Policy Server Installation Guide
Ver 2.4.28.0

Policy Server Installation Guide V2.4.26.0 - Seclore Internal - Limited circulation only
Source: product.seclore.com/updates/external/docs/ps... (2020-05-27)

Contents

1 Introduction
2 Preparing for Installation
2.1 System Configuration
2.2 Dependencies
2.3 Prerequisites
2.4 Creating Database Schema for Policy Server
2.5 Configuring Java for Policy Server
2.6 Configuring Tomcat for Policy Server
2.6.1 Updating Java Options for Tomcat
2.6.2 Customizing Tomcat Error Handling
2.6.3 Allowing/Restricting Tomcat Manager Application
2.6.4 Copying Common Libraries
2.6.5 Configuring server.xml in Apache Tomcat
2.7 Disabling ProxyErrorOverride in Apache server
3 Setting Up and Configuring Policy Server
3.1 Adding Deployment Specific Buffer Files
3.2 License File
3.3 Consent File
3.4 Run Tomcat Service
3.5 Provide Configuration Details
3.6 Seclore Online Help
4 Configure BYOK (Bring Your Own Key) in Policy Server
5 Adoption Stats
6 Post Installation Configurations
7 Configuring Other Components
7.1 Lite Server
8 Uploading Customized Seclore Client Installers in Policy Server
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
9.2 How do I set up the logger?
9.3 How do I generate a self-signed SSL certificate?
9.4 How do I get a CA signed SSL certificate?
9.5 How do I configure Windows Integrated Authentication for MSSQL?
9.6 What is JNDI Connection Pooling?
9.7 How do I configure the Adoption Stats feature in Policy Server?
9.8 How do I tune the system for higher performance?
10 Resources


1 Introduction

This guide provides information about the basic installation and setup of the Policy Server components.

Note

- If the Policy Server requires customizations, refer to the customization-specific deployment documents after the Policy Server deployment.
- To add one more Policy Server to an existing load-balanced (HA) setup, refer to Add One More Policy Server In HA Mode.pdf (Policy Server [Version]\Installation Docs\Add Policy Server in HA Mode\Add One More Policy Server In HA Mode.pdf).

2 Preparing for Installation

The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are summarized in the sections below.

2.1 System Configuration

Policy Server deployment requires the following system configuration:

- RAM: 2 GB or above
- Hard Disk: 40 GB or above
- Operating System: Windows Server 2012 / 2012 R2 / 2016 / 2019

Note

- It is recommended that you place all Seclore components and related installations (Java, Tomcat, Policy Server, SIM, Site Server, etc.) in a folder named 'Seclore' on a non-OS drive, for example 'D:\Seclore'.
- The '<POLICYSERVER_HOME>\config\reporting' folder requires extra disk space for storing the reporting index files: for every one million file activities, 500 MB of additional disk space is required.

2.2 Dependencies

The dependencies for the deployment of Policy Server are as follows:

- Database: Ensure that an MS SQL or Oracle database is properly installed. The supported databases are:
  o MS SQL 2008, 2012, 2014, 2016 and 2017
  o Oracle 12c, 18c and 19c
  o Note on multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so for multilingual support ensure that the database character set 'AL32UTF8' is selected during installation of the Oracle database.
- Java: Ensure that OpenJDK 11.0.1 is installed. If not, refer to Open JDK 11 Installation Guide.pdf in the References folder for the installation guidelines.
- Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to Tomcat 9 Installation Guide.pdf in the References folder for the installation guidelines.

2.3 Prerequisites

Ensure that the prerequisites below are met before you start the Policy Server deployment:

- Java installation is successful.
- Tomcat installation is successful.
- SSL certificate:
  o For a production deployment a valid SSL certificate is required. Refer to How do I get a CA signed SSL certificate.
  o For a POC/Demo/UAT deployment a self-signed SSL certificate is enough. Refer to How do I generate a self-signed SSL certificate.
- Ensure that a valid Policy Server license is available. Refer to How do I acquire the Policy Server License.
- Policy Server consent:
  o For a production deployment a valid Policy Server consent file is required. This file can be generated after an authorized person at the customer end accepts the license terms and conditions.
  o For a POC/Demo/UAT deployment a consent file is not required.


Important Note: Make sure that the service account under which Tomcat runs has Full Control on the PolicyServer folder. Run Tomcat under a dedicated service account rather than a local administrator account.

2.4 Creating Database Schema for Policy Server

Refer to Creating Database Schema.pdf in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.

Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.

2.5 Configuring Java for Policy Server

Locate the JDK folder used by the Apache Tomcat server:

1. Run Tomcat9w.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click the Java tab and verify the JDK path in the 'Java Virtual Machine' field.

2.6 Configuring Tomcat for Policy Server

Note: Memory usage of the Tomcat server depends on the number of concurrent requests for viewing files processed by the Policy Server. It is recommended to assign more JVM memory to Tomcat for better performance of Policy Server. Refer to Tweaking Tomcat JVM Memory.txt in the Supplements folder for the detailed steps.

2.6.1 Updating Java Options for Tomcat

1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Add the following entries in the 'Java Options' field:

   Java Option: -Duser.timezone=Asia/Calcutta
   Description: Sets the time zone used by Tomcat. For other time zones refer to Seclore Supported Timezones.pdf in the References folder.

   Java Option: -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
   Description: Required only if you plan to configure a Simple AD repository in Policy Server to connect to Active Directory; otherwise it can be skipped. Refer to What is JNDI Connection Pooling for further details.

4. Add the following entries, required by Seclore Policy Server, in the 'Java 9 Options' field:

   --add-opens=java.base/java.nio=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
   --add-exports=java.base/sun.security.provider=ALL-UNNAMED
   --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
   --add-modules=jdk.rmic
   --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED

   Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling

1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server:

   <Host name="localhost" appBase="webapps"
         unpackWARs="true" autoDeploy="true"
         errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application

By default the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access the application and reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in a production environment.

Note: To restart any web application, restart the Tomcat server.

To restrict the Tomcat Manager application:

1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
   I. index.jsp
   II. favicon.ico
   From <TOMCAT_HOME>\webapps:
   I. docs
   II. examples
   III. host-manager
   IV. manager
2. Overwrite index.jsp and favicon.ico with the ones from the 'Policy Server [Version]\Tools\Tomcat\Block Manager Application' folder.


3. Update the index.jsp page to enable one of the following options:
   Display a blank page with a security message:
   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.
   Display a blank page with a security message and a Policy Server redirect URL:
   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   - docs
   - examples
   - host-manager
   - manager

2.6.4 Copying Common Libraries

Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.

2.6.5 Configuring server.xml in Apache Tomcat

The server.xml file is in the <TOMCAT_HOME>\conf folder.

1. Comment out the <Connector> tags with port attributes 8080 and 8009 by enclosing them within <!-- and -->, if these ports are not used by any other application:

   <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
   <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the following <Connector> configuration to server.xml inside the <Service name="Catalina"> tag.

   Note
   - The keyAlias value is the alias name you entered while creating the keystore entry.
   - disableUploadTimeout is set to false so that larger files can be uploaded through the Lite Server application.
   - Check that the port specified in the connector below is not used by any other application.
   - The protocol and cipher lists below are the guide's defaults. TLS 1.0, TLS 1.1 and the 3DES suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) are deprecated; unless you must support the older clients referred to in the SSL 3.0 note below, restrict sslEnabledProtocols to TLSv1.2 and drop the 3DES suite in production.

   <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
              keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
              keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
              redirectPort="-1" maxHttpHeaderSize="16384"
              disableUploadTimeout="false" connectionUploadTimeout="3600000"
              acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
              useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true"
              clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
              URIEncoding="UTF-8" server="Seclore Server"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
   </Connector>

   Note: Refer to SSL 3.0 Configuration.txt only if you need to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (2.4.0.0.0 and older). SSL 3.0 is broken (POODLE) and should not be enabled on an internet-facing server.

3. Add the configuration for the AJP connector.

   Note
   - The AJP connector is needed only if Apache is deployed in front of the Policy Server.
   - Ideally only one connector configuration should be present and the other connector configurations removed.
   - In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If this configuration is changed, it must be corrected on both the Apache reverse proxy and the Tomcat server.
   - The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass. Keep AJP bound to the loopback or proxy-facing address only; it must not be reachable from the network at large.
   - The requiredSecret attribute value should be the same as the one configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the ajp balancer member in Apache.

   <Connector port="8009" protocol="AJP/1.3"
              packetSize="16384" URIEncoding="UTF-8"
              connectionTimeout="1200000" keepAliveTimeout="1200000"
              maxConnections="-1" maxThreads="15000"
              address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />


4. Add the configuration for Policy Server within the <Host ...> tag.

   Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

   For an MSSQL Database Server:

   Note: Refer to How do I configure Windows Integrated Authentication for MSSQL to enable Windows authentication for the MSSQL Database Server, which avoids keeping a database password in server.xml.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve" />
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
            disableProxyCaching="true" securePagesWithPragma="false" />
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000"
               removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
               testOnBorrow="true" validationQuery="select GETDATE()" />
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore" />
     </Manager>
   </Context>

   For an ORACLE Database Server:

   Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database instead of the plaintext values shown below.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve" />
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
            disableProxyCaching="true" securePagesWithPragma="false" />
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="oracle.jdbc.driver.OracleDriver"
               url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000"
               removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
               testOnBorrow="true" validationQuery="select * from dual" />
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore" />
     </Manager>
   </Context>


5. Add the configuration for RemoteIpValve inside the <Context ...> tag.

   Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups. Only the reverse proxy should be trusted as an internal proxy by the valve; otherwise a client can spoof the address that Policy Server records for it.
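The following script is an added example, not part of this guide or of Seclore's software. It parses a server.xml and a webapps folder and flags the settings that sections 2.6.3 and 2.6.5 ask you to change: legacy TLS versions and the 3DES suite, placeholder keystore and AJP secrets, an AJP connector that is not bound to a single address, the 16384 header/packet sizes, the Seclore error valve on the Host, and default Tomcat applications that are still deployed. The sample server.xml embedded in it is constructed from the connector and Host snippets in this section with the guide's placeholders left in, so the run produces findings; the severity labels and the list of default applications are the example's own choices.

```python
"""Offline audit of a Tomcat server.xml and webapps folder against the
hardening steps in sections 2.6.3 and 2.6.5 of this guide.
Added example: not Seclore's code. SAMPLE_SERVER_XML is constructed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the connectors and Host from section 2.6.5 with the
# guide's own placeholders left in, so the audit has something to flag.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:\\Seclore\\acmegroup.keystore" keyAlias="tomcat"
               keystorePass="PASSWORD" maxHttpHeaderSize="16384" scheme="https"
               secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1"
               requiredSecret="YOUR_AJP_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
            errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve"/>
    </Engine>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "anon", "MD5")
PLACEHOLDERS = {"", "PASSWORD", "YOUR_AJP_SECRET"}  # values copied verbatim from the guide
DEFAULT_APPS = ("manager", "host-manager", "docs", "examples")  # section 2.6.3: remove these


def _split(value):
    """Split a comma/whitespace separated attribute value into a list."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def audit_server_xml(xml_text):
    """Return (severity, message) findings for one server.xml; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        protocol = c.get("protocol", "HTTP/1.1")
        if c.get("SSLEnabled", "false").lower() == "true":
            legacy = sorted(LEGACY_PROTOCOLS & set(_split(c.get("sslEnabledProtocols", ""))))
            if legacy:
                findings.append(("HIGH", f"port {port}: legacy protocols enabled {legacy}"))
            weak = [s for s in _split(c.get("ciphers", ""))
                    if any(m in s for m in WEAK_CIPHER_MARKERS)]
            if weak:
                findings.append(("MEDIUM", f"port {port}: weak ciphers {weak}"))
            if c.get("keystorePass", "") in PLACEHOLDERS:
                findings.append(("HIGH", f"port {port}: keystorePass is empty or a placeholder"))
            if c.get("maxHttpHeaderSize") != "16384":
                findings.append(("LOW", f"port {port}: maxHttpHeaderSize is not 16384"))
        elif protocol.startswith("AJP"):
            if c.get("requiredSecret", "") in PLACEHOLDERS:
                findings.append(("HIGH", f"port {port}: AJP requiredSecret is empty or a placeholder"))
            if c.get("address") in (None, "0.0.0.0", "::"):
                findings.append(("HIGH", f"port {port}: AJP listens on all interfaces"))
            if c.get("packetSize") != "16384":
                findings.append(("LOW", f"port {port}: AJP packetSize is not 16384"))
        else:
            # Step 1 of section 2.6.5 says to comment out the plain 8080 connector.
            findings.append(("MEDIUM", f"port {port}: plaintext {protocol} connector still active"))
    host = root.find(".//Host")
    valve = host.get("errorReportValveClass", "") if host is not None else ""
    if not valve.endswith("SecloreCustomErrorReportValve"):
        findings.append(("LOW", "Host: errorReportValveClass is not the Seclore valve"))
    return findings


def audit_webapps(webapps_dir):
    """Flag default Tomcat applications that section 2.6.3 says to remove."""
    return [("HIGH", f"webapps/{app} still deployed")
            for app in DEFAULT_APPS if os.path.isdir(os.path.join(webapps_dir, app))]


def demo_webapps_audit():
    """Build a throwaway webapps folder with 'manager' still present and audit it."""
    webapps = tempfile.mkdtemp(prefix="webapps_")
    os.mkdir(os.path.join(webapps, "manager"))
    os.mkdir(os.path.join(webapps, "policyserver"))
    return audit_webapps(webapps)


if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML) + demo_webapps_audit():
        print(f"[{severity}] {message}")
```

To check a real installation, pass the contents of <TOMCAT_HOME>\conf\server.xml to audit_server_xml and <TOMCAT_HOME>\webapps to audit_webapps; an empty list from both means the settings match what this section and section 2.6.3 require. The webapps check is deliberately filesystem-based rather than HTTP-based so it can run before Tomcat is started.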

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all applications running on that Tomcat.
- If Tomcat is serving the http/https port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... >
- If Tomcat is serving the AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... >
- When Tomcat is running behind an Apache server, Apache will also need to be configured to accept 16 KB header-size requests.
- If Tomcat/Apache is behind a load balancer (LB), make sure it is also configured to accept 16 KB header-size requests.

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:

   <If "%{HTTP_ACCEPT} =~ /json/">
     ProxyErrorOverride Off
   </If>
   <If "%{HTTP_ACCEPT} =~ /xml/">
     ProxyErrorOverride Off
   </If>

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to Configure BYOK (Bring Your Own Key) in Policy Server. Then run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.

Note: For any later changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

The Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionality.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder contains the following items: PolicyServer, portal pages, help, en, aportal, aum, eum, hag, sag, es.
3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.

Note
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.

By default Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it. Perform the following steps to disable BYOK:

1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should remain.

   Before:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
     <!-- Configure External Encryption Mechanism here -->
     <mdk-config>
       <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
     </mdk-config>
   </mdk-configs>

   After:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
   </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to How do I configure the Adoption Stats feature in Policy Server.

Note: This feature requires a valid consent file to be available.
- For a production deployment, Adoption Stats will not be sent if a valid consent file is not available.
- For a POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installers and Patches section.


6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run UserInfo.exe on the machine where the Policy Server is to be installed.

The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set to 4 different levels:

- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and major milestones such as connection to the database or to AD.
- Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. There are three loggers:

- REQUEST: Logs all the requests sent by different clients to Policy Server. <POLICYSERVER_HOME>\logs\Request.log
- DEBUG: Logs all the processing steps for any request to be served. <POLICYSERVER_HOME>\logs\PolicyServer.log
- SYNC: Logs the steps while synchronizing different repositories. <POLICYSERVER_HOME>\logs\Sync.log

Modify the level attribute of the respective logger to change its logging level:

   <AsyncLogger name="REQUEST" level="debug" additivity="false">
   <AsyncLogger name="DEBUG" level="debug" additivity="false">
   <AsyncLogger name="SYNC" level="debug" additivity="false">

Use Debug only while troubleshooting; at this level every request is logged in detail and the logs grow quickly.

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.

   Note
   - Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
   - For "First and last name", enter the Fully Qualified Domain Name of the Policy Server, for example www.yourdomain.com. For a wildcard certificate this must begin with the '*' character, for example *.yourdomain.com.
   - The keystore password and the key password for the alias are both required for smooth functioning of the Policy Server application; use the same value for both, since the connector configuration in section 2.6.5 sets only keystorePass.

3. Enter the following command:

   Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

   keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore

   SHA1WithRSA is the signature algorithm the guide specifies; current browsers reject SHA-1 certificate signatures, so for a self-signed certificate that browsers must accept use -sigalg SHA256withRSA instead (in the CA-signed case the CA signs with its own algorithm, so the choice here does not matter).


At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt was pointing to when the keytool command ran; for example, in the sample screens above, the keystore file is generated at D:\Seclore.

Note: This keystore file is referred to later in the Tomcat server.xml configuration. It holds the server's private key, so restrict filesystem access to it to the Tomcat service account.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and import the certificates:

1. Generate the keystore file. Refer to How do I generate a self-signed SSL certificate to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current directory.
   c. Send the CSR to the vendor of the SSL certificate.

   Note: Keep the keystore file (e.g. acmegroup.keystore) safe, as your certificates will be installed into it later; the signed certificate is useless without the private key held in that keystore.

3. After receiving the certificates from the vendor, import them into the keystore in this order (root, then intermediate, then domain; the domain certificate must be imported under the same alias as the key pair):

   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect to the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default idle connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends providing the following parameter in the Tomcat startup arguments:

   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds), i.e. before the domain controller closes it from its side. You can configure other parameters as well according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat9w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and in the Java Options field append the parameter name/value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database:

For disabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.


10 Resources

Below is the list of documents included, with their locations.

Policy Server [Version]\Installation Docs
- Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connecting to Active Directory over SSL
- SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java certificate trust store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM for Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of time zones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure TcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.


Page 3: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

Policy Server Installation Guide V2.4.26.0

Seclore Internal - Limited circulation only

3

9.8 How do I tune the system for higher performance 15

10 Resources 16


1 Introduction

This guide provides information about the basic installation and setup of the Policy Server components.

Note:

- In case the Policy Server requires customizations, refer to the customization-specific deployment documents after the Policy Server deployment.

- In case of adding one more Policy Server to an existing load balancing (HA) mode setup, refer to Add One More Policy Server In HA Mode.pdf (Policy Server [Version]\Installation Docs\Add Policy Server in HA Mode\Add One More Policy Server In HA Mode.pdf).

2 Preparing for Installation

The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are summarized in the sections below.

2.1 System Configuration

Policy Server deployment requires the following system configuration:

- RAM: 2 GB or above

- Hard Disk: 40 GB or above

- Operating System: Windows Server 2012 / 2012 R2 / 2016 / 2019

Note:

- It is recommended that you place all Seclore components and other related installations (Java, Tomcat, Policy Server, SIM, Site Server, etc.) in a folder named 'Seclore' on a non-OS drive, for example 'D:\Seclore'.

- The '<POLICYSERVER_HOME>\config\reporting' folder requires extra disk space for storing the reporting index files. For every one million file activities, 500 MB of additional disk space is required.

2.2 Dependencies

The dependencies for the deployment of Policy Server are as follows:

- Database: Ensure that an MS SQL or Oracle database is properly installed. The supported databases are as follows:

  o MS SQL 2008, 2012, 2014, 2016 and 2017

  o Oracle 12c, 18c and 19c

  o Note: For multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so for multilingual support ensure that the database character set 'AL32UTF8' is correctly selected during the installation of the Oracle database.

- Java: Ensure that Open JDK 11.0.1 is installed. If not, refer to Open JDK 11 Installation Guide.pdf in the References folder for the installation guidelines.

- Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to Tomcat 9 Installation Guide.pdf in the References folder for the installation guidelines.

2.3 Prerequisites

Ensure that the below prerequisites are met before you start with the Policy Server deployment:

- Java installation is successful.

- Tomcat installation is successful.

- SSL Certificate:

  o For a production deployment, a valid SSL certificate is required. Refer to How do I get a CA signed SSL certificate.

  o For a POC/Demo/UAT deployment, a self-signed SSL certificate is enough. Refer to How do I generate self-signed SSL certificate.

- Ensure that a valid Policy Server License is available. Refer to How do I acquire the Policy Server License.

- Policy Server Consent:

  o For a production deployment, a valid Policy Server Consent file is required. This file can be generated after an authorized person from the customer end accepts the license terms and conditions.

  o For a POC/Demo/UAT deployment, a consent file is not required.


Important Note: Make sure that the service account under which Tomcat runs has Full Permissions on the PolicyServer folder.

2.4 Creating Database Schema for Policy Server

Refer to Creating Database Schema.pdf in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.

Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.

2.5 Configuring Java for Policy Server

Locate the JDK folder used by the Apache Tomcat server:

1. Run Tomcat9.exe from the '<TOMCAT_HOME>\bin' folder.

2. Click on the Java tab and verify the JDK path from the 'Java Virtual Machine' field.

2.6 Configuring Tomcat for Policy Server

Note: Memory usage of the Tomcat server depends on the number of concurrent requests for viewing files processed by the Policy Server. It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server. Refer to Tweaking Tomcat JVM Memory.txt in the Supplements folder for the detailed steps.

2.6.1 Updating Java Options for Tomcat

1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.

2. Go to the Java tab.

3. Configure the below options in the 'Java Options' field:

   Java Option | Description

   -Duser.timezone=Asia/Calcutta | To update the time zone information in Tomcat. For configuring different time zones, refer to Seclore Supported Timezones.pdf in the References folder.

   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000 | This is required if you are planning to configure a Simple AD Repository in Policy Server to connect with the Active Directory. If not, this can be skipped. Refer to What is JNDI Connection Pooling for further details.

4. Configure the below options in the 'Java 9 Options' field, required by Seclore Policy Server:

   --add-opens=java.base/java.nio=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
   --add-exports=java.base/sun.security.provider=ALL-UNNAMED
   --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
   --add-modules=jdk.rmic
   --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED

Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling

1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.

2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.

3. Add the errorReportValveClass attribute inside the <Host...> tag to customize the error handling of the Tomcat server:

   <Host name="localhost" appBase="webapps"
         unpackWARs="true" autoDeploy="true"
         errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application

By default the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.

Note: To restart any web application, restart the Tomcat server.

To restrict the Tomcat Manager application:

1. Take a backup of the following files:

   From the <TOMCAT_HOME>\webapps\ROOT folder:

   I. index.jsp

   II. favicon.ico

   From <TOMCAT_HOME>\webapps:

   I. docs

   II. examples

   III. host-manager

   IV. manager

2. Overwrite index.jsp and favicon.ico with the copies from the Policy Server [Version]\Tools\Tomcat\Block Manager Application folder.


3. Update the index.jsp page to enable any one of the following options:

   - Display a blank page with a security message:

     I. Open the index.jsp file.

     II. Uncomment Block 1.

     III. Provide the customized message.

   - Display a blank page with a security message and the Policy Server redirect URL:

     I. Open the index.jsp file.

     II. Uncomment Block 2.

     III. Provide the customized message.

     IV. Provide the application name in the anchor tag.

   - Redirect to Policy Server:

     I. Open the index.jsp file.

     II. Uncomment Block 3.

     III. Provide the application name.

4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:

   - docs

   - examples

   - host-manager

   - manager

2.6.4 Copying Common Libraries

Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.

2.6.5 Configuring server.xml in Apache Tomcat

The server.xml file is in the <TOMCAT_HOME>\conf folder.

1. Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing these tags within <!-- -->, if these ports are not used by any other application:

   <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
   <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.

   Note:

   - The keyAlias value is the name of the alias that you entered while creating the keystore entry.

   - disableUploadTimeout is false to allow uploading larger files through the Lite Server application.

   - Check that the port specified in the connector tag below is not used by any other application.

   <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
       keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
       redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
       acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
       useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
       sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
       ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
   </Connector>

   Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (2.4.0.0.0 and older).

3. Add the configuration for the AJP connector.

   Note:

   - The AJP connector is needed if Apache is available in front of the Policy Server.

   - In an ideal scenario only one connector configuration must be available and the other connector configurations removed.

   - In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. In case this configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.

   - The address attribute value should be the IP of the Tomcat server which is configured in Apache for the proxy pass.

   - The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP BalancerMember.

   <Connector port="8009" protocol="AJP/1.3"
       packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
       maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />


4. Add the configuration for Policy Server within the <Host...> tag.

   Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

   For MSSQL Database Server:

   Note: Refer to How do I configure Windows Integrated Authentication for MSSQL to enable Windows authentication for the MSSQL Database Server.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
       <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
       <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
       <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
           driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
           url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
           username="USERNAME" password="PASSWORD"
           maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
           logAbandoned="true" testOnBorrow="true" validationQuery="select GETDATE()"/>
       <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
           <Store className="org.apache.catalina.session.FileStore"/>
       </Manager>
   </Context>

   For ORACLE Database Server:

   Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
       <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
       <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
       <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
           driverClassName="oracle.jdbc.driver.OracleDriver"
           url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
           username="USERNAME" password="PASSWORD"
           maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
           logAbandoned="true" testOnBorrow="true" validationQuery="select * from dual"/>
       <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
           <Store className="org.apache.catalina.session.FileStore"/>
       </Manager>
   </Context>


5. Add the configuration for RemoteIpValve inside the <Context...> tag.

   Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.
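To check a server.xml assembled from the templates in 2.6.2 to 2.6.5 before Tomcat is started, here is an added audit script; it is example code, not part of the Seclore guide or product, and the sample XML inside it is constructed (the errorReportValveClass name is copied from the guide's snippet, and the cipher list is shortened).

```python
"""Audit a Tomcat server.xml against the connector/context settings above.

Added example, not part of the Seclore guide or product. It checks the points
of sections 2.6.2 to 2.6.5 (plaintext connectors removed, 16384 header and
AJP packet sizes, AJP on loopback with a real requiredSecret, error valve on
<Host>, RemoteIpValve and filled-in JDBC credentials in <Context>) and also
reports the TLSv1/TLSv1.1 versions and the 3DES suite the sample HTTPS
connector lists, so each is kept or dropped deliberately rather than by default.
"""
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "anon", "EXPORT")
PLACEHOLDERS = {"", "YOUR_AJP_SECRET", "PASSWORD"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"


def _split(attr):
    return [x.strip() for x in attr.split(",") if x.strip()]


def audit_connector(conn):
    """Findings for one <Connector>; commented-out connectors never reach here."""
    out = []
    port = conn.get("port", "?")
    if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
        if conn.get("packetSize") != "16384":
            out.append(f"connector {port}: AJP packetSize must be 16384 for the 16 KB header limit")
        if conn.get("address", "") not in LOOPBACK:
            out.append(f"connector {port}: AJP address is not loopback; confirm only the Apache proxy can reach it")
        if conn.get("requiredSecret", "") in PLACEHOLDERS:
            out.append(f"connector {port}: AJP requiredSecret is missing or still the placeholder")
        return out
    if conn.get("SSLEnabled", "false").lower() != "true":
        out.append(f"connector {port}: plaintext HTTP connector is active; comment it out unless another application needs it")
        return out
    if conn.get("maxHttpHeaderSize") != "16384":
        out.append(f"connector {port}: maxHttpHeaderSize must be 16384 for the 16 KB header limit")
    legacy = sorted(set(_split(conn.get("sslEnabledProtocols", ""))) & LEGACY_PROTOCOLS)
    if legacy:
        out.append(f"connector {port}: legacy protocol versions enabled: {', '.join(legacy)}")
    for suite in _split(conn.get("ciphers", "")):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            out.append(f"connector {port}: weak cipher suite enabled: {suite}")
    if conn.get("useServerCipherSuitesOrder", "false").lower() != "true":
        out.append(f"connector {port}: useServerCipherSuitesOrder should be true so the server picks the suite")
    return out


def audit_server_xml(xml_text):
    """Return every finding for a server.xml document, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    for host in root.iter("Host"):
        if not host.get("errorReportValveClass"):
            findings.append(f"host {host.get('name')}: errorReportValveClass not set (see 2.6.2)")
    for ctx in root.iter("Context"):
        path = ctx.get("path", "?")
        if REMOTE_IP_VALVE not in {v.get("className") for v in ctx.findall("Valve")}:
            findings.append(f"context {path}: RemoteIpValve missing; client IPs will be logged as the proxy address")
        for res in ctx.findall("Resource"):
            if res.get("password", "") in PLACEHOLDERS:
                findings.append(f"context {path}: JDBC resource {res.get('name')} still has the placeholder password")
    return findings


# Constructed sample, not a real deployment: the guide's HTTPS and AJP connector
# templates as copied in before the placeholders were filled, plus the default
# 8080 connector left uncommented. The cipher list is shortened for brevity.
SAMPLE_AS_COPIED = """<Server>
 <Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
     keystoreFile="D:/Seclore/acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
     maxHttpHeaderSize="16384" SSLEnabled="true" scheme="https" secure="true"
     useServerCipherSuitesOrder="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1"
     requiredSecret="YOUR_AJP_SECRET"/>
  <Engine name="Catalina" defaultHost="localhost">
   <Host name="localhost" appBase="webapps"
      errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">
    <Context path="/policyserver" docBase="D:/Seclore/Policy Server">
     <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
        username="USERNAME" password="PASSWORD"/>
    </Context>
   </Host>
  </Engine>
 </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_AS_COPIED) or ["no findings"]:
        print(finding)
```

Run it against the real <TOMCAT_HOME>\conf\server.xml by reading the file into audit_server_xml; an empty list means every check passed.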

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.

2. Add the following lines to it:

   <If "%{HTTP_ACCEPT} =~ /json/">
       ProxyErrorOverride Off
   </If>
   <If "%{HTTP_ACCEPT} =~ /xml/">
       ProxyErrorOverride Off
   </If>

3. Restart the Apache server.

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.

- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... >

- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... >

- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept requests with a 16 KB header size.

- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept requests with a 16 KB header size.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server Consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to Configure BYOK (Bring Your Own Key) in Policy Server. Then run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.

2. Log in using the system administrator credentials. The Manage Server Configuration page appears.

3. Enter information such as Organization Name, Application Name, Application URL, etc.

4. Click Save.

5. Restart the Tomcat service.

Note: For any later changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration on the system administrator login.

3.6 Seclore Online Help

The Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.

2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

   PolicyServer
     portal
       pages
         help
           en
             aportal
             aum
             eum
             hag
             sag
           es

3. Copy the contents of the PolicyServer folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.

4. Overwrite existing files and folders if prompted.

Note:

o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are mentioned in this file.

o If the Online Help is not configured, an error page will be displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt

o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt

By default Seclore MDK is configured. It is recommended to use Seclore MDK; however, you can disable it.

Perform the following steps to disable BYOK:


1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
       <!-- Configure External Encryption Mechanism here -->
       <mdk-config>
           <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
       </mdk-config>
   </mdk-configs>

   a. Remove the entire <mdk-config> tag.

   b. Only an empty <mdk-configs> tag should remain:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
   </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to How do I configure Adoption Stats feature in Policy Server.

Note: This feature requires a valid consent file to be available.

- For a Production deployment, Adoption Stats will not be sent if a valid consent file is not available.

- For a POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.

2. Log in using the System Admin credentials.

3. Navigate to More >> Configuration >> Installer and Patch Management.

4. Upload the installers of all the clients.

5. After a successful upload, view the installer details in the Uploaded Installers and Patches section.

6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.

2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.

The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set in 4 different modes:

- Off: Logs nothing.

- Error: Logs only errors.

- Info: Logs errors and major milestones like the connection to the database or the connection to AD.

- Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines the following loggers:

- REQUEST: Logs all the requests sent by different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).

- DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).

- SYNC: Logs the steps taken while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level property of the respective logger to change its logging type:

<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.

2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.

   Note:

   - Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.

   - For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.

   - The keystore password and the key password for the alias name are required for the smooth functioning of the Policy Server application.

3. Enter the following command:

   Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

   o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore


At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt points to while running the keytool command. For example, in the sample screens above the keystore file is generated at D:\Seclore.

Note: This keystore file will be referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and to import the certificate:

1. Generate the keystore file. Refer to How do I generate self-signed SSL certificate to get the keystore file.

2. To generate the CSR from the keystore file:

   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.

   c. Send the CSR to the vendor of the SSL certificate.

   Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:

   - For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore

   - For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore

   - For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends providing the following parameter in the Tomcat startup arguments:

-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter instructs the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds), i.e. before the domain controller drops it. You can also configure other parameters according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.

2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.

3. Go to the Java tab and in the Java Options field append the parameter name-value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database:

- For disabling Adoption Stats:

  o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql

  o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

- For enabling Adoption Stats:

  o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql

  o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.


10 Resources

Below is the list of documents included, with their location:

Document | Description

Policy Server [Version]\Installation Docs

Lite Server Installation Guide.txt | Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements

Configuring SSO Using WebSEAL Junction.txt | Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server

Connecting to AD over SSL.txt | Steps to import an SSL certificate into the JVM for the connection to Active Directory (over SSL)

SIM repository Configuration.pdf | Steps to configure the SIM Repository in Policy Server

Import Self-signed Certificate in Java.txt | Steps to import a self-signed certificate into the Java Certificate Trust Store

Tweaking Tomcat JVM Memory.txt | Steps to configure the JVM memory of Tomcat

Tomcat Valve Configuration for Resolving Client IP Addresses.pdf | Steps to configure RemoteIpValve in different server environment setups

Thales HSM Configuration Guide.txt | Steps to configure Thales HSM in Policy Server

Google Authentication Configuration Guide.pdf | Steps to configure Google authentication in Policy Server

Azure Authentication Configuration Guide.pdf | Steps to configure Azure authentication in Policy Server

Seclore License Portal - User Manual.pdf | Steps to generate a valid PolicyServer.consent file

Seclore MDK Configuration Guide.txt | Steps to configure Seclore MDK in Policy Server

SSL 3.0 Configuration.txt | Steps to enable/disable SSL 3.0

GDPR Implementation Guide.pdf | Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

Windows Integrated Auth MSSQL.pdf | Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

Outlook on the Web Add-in Configuration Guide.pdf | Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References

Creating Database Schema.pdf | Steps to configure the database and execute the database script for Policy Server

Open JDK 11 Installation Guide.pdf | Steps to install Open JDK 11 for Policy Server

Tomcat 9 Installation Guide.pdf | Steps to install Apache Tomcat 9 for Policy Server

Seclore Supported Timezones.pdf | List of timezones that can be configured in the Tomcat Java options

TCP Socket Timeout Configuration.txt | Steps to configure tcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.

Page 4: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

4

1 Introduction This guide provides information about the basic installation and setup of Policy Server components

Note

In case the Policy Server requires customizations refer to customization specific deployment documents after

Policy Server deployment

In case of adding one more Policy Server in the existing load balancing (HA) mode setup refer Add One More

Policy Server In HA ModePDF (Policy Server [Version]Installation DocsAdd Policy Server in HA ModeAdd

One More Policy Server In HA Modepdf)

2 Preparing for Installation The system configuration prerequisites and dependencies for the installation and configuration of Policy Server are

summarized in the sections below

21 System Configuration

Policy server deployment requires the following system configurations

RAM 2 GB or above

Hard Disk 40 GB or above

Operating System Windows Server 20122012 R220162019

Note

It is recommended that you place all Seclore components and other related installations (Java Tomcat Policy Server

SIM Site Server etc) in a folder named lsquoSeclorersquo in a non-OS drive like lsquoDSeclorersquo

lsquoltPOLICYSERVER_HOMEgtconfigreportingrsquo folder requires extra disk space for storing reporting index files

For everyone million file activities 500 MB additional disk space is required

2.2 Dependencies

The dependencies for the deployment of Policy Server are as follows:
• Database: Ensure that the MS SQL or Oracle database is properly installed. The supported databases are as follows:
  o MS SQL 2008, 2012, 2014, 2016 and 2017
  o Oracle 12c, 18c and 19c
  o Note: For multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so for multilingual support ensure that the database character set 'AL32UTF8' is selected during installation of the Oracle database.
• Java: Ensure that Open JDK 11.0.1 is installed. If not, refer to 'Open JDK 11 Installation Guide.pdf' in the References folder for the installation guidelines.
• Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to 'Tomcat 9 Installation Guide.pdf' in the References folder for the installation guidelines.

2.3 Prerequisites

Ensure that the below prerequisites are met before you start with the Policy Server deployment:
• Java installation is successful.
• Tomcat installation is successful.
• SSL Certificate:
  o For production deployment, a valid SSL certificate is required. Refer to 'How do I get a CA signed SSL certificate'.
  o For POC/Demo/UAT deployment, a self-signed SSL certificate is enough. Refer to 'How do I generate a self-signed SSL certificate'.
• Ensure that a valid Policy Server License is available. Refer to 'How do I acquire the Policy Server License'.
• Policy Server Consent:
  o For production deployment, a valid Policy Server Consent file is required. This file can be generated after an authorized person from the customer end accepts the license terms and conditions.
  o For POC/Demo/UAT deployment, a consent file is not required.


Important Note: Make sure that the service account under which Tomcat is running has Full Permissions on the PolicyServer folder.

2.4 Creating Database Schema for Policy Server

Refer to 'Creating Database Schema.pdf' in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.

Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.

2.5 Configuring Java for Policy Server

Locate the JDK folder used by the Apache Tomcat server:
1. Run Tomcat9.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click on the Java tab and verify the JDK path from the 'Java Virtual Machine' field.

2.6 Configuring Tomcat for Policy Server

Note: Memory usage of the Tomcat server depends on the concurrent requests for viewing files processed by the Policy Server. It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server. Refer to 'Tweaking Tomcat JVM Memory.txt' in the Supplements folder for the detailed steps.

2.6.1 Updating Java Options for Tomcat

1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Configure the below options in the 'Java Options' field:

   Java Option | Description
   -Duser.timezone=Asia/Calcutta | Updates the time zone information in Tomcat. For configuring different time zones, refer to 'Seclore Supported Timezones.pdf' in the References folder.
   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000 | Required if you are planning to configure a Simple AD Repository in Policy Server to connect with the Active Directory. If not, this can be skipped. Refer to 'What is JNDI Connection Pooling' for further details.

4. Configure the below options, required by Seclore Policy Server, in the 'Java 9 Options' field:

   --add-opens=java.base/java.nio=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
   --add-exports=java.base/sun.security.provider=ALL-UNNAMED
   --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
   --add-modules=jdk.rmic
   --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED

Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling

1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server:

   <Host name="localhost" appBase="webapps"
         unpackWARs="true" autoDeploy="true"
         errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application

By default, the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.

Note: To restart any web application, restart the Tomcat server.

To restrict the Tomcat Manager application:
1. Take a backup of the following files:
   • From the <TOMCAT_HOME>\webapps\ROOT folder:
     I. index.jsp
     II. favicon.ico
   • From <TOMCAT_HOME>\webapps:
     I. docs
     II. examples
     III. host-manager
     IV. manager
2. Overwrite index.jsp and favicon.ico with the copies from the 'Policy Server [Version]\Tools\Tomcat\Block Manager Application' folder.


3. Update the index.jsp page to enable any one of the following options:
   • Display a blank page with a security message:
     I. Open the index.jsp file.
     II. Uncomment Block 1.
     III. Provide the customized message.
   • Display a blank page with a security message and the Policy Server redirect URL:
     I. Open the index.jsp file.
     II. Uncomment Block 2.
     III. Provide the customized message.
     IV. Provide the application name in the anchor tag.
   • Redirect to Policy Server:
     I. Open the index.jsp file.
     II. Uncomment Block 3.
     III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   • docs
   • examples
   • host-manager
   • manager

2.6.4 Copying Common Libraries

Copy the common library files from 'Policy Server[Version]\Tools\Common Libs' to '<TOMCAT_HOME>\lib'.

2.6.5 Configuring server.xml in Apache Tomcat

The server.xml file is in the <TOMCAT_HOME>\conf folder.

1. Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing these tags within <!-- -->, if these ports are not used by any other application:

   <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
   <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.

Note:
• The keyAlias value is the name of the alias that you entered while creating the keystore entry.
• disableUploadTimeout is false to allow uploading larger files through the Lite Server application.
• Check that the port specified in the connector tag below is not used by any other application.

   <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
              keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
              keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
              redirectPort="-1" maxHttpHeaderSize="16384"
              disableUploadTimeout="false" connectionUploadTimeout="3600000"
              acceptCount="100" acceptorThreadCount="2" maxThreads="15000"
              maxConnections="-1" useServerCipherSuitesOrder="true"
              scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8"
              server="Seclore Server"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
   </Connector>

Note: Refer to 'SSL 3.0 Configuration.txt' only if you need to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (2.4.0.0.0 and older).

3. Add the configuration for the AJP connector.

Note:
• The AJP connector is needed only if Apache is placed in front of the Policy Server.
• In an ideal scenario only one connector configuration should be present, with the other connector configurations removed.
• In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If this configuration is changed, it must be corrected on both the Apache reverse proxy and the Tomcat server.
• The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
• The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer manager.

   <Connector port="8009" protocol="AJP/1.3"
              packetSize="16384" URIEncoding="UTF-8"
              connectionTimeout="1200000" keepAliveTimeout="1200000"
              maxConnections="-1" maxThreads="15000"
              address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />


4. Add the configuration for Policy Server within the <Host ...> tag.

Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For MSSQL Database Server:

Note: Refer to 'How do I configure Windows Integrated Authentication for MSSQL' to enable Windows authentication for the MSSQL Database Server.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
            disableProxyCaching="true" securePagesWithPragma="false"/>
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000"
               removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
               logAbandoned="true" testOnBorrow="true"
               validationQuery="select GETDATE()"/>
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore"/>
     </Manager>
   </Context>

For ORACLE Database Server:

Note: Refer to 'Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt' to configure an encrypted username and password for the database.

   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
            disableProxyCaching="true" securePagesWithPragma="false"/>
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="oracle.jdbc.driver.OracleDriver"
               url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000"
               removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
               logAbandoned="true" testOnBorrow="true"
               validationQuery="select * from dual"/>
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore"/>
     </Manager>
   </Context>


5. Add the configuration for RemoteIpValve inside the <Context ...> tag.

Note: Refer to 'Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf' for configuring RemoteIpValve in different server setups.
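To check a finished server.xml against the hardening steps in sections 2.6.2, 2.6.3 and 2.6.5, here is an added Python audit script (an example written for this guide, not Seclore's code or tooling). The two embedded server.xml samples and every secret and path in them are constructed placeholders; beyond the guide's own checks it also flags the TLSv1/TLSv1.1 protocols and the 3DES suite that the guide's connector still lists, which a production review normally wants removed.

```python
"""Audit a Tomcat server.xml against the hardening steps in sections 2.6.2, 2.6.3
and 2.6.5 above. Added example, not Seclore's code; the two server.xml samples,
the webapps listing and every secret in them are constructed placeholders."""
import xml.etree.ElementTree as ET

# Placeholder strings the guide's snippets carry and the installer must replace.
PLACEHOLDERS = {"PASSWORD", "USERNAME", "YOUR_AJP_SECRET", "NAME_OF_KEYSTORE_ALIAS",
                "ABSOLUTE PATH OF THE KEY STORE FILE"}
# Protocols the guide's sslEnabledProtocols still lists but a production review flags.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_APPS = {"docs", "examples", "host-manager", "manager"}  # removed in 2.6.3 step 4


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = root.findall(".//Connector")
    https = [c for c in connectors if c.get("SSLEnabled") == "true"]
    # 2.6.5 step 1: the stock 8080 connector must be commented out, i.e. absent.
    if any(c.get("port") == "8080" and c not in https for c in connectors):
        findings.append("plain HTTP connector on port 8080 is still active")
    # 2.6.5 step 2: the HTTPS connector's required attributes and placeholders.
    for c in https:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("HTTPS connector must set scheme=https and secure=true")
        if c.get("maxHttpHeaderSize") != "16384":
            findings.append("HTTPS connector is missing maxHttpHeaderSize=16384")
        if c.get("disableUploadTimeout") != "false":
            findings.append("HTTPS connector should set disableUploadTimeout=false")
        for attr in ("keystoreFile", "keyAlias", "keystorePass"):
            if c.get(attr, "") in PLACEHOLDERS:
                findings.append(f"HTTPS connector still has placeholder {attr}")
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        for proto in sorted(enabled & LEGACY_PROTOCOLS):
            findings.append(f"legacy protocol {proto} is enabled")
        if "3DES" in c.get("ciphers", ""):
            findings.append("a 3DES cipher suite is enabled")
    # 2.6.5 step 3: AJP needs a real shared secret, a bound address and 16 KB packets.
    for c in (c for c in connectors if c.get("protocol", "").startswith("AJP")):
        if c.get("requiredSecret", "") in PLACEHOLDERS | {""}:
            findings.append("AJP connector has no real requiredSecret")
        if not c.get("address"):
            findings.append("AJP connector is not bound to a specific address")
        if c.get("packetSize") != "16384":
            findings.append("AJP connector is missing packetSize=16384")
    # 2.6.2 step 3: the custom error-report valve on every <Host>.
    for host in root.findall(".//Host"):
        if not host.get("errorReportValveClass"):
            findings.append(f"Host {host.get('name')} has no errorReportValveClass")
    # 2.6.5 step 4: JDBC credentials must not be the placeholder values.
    for res in root.findall(".//Resource"):
        if {res.get("username", ""), res.get("password", "")} & PLACEHOLDERS:
            findings.append(f"Resource {res.get('name')} still has placeholder credentials")
    return findings


def audit_webapps(deployed_names):
    """2.6.3 step 4: default Tomcat apps still present under the webapps folder."""
    return sorted(DEFAULT_APPS & set(deployed_names))


# Constructed sample: the guide's snippets with placeholders untouched, 8080 still active.
UNFINISHED_SERVER_XML = r"""<Service name="Catalina">
 <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
 <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS"
  keystorePass="PASSWORD" maxHttpHeaderSize="16384" disableUploadTimeout="false"
  scheme="https" secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
 <Connector port="8009" protocol="AJP/1.3" packetSize="16384" requiredSecret="YOUR_AJP_SECRET"/>
 <Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
   <Context path="/policyserver" docBase="D:\Seclore\Policy Server">
    <Resource name="jdbc/filesecure" auth="Container" username="USERNAME" password="PASSWORD"/>
   </Context>
  </Host>
 </Engine>
</Service>"""

# Constructed sample: the same file after the guide's steps, with example (not real) secrets.
HARDENED_SERVER_XML = r"""<Service name="Catalina">
 <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  keystoreFile="D:\Seclore\acmegroup.keystore" keyAlias="tomcat" keystorePass="example-pass"
  maxHttpHeaderSize="16384" disableUploadTimeout="false" scheme="https" secure="true"
  SSLEnabled="true" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"/>
 <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1" requiredSecret="example-ajp-secret"/>
 <Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
   errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">
   <Context path="/policyserver" docBase="D:\Seclore\Policy Server">
    <Resource name="jdbc/filesecure" auth="Container" username="ps_app" password="example-db-pass"/>
   </Context>
  </Host>
 </Engine>
</Service>"""

if __name__ == "__main__":
    print("unfinished:", *audit_server_xml(UNFINISHED_SERVER_XML), sep="\n  ")
    print("hardened:", audit_server_xml(HARDENED_SERVER_XML))
```

Run it against the real <TOMCAT_HOME>\conf\server.xml by reading the file into a string and passing it to audit_server_xml; pass the names in <TOMCAT_HOME>\webapps to audit_webapps to confirm step 4 of 2.6.3 was completed.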

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:

   <If "%{HTTP_ACCEPT} =~ /json/">
     ProxyErrorOverride Off
   </If>
   <If "%{HTTP_ACCEPT} =~ /xml/">
     ProxyErrorOverride Off
   </If>

3. Restart the Apache server.

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.
• If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... >
• If Tomcat is running on the AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... >
• When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept requests with a 16 KB header size.
• If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept requests with a 16 KB header size.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the 'Policy Server[Version]\Web App' folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from 'Policy Server[Version]\Installation Docs'.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to 'Configure BYOK (Bring Your Own Key) in Policy Server'. Then run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.

Note: For any later changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

   PolicyServer portal pages
     help
       en
         aportal
         aum
         eum
         hag
         sag
       es

3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.

Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt'.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt'.

By default, Seclore MDK is configured. It is recommended to use Seclore MDK; however, you can disable it.

Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml. The default file looks as follows:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
     <!-- Configure External Encryption Mechanism here -->
     <mdk-config>
       <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
     </mdk-config>
   </mdk-configs>

   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should remain:

   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
   </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to 'How do I configure the Adoption Stats feature in Policy Server'.

Note: This feature requires a valid consent file to be available.
• For production deployment, Adoption Stats are not sent if a valid consent file is not available.
• For POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide 'Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt' for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.


6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:
1. Copy UserInfo.exe from 'Policy Server [Version]\License Utility\UserInfo.exe' to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.

The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set in 4 different modes:
• Off: Logs nothing.
• Error: Logs only errors.
• Info: Logs errors and the major milestones, like connection to the database or connection to AD.
• Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. The loggers are:
• REQUEST: Logs all the requests sent by different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
• DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
• SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level property of the respective logger for the different logging types:

   <AsyncLogger name="REQUEST" level="debug" additivity="false">
   <AsyncLogger name="DEBUG" level="debug" additivity="false">
   <AsyncLogger name="SYNC" level="debug" additivity="false">

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:
1. Open a command prompt.
2. Enter the details as shown below. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.

Note:
• Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
• For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
• The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command:

Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

   keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore


At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt was pointing at while running the keytool command. For example, in the sample screens above the keystore file is generated at D:\Seclore.

Note: This keystore file is referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and to import the certificate:
1. Generate the keystore file. Refer to 'How do I generate a self-signed SSL certificate' to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.

   Note: Keep the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:
   • For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   • For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   • For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the 'Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf' file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:

   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can also configure other parameters according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database:
• For disabling Adoption Stats:
  o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
  o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
• For enabling Adoption Stats:
  o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
  o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

For tuning the system to achieve higher performance, follow the steps provided in the 'Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt' file.


10 Resources

Below is the list of documents included, with their locations.

Policy Server [Version]\Installation Docs
• Lite Server Installation Guide.txt: Steps for Lite Server installation.

Policy Server [Version]\Installation Docs\Supplements
• Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server.
• Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL).
• SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server.
• Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java Certificate Trust Store.
• Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat.
• Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIPValve in different server environment setups.
• Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server.
• Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server.
• Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server.
• Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file.
• Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server.
• SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0.
• GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server.

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
• Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL.

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
• Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in in Policy Server.

Policy Server [Version]\Installation Docs\References
• Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server.
• Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server.
• Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server.
• Seclore Supported Timezones.pdf: List of time zones that can be configured in the Tomcat Java options.
• TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay.


Page 5: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

5

Important Note Make sure that the Service account from which Tomcat is running has Full Permissions on PolicyServer

Folder

24 Creating Database Schema for Policy Server

Refer to Creating Database Schemapdf in the lsquoPolicy Server [Version]Installation DocsReferencesrsquo folder for

creating database schema for Policy Server

Note Screenshots are for representational purposes only Java and Tomcat versions must match those mentioned

in the steps

25 Configuring Java for Policy Server

Locate the JDK folder used by the Apache Tomcat server

1 Run Tomcat9exe from lsquoltTOMCAT_HOMEgtbinrsquo folder

2 Click on the Java tab and verify the JDK path from the lsquoJava Virtual Machinersquo field

26 Configuring Tomcat for Policy Server

Note Memory usage of Tomcat server is based on the concurrent requests for viewing files processed by the Policy

Server It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server Refer to

Tweaking Tomcat JVM Memorytxt in the Supplements folder for the detailed steps

261 Updating Java Options for Tomcat

1 Run lsquoltTOMCAT HOMEgtbinTomcat9wexersquo

2 Go to the Java tab

3 Configure the below configurations in the lsquoJava Optionsrsquo field

Java Option Description

-Dusertimezone=AsiaCalcutta To update the time zone information in

Tomcat For configuring different time

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

6

zones refer to Seclore Supported

Tmezonespdf in the References folder

-Dcomsunjndildapconnectpooltimeout=600000 This is required if you are planning to

configure Simple AD Repository in Policy

Server to connect with the Active

Directory If not this can be skipped Refer

to What is JNDI Connection Pooling For

further details

4. Configure the following options in the 'Java 9 Options' field; they are required by Seclore Policy Server:

    --add-opens=java.base/java.nio=ALL-UNNAMED
    --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
    --add-exports=java.desktop/sun.awt=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
    --add-exports=java.base/sun.security.provider=ALL-UNNAMED
    --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
    --add-modules=jdk.rmic
    --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED

   Note: Do not update or delete the default 'Java 9 Options' present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling

1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server. The package separators of the class name were lost in this copy of the guide; confirm the fully qualified name below against the class path inside SecloreCustomErrorReportValve.jar:

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application

By default, the manager application is enabled for Tomcat. If the Tomcat manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.

Note: To restart any web application, restart the Tomcat server.

To restrict the Tomcat Manager application:

1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
     I. index.jsp
     II. favicon.ico
   From <TOMCAT_HOME>\webapps:
     I. docs
     II. examples
     III. host-manager
     IV. manager
2. Overwrite index.jsp and favicon.ico with the copies from the 'Policy Server [Version]\Tools\Tomcat\Block Manager Application' folder.
3. Update the index.jsp page to enable any one of the following options:
   Display a blank page with a security message:
     I. Open the index.jsp file.
     II. Uncomment Block 1.
     III. Provide the customized message.
   Display a blank page with a security message and the Policy Server redirect URL:
     I. Open the index.jsp file.
     II. Uncomment Block 2.
     III. Provide the customized message.
     IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
     I. Open the index.jsp file.
     II. Uncomment Block 3.
     III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   - docs
   - examples
   - host-manager
   - manager

2.6.4 Copying Common Libraries

Copy the common library files from 'Policy Server [Version]\Tools\Common Libs' to <TOMCAT_HOME>\lib.

2.6.5 Configuring server.xml in Apache Tomcat

The server.xml file is in the <TOMCAT_HOME>\conf folder.

1. Comment out the <Connector> tags whose port attribute is 8080 and 8009 by enclosing these tags within <!-- -->, if these ports are not used by any other application:

    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.

   Note:
   - The keyAlias value is the name of the alias that you entered while creating the keystore entry.
   - disableUploadTimeout is set to false to allow uploading larger files through the Lite Server application.
   - Check that the port specified in the connector tag below is not used by any other application.

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
               keyAlias="NAME_OF_KEYSTORE_ALIAS"
               keystorePass="PASSWORD"
               redirectPort="-1"
               maxHttpHeaderSize="16384"
               disableUploadTimeout="false"
               connectionUploadTimeout="3600000"
               acceptCount="100"
               acceptorThreadCount="2"
               maxThreads="15000"
               maxConnections="-1"
               useServerCipherSuitesOrder="true"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               URIEncoding="UTF-8"
               server="Seclore Server"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
    </Connector>

   Note: Refer to 'SSL 3.0 Configuration.txt' only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).

3. Add the configuration for the AJP connector.

   Note:
   - The AJP connector is needed only if Apache is available in front of the Policy Server.
   - In an ideal scenario only one connector configuration should be present, with the other connector configurations removed.
   - In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
   - The address attribute value should be the IP of the Tomcat server that is configured in Apache for ProxyPass.
   - The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP BalancerMember.

    <Connector port="8009" protocol="AJP/1.3"
               packetSize="16384" URIEncoding="UTF-8"
               connectionTimeout="1200000" keepAliveTimeout="1200000"
               maxConnections="-1" maxThreads="15000"
               address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />

4. Add the configuration for Policy Server within the <Host ...> tag.

   Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

   For MSSQL Database Server:

    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
               disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                  driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
                  url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
                  username="USERNAME" password="PASSWORD"
                  maxWaitMillis="5000" maxTotal="30000"
                  removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
                  logAbandoned="true" testOnBorrow="true"
                  validationQuery="select GETDATE()"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>

   Note: Refer to 'How to Configure Windows Integrated Authentication for MSSQL' to enable Windows authentication for the MSSQL Database Server.

   For ORACLE Database Server:

    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
               disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                  driverClassName="oracle.jdbc.driver.OracleDriver"
                  url="jdbc:oracle:thin:@//DBSERVERNAME:PORT/SERVICENAME"
                  username="USERNAME" password="PASSWORD"
                  maxWaitMillis="5000" maxTotal="30000"
                  removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
                  logAbandoned="true" testOnBorrow="true"
                  validationQuery="select * from dual"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>

   Note: Refer to 'Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt' to configure an encrypted username and password for the database.

5. Add the configuration for RemoteIpValve inside the <Context ...> tag.

   Note: Refer to 'Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf' for configuring RemoteIpValve in different server setups.
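The following Python script is an added example for sections 2.6.3 and 2.6.5; it is not part of this guide or of Seclore's tooling. It reads a server.xml with the standard library and reports what a reviewer checks before go-live: active plaintext connectors, the AJP connector's secret and bind address, the legacy TLS protocols and the 3DES suite that the connector above lists for old clients, the 16 KB header limit, placeholder values left unreplaced, a clear-text database password, and the sample applications that 2.6.3 step 4 says to remove. The sample server.xml inside the script is constructed from the connector and context fragments above, with the guide's placeholders kept; the finding codes are this script's own.

```python
"""Post-install audit of Tomcat's server.xml and webapps folder (added example)."""
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # listed in 2.6.5 for old clients only
WEAK_CIPHER_MARKERS = ("3DES",)                    # TLS_RSA_WITH_3DES_EDE_CBC_SHA in 2.6.5
REMOVABLE_APPS = {"docs", "examples", "host-manager", "manager"}  # 2.6.3 step 4
PLACEHOLDERS = {"PASSWORD", "YOUR_AJP_SECRET", "NAME_OF_KEYSTORE_ALIAS",
                "ABSOLUTE PATH OF THE KEY STORE FILE"}

# Constructed sample: the 2.6.5 connectors and the MSSQL context, placeholders unreplaced.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
               keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384"
               address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
          <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                    username="USERNAME" password="PASSWORD"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return a list of (code, message) findings for one server.xml text."""
    findings = []
    # ElementTree drops XML comments, so connectors commented out in step 1 are skipped.
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            secret = conn.get("requiredSecret")
            if not secret or secret in PLACEHOLDERS:
                findings.append(("AJP_SECRET", f"port {port}: requiredSecret missing or still a placeholder"))
            if conn.get("address") not in ("127.0.0.1", "::1"):
                findings.append(("AJP_ADDRESS", f"port {port}: AJP bound to "
                                 f"{conn.get('address') or 'all interfaces'}; confirm it is the proxy-facing address"))
            if conn.get("packetSize") != "16384":
                findings.append(("AJP_PACKET_SIZE", f"port {port}: packetSize is not 16384"))
            continue
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(("PLAINTEXT_HTTP", f"port {port}: non-TLS HTTP connector is active"))
            continue
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("LEGACY_TLS", f"port {port}: legacy protocols enabled: {', '.join(legacy)}"))
        weak = [c.strip() for c in conn.get("ciphers", "").split(",")
                if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(("WEAK_CIPHER", f"port {port}: 3DES suites enabled: {', '.join(weak)}"))
        if conn.get("maxHttpHeaderSize") != "16384":
            findings.append(("HEADER_SIZE", f"port {port}: maxHttpHeaderSize is not 16384"))
        for attr in ("keystoreFile", "keyAlias", "keystorePass"):
            if conn.get(attr, "") in PLACEHOLDERS:
                findings.append(("KEYSTORE_PLACEHOLDER", f"port {port}: {attr} still holds the guide's placeholder"))
    for res in root.iter("Resource"):
        name = res.get("name", "?")
        password = res.get("password")
        if password in PLACEHOLDERS:
            findings.append(("DB_PASSWORD_PLACEHOLDER", f"{name}: password still holds the guide's placeholder"))
        elif password:
            findings.append(("DB_PASSWORD_LITERAL",
                             f"{name}: clear-text password in server.xml; see the Database Credentials Encryption Guide"))
    return findings


def audit_webapps(app_names):
    """Return the sample/manager apps from 2.6.3 step 4 that are still deployed."""
    return sorted(REMOVABLE_APPS & set(app_names))


def codes(findings):
    """Distinct finding codes, convenient as a pass/fail gate."""
    return {code for code, _ in findings}


if __name__ == "__main__":
    for code, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{code}] {message}")
    print("leftover apps:", audit_webapps(["ROOT", "policyserver", "manager", "docs"]))
```

Run it against the real <TOMCAT_HOME>\conf\server.xml by reading the file into audit_server_xml, and pass os.listdir of <TOMCAT_HOME>\webapps to audit_webapps. LEGACY_TLS and WEAK_CIPHER are review items rather than errors: the guide keeps TLSv1 and the 3DES suite for IE6-era clients, so drop them only once no supported client depends on them.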

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:

    <If "%{HTTP_ACCEPT} =~ /json/">
        ProxyErrorOverride Off
    </If>
    <If "%{HTTP_ACCEPT} =~ /xml/">
        ProxyErrorOverride Off
    </If>

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the 'Policy Server [Version]\Web App' folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from 'Policy Server [Version]\Installation Docs'.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept 16 KB header-size requests.
- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept 16 KB header-size requests.

3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to 'Configure BYOK (Bring Your Own Key) in Policy Server'. Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access <POLICY_SERVER_APPLICATION_URL>/sysadmin.
2. Log in using system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.

Note: For any later changes to the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure (folder names as listed in the guide):

    PolicyServer
        portal pages
        help
            en
                aportal
                aum
                eum
                hag
                sag
            es

3. Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.

Note:
- Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
- If the Online Help is not configured, an error page will be displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:
- Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt'.
- Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt'.

By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.

Perform the following steps to disable BYOK:

1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml. The default file looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
        <!-- Configure External Encryption Mechanism here -->
        <mdk-config>
            <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
        </mdk-config>
    </mdk-configs>

   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should remain:

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
    </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to 'How do I configure the Adoption Stats feature in Policy Server'.

Note: This feature requires a valid consent file to be available.
- For a Production deployment, Adoption Stats will not be sent if a valid consent file is not available.
- For a POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide at 'Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt' for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the <POLICY_SERVER_APPLICATION_URL>/sysadmin URL.
2. Log in using System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from 'Policy Server [Version]\License Utility\UserInfo.exe' to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.

The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set in 4 different modes:
- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and major milestones such as connection to the database or connection to AD.
- Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It contains the following loggers:
- REQUEST: Logs all the requests sent by different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level property of the respective logger to change its logging type:

    <AsyncLogger name="REQUEST" level="debug" additivity="false">
    <AsyncLogger name="DEBUG" level="debug" additivity="false">
    <AsyncLogger name="SYNC" level="debug" additivity="false">

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.

   Note:
   - Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
   - For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a Wildcard Certificate this must begin with the * character, for example *.yourdomain.com.
   - The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command:

    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore

   Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command. For example, in the sample screens above, the keystore file is generated at D:\Seclore.

Note: This keystore file will be referred to later in the Tomcat server.xml configuration.
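Returning to the logger configuration in 9.2: the following Python script is an added example, not part of this guide or of Seclore's tooling. It changes the level attribute of the named <AsyncLogger> elements in log4j2.xml with the standard library, accepts only the four modes listed in 9.2, fails loudly on a logger name that is not in the file, and reads the levels back so the change can be verified before the Tomcat service is restarted. The sample log4j2.xml is constructed around the three loggers shown in 9.2; the appender names and layout in it are assumptions.

```python
"""Set and verify AsyncLogger levels in a Policy Server log4j2.xml (added example)."""
import xml.etree.ElementTree as ET

# The four modes listed in 9.2, in log4j2 spelling.
ALLOWED_LEVELS = ("off", "error", "info", "debug")

# Constructed sample: the three loggers from 9.2; appender names are assumed.
SAMPLE_LOG4J2_XML = """<Configuration status="warn">
  <Appenders>
    <File name="RequestFile" fileName="logs/Request.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="ServerFile" fileName="logs/PolicyServer.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="SyncFile" fileName="logs/Sync.log"><PatternLayout pattern="%d %m%n"/></File>
  </Appenders>
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false"><AppenderRef ref="RequestFile"/></AsyncLogger>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"><AppenderRef ref="ServerFile"/></AsyncLogger>
    <AsyncLogger name="SYNC" level="debug" additivity="false"><AppenderRef ref="SyncFile"/></AsyncLogger>
    <Root level="error"><AppenderRef ref="ServerFile"/></Root>
  </Loggers>
</Configuration>
"""


def logger_levels(xml_text):
    """Map each AsyncLogger name to its current level (lower-cased)."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.get("level", "").lower() for lg in root.iter("AsyncLogger")}


def set_logger_levels(xml_text, levels):
    """Return new XML text with the given {logger name: level} applied.

    Rejects levels outside ALLOWED_LEVELS and logger names not present in the
    file, so a typo cannot silently leave the old level in place.
    """
    root = ET.fromstring(xml_text)
    present = {lg.get("name"): lg for lg in root.iter("AsyncLogger")}
    for name, level in levels.items():
        if level.lower() not in ALLOWED_LEVELS:
            raise ValueError(f"{name}: level {level!r} is not one of {ALLOWED_LEVELS}")
        if name not in present:
            raise ValueError(f"logger {name!r} not found in log4j2.xml")
        present[name].set("level", level.lower())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Turn request logging down to info and keep only errors from the server logger.
    updated = set_logger_levels(SAMPLE_LOG4J2_XML, {"REQUEST": "info", "DEBUG": "error"})
    print(logger_levels(updated))
```

To apply it to a live deployment, read <POLICYSERVER_HOME>\config\log4j2.xml into set_logger_levels, write the returned text back, and restart Tomcat as 3.5 step 5 describes. The REQUEST logger at debug records every client request, so in production keep it at info or error and raise it only while troubleshooting.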

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and to import the certificate:

1. Generate the keystore file. Refer to 'How do I generate a self-signed SSL certificate' to get the keystore file.
2. Generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

    keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.

   Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:
   - For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   - For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   - For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the 'Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf' file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends the following parameter to be provided with the Tomcat startup arguments:

    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can also configure other parameters according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:
- MSSQL Database: 'Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql'
- Oracle Database: 'Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql'

For enabling Adoption Stats:
- MSSQL Database: 'Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql'
- Oracle Database: 'Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql'

9.8 How do I tune the system for higher performance?

To tune the system for higher performance, follow the steps provided in the 'Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt' file.

10 Resources

Below is the list of documents included, with their location.

Location: Policy Server [Version]\Installation Docs

  Document                                      Description
  Lite Server Installation Guide.txt            Steps for Lite Server installation

Location: Policy Server [Version]\Installation Docs\Supplements

  Document                                      Description
  Configuring SSO Using WebSEAL Junction.txt    Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt                 Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
  SIM repository Configuration.pdf              Steps to configure a SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt    Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt                Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf
                                                Steps to configure RemoteIpValve in different server environment setups
  Thales HSM Configuration Guide.txt            Steps to configure Thales HSM in Policy Server
  Google Authentication Configuration Guide.pdf Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf  Steps to configure Azure authentication in Policy Server
  Seclore License Portal - User Manual.pdf      Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt           Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt                     Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf                 Steps to implement GDPR in Policy Server

Location: Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

  Document                                      Description
  Windows Integrated Auth MSSQL.pdf             Steps to configure Windows integrated authentication for MSSQL

Location: Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

  Document                                      Description
  Outlook on the Web Add-in Configuration Guide.pdf
                                                Steps to install and configure the Outlook on the web Add-in for Policy Server

Location: Policy Server [Version]\Installation Docs\References

  Document                                      Description
  Creating Database Schema.pdf                  Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf            Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf               Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf               List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt          Steps to configure tcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.

Page 6: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

6

zones refer to Seclore Supported

Tmezonespdf in the References folder

-Dcomsunjndildapconnectpooltimeout=600000 This is required if you are planning to

configure Simple AD Repository in Policy

Server to connect with the Active

Directory If not this can be skipped Refer

to What is JNDI Connection Pooling For

further details

4 Configure the below configurations in the lsquoJava 9 Optionsrsquo field required by Seclore Policy Server

Note Do not update or delete the default lsquoJava 9 Optionsrsquo present in Tomcat 9

262 Customizing Tomcat Error Handling

1 Copy SecloreCustomErrorReportValvejar from the lsquoPolicy Server [Version]ToolsTomcatConfigure

Custom Error Pagesrsquo directory to the lsquoltTOMCAT_INSTALL_FOLDERgtlibrsquo directory

2 Open serverxml from lsquoltTOMCAT_INSTALL_FOLDERgtconfrsquo

3 Add the errorReportValveClass attribute inside the ltHosthellipgt tag to customize error handling for Tomcat

Server

263 AllowingRestricting Tomcat Manager Application

By default the manager application is enabled for Tomcat If the Tomcat manager application is enabled any

user can access the application Users can reload any web application from the Tomcat manager It is highly

recommended to restrict Tomcat manager application in the production environment

Note To restart any web application restart the Tomcat server

To restrict the Tomcat Manager application

1 Take a backup of the following files

From ltTOMCAT_HOMEgtwebappsROOT folder

I indexjsp

II faviconico

From ltTOMCAT_HOMEgtwebapps

I docs

II examples

III host-manager

IV manager

2 Overwrite indexjsp and faviconico from Policy Server [Version]ToolsTomcatBlock Manager

Application folder

--add-opens=javabasejavanio=ALL-UNNAMED

--add-exports=javadesktopsunawtimage=ALL-UNNAMED

--add-exports=javadesktopsunawt=ALL-UNNAMED

--add-exports=javadesktopcomsunimageiopluginsjpeg=ALL-UNNAMED

--add-exports=javadesktopcomsunimageiopluginspng=ALL-UNNAMED

--add-exports=javadesktopcomsunimageiopluginscommon=ALL-UNNAMED

--add-exports=javabasesunsecurityprovider=ALL-UNNAMED

--add-exports=javabasesunsecurityinternalspec=ALL-UNNAMED

--add-modules=jdkrmic

--add-exports=jdkrmicsuntoolsjavac=ALL-UNNAMED

ltHost name=localhost appBase=webapps

unpackWARs=true autoDeploy=true

errorReportValveClass=comseclorefscustomerrorvalveSecloreCustomErrorReportValvegt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

7

3 Update the indexjsp page to enable any of the following options

Display blank page with security message

I Open the indexjsp file

II Uncomment the Block 1

III Provide the customized message

Display blank page with security message and Policy Server redirect URL

I Open the indexjsp file

II Uncomment the Block 2

III Please provide the customized message

IV Provide the application name in the anchor tag

Redirect to Policy Server

I Open the indexjsp file

II Uncomment the Block 3

III Provide the application name

4 Remove the following applications from the ltTOMCAT_HOMEgtwebapps folder

docs

examples

host-manager

manager

264 Copying Common Libraries

Copy the common library files from Policy Server[Version]ToolsCommon Libs to ltTOMCAT HOMEgtlib

265 Configuring serverxml in Apache Tomcat

The serverxml file is in the ltTOMCAT_HOMEgtconf folder

1 Comment the ltConnectorgt tag with port attribute as 8080 and 8009 by enclosing thee tags within lt--

--gt if these ports are not used by any other application

2 Add the configuration for the ltConnectorgt tag into the serverxml inside the ltService

name=rdquocatalinagt tag

Note

The keyAlias value is the name of the alias that you have entered while creating keystore

entry

The disableUploadTimeout is false for uploading larger files through the Lite Server

application

Check whether the port specified in the connector tag specified below is not used by any

other application

lt-- ltConnector port=8080 protocol=HTTP11 connectionTimeout=20000 redirectPort=8443 gt rarr lt-- ltConnector port=8009 protocol=AJP13 redirectPort=8443 gt --gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

8

Note Refer to SSL 30 Configurationtxt only to enable SSL 30 protocol for IE6 and other dependent DC

versions (24000 and older)

3 Add the configuration for AJP connector

Note

AJP connector is needed if Apache is available in front of the Policy Server

In an ideal scenario only one connector configuration must be available and the other

connector configurations removed

In the Apache the TTL configuration for balancer member should be 1200 to match

connectionTimeout and keepAliveTimeout In case the configuration is changed it should be

corrected on both the Apache reverse proxy and Tomcat server

Address attribute value should be the IP of tomcat server which is configure in the Apache

for proxy pass

requiredSecret attributes value should be the same as configured in Apaches policyserver

vhost file Refer secret keyword while configuring ajps balancemanager

ltConnector port=443 protocol = orgapachecoyotehttp11Http11Nio2Protocol keystoreFile=ABSOLUTE PATH OF THE KEY STORE FILE keyAlias = NAME_OF_KEYSTORE_ALIAS keystorePass=PASSWORD redirectPort=-1 maxHttpHeaderSize=16384 disableUploadTimeout=false connectionUploadTimeout=3600000 acceptCount=100 acceptorThreadCount=2 maxThreads=15000 maxConnections=-1 useServerCipherSuitesOrder=true scheme=https secure=true SSLEnabled=true clientAuth=false sslEnabledProtocols=TLSv1TLSv11TLSv12 URIEncoding=UTF-8 server=Seclore Server ciphers = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHAgt ltConnectorgt

ltConnector port=8009 protocol=AJP13

packetSize=16384 URIEncoding=UTF-8 connectionTimeout=1200000 keepAliveTimeout=1200000 maxConnections=-1 maxThreads=15000 address=127001 requiredSecret=YOUR_AJP_SECRET gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

9

4 Add the configuration for Policy Server within the ltHosthellipgt tag

Note docBase attribute should point to the Policy Server home folder For example DSeclorePolicy

Server

For MSSQL Database Server

Note Refer How toConfigure Windows Integrated Authentication for MSSQL to enable Windows

authentication for MSSQL Database Server

For ORACLE Database Server

Note Refer Policy Server [Version]ToolsTomcatDatabase Credentials EncryptionDatabase

Credentials Encryption Guidetxt to configure encrypted username and password for the database

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=commicrosoftsqlserverjdbcSQLServerDriver url=jdbcsqlserverDBSERVERNAMEPORTdatabaseName=DATABASENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select GETDATE()gt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=oraclejdbcdriverOracleDriver url=jdbcoraclethinDBSERVERNAMEPORTSERVICENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select from dualgt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

10

5 Add the configuration for RemoteIpValve inside the ltContexthellipgt tag

Note Refer to Policy Server[Version]Installation DocsSupplementsTomcat Valve Configuration for

Resolving Client IP Addressespdf for configuring RemoteValve in different server setups

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.

2. Add the following lines to it (the ProxyErrorOverride <If> blocks reproduced after section 3.3 on this page).

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.

Note: The HTTP header size limit is raised from the default 8KB to 16KB. This setting applies to all applications running on that Tomcat instance.

If Tomcat is serving HTTP/HTTPS directly:

- Add the 'maxHttpHeaderSize' attribute with the value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" />

If Tomcat is running on an AJP port:

- Add the 'packetSize' attribute with the value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" />

When Tomcat runs behind an Apache server, Apache must also be configured to accept requests with 16KB headers. If Tomcat/Apache sits behind a load balancer (LB), make sure the load balancer is also configured to accept requests with 16KB headers.

Apache vhost lines for step 2 of section 2.7:

<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to section 4, Configure BYOK (Bring Your Own Key) in Policy Server. Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.

2. Log in using the system administrator credentials. The Manage Server Configuration page appears.

3. Enter information such as Organization Name, Application Name, Application URL, etc.

4. Click Save.

5. Restart the Tomcat service.

Note: To change the configuration later, open the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.

2. Extract PolicyServer.zip from this folder. The extracted folder has the structure shown in the folder tree reproduced later on this page, within section 4.

3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.

4. Overwrite existing files and folders if prompted.

Note:

- Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.

- If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

- Seclore MDK (default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.

- Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.

By default, Seclore MDK is configured, and using Seclore MDK is recommended. However, you can disable it. Perform the following steps to disable BYOK:

Folder structure of the extracted help manuals (figure for step 2 of section 3.6):

PolicyServer portal pages
  help
    en
      aportal
      aum
      eum
      hag
      sag
    es


1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.

   a. Remove the entire <mdk-config> tag.

   b. Only an empty <mdk-configs> tag should be present (see the two MDKConfig.xml fragments reproduced after section 8 on this page).

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to 9.7, How do I configure Adoption Stats feature in Policy Server.

Note: This feature requires a valid consent file to be available.

- For a Production deployment, Adoption Stats are not sent if a valid consent file is not available.

- For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed at "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed at "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide at Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.

2. Log in using the System Admin credentials.

3. Navigate to More >> Configuration >> Installer and Patch Management.

4. Upload the installers of all the clients.

5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.

MDKConfig.xml with Seclore MDK configured (the default described in section 4):

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
  <!-- Configure External Encryption Mechanism here -->
  <mdk-config>
    <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
  </mdk-config>
</mdk-configs>

MDKConfig.xml with BYOK disabled (step 1b of section 4):

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>


6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.

2. Run UserInfo.exe on the machine where the Policy Server needs to be installed.

The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set to 4 different modes:

- Off: Logs nothing.

- Error: Logs only errors.

- Info: Logs errors and major milestones such as connection to the database or connection to AD.

- Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines the following loggers:

- REQUEST: Logs all the requests sent by different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log).

- DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).

- SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level property of each logger for the required logging type (the AsyncLogger entries are reproduced after 9.3 on this page).

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.

2. Enter the details as shown below. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.

Note:

- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.

- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.

- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command:

Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

- keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore

log4j2.xml logger entries referred to in 9.2 (set the level attribute to off, error, info or debug):

<AsyncLogger name="REQUEST" level="debug" additivity="false">

<AsyncLogger name="DEBUG" level="debug" additivity="false">

<AsyncLogger name="SYNC" level="debug" additivity="false">


At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory that the command prompt was in while running the keytool command; for example, in the sample screens above, the keystore file is generated at D:\Seclore.

Note: This keystore file is referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and import the certificate:

1. Generate the keystore file. Refer to 9.3, How do I generate a self-signed SSL certificate, to get the keystore file.

2. To generate the CSR from the keystore file:

   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:


   keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.

   c. Send the CSR to the vendor of the SSL certificate.

Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:

   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore

   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore

   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends providing the following parameter in the Tomcat startup arguments:

-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.

2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.

3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:

- MSSQL database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql

- Oracle database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:

- MSSQL database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql

- Oracle database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.


10 Resources

Below is the list of documents included, with their locations.

Document -- Description

Policy Server [Version]\Installation Docs

- Lite Server Installation Guide.txt -- Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements

- Configuring SSO Using WebSEAL Junction.txt -- Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server

- Connecting to AD over SSL.txt -- Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)

- SIM repository Configuration.pdf -- Steps to configure the SIM Repository in Policy Server

- Import Self-signed Certificate in Java.txt -- Steps to import a self-signed certificate into the Java Certificate Trust Store

- Tweaking Tomcat JVM Memory.txt -- Steps to configure the JVM memory of Tomcat

- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf -- Steps to configure RemoteIpValve in different server environment setups

- Thales HSM Configuration Guide.txt -- Steps to configure Thales HSM for Policy Server

- Google Authentication Configuration Guide.pdf -- Steps to configure Google authentication in Policy Server

- Azure Authentication Configuration Guide.pdf -- Steps to configure Azure authentication in Policy Server

- Seclore License Portal – User Manual.pdf -- Steps to generate a valid PolicyServer.consent file

- Seclore MDK Configuration Guide.txt -- Steps to configure Seclore MDK in Policy Server

- SSL 3.0 Configuration.txt -- Steps to enable/disable SSL 3.0

- GDPR Implementation Guide.pdf -- Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

- Windows Integrated Auth MSSQL.pdf -- Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

- Outlook on the Web Add-in Configuration Guide.pdf -- Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References

- Creating Database Schema.pdf -- Steps to configure the database and execute the database script for Policy Server

- Open JDK 11 Installation Guide.pdf -- Steps to install Open JDK 11 for Policy Server

- Tomcat 9 Installation Guide.pdf -- Steps to install Apache Tomcat 9 for Policy Server

- Seclore Supported Timezones.pdf -- List of timezones that can be configured in the Tomcat Java options

- TCP Socket Timeout Configuration.txt -- Steps to configure tcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.

Page 7: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.


3. Update the index.jsp page to enable any one of the following options:

   Display a blank page with a security message:

   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.

   Display a blank page with a security message and the Policy Server redirect URL:

   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.

   Redirect to Policy Server:

   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.

4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:

   - docs
   - examples
   - host-manager
   - manager

2.6.4 Copying Common Libraries

Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.

2.6.5 Configuring server.xml in Apache Tomcat

The server.xml file is in the <TOMCAT_HOME>\conf folder.

1. Comment out the <Connector> tags with port attributes 8080 and 8009 by enclosing these tags within <!-- --> if these ports are not used by any other application:

<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.

Note:

- The keyAlias value is the name of the alias that you entered while creating the keystore entry.

- disableUploadTimeout is false to allow uploading larger files through the Lite Server application.

- Check that the port specified in the connector tag below is not used by any other application.


Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).

3. Add the configuration for the AJP connector.

Note:

- The AJP connector is needed if Apache is in front of the Policy Server.

- In an ideal scenario only one connector configuration should be present and the other connector configurations removed.

- In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.

- The address attribute value should be the IP of the Tomcat server that is configured in Apache for ProxyPass.

- The requiredSecret attribute value should be the same as that configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer member.

<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
    redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
    acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
    useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>

<Connector port="8009" protocol="AJP/1.3"
    packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
    maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
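As an added example (not Seclore's own tooling), the following script audits a Tomcat server.xml against the connector settings required by this section and by the 16KB header note in section 3.3: maxHttpHeaderSize/packetSize of 16384, a bound AJP address with a real requiredSecret, matching AJP timeouts, no leftover keystore placeholders, and no active plain-HTTP connector. The placeholder strings are the guide's own; the sample server.xml embedded in the script is constructed for the demonstration.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED_HEADER_SIZE = "16384"
# Placeholder strings the guide itself uses; any of them left in a live
# server.xml means that configuration step was not completed.
PLACEHOLDERS = {
    "PASSWORD",
    "YOUR_AJP_SECRET",
    "NAME_OF_KEYSTORE_ALIAS",
    "ABSOLUTE PATH OF THE KEY STORE FILE",
}


def _unset_or_placeholder(value):
    return value is None or value.strip() == "" or value.strip() in PLACEHOLDERS


def audit_connector(conn):
    """Return a list of findings (strings) for one active <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    protocol = conn.get("protocol", "HTTP/1.1")

    if "AJP" in protocol.upper():
        # Section 3.3: AJP needs packetSize="16384" to carry 16KB headers.
        if conn.get("packetSize") != REQUIRED_HEADER_SIZE:
            findings.append(f"port {port}: AJP packetSize must be {REQUIRED_HEADER_SIZE}")
        # Section 2.6.5 step 3: bind to the Tomcat IP that Apache proxies to ...
        if _unset_or_placeholder(conn.get("address")):
            findings.append(f"port {port}: AJP address must be the Tomcat server IP")
        # ... and share a real secret with the Apache balancer member. The guide
        # uses requiredSecret; later Tomcat 9 releases also accept 'secret'.
        secret = conn.get("requiredSecret") or conn.get("secret")
        if _unset_or_placeholder(secret):
            findings.append(f"port {port}: AJP requiredSecret missing or still a placeholder")
        # Both timeouts must agree, because the Apache balancer TTL matches them.
        if conn.get("connectionTimeout") != conn.get("keepAliveTimeout"):
            findings.append(f"port {port}: AJP connectionTimeout and keepAliveTimeout differ")
        return findings

    # HTTP or HTTPS connector (the section 3.3 header size applies to both).
    if conn.get("maxHttpHeaderSize") != REQUIRED_HEADER_SIZE:
        findings.append(f"port {port}: maxHttpHeaderSize must be {REQUIRED_HEADER_SIZE}")
    if conn.get("SSLEnabled", "false").lower() != "true":
        # Section 2.6.5 step 1: the plain 8080 connector stays commented out
        # unless another application needs it.
        findings.append(f"port {port}: non-TLS HTTP connector is active")
        return findings
    for attr in ("keystoreFile", "keyAlias", "keystorePass"):
        if _unset_or_placeholder(conn.get(attr)):
            findings.append(f"port {port}: {attr} missing or still a placeholder")
    protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
    if "SSLv3" in protocols:
        findings.append(f"port {port}: SSLv3 is enabled (see SSL 3.0 Configuration.txt)")
    return findings


def audit_server_xml(xml_text):
    """Audit every active connector. Commented-out connectors never reach the
    parser's element tree, which is exactly how Tomcat treats them."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


def ajp_balancer_ttl(xml_text):
    """Seconds to put in the Apache BalancerMember ttl so it matches the AJP
    connectionTimeout (1200000 ms -> 1200); None without an AJP connector."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "AJP" in conn.get("protocol", "").upper():
            timeout = conn.get("connectionTimeout")
            return int(timeout) // 1000 if timeout else None
    return None


# Constructed sample in the shape the guide describes: 8080 is commented out,
# the HTTPS connector still holds the PASSWORD placeholder, and the AJP
# connector lacks packetSize, has a placeholder secret and mismatched timeouts.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:/Seclore/acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8"
               connectionTimeout="1200000" keepAliveTimeout="600000"
               address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for line in audit_server_xml(text) or ["no deviations from the guide found"]:
        print(line)
```

Run it as python audit_server_xml.py <TOMCAT_HOME>\conf\server.xml (the script name is arbitrary); without an argument it audits the embedded sample and reports its four deviations.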


4. Add the configuration for Policy Server within the <Host…> tag.

Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For an MSSQL Database Server:

Note: Refer to 9.5, How do I configure Windows Integrated Authentication for MSSQL, to enable Windows authentication for the MSSQL Database Server.

For an ORACLE Database Server:

Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.

The two <Context> configurations (MSSQL and Oracle) are reproduced earlier on this page, just before section 2.7.

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=commicrosoftsqlserverjdbcSQLServerDriver url=jdbcsqlserverDBSERVERNAMEPORTdatabaseName=DATABASENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select GETDATE()gt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=oraclejdbcdriverOracleDriver url=jdbcoraclethinDBSERVERNAMEPORTSERVICENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select from dualgt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

10

5 Add the configuration for RemoteIpValve inside the ltContexthellipgt tag

Note Refer to Policy Server[Version]Installation DocsSupplementsTomcat Valve Configuration for

Resolving Client IP Addressespdf for configuring RemoteValve in different server setups

27 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server

1 Open the vhost file where Policy Serverrsquos proxypass is configured

2 Add following lines of code in it

3 Restart Apache server

3 Setting Up and Configuring Policy Server The Policy Server installation shipped in the PolicyServerzip requires some configuration settings Extract the contents

of the zipped folder from the Policy Server[Version]Web App folder to another folder You can name the new folder as

ltPOLICYSERVER_HOMEgt For example DSeclorePolicy ServIer

Follow the steps mentioned below to configure the Policy Server

31 Adding Deployment Specific Buffer Files

Deployment specific PDF buffer files are required if Seclore Lite Online is installed Copy the customer specific PDF

buffer files in the ltPOLICYSERVER_HOMEgtcustombufferfiles folder If the deployment if for a demo or POC

purpose and a default buffer file is needed then the buffer files can be copied from Policy

Server[Version]Installation Docs

32 License File

Place the Policy Server license file (PolicyServerlic) in the ltPOLICYSERVER_HOMEgtconfig folder

33 Consent File

Place the Policy Server Consent file (PolicyServerconsent) in the ltPOLICYSERVER_HOMEgtconfig folder

Note Http Header size is changed from default 8KB to 16KB This setting will be applicable for all apps running on that Tomcat If Tomcat is running on httphttps port

- Add lsquomaxHttpHeaderSizersquo attribute with value ldquo16384 to configured connector in ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8080 maxHttpHeaderSize=16384 protocol=HTTP11 gt

If Tomcat is running on AJP port - Add lsquopacketSizersquo attribute with value ldquo16384 to configured connector in

ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8009 protocol=AJP13 packetSize=16384 gt

When Tomcat is running behind Apache server Apache server will also need to be configured to accept 16KB header size requests

If TomcatApache is behind any Load Balancer (LB) please make sure it is configured

to accept 16KB header size requests

ltIf HTTP_ACCEPT =~ jsongt ProxyErrorOverride Off ltIfgt ltIf HTTP_ACCEPT =~ xmlgt ProxyErrorOverride Off ltIfgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

11

34 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key) Refer to Configure BYOK (Bring Your Own Key) in Policy Server Run the

Apache Tomcat 90 service to start the Policy Server

35 Provide Configuration Details

1 Access the POLICY_SERVER_APPLICATION_URLsysadmin

2 Log in using system administrator credentials The Manage Server Configuration page appears

3 Enter information such as Organization Name Application Name Application URL etc

4 Click Save

5 Restart Tomcat service

Note For any changes in the configuration you can access the Manage Server Configuration page from More gtgt

Configuration gtgt Manager Server Configuration on system administrator login

36 Seclore Online Help

Seclore Online Help are updated regularly to provide the latest information about Seclore components and their

functionalities

To configure Seclore Online Help

1 Get the latest Help Manuals from Seclore

2 Extract PolicyServerzip from this folder The extracted folder has the following structure

3 Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER

4 Overwrite existing files and folders if prompted

Note

o Refer READMEtxt file provided with help manuals Detailed instructions for deploying help manuals are

mentioned in this file

o If the Online Help is not configured an error page will be displayed to the user on clicking the Help icon in

the Policy Server

4 Configure BYOK (Bring Your Own Key) in Policy Server Policy Server supports the following key management systems

o Seclore MDK (Default) To configure Seclore MDK in Policy Server refer to Policy Server

[Version]Installation DocsSupplementsSeclore MDK Configuration Guidetxt

o Thales Hardware Security Module (Thales HSM) To configure Thales HSM in Policy Server refer to

Policy Server [Version]Installation DocsSupplementsThales HSM Configuration Guidetxt

By default Seclore MDK is configured It is recommended to use Seclore MDK However you can disable it

Perform Following steps to disable the BYOK

PolicyServer portal pages

help

en

aportal

aum

eum

hag

sag

es

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

12

1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml

a Remove the entire ltmdk-configgt tag

b Only an empty ltmdk-configsgt tag should be present

Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot

be altered

5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th

of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption

Stats feature in Policy Server

Note This feature requires a valid consent file to be available

For Production deployment Adoption Stats will not be sent if valid consent file is not available

For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent

6 Post Installation Configurations Policy Server homepage can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo

For example ldquohttpsirmacmegroupcompolicyserverrdquo

System Admin login can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo

For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo

A System Administrator can provide configuration details configure repositories create Organization Unit

Admin (OU admin) Manage Enterprise Application etc

7 Configuring Other Components

71 Lite Server

Refer the installation guide in the Policy Server [Version]Installation DocsSupplementsLite Server Installation

Guidetxt folder for the Lite Server Application deployment

8 Uploading Customized Seclore Client Installers in Policy Server 1 Access the POLICY_SERVER_APPLICATION_URLsysadmin URL

2 Log in using System Admin credentials

3 Navigate to More gtgt Configuration gtgt Installer and Patch Management

4 Upload the installers of all the clients

5 After successful upload view the installer details in the Uploaded Installer and Patches section

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt lt-- Configure External Encryption Mechanism here --gt ltmdk-configgt ltadaptor-classgtcomsecloremdkadaptorcoreSecloreA2MDKAdaptorltadaptor-classgt ltmdk-configgt ltmdk-configsgt

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt ltmdk-configsgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

13

6 To verify the uploaded installer file click the download icon or installer file name

9 Frequently Asked Questions

91 How do I acquire the Policy Server License To acquire the license

1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk

for example DSecloreLicense Utility

2 Run the UserInfoexe file on the machine where the policy server needs to be installed

The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the

supportseclorecom to get the license file

9.2 How do I set up the logger?

Logging for the Policy Server can be set in 4 different modes:

- Off: logs nothing.
- Error: logs only errors.
- Info: logs errors and the major milestones, such as connection to the database or connection to AD.
- Debug: logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines the following loggers:

- REQUEST: logs all the requests sent by different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: logs the steps taken while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level attribute of the following properties to set the logging mode of each logger:

    <AsyncLogger name="REQUEST" level="debug" additivity="false"/>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"/>
    <AsyncLogger name="SYNC" level="debug" additivity="false"/>

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.

2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.

Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command.

Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore

At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt pointed to while running the keytool command. For example, in the sample screens above the keystore file is generated at D:\Seclore.

Note: This keystore file is referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and import the certificates:

1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate?" to get the keystore file.

2. To generate the CSR from the keystore file:

   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.

   c. Send the CSR to the vendor of the SSL certificate.

Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:

   For the root certificate:

      keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore

   For the intermediate certificate:

      keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore

   For the domain certificate:

      keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect to the Active Directory Domain Controller. Different parameters can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:

    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection that has been in the pool for more than 10 minutes (600000 milliseconds), which is shorter than the 15-minute timeout on the Domain Controller side. You can configure other parameters as well, according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.

2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.

3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair, for example:

    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:

- MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
- Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:

- MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
- Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.


10 Resources

Below is the list of documents included, with their locations.

Policy Server [Version]\Installation Docs

- Lite Server Installation Guide.txt: Steps for Lite Server installation.

Policy Server [Version]\Installation Docs\Supplements

- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server.
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL).
- SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server.
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java certificate trust store.
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat.
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIPValve in different server environment setups.
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server.
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server.
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server.
- Seclore License Portal - User Manual.pdf: Steps to generate a valid PolicyServer.consent file.
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server.
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0.
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server.

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL.

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server.

Policy Server [Version]\Installation Docs\References

- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server.
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server.
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server.
- Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options.
- TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay.


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.


Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).

HTTPS connector configuration:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
               keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
               redirectPort="-1" maxHttpHeaderSize="16384"
               disableUploadTimeout="false" connectionUploadTimeout="3600000"
               acceptCount="100" acceptorThreadCount="2" maxThreads="15000"
               maxConnections="-1" useServerCipherSuitesOrder="true"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8"
               server="Seclore Server"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
    </Connector>

3. Add the configuration for the AJP connector.

Note:
- The AJP connector is needed if Apache is placed in front of the Policy Server.
- Ideally only one connector configuration should be present, with the other connector configurations removed.
- In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
- The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
- The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer manager.

    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" URIEncoding="UTF-8"
               connectionTimeout="1200000" keepAliveTimeout="1200000"
               maxConnections="-1" maxThreads="15000" address="127.0.0.1"
               requiredSecret="YOUR_AJP_SECRET" />


4. Add the configuration for the Policy Server within the <Host...> tag.

Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For MSSQL Database Server:

Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL?" to enable Windows authentication for the MSSQL Database Server.

    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
               disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                  driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
                  url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
                  username="USERNAME" password="PASSWORD"
                  maxWaitMillis="5000" maxTotal="30000"
                  removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
                  logAbandoned="true" testOnBorrow="true"
                  validationQuery="select GETDATE()"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>

For ORACLE Database Server:

Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.

    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
               disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                  driverClassName="oracle.jdbc.driver.OracleDriver"
                  url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
                  username="USERNAME" password="PASSWORD"
                  maxWaitMillis="5000" maxTotal="30000"
                  removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
                  logAbandoned="true" testOnBorrow="true"
                  validationQuery="select * from dual"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>


5. Add the configuration for RemoteIpValve inside the <Context...> tag.

Note: Refer to Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.

Note: The HTTP header size is changed from the default 8KB to 16KB. This setting applies to all apps running on that Tomcat.
- If Tomcat is running on the HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" .../>
- If Tomcat is running on the AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" .../>
- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept requests with 16KB header size.
- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept requests with 16KB header size.

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.

2. Add the following lines in it:

    <If "%{HTTP_ACCEPT} =~ /json/">
        ProxyErrorOverride Off
    </If>
    <If "%{HTTP_ACCEPT} =~ /xml/">
        ProxyErrorOverride Off
    </If>

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server[Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server[Version]\Installation Docs.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
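The connector and header-size settings described in 2.6.5 above can be checked mechanically before Tomcat is started. The following Python script is an added example, not part of the Seclore guide or its tooling; SAMPLE_SERVER_XML is a constructed server.xml in which two placeholder values have deliberately been left in, and the attribute names it reads are the ones shown in the connector and Context snippets above.

```python
"""Audit a Tomcat server.xml for the Policy Server settings the guide asks for:
16KB header limit on the HTTP(S) connector, matching packetSize on AJP, AJP
bound to the proxied address with a real requiredSecret, equal
connectionTimeout/keepAliveTimeout (so the Apache ttl can match both), SSLv3
not enabled, and no placeholder credentials left in the connectors or the JDBC
Resource. Added example, not Seclore's own tooling."""
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): the guide's connectors and Context,
# with the AJP secret and the database password still set to placeholders.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:\\Seclore\\acmegroup.keystore" keyAlias="tomcat"
               keystorePass="k3ystore-pass" maxHttpHeaderSize="16384"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384"
               connectionTimeout="1200000" keepAliveTimeout="1200000"
               address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/policyserver" docBase="D:\\Seclore\\Policy Server">
          <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                    username="psuser" password="PASSWORD"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Placeholder strings used in the guide's snippets; any of these left in a live
# server.xml means the step was not completed.
PLACEHOLDERS = {"", "PASSWORD", "USERNAME", "YOUR_AJP_SECRET",
                "NAME_OF_KEYSTORE_ALIAS", "ABSOLUTE PATH OF THE KEY STORE FILE"}
HEADER_LIMIT = "16384"  # the guide raises the header limit from 8KB to 16KB


def _check_ajp(a, findings):
    port = a.get("port", "?")
    if a.get("packetSize") != HEADER_LIMIT:
        findings.append(f"AJP {port}: packetSize must be {HEADER_LIMIT} to match the 16KB header limit")
    if a.get("requiredSecret", "") in PLACEHOLDERS:
        findings.append(f"AJP {port}: requiredSecret missing or placeholder; must match the Apache balancer secret")
    if a.get("address") in (None, "0.0.0.0", "::"):
        findings.append(f"AJP {port}: address should be the Tomcat IP that Apache proxies to, not all interfaces")
    if a.get("connectionTimeout") != a.get("keepAliveTimeout"):
        findings.append(f"AJP {port}: connectionTimeout and keepAliveTimeout differ; Apache ttl must match both")


def _check_http(a, findings):
    port = a.get("port", "?")
    if a.get("maxHttpHeaderSize") != HEADER_LIMIT:
        findings.append(f"HTTP {port}: maxHttpHeaderSize must be {HEADER_LIMIT}")
    if a.get("SSLEnabled") == "true":
        protocols = {p.strip() for p in a.get("sslEnabledProtocols", "").split(",")}
        if "SSLv3" in protocols:
            findings.append(f"HTTPS {port}: SSLv3 is enabled; the guide allows it only for IE6-era clients")
        for attr in ("keystoreFile", "keyAlias", "keystorePass"):
            if a.get(attr, "") in PLACEHOLDERS:
                findings.append(f"HTTPS {port}: {attr} is missing or still a placeholder")


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means nothing left to fix."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            _check_ajp(conn.attrib, findings)
        else:
            _check_http(conn.attrib, findings)
    for res in root.iter("Resource"):
        # A password attribute may legitimately be absent when Windows Integrated
        # Authentication (FAQ 9.5) is used, so only flag a present placeholder.
        pw = res.get("password")
        if pw is not None and pw in PLACEHOLDERS:
            findings.append(f"Resource {res.get('name')}: database password is still a placeholder")
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML) or ["no findings"]:
        print(line)
```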


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to "Configure BYOK (Bring Your Own Key) in Policy Server". Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.

2. Log in using the system administrator credentials. The Manage Server Configuration page appears.

3. Enter information such as Organization Name, Application Name, Application URL, etc.

4. Click Save.

5. Restart the Tomcat service.

Note: For any later changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

The Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.

2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

    PolicyServer portal pages
        help
            en
                aportal
                aum
                eum
                hag
                sag
            es

3. Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.

4. Overwrite existing files and folders if prompted.

Note:
- Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
- If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

- Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
- Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.

By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.

Perform the following steps to disable BYOK:


1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.

   a. Remove the entire <mdk-config> tag.

   b. Only an empty <mdk-configs> tag should be present.

MDKConfig.xml with Seclore MDK configured (the default):

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
        <!-- Configure External Encryption Mechanism here -->
        <mdk-config>
            <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
        </mdk-config>
    </mdk-configs>

MDKConfig.xml with BYOK disabled:

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
    </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to "How do I configure the Adoption Stats feature in Policy Server?".

Note: This feature requires a valid consent file to be available.
- For Production deployments, Adoption Stats are not sent if a valid consent file is not available.
- For POC/Demo/UAT deployments, Adoption Stats are not sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide in the Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt file for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.

2. Log in using the System Admin credentials.

3. Navigate to More >> Configuration >> Installer and Patch Management.

4. Upload the installers of all the clients.

5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.

6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

91 How do I acquire the Policy Server License To acquire the license

1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk

for example DSecloreLicense Utility

2 Run the UserInfoexe file on the machine where the policy server needs to be installed

The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the

supportseclorecom to get the license file

92 How do setup logger Logging for the Policy Server can be set in 4 different modes

Off Logs nothing

Error Logs only errors

Info Logs error and the major milestones like connection to database or connection to AD

Debug Logs each processing of the server in detail

To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file

REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog

DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog

SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog

Modify the following properties for different logger for different logging type

93 How do I generate self-signed SSL certificate To create the certificate file

1 Open command prompt

2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example

DSeclore

Note

Note down the alias name and password These details are required while configuring the SSL key in

the serverxml file

For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example

wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example

yourdomaincom

Keystore password and key password for alias name are required for smooth functioning of the

Policy Server application

3 Enter the following command

Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before

executing the command

o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -

keystore acmegroupkeystore

ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt

ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt

ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

14

At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed

by the command prompt while running the keytool command For example in the sample screens above the keystore

file is generated at DSeclore

Note This keystore file will be later referred in Tomcat serverxml configuration

94 How do I get a CA signed SSL certificate Note The words root inter tomcat and acmegroupkeystore are placeholders Replace them with appropriate

values before executing commands

To generate CSR (Certificate Signing Request) request and to import certificate

1 Generate keystore file Refer to How do I generate self-signed SSL certificate to get keystore file

2 To generate CSR from keystore file

a Use keytool to create the Certificate Signing Request (CSR) from your Keystore Enter the

following command in the command prompt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

15

keytool -certreq -alias tomcat -file csrtxt -keystore acmegroupkeystore

b Type the keystore password set earlier and press EnterCSR file named csrtxt is now created in

current user directory

c Send the CSR to the vendor of the SSL certificate

Note Save the keystore file (eg acmegroupkeystore) as your certificates will be installed to it later

3 After receiving the certificates from the vendor import them into keystore

For Root Certificate keytool -import -trustcacerts -alias root -file rootcrt -keystore acmegroupkeystore

For Intermediate Certificate keytool -import -trustcacerts -alias inter -file intercrt -keystore

acmegroupkeystore

For Domain Certificate keytool -import -trustcacerts -alias tomcat -file mydomaincrt -keystore

acmegroupkeystore

95 How do I configure Windows Integrated Authentication for MSSQL To configure windows integrated authentication for MSSQL with JDBC driver follow the steps provided in the Policy

Server[Version]Installation DocsSupplementsWindows Authentication for databaseWindows Integrated

Authentication for MSSQLpdf file

96 What is JNDI Connection Pooling Policy Server uses JNDI connection pool to connect with Active Directory Domain controller There are different

parameters that can be configured for the connection pool Visit the following URL for details about the

connection pool parameters httpdownloadoraclecomjavasejnditutorialldapconnectconfightml

The default connection timeout at Active Directory Domain controller end is 15 minutes Seclore recommends

following parameter to be provided with Tomcat startup arguments

-Dcomsunjndildapconnectpooltimeout=600000

This parameter indicates the pool to release the connection if it has been in the pool for more than 10 minutes

(600000 miliseconds) You can configure other parameters also according to the requirement of the deployment

To configure the startup parameter in Tomcat Server

1 The syntax to configure the parameter is -Dparam_name=param_value

2 Start the Tomcat8wexe from ltTOMCAT_HOMEgtbin directory

3 Go to the Java tab and in the Java Options field append the parameter name value pair For example

-Dcomsunjndildapconnectpooltimeout=600000

97 How do I configure Adoption Stats feature in Policy Server To disable or enable Adoption Stats feature execute the respective script in the database

For Disabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL disable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle disable adoption statssql

For Enabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL enable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle enable adoption statssql

98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server

[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo

file

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

16

10 Resources Below is the list of documents included with location

Document Description

Policy Server [Version]Installation Docs

Lite Server Installation Guidetxt Steps for Lite Server installation

Policy Server [Version]Installation DocsSupplements

Configuring SSO Using WebSEAL Junctiontxt Guidelines on configuring SSO in Policy Server using the

IBM Tivoli Access Manager WebSEAL SSO server

Connecting to AD over SSLtxt Steps to import SSL certificate in JVM for connection to

Active Directory (over SSL)

SIM repository Configurationpdf Steps to configure SIM Repository in Policy Server

Import Self-signed Certificate in Javatxt Steps to import self-signed certificate in Java Certificate

Trust Store

Tweaking Tomcat JVM Memorytxt Steps to configure JVM memory of the Tomcat

Tomcat Valve Configuration for Resolving Client

IP Adressespdf

Steps to configure RemoteIPValve in different server

environment setups

Thales HSM Configuration Guidetxt Steps to configure Thales HSM Policy Server

Google Authentication Configuration Guidepdf Steps to configure Google authentication in Policy Server

Azure Authentication Configuration Guidepdf Steps to configure Azure authentication in Policy Server

Seclore License Portal ndash User Manualpdf Steps to generate a valid PolicyServerconsent file

Seclore MDK Configuration Guidetxt Steps to configure Seclore MDK in Policy Server

SSL 30 Configurationtxt Steps to enabledisable SSL 30

GDPR Implementation Guidepdf Steps to implement GDPR in Policy Server

Policy Server [Version]Installation DocsSupplementsWindows Authentication for Database

Windows Integrated Auth MSSQLpdf Steps to configure Windows integrated authentication

for MSSQL

Policy Server [Version]Installation DocsSupplementsOutlook on the web Add-in Configuration

Outlook on the Web Add-in Configuration

Guidepdf

Steps to install and configure Outlook on the web Add-in

Policy Server

Policy Server [Version]Installation DocsReferences

Creating Database Schemapdf Steps to configure database and execute database script

for Policy Server

Open JDK 11 Installation Guidepdf Steps to install Open JDK 11 for Policy Server

Tomcat 9 Installation Guidepdf Steps to install Apache Tomcat 9 for Policy Server

Seclore Supported Timezonespdf List of timezones that can be configured in Tomcat Java

options

TCP Socket Timeout Configurationtxt Steps to configure tcpTimedWaitDelay

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

17

This document is meant for training and informational purposes only and should not be distributed without permission The information in this

document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage

arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and

trademarks are the properties of their respective owners

Page 9: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

9

4 Add the configuration for Policy Server within the ltHosthellipgt tag

Note docBase attribute should point to the Policy Server home folder For example DSeclorePolicy

Server

For MSSQL Database Server

Note Refer How toConfigure Windows Integrated Authentication for MSSQL to enable Windows

authentication for MSSQL Database Server

For ORACLE Database Server

Note Refer Policy Server [Version]ToolsTomcatDatabase Credentials EncryptionDatabase

Credentials Encryption Guidetxt to configure encrypted username and password for the database

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=commicrosoftsqlserverjdbcSQLServerDriver url=jdbcsqlserverDBSERVERNAMEPORTdatabaseName=DATABASENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select GETDATE()gt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=oraclejdbcdriverOracleDriver url=jdbcoraclethinDBSERVERNAMEPORTSERVICENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select from dualgt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

10

5. Add the configuration for RemoteIpValve inside the <Context ...> tag.

Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.

2.7 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server:

1. Open the vhost file where the Policy Server's ProxyPass is configured.

2. Add the following lines to it:

    <If "%{HTTP_ACCEPT} =~ /json/">
        ProxyErrorOverride Off
    </If>
    <If "%{HTTP_ACCEPT} =~ /xml/">
        ProxyErrorOverride Off
    </If>

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server

The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.

Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files

Deployment specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer specific PDF buffer files to the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.

3.2 License File

Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File

Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.

- If Tomcat is running on an HTTP/HTTPS port, add the maxHttpHeaderSize attribute with value 16384 to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g.:

    <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" />

- If Tomcat is running on an AJP port, add the packetSize attribute with value 16384 to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g.:

    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" />

- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept 16 KB header size requests.

- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept 16 KB header size requests.
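A small audit of the Tomcat settings this guide asks for, as an added example that is not Seclore's own code: it checks a <Context> shaped like the template in 2.6.5 (RemoteIpValve present, connection validation on, template placeholders replaced) and the server.xml connectors for the 16 KB header size from the note in 3.3. The sample XML is constructed; hostnames and credentials in it are invented, and the AJP secret check reflects Tomcat 9.0.31+ behaviour, which the guide does not mention.

```python
"""Audit the Tomcat settings this guide asks for (sections 2.6.5 and 3.3).

Added example, not Seclore's own code. The sample documents are constructed;
hostnames and credentials in them are invented. The AJP secret check reflects
Tomcat 9.0.31+ behaviour, which is not part of the guide.
"""
import xml.etree.ElementTree as ET

MIN_HEADER_BYTES = 16384  # 16 KB, as the note in section 3.3 requires
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
PLACEHOLDERS = ("DBSERVERNAME", "DATABASENAME", "SERVICENAME", "USERNAME", "PASSWORD")


def audit_context(context_xml: str) -> list:
    """Check the policyserver <Context> for the valve and pool settings of 2.6.5."""
    findings = []
    root = ET.fromstring(context_xml)
    if REMOTE_IP_VALVE not in {v.get("className") for v in root.findall("Valve")}:
        findings.append("context: RemoteIpValve missing; behind a proxy every request "
                        "would be logged with the proxy's address")
    res = root.find("Resource[@name='jdbc/filesecure']")
    if res is None:
        findings.append("context: Resource jdbc/filesecure missing")
        return findings
    if res.get("testOnBorrow") != "true" or not res.get("validationQuery"):
        findings.append("context: pooled connections are not validated before use "
                        "(testOnBorrow/validationQuery)")
    if res.get("removeAbandonedOnBorrow") != "true":
        findings.append("context: abandoned connections are never reclaimed "
                        "(removeAbandonedOnBorrow)")
    for attr in ("url", "username", "password"):
        if any(p in res.get(attr, "") for p in PLACEHOLDERS):
            findings.append(f"context: {attr} still holds a template placeholder")
    return findings


def audit_connectors(server_xml: str) -> list:
    """Check every <Connector> for the 16 KB header/packet size and an AJP secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            size_attr = "packetSize"
            # Tomcat 9.0.31+ refuses to start an AJP connector without a shared
            # secret unless secretRequired="false" is set explicitly.
            if not conn.get("secret") and conn.get("secretRequired") != "false":
                findings.append(f"connector {port}: AJP connector has no secret")
        else:
            size_attr = "maxHttpHeaderSize"
        size = conn.get(size_attr, "8192")  # Tomcat's default for both attributes
        if not size.isdigit() or int(size) < MIN_HEADER_BYTES:
            findings.append(f"connector {port}: {size_attr}={size} is below {MIN_HEADER_BYTES}")
    return findings


# Constructed sample: the guide's template with placeholders left in and the
# RemoteIpValve from step 5 not yet added.
WEAK_CONTEXT = """<Context path="/policyserver" docBase="D:\\Seclore\\Policy Server">
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true" securePagesWithPragma="false"/>
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
            username="USERNAME" password="PASSWORD" maxWaitMillis="5000" maxTotal="30000"/>
</Context>"""

# Constructed sample: the same context filled in. Tomcat substitutes ${...}
# from Java system properties, so the password need not sit in the file.
HARDENED_CONTEXT = """<Context path="/policyserver" docBase="D:\\Seclore\\Policy Server">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true" securePagesWithPragma="false"/>
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://db01.example.internal:1433;databaseName=policyserver"
            username="svc_policyserver" password="${filesecure.db.password}"
            maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true"
            removeAbandonedTimeout="300" logAbandoned="true" testOnBorrow="true"
            validationQuery="select GETDATE()"/>
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Constructed server.xml connectors: Tomcat defaults, then the guide's 16 KB sizes.
WEAK_SERVER = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service>"""
HARDENED_SERVER = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="16384" connectionTimeout="20000"/>
  <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1"
             secret="${ajp.secret}"/>
</Service>"""
```

Run audit_context and audit_connectors on the real <POLICYSERVER_HOME> context file and <TOMCAT-HOME>\conf\server.xml; an empty list means the checks passed.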


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key). Refer to Configure BYOK (Bring Your Own Key) in Policy Server. Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.

2. Log in using system administrator credentials. The Manage Server Configuration page appears.

3. Enter information such as Organization Name, Application Name, Application URL, etc.

4. Click Save.

5. Restart the Tomcat service.

Note: For any changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration on system administrator login.

3.6 Seclore Online Help

Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.

2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

    PolicyServer (portal pages)
        help
            en
                aportal
                aum
                eum
                hag
                sag
            es

3. Copy the contents of the PolicyServer folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.

4. Overwrite existing files and folders if prompted.

Note:

o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.

o If the Online Help is not configured, an error page will be displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.

o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.

By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.

Perform the following steps to disable BYOK:


1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml. As shipped, it contains:

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
        <!-- Configure External Encryption Mechanism here -->
        <mdk-config>
            <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
        </mdk-config>
    </mdk-configs>

   a. Remove the entire <mdk-config> tag.

   b. Only an empty <mdk-configs> tag should be present:

    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
    </mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to How do I configure the Adoption Stats feature in Policy Server.

Note: This feature requires a valid consent file to be available.

- For a Production deployment, Adoption Stats will not be sent if a valid consent file is not available.

- For a POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".

The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide in Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server Application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.

2. Log in using System Admin credentials.

3. Navigate to More >> Configuration >> Installer and Patch Management.

4. Upload the installers of all the clients.

5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.


6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.

2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.

The above step will generate an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set in 4 different modes:

Off: Logs nothing.

Error: Logs only errors.

Info: Logs errors and the major milestones, like connection to the database or connection to AD.

Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file.

REQUEST: Logs all the requests sent by different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log).

DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).

SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

Modify the level attribute of the following loggers for the logging type you need (the rest of each element stays as shipped):

    <AsyncLogger name="REQUEST" level="debug" additivity="false">
    <AsyncLogger name="DEBUG" level="debug" additivity="false">
    <AsyncLogger name="SYNC" level="debug" additivity="false">

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.

2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.

Note:

o Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.

o For First and last name, enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.

o The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command:

Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore


At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command. For example, in the sample screens above, the keystore file is generated at D:\Seclore.

Note: This keystore file will later be referred to in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and import the certificate:

1. Generate the keystore file. Refer to How do I generate a self-signed SSL certificate to get the keystore file.

2. To generate the CSR from the keystore file:

   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:


    keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.

   c. Send the CSR to the vendor of the SSL certificate.

Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:

   For the Root Certificate:

    keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore

   For the Intermediate Certificate:

    keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore

   For the Domain Certificate:

    keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
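The keytool steps of 9.3 and 9.4 driven in order, as an added example that is not Seclore's own code: it keeps the guide's placeholder names (alias tomcat, acmegroup.keystore, csr.txt, root.crt, inter.crt, mydomain.crt), refuses to run a step before the one it depends on, and checks that the domain certificate is imported under the key pair's alias. It signs with SHA256withRSA rather than the SHA1WithRSA printed in the guide, since SHA-1 signatures are deprecated; by default it only records the commands, and execute=True runs the JDK's keytool, which then prompts for the passwords as in the guide.

```python
"""Run the keytool steps of sections 9.3 and 9.4 in the order the guide requires.

Added example, not Seclore's own code. Placeholder names follow the guide.
SHA256withRSA replaces the guide's SHA1WithRSA because SHA-1 signatures are
deprecated. With execute=False (default) commands are only recorded.
"""
import os
import shutil
import subprocess


class KeystorePlan:
    def __init__(self, keystore="acmegroup.keystore", alias="tomcat", execute=False):
        self.keystore, self.alias, self.execute = keystore, alias, execute
        self.state = "empty"  # empty -> keypair -> csr -> root -> inter -> domain
        self.commands = []    # every keytool command line, in order

    def _run(self, args, expect, next_state):
        if self.state != expect:
            raise RuntimeError(f"{args[0]} needs state '{expect}', keystore is '{self.state}'")
        cmd = ["keytool", *args, "-keystore", self.keystore]
        self.commands.append(cmd)
        if self.execute:
            if shutil.which("keytool") is None:
                raise RuntimeError("keytool not on PATH; install the JDK the guide names")
            subprocess.run(cmd, check=True)  # keytool prompts for the passwords
        self.state = next_state
        return cmd

    def genkeypair(self, fqdn, validity_days=36500):
        """Section 9.3 step 3: key pair plus self-signed certificate for the server name."""
        if fqdn.startswith("*") and not fqdn.startswith("*."):
            raise ValueError("a wildcard name must begin with '*.'")
        return self._run(["-genkeypair", "-alias", self.alias, "-keyalg", "RSA",
                          "-keysize", "2048", "-validity", str(validity_days),
                          "-sigalg", "SHA256withRSA", "-dname", f"CN={fqdn}"],
                         expect="empty", next_state="keypair")

    def certreq(self, csr_file="csr.txt"):
        """Section 9.4 step 2: CSR for the same alias, to be sent to the CA."""
        return self._run(["-certreq", "-alias", self.alias, "-file", csr_file],
                         expect="keypair", next_state="csr")

    def import_chain(self, root_crt="root.crt", inter_crt="inter.crt",
                     domain_crt="mydomain.crt"):
        """Section 9.4 step 3: root, then intermediate, then the domain certificate.

        The domain certificate must go under the key pair's alias so keytool
        replaces the self-signed certificate instead of adding a separate
        trusted-cert entry that Tomcat would never serve.
        """
        steps = [("root", root_crt, "csr", "root"),
                 ("inter", inter_crt, "root", "inter"),
                 (self.alias, domain_crt, "inter", "domain")]
        for alias, crt, expect, next_state in steps:
            if self.execute and not os.path.exists(crt):
                raise FileNotFoundError(f"{crt} from the CA is missing")
            self._run(["-importcert", "-trustcacerts", "-alias", alias, "-file", crt],
                      expect=expect, next_state=next_state)
        return self.commands[-3:]


if __name__ == "__main__":
    plan = KeystorePlan()
    plan.genkeypair("irm.acmegroup.com")  # host name from the guide's example URL
    plan.certreq()
    plan.import_chain()
    for cmd in plan.commands:
        print(" ".join(cmd))
```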

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends the following parameter to be provided with the Tomcat startup arguments:

    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter tells the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.

2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.

3. Go to the Java tab and in the Java Options field append the parameter name-value pair, for example:

    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
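A check for the Java Options step above, as an added example that is not Seclore's own code: it parses the Java Options field (one option per line, as the Tomcat service manager shows it) and confirms the pool timeout is present, numeric, and below the 15-minute domain controller idle timeout the guide names. The sample options text is constructed.

```python
"""Check the Tomcat Java Options for the LDAP pool timeout recommended in 9.6.

Added example, not Seclore's own code. The sample options text is constructed;
the 15-minute domain controller timeout and 600000 ms value come from the guide.
"""
DC_IDLE_TIMEOUT_MS = 15 * 60 * 1000
POOL_TIMEOUT_KEY = "com.sun.jndi.ldap.connect.pool.timeout"
RECOMMENDED_MS = 600000


def parse_java_options(text: str) -> dict:
    """Map each -Dname=value line to name -> value; other options map to None."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-D"):
            name, _, value = line[2:].partition("=")
            options[name] = value
        else:
            options[line] = None
    return options


def check_pool_timeout(text: str) -> str:
    """Return 'ok', or a message saying what to change in the Java Options."""
    options = parse_java_options(text)
    if POOL_TIMEOUT_KEY not in options:
        return f"missing: append -D{POOL_TIMEOUT_KEY}={RECOMMENDED_MS}"
    value = options[POOL_TIMEOUT_KEY]
    if not value.isdigit():
        return f"invalid: {POOL_TIMEOUT_KEY}={value!r} is not a number of milliseconds"
    if int(value) >= DC_IDLE_TIMEOUT_MS:
        # The pool has to give up idle connections before the domain controller
        # does; otherwise it can hand out a connection the DC already closed.
        return (f"too long: {value} ms is not below the domain controller's "
                f"{DC_IDLE_TIMEOUT_MS} ms idle timeout")
    return "ok"


# Constructed sample: typical Tomcat Java Options before and after the change.
BEFORE = """-Dcatalina.home=D:\\Tomcat9
-Djava.io.tmpdir=D:\\Tomcat9\\temp
-Xmx4096m"""
AFTER = BEFORE + f"\n-D{POOL_TIMEOUT_KEY}={RECOMMENDED_MS}"
```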

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:

o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql

o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:

o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql

o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.


10 Resources

Below is the list of documents included, with their location.

Document | Description

Policy Server [Version]\Installation Docs

  Lite Server Installation Guide.txt | Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements

  Configuring SSO Using WebSEAL Junction.txt | Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt | Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
  SIM repository Configuration.pdf | Steps to configure the SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt | Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt | Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf | Steps to configure RemoteIpValve in different server environment setups
  Thales HSM Configuration Guide.txt | Steps to configure Thales HSM in Policy Server
  Google Authentication Configuration Guide.pdf | Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf | Steps to configure Azure authentication in Policy Server
  Seclore License Portal – User Manual.pdf | Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt | Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt | Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf | Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

  Windows Integrated Auth MSSQL.pdf | Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

  Outlook on the Web Add-in Configuration Guide.pdf | Steps to install and configure the Outlook on the web Add-in in Policy Server

Policy Server [Version]\Installation Docs\References

  Creating Database Schema.pdf | Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf | Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf | Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf | List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt | Steps to configure tcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.

Page 10: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

10

5 Add the configuration for RemoteIpValve inside the ltContexthellipgt tag

Note Refer to Policy Server[Version]Installation DocsSupplementsTomcat Valve Configuration for

Resolving Client IP Addressespdf for configuring RemoteValve in different server setups

27 Disabling ProxyErrorOverride in Apache server

Perform the following steps if your Policy Server is deployed behind an Apache server

1 Open the vhost file where Policy Serverrsquos proxypass is configured

2 Add following lines of code in it

3 Restart Apache server

3 Setting Up and Configuring Policy Server The Policy Server installation shipped in the PolicyServerzip requires some configuration settings Extract the contents

of the zipped folder from the Policy Server[Version]Web App folder to another folder You can name the new folder as

ltPOLICYSERVER_HOMEgt For example DSeclorePolicy ServIer

Follow the steps mentioned below to configure the Policy Server

31 Adding Deployment Specific Buffer Files

Deployment specific PDF buffer files are required if Seclore Lite Online is installed Copy the customer specific PDF

buffer files in the ltPOLICYSERVER_HOMEgtcustombufferfiles folder If the deployment if for a demo or POC

purpose and a default buffer file is needed then the buffer files can be copied from Policy

Server[Version]Installation Docs

32 License File

Place the Policy Server license file (PolicyServerlic) in the ltPOLICYSERVER_HOMEgtconfig folder

33 Consent File

Place the Policy Server Consent file (PolicyServerconsent) in the ltPOLICYSERVER_HOMEgtconfig folder

Note Http Header size is changed from default 8KB to 16KB This setting will be applicable for all apps running on that Tomcat If Tomcat is running on httphttps port

- Add lsquomaxHttpHeaderSizersquo attribute with value ldquo16384 to configured connector in ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8080 maxHttpHeaderSize=16384 protocol=HTTP11 gt

If Tomcat is running on AJP port - Add lsquopacketSizersquo attribute with value ldquo16384 to configured connector in

ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8009 protocol=AJP13 packetSize=16384 gt

When Tomcat is running behind Apache server Apache server will also need to be configured to accept 16KB header size requests

If TomcatApache is behind any Load Balancer (LB) please make sure it is configured

to accept 16KB header size requests

ltIf HTTP_ACCEPT =~ jsongt ProxyErrorOverride Off ltIfgt ltIf HTTP_ACCEPT =~ xmlgt ProxyErrorOverride Off ltIfgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

11

34 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key) Refer to Configure BYOK (Bring Your Own Key) in Policy Server Run the

Apache Tomcat 90 service to start the Policy Server

35 Provide Configuration Details

1 Access the POLICY_SERVER_APPLICATION_URLsysadmin

2 Log in using system administrator credentials The Manage Server Configuration page appears

3 Enter information such as Organization Name Application Name Application URL etc

4 Click Save

5 Restart Tomcat service

Note For any changes in the configuration you can access the Manage Server Configuration page from More gtgt

Configuration gtgt Manager Server Configuration on system administrator login

36 Seclore Online Help

Seclore Online Help are updated regularly to provide the latest information about Seclore components and their

functionalities

To configure Seclore Online Help

1 Get the latest Help Manuals from Seclore

2 Extract PolicyServerzip from this folder The extracted folder has the following structure

3 Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER

4 Overwrite existing files and folders if prompted

Note

o Refer READMEtxt file provided with help manuals Detailed instructions for deploying help manuals are

mentioned in this file

o If the Online Help is not configured an error page will be displayed to the user on clicking the Help icon in

the Policy Server

4 Configure BYOK (Bring Your Own Key) in Policy Server Policy Server supports the following key management systems

o Seclore MDK (Default) To configure Seclore MDK in Policy Server refer to Policy Server

[Version]Installation DocsSupplementsSeclore MDK Configuration Guidetxt

o Thales Hardware Security Module (Thales HSM) To configure Thales HSM in Policy Server refer to

Policy Server [Version]Installation DocsSupplementsThales HSM Configuration Guidetxt

By default Seclore MDK is configured It is recommended to use Seclore MDK However you can disable it

Perform Following steps to disable the BYOK

PolicyServer portal pages

help

en

aportal

aum

eum

hag

sag

es

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

12

1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml

a Remove the entire ltmdk-configgt tag

b Only an empty ltmdk-configsgt tag should be present

Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot

be altered

5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th

of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption

Stats feature in Policy Server

Note This feature requires a valid consent file to be available

For Production deployment Adoption Stats will not be sent if valid consent file is not available

For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent

6 Post Installation Configurations Policy Server homepage can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo

For example ldquohttpsirmacmegroupcompolicyserverrdquo

System Admin login can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo

For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo

A System Administrator can provide configuration details configure repositories create Organization Unit

Admin (OU admin) Manage Enterprise Application etc

7 Configuring Other Components

71 Lite Server

Refer the installation guide in the Policy Server [Version]Installation DocsSupplementsLite Server Installation

Guidetxt folder for the Lite Server Application deployment

8 Uploading Customized Seclore Client Installers in Policy Server 1 Access the POLICY_SERVER_APPLICATION_URLsysadmin URL

2 Log in using System Admin credentials

3 Navigate to More gtgt Configuration gtgt Installer and Patch Management

4 Upload the installers of all the clients

5 After successful upload view the installer details in the Uploaded Installer and Patches section

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt lt-- Configure External Encryption Mechanism here --gt ltmdk-configgt ltadaptor-classgtcomsecloremdkadaptorcoreSecloreA2MDKAdaptorltadaptor-classgt ltmdk-configgt ltmdk-configsgt

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt ltmdk-configsgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

13

6 To verify the uploaded installer file click the download icon or installer file name

9 Frequently Asked Questions

91 How do I acquire the Policy Server License To acquire the license

1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk

for example DSecloreLicense Utility

2 Run the UserInfoexe file on the machine where the policy server needs to be installed

The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the

supportseclorecom to get the license file

92 How do setup logger Logging for the Policy Server can be set in 4 different modes

Off Logs nothing

Error Logs only errors

Info Logs error and the major milestones like connection to database or connection to AD

Debug Logs each processing of the server in detail

To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file

REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog

DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog

SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog

Modify the following properties for different logger for different logging type

93 How do I generate self-signed SSL certificate To create the certificate file

1 Open command prompt

2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example

DSeclore

Note

Note down the alias name and password These details are required while configuring the SSL key in

the serverxml file

For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example

wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example

yourdomaincom

Keystore password and key password for alias name are required for smooth functioning of the

Policy Server application

3 Enter the following command

Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before

executing the command

o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -

keystore acmegroupkeystore

ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt

ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt

ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

14

At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed

by the command prompt while running the keytool command For example in the sample screens above the keystore

file is generated at DSeclore

Note This keystore file will be later referred in Tomcat serverxml configuration

94 How do I get a CA signed SSL certificate Note The words root inter tomcat and acmegroupkeystore are placeholders Replace them with appropriate

values before executing commands

To generate CSR (Certificate Signing Request) request and to import certificate

1 Generate keystore file Refer to How do I generate self-signed SSL certificate to get keystore file

2 To generate CSR from keystore file

a Use keytool to create the Certificate Signing Request (CSR) from your Keystore Enter the

following command in the command prompt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

15

keytool -certreq -alias tomcat -file csrtxt -keystore acmegroupkeystore

b Type the keystore password set earlier and press EnterCSR file named csrtxt is now created in

current user directory

c Send the CSR to the vendor of the SSL certificate

Note Save the keystore file (eg acmegroupkeystore) as your certificates will be installed to it later

3 After receiving the certificates from the vendor import them into keystore

For Root Certificate keytool -import -trustcacerts -alias root -file rootcrt -keystore acmegroupkeystore

For Intermediate Certificate keytool -import -trustcacerts -alias inter -file intercrt -keystore

acmegroupkeystore

For Domain Certificate keytool -import -trustcacerts -alias tomcat -file mydomaincrt -keystore

acmegroupkeystore

95 How do I configure Windows Integrated Authentication for MSSQL To configure windows integrated authentication for MSSQL with JDBC driver follow the steps provided in the Policy

Server[Version]Installation DocsSupplementsWindows Authentication for databaseWindows Integrated

Authentication for MSSQLpdf file

96 What is JNDI Connection Pooling Policy Server uses JNDI connection pool to connect with Active Directory Domain controller There are different

parameters that can be configured for the connection pool Visit the following URL for details about the

connection pool parameters httpdownloadoraclecomjavasejnditutorialldapconnectconfightml

The default connection timeout at Active Directory Domain controller end is 15 minutes Seclore recommends

following parameter to be provided with Tomcat startup arguments

-Dcomsunjndildapconnectpooltimeout=600000

This parameter indicates the pool to release the connection if it has been in the pool for more than 10 minutes

(600000 miliseconds) You can configure other parameters also according to the requirement of the deployment

To configure the startup parameter in Tomcat Server

1 The syntax to configure the parameter is -Dparam_name=param_value

2 Start the Tomcat8wexe from ltTOMCAT_HOMEgtbin directory

3 Go to the Java tab and in the Java Options field append the parameter name value pair For example

-Dcomsunjndildapconnectpooltimeout=600000

97 How do I configure Adoption Stats feature in Policy Server To disable or enable Adoption Stats feature execute the respective script in the database

For Disabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL disable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle disable adoption statssql

For Enabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL enable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle enable adoption statssql

98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server

[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo

file

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

16

10 Resources

Below is the list of documents included, with their locations.

Location: Policy Server [Version]\Installation Docs

  Lite Server Installation Guide.txt
      Steps for Lite Server installation

Location: Policy Server [Version]\Installation Docs\Supplements

  Configuring SSO Using WebSEAL Junction.txt
      Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt
      Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
  SIM repository Configuration.pdf
      Steps to configure the SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt
      Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt
      Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Adresses.pdf
      Steps to configure RemoteIPValve in different server environment setups
  Thales HSM Configuration Guide.txt
      Steps to configure Thales HSM for Policy Server
  Google Authentication Configuration Guide.pdf
      Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf
      Steps to configure Azure authentication in Policy Server
  Seclore License Portal – User Manual.pdf
      Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt
      Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt
      Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf
      Steps to implement GDPR in Policy Server

Location: Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

  Windows Integrated Auth MSSQL.pdf
      Steps to configure Windows integrated authentication for MSSQL

Location: Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

  Outlook on the Web Add-in Configuration Guide.pdf
      Steps to install and configure the Outlook on the web Add-in for Policy Server

Location: Policy Server [Version]\Installation Docs\References

  Creating Database Schema.pdf
      Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf
      Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf
      Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf
      List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt
      Steps to configure tcpTimedWaitDelay


This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.


3.4 Run Tomcat Service

Configure a valid BYOK (Bring Your Own Key); refer to section 4, Configure BYOK (Bring Your Own Key) in Policy Server. Then run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details

1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.

Note: For any later changes to the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help

Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.

To configure Seclore Online Help:

1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

   PolicyServer
     portal
       pages
         help
           en
             aportal
             aum
             eum
             hag
             sag
           es

3. Copy the contents of the PolicyServer folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.

Note:

o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server

Policy Server supports the following key management systems:

o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.

By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.

Perform the following steps to disable BYOK:


1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.
   a. Remove the entire <mdk-config> element.
   b. Only an empty <mdk-configs> element should remain.

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.
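Because the BYOK state is frozen once the deployment goes live, it is worth checking MDKConfig.xml before the first Tomcat start rather than by eye. The following Python is an added example, not part of this guide or of Seclore's product: it reports whether an <mdk-config> adaptor is still configured and produces the emptied <mdk-configs> file that step 1 asks for. The sample XML is constructed to match the MDKConfig.xml listing in this guide; the function names byok_state and disable_byok are my own, and the layout of the file (a single <mdk-configs> root holding zero or more <mdk-config> elements) is assumed from the guide.

```python
"""Check, and for a pre-go-live deployment rewrite, the BYOK state of MDKConfig.xml.

Added example, not Seclore's code. Assumes the file layout shown in the guide:
a <mdk-configs> root that holds zero or more <mdk-config> elements, each with an
<adaptor-class> child naming the key-management adaptor.
"""
import xml.etree.ElementTree as ET

# Constructed sample: MDKConfig.xml as shipped, with the Seclore MDK adaptor configured.
MDK_CONFIGURED = """<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>
"""


def byok_state(xml_text: str) -> dict:
    """Return {'byok_enabled': bool, 'adaptors': [adaptor class names]} for a file body."""
    root = ET.fromstring(xml_text)
    if root.tag != "mdk-configs":
        raise ValueError(f"unexpected root element <{root.tag}>, expected <mdk-configs>")
    adaptors = [(cfg.findtext("adaptor-class") or "").strip()
                for cfg in root.findall("mdk-config")]
    return {"byok_enabled": bool(adaptors), "adaptors": adaptors}


def disable_byok(xml_text: str) -> str:
    """Return the file body with every <mdk-config> removed (step 1a), leaving only
    an empty <mdk-configs> element (step 1b). XML comments are not preserved."""
    root = ET.fromstring(xml_text)
    for cfg in root.findall("mdk-config"):
        root.remove(cfg)
    root.text = "\n"   # keep the empty element readable, on two lines
    root.tail = None
    body = ET.tostring(root, encoding="unicode").strip()
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


if __name__ == "__main__":
    # Typical use: read <POLICYSERVER_HOME>\config\MDKConfig.xml and print its state.
    print(byok_state(MDK_CONFIGURED))
    print(disable_byok(MDK_CONFIGURED))
```

Run byok_state over the real file on a pre-go-live server to confirm the intended state before starting Tomcat; if you use disable_byok to rewrite the file, keep a copy of the original since the guide says the choice cannot be altered later.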

5 Adoption Stats

Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to section 9.7, How do I configure the Adoption Stats feature in Policy Server.

Note: This feature requires a valid consent file to be available.

For a Production deployment, Adoption Stats are not sent if a valid consent file is not available.

For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.

6 Post Installation Configurations

The Policy Server homepage can be accessed using

"https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]"

For example: "https://irm.acmegroup.com/policyserver"

The System Admin login can be accessed using

"https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin"

For example: "https://irm.acmegroup.com/policyserver/sysadmin"

A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server

Refer to the installation guide Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server

1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.

MDKConfig.xml listings referenced in section 4, step 1: the file as shipped with Seclore MDK configured, and the file after BYOK has been disabled.

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>


6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?

To acquire the license:

1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.

The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?

Logging for the Policy Server can be set to 4 different modes:

Off: Logs nothing.
Error: Logs only errors.
Info: Logs errors and the major milestones, such as connection to the database or connection to AD.
Debug: Logs each processing step of the server in detail.

To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file.

REQUEST: Logs all the requests sent by the different clients to Policy Server. <POLICYSERVER_HOME>\logs\Request.log
DEBUG: Logs all the processing steps for any request being served. <POLICYSERVER_HOME>\logs\PolicyServer.log
SYNC: Logs the steps taken while synchronizing the different repositories. <POLICYSERVER_HOME>\logs\Sync.log

Modify the following properties of the different loggers to select the logging type:
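As an added example (not part of this guide or of Seclore's product), the following Python maps the four modes above onto the level attribute of the AsyncLogger entries in log4j2.xml, switches a named logger to a mode, and lists which loggers are still at debug, the thing to review before a server goes to production, since a REQUEST logger left at debug writes every client request to disk. The sample XML is constructed: it wraps the three AsyncLogger lines from this guide in a <Configuration><Loggers> skeleton, which is an assumption about the rest of the file; the function names are my own.

```python
"""Inspect and adjust the AsyncLogger levels in Policy Server's log4j2.xml.

Added example, not Seclore's code. Assumes the three loggers the guide names
(REQUEST, DEBUG, SYNC) are declared as <AsyncLogger> elements somewhere below
the <Configuration> root, as in the constructed sample below.
"""
import xml.etree.ElementTree as ET

# The guide's four logging modes and the log4j2 level names they correspond to.
MODE_TO_LEVEL = {"Off": "off", "Error": "error", "Info": "info", "Debug": "debug"}

# Constructed sample of the relevant part of log4j2.xml, all three loggers at debug.
LOG4J2_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false"/>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"/>
    <AsyncLogger name="SYNC" level="debug" additivity="false"/>
    <Root level="error"/>
  </Loggers>
</Configuration>
"""


def logger_levels(xml_text: str) -> dict:
    """Return {logger name: level} for every <AsyncLogger> in the file (levels lower-cased)."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.get("level", "").lower() for lg in root.iter("AsyncLogger")}


def set_mode(xml_text: str, logger_name: str, mode: str) -> str:
    """Return the file with `logger_name` switched to one of the guide's four modes."""
    if mode not in MODE_TO_LEVEL:
        raise ValueError(f"mode must be one of {sorted(MODE_TO_LEVEL)}, got {mode!r}")
    root = ET.fromstring(xml_text)
    matches = [lg for lg in root.iter("AsyncLogger") if lg.get("name") == logger_name]
    if not matches:
        raise KeyError(f"no AsyncLogger named {logger_name!r} in log4j2.xml")
    for lg in matches:
        lg.set("level", MODE_TO_LEVEL[mode])
    return ET.tostring(root, encoding="unicode")


def debug_loggers(xml_text: str) -> list:
    """Names of loggers still at debug: what a pre-production review should flag."""
    return sorted(name for name, lvl in logger_levels(xml_text).items() if lvl == "debug")


if __name__ == "__main__":
    hardened = set_mode(set_mode(LOG4J2_SAMPLE, "REQUEST", "Error"), "SYNC", "Info")
    print("before:", debug_loggers(LOG4J2_SAMPLE))
    print("after: ", debug_loggers(hardened))
```

Note that ET.tostring drops the XML declaration, so write it back yourself if you replace the file; the Tomcat service must be restarted for the new levels to take effect, as with any other change to the configuration.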

<AsyncLogger name="REQUEST" level="debug" additivity="false"/>
<AsyncLogger name="DEBUG" level="debug" additivity="false"/>
<AsyncLogger name="SYNC" level="debug" additivity="false"/>

9.3 How do I generate a self-signed SSL certificate?

To create the certificate file:

1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.

Note:

o Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
o For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate, this must begin with the * character, for example *.yourdomain.com.
o The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.

3. Enter the following command.

Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.

o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore


At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command. For example, in the sample screens above, the keystore file is generated at D:\Seclore.

Note: This keystore file is referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA-signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and import the certificate:

1. Generate the keystore file. Refer to 9.3, How do I generate a self-signed SSL certificate, to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:


      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.

Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore:

   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends the following parameter to be provided with the Tomcat startup arguments:

-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter instructs the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters too, according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair. For example:
   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
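The reason the pool timeout matters is ordering: the pool's idle timeout has to be shorter than the Domain Controller's own idle timeout (15 minutes per this guide), or the pool can hand an authentication request a connection the DC has already dropped. The following Python is an added example, not part of this guide or of Seclore's product: it parses the contents of the Java Options field as a list of -D properties and checks the JNDI pool timeout against those two bounds. The sample options string is constructed; the function names and the other -D properties in it are my own.

```python
"""Validate the -D system properties in Tomcat's Java Options for the JNDI LDAP pool.

Added example, not Seclore's code. Checks the setting the guide recommends:
com.sun.jndi.ldap.connect.pool.timeout must be present, numeric (milliseconds) and
shorter than the Domain Controller's idle timeout, so that the pool retires a
connection before the DC side closes it.
"""

POOL_TIMEOUT_PROP = "com.sun.jndi.ldap.connect.pool.timeout"
AD_IDLE_TIMEOUT_MS = 15 * 60 * 1000   # 15 minutes: the DC-side default stated in the guide
RECOMMENDED_MS = 600000               # 10 minutes: the value the guide recommends

# Constructed sample of a Java Options field (Tomcat8w.exe lists one option per line).
SAMPLE_OPTIONS = """-Dcatalina.home=C:\\Tomcat
-Dfile.encoding=UTF-8
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
"""


def parse_java_options(options: str) -> dict:
    """Return {name: value} for every -Dname=value token; other JVM flags are ignored."""
    props = {}
    for tok in options.split():
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def check_pool_timeout(options: str) -> list:
    """Return a list of findings; an empty list means the timeout is set as recommended."""
    props = parse_java_options(options)
    findings = []
    raw = props.get(POOL_TIMEOUT_PROP)
    if raw is None:
        findings.append(f"{POOL_TIMEOUT_PROP} not set: idle pooled AD connections are never aged out")
        return findings
    if not raw.isdigit():
        findings.append(f"{POOL_TIMEOUT_PROP}={raw!r} is not a millisecond count")
        return findings
    ms = int(raw)
    if ms >= AD_IDLE_TIMEOUT_MS:
        findings.append(f"{POOL_TIMEOUT_PROP}={ms} is not below the DC idle timeout "
                        f"of {AD_IDLE_TIMEOUT_MS} ms; the DC will close connections first")
    if ms != RECOMMENDED_MS:
        findings.append(f"{POOL_TIMEOUT_PROP}={ms} differs from the recommended {RECOMMENDED_MS}")
    return findings


if __name__ == "__main__":
    for finding in check_pool_timeout(SAMPLE_OPTIONS) or ["pool timeout OK"]:
        print(finding)
```

Paste the Java Options field into a file and run check_pool_timeout over it after step 3; a value at or above 900000 is the case to watch for, since it looks configured but still leaves the DC closing connections first.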

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:

o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:

o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server

[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo

file

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

16

10 Resources Below is the list of documents included with location

Document Description

Policy Server [Version]Installation Docs

Lite Server Installation Guidetxt Steps for Lite Server installation

Policy Server [Version]Installation DocsSupplements

Configuring SSO Using WebSEAL Junctiontxt Guidelines on configuring SSO in Policy Server using the

IBM Tivoli Access Manager WebSEAL SSO server

Connecting to AD over SSLtxt Steps to import SSL certificate in JVM for connection to

Active Directory (over SSL)

SIM repository Configurationpdf Steps to configure SIM Repository in Policy Server

Import Self-signed Certificate in Javatxt Steps to import self-signed certificate in Java Certificate

Trust Store

Tweaking Tomcat JVM Memorytxt Steps to configure JVM memory of the Tomcat

Tomcat Valve Configuration for Resolving Client

IP Adressespdf

Steps to configure RemoteIPValve in different server

environment setups

Thales HSM Configuration Guidetxt Steps to configure Thales HSM Policy Server

Google Authentication Configuration Guidepdf Steps to configure Google authentication in Policy Server

Azure Authentication Configuration Guidepdf Steps to configure Azure authentication in Policy Server

Seclore License Portal ndash User Manualpdf Steps to generate a valid PolicyServerconsent file

Seclore MDK Configuration Guidetxt Steps to configure Seclore MDK in Policy Server

SSL 30 Configurationtxt Steps to enabledisable SSL 30

GDPR Implementation Guidepdf Steps to implement GDPR in Policy Server

Policy Server [Version]Installation DocsSupplementsWindows Authentication for Database

Windows Integrated Auth MSSQLpdf Steps to configure Windows integrated authentication

for MSSQL

Policy Server [Version]Installation DocsSupplementsOutlook on the web Add-in Configuration

Outlook on the Web Add-in Configuration

Guidepdf

Steps to install and configure Outlook on the web Add-in

Policy Server

Policy Server [Version]Installation DocsReferences

Creating Database Schemapdf Steps to configure database and execute database script

for Policy Server

Open JDK 11 Installation Guidepdf Steps to install Open JDK 11 for Policy Server

Tomcat 9 Installation Guidepdf Steps to install Apache Tomcat 9 for Policy Server

Seclore Supported Timezonespdf List of timezones that can be configured in Tomcat Java

options

TCP Socket Timeout Configurationtxt Steps to configure tcpTimedWaitDelay

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

17

This document is meant for training and informational purposes only and should not be distributed without permission The information in this

document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage

arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and

trademarks are the properties of their respective owners

Page 12: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

12

1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml

a Remove the entire ltmdk-configgt tag

b Only an empty ltmdk-configsgt tag should be present

Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot

be altered

5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th

of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption

Stats feature in Policy Server

Note This feature requires a valid consent file to be available

For Production deployment Adoption Stats will not be sent if valid consent file is not available

For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent

6 Post Installation Configurations Policy Server homepage can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo

For example ldquohttpsirmacmegroupcompolicyserverrdquo

System Admin login can be accessed using

ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo

For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo

A System Administrator can provide configuration details configure repositories create Organization Unit

Admin (OU admin) Manage Enterprise Application etc

7 Configuring Other Components

71 Lite Server

Refer the installation guide in the Policy Server [Version]Installation DocsSupplementsLite Server Installation

Guidetxt folder for the Lite Server Application deployment

8 Uploading Customized Seclore Client Installers in Policy Server 1 Access the POLICY_SERVER_APPLICATION_URLsysadmin URL

2 Log in using System Admin credentials

3 Navigate to More gtgt Configuration gtgt Installer and Patch Management

4 Upload the installers of all the clients

5 After successful upload view the installer details in the Uploaded Installer and Patches section

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt lt-- Configure External Encryption Mechanism here --gt ltmdk-configgt ltadaptor-classgtcomsecloremdkadaptorcoreSecloreA2MDKAdaptorltadaptor-classgt ltmdk-configgt ltmdk-configsgt

ltxml version=10 encoding=UTF-8gt ltmdk-configsgt ltmdk-configsgt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

13

6 To verify the uploaded installer file click the download icon or installer file name

9 Frequently Asked Questions

91 How do I acquire the Policy Server License To acquire the license

1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk

for example DSecloreLicense Utility

2 Run the UserInfoexe file on the machine where the policy server needs to be installed

The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the

supportseclorecom to get the license file

92 How do setup logger Logging for the Policy Server can be set in 4 different modes

Off Logs nothing

Error Logs only errors

Info Logs error and the major milestones like connection to database or connection to AD

Debug Logs each processing of the server in detail

To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file

REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog

DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog

SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog

Modify the following properties for different logger for different logging type

93 How do I generate self-signed SSL certificate To create the certificate file

1 Open command prompt

2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example

DSeclore

Note

Note down the alias name and password These details are required while configuring the SSL key in

the serverxml file

For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example

wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example

yourdomaincom

Keystore password and key password for alias name are required for smooth functioning of the

Policy Server application

3 Enter the following command

Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before

executing the command

o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -

keystore acmegroupkeystore

ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt

ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt

ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

14

At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed

by the command prompt while running the keytool command For example in the sample screens above the keystore

file is generated at DSeclore

Note This keystore file will be later referred in Tomcat serverxml configuration

94 How do I get a CA signed SSL certificate Note The words root inter tomcat and acmegroupkeystore are placeholders Replace them with appropriate

values before executing commands

To generate CSR (Certificate Signing Request) request and to import certificate

1 Generate keystore file Refer to How do I generate self-signed SSL certificate to get keystore file

2 To generate CSR from keystore file

a Use keytool to create the Certificate Signing Request (CSR) from your Keystore Enter the

following command in the command prompt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

15

keytool -certreq -alias tomcat -file csrtxt -keystore acmegroupkeystore

b Type the keystore password set earlier and press EnterCSR file named csrtxt is now created in

current user directory

c Send the CSR to the vendor of the SSL certificate

Note Save the keystore file (eg acmegroupkeystore) as your certificates will be installed to it later

3 After receiving the certificates from the vendor import them into keystore

For Root Certificate keytool -import -trustcacerts -alias root -file rootcrt -keystore acmegroupkeystore

For Intermediate Certificate keytool -import -trustcacerts -alias inter -file intercrt -keystore

acmegroupkeystore

For Domain Certificate keytool -import -trustcacerts -alias tomcat -file mydomaincrt -keystore

acmegroupkeystore

95 How do I configure Windows Integrated Authentication for MSSQL To configure windows integrated authentication for MSSQL with JDBC driver follow the steps provided in the Policy

Server[Version]Installation DocsSupplementsWindows Authentication for databaseWindows Integrated

Authentication for MSSQLpdf file

96 What is JNDI Connection Pooling Policy Server uses JNDI connection pool to connect with Active Directory Domain controller There are different

parameters that can be configured for the connection pool Visit the following URL for details about the

connection pool parameters httpdownloadoraclecomjavasejnditutorialldapconnectconfightml

The default connection timeout at Active Directory Domain controller end is 15 minutes Seclore recommends

following parameter to be provided with Tomcat startup arguments

-Dcomsunjndildapconnectpooltimeout=600000

This parameter indicates the pool to release the connection if it has been in the pool for more than 10 minutes

(600000 miliseconds) You can configure other parameters also according to the requirement of the deployment

To configure the startup parameter in Tomcat Server

1 The syntax to configure the parameter is -Dparam_name=param_value

2 Start the Tomcat8wexe from ltTOMCAT_HOMEgtbin directory

3 Go to the Java tab and in the Java Options field append the parameter name value pair For example

-Dcomsunjndildapconnectpooltimeout=600000

97 How do I configure Adoption Stats feature in Policy Server To disable or enable Adoption Stats feature execute the respective script in the database

For Disabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL disable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle disable adoption statssql

For Enabling Adoption stats

o MSSQL Database

Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL enable adoption statssql

o Oracle Database

Policy Server[Version]DB ScriptsPolicy ServerOracleOracle enable adoption statssql

98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server

[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo

file

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

16

10 Resources Below is the list of documents included with location

Document Description

Policy Server [Version]Installation Docs

Lite Server Installation Guidetxt Steps for Lite Server installation

Policy Server [Version]Installation DocsSupplements

Configuring SSO Using WebSEAL Junctiontxt Guidelines on configuring SSO in Policy Server using the

IBM Tivoli Access Manager WebSEAL SSO server

Connecting to AD over SSLtxt Steps to import SSL certificate in JVM for connection to

Active Directory (over SSL)

SIM repository Configurationpdf Steps to configure SIM Repository in Policy Server

Import Self-signed Certificate in Javatxt Steps to import self-signed certificate in Java Certificate

Trust Store

Tweaking Tomcat JVM Memorytxt Steps to configure JVM memory of the Tomcat

Tomcat Valve Configuration for Resolving Client

IP Adressespdf

Steps to configure RemoteIPValve in different server

environment setups

Thales HSM Configuration Guidetxt Steps to configure Thales HSM Policy Server

Google Authentication Configuration Guidepdf Steps to configure Google authentication in Policy Server

Azure Authentication Configuration Guidepdf Steps to configure Azure authentication in Policy Server

Seclore License Portal ndash User Manualpdf Steps to generate a valid PolicyServerconsent file

Seclore MDK Configuration Guidetxt Steps to configure Seclore MDK in Policy Server

SSL 30 Configurationtxt Steps to enabledisable SSL 30

GDPR Implementation Guidepdf Steps to implement GDPR in Policy Server

Policy Server [Version]Installation DocsSupplementsWindows Authentication for Database

Windows Integrated Auth MSSQLpdf Steps to configure Windows integrated authentication

for MSSQL

Policy Server [Version]Installation DocsSupplementsOutlook on the web Add-in Configuration

Outlook on the Web Add-in Configuration

Guidepdf

Steps to install and configure Outlook on the web Add-in

Policy Server

Policy Server [Version]Installation DocsReferences

Creating Database Schemapdf Steps to configure database and execute database script

for Policy Server

Open JDK 11 Installation Guidepdf Steps to install Open JDK 11 for Policy Server

Tomcat 9 Installation Guidepdf Steps to install Apache Tomcat 9 for Policy Server

Seclore Supported Timezonespdf List of timezones that can be configured in Tomcat Java

options

TCP Socket Timeout Configurationtxt Steps to configure tcpTimedWaitDelay

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

17

This document is meant for training and informational purposes only and should not be distributed without permission The information in this

document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage

arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and

trademarks are the properties of their respective owners

Page 13: Policy Server Installation Guide - Secloreproduct.seclore.com/updates/external/docs/ps... · 2020-05-27 · Java and Tomcat versions must match those mentioned in the steps. 2.5.

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

13

6 To verify the uploaded installer file click the download icon or installer file name

9 Frequently Asked Questions

91 How do I acquire the Policy Server License To acquire the license

1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk

for example DSecloreLicense Utility

2 Run the UserInfoexe file on the machine where the policy server needs to be installed

The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the

supportseclorecom to get the license file

92 How do setup logger Logging for the Policy Server can be set in 4 different modes

Off Logs nothing

Error Logs only errors

Info Logs error and the major milestones like connection to database or connection to AD

Debug Logs each processing of the server in detail

To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file

REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog

DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog

SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog

Modify the following properties for different logger for different logging type

93 How do I generate self-signed SSL certificate To create the certificate file

1 Open command prompt

2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example

DSeclore

Note

Note down the alias name and password These details are required while configuring the SSL key in

the serverxml file

For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example

wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example

yourdomaincom

Keystore password and key password for alias name are required for smooth functioning of the

Policy Server application

3 Enter the following command

Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before

executing the command

o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -

keystore acmegroupkeystore

ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt

ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt

ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt

lsquo

Policy Server Installation Guide V24260

Seclore Internal - Limited circulation only

14

At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed

by the command prompt while running the keytool command For example in the sample screens above the keystore

file is generated at DSeclore

Note This keystore file will be later referred in Tomcat serverxml configuration

9.4 How do I get a CA signed SSL certificate?

Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.

To generate a CSR (Certificate Signing Request) and to import the certificate:

1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" to get the keystore file.

2. To generate the CSR from the keystore file:

a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:

keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore

b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.

c. Send the CSR to the vendor of the SSL certificate.

Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed to it later.

3. After receiving the certificates from the vendor, import them into the keystore:

For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore

For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore

For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
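The keytool steps of 9.3 and 9.4, as an added example that is not part of the Seclore guide: POSIX shell functions that run keytool non-interactively, validate the FQDN or wildcard name before it goes into the CN, and check the keystore afterwards. Assumptions: keytool (JDK) is on PATH; the alias "tomcat", keystore name "acmegroup.keystore", password "changeit" and the O= and C= values are placeholders; the key is signed with SHA256withRSA, a deliberate change from the SHA1WithRSA shown above.

```shell
#!/bin/sh
# Added example, not part of the Seclore guide. Wraps the keytool steps of
# FAQ 9.3 (self-signed keystore) and 9.4 (CSR and CA chain import) in
# non-interactive functions and checks the keystore afterwards.
# Assumptions: keytool (JDK) is on PATH; alias, keystore name, password and
# the O=/C= values are placeholders. The signature algorithm here is
# SHA256withRSA, a deliberate change from the SHA1WithRSA shown in the guide.

# The name that becomes the certificate CN ("First and last name" prompt):
# either a plain FQDN or a wildcard that starts with "*.". Returns 0 or 1.
check_cn() {
    case "$1" in
        "*."?*.*) return 0 ;;   # *.yourdomain.com
        "*"*)     return 1 ;;   # *yourdomain.com or a bare * is rejected
        ?*.?*)    return 0 ;;   # www.yourdomain.com
        *)        return 1 ;;   # single label such as "localhost"
    esac
}

# 9.3: keystore with one RSA key pair; its certificate is self-signed until a
# CA reply is imported. Arguments: keystore alias password cn
create_keystore() {
    check_cn "$4" || { echo "rejected CN: $4" >&2; return 1; }
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 36500 \
        -sigalg SHA256withRSA -keystore "$1" -storepass "$3" -keypass "$3" \
        -dname "CN=$4, O=Acme Group, C=US" >/dev/null 2>&1
}

# 9.4 step 2: CSR to send to the CA. Arguments: keystore alias password csr_file
generate_csr() {
    keytool -certreq -alias "$2" -keystore "$1" -storepass "$3" -keypass "$3" \
        -file "$4" >/dev/null 2>&1
}

# 9.4 step 3: import root, then intermediate, then the domain certificate under
# the key alias. Order matters: keytool accepts the CA reply for the key alias
# only once every issuer above it is already trusted in the keystore.
# Arguments: keystore alias password root.crt inter.crt domain.crt
import_chain() {
    keytool -importcert -trustcacerts -noprompt -alias root -file "$4" \
        -keystore "$1" -storepass "$3" >/dev/null 2>&1 || return 1
    keytool -importcert -trustcacerts -noprompt -alias inter -file "$5" \
        -keystore "$1" -storepass "$3" >/dev/null 2>&1 || return 1
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$6" \
        -keystore "$1" -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Check 1: the alias Tomcat uses must hold a private key ("PrivateKeyEntry"),
# not merely a trusted certificate. Prints the entry type.
# Arguments: keystore alias password
entry_type() {
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/^Entry type: *//p' | head -n 1
}

# Check 2: number of certificates chained under the alias. 1 means the entry
# is still self-signed; after a successful import_chain it is the length of
# the CA chain (3 for root + intermediate + domain). Arguments: keystore alias password
chain_length() {
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p' | head -n 1
}

# Walk-through in a scratch directory when the script is run directly.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    ks="$work/acmegroup.keystore"
    create_keystore "$ks" tomcat changeit '*.yourdomain.com' &&
        generate_csr "$ks" tomcat changeit "$work/csr.txt" &&
        echo "tomcat entry: $(entry_type "$ks" tomcat changeit)," \
             "chain length: $(chain_length "$ks" tomcat changeit)"
    rm -rf "$work"
fi
```

After import_chain, chain_length should report the full chain and entry_type must still print PrivateKeyEntry; a trustedCertEntry under the Tomcat alias means the domain certificate was imported under the wrong alias and the connector will not be able to serve it.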

9.5 How do I configure Windows Integrated Authentication for MSSQL?

To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the "Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf" file.

9.6 What is JNDI Connection Pooling?

Policy Server uses a JNDI connection pool to connect to the Active Directory Domain Controller. Different parameters can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter in the Tomcat startup arguments:

-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

This parameter instructs the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds), i.e. before the Domain Controller closes it on its side. You can configure other parameters also according to the requirements of the deployment.

To configure the startup parameter in Tomcat Server:

1. The syntax to configure the parameter is -Dparam_name=param_value.

2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.

3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair. For example:

-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

9.7 How do I configure the Adoption Stats feature in Policy Server?

To disable or enable the Adoption Stats feature, execute the respective script in the database.

For disabling Adoption Stats:

o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql

o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql

For enabling Adoption Stats:

o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql

o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?

For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.

10 Resources

Below is the list of documents included, with their location (Document: Description).

Location: Policy Server [Version]\Installation Docs

Lite Server Installation Guide.txt: Steps for Lite Server installation

Location: Policy Server [Version]\Installation Docs\Supplements

Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server

Connecting to AD over SSL.txt: Steps to import the SSL certificate in the JVM for connection to Active Directory (over SSL)

SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server

Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate in the Java Certificate Trust Store

Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat

Tomcat Valve Configuration for Resolving Client IP Adresses.pdf: Steps to configure RemoteIPValve in different server environment setups

Thales HSM Configuration Guide.txt: Steps to configure Thales HSM for Policy Server

Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server

Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server

Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file

Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server

SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0

GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Location: Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database

Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Location: Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration

Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Location: Policy Server [Version]\Installation Docs\References

Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server

Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server

Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server

Seclore Supported Timezones.pdf: List of timezones that can be configured in Tomcat Java options

TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay

This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
