used DXmanager to set up the DSAs, the initialization file sources files that contain settings
for access controls and schema.
If you set up the DSAs for text-based configuration, the initialization file sources all of the
configuration files.
You can edit each DSA's initialization file to source different configuration files. You can also edit the
configuration files to include custom settings. For DXmanager DSAs, be careful to not use any settings
that should be set in DXmanager.
1. On one of the hosts, navigate to the folder that contains the initialization files:
DXHOME/config/servers
2. Open the initialization file in a text editor, change the source statements to reference
different configuration files, and then save the file.
3. On the same host, navigate to the folders that contains the configuration files that the
initialization file sources.
DXHOME/config/access
DXHOME/config/schema
For DSAs with text-based configuration, use files in any or all of the folders under DXHOME
/config.
4. Open a configuration file in a text editor, change the configuration commands, and then save
the file.
04-May-2016 602/923
CA Directory - 12.0.18
Rarely-Used Features
This appendix describes how to use some special features of CA Directory. These specialized features
are useful only for particular scenarios. There is no need for most customers to use them. Ensure that
you actually need one of these features before you implement it.
However, views do have some limitations in how information is retrieved. You could use class-of-
service templates instead of views if you cannot change the applications to support the data access
limitations.
When directory information needs to be shared across multiple entries, the shared information can
be stored in an class-of-service template. A class-of-service template stores information that can then
be included in many entries. Class-of-service templates can reduce the size of a directory, help keep
data consistent, and reduce the time required for bulk updates.
When a search returns an entry that contains an attribute from the class-of-service template, the
attributes and values from the associated template are included in the entry.
This means that the information in class-of-service templates is stored only once, which is good for
three reasons:
Information is consistent
The shared information is usually a level of service, such as a standard or premium subscription to an
Internet Service Provider.
When a search returns an entry that uses a class-of-service template, the attributes and values from
the associated template are presented.
04-May-2016 603/923
CA Directory - 12.0.18
A template can have multiple attributes and values. All attributes in a template are added to the
entry.
If an entry already has a value for an attribute in a template, the attribute in the template can either
overwrite the value, or the value can be left untouched. This is controlled by the disposition of the
template attribute. The two possible dispositions are as follows:
default
The value from the template replaces the existing value.
override
If the entry already contains this attribute, the existing value persists. Use this when a customer
requires special treatment.
The attributes that are stored in class-of-service templates are not searchable.
When the shared attribute values change, they can be updated in the configuration files. Therefore,
ensure that configuration files are stored in a source code control system to permit rollbacks.
clear class-of-service;
This lets you change attributes while the DSA is still running, using the command dxserver init.
Ensure that the template configuration file is sourced after the schema is sourced. The template uses
attributes that are defined in the schema configuration.
04-May-2016 604/923
CA Directory - 12.0.18
get class-of-service;
This produces a listing of each class-of-service template in use, with the template label at the top.
The template for the standard class of service at Excellent ISP appears, as follows:
04-May-2016 605/923
CA Directory - 12.0.18
The company Excellent ISP is an Internet service provider. The customers of Excellent ISP can
subscribe for one of two classes of service described in the following table:
Standard Premium
Mail Storage 20 MB 30 MB
Web Space 20 MB 30 MB
Hours per Month 15 hr Unlimited
Cost per Month $19.95 $29.95
Cost of Extra Hours $1.00/hr $0.00/hr
The Excellent ISP customer directory includes the subscription information in each customer entry.
If there are one million users, then these attributes appear one million times. If Excellent ISP
increases its fees, then a large global update is required.
Here is an example entry for an Excellent ISP customer who has the standard class of service:
Here is an example entry for an Excellent ISP customer who has the premium class of service:
04-May-2016 606/923
CA Directory - 12.0.18
excellentISPaccessHours: Unlimited
excellentISPprice: 29.95
excellentISPextraHoursPrice: 0
excellentISPpackage: Premium
The attributes from the class-of-service template are added to the entry on a search.
04-May-2016 607/923
CA Directory - 12.0.18
Set Up Aliases
An alias entry is a directory entry that contains the name of another entry. When you search or
browse a directory, you can decide whether to resolve aliases (show the details of the target entry) or
to show the details of the alias entry itself.
Aliases are a powerful mechanism where you want one entry to have two names. However, if you do
not use them properly, the result can be inconsistent DITs and degraded performance. Following
aliases during operations has an additional cost. To increase performance, use aliases sparingly or not
at all. Also, aliases are generally not expanded when they point to an entry in another DSA.
How Aliases Work (see page 608)
Example Aliases in Democorp (see page 609)
Alias Integrity (see page 610)
Enable Alias Integrity (see page 610)
Disable Alias Integrity (see page 610)
Access Controls and Aliases (see page 610)
How Aliases Affect DIT Searches (see page 610)
Example Searching Aliases (see page 611)
Example Searching Aliases Again (see page 611)
04-May-2016 608/923
CA Directory - 12.0.18
Alias entries are leaves of the directory information tree. All other entries are object entries. Alias
entries can point to object entries or other alias entries and thus provide an alternative name for the
corresponding object.
The DSA resolves alias entries to the distinguished name of the object entry to which they point.
For more information, see Name Bindings and Aliases (see page 160).
In the Aviation subtree, a new alias entry points to the Bernd Stark entry in the Construction
subtree.
In the Projects subtree, a new alias entry points to the Construction entry.
Part of the Democorp DIT, showing two alias entries, which point to other entries
cn=Bernd Stark,ou=Aviation,ou=Projects,o=Democorp
This is an alias entry that points to cn=Bernd Stark,ou=Construction,ou=Projects,o=Democorp.
This entry has the object class alias, and the attribute aliasedObjectName has the value cn=Bernd
Stark,ou=Construction,ou=Projects,o=Democorp.
ou=Building,ou=Projects,o=Democorp
This is an alias entry that points to ou=Construction,ou=Projects,o=Democorp.
This entry also has the object class alias, and the attribute aliasedObjectName has the value
ou=Construction,ou=Projects,o=Democorp.
04-May-2016 609/923
CA Directory - 12.0.18
Alias Integrity
Managing aliases properly is an application design issue.
We recommend that you enable alias integrity. This prevents the creation of aliases that point to no
object entry.
When an entry that has one or more aliases pointing to it is removed, the aliases are also
removed.
By default CA Directory will not allow binds using aliases. To enable aliases to be used on binds, use
set dereference-alias-on-bind = true.
If you have set CA Directory to allow alias on bind and the user name is an alias, the system checks
the password against the password in the entry to which the alias points, but the user name
associated with the bind is the alias name.
This means that a user can bind with more than one user name, and each user name can have
different access controls associated with it.
The search alias control does not affect the base object of the search, but does determine if an alias
entry can be returned in the results of a search. This can have some peculiar effects, especially with
base-object searches.
04-May-2016 610/923
CA Directory - 12.0.18
When a directory receives a search request, the directory navigates to the base object that is defined
in the request. A base object is the entry from which the search is run. After the directory locates the
base object, the search is performed from that location.
If the base object is an alias, the search may request that the alias be dereferenced. An alias entry is
dereferenced if, during a search, the entry the alias points to is used as the base object rather than
the alias itself.
When the directory has located the base object and dereferenced it (if requested), the search is
performed. A search may return any number of alias entries. These alias entries may also be
dereferenced.
The base object of a search request is the following alias entry: ou=Building, ou=Projects,
o=Democorp. This is an alias that points to ou=Construction, ou=Projects, o=Democorp.
If you choose to dereference aliases while navigating, the searchs run from ou=Construction,
ou=Projects, o=Democorp.
However, you can tell the search request to not dereference aliases while navigating. If you do this,
the search runs from the alias entry, ou=Building, ou=Projects, o=Democorp.
If you choose to dereference aliases while searching, any aliases returned in the results are
dereferenced.
If a search found the alias entry cn=Bernd Stark,ou=Aviation,ou=Projects, the target entry is returned:
cn=Bernd Stark,ou=Construction,ou=Projects.
CA Directory lets you dynamically extend the schema of a DSA in the following ways:
04-May-2016 611/923
CA Directory - 12.0.18
You can extend an object to use auto-registered attributes, any nondefined attributes, or both.
If you do use dynamic attributes, you have less control over which attributes can be added to an
object. You can still control which of the defined attributes are included, but you cannot control
which unknown attributes are added.
If you use auto-registered attributes, different applications may use an attribute of the same name
for different purposes.
For example, the following diagram shows a single DSA that is used by two applications. The
application Client 1 uses the auto-registered attribute newPerson:
Two client applications and one DSA. One client uses the attribute newPerson.
However, problems occur when Client 2 tries to also register an attribute named newPerson, which
has different parameters, as shown in the following diagram:
04-May-2016 612/923
CA Directory - 12.0.18
Two client applications and one DSA. Both clients use the attribute newPerson.
Extensible Objects
Contents
Make an Existing Object Class Extensible (see page 613)
Make an Existing Object Extensible (see page 614)
Add an Attribute to an Extensible Object (see page 614)
Example Extending an Object Class Definition (see page 615)
If you define an object as extensible, it may contain any attribute that is already defined in the DSA
schema.
Extensible objects are defined in RFC 4512. This standard defines the auxiliary object class
extensibleObject.
The auxiliary object class extensibleObject is defined in the schema file ldapv3.dxc, which is supplied
with CA Directory. However, it is not in the default schema group. If you want a DSA to use this
schema, you must add it to the DSA's initialization file.
1. Open the schema file and find the object class that you want to update.
04-May-2016 613/923
2.
CA Directory - 12.0.18
all-attributes
...
};
1. If the DSA does not include ldapv3.dxc in its schema, do the following:
a. Add ldapv3.dxc to the DSA initialization file after the X.500 schema is sourced, as in the
following example:
source "../schema/dxmanager.dxg";
source "../schema/ldapv3.dxc";
4. In the right pane, select the Table Editor tab to display the attributes for this object.
6. In the Set Object Entry Classes dialog, find the object class extensibleObject in the Available
Classes list.
7. Select the object class extensibleObject, click Add, and click OK.
You cannot do this using JXweb. This section describes how to do this using DSA console commands.
2. Open a DSA console, and bind to the DSA using the following command:
04-May-2016 614/923
CA Directory - 12.0.18
2.
bind-req;
For example, to add the carLicense attribute with the value EXT 133 to the Democorp
organization entry, use the following command:
The person object class must contain the attributes cn and surname, which means that the newPerson
object class must also include those attributes. In addition, it may contain any other defined
attribute.
Auto-Registered Attributes
Contents
How Auto-Registered Attributes Work with Other CA Directory Features (see page 615)
Limitations of Auto-Registered Attributes (see page 616)
Use Auto-Registered Attributes in an Object (see page 616)
Example Using Auto-Registered Attributes (see page 617)
If you permit an object to use auto-registered attributes, it may contain any attribute that is not
already defined in the DSA schema.
This can be useful if an LDAP application uses attributes that are not defined in the DSA's schema.
The following list describes how auto-registered attributes work with CA Directory tools and features:
DAP Tools
Auto-registered attributes do not work with the DAP tools (DXmodify, DXrename, DXdelete, and
DXsearch).
04-May-2016 615/923
CA Directory - 12.0.18
DXloaddb Tool
You can use the DXloaddb tool to load auto-registered attributes from an LDIF file into a
datastore. The DXloaddb tool auto-registers an attribute only if it is using the schema from the
DSA configuration.
Replication
Auto-registered attributes work with DISP, multiwrite, and multiwrite-DISP DSAs, but only with
other CA Directory DSAs.
Other features
Auto-registered attribute names are not supported within the configuration files. This means that
special indexing, access controls, class of service, and other features do not support auto-
registered attribute names.
You cannot use an auto-registered attribute as the naming attribute for an object.
Attributes that are automatically registered use the following template for their virtual schema
definition:
attribute auto-generated-OID = {
name = supplied-name
equality = caseIgnoreMatch
substr = caseIgnoreSubstringsMatch
syntax = directoryString
}
You can use JXweb to display extensible attributes, but you cannot use it to add a new value to an
extensible attribute.
1. Open the schema file and find the object class that you want to update.
04-May-2016 616/923
CA Directory - 12.0.18
The organization object class must contain the attribute organizationName and may contain any
attribute in the organizationalAttributeSet. These requirements are inherited by the object class
autoOrganization. In addition, it must contain the attribute description and may contain any other
attribute that is not defined in the DSA's schema.
1. Open the schema file, and find the object class that you want to update.
1. Decide which password policy attributes are to be replicated to the other LDAP directory.
04-May-2016 617/923
CA Directory - 12.0.18
2. For each attribute to be replicated, add the following line to the attribute definition in the
dxserver.dxc schema file:
ldap-names = attribute-name
Note: Any password policy attributes that are not marked with ldap-names are not
included in the replicated update. If no attributes are included, then the update is
not sent.
In this example, your directory backbone includes a SunONE directory. This is kept synchronized by
multiwrite replication between the CA Directory DSA and the SunONE directory.
1. In the dxserver.dxc schema file, find the definitions for the two CA Directory attributes.
3. Add the following command to a .dxc file used by the CA Directory DSA:
04-May-2016 618/923
CA Directory - 12.0.18
The DSML Server lets client applications use DSML, rather than LDAP, to communicate with CA
Directory.
DSML can be used anywhere LDAP is used. However, it is usually best to use LDAP. This is because
LDAP is the more established protocol and slightly more efficient.
http://localhost:8080/dsml/services/DSML
2. The DSML Server translates the DSML request into LDAP and passes it on to the DSA.
4. The DSML Server translates the DSA response from LDAP to DSML and sends it back to the
DSML client, as shown in the following diagram:
04-May-2016 619/923
CA Directory - 12.0.18
For example, if you connect to the Democorp DSA using DSML and you set the server DN to c=AU,
c=AU is not displayed in the tree, and the top node is o=DEMOCORP.
If you use JXweb to connect to the DSML Server, you can also specify the base DN. This is the DN of
the entry in the tree that you want displayed. The base DN is relative to the server DN. The base DN is
not set by the DSML Server: instead, it is set by the client that connects to the server.
For example, if you connect to the Democorp DSA using DSML and you set the server DN to c=AU,
you could then also set the base DN to ou=National,ou=Customer,o=DEMOCORP. Because the base
DN is relative to the server DN, you could not set the base DN to ou=National,ou=Customer,
o=DEMOCORP,c=AU.
1. The DSML Server checks the POST parameters of the HTTP request: ldapHost and ldapPort.
2. If these parameters are not supplied, the DSML Server checks the configuration file dsml.
properties for a server URL.
For example, the server URL could look like this:
ldap://computer27:19289
3. If the configuration file is not available, the DSML Server uses the default URL.
If the DSML Server can determine the name of the local machine, this default URL is as
follows:
ldap://hostname:19289
ldap://localhost:19289
If the DSML Server cannot determine the name of the local machine, this default URL is as
follows:
dsml/services/DSML
If you use a URL of this form, the DSML client looks for connection details in the dsml.properties file.
dsml/services/DSML?ldapHost=computername&ldapPort=port-number
04-May-2016 620/923
CA Directory - 12.0.18
In this URL:
computername
Specifies the name of the computer on which the DSML service is running.
port-number
Specifies the port number of the DSML service.
dsml/services/DSML?ldapHost=computername&ldapPort=port-number&ldapDN=DN
In this URL:
computername
Specifies the name of the computer on which the DSML service is running.
port-number
Specifies the port number of the DSML service.
DN
Specifies the server DN as follows:
%3d
Represents the equal-to character ( = ).
%2c
Represents the comma character ( , ).
o%3dDEMOCORP%2cc%3dAU
Sample Tools
The sample tools are some extra tools for managing CA Directory.
These tools are provided for testing and demonstration purposes. The tools are installed into the
04-May-2016 621/923
CA Directory - 12.0.18
These tools are provided for testing and demonstration purposes. The tools are installed into the
following subdirectories in DXHOME/samples. For more information, look in the Readme for each
tool.
democorp
A setup script that automatically configures the Democorp DSA and populates it with data for the
staff directory for the fictional company, Democorp.
DXsoak
An executable to measure the throughput (in searches per second) of a DSA.
dua
A sample text-based Directory User Agent (DUA) that runs over DAP which you can use to execute
scripts to add, modify, or remove entries from the directory. This can also be used to perform
searches.
languages
Language certification sample files. These language files have been provided so that the user can
test CA Directory operating systems other than English.
Use only the language files that relate to your operating system.
ldua
A LDAP directory client scripting DUA that you can use to execute scripts to add, modify, or
remove entries from the directory. This can also be used to perform searches.
snmp
A management client that retrieves management information from a CA Directory DSA using the
SNMP protocol.
ssl
Examples of using DUA-DSA and DSA-DSA SSL authentication and encryption.
test
A selection of scripts to modify the directory using the supplied DUA or LDUA clients. The DAP
and LDAP script DUAs connect to the Democorp DXserver using SSL encryption or SSL
authentication.
trap
A management application that receives SNMP traps from a CA Directory DSA.
unspsc
A setup script that automatically configures the UNSPSC DSA and populates it with data. This data
is the United Nations Standard Product and Services Classification (UNSPSC) Code System.
The SCIM server is installed beside DXmanager and is deployed on the same Tomcat application
server (DXwebserver).
04-May-2016 622/923
CA Directory - 12.0.18
Prepare DSA
First, a DSA instance that includes the SCIM schema must be created. Use the script at $DXHOME
/samples/scim/setup.sh to create a DSA with sample SCIM objects.
Example:
To create the sample DSA to listen on port 1389 on the Unix platform, use this command:
$ ./setup.sh "1389" "[hostname]"
The hostname argument is optional in Unix. If the hostname is unspecified, the command `hostname -
f` is used to determine this value. If the command fails to determine the hostname, then the user is
prompted for a hostname.
To create the sample DSA to listen on port 1389 on the Windows platform, use this command :
> setup.bat "1389" "host"
You could also use an IP address instead. For example, use 0.0.0.0 to accept traffic for any
destination, or 127.0.0.1 for localhost.
A DSA named 'scim' is created to listen on port 1389. This DSA is populated with a sample
'automation' tenant. Under this tenant, a user is created with the id '00000000-00000000-00000000-
00000000', user name 'test', and password 'test123'. Use this DSA as the data store for the SCIM
server in the next step.
For a sample DSA on host 'machine01.domain.com:1389' that uses sample SCIM data, run scim-
04-May-2016 623/923
CA Directory - 12.0.18
For a sample DSA on host 'machine01.domain.com:1389' that uses sample SCIM data, run scim-
websetup.sh with the following arguments:
$ ./scim-websetup.sh "machine01.domain.com" "1389" "id=00000000-00000000-00000000-
00000000,ou=users,o=automation" "test123"
Note: The proxy user can be configured as having READ ONLY access (See Set Up Access Controls for
more information). This configuration is used for perform lookups to retrieve the bind DN based on
the provided user name from the HTTP Authorization Header.
The best way to explore the REST service that the SCIM server exposes is to browse the API Spec. The
API Spec also provides an interface to access the REST service. From a browser, go to the following
URL:
http://host:port/ca/doc/scim-api.html
From this UI, you can see the various SCIM resources and operations that can be performed.
For example, click on Users:Get and fill out the required fields to retrieve all user objects. To perform
the same operation using a command-line utility such as curl, use the following command:
$ curl -X GET --user "test:test123" -H "Content-type: application/json" http://host:
port/ca/api/automation/scim/v1.1/Users
The SCIM server supports HTTP basic authentication. Every request must contain the Authorization
HTTP header. The value of this header must be encoded as specified in RFC2617 Basic Authentication
Scheme. Use the SCIM user name, not id, when forming the value for this header.
Example:
For a proxy user with the id '00000000-00000000-00000000-00000000', user name 'test' and
password 'test123', the complete value of the Authorization Header would be 'Basic
dGVzdDp0ZXN0MTIz'. This value is the base64-encoding of the string 'test:test123'.
Warning! This is just an example. Do not use the proxy user credentials when making SCIM
server requests.
The SCIM Server uses the credentials that are specified in the Authorization Header to perform all
underlying LDAP operations against the DSA. This user has READ/WRITE privileges if the DSA enforces
access controls. When accessing the Swagger API Spec, enter this value in the HTTP Basic
Authorization Header field.
04-May-2016 624/923
CA Directory - 12.0.18
Integrating
Gateway: 10.1.1.1
The instructions are based on the sample directories provided with CA Directory. These sample
directories include:
When you log in for the first time, the Eracom system prompts you for a new root password. Enter a
password that is suitable for your company's security policy.
04-May-2016 625/923
CA Directory - 12.0.18
hsmstate
If the HSM is functioning correctly, the system responds with the following message.
1. Open /etc/hostname.
This file contains only one line.
2. Change the line from the default of rasam to the HSM hostname. For example, change it to
orange.
04-May-2016 626/923
CA Directory - 12.0.18
nameserver 10.1.2.102
search gc.eracom-tech.com
In the following example, the desired access control configuration is to deny access to all but one IP
address, that of your directory host. In this example, the directory host's IP address will be 10.1.3.10.
iptables -F INPUT
iptables -A INPUT -s 10.1.3.10 -j ACCEPT
iptables -A INPUT -j DROP
/etc/init.d/iptables save active
Once the last command is entered, the HSM should respond with the following message.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
/etc/init.d/iptables save inactive
Once the last command is entered, the HSM should respond with the following message.
/etc/init.d/networking restart
04-May-2016 627/923
CA Directory - 12.0.18
1. Insert the CD ProtectToolkit C Orange into the CDROM drive of the directory host.
{CDROM}:\Win32\Network_HSM_Access_Provider\ETnethsm.exe
3. At the Eracom Network HSM Access Provider Installation screen, click Next.
6. In the Remote Client Setup page, enter the IP address of the HSM ProtectServer Orange
External HSM, and the listener TCP port. By default it is 12396. Once you are complete, click
Next.
1. Insert the CD titled: ProtectToolkit C Orange into the CDROM drive of the directory host.
{CDROM}:\Win32\PTKC_Runtime\ETcprt.exe
At the ProtectToolkit C Runtime Installation screen, click Next.
04-May-2016 628/923
5.
CA Directory - 12.0.18
hsmstate
hsmstate
HSM device 0: HSM in NORMAL MODE. RESPONDING
ctconf
The first time you run this command you will be asked to set the pin for two roles, Admin and
Administrator.
Select pins for both roles.
04-May-2016 629/923
CA Directory - 12.0.18
Create Certificates
To use the HSM, you need to create certificates.
1. Open a command window on the directory host and enter the following command:
ctconf -c1
ctstat -sslot-number
04-May-2016 630/923
CA Directory - 12.0.18
2.
ctconf -nslot-number
ctcert: The user PINN for the token in slot # is not initialised.
ctkmu p -sslot-number
Common Name
Organization
Organizational Unit
Locality
State
Country
This creates a CA keypair called rootCA. The output looks like this:
04-May-2016 631/923
CA Directory - 12.0.18
Each of the DSA certificates will be stored in slot 2, along with the CA certificate.
For this example, use the table below when entering the responses:
Common Name
Organization
Country
ctcert l -s2
04-May-2016 632/923
CA Directory - 12.0.18
Note: Only the certificates will be exported, not the private keys. The private keys will
remain in the HSM.
where:
-lcertificate-lable
Specifies the label of the certificate stored in the HSM slot
-ffilename
Specifies the file name of the exported certificate
-lcertificate-label
Specifies the label of the certificate stored in the HSM slot.
-ffilename
Specifies the file name of the exported certificate.
04-May-2016 633/923
CA Directory - 12.0.18
# HSM configuration
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/rootCA.pem"
pin = "1000"
lib = "C:\Program Files\Eracom\ProtectToolkit C Runtime\cryptoki.dll"
slot = 2
};
3. Modify the DXI file to use the new SSLD configuration file:
source "../ssld/default.dxc";
source "../ssld/HSM.dxc";
1. Use an LDAP browser to connect to the router DSA, using the following details:
04-May-2016 634/923
1.
CA Directory - 12.0.18
Port: 19289
This confirms your trust of the trusted root certificate that has been presented to the LDAP
browser.
2. To trust the certificate and add it to the trusted certificate key store of the JXplorer browser,
click Always.
This connection validates that CA Directory is communicating with HSM.
3. Confirm the certificate has been loaded into the keystore of the browser. To do this in
JXplorer, click on the Security menu, and select Trusted servers and CAs.
This opens a lists of the certificates registered in the keystore.
04-May-2016 635/923
CA Directory - 12.0.18
Because the root CA is trusted by the browser, any DSA that presents a certificate signed by
this root CA is immediately trusted by your browser.
If SSL is working, the incoming and outgoing operations are preceded by the text (SSL).
Install CA Directory
To install CA Directory
2. Insert the CA Directory CD, or download the latest version from http://ca.com/support (
http://www.ca.com/support).
Directory
Directory Management
You only need to install the JXweb component from this package.
Use DXmanager to create a new backbone that includes a single DSA, and make sure that the DSA is
started.
Populate CA Directory
Before you install and configure Websphere Portal & Application Servers, you must have a default set
of user accounts and groups populated in the directory.
This section describes how to create LDIF files containing the necessary users and groups, and how to
04-May-2016 636/923
CA Directory - 12.0.18
This section describes how to create LDIF files containing the necessary users and groups, and how to
load them into the DSA.
The LDIF data in this section has been adapted from the sample LDIF files on the Websphere Portal
Installation Setup CD (PortalUsers.ldif and ContentUsers.ldif).
wpsadmin
wpsbind
The absolute DN of these user accounts will be determined by the DIT structure of your directory. For
this example, you will populate them into the following subtree:
c=au,o=democorp,ou=Administrators,ou=Websphere
3. Copy and paste the following LDIF representation into a new document:
dn: c=au
oc: top
oc: country
c: au
dn: o=democorp,c=au
oc: top
oc: organization
o: democorp
dn: ou=users,o=democorp,c=au
objectClass: organizationalUnit
objectClass: top
ou: users
dn: uid=wpsadmin,ou=users,o=democorp,c=au
oc: inetOrgPerson
oc: organizationalPerson
oc: person
oc: top
userPassword: wpsadmin
04-May-2016 637/923
CA Directory - 12.0.18
uid: wpsadmin
cn: wps admin
sn: admin
dn: uid=wpsbind,ou=users,o=democorp,c=au
oc: inetOrgPerson
oc: organizationalPerson
oc: person
oc: top
userPassword: wpsbind
uid: wpsbind
cn: wps bind
sn: bind
wpsadmins
wpsContentAdministrators
wpsDocReviewer
wcmadmins
2. Copy and paste the following LDIF representation into a new document:
dn: cn=wpsContentAdministrators,ou=groups,o=democorp,c=au
objectClass: groupOfUniqueNames
objectClass: top
cn: wpsContentAdministrators
uniqueMember: uid=wpsadmin,ou=users,o=democorp,c=AU
dn: cn=wcmadmins,ou=groups,o=democorp,c=au
objectClass: groupOfUniqueNames
objectClass: top
cn: wcmadmins
uniqueMember: uid=wpsadmin,ou=users,o=democorp,c=AU
dn: cn=wpsDocReviewer,ou=groups,o=democorp,c=au
objectClass: groupOfUniqueNames
objectClass: top
cn: wpsDocReviewer
uniqueMember: uid=wpsadmin,ou=users,o=democorp,c=AU
dn: cn=wpsadmins,ou=groups,o=democorp,c=au
04-May-2016 638/923
CA Directory - 12.0.18
objectClass: groupOfUniqueNames
objectClass: top
cn: wpsadmins
uniqueMember: uid=wpsadmin,ou=users,o=democorp,c=AU
1. Use the following command to load the LDIF file containing the users:
2. Use the following command to load the LDIF file containing the groups:
3. When the load is completed, start JXwebplorer and connect to port 19389. User anonymous
connection, as we have not activated any directory access controls as yet.
4. Once connected, expand all the DIT subtrees, and you should see exactly the same entries, as
displayed in the image below.
You have now set up CA Directory act as the LDAP repository for Websphere Portal Server.
04-May-2016 639/923
CA Directory - 12.0.18
You have now set up CA Directory act as the LDAP repository for Websphere Portal Server.
The Websphere Portal Server installation uses about 4 GB of disk space. Ensure that you have
adequate disk space before you install.
Information Recommendation
Select a language to be Select your language
used for this wizard
Software License Read, and accept it if you agree.
Agreement
Setup Type Select Full
Websphere Application Confirm that this path is correct.
Server installation path Note: This full installation will consume approx 4 gigabytes of disk space.
Ensure that you have adequate disk space before continuing.
Node name Enter a name for this instance of WebSphere
WebSphere Application Enter the name of the computer that you are installing on
Server hostname
Websphere Portal Confirm that this path is correct.
installation directory Note: This full installation will consume approx 4 gigabytes of disk space.
Ensure that you have adequate disk space before continuing.
System Logon User ID If you want to start the Websphere components as a service, define a user
account that the service can log in as.
WebSphere Portal Create a user name and password that you will use later to log in to the
administrative user Websphere portal.
This user does not need to exist within Windows: this account is internal
to the portal only.
1. Later in the installation process, enter the installation CDs when prompted.
2.
04-May-2016 640/923
CA Directory - 12.0.18
2. In the last installation screen, de-select the Launch First Steps check box, and then click Finish.
The installation has completed.
WasUserid=uid=wpsbind,ou=users,o=democorp,c=au
WasPassword=wpsbind
PortalAdminId=uid=wpsadmin,ou=users,o=democorp,c=au
PortalAdminIdShort=wpsadmin
PortalAdminPwd=wpsadmin
PortalAdminGroupId=cn=wpsadmins,ou=groups,o=democorp,c=au
WpsContentAdministrators=cn=wpsContentAdministrators,ou=groups,o=democorp,c=au
WpsContentAdministratorsShort=wpsContentAdministrators
WpsDocReviewer=cn=wpsDocReviewer,ou=groups,o=democorp,c=au
WpsDocReviewerShort=wpsDocReviewer
WcmAdminGroupId=cn=oucmadmins,ou=groups,o=democorp,c=au
WcmAdminGroupIdShort=Wcmadmins
LTPAPassword=password
LTPATimeout=120
LDAPHostName=hostname
LDAPPort=19389
LDAPAdminUId=uid=wpsadmin,ou=users,o=democorp,c=au
LDAPAdminPwd=wpsadmin
LDAPServerType=DOMINO502
LDAPBindID=uid=wpsbind,ou=users,o=democorp,c=au
LDAPBindPassword=wpsbind
LDAPSuffix=o=democorp,c=au
LDAPUserPrefix=uid
LDAPUserSuffix=ou=users
LDAPGroupPrefix=cn
LDAPGroupSuffix=ou=groups
LDAPUserObjectClass=inetOrgPerson
LDAPGroupObjectClass=groupOfUniqueNames
LDAPGroupMember=uniqueMember
LDAPUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))
LDAPGroupFilter=(&(cn=%v)(objectclass=groupOfUniqueNames))
04-May-2016 641/923
CA Directory - 12.0.18
2. If the script finishes with the following, then the script ran to completion:
BUILD SUCCESSFUL
Total time: nn seconds
If it failed, you should check the contents of the wpsconfig.properties file for a configuration
error.
This script will only work if the validate-wmmur-ldap script has run without error.
2. If the script finishes with the following then the script ran to completion:
BUILD SUCCESSFUL
Total time: nn minutes nn seconds
04-May-2016 642/923
CA Directory - 12.0.18
Password: wpsadmin
2. Type in the user's details, and then click OK to register the new user.
When the user has been registered by the portal, the Congratulations screen appears.
4. Type in the user ID and password, and then click Log in again.
When the login has finished, the portal view appears.
This will be different to the wpsadmin login you just performed, because the new user is not a
member of the wpsadmins group within the directory.
04-May-2016 643/923
CA Directory - 12.0.18
Pre-requisites
Before you can integrate CA Directory and Entrust Security Manager, ensure that the following
conditions are met:
CA Directory is installed.
Configure CA Directory
To integrate Entrust Security manager, you need to configure CA Directory by creating and
configuring a DSA to store Entrust's internal policies and certificate-related data.
Use DXmanager to create a new backbone that includes a single DSA with the following details:
When you upgrade CA Directory, these default configuration files are overwritten, even if you have
customized them.
To prevent an upgrade from overwriting the configuration files used by the Entrust DSA, you should
create your own set of configuration files and set the Entrust DSA to use these.
04-May-2016 644/923
CA Directory - 12.0.18
source "entrust.dxc";
6. When the Entrust DSA is started, it will source the Entrust schema.
7. Confirm that the configuration files do not contain errors, using the following command:
04-May-2016 645/923
7.
CA Directory - 12.0.18
dxsyntax
dn: ou=Certificates,o=enTrust,c=AU
objectClass: organizationalUnit
objectClass: enTrustCA
objectClass: top
ou: Certificates
userPassword: {password}
dn: ou=Admin,o=enTrust,c=AU
objectClass: organizationalUnit
objectClass: top
ou: Admin
dn: cn=DirAdmin,ou=Admin,o=enTrust,c=AU
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: DirAdmin
sn: DirAdmin
userPassword: {password}
04-May-2016 646/923
CA Directory - 12.0.18
Follow the steps below to apply this patch, and then install the database software.
1. Download the full installation for Informix 9.4 for Security Manager 7.1.
2. Choose the "Unpack the files used to perform the installation to the location specified below,
and don't remove these files after the setup is completed." option.
3. Run Informix_9_4_for_easm_win.exe.
7. Copy the patched version of informix.msi from the temp directory over the original version.
This section describes the only steps that will be defined here directly relate to the CA Directory
configuration.
04-May-2016 647/923
CA Directory - 12.0.18
3. Click Finish.
The Security Manager configuration wizard begins
4. Select the Simple Configuration using LDAP Directory from the dropdown list, and click Next.
5. Follow the standard installation process until the Simple Configuration for LDAP Directory
dialog appears:
04-May-2016 648/923
5.
CA Directory - 12.0.18
DIR--Screenshot of the Simple Configuration using LDAP Directory page in the of the Entrust cinfiguration
wizard
6. Add the Root CA certificate DN credentials, and click Test Bind Information to test these
credentials.
7. Add the bind credentials of the administrative user, and click Test Bind Information to test
these credentials.
8. Add the DSA connection information of the Entrust DSA that you created in Create an Entrust
DSA (see page 644).
The details should be entered as is displayed above. The only change may be in the DN
structure, if you've created a different DN suffix to the o=entrust,c=au suffix used above.
Note: You cannot use this dialog to change the TCP/IP port to connect to the DSA.
This is set to port 389, which is the reason that you must set the Entrust DSA to use
port 389.
9. Click Next, and continue to configure the Security Manager as described in the Entrust
installation documentation.
04-May-2016 649/923
CA Directory - 12.0.18
Install Entrust Security Manager Administration using the Entrust installation documentation.
04-May-2016 650/923
CA Directory - 12.0.18
Reference
source "script-file";
The source command is relative to the file that invokes it. For example, you can source the file
schema.dxg using the following command:
source "../schema/schema.dxg";
The schema.dxg script can then source a file in its own directory using the following command:
source "attr.dxc";
To obtain a full log of every command executed in a script file, set the first lines of the script file to:
echo-on;
set trace-file = "script.log";
After running the script file, you can examine the log file to locate any failed command and the
reason for the failure.
! Command
The ! command is the short form of the source command.
04-May-2016 651/923
CA Directory - 12.0.18
source "democorp.dxc";
! "democorp.dxc";
echo Command
The echo command displays each command in a script file before the command is executed.
The output of echoed commands goes to the DSA console (if connected) and the trace-log file (if
open).
echo-off Command
The echo-off command turns off echoing. After this command has been read, no output is sent to the
log file.
If you do not want the password to be displayed when it is entered, use the echo-off command in the
Telnet session.
echo-on Command
The echo-on command sends an echo of the command to the command before it is executed, and
also send the command results to the same output.
To obtain a full log of a script on a DSA, set the first lines of the script file to:
echo-on;
set trace-log = "script.log";
echo-on;
set log-type = "script.log";
flush trace-log;
quit;
04-May-2016 652/923
CA Directory - 12.0.18
source Command
The source command includes the contents of another file.
You can nest source commands, and source a file that contains further source commands.
source filename;
filename
Example
If a file contains the first command listed below, it sources the file schema.dxg. The schema.dxg script
can then source a file in its own directory using the second command:
source "../schema/schema.dxg";
source "attr.dxc";
Quotation Marks
You do not need to enclose simple (one-word) strings in quotation marks.
04-May-2016 653/923
CA Directory - 12.0.18
However, you must quote complex (many-word) strings. Within a quoted string, you can use a
backslash (\) as an escape mechanism for the following cases:
Non-ASCII Characters
You can specify attribute values in character sets other than ASCII. LDAPv3 uses UTF-8 for
internationalization.
Example: Search for All Entries with Common Names Beginning with
To search for all entries with common names beginning with e, use the following DUA command:
To search for all entries with common names beginning with , use the following DUA command:
The Latin-1 character e-acute (E9) in UTF-8 (C3A9) has been encoded.
Command History
DXserver stores commands when they are entered. You can view these commands by using the
history command, and can repeat them by using the number of the command in the history list.
Each of these commands is described fully in Commands Reference (see page 659).
04-May-2016 654/923
CA Directory - 12.0.18
04-May-2016 655/923
CA Directory - 12.0.18
04-May-2016 656/923
CA Directory - 12.0.18
clear multi-write-queue Command -- Remove Entries from Multi-Write Queue (see page 661)
get dsp Command -- Display the DSP Configuration Values (see page 668)
set dsa Command -- Define the Knowledge Settings of a DSA (see page 692)
set multi-write-dsp-idle-time Command (see page 714) (obsolete but still supported)
04-May-2016 657/923
CA Directory - 12.0.18
04-May-2016 658/923
CA Directory - 12.0.18
get ciphers Command -- List All Supported Ciphers (see page 667)
Commands Reference
abandon Command -- Cancel Operations
The abandon command cancels any outstanding operations on one or more bindings.
To use this command, you need to know the binding number, which you can find out using the get
users command. You might also need to know the operation number, which is the invoke-id seen in
the trace logs.
operation-number
Specifies the operation that you want to cancel.
assoc-number
Specifies the binding which contains the operation you want to cancel.
The following command abandons all unfinished operations on the binding 131072:
04-May-2016 659/923
CA Directory - 12.0.18
abandon confirm
If the operation cannot be abandoned, the operation returns the following message, with the
appropriate error message explaining why the operation was not abandoned:
abandon-refused
all-users
Aborts all bindings.
user binding-number
Aborts one binding. binding-number is a number that specifies the binding you want to abort. Use
the get users command to find this.
This command is often used before loading access controls, to ensure that conflicting controls are not
loaded.
clear access;
04-May-2016 660/923
CA Directory - 12.0.18
Before you define a search profile, you should delete any existing search profile that has the same
name. To do so, you need to delete all search profiles.
clear allow-search;
This command is often used before sourcing knowledge of remote DSAs, to prevent conflicting
definitions of remote DSAs being loaded.
Note: This command is only useful for DSAs that use the pre-r12 configuration.
clear dsas;
clear dynamic-group;
04-May-2016 661/923
CA Directory - 12.0.18
clear referential-integrity;
Before you define a view, you should delete any existing view that has the same name. To do so, you
need to delete all views.
clear view;
When a DSA shuts down, it automatically closes any open log file. To close a log file manually, use the
close command. You can only close one log at a time.
close log-type;
log-type
alert-log
cert-log
connect-log
diag-log
query-log
snmp-log
stats-log
summary-log
04-May-2016 662/923
CA Directory - 12.0.18
summary-log
trace-log
update-log
warn-log
close trace-log
Note: Each dump overwrites the previous backup file. Create a cron job on UNIX or a
scheduled task on Windows to copy the backed up file to a safe location before the next
dump.
The DXdumpdb tool can export data from a datastore created by the dump command.
start
Defines the number of seconds from Sunday 00:00:00 a.m. GMT.
Note: The start time is defined using GMT and not your local time.
period
Defines the number of seconds between online dumps.
Note: The start time is relative to the period and should be lower than it. If you specify a
start time that is greater than the period, the actual start is start - period. For example, if
the period is 3600 seconds (one hour) and start is 3610 seconds, the online dump starts 10
seconds from midnight GMT and continues every hour from then on.
04-May-2016 663/923
CA Directory - 12.0.18
seconds from midnight GMT and continues every hour from then on.
The following command takes a snapshot copy of the datastore every hour:
The following command takes a snapshot copy of the datastore every night at 3 a.m. in a GMT+10:00
time zone:
In this example, the start time is the number of seconds from Sunday midnight GMT to the first 3 a.
m. slot, corrected by the time zone value, as follows:
forcestop dsaname
Stops the DSA dsaname even if it has multiwrite queues.
install dsaname
Adds dsaname to the list of servers to start at system startup. For example:
dxserver install DemoCorp-Host5-democorp
remove dsaname
Removes dsaname from the auto-startup list, for example:
dxserver remove DemoCorp-Host5-democorp
04-May-2016 664/923
CA Directory - 12.0.18
status dsaname
Reports the running status of a DSA. For example:
dxserver status DemoCorp-Host5-democorp
version
Displays information about the version of CA Directory that is installed.
onlinebackup dsaname
Triggers the DSA to perform an online dump. This command is an alternative to issuing the dump
dxgrid-db command in the DSA console. Onlinebackup can be triggered on an individual DSA only.
For this command to be executed successfully, the DSA must be running.
For example, to trigger onlinebackup for the DSA democorp:
$ dxserver onlinebackup democorp
logroll dsaname
On using this command, the DSA causes all logs configured with maximum lines limit to roll over
immediately.
dxserver logroll democorp
force-shutdown;
get access;
04-May-2016 665/923
CA Directory - 12.0.18
id
Specifies the identification number of the agreement
version
Specifies the version number of the agreement
agreements
Displays all agreements
Agreement 1.0
initiator = EAGLE supplier
responder = BACKUP
area = <countryName AU><organizationName Democorp>
- last update at Thu Jul 9 09:53:47 2006
get agreements;
get allow-search;
04-May-2016 666/923
CA Directory - 12.0.18
get cache;
The following entry shows that there are 1001235 values, all distinct, and 5879 searches used this
index:
The following entry shows that are 1002390 values which are highly repetitive, so there is no need to
index this value:
The following entry shows that there are no searches that access this attribute, so there is no need to
index this attribute:
get ciphers;
04-May-2016 667/923
CA Directory - 12.0.18
get class-of-service;
For example, the template for the standard class of service at Excellent ISP would appear like this:
get dsas;
04-May-2016 668/923
CA Directory - 12.0.18
get dsp;
get dynamic-group;
get help;
get history;
To change the number of previously entered commands the system will display, see set history
command.
get log;
To assist in debugging, the get log command displays a line count for each log file that is currently
open.
Example:
In this case, the stats log max-lines is set to 500000, the trace log max-lines is set to 1000000, and the
query log max-lines is set to 1000000. On running the get log command, the output is:
04-May-2016 669/923
CA Directory - 12.0.18
get mib;
Note: This command is only useful for DSAs that use the pre-r12 configuration.
This includes both remote and local DSAs. To see a list of remote DSAs, use the command get dsas.
get online-dsas;
04-May-2016 670/923
CA Directory - 12.0.18
get opensslversion;
get oper;
max-op-time = 120
max-op-size = 50
access-controls = TRUE
op-attrs = TRUE
read-only = FALSE
prune-oc-parents = FALSE
return-oc-parents = FALSE
add-oc-parents = FALSE
modify-on-add = FALSE
ignore-name-bindings = FALSE
alias-integrity = TRUE
relaxed-not-search = FALSE
timestamp-resolution-seconds = FALSE
password-storage = sha-1
get referential-integrity;
04-May-2016 671/923
CA Directory - 12.0.18
identifier
A name or an object identifier of any schema definition (an attribute, object class, name binding,
prefix, or attribute set).
Attribute (2.5.4.3)
name = commonName
ldap-names = cn
syntax = caseIgnoreString
get stack;
dap-psap = ""
dsp-psap = ""
disp-psap = "DISP"
04-May-2016 672/923
CA Directory - 12.0.18
get stats;
get trace;
get trace-level;
get user;
get user-threads;
04-May-2016 673/923
CA Directory - 12.0.18
get users;
get view;
help;
When you are not sure of the syntax, try a nonsense word for the missing part, or leave the
command incomplete and let the resulting error message tell you what is expected:
When you enter the help command at the console, the response is similar to:
04-May-2016 674/923
CA Directory - 12.0.18
history;
h;
Each command is displayed with a unique consecutive number. To reuse a command, enter the
number, followed by a semi-colon, that corresponds to the command you want to use. For example:
10;
At any time you can reuse the last command you entered, by entering:
0;
For information on how to set the number of previous commands this history command will display,
see set history.
The following example shows how to use the set history and history commands. In this example, the
user sets the number of items returned by the history command to 5, then gets the history, and then
reuses the get cache command. The user input is indicated by bold text.
logout;
04-May-2016 675/923
CA Directory - 12.0.18
reset class-of-service;
reset stats;
It complements the prune-oc-parents and return-oc-parents flags and is added for Netscape
compatibility.
04-May-2016 676/923
CA Directory - 12.0.18
Access rights granted at this access level cannot be taken away by other access control rules.
Administrative user access controls rules are effective only when you enable access controls.
tag
(Optional) Defines a name for this rule.
users
Defines the users that this rule applies to, where users is one of the following:
user = DN
Defines the user that this rule applies to.
role = DN
Defines the role that this rule applies to.
group = group-name
Defines the access control group that this rule applies to. Use of access control groups is
deprecated, so use of this option is also deprecated.
user-subtree = DN
Defines the top of the subtree of users that this rule applies to.
own-entry
Specifies that the users defined in scope have access to their own entries only.
own-subtree
Specifies that the users defined in scope have access to their own entries and any entries
below their own entry.
scope
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
entry = DN
04-May-2016 677/923
CA Directory - 12.0.18
entry = DN
Specifies the entry that this rule grants or denies access to.
subtree = DN
Specifies the subtree that this rule grants or denies access to.
attrs = attribute-list
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is
a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove
permissions require that attrs is not specified.
perms = permission-list
(Optional) Specifies the permissions that this rule grants to the users for the scope.
If perms is not specified, then all permissions are granted.
permission-list is a comma-separated list of one or more of the following:
all
Specifies that users have all available permissions over the scope. This option implies all of the
permissions listed below.
read
Specifies that users can read the information defined in the scope.
add
Specifies that users can add to the information defined in the scope.
remove
Specifies that users can delete entries defined in the scope.
modify
Specifies that users can change information defined in the scope.
rename
Specifies that users can rename the entries defined in the scope.
simple
Specifies that this rule only applies to users that bind using simple authentication (username
and password).
ssl-auth
Specifies that this rule only applies to users that bind using SSL authentication.
on day
04-May-2016 678/923
CA Directory - 12.0.18
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is
Monday).
The following command gives all users in the Finance subtree access to the Corporate subtree:
The command in this example gives users in the role project-leader-group read and update privileges
to the Technology SIG entry if they bind to the DSA using SSL authentication:
The command in this example lets all users in the group pabx-mgmt-group update the attribute
workPhone in the R&D subtree:
The command in this example gives all users in the R&D subtree permission to update the values of
the attributes workPhone and description in their own entry only:
04-May-2016 679/923
CA Directory - 12.0.18
{
initiator = dsaname { supplier | consumer }
responder = dsaname { anonymous | clear-password | ssl-auth }
[relay = dsaname { anonymous | clear-password | ssl-auth }]
area = DN
[filter = search-filter ]
[attributes = attribute-list ]
[strategy = onchange | frequency time type ]
};
id.version
The agreement identification and version numbers (for example, 1.2).
initiator
The DSA initiating the DISP update:
dsaname
The name of the initiating DSA.
supplier
Specifies that the initiating DSA is acting as a supplier.
consumer
Specifies that the initiating DSA is acting as a consumer.
responder
The DSA receiving the DISP update.
dsaname
The name of the responding DSA.
anonymous
Specifies that the responding DSA can receive an anonymous connection.
clear-password
Specifies that the responding DSA requires a user ID and password.
ssl-auth
Specifies that the responding DSA requires a SSL authentication.
relay
(Optional) Specifies an intermediate DSA used to relay the DISP update:
dsaname
Names the relay DSA.
anonymous
Specifies that the relay DSA can receive an anonymous connection.
clear-password
Specifies that the relay DSA requires a user ID and password.
04-May-2016 680/923
CA Directory - 12.0.18
ssl-auth
Specifies that the relay DSA requires a SSL authentication.
area = DN
Specifies the distinguished name of the entry at the top of the subtree covered by this
agreement.
filter = search-filter
(Optional) Specifies an X500 search filter that restricts the entries to be included in the DISP
update.
attributes = attribute-list
(Optional) Specifies a comma-separated list of attributes to include or exclude from the DISP
update.
strategy
(Optional) Enables automatic DISP updates, or specifies when the updates will take place:
onchange
Enables automatic DISP updates.
frequency
Specifies the update frequency. Use one of the following values: hourly, daily, weekly, or
monthly.
time
Specifies the time at which the update will occur. Use one of these formats: dd:hh:mm or hh:
mm.
type
Specifies the type of update. Use one of the following values: incremental or full.
04-May-2016 681/923
CA Directory - 12.0.18
};
true
New bindings are accepted. This is normal operational behavior.
false
New bindings are rejected. Use this option as a prelude to performing a graceful shutdown.
This is useful in the following situtation: If DSA A and DSA B both have a native prefix and if the router
has accessed DSA A on behalf of a client application, and this same client application tries to access
DSA B, and if in addition the router cannot bind to DSA B because the username apparently doesn't
address an entry in DSA B but the previously prefix-mapped username from the access to DSA A is
apparently in the non-prefix-mapped DSA B, the router will use this prefix-mapped username to
authenticate to DSA B.
04-May-2016 682/923
CA Directory - 12.0.18
profileName
Defines the name that the DSA command interpreter uses to identify the search profile. If the
name contains spaces or non-alphanumeric characters, then it must be enclosed in quotes.The
name is either used to set the default profile or to store a group of users when used in
conjunction with the role-based configuration.
read
Allows base-object searches.
browse
Allows one level searches.
subtree
Allows whole subtree searches.
all
Allows searches of any scope.
and
Allows the AND operator in filters, for example, (&(oc=inetOrgPerson)(cn="john smith")).
04-May-2016 683/923
CA Directory - 12.0.18
any
Allows filters with wildcards anywhere, for example, (cn=*john*smith*).
approx
Allows pattern/phonetic matching, for example, (cn~=john smith).
equality
Allows exact match filter items, for example, (cn=john smith).
final
Allows filters with a leading wildcard, for example, (cn=*smith).
greater-or-equal
Allows the >= operator in filters, for example, (retries>=3).
initial
Allows filters with a trailing wildcard, for example, (cn=john*).
less-or-equal
Allows the <= operator in filters, for example, (retries<=3).
none
Allows searches that do not contain a filter.
not
Allows the NOT operator in filters, for example, (!(cn="john smith")).
or
Allows the OR operator in filters, for example, (|(cn="john doe")(cn="john smith")).
present
Allows filters for presence, for example, (objectClass=*).
This search profile allows base-object searches only. No filter is specified with the scope parameter,
so the search can contain any filter or none.
04-May-2016 684/923
CA Directory - 12.0.18
This search profile allows base-object searches with any filter and other searches if they have a filter
for exact matches.
profileName
Specifies the profile to be used as the default search profile.
An attribute set consists of an attribute set name and a list of previously defined attributes or
attribute sets.
04-May-2016 685/923
CA Directory - 12.0.18
syntax =
[ single-valued | multi-valued ]
[ no-user-modification ]
[ description ]
};
OID
Specifies the object ID for the attribute. An OID has one of the following forms:
(2.5.4.10)
OID_Suffix
(Optional) Further specifies the OID.
name = attribute-name
Specifies the name of the attribute. This is its formal name, and is often descriptive.
ldap-names
Specifies alternative names for the attribute. These are similar to nicknames: they can be used
anywhere the name can be used. Often these are shorter, and used in DNs. For example, c for
country.
equality
Indicates the type of matching to apply to the attribute.
ordering
Indicates the ordering rules to apply to the attribute.
substr
Indicates the substring-matching rule to apply to the attribute.
syntax
Indicates the type of data that may be stored in the attribute.
single-valued | multi-valued
Indicates whether the attribute has multiple values (for example, lines of an address), or is limited
to a single value (for example, salary).
no-user-modification
Indicates whether the user can modify the value of the attribute
description
A description of the attribute.
04-May-2016 686/923
CA Directory - 12.0.18
syntax = caseIgnoreString ;
The cache responds to a search filter that uses one of these attributes. You can define as many as you
like, separated by commas. Memory requirements are affected.
04-May-2016 687/923
CA Directory - 12.0.18
This command behaves like cache-index-all except that it also allows you to specify a number of
attributes that will not be indexed. It may be simpler to specify all except" than to give a complete list
of attributes to index, as for cache-index, especially as trying to specify all attributes to index may not
cover new attributes that are added in the future.
It may be necessary to limit the number of attributes that are indexed as indexing an attribute
requires additional memory. If indexing all attributes would consume all the memory allocated to
DXgrid, this command could help tune the memory requirements.
It is a good idea to index attributes, because searches require indexes to evaluate their filters. Also,
indexes are required to find specific entries that are targeted by updates. On the other hand,
searches may still proceed even where few attributes are indexed, but they may take much longer to
process. There is therefore a trade-off between memory and performance. Where memory is not a
problem it would be best to index all attributes.
1. DN Post Processing (Index): The DSA builds a list of candidate entries by applying the filter to
the indexes. The DSA then checks if the candidate entry is in the scope of the search before
applying it to the set of search results.
2. Filter Post Processing (Scan): In this method, the DSA builds a list of candidate entries under
the search base object. The DSA then applies the filter to each candidate entry to determine
its inclusion in the set of search results.
The method that is used depends on the number of entries under the search base object as
compared to the entries that match the filter. Depending on data and search scope, in some cases,
the DSA uses the incorrect method, which degrades the performance.
The command set cache-search-bias biases the choice toward the DN post processing over the filter
post processing method.
<Number>
Specifies the multiplier to be applied to the count of candidate entries.
Limits: 1-1000
Example:
04-May-2016 688/923
CA Directory - 12.0.18
Example:
Assume that there are 500,000 entries under a base object and 510,000 entries match the filter. In
such a case, using the DN post processing is faster than sequentially scanning 500,000 entries. Setting
the cache-search-bias value to two causes the comparison to be 1,000,000 entries under the base
object. As a result, the DSA favors the DN post processing method.
Important! This command is applied to all searches, so you must ensure that this setting
does not affect the performance of other searches.
CA Directory does not use a reverse index in preference to a regular forward index. It is only used in
substring lookups where you use specify final as an allowed filter.
If you do not want entries with multiple unrelated structural object classes to be created, you can set
a schema flag to enforce this.
If set check-structural-oc is set to true, it will not be possible to add an entry which has more than one
structural object class hierarchy.
04-May-2016 689/923
CA Directory - 12.0.18
In order that SiteMinder process authentications asynchronously, you must set the DSA to do both of
the following:
Any DSA that is needed for authenticating concurrent binds needs the rebind link-flag set in its
knowledge.
DN
The username that SiteMinder uses to bind to the directory.
When a connection log is open, a line for each connection made when the connection is released is
added to the connection log file.
Writing to the connect log is not affected by the trace setting. It is time- and date-stamped, and a
new one is written daily.
If the log file already exists, the DSA adds the new output to the existing log file. If the log file does
not exist, it is created.
04-May-2016 690/923
CA Directory - 12.0.18
log-name
Specifies the name of the file. If the log file name contains the string $S then the system
substitutes the name of the DSA. For example, if the DSA name is democorp, the log-name /logs
/warn-$S specifies the file name warn-democorp_YYYYMMDD.log.
number-credits
Specifies the maximum number of concurrent operations the DSA processes for each user
binding.
04-May-2016 691/923
CA Directory - 12.0.18
04-May-2016 692/923
CA Directory - 12.0.18
[ ldap-dsa-name = DN ]
[ ldap-dsa-password = password ]
address = tcp hostname port port-number [ ,tcp hostname2 port port-
number2 ]
[ bind-address = hostname ]
[ tsap = tsel ]
[ ssap = ssel ]
[ osi-psap = psel ]
[ disp-psap = dispsap ]
[ snmp-port = port-number ]
[ console-port = port-number ]
[ remote-console-port = port-number ]
[ remote-console-ssl = true | false ]
[ console-password = password | "{password-format}password-hash" ]
[ auth-levels = anonymous | clear-password | ssl-auth ]
[ dsp-idle-time = idle-time ]
[ dsa-flags = dsaflag-list ]
[ trust-flags = trustflag-list ]
[ link-flags = linkflag-list ]
};
dsaname
Specifies the name of the DSA.
prefix
Specifies a partial DN, which specifies the namespace partition served by this DSA.
native-prefix
Specifies a partial DN, which the DSA recognizes as applicable to its entries. This is generally only
used with LDAP servers.
dsa-name
Specifies the name of the DSA as a DN; not to be confused with the name of the server
dsa-password
Specifies the password other DSAs must supply to communicate with this DSA.
ldap-dsa-name
Specifies the name of the LDAP DSA.
ldap-dsa-password
Specifies the password of the LDAP DSA.
address
Specifies one or more TCP/IP addresses for the DSA in one of the following forms:
If there is a choice of addresses associated with the host name, the IPv6 address is selected. To
specify the IPv4 address, replace the string tcp with ipv4. To specify the IPv6 address, replace the
string tcp with ipv6.
04-May-2016 693/923
CA Directory - 12.0.18
bind-address
Specifies a TCP/IP bind address for the DSA in one of the following forms:
The bind address sets the source IP address, that is, binds the configured address to the outbound
socket when connecting to another DSA.
During DSP mutual authentication, the DSA receiving a DSP bind request checks the source IP
address against its local copy of knowledge for that DSA. If the resolved address does not match
the source IP address, the bind request is refused. Typically, the source IP address is identical to
the listening address and do not need to be configured. However, sometimes, the source address
may differ from the listening address. For example, these addresses can vary in complex network
topologies, or when the DSA is running on a computer with multiple network interface cards. In
these cases, the bind-address must be set to allow DSAs to communicate.
tsap
Specifies a Transport SAP port number. This is not often used.
ssap
Specifies a Session SAP port number. This is not often used.
osi-psap
Specifies a Presentation SAP port number. This is not often used.
04-May-2016 694/923
CA Directory - 12.0.18
disp-psap
Specifies DISP Presentation SAP. If this is not set, DISP is disabled.
snmp-port
Specifies the SNMP port.
console-port
Specifies the console port address, which allows the DSA console to accept connections from the
local computer. If this is not specified, the DSA does not have a local console.
remote-console-port
Allows the DSA console to accept a connection from a remote computer on this port. When this is
not specified, there is no remote console for the DSA.
remote-console-ssl
Forces the DSA to encrypt console sessions when it runs remotely.
console-password
The password required for connections from a remote computer. This password is transmitted in
clear text.
auth-levels
Specifies the levels of authentication that will be accepted by this DSA. May include anonymous,
clear-password, and ssl-auth.
dsp-idle-time
Specifies the maximum time (in seconds) that a DSP connection can be idle before it is
disconnected.
dsa-flags
Specifies the flags that control the operation of the DSA. DSA flags are as follows:
limit-list
Disables the list operation on the DSA.
limit-search
Restricts complex searches or searches with no filter on the DSA.
limit-search-exact
Limits a DSA to performing exact searches, that is searches with a single equality filter item
with no wildcards.
load-share
Marks a DSA as part of a load share group. The DSA should have other peer DSAs with the
same prefix, which are also marked as load-share. A router DSA shares operations over each
DSA in the load share group.
multi-write
Marks a DSA as part of a multiwrite group. The DSA should have other peer DSAs, with the
same prefix, which are also marked as multiwrite. Updates are automatically propagated to all
peer DSAs marked as multiwrite.
multi-write-async
04-May-2016 695/923
CA Directory - 12.0.18
multi-write-async
Makes the DSA update asynchronously, even though it is in a multiwrite group.
multi-write-group-hub
Specifies which DSAs in the group acts as the hub. This only works if you also have multi-write-
group enabled. This setting prevents unsuitable DSAs being selected as the hub in a failover
situation.
no-routing-ac
Permits forwarding of a request to another DSA regardless of access control constraints.
no-service-while-recovering
While this DSA is in recovery mode, it only accepts updates from peers: this prevents clients
from accessing out-of-date data.
read-only
Disables update operations on the DSA.
relay
Permits a router DSA to exist without consuming a level of the DIT.
shadow
Permits a DSA to be updated by DISP or multiwrite, but prevents any other updates, for
example, through DAP or LDAP.
trust-flags
Specifies flags relating to trust that control the operation of the DSA. Trust flags are as follows:
allow-check-password
Permits a DSA, while processing a bind request from a user who is not local, to pass a name
and password-compare request to this DSA. The result of the compare request is then used to
authenticate the user.
trust-conveyed-originator
Signifies that a DSA treats the originator and authentication level passed in DSP chaining
arguments as if that user and authentication level were authenticated locally.
trust-dsa-triggered-operations
Support additional operations that are triggered by the DSA to resolve a request, where the
additional operations are handled by (chained to) a different DSA rather than locally.
allow-upgrading
Lets the DSA pass an anonymous user request across an authenticated DSP link.
allow-downgrading
Lets the DSA pass an authenticated user request across an anonymous DSP link.
no-server-credentials
Removes the requirement for mutual authentication and permits a link to be set up if the
remote DSA does not send credentials in the bind response.
link-flags
Specifies flags that control connecting to the DSA. Link flags are as follows
04-May-2016 696/923
CA Directory - 12.0.18
dsp-ldap
The DSA is treated as an LDAP server that supports LDAP 3.0. Other DSAs will send requests to
the DSA as if it was an LDAP server.
When dsp-ldap is configured, there will be no COMPARE operation on the userPassword
attribute, following a bind. If the same user connects more than once, that user will use the
same link, and dxserver will check that the user and the password are the same.
dsp-ldap-proxy
Causes the last DSA in the chain to use the authorization of the originating user to perform
operations on the LDAP server.
dsp-ldapv3
The DSA is treated as an LDAP server that supports LDAP 3.0.
ms-ad
The DSA is treated as an Active Directory service. If you observe any problems with linking to
Active Directory, set this flag. The ms-ad flag translates search and compare requests chained
to Active Directory that contain the modifyTimeStamp attribute into a format accepted by
Active Directory.
nexor
Allows this DSA to bind anonymously to a Nexor DSA. To bind anonymously with a Nexor DSA,
the message ID must be stripped of all identifying credentials.
rebind
Allows this DSA to support concurrent binds. If this flag is not set on a link that a DSA requires
for authenticating concurrent binds, these binds will fail. Used with the set concurrent-bind-
user command.
Note: Only use this flag for LDAP directories. If you do not use dsp-ldap, we
recommend that you do not use use rebind either.
siemens
Allows this DSA to bind anonymously to a Siemens DSA. To bind anonymously with a Siemens
DSA, the message ID must be non-zero.
ssl-encryption
All communication between DSAs with this link flag uses SSL encryption. Ensure that
personality certificates have been created for all DSAs using this flag and trusted.pem is
correctly configured.
ssl-encryption-remote
The link flag is similar to ssl-encryption, but SSL encryption is not used between DSAs running
on the same host.
Note: This link flag is ignored if used with the ssl-encryption setting, so do not include
both flags.
04-May-2016 697/923
CA Directory - 12.0.18
unavailable
Marks a DSA as unavailable. A DSA will not forward requests to a DSA marked as unavailable.
X500DN
Defines a partial DN in X.500 format.
horizontal_partition
Defines a horizontal partitioning for a DSA and has the following syntax:
The symbols in the above line (< " [ ( ) = ] " > ) are part of the command.
horizontal_partition_attribute
Defines the RDN that specifies the entry, for example UserID.
hashn
Specifies the hash algorithm that the router will use to partition the namespace. This can be
one of the following:
hash1
hash2
Specifies that the routing uses a sum of the uppercase ASCII values as the hash
Specifies that the routing uses a CRC-16 hashing algorithm
total
An integer that defines the total number of DSAs in the horizontal partition.
DSAid
An integer from zero to total-1 that defines the DSA. For example if total is 3, DSAid is 0, 1, or
2.
04-May-2016 698/923
CA Directory - 12.0.18
If dxconsole-connect alert is enabled, when a user successfully connects to the DSA console, the
system writes a message containing the IP address and username (if dxconsole-users is set) to the
trace log.
users
Specifies the users who can connect to the console for this DSA, as a comma-separated list of
DNs.
roles
Specifies the roles which can connect to the console for this DSA, as a comma-separated list of
DNs.
The following command allows Craig Link to connect to the Democorp console:
Now, Craig Link can connect to the console by logging in with the following details:
cn=Craig Link,ou=Administration,ou=Corporate,o=Democorp,c=AU
Example: Craig Link and the Manager Role Can Connect to the Democorp Console
The following command allows Craig Link and all users with the Manager role to connect to the
04-May-2016 699/923
CA Directory - 12.0.18
The following command allows Craig Link and all users with the Manager role to connect to the
Democorp console:
More information:
pathfilename
Defines the path and filename of the backup files. If the path is relative, it is relative to DXHOME.
This sets the location for dumping the datastore file to DXHOME/backup.
pathfilename
Defines the path and filename of the datastore. If the path is relative, it is relative to DXHOME.
04-May-2016 700/923
CA Directory - 12.0.18
size
Defines the size of the datastore in MB.
Allows abandoning of searches that are not performed yet (due to reasons such as client
disconnect or timeout).
Allows the set interrupt-searches = true|false; command to be used to prevent long running
searches blocking updates. See the set interrupt-searches (https://docops.ca.com/display/CAD1214
/set+interrupt-searches+Command+--+Interrupt+a+Search+to+Allow+an+Update+to+Proceed)command for
more details.
set dxgrid-queue=true|false;
false
Operation queue is disabled.
true
(Default) All operations are processed through a back-end queue.
04-May-2016 701/923
CA Directory - 12.0.18
pathfilename
Defines the path and filename of the transaction file. If the path is relative, it is relative to
DXHOME.
If you do not set this command, the grid file flushes when the transaction file becomes half full.
This command should be unnecessary, but it may help if the DSA stalls while Linux flushes a very
large (40 GB) grid file. If you use this command, start by setting the number of operations to 100.
04-May-2016 702/923
CA Directory - 12.0.18
The set dynamic-group command describes the location and contents of entries that are used to
configure and store dynamic groups.
[subtree = DN]
(Optional) Specifies the dynamic-group subtree where dynamic groups entries are located. When
requests are received, the baseObject of the request is inspected and the DSA determines if the
request might require dynamic group processing. This operation supports dynamic group
membership search and compares requests without requiring set use-dynamic-roles = true;
command. This method is more efficient than having the DSA check if every request may involve
dynamic groups.
When performing searches against a dynamic group on the form (member=<DN>), the dynamic
group definition requires a subtree to be defined.
object-class = objectClass
Specifies an objectClass that is stored against each dynamic group entry.
url-attr = attribute
Specifies an attribute that contains the LDAP filter describing the criteria for dynamic group
membership.
member-attr = attribute
When a dynamic group is evaluated, a search containing the filter from the url-attr is performed.
The distinguishedNames of the entries that are returned by this search are then returned as
values of the configured member-attr attribute (typically members).
exclude-member-attr = attribute
Enables a directory administrator to exclude group members when a dynamic group member
attribute is being populated with entries that satisfy the url-attr.
Example Configuration:
When a dynamic group is defined, the following types of searches are supported:
04-May-2016 703/923
CA Directory - 12.0.18
By setting this command as true, the default behavior of the DSA changes in the following areas:
Default: False
When you use this command, the DSA no longer advertises support for the LDAP controls listed. In
addition, if the DSA receives an excluded control request, it ignores the control. However, if the
control has criticality set to true, the request is rejected.
In this example, the directory administrator finds that an application has mistakenly used the tree-
delete control to delete a large amount of data. The administrator sets the following command to
prevent the problem happening again:
Mallocs: Number of times the DSA has request blocks of memory from the operating system.
Buffers: Number of transport buffers (to receive or send requests or responses) in use. Also
includes the number of transports buffers that can be reused.
Selects: Number of times the DSA checks for read or write events and the number of write events
received.
04-May-2016 704/923
CA Directory - 12.0.18
true
Includes additional low level statistics in the stats log.
false
(Default) Does not include additional statistics.
Note: When using link encryption between DSAs that reside on the same computer, you
cannot use the trust-flags = ssl-encryption-remote setting with the force-encrypt-anon
command. Instead, use trust-flags = ssl-encryption. Else, DSAs connecting to each other
locally fail at the clear-password authentication level as the link is not encrypted.
Alternatively, you can force SSL encryption on the router DSAs only and can prevent clients
connecting directly to data DSAs. Use the set disable-client-binds = true; command to
prevent clients connecting directly to data DSAs. This setting allows the trust-flags = ssl-
encryption-remote setting to be used.
Note: When using link encryption between DSAs that reside on the same computer, you
cannot use the trust-flags = ssl-encryption-remote setting with the force-encrypt-auth
command. Instead, use trust-flags = ssl-encryption. Else, DSAs connecting to each other
locally fail at the clear-password authentication level as the link is not encrypted.
Alternatively, you can force SSL encryption on the router DSAs only and can prevent clients
04-May-2016 705/923
CA Directory - 12.0.18
Alternatively, you can force SSL encryption on the router DSAs only and can prevent clients
connecting directly to data DSAs. Use the set disable-client-binds = true; command to
prevent clients connecting directly to data DSAs. This setting allows the trust-flags = ssl-
encryption-remote setting to be used.
This command is only useful for access control groups and using access control groups is deprecated.
Use static or dynamic groups instead.
set group = {
name = "group-name"
users = DN-list
};
name = group-name
Specifies the name of this group.
users = DN-list
Lists the members of the group. This is a comma-separated list of distinguished names.
number-of-commands
Sets the number of commands the system will store and display. You can check what this is set to
at any time using the get history command.
Default: By default this is set to 15.
04-May-2016 706/923
CA Directory - 12.0.18
When set to true, this command prevents a DSA from clearing the underlying TCP/IP connection after
a bind refusal.
This functionality is useful when the schema is imported from a directory that does not support name
bindings.
If the LDAP applications are legacy and cannot be modified, use the new command, set ignore-null-
value-attrs. This command causes the DSA to ignore the null valued attributes rather than rejecting
the requests that contain them.
Default: false
If you set this command to true, any interrupted searches will proceed normally after the update is
complete.
04-May-2016 707/923
CA Directory - 12.0.18
If a search includes an entry that is updated during the search, the results will show either the new
contents or the old contents (but not a mix of the two).
false
(Default) The set dxgrid-queue command works normally.
true
Long searches yield to updates.
Note: This command will not work for operational attributes, distinguished values or object
class values.
attr-list
A comma-separated list of the attribute types whose values must be kept in the order in which
they were added.
Alternatively, specify "none" if you do not want to keep the order in which values are added for
any attribute type.
DN-list
04-May-2016 708/923
CA Directory - 12.0.18
DN-list
Specifies the users and roles who can perform complex searches without limitations. This is a
comma-separated list of distinguished names of users and roles.
true
Allows all users to browse the DSA when limit-search is in effect. General searching is still limited.
false
Prevents users from browsing the DSA when limit-search is in effect.
set log-type-list;
log-type-list
A comma-separated list of one or more log files to be opened:
alert-log
cert-log
connect-log
diag-log
query-log
snmp-log
stats-log
04-May-2016 709/923
CA Directory - 12.0.18
stats-log
summary-log
time-log
trace-log
update-log
warn-log
Note: For more information on the types of log you can set up, see the Administration
Guide.
It must appear after the other cache settings. This is because the DSA loads the file as soon as it reads
this command.
true
Enables the memory-mapped file.
false
Unloads the file and disable the DSA
bind-time
Specifies the maximum time, in seconds, that any particular binding can last (a value of 0 or none
means unlimited)
04-May-2016 710/923
CA Directory - 12.0.18
number-entries
Specifies the maximum number of entries that can be present in an index in a data DSA.
Default: 195000000 (195 million)
size
Defines the maximum size that a filter can grow during normalization in MB.
Default: 100 MB.
number-entries
Specifies the maximum number of entries that any operation may return
none
Allows operations to continue with no size limitation
04-May-2016 711/923
CA Directory - 12.0.18
If the user has requested a time limit, and the max-op-time has also been set, the shorter setting
takes effect.
time
Specifies the time in seconds for which any operation may last
none
Allows operations to continue with no time limitation
If this value has been set, you can retrieve it with the get user command.
pdu-size
Specifies the largest size (in bytes) that a protocol data unit may be to be accepted by a DSA
number-bindings
Specifies the maximum number of bindings.
none
Prevents any bindings to this DSA
Note: If you set max-users to 0 (zero) this has the effect of setting the maximum number of
connections to about 4096. To prevent new connections to a DSA, use the set allow-binds
(see page 682) command.
04-May-2016 712/923
CA Directory - 12.0.18
num
Specifies the maximum size in KB that a view phase filter can expand to, when values are
substituted from previous phases. Valid values are between 32 KB and 1000 KB.
Default: 32 KB
This is necessary when you use a CA Directory DSA with SiteMinder, because SiteMinder uses a single
thread for authentication. If SiteMinder does not detect a Netscape, iPlanet, or SunOne server, this
thread serializes authentication binds to the directory, which slows performance.
To let SiteMinder process authentications asynchronously, the DSA must do both of the following:
Process concurrent binds (see set concurrent-bind-user Command (see page 690))
true
Sets the CA Directory DSA to imitate a Netscape directory for the purposes of SiteMinder
authentication
false
Turns off this Netscape mimicry
04-May-2016 713/923
CA Directory - 12.0.18
This command is no longer required, because each DSA is now multi-threaded. However, it is still
supported, for backward-compatibility.
This command was useful for when the DSP idle time was set to a very low value. This could cause
the link between a multiwrite DSA and its recovering peer DSA to time out before the DSA was
recovered.
time
Specifies the idle time (in seconds) for links between multiwrite DSAs.
The trap will contain diagnostic information on why the update failed.
04-May-2016 714/923
CA Directory - 12.0.18
number-operations
Defines the maximum size of the multiwrite queues for DSAs in other groups.
number-operations
Defines the maximum size of the multiwrite queues for peer DSAs.
04-May-2016 715/923
CA Directory - 12.0.18
A name binding consists of a name for the name binding, an object and its allowable parent, and an
attribute that names the object
OID
Specifies the object identifier of the attribute
name
The name of the name binding. This is often descriptive. It can be constructed by concatenating
the names of the object classes being connected.
allowable-parent
Specifies the parent and child object classes
named-by
Lists the attributes that name an object of the child object class. Often only one attribute is listed.
optional
(Optional) Lists attributes that may optionally be appended to the list specified in named-by.
In this example, a new definition (arbitrarily named org-country) states that you can place an
organization object under a country object and that you must name it by the organizationName
attribute. The definition org-top states that you can also place an organization object under a top
object (that is, the root of the namespace) named by the organizationName attribute.
Multiple attributes can name an object, in which case you separate the attributes by commas.
Additional naming attributes are optional when the keyword optional precedes them.
04-May-2016 716/923
CA Directory - 12.0.18
};
An object class is a fundamental part of the schema, and essential to the directory.
name
The name of the object class. This is its formal name, and is often descriptive.
ldap-names
Alternative names for the object class. Think of these as nicknames-they can be used anywhere
the name can be used. Often these are shorter.
subclass-of
Specifies the object class, or object classes, from which this object class inherits.
kind
Specifies the kind of object class.
must-contain attribute-list
Lists the attributes that must be supplied for every instance of this object class.
may-contain attribute-list
Lists the attributes that may be supplied in an instance of this object class.
description
A description of the object class.
04-May-2016 717/923
CA Directory - 12.0.18
name = organizationalUnit
subclass-of top
kind = structural
must-contain organizationalUnitName
may-contain organizationalAttributeSet
description = "X.500 Organizational Unit Object Class"
set object-class caOclass:0 = {
name = caOrgPerson
subclass-of organizationalPerson
kind = structural
may-contain caAttributeSet
description = "CA Organizational Person Object Class" };
An OID prefix consists of a name used to represent the portion of the object identifier common to
multiple schema definition statements.
true
The DSA automatically adds and updates operational attributes.
This is the default setting.
Note: If the multi-write-disp-recovery flag is set, the op-attrs parameter must be true.
false
Prevents the DSA from automatically creating operational attributes. However, some operational
attributes will be created by the DSA if either DISP or multiwrite DISP recovery is configured.
04-May-2016 718/923
CA Directory - 12.0.18
By default, this threshold is 100 entries. If you need to change this value, use the following setting:
size
Sets the size of a page (in entries), beyond which the page is taken only after sorting the entire
result set.
If the password is not changed within the time set, the user account will expire. If this happens, an
administrator must reset the password.
CA Directory uses the operational attribute dxPwdLastChange to maintain the password age.
number-days
Specifies the number of days a password is valid.
0
(Default) Makes the password valid for an unlimited time.
For example, if a password has a life of 31 days, and you set the warning period to 5 days, the
warning messages will be included in the last five days of the password's life.
Note: You can use this command only if the client is an LDAP client and it is aware of the
04-May-2016 719/923
CA Directory - 12.0.18
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
number-days
Specifies the number of days during which a warning will appear.
0
(Default) Disables this feature.
This command only takes effect for entries that include the attribute dxPwdIgnoreExpired and its
value is true. This is useful for administrative accounts and accounts used by mission-critical
applications.
true
Enables expiration bypassing. Administrators can now set an account to never expire by adding
the attribute dxPwdIgnoreExpired and setting its value to true.
false
(Default) Disables expiration bypassing. All accounts expire as usual.
Use this to protect an account from password lockout attacks. This is useful for administrative
accounts and accounts used by mission-critical applications.
This command only takes effect for entries that include the attribute dxPwdIgnoreSuspended and its
value is true.
04-May-2016 720/923
CA Directory - 12.0.18
true
Enables suspension bypassing. Administrators can now set an account to never be suspended by
adding the attribute dxPwdIgnoreSuspended and setting its value to true.
false
(Default) Disables suspension bypassing. All accounts can be suspended as usual.
This command does not actually lock any accounts: this only takes effect for entries that include the
attribute dxPwdLocked.
true
Enables password locking. Administrators can now lock accounts by including the attribute
dxPwdLocked.
false
(Default) Disables password locking. No accounts can be manually locked.
a-z
A-Z
number-chars
Specifies the minimum number of alphabetic characters that a password must contain.
0
(Default) Disables this feature.
04-May-2016 721/923
CA Directory - 12.0.18
a-z
A-Z
0-9
number-chars
Specifies the minimum number of alphanumeric characters that a password must contain.
0
(Default) Disables this feature.
If you do not set this, the password quality rules are not applied when an administrator changes a
user's password.
true
Enforces the password quality checks on every password change.
false
(Default) Enforces the password quality checks only when a user changes their own password.
04-May-2016 722/923
CA Directory - 12.0.18
Note: You can use this command only if the client is an LDAP client and it is aware of the
Behera password policy request control.
When set password-force-change is set to true any bind by a new user or by a user with a reset
password will be checked to see if it includes the Behera password policy control. This control is
required so that the DSA can return the password-force-change control back to the client.
DAP binds do not support the Behera controls, which means that a user cannot bind to a DSA if set
password-force-change is set to true and the password has been reset or the user's entry has just
been created.
true
Enables forced password changes. Users are prompted to change their password when they log in
using a password that an administrator has changed.
false
(Default) Disables forced password changes. Users can continue to use a password that was
changed by an administrator.
If the client is an LDAP client and the bind contains the Behera password-policy control, then if the
password contained in the bind has expired, the bind-confirm returns an LDAP control containing the
number of grace logins remaining.
If the client is not aware of the Behera password policy request control, grace logins will work, but
the client will not be able to track how many grace logins are left.
number-logins
Specifies the number of times a user can log in with an expired password.
0
(Default) Disables this feature.
04-May-2016 723/923
CA Directory - 12.0.18
CA Directory uses the operational attribute dxPwdHistory to maintain the password history.
number-passwords
Specifies the maximum number of passwords to retain in the history.
0
(Default) Disables this feature.
CA Directory uses the operational attribute dxPwdLoginTime to record the last time the password
was used.
number-days
Specifies the number of days during which a password is not used but still remains valid.
0
(Default) Disables this feature.
number-chars
Specifies the minimum number of lowercase characters that a password must contain.
04-May-2016 724/923
CA Directory - 12.0.18
0
(Default) Disables this feature.
number-chars
Specifies the maximum number of characters a password may contain.
0
(Default) Disables this feature.
number-chars
Specifies the maximum number of repeated characters that a password may contain.
0
(Default) Disables this feature.
The length of the substrings that will be checked for is set with the set password-min-length-
repeated-substring command (see page 728).
number-repetitions
Specifies the number of times that substrings can be repeated in a password.
04-May-2016 725/923
CA Directory - 12.0.18
This setting only applies to accounts that were suspended because the user tried to log in too many
times with the wrong credentials, as set with the set password-retries command.
CA Directory uses the operational attribute dxPwdFailedTime to record the time since the account
was suspended due to failed login attempts.
number-seconds
Specifies the time (in seconds) for which a suspended password remains suspended. After the
time has passed, the account in active.
0
(Default) Disables this feature.
For more information about the controls that are added to the responses, see the Sun Java System
LDAP SDK for C Programming Guide (http://docs.sun.com/source/817-6707/controls.html#wp28216).
true
Includes the following LDAP response controls in bind and compare responses:
false
(Default) No extra controls are added to bind and compare responses.
04-May-2016 726/923
CA Directory - 12.0.18
Default: false
The format of the response controls has been updated to comply with https://tools.ietf.org/html
/draft-vchu-ldap-pwd-policy-00. If applications are created using the previous (noncompliant) format,
then they can be reinstated by using the command set password-netscape-legacy-mode = true;.
CA Directory uses the operational attribute dxPwdLastChange to maintain the lockout period.
number-days
Specifies the time (in days) that must pass after the password is changed before it can be changed
again.
0
(Default) Disables this feature.
number-chars
Specifies the minimum password length.
Default: 6.
04-May-2016 727/923
CA Directory - 12.0.18
The number of repetitions is set with the set password-max-substring-repetition command (see page
725).
If set password-max-substring-repetition is set to true, you must use the set password-min-length-
repeated-substring command to set the substring length.
length-substring
Specifies the minimum length of substrings that will be checked.
If set password-max-substring-repetition is set to true and you do not use this command to set
the substring length, this value
0
Disables this feature.
This command only affects the attributes that include the line ldap-names = attribute-name in their
attribute definition in dxserver.dxc.
true
Replicates some CA Directory attributes to the other LDAP directory.
false
(Default)
04-May-2016 728/923
CA Directory - 12.0.18
space
`~!@#$%^&*()-_=+\|[]{}'";:/?,.<>
0123456789
number-chars
Specifies the minimum number of non-alphabetic characters that each password must contain.
0
(Default) Disables this feature.
space
`~!@#$%^&*()-_=+\|[]{}'";:/?,.<>
number-chars
Specifies the minimum number of non-alphanumeric characters that each password must
contain.
0
(Default) Disables this feature.
trace Command
The trace command displays details of service requests, confirmations, or errors. You need to specify
the level of tracing you want to use.
full
Traces everything. Full tracing degrades performance, so you should use it only during testing.
none
Turns off all tracing
04-May-2016 729/923
CA Directory - 12.0.18
trace-event-list
alert
Displays authentication errors.
cert
Displays certificate operations.
connect
Displays connections.
diag
Traces local DXserver operations that were refused.
dsa
Similar to the x500 trace, but also includes tracing of the module flow inside the DSA.
error
These events that may impact on the ability of DXserver to perform a requested operation. This is the
default trace level.
We recommend that the error trace option is included in the set trace command during normal
operation.
ldap
Traces detailed LDAP operations. The output can become quite large when searches return a large
number of entries.
limit
Traces any violation of size or time limits.
query
Displays a one-line summary containing the server request and result.
stack
Displays detailed protocol tracing. The output can become quite large.
stats
Displays statistical information for each minute the DSA is not idle.
summary
Displays a one-line summary containing the service request and result.
time
Displays the time taken for successful operations.
To send this output to a separate file, use the set time-log command.
04-May-2016 730/923
CA Directory - 12.0.18
update
warn
Warn messages usually represent a user error, rather than a problem with DXserver.
x500
Displays the full details of the service request, confirmation, or error. This traces DAP, DSP, and
LDAP operations. The output can become quite large when searches return a large number of
entries.
number-chars
Specifies the minimum number of numeric characters that each password must contain.
0
(Default) Disables this feature.
true
Enables password policies. Any password rules you have set are active.
false
(Default) Disables password policies. No password rules are active.
04-May-2016 731/923
CA Directory - 12.0.18
When an application binds as this password proxy user, the password policy will be applied to
password compares and modifications.
This can be useful if an application that uses the directory can only have one connection to the
directory.
DN
Specifies the DN of the password proxy user.
CA Directory uses the operational attribute dxPwdFailedAttempts to record the number of failed
login attempts.
number-retries
Specifies the number of times a user may attempt to log in with an incorrect password before
their account is suspended.
Default: 3
04-May-2016 732/923
CA Directory - 12.0.18
ssha-512
(Default) Hashes the password using the Salted SHA-512 algorithm.
sha-512
Hashes the password using the SHA-512 algorithm.
ssha-1
Hashes the password using the Salted SHA-1 algorithm. This algorithm produces a different hash
even for the same clear text password, which is more secure.
sha-1
Hashes the password using the SHA-1 algorithm.
pbkdf2
Hashes the password using the PBKDF2 (Password-Based Key Derivation Function 2) method.
crypt
Hashes the password using the UNIX crypt method.
md5
Hashes the password using the Message Digest algorithm.
smd5
Hashes the password using the Salted Message Digest algorithm.
none
Passwords are not hashed. This should only be used for testing.
Where <num> is a value greater than 0. This value specifies the number of iterations when deriving a
hash.
Default: 64000
When you decide to use the PBKDF2 hashing method for improved security, keep in mind the
computation cost. The larger the number of iterations, the higher is the cost.
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of
04-May-2016 733/923
CA Directory - 12.0.18
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of
the salt (random data) included with the password.
Using this method makes it difficult to pregenerate a table of hashes for a given password value.
Default: 128
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of
the hash generated.
Default: 128
Important! These default values must be reviewed annually to take into account
computational speed of machines increasing over time.
attribute-list
Specifies the attributes that the password will be checked against. This is a comma-separated list
of attributes.
true
Raises an SNMP trap when a password is suspended.
false
(Default) Disables the SNMP trap.
04-May-2016 734/923
CA Directory - 12.0.18
number-chars
Specifies the minimum number of uppercase characters that a password must contain.
0
(Default) Disables this feature.
When this is set to true, the password must not be a substring of the last RDN in the user's DN.
true
Checks all new passwords against the user's name, and rejects any password that is a substring of
the user's name.
false
(Default) Disables the username check.
This is useful if an application opens persistent searches so that it is notified as and when operations
happen. For more information about LDAP persistent searches, see Persistent Search (see page 506).
true
Allows CA Directory to respond to searches that use the LDAP V3 persistent search control
04-May-2016 735/923
CA Directory - 12.0.18
false
Disables persistent searching
This command should appear once only in the configuration files that are sourced by any particular
DSA.
This command denies (takes away) specified access rights that have been granted at the registered
users and public users access level
Access rights denied at this access level can be granted by rules at the administrative users and super
users access levels.
Access control rules are effective only if you enable access controls.
tag
(Optional) Defines a name for this rule.
users
(Optional) Identifies the users that are to be denied access to the item. Use one of the following:
own-entry
Specifies that this rule restricts users' access to their own entry.
own-subtree
04-May-2016 736/923
CA Directory - 12.0.18
own-subtree
Specifies that this rule restricts users' access to the subtree beneath their own entry.
user = DN
Specifies the user whose access this rule restricts.
role = DN
Specifies the role whose access this rule restricts.
group = group-name
Specifies the access control group whose access this rule restricts.
user-subtree = DN
Specifies the subtree of users whose access this rule restricts.
scope
(Optional) Defines the part of the DIT that this rule applies to.
Use one of the following:
entry = DN
Specifies the entry that this rule protects.
If entry is specified and is not a leaf node then the user still has the right to use the entry in a
path to a lower level entry, so normally you only specify entry if it is a leaf node.
subtree = DN
Specifies the subtree that this rule protects.
attrs = attribute-list
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is
a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry.
perms = permission-list
If perms is not specified then the command will deny all permissions.
Normally you will not specify perms.
all
Denies users all permissions over the scope.
read
Denies users read permission over the scope. This has the same effect as specifying perms=all.
add
Denies users permission to add to the information defined in the scope.
remove
Denies users permission to remove attributes defined in the scope.
modify
Denies users permission to change information defined in the scope.
rename
Denies users permission to rename the entries defined in the scope.
04-May-2016 737/923
CA Directory - 12.0.18
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is
Monday).
The command in this example could be used to hide some management information about a DSA
definition stored within the directory:
The specified entry is invisible to members of the employees role (unless a higher precedence access
control rule grants them some access).
The command in this example protects the homePhone and userPassword attributes in any entries in
the Democorp subtree that have these attributes.
These attributes are visible to any super users and administrative users that have the Democorp
subtree in their scope, but the attributes are hidden from all other users:
Example: Let Users View a Whole Entry and Modify Some Attributes
This example shows how to give users update access to most attributes within an entry but prevent
the update of a small number of attributes.
This problem is made more complex because the list of attributes that can be updated can grow, for
example, as more attributes are added to the entry.
04-May-2016 738/923
CA Directory - 12.0.18
Setting protected-items on some attributes will prevent updates, but not by users with admin-user
rights. It will also prevent reads by users with public-user or reg-user rights.
A solution to this problem is to use the optional permissions in the access control rules. The following
access rule will let all users in the subtree modify all attributes in their own entry:
set reg-user = {
own-entry
subtree = <o test>
perms = modify
};
To prevent update access to some of these attributes, use the following command:
set protected-items = {
own-entry
subtree = <o test>
attrs = attr1, attr2, ...
perms = modify
};
This prevents the user modifying the attributes listed, but it does not prevent read access. This is
because the only permission denied is modify.
Example: Let Users Modify All Attributes in Their Own Entry Except "role"
In this example, the set reg-user rule gives users modification rights to all attributes in their own
entry, and the protected-items rule takes away modification rights for just the role attribute. The
result is that users can modify all attributes in their own entries except "role", which they can read:
set reg-user = {
own-entry
subtree = <o Democorp>
perms = modify
};
set protected-items = {
own-entry
subtree = <o DemoCorp>
attrs = role
perms = modify
};
Without the perms = modify in the set protected-items rule, the user would be denied all access to
the role attribute (including read access).
04-May-2016 739/923
CA Directory - 12.0.18
This command grants specified access rights at the public user access level, to all users, over a
specified scope.
Any access that is granted by this command applies to public users, and by extension to all users.
That is, a user who is authenticated can do anything that a public user can do.
Access rights granted at this access level can be taken away by access control rules defined at the
protected items access level.
Access control rules are effective only if you enable access controls. If access controls are not
enabled, then public users have full permission over the whole directory.
tag
(Optional) Defines a name for this rule.
scope
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
entry = DN
Specifies the entry that this rule grants access to.
subtree = DN
Specifies the subtree that this rule grants access to.
04-May-2016 740/923
CA Directory - 12.0.18
attrs = attribute-list
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is
a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove
permissions require that attrs is not specified.
perms = permission-list
(Optional) Specifies the permissions (access rights) that this rule grants to public users for the
scope.
If perms is not specified, then read access permission is granted.
permission-list is a comma-separated list of one or more of the following:
all
Specifies that public users have all available permissions over the scope. This option implies all
of the permissions listed below.
read
Specifies that public users can read the information defined in the scope.
add
Specifies that public users can add to the information defined in the scope. This also grants
read permission.
remove
Specifies that public users can delete entries defined in the scope. This also grants read
permission.
modify
Specifies that public users can change information defined in the scope. This also grants read
permission.
rename
Specifies that public users can rename the entries defined in the scope. This also grants read
permission.
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is
Monday).
In the following example, all users can view the name, telephone number, and X.400 mail addresses
in the Phone List subtree:
04-May-2016 741/923
CA Directory - 12.0.18
In the following example, all users in the role cell-research have read privileges on the directory R&D
subtree:
Note: This command is deprecated. We recommend that you use the show-eis option in
the set query-log-advanced command (see page 742).
If query-log-show-eis is set to true, then query logs include the attribute names contained in a search
requests entry information selection. The default behavior is to show only a count of attributes
returned.
none
(Default) The query log contains only basic information about each request.
all
Includes all of the options.
options
04-May-2016 742/923
CA Directory - 12.0.18
options
A comma-separated list of one or more of the following options:
ssl
Includes the text (ssl) line if a request is sent over SSL. For example:
source
Indicates where a request originated, where the origin is one of the following:
client: The source of the request is from a client over the DAP or LDAP protocol.
mw: The update request received was replicated with multiwrite. This includes the name
of the DSA from which the request was sent.
dsp: The request was received from a DSA servicing another namespace (either chained or
multi-chained). These are received over the DSP (inter-DSA) protocol.
internal: The request was generated internally by the DSA to perform another triggered
action. For example, password policy may trigger an update of password policy attributes
on a bind request.
For example:
ldap-controls
Includes a description of LDAP controls known/supported by the DSA. The descriptions are
logged on requests and responses. If an LDAP control is not known the OID is displayed.
For example:
ldap-error
Includes the LDAP error name and number in an error response.
For example:
update-timer
Includes the time in milliseconds taken for an update to successfully complete.
For example:
04-May-2016 743/923
CA Directory - 12.0.18
show-eis
Includes the list of attributes requested on a search instead of the count of attributes being
returned. This option performs the same function as the set query-log-show-eis command.
For example:
rulename
Defines the name of the integrity rule.
subtreeDN
Specifies the subtree that contains the entries whose removal triggers this rule. When an entry in
this subtree is deleted the DSA runs this integrity rule.
referenceDN
Specifies the subtree to be searched when the DSA runs this integrity rule.
memberAttribute
Specifies an attribute that may exist in one or more entries in the referenceDN subtree. The DSA
finds all attributes named memberAttribute that are in the referenceDN subtree and have DN
syntax. For each of these attributes, the DSA removes the value if it equals the DN of the entry
that was deleted.
04-May-2016 744/923
CA Directory - 12.0.18
entryAttribute
Specifies an attribute name in the deleted entry. When the DSA deletes an entry, it retrieves the
value of that entry's entryAttribute.
referenceAttribute
Specifies the attribute name that the DSA uses to search for references. The DSA finds all
attributes named referenceAttribute that are in the referenceDN subtree. For each of these
attributes, the DSA removes the value if it equals the value of entryAttribute.
After it has deleted the entry, the DSA deletes the value cn=Craig Link,o=Users,c=AU from all
attributes that satisfy all the following conditions:
Have a DN syntax
After it has deleted the entry, the DSA deletes the value of the userID attribute in the deleted entry
from all attributes that satisfy all the following conditions:
Have a value equal to the value of the userID attribute in the deleted entry
04-May-2016 745/923
CA Directory - 12.0.18
Have a value equal to the value of the userID attribute in the deleted entry
Access rights granted at this access level can be taken away by access control rules defined at the
protected items access level.
Access control rules are effective only if you enable access controls.
tag
(Optional) Defines a name for this rule.
users
Defines the users that this rule applies to, where users is one of the following:
user = DN
Defines the user that this rule applies to.
role = DN
Defines the role that this rule applies to.
group = group-name
Defines the access control group that this rule applies to. Use of access control groups is
deprecated, so use of this option is also deprecated.
user-subtree = DN
Defines the top of the subtree of users that this rule applies to.
own-entry
Specifies that the users defined in scope have access to their own entries only.
own-subtree
Specifies that the users defined in scope have access to their own entries and any entries
below their own entry.
04-May-2016 746/923
CA Directory - 12.0.18
scope
Defines the area of the DIT that this rule gives access to, where scope is one of the following:
entry = DN
Specifies the entry that this rule grants access to.
subtree = DN
Specifies the subtree that this rule grants access to.
attrs = attribute-list
(Optional) Defines the attributes or attribute set to which this rule applies, where attribute-list is
a comma-separated list of attribute names.
If attrs is not specified, then the access rule applies to the whole entry. add and remove
permissions require that attrs is not specified.
perms = permission-list
(Optional) Specifies the permissions (access rights) that this rule grants to the users for the scope.
If perms is not specified, then read access permission is granted.
permission-list is a comma-separated list of one or more of the following:
all
Grants users all permissions over the scope.
read
Grants users permission to read the information defined in the scope.
add
Grants users permission to add to the information defined in the scope. This also grants read
permission.
remove
Grants users permission to delete entries defined in the scope. This also grants read
permission.
modify
Grants users permission to change information defined in the scope. This also grants read
permission.
rename
Grants users permission to rename the entries defined in the scope. This also grants read
permission.
simple
Specifies that this rule only applies to users who bind using simple authentication (username
and password).
ssl-auth
Specifies that this rule only applies to users who bind using SSL authentication.
04-May-2016 747/923
CA Directory - 12.0.18
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is
Monday).
In the following example, all the users in the R&D subtree can read the Democorp subtree:
In the following example, all users in the group staff have read privileges on the Democorp entry:
Example: Let All Users Read Some Attributes in Their Own Entry
The following example lets any user in the subtree AU/Democorp view only the selected attributes in
their entry:
set reg-user = {
own-entry
subtree = <c AU><o Democorp>
attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail
};
In this example, all Democorp users can browse all entries in the subtree Democorp; however, when
they read or search for an entry in the subtree, only those attributes that you declare are visible.
The users also have modify privileges on the listed attributes for all entries in the subtree:
04-May-2016 748/923
CA Directory - 12.0.18
The set relaxed-not-search command lets you interpret NOT in the non-standard manner supported
by some other directories.
Normally, CA Directory handles NOT in LDAP searches according to this standard: ISO/IEC 9594-3 :
2001 (E) Section 7.8.2 Filter item, 4th paragraph. However, some other directories handle this
differently. If you set this command to true, CA Directory will handle NOT in searches in this non-
standard way.
For example, if relaxed-not-search is set to true, and you search for "description not equal M*", the
search returns the entries that contain no description, and the entries that have a description and the
description does not start with M.
If you run the same search while relaxed-not-search is not set or is set to false, the same search
returns only those entries that have a description and the description does not start with M.
To display the value of this setting, use the get oper command.
true
Interprets NOT in searches in the non-standard way of some other directories
false
Interprets NOT in searches as specified in ISO/IEC 9594-3 : 2001
04-May-2016 749/923
CA Directory - 12.0.18
The set role-subtree command specifies the DN where the roles are defined.
DN
Specifies the distinguished name at the top of the subtree that stores the roles.
You could use a job title or an administrative email address. This description appears
04-May-2016 750/923
CA Directory - 12.0.18
The command only takes effect when the DSA starts. If you change SSL parameters using the DSA
console, values are not changed and the following warning is logged to the warn file:
Note: Before CA Directory r12 SP2, SSL functionality was provided by SSLD, a separate
process. Now, each DSA provides its own SSL functionality.
set ssl = {
cert-dir = certificate_directory
ca-file = certification_authority
[cipher = cipher]
[protocol = ssl]
[fips = true]
[pin = pin]
[lib = library]
[slot = slot-number]
};
04-May-2016 751/923
CA Directory - 12.0.18
cert-dir
Identifies the directory that contains certificate and private-key files in PEM format.
ca-file
Identifies the file that contains trusted certification authority certificates in PEM format.
cipher
(Optional) Specifies the ciphers that will be used for SSL and TLS connections.
protocol
(Optional) Instructs the DSA to use a specific SSL or TLS minimum protocol. If you do not set this
to SSL, the DSA uses the default protocol, TLS. The supported keywords are ssl, tls, tlsv11 and
tlsv12. This option defines the minimum protocol that is supported.
fips
(Optional) Instructs the DSA to accept only FIPS-compliant ciphers. To accept all SSL ciphers, omit
this parameter.
pin
(Optional) Specifies the hardware security module (HSM) user PIN. If specified, the private key is
used through the HSM. For example:
pin=1234
lib
(Optional) Specifies the file containing the pks#11 library supplied by the HSM vendor. For
example:
slot
(Optional) Specifies the slot location in the HSM where the corresponding private keys are stored.
For example:
slot=2
When set to true, this command turns off automatic checking for the existence of an entry named by
the subject held in the certificate.
04-May-2016 752/923
CA Directory - 12.0.18
Access rights granted at this access level cannot be taken away by other access control rules.
Access control rules are effective only if you enable access controls.
tag
(Optional) Defines a name for this rule.
users
Defines the users that this rule applies to, where users is one of the following:
user = DN
Defines the user that this rule applies to.
role = DN
Defines the role that this rule applies to.
group = group-name
Defines the access control group that this rule applies to. Use of access control groups is
deprecated, so use of this option is also deprecated.
user-subtree = DN
Defines the top of the subtree of users that this rule applies to.
own-entry
Specifies that the users defined in scope have super user access to their own entries only.
own-subtree
Specifies that the users defined in scope have super user access to their own entries and any
entries below their own entry.
04-May-2016 753/923
CA Directory - 12.0.18
simple
Specifies that this rule only applies to users that bind using simple authentication (username
and password).
ssl-auth
Specifies that this rule only applies to users that bind using SSL authentication.
on day
Defines the day on which this rule is valid, where day is a string like 12345 or 67 (1 is
Monday).
The following command defines a single user with super user privileges:
Example: Give Users Super User Rights to Their Own Entry Only
The following command gives all users in the domain of this DSA super user privileges on their own
entry from 0800 hours to 1800 hours on Monday (day 1) to Friday (day 5):
When you include this command in an access.dxc file that multiple DSAs source, all users in the
domains of those DSAs will have super user privileges on their own entries.
The own-entry and own-subtree options are the only types of super user rule that do not grant the
user access to all parts of the DSA.
alias-for = syntax
04-May-2016 754/923
CA Directory - 12.0.18
alias-for = syntax
Specifies one of the supported syntaxes.
policy-name
Specifies the name of the new policy.
precedence
This value is currently ignored.
The new password policy inherits the attributes of the default password policy. However, further
password policy commands modify the new password policy and not the default password policy.
An exception to this rule is that the following commands apply to all password policies.
txSize
Defines TCP buffer size of the send buffer where size is in bytes.
Default: 0
rxSize
Defines TCP buffer size of the receive buffer where size is in bytes.
Default: 0
04-May-2016 755/923
CA Directory - 12.0.18
These values affect the send and receive buffer sizes as they are passed to the socket() system call.
Setting both the values to 0 allows the operating system to scale the buffers up to the operating
system imposed maximum.
To display the value of this setting, use the get user command.
time
(In milliseconds) Only those compare and search operations with a duration greater than or equal
to this value are displayed.
none
No compare or search operations will be listed in the time log.
To display the value of this setting, use the get user command.
time
(In milliseconds) Only those add, modify, moddn, and remove operations with a duration greater
than or equal to this value are displayed.
none
No compare or search operations will be listed in the time log.
04-May-2016 756/923
CA Directory - 12.0.18
Trace options in the set trace command are not cumulative and override options set in previous set
trace commands.
none
Turns off all tracing
trace-level-list
A comma-separated list of one or more of the following trace options:
alert
Displays authentication errors.
cert
Displays certificate operations.
connect
Displays connections.
diag
Traces local DSA operations that were refused.
dsa
Similar to the x500 trace, but also includes tracing of the module flow inside the DSA. Use this
trace level when you are trying to identify a problem with the directory.
error
Displays error messages of very high severity.
These events that may impact on the ability of the DSA to perform a requested operation.
These events are usually more serious than those reported under warn.
This is the default trace level. It has the lowest impact on performance, and we recommend
that you use this level during normal operation.
ldap
Traces detailed LDAP operations. The output can become quite large when searches return a
large number of entries.
limit
Traces any violation of size or time limits.
query
Displays a one-line summary containing the server request and result.
stack
Displays detailed protocol tracing. The output can become large.
04-May-2016 757/923
CA Directory - 12.0.18
stats
Displays statistical information for each minute the DSA is not idle.
summary
Displays a one-line summary containing the service request and result.
time
Displays the time taken for successful operations.
To send this output to a separate file, use the set time-log command.
update
Displays update operations-add, delete, modify, and rename.
warn
Displays error messages of moderately high severity.
Warning messages usually represent a user error, rather than a problem with the DSA. This
used to be the default trace level, but the default is now error.
x500
Displays the full details of the service request, confirmation, or error. This traces DAP, DSP,
and LDAP operations. The output can become large when searches return a large number of
entries.
You can set more than one trace level. This means that the trace includes all of the information
usually captured by each trace level.
The following command sets the DSA to capture any high-level error messages, plus any violations of
time or size limits:
This example shows a set of tracing commands. Because the set trace command is not cumulative,
only the last command affects the final tracing level. In the following example, the final trace option
is summary:
The time and error options are turned off by the second command.
04-May-2016 758/923
CA Directory - 12.0.18
When set to true, this verbose command will raise an SNMP trap whenever an add, delete, modify, or
rename event occurs and will also record information about what attribute was changed for an entry,
and whether the request for that change originated on another DSA (assuming you have multi-write
configured).
DN-list
Specifies the distinguished names of one or more trusted proxies in a comma-separated list.
You can specify the subtree that each attribute must be unique within.
04-May-2016 759/923
CA Directory - 12.0.18
attribute
Specifies an attribute that should have unique values.
subtree = DN
(Optional) Specifies the subtree that the attribute should be unique in.
If you don't specify this, the attribute will be unique in the subtree specified by the set unique-
attr-subtree command. If you have not defined the set unique-attr-subtree command, the
attribute will be unique within the local prefix.
The following commands specify that the values of the uid and cn attributes must be unique within
the Corporate subtree in Democorp:
In this example, the values of the uid and phoneNumber attributes must be unique within the
Corporate subtree. However, the values of the cn attribute must be unique within the Staff subtree:
DN
Specifies the distinguished name of the base for unique value checking.
This command has the same effect as the set update-log-show-values command (see page 761), PLUS
04-May-2016 760/923
CA Directory - 12.0.18
This command has the same effect as the set update-log-show-values command (see page 761), PLUS
the following:
The password and certificate values are written to the update log. The set update-log-show-
values command leaves out these binary values.
This command is designed for internal use. Although you can use it, the set update-log-show-values
command is more useful for most customers.
If you want to include binary attributes in the update log, use the following command:
Operational attributes
Binary values
Note: The size of a line written to this log is restricted to 4096 bytes, so large values may be
truncated.
true
Includes attribute values in the update log.
false
(Default) Does not include the attribute values.
To use dynamic roles, you need to set up dynamic groups, and then use the set use-dynamic-roles
04-May-2016 761/923
CA Directory - 12.0.18
To use dynamic roles, you need to set up dynamic groups, and then use the set use-dynamic-roles
and set role-subtree commands.
To use static roles, you need to set up static groups, and then use the set use-roles and set role-
subtree commands.
When a user is idle for too long, that user is disconnected. This reduces the number of users
connected and lets new users connect to the DSA.
time
Specifies the maximum idle time in seconds.
On a multi-CPU host, eight is a suitable initial setting. For a single CPU host, do not set user-threads,
or set it to 1. The default is 8.
set user-threads = n;
n
Defines the number of user threads.
04-May-2016 762/923
CA Directory - 12.0.18
Defines the number of user threads.
viewName
Defines the name that the DSA command interpreter uses to identify the view. If the name
contains spaces or non-alphanumeric characters, then the name must be enclosed in quotes.
description = "description"
Describes the view. The description is any text string enclosed in quotes.
entry = ViewDN
Defines the base object of the view in LDAP format. This DN is the target of searches that invoke
this view.
collapse-result
(Optional) Specifies that the view merges all the results into one entry, which is the base-object of
the search request invoking the view.
04-May-2016 763/923
CA Directory - 12.0.18
collapse-result-under-entry
(Optional) Specifies that the view merges all the results into one entry, which is the entry DN
returned by the phase one search. If the phase one search returns multiple entries, then the view
is applied to each entry independently and multiple collapsed entries are returned.
remap-originator
(Optional) Specifies that the originator, and hence access controls, are applied to the bind DN.
The bind DN is a virtual entry when binding to a view using a DN returned by a previous search
with the collapse-result-under-entry. The remap-originator option re-maps the originator to the
underlying phase 1 entry allowing existing ACIs to be used.
view-entry-access-controls
(Optional) Specifies that temporary access to some sections of the view that are not visible to the
user invoking the view are allowed. Use this in conjunction with trust-dsa-triggered-operations.
This works by ignoring access controls while the view searches are invoked and post-applying the
access controls before the result is returned.
if (condition)
Specifies conditional views that must be met before the phase is performed. The conditional if
and else if accept a view parameter a = (equals) or != (not equals) and a regular expression. The
value substituted for the view parameter is compared to the regular expression.
Each phase/s can be conditional triggered based on information from previous phases. A
condition consists of a views attribute an = or != and a regular expression. for example, "$2:
userPassword=." will trigger the following brace enclosed phase/s if the phase 2 search result
contains the userPassword attribute.
phase = phaseNum
Specifies the phase number.
A phase is a directory search within a view. A phase can use the results of previous phases in the
same invocation of the view.
Each phase must be given a number, starting at one and incrementing by one for each subsequent
phase.
subtree = phaseDN
Defines the subtree of the search performed for this phase, in LDAP format. The subtree RDN
elements can reference previous search phases. This can be omitted for attribute-level pruning
/allowing.
For example:
"$1:dn" - Searches with a subtree set to the DN of each search result returned in phase 1
"$1:dn[3]" - Searches with a subtree set to the 3 top RDNs of the DN of each search result
returned in phase 1
04-May-2016 764/923
CA Directory - 12.0.18
"uid=$1:uids,o=Democorp,c=AU" - Replaces the last RDN of the subtree with the value/s of
'uids' returned by the phase 1 search. If multiple values were returned then multiple searches
are performed.
attributeName
Specifies an attribute to be returned. This follows the syntax for views parameters. <link>
as attributeName
Maps the result to this attribute. This is useful if the underlying data has naming conflicts.
Note: The syntax for both the attribute being returned and the mapped attribute must be
identical.
prefix
Adds text to the start of the result. For more information, see Add a Prefix or Suffix to a Value
in Administrating.
suffix
Adds text to the end of the result. For more information, see Add a Prefix or Suffix to a Value
in the Administrating.
subtree
Searches the entire subtree.
base
Searches the base object only.
one-level
Searches one level only.
filter = phaseFilter
(Optional for base and one-level searches) Defines the LDAP filter that the phase uses for its
search. Any item in the filter can include views parameters.
If the scope of the search that invokes the view is base-object, then filter is ignored.
This LDAP search filter contains substitution items OR 'from-client'. When from-client the filter
will directly reference the filter passed in be the client.
Phase 1 - The substitution item must be $attrName. Where attrName is passed in on the
subtree search on the view entry.
04-May-2016 765/923
CA Directory - 12.0.18
Phase >1 - The substitution item must be a view attribute of the form $phase:attrName.
$phase must reference the result from an earlier phase and attrName is the name of that
attribute.
filter = from-client
(Optional) During normal operation, the filter is derived from values passed from a search request
or a previous search result. When from-client is used, the filter is a copy of the filter passed in by
the search request invoking the view.
For example, if a view is invoked using the search: dxsearch -h host:port -b cn=view,ou=views,
o=CA,c=AU (oc=inetOrgPerson)(sn=LINK)(cn=*), the filter used for the search phase is: filter =
(oc=inetOrgPerson)(sn=LINK)(cn=*)
Note: filter = from-client is typically used in Phase 1 in preference to using substitution items.
allow-attr = allowAttributeList
(Optional) Specifies the attributes that will be included in a phase result. This list of attributes
follows the syntax for views parameters.
Specifies the attribute name whose value is appended to the list of attribute values in allow-
target
allow-target = allowTarget
(Optional) Specifies the views parameter to take the value in allow-attr. If allow-target does not
exist it is created when the first allow-attr is returned.
allowTarget follows the syntax for views parameters.
allow-target is used only with the allow-attr option.
prune-attr = pruneAttributeList
(Optional) Specifies the attributes that will be removed from a phase result.
pruneAttributeList follows the syntax for views parameters.
prune-attr is used only with the prune-target option.
prune-target = pruneTargetList
(Optional) Specifies the views parameter whose value is compared to the value of the attribute in
prune-attr. If the two values match, then the attribute entry is removed from the result.
Otherwise, the attribute entry is included in the result.
pruneTargetList follows the syntax for views parameters.
prune-target is used only with the prune-attr option.
merge-dn-attr
(Optional) Specifies the attribute of DN syntax that each DN of the current phase result will be
returned under. For example, it is often useful to return the groups a user is a member of with
the users entry. If this is set to memberOf, the phase subtree is where the groups are stored and
the filter = member = $1:dn.
ignore-from-result
Specifies that the phase should return only those attributes whose values are referenced as
parameters in later phases. If this is set, the phase search results are temporary. The results
from this phase will not be returned to the client.
04-May-2016 766/923
CA Directory - 12.0.18
prune-from-result
Specifies that the phase should return only the DN and not return any attributes at all.
result-required
Specifies that the DSA should check if an attribute is referenced as a parameter in later phases
does exist. If not, then the DSA aborts the search and raises an alarm.
collapse-target
(requires view option collapse-result-under-view-entry)
Instead of collapsing the view results under the entry specified by phase 1, this option allows
for the view to be collapsed under a later phase. An error will occur if the later phase search
returns multiple entries.
Views Parameters
You use a views parameter inside the set view command to specify a placeholder for a string. The
DSA will determine the value of the views parameter when the view is invoked or after the DSA has
run an earlier phase within the view.
[$][phaseNumberList:]attributeName[substringIdentifier]
$
(Optional) Specifies that the DSA should treat this as a views parameter.
If the $ is missing, then the string is treated as a literal attribute name and no substitution occurs.
In that case, substringIdentifier must be blank.
phaseNumberList:
(Optional) Defines the phase number that produces the value of attributeName. If phaseNumber:
is omitted, then the DSA provides the value of attributeName from the filter given in the LDAP
search command that invoked the view.
phaseNumber must be a smaller number than the number of the phase in which the parameter is
used. That is, a phase can refer only to earlier phases of the view.
You can specify a list of phase numbers when using conditional views.
attributeName
Specifies the attribute whose value is used to replace the parameter.
substringIdentifier
(Optional) Specifies a section within an attribute value string.
There are two possible formats for the substring identifier.
The first form for substringIdentifier is useful if you want to extract a substring based on delimiter
characters, and is as follows:
[delimiterString:substringNumber]
The square brackets and the colon are part of the syntax, and are required if this option is
used.
04-May-2016 767/923
CA Directory - 12.0.18
delimiterString
Defines the delimiter inside the attribute value string. It is a literal string so, for example, it
can include white space, quotation marks, and non-alpha-numeric characters. The delimiter
string partitions the attribute value into substrings.
substringNumber
Specifies which substring to extract from the attribute value string. The substrings of the
attribute value are numbered from left to right starting at one.
The second form for substringIdentifier is useful if you want to extract the leading DNs from a
string of DNs, or if you want to extract the leading characters of the string. This form is as follows:
[numberOfDNsOrCharacters]
The square brackets are part of the syntax and are required if this option is used.
numberOfDNsOrCharacters
Specifies how many RDNs or characters to extract from the attribute value string, starting at
the leftmost character.
If this parameter is used as part of the subtree specification of a phase ("subtree=..."), then it
returns the number of RDNs; otherwise it specifies the number of characters.
When the view is invoked, the DSA replaces the example string with the value of the cn attribute
provided in the filter of the search command that was used to invoke the view.
Smith, John
When the view is invoked, the DSA replaces the example string with the characters preceding the first
comma in the value of the cn attribute.
ldapsearch... (cn="Smith,John")
Smith
Example: $cn[7]
When the view is invoked, the DSA replaces the example string with the first seven characters in the
value of the cn attribute.
04-May-2016 768/923
CA Directory - 12.0.18
ldapsearch... (cn="Smith,John")
Smith,J
Example: $3:cn
Immediately after running phase three of the view, the DSA replaces the example string with the
value of the cn attribute returned by phase three. The example string is only valid in phases four and
later.
Example: $2,3:cn
Using $2,3:cn in the following example uses $2:cn or $3:cn depending on which phase was invoked.
if ( condition )
{ (phase = 2) }
else
{ (phase = 3) }
...
(phase=2
subtree = $1:dn
...
This is a fragment of a set view command. Immediately after running phase one, the DSA replaces the
string $1:dn with the value of the DN of each search result returned in phase one. If phase one
returns multiple DNs, then phase two is run multiple times -- once for each DN result returned from
phase one.
...
(phase=2
subtree = $1:dn[3]
...
This is a fragment of a set view command. Immediately after running phase one, the DSA replaces the
string $1:dn[3] with the value of the first three RDNs of the DNs of each search result returned in
phase one. If phase one returns multiple DNs, then phase two is run multiple times -- once for each
DN result returned from phase one.
Example: subtree="uid=$1:uids,o=Democorp,c=AU"
...
(phase=2
subtree="uid=$1:uids,o=Democorp,c=AU"
...
04-May-2016 769/923
CA Directory - 12.0.18
This is a fragment of a set view command. Immediately after running phase one, the DSA replaces the
string $1:uid with the value of 'uids returned by the phase one search. If phase one returns multiple
DNs, then phase two is run multiple times: once for each DN result returned from phase one.
For example, if phase returns 12345 for the value of uid, then this fragment is exactly equivalent to
the following:
...
(phase=2
subtree="uid=12345,o=Democorp,c=AU"
...
If wait-for-multiwrite is set to true and you then use the dxserver stop command, the DSA stops
processing, but it does not exit if it still has multiwrite queues. When the multiwrite queues are
flushed, the DSA stops.
If wait-for-multiwrite is set to true and you want to force the DSA to stop, use the dxserver forcestop
command. This command deletes the multiwrite queue.
This will provide better granularity in timestamps (logs/entries). This will also reduce the chance of
MW-DISP conflict resolution where the same entry is updated at the same time.
true
Changes the Windows time resolution from 15.6 milliseconds to 1 millisecond.
The greater resolution provides greater granularity in timestamps for log messages. This change
also reduces the chance of MW-DISP update conflicts in which two updates occur at the same
time.
false
Leaves the Windows time resolution unchanged.
04-May-2016 770/923
CA Directory - 12.0.18
If the set write-precedence command is not present, updates follow the normal precedence, which is
defined by the order of the DSAs in the configuration file, or the set precedence command.
This command should appear once only in the configuration files that are sourced by any particular
DSA.
shutdown Command
This command has the following format:
shutdown;
Before you use the trace enable assoc command, use the get users command to find out the binding
number.
binding-number
Specifies the binding that you want to trace
04-May-2016 771/923
CA Directory - 12.0.18
This example shows how to disable all tracing, find out a binding number, and then trace all requests
and responses occurring on that binding:
Total Associations: 1
dsa> trace enable assoc = 2;
trace enable assoc = 2;
dsa>
unbind Command
The unbind command closes outgoing bindings to other DSAs. This command has the following
format:
all
Unbinds all outgoing bindings from this DSA.
04-May-2016 772/923
CA Directory - 12.0.18
dsa dsa-number
Unbinds all outgoing bindings from this DSA to the specified DSA.
You can find the dsa-number by using the get dsas command.
id.version
The agreement identification and version numbers (for example, 1.2).
Other Commands
DXadmind Commands
DXadmind is a background process that runs on each host that contains a DSA. DXmanager uses
DXadmind to communicate with the DSAs. The DXadmind on each host collects information for
DXmanager and manages the DSAs on that host on behalf of DXmanager.
The CA Directory installation process installs dxadmind, so dxadmind is started each time the
operating system starts up.
If you are having problems with DXmanager, you may need to monitor, start, or stop DXadmind.
dxadmind command
command
Specifies the command and is one of the following:
help [local]
Display basic configuration information.
install name
Install the service instance specified.
remove [name]
Uninstall the dxadmind service on the local host.
04-May-2016 773/923
CA Directory - 12.0.18
start [name]
Start the dxadmind service.
status [name]
Display the status of the dxadmind service.
stop [name]
Stop the dxadmind service.
level
Specifies the debug level
local
In local mode only one server is allowed in the XML configuration file and it is assumed to be the
current host. Local mode is for situations where no network interfaces are available.
dxadmind help
Config version
Lists the latest version of the configuration that DXadmind has received. You can compare this
number with the version shown in DXmanager.
DXadmind Port
Lists the port on which DXadmind listens for requests from DXmanager. You can change this port
using the dxadmind setup command.
DXmanager Host
Lists the IP address of the Management Server that DXadmind trusts. You can change this using
the dxadmind setup command.
Configured DSAs
Lists the DSAs from the configuration that exist on this host.
04-May-2016 774/923
CA Directory - 12.0.18
dxadmind start
dxadmind stop
trustedhost
Specifies the host computer that runs DXmanager.
Note: You can specify trustedhost using an IP address or using a host name. If you use the
host name format, then you must have reverse DNS lookups enabled on the DNS.
port
Specifies the port that DXmanager will use to access DXadmind. This must be the same as the
DXadmind port you specified in DXmanager.
password
(Optional) Specifies the password that DXmanager will use to access DXadmind. This must be the
same as the DXadmind password you specified in DXmanager.
DXwebserver Commands
The Directory Management components use Tomcat, which is an open-source web server. The
Tomcat web server is installed as CA Directory Web Server.
On Windows, use the Services window to control CA Directory Web Server. The DXwebserver
04-May-2016 775/923
CA Directory - 12.0.18
On Windows, use the Services window to control CA Directory Web Server. The DXwebserver
commands are useful for UNIX only.
dxwebserver start.
dxwebserver stop
dxwebserver status
Knowledge
This table lists the DXmanager configuration items that replace the parameters of the set dsa
command. This command sets the knowledge of a DSA.
The table shows the items in same order as in the set dsa command (see page 692).
04-May-2016 776/923
CA Directory - 12.0.18
04-May-2016 777/923
CA Directory - 12.0.18
GenericX500
Nexor
04-May-2016 778/923
CA Directory - 12.0.18
Nexor
GenericLdapV3
GenericLdapV2
MsActiveDirectory
Authentication levels must be consistent across CA Directory DSAs. For this reason, these options are
not available for Relay, Router, and Data DSAs
The table shows the items in same order as they appear in DXmanager.
04-May-2016 779/923
CA Directory - 12.0.18
Logging
This table lists the DXmanager configuration items that replace various set commands that define
limits for DSAs. For information about each item, find the relevant command in DSA Commands (see
page 653).
In this table, items are grouped by the log to which they apply.
Some set commands relate to two items in DXmanager. These commands are listed twice; once for
each matching DXmanager item.
04-May-2016 780/923
CA Directory - 12.0.18
logs
/$s_query.
log
set stats-log Enable Stats Log enabled Logging > Yes - - Yes
General
set stats-log Stats Log File logs/$s_stats. Logging > Yes Yes - Yes
log Advanced
set summary-log Enable Summary enabled Logging > Yes - - Yes
Log General
set summary-log Summary Log File logs Logging > Yes Yes - Yes
/$s_summary Advanced
.log
set time-log Enable Time Log - Logging > Yes - - Yes
General
set time-log Time Log File logs/$s_time. Logging > Yes Yes - Yes
log Advanced
time-log-search- Time Log Search Logging > Yes - - Yes
threshold Threshold General
time-log-update- Time Log Update Logging > Yes - - Yes
threshold Threshold General
set trace-log Enable Trace Log enabled Logging > Yes - - Yes
General
set trace-log Trace Log File logs/$s_trace. Logging > Yes Yes - Yes
log Advanced
trace Trace Level Error Logging > Yes - - Yes
General
rollover-trace- Rollover Trace Logging > Yes - - Yes
log Log General
set update-log Enable Update - Logging > Yes - - Yes
Log General
set update-log Update Log File logs Logging > Yes Yes - Yes
/$s_update. Advanced
log
update-log-show- Show Values in Logging > Yes - - Yes
values Update Log General
set warn-log Enable Warn Log enabled Logging > Yes - - Yes
General
set warn-log Warn Log File logs/$s_warn. Logging > Yes Yes - Yes
log Advanced
04-May-2016 781/923
CA Directory - 12.0.18
Password Policy
This table lists the DXmanager configuration items that replace various set commands that define the
password policy. For information about each item, find the relevant command in DSA Commands
(see page 653).
The table shows the items in same order as they appear in DXmanager.
04-May-2016 782/923
CA Directory - 12.0.18
Security >
Password Policy
password-max-length Max Length Security > Yes - Yes -
Password Policy
password-max-repetition Max Repetition Security > Yes - Yes -
Password Policy
password-max-substring- Max Substring Security > Yes - Yes -
repetition Repetition Password Policy
password-min-length- Min Length Repeated 2 Security > Yes - Yes -
repeated-substring Substring Password Policy
password-grace-logins Grace Logins Security > Yes - Yes -
Password Policy
password-proxy-user Proxy User Security > Yes - Yes -
Password Policy
password-username- Username Substring Security > Yes - Yes -
substring Password Policy
password-force-change Force Change Security > Yes - Yes -
Password Policy
password-allow-locking Allow Locking Security > Yes - Yes -
Password Policy
password-allow-ignore- Allow Ignore Expired Security > Yes - Yes -
expired Password Policy
password-allow-ignore- Allow Ignore Security > Yes - Yes -
suspended Suspended Password Policy
password-mimic-netscape- Mimic Netscape Security > Yes - Yes -
response-controls Response Controls Password Policy
password-netscape-op-attrs Netscape Op Attrs Security > Yes - Yes -
Password Policy
password-enforce-quality-on- Enforce Quality on Security > Yes - Yes -
reset Reset Password Policy
Settings
This table lists the DXmanager configuration items that replace various set commands for DSAs. For
information about each item, find the relevant command in DSA Commands (see page 653).
The table shows the items in same order as they appear in DXmanager.
04-May-2016 783/923
CA Directory - 12.0.18
dxgrid-db-size (enables DXgrid and Data Store Size rea read rea
hence replaces cache-attrs, cache- (MB) d- - d-
load-all, lookup-cache) onl only onl
y y
dxgrid-db-location Data Store data General > General Yes - - rea
Location d-
onl
y
dxgrid-tx-location Transaction File data General > General Yes - - -
Location
dxgrid-backup-location Backup File data General > General Yes - - -
Location
persistent-search Enable Persistent General > General Yes - Yes -
Search
busy-for-referral Busy For Referral General > General Yes - Yes -
dereference-alias-on-bind Dereference Alias General > General Yes - Yes -
on Bind
add-oc-parents ObjectClass As General > Advanced Yes - Yes -
prune-oc-parents Storage Sup
plie
d
alias-integrity Alias Integrity ena General > Advanced Yes - Yes -
bled
multi-chaining Multi Chaining ena General > Advanced Yes - Yes -
bled
ignore-name-bindings Ignore Name General > Advanced Yes - - -
Bindings
modify-on-add Write General > Advanced Yes - Yes -
ModifyTimestamp
during Add
return-oc-parents Return General > Advanced Yes - Yes -
ObjectClass
Parents
use-roles, use-dynamic-roles Use Roles Non Security > General - - Yes -
e
role-subtree Role Subtree Security > General - - Yes -
password-storage Password Storage sha- Security > General Yes - -
1
force-encrypt-anon Force Encrypt Security > General or Yes - Yes Yes
Anon Advanced
force-encrypt-auth Force Encrypt Security > General or Yes - Yes Yes
Auth Advanced
trust-sasl-proxy Trust SASL Proxy Security > Advanced Yes - Yes -
memberof-user-containers Member-Of User Security > Advanced Yes - Yes -
Containers
04-May-2016 784/923
CA Directory - 12.0.18
04-May-2016 785/923
CA Directory - 12.0.18
SSL Configuration
This table lists the DXmanager configuration items that replace the parameters of the set ssl
command. This command defines the SSL parameters of a DSA.
The table shows the items in same order as in the set ssl command (see page 751).
04-May-2016 786/923
CA Directory - 12.0.18
Class of Service
DISP Agreements
Referential Integrity
Search Profiles
Views
set dynamic-group
set exclude-addresses
set interrupt-searches
set paging-threshold
set query-log-advanced
set write-precedence
04-May-2016 787/923
CA Directory - 12.0.18
link-flags = siemens
trust-flags = allow-upgrading
Information Messages (see page 812) -- Interesting, but not necessarily a problem
You can configure which level of messages appears in a DSA's alarm log file.
Error Messages
Contents
DSA_E1000 DSA has invalid authenticationLevel (see page 789)
DSA_E1010 Bad tag itemOrUserFirst (see page 790)
DSA_E1060 Illegal specificationFilter (see page 790)
DSA_E1070 ProtectedItems allAttributeValues not allowed (see page 790)
DSA_E1080 ProtectedItems attributeValue not allowed (see page 790)
DSA_E1090 ProtectedItems selfValue not allowed (see page 790)
DSA_E1100 ProtectedItems No protected items (see page 791)
DSA_E1170 Unable to open pid file '$1' (see page 791)
DSA_E1180 Unable to write to pid file '$1' (see page 791)
DSA_E1200 DSA needs attention 'dsaname' (see page 791)
DSA_E1250 DSA stopping but multiwrite queues exist (see page 792)
DSA_E1260 DSA stopping but operations in progress. If running multiwrite then data may be out
of sync (see page 792)
DSA_E1280 Error in initialization files (see page 792)
DSA_E1290 No stack and no console (see page 792)
DSA_E1310 Cannot open local console (see page 792)
DSA_E1370 Fatal signal received (see page 793)
DSA_E1380 Cache is full - index limit reached ($1) (see page 793)
DSA_E1420 Online dump failed (see page 793)
04-May-2016 788/923
CA Directory - 12.0.18
The Error level is the highest level. These messages tell you that something serious has happened.
04-May-2016 789/923
CA Directory - 12.0.18
Solution:
Contact CA Support.
Solution:
Contact CA Support.
Solution:
Contact CA Support.
Solution:
Contact CA Support.
Solution:
Contact CA Support.
Solution:
04-May-2016 790/923
CA Directory - 12.0.18
Solution:
Contact CA Support.
Solution:
Contact CA Support.
On startup, the DSA could not create a PID file under DXHOME/pid.
Solution:
Ensure that the DSA user has write access to this directory.
On startup, the DSA could not write to the PID file under DXHOME/pid.
Solution:
Ensure that the DSA user has write access to this file.
A DSA is trying to contact another DSA to received replicated or chained (routed) requests. The
originating DSA produces this alarm after ten failed attempts to contact the target DSA.
Solution:
2. Check the network connection between the computers that host the two DSAs.
If the target computer has received a new IP address after it was restarted, restart the target DSA.
04-May-2016 791/923
CA Directory - 12.0.18
The DSA was forced to shut down while holding multiwrite queues of updates for peers.
Solution:
Manually resynchronize the multiwrite peer DSAs. For more information on how resynchronize a
multiwrite DSA, see the Administration Guide chapter on Replication.
DSA_E1260 DSA stopping but operations in progress. If running multiwrite then data may be out of
sync
Symptom:
The DSA was forced to shut down while operations were in progress.
Solution:
Solution:
The DSA trace log indicates the issue that needs to be resolved before the DSA can be started.
Solution:
Ensure that the host and the DSA are properly configured.
Solution:
Ensure that the port configured for the DSA console is not currently in use.
04-May-2016 792/923
CA Directory - 12.0.18
A memory fault has occurred and the DSA process has abnormally terminated.
Solution:
Contact CA support (http://www.ca.com/support). If core dumping is enabled, the core file produced
will greatly assist in investigating the fault.
Solution:
Use the set max-cache-index-size command to increase the cache index size to a value larger than the
required number of attributes, then restart the DSA.
The online backup of data from the DSA has been unsuccessful. This is usually caused by problems
with file creation or with disk space.
Solution:
Use the diagnostic information in the warn-log to work out what went wrong.
The DSA cache is no longer running. The most common reasons are:
Solution:
See the trace log to see why the cache was disabled.
DSA_E1495 A data file was specified but the cache did not start. Please ensure 'lookup-cache' is
enabled
Symptom:
04-May-2016 793/923
CA Directory - 12.0.18
When a DSA started, it detected that a DXgrid location has been defined but the cache has not been
enabled.
Solution:
Ensure that the following command is set when a DXgrid database has been defined:
When a DSA started, it detected that it is set to use the memberOf feature, but either a group or user
container is not defined.
Solution:
DSA_E1515 memberOf rollback failed for group update '$1'. memberOf data integrity will be
compromised
Symptom:
When a bulk update on a group that triggers multiple memberOf attribute updates in user entries
fails, the updates up to the point of failure are rolled back. This alarm is produced in the unlikely
event that the updates fail to rollback.
Solution:
If you see this alarm, check the data integrity to ensure that each user entrys memberOf attribute
correctly depicts group membership.
If this value is incorrect, users may have increased/reduced privileges in the application that uses the
memberOf feature.
DSA_E1960 Detected XML schema version '$1' but only support version '$2'
Symptom:
The DSA has detected an XML configuration file that is too new. The XML schema defines the
information held by DXmanager.
Solution:
Ensure that DXmanager has the same version of the XML schema as the DSAs that it manages.
The DSA is trying to register a port as the SNMP port to listen on, but the port is already being used.
04-May-2016 794/923
CA Directory - 12.0.18
The DSA is trying to register a port as the SNMP port to listen on, but the port is already being used.
Solution:
Solution:
Ensure that the interface address or hostname, and the port are valid and not currently in use.
Solution:
Contact CA Support.
Action:
Reduce the number of results returned by single searches by breaking them into a number of
separate, smaller searches, each returning part of the result. Also, consider increasing the amount of
virtual memory.
Solution:
Check the logs for diagnostic information. If this problem continues, contact CA support (http://www.
ca.com/support).
DSA_E2750 Multiwrite DSA failed to respond (May need to increase queue size)
Symptom:
In a multiwrite-DISP directory, replication to a third-party LDAP server using DXlink failed. After this
04-May-2016 795/923
CA Directory - 12.0.18
In a multiwrite-DISP directory, replication to a third-party LDAP server using DXlink failed. After this
failure, the multiwrite queue for the LDAP server was purged, so that all pending updates were
removed and no further updates will be replicated.
For this reason, we do not recommend using multiwrite-DISP when replicating to a third-party LDAP
server.
Solution:
To fix this problem, manually synchronize the third-party LDAP server and then restart the DSA that is
holding the queue.
Solution:
Solution:
Contact CA Support.
DSA_E2825 Multiwrite-DISP Received MW-DISP from a DSA that isn't configured as a multi-write
peer. Please check your configuration
Symptom:
The current DSA has been contacted by another DSA to synchronize via Multiwrite-DISP recovery,
however this DSA does not have multiwrite enabled.
Solution:
Ensure that all DSAs that share a prefix have the following configuration:
Enable multiwrite-DISP:
Enable multiwrite:
dsa-flags = multi-write
04-May-2016 796/923
CA Directory - 12.0.18
Solution:
None.
Solution:
Ensure that the prefix for the DSA is correct and is supported by the schema.
Solution:
Solution:
A DSA server file (.dxi) does not source a knowledge definition that describes the DSA being started.
In a text file based configuration, the .dxi file name does not match the knowledge file given by 'set
dsa name' and any source knowledge file/group.
In a DXmanager based configuration, a server file might have been updated without using
DXmanager. Doing this is not recommended.
Solution:
04-May-2016 797/923
CA Directory - 12.0.18
If you are using DXmanager, then ensure you use DXmanager to modify the server files.
If you are using knowledge files, ensure the DSA name of the .dxi file matches the label used in the
set dsa command.
The definition of the horizontal partition is not valid. The definition is missing one or square brackets
or angles brackets (chevrons).
Solution:
attr
Defines the naming attribute that is being partitioned.
hashn
Specifies the hash, and is one of the following:
hash1
hash2
total
Defines the number of partitions.
id
Specifies one partition, and is a number from zero to number of partitions - 1.
Solution:
Solution:
04-May-2016 798/923
CA Directory - 12.0.18
DSA_E3030 Partition criteria must be the same for each partition DSA $1
Symptom:
Not all DSAs in a horizontal partition set have the same hash definition.
Solution:
Ensure all DSAs in a horizontal partition set have the same hash definition.
Solution:
DSA_E3050 Partition count must be the same for each partition DSA $1
Symptom:
In a horizontally partitioned directory, one of the partition DSAs that service the same prefix is
configured with an incorrect number.
DSA 1: "[hash1(3)=0]"
DSA 2: "[hash1(4)=1]"
DSA 3: "[hash1(3)=2]"
Solution:
Check the count for each of the DSAs that make up the horizontal partition.
For example, every DSA that services the prefix "[hash1(3)=0]" must have a count of 3.
In a horizontally partitioned directory, the directory is divided into more than 30 partition DSAs.
Solution:
Reduce the number of partition DSAs that service the same prefix. You cannot divide a directory into
more than 30 partition DSAs.
04-May-2016 799/923
CA Directory - 12.0.18
In a horizontally partitioned directory, the number of partitions does not match number of partition
DSAs.
For example, this configuration below requires three DSAs to make up the horizontal partition but
only two DSAs have been configured:
DSA 1: "[hash1(3)=0]"
DSA 2: "[hash1(3)=1]"
Solution:
Check the prefix specified in the set dsa prefix command for each partition DSA. Ensure that a DSA
exists for the number of horizontal partitions configured in the count.
This alarm appears when one of the following rules of horizontal partitions is broken:
The first partition number is 0 and the other partition numbers increase by 1.
The last partition number is N-1, where N is the total number of partitions.
DSA 1: "[hash1(4)=1]"
DSA 2: "[hash1(4)=1]"
DSA 3: "[hash1(4)=3]"
DSA 4: "[hash1(4)=4]"
Solution:
Check the prefix specified in the set dsa prefix command for each partition DSA. Ensure that a DSA
exists for the number of horizontal partitions configured in the count.
DSA_E3130 Multiwrite Hub removal detected all queued updates will be lost
Symptom:
04-May-2016 800/923
CA Directory - 12.0.18
The DSA acting as the hub for a multiwrite group has been removed from the group. No other DSA in
the group is capable of taking over as the multiwrite group hub.
This can occur only when a single DSA services a multiwrite group.
Solution:
This error occurs when a multiwrite group contains only third-party LDAP servers.
Each multiwrite group must contain at least one DSA, which is the hub of the group. This hub is
responsible for replicating updates to all other LDAP servers and queuing updates if these should go
offline.
Solution:
For each multiwrite group that includes a third-party LDAP servers, include at least one DSA.
An alternative approach is to put each LDAP server in its own unique group.
A problem was detecting while applying a DISP update from a peer DSA.
Solution:
Use the diagnostic information in the warn-log to work out what went wrong.
Solution:
Use the diagnostic information in the warn-log to work out why the request was rejected.
04-May-2016 801/923
CA Directory - 12.0.18
DSA_E3400 Configuration DXmanager set values are redefining text-based configured values (see
warn-log for details)
Symptom:
Some configuration items are defined in text files. DXmanager redefines any text-based configuration
items it encounters.
Solution:
Use the warn-log to see which configuration items DXmanager found. For each item, use DXmanager
to apply that configuration again.
DSA_E3410 Configuration Text-based configured values are redefining DXmanager set values (see
warn-log for details)
Symptom:
You can define configuration items in DXmanager or in text-based configuration (files or DXconsole).
This message appears when an item that was defined in DXmanager has been redefined in a text file
or in DXconsole.
Solution:
We recommend you use DXmanager to define as many configuration items as possible. Use text files
or DXconsole to define only those configuration items that DXmanager does not yet support.
Warning Messages
Contents
DSA_W1390 '$1' erroneously appears in '$2.dp' (see page 803)
DSA_W1400 Cannot remove entries created by failed HP rename $1 (see page 804)
DSA_W1410 Cannot remove source images of HP-renamed entries $1 (see page 804)
DSA_W1430 DSA cache index almost exhausted ($1) (see page 804)
DSA_W1450 Cache is $1% full (see page 804)
DSA_W1830 LDAP Abandon Invalid invoke ID in UOW (see page 805)
DSA_W1890 DSA $1 has 'no-server-credentials' set (see page 805)
DSA_W1900 DXconsole connection alert now off. Successful DXconsole connections will no longer
produce any alerts. (see page 805)
DSA_W1910 check-roles-with-dsa-credentials is a deprecated command. Use the setting trust-dsa-
triggered-operations instead (see page 805)
DSA_W1920 check-unique-attrs-with-dsa-credentials is a deprecated command. Use the setting
'trust-dsa-triggered-operations' instead. (see page 805)
DSA_W1940 Setting trace level to 'asn' (see page 806)
DSA_W1970 Configuration Text-based configured value redefining item '$1' (see page 806)
DSA_W2000 Cannot initialise SNMP trap - no memory (see page 806)
DSA_W2020 Cannot create hash table - no memory (see page 806)
DSA_W2040 Cannot send SNMP response to $1 (see page 806)
04-May-2016 802/923
CA Directory - 12.0.18
The Warning level is less serious than the Error level. Warning messages tell you that something
important has happened, but it might not be a problem.
The DXgrid DISP file (.dp) file for the current DSA is invalid. It contains the current DSA as a target.
This file appears to have been copied from another DSA. This may signify an incorrect disaster
recovery procedure.
Solution:
04-May-2016 803/923
CA Directory - 12.0.18
When a rename occurs between horizontal partition DSAs, this is performed via an ADD (target DSA)
and a REMOVE (current DSA).
This error is produced when the ADD was rejected, which causes the entire rename to fail.
Solution:
Check the logs for the target DSA to see why the ADD operation of the renamed entry was rejected.
When a rename occurs between horizontal partition DSAs, this is performed via an ADD (target DSA)
and a REMOVE (current DSA).
This error is produced when the ADD operation was successful but the REMOVE was rejected, which
causes the entire rename to fail.
Solution:
Check the logs for the target DSA to see why the REMOVE operation of the renamed entry was
rejected.
The DSA index is growing and has almost the maximum number of values it can hold.
Solution:
Consider increasing max-cache-index-size to a value larger than the required number of attributes.
You need to restart the DSA after changing max-cache-index-size for the new setting to take effect.
This indicates how full the cache is, as a percentage of the value of max-cache-size.
Solution:
If the cache is nearing 100%, then consider increasing max-cache-size. You need to restart the DSA
after changing max-cache-size for the new setting to take effect.
04-May-2016 804/923
CA Directory - 12.0.18
Solution:
Contact CA Support.
Solution:
DSA_W1900 DXconsole connection alert now off. Successful DXconsole connections will no longer
produce any alerts.
Symptom:
Normally, you turn the DSA console connection alerts on for auditing requirements. This message
alerts the user that somebody has turned these off, which may be a breach of security.
Solution:
Use the command set dxconsole-connect-alert to turn DSA console alerts off or on.
Solution:
Solution:
04-May-2016 805/923
CA Directory - 12.0.18
Trace level has been set to asn. Normally this trace level is only used for debugging purposes.
Solution:
Be aware that using the trace level 'asn' can cause password information to be written to the DSA log
files.
Solution:
Action:
Reduce the number of results returned by single searches by breaking them into a number of
separate, smaller searches, each returning part of the result. Also, consider increasing the amount of
virtual memory.
Action:
Reduce the number of results returned by single searches by breaking them into a number of
separate, smaller searches, each returning part of the result. Also, consider increasing the amount of
virtual memory.
Solution:
04-May-2016 806/923
CA Directory - 12.0.18
Solution:
Ensure the network is properly configured and that the SNMP client is available.
The DSA failed to accept a new call. The message includes the reason for the failure.
Solution:
The DSA console rejected a connection request because it already has a connection.
Solution:
Solution:
Ensure the user is a configured DSA console user and the password is correct.
If these messages appear frequently, this may indicate an attack from a malicious user trying to gain
DSA console access.
The password supplied does not match the configured DSA console password.
Solution:
Ensure password is correct. If these appear frequently may indicate an attack from a malicious user
trying to gain DSA console access.
DSA_W2530 DISP bind failure DISP agreement authentication level is not supported by DISP
responder
Symptom:
The DISP agreement uses an authentication level that does exist on the link between the sender and
04-May-2016 807/923
CA Directory - 12.0.18
The DISP agreement uses an authentication level that does exist on the link between the sender and
responder.
Solution:
Ensure that the DISP initiator and responder are using the same authentication level.
Solution:
Ensure that the DISP is properly configured and that the DISP initiator can contact the DISP
responder.
Solution:
Contact CA Support.
Solution:
Contact CA Support.
The DSA failed to retrieve the last time it updated a peer DSA. It will periodically retry to get the last
update time.
Solution:
04-May-2016 808/923
CA Directory - 12.0.18
Solution:
The LDAP URL specifies the location of role members. The URL must have the following form, as
specified in RFC 2255:
ldap:///<filter>
When multiwrite-DISP is enabled, the DISP file .dp is updated when synchronization with a DISP peer
has been successful or during successful replication.
This message is produced when the update of this file fails. This can happen for these reasons:
Solution:
Ensure that the DSA user has write permissions for the .dp files and for the parent directory of these
files.
The multi-write queue for the DSA specified in the message is filling up.
Solution:
The DSA failed to update a peer DSA using multiwrite DISP. This usually occurs when a DSA is not
properly configured, for example, there may be authentication or address problems.
Solution:
04-May-2016 809/923
CA Directory - 12.0.18
The DSA received an update from a MW-DISP peer. The DSA could not apply the update because it
has run out of memory.
Solution:
Ensure that the system has enough memory to allow multiwrite-DISP recovery to complete.
The DSA tried to replicate an update, or to flush a multiwrite queue, to a multiwrite peer DSA, but it
cannot contact the peer.
Solution:
DSA_W2730 "Multiwrite-DISP Attempt to receive update from '$1' failed - cannot connect
Symptom:
The DSA tried to replicate to a peer using multiwrite DISP, but it cannot contact the peer DSA.
Solution:
Solution:
None.
The multiwrite queue to the peer DSA in the message has been purged but multiwrite is enabled. The
source DSA will use multiwrite DISP (instead of multiwrite) to update the peer DSA.
Solution:
Ensure that the peer DSA is running and reachable, so that multiwrite DISP can resynchronize data
and multi-write replication can continue normally.
04-May-2016 810/923
CA Directory - 12.0.18
Solution:
Contact CA Support.
Solution:
Contact CA Support.
The role-based allow search label for the current user does not exist in the DSA's configuration.
Solution:
Ensure that the allow-search labels used for the role-based dxAllowSearch attribute exist in the allow-
search list.
Solution:
Create a password policy control. See LDAP Controls, in Connect to LDAP clients in the Administration
Guide.
An attempt was made to add a duplicate attribute value but unique-attrs is set.
Solution:
None required.
DSA_W2930 Views phase $1 search for view $2 is marked result-required but did not return a result
Symptom:
04-May-2016 811/923
CA Directory - 12.0.18
Solution:
DSA_W3100 Multiwrite multi-write-group rename ignored, please restart DSAs to incorporate this
change
Symptom:
The configuration has been updated to change the name of a multiwrite group.
Solution:
Follow these steps after you change the name of a multiwrite group:
1. Wait until the change has been pushed to all DSAs that are affected by the name change.
Information Messages
Contents
DSA_I1020 UserClasses ignoring UniqueIdentifier (see page 813)
DSA_I1030 acf_copyUserClasses duplicate group (see page 813)
DSA_I1150 DXgrid file usage $1 (see page 813)
DSA_I1220 DSA started $1 (see page 813)
DSA_I1230 DSA reloading configuration (see page 813)
DSA_I1240 DSA shutting down (see page 814)
DSA_I1340 DSA has been forced to shutdown (see page 814)
DSA_I1350 DSA shutting down as queues have flushed (see page 814)
DSA_I1360 DSA received command to stop (see page 814)
DSA_I1880 Loading XML model version $1 $2 (see page 814)
DSA_I2010 SNMP Requested community not supported $1 (see page 815)
DSA_I2200 Mutex $1 from $2 held too long (see page 815)
DSA_I2210 Thread $1 ran continuously in the last minute (see page 815)
DSA_I2450 Accepted console request from $1 (see page 815)
DSA_I2490 Accepted console request for user $1 from $2 (see page 816)
DSA_I2690 Multiwrite-DISP Peer '$1' updated (see page 816)
DSA_I2695 Multiwrite-DISP Update from '$1' applied (see page 816)
DSA_I2830 Clearing multiwrite queue $1 (see page 816)
DSA_I2850 Aborting all non-peer connections (see page 816)
DSA_I3110 Multiwrite Removing multi-write queue '$1' (see page 817)
DSA_I3120 Multiwrite Hub removal detected (see page 817)
DSA_I3300 DISP Update from peer '$1' applied (see page 817)
DSA_I3320 DISP Peer '$1' updated (see page 817)
The Information level is the lowest level. Information messages tell you that something interesting
has happened, but it is probably not a problem.
04-May-2016 812/923
CA Directory - 12.0.18
has happened, but it is probably not a problem.
When the DSA applies ACLs on names using the NameAndOptionalUID syntax, it ignores the UID part
of the name.
Solution:
None.
Solution:
Contact CA Support.
This alarm is added to the alarm log at startup. It reports on data store size ($1), used bytes ($2, $3),
and reclaimable bytes ($4).
Solution:
Solution:
None.
Solution:
None.
04-May-2016 813/923
CA Directory - 12.0.18
Solution:
None.
(Windows) The DSA was shut down with the forcestop option. All updates were successfully
replicated.
Solution:
None.
The DSA has flushed its multiwrite queues and is now safely shutting down.
Solution:
None.
Solution:
None.
Solution:
None.
04-May-2016 814/923
CA Directory - 12.0.18
The DSA is using a snmp-poll-community string, and the SNMP client is polling using an incorrect
community.
Solution:
Ensure that the SNMP client uses the community string configured for the DSA. Use the commands
set snmp-poll-community and set snmp-trap-community.
A mutual exclusion lock (mutex) should only be held briefly by any one process. If a mutex is held too
long, then DXserver performance can suffer.
Solution:
This message occurs when the DSA is under an extreme load, which can occur in the following
conditions:
In a data DSA to which requests coming into a router come through a single DSP link.
Solution:
If this occurs frequently and response times are impacted, try these options:
Ensure your system has enough CPUs and memory to handle extreme load.
Solution:
None.
04-May-2016 815/923
CA Directory - 12.0.18
Solution:
None.
Solution:
None.
Solution:
No action required.
This is a notification that a user has issued the command clear multi-write-queue.
Solution:
If you issue the clear multi-write-queue command and want to synchronize multiwrite DSAs, you
need to do the synchronization manually.
A multiwrite DSA has received a notification to shut down. If the DSA receives an update request
during its shutdown process, the DSA cannot replicate those updates.
To ensure that no updates are received during the shutdown process, the DSA discards non-peer
connections, including connections to applications and routers.
This situation is fairly rare, and occurs because the network connections are repeatedly breaking and
reforming.
04-May-2016 816/923
CA Directory - 12.0.18
Solution:
A configuration change has occurred that has caused a multiwrite peer to be removed. The current
DSA will no longer replicate to that peer DSA.
Solution:
No action required.
The DSA that was a hub of the current multiwrite group has been re-configured in one of these ways:
The updates have been moved to another DSA in the multiwrite group that is capable of taking over
as the hub.
Solution:
No action required.
Solution:
No action required.
Solution:
No action required.
04-May-2016 817/923
CA Directory - 12.0.18
These errors occur when there are inconsistencies with the Windows Installer DLL.
This usually occurs because a reboot was not performed when Windows Installer was upgraded. This
problem can also occur when you are upgrading from eTrust Directory 3.6.
Solution:
To prevent this problem from occurring or to fix this error if it has already happened, use the CA
Directory Cleanup tool, which is located under Unsupported on the CA Directory installation CD. To
run this tool, use the following command:
CleanReg.exe -fixup267
This error appears when the registry has rogue entries under the Windows Installer areas. These are
usually from an aborted or failed uninstallation.
Solution:
Use the CA Directory Cleanup tool, which is located under Unsupported on the CA Directory
installation CD.
CleanReg.exe -all
This error can occur when you install CA Directory using commands.
Solution:
All paths specified in the VALUE must have quotes if they contain spaces. For example, FOLDER="c:
04-May-2016 818/923
CA Directory - 12.0.18
All paths specified in the VALUE must have quotes if they contain spaces. For example, FOLDER="c:
\Program Files\CA"
DXHOME
|__ bin
|__ config
| |__ access
| |__ autostart (UNIX only)
| |__ knowledge
| |__ limits
| |__ logging
| |__ replication
| |__ schema
| |__ servers
| |__ settings
| |__ ssld
|__ data
|__ install (UNIX only)
|__ logs
|__ pid
|__ samples
|__ uninstall (UNIX only)
bin
Holds all binary executables and batch files for CA Directory.
config
Holds the current configuration files, and some Readme files for your reference. DSAs always start
with the configuration information stored in this directory. We recommend that you give read-
only permissions to files in these directories to prevent accidental overwriting.
Each subdirectory contains the configuration file(s) that deal with a component of the
configuration.
access
Holds configuration files that specify access control rules.
autostart
(UNIX only) Tracks the DSAs that must start at the same time as the operating system.
knowledge
Holds the knowledge files for DSAs if DXmanager is not used.
04-May-2016 819/923
CA Directory - 12.0.18
limits
Holds configuration files that specify administrative limits, such as size limits and time limits.
logging
Holds configuration files that specify trace levels and log file names.
replication
Holds configuration files that specify replication agreements.
schema
Holds configuration files that specify schema definitions.
servers
Holds initialization files that specify startup information. An initialization file must exist for
each DXserver on the host computer.
settings
Holds configuration files that specify operational settings and controls.
ssld
Holds .pem certificates for trusted CA and server entities.
data
Holds the data store file (.db) for each DSA.
install
(UNIX, for CA Directory use only) Contains installation files and environment information.
logs
Holds all log output for CA Directory. You can specify another directory.
pid
(CA Directory use only) Contains information about currently running processes. The pid directory
is empty immediately after an installation, but when the services are run, files are created in that
directory.
samples
Contains demonstration utilities and test script files. Each sample has its own subdirectory and an
associated Readme file.
uninstall
(UNIX only) Contains uninstallation scripts.
LDIF
LDIF is a format suitable for describing directory information or changes to be made to directory
information.
04-May-2016 820/923
CA Directory - 12.0.18
LDIF files are text files that store directory information in LDIF. You can use LDIF files to transfer
directory information between LDAP directory servers or to describe a set of changes to be applied to
a directory.
LDIF is defined in the Internet standard RFC 2849. For more information about LDIF, see the draft RFC
available at the IETF home page (http://www.ietf.org).
Each record describes a directory entry or a set of changes to a directory entry. These two types of
records cannot be mixed in an LDIF file.
Information only
If you want to do any of the following tasks, use an information-only LDIF file:
The first line of an entry is the distinguished name (dn). The rest of the entry is made up of attribute
value pairs, separated by a colon (:) and a space.
04-May-2016 821/923
CA Directory - 12.0.18
dn: distinguished-name
attribute-type : attribute-value
attribute-type : attribute-value...
This example shows two LDIF records. An LDIF file that contains these records could be used to load
these two entries into a directory:
version: 1
dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
objectclass: top
objectclass: person
cn: Barbara Jensen
sn: Jensen
changetype: add
changetype: delete
changetype: modify
version: 1
dn: distinguished-name
changetype: modrdn
newrdn: name
[deleteoldrdn: 0|1]
[newsuperior]
This example shows a single entry, for which the title will be replaced:
04-May-2016 822/923
CA Directory - 12.0.18
version: 1
dn: cn=Murray HORSFALL, ou=Repair,ou=Operations,o=Democorp,c=AU
changetype: modify
replace: title
title: Chief Information Officer
version: 1
dn: cn=Murray HORSFALL, ou=Repair,ou=Operations,o=Democorp,c=AU
changetype: modify
replace: title
title: Chief Information Officer
-
add: telephone
telephone: 797 8888
-
delete: description
-
replace: postalAddress
postalAddress: 173 Toorak Rd $ South Yarra
postalCode: 3066
Modern LDIF files all have a version number at the top of the file, which is almost always version: 1.
Some older LDIF files do not have this, but they follow the same general rules.
Unicode strings are encoded in base-64 form, which is not human-readable. The base-64 data is
converted back into the original data when the LDIF file is read into a program, such as the DXloaddb
tool.
dn:: b3U95Za25qWt6YOoLG89QWlyaXVz
04-May-2016 823/923
CA Directory - 12.0.18
objectclass: top
objectclass: organizationalUnit
ou:: 5Za25qWt6YOo
Binary Data
An LDIF file stores the binary data that is stored in the entry. For example, an entry might include a
JPEG photo or a certificate.
The information contained in a data file is a list of values. To give meanings to these values, you must
specify what the values in each field represent. To do this, define an LDIF template (LDT) file.
The LDT files describe the objects contained in the directory. The LDT file follows the LDIF file format,
which is used to add directory information to the data values. An LDIF file consists of a series of
records separated by blank lines. A record consists of a sequence of lines describing a directory entry.
Special substitution tokens are used to place fields from the CSV file into the LDT.
Each line in the LDT file defines a rule that links a field in a CSV data file to a directory attribute or
name with an object description. These rules let the tools translate CSV file information into LDIF file
formats.
use the $ character to denote a column in the source csv file. For example $2 gets replaced with the
contents of the entry in second column in the csv file. If the escape character (\) precedes the $
character the the $ symbol is interpreted literally. Use \\ to represent the \ character.
Using substitution tokens in the DN line lets you specify leaf nodes and their parents. You can
therefore infer hierarchy from the original CSV data. You must explicitly code parent objects in the
template file, and they must appear in increasing-depth order in the file before any definition of leaf
objects.
To specify a literal number following immediately after a substitution token, use the three-digit form
of the token as in the following example:
...
Description: $00199 \$ $2 \$ $3
...
04-May-2016 824/923
CA Directory - 12.0.18
When this LDT file is interpreted, the csv2ldif program looks at the first three digits after the $ for the
column number. In this example, it interprets $00199 to mean find the $001 column of the CSV to
substitute, that is column one, and append the characters "99" to it. If you use $199 it substitutes the
value from the 199th column of the CSV.
CSV
Contents
Example CSV Data File (see page 825)
A source data file is a comma-separated list of values. Each source data (CSV) file can contain many
lines, and each line in the file should contain information about a single object or entry.
While the default separator is a comma, the DXtools support the use of alternative and user-defined
separators.
You should enclose embedded commas within quotes. For example, if Tom Smith's address is
contained as a single field, you can include embedded commas in the single address field:
04-May-2016 825/923
CA Directory - 12.0.18
Ian,Hall,Boilermaker,Manufacturing,987 6510
Linda,Bates,Accountant,Administration,987 6511
Sam,Campbell,Welder,Manufacturing,987,6510
Limits
Limits That You Can Change
Limit the Number of Index Entries
Use the set max-cache-index-size Command (see page 711) to limit the number of entries in the
cache index.
Service Limits
You can set limits on the searches that a DSA can perform.
Note: If the DSA tests a user request against any search profile, then it will ignore the limit
list and limit search configuration items for that request. For more information, see Using
Search Profiles.
Description of the Limit How to Set the Limit Default If Limit Is Not
Changed
Prevent a DSA from accepting list requests Specify the Limit list List requests are not
Prevents a superior DSA from sending list configuration item in prevented
requests to this DSA. DXmanager
Prevent a DSA from accepting lengthy Specify the Limit search Search requests are
search requests. configuration item in not limited
Prevents another (superior) DSA from DXmanager
sending lengthy search requests to this
DSA
Limit the DSA to only exact searches Specify the Limit search exact con The DSA is not limited
figuration item in DXmanager to only exact searches
Prevent all DSAs that service a namespace Set the Read Only configuration The DSAs accept
from accepting update requests item in DXmanager update requests
Prevents a router DSA from sending
update requests to these DSAs
04-May-2016 826/923
CA Directory - 12.0.18
Operations Limits
What Is Limited How to Set the Limit Default If
Limit Is Not
Changed
Number of entries The service limit set by the client, or if this is not given, the role- 10000
that a search or list based administrative limit dxSizeLimit, or if this is not set, the set
can return max-op-size Command (see page 711)
Time that a non- The service limit set by the client, or if this is not given, the role- 600
update operation based administrative limit dxTimeLimit, or if this is not set, the set
can continue to run max-op-time Command (see page 711)
Number of set credits Command (see page 691) 5
concurrent
operations per user
Bindings Limits
What Is Limited How to Set the Limit Default If Limit Is
Not Changed
Number of concurrent bindings set max-users Command 255
(see page 712)
Time that a DSA keeps a binding before closing it set max-bind-time Command No limit
(see page 710)
Time that a binding can remain idle before being set user-idle-time Command 3600
eligible to be closed. (see page 762)
Time that a DSP binding between DSAs remains The DSP Idle Time setting in 600
idle before the DSA closes it. DXmanager
04-May-2016 827/923
CA Directory - 12.0.18
You can only use the commands listed here if you have enabled password policies, with the set
password-policy Command (see page 731).
04-May-2016 828/923
CA Directory - 12.0.18
Logging Limits
What Is Limited How to Set the Limit Default If Limit
Is Not Changed
Minimum duration of the compare and search set time-log-search- No limit
operations that you want to see in the time log threshold Command (see
page 756)
Minimum duration of the add, modify, moddn, and set time-log-update- No limit
remove operations that you want to see in the time threshold Command (see
log page 756)
Other Limits
What Is Limited How to Set the Limit Default If Limit Is Not
Changed
Size of a protocol data unit acceptable set max-pdu-size Command (see 0 (unlimited)
by DSAs page 712)
04-May-2016 829/923
CA Directory - 12.0.18
Data Limits
What is Limited Description Value
Number of There is no restriction on the number of searchable characters in
searchable DSAs.
characters in an
attribute value
Number of UNIX shells and the Windows command line may limit the number
characters in of characters in a single command.
commands This can a problem if you want to set the installation destinations
for many CA Directory components.
To avoid using a very long command, use the ETRDIRBASEPATH
argument to set the location for the entire installation, instead of
setting the location of each component separately.
Maximum attribute This is sometimes called the Maximum Binary Large Object (BLOB) 59 MB
value size size.
Size of attribute The largest LDAP request that a DSA can accept is limited. 30 MB
values in an LDAP
request
Size of integer The largest integer syntax value is limited. 4B
attribute values
Number of This is the maximum number of values in a particular attribute in a More than
attribute values per single entry. one
attribute in an Note: Performance will degrade significantly (especially for updates) hundred
entry if some entries have large numbers of attribute values. million
Namespace Limits
What is Limited Description Value
Size of RDNs There is no restriction on the length of RDNs. No
limit
Depth of namespace tree The maximum depth of a Namespace in a single DSA is determined 19-
in a single DSA by the number of entries in the DSA. 56
DSA Limits
What is Limited Description Value
Number of entries in a DSA CA Directory can cope with enormous numbers More than one
of entries. hundred million
Number of DSAs in a CA Directory can cope with enormous numbers Hundreds
backbone of DSAs.
Number of replicated DSAs in CA Directory can cope with enormous numbers Hundreds
a backbone of replicated DSAs.
04-May-2016 830/923
CA Directory - 12.0.18
Some of the schemas are referenced in config/schema/dxmanager.dxg. If you source this file in a
DSA's initialization file, the schemas listed will be available to the DSA.
The following table lists the schema files that are supplied in the config/schema folder.
04-May-2016 831/923
CA Directory - 12.0.18
CA Directory also supports some attribute syntaxes defined in ACP 133. These are marked with * in
the list below.
audio jpeg
binary mhsDLSubmitPermission*
bitString* mhsORAddress*
boolean mhsORName*
caseExactIA5String nameAndOptionalUID
caseExactString numericString
caseIgnoreAlphaString* objectIdentifier
caseIgnoreIA5String octetString
caseIgnoreList postalAddress
caseIgnoreString preferredDelivery
certificate presentationAddress
certificateList printableString
distinguishedName printableStringList*
enumerated* rIParameters*
facsimileNumber telephoneNumber
04-May-2016 832/923
CA Directory - 12.0.18
fax teletexTerminalId
generalizedTime telexNumber
guide uTCTime
integer
The detailed conformance of the CA Directory DSA with DAP, DSP, DISP, and LDAP protocols are
documented in the Protocol Implementation Conformance Statement (PICS) and Internationalisation
Profiles (ISPs) response document.
X.500 Standards
Contents
Standards (see page 833)
PICS (see page 834)
Standards
CA Directory supports all the mandatory requirements of the following standards:
04-May-2016 833/923
CA Directory - 12.0.18
Recommendation Title
X.500, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
1 (1993) Overview of Concepts, Models, and Services
X.501, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
2 (1993) Models
X.511, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
3 (1993) Abstract Service Definition
X.518, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
4 (1993) Procedures for Distributed Operation
X.519, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
5 (1993) Protocol Specifications
X.520, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
6 (1993) Selected Attribute Types
X.521, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
7 (1993) Selected Object Classes
X.509, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
8 (1993) Authentication Framework
X.525, ISO/IEC 9594- Information technology - Open Systems Interconnection - The Directory:
9 (1993) Replication
X.501 Corrigendum Information technology - Open Systems Interconnection - The Directory:
1 (03/2000) Models
Technical Corrigendum 1
X.501 Corrigendum Information technology - Open Systems Interconnection - The Directory:
2 (02/2001) Models
Technical Corrigendum 2
PICS
The Protocol Implementation Conformance Statement (PICS) documents consist of the main
document plus four attachments detailing how CA Directory DSAs conform with DAP, DSP, DISP, and
LDAP.
04-May-2016 834/923
CA Directory - 12.0.18
LDAP Standards
Contents
LDAP RFCs (see page 836)
Internet Drafts (see page 836)
PICS (see page 836)
Conformance Tests (see page 837)
Identrus Certifications (see page 837)
Open Group Certifications (see page 837)
Industry Extensions (see page 838)
CA Directory supports all of the significant LDAP Request for Comments (RFCs). Support for other
LDAP standards will be included as they gain industry acceptance.
04-May-2016 835/923
CA Directory - 12.0.18
LDAP RFCs
CA Directory supports all the significant LDAP Requests for Comment (RFCs). These are listed in the
following table:
Internet Drafts
To read these drafts, see the IETF home page (http://www.ietf.org).
PICS
The LDAP PICS is listed with the X.500 PICS (see page 834).
04-May-2016 836/923
CA Directory - 12.0.18
Conformance Tests
The LDAP protocol is tested with the following conformance tests:
Test Description
Suite
BLITS CA Directory has been tested against the Basic LDAP Version 3 Interoperability Test Suite.
For more information, see http://www.opengroup.org.
PRO CA Directory has been tested against the PROTOS protocol security test suite for LDAP, which
TOS was made prominent by CERT.
See the CERT Advisory page (http://www.cert.org/advisories/CA-2001-18.html).
VSLD CA Directory has been tested against the VSLDAP test suite. VSLDAP is The Open Groups test
AP suite for servers of the Lightweight Directory Access Protocol (LDAP) Version 3.
See http://www.opengroup.org for more information.
Identrus Certifications
CA Directory is fully certified by Identrus for authentication of digital identities.
See http://www.identrust.com/company/press_releases/archives/release_030709.html.
BASE profile
This is a compulsory requirement
STANDARD profile
This is an optional requirement, but the conformance statement must state whether the product
implements the features of the STANDARD profile.
eTrust Directory r8.1 is 2.2 LDAP certified V2.2 and implements both the BASE and STANDARD
features.
The following table lists the platforms on which eTrust Directory r8.1 is certified:
04-May-2016 837/923
CA Directory - 12.0.18
Industry Extensions
CA Directory supports the following industry extensions made popular by other LDAP products:
Management Standards
Contents
ISO Standards (see page 838)
ISO Corrigendum (see page 839)
Management RFCs (see page 839)
ISO Standards
The CA Directory supports the following industry standards for management:
Standard Title
Recommendation X. Data communication networks: Open Systems interconnection (OSI);
711 Management Common Management Information Protocol Specification for
CCITT applications (1991)
Recommendation X. Information technology - Open Systems Interconnection - Structure of
720 ISO/IEC IS Management Information - Part 1: Management Information Model
10165-1
ISO/IEC CD 9594-10 Information technology - Open Systems Interconnection - The Directory: Use of
Systems Management for Administration of the Directory
04-May-2016 838/923
CA Directory - 12.0.18
ISO Corrigendum
Recommenda Title
tion
X.711 Information technology - Open Systems Interconnection - Common management
Corrigendum information protocol: Specification Technical Corrigendum 1
1 (03/1999)
X.711 Information technology - Open Systems Interconnection - Common management
Corrigendum information protocol: Specification Technical Corrigendum 2: Revision to include ASN.
2 (02/2000) 1: 1997 ITU-T
Management RFCs
RF Title Comments
C
85 Telnet Protocol Specification (May 1983) Obsoletes: NIC 18639 and STD0008
4 Status: Standard
11 Structure and Identification of Management Information Obsoletes RFC1065 Also STD0016
55 for TCP/IP-based Internets (May 1990) Status: Standard
11 Simple network management protocol(SNMP). (May Obsoletes RFC1098 Also STD0015
57 1990) Status: Standard
12 Concise MIB Definitions (March 1991) Obsoletes STD0016
12 Status: Standard
12 Management Information Base for Network Obsoletes RFC1158) Updated by
13 Management of TCP/IP-based internets: MIB-II (March RFC2011, RFC2012, RFC2013, and
1991) STD0017
Status: Standard
15 X.500 Directory Monitoring MIB (January 1994) Obsoleted by RFC2605
67 Status: Proposed standard
04-May-2016 839/923
CA Directory - 12.0.18
Security Standards
St Title Comment
a
n
d
ar
d
SS The SSL Status: IETF Internet Draft
L Protocol
V Version 3.0
3. (Nov 1996)
0
P PKCS #11 v2. This is an "RSA Security Inc. Public-Key Cryptography Standards (PKCS)"
K 11:
C Cryptographic
S Token
# Interface
1 Standard
1 (November
2001)
P PKCS 12 v1.0: This is an "RSA Security Inc. Public-Key Cryptography Standards (PKCS)"
K Personal
C Information
S Exchange
# Syntax
1 Standard (June
2 1999)
R The TLS Status: Proposed standard
F Protocol
C Version 1.0
2
2
4
6
P PKCS #11 v2.11 This is an "RSA Security Inc. Public-Key Cryptography Standards (PKCS)"
K Amendment 1
C (August 2002)
S
#
1
1
A
P PKCS #12 v1.0 This is an "RSA Security Inc. Public-Key Cryptography Standards (PKCS)"
K Technical
C Corrigendum
S (February
# 2000)
1
04-May-2016 840/923
CA Directory - 12.0.18
2
T
C
FI SECURITY CA Directory r12 and later utilizes an embedded cryptographic module that has
P REQUIREMENTS been validated as meeting the Federal Information Processing Standards (FIPS)
S FOR 140-2 Security Requirements for Cryptographic Modules. This module (RSA
1 CRYPTOGRAPHI BSAFE Crypto-C ME) provides all of the cryptographic services in the CA Product.
4 C MODULES The validation certificate number for this module is #608.
0-
2
FI DIGITAL CA Directory r12 and later utilizes an embedded cryptographic module (RSA
P SIGNATURE BSAFE Crypto-C ME) that has been validated as meeting FIPS 140-2 Security
S STANDARD Requirements for Cryptographic Modules.
1 (DSS) 2000
8 January 27 The validation for FIPS140-2 includes certification of DSA (Cert. #143); RNG (Cert.
6- #130); ECDSA (Cert. #11). These algorithms are required by FIPS 186 and hence
2 supports the implementation of a DSS solution.
Errata Title
DSML 2.0 Directory Services Markup Language v2.0 Errata
Hashing Formats
For explanations of the cryptographic terms used in the following sections, refer to TLS Request For
Comments (RFC) 2246:
Hashing formats for the DSA console password (see page 842)
04-May-2016 841/923
CA Directory - 12.0.18
SHA
(Default) Hashes the password using the SHA-1 algorithm.
SSHA
Hashes the password using the Salted SHA-1 algorithm. This algorithm produces a different hash
even for the same clear text password, which is more secure.
SHA512
Hashes the password using the SHA-512 algorithm.
SSHA512
Hashes the password using the Salted SHA-512 algorithm. This algorithm produces a different
hash even for the same clear text password, which is more secure.
MD5
Hashes the password using the Message Digest algorithm.
SMD5
Hashes the password using the Salted Message Digest algorithm.
CRYPT
Hashes the password using the UNIX crypt method.
CADIR
Hashes the password using a reversible obfuscation algorithm. Use this option to hash a password
before including it in a knowledge file in the dsa-password or ldap-dsa-password configuration
items. This protects the password from users who have access to the computer running the DSA.
SHA
(Default) Hashes the password using the SHA-1 algorithm.
SSHA
Hashes the password using the Salted SHA-1 algorithm. This algorithm produces a different hash
even for the same clear text password, which is more secure.
SHA512
Hashes the password using the SHA-512 algorithm.
SSHA512
Hashes the password using the Salted SHA-512 algorithm. This algorithm produces a different
hash even for the same clear text password, which is more secure.
MD5
04-May-2016 842/923
CA Directory - 12.0.18
MD5
Hashes the password using the Message Digest algorithm.
SMD5
Hashes the password using the Salted Message Digest algorithm.
CRYPT
Hashes the password using the UNIX crypt method.
To protect communications links, CA Directory can use SSL encryption. The supported encryption
techniques are listed below.
get ciphers
This command lists the cipher suites supported by CA Directory. Each row in the list describes one
supported cipher.
For example, the following row in the output describes the DHE-RSA-AES128-SHA cipher suite:
04-May-2016 843/923
CA Directory - 12.0.18
US Government Standards
The following sections describe the extent to which CA Directory conforms to standards and
programs required by the US government.
Keyboard Access
To be able to operate all CA Directory functionality without using a mouse
Assistive Devices
To be able to operate all CA Directory functionality with assistive technology such as a screen
reader
04-May-2016 844/923
CA Directory - 12.0.18
Its purpose is to allow users to specify their security requirements, to allow developers to specify the
security attributes of their products, and to allow evaluators to determine if products actually meet
their claims.
Version 2.1 of the Common Criteria is equivalent to the ISO International Standard 15408 [I15408].
CA Directory r8.1 has been certified by Cygnacom Solutions. We evaluated at Assurance Level EAL3.
FIPS Compliance
FIPS 140-2 (Security Requirements for Cryptographic Modules) is a security accreditation program for
cryptographic modules in software that is used by government departments and industries that deal
with "sensitive, but not classified" information. Validation is coordinated by the National Institute of
Standards and Technology (NIST).
Text-based configuration: If you set up your directory to use text-based configuration files, it is
compliant with FIPS.
CA Directory utilizes an embedded cryptographic module that has been validated as meeting the
Federal Information Processing Standards (FIPS) 140-2 Security Requirements for Cryptographic
Modules.
DXmanager: If you set up your directory to use DXmanager, it is not compliant with FIPS.
The cryptographic libraries used by DXmanager and DXadmind are not FIPS 140-2 compliant.
These libraries are also used to encrypt the XML configuration used by DXmanager.
Link Protocols
CA Directory uses industry standard protocols for client-to-server and server-to-server
communications. Any of the following protocols may be operated over an encrypted link.
For more information about securing communications with SSL, see Set Up Encryption.
04-May-2016 845/923
CA Directory - 12.0.18
IPv6 Support
IPv6 is the next generation of the Internet Protocol, designed not only to extend the address space
(to cope with growth in Internet usage) but also to take advantage of concepts like multicast and
quality of service.
Protocol Diagrams
Contents
Diagram of Directory Protocols (see page 847)
Diagram of Web Services Protocols (see page 848)
This section shows the components of CA Directory and the protocols that they use.
04-May-2016 846/923
CA Directory - 12.0.18
04-May-2016 847/923
CA Directory - 12.0.18
When you are running CA Directory on a UNIX platform, your system administrator will allocate
available port numbers. On most systems, the port numbers also go up to 64K (65536).
These options are available to ensure interoperability with third-party X.500 directories. They are not
required for LDAP.
04-May-2016 848/923
CA Directory - 12.0.18
This is because the X.500 standard was built on top of the OSI model, whereas LDAP was layered
directly over TCP/IP. TCP/IP effectively maps to the Network and Transport layers, and the concept of
ports negates the need for NSAPs and PSAPs.
Each DSA you create will take up at least one additional port number.
You can use the get stack command to see the port numbers used on a DSA.
Usually you use an LDAP client such as JXweb to access the directory. However the DUA is useful
when you want a command line interface, for example to run batch operations such as tests on the
directory.
The DUA commands fully implement every aspect of every X.500 service and form the basis for
04-May-2016 849/923
CA Directory - 12.0.18
The DUA commands fully implement every aspect of every X.500 service and form the basis for
testing CA Directory. You can consult the test scripts released with CA Directory for various examples
of any given service.
DUA commands issued at the console are asynchronous. That is, you can enter a command without
waiting for the previous one to be complete. If you use DUA commands in a script then use the wait
command to force the script to wait till the command is complete.
See the X.500 standards documentation for full details of Directory User Agent services.
The following set of command initializes the DUA and connects it to the DSA specified by the NSAP
parameter in the bind request.
04-May-2016 850/923
CA Directory - 12.0.18
flush summary-log;
quit;
DUA Commands
abandon-req Command -- Stop a Request
This command stops a read type request. The stopped command returns any partial results that it
had produced at the time it was stopped.
compare-req
list-req
read-req
search-req
invoke-id
Specifies the ID number of the service to be abandoned.
An abandon confirmed message is returned if the request is stopped. If the request completes, or it
cannot be abandoned, then an abandon refuse message is returned.
The add-entry-req command adds an entry. The new entry must obey the name-binding rules, and
the entry attributes must obey the entry's object-class rules.
add-entry-req
entry = DN
contents = {
(objectClass objectClass-name)
(attribute attribute-value [,attribute-value...] )
04-May-2016 851/923
CA Directory - 12.0.18
[...]
}
[common-args]
;
DN
Defines the entry to be added, expressed in x.500 format.
objectClass objectClass-name
Defines the object class of the new entry.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
add-entry-req
entry = <countryName "AU"> <organizationName "Democorp"> <organizationalUnitName
"Sales">
contents = {
( objectClass organizationalUnit )
( postalAddress "100 222 - 268 Maroondah Highway"."Mooroolbark"."Victoria" )
( postalCode "3138" )
( telephoneNumber "(03) 9727-8900" , "(03) 9727-8901" )
( facsimileTelephoneNumber "(03) 9727-3491" )
};
In this example, a multivalued attribute commonName has the value "John Smith", which is the
distinguished name and names the entry. The commonName attribute is in the contents of the add
request so that you can add the value J SMITH.
add-entry-req
entry = <countryName "AU"> <organizationName "Democorp"> <commonName "John Smith"
>
contents = {
( objectClass organizationalPerson )
( surname "Smith" )
( commonName "J SMITH" )
};
Add an Alias
To add an alias with the add-entry-req command, you supply the object class alias and the attribute
aliasedObjectName.
Aliases have no name binding rules, so you can add an alias entry anywhere in a DIT.
04-May-2016 852/923
CA Directory - 12.0.18
Aliases have no name binding rules, so you can add an alias entry anywhere in a DIT.
If when you add an alias, the DSA has alias integrity enabled, the DSA must be able to navigate to the
entry that the alias points to.
add-entry-req
entry = <countryname "AU">
<organizationName "Democorp">
<commonName "Brendan Randall">
contents = {
(objectClass alias)
(aliasedObjectName
<countryname "AU">
<organizationName "Democorp">
<organizationalUnitName "Services">
<organizationalUnitName "Networks">
<commonName "Brendan Randall"> )
}
;
When you enter the bind-req command using the DSA console, the system treats the command as if
it had come from a remote DUA.
It is aborted, probably because the connection failed or the DSA was shut down.
bind-req {
[ssl-auth [pem-file]]
| [[ssl-encryption ] user=user password=password]
}
[ remote-addr= {
rfc1278-p-addr
| [psap=psap-addr] [ssap=ssap-addr][tsap=sap-addr][nsap= tcp tcp-addr tcp-
port port]
}
]
04-May-2016 853/923
CA Directory - 12.0.18
ssl-auth
Specifies that the bind request should use SSL authorization.
pem-file
Defines the SSL personality file. Maximum length is 20 characters. The DUA adds the filename
extension .pem.
ssl-encryption
Specifies that the username and password are to be encrypted.
bind-req
user = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Services">
<organizationalUnitName "Networks">
<commonName "Brendan RANDALL">
password = "secret"
Close a Binding
Close the binding between the DUA and the DSA by using one of the following methods:
For outgoing bindings, you can use the unbind_req command, as follows:
unbind-req;
The DUA discards any unfinished operations and closes the binding.
abort-req;
common-args = {
[chaining-prohibited]
[dont-deref-aliases]
[local-scope]
[size-limit = numberOfEntries]
[time-limit = numberOfSeconds]
}
04-May-2016 854/923
CA Directory - 12.0.18
chaining-prohibited
Has the same effect as local-scope.
dont-deref-aliases
Specifies that the DUA should treat an alias as the target for the command.
The default for the commands that read entries is to treat an alias as a pointer, and return
information about the entry that the alias points to. This applies to the following commands:
compare-req
list-req
read-req
search-req
By contrast, the commands that write to the directory always act on the DN specified in the
command, and do not treat an alias as a pointer. Hence this option is implied. The update
commands are the following:
add-entry-req
mod-dn-req
mod-entry-req
rem-entry-req
local-scope
Prevents the DSA that receives a request from passing the request to another DSA. Do not use
this in a configuration with router DSAs, because a router DSA always needs to pass requests to
another DSA. However, this parameter can be useful for testing purposes.
size-limit= numberofEntries
Defines the maximum size allowed for the returned result. If the request is not complete within
this limit, it returns the partial results. If the max-op-size setting in the DSA configuration is
smaller than size-limit, then max-op-size takes precedence.
This argument is only relevant for the inquire services: compare-req, read-req, search-req and list-
req. It is ignored for the other, update, commands.
time-limit= NumberOfSeconds
Defines the maximum time the request is allowed. If the request is not complete within this time,
it returns the partial results. If the max-op-time setting in the DSA configuration is smaller than
time-limit, then max-op-time takes precedence.
compare-req entry=DN
assertion = attribute-name "attribute-value"
04-May-2016 855/923
CA Directory - 12.0.18
[common-args]
;
entry=DN
Defines the distinguished name of the entry. DN is expressed in X.500 format.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
If the DSA cannot find the entry or attribute, it returns the following result:
compare-refuse
If DSA finds the entry and attribute, it returns one of the following results:
compare-confirm was-matched
compare-confirm not-matched
compare-req
entry = <c "AU"><organizationName "Democorp">
<organizationalUnitName "Corporate">
assertion = telephoneNumber "03 9727 9942";
When the DSA has knowledge of other DSAs, the list makes these references visible.
list-req
entry = DN
[common-args]
;
entry=DN
Defines the distinguished name of the entry. DN is expressed in X.500 format.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
Example: List Entries below the Organizational Unit Corporate under the Organization Democorp:
04-May-2016 856/923
CA Directory - 12.0.18
You can use mod-dn-req to change the case of a value, for example, from Democorp to DEMOCORP.
mod-dn-req
entry = DN
new-rdn = DN
[ delete-old | dont-delete-old ]
[new-superior = DN ]
[common-args]
;
delete-old
Specifies that the command should delete the old DN of the entry. If you do not specify delete-
old, the RDN remains in the entry as one or more non-distinguished attribute values.
new-superior = DN
Specifies that the command should move the entry (and any subordinates) to a different place in
the DIT.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
To change the name of the organizational unit R&D (under organization Democorp) to Research &
Development:
mod-rdn-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "R&D" >
new-rdn = <organizationalUnitName "Research & Development">
delete-old;
04-May-2016 857/923
CA Directory - 12.0.18
The following command moves the R&D entry and all of its subordinates from AU,Democorp to AU,
Democorp, Corporate.
mod-rdn-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "R&D" >
new-rdn = <organizationalUnitName "Research & Development">
delete-old
new-superior = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName Corporate>;
The mod-entry-req command adds and removes attributes and values. If you use this command on
an alias, it changes the alias, not the entry that the alias points to.
Note: You cannot use mod-entry-req to create an alias -- use add-entry-req instead.
mod-entry-req
entry = DN
Modifications
[common-args]
Modifications
Defines the changes to be made to the entry. The format of the modifications options is as
follows:
| rem-attr attribute
[, ...]
The braces ({}) in the add-attr, add-values, and rem-values options are part of the command.
If two or more modifications are specified, they are separated by commas.
add-attr
Specifies that an attribute is to be added. If the attribute already exists, add-attr is treated as
if it were add-values.
add-values
04-May-2016 858/923
CA Directory - 12.0.18
add-values
Specifies that one or more values are to be added to an existing attribute. You cannot add a
second value to a single-valued attribute.
rem-values
Specifies that one or more values are to be removed from the attribute. Removing the last
value removes the attribute.
rem-attr
Specifies that an attribute is to be removed from the entry. You cannot remove mandatory
attributes.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
mod-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Corporate" >
add-attr {facsimileTelephoneNumber "03-9727-9722" }
;
Add another phone number value for John Smith, and remove one of his common names -- the non-
distinguished value, J SMITH:
mod-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<commonName "John Smith">
rem-values { commonName "J SMITH" },
add-values { telephoneNumber "03 9727 9111" };
If the DSA has alias integrity enabled when you add an alias, the DSA must be able to navigate to the
object that the alias points to.
04-May-2016 859/923
CA Directory - 12.0.18
To modify an alias, use the mod-entry-req command to remove the value of the attribute
aliasedObjectName, and add a new value.
mod-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<commonName "Brendan Randall">
rem-values {
(aliasedObjectName
<countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Services">
<organizationalUnitName "Networks">
<commonName "Brendan Randall"> )},
add-values {
(aliasedObjectName
<countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Services">
<organizationalUnitName "Networks">
<commonName "System Manager"> }
;
Instead of removing and adding values, you can remove and add the attributes. This is probably the
more common way to making such a change.
If the DSA has alias integrity enabled, when you delete an entry all aliases of the entry are also
deleted.
You can delete a subtree by deleting leaves recursively, or by using another tool, such as the
DXmodify tool.
rem-entry-req
entry = DN
[common-args]
;
entry=DN
Defines the distinguished name of the entry. DN is expressed in X.500 format.
common-args = {common-args}
See the description of common -args in read-req Command.
04-May-2016 860/923
CA Directory - 12.0.18
rem-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Sales">;
rem-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<commonName "Brendan Randall">;
read-req entry = DN
[no-info-return | attrs-only | attr-and-val]
[all-attrs | attrs = attribute[,attribute...] ]
[ all-extra-attrs | extra-attrs = attribute[,attribute...] ]
[common-args]
;
entry=DN
Defines the distinguished name of the entry. DN is expressed in X.500 format.
attrs=attribute [,attribute]
Defines the non-operational attributes to display. The service returns an error if it does not find
these attributes in the entry.
By default, all non-operational attributes are displayed.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
extra-attrs=attribute [,attribute]
Defines the operational attributes to display. By default no operational attributes are displayed.
The following command returns all the attribute values for the Democorp entry:
The following command returns the selected attribute values for the Corporate entry:
04-May-2016 861/923
CA Directory - 12.0.18
read-req
entry = <c "AU"><o "Democorp"><ou "Corporate">
attrs = facsimileTelephoneNumber, telephoneNumber;
Example: Read an Alias Object, not the Entry that the Alias Points To
read-req
entry = <countryName "AU">
<organizationName "Democorp">
<commonName "Brendan Randall">
common-args = {dont-deref-aliases } ;
The search service can return many objects. If the search exceeds a size limit or a time limit, or if the
DUA receives an abandon request, the search returns partial results, that is, the entries that it
collected before being stopped.
The search detects if an alias directly or indirectly points to itself, and returns an error.
search-req
base-object = DN
[one-level-only | base-object-only | whole-subtree]
[filter = { search-req-filter }]
[no-info-return]
[dont-search-aliases | search-aliases]
[attr-only | attr-and-val]
[all-attrs | attrs = attribute [,attribute...]]
[common-args]
;
base-object = DN
Defines the distinguished name of the entry at which the search starts. DN is expressed in X.500
format.
{search-req-filter }
Specifies a filter for the search. The braces are part of the command. For more information about
its syntax, see search-req-filter (see page 864).
no-info-return
04-May-2016 862/923
CA Directory - 12.0.18
no-info-return
(Optional) Returns only the names of the entries that satisfy the filter.
dont-search-aliases
(Optional) Specifies that search-req should not follow the aliasedObjectname of an alias. If this is
not specified, search-req treats aliases as pointers to entries.
common-args
Defines the common arguments. For more information, see common-args (see page 854).
The following example is equivalent to a read-req. It retrieves all attributes and values of one entry:
search-req
base-object = <countryName "AU">
<organizationName "Democorp">;
The following example is equivalentg to a list-req. It retrieves the names of all objects from one level
under Democorp:
search-req
base-object = <countryName "AU">
<organizationName "Democorp">
one-level-only
no-info-return;
The following example searches all entries under Democorp, including Democorp. It retrieves all
information about every entry that contains an attribute surname with the value Smith:
search-req
base-object = <countryName "AU">
<organizationName "Democorp">
whole-subtree
filter = { attr = surname value = "Smith" };
Search the local directory tree, retrieving all objects that contain a surname attribute with a value of
Smith and a title attribute with a value of Manager and a telephoneNumber attribute. Retrieve only
the commonName, surname, and telephoneNumber attributes of the objects matching the search
filter.
search-req
base-object = <>
whole-subtree
04-May-2016 863/923
CA Directory - 12.0.18
search-req-filter
The search-req-filter option defines the filter for the search-req command. The search-req command
uses the filter to determine whether to display the entries it finds, or to exclude these entries from its
results.
Syntax
A search-req filter consists of one filter item, or a number of filter items linked together by one of the
logical operators: and, not, or.
search-filter-item
and {search-filter-item ,search-filter-item ...}
or {search-filter-item ,search-filter-item ...}
not {search-filter-item}
The braces ({}) in these expressions are part of the syntax and define the scope of the operator.
Wherever you have one search filter item you can replace it with one of the above expressions, and
you can can nest these expressions indefinitely.
search-filter-item
Defines an item within a search filter. It has one of the following formats:
attr=DN present
The braces ({}) and pipe symbols (|) in these expressions are not part of the command -- they are
there merely to show the alternative forms of the expression: the braces enclose a set of
alternatives, and the pipes separate the alternatives.
The operators and other parameters in these expressions are as follows:
=
Equals
<=
Less than or equals
>=
Greater than or equals
04-May-2016 864/923
CA Directory - 12.0.18
~=
Approximately equals
attributeValue
Defines a possible attribute value.
attributeValueSubstring
Defines a possible substring of an attribute value.
LDAP-Only Examples
These commands are supported by the LDUA, which is the LDAP version of the DUA. Because the
LDUA uses the LDAP protocol, it has access to LDAP controls, which permit operations to be modified.
For example, the search command can include server-side sorting and paged results.
Search all objects under Democorp, retrieving all objects with common name beginning with H, and
sort the objects in reverse order by description:
search-req
base-object=<o Democorp>
whole-subtree
filter = { attr = commonName substrings [ initial h ] }
attrs = commonName,description
controls = { server-side-sort description reverse critical };
Search all objects under Democorp, retrieving all objects that contain an attribute common name
beginning with H, and page the results:
These LDUA controls can be used together. The following example searches all objects under
Democorp, retrieves all objects that contain an attribute common name beginning with H, and sorts
and pages the results:
04-May-2016 865/923
CA Directory - 12.0.18
userIdentity
Specifies the full DN string of the user whose password is to be modified. If this argument is not
specified, then the password of the bind (session) identity is modified.
newPasswd
Specifies the new password to be set for the user. If this argument is not specified, then a random
password is generated.
oldPasswd
Specifies the old password to be replaced. If this argument is not specified, all current passwords
of the user are replaced with the new password. If this argument is specified, it must match one
of the current passwords of the user, otherwise the operation fails.
Glossary
alarms
Alarms are reports of critical events that should be monitored.
alerts
Alerts are any events that the user should be made aware of. In this version of DXmanager, the alerts
are harvested from the alarm logs.
alias entries
An alias entry is a directory entry that contains the name of another entry. When you search or
browse a directory, you can decide whether to resolve aliases (show the details of the target entry) or
to show the details of the alias entry itself.
04-May-2016 866/923
CA Directory - 12.0.18
association
association is a synonym for binding.
attributes
An attribute is a property of an entry that can have a value. An entry is defined by the values of its
attributes. For example, an entry in a staff directory could include an attribute named phoneNumber,
with the value 555-1234-567.
authentication levels
Each DSA has one or more authentication levels. The authentication levels assigned to a DSA define
what credentials a user must present to bind to and query that DSA.
auto-registered attributes
An auto-registered attribute is an attribute that is used in a directory without being defined in the
directory's schema. To use auto-registered attributes in a particular object class, that class must
include the keyword auto-register-attributes in its may-contain list.
backbone
The backbone is the term used in DXmanager to refer to the directory installation as a whole. It
includes all the DSAs and their configuration data.
base-object searches
A base-object search specifies a search that returns one node, the base object, as specified by the DN.
It is one of the three types of LDAP search. The others are single-level and subtree.
04-May-2016 867/923
CA Directory - 12.0.18
binding
When a DSA, an LDAP client, or a DUA successfully binds to a DSA, the resulting relationship is called
a binding. Because each binding corresponds to a user, the term user can be used to mean a binding.
class-of-service templates
A class-of-service template stores information that can then be included in many entries. Class-of-
service templates can reduce the size of a directory, help keep data consistent, and reduce the time
required for bulk updates.
credentials
A user's credentials are information that identifies them, which are used for authorization.
Credentials can be a user name and password, or a certificate.
data DSA
A data DSA holds data, and queries are routed to it by router DSAs.
datastore
Each data DSA holds its directory data in memory. The datastore is a file that is mapped to the
memory image and provides persistent storage of the data.
deploying
Deploying is the process of transferring the XML configuration file from DXmanager to the DSA's host,
and then reinitializing the DSAs.
dereferencing
An alias entry is dereferenced if, during a search, the entry the alias points to is used as the base
object rather than the alias itself.
04-May-2016 868/923
CA Directory - 12.0.18
DISP
DISP (Directory Information Shadowing Protocol) is defined in the 1993 X.525 standard. DISP lets you
replicate information in OSI-conformant directories, which permits copying of directory information
from one DSA to another using a standardized procedure and protocol.
distribution
In a distributed directory, many DSAs cooperate to form a single namespace. Parts of the namespace
are served by different DSAs. An application connected to any DSA can search the entire namespace.
DN (distinguished name)
A distinguished name (DN) uniquely identifies a directory entry and its location in the directory
namespace. The DN includes the name of the entry, plus the names of all superior entries, for
example, cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU.
DSA console
The DSA console lets you connect to a DSA to give DXserver commands, receive trace information,
and act as a user agent.
04-May-2016 869/923
CA Directory - 12.0.18
DSML Server
The DSML Server lets client applications use DSML, rather than LDAP, to communicate with CA
Directory.
DXadmind
DXadmind is a background process that runs on each host that contains a DSA. DXmanager uses
DXadmind to communicate with the DSAs. The DXadmind on each host collects information for
DXmanager and manages the DSAs on that host on behalf of DXmanager.
DXmanager
DXmanager is a web application that lets you create, configure, monitor, and control your directory
backbone.
DXtools
The DXtools are a set of command-line utilities that come with CA Directory. These tools help you
manage directory administration, work with LDIF data, load and unload data to and from a directory,
and to extract and convert schemas for use with CA Directory.
04-May-2016 870/923
CA Directory - 12.0.18
dynamic groups
A dynamic group is an entry in the directory with its membership defined by an LDAP filter. All entries
that satisfy this filter are members of the dynamic group.
entries
The entry is the basic unit of information storage in a directory. All information in a directory is stored
in the form of entries, which are also sometimes named objects. For example, in a directory listing all
staff members at a company, each staff member would have an entry.
extensible objects
An extensible object is an object class that may include any attribute defined in the DSA schema.
failback
Failback is the restoration to normal service of a CA Directory DSA after failing over and recovering.
failover
Failover is the ability of a router DSA to continue to service queries even when a data DSA becomes
unavailable. If the router detects that a DSA has failed, it resends outstanding requests to another
DSA that serves the same partition, making the failure invisible to clients.
health
A directory's health is a measure of whether the directory is running smoothly. This includes whether
all DSAs are running, and whether any are logging warning, error, or alarm messages.
horizontal partitioning
If you have a large flat namespace, you can improve the scalability and performance by partitioning
the namespace, so that different DSAs each serve different parts of the same level of namespace. In
CA Directory, horizontal partitioning is a method of doing this.
04-May-2016 871/923
CA Directory - 12.0.18
hosts
A host is a single computer with CA Directory installed on it. A single host may serve one or more
namespace partitions.
hub
A hub is the DSA that is responsible for receiving multiwrite update requests from other regions.
idle time
The idle time for a connection is the time elapsed since the DSA last performed an operation on that
connection.
instantiation
In DXmanager, the process of assigning hosts, sites, or regions to namespace partitions is called
instantiation. After the configuration is deployed, this process creates one or more DSAs to serve the
namespace partitions.
JXweb
JXweb is a general purpose LDAP-compliant directory browser and editor, which lets you access a
directory through the Web.
latency
Latency is the delay caused by the round-trip time taken between sending a network packet and
receiving a response. For replication, latency describes the time during which the shadow servers are
out-of-date with respect to a master.
04-May-2016 872/923
CA Directory - 12.0.18
LDIF files
LDIF files are text files that store directory information in LDIF. You can use LDIF files to transfer
directory information between LDAP directory servers or to describe a set of changes to be applied to
a directory.
LDT file
An LDT file is a text file that contains rules for transforming data into LDIF format. The csv2ldif tool
uses an LDT file to transform CSV data into LDIF.
leaf entries
A leaf entry is a directory entry that has no subordinate entries.
load
A directory's load is a measure of the amount and type of operations being sent to that directory.
load sharing
Load sharing lets a router DSA distribute incoming requests evenly among all DSAs in the same site
that serve the same namespace partition. This improves performance.
logs
The logs contain output from a DSA, including its trace, diagnostics, warnings, and alarms.
04-May-2016 873/923
CA Directory - 12.0.18
multiwrite group
A multiwrite group is a synonym for a region.
multiwrite peers
Multiwrite peer DSAs are the DSAs in a multiwrite replication system. Multiwrite peers service the
same prefix, share knowledge of each other, and their knowledge includes the DSA flag multi-write.
multiwrite replication
Multiwrite replication is a mechanism for replicating updates to a number of DSAs to ensure that they
are synchronized. When a DSA receives an update, it updates its own data and then sends the update
to its peers. If a peer DSA cannot be reached, the updates are queued and replayed when the DSA
becomes available.
multiwrite-DISP replication
Multiwrite-DISP replication is a replication scheme that uses multiwrite replication for real-time
updates and DISP for recovery.
namespace
A namespace is the tree of all data in the directory, synonymous with directory information tree. It is
defined by the DN of the top node in the tree.
namespace partition
A namespace partition is a sub-section of the directory information tree.
naming attributes
The naming attribute is the attribute used to form the RDN, which uniquely identifies each entry in
the directory.
04-May-2016 874/923
CA Directory - 12.0.18
network topology
The network topology describes the hosts on which the directory backbone runs, and the quality of
network connections between the hosts. The quality of connections is represented by sites and
regions.
OID prefix
An OID prefix consists of a name used to represent the portion of the object identifier common to
multiple schema definition statements.
operational attributes
An operational attribute represents information used to control the operation of the directory (such
as access control information), or used by the directory to represent some aspects of its operation.
operations
A directory operation reads data from the directory or writes data to it. Operations include add,
compare, delete, modify entry, modify RN, read, search.
performance
Directory performance measures the load and throughput of the directory. DXmanager can tell you
which DSAs and hosts are under the most load, and the kinds of operations they are performing
(searches, updates, compares, and so on).
personality certificates
DSA personality certificates are the same as user certificates, except that they are for DSAs. These
personality certificates permit the links between DSAs to be secured using SSL encryption or
authentication.
04-May-2016 875/923
CA Directory - 12.0.18
phase
A phase is a directory search within a view. A phase can use the results of previous phases in the
same invocation of the view.
public user
A public user is a user who has not been authenticated. The following terms are identical: public user,
unauthenticated user, anonymous user, user who has not logged in.
recovery
Recovery is the process of a DSA returning to service after an outage.
recovery mode
A DSA in recovery mode is one that has been offline, so its data may now inconsistent with its
replication peer DSAs. In recovery mode, a DSA only accepts binds and updates from its replication
peers. This prevents clients and parent or non-peer DSAs from querying or updating the recovering
DSA.
referential integrity
A directory entry has referential integrity if all DNs in the entry are valid, that is, point to other,
existing, entries.
04-May-2016 876/923
CA Directory - 12.0.18
region
A region is a collection of sites. Multiwrite replication between DSAs in the same region is
synchronous.
response files
A response file is a text file that supplies information used during the installation process. The user
normally supplies this information during the installation process.
router DSA
A router DSA has no local data and no datastore. It can only route traffic to other DSAs.
schema
A schema is a formal definition of the contents and structure of the directory data. It governs where
each entry can be placed within the directory structure, how entries are to be named, and what
attributes each entry can contain.
script files
Script files store frequently used, or complex commands (such as a series of searches). You can
execute these files from a DSA console, or by using the source command, from other script files.
selective shadowing
Selective shadowing is the ability to replicate only some information to a shadow DSA.
sites
A site is a DXmanager term for collection of hosts that are connected by a reliable, fast and low
latency network, such as a LAN. hosts A site corresponds to a load sharing group.
04-May-2016 877/923
CA Directory - 12.0.18
static groups
A static group is an entry in the directory with a member attribute, which stores a list of the DNs of
the entries that are members of this group.
TCP port
The TCP port is the port on which DSA listens for, and accepts connections from, clients and other
DSAs.
topology
The topology defines the network in terms of a hierarchy of regions, sites, and hosts. A group of hosts
belongs to a site, and a group of sites belongs to a region. Because the topology is hierarchical, a site
cannot contain a region and a host cannot contain a site or region.
04-May-2016 878/923
CA Directory - 12.0.18
traces
A DSA's trace is its record of almost all operations going into and out of that DSA. You can view a
DSA's trace in the log files, and also by using the DSA console.
transparent routing
Transparent routing allows a router DSA to process LDAP requests and responses without requiring
the controlling schema. This is useful if the router DSA is being used to link LDAP clients to an LDAP
server, or the clients and server have schema that are not known by the router DSA. Transparent
routing works with LDAP clients only.
view
A view is a read-only virtual directory that provides a layer between the user agent and the real
directories. It lets you combine multiple LDAP searches into one search. You can use views to improve
performance and to reduce the complexity of applications.
X.500
X.500 is a set of computer networking standards that define directory services. The protocols defined
by the X.500 standards include DAP, DSP, and DISP. A directory that follows the X.500 standard has
distributed operations, distributed management, distributed security, and replication.
04-May-2016 879/923
CA Directory - 12.0.18
End User License Agreement (the "Agreement") for the CA software product that is being installed as
well as the associated documentation and any SDK, as defined below, included within the product
("the Product").
Carefully read the following terms and conditions regarding your use of the Product before installing
and using the Product. Throughout this Agreement, you will be referred to as "You" or "Licensee."
By selecting the "I accept the terms of the License Agreement" radio button below, and then clicking
on the "Next" button, you are
(I) Representing that you are not a minor, and have full legal capacity and have the authority to bind
yourself and your employer, as applicable, to the terms of this Agreement;
(II) Consenting on behalf of yourself and/or as an authorized representative of your employer, as
applicable, to be bound by this Agreement.
By selecting the "I do NOT accept the terms of the License Agreement" radio button below, and then
clicking on the "Cancel" button, the installation process will cease.
1. CA (or where the Product is being supplied outside of North America the CA subsidiary identified
after Section 15 below for the country in which the Product is being supplied, and in such instance CA
shall mean the CA subsidiary identified) provides Licensee with one copy of the Product, for use by a
single user, or the quantity designated as the authorized use limitation ("Authorized Use Limitation")
on any Order Form (defined below) referencing the terms of this Agreement or CD sleeve included
within the Product box. CA licenses the Product to Licensee on a non-exclusive basis, pursuant to the
terms of this Agreement as well as the terms of (a) any CA Order Form or Registration Form which
has been signed by Licensee and CA; or (b) a License Program Certificate which is provided by CA to
Licensee, as applicable (each hereafter referred to as the "Order Form").
2. If the Product is an alpha or beta version of the program, hereinafter referred to as the "beta
program" or "beta version" and not generally available to date, CA does not guarantee that the
generally available release will be identical to the beta program or that the generally available release
will not require reinstallation. Licensee agrees that if it registers for support or if otherwise required
by CA, Licensee shall provide CA with specific information concerning Licensees experiences with the
operation of the Product. Licensee agrees and acknowledges that the beta version of the Product (a)
is to be used only for testing purposes and not to perform any production activities unless CA shall
have otherwise approved in writing and (b) has not been tested or debugged and is experimental and
that the documentation may be in draft form and will, in many cases, be incomplete. Licensee agrees
that CA makes no representations regarding the completeness, accuracy or Licensees use or
operation of the beta version of the Product. BETA PRODUCTS ARE PROVIDED ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR REPRESENTATIONS OF TITLE OR NON-
INFRINGEMENT. If Licensee is also a Tester of the beta version of the Product (as "Tester" is defined
by the Beta Testing Agreement that was agreed to by Licensee during the registration process before
obtaining the beta version of the Product), Licensee agrees that the terms of this Agreement are in
addition to, and do not supersede, the terms of the Beta Testing Agreement.
3. If the Product is being licensed on a trial or evaluation basis, Licensee agrees to use the Product
04-May-2016 880/923
CA Directory - 12.0.18
3. If the Product is being licensed on a trial or evaluation basis, Licensee agrees to use the Product
solely for evaluation purposes, in accordance with the usage restrictions set forth in Section 1, for a
thirty-day evaluation period unless a different period is otherwise noted (the "Trial Period"). At the
end of the Trial Period, Licensees right to use the Product automatically expires and Licensee agrees
to de-install the Product and return to CA all copies or partial copies of the Product or certify to CA in
writing that all copies or partial copies of the Product have been deleted from Licensees computer
libraries and/or storage devices and destroyed. If Licensee desires to continue its use of the Product
beyond the Trial Period, Licensee may contact CA to acquire a license to the Product for the
applicable fee. LICENSEES USE OF THE PRODUCT DURING THE TRIAL PERIOD IS ON AN "AS IS" BASIS
WITHOUT ANY WARRANTY, AND CA DISCLAIMS ALL WARRANTIES INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AS
WELL AS ANY EXPRESS WARRANTIES PROVIDED ELSEWHERE IN THIS AGREEMENT.
4. If the Product includes a Software Development Kit ("SDK"), the terms and conditions of this
paragraph apply solely for the use of the SDK. The SDK may include software, APIs and associated
documentation. The SDK is provided solely for Licensee's internal use to develop software that
enables the integration of third party software or hardware with the Product, or to develop software
that functions with the Product, such as an agent. Licensees use of the SDK is restricted solely to
enhance Licensees internal use of the Product. No distribution rights of any kind are granted to
Licensee regarding the Product. In addition to the limitations on use set forth in Section 8, below,
Licensee may not reproduce, disclose, market, or distribute the SDK or the documentation or any
applications containing any executable versions of the SDK to third parties, on the internet, or use
such executables in excess of the applicable Authorized Use Limitation. If there is a conflict between
the terms of this section and the terms of any other section in this Agreement, the terms of this
section will prevail solely with respect to the use of the SDK.
5. Payment of the fees specified on the Order Form or as agreed between Licensee and an authorized
reseller of CA, shall entitle Licensee to use the Product for the term specified on the Order Form (the
"Term"), which use may include the right to receive maintenance services therefore for the period set
forth on the Order Form. All fees payable hereunder shall be payable in advance. Licensee will install
each new release of the Product delivered to Licensee. After the Term, continued usage and/or
maintenance of the Product as provided herein shall be subject to the payment by Licensee of the
fees described on the Order Form. Notwithstanding the foregoing, if the Product was licensed under
this Agreement without an Order Form, Licensee shall be entitled to use the Product for an indefinite
period, but the license does not include the right to receive maintenance services. Notwithstanding
the foregoing, with respect to any Product that relies on continuous content updates, such as
signature files and security updates, Licensee shall be entitled to such content updates for a period of
one (1) year from the effective date of the license.
6. If maintenance is provided by CA, it shall be renewed annually as specified in the Order form with
CA. All fees are net of applicable taxes. Licensee agrees to pay any tariffs, duties or taxes imposed or
levied by any government or governmental agency including, without limitation, federal, state and
local, sales, use, value added and personal property taxes, (other than franchise and income taxes for
which CA is responsible) upon a presentation of invoices by CA. Any claimed exemption from such
tariffs, duties or taxes must be supported by proper documentary evidence delivered to CA. Any
invoice which is unpaid by Licensee when due shall be subject to an interest charge equal to the
lower of 1.5% per month or the highest applicable legal rate.
04-May-2016 881/923
CA Directory - 12.0.18
7. Licensee may use the Product as provided herein solely to process its own data and the data of its
majority-owned subsidiaries and use is restricted to the location, computer equipment, and
Authorized Use Limitation specified on the Order Form or CD sleeve, as applicable. If Licensee desires
to use the Product beyond such restrictions, it shall notify CA, and Licensee will be invoiced for and
shall pay the applicable fees for such expanded use.
8. The Product, including any source or object code that may be provided to Licensee hereunder, as
well as documentation, appearance, structure and organization, is the proprietary property of CA and
/or its licensors, if any, and may be protected by copyright, patent, trademark, trade secret and/or
other laws. Title to the Product, or any copy, modification, translation, partial copy, compilation,
derivative work or merged portion of any applicable SDK, shall at all times remain with CA and/or its
licensors. Usage rights respecting the Product may not be exchanged for any other CA product. The
Product is licensed as a single product. Its component parts may not be separated for use. Licensee
and its employees will keep the Product and the terms of this license strictly confidential and use its
best efforts to prevent and protect the Product from unauthorized disclosure or use. Licensee may
not (i) disclose, de-compile, disassemble nor otherwise reverse engineer the Product except to the
extent the foregoing restriction is expressly prohibited under applicable law; (ii) create any derivative
works based on the Product; (iii) use the Product to provide facilities management or in connection
with a service bureau or like activity whereby Licensee, without purchasing a license from CA for such
purpose, operates or uses the Product for the benefit of a third party who has not purchased a copy
of the Product; or (iv) permit the use of the Product by any third party without the prior written
consent of CA. Licensee shall not release the results of any benchmark testing of the Product to any
third party without the prior written consent of CA. Licensee will not transfer, assign, rent, lease, use,
copy or modify the product, in whole or in part, or permit others to do any of the foregoing with
regard to the Product without CAs prior written consent, except to the extent the foregoing
restriction is expressly prohibited under applicable law. Licensee will not remove any proprietary
markings of CA or its licensors. Licensee may copy the Product as reasonably required for back-up
and disaster recovery purposes, provided that production use of the Product is restricted to the
Authorized Use Limitation specified on the Order Form or CD sleeve, and provided that use of the
Product for disaster recovery testing shall be limited to one week in any three month period. The
Product may be used only within the boundaries of the country where the Product was purchased
(except as otherwise provided on the Order Form) unless CA consents otherwise in writing. If this
license terminates for any reason, Licensee shall certify to CA in writing that all copies and partial
copies of the Product have been deleted from all computers and storage devices and are returned to
CA or destroyed and are no longer in use. Licensee shall comply with all relevant import and export
regulations, including those adopted by the Office of Export Administration of the US Department of
Commerce. The Product and any accompanying documentation have been developed entirely at
private expense. They are delivered and licensed as "commercial item" "computer software" as
defined in FAR 2.101. In the event Licensee is a U.S. Federal Government agency, the licensing terms
of CA's then current GSA FSS contract shall govern use of the Computer Program(s), in lieu of the
terms contained in the license delivered with the Program(s). For such purposes, the term "Product"
and "Computer Program" shall have the same meaning hereunder. The Computer Program(s) was
developed at private expense, is commercial, and is published and copyrighted. Third parties
purchasing on behalf of a Federal Government agency shall only transfer the Computer Program(s) to
the Government with "Restricted Rights" as that term is defined in FAR 52.227-19(c)(2) or DFAR
252.227-7015, and in accordance with CA's then current GSA FSS contract. All Software is provided
FOB shipping point or electronic delivery. Acceptance is waived and deemed to have occurred at the
earliest of point of physical shipment or delivery of keys/access codes for electronic delivery. CA is
the manufacturer of the Product.
This Agreement shall be governed by and interpreted in accordance with the laws of the State of New
York, without regard to its choice of law provisions.
9. CA warrants that it can enter into this Agreement and that it will indemnify, hold Licensee
04-May-2016 882/923
CA Directory - 12.0.18
9. CA warrants that it can enter into this Agreement and that it will indemnify, hold Licensee
harmless, and defend or, at its option, settle any claim that CA is not so authorized or that Licensees
use of the Product as authorized hereby infringes any patent, copyright or other intellectual property
right of any third party. CA also warrants that the Product will operate in accordance with its
published specifications, provided that CAs only responsibility will be to use reasonable efforts,
consistent with industry standards, to cure any defect. The foregoing warranty respecting the
operation of the Product will be in effect only during any period for which Licensee shall have paid
the applicable license fee and annual maintenance fee, or, with respect to Products licensed without
an Order Form, during a period of ninety (90) days from Licensees acquisition of license for the
Product. If, within a reasonable time after receiving Licensees written notice of breach of either of
the above warranties, CA is unable to cause the Product to operate (a) without infringing a third
partys intellectual property rights, or (b) in accordance with CAs written specifications, then either
party may terminate this Agreement on written notice to the other party and CA or the authorized
reseller will refund the relevant license fees paid for such non-compliant Product only when Licensee
returns the Product to CA or its authorized reseller from whom it obtained the Product, with the
purchase receipt within the warranty period noted above. The warranties set forth in this Section do
not apply to beta versions of the Product, Product licensed on a trial or evaluation basis or to
Software Development Kits.
10. EXCEPT AS SET FORTH ABOVE, TO THE FULL EXTENT PERMITTED BY APPLICABLE LAW:
(I) NO OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE MADE
BY CA;
(II) IN NO EVENT WILL CA BE LIABLE TO LICENSEE OR ANY OTHER PARTY FOR ANY CLAIM FOR LOSS,
INCLUDING TIME, MONEY, GOODWILL, AND CONSEQUENTIAL DAMAGES, WHICH MAY ARISE FROM
THE USE, OPERATION OR MODIFICATION OF THE PRODUCT, EVEN IF CA HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. IN THE EVENT THAT THE ABOVE LIABILITY LIMITATION IS FOUND TO
BE INVALID UNDER APPLICABLE LAW, THEN CAS LIABILITY FOR SUCH CLAIM SHALL BE LIMITED TO
THE AMOUNT OF THE LICENSE FEE ACTUALLY PAID FOR THE PRODUCT BY LICENSEE. NO THIRD
PARTY, INCLUDING AGENTS, DISTRIBUTORS, OR AUTHORIZED CA RESELLERS IS AUTHORIZED TO
MODIFY ANY OF THE ABOVE WARRANTIES OR MAKE ANY ADDITIONAL WARRANTIES ON BEHALF OF
CA. CA DOES NOT WARRANT THAT THE PRODUCT WILL MEET LICENSEES REQUIREMENTS OR THAT
USE OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE.
11. Licensee may assign this Agreement only if Licensee complies with CAs then prevailing policies
respecting assignment of licenses, which includes a requirement that the scope of use of the Product
not be expanded beyond the business of Licensee and the business of Licensees majority-owned
subsidiaries. CA may assign this Agreement to any third party that succeeds to CAs interests in the
Product and assumes the obligations of CA hereunder; and CA may assign its right to payment
hereunder or grant a security interest in this Agreement or such payment right to any third party.
12. If Licensee breaches any term of this Agreement or if Licensee becomes insolvent or if bankruptcy
or receivership proceedings are initiated by or against Licensee, CA shall have the right to withhold its
own performance hereunder and/or to terminate this Agreement immediately and, in addition to all
other rights of CA, all amounts due or to become due hereunder will immediately be due and payable
to CA.
13. If Licensee fails to pay the applicable maintenance fee, then Licensee may reinstate maintenance
thereafter by paying to CA a fee equal to 150% of CAs then prevailing maintenance fee for each year
for which the maintenance fee has not been paid.
04-May-2016 883/923
CA Directory - 12.0.18
14. If a court holds that any provision of this Agreement to be illegal, invalid or unenforceable, the
remaining provisions shall remain in full force and effect. No waiver of any breach of this Agreement
shall be a waiver of any other breach, and no waiver shall be effective unless made in writing and
signed by an authorized representative of the waiving party. Any questions concerning this
Agreement should be referred to CA, Inc., One CA Plaza, Islandia, NY 11749, Attention: Worldwide
Law Department.
15. In the event Licensee acquires a license for the Product outside of the United States, the following
Sections will apply to the use of the Product:
Notwithstanding the terms of the last sentence of Section 8, the laws of the country in which
Licensee acquires a license for the Product shall govern this Agreement, except as otherwise provided
below.
Argentina
The CA subsidiary that is the licensor is Computer Associates de Argentina S.A.
Australia
The CA subsidiary that is the licensor is Computer Associates Pty. Ltd.
04-May-2016 884/923
CA Directory - 12.0.18
Austria
The last sentence of Section 8 is deleted and replaced with:
The laws of Austria govern this Agreement. The following is added to Section 8: In addition, CA is
entitled to bring action against Licensee in a court located in Licensees place of incorporation,
establishment or permanent residence.
Belgium
The CA subsidiary that is the licensor is Computer Associates S.A./N.V.
Brazil
The CA subsidiary that is the licensor is CA Programas de Programas de Computador Ltda.
Canada
The CA subsidiary that is the licensor is Computer Associates Canada Company.
Chile
The CA subsidiary that is the licensor is Computer Associates de Chile S.A.
04-May-2016 885/923
CA Directory - 12.0.18
China
The CA subsidiary that is the licensor is CA (China) Co., Ltd.
Colombia
The CA subsidiary that is the licensor is Computer Associates de Colombia S.A.
Czech Republic
The first sentence of Section 1 is deleted and replaced with:
CA grants the Licensee a non-exclusive license to use the Product, for use by a single user, or the
quantity designated as the authorized use limitation ("Authorized Use Limitation") on any Order Form
(defined below) referencing the terms of this Agreement or CD sleeve included within the Product
box.
Denmark
The CA subsidiary that is the licensor is Computer Associates Scandinavia A/S.
04-May-2016 886/923
CA Directory - 12.0.18
(I) Disclose, de-compile, disassemble nor otherwise reverse engineer the Product save to the extent
expressly permitted by law;
(II) Create any derivative works based on the Product;
(III) Use the Product in connection with a service bureau or like activity whereby Licensee, without
purchasing a license from CA for such purpose, operates or uses the Product for the benefit of a third
party who has not purchased a copy of the Product;
(IV) Permit the use of the Product by any third party without the prior written consent of CA, save for
contract staff of the Licensee who are acting on the Licensees business, not engaged in facilities
management and who the Licensee agrees as a condition of this Agreement to ensure such contract
staff shall comply with all the terms of this Agreement, including without limitation, confidentiality
provisions.
04-May-2016 887/923
CA Directory - 12.0.18
France
The CA subsidiary that is the licensor is CA S.A.
Germany
The CA subsidiary that is the licensor is CA Computer Associates GmbH.
The twelfth sentence of Section 8 is deleted. The sixteenth sentence of Section 8 is deleted and
replaced with:
Licensee shall comply with all relevant import and export regulations, including those adopted by the
Office of Export Administration of the US Department of Commerce, any competent EU government
and German export regulations. Licensee understands and acknowledges that US, EU and German
restrictions vary regularly and, depending on Product, Licensee must refer to then current US, EU or
German regulations.
arisen, or, in the cause of non-payment, more than three (3) years from the date of the relevant
04-May-2016 888/923
CA Directory - 12.0.18
arisen, or, in the cause of non-payment, more than three (3) years from the date of the relevant
invoice. Neither party shall be liable for delay in performing or failure to perform any of its
obligations under this Agreement if the delay or failure results from events or circumstances outside
its reasonable control. Such delay or failure shall not constitute a breach of this Agreement and time
for performance shall be extended by time equivalent to the length of the delay caused by force
majeure.
Greece
The CA subsidiary that is the licensor is Computer Associates Hellas Ltd.
Hong Kong
The CA subsidiary that is the licensor is CA (Hong Kong) Limited.
The following is added at the end of Section 10: The aforementioned liability limitation and the
aforementioned maximum liability amount will not affect or prejudice the statutory rights of the
licensee under the sale of goods ordinance, the supply of services (implied terms) ordinance or the
control of exemption sections ordinance, nor will they limit or exclude any liability for death or
personal injury solely caused by CA's negligence.
India
The CA subsidiary that is the licensor is CA (India) Technologies Private Limited.
Indonesia
Israel
The CA subsidiary that is the licensor is CA Computer Associates Israel Ltd.
04-May-2016 889/923
CA Directory - 12.0.18
Italy
The CA subsidiary that is the licensor is Computer Associates S.p.A.
According to article 1341 and 1342 of the Italian Civil Code, the Licensee expressly accepts the terms
and conditions included in Sections 6 (specifically the interest rate set forth in the last sentence), 8
and 9.
Japan
The CA subsidiary that is the licensor is CA Japan, Ltd.
Korea
The CA subsidiary that is the licensor is CA Korea Inc., Ltd.
Lybia, Egypt, Lebanon, Jordan, Iraq, Kingdom of Saudi Arabia, Kuwait, Qatar, United Arab Emirates,
Oman, Yemen and Pakistan
award rendered may be executed by any court having jurisdiction, or application may be made to
04-May-2016 890/923
CA Directory - 12.0.18
award rendered may be executed by any court having jurisdiction, or application may be made to
such court for a judicial recognition of the award or any order of enforcement thereof, as the case
may be. The award of the arbitration shall be the sole and exclusive remedy between the parties
regarding any and all claims and counterclaims presented to the arbitrators.
Malaysia
The CA subsidiary that is the licensor is Computer Associates (M) Sdn. Bhd.
Mexico
The CA subsidiary that is the licensor is Computer Associates de Mxico S.A. de C.V.
Netherlands
The CA subsidiary that is the licensor is Computer Associates B.V.
04-May-2016 891/923
CA Directory - 12.0.18
New Zealand
The CA subsidiary that is the licensor is CA Pacific (NZ) Ltd.
Notwithstanding the final sentence of Section 6, the applicable interest charge on invoices unpaid by
Licensee is 1.5% per month.
04-May-2016 892/923
CA Directory - 12.0.18
Norway
The CA subsidiary that is the licensor is Computer Associates Norway AS.
04-May-2016 893/923
CA Directory - 12.0.18
Peru
The CA subsidiary that is the licensor is Computer Associates de Peru S.A.
Philippines
The CA subsidiary that is the licensor is Philippine Computer Associates International Inc.
The first seven sentences of Section 8 are deleted and replaced with:
Title to the Product and all modifications thereto shall remain with CA. The Product is a trade secret
and the proprietary property of CA or its licensors. Usage rights respecting the Product may not be
exchanged for any other CA product. Licensee and its employees will keep the Product and the terms
of this Agreement strictly confidential. To the maximum extent permitted by applicable law, Licensee
will not disclose, de-compile, disassemble nor otherwise reverse engineer the Product.
04-May-2016 894/923
CA Directory - 12.0.18
Poland
If payments are to be made in PLN, the last sentence of Section 6 is replaced as follows:
Any invoice which is unpaid by Licensee when due shall be subject to an interest charge equal to the
lower of 1.5% per month or the statutory delay interest rate then applicable in Poland.
Portugal
The last sentence of Section 8 is deleted and replaced with:
Any dispute hereunder shall finally be determined by Lisbon Courts.
Singapore
The CA subsidiary that is the licensor is Computer Associates Pte. Ltd.
Sweden
The CA subsidiary that is the licensor is Computer Associates Sweden AB.
You will promptly be issued a full refund of any license fees paid for the Product and, if applicable,
04-May-2016 895/923
CA Directory - 12.0.18
You will promptly be issued a full refund of any license fees paid for the Product and, if applicable,
maintenance fees paid. If requested at the time of return and provided that receipts of costs incurred
are provided, CA or the authorized reseller shall also refund to you any postage costs you incurred in
returning the Product.
Switzerland
The following is added at the end of Section 1:
The place of performance of any duties of CA under this Agreement is Islandia, New York.
Taiwan
04-May-2016 896/923
CA Directory - 12.0.18
Taiwan
The CA subsidiary that is the licensor is CA (Taiwan) Ltd.
Thailand
The CA subsidiary that is the licensor is Computer Associates Pte. Ltd.
Turkey
The following is added at the end of Section 8:
Licensee undertakes to keep all information of trade secret nature strictly private and confidential,
and to use all necessary measures and its best efforts in order to assure and maintain the
confidentiality thereof and to prevent and protect it, or any part thereof, from disclosure to any third
person. Furthermore, Licensee hereby expressly undertakes:
(I) Not to use a CA trade secret directly or indirectly in any respect or for whatever reason on its own
behalf or on behalf of any third party or allow it to be used for any other purpose except as expressly
permitted by CA;
(II) Not to disclose, de-compile, disassemble nor otherwise reverse engineer the Product and to avoid
such a disclosure in whatever form;
(III) Not to copy or permit the others to copy without CAs prior written consent.
Licensee acknowledges that in the event of a breach of any one of the obligations imposed upon it
under this Section, CA might suffer significant damage, notwithstanding the return of all copies of the
Product, arising out of the fact that it has breached the aforesaid obligations. Consequently, Licensee
undertakes to indemnify CA in full against any such damage.
Licensee acknowledges that CA has the right to prevent any threat to confidentiality or restrain
ongoing infringement or breach of confidentiality by Licensee through legal proceedings and in case
an order is obtained against Licensee for breach, Licensee shall reimburse CAs juridical costs and
expenses including the attorney fees.
The following is added at the end of the second sentence of Section 10:
EXCEPT THAT MAY ARISE FROM CAS WILFUL FAULT OR NEGLIGENCE.
United Kingdom
04-May-2016 897/923
CA Directory - 12.0.18
United Kingdom
The CA subsidiary that is the licensor is Computer Associates Plc.
04-May-2016 898/923
CA Directory - 12.0.18
Venezuela
The CA subsidiary that is the licensor is Computer Associates de Venezuela, CA.
16. If the Product contains third party software, and the licensor requires the incorporation of specific
license terms and conditions for such software into this Agreement, those specific terms and
conditions, which are hereby incorporated by this reference, are located below this Agreement.
04-May-2016 899/923
CA Directory - 12.0.18
Ant 1.6.5
Commons Codec 1.3
commons configuration 1.3
Commons Digester 1.7
Commons Logging 1.0.4
Commons httpclient 2.0.2
Commons Lang 2.1
Google-gson 2.3
Guava
HTTP Web Server 2.0.54
jackson 2.4.1
Jettison
Joda-time
Log4j 1.2.17
Slide 2.1
Spring-ldap_Core
Swagger v.1.3.12
SwaggerUI v.2.0.24
Tomcat 6.0.32
Velocity 1.5
Xalan-C 1.9.0
Xerces Java
XML Security 1.3
The Apache software is distributed in accordance with the following license agreement:
Apache License
http://www.apache.org/licenses/
1. Definitions.
'License' shall mean the terms and conditions for use, reproduction,and distribution as defined by
Sections 1 through 9 of this document.
'Licensor' shall mean the copyright owner or entity authorized by the copyright owner that is granting
04-May-2016 900/923
CA Directory - 12.0.18
'Licensor' shall mean the copyright owner or entity authorized by the copyright owner that is granting
the License.
'Legal Entity' shall mean the union of the acting entity and all other entities that control, are
controlled by, or are under common control with that entity. For the purposes of this definition,
'control' means (i) the power, direct or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding
shares, or (iii) beneficial ownership of such entity.
'You' (or 'Your') shall mean an individual or Legal Entity exercising permissions granted by this
License.
'Source' form shall mean the preferred form for making modifications, including but not limited to
software source code, documentation source, and configuration files.
'Object' form shall mean any form resulting from mechanical transformation or translation of a
Source form, including but not limited to compiled object code, generated documentation, and
versions to other media types.
'Work' shall mean the work of authorship, whether in Source or Object form, made available under
the License, as indicated by a copyright notice that is included in or attached to the work(an example
is provided in the Appendix below).
'Derivative Works' shall mean any work, whether in Source or Object form, that is based on (or
derived from) the Work and for which the editorial revisions, annotations, elaborations, or other
modifications represent, as a whole, an original work of authorship. For the purposes of this License,
Derivative Works shall not include works that remain separable from, or merely link (or bind by
name) to the interfaces of, the Work and Derivative Works thereof.
'Contribution' shall mean any work of authorship, including the original version of the Work and any
modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted
to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity
authorized to submit on behalf of the copyright owner. For the purposes of this definition,
'submitted' means any form of electronic, verbal, or written communication sent to the Licensor or
its representatives, including but not limited to communication on electronic mailing lists, source
code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor
for the purpose of discussing and improving the Work, but excluding communication that is
conspicuously marked or otherwise designated in writing by the copyright owner as 'Not a
Contribution.'
'Contributor' shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution
has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, use, offer to sell, sell, import,
and otherwise transfer the Work, where such license applies only to those patent claims licensable by
such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of
their Contribution(s)with the Work to which such Contribution(s) was submitted. If You institute
04-May-2016 901/923
CA Directory - 12.0.18
their Contribution(s)with the Work to which such Contribution(s) was submitted. If You institute
patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that
the Work or a Contribution incorporated within the Work constitutes direct or contributory patent
infringement, then any patent licenses granted to You under this License for that Work shall
terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof
in any medium, with or without modifications, and in Source or Object form, provided that You meet
the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files;
and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright,
patent, trademark, and attribution notices from the Source form of the Work, excluding those notices
that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a 'NOTICE' text file as part of its distribution, then any Derivative Works that
You distribute must include a readable copy of the attribution notices contained within such NOTICE
file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of
the following places: within a NOTICE text file distributed as part of the Derivative Works; within the
Source form or documentation, if provided along with the Derivative Works; or, within a display
generated by the Derivative Works, if and wherever such third-party notices normally appear. The
contents of the NOTICE file are for informational purposes only and do not modify the License. You
may add Your own attribution notices within Derivative Works that You distribute, alongside or as an
addendum to the NOTICE text from the Work, provided that such additional attribution notices
cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or
different license terms and conditions for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally
submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions. Notwithstanding the above, nothing herein
shall supersede or modify the terms of any separate license agreement you may have executed with
Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service
marks, or product names of the Licensor, except as required for reasonable and customary use in
describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides
the Work (and each Contributor provides its Contributions) on an 'AS IS' BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or
redistributing the Work and assume any risks associated with Your exercise of permissions under this
License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence),
04-May-2016 902/923
CA Directory - 12.0.18
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence),
contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent
acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct,
indirect, special, incidental, or consequential damages of any character arising as a result of this
License or out of the use or inability to use the Work (including but not limited to damages for loss of
goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages
or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works
thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this License. However, in accepting such
obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of
any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor
harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
accepting any such warranty or additional liability.
Copyright (C) 2002-2010 Aleksey Sanin. All Rights Reserved. Permission is hereby granted, free of
charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions: The above
copyright notice and this permission notice shall be included in all copies or substantial portions of
the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ALEKSEY SANIN BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Aleksey Sanin
shall not be used in advertising or otherwise to promote the sale, use or other dealings in this
Software without prior written authorization from him.
Copyright (C) 2002-2010 Aleksey Sanin. All Rights Reserved. Copyright (c) 2003 America Online, Inc.
All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions: The above copyright notice and this
permission notice shall be included in all copies or substantial portions of the Software. Portions of
the Software were created using source code and/or APIs governed by the Mozilla Public License
(MPL). The MPL is available at http://www.mozilla.org/MPL/MPL-1.1.html. The MPL permits such
portions to be distributed with code not governed by MPL, as long as the requirements of MPL are
fulfilled for such portions. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ALEKSEY
SANIN BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of
04-May-2016 903/923
CA Directory - 12.0.18
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of
Aleksey Sanin shall not be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization from him.
Copyright (C) 2002-2010 Aleksey Sanin. All Rights Reserved. Copyright (C) 2003 Cordys R&D BV, All
rights reserved. Copyright (C) 2007 Roumen Petrov. Copyright (c) 2005-2006 Cryptocom LTD (
http://www.cryptocom.ru). Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions: The above copyright notice and
this permission notice shall be included in all copies or substantial portions of the Software. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ALEKSEY SANIN BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Aleksey Sanin
shall not be used in advertising or otherwise to promote the sale, use or other dealings in this
Software without prior written authorization from him.
References
* AOL
http://www.aleksey.com/pipermail/xmlsec/2003/005488.html
http://www.aleksey.com/pipermail/xmlsec/attachments/20030729/0e25648e/attachment.htm
* Cordys R&D BV
http://www.aleksey.com/pipermail/xmlsec/2003/005581.html
* Cryptocom LTD
http://www.aleksey.com/pipermail/xmlsec/2006/007410.html
==================================================================================================
This product contains portions of the "Java Architecture for XML Binding" (JAXB) 2.0 (the "JAXB
Component"). Use of the JAXB Component is governed by the Common Development and
Distribution License v1.0. The source code for the JAXB Component may be found here:
http://opensrcd.ca.com/ips/2584_6 or here https://jaxb.dev.java.net/.
==================================================================================================
Javassist
04-May-2016 904/923
CA Directory - 12.0.18
Javassist content was obtained under the Mozilla Public License v.1.1, and is distributed by CA for use
with this CA product in unmodified, object code form, under the CA license agreement. Any
provisions in the CA license agreement that differ from the Mozilla Public License are offered by CA
alone and not by any other party. The third party licensors of this component provide it on an "AS-IS"
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including,
without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY,
or FITNESS FOR A PARTICULAR PURPOSE, and disclaim liability for any claim or loss, including, without
limitation, direct, indirect, special, punitive, exemplary or consequential damages. CA makes the
source code for this component available at http://opensrcd.ca.com/ips/00001177_8 under the
terms of the Mozilla Public License v.1.1. Alternatively, you may obtain the source code from
http://www.csg.is.titech.ac.jp/~chiba/javassist/.
--------------------------------------------------------------------------------
1. Definitions.
1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a
third party.
1.1. ''Contributor'' means each entity that creates or contributes to the creation of Modifications.
1.2. ''Contributor Version'' means the combination of the Original Code, prior Modifications used by a
Contributor, and the Modifications made by that particular Contributor.
1.3. ''Covered Code'' means the Original Code or Modifications or the combination of the Original
Code and Modifications, in each case including portions thereof.
1.4. ''Electronic Distribution Mechanism'' means a mechanism generally accepted in the software
development community for the electronic transfer of data.
1.5. ''Executable'' means Covered Code in any form other than Source Code.
1.6. ''Initial Developer'' means the individual or entity identified as the Initial Developer in the Source
Code notice required by Exhibit A.
1.7. ''Larger Work'' means a work which combines Covered Code or portions thereof with code not
governed by the terms of this License.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the
time of the initial grant or subsequently acquired, any and all of the rights conveyed herein.
1.9. ''Modifications'' means any addition to or deletion from the substance or structure of either the
Original Code or any previous Modifications. When Covered Code is released as a series of files, a
Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous
Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.
04-May-2016 905/923
CA Directory - 12.0.18
1.10. ''Original Code'' means Source Code of computer software code which is described in the
Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under
this License is not already Covered Code governed by this License.
1.10.1. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including
without limitation, method, process, and apparatus claims, in any patent Licensable by grantor.
1.11. ''Source Code'' means the preferred form of the Covered Code for making modifications to it,
including all modules it contains, plus any associated interface definition files, scripts used to control
compilation and installation of an Executable, or source code differential comparisons against either
the Original Code or another well known, available Covered Code of the Contributor's choice. The
Source Code can be in a compressed or archival form, provided the appropriate decompression or de-
archiving software is widely available for no charge.
1.12. "You'' (or "Your") means an individual or a legal entity exercising rights under, and complying
with all of the terms of, this License or a future version of this License issued under Section 6.1. For
legal entities, "You'' includes any entity which controls, is controlled by, or is under common control
with You. For purposes of this definition, "control'' means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or otherwise, or (b) ownership of
more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License. 2.1. The Initial Developer Grant.
The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to
third party intellectual property claims: (a) under intellectual property rights (other than patent or
trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense
and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of
a Larger Work; and
(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have
made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or
portions thereof).
(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first
distributes Original Code under the terms of this License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete
from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the
modification of the Original Code or ii) the combination of the Original Code with other software or
devices.
(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes
Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that
04-May-2016 906/923
CA Directory - 12.0.18
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that
Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3)
for infringements caused by: i) third party modifications of Contributor Version or ii) the combination
of Modifications made by that Contributor with other software (except as part of the Contributor
Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of
Modifications made by that Contributor.
3. Distribution Obligations.
3.1. Application of License.
The Modifications which You create or to which You contribute are governed by the terms of this
License, including without limitation Section 2.2. The Source Code version of Covered Code may be
distributed only under the terms of this License or a future version of this License released under
Section 6.1, and You must include a copy of this License with every copy of the Source Code You
distribute. You may not offer or impose any terms on any Source Code version that alters or restricts
the applicable version of this License or the recipients' rights hereunder. However, You may include
an additional document offering the additional rights described in Section 3.5.
3.2. Availability of Source Code.
Any Modification which You create or to which You contribute must be made available in Source
Code form under the terms of this License either on the same media as an Executable version or via
an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version
available; and if made available via Electronic Distribution Mechanism, must remain available for at
least twelve (12) months after the date it initially became available, or at least six (6) months after a
subsequent version of that particular Modification has been made available to such recipients. You
are responsible for ensuring that the Source Code version remains available even if the Electronic
Distribution Mechanism is maintained by a third party.
(c) Representations. Contributor represents that, except as disclosed pursuant to Section 3.4(a)
above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and
/or Contributor has sufficient rights to grant the rights conveyed by this License.
04-May-2016 907/923
CA Directory - 12.0.18
04-May-2016 908/923
CA Directory - 12.0.18
(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all
rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60
days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice
You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your
past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim
with respect to the Contributor Version against such Participant. If within 60 days of notice, a
reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties
or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1
and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.
(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or
indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1
(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had
made, Modifications made by that Participant.
8.3. If You assert a patent infringement claim against Participant alleging that such Participant's
Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by
license or settlement) prior to the initiation of patent infringement litigation, then the reasonable
value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account
in determining the amount or value of any payment or license.
8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements
(excluding distributors and resellers) which have been validly granted by You or any distributor
hereunder prior to termination shall survive termination.
9. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER
TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER,
ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF
04-May-2016 909/923
CA Directory - 12.0.18
ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF
SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL
OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY
FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT
APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND
LIMITATION MAY NOT APPLY TO YOU.10. U.S. GOVERNMENT END USERS. The Covered Code is a
''commercial item,'' as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of ''commercial
computer software'' and ''commercial computer software documentation,'' as such terms are used in
48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through
227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights
set forth herein.11. MISCELLANEOUS. This License represents the complete agreement concerning
subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall
be reformed only to the extent necessary to make it enforceable. This License shall be governed by
California law provisions (except to the extent applicable law, if any, provides otherwise), excluding
its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an
entity chartered or registered to do business in the United States of America, any litigation relating to
this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of
California, with venue lying in Santa Clara County, California, with the losing party responsible for
costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The
application of the United Nations Convention on Contracts for the International Sale of Goods is
expressly excluded. Any law or regulation which provides that the language of a contract shall be
construed against the drafter shall not apply to this License.12. RESPONSIBILITY FOR CLAIMS. As
between Initial Developer and the Contributors, each party is responsible for claims and damages
arising, directly or indirectly, out of its utilization of rights under this License and You agree to work
with Initial Developer and Contributors to distribute such responsibility on an equitable basis.
Nothing herein is intended or shall be deemed to constitute any admission of liability.13. MULTIPLE-
LICENSED CODE. Initial Developer may designate portions of the Covered Code as "Multiple-
Licensed". "Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the
Covered Code under Your choice of the MPL or the alternative licenses, if any, specified by the Initial
Developer in the file described in Exhibit A.
The Initial Developer of the Original Code is Shigeru Chiba. Portions created by the Initial Developer
are
Copyright (C) 1999- Shigeru Chiba. All Rights Reserved.
04-May-2016 910/923
CA Directory - 12.0.18
Alternatively, the contents of this software may be used under the terms of the GNU Lesser General
Public License Version 2.1 or later (the "LGPL"), or the Apache License Version 2.0 (the "AL"), in which
case the provisions of the LGPL or the AL are applicable instead of those above. If you wish to allow
use of your version of this software only under the terms of either the LGPL or the AL, and not to
allow others to use your version of this software under the terms of the MPL, indicate your decision
by deleting the provisions above and replace them with the notice and other provisions required by
the LGPL or the AL. If you do not delete the provisions above, a recipient may use your version of this
software under the terms of any one of the MPL, the LGPL or the AL.
==================================================================================================
JBoss software is an open source library that is used with the software. The JBoss software is not
owned by Computer Associates International, Inc. ( CA ). Use, copying, distribution and modification
of the JBoss software are governed by the GNU Lesser General Public License ( LGPL ) version 2.1. A
copy of the LGPL license can be found in the directory on the installation disk on which the JBoss
software is distributed. Additionally, a copy of the LGPL license can be found at http://opensource.org
/licenses/lgpl-license.php or write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330,
Boston, MA 02111-1307 USA. CA makes the source code for the JBoss software available at , and
includes a copy of the source code on the same disk as the executable code. Use of the software is
governed solely by the end user license agreement ( EULA ), not by the LGPL license. You cannot use,
copy, modify or redistribute any code except as may be expressly set forth in the EULA. The JBoss
software is provided AS IS WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. Further details of the disclaimer of warranty with respect to
the JBoss software can be found in the LGPL license itself. To the full extent permitted under
applicable law, CA disclaims all warranties and liability arising from or related to any use of the JBoss
software.
==================================================================================================
jsr305 2.0.1
This product includes jsr305 2.0.1, which is distributed in accordance with the following terms:
Note: You may omit clause 3 and still be OSD-conformant. Despite its colloquial name "BSD New",
this is not the newest version of the BSD license; it was followed by the even newer BSD-2-Clause
version, sometimes known as the "Simplified BSD License". On January 9th, 2008 the OSI Board
approved BSD-2-Clause, which is used by FreeBSD and others. It omits the final "no-endorsement"
clause and is thus roughly equivalent to the MIT License.
04-May-2016 911/923
CA Directory - 12.0.18
Historical Background: The original license used on BSD Unix had four clauses. The advertising clause
(the third of four clauses) required you to acknowledge use of U.C. Berkeley code in your advertising
of any product using that code. It was officially rescinded by the Director of the Office of Technology
Licensing of the University of California on July 22nd, 1999. He states that clause 3 is "hereby deleted
in its entirety." The four clause license has not been approved by OSI. The license below does not
contain the advertising clause.
In the original BSD license, both occurrences of the phrase "COPYRIGHT HOLDERS AND
CONTRIBUTORS" in the disclaimer read "REGENTS AND CONTRIBUTORS".
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
==================================================================================================
jsr311-api
jsr311-api was obtained under the CDDL v.1.0 license, the terms and conditions of which are set forth
below. jsr311-api is distributed by CA for use with this CA product in unmodified, object code form,
under the CA license agreement. Any provisions in the CA license agreement that differ from the
CDDL are offered by CA alone and not by any other party. Source code for jsr311-api is available at
http://jsr311.java.net/. In addition, CA makes the source code for jsr311-api available at
http://opensrcd.ca.com/ips/12869_28/ under the terms of the CDDL v.1.0. license:
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
1. Definitions.
1.1. "Contributor" means each individual or entity that creates or contributes to the creation of
Modifications.
04-May-2016 912/923
CA Directory - 12.0.18
Modifications.
1.2. "Contributor Version" means the combination of the Original Software, prior Modifications used
by a Contributor (if any), and the Modifications made by that particular Contributor.
1.3. "Covered Software" means (a) the Original Software, or (b) Modifications, or (c) the combination
of files containing Original Software with files containing Modifications, in each case including
portions thereof.
1.4. "Executable" means the Covered Software in any form other than Source Code.
1.5. "Initial Developer" means the individual or entity that first makes Original Software available
under this License.
1.6. "Larger Work" means a work which combines Covered Software or portions thereof with code
not governed by the terms of this License.
1.7. "License" means this document.
1.8. "Licensable" means having the right to grant, to the maximum extent possible, whether at the
time of the initial grant or subsequently acquired, any and all of the rights conveyed herein.
1.9. "Modifications" means the Source Code and Executable form of any of the following:
A. Any file that results from an addition to, deletion from or modification of the contents of a file
containing Original Software or previous Modifications;
B. Any new file that contains any part of the Original Software or previous Modification; or C. Any
new file that is contributed or otherwise made available under the terms of this License.
1.10. "Original Software" means the Source Code and Executable form of computer software code
that is originally released under this License.
1.11. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without
limitation, method, process, and apparatus claims, in any patent Licensable by grantor.
1.12. "Source Code" means (a) the common form of computer software code in which modifications
are made and (b) associated documentation included in or with such code.
1.13. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying
with all of the terms of, this License. For legal entities, "You" includes any entity which controls, is
controlled by, or is under common control with You. For purposes of this definition, "control" means
(a) the power, direct or indirect, to cause the direction or management of such entity, whether by
contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or
beneficial ownership of such entity.
2. License Grants.
2.1. The Initial Developer Grant.
Conditioned upon Your compliance with Section 3.1 below and subject to third party intellectual
property claims, the Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive
license:
(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer,
to use, reproduce, modify, display, perform sublicense and distribute the Original Software (or
portions thereof), with or without Modifications, and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using or selling of Original Software, to make, have
made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Software (or
portions thereof).
(c) The licenses granted in Sections 2.1(a) and (b) are effective on the date Initial Developer first
distributes or otherwise makes the Original Software available to a third party under the terms of this
License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: (1) for code that You delete
from the Original Software, or (2) for infringements caused by: (i) the modification of the Original
Software, or (ii) the combination of the Original Software with other software or devices.
2.2. Contributor Grant.
Conditioned upon Your compliance with Section 3.1 below and subject to third party intellectual
property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor to
use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such
Contributor (or portions thereof), either on an unmodified basis, with other Modifications, as
04-May-2016 913/923
CA Directory - 12.0.18
Contributor (or portions thereof), either on an unmodified basis, with other Modifications, as
Covered Software and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that
Contributor either alone and/or in combination with its Contributor Version (or portions of such
combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: (1)
Modifications made by that Contributor (or portions thereof); and (2) the combination of
Modifications made by that Contributor with its Contributor Version (or portions of such
combination).
(c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first
distributes or otherwise makes the Modifications available to a third party.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: (1) for any code that
Contributor has deleted from the Contributor Version; (2) for infringements caused by: (i) third party
modifications of Contributor Version, or (ii) the combination of Modifications made by that
Contributor
with other software (except as part of the Contributor Version) or other devices; or (3) under Patent
Claims infringed by Covered Software in the absence of Modifications made by that Contributor.
3. Distribution Obligations.
3.1. Availability of Source Code.
Any Covered Software that You distribute or otherwise make available in Executable form must also
be made available in Source Code form and that Source Code form must be distributed only under
the terms of this License. You must include a copy of this License with every copy of the
Source Code form of the Covered Software You distribute or otherwise make available. You must
inform recipients of any such Covered Software in Executable form as to how they can obtain such
Covered Software in Source Code form in a reasonable manner on or through a medium customarily
used for software exchange.
3.2. Modifications.
The Modifications that You create or to which You contribute are governed by the terms of this
License. You represent that You believe Your Modifications are Your original creation(s) and/or You
have sufficient rights to grant the rights conveyed by this License.
3.3. Required Notices.
You must include a notice in each of Your Modifications that identifies You as the Contributor of the
Modification. You may not remove or alter any copyright, patent or trademark notices contained
within the Covered Software, or any notices of licensing or any descriptive text giving attribution to
any Contributor or the Initial Developer.
3.4. Application of Additional Terms.
You may not offer or impose any terms on any Covered Software in Source Code form that alters or
restricts the applicable version of this License or the recipients' rights hereunder. You may choose to
offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more
recipients of Covered Software.
However, you may do so only on Your own behalf, and not on behalf of the Initial Developer or any
Contributor. You must make it absolutely clear that any such warranty, support, indemnity or liability
obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every
Contributor for any liability incurred by the Initial Developer or such Contributor as a result of
warranty, support, indemnity or liability terms You offer.
3.5. Distribution of Executable Versions.
You may distribute the Executable form of the Covered
Software under the terms of this License or under the terms of a license of Your choice, which may
contain terms different from this License, provided that You are in compliance with the terms of this
License and that the license for the Executable form does not attempt to limit or alter the recipient's
rights in the Source Code form from the rights set forth in this License. If You distribute the Covered
Software in Executable form under a different license, You must make it absolutely clear that any
terms which differ from this License are offered by You alone, not by the Initial Developer or
Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
04-May-2016 914/923
CA Directory - 12.0.18
liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
3.6. Larger Works.
You may create a Larger Work by combining Covered Software with other code not governed by the
terms of this License and distribute the Larger Work as a single product. In such a case, You must
make sure the requirements of this License are fulfilled for the Covered Software.
4. Versions of the License.
4.1. New Versions.
Sun Microsystems, Inc. is the initial license steward and may publish revised and/or new versions of
this License from time to time. Each version will be given a distinguishing version number. Except as
provided in Section 4.3, no one other than the license steward has the right to modify this License.
4.2. Effect of New Versions.
You may always continue to use, distribute or otherwise make the Covered Software available under
the terms of the version of the License under which You originally received the Covered Software. If
the Initial Developer includes a notice in the Original Software prohibiting it from being distributed or
otherwise made available under any subsequent version of the License, You must distribute and
make the Covered Software available under the terms of the version of the License under which You
originally received the Covered Software. Otherwise, You may also choose to use, distribute or
otherwise make the Covered Software available under the terms of any subsequent version of the
License published by the license steward.
4.3. Modified Versions.
When You are an Initial Developer and You want to create a new license for Your Original Software,
You may create and use a modified version of this License if You: (a) rename the license and remove
any references to the name of the license steward (except to note that the license differs
from this License); and (b) otherwise make it clear that the license contains terms which differ from
this License.
5. DISCLAIMER OF WARRANTY.
COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES
THAT THE COVERED SOFTWARE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR
PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
COVERED SOFTWARE IS WITH YOU. SHOULD ANY COVERED SOFTWARE PROVE DEFECTIVE IN ANY
RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF
ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES
AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS AUTHORIZED
HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
6. TERMINATION.
6.1. This License and the rights granted hereunder will terminate automatically if You fail to comply
with terms herein and fail to cure such breach within 30 days of becoming aware of the breach.
Provisions which, by their nature, must remain in effect beyond the termination of this License shall
survive.
6.2. If You assert a patent infringement claim (excluding declaratory judgment actions) against Initial
Developer or a Contributor (the Initial Developer or Contributor against whom You assert such claim
is referred to as "Participant") alleging that the Participant Software (meaning the Contributor
Version where the Participant is a Contributor or the Original Software where the Participant is the
Initial Developer) directly or indirectly infringes any patent, then any and all rights granted directly or
indirectly to You by such Participant, the Initial Developer (if the Initial Developer is not the
Participant) and all Contributors under Sections 2.1 and/or 2.2 of this License shall, upon 60 days
notice from Participant terminate prospectively and automatically at the expiration of such 60 day
notice period, unless if within such 60 day period You withdraw Your claim with respect to the
Participant Software against such Participant either unilaterally or pursuant to a written agreement
with Participant.
04-May-2016 915/923
CA Directory - 12.0.18
6.3. In the event of termination under Sections 6.1 or 6.2 above, all end user licenses that have been
validly granted by You or any distributor hereunder prior to termination (excluding licenses granted
to You by any distributor) shall survive termination.
7. LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING
NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER
CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH
PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS,
LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL
OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY
FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT
APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND
LIMITATION MAY NOT APPLY TO YOU.
8. U.S. GOVERNMENT END USERS.
The Covered Software is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995),
consisting of "commercial computer software" (as that term is defined at 48 C.F.R. 252.227-7014(a)
(1)) and "commercial computer software documentation" as such terms are used in 48 C.F.R. 12.212
(Sept.1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June
1995), all U.S. Government End Users acquire Covered Software with only those rights set forth
herein.
This U.S. Government Rights clause is in lieu of, and supersedes, any other FAR, DFAR, or other clause
or provision that addresses Government rights in computer software under this License.
9. MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of
this License is held to be unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. This License shall be governed by the law of the jurisdiction
specified in a notice contained within the Original Software (except to the extent applicable law, if
any, provides otherwise), excluding such jurisdiction's conflict-of-law provisions. Any litigation
relating to this License shall be subject to the jurisdiction of the courts located in the jurisdiction and
venue specified in a notice contained within the Original Software, with the losing party responsible
for costs, including, without limitation, court costs and reasonable attorneys' fees and expenses. The
application of the United Nations Convention on Contracts for the International Sale of Goods is
expressly excluded. Any law or regulation which provides that the language of a contract shall be
construed against the drafter shall not apply to this License.
You agree that You alone are responsible for compliance with the United States export
administration regulations (and the export control laws and regulation of any other countries) when
You use, distribute or otherwise make available any Covered Software.
10. RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages
arising, directly or indirectly, out of its utilization of rights under this License and You agree to work
with Initial Developer and Contributors to distribute such responsibility on an equitable basis.
Nothing herein is intended or shall be deemed to constitute any admission of liability.
==================================================================================================
JSON-C
04-May-2016 916/923
CA Directory - 12.0.18
==================================================================================================
Libxml2
Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved. Permission is hereby granted, free of
charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions: The above
copyright notice and this permission notice shall be included in all copies or substantial portions of
the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
==================================================================================================
This product contains a copy of the Microsoft Cabinet (CAB) File Software SDK. All title, rights and
04-May-2016 917/923
CA Directory - 12.0.18
This product contains a copy of the Microsoft Cabinet (CAB) File Software SDK. All title, rights and
interests therein is retained by Microsoft Corporation.
==================================================================================================
OpenLDAP
This product includes software developed by The OpenLDAP Foundation. The software is distributed
in accordance with the following license agreement.
Redistribution and use of this software and associated documentation ("Software"), with or without
modification, are permitted provided that the following conditions are met:
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this
list of conditions, and the following disclaimer in the documentation and/or other materials provided
with the distribution, and
3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may
revise this license from time to time. Each revision is distinguished by a version number. You may use
this Software under terms of this license revision or under the terms of any subsequent revision of
the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER
(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to
promote the sale, use or other dealing in this Software without specific, written prior permission.
Title to copyright in this Software shall at all times remain with copyright holders.
==================================================================================================
OpenSSL
04-May-2016 918/923
CA Directory - 12.0.18
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
http://www.openssl.org/). This product also includes libraries from an SSL implementation written by
Eric Young (eay@cryptsoft.com (http://cryptsoft.com)).
LICENSE ISSUES
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and
the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In
case of any license issues related to OpenSSL please contact openssl-core@openssl.org (mailto:openssl-
core@openssl.org).
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
http://www.openssl.org/). Terms and Conditions for the Use of xmlsec-openssl:
OpenSSL License
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: "This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org (mailto:openssl-core@openssl.org).
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product
includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.
openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
04-May-2016 919/923
CA Directory - 12.0.18
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com (http://cryptsoft.com)) All rights reserved.
This library is free for commercial and non-commercial use as long as the following conditions are
aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com (
http://cryptsoft.com)).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts
of the library used. This can be in the form of a textual message at program startup or in
documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: 1. Redistributions of source code must retain the
copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form
must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 3. All advertising materials
mentioning features or use of this software must display the following acknowledgement: "This
product includes cryptographic software written by Eric Young (eay@cryptsoft.com (http://cryptsoft.
com))" The word 'cryptographic' can be left out if the rouines from the library being used are not
cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from
the apps directory (application code) you must include an acknowledgement: "This product includes
software written by Tim Hudson (tjh@cryptsoft.com (http://cryptsoft.com))"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
04-May-2016 920/923
CA Directory - 12.0.18
The licence and distribution terms for any publically available version or derivative of this code
cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence
[including the GNU Public Licence.]
PCRE
This product includes PCRE 8.12 which is distributed in accordance with the following terms:
PCRE LICENCE
------------
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close
as possible to those of the Perl 5 language.
Release 8 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The
documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the
software itself.
The basic library functions are written in C and are freestanding. Also included in the distribution is a
set of C++ wrapper functions.
---------------------------
-------------------------
-----------------
04-May-2016 921/923
CA Directory - 12.0.18
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the name of Google Inc. nor the names of
their contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
zlib 1.2.5
This product contains Zlib, which is distributed in accordance with the following:
This software is provided 'as-is', without any express or implied warranty. In no event will the authors
be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the
original software. If you use this software in a product, an acknowledgment in the product
documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being
the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly
Mark Adler
==================================================================================================
Scala 2.10.0
04-May-2016 922/923
CA Directory - 12.0.18
Copyright (c) 2002-2014 EPFL Copyright (c) 2011-2014 Typesafe, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or other materials provided
with the distribution. Neither the name of the EPFL nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission of
the author.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
==================================================================================================
SLF4J
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
the following conditions: The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
04-May-2016 923/923